What's New!

Chat with

How to Defend
Your Computer 

The Guides
to (mostly) 
Harmless Hacking

Happy Hacker 
Digests (old stuff) 

Hacker Links 


Meet the 
Happy Hacksters 

Help for 



It Sucks 
to Be Me!

How to Commit
Computer Crime (not)! 

What Is a 
Hacker, Anyhow? 

Have a 
Great Life! 

News from the 
Hacker War Front

Carolyn's most
popular book,
in 4th edition now!

For advanced
hacker studies,
read Carolyn's
Google Groups
Subscribe to Happy Hacker
Visit this group
Happy Hacker Digest April 23-24, 1997

      This is a moderated list for discussions of *legal* hacking.
                        Moderator is Matt Hinze

                 Send posts to: matt@cs.utexas.edu (Matt Hinze)
        [if you can, include a "HH" in the subject header]

               Please don't send us anything you wouldn't
              email to your friendly neighborhood narc, OK?

        To subscribe or
unsubscribe, use the subscribe boxes on the menu bars, please..
If you decide you just want to use the forum and not get these
mailings, we promise our feelings won't get hurt if you unsubscribe
from this list.
          The Happy Hacker Digest Webpage, located at
 http://www.cs.utexas.edu/users/matt/hh.html, contains recently
          discussed web sites and past URLs Of The Day.

         H a p p y  H a c k i n g !
URL Of The Day: http://members.tripod.com/~havoc00/corner.shtml
RSnakes' Hacking Webpage

Table Of Contents

* Note From Matt
* MegaHack Mailing List
* Hacking Macintosh AppleTalk
* Windows Ports
* More PHF
* Confused By SUID
* Misc Questions
* Linux Woes
* Dynamic Domain Name
* What Is My IP Address?
* MkLinux Info
* Lollipop Shaped Cursor?
* SNI-12: BIND Vulnerabilities and Solutions


** Note From Matt

I'm compiling a list of hacking resources that are beginner-friendly.
The list will include web sites, Usenet newsgroups, mailing lists,
etc., anything that might help out beginners learn about computer
security. But I need your help! I can't scour the net by myself as
well as we all can together, so please send in any resources (to me,
at matt@cs.utexas.edu) that you think would fit this type of thing.

I think projects like these, however small, are pretty cool.
Hopefully, the readers of the Happy Hacker Digest can collaborate on
other stuff, too. Wouldn't it be awesome to eventually release an
advisory or two? So if you have any ideas on other projects, let me
know at the address above.


*** MegaHack Mailing List

From: "garbage@mdc.net" <garbage@mdc.net>

I would like to inform the readers of HH about a new hacking/security
mailing list, focusing on NT/Unix/Tcp-ip.

       To subscribe:
       To: majordomo@fred.net
       in body: subscribe megahack

The owner of the list, megajolt@big.fred.net, has asked that topics
try to be mainly security, ie no warez/crack/virus or other sillyness.
Please read the welcome message if you do subcribe.


*** Hacking Macintosh AppleTalk

From: "DaFada 2" <dafada2@hotmail.com>

greetings happy hackers,

While browsing through my schools Ethernet Appletalk server i was
checkin out some of the the other schools , most of which i must say
are'nt secure in the least, and i logged onto one server named network
control, once inside i checked out the TCP/IP control pannel and found
that it had its own gateway and IP # and such.  I wuz wondering if it
is possible to gain access to this computer from telnet or possibly
from a line outside of the schools AppleTalk network. I have
asked several people about this and browsed the web and no one seems
to know for sure if its possible to connect.


[Matt: I must admit, I'm clueless when it comes to hacking Macs.
Surely someone can help, though. If you know of a resource that we
should check out, let the list know!]

*** Windows Ports
From: Eh? <vasudeva@mindport.net>

>I have a computer that I want my friends to be able to telnet into
>from other places. It has an ip address, but no domain name. Do I have
>to register a domain name in order for others to access it? Any help
>would be appreciated. Thanks.
>[Matt: Nope. The can just telnet to the IP, like:
>$ telnet

This touches on a  topic about which I've been very curious;  I would
like to expand on it.  Could deviant's friends telnet into his box if
he had a dialup account, and, therefore, a dynamically-assigned IP?
Assuming, of course, that he was using one of the little
find-your-dynamic-ip progs and could relate it to them during the
session.  In a sideways-related vein, could one telnet (or otherwise
gain access remotely) into a Windows box?  Exactly how do Windows'
ports work, in comparison to UNIX ports?


