BINARY_REVOLUTION


Binary Revolution is a magazine about technology. Specifically,
we look at "underground" topics of technology including: Hacking,
Phreaking, Security, Urban Exploration, Digital Rights, and more.
We will also address politics as they relate to technology or digital rights.

On-topic poetry, photography, and art are welcomed as well. This
magazine is what we make of it, so please send your submissions,
comments, questions, and suggestions to articles@binrev.com or
letters@binrev.com and help the revolution continue!

www.binrev.com

BINARY REVOLUTION is a DDP Production

The Digital DawgPound is:
   StankDawg
   dual_parallel
   bland_inquisitor
   logan5
   biOs
   w1nt3rmut3
   Eva_Tech
   nick84
   Rax

/bin/rev/staff/
   Editor-In-Chief: StankDawg
   Layout and Design: logan5
   Webmaster: bland_inquisitor

Cover Credits:
   Concept: StankDawg
   Design and Layout: logan5

Disclaimer: This magazine is about education. It may address topics that can be used in a negative
manner, but they are only presented for the sake of knowledge and learning. We DO NOT CONDONE
using any of the techniques or topics addressed in this magazine, or any of the sites mentioned in this
magazine, for destructive purposes. None of the members of DDP, nor the individual authors of the
articles, accept any responsibility for any damage that you may do with the information we present.
You are responsible for your own actions.

Copyright: The articles included in each issue are written by a variety of authors. Each author holds
the copyright to their respective articles. To reprint an article, you should contact the authors directly
and get permission to use their work. In addition, the art and logos referring to "DDP", "The Digital
DawgPound", "Binary Revolution", and any derivation thereof are copyrights of The Digital DawgPound.
If you want to use any DDP content, simply contact us and we will gladly give consent under most
circumstances. Simply use common courtesy and we will gladly cooperate.


Binary Revolution . ©

BINARY_REVOLUTION

ls /bin/rev/1.1/*.*

file:                                                          creator:
Editorial/Introduction                                         system
HACKING 101 - Footprinting a system                            StankDawg
DoS: Tools of the Tools                                        bland_inquisitor
2600 secrets                                                   nick84 & StankDawg
Letters                                                        system
A nubies guide to ghettodriving                                StankDawg
Phreaking Italy                                                w1nt3rmut3
Cookies: The Good, the Bad, and the Ugly                       bland_inquisitor
Public TTYs: Description and Methodologies for Free Calling    dual_parallel
Your rights and why you already lost them                      Evo_Tech
Perl Corner - Watching the watchers                            nick84
Closing comments                                               system

/bin/rev/1.1

Editorial/Introduction

What is wrong with this world? We live in an age where the most bizarre events happen. It is almost as though every episode of every bad sitcom is coming to life as the days unfold. Things that used to be considered humorous, and matters that were once considered minor are now becoming felonies! That was the motivation for the cover of this issue.

On February 12th, 2003, the Palm Beach Post reported on this bizarre incident that could easily have been an episode of "Diff'rent Strokes". A 6th grade student (age 11) did something that many children may have done in their lives. He changed his grades. He may have been ashamed of his grade, or felt he was graded unfairly, or any number of reasons for the action. The reasoning is not important. He simply made a bad decision based on whatever reason he had. Now this is wrong, and is something that should be punished. This is not at question!

If you do not already know about his story, you might guess at the punishment for such an act. Perhaps the child was suspended from school for a few days. Perhaps he was forced to stay after school or be required to do extra homework assignments.
Perhaps you feel that this is a matter that the child's parents should handle by grounding him and making him apologize for his actions. How would you react if this were your child? What would you honestly consider to be an appropriate punishment for this situation?

Helen Roberts, principal of St. Lucie West middle school had him arrested! That is correct, I said ARRESTED! Not only was he arrested, but he was arrested with a FELONY charge against him! What felony did he commit, you ask? He committed an "offense against intellectual property". At 11 years old, the child now may have a felony on his record for changing a grade on his report card. Not only that, but principal Roberts also went the extra step of EXPELLING him from the school. How is it that we let drug dealers and murderers get off with a slap on the wrist every day in the United States, but an 11 year old child cannot make a mistake? When I hear about things like this, it makes me ashamed to be a human being.

You might be thinking to yourself that there must be more to the story, some other reason that such action was taken. Allow me to explain the details as they were reported by the Palm Beach Post (http://www.palmbeachpost.com) written by Nirvi Shah. The story goes like this: the boy (who is a minor and therefore nameless) was sitting in the lunchroom, when he came up with his diabolic plan. He told his teacher Susan Seal that he left his lunch in her classroom. When he went to the classroom, instead of retrieving his lunch, he sat down at Ms. Seal's computer and changed 5 grades on his reading assignments and, of course, saved the changes. While doing this, a math teacher walked by and caught him. The boy lied, as boys sometimes do when they get caught, and was taken to the principal's office to account for his transgression.

Principal Roberts did some research and came up with the following quote from the school resource deputy: "Whoever willfully, knowingly, and without authorization modifies data ...residing or existing internal or external to a computer... for the purpose of devising or executing any scheme or artifice to defraud... is guilty of a felony of the second degree." Ellen Mancini, an assistant state attorney in the St. Lucie County juvenile division said, "He modified data. I'd say it was a scheme to defraud". She went on to say, "It's cheating. It's depriving other students of the fairness of the system," she said. "It's as much a fraud as anything else. Sometimes, you have to do things as an example of the authority of both the school system and the legal system". In her evaluation of the event, the 11 year old child intended to defraud the school.

Whose grades are these anyway? Wasn't there a saying when I was a child that said you are only depriving yourself when you cheat? Was he wrong? Yes! Does the punishment fit the crime? Of course not! I cannot believe that it is really a question, yet these people seem to be very serious about going through with it. Kids have done this for as long as there have been schools! I think I saw an episode of this on "Little house on the prairie" for God's sake. It wasn't a felony then, and it isn't a felony now! What happened to common sense in this world?

According to their webpage, St Lucie West Middle School prides itself on being "One of the Top 100 Wired Schools" in the Country by Family PC Magazine and the Princeton Review. A smiling principal Helen Roberts sits above the welcome message, with obvious pride in her accolades. Perhaps she doesn't realize that the instructor's computer was left turned on, with no password protection. In my opinion, this is something that is not typical of a "top 100 wired school".
Maybe she thinks that security is not a necessity in a top "wired school". Interpreting laws is not a focus at a wired school obviously, nor is common sense. I guess she can take pride in the fact that one of her students DID learn a great deal about computers and applied what he learned. Unfortunately, she wants him expelled. Maybe Princeton and Family PC magazine are not the greatest judges of what constitutes a "wired school".

So how does the story end? The child was processed through the St. Lucie County jail, and then he was released to his father. Luckily, after 2 weeks of media coverage by independent media on (and off) the internet and even mainstream media including Fox News, the Florida state attorney's office decided NOT to prosecute the child as a felon. Instead, he'll be routed through a diversionary program for first time, nonviolent offenders. The boy's father made him write letters of apology, and now is working with an attorney of his own to defend his son against these ridiculous attacks. This is the very definition of triviality in our court systems. Now, because of the failure within a broken system where incompetence abounds, the boy's father must spend his hard-earned money to defend against something that should be over and done with. Even these new punishments and charges are too much, in my opinion, and more attention is needed to the case.

What about the actual decision makers who are keeping this whole sitcom going for another season? Ellen Mancini (ellen@stlucieco.gov) and Helen Roberts (hroberts@stlucie.k12.fl.us) obviously do not think they are wrong. If you think that they are wrong, please let them know.

In the meantime, enjoy the myriad of articles contained in this first issue of BINARY_REVOLUTION! The ranting is limited to the first couple of pages, I promise. The rest of the magazine contains articles that cover technology, phreaking, hacking, digital rights, security, and everything in between.
We appreciate your support, and I look forward to being around for a while, if you will have us. But now, I turn the magazine over to the members of the Digital Dawg Pound. Enjoy!

HACKING 101

This article is the first in a series of articles that address the oft-asked question, "How do I become a hacker?"

"Footprinting" A System
By: StankDawg
StankDawg@hotmail.com

Hacking is a very broad term that can refer to many things. In the context of this article, I am going to use hacking fundamentals to help you to "think outside the lines." It may sound cliche to say it, but once you get the hang of the concepts that I am teaching you, and the precise ways to accomplish each goal, you will start to understand the mindset of a hacker.

One of the things that most hackers have in common is the concept of thinking their way around things. When faced with a problem, or a situation that seems to have no options, hackers are able to make options appear. Before a hacker considers the situation closed, they make sure that all possibilities have been examined. This entails gathering all of the information about a given situation and thinking about where that information can lead them. With all of the information at hand, more options can be discovered. In a technical environment, this means "footprinting" a system to get all of the information you can about a particular environment in order to thoroughly investigate it.

Why is this step necessary? Many hackers don't know what it means to footprint a system and others simply do not see the value in it. By footprinting a system, you will get detailed information that will keep you from using inappropriate tools or methods of attack on a system. For example, in the screen shot below, you will notice that an attacker is trying to use a known exploit to break into my server.
If this user had done a little bit of work beforehand and footprinted my system, they would have known that I am running an Apache web server on a machine using the Linux operating system. The exploit that they were trying to use only works in systems running specific versions of Microsoft Windows. This is obviously the work of a "script kiddie" who doesn't understand basic hacking concepts. This attacker was probably just going through a range of IP addresses using the same exploits, hoping that he gets lucky and finds one purely by accident. I wish him luck.

[Screen Capture 1: two web server log entries, six seconds apart (15:41 and 15:47, -0500), each a GET request for a .../winnt/system32/cmd.exe?/c+dir path over HTTP/1.0 that was answered with a 404.]
Screen Capture 1 - IP address blurred to protect the incompetent

To "footprint" a system, or to get a "footprint" of a system means to use logic and technological understanding to obtain all of the publicly available information about a system. Why is this important? Sun Tzu stated in his famous writing The Art of War, "... that general is skillful in attack whose opponent does not know what to defend." You should know everything humanly possible about a system, company, and site before even touching it for the first time. By knowing all of the details about the system, you know more about your attack than your opponent knows about their defense. This puts you at an advantage.

To go about the process of gathering information, you should first start with the basics. If the company has a web presence, by all means check it out. You may even check out their competitors and see if they have already done some research and comparison work for you. I have found charts at other sites that compare that competing company to the company you are looking at, using technical data. What a great time saver that can be!
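Seen from the server operator's side, the entries in Screen Capture 1 are easy to triage: they ask an Apache/Linux host for Windows-only paths, so they are blind scanning rather than a targeted attempt. The following is an added example, not code from the magazine; the log lines, addresses, timestamps and the pattern list are constructed for illustration, and the server is assumed to write Apache Common Log Format.

```python
import re
from collections import defaultdict

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) \S+'
)

# Request features that only make sense against a Windows/IIS host.
# Hypothetical starter list for this example, not a complete signature set.
WINDOWS_ONLY = [
    ("cmd.exe invocation", re.compile(r"cmd\.exe", re.I)),
    ("Windows system directory", re.compile(r"/winnt/|/system32/", re.I)),
    ("IIS script mapping", re.compile(r"\.(?:ida|idq|asp)(?:\?|$)", re.I)),
]

# Constructed sample log: documentation-range addresses, invented timestamps.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jan/2003:01:15:41 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1111
192.0.2.10 - - [20/Jan/2003:01:15:47 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1111
198.51.100.7 - - [20/Jan/2003:01:16:02 -0500] "GET /index.html HTTP/1.0" 200 5120
203.0.113.5 - - [20/Jan/2003:01:17:30 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 1111
this line is not a log entry
"""


def mismatched_probes(lines):
    """Group requests for Windows-only resources by source host.

    Returns {host: {"probes": int, "served": int, "reasons": set}}.
    "served" counts probes answered with a 2xx status; on a Linux/Apache
    host that should stay at zero and deserves a look if it does not.
    """
    per_host = defaultdict(lambda: {"probes": 0, "served": 0, "reasons": set()})
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # skip malformed or non-CLF lines instead of failing
        reasons = {name for name, rx in WINDOWS_ONLY if rx.search(m["path"])}
        if not reasons:
            continue
        entry = per_host[m["host"]]
        entry["probes"] += 1
        entry["reasons"] |= reasons
        if m["status"].startswith("2"):
            entry["served"] += 1
    return dict(per_host)


def blind_scanners(lines, min_probes=2):
    """Hosts that repeatedly asked for the wrong platform and were never served."""
    return sorted(
        host
        for host, e in mismatched_probes(lines).items()
        if e["probes"] >= min_probes and e["served"] == 0
    )


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    for host, e in sorted(mismatched_probes(log).items()):
        print(host, e["probes"], "probe(s):", ", ".join(sorted(e["reasons"])))
    print("blind scanners:", blind_scanners(log))
```
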
As you continue your research, take notes regarding all of the different server names that you may run across. Open a text editor like notepad or something similar to copy and paste different bits of information into a text file. For example, say you notice that when you enter the "support" section of the site, the server name changes from www.fakecompany.com to forums.fakecompany.com or something similar. Make a list of all of the servers. Notice the structure and naming convention of their folders. Copy the name and address of the company, find out where it is located, and maybe get a list of names of employees. You may even take it upon yourself to call the company and try to get more information over the phone. Every little bit of information has some value. Companies make a living doing data mining and data warehousing on consumers. Why not flip the script and do a little data mining on them?

Other than the obvious digging through their website, pamphlets, phone book, and other public sources of information, what else can a person do to get a better footprint of a system? Well, most of the ideas so far were more along the lines of company information. This company information, which may contain user information, can tell you a lot about the technical environment that exists. For example, if there are email addresses that are publicly listed, this could be invaluable information. Why? With the onset of single-sign-on, these may be the same usernames that are used for all access. So never dismiss this first step of information gathering as unnecessary. Once you have gotten that out of the way, you can jump into the technical part of the footprint.

Now it is time to do some real digging on the technical side of things. The very first place that a person should go is to the global domain registry. Currently, this is operated by VeriSign at http://www.verisign-grs.com/,
although it could change to a different URL and ownership as the government tries to tinker with and extend its control over the internet. Basically, just find the global registry, wherever it may move to, and it contains the IP address and information of every web site that exists on the internet. This is also referred to as a WHOIS database or a WHOIS lookup. The result of a WHOIS search contains the name of the registrar that is responsible for giving access and/or hosting service to the site in question. You should then, in turn, go to the WHOIS lookup for the individual registrars. This second search will give you all of the contact information for the person(s) from that company who is/are responsible for that site. You will be presented with phone numbers, DNS server names, and lots of information that you should also keep in your footprint. Some of this may be used for more technical research, and some may be saved for future social engineering. Be warned that while this is usually accurate for companies, it is notoriously inaccurate for rogue websites. Many users choose to give false contact information to protect their personal privacy.

Another quick bit of information to get is the IP address of the system. You can use a simple command line tool called NSLOOKUP to do this on a remote system. There are many other ways to do this as well. Any software site will have several network applications that will do IP address lookups as well as many other functions that will help form a deeper footprint. Sometimes you may have physical access to the target system but not have command line access, nor do you have any applications that will find the IP address for you. In this case, you can use one of hundreds of tools on the web. One that comes in handy is http://www.whatismyip.com which will give the IP address of the system you are currently browsing from.
This is particularly useful from public places where you need to footprint quickly and without drawing a lot of attention.

One final thing that I like to do when creating a basic footprint is to try and find out where the system is physically located. Sometimes the machine is not physically located at the same place as their offices or that they publish on the web site. One tool that you may use for this is called TRACEROUTE (or TRACERT) which will start from your IP address and show you the path that it takes from you to the destination. The reason for doing this is to get an idea where your packets travel on the way to the destination. Again, this step is very rarely used in practice because people do not realize the importance of the data that is presented by this simple utility. Does it leave the state or country that you are in? This makes a great deal of difference in the legality arena. Does it pass through a .MIL or .GOV domain on the way? That would make me very suspicious.

Look at the screenshot below at a portion of a TRACERT to the site mentioned above. You should get in the habit of interpreting the naming conventions that you see. You can see below that while the names may seem random, you will see tell-tale signs that show that hop 9 took place in Atlanta (*.ATL5.*) and then continued on to several hops in Chicago. From Chicago, it reached what appears to be Michigan (*.LNNG.MI.*) then into Flint Michigan (*.FLNT.MI.*). Not all names are clear cut (like the last hop) but you now have an idea that this server is in, or near, Flint Michigan (In actuality, it is just across the border in Illinois).

     9    48 ms    49 ms    49 ms  0.so-1-0-0.TL1.ATL5.ALTER.NET [152.63.85.217]
    10    68 ms    69 ms    68 ms  0.so-6-0-0.TL1.CHI2.ALTER.NET [152.63.13.21]
    11    67 ms    69 ms    69 ms  0.so-1-0-0.XL1.CHI2.ALTER.NET [152.63.67.106]
    12    68 ms    69 ms    69 ms  0.so-7-0-0.XR1.CHI2.ALTER.NET [152.63.67.130]
    13    68 ms    69 ms    68 ms  293.ATM7-0.XR1.CHI6.ALTER.NET [152.63.65.30]
    14    66 ms    69 ms    79 ms  191.ATM9-0-0.GW1.CHI6.ALTER.NET [152.63.65.69]
    15    67 ms    69 ms    69 ms  voyager-gw.customer.alter.net [157.130.118.138]
    16    76 ms    69 ms    69 ms  498.atm6-0.rtr1.lnng.mi.voyager.net [169.207.224.145]
    17    70 ms    79 ms    69 ms  se3-0.rtr0.flnt.mi.voyager.net [209.153.129.86]
    18    86 ms    79 ms    79 ms  winntcluster.fastdnsservers.com [209.81.157.200]

    Trace complete.

Screen Capture 2 - Also notice that the name in the final hop tips off the OS as possibly being Windows NT

By now you have a pretty good idea of what servers are in play and the major system targets. Notice that I still have not touched the systems directly! I have done all of this basic level footprinting by using public means. Even now, there are more things that you can, and should do, before you take the next steps and start touching the systems directly. The next step is to identify what operating systems the systems are running as well as what applications the systems are running.

To find the operating system, it is helpful that you are familiar with operating systems in general. By knowing some of the standards and naming conventions of the operating systems, you may be more likely to recognize the system. Again, this information may also be easily garnered from the company's web site or other public records. Look for the "about" page or search through their help files to see if there are references to the technical environment that they run. But by having some general experience with different operating systems and how they look and feel, you may be able to determine, or at least make a strong guess at the operating system. Look for signs like error messages that are specific to a certain operating system. Watch the naming conventions that it uses.
If you see references to directories with names like "/usr" or "/etc" then you have an idea that it is probably a UNIX system of some kind. Do not assume this to be the case, since many systems are "honeypots" that are set up to look like something else entirely just to lure you in and trap you. There are also tools online that will query a site, and based on technical responses to packet requests, give you a good idea what the site may be running. One of the best is http://uptime.netcraft.com/up/graph/ but there are others to choose from. I could have presented this URL to you earlier, but it is important not to be dependent on these tools without understanding the principles that they are based upon.

The rest of the footprinting processes become more intrusive. From here on in, you are probably no longer viewing public information! That means that you could be breaking the law if you perform these steps on a system to which you do not have authority. For the rest of this exercise, we will assume that you have authority to the systems in question. It can be debated whether simply looking at a system is an attack or whether a portscan constitutes access. The bottom line is that you need to know the up-to-date laws for your state and country. Even if you do these things innocently, and for the sake of knowledge and understanding, YOU MAY BE BREAKING THE LAW! Do so at your own risk.

The next step of the footprint is to find out what applications the target system is running. There are many ways to do this. I have to repeat that this kind of information may also be found on the company's web page or documentation, so always check there first. They may publish .XLS files or .PDF files which tells you that they are running Microsoft Applications as well as Adobe applications. What you may find far more interesting are the proprietary programs and applications they are running and what databases they use.
Usually, however, this level of technical data is kept a little bit more private. Similar to finding out the operating system, it is good to have some experience with different types of databases and applications. Look for error messages (or success messages) that may give you a clue. Something that says "Error code: ORA4500" could indicate that they are using an Oracle database. So could a directory called "C:\ORANT" or similar naming convention. If they give you public access to their systems, try them!

One of the best ways to find very technical information about a system is also the most dangerous. It is called a portscan and it is dangerous because it will most likely get you caught, especially if you do it carelessly. There are many different portscan tools and applications out there that will allow a user to select a system by IP address (which you should have from the earlier steps of the footprint) and scan it to see what open ports it has. If the system you are scanning has an intrusion detection system (IDS) then you should be forewarned that the act of portscanning is considered "hostile" by most of these programs. Your IP address and activities will be logged and investigated by the security officer for that system! Depending on what else you do, it could be elevated to a law enforcement agency. This is one of the reasons for the motto: "NEVER HACK FROM HOME!"

[Screen capture: limited portscan results in three columns (Service, Protocol, Port), listing repeated entries for netbios-ssn (TCP 139), pop3 (TCP 110), smtp (TCP 25) and ftp (TCP 21).]

The portscan will tell you all of the open ports on the machine. If the system has multiple machines, which is highly likely, you should portscan all of the ones that you know. By analyzing the results from a portscan, you can tell what ports it has open. You may recognize certain ports as being used by certain apps. The screen shot to the left was taken from a limited portscan. You can see what services they are running and by connecting to some of them, you may discover what applications they are using. Better portscan and network analysis tools will give you similar information and much, much more. Two of the best commercial packages for hardcore footprinting and security risk analysis are NetRecon from Symantec, and LANguard from GFI. There are literally hundreds of free and open source equivalents as well.

I highly recommend you do this from a different location if you are not previously authorized to do this! If you do a portscan using your laptop from a library, coffee house, or university, then it will be much more difficult to track the alleged attack back to you. This is another reason for the great interest in wireless hacking. With open wireless networks, you can get an almost totally anonymous connection that can be untraceable if you know what you are doing. Another great tool if you have physical access to the system is http://scan.sygate.com/ which is a portscanner and other tools, all of which have a web interface. Once again this is useful if you are in a public place trying to find information on a public system. This could also be useful if you are inside the company you are researching. Depending on how serious you are about this investigation, you might even consider working for the company part-time if you do not already. This will give you limited access to insider information and give you physical access to their systems.

This may seem like a long process, but as you get better at it and get the hang of it, you will get faster.
But speed is not necessarily important, which is why note-taking is emphasized so much. Taking good notes is a must and also allows you the luxury of stopping and continuing later. This does not all have to be done in one sitting! In actuality, it may be better to spread out the time between visits to prevent patterns in the logs that may get you detected more easily. You will notice that in almost all of your hacking endeavors, this fundamental process will come up over and over again, or at least some parts of this process. Get good at doing it and it will become second nature to you. The most important thing is that you understand the importance of it, and realize that even though it may sound cliche, knowledge truly is power.

Flawed Programming - There are other types of attacks that make full use of programming oversights. The Pentium f00f attack allows someone to crash any x86 environment by executing the bogus instruction 0xf00fc7c8 because of a flaw in Pentium microprocessor programming. We know that it is possible to execute commands in a buffer overrun situation, and this type of attack is based on that principle. For those who may not be familiar with the term "buffer overflow," it is a condition that allows for code to be run (usually as root) by putting a greater number of characters than allowed for into a variable. The most common occurrence of this is when a program inserts data into a buffer without checking its size.

DNS Cache Poisoning - It is also possible to alter a router so that it redirects all incoming traffic to an unintended location, either through the attacker's system, or into a non-existent one. DNS attacks or "cache poisoning," occurs when a DNS server is tricked into resolving an unintended location.
An example of cache poisoning would be if someone redirected all the traffic intended to go to www.stankdawg.com to www.disney.com therefore denying service to www.stankdawg.com. Also, it is possible to redirect traffic to a non-existent network or "black hole." An example of this would be sending all incoming traffic meant for www.oldskoolphreak.com to be sent to an arbitrary address, essentially erasing www.oldskoolphreak.com from the internet. This could go undiscovered for days, until the host notices their hits went from 5000 to 0!

A LOOK AT CANNED DoS ATTACKS:

smurf - smurf is a self-amplifying attack that uses directed broadcasts to crash a network. There are 3 players in this scenario: the criminal, the amplifying network, and the victim system. What happens is that an ICMP ECHO packet is spoofed to appear as though it were sent from the victim's system to the amplifying system's broadcast address. Here's where the shiznit hits the fan. Every box on the amplifying system that is configured to respond to a broadcast ping request will respond to the victim system, thereby flooding it with responses, and shutting it down. To keep your system out of the amplification business, simply disable directed broadcasting at your border router. To keep from getting "smurfed," limit incoming ICMP and UDP at your router to only those systems that need it. If you find your system on the business end of a DoS attack, get with the amplification system, and use a tool like MCI's "dostracker" to trace the attack to its source.

Fraggle - Fraggle, a variant of smurf, is a DoS mechanism that uses bogus UDP packets, to port 7 (the echo port), as opposed to smurf's ICMP. The advantage over smurf, if you want to call it that, is that if a box on the amplification system is not configured to respond to UDP, it will send back an error message that will consume bandwidth.

DDoS ATTACKS:

In February of 2000, the long theorized DDoS attacks came.
EBay fell, then CNN.com, then 5 other major systems and a myriad of minor ones came grinding to a halt. DDoS attacks require more forethought than DoS attacks, but that doesn't make them any harder to accomplish, or any less common. The difficulty is in Owning the systems themselves! There are 2 parts to most DDoS scripts, the client (used by the criminal), and the servers (placed on unwitting or already Owned systems). An attacker will place the server software on as many computers as possible, making them his "zombies." Then, when the attacker feels the time is right, the zombies will execute the attack command, using their resources, and IP addresses, to shut the victim system down.

The first DDoS attack mechanism was written for 'nix systems by "Mixter." The "Tribe Flood Network" offered all the standard DoS attacks, and sported a TCP-bound root shell. After TFN was shown to be effective, the look-alikes hit the scene, all attempting to offer better features while simplifying the process even farther. Trinoo and Stacheldraht are 2 major players in the post-TFN market. Of the 2, Stacheldraht is the most stable and lethal of the DDoS programs. Offering ICMP, UDP, SYN, and smurf-style attacks, encrypted telnet sessions between client and server, and the ability to blind network-based intrusion detection software, Stacheldraht is the leanest, meanest way to hose a network almost anonymously.

LOCAL ATTACKS:

There are a number of local attacks, but they are not very popular. Also, they are all but outdated. These examples are more aptly defined as "exploits," but I mention them here because they can lead to a DoS situation, even though they are distant cousins. On NT 4.0, there is a way to fill %systemdrive% by exploiting disk quota functionality. In Linux kernel 2.2.0, a local attacker could use the munmap() function call used by ldd to overwrite key areas of the kernel memory, causing a kernel panic.
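The two smurf mitigations given earlier in this article (no directed broadcasts at the border, and inbound ICMP and UDP only for the systems that need it), together with Fraggle's use of UDP port 7, can be written down as a border filter decision. This is an added sketch, not code from the article; the networks, allowlists and packets below are constructed assumptions, and the function names are hypothetical.

```python
import ipaddress

# Assumed site layout for this example (documentation address ranges).
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]
# Hypothetical allowlists: the only hosts that need inbound ICMP echo / UDP.
ICMP_ECHO_ALLOWED = {ipaddress.ip_address("192.0.2.53")}
UDP_ALLOWED = {(ipaddress.ip_address("192.0.2.53"), 53)}

ICMP_ECHO_REQUEST = 8   # ICMP type used by ping and by smurf
UDP_ECHO_PORT = 7       # echo service abused by Fraggle


def is_directed_broadcast(dst, nets=INTERNAL_NETS):
    """True if dst is the broadcast address of one of our subnets.

    The subnet mask matters: .255 is the broadcast of the /24 but an
    ordinary out-of-range address for the /25. The all-zeros host address
    is included because older stacks treated it as a broadcast too.
    """
    dst = ipaddress.ip_address(dst)
    return any(dst in (n.broadcast_address, n.network_address) for n in nets)


def border_decision(pkt):
    """Decide what the border router does with one inbound packet.

    pkt is a dict with src, dst, proto ("icmp", "udp" or "tcp") and,
    depending on proto, icmp_type or dport. Returns (action, reason).
    """
    dst = ipaddress.ip_address(pkt["dst"])
    # 1. Stay out of the amplification business.
    if is_directed_broadcast(dst):
        return ("drop", "directed broadcast")
    # 2. ICMP echo only to the hosts that need it.
    if pkt["proto"] == "icmp":
        if pkt.get("icmp_type") == ICMP_ECHO_REQUEST and dst not in ICMP_ECHO_ALLOWED:
            return ("drop", "icmp echo not needed by host")
    # 3. UDP only to the services that need it, and never to the echo port.
    elif pkt["proto"] == "udp":
        if pkt.get("dport") == UDP_ECHO_PORT:
            return ("drop", "udp echo service")
        if (dst, pkt.get("dport")) not in UDP_ALLOWED:
            return ("drop", "udp not needed by host")
    return ("accept", "permitted")


# Constructed inbound packets covering each rule.
SAMPLE_PACKETS = [
    {"src": "203.0.113.9", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8},
    {"src": "203.0.113.9", "dst": "198.51.100.127", "proto": "udp", "dport": 7},
    {"src": "203.0.113.9", "dst": "192.0.2.53", "proto": "icmp", "icmp_type": 8},
    {"src": "203.0.113.9", "dst": "192.0.2.20", "proto": "icmp", "icmp_type": 8},
    {"src": "203.0.113.9", "dst": "192.0.2.53", "proto": "udp", "dport": 53},
    {"src": "203.0.113.9", "dst": "192.0.2.53", "proto": "udp", "dport": 7},
    {"src": "203.0.113.9", "dst": "192.0.2.80", "proto": "tcp", "dport": 80},
]


def filter_all(packets=SAMPLE_PACKETS):
    """Apply border_decision to every packet; returns a list of actions."""
    return [border_decision(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p["dst"], p["proto"], *border_decision(p))
```
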
In closing, remember that the key word in "denial of service" is DENIAL! It's not always a matter of using brute force to shut someone down. Almost always, the most effective attacks are also the stealthiest. If you want to learn more about DoS attacks, try them out on YOUR OWN system. Learn safely, and have phun!

SHOUTS: StankDawg, who for all the editing is hereby officially promoted to co-author, dual_parallel, and everybody at www.stankdawg.com and www.oldskoolphreak.com.

*================================================================*
* 2600 Secrets - by: nick84 & StankDawg @ DDP(www.stankdawg.com) *
*================================================================*

Recently 2600 has been including a number of secret / hidden messages on certain pages within each issue, which this article aims to outline. Be forewarned that there may be "spoilers" here that you may not want to know in case you insist on finding them all on your own. This list starts with the first issue of year 2000.

Page 33 - In each issue, page 33 is not labeled as such; the number 33 is cleverly disguised in various ways. In issue 19.4 the editors of 2600 wrote the following comical reply about it: "we get more mail on this than any other subject by far. And yet, everyone who writes in seems to know what page number they're talking about even though they claim the page information is faulty! It defies all logic".

Previous Page 33's
17.1 - Date listed as "spring 0" instead of "Spring 2000" (*NOTE*: this issue had several different page anomalies similar to the ongoing page 33 fun. This was the first issue in which the phenomenon appeared, and the running joke seems to be that a "Y2K bug" is still lingering in the 2600 computer system right up to this day.)
17.2 - Date listed as "Summer 19100" instead of "Summer 2000"
17.3 - Date listed as "Fall 0" instead of "Fall 2000"
17.4 - Date (Winter 2000-2001) covered with a black (censor?) bar
18.1 - Omission of date "Spring 2001"
18.2 - Mirror image
18.3 - Replaced "Fall 2001" and "Page 33" with their respective rot-13 translations of "Snyy 2001" and "Cntr 33"
18.4 - Omission of the date "Winter 2001-2002" and the word "Page"
19.1 - Unknown hieroglyphics, possibly Wingdings font
19.2 - XXX & III
19.3 - 33 dots/periods
19.4 - Upside-down top right of page

Index Page - The index page usually contains a hidden phrase/message, or picture:

Previous hidden content on the Index Page
17.1 - ???
17.2 - ???
17.3 - ???
17.4 - "Ya Basta" beneath the word May (Ya Basta "practical anarchism")
18.1 - ???
18.2 - ???
18.3 - the word "rebuild" in the bottom center
18.4 - ???
19.1 - ???
19.2 - the word "think" above the word "comprehensive" in line 2
19.3 - IP address 166.112.200.202 [citizencorps.gov] under the word "monitoring"
19.4 - "Kevin is now free" (above "positivity")

Front Cover - Covers have been known to contain hidden words/meanings/significance:

Previous unexplained or hidden content on the Covers
17.1 - A silhouette of 3 people in a movie theatre. The 3 people look strikingly similar to Bugs Bunny, Darth Vader, and Mickey Mouse. It is a protest over the lawsuits against 2600 by the MPAA. At the bottom is a picture of a VCR with the buttons labeled with the words "awareness", "unity" and "power". The DVD logo has the word "tyranny" in it and there is a "REJECT" button next to it.
17.2 - Although it was not known at the time of publication, these were scenes from the documentary film "Freedom Downtime" about Kevin Mitnick and the film being made about him.
17.3 - A handcuffed individual wearing an H2K shirt with the phrase "VOTE NADER" seemingly tattooed on his arm.
His hand holds a Motorola cell phone with the number "3479379686" and the time "8:06" on it. The number was actually the decimal representation of the IP address of the 2600.com website at that time. It has since changed.
17.4 - The BellSouth building at night with the Batman symbol in the sky behind it.
18.1 - A courthouse with the saying "Equal justice under law" is guarded by police officers in riot gear. A "Save WBAI" bumper sticker is on the steps. WBAI is the station in New York that broadcasts "Off The Hook". The scene poses the question: How can there be equal justice under the law, if the law is no longer accessible to the people?
18.2 - The 2600 van in front of the Ford building with the name of the building altered to say "Ford Really Sucks" as a protest against Ford and other companies threatening legal action against sites that register names using the company's name in a negative manner. Reflected on the windshield are IP address ranges that are owned by Ford.
18.3 - Picture of Dmitry Sklyarov superimposed against the New York City skyline. The picture was taken before September 11. If you hold the book at an angle so that the light bounces off of it just right, you can see a peace sign formed on the glossy paper just below the 2600 logo in the open sky.
18.4 - In the background is a road sign reading, "Do Not Enter - Except Authorized Vehicles". The foreground quotes a statute that demonstrates how liberally and vaguely laws can be written, so that they infringe on our civil rights so badly that we might as well not take any actions at all at the risk of breaking some poorly worded law.
19.1 - Several hidden words from the top down including: Cyber Crime Treaty, Infinite Justice, WTO, RIAA, Code Yellow, CARP, FCC, C(B/D?)DTPA, CH(???), DNA, MPAA, USA Patriot, Axis Of Evil, DMCA.
19.2 - Map of open/closed wireless networks in Manhattan, New York City.
19.3 - Picture in front of the White House.
The jar labeled Tips is named after a controversial Orwellian-like program in the United States. The jar contains social security cards, a US passport, a phone bill, a copy of 2600 issue 19.1, 2 diskettes labeled "evidence", a roll of film, and a plane ticket. Being placed in the jar is the US constitution, which symbolizes the loss of our civil rights, particularly privacy, to programs like this.
19.4 - Believed to be the face of Emmanuel Goldstein from 1984 on the Blinken lights project building.

So go back and dig up your old issues of 2600 and see if you missed any of these little hidden secrets. I am sure they are not done yet!

Comment:
"I've been interested in hacking since I was 9. I started with VB v3 (I think) making AOL progs and trying to find someone who knew hacking me to take me under my wing. I talked to a few of them, same response from all of them: READ. Well, I couldn't understand what I was reading. Now I'm turning 17 and I get it a little more, however I'm still searching for that proverbial master to teach me to snap a fly out of his hand. I've been socially engineering since I was in middle school. In 8th grade I was the first one to send messages over the network via DOS prompt and make music. I did it all blind, not knowing what I was typing would do anything. Then with a new computer system in play, I was the first one to bypass security, warez games onto them, and at the end of the year, flood the system with a virus of my friend's creation that fills the computer with random files of random suffix (.exe, .cfg, .wlz, .hlp, etc) so they couldn't find file and delete them at once. Eventually this filled every computer in the school with SHIT files and ate memory when the computer started. Then I fucked with the .bas files in the server and it went down. I don't know how long it took them to clean what I did, I never went back. This again, all without knowing what I was doing. I socially engineer every chance I have. All over my high school I watch security, bullshit teachers and administration. I really try without knowing what I'm doing. However, I still want to phreak and hack. I still haven't figured out *NIX systems, I don't even know where to begin or how to install the fucking thing. I think I've found some accurate redbox readme's from PIS5. Maybe. I'm going to go to Radio Shack and look around at the shit there, I need though, source. It seems like it's a giant community of underground social engineers using the art of phreaking/hacking to make their lives easier. I want in, badly. However I can't sort the 1970's articles from what's new. I can't find anything that's up-to-date with HOW TO and INTRODUCTION stamped on them. I want to find a leg in the door or at least some kind of newbie site. I very badly want to start phreaking since it seems the easiest to get into overall.

If you think you can help at all, please. I'm tired of this pretty school shit and engineering my way onto Wal-Mart PA systems. I want to get serious, I want to have a red box with me and be able to make a call when I want. I want to gator clip my way onto a phone line and make calls. Shit, I want to be able to get where I want. If you can help at all, thanks. And I'll register if I need to reply, which I hope I will."
-j p

Response:
Well, we welcome anyone here who wants to learn. I hope you do register and visit frequently. What people told you is true. You have to read a LOT, but here you can read and interact and get responses to specific questions. There are already tons of threads that will teach you a lot.

There are a couple of things that you mention that I think I should address. If you want to learn and experience real hacking, you need to first define what hacking is to you. I seriously think you should read our FAQ and read the very top of the Main Page. These are the things that we emphasize here.

You will find very little help with creating and distributing viruses. If that is your interest, you can find that information elsewhere on the web. While I am not totally opposed to it, I prefer to focus on more productive and positive things than destruction.

Red boxing doesn't work anymore. People can debate that if they want, but I believe it. "Gator-clipping" or beige boxing does.

As far as timeliness of information, listen to RFA (which you do), read the 'zines (many linked from here, just look for them), and visit the forums frequently. Our Articles page is up-to-date and I am in the process of putting dates on that page just for validity.

Most people work or go to school and hacking is a hobby. Unfortunately, you might not find a full-time "mentor" simply because of the time issues. Instead, you have found a whole forum full of mentors.
StankDawg

Question:
I was playing with my router and came across an option for a DMZ host. it didn't give too much of a description of what it was except that you can set an ip address for it... now if I set an IP for this would that open up my network?
Twirlz

Answer:
The DMZ is for some online games or media streaming that doesn't work too well behind a firewall. I know that some live QuickTime Server streams don't like firewalls too well, so you'd have to place your machine in the DMZ to get the stream properly.

Quoteth I from my Belkin router manual: "ahem"
"Please note that when a computer is placed in the DMZ it is not protected by the firewall and is open to hacker attacks. Use this feature only when needed."

Huh. There's that "H" word again.

All the machines on my network (except my server) get a dynamic IP address from the virtual DHCP server in the router. On my router, you assign the internal IP address of the machine you want in the DMZ and then activate the DMZ feature. It still uses the IP address that is issued by the router but turns off all the protection features of the firewall.
Logan5

Question:
How do nukers work and what are 'packets'? How would one make a nuker with Delphi?
D-AcE

Answer:
Wow! OK, I'll answer this one...

PACKETS:
A packet is the method of transportation of data over the internet. When you send an email for example, it gets wrapped up by your system into a "packet" that contains 3 parts.

Part 1 is the header record. It contains a few things, most important of which are the destination address, and the originating address. It also contains the packet number to keep similar packets together.

Part 2 is the data (sometimes called "payload") record. This is the actual data that is being transmitted. This would be your email text with formatting (or forum post, downloaded web pages, any kind of data...). If there is too much data to fit in one packet, it is split into multiple packets. Each individual packet has a header record which keeps all the parts together.

Part 3 is the footer record. It basically contains the EOF (end of file) marker for the packet. It also contains error checking to make sure the packet is intact upon arrival. If one packet is damaged, the entire message doesn't have to be resent, only the damaged packet needs to be resent.

That is a very basic explanation. There are specific sizes for each packet segment and explanations for them all over the web. Just understand how they work for now.

NUKERS:
As far as I know, this is a slang term for DoS (Denial of Service) tools. They send out multiple packets to a specific site. They can take various forms, but they all work similarly. They manipulate the packet to do a couple of different things.

1) They simply send out millions of tiny packets with little or no data hoping to overload (or NUKE) the target router/system.
2) They send out packets with intentionally damaged records so that the system has to try and recover the bad data causing a huge amount of stress on the target router/system.
3) DDoS (Distributed Denial of Service) use either/both of these methods but they reside on multiple attacking machines. Instead of 1 machine attacking (which 99.99999% of the time is not powerful enough to take out entire routers anymore) they use multiple machines to all attack at the same time, synchronizing their attacks and NUKING the router/system in question.

IP Spoofing is usually a topic here, which is the concept of tricking the header record of a packet to reflect a FAKE originating address so that the attack is not traced back to the attacker. This makes it difficult to defend against, but easy to route away from (use another/backup router that is not being attacked to maintain availability while the attack is analyzed and traced).

HOW TO MAKE A NUKER WITH DELPHI:
Don't. You will get arrested. Almost all DoS attacks are traced and found. Header records and logs will always show traces of your attack. They are largely ineffective now anyway.

HTH! further reading ...
http://www.howstuffworks.com/router.htm
http://www.howstuffworks.com/question525.htm
http://www.howstuffworks.com/firewall.htm
StankDawg

Question:
I want to switch to Linux, but I don't know anything about it. So before I use a lot of money on an operating system I don't know, I would like to find a free version of it, but where can I find it?
Cr4X

Answer:
You can download almost any Linux distro for free. http://linuxiso.org If you don't have a CD burner a lot of places will burn CD's and sell 'em for a few bucks. You could also find your local LUG (Linux user group) here ... http://www.linux.org/groups/index.html ...and drop them an email. I'm sure someone has an old set of CD's they can let you borrow/have.
BoBB

Question:
Help, does anyone know the basics behind finding info out all the way up to taking over websites? Basic or hard, or even places that has EASY to read info, I cant stress that enough?
Cheers ...
-Insu

Answer:
There is no easy trick to hacking websites. That is a myth. You have to understand the website and their structure and look for weaknesses. It is a case-by-case basis. If it were easy enough to have a set of instructions, then everyone would be doing it.

There was a phase during the early years of the web where many sites (mostly pr0n sites) would use the same hashing algorithm to authenticate users. Or they used a simple nonencrypted database to store users and passwords. In these cases, hackers wrote tools to do simple lookups or even ADDS to the database to allow access. This was an app you would download and it would work on those sites that used that SPECIFIC type of database or algorithm.

Obviously, the pr0n companies put a stop to this quickly. Now most sites are different or use more secured systems so that there are no "magic" tools to hack any web site. You may get extremely lucky and find some moron who is running an old setup that these may still work on, but that is doubtful. If you want in, you will have to find a backdoor and it will only work on that particular system in most cases.

For one sample of basics, try my article on basic directory transversal at http://www.stankdawg.com/articles/
StankDawg

Comment:
I keep notes on things I've been reading or working on. I think so would you, if possible I'd like to get a copy of what you've gathered over time on CD or paper. It would be a big help since I see you've been in the scene for awhile. Only looking to widen the horizon, if you know what I mean. I have good intentions and don't mean no harm. I'm not a cop or anything affiliated with one. Just a guy that likes hax0r and wants to learn more. What I really want to read about more than anything is on Linux. I'm done with the books I just want some thing raw. Get back to me if you can, if not well delete peace.
Metadox

Response:
We keep a huge resource of information in the Digital Dawg House at www.stankdawg.com/forums as well as an archive of all DDP member articles at www.stankdawg.com/articles that are available to anyone. Our forums are a great, searchable source for information. If you cannot find what you need, feel free to post a question in the forums, where we do our best to find an answer.
StankDawg

Question:
I'm trying to find a music ripper to rip some old tapes of mine, but all I can find is CD rippers...would a CD ripper work if I was ripping a tape? ...also, after you get done recording is your wav supposed to sound all choppy or will the mp3 conversion fix that? because if not then I have a 1 gig wav file!!! if not what would I be doing wrong. I've been playing with audacity and I don't know what I would be doing wrong.
Twirlz

Answer:
OK. A .wav file is about 1 MB for every 10 seconds of audio. I think the reason your wav is choppy is because a gig of audio is a lot to ask of any system. trying to pre-cache that much raw data is going to give your box a hernia. try splitting your wav into more processor-friendly chunks and see if the quality is a little closer to what you want. Failing that, just convert the whole thing into mp3, that should reduce the size dramatically, and also the strain on your computer. If the conversion makes the quality better, it would be the size reduction's effect on the file. Also, there are good ways and bad ways to transfer a tape to your comp. The worst way is to hold a shitty mic up to the speaker on your boom box. The best way is to run an audio cable out of your stereo and into the line in jack on your soundcard.
bland_inquisitor

Comment:
hello there,
I was inquiring about joining. Well, I would just like to meet other hackers that i can discuss things about. I am located in Tokyo, Japan. I noticed you mention your group is international and was wondering if you had any contacts in Japan I could meet? I have been programming since I was 11 and have had a great love for computers (and exploiting them. Finding out how they really work) since that time. I am getting into assembly, disassembling, and cracking but could really use some guidance. Well, let me know the good word.
Izzy

Response:
You don't have to join DDP proper to hang out at the site and in the forums. Yes, DDP has members from around the world, but we also have forum members from all over the world as well. There are regular hits in my logs from Japan so someone is visiting from Japan besides you. By all means join the forums and introduce yourself and you will not only meet others from across the world, but possibly meet other hackers in Japan as well. We love hearing the world perspective on hacking!
StankDawg

Question:
Ok, so I'm reading all this stuff about beige boxing and some articles explain some stuff differently than others. I opened up this box on the side of a (uh... my) house and there were like these four screw lookin' things

[o][o]
[o][o]

Kinda like that, and there were some white colored wires in there too. Is this what I'm lookin' for?
Jeremy Renault

Answer:
Sounds like you have an older 4-post protector outside your house, in lieu of a TNI - Telephone Network Interface. The wires may not be red and green. Just take the alligator clips from your beige box and touch them to the posts until you get dial tone (feel free to check the voltage with a DMM if you're uncomfortable).
dual_parallel

Question:
I want to set up a personal website totally dis attached from my biz website. I'm faced with two options of where to host it. I REALLY want to host it myself here at home, since I have a G4 running OS X Server and it's more than up to the task. I'm really itchin' to do it that way, for the experience and learning process, but ideally I'd like to register a new domain name. My problem is that my ISP does not allow hosting sites on a residential account nor do they have the option for using a static IP address with a residential account. I can use a DNS alias to point to the web server, so that's not really an issue. If I want a static IP address and having a "legal" server, I'd have to bump up to a Business Class account which is over $100 a month, and I'd have to pay a monthly fee for the static IP address.

I *could* just set the site up on my server at home and hope that doesn't notice a spike of bandwidth usage coming from my account. But with my luck, they would pick up on it and shut me down....site, account and all. I could also set up a second hosting account with the hosting company where my biz site is hosted ...that's only $100 a year. But that means I don't get to play with my server.

So, can anyone give me an idea how much traffic there would have to be before picked up on anything? Does anyone else host their own site on an ISP account that they're not supposed to? Just curious on anyone's experiences in a similar situation.
logan5

Answer:
logan5, I have had 2 websites on my home server. I use dyndns.org to handle the name deal, since i don't have a static IP. I was running both of the websites, (digitalrights.org and animeshift.mine.nu) from my home server. digitalrights.org brings in (on a good day) between 300 and 800 hits a day. I can almost say for sure they will not notice the bandwidth spike. do you run p2p? p2p is the biggest bandwidth hog ever. you'll transfer MUCH more data if you are running p2p than you will just running a web server. I use as my provider. They have never said a word about it. and it clearly states "No server of ANY kind" in the terms. I say go for it. worst they can do is kick you off.
BiOs

Question:
I would like to start writing articles for the Digital DawgPound. I am wondering if I can submit them some where. Do u know where?
Rogue Operator

Answer:
Well, what a great, timely question this is! With the onset of our official DDP zine, we now open the doors for article submissions. This first issue was filled with articles by DDP members alone. We have written for many different zines in the past from 2600, to outbreak, to radical future, to frequency. With the onset of our new zine that you see before you, we now find ourselves in the position of accepting article submissions. Send any article submissions to articles@binrev.com and we will get back to you ASAP with information on using your article. If we cannot use it for whatever reason (such as a full issue already committed) we may know someone else who can use it before it gets outdated and put you in touch with them.
StankDawg

If you have questions or comments for the letters page, post them in the forums at http://www.stankdawg.com/forums or email us at letters@binrev.com and maybe you will see your name here next issue!
StankDawg

GPS (Global Position System) devices are a luxury that Ghettodrivers can forego. These devices will add extra information to your Ghettodriving. Specifically, they can add latitude and longitude readings for each wireless network you find.
This is helpful to pinpoint the exact location of networks that you pick up. Usually, you will know your own scans and save them with well chosen filenames to make them recognizable. When you start sharing your information with others (see STEP 5), they may need more precise information.

Antennas are another optional step, but these are generally unused by ghettodrivers. They are sometimes expensive, and the point of ghettodriving is to keep the cost down. You can find many places on the web to research how to make your own antenna, but it will require some time and knowledge. A better alternative for the ghettodriver with a budget would be to purchase one of the models of PCMCIA cards that has an opening for an external antenna built onto the edge of the card. Both Orinoco and Cisco make models like this with many more companies following suit.

STEP 2: SOFTWARE

Again, since this is geared for nubies, I am going to focus on the Windows XP environment. The software of choice for Windows XP is called "Network Stumbler" or "NetStumbler" for short. Always download the latest version to assure support for the greatest number of cards. Also, do not worry if your card is listed under the unsupported list. As I said earlier, Windows XP and NetStumbler provide generic drivers that may detect your card just fine even if it is not listed as a supported card.

There are also good clients for Linux. The most notable is "Kismet". If you are familiar with Linux, this might be the best way to go since Linux also has a few more tools and utilities for cracking. If you do not want to commit your entire laptop to Linux, you can also try the Knoppix distribution, which boots and runs entirely from the CD.

Also, since ghettodriving is about making do with what you have, I would be remiss not to mention what to do if your card is not supported by NetStumbler or Kismet.
Since Windows XP wireless networking is set to always listen for WAPs anyway, you may simply need the client application software that came with your wireless card. With this installed and running, you can simply use the built-in Windows XP wireless support to find wireless networks. There are other packages like aphopper that may work in a pinch as well. It is not as friendly as having a dedicated app like NetStumbler, but it will work, and that is the bottom line.

NetStumbler installation is straightforward. Once you install the software, you simply start the application and it will begin "sniffing" for Access Points. As you move around, and come in and out of range of wireless networks, NetStumbler will detect and notify you of each network. At this point, you are up and running, but it is important that you understand a few more things before you go further.

STEP 3: UNDERSTAND HOW IT WORKS

Wireless Access Points, or WAPs (or even simply APs), work on radio frequencies using basic radio wave technology. It is not much different than the way that your car radio works. Radio stations send out an extremely strong signal that gets picked up by your car radio (thus the need for an antenna). This is the same way that wireless networking works, only on a smaller scale. The radio station has a set frequency that you dial in on your radio tuner and it is sent out from an enormous broadcasting tower. A Wireless Access Point sends out a constant signal at a set frequency. The only real difference is that 802.11 has a much smaller range.

Since you know that the WAP is shouting out its availability all the time, just like a radio station, common sense tells you that you must be able to dial into that frequency, just like a

By: w1nt3rmut3

A fairly universal topic, phreaking. The phone system here is very different than the one in the states, well at least in Rome.
The pay phones are run by basically the same company, Puntotel. The big diff is that 99.9% of the phones are used by cards, not coins. Coin ones are very rare. The cards come in multiple sizes, ranging from 2.50 euros, to 10 and higher. They are also all the same exact type, except some take just cards, and some take cards and coin. They also have a lot of features, besides talking. They allow for SMS, email, and fax. Emails run for about 20 cents, and the SMS is, I believe, 10 cents, but I can't use it, b/c it can only be used to message European cellies.

A normal call would go like this:

1) pop the card in
2) pick up the receiver
3) dial the city code you're in (06 for Rome)
4) dial the number

That's for intra-Rome. It's akin to 10 digit dialing in the states. Then, you press the fat OK button. The other funny thing is that it doesn't dial until you are done typing in the number. It's sorta like dial tone emulation on some pay phones, where it waits for the whole number then dials.

One big difference between Italy and the states is that numbers can be of any length.

USA: 1 + NPA + xxx + xxxx
Rome: 06 + whatever length you have

It's sorta like a step-by-step, taking in the digits as they come. Oh, and in case you're wondering, the dial tone is totally different. It's a beeping, about a second long, and a second of silence.

ODDITIES:

4-digits

You have heard numbers on the radio like dial star something on your Joe Blow cell phone provider for requests on some Clear Channel station. They have something similar here, but for the land lines. Rome is a big tourist attraction, not to mention a big ass city, so you either turn to public transportation (a whole other file) or taxi. The taxis make it simple. Dialing 3750 or other 4 digit numbers gives you instant access to a taxi company, or perhaps other companies, simplifying the extortion of your money.
Permanent Marker

Something I have noticed on a lot of payphones is 3 digit numbers written on the sides. At first I thought this was isolated, but I looked around, and they're everywhere. My guess is there is some way to call the phones, but I have yet to figure that out.

Long-Distance Dialing

I have been known to make long distance calls, and I need some help in saving some money, so I use 101's for that in the states, but you gotta go for the cards here in Rome. Stumbling upon a phone shop, they offered me 100 minutes to the states for 5 euros. What a deal. After making some calls, I soon find out that the card has gone from 80 minutes, to 30 minutes. WTF? Thought it was just a glitch. But after buying more, I start to get only 30 minutes, not even a "100" to begin with. My guess is the company that produces them, Vectone, either knew I was coming, or the such proliferation of the cards forced their value down, and in turn killed the minutes. I did find the 800 number busy 50% of the time. BTW, u wanna the number?

800-969-572 (yes, that's 6 digits)
PIN: 9912 7236971

Good luck using that in the states.

Closing Arguments

So, it's all good here in Rome, except for the long distance. If anyone can figure out the 3 digit numbers on the phones, or run into one of my PLA stickers (bright green), drop me a line at: w1nt3rmut3@binrev.com

See ya!

COOKIES: THE GOOD, THE BAD, THE UGLY
by: bland_inquisitor

"Turn that (computer) off... That cookie shit scares me." -- Tony Soprano

The cookie. Those little crumbs of code that allow sites to get to know you a little better have been elevated to almost legendary status by the media and the tech-savvy community. I hope here to shed some light on the subject; to tell you what they are, how they work, their limitations, how to get rid of them, and how

    # @data, $line_end, $html_page and $html_results_file are set in the
    # earlier part of the script, which is not part of this excerpt
    close(DAT);

    # initialise a variable to strip new line characters from a string
    use vars qw/$NLT/;
    $NLT = qr/(?:\r|\n|\t)/;

    # prevent un-initialised errors
    $all_ip="";
    $all_hn_ip="";
    $all_sp_ip="";
    $hn_ip="";
    $sp_hn_ip="";
    $sp_lines="";

    # if a line number was entered on the command line e.g. perl ip_resolver.pl
    # 1724 start resolving ips from this point on
    if ($ARGV[0]) { $ln_line_from = $ARGV[0]; } else { $ln_line_from = 0; }

    foreach $line (@data) {
        $line_no++;
        if ($line_no >= $ln_line_from) {
            if ($line) {
                $line =~ s/$NLT//g;
                ($ip) = split(/ /, $line);

                # if ip is a number in the format ***.***.***.*** then
                # (anchored so the whole field has to be the address)
                if ($ip =~ m!^(\d+)\.(\d+)\.(\d+)\.(\d+)$!) {

                    # if the ip has already been resolved then skip this part
                    # (space-delimited and \Q-quoted so that 1.2.3.4 does not
                    # match inside 11.2.3.45)
                    unless ($all_ip =~ m! \Q$ip\E !) {
                        $all_ip = $all_ip . " $ip ";
                        $hostname = "";

                        # resolve the actual ip address (2 is AF_INET)
                        $hostname = (gethostbyaddr(pack('C4', $1, $2, $3, $4), 2))[0];
                        $hostname = $hostname || 'no reverse DNS';

                        # get the length of the hostname to line up the columns
                        $ocharno = length($hostname);
                        if ($ocharno > 50) { $charno = 1; } else { $charno = 50 - $ocharno; }

                        # add this amount of space characters to make up the
                        # rest of the line until the start of the ip address
                        $addspace = " " x $charno;
                        print $hostname . $addspace . $ip . "\n";

                        # use various colours for the various hostnames
                        $line_start = '';
                        if ($hostname =~ /edu/i) { $line_start = '<font color="#008000">'; }
                        if ($hostname =~ /(com|net|org)/i) { $line_start = '<font color="#0000FF">'; }
                        if ($hostname =~ /(gov|mil)/i) { $line_start = '<font color="#FF0000">'; }

                        # compile the finished hostname / ip line complete with
                        # font colour
                        $hn_ip = $line_start . $hostname . $addspace . $ip . $line_end . "\n";

                        # add this line to the rest
                        $all_hn_ip = $all_hn_ip . $hn_ip;

                        # if the hostname is a special one (gov/mil) then add
                        # it to a special store of its own to be displayed at
                        # the top of the page and also add the corresponding raw
                        # log lines to a special store
                        if ($hostname =~ /(gov|mil)/i) {
                            $sp_hn_ip = $sp_hn_ip . $hn_ip;
                            $addunderline = "-" x $ocharno;
                            $sp_lines = $sp_lines . "\n$hostname\n$addunderline\n";
                            $all_sp_ip = $all_sp_ip . " $ip ";
                        }
                    }

                    # if we have a special ip then store the log lines for it
                    if ($all_sp_ip =~ m! \Q$ip\E !) {
                        $sp_lines = $sp_lines . "$line" . "\n";
                    }
                }
            }
        }
    }

    # if there are special hostnames present then sort out the line spacing
    if ($sp_hn_ip) {
        $all_hn_ip = $all_hn_ip . "\n" . "~~~~~~~~~~~~~~~~~~~~ * GOV / *.MIL ~~~~~~~~~~~~~~~~~~~~\n\n" . $sp_hn_ip . $sp_lines;
    }
    }
    ### end sub get_hostnames
    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    sub save_html_page {
        # save the finished html page to a file ready for viewing
        open(DAT, ">$html_results_file") || die("Error ensure this script has write permissions \"$html_results_file\"");
        print DAT "$html_page";
        close(DAT);
    }
    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/* comments */

http://www.binrev.com/
The official website of Binary Revolution Magazine - source for news relating to the publication of /bin/rev/, as well as information on how to make submissions.

http://www.stankdawg.com/
The home of it all. Keep up with all DDP activities here.

http://www.oldskoolphreak.com/
Home of Radio Freek America (RFA). The official online radio show of the DDP. Starring dual_parallel and a cast of others.

http://www.digitalrights.org/
Yes, you DO have rights! You must visit this site to see how your rights are being taken away by our government on a daily basis. Formed by DDP member BiOs.

http://www.rootsecure.net/
Security news, updated daily. True unbiased reports from one of our worldwide correspondents. Created, written, and maintained by DDP member nick84.

http://www.port7alliance.com/
Home of a great online 'zine called Radical Future. Contains contributions from DDP members as well as P7A allies.

http://www.outbreakzine.tk/
Home of Outbreak, a monthly online 'zine containing more DDP contributions. From technical, to humor, this zine covers it all.

http://www.2600.com/
Come on, they started it all. Several DDP members have been published in 2600 and we strive to achieve their level of recognition. This magazine emulates their format.
http://www.phrack.org/
Another inspirational 'zine for technical information. We hope to achieve similar technical credibility.

THANKS:

As the editor of this fine magazine that you just finished reading, I must thank all of the members of the Digital DawgPound. Without them, I would be just another geek on the internet pissing people off. But with them, I am another geek on the internet pissing off a much wider audience than I could ever reach alone. Of course, I am kidding, but I do appreciate all of their contributions and support. Not only our members deserve thanks, but also our regular visitors and listeners, or as I like to think of them ...friends. This product came about thanks to their support and encouragement as well.

Please send your comments, flames, questions, and answers to the forums at http://www.stankdawg.com/forums/ or feel free to email me directly at stankdawg@stankdawg.com with anything at all. Until next issue ... keep on hacking!

Big Brother is watching.
Photo Credit: Andy MacDonald - www.zardoz.net
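Returning to the ip_resolver.pl listing printed earlier in this issue: the sketch below is an added example, not the author's script. It shows a variant of the resolver loop that de-duplicates on the whole address with a hash, colours on the final DNS label only, and HTML-escapes reverse-DNS names before they reach the report. The names html_escape, colour_for, live_lookup and report_lines, and the sample log lines and PTR names, are assumptions made for illustration.

```perl
use strict;
use warnings;
use Socket qw(inet_aton AF_INET);

# PTR names are chosen by whoever runs the reverse zone, so treat them as
# untrusted input and escape them before they reach the HTML report.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Classify on the final DNS label only, so "milan.example.net" is not
# flagged as .mil and "education.example.com" is not coloured as .edu.
sub colour_for {
    my ($host) = @_;
    return '#FF0000' if $host =~ /\.(?:gov|mil)\.?$/i;
    return '#008000' if $host =~ /\.edu\.?$/i;
    return '#0000FF' if $host =~ /\.(?:com|net|org)\.?$/i;
    return '#000000';
}

# Live reverse lookup; returns undef when there is no PTR record.
sub live_lookup { return scalar gethostbyaddr(inet_aton($_[0]), AF_INET) }

# $resolve is a code ref (hypothetical hook) so a stub can replace DNS.
sub report_lines {
    my ($resolve, @log) = @_;
    my (%seen, @out);
    for my $line (@log) {
        my ($ip) = split / /, $line;
        next unless defined $ip
            && $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
        next if grep { $_ > 255 } $1, $2, $3, $4;
        next if $seen{$ip}++;    # exact match on the whole address
        my $host = $resolve->($ip) || 'no reverse DNS';
        push @out, sprintf '<font color="%s">%-50s %s</font>',
            colour_for($host), html_escape($host), $ip;
    }
    return @out;
}

# Constructed sample data: documentation addresses and made-up PTR names.
my %ptr = ('192.0.2.10'   => 'milan.example.net',
           '198.51.100.7' => '<b>injected</b>.example.mil');
my @log = ('192.0.2.10 - - "GET /"', '192.0.2.1 - - "GET /a"',
           '198.51.100.7 - - "GET /b"', '192.0.2.10 - - "GET /c"');
print "$_\n" for report_lines(sub { $ptr{ $_[0] } }, @log);
```

Pass `\&live_lookup` instead of the stub to resolve against real DNS. In the sample, 192.0.2.1 is a substring of 192.0.2.10 and still gets its own report line.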