Current issue : #51 | Release date : 1997-09-01 | Editor : route
---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 02 of 17

-------------------------[  P H R A C K     51     L O O P B A C K

--------[  Phrack Staff

Issue 50 proves that Phrack _is_ back, and better than ever.
Congratulations to you and the rest of the Phrack staff for putting
together what I think is by far the most informative issue to date.  The
quality of the articles and code (YES! Lots of code!) reflects the hard
work and commitment that obviously went in to this issue.  I could go on,
but I'm all out of lip balm.

Thank you!

    [ Thank you.  We aim to please. ]


    { ...Bugtraq Phrack 50 announcement deleted... }

So What?
Who cares? Get this crap off of the mailing list.
phrack is as much trash as 2600 or any other 
little idiot magazine.

    [ Thank you.  We aim to please. ]


juggernaut is way cool, man.

minor bug: you don't unset IFF_PROMISC on exit, so it's not terribly stealthy,
but it's no big deal to fix. 

anyway. cool.


    [ Although Juggernaut is *not* meant to be a 'covert' program you are 
    completely right about that.  I should unset promiscuous mode when the 
    program exits.  In fact, in version 1.2 (patchfile available in this
    issue) I include this very thing. ]


 I've got the p50.tgz and well, played a little with juggernaut.
It's really cool but:
	1) It doesn't compile so clean. You've forgotten to #include
<linux/netdevice.h> before <linux/if_arp.h>
 	2) The spy connection part is not quite cool because you 
sniff and dump all the stuff that is coming from the dest. port 
and dest. host ...
 So if U try 2 spy say: [4000] [23]
U spy in fact all the stuff that is coming from [23] for
ALL the conn. made to on the 23 (telnet) port.
 This will cause a cool mess on the screen.
I've tried 2 restrict the spying by introducing a new cond.
iphp->daddr==target->saddr in net.c ... it broke the spy routine

Maybe U'll fix somehow that thing..

All my best regards,
	Sandu Mihai

    [ <linux/if_arp.h> includes <linux/netdevice.h>.  The compilation of the
    program should go smoothly on any linux 2.0.x based system.  Version 1.2 
    also fixes the TCP circuit isolation problem you allude to... ] 



This is a very impressive tool! Brilliant work!

Thank you,


    [ Thank you. ] 


I'm just writing this to say thanx for putting out such a kickass publication.
Down here in 514 it's fuckin dead, you mention hacking and half the people
don't have a clue what Unix is. It's fuckin pathetic, but i'm glad to say
that your mag has helped a lot and i look forward to future issues, you guys 
really do make a difference in the hacking community.  Thanx.  

Snake Eyes 

    [ Amen to that. ]


Hi! =8)

Why don't you (at Phrack) compile an updated Pro-Phile on known H/P
Groups like the one on issue #6 ?
So we - the readers - can know something more about the ACTUAL scene
(but perhaps it's not worth - ppl's sick of all that 3l33t d00dz ;)

I really appreciated that dox & srcs on spoofing, D.O.S., etc.
HIGH technical quality, sources, articles, news.... and it's free! :P
Ahh that's life! ;)

However, great job with the latest Phrack issues.
To quote a friend of mine (talking of Phrack Magazine)...

> It's improved a lot with Deamon9 in command....

K, that's all.
**PHRACK RULEZ!** (I had to say that :)
Oh... and sorry for my english!



    [ Not a bad idea.  Perhaps someone would like to do an article on
    the existing groups out there for P52? ]


I would like to know what you suggest to get me headed in the right
direction regarding the compromise of computers on the internet.
any information that you would be able to spare would be most appreciated.

    [ It's *all* about compromise.  It's something you have to do.  Be fair to 
    them.  Listen to them.  Don't shut them out of your life.  They are 
    wonderful creatures...  It's a give and take thing and sometimes, yes, you 
    *have* to compromise -- that's part of having a mature relationship. ]


I recently locked into my car so i called a friend to come help me 
when the slim jim was no help he decided to try another less known

We simply took a stiff metal coat hanger and straightened it out and
made a small loop in it then we took a small speaker wire about 3 feet
long and tied a loop into one end so it would slide to make the loop 
smaller or larger.

Then you take the wire and run it in through the loop in the hanger
and pry the top edge of the car door open and slide both looped ends
through holding onto the unlooped ends.
then you use the hanger to position the loop in the speaker wire
around the door lock once you have the loop into position you hold
the hanger steady and gradually pull the loop tight around the lock 
once the loop is tight you just pull up on the hanger.

This works on most all vehicles with top door locks and with a little 
prep. and practice can be done in under 2 mins. also its less 
conspicuous and easier to get than a slim jim. and they are cheap 
so no one cares to toss them out after breaking into an entire lot of cars.

Hope you found this phile worth while
The Stony Pony

    [ Aspiring young car thieves among us thank you; however if you
      lock yourself in the car again, you might try unlocking the door
      manually. ] 


                           By [Xtreme]

I just wrote this to tell all you try hard hackers something.

1) You goto other hacker pages on the web.
2) You think loading a program that waz made by a hacker is hacking.
3) The only thing you do is get the latest passwd file from your isp.
4) You goto channels like #hack and ask for passwd files.
5) You don't know where to get warez.
6) You always telnet to hosts and type

login: root
password: root

and stuff like that.

7) You brag about how you are a hacker.
8) You don't know C.
9) You're a girl.
10) You don't know what's a shell.
11) You don't know what Linux, FreeBSD and all those other UNIX's are.
12) You don't have a UNIX OS.
13) You think when using IRC war scripts, you're hacking.
14) Asking how to hack other people's computer.
15) You try cracking a shadowed passwd file.
16) You don't know if a passwd file is shadowed or not.
17) You ask what is a T1.
18) You ask how to email bomb and you think email bombing is a form of hacking.
19) You're learning BASIC language.
20) You think you can get into hacking straight away.
21) You don't know how to set up an eggdrop bot.
22) You think .mil sites stand for a country.

    [ That is without a doubt, the dumbest thing I have ever read in my life.
    Not only do I award you no points, but we are all now dumber having read 
    that.  May God have mercy on your soul. ]


What command do I use to make you denial of service package work?

    [ You hit yourself in the head with a hammer. ]


I was scanning the 413 xxx 99XX range and I found some #'s.  I have
no idea what they do.  I was wondering if you could help me out.
Maybe call them and see what you find or something.

(413) xxx-99xx
(413) xxx-99xx
(413) xxx-99xx		These are all fax #s, I think
(413) xxx-99xx

(413) xxx-99xx		goes beep beep beep

(413) xxx-99xx		goes beeeep

(413) xxx-99xx		auto forward I think

(413) xxx-99xx 		goes beeep beeep

    [ I tried calling these but I got no answer.  Maybe the 'X' on my phone
      is case sensitive? ]


I would like to know how could I get root permission from a simple user.
I have read that this can be accomplished by setuid programs, and I have read
an article describing the way this can be done in Phrack Magazine. Still I
couldn't gain root access. I would be very interested in finding ways of doing
this on Irix 5.2 or Solaris 2.5. If you know anything about this, please 
send me an e-mail. If you know any resources on the Web that details the use
of setuid programs in order to get root access, please tell me.

    [ P49-14 ]



Mich, not Mitch.  "Mich" is short for "Michel."

M. E. Kabay, PhD, CISSP (Kirkland, QC)
Director of Education
National Computer Security Association (Carlisle, PA)

    [ No, Mike is short for Michael. ]


Your zine is the best
Please send it to Psycho Al1@aol.com
The Psychotic Monk

PS:Aohell rulez

    [ You are an idiot. ]


Hi, Phrack people!

Great job on issue 50! Nice magazine. Article 'bout TTY hijacking is really 

I have just one question for you. Are there any holes on the target system in this
situation? There's a server, running freeBSD 2.1.5, with shadowed passwords.
I've got a dial-up account on that machine as a simple user. What bugs can I 
use for having root privileges?

Best wishes from Ukraine!!                                         OmegA

    [ find / -perm -4000 -print ]


hello... long-time reader, first-time writer:

	i know that all "submissions" are to be encrypted... and i should be
	encrypting anyways, but i'll make it quick ... besides, this isn't
	really a "submission..."

	congrats on reaching the 50th issue mark, and congrats on an
	excellent ish!

	i just have a quick question.  i would like to reprint the <soapbox>
	for issue #50 on my web page, with a hypertext link to the
	Official Phrack Homepage (http://www.fc.net/phrack/ - correct?).
	I think it brings up some important points, and since it's
	copyrighted, and you aren't losers, i'd ask you (it's not like a
	simple copyright has stopped anyone before)!


    [ A simple copyright may not stop people, but the simple restitution
    remanded by courts might.  However, go ahead and put a hypertext link.  
    The official webpage will be at phrack.com/net/org, SOON. ]


     In Volume Four, Issue Forty-One, File 3 of 13, Supernigger was featured
in your Phrack Pro-Phile.  Whatever happened to him?  Did he "grow up and
get a real job" or is he still lurking around?

     - Styx

    [ Both. ]


People @ Phrack:

 In Phrack #50 in the file 'Linenoize' Khelbin wrote an article about remote
BBS hacking, namely using Renegade's default 'PKUNZIP -do' command overwrite
the userbase with your own ...

For some strange reason, while renegade is booted, and if it runs PKUNZIP -do
the procedure will NOT work... but the procedure DOES work when Renegade is
down at the Dos Prompt..?

Does Renegade extract files into memory or something while testing for
integrity? -8) .. I tried this out on 10-04, 5-11 and even
04-whatever-the-fuck-that-version-was and it didn't work.. I think Khelbin
needs help for his chronic crack addiction since I can't find any way possible
to get his article to work..

op: Taos BBS

~~~ Telegard v3.02

    [ We dunno.  Anyone else have an answer? ]


Regarding Xarthons submission about Linux IP_MASQ in Phrack 50...

The masquerading code is not designed for security. Hardwiring RFC1918
addresses into the IP_MASQ code is not a clever idea for two reasons:

1) It diminishes the usefulness of the code. I have used masquerading to
keep things running when my company changed internet providers. I
masqueraded our old _valid_ IP range. Other people may come up with
other valid uses, like providing redundancy through two ISPs.
2) The masquerading code is part of the Linux packet filter, which can
certainly be configured to prevent spoofing, and quite a bit more.

If the static packet filter and the masquerading code are used together
they can provide as much security as a 'dynamic' filtering firewall like
Firewall-1 in many cases. A very short 'HOW-TO':

1) Put spoofing filters on all interfaces. Only allow incoming packets
to the external interface if the destination address is that of the
external interface (that's the address the masquerading code inserts as the
source address of outgoing packets).

2) Insert rule(s) in the forwarding filter to masquerade your outgoing
packets. You do not need to route incoming replies to masqueraded
packets, that happens auto-magically. Deny everything else (and _log_).

3) Make sure the gateway does not run anything that leaves you
vulnerable. Don't run NFS, the portmapper etc. Update sendmail and bind to
the latest versions if you run them.

4) Disable telnet, and use 'ssh' for maintenance. If you must support
incoming telnet connections through the firewall install the TIS firewall
toolkit, and use one-time passwords.

5) Run 'COPS', 'Tripwire'.

6) Read a good book about Internet security, and make sure you
understand all the issues involved before you configure _any_ firewall,
even one with a GUI and a drool-proof manual.

I hope this is useful to some people.  

Ge' Weijers (speaking for myself only) 
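One way to write up steps 1 and 2 of the HOW-TO above as an ipfwadm ruleset for a Linux 2.0.x gateway. This is an added example, not part of the letter and not Phrack code: the interface names eth0/eth1 and the addresses 192.0.2.10 and 192.168.1.0/24 are assumed placeholders, and the script loads nothing unless it is invoked with `apply` (set IPFWADM=echo to print the rules instead).

```shell
#!/bin/sh
# Added example: ipfwadm ruleset for a Linux 2.0.x masquerading gateway,
# following the anti-spoofing (step 1) and masquerading (step 2) advice
# above. Interface names and addresses below are assumed placeholders.

EXT_IF="eth0"               # assumed: interface facing the ISP
EXT_ADDR="192.0.2.10"       # assumed: the gateway's external address
INT_IF="eth1"               # assumed: interface facing the LAN
INT_NET="192.168.1.0/24"    # assumed: the masqueraded LAN (RFC 1918 space)

apply_rules() {
    fw="${IPFWADM:-ipfwadm}"   # IPFWADM=echo gives a dry run

    # Flush all chains and make deny the default for input and forwarding,
    # so anything not matched by an explicit rule below is dropped.
    "$fw" -I -f
    "$fw" -O -f
    "$fw" -F -f
    "$fw" -I -p deny
    "$fw" -O -p accept
    "$fw" -F -p deny

    # Step 1, external side: packets claiming a LAN or loopback source can
    # never legitimately arrive from the ISP; deny them and log (-o).
    "$fw" -I -a deny -W "$EXT_IF" -S "$INT_NET" -o
    "$fw" -I -a deny -W "$EXT_IF" -S 127.0.0.0/8 -o
    # Accept external traffic only when it is addressed to the external
    # interface itself, which is the source address the masquerading code
    # writes into outgoing packets, so replies land here too.
    "$fw" -I -a accept -W "$EXT_IF" -D "$EXT_ADDR"

    # Step 1, internal side: only LAN sources may enter via the LAN interface.
    "$fw" -I -a accept -W "$INT_IF" -S "$INT_NET"

    # Whatever is left on either interface is logged before the deny policy.
    "$fw" -I -a deny -o

    # Step 2: masquerade LAN traffic leaving through the external interface.
    # Replies to masqueraded packets are handled by the kernel, so no
    # forwarding rule is needed for them; everything else is logged and denied.
    "$fw" -F -a masquerade -W "$EXT_IF" -S "$INT_NET" -D 0.0.0.0/0
    "$fw" -F -a deny -o
}

# Load the rules only when explicitly asked: `sh masq-fw.sh apply`.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

The ordering matters: the two spoofing denies sit before the accept for the external address, so a forged packet claiming a LAN source is logged and dropped even if it is addressed to the gateway, and the trailing `-o` catch-alls give the log entries step 2 asks for without loosening the deny policy.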


You write in P49-06:

  ...  The only sure way to destroy this
  channel is to deny ALL ICMP_ECHO traffic into your network.

No.  It suffices to clear the content of the packets
when passing the firewall.


    [ True enough.  However, by doing this you remove the RTT info from
    the ICMP echos which will break some implementations which rely on it. ]


Hi, Im a Wannabe, maybe you would call me an idiot.
Where do you guys hang out, IRC? Which channel, #supreme? Which server?
Know any good trix for me how to learn more about hacking?

Please answer my letter, I know that you get lots of letters, but

    [ EFNet, #phrack ]


You can't really say that IRC is for losers cuz in Phrack 50 I saw an
article with some text taken from IRC, and you were logged in.

    [ We are losers.  Ergo, yes we can. ]

Which good hack books, UNIX books or things like that do you recommend.

Thank You For An Answer!!

    [ Anything Addison Wesley or ORA.  Also, many of the PTR/PH books. ]


I am writing to inquire about the fate of Pirate Magazine
and how I might contact its creators. It seems to have been out of
circulation since 1990 and I was hoping to look at possibly organizing
some kind of initiative to revive this excellent publication. I thought
first to turn to Phrack magazine. Thanx for your time.

Joong Gun

    [ Anyone have any information? ]



            I just got Phrack 50 and loved it....It is the first one I've
got. I was wondering if you guys know about any other newsletters or
magazines that are sent to your e-mail address or you can get off the web on
a regular basis, like Phrack. thanX

    [ Other magazines come and go on a pretty regular basis.  Phrack is
    eternal. Phrack is all you need. ]


Please help me.  If I can't join your club, please let me learn from you.  I
am interested in both Program hacking and remote access.



    [ You join our club if you can find our secret clubhouse. ]


hi. This is from a guy you probably will never hear of again, and
definitely have never heard of already. I wanna ask you a question. At
my school, people write crap on their backpacks with witeout. I have
never done this for 2 reasons

1) I don't wanna be grouped with the poseur metalheads, etc who write
"Pantera" and "666" and "Satan" etc but cannot name a song of theirs,
and/or go to church....

2) I don't wanna be grouped with the wanna be hackers who write stuff
like Anarchy symbols, "Aohell" "Kaboom" and the such, because that's just
plain lame. You have to feel sorry for people who think they are elite
because they can mailbomb somebody.

Another reason I have never written anything is I haven't found anything
worth advertising. Now i have, I wanna write "The guild" or something to
that extent maybe "r00t" or something. I have not done this for i do
not want to piss you off (indirectly something may get to you about it.
It could happen, remember the 6 degrees of separation? hehehe). If this
is ok with you, lemme know please. (cad@traveller.com) Also, if you're
wondering why im mailing this to you alone,  it is because you are a
fucking badass. heh. Well, lemme know whenever ok? thanks.

(I know i have an absence of punctuation, i'm in a hurry and I have

    [ You have our permission to write r00t on your backpack. ] 


yes i want to learn how to hack and need to learn fast
Js444 told me you can help
will repay BIG
    [  How big?  ]


I sent this from your home page...is it X-UIDL?  I dunno, it's 4 AM

um oh, keep in mind that ur response (if made) to this may be dumped to
#hack printed in the next Citadel knockoff or whatever

I was just like thinking oh, I was thinking "I don't have an Irix
sniffer!"...actually my thoughts don't have quotes around them it was
more like

~o- all the Irix sniffers I have suck -o~

and then theres like Irix 4, 5, 6.  Bah.  And like sniffit sucks and
anyway.  And then I mentioned this and people were making fun of me, but
I don't care.  I only care lately when people are like, "Oh that's what
you make?  I'm 17, have a criminal record and make three times that!". 
Anyway, people are like, "No, no nirva is elite" so I thought, aha, I'll
ask nirva what a good Irix sniffer is.  Oh, like now that people are
laughing at that I have to keep this quest like secret.  I even think
some Irix's don't have compile, like Solaris.  Christ, some Solaris's
have jack shit.  Anyway.

1) Why don't u log on #hack, or are you tres elite #!guild or beyond
elite #www or #root #Twilight_Zone and more importantly

2) Irix sniffer - captures passwords, actually compiles.  I hate
coding.  I am a a lazy American.  And like, getting legit root access on
an Irix...bvah, Irix sniffer!

Bye-bye hackers

oh PostScript

3) Are you a cyberpunk?

If I ran Phrack I wouldn't like Mr. Tishler have "Are hackers in general
geeks?" as the question _everyone_ gets, I think, Are you a cyberpunk? 
Would be it

    [ 1.  We do hang out on as many public channels as we can stand for
          at least a little bit of time each issue.  But really why do
          you care if an editor of Phrack is there when people are shouting
          about their penis size and how many drugs they are on?  If you
          want to talk about something, we are always available by e-mail
          and will usually talk to you by private msgs if we aren't busy
          doing something else at the moment.  
      2.  Anyone want to write us a really cool one?
      3.  Who are we to change tradition? ]



I wanna ask you something about the following problem. I'm really stuck (the 
1st time ;-)) ! Is it possible to pass a firewall and access one of the 
domains behind it ??  I'm afraid that the sysadmins did their job fine :( 
I've got everything I need but that damn  wall....I'll give you some info 
that I've obtained so far:

- IP-address of the firewall,
- All the domains + IP addresses behind this wall,
- The login-account of the superuser,
- All the open-UNIX ports behind the wall,
- The company has no WWW-site but they do have an Intranet.

portscanning gives me this: 
25~=smtp-mail 220 x.x.x.x SMTP/smap Ready.

This is at IP x.x.x.2 but I found out that also x.x.x.1 belongs to the same 
company with 3 other ports...
9~=discard-sink null

Is the only way to go by D.O.S. attack the firewall and then spoof the 
firewall's IP address ?

But how to start ?? Would u be so kind to help me ??


    [ fragmentation. ]


Ok, this might sound dumb , but, I think it would be cool to have this as a

"Blah, blah, blah, and along with your subscription, you'll receive a
LIFETIME WARRANTY ON YOUR BRAIN!!  That is, if for any reason your brain
can't figure out a problem you're having hacking, just e-mail us with your
question and we'll be glad to help you out. Note: Please PGP encrypt all
questions regarding hacking questions. Thank you."

Do you like it? Note that blah, blah, blah is whatever you would like it to be.
Such as, "You can subscribe to Phrack Magazine by sending e-mail to
Phrackedit@infonexus.com requesting you be put on the list, and along with
your subscription......" 

Ok, thats it....write back if you like it....or if you don't. Here is my PGP
public key.
Oh yeah...you might have gotten mail from PhatTode@aol.com. That is me. So
direct replies to those messages to this new address...Thank you.

    [ You're right.  It does sound dumb. ]


   sorry to bother you but I just got Redhat Linux 4.1 in the mail.  I
think it's great besides the fact that I hear that it lacks security. 
How do I get PGP up in it?  Is it easy to install?  Thanks.

Killer Bee
    [ yes, very easy to install.  Read the documentation.  It's different 
    for different platforms.  ]



	My name is Joseph and I am interested in any information you may have
about the early days of hacking and current hacking underground.. also
I understand you are a member of the guild ?? what is this?

Joseph --> jgriffiths@iname.com

    [ The guild is like what r00t was before r00t got all famous and became 
    greatly feared and admired.  Oh.  And we spend most of our time counting
    our millions and having sex with models. ]


Hi there,

Do you know where I can find the Rosetta stone for interpreting the output
of Solaris  lockd & statd in debug mode?  I can't find any public information
about it, even on Sun sites.  Sun Microsystem refuses to let their lab
publish anything about interpretation of system calls outputs.  Are they
afraid that they will be losing support contracts if this information gets
out?  The man page does not include arguments to run in debug mode, and
what's the point of providing the tools w/o the means to interpret the
result?  Teach a man how to fish .....you know.



    [ Someone want to write an article on it? ]


In regards to the article on Ethernet spoofing:

As an aside note for the highly paranoid:  ethernet spoofing

Note: some of this is theorized, and might not be 100% accurate - if you
get the gist of it, you should be able to figure out if it works for

It is possible to spoof ethernet hardware addresses as well.  Some cards
will allow you to do this easily, but you need to have card programming
docs (check the Linux kernel source for your card driver-!!).  Others
won't let you do it at all, and require a ROM change, or worse it might
be solid state logic on the card - EVIL.  Course you might be able to
get around solid state stuff by recoding the ROM, but I wouldn't
recommend it unless you don't have the $70 to buy a new card, and have a
month or two to spend in the basement.

	... rest of stuff(tm) deleted ...

Interestingly enough, most of the Sun sparc stations I've seen allow you to
enter in any mac address that you want using ifconfig(1M).  I "know someone"
who picked up a Sparc IPC for $50 (Can $$) and upon discovering that the
battery that powers the IDPROM was deceased, we needed to fake a mac address
to get it to talk to someone.  Sun's default is 0:0:0:0:0:0 but the 3Com
card's mac (from a different network) worked quite nicely.

Interesting concept the author has though, I'll f*ck around with the idea
when I'm supposedly doing work =)

    [ MAC address spoofing techniques are well known about, especially under
    Sparcs.  However, do some research, write some code and an article and 
    submit it... ]


I love your e-zine it is the coolest thing i've read.

    [ Thank you.  It's the coolest thing we've written. ]

Please could you tell me any ways to violate the security of a "MacAdmin"
based system on the Apple Macintosh.

    [ What's a Macintosh? ]

Mark "Vombat" Brown

May phrack and Fiona live forever!

    [ ...and may Phrack and Fiona do a joint project some time soon... ]


	Hey, I sent this to you because yer handle is shorter.
Anyways, great job on issue 50, always a pleasure to read it, and
in article 12, by Sideshow Bob, I was wondering about the "tail"
command. I don't seem to have this nifty util, and was wondering 
if perchance, you knew where I could get a copy. Also: the Skytel 
article sorta looked like an advertisement to me. Nothing against that, it's
still pretty interesting to learn of Skytel's history, and of the nifty things
out there, but I was wondering if it sounded like a detailed ad to anyone else.
But if you could help me out with the tail command, I'd be so grateful.
			Joel Thomas

    [ Standard GNU utility.  Try your local unix box. ]


| G'day mate, 
| I am a computer user in Camplong, Timor.  I have limited internet access, as
| it is a long distance phone call from home.  I have downloaded your issues
| 46-50 and haven't read through them all yet, but what I see looks good.  
| What I need from you is a UUENCODER program so I can extract the included
| files. 

    [  Standard GNU shell tool.  Any Unix host will have it.  Do a websearch   
    to get it for Windows.  ]

| I am also confused on how to extract the .c files from the text
| files(philes?). 

    [  As it says in the header file: gcc -o extract extract.c  

    then `extract filename`  ]

| I am not a C programmer, but my dad is.  

    [  That's nice. ]

| I need PGP.  Although my side of the internet is safe, no one reading others
| letters (the sysop is too dumb or something to even think about that) I want
| my mail to get where it is going in one piece unread. Where can I find a
| free copy of PGP?  

    [  Do a websearch.  ]


.. crack me up. Excellent social porno in your reader's letters section.
Keep on commenting. Might start screaming soon.

Um, the guy from slovakia might want to get hold of Bill Squire for
information on smartcard programmers; as I seem to recall, he likes
messing with these electronic devices.

Another thing; I thought DC was now just sticking to his viola? According
to all the news he only started hacking because someone vandalized it? 
Wonder if I should have used the same thing in my case: "I plead not
guilty, Magistrate sir, but the University's good-for-nothing courses
drove me to it." Whatever it takes, I guess.. 




This is a response to p48-02 in which one "Mr. Sandman" proceeded to spew
out eleven paragraphs of blatant misinformation. Rather than lumbering
through a point-by-point rebuttal to his letter, I will quickly summarize
what was wrong with it, and then state a few facts to clarify some things.

KoV never touched Skidmore. This is something that anyone who was in the
group will attest to. And not just to follow the old "admit nothing, deny
everything" plan. In reality, we NEVER touched it.

In retrospect, I find it very odd that someone from New York would claim
to know so much about the inner workings of a decidedly regional
[Connecticut] hacker collective. While we weren't exactly xenophobic, we
certainly didn't go out of our way to divulge information about ourselves
to anyone outside the group (or the state, for that matter). This would
explain why Mr. Sandman's letter was riddled with insufferably laughable
lies that were obviously the product of a jealous and dejected outsider.

One thing that needs to be put to rest is that we were certainly not "a
bunch of egotistical and immature criminals" as Mr. Sandman would have you
believe. The primary focus of KoV's efforts was not to "break into
universities" or "make ourselves look bigger and more important than we
were." We existed, first and foremost, to unify what was, at that time, a
greatly divided scene. Squabbling and infighting among those few real
hackers who were still around was leading to a critical breakdown at the
fundamental level. Something had to be done, and fast. In an effort to
bring together a group of like-minded individuals (not only from the
hacker perspective but also in terms of anarcho-libertarian philosophy and
ideology), I started KoV with an intentionally humorous name behind the
acronym. It was an almost immediate success, and over time I certainly
accomplished all that I'd set out to do, and then some.

The current state of the "Connecticut hacker scene" (for lack of better
terminology) is much different than it was in the summer of 1994. People
are working together, cooperating, and the incessant "civil wars" which
plagued us back then are all but nonexistent today. I think I'd be well
within my rights to credit KoV with helping to assure that those problems
are now but a memory. It really bothers me when anonymous instigators like
Mr. Sandman attempt to dishonor all the work that we did to get this far,
without even really having a clue as to what we were (and are) all about.
Perhaps he and his ilk could benefit from such groups as KoV. Because no
matter how I feel about him and his actions...

        "The more we fight among ourselves,
                the less of a threat we are to the system."

- Valgamon
  Sat Jun 07 15:49:25 EDT 1997


What up.

Yo, Ima hack/phreak from back in the day (1984) 

My 1st bbs was on an atari with a floppy drive and 64k!

Nowadays, I do rap music and acting, live in Los angeles (im from western NY), 
and run 900#s and adult websites.

Check this out, I need two thangs:

#1: FTP space for adult pix (not really important, since my host gives me 
unlimited space), but I have no anonymous ftp capabilities)

#2: Windows NT or unix

Can you help??

Have broom (Music software) will travel (trade)

    [ We will trade you unix for a rap song about Phrack and a movie role 
      for route. ]


This is in reference to the first part of your " PGP Attack FAQ," which
addresses the length of time necessary to brute force IDEA. Perhaps I'm
overly paranoid (naw...) or just a perfectionist, but I would like to
point out two things about this:

1) Somewhat of an error in your math?
2) "As far as present technology is concerned."

"As we all know the keyspace of IDEA is 128-bits. In base 10 notation
that is:


To recover a particular key, one must, on average, search half the
keyspace. That is 127 bits:


If you had 1,000,000,000 machines that could try 1,000,000,000 keys/sec,
it would still take all these machines longer than the universe as we
know it has existed and then some, to find the key. IDEA, as far as
present technology is concerned, is not vulnerable to brute-force
attack, pure and simple. "

                Somewhat of an error in your math

OK, let's examine the math. For simplicity, let's say we only had one
machine that could try 1,000,000,000 keys/sec. The number of seconds it
would take for this machine to search half the keyspace, and thus find
the correct key would be
170,141,183,460,469,231,731,687,303,715,884,105,728 divided by
1,000,000,000. This would yield 170,141,183,460,000,000,000,000,000,000
seconds of maximum search time before finding the key. This in turn
would be 2,835,686,391,010,000,000,000,000,000 minutes =
47,261,439,850,100,000,000,000,000 hours =
1,969,226,660,420,000,000,000,000 days = 5,395,141,535,400,000,000,000
years = approximately 5.395 sextillion years. If there are 1,000,000,000
of these machines as you suggest, then the years required for a
successful brute force crack would be 5,395,141,535,400,000,000,000 /
1,000,000,000 = 5,395,141.5354. So, it comes down to: are you saying
that these 1,000,000,000 machines are acting as a collective entity or
can *each* one of these machines operate on 1,000,000,000 keys/sec and
thus operate together at a speed of (1,000,000,000) * (1,000,000,000) =
1,000,000,000,000,000,000 keys/sec. If the first is true, then you are
correct in saying that "it would still take all these machines longer
than the universe as we know it has existed and then some," as it would
take app. 5.395 sextillion years (scientists estimate that universal
redshift shows the universe to have existed thus far for only 15 billion
years). If the second is true, then it would take far less time than the
existence of the universe at app. 5.395 million years... which could be
compared to twice the amount of time human beings have existed on earth,
or just a fraction of the time dinosaurs were here.

    [ Hrm.  Take it up with Schneier. ]

                 "As far as present technology is concerned."

How far is present technology concerned?! The Intel/Sandia Teraflops
Supercomputer can reportedly perform 1.06 trillion floating point
operations per second (refer to 
http://www.intel.com/pressroom/archive/releases/cn121796.htm). Assuming

    [ Keep in mind that factoring and brute force key searches are 
    integer-based calculations, not floating point operations. ]

one of these "instructions" can operate on, let's say something around a
28th power float variable, then disregarding read/write operations, the
system can search at 1.06 trillion keys/sec. This yields a total search
time (before a successful "hit") of
170,141,183,460,469,231,731,687,303,715,884,105,728 / 1.06 trillion =
160,510,550,434,000,000,000,000,000 seconds = 5,089,756,165,470,000,000
years or 5.089 quintillion years... still a ridiculous amount of time
even on the fastest publicised system in existence. Now, this system,
the Intel/Sandia Teraflops Supercomputer is made up of 9,200 200 MHz
Pentium Pro processors. Being that they didn't have to buy them at
markup/retail and they manufacture them from scratch for their own
purposes, let's say it cost $500 per chip plus some negligible ram and
labor costs (how much ram do you need when you have a gig+ worth of
onboard cache, etc.). With 9,200 chips, the system would take about
$4,600,000 to build. A practical question: if federal taxation is 28% on
an annual income of $80,000, where does all the money go? Well, let's
say a Billion dollars per decade goes to the NSA to build whatever they
want.  If the 9,200 chip system cost $4,600,000 then a little algebra
reveals that with one billion dollars, the NSA could purchase
approximately 2 million 200 MHz pentium pros. If the 9200 chip system
did 1.06 trillion keys/sec, thus the 2 million chip system would be
capable of approximately 230,434,782,609,000 keys/sec or app. 230
trillion keys/sec. Now, say the NSA is smart enough not to buy crappy x86
chips and instead get 500 MHz DEC Alpha RISC chips. This is 300 MHz or 3
fifths faster than a 200 MHz Pentium Pro approximately. So 230 trillion
+ (230 trillion * 3/5) = 368,695,652,174,000 or 368 trillion keys/sec.
The original calculation yields that the successful search time would be
170,141,183,460,469,231,731,687,303,715,884,105,728 / 368,695,652,174,000
= 461,467,832,499,000,000,000,000 seconds = 14,633,048,975,700,000 years. Ok,
great... so now we're down to 14.6 quadrillion years of search time,
which means that at least now we may get REALLY lucky and hit the right
key within a certain degree of insanity. But, this was only a billion
dollars we gave the NSA in a decade. If we're especially paranoid, let's
say the government was so concerned over nuclear terrorists sending
encrypted messages, that the NSA got a TRILLION dollars to build a
system. That divides the whole equation by a thousand making the search
time 14,633,048,975,700 years or 14.6 trillion years... STILL
ridiculous. Ok, so let's say that now we're giving the NSA a HUNDRED
TRILLION DOLLARS thus dividing the search time by 100 yielding
146,330,489,757 years which is about ten times longer than the existence
of the universe. But now, if we had 1,000,000,000 of *these* machines
working concurrently the search time would wind up being 146.330489757
years. But, if each RISC processor were replaced with a small piece of
nanotechnology, each piece of this nanotech being 100 times faster than
the alpha chips, you get 1.46330489757 year. There ya have it... some
classified nanotechnology, 100 trillion dollars, and a DAMN lot of
landmass all multiplied by 1,000,000,000 and you've brute forced IDEA in
a year and a half. I won't go into the tedious calculations, but an
object with the surface area of two of our moons would approximately be
able to house this complex. Now, as I know you're asking about where to
store all the keys... and the fact that this drive would be bigger than
a solar system and so on, just have the keys generated using the same
PRNG in the brute force attack... you'll just have three times the
instructions (write for the generation, read to get it, write to compare
it) so multiply the search time by three. The technology is possible...
it's economics and territory that doesn't work.

    [ Theoretically, sure.  But you have sorta just proved the point that
    it is not feasible. ]



The snippet in P50 in section 02 of the zine by Xarthon entitled
> Yet another Lin(s)ux bug!  "IP_MASQ fails to check to make sure that a
> packet is in the non routable range." "So in conclusion, you are able to
> spoof as if you are on the inside network, from the outside. "

is so incomplete I would almost call it a lie. The only way that Linux
would do this is if the person setting up the IP-Masq system issued the
command "ipfwadm -F -p masquerade", which, if you read the IP-Masq HOWTO, it
tells you explicitly NOT to do for this very reason. My retort for Xarthon
and all others who do stupid ass things like leave port 19 open and such;
is that Linux only sux if you do. To wit, don't be a moron, and you won't
have to complain that it sucks.

Swift Griggs 	      | UNIX Systems Admin
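The distinction Swift is drawing, a default forwarding policy of masquerade versus a default deny with explicit masquerade rules, is easy to see in a small model. The block below is an added example, not code from the letter, the HOWTO or the Linux kernel: it is a constructed first-match rule evaluator whose rules loosely mirror `ipfwadm -F -a m -S <net> -W <iface>` and whose default policy mirrors `ipfwadm -F -p <policy>`. The interface names (eth0 outside, eth1 inside), the 192.168.1.0/24 internal network and the two sample packets are assumptions for the demonstration. It also goes one step past the letter: a rule that checks only the source network (no `-W`) still masquerades the spoofed packet, which is why binding the rule to the inside interface matters.

```python
"""Constructed model of an ipfwadm-style forwarding chain (not ipfwadm or
kernel code).  Rules are evaluated first-match; if nothing matches, the
chain's default policy (-p) decides.  Shows why "ipfwadm -F -p masquerade"
lets an outsider spoof an inside address, and what the fix looks like."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str        # source address as written in the IP header
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str                       # "masquerade" or "deny"
    src_net: str = "0.0.0.0/0"        # -S <net>
    in_iface: Optional[str] = None    # -W <iface>; None = any interface

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and self.in_iface != pkt.in_iface:
            return False
        return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)


def forward_decision(rules: List[Rule], default_policy: str, pkt: Packet) -> str:
    """First matching rule wins; otherwise the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default_policy


# 1. The setup the letter warns against: "ipfwadm -F -p masquerade" and no rules.
WEAK_POLICY, WEAK_RULES = "masquerade", []

# 2. Default deny, but the rule only checks the source network (no -W).
PARTIAL_POLICY = "deny"
PARTIAL_RULES = [Rule("masquerade", "192.168.1.0/24")]

# 3. Default deny, masquerade only what arrives on the inside interface
#    from the inside network (eth1 / 192.168.1.0/24 are assumed values).
SAFE_POLICY = "deny"
SAFE_RULES = [Rule("masquerade", "192.168.1.0/24", in_iface="eth1")]

# Constructed sample traffic: a real inside host, and an outsider on eth0
# forging the same inside source address.
INSIDE = Packet("eth1", "192.168.1.5", "198.51.100.7")
SPOOFED = Packet("eth0", "192.168.1.5", "198.51.100.7")


def demo() -> dict:
    """Decision for each (configuration, packet) pair."""
    configs = {
        "weak": (WEAK_RULES, WEAK_POLICY),
        "partial": (PARTIAL_RULES, PARTIAL_POLICY),
        "safe": (SAFE_RULES, SAFE_POLICY),
    }
    out = {}
    for name, (rules, policy) in configs.items():
        out[name + "_inside"] = forward_decision(rules, policy, INSIDE)
        out[name + "_spoofed"] = forward_decision(rules, policy, SPOOFED)
    return out


if __name__ == "__main__":
    for key, decision in demo().items():
        print(f"{key:16s} -> {decision}")
```

Only the third configuration masquerades the real inside host while dropping the forged packet; the first masquerades everything, and the second shows that a source-network check alone is not an anti-spoofing check, since the forged packet carries exactly the source the rule is looking for.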


Hi there, 

I have a question regarding a certain piece of hardware that has come
into my possession. Since this little piece of equipment contains no
indications of its intended use i have no idea what this thing could do.
So here's a description of the little box; i hope you might be able to
provide me with more information on what this device is supposed to do.

-lightgrey rectangular casing (13CMx9CMx3CM)
-frontpanel has one green LED, a connector labeled "SCANNER", and a
little door which reveals two sets of dipswitches (2 sets of 8, labeled
"DIPSW1" and "DIPSW2")
-backpanel has three connectors, a RJ4-like connector (only it has 6
lines instead of 4; it looks like a connector for a Memorex Terminal)
labeled "A", a standard IBM-PC keyboard connector labeled "B", and a
small (9-pin) serial interface-connector labeled "C".
-there is a sticker with a serial number, a barcode, and "Made in
Taiwan" on the bottom
-the circuit-board contains IC's of Sony, Philips, and Texas Instruments
-there is also one removable EPROM, made by AMD; it has a label on it
which reads "V2.61 CS:EF88"

I have found that a normal keyboard plugged into connector B, while a
KBD-to-RJ-jack cord is plugged into connector A will allow the box to be
placed between the keyboard and the kbd-port; so my first guess would be
that this is some kind of filtering device. But that doesn't explain why
there is a serial-connector and this "SCANNER" connector present.

So, do you know what this thing is ?


    [ Readers? ]


  Hi, my friends. I am a newbie from China; I have read some Phrack magazines.
But to my surprise, I have not succeeded in compiling a program yet. I sent e-mail
to the author, but the server tells me there is no such user.
  For example, phrack-49-15 describes a TCP port scan, but I cannot find
ip_tcp.h; another paper tells me a way to guess passwords, and said the program only
needs an ANSI compiler, but I cannot succeed either. Oh, my god.
  I use SunOS, gcc. I need your help, thanks.
                                        keven zhong

    [ Here at Phrack, we use TheDraw for ANSI compilers.  I hope that
      answers your question. ]


I'm just writing this to say thanks to all the hackers that represent Phrack
and work hard to keep it going, you guys are truly keeping the new generation
alive. If it weren't for Phrack i'd probably never have wanted to waste my time
with computers, the technical info is first class and a lot better than most
of the crap out there. I would suggest that maybe once in a while u guys could
write some more stuff geared towards the newbies, it really is important
because most people who aren't familiar with the terms get completely
lost. Down here in Montreal (514), most people think hacking is spreading virri
or u/l shitty trojans, there's no talk about unix or networks. We really need
some help down here, the scene is practically dead and most newbies don't have
any support to help them get started. Anyways i just want to say keep up the
good work, and it's really appreciated.
| Return Address:      Dave.Conway@claw.mn.pubnix.net
| Standard disclaimer: The views of this user are strictly his/her own.

    [ Thanks, if anyone cool is in Montreal, e-mail this guy and revive
      your scene. ]

----[  EOF
© Copyleft 1985-2021, Phrack Magazine.