[Matt: If his machine is running a telnet daemon, and you know the IP
address (regardless of how he got it), you can telnet into it. There
is a Windows NT telnet daemon, and it works well.]

*** More PHF

From: "Yeo Sung" <theg1ver@hotmail.com>

I was trying out the PHf hack, and I found that you can use any
command on the address, as in ls%20/etc/ where ls is list and %20 is a
space, well I tried to "telnet%20###.edu". I got back Query Results

/usr/local/bin/ph -m alias=x /bin/telnet ###.edu

Trying ###.##.###.###...
Connected to ###.edu.
Escape character is '^]'.

is there any way I can carry out a login and password attempt through
this ?

[Matt: Not through a browser, but if you could bring up an xterm...]

Also, I got a passwd file question. I tried on this server this
command using the phf, /cat%/etc/shadow/ I got the encrypt passwords
but they all ended with something like a


no things like home or group or shit like that also,


all of them end with ::::0::0 can i just stuff this through a passwd
cracker or should I go back to the shadowed passwd file with the x and
add all that in ?


*** Confused by SUID

From: "Michael Paul" <mbp@locke.ccil.org>

What's the big deal with suid?  I know what it means, but I don't see
how this could be used to gain root.  If a suid program crashes, it
terminates itself, right?  Or is there a way to get to a prompt from

I'm still a newbie to unix; I know enough to get around, but I don't
really know any advanced tricks.  If you reply to this please avoid
using too much unix terminology, or better yet explain the terms so
I'll know in the future.

Michael Paul

*** Misc Questions

From: Killer Bee <killerb@nyct.net>

     I have 2 questions to ask:
1.  What is a cookie and what does it do?

[Matt: A cookie is a bit of information that a web page sends to your
browser. You browser keeps it until that same web page asks for it
again. Cookies serve all types of purposes, from counting the times
you've visited a site, to verifying identity.]
2.  Where is Silicon Toad's new site?  (Because I need some text's to

[Matt: http://www.silitoad.com]


From: PGorman@mbe.com (Paul Gorman)
Hello All!

At work here, I have full I-net E-mail capabilities, but no other
I-net support.   I know there are some daemons out there that will
E-mail back silly facts like Weather, Date, Gossip, etc... There was
even one that replied to your message and translated it into the
Swedish Chef!   but, sadly, that cool daemon is no longer.
Does anyone know of any nifty/goofy E-mail daemon's that are still
up and running?
Also, completely different.. I'm about to install Linux on an old 486,

something I saw earlier about Monkey..  Looks nifty, my one little
fish:  Has anyone out there sucessfully connected a LANtastac Network
to a Linux box?   I mean, it doesn't use IPX or nuthin, so what *does*

it use?

*** Linux Woes

From: "Int_21" <geoff@www.coffs.net.au>

> I'm having a bit of trouble with Linux setting up a ppp connection I
> have managed to figure out what the problem is so now I need help to
> fix it. I have read through the linux-ppp faq and all the others and
> haven't found anything on it.My problem is not actually in pppd but in
> the chat program used to set it up.I have written my own pppd and chat
> script but now here's where the problem comes in.My modem is set in
> win95 to blind dial (dial without looking for a dial tone) because for
> some reason my modem doesn't detect the dial tone in my country.But
> now in linux when I initiate chat using my script it by default checks
> for a dial tone before dialing the number and since it cant detect one
> it cancels the operation and so wont even dial the number.Does anyone
> know of a way that I can make chat blind dial or maybe there's an AT
> command to do it.At the moment I'm just using the atdt command to try
> and dial.
> Oh yeah and changing my modem's internal configuration to set it to
> blind dial is not an option.

What is contained here is SHOULD what your problem:
REPLACE: Your CURRENT modem Dial string (Which is ATDT) with:
REPLACE: [yournumber]  with the phone number that is needed to dial:

If your 'tel-co' uses TONE dialing: ATX3DT[yournumber]

If your 'tel-co' uses PULSE dialing: ATX3DP[yournumber]

And That's It  DIALING YOUR MODEM should work now.
If that doesn't work after that email me at the following address:

|                             |
|        [====] [====]        |
|          =='=\  ==|         |
|          ==|==\ ==|         |
|          ==| ==\==|         |
|          ==|   ===|         |
|        [====] [====]        |
|              at             |
|        [/\]______[^]        |
|        |===========|        |
|        |===========]        |
|        [\/]                 |
|                             |

|    HTTP://BASE.INT_21.ORG   |
|     int_21@DeathsDoor.com   |

*** Dynamic Domain Name

From: Warpy <warpy@null.net>

To anonymous:
Looking for a free dynamic ip domain name? How does *.dyn.ml.org
sound? Check out this url - http://www.ml.org/NIC

Those of you out there who are interested in the idea of Corewars but
who don't have a domain name you can use the above to get your own.


