ࡱ> |  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{}~Root Entry F̡؂EWordDocumentmCompObj^ I've compiled a few questions that I feel may determine your readiness. Please answer truthfully, you have nothing to gain from lying. How many books have you read that you didn't have to for school, etc? (one point for each book) Would you rather learn C++, or to how to remotely shutdown a computer? (one mark if you answered learn C++) Do you want to take the time to learn the workings of the internet? (one mark if answered yes) Have you ever cancelled a date, party, or other social gathering to learn? (3 marks if yes) Well, let's add it up. If you scored in the 0-1 range, you lack the maturity to be a hacker, as of yet at least. If you scored in the 2-4 range, you are obviously new, but have hope (with the help of Karma and it's affiliates) of redeming your mind. If you scored 5+, then you are ready for the hacker voyage. If you scored 10+, you know very well your a hacker. 3) Starting Off Some hacking files will jump right into how to get into a system, but I believe that the best way to start off is by learning about what it is your hacking. Part 1: The Internet *following information added from I/O magazine* Started by DARPA (the Defense Advanced Research Project Agency), a government agency started in the, DARPA paid for research on connecting computers together so that they could communicate with one another. They wanted this communication to include "dynamic rerouting". Dynamic rerouting means that if one route to a computer on the network was taken out (say by a nuclear bomb), then an alternative route could be found so that the information could be delivered. This technology was being developed as the cold war was going, just in case. However, now that the cold war is over, dynamic rerouting has become useful for every day networking purposes. It doesn't take a nuclear explosion to disrupt something on a network, taking out communicatio lines and/or important machines, so dynamic rerouting is used to create a reliable communication medium between computers on a network. DARPA, along with the efforts of others came up with NCP (Network Control Program). The very first test network was setup in a massachusettes firm called Bolt Beranek & Newman, Inc. This network was called ARPANET and connected university and military research centers. In the early 1970's, ARAPNET started to grow and to include computers across the United States and Western Europe. NOC (Network Operations Center) was the hub of ARPANET. However, even though NCP could do dynamic rerouting, it was limited to one network andܥe# !Dm#,ll,llll l w(lllTlq %w MS Sans Serif SymbolTimes New RomanTimes New RomanTimes New Roman0Courier NewA Karma Special Report >http.freeweb.digiweb.com/education/mugster/ Hacking 101 v.2 Contents: 1) What is a hacker? 2) Do you have what it takes? 3) Starting Off >TCP/IP >UNIX, Shell accounts, and Telnet >NetBIOS >PPTP 00 U Workstation Service 01 U Messenger Service <\\_MSBROWSE_> 01 G Master Browser 03 U Messenger Service 06 U RAS Server Service 1F U NetDDE Service 20 U File Server Service 21 U RAS Client Service 22 U Exchange Interchange 23 U Exchange Store 24 U Exchange Directory 30 U Modem Sharing Server Service 31 U Modem Sharing Client Service 43 U SMS Client Remote Control 44 U SMS Admin Remote Control Tool 45 U SMS Client Remote Chat 46 U SMS Client Remote Transfer 4C U DEC Pathworks TCPIP Service 52 U DEC Pathworks TCPIP Service 87 U Exchange MTA 6A U Exchange IMC BE U Network Monitor Agent BF U Network Monitor Apps 03 U Messenger Service 00 G Domain Name 1B U Domain Master Browser 1C G Domain Controllers 1D U Master Browser 1E G Browser Service Elections 1C G Internet Information Server 00 U Internet Information Server [2B] U Lotus Notes Server IRISMULTICAST [2F] G Lotus Notes IRISNAMESERVER [33] G Lotus Notes Forte_$ND800ZA [20] U DCA Irmalan Gateway Service Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique. Group (G): A normal group; the single name may exist with many IP addresses. Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. Maximum number of addresses is 25. Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names. Domain Name (D): New in NT 4.0 For a quick and dirty look at a servers registered NetBIOS names and services, issue the following NBTSTAT command: nbtstat -A [ipaddress] NetBIOS Sessions The NetBIOS session service provides a connection-oriented, reliable, full-duplex message service to a user process. NetBIOS requires one process to be the client and the other to be the server. NetBIOS session establishment requires a preordained cooperation between the two stations. One application must have issued a Listen command when another application issues a Call command. The Listen command references a name in its NetBIOS name table (or WINS server), and also the remote name an application must use to qualify as a session partner. If the receiver (listener) is not already listening, the Call will be unsuccessful. If the call is successful, each application receives notification of session establishment with the session-id. The Send and Receive commands the transfer data. At the end of a session, either application can issue a Hang-Up command. There is no real flow control for the session service because it is assumed a LAN is fast enough to carry the required traffic. NetBIOS Datagrams Datagrams can be sent to a specific name, sent to all members of a group, or broadcast to the entire LAN. As with other datagram services, the NetBIOS datagrams are connectionless and unreliable. The Send_Datagram command requires the caller to specify the name of the destination. If the destination is a group name, then every member of the group receives the datagram. The caller of the Receive_Datagram command must specify the local name for which it wants to receive datagrams. The Receive_Datagram command also returns the name of the sender, in addition to the actual datagram data. If NetBIOS receives a datagram, but there are no Receive_Datagram commands pending, then the datagram is discarded. The Send_Broadcast_Datagram command sends the message to every NetBIOS system on the local network. When a broadcast datagram is received by a NetBIOS node, every process that has issued a Receive_Broadcast_Datagram command receives the datagram. If none of these commands are outstanding when the broadcast datagram is received, the datagram is discarded. NetBIOS enables an application to establish a session with another device and lets the network redirector and transaction protocols pass a request to and from another machine. NetBIOS does not actually manipulate the data. The NetBIOS specification defines an interface to the network protocol used to reach those services, not the protocol itself. Historically, has been paired with a network protocol called NetBEUI (network extended user interface). The association of the interface and the protocol has sometimes caused confusion, but the two are different. Network protocols always provide at least one method for locating and connecting to a particular service on a network. This is usually accomplished by converting a node or service name to a network address (name resolution). NetBIOS service names must be resolved to an IP address before connections can be established with TCP/IP. Most NetBIOS implementations for TCP/IP accomplish name address resolution by using either broadcast or LMHOSTS files. In a Microsoft enviroment, you would probably also use a NetBIOS Namer Server known as WINS. NetBEUI Explained NetBEUI is an enhanced version of the NetBIOS protocol used by network operating systems. It formalizes the transport frame that was never standardized in NetBIOS and adds additional functions. The transport layer driver frequently used by Microsofts LAN Manager. NetBEUI implements the OSI LLC2 protocol. NetBEUI is the original PC networking protocol and interface designed by IBM for the LanManger Server. This protocol was later adopted by Microsoft for their networking products. It specifies the way that higher level software sends and receives messages over the NetBIOS frame protocol. This protocol runs over the standard 802.2 data-link protocol layer. NetBIOS Scopes A NetBIOS Scope ID provides an extended naming service for the NetBIOS over TCP/IP (Known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. The NetBIOS Scope ID also allows computers to use the same computer namee as they have different scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique. Part 3: PPTP Introduction Point-To-Point Tunneling Protocol (PPTP) is a protocol that allows the secure exchange of data from a client to a server by forming a Virtual Private Network (VPN) via a TCP/IP based network. The strong point of PPTP is its ability to provide on demand, multi-protocol support over existing network infrastructure, such as the Internet. This ability would allow a company to use the Internet to establish a virtual private network without the expense of a leased line. The technology that makes PPTP possible is an extension of the remote access Point-To-Point Protocol (PPP- which is defined and documented by the Internet Engineering Task Force in RFC 1171). PPTP