Hackers Handbook - Millenium Edition

home *** CD-ROM | disk | FTP | other *** search

/ Hackers Handbook - Millenium Edition / Hackers Handbook.iso / library / hack99 / sysf15.txt < prev next >

Wrap

Text File | 1999-03-24 | 63.4 KB | 1,268 lines

___________________________________ \__ _____________ ________/___________________________ _____ __/_____ \_ / /_____ \_ , , __________)/ /______ / / / ` / / / /________/ / \/ \/ / / / _______________ ___________/ ______/ \__ , \ ` ` /jp / /______________/ /__________/_____\______/____/______________________/__ \_________________ /______________________________________/ /____/ /__/ /_/ __/ / >> system failure // issue 15 \____/ .----------------------------------------------------------------------------. | System Failure: Issue #15 | `----------------------------------------------------------------------------' We suck. I know, four months ago I said we'd have another issue out in two months. Well, so much for that idea. We've been having difficulties lately, partially due to the laziness of a lot of people (including myself), and partially due to our broke-ass service provider, who we've moved the hell away from. We're hoping for things to stabilize again very soon, and I'm hoping our next issue won't be as delayed as this one was. In the meantime, Merry Christmas! Please rest assured that we aren't dead (as some people have been speculating), we're just disorganized at the moment. :) Thanks to whoever drew the opening ascii (forgive me for forgetting... I'll be happy to give you credit in the next issue if you'll kindly step forward). Have a happy holiday, and enjoy the issue! --Logic Box [12/25/98] .----------------------------------------------------------------------------. | http://www.sysfail.org/ | | [sysfail@syfail.org] | `----------------------------------------------------------------------------' "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." --Benjamin Franklin, 1759 .----------------------------------------------------------------------------. | CONTENTS | | SysInfoTrade by SysFail Staff | | ARP Part III: Network Attacks and Denial of Service by BarKode | | An Electricity Primer, Part I by P3nnyw1se the Clown | | Wireless Ethernet and Its Workings by Saint skullY the Dazed | | Hackers and the Criminal Stereotype by Mr. Sonik | | A General Overview of Open Source Software by SlapAyoda | | An Introduction to the ICMP Protocol by BarKode | `----------------------------------------------------------------------------' <-------+ | SysInfoTrade +----------------> staff@sysfail.org --DefCon dates are in: July 9-11, 1999 in Las Vegas, Nevada. Join in on the fun as Sysfail launches our third annual scavenger hunt, and a frequency hunt! If you have extra little goodies you'd like to donate to our prize bin, e-mail staff@sysfail.org. Thanks to all who helped out last year! --1999 RSA Data Security Conference will be held at the San Jose Convention Center, San Jose, CA January 17-21, 1999 --Whee! The first annual LinuxWorld Conference and Expo will be held at the San Jose Convention Center on March 1-4, 1999. Check out the webpage at http://www.linuxworldexpo.com for more details. --Order the "Thank You for Abusing AT&T" stickers, which were black vinyl with white text. I also made a simple "OWNED" sticker, which is black vinyl with white text. "Tori Do" stickers with penguins on them are also available; white vinyl with black ink. All stickers are $1.00 each plus a stamp. --11/5/98: SSH Communications Security LTD admitted that there was a buffer overflow in its ssh 1.2.26 client. Rootshell holds by their claim that their recent break-in was not from the security hole in SSH. More info can be found here: http://rootshell.com/archive-j457nxiqi3gq59dv/199811/sshkerb.txt.html --Order Tori Do: The Epic from Penguin Palace. Art/Story by Pinguino. $24.00 TORI DO: The Epic- A young penguin martial artist goes on a quest, stepping outside his castle's gates for the first time. He is the Red Avenger, and he is joined by a sarcastic mage, a tag-a-long imp, and a dream, on his journey across the Antarctic terrain. The Red Avenger has been chosen as the protector of the penguins... but can he make it past an evil wizard to claim his title? This enhanced CD contains a soundtrack with jungle/dark ambient songs from RE:, Miguel Q, Solo Jr., and Nick B. It is playable in newer CD players (such as one in your stereo or car). Once you put the CD in your computer, you can use a web browser and fully experience Tori Do: The Epic. --The Communications Assistance for Law Enforcement Act allows law enforcement to wiretap lines, by June 30, 2000. The FCC is now working on figuring out if this applies to IP telephony, since IP telephony is an "information service" rather than a "switched service." --Zarite Inc. and Antionline formed a partnership that gives antionline many new toys: domains galore, an interactive bot on the web, a virtual hacker store, and a hacker search engine based on Infoseek technology. Zarite controls 30% of Antionline. The editor, John Vranesevich, owns 70% plus maintains managerial control. --Xybernaut showed off a wearable PC at Comdex; the pricetag bearing $4995 (excluding display). It's a P200MMX chip, 2gig hard drive, and 32 megs of ram that fits into a box the size of a walkman, attached to your belt. The display can be worn on your headset or your wrist. The unit is capable of speech recognition, and runs both windows and linux. --Gettysburg College: With their children's permission, parents at this college can log on and look at their kid's college transcript, phone bills, and student store purchases, over the web. --11/12/98: In the Microsoft anti-trust trial, the lawyers have resulted in name-calling. If you haven't read about the case yet, now would be the most interesting time to do it. --cDc releases a public beta release of BUTTSniffer, which is a packet sniffer and network monitor for win95, win98, and NT4. It is a standalone executable, and also a plugin for Back Orifice. --ASSOCIATED PRESS: DENVER, Sept. 15, A 28-year-old computer expert is accused of hacking into the US West computer system and diverting more than 2,500 machines that should have been helping answer phones to his effort to solve a 350-year-old math problem, according to documents filed in a federal court. (Thanks to RedBoxChiliPepper for this tidbit) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ARP Part III: Network Attacks and Denial of Service by BarKode (barkode@sysfail.org) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- You glared at part one, chuckled at part two, and now we have part three of the ARP trilogy. Today we learn how all that seemingly boring techno-babble in the first two articles affects the security of your local ethernet, and we'll cover the basics of some network attacks, and the always fun good o' session hijacking. Prerequisites for reading this: 1) You have read part one and two several times and have a good understanding of the content, or are already familiar with ARP. 2) You have some idea about how IP-based networks function. Acknowledging that, take into consideration that while this covers what most would consider intermediate IP networking theory, I'm going to focus this article towards those who probably have only read part one and two and have a basic idea of how IP networks function. Also, know that what we're talking about here is 50% implementation specific and 50% protocol specific. While the general