GUIDE TO (mostly) HARMLESS HACKING



Hacking tip of this column: how to finger a user via telnet.
_______________________________________________________

Hacking. The word conjures up evil computer geniuses plotting the downfall
of civilization while squirreling away billions in electronically stolen
funds in an Antigua bank.

But I define hacking as taking a playful, adventurous approach to computers.
Hackers don't go by the book. We fool around and try odd things, and when we
stumble across something entertaining we tell our friends about it. Some of
us may be crooks, but more often we are good guys, or at least harmless.

Furthermore, hacking is surprisingly easy. I'll give you a chance to prove
it to yourself, today!

But regardless of why you want to be a hacker, it is definitely a way to
have fun, impress your buddies, and get dates. If you are a female hacker
you become totally irresistible to all men. Take my word for it!;^D

This column can become your gateway into this world. In fact, after reading
just this first Guide to (mostly) Harmless Hacking, you will be able to pull
off a stunt that will impress the average guy or gal unlucky^H^H^H^H^H^H^H
fortunate enough to get collared by you at a party.

So what do you need to become a hacker? Before I tell you, however, I am
going to subject you to a rant.

Have you ever posted a message to a news group or email list devoted to
hacking? You said something like "What do I need to become a hacker?" right?
Betcha you won't try *that* again!

It gives you an education in what "flame" means, right?

Yes, some of these 3l1te types like to flame the newbies. They act like they
were born clutching a Unix manual in one hand and a TCP/IP specification
document in the other and anyone who knows less is scum.

*********************
Newbie note: 3l1t3, 31337, etc. all mean "elite." The idea is to take either
the word "elite" or "eleet" and substitute numbers for some or all the
letters. We also like zs. Hacker d00dz do this sor7 of th1ng l0tz.
********************

Now maybe you were making a sincere call for help. But there is a reason
many hackers are quick to flame strangers who ask for help.

What we worry about is the kind of guy who says, "I want to become a hacker.
But I *don't* want to learn programming and operating systems. Gimme some
passwords, d00dz! Yeah, and credit card numbers!!!"

Honest, I have seen this sort of post in hacker groups. Post something like
this and you are likely to wake up the next morning to discover your email
box filled with 3,000 messages from email discussion groups on agricultural
irrigation, proctology, collectors of Franklin Mint doo-dads, etc. Etc.,
etc., etc....arrrgghhhh!

The reason we worry about wannabe hackers is that it is possible to break
into other people's computers and do serious damage even if you are almost
totally ignorant.

How can a clueless newbie trash other people's computers? Easy. There are
public FTP and Web sites on the Internet that offer canned hacking programs.

Thanks to these canned tools, many of the "hackers" you read about getting
busted are in fact clueless newbies.

This column will teach you how to do real, yet legal and harmless hacking,
without resorting to these hacking tools. But I won't teach you how to harm
other people's computers. Or even how to break in where you don't belong.

******************************
You can go to jail tip: Even if you do no harm, if you break into a portion
of a computer that is not open to the public, you have committed a crime. If
you telnet across a state line to break in, you have committed a federal felony.
*************************************

I will focus on hacking the Internet. The reason is that each computer on
the Internet has some sort of public connections with the rest of the Net.
What this means is that if you use the right commands, you can *legally*
access these computers.

That, of course, is what you already do when you visit a Web site. But I
will show you how to access and use Internet host computers in ways that
most people didn't know were possible. Furthermore, these are *fun* hacks.

In fact, soon you will be learning hacks that shed light on how other people
(Not you, right? Promise?) may crack into the non-public parts of hosts. And
-- these are hacks that anyone can do.

But, there is one thing you really need to get. It will make hacking
infinitely easier:

A SHELL ACCOUNT!!!!

A "shell account" is an Internet account in which your computer becomes a
terminal of one of your ISP's host computers. Once you are in the "shell"
you can give commands to the Unix operating system just like you were
sitting there in front of one of your ISP's hosts.

Warning: the tech support person at your ISP may tell you that you have a
"shell account" when you really don't. Many ISPs don't really like shell
accounts, either. Guess why? If you don't have a shell account, you can't hack!

But you can easily tell if it is a real shell account. First, you should use
a "terminal emulation program" to log on. You will need a program that
allows you to imitate a VT 100 terminal. If you have Windows 3.1 or Windows
95, a VT 100 terminal program is included as one of your accessory programs.

Any good ISP will allow you to try it out for a few days with a guest
account. Get one and then try out a few Unix commands to make sure it is
really a shell account.

You don't know Unix? If you are serious about understanding hacking, you'll
need some good reference books. No, I don't mean the kind with breathless
titles like "Secrets of Super hacker." I've bought too many of that kind of
book. They are full of hot air and thin on how-to. Serious hackers study
books on:
a) Unix. I like "The Unix Companion" by Harley Hahn.
b) Shells. I like "Learning the Bash Shell" by Cameron Newham and Bill
Rosenblatt. A "shell" is the command interface between you and the Unix
operating system.
c) TCP/IP, which is the set of protocols that make the Internet work. I
like "TCP/IP for Dummies" by Marshall Wilensky and Candace Leiden.

OK, rant is over. Time to hack!

How would you like to start your hacking career with one of the simplest,
yet potentially hairy, hacks of the Internet? Here it comes: telnet to a
finger port.

Have you ever used the finger command before? Finger will sometimes tell you
a bunch of stuff about other people on the Internet. Normally you would just
enter the command:

finger Joe_Schmoe@Fubar.com

But instead of Joe Schmoe, you put in the email address of someone you would
like to check out. For example, my email address is cmeinel@techbroker.com.
So to finger me, give the command:

finger cmeinel@techbroker.com

Now this command may tell you something, or it may fail with a message such
as "access denied."

But there is a more elite way to finger people. You can give the command:

telnet llama.swcp.com 79

What this command has just done is let you get on a computer with an
Internet address of llama.swcp.com through its port 79 -- without giving it
a password.

But the program that llama and many other Internet hosts are running will
usually allow you to give only ONE command before automatically closing the
connection. Make that command:

cmeinel

This will tell you a hacker secret about why port 79 and its finger programs
are way more significant than you might think. Or, heck, maybe something
else if the friendly neighborhood hacker is still planting insulting
messages in my files.

Now, for an extra hacking bonus, try telnetting to some other ports. For
example:

telnet kitsune.swcp.com 13

That will give you the time and date here in New Mexico, and:

telnet slug.swcp.com 19

Will show you a good time!
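What the port 79 exchange looks like at the socket level, as an added Python example (not from this Guide): a minimal RFC 1288 finger daemon and client talk over a local socket pair, so nothing on the network is contacted. The user records are constructed sample data, and "/W" is the protocol's verbose flag.

```python
import socket
import threading

# Constructed stand-in for the account and .plan data a real fingerd reads
# from the system (example data, not real users).
USERS = {
    "jschmoe": {"name": "Joe Schmoe", "tty": "ttyp3", "idle": "2 min",
                "plan": "Out to lunch. Back at 2."},
    "operator": {"name": "System Operator", "tty": None, "idle": None, "plan": None},
}


def parse_finger_query(line):
    """RFC 1288 query line: optional '/W' (verbose) flag, then a user name.
    An empty query asks for everyone currently logged in."""
    parts = line.strip().split()
    verbose = bool(parts) and parts[0].upper() == "/W"
    if verbose:
        parts = parts[1:]
    return verbose, (parts[0] if parts else "")


def finger_response(line, users=USERS):
    """Text a finger daemon returns for one query line."""
    verbose, user = parse_finger_query(line)
    if not user:
        # The empty query enumerates logged-in accounts, which is the
        # information leak that led most sites to stop running fingerd.
        rows = [f"{u:<10} {i['name']:<20} {i['tty']:<7} {i['idle']}"
                for u, i in users.items() if i["tty"]]
        return ("Login      Name                 Tty     Idle\r\n"
                + "".join(r + "\r\n" for r in rows))
    info = users.get(user.lower())
    if info is None:
        return f"finger: {user}: no such user.\r\n"
    out = [f"Login: {user:<20} Name: {info['name']}"]
    out.append(f"On {info['tty']}, idle {info['idle']}" if info["tty"]
               else "Never logged in.")
    if verbose:  # /W adds the .plan, as 'finger -l' would
        out.append("Plan:\r\n" + (info["plan"] or "No Plan."))
    return "".join(o + "\r\n" for o in out)


def serve_one_query(conn):
    """Server end: read one line, send the answer, hang up. One query per
    connection is exactly what you see when telnetting to port 79."""
    buf = b""
    while b"\n" not in buf:
        chunk = conn.recv(1024)
        if not chunk:
            break
        buf += chunk
    line = buf.split(b"\n", 1)[0].decode("ascii", "replace")
    conn.sendall(finger_response(line).encode("ascii"))
    conn.close()


def finger(conn, query):
    """Client end: the bytes that 'telnet host 79' plus typing a name sends."""
    conn.sendall((query + "\r\n").encode("ascii"))
    data = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:  # server hung up: the single reply is complete
            break
        data += chunk
    conn.close()
    return data.decode("ascii")


def finger_over_socketpair(query):
    """Run both ends over a connected socket pair instead of a TCP port."""
    client, server = socket.socketpair()
    t = threading.Thread(target=serve_one_query, args=(server,))
    t.start()
    try:
        return finger(client, query)
    finally:
        t.join()


if __name__ == "__main__":
    print(finger_over_socketpair("/W jschmoe"), end="")
```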


How To Find FTPs The Easy Way


I use Google because it's the best search engine and everyone can access it.
The easiest search phrase is "index of ..."
Some examples are:

index of ftp/ +mp3
index of ftp/ +divx
index of ftp/ +"whateveryouwant"

Google has many operators that will help you narrow your search.
Use them.
There are also lots of advanced operators available;
here are a few:

cache:
link:
related:
info:
stocks:
site:
allintitle:
intitle:
allinurl:
inurl:

eg:
allintitle: "index of ftp/mp3"

Try combining things and maybe you'll find something.

 FAQ!!

  ============================================================
     This article offers a nontechnical overview of anonymous
     remailers to help you decide whether to use these
     computer services to enhance your privacy. I have written
     this especially for persons with a sense of humor. You
     may distribute this (unaltered) FAQ for non-commercial
     purposes.
   ===========================================================

What is an anonymous remailer?

     An anonymous remailer (also called an "anonymous server")
     is a free computer service that privatizes your e-mail.
     A remailer allows you to send electronic mail to a Usenet
     news group or to a person without the recipient knowing
     your name or your e-mail address.

Why would YOU use remailers?

     Maybe you're a computer engineer who wants to express
     opinions about computer products, opinions that your
     employer might hold against you. Possibly you live in a
     community that is violently intolerant of your social,
     political, or religious views. Perhaps you're seeking
     employment via the Internet and you don't want to
     jeopardize your present job. Possibly you want to place
     personal ads. Perchance you're a whistle-blower afraid of
     retaliation. Conceivably you feel that, if you criticize
     your government, Big Brother will monitor you. Maybe you
     don't want people "flaming" your corporate e-mail
     address. In short, there are many legitimate reasons why
     you, a law-abiding person, might use remailers.

How does a remailer work?

     Let's take an example. A popular Internet remailer is run
     by Johan Helsingius, President of a Helsinki, Finland
     company that helps businesses connect to the Internet.
     His "an@anon.penet.fi" addresses are common in
     controversial news groups. Suppose you read a post from
     a battered woman <an123@anon.penet.fi> crying out for
     help. You can write her at <an123@anon.penet.fi>.
     Helsingius' computer will STRIP AWAY your real name and
     address (the header at the top of your e-mail), replace
     this data with a dummy address, and forward your message
     to the battered woman. Helsingius' computer will notify
     you of your new anonymous address; e.g.,
     <an345@anon.penet.fi>. You can use Helsingius' free
     service to forward letters to anyone, even to persons who
     do not use his service. His computer sends each user
     detailed instructions about his system.
   

Are there many remailers?

     Currently, there are roughly a dozen active, PUBLIC
     remailers on the Internet. (Undoubtedly, there are many
     PRIVATE remailers that restrict who may use them.)
     Remailers tend to come and go. First, they require
     equipment and labor to set up and maintain; second, they
     produce zero revenue.

Why are remailers free?

     There is a simple answer. How can remailer administrators
     charge people who want maximum privacy? Administrators
     can't ask for a Visa number or take checks.

Why do people operate remailers, if not for money?

     People set up remailers for their own personal usage,
     which they may or may not care to share with the rest of
     us. Joshua Quittner, co-author of the high-tech thriller
     MOTHER'S DAY, interviewed Mr. Helsingius for WIRED
     magazine. Helsingius said:

          "It's important to be able to express certain
          views without everyone knowing who you are.
          One of the best examples was the great debate
          about Caller ID on phones. People were really
          upset that the person at the receiving end
          would know who was calling. On things like
          telephones, people take for granted the fact
          that they can be anonymous if they want to and
          they get really upset if people take that
          away. I think the same thing applies for e-
          mail."

          "Living in Finland, I got a pretty close view
          of how things were in the former Soviet Union.
          If you actually owned a photocopier or even a
          typewriter there you would have to register it
          and they would take samples of what your
          typewriter would put out so they could
          identify it later. That's something I find so
          appalling. The fact that you have to register
          every means of providing information to the
          public sort of parallels it, like saying you
          have to sign everything on the Net. We always
          have to be able to track you down."

What makes an "ideal" anonymous remailer?
     An "ideal" anonymous remailer is: (a) Easy to use. (b)
     Run by a reliable individual whose system actually does
     what it promises. In addition, this person should have
     the computer expertise to take prudent steps to safeguard
     your privacy from civilian or government hackers. (c)
     Able to forward your messages in a timely manner. By
     "timely" I mean minutes or hours. (d) Holds your messages
     for a RANDOM time before forwarding them. This time lag
     makes it harder for snoops to link a message that arrives
     at, say, 3:00 P.M. with a message that leaves your
     machine at, say, 2:59 P.M. (e) Permits (better yet
     encourages!) PGP encryption software. If a remailer does
     NOT permit PGP (Pretty Good Privacy), reasonable people
     might assume that the remailer administrator enjoys
     reading forwarded mail.

What makes a responsible remailer user?

     A responsible user: (a) Sends text files of a reasonable
     length. Binary files take too much transmission time. (b)
     Transmits files selectively. Remailers are NOT designed
     to send "You Can Get Rich" chain letters or other junk
     mail.

Who are irresponsible remailer users?

     Here is a quote from one remailer administrator:

     "This remailer has been abused in the past, mostly by
     users hiding behind anonymity to harass other users. I
     will take steps to squish users who do this.  Let's keep
     the net a friendly and productive place.... Using this
     remailer to send death threats is highly obnoxious.  I
     will reveal your return address to the police if you do
     this."

     Legitimate remailer administrators will NOT TOLERATE
     harassment or criminal activity. Report any such
     incidents to the remailer administrator.

How safe are anonymous remailers? [for paranoids only :-)]

     For most low-security tasks, such as responding to
     personal ads, remailers are undoubtedly safer than using
     real e-mail addresses. However, all the best made plans
     of mice and men have weaknesses. Suppose, for example,
     that you are a government employee, who just discovered
     that your boss is taking bribes. Is it safe to use an
     anonymous remailer to send evidence to a government
     whistleblower's e-mail hot line? Here are a few points to
     ponder:

     (a) The person who runs your e-mail system might
     intercept your secret messages to and from the anonymous
     remailer. This gives him proof that YOU are reporting
     your corrupt boss. This evidence could put you in danger.

     (b) It is possible that the anonymous remailer is a
     government sting operation or a criminal enterprise,
     designed to entrap people. The person who runs this
     service might be your corrupt boss' partner.

     (c) Hackers can do magic with computers. It's possible
     that hackers have broken into the remailer (unbeknownst
     to the remailer's administrator) and that they can read
     your messages at will.

     Hard-core privacy people do not trust individual
     remailers. These people write programs that send their
     messages through several remailers. This way only the
     first remailer knows their real address, and the first
     remailer cannot know the final destination of the e-mail
     message. In addition, they PGP encrypt all messages.

Where can I learn more?

     Go to the Usenet news group ALT.PRIVACY.ANON-SERVER. Pay
     special attention to posts by Raph Levien, "The Remailer
     Guru."

Where can I get a list of current remailers?

     Raph Levien [see above] generously runs a remailer
     pinging service which collects details about remailer
     features and reliability. To read Levien's data, finger:

     <remailer-list@kiwi.cs.berkeley.edu>.

     There is also a Web version of the same information, at:

     http://www.cs.berkeley.edu/~raph/remailer-list.html

     In addition, Raph Levien <raph@kiwi.cs.berkeley.edu>
     regularly posts his "List of Reliable Remailers" at
     ALT.PRIVACY.ANON-SERVER.

Anything else I should know?

     YOUR privacy and safety are in danger! The black market
     price for your IRS records is $500. YOUR medical records
     are even cheaper. Prolific bank, credit and medical
     databases, the Clipper Chip Initiative, computer matching
     programs, cordless & cellular phone scanners, Digital
     Telephony legislation, and (hidden) video surveillance
     are just a few factors that threaten every law-abiding
     citizen. Our anti-privacy society gives criminals and
     snoops computer data about YOU on a silver platter.

     If you want to protect your privacy, I urge you to join
     organizations such as the Electronic Frontier Foundation
     <membership@eff.org> and Computer Professionals for
     Social Responsibility <info@cpsr.org>.




Understanding SMTP and how to send emails via Telnet.


 This text explains how one can telnet to an SMTP server and use that
 server from the command line.  What you are about to see is what really
 goes on behind the scenes of every program you use to send email.  Now you
 will know how to do it manually, and how to send email that appears to come
 from other people.  This can be easily done in your email software, but
 we don't like that GUI mess, so we stick with the command line.

 NOTE:  I do not recommend that anyone take this knowledge and attempt
        to cause any harm with it.  The emails being sent "CAN" be
        traced back to you if needed. If you plan to use this in a manner
        that is not appropriate then I highly suggest that you bnc through
        wingates, proxies and/or shells before reaching the SMTP server. (It won't
        guarantee anything but it will make the SMTP owner's attempt to trace
        you just a little harder.)


 Vulnerable Machines: Any machine running an SMTP server.  (port 25 usually)

                      Any SMTP server that allows relaying (an "open relay") will let you
                      send emails to anywhere in the world. (not many of these around
                      anymore) The rest will only accept emails for recipients within
                      their own domain.



 -------------------------------------------------------------------------------
 Found below is an example of how one can send spoofed mail. 
 -------------------------------------------------------------------------------


 /* Connect to the smtp server */

 [brainrawt@yourmommas brainrawt]$ telnet blau.com 25
 Trying 205.123.15.34...
 Connected to mail.blau.com (205.123.15.34).
 Escape character is '^]'.
 220 mail.blau.com ESMTP Sendmail 8.9.3/8.9.3; Tue, 3 Jul 2001 18:32:54 -0500

 /* Say "helo" to the server.  It's the nice thing to do. */

 >helo blau.com
 250 mail.blau.com Hello rawt.blazingpenguin.com [192.168.0.3], pleased to meet you

 /* Tell the server where this email will "appear" to come from */

 >mail from: root@blau.com
 250 root@blau.com... Sender ok

 /* Tell the server where this email IS going */

 >rcpt to: brainrawt@blau.com
 250 brainrawt@blau.com... Recipient ok

 /* Prepare the server for our message by typing "data" */

 >data
 354 Enter mail, end with "." on a line by itself

 /* Now we shall get that msg in there (don't forget the "." on the line by itself.) */

 >This is my message and i am only sending it to help you better understand how this works.
 >.
 250 SAA29307 Message accepted for delivery


 /* Message has been accepted by the server.  Let's get outta here! */

 >quit
 221 mail.blau.com closing connection
 Connection closed by foreign host.
 [brainrawt@yourmommas brainrawt]$

 --------------------------------------------------------------------------------------------
 The above example has sent an email from "root@blau.com" to "brainrawt@blau.com" with the
 message "This is my message and i am only sending it to help you better understand how this
 works." and it has all been done remotely by a user that doesn't even have an account on
 blau.com.
 --------------------------------------------------------------------------------------------
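The same dialogue replayed against a toy server, as an added Python example (not the text's own code, and not Sendmail): it answers HELO, MAIL FROM, RCPT TO, DATA, "." and QUIT the way the transcript shows, refuses to relay for domains it does not serve (the "within their domain" restriction), and stamps a Received header from the TCP peer, which is why a spoofed envelope sender is still traceable. Hostnames and addresses are the transcript's; the relay check and header format are my constructions.

```python
import re

# Toy server-side SMTP state machine (constructed example, not Sendmail).
# It speaks the dialogue shown in the telnet session above and records what
# a real MTA records: the connecting peer's address in a Received header.

ADDR_RE = r"^{kw}:\s*<?([^<>\s]+@[^<>\s]+)>?\s*$"  # lenient, like Sendmail


class SmtpSession:
    def __init__(self, hostname, local_domains, client_ip, client_name):
        self.hostname = hostname
        self.local_domains = {d.lower() for d in local_domains}  # we deliver for these
        self.client_ip = client_ip      # taken from the TCP socket, not from the client
        self.client_name = client_name  # its reverse-DNS name (constructed here)
        self.helo = None
        self.sender = None
        self.recipients = []
        self.in_data = False
        self.body = []
        self.delivered = []  # accepted messages with their Received header

    def _address(self, kw, arg):
        m = re.match(ADDR_RE.format(kw=kw), arg.strip(), re.IGNORECASE)
        return m.group(1) if m else None

    def handle(self, line):
        """Process one client line; return the server reply (None while in DATA)."""
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip() or "unknown"
            return (f"250 {self.hostname} Hello {self.client_name} "
                    f"[{self.client_ip}], pleased to meet you")
        if verb == "MAIL":
            addr = self._address("FROM", arg)
            if addr is None:
                return "501 Syntax: MAIL FROM:<address>"
            self.sender, self.recipients = addr, []
            return f"250 {addr}... Sender ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL before RCPT"
            addr = self._address("TO", arg)
            if addr is None:
                return "501 Syntax: RCPT TO:<address>"
            # Relay check: only recipients in our own domains are accepted.
            # An open relay is a server that skips this test.
            if addr.rpartition("@")[2].lower() not in self.local_domains:
                return f"550 {addr}... Relaying denied"
            self.recipients.append(addr)
            return f"250 {addr}... Recipient ok"
        if verb == "DATA":
            if not self.recipients:
                return "503 Need RCPT (recipient)"
            self.in_data, self.body = True, []
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return f"500 Command unrecognized: {verb}"

    def _data_line(self, line):
        if line != ".":
            # Dot-stuffing: a body line that starts with "." arrives as "..".
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        self.in_data = False
        # Stamped from the socket, whatever HELO and MAIL FROM claimed.
        received = (f"Received: from {self.helo} ({self.client_name} "
                    f"[{self.client_ip}]) by {self.hostname}")
        self.delivered.append({"envelope_from": self.sender,
                               "envelope_to": list(self.recipients),
                               "headers": received,
                               "body": "\n".join(self.body)})
        self.sender, self.recipients = None, []
        return f"250 MSG{len(self.delivered):05d} Message accepted for delivery"


def run_transcript(session, client_lines):
    """Feed client lines in order; return the server replies that were sent."""
    replies = []
    for line in client_lines:
        reply = session.handle(line)
        if reply is not None:
            replies.append(reply)
    return replies


# The client side of the session shown in the text.
SESSION_FROM_TEXT = [
    "helo blau.com",
    "mail from: root@blau.com",
    "rcpt to: brainrawt@blau.com",
    "data",
    "This is my message and i am only sending it to help you better "
    "understand how this works.",
    ".",
    "quit",
]
```

Calling `run_transcript(SmtpSession("mail.blau.com", ["blau.com"], "192.168.0.3", "rawt.blazingpenguin.com"), SESSION_FROM_TEXT)` reproduces the six server replies of the transcript, and the stored `headers` entry names rawt.blazingpenguin.com [192.168.0.3] rather than root@blau.com.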




DNS



Pretend for the moment that you know only the basic function of DNS
— that it translates WWW.VICTIM.COM into 1.2.3.4. The code that
does this is called a resolver. Each time the resolver contacts the
DNS to translate names to addresses, it creates a packet called a
query. The exchange of packets is called a transaction. Since the
number of packets flying about on the internet requires scientific
notation to express, you can imagine there has to be some way of
not mixing them up.

Bob goes to a deli, to get a sandwich. Bob walks up to the
counter, takes a pointy ticket from a round red dispenser. The
ticket has a number on it. This will be Bob’s unique identifier for
his sandwich acquisition transaction. Note that the number will
probably be used twice — once when he is called to the counter to
place his order and again when he’s called back to get his
sandwich. If you’re wondering, Bob likes ham on rye with no onions.

If you’ve got this, you have the concept of transaction IDs, which
are numbers assigned to keep different transactions in order.
Conveniently, the first sixteen bits of a DNS packet is just such a
unique identifier. It’s called a query id (QID). And with the
efficiency of the deli, the QID is used for multiple transactions.
2.

Until very recently, there were two basic classes of DNS
vulnerabilities. One of them involves mucking about with the QID in
DNS packets and the other requires you to know the Deep Magic.

First, QIDs.

Bob’s a resolver and Alice is a content DNS server. Bob asks Alice
for the address of WWW.VICTIM.COM. The answer is 1.2.3.4. Mallory
would like the answer to be 6.6.6.0.

It is a (now not) secret shame of mine that for a great deal of my
career, creating and sending packets was, to me, Deep Magic. Then
it became part of my job, and I learned that it is surprisingly
trivial. So put aside the idea that forging IP packets is the hard
part of poisoning DNS. If I’m Mallory and I’m attacking Bob, how
can he distinguish my packets from Alice’s? Because I can’t see the
QID in his request, and the QID in my response won’t match. The QID
is the only thing protecting the DNS from Mallory (me).

QID attacks began in the olden days, when BIND simply incremented
the QID with every query response. If you can remember 1995, here’s
a workable DNS attack. Think fast: 9372 + 1. Did you get 9372, or
even miss and get 9373? You win, Alice loses. Mallory sends a
constant stream of DNS responses for WWW.VICTIM.COM. All are
quietly discarded — until Mallory gets Bob to query for
WWW.VICTIM.COM. If Mallory’s response gets to your computer before
the legitimate response arrives from your ISP’s name server, you
will be redirected where Mallory tells you you’re going.

Obvious fix: you want the QID be randomly generated. Now Alice and
Mallory are in a race. Alice sees Bob’s request and knows the QID.
Mallory has to guess it. The first one to land a packet with the
correct QID wins. Randomized QIDs give Alice a big advantage in
this race.

But there’s a bunch more problems here:

    * If you convince Bob to ask Alice the same question 1000 times
      all at once, and Bob uses a different QID for each packet, you made
      the race 1000 times easier for Mallory to win.

    * If Bob uses a crappy random number generator, Mallory can get
      Bob to ask for names she controls, like WWW.EVIL.COM, and watch how
      the QIDs bounce around; eventually, she’ll break the RNG and be
      able to predict its outputs.

    * 16 bits just isn’t big enough to provide real security at the
      traffic rates we deal with in 2008.

Your computer’s resolver is probably a stub. Which means it won’t
really save the response. You don’t want it to. The stub asks a
real DNS server, probably run by your ISP. That server doesn’t know
everything. It can’t, and shouldn’t, because the whole idea of DNS
is to compensate for the organic and shifting nature of internet
naming and addressing. Frequently, that server has to go ask
another, and so on. The cool kids call this “recursion”.

Responses carry another value, too, called a time to live (TTL).
This number tells your name server how long to cache the answer.
Why? Because they deal with zillions of queries. Whoever wins the
race between Alice and Mallory, their answer gets cached. All
subsequent responses will be dropped. All future requests for that
same data, within the TTL, come from that answer. This is good for
whoever wins the race. If Alice wins, it means Mallory can’t poison
the cache for that name. If Mallory wins, the next 10,000 or so
people that ask that cache where WWW.VICTIM.COM is go to 6.6.6.0.
3.

Then there’s that other set of DNS vulnerabilities. These require
you to pay attention in class. They haven’t really been talked
about since 1997. And they’re hard to find, because you have to
understand how DNS works. In other words, you have to be completely
crazy. Lazlo Hollyfeld crazy. I’m speaking of course of RRset
poisoning.

DNS has a complicated architecture. Not only that, but not all name
servers run the same code. So not all of them implement DNS in
exactly the same way. And not only that, but not all name servers
are configured properly.

I just described a QID attack that poisons the name server’s cache.
This attack requires speed, agility and luck, because if the “real”
answer happens to arrive before your spoofed one, you’re locked
out. Fortunately for those of you that have a time machine, some
versions of DNS provide you with another way to poison the name
server’s cache anyway. To explain it, I will have to explain more
about the format of a DNS packet.

DNS packets are variable in length and consist of a header, some
flags and resource records (RRs). RRs are where the goods ride
around. There are up to three sets of RRs in a DNS packet, along
with the original query. These are:

    * Answer RR’s, which contain the answer to whatever question
      you asked (such as the A record that says WWW.VICTIM.COM is 1.2.3.4)

    * Authority RR’s, which tell resolvers which name servers to
      refer to to get the complete answer for a question

    * Additional RR’s, sometimes called “glue”, which contain any
      additional information needed to make the response effective.

A word about the Additional RR’s. Think about an NS record, like
the one that COM’s name server uses to tell us that, to find out
where WWW.VICTIM.COM is, you have to ask NS1.VICTIM.COM. That’s
good to know, but it’s not going to help you unless you know where
to find NS1.VICTIM.COM. Names are not addresses. This is a chicken
and egg problem. The answer is, you provide both the NS record
pointing VICTIM.COM to NS1.VICTIM.COM, and the A record pointing
NS1.VICTIM.COM to 1.2.3.1.

Now, let’s party like it’s 1995.

Download the source code for a DNS implementation and hack it up
such that every time it sends out a response, it also sends out a
little bit of evil — an extra Additional RR with bad information.
Then let’s set up an evil server with it, and register it as
EVIL.COM. Now get a bunch of web pages up with IMG tags pointing to
names hosted at that server.

Bob innocently loads up a page with the malicious tags, which
coerces his browser into resolving that name. Bob asks Alice to resolve
that name. Here comes recursion: eventually the query arrives at
our evil server. Which sends back a response with an unexpected
(evil) Additional RR.

If Alice’s cache honors the unexpected record, it’s 1995 — buy
CSCO! — and you just poisoned their cache. Worse, it will replace
the “real” data already in the cache with the fake data. You asked
where WWW.EVIL.COM was (or rather, the image tags did). But Alice
also “found out” where WWW.VICTIM.COM was: 6.6.6.0. Every resolver
that points to that name server will now gladly forward you to the
website of the beast.
4.

It’s not 1995. It’s 2008. There are fixes for the attacks I have
described.
Fix 1:

The QID race is fixed with random IDs, and by using a strong random
number generator and being careful with the state you keep for
queries. 16 bit query IDs are still too short, which fills us with
dread. There are hacks to get around this. For instance, DJBDNS
randomizes the source port on requests as well, and thus won’t
honor responses unless they come from someone who guesses the ~16
bit source port. This brings us close to 32 bits, which is much
harder to guess.
Fix 2:

The RR set poisoning attack is fixed by bailiwick checking, which
is a quirky way of saying that resolvers simply remember that if
they’re asking where WWW.VICTIM.COM is, they’re not interested in
caching a new address for WWW.GOOGLE.COM in the same transaction.

Remember how these fixes work. They’re very important.

And so we arrive at the present day.
5.

Let’s try again to convince Bob that WWW.VICTIM.COM is 6.6.6.0.

This time though, instead of getting Bob to look up WWW.VICTIM.COM
and then beating Alice in the race, or getting Bob to look up
WWW.EVIL.COM and slipping strychnine into his ham sandwich, we’re
going to be clever (sneaky).

Get Bob to look up AAAAA.VICTIM.COM. Race Alice. Alice’s answer is
NXDOMAIN, because there’s no such name as AAAAA.VICTIM.COM. Mallory
has an answer. We’ll come back to it. Alice has an advantage in the
race, and so she likely beats Mallory. NXDOMAIN for
AAAAA.VICTIM.COM.

Alice’s advantage is not insurmountable. Mallory repeats with
AAAAB.VICTIM.COM. Then AAAAC.VICTIM.COM. And so on. Sometime,
perhaps around CXOPQ.VICTIM.COM, Mallory wins! Bob believes
CXOPQ.VICTIM.COM is 6.6.6.0!

Poisoning CXOPQ.VICTIM.COM is not super valuable to Mallory. But
Mallory has another trick up her sleeve. Because her response
didn’t just say CXOPQ.VICTIM.COM was 6.6.6.0. It also contained
Additional RRs pointing WWW.VICTIM.COM to 6.6.6.0. Those records
are in-bailiwick: Bob is in fact interested in VICTIM.COM for this
query. Mallory has combined attack #1 with attack #2, defeating fix
#1 and fix #2. Mallory can conduct this attack in less than 10
seconds on a fast Internet link.
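The QID race, the bailiwick rule and their combination, as an added Python example (my toy model, not BIND or djbdns code): a caching resolver that accepts a reply only when QID and source port match and only caches records in bailiwick, against which the 1995-style Additional RR from EVIL.COM's server is dropped while Mallory's in-bailiwick Additional RR for WWW.VICTIM.COM is cached the moment she wins one race for CXOPQ.VICTIM.COM. Names and addresses are the text's; the probability helper shows why 16 bits of QID "fills us with dread" and what the extra ~16 bits of source port buy.

```python
import random
from dataclasses import dataclass, field

# Toy model of how a caching resolver decides whether to believe a reply
# (constructed example, not BIND or djbdns code).


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    data: str


@dataclass
class Query:
    name: str
    qid: int       # 16-bit transaction id (fix 1: random)
    src_port: int  # UDP source port (djbdns: random as well)


@dataclass
class Response:
    qid: int
    dst_port: int        # port the packet is addressed to
    question: str
    answers: list
    additional: list = field(default_factory=list)


def in_bailiwick(rr_name, zone):
    """Fix 2: only names at or below the zone we asked are believed."""
    rr_name, zone = rr_name.lower().rstrip("."), zone.lower().rstrip(".")
    return rr_name == zone or rr_name.endswith("." + zone)


def spoof_success_probability(guesses, entropy_bits):
    """P(at least one of `guesses` forged replies matches) against 2**bits."""
    return 1.0 - (1.0 - 1.0 / 2 ** entropy_bits) ** guesses


class Resolver:
    def __init__(self, rng=None, randomize_port=True):
        self.rng = rng or random.Random()
        self.randomize_port = randomize_port
        self.pending = {}  # name -> outstanding Query
        self.cache = {}    # (NAME, type) -> data

    def ask(self, name):
        """Send a query. An outstanding query for the same name is reused,
        so asking 1000 times does not open 1000 QIDs for Mallory to hit."""
        if name not in self.pending:
            port = self.rng.randrange(1024, 65536) if self.randomize_port else 53
            self.pending[name] = Query(name, self.rng.getrandbits(16), port)
        return self.pending[name]

    def receive(self, resp, zone):
        """Accept or drop a reply; `zone` is the bailiwick of the server we
        asked. Returns the RRs that were cached."""
        q = self.pending.get(resp.question)
        if q is None or resp.qid != q.qid or resp.dst_port != q.src_port:
            return []  # lost the race, or Mallory guessed wrong: dropped
        del self.pending[resp.question]  # first valid reply wins; later ones dropped
        cached = []
        for rr in resp.answers + resp.additional:
            if not in_bailiwick(rr.name, zone):
                continue  # 1995 attack: WWW.VICTIM.COM served up by EVIL.COM
            self.cache[(rr.name.upper(), rr.rtype)] = rr.data
            cached.append(rr)
        return cached


def kaminsky_demo(seed=1):
    """Replay both attacks against the toy resolver; return the final cache."""
    r = Resolver(random.Random(seed))
    bad = RR("WWW.VICTIM.COM", "A", "6.6.6.0")
    # Attack 2 (RRset poisoning) against a resolver with bailiwick checking.
    q = r.ask("WWW.EVIL.COM")
    r.receive(Response(q.qid, q.src_port, "WWW.EVIL.COM",
                       [RR("WWW.EVIL.COM", "A", "6.6.6.1")], [bad]), "EVIL.COM")
    # Kaminsky: Mallory has just won a race for a nonexistent VICTIM.COM name
    # (qid/port modelled as already guessed) and rides the in-bailiwick
    # Additional RR straight through fix 2.
    q = r.ask("CXOPQ.VICTIM.COM")
    r.receive(Response(q.qid, q.src_port, "CXOPQ.VICTIM.COM",
                       [RR("CXOPQ.VICTIM.COM", "A", "6.6.6.0")], [bad]), "VICTIM.COM")
    return r.cache


if __name__ == "__main__":
    print(kaminsky_demo())
    print(f"16-bit QID, 65536 guesses: {spoof_success_probability(65536, 16):.3f}")
    print(f"QID + random port, 65536 guesses: {spoof_success_probability(65536, 32):.6f}")
```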

Default usernames and passwords for Routers/Switches/Hubs


   Type/vendor/notes/etc                     Username Password
  
   3Com                                      admin    synnet
   3Com                                      read     synnet
   3Com                                      write    synnet
   3Com                                      monitor  monitor
   3Com                                      manager  manager
   3Com                                      security security
   3Com_Office_Connect_5x0_ISDN_Routers      n/a      PASSWORD
   3comCellPlex7000                          tech     tech
   3comCoreBuilder7000/6000/3500/2500        debug    synnet
   3comCoreBuilder7000/6000/3500/2500        tech     tech
   3comHiPerARCv4.1.x                        adm      <blank>
   3ComLANplex2500                           debug    synnet
   3ComLANplex2500                           tech     tech
   3comLinkSwitch2000/2700                   tech     tech
   3comSuperStackIISwitch                    2200     debug
   3comSuperStackIISwitch                    2700     tech
   ACC(Ericsson)                             netman   netman
   ADC_Kentrox_Pacesetter_Router             n/a      secret
   All_Zyxel_equipment                       n/a      1234
   AT&T_3B2_firmware                         n/a      mcp
   AXIS200/240[netcam]                       root     pass
   Bay_routers                               Manager  <blank>
   Bay_routers                               User     <blank>
   Bay350T_Switch                            n/a      NetICs
   BaySuperstackII                           security security
   BRASX/I01_(DataCom)                       n/a      letmein
   BreezeCOM_adapters2.x(console_only)       n/a      laflaf
   BreezeCOM_adapters3.x(console_only)       n/a      Master
   BreezeCOM_adapters4.x(console_only)       n/a      Super
   Cayman_DSL                                n/a      <blank>
   Crystalview_outsideview32                 n/a      crystal
   digiCorp_(viper?)                         n/a      BRIDGE
   digiCorp_(viper?)                         n/a      password
   DLink_hub/switches                        D-Link   D-Link
   Flowpoint_DSL_installed_by_Covad          n/a      password
   Flowpoint_DSL2000                         admin    admin
   Jetform_design                            Jetform  n/a
   Lantronics_Terminal_server_port           7000     n/a
   Linksys_DSL                               n/a      admin
   Livingston_IRX_router                     !root    <blank>
   Livingston_officerouter                   !root    <blank>
   Livingston_portmaster2/3                  !root    <blank>
   Microplex_print_server                    root     root
   Motorola-Cablerouter                      cablecom router
   Netopia_7100                              <blank>  <blank>
   Netopia_9500                              netopia  netopia
   Orbitor_console                           n/a      password
   Orbitor_console                           n/a      BRIDGE
   Osicom(Datacom)                           sysadm   sysadm
   Shiva                                     root     <blank>
   Shiva                                     Guest    <blank>
   SpeedstreamDSL(Efficient)                 n/a      admin
   UClinux_for_UCsimm                        root     uClinux
   Webramp                                   wradmin  trancell
   Alteon ACEswitch 180e (web)               admin    admin
   Alteon ACEswitch 180e (telnet)            admin    <blank>
   NETPrint (all)                            n/a      sysadm
   Xylan Omniswitch                          admin    switch
   Xylan Omniswitch                          diag     switch
   AcceleratedDSL CPE and DSLAM              sysadm   anicust
   Arrowpoint                                admin    system
   Cabletron (routers & switches)            <blank>  <blank>
  
   Needed
  
   Packeteer
   Cabletron
   SMC
   Accton