Go Null Yourself E-zine Issue 5 - Topics in this issue include Public-Key Encryption and RSA, Iridium Satellite Network, An Introduction to x86 NASM, Hacking 15A Announcements, and more.
[ASCII cover art: GNY logo]
Go Null Yourself E-Zine
Issue #5 - Summer/July 2011
www.GoNullYourself.org
"Sometimes I'm scared to think of what goes on in that insane head of yours..."
0x01  Introduction
0x02  Feedback + Edits
0x03  Public-Key Encryption and RSA        diminov
0x04  Iridium Satellite Network            Shadytel, Inc
0x05  An Introduction to x86 NASM          storm
0x06  Art of Crypto: Tips and Tricks       duper
0x07  Hacking 15A Announcements            Shadytel, Inc
0x08  Gawker Passwords Analysis            SinThet
0x09  360-928-00xx Scan                    Shadytel, Inc
0x0a  Terminal Servicez br0                storm
0x0b  ProjectMF - An Overview              df99
0x0c  Et Cetera, Etc.                      teh crew
[==================================================================================================]
-=[ 0x01 Introduction
Ahoy there, and welcome to the 5th issue of GNY Zine, your one-stop shop for hax, cats, and slacks.
Just kidding on the last one there - we don't actually wear pants.
It's been a busy last couple of months in the hacking scene, mostly due to the various escapades of
the attention-whoring group LulzSec, followed closely by the infamous collective of perpetually
bored, angsty teenagers known only as Anonymous. Lulz were had, as always with these types of
things, but like with everything else on the Internet, time passes and all is forgotten. Another
passing phase.
*yawn*
Moving on to more important matters, we're proud to announce that this issue marks the one year
anniversary of GNY Zine. We'd like to thank all of our contributing authors, for these are the
people who make the zine what it is. Every aspect of GNY Zine is 100% volunteer work, and we
greatly appreciate all the effort that our authors put forth to keep a steady supply of content
available for our scheduled releases.
We'd also like to thank our readers, who give the GNY team reason to publish. As long as the hacker
spirit lives on, we will continue providing the scene with informative, educational material as
often as we can. If you're a reader and wishing to help, please consider becoming an author!
Submitting content is the most helpful thing a person can do! Further information about becoming an
author is located at the end of this article.
Now, for a few announcements...
We are excited to report that OrderZero, the author of "Story of a Raid" from issue #1 and a close
friend to the GNY community, has officially had all charges against him dropped. OrderZero was
raided by the FBI in June 2010 in connection to a leak of confidential information from the website
Lockerz.com, invoking Title 18, Section 1030 (Fraud and related activity in connection with
computers). He was later contacted and told that the charges were being dropped due to his status
as a minor, and all of his equipment and books were returned. We wish OrderZero the best of luck in
the future.
We are also proud to announce that Shadytel, Inc, the monopolistic telecom conglomerate responsible
for innovations such as offering reduced comfort noise as a tariffed service and billing plans
starting at 7 cents per DTMF, is unveiling its latest innovation:
The Lean, Mean, LIGATT Machine
206-312-6033
The (LM)^2 is a crafty Asterisk script that generates random babble in the voice of Gregory D. Evans
by stitching together samples of the random babble of Gregory D. Evans. The finest of quotes were
sampled from the recorded phone interview with LIGATT (GNY Zine, Issue #4), and with a little
magic, our shady, phreaky friends have ensured the endless supply of LIGATT comedy gold for years to
come. If you'd like in on the eh oh els, the Lean, Mean, LIGATT Machine is reachable through the
phone number listed above.
Now, enough babble of our own. Let the zine begin.
Notable Events
==============
April 26, 2011 - Sony PSN is compromised and taken offline, beginning a long string of attacks
May 5, 2011 - LulzSec begins its attention-whoring campaign
May 21, 2011 - Lockheed Martin suffers a network intrusion linked to the RSA Security hack
June 22, 2011 - Ryan Cleary, loosely linked to Anonymous/LulzSec, is charged by UK authorities
June 25, 2011 - LulzSec ends its attention-whoring campaign
July 1, 2011 - GNY Zine turns 1 year old (woohoo!)
July 11, 2011 - Booz Allen Hamilton suffers an intrusion on one of its dev servers
-=-=-
Now, on to formalities...
If you are interested in submitting content for future issues of GNY Zine, we would be happy to
review it for publication. Content may take many forms, whether it be a paper, review, scan, or
first-hand account of an event. Submissions of ASCII cover art that display the GNY logo in some
way are also appreciated. Well-received topics include computer hacking and exploitation methods,
programming, telephone phreaking (both analog and digital), system and network exploration, hardware
hacking, reverse engineering, amateur radio, cryptography and steganography, and social engineering.
We are also receptive to content relating to concrete subjects such as science and mathematics,
along with more abstract subjects such as psychology and culture. Both technical and non-technical
material is accepted.
Submissions of content, suggestions for and criticisms of the zine, and death threats may be sent
via:
- IRC private message (storm, m0nkee, or Barney- @ irc.gonullyourself.org #gny)
- Reddit (stormehh @ reddit.com/r/gny)
- Email (zine@gonullyourself.org)
If there is enough feedback, we will publish some of the messages in future issues. Our PGP key is
available for use below.
We have devoted a lot of effort into this publication and hope that you learn something from reading
it. Abiding by our beliefs, any information within this e-zine may be freely re-distributed,
utilized, and referenced elsewhere, but we do ask that you keep the articles fully intact (unless
citing certain passages) and give credit to the original authors when and where necessary.
Go Null Yourself, its staff members, and the authors of GNY Zine are not responsible for any harm or
damage that may result from the information presented within this publication. Although people will
be people and act in idiotic fashions, we do not condone, promote, or participate in illegal
behavior in any way.
[==================================================================================================]
-=[ 0x02 Feedback + Edits
We always strive to publish accurate information in GNY Zine, but we the authors and editors are in
fact human beings and are subject to making mistakes from time to time, despite our best efforts.
The publication, compilation, and distribution of this e-zine is derived entirely from our passion
for technology and curiosity of how things tick. GNY Zine has no commercial influences. If you
find that there is an error in content that we have published, please do not hesitate to email us so
that it may be announced and corrected in the next issue. Not acting like a stuck-up elitist about
it will probably invoke a more positive response too.
With that being said, we are also receptive to content or personal experiences relevant to
information presented in past issues. If you've written some code, applied a concept in a new way,
or just want to voice your opinion about a topic, send us an email!
We may be contacted at: zine@gonullyourself.org
(PGP key is available in the Introduction)
Please note that emails we like will be published in future issues, so specify if you wish for your
message to remain private or if you wish for us to redact certain personal information from it.
----------------------------------------------------------------------------------------------------
Hey man,
I'd like to congratulate you on having a zine and website that doesn't suck. Today's "hacker"
culture tends to be either about e-penis (I hacked dis site cuz I'm l33t) or money (Credit Cards
br0). Your zine seems in the vein of Phrack: the spread of knowledge for intellect's sake rather
than for idiocy. I salute you for that; quality material is always getting harder to find.
Thanks, and keep up the good work!
>> Thanks for the kind words - that's exactly what we're shooting for with the zine, so it's great
>> to see that's how readers are receiving it.
----------------------------------------------------------------------------------------------------
Hi guys...
Nice zine...I just came across yours and I can say I fairly like it. Great work!
I just wanna report a small typo. In a section that talks about
rootkit devel, it is said:
finger @kernel.org
In my box (CentOS), the working command is:
finger -l @kernel.org
OK, that's all. I hope that's useful. Have a nice day! :)
--
regards,
Mulyadi Santosa
Freelance Linux trainer and consultant
blog: the-hydra.blogspot.com
training: mulyaditraining.blogspot.com
>> Thanks for the heads up. However, testing it out on my fc13 machine, `finger @kernel.org` seems
>> to be displaying the correct output:
>>
>> [storm@Dysthymia ~]$ finger @kernel.org
>> The latest linux-next version of the Linux kernel is: next-20110418
>> The latest snapshot 2.6 version of the Linux kernel is: 2.6.39-rc3-git9
>> The latest mainline 2.6 version of the Linux kernel is: 2.6.39-rc3
>> The latest stable 2.6.38 version of the Linux kernel is: 2.6.38.3
>> The latest stable 2.6.37 version of the Linux kernel is: 2.6.37.6
>> The latest stable 2.6.36 version of the Linux kernel is: 2.6.36.4
>> The latest longterm 2.6.35 version of the Linux kernel is: 2.6.35.12
>> The latest stable 2.6.35 version of the Linux kernel is: 2.6.35.9
>> The latest longterm 2.6.34 version of the Linux kernel is: 2.6.34.9
>> The latest longterm 2.6.33 version of the Linux kernel is: 2.6.33.11
>> The latest longterm 2.6.32 version of the Linux kernel is: 2.6.32.38
>> The latest stable 2.6.32 version of the Linux kernel is: 2.6.32.28
>> The latest longterm 2.6.27 version of the Linux kernel is: 2.6.27.58
>> The latest stable 2.6.27 version of the Linux kernel is: 2.6.27.57
>> The latest stable 2.4.37 version of the Linux kernel is: 2.4.37.11
>>
>> Running it on CentOS seems to be fine too:
>>
>> [storm@localhost ~]$ cat /etc/issue
>> CentOS release 5.6 (Final)
>> Kernel \r on an \m
>>
>> [storm@localhost ~]$ finger @kernel.org
>> The latest linux-next version of the Linux kernel is: next-20110707
>> The latest snapshot 3 version of the Linux kernel is: 3.0-rc7-git1
>> The latest mainline 3 version of the Linux kernel is: 3.0-rc7
>> The latest stable 2.6.39 version of the Linux kernel is: 2.6.39.3
>> The latest stable 2.6.38 version of the Linux kernel is: 2.6.38.8
>> The latest stable 2.6.37 version of the Linux kernel is: 2.6.37.6
>> The latest stable 2.6.36 version of the Linux kernel is: 2.6.36.4
>> The latest longterm 2.6.35 version of the Linux kernel is: 2.6.35.13
>> The latest longterm 2.6.34 version of the Linux kernel is: 2.6.34.10
>> The latest longterm 2.6.33 version of the Linux kernel is: 2.6.33.16
>> The latest longterm 2.6.32 version of the Linux kernel is: 2.6.32.43
>> The latest longterm 2.6.27 version of the Linux kernel is: 2.6.27.59
>>
>> The finger(1) manpage reports:
>>
>> If no options are specified, finger defaults to the -l style output if
>> operands are provided, otherwise to the -s style. Note that some fields
>> may be missing, in either format, if information is not available for
>> them.
>>
>> It'd be interesting to see what difference on your system is causing finger to run without the -l
>> flag as default.
>>
>> Anyways, thanks again, and glad that you enjoy the zine.
[==================================================================================================]
-=[ 0x03 Public-Key Encryption and RSA
-=[ Author: dimonov
What is encryption?
~~~~~~~~~~~~~~~~~~~
Encryption is a procedure which consists of an algorithm, and an
encryption key. The typical method is to encipher a message with a key and
an algorithm, to get the encrypted form, called ciphertext.
Private-key encryption uses the same key for both encryption and
decryption.
Public-key encryption uses a different key for encryption and
decryption. RSA is a public-key encryption algorithm.
Public-key cryptography
~~~~~~~~~~~~~~~~~~~~~~~
With public-key cryptography:
1) Deciphering the enciphered form of a message yields the
message: D(E(M)) = M.
2) Enciphering the deciphered form of a message also yields the
message: E(D(M)) = M.
where M is the message, E and D are the enciphering and deciphering
procedures, and E(M) is the ciphertext.
The procedures in [1] and [2] are one-way functions. This means that
even though E is revealed publicly, it does not give an easy way to
compute D, nor does it allow decryption of the ciphertext E(M).
Why public-key cryptography?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
With private-key cryptography, if a person named Bob wanted to send an
enciphered message to Alice, he would need to give Alice a copy of the
encryption key to decrypt the message. The problem with this scenario
is that the keys need to be distributed over a secure communication
channel. This is called the "key distribution problem". Before a
private communication can happen, there has to be a secure communication
channel already in place. If the key distribution were to take place over
an insecure communication channel, an intruder listening on the channel
could decipher the ciphertext after receiving the encryption key.
Public-key encryption "solves" this problem, because it does not require
any private couriers; its keys can be distributed over an insecure
communications channel.
Bob sending a private message to Alice
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the public-key encryption process, if Bob wanted to send a private
message to Alice, he would take these steps:
(Alice's and Bob's encryption and decryption procedures are written
with subscripts: Ea, Da, Eb, Db.)
1) Bob retrieves Ea from a public key database.
2) He then sends her an enciphered message, Ea(M).
3) Alice deciphers the message using the algorithm Da(Ea(M)) = M.
She can only decipher Ea(M) with Da. A response would need to
be enciphered with Eb, which is also available in the
public-key database.
An intruder listening on the communication channel won't be able to
decipher the ciphertext, since it isn't possible to derive the
decryption key Da from the public encryption key Ea. The author assumes
that the intruder cannot insert or modify messages in the channel.
Bootstrapping using public-key encryption
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Public-key encryption can be used as a "bootstrap" to create a secure
communication channel, over which another encryption key exchange can
take place (one which depends on a private communication channel).
Once a secure channel is created, the first message can consist of the
encryption key to decipher further messages.
Signing
~~~~~~~
Signing a message proves that a message wasn't forged; that it was
created by the person who holds the private-key.
Bob sending Alice a signed message
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If Bob wanted to send Alice a signed message, they would take these
steps:
1) Bob computes his signature for the message M using Db:
S = Db(M). This is valid because, in public-key encryption, every
message is also the ciphertext of some other message, so Db can be
applied to M directly.
2) He then encrypts S using Ea, and sends it to Alice.
Alice receives Ea(Db(M)), or Ea(S).
3) Alice decrypts the ciphertext with Da to obtain S.
Da(Ea(S)) = S. Alice now knows that the sender is Bob, by
looking at the signature.
4) Alice extracts the message with the sender's encryption
procedure, available in a public-key database.
Eb(S) = M. Alice now has a message-signature pair of (M, S)
from Bob.
Bob cannot later deny the fact that he sent the message, since nobody
else could have created the signature S = Db(M). If Alice decides to
go to court, she would only need to show a judge the message-signature
pair (M, S), to prove that it was created by Bob. Alice cannot modify
M, since she would need to generate a corresponding signature,
S' = Db(M').
Rivest, Shamir, and Adleman's method
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Using RSA, a public-key encryption algorithm, a message M is encrypted
with an encryption key (e, n). e and n are a pair of positive
integers. The algorithm is as follows:
1) The message M is broken into a series of blocks. Each block
is represented as an integer between 0 and n-1.
2) The message is then raised to the e'th power modulo n. That
is, the resulting ciphertext is the remainder when M^e is divided
by n. C ≡ E(M) ≡ M^e (mod n).
3) Decrypting the ciphertext is done by raising it to the
power d modulo n. D(C) ≡ C^d (mod n).
The encryption key (e, n) and the decryption key (d, n) are a pair of
positive integers. Each user makes his encryption key public, and his
decryption key private.
Choosing encryption and decryption keys
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The algorithm to choose encryption keys is as follows:
1) n is computed as a product of two very large random prime
numbers p and q. Although n will become public, p and q will be
hidden from everyone else, because of the difficulty in factoring p
and q from n, if they are large enough. n = p * q.
2) A large random integer which is relatively prime to (p - 1) *
(q - 1) is chosen for d. That is, d is checked to make sure it
satisfies gcd(d, (p - 1) * (q - 1)) = 1.
Note: gcd = greatest common divisor.
3) The integer e is computed from p, q and d to be the
"multiplicative inverse" of d, modulo (p - 1) * (q - 1). The
formula used is e * d ≡ 1 (mod (p - 1) * (q - 1)).
Encrypting and decrypting efficiently
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To encrypt and decrypt with the RSA algorithm efficiently, a technique
called "exponentiation by repeated squaring and multiplication" is
used. In this implementation, enciphering and deciphering are similar,
making it possible to implement the algorithm in a few special-purpose
integrated chips. Using this procedure, M^e (mod n) can be computed in
2 * log e (base 2) multiplications and divisions. The steps to do this
are as follows:
1) Let Bk, B(k-1), ..., B(1), B(0) be the binary
representation of e.
2) Set C to 1.
3) Repeat steps 3a to 3b for i = k, k-1, ..., 0:
3a) Set C to the remainder of C^2 when divided by n.
3b) If Bi = 1, then C is set to the remainder of C *
M, when divided by n.
4) C is now the encrypted form (ciphertext) of M.
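As an added example (not part of dimonov's article), here is the repeated squaring and multiplication procedure of steps 1 to 4 in Python, used to run the Bob-to-Alice signed message exchange from the Signing section; the key values are constructed toy keys, not anything from the article.

```python
# Added example (not from the article): exponentiation by repeated squaring and
# multiplication, exactly as steps 1-4 above, used to run the Bob -> Alice signed
# message exchange from the Signing section.  Key values are constructed toy keys.

def modexp(m, e, n):
    """m^e mod n by scanning the bits B_k ... B_0 of e from the top."""
    c = 1                                 # step 2
    for bit in bin(e)[2:]:                # step 3: i = k, k-1, ..., 0
        c = (c * c) % n                   # 3a: C := C^2 mod n
        if bit == "1":
            c = (c * m) % n               # 3b: C := C * M mod n when B_i = 1
    return c                              # step 4

def encrypt(m, pub):
    """E(M) = M^e mod n; M must already be one block in [0, n-1]."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("block must be an integer between 0 and n-1")
    return modexp(m, e, n)

def decrypt(c, priv):
    """D(C) = C^d mod n."""
    d, n = priv
    return modexp(c, d, n)

# Constructed toy keys: (e, n) is public, (d, n) is private.  Bob's n is smaller
# than Alice's so that his signature S < n_b fits in one block under Ea.
ALICE_PUB, ALICE_PRIV = (3533, 11413), (6597, 11413)
BOB_PUB, BOB_PRIV = (17, 3233), (2753, 3233)

def send_signed(m, sender_priv, receiver_pub):
    """Bob: S = Db(M) (step 1), then transmit Ea(S) (step 2)."""
    s = decrypt(m, sender_priv)
    return encrypt(s, receiver_pub)

def receive_signed(ct, receiver_priv, sender_pub):
    """Alice: S = Da(Ea(S)) (step 3), then M = Eb(S) (step 4); returns (M, S)."""
    s = decrypt(ct, receiver_priv)
    m = encrypt(s, sender_pub)
    return m, s

def verify(m, s, sender_pub):
    """Anyone holding the pair (M, S) and Bob's public Eb can check Eb(S) == M,
    which is what Alice would show a judge; a modified M' no longer matches."""
    return encrypt(s, sender_pub) == m

if __name__ == "__main__":
    message = 65                              # one block, already < n_b
    wire = send_signed(message, BOB_PRIV, ALICE_PUB)
    recovered, signature = receive_signed(wire, ALICE_PRIV, BOB_PUB)
    print("on the wire:", wire, "recovered:", recovered, "signature:", signature)
    print("verify(M, S):", verify(recovered, signature, BOB_PUB))
    print("verify(M+1, S):", verify(recovered + 1, signature, BOB_PUB))
```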
Finding large prime numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~
The prime numbers p and q have to be large enough to make it
computationally infeasible for anyone to factor n = p * q. This is
worth noting because n will be in the public key database, whilst p
and q stay secret. This is why RSA's authors recommend at least
100-digit prime numbers for both p and q, which makes n a 200-digit
number. An algorithm for finding large prime numbers is included
below.
1) Generate 100-digit random numbers, and test them for
primality. About (ln 10^100)/2 ≈ 115 numbers will have to be
tested before a prime is found, according to the prime number
theorem.
2) Testing a large number b for primality is done by choosing
a random number 'a' from a uniform distribution {1, ..., b-1},
and testing whether gcd(a, b) = 1, and J(a, b) ≡
a^((b-1)/2) (mod b), where J(a, b) is the Jacobi symbol.
3) If this holds true for 100 randomly chosen values of a,
then b is almost certainly prime. There is only a negligible chance
that b is composite, and if a composite b were used in RSA anyway,
decryption would simply fail to work correctly.
When b is odd, a <= b, and gcd(a, b) = 1, the Jacobi symbol J(a, b) has
a value in {-1, 1}, and can be efficiently computed using the following
recursion (written as a C-style conditional expression):
J(a, b) = (a == 1) ? 1
        : iseven(a) ? J(a/2, b) * (-1)^((b^2 - 1)/8)
        : J(b mod a, a) * (-1)^((a - 1)*(b - 1)/4);
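An added Python example, not from the article: the Jacobi recursion above and the primality test of steps 2 and 3, together with the random search of step 1. The number 561 and the seeds used are constructed inputs chosen for the demonstration.

```python
# Added example (not from the article): the Jacobi-symbol recursion above and the
# primality test of steps 2 and 3, plus the random search of step 1.  561 and the
# seeds used in the demo are constructed inputs.
import math
import random

def jacobi(a, b):
    """J(a, b) for odd b > 0 and 0 <= a <= b, following the recursion above but
    iteratively, so 100-digit inputs do not exhaust the recursion limit.
    Returns 0 when gcd(a, b) != 1 (the recursion bottoms out at J(0, b), b > 1)."""
    if b <= 0 or b % 2 == 0:
        raise ValueError("b must be a positive odd integer")
    sign = 1
    while True:
        if a == 0:
            return sign if b == 1 else 0
        if a == 1:
            return sign
        if a % 2 == 0:                 # J(a, b) = J(a/2, b) * (-1)^((b^2-1)/8)
            a //= 2
            if ((b * b - 1) // 8) % 2:
                sign = -sign
        else:                          # J(a, b) = J(b mod a, a) * (-1)^((a-1)(b-1)/4)
            if (((a - 1) * (b - 1)) // 4) % 2:
                sign = -sign
            a, b = b % a, a

def is_probably_prime(b, rounds=100, rng=None):
    """Steps 2-3: b survives if, for `rounds` random a in {1, ..., b-1},
    gcd(a, b) == 1 and J(a, b) == a^((b-1)/2) (mod b).  A composite b passes a
    single round with probability at most 1/2, so 100 rounds leave < 2^-100."""
    if rng is None:
        rng = random.Random()
    if b < 2:
        return False
    if b in (2, 3):
        return True
    if b % 2 == 0:
        return False
    for _ in range(rounds):
        a = rng.randint(1, b - 1)
        if math.gcd(a, b) != 1:
            return False
        if jacobi(a, b) % b != pow(a, (b - 1) // 2, b):   # -1 compares as b-1
            return False
    return True

def expected_candidates(digits):
    """Prime number theorem estimate quoted above: (ln 10^digits) / 2 odd
    candidates on average before one is prime (the /2 because evens are skipped)."""
    return math.log(10) * digits / 2

def find_prime(digits, seed=None):
    """Step 1: draw random odd `digits`-digit numbers until one passes the test.
    Returns (prime, number of candidates tested)."""
    rng = random.Random(seed)          # seeded only so the demo is reproducible
    tested = 0
    while True:
        b = rng.randrange(10 ** (digits - 1), 10 ** digits) | 1
        tested += 1
        if is_probably_prime(b, rng=rng):
            return b, tested

if __name__ == "__main__":
    print("561 (a Carmichael number) prime?", is_probably_prime(561))
    p, tried = find_prime(100, seed=2011)
    print("100-digit prime after", tried, "candidates (expected about",
          round(expected_candidates(100)), "):", p)
```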
Another technique for finding large prime numbers is to take a number
of known factorization, increment it by 1, and test the result for
primality. If a prime p is found, it can be proved that it really is
prime by factorizing p - 1.
Computing d from ϕ(n)
~~~~~~~~~~~~~~~~~~~~~~~~
Any prime number greater than max(p, q) can be used as d, although
it's important to use a number from a large enough set, to prevent it
being found by a direct search.
A variation of Euclid's algorithm can be used for computing d from
ϕ(n):
1) Calculate gcd(ϕ(n), d) by computing the series X0, X1,
..., where X0 = ϕ(n), X1 = d, and X(i+1) ≡ X(i-1)
(mod Xi), until some Xk is equal to 0.
2) gcd(X0, X1) = X(k-1). Compute for each Xi the numbers Ai
and Bi, such that Xi = Ai * X0 + Bi * X1. If X(k-1) = 1, then
B(k-1) is the multiplicative inverse of X1 (mod X0). Since k
will be less than 2 * log n (base 2), the computation is
rapid.
3) If e < log n (base 2), start again, by choosing a different
d value. This guarantees something called a "wrap-around"
(reduction modulo n) for every encrypted message except M = 0
or M = 1.
Security considerations
~~~~~~~~~~~~~~~~~~~~~~~
Since there aren't any known techniques to "prove" that an encryption
algorithm is secure, the only way to test it is to see if anyone can
break it. Whilst factoring numbers is not impossible in principle, no
one has yet found an algorithm to factor a 200-digit number within a
reasonable timeframe. The security of the RSA algorithm depends on
factoring n, the product of two large primes, being infeasible: if a
more efficient and faster factorization method is discovered, it would
weaken the algorithm's security. Note also that the private keys are
presumed to be physically secure.
Factoring n
~~~~~~~~~~~
Factoring n would allow someone to break the RSA algorithm, since the
factors of n, which are p and q would allow the computation of
ϕ(n), and d. Factoring is much more difficult than determining
whether a number is prime or composite.
Computing ϕ(n)
~~~~~~~~~~~~~~~~~
Computing ϕ(n) would allow someone to break RSA, by using the
result to compute d as the multiplicative inverse of e modulo ϕ(n).
This approach, however, is no easier than factoring n, since ϕ(n)
gives the factors of n as follows:
1) (p + q) is obtained from n and ϕ(n), since ϕ(n) = (p - 1)(q - 1)
= n - (p + q) + 1.
2) (p - q) is the square root of (p + q)^2 - 4n.
3) q is half the difference of (p + q) and (p - q):
q = ((p + q) - (p - q))/2
Because ϕ(n) is trivial to compute if n is prime, n must be
composite.
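Added Python example (not the article's code) covering two of the procedures above: the Euclid series of the section "Computing d from ϕ(n)", used here to generate a key pair, and the recovery of p and q from ϕ(n) just described. The primes 61 and 53 and the seed are constructed toy values.

```python
# Added example (not from the article): choosing (e, n) and (d, n) the way the
# section "Computing d from phi(n)" describes, and recovering p and q from phi(n)
# as in "Computing phi(n)".  Primes 61 and 53 are constructed toy values.
import math
import random

def inverse_from_series(phi, d):
    """Steps 1-2: walk X0 = phi, X1 = d, X(i+1) = X(i-1) mod Xi, keeping Ai, Bi with
    Xi = Ai*X0 + Bi*X1.  When X(k-1) = gcd = 1, B(k-1) is the inverse of d mod phi."""
    x_prev, x_cur = phi, d
    a_prev, b_prev = 1, 0          # X0 = 1*X0 + 0*X1
    a_cur, b_cur = 0, 1            # X1 = 0*X0 + 1*X1
    while x_cur != 0:
        quot = x_prev // x_cur
        x_prev, x_cur = x_cur, x_prev - quot * x_cur
        a_prev, a_cur = a_cur, a_prev - quot * a_cur
        b_prev, b_cur = b_cur, b_prev - quot * b_cur
    if x_prev != 1:                # X(k-1) = gcd(phi, d)
        raise ValueError("d is not relatively prime to phi(n)")
    return b_prev % phi            # B(k-1), reduced into [0, phi-1]

def generate_keys(p, q, seed=None):
    """Pick d > max(p, q) with gcd(d, phi) = 1 (the article suggests a prime d;
    coprimality is what the inverse needs), compute e = d^-1 mod phi, and restart
    (step 3) if e < log2(n).  Returns ((e, n), (d, n))."""
    rng = random.Random(seed)      # seeded only so the demo is reproducible
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        d = rng.randrange(max(p, q) + 1, phi)
        if math.gcd(d, phi) != 1:
            continue
        e = inverse_from_series(phi, d)
        if e < math.log2(n):       # too small: M^e might not wrap around mod n
            continue
        return (e, n), (d, n)

def factor_from_phi(n, phi):
    """Steps 1-3 of "Computing phi(n)": p+q = n - phi + 1, p-q = sqrt((p+q)^2 - 4n),
    q = ((p+q) - (p-q)) / 2.  Raises if (n, phi) is not a two-prime modulus."""
    s = n - phi + 1                # p + q
    disc = s * s - 4 * n           # (p - q)^2
    if disc < 0:
        raise ValueError("phi is larger than phi(n) can be")
    t = math.isqrt(disc)           # p - q
    if t * t != disc:
        raise ValueError("(p+q)^2 - 4n is not a perfect square")
    q = (s - t) // 2
    p = s - q
    if p * q != n:
        raise ValueError("recovered factors do not multiply to n")
    return p, q

def private_exponent_from_phi(e, n, phi):
    """What someone who learns phi(n) can do: d = e^-1 mod phi(n)."""
    return inverse_from_series(phi, e)

if __name__ == "__main__":
    pub, priv = generate_keys(61, 53, seed=3)
    print("public", pub, "private", priv)
    print("p, q from phi:", factor_from_phi(pub[1], 60 * 52))
    print("d from phi:", private_exponent_from_phi(pub[0], pub[1], 60 * 52))
```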
Computing d
~~~~~~~~~~~
Once d is computed, n could be factored easily; which is why computing
d is no easier than factoring n. If d is known, n could be factored as
follows:
e * d - 1 is calculated, which is a multiple of ϕ(n).
[n can be factored using any multiple of ϕ(n), according to Miller's
tests for primality, which rely on Riemann's hypothesis.]
References
----------
R. L. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital
Signatures and Public-Key Cryptosystems", MIT Laboratory for Computer
Science and Department of Mathematics, Communications of the ACM, 1978.
[==================================================================================================]
-=[ 0x04 Hacking the Iridium Satellite Network
-=[ Author: Shadytel, Inc
-=[ Website: http://www.shadytel.com
Hello again there kids - It's time for yet another slice of the Shadytel world. This issue, it'll be
double the Shadytel, double the fun!
This time, we're here to talk about a network you probably don't know about, but has carried voices
farther than the length of any voyage man has traveled, and lives above - even beyond us. This time,
Shadytel is breaking into space.
In 1998, Iridium was the next big thing. With 2400 bits of goodness, and one of the most expensive
vocoder licenses known to man (AMBE or Advanced Multi Band Excitation licenses are thought to range
anywhere from $100,000 to $1,000,000 US dollars), the company had something to prove - mostly that
people would pay dollars a minute to make a phone call.
In less than two years, they went bankrupt. Despite a strong backing from Motorola, the company was
only able to keep the network afloat so far. Plans were made to let all 66 satellites, and the
spares alike, burn up in the atmosphere or crash into the ocean. Fast forward to today. The Iridium
network as we know it still exists. Sort of.
The US Department of Defense, fearing the network they'd bought thousands of handsets for would stop
working, started pumping as much money as they could into the zombie of a company. In addition to
their stake of ownership in the company, the DoD has a gateway off a base in Hawaii. To this day,
the Department of Defense still makes up 23% of the company's revenue.
Moving onto the network itself, not much in the way of hardware has changed since 1998; nearly all
calls are processed via a PSTN gateway in Tempe, Arizona, though rumors suggest that a functional
gateway still exists in Avezzano, Italy. Beyond the Qwest 5ESS that links them to the outside world,
very strange things exist on the Iridium side, most notably a Siemens D900, a modified EWSD
typically used for GSM services working with a custom IVR to run the show from the ground. This
could possibly justify Iridium's explanation of their 66 low earth orbit satellites "functioning not
unlike extremely tall cellular towers."
So with the very, very notable DoD presence on a network used excessively by foreign embassies and
other strange organizations willing to pay a high price for a network possibly neutral from corrupt
nations, is this article meant to expose the company as a government front?
Hell no! We're here to help you own the crap out of it! From a numbering plan standpoint, Iridium is
very sporadic, occupying a large number of hundred blocks on Qwest's Tempe 5ESS, TEMPAZMCDS0.
Exceptions to this exist, though. In one range is an IVR simply known as the two-stage dialing
service. More accurately, since calls to Iridium's country code +881-6 are not only blocked on some
carriers, but hideously expensive (ranging anywhere from $1 to $5 per minute), Iridium made the
decision to let the called party pay said dollar per minute if they decide to opt in. While the
number (480-768-2500) is useful for scanning, it's also a little misleading. There are twenty
available numbers in that range, and two others assigned; 2505 goes to some unnamed calling card
platform, presumably for cheap access to the Iridium network, and 2510 goes through the satellite
gateway switch to a modem; what looks to be a Lucent Portmaster. Beyond these, most numbers will go
to ordinary Qwest subscribers.
This is the sort of environment you need to be accustomed to when dealing with Iridium. They'll
often take up roughly anywhere from twenty through fifty numbers in a hundred block, instead of
using the whole thing. Exceptions exist, though, particularly in exchanges occupied or near their
Avaya PBX. Speaking of which, aside from the Iridium test number, which we'll discuss in a bit, the
Iridium PBX is only good for two things:
- Steely Dan hold music
- Bugging NOC employees inhabiting the building 24/7
This would also be a good time to mention that the satellite master control center, according to
Iridium's 1997 website archive, is in northern Virginia, a territory where the company's current
incarnation has a corporate headquarters presence to this day.
Getting back to Tempe though, there are numbers that Iridium publishes for people to use, and given
the spastic nature of the way numbers are assigned, every little bit certainly helps. For example,
there's 480-752-5105. This is a free call for Iridium subscribers, but more importantly, it's a PBX
range owned by Iridium. Nearby in that exchange, 40xx, 41xx, and 42xx are all jammed full of numbers
pointing to the D900.
There's also 480-345-4340, the Iridium fax service.
And since we're a reputable corporation filled with shady deviants, we're releasing an Iridium range
just for you. 480-456-7000 through 8199 will largely go to the D900, giving all of you lazy phreaks
more than enough room to start.
Finally, once you find yourself needing to know which numbers are which on the Iridium network,
either by way of the two-stage dialing system, alarming amounts of toll-fraud, or voicemail numbers
announced on the dedicated DIDs, there is indeed structure to the way their exchanges are
provisioned. Here's a handy guide for just that:
8816-214 Commercial Accounts
8816-224 Commercial Accounts
8816-310 Test/Demo Accounts
8816-314 Commercial Accounts
8816-315 Prepaid Accounts
8816-316 Prepaid Accounts
8816-317 Colombia Ministry of Defense
8816-318 Crew Calling Card
8816-414 Commercial Accounts
8816-415 Prepaid Accounts
8816-514 Commercial Accounts
8816-629 contains smsc, etc
8816-762 DoD limited voice service
8816-763 DoD voice service
8816-766 DoD international voice service
There are other unconfirmed myths we have about the Iridium network, such as a partnership with
Sprint long distance, or the deep voiced male network announcements coming from the satellites
themselves, but that's where we pass the torch on. We bring you our unsolved mysteries, make them
the solved secrets that only you know. Go forth, shady readers, and happy dialing!
[==================================================================================================]
-=[ 0x05 An Introduction to Programming with x86 NASM
-=[ Author: storm
-=[ Email: storm@gonullyourself.org
-=[ Website: http://gonullyourself.org/
This article is meant to serve as a SIMPLE and INTRODUCTORY guide to writing x86 assembly code on
Linux using the NASM assembler. When I first began learning assembly, I realized that there weren't
many quality resources suited for a beginner to the language, and I found myself learning mostly
through word-of-mouth and referencing well-documented pieces of source code. I wished to write an
article that would make up for this, bringing the cryptic language down to a level that beginners
could understand. Please understand that the writing style leaves room for definitions that are
not 100% correct in every possible technical sense; this is done intentionally, to promote
understanding when one may not yet possess a full grasp of all the underlying concepts.
For this article, we will be working with the following "Hello World" example:
section .text
global _start

_start:
    mov eax, 4
    mov ebx, 1
    mov ecx, hello
    mov edx, hellosize
    int 0x80

    mov eax, 1
    mov ebx, 0
    int 0x80

section .data
hello db 'Hello world',0x0d,0x0a
hellosize equ $-hello
To get straight to the point, here's the quick and dirty way to compile a program with NASM:
[storm@Dysthymia ~]$ nasm -f elf hello.asm
[storm@Dysthymia ~]$ ld hello.o -o hello
[storm@Dysthymia ~]$ ./hello
Hello world
[storm@Dysthymia ~]$
It is important to note that when we write assembly code, we will be using the Intel syntax. The
two syntaxes primarily used on x86 are Intel and AT&T, and the most noticeable difference
between the two is the order of operands (the arguments) in instructions.
The Intel syntax looks like:
mov dst, src
such that the following instruction:
mov eax, 100
stores the value 100 (source) into the eax register (destination).
The AT&T syntax is exactly the opposite:
mov src, dst
It also adds some syntactic sugar, distinguishing between immediate operands (hard-coded values) and
registers:
mov $100, %eax
For the length of this article, we will be using:
http://gonullyourself.org/main/shellcode/documentation/Linux%20x86%20System%20Calls%20Reference%20for%20kernel%202.6%20and%20higher/main.html
as our reference documentation. Note that everything found in this documentation has its own
manpage, but the manpages are admittedly cryptic and may be intimidating to a beginning programmer.
This reference was shamelessly stolen from the LSCR project (http://sourceforge.net/projects/lscr/),
so you may download a local copy of it bundled in the latest tarball.
Open the system calls reference in your web browser and click on the Index view. Scroll down to
sys_write and select it.
On the page, we see:
eax 4
ebx Device descriptor.
ecx Pointer to the buffer containing the data to be written.
edx Number of bytes to be written.
These four arguments - eax, ebx, ecx, and edx - are called 'registers'. If you're not familiar with
registers, think of them as analogous to variables in high-level languages, like PHP or Python.
Only with assembly, these reside on the CPU itself. Let's consult Webopedia:
A special, high-speed storage area within the CPU. All data must be
represented in a register before it can be processed. For example, if two
numbers are to be multiplied, both numbers must be in registers, and the
result is also placed in a register. (The register can contain the address
of a memory location where data is stored rather than the actual data
itself.)
The number of registers that a CPU has and the size of each (number of bits)
help determine the power and speed of a CPU. For example a 32-bit CPU is one
in which each register is 32 bits wide. Therefore, each CPU instruction can
manipulate 32 bits of data.
Usually, the movement of data in and out of registers is completely
transparent to users, and even to programmers. Only assembly language
programs can manipulate registers. In high-level languages, the compiler is
responsible for translating high-level operations into low-level operations
that access registers.
CPUs have a specific number of registers as well as specific names and purposes for each of them.
All of these change from architecture to architecture. For instance, on the x86 architecture,
16-bit systems have the four general purpose registers ax, bx, cx, and dx. On 32-bit systems, these
four registers were 'e'xtended into eax, ebx, ecx, and edx. 64-bit systems extended these four
registers even further, and they became rax, rbx, rcx, and rdx. For this article, we are working
with a 32-bit x86 system.
When writing assembly code, our goal is to manipulate the contents of registers in such a way to set
the stage for executing system calls. System calls (syscalls) basically act as an API to the kernel
to do the most basic of basic tasks. Each kernel (Windows, Linux, XNU, so on) provides different
syscalls, and this list usually expands with newer versions.
Similar to how the PHP language gives us print() and fwrite(), the Linux 2.6 and higher kernel
provides us with sys_write, which we use in our hello.asm program. You can read the official
manpage of sys_write at `man 2 write`. In case you didn't know, manpages are divided into sections,
and section 2 is devoted entirely to syscalls.
Now that we know the basics, let's step through our code. The first line of our hello.asm program:
mov eax, 4
What we are doing here is storing the value 4 to the eax register. By doing this, we are setting
ourselves up to tell the CPU, "Hey, when I tell you to, execute syscall #4." Each individual
syscall has a unique number, and by looking back at the documentation for sys_write, we see that
it's assigned the number 4. If we wanted to execute sys_uname instead, for instance, then we would
store the number 122 to eax.
Moving onto the second line, we see:
mov ebx, 1
In the documentation, we can see that ebx is used for:
ebx Device descriptor.
This is simply a cryptic way of asking the programmer "Where do you want to write the data to?" The
POSIX specification standardizes three device descriptors:
STDIN (Standard In) - input
STDOUT (Standard Out) - output
STDERR (Standard Error) - error
When you type on the command line to give input to a program, you are writing data to STDIN. When
a program prints data to the screen, it is writing to STDOUT. When a program prints an error
message, it is writing to STDERR. Each of these device descriptors is assigned a number:
0 - STDIN
1 - STDOUT
2 - STDERR
We store the value 1 to ebx, because we want sys_write to write to STDOUT, i.e., the terminal. If
we instead wanted to write to a file, then we would first use the sys_open syscall, which returns a
file descriptor (represented by a number) that we would then pass on to sys_write.
Predictably, we will want to set up ecx next:
ecx Pointer to the buffer containing the data to be written.
We do this with the next line in our code, where we store a pointer to the string "Hello world\r\n"
to ecx:
mov ecx, hello
To explain this operation, look further down the code, where you'll see the declaration of the
string "Hello world\r\n":
hello db 'Hello world',0x0d,0x0a
Looking at the NASM documentation, the NASM language provides the following pseudo-instructions to
declare data in a program:
db value ; Allocate a byte sized value
dw value ; Allocate a word sized value
dd value ; Allocate a dword sized value
Here we declare a string using the db pseudo-instruction (as it's not an actual instruction in the
assembly language, but a tool offered by NASM), which is stored to the .data section of memory
(designated for initialized variables). We assign this value to the name 'hello', which is not a
register, but another tool offered by NASM that allows us to work with the notion of variables in
writing our program. It should be noted that the actual string is not assigned to 'hello'; instead,
'hello' represents the location in memory where our given string is stored, called a pointer. This
pointer is passed on to ecx in our program. Instead of writing the string itself to the ecx
register (since registers are very small), we instead give it a pointer to the data we want to write.
To reiterate, a pointer is simply a memory address that "points" to the data residing at that
address. When we want to run our program, the "Hello world\r\n" string is copied into memory, and
the address of where these bytes are located would be the value of our pointer. Most programs
written in the C language work closely with the notion of pointers too. A buffer or function is
referenced by its name, and a pointer to the buffer or function is obtained by prefixing the name
with an ampersand (&). Here, we can see the pointer at work in our program:
[storm@Dysthymia ~]$ gdb hello
GNU gdb (GDB) Fedora (7.2-51.fc14)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/storm/hello...(no debugging symbols found)...done.
(gdb) info variables
All defined variables:
Non-debugging symbols:
0x080490a4 hello
(gdb) x/13xb 0x080490a4
0x80490a4 <hello>: 0x48 0x65 0x6c 0x6c 0x6f 0x20 0x77 0x6f
0x80490ac <hello+8>: 0x72 0x6c 0x64 0x0d 0x0a
(gdb)
As you can see, this is exactly the value that 'hello' is replaced with (look at offset +10).
(gdb) disassemble _start
Dump of assembler code for function _start:
0x08048080 <+0>: mov $0x4,%eax
0x08048085 <+5>: mov $0x1,%ebx
0x0804808a <+10>: mov $0x80490a4,%ecx
0x0804808f <+15>: mov $0xd,%edx
0x08048094 <+20>: int $0x80
0x08048096 <+22>: mov $0x1,%eax
0x0804809b <+27>: mov $0x0,%ebx
0x080480a0 <+32>: int $0x80
End of assembler dump.
(gdb)
Our fourth line of the code:
mov edx, hellosize
By looking at the documentation, we see that edx is associated with:
edx Number of bytes to be written.
At the bottom of the code, we see some special syntax that grabs the size of our 'hello' string
and saves it to 'hellosize', analogous to strlen() in C ($ is the current assembly position, so
$-hello is the number of bytes between the 'hello' label and the end of its data). Instead of
storing the literal number 13 to edx (11 bytes for the text, 2 bytes for the carriage return and
newline), we just say "whatever the size of 'hello' is". This abstracts away the process of
determining the length of our string, which is useful should we change the string being written.
For example, if we change 'hello' to instead be "Hello there world, how are you?\r\n", then the
value stored to edx will automatically change to 33. With the original "Hello world\r\n" string in
mind, we can give edx a value of 5 and it will only print "Hello". If we give edx a value of 11,
then it will only print "Hello world" with no trailing whitespace.
The next line in our asm code:
int 0x80
This is called a kernel interrupt and is basically our program's way of notifying the kernel that
everything is set and we're ready to run the syscall. At this point, the value of eax will be read
and recognized to hold a value of 4, prompting the kernel to run sys_write. The remaining registers
are read and passed as arguments to the kernel function.
If you'd like a first-hand look at what's happening under the hood, then take a look at the Linux
kernel source code itself. As of the writing of this article, we are looking at the latest stable
release of the kernel, 2.6.39.3. The sys_write function resides in fs/read_write.c:
SYSCALL_DEFINE3(write, unsigned int, fd, const char __user *, buf,
                size_t, count)
{
        struct file *file;
        ssize_t ret = -EBADF;
        int fput_needed;

        file = fget_light(fd, &fput_needed);
        if (file) {
                loff_t pos = file_pos_read(file);
                ret = vfs_write(file, buf, count, &pos);
                file_pos_write(file, pos);
                fput_light(file, fput_needed);
        }

        return ret;
}
Each register we set matches up exactly to each argument passed to the function: an (unsigned)
integer to the file descriptor we're writing to, a pointer to the buffer of data we're reading from,
and a count of how many bytes to write.
The kernel will execute the syscall and print out "Hello world\r\n" to STDOUT.
Looking further down the example code, there is one more interrupt we execute before the program is
finished. Corresponding to an eax value of 1 is the sys_exit syscall, which is used to cleanly
terminate the current process. The ebx register holds an integer that represents the return value
of the process. It is mostly standardized that a return value of 0 means "no error," while a return
value of anything but 0 means an error of some sort occurred. Concerning errors in processes, the
integer returned is matched to a specific error code by consulting the program's documentation.
This is different from error reporting in C, where the return value upon error is usually -1, and
the integer representing the error code is stored to the 'errno' variable.
Expectedly, our simple program has encountered no errors, so we mov the literal value of 0 to ebx
and execute the syscall, effectively ending the program.
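The sys_write register convention walked through above, as an added example in C that is not part of the article: it issues the same write syscall through glibc's syscall(2) wrapper instead of `int 0x80` (so it also runs on x86-64, where the syscall number differs), and shows what the kernel does with the edx count and with an invalid descriptor in ebx. The pipe used to capture the output is an assumption of the example, not something the article does.

```c
/* Added example, not from the article: the sys_write call hello.asm makes,
 * issued from C through glibc's syscall(2) wrapper instead of `int 0x80`.
 * SYS_write comes from the header (it is 4 on 32-bit x86, the value the
 * article stores in eax), so this also runs on x86-64. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* The same bytes hello.asm declares with `db`, including 0x0d 0x0a. */
static const char hello[] = "Hello world\r\n";
/* Equivalent of `hellosize equ $-hello`: the bytes between the label and
 * the end of the data, i.e. the string without C's terminating NUL. */
static const size_t hellosize = sizeof(hello) - 1;

/* eax=SYS_write, ebx=fd, ecx=buf, edx=count, then trap into the kernel.
 * Returns what the kernel returned: bytes written, or -1 with errno set
 * (the wrapper turns the kernel's negative -EBADF etc. into errno). */
long raw_write(int fd, const void *buf, size_t count)
{
    return syscall(SYS_write, fd, buf, count);
}

/* Write `count` bytes of hello into a pipe and read them back, so the
 * effect of the edx value can be observed without touching the terminal.
 * Returns the number of bytes that came back (NUL-terminated in out),
 * or -1 on failure. */
long write_and_capture(size_t count, char *out, size_t outsz)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    long written = raw_write(fds[1], hello, count);
    close(fds[1]);
    long got = (written < 0) ? -1 : (long)read(fds[0], out, outsz - 1);
    close(fds[0]);
    if (got >= 0)
        out[got] = '\0';
    return got;
}

/* What comes back when ebx holds a descriptor that is not open: the
 * SYSCALL_DEFINE3(write) body shown above never finds a file and leaves
 * ret = -EBADF. Returns the errno value observed (expected: EBADF). */
int write_to_closed_fd(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    close(fds[0]);
    close(fds[1]);          /* neither descriptor is valid any more */
    errno = 0;
    if (raw_write(fds[1], hello, hellosize) == -1)
        return errno;
    return 0;
}

int main(void)
{
    char buf[64];
    long n;

    n = write_and_capture(hellosize, buf, sizeof buf);   /* edx = 13 */
    printf("count=%zu -> %ld bytes: %s", hellosize, n, buf);
    n = write_and_capture(5, buf, sizeof buf);           /* edx = 5 */
    printf("count=5  -> %ld bytes: %s\n", n, buf);
    n = write_and_capture(11, buf, sizeof buf);          /* edx = 11 */
    printf("count=11 -> %ld bytes: %s\n", n, buf);
    printf("closed fd -> errno %d (EBADF is %d)\n", write_to_closed_fd(), EBADF);
    return 0;
}
```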
As outlined at the beginning of the article, we now compile our NASM program like so:
[storm@Dysthymia ~]$ nasm -f elf hello.asm
[storm@Dysthymia ~]$ ld hello.o -o hello
[storm@Dysthymia ~]$ ./hello
Hello world
[storm@Dysthymia ~]$
If you're of the curious type, you may wish to start analyzing other binaries and see which system
calls they execute. This can be done using the `strace` command:
[storm@Dysthymia ~]$ strace ./hello
execve("./hello", ["./hello"], [/* 62 vars */]) = 0
write(1, "Hello world\r\n", 13Hello world
) = 13
_exit(0) = ?
[storm@Dysthymia ~]$
It may be interesting to observe the complex execution path that's followed even when a simple
program like `echo` is run without any arguments.
Hopefully after reading this, you have gained a fundamental understanding of the assembly language
and other basic, universal OS concepts. In future issues, we'll take it one step further and use
our knowledge to reverse engineer programs, and build exploit payloads, better known as shellcode.
[==================================================================================================]
-=[ 0x06 The Art of Crypto: Tips and Tricks
-=[ Author: duper
-=[ Website: http://projects.ext.haxnet.org/~super/
.______________________________________,
| |
| The Art of Crypto: Tips and Tricks |
:______________________________________:
| |
| |
| [=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%] |
| { } |
| [ another fine article brought to ] |
| [ you by duper of HaxNet #projects ] |
| { } |
| [%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=] |
; !
`=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'
Before I begin, I'd like to make it absolutely clear that I am by no means a professional code
breaker, an expert cryptographer, or a math genius. Therefore, this article does not aim to cover
low-level implementation details, such as lookup tables and their corresponding S-boxes
(substitution boxen). Furthermore, the theory behind some advanced attacks, such as collisions in
one-way hash functions as in the case of MD5, will be touched upon, but the finer mathematical and
technical idiosyncrasies are irrelevant to what follows. Similarly, the following text will not be
dedicated to subtleties like easily constructed subliminal channels, such as the well-known single
character modification to the Digital Signature Algorithm (DSA, also known as El Gamal).
The purpose of this rambling treatise is to share effective techniques and experience that I've
gained over the years which can be immediately applied to practical information security scenarios
by both those that are relatively new to hacking crypto and the seasoned system administrator as
well. The primary goal is to present some tips and tricks that can be used to easily identify and
exploit weaknesses that are commonly found in custom and well-known cryptosystems in the wild.
Initially however, some preliminary historical information will be outlined, as it pertains to the
current state of cryptographical science today.
Only a small amount of perfunctory encryption knowledge is assumed; if the reader happens to lack
even this, then some introductory reading resources are recommended in order to get up to speed with
the material. If you're unfamiliar with the names "Alice", "Bob", and "Eve" (among others) when used
as generic wildcards in theoretical public key infrastructure (PKI) examples (similar to "foo",
"bar", and "baz" in code samples), chances are you should at least breeze through some reference
literature pertaining to the study of making/breaking ciphers on the web; make sure you're
familiar with at least a few abstract concepts that are relevant to the public key and private key
approaches to encryption.
If you've never even heard of public or private key crypto before, then before continuing with this
article you really should invest a bit of attention to at least the first several chapters from the
books which essentially represent the bibles of the crypto world: 'Applied Cryptography: Protocols,
Algorithms, and Source Code in C', and 'Practical Cryptography' (the second edition is called
'Cryptography Engineering'). 'Practical Cryptography' and its renamed counterpart are co-authored by
Niels Ferguson, while all of the titles named above are authored by Bruce Schneier, the man who some
say is the closest thing that the digital security industry has to a rock star. Bruce maintains a
consistently updated blog on his web site: www.schneier.com. The source code for the older, yet
still extremely relevant, 'Applied Cryptography' is freely downloadable from his site.
Now that we've gotten the prerequisites out of the way, let's start off with some interesting
historical background. As most of you probably already know, a sender encoding some message with a
cipher in attempt to keep the real meaning a secret, while still enabling it to be read by the
intended recipient(s), has been utilized in the art of war for ages. A popular example that just
about every hacker has at least heard of is Julius Caesar's simplistic substitution or "rotating"
cipher; without a doubt, ROT13 is a permanent fixture in crypto lore and related subjects.
A more modern, yet less conventional employment of encoded messages was carried out by the United
States of America, which took advantage of a small segment within its indigenous population to
speak their traditional language in radio transmissions between battleships in the Pacific. This
Native American (or American Indian -- take your pick) language was more or less unknown to the rest
of the world. This fact, combined with the time and difficulty inherent in the process required to
conduct a linguistic analysis of the dialect by opposing forces, led to much success in the secret
communication of urgent war time agendas for the Americans. Quite appropriately, the indigenous
peoples that made such an effort possible became known forevermore as "code talkers."
Due to ongoing conflict across the globe, the mid-twentieth century witnessed many innovations in
code making and code breaking come and go. For example, messages transmitted via Continuous Wave
(CW) Morse code by the "Enigma" crypto machine, developed by Nazi Germany circa World War II, were
decrypted by the Western Allies after acute observation of permutation and group theory principles
by the notorious Charles Babbage. These machines were certainly pretty crude by today's standards
and became obsolete soon after their invention. Soon after, the U.S. enacted legislation which
consolidated previously existing defense organizations tasked with code-breaking during the war
effort into the National Security Agency (NSA) as it's known today. Since its inception, the NSA has
been first and foremost a highly specialized government wing dedicated to cryptographic endeavors
(as evidenced by the prominence of a key on the agency's seal).
Several decades later, through the continuous progression of Moore's Law, extremely complex
cryptographic systems and algorithms became available residentially; most notably, Phil
Zimmermann's Pretty Good Privacy (PGP) e-mail encryption protocol began to enjoy widespread use. Not
long afterwards, with the growth of the World Wide Web and the vast increase of electronic commerce
transactions taking place over the Internet, Secure Sockets Layer (SSL) was coded into the fabric of
all popular web browser software as a transport layer security (TLS) mechanism, which just about
brings us to where we are now.
Realistically, it doesn't take a genius to be able to crack a cipher. An obscene number of children
and housewives do it daily without realizing it while solving the word jumble puzzles most commonly
found near the comics section in locally distributed newspapers. If one knows what to look for, it's
really not all that difficult to point out at least a few weaknesses that exist in the majority of
cryptosystems used by Internet applications and other computer programs. Of course, some issues are
much more severe than others.
The remainder of this article will contain at least a brief description for each of a vast number of
encryption weaknesses commonly encountered on the Internet today. Typical encryption-related
security holes found on web servers and other daemons implementing SSL will be discussed as well as
some common misconfigurations that occur in the deployment of public key infrastructure on the
Internet in general.
Up until recently, one of the most common weaknesses in web servers featuring the
HyperText Transfer Protocol/Secure (HTTPS) method was the permission of SSL version two connections
from web browsers. SSLv2 has long been known to be vulnerable to a man-in-the-middle attack which
involves re-negotiating the same SSL handshake that is performed after a client connects to the
server's listening port. The third version of the SSL protocol was supposed to fix this weakness,
but it arose again in a slightly different form. It seems that the most recent versions of the
OpenSSL library no longer permit the re-negotiation of an SSL session at all. Not long ago, a new
stream could be negotiated with the server side by simply pressing capital "R" within an ongoing
connection using the s_client program.
$ openssl s_client -ssl2 -connect google.com.:443
Another commonly found weakness is the use of weak encryption algorithms to encrypt data
transmitted over a Transport Control Protocol (TCP) connection protected by SSL. For example,
crypto algorithms classified as export-grade produce ciphertext which doesn't take long at all to
crack, even if a brute force search attack is being performed on computing hardware that is
considered relatively modest by today's standards. Passing the cipher list to s_client with its
-cipher option restricts what the client offers, so a completed handshake means the server accepts
an export-grade suite:
$ openssl s_client -cipher EXPORT40 -connect google.com.:443
$ openssl s_client -cipher EXPORT56 -connect google.com.:443
Another weakness that commonly occurs on SSL servers is the use of the Electronic CodeBook (ECB)
mode of encryption. The problem here is that each ciphertext block corresponding to identical
plaintext will also be identical even after being encrypted. This is because the algorithm basically
remains in the same computational state from start to finish. After the initial block of text is run
through the cipher, if an identical block of text is encountered later on in the message, it will
yield the same exact ciphertext as the preceding equivalent block. Such a situation is called a
"known plaintext attack."
In general, crypto software configured for ECB mode is unacceptable, especially since more secure
modes such as Cipher Block Chaining (CBC) and Cipher FeedBack (CFB) mode are usually available. CBC
and CFB modes take the results from previous encryption iterations and use them as input while
encrypting the remaining plaintext blocks. In this way, if two or more blocks with identical text
happen to appear in the input stream, then the ciphertext output for them will differ. This
makes cryptanalysis a significantly more difficult job. Note that the described weakness in ECB
mode will not arise if the plaintext length happens to be less than or equal to the encryption
algorithm's block size. Nevertheless, Electronic CodeBook should still be avoided altogether, just
in case the key and/or input size change unexpectedly. Some extra efficiency isn't worth the loss in
data security.
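The ECB versus CBC behaviour described above, as an added example in C that is not part of the article: a deliberately toy block cipher (key XOR plus a byte rotation; worthless as a cipher, but deterministic and invertible like a real one) is run in both modes over a message that repeats a block, alongside the check a reviewer can apply to ciphertext without knowing the key: counting duplicated blocks. The sample text, key and IV are constructed for the example.

```c
/* Added example, not from the article: a toy 8-byte block cipher run in
 * ECB and CBC mode over a plaintext that repeats a block, plus a
 * key-less check on the ciphertext: how many blocks are duplicates. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 8

/* Toy E_k: XOR with the key, then move byte i to position i+1 and add a
 * per-position constant. Deterministic and invertible, which is the only
 * property the modes rely on; it has no cryptographic strength at all. */
static void toy_encrypt_block(const uint8_t k[BLOCK], const uint8_t in[BLOCK],
                              uint8_t out[BLOCK])
{
    for (int i = 0; i < BLOCK; i++)
        out[(i + 1) % BLOCK] = (uint8_t)((in[i] ^ k[i]) + 37 * i);
}

/* ECB: each block is encrypted on its own, so identical plaintext blocks
 * map to identical ciphertext blocks. len must be a multiple of BLOCK. */
void toy_ecb_encrypt(const uint8_t k[BLOCK], const uint8_t *pt, uint8_t *ct, size_t len)
{
    for (size_t off = 0; off < len; off += BLOCK)
        toy_encrypt_block(k, pt + off, ct + off);
}

/* CBC: each plaintext block is XORed with the previous ciphertext block
 * (the IV for the first one) before encryption, so the cipher's input
 * differs at every position even when the plaintext repeats. */
void toy_cbc_encrypt(const uint8_t k[BLOCK], const uint8_t iv[BLOCK],
                     const uint8_t *pt, uint8_t *ct, size_t len)
{
    uint8_t prev[BLOCK], x[BLOCK];
    memcpy(prev, iv, BLOCK);
    for (size_t off = 0; off < len; off += BLOCK) {
        for (int i = 0; i < BLOCK; i++)
            x[i] = pt[off + i] ^ prev[i];
        toy_encrypt_block(k, x, ct + off);
        memcpy(prev, ct + off, BLOCK);
    }
}

/* The check: number of ciphertext blocks that repeat an earlier block.
 * On a message with repeated plaintext, a non-zero count is the ECB
 * fingerprint the article describes, and it needs no key to compute. */
size_t count_repeated_blocks(const uint8_t *ct, size_t len)
{
    size_t nblocks = len / BLOCK, dup = 0;
    for (size_t i = 1; i < nblocks; i++) {
        for (size_t j = 0; j < i; j++) {
            if (memcmp(ct + i * BLOCK, ct + j * BLOCK, BLOCK) == 0) {
                dup++;
                break;
            }
        }
    }
    return dup;
}

/* Constructed sample: four 8-byte blocks, blocks 0 and 2 identical. */
static const char sample_text[] = "ATTACK!!" "AT DAWN." "ATTACK!!" "HOLD.   ";
#define SAMPLE_LEN (4 * BLOCK)
static const uint8_t sample_key[BLOCK] = {0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80};
static const uint8_t sample_iv[BLOCK]  = {1, 2, 3, 4, 5, 6, 7, 8};

/* Duplicated ciphertext blocks under ECB for the sample (expected: 1). */
size_t ecb_dups_on_sample(void)
{
    uint8_t ct[SAMPLE_LEN];
    toy_ecb_encrypt(sample_key, (const uint8_t *)sample_text, ct, SAMPLE_LEN);
    return count_repeated_blocks(ct, SAMPLE_LEN);
}

/* Duplicated ciphertext blocks under CBC for the sample (expected: 0). */
size_t cbc_dups_on_sample(void)
{
    uint8_t ct[SAMPLE_LEN];
    toy_cbc_encrypt(sample_key, sample_iv, (const uint8_t *)sample_text, ct, SAMPLE_LEN);
    return count_repeated_blocks(ct, SAMPLE_LEN);
}

int main(void)
{
    printf("ECB: %zu repeated block(s) in the 4-block sample\n", ecb_dups_on_sample());
    printf("CBC: %zu repeated block(s) in the 4-block sample\n", cbc_dups_on_sample());
    return 0;
}
```

A single-block message yields no repeat under either mode, which is the length caveat the text makes; the check only becomes meaningful once the plaintext exceeds one block.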
Typically, daemons that provide SSL services are linked with the OpenSSL library. Usually, this is a
vulnerability in and of itself since the crypto security playing field is constantly in motion. It's
more than likely that a currently running service was compiled prior to a new OpenSSL release
which patches one or more publicly known security holes. Depending on how a particular daemon is
set up, it's quite likely for the version number or other information about the utilized
encryption library to be leaked through a client network connection.
Other popular application programming interfaces (APIs) for encryption include Mozilla's Network
Security Services (NSS), GnuTLS, Bouncy Castle, Beehive, the Microsoft .NET Framework's
System.Security.Cryptography namespace, etc. Although these are fairly common libraries, and each
exposes a wide range of crypto functionality, it is by no means an exhaustive list. As time unfolds,
vulnerabilities are publicized and patched in either a crypto API itself, or a specific unsafe usage
of it within a software package dependent upon one or more of the open source and/or commercial
crypto APIs.
For instance, an application could be using the latest version available of any given encryption
library and still risk data compromise as a result of improper key management, use of a weak
algorithm/mode/key/etc., as well as other mishaps that are mentioned later in this text. As an
example, consider an application encrypting lengthy input blocks via a weak block cipher mode, with
a private key value equivalent to a commonly used default password that's being transmitted over a
plaintext SOAP/XML web service (i.e. lacking both HTTPS and WS-Security), all while using an
algorithm that has thoroughly researched weaknesses -- think RC2-ECB and a 40-bit key.
Aside from promiscuously sniffing network traffic, which was possible for the example given in the
previous paragraph, there are many other situations that can lead to private key plaintext or
ciphertext exposure. Gaining access to the private key's plaintext is certainly preferred from an
attacker's perspective. It's not quite "game over," but knowledge of ciphertext relating to a
private key such as a Key Encrypting Key (KEK), or the ciphertext of the private key itself, takes
the attacker one step closer to cracking the plaintext private key. The usage of default keys for
block ciphers and private certificates available out-of-the-box in software products attempting to
take advantage of PKI are other possibilities. Lax filesystem permissions that permit the reading of
files containing private key/certificate material may occur.
Crypto cracking tools have evolved tremendously since the olden days of traditional wordlist-based
cracking of encrypted/salted user login passes with John The Ripper. It wasn't that long ago that
the ciphertext passwords for all users on a UNIX system (including root) were available to everyone
through the world-readable /etc/passwd file. Circa the early-to-mid 1990s, due to widespread
cracking of password files, almost all UNIX flavors quickly migrated to user password protection
based on the /etc/shadow file and PAM (Pluggable Authentication Modules). The seminal Linux
distributions that were becoming more and more available on CD-ROM media via mail order, and as book
inserts, quickly followed suit, especially with respect to PAM which allowed the fine-tuning of a
system's authentication behavior by configuring dynamic shared objects (DSOs) to be loaded for
modular addition of desired authentication functionalities.
Not long after, the crypt(3C) library function in Linux began to support MD5 as an alternative to
DES, which was now on its last legs of UNIX login authentication and other crypto applications as
well. (Note that in this context, DES refers to single DES, which is not to be confused with
TripleDES or 3DES, a much stronger algorithm based on the original single DES source code.) However,
the UNIX/Linux login crypto woes weren't over yet. The early 2000s witnessed the discovery of
several high-impact PAM vulnerabilities in Set-UID binaries allowing the loading of arbitrary DSOs,
i.e., shared library files that are usually compiled into a filename ending in a '.so' extension.
Typically, an executable binary will be dynamically linked with such a file. In the case of PAM,
since the DSOs were loaded at runtime via the dlopen() library function, a normal user could compile
a DSO that performed arbitrary actions while executing in PAM's privileged superuser context.
Around the same time that privilege escalation exploits were being discovered in the PAM modular
authentication system, other growing pains continued to materialize out of the crypt(3C) function
itself. For example, one weakness caused the initial password of an account to be encrypted with DES
despite the move to MD5 as the default encryption algorithm for user passwords. This was
probably due to crypt(3C) requiring a special character sequence '$1$' to be prepended to its salt
argument in order to ensure the use of MD5. Administrator utilities such as the command useradd(1)
may have failed to pass the salt argument properly, although this is just a theory. What can be said
for sure is that one or more system components that interacted with the login authentication
process became out of sync with the cryptographic changes that were taking place. This is reinforced
by the fact that another vulnerability was discovered in RedHat Linux around the same time where
only the first eight characters of a plaintext password encrypted by crypt(3C) were compared to
the actual password, regardless of whether its true length was greater than eight characters.
During and after those rough times for UNIX authentication, Microsoft was experiencing problems of
its own. Not only was NTLM authentication being attacked, but the Windows LSASS (Local Security
Authority System Service) process was being reverse engineered, and hashes from the
'C:\Windows\System32\security\SAM' file were being extracted by tools like passdump2.exe. Since
Vista, the CNG (Cryptographic Next Generation) Key Isolation service works with LSASS in order to
protect cached key data.
A common error web application developers make is generating session identifiers or other encoded
strings used for authentication/authorization from plaintext data that is already known to the end
user. This allows a known plaintext attack to be put into action. If a site user notices that one of
the cookies their browser is sending to the site corresponds to the SHA-1 hash for the string
"guest" while they're logged into the guest account, then it doesn't take a genius to figure out
that sending the cookie instead as the SHA-1 value for "admin" may cause the server to permit
administrative access to the site. Likewise, web application or CGI vulnerabilities, such as
directory traversals that allow the remote reading of source code and/or configuration files, can
disclose a variety of sensitive encryption-related information, from the algorithm in use to the
private key itself, especially since the web server process by necessity has read access to data
pertaining to its own encryption activities. Extracting hard-coded keys from the application's
binary files is yet another possibility.
To expand on web-based crypto issues, let's look at how SSL/TLS can be undermined. Although SSL is
commonly used by HTTP, many other network protocols that are in use on the Internet today support
SSL as well. First of all, everybody knows that self-signed certificates are a bad idea. This is
because the concept of full certificate chain verification is totally removed from the equation
since self-signed certs have no chain. As such, no trusted third-party will be specified that can
confirm the identity of the server, such as a CA (Certificate Authority).
Another well-known issue that can compromise a digital certificate's integrity is expiration.
Between the time that the certificate was created and the time it expired, a myriad of changes in
space and time affecting the security of the PKI infrastructure could have transpired. The domain
name it was meant to serve could have changed ownership, an issuing intermediate-level CA may have
gone out of business, a root-level CA might have suffered a malicious cyber attack, or perhaps
weaknesses were discovered in the certificate type. The last example is more likely now than ever
before, considering the growing selection of certificate options that are becoming increasingly
available from certificate authorities: EV (Extended Validation), SNI (Server Name Indication),
wildcard certificates, and so on.
One particularly interesting attack that is much more effective than one might expect is the
spoofing of X.509 certificate headers. Essentially, an attacker who is playing man-in-the-middle
creates a self-signed certificate with X.509 header values which match the legitimate certificate
one-to-one. Despite the complete lack of cryptographic identity, there have been quite a few attacks
like this that have succeeded in the past, including at least one that would have allowed
unrestricted access to Microsoft network services in the absence of two-factor certificate/password
authentication. Even in the presence of two-factor authentication, the certificate piece would have
been rendered irrelevant, greatly lowering the bar for a successful attack to mere password
knowledge, or a brute-force search against it, with the chances of success depending directly on how
the service then handled account lockout and/or login attempt throttling.
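To make the last three points concrete, here is an added Python example (not the article's own code) using only the standard library ssl module. The three certificates are constructed by hand in the dictionary layout that getpeercert() returns, and no real host is contacted. The lesson it shows: the self-signed and expired cases are visible in the metadata, but a certificate whose headers were copied one-to-one passes every such check, so the only thing that can reject it is full chain verification at handshake time:

```python
import ssl

# Constructed certificates in the form ssl.SSLSocket.getpeercert() returns.
LEGIT_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "mail.example.test"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Root CA"),),
               (("commonName", "Example Root CA"),)),
    "notBefore": "Jan  1 00:00:00 2011 GMT",
    "notAfter": "Dec 31 23:59:59 2011 GMT",
    "subjectAltName": (("DNS", "mail.example.test"),),
}
# The man-in-the-middle certificate from the text: self-signed in reality, but
# every printable header copied one-to-one from the legitimate one.
SPOOFED_CERT = dict(LEGIT_CERT)
# A plain self-signed certificate: the issuer is literally the subject.
SELF_SIGNED_CERT = dict(LEGIT_CERT, issuer=LEGIT_CERT["subject"])

# Two points in time used by the checks below (inside and after the validity window).
MID_2011 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2011 GMT")
MID_2013 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2013 GMT")


def _rdn_dict(rdns):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {key: value for rdn in rdns for key, value in rdn}


def audit_peer_cert(cert, now):
    """Metadata checks from the text: self-signed, expired, not yet valid."""
    findings = []
    if _rdn_dict(cert["subject"]) == _rdn_dict(cert["issuer"]):
        findings.append("self-signed")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not yet valid")
    return findings


def headers_match(cert_a, cert_b):
    """True when subject, issuer and SANs agree: all that header comparison sees."""
    return (_rdn_dict(cert_a["subject"]) == _rdn_dict(cert_b["subject"])
            and _rdn_dict(cert_a["issuer"]) == _rdn_dict(cert_b["issuer"])
            and cert_a.get("subjectAltName") == cert_b.get("subjectAltName"))


def strict_client_context():
    """Context that verifies the full chain against the trust store and matches
    the hostname during the handshake. create_default_context() already sets
    both; they are restated so a later caller cannot silently drop them."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_strict(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
```

Any client that inspects fields after the handshake but connects with verify_mode CERT_NONE has exactly the weakness the paragraph describes; the audit helpers here are a supplement to chain verification, never a replacement for it.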
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-+
| |
| Bibliographical Information and Recommended References List |
| |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
* http://tools.ietf.org/rfc/rfc1321.txt
Internet Engineering Task Force (IETF) Request For Comments (RFC) 'The MD5 Message-Digest Algorithm'
* http://en.wikipedia.org/wiki/National_Security_Agency
National Security Agency: From Wikipedia, the free encyclopedia
* http://en.wikipedia.org/wiki/Cryptanalysis_of_the_Enigma
Cryptanalysis of the Enigma: From Wikipedia, the free encyclopedia
* http://en.wikipedia.org/wiki/Alice_and_Bob
Alice and Bob: From Wikipedia, the free encyclopedia
* http://en.wikipedia.org/wiki/Permutation_group
Permutation Group: From Wikipedia, the free encyclopedia
* http://www.schneier.com/ Schneier on Security
A blog covering security and security technology.
* http://www.schneier.com/book-applied.html
Applied Cryptography, Second Edition (ISBN 0471128457)
* http://www.schneier.com/book-applied-source.html
Applied Cryptography Source Code
* http://www.schneier.com/book-practical.html
Practical Cryptography (ISBN 0471223573)
* http://www.schneier.com/book-ce.html
Cryptography Engineering (ISBN 0470474246)
* http://openpgp.org/
The OpenPGP Alliance Home Page
* http://www.ietf.org/rfc/rfc4880.txt
IETF RFC for The OpenPGP Message Format
* http://www.philzimmermann.com/EN/background/index.html
Philip Zimmermann: Creator of PGP and Zfone
* http://www.pgpi.org
The International PGP Home Page
* http://gnupg.org/
GNU Privacy Guard
* http://www.symantec.com/business/theme.jsp?themeid=pgp
PGP Encryption Products
* http://nostarch.com/pgp.htm
PGP & GPG: Email for the Practical Paranoid (ISBN 9781593270712)
* http://www.cryptolounge.org/wiki/Main_Page
CryptoLounge.org MediaWiki - Main Page
* http://www.mozilla.org/projects/security/pki/nss/
Network Security Services (NSS)
._________.
: :
: E O F :
: :
`---------'
[==================================================================================================]
-=[ 0x07 Hacking 15A Announcement Machines
-=[ Author: Shadytel, Inc
-=[ Website: http://www.shadytel.com/
h0h0h0 kids! It's Shadytel pissing down your legs once again with yet another long, drawn out
explanation of how we own the world.
It's been a while since the world of phreaking has seen an article on a piece of equipment, so for
this quarter, we're going to spin the great rotary dial of time back to 1982 for a moment. Crotch-
grabbing pedophiles sodomized the hearts of millions with thrilling pop albums, iconic battles
between the East and West surged on with newly-revived hatred, and the first number five ESS ever
rolled off an assembly line. Magnetic drum recordings lived on for a while longer, but eventually
Alcatel-Lucent (then still Western Electric) needed a digital announcement machine to complement a
digital switch.
The end result? A machine that doesn't sound digital at all.
If you've heard a 15A announcement system before, you've probably mistaken it for a looping piece of
really old tape. Between the faint voices of adjacent announcement channels and enough noise to
sound like it was recorded in an air conditioning duct, there's almost no mistaking it. Fortunately
for us, that makes it really easy to pick out in a crowd of switches. Here's what one particular one
sounds like in action: 503-635-1026.
So - let's say you're scanning this switch. What does finding a 15A mean? Well, it's simple - 15As
have very limited access capabilities. Basically, there's an LCD panel on the front slightly smaller
than the one on your alarm clock, and there's a voice-based remote access feature that the on-board
microcontroller runs. No Ethernet, not even a serial port. If you have any doubts that your 15A has
a remote access number, keep listening to the test announcements you find when you scan.
Announcements made remotely will have touchtones at the end a lot.
So now, with a little luck in your scan, you've probably come across something that answers like
this:
{Roughly 1200 hertz tone} "Enter your security code after the tone" {touchtone number 5}
Yessir, Lucent (inadvertently) did their jobs well. When you get a login prompt from a 15A, there's
no mistaking it. Like the announcements themselves, you'll know exactly what you've got the second
you hear it.
Now, logging in would normally be the tricky part. Most offices won't change their default
passwords, because they really don't need to. By default, there's no possible way to guess it.
Ready? *47985621
No matter what they change it to - if they ever change it, it'll always start with a star.
"Press # at any time to return to the main menu. Enter a function code, or press ** for help." The
15A does a good job explaining its own menu, so we won't dwell on it much here. A few quick notes,
though:
- Channels usually start at zero, and work their way up to seven
- A diagnostic is less interesting than it sounds; it beeps while it checks the announcements
for silence
- There are a few hidden features on the menu. *5 will let you assign passcodes to individual
channels, and *91 records over *every* channel. Fortunately, this one asks you to confirm
before attacks from a swarm of angry telco lawyers ensue.
Finally, some of us have found 15As that have no voice prompts, so for the benefit of the vocally
disadvantaged, here's how the menu was read out to us:
*0 - Select channel
*8 - Change security code
*4 - Perform diagnostics
*6 - Disconnect
Likewise, here's the menu you get after you select a channel:
*0 - Select channel
*8 - Set security code
*90 - Record
*2 - Playback
*3 - Set channel status
*4 - Perform diagnostics
*6 - Disconnect
So, finally, you might be asking yourself... You've got a 15A announcement machine, what do you do
with it? Unlike, say, an EAS, there really is a limit to how much recording time is on there, so you
can't really explore too much. Unlike the Innovative Systems machines, you can't set up a conference
on them, or make your own voicemail boxes.
So what's so much better about a 15A?
It boils down to one word: crosstalk. On a 15A, there are actual, individual loops for every
different announcement, and unlike some of the more modern counterparts, not only are they always
playing *every* second they're turned on, but they're connected to announcement trunks using
individual analog pairs. In its stock configuration, there's tons of electromagnetic leakage between
these channels; that's what makes it sound like there are other voices in the background. Now,
keeping in mind that recordings can be much, MUCH louder than the telco makes them, what do you
think is stopping you from making a channel that bleeds through so loudly, you can hear it really
clearly on everything else? The sheer potential awesomeness we're dealing with here is only limited
by your ability to hear peoples' reactions. Competitive loudness is a proud American tradition.
Let's use it where it counts.
[==================================================================================================]
-=[ 0x08 Gawker Passwords Analysis
-=[ Author: SinThet
-=[ Email: vektorical@gmail.com
-=[ Website: http://sinthet.wordpress.com/
Hardly a secret to the general public, and common knowledge to anyone and everyone even remotely
associated with the security or hacking scene(s), a group known as Gnosis released just under 200k
user names, emails, and decrypted passwords from a stolen database belonging to Gawker in late 2010.
For the curious "hacker" (however you define the word), this is like an early Christmas present. It
provides valuable insight into how people view security, and how much they value it. It allows us to
make hypotheses about the psychology behind people's passwords. It provides yet another glimpse as
to just how lax security policies at large companies are. Originally, I was going to analyze these
patterns and apply them to a general wordlist in order to determine just how much I'd be able to
improve the results by. However, as I pursued this, I found myself pretty much running in circles,
since the majority of the passwords cracked followed similar methods I was trying to implement, and
so I'd done more to reverse engineer some of the techniques no doubt used to crack the released
passwords.
Regardless, I'll still present my results of the initial analysis, and hopefully, you'll find them
informative and at least somewhat interesting.
Disclaimer: I'm no professional. I'm a high-school kid that likes learning by doing. I'm doing this
not because I expect to make a breakthrough in anything, but because it's interesting. Hopefully,
someone smarter than me will read this, notice a pattern I've missed, and make an improvement on my
observations.
I realize the majority of these passwords aren't of the particularly secure kind; however, I believe
patterns found here repeat in the uncracked passwords as well, perhaps more cleverly disguised, but
present nonetheless.
NOTE: I will provide links to full statistics that I've calculated, as well as the source code used
to calculate it.
a. An Analysis of the leaked + cracked Passwords.
----------------------------------------------------
In this section, I will present a few statistics, a truncated version of my full results.
Firstly, let's start with some frequency analysis from a character perspective.
~~~~MOST COMMON CHARACTERS IN LEAKED PASSWORDS~~~~~
a: 8.4%
e: 7.99%
o: 5.89%
r: 5.61%
s: 5.48%
i: 5.21%
n: 5.15%
1: 4.48%
Let's compare this to the most common characters in the English language.
~~~~~~~~~~~~~~~~~~~~~~~~
E 12.51%
T 9.25%
A 8.04%
O 7.60%
I 7.26%
N 7.09%
S 6.54%
R 6.12%
We're using the first 8 most common for a reason. DES encryption only encrypts the first 8
characters. So, if your password is "123456789", the resulting hash might be "abcdefgh". This means
that typing "12345678" would grant you access just as well as "123456789", since the hash algorithm
doesn't acknowledge the ninth (and any subsequent) characters' existence.
The letters "a,e,o,r,s,i,n" appear in both lists. Furthermore, their order is somewhat similar. From
this, it's a reasonable conclusion that a good deal of the passwords are normal English words (not
entirely surprising). The presence of the number 1 in such a high percentage (The next percentage
for a number is 2, with roughly 2.2%), is especially useful. We can make a safe guess that a good
portion of our English-word-using people have at some point encountered the message "Your password
must consist of at least one number" when registering for a website. If you were an annoyed person
trying to quickly get through a registration, adding a single number to the end (or the beginning)
is the quick and easy solution. The number 1, being what most people see as the "first" number, is
probably a popular choice. Furthermore, 1 is the start of many sequences. It is often used as a
substitute for the letter "I". These properties set 1 apart from most other characters.
Next, let's take a look at the most common passwords in the entire list.
~~~~~MOST COMMON PASSWORDS IN LEAKED GAWKER DATABASE~~~~~~~~
1: 123456: 3057: 1.64% of all passwords.
2: password: 1955: 1.036% of all passwords
3: 12345678: 1119 : .5% of all passwords.
4: lifehack: 661: .35% of all passwords.
5: qwerty: 418: .22% of all passwords.
6: abc123: 333: .17% of all passwords.
7: 111111: 311: .16% of all passwords
8: monkey: 300: .16% of all passwords.
9: consumer: 273 : .14% of all passwords
10: 12345: 253: .14% of all passwords.
First, take a moment to grab a bucket. It's your duty as a reader interested in computer security to
want to barf at these results. Next though, we should notice that 1 is very common again. In fact,
it alone accounts for 15.6% of the characters in the top ten most used passwords. It is contained
within 50% of the most common passwords. Its importance as the "first" in a sequence is reinforced.
6 of the top 10 passwords are common sequences, 5 of them contain the number one, and 4 of them
start with one (the odd man out is a combo of two sequences, abc and 123).
Let's look at the other 4 words: password, lifehack, monkey, consumer. "password" will almost always
come up as a common password. People who use it don't appreciate the importance of security, and
when forced to change it, probably fall into the "add a number to the end" category. Sadly, we'll
never know how many have done this, since "password" is 8 characters long. Damn DES, you suck for
security, as well as analysis. "lifehack" and "consumer" aren't particularly surprising, since
they're both related to websites owned by the same entity. This is an interesting pattern though.
It suggests that this person probably keeps different passwords (a slight sigh of relief can be
had), and tries to remember them by relating them to each website. This can be good to remember for
targeted attacks, but almost useless for indirect account mining (stealing low security forum
credentials in hopes of someone using the same password on paypal). Still, if you're targeting a
single person, this kind of activity suggests that you may be able to simply guess their password
based on the kind of website you're trying to get into via their credentials.
The password "monkey", however, is different. "monkey" appears 554 times, 300 of which it stands
alone. However, that's 254 times which it appears augmented with something else, just enough to
displace "12345" as the number 10 most common password. The percentage (~.14% of all passwords) may
seem small, but 254 accounts is a pretty substantial number. Since these passwords contain both
numbers and letters, their owners may consider them more secure, and so more likely to reuse them
for multiple logins. Obviously, this increases their value substantially.
Now, let's start comparing the leaked passwords to a "common password" list, and see how we do.
~~~~~Top Ten Passwords which appear in Common Password List~~~~~
1: 123456: 3057: 1.62% of all passwords
2: password: 1955: 1.038% of all passwords
3: 12345678: 1119: .59% of all passwords
4: qwerty: 418: .22% of all passwords
5: abc123: 333: .17% of all passwords
6: 111111: 311: .17% of all passwords
7: monkey: 300: .16% of all passwords
8: letmein: 247: .13% of all passwords
9: dragon: 233: .11% of all passwords
10: baseball 213: .11% of all passwords
There is a high level of overlap between the two groups. The exceptions to the rule are "lifehack",
"consumer", and "12345". "12345" is probably gone because the wordlist assumes a longer password
length. However, the absence of the other two frequently occurring passwords suggests that our
conjecture about including site-specific keywords matters: it could increase our gain by 934
accounts. It's especially convenient in this case, because we don't even have to worry about clever
people appending gibberish to the end --> Fail DES.
For curiosity's sake: 79% of the passwords contained in the "common" list appeared in the leak.
These 1805 unique passwords made up 22% of the leaked 188281 passwords. So, roughly one in 5
accounts can be broken into using a list which contains just over 2200 passwords. That's a pretty
sad state of affairs, considering the trivial amount of time this would take with even a semi-modern
processor.
Now, moving on, we should take a look at first characters and numbers.
~~~~~~~~~~~~~~~~
Most common first characters:
s: 19765: 10.5%
m: 15322: 8.14%
b: 14029: 7.45%
Most common first numbers:
1: 14970: 7.95%
2: 2171: 1.15%
4: 1037: .55%
~~~~~~~~~~~~~~~~
The fact that 1 appears yet again is important, especially in such a high percentage. However, s m
and b may not jump out as particularly useful. They may not be in a way that'll get us any closer to
an actual password, but for optimization, these are great, especially in a real world example where
you are generating hashes. If you have a wordlist, like we do, applying our patterns randomly may
waste time, but if we focus our efforts in the order in which they are most likely to have the
highest payoff, we should be able to harvest more hits quickly and efficiently.
Since the first characters can help us optimize our search, it's only logical that we should analyze
the last character as well.
~~~~~~~~~~~~~~~
Most common Last characters:
e: 15948 : 8.47%
n: 13639 : 7.24%
s: 12683 : 6.74%
Most common Last Numbers:
1:15854 : 8.42%
2:7176 : 3.811
3:7143 : 3.79%
~~~~~~~~~~~~~~~~
Again, we can learn something from these statistics. The most common ending characters correspond
quite well to the English language yet again. Therefore, if a word starts with one of the top "first
letters" and ends with one of the top "last letters", we probably shouldn't bother applying any
patterns to our wordlist words, but rather make the safe assumption that the password is in fact, a
word in the English language.
The "last numbers" also tell us some important things. If a password ends in 1, and starts with a
letter (especially one of the common letters), there's a good chance it's one of our "tack a number
to the end" passwords.
However, 2 and 3 aren't typically one of the "tack a number" choices. Instead, they are pretty good
indicators of a "123" sequence tacked onto another common phrase. (The top-ten combo of abc123 is a
good example).
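The tallying behind the tables above, written out as an added Python example (the author's own scripts are linked at the end of the article and are not reproduced here). The corpus and the "common" list are small constructed samples standing in for the leak, so the percentages are illustrative only; the functions are the general versions of the per-character, per-position, top-N, list-overlap and bare-versus-augmented counts the text walks through:

```python
import re
from collections import Counter

# Constructed sample corpus, one entry per account, standing in for the leak.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "password", "lifehack",
    "monkey", "monkey1", "qwerty", "abc123", "sunshine1", "baseball",
    "dragon123", "shadow", "master", "summer2", "secret", "letmein",
]
# Constructed stand-in for the "common password" list the article compares against.
COMMON_LIST = {"123456", "password", "qwerty", "abc123", "monkey",
               "baseball", "dragon", "letmein", "shadow", "master"}


def des_truncate(password):
    """Model the 8-character limit the article attributes to DES crypt: only the
    first 8 characters count, so 'sunshine1' and 'sunshine' collide."""
    return password[:8]


def char_frequency(passwords, top=8):
    """Most common characters across the whole corpus, as percentages."""
    counts = Counter(ch for pw in passwords for ch in pw)
    total = sum(counts.values())
    return [(ch, round(100 * n / total, 2)) for ch, n in counts.most_common(top)]


def top_passwords(passwords, top=10):
    """(password, count, percent of all accounts) for the most frequent values."""
    counts = Counter(passwords)
    return [(pw, n, round(100 * n / len(passwords), 2))
            for pw, n in counts.most_common(top)]


def position_stats(passwords, index, top=3):
    """Most common letters and digits at one position (0 = first, -1 = last)."""
    chars = [pw[index] for pw in passwords if pw]
    letters = Counter(c for c in chars if c.isalpha()).most_common(top)
    digits = Counter(c for c in chars if c.isdigit()).most_common(top)
    return letters, digits


def common_list_coverage(passwords, common):
    """How many accounts (and how many distinct values) a wordlist covers."""
    hits = [pw for pw in passwords if pw in common]
    return {"accounts": len(hits), "unique": len(set(hits)),
            "fraction": round(len(hits) / len(passwords), 4)}


def bare_vs_augmented(passwords, base):
    """The 'monkey' observation: the word alone versus the word with extras."""
    bare = sum(1 for pw in passwords if pw == base)
    augmented = sum(1 for pw in passwords if base in pw and pw != base)
    return bare, augmented


def letters_then_digits(passwords):
    """Count the 'word with a number tacked on the end' shape the text describes."""
    return sum(1 for pw in passwords if re.fullmatch(r"[A-Za-z]+[0-9]+", pw))
```

Run over a real corpus, the same functions give the numbers a password-policy review needs: coverage tells you what fraction of accounts a blocklist would have refused at registration time, and the position and shape counts tell you which "add a digit" rules your policy should treat as no stronger than the bare word.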
--------------------------
Overall, these results are pretty indicative of a poor overall security culture. Most of the
websites which were affiliated with Gawker catered to a crowd of people at least somewhat
comfortable with or interested in some form of technology or another. You'd think they'd be a tad
more security-aware, and know to choose better passwords. Instead, 1/5 of the accounts can be
cracked using a wordlist containing the top 2000 least secure passwords. Patterns within the
cracked passwords suggest that the yield could be raised to 1/4 with limited brute force work
appended to a standard dictionary.
Unfortunately, these results aren't all that surprising if we look at the Internet as a whole. What
is sad is that in 2011, people are making the same mistakes hackers were lulzing around about in
1999, and probably 1980. If any of the patterns or observations in this article apply to any of your
passwords, please, do your part and choose a more secure password, or at the very least, use
different passwords for different websites. Unless of course, you enjoy being hacked, which is what
will happen to you eventually if you continue using weak passwords. It's only a matter of time, so
please, help yourself and help increase the security of the general Internet by a tiny margin.
Thanks for reading! If you would like a copy of my working directory, which contains this article,
my notes, source-code, the common password list, a list of Gawker passwords, and some files of
junk-output, it's available at sinthet.wordpress.com
-----------------------------------------------------------------------
b. Technical comments-
-----------------------------------------------------------------------
All of these statistics were calculated by code written in Python 2.7.1.
The code is available at http://www.box.net/shared/nzlba6trs329u4kry0lg
Some (more like all) of it is not very optimized at all, but it all managed to run in an acceptable
amount of time on my weak netbook (1.6GHz, 1GB RAM).
[==================================================================================================]
-=[ 0x09 360-928-00xx Scan
-=[ Author: Shadytel, Inc
-=[ Website: http://www.shadytel.com/
0000 - Business
0001 - Ringout, CNAM: QWEST CORP
0002 - Ringout, CNAM: QWEST CORP
0003 - NIS via SS7
0007 - Ringout
0008 - Ringout
0009 - Ringout
0011 - Busy signal
0013 - Reorder via SS7
0014 - NPA changed to 360 rec
0015 - Ringout
0018 - Loop, low end
0019 - Loop, high end
0020 - 102-type test
0024 - Ringout
0028 - 102-type test
0031 - rec, "Your long distance call could not be completed because your service has been restricted.
Please contact your Qwest business office."
0032 - 100-type test
0033 - Silent termination? No supe
0034 - Reorder via SS7
0035 - Ringout
0036 - Ringout
0037 - Modem
0038 - Ringout
0046 - DATU
0049 - AIS Report, number in service
0050 - CBCAD/check the number and dial again
0051 - EAS test rec, NIS
0052 - YCDNGT
0053 - Permanent signal rec
0054 - Coin deposit rec
0055 - CBCAD/check your instruction manual or call repair service for assistance
0056 - rec, Dialing 1 not necessary
0057 - rec, Dial 1 first
0058 - CBCAD from the phone you're using
0059 - rec, dialing 0 not necessary
0060 - 105-type lookalike?
0061 - Reorder via SS7
0065 - "To activate telephone service, please contact your local service provider of choice. Thank
you."
0066 - 105-type test
0070 - 105-type test
0090 - CBCAD/PIC error
0092 - LD access code not required rec
0093 - Network difficulties rec
0094 - Busy via SS7
0099 - Reorder via SS7
[==================================================================================================]
-=[ 0x0a Terminal Servicez br0
-=[ Author: storm
-=[ Email: storm@gonullyourself.org
-=[ Website: http://gonullyourself.org/
A new project we've unveiled on 0x00 Network (irc.gonullyourself.org) is #nmap, a channel devoted to
scanning the Internet for anything and everything. Bots report live feeds from nmap -iR instances,
constantly updating the channel with new results. As of the release of this zine issue, the #nmap
database currently holds scan results for over 18,000 IP addresses, totaling over 485,000 open ports.
Here is an excerpt from the database - Microsoft Terminal Services (Remote Desktop Connection). For
the sake of brevity, we've filtered the list for only IP addresses that resolve to a hostname:
Host: 81.82.245.50 (d5152F532.static.telenet.be) Ports: 3389/open/tcp//ms-term-serv///
Host: 190.24.235.84 (corporat190-24235084.sta.etb.net.co) Ports: 3389/open/tcp//ms-term-serv///
Host: 91.187.218.106 (host-91.187.218-106.pool.intred.it) Ports: 3389/open/tcp//ms-term-serv///
Host: 209.144.20.43 (rvd190142b.sprocketnetworks.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 173.247.184.210 (173-247-184-210.static-ip.telepacific.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 66.193.118.109 (66-193-118-109.static.twtelecom.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 82.193.109.204 (82.193.109.204.ipnet.kiev.ua) Ports: 3389/open/tcp//ms-term-serv///
Host: 205.188.1.233 (chatfarm-ld02b-sr10.ehost.aol.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 82.223.161.175 (dns2.grupotilenus.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 75.148.99.85 (75-148-99-85-Utah.hfc.comcastbusiness.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 193.72.18.25 (193-72-18-25.adsl-static.switzerland.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 75.147.83.163 (75-147-83-163-Philadelphia.hfc.comcastbusiness.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 131.128.188.64 (dorado.cba.uri.edu) Ports: 3389/open/tcp//ms-term-serv///
Host: 94.198.162.153 (94.198.162.153.static.hosted.by.easyhost.be) Ports: 3389/open/tcp//ms-term-serv///
Host: 213.29.33.180 (adslctc-1972.adslcust.sbone.cz) Ports: 3389/open/tcp//ms-term-serv///
Host: 216.227.80.173 (s-216-227-80-173.dsl1.rtr.chat.fpma.frpt.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 80.57.239.243 (g239243.upc-g.chello.nl) Ports: 3389/open/tcp//ms-term-serv///
Host: 184.154.40.146 (shangwuq2.idc120.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 95.63.158.198 (static-198-158-63-95.ipcom.comunitel.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 194.254.173.23 (laser01.iutv.univ-paris13.fr) Ports: 3389/open/tcp//ms-term-serv///
Host: 134.68.210.25 (plum.uits.iupui.edu) Ports: 3389/open/tcp//ms-term-serv///
Host: 81.94.206.115 (115-206-94-81.rackcentre.redstation.net.uk) Ports: 3389/open/tcp//ms-term-serv///
Host: 213.142.146.112 (213-142-146-112.reverse.adeox.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 67.202.99.245 (digital-direction.bestserversllc.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 68.166.139.140 (mail.doherty1.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 62.148.195.80 (a80.netikka.fi) Ports: 3389/open/tcp//ms-term-serv///
Host: 129.59.129.86 (discovery.isis.vanderbilt.edu) Ports: 3389/open/tcp//ms-term-serv///
Host: 82.70.136.254 (82-70-136-254.dsl.in-addr.zen.co.uk) Ports: 3389/open/tcp//ms-term-serv///
Host: 66.76.197.177 (s66-76-197-177.chtnwv.ab.sta.suddenlink.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 68.185.26.238 (68-185-26-238.static.mdfd.or.charter.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 66.132.219.224 (srv3.iss-pr.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 195.138.210.23 (mx.ra-national.ru) Ports: 3389/open/tcp//ms-term-serv///
Host: 167.128.62.155 (unused-corv-62-155.corvallis.k12.or.us) Ports: 3389/open/tcp//ms-term-serv///
Host: 69.0.20.46 (69-0-20-46.adsl.snet.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 88.202.88.135 (88-202-88-135.ip.skylogicnet.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 65.44.176.194 (mail.scrupleshaircare.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 212.55.196.84 (orania2.trade-soft.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 81.246.27.186 (mail-in.vanmieghem.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 72.26.226.222 (72-26-226-222.meganetserve.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 76.8.49.27 (ip2.ac03.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 65.215.26.227 (mail.aimu.org) Ports: 3389/open/tcp//ms-term-serv///
Host: 75.56.9.30 (adsl-75-56-9-30.dsl.mrdnct.sbcglobal.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 74.208.127.234 (u15368620.onlinehome-server.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 69.197.165.242 (jnp48.joinedwithititalian.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 78.7.29.226 (78-7-29-226-static.albacom.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 167.128.190.131 (dhcp-lacomb-190-131.lebanon.k12.or.us) Ports: 3389/open/tcp//ms-term-serv///
Host: 208.101.3.31 (sl003-e.jsmtp.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 80.177.52.42 (mailgate.theengineeringpractice.co.uk) Ports: 3389/open/tcp//ms-term-serv///
Host: 67.142.222.6 (host67142006222.direcway.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 87.106.3.167 (technicagroup.co.uk) Ports: 3389/open/tcp//ms-term-serv///
Host: 196.219.199.131 (mail.iie-egypt.org) Ports: 3389/open/tcp//ms-term-serv///
Host: 203.64.173.111 (ctd.nuu.edu.tw) Ports: 3389/open/tcp//ms-term-serv///
Host: 84.254.148.235 (84-254-148-235.ip.skylogicnet.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 203.113.25.12 (203.113.25.12.static.totisp.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 212.60.228.117 (port-212-60-228-117.static.qsc.de) Ports: 3389/open/tcp//ms-term-serv///
Host: 213.209.186.68 (213-209-186-68.ip.skylogicnet.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 69.85.8.2 (dsl-2.8-238.gtb.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 74.208.44.130 (e-learning.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 131.212.46.219 (nomad46-219.d.umn.edu) Ports: 3389/open/tcp//ms-term-serv///
Host: 72.32.204.218 (db1.madisonlogic.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 72.169.70.226 (host7216922670.direcway.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 194.177.64.72 (mail2.irisip.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 200.155.8.215 (escalena2.escalena.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 69.53.24.165 (host69-53-24-165.birch.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 81.47.209.2 (2.Red-81-47-209.staticIP.rima-tde.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 217.115.132.100 (n217-115-132-100.cnet.hosteurope.de) Ports: 3389/open/tcp//ms-term-serv///
Host: 188.168.189.195 (host195.zakazrf.ru) Ports: 3389/open/tcp//ms-term-serv///
Host: 82.3.48.210 (statichost-210.next.co.uk) Ports: 3389/open/tcp//ms-term-serv///
Host: 24.178.209.78 (mail.brsales.com) Ports: 3389/open/tcp//ms-term-serv///
Host: 201.234.189.25 (201.234.189-25.static.impsat.com.co) Ports: 3389/open/tcp//ms-term-serv///
Host: 93.74.46.134 (atonementless-therapist.volia.net) Ports: 3389/open/tcp//ms-term-serv///
Host: 69.35.254.232 (dpc6935254232.direcpc.com) Ports: 3389/open/tcp//ms-term-serv///
[==================================================================================================]
-=[ 0x0b ProjectMF - An Overview
-=[ Author: df99
-=[ Email: bluebox@projectmf.org
-=[ Website: http://www.projectmf.org/
It's been about five years since ProjectMF was introduced to the world by famed hacker/phone phreak
Mark Abene (A.K.A. Phiber Optik) at the sixth HOPE conference in 2006. Mark's work on the original
ProjectMF brought back an ability that many phone phreaks thought was long dead. At last younger
phone phreaks could get a taste of what phone phreaking was like during the 1950s through the early
1990s. We older phone phreaks could re-live some of our older exploits back "in the day".
Project MF is a living, working simulation of analog SF/MF signaling just as it was used in the
public switched telephone network up until the early 1990s, when most everything was cut over by the
regional Bells to the fully digital SS7/ISDN network that continues in use today.
SF/MF signaling? What's that? Well, back in the early 1950s, Ma Bell began to install equipment that
made a telephone operator's task of routing a long distance call much easier. Remember, this was
years before the ability of the average person (or an operator, for that matter) to direct-dial a
long distance call existed. To place a long distance call, one would call their local operator and
specify the destination city and number. He would then hang up and await the operator to complete
the complex process of establishing the long distance connection.
The operator would determine the "route" of a call, which often required intermediate connection
points at cities between the source and destination of the call. The operator, using old-fashioned
cord board switchboards, would establish a connection to the first intermediate city over a "trunk"
line. A trunk was simply a dedicated telephone circuit between two cities. The operator at the
intermediate city would take the routing information from the first operator and establish another
trunk circuit to the next intermediate point, connecting the inbound and outbound trunks together
with her switchboard cords. The next operator in the chain would repeat the process until the
operator in the distant destination city would connect to and ring the destination phone. The
original operator would then call back the phone originating the call and complete the connection.
The entire process could take many minutes, especially if all trunks between two cities were busy.
If this were the case, the operator would have to manually re-route the call through an additional
intermediate city.
With the installation of new automated switching equipment in the early 1950s, the operator's task
of routing a call was made much more automatic. The originating operator took the destination number
from the originating customer. At this point, she looked up various routing codes to the
destination (often just an area code, exchange, and phone number), selected a trunk to the automated
equipment, and keyed in the routing digits. At this point, the equipment took over the task of
connecting the call to the destination through various intermediate cities. In case all of the
trunks between two cities were busy, the equipment could automatically re-route the call through
cities with available trunks.
In the early sixties, customers were given the ability to dial the destination long distance number
directly, removing the operator from the system completely.
Obviously, the new equipment could not use speech to convey routing information between connecting
points, as with the old operator-only system. A new way of conveying this information had to be
developed. This is where the SF (Single Frequency) and MF (Multi-Frequency) system came in. The
switching equipment used a 2600 Hertz tone to indicate to the equipment if a trunk were available or
busy. The presence of 2600 on the trunk indicated it was free. The new switchboard used by toll
operators automatically detected a trunk "whistling" 2600, seized it, and sent the routing
information into the equipment using a series of operator-keyed "MF" or multi-frequency tones, one
for each digit, plus two MF tones used to indicate the start and end of the routing information.
These MF tones were similar to modern DTMF or "Touch Tones" (still many years away), but used
different frequencies.
With the removal of an operator from the process, some clever folks discovered that they could
control the entire automated system by generating their own SF and MF tones from a "Blue Box",
consisting of several audio oscillators or tone generators connected in various combinations through
switches (the blue box got its name because the first such device confiscated in 1961 by Bell System
security was in a blue chassis). The Blue Box gave the user the ability to become their own
super-operator, with capabilities formerly reserved to phone company personnel. These capabilities
included routing calls overseas, setting up complex routing patterns, accessing special Ma Bell test
numbers, and much more. The golden age of phone phreaking had begun.
See the old Bell System film "Speeding Speech" at YouTube for an excellent primer on all of this,
from Ma Bell herself!
www.youtube.com/watch?v=oPM_j7p7YnQ
The most typical use of a blue box was to place free telephone calls. The operation of a blue box
was simple: First, the user places a long distance telephone call, usually to an 800 number or some
other non-supervising (non-charging) phone number. For the most part, anything going beyond 50 miles
would go over a trunk type susceptible to this technique. When the call starts to ring, the caller
uses the blue box to send a 2600 Hz tone. The 2600 Hz is a supervisory signal, because it indicates
the status of a trunk; on-hook (tone) or off-hook (no tone). By playing this tone, you are
convincing the far end of the connection that you've hung up and it should wait. When the tone
stops, the trunk will go off-hook and on-hook (known as a supervision flash), making a "Ka-Cheep"
noise, followed by silence. This is the far end of the connection signaling to the near end that it
is now waiting for MF routing digits. Once the far end sends the supervision flash, the user would
use the blue box to dial a "Key Pulse" or "KP", the tone that starts a routing digit sequence,
followed by either a telephone number or one of the numerous special codes that were used internally
by the telephone company, then finished up with a "Start" or "ST" tone. At this point, the far end
of the connection would route the call the way you told it, while the user's end would think you
were still ringing at the original number. If that original number were an 800 (free) number, the
Blue Box user would complete the call for free, as the telco billing equipment registered only the
originally dialed number.
The weakness in this system was that the SF and MF tones were sent in-band, on the same circuit that
carried speech once the call was connected, so anything the caller put on the line reached the
switching equipment. To combat Blue Box usage, the phone company in the 1980s and 1990s began to
separate the speech circuit from the circuit used to set up the call. The Blue Box would no longer
work on these circuits, since the connection between end points used a separate signaling channel
(common-channel signaling, today's SS7) and the voice circuit no longer responded to the tones. Blue
Boxing was no longer possible on most circuits by the end of the 1990s, except to certain locations
that still used the old equipment.
If you are perplexed at this point, then for a primer on what this is all about, a must-read is the
Esquire magazine article that was published in October, 1971 titled "Secrets of the Little Blue Box"
by Ron Rosenbaum (blog.historyofphonephreaking.org/2008/08/secrets-of-the-little-blue-box.html ).
This article first exposed the exploits of Blue Box phone phreaks to the public and stimulated Ma
Bell to crack down legally and technologically on the phone phreaking community.
From there, pursue the files on www.textfiles.com to read some of the actual texts that were
circulated by phone phreaks "back in the day".
To hear some of this stuff in action, head over to the PhoneTrips web site (www.phonetrips.com) and
listen to the tapes phone phreaks made of their activities. For particularly good examples of blue
box usage, I recommend listening to "Classic Tandem Stacking", "A HiFi 914 Routings tape, part 1",
and "A HiFi 914 Routings tape, part 2".
Even though this became obsolete, it is again made possible by a set of modifications and patches
made to the open-source Asterisk PBX server software running under Linux on a PC - ProjectMF! It
allows users to dial into such a private system via a variety of access methods, including the
regular public switched telephone network and SIP. The user is presented with a ringing line. The
ringing can be disconnected and the trunk seized by playing a 2600 tone into the line. Thereafter,
the call can be diverted to another number or to a series of internal recordings and functions that
reside on the server/switch by playing MF or multifrequency tones into the line.
This is all perfectly legal, as the system is totally private. It is really more than a simulation.
The call is going over a trunk group of 24 SF/MF trunks, although both sides of the trunks are
terminated on the same PC. The hardware that makes this possible is two extra dedicated Ethernet
cards on the PC running T1 over Ethernet protocol over a loopback Ethernet cable. Your incoming call
gets looped over one of the 24 trunks before terminating back on the same switch, so you have 2600
and MF control.
I have maintained a public ProjectMF system for several years now (www.projectmf.org). At last
old-timers, aspiring phone phreaks, and the curious can experience the clandestine thrill of blue
boxing their own calls! I have extended Mark Abene's original patches to add to the realism and
reliability of the system. Lots of the old tricks are possible, including trunk "stacking", as
illustrated in one of the Phonetrips recordings (www.phonetrips.com).
The Asterisk hardware and demo may be seen at a YouTube video at:
www.youtube.com/watch?v=hCvu2qgcsVQ
My ProjectMF server can be accessed via the PSTN on 630-485-2995. The switch will play back recorded
instructions when you dial in.
Access is also available via:
-CNET (telephone switch collectors network): 1-762-2600/2601 (see www.ckts.info for gateway numbers)
-Asterisk direct connection: exten => 2600,1,Dial(IAX2/cnetguest@projectmf.homelinux.com/17622600)
Note that you need a source of 2600 Hz tone and an MF dialer or Blue Box (NOT a regular DTMF (Touch-
Tone) dialer) to make ANY use of this at all. You can download a software blue box for Windows,
which also requires you to install Microsoft's .NET framework. This program will let you
generate MF tones through your PC's sound card and speakers. You can use the number keys on the
right side of your keyboard (if you use a full-size keyboard) as an almost-real blue box, as well as
the point and click method.
Alternately, you can build your own, real blue box with instructions found on www.projectmf.org.
Limited quantities of programmed Blue Box chips and printed circuit boards are available for this
project.
A demo of this Blue Box can be seen at YouTube at:
www.youtube.com/watch?v=Kow8_N_dNts
and
www.youtube.com/watch?v=DzmCAc4ACTE
During the ringing of the line (or after it stops), play a short burst of 2600, wait for the wink
acknowledgment (the "Ka-Cheep" described above), followed by the MF digits from the list below. The 2600 Hz tone
must be played at a somewhat higher level than the MF digits. Additional calls can be placed by
playing 2600 again, waiting for the wink, and re-routing the call with new MF digits.
If you do not begin dialing within 5 seconds after playing 2600 and getting the wink, you will hear
a "reorder" tone (fast busy). You must then re-seize the line with another burst of 2600.
The system will read back the digits it hears if you dial anything the switch does not understand.
Play around with volume levels, especially if just holding the PC speaker up to the phone. The MF
tones do not need to be excessively loud. It is important to do this in a fairly quiet environment.
Do not talk while dialing. The switch will try to interpret loud sounds as MF digits.
You can divert a real call through the box. Just dial 2600, KP, a 10-digit phone number (no leading
"1"), and ST. Experiment on the test numbers to get the levels right first.
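The signaling sequence just described (seize with 2600, wait for the wink, then KP + digits + ST), and
the blue box operation from the history section above, worked through as an added example. This is not
code from the article or from ProjectMF: it is a small Python simulator that generates the tones a blue
box puts on the line and then decodes them the way a tone receiver on the switch side would, frame by
frame with the Goertzel algorithm. The tone pairs are the standard Bell System R1 MF frequencies
(700/900/1100/1300/1500/1700 Hz), which the article does not list; the durations, amplitudes, 8 kHz sample
rate and detection thresholds are assumptions chosen for the demo, not ProjectMF's actual timing.

```python
import math

# Bell System R1 multifrequency pairs plus the 2600 Hz supervisory (SF) tone.
# These are the standard R1 frequencies, not values taken from the article.
MF_FREQS = (700, 900, 1100, 1300, 1500, 1700)
MF_PAIRS = {
    "1": (700, 900),   "2": (700, 1100),   "3": (900, 1100),
    "4": (700, 1300),  "5": (900, 1300),   "6": (1100, 1300),
    "7": (700, 1500),  "8": (900, 1500),   "9": (1100, 1500),
    "0": (1300, 1500), "KP": (1100, 1700), "ST": (1500, 1700),
}
PAIR_TO_SYMBOL = {pair: sym for sym, pair in MF_PAIRS.items()}
SF_FREQ = 2600
RATE = 8000      # telephone-grade sample rate in Hz (assumed for the demo)
FRAME_MS = 20    # 160 samples at 8 kHz: every tone above sits on an exact DFT bin


def tone(freqs, ms, amplitude, rate=RATE):
    """Sum of sinusoids at `freqs`, `ms` milliseconds long, as float samples."""
    n = rate * ms // 1000
    return [amplitude * sum(math.sin(2 * math.pi * f * i / rate) for f in freqs)
            for i in range(n)]


def silence(ms, rate=RATE):
    return [0.0] * (rate * ms // 1000)


def blue_box(routes, rate=RATE):
    """Audio a blue box puts on the line for each route in `routes`: a 2600 Hz
    seize burst (louder than the digits, as the instructions say), a pause for
    the wink, then KP + digits + ST.  More than one route models re-seizing the
    trunk and re-routing the call ("stacking").  Timings are demo assumptions."""
    out = []
    for digits in routes:
        out += tone([SF_FREQ], 500, amplitude=0.6, rate=rate)   # seize the trunk
        out += silence(300, rate)                                 # wait for the wink
        for sym in ["KP"] + list(digits) + ["ST"]:
            out += tone(MF_PAIRS[sym], 100, amplitude=0.25, rate=rate)
            out += silence(60, rate)                              # inter-digit gap
        out += silence(500, rate)                                 # far end is routing
    return out


def goertzel(samples, freq, rate=RATE):
    """Power of `samples` at one frequency (Goertzel algorithm): the per-tone
    detector that an MF receiver on the switch side effectively implements."""
    n = len(samples)
    k = int(0.5 + n * freq / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode(samples, rate=RATE, frame_ms=FRAME_MS):
    """Walk the audio frame by frame and return the signalling events heard:
    'SF' while 2600 Hz dominates, or an MF symbol when exactly one valid pair
    dominates.  A frame of silence ends the current event, so repeated digits
    such as '11' are reported twice rather than merged."""
    frame = rate * frame_ms // 1000
    events, last = [], None
    for i in range(0, len(samples) - frame + 1, frame):
        chunk = samples[i:i + frame]
        power = {f: goertzel(chunk, f, rate) for f in MF_FREQS + (SF_FREQ,)}
        total = sum(power.values())
        if total < 1.0:                         # silence (threshold is a demo assumption)
            last = None
            continue
        if power[SF_FREQ] / total > 0.8:
            symbol = "SF"
        else:
            top = sorted(MF_FREQS, key=power.get, reverse=True)[:2]
            dominant = (power[top[0]] + power[top[1]]) / total > 0.9
            symbol = PAIR_TO_SYMBOL.get(tuple(sorted(top))) if dominant else None
        if symbol is not None and symbol != last:
            events.append(symbol)
        last = symbol
    return events


def routes_heard(events):
    """Digit strings the switch would act on: everything between each KP and ST."""
    routes, current = [], None
    for ev in events:
        if ev == "KP":
            current = ""
        elif ev == "ST" and current is not None:
            routes.append(current)
            current = None
        elif current is not None and ev != "SF":
            current += ev
    return routes


if __name__ == "__main__":
    line = blue_box(["101", "112"])     # two of the test numbers from the list below
    heard = decode(line)
    print(heard)            # ['SF', 'KP', '1', '0', '1', 'ST', 'SF', 'KP', '1', '1', '2', 'ST']
    print(routes_heard(heard))          # ['101', '112']
```

Running it prints the events heard for two stacked routes and the digit strings between each KP and
ST. The 20 ms frame puts every tone on an exact DFT bin, which is why no window function is needed
here; on real line audio you would window each frame and set the per-tone threshold from measured
levels, which is the "play around with volume levels" advice above in numeric form. Note that the 2600
burst is generated louder than the digits, as the instructions require, and that the silence between
digits is what lets a repeated digit such as "11" decode as two separate events.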
Here are some numbers to try after you have seized a trunk with 2600 Hz. (Any three-digit code will
also work with an area code prefixed). The user directory at www.ckts.info contains the latest list
of working numbers.
KP + 101 + ST "Weasels" recording
KP + 102 + ST "Monkeys" recording
KP + 103 + ST "Moo 1" recording
KP + 104 + ST "Moron" recording
KP + 105 + ST "Moo 2" recording
KP + 106 + ST "Something wrong" recording
KP + 107 + ST "Made it up" recording
KP + 108 + ST "I'm bored" recording
KP + 109 + ST "Don't understand" recording
KP + 110 + ST "Step in stream" recording
KP + 111 + ST "ProjectMF" presentation recording (exit with DTMF "0")
KP + 112 + ST "Classic Tandem Stacking" recording - Evan Doorbell (exit with DTMF "0")
KP + 113 + ST "Evan Doorbell juices off N1 and phreaks around, Part 1" (exit with DTMF "0")
KP + 114 + ST "Evan Doorbell juices off N1 and phreaks around, Part 2" (exit with DTMF "0")
KP + 115 + ST "Evan Doorbell investigates 1xx and 0xx codes" (exit with DTMF "0")
KP + 116 through 120 and 122 + ST "How Evan Doorbell Became a Phone Phreak, parts 1-6"
KP + 600 + ST Asterisk echo test
KP + 121 + ST "Operator" - Leave message if no answer
KP + 123 + ST Joybubbles (Joe Engressia) 1991 Off the Hook Interview, Part 1
KP + 124 + ST Joybubbles (Joe Engressia) 1991 Off the Hook Interview, Part 2
KP + 125 + ST Haxor Joybubbles tech interview, part 1
KP + 126 + ST Haxor Joybubbles tech interview, part 2
KP + 127 + ST Haxor Joybubbles tech interview, part 3
KP + 128 + ST Sounds of Long Distance, part 1
KP + 129 + ST Sounds of Long Distance, part 2
KP + 130 + ST Sounds of Long Distance, part 3
KP + 131 + ST Directory Assistance
KP + 132 + ST Sounds of Long Distance, part 4
KP + 133 + ST Sounds of Long Distance, part 5
KP + 134 + ST Sounds of Long Distance, part 6
KP + 135 + ST Sounds of Long Distance, part 7
KP + 136 + ST Sounds of Long Distance, part 8
KP + 137 + ST Sounds of Long Distance, part 9
KP + 138 + ST Sounds of Long Distance, part 10
KP + 139 + ST Sounds of Long Distance, part 11
KP + 140 + ST Sounds of Long Distance, part 12
KP + 141 + ST Sounds of Long Distance, part 13
KP + 142 + ST Sounds of Long Distance, part 14
KP + 143 + ST Sounds of Long Distance, part 15
KP + 144 + ST Sounds of Long Distance, part 16
KP + 145 + ST Dialing the 1XX Codes from Greenville NC Coin Phones, Part 1
KP + 146 + ST Dialing the 1XX Codes from Greenville NC Coin Phones, Part 2
KP + 147 + ST Local Coin Control in the 1970s
KP + 161 + ST Record a comment
KP + 171 + ST Playback comments. 0 to exit, * and # to skip backward and forward
KP + 199 + ST 2600 Hz supervision test
KP + xxx-xxx-xxxx + ST Outdial to phone network
KP + 011 + country code + number + ST Collectors Net Access (www.ckts.info)
KP + 2111 + ST Conference bridge. Please hang up with "#" when done.
KP + 777 + ST Direct access to Telephreak
KP + 2602 + ST DISA dialtone. Can use DTMF to dial. Stack with repeated 2602
[==================================================================================================]
-=[ 0x0c Et Cetera, Etc.
-=[ Author: teh crew
Blah, blah, blah, IRC quotes.
[23:29] <&storm> GOOD NIGHT
[23:29] <&ElectRo`> no
[23:29] * &storm slams the door
[23:29] <&elchupathingy> no fuck u storm
[23:29] <&elchupathingy> stay the fuck here
[23:29] <&ElectRo`> stay
[23:29] <&OrderZero> NO
[23:29] <&elchupathingy> there is no door in irc
[23:29] <&elchupathingy> only feelings
[23:29] <~Silks> ^
[23:30] <&ElectRo`> ^
[23:30] <&elchupathingy> and ur crushing them
[23:30] <&elchupathingy> don't leave us
Also, we were (un)lucky enough to catch a buffer overflow lecture being held on the LulzSec IRC.
Needless to say........... we weren't shocked at all at the users' intelligence.
<lawlertrawler> and we are going to feed backwards
<lawlertrawler> using bash shell
<lawlertrawler> (not sh)
<OrderZero> WHY ARE WE GOING TO FEED BACKWARDS BRAH
<lawlertrawler> we can do something like
<OrderZero> Why not sh?
<lawlertrawler> because printf doesn't work the same way
<lawlertrawler> we can do
<OrderZero> Infact why not csh for that matter
<OrderZero> or zsh
<OrderZero> DUDE
<OrderZero> WHY
<OrderZero> BACKWARDS
<davispuh> because in RAM it is that way
<PhenZen> if you count in binary its backwards btw
<ravonix> using bash, it doesn't cut off; however, it does abort trap
----------------------------------------------------------------------------------------------------
)
(.)
.|.
l7J
| |
_.--| |--._
.-'; ;`-'& ; `&.
& & ; & ; ; \
\ ; & &_/
F"""---...---"""J
| | | | | | | | |
J | | | | | | | F
`---.|.|.|.---'
Chupa's Cooking Corner
Well, I have failed to write up my computer related article, but I feel that food is just as
important and might as well spread a few things that I enjoy eating and making.
First up is simple and any lazyass hacker can make this and enjoy some kickass food.
_____ _ _____ _
/ ___| (_) | ___| (_)
\ `--. _ __ _ ___ _ _ | |_ _ __ _ ___ ___
`--. \ '_ \| |/ __| | | | | _| '__| |/ _ \/ __|
/\__/ / |_) | | (__| |_| | | | | | | | __/\__ \
\____/| .__/|_|\___|\__, | \_| |_| |_|\___||___/
| | __/ |
|_| |___/
Ingredients:
2 or 3 Potatoes
Texas Pete, or favorite hot sauce, need one bottle at least.
Hot spices; I recommend cayenne pepper.
Cooking oil, or something that will be used to fry the potatoes.
Steps:
First, you need to cut the potatoes into french fries. After doing this, lay them into the
oil, just enough to coat them in a thin layer of oil. After coating them in oil, place them
into a bowl and mix in your spices and make sure to get them well coated. Now, preheat the
oven to 400 degrees F.
Second, after getting the fries ready, heat up the oil and place the fries into the fryer.
The fries should be fried until they start to brown. Now, place into the oven to crisp the
fries. This usually takes 10 minutes, but check them before this so they do not burn.
Third, if you wish to, you can refry the fries to add more crispiness, but that's up to you.
Place them into a deep bowl and pour your hot sauce onto them. Once they are evenly coated
in hot sauce, eat them.
If you truly are a lazy hacker, then just buy a bag of premade french fries and cook them
based on their directions, followed by step Three to complete.
_____ _ _____
/ ___| (_) | ___ \
\ `--. _ __ _ ___ _ _ | |_/ /_ _ _ __ __ _ ___ _ __ ___
`--. \ '_ \| |/ __| | | | | ___ \ | | | '__/ _` |/ _ \ '__/ __|
/\__/ / |_) | | (__| |_| | | |_/ / |_| | | | (_| | __/ | \__ \
\____/| .__/|_|\___|\__, | \____/ \__,_|_| \__, |\___|_| |___/
| | __/ | __/ |
|_| |___/ |___/
This is more complicated than the spicy fries, but complements them very nicely.
Ingredients:
Cayenne pepper, red pepper, taco seasoning, anything red and spicy.
Italian seasoning
Powdered Garlic
1 Egg
1 lb. Ground beef (the leaner the better, but that's personal preference).
1 lb. Pepper jack cheese
Optional:
Jalapeno Olive Oil
These burgers must be grilled - no exception. None of this lazy shit on some skillet. Get a
damn grill to cook these.
Start off by cutting up 1/3 lb. of the pepper jack into very small chunks. The smaller, the
better.
After cutting up the pepper jack cheese, take the ground beef and put into a large mixing bowl,
and crack an egg and mix it into the meat. Add in the pepper jack as you mix, and make sure the
cheese is mixed evenly throughout the meat.
As you continue to mix the meat, throw in large quantities of spices. The goal of this is to
make the meat a deep red. Once this has been achieved, form the meat into patties.
I usually make sliders as they are easier to cook on a grill. This is because the extra cheese
causes the meat to stick less to itself, and larger patties will fall apart on the grill.
Cook the burgers until there is a light char on the outside. Eat and enjoy.
That will make a basic burger. Some further recommendations are provided:
Create a blackening powder with freshly ground Jalapeno peppers and cayenne pepper. To do this, dry
out the peppers beforehand by placing them in the oven on a low temperature. After the peppers
are dried, cut them up into small pieces and place into a mortar and pestle.
Grind this up into a fine powder while mixing in cayenne pepper. After this powder is complete,
place it on the burgers both before and after grilling.
This will add a much needed kick to the burgers.
A final addition that I like to do is mix Jalapeno chunks into the meat along with the cheese.
These burgers go along very nicely with the Spicy fries. Make them as spicy as you can muster.
Change up what spices you put into the meat and the amount of pepper jack as well.
____ _ _ _ _ ____ _
/ __ \ | | | | | | | / __ \ | |
| / \/ |__ ___ ___ ___ | | __ _| |_ ___ | | __ ___ ____ _ | / \/ __ _| | _____ ___
| | | '_ \ / _ \ / __/ _ \| |/ _` | __/ _ \ | | / _` \ \ / / _` | | | / _` | |/ / _ \/ __|
| \__/\ | | | (_) | (_| (_) | | (_| | || __/ | |___| (_| |\ V / (_| | | \__/\ (_| | < __/\__ \
\____/_| |_|\___/ \___\___/|_|\__,_|\__\___| \_____/\__,_| \_/ \__,_| \____/\__,_|_|\_\___||___/
This is a new one for me, but it's pretty good, especially after some very spicy burgers and
french fries.
Ingredients:
4 Eggs
1 Stick of butter
1/3 cup Whole milk
1/3 cup Sugar
1/2 cup Flour
12 oz Bittersweet baking chocolate
To start, take the butter and sugar and place into a large mixing bowl. Mix these together.
After they are mixed, put the 4 eggs into the bowl. Continue to mix until you achieve a smooth
consistency. If you are using an electric mixer, put it on low speed. Mix in the rest of the
ingredients, except for the chocolate.
You need to melt the chocolate, which can be tricky to do without burning. A double boiler is
recommended (just a pot within a pot of boiling water), but a microwave can also be used if care
is taken. Slowly mix the melted chocolate into the mixing bowl. Now, mix this on low speed
until it is consistent, and no yellow is noticeable.
After it has been mixed, spray non-stick spray into a cupcake pan and pour your chocolate mix
into each one, filling it about half-way up. Bake at 350 degrees F for 8 minutes, checking them
every few minutes with a toothpick. Gently stab the toothpick into the cakes, and you will know
they are complete when there is no wet batter on the toothpick after removing it from the cakes.
Once finished baking, place on cooling racks and enjoy :D
This has been Chupa's Cooking Corner.
Enjoy, ELChupathingy
----------------------------------------------------------------------------------------------------
Yum.
It is here that we bid you farewell, my delicious friends, for we must go forth and hax teh planet.
As usual, we would like to now open the call for papers for issue 6, which is scheduled for release
sometime in October 2011. Remember - there is no greater gift than the gift of a submitted article.
Well, not quite, but it still comes pretty close.
Enjoy the rest of the summer, and for God's sake, do try to get some sunlight.
<3, the gny crew
irc.gonullyourself.org +6697 #gny
reddit.com/r/gny
[==================================================================================================]