ideas here are sound and are applicable in some way to IP networks of any type, every implementation is slightly different, and you will experience that a method that may work fine on one operating system may not work at all on another. For instance, ARP caching techniques vary from platform to platform, so methods on a Linux machine with static ARP entries compared to a Cisco router are totally different. *************************** (Note: For all these examples, there are no switches, smart hubs, etc., implemented on the network in question.) (Note 2: If you wish to actually do some of what you see here, I suggest grabbing a copy of send_arp, an ARP forging application that's been floating around the net, and I've modified it a bit. It should be on www.sysfail.org soon after this article is published. If not, e-mail me.) Situation 1: You are on a ethernet at a small office. Another employee has picked up a copy of 2600 from the local Barnes and Noble. After spending 3 days OCRing code out of the book, he has managed to compile a copy of teardrop on the only Linux box at the office (the dial-up server, "RAS"). He thinks it's really funny to crash the unpatched print server all day whenever you need to queue up some invoices. Knowing that he's telnetting into the machine and logging in as root, and also knowing that his machine is the only machine in the office that has access to do that, you figure it would be just keen to somehow trick the server into thinking that you are coming from Joe's machine. Situation 1 Low-Down: We need to spoof a connection from "joe" to "server", and we are on "tom". We need to not take "joe" off the network or cause any funny messages to pop up on the screen. Here's our network layout: Full Class C: 192.168.0.x Netmask: 255.255.255.0 ------------------------------------------------------------------------------ | | | | | | | | * * * * Printer Server Tom Joe 192.168.0.5 192.168.0.1 192.168.0.2 192.168.0.3 (Linux) (Linux) (Windows) (0:0:0:0:0:01) (0:0:0:0:0:02) (0:0:0:0:0:03) You have made the intelligent choice to install Linux on your other drive on "tom". Your network is working fine, and you can communicate with all your other machines. Somehow, you need to make "server" think that you are telnetting to it from "joe". You've already sniffed the unencrypted root password "hork" from the local ethernet. Let's take a look at what happens when joe telnets to server. **** 0:0:0:0:0:03 ff:ff:ff:ff:ff:ff 0806 42 arp who-has 192.168.0.1 tell 192.168.0.3 0:0:0:0:0:01 0:0:0:0:0:03 0806 60 arp reply 192.168.0.1 is-at 0:0:0:0:0:01 0:0:0:0:0:03 0:0:0:0:0:01 0800 62: 192.168.0.3.1029 > 192.168.0.1.23: S 21441998:21441998(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 32010) 0:0:0:0:0:01 0:0:0:0:0:03 0800 58: 192.168.0.1.23 > 192.168.0.3.1029: S 2811556923:2811556923(0) ack 2144199 win 32736 <mss 1460> (ttl 64, id 175) *** What we have here are four separate packets initializing a telnet session. First packet: ARP request: get HW address of IP to connect to Second packet: ARP reply: Here's the hardware address requested from "server" Third packet: I want to telnet to you, you listening? Fourth packet: Sure thing bro, acking your port 23 request, let's go. We're not concerned about the latter two packets, just the first two. The ARP request/reply pair. If we can somehow convince server that it wants to send packets destined for "joe" to "tom", we're in business. Sounds easy enough, and in a way that's true. But there are several obstacles to overcome. You might say, "let's just assume the IP address of joe." That won't work. You'll have two machines responding to the same IP address, you really don't want that. You don't want a message on either box complaining that there's duplicate IPs on the network either. When your machine sees a packet go by, it checks the hardware address stamped on the ethernet packet header. If it's not a match, the packet isn't for us, and we don't care about it. More specifically, the device driver never looks at the destination IP, just the HW address (of course, there are exceptions where some drivers dig more into the packet for various purposes). This can be taken advantage of in numerous ways, and for ARP attacks, it can really come in handy. If we ifconfig up an interface on "tom" with the IP address of "joe", and tell "server" that "joe"'s IP address is located at "tom"'s Hardware address, then server should send packets destined for "joe" to "tom", and it will also accept packets from "tom" thinking that it's "joe", bypassing the IP-based security implemented on "server". Ok. Read that again. * We tell SERVER that the IP address of JOE is really located at the HARDWARE ADDRESS of TOM. Function: Packets from SERVER to JOE will be encapsulated on the ethernet with headers sending it to TOM instead of JOE (instead of the header including the ethernet address of JOE, it will have TOM'S address instead. This means JOE will ignore the packet while TOM will recieve it. SERVER will not know that TOM isn't JOE, because TOM is talking with JOE's IP). How: We send a hand-crafted ARP packet (reply specifically, it can be a request, but we'll get into that another time. The packet would look like this on the wire: 0:0:0:0:0:02 0:0:0:0:0:01 0806 60 arp reply 192.168.0.3 is-at 0:0:0:0:0:02 TOM SERVER ARPREPLY IP OF JOE HWA OF TOM Now, if you try to telnet to SERVER from TOM, you should be able to connect, and it will allow you to log in as root. But wait! We lit up a message on the Windows box on Joe's desk saying that there's an IP address conflict on the network! Busted! There are several things you must take into account: 1) You need to "ifconfig -arp eth<x>:<x>" and set up static ARP entries and routes when you do this. You don't want that interface speaking ARP to anyone unless you make it but you need it to know where to send packets. 2) Doing this *during* an existing session between JOE and SERVER will cause that connection to drop, unless you work fast. 3) You need to be constantly sending poison ARP to SERVER *and* JOE during your attack. As long as you keep telling both machines where to find (er, where you WANT them to find) each other, they won't *ask*. And the less they ask, the better. Situation 2: I want to hijack joe's session to server. How can this be done using ARP as a tool? First off, remember what we said about accidently cutting off Joe's session earlier? Well now that's exactly what we want to do. During a conversation between JOE and SERVER, you inject poison ARP, telling SERVER that you're JOE, and telling JOE that SERVER is the printer or something. Then, you proceed to send a flood of spoofed ACKs to the SERVER, pushing the sequence numbers out of JOE's acceptable window, and by the time JOE finds out what happened, you've already got his end of the connection, and SERVER hasn't even noticed anything funny (I'm not going to cover the insides of TCP sequence numbers today, that's another article. :) ). How this happens: * JOE is talking to SERVER * TOM assumes JOE's IP address. * TOM sends out an ARP reply unicast to JOE saying SERVER is-at 0:3:1:3:3:7 or something, then immediately send a packet to SERVER saying that JOE is-at 0:0:0:0:0:2 (tom's real HW address) * To be on the safe side, you push the sequence numbers of the session way out of JOE's acceptable range. * JOE is a Windows box and doesn't know what the hell is going on. He's just sending packets looking for SERVER and probably grinding the hard drive or