technology encapsulates PPP packets into IP datagrams for transmission over TCP/IP based networks. PPTP is currently a protocol draft awaiting standardization. The companies involved in the PPTP forum are Microsoft, Ascend Communications, 3Com/Primary Access, ECI Telematics, and US Robotics. PPTP and Virtual Private Networking The Point-To-Point Tunneling Protocol is packaged with WindowsNT 4.0 Server and Workstation. PC's that are running this protocol can use it to securely connect to a private network as a remote access client using a public data network such as the Internet. A major feature in the use of PPTP is its support for virtual private networking. The best part of this feature is that it supports VPN's over public-switched telephone networks (PSTNs). By using PPTP a company can greatly reduce the cost of deploying a wide area, remote access solution for mobile users because it provides secure and encrypted communications over existing network structures like PSTNs or the Internet. Standard PPTP Deployment In general practice, there are normally three computers involved in a deployment: a PPTP client a Network Access Server a PPTP Server note: the network access server is optional, and if NOT needed for PPTP deployment. In normal deployment however, they are present. In a typical deployment of PPTP, it begins with a remote or mobile PC that will be the PPTP client. This PPTP client needs access to a private network by using a local Internet Service Provider (ISP). Clients who are running the WindowsNT Server or Workstation operating systems will use Dial-up networking and the Point-To-Point protocol to connect to their ISP. The client will then connect to a network access server which will be located at the ISP (Network Access Servers are also known as Front-End Processors (FEPs) or Point-Of-Presence servers (POPs)). Once connected, the client has the ability to exchange data over the Internet. The Network Access Server uses the TCP/IP protocol for the handling of all traffic. After the client has made the initial PPP connection to the ISP, a second Dial-Up networking call is made over the existing PPP connection. Data sent using the second connection is in the form of IP datagrams that contain PPP packets, referred to as encapsulated PPP. It is this second call that creates the virtual private network connection to a PPTP server on the private company network. This is called a tunnel. Tunneling is the process of exchanging data to a computer on a private network by routing them over some other network. The other network routers cannot access the computer that is on the private network. However, tunneling enables the routing network to transmit the packet to an intermediary computer, such as a PPTP server. This PPTP server is connected to both the company private network and the routing network, which is in this case, the Internet. Both the PPTP client and the PPTP server use tunneling to securely transmit packets to a computer on the private network. When the PPTP server receives a packet from the routing network (Internet), it sends it across the private network to the destination computer. The PPTP server does this by processing the PPTP packet to obtain the private network computer name or address information which is encapsulated in the PPP packet. quick note: The encapsulated PPP packet can contain multi-protocol data such as TCP/IP, IPX/SPX, or NetBEUI. Because the PPTP server is configured to communicate across the private network by using private network protocols, it is able to understand Multi-Protocols. PPTP encapsulates the encryptred and compressed PPP packets into IP datagrams for transmission over the Internet. These IP datagrams are routed over the Internet where they reach the PPTP server. The PPTP server disassembles the IP datagram into a PPP packet and then decrypts the packet using the network protocol of the private network. As mentioned earlier, the network protocols that are supported by PPTP are TCP/IP, IPX/SPX and NetBEUI. PPTP Clients A computer that is able to use the PPTP protocol can connect to a PPTP server two different ways: By using an IPS's network access server that supports inbound PPP connections. By using a physical TCP/IP-enabled LAN connection to connect to a PPTP server. PPTP clients attempting to use an ISP's network access server must be properly configured with a modem and a VPN device to make the seperate connections to the ISP and the PPTP server. The first connection is dial-up connection utilizing the PPP protocol over the modem to an Internet Service Provider. The second connection is a