-=-=-<< F0rbidden Knowledge - Volume Two, Issue Three Contents of this Issue... -/- Introduction by the Editorial Comittee -/- An Automated Response System under Unix using TCP Wrappers by Vortexia -/- A Hint for Social Engineering through IRC by Wyzewun -/- Cracking the EAN Barcode System Part One by Moe1 -/- More Beigeboxing Methods by Wyzewun -/- Old Car Alarms and Jaguar Lock Mechanisms by Hitsquad -/- Lock Mechanisms on BMW's by Wyzewun -/- News in brief by The Editors -/- Thanks and Greets -/- Lamer of the month section! By Editors vote! -=-=-<< Introduction to F0rbidden Knowledge, Volume 2, Issue 3 by The Editors Well, it's time for a new season of F0rbidden Knowledge. The SoS have split and we are giving full priority to the production of the Zine. It was simply too hard to continue working on other projects with the responsibility of finding out stuff and writing articles about it. We have dumped all prior associations, and are all working exclusively on F0rbidden Knowledge from now on. The FK team are... ----/ Chief Editor ..................... Wyzewun (wyze1@syrex.co.za) ---/ Co-Editors ...................... Vortexia (vortexia@one.se) --/ .................................. Marc Satur9 (satur9@usa.net) --/ The Crew ....................... Moe1 (moe1@mailbox.co.za) -/ ................................. Sniper (sniper@h4x0rz.za.org) -/ .................................. Gevil (gevil@hotmail.com) You may contact any of us through e-mail, otherwise you will find at least one of us on #zahack on EFNet. We hope you enjoy the Zine, it is nothing like the last two issues, so please mail us and tell us what you think. Please also keep in mind that because of us having to restart production of the zine completely half way through the month, and the fact that many people decided not to contribute their articles at the last minute, we did not have as much as we would've liked to have in this issue. However, I feel that the quality of the articles in this issue surpasses any in previous editions of FK and that we are definately heading for a good patch. I have also dumped the stupid ASCII art stuff, and given the zine an all-around new look, which is simpler and easier to read. Please mail me telling me what you think of the new F0rbidden Knowledge Cheers, Wyzewun (wyze1@syrex.co.za) -=-=-<< An automated response system under Unix using TCP Wrappers by Vortexia Ok... here we go :) How to make a system respond to connection attempts you well.... dont like so much *grin* Well... there are a coupla ways, I only gonna cover the most simple one (with TCP Wrappers, which is a standard program on linux systems and can be installed under a bsd system from /usr/ports/security/tcp_wrapper) Ok... first a brief explanation on how a tcp wrapper works.... Someone connects to your box... your box spawns tcpd (the tcp wrapper daemon), which then checks the connecting person's ip against your allow and deny lists, IF it likes that persons ip then it starts the program they are connecting to (the daemon the connecting client wants), and quits itself... if it doesnt, it either just drops the connection clients connection, or it runs a script before dumping the connecting clients connection :) Ok... so now to the actual, how the hell to implement this section... First of all if ya wanna tcp wrapper something you gotta put it in inetd.conf 2 sample entries from a bsd system: This is without TCP Wrappers: telnet stream tcp nowait root /usr/libexec/telnetd /usr/libexec/telnetd This is with TCP Wrappers: telnet stream tcp nowait root /usr/local/libexec/tcpd /usr/libexec/telnetd Ok... this is pretty damn self explanatory... standard inetd.conf entry is first, I wont explain all the options they arent important at this stage, except you will notice that I inserted tcpd in the second entry, following that example will allow you to wrapper most things..... (backup original /etc/inetd.conf before you modify it incase you stuff up). Ok... then you find out where hosts.allow and hosts.deny are on your system (if its linux its probably in /etc, if its FreeBSD probably /usr/local/etc). Then you add some options to them... Ok, we wanna deny all by default... we would put the following in hosts.deny for each daemon. telnetd: ALL popper: ALL etc etc, the first entry has to be the NAME of the actual file you are denying, I.E if telnetd in inetd.conf is /usr/sbin/in.telnetd then put there in.telnetd, if its /usr/libexec/telnetd put telnetd etc etc etc. Then we wanna allow something in for telnetd, so in hosts.allow we put something like: telnetd: 34.23.42.38 235.34.129.38 This will allow those 2 ips in for telnetd, alternatively you can put wildcards in there. Ok, now you got basic wrappers working allowing and disallowing