showing a little animated paperclip that says "Click here to learn more about session hijacking" which just points to a broken link on microsoft.com. * Meanwhile, TOM is re-synching the connection to SERVER, and as far as SERVER is concerned, the connection was just broken for a moment, and now is better, and will gladly talk to TOM in the place of JOE, considering that the IP is right and that TOM's HW address maps to that IP in the arp table on SERVER. * JOE is still a Windows box and at this point Windows telnet will bring up a message like "Lost Connection" and probably lock up telnet because it's so poorly coded and has no emulation and... anyway.... * TOM has full control over the connection and SERVER couldn't be happier about it. JOE just sits there and plays a neat screen saver and grinds the hard drive every couple minutes. I will probably be writing an article specifically on this topic, as I'm not going to cover this more specifically in the scope of this article. Situation 3: I just picked up 2600 at Barnes and Noble. I want to be a hacker. My 6th grade computer teacher is a real dork and I want to make the network not work right n stuff. I tried mashed potatos in the power outlets but I got in trouble. What can I do? Well, good news for you. ARP can cause all sorts of problems on a network. If you haven't figured out how this is possible yet, I'm not sure what to tell you, read the article again and maybe you'll think of a way you could make computers on a network not able to talk to each other using ARP. I hope you enjoyed, and should you have any questions, email me. -bk Billy: "Mom! Sally hijacked my irc session and made me say stuff!" References: I. "TCP/IP Illustrated, Volume 1: The Protocols" W. Richard Stevens, January 1994. (Addison-Wesley Professional Computing Series). ISBN:0201633469 II. "Playing redir games with ARP and ICMP" MESSAGE THREAD: document sections reviewed were authored by Yuri Yolobuev =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- An Electricity Primer, Part I by P3nnyw1se the Clown (p3nnyw1se@hotmail.com) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- The first of (hopefully?) many articles on electricity. Tell me what you think. But only if you have something nice to say; didn't your mother teach you anything? Please, enjoy. I will not be held responsible for your stupidity. Don't come crying to me if you stick your tongue in an electrical outlet or decide to bring your toaster in the shower with you. I will have absolutely no sympathy for you, and to add insult to injury, I will laugh at you. So there. CHAPTER 0: PREFACE ------------------ Section I - Ranting and Raving Most people don't understand electricity. Some know a little about what to do in a lightning storm, or how to reset their circuit breaker if a fuse blows, but the vast majority couldn't explain to you what exactly it is or does. Most never even question it. They take for granted their computers, televisions, toasters, espresso machines, hair dryers, calculators, and many other of life's conveniences. They don't even THINK about electricity until they get pissed off when the power goes out and they can't take their hot shower in the morning. In order to truly understand the electronics we use every day (and computers, specifically), we need to at least have a good knowledge of how electricity works and some of the main concepts. Section II - Requirements I think it only take about three things to learn electricity: 1. Patience. Sometimes you might not understand something right away. And that's okay, just study the chapter again and research some more from other books, and you should be okay. 2. Math. Teaching you algebra is WAY beyond the scope of these articles. I will be assuming you have at least a 9th grade math level. 3. Desire. I can't make you learn anything; you have to want to. Section III - How to Use These Articles This is a series of articles. In each article there will usually be two or three chapters. The chapters are split up into sections. The best way to learn the material is to read around one chapter a day, and only continue when you understand all of the material in the previous chapter. CHAPTER 1: BASICS OF ELECTRICITY -------------------------------- This chapter will introduce you to the very basics of electricity. I think this is probably the most important chapter, because it should hopefully give you an idea of just what and how electricity operates. Section I - Protons, Neutrons, and Electrons Matter is defined as anything that occupies space and has weight. Your mother is an example of very large matter. Other examples of matter are the air you breathe, the root beer you drink, and your pet turtle. All matter is built with atoms. An atom is the smallest basic unit of matter. For many years, atoms were thought to be the smallest thing in existence. Then they discovered sub-atomic particles inside the atom. I know what you're saying: "I learned all this crap in Mr. Smith's 8th grade science class!" True, but you were too busy staring at the breasts of the girl sitting next to you, so pay attention. The atom is built with a nucleus at the center and other, much smaller, particles called electrons circling the nucleus. The nucleus contains positively charged particles called protons, and particles with no charge called neutrons (get it? neutral, neutrons?). Electrons are negatively charged. Each atom has a different number of protons in the nucleus. The number of protons determines its atomic number. For example, copper has 29 protons, therefore its atomic number is 29. Atoms also have weight. The atomic weight of an atom is determined by the mass of the atom. Only protons and neutrons contribute to the mass. Because a proton is approximately 1,845 times the size of an electron, the electrons really don't affect the mass at all. Hydrogen (the only atom with no neutron at all and only one proton) has an atomic weight of 1.0079, compared to iron's atomic weight of 55.847. The way the electrons orbit around the nucleus is not random. They orbit in circles called shells. The innermost shell is designated K, and the rest, going outward, are L, M, N, O, P, and Q. Each shell can only have a certain number of electrons (FIGURE 2-1). If the first shell, K, has all the electrons it can fit, the electrons go to the next shell, and so on. .--------------------------------------------------------. | Shell Designation | Total Number Of Electrons Possible | |-------------------|------------------------------------| | K | 2 | | L | 8 | | M | 18 | | N | 32 | | O | 18 | | P | 12 | | Q | 2 | `--------------------------------------------------------' FIGURE 1-1: Number of electrons each shell can hold. The outermost shell with electrons contained within is called the valence shell. The number of electrons this shell contains is this atom's valence. The farther away the valence shell is from the nucleus, the weaker the strength of the orbit is, so it's easier for an atom to gain or lose electrons. It's also easier to gain or lose electrons if the shell isn't full. An atom that has the same number of protons and electrons is electrically balanced (remember, neutrons have no charge). When an electrically balanced atom receives or gives an electron, it is no longer electrically balanced. When an electrically balanced atom receives an electron, it is negatively charged, and is called a negative ion. When an electrically balanced atom gives an electron, it is positively charged, and is called a positive ion. This process is called ionization. Section II - Conductors and Insulators If these electrons in the valence shell gain enough energy from an external force, they can leave the atom and become free electrons, moving from atom to atom. Materials that have many free electrons are called conductors. Many metals are examples of conductors. (FIGURE 1-2) Often times copper is used because of its good conductance and its relatively low price. .