VPN connection using PPTP, over the modem and through the ISP. The second connection requires the first connection because the tunnel between the VPN devices is established by using the modem and PPP connections to the internet. The exception to this two connection process is using PPTP to a create a virtual private network between computers physically connected to a LAN. In this scenario the client is already connected to a network and only uses Dial-Up networking with a VPN device to create the connection to a PPTP server on the LAN. PPTP packets from a remote PPTP client and a local LAN PPTP client are processed differently. A PPTP packet from a remote client is placed on the telecommunication device physical media, while the PPTP packet from a LAN PPTP client is placed on the network adapter physical media. PPTP Architecture This next area discusses the architecture of PPTP under Windows NT Server 4.0 and NT Workstation 4.0. The following section covers: PPP Protocol PPTP Control Connection PPTP Data Tunneling Architecture Overview: The secure communication that is established using PPTP typically involves three processes, each of which requires successful completion of the previous process. This will now explain these processes and how they work: PPP Connection and Communication: A PPTP client utilizes PPP to connect to an ISP by using a standard telephone line or ISDN line. This connection uses the PPP protocol to establish the connection and encrypt data packets. PPTP Control Connection: Using the connection to the Internet established by the PPP protocol, the PPTP protocol creates a control connection from the PPTP client to a PPTP server on the Internet. This connection uses TCP to establish communication and is called a PPTP Tunnel. PPTP Data Tunneling: The PPTP protocol creates IP datagrams containing encrypted PPP packets which are then sent through the PPTP tunnel to the PPTP server. The PPTP server disassembles the IP datagrams and decrypts the PPP packets, and the routes the decrypted packet to the private network. PPP Protocol: The are will not cover in depth information about PPP, it will cover the role PPP plays in a PPTP environment. PPP is a remote access protocol used by PPTP to send data across TCP/IP based networks. PPP encapsulates IP, IPX, and NetBEUI packets between PPP frames and sends the encapsulated packets by creating a point-to-point link between the sending and receiving computers. Most PPTP sessions are started by a client dialing up an ISP network access server. The PPP protocol is used to create the dial-up connection between the client and network access server and performs the folloing functions: Establishes and ends the physical connection. The PPP protocol uses a sequence defined in RFC 1661 to establish and maintain connections between remote computers. Authenticates Users. PPTP clients are authenticated by using PPP. Clear text, encrypted or MS CHAP can be used by the PPP protocol. Creates PPP datagrams that contain encrypted IPX, NetBEUI, or TCP/IP packets. PPTP Control Connection: The PPTP protocol specifies a series of messages that are used for session control. These messages are sent between a PPTP client and a PPTP server. The control messages establish, maintain and end the PPTP tunnel. The following list present the primary control messages used to establish and maintain the PPTP session. Message Type Purpose PPTP_START_SESSION_REQUEST Starts Session PPTP_START_SESSION_REPLY Replies to Start Session Request PPTP_ECHO_REQUEST Maintains Session PPTP_ECHO_REPLY Replies to Maintain Session Request PPTP_WAN_ERROR_NOTIFY Reports an error in the PPP connection PPTP_SET_LINK_INFO Configures PPTP Client/Server Connection PPTP_STOP_SESSION_REQUEST Ends Session PPTP_STOP_SESSION_REPLY Replies to End Session Request The control messages are sent inside of control packets in a TCP datagram. One TCP connection is enabled between the PPTP client and Server. This path is used to send and receive control messages. The datagram contains a PPP header, a TCP Header, a PPTP Control message and appropriate trailers. The construction is as follows ----------------------------------- PPP Delivery Header ----------------------------------- IP Header ----------------------------------- PPTP Control Message ----------------------------------- Trailers ----------------------------------- PPTP Data Transmission After the PPTP Tunnel has been created, user data is transmitted between the client and PPTP server. Data is sent in IP Datagrams containing PPP packets. The IP datagram is created using a modified version of the Generic