Archives for : type

    No need to bypass security with a boot disk – 17 year old Windows exploit found

    The problem has been discovered in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

    In addition to the unpatched hole in Internet Explorer, a now published hole in Windows allows users with restricted access to escalate their privileges to system level – and this is believed to be possible on all 32-bit versions of Windows from Windows NT 3.1 up to, and including Windows 7. While the vulnerability is likely to affect home users in only a minor way, the administrators of corporate networks will probably have their hands full this week.

    The problem is caused by flaws in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

    Ormandy has also published a suitable exploit which functions under Windows XP, Windows Server 2003 and 2008, Windows Vista and Windows 7. When tested by the The H’s associates at heise Security, the exploit opened a command prompt in the system context, which has the highest privilege level, under Windows XP and Windows 7. No patch has become available, although Ormandy reports that Microsoft was already informed of the hole in mid 2009. The developer decided to publish the information regardless because, in his opinion, there is a simple workaround: to disable the MS-DOS subsystem.

    The workaround requires users to start the group policy editor and enable the “Prevent access to 16-bit applications” option in the Computer ConfigurationAdministrative TemplatesWindows ComponentsApplication Compatibility section. When tested with these settings by the heise Security team, the exploit no longer functioned. The settings reportedly don’t cause any major compatibility problems for most users while no 16-bit applications are being used.

    Update – The above option is only available through the group policy editor on Windows 2003 systems. Some versions of Windows do not include a group policy editor. As an alternative, users can also create a registry key under HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsAppCompat with a D-Word value of VDMDissallowed = 1. Under Windows XP, to prevent the system from being vulnerable to the exploit, users can place the following text:

    Windows Registry Editor Version 5.00



    into a file called vdmdisallow.reg and double click the file. Windows will then automatically import the key (admin rights are required to perform this action).

    Update 2 - Microsoft has now confirmed the privilege escalation hole in Windows. The company says that it wants to complete its investigation of the vulnerability and will then decide whether, how and when to close it.

    See Also:

    REDMOND — When it rains, it pours. Especially in the Seattle area. Tavis Ormandy has published full details on a privilege escalation hack of all versions of Windows including Windows 7.

    The exploit takes advantage of a bug in the Windows implementation of the ‘virtual DOS machine’ used to run legacy 16-bit programs. The exploit can be avoided by turning the VDM ‘feature’ off but the danger of course is that enough Windows lusers won’t know about the bug and/or bother turning the ‘feature’ off.

    16-bit applications need BIOS support; the Windows kernel supports virtual BIOS interrupts in its ‘Virtual-8086’ mode monitor code. The code is implemented in two stages. The #GP trap handler transitions to the second stage when CS:EIP faults with specific ‘magic’ values.

    The transition requires (subsequent to authentication) restoring the context and the call stack from the faulting trap frame. But the authentication process is flawed, relying as it does on three incorrect assumptions.

    • Setting up a VDM context requires SeTcbPrivilege.The barrier to getting a VDM context can be subverted by requesting the NT VDM subsystem and then using CreateRemoteThread() to run code in the context of the VDM subsystem. The VDM subsystem already has the necessary flag set.
    • Ring 3 (unprivileged) code cannot install arbitrary code segment selectors.Using the two least significant bits of CS/SS to calculate the privilege of a task doesn’t work when it comes to Virtual-8086 mode. The 20-bit addressing (by adding CS << 4 to the 16-bit IP) is also used to map onto the protected linear Virtual-8086 address space. If CS can be set to an arbitrary value, then the privilege calculation can be circumvented.
    • Ring 3 (unprivileged) code cannot forge a trap frame.Returns to user mode are through IRET. An invalid context can cause IRET to fail pre-commit, which in turn forges a trap frame. And even with address randomisation it’s trivial to use NtQuerySystemInformation() to obtain the address of the second stage BIOS handler.

    Affected Systems

    This bug dates back 17 years and affects all systems released since 27 July 1993 – Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. See the links below for further details.

    See Also
    MITRE: CVE-2010-0232
    Windows plagued by 17-year-old privilege escalation bug
    NEOPHASIS: Trap Handler Allows Users to Switch Kernel Stack

    World Clock

    I thought this was cool. It may come in handy for Ham Radio.

    Nmap Examples

    Some Nmap examples I thought I would post.

    Scanning past Watchguard Firewalls: nmap -sS -iL targetlist.txt -P0 -sV -T4

    Verbose Scan: nmap -v

    This option scans all reserved TCP ports on the target machine. The -v option enables verbose mode.

    nmap -sS -O /24

    Launches a stealth SYN scan against each machine that is up out of the 256 IPs on “class C” sized network where Scanme resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and OS detection.

    nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

    Launches host enumeration and a TCP scan at the first half of each of the 255 possible eight-bit subnets in the 198.116 class B address space. This tests whether the systems run SSH, DNS, POP3, or IMAP on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine what application is running.

    nmap -v -iR 100000 -PN -p 80

    Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -PN since first sending a couple probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway.

    nmap -PN -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap

    This scans 4096 IPs for any web servers (without pinging them) and saves the output in grepable and XML formats.

    Instead of limiting ourselves to scanning just one target., let’s broaden our horizon’s to bigger and better things. In example 2 we used our IP address to base a scan against. Using that address again we can get a look at numerous targets in our “community”. At the command line type the following (substituting a valid address of your choice of course):

    nmap -sT -O

    What this does is instruct nmap to scan every host between the IP addresses of and If you happen to find many interesting feedback results from this or a larger scale scan then you can always pipe the output into your choice of a human readable file or a machine parsable file for future reference by issuing the following option:

    To create a human readable output file issue the -oN command into your nmap string so that it would look similar to this:

    nmap -sT -O -oN sample.txt

    Rather have a machine parsable file? Enter the -oM to pipe the output into a machine parsable file:

    nmap -sT -O -oM sample.txt

    *Back when I was becoming aquatinted with all the nmap options, I ran my first large scale scan against 250 consecutive machines using an arbitrary number (nmap -sX -O -oN sample.txt XXX.XXX.XXX.0-250).To my great surprise I was confronted with 250 up and running virgin Linux machines. Another reason why Linux enthusiasts should NEVER become bored.

    -I This is a handy little call that activates nmap’s TCP reverse ident scanning option. This divulges information that gives the username that owns available processes. Let’s take a look (Note that the host has to be running ident). At the command line issue this command against your target, in this case our default Eve running Linux:

    -iR Use this command to instruct nmap to scan random hosts for you.

    -p Port range option allows you to pick what port or ports you wish nmap to scan against.

    -v Use verbosity to display more output data. Use twice (-v -v) for maximum verbosity.

    -h Displays a quick reference of nmap’s calls

    Now that we have looked at nmap’s three basic usage types and some of it’s other options, let’s mix and match them.

    nmap -v -v -sS -O

    This instructs nmap to use a maximum amount of verbosity to run a stealth scan and OS detection against all machines between IP addresses and This command will also require root privileges due to both the -sS and -O calls. Of course this will display a very overwhelming amount of data so let’s log our results into a human readable file for future reference:

    nmap -v -v -sS -O -oN sample.txt

    Now let’s make nmap run a stealth scan and instruct it to look only for machines offering http and ftp services between the addresses of and Once again we will log the output (I’m a log junkie) for future reference into a human readable file called ftphttpscan.txt:

    nmap -sS -p 23,80 -oN ftphttpscan.txt

    Remember the -iR option mentioned previously? Let’s use it to take a random sampling of Internet web servers using the verbatim example from nmap’s man page:

    nmap -sS -iR -p 80

    Last but certainly not least, while gleaning information, don’t forget to nmap yourself. Just type at the command line: nmap This is especially useful and recommended if you’re a newcomer to Linux and connected to the Internet via DSL or cable modem.