-----------------------------------. | Common Conductors | |-----------------------------------| | Silver | | Copper | | Gold | | Aluminum | `-----------------------------------' FIGURE 1-2: Metals are good conductors. (Listed in the order of their conductance) Insulators are the exact opposite of conductors. They are materials that have very few free electrons. Insulators can absorb electrons from other atoms to fill their valence shell, and therefore eliminate free electrons. (FIGURE 2-3) .-----------------------------------. | Common Insulators | |-----------------------------------| | Mica | | Glass | | Rubber | | Air | `-----------------------------------' FIGURE 1-3: Materials used as insulators (Listed in the order of their insulation) Section III - A Brief Look at Current Electrons move from negatively charged atoms to positively charged atoms. This movement or flow of atoms is called current. The symbol for current is I. The amount of current is the sum of the charges of the electrons moving past a single point. To measure the amount of charge we use coloumbs. The symbol for the coloumb is C. Because electrons have so little a charge, the charge of 6,280,000,000,000,000,000 (or 6.28 * 10 ^ 18) electrons is one coloumb. If one coloumb of charge moves past a single point in one second, that is called an ampere (or sometimes just an amp). The symbol for the ampere is A. Current is measured in amperes. Section IV - Use the Force, Luke (A Brief Look at Voltage) Voltage, difference of potential, and electromotive force are all terms that mean the same thing. Basically, when there is a group of atoms with lots of electrons and another group of atoms with a small amount of electrons at the other end, connected by a conductor, current will flow. The force that makes current flow is called voltage. The work done in a circuit is the result of voltage. The symbol for Voltage is E (for EMF, or electromotive force). The unit for measuring voltage is called a volt. The symbol for the volt is V. One volt is the potential applied to a circuit to cause one ampere of current to flow through a conductor whose resistance is one ohm (we will deal with ohms and resistance in the next section). Section V - A Brief Look at Resistance Some greedy little atoms don't like to give up their electrons without a fight. They are said to resist the flow of current. This opposition to current flow is called resistance. The symbol for resistance is R. There is no material that has NO resistance. However, some materials have more resistance than others. Some materials have very little resistance, and are called conductors. (FIGURE 1-2) Other materials have plenty of resistance, and are called insulators. (FIGURE 1-3) Resistance is measured in ohms. The symbol for the ohm is the Greek letter omega. One ohm is the amount of resistance that allows one ampere of current to flow when one volt is applied. CHAPTER 2: SCIENTIFIC NOTATION ------------------------------ If you already know what scientific notation is and how to use it, then go ahead and skip this chapter, but it certainly wouldn't hurt to review it. Definetly read this if you're not familiar with scientific notation. Section I - What is Scientific Notation, Anyway? Scientific notation is an easy way to express very large or very small numbers. We use these type of number many times in electricity. The format for scientific notation is a single digit number being multiplied by a power of ten. For example, 1002 in scientific notation is 1.002 * 10 ^ 3. Section II - Reading and Converting Scientific Notation Reading a number in scientific notation is as easy as a drunk cheerleader at a high school party. First, we need to take a look at whether the exponent is positive or negative. Positive means to move the decimal point to the right, while negative means to move the decimal point to the left. For example: 3.1337 * 10 ^ 4 = 31,337 All we had to do was move the decimal point to the right (the exponent was positive) 4 places (the exponent was 4). But let's take a little trickier number: 7 * 10 ^ -9 = .000000007 Because the exponent was negative, we move the decimal point to the left however many times that is indicated, in this case nine times. An ampere is a large unit of current, and is not often used in circuits. Commonly, something smaller, such as a milliampere or microampere are used. A milliampere is 1 / 1,000 the size of an ampere, and a microampere is 1 / 1,000,000 the size of an ampere. In other words, it would take 1,000 milliamperes to equal the amount of current as one ampere. There are many other commonly used prefixes. (FIGURE 2-1) .------------------------------------------------------. | Prefix | Symbol | Value | Power Of Ten | |--------|--------|---------------|--------------------| | Giga | G | 1,000,000,000 | 10 ^ 9 | | Mega | M | 1,000,000 | 10 ^ 6 | | Kilo | k | 1,000 | 10 ^ 3 | | Milli | m | .001 | 10 ^ -3 | | Micro | µ | .000001 | 10 ^ -6 | | Nano | n | .000000001 | 10 ^ -9 | `------------------------------------------------------' FIGURE 2-1: Commonly used prefixes; their symbols and values. So, for example (using FIGURE 2-1) how many volts are there in five megavolts? 1,000,000 V X V ------------- = ------ (1,000,000 megavolts = 1 volt) 1 MV 5 MV 1,000,000 X ----------- = --- 1 5 1 * X = 5 * 1,000,000 (Cross multiply) X = 5,000,000 V So there are 5,000,000 volts in a megavolt. For some more practice, how many amperes are their in 42 milliamperes? 1,000 mA 42 mA ---------- = ------- (1,000 milliamperes = 1 ampere) 1 A X A 1,000 42 ------- = ---- 1 X 1,000 * X = 1 * 42 (Cross multiply) 1,000 * X 1 * 42 ----------- = -------- (Divide both sides by 1,000) 1,000 1,000 X = .042 So there are .042 amperes in a milliampere. CHAPTER 3: CURRENT ------------------ Current, the movement of electrons from one atom to the next, is an important thing to understand when working with electronics. Section I - Laws of Electrostatic Charges Current, as defined earlier, is the movement of electrons. The force that moves them is voltage. Anyway, let's take a look at the laws of electrostatic charges: 1. Unlike charges attract. 2. Like charges repel. Easy enough. This means that an electron would be attracted to a proton, but a proton and a proton or an electron and an electron would repel each other. Because the negatively charged electrons are attracted to the positively charged protons, the electrons continue orbiting the nucleus of an atom. The centrifugal force keeps the electrons from just smacking into the nucleus. Because a single electron has a charge very, very, small we measure the charges in coloumbs, which is the charge of 6.28 * 10 ^ 18 electrons (see chapter two for a review of scientific notation if you're confused by that number). The symbol for the coloumb is C. Section II - The Flow of Current When an area has lots of positively charges atoms, and another area has lots of negatively charged atoms, and they're connected by a conductor, the electrons will move from atom to atom. That long sentence could be shortened by saying: When there's a difference of potential, current will flow. The unit of measurement for current is the ampere. The symbol for the ampere is A. An ampere is the amount of current when one coloumb of charge moves past a point in one second. A formula we could use to describe this: Q (I is current in amperes, Q is quantity of electrical charge in I = --- amperes, t is time in seconds) t So, using the above formula, how many amperes are present in a circuit if 15 coloumbs moves past a point in 3 seconds? 