
<<< 12Oz Computer Tech Support SuperThread >>>


Mainter


This forum is supported by the 12ozProphet Shop, so go buy a shirt and help support!

Re: <<< 12Oz Computer Tech Support >>>

 

glad to hear about the linux. what release did you install?

thanks for the cctv links. fucking dope. you work in the field?

 

ubuntu. linux for human beings. lol.

nah i don't work in the field. i'm just a full time paranoid. lol

I have a ridiculous amount of security information lying around.


Re: <<< 12Oz Computer Tech Support >>>

 

i just got a box with 50 ubuntu sleeves in it. 100 cd's. one live, one install.

40 386 installs and lives, and 10 (actually 20) 64 bit versions of ubuntu.

 

ubuntu rocks the fucking house.

 

security is the shit. villain, post some knowledge. we've hit a slump here.

although porn links aren't that bad. we should kinda keep it in line with tech.


Re: <<< 12Oz Computer Tech Support >>>

 

Yeah I'm really liking ubuntu.

Security... so what do you want to know about? I have stuff for specific applications and products you can buy, I have schematics and wiring diagrams so you can make shit, I have information on electronic warfare theory so you can get that straight heady science shit.... whatever floats your boat really. I haven't gotten too much into it lately cause I've been working on a graphic novel, but with me fucking with ubuntu and shit I'm up for a change of pace.


Re: <<< 12Oz Computer Tech Support >>>

 

Backdoor and default passwords

 

Many BIOSes have built-in backdoor passwords to use to bypass a BIOS password which has been lost. This is, of course, an unacceptable way of handling this. No machine should have a backdoor password; this is a massive security hole. Instead, the machine should have a hardware jumper or DIP switch located in a secure location that is not accessible when the case is locked. For desktops, the switch can be located on the motherboard and a locking case screw will prevent access. For notebooks, the switch should not be inside a compartment which cannot be opened when the security cable slot is engaged.

 

* Award BIOSes

"Condo", "AWARD_SW", "J332", "589589", "AWARD?SW", "lkwpeter", "aLLY", "j262", "j332". Some more are available at pwcrack.com. After 1996-12-19, Award required each OEM to set their own password.

* AMI BIOSes

A program to reveal backdoor passwords in AMI BIOSes was posted on bugtraq. Some backdoor passwords used include "A.M.I.", "AMI_SW", "AMI?SW". Some more are available at pwcrack.com.

* Phoenix BIOSes

"phoenix"

* Toshiba notebooks

Toshiba has a trapdoor password to bypass the bios password. The company has adopted a truly asinine attitude regarding this password.

 

It turns out that if the first five bytes of sector 1 (the second sector) of a floppy in drive a are "4B 45 59 00 00" then you can bypass the password (type enter when asked for the password and you will be asked to set the password again).

* Thinkpad Notebooks

 

Thinkpads have special pads to short. Removing the battery, or letting it go dead, can wipe out the hard disk encryption key. See http://www.pwcrack.com/BIOS/bios.html for more details.

* Other BIOSes

"biostar", "biosstar", "LKWPETER", "BIOSTAR", "j262", "j256", "Syxx", "Wodj"

* Clearing BIOS password using debug:

O70,1E O71,FF O70,1F O71,FF

* emachines

At least some emachines have a dip switch on the motherboard to clear the passwords.

* More info on BIOS backdoor passwords and clearing CMOS. I supplemented the info on this page with stuff from there.

* Discharging CMOS RAM

There is usually a jumper near the battery for this. This is often a three-pin jumper and you move it from 1-2 to 2-3 or vice versa. If there is no jumper, you can accomplish the same results by shorting a particular pin on the CMOS RTC chip to ground for a few seconds while the power is turned off.

 

Dallas 1287           24 pin DIP   replace chip
Dallas 1287A          24 pin DIP   short pins 12 and 21
Chips&Tech P82C206    PLCC         short pins 74 and 75 (upper left corner)
Opti P82C206          PLCC         short pins 3 and 26 (bottom row)
Motorola MC146818AP                unplug chip
Dallas DS12885S       24 pin DIP   short pins 12 and 20
Benchmarq bq325aS     24 pin SIP   short pins 12 and 20

 

Actually, you could just wipe a grounded clip lead across all the pins of the chip you suspect is the CMOS RTC/RAM chip. This is usually a 24 pin DIP. If the functionality is handled by the motherboard chipset, just do the same for all the motherboard chipset pins. Note that if there is no series current limiting resistor on the external battery, it may have enough power to melt a trace off the board; this trace will be the battery power to the CMOS RTC/RAM and you can solder in a piece of wire to replace the trace. I have never heard of this happening on a motherboard and it would be pretty common the way they are handled.

 

It should also be noted that you can look up the manufacturer's data sheet for the chip on their web site to find out how to erase the RAM.

* CmosPwd

The program CmosPwd can be used to crack the CMOS passwords on ACER, IBM, AMIBIOS, Award BIOS, Compaq, DELL, Packard Bell, Phoenix, Toshiba, and Zenith machines. This runs under Linux or DOS/Windows.

* Cisco routers

Cisco routers prevent remote logon unless the passwords have been set.

* 3Com

Lanplex/corebuilder line: Login=debug, Password=synnet

Linkswitch 2700, superstack 2700, cellplex 7000: login=tech, password=tech

Superstack II hub and switches don't respond to the above but do have user=tech, password=tech or user=monitor, password=monitor.

* IBM 8237 Hub Has backdoor password in cleartext in the image. No way to change the password without editing firmware image and hacking the checksum.

* Quake servers

rcon password is "tms"; appears to require that you masquerade as 192.246.40.* to use.

* IRC scripts

There are many trojan IRC scripts with backdoor passwords.

* Unix

One of the more famous and clever backdoors existed in early unix systems. Dennis Ritchie added hidden self-replicating object code to the C compiler that modified both the C compiler and the login program when they were recompiled. So even if you recompiled the complete system from sources and inspected the sources there was still a hidden backdoor.

Early systems had a default root password of "gnomes".

Many distributions had default passwords.

* Windows 95 screen lock

You can bypass the screen lock on any windows 95 box if it has autorun enabled on the CD-ROM drive. Insert a special CD and it will be autorun even though the screen is locked. The autorun program can copy sensitive data to a floppy and/or kill the screen saver process. ftp://null.angel.nu/projects/95sscrk.zip is one of the programs which can be used to decrypt the screen saver password. This appears to also be a problem on windows NT machines. Autorun.inf is the magic file.

* Motorola cell phones

The DPC-550 cell phone has a backdoor password to unlock the phone. Typically "000000000000" or "123456123456".

* UT Lexar Telephone switches

Default login used by maintenance personnel was "lexar", no password; customers were required by contract to maintain a dialup line.

Backdoor login was "DESIGNED_BY_IC_KF". Their technicians knew that this backdoor existed but were not given its value.

These deficiencies were reported to Lexar a decade ago. If they haven't fixed them by now, tough.

Lexar switches print some distinctive escape codes followed by a "login:" prompt and are easy prey for war dialers. I broke into one almost by accident when it got added to a list of BBSes as a C/unix.


Re: <<< 12Oz Computer Tech Support >>>

 

 

Nice collection there. I've got a decent sized collection myself. Technical Manuals however would be harder to come by on the internet since those are the manuals that actually tell you how to break down and rebuild military equipment.


Re: <<< 12Oz Computer Tech Support >>>

 

haha. no way. i'm just surfing porn tonight.

 

 

aww what the fuck i thought you would have a joke like i have been trying to get a hold of yer mom but she hasn't been on the corner lately


Re: <<< 12Oz Computer Tech Support >>>

 

Nice collection there. I've got a decent sized collection myself. Technical Manuals however would be harder to come by on the internet since those are the manuals that actually tell you how to break down and rebuild military equipment.

 

you would seriously be surprised.

check your favorite p2p programs.

navy seal sniper training manuals

http://www.torrentspy.com/torrent/714837/Navy_SEAL_Sniper_Training_Manual

 

i'm sure a little work would turn up hundreds of the manuals you are speaking of.

there are collectors. i know at least one.


Re: <<< 12Oz Computer Tech Support >>>

 

a tutorial i had in my documents

Hacking Cell Phone VMBs

 

Section 1: The Introduction
----------------------------

In the activity known as phreaking, VMBs (voice mail boxes) are one of the great treasured finds of tireless effort. Well, thanks to modern cellular technology, it doesn't have to take so much tireless effort. Most modern cell phones have VMBs to take messages when the owner is away or is too much of a lazy shit to pick up the phone like somebody I know (*cough*Kyle*cough*). This makes for a seemingly endless bound of VMBs available for us to explore. Well, of course in this tutorial we will be covering exactly that, methods that you can use to break into these VMBs, to play big brother, take over, or just generally mess around with. Enjoy...

Section 2: The Method
----------------------

Well, our first step is of course to get to the VMB. To do this we are going to call up the number of our target, and let it ring. This works best if you call at a time when the cell phone is off, so if you know your target try to figure out when the most likely time would be that they would have their cell phone off and call then, or else just call in the middle of the night and hope they aren't an insomniac. Then when the message starts playing hit either # or *. You will then hear it ask you to enter in your password. Your first try should be to punch in the last four digits of the cell phone number. If this doesn't work then here is a decent list of common passwords for you to try out...

6969
0420
1234
4321
1223
9876
1111
1010
3060

If you don't screw around with anything and just use it to listen in on saved messages, then you should be able to hold access for months. Otherwise, if you decide to use the "Change Password" option and take it over, then you probably won't be holding it for long. So yeah, I advise against doing that. Also a helpful hint is that though most service providers use 4 digit passwords for VMBs, some providers may require subscribers to have passwords of at least 6 digits. If this is the case, first try the cell phone number you are dialing as the pass. If this doesn't work, you can try one of the following common passwords...

111111
222222
333333
444444
555555
666666
777777
888888
999999
123456
654321
696969
101010
121212

If none of these work then try a variation of any of the schemes listed above, or try something like the subscriber's birthday, first name, last name, home phone number, etc. Just use your imagination.

Section 3: In Conclusion
-------------------------

Well, as always I hope you enjoyed reading this tutorial as much as I enjoyed writing it. Life has been keeping me too busy lately to really do much else, but be sure to check in at informationleak.com to see my latest work. Until next time...

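As an added example, not part of the pasted tutorial or of this thread: the tutorial's whole method rests on voicemail PINs that are the last digits of the number, the number itself, a short list of common PINs, a digit sequence, a repeated block or a birthday. A Python policy check that rejects exactly those PIN shapes is the matching mitigation; the function names and the YYYY-MM-DD birthday format are my own assumptions.

```python
import re

# The two common-PIN lists from the tutorial above, merged into one set.
COMMON_PINS = frozenset({
    "6969", "0420", "1234", "4321", "1223", "9876", "1111", "1010", "3060",
    "111111", "222222", "333333", "444444", "555555", "666666", "777777",
    "888888", "999999", "123456", "654321", "696969", "101010", "121212",
})

MIN_LENGTH = 6  # the stricter provider policy the tutorial mentions (assumed here)


def _digits(text):
    """Keep only the digits of a phone number or date string."""
    return re.sub(r"\D", "", text or "")


def _is_sequence(pin):
    """True for runs of consecutive digits, ascending or descending (1234, 9876)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def _is_repeated_block(pin):
    """True when the PIN is one short block repeated (1111, 1010, 696969, 121212)."""
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin[:size] * (len(pin) // size) == pin:
            return True
    return False


def _birthday_forms(birthday):
    """Digit strings a subscriber might derive from a YYYY-MM-DD birthday (assumed format)."""
    d = _digits(birthday)
    if len(d) != 8:
        return set()
    yyyy, mm, dd = d[:4], d[4:6], d[6:]
    yy = yyyy[2:]
    return {yyyy, mm + dd, dd + mm, mm + dd + yy, dd + mm + yy, yy + mm + dd}


def weak_pin_reasons(pin, phone_number, birthday=None):
    """Return the reasons a voicemail PIN is weak; an empty list means it passes."""
    reasons = []
    number = _digits(phone_number)
    if not pin.isdigit():
        return ["PIN must be digits only"]
    if len(pin) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} digits")
    if pin in COMMON_PINS:
        reasons.append("on the common-PIN list")
    if number.endswith(pin):          # the tutorial's very first guess
        reasons.append("last digits of the phone number")
    elif pin in number:               # "try the cell phone number as the pass"
        reasons.append("contained in the phone number")
    if _is_sequence(pin):
        reasons.append("consecutive digit sequence")
    if _is_repeated_block(pin):
        reasons.append("repeated digit block")
    if birthday and pin in _birthday_forms(birthday):
        reasons.append("derived from the birthday")
    return reasons


def is_weak_pin(pin, phone_number, birthday=None):
    """Boolean wrapper for use in a provisioning or PIN-change check."""
    return bool(weak_pin_reasons(pin, phone_number, birthday))
```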

Re: <<< 12Oz Computer Tech Support >>>

 

another useful one

 

What is DRM?

 

DRM is an encryption manifest file which disallows an individual who's purchased a CD which contains the DRM directly written into the actual Audio Disk. DRM stands for Digital Rights Management.

 

 

What's the cause for DRM Encryption?

 

 

 

DRM (Digital Rights Management) is to control the internet's piracy of Audio files, mp3s for example, on P2P (Peer To Peer) Clients (a famous one is KaZaA) for non-3rd party use. This means that you can rip the audio to your computer, and listen to them only at your computer and nowhere else. Now there usually is an internal ripper provided by the CD itself, for you to burn the audio to another CD-R or whatever, but if you follow my howto it'll make things a lot simpler.

-What you need-

 

1: 6-ft. (182m)* Shielded Audio Cable, 1/8/11th's stereo miniplug, to 1/8/11th's stereo miniplug. Radio shack item # (42-2387A)

2: A CD Player.

3: The CD which has the DRM encryption.

4: A Computer with working Microphone input, and soundcard output.

5: An Audio editor such as Sonic Foundry Sound forge 6.0 or something like it.

 

Now, take the audio cord and plug it into your CD player where you'd put your headphones, then take the other end and plug it directly into your CPU's microphone input.

 

Once that's done, open up your Audio Editor... click on File>New> Once the new layout has opened, click "Record" now once it has started to record, click Play on your CD Diskman. (Make sure you have your Sound on the Diskman to MAX output)

 

Now that's pretty much it... once the disk has been fully played and upstreamed to your audio editor... you can dissect the tracks and then name them on new sound layouts, name the track... and save it as mp3. Because by default all audio editors save upstreamed tracks as .WAV format, and wav format is a relatively enormous size as far as bytes are concerned. I hope you enjoyed this. And remember, it's our right to do what we want with what we buy. Just make responsible decisions and do not pirate!


Re: <<< 12Oz Computer Tech Support >>>

 

Presented here is a whitepaper on exploiting Windows device drivers, with a step-by-step explanation on how to exploit the vulnerability and get a shellcode running.

 

DETAILS

Introduction:

Device driver vulnerabilities are increasingly becoming a major threat to the security of Windows and other operating systems. It is a relatively new area, thus very few technical papers covering this subject are available. To the author's knowledge, the first Windows device driver attack was presented by the SEC-LABS team in the "Win32 Device Drivers Communication Vulnerabilities" whitepaper.

This publication presented a useful technique of driver exploitation and laid the ground for further research. A second publication surely worth mentioning is the article by Barnaby Jack, titled "Remote Windows Kernel Exploitation Step into the Ring 0".

Due to the lack of technical papers on the discussed subject, Piotr Bania decided to share the results of his own research. In this paper a device driver exploitation technique will be introduced, with a detailed description of the techniques used and full exploit code with sample vulnerable driver code for tests.

The reader should be familiar with IA-32 assembly and have previous experience with software vulnerability exploitation. Plus, it is highly recommended to read the two previously mentioned whitepapers.

 

 

ADDITIONAL INFORMATION

 

The original article can be found at:

http://pb.specialised.info/all/articles/ewdd.pdf


Re: <<< 12Oz Computer Tech Support >>>

 

iTunes 6.0 Shared Music Denial of Service/Spoofing/Flooding/Abuse

Demo:
The following is a link to a Flash demo in which we demonstrate the vulnerability: http://www.airscanner.com/security/itwns2.html

URL:
http://www.airscanner.com/security/05101001_itunes.htm

Product:
iTunes 6.0

Platform:
Tested on Windows XP and OSX

Requirements:
Nemesis for spoofing. Perl for the scripting environment. iTunes on either OSX or Windows.

Credits:
Seth Fogie
Airscanner Mobile Security
http://www.airscanner.com
Mobile Antivirus Researchers Association
http://www.mobileav.org
October 10, 2005

Risk Level:
Low: Denial of service (Shared Music anonymous forced disconnect) and list abuse attacks are both merely annoying to iTunes users.
Medium: Shared Music lists from various users can be renamed and swapped, thus creating an environment in which you can't be sure to whom you are connecting.

Summary:
iTunes is a popular service allowing you to play music, buy music, download music, share music, create playlists, etc.; it includes a video player and other features: http://www.itunes.com

The iTunes Shared Music feature allows users on a network to create playlists from songs on their computer and to share them on the network. When you create a new list and enable sharing, other iTunes users will see your lists under the Shared Music list, unless they change their preferences from the default settings. We discovered that it is possible to create spoofed Shared Music entries, to rename existing entries, to disconnect existing entries, and to re-initiate existing lists. We can also kill an existing stream without authorization via an anonymous packet.

Details:
iTunes Shared Music Entry Spoofing: It is possible to create fake Shared Music entries by spoofing fake domain/list names and IP addresses inside an MDNS packet that is used to broadcast existing lists. This spoofing attack can be scripted to post numerous entries to specific or all iTunes users on a network (flooding). By repeated excessive posting of Shared Music Entries, we were able to create a major system load on systems using iTunes.

iTunes Shared Music Entry Rename: It is possible to rename a valid entry across the network by spoofing the IP of the originating computer. With this power, we can swap existing Shared Music Entries and trick people into connecting to the wrong list.

iTunes Shared Music Entry Time To Live Spoofing: It is possible to reset the TTL value of existing lists (or new lists), thus allowing an attacker to set the TTL on an existing list to one second, resulting in the list being removed from all client computers, even if a song is currently being shared.

In order to spoof entries, you have to first send a SVR packet out with all the appropriate information, which must then be followed by a spoofed response packet to convince other iTunes clients that the first packet was real. In order to create spoofed lists, or to alter existing lists, you must also spoof the originating IP. The IP does not have to be on the local subnet.

For an example of what is possible, we have recorded a session in rather large swf files. Click here http://www.airscanner.com/security/itwns2.html or here for the 2MB web based video. Screen shot of a multi-spoof http://www.airscanner.com/security/images/itunes.JPG also available.

Credits and Thanks:
Special thanks to the creators of nemesis, without which this testing would have been much more difficult. We also would like to acknowledge the creators of Ethereal for an excellent sniffer.

Workaround:
Disable 'Look for shared music' option under the Sharing tab in Preferences.

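As an added example, not part of the advisory and not Airscanner's code: a Python monitor that checks a stream of already-decoded Shared Music announcements for the symptoms the advisory describes, namely a source IP outside the local subnet, a list name claimed by a second IP, a source changing its list name, a TTL dropped to one second on a live list, and an excessive number of distinct lists (flooding). The record layout, the local subnet, the flood threshold and the sample traffic are constructed assumptions; decoding the mDNS packets themselves is out of scope.

```python
import ipaddress

# Assumed shape of one decoded Shared Music announcement: the IP the packet
# claims to come from, the list name (service instance) and the record TTL.
# Constructed sample traffic, not a real capture.
SAMPLE_ANNOUNCEMENTS = [
    {"src": "192.168.1.10", "instance": "Alice's Music", "ttl": 4500},
    {"src": "192.168.1.11", "instance": "Bob's Music", "ttl": 4500},
    # Bob's IP re-announces under Alice's list name: rename / list swap
    {"src": "192.168.1.11", "instance": "Alice's Music", "ttl": 4500},
    # TTL forced to one second on a live list: forced disconnect
    {"src": "192.168.1.10", "instance": "Alice's Music", "ttl": 1},
    # announcement whose claimed source is not on the local subnet at all
    {"src": "10.9.9.9", "instance": "Free Music", "ttl": 4500},
] + [  # 25 fake lists, each behind a different spoofed address: flooding
    {"src": f"192.168.1.{100 + i}", "instance": f"List {i}", "ttl": 4500}
    for i in range(25)
]


class SharedMusicMonitor:
    """Flags the spoofing patterns from the advisory in a stream of announcements."""

    def __init__(self, local_subnet, max_lists=20):
        self.subnet = ipaddress.ip_network(local_subnet)
        self.max_lists = max_lists      # assumed sane number of lists per subnet
        self.owner = {}                 # list name -> IP that first announced it
        self.last_name = {}             # IP -> list name it last announced
        self.seen_names = set()

    def observe(self, ann):
        """Return the (kind, message) alerts raised by one announcement."""
        src, name, ttl = ann["src"], ann["instance"], ann["ttl"]
        alerts = []
        if ipaddress.ip_address(src) not in self.subnet:
            alerts.append(("off_subnet", f"{src} outside {self.subnet} announces '{name}'"))
        if name in self.owner and self.owner[name] != src:
            alerts.append(("hijack", f"'{name}' belongs to {self.owner[name]}, announced by {src}"))
        if src in self.last_name and self.last_name[src] != name:
            alerts.append(("rename", f"{src} changed its list from '{self.last_name[src]}' to '{name}'"))
        if ttl <= 1:                    # goodbye record: do not learn state from it
            if name in self.owner:
                alerts.append(("disconnect", f"TTL {ttl} would remove live list '{name}'"))
                self.owner.pop(name, None)
            return alerts
        self.owner.setdefault(name, src)  # first announcer keeps ownership
        self.last_name[src] = name
        self.seen_names.add(name)
        if len(self.seen_names) > self.max_lists:
            alerts.append(("flood", f"{len(self.seen_names)} distinct lists announced"))
        return alerts

    def run(self, announcements):
        """Process a whole stream; returns {kind: [messages]}."""
        report = {}
        for ann in announcements:
            for kind, msg in self.observe(ann):
                report.setdefault(kind, []).append(msg)
        return report


def alert_counts(announcements=SAMPLE_ANNOUNCEMENTS, local_subnet="192.168.1.0/24"):
    """Number of alerts of each kind for a stream (subnet is an assumed value)."""
    report = SharedMusicMonitor(local_subnet).run(announcements)
    return {kind: len(msgs) for kind, msgs in report.items()}


if __name__ == "__main__":
    for kind, msgs in SharedMusicMonitor("192.168.1.0/24").run(SAMPLE_ANNOUNCEMENTS).items():
        print(kind, len(msgs), msgs[0])
```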
