Archives for : Pin

    No need to bypass security with a boot disk – 17 year old Windows exploit found

    The problem has been discovered in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

    In addition to the unpatched hole in Internet Explorer, a now published hole in Windows allows users with restricted access to escalate their privileges to system level – and this is believed to be possible on all 32-bit versions of Windows from Windows NT 3.1 up to, and including Windows 7. While the vulnerability is likely to affect home users in only a minor way, the administrators of corporate networks will probably have their hands full this week.

    The problem is caused by flaws in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

    Ormandy has also published a suitable exploit which functions under Windows XP, Windows Server 2003 and 2008, Windows Vista and Windows 7. When tested by the The H’s associates at heise Security, the exploit opened a command prompt in the system context, which has the highest privilege level, under Windows XP and Windows 7. No patch has become available, although Ormandy reports that Microsoft was already informed of the hole in mid 2009. The developer decided to publish the information regardless because, in his opinion, there is a simple workaround: to disable the MS-DOS subsystem.

    The workaround requires users to start the group policy editor and enable the “Prevent access to 16-bit applications” option in the Computer ConfigurationAdministrative TemplatesWindows ComponentsApplication Compatibility section. When tested with these settings by the heise Security team, the exploit no longer functioned. The settings reportedly don’t cause any major compatibility problems for most users while no 16-bit applications are being used.

    Update – The above option is only available through the group policy editor on Windows 2003 systems. Some versions of Windows do not include a group policy editor. As an alternative, users can also create a registry key under HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsAppCompat with a D-Word value of VDMDissallowed = 1. Under Windows XP, to prevent the system from being vulnerable to the exploit, users can place the following text:

    Windows Registry Editor Version 5.00



    into a file called vdmdisallow.reg and double click the file. Windows will then automatically import the key (admin rights are required to perform this action).

    Update 2 - Microsoft has now confirmed the privilege escalation hole in Windows. The company says that it wants to complete its investigation of the vulnerability and will then decide whether, how and when to close it.

    See Also:

    REDMOND — When it rains, it pours. Especially in the Seattle area. Tavis Ormandy has published full details on a privilege escalation hack of all versions of Windows including Windows 7.

    The exploit takes advantage of a bug in the Windows implementation of the ‘virtual DOS machine’ used to run legacy 16-bit programs. The exploit can be avoided by turning the VDM ‘feature’ off but the danger of course is that enough Windows lusers won’t know about the bug and/or bother turning the ‘feature’ off.

    16-bit applications need BIOS support; the Windows kernel supports virtual BIOS interrupts in its ‘Virtual-8086’ mode monitor code. The code is implemented in two stages. The #GP trap handler transitions to the second stage when CS:EIP faults with specific ‘magic’ values.

    The transition requires (subsequent to authentication) restoring the context and the call stack from the faulting trap frame. But the authentication process is flawed, relying as it does on three incorrect assumptions.

    • Setting up a VDM context requires SeTcbPrivilege.The barrier to getting a VDM context can be subverted by requesting the NT VDM subsystem and then using CreateRemoteThread() to run code in the context of the VDM subsystem. The VDM subsystem already has the necessary flag set.
    • Ring 3 (unprivileged) code cannot install arbitrary code segment selectors.Using the two least significant bits of CS/SS to calculate the privilege of a task doesn’t work when it comes to Virtual-8086 mode. The 20-bit addressing (by adding CS << 4 to the 16-bit IP) is also used to map onto the protected linear Virtual-8086 address space. If CS can be set to an arbitrary value, then the privilege calculation can be circumvented.
    • Ring 3 (unprivileged) code cannot forge a trap frame.Returns to user mode are through IRET. An invalid context can cause IRET to fail pre-commit, which in turn forges a trap frame. And even with address randomisation it’s trivial to use NtQuerySystemInformation() to obtain the address of the second stage BIOS handler.

    Affected Systems

    This bug dates back 17 years and affects all systems released since 27 July 1993 – Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. See the links below for further details.

    See Also
    MITRE: CVE-2010-0232
    Windows plagued by 17-year-old privilege escalation bug
    NEOPHASIS: Trap Handler Allows Users to Switch Kernel Stack

    Ham Radio Links

    Amateur Packet Radio Australian

    Aussiewide Packet Radio Network


    Queensland APRS Users Group

    VK2KFJ’s Packet Radio Links page


    VK5 AX25 Packet Network Map (VK5AH)




    Amateur Packet Radio Gateways

    Amateur Packet Radio, net 44, and AMPR.ORG `

    American Febo Enterprises







    G4JKQ TCP/IP Telnet listing

    G7JJF TNC Driver Support (WINTNC)

    High speed packet

    High Speed Packet radio

    High-speed Packet Radio


    K4ABT (home page)

    Linux® / Amateur Radio Information

    Linux AX25-HOWTO


    Packet Info and Downloads

    Packet Links

    Packet Net (VK5 packet map)

    Packet Net (FBB software)

    PAcket Digital Amateur Network (PADAN)

    Radio-TNC Wiring Diagrams


    Slovenian ATV/Packet

    Sound Card Packet




    TNOS Central


    WA4DSY 56k RF Modem

    Yet Another 9k6 Modem


    Sound Card Packet

    Sound Card Buddy

    Soundcard Interfacing

    Sound Card Packet AGWPE (KC2RLM)

    Sound Card Interface with Tone Keyer (WA8LMF)

    QDG sound card interface

    Return to Top


    Winlink! 2000

    Aussie Winlink

    Pactor Communications Australia


    Winpack home page

    Winpack info


    TNC information


    Setting Your TNC’s Audio Drive Level

    TNC and Radio mods


    MFJ-1278B Care and maintenance


    AEA radio and TNC mods

    Other suppliers


    Fox Delta



    The DXZone Digital and Packet Radio



    TNC-X – The Expandable TNC


    Amateur Packet Radio Gateways


    The Gateways Home Page


    High-Speed Digital Networks and Multimedia (Amateur)

    North Texas High Speed MultiMedia group

    Also take a look at the wireless LAN pages


    Aus APRS




    APRS in Adelaide


    APRS in the UK





    BYONICS (Electronics Projects for Amateur Radio)


    Dansk APRS Gruppe

    France APRS

    Kansas City APRS Working Group


    Live Australian APRS data maps


    Queensland APRS Users Group

    Tri-State APRS Working Group

    Other Digital Modes




    Morse Code

    CW Operators’ QRP Club Inc.

