2600 hacker quarterly volume 16 number 4 winter 1999-2000

Upload: kasi-xswl

Post on 03-Jun-2018


  • 8/11/2019 2600 Hacker Quarterly Volume 16 Number 4 Winter 1999-2000

    "Hacking can get you in a whole lot more trouble than you think and is a completely creepy thing to do." - web page aimed at kids to discourage hacking

    Editor-In-Chief: Emmanuel Goldstein

    Layout and Design: shapeSHIFTER

    Cover Design: snc, The Chopping Block Inc.

    Office Manager: Tampr

    Writers: Bernie S., Bils, Bue ha, Noam Chomski, Eric Corley, Dr Deam, Dreal, Nathan Dorman, John Drake, Pa Este, Mr. French, Thomas Icom, Joe630, Kingpin, M., Kevin Mitnick, The Prophet, David Ruderman, Seraf, Silent Switchman, Scott Skinner, Mr. Upsetter

    Webmasters: K erv Macki

    Network Operations: .z

    2600 (ISSN 749385) is published quarterly by 2600 Enterprises Inc., 7 S ng s Lane, Setauket, NY 733.

    Second class postage permit paid at Setauket, New York.

    POSTMASTER: Send address changes to P.O. Box 752, Middle Island, NY 1193072.

    Copyright (c) 99 2600 Enterprises Inc. Yearly subscription: U.S. and Canada - $18 individual, $50 corporate (U.S. funds). Overseas - $26 individual, $6 corporate. Back issues available for 1984-1998 at $20 per year, $2 per year overseas. Individual issues available from 1988 on at $ each, $6.25 each overseas.

    ADDRESS ALL


    Violence, Vandals, Victims


    The following is described for the purposes of education. I'm aware this procedure could be and has been used to circumvent the security of any Windows NT machine which the user has physical access to. I do not condone the use of this information for illegal purposes, nor am I responsible for anything stupid anyone does with this information. NTFS support in Linux is still Beta; reading and copying from the drive is safe, but copying to the drive is an "at your own risk" deal.

    One of the many misconceptions about Windows NT is that it's a secure operating system and that by formatting a disk with NTFS and properly setting permissions, nobody can access the information on that disk without permission to do so.

    There are two problems with this theory. First, it is Second, all it really does is make crash recovery more difficult. I will describe a method for circumventing NTFS security: using a Linux boot disk. This can be useful in many ways. From the system administrator's view, this is an excellent way to get access to important files on a system that has crashed before formatting the hard drive and reinstalling NT. From the hacker's view, it gives access to the system files. He would not normally have access to the registry, user profiles, PST files, etc.

    In order to accomplish this you will files on the 062 boot disk. Follow the instructions for unzipping and making the boot disk and the data disk. If you can't get this far, you have no business doing this in the first place.

    When this is done, copy ntfs.o to the boot disk, edit the Modules file, add the line "ntfs" to it (no quotes), and save the file. At this point it is best if you boot the disk a few times, first to test it and second to get familiar with what will happen and how Trinux will respond to commands given it. This way there are no surprises.

    Now take the two floppies to the machine you want to access. Boot the first disk. When it asks if you have a data disk, put in the second disk and type "y" then hit return. It will then ask you again. Type "n" and hit return.

    When it is finished booting, you will have a "Trinux 061" prompt. Type "insmod ntfs.o" - this loads the NTFS support. Type "mount -t ntfs /dev/hda1 /mnt" - this will mount the first partition on the first hard drive. This assumes the first partition on the first hard drive is an NTFS partition. If not, the following table will give you an idea of how to mount the proper drive.

    These are for IDE drives:

    /dev/hda1
    /dev/hda2 - second partition on the first drive
    /dev/hdb1 - first partition on the second hard drive


    Microsoft Networking


    m

    *

    *SM

    *SMSERVER

    $

    C:\>net use i: \\[ip address]\[share name]

    N :

    t

    U s"

    bb

    b f;d

    t de"t

    dNAT (etwork Adi Tool

    LphtCrack N

    AGENT S T

    Passord Crac

    A

    N

    t b


    ing. So before you devise a vie p pu DOS

    6.22 d dosboo.exe ono yor , d

    chge e boo.ini, ook d fr bc copiesof._ 's no of o d old copy insom e "C:\win\pdcpair.

    , if you pfer o crack passwords wih you' have o conver e he o a U passwde (c d pase e ashes.

    Fe coses ing a hcker c do o teneng o

    T machine is conecing via F. The pb-em is jus because acco exis on e

    machine doesn' me t i's aowed FT ac-cess. So g e pssword ses, cck em, and

    o em al.If e sy inks e's sm, e' nme e

    Adminiaor (roo accoun. Eier way, if you

    crack e pswor, you' ave FTP access wi

    sraive prvieges. You c now dec web

    pages, ge more paswors for oer compuers on

    e newo upoad js, Here's a ick:copy e Even Vewer prgm o a shd direc-

    to, ten e ew o . You now have access o

    a logs on a machine.