15 I = ---- (Filling in the numbers for the variables) 3 I = 5 So the current would be 5 amperes. Let's try a harder one: A circuit has 19 amperes of current. How long would it take for 7 coloumbs to move past a point in the circuit? 7 19 = --- (Filling in the numbers for the variables) t 19 7 ---- = --- 1 t 19 * t = 1 * 7 (Cross multiply) 19 * t 1 * 7 -------- = ------- (Divide both sides by 19) 19 19 t = .368421052 So the time it would take would be about .36 seconds. If electrons are added to one side of a conductor, and electrons can be taken away from the other side, current will flow through the conductor. These electrons will move from one atom to the next, bumping that electron onto the next atom, etc, etc. So no one electron moves very far, they just knock the next electron onto the next atom. Because of the law of electrostatic charges, current flows from negative to positive. Although the movement of electrons is slow, each individual electron moves very fast (the speed of light, or 186,000 miles a second). The device that will take electrons from the positive side and reapply them to the negative side is called a voltage source (commonly a battery). =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Wireless Ethernet and Its Workings by Saint skullY the Dazed (skully@sysfail.org) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- By now most of you have probably heard about wireless ethernet devices from companies such as Breezecom and Airolan. But you may not understand how they work and why. The purpose of this article is to get you familiar with them (specifically Breezecom's, which I have the most experience with) and explain how they accomplish certain things. 1. What these devices are ------------------------- Wireless ethernet devices are usually a little box with a power cord, 10bT port, and an antenna port of some kind. They will usually be very dumb (forwarding all traffic both ways), or fairly intelligent (forwarding only certain traffic, and possibly even some firewalling abilities). Most will forward whole ethernet segments (making the two segments transparent to one another), although some are designed specifically for single workstations. These will be described in detail below. 2. How they work ---------------- Since I'm very familiar with Breezecom, slightly familiar with Airolan, and not at all familiar with other brands, I'll describe how Breezecom's devices work. The theory is sound for all wireless ethernet devices though. Basically, the wireless device (radio) uses a standard RJ-45 patch cable, which is then plugged into either a machine or a hub (depending on the radio, it will either use a straight through or crossed cable). Then, the radio communicates with its peer via the antenna port, which can either have an omnidirectional antenna (anywhere from 4" to 36", depending on the distance) or an unidirectional antenna (not unlike a microwave antenna). The Conifer DB-24 is a commonly used unidirectional antenna (24db, about 36"x12" aluminum). The peer--usually a bridge, or in the case of Breezecom equipment, what's known as an Access Point (AP)--can handle several radios. This bridge then connects to the network via another RJ-45 patch cable. For those who grill on ascii charts, here goes an attempt. --------------- --------- ----------- ----------- --------- ----------- | Workstation |-| Radio |-| Antenna |-| Antenna |-| Radio |-| Network | | or Hub |-| 1 |-| 1 |-| 2 |-| 2 |-| | --------------- --------- ----------- ----------- --------- ----------- Now then, with Breezecom equipment, Radio 1 can be one of two different radios. It will either be what's known as a Single Access radio (SA) or WAN Bridge (WB). Now then, how do you know if you need an SA or a WB? Well, the SA has software that checks the hardware (mac) address of the machine it's plugged into and will not forward any packets destined for/from mac addresses other then the one it was initially plugged into. This means that an SA can not be plugged into a hub (using a crossover cable) and used as a WB. The WB, on the other hand, can be plugged into a hub, and has been factory wired to use a straight through cable for plugging into a hub. It does *not* check mac addresses and will forward packets from any mac address to the rest of the network and vice-versa. The WB also has it's own mac address (whereas the SA assumes the mac address of the interface it's plugged into) and can be assigned an IP. This makes the WB preferrable for a corporate environment, while the SA is designed more for end-users. Now then, Radio 2 is an AP. The AP is designed to connect to multiple SA/WB's for the purpose of linking multiple segments to the main ethernet segment. This allows a corporation with several buildings, for example, to have on AP about the middle of their campus with a large omni-directional antenna and then each building with its own WB and localnet setup. Not only does this allow the company to avoid running expensive fiber between buildings, but it allows them to easily add more buildings and links as necessary. This also lets them use NetBeui or IPX/SPX transparently across segments. 3. How they're managed ---------------------- Wireless equipment, being networked devices, must be able to be configured. Breezecom has included two ways that their radios can be managed, either through a serial console (9600, N81, no flow control), and for the AP and WB's, SNMP (aka, Security Not My Problem). Obviously, by using only the serial consoles, you limit any security problems that may exist, but in a network with many radios, that's not always practical. Fortunately, Breezecom's SNMP traps seem to be fairly secure. A. Serial Console The serial console operates in much the same way serial consoles act. You connect the terminal, fire it up, and start configuring. It's a simple menu with most screens having options numbered sequentially. The basic functions are as followed: 1. System Setup (IP addy, ESS ID) 2. Advanced Setup (Filtering certain protocols, SNMP on/off) 3. Maintenance (Various Logs, packets sent/received/dropped) 4. Security Level (User/Admin, password) The menus are all self-explanatory, and after five minutes of exploring, you should be able to find most anything you want. Obviously, if someone has several SA's out there, they don't want their users to be able to reprogram at will, hence the security level and optional password. B. SNMP Management Everything available on the serial console is also available via SNMP. As do most SNMP-managed devices, the Breezecom radios have two communities, private and public. Access to the private community is controlled via the password, although everything in private is available read-only in the public community (from what I've found, at least... I've not had time to thoroughly examine all the SNMP stuff). In my case, I was working for an ISP using Breezecom radios with the AP's 75 feet up a tower. SNMP management was very nice because occasionally we'd have a WB flake out and stop forwarding packets, at which point we'd use the SNMP software to reset it rather then driving 10 miles to the site, climbing 75' and resetting it by hand. On the downside, SNMP is not the most secure protocol in the world, and can be sniffed for the password. 