    Fists Down Under

    LEARN MORSE CODE in one minute !

    MRX morse code

    Not Morse Code, Slow Scan , Packet or APRS

    HamDream by HB9TLK (digital radio)

    JE3HHT, Makoto (Mako) Mori

    PSK31 and other PC Magic

    WSJT ACTIVITY IN AU (follow link)

    Amateur Digital Radio

    AR Digital Voice Communications

    Australian National D-Star

    Ham Radio digital info

    ICOM America digital

    Temple University Digital Voice Project

    Temple University Vocoder Redux

    WinDRM – HF Digital Radio Mondiale



    Australian D-Star information

    D-Star wikipedia

    ICOM America D-Star Forums


    Software Defined Radio

    FlexRadio Systems Software Defined Radios

    Rocky software for SoftRock-40 hardware

    SDRadio – a Software Defined Radio

    SoftRock-40 Software Defined Radio

    The Weaksignals pages og Alberto I2PHD (software)

    Digital Radio

    BBC digital Radio

    Digital Audio Broadcasting

    Digital Radio Broadcasting

    Digital Radio


    DRM – Digitaler Rundfunk unter 30 MHz


    Amateur Radio Direction Finding

    Amateur Radio Direction Finding and Orienteering

    Amateur Radio Direction Finding Webring

    Homing In


    Victorian ARDF Group Inc.

    Repeater Linking

    There are currently There are 5 internet linking projects that I know of :-

    IRLP,  iPHONE, iLINK, eCHOLINK and WIN SYSTEM (May 2005)


    Hamlink (K1RFD)

    KWARC (live audio)

    Internet Linking


    IRLP status



    G4CDY-L Internet Gateway



    VK2JTP iLINK gateway

    WB2REM & G4CDY’S  iLINK boards



    laser diodes

    A R Laser Communications

    Australian Optical DX Group

    Driver Enhancements

    European Laser Communications


    Amateur Radio Licence


    Worldwide Information on Licensing for Radio Amateurs by OH2MCN

    Amateur Radio Clubs and Organisations

    Also see ATV link page

    and VHF link page


    Adelaide Hills Amateur Radio Society

    Amateur Radio Victoria

    Barossa Amateur Radio Club VK5BRC

    Brisbane Amateur Radio Club

    Brisbane VHF Group

    Central Coast Amateur Radio Club

    Central Goldfields A R Club


    Coffs Harbour & District Amateur Radio Club

    CW Operators’ QRP Club Inc.

    Eastern and Mountain District Radio Club

    Gold Coast AR Society

    Healesville Amateur Radio Group

    Historical Wireless Society of South East Queensland

    Ipswich Metro Radio Group

    Lockyer Valley Radio and Electronic Club Inc

    Manly-Warringah Radio Society


    QRP Amateur Radio Club International

    Queensland APRS Users Group

    RADAR Club Inc

    Radio Amateurs Old Timers Club Australia Inc

    Radio Sport

    Radio and Electronics Association of Southern Tasmania

    Riverland Amateur Radio Club

    South Australian Packet User Group Inc. (SAPUG)


    South Coast AMATEUR RADIO Club


    Sunshine Coast Amateur Radio Club

    VK Young Amateur Radio Operator’s Net


    VK3BEZ (WIA Eastern Zone Amateur Radio Club)


    West Australia Repeater Group


    WIA VK4 Qld



    WICEN Australia

    WICEN Brisbane Qld

    New Zealand


    Papakura Radio Club

    Wanganui Amateur Radio Society Inc.

    Wellington VHF Group


    American QRP Club


    Clear Lake Amateur Radio Club





    K2MFF Amateur Radio club

    North TeXas Repeater Association


    The Repeater Builders Technical Information Page

    Richardson Wireless Klub




    Submarine Veterans Amateur Radio

    Southgate AR club


    The 500 KC Experimental Group for Amateur Radio

    Tucson Amateur Packet Radio

    W6DEK 435 Los Angeles

    Amateur Radio


    Australian AR Repeater Map



    Ham Radio in Australia with VK1DA

    HF Radio Antenna Tuners

    Queensland AR Repeater listings

    Radioactive Networks: Ham

    Tony Hunt VK5AH (Home of Adelaides 10m Repeater)

    VK1DA’s Amateur Radio Web Directory



    VK2BA (AM radio)




    VK3YE’s Gateway to AR










    New Zealand

    Micro Controller Projects for Radio Amateurs and Hobbyists

    Precision Frequency Transmission and Reception



    AC6V’s AR & DX Reference

    Amateur radio with Knoppix

    Amateur Radio Soundblaster Software Collection


    AMRAD Low Frequency Web Page


    Direction finding

    DSP Links




    eQSL (electronic QSL)


    Felix Meyer



    Gateway to Amateur Radio

    Grid Square Locator


    G4KLX (The [ON/]G4KLX Page)