    Detect promiscuous network devices or sniffers on a network

    Old versions       nmap –script=promiscuous

    New Versions     nmap -sV –script=sniffer-detect

    How To Hijack Fast Food Drive-Thru Frequencies

    This is an article I found on the Phone Losers site I thought I would copy here so I can give it a go at some stage.

    How To Hijack Fast Food Drive-Thru Frequencies

    A few years back, some friends and I were messing around with a Taco Bell’s drive-thru frequencies. RijilV and isotek showed me how easy it was to hijack the frequencies of just about any fast food restaurant with a very simple mod to a ham radio. The radios they used were Yaesu VX-5 and VX-7 models. We had a few weeks of occasional fun, sitting a few parking lots away and saying all kinds of horrible things to potential fast food customers. For the most part, I didn’t record any of it. But you can find a few clips of our fast food hijinks if you scroll down on the PLA Sound Clips Archive page.

    Finally we decided to capture a bit of our FCC violations on video. But instead of capturing actual customers being harassed by us as they placed an order, I drove through the Taco Bell drive-thru myself with a video camera sitting on the dashboard. As I attempted to place my order, RijilV informed me of some crazy new Taco Bell policies and a manager immediately rushed out to explain to me that I wasn’t actually talking to an employee. Here is that video:

    After spending several years on Google Video and YouTube, it’s been watched approximately 20,000 times. And of those 20,000 people who have viewed it, approximately all of them have emailed me and asked me what kind of radio we used and how can they use a radio to do the same thing. So in the spirit of April 1st and in order to quell the number of emails sent to me and posts on the PLA Forums asking the same thing, I’ve decided to write this tutorial to help those people out.

    But I’m not going to explain how to modify a Yaesu VX5 or a Yaesu VX7. A simple Google search will show you how to modify these ham radios. The problem with these mods is that, even though they’re fairly simple, you have to buy the radios which could cost you anywhere from $200 – $400. Then, after removing a couple solder points, you have to learn how to use it, you have to look up fast food frequency lists, you have to understand the difference between the transmit frequencies and the receive frequencies and you have to scroll through PL tones using trial and error to find the correct one.

    Or how about we do this a different way. A way that uses a couple items that you might already have in your home. You can easily modify most old CB radios in a way that will allow them to transmit directly to drive-thru frequencies. You won’t have to scroll through hundreds of possible drive-thru frequencies, because a CB radio’s channels line up in exactly the same way as most drive-thru’s channels, only at a higher frequency. How do you get your CB radio to run at a higher frequency? A simple replacement of the crystal inside, with a 6.5536 MHz crystal. This triples the megahertz that are broadcast on and there is no learning required. You just take the modified CB radio to a fast food restaurant and start broadcasting to the customers.

    “But RBCP, I don’t have a 6.5536 MHz crystal lying around my house,” you might be whining at this point. But this isn’t true. Just about any house has several 6.5536 MHz crystals in them if you know where to look. This just happens to be the exact same crystal that you can find in electric heaters, hair dryers, electric stoves, curling irons, electric hot water heaters, irons, and toasters. These crystals are in just about any item that has heated coils and are used to control the frequency of the heating elements so that they don’t burn your house down.

    So for this modification you need…

    • 1 CB radio. It has to be a 40 channel CB radio with a digital display, which includes just about any CB radio manufactured after the mid 1980’s. The old 23 channel CBs from the 1970’s will not work. It can even be a walkie talkie CB radio. If you don’t have one, you can find one at Goodwill or a yard sale for probably less than $10.
    • 1 toaster. (Or other item with heating elements inside.) A toaster is the most ideal to use, because it’s almost guaranteed to have the crystal inside of it. It’s more common to find curling irons and hair dryers that don’t. Again, it should be a toaster manufactured within the past 20 years or so. Before that they didn’t have crystal requirements for toaster manufacturers. (And incidentally, there were a lot more electrical house fires back then.) Goodwill will probably have a toaster for less than $10.
    • 1 soldering iron and solder. Don’t worry if you don’t have soldering experience. It’s actually pretty easy. Click here for a soldering tutorial. You can purchase a soldering iron at Radio Shack or Sears for about $10.
    • A few screwdrivers

    Even if you have to buy all these materials, you’re only out $30. That’s a lot better than the $300 you might end up spending on a Yaesu radio. And some of you might already have all these items so you don’t have to pay anything. Ask a friend or a relative if they’ve got an old toaster or CB radio lying around that they don’t need.

    First you’ll want to take apart your toaster. This isn’t too hard. Just flip it upside down and start removing the screws. You’ll probably need to pull off the plastic lever and knobs before you remove the top of the toaster. Once you have the top off, you’ll see a green or brown circuit board inside.

    Flip the circuit board down and you’ll see all the components on the other side, including the 6.5536 MHz crystal. The crystal is silver and will have 6.5 stamped on the side of it. In the picture below, I’ve used an arrow to show you where it’s located.

    The crystal is likely in a different spot in other toasters, but it’s hard to mistake for any other electronic component. The crystal will have some form of 6.5 stamped on the side of it. In my toaster, it showed 6.55-12. While the official frequency needed is 6.5536 MHz, anything within 1.6 megahertz will work. So don’t worry if your crystal just says 6.5 or 6.50 – it’s all the same for our purposes.

    It’s kind of hard to see what I’m doing in the picture above, but I’m heating up the leads on the crystal from underneath with my soldering iron to melt the solder, and I’m pulling on the crystal from above with a pair of needle nose pliers. It only takes a few seconds to get the crystal out of the toaster.

    Now that the crystal is out of your toaster, throw your toaster away! Do not attempt to use it once the crystal is removed. Remember, the crystal is in there for safety and using your toaster without the crystal could burn your toast and/or start a kitchen fire. It’s likely your toaster won’t even turn on with the missing crystal, but please don’t even try. Just throw it away.

    As I mentioned before, just about any brand and model of CB radio will work, as long as it has the digital display on it. Which means, just about any CB radio manufactured after the mid 1980’s. These are the kinds of CB radios whose frequencies are controlled by a single crystal inside of them. For my mod, I used a Radio Shack TRC-207 walkie talkie CB radio, which is pictured above. I prefer using a walkie talkie CB radio because it doesn’t requiring sticking a huge CB antenna on the roof of my car which might be noticed if a fast food employee starts looking around the parking lot for the culprits.

    Taking apart your CB radio is just as easy as taking apart the toaster. Remove the screws and pop it open. You may or may not have to lift up the circuit board inside to find the crystal inside. In my particular model, the crystal actually plugged into a socket so I didn’t need to even desolder the old crystal. I just pulled it out with my fingers and then plugged in the new 6.55 MHz crystal. I don’t know how common this is, because in other CB radios that I’ve modified the crystal was soldered to the circuit board, just like in the toaster.

    Put your CB back together and test it to make sure it’s working. You’re finished! Obviously, you won’t be able to talk on normal CB channels anymore since your CB is transmitting and receiving at a much higher frequency now. But who cares, CB channels are lame anyway. Let’s hop in the car and drive to our nearest fast food establishment to test it out.

    Sit near the drive-thru and wait for a customer to pull up. While the customer is talking to the drive-thru speaker, start flipping through your channels until you hear them talking. I’ve found that most drive thrus end up being somewhere in the 16 – 25 channel range. I’ve never found one above channel 30 and only a few on channels 1 through 15. It all depends on how their drive-thru is set up and what frequencies they’re using. Anyway, push down your talk button and start talking to the customer.

