GoNullYourself5:(gonullyourself5.txt):25/07/2011 << Back To GoNullYourself5

-+syhdddho. .+yhyssssssshm/ ```.-shsssoooosssssyN- :+oossssssssssdhsso/:::::/ssssshdo: .so/::::::::::/hyso/:------:sssssym+m. /y/:::::::::::+hss/:--------:sssssyd:yy /yo-.ys::::::::::::/hso/---------:ossssshs:om- Go Null Yourself E-Zine `mysyhh/::::::::::::hss:---------:ossssssd/:+hh :mo:::+sys+/:::/:::yyso--------:+sssssssyh:/+sN: Issue #5 - Summer/July 2011 +dso+/:+ssyyysoo:::dsss:----:/+sssssssssd+:++sdh /mssssosssssyho:::ohssso//++osssssssssshy::+osyN- www.GoNullYourself.org .myyyssss++sh/::::+hsssssssssssssssssshy/:/osssms +msssssyyyy/::::::dsssssssssssossssyhy//+ssssshN` yhso+++++++/////+/yyssssssss+:::syhhy+osssssssyM- -+h:os:-sdo.-os:../hyssssss+:/+sysosddyssssssymM/ :y+-:ssyNN+dMMh.sNNyohyysysyhmh:-yNMdsssssydd+yo "Sometimes I'm scared to ` `` :dMMMMNdMMMNhNMNNdoNMMm/dMMhsssssdmo. /y think of what goes on in .yNMMMMMMMMMMMMMMMMMMMMMNhssssymh- `d that insane head of yours..." :y:+NMMMMMMMMNMMMMMMMMMMNysssshd+` d +ddd::NMMMMMNdhMMMMMMMMMNysssyds. y` :mhdhd.:NMMNddhhNMMMMMMMNysssydh o- `+` `ddy.hhh`/NmdhNNdNMMMMMMNyssshy.d` `h: .hMo-. smo` :ddsohhmMMMdmMMMMMNyssyh/`os` oh` .mMMNNm- -ms shdhmmMMMMmmMMMMMhssyh- /+ +s` ,yNNNNNNNNo ,mMMMMMMMMd, .sNMMNo` yh` .mddo/MMMMmmMMMMhsshs` -- :: -Mm oMd `NM: .+dy- `m. yy. mMMMmmMMMhssd/ `-` :Mm -++++mM oMN mM: `/dd+. ./ ` yMMMmmMMdssd: ` -s` .NMmmmmmmMM 'MMmmmmmNMN' :hNh+. /MMMdmMdsyh. :ysNMy -dh dd. -hMMdo- -/.`/-.MMMdNmsyy` -dMMMM :Mm MM. :hMMMmy` :ysy-o+-s.MMMdNyyy` ./Nho- dNNNNNNNNN, MM. yM :Mm MM. :hMmh+-` `/ys+////ssMddyy` `.:+shyo-` NM: :My MM. yM :Mm MM. .``+ss/. `:yo:/ossNmyd` `/osdNNms:` MM: :MN MM. yM :Mm MM. `/oos/.`:so:/syym:.-. `.-:oNMNho-` MM: :MM mMNmmmmmMM :Mm MM. `-oooo++ss+oooo+s+. `-:+oso/-`.:` -oosoo+++oysyh/++oo++-`` .h+ sh :hdddddddh/ dd` :ds oddddddddy. `/ssyhy+syysoh/.` -Mm+++++++oMM mMs:::::oMm MM. /Mh MM::::::hMh -yhyo/yssdo+s: /sssyMMssso- mM/ oMM MM. /Mh MM :+/ `odyyyyydssyo+h/ .MM NMdyyyyydMN MMdyyyyymMh MM `/hysssssyd++//+d. `o+ `+ooooooo+` .+oooooooo: oo -yhssssssydy+++/ss `ohhssssssyyms+o/oo` hM: `/hysoooooosssdshoo- ,ddddddd-d ,yddddddddo dM/ ,ddddddddd` -ydyssssssssyyydh+. Mm+````` yMh`````yMM mM/ Mh```````` .odhssssssssssyyydo 'hhhhhhdM, yMh hhhhhh+ dMo MMNNNNNNNN. `/dhsooooooooosssssyh ,,,,,,,,MM sMN,,,,,,,, mMo My```````` .ydyssssssssssssssssym. .oooooooo+: `/ooooooooo /o- My .hNmmmmho++ooosyyhdhyydo My `yMMms-` `.hMMNhh` +: `yMmo. `yMMy` .-hMy. `sMN. dMMh: sMs /MN+ `dN+` hm- /MM/ .m. +Ms `.-/y+ ym -:+syhhhh/ .N/` `sdmmy/` 0x01 Introduction || 0x07 Hacking 15A Announcements Shadytel, Inc 0x02 Feedback + Edits || 0x08 Gawker Passwords Analysis SinThet 0x03 Public-Key Encryption and RSA diminov || 0x09 360-928-00xx Scan Shadytel, Inc 0x04 Iridium Satellite Network Shadytel, Inc || 0x0a Terminal Servicez br0 storm 0x05 An Introduction to x86 NASM storm || 0x0b ProjectMF - An Overview df99 0x06 Art of Crypto: Tips and Tricks duper || 0x0c Et Cetera, Etc. teh crew [==================================================================================================] -=[ 0x01 Introduction Ahoy there, and welcome to the 5th issue of GNY Zine, your one-stop shop for hax, cats, and slacks. Just kidding on the last one there - we don't actually wear pants. It's been a busy last couple of months in the hacking scene, mostly due to the various escapades of the attention-whoring group LulzSec, followed closely by the infamous collective of perpetually bored, angsty teenagers known only as Anonymous. Lulz were had, as always with these types of things, but like with everything else on the Internet, time passes and all is forgotten. Another passing phase. *yawn* Moving on to more important matters, we're proud to announce that this issue marks the one year anniversary of GNY Zine. We'd like to thank all of our contributing authors, for these are the people who make the zine what it is. Every aspect of GNY Zine is 100% volunteer work, and we greatly appreciate all the effort that our authors put forth to keep a steady supply of content available for our scheduled releases. We'd also like to thank our readers, who give the GNY team reason to publish. As long as the hacker spirit lives on, we will continue providing the scene with informative, educational material as often as we can. If you're a reader and wishing to help, please consider becoming an author! Submitting content is the most helpful thing a person can do! Further information about becoming an author is located at the end of this article. Now, for a few announcements... We are excited to report that OrderZero, the author of "Story of a Raid" from issue #1 and a close friend to the GNY community, has officially had all charges against him dropped. OrderZero was raided by the FBI in June 2010 in connection to a leak of confidential information from the website Lockerz.com, invoking Title 18, Section 1030 (Fraud and related activity in connection with computers). He was later contacted and told that the charges were being dropped due to his status as a minor, and all of his equipment and books were returned. We wish OrderZero the best of luck in the future. We are also proud to announce that Shadytel, Inc, the monopolistic telecom conglomerate responsible for innovations such as offering reduced comfort noise as a tariffed service and billing plans starting at 7 cents per DTMF, is unveiling its latest innovation: The Lean, Mean, LIGATT Machine 206-312-6033 The (LM)^2 is a crafty Asterisk script that generates random babble in the voice of Gregory D. Evans by stitching together samples of the random babble of Gregory D. Evans. The finest of quotes were sampled from the recorded phone interview with LIGATT (GNY Zine, Issue #4), and with a little magic, our shady, phreaky friends have ensured the endless supply of LIGATT comedy gold for years to come. If you'd like in on the eh oh els, the Lean, Mean, LIGATT Machine is reachable through the phone number listed above. Now, enough babble of our own. Let the zine begin. Notable Events ============== April 26, 2011 - Sony PSN is compromised and taken offline, beginning a long string of attacks May 5, 2011 - LulzSec begins its attention-whoring campaign May 21, 2011 - Lockheed Martin suffers a network intrusion linked to the RSA Security hack June 22, 2011 - Ryan Cleary, loosely linked to Anonymous/LulzSec, is charged by UK authorities June 25, 2011 - LulzSec ends its attention-whoring campaign July 1, 2011 - GNY Zine turns 1 year old (woohoo!) July 11, 2011 - Booz Allen Hamilton suffers an intrusion on one of its dev servers -=-=- Now, on to formalities... If you are interested in submitting content for future issues of GNY Zine, we would be happy to review it for publication. Content may take many forms, whether it be a paper, review, scan, or first-hand account of an event. Submissions of ASCII cover art that display the GNY logo in some way are also appreciated. Well-received topics include computer hacking and exploitation methods, programming, telephone phreaking (both analog and digital), system and network exploration, hardware hacking, reverse engineering, amateur radio, cryptography and steganography, and social engineering. We are also receptive to content relating to concrete subjects such as science and mathematics, along with more abstract subjects such as psychology and culture. Both technical and non-technical material is accepted. Submissions of content, suggestions for and criticisms of the zine, and death threats may be sent via: - IRC private message (storm, m0nkee, or Barney- @ irc.gonullyourself.org #gny) - Reddit (stormehh @ reddit.com/r/gny) - Email (zine@gonullyourself.org) If there is enough feedback, we will publish some of the messages in future issues. Our PGP key is available for use below. We have devoted a lot of effort into this publication and hope that you learn something from reading it. Abiding by our beliefs, any information within this e-zine may be freely re-distributed, utilized, and referenced elsewhere, but we do ask that you keep the articles fully intact (unless citing certain passages) and give credit to the original authors when and where necessary. Go Null Yourself, its staff members, and the authors of GNY Zine are not responsible for any harm or damage that may result from the information presented within this publication. Although people will be people and act in idiotic fashions, we do not condone, promote, or participate in illegal behavior in any way. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.11 (GNU/Linux) mQENBEzNnTIBCADCuSQtPeshJqqYd8KHfNoQ7ru3mWfwL3dc3MAgH1QYL1m1DSGs 3rAeWqyN2Jv1LVz2qLFXsqCdQhEW2wZg2tPPgoGiKAXbWE2itIoPSa/M1jrms6ai vwq2ySiWPi2F77Rlyuwqs2Acoj+AGm1JINejx7DcK8RLWDViw+f8DMHmDZI4SS+s fE7kVKh0/mLE7TGBXL7rCNA2bOPEHah0nQw2X18v3UNMV6R31FWVAZgSuL/RI+sV LOuKDANYuj36KxFlx2pDUwHDUcB+BMqxzmdosC98xu80fKuNVEsLz3HpUXTfdSLJ 6F4gyKs1n2q7f6JcsdfoZ4nmj0IATnTK9tvfABEBAAG0HnN0b3JtIDxoaXhtb3N0 b3JtQGhvdG1haWwuY29tPokBPgQTAQIAKAUCTM2dhwIbIwUJCWYBgAYLCQgHAwIG FQgCCQoLBBYCAwECHgECF4AACgkQ6oWhb3tw/4DtYgf9Ga/2HD5gP84qTZkh7aOx PZQJJ3wJpZmQGw8kSvJLhtfBsvJJd8PuPay8aBmkVT+S+p0qUYjxc/BTD57t9O4+ Yh8DRk4gK+L9gvqR/RE/GxMEO+cyMXl0Nl8bTkV/qCygoctbTLPPJF37ZEFF0dp1 1kWUSdTkJ7++gs7b0+YCX65oyyg8OpHVSmw9KUU90aHyfeu7MdgGrEGR+FNDn9uK m9WamrOp82UKmb8wytXfnbG7z2XvgRynxazl7I4ErExtr6pbyPJCryrIGmlG/qzT cabX6tHtRnVSgrB+BVWu+XpHRi1lns8QxXYvV4SBAZDEBDq6f1qMpHFxyzq7MNSP t7Qfc3Rvcm0gPHppbmVAZ29udWxseW91cnNlbGYub3JnPokBPgQTAQIAKAUCTM2d fAIbIwUJCWYBgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ6oWhb3tw/4CW Dgf/dr7c6POPiMPrf30J39UrlvaS3BFo66WgEY3wa24brtv24Y19Ehk8fmP78uS/ tkfdg+6Pu280ILechVjofDqjDHSyVSy+CSVp1TJpgYvPbIcEa4JQoscUEe4lGJGg 1akXKu4RX1/o5wQrC/Tokm0NySxSPZfPhOnR5Bu1C6zvhneLVKpgLflfsCvlokxN bo3TIAsfgqodkYR5CdyWGUYYQ9c4nbz0F6cSI2+k/mWFDljv4UQECl3MUcU2fNiC a+1FAT6wmohVylYyyaA6YPVoe/9g5mKWQZyUq++bduLvV1qotpk7uJpKe3tgMJTn /3tYZbhywejqTRRauGBSGv7QcrQgc3Rvcm0gPHN0b3JtQGdvbnVsbHlvdXJzZWxm Lm9yZz6JAUEEEwECACsCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheA BQJMzZ2KAhkBAAoJEOqFoW97cP+AS24IALcjJUygQnHg2kdIuGCErQP511aqxwFO CC5MEXRG+Mg7GLrtc6wy+D89ifWQldUR0UwK/S7MMQC2OhOJtdvjai7k8LfmeG1G iJZ6XYY7WEzaQWiVPso1P5SVo41OT38EXL6t2Ic3yGVGKJ9Vpo25SEmEoC9EL2Xa Blze0Z/6x5JUbK0yCY37vu2mYGLFpg7lCKQL24vg13OjNOMzeJFQssPCOeSCHkJv L+u5E9ohdUmHwWXAJVUieIu/S6sFDH0GrxNp8/YLhA4I/APpSjBZ6tofkrXNyajQ 9xjPT3KhuMErxRG+8a8iHhUH2VRibSdjwgJUxeg3DMqDQtxNFaRaFbqJAT4EEwEC ACgFAkzNnTICGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEOqF oW97cP+AMmcH/jrXI3Y+WVkC3XgaRC+CnInMNJSLnMpoX2hkKfJsIMiiH19O41+O W0U7bE0gvRjlDpQYEKlSnNz4a+bGmmceAmy6Rr11QsOuhtZG3/AfkhFEQ4f3U3zt 3miZILzcFc6vVXhXoq9stC6hoCzDPBu34s0OusHwxuVxX1eqCBSJYyrqSTlbxUKv SYFfC/MzU6Q+iSZgiPNTYdgKIN3JKqZ2726i5IJOu6xIKNQByU4nEgV+Z4YjH7YD MT9c6uSgqTACVM5h+3GW78G4Wl1E0lOXvimM/AEXHQSkZi34yq+JbOFspbyBhBz7 wRCIig4YSFDSwzPDdIx14NQlEq3+/tR9zx+5AQ0ETM2dMgEIALxlzgUfJ4leMnFF gURwNGM5x9aTquU548xI4ESCeaDMkj6nHhrV4NAliBq28i48UjgI7IdE3pKYfQXi aJZzQf4I+JULQkVzxF4uOjShhfXmhtABvBn+7du8qPqt5PwIFdb7ffmvXWFIX/in +4QlDnlrz7xMQJBrBE9S4BJzR5IgWxpb7xA1yUWEJ+5vME3R+JhJuozmmmuMBHR1 s8pk8oEVrdmqdHeG5YZLsMyR5Kh6qJbPcj96CS9CtQU3HiEW0nwv8c3tNPY/4rNf CAkeOWLAOvAq0Ybd82cIQr7Q0wVFo132H0Xs3Gw4MTiyvcd/BrGHeyjoBJfMhLCF elFSEn0AEQEAAYkBJQQYAQIADwUCTM2dMgIbDAUJCWYBgAAKCRDqhaFve3D/gBq2 CACpH3rPcPb4HswNplVUMift+b5dV2ETYuNFXMK8yblFXa9URA6vdUzqrF9XSc6+ Tz9v/PVWY6FKKpnH06cbZQS07FWuY+zopsipuPgTaFLQyLlG2M+OoQOyEUYUpBW+ wTJ2Jd4hPiTlaoCLg2niA0RyzxzbnelrTtDtFtMoqJJlLWdtFoITW8/OLASHA7vu bvRlfW89nueq9/4vEbxnvlUa7cOPtcZcGfHneHWV4JI9e5NJ6Agxp1gOkouF9/jn YneawjaEgI6QOS06yyTXOu/XCo6L+f4/wd+1EMzt+NjsUXSraeNw+tdjZEZ8Uo9/ 8QJQ4gF00KrsCCSrPyg/cZ5G =g7oJ -----END PGP PUBLIC KEY BLOCK----- [==================================================================================================] -=[ 0x02 Feedback + Edits We always strive to publish accurate information in GNY Zine, but we the authors and editors are in fact human beings and are subject to making mistakes from time to time, despite our best efforts. The publication, compilation, and distribution of this e-zine is derived entirely from our passion for technology and curiosity of how things tick. GNY Zine has no commercial influences. If you find that there is an error in content that we have published, please do not hesitate to email us so that it may be announced and corrected in the next issue. Not acting like a stuck-up elitist about it will probably invoke a more positive response too. With that being said, we are also receptive to content or personal experiences relevant to information presented in past issues. If you've written some code, applied a concept in a new way, or just want to voice your opinion about a topic, send us an email! We may be contacted at: zine@gonullyourself.org (PGP key is available in the Introduction) Please note that emails we like will be published in future issues, so specify if you wish for your message to remain private or if you wish for us to redact certain personal information from it. ---------------------------------------------------------------------------------------------------- Hey man, I'd like to congratulate you on having a zine and website that doesn't suck. Today's "hacker" culture tends to be either about e-penis (I hacked dis site cuz I'm l33t) or money (Credit Cards br0). Your zine seems in the vein of phrack, the spread of knowledge for intellect's sake rather than for idiocy, I salute you for that, quality material is always getting harder to find. Thanks, and keep up the good work! >> Thanks for the kind words - that's exactly what we're shooting for with the zine, so it's great >> to see that's how readers are receiving it. ---------------------------------------------------------------------------------------------------- Hi guys... Nice zine...I just came across yours and I can say I fairly like it. Great work! I just wanna report a small typo. In a section that talks about rootkit devel, it is said: finger @kernel.org In my box (CentOS), the working command is: finger -l @kernel.org OK, that's all. I hope that's useful. Have a nice day! :) -- regards, Mulyadi Santosa Freelance Linux trainer and consultant blog: the-hydra.blogspot.com training: mulyaditraining.blogspot.com >> Thanks for the heads up. However, testing it out on my fc13 machine, `finger @kernel.org` seems >> to be displaying the correct output: >> >> [storm@Dysthymia ~]$ finger @kernel.org >> The latest linux-next version of the Linux kernel is: next-20110418 >> The latest snapshot 2.6 version of the Linux kernel is: 2.6.39-rc3-git9 >> The latest mainline 2.6 version of the Linux kernel is: 2.6.39-rc3 >> The latest stable 2.6.38 version of the Linux kernel is: 2.6.38.3 >> The latest stable 2.6.37 version of the Linux kernel is: 2.6.37.6 >> The latest stable 2.6.36 version of the Linux kernel is: 2.6.36.4 >> The latest longterm 2.6.35 version of the Linux kernel is: 2.6.35.12 >> The latest stable 2.6.35 version of the Linux kernel is: 2.6.35.9 >> The latest longterm 2.6.34 version of the Linux kernel is: 2.6.34.9 >> The latest longterm 2.6.33 version of the Linux kernel is: 2.6.33.11 >> The latest longterm 2.6.32 version of the Linux kernel is: 2.6.32.38 >> The latest stable 2.6.32 version of the Linux kernel is: 2.6.32.28 >> The latest longterm 2.6.27 version of the Linux kernel is: 2.6.27.58 >> The latest stable 2.6.27 version of the Linux kernel is: 2.6.27.57 >> The latest stable 2.4.37 version of the Linux kernel is: 2.4.37.11 >> >> Running it on CentOS seems to be fine too: >> >> [storm@localhost ~]$ cat /etc/issue >> CentOS release 5.6 (Final) >> Kernel \r on an \m >> >> [storm@localhost ~]$ finger @kernel.org >> The latest linux-next version of the Linux kernel is: next-20110707 >> The latest snapshot 3 version of the Linux kernel is: 3.0-rc7-git1 >> The latest mainline 3 version of the Linux kernel is: 3.0-rc7 >> The latest stable 2.6.39 version of the Linux kernel is: 2.6.39.3 >> The latest stable 2.6.38 version of the Linux kernel is: 2.6.38.8 >> The latest stable 2.6.37 version of the Linux kernel is: 2.6.37.6 >> The latest stable 2.6.36 version of the Linux kernel is: 2.6.36.4 >> The latest longterm 2.6.35 version of the Linux kernel is: 2.6.35.13 >> The latest longterm 2.6.34 version of the Linux kernel is: 2.6.34.10 >> The latest longterm 2.6.33 version of the Linux kernel is: 2.6.33.16 >> The latest longterm 2.6.32 version of the Linux kernel is: 2.6.32.43 >> The latest longterm 2.6.27 version of the Linux kernel is: 2.6.27.59 >> >> The finger(1) manpage reports: >> >> If no options are specified, finger defaults to the -l style output if >> operands are provided, otherwise to the -s style. Note that some fields >> may be missing, in either format, if information is not available for >> them. >> >> It'd be interesting to see what difference on your system is causing finger to run without the -l >> flag as default. >> >> Anyways, thanks again, and glad that you enjoy the zine. [==================================================================================================] -=[ 0x03 Public-Key Encryption and RSA -=[ Author: dimonov What is encryption? ~~~~~~~~~~~~~~~~~~~ Encryption is a procedure which consists of an algorithm, and an encryption key. The typical method is to encipher a message with a key and an algorithm, to get the encrypted form, called ciphertext. Private-key encryption uses the same key for both encryption and decryption. Public-key encryption uses a different key for encryption and decryption. RSA is a public-key encryption algorithm. Public-key cryptography ~~~~~~~~~~~~~~~~~~~~~~~ With public-key cryptography: 1) The encryption algorithm is generally E(D(M)) = M 2) The decryption algorithm is generally D(E(M)) = M where M is the message, E(M) and D(M) is the ciphertext, with the encryption procedures being D and E on M. The encryption as well as the decryption in [1] and [2] are one-way functions. This means that even though D may be revealed in [1], it does not reveal an easy way to compute E, nor does it allow decryption of the cyphertext D(M). Why public-key cryptography? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ With private-key cryptography, if a person named Bob wanted to send an enciphered message to Alice, he would need to give Alice a copy of the encryption key to decrypt the message. The problem with this scenario is that the keys need to be distributed over a secure communication channel. This is called the "key distribution problem". Before a private communication can happen, there has to be a secure communication channel already in place. If the key distribution were to take place over an insecure communication channel, an intruder listening on the channel could decipher the ciphertext after receiving the encryption key. Public-key encryption "solves" this problem, because it does not require any private couriers; it's keys can be distributed over an insecure communications channel. Bob sending a private message to Alice ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In the public-key encryption process, if Bob wanted to send a private message to Alice, he would take these steps: (Encryption and decryption procedures are referred to with subscripts Ea, Da, Eb, Db.) 1) Bob retrieves Ea from a public key database. 2) He then sends her an enciphered message, Ea(M). 