    Hamview DSP software

    Homebrew RF Test Equipment And Software

    KB4VOL   link site



    KU4AY ham radio directory



    K1TTT Technical Reference


    K3TZ Ham Radio Experimentation

    K6XC (links)

    Lighthouses (International Lighthouse/ Lightship Weekend)



    Michael Todd Computers & Communications



    NW7US   (Amateur and Shortwave Radio)

    N3EYR’s Radio Links


    PI6ATV (ATV, Antenna, software, info)

    Radio Links

    Radio Corner (forum)

    Ray Vaughan


    streaming radio programs

    The Elmer HAMlet (information)

    VE1XYL and VE1ALQ

    WB6VUB (links)



    XE1BEF  (DX, mods, links and more)

    Communications Equipment


    Andrews Communication Systems





    Hamak (RM Products Italy)


    KENWOOD Australia

    Kyle Communications

    ICOM Australia



    Radio-Data (links)

    Radio Specialists (equipment connectors and antenna)



    Townsville CB& Communications

    TTS Systems

    VK4-ICE Communications

    WiNRADiO (PC based receivers)



    Vertex Standard


    Z Communications Company (repair of old radio equipment)

    See also Kits and components

    Radio mods, cables, connection info

    batlabs (Motorola radio connection, cable info)

    Hall Electronics

    Radio Mods (mods info and more)

    W4RP IC-2720H Page

    XE1BEF  (DX, mods, links and more)

    Please also look at manufacture’s sites

    Lightning Protection (video and links)

    K9WK Amateur Radio

    Lightning Protection Institute

    Marine Grounding Systems

    Moonraker boat lightning information



    RFI Lightning protection


    Amateur Spread Spectrum

    Spread Spectrum Scene

    Spread spectrum

    SS Info

    Call-sign finders

    The DX Notebook



    Equipment suppliers and manufacturers

    Easy-radio (your DNS server may have problems finding this site)

    Kits and Components

    Australian and selected international suppliers




    Antique Electronic Supply

    Antenna Systems and Supplies Inc. (sm)



    Clarke & Severn Electronics

    Cliff Electronics (Aus) Pty. Ltd


    David Hall Electronics

    Dick Smith Electronics


    Dominion Electronics


    Elliott Sound Products


    Fox Delta (ATV and more)

    Hammond Mfg

    Hy-Q International

    IRH Components


    Microwave Dynamics

    MicroZed Computers



    Mouser Electronics


    Oatley electronics

    Ocean State Electronics


    pacific DATACOM


    Prime Electronics

    Radio Parts

    R.C.S. Radio (circuit boards)

    RF Modules Australia (ZigBee) http:\

    RFShop (Brisbane)

    Rockby Electronics and Computers

    RS Components



    Silvertone Electronics

    South Island Component Centre (New Zealand)

    Surplus Sales of Nebraska

    Surplustronics (New Zealand)

    Tandy (Australia)


    TTS Systems

    WB9ANQ’s Surplus Store


    Worldwide Electronic Components http:/

    Also look at the ATV links

    PCB layout and schematic programs baas electronics LAYo1 PCB


    Electronics WORKBENCH Industries McCAD OrCAD TARGET 3001! Tech5 TinyCAD VEGO ABACOM

    Amateur Satellites and space



    AMSAT-ZL (kiwisat)

    CSXT Civilian Space eXploration Team



    ISS fan club

    SATSCAPE   (free satellite tracking program)

    Satellite tracking software





    IPS Radio and Space Services


    Near-Real-Time MUF Map

    Radio Mobile (path prediction)

    VK4ZU (Propagation)


    Satellite TV



    KRISTAL electronics


    Nationwide Antenna Systems


    SAT TV


    Radio and Scanning


    Brisbane Radio Scanner

    Extreme Worldwide Scanner Radio

    Newcastle Area Radio Frequency Guide


    New Zealand

    Kiwi Radio


    Wellington Scanner Frequencies


    ZL3TMB (Christchurch NZ)


    Frequency guide

    Incident Broadcast Network (including Australian feeds)

    Radio H.F.  (some ham stuff)

    Amateur Radio DX and Contest

    DX Cluster

    AA1V’s DX Info-Page

    AC6V’s AR & DX Reference

    Australian contesting

    Buckmaster callsign database

    DX Greyline

    DX Summit

    DX 425 News


    EI8IC Global Overlay Mapper

    eQSL (electronic QSL)

    German DX Foundation-GDXF

    GlobalTuners (provides access to remotely controlled radio receivers all over the world)

    Ham Atlas by SP6NVK

    Kiwi DX List

    Oceania Amateur Radio DX Group Incorporated

    Oceania DX Contest


    The AM Window

    The Daily DX

    IARU QSL Bureaus

    International DX Association

    Internet Ham Atlas


    IOTA groups and Reference


    IOTA 425

    Island Radio Expedition Fondation

    LA9HW HF Contest page

    NG3K Contest/DX Page

    Northern California DX Foundation

    Simple phrases in European Languages

    SUMMITS on the AIR

    Telnet Access to DX Packet Clusters

    The DX Notebook

    VE6OA’s DX Links Contest Club

    World of DK4KQ

    XE1BEF  DX and links

    Logging Software

    VK Contest Log (VKCL)

    VK/ZL Logger

    WinRD+ logging program




    CLX Home page

    DX CLUSTER programs




    DX PacketCluster Sites on the Internet

    DXSpider – DX cluster system is written in perl

    Packet Cluster user manual

    The DXSpider User Manual

    VE7CC-1 Dx Spider Cluster


    Short Wave DX


    Electronic DX Press (HF, MW and VHF)

    CQ World Wide DX Contest


    Longwave Club of America (also Ham)