Btw: To those of you out there who are running a version of libc which
is earlier than 5.4.7, i suggest you upgrade it. To check what version
you are running look in /lib. A vulnerability exists in versions up to
5.4. which allows a regular user to view arbitrary files. I have
tested this on the slackware winter 96 distribution and it works. ;)

A great hack is accomplished before it has begun...
(paraphrased from Sun Tzu)   -[warpy@null.net]-

*** What is my IP Address?

From: "Darryl G. Wright (1)" <darrylw@beltek.com>

I have a dynamic IP connection to the Internet which enables me to
surf the net but prevents me from setting up any type of server
including a temporary FTP server. Is there any way (utilities,
information resources?) I can figure out what my own IP is at the time
of assignment? Old Winsock used to allow this but the Win95
construction keeps it all locked away. I'd appreciate any help.

-=< Darryl >=-

[Matt: There is a program called WINIPCFG.EXE which will provide your
current IP address as well as all kinds of other useful stuff.]

*** MKLinux Info

From: mulder@jumbo.ntplx.net (Evil Ninja Mulder)

alright....as sensitive as i am to the evils of reliance, BELIEVE me:
i spent over an HOUR trying to find this one simple little tidbit of
information. ..

the problem is this: i am interested in running MKlinux, the apple
port to Linux, on my computer, because i want to set up a small web

..but i found out the hard way i have no idea hwat linux really is.
after traipsing around, i practically had a breakdown when no one
revelas this fact:

can i keep my old os? i dont get this. how can i siwtch from one os or
the other? this questions is SO elementary every site just overlooks

i would very much appreciate calm, nice answers to this pathetic kid
instead of rantings and ravings about my stupidity.

oh, and also, if, for some reason, you feel macs make me a horrible
person, keep it to yourself.

thank you!


+Evil Ninja Mulder+   mulder@ntplx.net

"The youth of today will no longer be pacifistic and sedate in their
dealings with a corrupt world; when all this hatred is brought to an
it will be youth who are ultimately responsible."

I Support Youth Against Fascism -

*** Lollipop Shaped Cursor?

From: Chris Lohman <chris.lohman@brooktree.com>

I have found recently when I telnet to any ports on my
Sparc5/Solaris2.5.1 (because I {usually} only hack myself) machine and
hit [ctrl]+a the cursor changes to something like a lollipop and then
[ctrl]+q changes it back.

I cannot find any explanation for this in any of my documentation nor
can I find anything on the net.  Do you know if this has any purpose
or use ?

*** SNI-12: BIND Vulnerabilities and Solutions

[Matt: SUPER IMPORTANT NOTE: This post has been severly edited. The
original advisory also contained a fix for both exploits. I decided to
cut them due to the fact that most admins who will be affected by this
are already recieve this message. On top of that, the entire advisory
runs 803 lines, and would not be suitable to publish in the digest due
to it's sie. However, if you want the entire advisory (including
fixes) , please visit http://www.secnet.com or email me
(matt@cs.utexas.edu) and I will be happy to send it to you.]

From: Oliver Friedrichs <oliver@SECNET.COM>

                        ######    ##   ##    ######
                        ##        ###  ##      ##
                        ######    ## # ##      ##
                            ##    ##  ###      ##
                        ###### .  ##   ## .  ######.

                           Secure Networks Inc.
                     CORE Seguridad de la Informacion

                             Security Advisory
                               April 22, 1997

                    BIND Vulnerabilities and Solutions

Problem Description

This advisory contains descriptions and solutions for two
vulnerabilities present in current BIND distributions.  These
vulnerabilities are actively being exploited on the Internet.

I.  The usage of predictable IDs in queries and recursed queries
allows for remote cache corruption.  This allows malicious users to
alter domain name server caches to change the addresses and hostnames
of hosts on the internet.

II. A failure to check whether hostname lengths exceed MAXHOSTNAMELEN
in size.  This results in potential buffer overflows in programs which
expect the BIND resolver to only return a maximum hostname length of

                 Problem I.  The usage of predictable ID's

Problem I. - Impact

Remote root users can poison BIND and Microsoft Windows NT name server
caches by forging UDP packets.  We should note that unlike other well
documented attacks, in this instance it is NOT necessary for the
attacker to take over a DNS server or sniff the target network.