3) Alice deciphers the message using the algorithm Da(Ea(M)) = M. She can only decipher Ea(M) with Da. A response would need to be enciphered with Eb, which is also available in the public-key database. An intruder listening on the communication channel won't be able to decipher the ciphertext, since it isn't possible to derive the encryption keys from the decryption keys. The author assumes that the intruder cannot insert / modify messages in the channel. Bootstrapping using public-key encryption ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Public-key encryption can be used as a "bootstrap" to create a secure communication channel, over which another encryption key exchange can take place (one which depends on a private communication channel). Once a secure channel is created, the first message can consist of the encryption key to decipher further messages. Signing ~~~~~~~ Signing a message proves that a message wasn't forged; that it was created by the person who holds the private-key. Bob sending Alice a signed message ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If Bob wanted to send Alice a signed message, they would take these steps: 1) Bob computes his signature for the message M using Db. S = Db(M). Since each message in public-key encryption is the ciphertext for another message, this is valid. 2) He then encrypts S using Ea, and sends it to Alice. Alice receives Ea(Db(M)), or Ea(S). 3) Alice decrypts the ciphertext with Da to obtain S. Da(Ea(S)) = S. Alice now knows that the sender is Bob, by looking at the signature. 4) Alice extracts the message with the sender's encryption procedure, available in a public-key database. Eb(S) = M. Alice now has a message-signature pair of (M, S) from Bob. Bob cannot later deny the fact that he sent the message, since nobody else could have created the signature S = Db(M). If Alice decides to go to court, she would only need to show a judge the message-signature pair (M, S), to prove that it was created by Bob. Alice cannot modify M, since she would need to generate a corresponding signature, S' = Db(M'). Rivest, Shamir, and Adleman's method ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Using RSA, a public-key encryption algorithm, a message M is encrypted with an encryption key (e, n). e and n are a pair of positive integers. The algorithm is as follows: 1) The message M is broken into a series of blocks. Each block is represented as an integer between 0 and n-1. 2) The message is then raised to the e'th power modulo n. That is, the resulting ciphertext is the remainder when M^e is divided by n. C ≡ E(M) ≡ M^e (mod n). 3) Decrypting the ciphertext is done by raising it to the power d modulo n. D(C) ≡ C^d (mod n). The encryption key (e, n) and the decryption key (d, n) are a pair of positive integers. Each user makes his encryption key public, and his decryption key private. Choosing encryption and decryption keys ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The algorithm to choose encryption keys is as follows: 1) n is computed as a product of two very large random prime numbers p and q. Although n will become public, p and q will be hidden from everyone else, because of the difficulty in factoring p and q from n, if they are large enough. n = p * q. 2) A large random integer which is relatively prime to (p - 1) * (q - 1) is chosen for d. That is, d is checked to make sure it satisfies gcd(d, (p - 1) * (q - 1)) = 1. Note: gcd = greatest common divisor. 3) The integer e is computed from p, q and d to be the "multiplicative inverse" of d, modulo (p - 1) * (q - 1). The formula used is e * d ≡ 1 (mod (p - 1) * (q - 1)). Encrypting and decrypting efficiently ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To encrypt and decrypt with the RSA algorithm efficiently, a technique called "exponentiation by repeated squaring and multiplication" is used. In this implementation, enciphering and deciphering are similar, making it possible to implement the algorithm in a few special-purpose integrated chips. Using this procedure, M^e (mod n) can be computed in 2 * log e (base 2) multiplications and divisions. The steps to do this are as follows: 1) Let Bk, B(k-1), ..., B(1), B(0) be the binary representation of e. 2) Set C to 1. 3) Repeat steps 3a to 3b for i = k, k-1, ..., 0: 3a) Set C to the remainder of C^2 when divided by n. 3b) If Bi = 1, then C is set to the remainder of C * M, when divided by n. 4) C is now the encrypted form (ciphertext) of M. Finding large prime numbers ~~~~~~~~~~~~~~~~~~~~~~~~~~~ The prime numbers p and q have to be large enough, to make it computationally infeasible or impossible for anyone to factor n = p * q. This is worth noting, because it n will be in the public key database, whilst p and q will stay secret. This is why RSA's authors recommend at least 100-digit prime numbers for both p and q. This has the effect on n, that it becomes a 200-digit number. An algorithm for finding large prime numbers is included below. 1) Generate 100-digit random numbers, and test them for primality. About (1n^100)/2 = 115 numbers will be tested, according to the prime number theory. 2) Testing a large number b for primality is done by choosing a random number 'a' from a uniform distribution {1, ..., b-1}, and testing whether gcd(a, b) = 1, and J(a, b) ≡ a^((b-1)/2) (mod b), where J(a, b) is the Jacobi symbol. 3) If this holds true for 100 randomly chosen values of a, then b is almost certainly prime. There's a negligible chance that b is composite, although even if a composite b were used in RSA, the decryption wouldn't work correctly. When b is odd, a <= b, and gcd(a, b) = 1, the Jacobi symbol J(a, b) has a value in {-1, 1}, and can be efficiently computed using the code: J(a, b) = (a == 1)? 1 : (iseven(a)? J(a/2, b) * (-1)^((b^2-1)/8) : J(b(mod a), a) * (-1)^((a-1)*(b-1)/4)); Another technique to finding large prime numbers, is taking a number of known factorization, and incrementing it by 1, then testing the result for primality. If a prime p is found, it can be proved that it really is prime by factorizing p-1. Computing d from ϕ(n) ~~~~~~~~~~~~~~~~~~~~~~~~ Any prime number greater than max(p, q) can be used as d, although it's important to use a number from a large enough set, to prevent it being found by a direct search. A variation of Euclid's algorithm can be used for computing d from ϕ(n): 1) Calculate gdc(ϕ(n), d), by computing a series X0, X1, ..., where X0 = ϕ(n), X1 = d, and X(i+1) ≡ X(i-1) (mod Xi), until Xk is equal to 0. 2) gcd(X0, X1) = X(k-1). Compute for each Xi the numbers Ai and Bi, such that Xi = Ai * X0 + Bi * X1. If X(k-1) = 1, then B(k-1) is the multiplicative inverse of X1 (mod X0). Since k will be less than 2 * log n (base 2), the computation is rapid. 3) If e < log n (base 2), start again, by choosing a different d value. This guarantees something called a "wrap-around" (reduction modulo n) for every encrypted message except M = 0 or M = 1. Security considerations ~~~~~~~~~~~~~~~~~~~~~~~ Since there aren't any known techniques to "prove" that an encryption algorithm is secure, the only way to test it is to see if anyone can break it. Whilst factoring numbers isn't difficult, no one has yet found an algorithm to factor a 200-digit number within a reasonable timeframe. The security of the RSA algorithm depends on the factorization of large prime numbers being infeasible: if a more efficient and faster factorization method is discovered, it would weaken the algorithm's security. A word of note is that there is the presumption of physical security to the private keys. Factoring n ~~~~~~~~~~~ Factoring n would allow someone to break the RSA algorithm, since the factors of n, which are p and q would allow the computation of ϕ(n), and d. Factoring is much more difficult than determining whether a number is prime or composite. Computing ϕ(n) ~~~~~~~~~~~~~~~~~ Computing ϕ(n) would allow someone to break RSA, by using the result to compute d as the multiplicative inverse of e modulo ϕ(n). This approach, however, is no easier than factoring n. The method to compute ϕ(n) is as follows: 1) (p + q) is obtained from n, and ϕ(n) = n - (p + q) +1. 2) (p - q) is the square root of (p + q)^2 - 4n. 3) q is half the difference of (p + q) and (p - q). q = ((p + q) - (p - q))/2 Because ϕ(n) is trivial to compute if n is prime, n must be composite. Computing d ~~~~~~~~~~~ Once d is computed, n could be factored easily; which is why computing d is no easier than factoring n. If d is known, n could be factored as follows: e * d - 1 is calculated, which is a multiple of ϕ(n). [n can be factored using any multiple of ϕ(n), according to Miller and Rieman's hypothesis and tests for primality.] References ---------- A Method for Obtaining Digital Signatures and Public-Key Cryptosystems - by RL Rivest, A Shamir, and L Adleman, MIT Laboratory for Computer Science and Department of Mathematics [Communications of the ACM, 1978]. [==================================================================================================] -=[ 0x04 Hacking the Iridium Satellite Network -=[ Author: Shadytel, Inc -=[ Website: http://www.shadytel.com Hello again there kids - It's time for yet another slice of the Shadytel world. This issue, it'll be double the Shadytel, double the fun! This time, we're here to talk about a network you probably don't know about, but has carried voices farther than the length of any voyage man has traveled, and lives above - even beyond us. This time, Shadytel is breaking into space. In 1998, Iridium was the next big thing. With 2400 bits of goodness, and one of the most expensive vocoder licenses known to man (AMBE or Advanced Multi Band Excitation licenses are thought to range anywhere from $100,000 to $1,000,000 US dollars), the company had something to prove - mostly that people would pay dollars a minute to make a phone call. In less than two years, they went bankrupt. Despite a strong backing from Motorola, the company was only able to keep the network afloat so far. Plans were made to let all 66 satellites, and the spares alike, burn up in the atmosphere or crash into the ocean. Fast forward to today. The Iridium network as we know it still exists. Sort of. The US Department of Defense, fearing the network they'd bought thousands of handsets for would stop working, started pumping as much money as they could into the zombie of a company. In addition to their stake of ownership in the company, the DoD has a gateway off a base in Hawaii. To this day, the Department of Defense still makes up 23% of the company's revenue. Moving onto the network itself, not much in the way of hardware has changed since 1998; nearly all calls are processed via a PSTN gateway in Tempe, Arizona, though rumors suggest that a functional gateway still exists in Avezzano, Italy. Beyond the Qwest 5ESS that links them to the outside world, very strange things exist on the Iridium side, most notably a Siemens D900, a modified EWSD typically used for GSM services working with a custom IVR to run the show from the ground. This could possibly justify Iridium's explanation of their 66 low earth orbit satellites "functioning not unlike extremely tall cellular towers." So with the very, very notable DoD presence on a network used excessively by foreign embassies and other strange organizations willing to pay a high price for a network possibly neutral from corrupt nations, is this article meant to expose the company as a government front? Hell no! We're here to help you own the crap out of it! From a numbering plan standpoint, Iridium is very sporadic, occupying a large number of hundred blocks on Qwest's Tempe 5ESS, TEMPAZMCDS0. Exceptions to this exist, though. In one range is an IVR simply known as the two-stage dialing service. More accurately, since calls to Iridium's country code +881-6 are not only blocked on some carriers, but hideously expensive (ranging anywhere from $1 to $5 per minute), Iridium made the decision to let the called party pay said dollar per minute if they decide to opt in. While the number (480-768-2500) is useful for scanning, it's also a little misleading. There are twenty available numbers in that range, and two others assigned; 2505 goes to some unnamed calling card platform, presumably for cheap access to the Iridium network, and 2510 goes through the satellite gateway switch to a modem; what looks to be a Lucent Portmaster. Beyond these, most numbers will go to ordinary Qwest subscribers. This is the sort of environment you need to be accustomed to when dealing with Iridium. They'll often take up roughly anywhere from twenty through fifty numbers in a hundred block, instead of using the whole thing. Exceptions exist, though, particularly in exchanges occupied or near their Avaya PBX. Speaking of which, aside from the Iridium test number, which we'll discuss in a bit, the Iridium PBX is only good for two things: - Steely Dan hold music - Bugging NOC employees inhabiting the building 24/7 This would also be a good time to mention that the satellite master control center, according to Iridium's 1997 website archive, is in northern Virginia, a territory where the company's current incarnation has a corporate headquarter presence to this day. Getting back to Tempe though, there are numbers that Iridium publishes for people to use, and given the spastic nature of the way numbers are assigned, every little bit certainly helps. For example, there's 480-752-5105. This is a free call for Iridium subscribers, but more importantly, it's a PBX range owned by Iridium. Nearby in that exchange, 40xx, 41xx, and 42xx are all jammed full of numbers pointing to the D900. There's also 480-345-4340, the Iridium fax service. And since we're a reputable corporation filled with shady deviants, we're releasing an Iridium range just for you. 480-456-7000 through 8199 will largely go to the D900, giving all of you lazy phreaks more than enough room to start. Finally, once you find yourself needing to know which numbers are which on the Iridium network, either by way of the two-stage dialing system, alarming amounts of toll-fraud, or voicemail numbers announced on the dedicated DIDs, there is indeed structure to the way their exchanges are provisioned. Here's a handy guide for just that: 8816-214 Commercial Accounts 8816-224 Commercial Accounts 8816-310 Test/Demo Accounts 8816-314 Commercial Accounts 8816-315 Prepaid Accounts 8816-316 Prepaid Accounts 8816-317 Colombia Ministry of Defense 8816-318 Crew Calling Card 8816-414 Commercial Accounts 8816-415 Prepaid Accounts 8816-514 Commercial Accounts 8816-629 contains smsc, etc 8816-762 DoD limited voice service 8816-763 DoD voice service 8816-766 DoD international voice service There are other unconfirmed myths we have about the Iridium network, such as a partnership with Sprint long distance, or the deep voiced male network announcements coming from the satellites themselves, but that's where we pass the torch on. We bring you our unsolved mysteries, make them the solved secrets that only you know. Go forth, shady readers, and happy dialing! [==================================================================================================] -=[ 0x05 An Introduction to Programming with x86 NASM -=[ Author: storm -=[ Email: storm@gonullyourself.org -=[ Website: http://gonullyourself.org/ This article is meant to serve as a SIMPLE and INTRODUCTORY guide to writing x86 assembly code on Linux using the NASM assembler. When I first began learning assembly, I realized that there weren't many quality resources suited for a beginner to the language, and I found myself learning mostly through word-of-mouth and referencing well-documented pieces of source code. I wished to write an article that would make up for this, bringing the cryptic language down to a level that beginners could understand. Please understand that the style of writing lends itself to potential for definitions that are not 100% correct in every possible technical sense, but this is intentionally done to promote understanding when one may not possess a full grasp of all the underlying concepts. For this article, we will be working with the following "Hello World" example: section .text global _start _start: mov eax, 4 mov ebx, 1 mov ecx, hello mov edx, hellosize int 0x80 mov eax, 1 mov ebx, 0 int 0x80 section .data hello db 'Hello world',0x0d,0x0a hellosize equ $-hello To get straight to the point, here's the quick and dirty way to compile a program with NASM: [storm@Dysthymia ~]$ nasm -f elf hello.asm [storm@Dysthymia ~]$ ld hello.o -o hello [storm@Dysthymia ~]$ ./hello Hello world [storm@Dysthymia ~]$ It is important to note that when we write assembly code, we will be using the Intel syntax. The two syntaxes primarily used on x86 are Intel and AT&T, of which the most noticeable difference between the two is the order of operands (the arguments) in instructions. The Intel syntax looks like: mov dst, src such that the following instruction: mov eax, 100 stores the value 100 (source) into the eax register (destination). The AT&T syntax is exactly the opposite: mov src, dst It also adds some syntactic sugar, distinguishing between immediate operands (hard-coded values) and registers: mov $100, %eax For the length of this article, we will be using: http://gonullyourself.org/main/shellcode/documentation/Linux%20x86%20System%20Calls%20Reference%20for%20kernel%202.6%20and%20higher/main.html as our referenced documentation. Note that everything found in this documentation has its own manpage, but it is agreeably cryptic and may pose intimidating to a beginning programmer. This reference was shamelessly stolen from the LSCR project (http://sourceforge.net/projects/lscr/), so you may download a local copy of it bundled in the latest tarball. Open the system calls reference in your web browser and click on the Index view. Scroll down to sys_write and select it. On the page, we see: eax 4 ebx Device descriptor. ecx Pointer to the buffer containing the data to be written. edx Number of bytes to be written. These four arguments - eax, ebx, ecx, and edx - are called 'registers'. If you're not familiar with registers, think of them as analogous to variables in high-level languages, like PHP or Python. Only with assembly, these reside on the CPU itself. Let's consult Webopedia: A, special, high-speed storage area within the CPU. All data must be represented in a register before it can be processed. For example, if two numbers are to be multiplied, both numbers must be in registers, and the result is also placed in a register. (The register can contain the address of a memory location where data is stored rather than the actual data itself.) The number of registers that a CPU has and the size of each (number of bits) help determine the power and speed of a CPU. For example a 32-bit CPU is one in which each register is 32 bits wide. Therefore, each CPU instruction can manipulate 32 bits of data. Usually, the movement of data in and out of registers is completely transparent to users, and even to programmers. Only assembly language programs can manipulate registers. In high-level languages, the compiler is responsible for translating high-level operations into low-level operations that access registers. CPUs have a specific number of registers as well as specific names and purposes for each of them. All of these change from architecture to architecture. For instance, on the x86 architecture, 16-bit systems have the four general purpose registers ax, bx, cx, and dx. On 32-bit systems, these four registers were 'e'xtended into eax, ebx, ecx, and edx. 64-bit systems extended these four registers even further, and they became rax, rbx, rcx, and rdx. For this