    NIST time stations

    OK1RR DX & Contesting Page

    Prime Time Shortwave

    Radio Interval Signals


    SM3CER Contest Service

    The British DX Club

    Yankee Clipper Contest Club


    Radio Scouting

    Scouts Australia JOTA/JOTI

    The history of the Jamboree On The Air history.htm

    World Organization of the Scout Movement

    Australian Regulator


    International Regulator


    Electronic Information and technical reference

    AC6V’s Technical Reference

    Chip directory

    Circuit Sage

    CommLinx Solutions Pty Ltd

    Computer Power Supply Mods

    Discover Circuits

    Electronic Information

    Electronics Links and Resources

    Epanorama (lots of links)

    Electronics Tutorials

    Electronic Theory

    Fox Delta


    Hobby Projects (electronic resource)


    Information site

    ISO Date / Time

    Latitude/Longitude Conversion utility – 3 formats

    New Wave Instruments (check out SS Resources)

    Paul Falstad (how electronic circuits work)

    PINOUTS.RU (Handbook of hardware pinouts)



    RF Cafe

    RF Globalnet

    RHR Laboratories


    RS232 Connections, and wiring up serial devices

    RF Power Table

    Science Lobby (electronic links)

    Tech FAQ (technical information for mobile electronics installers)

    Electronic service

    Repair of TV Sets

    Sci.Electrinic.Repair FAQ

    Service engineers Forum


    Cable Data




    Coaxial cable data

    Coaxial Cable Page




    NESS Engineering

    RF Industries cables


    Times Microwave


    W4ZT Antenna cable chart

    50 W Coaxial Cable Information

    75 W Coaxial Cable Information

    Antique Radio

    Antique Electronic Supply

    Alan Lord

    Antique Radio

    Apex Jr

    Archives of Boatanchors

    Australian Vintage Radio MK II

    Australian Wireless (OZ-Wireless) Email List

    AWA and Fisk Radiola

    Crystal Radio


    Hammond Museum of Radio

    Historical Radio Society of Australia Inc.

    JMH’s Virtual Valve Museum

    John Rose’s Vintage Radio Home

    Klausmobile Russian Tube Directory


    Kurrajong Radio Museum

    Links to Vintage Radios (Amateur)

    Mike’s Electric Stuff

    Nostalgiar Air

    Phil’s Old Radios

    Radio A’s Vintage Radio Page

    Radio Era

    Rap ‘n Tap

    Replacing Capacitors

    Savoy Hill Publications

    South East Qld Group of the HRSA

    SEQG of the HRSA Crystal comp

    SEQG One Tube Radio comp


    The Vintage Radio Emporium

    The Wireless Works

    Triode Tube Data Tubesworld  (Valve Audio and Valve data)

    Vintage Radio

    Vintage Radio Times

    Vintage Radios and programs

    Vintage Radios UK

    Vintage Radio and Test Equipment Site

    Vintage Radio World

    Vintage Radio and Audio Pages



    Ye Olde Hurdy Gurdy Museum of Vintage Radio

    Valve Audio and Valve data Ake’e Tube Data CVC

    Data Sheet Locator


    Frank’s Electron tube Pages

    Hammond  Manufacturing

    House of Tubes

    High Voltage Tube Archive


    Industrial Valve Data


    NJ7P Tube Data Search

    RCA-R10 Data

    SAS Audio Labs

    Sowter Audio Transformers

    Spice Valves



    Tube datasheets

    Vacuum Tube Links

    Valves and Tubes

    Valve Data Links

    Valve Data

    Valves Unlimited

    Valve and Tube Supplies


    Audio Calculators and Links Calculators & References Links.htm


    Car Audio Australia

    DIY Audio

    Duncan’s Amp Pages

    Elliott Sound Products


    Norman Koren


    The Self Site

    The Class-A Amplifier Site


    DUBUS (VHF magazine)

    Elektor Electronics

    Harlan Technologies (Amateur Television Quarterly)

    Radio & Communications Monitoring Monthly


    VHF Communications Mag



    SETI Australia

    D-Star IC2820 VK5 ICF – updated

    I recently downloaded the IC2820 V19a channel mapping for the ICOM 2820 from IC2820_VK5RWN_C_V19a.icf.

    After uploading the file to the radio I discovered that many of the simplex channels I previously used on my IC2820 were now gone (not surprising). Lucky I copied the original radio config to a new .icf file before I uploaded the new one.

    One frustrating thing I did discovered with the 2820 cloning software is that the EXPORT function appears to only export the stations heard by the radio to CSV and no the full radio configuration. A full copy of the config can only be stored in the native .icf file format, which is full of numbers (looks like memory contents). So manually editing the config file was out of the question.



    For those who have played with the software (CS-2820), you may have noticed that you can only spawn one instance. So copying the frequencies from my old config to the new config (the above link plus my original mapping) was not going to be as easy as I thought i.e export both and combine in notepad or excel.

    I discovered that it is possible to highlight and copy multiple lines in the channel map (only in the application copy buffer, not in the windows clipboard – can’t copy it to excel or notepad). Once you have copied the lines you want from the original config select ‘File – Open’ from the menu and open the new config (in my case the above file – renamed). If the application has not been closed it is possible to place the cursor where you want to add the channels from the old config and select paste (control v) and the copied rows will then be placed into the new config.

    I originally based my simplex frequencies (2m and 70cm) on the AREG frequencies in the modified ham Motorola Syntrx radios located on the AREG website.

    VK5 – 2M Syntrx Frequency Plan – Issued 22/11/2005
    VK5 – 70cm Syntrx Frequency Plan – Issued 22/11/2005

    The new updated file containing the new D-Star mapping, supplemented by my slightly modified AREG simplex channels can be located here.