    The cool thing about using a CB radio to transmit on drive-thru frequencies is that a CB is designed to work for several miles. The headsets that those fast food people wear are only designed to work for about 100 feet. So you can easily overpower the employees, even if you’re several parking lots away. In fact, you may be inadvertently screwing with several other drive-thrus in town without even knowing it. This is more likely when you’re using the kind of CB radio that’s supposed to be installed in a car. Those usually run on 5 watts and can cover an entire city. This is another reason I like to use my walkie talkie. It’s lucky if it will work for even a mile, so I’m only harassing one restaurant at a time.

    If you found this tutorial useful, you might also enjoy the video I’ve made on the same subject. It includes much of the same information in this tutorial, but also includes actual footage of us messing with a drive-thru with this CB mod. Enjoy!

    You might also enjoy our original Taco Bell Takeover video, our Happy Birthday drive-thru video and our Drive-Thru Shenanigans video.

    icon for podpress PLA TV: Hijacking Fast Food Frequencies [9:12m]: Download (4913)

    Local Copy

    DUKPT Overview and Transaction notes


    I was asked on another post relating to DUKPT to provide some backgound. Given I have lots of material on the subject, I thought I would create this thread. Link


    I will come back at some stage and expand on this when I get time.

    Transaction Process narrative:

    The diagram describes a mobile terminal/ATM is described using the a AS2805 (‘2805’) message type and 3DES DUKPT and dual direction auth SSL from the terminal to the aquirer (transaction switch).

    A good explanation of DUKPT can also be found at Wikipedia.


    Diagram of the flow


    DUKPT transaction flow - terminal to bank

    DUKPT transaction flow - terminal to bank


    Background notes:

    • The terminal or ATM firstly encrypts the user entered pin (may be a unique DUKPT key or static, depending on the design and banks involved) prior to incorporating it into the AS 2805 transaction message.
    • the message is then encrypted again using the DUKPT key which has been established through the merchant logon process within the aquirer Host Security Module (HSM) i.e. the user entered pin is encrypted separately and encapsulated within the DUKPT encrypted 2805 message to provide full message encryption.
    • In the diagram a separate dual authenticating SSL session is also used between the terminal/ATM and the aquirers infrastructure. This allowing the transaction including the pin to traverse the external Wired/GPRS/LAN within 2 primary independent layers of encryption, with a 3rd protecting the PIN.
    • When the transaction enters the aquirer environment the message encapsulation layer provided by SSL is removed.  This leaving the DUKPT’ed 2805 message which also encapsulates the separately encrypted PIN.
    • This encrypted message is passed to the aquirer switch engine through to the aquirer’s HSM for decryption of the 2805 message excluding the user entered pin.
    • This is when transactional information necessary for aquirer’s merchant reporting (truncated card number, transaction amount, transaction type, etc.) and fraud management data is collected.
    • The aquirer switch then passes the encrypted PIN to the aquirer HSM requesting that the PIN be decrypted using the aquirer’s PIN encryption and translated to the next banks (Bank 1)  PIN Encryption Key (Pin translation only occurs within the aquirer HSM) This is then sent back to the aquirer Switch engine as the Bank 1 encrypted PIN.
    • The aquirer switch engine then send the decrypted 2805 message with the newly encrypted PIN back to aquirer HSM to be encrypted with the Bank 1 MAC key.
    • The resultant Bank 1 key encrypted message is then sent to Bank 1 for processing and/or passing to the card issuer (using a similar process as described above).
    • When the result is received back from the issuing bank it is encrypted with the Bank 1 MAC key (the pin will not be present in the result message).
    • This is then decrypted by the aquirer HSM, the transaction fate result stored into the aquirer merchant reporting system and the transaction fate re-encrypted with the original aquirer DUKPT key (should be different per terminal/merchant instance) and the result sent back to the terminal through the original established SSL encrypted terminal connection.

    The aquirer may terminate the the SSL connection on a hardware device such as a CISCO Content Service Switch (CSS), or equivalent instead of the design described in the diagram which terminates onto a SSL session server/gateway (Possibly including a Certificate Authority) or on the aquirer transaction switch.

    When PIN blocks are received by the aquirer processing centre, the PIN encryption is translated from the terminal key to the Local Master Key (LMK) by the Host Security Modules (HSM).

    When the message is sent on the upstream bank interchange link to the issuer or gateway , the aquirer HSM translates the encrypted PIN block from the LMK to the Zone Master Key (ZMK) of the aquirer interchange link. The PIN block is always encrypted using DEA3 (3DES) whenever outside of the Terminal or ATM.

    HSM-8000-User Guide V2.2

    VoIP and SIP links

    I’m looking at the Microsoft OCS server and other SIP integration environments. So I thought I would put the links here for others who were interested. I am also considering the issues associated with Mitel VoIP and OCS integration.

    It would be interesting if the Microsoft OCS could seamlessly allow the use of soft phones and the Mitel VoIP system. I assume a trunk needs to be setup between the two… Anyway something to look at.

    Office Communications Server 2007 VoIP Test Set

    OCS Testing Tool

    Connect Mitel and OCS2007

    Mitel 3300 & OCS – Ring on deskphone and softphone

    Connecting Mitel 3300cx and OCS


    OCS 2007 Best Practices Analyzer

    Cisco Command Cheat Sheet

    I found a list of useful Cisco commands which I though I would post here.


    • Config# terminal editing – allows for enhanced editing commands
    • Config# terminal monitor – shows output on telnet session
    • Config# terminal ip netmask-format hexadecimal|bit-count|decimal – changes the format of subnet masks


    • Config# hostname ROUTER_NAME


    • Config# banner motd # TYPE MESSAGE HERE # – # can be substituted for any character, must start and finish the message


    • Config# description THIS IS THE SOUTH ROUTER – can be entered at the Config-if level


    • Config# clock timezone Central -6
      # clock set hh:mm:ss dd month yyyy – Example: clock set 14:13:00 25 August 2003


    • Config# config-register 0x2100 – ROM Monitor Mode
    • Config# config-register 0x2101 – ROM boot
    • Config# config-register 0x2102 – Boot from NVRAM


    • Config# boot system tftp FILENAME SERVER_IP – Example: boot system tftp 2600_ios.bin
    • Config# boot system ROM
    • Config# boot system flash – Then – Config# reload


    • Config# cdp run – Turns CDP on
    • Config# cdp holdtime 180 – Sets the time that a device remains. Default is 180
    • Config# cdp timer 30 – Sets the update timer.The default is 60
    • Config# int Ethernet 0
    • Config-if# cdp enable – Enables cdp on the interface
    • Config-if# no cdp enable – Disables CDP on the interface
    • Config# no cdp run – Turns CDP off


    • Config# ip host ROUTER_NAME INT_Address – Example: ip host lab-a
    • Config# ip host RTR_NAME INT_ADD1 INT_ADD2 INT_ADD3 – Example: ip host lab-a – (for e0, s0, s1)


    • Config# ip domain-lookup – Tell router to lookup domain names
    • Config# ip name-server – Location of DNS server
    • Config# ip domain-name – Domain to append to end of names


    • # clear interface Ethernet 0 – Clears counters on the specified interface
    • # clear counters – Clears all interface counters
    • # clear cdp counters – Clears CDP counters


    • Config# ip route Net_Add SN_Mask Next_Hop_Add – Example: ip route
    • Config# ip route Next_Hop_Add – Default route
    • Config# ip default-network Net_Add – Gateway LAN network


    • Config# ip routing – Enabled by default
    • Config# router rip
    • Config# router igrp 100
    • Config# interface Ethernet 0
    • Config-if# ip address
    • Config-if# no shutdown


    • Config# ipx routing
    • Config# interface Ethernet 0
    • Config# ipx maximum-paths 2 – Maximum equal metric paths used
    • Config-if# ipx network 222 encapsulation sap – Also Novell-Ether, SNAP, ARPA on Ethernet. Encapsulation HDLC on serial
    • Config-if# no shutdown


