---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 01 of 12

-------------------------[  P H R A C K     5 4     I N D E X

--------[  Living in SYN

Things that we want for Christmas:

    Functional remote operating system detection.
    Functional remote promiscuous mode detection.
    Functional agent based intrusion detection.

A note about this issue.  Loyal and perceptive readers will notice this issue
is a bit smaller.  There are two reasons for this.  The first is swift
delivery.  We are attempting to make Phrack issues a bit more svelte in order
to pump them out on a more timely basis.  The other reason is quality.  There
is enough garbage out there.  We turn down at least half of all submissions to
bring you the good stuff.  Enjoy.

Rewind to August 1998.  It's Sunday morning in Las Vegas, about 5:00am-ish.
Angstrom and I decide to leave the Hard Rock Hotel.  It's been a long night of
drinking and gambling.  I am up maybe $200.  He's up about $30.  We're both
inebriated beyond repair.  We return to Jackie Gaughan's Plaza Hotel and
Casino, a wretched place where the old go to get older and everyone's got at
least one foot in the grave.  Back to the Future II?  Biff's Pleasure Palace?
Welcome to the Plaza Hotel.

Anyhow, we saunter on in, make our way over to the lounge and find Artimage,
Asriel, Glyph, and Alhambra.*  After some random dialogue (the specifics of
which I have completely forgotten) Asriel tells me I should play some more
Blackjack.

"I only have hundreds." was my reply.  I didn't want to play anymore anyhow.
This was the 6th day of my Vegas stint and I was burnt on gambling.

"<shrug> Bet a hundred then." says As.

"<shrug> Ok."  I caved.

I plop down on an unoccupied blackjack table and plunk my hundred down.  The
dealer was a gentle looking 200 year old man from Laos.

"MONEY PLAYZ!" I say.  I remember being very drunk.

"Money plays?" He questions.  The pit boss wakes up.

"Money plays." I confirm.

"Money plays!" He announces to the pit boss.  The pit boss scribbles in his
book.
Here's where the details get fuzzy.  I can't remember the hand I was dealt,
nor any subsequent cards.  All I know is I played textbook blackjack.  That's
all you need to know here.  I played according to the `book`.  I lost that
hundred.

At that point, my blackjack betting system kicked in.  I lay down 2 more
bills.

"Money playz." I repeat.

"Money plays!" He announces to the pit boss.  The pit boss scribbles something
else in his little book.

My system is simple and almost foolproof.  Bet small when you are just fucking
around.  Bet big when you want to win big.  Lose a big hand?  Double your bet.
Lose again?  Double it again.  Lose again?  Goto 1.  The odds in blackjack
tend to hover around .05% house favor (this can vary widely depending on
several factors including the type of blackjack, the number of decks, the
skill of the player, whether or not the player counts cards, the card counting
scheme used, etc**).  Eventually, odds are, you will win all your money back,
AND THEN SOME!***  Of course, this relies on both your bankroll and the table
maximum being unlimited.  Small details I usually overlook.

So I lose the 2 hundred.  THE SYSTEM IS STILL IN FULL EFFECT.  I plunk down
another 4 small.

"Money plays?" The dealer muses.  I nod.

"Money plays."  The pit boss scribbles.

I lose another hand.  Bye-bye 4 hundred.  Asriel is laughing at this point.

"Dude, I think you should quit now." He offers.

"Nah.  I'm not done yet."

Hrm.  Time to gather my thoughts.  No more namby-pamby.  Time to separate the
armchair gamblers from the hard-core haggard idiot types who end up having to
live in Vegas.  I peel off 10 hundreds.  1 large is placed in that little
betting circle thingy.

"Money plays."  The pit boss scribbles, onlookers gawk, I pray.

Now this hand I remember distinctly.  First card: an 8.  Hrm.  Second card:
a 6.  Ugh.  Dealer shows an 8.  FUCK.  Oh.  Good.  Well, that's $1700 well
spent in about 2 minutes.  Well.  I had to hit.  I get a 6.  Wow.  WOW!
Dealer flips his hold card.  A 10.

"HAHAHAHHAHAHAHAHAHA" I proclaim.

"10 blacks out" The dealer shouts.  The pit boss stops writing.

"Want to be rated?" He asks.

"Nope!  Bye!"  And off I went to cash out.

*   http://www.infonexus.com/~daemon9/PIX/Misc/defcon6/r00tdinner%2b/latenite3.jpg

**  Actually, playing basic strategy alone can sometimes give you pretty
    close to even odds (or even better than even).  Usually, however, you will
    find that you will need to count cards in addition to basic strategy to
    have a real advantage.

*** Assoc. Editor's note: If you take this advice, chances are you'll be a
    very upset and angry gambler come next Defcon.  Whine to route when you
    can't afford a hotel room, not me.  Maybe he'll let you sleep on his
    floor.

A special shout-out to Ron Rivest.  It has worked its way down the grapevine
that he reads Phrack.  Add one more to the Super Elite People That REad Phrack
(SEPTREP) list.  If you are or know one of these people, please send email to
the editor to be added to the list (See linenoise for the list).