    Here is a screen print.

    CS-2820 copy screen print

    CS-2820 copy screen print

    This is the .icf file converted to a .xls (csv to xls – from excel). The conversion can be done with CHIRP.

    The Freq and channel file: 2820h

    I hope this information helps someone.

    Nmap Examples

    Some Nmap examples I thought I would post.

    Scanning past Watchguard Firewalls: nmap -sS -iL targetlist.txt -P0 -sV -T4

    Verbose Scan: nmap -v

    This option scans all reserved TCP ports on the target machine. The -v option enables verbose mode.

    nmap -sS -O /24

    Launches a stealth SYN scan against each machine that is up out of the 256 IPs on “class C” sized network where Scanme resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and OS detection.

    nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

    Launches host enumeration and a TCP scan at the first half of each of the 255 possible eight-bit subnets in the 198.116 class B address space. This tests whether the systems run SSH, DNS, POP3, or IMAP on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine what application is running.

    nmap -v -iR 100000 -PN -p 80

    Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -PN since first sending a couple probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway.

    nmap -PN -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap

    This scans 4096 IPs for any web servers (without pinging them) and saves the output in grepable and XML formats.

    Instead of limiting ourselves to scanning just one target., let’s broaden our horizon’s to bigger and better things. In example 2 we used our IP address to base a scan against. Using that address again we can get a look at numerous targets in our “community”. At the command line type the following (substituting a valid address of your choice of course):

    nmap -sT -O

    What this does is instruct nmap to scan every host between the IP addresses of and If you happen to find many interesting feedback results from this or a larger scale scan then you can always pipe the output into your choice of a human readable file or a machine parsable file for future reference by issuing the following option:

    To create a human readable output file issue the -oN command into your nmap string so that it would look similar to this:

    nmap -sT -O -oN sample.txt

    Rather have a machine parsable file? Enter the -oM to pipe the output into a machine parsable file:

    nmap -sT -O -oM sample.txt

    *Back when I was becoming aquatinted with all the nmap options, I ran my first large scale scan against 250 consecutive machines using an arbitrary number (nmap -sX -O -oN sample.txt XXX.XXX.XXX.0-250).To my great surprise I was confronted with 250 up and running virgin Linux machines. Another reason why Linux enthusiasts should NEVER become bored.

    -I This is a handy little call that activates nmap’s TCP reverse ident scanning option. This divulges information that gives the username that owns available processes. Let’s take a look (Note that the host has to be running ident). At the command line issue this command against your target, in this case our default Eve running Linux:

    -iR Use this command to instruct nmap to scan random hosts for you.

    -p Port range option allows you to pick what port or ports you wish nmap to scan against.

    -v Use verbosity to display more output data. Use twice (-v -v) for maximum verbosity.

    -h Displays a quick reference of nmap’s calls

    Now that we have looked at nmap’s three basic usage types and some of it’s other options, let’s mix and match them.

    nmap -v -v -sS -O

    This instructs nmap to use a maximum amount of verbosity to run a stealth scan and OS detection against all machines between IP addresses and This command will also require root privileges due to both the -sS and -O calls. Of course this will display a very overwhelming amount of data so let’s log our results into a human readable file for future reference:

    nmap -v -v -sS -O -oN sample.txt

    Now let’s make nmap run a stealth scan and instruct it to look only for machines offering http and ftp services between the addresses of and Once again we will log the output (I’m a log junkie) for future reference into a human readable file called ftphttpscan.txt:

    nmap -sS -p 23,80 -oN ftphttpscan.txt

    Remember the -iR option mentioned previously? Let’s use it to take a random sampling of Internet web servers using the verbatim example from nmap’s man page:

    nmap -sS -iR -p 80

    Last but certainly not least, while gleaning information, don’t forget to nmap yourself. Just type at the command line: nmap This is especially useful and recommended if you’re a newcomer to Linux and connected to the Internet via DSL or cable modem.

    Detect promiscuous network devices or sniffers on a network

    Old versions       nmap –script=promiscuous

    New Versions     nmap -sV –script=sniffer-detect

    How To Hijack Fast Food Drive-Thru Frequencies

    This is an article I found on the Phone Losers site I thought I would copy here so I can give it a go at some stage.

    How To Hijack Fast Food Drive-Thru Frequencies

    A few years back, some friends and I were messing around with a Taco Bell’s drive-thru frequencies. RijilV and isotek showed me how easy it was to hijack the frequencies of just about any fast food restaurant with a very simple mod to a ham radio. The radios they used were Yaesu VX-5 and VX-7 models. We had a few weeks of occasional fun, sitting a few parking lots away and saying all kinds of horrible things to potential fast food customers. For the most part, I didn’t record any of it. But you can find a few clips of our fast food hijinks if you scroll down on the PLA Sound Clips Archive page.

    Finally we decided to capture a bit of our FCC violations on video. But instead of capturing actual customers being harassed by us as they placed an order, I drove through the Taco Bell drive-thru myself with a video camera sitting on the dashboard. As I attempted to place my order, RijilV informed me of some crazy new Taco Bell policies and a manager immediately rushed out to explain to me that I wasn’t actually talking to an employee. Here is that video:

    After spending several years on Google Video and YouTube, it’s been watched approximately 20,000 times. And of those 20,000 people who have viewed it, approximately all of them have emailed me and asked me what kind of radio we used and how can they use a radio to do the same thing. So in the spirit of April 1st and in order to quell the number of emails sent to me and posts on the PLA Forums asking the same thing, I’ve decided to write this tutorial to help those people out.

