-------[ Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 01 of 19 ]

-------------------------[ P H R A C K 5 5 I N D E X ]

--------[ Return of the Genius Loci ]

Lies! Lies! Lies! Lord of the Lies. That's me. I promised a timely Phrack and look what happened. A 9 month lapse. Whew. Wow. Ri-friggin-diculous. Holy crap I suck. To all you patient/ambivalent readers out there -- terribly sorry about that. To all you whiners/complainers in the end, it just goes to show you: Fuck Off.

For all you people that contributed nothing except negative commentary over the past few months, I'd like to introduce you to the real world. The real world is where free computer security technical journals don't pay bills or get you chicks. Or get you chicks that pay bills for that matter. THAT'S THE WORLD I LIVE IN. TRUST ME WHEN I TELL YOU I WOULD CHANGE IT IF I COULD. But I can't. So I do what I do to make ends meet. Sometimes it gets in the way. Hrm.

You think 9 months is bad? Let's take a look at the publishing history of Phrack Magazine, since its inception, way back in November of 1985. I present to you the publishing schedule of Phrack Magazine from 1985 - 1999.

______________________________________________________________________________
Jan |     02? 10      23                                  52
Feb |     03  11      24
Mar |     04  12      25          37  42  45
Apr |     05  13  17  26          38              47  50
May |                     31
Jun |     06      18  27          39
Jul |         14  19                  43                  53
Aug |         15                  40
Sep |     07                  33          46      48  51      55
Oct |     08? 16? 20  28      34
Nov | 01          21  29  32  35      44          49
Dec |     09?     22  30      36  41                      54
------------------------------------------------------------------------------
    | 85  86  87  88  89  90  91  92  93  94  95  96  97  98  99
------------------------------------------------------------------------------

Ok.. Things look pretty good for the first year... 8 issues in one year. Not bad fellas, not bad... Uh-oh! A 6 month gap between 16 and 17! What's up? Apparently, the editors at that time (Phrack's founding fathers TK and KL) had gone off to college and left the Magazine in the hands of Elric of Imrryr.
Mmmhmm. A FLIMSY EXCUSE!

The next large gap we see is between 32 and 33. Apparently there was some crap going on having to do with the Secret Service shutting Phrack down and something about issues 31 and 32 not being sanctioned or something... Blah blah blah. Ok great. This was like 8 years ago. Who the hell carez. At any rate, things appear to be pretty much business as usual after that. Then something amazing -- Chris Goggans takes over. First a 3 month gap. Then a 4 month lapse. Then back down to 3. Then up to 5. Then 6. Then the unthinkable happens. A 16 month coma.

THEN YOURS TRULY TAKEZ OVER AT THE HELM AND BREATHEZ SOME LIFE INTO THIS DEAD BODY! BOOM BAP! Check out THESE NUMBERS: 2 months, 4 months, 4 months, 3 months, 5 months!... Um. 9 months. Ok. Well. Oops. My point is... Well. 9 months isn't as bad as Goggans. So there you have it! Basically, when all's said and done, at the end of the day, I am not as bad as Goggans.

In any event, this issue has a surplus of good articles. Read them.

In other news, we heard a nasty rumor. Starting September 11th, 1999 Network Solutions "the dot com people" (*how adorable*) are going to start their policy of requiring prepayment at the time of domain-name registration. What does this mean to you? NO MORE FREE DOMAINS FOR THREE MONTHS! No more `try before you buy`, no more `cooling-off` period. If you fuck up and register `masster-ninja.com` brother, you're stuck with it! So check your spelling.

Oh yah. I have something very un-P.C. to say, something very controversial... Something you're not going to like.. But I have to say it: GOD BLESS CANADA! WAIT. HOLD ON. Before you rm this issue, give me a chance to explain why Canada rules. If it wasn't for Canada, there would be no t00nces. There. That's the sole reason why Canada rules. If it wasn't for t00nces, there would have probably been a murder at the last Phrack sponsored BBQ (or at the very least, some serious battery). On 3 separate occasions he quelled major rucki.
The largest of which would have resulted in a drunken dirtbag being pummeled into chowder. He would have been a little smudgie on my front lawn. As much as I am usually down for a drunken dirtbag pummeling, we can't have that at the house. t00nces is an all-around great guy. He's definitely my favorite Canadian-American citizen. Besides. I lost our Country's pride when I played him in our monthly America vs. Canada pool game. My penance was to write a treatise on how much Canada rules. Well. The best I can do is how much t00nces rules.

Phrack Magazine mourns the recent passing of W. Richard Stevens. For a special tribute, please see P55-04.

Enjoy the magazine. It is by and for the hacking community. Period.

    -- Editor in Chief ----------------[ route
    -- Phrack World News --------------[ disorder
    -------- Elite --------------------> daveg
    -- Official Phrack King Crab ------[ loadammo
    -- Official Phrack Girlfriend -----[ A.R.A.
    -- B.A. Baracus Phrack Fracas -----[ PETE F. vs. KRIS C.
    -- Official Phrack Long Gun -------[ Benelli M1 Super 90 (tactical)
    -- WHOA HO HO ---------------------[ aaronb
    -- Netris Championz ---------------[ prym & ReDragon
    -- Ketel One Connoisseur ----------[ vision
    -- Official Phrack Bouncer --------[ t00nces
    -- Congratulations to -------------[ W.O.F. and N.R.A.
    -- Special Thankz to --------------[ kweiheri, kamee
    -- Shout Outs and Thank Yous ------[ h4g1z, felix, WAYNE, rfp, nocarrier, dug
    -----------------------------------| song, incr, dreck, nicnoc, e5, sw_r,
    -----------------------------------| greg hoglund and dark spyrit, sangfroid,
    -----------------------------------| dnm
    - You're not in the club if -------[ you don't recognize half of these people

Phrack Magazine V. 9, #55, September 09, 1999. ISSN 1068-1035

Contents Copyright (c) 1999 Phrack Magazine. All Rights Reserved. Nothing may be reproduced in whole or in part without written permission from the editor in chief.
Phrack Magazine is made available to the public, as often as possible, free of charge. Go nuts people.

Contact Phrack Magazine
-----------------------
Editor in Chief:    route@phrack.com
Submissions:        route@phrack.com
Associate Editor:   alhambra@phrack.com
Commentary:         loopback@phrack.com
Phrack World News:  disorder@phrack.com

Submissions to the above email address may be encrypted with the following key:

As always, ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED. Phrack goes out plaintext. You certainly can subscribe in plaintext.

phrack:~# head -20 /usr/include/std-disclaimer.h
/*
 * All information in Phrack Magazine is, to the best of the ability of the
 * editors and contributors, truthful and accurate. When possible, all facts
 * are checked, all code is compiled. However, we are not omniscient (hell,
 * we don't even get paid). It is entirely possible something contained
 * within this publication is incorrect in some way. If this is the case,
 * please drop us some email so that we can correct it in a future issue.
 *
 *
 * Also, keep in mind that Phrack Magazine accepts no responsibility for the
 * entirely stupid (or illegal) things people may do with the information
 * contained herein. Phrack is a compendium of knowledge, wisdom, wit, and
 * sass. We neither advocate, condone nor participate in any sort of illicit
 * behavior. But we will sit back and watch.
 *
 *
 * Lastly, it bears mentioning that the opinions that may be expressed in the
 * articles of Phrack Magazine are intellectual property of their authors.
 * These opinions do not necessarily represent those of the Phrack Staff.
 */

-------------------------[ T A B L E O F C O N T E N T S ]

01 Introduction                               Phrack Staff           014 K
02 Phrack Loopback                            Phrack Staff           051 K
03 Phrack Line Noise                          various                037 K
04 Phrack Tribute to W. Richard Stevens       Phrack Staff           004 K
05 A Real NT Rootkit                          Greg Hoglund           066 K
06 The Libnet Reference Manual                route                  181 K
07 PERL CGI Problems                          rfp                    017 K
08 Frame Pointer Overwriting                  klog                   020 K
09 Distributed Information Gathering          hybrid                 010 K
10 Building Bastion Routers with IOS          Brett / Variable K     037 K
11 Stego Hasho                                Conehead               037 K
12 Building Into The Linux Network Layer      kossak / lifeline      044 K
13 The Black Book of AFS                      nicnoc                 011 K
14 A Global Positioning System Primer         e5                     015 K
15 Win32 Buffer Overflows...                  dark spyrit            078 K
16 Distributed Metastasis...
                                              Andrew J. Stewart      031 K
17 H.323 Firewall Security Issues             Dan Moniz              015 K
18 Phrack World News                          disorder               021 K
19 Phrack Magazine Extraction Utility         Phrack Staff           021 K
                                                                     711 K

-----------------------------------------------------------------------------

"...Yeah, yeah, Phrack is still active you may say. Well let me tell you something. Phrack is not what it used to be. The people who make Phrack are not Knight Lightning and Taran King, from those old BBS days. They are people like you and me, not very different, that took on themselves a job that it is obvious that is too big for them. Too big? hell, HUGE. Phrack is not what it used to be anymore. Just try reading, let's say, Phrack 24, and Phrack 54."

    - bjx of "PURSUiT" trying to justify his `old-school` ezine. bjx wrote a riveting piece on "Installing Slackware" article. Fear and respect the lower case "i".

"We might get a PURSUiT meeting at DefCon 9 which will take place in year 2001. Meenwhile, it's an idea, because I belive 40% of the PURSUiT crew are going to DefCon 9, so we will try to convince the rest of the crew to join us."

    - bjx of "PURSUiT" on his distant defcon plans. Hey, buddy, if you save a dollar a day for the next two years, you should have enough!

"I assume she did a jiggly +liar search on altavista..."

    - gheap, when asked to venture a guess as how a certain person was found on a random corporate webpage.

"Hrm.. There just arent enough web sites that use the word `jiggly`."

    - gheap, after putting some thought into it.

-----------------------------------------------------------------------------

----[ EOF

-------[ Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 02 of 19 ]

-------------------------[ P H R A C K 5 5 L O O P B A C K ]

--------[ Phrack Staff ]

Phrack Loopback is your chance to write to the Phrack staff with your comments, questions, or whatever. The responses are generally written by the editor, except where noted.
The actual letters are perhaps edited for format, but generally not for grammar and/or spelling. We try not to correct the vernacular, as it often adds a colorful perspective to the letter in question.

Thanks to kamee and loadammo for their help.

0x01>-------------------------------------------------------------------------

route, you suck--all you phrack people do.

    [ Extra double dumb-ass on us! ]

you would think 8 months is enough time to put out phrack 55, but NO.

    [ You *would* think so, wouldn't you? I *knew* I should have quit my job. Well, I'm certain you spent the downtime working on your world-renowned top-notch freely distributed highly-technical ezine right? How many issues did you pump out? 2? 3? Where can we get it? ]

You say it will be out on August 31, now it is September 9?

    [ 09.09.99 is so much more of an elite date than 08.31.99. In fact, 09.09.99 is the most elite date of our lifetime. ]

Faggots.

    [ Is uh.. Is that a proposition? Are you looking for some action or something? ]

- grez@vulgar.net

    [ Thanks man! Now everyone knows where to send the love! ]

0x02>-------------------------------------------------------------------------

I'm a San Francisco criminal defense attorney, and, because I believe curiosity should not be a crime and information wants to be free, I hereby volunteer my legal services to Phrack readers. For a free legal consultation, contact me, Omar Figueroa, Esq. at omar@alumni.stanford.org or (415) 986-5591. http://www.2xtreme.net/omar/

    [ Very cool. I'm sure many readers if nothing else will at least have questions regarding the law and how it impacts their rarified profession... Keep in mind Omar that many 'hacker'-types requiring legal services are prone to idiocy and therefore not likely to have money. Hope you're up for some good ole-fashioned pro bono work! ]

0x03>-------------------------------------------------------------------------

Hey, glad to see your site back up, I was beginning to wonder what happened...
    [ Alhambra tripped over the power cord. We didn't notice for a few months. Our bad. ]

While you were down, an item came up on my Zen calendar that I thought you might enjoy:

    [ The `Zen Calendar`? Does it have pictures of Shakyamuni Buddha in a bikini? ]

"The shell must be cracked apart if what is in it is to come out, for if you want the kernel you must break the shell. And therefore, if you want to discover nature's nakedness, you must destroy its symbols, and the farther you get in, the nearer you come to its essence. When you come to the One that gathers all things up into itself, there your soul must stay."

-Meister Eckhart

hmmm....

    [ Man that's just great. I'm going to go dunk my head in a pot of boiling water now. Be right back... ]

Anyway, Phrack is a *great* mag, keep up the good work.

    [ Agreed. Thanks. ]

- ped xing

0x04>-------------------------------------------------------------------------

I don't have a computer yet because I don't know to much about it??

    [ Are you asking me or telling me? And if you're sans computer, how the hell are you writing me this email? OMG! Are we communicating through your mind?!?@! Are you using the /shining/? Ok. You can use yer shining to call me when you need my help... But don't be reading my mind between 4 and 5. That's _route's_ time. STAY OUT! ]

but the basic things but i been trying to get to some underground site which willput me in the write direction,into hacking...

    [ I'm suggesting you spend that computer money on some at-home ESL classes. ]

in your site is off the hook,it has infor that i can use thanx

    [ Yes, when I'm watching a movie or I don't want to be bothered, I take www.phrack.com off the hook.
    ]

I know i may not be answered back but can you send me some site that may help me into starting my long journey of hacking

    [ http://owl.english.purdue.edu/esl/ESL-student.html ]

...thank you...in my email is weeddreams@yahoo.com

0x05>-------------------------------------------------------------------------

Hi, I am a wannabe hacker.

    [ I'm a wannabe rockstar. Wanna hang out? ]

I have access to all the equipment. modems, routers, even my own pbx.

    [ Well that's a start! I suggest the next step should be actually getting a computer of some sort so all that networking hardware doesn't go to waste! ]

Where will i find material describing typical methods to test the systems for security. (TCP- SYN attack, ip-spoofing)

    [ Phrack Magazine, issues 48 - 53. ]

I am especially interested in DOS attacks.

    [ And why not? You seem like a highly intelligent guy. I'll give you a heads up on a particularly nasty one (as yet unreleased) certain to take down even the most resilient hosts: Send the following 4 packets to the target host:

      1 - TCP SYN|RST with ISN == (2^32 - 0x12A3) to a LISTENing port
      2 - TCP ACK with SEQ_ACK == (0x12A4) to same port
      3 - ICMP_PORT_UNREACH (IP header inside is irrelevant)
      4 - UDP to same port

      Next, quickly douse your computer in lighter fluid, and set it on fire. Wait a few minutes, then try and reach that host. You'll find that you can't. Thank me later. ]

Any pointers will be appreciated.

    [ void *you = NULL; ]

- LordKrishna

0x06>-------------------------------------------------------------------------

I know quite a bit about computers and started learning to program (or trying at least - I had trouble figuring out what the hell a variable was) when I was like seven.

    [ Yah, variables are tricky -- don't use them. Stick to symbolic constants. ]

Now, I'm kinda' interested in hacking and phreaking, but I have seen many files out there from the 80's and early 90's that probably have little or no significance know.

    [ As useless as 1950's porn.
    ]

I have seen plans for blue boxes and red boxes everywhere, but I am assuming that this does not work anymore, since as stupid as phone companies are often depicted, I'm sure they have managed to fix these problems by now.

    [ I have seen plans for world domination everywhere, and not even those work. Personally, I want my money back. ]

However, I'm sure that there's still lots to do as far as phreaking goes, and definately hacking, because I hear about that all the time.

    [ I don't think anyone's ever hacked a tic-tac before. You could start there! ]

Anyway, I was wondering if you or someone else you know would care to write a file describing what works and doesn't in the modern world. I love to read Phrack, but a lot of the older issues are either over my head

    [ Me too! I especially have problems with P25-05, P27-08, P28-06. I don't understand the need for wild turkeys when hacking. Maybe it was a fad 10 years ago. ]

or seem more or less irrelevant. As you, and most other hackers/phreaks, probably grew up when computers were still in earlier stages,

    [ Yep. My first computer was a rock and some dirt. ]

you probably know a lot more about how they work than newer programmers.

    [ Oh hell yes! Think of a computer as a tiny, super complex street hooker. The more you put in.. Wait. No. That's not a good analogy... Um... A computer is like a piece of paper. Er. No. Um. I really have no idea how they work. ]

I can tell this just by reading this ASM book I got. I had no idea what kinda' stuff happened with the actual hardware and its fun to learn.

    [ Hrm. Do you think maybe we could get together one night and you could read to me? Softly? ]

Basically, I just want a modern beginner's guide so I can go out and get my feet wet.

    [ Well jump right in! The idiot pool has plenty of space and I'm told the new spa has a diving board.
    ]

Most of the literature I have seen on phreaking/basic hacking is really old, so if you know of anything modern I could look at, or would like to write something yourself, I'd appreciate this quite a bit.

    [ Have you tried searching for "hack +modern" on altavista? ]

Thanks a lot, man.

- Cyber Guy

    [ Great handle man! ]

0x07>-------------------------------------------------------------------------

hia chief

    [ Heya dorko. ]

my nick is spider

    [ How creative. Chalk has more flavor. ]

i'm a future hacker to be for now i need info about a free server

    [ That's nice. I need info on how to make girls like me. I think we can probably help each other. ]

- spider.

    [ Great handle man! ]

0x08>-------------------------------------------------------------------------

phreaks, i have recently discovered your site.

    [ Congratulations. I've recently discovered how to love. ]

i must say i was impressed by the contents.

    [ Well thank you very much! Sounds good so far... ]

i live in japan, the drug trade here is good but very expensive.

    [ Hrm. Have you tried switching to generics? I know acetylsalicylic acid is sold in many generic forms. ]

so i import cid and x from the states...one problem....they have a police

    [ Japan has to import Caller ID? ]

dog to sniff every item before it is mailed. i have found a way to by pass this. first get a new unopened peanut butter jar....take the seal off very

    [ Hrm. Skippy or Jiff? Glass Jar or Plastic? Crunchy or smooth? And how big? What about peanut butter cookies? Will they work? Please people... Before you send in some half-cocked scheme, take 2 minutes and do some research. ]

carefully dont rip it....scoop out a good amout of pb from the center.. carfully place "the stuff" inside a plastic bag and place into the jar... recover with the pb.....

    [ What do I do with the extra peanut butter? Can I use it to make a samich? Or should I hold on to it for safe keeping?
    ]

place the seal back ontop and iron on....this gives back its unopened look...next place lid back on top and your ready to be inspected.

- Sloshkin

    [ Well nice going Sloshkin! You've managed to ruin this completely lame drug trafficking technique for moronic drug smugglers! All FBI agents please contact your DEA pals! Tell them to be on the lookout for peanut butter. ]

0x09>-------------------------------------------------------------------------

Due to the slow net,I have diffculty to download your excellent articles.

    [ Yep. It's all the porn trafficking going on. ]

Can you do me the favor to send it to me by email?

    [ Not a problem, expect them in 6 - 8 weeks. ]

I will not do harm to anyone,I swear.

    [ Better not. Phrack is equipped with explosive dye packs. If you do something illicit they will explode all over your hands and face and the authorities will be alerted. ]

0x0a>-------------------------------------------------------------------------

I sing and play guitair in a fairly unique punk band called "The gods Hate Kansas".

    [ Really? That's coincidental because I hate Kansas. ]

Our lyrics and beleifs tend to revolve around corporate and governmental sabotage.

    [ Excellent idea. Let's collapse our economy and destroy the government. Better yet, let's beat terrorist extremists (like Osama Bin Laden) to the punch and blow ourselves up. Do you have any idea how much they hate Americans? Oh wait, they're just `Wag The Dog` inventions, right? ]

Right now, we're gearing up to record in June. The new CD will only be about 5 songs so we decided to make it a "multi-media" CD and include a couple videos, our website, and some misc. files on lockping, redboxing, and hacking.

    [ Those free AOL CDs sound better. Must miss! ]

I was wondering if you might have anything that you might specificly want to contribute to this effort.

    [ Just my unending sarcasm. Oh, BTW I was being sarcastic.
    ]

The punk scene is a wonderfull breeding ground of discontent and has a lot of paralels to hacker culture

    [ Hackers are discontent? Hrm. Larry Wall seems pretty happy. And I don't think he likes punk. ]

and this CD has the potential to reach a lot of people..

    [ Like all the 15 year old disgruntled suburban kids in Kansas who think they `have it rough at home` and `no one understands their shit` so they get their noses pierced along with lame haircuts and hang out at seedy hardcore clubs! ]

- Rion

0x0b>-------------------------------------------------------------------------

WUZ ^

    [ How preciously retarded! ]

I found my schools dial-up and I want you guys to try and hack it if you can. ITS: xxx-7035 St. Francis Jr. High. Fuck it up as much as possible please!

    [ Dude, somehow I don't think it would be right for us to hack into a `special` education school. I think you should just get back to your room, back into your restraints, and back on the meds. ]

They have an entire network of macs and ibm's.

    [ All hooked up to machines to keep you guys from drooling. ]

0x0c>-------------------------------------------------------------------------

Sup, I am interested in hacking. I do not know much about how to hack and want to learn more. I want to try and get a password from a certain somebody to read their mail.

    [ Well, genius, TRY ASKING. ]

I opened up an account at wowmail to check it out. I found out that once you are in your own account that if u view source...it actually shows you your password!

    [ NO WAY@!#! HOLY SHIT THAT'S INCREDIBLE! ]

So...is there a way to write a program where when a user tries to open their mail...somehow u can view source and send it back to your e-mail account without the user ever finding out?

    [ Jesus, let her go man and mind that restraining order. ]

Or is there another way u could tell me how I could obtain the password and how to go about it?

    [ Spy for love. Pattern yourself after the Stasi Super-Romeo Roland G.
      He won the affections of a lovely young woman named Margarete, an interpreter at NATO's SHAPE (Supreme Headquarters Allied Powers Europe). She divulged all kinds of secrets regarding Allied military maneuvers and whatnot. ]

Thanx, Steve

0x0d>-------------------------------------------------------------------------

Just wondering if i can be a part of Phrack.com ?

    [ Short answer: No. Long answer: Hell no. ]

Personal Information
~~~~~~~~~~~~~~~~~~~~
Handle: Action Man
Call me: Steve
Past Handle: Virtual Son, Renegade

    [ Oooh! Lorenzo Lamas reads Phrack! I am torn between killing myself with a shovel or with the garbage disposal. ]

Handle Origin: You know when some phat name that pops into your head when you need a handle....well there you go./ "Action Man" from the movie "MasterMinds"

    [ Master? Man head? Action? "Handle"? That's just too many homo-erotic masturbation-related words to be a coincidence. Less jerking, more schoolin' I say. ]

Height: 5'8"
Weight: 175lbs

    [ Whoa. A bit heavy aren't we? You know it's never *too* early to NOT eat bear claws 2 at a time. ]

Eyes: Brown
Hair: Brown
Computers: IBM/Pentium TE(Technology Edge)

When i was in the 5-6th grade i had an interest in computers and how they worked.

    [ Hey great. Let's try and find a homeless person that cares. ]

So my first comp was a ibm aptiva.

    [ My first comp was a room upgrade in Vegas. ]

Not very fast but enough to get me through the day.

    [ Man, it usually takes me 3 or 4 ketel-1/tonics to get through the day. ]

I started to have the interest in hacking/phreaking when i was about in the 7th so that the computer stuff came easy to me..

    [ c:\dos> vol
      Volume in drive C is DOS
      Volume Serial Number is 12A1-1C20

      c:\dos> label
      Volume in drive C is DOS
      Volume Serial Number is 12A1-1C20
      Volume label (11 characters, ENTER for none)? 3L1T3H4CK3R

      c:\dos> vol
      Volume in drive C is 3L1T3H4CK3R
      Volume Serial Number is 12A1-1C20

      c:\dos> damn i rool
      Bad command or file name

      Keep the faith buddy...
    ]

at this point in time i am still crawling through the maze of hacking..

    [ Me too! Well, kinda. I'm at the bottom of a vodka bottle. Same difference though. ]

reading books...looking through the articles at your site and spending endless nights on the comp throwing commands at computers i get in to and dont know what i am in for.

    [ c:\dos> root
      Bad command or file name

      c:\dos> give actionman root
      Bad command or file name

      c:\dos> password root actionman
      Bad command or file name

      c:\dos> FUCKFUCKFUCKFUCKFUCKFUCKFUCK
      Bad command or file name

      c:\dos> whyamisolameohgodpleasesomeonekillme
      Bad command or file name

      c:\dos> ohgodimafourstarloser
      Bad command or file name ]

So far in my boring ass town from where i dwell.

    [ Huh? ]

Noone around here does what us Elite personnel do and it bothers me.

    [ By `us` I am going to assume you mean anyone but myself and Phrack staff. Actually, I am going to demand it. ]

It bothers me that i cant hang with someone.

    [ Maybe you should try to make some friends Action Man! Your life can't be all hacking and saving the world and riding around on a Harley! ]

I have to do it the hard way and that way is alone.

    [ Get used to it. ]

Hopefully you can recrute me into the world of Phrack.com

    [ I think it's time for an intervention. Get yourself a sponsor. ]

Thank you

- Action Man

0x0e>-------------------------------------------------------------------------

I Started my search today for revenge.

    [ Did you look under the bed? Whenever I'm trying to find something, like the T.V. remote, it's usually under the bed. ]

My goal to learn to hack or talk a bored halker into helping me hack my ex's computer.

    [ Check out action man, I hear he's pretty damned good. ]

After reviewing sites that you have made of 'how to hack' I see that what you do isn't as easy as one might first mistaken.

    [ It takes many many many hours to get this good. I'm talking dozens. ]

As far as my goal I now see it wouldn't do any good or accomplish shit.
So thanx for making all this info available to a peon such as myself.

- Z-taj

    [ Wow, that was easy. I wish everyone gave up that quickly. ]

0x0f>-------------------------------------------------------------------------

How to make a Drano Bomb by the Fellow Felon

WARNING!!!!!!: This Article is Intended for Educational Use Only!!

    [ WHICH IS IRONIC GIVEN ITS SOURCE! ]

The Unabomber Staff is NOT responsible for any misuse of this information!!

    [ Cretin. How do you misuse bomb creation plans? Isn't the intention to blow something up? ]

Setting these off within city limits is a crime and you Probably will get caught.

    [ Not to mention the idiocy factor. ]

Enough of that. A Drano Bomb is a simple way to scare the hell out of anyone. It sounds like a Shotgun Blast.

    [ How about a real shotgun? When fired, it sounds more like a shotgun blast and will scare more people. ]

First however, you must obtain some aluminum foil,

    [ Foil, as we all know, can be tricky to track down. I've found that it usually runs in herds, and on a hot day foil herds tend to gather near lakes or rivers. One well placed head shot will bring your foil down. Course, then you gotta clean it... If you can't obtain this foil, do the next best thing and use your mom's best china. ]

"The Works"-a toilet bowl cleaner, and a 20 ounce Pop bottle. You can use any toilet bowl cleaner as long as it says somewhere on ther bottle, "WARNING!!-CONTAINS HYDROCHLORIC ACID!!".

    [ Ok. Enough of this crap. Had I left this entire letter in, some retard would probably blow his dick off and somehow, I'd be liable. ]

0x10>-------------------------------------------------------------------------

hey, u got some real nice info here.

    [ Hey man I've got some real nice *everything* here. Take only pictures, leave only footprints. ]

i used a few of the ideas for revenge and thanks alot for posting it.

    [ People like you make people like me want to own guns. Well, _more_ guns... more ammunition anyway...
    ]

it really sucks that the punk ass govt. wants to take all this shit off the net.

    [ The `punk ass` government rounds people like you up by the truckload and sticks them in pens to barter with the aliens who frequent our planet. "Ok, how many do you want this time to NOT enslave our entire race...?" Just remember to lift at the knees. ]

u know it all stems from fear that the public will finally rise up and take control.

    [ Or that retards like you will try to build a draino bomb and blow off his dick. I say go for it. ]

anyway, i'd really appreciate it if u come across anything having to do with phuckin up cars or things that go "kaboom" let me send them my way.

    [ PLEASE DON'T BREED. ]

hey, don't send the files here please. i phucked up on the address. send it master23@collegeclub.com. thanks. the other site is open to a few other people. it would be best for me if they didn't see it.

    [ DON'T BE A PUPPET TO THE MAN! Stand up for yourself! ]

- master23

    [ Hey, any relation to master22? He was in my shop class. ]

0x11>-------------------------------------------------------------------------

Hi there ! I read, that you are good informated in hacking stuff, IP's...

    [ I know a thing or two about a thing or two. ]

My question is: I made a bet with a friend, that I'll hack to his computer.

    [ A rousing game of cat and mouse! You rogue! ]

But there fore I need his IP.

    [ What do you mean my horse is out of gas? ]

I have already tried much things but all did fail, do you know a procedure to get his IP, he has got while he is online without NetBus or IRC ? I thought of finding out his DNS, or are there other ways to reach my aim ? CU & olease write back !

- Kerstin

    [ Kerstin.. That's a cute name. Hrm.. I bet you're cute. In fact, I think we might have a lot in common... Although.. Hrm.. Now that I think about it, your spelling and broken English are just queer enough that you're probably from a country where Kerstin is a guy's name...
In which case, I'm going to have to ask you to leave. ] 0x12>------------------------------------------------------------------------- WHAT IS THE REASON OF THE HOW TOO INFO ON THIS SITE. [ OH MY DEAR GOD, IT'S WALKING CLOSER GUYS! ] DO KNOW WHAT YOU ARE DOING TO OUR CHILDREN. [ Don't tell anyone, but I heard it was television and radio. And the rap music. ] SOMEONE TOLD ME TODAY THAT THIS THURS. IS BLOW UP YOUR SCHOOL NATIONAL HOLIDAY. [ I'm willing to bet that you're one of those people who gets dismissed in shame because that "ability to differentiate fantasy from reality" part of your brain doesn't work quite right. ] THEY TOLD ME CHECK THIS SITE OUT. [ Well then! Even though you're an asshole, apparently your friends aren't. ] I CAN NOT BELIEVE WHAT I HAVE READ. [ You're talking about proof reading your email before sending it, right? Or maybe your broken caps lock key? ] I AM SICK AT MY STOMACH!!!!!!!!!!!!!!!!!!!!!!!! [ Let's say this Twinkie represents the normal amount of psychokinetic energy in the New York area. According to this morning's PKE sample, the current level in the city would be a Twinkie 35 feet long weighing approximately six hundred pounds. That's a big Twinkie. ] WHAT IS THE PURPOSE PLEASE LET ME KNOW. I CANT FIGURE OUT 1 SINGLE REASON. JUST SICK........... [ I think you have the wrong number. What number were you trying to dial? ] - Tracy. 0x13>------------------------------------------------------------------------- Please help me. I tested neptune program in linux kernel 1.2.8. Target host's OS is Redhat 5.2. But!! TCP SYN flooding cannot!! Unreachable host address was 1.0.0.1 Target port was 23 SYN number was 100 ~ 10000000000. After runningBut!! Connection established!! Why?? [ Yoda needs to lay off the DOS attacks. ] 0x14>------------------------------------------------------------------------- i need help hacking into the university of texas' system. any information at all would be helpful. 
i need to change my grades before the report cards come out. thanks. - christina i really need some help changing my grades. i got ot the university of texas at austin. if i fail i'll get kicked out of ut and my house. any information would be very very helpful! thanks. [ Did you just stutter or was that a double-dose of stupidity? ] - christina [ Hrm... Well muh dear, let's talk trade. Why don't you come on over Friday night, at say, 9ish? I'm sure we'll be able to work something out... And if you DO end up getting kicked out of your house... You can always stay at the Phrack Compound.. ] 0x15>------------------------------------------------------------------------- I am looking for a very simple and easy to follow recipe for the synthesis of amphetamine.... Anytype..... As long as it is relatively easy to follow..... Many thanx in advance [ Ah yes. The lame legacy of Phrack past. Drug creation. Whoo. Dude. Get a fucking job and move out of your parent's basement before you blow it up with your ghetto drug lab attempt. ] - Blonk 0x16>------------------------------------------------------------------------- Hi, I was wondering if you would be able to place more articles about Australia. I am Aussie and would like to learn more about the systems in place over here. [ HEY! DO YOU KNOW STEVE IRWIN? I heard once he got eaten by a crocodile and then, 2 weeks later, he climbed out of the croc's mouth and conked him on the head and then took him to a wildlife preserve! ] Thanks for your time, - King Kon 0x17>------------------------------------------------------------------------- Editor's of Phrack.. Hey, I was wondering if you would publish a lil information on my BBS.. [ YOU GOT IT LAD! Hey, if I telnet over there, is there a pot of gold waitin' for me? ] I've been running my BBS since 10/30/99 without Too many users and with only a few daily callers.. and I'm looking for a way to get my BBS out in the public, as well as the underground public.. 
I read Phrack, and know that Alot of other ppl do as well. So I thought I
would ask. Anyhow I need to run, if your intrested in helping me out, contact
me at this Email address or you can telnet to my BBS.

The Leprechauns Lair BBS
Telnet: tllbbs.dyns.cx port23/ANSI
Dialin: (540) 636-6417 28.8, 1-N-8/ANSI

-Leprechaun Boy/SysOp of TLL BBS

0x18>-------------------------------------------------------------------------

selling cds to their owner: part 1: record store
by:con-x

1: start by pealing off all stickers (including magnettic strip) from the
most expensive cds you can find.

[ Like `Yanni's Greatest Hits` and `The Carrot Top Collection vol. 11`? ]

note: 1; the more cds the more money- 2; the bigger the record store the
better.

[ Note: _more_ money is good because money can be exchanged for goods and
services. Also note: shoes are good because they protect and cover your
feet. ]

2: get a friend to get a bag from the store that you are scaming. have your
friend stand infront of you. pretend to look at cds wile sliping the ones in
the bag.

note: 1; beware of all the cameras around you. 2; dont get cought.

[ Note: getting "caught" would be bad because you would go to jail and not be
able to

3: go up to the counter and say- "my mom bought thease cds for my birthday
but I can't use them, can I get any refund for them?"

note: 1; accept any half price and/or voucher offers-the less conversation,
the less they will know you the next time.

[ Plus, since you don't know that many words, it helps to keep the jabber to
a minimum. ]

2; this rarely happens but if you get caught, signal your friend to run up
and say "excuse me, don't accept those cds- I just saw some guy trick him
into returning those for him. I think that they were not paid for. if
anything you should bust that guy over there because HE'S the real
criminal".

[ Ah! The old switch-aroo! How elegant! The only problem is that trick only
works in cartoons and sketch comedy. Your sources have betrayed you. ]

4: most times they will only give vouchers. sell the vouchers to someone in
the store who's buying cds. say- "excuse me, are you buying any cds?" not all
the time will they say yes to this text part- "I have some vouchers that I
can't use because I am going on vacation are you willing to trade money for
some of them?"

[ Because you're going on vacation? They're CD's, not milk dumbass. They're
not going to spoil. ]

now you have free money!!!

[ With which to buy more cases of Pabst Blue Ribbon and more blocks upon
which to put your car. ]

con: tricking the store to give you money for their cds.

[ SO THAT'S YOUR GAME! I suspected.. But you kept it so cleverly hidden up
until now. ]

goodside: this con is untraceable!!! they notice that they are loosing
money. --they have not been robbed--they still have the same amount af

[ Try telling that to judge. ]

cds--they think that they are gaining money by returning cds--you have got
nothing to loose!!!!!!!

[ In your case, that might be true. Rock bottom IS rock bottom. ]

badside: getting cought-this happens when you peeloff stickers and slip the
cds into the bag-if you don't get cought, then you will be fine.

[ It's "C-A-U-G-H-T" you cantankerously dimwitted Carolyn meinel-esque ...
uh.. Tool. ]

the earnings: I got $50.00 to $80.00 a day!!!

[ Yes, but this money is income from the insurance settlement (never let your
children drink bleach and ammonia and then jump up and down). ]

if you do it 2 or 3 times a day (or more) at different stores, you could get
$100.00 to $200.00 easily!!!

[ Or you could get a real job. ]

- con-x

0x19>-------------------------------------------------------------------------

hi there!

[ WELL HELLO THERE! ]

Can you say to me what type of language have you used to make your counter
code?

[ Hrm. I dunno. My counters are all made out of little tiles. ]

Better, can you send to me this code for my experiements...

[ Not really. I have my computer hooked up to an abacus. Don't ask. It's
complicated. ]

Thanks for all

0x1a>-------------------------------------------------------------------------

Hello, friends, I want to congratulate you and tell you gon on, your stuff is
the best.

[ DAMN FUCKING RIGHT! ]

I need some direccions of www where I can find information about phreaking in
spanish, so I can read it more easily.

[ Well... Let's see.. There's the Lambada, the forbidden dance... It's pretty
freaky and scandalous.. Of course you can't go wrong with some Ricky Martin!
I hear the Latin women go bonkers for this guy! Positively nutso freaky
jiggy! ]

Thanks you very much, continue with your job!!

[ FULL STEAM AHEAD! ]

Rodrigo

0x1b>-------------------------------------------------------------------------

Storm# fake -s xxx.254.160.11 'echo /etc/inetd.conf >> 510 stream tcp nowait root /bin/bash /bin/bash -i -s'
Starting the remote shell exploit ... done!
Storm# fake -s xxx.254.160.11 'echo killall -HUP inetd'
Starting the remote shell exploit ... done!
Storm# telnet xxx.254.160.11 510
bash#

[ Hey. Great. Fake logs of someone not breaking into a false machine. CAN
YOU SPOT THE ERROR! ]

0x1c>-------------------------------------------------------------------------

hey there in one of your first articles in issue 2 or 3 you mentioned blow
guns well i have a few improvements that can be used to make them more
durable/lethal. such as easy to make poisons (numbing/sleeping/etc.) made
from everyday herbs (tried and true) farther range and ease of use.

[ OOOOOk. Rite. Just where do you people come from? Seriously. Are you bred
in some underground laboratory, run _by_ retards, _for_ retards? ]

them implication are easy to see such as annoying dogs being put to sleep etc
etc... :-) write back if you want some directions

[ `them implication`? Ah, let me guess. You're from the South, you never went
to school because you were `educated` at home by your cousin-mother. If the
natural selection club doesn't weed you out first, I'm sure you'll do it on
your own somehow. ]

0x1d>-------------------------------------------------------------------------

I have been reading phrack for some time now and am completely pissed off
with the total lack of good hacking suggestions.

[ This isn't a fucking craft store. Don't expect us to assemble the thing
just so you can paint it and say it's yours. ]

I have tried to implement a number of these ideas, and they just dont work
against my web site (http://www.XXX.govt.nz) even though it is on NT and is
protected with a minimal amount of security behind a borderware 5 firewall.

[ "Hi. I'm coyly trying to get a site targeted that isn't my own". ]

perhaps you can try and hack my web site and prove me wrong!

[ Perhaps I can try and dig for oil in my backyard! Not likely. ]

yours in frustration

[ Mine in ambivalence. ]

- Brian A. Scott
Internet Security Consultant

[ No you're not. ]

0x1e>-------------------------------------------------------------------------

Alright, a device I thought up that I have never seen plans for online (save
my own shitty pages) is called the airhorn grenade. Basically, all that it is
is an ordinary airhorn with some tape over the trigger so that it can be
thrown into someone's yard, preferably at night, and wake up the whole
goddamn neighborhood while giving you ample time to run/drive/bike a long
distance away from the whole scene. Dogs will bark, police will be called.
Try to toss it into some bushes or other inaccessable area. This may not be
the most interesting and complex text, but I have faith that it is the first
to document the simple as hell airhorn grenade. I'm sure many people could
have thought this up themselves, but then I guess someone would have written
about it. Oh well. Have fun, and orcae ita.

[ MY GOD THAT'S BRILLIANT! Take a cut out of petty cash and buy yourself
something special! Tape! Who would have ever thought of something so
elegantly absurd! GENIUS! The simplicity is absolutely amazing and at the
same time subtly obtuse! Yes! WAIT!
It's more than that! It's actually less like genius and more like the idea
and/or sensation of slamming your penis in a dictionary or some other large
manual. ]

0x1f>-------------------------------------------------------------------------

not really sure how to address you...

[ The Sultan of love. ]

I have made a big mistake.

[ If you're here, you must have done something wrong! ]

I crashed my computer with out having any information on how to bring it back
up.

[ Did you try an encyclopedia? They have lots of good information! ]

My computer doesn't want to access the cmos or anything but the a-drive.

[ Well, you need to show it who's boss! This is the `break-in` process where
you make it your bitch. Just keeping slappin until it learns. ]

I have contacted zenith data systems and they don't have the disks anymore.

[ BASTARDS! ]

If you or anyone you know has some type of disk or file or any information on
how I can bring this computer back up. I would really like to do it myself.
You know to see if I can.???

[ Yes, let me consult my vast database of CMOS burning utilities. Give me
some time, it's kept over at my mansion in the Hamptons. ]

Thank you for you time and expertise.

Sincerely,

- Mitch Rhymer

[ Dude, is that your hip-hop name, or your real name? ]

0x20>-------------------------------------------------------------------------

Hi,

I recently visited your site and was amazed at the information and articles
you had archived. I am a man of curiosity and am in search of information
that the government would rather an "average" citizen not have. I am not a
Fed or any type of law officer or such, I am truly just interested in
obtaining "security" of my liberty. Most the stuff on your site is Greek to
me, (hacking systems, etc.). Do you know of any great sites that are
controversial that inform the average Joe. I found your page by searching
"anarchy." Let me give you an example of what I am looking for and maybe that
will help you since my request is so broad. The government would rather all
of the citizens no own guns, bombs, etc., (in fact, I believe the whole David
Karresh/Waco, Texas thing was because Big Brother was uneasy with the arms
they were storing). I don't need conspiracy groups, but I want as much info
as I can get before the Government starts regulating us over the internet -
and you know it will soon come to that!

Thanks if you can help!

- Darryl

[ Ok. Darryl. I want to talk to you for a minute. Yes, it's ok.. Cmon out
from under the bed. Put down the flashlight and take the pot of your head.
It's time you come to terms with the delusional episodes that tear through
your life. They're ruining your otherwise mundane life. Your father and I are
going to get you back on your program. Yes. I know. The shots hurt, the
medicine tastes horrible and the shock therapy is rough. But it IS for your
own good. We just don't want another breakdown like the time you held Ms.
Lancaster hostage for 3 days because you thought she was 'stealing your
thoughts'. ]

0x21>-------------------------------------------------------------------------

if you have can you send me illegal credit card number ?

[ Try: 8921-129-123939-989450-129586-98489-129094-09102-03209-3. Expires
05/03. ]

thanks

- jeremy15

0x22>-------------------------------------------------------------------------

hi..i wonder if you could take time to answer a question for me,it would be
most appreciated..I was contacted by a girl on ICQ and she asked if she could
send me a picture..after the picture had been sent,this girl proceeded to
tell me what i had on my desktop, which sites i had visited,what files i had
on my computer,then she started deleting files from my hard drive...can you
tell me how she got access to my computer and how i can stop this in future..

[ Jesus H. Christ. This just goes to show you... If I've said it once, I've
said it 1000 times: STAY THE HELL AWAY FROM GIRLS ON IRC/ICQ/AOL CHATROOMS.
Lord knows I've learned MY lesson. ]

many thanks

- A.Bramley

0x23>-------------------------------------------------------------------------

Will you help me?

[ In all likelihood, no. ]

E-mail back and I will give the info you need to assist me.

[ I have all the info I need right here --> > . <. ]

It is crucial that I get help. My schooling depends on it.

[ This sounds like a job for "SHOULD HAVE FUCKING STUDIED". ]

MESS WITH THE BEST DIE LIKE THE REST!!

[ You're so going to be on welfare when you get older. ]

- ACIDBURN

[ Elite handle `cos it's true! ]

0x24>-------------------------------------------------------------------------

i'm sorry if i have written to the wrong person.

[ Hey man, if you've made it here, you're definitely talking to the right
guy. ]

but i really need help hacking into someones personal computer.they have some
info in their icq programme and their e-mail about me that will eventually
screw me over.

[ Well, that's what you get when you netsex little boys and girls. Shame on
you Richard. ]

i just need to know how i can access their comp to either wipe out the entire
hard drive or just the desired info.... i have the e-mail address of the
person mentioned and their ip number..that is it...please help if you can....

- richard

0x25>-------------------------------------------------------------------------

you know your phrack archive article no.2, p2-4? (the one on blowguns by the
pyro.) i have no idea on how to make the darts right. i read the phile over,
and over, but i can't get a picture in my mind on what to do next, can you
please tell me where i can get some pictures

[ Ok. How about this: >oo-- Or this one: }==> ]

or something that can tell me better?

[ Do you mean like a priest? ]

or if not, can u help me? i would really appreciate it...thanx for your time!

0x26>-------------------------------------------------------------------------

congrats on the great page, (as if you dont hear that enough) i read you made
it to tv, will that highten security on your page? most places have
disclaimers saying if you dont meet the standards dont enter,

[ We have one saying `you must be this tall to hack this site`. And then
there's a jpeg of a midget holding a pickle. ]

i find yours doesnt, i was wondering if you being on tv, could risk you
losing the page,

[ Well, I kept it throughout my 18 month stint on `The Facts of Life` so I
don't why see this should be any different (I played Tootie's boyfriend who
had a secret life as a gay circus animal trainer. Towards the end of the last
season though, ratings dropped so they had me eaten by a bitchy llama). ]

try not to make me look like a total ass

[ I can only do so much, Ben. ]

- ben

0x27>-------------------------------------------------------------------------

hi my name is Zero X9. I am in desperate need of help.

[ Bro, go to a doctor. Rashes 'down there' are nothing to fool around with.
You'll know better to 'look not touch' next time you see a dead animal. ]

i have a computer swiped from a local school that has At Ease on it. i either
need a place to get an overwrite password or Dis Ease 1.0.

[ My advice is to return the computer you fucking vandal. ]

Thank you for your time.

Sinceraly,

- Zero X9

0x28>-------------------------------------------------------------------------

I wonder if you guys can help me. I'm trying to hack into a certain
individual's e-mail --I have everything I need -- except the password and
unfortunately I Don't know an easy way to generate the correct one Is it
possible to get in through the web?-- I do not have direct access to the
server--only a dial up connection.

[ SWEET FUCKING CHRIST MAN! DO YOU THINK IT'S JUST THAT EASY? If it was we
wouldn't be making the millions we do and sexing up super models. FUCK. DON'T
TRIVIALIZE IT. ]

PLEASE Can you help me.

[ Get a job. ]
0x29>-------------------------------------------------------------------------

this is how to make a flame thrower out of a squirt gun

[ This is how to set yourself, your sister and your shanty on fire. ]

items:
super soker (doesn't matter just use what you have or wanna get)

[ Huh? What I have or wanna get? That's a pretty vague instruction. I want my
money back, this kit is bunk. ]

gas/or flamable liquid
a lighter (the grill ones that have the red handle and the long black thing
at the end)

[ Hrm. I thought the long black thing with the red handle was something else.
Maybe I'm thinking of some other prod-like instrument. ]

tape

how to make:
its easy!!! tape the lighter to the barrel part of the squirt gun (where ever
it fits best) fill the squrit gun with the flamableliquid of your choice and
its done

how to use:
pump it up press the button on the lighter(so it turns on thats a givin) then
point shoot

tip: use oil to make it thicker (not too thick or it won't come out) and it
will stick better to where you shoot it

0x2a>-------------------------------------------------------------------------

Hi I love your magazine, and hacking a lot, so instead of calling myself a
hacker I call my self a Phracker may i have the permission to do that,
please?

[ No. Go rm yourself. ]

0x2b>-------------------------------------------------------------------------

Goog morning!

[ Goog afternoog! ]

Sorry for my very-bad-english: that's because I'm mailing from Spain,

[ That's still no excuse. Even that Spaniard from the Princess Bride spoke
pretty good English, and he spent his whole life sword-fighting. ]

where people speak a strange language called Spanish.

[ Other people's cultures are funny! ]

OK, now I've learned some new words, appart from fuck, shit, ass, snot, and
milk twice,

[ I see they're pretty up to date there in European schools! ]

so I think in this moment I'm able to send you this apocalyptic mail.

[ Oops! Moment's passed. Email is now slightly less than dire, and maybe a
tiny bit foreboding. ]

Well, i'm searching some revolutionary method to produce a substance called
speed (metamphetamine)

[ Dude, didn't you see that movie "Go"? All you need is to sell aspirin and
cold tablets to thick-headed suburban kids. ]

beggining from a nose inhalator (Vicks in my country), and I've listened
somewhere that is explained in a magazine called "Prhack".

[ Prhack is our marketing arm. They take care of all of the t-shirts mugs,
mouse-pads, feeted pajamas, muzzles, and garrote wire. ]

I haven't found this name in a magazine so I guess that should be the
incredible "Phrack" Magazine. Is it true?

[ No, no, no, Phrack is widely touted as `inedible`. ]

If the answer is afirmative, please tell me in what number appears, or
directly the explanation.

[ Magic 8-ball says `0`. ]

Thank you very much!!!

0x2c>-------------------------------------------------------------------------

Exactly who is this loser who has nothing better to do than screw with people
trying to earn a living??

[ Initially, I had no idea what the F you were talking about. So, in the
interest of time-wasting, I dug a bit. The article you refer to, but
conveniently don't quote or mention, is P45-19. Next time, at least drop a
URL to the article in question. I now have no choice now but to ridicule you.
Granted, I probably would have done it either way, but now I feel
justified. ]

I realize that this is an old, archived article, but come on.

[ Well then maybe you should have quoted or referenced it in some way so
people would know what the hell you are talking about. ]

This stuff is asinine, petulant, childish,

[ You forgot fatuous, fractious and puerile! And smackdab-u-licious! ]

"I'm pissed off at the world because my daddy didn't buy me a BMW" shit!

[ I'm pissed at the world because no one has taken my idea for using hair as
currency seriously. I mean, think about it.. We could all grow our way into
financial independence! Of course the alopecians among us would be a bit
impoverished... We could make them our slaves! ]

And the part in the last paragraph about "molesting kids in the playland"
reveals his pedophilic nature.

[ Maybe he meant `bolstering kids in the playland`. So, in actuality he was
completely supportive of their whimsical nature. That's what I think he
meant. ]

Maybe he should be placed in the local "pen" and have "Bubba" teach him all
about the birds and the bees.

[ FOUL! Unnecessary use of excessive quotation. 100 yard penalty. ]

Oh, and nice disclaimer, by the way.

[ Thanks man. I worked on it myself. ]

Releasing yourself from legal ramifications does nothing for the moral side
of the issue.

[ Morals are subjective and vary from person to person. ]

Are you pedophiles??

[ I'm an audiophile. Is that the same thing? ]

Is John Wayne Gacy on your staff??

[ John Wayne Gacy is dead, moron. Furthermore, I do believe Gacy was a bit
more than a pedophile. He murdered 33 people. Phrack staff collectively have
only about 7 under their belts. ]

Entertainment purposes?? Who the hell are you trying to entertain??

[ Ourselves first. Everyone else, second. ]

Cybergeeks whacking off to pictures of six year olds??

[ Hey man, what you do on your own time is your own thing. We at Phrack
subscribe to the `don't ask and for the love of god don't tell` policy. You
sick, sick man. ]

Claim no responsibility??

[ With Freedom comes responsibility. ]

Then why the hell post the article?

[ *shrug* I didn't. Look at the date. It's more than 5 years old. Who the
hell are you ranting to? Certainly no one that cares. I wasn't even at the
helm back then. Cry someone else a river. ]

Draw the line. There is no comedic value in telling people to "molest"
children just to piss off McDonald's restaurant. If he doesn't like the
place, DON'T FUCKING GO THERE!!!!! And don't publish articles of this nature
if you don't want to be grouped with the author as an advocate of twisted
behavior.
[ If YOU don't like the magazine or its contents, DON'T FUCKING READ IT. ]

------------------------------------------------------------------------------

----[  EOF


-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 03 of 19  ]


-------------------------[  P H R A C K     5 5     L I N E N O I S E  ]


--------[  Various  ]


0x01>-------------------------------------------------------------------------

SecurPBX using SecurID
by pbxphreak

      .---------------.
      |   .--------.  |
      |   | 037592 |  |
      |   `--------'  |
      |    SecureID   |
      `---------------'

SecurID Token:
-------------

The SecurID token provides an easy, one-step process to positively identify
network and system users and prevent unauthorized access. Used in conjunction
with Security Dynamics server software, the SecurID token generates a new,
unpredictable access code every 60 seconds. SecurID technology offers
crackproof security for a wide range of platforms in one easy-to-use package.

Highlights:
----------

- Easy, one-step process for positive user authentication
- Prevents unauthorized access to information resources
- Authenticates users at network, system, application or transaction level
- Generates unpredictable, one-time-only access codes that automatically
  change every 60 seconds
- No token reader required; can be used from any PC, laptop or workstation,
  ideal for remote access and Virtual Private Networks
- Works seamlessly with ACE/Agent for secure Web access
- Tamperproof

The Solution:
------------

For a sophisticated hacker or a determined insider, it doesn't take much to
compromise a user's password and gain access to confidential resources. And
when an unauthorized user enters a supposedly secure system, all privilege
definition and audit trail functions become virtually meaningless... in
essence, the damage is done. Single-factor identification, a reusable
password, is not enough. To identify and authenticate an authorized system
user, two factors are necessary.
Factor one is something secret only the user knows: a memorized personal
identification number (PIN) or password. The second factor is something
unique the user possesses: the SecurID token. Carried by authorized system
users, SecurID tokens, available in three models, generate unique, one-time,
unpredictable access codes every 60 seconds. To gain access to a protected
resource, a user simply enters his or her secret PIN, followed by the current
code displayed on the SecurID token. Authentication is assured when the
Access Control Module (ACM) recognizes the token's unique code in combination
with the user's unique PIN.

Patented technology synchronizes each token with a hardware or software ACM.
The ACM may reside at a host, operating system, network/client resource or
communications device, virtually any information resource that needs
security. This simple, one-step login results in crackproof computer security
that is easy to use and administer. The tokens require no card readers or
time-consuming challenge/response procedures. With SecurID tokens, reusable
passwords can no longer be compromised. Most importantly, access control
remains in the hands of management.

SECURID PINPAD:
--------------

An added level of security can be implemented with a SecurID PINPAD token.
The PINPAD token enables users accessing the network to log in with an
encrypted combination of the PIN and SecurID token code. Using the keypad on
the face of the PINPAD token, a user enters his or her secret PIN directly
into the token, which generates an encrypted passcode. This additional level
of security is especially appropriate for users in application environments
who are concerned that a secret PIN might be compromised through electronic
eavesdropping.

SecurID tokens are ideal for any environment. The original SecurID token
conveniently fits into a wallet like a credit card.
The SecurID key fob offers a new dimension in convenience to those customers
requiring high levels of security in multiple environments, along with
compact size and durability. In addition to providing the same reliable
performance in generating random access codes as the original SecurID token,
the SecurID key fob comes in a small, lightweight format.

SecurPBX
--------

Ok. Plain and simple. SecurPBX is a product to protect PBX systems worldwide
and automated Help Desk functions. SecurPBX provides remote access security
for telephone lines, modem pools, voicemail ports, internet access lines, and
the maintenance port on PBX systems. Used in conjunction with Security
Dynamics SecurID, SecurPBX protects valuable PBX resources from remote access
by unauthorized callers without compromising the conveniences of remote
telephone and data access to teleworking or traveling employees.

Callers dial specific numbers on the PBX for long distance services. As an
adjunct to the PBX and a client to the server, SecurPBX receives the caller's
request for resources. Functioning as a client, SecurPBX requires remote
callers to provide SecurID user authentication and an authorized destination
telephone number before being transferred to the desired resource. SecurPBX
transmits the credentials to the server for authentication and simultaneously
validates the telephone number against user-specific permissions and denials.
SecurPBX integrates with the PBX to process the call based on the validity of
the caller via SecurID and the destination number attempted.

                                   .----------.
                                   |  SERVER  |---- -x- <-- Security
                                   `----------'        |
                                                       |
      .--------------.                                 |
      |  | 037592 |  |         ,-----.          .-----------.
      |  `--------'  | ------- | PBX | -------  | SecurePBX |
      |   SecureID   |         `-----'          |   Switch  |
      `--------------'                          `-----------'
              |
      ---------------
           Users

Each SecurID card is a visually readable, credit card sized token or key
which is programmed with Security Dynamics' powerful algorithm.
Each card automatically generates an unpredictable, one-time access code
every 60 seconds. The token is convenient to carry and simple to use, and is
resistant to being counterfeited or reverse engineered.

SecurPBX extends the secure working environment of an organization to remote
locations. SecurPBX applies user-specific calling restrictions before any
call is completed to prevent unauthorized toll charges and misuse of PBX
resources. The time of day, volume of calls per user, destination telephone
numbers (restricted to NPA and NXX) and customizable classes of service add a
vital layer to access security without compromising the convenience of having
remote access to telephone resources. SecurPBX logs all successful and
unsuccessful attempts, including the destination telephone number. Caller
ID/ANI, if available, also provides the origination telephone number,
pinpointing the location of the caller.

Highlights of SecurPBX:
----------------------

- Compatible with all major PBX vendor types.
- Cost effective remote access security for PBX resources.
- Prevents unauthorized access to valuable voice and data resources.
- Secures remote long distance, and an alternative method for replacing
  calling cards.
- Works in conjunction with each user's SecurID card.
- Centralized network authentication and security administration.
- Easy to use, voice prompting available in multiple languages.
- Audit trails and reporting assure true caller accountability.
- Caller ID/ANI option provides originating telephone number, identifying
  hacker locations.

SecurPBX operates in a Microsoft Windows NT environment. Callers and data
users achieve seamless access to PBX resources with validation data gathered
as efficiently as using a calling card and/or attempting a standard logon
procedure. In many cases, SecurPBX can be a calling card replacement and may
also be used with cellular phones to combat calling card fraud.
Fraudulent or suspect callers are denied access before toll charges and resource damage occur. Typically, securing a PBX from unauthorized remote access has required disabling remote access to the PBX. Using dynamic, two factor authentication through the server and validation of the destination numbers dialed, SecurPBX systematically locks out unauthorized callers, preventing toll, voicemail, and data fraud. This provides a secure access point for teleworking resources.

SecurPBX unique voice identification:
-------------------------------------

SecurPBX is a unique identification solution providing secure remote access to all major PBX or Centrex telephone systems. Protected resources include:

- Long distance lines and trunks
- Voice mail access lines
- Call centers
- Interactive voice response systems and audio response units

Access is controlled through positive identification of callers by their unique, individual voice prints. SecurPBX uses SpeakEZ Voice Print speaker verification technology to efficiently allow access to authorized callers while eliminating access by unauthorized callers. The SpeakEZ voice print system is recognized as the best in the voice verification industry today.

Significant investments in telephone resources simply cannot be protected by traditional static passwords or PINs. When making a telephone call from any telephone using your calling card number, the one condition verifiable as certain by the PBX or phone company is that someone is making a call with a known authorization code; however, it could be anyone. Casual calling by unauthorized personnel, recognized as a major misuse of corporate telephone resources, must be controlled if not eliminated. SecurPBX provides that capability to your organization.

SecurPBX provides reliable, independent two factor user identification and authentication. Factor one is something the user knows: a memorized personal identification number or password.
The second factor is something unique the user possesses: his/her own voice print. Each caller is required merely to speak his/her chosen password, which is compared to a stored voice print. The password can be in any language or dialect.

SecurPBX extends the unique user authentication provided by SpeakEZ Voice Print to include user-specific calling restrictions. Time of day, volume of calls per user, destination telephone numbers (restricted by NPA) and customizable classes of service add important layers of access security without compromising the convenience of remote access to telephone resources.

Highlights:
----------

- Compatible with all major PBX vendor types and Centrex
- Cost effective remote access security for PBX resources
- Prevents unauthorized access to valuable voice resources
- Secures remote long distance
- Non-intrusive security, callers are validated by their own voice prints
- Language independent passwords
- Centralized authentication and security administration
- Easy to use, voice prompting available in multiple languages
- Audit trails and reporting assure true caller accountability
- Multiple voice prints available per user

Remote Access Security Solution:
-------------------------------

Optionally, after authentication, SecurPBX administrators can manage user permissions and denials from either the same SecurPBX workstation or from another workstation connected via a LAN or remotely by modem, in a Windows friendly environment. Long distance callers achieve seamless access to PBX outbound trunks with validation criteria gathered as efficiently as a calling card and as easily as talking to a telephone attendant. Fraudulent or suspect callers are denied access before any damaging toll charges can occur.

SecurPBX logs all calls, successful and unsuccessful, including the date and time, user ID, and destination telephone number.
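The decision flow the SecurPBX copy describes (both factors checked by the server, then time of day, destination and call volume restrictions, and every attempt logged with destination and ANI) looks like this as an added example in C. It is not SecurPBX's code. SecurID's code generator is proprietary, so token_code() is a hypothetical time-synchronous stand-in; the user record, the NPA/NXX prefixes, the ANI values and the log format are all constructed for illustration.

```c
/*
 * Added example (not SecurPBX code): a call-authorization decision of the
 * kind the text describes.  The user table, token function, NPA/NXX lists,
 * ANI values and audit format are all constructed for illustration.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define TOKEN_PERIOD 60u                 /* one code per 60 seconds */

typedef struct {
    const char *name;
    const char *pin;                     /* factor one: something the user knows */
    uint32_t    seed;                    /* factor two: secret inside the token  */
    int         hour_from, hour_to;      /* permitted hours of day [from, to)    */
    int         max_calls;               /* call volume limit per user           */
    int         calls_made;
    const char *allowed[4];              /* "NPA" or "NPANXX" destination prefixes */
} user_t;

enum verdict { ALLOW, DENY_AUTH, DENY_TIME, DENY_DEST, DENY_QUOTA };

/* Stand-in for the proprietary SecurID generator: a 6-digit code derived
 * from the token seed and the current 60-second window (hypothetical mixer). */
static uint32_t token_code(uint32_t seed, uint32_t now)
{
    uint32_t x = (seed ^ ((now / TOKEN_PERIOD) * 2654435761u)) * 2246822519u;
    x ^= x >> 15;
    return x % 1000000u;
}

/* Accept the current window and one on either side to tolerate clock drift. */
static int token_ok(const user_t *u, uint32_t now, uint32_t code)
{
    int d;
    for (d = -1; d <= 1; d++)
        if (token_code(u->seed, now + (uint32_t)(d * (int)TOKEN_PERIOD)) == code)
            return 1;
    return 0;
}

/* Destination is a 10-digit NANP number; match on NPA (3) or NPA+NXX (6). */
static int dest_ok(const user_t *u, const char *dest)
{
    int i;
    for (i = 0; i < 4 && u->allowed[i]; i++) {
        size_t n = strlen(u->allowed[i]);
        if ((n == 3 || n == 6) && strncmp(dest, u->allowed[i], n) == 0)
            return 1;
    }
    return 0;
}

/* One remote call attempt: both factors, then time of day, destination and
 * volume restrictions.  Every attempt is logged with destination and ANI. */
enum verdict authorize_call(user_t *u, const char *pin, uint32_t code,
                            const char *dest, const char *ani, uint32_t now)
{
    int hour = (int)((now / 3600u) % 24u);     /* treated as local time */
    enum verdict v;

    /* PIN and tokencode are judged together so a wrong guess does not reveal
     * which factor failed. */
    if (strcmp(pin, u->pin) != 0 || !token_ok(u, now, code)) v = DENY_AUTH;
    else if (hour < u->hour_from || hour >= u->hour_to)      v = DENY_TIME;
    else if (!dest_ok(u, dest))                                v = DENY_DEST;
    else if (u->calls_made >= u->max_calls)                    v = DENY_QUOTA;
    else { v = ALLOW; u->calls_made++; }

    printf("t=%u user=%s dest=%s ani=%s verdict=%d\n",
           (unsigned)now, u->name, dest, ani, (int)v);
    return v;
}

/* Constructed user: may call 212 and 617-555 between 08:00 and 18:00, twice a day. */
user_t demo_user = { "jsmith", "4321", 0x5EC0D1D5u, 8, 18, 2, 0,
                     { "212", "617555", NULL, NULL } };

int main(void)
{
    uint32_t now = 1000000u;                          /* 13:46 on the demo clock */
    authorize_call(&demo_user, "4321", token_code(demo_user.seed, now),
                   "2125551212", "4155550100", now);  /* ALLOW */
    authorize_call(&demo_user, "4321", 1000000u,
                   "2125551212", "4155550100", now);  /* DENY_AUTH: impossible code */
    authorize_call(&demo_user, "4321", token_code(demo_user.seed, now),
                   "9005551212", "4155550100", now);  /* DENY_DEST: 900 not permitted */
    return 0;
}
```

The two factors are evaluated as one passcode so that a caller probing the system cannot learn from the denial which half was wrong; the destination, time and quota checks only run once the caller is authenticated, which is the order the product copy implies (credentials to the server, then permissions and denials). Note that the audit line is written for denied attempts too, since the failed attempts with their ANI are what identify a fraud source.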
Depending on the PBX type, Calling Line Identification (ANI) may be used as part of the validation process and in those cases will also be logged. Log information can be exported to an external spreadsheet application or displayed in reports generated by the SecurPBX Administrator.

SpeakEZ Voice Print:
-------------------

SpeakEZ Voice Print Speaker Verification is a highly effective method of confirming a caller's identity. The service is based on the fact that each person's voice is uniquely different and, as a means of identification, is highly reliable. Speaker Verification is an application of the SpeakEZ Voice Print technology which compares a digitized sample of a person's voice with a stored model "voice print" of that individual's voice for verification.

- Authenticates the caller as opposed to information (i.e. a PIN) or a piece of equipment.
- Easy to use, language independent
- Safe: a voice print cannot be lost or stolen
- Cost-effective: does not require special hardware for the caller
- Virtually fraud-proof: a voice is difficult to forge

Applications of SecurPBX:
------------------------

- Secure Telecommuting (all valuable PBX resources)
- Call center user authentication
- Securing Interactive Voice Response (IVR) and Audio Response Units (ARUs)
- Help Yourself suite of products for help desk automation (ASAP(TM) - ACE/Server Administration Program - PIN reset, SecurNT - Windows NT password reset, E-Help Desk - Entrust/PKI(TM) profile recovery)

Technical Requirements:
----------------------

Telephony platforms : All major PBXs including Nortel, AT&T, Rolm and Mitel
Processor           : 100% IBM compatible PC, Pentium 133 minimum
Disk requirement    : Hard disk 1 gigabyte minimum, 32MB RAM for Switch Interface, Client software, 8 MB for Administrator software, actual storage based on size of user population
Capacity            : An unlimited number of users may be administered and issued SecurID Cards.
                      32 simultaneous voice channels per Switch Interface
Configuration       : Multiples of 4, 12 and 24 line telephone interfaces
Management          : SecurPBX Administrator includes extensive administrative menus in a user-friendly Windows 3.1 and 95 environment, real time monitoring and management of multiple PBX sites

Conclusion:
----------

SecurPBX is definitely the way to go to prevent your data and PBX systems from getting hacked and abused.

0x02>------------------------------------------------------------------------

<++> P55/Linenoise/ckludge.c !2231f4cc
/*                                                                          */
/* CKludge.C (Amiga)                                                        */
/*                                                                          */
/* If you are a PC user you can port this C source easily.                  */
/*                                                                          */
/* You might even want to use it to fix your fucking millenium bug...       */
/*                                                                          */
/* Ha! Ha! Ha! 2000 is nigh.                                                */
/*                                                                          */
/* Clock Kludge 1.0 by `The Warlock'                                        */
/*                                                                          */
/* This little patch will freeze your clock - useful if you wish to bypass  */
/* time restrictions imposed by many programs...                            */
/*                                                                          */
/* It works by patching the level 3 IRQ vector, vertical blank, to hold the */
/* complex interface adapter internal time of day clock registers to zero.  */
/* ($bfe801 = TOD lo, $bfe901 = TOD mid, $bfea01 = TOD hi)                  */
/*                                                                          */
/* Should work on all Amiga models.                                         */
/*                                                                          */
/* Handles relocated vector base correctly.
*/
/*                                                                          */
/* Compiling info: lc2 -v (disable stack checking so no need to use le.lib) */
/*                                                                          */

#include <stdio.h>
#include <stdlib.h>
#include "exec/types.h"
#include "exec/memory.h"
#include "exec/interrupts.h"
#include "hardware/custom.h"
#include "hardware/intbits.h"

struct Interrupt *VertBIntr;    /* our vertical-blank interrupt server node */
long count;                     /* bumped once per vertical blank by the server */

int main(void)
{
    extern void VertBServer();  /* assembled separately, see below */

    /* allocate an Interrupt node structure */
    VertBIntr = (struct Interrupt *) AllocMem(sizeof(struct Interrupt), MEMF_PUBLIC);
    if (VertBIntr == 0) {
        printf("not enough memory for interrupt server\n");
        exit(100);
    }

    /* initialize the Interrupt node */
    VertBIntr->is_Node.ln_Type = NT_INTERRUPT;
    VertBIntr->is_Node.ln_Pri  = -60;
    VertBIntr->is_Node.ln_Name = "Clock Kludge";
    VertBIntr->is_Data = (APTR) &count;     /* handed to the server in a1 */
    VertBIntr->is_Code = VertBServer;

    /* put the new interrupt server into action */
    AddIntServer(INTB_VERTB, VertBIntr);

    /* wait for user to type 'q' */
    printf("Type q to quit...\n");
    while (getchar() != 'q');

    /* remove interrupt server */
    RemIntServer(INTB_VERTB, VertBIntr);

    /* free memory */
    FreeMem(VertBIntr, sizeof(struct Interrupt));
    return 0;
}

/* the VertBServer might look like this (assembler, in its own source file) */

        XDEF    _VertBServer
_VertBServer:
        clr.b   $bfe801         ; clear TOD lo
        clr.b   $bfe901         ; clear TOD mid
        clr.b   $bfea01         ; clear TOD high
        move.l  a1,a0           ; get address of count
        addq.l  #1,(a0)         ; increment value of count
        moveq   #0,d0           ; continue to process other vb-servers
        rts                     ; must be rts NOT rte
        end                     ; eof
<-->

0x03>------------------------------------------------------------------------

<++> P55/Linenoise/IPChange.asm !85660240
*--------------------------------------*
*
* IPChange.Asm (DevPac) by `The Warlock'
*
* Nowadays almost all ISPs allocate dynamic IP addresses, meaning your IP
* address will change for each connection you make.
*
* On a shitbox PC, a reset causes the CD signal on the serial port to go low,
* meaning that the connection is lost and you must initiate another.
*
* On an Amiga, a reset does not pull the CD signal low, meaning that
* reconnection is possible.
*
* When you reconnect, your ISP allocates another dynamic IP address, so in
* effect, you have changed your IP address without starting a new connection!
*
* Create a batch file called ipchange.bat as follows:
*
*   echo > s:reconnect
*   wait 5
*   cpu nofastrom > nil:
*   ipchange
*
* Make the following additions to your startup-sequence:
*
*   if exists s:reconnect
*     delete s:reconnect > nil:
*     execute
*   else
*   endif
*
* Now, whenever called, ipchange.bat will reset, and automatically load your
* internet software for quick reconnection.
*
*--------------------------------------*

        opt     c+,d-                   case sensitive no debug
        section ,code                   code section

*--------------------------------------*

START   bra.s   MAIN                    call main

*--------------------------------------*

ID      dc.b    "$VER:IPChange V1.0 by `The Warlock!",0

*--------------------------------------*

        cnop    0,4                     32 bit alignment

MAIN    move.l  4.w,a6                  exec base a6
        jsr     -$84(a6)                call forbid()
        move.l  4.w,a6                  exec base a6
        jsr     -$78(a6)                call disable()
        lea     RESET(pc),a5            supervisor code a5
        move.l  4.w,a6                  exec base a6
        jsr     -$1e(a6)                call supervisor()

*--------------------------------------*

        cnop    0,4                     32 bit alignment

RESET   lea     2,a0                    kickstart rom jump vector
        reset                           kickstart rom remapped
        jmp     (a0)                    kickstart rom restarted

*--------------------------------------*

        end                             eof

*--------------------------------------*
<-->

0x04>------------------------------------------------------------------------

THE BULGARIAN PHREAK SCENE
^^^^^^^^^^^^^^^^^^^^^^^^^^

by TOKATA (firestarter)...

What to say about the Bulgarian phreak scene - is there really one?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hmmm... it's bad news - in Bulgaria there aren't any phreak-wise people at all... But almost every second fucked bastard who has a computer is interested in hacking. Bastards who don't know any programming language, whose hard drives are full of games, MP3s and porno JPG files, hang out on the Internet and download hacking programs.
They use them (or ask someone to show them how to work with them) and imagine they are superhackers. So Bulgaria is full of motherfucking lamers. We have an electronic underground magazine named "Phreedom Magazine", but hacking is its main theme. No phreak articles, because there aren't any phreak authors. So, read on...

Bulgarian phone system - the best phone system in the world! :)))
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hmmm... how to begin... err... So, 98% of our local tandem exchanges are SxS A-29 type (made by Siemens). A typical SxS exchange - no computerization, Strowger switches, sleeve. The line impedance is 600 ohms; the battery voltage is 60V on-hook and drops to about 10V off-hook. The loop resistance range is 0-1600 ohms, the loop current 15-100mA, but usually 40-60mA. A mini Bulgarian crossbar system (KRS-200) is used in some small villages (up to 200 subscribers). The transit national exchange is a "Crosspoint" (made by Siemens too), aka ESK-1000. The Crosspoint's switch is an ESK relay. ESK stands for Edelmetall-Schnell-Kontakt in German. "Crosspoint" is also used as a local tandem in some of the big cities. In Sofia (our capital) there is a transit international exchange, an MT-20 (by THOMSON - France). Also, a year ago our telco began to install real digital switching systems there. But the charges for these are terrible, and their subscribers are companies, offices and some bastards with a lot of money... and most of the capital's ISPs ;)

The cables are quite old, there is a lot of background noise in the handset, and the modem connections are terrible - with a 14.4K modem the average speed is 1000bps, and it drops you every 3 minutes. After rain no subscriber has a normal connection.

So number detection here is very hard. Here ONLY the calling party can drop the connection. So if you want to catch someone, you make a complaint to the telco. They put on your linefinder a device named the 'dog'.
That 'dog' acts on the switch contacts, so you can hold the connection. After that, you call the telco from the neighbors' and they trace the called party's number along the wires. But the 'dog' doesn't work on long distance conversations. Also we have ANI equipment, named 'AMUR' or 'SKAT', specially designed for SxS switches, but in the villages and very small towns there isn't any ANI. So with ANI the telco can catch you, but they don't use it for normal cases; I think you know 'why' ;))) But if you make a call from a different area the telco can't catch you even with the help of ANI :) But nobody knows that :( All the people think: "The telco CAN ALWAYS DETECT your number! There is no chance to mislead them". Blah, what idiots. Btw, I am trying to test forced ANIF here, so I hope to get it working. In my town (47 000 citizens) we have ANI equipment, but all the telco employees say it's used only for subscriber info. The billing information here is still collected with the help of photographs. No operator comes on my line when I flash the switchhook.

Signaling
~~~~~~~~~

I devoted 2 years to learning the signaling methods in Bulgaria, but:

1. There aren't good tech books about signaling. In some books it is mentioned quite cursorily. 70% or more of what I know about signaling I have learned from several Phrack articles.

2. Nobody from the local telco in my town knows anything about this. I talked with a few highly educated employees, but they knew less than me :(

Well, I have learned the following from the books (and from other places): N4 and N5 are used on international circuits, otherwise R2 is used. Well, I know that "Crosspoint" uses R2, but I'm not sure that the stupid A-29 (SxS type) uses the R2 signaling system. Also, I have read in a tech book that (!) R2 is an in-band signaling system. But we all know that this is not true, because the blow-off frequency for R2 is 3825Hz. The major multiplexing is FDM with 4KHz channels.
So if you whistle a 3825Hz tone into the microphone when speaking on LD, the other end will hear that. So we are trying to blue box with programs. If that succeeds, we will announce it :) But I think there are line and rejector filters at the end of our trunks, and the signal must be clean (a pure sinusoid). A telco employee told me he had heard about a 2100Hz signal, but he wasn't sure :( Can anyone help?

Our beloved Telco
~~~~~~~~~~~~~~~~~

So here the BTC (Bulgarian Telecommunication Company) was always monopolistic. Also they are now trying to occupy and take under full control all ISPs in Bulgaria. Local calls are not free and our rates are the highest in Europe. Our average salary is $100 and we pay $0.04 for each tariff unit. There are also standing charges and other things, and for comparison, if you use 200 units you'll pay $10. That's 12% of the average salary in the country!!! Also, if you dial from Canada to Bulgaria that'll cost you $0.80 per minute, BUT IF YOU CALL Canada from Bulgaria (btw we can't dial North America directly without operator assistance) that'll cost you $2.30 per minute he-he-he :)

So this year our telco is going to go private. There were 3 candidates to buy 51% of the telco's shares - a Deutsche Telekom/Turkish firm, Telefonica and the Dutch/Greek telcos. The price was $500,000,000. But Telefonica and DT gave up at the last moment. Maybe you can guess why? Nobody wants to throw his money at a telco that uses 98% SxS switches, where a big part of the people (70%) are poor and don't make many calls (under 100 units), in a country where you don't know what will happen tomorrow, etc...

So, as I've read about Argentina's telco, I can say the situation is almost the same. But here there is ONLY ONE company which controls everything - all the phones, pagers, a big part of the GSM network, all public phones, runs the only X.25 datapac network - BULPAC, they are also an ISP... Total monopoly!

The Laws
~~~~~~~~

Ha-ha-ha? What laws? Against phreaking?
There is no way :) Also nobody in Bulgaria understands what {the fuck} the term 'phreaking' means. And not just the ordinary people. If you are in the IRC channel #bulgaria and ask: "Hey, what does phreaking mean?", I'm sure that nobody will know. Up to now, I haven't heard about anyone getting busted for phreaking. Our telco (and all of their employees) think the system is unbreakable! But they do have a law about devices that are illegally hooked to the phone line. The first time you'll be warned about it, and the second time you'll be disconnected. But you pay the fee for a new phone ($100) and congratulations - you have a phone again :) So, our legislation doesn't contain anything about hacking, cracking, phreaking and all kinds of electronic fraud. In Bulgaria there is no term such as 'illegal software' or 'illegal access to someone's computer'.

The PayphoneZ
~~~~~~~~~~~~~

There is no good word to say about our shitty motherfucking telco, even for payphones. You think you can do red boxing in Bulgaria? Forget it! Our payphones are COCOTs and are used only for local calls! They are huge metal boxes :) fully mechanical, no fine electronics! You can see inside a capacitor like a hand grenade! The payphones worked with coins, but there were so many idiots who pulled their coins back out of the payphones with a thread (string). So our beloved telco went mad about this and replaced the coins with special phone tokens made by them, with rims, which made them impossible to take out ;). As I have said, the payphones are COCOTs - you take the handset, hear a dialtone, dial a number (pulse, with a rotary dial!!!), the called person answers... and then the polarity is reversed. A relay inside the phone notices that and after 3 seconds cuts off the mouthpiece... and the earpiece. Then the slot for the money opens and the coin falls inside. There is no such thing as coin return. There is a trick to make free (local) calls on these phones.
If you press the hook when the polarity is reversed, there is no current on the line at that moment, and because there is no current at that moment, the relay won't notice the answer, and it won't cut the mouthpiece and earpiece. Another trick is to unlock the phone and fill your pockets with coins :) Picking the lock on these is quite easy... There were also payphones for international and LD calls operating with money, but 10 years ago a big inflation began and these phones died. Now you would have to put in a lot of coins (2-5kg) to make a 3 min international call. So 5-6 years ago our telco installed two types of card phones: BetCom and Bulfon. BetCom is a British-Bulgarian company (GPT & BTC) and their card phones are magnetic stripe style. The security of these cards was too weak, so a few people began to make free phone calls. After 3 years of losing a lot of money to these frauds, BetCom installed new phones and changed the cards to electronic ones, but there are still many old phones :) You just copy the magnetic stripe of the card and there it is... The Bulfon phones are much more intelligent. They are the same as those in Argentina and Germany. The test signal is 16KHz, with a nice LCD display; they have buttons for several languages, for replacing exhausted cards, for signal amplification and other options. I forgot to say that both card phones use pulse dialing. They usually don't have a number on which to dial the card phone, but for a short time now the phones in the capital have had a number... and MF dialing. There was a very popular trick on Bulfon card phones with 2 cards - a full one and an empty one (but with at least 1 unit). You quickly push and pull the full card in the slot and the display begins to flash. After that you do this again and put in the empty card. The phone remembers the units from the first card and you talk for free. A big number of people became familiar with this and they began to use it with and without need.
And since our telco is mad about every lost penny, this feature got bombed out. Also I have heard that a few people recharge cards and make unlimited ones (a PIC emulator), but since I'm not a card phreaker I don't know much about it. But I know that the Bulfon exchange is very sophisticated and it's very hard to fool. For example, you can't dial more than 400 units with the same card from one card phone. And yet another funny feature - every night a built-in modem in the card phone establishes a connection with the Bulfon exchange and transfers info. Info such as how many units are used, the cards' serial numbers and much more (such as frauds). If you, for example, steal a few cards from the post office, the exchange sends to all the phones that cards with numbers 444 xxx xxx ... are invalid. Ahh... I forgot, the public phone cables don't go through PVC or metal pipes. But... on Bulfon (and I think also on BetCom) phones you can't just cut the wire and hook up a handset, because as you know the line device can't find the phone - when you pick up the handset on a Bulfon, the exchange sends a 16KHz test signal and the phone must answer with the same signal. The CPU of these is a 68HC11 (Motorola). Btw we have had a GSM network since 1995. Also we have a pager network.

Phreaking methods
~~~~~~~~~~~~~~~~~

As I have said, there aren't phreak-wise people in Bulgaria (but almost everyone is interested in hacking). A lot of falsely accused 'phreaks' do pitting - hooking a handset to a pair of wires or to the outside connection box. Phreak methods used by me are:

- forced 3-way calling = a kind of abuse of the structure of the connector. So, in my town the numbering is X-YY-ZZ. So let's imagine that someone called 4-33-28. I begin to dial 4-33 and when I hit the right pause after the 3rd digit it puts me into their conversation.
- free calling from local payphones = already talked about that.
- free calling on local and short haul calls - by dialing a chain of prefixes (such as in the UK).
I dial the prefix (NPA) of town X, and after that dial the prefix for another place and then the number. But not every exchange allows you to do that. Your exchange waits for a signal from exchange X that the called party has answered, but X waits for that too... But the connection is terrible... and after 3 minutes without metering on the trunk your telco cuts the connection ;( Also I think that black and blue boxing are still possible, but I haven't tested them entirely.

There are also "hidden" long distance numbers and prefixes, which are very useful in some cases (I have also found 3-4 of them), but nobody tries to find them :(

There aren't free numbers in Bulgaria, except those for police, fire alarm, hospital and the telco number for failure complaints, but they are ONLY FOR LOCAL DIALING! I have also discovered a method to call these as trunk calls, BUT... our phone system is made so that if on a trunk call there isn't a metering signal coming after 3 minutes, the call is terminated.

Some people with knowledge of electronics also make "free calls" through their neighbors' lines, but BTC is familiar with those methods and always checks the line (plus those of the neighbors) when a subscriber makes a complaint about a big bill.

In Bulgaria there are NO PBXes, voice mail systems, WATS numbers, call forwarding, call waiting, DTMF requesting, speed dialing and so on. About PBXes - some of our factories have PBXes, but I am still learning how to use/abuse them. In almost every town with more than 10 000 subscribers we have a conference phone, which can be dialed only locally (errrr... not quite true ;)) for 1 tariff unit per 3/5/10/30 minutes. But the stupid people don't know that and in many towns (such as mine) this phone is *forever* free. I have also heard about people who emulate the GSM SIM card to make free calls.

PHREAK'EM ALL!!!

0x05>------------------------------------------------------------------------

----[ PDM

Phrack Doughnut Movie (PDM) last issue was `Dark City`.
PDM54 recipients: I forget. I think Adam Shostack was definitely one. It's been a while though.

PDM55 Challenge: "Beware my wrath."

0x06>------------------------------------------------------------------------

----[ Super Elite People That Read Phrack (SEPTREP)

New additions:

Why they are SEP:

----[ Current List

W. Richard Stevens
Ron Rivest

-----------------------------------------------------------------------------

----[ EOF

-------[ Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 04 of 19 ]

-------------------------[ P H R A C K 5 5 P R O P H I L E ]

This issue we're doing something a bit differently. Normally, this file is reserved for the Phrack Prophile. However, this issue, we are instead paying homage to a recently deceased esteemed member of the upper echelon of the computer elite. This is our little way of providing a tribute to the most widely read TCP/IP author in history.

I first read Stevens in 1992. I still have that first edition UNIX Network Programming book sitting on my shelf. I learned a great deal from that book, but that was nothing compared to how much the TCP/IP Illustrated series taught me... I remember getting vol. I in 1994.. I still have that one too, all marked up with highlighters and whatnot... Before I knew it, I found myself firmly immersed in IP networks (I even read vol. II from cover to cover). I know I have Stevens to thank for sparking that interest in me. His death is a great loss.

There is also another reason why W. Richard Stevens is featured here -- he was to be the prophile for Phrack 55. I sent Richard email initially on August 31st asking him if he would have time to be profiled for Phrack 55. To my great delight (and somewhat to my surprise) he agreed! I emailed him the template, and sent him a follow-up email... The last I heard from him was on September 1st, telling me that he was pretty busy and needed some time to look it over. Sadly this is also the day he died.
These emails will not appear here out of respect for Stevens and his family. Instead, republished here is a copy of his obituary from www.bigdealclassifieds.com.

STEVENS, W. Richard, noted author of computer books, died on September 1. He is best known for his ``UNIX Network Programming'' series (1990, 1998, 1999), ``Advanced Programming in the UNIX Environment'' (1992), and ``TCP/IP Illustrated'' series (1994, 1995, 1996). Richard was born in 1951 in Luanshya, Northern Rhodesia (now Zambia), where his father worked for the copper industry. The family moved to Salt Lake City, Hurley, New Mexico, Washington, DC and Phalaborwa, South Africa. Richard attended Fishburne Military School in Waynesboro, Virginia. He received a B.Sc. in Aerospace Engineering from the University of Michigan in 1973, and an M.S. (1978) and Ph.D. (1982) in Systems Engineering from the University of Arizona. He moved to Tucson in 1975 and from then until 1982 he was employed at Kitt Peak National Observatory as a computer programmer. From 1982 until 1990 he was Vice President of Computing Services at Health Systems International in New Haven, CT, moving back to Tucson in 1990. Here he pursued his career as an author and consultant. He was also an avid pilot and a part-time flight instructor during the 1970's.

He is survived by his loving wife of 20 years, Sally Hodges Stevens; three wonderful children, Bill, Ellen and David; sister, Claire Stevens of Las Vegas, NV; brother, Bob and wife Linda Stevens of Dallas, TX; nieces, Laura, Sarah, Collette, Christy; and nephew, Brad. He is predeceased by his parents, Royale J. Stevens (1915-1984); and Helen Patterson Stevens (1916-1997). Helen lived in Tucson from 1991-1997, and Royale lived here in the early 1930's attending Tucson High School while his father was treated for TB at the Desert Sanatorium (now TMC).

The family asks that in lieu of flowers, donations be made in Richard's name to Habitat for Humanity, 2950 E. 22nd Street, Tucson, AZ 85713.
-- route

----[ EOF

-------[ Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 05 of 19 ]

-------------------------[ A *REAL* NT Rootkit, patching the NT Kernel ]

--------[ Greg Hoglund ]

Introduction
------------

First of all, programs such as Back Orifice and Netbus are NOT rootkits. They are amateur versions of PC-Anywhere, SMS, or a slew of other commercial applications that do the same thing. If you want to remote control a workstation, you could just as easily purchase the incredibly powerful SMS system from Microsoft. A remote-desktop/administration application is NOT a rootkit.

What is a rootkit? A rootkit is a set of programs which *PATCH* and *TROJAN* existing execution paths within the system. This process violates the *INTEGRITY* of the TRUSTED COMPUTING BASE (TCB). In other words, a rootkit is something which inserts backdoors into existing programs, and patches or breaks the existing security system.

- A rootkit may disable auditing when a certain user is logged on.
- A rootkit could allow anyone to log in if a certain "backdoor" password is used.
- A rootkit could patch the kernel itself, allowing anyone to run privileged code if they use a special filename.

The possibilities are endless, but the point is that the "rootkit" involves itself in pre-existing architecture, so that it goes unnoticed. A remote administration application such as PC Anywhere is exactly that, an application. A rootkit, on the other hand, patches the already existing paths within the target operating system.

To illustrate this, I have included in this document a 4-byte patch to the NT kernel that removes ALL security restrictions from objects within the NT domain. If this patch were applied to a running PDC, the entire domain's integrity would be violated. If this patch goes unnoticed for weeks or even months, it would be next to impossible to determine the damage.
Network based security & the Windows NT Trust Domain
----------------------------------------------------

If you know much about the NT kernel, you know that one of the executive components is called the Security Reference Monitor (SRM). The DoD Red Book also defines a "Security Reference Monitor". We are talking the same language. In the Red Book, a security domain is managed by a single entity. To quote:

"A single trusted system is accredited as a single entity by a single accrediting authority. A ``single trusted system'' network implements a reference monitor to enforce the access of subjects to objects in accordance with an explicit and well defined network security policy [DoD Red Book]."

In NT parlance, that is called the Primary Domain Controller (PDC). Remember that every system has local security and domain security. In this case, we are talking about the domain security. The PDC's "Security Reference Monitor" is responsible for managing all of the objects within the domain. In doing this, it creates a single point of control, and therefore a "single trusted system" network.

How to violate system integrity
-------------------------------

I know this is a lot of book theory, but bear with me just a bit longer. The DoD Orange Book also defines a "Trusted Computing Base" (TCB). If you are an NT programmer, then you have likely worked with the security privilege SE_TCB_PRIVILEGE. That privilege maps to the more familiar "Act as part of the operating system" user right. Using User Manager for NT you can actually grant this right to a user. If you have the ability to act as part of the TCB, you can basically do anything. There is very little security implemented between your process and the rest of the machine. If the TCB can no longer be trusted, then the integrity of the entire network system is shot. The patch I am about to show you is an example of this. The patch, if installed on a Workstation, violates a network "partition".
The patch, if installed on a PDC, violates the entire network's integrity.

What is a partition? The Red Book breaks the network into NTCB (Network Trusted Computing Base) "Partitions". Any single component or machine on the network may be considered a "partition". This makes it convenient for analysis. To quote:

  "An NTCB that is distributed over a number of network components is referred to as partitioned, and that part of the NTCB residing in a given component is referred to as an NTCB partition. A network host may possess a TCB that has previously been evaluated as a stand-alone system. Such a TCB does not necessarily coincide with the NTCB partition in the host, in the sense of having the same security perimeter [DoD Red Book]."

On the same host you may have two unique regions, the TCB, which is the traditional Orange Book evaluation for Trusted Computing Base, and the NTCB. These partitions do not have to overlap, but they can. If any component of one is violated, it is likely that the other is as well. In other words, if a host is compromised, the NTCB may also be compromised.

Obviously to install a patch over the TCB, you must already be Administrator, or have the ability to install a device driver. Given that Trojans and Virii work so well, it would be very easy to cause this patch to be installed w/o someone's knowledge.

Imagine an exploit
------------------

Before I digress into serious techno-garble, consider some of the attacks that are possible by patching the NT kernel. All of these are possible because we have violated the TCB itself:

1. Insert invalid data. Invalid data can be inserted into any network stream. It can also introduce errors into the fixed storage system, perhaps subtly over time, such that even the backups get corrupted. This violates reliability & integrity.

2. Patch incoming ICMP. Using ICMP as a covert channel, the patch can read ICMP packets coming into the kernel for embedded commands.

3. Patch incoming ethernet.
   It can act as a sniffer, but without all of the driver components. If it has patched the ethernet, then it can also stream data in/out of the network. It can sniff crypto keys.

4. Patch existing DLL's, such as wininet.dll, capturing important data.

5. Patch the IDS system. It can patch a program such as Tripwire or RealSecure to violate its integrity, rendering the program unable to detect the nastiness...

6. Patch the auditing system, i.e., event log, to ignore certain event log messages.

Now for the rare steak. Let's delve into an actual kernel patch. If you already understand protected mode and the global descriptor table, then you can skip this next section. Otherwise put on your hiking boots, there are a couple of switchbacks ahead.

Rings of Power
--------------

Windows NT is unlike DOS or Windows 95 in that it has process-space security. Every user-mode process has an area of memory that is protected by a Security Descriptor. Usually this SD is determined from the Access Token of the user that started the process. Access to all objects is handled through an "Access Control List". For Windows NT, this is called "Discretionary Access Control".

Personally I find it really hard to grasp something if I don't understand its most basic details. So, this next section describes the very foundation that makes security possible on the x86 architecture.

First, it is important to understand "protected mode". Protected mode can only be understood by memory addressing. Almost all of the expanded capabilities of the x86 processor are built upon memory addressing. Protected mode gives you access to a 4 GB memory space. Multitasking and privilege levels are all based upon tricks with memory addressing. This discussion only applies to 386 and beyond.

Memory is divided into code and data segments. In protected mode, all memory is addressed as a segment + an offset. Conversely, in real mode, everything is interpreted as an actual address.
For our discussion, we only care about protected mode. In protected mode things get a little more complicated. We must address first the segment, followed by an offset into that segment. It is sort of a two step process. Why is this interesting? This is how most modern operating systems work, and it is important for exploits and Virii. Any modern mobile code must be able to work within this arena.

What is a selector? A selector is just a fancy word for a memory segment. Memory segments are organized by a table. These table entries are often called descriptors. So, remember, a selector is-a segment is-a descriptor. It's all the same thing. If you understand how the memory segments are kept track of, then you pretty much understand the whole equation.

Every memory reference is first a segment (16 bits) plus an offset from the start of that segment (32 bits). A segment is not an actual address, like in real mode, but the number of a selector it wants to use. A selector is usually a small integer number. This small number is an offset into a table of descriptors. In turn, the descriptor itself then has the actual linear address of the beginning of the memory segment. In addition to that, the descriptor has the access privilege of the memory segment. Descriptors are stored in a table called the Global Descriptor Table (GDT). Each descriptor has a Descriptor Privilege Level (DPL), indicating what ring the memory segment runs in. Suffice it to say, the selector is your vehicle.

Under NT and 95, there are selectors which cover the entire 4GB address range. If you were using one of these selectors, you could walk all over the memory map from 0 to whatever. These selectors do exist, and they are protected by a DPL of 0. Under Windows 9x, selector 28 is a ring 0 that covers the entire 4GB region. Under NT, selectors 8 and 10 achieve the same purpose.
Dumping the GDT from SoftIce produces a table similar to this:

GDTBase=80036000 Limit=0x03FF
0008  Code32    00000000  FFFFFFFF  0  P   RE
0010  Data32    00000000  FFFFFFFF  0  P   RW
001B  Code32    00000000  FFFFFFFF  3  P   RE
0023  Data32    00000000  FFFFFFFF  3  P   RW
0028  TSS32     8001D000  000020AB  0  P   B
0048  Reserved  00000000  00000000  0  NP
0060  Data16    00000400  0000FFFF  3  P   RW
etc, etc ....

You can see what segment you are currently using by checking the CPU registers. The registers SS, DS, and CS indicate which selectors are being used for Stack Segment, Data Segment, and Code Segment. The stack and code segments must be in the same ring.

1. Segments can overlap one another. In other words, more than one segment can represent the same address-space. Segments can overlap one another wholly, or only in part. The address range for a segment is important, of course, but there is other delicious information we care about. For instance, a segment also has a Privilege Level (DPL).

  [figure: memory segments drawn as boxes, overlapping one another wholly or in part]

What is a DPL? Descriptor Privilege Level. This is important to understand. Every memory segment is protected by a privilege level, often called a "ring". The Intel processor has 4 rings, 0 through 3; usually only ring 0 and 3 are used. Lower ring levels have more privilege. In order to access a memory segment, the caller must have a current privilege level equal to or lower than the one being accessed. Current privilege level is often called CPL, and descriptor privilege level is often called DPL. This type of protection is a requirement for almost any security architecture.

In the old days of DOS, mobile code such as virii were able to hook interrupts and execute any code at whim. They were walking all over the memory map at will. No such luck with the advent of Windows NT. There's a gaping need for Windows NT exploits that can take advantage of the old tricks.
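To make the descriptor format concrete, here is an added example (mine, not code from Hoglund's article) that decodes raw 8-byte GDT entries into the fields SoftIce displays above and diffs a live table against a known-good snapshot. The raw values are hand-encoded from the dump above (slots the dump omits are left zero); the appended conforming DPL-0 entry is constructed, standing in for the kind of addition the text goes on to describe. The check is what an integrity monitor would run over a GDT snapshot: report any descriptor not in the baseline, and report any present code descriptor that is both conforming and DPL 0, since such a segment can be entered from ring 3 without a gate.

```c
/* Decoder and baseline check for x86 GDT entries (added example; not code
 * from the Phrack article). Raw encodings were constructed by hand from the
 * SoftIce dump in the text; the "rogue" entry is a constructed DPL-0
 * conforming code segment covering the whole 4GB map. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t base;       /* linear address of the segment start          */
    uint32_t limit;      /* last valid offset, already scaled by the G bit */
    unsigned present;    /* P bit                                         */
    unsigned dpl;        /* descriptor privilege level (ring)             */
    unsigned is_system;  /* S == 0: TSS, gate, LDT, ...                   */
    unsigned is_code;    /* S == 1 and type bit 3 set                     */
    unsigned conforming; /* code segments only: type bit 2 (C)            */
    unsigned big;        /* D/B bit: 32-bit segment                       */
    unsigned type;       /* raw 4-bit type field                          */
} seg_desc_t;

/* Split one 64-bit descriptor into its fields (Intel SDM vol. 3 layout). */
seg_desc_t decode_descriptor(uint64_t raw)
{
    seg_desc_t d;
    memset(&d, 0, sizeof d);
    uint32_t limit  = (uint32_t)(raw & 0xFFFF) | ((uint32_t)((raw >> 48) & 0xF) << 16);
    unsigned access = (unsigned)((raw >> 40) & 0xFF);
    unsigned flags  = (unsigned)((raw >> 52) & 0xF);   /* AVL, L, D/B, G */
    d.base       = (uint32_t)((raw >> 16) & 0xFFFFFF) | ((uint32_t)((raw >> 56) & 0xFF) << 24);
    d.present    = (access >> 7) & 1;
    d.dpl        = (access >> 5) & 3;
    d.is_system  = !((access >> 4) & 1);
    d.type       = access & 0xF;
    d.is_code    = !d.is_system && (d.type & 8) != 0;
    d.conforming = d.is_code && (d.type & 4) != 0;
    d.big        = (flags >> 2) & 1;
    d.limit      = (flags & 8) ? (limit << 12) | 0xFFF : limit;   /* G: 4K granularity */
    return d;
}

/* Report entries that differ from a known-good snapshot, plus any present
 * conforming code descriptor at DPL 0. Returns the number of findings. */
int audit_gdt(const uint64_t *live, size_t n_live, const uint64_t *baseline, size_t n_base)
{
    int findings = 0;
    for (size_t i = 0; i < n_live; i++) {
        seg_desc_t d = decode_descriptor(live[i]);
        unsigned sel = (unsigned)(i * 8);
        int in_baseline = (i < n_base && baseline[i] == live[i]);
        if (!in_baseline && live[i] != 0) {
            printf("selector %04X: not in baseline (base=%08X limit=%08X dpl=%u)\n",
                   sel, d.base, d.limit, d.dpl);
            findings++;
        } else if (d.present && d.conforming && d.dpl == 0) {
            printf("selector %04X: conforming DPL-0 code segment\n", sel);
            findings++;
        }
    }
    return findings;
}

/* Baseline built from the SoftIce dump in the text; omitted slots stay 0. */
static const uint64_t BASELINE_GDT[] = {
    0x0000000000000000ULL,  /* 0000 null descriptor                        */
    0x00CF9A000000FFFFULL,  /* 0008 Code32 base 0 limit FFFFFFFF DPL 0 RE  */
    0x00CF92000000FFFFULL,  /* 0010 Data32 base 0 limit FFFFFFFF DPL 0 RW  */
    0x00CFFA000000FFFFULL,  /* 0018 (001B) Code32 DPL 3 RE                 */
    0x00CFF2000000FFFFULL,  /* 0020 (0023) Data32 DPL 3 RW                 */
    0x80008B01D00020ABULL,  /* 0028 TSS32 base 8001D000 limit 20AB busy    */
    0, 0, 0,                /* 0030-0040: not shown in the dump            */
    0x0000000000000000ULL,  /* 0048 Reserved, not present                  */
    0, 0,                   /* 0050-0058: not shown in the dump            */
    0x0000F2000400FFFFULL,  /* 0060 Data16 base 400 limit FFFF DPL 3 RW    */
};
#define BASELINE_LEN (sizeof BASELINE_GDT / sizeof BASELINE_GDT[0])

/* Constructed: DPL-0, conforming, readable code segment over 0..FFFFFFFF. */
#define ROGUE_CONFORMING_DESC 0x00CF9E000000FFFFULL

/* Same table with the rogue entry appended at selector 0068. */
int demo_audit(void)
{
    uint64_t live[BASELINE_LEN + 1];
    memcpy(live, BASELINE_GDT, sizeof BASELINE_GDT);
    live[BASELINE_LEN] = ROGUE_CONFORMING_DESC;
    return audit_gdt(live, BASELINE_LEN + 1, BASELINE_GDT, BASELINE_LEN);
}

int main(void)
{
    for (size_t i = 0; i < BASELINE_LEN; i++) {
        seg_desc_t d = decode_descriptor(BASELINE_GDT[i]);
        if (!d.present) continue;
        printf("%04zX %s base=%08X limit=%08X dpl=%u%s\n", i * 8,
               d.is_system ? "System" : d.is_code ? (d.big ? "Code32" : "Code16")
                                                   : (d.big ? "Data32" : "Data16"),
               d.base, d.limit, d.dpl, d.conforming ? " conforming" : "");
    }
    printf("findings: %d\n", demo_audit());
    return 0;
}
```

The baseline comparison is index-based (selector / 8), so a table that merely grows past the recorded limit shows up as a finding too; on a real system the snapshot would be taken with a driver reading GDTR (sgdt) rather than typed in from a debugger dump.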
The central problem is that most code is executing within user mode, and has no access to ring 0, and therefore no access to the Interrupt Descriptor Table or the memory map as a whole. Under NT, the access to ring 0 is controlled from the right to add your own selector to the GDT. When you transition to ring 0, you are still in protected mode and the Virtual Memory Manager is still operating.

Let's suppose you have written a virus that patches the Global Descriptor Table (GDT) and adds a new descriptor. This new descriptor describes a memory segment that covers the entire range of the map, from 0 to FFFFFFFF. The DPL of the descriptor is 0, so any code running from it can access other ring-0 segments. In fact, it can access the entire map. A DPL 0 memory segment marked as "conforming" will violate integrity. The sensitivity label, in this regard, would be the DPL. The fact it is conforming violates the DPLs of other segments, if they overlap. If your descriptor is marked conforming, it can be called freely from ring-3 (user mode).

This new entry goes unnoticed, of course. Who monitors the GDT on their system? Most people don't even know what that is. There are few IDS systems that monitor this type of information. Now you have effectively placed a backdoor into the memory map. You could be running under any process token, and have full read/write access to the map. This means reading/writing other important tables, such as the Interrupt Table. This means reading other procii's protected memory. This means infecting other files and procii w/ your virii at whim.

Patching the SRM
----------------

The Security Reference Monitor is responsible for enforcing access control. Under NT, all of the SRM functions are handled by ntoskrnl.exe. If the integrity of that code were violated, then the SRM could no longer be trusted. The whole security system has failed. The Security Reference Monitor is responsible for saying Yes/No to any object access.
It consults a process table to determine your current running process' access token. It then compares the access token with the required access of the object. Every object has a Security Descriptor (SD). Your running process has an Access Token. Comparing these two structures, the SRM is able to deny or allow you access to the object.

Orange Book:

  "In October of 1972, the Computer Security Technology Planning Study, conducted by James P. Anderson & Co., produced a report for the Electronic Systems Division (ESD) of the United States Air Force.[1] In that report, the concept of "a reference monitor which enforces the authorized access relationships between subjects and objects of a system" was introduced. The reference monitor concept was found to be an essential element of any system that would provide multilevel secure computing facilities and controls."

It then listed the three design requirements that must be met by a reference validation mechanism:

  "a. The reference validation mechanism must be tamper proof.
   b. The reference validation mechanism must always be invoked.
   c. The reference validation mechanism must be small enough to be subject to analysis and tests, the completeness of which can be assured."[1]

The SRM is *NOT* tamper proof. It may be protected by the TCB security privilege, but I suggest that the only truly tamper-proof SRM is going to use cryptographic mechanisms. Using an attack vector such as Virii or Trojans, a patch could easily be placed within the TCB.

You can patch the SRM itself if you have access to the map. In this, you can insert a backdoor such that a certain user-id ALWAYS has access. However, this does not require you to edit the user's security level in any way. You are patching it at the access point, not the source. So, auditing programs will not be able to notice the problem. This is a simple trick that could be employed in any NT RootKit.

There are several key components to the NT Kernel.
They are sometimes referred to as the "NT Executive". The NT executive is really a group of individual components with a well defined interface. Each component has such a well defined interface, in fact, that you could actually take it out completely and replace it with a new one. As long as the new component implemented all of the same interfaces, then the system would continue to function. The following are all components of the NT Executive:

  HAL:       Hardware Abstraction Layer, HAL.DLL
  NTOSKRNL:  Contains several components, NTOSKRNL.EXE
               The Virtual Memory Manager (VMM)
               The Security Reference Monitor (SRM)
               The I/O Manager
               The Object Manager
               The Process and Thread Manager
               The Kernel Services themselves
                 (Exception handling and runtime library)
               LPC Manager (Local Procedure Call)

Hey, these are some of the modules listed when a Blue Screen occurs! The system is just a big memory map! With all of this data we are bound to find structures of interest! Many key data structures are crucial to security. Once we know what we are looking for, we can get into SoftIce and start poking around. A list of the exported functions for some of these components is in Appendix A.

Using a tool such as SoftIce, reverse engineering the SRM and other components is easy ;) The methodology is simple. First, we must find the component we are interested in. They all sit in system memory at some point... Some key data structures are:

  ACL (Access Control List), contains ACEs
  ACE (Access Control Entry), has a 32-bit Access Mask and a SID
  SID (Security Identifier), a big number
  PTE (Page Table Entry)
  SD  (Security Descriptor), has an Owner SID, a Group SID, and an ACL
  AT  (Access Token)

Now for some tricks! The first thing we need to do is identify which of these data structures we will be using. If we want to reverse engineer the Security Reference Monitor, then we can be assured that our SID is going to be used in some call somewhere.. This is where SoftIce comes in.
SoftIce has an incredible feature called expressions. SoftIce will let you define a regular expression to be evaluated for a breakpoint. In other words, I can tell SoftIce to break if only a special set of circumstances has occurred. So, for example (working implementation):

1. I want SoftIce to break if the ESI register references my SID. Since a SID is many words long, I will have to define the expression in several portions:

   bpx (ESI->0 == 0x12345678) && (ESI->4 == 0x90123456) && (ESI->8 == 0x78901234)

What I have done here is tell SoftIce to break if the ESI register points to the data: 0x123456789012345678901234. Notice how I use the -> operator to offset ESI for each word. Now, try to access an object. SoftIce will promptly break when your SID is used in a call.

There are many system components that are worth reverse engineering. You may also want to play with the following:

1. GINA (GINA.DLL): The logon screen you see when you type your password. Imagine if this component was trojaned.. A Virii could capture passwords across the enterprise.

2. LSA (The Local System Authority): This is the module responsible for querying the SAM database. This would be an ideal place to put a rootkit-password that *ALWAYS* allows you access to the system.

3. SSDT, the System Service Descriptor Table

4. GDT, the Global Descriptor Table

5. IDT, the Interrupt Descriptor Table

Getting to ring zero in the first place
---------------------------------------

User mode is very limiting under NT. Your process is bound by the selector it is currently using. The process cannot simply waltz over the entire memory map. As we have discussed, the process must first load a selector. You cannot simply read memory from 0 to FFFFFFFF; you can only access your own memory segment. There are tricks however. If the process is running under a user token that has "add service" privilege, then you can create your own call gate, install it in realtime, and then use it to run your code ring 0.
Once you are running ring 0 you can patch the IDT or the Kernel. This is how User-Mode normally accesses a Ring-0 Code Segment. If you don't want to go to this trouble, you can upload a byte patcher that runs in ring zero on boot. This is as simple as writing a driver and installing it to run on the next reboot. However, installing your own call-gate is by far the most sexy. Let's talk sexy.

The answer is a call gate. All of the functions provided by NTDLL.DLL are implemented this way. This is why you must call Int 2Eh to make a call. The entire set of Int 2Eh functions are known as the Native Call Interface (NCI). What really happens is the Int 2Eh is handled by a function in NTOSKRNL.EXE. This function is called KiSystemService(). KiSystemService() routes the call to the proper code location.

When you make a system call, you must first load the index of the function you wish to call. This is loaded into register EAX. Next, if the call takes parameters, a pointer to this block is loaded into EDX. Interrupt 2Eh is called, and EAX holds the return value. This is old hat to most assembler programmers. What is not obvious is how this is implemented in the Kernel.

The function KiSystemService() is called, and left with the responsibility for dispatching the call. KiSystemService() must first determine *WHAT* function to call next, based on what we put in EAX. So, to this end, it maintains a table of functions and their index numbers.. imagine that! SoftIce will dump this table if you're interested.
It looks something like:

:ntcall
Service table address: 80149398 Number of services:000000D4
0000 0008:8017451E params=06 ntoskrnl!NtConnectPort+0834
0001 0008:80199C16 params=08 ntoskrnl!SeQueryAuthenticationIdToken+04B8
0002 0008:8019B3A2 params=0B ntoskrnl!SePrivilegeObjectAuditAlarm+02B0
0003 0008:80158E50 params=02 ntoskrnl!NtAddAtom
0004 0008:80197624 params=06 ntoskrnl!NtAdjustPrivilegesToken+0422
0005 0008:80197202 params=06 ntoskrnl!NtAdjustPrivilegesToken
0006 0008:80196256 params=02 ntoskrnl!PsGetProcessExitTime+1848
0007 0008:8019620E params=01 ntoskrnl!PsGetProcessExitTime+1800
0008 0008:8015901E params=01 ntoskrnl!NtAllocateLocallyUniqueId
0009 0008:801592EC params=03 ntoskrnl!NtAllocateUuids
000A 0008:8017B0F6 params=06 ntoskrnl!NtAllocateVirtualMemory
000B 0008:8011B8E4 params=03 ntoskrnl!ZwYieldExecution+08AC
etc etc...

Well, this is all very interesting, but where is this table stored? How does SoftIce manage to read it? Of course, it's all undocumented ;-)

Here I have no one to thank more than my friend from Sri Lanka, a fellow Rhino9 member, who goes by the handle Joey__. His paper on extending the NCI is nothing less than mind-blowing. I draw heavily upon his research for this section. I feel this paper could not be complete without going over call-gates and the NCI, so I paraphrase some of his work. For more detailed information on adding your own system services, read his paper entitled "Adding New Services to the NT Kernel Native API".

A very interesting thing happens when you boot NT. You start with about 200 functions in the NCI. These are all implemented in NTOSKRNL.EXE. But, soon afterwards, another 500 or so functions are added to the NCI, these being implemented in WIN32K.SYS. The fact that additional functions were added proves that it is possible to register new functions into the NCI during runtime. The table that SoftIce dumps when you type NTCALL is called the System Service Descriptor Table (SSDT).
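Since the SSDT is exactly the kind of table a rootkit rewrites, and since the text goes on to note that the table can also be copied elsewhere and KiSystemService() pointed at the copy, here is an added example (mine, not code from the article) of the check a defender runs over it: parse the :ntcall dump above line by line, confirm the table base and service count against a recorded baseline, and flag any service whose target falls outside the ntoskrnl image. The dump text is the page's own listing plus one constructed entry (index 000C) pointing into a driver's address space; the ntoskrnl address range is an assumed value for this demo, not something the page states.

```c
/* Parser and range check for a SoftIce ":ntcall" dump (added example, not
 * code from the article). The dump is the page's own listing plus one
 * constructed line (000C) whose target lies outside the kernel image; the
 * ntoskrnl image range is an assumed value for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char SAMPLE_NTCALL_DUMP[] =
    ":ntcall\n"
    "Service table address: 80149398 Number of services:000000D4\n"
    "0000 0008:8017451E params=06 ntoskrnl!NtConnectPort+0834\n"
    "0001 0008:80199C16 params=08 ntoskrnl!SeQueryAuthenticationIdToken+04B8\n"
    "0002 0008:8019B3A2 params=0B ntoskrnl!SePrivilegeObjectAuditAlarm+02B0\n"
    "0003 0008:80158E50 params=02 ntoskrnl!NtAddAtom\n"
    "0004 0008:80197624 params=06 ntoskrnl!NtAdjustPrivilegesToken+0422\n"
    "0005 0008:80197202 params=06 ntoskrnl!NtAdjustPrivilegesToken\n"
    "0006 0008:80196256 params=02 ntoskrnl!PsGetProcessExitTime+1848\n"
    "0007 0008:8019620E params=01 ntoskrnl!PsGetProcessExitTime+1800\n"
    "0008 0008:8015901E params=01 ntoskrnl!NtAllocateLocallyUniqueId\n"
    "0009 0008:801592EC params=03 ntoskrnl!NtAllocateUuids\n"
    "000A 0008:8017B0F6 params=06 ntoskrnl!NtAllocateVirtualMemory\n"
    "000B 0008:8011B8E4 params=03 ntoskrnl!ZwYieldExecution+08AC\n"
    /* constructed: a service redirected into a loaded driver's address space */
    "000C 0008:F7A3C120 params=02 hookdrv!.text+0120\n";

/* Assumed (constructed) image range of ntoskrnl.exe on the demo machine,
 * and the baseline values recorded from the dump header. */
#define NTOSKRNL_LO         0x80100000u
#define NTOSKRNL_HI         0x80200000u
#define EXPECTED_TABLE_BASE 0x80149398u
#define EXPECTED_COUNT      0xD4u

/* Walk the dump line by line. Flags a table base or service count that
 * differs from the baseline, and any service whose target address lies
 * outside [lo, hi). Lines that match neither format are ignored.
 * Returns the number of findings. */
int audit_ssdt_dump(const char *dump, uint32_t lo, uint32_t hi,
                    uint32_t expected_base, uint32_t expected_count)
{
    int findings = 0;
    const char *p = dump;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[200];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        unsigned base, count, idx, sel, addr, nparams;
        char sym[96];
        if (sscanf(line, "Service table address: %x Number of services:%x",
                   &base, &count) == 2) {
            if (base != expected_base) {
                printf("table base moved to %08X\n", base);
                findings++;
            }
            if (count != expected_count) {
                printf("service count changed to %X\n", count);
                findings++;
            }
        } else if (sscanf(line, "%x %x:%x params=%x %95s",
                          &idx, &sel, &addr, &nparams, sym) == 5) {
            if (addr < lo || addr >= hi) {
                printf("service %04X -> %08X (%s) outside kernel image\n", idx, addr, sym);
                findings++;
            }
        }
        p = nl ? nl + 1 : p + len;
    }
    return findings;
}

/* Run the check over the sample dump with the assumed baseline. */
int demo_ssdt_audit(void)
{
    return audit_ssdt_dump(SAMPLE_NTCALL_DUMP, NTOSKRNL_LO, NTOSKRNL_HI,
                           EXPECTED_TABLE_BASE, EXPECTED_COUNT);
}

int main(void)
{
    printf("findings: %d\n", demo_ssdt_audit());
    return 0;
}
```

On a live system the same two checks (table base and count unchanged, every pointer inside the kernel image) are done against the table in memory rather than a debugger dump; the parse here simply lets the logic run on the listing the article shows. A second table added with KeAddSystemServiceTable() would not appear in this dump at all, so a complete check also enumerates the number of registered tables.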
The SSDT is what the KiSystemService() function uses to look up the proper function for an Int 2Eh call. Given that the NCI is extensible, it must be possible to add new functions to this table. As it turns out, there are actually multiple tables. WIN32K.SYS doesn't actually add to the EXISTING system table, but creates a whole NEW one with 500 or so functions, and then ADDS it to the Kernel. To do this, it calls the exported function KeAddSystemServiceTable(). So, in a nutshell, all we have to do is create a new table with OUR functions and do the same thing.

Another angle on this involves adding our functions to the existing NCI table. But, this involves patching memory. Again, that's what we do best. To pull this trick off cleanly, we must allocate new memory large enough to hold the old tables plus our additional entries. We then must copy the old tables into our new memory, add our entries, and then patch memory so that KiSystemService() looks at our new table.

The FOUR-Byte Patch
-------------------

Okay, lesson number one. Don't make yourself do extra work when you don't have to. This is the story of my life. I started this project by reversing the RtlXXX subroutines. For instance, there is a routine called RtlGetOwnerSecurityDescriptor(). This is a simple utility function that returns the Owner SID for a given security descriptor. I patched this routine to check for the BUILTIN\Administrators group, and alter it to be the BUILTIN\Users group. Although this patch works, it doesn't help me obtain access to protected files and shares. The RTL routine is only called for Process and Thread creation, it would seem. So, to make a long story short, I have included the RTLXXX information and patch below. It will illustrate a working kernel patch and should help you see my thought process as I 0wned a key kernel function.

Okay, lesson number two. If at first you don't succeed, try another function.
This time I got very wise and decided to test a number of breakpoints in the Kernel before doing any extra work. Because I wanted to circumvent access to a file directly, I moved directly onward to the SeAccessCheck() function. Up front, I set a breakpoint on this function to make sure it is being called when accessing a file. To my excitement, it appears this function is called for almost any object access, not just a file. This means network shares as well. Going further, I tested my next patch against network share access as well as file access.

I created a test directory, shared it over the network, and created a test file within that directory. At first, the file had the default Everyone FULL CONTROL permissions. I set a breakpoint on SeAccessCheck() and attempted to cat the file. For this simple command the function is called three times:

Break due to BPX ntoskrnl!SeAccessCheck (ET=2.01 seconds)
:stack
Ntfs!PAGE+B683 at 0008:8020C203 (SS:EBP 0010:FD711D1C)
=> ntoskrnl!SeAccessCheck at 0008:8019A0E6 (SS:EBP 0010:FD711734)

Break due to BPX ntoskrnl!SeAccessCheck (ET=991.32 microseconds)
:stack
Ntfs!PAGE+B683 at 0008:8020C203 (SS:EBP 0010:FD711CB8)
=> ntoskrnl!SeAccessCheck at 0008:8019A0E6 (SS:EBP 0010:FD7116D8)

Break due to BPX ntoskrnl!SeAccessCheck (ET=637.15 microseconds)
:stack
Ntfs!PAGE+B683 at 0008:8020C203 (SS:EBP 0010:FD711D08)
=> ntoskrnl!SeAccessCheck at 0008:8019A0E6 (SS:EBP 0010:FD711720)

Next I set the file access to Administrator NO ACCESS. Attempting to cat the file locally resulted in an "Access Denied" message. The routine is called 13 times before the Access Denied message is given. Now I try to access it over the network. The function is called a total of 18 times before an Access Denied message is given. It would seem it takes a lot more work to deny access than it does to give it. ;) I was lit now, it looked like I had my target.
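Before the disassembly, it helps to have the comparison SeAccessCheck() performs in front of you, since that comparison (the Access Token against the object's Security Descriptor, as the "Patching the SRM" section put it) is what the four-byte patch short-circuits. The following is an added example (mine, not the kernel's code and not from the article): a reduced model of the DACL walk, run over ACLs constructed to mirror the two test setups above, Everyone FULL CONTROL and then Administrators NO ACCESS. SIDs are written as strings; the user SIDs for the two test accounts are constructed. Real SeAccessCheck also handles privileges, generic-right mapping and auditing, none of which is modelled here.

```c
/* A reduced model of the DACL walk that SeAccessCheck() performs (added
 * example, not kernel code). The owner gets READ_CONTROL and WRITE_DAC
 * implicitly, then the requested rights are consumed ACE by ACE in DACL
 * order: the first matching deny on a still-wanted right denies, each
 * matching allow clears rights, and anything left at the end is a denial.
 * Well-known SIDs are spelled as strings; user SIDs below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILE_READ_DATA   0x00000001u
#define FILE_WRITE_DATA  0x00000002u
#define READ_CONTROL     0x00020000u
#define WRITE_DAC        0x00040000u
#define FILE_ALL_ACCESS  0x001F01FFu   /* "Full Control" on a file */

#define SID_EVERYONE      "S-1-1-0"
#define SID_BUILTIN_ADMIN "S-1-5-32-544"
#define SID_BUILTIN_USERS "S-1-5-32-545"
#define SID_ADMIN_USER    "S-1-5-21-1-2-3-500"    /* constructed */
#define SID_PLAIN_USER    "S-1-5-21-1-2-3-1001"   /* constructed */

typedef enum { ACE_ACCESS_ALLOWED, ACE_ACCESS_DENIED } ace_type_t;
typedef struct { ace_type_t type; uint32_t mask; const char *sid; } ace_t;

typedef struct {
    const char  *owner_sid;
    const ace_t *dacl;       /* NULL: no DACL at all, everything is granted */
    size_t       ace_count;  /* 0 with a non-NULL dacl: empty DACL, nothing */
} security_descriptor_t;

typedef struct {
    const char  *user_sid;
    const char **groups;
    size_t       group_count;
} access_token_t;

/* True if the SID is the token's user or one of its groups. */
static int token_holds(const access_token_t *t, const char *sid)
{
    if (strcmp(t->user_sid, sid) == 0) return 1;
    for (size_t i = 0; i < t->group_count; i++)
        if (strcmp(t->groups[i], sid) == 0) return 1;
    return 0;
}

/* Returns 1 if every bit in 'desired' is granted, 0 if access is denied. */
int access_check(const security_descriptor_t *sd, const access_token_t *tok, uint32_t desired)
{
    uint32_t remaining = desired;
    if (sd->dacl == NULL) return 1;                 /* NULL DACL: no protection */
    if (sd->owner_sid && token_holds(tok, sd->owner_sid))
        remaining &= ~(READ_CONTROL | WRITE_DAC);   /* owner's implicit rights */
    for (size_t i = 0; i < sd->ace_count && remaining; i++) {
        const ace_t *ace = &sd->dacl[i];
        if (!token_holds(tok, ace->sid)) continue;
        if (ace->type == ACE_ACCESS_DENIED && (ace->mask & remaining))
            return 0;                               /* first matching deny wins */
        if (ace->type == ACE_ACCESS_ALLOWED)
            remaining &= ~ace->mask;
    }
    return remaining == 0;
}

/* Constructed ACLs: the article's two test setups, plus the deny/allow pair
 * in non-canonical order to show that the walk order decides the result. */
static const ace_t ACL_EVERYONE_FULL[] = {
    { ACE_ACCESS_ALLOWED, FILE_ALL_ACCESS, SID_EVERYONE },
};
static const ace_t ACL_ADMIN_NO_ACCESS[] = {
    { ACE_ACCESS_DENIED,  FILE_ALL_ACCESS, SID_BUILTIN_ADMIN },
    { ACE_ACCESS_ALLOWED, FILE_ALL_ACCESS, SID_EVERYONE },
};
static const ace_t ACL_NONCANONICAL[] = {
    { ACE_ACCESS_ALLOWED, FILE_ALL_ACCESS, SID_EVERYONE },
    { ACE_ACCESS_DENIED,  FILE_ALL_ACCESS, SID_BUILTIN_ADMIN },
};

static const char *ADMIN_GROUPS[] = { SID_EVERYONE, SID_BUILTIN_ADMIN, SID_BUILTIN_USERS };
static const char *USER_GROUPS[]  = { SID_EVERYONE, SID_BUILTIN_USERS };
static const access_token_t ADMIN_TOKEN = { SID_ADMIN_USER, ADMIN_GROUPS, 3 };
static const access_token_t USER_TOKEN  = { SID_PLAIN_USER, USER_GROUPS, 2 };

static const security_descriptor_t SD_EVERYONE_FULL = { SID_PLAIN_USER, ACL_EVERYONE_FULL, 1 };
static const security_descriptor_t SD_ADMIN_DENIED  = { SID_ADMIN_USER, ACL_ADMIN_NO_ACCESS, 2 };
static const security_descriptor_t SD_NONCANONICAL  = { SID_PLAIN_USER, ACL_NONCANONICAL, 2 };
static const security_descriptor_t SD_NULL_DACL     = { SID_PLAIN_USER, NULL, 0 };
static const security_descriptor_t SD_EMPTY_DACL    = { SID_PLAIN_USER, ACL_EVERYONE_FULL, 0 };

int main(void)
{
    printf("admin reads Everyone-full file:       %d\n", access_check(&SD_EVERYONE_FULL, &ADMIN_TOKEN, FILE_READ_DATA));
    printf("admin reads Admin-no-access file:     %d\n", access_check(&SD_ADMIN_DENIED, &ADMIN_TOKEN, FILE_READ_DATA));
    printf("user reads Admin-no-access file:      %d\n", access_check(&SD_ADMIN_DENIED, &USER_TOKEN, FILE_READ_DATA));
    printf("admin reads non-canonical DACL file:  %d\n", access_check(&SD_NONCANONICAL, &ADMIN_TOKEN, FILE_READ_DATA));
    printf("admin (owner) sets DACL despite deny: %d\n", access_check(&SD_ADMIN_DENIED, &ADMIN_TOKEN, WRITE_DAC));
    printf("user on empty DACL:                   %d\n", access_check(&SD_EMPTY_DACL, &USER_TOKEN, FILE_READ_DATA));
    return 0;
}
```

Two things the model makes visible that the debugger counts above do not: a deny ACE only works if it comes before the allow that would otherwise satisfy the request (the non-canonical case grants the administrator), and the owner keeps WRITE_DAC regardless of the DACL, which is why "NO ACCESS" never locks the owner out of repairing the permissions.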
After another 2 shots of espresso, I dumped the IDA file for SeAccessCheck, busted into SoftIce and started exploring:

To make things simpler, I have removed some of the assembly code that is not part of my discussion. If you are going to start playing with this, then you should disassemble all of this yourself nonetheless. I recommend IDA. At first I tried WDAsm32, but it was unable to decompile the ntoskrnl.exe binary properly. IDA, on the other hand, had no problems. WDAsm32 has a much nicer GUI interface, but IDA has proved more reliable. Just as most engineers, I use many tools to get the