    IP Standard1-99
    IP Extended100-199
    IPX Standard800-899
    IPX Extended900-999
    IPX SAP Filters1000-1099


    • Config# access-list 10 permit – allow all src ip’s on network
    • Config# access-list 10 permit host – specifies a specific host
    • Config# access-list 10 permit any – allows any address
    • Config# int Ethernet 0
    • Config-if# ip access-group 10 in – also available: out


    • Config# access-list 101 permit tcp eq telnet
      -protocols: tcp, udp, icmp, ip (no sockets then), among others
      -source then destination address
      -eq, gt, lt for comparison
      -sockets can be numeric or name (23 or telnet, 21 or ftp, etc)
    • Config# access-list 101 deny tcp any host eq www


    • Config# access-list 101 permit ip any any
    • Config# interface Ethernet 0
    • Config-if# ip access-group 101 outIPX STANDARD:
    • Config# access-list 801 permit 233 AA3 – source network/host then destination network/host


    • Config# access-list 801 permit -1 -1 – “-1” is the same as “any” with network/host addresses
    • Config# interface Ethernet 0
    • Config-if# ipx access-group 801 outIPX EXTENDED:
    • Config# access-list 901 permit sap 4AA all 4BB all
      – Permit protocol src_add socket dest_add socket
      -“all” includes all sockets, or can use socket numbers


    • Config# access-list 901 permit any any all any all
      -Permits any protocol with any address on any socket to go anywhere
    • Config# interface Ethernet 0
    • Config-if# ipx access-group 901 inIPX SAP FILTER:
    • Config# access-list 1000 permit 4aa 3 – “3” is the service type


    • Config# access-list 1000 permit 4aa 0 – service type of “0” matches all services
    • Config# interface Ethernet 0
    • Config-if# ipx input-sap-filter 1000 – filter applied to incoming packets


    • Config-if# ipx output-sap-filter 1000 – filter applied to outgoing packets


    • Config# ip access-list standard LISTNAME
      -can be ip or ipx, standard or extended
      -followed by the permit or deny list
    • Config# permit any
    • Config-if# ip access-group LISTNAME in
      -use the list name instead of a list number
      -allows for a larger amount of access-lists


    • Config-if# encapsulation ppp
    • Config-if# ppp authentication chap pap
      -order in which they will be used
      -only attempted with the authentification listed
      -if one fails, then connection is terminated
    • Config-if# exit
    • Config# username Lab-b password 123456
      -username is the router that will be connecting to this one
      -only specified routers can connect


    • Config-if# ppp chap hostname ROUTER
    • Config-if# ppp chap password 123456
      -if this is set on all routers, then any of them can connect to any other
      -set same on all for easy configuration


    • Config# isdn switch-type basic-5ess – determined by telecom
    • Config# interface serial 0
    • Config-if# isdn spid1 2705554564 – isdn “phonenumber” of line 1
    • Config-if# isdn spid2 2705554565 – isdn “phonenumber” of line 2
    • Config-if# encapsulation PPP – or HDLC, LAPD

    DDR – 4 Steps to setting up ISDN with DDR Configure switch type

    1. Config# isdn switch-type basic-5ess – can be done at interface config

    2. Configure static routes
    Config# ip route – sends traffic destined for to
    Config# ip route bri0 – specifies how to get to network (through bri0)

    3. Configure Interface
    Config-if# ip address
    Config-if# no shutdown
    Config-if# encapsulation ppp
    Config-if# dialer-group 1 – applies dialer-list to this interface
    Config-if# dialer map ip name Lab-b 5551212
    connect to lab-b at 5551212 with ip if there is interesting traffic
    can also use “dialer string 5551212” instead if there is only one router to connect to

    4. Specify interesting traffic
    Config# dialer-list 1 ip permit any
    Config# dialer-list 1 ip list 101 – use the access-list 101 as the dialer list

    5. Other Options
    Config-if# hold-queue 75 – queue 75 packets before dialing
    Config-if# dialer load-threshold 125 either
    -load needed before second line is brought up
    -“125” is any number 1-255, where % load is x/255 (ie 125/255 is about 50%)
    -can check by in, out, or either

    Config-if# dialer idle-timeout 180
    -determines how long to stay idle before terminating the session
    -default is 120


    • Config# interface serial 0
    • Config-if# encapsulation frame-relay – cisco by default, can change to ietf
    • Config-if# frame-relay lmi-type cisco – cisco by default, also ansi, q933a
    • Config-if# bandwidth 56
    • Config-if# interface serial 0.100 point-to-point – subinterface
    • Config-if# ip address
    • Config-if# frame-relay interface-dlci 100
      -maps the dlci to the interface
      -can add BROADCAST and/or IETF at the end
    • Config-if# interface serial 1.100 multipoint
    • Config-if# no inverse-arp – turns IARP off; good to do
    • Config-if# frame-relay map ip 48 ietf broadcast
      -maps an IP to a dlci (48 in this case)
      -required if IARP is turned off
      -ietf and broadcast are optional
    • Config-if# frame-relay map ip 54 broadcast


    • Show access-lists – all access lists on the router
    • Show cdp – cdp timer and holdtime frequency
    • Show cdp entry * – same as next
    • Show cdp neighbors detail – details of neighbor with ip add and ios version
    • Show cdp neighbors – id, local interface, holdtime, capability, platform portid
    • Show cdp interface – int’s running cdp and their encapsulation
    • Show cdp traffic – cdp packets sent and received
    • Show controllers serial 0 – DTE or DCE status
    • Show dialer – number of times dialer string has been reached, other stats
    • Show flash – files in flash
    • Show frame-relay lmi – lmi stats
    • Show frame-relay map – static and dynamic maps for PVC’s
    • Show frame-relay pvc – pvc’s and dlci’s
    • Show history – commands entered
    • Show hosts – contents of host table
    • Show int f0/26 – stats of f0/26
    • Show interface Ethernet 0 – show stats of Ethernet 0
    • Show ip – ip config of switch
    • Show ip access-lists – ip access-lists on switch
    • Show ip interface – ip config of interface
    • Show ip protocols – routing protocols and timers
    • Show ip route – Displays IP routing table
    • Show ipx access-lists – same, only ipx
    • Show ipx interfaces – RIP and SAP info being sent and received, IPX addresses
    • Show ipx route – ipx routes in the table
    • Show ipx servers – SAP table
    • Show ipx traffic – RIP and SAP info
    • Show isdn active – number with active status
    • Show isdn status – shows if SPIDs are valid, if connected
    • Show mac-address-table – contents of the dynamic table
    • Show protocols – routed protocols and net_addresses of interfaces
    • Show running-config – dram config file
    • Show sessions – connections via telnet to remote device
    • Show startup-config – nvram config file
    • Show terminal – shows history size
    • Show trunk a/b – trunk stat of port 26/27
    • Show version – ios info, uptime, address of switch
    • Show vlan – all configured vlan’s
    • Show vlan-membership – vlan assignments
    • Show vtp – vtp configs

    For Native IOS – Not CatOS


    • Config# ip address
    • Config# ip default-gateway MODE:
    • Config# interface Ethernet 0/5 – “fastethernet” for 100 Mbps ports
    • Config-if# duplex full – also, half | auto | full-flow-control


    • Config# switching-mode store-and-forward – also, fragment-free


    • Config# mac-address-table permanent aaab.000f.ffef e0/2 – only this mac will work on this port
    • Config# mac-address-table restricted static aaab.000f.ffef e0/2 e0/3
      -port 3 can only send data out port 2 with that mac
      -very restrictive security
    • Config-if# port secure max-mac-count 5 – allows only 5 mac addresses mapped to this port