Routing Encapsulation (GRE) protocol (GRE is defined in RFC 1701 and 1702). The structure of the IP Datagram is as follows: --------------------------------------------------- PPP Delivery Header --------------------------------------------------- IP Header --------------------------------------------------- GRE Header --------------------------------------------------- PPP Header --------------------------------------------------- IP Header --------------------------------------------------- TCP Header --------------------------------------------------- Data --------------------------------------------------- By paying attention to the construction of the packet, you can see how it would be able to be transmitted over the Internet as headers are stripped off. The PPP Delivery header provides information necessary for the datagram to traverse the Internet. The GRE header is used to encapsulate the PPP packet within the IP Datagram. The PPP packet is created by RAS. The PPP Packet is encrypted and if intercepted, would be unintelligible. Understanding PPTP Security PPTP uses the strict authentication and encryption security available to computers running RAS under WindowsNT Server version 4.0. PPTP can also protect the PPTP server and private network by ignoring all but PPTP traffic. Despite this security, it is easy to configure a firewall to allow PPTP to access the network. Authentication: Initial dial-in authentication may be requried by an ISP network access server. If this Authentication is required, it is strictly to log on to the ISP, it is not related to Windows NT based Authentication. A PPTP server is a gateway to your network, and as such it requires standard WindowsNT based logon. All PPTP clients must provide a user name and password. Therefore, remote access logon using a PC running under NT server or Workstation is as secure as logging on from a PC connected to a LAN (theoretically). Authentication of remote PPTP clients is done by using the same PPP authentication methods used for any RAS client dialing directly into an NT Server. Becuase of this, it fully supports MS-CHAP (Microsoft Challenge Handshake Authentication Protocol which uses the MD4 hash as well as earlier LAN Manager methods.) Access Control: After Authentication, all access to the private LAN continues to use existing NT based security structures. Access to resources on NTFS drives or to other network resources require the proper permissions, just as if you were connected directly to the LAN. Data Encryption: For data encryption, PPTP uses the RAS "shared-secret" encryption process. It is referred to as a shared-secret because both ends of the connection share the encryption key. Under Microsofts implementation of RAS, the shared secret is the user password (Other methods include public key encryption). PPTP uses the PPP encryption and PPP compression schemes. The CCP (Compression Control Protocol) is used to negotiate the encryption used. The username and password is available to the server and supplied by the client. An encryption key is generated using a hash of the password stored on both the client and server. The RSA RC4 standard is used to create this 40-bit (128-bit inside the US and Canada is available) session key based on the client password. This key is then used to encrypt and decrypt all data exchanged between the PPTP client and server. The data in PPP packets is encrypted. The PPP packet containing the block of encrypted data is then stuffed into a larger IP datagram for routing. PPTP Packet Filtering: Network security from intruders can be enhanced by enabling PPTP filtering on the PPTP server. When PPTP filtering is enabled, the PPTP server on the private network accepts and routes only PPTP packets. This prevents ALL other packet types from entering the network. PPTP traffic uses port 1723. PPTP and the Registry This following is a list of Windows NT Registry Keys where user defined PPTP information can be found: KEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASPPTPE\ Parameters\Configuration Values: AuthenticateIncomingCalls DataType = REG_WORD Range = 0 - 1 Default = 0 Set this value to 1 to force PPTP to accept calls only from IP addresses listed in the PeerClientIPAddresses registry value. If AuthenticateIncomingCalls is set to 1 and there are no addresses in PeerClientIPAddresses, the no clients will be able to connect. PeerClientIPAddresses DataType = REG_MULTI_SZ Range = The format is a valid IP address This parameter is a list of IP addresses the server will accept connections from. KEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\ Parameters\Tcpip Values: DontAddDefaultGateway DataType = REG_WORD Range = 0 - 1 Default = 1 When PPTP is installed, a default route is made for each LAN adapter. This parameter will disable the default route on the corporate LAN adapter. PPTPFiltering Key: MNOPdef]c]]]]]]]]]]]]]]]]^c]^]]]]]]]]]]]]]]]]]]]^c ]^] V]^c ]c ]^c ]c ]c]c]c]c ]^c 0VW~/0123GHIJKz{|,-UVfghig h i ¿]b]b]b]b]]b]b]]]]b]b]b]b]b]b]]]]]]]^c$]^]^]]]]^]^]^c]c]]]]]]]]]]]]]]]]]^]^c2 !!!!H!I!!!!!!!!!!!"""""3"4"5"6"##&&&&&&&&'''~{xu]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b.''A'B'w'x''''''''''( ( ( ( (L(M(((((&)'):);)<)N)O)P)Q)c)d)e)f)g)h)i))))))~{xu]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b.))