connections, now you wanna do auto response, so first of all, I must say this, now is a good time to learn how to read man pages :P man 5 hosts_access will show you the man page, section 5 for hosts_access, man 5 hosts_options can also help with what follows. Ok... lets change our hosts.deny file slightly... we want auto response on pop3 that uses a daemon with filename popper... so we put in something like this.... popper: ALL: spawn (/root/security/wrapper.script %h %s %c %h) This says, before dropping the denied connection, run the script /root/security/wrapper.script with the parameters %h %s %c %h. Note, you can tell it to run ANYTHING here with ANY parameters (please dont abuse *grin*, will explain HOW to abuse later) Ok... the parameters... first lets cover what they do, there are further options than the ones covered by basic auto response only needs the ones I have specified, I will cover one other one later as well. %h is the hostname, or ip if it cant find the hostname %s is the daemon they tried to connect to, and the server address, or as much info is available to TCPD %c is client information (the perosn who is connecting) user@host, if identd is running, or just the hostname again. A further useful one I found is %a which doesnt return host, it just returns an ip address. Ok... how to then write the script that it passes all this 2.... Lets look at a basic bash script... Ok, we want this to portscan the host, finger the host, then email the results to someone so they will be aware that someone is trying to connect... (remeber anything other than the first line of whats below that starts with a # is a comment) #!/bin/bash nmap -o $1.$2.strobe.scan $1 # nmap is our portscanner, $1 refers to %h (the first parameter), $2 is # %s. What this says is run a portscanner against $1 (the connecting # host) and output it to a file with name containing the connecting client # and the daemon they tried to connect 2. finger \w@$1 >$1.$2.finger.results # This says run finger against the host and output to a file echo "Strobe results for $1" >$1.$2.mail.output cat $1.$2.strobe.scan >>$1.$2.mail.output echo "Finger results for $1" >>$1.$2.mail.output cat $1.$2.finger.results >>$1.$2.mail.output cat $1.$2.mail.output |mail -s "Security Violation Report" |mail root (script ends here) Ok... the last 5 lines are pretty simple really, the first line says make a file called $1.$2.mail.output ($1 and $2 being the information specified by %h and %s). The Second line says append the file $1.$2.strobe.scan to the mail file. The Third line says append a line that says: "Finger Results for $1" The forth line says append the finger resulsts to the mail file the fifth line says email the entire file to the local root account. Simple huh? :) Ok... now to auto respond *evil grin*, Say you felt REALLY nasty and wanted to smurf or nestea everyone connecting to your box... just replace the nmap line or one of the other lines with your favorite attack proggy :) For example: smurf $1 bcast.file -S 128 -n 2000 will happily smurf $1 with 2000 128k packets (dont try this on a modem link or anything with less bandwidth than dual channel ISDN, its just an example *grin*). Anyway :) thats how you do it If this article is confusing or you want more info on how to do even more fun things with tcpd or want explanations, I hang on #zahack on efnet and Im always willing to help anyone out with what I know Cheers Vortexia (vortexia@one.se) -=-=-<< Fooling people on IRC into running Programs by Wyzewun Getting a relatively smart person to run a program they recieved off IRC is actually a lot easier than one would normally think it is. I've found that the method that works best is to find some form of Lame DoS attack that they are vunerable to. (For Windows, I recommend trying Jolt or Click because half of the idiots on this planet are vunerable to those) After kicking the target off IRC a couple of times, msg him and tell him that you know what is happening to him. Make up some bullshit name for an exploit and tell him that he is vunerable to it, and he must go and download the patch from Microsoft's site. At this stage, tell him that you've just realised that you have the patch for it, and that if he wants he can have it from you, but make sure that you offer to let him search Micro$oft's site so that he doesn't think something funny is going on. After he can't find it and asks you to DCC him the patch, just send over Netbus, Back Orifice, Your new Virus, Whatever. Easy as that. If you have a site you may want to put up the executable there to make him less suspicious. It's really all up to you, this article gives you a means to an end that is completely up to you. -=-=-<< Cracking the EAN Barcode System by Moe1 The EAN or European Article Number System Barcode has 13 values, making it easy to spot. Value 1 is situated outside the "left hand side" border. Together with the second digit, it tells us the origin of the product. Values from 3-12 give's us the article code. And value 13 is a checksum which checks the validity of all the other numbers. The checksum is calculated as follows: 1. Add all the odd position numbers except the last digit (1+3+5+7+9+11) 2. Add all the even position numbers (2+4+6+8+10) and multiply the answer by 3. (Note that we are leaving out the last digit, which is our checksum) 3. Add the answer in 1 with the answer in 2. 