    • Config# vlan 10 name FINANCE
    • Config# interface Ethernet 0/3
    • Config-if# vlan-membership static 10TRUNK LINKS:
    • Config-if# trunk on – also, off | auto | desirable | nonegotiate
    • Config-if# no trunk-vlan 2
      -removes vlan 2 from the trunk port
      -by default, all vlans are set on a trunk port



    • Config# delete vtp – should be done prior to adding to a network
    • Config# vtp server – the default is server, also client and transparent
    • Config# vtp domain Camp – name doesn’t matter, just so all switches use the same
    • Config# vtp password 1234 – limited security
    • Config# vtp pruning enable – limits vtp broadcasts to only switches affected
    • Config# vtp pruning disableFLASH UPGRADE:
    • Config# copy tftp:// opcode – “opcode” for ios upgrade, “nvram” for startup config


    • Config# delete nvram


    • show ip bgp – Displays entries in the BGP routing table.
    • show ip bgp injected-paths – Displays paths in the BGP routing table that were conditionally injected.
    • show ip bgp neighbors – Displays information about the TCP and BGP connections to neighbors.

    BGP Conditional Route Injection:

    Step 1 Router(config)# router bgp as-number
    -  Places the router in router configuration mode, and configures the router to run a BGP process.

    Step 2 Router(config-router)# bgp inject-map ORIGINATE exist-map LEARNED_PATH
    -  Configures the inject-map named ORIGINATE and the exist-map named LEARNED_PATH for conditional route injection.

    Step 3 Router(config-router)# exit
    -Exits router configuration mode, and enters global configuration mode.

    Step 4 Router(config)# route-map LEARNED_PATH permit sequence-number
    – Configures the route map named LEARNED_PATH.

    Step 5 Router(config-route-map)# match ip address prefix-list ROUTE
    – Specifies the aggregate route to which a more specific route will be injected.

    Step 6 Router(config-route-map# match ip route-source prefix-list ROUTE_SOURCE
    – Configures the prefix list named ROUTE_SOURCE to redistribute the source of the route.
    Note The route source is the neighbor address that is configured with the neighbor remote-as command. The tracked prefix must come from this neighbor in order for conditional route injection to occur.

    Step 7 Router(config-route-map)# exit
    – Exits route-map configuration mode, and enters global configuration mode.

    Step 8
    Router(config)# route-map ORIGINATE permit 10
    – Configures the route map named ORIGINATE.

    Step 9 Router(config-route-map)# set ip address prefix-list ORIGINATED_ROUTES
    – Specifies the routes to be injected.

    Step 10 Router(config-route-map)# set community community-attribute additive
    – Configures the community attribute of the injected routes.

    Step 11 Router(config-route-map)# exit
    – Exits route-map configuration mode, and enters global configuration mode.

    Step 12
    Router(config)# ip prefix-list ROUTE permit
    – Configures the prefix list named ROUTE to permit routes from network

    Step 13 Router(config)# ip prefix-list ORIGINATED_ROUTES permit
    – Configures the prefix list named ORIGINATED_ROUTES to permit routes from network

    Step 14 Router(config)# ip prefix-list ORIGINATED_ROUTES permit
    – Configures the prefix list named ORIGINATED_ROUTES to permit routes from network

    Step 15 Router(config)# ip prefix-list ROUTE_SOURCE permit
    – Configures the prefix list named ROUTE_SOURCE to permit routes from network
    Note The route source prefix list must be configured with a /32 mask in order for conditional route injection to occur.


    Step 1 (config)# interface ethernet0/0
    (config-if)#ip address
    (config-if)# no shutdown
    – Configure an IP address on the router’s Ethernet port, and bring up the interface. (On an existing router, you would have already done this.)

    Step 2 (config)# ip dhcp pool mypool
    – Create a DHCP IP address pool for the IP addresses you want to use.

    Step 3 (dhcp-config)# network /8
    – Specify the network and subnet for the addresses you want to use from the pool.

    Step 4 (dhcp-config)#domain-name
    – Specify the DNS domain name for the clients.

    Step 5 (dhcp-config)#dns-server
    – Specify the primary and secondary DNS servers.

    Step 6 (dhcp-config)#default-router
    – Specify the default router (i.e., default gateway).

    Step 7 (dhcp-config)#lease 7
    – Specify the lease duration for the addresses you’re using from the pool.

    Step 8 (dhcp-config)#exit
    – Exit Pool Configuration Mode.

    This takes you back to the global configuration prompt.

    Next, exclude any addresses in the pool range that you don’t want to hand out.

    For example, let’s say that you’ve decided that all IP addresses up to .100 will be for static IP devices such as servers and printers. All IP addresses above .100 will be available in the pool for DHCP clients.

    Here’s an example of how to exclude IP addresses .100 and below:

    Optional (config)#ip dhcp excluded-address

    The full DHCP reference can be found on the CISCO site.

