F R E Q U E N C Y: inside the hacker mind
April 2002
FREQ20

==============================
1. “A Voice Undying”
2. Random Stuff From the Net
3. Ten Ways to Know You Really Suck
4. The Payphone From Hell
5. Understanding PortSentry
6. Angering Your Admin
7. Alaskan Scanner Frequencies
8. COCOT Numbers
9. Bridged Conference Calls
10. Crosstalk
11. Closing Arguments
12. Crew
==============================

"The significant problems we face cannot be solved at the same level of thinking we were at when we created them."
- Albert Einstein (1879-1955)

1. “A Voice Undying”

For well over a year now, Frequency has been published and spread throughout the hacker underground as a way of saying exactly what you want to say. At least, we like to think that. Throughout this time frame we’ve begged, pleaded, and taken all other steps possible to get our readers to spread the word in their own ways. Some have taken our advice and started their own shows or ezines, some have not. We’re not dedicating an introduction to begging some more; rather, we’re thanking everyone who has helped get our message across. To everyone who has spoken up, fought against what they find unfair, and said things that just needed to be said…we say thank you.

That raises an important point, one I think needs to be conveyed before this ezine goes any further. Sometimes things need to be said, if only for the sake of saying them. Some say we shouldn’t print other people’s mistakes or screw-ups, because we ourselves are far from perfect. This is a valid argument, but with one exception. If we hold back, we’re only hurting ourselves and doing a disservice to everyone who tunes in seeking an unbiased look at the world. These things affect hackers and freedom-loving people alike, and should be talked about in an open nature. Are these problems significant in the big picture? Well, yes and no.
Yes, anytime people want to be able to say something but can’t, it is important to be there to give them a way of voicing themselves. It can be justifiably argued that the trials and tribulations of Dmitry Sklyarov are far more important for freedom and speech, but that’s the great thing about Hackermind and Frequency: we try to give you the big stories with the small. From the monumental events down to the minuscule “small town” happenings, everything affects us in one way or another, and for that reason, it all deserves to be talked about.

You may say we’re biting the hands that feed us. On Hackermind, we have no qualms with saying things like they are. If Live365 gives us problems, we speak out. If they do something that’s unfair, we go against it. No matter the cost. So why do it? Why risk losing our show for talking against those that support us? Is it because we want to be assholes? Is it because we’re trying to piss off as many people as possible? No, it’s because we want the freedom to say whatever the hell we want. There should never be any fear, not when it comes to speech. And so we say things. We say things that upset a lot of people. And quite often, you yourself may completely disagree with what we have to say, or even what you read in the pages of this very ezine. What’s important to remember is that we must allow it, and that you too have a right to speak your mind. If we can all say what we want, there’s no censorship. That’s what we, and hackers all over the world, are fighting for. Freedom. A freedom from fear, from persecution, and from the day to day dealings of the business world. None of us claim to have all the answers, but we’ll fight for the right to say what we think until the day we die.

Are there restrictions? No, although there’s no reason to be downright insulting. Some people, when faced with no recourse, resort to bashing a person’s personal integrity. This is uncalled for, and while we’ll fight to protect someone’s right to say it, there’s simply no need. For that reason, you’ll never hear us yelling out “you suck!” with no facts or evidence to back up our claims; it’s not our way. Arguments are won by making someone realize your way of thinking, and even if they don’t agree with it, at least you’ve passed on your message. We say these things because they’re hard to hear. We say these things because they shock. And yes, we say what others don’t want us to. I could go on and on defending why we say what we do, but in the end it all comes down to one undeniable truth: sometimes things just need to be said. And as long as you can back up your logic, you have a valid argument.

Hackers are often faced with a dilemma. Should they share information, or keep it to themselves? Should they speak out about horrible security, or keep quiet? We must realize that words should never be suppressed, not when a valid argument can be spoken. Unfortunately, there are those that will try to silence you. They will tell you that what you’re doing is “immature” (www.fordreallysucks.com), or that you don’t know enough about the world to make an accurate judgment of things. Fair enough, but if you believe the latter I invite you to explain to Dash Interrupt why he should trust the legal system. Then kindly do the same for Phiber Optik, Kevin Mitnick, and everyone else who has been screwed over for doing something trivial. Maybe reminding people that Dash Interrupt was put into a mental hospital for drawing a cartoon time and time and time and time again is somewhat annoying; maybe we lose a reader’s interest when we do that or talk about it. But like so much else, it’s just one of those things that need to be said.

And now, Freq20.

–screamer

============================================================
2.
*** Random Stuff From the Net ***

[BRAINED.ORG] brained.org 22/23
-----------------------------------------------------------
This is simply a warning. Anyone found to run exploits against remote servers will face consequences. Consequences such as being banned from brained.org and reported to authorities.

Current listing of all the h4x0rs on our system can be viewed in /tmp/h4x0rpigs

Current hax0rpigs: 3624 julian marius

--Zerash
Your friendly Brained.org Admin
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

…well since they put it so nicely. Nice service, touchy admins.

---------------------------------------------------------
[FREESHELL.ORG] freeshell.org 22/23, sdf.lonestar.org 23

$finger @freeshell.org
schaotix Screamer Chaotix s2 - Tue 02:08 <- kinda screams hack me don’t it?
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

But they’re nice folks, so don’t bother them.
--------------------------------------------------------
[M-NET.ARBORNET.ORG] m-net.arbornet.org 23

> netstat -a
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Boredom can make a person do weird things…
----------------------------------------------------------------------------
================================================================
3. *** Ten Ways to Know You Really Suck ***
By: Dare

Before you dismiss this as just a bullshit article with no relevance whatsoever, please look through the list that follows. You may be surprised to find a few things that you yourself do, or have done in the past. Contrary to the title it doesn’t necessarily mean you suck, but if you fit all ten I suppose you do. Basically these are ten things that I, and others, have found some pretty pathetic individuals doing in the past. But even if you refuse to take it seriously, it should give you a good laugh.

X. Your name was taken from a hacker movie that came out a year ago, or has the word “hacker” in it.
IX. You have a massive collection of text files from the 1980’s that you still study to this day.
VIII. You insist you have a Crossbar 1 for your local switch.
VII. You still haven’t mastered the “Hello, World!” program, or worse yet it prints out “Hello, World!/n”
VI. Sending people Sub7 has become your favorite pastime.
V. You have a bookmark for google’s “Hacking Hotmail” links.
IV. People that know you laugh when they hear the word “hacker.”
III. The ten year old down the street has an account on your machine…called root.
II. j00 $+|ll +|-||n|< l33+ $p3@|< |$ d@ $|-||+
I. Why the hell won’t these telenet addresses work?!

=================================================================
4. *** The Payphone From Hell ***
By: Laz

I can’t be sure what drew me to it, perhaps it was the strange aura that emanated outward…or maybe the odd feeling it gave me, or maybe I was just really bored. Whatever the reason, I recently approached what I would soon label the payphone from hell.
It didn’t look any different from the other phones, but this one would make you swear you were trapped in the Twilight Zone. Hopefully, through further explanation, you too will be prepared when you meet your own “payphone from hell.”

The first thing I did was dial my ANAC code, only instead of reading the phone’s number back it gave me an error message! Alright, I thought, maybe I dialed it wrong, and I quickly dialed it again. No luck, same error…something about “code 55” and then telling me to try a different number. How rude. But far from sadistic. Next I dialed a number that I knew would read back ANI, and that of course would let me know the number I was calling from. Get this, on that particular day MCI wasn’t reading back numbers. Sure you might say I shouldn’t blame the phone for this, but this problem has never occurred before…how could I be certain it was MCI screwing up and not the phone itself?

Next I did what I should have done in the first place: I checked under the receiver to see if the number had been written down. Fortunately for the sake of my own dignity it had not, so I knew I would be out of luck unless I could magically think of a way to make this phone dial a loop line and record the tones it made upon entering. But, like I said, this was a payphone…pretty hard to do that without some effort, more effort than one phone deserves I might add.

Ah ha! The operator, the lifeblood of the telephone network…of course she would help me! Yes, SHE…all operators are female you see, even the male ones (I’m trapped in the past, sorry…). Quickly I dialed 0, well I suppose as quickly as 0 can be dialed…and voila, there she was (no seriously, it was a she). “Hello operator, I was wondering if you could tell me the number I’m calling from,” I said in a calm voice, not wanting her to think I was one of those naughty phone phreaks the telco’s always dealing with. But wouldn’t you know it? She refused! She said she was incapable of doing that! Now if there’s one thing I know, operators have ONI (operator number identification) and are capable of passing ANI (through ANI II)…so she was clearly lying to me. Rather than argue with an operator, a battle that is seldom won without a few casualties, I let it go and hung up.

I was beaten…if I couldn’t call into a loop and record the tones I would have no way of getting the number! If I only had another ANI number, that would have to work! Or if it didn’t, I would know for certain the payphone was to blame. But wait, this is a phone…a device that connects me to the entire world! All I’d have to do is call a friend, and have them go online to find some ANI readbacks! I didn’t have a cell phone at the time, so I picked up the payphone and dialed a friend of mine who lived a few towns over. She had no idea what a hacker was, much less an ANI number, but I knew she could go online and find me one. Feeling I had beaten this phone once and for all, I dialed the number.

PLEASE INSERT 75 CENTS FOR 3 MINUTES.

What?! 75 cents!? I thought it would be 50 at most; for crying out loud I didn’t bring 3 quarters with me (don’t lie, you know damn well red boxing would be stupid). Perhaps some friendly carrier access code would do the trick, but guess what…they all led to AT&T. Yes that’s right, dialing 1010811 gave me…AT&T! Well, either AT&T or a reorder, as was the case with 1016868. Goodness gracious, this phone was inhuman! Oh be quiet, I know it’s not human to begin with…bitch bitch bitch. I felt like I had just gotten into a bar fight, and wasn’t even able to get drunk first. I couldn’t think of a damn thing to do…unless I played with the phone next to it. But wait! That could be the key! Most payphones that I’ve seen stacked together have had numbers that were close together, usually only one digit off. There are no guarantees of course, but sometimes things just work out that way…and wouldn’t you know it, the phone beside it had its number written down under the receiver!
Ooh you crafty son of a bitch, you’re going down! Grabbing up the receiver, I dialed the number of the phone I was on plus one. It rang, but not the phone beside me. I waited, knowing SS7 sometimes gave you a ring before the person you were calling got theirs…but after several rings I knew I should give up. Before doing so, I lifted up the receiver of the other phone, just to make sure its ringer wasn’t broken…but no, I wasn’t on the other end. If this was going to work, I would have to dial the number of the phone I had just called from minus one, to try for one digit below. With nerves of steel…I dialed. No ring. I tried the receiver on the phone beside me and once again, I was not on the other end. With my head held in shame, I realized it was futile. Out of shame, I stuffed my hands in my pockets and kept my head down as I walked off. That truly was the payphone…from hell.

================================================================
5. *** Understanding PortSentry ***
By: Screamer Chaotix

PortSentry is a fairly new firewall-like program designed to detect port scans, and then block the scanner from making any further connection attempts. With this article I hope to show the reader how to identify PortSentry, and what to look out for upon finding it. Along with this, I’ll try to give readers a better understanding of how PortSentry can be defeated once it has been detected. Of course, to have the best, most in-depth understanding of PortSentry possible, you should download a copy for yourself from http://www.psionic.com/products/portsentry.html.

First, let’s go over your typical port scan. You probably use nmap like many other people, which has to be one of the greatest scanners available. Unfortunately, it’s not without its faults. While a good half-open SYN scan will fool many computers, most IDSs will log it in a heartbeat. PortSentry is one of them, as it is designed to look for regular TCP and UDP scans, as well as stealth ones.
Only PortSentry goes one step further: it immediately marks the scanner’s IP and sends back bogus information. Thus, a scan may return well over a hundred open ports, or perhaps make it appear as though you’re scanning a Linux machine when it’s really Windows based. As with anything else, understanding what makes the program work is the key to defeating it, not to mention merely recognizing it in the wild.

First off, the root user of the machine being scanned must activate the program correctly in order for it to be effective. This involves issuing the following commands one at a time: “./portsentry -stcp”, “./portsentry -sudp”, “./portsentry -tcp”, and “./portsentry -udp”. Or, simplify things and use “-atcp” and “-audp”. “-stcp” and “-sudp” enable several “tripwire” ports to monitor for stealth scans, while “-tcp” and “-udp” check for the regular old-fashioned ones. “-atcp” and “-audp” are the most sensitive, as they don’t wait for a tripwire port to be scanned. It’s up to root to decide which ports are tripwired and which are not, as well as to decide which hosts are invited to scan (it may sound foolish, but it comes in handy to allow the loopback IP to scan the system).

Now let’s take a look at what a scanner would see, beginning with a scan that was NOT detected by PortSentry.

Starting nmap V. 2.30BETA17 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on targetname(XXX.XXX.XXX.XXX):
Port     State   Service
21/tcp   open    ftp
23/tcp   open    telnet
25/tcp   open    smtp
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

Nothing too interesting; some typical ports are found to be open. Now, here’s what the same person would see should they decide to scan a host running PortSentry.

Starting nmap V. 2.30BETA17 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on ool-182cb8f9.dyn.optonline.net (24.44.184.249):
Port       State   Service
1/tcp      open    tcpmux
11/tcp     open    systat
15/tcp     open    netstat
21/tcp     open    ftp
23/tcp     open    telnet
25/tcp     open    smtp
79/tcp     open    finger
80/tcp     open    http
111/tcp    open    sunrpc
113/tcp    open    auth
119/tcp    open    nntp
143/tcp    open    imap2
515/tcp    open    printer
540/tcp    open    uucp
635/tcp    open    unknown
1080/tcp   open    socks
1524/tcp   open    ingreslock
2000/tcp   open    callbook
6667/tcp   open    irc
12345/tcp  open    NetBus
12346/tcp  open    NetBus
31337/tcp  open    Elite
32771/tcp  open    sometimes-rpc5
32772/tcp  open    sometimes-rpc7
32773/tcp  open    sometimes-rpc9
32774/tcp  open    sometimes-rpc11
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

Your average Joe, and by that I mean someone who just downloaded his first port scanner, might look at this and think they’ve hit the mother lode! Their next step will probably be to try one, perhaps one of the NetBus ports. If not that, finger’s always an old favorite. Of course, their IP has already been blocked by PortSentry, and any connection attempt they make will be thwarted immediately. According to several pieces of documentation I’ve read, this will help keep a hacker from ever getting near your system. I don’t speak for everyone, but I have at least a dozen shell accounts out there, all of which have different IPs. Let us also not forget those trusty routers and intelligent peripherals that give us the ability to telnet out. From any one of these places an attacker can try again with complete ease, perhaps by using a different scan technique from a new IP, or by connecting to ports manually.

So exactly which ports are usually tripwired? A list follows. (Please note, the admin can choose which ports to set as tripwires, so this list is by no means a guarantee.)
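As an added example (the editor's, not PortSentry's own code) of the behaviour described above, this Python simulation reads the same TCP_PORTS/UDP_PORTS lists the article quotes below in portsentry.conf syntax and replays a constructed scan against both classic (tripwire) and advanced (-atcp/-audp) modes, with per-source blocking and an ignored loopback host. The source addresses, the set of real services and the exact mode semantics are assumptions drawn from the article's description, not from PortSentry's source.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt in portsentry.conf syntax. The two port lists are the
# ones the article quotes; the rest of this file is the editor's own.
PORTSENTRY_CONF = '''
TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774,31337,54321"
'''


def parse_port_lists(conf: str) -> Dict[str, Set[int]]:
    """Pull the tripwire port sets out of TCP_PORTS="..." / UDP_PORTS="..." lines."""
    lists: Dict[str, Set[int]] = {}
    for proto in ("tcp", "udp"):
        match = re.search(r'^%s_PORTS="([\d,]+)"' % proto.upper(), conf, re.M)
        lists[proto] = {int(p) for p in match.group(1).split(",")} if match else set()
    return lists


class Sentry:
    """Simulation (assumed semantics) of what the article describes.

    Classic mode: only the configured tripwire ports are armed. Advanced
    mode (-atcp/-audp): every port that no real service holds is armed.
    One hit from a source blocks that source, and every later attempt from
    it is dropped (the scanner sees "connection refused"); hosts on the
    ignore list (the article suggests loopback) are never blocked.
    """

    def __init__(self, tripwires: Dict[str, Set[int]], listening: Dict[str, Set[int]],
                 ignore: Tuple[str, ...] = ("127.0.0.1",), advanced: bool = False):
        self.tripwires = tripwires
        self.listening = listening        # ports a real daemon is bound to
        self.ignore = set(ignore)
        self.advanced = advanced
        self.blocked: Set[str] = set()
        self.alerts: List[str] = []       # what a defender would ship to syslog/SIEM

    def _armed(self, proto: str, port: int) -> bool:
        if port in self.listening.get(proto, set()):
            return False                  # a real service holds it; no trap there
        if self.advanced:
            return True                   # advanced mode: any unbound port is a trap
        return port in self.tripwires.get(proto, set())

    def observe(self, src: str, proto: str, port: int) -> str:
        """Classify one connection attempt and return the action taken."""
        if src in self.ignore:
            return "ignored"
        if src in self.blocked:
            return "dropped"
        if self._armed(proto, port):
            self.blocked.add(src)
            self.alerts.append("attackalert: %s port %d from %s -> blocked" % (proto, port, src))
            return "blocked"
        return "allowed"


# Constructed scan traffic on documentation addresses. The real services are
# ftp, telnet and smtp, matching the article's first (undetected) nmap run.
LISTENING = {"tcp": {21, 23, 25}, "udp": set()}
ATTEMPTS = [
    ("203.0.113.5", "tcp", 21),      # real ftp: allowed in either mode
    ("203.0.113.5", "tcp", 79),      # finger is a tripwire: source gets blocked
    ("203.0.113.5", "tcp", 25),      # smtp is real, but the source is already blocked
    ("127.0.0.1", "tcp", 79),        # loopback is on the ignore list
    ("198.51.100.7", "tcp", 2222),   # not a tripwire, not bound: allowed in classic mode only
    ("198.51.100.7", "tcp", 12345),  # NetBus tripwire: blocked in classic, already dropped in advanced
]


def run_scenario(advanced: bool = False) -> Tuple[List[str], Set[str]]:
    """Replay ATTEMPTS through a fresh Sentry; returns (actions, blocked sources)."""
    sentry = Sentry(parse_port_lists(PORTSENTRY_CONF), LISTENING, advanced=advanced)
    actions = [sentry.observe(src, proto, port) for src, proto, port in ATTEMPTS]
    return actions, sentry.blocked


if __name__ == "__main__":
    for mode in (False, True):
        actions, blocked = run_scenario(advanced=mode)
        print("advanced" if mode else "classic", actions, sorted(blocked))
```

The block is keyed on the source address only, which is why a second source in the same run starts with a clean slate; for a defender the durable signal is the attackalert line, which should be correlated across hosts rather than relied on as a block.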
TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774,31337,54321"

Those were taken straight from the “portsentry.conf” file. Without modification, the above selections are commented out. However, because they are as strong as the default settings get, I decided to use them. If you stay away from these ports once you know a system is using PortSentry, you should be all right. But if you find yourself getting a lot of “connection refused” messages, odds are you stumbled across one of them. If you’re still determined, move on to another IP address and try again. You should be able to find which services are open, and thus plan your attack with a bit more ease.

To conclude, this article should give you a better understanding of how to identify a system running PortSentry, as well as how to get around it. Hopefully in the future there will be more ways of circumventing this new form of defense, and I’m sure hackers everywhere are up for the challenge.

==================================================================
6. *** Angering Your Admin ***
By: JayX

Few things satisfy my desire to annoy more than pissing off my system administrator here at school (and anywhere, for that matter). Then again, admins do a lot of good and you really shouldn’t do anything to make their job harder than it already is, especially if they’re hacker friendly. From time to time though, you may come across an admin who declares that all hackers are monsters and should suffer the same fate as Old Yeller (he died, folks). For this reason, I’ve come up with a few ways to really annoy your admin, but without doing anything that will get you thrown in jail.
WARNING: I say these things won’t get you thrown in jail, but as we’ve all seen, you never know what can happen. Do these things at your own risk.

THE MASS MAILING

As a particular radio personality found out, a mass mailing can be an effective way of getting an administrator’s attention. The easiest way I’ve found to do this is as follows:

   Personal and system wide distribution lists
     It is also possible to create personal distribution lists so that, for
     instance, you can send mail to ``cohorts'' and have it go to a group of
     people. Such lists can be defined by placing a line like

           alias cohorts bill ozalp jkf mark kridle@ucbcory

     in the file .mailrc in your home directory. The current list of such
     aliases can be displayed with the alias command in mail. System wide
     distribution lists can be created by editing /etc/mail/aliases, (see
     aliases(5) and sendmail(8)); these are kept in a different syntax. In
     mail you send, personal aliases will be expanded in mail sent to others
     so that they will be able to reply to the recipients. System wide
     aliases are not expanded when the mail is sent, but any reply returned
     to the machine will have the system wide alias expanded as all mail
     goes through sendmail.

That information comes straight from the man page of the “mail” program, and should be pretty self-explanatory. With all the names you wish to mail placed into your .mailrc file (use finger to find them) you can mass mail the group. But we’re not just mailing people to make new friends, we want to convey a message. Perhaps you want to let people know of an injustice on the system, or perhaps you want to spread a joke about the admin. Whatever you choose to say, make it creative…nothing is more annoying than a mass mailing with no creativity. Oh, by the way…sending this to the admin is a surefire way to get yourself booted from the system.

ALL THE WRONG PROGRAMS

Believe it or not, some admins do search through their users’ directories. What’s that? You thought you had privacy on that system? Tsk, tsk, you should never assume something like that. It’s true that many admins simply have too much to do to care about looking at your files, but from time to time they may want to check on you, if only to make sure you’re not attempting anything destructive. If you’re like me, this is a bit of an annoyance. But what’s even more annoying is getting well over thirty directories when the admin searches for “hack” or something of that nature. So, to really make his day miserable, name all your directories something like “hack” or “hacker” or perhaps even “root”. These are bound to set off alarms in your admin’s mind, and cause him to waste valuable time searching through your files.

Directories are one thing, but giving your programs suggestive names is quite another. Quick story: I once had a simple program on a UNIX account at my school. It did nothing except automate a few tasks that I performed every day, a simple shell script. The admin of the school, however, was a real pain in the ass (to be fair there were several, but I still refer to them as “the admin”). He seemed to hate hackers, even going so far as to warn people about talking about them in private! Yes that’s right, if you used the “talk” program and mentioned hackers he would beat the living—well, he would do something. Well one day I named my script “ftpkill” and saved it. Sure enough, within the month he had contacted me, ordering me to remove the “exploit” or face removal from the system. I invited him to open the file and see what the actual program did, but he informed me that “he knew how hackers worked.” All in all, it was a good laugh…especially when he realized I had done absolutely nothing wrong.

And of course…

SHARE WITH THE WORLD

It’s a highly underrated thing to do, but also highly effective at upsetting your admin.
You see it from time to time in this very ezine; it’s called “On the Inside.” People submit print outs of the insides of computer systems for their fellow hackers to take in and enjoy. If they themselves can’t get access, at least they can see what it’s like. This angers admins, mainly because you’re showing them the inside of “their property.” (It can be argued that as long as it’s your account, it’s your property…similar to showing a friend the contents of your locker at school.) But as long as you don’t give out someone’s login information, there’s really nothing except implied harm. Meaning the only damage done comes from the imagination of the admin.

But even if you don’t cut and paste the inside of the machine, you can always share information about the system. Let people know what it’s running, and how well it handles certain things. You’re not giving out trade secrets, and you’re not telling people anything that they haven’t heard…you’re only putting the focus on that particular machine, and that’s really annoying.

In conclusion, I want to say that most admins have my utmost respect. I know, that’s a bit contradictory considering the article I’ve just presented to you, but hear me out. Admins are computer experts who are trying to give people the best computing experience they can have, so they shouldn’t be seen as “the bad guys.” The only time I would label one as such is when they go so far out of their way to condemn hackers, and all things hacker related. If they were a true computer expert, they would know that many hackers can create wonderful things and accomplish feats that boggle the imagination. The things I’ve laid out before you are just several ways for you to be a pain in the ass. And let’s face it, sometimes all it takes to get someone up and on their feet is a pain in the ass.

==================================================================
7.
*** Alaskan Scanner Frequencies *** By: Paracord Being disappointed with the lack of information found on the net for scanner frequencies for Anchorage Alaska I thought I would share my years of searching with my fellow geeks who seek this info. ####################################### Anchorage Police Department 460.075 460.125 460.175 460.250 460.300 460.725 460.475 460.500 460.325 460.525 460.550 460.375 460.1125 460.1625 450.2750 450.7500 452.4500 ####################################### Alaska state Troopers 155.790 154.740 155.250 155.280 155.290 155.460 155.4050 155.415---N.C.I.C--National Crimes Information Computer-Usually encrypted 155.4250-Some form of Trooper Voicemail ####################################### Yellow Cab 152.330 ####################################### Enstar Gas Company 153.4600 ####################################### Fort Rich Military Police 173.4875 ####################################### Elmendorf Airforce Police 164.175 ####################################### ================================================================ 8. *** COCOT Numbers *** [IrishSamurai] (254) 776 0258 - Theatre (254) 776 1172 - Theatre (254) 296 4332 - Convenient Store (254) 759 2843 - Convenient Store (254) 751 9629 - Bowling Alley (254) 776 0867 - Shells Gas Station * On this particular CoCot you don't get the ear splitting. Just 7 single clicks followed by a double click followed by another single click and then it resets. (254) 776 0953 - Shells Gas Station [Dual_Parallel] 505-262-9931, 602-956-0697, 602-956-0973 - says "thank you," then plays DTMF tones 480-833-8914 - modem picks up, touch tones "reset" the modem and it will eventually replay a few DTMF tones you enter. If someone picks up the phone, it will ask for 35 cents. 
480-890-9915, 480-833-9932 - modem, then your cost-of-call trick

[Screamer Chaotix]
(203) 372 9221 – Trumbull Shopping Park, upper level outside
(203) 878 1585 – Connecticut Post Mall, main floor, next to Sears
(203) 372 9221 – Connecticut Post Mall, lower level, near restrooms

[Dash Interrupt]
(501) 329 9742
(501) 505 8842
(501) 336 4011
(501) 329 9698
(501) 513 9915
(501) 513 9916

==================================================================

9. *** Bridged Conference Calling ***

By: crew

[Obtained from http://da.state.ks.us/disc/pubs/standards/s5412_00.htm]

1.0 SUBJECT: Bridged Conference Calling
2.0 DISTRIBUTION: All State Agencies in the Topeka Area

3.0 FROM: Russell Getter, Director of DISC

4.0 PURPOSE: To establish procedures to be used by state agencies to establish the Conference Calling feature without direct telephone operator assistance.

5.0 BACKGROUND: Since installation of the Topeka Plexar (Centrex) service in 1987, additional telephone features have become available for state agency use. One such feature is called "bridged conference calling." This feature can be established by a state agency Plexar (Centrex) user, and it is available for conference calls of no more than fifteen stations.

6.0 PROCEDURE: The method for establishing and using the bridged conference calling feature is as follows:

6.1 Bridged conference calls are arranged and scheduled at least one work day in advance to insure that a conference line is available and assigned. If the agency coordinating a bridged conference call is in Topeka, it should call the State Operator at 296-3299 to schedule the call and be ready to provide requisite information such as date, time, anticipated length of the call and the number (maximum of fifteen) of stations expected to participate in the conference. At least one of the conferees must be a 296 prefix (Centrex) number for the conference to be established. During this call the State Operator will inform the coordinating agency of the conference line telephone number.

6.2 The agency coordinating a bridged conference call must then inform each of the participating conferees of the time of the scheduled bridged conference call and the conference line telephone number, which was assigned by the State Operator.

6.3 At the time prescribed for the bridged conference call each of the participating conferees calls the conference telephone number provided to them by the coordinating agency, and upon dialing this number each caller will automatically be added to the conference net.
When the first conferee enters the conference net, the conferee will continue to hear the phone ringing until a second conferee calls in and is connected to the net.

6.4 After all conferees have been connected on the net, any one of the conferees from the 296 prefix (Centrex) may use the switch hook flash to lock the net, thereby preventing anyone else from entering the conference.

6.5 When a conferee enters the bridged conference, other conferees hear a ring, and when a conferee leaves the conference, other conferees hear a short dial tone.

6.6 When a conferee leaves the conference before it is concluded, it is necessary for that person to insure his/her phone is disconnected completely from the conference net by leaving the phone on the hook at least five seconds before placing another call. This prevents the conference from going into a locked mode.

7.0 CONTACT PERSON: Andrew F. Scharf - Assistant Deputy Director for Telecommunications, 785-296-3343

[To try a bridge for yourself, call up the Phone Losers of America at either 435-663-8255 or 435-234-8255 and enjoy a friendly conference call.]

=====================================================================

10. *** Crosstalk ***

> Frequency/Hackermind,

Hello, I represent UGN (UNDERGROUNDNEWS), which can be viewed at www.undergroundnews.com. Monthly we get anywhere from 100,000 to a million unique impressions. We recently underwent a change of ownership from a Black Beard to its present owner Gizmo. As a result we also hired all new staff; we fired Optix Illusions, who was found sabotaging the links and backdooring different site sections. We are currently looking for news links (a site to place a banner of ours on their page in return for one on ours). As you can see, our hits would in most areas be quite good for viewers of your site as well as quite beneficial for ours. If you are interested please feel free to contact me at Gizmo@undergroundnews.com and I will get back to you immediately. Your site is well respected and large, which is why we feel that we could both benefit from this.

[Gizmo]

REPLY> After replying to this letter with a “we wish you the best of luck,” and then mentioning it on the air, Gizmo saw fit to pester our friend Unreal for my personal information. After questioning him, he noted that my statement about how “we don’t need their links” infuriated him, and told me it was none of my business that he was after my real name, address, and phone number. After questioning further, I was (in traditional UGN fashion) banned from the chat. Sadly, we can no longer support what appeared to be a “UGN on the mend,” and would like to wipe our hands clean of the whole issue. For the record, should anything we say on the show anger someone, we ask that you please email us about it. We’ll gladly talk it through with you like adults, and if an apology is necessary one will be given. But please, don’t go behind our backs and ask friends for personal info; that’s just sad.

[NOTE: For historical clarity we have included a chat transcript of what transpired. This is in NO WAY intended to create any more hostile feelings. We doubt anyone at UGN would like to discuss this further, so this is really the best way to show what happened without creating gossip and rumors. The chat ends quite abruptly, as I was banned from the room. Also, Gizmo[lappy] is the true Gizmo from UGN.]

*** Now talking in #undergroundnews
*** Topic is 'UGN Annual Summer Gathering information available at: http://www.undergroundnews.com/gathering.htm '