article, we are working with a 32-bit x86 system. When writing assembly code, our goal is to manipulate the contents of registers in such a way to set the stage for executing system calls. System calls (syscalls) basically act as an API to the kernel to do the most basic of basic tasks. Each kernel (Windows, Linux, XNU, so on) provides different syscalls, and this list usually expands with newer versions. Similar to how the PHP language gives us print() and fwrite(), the Linux 2.6 and higher kernel provides us with sys_write, which we use in our hello.asm program. You can read the official manpage of sys_write at `man 2 write`. In case you didn't know, manpages are divided into sections, and section 2 is devoted entirely to syscalls. Now that we know the basics, let's step through our code. The first line of our hello.asm program: mov eax, 4 What we are doing here is storing the value 4 to the eax register. By doing this, we are setting ourselves up to tell the CPU, "Hey, when I tell you to, execute syscall #4." Each individual syscall has a unique number, and by looking back at the documentation for sys_write, we see that it's assigned the number 4. If we wanted to execute sys_uname instead, for instance, then we would store the number 122 to eax. Moving onto the second line, we see: mov ebx, 1 In the documentation, we can see that ebx is used for: ebx Device descriptor. This is simply a cryptic way of asking the programmer "Where do you want to write the data to?" The POSIX specification standardizes three device descriptors: STDIN (Standard In) - input STDOUT (Standard Out) - output STDERR (Standard Error) - error When you type on the command line to give input to a program, you are writing data to STDIN. When a program prints data to the screen, it is writing to STDOUT. When a program prints an error message, it is writing to STDERR. Each of these device descriptors is assigned a number: 0 - STDIN 1 - STDOUT 2 - STDERR We store the value 1 to ebx, because we want sys_write to write to STDOUT, i.e., the terminal. If you instead wanted to write to a file, then we would first use the sys_open syscall, which returns a file descriptor (represented by a number) that we would then pass on to sys_write. Predictably, we will want to set up ecx next: ecx Pointer to the buffer containing the data to be written. We do this with the next line in our code, where we store a pointer to the string "Hello world\r\n" to ecx: mov ecx, hello To explain this operation we are doing, look down below, where you'll see the declaration of the string "Hello world\r\n": hello db 'Hello world',0x0d,0x0a Looking at the NASM documentation, the NASM language provides the following pseudo-instructions to declare data in a program: db value ; Allocate a byte sized value dw value ; Allocate a word sized value dd value ; Allocate a dword sized value Here we declare a string using the db pseudo-instruction (as it's not an actual instruction in the assembly language, but a tool offered by NASM), which is stored to the .data section of memory (designated for initialized variables). We assign this value to the name 'hello', which is not a register, but another tool offered by NASM that allows us to work with the notion of variables in writing our program. It should be noted that the actual string is not assigned to 'hello'; instead, 'hello' represents the location in memory where our given string is stored, called a pointer. This pointer is passed on to ecx in our program. Instead of writing the string itself to the ecx register (since registers are very small), we instead give it a pointer to the data we want to write. To reiterate, a pointer is simply a memory address that "points" to the data residing at that address. When we want to run our program, the "Hello world\r\n" string is copied into memory, and the address of where these bytes are located would be the value of our pointer. Most programs written in the C language work closely with the notion of pointers too. A buffer or function is referenced by its name, and a pointer to the buffer or function is obtained by prefixing the name with an ampersand (&). Here, we can see the pointer at work in our program: [storm@Dysthymia ~]$ gdb hello GNU gdb (GDB) Fedora (7.2-51.fc14) Copyright (C) 2010 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "i686-redhat-linux-gnu". For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>... Reading symbols from /home/storm/hello...(no debugging symbols found)...done. (gdb) info variables All defined variables: Non-debugging symbols: 0x080490a4 hello (gdb) x/13xb 0x080490a4 0x80490a4 <hello>: 0x48 0x65 0x6c 0x6c 0x6f 0x20 0x77 0x6f 0x80490ac <hello+8>: 0x72 0x6c 0x64 0x0d 0x0a (gdb) As you can see, this is exactly the value that 'hello' is replaced with (look at offset +10). (gdb) disassemble _start Dump of assembler code for function _start: 0x08048080 <+0>: mov $0x4,%eax 0x08048085 <+5>: mov $0x1,%ebx 0x0804808a <+10>: mov $0x80490a4,%ecx 0x0804808f <+15>: mov $0xd,%edx 0x08048094 <+20>: int $0x80 0x08048096 <+22>: mov $0x1,%eax 0x0804809b <+27>: mov $0x0,%ebx 0x080480a0 <+32>: int $0x80 End of assembler dump. (gdb) Our fourth line of the code: mov edx, hellosize By looking at the documentation, we see that edx is associated with: edx Number of bytes to be written. If you look down below to the bottom of the code, we see demonstrated some special syntax that grabs the size of our 'hello' string and saves it to 'hellosize', analogous to strlen() in C. Instead of storing the literal number 13 to edx (11 bytes for the text, 2 bytes for the carriage return and newline), we just say "whatever the size of 'hello' is". By doing this, it abstracts the process of determining the length of our string, which is useful should we change the string being written. For example, if we change 'hello' to instead be "Hello there world, how are you?\r\n", then the value stored to edx will automatically change to 33. With the original "Hello world\r\n" string in mind, we can give edx a value of 5 and it will only print "Hello". If we give edx a value of 11, then it will only print "Hello world" with no trailing whitespace. The next line in our asm code: int 0x80 This is called a kernel interrupt and is basically our program's way of notifying the kernel that everything is set and we're ready to run the syscall. At this point, the value of eax will be read and recognized to hold a value of 4, prompting the kernel to run sys_write. The remaining registers are read and passed as arguments to the kernel function. If you'd like a first-hand look at what's happening under the hood, then take a look at the Linux kernel source code, itself. As of the writing of this article, we are looking at the latest stable release of the kernel, 2.6.39.3. The sys_write function resides in fs/read_write.c : SYSCALL_DEFINE3(write, unsigned int, fd, const char __user *, buf, size_t, count) { struct file *file; ssize_t ret = -EBADF; int fput_needed; file = fget_light(fd, &fput_needed); if (file) { loff_t pos = file_pos_read(file); ret = vfs_write(file, buf, count, &pos); file_pos_write(file, pos); fput_light(file, fput_needed); } return ret; } Each register we set matches up exactly to each argument passed to the function: an (unsigned) integer to the file descriptor we're writing to, a pointer to the buffer of data we're reading from, and a count of how many bytes to write. The kernel will execute the syscall and print out "Hello world\r\n" to STDOUT. Looking further down the example code, there is one more interrupt we execute before the program is finished. Corresponding to an eax value of 1 is the sys_exit syscall, which is used to cleanly terminate the current process. The ebx register holds an integer that represents the return value of the process. It is mostly standardized that a return value of 0 means "no error," while a return value of anything but 0 means an error of some sort occurred. Concerning errors in processes, the integer returned is matched to a specific error code by consulting the program's documentation. This is different than error reporting in C, where the return value upon error is usually -1, and the integer representing the error code is stored to the 'errno' buffer. Expectedly, our simple program has encountered no errors, so we mov the literal value of 0 to ebx and execute the syscall, effectively ending the program. As outlined at the beginning of the article, we now compile our NASM program like so: [storm@Dysthymia ~]$ nasm -f elf hello.asm [storm@Dysthymia ~]$ ld hello.o -o hello [storm@Dysthymia ~]$ ./hello Hello world [storm@Dysthymia ~]$ If you're of the curious type, you may wish to start analyzing other binaries and see which system calls they execute. This can be done using the `strace` command: [storm@Dysthymia ~]$ strace ./hello execve("./hello", ["./hello"], [/* 62 vars */]) = 0 write(1, "Hello world\r\n", 13Hello world ) = 13 _exit(0) = ? [storm@Dysthymia ~]$ It may be interesting to observe the complex execution path that's followed even when a simple program like `echo` is run without any arguments. Hopefully after reading this, you have gained a fundamental understanding of the assembly language and other basic, universal OS concepts. In future issues, we'll take it one step further and use our knowledge to reverse engineer programs, and build exploit payloads, better known as shellcode. [==================================================================================================] -=[ 0x06 The Art of Crypto: Tips and Tricks -=[ Author: duper -=[ Website: http://projects.ext.haxnet.org/~super/ .______________________________________, | | | The Art of Crypto: Tips and Tricks | :______________________________________: | | | | | [=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%] | | { } | | [ another fine article brought to ] | | [ you by duper of HaxNet #projects ] | | { } | | [%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=] | ; ! `=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-' Before I begin, I'd like to make it absolutely clear that I am by no means: a professional code breaker, an expert cryptographer, or a math genius. Therefore, this article does not aim to cover low-level implementation details, such as the looking tables and their corresponding S-boxes (Substitution boxen). Furthermore, the theory behind some advanced attacks, such as collisions in one-way hash functions as in the case of MD5, will be touched upon, but the finer mathematical and technical idiosyncrasies are irrelevant in what follows. Similarly, the following text will not be dedicated to subtleties like easily constructed subliminal channels, such as the well-known single character modification to the Digital Signature Algorithm (DSA, also known as El Gamal). The purpose of this rambling treatise is to share effective techniques and experience that I've gained over the years which can be immediately applied to practical information security scenarios by both those that are relatively new to hacking crypto and the seasoned system administrator as well. The primary goal is to present some tips and tricks that can be used to easily identify and exploit weaknesses that are commonly found in custom and well-known cryptosystems in the wild. Initially however, some preliminary historical information will be outlined, as it pertains to the current state of cryptographical science today. Only a small amount of prefunctory encryption knowledge is assumed; if the reader happens to lack even this, then some introductory reading resources are recommended in order to get up to speed with the material. If you're unfamiliar with the names "Alice", "Bob", and "Eve" (among others) when used as generic wildcards in theoretical public key infrastructure (PKI) examples (similar to "foo", "bar", and "baz" in code samples), chances are you should at least breeze through some reference literature pertaining to the study of making/breaking ciphers on the web -- make sure you're familiar with at least a few abstract concepts that are relative to the public key and private key approaches to encryption. If you've never even heard of public or private key crypto before, then before continuing with this article you really should invest a bit of attention to at least the first several chapters from the books which essentially represent the bibles of the crypto world: 'Applied Cryptography: Protocols, Algorithms, and Source Code in C', and 'Practical Cryptography' (the second edition is called 'Cryptography Engineering'). 'Practical Cryptography' and its renamed counterpart are co-authored by Niels Ferguson, while all of the fly named titles are authored by Bruce Schneier, the man who some say is the closest thing that the digital security industry has to a rock star. Bruce maintains a consistently updated blog on his web site: www.schneier.com. The source code for the older, yet still extremely relevant piece 'Applied Cryptography,' is freely downloadable from his site. Now that we've gotten the prerequisites out of the way, let's start off with some interesting historical background. As most of you probably already know, a sender encoding some message with a cipher in attempt to keep the real meaning a secret, while still enabling it to be read by the intended recipient(s), has been utilized in the art of war for ages. A popular example that just about every hacker has at least heard of is Julius Caesar's simplistic substitution or "rotating" cipher; without a doubt, ROT13 is a permanent fixture in crypto lore and related subjects. A more modern, yet less conventional employment of encoded messages was carried out by the United States of America, which took advantage of a small segment within its indigenous population to speak their traditional language in radio transmissions between battleships in the Pacific. This Native American (or American Indian -- take your pick) language was more or less unknown to the rest of the world. This fact, combined with the time and difficulty inherent in the process required to conduct a linguistic analysis of the dialect by opposing forces, led to much success in the secret communication of urgent war time agendas for the Americans. Quite appropriately, the indigenous peoples that made such an effort possible became known forevermore as "code talkers." Due to ongoing conflict across the globe, the mid-twentieth century witnessed many innovations in code making and code breaking come and go. For example, messages transmitted via Continuous Wave (CW) Morse code by the "Enigma" crypto machine, developed by Nazi Germany circa World War II, were decrypted by the Western Allies after acute observation of permutation and group theory principles by the notorious Charles Babbage. These machines were certainly pretty crude by today's standards and became obsolete soon after their invention. Soon after, the U.S. enacted legislation which consolidated previously existing defense organizations tasked with code-breaking during the war effort into the National Security Agency (NSA) as it's known today. Since its inception, the NSA has been first and foremost: a highly specialized government wing specializing in the practice of cryptographic endeavors (which is evidenced by prominence of a key pictorial on the agency's seal). Several decades later -- through the continuous progression of Moore's Law, extremely complex cryptographic systems and algorithms became available residentially, most as notably Phil Zimmerman's Pretty Good Privacy (PGP) e-mail encryption protocol began to enjoy widespread use. Not long afterwards, with the growth of the World Wide Web and the vast increase of electronic commerce transactions taking place over the Internet, Secure Sockets Layer (SSL) was coded into the fabric of all popular web browser software as a transport layer security (TLS) mechanism, which just about brings us to where we are now. Realistically, it doesn't take a genius to be able to crack a cipher. An obscene amount of children and housewives do it daily without realizing while solving the word jumble puzzles most commonly found near the comics section in locally distributed newspapers. If one knows what to look for, it's really not all that difficult to point at least a few weaknesses that exist in the majority of cryptosystems used by Internet applications and other computer programs. Of course, some issues are much more severe the others. The remainder of this article will contain at least a brief description for each of a vast number of encryption weaknesses commonly encountered on the Internet today. Typical encryption-related security holes found on web servers and other daemons implementing SSL will be discussed as well as some common misconfigurations that occur in the deployment of public key infrastructure on the Internet in general. Up until recently, one of the most commonly existing weaknesses in web servers featuring the HyperText Transfer Protocol/Secure (HTTPS) method was the permission of SSL version two connections from web browsers. SSLv2 has long been known to be vulnerable to a man-in-the-middle attack which involves re-negotiating the same SSL handshake that is performed after a client connects to the server's listening port. The third version of the SSL protocol was supposed to fix this weakness, however it arose again in a slightly different form. It seems that the most recent versions of the OpenSSL library no longer permit the re-negotiation of an SSL session at all. Not long ago, a new stream could be negotiated with the server-side by simply pressing capital "R" within an ongoing connection using the s_client program. $ openssl s_client -ssl2 -connect google.com.:443 Another commonly found weakness involves the usage of weak encryption algorithms used to encrypt data that transmitted over a Transport Control Protocol (TCP) connection encrypted by SSL. For example, crypto algorithms classified as export-grade produce ciphertext which doesn't take long at all to crack, even if a brute force search attack is being performed on computing hardware that is considered relatively modest by today's standards. $ openssl s_client -connect EXPORT40 google.com.:443 $ openssl s_client -connect EXPORT56 google.com.:443 Another weakness that commonly occurs on SSL servers is the use of the Electronic CodeBook (ECB) mode of encryption. The problem here is that each ciphertext block corresponding to identical plaintext will also be identical even after being encrypted. This is because the algorithm basically remains in the same computational state from start to finish. After the initial block of text is run through the cipher, if an identical block of text is encountered later on in the message, it will yield the same exact ciphertext as the preceding equivalent block. Such a situation is called a "known plaintext attack." In general, crypto software configured for ECB mode is unacceptable. Especially since more secure modes such as Cipher Block Chaining (CBC) and Cipher FeedBack (CFB) mode are usually available. CBC and CFB modes take the results from previous encoding iterations and use them as input while encrypting the remaining plaintext blocks. In this way, if two or more blocks with identical text happen to appear in the input stream, then the ciphertext output between them will differ. This makes cryptoanalysis a significantly more difficult job. Note that the described weakness in ECB mode will not arise if the plaintext