    Common Commands and Troubleshooting

    • Set a password on the console line:
      • configure terminal
      • line console 0
      • password ‘cisco’
      • login
    • Passwords are case sensitive.
    • You must configure a password on the VTY lines, without one no one will be able to telnet to the switch/router.
    • The default mode when logging into a switch/router via telnet or SSH is user exec mode, which is indicated by the ‘>’ prompt.
    • To configure the switch/router you need to use the privileged EXEC mode. To do this you enter the enable command in user EXEC mode. The prompt is indicated with ‘#’.
    • If both enable secret and enable password are set, the enable secret will be used.
    • The enable secret is encrypted (by default) where as the enable password is in clear text.
    • In a config containing an enable secret 5 ‘hash’ the 5 refers to the level of encryption being used.
    • If no enable password/secret has been set when someone telnets to the device, they will get a ‘%No password set’ message. Someone with physical access must set the password.
    • To place all telnet users directly into enable mode:
      • configure terminal
      • line vty 0 4
      • privilege level 15
    • To put a specific user directly into privileged EXEC mode (enable mode)
      • username superman privilege 15 password louise
    • Telnet sends all data including passwords in clear text which can be intercepted.
    • SSH encrypts all data preventing an attacker from intercepting it.
    • Setting up a local user/password login database for use with telnet:
      • configure terminal
      • line vty 0 4
      • login local
      • exit
      • username telnetuser1 password secretpass
    • To set up SSH you need to create the local user database, the domain name must be specified with the ip domain-name command and a crypto key must be created with the crypto key generate rsa command. To enable SSH on the VTY lines, use the command transport input ssh.
    • If you connect two Cisco switches together and the lights don’t go amber then green, but instead stays off. A straight through cable has been used instead of a crossover cable.
    • The term ‘a switches management interface’ normally refers to VLAN1.
    • Assign a default gateway using the ip default-gateway ipaddress command.
    • You can use the command interface range fasterthernet 0/1 – 12 to select a range of interfaces to configure at once.
    • MOTD banner appears before login prompt.
    • The login banner appears before the login prompt but after the MOTD banner.
    • The banner exec appears after a successful logon.
    • line con 0 – configuring the logging synchronous on the console port stops the router from displaying messages (like an interface state change) until it detects no input from the keyboard and not other output from the router, such as a show commands output.
    • exec-timeout x y (x=minutes, y=seconds) – the default is 5 minutes. Can be disabled by setting x=0 y=0
    • Shortcut commands
      • Up Arrow – will show you the last command you entered. Control+P does the same thing.
      • Down Arrow – will bring you one command up in the command history. Control+N does the same thing.
      • CTRL+A takes the cursor to the start of the current command.
      • CTRL+E takes the cursor to the end of the current command.
      • Left arrow or CTRL+B moves backwards (towards the start) of the command one character at a time.
      • Right arrow or CTRL+P moves forwards (towards the end) of the command one character at a time.
      • CTRL+D deletes one character (the same as backspace).
      • ESC+B moves back one word in the current command.
      • ESC+F moves forward one word in the current command.
    • show history command will show the last 10 commands run by default.
    • the history size can be increased individually on the console port and on the VTY lines with the history size x command.
    • Config modes
      • config t R1<config> is the global configuration mode.
      • line vty 0 4 R1<config-line> is the line config mode.
      • interface fastethernet 0/1 R1<config-if> interface config mode.
    • Cisco Discovery Protocol (CDP) runs by default on Cisco routers and switches. It runs globally and on a per-interface level.
    • CDP discovers basic information about neighboring switches and routers.
    • On media that supports multicasts at the data link layer, CDP uses multicast frames. on other media, CDP sends a copy of the CDP update to any known data-link addresses.
    • The show cdp command shows CDP settings.
    • CDP can be disabled globally using the command no cdp run and re-enable using cdp run.
    • CDP can be disabled at an interface level using the no cdp enable command at the sub-interface level.
    • The command show cdp neighbor – lists one summary line of information about each neighbor. Including:
      • Device ID – the remote devices hostname.
      • Local Interface – the local switch/router interface connected to the remote host.
      • Holdtime – is the number of seconds the local device will retain the contents of the last CDP advertisement received from the remote host.
      • Capability – shows you the type of device the remote host is.
      • Platform – is the remote devices hardware platform.
      • Port ID – is the remote interface on the direct connection.
    • The command show cdp neighbor detail – lists one large set (approx 15 lines) of information, one set for every neighbor. Including:
      • The IOS version.
      • VTP management domain.
      • Management addresses.
    • show cdp entry name – lists the same information as the show cdp neighbors detail command, but only for the named neighbor (case sensitive).
    • show cdp – states whether CDP is enabled globally, and lists the default update and holdtime timers.
    • show cdp traffic – lists global statistics for the number of CDP advertisements sent and received.
    • show cdp interface type number – states whether CDP is enabled on each interface or a single interface if the interface is listed, and states the update and holdtime timers on those interfaces.
    • CDP should be disabled on interfaces it is not needed to limit risk of an attacker learning details about each switch or router. Use the no cdp enable interface subcommand to disable CDP and the cdp enable interface subcommand to re-enable it.
    • The command show cdp interface shows the CDP settings for every interface.
    • Interface status messages:
      • Interface status is down/down – this indicates a physical problem, most likely a loose or unplugged cable.
      • Line protocol is down, up/down – this indicates a problem at the logical level, most likely an encapsulation mismatch or a missing clock rate.
      • Administratively down – this indicates the interface has been shutdown and needs to be manually opened with the sub interface command no shutdown.
    • The command show mac-address-table shows the mac address table. show mac-address-table dynamic sows the dynamically learned entries only.
    • Most problems on a switch are caused by human error – misconfiguration.
    • The command show debugging shows all the currently running debugs.
    • undebug all – will turn all debugging off.
    • The command show vlan brief shows a switches VLAN configuration.
    • If pinging fails on a pc, there is a problem with the local PC, most likely a bad install of TCP/IP.
    • On a pc the command netstat -rn shows the pc’s routing table.
    • Additional Telnet commands:
      • show sessions shows information about each telnet session, the where command does the same thing.
      • resume x, x being the session number is used to resume a telnet session.
      • To suspend a session use the command CTRL+ALT+6.
      • To disconnect an open session use the command disconnect x, x being the session number.
    • Ping result codes:
      • !!!!! – IP connectivity to the destination is ok.
      • ….. – IP connectivity to the destination does not exist.
      • U.U.U – the local router has a route to the destination, but a downstream router does not.
    • debug ip packet – can help troubleshooting the above ping results.
    • When using traceroute or extended ping the Escape Sequence is: CTRL+SHIFT+6.
    • Extended ping can only be run from enable mode.
    • If a routing table contains multiple routes to the same destination with multiple next hops and the prefixes are different, the most specific (longest) prefix route will be used. If all of the prefix lengths are the same the Administrative Distance will be used. [AD/Metric].
    • Administrative Distance is a measure of a routes believability, with a lower AD being more believable than a route with a higher AD. AD only comes into play if the prefix lengths are the same.
    • You can set the Administrative Distance on a static route with the command ip route 150, you would do this to set a backup route if a dynamic route fails/is not available in the routing table.

    Cisco NX-OS/IOS BGP (Advanced) Comparison

    These may also assist: Undocumented Cisco Commands

    Breaking VISA PIN

    Below is an article I found recently. This one of the most comprehensive descriptions of PIN Verification Value (PVV) hacking.

    I thought I would replicate it here for my local reference.

    As comments have been made regarding the grammar used in the original text, I have corrected some of the obvious errors whilst maintaining the context of the original material.

    ——– Original Text ———-

    Have you ever wonder what would happen if you lose your credit or debit card and someone finds it. Would this person be able to withdraw cash from an ATM guessing, somehow, your PIN? Moreover, if you were who finds someone’s card would you try to guess the PIN and take the chance to get some easy money? Of course the answer to both questions should be “no”. This work does not deal with the second question, it is a matter of personal ethics. Herewith I try to answer the first question.

    All the information used for this work is public and can be freely found in Internet. The rest is a matter of mathematics and programming, thus we can learn something and have some fun. I reveal no secrets. Furthermore, the aim (and final conclusion) of this work is to demonstrate that PIN algorithms are still strong enough to provide sufficient security. We all know technology is not the weak point.

    This work analyses one of the most common PIN algorithms, VISA PVV, used by many ATM cards (credit and debit cards) and tries to find out how resistant is to PIN guessing attacks. By “guessing” I do not mean choosing a random PIN and trying it in an ATM. It is well known that generally we are given three consecutive trials to enter the right PIN, if we fail ATM keeps the card. As VISA PIN is four digit long it’s easy to deduce that the chance for a random PIN guessing is 3/10000 = 0.0003, it seems low enough to be safe; it means you need to lose your card more than three thousand times (or losing more than three thousand cards at the same time 🙂 until there is a reasonable chance of losing money.

    What I really meant by “guessing” was breaking the PIN algorithm so that given any card you can immediately know the associated PIN. Therefore this document studies that possibility, analyzing the algorithm and proposing a method for the attack. Finally we give a tool which implements the attack and present results about the estimated chance to break the system. Note that as long as other banking security related algorithms (other PIN formats such as IBM PIN or card validation signatures such as CVV or CVC) are similar to VISA PIN, the same analysis can be done yielding nearly the same results and conclusions.

    VISA PVV algorithm

    One of the most common PIN algorithms is the VISA PIN Verification Value (PVV). The customer is given a PIN and a magnetic stripe card. Encoded in the magnetic stripe is a four digit number, called PVV. This number is a cryptographic signature of the PIN and other data related to the card. When a user enters his/her PIN the ATM reads the magnetic stripe, encrypts and sends all this information to a central computer. There a trial PVV is computed using the customer entered PIN and the card information with a cryptographic algorithm. The trial PVV is compared with the PVV stored in the card, if they match the central computer returns to the ATM authorization for the transaction. See in more detail.