    Elte Taccs

    Okay, e's pend you have access. The pb-

    em is, you c' execue ps or do anyingese 's y The swer a j. e onet alows you compee lesysem access, aowsfor hos of your e comper, d es

    you open d ki tivewindows (eBus does a

    DOS EDIT edi e du.h or index.h

    e. Oheise, you c aways use o up-

    oad your e. esce d Ine Expor boave cins o upoad h es ia H jus

    use e user nmes d pswords you cracked.

    eork sniers c aso be pu no pace. ph-

    Crack comes wi acke C, a decensnier. Seh e ne for oer Ehee, or To-

    ken Rin sniers. Te poin ere is t if e iseve one dows 9.x machne on the neto i

    sds ceex ASCI passwos w aueni-

    cang, so a sner wi aways cach em.

    Ter aso a uge varie of expois for .e ck is weedng uh e DoS spois d

    e oca ones. One remo exoiisack.eseishack.s (www.eeye.com heorei-

    cay wi upoad y e (in yor , a ojrigh tugh S's H daemon. IS shps wi

    mos T Seer ces, d comes wi one of

    e eier sce pcs. Even if e machine n

    quesion sn' a web seer, i pbably as l S i-staed. One popu web eer or is WebSieP whch a ulnbi in is paged Cexecuables. Specical ly, uploader.exe alows you

    o upoad es o e compuer wiou ass-

    wos.

    ow, when I said h you c' og on o Teer over he Inee, ws piay wg.

    e ony way o log in N nework is o be amember of he domn. So you' ave o me

    yor compuer a member. How? Hack e PC


    The most prevalent information on telephone counter-surveillance has been floating around for at least 15 years. Short the pair at the demark and measure resistance. Open the pair at the demark and measure the resistance. Abnormally high or low resistances indicate a phone tap. Forrest Ranger wrote about it in text files, M.L. Shannon and Paul Brookes included it in their books, and an untold number of phone phreaks have employed this technique. Despite its popularity, the technique has its shortcomings: it fails to detect devices installed in the outside plant, split pairs are undetected, and transmitters built into the phone are not tested for.

    What you'll need:

    1) Access to a local DATU.

    2) A multimeter with high impedance scales (several meters that measure into the gigaohm range are available) and a capacitance meter.

    3) An induction probe.

    4) A frequency counter or near field detector.

    5) Something that makes continuous noise, like a tape player.

    Ancillary tools (screwdrivers a can

    prone to normal R leakage.) Next, measure the capacitance of the line, dividing the value by .83 (the average mutual capacitance for a mile of phone line). This is roughly the length of your line. Write it down, you'll need it later. Remember that .83 is an average value, which can range from 7 to .90 depending on line conditions. To get a more accurate measurement you can fine tune your figure by comparing capacitance measurements on a section of plant cable of a known length, or use a TR.

    Disconnect all the phones from the line you want to test. Go to your demark and disconnect your pair on the customer access side. Short the pair and measure the resistance of the line from the farthest jack with the meter set to its lowest scale. Reverse the polarity of the meter and measure again. If either resistance is more than a few ohms, it would suggest a series device wired into the line somewhere on your property. Now return to your demark, open the pair, and cover the ends in electrical tape. Measure the resistance of the pair with the meter set to its highest scale. A less than infinite resistance would suggest a device wired in parallel to your line.


    don't necessarily) suggest something wired in series with the line. This measurement may be supplemented by either a resistance to ground measurement of both sides of the pair and a capacitance balance test or a voltage measurement. A resistive imbalance of more than 10 ohms or a noticeable drop in off-hook voltage calls for further inspection.

    Wire Gauge    Loaded Pair    Unloaded Pair
    2             83             83
    2             52             51
    2             33.7           329
    1             1              1610

    To test for parallel devices in the outside plant, open the line with the DATU and repeat the parallel test as described above.

    Testing for telephone hook-switch compromises requires an induction probe. Reconnect your pair at the demark and plug all your phones back in. Turn your tape player back on and put it near your phone. Now probe all the lines coming through your demark point. If you hear the tape player through the probe, your phone's hook switch has been compromised.

    Checking for splits on your line requires an induction probe and access to a plant wiring cabinet. Add a tone to either lead of your pair with the DATU. Probe all the conductors in the binder pair, listening for the trace tone. If you hear the tone on more than two leads (the ones connected to the line you're checking), your line has been split. This can be either a bad splicing job or someone intentionally hooking a pair up to your line.

    If any of the above tests suggests that there is something on your line, remember that there are plenty of innocent reasons a test could turn up positive, so a detailed physical search is in order. Disassembling the phone in question and comparing the innards to a schematic would be a wise idea at this point. Take the covers off your phone jacks, dig around in your demark point, peek inside wiring cabinets if you can, and so on. There are some places that are likely out of your reach, but keep in mind that they're likely out of reach to many wiretappers as well.


    The Tool of the New e

    MMXMost of is cle is ondensed m e

    adiison manu. But honest wi yourself -

    fo cicizing me f "sing s cle. When whe last me yucled Hs d SEd it out of em?

    Huh? Didn't ti k so bitch.Te Hs Dit Access Test Unit Remo i

    nal exnds e eld technician's testing capiies of

    subscrir lines