4. We divide the sum of 1 and 2 by the number 10 and if the remainder is not zero, then we substract the remainder from 10 and this should give us our last positioned number. Once the checksum is done, we know that the barcode is valid. Now on to the lines (yeah doze pesky lines above the values) Note: 7 lines make's up 1 value. There are 3 graphic codes that are used and we have 2 groups of values as explained above. From those 3 graphic codes, 2 codes (A,B) are used in the first group of values and code (C) is used in the second group of values. Below shows us the different graphic code that makes up the different numbers of the values. Take notice of the different lines. BLACK LINE REPRESENTED BY 1 WHITE SPACE REPRESENTED BY 0 CODE A CODE B CODE C if code A were: | if code B were: | if code C were: 0 ----> 0001101 | 0 ----> 0100111 | 0 ----> 1110010 1 ----> 0011001 | 1 ----> 0110011 | 1 ----> 1100110 2 ----> 0010011 | 2 ----> 0011011 | 2 ----> 1101100 3 ----> 0111101 | 3 ----> 0100001 | 3 ----> 1000010 4 ----> 0100011 | 4 ----> 0011101 | 4 ----> 1011100 5 ----> 0110001 | 5 ----> 0111001 | 5 ----> 1001110 6 ----> 0101111 | 6 ----> 0000101 | 6 ----> 1010000 7 ----> 0111011 | 7 ----> 0010001 | 7 ----> 1000100 8 ----> 0110111 | 8 ----> 0001001 | 8 ----> 1001000 9 ----> 0001011 | 9 ----> 0010111 | 9 ----> 1110100 NOTE: only in group 1 are CODE A & B used, in group 2 it's all CODE C. So look at group 1 and identify which CODE forms the number. EXAMPLE: I buy a Sunday Times Newspaper, and I look at the bottom of the front page and see a nice little barcode. Due to my curiosity I wanna know how that shit works so I decide I wanna try and crack that scheme those newspaper boys use. First I look at the numbers and find that there are 13 numbers (9 770039 533008) immediately I know that they are using the EAN system. Since I know how to crack this system, its no problem. I first do a checksum to see if any screws up occur... 9+7+0+9+3+0 = 28 (7+0+3+5+3+0) x 3 = 54 28+54 = 82 82 divided by 10 = 8 remainder 2 10 - 2 = 8 = CHECKSUM (value 12 or 13th position no. in barcode) Ok Checksum done. Now we see what makes up 770039 and we find that its the code pattern: ABBABA And our code pattern for 533008 is: CCCCCC (check and see the lines would be exactly the same as the lines in CODE C) Right so we know: BARCODE: 9 770039 533008 977 tells us its a book or some sort of reading material 770039 is ABBABA and 533008 is CCCCCC and our checksum is 8 I took the Sunday Times Newspaper for an example because it seems it's the easiest to do. If you still dont understand how barcodes can be of any assistance to you then "ERM" think harder. < Wyze1: Amonst a couple of other things - Think IDs > Bye! Moe1 (moe1@mailbox.co.za) in Issue Four, perhaps later. Depends on how lazy Moe1 is, how the readers respond to this article, and how many spelling mistakes and grammatical screw-ups Wyzewun can try to edit out of the article before he faints :P> -=-=-<< More Beigeboxing Methods by Wyzewun In Issue Two, I covered use of the Blue and Green Telkom boxes to box. This Issue, I'll be looking at some alternative methods... Method Number One ~~~~~~~~~~~~~~~~~ Go to an abandoned building that used to be an office (South Africans - Watch out for squatters *grin*) and it is extremely likely that it will have working phone lines running into it. Of course, it is also very likely that there will be no form of phone jack to be found - Are we using a phone jack? No. We're using Crocodile Clips. Problem Solved. :) Method Number Two ~~~~~~~~~~~~~~~~~ Try using the phone of some-one who has recently moved out of a house, or use your neigbours' phone when they are on holiday. Simply find the cord that runs from their phone out of their house, cut it open, and connect up your box. If the tenants have moved out and have had their phone disconnected, phone up Telkom and tell them that the disconnection of the phone was a mistake and ask them to reconnect it. :) This way, you can keep a phone working for up to three months before Telkom finally cut it off. Method Number Three ~~~~~~~~~~~~~~~~~~~ Find