length happens to be less than or equal to the encryption algorithm's block size. Nevertheless, Electronic CodeBook should still be avoided algorither, just in case the key and/or input size change unexpectedly. Some extra efficiency isn't worth the loss in data security. Typically, daemons that provide SSL services are linked with the OpenSSL library. Usually, this is a vulnerability in and of itself since the crypto security playing field is constantly in motion. It's more than likely that a currently running service was compiled prior to the release of a new OpenSSL release which patches one or more publicly known security holes. Depending on how a particular daemon is setup, it's quite likely for the version number or other information about about the utilized encryption library to be leaked through a client network connection. Other popular application programming interfaces (APIs) for encryption include Mozilla's Network Security Services (NSS), GnuTLS, Bouncy Castle, Beehive, the Microsoft .NET Framework's System.Security.Cryptography namespace, etc. Although these are fairly common libraries, and each exposes a wide range of crypto functionality, it is by no means an exhaustive list. As time unfolds, vulnerabilities are publicized and patched in either a crypto API itself, or a specific unsafe usage of it within a software package dependent upon one or more of the open source and/or commercial crypto APIs. For instance, an application could be using the latest version available of any given encryption library and still risk data compromise as a result of improper key management, use of a weak algorithm/mode/key/etc., as well as other mishaps that are mentioned later in this text. As an example, consider an application encrypting lengthy input blocks via a weak block cipher mode, with a private key value equivalent to a commonly used default password that's being transmitted over a plaintext SOAP/XML web service (i.e. lacking both HTTPS and WS-Security), all while using an algorithm that has thoroughly researched weaknesses -- think RC2-ECB and a 40-bit key. Aside from promiscuously sniffing network traffic, which was possible for the example given in the previous paragraph, there are many other situations that can lead to private key plaintext or ciphertext exposure. Gaining access to the private key's plaintext is certainly preferred from an attacker's perspective. It's not quite "game over," but knowledge of ciphertext relating to a private key such as a Key Encrypting Key (KEK), or the ciphertext of the private key itself, takes the attacker one step closer to cracking the plaintext private key. The usage of default keys for block ciphers and private certificates available out-of-the-box in software products attempting to take advantage of PKI are other possibilities. Lax filesystem permissions that permit the reading of files containing private key/certificate material may occur. Crypto cracking tools have evolved tremendously since the olden days of traditional wordlist-based cracking of encrypted/salted user login passes with John The Ripper. It wasn't that long ago that the ciphertext passwords for all users on a UNIX system (including root) was available to everyone through the world-readable /etc/passwd file. Circa the early-to-mid 1990s, due to widespread cracking of password files, almost all UNIX flavors quickly migrated to user password protection based on the /etc/shadow file and PAM (Pluggable Authentication Modules). The seminal Linux distributions that were becoming more and more available on CD-ROM media via mail order, and as book inserts, quickly followed suit, especially with respect to PAM which allowed the fine-tuning of a system's authentication behavior by configuring dynamic shared objects (DSOs) to be loaded for modular addition of desired authentication functionalities. Not long after, the crypt(3C) library function in Linux began to support MD5 as an alternative to DES, which was now on its last legs of UNIX login authentication and other crypto applications as well. (Note that in this context, DES refers to single DES, which is not to be confused with TripleDES or 3DES, a much stronger algorithm based on the original single DES source code.) However, the UNIX/Linux login crypto woes weren't over yet. The early 2000s witnessed the discovery of several high-impact PAM vulnerabilities in Set-UID binaries allowing the loading of arbitrary DSOs, i.e., shared library files that are usually compiled into a filename ending in a '.so' extension. Typically, an executable binary will be dynamically linked with such a file. In the case of PAM, since the DSOs were loaded at runtime via the dlopen() library function, a normal user could compile a DSO that performed arbitrary actions while executing in PAM's privileged superuser context. Around the same time that privilege escalation exploits were being discovered in the PAM modular authentication system, other growing pains continued to materialize out of the crypt(3C) function itself. For example, one weakness caused the initial password of an account to be encrypted with DES despite the move to the MD5 as the default encryption algorithm for user passwords. This was probably due to crypt(3C) requiring a special character sequence '$1$' to be prepended to its salt argument in order to ensure the use of MD5. Administrator utilities such as the command useradd(1) may have failed to pass the salt argument properly, although this is just a theory. What can be said for sure, is that one or more system components that interacted with the login authentication process became out of sync with the cryptographic changes that were taking place. This is reinforced by the fact that another vulnerability was discovered in RedHat Linux around the same time where only the first eight characters of a plaintext password encrypted by crypt(3C) could be compared to the actual password, regardless of if its true length was greater than eight characters or not. During and after those rough times for UNIX authentication, Microsoft was experiencing problems of its own. Not only was NTLM authentication being attacked, but the Windows LSASS (Local Security Authority System Service) process was being reverse engineered, and hashes from the 'C:\Windows\System32\security\SAM' file were being extracted by tools like passdump2.exe. Since Vista, The CNG (Cryptographic Next Generation) Key Isolation service works with LSASS in order to protect cached key data. A common error web application developers make is generating session identifiers or other encoded strings used for authentication/authorization from plaintext data that is already known to the end user. This allows a known plaintext attack to be put into action. If a site user notices that one of the cookies their browser is sending to the site corresponds to the SHA-1 hash for the string "guest" while they're logged into the guest account, then it doesn't take a genius to figure out that sending the cookie instead as the SHA-1 value for "admin" may cause the server to permit administrative access to the site. Likewise, web application or CGI vulnerabilities, such as directory traversals that allow the remote reading of source code and/or configuration files, can disclose a variety of sensitive encryption-related information, from the algorithm in use to the private key itself, especially since the web server process by necessity has read access to data pertaining to its own encryption activities. Extracting hard-coded keys from the application's binary files is yet another possibility. To expand on web-based crypto issues, let's look at how SSL/TLS can be undermined. Although SSL is commonly used by HTTP, many other network protocols that are in use on the Internet today support SSL as well. First of all, everybody knows that self-signed certificates are a bad idea. This is because the concept of full certificate chain verification is totally removed from the equation since self-signed certs have no chain. As such, no trusted third-party will be specified that can confirm the identity of the server, such as a CA (Certificate Authority). Another well-known issue that can compromise a digital certificate's integrity is expiration. Between the time that the certificate was created and the time it expired, a myriad of changes in space and time affecting the security of the PKI infrastructure could have transpired. The domain name it was meant to serve could have changed ownership, an issuing intermediate-level CA may have went out of business, a root-level CA might have suffered a malicious cyber attack, or perhaps weaknesses were discovered in the certificate type. The last example mentioned is much more possible now as ever before, considering the growing selection of certificate options that are becoming increasingly available from certificate authorities: EV (Extended Validation), SNI (Server Name Indication), wildcard certificates, so on. One particularly interesting attack that is much more effective than one might expect is the spoofing of X.509 certificate headers. Essentially, an attacker who is playing man-in-the-middle creates a self-signed certificate with X.509 header values which match the legitimate certificate one-to-one. Despite the complete lack of cryptographic identity, there have been quite a few attacks like this that have succeeded in the past, including at least one that would have allowed unrestricted access to Microsoft network services in the absence of two-factor certificate/password authentication. Even in the presence of two-factor authentication, the certificate piece would have been rendered irrelevant greatly decreasing the bar for a successful attack to mere password knowledge, or a brute-force search against it with chances of success being directly related to how the service then handled account lockout and/or login attempt throttling. +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-+ | | | Bibliographical Information and Recommended References List | | | +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+ * http://tools.ietf.org/rfc/rfc1321.txt Internet Engineering Task Force (IETF) Request For Comments (RFC) 'The MD5 Message-Digest Algorithm' * http://en.wikipedia.org/wiki/National_Security_Agency National Security Agency: From Wikipedia, the free encyclopedia * http://en.wikipedia.org/wiki/Cryptanalysis_of_the_Enigma Cryptanalysis of the Enigma: From Wikipedia, the free encyclopedia * http://en.wikipedia.org/wiki/Alice_and_Bob Alice and Bob: From Wikipedia, the free encyclopedia * http://en.wikipedia.org/wiki/Permutation_group Permutation Group: From Wikipedia, the free encyclopedia * http://www.schneier.com/ Schneier on Security A blog covering security and security technology. * http://www.schneier.com/book-applied.html Applied Cryptography, Second Edition (ISBN 0471128457) * http://www.schneier.com/book-applied-source.html Applied Cryptography Source Code * http://www.schneier.com/book-practical.html Practical Cryptography (ISBN 0471223573) * http://www.schneier.com/book-ce.html Cryptography Engineering (ISBN 0470474246) * http://openpgp.org/ The OpenPGP Alliance Home Page * http://www.ietf.org/rfc/rfc4880.txt IETF RFC for The OpenPGP Message Format * http://www.philzimmermann.com/EN/background/index.html Philip Zimmermann: Creator of PGP and Zfone * http://www.pgpi.org The International PGP Home Page * http://gnupg.org/ GNU Privacy Guard * http://www.symantec.com/business/theme.jsp?themeid=pgp PGP Encryption Products * http://nostarch.com/pgp.htm PGP & GPG: Email for the Practical Paranoid (ISBN 9781593270712) * http://www.cryptolounge.org/wiki/Main_Page CryptoLounge.org MediaWiki - Main Page * http://www.mozilla.org/projects/security/pki/nss/ Network Security Services (NSS) ._________. : : : E O F : : : `---------' [==================================================================================================] -=[ 0x07 Hacking 15A Announcement Machines -=[ Author: Shadytel, Inc -=[ Website: http://www.shadytel.com/ h0h0h0 kids! It's Shadytel pissing down your legs once again with yet another long, drawn out explanation of how we own the world. It's been a while since the world of phreaking has seen an article on a piece of equipment, so for this quarter, we're going to spin the great rotary dial of time back to 1982 for a moment. Crotch- grabbing pedophiles sodomized the hearts of millions with thrilling pop albums, iconic battles between the East and West surged on with newly-revived hatred, and the first number five ESS ever rolled off an assembly line. Magnetic drum recordings lived on for a while longer, but eventually Alcatel-Lucent (then still Western Electric) needed a digital announcement machine to complement a digital switch. The end result? A machine that doesn't sound digital at all. If you've heard a 15A announcement system before, you've probably mistaken it for a looping piece of really old tape. Between the faint voices of adjacent announcement channels and enough noise to sound like it was recorded in an air conditioning duct, there's almost no mistaking it. Fortunately for us, that makes it really easy to pick out in a crowd of switches. Here's what one particular one sounds like in action: 503-635-1026. So - let's say you're scanning this switch. What does finding a 15A mean? Well, it's simple - 15As have very limited access capabilities. Basically, there's an LCD panel on the front slightly smaller than the one on your alarm clock, and there's a voice-based remote access feature that the on-board microcontroller runs. No Ethernet, not even a serial port. If you have any doubts that your 15A has a remote access number, keep listening to the test announcements you find when you scan. Announcements made remotely will have touchtones at the end a lot. So now, with a little luck in your scan, you've probably come across something that answers like this: {Roughly 1200 hertz tone} "Enter your security code after the tone" {touchtone number 5} Yessir, Lucent (inadvertently) did their jobs well. When you get a login prompt from a 15A, there's no mistaking it. Like the announcements themselves, you'll know exactly what you've got the second you hear it. Now, logging in would normally be the tricky part. Most offices won't change their default passwords, because they really don't need to. By default, there's no possible way to guess it. Ready? *47985621 No matter what they change it to - if they ever change it, it'll always start with a star. "Press # at any time to return to the main menu. Enter a function code, or press ** for help." The 15A does a good job explaining its own menu, so we won't dwell on it much here. A few quick notes, though: - Channels usually start at zero, and work their way up to seven - A diagnostic is less interesting than it sounds; it beeps while it checks the announcements for silence - There are a few hidden features on the menu. *5 will let you assign passcodes to individual channels, and *91 records over *every* channel. Fortunately, this one asks you to confirm before attacks from a swarm of angry telco lawyers ensue. Finally, some of us have found 15As that have no voice prompts, so for the benefit of the vocally disadvantaged, here's how the menu was read out to us: *0 - Select channel *8 - Change security code *4 - Perform diagnostics *6 - Disconnect Likewise, here's the menu you get after you select a channel: *0 - Select channel *8 - Set security code *90 - Record *2 - Playback *3 - Set channel status *4 - Perform diagnostics *6 - Disconnect So, finally, you might be asking yourself... You've got a 15A announcement machine, what do you do with it? Unlike, say, an EAS, there really is a limit to how much recording time is on there, so you can't really explore too much. Unlike the Innovative Systems machines, you can't setup a conference on them, or make your own voicemail boxes. So what's so much better about a 15A? It boils down to one word: crosstalk. On a 15A, there are actual, individual loops for every different announcement, and unlike some of the more modern counterparts, not only are they always playing *every* second they're turned on, but they're connected to announcement trunks using individual analog pairs. In its stock configuration, there's tons of electromagnetic leakage between these channels; that's what makes it sound like there are other voices in the background. Now, keeping in mind that recordings can be much, MUCH louder than the telco makes them, what do you think is stopping you from making a channel that bleeds through so loudly, you can hear it really clearly on everything else? The sheer potential awesomeness we're dealing with here is only limited by your ability to hear peoples' reactions. Competitive loudness is a proud American tradition. Let's use it where it counts. [==================================================================================================] -=[ 0x08 Gawker Passwords Analysis -=[ Author: SinThet -=[ Email: vektorical@gmail.com -=[ Website: http://sinthet.wordpress.com/ Hardly a secret to the general public, and common knowledge to anyone and everyone even remotely associated with the security or hacking scene(s), a group known as Gnosis released just under 200k user names, emails, and decrypted passwords from a stolen database belonging to Gawker late 2010. For the curious "hacker" (however you define the word), this is like an early Christmas present. It provides valuable insight into how people view security, and how much they value it. It allows us to make hypotheses about the psychology behind people's passwords. It provides yet another glimpse as to just how lax security policies at large companies are. Originally, I was going to analyze these patterns and apply them to a general wordlist in order to determine just how much I'd be able to improve the results by. However, as I pursued this, I found myself pretty much running in circles, since the majority of the passwords cracked followed similar methods I was trying to implement, and so I'd done more to reverse engineer some of the techniques no doubt used to crack the released passwords. Regardless, I'll still present my results of the initial analysis, and hopefully, you'll find them informative and at least somewhat interesting. Disclaimer: I'm no professional. I'm a high-school kid that likes learning by doing. I'm doing this not because I expect to make a breakthrough in anything, but because it's interesting. Hopefully, someone smarter than me will read this, notice a pattern I've missed, and make an improvement on my observations. I realize the majority of these passwords aren't of the particularly secure kind; however, I believe patterns found here repeat in the uncracked passwords as well, perhaps more cleverly disguised, but present nonetheless. NOTE: I will provide links to full statistics that I've calculated, as well as the source code used to calculate it. a. An Analysis of the leaked + cracked Passwords. ---------------------------------------------------- In this section, I will present a few statistics, a truncated version of my full results. Firstly, let's start with some frequency analysis from a character perspective. ~~~~MOST COMMON CHARACTERS IN LEAKED PASSWORDS~~~~~ a: 8.4% e: 7.99% o: 5.89% r: 5.61% s: 5.48% i: 5.21% n: 5.15% 1: 4.48% Let's compare this to the most common characters in the English language. ~~~~~~~~~~~~~~~~~~~~~~~~ E 12.51% T 9.25% A 8.04% O 7.60% I 7.26% N 7.09% S 6.54% R 6.12% We're using the first 8 most common for a reason. DES encryption only encrypts the first 8 characters. So, if your password is "123456789", the resulting hash might be "abcdefgh". This means that typing "12345678" would grant you access just as well as "123456789", since the hash algorithm doesn't acknowledge the ninth (and any subsequent) characters' existence. The letters "a,e,o,r,s,i,n" appear in both lists. Furthermore, their order is somewhat similar. From this, it's a reasonable conclusion that a good deal of the passwords are normal English words (not entirely surprising). The presence of the number 1 in such a high percentage (The next percentage for a number is 2, with roughly 2.2%), is especially useful. We can make a safe guess that a good portion of our English-word-using people have at some point encountered the message "Your password must consist of at least one number" when registering for a website. If you were an annoyed person trying to quickly get through a registration, adding a single number to the end (or the beginning) is the quick and easy solution. The number 1, being what most people see as the "first" number, is probably a popular choice. Furthermore, 1 is the start of many sequences. It is often used as a substitute for the letter "I". These properties set 1 apart from most other characters. Next, let's take a look at the most common passwords in the entire list. ~~~~~MOST COMMON PASSWORDS IN LEAKED GAWKER DATABASE~~~~~~~~ 1: 123456: 3057: 1.64% of all passwords. 