****D*E*F******+ +P+Q++++++++++++++++/,0,1,r,s,t,,,,,,,,,~{xu]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b.,---Y-Z-[-f-g-h-i-w-x-y-z------.B.C.D.......///G/H/I/t/u/v/w////////~{xu]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b./000B0C0D0E0T0U0V0W00000000000516171x1y1z1111111;2<2=2]2^2_2`2a222222~{xu]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b.22333W3X3Y3333333444U4V4W4l4m4n4o4p4444444051525s5t5u5555555364656v6~{xu]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b.v6w6x6666667@7A7B7777777888F8G8H8888888 9 9R9S9T9|9}9~9999999999~{xu]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b.99999999999:::>:?:@:A:B:C:D:E:b:c:d:::::::::::<???EE/I0I1INIOIlI}{ywu]]]]]]V]]]]]]b]^b]^b]^b]^b ]^bc$]^b]^b]^b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b]b.lImIIIIIIIIIJJ#J$JBJCJaJbJJJJJJJJJJJKK:K;KYKZKxKyKKKKKKKKKLL2L3LQLRLpLqLLLLLL]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]8LLLL M M*M+MIMJMiMjMMMMMMMMM N N)N*NINJNiNjNNNNNNNNN O O)O*OIOJOiOjOOOOOOOOO P P)P*PIP]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]8IPJPiPjPPPPPPPPP Q Q)Q*QIQJQiQjQQQQQQQQQ R R)R*RIRJRiRjRRRRRRRRR S S)S*SISJSiSjSSSSSS]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]8SSSS T T+T,TLTMTmTnTTTTTTTTTUU3U4UTUUUuUvUUUUUUUUUVV;VX?X@XAXBXXXXX Z Z Z[[[{]|]}]L_M_N_aaabbbdddddddddU]U]U]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]^c$]^c$]^c$]^c$]^]]]]]]]]]]]]]]4dEfFfGfAgBgCgAhBhChhhhiiiVjWjXjkkklllmmmunvnwn{n|n}n~nnnnnnnnnnnnnnnnnnnoooo]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]8ooooooo.o/o=o>o@oAoBoCoDoEoSoTobocoeofogohoiojo{o|ooooooooooooooooooooooooooooo]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]8ooopppppp p ppp+p,p.p/p0p1p2p3pHpIpWpXpZp[p\p]p^p_pmpnp|p}ppppppppppppppppppppppp]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]8ppppppp q qqqqqqq,q-q;qq?q@qAqBqCq`qaqoqpqrqsqtquqvqwqqqqqqqqqqqqqqqqqqqqqqq]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]8qqrrrrrrr"r#r1r2r4r5r6r7r8r9rErFrTrUrWrXrYrZr[r\rhrirwrxrzr{r|r}r~rrrrrrrrrrrrrrrrrrrr]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]8rrrrrrrrrrrrrrrss s s sssssss(s)s1s2s3s5s6s7s8s9s:sLsMsUsVsWsYsZs[s]s^s_smsnsvswsxszs{s|s}s]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]8}s~sssssssssssssssssssssstttttttttt,t-t:t;t?bc]]]]]]]]]]]]]]]]]^]^]^]^]^]]]]]]^]]]]]]]]]]]]]]]]^]]]]]]]]]]]6cxy۬ܬ9:;ޮ߮ !"EFNOrst-.abkl]]]]]]]]]]]]]]]]]^]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]8ޱ߱'([\fgӲԲղ345DEFDEFLMqrs]]]]]]]]]]]U]U]U]]]]]]]]]]]]]]]]]]^]^]]]]]]]]]]]]]]]]]]]]]]]734ijk '()FGfg+,-GHwx?@bc]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]8789]^_`apqr#$HI012YZ#$;<]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]^c$]^c$]^]^]]]]]]]]]]]]6<lmn12[\!":;cdPQ]^()def]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]8./HIz{MN{|=>STU012:;<ABCD]^]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]2!:jk{|} $>NOPewo~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ efWwo~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 0123HIJK{|-Vgih i {vq~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ i !!I!!!!!""4"5"#&&&&''B'x'x''''' ( (M(((');)<)O)P)d)h))))**E**** +Q++++++++0,s,,,,,-Z-g-h-x-y---C.C.../H/u/v////0C0D0U0V0000061y111<2^2^2_2223X3334V4m4n44415t55546w666A77778G888 9S9}9~9999A:D:c:d::::::::~ ~ ~ ~ ~ ::??0I1IOImIIIIIJ$JCJbJJJJwo~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ JJJK;KZKyKKKKKL3LRLqLLLLLwo~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ L M+MJMjMMMMM N*NJNjNNNNN O*Owo~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ *OJOjOOOOO P*PJPjPPPPP Q*QJQjQwo~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ jQQQQQ R*RJRjRRRRR S*SJSjSSSwo~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ SSS T,TMTnTTTTTU4UUUvUUUUUwo~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ UVTU12;<BCDz~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ !Dq!D#iK@Normala "A@"Default Paragraph Font@ FMicrosoft Word 6.0 Document MSWordDoc9q