[ PURSUiT - aug99 ]

Index for this issue of PURSUiT

[0x00] Introduction by the staff
[0x01] Editor's notes by bxj
[0x02] Internet2 (i2) and Next Generation Internet (NGI) by Cyphunk
[0x05] AXS Script Makes WebServer Vulnerable by f0bic
[0x06] Boxing in the UK (series) by Oktal
[0x07] Introduction to firewalls by deadline
[0x08] The FileThief exploit by Mister-X and Alkatraz
[0x09] PURSUiT News update

If you have an article you want us to publish, please e-mail it to bxj, foney_op or Cyphunk; after we read it we will decide whether to publish it in PURSUiT or not. In either case, the writer will be informed. I (bxj) can be contacted at , e-mails to f0bic can be sent to , and Cyphunk can be e-mailed to if needed. We all can be reached on the UnderNet IRC network, in the channels #HackTech, #HackUK and #KIP.

A note for Phrack editors: We come in peace.

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSU
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Well, there is not much to tell, just read the editor's notes for information on the zine, and on each issue.
We all would like to thank the following people for helping and making this zine possible:

Bill Clinton, Al Gore (hey, he invented the net), Monica Lewinsky, Linda Tripp, Jay Leno, George Lucas, the New York Police, Jack the Ripper (the one who cut people), the guy who invented air-conditioning, the guy who invented sneakers, Bose Inc., and the rest of the world, except the ones we really really hate.

Yeah, this one was just to fill up space, so just ignore it, and we were just kidding about the guy who invented sneakers.

Don't forget to read the news at the end of the zine.

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

 _______________________
[_______________________]
[                       ]
[    Editor's notes     ]
[_______________________]
[_______________________]

What is PURSUiT?

PURSUiT is about information. About knowledge. Knowledge is not power, it's an advantage. Information is the real power. We will supply information, and educate on how to use that information. We will supply knowledge, and guide how to control that knowledge. PURSUiT is here to share information, to teach the world what is really going on in the underground. No, we will not teach how to make a homemade atom bomb. And no, we will not instruct on how to kill your neighbors. We will tell you the stuff that really matters.

A little background.

PURSUiT started somewhere in 1999, as an idea to get the old-school days back. To be a real, informative zine. We gathered some of the most skilled individuals of this industry, and became one. A smart man once said that a small group of skilled individuals, excellent in their performance and one with their cause, is better than a whole army.
Commandos, they called it. Well, I believe PURSUiT are the commandos of today's digital world.

Remember the old days, the days of the BBSs, the telecommunications and computers revolution, the days when "Windows" was not a fluent term for more than 80% of Earth's population, the days when there were almost no script kiddies, when the Internet was not a "super-highway" and when Geocities was not formed yet. The days when true Hackers lived. The days of learning, days of information and days of sharing. PURSUiT is here to return these days. PURSUiT is bringing back the old-school.

Peace out, and keep it real, always,
--bxj.

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
x                                                                  x
x                  Tracking Satellites Basics                      x
x                                                                  x
x                        By Overfien                               x
x                                                                  x
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

There are 3 basic types of orbits you should be aware of when tracking satellites:

1) Low altitude circular orbits used by phase 2 satellites
2) Elliptical orbits as used by phase 3 sats.
3) Spacecraft and geostationary orbits planned for phase 4 satellites

Satellites are moving targets, so when a ground station uses directional antennas, aiming information must be available. Your average daily access time for a satellite is an important quantity in determining how useful the satellite will be to you. A low-altitude satellite (such as SBID, Fuji-OSCAR 20, RS-10/11 or a microsat) will generally be in range for 25 minutes or less each time it passes by. A satellite in a high-altitude elliptical orbit, i.e. a phase 3 spacecraft (such as VBeekon, OSCAR 10 and 13), behaves very differently. It will provide one or two passes per day, but the total access time will be (very roughly) 12 hours for Northern hemisphere stations.
A geostationary satellite appears to hang motionless in the sky. If it's in range you'll have access to it 24 hours per day (unless the weather really sucks). If it's out of range you'll never see it.

Satellite enthusiasts wishing to track a satellite are interested in specific information. They want to know:

1) When the satellite will be in range; more specifically, times for AOS (acquisition of signal) and LOS (loss of signal) for each pass.
2) Where to aim the antenna (azimuth and elevation) at any time.
3) The regions of the earth that have access to the satellite.

There are 2 main methods of tracking: the graphic method and the computer method. I would like to focus on the computer method.

Tracking software naturally answers the basic tracking questions: it will tell you when the satellite is in range and provide you with antenna pointing data. For example, at each specified time the program may list range (the distance between your station and the satellite), the Doppler shift for the mode you specify (which helps you locate your downlink), the height of the satellite (for elliptical orbits this varies), the phase or mean anomaly (a number that tells how close to you the satellite's antennas are currently aimed), predicted signal levels (on the downlink), path delay time (often labeled echo) and an orbit number (for reference purposes I believe - no effect on tracking).

Let's look at the input the computer requires. Naturally it will need the location of your ground station in terms of latitude and longitude. Some newer programs may even ask for your height above sea level (this shouldn't have any observable effect for 99.99% of amateur satellite tracking programs), so even if you live in Seattle and have a monster EME antenna, you can just enter "0" or some approximate number if you don't know the correct value. The program also has to know the precise orbit of the satellite you're interested in via orbit size, shape, and orientation with respect to the earth/stars.
This is called orbital elements. Now you're basically ready to track.

For example, when I boot up my "sat box" (basically one of my boxes just used for tracking), a main menu pops up that asks:

1) Do you want batch tracking data
2) Do you want real-time tracking data
3) Do you want to modify parameters
4) Move to graphical interface
5) Exit program

I respond by typing a single number (perhaps followed by the enter key). If I respond "1" to obtain batch tracking data, the program needs to know which sat you're interested in and the date and time to start the calculations.

We now take a look at the batch output provided by a typical program. I am using the new version of IWI98:

ADLMIL 3     Ground Station: lat=39*N, long=77*W, Ht=0km
DAY # 602  - - -  Friday, August 20  - - -  1999

UTC   AZ   EL   Doppler  Range
HHMM  DEG  DEG  HZ       KM
1145  167    5  -        18353
1200  166   11  -1867    20664
1215  165   16  -1733    22773
1230  166   21  -1596    24694

The heading identifies the satellite "ADLMIL 3" (heh, I promise it's not a military satellite ;-)) and my ground station location (I had to change it for unexplainable reasons). The first 3 columns of the table show time, azimuth and elevation. ADLMIL 3 will come in range sometime between 1145 and 1200 UTC and remain in range for 'bout 9.5 hours. Column 4 provides data on Doppler shift. At 1200 UTC a signal coming through the mode B transponder will appear 1867 Hz lower than predicted using the transponder frequency. Because of the algorithm being used to compute Doppler shift, no value is provided for 1145 UTC, the first time the satellite comes into range.
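As an added example (not code from the article or from the IWI98 program), the following Python parses a batch listing laid out like the one above and recomputes the Doppler column by finite differences over consecutive range values. That is the simplest algorithm a tracking program can use, and it explains the gap in the first row: there is no previous range to difference against. The listing is constructed here from the table's own numbers; the 145.9 MHz mode-B downlink frequency is an assumption, so the recomputed shifts share the sign and the missing first entry with the table but not its exact values, which came from the program's own transponder frequency.

```python
from typing import Optional

C_KM_S = 299_792.458  # speed of light in km/s

# Constructed batch listing, copied from the numbers in the table above
# (the two heading rows and the four data rows).
BATCH_LISTING = """\
UTC   AZ   EL   Doppler  Range
HHMM  DEG  DEG  HZ       KM
1145  167    5  -        18353
1200  166   11  -1867    20664
1215  165   16  -1733    22773
1230  166   21  -1596    24694
"""


def parse_batch(listing: str) -> list[dict]:
    """Turn the listing into rows; '-' in the Doppler column becomes None."""
    rows = []
    for line in listing.splitlines():
        parts = line.split()
        # data rows have five fields and start with an HHMM time
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        hhmm, az, el, dop, rng = parts
        rows.append({
            "utc_min": int(hhmm[:2]) * 60 + int(hhmm[2:]),
            "az_deg": int(az),
            "el_deg": int(el),
            "doppler_hz": None if dop == "-" else int(dop),
            "range_km": int(rng),
        })
    return rows


def doppler_from_ranges(rows: list[dict], downlink_hz: float) -> list[Optional[float]]:
    """Doppler shift by finite difference of range between consecutive rows.

    A positive range rate means the satellite is receding, so the received
    frequency is lower and the shift is negative. The first row has no
    previous range to difference against, hence None: the same gap the
    listing above shows at 1145 UTC.
    """
    shifts: list[Optional[float]] = [None]
    for prev, cur in zip(rows, rows[1:]):
        dt_s = (cur["utc_min"] - prev["utc_min"]) * 60
        range_rate_km_s = (cur["range_km"] - prev["range_km"]) / dt_s
        shifts.append(-downlink_hz * range_rate_km_s / C_KM_S)
    return shifts


def in_range(rows: list[dict]) -> list[bool]:
    """A pass is usable while the elevation is above the horizon (EL > 0)."""
    return [r["el_deg"] > 0 for r in rows]


if __name__ == "__main__":
    rows = parse_batch(BATCH_LISTING)
    shifts = doppler_from_ranges(rows, downlink_hz=145.9e6)  # assumed mode-B downlink
    for row, shift in zip(rows, shifts):
        printed = "-" if shift is None else f"{shift:8.0f}"
        hhmm = f"{row['utc_min'] // 60:02d}{row['utc_min'] % 60:02d}"
        print(f"{hhmm}  AZ {row['az_deg']:3d}  EL {row['el_deg']:2d}  {printed} Hz")
```

The sign convention is the one the article describes: the range grows from row to row, so the satellite is receding and every computed shift is negative, i.e. the signal appears below the transponder frequency.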
Alright, just as there's a jargon for practically everything, there's also one for "Satellite Tracking". Here it is broken down:

Access range (acquisition distance)
Acquisition distance: Maximum distance between the subsatellite point and ground station at which access to the spacecraft is possible
AOS (Acquisition Of Signal)
Apogee: Point on orbit where satellite height is maximum
Azimuth: Angle in the horizontal plane measured clockwise with respect to North (North = 0*)
Epoch (Epoch time): A reference time at which orbital elements are specified
EQX (ascending node)
Ground track (subsatellite path): Path on surface of earth traced out by SSP as satellite moves through space
Increment (longitudinal increment)
LOS (Loss Of Signal)
Node: Point where satellite ground track crosses the equator
Pass (satellite pass)
TCA (Time of Closest Approach): Time at which satellite passes closest to a specific ground station during orbit of interest

Well, this completes my text on satellite tracking basics. Expect to see more articles in the future; until then, "watch the sky"!!

Overfien@hushmail.com

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
||  PURSUiT is proud to present..                     ||
||                                                    ||
||  Internet2 (i2) and Next Generation Internet (NGI) ||
||                                                    ||
||  Compiled by Cyphunk                               ||
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

-----------------------------------------------------
- Internet2 (i2) and Next Generation Internet (NGI) -
-----------------------------------------------------

Internet2 and NGI are two advanced network initiatives by the US government (for NGI) and UCAID (University Corporation for Advanced Internet Development, for i2). The key here is initiative.
What I mean is that you won't find physical networks that are called Internet2 and NGI. Both NGI and i2 run over existing high speed US backbone networks such as the vBNS, Abilene, ESNet and many others (discussed later). The only real thing that makes i2 and NGI different from each other is who is in charge. You will see many NGI and i2 peers that are registered under both initiatives.

The requirements for becoming a peer on one of these networks are:

1) You have a project that requires very reliable and high-speed connections to other i2 peers.
2) You have a lot of money.

The reason for these initiatives was/is:

1) To foster high speed applications which cannot run on the existing Internet and need a guaranteed connection.
2) To develop smarter network services and ways of guaranteeing bandwidth and latency rates.
3) To increase collaboration of National-to-National and National-to-International research departments (commercial, academic and governmental).

A question that may arise is: "Why not just upgrade the existing Internet and use that as the platform for advanced research?" The reason this was not done is that it has become obvious over time that no matter how much bandwidth you throw at the Internet it will be overused. So, instead of thinking BIGGER, the NGI and i2 initiatives are mainly about thinking SMARTER. These networks are private to their peers and those peers must have a Research and Development related purpose for being there. This cuts out the general, bandwidth-sucking public right from the start. In order to keep the i2 and NGI peers from causing the same problems amongst themselves, advanced services and "Quality of Service" (QoS) systems and policies have been developed and put in place over these networks to keep one peer from stepping on the toes (line quality) of another.
The end goal of many of the advanced applications and technologies being developed by i2 and NGI peers is to have them introduced to the public and commercialized through places such as the Internet. Types of applications already being developed involve TeleImmersion and TeleMedicine (to think of a few).

After thinking and working *smarter* these networks will go *bigger* and faster. Amongst the goals of i2 and NGI is to develop the fastest and most efficient networks on the planet to "further the US lead in the global IT market" (whatever). To do so, both sides will work together on finding ways to work more efficiently and develop faster hardware devices. When at i2 and NGI conferences you may hear a lot of talk about TeraPOPs (Terabit Points of Access). Though there are no TeraPOPs out there yet, they are definitely on the horizon (a few years off).

Practically all of the literature on the net concerning i2 and NGI is incomplete. The problem is that most of the papers are in M$ PowerPoint format, which really does no good except for the person who created it. It's like looking at a teacher's notes when you're not the teacher; it's not helpful. I hope to make this somewhat complete and understandable. However, considering that many of the pieces of these two networks are still under development, don't be surprised if there are some gaps and you finish with more questions than you started with. My one request, however, is that you e-mail me at mindmore@mindless.com with the questions that this article may raise and any comments/corrections you may have. This article attempts to detail the services and the goals of both NGI and i2. I'll try not to bore you though :)

Note: It helps if you already have an understanding of networking (OSI layers, protocols, devices and the like) to understand the details of i2 and NGI. Also, I realize that there are probably a lot of grammar errors; thanks for bearing with me.

This paper is split up into 4 sections.
The first discusses the services provided by NGI and i2 (QoS, Multicasting, and IPv6). The second discusses i2 and NGI separately, covering the characteristics of the two individually. The third discusses the physical characteristics of the networks that the i2 and NGI peers connect through. The fourth, a brief section, discusses security issues that I see.

I. Services
------------------------------------------------------------------------

As I said before, both i2 and NGI support and are active in developing the standards for IPv6, QoS and Multicasting. I will try to get into each network's implementation of these services later. The purpose of this section is to introduce you to the services I just mentioned so that you have a basic understanding of them.

> IPv6 in brief

IPv6, also known as IPng (IP Next Generation), is the *upgrade* to the currently overloaded IPv4 addressing protocol. These addresses are called IP addresses and every computer on the net must have a unique IP address to communicate on the Internet. There are a lot of computers on the net and very soon there won't be enough IPv4 addresses left for them. IPv4 addresses are 32-bit addresses. This allows for 4,294,967,296 possible numbers. However, I'm guessing that after segmentation we get around 1.5 billion or so addresses. When this protocol was defined it was thought that a 32-bit address would be plenty. After all, how many computers could the small group of DARPA geeks own :). However, the Internet became something more than a high speed government and academic network and moved into the public/global domain. Today we are coming to a point where we just don't have enough IP addresses. I mean, you call your ISP and ask them how much it would cost to get your own static IP address from them. For me, with my ISP, it is $20 more a month. That is a big jump from FREE. So, the guys and gals at the IETF (Internet Engineering Task Force) have been working on IPv6, which will fix these problems.
IPv6 gives us 128-bit addresses, represented in binary, of course, and hexadecimal. 128 bits give 18,446,744,073,709,551,616 squared possible numbers, which should last us until the transition of the Internet from being public/global to becoming extraterrestrial/public/universal.

There is more to the protocol than just an increased address space, however. The header structure of the IP packet has changed. IPv6 headers are somewhat larger than IPv4 headers, but IPv6 headers are much more simplified. For instance, IPv4 header sizes can vary whereas IPv6 headers are always 40 bytes. Making the headers a fixed size allows for easier processing. IPv6 has also taken away some of the unused fields that were in IPv4, making it simpler. It has also added optional fields that can be used for increased security. For example, IPv6 encryption headers indicate which encryption keys to use, and carry other handshaking information. For more info check the IPv6 related RFCs; there are a ton of them.

> QoS

One thing that people are starting to realize is that no matter how much bandwidth you throw at the public or private sector, they always use it and overuse it. Though one objective of i2 and NGI is to increase bandwidth capacity, the other is to manage or regulate who has access to that bandwidth, how much of it and the quality of it. The Internet currently runs as a "Best Effort" service network. This means that if the TIT (Tokyo Institute of Technology) NanoTech department needs 5mbps with no more than a 200ms delay for a joint project with MIT (Massachusetts Institute of Technology) over the Internet, they will rely on pure luck to get what they need: luck that the lines from them to MIT will not be saturated with traffic at that time. This is a big problem, because this sort of luck rarely ever happens over the Internet. We need to develop a way to guarantee them the bandwidth and quality they need for that period of time.
This is done through QoS (Quality of Service), whose development is primarily the job of the IETF (Internet Engineering Task Force) QoS workgroup. One objective of NGI and i2 is to guarantee end to end QoS. This means that whether it takes 10 hops to get from TIT in Tokyo to MIT or 2 hops, they will be guaranteed 5mbps, 200ms, all the way. Currently there are two basic standards being used for QoS: the RSVP protocol and DiffServ.

>> RSVP (Resource ReSerVation Protocol)

RSVP guarantees end to end bandwidth reservations and delay times from node to node. DiffServ works more on a BB (Bandwidth Broker, ISP)-to-BB basis or Network-to-Network basis, whereas RSVP works on a node to node basis. This allows for tighter QoS and is necessary for Multicasting, but is not as flexible as DiffServ. RSVP supports multicast groups (discussed later) and operates on top of IPv4 or IPv6, acting like a layer 4 protocol. RSVP also acts like a routing protocol, though it does not take the place of existing routing protocols; it operates on top of them (adding features where needed). RSVP causes a higher strain on the network due to the fact that there is checking going on from node to node. For more information on RSVP check out rfc1633 and rfc2205.

>> DiffServ (Differentiated Services)

DiffServ causes less strain on a network than RSVP does. For this reason, it is the preferred method. However, DiffServ doesn't guarantee the connection as well and as tightly as RSVP does. So there are trade-offs. DiffServ works by labeling packets with "per-hop behaviors" (PHBs). PHBs basically define the level of service that this packet will need. The PHB is initially defined on the edge routers (closest to the sending device). End devices on the network have the job of reshaping traffic as it leaves the domain, taking into account any burst traffic that may occur.
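As an added example that is not part of the original article, the following Python ties the two services together: it decodes the fixed 40-byte IPv6 header described in the IPv6 section above, and reads out of its Traffic Class byte the DS field (the 6-bit DSCP) that DiffServ uses to mark a packet's per-hop behavior. The packet is constructed inline; the 2001:db8:: documentation addresses, the DSCP value 46, the flow label and the 8-byte dummy payload are all assumed values. The parser refuses truncated packets and payload lengths that overrun the captured bytes, which is the check a receiver needs before it trusts anything else in the header.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40         # fixed size, unlike the variable-length IPv4 header
# first 32-bit word (version/traffic class/flow label), payload length,
# next header, hop limit, 16-byte source, 16-byte destination
_HEADER_FMT = "!IHBB16s16s"


def build_sample_packet() -> bytes:
    """Constructed sample: IPv6 header with DSCP 46 and 8 dummy payload bytes.

    Addresses come from the 2001:db8::/32 documentation range; the DSCP,
    flow label and payload are made up for this example.
    """
    version, traffic_class, flow_label = 6, 46 << 2, 0x12345
    payload = b"\x00" * 8
    first_word = (version << 28) | (traffic_class << 20) | flow_label
    header = struct.pack(
        _HEADER_FMT,
        first_word,
        len(payload),
        17,   # next header: UDP
        64,   # hop limit
        ipaddress.IPv6Address("2001:db8::1").packed,
        ipaddress.IPv6Address("2001:db8::2").packed,
    )
    return header + payload


def parse_ipv6_header(packet: bytes) -> dict:
    """Decode the fixed header and the DS field it carries; reject malformed input."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError(f"truncated: need {IPV6_HEADER_LEN} bytes, got {len(packet)}")
    first_word, payload_len, next_hdr, hop_limit, src, dst = struct.unpack(
        _HEADER_FMT, packet[:IPV6_HEADER_LEN]
    )
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version field = {version})")
    # A payload length larger than what was actually captured is a classic
    # parser trap: stop here instead of reading past the buffer later.
    if payload_len > len(packet) - IPV6_HEADER_LEN:
        raise ValueError("payload length field exceeds captured bytes")
    traffic_class = (first_word >> 20) & 0xFF
    return {
        "version": version,
        "dscp": traffic_class >> 2,       # DS field: top 6 bits of Traffic Class (RFC 2474)
        "ecn": traffic_class & 0b11,      # remaining 2 bits
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
    }


if __name__ == "__main__":
    for field, value in parse_ipv6_header(build_sample_packet()).items():
        print(f"{field:>15}: {value}")
```

Because the header is always 40 bytes, one `struct.unpack` with a fixed format string is enough; an IPv4 parser would first have to read the IHL field to learn where the options end, which is the processing cost the article says the fixed size removes.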
DiffServ assures a basic throughput but allows for bursts when resource availability permits (depending on the PHB type assigned to the packet). All the information needed for DiffServ is held in the DS field in the IP headers. In all likelihood we will not be implementing DiffServ on our home or small networks, or even large ones for that matter. It will be the responsibility of your BB (Bandwidth Broker, also known as your ISP) to provide DiffServ where needed. It will be the BB's job to aggregate all of their DiffServ traffic into one stream before it is sent out of the network and onto another. Last thing: DiffServ, unlike RSVP, has no built in support for Multicasting.

For the purpose of testing QoS methods the QBONE initiative was created in 1998. The QBONE is a joint effort of academic, governmental and corporate researchers and engineers, created as a wide area testbed for QoS protocols. It crosses both NGI and i2 borders, operating through almost all of the advanced networks in the US and abroad (such as vBNS, Abilene, ESNet, CA*NET, which are discussed later). For more details on the QBONE and QoS try http://www.internet2.edu/qbone/.

> IP Multicasting

Let's say that both you and I live in the same city and use the same Internet provider. Let's also say that we are both listening to a live stream (if they one day do live) of Geeks in Space (www.the-sync.com/geeks) at the exact same time. This means that the same datagrams are coming to the same network, the same POP, at the same time, like so:

 _____                  ____
|Geeks|----Stream1-----|our |-------- Me
| in  |                |Lame|
|Space|----Stream2-----|ISP |-------- You
 -----                  ----

It would certainly be to the entire Internet's advantage and ours if we could combine those two streams into one, creating less congestion on the network. IP Multicasting refers to doing exactly that.
Example:

 _____                  ____
|Geeks|                |our |-------- Me
| in  |----Stream------|Lame|
|Space|                |ISP |-------- You
 -----                  ----

In the above example there is only one stream of datagrams going out over the Internet, but once it gets to our ISP it splits the stream into two and sends Geeks In Space to you and me at the same time. In order to do this it creates "Multicasting Groups" for each stream (both you and I being in the same group). It also requires smart routers which can replicate streams and keep track of and create these groups, dynamically adding users when needed. Also, the routers all along the way from the Real Audio server to our ISP must support IP multicast protocols such as DVMRP (Distance Vector Multicast Routing Protocol), PIM (Protocol Independent Multicast) or MOSPF (Multicast Open Shortest Path First).

To use IP multicasting today you must connect to an existing network within the public Internet known as the MBONE (at least, that is where all the action is at). Before you can do that, however, your ISP must support Multicasting. Check with them to see if they do; else, switch ISPs. For more information about the MBONE and IP multicasting check out www.mbone.com. For even more info on multicasting try www.ncne.nlanr.net/faq/multicast.html

II. NGI and i2
------------------------------------------------------------------------

Like I said before, the NGI and i2 initiatives are almost identical. They operate on mostly the same networks and backbones. They have pretty much the same goals. However, there are a few things that make them different, other than who is in control of each initiative and the budget that they have. The following takes a look at each initiative.

> NGI

In the NGI there are a few different Government organizations that are involved in making the goals of NGI a reality.
Those organizations are DARPA (Defense Advanced Research Projects Agency), NSF (National Science Foundation), NASA (National Aeronautics and Space Administration), NIST (National Institute of Standards and Technology), NLM (National Library of Medicine) and the DoE (Department of Energy). Each of these organizations has different responsibilities, some overlapping in areas. Each of these organizations has its own physical networks that it can test things out on (some of which are discussed later). I'm not going to discuss the specifics of what their jobs are; if you want more information go to: www.ngi.gov

The NGI project budget for 1998 was $80 million US Dollars. 1999 is $110 million. 2000 will be $110 million. The project was only granted 3 years of funding by Congress but is planned up till 2002 (I guess the budget comes later). There is a possibility that it could be extended even further, however.

There are a number of very specific goals for NGI:

To develop an NGI testbed that supports end-to-end QoS for new networking technologies and advanced research. This testbed will connect at least 100 NGI sites - universities, Federal research institutions, and other research partners - at speeds 100 times faster than today's Internet (OC-3 - 155mbps), and will connect 10 sites at speeds 1,000 times faster than the current Internet (OC-48 - 2.5gbps).

Another goal of the NGI is to demonstrate Terabit switching technology by 2002. At the NGI/i2 conference I went to there was a professor from Hebrew University Israel who gave a lecture on an Optical Terabit switch that he had developed and tested. The switch could do well over 1tbps with hop rates of 10ms. That certainly grabbed the attention of the NSF guys at the conference. The device is supposed to go into production sometime in two years, as I remember.

The NGI network is spread out over several different networks.
The ones that I know of are: vBNS (run by NSF), Abilene (run by UCAID), ESNet (run by DoE) and NREN (run by NASA). In order for a corporation or university to hook up to NGI they must connect to one of these backbones. In many cases we see that the requesting peer will just connect to a GigaPOP which is already connected to one of the backbone NAPs. Then they must arrange (with the NSF I believe) to be added to the NGI registrar and routing tables. In many cases, the organization or university can get government funding from the NSF.

> i2

Internet2 is an advanced network initiative by UCAID (University Corporation for Advanced Internet Development) and several other corporations. The budget is about $80 million a year. i2, like NGI, is spread out over various high speed backbones in the US. The two major ones are vBNS and Abilene, which will be discussed later. In most cases universities will connect to GigaPOPs which in turn connect to one of the i2 backbones. i2, like NGI, is involved with implementing and developing QoS, IPv6 and advanced network applications. There is no real literature on the net that discusses the goals of i2. The talk is more around the backbones that it operates on.

III. Advanced high speed backbones
------------------------------------------------------------------------

As I said before, both i2 and NGI run over several high speed backbone networks. The following discusses a few of them in detail.

> vBNS

The NSF initiated the very high speed Backbone Network Service (vBNS) in 1995. With help from MCI the NSF set up a high speed backbone across the US. The purpose was to connect Government, Industry and Universities to 5 SCCs (Super Computing Centers) in the US and then, inevitably, to each other.
For those interested, those 5 SCCs are:

- Cornell Theory Center
- National Center for Atmospheric Research
- Pittsburgh Supercomputer Center
- National Center for Supercomputer Applications
- San Diego Supercomputer Center

The vBNS serves as a backbone for both the NGI and i2 initiatives. The vBNS uses IP over ATM over SONET. It operates at speeds up to OC-48 (2.5gbps). MCI also created a second "testnet" network for testing experimental technologies until they prove stable for implementation on the vBNS. Most peers connect at DS3 and OC-3 speeds to one of the vBNS NAPs (Network Access Points) or to a GigaPOP that is already plugged up to a NAP. The vBNS supports both native and tunneled IPv6.

> Abilene

The Abilene network was created by UCAID in collaboration with Qwest Communications, Cisco, Nortel Networks and a few others that I don't remember. It was created for the sole purpose of connecting i2 peers. It operates at speeds up to OC-48 using IP over SONET. As I remember, the lines were laid and POPs put in place by Qwest Communications. If you want to connect to the Abilene backbone all you need is $110k a year for an OC-3 connection, $320k a year for an OC-12. Small price to pay :]

> ESNet

ESNet (Energy Sciences Network), headed by the DoE (Department of Energy), provides for speeds up to OC-12. It connects directly to the vBNS, STARTAP and many other high speed US backbones. Peers connect anywhere from 64k up to OC-12 speeds. It has been around for a while and has a lot of networks connected to it. For more information check out: www.es.net

> International networks

It was in 1997 that the NSF started taking proposals from R&D networks in other countries to add International peers to its registrar for the vBNS. I guess the US GOV and academic establishments realized that the US wasn't exactly the smartest country on the planet. The International peers connect through the STARTAP and connect from there to other i2 or NGI peers.
STARTAP (Science, Technology, And Research Transit Access Point) is the International NAP for most US networks (other than the Internet). The STARTAP connects directly to the Ameritech NAP in Chicago, which connects to the vBNS and many other high speed US networks. The STARTAP is funded by the NSF and maintained by the University of Illinois at Chicago and a few other Chicago based groups. The STARTAP currently supports speeds up to OC-12 and supports DiffServ, RSVP, Multicasting and IPv6. For more information on the STARTAP check out: www.startap.net

The following are just a few examples of International networks that are hooking up to i2 or NGI through the STARTAP.

>> Israel's tap

The Israeli government has committed $10 million a year for the next four years towards advanced network development in Israel. The group in charge of all i2 and NGI activities is the IUCC (Israel Inter-University Computation Center), whose main members are the eight major universities in Israel. This is where it will start, with the universities, and then shortly after it should be open to commercial R&D departments. There is one satellite link at 44mbps from Israel (Tel Aviv University) to the STARTAP in Chicago, US. Israel bought the entire spectrum on the sat, so there are plans for upgrading that speed anywhere from 60mbps to 140mbps, as needed. There is also a fiber optic E3 (34mbps) line from Israel (Bar Ilan U. I believe) to the UK where it connects to the QUANTUM network in Europe (http://www.dante.net/quantum). After that there is another fiber optic line going from the connection point in the UK over to the US at 10mbps for redundancy. I've heard rumors of a 2gbps line being set up from the US to Israel but I have not been able to confirm this. Though the i2 website for the IUCC claims full support for QoS, I don't believe it. At an i2/NGI conference I went to I asked one of the IUCC speakers about this and he gave no real assurances for QoS support, quite the opposite.
For more information on the i2 project in Israel go to www.internet-2.org.il

>> CA*NET3

CA*NET3 currently runs at OC-48 (2.5gbps). The Canadian government, in partnership with some high tech companies, funds the project. NAPs to the backbone are located all along the southern border of Canada and connect to other US networks through the STARTAP. The Canadian government has committed $53 million to the project, which will last a year or so (I don't remember the exact figures). The project was initiated in 1998. CA*NET3 uses DWDM (Dense Wavelength Division Multiplexing) to get to OC-48. CANARIE (Canadian Network for the Advancement of Research, Industry and Education) is the group in charge of the project; for more info check out their site at www.canarie.ca or www.canet3.net. The CANARIE consortium includes commercial, academic and governmental departments of Canada.

IV. Security concerns
------------------------------------------------------------------------

There are a couple of security concerns as I see it.

The first is about the way most universities and organizations make requests to plug up to i2 or NGI. They create a proposal, and many will list their network in great detail. One sad sight I saw was the San Diego Supercomputer Center, which posted a map of all the IP NetIDs for its network. Even worse was CANARIE, which posted the same thing (the NetIDs) for the entire CA*NET3 backbone. Now, these are private networks. However, all I would need, in theory, is a terminal at an i2 or NGI peer to start playing around. It seems even easier when I start to really look at their proposals. Most peers make their NGI or i2 connection the default path when the destination is another i2 or NGI peer, even for something as simple as a webpage. So, depending on how it is implemented, I may be able to just start from a simple student terminal, as opposed to having to hack into the Systems group terminals or servers first.

The second is concerning DoS attacks.
Give me bandwidth and I'm in DoS heaven :) On an i2 or NGI peer's network I may have a lot of bandwidth at my disposal (depending on what type of policy they come under when connecting to i2 or NGI backbones). Then, if I find a peer stupid enough to have a proxy from there to the normal Internet, who knows. And I'm only a nominal security buff; I imagine that there are a lot more concerns that I haven't seen. There is, however, an IETF Security Workgroup in place for this exact reason. So, who knows?

If you have any questions, comments, corrections... e-mail me at: mindmore@mindless.com
I will try to post any technical corrections in the next issue of this e-zine.

- Cyphunk

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

------------------------------------------------+
|  -------------------------------------        |
|  AXS Script Makes WebServer Vulnerable        |
|  -------------------------------------        |
|                                               |
|  --- by f0bic - [ linux security ]            |
|  --- f0bic@deadprotocol.org                   |
|  (this article was also published on BugTraq) |
|                                       ________|
[_______________________________________|

-----------------
Brief Description
-----------------

The AXS webserver script by Fluid Dynamics (www.xav.com) allows unauthorized third party users to make use of the ax-admin administration/configuration module and remotely edit and/or delete log files and overwrite files on the system. Compromise of system resources might also be one of the effects of this vulnerability.

--------------------
Vulnerable Platforms
--------------------

Any operating system AXS is compatible with.

  - *NIX operating systems (AXS cgi set)
  - WindowsNT operating system (AXS perl set)

I have seen the AXS (cgi set) operate on Apache 1.2.6/1.3.3, NCSA, Netscape-Commerce, and the (perl set) operate on IIS 3.0/4.0, Netscape-Fasttrack.
-------------------------
Vulnerability Description
-------------------------

The AXS script is a cgi or perl script that keeps track of the number, the source locations and the client info of visitors to your http port (80). It writes this data to an output file, named log.txt by default (but it can easily be relocated). This log.txt is normally located in the cgi-bin directory of the server, which requires write access to this directory.

The AXS cgi script contains two .cgi files, ax.cgi and ax-admin.cgi respectively. The ax.cgi file is the one that actually "grabs" the info about the visitors and then writes it to log.txt (or wherever you relocated this to). The ax-admin.cgi is the configuration file for the ax.cgi script. The ax-admin.cgi is passworded by default with "IronMan" and sometimes the password is even left blank. Due to this weak access security it is very easy to gain "configuration access" to the ax.cgi script, allowing you to reconfigure it, delete the log files, or change the location of the logs.

The default location for the AXS script is http://www.server.com/cgi-bin/ax.cgi.
The default location for the AXS admin script is http://www.server.com/cgi-bin/ax-admin.cgi.

To obtain access to the ax-admin.cgi module you get a password screen issued by default, Ironman being the default password. The password is determined by the characters in the $password="*" field hardcoded in the ax-admin.cgi script ("*" being the default/chosen password or a blank). Most of the time I have seen the password field left blank or defaulted. If the password is left blank you will not be prompted with a login screen; instead it will automatically drop you into the ax-admin configuration page. From this point on you can alter files on the server system, possibly resulting in Denial-of-Service attacks against the system's resources.

---------
Solutions
---------

The AXS problems relate to a lack of resources that could suffice for secure business applications.
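As an added illustration (not part of f0bic's article and not code from the AXS product, which is Perl/CGI), the Python below models the weak access check the description above gives, a blank or shipped default password hardcoded in the admin script, next to an audit that flags such a configuration and a hardened check that stores only a salted hash and compares it in constant time. The `$password = "..."` line format is taken from the article; the function names, the sample script texts and the `SHIPPED_DEFAULTS` set are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# The article names "IronMan" as the password AXS ships with (constructed set,
# lower-cased for comparison).
SHIPPED_DEFAULTS = {"ironman"}

# Constructed stand-ins for the relevant line of an ax-admin.cgi script: per the
# article, the password is whatever sits in the $password="*" assignment.
SAMPLE_ADMIN_SCRIPTS = {
    "blank":   '#!/usr/bin/perl\n$password = "";\n',
    "default": '#!/usr/bin/perl\n$password = "IronMan";\n',
    "custom":  '#!/usr/bin/perl\n$password = "s0meth1ng-else";\n',
}

def hardcoded_password(script_source):
    """Extract the literal from a Perl-style $password = "..." assignment, or None."""
    m = re.search(r'\$password\s*=\s*"([^"]*)"', script_source)
    return None if m is None else m.group(1)

def weak_admin_check(configured, submitted):
    """Behaviour the article describes: a blank configured password means no
    prompt at all; otherwise a plain string compare against the literal."""
    if configured == "":
        return True            # dropped straight into the configuration page
    return submitted == configured

def audit_admin_script(script_source):
    """Classify the admin module's password the way a defender's config audit would."""
    pw = hardcoded_password(script_source)
    if pw is None:
        return "no $password assignment found"
    if pw == "":
        return "BLANK"          # anyone reaching ax-admin.cgi gets the config page
    if pw.lower() in SHIPPED_DEFAULTS:
        return "DEFAULT"        # shipped password never changed
    return "CUSTOM-PLAINTEXT"   # set, but still stored unencrypted in the script

# Hardened form: keep a salted PBKDF2 hash instead of the password itself and
# compare in constant time, so the script never holds a reusable secret.
def make_password_record(password, iterations=200_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(record, submitted):
    """True only for the right password; a blank submission is never accepted."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False            # malformed record: fail closed
    if algo != "pbkdf2_sha256" or submitted == "":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def audit_all(scripts=SAMPLE_ADMIN_SCRIPTS):
    return {name: audit_admin_script(src) for name, src in scripts.items()}

if __name__ == "__main__":
    for name, verdict in audit_all().items():
        print(f"{name:8} -> {verdict}")
    rec = make_password_record("s0meth1ng-else")
    print("hardened verify (right/wrong):",
          verify_password(rec, "s0meth1ng-else"), verify_password(rec, "IronMan"))
```

The audit is the check an administrator would run over the installed script before exposing it; the hardened record shows what "encrypting the passwords used in the ax-admin verification" amounts to in practice, and it also refuses a blank submission outright instead of treating it as "no password set".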
The AXS script on the other hand has been developed for ease of use, not with security in mind; this is one of the mistakes that Fluid Dynamics has made. The easy fix is not to run with a blank or default password on the ax-admin.cgi module. I have informed Fluid Dynamics about the fact that I have seen servers where the ax-admin password was the same as the one for a valid shell account on that system. Fluid Dynamics has also gone through no trouble at all to encrypt any of the passwords used in the ax-admin verification.

EOF

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

+--------------------------+
|  PURSUiT presentation,   |
|                          |
|  Boxing in the UK        |
|                          |
|  By Oktal                |
|                          |
+--------------------------+

Part 1. Blue Boxing

Part 2 will be on Beige Boxing and will be in issue 3 of PURSUiT.

Blue boxing is sending noises down a fone line to seize the trunk and make free fone calls (among other things). The trunk is where operators dial from. But they don't use the same frequencies as home fones, so we need to get the tones from your soundcard to the fone line.

What you will need for this hobby:

  1 Computer + sound card
  1 Tone-generating software (eg. http://x-iz.net/gbh/bluebeep.zip)
  1 Cheap telephone (I use the old 'Viscount' series by BT because I have a friend who has loads he doesn't want)
  4 Wires (at least 1 metre each)
  2 2.5mm jack plugs (from your local electrical shop)
  1 Hole-making equipment (hammer + nail)
  1 Soldering iron + solder (optional)

What you must do for this hobby:

Open up the handset so you can see all the insides. There should be a speaker and a microphone, each with 2 wires connecting into them. Attach (or solder) one of your 4 wires to each of the wires in the handset. Now make a hole in the casing for the wires to emerge from.
Open up the jack plugs and attach the 2 wires from the speaker to the connections in one plug and the 2 wires from the mic to the connections in the other plug. Use solder if you want. Stick the handset back together. Disconnect the speakers and microphone from your computer and plug the earpiece into the microphone socket and the mouthpiece into the speaker socket.

-OR-

If you have electrical knowledge, you could make a box that generates the tones by itself and doesn't need a connection to a soundcard.

A long time ago, BT had a tone (2280hz) which was used by BT engineers to access certain functions within the trunk. Phreakers discovered that this could be abused to seize the trunk and make free calls out of it. But BT got wise to the phreakers, so now blue boxing is impossible in the UK. But BT does have 'country direct' lines, which are freefone 0800 numbers to overseas. They are mostly in the 0800 890 XXX range, along with some other useful numbers. These countries' exchanges are not as modern as here and they are blue boxable. (NB: not all country direct lines are boxable)

Some country direct numbers to countries with CCITT-5 lines:

  South Africa   0800 890 027
  Germany        0800 890 049
  Brazil         0800 890 055
  Chile          0800 890 056
  Libya          0800 890 059
  Australia      0800 890 061
  Indonesia      0800 890 062
  France         0800 890 133
  Bahamas        0800 890 135
  Gabon          0800 890 241
  etc etc etc

You can then make an international call out of that country to the UK (or any other country) and make a free call.

Using Bluebeep by Onkel Dittmeyer:

The 'action mode' sucks, so you should program a script to play the tones. A sample (and very good) script that I made is included in the zip file (http://x-iz.net/gbh/bluebeep.zip). To make your own script to your own needs, read 'Script Language' from the Info|Documentation menu. To run a script, type BLUEBEEP /EXEC FILENAME.EXT from the prompt. For a list of all the command-line switches, type BLUEBEEP /?
Tone specifications for the CCITT-5 exchange:

  Description        Frequency (Hz)   Duration (ms)   Pause after tone (ms)
  digit 1            700 & 900        60              40
  digit 2            700 & 1100       60              40
  digit 3            900 & 1100       60              40
  digit 4            700 & 1300       60              40
  digit 5            900 & 1300       60              40
  digit 6            1100 & 1300      60              40
  digit 7            700 & 1500       60              40
  digit 8            900 & 1500       60              40
  digit 9            1100 & 1500      60              40
  digit 0            1300 & 1500      60              40
  KP1                1100 & 1700      80              40
  KP2                1300 & 1700      80              40
  ST                 1500 & 1700      80              80
  Clear Ahead Tone   2400 & 2600      150             30
  Seize Tone         2600 & 2600      80              20

Be aware that duration times may differ slightly with the exchange.

To seize the trunk of a CCITT-5 line:

  1. You will hear a bleep after you dial the country direct number.
  2. Send the clear ahead tone after that bleep (makes it think you've hung up).
  3. Then send the seize tone (so it thinks it's talking to the telco equipment).
  4. You will hear a bleep and a chunk.
  5. Dial the number as shown: KP2+Zero+CountryCode+AreaCode+Number+ST
     eg. KP2,0441818118181,ST

But BT often put filters on the country direct lines to filter out these tones. Here are some tricks to get past a lot of filters:

The average tone of a conversation is around 3000 Hz. This is called 'pink noise'. Bluebeep allows 3 simultaneous tones, so add 3000 Hz to the last frequency of each tone in the dial set list.

Some filters raise or lower the pitch of the sound slightly. Try tones just above or just below the given frequencies. (eg. 2395 or 2405 instead of 2400)

You may have to do some frequency analysis on the echo you get from the system. A good tool for this is Wintone (30-day trial version at www.steaksandwich.com, registration $20 (£13), or you could read my article on cracking software, which will be coming soon in PURSUiT).

That's it guys. Any information you may have on UK boxing can be sent to ms@punkass.com for a great big essay I have planned for the mag next year on UK boxing. Remember part 2 of this article (beige boxing) is in issue 2.
Wardialling & Scanning

If a country direct number is abused too much then BT is forced to shut it down :( So every so often the one you use will go away and you'll have to use another. Well, the list above is by no means complete. And there are other very useful numbers in the 0800 890 XXX range, so... why not find out what they all are?

"What, scan 1000 numbers???"

No... you get a wardialler to do that for you. It dials them all up (don't do this all at once, BT'll notice) and when you come back it'll tell you which ones picked up and which ones didn't exist (it might also tell you if it was a data or voice line). Then you can dial the ones that look interesting. You just tell it what range to scan and leave it for a while. You could also be at your desk while the dialler is running so you can listen to them and take note of what the voice ones are, like "voice: Mark at reception, how may I help you?"

A good wardialler is ToneLoc at http://x-iz.net/gbh/toneloc.zip

Example ToneLoc syntax:

  C:\> TONELOC OUTPUT.TXT /M:0800890XXX /R:000-999 /S:3:00a /E:4:00a

will dial 0800890000, 0800890001, 0800890002... 0800890999 starting at 3 am and ending at 4 am (regardless of how far through the scan it has got).

  C:\> TONELOC OUTPUT.TXT /M:0800890XXX /R:000-999 /H:1:00

will scan the range starting NOW and ending in one hour.

ToneLoc also has some cool options like Black Book, a txt file of numbers to NEVER dial (eg. 999) during a scan, and loads of other cool stuff. To set up options like that and config stuff like modem strings, run TLCFG.EXE

A really neat trick is the Scan Map. I can't explain it, it is just so great. Run TONEMAP SAMPLE.DAT to see what I mean.

EOF

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

*-------------------------------*
| PURSUiT is proud to present.. |
|                               |
|   Introduction to Firewalls   |
|                               |
|   By deadline                 |
*-------------------------------*

What is a firewall?
---------------------

A firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this happens varies widely, but in principle, the firewall can be thought of as a pair of mechanisms, one that is there to block traffic, and the other which permits traffic. Some firewalls place a greater emphasis on only blocking traffic, while others are strictly for permitting traffic.

Diagram:

  O = Outside Host         1: packets to the firewall
  F = Firewall/Router      2: firewall accepts or denies
  I = Internal Network     3: packets go to host

                                (3)  IIII
                           |---------IIII
                 (2)       |
      (1)      FFFFF-------|         (3)
  OOOO--------FFFFF------------------IIII
  OOOO        FFFFF-------|          IIII
                          |     (3)
                          |---------IIII
                                     IIII

Protection
--------------

Firewalls offer protection against many kinds of things. They offer protection from malicious packets, e-mail spam/bombs, and also intruders to your system. But there are also attacks firewalls CANNOT protect you against (attacks that don't go through the firewall), like people from inside the network; from there, that user can give access to outside networks, which can be potentially dangerous to your network. And lastly, firewalls can't protect against tunneling over application protocols to trojaned or poorly written clients.

Types of Firewalls
--------------------

1: Network Layer
------------------

Network firewalls usually make their decisions based on the (source) address and the ports of a packet. Routers are probably the best-known network level firewall; a router is not able to make a great decision about where the packet is actually going or where it came from. Newer network firewalls have increased greatly in maintaining information about the packets that pass through them, contents of data streams, and other sources of information.
An important thing to remember is that network firewalls route traffic directly through them, so to use one you usually need to have a validly assigned IP address block. Network firewalls usually are fast and transparent to users.

2: Application Layer
----------------------

Application level firewalls are usually a host running proxy servers. The proxy servers usually permit no traffic directly between networks and give a more detailed log of traffic than the network level firewalls. These firewalls can be used as network address translators, since packets go "in one side and out the other", after passing through an application that effectively masks the origin of the initiating connection.

Proxy Servers
---------------

A proxy server is an application that mediates traffic between a protected network and the Internet, meaning it only allows specific connections to connect to the host, and allows only connections out of the host through specified ports. Proxies are usually used instead of router based traffic controls, because they prevent traffic from passing directly between two networks. A lot of proxies have more logging and support for user authentication. Because proxies must understand the application protocol being used, they can also implement protocol specific security, where only certain protocols are allowed to be incoming and outgoing from a host.

Firewall Downsides
--------------------

Firewalls, while restricting access from outside attacks, also restrict users inside the network from connecting to some, or maybe even all, networks outside the current one. This means a user in the secure network may not be able to connect to, let's say, www.linux.org unless he has the permissions to. This is also the same for ftp, telnet, and other various network utilities.
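The network-layer behaviour described in this article, as an added example in Python (not from deadline's article and not any particular firewall product): a stateless packet filter that decides on source address, destination address, protocol and destination port, consulting its rules top to bottom with a deny-by-default fallback, which is step 2 of the diagram above. The `Packet` and `Rule` model, the addresses, the rule set and the sample traffic are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    """The header fields a network-layer firewall looks at (constructed model)."""
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port; 0 for protocols without ports

@dataclass(frozen=True)
class Rule:
    action: str             # "accept" or "deny"
    src: str                # CIDR the source address must fall in
    dst: str                # CIDR the destination address must fall in
    proto: str              # protocol name or "any"
    dport: Optional[int]    # destination port, None for any

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))

ANY = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"       # constructed: the protected network (the I hosts)
MAIL_HOST = "10.0.0.25/32"    # constructed: the one inside host that may take SMTP

# Rules are consulted top to bottom; the first match wins.
RULES: List[Rule] = [
    Rule("accept", ANY, MAIL_HOST, "tcp", 25),     # outside may deliver mail, only here
    Rule("accept", INTERNAL, ANY, "tcp", 80),      # inside users may browse the web
    Rule("accept", INTERNAL, ANY, "udp", 53),      # ...and resolve names
    Rule("deny", ANY, ANY, "any", None),           # everything else is blocked
]

def decide(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Step 2 of the diagram: accept or deny a packet arriving at the firewall."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # default deny if no rule matched at all

# Constructed traffic sample: what each side of the firewall tries to send.
SAMPLE_TRAFFIC = [
    Packet("192.0.2.7", "10.0.0.25", "tcp", 25),     # outside -> mail host, SMTP
    Packet("192.0.2.7", "10.0.0.9", "tcp", 25),      # outside -> a workstation, SMTP
    Packet("192.0.2.7", "10.0.0.9", "tcp", 23),      # outside -> telnet attempt
    Packet("10.0.1.4", "198.51.100.8", "tcp", 80),   # inside -> web
    Packet("10.0.1.4", "198.51.100.8", "tcp", 21),   # inside -> ftp (the "downside")
]

def filter_traffic(packets=SAMPLE_TRAFFIC, rules=RULES) -> List[Tuple[Packet, str]]:
    """Run every sample packet through the rule set and pair it with the verdict."""
    return [(pkt, decide(pkt, rules)) for pkt in packets]

if __name__ == "__main__":
    for pkt, verdict in filter_traffic():
        print(f"{verdict:6} {pkt.proto}/{pkt.dport:<5} {pkt.src} -> {pkt.dst}")
```

Because this filter keeps no connection state, the reply half of the accepted web session (198.51.100.8 port 80 back to an ephemeral port on 10.0.1.4) falls through to the final deny rule. That is the gap the "newer network firewalls ... maintaining information about the packets that pass through them" remark points at: a stateful filter remembers the outbound connection and lets its replies in, and an application proxy avoids the problem altogether by terminating the connection itself.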
EOF

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

]--------------------------------[
[          FileThief.pl          ]
]--------------------------------[
[          Developed By          ]
]--------------------------------[
[   Mister-X (Admin@x-iz.net)    ]
[ Alkatraz (funnet@icom-web.com) ]
]--------------------------------[

For those of you who can't tell what this script does by looking at the source code: it scans /etc/passwd for users with the same UID as your own. If it finds them it reports to STDOUT and logs to a file, for later browsing. Yes, it is a common occurrence for slack admins to add users with the same UID, meaning that you have full access to their files.

PERL Script Follows:

#!/usr/bin/perl
# FileThief.pl - list the other accounts in /etc/passwd that share our UID.
# Look ourselves up once to get our UID and home directory.
($myusr, undef, $id, undef, undef, undef, undef, $hdir, undef) = getpwnam(getlogin);
$fid = time."-$id";
print "Welcome to filethief - searching for $id in /etc/passwd.\n";
$myusr = getlogin;
$found = 0;
open(logf, ">>$hdir/filethief-$fid.log") or die "cannot open log: $!";
open(pwd, "</etc/passwd") or die "cannot open /etc/passwd: $!";
while(<pwd>) {
    # passwd fields are colon separated: name, password, uid, ...
    my($usr, undef, $uid, undef) = split(/:/, $_, 4);
    if(($uid eq $id) && ($usr ne $myusr)) {
        $found++;
        print logf "$usr has the same ID as $myusr ($id).\n";
    }
}
close(pwd);
if($found eq 0) {
    print logf "\nNo matches were found at ".localtime(time)."\n";
} else {
    print logf "Found [$found] matches at ".localtime(time)."\n";
}
close(logf);
# Replay the log file to STDOUT so the result is also shown on screen.
open(logf, "<$hdir/filethief-$fid.log") or die "cannot reopen log: $!";
while(<logf>) { print; }
close(logf);
exit(1);

EOF

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

[ PURSUiT News Update ]

Well after all, that's the
first issue of PURSUiT, so we have no news to talk about, so we will use this space for ideas, future features and other things.

Stuff we had in mind:
---------------------

1. Lamer list

This was the idea of one of us, just to take out rage on people that keep on bugging us, or just for the fun of it. If we include it in the future, I believe it won't be serious, just to have some laughs the night after it on IRC ;)

2. Shouts

It's my idea mostly, though I think it won't be included. If it is, we will probably use it to thank people who helped putting out the zine, reviewed it, made some corrections etc.

3. Docs exposing

Now this idea came through an anonymous source, which suggested that PURSUiT could drop docs of a few people here and there. The people we had in mind are mostly the ones that everyone hates (I won't declare them here :) but we first need to get the docs, so it might not go.

4. Questions\Answers section

This is mostly self explained: a section or column where people will be able to email us and we will answer the question in the zine, so that other people can know the answer too. If we get enough response for that, we might do it.

That's it for now; if you have other suggestions, ideas, or features you believe we should include just email us at:

  bxj -
  f0bic -

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSU
iT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PUR
SUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][P
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Well, we all hope you enjoyed the first issue of PURSUiT. Remember, you can always catch us on IRC, or email us.

EOF