Problem I. - Technical Details

This particular cache corruption attack requires that the target
nameserver be configured to allow recursion.  Recursion allows a
nameserver to handle requests for zones or domains which it does not
serve.  When receiving a query for a zone or domain which is not
served by the name server, the name server will transmit a query to a
nameserver which serves the desired domain.  Once a response is
received from the second nameserver, the first nameserver sends the
response back to the requesting party.

The following attack is outlined in the paper "Addressing weaknesses
in the Domain Name System Protocol" by Christopher Schuba and Eugene
Spafford [6]. To the extent of our knowledge, this problem has not
been previously addressed.  The paper also assumes that the attacker
has super-user access to a primary nameserver, here we demonstrate
that this is not necessary nor are source routed packets required.

Using the recursion feature, one can poison the cache on a name server
with the following procedure:

Problem I. - The Players

HOST.ATTACKER.COM is the attacking host.

DNS.ATTACKER.COM is ATTACKER.COM's nameserver, we presume that this is
   the only name server for ATTACKER.COM to simplify the description.

DNS.TARGET.COM is the target nameserver which runs BIND.  What we will
attempt to do is add an A (address) resource record on DNS.TARGET.COM
that will resolve WWW.SPOOFED.COM to  We are sure that
WWW.SPOOFED.COM is not cached in DNS.TARGET.COM's DNS cache.

DNS.SPOOFED.COM is the nameserver for SPOOFED.COM's domain.  We have
determined this before the attack begins.  Once again we just presume
its the only one in order to simplify this description.

Problem I. - The Attack

A.  First a query is sent to DNS.TARGET.COM asking for the address of
UNKNOWN.ATTACKER.COM.  Our query has the recursion desired bit set,
meaning that if the nameserver we are querying has recursion enabled,
it will query another nameserver with our query (assuming it does not
have the information cached).

B.  DNS.TARGET.COM will first determine who serves the ATTACKER.COM
domain, then it will build a query packet and send it to

C.  We sniff DNS.ATTACKER.COM's local network and retrieve the query
packet sent by DNS.TARGET.COM to DNS.ATTACKER.COM.  We can then
determine the query ID (qid0) used by DNS.TARGET.COM.  Chances are
that the next queries generated by DNS.TARGET.COM will have query IDs
that will fall in the range [qid0,qid0+N] where N is dependent on the
amount of queries DNS.TARGET.COM is generating in the period of time
on which the attack takes place.  N is usually <= 10 for most cases.

D.  Once we have determined what the next query ID generated will be,
we send a query to DNS.TARGET.COM asking for WWW.SPOOFED.COM's

E.  Then we start sending spoofed DNS replies from DNS.SPOOFED.COM,
telling DNS.TARGET.COM that WWW.SPOOFED.COM is ''.

F.  If we guessed the query ID used by DNS.TARGET.COM in its recursed
query and our response is received first, our response will be taken
as valid and the address will be cached.  Subsequent responses will
be discarded as duplicates.  We can always send many (N*M) spoofed
packets with different IDs in the range (qid0,qid0+N] so we will be
sure that at least one of them will hit DNS.TARGET.COM and have the
'right' ID. M is a factor dependent of the amount of UDP packets we
expect to lose on their way to DNS.TARGET.COM.

Problem I. - The Result

If the attack succeeded, any query to DNS.TARGET.COM asking for
WWW.SPOOFED.COM's address, will get as a response.  Thus,
any user on TARGET.COM's domain will connect to if they try
to contact WWW.SPOOFED.COM.

The usage of in this description is of course for
instructional purposes, any IP address can be used, in particular an
attacker could use its own IP address (BADGUY.COM's IP) so all
connections  to 'host' will go to 'BADGUY'.  The attacker can then
'impersonate' WWW.SPOOFED.COM.  Given this attack, it is easy to
visualize the effects of impersonating a high traffic FTP distribution
site.  This attack can also be used to intercept email traffic, and
bypass address based authentication methods, including TCP wrappers
and firewalls.

Problem I. - Notes

This attack depends on a few things to succeed:

1. The attacker has complete control of DNS.ATTACKER.COM's network,
he can both spoof and sniff DNS packets there.  In particular, he can
sniff DNS packets sent to DNS.ATTACKER.COM.

2. Spoofed DNS responses sent from the attacker to DNS.TARGET.COM must
be received before the legit response from DNS.SPOOFED.COM.  This is
very easy to achieve.  In testing we have not yet encountered a
situation where we could not get our packets to the nameserver first.