4. Problems With Wireless ------------------------- Wireless ethernet in and of itself has many problems, including limitations of ethernet and protocols such as TCP/IP and ARP. The radios should be able to limit the problems (for example, IP spoofing), but they don't. The only problem they avoid is spoofing ARP packets (since ARP is based on the mac address, not the IP address). You can still smurf, spoof IPs, assume others' connections, and generally wreak havoc with the network fairly anonymously. We'll go into a few problems and how the radios could theoretically prevent, or at least minimize, damage that can be done. A. Spoofed IPs While it may not be beneficial to everyone, if the radio would monitor TCP traffic (it has native TCP support) and only allow the traffic for a certain IP across, as well as the mac addy, this would avoid a whole slew of problems. Most routers are configured to not allow spoofed IPs. These radios should have the same configuration option. Naturally, for purposes of subnets (which can be done with SA's), you would want this off, but for the purpose of a single workstation it should be an option. Actually, this would fix most of the problems I was thinking of. B. Network Sniffing In my experience with these radios, I can see everything on the segment, just as if I were connected directly to the hub. This can be both good and bad. Bad in the sense that anyone can sniff the network for passwords (think you're ok there? Do you use telnet, pop3, snmp?), but I'm sure that some paranoid admins would like to be able to monitor their network to watch for problems. Now then, again, this could be something that can be configured in the SA. Only allow packets that are destined for ethernet-wide broadcast, and packets for a particular mac address. 5. Conclusion ------------- I do realize that this could be way more complete; however, if I start getting complete I'd probably step on Breezecom's toes a few times. If there's enough interest, and I think I can do it without potentially getting myself in trouble with Breezecom's legal department, I'll write a follow-up that gets into more detail. If you do have a local ISP doing wireless, and they're a fairly decent ISP, I'd heartily recommend it over DSL or cable modems. And if you're in a corporation with multiple buildings trying to find a cost-effective way to network them, definitely don't pass over wireless ethernet without giving it a good look. Despite the security problems that could be avoided with better software, they are a good way to go. Send comments, questions, hate mail, etc. to skully@sysfail.org, as always. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Hackers and the Criminal Stereotype by Mr. Sonik (sonik@sysfail.org) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Sometimes I wonder what the big deal is with people who are labeled as criminals simply for having a hobby that may dabble into some illegal areas. Society is quick to label hackers as criminals, even if the hacker discovers a loophole in the telephony or computer world and exploits it once for learning purposes--not only for themselves, but for the security professionals that are supposed to keep the telephone network and computer systems secure. Society asks "What's the big deal? They break the law, right? They should go to jail." Well, should a hacker get more of a sentence for stealing three dollars in long-distance calls than say, a rapist or a drug dealer? I know I can't influence people with my opinon alone, so I decided to give you some information and let you be the judge. One thing has become very clear: we need to watch out for ourselves, and more importantly, others who share the same interests. We simply can't keep following the road that we are on, or we will crash for sure. So what can we do? Some of the things we can do to help change society's perception of us is to educate people as to what exactly a hacker or phreaker is. We are merely nothing more than hobbyists who choose to explore the outer limits of technology. What's so bad about that? What's the problem with wanting to understand the ins-and-outs of a computer system? Or maybe you would like to understand how the telephone of yours really works. Maybe you could start a computer club or hacker/phreaker club in your area. 2600 meetings are a good example of these types of public gatherings. This also serves as an excuse to get out of the house and meet new people. Maybe you could start a local newsletter or something similar that focuses on the newest trends of the computer industry. Almost anything that you could think of to generate positive attention in your community towards the hacker subculture would be something worth doing. I had heard of people donating their time to building computers out out of outdated hardware to donate to local charities, schools, and needy families. You would be suprised at how excited a poor family gets over an old 286 and a dot matrix printer. When coupled with, say, a 2400 baud modem and free internet access to a shell account, this could make so much more information availible to a family that never had that ability before. And that's what hackers are all about. The spread of information. Anytime someone helps the community in such a way, he is usually always thought of a good person. Imagine what it could do to reduce society's fear of hackers, and at the same time educate them as to the difference between a hacker and a white collar criminal. Imagine how the community would respond to a hacker who is donating time and/or knowledge to the community by teaching computer classes, or educating others about computers and personal security. I know I would feel a whole lot safer if a hacker taught me things about computer security, rather than an underpaid shmuck teaching about a subject they only read about in a book. I urge people to get out and donate their time to the community whenever they can. Chances are, only respect will come your way after doing good deeds for others. These are only some of the things that we can do to combine our knowledge and expertise to help hackers and computer enthusiasts gain a good reputation in the public eye. Remember, you must prove to others that you are a responsible person in order to gain trust throughout society. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- A General Overview of Open Source Software by SlapAyoda (vader@geekbox.net) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Open source software is often referred to as "free software," not because of how much it costs, but because of the way it is freely distributed. The opposite of proprietary software, which is developed only by the company who originally manufactured it, and prohibits unauthorized distribution, open source software is presented with its source code, encouraging users to distribute and contribute to the software. Contributions come in several forms: suggestions, bug fixes, and new ideas. Choosing open source can be a good decision for both the manufacturer and the user. Developers gain the assistance of their user base in coding the program, and the users recieve software that they can modify to, as Eric S. Raymond puts it, "scratch their own itch." Open source software can be very diverse, ranging from games to powerful internet applications that bind together "the web." Currently, open source hardware is being developed, as well as an open source BIOS (http://www.freiburg.linux.de/OpenBIOS/). A small debate has also arisen about treating books with an open source-type policy. Open source software has become a hot topic for discussion on such websites as Slashdot (http://slashdot.org), and in essays such as the excellent "The Cathedral and the Bazaar" by Eric S. Raymond (http://www.redhat.com/redhat/cathedral-bazaar/cathedral-bazaar.html). This article will attempt to give the reader an understanding of the basics of open source software, and will also describe some popular examples of open source software. Linux is an open source operating system that is available for download, at no cost, from many different locations. It is also purchasable in CD form, at a very low price. Linux was developed by Linus Torvalds in 1991, at the Univeristy of Helsinki in Finland. Linux is a POSIX-compliant operating system, and is designed to be a UNIX clone. Linux is made up of two parts: the kernel, which is the core of the operating system, and additional software. Orignally, people installed the Linux kernel by hand, and then installed and used other individual bits of software to do their tasks. Today, most people use distributions, developed seperately by other companies. These distros consist of a current version of the Linux kernel, and useful software packages. It is also a great deal easier to install a distro than just the kernel by itself, and some offer graphical installation programs. The three most widely used distros are Slackware, Red Hat, and Debian, although there are many more. There are many people who use Linux, and the number is increasing now at a faster rate than ever before. These users often make contributions to both the kernel and software. Most users of Linux believe strongly in the open source philosophy. Without it, Linux might not be able to survive. For more information on Linux, visit http://www.linux.org. GNU software is fundamental to the UNIX community. From bash to make to zlibc, GNU software is seen to most as the standard in quality UNIX software. GNU software differs from other software by having its own special license that specifically allows modifcation and distribution by any of its users, under certain circumstances. The GNU General Public License, or GPL, states that users may modify the software as they wish and distribute either the original or modified copy, for a fee if they choose. The one rule that applies to the software, however, is that the person must pass on the freedoms to the person he distibutes the software to. This is called "Copylefting". As opposed to copyrighting, it ensures that users recieve a program that they can modify and distribute. Users also have a signifigant impact on development here, as oftentimes they develop their own versions of current programs to suit their own needs, or they might contribute thier ideas or code to the original manufacturer. For more information on GNU software and the GNU philosophy, visit http://www.gnu.org/gnu/gnu-history.html. BSD, short for Berkley Systems Development, is a term that encompasses several UNIX variants. FreeBSD, NetBSD, and OpenBSD, are three seperate packages, all with separate software, but based on the same version of UNIX, BSD. Similar to Linux, they are open source and POSIX-compliant, but they all vary a bit. All of the BSDs are available for download on the internet, or for purchase on CD. Many people also use and contribute to the BSD efforts. For more information visit http://www.freebsd.org, http://www.netbsd.org, or http://www.openbsd.org. Open source development is not confined to UNIX. Netscape has recently announced that their web browser, which runs in both Microsoft Windows and UNIX, as well as MacOS and other platforms, will now be open source. They have created a specific subset of their company, named Mozilla (http://www.mozilla.org/), to deal with the integration of users' code. This is expected to have a large impact in their continuing battle against Microsoft's Internet Explorer, as Microsoft has decided to not make Internet Explorer open source. Another company that serves the more mainstream operating systems as well as UNIX with a great open source project is Apache (http://www.apache.org/). Apache webservers serve many of the popular websites of today, and run well in Windows and UNIX. They offer some of the best performance around, certainly due in part to the help of countless users who have contributed to the project. A first in the open source community, a small group of people are beginning work on an open source BIOS, named appropriately OpenBIOS. They are planning to create a product that will support a wider range of hardware and also be more geared towards Linux. Recently, they released a very preliminary product that will work on two different chipsets. It looks like OpenBIOS has a bright future ahead of it. For more information, visit http://www.freiburg.linux.de/OpenBIOS. Microsoft is a company notorious for being opposed to open source software. One may speculate that a monetary profit becomes difficult to attain off of open source, as it could be copied freely at no cost to the user. Since Microsoft has already established its primary goal as profit, their stance is only logical. This past Halloween, an office memo of theirs was found and released to the public on the internet. It concerned open source, and how to combat it. It spoke a great deal of Microsoft's strategies on beating Linux, Mozilla, and other competitors. It has been dubbed the Halloween Document, and has caused much havoc within the computing community. For more information, visit http://www.opensource.org/halloween.html. Open source software has a large effect on computing daily. Every user of the internet makes use of open source software without even knowing it. For example, bind--a program that converts numeric IP address to hostnames. Without it, users would have to memorize IP addresses to know which webpage is which. Sendmail is open source software that delievers a great majority of the internet's mail. The future of open source can only be a postive one. Even without the support of computing giants Apple and Microsoft, developers have shown that they can be successful in producing a good product that will continue and progress by constantly evolving. But open source development can not continue without the support of the community. If you want to get involved in the open source movement, visit one of the pages mentioned in this article. You'll be glad you did. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- An Introduction to the ICMP Protocol by BarKode (barkode@sysfail.org) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Continuing the line of articles about common internet protocols, here's a look into ICMP, or Internet Control Message Protocol. ICMP is an essential protocol on IP-based networks, as IP is not a "reliable" protocol. <EDITORIAL NOTE BY BARKODE> For those of you wondering why I keep writing articles covering the basics of standard internet protocols, it's brought on by a number of things. One of them being that System Failure has changed its focus completely. By the time I joined last year, the group had weeded out articles focusing on crime and "how to rip off the phone company" and such. Gears have shifted towards a technical, intelligent magazine for a larger, more intellectual audience. I sincerely hope that the difference has been noticed. Secondly, demographics (e-mails to SysFail) show a crowd that is new to the scene, and helping those people is an important part of what System Failure is all about. </EDITORIAL NOTE BY BARKODE> ICMP is essential to the operation of an IP -based network for a variey of reasons. IP being "unreliable" (there is no guarantee an IP packet will get to its destination), there must be an error-handling routine. ICMP is that solution. If for some reason a machine can't handle an incoming IP packet, it drops the packet and sends back an ICMP error message to the machine that sent the original packet telling it something is wrong. The most familiar function of ICMP to most people is the Echo Request/Reply set, or "ping" as it's better known. When you ping a machine, you're sending an ICMP message called an "echo request" to that machine. The network layer of that machine will send you back an ICMP "echo reply," if it is so configured to do so. An ICMP packet looks like this: .---------------------------------. | IP Header | ICMP Message Data | `---------------------------------' 20 bytes The actual header of an ICMP packet looks like this: 0 7 8 15 16 31 .-------------------------------------------------. | 8 Bit Type | 8 Bit Code | 16 Bit Checksum | `-------------------------------------------------' The rest of the packet differs between ICMP "types." An ICMP type declares what the function of the ICMP packet is, and how it's to be dealt with by the system. An ICMP "code" is a subtype. For instance, ICMP type "3" code "0" is a "network unreachable" while a type "3" code "1" is a "host unreachable". ICMP type "3" is the "destination unreachable" type. So, when we ping a machine, we create an ICMP "echo request" packet. The type is "8" and code is "0". The packet is created, and assuming you were using an ethernet for this, the packet would look similar to this: 00000000: 00 40 05 16 56 AA 00 00 b4 54 b1 BB 08 00 45 00 00000010: 00 54 54 ed 00 00 40 01 19 d9 d1 AA BB CC d1 BB 00000020: CC EE 08 00 67 74 41 2d 00 00 5a 9b 5b 36 ab 89 00000030: 03 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 00000040: 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 00000050: 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 00000060: 36 37 That's what the packet would actually look like on the wire. Let's break it down, protocol by protocol: 00000000: 00 40 05 16 56 AA 00 00 b4 54 b1 bb 08 00 -- -- |_______________| |_______________| |___| | | | Destination Hardware Source Hardware Protocol (16 bits) Address Address (08 00 == IP) (48 bits) (48 bits) This is the ethernet layer, containing the source and destination hardware addresses for the packet, as well as what protocol is encapsulated within it. In this case, 08 00 means its carrying an IP packet. ____ 8 bit Type of || service field 00000000: -- -- -- -- -- -- -- -- -- -- -- -- -- -- 45 00 ||__ (4 bits, msb) Version (ipv4 == 4) | | (4 bits, lsb) Num. of 32 bit words in header, normally 5 This is the IP layer, which contains information necessary to move the packet from network to network, or machine to machine for that matter. The first 4 bits of the first byte of the header specify what IP protocol is in use. On today's internet, we use IPv4, so this would be a 4. The second, least signifigant 4 bits specify how many 32-bit words are located within this packet. You'll find this is often a 5, because there are most often 5 32-bit words in an IP packet, without options. The second byte is the 8-bit type of service field, which we'll dig into deeper in another article. Assume for now that this field gives more detail as to the application that is sending this data and how it should be handled. 16-bit total length (in bytes) | 3-bit flags, | 13-bit Frag Offset | | | | IP Protocol Type (ICMP) (8 bits) | (16bits) | | | Fragment |(8bit)| (16bits) Source IP (32 bits) | ID | TTL | Checksum | Destination IP (32 bits) _|_ _|_ _|_ | | _|_ ____|____ _______|______ | | | | | | | | | | | | | | 00000010: 00 54 54 ed 00 00 40 01 19 d9 d1 AA BB CC d1 BB | 00000020: CC EE -- -- -- -- -- -- -- -- -- -- -- -- -- -- | |___| | |____________________________________________________| The 16-bit total length is the length of the whole datagram, in bytes. Fragment ID (sometimes just "ID"), Flags and Frag offset will be discussed in another article. The "Time To Live" is the maximum amount of hops this packet can go through before it is discarded and the sender is delivered a message saying that the packet didn't get to its destination. Each hop decrements this field by one before sending the packet along. The protocol type in this case is a "1", specifying ICMP as the protocol in use. The checksum is a matter of one's complement notation against the header on both the sending and receiving machines, and we'll look into this more specifically in the next article. The rest is self-explanatory. Now for the ICMP packet itself. ICMP Type - Echo Request (8) | Identifier - UNIX implementations use the PID | ICMP Code, 0 | of the calling process | | | | | Checksum | Sequence Number | | _|_ ___| _|_ __________________ | | | | | | | | | | 00000020: -- -- 08 00 67 74 41 2d 00 00 5a 9b 5b 36 ab 89 | 00000030: 03 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 | 00000040: 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 ---- 56 bytes of 00000050: 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 | data 00000060: 36 37 | (Variable) ___| The first two bytes are the ICMP type and code, respectively. The checksum works the same as it does for IP. The identfier is set to the PID on UNIX machines, usually. Either way, it's a unique identifier for whatever purpose the machine needs. Using the PID is a good idea, as it allows a machine to determine what process the packet belongs to. Anyone who has used ping knows what the sequence number is. The sequence number is an incrementing number for each packet sent, allowing a process, or person for that matter, to track their packets. The rest of the data is piggybacked onto the packet to pad it to meet the minimum transmission unit for the network media, as well as to send some more data with the packet in order to test speed between two places. The echo reply is then generated, and the packets look very similar. The exceptions being the source/destination HW and IP addresses are switched, and the ICMP type is changed from "8" to "0" (Echo Reply). **** We'll look more into this and other topics in the next System Failure. For those of you that are interested in protocol analyzation, I suggest picking up a good sniffer/network analyzer and watching what goes by on your network. You might find some interesting things, and it's a good way to learn about protocols and their implementation on different operating systems and networks. Hope you enjoyed, and keep those e-mails coming. -bk References: I. "TCP/IP Illustrated, Volume 1: The Protocols" W. Richard Stevens, January 1994. (Addison-Wesley Professional Computing Series). ISBN:0201633469 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Maybe System Failure 16 will be out in early February or so. Who knows. See you all in a couple months. I think. :) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-E-O-F-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-