    The description of the PVV algorithm can be found in two documents linked in the previous page. In summary it consists in the encryption of a 8 byte (64 bit) string of data, called Transformed Security Parameter (TSP), with DES algorithm (DEA) in Electronic Code Book mode (ECB) using a secret 64 bit key. The PVV is derived from the output of the encryption process, which is a 8 byte string. The four digits of the PVV (from left to right) correspond to the first four decimal digits (from left to right) of the output from DES when considered as a 16 hexadecimal character (16 x 4 bit = 64 bit) string. If there are no four decimal digits among the 16 hexadecimal characters then the PVV is completed taken (from left to right) non decimal characters and decimalizing them by using the conversion A->0, B->1, C->2, D->3, E->4, F->5. Here is an example:

    Output from DES: 0FAB9CDEFFE7DCBA

    PVV: 0975

    The strategy of avoiding decimalization by skipping characters until four decimal digits are found (which happens to be nearly all the times as we will see below) is very clever because it avoids an important bias in the distribution of digits which has been proven to be fatal for other systems, although the impact on this system would be much lower. See also a related problem not applying to VISA PVV.

    The TSP, seen as a 16 hexadecimal character (64 bit) string, is formed (from left to right) with the 11 rightmost digits of the PAN (card number) excluding the last digit (check digit), one digit from 1 to 6 which selects the secret encrypting key and finally the four digits of the PIN. Here is an example:

    PAN: 1234 5678 9012 3445
    Key selector: 1
    PIN: 2468

    TSP: 5678901234412468

    Obviously the problem of breaking VISA PIN consists in finding the secret encrypting key for DES. The method for that is to do a brute force search of the key space. Note that this is not the only method, one could try to find a weakness in DEA, many tried, but this old standard is still in wide use (now been replaced by AES and RSA, though). This demonstrates it is robust enough so that brute force is the only viable method (there are some better attacks but not practical in our case, for a summary see LASEC memo and for the dirty details see Biham & Shamir 1990, Biham & Shamir 1991, Matsui 1993, Biham & Biryukov 1994 and Heys 2001).

    The key selector digit was very likely introduced to cover the possibility of a key compromise. In that case they just have to issue new cards using another key selector. Older cards can be substituted with new ones or simply the ATM can transparently write a new PVV (corresponding to the new key and keeping the same PIN) next time the customer uses his/her card. For the shake of security all users should be asked to change their PINs, however it would be embarrassing for the bank to explain the reason, so very likely they would not make such request.

    Preparing the attack

    A brute force attack consists in encrypting a TSP with known PVV using all possible encrypting keys and compare each obtained PVV with the known PVV. When a match is found we have a candidate key. But how many keys we have to try? As we said above the key is 64 bit long, this would mean we have to try 2^64 keys. However this is not true. Actually only 56 bits are effective in DES keys because one bit (the least significant) out of each octet was historically reserved as a checksum for the others; in practice those 8 bits (one for each of the 8 octets) are ignored.

    Therefore the DES key space consists of 2^56 keys. If we try all these keys will we find one and only one match, corresponding to the bank secret key? Certainly not. We will obtain many matching keys. This is because the PVV is only a small part (one fourth) of the DES output. Furthermore the PVV is degenerated because some of the digits (those between 0 and 5 after the last, seen from left to right, digit between 6 and 9) may come from a decimal digit or from a decimalized hexadecimal digit of the DES output. Thus many keys will produce a DES output which yields to the same matching PVV.

    Then what can we do to find the real key among those other false positive keys? Simply we have to encrypt a second different TSP, also with known PVV, but using only the candidate keys which gave a positive matching with the first TSP-PVV pair. However there is no guarantee we won’t get again many false positives along with the true key. If so, we will need a third TSP-PVV pair, repeat the process and so on.

    Before we start our attack we have to know how many TSP-PVV pairs we will need. For that we have to calculate the probability for a random DES output to yield a matching PVV just by chance. There are several ways to calculate this number and here I will use a simple approach easy to understand but which requires some background in mathematics of probability.

    A probability can always be seen as the ratio of favorable cases to possible cases. In our problem the number of possible cases is given by the permutation of 16 elements (the 0 to F hexadecimal digits) in a group of 16 of them (the 16 hexadecimal digits of the DES output). This is given by 16^16 ~ 1.8 * 10^19 which of course coincides with 2^64 (different numbers of 64 bits). This set of numbers can be separated into five categories:

    Those with at least four decimal digits (0 to 9) among the 16 hexadecimal digits (0 to F) of the DES output.

    Those with exactly only three decimal digits.

    Those with exactly only two decimal digits.

    Those with exactly only one decimal digit.

    Those with no decimal digits (all between A and F).

    Let’s calculate how many numbers fall in each category. If we label the 16 hexadecimal digits of the DES output as X1 to X16 then we can label the first four decimal digits of any given number of the first category as Xi, Xj, Xk and Xl. The number of different combinations with this profile is given by the product 6 i-1 * 10 * 6j-i-1 * 10 * 6k-j-1 * 10 * 6 l-k-1 * 10 * 1616-l where the 6’s come from the number of possibilities for an A to F digit, the 10’s come from the possibilities for a 0 to 9 digit, and the 16 comes from the possibilities for a 0 to F digit. Now the total numbers in the first category is simply given by the summation of this product over i, j, k, l from 1 to 16 but with i < j < k < l. If you do some math work you will see this equals to the product of 104/6 with the summation over i from 4 to 16 of (i-1) * (i-2) * (i-3) * 6i-4 * 16 16-i ~ 1.8 * 1019.

    Analogously the number of cases in the second category is given by the summation over i, j, k from 1 to 16 with i < j < k of the product 6i-1 * 10 * 6j-i-1 * 10 * 6k-j-1 * 10 * 616-k which you can work it out to be 16!/(3! * (16-13)!) * 103 * 6 13 = 16 * 15 * 14/(3 * 2) * 103 * 613 = 56 * 104 * 613 ~ 7.3 * 1015. Similarly for the third category we have the summation over i, j from 1 to 16 with i < j of 6 i-1 * 10 * 6j-i-1 * 10 * 616-j which equals to 16!/(2! * (16-14)!) * 102 * 614 = 2 * 103 * 615 ~ 9.4 * 1014. Again, for the fourth category we have the summation over i from 1 to 16 of 6i-1 * 10 * 616-i = 160 * 615 ~ 7.5 * 1013. And finally the amount of cases in the fifth category is given by the permutation of six elements (A to F digits) in a group of 16, that is, 616 ~ 2.8 * 1012.

    I hope you followed the calculations up to this point, the hard part is done. Now as a proof that everything is right you can sum the number of cases in the 5 categories and see it equals the total number of possible cases we calculated before. Do the operations using 64 bit numbers or rounding (for floats) or overflow (for integers) errors won’t let you get the exact result.

    Up to now we have calculated the number of possible cases in each of the five categories, but we are interested in obtaining the number of favorable cases instead. It is very easy to derive the latter from the former as this is just fixing the combination of the four decimal digits (or the required hexadecimal digits if there are no four decimal digits) of the PVV instead of letting them free. In practice this means turning the 10’s in the formula above into 1’s and the required amount of 6’s into 1’s if there are no four decimal digits. That is, we have to divide the first result by 104, the second one by 103 * 6, the third one by 102 * 62 , the fourth one by 10 * 63 and the fifth one by 64 . Then the number of favorable cases in the five categories are approximately 1.8 * 1015, 1.2 * 1012, 2.6 * 1011 , 3.5 * 1010, 2.2 * 109 respectively.

    Now we are able to obtain what is the probability for a DES output to match a PVV by chance. We just have to add the five numbers of favorable cases and divide it by the total number of possible cases. Doing this we obtain that the probability is very approximately 0.0001 or one out of ten thousand. Is it strange this well rounded result? Not at all, just have a look at the numbers we calculated above. The first category dominates by several orders of magnitude the number of favorable and possible cases. This is rather intuitive as it seems clear that it is very unlikely not having four decimal digits (10 chances out of 16 per digit) among 16 hexadecimal digits. We saw previously that the relationship between the number of possible and favorable cases in the first category was a division by 10^4, that’s where our result p = 0.0001 comes from.