A word of caution about P54-06 and P54-10: If you attempt to apply the kernel
patches for these articles in succession on the same system, the second one
will fail at the syscalls.master file.  You will need to patch this by hand.
It's not hard.  Go ahead and try it.  I trust you.

Enjoy the magazine.  It is by and for the hacking community.  Period.
-- Editor in Chief ----------------[ route
-- Associate Editor ---------------[ alhambra
-- Phrack World News --------------[ disorder
-- Phrack Publicity ---------------[ dangergirl
-- Phrack Webpage Guy -------------[ X
-- Phrack Typographical fixer -----[ silitek
-- Phrack Special Consultant ------[ redragon
-- Mad Cow disease ----------------[ sir dystic and dildog
-------- Elite --------------------> daveg
-- Official Phrack/r00t auto ------[ BMW M3
-- Your trusted security advisors -[ p and sw_r
-- Shout Outs and Thank Yous ------[ kamee, vision, artimage, chris, meenk,
-----------------------------------| the former SNI team, n8, phundie, par,
-----------------------------------| radium, k0re, horizon, dhg, mds, mudge,
-----------------------------------| bioh, pm (for the elite dox)

Phrack Magazine V. 8, #54, Dec 25th, 1998.  ISSN 1068-1035
Contents Copyright (c) 1998 Phrack Magazine.  All Rights Reserved.  Nothing
may be reproduced in whole or in part without written permission from the
editor in chief.  Phrack Magazine is made available quarterly to the public,
free of charge.  Go nuts people.
Contact Phrack Magazine
-----------------------

Submissions:            phrackedit@phrack.com
Commentary:             loopback@phrack.com
Editor in Chief:        route@phrack.com
Associate Editor:       alhambra@phrack.com
Publicist:              dangergrl@phrack.com
Phrack World News:      disorder@phrack.com

Submissions to the above email address may be encrypted with the following
key:

As always, ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED.  Phrack goes out
plaintext.  You certainly can subscribe in plaintext.

phrack:~# head -20 /usr/include/std-disclaimer.h
/*
 *  All information in Phrack Magazine is, to the best of the ability of the
 *  editors and contributors, truthful and accurate.  When possible, all facts
 *  are checked, all code is compiled.  However, we are not omniscient (hell,
 *  we don't even get paid).  It is entirely possible something contained
 *  within this publication is incorrect in some way.  If this is the case,
 *  please drop us some email so that we can correct it in a future issue.
 *
 *
 *  Also, keep in mind that Phrack Magazine accepts no responsibility for the
 *  entirely stupid (or illegal) things people may do with the information
 *  contained herein.  Phrack is a compendium of knowledge, wisdom, wit, and
 *  sass.  We neither advocate, condone nor participate in any sort of illicit
 *  behavior.  But we will sit back and watch.
 *
 *
 *  Lastly, it bears mentioning that the opinions that may be expressed in the
 *  articles of Phrack Magazine are intellectual property of their authors.
 *  These opinions do not necessarily represent those of the Phrack Staff.
 */

-------------------------[  T A B L E   O F   C O N T E N T S

 1 Introduction                                         Phrack Staff    22K
 2 Phrack Loopback                                      Phrack Staff    58K
 3 Phrack Line Noise                                    various         90K
 4 Phrack Prophile on the parmaster                     Phrack Staff    26K
 5 Linux and Random Source Bleaching                    phunda mental  174K
 6 Hardening OpenBSD for Multiuser Environments         route           90K
 7 Scavenging Connections On Dynamic-IP Networks        Seth McGann     34K
 8 NT Web Technology Vulnerabilities                    rfp             40K
 9 Remote OS detection via TCP/IP Stack Fingerprinting  Fyodor          58K
10 Defeating Sniffers and Intrusion Detection Systems   horizon        100K
11 Phrack World News                                    Disorder       240K
12 extract.c                                            Phrack Staff    32K

                                                                       966K

-----------------------------------------------------------------------------

"...a bellvue in the mental hospital world of media whore web pages..."

    - xanax on #phrack, 10-13-1998, when asked to comment on Antionline.

"This is not a tool we should take seriously, or our customers should take
seriously..."

    - Edmund Muth, Microsoft, as reported by the New York Times, referring to
      Back Orifice.  (How many thousands of machines were owned with BO?)

*deraadt* your style is so unlike anyone elses, that is makes no sense that
you have this "style"

    - Theo Deraadt, OpenBSD project leader, referring to route's code in this
      issue.

"So I thought of something useful I could do with the money.  I bought a
Nintendo 64 for one of my sisters, who has a slight mental retardation.  The
reason for this was because the doctors have always told us that things to
stimulate her hand eye coordination would help her."

    - Chameloen of the `masters of downloading` "hacking group", commenting on
      why he didn't spend money on medical care for his sister.

-----------------------------------------------------------------------------

----[  EOF