2: password: 1955: 1.036% of all passwords 3: 12345678: 1119 : .5% of all passwords. 4: lifehack: 661: .35% of all passwords. 5: qwerty: 418: .22% of all passwords. 6: abc123: 333: .17% of all passwords. 7: 111111: 311: .16% of all passwords 8: monkey: 300: .16% of all passwords. 9: consumer: 273 : .14% of all passwords 10: 12345: 253: .14% of all passwords. First, take a moment to grab a bucket. It's your duty as a reader interested in computer security to want to barf at these results. Next though, we should notice that 1 is very common again. in fact, it alone accounts for 15.6% of the characters in the top ten most used passwords. It is contained within 50% of the most common passwords. Its importance as the "first" in a sequence is reinforced. 6 of the top 10 passwords are common sequences, 5 of them contain the number one, and 4 of them start with one (the odd man out is a combo of two sequences, abc and 123). Let's look at the other 4 words: password, lifehack, monkey, consumer. "password" will almost always come up as a common password. People who use it don't appreciate the importance of security, and when forced to change it, probably fall into the "add a number to the end" category. Sadly, we'll never know how many have done this, since "password" is 8 characters long. Damn DES, you suck for security, as well as analysis. "lifehack" and "consumer" aren't particularly surprising, since they're both related to websites owned by the same entity. This is an interesting pattern though. It suggests that this person probably keeps different passwords (a slight sigh of relief can be had), and tries to remember them by relating them to each website. This can be good to remember for targeted attacks, but almost useless for indirect account mining (stealing low security forum credentials in hopes of someone using the same password on paypal). Still, if you're targeting a single person, this kind of activity suggests that you may be able to simply guess their password based on the kind of website you're trying to get into via their credentials. The password "monkey", however, is different. "monkey" appears 554 times, 300 of which it stands alone. However, that's 254 times which it appears augmented with something else, just enough to displace "12345" as the number 10 most common password. The percentage (~.14% of all passwords) may seem small, but 254 accounts is a pretty substantial number. Since these passwords contain both numbers and letters, their owners may consider them more secure, and so more likely to reuse them for multiple logins. Obviously, this increases their value substantially. Now, lets start comparing the leaked passwords to a "common password" list, and see how we do. ~~~~~Top Ten Passwords which appear in Common Password List~~~~~ 1: 123456: 3057: 1.62% of all passwords 2: password: 1955: 1.038% of all passwords 3: 12345678: 1119: .59% of all passwords 4: qwerty: 418: .22% of all passwords 5: abc123: 333: .17% of all passwords 6: 111111: 311: .17% of all passwords 7: monkey: 300: .16% of all passwords 8: letmein: 247: .13% of all passwords 9: dragon: 233: .11% of all passwords 10: baseball 213: .11% of all passwords There is a high level of overlap between the two groups. The exceptions to the rule are "lifehack", "consumer", and "12345". "12345" is gone probably because the wordlist assumes a longer password length. However, the absence of two frequently occurring passwords, suggests that our conjecture about including site-specific keywords is important, it could increase our gain by 934 accounts. It's especially convenient in this case, because we don't even have to worry about clever people appending gibberish to the end --> Fail DES. For curiosity's sake: 79% of the passwords contained in the "common" list appeared in the leak. These 1805 unique passwords made up 22% of the leaked 188281 passwords. So, roughly one in 5 accounts can be broken into using a list which contains just over 2200 passwords. That's a pretty sad state of affairs, considering the trivial amount of time this would take with even a semi-modern processor. Now, moving on, we should take a look at first characters and numbers. ~~~~~~~~~~~~~~~[6 of B] Most common first characters: s: 19765: 10.5% m: 15322: 8.14% b: 14029: 7.45% Most common first numbers: 1: 14970: 7.95% 2: 2171: 1.15% 4: 1037: .55% ~~~~~~~~~~~~~~~~ The fact that 1 appears yet again is important, especially in such a high percentage. However, s m and b may not jump out as particularly useful. They may not be in a way that'll get us any closer to an actual password, but for optimization, these are great, especially in a real world example where you are generating hashes. If you have a wordlist, like we do, applying our patterns randomly may waste time, but if we focus our efforts in the order in which they are most likely to have the highest payoff, we should be able to harvest more hits quickly and efficiently. Since the first characters can help us optimize our search, it's only logical that we should analyze the last character as well. ~~~~~~~~~~~~~~~ Most common Last characters: e: 15948 : 8.47% n: 13639 : 7.24% s: 12683 : 6.74% Most common Last Numbers: 1:15854 : 8.42% 2:7176 : 3.811 3:7143 : 3.79% ~~~~~~~~~~~~~~~~ Again, we can learn something from these statistics. The most common ending characters correspond quite well to the English language yet again. Therefore, if a word starts with one of the top "first letters" and ends with one of the top "last letters", we probably shouldn't bother applying any patterns to our wordlist words, but rather make the safe assumption that the password is in fact, a word in the English language. The "last numbers" also tell us some important things. If a password ends in 1, and starts with a letter (especially one of the common letters), there's a good chance it's one of our "tack a number to the end" passwords. However, 2 and 3 aren't typically one of the "tack a number" choices. Instead, they are pretty good indicators of a "123" sequence tacked onto another common phrase. (The top-ten combo of abc123 is a good example). -------------------------- Overall, these results are pretty indicative of a poor overall security culture. Most of the websites which were affiliated with Gawker tailored to a crowd of people at least somewhat comfortable/interested in some form of technology or another. You'd think they'd be a tad more security-aware, and know to choose better passwords. Instead, 1/5 of the accounts can be cracked using a wordlist containing the top 2000 least secure passwords. Patterns within the cracked passwords suggest that the situation could be increased to a yield of 1/4 with limited brute force work appended to a standard dictionary. Unfortunately, these results aren't all that surprising if we look at the Internet as a whole. What is sad is that in 2011, people are making the same mistakes hackers were lulzing around about in 1999, and probably 1980. If any of the patterns or observations in this article apply to any of your passwords, please, do your part and choose a more secure password, or at the very least, use different passwords for different websites. Unless of course, you enjoy being hacked, which is what will happen to you eventually if you continue using weak passwords. It's only a matter of time, so please, help yourself and help increase the security of the general Internet by a tiny margin. Thanks for reading! If you would like a copy of my working directory, which contains this article, my notes, source-code, the common password list, a list of Gawker passwords, and some files of junk-output, it's available at sinthet.wordpress.com ----------------------------------------------------------------------- b. Technical comments- ----------------------------------------------------------------------- All of these statistics were calculated by code written in Python 2.7.1. The code is available at http://www.box.net/shared/nzlba6trs329u4kry0lg Some (more like all) of it is not very optimized at all, but it all managed to run in an acceptable amount of time on my weak netbook (1.6GHz1 1GB RAM). [==================================================================================================] -=[ 0x09 360-928-00xx Scan -=[ Author: Shadytel, Inc -=[ Website: http://www.shadytel.com/ 0000 - Business 0001 - Ringout, CNAM: QWEST CORP 0002 - Ringout, CNAM: QWEST CORP 0003 - NIS via SS7 0007 - Ringout 0008 - Ringout 0009 - Ringout 0011 - Busy signal 0013 - Reorder via SS7 0014 - NPA changed to 360 rec 0015 - Ringout 0018 - Loop, low end 0019 - Loop, high end 0020 - 102-type test 0024 - Ringout 0028 - 102-type test 0031 - rec, "Your long distance call could not be completed because your service has been restricted. Please contact your Qwest business office." 0032 - 100-type test 0033 - Silent termination? No supe 0034 - Reorder via SS7 0035 - Ringout 0036 - Ringout 0037 - Modem 0038 - Ringout 0046 - DATU 0049 - AIS Report, number in service 0050 - CBCAD/check the number and dial again 0051 - EAS test rec, NIS 0052 - YCDNGT 0053 - Permanent signal rec 0054 - Coin deposit rec 0055 - CBCAD/check your instruction manual or call repair service for assistance 0056 - rec, Dialing 1 not necessary 0057 - rec, Dial 1 first 0058 - CBCAD from the phone you're using 0059 - rec, dialing 0 not necessary 0060 - 105-type lookalike? 0061 - Reorder via SS7 0065 - "To activate telephone service, please contact your local service provider of choice. Thank you." 0066 - 105-type test 0070 - 105-type test 0090 - CBCAD/PIC error 0092 - LD access code not required rec 0093 - Network difficulties rec 0094 - Busy via SS7 0099 - Reorder via SS7 [==================================================================================================] -=[ 0x0a Terminal Servicez br0 -=[ Author: storm -=[ Email: storm@gonullyourself.org -=[ Website: http://gonullyourself.org/ A new project we've unveiled on 0x00 Network (irc.gonullyourself.org) is #nmap, a channel devoted to scanning the Internet for anything and everything. Bots report live feeds from nmap -iR instances, constantly updating the channel with new results. As of the release of this zine issue, the #nmap database currently holds scan results for over 18,000 IP addresses, totaling over 485,000 open ports. Here is an excerpt from the database - Microsoft Terminal Services (Remote Desktop Connection). For the sake of brevity, we've filtered the list for only IP addresses that resolve to a hostname: Host: 81.82.245.50 (d5152F532.static.telenet.be) Ports: 3389/open/tcp//ms-term-serv/// Host: 190.24.235.84 (corporat190-24235084.sta.etb.net.co) Ports: 3389/open/tcp//ms-term-serv/// Host: 91.187.218.106 (host-91.187.218-106.pool.intred.it) Ports: 3389/open/tcp//ms-term-serv/// Host: 209.144.20.43 (rvd190142b.sprocketnetworks.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 173.247.184.210 (173-247-184-210.static-ip.telepacific.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 66.193.118.109 (66-193-118-109.static.twtelecom.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 82.193.109.204 (82.193.109.204.ipnet.kiev.ua) Ports: 3389/open/tcp//ms-term-serv/// Host: 205.188.1.233 (chatfarm-ld02b-sr10.ehost.aol.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 82.223.161.175 (dns2.grupotilenus.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 75.148.99.85 (75-148-99-85-Utah.hfc.comcastbusiness.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 193.72.18.25 (193-72-18-25.adsl-static.switzerland.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 75.147.83.163 (75-147-83-163-Philadelphia.hfc.comcastbusiness.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 131.128.188.64 (dorado.cba.uri.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 94.198.162.153 (94.198.162.153.static.hosted.by.easyhost.be) Ports: 3389/open/tcp//ms-term-serv/// Host: 213.29.33.180 (adslctc-1972.adslcust.sbone.cz) Ports: 3389/open/tcp//ms-term-serv/// Host: 216.227.80.173 (s-216-227-80-173.dsl1.rtr.chat.fpma.frpt.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 80.57.239.243 (g239243.upc-g.chello.nl) Ports: 3389/open/tcp//ms-term-serv/// Host: 184.154.40.146 (shangwuq2.idc120.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 95.63.158.198 (static-198-158-63-95.ipcom.comunitel.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 194.254.173.23 (laser01.iutv.univ-paris13.fr) Ports: 3389/open/tcp//ms-term-serv/// Host: 134.68.210.25 (plum.uits.iupui.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 81.94.206.115 (115-206-94-81.rackcentre.redstation.net.uk) Ports: 3389/open/tcp//ms-term-serv/// Host: 213.142.146.112 (213-142-146-112.reverse.adeox.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 67.202.99.245 (digital-direction.bestserversllc.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 68.166.139.140 (mail.doherty1.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 62.148.195.80 (a80.netikka.fi) Ports: 3389/open/tcp//ms-term-serv/// Host: 129.59.129.86 (discovery.isis.vanderbilt.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 82.70.136.254 (82-70-136-254.dsl.in-addr.zen.co.uk) Ports: 3389/open/tcp//ms-term-serv/// Host: 66.76.197.177 (s66-76-197-177.chtnwv.ab.sta.suddenlink.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 68.185.26.238 (68-185-26-238.static.mdfd.or.charter.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 66.132.219.224 (srv3.iss-pr.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 195.138.210.23 (mx.ra-national.ru) Ports: 3389/open/tcp//ms-term-serv/// Host: 167.128.62.155 (unused-corv-62-155.corvallis.k12.or.us) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.0.20.46 (69-0-20-46.adsl.snet.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 88.202.88.135 (88-202-88-135.ip.skylogicnet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 65.44.176.194 (mail.scrupleshaircare.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 212.55.196.84 (orania2.trade-soft.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 81.246.27.186 (mail-in.vanmieghem.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 72.26.226.222 (72-26-226-222.meganetserve.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 76.8.49.27 (ip2.ac03.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 65.215.26.227 (mail.aimu.org) Ports: 3389/open/tcp//ms-term-serv/// Host: 75.56.9.30 (adsl-75-56-9-30.dsl.mrdnct.sbcglobal.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.208.127.234 (u15368620.onlinehome-server.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.197.165.242 (jnp48.joinedwithititalian.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 78.7.29.226 (78-7-29-226-static.albacom.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 167.128.190.131 (dhcp-lacomb-190-131.lebanon.k12.or.us) Ports: 3389/open/tcp//ms-term-serv/// Host: 208.101.3.31 (sl003-e.jsmtp.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 80.177.52.42 (mailgate.theengineeringpractice.co.uk) Ports: 3389/open/tcp//ms-term-serv/// Host: 67.142.222.6 (host67142006222.direcway.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 87.106.3.167 (technicagroup.co.uk) Ports: 3389/open/tcp//ms-term-serv/// Host: 196.219.199.131 (mail.iie-egypt.org) Ports: 3389/open/tcp//ms-term-serv/// Host: 203.64.173.111 (ctd.nuu.edu.tw) Ports: 3389/open/tcp//ms-term-serv/// Host: 84.254.148.235 (84-254-148-235.ip.skylogicnet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 203.113.25.12 (203.113.25.12.static.totisp.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 212.60.228.117 (port-212-60-228-117.static.qsc.de) Ports: 3389/open/tcp//ms-term-serv/// Host: 213.209.186.68 (213-209-186-68.ip.skylogicnet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.85.8.2 (dsl-2.8-238.gtb.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.208.44.130 (e-learning.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 131.212.46.219 (nomad46-219.d.umn.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 72.32.204.218 (db1.madisonlogic.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 72.169.70.226 (host7216922670.direcway.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 194.177.64.72 (mail2.irisip.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 200.155.8.215 (escalena2.escalena.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.53.24.165 (host69-53-24-165.birch.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 81.47.209.2 (2.Red-81-47-209.staticIP.rima-tde.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 217.115.132.100 (n217-115-132-100.cnet.hosteurope.de) Ports: 3389/open/tcp//ms-term-serv/// Host: 188.168.189.195 (host195.zakazrf.ru) Ports: 3389/open/tcp//ms-term-serv/// Host: 82.3.48.210 (statichost-210.next.co.uk) Ports: 3389/open/tcp//ms-term-serv/// Host: 24.178.209.78 (mail.brsales.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 201.234.189.25 (201.234.189-25.static.impsat.com.co) Ports: 3389/open/tcp//ms-term-serv/// Host: 93.74.46.134 (atonementless-therapist.volia.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.35.254.232 (dpc6935254232.direcpc.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 68.9.207.156 (ip68-9-207-156.ri.ri.cox.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 217.162.18.62 (217-162-18-62.static.cablecom.ch) Ports: 3389/open/tcp//ms-term-serv/// Host: 217.126.49.238 (238.Red-217-126-49.staticIP.rima-tde.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 68.68.204.189 (exchange.yklegal.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 70.39.122.237 (NO-RDNS-RECORD) Ports: 3389/open/tcp//ms-term-serv/// Host: 72.250.232.155 (host-72-250-232-155.ercbroadband.org) Ports: 3389/open/tcp//ms-term-serv/// Host: 99.198.57.185 (99-198-57-185.cust.wildblue.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 207.218.237.100 (ev1s-207-218-237-100.theplanet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.114.164.123 (74-114-164-123.static.fullcontrol.