    But I’m not going to explain how to modify a Yaesu VX5 or a Yaesu VX7. A simple Google search will show you how to modify these ham radios. The problem with these mods is that, even though they’re fairly simple, you have to buy the radios which could cost you anywhere from $200 – $400. Then, after removing a couple solder points, you have to learn how to use it, you have to look up fast food frequency lists, you have to understand the difference between the transmit frequencies and the receive frequencies and you have to scroll through PL tones using trial and error to find the correct one.

    Or how about we do this a different way. A way that uses a couple items that you might already have in your home. You can easily modify most old CB radios in a way that will allow them to transmit directly to drive-thru frequencies. You won’t have to scroll through hundreds of possible drive-thru frequencies, because a CB radio’s channels line up in exactly the same way as most drive-thru’s channels, only at a higher frequency. How do you get your CB radio to run at a higher frequency? A simple replacement of the crystal inside, with a 6.5536 MHz crystal. This triples the megahertz that are broadcast on and there is no learning required. You just take the modified CB radio to a fast food restaurant and start broadcasting to the customers.

    “But RBCP, I don’t have a 6.5536 MHz crystal lying around my house,” you might be whining at this point. But this isn’t true. Just about any house has several 6.5536 MHz crystals in them if you know where to look. This just happens to be the exact same crystal that you can find in electric heaters, hair dryers, electric stoves, curling irons, electric hot water heaters, irons, and toasters. These crystals are in just about any item that has heated coils and are used to control the frequency of the heating elements so that they don’t burn your house down.

    So for this modification you need…

    • 1 CB radio. It has to be a 40 channel CB radio with a digital display, which includes just about any CB radio manufactured after the mid 1980’s. The old 23 channel CBs from the 1970’s will not work. It can even be a walkie talkie CB radio. If you don’t have one, you can find one at Goodwill or a yard sale for probably less than $10.
    • 1 toaster. (Or other item with heating elements inside.) A toaster is the most ideal to use, because it’s almost guaranteed to have the crystal inside of it. It’s more common to find curling irons and hair dryers that don’t. Again, it should be a toaster manufactured within the past 20 years or so. Before that they didn’t have crystal requirements for toaster manufacturers. (And incidentally, there were a lot more electrical house fires back then.) Goodwill will probably have a toaster for less than $10.
    • 1 soldering iron and solder. Don’t worry if you don’t have soldering experience. It’s actually pretty easy. Click here for a soldering tutorial. You can purchase a soldering iron at Radio Shack or Sears for about $10.
    • A few screwdrivers

    Even if you have to buy all these materials, you’re only out $30. That’s a lot better than the $300 you might end up spending on a Yaesu radio. And some of you might already have all these items so you don’t have to pay anything. Ask a friend or a relative if they’ve got an old toaster or CB radio lying around that they don’t need.

    First you’ll want to take apart your toaster. This isn’t too hard. Just flip it upside down and start removing the screws. You’ll probably need to pull off the plastic lever and knobs before you remove the top of the toaster. Once you have the top off, you’ll see a green or brown circuit board inside.

    Flip the circuit board down and you’ll see all the components on the other side, including the 6.5536 MHz crystal. The crystal is silver and will have 6.5 stamped on the side of it. In the picture below, I’ve used an arrow to show you where it’s located.

    The crystal is likely in a different spot in other toasters, but it’s hard to mistake for any other electronic component. The crystal will have some form of 6.5 stamped on the side of it. In my toaster, it showed 6.55-12. While the official frequency needed is 6.5536 MHz, anything within 1.6 megahertz will work. So don’t worry if your crystal just says 6.5 or 6.50 – it’s all the same for our purposes.

    It’s kind of hard to see what I’m doing in the picture above, but I’m heating up the leads on the crystal from underneath with my soldering iron to melt the solder, and I’m pulling on the crystal from above with a pair of needle nose pliers. It only takes a few seconds to get the crystal out of the toaster.

    Now that the crystal is out of your toaster, throw your toaster away! Do not attempt to use it once the crystal is removed. Remember, the crystal is in there for safety and using your toaster without the crystal could burn your toast and/or start a kitchen fire. It’s likely your toaster won’t even turn on with the missing crystal, but please don’t even try. Just throw it away.

    As I mentioned before, just about any brand and model of CB radio will work, as long as it has the digital display on it. Which means, just about any CB radio manufactured after the mid 1980’s. These are the kinds of CB radios whose frequencies are controlled by a single crystal inside of them. For my mod, I used a Radio Shack TRC-207 walkie talkie CB radio, which is pictured above. I prefer using a walkie talkie CB radio because it doesn’t requiring sticking a huge CB antenna on the roof of my car which might be noticed if a fast food employee starts looking around the parking lot for the culprits.

    Taking apart your CB radio is just as easy as taking apart the toaster. Remove the screws and pop it open. You may or may not have to lift up the circuit board inside to find the crystal inside. In my particular model, the crystal actually plugged into a socket so I didn’t need to even desolder the old crystal. I just pulled it out with my fingers and then plugged in the new 6.55 MHz crystal. I don’t know how common this is, because in other CB radios that I’ve modified the crystal was soldered to the circuit board, just like in the toaster.

    Put your CB back together and test it to make sure it’s working. You’re finished! Obviously, you won’t be able to talk on normal CB channels anymore since your CB is transmitting and receiving at a much higher frequency now. But who cares, CB channels are lame anyway. Let’s hop in the car and drive to our nearest fast food establishment to test it out.

    Sit near the drive-thru and wait for a customer to pull up. While the customer is talking to the drive-thru speaker, start flipping through your channels until you hear them talking. I’ve found that most drive thrus end up being somewhere in the 16 – 25 channel range. I’ve never found one above channel 30 and only a few on channels 1 through 15. It all depends on how their drive-thru is set up and what frequencies they’re using. Anyway, push down your talk button and start talking to the customer.

