_ __
(_)_ __ / _| ___ ___ _ _ _ __ __ _ ___
| | '_ \| |_ / _ \/ __| | | | '__/ _` |/ _ \
| | | | | _| (_) \__ \ |_| | | | (_| | __/
|_|_| |_|_| \___/|___/\__,_|_| \__, |\___|
|___/
.------------- ----------------.
: Official Irc Channel -> #phreak/AustNET (irc.austnet.org):
: Official Web Site -> http://infosurge.rendrag.net :
: Official Submissions -> phase5@rendrag.net :
: Official Fed -> m3 :
: Official ClueStick Sponsor - > trisomy-21 :
: Official Pedophile ISP -> ScoutNET (www.sa.scouts.com.au):
: Official Product of the month -> BeigeBox (tm ALOC) :
: :
: issue #4: 06/05/2000 :
.__________________________________________________________.
"New school tekniq with twice the wang of the nearest competitor"
............................[ Table Of Contents ]...........................
[Intro ............................................................... phase5]
[Editorial ........................................................... phase5]
[GSM Overview ........................................................ phase5]
[Cryptology and the Magic Bullet ..................................... phunki]
[x.25 guide ..................................................... Epic Target]
[file access in php .................................................. jestar]
[Basic HTTP authentication ............................................ aphex]
[TCL .................................................................. lymco]
[Outro .............................................................. phase5]
[Total .................................................... infosurge (115kb)]
.................................[ shouts ].................................
[ shard ^jestar lymco secroth sour pmc bsdave rendrag alpha insane fyre ]
[ xm niffum concat assass|n prosthetic saboteur cmdrkeen phunki ghengis ]
[ synister head_rush tux vortex_v caddis ]
........[ Editorial ].................................[ phase5 ]............
another issue of infosurge. looking back we have done fairly decently for our
premier issues. we have gotten a fair amount of submissions from the general
.au people and this has been good. however, things could be a lot better.
we will be trying to produce a higher quality and more technical zine from
now on and hopefully people in .au can contribute.
........[ GSM Overview ]................................[ phase5 ]............
. intro
. network architecture
. digital speech encoding
. where am i?
. outro
. intro
In this article I will go over some of the basic concepts of GSM. This will
be a general overview, like looking at GSM from 10000 feet. There won't be any
information on the more technical aspects, nor will any one part be covered
in detail. However, you should get a basic grasp of how GSM works and how
cellular networks work.
. network architecture
GSM is a cellular network. This means that communication is possible over long
distances with low power output, and with a reduction in the number of
frequencies needed. If Mr. X was at one place, and Mrs. Y was far away, you
would need high power for the signal to travel. Because with GSM the signal
goes along from tower to tower, only low power is needed, just enough to
transmit to the next tower. Another limiting factor is that each call needs its
own frequency. Unfortunately, there just aren't enough frequencies to go around.
Person 1 wants to make a call. However, persons 2-30000 are also making calls.
Not a good scenario. With a cellular network, the broadcast area is split into
cells. Each cell has a base tower. Due to the low power output of each base
tower, a frequency used in one cell won't carry over to another cell. Well, in
practice the frequency will generally also cover the neighbouring cells,
however cells further away will be able to reuse that same frequency.
. digital speech encoding
As wacky as it may seem, phones are used primarily for talking. And as luck
would have it, speech is analog (except for steven hawking :p). The GSM network
is digital. Therefore there needs to be a way to change speech to digital, or
else to degrade GSM by making it an analog network. Obviously, an
analog -> digital conversion system was implemented. As you talk, samples are
taken. These samples are taken 8000 times a sec (8khz). Each sample is then
turned into an 8bit value. 8 x 8000 = 64kb/sec. This is fairly hefty in size
so compression is used. This compression is known as Full Rate (FR). It uses
RPE-LTP coding which compresses the 64kb/s to 13kb/s. There are also 2 newer
compression methods. These are Half Rate and Enhanced Full Rate. Half Rate
compresses to 7kb/s while Enhanced Full Rate is still 13kb/s. However, its
speech quality is better than Full Rate. Some error correction was also added
in the digital transmission. I will show the basic principle of it.
For every 2 bits, we add a third bit, so that in this group of 3 bits there
will always be an even number of 0's. So, 00 -> 001, 11 -> 111, 01 -> 010,
10 -> 100. Now if one of those three bits is missing, it is easy to tell what it
should be based on that rule. Error correction takes the 13kb/s compressed
stream to 16kb/s. This means that instead of one 64kb/s transmission you can
do 4 16kb/s transmissions.
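As an added example (my code, not part of the original article), here is the
parity scheme just described in Python: every pair of data bits gets a third
bit chosen so that the 3-bit group has an even number of 0's, and a receiver
that sees one missing bit fills it in from that rule. It also shows the limit
the article glosses over: a bit that arrives wrong rather than missing is only
detected, not corrected, because the receiver cannot tell which of the three
positions changed. The function names and the use of '?' for a missing bit are
my own choices.

```python
# Added example: 2 data bits + 1 check bit, even number of 0s per 3-bit group.
# Not from the zine; encoding rule and the four codewords are as stated above.


def encode_pair(d0: int, d1: int) -> str:
    """Return the 3-bit codeword for two data bits, e.g. encode_pair(0, 0) == '001'."""
    # An even number of 0s in three bits means an odd number of 1s, so the
    # check bit is 1 exactly when the two data bits hold an even number of 1s.
    check = 1 ^ d0 ^ d1
    return f"{d0}{d1}{check}"


def encode_bits(bits: str) -> str:
    """Encode a string of data bits (even length) into 3-bit groups."""
    if len(bits) % 2:
        raise ValueError("need an even number of data bits")
    return "".join(encode_pair(int(bits[i]), int(bits[i + 1]))
                   for i in range(0, len(bits), 2))


def decode_group(group: str) -> str:
    """Recover the two data bits from a 3-symbol group; '?' marks a missing bit.

    One missing bit is filled in from the even-zeros rule. A flipped bit (all
    three present, but the rule broken) can only be detected, so it raises.
    """
    if len(group) != 3:
        raise ValueError("group must have exactly 3 symbols")
    if group.count("?") > 1:
        raise ValueError("only one missing bit per group is recoverable")
    if "?" in group:
        zeros_known = group.count("0")
        # Fill the gap so the total number of 0s comes out even.
        group = group.replace("?", "0" if zeros_known % 2 else "1")
    if group.count("0") % 2:
        raise ValueError(f"parity error in group {group!r}: bit flipped in transit")
    return group[:2]


def decode_bits(coded: str) -> str:
    """Decode a stream of 3-symbol groups back into data bits."""
    if len(coded) % 3:
        raise ValueError("coded length must be a multiple of 3")
    return "".join(decode_group(coded[i:i + 3]) for i in range(0, len(coded), 3))


if __name__ == "__main__":
    sent = encode_bits("0011")          # '001111'
    received = "00?11?"                 # constructed: one bit lost in each group
    print(sent, decode_bits(received))  # 001111 0011
```

The overhead matches the article's figures: three symbols on the air for every
two of payload is the same 13 -> 16 kb/s step (roughly 1.23x) once framing is
accounted for, and the scheme buys erasure recovery only, not correction of a
corrupted bit.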
. where am i?
With a home phone, the PSTN knows where you are. It can say that you are
connected to a certain exchange and are at a certain location. With mobile
phones, this is obviously a problem. It's a problem because without knowing
where you are, your calls cannot be routed, received, or made. Now, when you
turn on your phone, it sends out a signal saying "here i am". The nearest base
station will pick it up and know where you are. Now, if you're moving around
after you turn on your phone, your location information needs to change.
Base stations continuously transmit signals which your phone receives. It sees
which has the strongest signal and then updates its location. Whenever a
location update occurs, the base tower tells the nearest exchange on the PSTN.
This exchange will then pass this information on to the cell company's
designated local or home exchange. This exchange will always know where you
are.
. outro
This was an extremely basic view of GSM. It could have been more thorough
but I was pressed for time and this is all I could come up with. Next issue, I
will delve more deeply into GSM, with possibly one or two articles detailing
its various aspects and more articles following after that.
........[ Cryptology & the Magic Bullet ]...............[ phunki ]............
Very often, people/corporations are searching for a "magic bullet"
that will make their networks secure. That is, something they can
run/install that will instantly make an insecure network a secure network.
This can be all sorts of things like a firewall or the use of cryptology,
and generally shows a lack of understanding about what security is. Just
because something uses crypto or a network is firewalled does not
automatically make it "secure". What we'll be having a look at here is
some good uses of cryptology, with the aim of security. This is kinda
introductory, just a brief introduction to good uses of
cryptology. I wanted to supply some code in java, but my compiler
has seriously eaten shit on both windows and linux, and my hatred of java
has been re-affirmed. As such, this file is quite weak, so I thought I'd
reward you with some asciipr0n(%$#!@) if you manage to wade through it.
Some fundamental problems in security, and how cryptography can help
When you're trying to set up/run a secure system, there are a few things you
want. Some (among many) are protection of data in transit or storage,
verification of users and integrity of data. These are all aspects where
cryptology can help, so, let's have a look at them.
Protection of sensitive data
As you may or may not know, when you send data over the internet it goes
via many different hosts. Now, if someone is listening on one of those
hosts, your data can and will be compromised, so what can you do? Crypt it
baby! To go deeper, I'm going to use the example of Pretty Good Privacy
(PGP). This is a free (for non-commercial use) program used for encrypting
email. Here's a nice analogy for you: when you send a plain text email to
someone across the internet, it's like sending a postcard. Pretty much
anyone who's in its path of delivery can read it. So, encryption through
pgp (or whatever) is sort of like putting your email in an "envelope", to
prevent prying eyes from viewing it. Email is just one example; cryptology
over networks can come in many different forms (like SSL etc). It can
prevent people from seeing things they're not meant to.
Another time cryptology of this sort is good is for storage of sensitive
information. Reasonably recently in England, a member of MI5 had his laptop
stolen whilst in transit (there's a high-budgeted govt department, "nah ..
just catch the train"). This could have been pretty fucking serious
with 0-day govt inph0z revealed, but all the files on that laptop were
encrypted, so the secret pron cache was safe. If you have naughty things
on your hd's and the feds are coming to get you, you should encrypt
*everything* then format your hd a couple of times (about seven is a
figure I read somewhere to ensure everything's really gone .. alternately,
buy a big magnet :). Anyway, here cryptology can be used to protect
information stored on permanent media. There are many many examples of
this; one of the most basic is the encryption of passwords on decent OS's.
But as most would be aware, passwords can be bruteforced.
Brute Forcing Attacks
Ok, here's a little aside if you don't know what bruteforcing is. I'm just
going to talk about unix passwords as an example, but NT passwords are
prey to the same attack (see l0phtcrack - www.l0pht.com). When a password
is encrypted, it's put through a one way algorithm, which converts the
password to the shit you see in /etc/passwd. It's called one way because
there is no way the garbled text can be reverted to its original state, ie
a clear text password. So, when someone logs on, the password they supply
at the prompt is encrypted with the same algorithm, then compared to the
one stored on file; if they match, it's the same password and they're
in (this is a pretty piss poor form of authentication, as you'll see
later). Now, that sounds pretty good (disregarding me calling it
piss poor in the last sentence), but it has problems, specifically it can
be brute forced. So, we know we can't convert the stored password to clear
text, but what if we encrypted lots of different words in the same way and
compared them to the ones stored on file ... eventually, we'll find a
match. This is brute forcing. There are two types of brute forcing, one
using a dictionary file of commonly used passwords, and "pure" brute
forcing, where you start with "a" then "aa" then "ab" etc right through the
set of all printable characters. Brute forcing does take time, though
dictionary attacks are quicker than "pure" brute forcing.
User Verification
So, just who the fuck are you anyway? As I said before, passwords are
kinda piss poor for proving identity. They can be stolen, guessed, brute
forced etc. Cryptography can provide more security when proving our
identity. How so? Through the use of keys and digital fingerprints as
signatures and/or one time passwords. First off, keys. I talked about keys
in Infosurge 3, so I'm going to make a wild assumption that you know about
public/private keys. Just say you receive an email from a friend
announcing the fact that they are gay; you find this a little odd,
considering they're constantly on the pull. "Maybe" your paranoid little
mind thinks "someone stole their email account password and is trying to
make a mockery of my friend" (not that being gay is anything to be ashamed
of). One way of verifying if it really was your friend is if they're using
a digital signature based on their private key which can be verified with
their public key. Using this method you can indeed verify that your friend
did send that message, and really is gay ("Gosh, must have all been for
show"). Of course, this is dependent on how private your friend kept his
private key (key management is a very important part of using crypto, more
on that further on).
One Time Passwords are a more secure way of providing password based
authentication. Generally it goes like this: a user telnets to the host
they want to log on to and provides a username; the host then responds
with a challenge, which usually has two parts, a seed and an iteration.
The user takes this seed and iteration and generates a response, which is
then submitted to the host, which then checks to see if the response is
valid. Each time the user logs on, the iteration is decremented, so each
time a different response is needed. The response can be generated by
software or hardware, software being the case of a "response calculator"
local to the user, or hardware like SecurID which is synchronised with
the host and generates a new response over a given period of time (usually
about 30 - 90 seconds). This means anyone with a packet sniffer or "over
the shoulder tekniq" can't use the response at a later time, as a new
response will be required.
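The seed-and-iteration exchange above is the S/Key hash-chain design, and as
an added example (my code, not the author's) here are both sides of it in
Python: the host keeps only the last accepted response, never the secret,
challenges with (seed, iteration - 1), and accepts a response only if hashing
it once gives the value it holds. The replay in `demo()` is the packet-sniffer
case the text mentions: the captured response fails on the very next login.
SHA-256 as the chain function, the secret, the seed and the chain length are my
assumptions (the original S/Key used MD4/MD5); the time-synchronised token
variant is a different mechanism and is not modelled here.

```python
# Added example: S/Key-style one time passwords (seed + iteration challenge).
# Not the zine's code. Hash function, sample secret and seed are constructed.
import hashlib
import hmac


def otp_step(value: bytes) -> bytes:
    """One link of the hash chain (SHA-256 here by assumption)."""
    return hashlib.sha256(value).digest()


def generate_response(secret: str, seed: str, iteration: int) -> bytes:
    """Client side, the 'response calculator': hash secret||seed `iteration` times."""
    value = (secret + seed).encode()
    for _ in range(iteration):
        value = otp_step(value)
    return value


class OtpHost:
    """Host side. Holds hash^iteration(secret||seed), never the secret itself."""

    def __init__(self, seed: str, iterations: int, enrolment_value: bytes):
        self.seed = seed
        self.iteration = iterations
        self.last_accepted = enrolment_value

    def challenge(self) -> tuple:
        """Tell the user which seed and iteration to compute for this login."""
        if self.iteration <= 1:
            raise RuntimeError("chain exhausted: user must re-enrol")
        return self.seed, self.iteration - 1

    def verify(self, response: bytes) -> bool:
        """Valid iff hash(response) equals the stored value; then step the chain down."""
        if not hmac.compare_digest(otp_step(response), self.last_accepted):
            return False
        self.last_accepted = response      # next login must hash to this one
        self.iteration -= 1
        return True


def enrol(secret: str, seed: str, iterations: int) -> OtpHost:
    """Enrolment, done once over a trusted path: the host receives only hash^n."""
    return OtpHost(seed, iterations, generate_response(secret, seed, iterations))


def demo() -> tuple:
    """Two honest logins with a sniffed-and-replayed response in between."""
    secret, seed = "correct horse battery", "au1234"   # constructed sample values
    host = enrol(secret, seed, 100)

    seed, n = host.challenge()                  # host sends: au1234, 99
    r1 = generate_response(secret, seed, n)
    first = host.verify(r1)                     # True

    replay = host.verify(r1)                    # sniffer replays r1: False

    seed, n = host.challenge()                  # host sends: au1234, 98
    r2 = generate_response(secret, seed, n)
    second = host.verify(r2)                    # True
    return first, replay, second


if __name__ == "__main__":
    print(demo())
```

The host-side store is itself worth protecting: it leaks nothing about future
responses (you would have to invert the hash), but anyone who can overwrite it
can enrol their own chain, which is the same "trust the host" caveat the
article raises later.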
Data Integrity
So, you've set up a nice secure box, but as time goes by it needs to be
patched. Are these patches safe? What if someone has tampered with them?
Here, we can use cryptography to ensure that the file we downloaded is the
file we thought we were downloading. RedHat uses this to verify its
patches which are distributed as rpm's. This is done via a hashing
algorithm run over the file. So, the user downloads the file and generates
an md5 sum which they then compare to the sum provided with the file. Also,
each package released by RedHat is digitally signed with a pgp signature
which can be verified with RedHat's public key (because if someone rooted the
server (and it is RedHat :P) they could put tampered rpms along with md5
sums for the tampered rpms up there; the digital signature prevents this
from being effective, unless RedHat store their private key on the server,
which would be incredibly stupid).
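To make the "rooted server" point concrete, here is an added example (mine,
not the author's or Red Hat's) in Python: a checksum published next to the
file catches corruption in transit but is worthless once whoever controls the
server can republish it, whereas a signature made with a key that never lives
on the server still fails on the swapped package. Standard-library Python has
no PGP, so the signature is stood in for by an HMAC under a vendor key; that
substitution, the key, and the sample package bytes are my assumptions (a real
vendor signs with a private key and ships only the public half). MD5 is used
because that is what the text describes; it is no longer collision resistant
and a current vendor would use SHA-256 or better.

```python
# Added example: checksum versus signature when the download server is rooted.
# Not the zine's code. HMAC stands in for a detached PGP signature (assumption).
import hashlib
import hmac


def md5sum(data: bytes) -> str:
    """The sum the user computes over the downloaded file."""
    return hashlib.md5(data).hexdigest()


def verify_checksum(data: bytes, published_sum: str) -> bool:
    return hmac.compare_digest(md5sum(data), published_sum)


def sign(data: bytes, signing_key: bytes) -> str:
    """Stand-in for the vendor's signature: HMAC under a key kept off the server."""
    return hmac.new(signing_key, data, hashlib.sha256).hexdigest()


def verify_signature(data: bytes, signature: str, signing_key: bytes) -> bool:
    return hmac.compare_digest(sign(data, signing_key), signature)


def rooted_mirror_scenario() -> dict:
    """Replay the text's scenario: package swapped, md5 sum republished to match."""
    vendor_key = b"vendor-offline-signing-key"        # constructed; never on the mirror
    genuine = b"constructed-rpm-payload v1.0"           # constructed sample package
    mirror = {"pkg": genuine,
              "md5": md5sum(genuine),
              "sig": sign(genuine, vendor_key)}

    # Honest download: both the checksum and the signature check out.
    genuine_result = (verify_checksum(mirror["pkg"], mirror["md5"]),
                      verify_signature(mirror["pkg"], mirror["sig"], vendor_key))

    # Someone with root on the mirror replaces the package and its md5 sum.
    # The .sig cannot be regenerated because the signing key is not there.
    tampered = genuine + b" + extra bytes"
    mirror["pkg"], mirror["md5"] = tampered, md5sum(tampered)

    tampered_result = (verify_checksum(mirror["pkg"], mirror["md5"]),
                       verify_signature(mirror["pkg"], mirror["sig"], vendor_key))
    return {"genuine": genuine_result, "tampered": tampered_result}


if __name__ == "__main__":
    print(rooted_mirror_scenario())
    # {'genuine': (True, True), 'tampered': (True, False)}
```

The checksum passing on the tampered package is the whole lesson: a sum fetched
from the same place as the file proves only that the download matched what the
server wanted you to have. `hmac.compare_digest` is used for both comparisons
so that verification time does not depend on where the strings first differ.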
Attacking Cryptology
I explained the brute force method before and, as its name implies, it's not
what you'd call an elegant attack. Nonetheless it works; it can take a long
time, but it can work quite effectively. The math behind cryptology is
pretty good: anything can be brute forced, but it becomes "computationally
intensive", ie it takes a long long time to break. There's sort of a "magic
formula" behind cryptology (which can be applied to security in general if
you're creative); it goes something like this: when the cost of breaking
outweighs the value of what can be gained from breaking, you're doing alright.
Plain and simple, brute force just requires a lot of computations. So if the
maths is good, what can we do? We can attack the protocols used in
implementing cryptology. Protocols here are the methods used to establish
a secure environment with cryptology, preparing to communicate. The examples
I'll be using are with people, but more commonly one of these people will be a
server, and one will be a client.
Man in the middle
Here, we have Bob and Al wanting to establish secure communication through
public/private key usage, with Frank the ubercracker trying to listen in.
1) Bob sends Al his public key, Frank, being an ubercracker, intercepts this
and sends his own public key to Al, posing as Bob
2) Al now has Bob's public key (or so he thinks), and replies to Bob with his
public key. Frank intercepts Al's public key, and sends his own to Bob posing
as Al.
Ok, so here we have Frank in the middle with both public keys. Say Bob now
sends a message to Al with the public key he has received (Frank's). Frank
intercepts this message, decrypts it with his private key, reads it, copies
it, whatever, then encrypts it with Al's public key and sends it on to Al.
Al gets it, decrypts it, reads it, writes a reply and sends it to Bob. Frank
intercepts Al's message to Bob, decrypts and reads it, then encrypts it with
Bob's public key and sends it on to Bob. So, Frank is in the middle
transparently reading the messages and passing them on, while Al and Bob
have no idea that anything is amiss. Fundamentally this is how most attacks
will occur, though circumstances and participants along with the method of
exploitation can be pretty different.
So how can a man in the middle attack be prevented?
One way is via a trusted third party, where a session key is generated by
a trusted party (usually a centralised server of some sort), encrypted with
the public keys of those who want to communicate and then sent out to the
relevant people, who then establish communication using the trusted session key.
This of course relies on the trusted host being incorruptible. Going back to
the Bob/Al/evil Frank scenario, it could go like this:
1) Bob sends Al his public key
2) Al sends Bob his public key
3) Bob encrypts his message and sends only half to Al
4) Al receives this half, encrypts his own message and sends half of it to Bob
5) Bob receives Al's first half, and sends his second half to Al
6) Al receives Bob's second half, and sends his second half to Bob, and decrypts
Bob's message now that it is complete
7) Bob receives Al's second half and decrypts it.
This is better because even though Frank can still intercept the messages,
he can't decrypt only half a message. This is of course assuming Bob and Al
both have messages they want to send to each other, because if Bob wants to ask
Al a question, it's kinda difficult for Al to answer without receiving the
whole message first. Also, Frank could still be in the middle and just wing
it and try to completely forge Bob and Al's messages to each other (which
*could* happen).
Yet another way would be using public/private keys to establish a session key.
It looks like this:
1) Bob generates a session key and encrypts it with Al's public key, gained
from a trusted third party, then digitally signs it using his private key.
2) Al receives Bob's message, verifies his signature, decrypts it using his
private key
3) Using the session key, they establish secure communication
The weak link here is in stage 1, where Bob receives the key from the
trusted third party. It could be a real person who's been bribed, coerced
etc or a host that has been compromised, but Bob trusts it.
The point of all this
I have two main points. The first is trust. It's pretty damn hard for two
parties who do not trust each other to establish secure communication
through cryptology. Trust is implicit throughout nearly all areas of
security; somewhere along the line someone trusts something, and at that
point there is a weakness which can be exploited. A system trusts anyone
with a valid password. A vigilant sysadmin trusts his users to keep their
passwords secure. Bob and Al trusted the network they used to exchange keys
(which was kind of stupid, as they were using cryptology because they didn't
trust the network; this is akin to getting the dodgy cleaners who seem more
interested in casing out your house than vacuuming to go to the locksmith for
you). Frank exploited that trust to defeat their attempts at secure
communication. His attack was not on the math, but on the implementation.
From that I come to my second point. In no way is cryptography a magic bullet.
It's always important to remember that cryptography != security, and I hope
that you found some evidence to believe that from this file. Used correctly,
with the right algorithm for the right job, crypto can make things more secure,
but by itself cannot protect a system from a wide variety of attacks (social
engineering, physical theft, DoS's etc etc etc). This is what I mean by a
lack of understanding about what security is. I believe there is no magic
bullet, and that given enough time any system can be broken. But, going back
to what I said before about the "magic formula" of effort required to break
vs gains from breaking, there exists enough knowledge, tools and techniques
to make things very difficult, if they're used correctly and have a bug free
implementation :)
Linkage
http://www.b4b0.org/zine/b4b0-07.txt - Read "My day in age" by Rhinestone
Cowboy, the first place I've seen "magic bullet" used, in this case in
relation to firewalls
http://www.pgp.com - uh, PGP
http://www.pgpinternational.com - uh, PGP International
http://www.mulletsgalore.com - mullets, lots. I recommend the pron section
And now .. some fearsome asciipr0n!!!
oooooo
ooo ooo
oo| o o |oo
ooo| u |ooo
ooo| o |ooo
\___/
_____| |______
{ }
| | |
| \(_o_)(_o_)/ |
\__________/ /
}\_______ /{
} {
} . {
/ \
( \|/ }
\ / /
\ / /
| / \
| | |
| | |
/ }{ \
/_/_ / \_\_\
Yes, I'm aware she has no hands (uh .. her arms are crossed!) and that
she only has two toes, but it's ascii pr0n j3w s1k fuqr$#@! what sort
of person fucking looks at asciipr0n?!(and *bad* asciipr0n at that :P)
hmm .. maybe someone like this ...
[01:02] Xzi- and the government just passed a law so its legal for the
ASIO (equivalent to CIA) is allowed to hack our computers
[01:02] Xzi- i love this country
[01:02] Cinclant- haha
[01:02] Cinclant- owned
Phwoar!!!!!! See that lead on ... I should be a comedian, or maybe a
newsreader ... OR MAYBE A FIREMAN $#@!
Ok, I was a bit freaked out when I wrote this (phase5 kept staring in my window
late at night), so it's a bit rantish. And yes that quote is lame (cinclant
was drunk, it was funny at the time) and the asciipr0n is bad, but you know what?
I just don't care
lovingly yours
phunki
v0idnull@yahoo.com
........[ x.25 guide ].............................[ Epic Target ]............
|
|
/ \
DESKTOP GUIDE TO HACKING
----- AUSTRALIAN X.25 NETWORKS -----
(V.2) BY EPIC TARGET
\ /
|
|
/ CONTENTS \
------------
1. What is Austpac And X.25 Anyway?
2. Public Access Dial-Ups
3. X.25 Service Gateways
4. NUA 101
5. Common Error Codes
6. Scanning
7. NUIs And Closed User Groups
8. Dedicated X.25 Connections And PADs To Jump Off
9. Introduction To X.25 Hacking
10. Fine Tuning The Brute Force Hack
11. Other X.25 Hacking Methods
12. General Safety
13. Systems Catalogue
14. Conclusion & Resources
DISCLAIMER : If you do not use/misuse the information in this file you
may find yourself the recipient of many piss-taking remarks and sound
beatings. The only way you're going to really learn is by getting out
there and exploring. Fuck what's "legal" and what's "illegal". I did in
this disclaimer. Get out there and DO and have some fun dammit ;)
INTRO
~~~~~
Some of you may have read Version 1 of this file, The Beginner's Guide
To Hacking On The Austpac X.25 Network. Well, after 7 months I have
decided that Version 1 sucked and so have improved it. I have collated
every shred of information I could. In fact, I wanted to keep the size
down and so have removed a lot of sections that I felt were less relevant,
but more than twice as much information as I took out has replaced it. I
guess now it kind of reads like a reference guide and so I also changed
the title. Read through it at your leisure, but I recommend that you
download it as it is good for referring to during your adventures. This
file is applicable to all Australian X.25 networks and I have included
some information on some new ones, but its main focus is still on
Austpac. The first 8 chapters discuss the landscape of, connecting to
and navigating around X.25 and the last 5 chapters discuss attacks on
systems applicable over X.25.
-----------------------------------------
/// 1. WHAT IS AUSTPAC AND X.25 ANYWAY? \\\
-------------------------------------------
So, you've heard about it on the 'net, maybe you've read about it
in the book 'Underground' and you want to know what it's all about. So
what is this mysterious Austpac?
A bit of history : The world's first WAN was the internet. Its original
inception was in the late 60s as the ARPANET. At this stage it was an
experimental network and was only practical for research institutions
with a lot of cash, like the military. Other commercial enterprises did
not connect to the Arpanet because it was just not cost effective. As
the information age progressed, commercial enterprises began wanting to
have cheap, digital communication and networking capabilities and so
various Telcos around the place decided that, hell, we can multiplex
about a few thousand digital interchanges on the one trunk and so we might
possibly be able to provide this service at a less exorbitant price than
we usually do. The way they did it was by applying packet switching.
So, the message you send gets put in an X.25 packet and sent along
these dedicated data lines around the network. At the same time, other
packets are doing the same thing on the same line; they are just
multiplexed together. There are hundreds of X.25 networks around the
world and most are linked together so that the nodes on different
networks can communicate with one another. Austpac is one of these
networks. X.25 networks are not the internet. They work by completely
different protocols. While the internet uses TCP/IP, the X.25 network
uses, that's right, X.25. The first X.25 networks came into inception
around the late 70s.
The Austpac service is provided by Telstra and is our Australian X.25
network. Get it? AUST (ralia) PAC (ket switching). You can have a
look at Telstra's official Austpac webpage at :
http://www.telstra.com.au/prod-ser/dataservices/austpac.htm
Although, you won't find any information about hacking there ;)
You can also make enquiries about Austpac, purchasing NUIs etc.
on 1800 088 898 during business hours (Eastern Standard Time.)
WHEN IS X.25 BETTER THAN TCP/IP?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Alright, we've heard enough about history, before the internet was
commercialised, we know people were hacking the X.25 networks.
But what about today? Why the hell would I want to bother with the
X.25 network, and why would companies be bothered with the X.25
network when there is the internet?
1. SECURITY. Rather than saying X.25 is secure I will say that the
Internet is INsecure. TCP/IP and UNIX. Interaction between not just many
different servers, but APPLICATIONS!! If you can't hack on the internet,
you suck. X.25 is a more bare bones transmission protocol and is designed
for interaction with other systems via a login server, or something
similar to the Telnet protocol in TCP/IP. EFTPOS transactions, for
example, take place over X.25 and not the internet for these obvious
reasons.
2. COST EFFECTIVENESS. Under certain circumstances X.25 networks are more
cost effective than the internet. Applications that require relatively
shorter logins are more cost effective over X.25. Examples include EDI
(Electronic Data Interchange), query & replies, update database,
transactions and to a certain degree electronic mail. Business to
Business transactions are still more often done over X.25 than the
internet these days although that is starting to change. Also, X.25 is
more efficient on noise prone transmission media as it has good error
checking.
3. EASE OF IMPLEMENTATION. Due to the low level nature of the protocol,
it doesn't have to conform to the restrictions of TCP/IP and so can
transmit any old weird kind of stuff.
4. The Hacker's Reason : WEIRD ASS SYSTEMS. If the Internet is a city,
X.25 is a Jungle. On the internet, the percentage of interesting systems
to crass commercial crap and porno sites is very low indeed. If hacking
those is your thing, well back to the WWW for you. Otherwise, get the
fuck out of http and onto X.25 nets. All the back systems, research
institutions, military, telecommunications systems, financial systems are
all on X.25. Just the plain obscurity, weirdness and diversity of the
systems you may find are alluring enough to any hacker. Oh yeah, a lot of
the good systems are locked up tight on the internet end. So that's why
I like to take the back door, through X.25.
WHY IS CALLING THRU X.25 DIFFERENT THAN THRU REGULAR DIALUP LINES?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Aside from being cheaper over long distances the answer is again, SECURITY.
It is easier for an unauthorised individual (that's you, sparky) to find a
specific system's telephone dialup line than a specific system's X.25 NUA
address. Second of all, "secure" systems may not even HAVE dialup lines. A
primary use of the X.25 service is for linking two networks that are a great
geographical distance from one another. In this case, they only need the WAN
connection. If someone wants to work from home, they can also access their
local public access Austpac dial-in and call the network over X.25, possibly
using a closed user group NUI for added security.
-------------------------------
/// 2. PUBLIC ACCESS DIAL-UPS \\\
---------------------------------
Contrary to popular belief, you don't have to do anything illegal to
actually get on the Austpac network. This is because the basic way of
accessing the network is through a public access dialup. This will allow
you to access systems that accept reverse charge billing, and other
systems if you have an NUI. Am I going to give you a public access dial-in
number? :
- 13 14 00 -
I guess I am. So, fire up Hyperterminal or Procomm plus for Windows.
(Basically you need a VT100 terminal emulator, or a VT100 terminal ;) dial
131400 and you'll get:
AUSTPAC: 0505214190064
And the cursor will be blinking below it. Type in your NUA and away you
go. Don't worry about things like altering your PAD parameters. You only
need to do this if you are using a different terminal emulation. VT100 is
the default configuration so you needn't worry.
1800 Dialups
~~~~~~~~~~~~
Here are some freecall 1800 dialups. Don't abuse these by trying to scan
the entire of Austpac for example.
- 1800 655 057 -
- 1800 653 991 -
These have all been active for at least two years and so I reckon they'll be
around for a while. Still, try to be nice :)
------------------------------
/// 3. X.25 SERVICE GATEWAYS \\\
--------------------------------
These are basically public access gateways from the internet to X.25
networks. Unfortunately, I don't have a current address for one of these
but you can bet your ass they're out there, and for other X.25 networks
as well! It used to be that you could telnet to :
austpac.telstra.net
or
austpac.aarnet.edu.au
Login as : austpac and be dropped into a public access PAD. Also, you
could get to the internet from Austpac by an NUA, which would have been
useful for covering your tracks. If you find one, don't scan off it. It will
get shut down.
----------------
/// 4. NUA 101 \\\
------------------
NUAs are the "addresses" on the X.25 networks. NUA stands for (N)etwork
(U)ser (A)ddress. You need to have an understanding of them because
otherwise you will get the shit confused out of you, because different
X.25 networks have different NUA addressing formats.
DNICs
~~~~~
To start with, I will explain the DNIC (Data Network Identifier Code.)
This is the address for a particular X.25 network. They are used when
someone from one network wishes to call a node on another network. It's
like a different area code. If you are actually on the same network as
the node you wish to contact, you can leave this out. Each DNIC has 5
digits. Here are some DNICs of popular X.25 networks :
AUSTPAC (Thats us!) : 05052
SPRINTNET (Formerly TELENET - in USA) : 03110
XSTREAM (formerly TYMNET - In USA) : 03106
TRANSPAC (France) : 02080
DATEX-P (Germany) : 02624
PSS (England) : 02342
TELETEX (Another Australian net!) : 05054
SingCom (Au) Net (No official name) : 05056
Australian Private Networks : 05057
For a more complete listing, have a look at some of the other files on
the internet. This is just a few of the main ones. These go at the start
of the NUA, if you're going to use them. The 0 at the front of the DNIC
denotes that you wish to make an international connection.
SPRINTNET FORMAT
~~~~~~~~~~~~~~~~
Sprintnet addresses have 13 numbers in an NUA if you are including the
DNIC. For example :
0311032200526
This can be broken down into smaller logical sections as such :
0 3110 322 00 526
  0    = International Connection
  3110 = SPRINTNET DNIC
  322  = Area Code
  00   = Nothing Much
  526  = Host Address
XSTREAM FORMAT
~~~~~~~~~~~~~~
Xstream addresses have 11 numbers in their NUAs, again counting the
DNIC, example :
03106123456
Another difference is that this breaks down differently to the Sprintnet
NUA :
0 3106 12 3456
  0    = International Connection
  3106 = XSTREAM DNIC
  12   = Area (No pattern)
  3456 = Host Address
For purposes of scanning, major Areas on Xstream are : 00, 07 and 90.
There are others but they are not as rich in NUAs.
AUSTPAC FORMAT
~~~~~~~~~~~~~~
An Austpac NUA has 9 digits. For example :
222933023
If you were overseas and calling Austpac you would use a DNIC at the
start and so the NUA would have 13 digits, example :
0505222933023
As far as I can tell this breaks down thus :
0 5052 2 2933 023
  0    = International Connection
  5052 = Austpac DNIC
  2    = Area Code (Corresponds to old phone area codes - so this one is
         in NSW.)
  2933 = Sub-Area
  023  = Host Address
Note that the 2 on the end of the Austpac DNIC remains at the beginning of a
locally called NUA.
Also, for purposes of scanning, the most NUAs can be found by leaving the
first number of the Host Address section as 0 and scanning thru the lower
portion of the last two numbers, ie. 222933000 - 222933020
By the way, connect to 222933000 and login : practice
password : practice. A nice "practice" account for you. Actually it's a law
practice ... ;)
Austpac Area Codes : 050522 = New South Wales
050523 = Victoria
050526 = Australian Capital Territory
050527 = Queensland
050528 = South Australia
050529 = Western Australia
PORT ADDRESSES
~~~~~~~~~~~~~~
This is the last part of any NUA. It is also optional. In the formats
above, I have not included port addresses. This is because it is an
optional addition to access a specific system on their subnet. A port
address has two digits 00 thru 99. If you don't include a port address
on your NUA, it will still connect you to the default system. Adding the
port address puts you thru to a more specific system. So, if you are
scanning and you find an NUA like our old example :
222933000
Then you can add a port address on and see if it will allow you to
connect to anything more specific, so you scan thru :
22293300000 to 22293300099 and see if you get another connect. Not all
NUAs will have subnets and so using port addresses may or may not be
applicable.
MNEMONIC HOST CODES
~~~~~~~~~~~~~~~~~~~
These are an additional security measure that are used with an NUA. I don't
know for sure if they are used on Austpac as I have never found one. However,
they are used on other X.25 networks and I have seen them advertised on the
Australian webpage for Global X.25. My opinion is that they are used on
Austpac as the Fast Select fields in the X.25 packets allow for something
like this. Gandalf XMUXs in particular make use of these. They are a string
of letters added onto the end of the NUA following a comma like so:
22293000,HOST
As an example. They work like ports, allowing you access to different
systems on an NUA. They can also be used to protect the system on that NUA
as they function like an external password. They can be used for things like
dial-outs and network services. Common Mnemonics are : [SYSTEM, CONSOLE, PAD,
DIAL, MODEM, X25, X29, SYS, HOST]. I'd imagine they'd be more likely used on
NUAs that have port assignments as well.
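To make the addressing rules above concrete, here is an added example (not part of the original article) that splits an NUA into the fields described for Sprintnet, Xstream and Austpac, peels off an optional two-digit port address and a mnemonic host code after the comma, and rebuilds the local or international form. It follows this chapter's reading that the trailing 2 of the Austpac DNIC stays on the front of a locally dialled NUA; the names (parse_nua, NuaParts, format_nua) and the ",HOST" sample built on the practice NUA are our own.

```python
"""Split an X.25 NUA into the fields this chapter describes.

Added example, not from the original article.  Field widths follow the
Sprintnet, Xstream and Austpac breakdowns above, including the chapter's
reading that the trailing 2 of the Austpac DNIC stays on the front of a
locally dialled NUA; the Austpac area names come from the table above.
Names (parse_nua, NuaParts, format_nua, ...) are our own.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Layout = Tuple[Tuple[str, int], ...]

# Five-digit DNIC (leading 0 = international call) -> (network name, digit
# kept on the front of a locally dialled NUA, layout of the remaining digits).
NETWORKS: Dict[str, Tuple[str, str, Layout]] = {
    "03110": ("SPRINTNET", "", (("area", 3), ("filler", 2), ("host", 3))),
    "03106": ("XSTREAM", "", (("area", 2), ("host", 4))),
    "05052": ("AUSTPAC", "2", (("area", 1), ("subarea", 4), ("host", 3))),
}

# Austpac area code (the digit after the DNIC) -> state, from the table above.
AUSTPAC_AREAS = {"2": "New South Wales", "3": "Victoria",
                 "6": "Australian Capital Territory", "7": "Queensland",
                 "8": "South Australia", "9": "Western Australia"}


@dataclass
class NuaParts:
    network: str                    # "AUSTPAC", "SPRINTNET" or "XSTREAM"
    international: bool             # True when the NUA carried a DNIC
    fields: Dict[str, str]          # area / subarea / host ... in dialling order
    port: Optional[str] = None      # optional two-digit port address
    mnemonic: Optional[str] = None  # optional mnemonic host code after the comma
    area_name: Optional[str] = None # Austpac only


def _dnic_for(network: str) -> str:
    dnic = next((d for d, (name, _, _) in NETWORKS.items() if name == network), None)
    if dnic is None:
        raise ValueError(f"unknown network {network!r}")
    return dnic


def _width(layout: Layout) -> int:
    return sum(w for _, w in layout)


def parse_nua(nua: str, local_network: str = "AUSTPAC") -> NuaParts:
    """Decompose an NUA.  `local_network` is assumed for NUAs without a DNIC
    (the chapter's examples are dialled from an Austpac PAD)."""
    mnemonic = None
    if "," in nua:                               # e.g. "222933000,HOST"
        nua, mnemonic = nua.split(",", 1)
        if not (1 <= len(mnemonic) <= 8 and mnemonic.isalnum()):
            raise ValueError(f"bad mnemonic host code: {mnemonic!r}")
    digits = nua.replace(" ", "")                # accept the spaced notation
    if not digits.isdigit():
        raise ValueError(f"NUA must be digits: {nua!r}")

    # International form: a known DNIC followed by exactly that network's
    # digits (plus an optional 2-digit port).  The length check matters
    # because a local Xstream NUA can also begin with 0 (area 00).
    dnic = digits[:5]
    if dnic in NETWORKS and len(digits) - 5 in (
            _width(NETWORKS[dnic][2]), _width(NETWORKS[dnic][2]) + 2):
        international, number = True, digits[5:]
    else:
        international, dnic = False, _dnic_for(local_network)
        prefix = NETWORKS[dnic][1]
        if not digits.startswith(prefix):
            raise ValueError(f"local {local_network} NUA must start with {prefix!r}")
        number = digits[len(prefix):]
    name, _, layout = NETWORKS[dnic]

    base = _width(layout)
    port = None
    if len(number) == base + 2:                  # trailing port address
        number, port = number[:base], number[base:]
    elif len(number) != base:
        raise ValueError(f"{name} NUA needs {base} digits after the DNIC "
                         f"(+2 for a port), got {len(number)}")

    fields: Dict[str, str] = {}
    pos = 0
    for field_name, width in layout:
        fields[field_name] = number[pos:pos + width]
        pos += width
    parts = NuaParts(name, international, fields, port, mnemonic)
    if name == "AUSTPAC":
        parts.area_name = AUSTPAC_AREAS.get(fields["area"])
    return parts


def format_nua(parts: NuaParts, international: bool) -> str:
    """Rebuild the NUA either with its DNIC in front (dialled from another
    network) or in local form, keeping any port address and mnemonic."""
    dnic = _dnic_for(parts.network)
    head = dnic if international else NETWORKS[dnic][1]
    number = head + "".join(parts.fields.values()) + (parts.port or "")
    return number + (f",{parts.mnemonic}" if parts.mnemonic else "")


if __name__ == "__main__":
    for sample in ("0311032200526", "03106123456", "222933023",
                   "0505222933023", "22293300000", "222933000,HOST"):
        print(sample, "->", parse_nua(sample))
```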
---------------------------
/// 5. COMMON ERROR CODES \\\
-----------------------------
Particularly whilst scanning around on Austpac, the PAD may issue you
with error codes, denoting a kind of error that has taken place. Apart
from this one :
ERR invalid command
Which is pretty straightforward, the others are somewhat cryptic.
The format Austpac error codes take is this :
CLR XXX XXX
(a) (b) (c)
a = CLR : Call Cleared (ie. deleted.)
b = Up to 3 letters, denotes the type of error that has occurred.
c = Three numbers, additional information on the error. It is usually 000,
    which means there is nothing special to report about the error.
Here is a list of the more common ones and their meanings :
CLR NP 000 = Called number not assigned. This is the equivalent of
the "Your call could not be connected" recording from
a telephone.
CLR NP 067 = Called number not assigned, Invalid NUA. This means
that not only could your call not be connected, but the
NUA you entered will likely never be connected.
CLR RNA 000 = Called number does not subscribe to reverse charging.
This means there is a system there, but you can't
access it without an NUI.
CLR NA 000 = Access not permitted. This means there is a system
there, you just can't access it without an appropriate
Closed User Group NUI.
CLR OCC 000 = Called number occupied. This is the equivalent of a
telephone busy signal. It means the link to the
system is full, or the system is down for maintenance.
Try again later.
For further information on error codes, have a look at :
o The Force Files - By The Force
o Accessing Telecom Australia's AUSTPAC service - By Softbeard
-----------------
/// 6. SCANNING \\\
-------------------
There are no search engines on the X.25 network (duh). So how do you find
your way around? Well, you could try connecting to NUAs you have found on
the internet (The Force Files has a big listing of NUAs.) But the problem
is, these sites have probably been connected to by about a million other
people already and so are hacked to death. The best way to find new NUAs is
by SCANNING. This means, trying one NUA after another and incrementing by 1
each connect attempt. For example : 222933000 , 222933001 , 222933002 etc.
Using knowledge of where the most NUAs are is also helpful in searching in
the right places. Also, you can code your own comms program to scan the
addresses for you.
You can do scanning from a public access dial-in and without an NUI. This
is because, many sites on X.25 networks accept reverse charge connections
and so will just drop you straight into their site. If the site does not
accept reverse charge connections, you won't be able to get in, but you
will be able to know there is a site at that address. This is because,
when you try to connect, you will get an error message that will tell you
the reason that you could not connect. This will include whether a site
was there or not.
AUTOMATING IT
~~~~~~~~~~~~~
There are two types of automated scanners for X.25, the ones that run off
your home computer and the ones that run off a remote PAD off a system you
have previously hacked into.
1. With all the differences in structure of different networks out there,
and with all the different things you might like to do with your scanner, you
may as well make it one of your own. To make one of these, you can script
Hyperterminal, you can also do some scripting in Procomm Plus's ASPECT
scripting language. You can also get what is known as a serial port
extender. This doesn't use your comms program, it sends commands to the
modem by itself. A good one for windows is here :
http://www.windowware.com/winware/download.htm#dlwilextenders
2. This one is a bit more difficult. Use the Operating System's programming
language to compile a scanner. The now legendary DEFCON scanner written by
The Force scanned off PRIMES and was coded in PRIMOS.
AN EXAMPLE SCAN (222650050 - 222650070)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
AUSTPAC: 0505214190064
222650050
CLR NP 000
222650051
CLR NP 000
222650052
CLR NP 000
....
222650058
CLR RNA 000
222650059
CLR NP 000
222650060
CLR NP 000
....
222650066
0505222650066
FAC: P 128
COM
Enter USER-ID:
Explanation : What happened here is that on 222650058 there was a system,
but it didn't accept reverse charge connections and so you couldn't get in,
but you noted it down for future reference (right?) and continued scanning.
When you got to 222650066 it connected you to the system and you were dropped
into the Enter USER-ID: prompt. If you went back to the RNA NUA with an NUI,
you would have connected to a system that spews stuff that looks valid. Such
is the nature of X.25.
SCANNING SAFETY
~~~~~~~~~~~~~~~
Apparently, the theory is that there are so many people connecting to a PAD
at once that they can't tell if someone is scanning off one. I think you
should be a bit more careful though. Don't scan a lot of public access dialups,
particularly 1800 ones and definitely not off X.25 Service Gateways. This gets
them shut down, or even a trace put on them. At least try and co-ordinate your
scans with other hackers that you know of using those services so you can have
a better idea of your personal quota and the same area doesn't get scanned
twice. Large scans should be done from a dedicated connection PAD at a system
that you don't mind getting booted off after a while. When scanning, it is
probably best to do it off a familiar system, or by disguising your P.O.T.S.
number because if a site realises they have a hacker, they might try
looking at recent past connections. If you've scanned from home, wait 30
days or something before trying to gain entry so that the logs will be
cleared.
------------------------------------
/// 7. NUIs AND CLOSED USER GROUPS \\\
--------------------------------------
NUI stands for (N)etwork (U)ser (I)dentifier and is kind of like a calling
card number for X.25 networks. Their principal use is for billing. If
someone wants to connect to a site that doesn't accept reverse charge
billing, then they need an NUI so that the network knows who to bill for
the connection and their time on-line. NUIs are alphanumeric and can be up
to 12 characters long. The NUI can be anything from 846294673545 to hello
and are impossible to scan. To access an NUI you need a password for
verification. It is highly unlikely that you will come across an NUI in
your adventures, but that doesn't mean you won't ;) So, if you're lucky
enough to find (or buy) an NUI then you can access those sites that don't
accept reverse charge billing.
CLOSED USER GROUPS
~~~~~~~~~~~~~~~~~~
This is how VPNs (V)irtual (P)rivate (N)etworks are created. A closed
user group only accepts connection from a group of users with specific
NUIs. So, people without an authorised NUI cannot even make a connection
to a node in a closed user group. They will be able to tell that such a
site is there though, because of the error message they will receive. Also,
there may be some optional parameters that people with a closed user
group NUI may be able to access. Some systems have been forced to abandon
CUG NUIs in favour of other security options because they wish to allow
access from overseas and X.75 (X.25 International Gateway Protocol) is not
the best at carrying these security options from network to network.
--------------------------------------------------------
/// 8. DEDICATED X.25 CONNECTIONS AND PADS TO JUMP OFF \\\
----------------------------------------------------------
When a business has a site on the X.25 network, they don't connect to
the network via public access dial-ins. They get a dedicated Austpac
ISDN connection from their computers to the X.25 service provider. This
is basically a permanent high speed connection to the network. At the
business they will have a PAD, a (P)acket (A)ssembler (D)isassembler that
they access to connect to Austpac via their ISDN connection. The great
thing about these is that, when you access the network via one, you don't
have to have an NUI to access systems that don't accept reverse charge
billing. The PAD will accept billing for all connections made from it.
An unusual occurrence is that you will connect to an NUA and just drop
straight into a PAD without having to login to a system or anything.
A typical greeting from an X.25 PAD can be one of the following :
X.25 Communication PAD
or simply :
Node:
After that you just type in your NUA and jump away.
SO HOW DO I ACCESS ONE OF THESE PADS?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well, first you have to have access to the system. First and foremost,
you could hack into it via X.25 and then once you're in, access their PAD
and "jump" back out onto the X.25 network, now with full billing
capabilities.
Second of all, you could access the system from their LAN. Their LAN may
also be connected to the internet - which makes it an easy target.
Lastly, you may get in through that business's dial-up line. That
is, the dial-up line from the regular telephone network to their modem and
into their system. An important thing to note here is that it is unwise to
dial in to a company's computers in this way without using some kind of
technique to cover your tracks. If they discover a rogue connection to
their dial-in, it is a simple matter to organise a trace. You should use
a diverter, pit or some other phreaking method to make your connection.
COMMANDS TO ACCESS PADS ONCE IN THE SYSTEM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
VMS   - SETHOST/X29 - This will access a PSIPAD (PSI stands for Packetnet
        System Interface)
PRIME - NETLINK
UNIX  - Look for things like : X.29
                               Sunlink
                               Solstice
                               HBX-PAD
        There are a number of UNIX distributions out there and so it could
        be anything. There are also a number of UNIX OSIs.
-------------------------------------
/// 9. INTRODUCTION TO X.25 HACKING \\\
---------------------------------------
The phrase "old style hacking with a vengeance" springs to mind. Actually,
this kind of hacking (brute forcing, knowing nuances of different systems
etc.) never really went out of vogue. It has just been overshadowed by
network service hacking techniques that are used on the internet. Network
service and application hacking is still trying out one exploit after another
anyway, so it's all brute forcing to me.
LOGIN SERVER HACKING
~~~~~~~~~~~~~~~~~~~~
The way I see it, the potential vulnerabilities of a login server can be
broken into six categories.
1. Input Validation Flaws - There are a few admittedly rare times when the
OS manufacturer stuffs up the input validation for their authentication
input. For example, on versions of PRIME before 18 a couple of [^C]s will
just drop you right in. There is also the IRIX flaw explained in the
Systems Catalogue. It's good to learn about these little errors. Obviously
there are no buffer overflow attacks for login servers ... ;)
2. Default Accounts - These are the accounts that are originally set on the
OS and are on the system out of the box. Lazy Sysadmins don't bother to
change them.
3. Sysadmin Set Defaults - These are defaults that are set by the sysadmin to
make his life easier. For example, he can create a script that makes the
users default password his birthdate or a variation on the username etc.
These make life easier for the hacker as well as lazy users don't bother
to change them, or never access their account to have a chance to
change them.
4. Operating System Back Door Accounts - These are default passwords, but
with a twist. Due to some kind of flaw they are easily left installed by
sysadmins that would otherwise change them. Some examples of backdoor
accounts are ones that do not show up in regular userlist queries or ones
that come back when deleted.
5. Application Backdoor Accounts - Ok, so dickwit admin installs an
application on his box as root and it writes an entry to his password file
creating an account for itself. This can be easily overlooked by sysadmins
who don't realise what has happened. An example of this is the Ingres
database in UNIX. Once it's installed -> l: ingres p: ingres and it's hello
easy entry.
6. Weak Passwords - Due to generally uneducated users that don't understand
how to strengthen passwords and probably see them as a nuisance and couldn't
care less if someone hacks their account you'll find passwords like ...
'password' ... on systems out there. Some are harder to guess, but once
you know what you're doing, it takes a pretty educated user to stop you.
The last five of these vulnerabilities are exploited by Brute Forcing. I will
go into greater detail on this subject in the next chapter.
X.25 NETWORK SERVICES
~~~~~~~~~~~~~~~~~~~~~
You'll probably understand the concept of network services and TCP/IP, but
it must be understood that there are differences between running them on
TCP/IP and X.25. Ports work differently on X.25. Different users connecting
to the same NUA will get the server that is on that NUA and get assigned a
channel number, so different connections on different channels can reach a
server at the same time. A connection to an NUA can't include a TCP/IP type
port assignment for connecting to a different service while using the X.25
protocol. It IS possible to encapsulate TCP/IP within X.25 but this is
dependent on the end systems and not the X.25 protocol. Port numbers in
regards to X.25 are separate connections of their own (as explained in
Chapter 4), and THEY DO often have network services running off them.
X.25 hacking is more challenging than TCP/IP hacking because there is a
lack of centralisation of network services and not as many network services
to a system as a typical TCP/IP network.
There are network services over X.25 that can be especially useful in
hacking into/exploring certain networks and systems. At first glance, it
seems that the only way to get into a system over X.25 is by brute forcing
the login server. This is not entirely the case. Recent years have seen the
introduction of a few very useful network services over X.25. If you're talking
TCP/IP like services, I've come across SMTP servers out there and we all know
what they're like! However, over X.25 you are more likely to encounter the
more arcane type of network service. In the systems catalogue chapter, I have
included one such service, the Gandalf XMUX. There are also things like
Cisco routers (oh boy are there Cisco routers ;) and HP Data Communications
and Terminal Controllers. It is true that some of these services are
unpassworded and some require minor authentication, but on network services,
the brute forcing is a great deal easier as you will come to realise.
Because everyone is familiar with Internet hacking I have tried to draw some
parallels to give you a foundation. Remember though, the system may throw
something at you that has no parallel on a TCP/IP network. Dropping you
straight into a menu is for example, not an unheard of thing to happen.
SYSTEM IDENTIFICATION
~~~~~~~~~~~~~~~~~~~~~
If you know a bit about the system you're up against, you have the option of
trying out default passwords and known back doors for that system. You will
also have an idea of the login format. Make it your business to be able to
identify systems by their banner (prompt and herald). There are a few things
that can help you in identifying different systems other than the simple
text message they give you. A good knowledge of these techniques can be
especially helpful if the Sysadmin has decided to be a smartass and modified
the prompts.
1. Upper Case/Lower Case Letters In Prompt - Pay attention, not just to the
words used in the prompt, but the case as well. Particularly the first
letters. For example, take the ubiquitous UNIX prompt:
login:
Note the lower case characters. If it had been something like this:
Login:
That could have denoted a System75. Note the upper case character.
2. The Importance Of The Login Incorrect Error - You get these when you have
entered incorrect authentication. First of all, you can identify systems
by whether or not they give you an error on an incorrect login name, or
whether they wait for you to enter both login and password before
responding. Secondly and most importantly, you can make an identification
by examining what the error message says. Imagine you get this prompt:
Username:
If it continues like this:
Password:
User authorisation failure
It is, of course, a VAX/VMS. However, if it continues like this:
Password:
Invalid username - password pair
Then it can be identified as an AOS/VS. To make sure you get through to
the Login Incorrect Error, enter garbage as authentication to begin with.
3. The Importance Of The Login Format Incorrect Error - You may be familiar
with an obtuse error an HP system will give you if you haven't catered
to its exact etiquette:
EXPECTED A: HELLO COMMAND (CIERR 6057)
Which means the authentication has to be preceded by a HELLO. This is one
of the more syntax related errors. However, a lot of systems require
alphanumeric strings as authentication and so can give you weird responses
when you enter something non-alphanumeric. Try [ENTER] without preceding
with any characters, [CTRL], and things like ','s and other delimiters.
As an example, a Gandalf XMUX, when given an [ENTER] will respond with:
Invalid Name
Names must consist of 1 to 8 alphanumeric characters
Which is very helpful as it is unusual and is a signature by which this
system can be identified. You can also get these kind of messages by
using [CTRL-CHARS].
4. Ways To Get Disconnected - Something that can happen when you're plugging
in [CTRL-CHARS] is that you get disconnected. There are different ways to
do this for different systems. In VMS login a [^Z] will get you booted
off. Also, press [CTRL] again and again and count how many times it takes
to get disconnected. The amount differs from system to system.
These methods are the TYPES of methods that can be used in identifying
systems. The EXAMPLES included are typical examples and are not all the
things that can happen. Instead of putting all the permutations here, I have
gathered the banner information and included them in the systems catalogue
for each system and other tips.
ONCE YOU'RE IN
~~~~~~~~~~~~~~
This is pretty system specific and there are already many fine articles
around on the subject, particularly on UNIX. Basically, what you do is much
the same as what you would do once into a system you have hacked via the
Internet. However, here are a few X.25 specific suggestions:
- Trojan the PAD as a backdoor. Make it so you can log in again using a
secret string.
- Trojan the PAD to collect passwords.
- Read the PAD/Server logs to get more valid NUAs
- Try to get the NUI out of the PAD. The Solstice PAD for example, has a
facility for entering an NUI into the PAD. There is no userfriendly way of
getting the NUI out, but it's gotta be stored somewhere right?
- The Best Backdoor : Take all significant files from the system, then
encrypt them (with IDEA) and put them on a CD for later use. This is more
important on X.25 than on the internet. Take lists of names, /etc/passwd
from UNIX, sysuaf.dat from VMS and anything that might give you some more
options for getting in again next time.
For more information on what to do in specific systems once you're in, I
have included a few of my favourite files in the resources section.
------------------------------------------
/// 10. FINE TUNING THE BRUTE FORCE HACK \\\
--------------------------------------------
This is your "Hack, Hack" type of hacking. Basically it means trying out
combinations of usernames and passwords one after the other, or setting
loose an automated program to do it for you. There *IS* an art form to this.
Especially over X.25, the authentication can be easily guessed. Brute
forcing works best if you either spend a lot of time on each system, or spend
a small amount of time on each system but try lots of systems. You then have
the choice of trying a few likely passwords for a large amount of usernames,
or a large amount of passwords for each username. The golden rule of brute
forcing is that a methodical approach is what yields results, not luck.
These methods will also be of particular interest to the dialup server hacker
and you wouldn't believe how many sites on the internet are susceptible to a
methodical attack of this kind. You might also want to use these concepts to
create a quick dictionary for /etc/passwd file cracking as well.
LOGIN NAMES
~~~~~~~~~~~
1) Keep using default login names after the default passwords haven't
worked.
2) Usually, last name, first name combinations ie.
Richie Cunningham = rcunni or cunnir often around 5 letters from
last name and one letter from first name.
3) Projects at the company, company names, departments, abbreviations on
these.
4) Go through the generic username list that often have [NULL] or easily
guessed passwords: [guest, temp, info, help, intro, aid, test, demo,
visitor]
INCORRECT USERNAME?
~~~~~~~~~~~~~~~~~~~
Systems such as UNIX and VAX/VMS will not tell you if you have entered an
incorrect login/username, they will go through the entire login sequence
before telling you if you have stuffed it or not. However, there are a
number of systems out there that *will* tell you if you have entered an
incorrect username, for example the HP3000 will tell you just what is
wrong about the authentication you have given it. Exploit these systems.
PASSWORDS
~~~~~~~~~
1) Use known defaults/backdoors. I have included some of the more prolific
of these in the Systems Catalogue chapter and I have included some
resources to obtain some more at the end of this file. You might also want
to start your own collection empirically and by noting down common
accounts you find when you enter a system (ie. by cat /etc/passwd & show
users etc.)
2) Anything in the herald. Variations and combinations of this.
3) Same as account name. The classic example l: joe p: joe. If it is a
large system with hundreds of users, there is bound to be at least one
of these guys. On a VMS it is especially easy to set Password to same
as Username.
4) Account names spelled backwards. Variations on the account name.
mix account name with herald information etc.
5) The ever common list :
[x25, x29, c, qwerty, asdfgh, hello, computer, secret, password,
whatever, open, access, fuckyou, account, please, work]
You may as well try 'sex' & 'love' while you're at it. I doubt it would be
productive to take a leaf out of the movie 'Hackers' book and try 'god'.
That only used to be popular because there was this big joke about how
root=god. Try to think like a person who has an account on this system.
6) Basic Names : A LOT of people use their wives', children's,
girlfriend's, pet's names etc. as their passwords. I reckon some
obsessive compulsive office geeks even feel guilty if they don't. It's
like associating your secret with someone you can trust - although it
doesn't really work like that.
7) yes, no, y, n : Some people are completely clueless. Once, shoulder
surfing at my uni, some guy kept typing in 'n' as his password. I guess
he didn't want one ...
8) Other common choices : Basic Animals (dog, tiger etc.), Sports teams,
Music groups, Automobiles (holden, impreza etc.), sports/acting stars
(jordan etc.)
9) Geographical Locations : The name of the city the system is in etc.
10) Things to do with what you think the system is, what it is used for.
11) Name of the X.25 Network (ie. austpac)
12) Projects at the company you know of, Products of the company.
13) Abbreviations and variations of the company name.
14) Single Letters : a,b,c etc. (There's 26 of them!)
15) Following patterns : Default passwords, People using the same password
on this system as they do on another, Account/Password combinations
from related networks that have appeared more than once - possibly
used for a particular sysadmin function - I just explained how the
WANK worm hacked into computers.
16) Common SNMP community names : [public, private, secret, world, read,
network, community, write, all private, admin, default, password, monitor,
manager, security.]
17) Remember to try [NULL] passwords with every login you try. Some systems
will just drop you in if the password is null, but there will be those
that don't.
TYPE OF PASSWORD
~~~~~~~~~~~~~~~~
Just a note here: only if the password is known by one person is it likely to
be something personal or to do with personal tastes. If it is used by a group
of people, it will be more 'technical' or something common to all of them.
Remember this if you have prior information or you are trying to access a
particular kind of account.
AUTOMATED BRUTE FORCING
~~~~~~~~~~~~~~~~~~~~~~~
The same scripting techniques for automating scanning apply to automating
brute force password cracking. Plug in your defaults list first, then your
list of common passwords vs usernames. Make sure your brute forcer
accommodates that system's login format. Basically you need to make a couple
of lists. Have a list of common passwords and several lists of defaults for
systems. Order their usage so the most likely gets tried first. You may have
to alternate between the above username methods to get the best order. It's fun
to make your own 'artificially intelligent' brute forcing app. For probably
the best list of defaults out there, try NEOPHYTE'S GUIDE TO HACKING - By
Deicide.
SAFETY
~~~~~~
If a sysadmin spots 1000 failed login attempts there is only one possible
explanation. If you have been at it for hours and failed, he will know
someone is trying to come in. If you do get in, clean up the logs
immediately so that there is no trace of this activity. Also, try to use
methods that make it hard for you to be traced when going on a lengthy
brute force excursion.
-------------------------------------
/// 11. OTHER X.25 HACKING METHODS \\\
---------------------------------------
SOCIAL ENGINEERING
~~~~~~~~~~~~~~~~~~
I don't think this is cheating, a hacker uses ANY method he can to get
into a system. One of his primary assets is lateral and out-of-the-box
thinking. You may learn some things once you get in that allow you to get
in using a more conventional method next time.
Social engineering can be done by email or by long distance telephone call
and is just about the only real world technique that can be used if the
system is not local. The idea is talking them into doing something that will
grant you access. It is often better to ask them to change the password of
an account, rather than tell you it. This method is less suspicious and a lot
of the time, only the owner of the account can tell you the password due to
encryption.
Another thing that is worth a try is asking them for 'legitimate' access by
posing as a student or researcher. You can then become firmly entrenched in
the system with Sysadmin privileges before they know it. Even if you have to
pay initially, it could be worth it.
ATTACK RELATED SYSTEM
~~~~~~~~~~~~~~~~~~~~~
If you're having trouble with one system, try hacking a related system,
things discovered there might lead you in to the system you want to get
into. This is especially true of systems that are on a port or mnemonic of
this system's NUA.
ATTACK THE SERVICING ROUTER
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Often, these can be really easy to get into. If the system you want access
to uses two-factor authentication for example, then the best way to approach
the problem would be by hacking the router. As you know, Cisco routers can be
quite commonly encountered on X.25 and these techniques can then be used to
get into more and more systems once into a router that you randomly
encountered as well as ones you deliberately attack. A lot of technical
methods can be used to get into serviced systems from a router and I
will go through them briefly here.
- Eavesdrop on traffic (ie. passwords.)
- Redirect network traffic and set up a 'decoy' login screen to get their
authentication details. You can even perform a 'man in the middle' attack
using this method, by reading off the challenge from the actual login
screen, you can get the correct response out of your unsuspecting victim.
- It may also be possible to perform a "session hijacking" attack, similar
to those done on TCP/IP routers (See programs like Juggernaut and Hunt.)
Even though nothing has yet been developed, my opinion is that it would
be even easier over X.25 than over TCP/IP and would be *very* compromising
to security.
- Finally, it may be possible to perform similar attacks over a Gandalf
XMUX or other network services.
MAIL OVER X.25
~~~~~~~~~~~~~~
There are many sites on X.25 that provide mailing services. Basically, the
users either log in to the site to get their mail, their system logs in
periodically and downloads their mail, or their system has an account which
the mail site logs into to upload their mail periodically. If you can gain
access to this site, you can try to gain access to people's mail. Mail is
notorious for transmitting passwords, "Hey Joe, while I'm away, use my
account. The password is ..." This kind of mail system could be a public
system used X.25 network wide, or a corporate system, servicing only a few
systems on the X.25 net.
Password switching within the system/LAN is a simple affair as opposed to
this and so you can read through that mail to see if they've gone and
transmitted details for higher level accounts, or accounts on other systems.
There are many different protocols used for mail on X.25, but a common one
is UUCP. The thing about UUCP is that it requires an account on the receiving
system to work. Basically, one system logs into the UUCP or NUUCP account on
the other system and transfers files, like mail. Have a look through the
system's UUCP scripts when you get in because they will have account details
and passwords for their contact systems. Once, I found a system that mails
its logs to other systems over X.25 by UUCP. That's the definition of an
oxymoron.
You may also come across SMTP servers out there. Basically, the way you
use them over X.25 is the same way you would if you were telnetted into one
over the internet.
TRICKS AND TROJANS
~~~~~~~~~~~~~~~~~~
These are the more unconventional methods that are basically timeless and
exploit the human element of security by trickery whilst using a computer.
- Email them a trojan. I refer you to zipped_files.exe from spring '99.
Although not used over X.25 it shows how an attack of this kind can be
especially devastating to even the most 'secure' of security.
- Have users sign up for another system with a Username and Password of
their choice. They may use the same ones on 'your' system as theirs. Mail
them about it if you can.
PRIOR KNOWLEDGE
~~~~~~~~~~~~~~~
I have geared this file towards hacking using a computer and initially knowing
very little about the target system. However, if you have been in the system
before, or know things about the system/users - a whole new range of techniques
become available. For example, knowing contact telephone numbers opens up
social engineering, knowledge of products etc. gives password guessing options.
This is why it's important to swipe significant info from systems you get into
and intend to stay in.
------------------------
/// 12. GENERAL SAFETY \\\
--------------------------
GETTING BACK TO P.O.T.S.
~~~~~~~~~~~~~~~~~~~~~~~~
This is where it starts. If they trace you from your PAD or dialup
access point, then the Plain Old Telephone System is where you have to
hide. Here are some techniques for doing this:
1. Someone else's phone line. This can be accomplished by using a
diverter, pit or can, or just using your neighbour's phone line.
There are a few ethical implications with this and you also don't
want to be discovered because of an anomaly in someone's phone bill.
So, use 1800 dialups, or just once in a while for other dialups.
Also, you can use a payphone's line, a business line, or a line in
a high asshole area, where everyone can afford the calls and then
some.
2. Use diverting to avoid ANI. Diverting your phone to the number you
wish to call and then ringing yourself will stop ANI, also diverting
someone else's number and ringing them will do it as well. This was
explained in Infosurge Ezine #1 - Defeating ANI by phase5.
3. Don't start a hack from a dial-up server if you're dialed in from
home. You can erase the logs of your times, modems etc. of calling,
but in this case, they can just get traces on their dial-in lines
and look for out-of-place numbers. You can't erase the phone
companies' logs so easily.
4. Go cellular as soon as possible. If you're calling from a cloned
cellular, it is convenient and the only way they can trace you is
by direction finding while you're on-line.
LOG DOCTORING
~~~~~~~~~~~~~
When you get into a system, your originating NUA will likely be
recorded somewhere within. In order to avoid being traced back to that
NUA, you have to alter the logs so that they no longer show where you
came from.
Log doctoring also serves a second purpose, it prevents them from
realising they have an intruder in their system and implementing trace
procedures.
In the Systems Catalogue Chapter, I have included some information on
logs of different systems.
USING A LAUNCHPAD/BACKUP SYSTEM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A launchpad/backup system is one that you route through on your way
to another system. It is a system that you can confidently alter the
logs in, so that if you fail to alter the logs in the next system, they
can't trace you further than your launchpad system.
A good launchpad system is a low security site, with dumb and lazy
sysadmins, one in which the logs are easily altered. (probably a UNIX,
hehe.)
You don't just have to use one launchpad system. The more systems you
route through after altering their logs the better. Just in case you
slip up somewhere, or they trace you somehow anyway.
Routing through overseas systems can provide a nice amount of red tape
for them to get through in order to trace you.
You can also route through a launchpad system if the system you wish
to enter mails its logs to other systems (hence you can't erase them so
easily.)
Generally, before you have a launchpad system, you should hack from a
disguised POTS location as per the first section.
HACKING WITH STEALTH
~~~~~~~~~~~~~~~~~~~~
If you don't get noticed, they don't know to trace you. So, you go to
great lengths to hide your presence from the sysadmins. In most hacking
files, you may notice that ethics & safety come under the same section.
This is because doing things like damaging a system will get you
noticed in a big way. Personally, I couldn't give a fuck what you do
out there, but know that if they didn't have a reason to trace you
before you damaged a system, they definitely would after.
SYSADMINS & TRACING YOU
~~~~~~~~~~~~~~~~~~~~~~~
They can wait on a system for you to log in, and when you do, grab
your originating NUA from the logs before you can remove it.
Read through their mail when you come to visit, to see if they are on
to you.
Getting traced to a launchpad because you failed to alter the logs in
the next system, means that the sysadmins of the launchpad may get
alerted to your presence there by mail from the other sysadmins.
(Although, they may not be able to find out that system's mail address and
would have to go through the rigamarole of contacting the X.25 provider.)
Generally, if the sysadmins realise they have a hacker, you should get
out immediately, without further action. You could massively increase
your security, but it is still a great risk if you stay.
DEFEATING DATATAPS
~~~~~~~~~~~~~~~~~~
If you get traced, and the FEDs really want to bust your ass they
will set up a datatap on your line. Here are some notes about ideas
I've had about defeating them. No apologies for the irrelevance of this
section - I like it.
Encrypt your live data. This can be done by making up an encryption
program, installing the Server on your remote launchpad system and the
Client on your home computer. That way, everything between your home
computer and your launchpad is encrypted. Any datatap on your phone
line will pick up jack.
Because actual wiretap like interception of modern modem transmissions
can be extremely difficult, a common technique used by the FEDs is to
interpose two modems with your phone line and have a computer relaying
the data between them and copying it off at the same time. This throws
the telephone line voltages way off. You can check your line voltages
with a multimeter. On-hook it should be around 48-52VDC and off-hook
it should be around 8-12VDC. An actual wiretap like intercept is much
harder to detect, but you can still do it. If you are interested in this
kind of Technical Surveillance Countermeasures, then consult a book
like : Wiretap Detection Techniques - By Theodore N. Swift.
---------------------------
/// 13. SYSTEMS CATALOGUE \\\
-----------------------------
This is a catalogue of different systems you can come across on X.25
networks. All of these are present on Austpac in particular. I will start
with the system banner to show you the herald, prompts and error messages
you can expect from individual systems in order to show you how they can be
readily identified. I will then identify the system and show you some tricks
for getting into each system as well as defaults, safety and other
information. This is not a complete list (I don't think anyone could ever
make one) it is my current primary collection. There are heaps more out there
and even some that are unidentified by anyone.
Username:
Password:
User authorisation failure
System: VAX/VMS
Banner variations: A herald may be put above the prompt, for example:
Warning - Unauthorised access prohibited
Ignore this unless it contains useful information.
Ways to check for
this system: Put a ',' for the username and you will get an error
message.
[^Z] Will get you disconnected.
Login format: Alphanumeric
Defaults: Username Password
~~~~~~~~ ~~~~~~~~
FIELD SERVICE
SYSTEST UETP
SYSTEM OPERATOR
MANAGER
SYSTEM
SYSLIB
SYSMAINT SERVICE
SYSMAINT
DIGITAL
Safety/logs: To check if logging exists
$ ACCOUNTING/PSI5
$ TRACE ANALYSE
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
login:
Password:
Login incorrect
login:
System: Standard UNIX.
Banner Variations: A herald can be put at the top and the login: can be
preceded by certain characters, for example:
ttys034 login:
Login Format: Any characters.
Defaults: login Password
~~~~~ ~~~~~~~~
uucp uucp
nuucp nuucp
sys sys
bin bin
adm adm
lp lp
root root
rje rje
daemon daemon
Safety/Logs: Look through syslog.conf file for information on logs kept.
Browse /var/adm/ directory for logs.
Browse /var/log/ directory for logs.
Notes: Insecure on the inside, reasonably secure on the outside. The main
weaknesses would be a result of its functionality.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
UNIX FLAVOURS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To give you an idea of some variations the
standard UNIX prompt may take when given out by a
separate distribution of UNIX & also to make sure
you don't think they are something else, I have
compiled the following list. This also contains
some other information on these specific
distributions. This is not a complete list and
there are further variations on even these.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SunLink X.29 Terminal Service
login:
System: Sun Solaris
Banner variations: I believe the SunLink may be taken out, however this
may denote a different type of UNIX. You may also
get this banner:
Solstice X.29 Terminal Service
login:
This is Sun Solaris as well, just a
different X.29 OSI.
Defaults: UNIX defaults
Safety/logs: /var/adm/loginlog
/var/adm/messages
/var/adm/x29serverlog
/usr/temp/x29userlog
Links: http://www.sun.com
http://www.tcgtech.com/external_documents/x25/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IRIX ([possibly node name or IP])
login:
Password:
UX:login: ERROR: Login incorrect
System: SGI IRIX
Banner variations: May be node name or IP address in brackets after
IRIX
Defaults: UNIX defaults, but shipped with guest as default
Bugs: guest account.
Very interesting bug. for login put : ../../../etc/[something]
You have now created an /etc/[something] it is because the
LOCKOUT feature (which can lock you out after x tries on a login
name) writes bad login information to /var/adm/badlogin.
Safety/logs: /var/adm/badlogin - will need to erase info that got put
in here, particularly the results of your brute forcing.
If LOCKOUT is not enabled you needn't worry about this.
Links: http://oliver.efri.hr/~crv/security/bugs/IRIX/login.html
- details on the login bug
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Welcome to SCO UNIX System V/386 Release 3.2
X25!login:
System: SCO UNIX
Banner variations: Often, more is added to the herald. The X25! can
also be removed from the prompt, but this is a good
example of one of these types of standard UNIX
prompt variations.
Defaults: UNIX defaults
Safety/logs: ~/.lastlogin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IBM AIX Version 3 for RISC System/6000
login:
System: AIX
Banner variations: Text and numbers put at start and on end of herald.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DRS/NX 6000 SVR4 Version 7
login:
System: DRS/NX
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
User Access Verification
Password:
Password:
Password:
% Bad passwords
System: CISCO Router
Banner variations: I have only ever seen this banner in this format
although another possible CISCO banner is :
[node name]>
Login format: Alphanumeric
Defaults: Password
~~~~~~~~
cisco
cisco router
c
public
private
Bugs: Only requires password for authentication
Massive security hole in itself
Uses the community names for passwords which makes defaults and
easily guessed passwords common.
Notes: Can use these to set up sniffers, gather information, redirect
network traffic, basically OWN the network it services. Knowing
X.25, it will probably be controlling some weird-ass network
that would be totally fun to explore.
Links: http://www.cisco.com
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
MPE:
EXPECTED A :HELLO COMMAND (CIERR 6057)
MPE:
EXPECTED [SESSION NAME,]USER.ACCT[,GROUP] (CIERR 1424)
MPE: HELLO FIELD.SUPPORT
Password =
System: Hewlett Packard MPE/iX
Banner variations: There will always be a : as the prompt, however anything
can be put before it. Things to do with HP, MPE , iX etc.
are the most popular but I have also seen [node name]:
Ways to check for
this system: Put garbage at the login prompt and you will get the
EXPECTED A :HELLO COMMAND (CIERR 6057) error message, or
something similar.
Login format: The HP has got to have THE most unintuitive login format I have
ever seen. In recent versions they have tried to make it a bit
better, but it's still pretty confusing. The format is commonly
HELLO USER.ACCOUNT (ie. HELLO FIELD.SERVICE) Note the use of
HELLO before the login information. If that doesn't work, try
adding a GROUP onto the end so HELLO USER.ACCOUNT,GROUP
(ie. HELLO FIELD.SERVICE,PUB)
Defaults: HELLO Password
~~~~~ ~~~~~~~~
MGR.TELESUP hponly
MGR.SYS lotus
FIELD.SUPPORT hpword
telesup
Bugs: It will tell you exactly what is wrong with your authentication, be
it the username is wrong, the account, or it needs a group (not in
home group) etc. Generally the password prompt only comes up when
you have entered correct login information.
Safety/logs: At sysgen> prompt, type log You will then get a log>
prompt. Here, type c or cl to clear the log.
Links: http://docs.hp.com/dynaweb/smpe/b1017/@Generic__CollectionView/
- Official Hewlett Packard manuals, including manuals about
security!
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
@ Userid:
Password?
Login incorrect
System: Shiva LANRover
Banner variations: I have only ever seen this banner
Login format: Alphanumeric
Defaults: Userid Password
~~~~~~ ~~~~~~~~
Guest [NULL]
root [NULL]
Bugs: Guest and root accounts are backdoors of sorts. They do not show
up in the userlist and so are often missed by the sysadmin.
Safety/logs: type: clear log to erase the audit log.
Notes:
Links: http://www.shiva.com
http://www.b4b0.org
- #7 of their ezine has an article on hacking Shiva.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Password >
Gandalf [System Name]
Rev A1 Primary Console Menu [date]
Node: [nodename] [time]
Primary Menu
...
System: Gandalf XMUX
Banner variations: The Password > prompt is when the console is
passworded, this can have a herald above it. Note
that I have put the XMUX console prompt below it.
This is because often you will just be dropped
straight into the console. After you have entered the
password, this is the prompt you will get.
Login format: 1 to 8 alphanumeric characters.
Defaults: Password
~~~~~~~~
gandalf
xmux
console
system
password
sys
mux
xmux1
Bugs: Often unpassworded
Only requires a password for authentication
Safety/logs: All connections (with NUAs) recorded in the LOGGER
Notes: Very curious systems. Have encountered them frequently on Austpac. I
believe the XMUX stands for something like X.25 Multiplexer. Used for
system maintenance and channel control etc. The menu is user friendly,
however they are powerful systems. You can read more about them in
NEOPHYTE'S GUIDE TO HACKING - By Deicide and also Guide To Gandalf
XMUXs - By Deicide.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
UserID?
Password?
System: IBM AS/400
What can/can't be changed: A herald can be put above the prompt.
Login format: Alphanumeric
Defaults: UserID Password
~~~~~~ ~~~~~~~~
qsecofr qsecofr
qsysopr qsysopr
qpgmr qpgmr
Bugs:
Safety/logs:
Notes: See alt.2600 hack faq for more defaults
Links: http://www.as400.IBM.com
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
TELSTRA SYSTEMS
~~~~~~~~~~~~~~~
What would a file on Austpac be without some information on systems used
by the people that run it - Telstra.
GROUPS UserID
~~~~~~ ~~~~~~
INSTALLER STARTUP
NMG
NSS
EMG
COC
MONITOR
Oh yeah, I don't know what OS these are for, but it looks like HP to me,
but then again, it's on X.25 so, who knows?
UNRESPONSIVE SYSTEMS
~~~~~~~~~~~~~~~~~~~~
Sometimes, you'll connect to a system, it says it has connected, but it's
just sitting there, a blank screen doing fuck all. You can try 'nudging' it
into action. Hit [ENTER] a few times, try some [CTRL-CHARS] particularly
[^C] and [^Z] and try [^A] a few times. Often this will wake up the system
and bring up the system login prompt.
--------------------------------
/// 14. CONCLUSION & RESOURCES \\\
----------------------------------
Well, that's the culmination of 6 months worth of research. Maybe in another 6
months I'll decide that this file sucks and make a version 3. I'm already
finding new information. Anyway, now you've had fun reading the file, it's time
to get into the REAL fun. USING what you've learned. Go out and do some
exploring. I wanted you to do this, that's why I went into so much detail about
safety. You've got all the information you need to get started and to obtain
more advanced info you have to go out and GET it yourself. It's out there,
waiting to be set free. And remember, we need more mentors (Some fucking
mentor I am anyway ;). Help others like I helped you because it's the hacker
way. :)
- Epic Target 26/9/99 --> Version 2 18/4/00
Shouts to the following in no particular order : VX0MEG, JesteR-, phase5,
Lirik, Vorper7, Johnson, Jestar, The Czar, Resc1440, Concat, Phunki.
RESOURCES
~~~~~~~~~
Here are some files and books I recommend that you read if you wish
more information. Some of them are about hacking on an X.25 network,
others are about covering your tracks and others are about what to do
once you are inside the system.
General X.25 Hacking
o Out Of The Inner Circle - By Bill Landreth (Book)
o The Cuckoo's Egg - By Clifford "Cliffy Boy" Stoll (Book)
o Underground - By Suelette Dreyfus (Book)
o McGraw Hill Internetworking Handbook (Book)
o Accessing Telecom Australia's AUSTPAC service - By Softbeard
o A Novice's Guide To Hacking - By The Mentor
o The Beginner's Guide To Hacking On Datapac - By The Lost Avenger
And UPI
o The Force Files - By The Force
o NEOPHYTE'S GUIDE TO HACKING (1993 Edition) - By Deicide
o Infosurge Ezine #1 : Social Engineering - By The Czar
o Austpac.notes - by Vorper VII
o Globetrotter Ezine - By The Force
o An Introduction To Packet Switched Networks Parts I and II -
Telecom Security Bulletin File - Written By Blade Runner
o The Alt.2600 Hack FAQ - By Simple Nomad
Specific Systems
o Hacking UNIX Tutorial - By Sir Hackalot
o RIM Remote System - Neurocactus Ezine
o Advanced Hacking VAX's VMS - By Lex Luthor
o Guide to Gandalf XMUXs - By Deicide
o B4B0 Ezine #7 : Hacking The Shiva LAN-Rover - By Hybrid
o The Complete Hewlett Packard 3000 Hacker's Guide - By AXIS
o X.25 And LAPB Commands For Cisco Routers
Safety
o Pitting - Neurocactus Ezine
o SS7 Based Diverter - Phrack 50 File 9 Of 16
o Insider Ezine #1 : Safer Boxing Using The RJ31X jack - By
VX0MEG
o Infosurge Ezine #1 : Defeating ANI - By phase5
o Wiretap Detection Techniques - By Theodore N Swift (Book)
o X.25 Tracing For Internet Users - Dennis Jackson (JANET -
CERT Coordinator)
RFCs
o RFC 874 - A Critique Of X.25
o RFC 877 - Standard For Transmission Of IP Datagrams Over Public Data
Networks
o RFC 1356 - Multiprotocol Interconnect On X.25 And ISDN In The Packet
Mode
o RFC 1090 - SMTP On X.25
o RFC 1381 - SNMP MIB Extension For X.25 LAPB
o RFC 1382 - SNMP MIB Extension For The X.25 Packet Layer
o RFC 1461 - SNMP MIB Extensions For Multiprotocol Interconnect Over X.25
Links
http://charisma.rendrag.net/phorum/
- X.25 Forum run by the Australian Hacker Jestar. I can be contacted here
under the handle Marlinspike. Anyway, I'll try to answer any questions you have
if you post there. Err ... also post some good info there.
http://qwerty.nanko.ru/x25/
- Very good archive of X.25 files. A lot of the files mentioned here can be
found there.
http://www.microtronix.com
- Makers of the X-Span X.25 Router and the MicroNODE. They have some X.25
tutorials and an X.25 glossary.
http://www.yankeegroup.com
- Data Communications researchers. The Yankee Group Reports often have some
good information. Check your local library for hardcopies of Yankee Group
Reports.
........[ file access in php ]..........................[ jestar ]............
_____________________________
What am I on about?
Ok. For those of you who have no idea what I am on about, PHP3 is a
server-side scripting language for making dynamically generated
websites. For some more in depth background about it see
www.php3.com or my introductory article in one of the previous
infosurges (no 2 if memory serves correctly). A little more background
for this article would have to address the file access I am going to
cover. Basically, I am talking about accessing various lines within
a plain ascii text file. The example will be the 8ball of doom, which
will be included on the upcoming redesign of http://charisma.rendrag.net/
The full script for it is included at the end of this article, and it's
a rather short and easy to understand script.
_____________________________
File access commands
To access the contents of a file you must first set a variable that
points to the opened file, this is done using a variable as usual and
giving it the value of file(filename.txt) where filename.txt is the file
you wish to access. The whole line would look something like this:
$penii = file("filename.txt");
Notice the semicolon which is required. You also may notice the variable
is named after a part of the anatomy not usually used in polite conversation,
my code is rated MA15+, if you don't approve, get over it. If you are opening
the file inside a function (and you should be) it will probably be better to
not hardcode the filename in, but rather to pass it to the function. To
do this you would say you want an argument from the function, and give it
a name. ie:
function fileaccess($filename)
{
    // $filename is supplied by the caller; the function body goes here
}
If you do this, you could then open the file with this command:
$penii = file($filename.".txt");
The . is used to join two strings into one. So now to open this file from
a script to access the file joe.txt you would put:
<?php fileaccess("joe"); ?>
Simple? I thought so. So now you are probably wondering what $penii contains?
Well it contains an array of strings, each string being one line from
the file you just opened, so $penii[0] may be something like:
"hello my name is lymcos mum, how may i service you this
evening?"
If you wanted to include this on your page you would simply:
<?php echo($penii[0]); ?>
Easy stuff. That should give you pretty much all the idea you need to
get started with simple file access stuff, if you get stuck as always
there is a very good reference manual at www.php3.com which should help
you out, or you could drop into #Phreak at austnet and try and catch me
or someone else there who can help.
_______________________________
The example
<?php
function ballQuote($quotefile)
{
    $file = file($quotefile.".txt");      // one array element per line of the file
    $lines = count($file);                // how many lines the file has right now
    srand((double)microtime()*1000000);   // seed the random number generator
    $randomnum = rand(0, $lines-1);       // array indices run from 0 to $lines-1
    echo($file[$randomnum]);              // print the randomly chosen line
}
?>
Just a few notes on that code, I was making a magic 8 ball, so it needed
to pick a quote at random, which meant I needed to know how many lines
were in the file at any time, and then to pick one of them at random.
count() is used to count the number of lines in a text file and srand()
is for seeding the random number generator, I have used the computer's
current time, multiplied by 1 million for the seed, which seems to work
pretty well (assuming you have a decent number of lines in your text
file) the echo just replaces the line number with the variable which
contains the random number that was just generated.
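As an added example (not jestar's code), here is the same random-line lookup with the checks a reviewer would want before letting a caller pick the file name: a whitelist on the name, a realpath containment check, and handling of a missing or empty file. It assumes PHP 7.1 or later and a hypothetical quotes directory QUOTE_DIR next to the script; the quote file written by the demo is constructed.

```php
<?php
// Added example (not jestar's code). Assumes PHP 7.1+ and a hypothetical
// quotes directory QUOTE_DIR holding files such as joe.txt.

const QUOTE_DIR = __DIR__ . '/quotes';   // assumed location of the .txt files

// Accept only a bare name like "joe": no slashes, dots or spaces, so the
// caller cannot steer file() to anything outside QUOTE_DIR.
function isSafeQuoteName(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,32}$/', $name) === 1;
}

// Return one random non-empty line from QUOTE_DIR/<name>.txt, or null when
// the name is rejected, the file is missing, or it has no usable lines.
function ballQuote(string $name): ?string
{
    if (!isSafeQuoteName($name)) {
        return null;
    }
    $base = realpath(QUOTE_DIR);
    $real = realpath(QUOTE_DIR . '/' . $name . '.txt');
    // Belt and braces: the resolved file must still sit inside the
    // resolved quotes directory (catches symlinks dropped into it).
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // file() returns one element per line. FILE_IGNORE_NEW_LINES drops the
    // trailing "\n" that the original example echoed with the quote, and
    // FILE_SKIP_EMPTY_LINES drops blank lines (it only works together with
    // FILE_IGNORE_NEW_LINES).
    $lines = file($real, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false || count($lines) === 0) {
        return null;
    }
    // Indices run 0..count-1, so the first line is eligible too.
    // random_int() is a CSPRNG, so no srand() seeding is needed.
    return $lines[random_int(0, count($lines) - 1)];
}

// Constructed demo: write a three-quote file, then draw from it.
if (!is_dir(QUOTE_DIR)) {
    mkdir(QUOTE_DIR, 0755, true);
}
file_put_contents(QUOTE_DIR . '/joe.txt',
    "Outlook good\nAsk again later\n\nReply hazy, try again\n");

var_dump(ballQuote('joe'));       // string: one of the three quotes
var_dump(ballQuote('../joe'));    // NULL: rejected by the name check
var_dump(ballQuote('nobody'));    // NULL: no such file
```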
_______________________________
Closing..
Yeah, this is a pretty simple technique but to do anything major with
php you really need to be able to do this stuff, using this I have
written this 8ball, a quotes reader and also a news posting system
with basic user/pass protection (reading from profile files) so don't
think that this is useless.
Jestar - 2000
........[ Basic HTTP authentication ]....................[ aphex ]............
If you have ever had an experience where your browser has popped up a window
containing a message something to the effect of...
Username and Password Required
Enter username for secret-kiddie-pr0n at http://asio.gov.au/secrets/pr0n
... then you have come into contact with a server that uses HTTP Basic
Authentication. This is probably the most common method of protecting access
to non-public documents on webservers and works exactly the same way on all
webservers. Just make sure not to get confused between this and other fake
"authentication" systems like Javascripts that go
to whatever directory is given to them as a password.
Basically, we know a server is using this scheme if we get an HTTP 401 error
when we give the wrong password, or don't supply one. So if when trying to
access http://asio.gov.au/secrets/pr0n you get an error 401 you know you
need a l/p to access it. Okay, so we know we can't access asio's dirty
kiddie porn archive. But if we could, what would the request look like?
GET /secrets/pr0n HTTP/1.1
Authorization: Basic mNsJQw2jAJDSlDsdsh==
So should we pick this up in our sniffer logs, it's useless, because it's encrypted
right? Errr... Nope. That's Base64 encoding, not encryption, duh. All we
need to do to decode this is a little bit of perl like this...
use MIME::Base64;
print decode_base64("mNsJQw2jAJDSlDsdsh==");
Oh, and if ya don't have the MIME::Base64 module you can download it from
http://www.perl.com/CPAN - it's used for e-mail handling stuff, but can prove
useful for causes such as this one. :) Anyway, when decoding that we see it
really said "gay.user:eyeyamsoleet" - that being the username, followed by a
colon, and then password. In plain text.
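To make the point concrete, here is an added example in PHP (not aphex's code, and separate from the Perl one-liner above) that builds a Basic header value and takes it apart again; the credentials in it are constructed. The parser matches the scheme name case-insensitively, decodes strictly, and splits on the first colon only, since a password may itself contain colons.

```php
<?php
// Added example (not aphex's code). Credentials below are constructed.

// Build the header value the browser sends: "Basic " + base64(user:pass).
function basicAuthHeader(string $user, string $pass): string
{
    return 'Basic ' . base64_encode($user . ':' . $pass);
}

// Parse a header value back into [user, pass], or null if it is not a
// well-formed Basic credential. The scheme name is case-insensitive, and
// the split is on the FIRST colon only: a user-id may not contain a colon,
// but a password may.
function parseBasicAuth(string $headerValue): ?array
{
    if (!preg_match('/^\s*Basic\s+([A-Za-z0-9+\/=]+)\s*$/i', $headerValue, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);   // strict: reject stray characters
    if ($decoded === false) {
        return null;
    }
    $colon = strpos($decoded, ':');
    if ($colon === false) {
        return null;                         // no separator: malformed
    }
    return [substr($decoded, 0, $colon), substr($decoded, $colon + 1)];
}

// Demo: the "encrypted-looking" string is only an encoding and round-trips.
$header = basicAuthHeader('alice', 's3cret');
var_dump($header);                                          // "Basic YWxpY2U6czNjcmV0"
var_dump(parseBasicAuth($header));                          // ["alice", "s3cret"]
var_dump(parseBasicAuth(basicAuthHeader('bob', 'pa:ss')));  // ["bob", "pa:ss"]
var_dump(parseBasicAuth('Bearer abc'));                     // NULL: not the Basic scheme
var_dump(parseBasicAuth('Basic not*base64'));               // NULL: not valid base64
```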
So we know that HTTP Basic Authentication offers no real security, but perhaps
we want to implement it for something which a fairly low amount of security
will do for, or for something to do on a rainy day just to see how it's done.
So this is how to set it up under Apache...
First off, we need to create a password file. We do that using the htpasswd
command, which needs the first username along with the -c flag, like so...
[aphex@asio]# htpasswd -c /etc/httpd/conf/passwords gay.user
We then add further users to it without -c (which would overwrite the file) like so...
[aphex@asio]# htpasswd /etc/httpd/conf/passwords dirtyoldguy
Each time you will be prompted to enter the chosen password for that user twice,
and the results will be stored in /etc/httpd/conf/passwords like so...
gay.user:tM0.PnhfVy76k
Btw, in case ya can't see - that's a DES-based crypt() hash over there. That file is also
world readable, so it may cause you a bit of hassle if you don't set up Basic
HTTP Authentication correctly. What I mean by that is make sure there are *no*
common passwords, and preferably, no common usernames either between these
users and people with shell accounts, access to your FTP daemon etc.
Anyway, so we now have a password file, and we need to set up the directory to
protect. So we add lines like these to /etc/httpd/conf/srm.conf, inside a
<Directory> block for the directory being protected (or in that directory's
.htaccess file):
AuthType Basic
AuthName secret-kiddie-pr0n
AuthUserFile /etc/httpd/conf/passwords
require valid-user
The AuthName is usually the name of the site you are trying to access. AuthType
is Basic (as opposed to other, more secure authentication methods like "Digest"
which are great but haven't been implemented by any browsers yet.)
AuthUserFile is where our passwd file is.
And instead of "require valid-user", we could limit access to this directory
to only certain users in the passwd file. So in a passwd file containing
gay.user, dirtyoldguy, warez.mastah and rogery, we could say...
require gay.user dirtyoldguy rogery
I would include how to do this under IIS5 as well but I don't know how to, and I
don't have NT.
Anyway, that was, in a nutshell, HTTP Basic Authentication, why it sucks,
and how you can have it if you want it anyway. Hope it was of some use to you...
........[ TCL ]..........................................[ lymco ]............
Intro to TCL - lymco
shouts;
#phreak, #bsd, #ozsecurity - austnet
kertiz, zerologikz, box, dogg, spinout - icq
TCL (tick-el) noun: An exciting development programming language in the UNIX world (*g*)
TCL standing for: Tool Command Language.
Intro:
While reading through a Unix programming book (Beginning Linux
Programming), I discovered a sweet tutorial on TCL. However, when a friend
tried to understand the concepts, he could not follow. After re-explaining
sections, and giving some advice he picked up this powerful scripting
language without any troubles.
To view, yet understand this tutorial, you need clue libraries installed;
perhaps some unix technique would be appreciated. If you lack these, either
learn, or download some skills at skillz.tucows.com.
[ Index ]
1. Our First Program
2. Variables
3. Quoting
4. Maths, etc
5. Controls, Loops
6. Outro
Article Key:
$ : Prompt of a user in the shell, ie: [wang@localhost etc]$
% : Tcl Shell Prompt
<< : Commands/Code will follow this line
>> : Commands/Code end before this line
[ Our First Program ]
Well to keep tradition, lets write our wonderful 'Hello World' program,
world.tcl.
Here's the source:
<<
#!/usr/bin/tclsh
puts "Hello World"
>>
Save that as world.tcl.
Well that was rather quick and simple right? Tcl programs are often referred
to as scripts since Tcl is an interpreted language. These scripts are executed
by a shell, named 'tclsh'.
Now, lets run our Hello World script by using tclsh.
Note: you will need read permission.
<<
$ tclsh world.tcl
Hello World
$
>>
Okay, that was very basic. I assure you, you will not jizz in your pants while
reading this, but it can get pretty cool while you explore new programming
languages.
Like other languages, you can run the core language shell, in this case, tclsh
and you can execute Tcl commands directly. Funky shit.
Try as follows:
<<
$ tclsh
% set s "Blah"
Blah
% puts $s
Blah
>>
See how tclsh gives us a % prompt, and it executes commands as they are
input. We can use the source command to make tclsh take commands from a file.
Let's try again:
<<
% source world.tcl
Hello World
% exit
$
>>
The 'exit' command exits the tclsh shell, and returns back into the bash/unix
shell. We can turn our script into a Unix program by specifying the
interpreter to use on the first line.
Try the following, save as world2.tcl:
<<
#!/usr/bin/tclsh
set s "Hello World Again?!"
puts $s
>>
Wait a minute, I think I have seen that sort of thing before? If you are
familiar with Perl, etc. it works exactly the same way. Note that not all boxes
will have tclsh located in /usr/bin, but generally they do, although the
location can vary between systems. If you are uncertain try: 'whereis tclsh'.
<<
$ chmod +x world2.tcl
$ ./world2.tcl
Hello World Again?!
$
>>
Commenting:
Comments are lines ignored by your tcl shell. They are useful for noting what
you are doing, and why; this may come in handy for later reference.
Example:
<<
#!/usr/bin/tclsh
# This is a 'hello world' example with commenting.
puts "Hello World"
>>
[ Variables, etc ]
Variable names are case sensitive, and if you want a multiple word name that
contains a blank space (eg: my wang), you will need to wrap the name in
double quotes ("). We use the 'set' command to assign values to variables.
<<
% set a 123
123
% set "my wang" "its erect!"
its erect!
%
>>
Hey, what if I want to view a variable, but leave the value alone? Simple,
just use the 'set' command again, and don't give it a value argument. (I'm
talking to myself again)
<<
% set a
123
% set "my wang"
its erect!
%
>>
These damn TCL scripts are flirting with me..
So simple enough, the 'set' command can not only create and re-assign values,
it can also print the value of a variable.
If you want to put a variable, or multiple variables, into a command, you
insert a '$' character before the variable name. If your variable name
contains spaces, you surround the name with braces eg: '${my wang}'.
<<
% puts $a
123
% puts [expr $a + $a]
246
% puts ${my wang}
its erect!
%
>>
Woah, slow up, what's this expr stuff? Tcl first replaces each variable with
its value, so $a + $a becomes '123 + 123', and the expr command then evaluates
that expression. Placing it in square brackets (command substitution) lets the
result be 'worked out' and used in place of the brackets.
Example:
<<
% set "wang size" 7
7
% set "your wang" [expr ${wang size} - 3]
4
%
>>
Quite simple..
To remove a variable, we use the 'unset' command.
eg:
<<
% unset "my wang"
% puts ${my wang}
can't read "my wang": no such variable
>>
[ Quoting ]
In TCL, whenever you use a variable with the '$' sign, the variable is
replaced with its value.
For example:
<<
% set size 7
7
% set "schlong size" $size
7
%
>>
To stretch commands over multiple lines, we insert a backslash (\) at the end
of a line; it acts like a continue point.
<<
% set pube [expr ${schlong size} \
- 5]
2
%
>>
Say we wanted to assign a variable a string of text that includes another
variable's value. As we know, if a variable is inside double quotes (") its
value will be substituted. This is quite simple.
<<
% set "bill gates" "Hi, my name is Bill Gates, my penis size is $pube inches, \
that's why my company is Microsoft."
Hi, my name is Bill Gates, my penis size is 2 inches, that's why my company is Microsoft.
%
>>
If you are new to programming/scripting, TCL may be a good language to start
with; its syntax is extremely basic. If you are already familiar with the
programming field, you will pick this up without a problem.
[ Maths, etc ]
Lets work more on the expr command, a very useful function indeed.
Example:
<<
% set a 2
2
% set b 4
4
% expr $a+$b
6
% expr 2*"$a.$b"
4.8
% expr 3*(1+[string length "vagina"])
21
>>
Hopefully, you can figure out the above without too much reference. The last
example may be a bit confusing when you see 'string length'. String length
returns the number of characters in the following argument, in this case
"vagina" *cough*, which is 6. The argument can have multiple words, and each
blank space is counted as one character.
That's pretty simple right? But you may have realised, "I want to put this in
a .tcl file, and not input it directly from the bash, I also want it to display
the values". Try the following script; it works by putting 'puts' in front of
the bracketed expr command.
<<
#!/usr/bin/tclsh
puts "Printing out expr commands:"
puts [expr 3*(1+[string length "vagina"])]
>>
Basically prints the result of "3*(1+6)".
Quite simple right? General algebra sort of thing.
More examples:
Function:      Description:
==  !=         equal, not equal (true and false)
&&  ||         and, or
+   -          add, subtract
*   /   %      times, divide, remainder (modulo)
Another bit of maths which is annoying is: 'set blah [expr $blah + 1]'.
As we know, maths teachers, or anyone doing maths calculations, want a
simpler way of doing things (because maths teachers and students are
naturally slack), so a command 'incr' was developed.
Example:
<<
% set blah 1
1
% incr blah
2
% incr blah 5
7
%
>>
As we see above, the syntax is 'incr variable number'; if no number is given,
then by default it adds 1 to the variable, else it adds the given integer
value. You can also throw in a negative value as the argument, and it will
subtract from the variable.
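The variable, expr and incr material above in one script. This is an added example, not code from the original article; the variable names and sample values are made up for it. It also shows one caveat the page's examples skip over: an unbraced expr argument is substituted a second time by expr itself, so a variable holding a value with square brackets gets that command run, while a braced expression treats the same text as literal data.

```tcl
#!/usr/bin/tclsh
# Added example (not from the original article): variables, expr and incr.
# Run it with: tclsh maths.tcl

# Variable names may contain spaces if quoted; read them back with ${...}.
set "wang size" 7
set yours [expr {${wang size} - 3}]
puts "yours = $yours"                          ;# 4

# Operators from the table above: arithmetic, remainder, comparison, logic.
set a 2
set b 4
puts "a + b       = [expr {$a + $b}]"          ;# 6
puts "a * b       = [expr {$a * $b}]"          ;# 8
puts "b / a       = [expr {$b / $a}]"          ;# 2
puts "b % 3       = [expr {$b % 3}]"           ;# 1, remainder (modulo)
puts "a == b      = [expr {$a == $b}]"         ;# 0 means false
puts "a != b      = [expr {$a != $b}]"         ;# 1 means true
puts "a<b && b<10 = [expr {$a < $b && $b < 10}]"

# string length counts every character, blanks included.
puts "length of 'my wang' = [string length "my wang"]"   ;# 7

# incr with no argument adds 1; a negative argument subtracts.
set counter 1
incr counter
incr counter 5
incr counter -2
puts "counter = $counter"                      ;# 5

# Caveat: an unbraced expr argument is substituted twice. If a variable's
# value contains [...], expr runs the command inside when it re-parses.
set tainted {[string length "surprise"]}
puts "unbraced: [expr $tainted + 1]"           ;# bracketed command runs -> 9
if {[catch {expr {$tainted + 1}} err]} {
    puts "braced:   rejected ($err)"           ;# braces keep the text literal
}
```

Bracing the expression (`expr {...}`) is the habit to keep whenever the values come from a file, a socket or the command line.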
[ Controls, Loops ]
This is one of the most important areas in a language.
If, else:
<<
if {expression} {
    blah
} else {
    blah2
}
>>
Written example of what's happening:
If the first expression is true (returns 1), then it continues to 'blah', if
it is not true (does not return 1), then it continues to 'blah2'.
Example:
<<
#!/usr/bin/tclsh
set a 3
set b 5
if {$a + $b == 8} {
    puts "$a + $b = 8"
} else {
    puts "$a + $b does not equal 8"
}
>>
Most languages have this sort of syntax (c, php, javascript).
Switches:
The passed string is compared in turn with each pattern. When a match is
found, the corresponding body is run. If you specify 'default' and no pattern
matches, then that body will be run.
Switch Options:
-exact    String must exactly match
-glob     Glob matching
-regexp   Regular expression matching
--        Used to mark the end of options if the string starts with a hyphen
Example
<<
foreach arg $argv {
    switch -glob -- $arg {
        -l      {set leet true}
        -s      {puts "Script Kiddie tekniq isn't acceptable."}
        -z      {puts "fjear zerocool"; exit 1}
        default {error "bad argument"}
    }
}
>>
That should be quite simple to pick up right? Switches can also be referred to
as 'flags', and are very useful in programming structures. If you are clueless
with the above, then think about when you type the command line to run the
program, for example ./blah.tcl. You can specify argument flags to enable
certain options, etc. Are you following now? Eg: './blah.tcl -l' would run
whatever you have set for the -l argument, plus your main tcl structure.
Quick tip: when laying out your code, always try to indent so that the line
closing a body lines up with the line that opened it. Well, I confused myself
when typing that, so I'll do an example.
<<
if {blah} {
    if {blah2} {
        if {blah3} {
            puts "moo"
        }
        puts "moo2"
    }
}
>>
See how it's displayed nice and neat? If you remember to align your code
properly, it _does_ come in handy.
While:
The while command repeats the body as long as the condition is true.
Remember -1 doesn't equal true: gets returns -1 at end of file, so it keeps
looping until it can't read any more lines.
<<
% set fd [open "foo" "r"]
file3
% while {[gets $fd line] != -1} {
    puts "$line"
}
% close $fd
>>
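A complete script that ties the switch, if/else and while pieces together: it reads flags from the command line, opens the named file, and counts its lines. This is an added example, not from the original article; the script name, the -v and -n flags and the file argument are all invented for it.

```tcl
#!/usr/bin/tclsh
# Added example (not from the original article): a small script combining
# switch, if/else and a while loop that reads a file line by line.
# Usage: ./countlines.tcl [-v] [-n] file     (flags and script name assumed)

set verbose 0
set numbered 0
set fname ""

# Walk the command line. The -- after -glob tells switch that the next
# word is the string to match, even if it happens to start with a hyphen.
foreach arg $argv {
    switch -glob -- $arg {
        -v      {set verbose 1}
        -n      {set numbered 1}
        -*      {puts stderr "unknown flag $arg"; exit 1}
        default {set fname $arg}
    }
}
if {$fname eq ""} {
    puts stderr "usage: $argv0 \[-v\] \[-n\] file"
    exit 1
}

# open raises an error on a missing or unreadable file; catch it instead
# of letting the script die with a stack trace. On success fd is the channel.
if {[catch {open $fname r} fd]} {
    puts stderr "cannot open $fname: $fd"
    exit 1
}

# gets returns the length of the line read, or -1 at end of file.
set count 0
while {[gets $fd line] != -1} {
    incr count
    if {$numbered} {
        puts "$count: $line"
    } elseif {$verbose} {
        puts $line
    }
}
close $fd
puts "$fname: $count lines"
```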
Here is a final test, try using some of the functions you have learnt in this
tutorial, to write a TCL script which interacts with your Unix flavoured
system, to perform a certain task.
[ Outro ]
Well, what do you know now? Loops, Variables, Maths functions, the basics of
TCL. I hope you learnt something from this tutorial. If you did manage to
write a useful TCL script, and want to share, then forward a text based email
with the script included for me to check out. Although I am not a compiler,
and will not debug any screwed code for you.. ;)
If you liked this document, and want a more advanced tutorial next issue, then
e-mail me with praise and _perhaps_ an erotic love note, and I may consider
it.. *g* Also, make sure to check out 'Beginning Linux Programming'.
Cheers,
lymco - matthew@lymco.net
[icq - 22771484]
.................................[ outro ]..................................