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 62.100.140.226 (ppp-226.net-62-100-140.static.magiconline.fr) Ports: 3389/open/tcp//ms-term-serv/// Host: 216.119.232.242 (216.119.232.242.nw.nuvox.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 207.36.233.205 (207-36-233-205.ptr.primarydns.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 91.148.136.54 (ip-136-54.powernet.bg) Ports: 3389/open/tcp//ms-term-serv/// Host: 188.84.85.58 (static-58-85-84-188.ipcom.comunitel.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 190.210.147.205 (customer-static-210-147-205.iplannetworks.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 196.47.81.237 (196-47-81-237.mweb.co.za) Ports: 3389/open/tcp//ms-term-serv/// Host: 152.2.50.70 (yoda.hsrc.unc.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 62.202.1.29 (29-1.202-62.fix.bluewin.ch) Ports: 3389/open/tcp//ms-term-serv/// Host: 146.6.184.34 (lib-msias002.utmsi.utexas.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 200.39.112.231 (ip-200-39-112-231-mx.marcatel.net.mx) Ports: 3389/open/tcp//ms-term-serv/// Host: 173.11.114.251 (173-11-114-251-SFBA.hfc.comcastbusiness.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 213.142.136.240 (213-142-136-240.reverse.adeox.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 70.166.210.59 (mail.azfcf.org) Ports: 3389/open/tcp//ms-term-serv/// Host: 81.47.212.142 (142.Red-81-47-212.staticIP.rima-tde.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 72.20.102.69 (server69.enterprisewizard.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 216.24.200.211 (unassigned.psychz.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 210.146.146.87 (s87.IaichiFL44.vectant.ne.jp) Ports: 3389/open/tcp//ms-term-serv/// Host: 97.64.179.122 (cw.artechsolutions.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 64.38.150.122 (mail.hughesrobbins.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 193.37.229.83 (ml-083.magenta-netlogic.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 140.138.35.91 (rd1109-ypwan.admin.yzu.edu.tw) Ports: 3389/open/tcp//ms-term-serv/// Host: 66.116.110.72 (ms128.webhostingprovider.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 167.128.206.180 (oakheights-180.sweethome.k12.or.us) Ports: 3389/open/tcp//ms-term-serv/// Host: 66.165.106.29 (capital2wheeler.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 116.12.51.61 (vibrantstage.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 208.126.100.1 (mail.lakescorridor.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 63.87.104.194 (mail.spectorllc.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 61.220.251.239 (61-220-251-239.HINET-IP.hinet.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 82.225.62.126 (par69-3-82-225-62-126.fbx.proxad.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 217.128.13.118 (LAubervilliers-151-13-14-118.w217-128.abo.wanadoo.fr) Ports: 3389/open/tcp//ms-term-serv/// Host: 66.29.202.135 (ns1.deployit.no) Ports: 3389/open/tcp//ms-term-serv/// Host: 173.165.89.133 (173-165-89-133-Illinois.hfc.comcastbusiness.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 66.191.130.146 (66-191-130-146.static.roch.mn.charter.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 66.206.66.136 (xr136.xroads.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 113.53.236.163 (113-53-236-163.totisp.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 99.68.102.126 (adsl-99-68-102-126.dsl.ipltin.sbcglobal.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 90.188.129.66 (host-90-188-129-66.pppoe.omsknet.ru) Ports: 3389/open/tcp//ms-term-serv/// Host: 212.81.200.179 (A-BI-179.sarenet.es) Ports: 3389/open/tcp//ms-term-serv/// Host: 75.106.212.170 (75-106-212-170.cust.wildblue.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 88.202.89.100 (88-202-89-100.ip.skylogicnet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 203.57.152.103 (www.bodymap.com.au) Ports: 3389/open/tcp//ms-term-serv/// Host: 63.215.72.22 (domain.not.configured) Ports: 3389/open/tcp//ms-term-serv/// Host: 24.187.209.90 (ool-18bbd15a.static.optonline.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 178.170.124.116 (26499hpv124116.ikoula.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 207.218.202.242 (maguro.proelite.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 87.193.204.24 (port-87-193-204-24.static.qsc.de) Ports: 3389/open/tcp//ms-term-serv/// Host: 60.242.136.236 (60-242-136-236.static.tpgi.com.au) Ports: 3389/open/tcp//ms-term-serv/// Host: 130.237.218.26 (sms-218.nt.nada.kth.se) Ports: 3389/open/tcp//ms-term-serv/// Host: 76.10.206.161 (mail13.totaldaydeals.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 152.2.41.235 (africa.unc.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 137.99.113.103 (nightwork.facil.uconn.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 202.5.178.171 (client178171.mynewsat.com.au) Ports: 3389/open/tcp//ms-term-serv/// Host: 46.163.66.180 (wvps46-163-66-180.dedicated.hosteurope.de) Ports: 3389/open/tcp//ms-term-serv/// Host: 208.67.195.78 (208-67-195-78.static.fullcontrol.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 209.44.103.109 (mail13.dailyofferfeeds.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 67.46.166.164 (dpc6746166164.direcpc.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 128.83.56.199 (lib-pclas328.lib.utexas.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 61.31.48.90 (90.48.31.61.ecs.com.tw) Ports: 3389/open/tcp//ms-term-serv/// Host: 67.18.173.136 (88.ad.1243.static.theplanet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.138.192.12 (c-69-138-192-12.hsd1.md.comcast.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 216.37.162.77 (UNUSED-216-37-162-77.UNUSED.EPIX.NET) Ports: 3389/open/tcp//ms-term-serv/// Host: 195.91.244.242 (h195-91-244-242.ln.rinet.ru) Ports: 3389/open/tcp//ms-term-serv/// Host: 67.143.106.230 (host6714300230106.direcway.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 208.176.240.131 (208.176.240.131.ptr.us.xo.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 210.145.23.200 (210-145-023-200.jp.fiberbit.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 222.151.89.170 (222-151-089-170.jp.fiberbit.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.208.205.87 (u15175363.onlinehome-server.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 198.144.175.39 (www.inthehall.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 210.225.104.53 (210-225-104-053.jp.fiberbit.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.64.43.127 (colossus108.startdedicated.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 210.146.247.143 (s143.247.146.210.fls.vectant.ne.jp) Ports: 3389/open/tcp//ms-term-serv/// Host: 81.187.106.147 (ip147.cranmer1.wf-net.co.uk) Ports: 3389/open/tcp//ms-term-serv/// Host: 84.234.74.87 (soodit.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 68.157.207.92 (adsl-068-157-207-092.sip.msy.bellsouth.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 194.150.188.157 (smart-repair.de) Ports: 3389/open/tcp//ms-term-serv/// Host: 70.38.12.36 (host.iztim.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 63.204.36.110 (adsl-63-204-36-110.dsl.snfc21.pacbell.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 67.59.85.110 (67-59-85-110.smartz.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 131.247.202.182 (u244339.forest.usf.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 64.8.122.64 (win30.securedc.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 143.107.201.230 (intranet.hcrp.usp.br) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.206.17.162 (74-206-17-162.static-ip.m.telepacific.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 203.45.71.122 (border10.lnk.telstra.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 203.128.234.71 (203-128-234-71.static.hostus.net.au) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.208.164.94 (u15353859.onlinehome-server.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.200.200.115 (asambleadf.edata.com.mx) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.95.40.41 (74-95-40-41-Oregon.hfc.comcastbusiness.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 207.0.204.212 (host-212.runcentral.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 87.54.253.94 (0x5736fd5e.cpe.ge-1-1-0-1105.aaanqu1.customer.tele.dk) Ports: 3389/open/tcp//ms-term-serv/// Host: 140.128.71.200 (71-user200.ncut.edu.tw) Ports: 3389/open/tcp//ms-term-serv/// Host: 83.13.156.202 (fga202.internetdsl.tpnet.pl) Ports: 3389/open/tcp//ms-term-serv/// Host: 140.193.49.98 (net198.med-reh.umanitoba.ca) Ports: 3389/open/tcp//ms-term-serv/// Host: 88.202.1.41 (88-202-1-41.ip.skylogicnet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 84.254.147.235 (84-254-147-235.ip.skylogicnet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 85.91.200.66 (85-91-200-66.internet2.ru) Ports: 3389/open/tcp//ms-term-serv/// Host: 70.41.35.55 (70-41-35-55.cust.wildblue.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 150.216.151.42 (sc-au-304-pc-1.lab.ecu.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 84.254.144.201 (84-254-144-201.ip.skylogicnet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 209.12.23.10 (cweb003.jacksontechnical.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 85.48.251.192 (192.pool85-48-251.static.orange.es) Ports: 3389/open/tcp//ms-term-serv/// Host: 67.19.164.90 (5a.a4.1343.static.theplanet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 62.90.202.83 (mail.timlul.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.86.45.74 (studiowebonline.com.au) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.73.130.229 (static-229-130-73-69.nocdirect.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 85.159.68.69 (bunlardanistiyorum.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 66.76.250.122 (s66-76-250-122.semmcmtc01.smnlok.ok.sta.suddenlink.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 66.46.176.95 (smtp1.sherweb.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 212.25.10.66 (remote.stierli-partner.ch) Ports: 3389/open/tcp//ms-term-serv/// Host: 84.254.177.99 (84-254-177-99.ip.skylogicnet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 87.236.197.71 (leviathan.idisk.cz) Ports: 3389/open/tcp//ms-term-serv/// Host: 24.106.189.251 (rrcs-24-106-189-251.se.biz.rr.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.81.212.213 (host213.212.81.74.static.maximumasp.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 65.71.36.142 (65-71-36-142.ded.swbell.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 217.78.33.135 (custip.dcs.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.165.149.4 (adsl-074-165-149-004.sip.bna.bellsouth.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 66.141.181.24 (smtp.wardnetworks.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 217.92.47.15 (mail.tribo-chemie.de) Ports: 3389/open/tcp//ms-term-serv/// Host: 91.144.151.49 (dynamicip-91-144-151-49.pppoe.kirov.ertelecom.ru) Ports: 3389/open/tcp//ms-term-serv/// Host: 89.96.49.14 (89-96-49-14.ip10.fastwebnet.it) Ports: 3389/open/tcp//ms-term-serv/// Host: 64.37.65.66 (christ1st.1webway.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 167.128.6.99 (philmig.lblesd.k12.or.us) Ports: 3389/open/tcp//ms-term-serv/// Host: 217.199.168.142 (ds8126.dedicated.turbodns.co.uk) Ports: 3389/open/tcp//ms-term-serv/// Host: 167.128.198.71 (dhcp-hs-198-71.lebanon.k12.or.us) Ports: 3389/open/tcp//ms-term-serv/// Host: 208.113.70.14 (208.113.70.14.servepath.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 217.41.124.118 (217-41-124-118.evansdinnington.mezzonet.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.35.199.82 (dpc6935199082.direcpc.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.86.174.154 (serversemidedicado.joinhost.com.br) Ports: 3389/open/tcp//ms-term-serv/// Host: 83.15.136.154 (elc154.internetdsl.tpnet.pl) Ports: 3389/open/tcp//ms-term-serv/// Host: 72.51.35.52 (peer1server.idc10000.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 88.202.83.29 (88-202-83-29.ip.skylogicnet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 212.198.110.39 (212-198-110-39.rev.numericable.fr) Ports: 3389/open/tcp//ms-term-serv/// Host: 129.74.4.108 (sso-pprd-v2.cc.nd.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 75.106.66.15 (75-106-66-15.cust.wildblue.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 90.184.54.162 (4706ds2-kj.0.fullrate.dk) Ports: 3389/open/tcp//ms-term-serv/// Host: 71.190.139.50 (static-71-190-139-50.nycmny.fios.verizon.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 209.114.126.41 (kfhs.fhsu.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 217.128.37.108 (LLagny-156-36-44-108.w217-128.abo.wanadoo.fr) Ports: 3389/open/tcp//ms-term-serv/// Host: 70.150.192.130 (mail.summitsportsmedicine.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 85.214.219.48 (h1904971.stratoserver.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 59.167.198.98 (ppp198-98.static.internode.on.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 63.231.42.182 (seasharesbs.seashare.org) Ports: 3389/open/tcp//ms-term-serv/// Host: 67.228.164.163 (si-sv2373.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 75.105.228.17 (75-105-228-17.cust.wildblue.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.247.72.248 (adsl-074-247-072-248.sip.msy.bellsouth.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 81.206.231.228 (ip51cee7e4.adsl-surfen.hetnet.nl) Ports: 3389/open/tcp//ms-term-serv/// Host: 216.75.60.212 (2k3s-60-212.aspadmin.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 204.153.7.45 (authmail.rotadyne.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 70.166.226.160 (wsip-70-166-226-160.ks.ks.cox.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 68.65.220.164 (164.smart-dns.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 84.254.130.64 (84-254-130-64.ip.skylogicnet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 167.128.185.137 (dhcp-pioneer-185-137.lebanon.k12.or.us) Ports: 3389/open/tcp//ms-term-serv/// Host: 134.121.88.226 (s58088226.temp.wsu.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 67.142.203.38 (host671420038203.direcway.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 67.142.199.5 (host67142005199.direcway.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 203.59.231.10 (203-59-231-10.perm.iinet.net.au) Ports: 3389/open/tcp//ms-term-serv/// Host: 202.5.186.147 (client186147.mynewsat.com.au) Ports: 3389/open/tcp//ms-term-serv/// Host: 212.125.85.199 (unallocated.star.net.uk) Ports: 3389/open/tcp//ms-term-serv/// Host: 204.13.209.44 (44.204-13-209.reverse.enterhost.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.36.197.7 (69-36-197-7.cot.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 68.157.248.31 (adsl-068-157-248-031.sip.pns.bellsouth.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 75.148.171.113 (75-148-171-113-Houston.hfc.comcastbusiness.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 208.109.127.157 (ip-208-109-127-157.ip.secureserver.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.167.164.29 (host.laserspotreduce.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 200.40.206.202 (correo.dofin.com.uy) Ports: 3389/open/tcp//ms-term-serv/// Host: 85.214.208.56 (h1883657.stratoserver.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 213.209.172.24 (213-209-172-24.ip.skylogicnet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 208.109.190.116 (ip-208-109-190-116.ip.secureserver.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 72.169.3.208 (host721692083.direcway.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 212.13.49.140 (ADSL-F49-S140.nortenet.pt) Ports: 3389/open/tcp//ms-term-serv/// Host: 62.149.173.245 (host245-173-149-62.serverdedicati.aruba.it) Ports: 3389/open/tcp//ms-term-serv/// Host: 210.146.219.120 (s120.IaichiFL52.vectant.ne.jp) Ports: 3389/open/tcp//ms-term-serv/// Host: 81.27.47.96 (96-47-27-81.vps.webhuset.no) Ports: 3389/open/tcp//ms-term-serv/// Host: 81.84.243.245 (a81-84-243-245.static.cpe.netcabo.pt) Ports: 3389/open/tcp//ms-term-serv/// Host: 167.128.200.136 (dhcp-do-200-136.sweethome.k12.or.us) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.239.102.249 (adsl-69-239-102-249.dsl.sndg02.pacbell.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 210.232.50.162 (210-232-050-162.jp.fiberbit.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 202.181.80.20 (202.181.80.20.static.rev.eftel.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 87.106.104.217 (s15351115.onlinehome-server.info) Ports: 3389/open/tcp//ms-term-serv/// Host: 81.216.218.238 (238.218.216.81.static.hud.siw.siwnet.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 128.46.200.81 (ee134pc3.ecn.purdue.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 202.132.58.77 (202-132-58-77.adsl.ttn.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 207.201.194.71 (www.geiss.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 87.106.250.19 (s15325009.onlinehome-server.info) Ports: 3389/open/tcp//ms-term-serv/// Host: 67.154.251.20 (ip67-154-251-20.z251-154-67.customer.algx.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.65.116.27 (unknown27.116.65.69.defenderhosting.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 160.94.178.66 (w103-02.cselabs.umn.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.35.235.198 (dpc6935235198.direcpc.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 196.47.81.97 (196-47-81-97.mweb.co.za) Ports: 3389/open/tcp//ms-term-serv/// Host: 200.94.104.5 (static-200-94-104-5.alestra.net.mx) Ports: 3389/open/tcp//ms-term-serv/// Host: 201.163.0.180 (smtp3.v-office.com.mx) Ports: 3389/open/tcp//ms-term-serv/// Host: 129.65.53.1 (cp-rjv51.cp-calpoly.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 210.145.17.70 (210-145-017-070.jp.fiberbit.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 134.60.65.83 (schokobrunnen.biologie.uni-ulm.de) Ports: 3389/open/tcp//ms-term-serv/// Host: 91.121.123.85 (ns2014904.ovh.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.35.211.220 (dpc6935211220.direcpc.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 70.147.192.139 (adsl-070-147-192-139.sip.jan.bellsouth.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 88.202.5.94 (88-202-5-94.ip.skylogicnet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 216.57.213.82 (pr-osnw-fcp.osnw.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 216.131.106.228 (228.106.131.216.shared.ntb.reliablehosting.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 61.9.230.184 (CPE-61-9-230-184.static.sa.bigpond.net.au) Ports: 3389/open/tcp//ms-term-serv/// Host: 66.28.254.83 (host83.glaad.org) Ports: 3389/open/tcp//ms-term-serv/// Host: 195.23.156.109 (mail.fcrh.pt) Ports: 3389/open/tcp//ms-term-serv/// Host: 210.59.162.184 (210-59-162-184.HINET-IP.hinet.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 66.104.121.36 (ip66-104-121-36.z121-104-66.customer.algx.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.172.53.2 (69-172-53-2.static.networktel.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 62.2.177.136 (62-2-177-136.static.tinext.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 200.59.137.185 (host-59-137-185.linksat.net.ar) Ports: 3389/open/tcp//ms-term-serv/// Host: 66.202.35.218 (mail.firstplastics.