                         Computer Academic Underground
                              Electronic Magazine
                                     #0018
                                    0415.98

##############################################################################
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
==============================================================================
------------------------------------------------------------------------------
..............................................................................

                               Table of Contents

Foreword

General
    Member Listing ................................................ -= CAU =-
    817 2600 Meeting .............................................. -= CAU =-
    Pink Oz or the Wizard of Floyd ................................. protocol
    Software Review: The Gimp ........................................... uv-

Hacking
    Tag Team Hacking ................................................ I)ruid
    Can we Hack? .................................................. protocol
    Exploit of the Month .......................................... -= CAU =-
    972.756.XXXX .................................................. -= CAU =-

Phreaking

Closing

##############################################################################

Foreword

Alright, not much technical information this month.  I'll work harder on a
more technical zine next month.

The main server had a little downtime this month due to two things.  First of
all, the server became unstable for a few days due to the motherboard going
bad, which I eventually replaced, upgrading the server at the same time.
Second, I moved into a new apartment, which kept the server completely offline
for almost a full day while the machine and phone lines were being moved.  But
I'm all settled in now, and the CAU GHQ should be stable, at least for now.
In the near future, I'm looking toward a cable-modem upgrade, which may result
in some downtime when that happens, but that won't be too soon.

Anyway, on to the zine.
I)ruid

##############################################################################

General

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Member Listing
(In the order in which they were brought into the CAU)

Handle              IRC Nick        E-Mail
--------------------------------------------------------------
I)ruid              I}ruid          druid@caughq.org
ultra violet        uv_             uv@caughq.org
Crimson Assassin    Crimson_A       crimson@caughq.org
Fizban              Fizban^         fizban@caughq.org
Sublime             sublime         sublime@caughq.org
int3l               int3l           int3l@caughq.org
MajestiX            maJesTix        majestix@caughq.org
--------------------------------------------------------------

-= CAU =-

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

817 2600 Meeting

First Friday of Every Month
6:00pm until 9:00pm

North East Mall Food Court
N.E. Loop 820 @ Bedford Euless Rd.
Hurst, Texas

Payphone: 817.???.????

We're getting a much better response than at Cafe Cybre...
(and yes, I keep forgetting to get the payphone number...)

-= CAU =-

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Pink Oz or The Wizard of Floyd

Well, just in case you have not tried syncing the 1939 Wizard of Oz with Pink
Floyd's Dark Side of the Moon, it produces a number of moments that are either
funny or just plain eerie.  To sync up you must start the CD after the 3rd roar
of the MGM Lion.  One moment of interest is when Dorothy is walking on a fence
near the beginning and falls; the lyrics are "balanced on the biggest wave" and
then the song changes to a much more intense feel as the uncles are worried
about Dorothy.  Also, when the witch comes on the scene the bells from "Time"
kick in.  It's a perfect match.  There are also several syncs if you start the
CD over again, although there is a timing issue to starting it right again.
Some have suggested playing "Strangers" after the first ends.  You should try
this with several people because you may miss some syncs otherwise.
The next time you see it you will probably find several that you missed the
first time.  Enjoy.

protocol
The way things are done.
101010

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Software Review: The Gimp

Homepage: www.gimp.org
Related:  www.gnome.org

Gimp is an image manipulation program, as well as an image creation util.
This nifty little program, written by Peter Mattis and Spencer Kimball, is
released under the GNU General Public License.  This program is released for a
wide range of *nixes and runs under X11.  (btw- X11R6.4 is out.  Get it at
www.camb.opengroup.org)

GIMP stands for GNU Image Manipulation Program.  GIMP is the closest thing to
Photoshop for Unix that I have found that is GNU released.  This program rox.
In like 10-30 min I messed with it and came up with all new graphix for my web
page.  It's really great for creating buttons and backgrounds.  Also good with
text manipulation upon images.  If you want to see some examples of what I
have done, see http://www.caughq.org/~uv .  Think about what someone with
artistic capabilities could do???

love,
uv-
uv@caughq.org

##############################################################################

Hacking

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Tag Team Hacking

First off, let me tell you just what exactly 'Tag Team Hacking' is.  I first
came across this technique one day while I was on IRC.  All of a sudden, my
terminal started beeping, and it wasn't me.  This usually means someone is
logged in through unencrypted telnet and is coming in through the ttysnoops
daemon, which allows me to see their terminal screen just as if it was one of
my terminal screens.  So I switched around terminals until I found the beeping
terminal.  It was int3l, and he was logged into some random machine.  Anyway,
I sat there for a minute watching what he was doing, and decided to call him
up and ask him what he was doing.
When he answered, he told me what he was doing and such, and I got a little
into it as well, and since ttysnoops allows me to read and type to his
terminal just like he does, we started sharing time on the compromised system
terminal, thus creating what I like to call 'Tag Team Hacking'.

Not only does this method keep logins to the actual system to a minimum, but
it also allows for two people to communicate back and forth about the hack,
which usually helps for coming up with new ideas, and keeps you from trying
the same exploits your tag-team partner has tried, and so forth.  I am lucky,
because I have an extra phone line, and int3l has a cellphone, so we were able
to communicate via voice, but others with less fortune than I may need to
communicate back and forth via IRC, ICQ, or some other online service.

But how do you set up your virtual wrestling ring and implement your crazy
tag-team styles?  Alright, here's how to do it.

First of all, one of you must be running a version of Unix that has a ttysnoop
daemon, or some other login.d replacement that allows you to interact with the
terminal session as well as the person that is telnetting in.  The other
person can be on whatever type of system they want; all they need is access to
telnet.  Slackware Linux comes with the ttysnoops package, as do many other
x86 Unix implementations.

To begin, the telnetting user telnets into the Unix machine, creating a
terminal session that both people can interface with, one via the snoop
daemon, the other via telnet.  From there either of you can then telnet
directly to the target system, or bounce through some wingate servers, or
whatever you want to do.  What I have found works quite effectively is if one
person is doing 'research' (downloading exploits, browsing rootshell.com,
whatever) while the other is in actual control of the terminal session.  Then
you switch.
If you cannot communicate with your tag-team partner via voice, a separate
terminal and an IRC session works quite well.

Anyway, that's my tidbit for this month.  Once again, I'm sure the halfway
intelligent ones of you can come up with some more techniques and tricks for
tag-team hacking.  And just remember, when you do things as a group, it
diffuses the blame.

I)ruid

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Can we hack?

After reading Greenie's article on Tag Team Hacking it got me to thinking
about using something more portable.  Welcome to "KIBITZ"!  It's included as a
separate file.

What is kibitz you say (and why do I care)?  Well buddy, just you wait and
see; kibitz is the best thing since sliced bread.  Better than cable TV.  What
it does is hook two people together in a shell or any program.  Here is a
diagram:

      ________                      ________
     |        |                    |        |
     | user 1 |                    | user 2 |
     |________|                    |________|
              \                    /
               \__________________/
               |                  |
               |      Kibitz      |
               |__________________|
                        |
               _________|________
               |                  |
               | Shell or program |
               |__________________|

So everything from one user is relayed to the other user.  To begin this
process all you do is "mesg y" then "kibitz user2", and then the other user
sees something close to:

    Message from root@some.net on ttyp1 at 11:35 ...
    Can we talk? Run: kibitz -515

This has kibitz start a shell.  If you want to run a program just tack it on
after user2 with any params it needs.  Then after typing kibitz -515 you could
start pico from the shell and chat a bit before the fun.  Or you or user2
could type "kibitz user3" and add another to the fun.  This works with local
or remote users.  If you do "kibitz user2 sleep 100" you have a short-lived
two-way chat.  To end the session just exit the program.

This might be fun to place in a user's .profile so that you get an interactive
live session.  "But I'm sure I typed the password right".

I also thought about a possible hack written in EXPECT.  No code, no proof,
just an idea that stayed more than a second or two.
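[ EDITOR'S NOTE: The diagram above describes a relay: whatever either user
  types goes to one program, and whatever the program prints goes to both
  users.  The following is an added example written for this edition; it is
  not code from the zine, from kibitz or from ttysnoop.  It models that
  fan-in/fan-out in Python over ordinary pipes rather than a pseudo-terminal
  and Expect, so full-screen programs that need a tty (pico, for instance)
  will not behave as they do under the real kibitz.  The names User, relay
  and shared_session are this example's own, and it assumes a POSIX system
  with /bin/sh on the PATH. ]

```python
"""Added example: a two-user relay onto one program, modelling the kibitz
diagram.  Not code from the zine, kibitz or ttysnoop.  Uses plain pipes
rather than a pty, so it demonstrates the fan-in/fan-out only."""
import os
import select
import subprocess


class User:
    """One participant.  in_fd: the relay reads this user's keystrokes here.
    out_fd: the relay copies the program's output here.  (Example's own name.)"""

    def __init__(self, name, in_fd, out_fd):
        self.name = name
        self.in_fd = in_fd
        self.out_fd = out_fd


def relay(cmd, users, chunk=4096):
    """Run cmd; splice every user's input into its stdin and copy its stdout
    (stderr merged in) to every user.  Returns the program's exit status."""
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT)
    prog_out = proc.stdout.fileno()
    open_inputs = {u.in_fd for u in users}   # users who have not hung up yet
    stdin_open = True
    while True:
        ready, _, _ = select.select([prog_out] + list(open_inputs), [], [])
        if prog_out in ready:
            data = os.read(prog_out, chunk)
            if not data:               # program closed stdout: session over
                break
            for u in users:            # fan-out: every user sees the same bytes
                os.write(u.out_fd, data)
        for u in users:                # fan-in, in fixed user order
            if u.in_fd in ready and u.in_fd in open_inputs:
                data = os.read(u.in_fd, chunk)
                if not data:           # EOF: this user hung up
                    open_inputs.discard(u.in_fd)
                elif stdin_open:
                    try:
                        os.write(proc.stdin.fileno(), data)
                    except BrokenPipeError:
                        pass           # program already gone; stdout EOF follows
        if stdin_open and not open_inputs:
            proc.stdin.close()         # nobody left typing: let the program see EOF
            stdin_open = False
    proc.stdout.close()
    if stdin_open:
        proc.stdin.close()
    return proc.wait()


def shared_session(cmd, typed):
    """Scripted session: `typed` maps user name -> bytes that user types
    (constructed input).  Returns (exit_status, {name: bytes that user saw})."""
    users, out_readers = [], {}
    for name, text in typed.items():
        in_r, in_w = os.pipe()
        out_r, out_w = os.pipe()
        os.write(in_w, text)
        os.close(in_w)                 # the user has finished typing
        users.append(User(name, in_r, out_w))
        out_readers[name] = out_r
    status = relay(cmd, users)
    seen = {}
    for u in users:
        os.close(u.in_fd)
        os.close(u.out_fd)             # so the reader below reaches EOF
        chunks = []
        while True:
            piece = os.read(out_readers[u.name], 4096)
            if not piece:
                break
            chunks.append(piece)
        os.close(out_readers[u.name])
        seen[u.name] = b"".join(chunks)
    return status, seen


if __name__ == "__main__":
    status, seen = shared_session(
        ["sh"], {"user1": b"echo hello from user1\n",
                 "user2": b"echo hello from user2\nexit 0\n"})
    for name, output in seen.items():
        print(f"{name} saw: {output!r}")
    print("exit status:", status)
```

Running the file directly drives sh with two scripted users and prints what
each of them saw.  The thing to notice is that both receive identical bytes
from a single process, which is exactly why a shared session of this kind
shows up as one login on the target rather than two.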
I was thinking about a variation of the backhoe thing in 2600 [ EDITOR'S
NOTE: 2600 Magazine, Volume 14, Number 4, page 6 ].  But instead of just
spawning shells from a cron job, actually running commands through the
disconnected process.  The script would use "kibitz -noproc user" to talk to
the user after being triggered.  One trigger I can think of is to use some
random file (maybe the contents contain an 'interact' statement or a list of
commands to execute) that the expect script rm's after viewing.  One advantage
to this is that there are no nasty root shells lying around and the
activation is from the user.  Well, just a thought.

protocol
The way things are done.
101010

[ EDITOR'S NOTE: Kibitz source code for perl is included in the external file
  'kibitz.pl' included in the original cau-0018.zip package. ]

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Exploit of the Month

This month's Exploit of the Month award goes to icqspoof.c!  Not much of an
exploit, but it is hilarious.  Lots of fun around the workplace.  Simply put,
this little bit of code allows whoever runs it to fake an ICQ message from an
arbitrary UIN, as long as the attacker knows the IP of the recipient, and the
recipient is currently running ICQ.

[ EDITOR'S NOTE: icqspoof.c has been included in the original cau-0018.zip
  package, appropriately named 'icqspoof.c'.  You can also find more ICQ fun
  at http://www.digivill.net/~minus/icq/ ]

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

972.756.XXXX

Scanned By: DialIt!
via the CAUGHQ Server
-----------------------------------------
972.756.0188 : CONNECT
972.756.0195 : CONNECT
972.756.0448 : CONNECT
972.756.0482 : CONNECT
972.756.0533 : CONNECT
972.756.0551 : CONNECT
972.756.0655 : CONNECT
972.756.0713 : CONNECT
972.756.0804 : CONNECT
972.756.0885 : CONNECT
972.756.1023 : CONNECT
972.756.1025 : CONNECT
972.756.1042 : CONNECT
972.756.1084 : CONNECT
972.756.1203 : CONNECT
972.756.2079 : CONNECT
972.756.2098 : CONNECT
972.756.3185 : CONNECT
972.756.3187 : CONNECT
972.756.3451 : CONNECT
972.756.3495 : CONNECT
972.756.3496 : CONNECT
972.756.3530 : CONNECT
972.756.3531 : CONNECT
972.756.3730 : CONNECT
972.756.3785 : CONNECT
972.756.3798 : CONNECT
972.756.4231 : CONNECT
972.756.4280 : CONNECT
972.756.4298 : CONNECT
972.756.4543 : CONNECT
972.756.4897 : CONNECT
972.756.4935 : CONNECT
972.756.5495 : CONNECT
972.756.5498 : CONNECT
972.756.6098 : CONNECT
972.756.6634 : CONNECT
972.756.6655 : CONNECT
972.756.6928 : CONNECT
972.756.6929 : CONNECT
972.756.6930 : CONNECT
972.756.6931 : CONNECT
972.756.9054 : CONNECT
972.756.9096 : CONNECT
972.756.9160 : CONNECT
972.756.9306 : CONNECT
972.756.9307 : CONNECT
972.756.9333 : CONNECT
972.756.9364 : CONNECT
972.756.9489 : CONNECT

##############################################################################

Phreaking

##############################################################################

Closing

Well, not much of a Phreaking section once again.  Don't worry, it should
fill out a little as the summer begins, and people are more eager to get out
and do stuff.

This month is the first prefix scan to be included in the zine for a long
time.  Hopefully this will be a recurring trend, depending on how quickly I
can scan, and how many scan contributions we receive over the next few months.
If you want to contribute, send prefix scans to zine@caughq.org.  Anyone that
sends in a scan will be credited for it.

Anyway, that's all for this month.
I)ruid

##############################################################################

                         Computer Academic Underground