    Our aim for all these calculations was to find out how many TSP-PVV pairs we need to carry a successful brute force attack. Now we are able to calculate the expected number of false positives in a first search: it will be the number of trials times the probability for a single random false positive, i.e. t * p where t = 2^56, the size of the key space. This amounts to approximately 7.2 * 10^12, a rather big number. The expected number of false positives in the second search (restricted to the positive keys found in the first search) will be (t * p) * p, for a third search will be ((t * p) * p) * p and so on. Thus for n searches the expected number of false positives will be t * p^n.

    We can obtain the number of searches required to expect just one false positive by expressing the equation t * p^n = 1 and solving for n. So n equals to the logarithm in base p of 1/t, which by properties of logarithms it yields n = log(1/t)/log(p) ~ 4.2. Since we cannot do a fractional search it is convenient to round up this number. Therefore what is the expected number of false positives if we perform five searches? It is t * p^5 ~ 0.0007 or approximately 1 out of 1400. Thus using five TSP-PVV pairs is safe to obtain the true secret key with no false positives.

    The attack

    Once we know we need five TSP-PVV pairs, how do we get them? Of course we need at least one card with known PIN, and due to the nature of the PVV algorithm, that’s the only thing we need. With other PIN systems, such as IBM, we would need five cards, however this is not necessary with VISA PVV algorithm. We just have to read the magnetic stripe and then change the PIN four times but reading the card after each change.

    It is necessary to read the magnetic stripe of the card to get the PVV and the encrypting key selector. You can buy a commercial magnetic stripe reader or make one yourself following the instructions you can find in the previous page and links therein. Once you have a reader see this description of standard magnetic tracks to find out how to get the PVV from the data read. In that document the PVV field in tracks 1 and 2 is said to be five character long, but actually the true PVV consists of the last four digits. The first of the five digits is the key selector. I have only seen cards with a value of 1 in this digit, which is consistent with the standard and with the secret key never being compromised (and therefore they did not need to move to another key changing the selector).

    I did a simple C program, getpvvkey.c, to perform the attack. It consists of a loop to try all possible keys to encrypt the first TSP, if the derived PVV matches the true PVV a new TSP is tried, and so on until there is a mismatch, in which case the key is discarded and a new one is tried, or the five derived PVVs match the corresponding true PVVs, in which case we can assume we got the bank secret key, however the loop goes on until it exhausts the key space. This is done to assure we find the true key because there is a chance (although very low) the first key found is a false positive.

    It is expected the program would take a very long time to finish and to minimize the risks of a power cut, computer hang out, etc. it does checkpoints into the file getpvvkey.dat from time to time (the exact time depends on the speed of the computer, it’s around one hour for the fastest computers now in use). For the same reason if a positive key is found it is written on the file getpvvkey.key. The program only displays one message at the beginning, the starting position taken from the checkpoint file if any, after that nothing more is displayed.

    The DES algorithm is a key point in the program, it is therefore very important to optimize its speed. I tested several implementations: libdes, SSLeay, openssl, cryptlib, nss, libgcrypt, catacomb, libtomcrypt, cryptopp, ufc-crypt. The DES functions of the first four are based on the same code by Eric Young and is the one which performed best (includes optimized C and x86 assembler code). Thus I chose libdes which was the original implementation and condensed all relevant code in the files encrypt.c (C version) and x86encrypt.s (x86 assembler version). The code is slightly modified to achieve some enhancements in a brute force attack: the initial permutation is a fixed common steep in each TSP encryption and therefore can be made just one time at the beginning. Another improvement is that I wrote a completely new setkey function (I called it nextkey) which is optimum for a brute force loop.

    To get the program working you just have to type in the corresponding place five TSPs and their PVVs and then compile it. I have tested it only in UNIX platforms, using the makefile Makegetpvvkey to compile (use the command “make -f Makegetpvvkey”). It may compile on other systems but you may need to fix some things. Be sure that the definition of the type long64 corresponds to a 64 bit integer. In principle there is no dependence on the endianness of the processor. I have successfully compiled and run it on Pentium-Linux, Alpha-Tru64, Mips-Irix and Sparc-Solaris. If you do not have and do not want to install Linux (you don’t know what you are missing 😉 you still have the choice to run Linux on CD and use my program, see my page running Linux without installing it.

    Once you have found the secret bank key if you want to find the PIN of an arbitrary card you just have to write a similar program (sorry I have not written it, I’m too lazy 🙂 that would try all 10^4 PINs by generating the corresponding TSP, encrypting it with the (no longer) secret key, deriving the PVV and comparing it with the PVV in the magnetic stripe of the card. You will get one match for the true PIN. Only one match? Remember what we saw above, we have a chance of 0.0001 that a random encryption matches the PVV. We are trying 10000 PINs (and therefore TSPs) thus we expect 10000 * 0.0001 = 1 false positive on average.

    This is a very interesting result, it means that, on average, each card has two valid PINs: the customer PIN and the expected false positive. I call it “false” but note that as long as it generates the true PVV it is a PIN as valid as the customer’s one. Furthermore, there is no way to know which is which, even for the ATM; only customer knows. Even if the false positive were not valid as PIN, you still have three trials at the ATM anyway, enough on average. Therefore the probability we calculated at the beginning of this document about random guessing of the PIN has to be corrected. Actually it is twice that value, i.e., it is 0.0006 or one out of more than 1600, still safely low.


    It is important to optimize the compilation of the program and to run it in the fastest possible processor due to the long expected run time. I found that the compiler optimization flag -O gets the better performance, thought some improvement is achieved adding the -fomit-frame-pointer flag on Pentium-Linux, the -spike flag on Alpha-Tru64, the -IPA flag on Mips-Irix and the -fast flag on Sparc-Solaris. Special flags (-DDES_PTR -DDES_RISC1 -DDES_RISC2 -DDES_UNROLL -DASM) for the DES code have generally benefits as well. All these flags have already been tested and I chose the best combination for each processor (see makefile) but you can try to fine tune other flags.

    According to my tests the best performance is achieved with the AMD Athlon 1600 MHz processor, exceeding 3.4 million keys per second. Interestingly it gets better results than Intel Pentium IV 1800 MHz and 2000 MHz (see figures below, click on them to enlarge). I believe this is due to some I/O saturation, surely cache or memory access, that the AMD processor (which has half the cache of the Pentium) or the motherboard in which it is running, manages to avoid. In the first figure below you can see that the DES breaking speed of all processors has more or less a linear relationship with the processor speed, except for the two Intel Pentium I mentioned before. This is logical, it means that for a double processor speed you’ll get double breaking speed, but watch out for saturation effects, in this case it is better the AMD Athlon 1600 MHz, which will be even cheaper than the Intel Pentium 1800 MHz or 2000 MHz.

    In the second figure we can see in more detail what we would call intrinsic DES break power of the processor. I get this value simply dividing the break speed by the processor speed, that is, we get the number of DES keys tried per second and per MHz. This is a measure of the performance of the processor type independently of its speed. The results show that the best processor for this task is the AMD Athlon, then comes the Alpha and very close after it is the Intel Pentium (except for the higher speed ones which perform very poor due to the saturation effect). Next is the Mips processor and in the last place is the Sparc. Some Alpha and Mips processors are located at bottom of scale because they are early releases not including enhancements of late versions. Note that I included the performance of x86 processors for C and assembler code as there is a big difference. It seems that gcc is not a good generator of optimized machine code, but of course we don’t know whether a manual optimization of assembler code for the other processors (Alpha, Mips, Sparc) would boost their results compared to the native C compilers (I did not use gcc for these other platforms) as it happens with the x86 processor.


    Here is an article where these techniques may have been used.