the point where a cable goes from the overhead poles into the ground. It is sometimes covered with a concrete or asbestos cover, so you may have to get past that. Assuming you somehow have done so, open up the cable, and you should find twisted pairs of wires like this... pair #%# <--scotch lock 2 pairs | // | /><><><> ///><><><> //\<><><><>\ | \><><><><\ twisted- \\ together #%# << ASCII Art Stolen from Kokey >> The wires are colour coded to indicate negative and positive wires. When in doubt of how to connect your box, consult Kokey's handy Table-O-Colours... Base colours Negative legs ------------ ------------- blue white orange red green black Or alternatively, if you can get down far enough to see where the wires un-ravel to, you can just do that. ;-) Well, that's all the ways I'm going to cover on beigeboxing in SA for this issue, yes, there are more, but I'm going to have to research them in a bit more detail, so yes, FK4 will have more beigeboxing stuff! Just remember to tell me when you get sick of this... :) -=-=-<< Affirmative Car Shopping by Hitsquad Since Wyzewun explained how to borrow a bus in the previous months, I thought we should move up a level and explain how to, um borrow a car for a short time before he gets picked up by the police. Anyway, with many older car alarms, when the car is bumped, the alarm sounds and the lights flash. Like most electrical systems, there is a fuse in case there is a power fails in some way and this fuse will break the circuit, thereby killing the alarm. Now this is all good and fine if nobody can reach the fuse, but if you can reach the fuse, then there's trouble. With the older car systems, the fuse is behind the left front light that flashes, so simply break the light and the fuse behind it and that is the end of one alarm system. Simple huh? So now if there is an old car down the road from you, with an alarm that keeps waking you up at night, you know how to switch it off. ;-) This method however does not disable the engine/battery cut offs so it might be harder to steal the car. (This method was tried on an old Porsche and it worked, unfortunetly, the money I won on the bet was less than the light I had to replace and I did have the owners permission :-< ) Also, according to Jaguar magazine, there are over 500 000 jaguars in South Africa. Now if you lock your keys in the car , there is a fairly simple and not so destructive way to get your keys and you don't need a brick. The lock mechanism has been placed behind the rear-view mirror. Simply remove the mirror and there is the lock mechanism which you can then open your car. Easy as that. Hitsquad Things To Ponder - #06 Should you trust a stockbroker who is married to a travel agent? -=-=-<< More affirmative car shopping by Wyzewun Allright, if we're going to go into the whole car theft thing this issue then thats fine with me - I also have a new trick or two to share... The Lock Mechanism on a BMW with Central Locking is in fact located in the boot of the car. So, to get yourself a new BMW, you will need a tennis ball and a brick. No, I am NOT going to write an article on Tennis Ball Theft! Shut up and Stop Laughing at me!@#! :P Cut the Tennis Ball in half, place it over the lock on the boot and hit it with the brick as hard as you can. All the doors should open. Note that this can also be done with a nail instead of a tennis ball, which is more effective, but also requires practice and will fuck up the lock if you don't do it right. -=-=-<< News in Brief by The Editors -/- Konr@d magazine (Berlin, Germany) set to publish article on Johannesburg Computer Culture in their March Issue. The article includes the results of interviews with Wyzewun as well as mentions of many other prominent South African hackers and what they do. -/- Wyzewun has insisted that he is going to drink Tequila until his liver explodes unless some-one designs a nice ASCII Art Logo for FK. Then again, he may enjoy that... Damn... -=-=-<< Thanks and Greets Group Greets: Cult of the Dead Cow, Hacker News Network, L0pht, Legions of Underground, Phrozen Crew, r00t, Technotronic, The Hackers Choice Personal Greets: Aleph1, Cache, Caliburn, Crazyg*y, Cyber Demon, Cyclotron, fern, FireIce, Grey Wolf, kokey, Mnemonic, Mudge, optiklenz, opium, Pavlov, Radix, route, Sector12, Sledge, Spy, The Keyboard Caper *********************** Lamer of the Month: *********************** NICK: HOTMETAL! REASON: Has a habit of posting bullshit on mailing lists and making himself look like a fool REAL NAME: Cami (Camihose?) *********************** -=-=-<< When and Where to get the Next Issue Issue Number: Four Release Date: 5th March 1999 Distrib Site: www.posthuman.za.net Notes: FK4 will be even better than this issue, I promise :)