Part II: Advanced spoofing (Blind)

Appendix: Short note about rlogin
---------------------------------


I suppose you know what rlogin is, but how did I get to that 'eriu' command
file?
All the information is in RFC 1282; I have included two extracts here, the
two most important ones for our purposes.
(If you want to know more about the subject, I suggest you read the RFC.)

(concerning "\000coder\000spoof\000vt100/9600\000")
Extract 1 from RFC 1282:
   Upon connection establishment, the client sends four null-terminated
   strings to the server.  The first is an empty string (i.e., it
   consists solely of a single zero byte), followed by three non-null
   strings: the client user name, the server user name, and the terminal
   type and speed.  More explicitly:

        <null>
        client-user-name<null>
        server-user-name<null>
        terminal-type/speed<null>

   The server returns a zero byte to indicate that it has received these
   strings and is now in data transfer mode. 
End extract.

(concerning "\255\255ss\000\025\000\080\000\000\000\000")
Extract 2 from RFC 1282:
   The window change control sequence is 12 bytes in length, consisting
   of a magic cookie (two consecutive bytes of hex FF), followed by two
   bytes containing lower-case ASCII "s", then 8 bytes containing the
   16-bit values for the number of character rows, the number of
   characters per row, the number of pixels in the X direction, and the
   number of pixels in the Y direction, in network byte order.  Thus:

        FF FF s s rr cc xp yp
   
   Other flags than "ss" may be used in future for other in-band control
   messages.  None are currently defined.
End extract.
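The two extracts together define everything a server (or a passive monitor) needs to decode the start of an rlogin session: the four NUL-terminated preamble strings, and the 12-byte in-band window-change sequence. The following decoder is an added example and is not part of the Spoofit text or its command files; it follows the RFC layout literally (magic cookie 0xFF 0xFF, then "ss", then four 16-bit network-order values). One caveat when reading the page's own strings: values such as \255 and \080 only make sense as decimal byte values (255 = 0xFF, 25 rows, 80 columns); as C octal escapes \255 would be 0xAD and \080 is not valid, so the example constructs its sample bytes from the RFC's hex values rather than from those escapes. The sample handshake and data stream below are constructed for the example.

```python
import struct

# Constructed sample: the preamble from the page, written with real NUL bytes.
# <null> client-user<null> server-user<null> terminal/speed<null>
SAMPLE_HANDSHAKE = b"\x00coder\x00spoof\x00vt100/9600\x00"

WINDOW_CHANGE_LEN = 12          # RFC 1282: FF FF s s rr cc xp yp
WINDOW_CHANGE_MAGIC = b"\xff\xff"


def parse_rlogin_handshake(data: bytes):
    """Split the rlogin connection preamble (RFC 1282) into its four
    NUL-terminated strings.

    Returns (fields, bytes_consumed). Raises ValueError when the preamble is
    truncated or violates the RFC (first string must be empty, the other
    three must be non-empty), which is what a defender wants to reject early.
    """
    fields = []
    pos = 0
    for _ in range(4):
        end = data.find(b"\x00", pos)
        if end == -1:
            raise ValueError("truncated rlogin preamble")
        fields.append(data[pos:end])
        pos = end + 1
    if fields[0] != b"":
        raise ValueError("first string must be empty")
    if any(f == b"" for f in fields[1:]):
        raise ValueError("client user, server user and terminal/speed must be non-empty")
    term, _, speed = fields[3].decode("ascii", "replace").partition("/")
    return {
        "client_user": fields[1].decode("ascii", "replace"),
        "server_user": fields[2].decode("ascii", "replace"),
        "terminal": term,
        "speed": speed,
    }, pos


def build_window_change(rows: int, cols: int, xpixels: int, ypixels: int) -> bytes:
    """Encode the RFC 1282 window-change control sequence (network byte order)."""
    return WINDOW_CHANGE_MAGIC + b"ss" + struct.pack("!HHHH", rows, cols, xpixels, ypixels)


def find_window_changes(stream: bytes):
    """Scan a client->server data stream for in-band window-change sequences.

    Only the "ss" flag is defined by the RFC; an FF FF cookie followed by
    anything else is skipped rather than decoded, since the RFC defines no
    other control messages.
    """
    found = []
    i = 0
    while True:
        i = stream.find(WINDOW_CHANGE_MAGIC, i)
        if i == -1:
            return found
        seq = stream[i:i + WINDOW_CHANGE_LEN]
        if len(seq) == WINDOW_CHANGE_LEN and seq[2:4] == b"ss":
            rows, cols, xp, yp = struct.unpack("!HHHH", seq[4:])
            found.append({"offset": i, "rows": rows, "cols": cols,
                          "xpixels": xp, "ypixels": yp})
            i += WINDOW_CHANGE_LEN
        else:
            i += len(WINDOW_CHANGE_MAGIC)


if __name__ == "__main__":
    fields, used = parse_rlogin_handshake(SAMPLE_HANDSHAKE)
    print(f"preamble ({used} bytes): {fields}")
    # Constructed stream: some typed input around a 25x80 window-change notice.
    stream = b"ls\r" + build_window_change(25, 80, 0, 0) + b"exit\r"
    for wc in find_window_changes(stream):
        print(f"window change at offset {wc['offset']}: {wc['rows']}x{wc['cols']}")
```

The decoder is deliberately strict about the preamble: a server-side monitor that logs the client user name, server user name and terminal type for every inbound connection gives you the same fields the protocol relies on for trust, which is exactly what to watch when reviewing who connected as whom.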

If you want to attack other services, I suggest you get the RFC for that
service (or any other technical source) and study it.


Brecht Claerhout: coder@succeed.net