    The cool thing about using a CB radio to transmit on drive-thru frequencies is that a CB is designed to work for several miles. The headsets that those fast food people wear are only designed to work for about 100 feet. So you can easily overpower the employees, even if you’re several parking lots away. In fact, you may be inadvertently screwing with several other drive-thrus in town without even knowing it. This is more likely when you’re using the kind of CB radio that’s supposed to be installed in a car. Those usually run on 5 watts and can cover an entire city. This is another reason I like to use my walkie talkie. It’s lucky if it will work for even a mile, so I’m only harassing one restaurant at a time.

    If you found this tutorial useful, you might also enjoy the video I’ve made on the same subject. It includes much of the same information in this tutorial, but also includes actual footage of us messing with a drive-thru with this CB mod. Enjoy!

    You might also enjoy our original Taco Bell Takeover video, our Happy Birthday drive-thru video and our Drive-Thru Shenanigans video.

    icon for podpress PLA TV: Hijacking Fast Food Frequencies [9:12m]: Download (4913)

    Local Copy

    The EDinburgh Great Shiraz Challenge

    Kerry and I went along to the EDinburgh Cellars Great Shiraz Challenge.

    Between Kerry and I we tasted more than 25 great wines over a harrowing 2.5 hours of hustle and bustle in a huge tent in the ED’s carpark. It was great, we both thought that it was well worth the $30/head entry fee.

    One of the great things was the amount of large and small wine companies presenting their spoils. Refreshingly many of the tasting areas were manned by the wine maker, winery owner or someone of similar stature. This made for great conversations and allowed us to find other great non-mainstream wineries on the day.

    As Kerry (Wine group – 9yrs) and I (Corporate) both worked for SouthCorp (Prior to Fosters), we agreed that we would be looking for the special wines of the day. Well we did grab an RWT on the way out as the last tasting for the day – we are not stupid.

    We had a great day overall and purchased and ordered some great wins at the Cellars after the event.

    It was great catching up with Barb and Karel from Lengs and Cooter Wines and taste some of their great wines. Barb used to work at SouthCorp for many years and Karl worked at Telstra, but Kerry and I agree that they make great wines.

    Of the wines in the winning list below our favourites are:

    2006 Woodstock “The Stocks” Shiraz

    2004 Bullers Caliope Shiraz

    2006 Hentley Farm “The Beast” Shiraz

    2005 d’Arenberg Dead Arm Shiraz

    2006 Glaetzer ‘Bishop’ Shiraz

    Other top votes from us for the day are:

    2008 Mike Press Adelaide Hills Shiraz (It’s been a long time since we’ve tasted such a good cheap wine)

    2007 Honey MoonVineyard Adelaide Hills Shiraz

    2004 Lengs & Cooter Old Vines Shiraz

    2004 Lengs & Cooter Reserve Shiraz

    2005 Artful Dodger Barossa Shiraz

    2007 Veronique Regions Shiraz

    2006 Cape Jaffa La Lune Biodynamic Shiraz

    2006 Ceravolo Sparkling Shiraz

    2007 Yelland & Papps Greenock Shiraz

    Results – Shiraz Challenge

    Shiraz Day 2008 was a massive hit, with a record crowd of over 900 slurping through a field of just over 300 Shiraz. As always, we ask attendees to vote for their favourite wine of the day, and congratulations goes to Clarendon Hills for their superbly compelling 2006 Liandra Shiraz. Here’s the full list of the Top 20:

    2006 Clarendon Hills Liandra Syrah

    2005 Torbreck Factor Shiraz

    2005 Langmeil Freedom 1843 Shiraz

    2006 Hentley Farm ‘The Beast’ Shiraz

    2005 Whistler Reserve Shiraz

    2006 Penfolds RWT Shiraz

    2005 Wild Witch Shiraz

    2005 d’Arenberg Dead Arm Shiraz

    2005 Dutschke St Jakobi Shiraz

    2006 Woodstock ‘The Stocks’ Shiraz

    2006 Brick Kiln Shiraz

    2004 Bullers Caliope Shiraz

    2006 Hentley Farm ‘The Beauty’

    2005 Pikes ‘The E.W.P’ Shiraz

    2004 Paracombe Somerville Shiraz

    2006 Kalleske Greenock Shiraz

    2005 Bendbrook Goat Track Shiraz

    2004 Penfolds St Henri Shiraz

    2004 Bethany Wines GR9 Reserve

    2005 Paxton EJ Shiraz

    TOP 20 UNDER $30:

    2005 Tin Shed Melting Pot Shiraz

    2004 Carlei Estate ‘Green Vineyard’

    2004 Majella Shiraz

    2007 Torbreck Woodcutters Shiraz

    2005 Hugo Shiraz

    2006 Tar & Roses Shiraz

    2004 Whistler Shiraz

    2005 2 Mates Shiraz McLaren Vale

    2005 d’Arenberg Footbolt Shiraz

    2006 Mitolo Jester Shiraz

    2006 Guichen Bay Vineyards Reserve

    2006 Pirathon Shiraz by Kalleske

    2006 Scarpantoni Block 3 Shiraz

    2006 Naked Run Barossa Shiraz

    2006 Bird in Hand Shiraz

    2006 O’Leary Walker Shiraz

    2006 Glaetzer ‘Bishop’ Shiraz

    2007 Paxton Quandong Shiraz

    2006 Trevor Jones ‘Boots’ Shiraz

    2005 Dutschke Gods Hill Road Shiraz


    Trojan software has been found in ATMs located in Eastern Europe

    This is Great, I want one of these cards and a list of ATM’s.