3. The name server on DNS.TARGET.COM supports recursion and caches
responses.  This is common practice.  It should be noted that most
nameservers allow recursion (unless specifically denied by
configuration options).  Root name servers, however, do not allow

If DNS.TARGET.COM caches negative responses as well (NCACHE), a denial
of service attack can be performed, in this case, spoofed responses
sent by the attacker will tell DNS.TARGET.COM that WWW.SPOOFED.COM
does not exist (and be authorative on this).

The existence of several nameservers for the domains does not alter
the basic outline of this attack.  The attacker would only need to
send DNS responses with source addresses of each of SPOOFED.COM's
nameservers. (N*M*I responses, where I is the number of nameservers).

Problem I. - Systems Affected

- - All systems using BIND as their domain name server with recursion

- - Windows NT (server) version 3.51 & 4.0 DNS server.
  Microsoft has been notified and has acknowledged this is a serious
  problem.  No information on a fix is availible.

                      Problem II. Hostname length checking

Problem II. - Impact

BIND allows passing of hostnames larger than MAXHOSTNAMELEN in size to
programs.  As many programs utilize buffers of size MAXHOSTNAMELEN and
copy the results from a query into these buffers, an overflow can
occur. This can allow an attacker to execute arbitrary commands on a
remote server in a worst case scenario.

Problem II. - Systems Affected

All systems running BIND.

Fix Information

Obtain BIND version 4.9.5-P1.  BIND is availible from ftp.isc.org in
the directory /isc/bind/src.  Patches to solve both problem I and
problem II are included at the end of this advisory.  Once BIND
has been obtained, follow the following procedure:

i.   First remove the patches from this text.  This can be performed
by removing all text in between the "CUT HERE" lines, and saving it
to a text file (i.e. /tmp/diffs.txt).

ii.  Perform the following operations to apply the patches:

% gzip -d bind.tar.gz
% mkdir bind
% cd bind
% tar -xvf ../bind.tar
% patch < /tmp/diffs.txt

iii. Rebuild BIND


        Ivan Arce          <ivan@secnet.com>
        Emiliano Kargieman <ek@secnet.com>

   The OpenBSD Project
   Who found a good solution to problem, developed a solution and
   performed various tests to ensure its correctness.  Individuals
   involved in this effort were:

        Theo de Raadt     <deraadt@openbsd.org>
        Niels Provos      <provos@openbsd.org>
        Todd Miller       <millert@openbsd.org>
        Allen Briggs      <briggs@openbsd.org>

  Further attributions:
        AUSCERT           <auscert@auscert.org.au>
        David Sacerdote   <davids@secnet.com>
        Oliver Friedrichs <oliver@secnet.com>
        Alfred Huger      <ahuger@secnet.com>

Additional Information:

 [1] Vixie P. , "DNS and BIND security issues".
     This was originally published in the proceedings of the
     5th USENIX Security Symposium and its included in the BIND
     distribution under the doc/misc directory.

 [2] Kumar A., Postel J., Neuman C., Danzig P. , Miller S.
     "RFC1536: Common DNS implementation errors and suggested fixes"

   Refer to problem 2 for a description of other weaknesses previously
   found in the recursion scheme.

 [3] Lottor, M., "RFC1033: Domain administrators operations guide"
 [4] Mockapetris, P., "RFC1034: Domain names - Concepts and
 [5] Mockapetris, P., "RFC1035: Domain Names - Implementation and
 [6] Schuba Christopher and Spafford Eugene, "Adressing weaknesses in
     the Domain Name System Protocol", COAST Laboratory, Department of
     Computer Science, Purdue University.

     Comments and questions regarding this advisory can be sent to:

        Ivan Arce <ivan@secnet.com>
        Emiliano Kargieman <ek@secnet.com>

     For more information about CORE S.A. contact: core@secnet.com

     Or visit: http://www.secnet.com/core

Encrypted mail can also be sent to <sni@secnet.com> encrypted with
the following PGP key:

Type Bits/KeyID    Date       User ID
pub  1024/9E55000D 1997/01/13 Secure Networks Inc. <sni@secnet.com>
                              Secure Networks <security@secnet.com>

Version: 2.6.3ia


© Notice
The contents of this advisory are © (C) 1997 Secure Networks
Inc and CORE Seguridad de la Informacion S.A., and may be distributed
freely provided that no fee is charged for distribution, and that
proper credit is given.

You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
and advisories at ftp://ftp.secnet.com/advisories

You can browse our web site at http://www.secnet.com

You can subscribe to our security advisory mailing list by sending
mail to majordomo@secnet.com with the line "subscribe sni-advisories"

Happy Hacking,
Matt Hinze <matt@cs.utexas.edu>

 © 2013 Happy Hacker All rights reserved.