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 70.88.229.115 (70-88-229-115-clark-turner-company-md.hfc.comcastbusiness.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 62.219.149.77 (mail.happycourse.co.il) Ports: 3389/open/tcp//ms-term-serv/// Host: 67.40.89.225 (macarco.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 205.201.248.51 (205-201-248-51.i95.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 68.65.152.170 (mail.sunbeltmotivation.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 220.133.214.124 (220-133-214-124.HINET-IP.hinet.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 151.100.168.131 (digilab.uniroma1.it) Ports: 3389/open/tcp//ms-term-serv/// Host: 194.179.130.22 (mail.prodimpexitalia.it) Ports: 3389/open/tcp//ms-term-serv/// Host: 210.227.43.26 (210-227-043-026.jp.fiberbit.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 148.205.148.162 (lenovo-74e5c325.rhon.itam.mx) Ports: 3389/open/tcp//ms-term-serv/// Host: 64.139.15.153 (ip-64-139-15-153.dsl.sca.megapath.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 200.12.207.11 (host-12-207-011.linksat.net.ar) Ports: 3389/open/tcp//ms-term-serv/// Host: 200.85.133.43 (nodo-133-43.unete.com.bo) Ports: 3389/open/tcp//ms-term-serv/// Host: 67.228.17.212 (si-sv2170.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 81.218.173.47 (mail.superlinkcom.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 167.128.121.208 (dhcp-ms-121-208.monroe.k12.or.us) Ports: 3389/open/tcp//ms-term-serv/// Host: 72.173.22.140 (72-173-22-140.cust.wildblue.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 84.254.163.227 (84-254-163-227.ip.skylogicnet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 150.201.62.43 (tech471.semo.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 81.47.112.250 (250.Red-81-47-112.staticIP.rima-tde.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 212.227.134.122 (quecontactos.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 213.217.134.72 (www.mercurycaffe.it) Ports: 3389/open/tcp//ms-term-serv/// Host: 209.181.209.43 (timeshareware.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 192.101.18.121 (tandberg-cs.swcenter.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.94.43.181 (74-94-43-181-Philadelphia.hfc.comcastbusiness.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 66.33.111.242 (tooth-implant-directory.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 75.105.67.209 (75-105-67-209.cust.wildblue.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 167.128.66.234 (unused-corv-66-234.corvallis.k12.or.us) Ports: 3389/open/tcp//ms-term-serv/// Host: 82.223.216.76 (vrtw11781.servidoresdns.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 131.252.213.142 (gophers.cat.pdx.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 88.208.222.168 (server88-208-222-168.live-servers.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 216.139.244.29 (216-139-244-29.aus.us.siteprotect.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 211.23.240.191 (211-23-240-191.HINET-IP.hinet.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 76.73.13.118 (s120.IaichiFL52.vectant.ne.jp) Ports: 3389/open/tcp//ms-term-serv/// Host: 75.80.50.196 (cpe-75-80-50-196.socal.res.rr.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 88.208.202.107 (mail.condoroffers.co.uk) Ports: 3389/open/tcp//ms-term-serv/// Host: 212.67.197.119 (ds2620.dedicated.turbodns.co.uk) Ports: 3389/open/tcp//ms-term-serv/// Host: 66.197.79.27 (hosted.by.cirn.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 134.147.82.34 (exdc1.exchange.ruhr-uni-bochum.de) Ports: 3389/open/tcp//ms-term-serv/// Host: 89.108.114.104 (vm1282.hvm.agava.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 210.232.27.201 (210-232-027-201.jp.fiberbit.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 83.69.244.7 (mail.deotravel.ru) Ports: 3389/open/tcp//ms-term-serv/// Host: 213.180.94.202 (de-0048.d.ipeer.se) Ports: 3389/open/tcp//ms-term-serv/// Host: 70.41.48.38 (70-41-48-38.cust.wildblue.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 75.107.35.180 (75-107-35-180.cust.wildblue.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 167.128.64.194 (unused-corv-64-194.corvallis.k12.or.us) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.55.203.11 (b.cb.374a.static.theplanet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 208.187.180.60 (mail.sdevcorp.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 216.7.175.222 (216.7.175-222.static.data393.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.238.224.150 (adsl-074-238-224-150.sip.btr.bellsouth.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 72.170.140.104 (host7217000104140.direcway.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 124.178.253.29 (CPE-124-178-253-29.static.wa.bigpond.net.au) Ports: 3389/open/tcp//ms-term-serv/// Host: 64.239.40.152 (magazineadvertisingagency.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 167.128.54.50 (unused-corv-54-50.corvallis.k12.or.us) Ports: 3389/open/tcp//ms-term-serv/// Host: 216.5.25.183 (525-183.dscga.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 64.42.79.46 (64-42-79-46.atgi.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 217.20.27.149 (mail.thamesinnovationcentre.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 72.232.172.3 (3.172.232.72.static.reverse.ltdomains.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.35.76.56 (dpc693576056.direcpc.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 188.165.218.223 (ns212184.ovh.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 82.223.137.64 (mwwd881.servidoresdns.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.208.184.35 (u15354319.onlinehome-server.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 208.109.138.55 (linhost288.prod.mesa1.secureserver.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 213.8.113.219 (tony09-113-219.inter.net.il) Ports: 3389/open/tcp//ms-term-serv/// Host: 85.19.150.20 (mx01.osl.inic.no) Ports: 3389/open/tcp//ms-term-serv/// Host: 84.254.147.193 (84-254-147-193.ip.skylogicnet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 18.78.0.88 (CELL2.MIT.EDU) Ports: 3389/open/tcp//ms-term-serv/// Host: 59.124.115.244 (59-124-115-244.HINET-IP.hinet.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 90.80.72.250 (250-72.80-90.static-ip.oleane.fr) Ports: 3389/open/tcp//ms-term-serv/// Host: 70.110.77.74 (smtp.floridah2olaw.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 82.200.9.72 (res72.mgtelecom.ru) Ports: 3389/open/tcp//ms-term-serv/// Host: 75.126.217.45 (si-sv3819.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.53.152.156 (9c.98.354a.static.theplanet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 64.1.254.234 (w234.z064001254.sjc-ca.dsl.cnc.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 202.5.172.0 (client172000.mynewsat.com.au) Ports: 3389/open/tcp//ms-term-serv/// Host: 130.34.21.186 (dhcp-21186.tagen.tohoku.ac.jp) Ports: 3389/open/tcp//ms-term-serv/// Host: 188.121.54.111 (ip-188-121-54-111.ip.secureserver.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 75.104.71.238 (75-104-71-238.cust.wildblue.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 217.34.35.49 (host217-34-35-49.in-addr.btopenworld.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 211.13.204.46 (www.blue.shared-server.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 71.59.251.175 (c-71-59-251-175.hsd1.or.comcast.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 85.89.99.35 (85-89-99-35.kbpauk.ru) Ports: 3389/open/tcp//ms-term-serv/// Host: 201.93.184.79 (201-93-184-79.dsl.telesp.net.br) Ports: 3389/open/tcp//ms-term-serv/// Host: 82.169.141.54 (82-169-141-54.ip.telfort.nl) Ports: 3389/open/tcp//ms-term-serv/// Host: 188.215.215.247 (215-6ee590c.drekthareuro.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 84.50.222.82 (82.222.50.84.sta.estpak.ee) Ports: 3389/open/tcp//ms-term-serv/// Host: 208.81.130.138 (svr20881130-138.ihostservers.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.227.109.34 (adsl-69-227-109-34.dsl.irvnca.pacbell.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 64.139.61.186 (denver.newhaven-usa.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 194.254.254.32 (gremaq-onduleur.univ-tlse1.fr) Ports: 3389/open/tcp//ms-term-serv/// Host: 207.65.65.26 (horror.teraptra.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 76.14.78.148 (76-14-78-148.static-sf-cable.astound.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.57.50.87 (byrdhomebuildersinc.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 213.82.216.84 (host84-216-static.82-213-b.business.telecomitalia.it) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.162.103.208 (208-103-162-69.static.reverse.lstn.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 217.36.226.148 (host217-36-226-148.in-addr.btopenworld.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 72.81.253.130 (static-72-81-253-130.bltmmd.fios.verizon.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 90.179.132.237 (237.132.broadband12.iol.cz) Ports: 3389/open/tcp//ms-term-serv/// Host: 217.155.242.179 (dsl-217-155-242-179.zen.co.uk) Ports: 3389/open/tcp//ms-term-serv/// Host: 205.136.92.109 (lloyddaniel.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 210.225.123.108 (210-225-123-108.jp.fiberphone.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 190.8.2.233 (host-8-2-233.linksat.net.ar) Ports: 3389/open/tcp//ms-term-serv/// Host: 148.204.152.183 (sepi.escasto.ipn.mx) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.229.105.110 (adsl-69-229-105-110.dsl.irvnca.pacbell.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 200.108.66.19 (host019.200-108-66.telespazio.net.ar) Ports: 3389/open/tcp//ms-term-serv/// Host: 72.169.149.49 (host7216949149.direcway.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 72.54.96.194 (mail.wedgewoodcabinetry.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 80.34.199.229 (229.Red-80-34-199.staticIP.rima-tde.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 64.141.176.202 (host-202-176-141-64.ussignalcom.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 67.47.1.235 (dpc67471235.direcpc.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 75.125.50.147 (ev1s-75-125-50-147.theplanet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 128.208.251.175 (D-128-208-251-175.dhcp4.washington.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 195.157.57.109 (countrywideea.co.uk) Ports: 3389/open/tcp//ms-term-serv/// Host: 202.65.163.229 (202-65-163-229.sat.ruralinzone.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.162.80.85 (85-80-162-69.reverse.lstn.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 169.232.91.33 (s91-33.resnet.ucla.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 216.121.43.193 (193.43.121.216.reverse.servepath.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 216.99.51.53 (ip-53.51.99.216.dsl-cust.ca.inter.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 200.42.101.32 (200-42-101-32.dup.prima.net.ar) Ports: 3389/open/tcp//ms-term-serv/// Host: 220.246.73.40 (040.73.246.220.static.netvigator.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 208.115.217.27 (27-217-115-208.static.reverse.lstn.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 205.161.255.51 (ftp2.gerlingersteel.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 70.85.24.114 (72.18.5546.static.theplanet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.92.127.26 (74-92-127-26-Philadelphia.hfc.comcastbusiness.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.86.33.91 (74.86.33.91-static.reverse.softlayer.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.90.63.27 (vps.simplemedia.ca) Ports: 3389/open/tcp//ms-term-serv/// Host: 207.234.188.164 (vw01d.scomage.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 68.45.220.111 (c-68-45-220-111.hsd1.nj.comcast.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 151.100.4.41 (bids.infosapienza.uniroma1.it) Ports: 3389/open/tcp//ms-term-serv/// Host: 66.240.137.42 (66-240-137-42.momentum.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 24.119.221.99 (24-119-221-99.cpe.cableone.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 80.51.114.52 (host-80.51.114.52.helionet.pl) Ports: 3389/open/tcp//ms-term-serv/// Host: 128.40.203.61 (s7-adm.adm.ucl.ac.uk) Ports: 3389/open/tcp//ms-term-serv/// Host: 216.37.187.66 (UNUSED-216-37-187-66.UNUSED.EPIX.NET) Ports: 3389/open/tcp//ms-term-serv/// Host: 64.81.136.98 (dsl081-136-098.chi1.dsl.speakeasy.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 89.107.224.164 (ns1.prosetnet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 217.13.211.220 (static220.pppoe.kmv.ru) Ports: 3389/open/tcp//ms-term-serv/// Host: 115.29.33.228 (ip29.hichina.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 64.185.47.21 (nts-21.47-185-64.static.nts-online.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 72.240.118.218 (mail.mdunity.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 217.174.254.104 (server217-174-254-104.live-servers.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 72.173.172.16 (72-173-172-16.cust.wildblue.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 200.105.139.233 (static-200-105-139-233.acelerate.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 209.173.246.88 (flogainc.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 69.133.89.255 (cpe-69-133-89-255.mi.res.rr.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 129.128.49.188 (hematite.rr.ualberta.ca) Ports: 3389/open/tcp//ms-term-serv/// Host: 188.164.209.16 (kdzrfe.bestofthebestnocontest.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 167.128.50.205 (unused-corv-50-205.corvallis.k12.or.us) Ports: 3389/open/tcp//ms-term-serv/// Host: 89.190.249.64 (64-249-190-89.baltnet.ru) Ports: 3389/open/tcp//ms-term-serv/// Host: 208.123.113.174 (c-208-123-113-174.flamingtechnologies.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 128.123.39.129 (ofspc-224.nmsu.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 200.32.30.66 (200-32-30-66.dup.prima.net.ar) Ports: 3389/open/tcp//ms-term-serv/// Host: 208.102.181.122 (RO-ESR1-208-102-181-122.fuse.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 64.201.160.101 (static-64-201-160-101.ptr.terago.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 222.151.74.242 (222-151-074-242.jp.fiberbit.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 74.208.47.199 (u15257960.onlinehome-server.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 62.128.137.15 (ntdd2173.fm.netbenefit.co.uk) Ports: 3389/open/tcp//ms-term-serv/// Host: 63.144.240.104 (63-144-240-104.dia.static.qwest.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 212.40.247.50 (212.40.247.50.static.user.ono.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 134.121.130.0 (cvm16v.vetmed.wsu.edu) Ports: 3389/open/tcp//ms-term-serv/// Host: 72.169.86.7 (host72169786.direcway.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 81.180.117.155 (web.carturesti.ro) Ports: 3389/open/tcp//ms-term-serv/// Host: 206.194.125.166 (css.sweb.ocgov.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 216.17.39.59 (new-ip-3959.usinternet.com) Ports: 3389/open/tcp//ms-term-serv/// Host: 188.202.140.164 (static.kpn.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 75.106.108.55 (75-106-108-55.cust.wildblue.net) Ports: 3389/open/tcp//ms-term-serv/// Host: 46.254.50.12 (46-254-50-12.aa.net.tr) Ports: 3389/open/tcp//ms-term-serv/// [==================================================================================================] -=[ 0x0b ProjectMF - An Overview -=[ Author: df99 -=[ Email: bluebox@projectmf.org -=[ Website: http://www.projectmf.org/ It's been about five years since ProjectMF was introduced to the world by famed hacker/phone phreak Mark Abene (A.K.A. Phiber Optik) at the sixth HOPE conference in 2006. Mark's work on the original ProjectMF brought back an ability that many phone phreaks thought was long dead. At last younger phone phreaks could get a taste of what phone phreaking was like during the 1950s through the early 1990s. We older phone phreaks could re-live some of our older exploits back "in the day". Project MF is a living, working simulation of analog SF/MF signaling just as it was used in the public switched telephone network up until the early 90's, when most everything was cut-over by the regional Bells to the fully-digital SS7/ISDN network as it continues today. SF/MF signaling? What's that? Well, back in the early 1950s, Ma Bell began to install equipment that made a telephone operator's task of routing a long distance call much easier. Remember, this was years before the ability of the average person (or an operator, for that matter) to direct-dial a long distance call existed. To place a long distance call, one would call their local operator and specify the destination city and number. He would then hang up and await the operator to complete the complex process of establishing the long distance connection. The operator would determine the "route" of a call, which often required intermediate connection points at cities between the source and destination of the call. The operator, using old-fashioned cord board switchboards, would establish a connection to the first intermediate city over a "trunk" line. A trunk was simply a dedicated telephone circuit between two cities. The operator at the intermediate city would take the routing information from the first operator and establish another trunk circuit to the next intermediate point, connecting the inbound and outbound trunks together with her switchboard cords. The next operator in the chain would repeat the process until the operator in the distant destination city would connect to and ring the destination phone. The original operator would then call back the phone originating the call and complete the connection. The entire process could take many minutes, especially if all trunks between two cities were busy. If this were the case, the operator would have to manually re-route the call through an additional intermediate city. With the installation of new automated switching equipment in the early 1950s, the operator's task of routing a call was made much more automatic. The originating operator took the destination number from the originating customer. At this point, she looked up various routing codes to the destination (often just an area code, exchange, and phone number), selected a trunk to the automated equipment, and keyed in the routing digits. At this point, the equipment took over the task of connecting the call to the destination through various intermediate cities. In case all of the trunks between two cities were busy, the equipment could automatically re-route the call through cities with available trunks. In the early sixties, customers were given the ability to dial the destination long distance number directly, removing the operator from the system completely. Obviously, the new equipment could not use speech to convey routing information between connecting points, as with the old operator-only system. A new way of conveying this information had to be developed. This is where the SF (Single Frequency) and MF (Multi-Frequency) system came in. The switching equipment used a 2600 Hertz tone to indicate to the equipment if a trunk were available or busy. The presence of 2600 on the trunk indicated it was free. The new switchboard used by toll operators automatically