    From the Security Now Podcast

    Steve: It’s like, oh, goodness, yeah. It’s quite something. So the big news, though, I just sort of had to kind of smile because I told all of our listeners this was going to happen. I said just wait, this is a bad idea, we’re going to see how bad it is. Trojans have – Trojan software has been found in ATMs located in Eastern Europe.
    Leo: Oh. Oh.
    Steve: From many different vendors.
    Leo: Oh, dear.
    Steve: But what one thing do all of the trojan-infected ATMs have in common, Leo?
    Leo: Let me guess.
    Steve: Mm-hmm.
    Leo: Windows?
    Steve: Windows XP.
    Leo: Ai yi yi.
    Steve: The LSASS service is the manager of protected content in the system. It’s not quite the right acronym. I can’t think of what it is right now. But it’s like the main security service. And fake ones have been found in the Windows directory. The LSASS EXE normally lives in the Windows System32 directory. They were written in Borland’s Delphi.
    Leo: You’re kidding.
    Steve: No.
    Leo: Well, that’s kind of sophisticated for a hacker. Wow.
    Steve: And it’s considered, I mean, it’s commercial-grade code. It’s good code.
    Leo: Oh, boy.
    Steve: These are not remote installation Trojans. It’s believed that somebody had to have access to the machines.
    Leo: Oh, even worse.
    Steve: But they have special credit cards. When they swipe the special credit card in the infected machine, it accesses the trojan software, which among other things allows them to dump out all the cash from the machine. But in the meantime it’s logging all of the users’ information and PINs, which it’s able to dump out encrypted with DES encryption from the printer, from the ATM printer in the front of the machine.
    Leo: Wow.
    Steve: So the – and anyway, so it’s interesting to me. Again, it’s, you know, people defended the idea of implementing these things that I contend should never have been written in Windows. They say, well, but it’s easier to write them. And it’s like, yes.

    DUKPT Overview and Transaction notes


    I was asked on another post relating to DUKPT to provide some backgound. Given I have lots of material on the subject, I thought I would create this thread. Link


    I will come back at some stage and expand on this when I get time.

    Transaction Process narrative:

    The diagram describes a mobile terminal/ATM is described using the a AS2805 (‘2805’) message type and 3DES DUKPT and dual direction auth SSL from the terminal to the aquirer (transaction switch).

    A good explanation of DUKPT can also be found at Wikipedia.


    Diagram of the flow


    DUKPT transaction flow - terminal to bank

    DUKPT transaction flow - terminal to bank


    Background notes:

    • The terminal or ATM firstly encrypts the user entered pin (may be a unique DUKPT key or static, depending on the design and banks involved) prior to incorporating it into the AS 2805 transaction message.
    • the message is then encrypted again using the DUKPT key which has been established through the merchant logon process within the aquirer Host Security Module (HSM) i.e. the user entered pin is encrypted separately and encapsulated within the DUKPT encrypted 2805 message to provide full message encryption.
    • In the diagram a separate dual authenticating SSL session is also used between the terminal/ATM and the aquirers infrastructure. This allowing the transaction including the pin to traverse the external Wired/GPRS/LAN within 2 primary independent layers of encryption, with a 3rd protecting the PIN.
    • When the transaction enters the aquirer environment the message encapsulation layer provided by SSL is removed.  This leaving the DUKPT’ed 2805 message which also encapsulates the separately encrypted PIN.
    • This encrypted message is passed to the aquirer switch engine through to the aquirer’s HSM for decryption of the 2805 message excluding the user entered pin.
    • This is when transactional information necessary for aquirer’s merchant reporting (truncated card number, transaction amount, transaction type, etc.) and fraud management data is collected.
    • The aquirer switch then passes the encrypted PIN to the aquirer HSM requesting that the PIN be decrypted using the aquirer’s PIN encryption and translated to the next banks (Bank 1)  PIN Encryption Key (Pin translation only occurs within the aquirer HSM) This is then sent back to the aquirer Switch engine as the Bank 1 encrypted PIN.
    • The aquirer switch engine then send the decrypted 2805 message with the newly encrypted PIN back to aquirer HSM to be encrypted with the Bank 1 MAC key.
    • The resultant Bank 1 key encrypted message is then sent to Bank 1 for processing and/or passing to the card issuer (using a similar process as described above).
    • When the result is received back from the issuing bank it is encrypted with the Bank 1 MAC key (the pin will not be present in the result message).
    • This is then decrypted by the aquirer HSM, the transaction fate result stored into the aquirer merchant reporting system and the transaction fate re-encrypted with the original aquirer DUKPT key (should be different per terminal/merchant instance) and the result sent back to the terminal through the original established SSL encrypted terminal connection.

    The aquirer may terminate the the SSL connection on a hardware device such as a CISCO Content Service Switch (CSS), or equivalent instead of the design described in the diagram which terminates onto a SSL session server/gateway (Possibly including a Certificate Authority) or on the aquirer transaction switch.

    When PIN blocks are received by the aquirer processing centre, the PIN encryption is translated from the terminal key to the Local Master Key (LMK) by the Host Security Modules (HSM).

    When the message is sent on the upstream bank interchange link to the issuer or gateway , the aquirer HSM translates the encrypted PIN block from the LMK to the Zone Master Key (ZMK) of the aquirer interchange link. The PIN block is always encrypted using DEA3 (3DES) whenever outside of the Terminal or ATM.

    HSM-8000-User Guide V2.2

    Secure Application Development links


    I have been putting some secure application development documents together recently and have found some good general tutorials and guidelines which I thought I would post here.

    Best Practices

    Other Resources