detected a trunk "whistling" 2600, seized it, and sent the routing information into the equipment using a series of operator-keyed "MF" or multi-frequency tones, one for each digit, plus two MF tones used to indicate the start and end of the routing information. These MF tones were similar to modern DTMF or "Touch Tones" (still many years away), but used different frequencies. With the removal of an operator from the process, some clever folks discovered that they could control the entire automated system by generating their own SF and MF tones from a "Blue Box", consisting of several audio oscillators or tone generators connected in various combinations through switches (the blue box got its name because the first such device confiscated in 1961 by Bell System security was in a blue chassis). The Blue Box gave the user the ability to become their own super-operator, with capabilities formerly reserved to phone company personnel. These capabilities included routing calls overseas, setting up complex routing patterns, accessing special Ma Bell test numbers, and much more. The golden age of phone phreaking had begun. See the old Bell System film "Speeding Speech" at YouTube for an excellent primer on all of this, from Ma Bell herself! www.youtube.com/watch?v=oPM_j7p7YnQ The most typical use of a blue box was to place free telephone calls. The operation of a blue box was simple: First, the user places a long distance telephone call, usually to an 800 number or some other non-supervising (non-charging) phone number. For the most part, anything going beyond 50 miles would go over a trunk type susceptible to this technique. When the call starts to ring, the caller uses the blue box to send a 2600 Hz tone. The 2600 Hz is a supervisory signal, because it indicates the status of a trunk; on-hook (tone) or off-hook (no tone). By playing this tone, you are convincing the far end of the connection that you've hung up and it should wait. When the tone stops, the trunk will go off-hook and on-hook (known as a supervision flash), making a "Ka-Cheep" noise, followed by silence. This is the far end of the connection signaling to the near end that it is now waiting for MF routing digits. Once the far end sends the supervision flash, the user would use the blue box to dial a "Key Pulse" or "KP", the tone that starts a routing digit sequence, followed by either a telephone number or one of the numerous special codes that were used internally by the telephone company, then finished up with a "Start" or "ST" tone. At this point, the far end of the connection would route the call the way you told it, while the user's end would think you were still ringing at the original number. If that original number were an 800 (free) number, the Blue Box user would complete the call for free, as the telco billing equipment registered only the originally dialed number. The key to this system was that the SF and MF tones were sent on the same circuit used to carry speech once the call was connected. To combat Blue Box usage, the phone company in the 1980s and 1990s began to separate the speech circuit from the circuit used to set up the call. The Blue Box would no longer work on these circuits, since the connection between end points used a separate signaling channel. The voice circuit would no longer respond to the tones. Blue Boxing was no longer possible on most circuits by the end of the 1990s, except to certain locations that still used the old equipment. If you are perplexed at this point, then for a primer on what this is all about, a must-read is the Esquire magazine article that was published in October, 1971 titled "Secrets of the Little Blue Box" by Ron Rosenbaum (blog.historyofphonephreaking.org/2008/08/secrets-of-the-little-blue-box.html ). This article first exposed the exploits of Blue Box phone phreaks to the public and stimulated Ma Bell to crack down legally and technologically on the phone phreaking community. From there, pursue the files on www.textfiles.com to read some of the actual texts that were circulated by phone phreaks "back in the day". To hear some of this stuff in action, head over to the PhoneTrips web site (www.phonetrips.com) and listen to the tapes phone phreaks made of their activities. For particularly good examples of blue box usage, I recommend listening to "Classic Tandem Stacking", "A HiFi 914 Routings tape, part 1", and "A HiFi 914 Routings tape, part 2". Even though this became obsolete, it is again made possible by a set of modifications and patches made to the open-source Asterisk PBX server software running under Linux on a PC - ProjectMF! It allows users to dial into such a private system via a variety of access methods, including the regular public switched telephone network and SIP. The user is presented with a ringing line. The ringing can be disconnected and the trunk seized by playing a 2600 tone into the line. Thereafter, the call can be diverted to another number or to a series of internal recordings and functions that reside on the server/switch by playing MF or multifrequency tones into the line. This is all perfectly legal, as the system is totally private. It is really more than a simulation. The call is going over a trunk group of 24 SF/MF trunks, although both sides of the trunks are terminated on the same PC. The hardware that makes this possible is two extra dedicated Ethernet cards on the PC running T1 over Ethernet protocol over a loopback Ethernet cable. Your incoming call gets looped over one of the 24 trunks before terminating back on the same switch, so you have 2600 and MF control. I have maintained a public ProjectMF system for several years now (www.projectmf.org). At last old-timers, aspiring phone phreaks, and the curious can experience the clandestine thrill of blue boxing their own calls! I have extended Mark Abene's original patches to add to the realism and reliability of the system. Lots of the old tricks are possible, including trunk "stacking", as illustrated in one of the Phonetrips recordings (www.phonetrips.com). The Asterisk hardware and demo may be seen at a YouTube video at: www.youtube.com/watch?v=hCvu2qgcsVQ My ProjectMF server can be accessed via the PSTN on 630-485-2995. The switch will play back recorded instructions when you dial in. Access is also available via: -CNET (telephone switch collectors network): 1-762-2600/2601 (see www.ckts.info for gateway numbers) -Asterisk direct connection: exten => 2600,1,Dial(IAX2/cnetguest@projectmf.homelinux.com/17622600) Note that you need a source of 2600 Hz tone and an MF dialer or Blue Box (NOT a regular DTMF (Touch- Tone) dialer) to make ANY use of this at all. You can download a software blue box for Windows, which also requires you to install install Microsoft's .NET framework. This program will let you generate MF tones through your PC's sound card and speakers. You can use the number keys on the right side of your keyboard (if you use a full-size keyboard) as an almost-real blue box, as well as the point and click method. Alternately, you can build your own, real blue box with instructions found on www.projectmf.org. Limited quantities of programmed Blue Box chips and printed circuit boards are available for this project. A demo of this Blue Box can be seen at YouTube at: www.youtube.com/watch?v=Kow8_N_dNts and www.youtube.com/watch?v=DzmCAc4ACTE During the ringing of the line (or after it stops), play a short burst of 2600, wait for the wink acknowledgment (the "Ker-Cheep"), followed by the MF digits from the list below. The 2600 Hz tone must be played at a somewhat higher level than the MF digits. Additional calls can be placed by playing 2600 again, waiting for the wink, and re-routing the call with new MF digits. If you do not begin dialing within 5 seconds after playing 2600 and getting the wink, you will hear a "reorder" tone (fast busy). You must then re-seize the line with another burst of 2600. The system will read back the digits it hears if you dial anything the switch does not understand. Play around with volume levels, especially if just holding the PC speaker up to the phone. The MF tones do not need to be excessively loud. It is important to do this in a fairly quiet environment. Do not talk while dialing. The switch will try to interpret loud sounds as MF digits. You can divert a real call through the box. Just dial 2600, KP, a 10-digit phone number (no leading "1"), and ST. Experiment on the test numbers to get the levels right first. Here are some numbers to try after you have seized a trunk with 2600 Hz. (Any three-digit code will also work with an area code prefixed). The user directory at www.ckts.info contains the latest list of working numbers. KP + 101 + ST "Weasels" recording KP + 102 + ST "Monkeys" recording KP + 103 + ST "Moo 1" recording KP + 104 + ST "Moron" recording KP + 105 + ST "Moo 2" recording KP + 106 + ST "Something wrong" recording KP + 107 + ST "Made it up" recording KP + 108 + ST "I'm bored" recording KP + 109 + ST "Don't understand" recording KP + 110 + ST "Step in stream" recording KP + 111 + ST "ProjectMF" presentation recording (exit with DTMF "0") KP + 112 + ST "Classic Tandem Stacking" recording - Evan Doorbell (exit with DTMF "0") KP + 113 + ST "Evan Doorbell juices off N1 and phreaks around. Part 1 (exit with DTMF "0") KP + 114 + ST "Evan Doorbell juices off N1 and phreaks around. Part 2 (exit with DTMF "0") KP + 115 + ST "Evan Doorbell investigates 1xx and 0xx codes (exit with DTMF "0") KP + 116 through 120 and 122 + ST "How Evan Doorbell Became a Phone Phreak, parts 1-6" KP + 600 + ST Asterisk echo test KP + 121 + ST "Operator" - Leave message if no answer KP + 123 + ST Joybubbles (Joe Engressia) 1991 Off the Hook Interview, Part 1 KP + 124 + ST Joybubbles (Joe Engressia) 1991 Off the Hook Interview, Part 2 KP + 125 + ST Haxor Joybubbles tech interview, part 1 KP + 126 + ST Haxor Joybubbles tech interview, part 2 KP + 127 + ST Haxor Joybubbles tech interview, part 3 KP + 128 + ST Sounds of Long Distance, part 1 KP + 129 + ST Sounds of Long Distance, part 2 KP + 130 + ST Sounds of Long Distance, part 3 KP + 131 + ST Directory Assistance KP + 132 + ST Sounds of Long Distance, part 4 KP + 133 + ST Sounds of Long Distance, part 5 KP + 134 + ST Sounds of Long Distance, part 6 KP + 135 + ST Sounds of Long Distance, part 7 KP + 136 + ST Sounds of Long Distance, part 8 KP + 137 + ST Sounds of Long Distance, part 9 KP + 138 + ST Sounds of Long Distance, part 10 KP + 139 + ST Sounds of Long Distance, part 11 KP + 140 + ST Sounds of Long Distance, part 12 KP + 141 + ST Sounds of Long Distance, part 13 KP + 142 + ST Sounds of Long Distance, part 14 KP + 143 + ST Sounds of Long Distance, part 15 KP + 144 + ST Sounds of Long Distance, part 16 KP + 145 + ST Dialing the 1XX Codes from Greenville NC Coin Phones, Part 1 KP + 146 + ST Dialing the 1XX Codes from Greenville NC Coin Phones, Part 2 KP + 147 + ST Local Coin Control in the 1970s KP + 161 + ST Record a comment KP + 171 + ST Playback comments. 0 to exit, * and # to skip backward and forward KP + 199 + ST 2600 Hz supervision test KP + xxx-xxx-xxxx + ST Outdial to phone network KP + 011 + country code + number + ST Collectors Net Access (www.ckts.info) KP + 2111 + ST Conference bridge. Please hang up with "#" when done. KP + 777 + ST Direct access to Telephreak KP + 2602 + ST DISA dialtone. Can use DTMF to dial. Stack with repeated 2602 [==================================================================================================] -=[ 0x0c Et Cetera, Etc. -=[ Author: teh crew Blah, blah, blah, IRC quotes. [23:29] <&storm> GOOD NIGHT [23:29] <&ElectRo`> no [23:29] * &storm slams the door [23:29] <&elchupathingy> no fuck u storm [23:29] <&elchupathingy> stay the fuck here [23:29] <&ElectRo`> stay [23:29] <&OrderZero> NO [23:29] <&elchupathingy> there is no door in irc [23:29] <&elchupathingy> only feelings [23:29] <~Silks> ^ [23:30] <&ElectRo`> ^ [23:30] <&elchupathingy> and ur crushing them [23:30] <&elchupathingy> don't leave us Also, we were (un)lucky enough to catch a buffer overflow lecture being held on the LulzSec IRC. Needless to say........... we weren't shocked at all at the users' intelligence. <lawlertrawler> and we are going to feed backwards <lawlertrawler> using bash shell <lawlertrawler> (not sh) <OrderZero> WHY ARE WE GOING TO FEED BACKWARDS BRAH <lawlertrawler> we can do something like <OrderZero> Why not sh? <lawlertrawler> because printf doesn't work the same way <lawlertrawler> we can do <OrderZero> Infact why not csh for that matter <OrderZero> or zsh <OrderZero> DUDE <OrderZero> WHY <OrderZero> BACKWARDS <davispuh> because in RAM it is that way <PhenZen> if you count in binary its backwards btw <ravonix> using bash, it doesn't cut off; however, it does abort trap ---------------------------------------------------------------------------------------------------- ) (.) .|. l7J | | _.--| |--._ .-'; ;`-'& ; `&. & & ; & ; ; \ \ ; & &_/ F"""---...---"""J | | | | | | | | | J | | | | | | | F `---.|.|.|.---' Chupa's Cooking Corner Well, I have failed to write up my computer related article, but I feel that food is just as important and might as well spread a few things that I enjoy eating and making. First up is simple and any lazyass hacker can make this and enjoy some kickass food. _____ _ _____ _ / ___| (_) | ___| (_) \ `--. _ __ _ ___ _ _ | |_ _ __ _ ___ ___ `--. \ '_ \| |/ __| | | | | _| '__| |/ _ \/ __| /\__/ / |_) | | (__| |_| | | | | | | | __/\__ \ \____/| .__/|_|\___|\__, | \_| |_| |_|\___||___/ | | __/ | |_| |___/ Ingredients: 2 or 3 Potatoes Texas Pete, or favorite hot sauce, need one bottle at least. Hot spices, recommend cayanne pepper. Cooking oil, or something that will be used to fry the potatoes. Steps: First, you need to cut the potatoes into french fries. After doing this, lay them into the oil, just enough to coat them in a thin layer of oil. After coating them in oil, place them into a bowl and mix in your spices and make sure to get them well coated. Now, preheat the oven to 400 degrees. Second, after getting the fries ready, heat up the oil and place the fries into the fryer. The fries should be fried until they start to brown. Now, place into the oven to crisp the fries. This usually takes 10 minutes, but check them before this so they do not burn. Third, if you wish to, you can refry the fries to add more crispiness, but that's up to you. Place them into a deep bowl and pour your hot sauce onto them. Once they are evenly coated in hot sauce, eat them. If you truly are a lazy hacker, then just buy a bag of premade french fries and cook them based on their directions, followed by step Three to complete. _____ _ _____ / ___| (_) | ___ \ \ `--. _ __ _ ___ _ _ | |_/ /_ _ _ __ __ _ ___ _ __ ___ `--. \ '_ \| |/ __| | | | | ___ \ | | | '__/ _` |/ _ \ '__/ __| /\__/ / |_) | | (__| |_| | | |_/ / |_| | | | (_| | __/ | \__ \ \____/| .__/|_|\___|\__, | \____/ \__,_|_| \__, |\___|_| |___/ | | __/ | __/ | |_| |___/ |___/ This is more complicated than the spicy fries, but complements them very nicely. Ingredients: Cayanne pepper, Red pepper, Taco seasoning, anything red and spicy. Italian seasoning Powdered Garlic 1 Egg 1 lb. Ground beef, lean less fat the better, but personal preference. 1 lb. Pepper jack cheese Optional: Jalapeno Olive Oil These burgers must be grilled - no exception. None of this lazy shit on some skillet. Get a damn grill to cook these. Start off by cutting up 1/3 lb. of the pepper jack into very small chunks. The smaller, the better. After cutting up the pepper jack cheese, take the ground beef and put into a large mixing bowl, and crack an egg and mix it into the meat. Add in the pepper jack as you mix, and make sure the cheese is mixed evenly throughout the meat. As you continue to mix the meat, throw in large quantities of spices. The goal of this is to make the meat a deep red. Once this has been achieved, form the meat into patties. I usually make sliders as they are easier to cook on a grill. This is because the extra cheese causes the meat to stick less to it self, and larger patties will fall apart on the grill. Cook the burgers until there is a light char on the outside. Eat and enjoy. That will make a basic burger. Some further recommendations are provided: Create a blacking powder with fresh ground Jalapeno peppers and cayanne pepper. To do this, dry out the peppers beforehand by placing them in the oven on a low temperature. After the peppers are dried, cut them up into small pieces and place into a mortar and pestel. Grind this up into a fine powder while mixing in cayanne pepper. After this powder is complete, place it on the burgers both before and after grilling. This will add a much needed kick to the burgers. A final addition that I like to do is mix Jalapeno chunks into the meat along with the cheese. These burgers go along very nicely with the Spicy fries. Make them as spicy as you can muster. Change up what spicies you put into the meat and the amount of pepper jack as well. ____ _ _ _ _ ____ _ / __ \ | | | | | | | / __ \ | | | / \/ |__ ___ ___ ___ | | __ _| |_ ___ | | __ ___ ____ _ | / \/ __ _| | _____ ___ | | | '_ \ / _ \ / __/ _ \| |/ _` | __/ _ \ | | / _` \ \ / / _` | | | / _` | |/ / _ \/ __| | \__/\ | | | (_) | (_| (_) | | (_| | || __/ | |___| (_| |\ V / (_| | | \__/\ (_| | < __/\__ \ \____/_| |_|\___/ \___\___/|_|\__,_|\__\___| \_____/\__,_| \_/ \__,_| \____/\__,_|_|\_\___||___/ This is a new one for me, but it's pretty good, especially after some very spicy burgers and french fries. Ingredients: 4 Eggs 1 Stick of butter 1/3 cup Whole milk 1/3 cup Surgar 1/2 cup Flour 12oz Bitter Sweet baking chocolate To start, take the butter and sugar and place into a large mixing bowl. Mix these together. After they are mixed, put the 4 eggs into the bowl. Continue to mix until you achieve a smooth consistency. If you are using a electric mixer, put it on low speed. Mix in the rest of the ingredients, except for the chocolate. You need to melt the chocolate, which can be trick to do without burning. A double boiler is recommended (just a pot within a pot of boiling water), but a microwave can also be used if care is taken. Slowly mix the melted chocolate into the mixing bowl. Now, mix this on low speed until it is consistent, and no yellow is noticeable. After it has been mixed, spray non-stick spray into a cupcake pan and pour your chocolate mix into each one, filling it about half-way up. Cook at 350 degrees for 8 minutes, checking them every few minutes with a toothpick. Gently stab the toothpick into the cakes, and you will know they are complete when there is no wet batter on the toothpick after removing it from the cakes. Once finished baking, place on cooling racks and enjoy :D This has been Chupa's Cooking Corner. Enjoy, ELChupathingy ---------------------------------------------------------------------------------------------------- Yum. It is here that we bid you farewell, my delicious friends, for we must go forth and hax teh planet. As usual, we would like to now open the call for papers for issue 6, which is scheduled for release sometime in October 2011. Remember - there is no greater gift than the gift of a submitted article. Well, not quite, but it still comes pretty close. Enjoy the rest of the summer, and for God's sake, do try to get some sunlight. <3, the gny crew irc.gonullyourself.org +6697 #gny reddit.com/r/gny [==================================================================================================]