Sunday, August 13, 2017

Insect Pro 2.0 - Exploiting TFTP Server

Pony Loader 2.0

Pony 2.0

-=- "Pony" password collection system -=-

While hacking about on some Russian bad boys' servers I found some interesting files. At first it looks like the same old Pony 1.9, because the builder and panel say Pony 1.9, but the change log says "Pony 2.0" with no release date. However, the builder was compiled in June 2014.

After reviewing the builder and panel, I can confirm it is an updated version of Pony 1.9: very similar, but with some new additions. See the change log for the complete list of updates.


Notable New Features in Pony 2.0:
- Implemented resident mode for the loader and password collection
- Implemented a collection of purses for Bitcoin clients
- Collecting proxy settings/credentials from browsers
- TDS "Flow Control" feature in loader panel



Pony Builder

The builder is an application that takes a configuration and builds the actual malware file which is then executed on a victim machine. Upon execution, the malware collects the desired passwords stored on the victim machine, sends them to the criminals, and then downloads or 'loads' another piece of malware, for example ZeuS. This is where it gets the name Pony Loader. 


Translation of help file:
Builder "PonyBuilder.exe"
The builder's task is to configure and compile the client "Pony.exe", which is to be loaded onto infected computers. Contents:
Folder "masm32" - the Microsoft Macro Assembler (MASM) compiler.
Folder "PonySrc" - MASM source code of the client program (grabber) "Pony.exe".
Folder "BuilderSrc" - Delphi 7 source code of the auxiliary builder program "PonyBuilder.exe".
File "PonyBuilder.exe" - the builder program for the client "Pony.exe".
File "help.txt" - this help file.
File "build.bat" - script used by the builder to compile the build from the "PonySrc" source.
File "Pony.ico" - icon attached to "Pony.exe" at compile time if the corresponding option is selected in the builder.

Files from Pony 2.0 Builder


PonyBuilder.exe
- It was packed with UPX
- Compile date: June 17th 2014
Pony Loader 2.0 - PonyBuilder.exe packed with UPX

Pony Loader 2.0 - PonyBuilder.exe unpacked 

Pony 1.9 Builder:
Pony Loader 1.9 - PonyBuilder.exe - Compiled Dec 22, 2012


Interface is divided into four tabs:

Builder
  • Text box "Domain list to send the password" - here you assign the list of URL gates to which the passwords are sent. Each line is a separate URL, for example: http://somedomain.com/dir/gate.php. You can add an unlimited number of rows (URLs), and the same URL can be added several times. A domain can include the connection port, for example: http://privatedomain.com:8080/gate.php. The https:// protocol is not currently supported.
  • "Pony.exe" attempts to connect to and send the password report to the URLs in the list in order; once the data is delivered successfully, the program quits immediately without attempting to connect to the remaining URLs.
  • Button "Select Icon" lets you set an icon for the output file; only the *.ico format is supported.
  • Button "Create build" compiles the file "Pony.exe" with the specified settings.
Builder tab

Loader
  • Simple loader (file download). After the passwords are collected, the files at these links (URLs) are downloaded and run. URLs are specified in the same way as the list of domains for sending passwords. In the lower part of the tab you can set the following options:
  • Activate loader - enables the loader; otherwise no files will be downloaded.
  • Do not run the same files twice - after a downloaded file is launched successfully, a reference value (hash) of the file is added to the registry, and on subsequent downloads a duplicate will not be run.

Loader tab - Compared to Pony 1.9


Settings
To see all the settings, activate the option "Show advanced settings" in the main menu.
  • Compress - compress reports with the aPLib library; adds about 5 KB to the size of the executable. Text data packs well before sending, so this is strongly recommended; it greatly reduces traffic to the server.
  • Encrypt - encrypt reports with the RC4 algorithm.
  • Encryption password - the password used to encrypt reports; the same password must be set in the server configuration.
  • Save reports to disk (for debugging) - when "Pony.exe" runs, after the passwords are collected a file "out.bin" is created in the same location as the executable: a container holding the passwords in the form in which they are sent to the server for further processing (decryption).
  • Send blank reports (for statistics) - normally, if no passwords are found, the client "Pony.exe" sends nothing to the server, but it is sometimes useful to enable this option to get statistics on the number of successful launches of "Pony.exe".
  • Debug mode - removes the exception handler; used exclusively for debugging purposes.
  • Send only new reports - if this option is not activated, duplicate password records will not be sent.
  • Self-delete (Samoudalenie) - the running "Pony.exe" file is deleted after it completes its work.
  • Add icon - attaches the selected icon to the compiled file.
  • Pack build with UPX - compress the "Pony.exe" executable after compilation.
  • Number of attempts to send the report - how many times to retry sending a report after a failed transmission; at least two attempts are recommended.
Build options:
  • Exe file - a regular Windows executable (*.exe).
  • Dll file - the build as a .dll library. It is self-contained: to test it, your project only needs to call the LoadLibrary() API function, since the URLs for sending passwords and all settings are built into the .dll file itself. The DllTest folder contains a simple test example: put Pony.dll in the same folder and run DllTest.exe, which in turn calls LoadLibrary() on the .dll.
  • In the "Available decryption modules" list, unneeded password decryptors can be excluded from the build, which reduces the build size.
Settings tab - Note new Bitcoin feature
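The builder settings above describe the client's network behaviour precisely enough to look for it from the defender's side: an ordered list of gate URLs (default file name gate.php), each tried in turn until one accepts the POST, with a configurable number of retries after a failed send. The script below is an added example written for this post, not code from the Pony kit or the original author. It runs over a constructed, simplified proxy log ("timestamp client method url status"); the hosts privatedomain.com and somedomain.com come from the help text, third-example.net is made up, and the thresholds, the time window and "HTTP 200 means delivered" are assumptions for the demo.

```python
"""Flag clients that walk a Pony-style gate list: POSTs to /gate.php on
several different hosts in quick succession, with retries after failures."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample lines: 10.0.0.5 tries three gates (first one down and
# retried once, second refused, third accepts); 10.0.0.9 is benign traffic.
SAMPLE_LOG = """\
2014-06-20T10:00:01 10.0.0.5 POST http://somedomain.com/dir/gate.php 503
2014-06-20T10:00:02 10.0.0.5 POST http://somedomain.com/dir/gate.php 503
2014-06-20T10:00:03 10.0.0.5 POST http://privatedomain.com:8080/gate.php 404
2014-06-20T10:00:04 10.0.0.5 POST http://third-example.net/p/gate.php 200
2014-06-20T10:00:05 10.0.0.9 GET http://www.example.org/index.html 200
2014-06-20T10:00:06 10.0.0.9 POST http://www.example.org/login 302
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
GATE_PATH_RE = re.compile(r"/gate\.php$", re.IGNORECASE)
WINDOW_SECONDS = 60      # assumption: judge each client over a one-minute window
MIN_DISTINCT_GATES = 2   # assumption: two or more different gate hosts is suspicious


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method.upper(), "url": url, "status": int(status)}


def is_gate_post(rec):
    """A POST whose URL path ends in /gate.php, the gate name used in the help text."""
    return rec["method"] == "POST" and bool(GATE_PATH_RE.search(urlsplit(rec["url"]).path))


def find_gate_walks(log_text):
    """Return one finding per client that POSTed to at least MIN_DISTINCT_GATES
    gate hosts within WINDOW_SECONDS of its first gate POST. A finding lists
    the gate hosts in the order tried, counts retries (a repeated POST to the
    host just tried) and records whether any gate answered 200 (assumed to be
    the 'delivered' case after which the client stops)."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_gate_post(rec):
            per_client[rec["client"]].append(rec)

    findings = []
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        start = recs[0]["ts"]
        hosts, retries, last_host = [], 0, None
        for r in recs:
            if (r["ts"] - start).total_seconds() > WINDOW_SECONDS:
                break
            host = urlsplit(r["url"]).netloc
            if host == last_host:
                retries += 1
            elif host not in hosts:
                hosts.append(host)
            last_host = host
        if len(hosts) >= MIN_DISTINCT_GATES:
            findings.append({"client": client, "gates": hosts, "retries": retries,
                             "delivered": any(r["status"] == 200 for r in recs)})
    return findings


if __name__ == "__main__":
    for f in find_gate_walks(SAMPLE_LOG):
        print(f"{f['client']}: {len(f['gates'])} gate hosts {f['gates']}, "
              f"{f['retries']} retries, delivered={f['delivered']}")
```

The pattern is deliberately narrow (path name plus sequencing), so a renamed gate file will not trip it; in practice the same sequencing logic can be keyed on the hosts recovered from a sample's embedded URL list instead of on the path.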


Skin
On this tab you can choose a favourite skin for the builder.
Skins tab


Pony 2.0 Panel


Admin login:
Not leaked for TrojanForge ;-)


Home:
I didn't feel like installing the needed components - just looking. 


Others:
Bitcoin wallets and proxy lists are now stolen.
Email - Certificates - Bitcoin Wallets - RDP credentials - Proxy list




Loader:

This is one notable new feature: a simple "Flow Control" traffic distribution system (TDS) (translated to English), giving the admin control over what is loaded based on the victim's OS or country.




Change log from Pony 1.9 posted by Xylitol

Change log for Pony 2.0:
(translated from Russian)
Pony 2.0
------------------------------------------------
Client (Pony.exe).
[!] Implemented resident mode for the loader and password collection
[!] Implemented collection of Bitcoin wallets from the original client, as well as Electrum, MultiBit, Litecoin, Namecoin, Terracoin,
    Bitcoin Armory, PPCoin (Peercoin), Primecoin, Feathercoin, NovaCoin, Freicoin, Devcoin, Frankocoin, ProtoShares, MegaCoin,
    Quarkcoin, Worldcoin, Infinitecoin, Ixcoin, Anoncoin, BBQcoin, Digitalcoin, Mincoin, Goldcoin, Yacoin, Zetacoin, Fastcoin,
    I0coin, Tagcoin, Bytecoin, Florincoin, Phoenixcoin, Luckycoin, Craftcoin, Junkcoin
[!] The loader can run .DLL files from memory (without dropping them to disk)
[+] Implemented password collection from Yandex.Browser, FTP Disk and new versions of Opera (based on the Chrome code)
[*] When the program runs as the SYSTEM user (a Windows service), the loader now runs the file with the privileges of the active (logged-on) user's session
[*] Firefox password collection reworked; it no longer depends on the presence of the SQLite3 libraries
[*] HTTP redirects (Location: http://...) are now supported when sending passwords
[+] Optional fallback loader mode: if the first file is loaded successfully, the rest are skipped
[+] Added the option to disable password collection (leave only the loader)
[+] Information about the proxy servers configured in browsers is collected together with the passwords
[+] Where possible, self-deletion is performed without dropping a .bat file to disk
[-] Fixed processing of Chrome / Firefox SQLite3 files containing 48-bit integers
[-] Fixed a serious bug in several functions that could cause errors during password collection and crash the program
Builder (PonyBuilder.exe).
[+] Added tooltips
[+] Added the option to disable skins
[*] Updated the AlphaControls (skins) components to v9.01
[*] The masm32 compiler (ml.exe) replaced with JWASM; builds now compile faster
[*] Builder tooling updated and improved
[*] Builder ported to Delphi XE5
[*] UPX packer updated to version 3.91w
[-] It was impossible to save a large number of lines in the URL lists
[-] Fixed GUI encoding problems
Server (PHP).
[+] Added PHP 5.4+ compatibility
[+] Full support for CuteFTP 9, 9.0.4 and 9.0.5
[+] Statistics on Bitcoin clients
[+] Added detection of Windows 8.1 and Windows Server 2012 R2
[+] Added the ability to download only the SMTP credentials from the E-mail list
[+] Some errors (especially those that cannot be sent to the admin panel log) are now written to the PHP error log
[*] JavaScript bug fixes
[*] Localized JavaScript code moved into Smarty
[*] Smarty template engine updated to version 3.1.17
[*] CSRF vulnerabilities fixed
[*] The "Domains" tab and all of its functionality are now disabled by default; it can be enabled in config.php ($show_domains = true)
[*] Improved password collection and config handling for FTP Voyager
[*] GeoIP database updated
[*] Improved MySQL database code
[-] Rare PHP warnings raised while generating charts could "break" them
[-] Fixed the decryption error handler for CuteFTP
[-] Fixed password collection for some versions of WiseFTP
[-] Removed spurious log messages when reading SQLite3 databases in some modules
[-] With encryption disabled, reports were added incorrectly, which led to duplicate reports being imported into the database
[-] Fixed multiple XML parsing errors when processing Directory Opus configs
[-] Fixed WinSCP password decryption


From the help file of Pony 2.0:
"Implemented instant decryption of saved passwords for the following programs:"
* FAR Manager
* Total Commander
* WS_FTP
* CuteFTP
* FlashFXP
* FileZilla
* FTP Commander
* BulletProof FTP
* SmartFTP
* TurboFTP
* FFFTP
* CoffeeCup FTP
* CoreFTP
* FTP Explorer
* Frigate3 FTP
* SecureFX
* UltraFXP
* FTPRush
* WebSitePublisher
* BitKinex
* ExpanDrive
* ClassicFTP
* Fling
* SoftX
* Directory Opus
* FreeFTP
* DirectFTP (detected as FreeFTP)
* LeapFTP
* WinSCP
* 32bit FTP
* NetDrive
* WebDrive
* FTP Control
* Opera
* WiseFTP
* FTP Voyager
* Firefox
* FireFTP
* SeaMonkey
* Flock
* Mozilla Suite Browser
* LeechFTP
* Odin Secure FTP Expert
* WinFTP
* FTP Surfer
* FTPGetter
* ALFTP
* Internet Explorer
* Dreamweaver
* DeluxeFTP
* Google Chrome
* Chromium
* SRWare Iron (detected as Chromium)
* ChromePlus
* Bromium (Yandex Chrome)
* Nichrome
* Comodo Dragon
* RockMelt
* K-Meleon
* Epic
* Staff-FTP
* AceFTP
* Global Downloader
* FreshFTP
* BlazeFTP
* NETFile
* GoFTP
* 3D-FTP
* Easy FTP
* Xftp
* FTP Now
* Robo-FTP
* LinasFTP
* Cyberduck
* Putty
* Notepad++ (NppFTP)
* CoffeeCup Visual Site Designer
* CoffeeCup Sitemapper (detected as CoffeeCup FTP)
* FTPShell
* FTPInfo
* NexusFile
* FastStone Browser
* CoolNovo
* WinZip
* Yandex.Internet
* MyFTP
* sherrod FTP
* NovaFTP
* Windows Mail
* Windows Live Mail
* Pocomail
* Becky!
* IncrediMail
* The Bat!
* Outlook
* Thunderbird
* FastTrackFTP
* Yandex.Browser
* Bitcoin
* Electrum
* MultiBit
* FTP Disk 


Samples:

Win32.Fareit (Pony Loader)

https://malwr.com/analysis/MTQyNzA5ZTM4NmYyNDczMTk3NDhlZTY2NzViMDA2NGY/
11af34aee811c1caea16df42abf0b44d

https://malwr.com/analysis/MDhjNDdmMzM2OTliNDYyN2E3NTFlMjI3ZGEzMTgyMjQ/
f2659a552502fbffc315f399f8a1f67d

https://www.virustotal.com/en/file/e011ffa7bd71d098a032059b10983193fb1df5788f61f317b0f694ee6963d5e4/analysis/1403350847/

https://www.virustotal.com/en/file/f8b2b99e850dffd3c838f6d9185e5f01d38dbbb3eade57d14a88357ce77a9da8/analysis/1403350876/
war goes on...please welcome Pony Loader Bot

Saturday, August 12, 2017

Recon-ng is an open-source reconnaissance framework written in Python. This SQLite database-driven tool incorporates Python modules and API keys to allow itself to be a conduit for many tools ranging from The Harvester to Metasploit. It is an awesome standalone reconnaissance tool in its own right. As a side note, we all totally have a geeky nerd crush on LaNMaSterR53.

Getting Started
While most penetration testers will be running this out of Kali Linux, the prerequisites (git and pip) may need to be installed before you start. Fortunately, this is easy on most Linux flavors and requires just a few simple commands:
sudo apt-get update
sudo apt-get install git
sudo apt-get install python-pip python-dev build-essential
sudo pip install --upgrade pip
sudo pip install --upgrade virtualenv
Next, clone Recon-ng from Bitbucket (Figure 1). In this tutorial we clone into the home directory, but feel free to use whatever directory structure works for you.
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
Figure 1: git install
Next, change directory into the newly created recon-ng and list the contents (Figure 2).
cd recon-ng
ls
Figure 2: recon-ng contents
We will use the REQUIREMENTS file to finish installing the dependencies for recon-ng.
pip install -r REQUIREMENTS
At this point the installation is almost ready to use; we will go over a bit of information now while you're still paying attention, and then get recon-ng running and the API keys loaded.
The installation of recon-ng also creates a hidden .recon-ng directory inside your home directory. This directory is initially empty; it is where your keys.db and your workspaces will be created. After running recon-ng for the first time, a workspace directory and keys.db are created in the hidden .recon-ng directory (Figure 3).
Figure 3: .recon-ng directory
To run recon-ng, go to the folder where you ran the “git clone” command. This is where the magic happens.
cd recon-ng 
./recon-ng
Don't worry if you get the "_api key not set" error (Figure 4). We have not added any API keys yet.
Figure 4: Initial Start
From our screen, we can see that there are 76 Recon modules, 8 Reporting modules, 2 Import modules, 2 Exploitation modules, and 2 Discovery modules.  We are also using the “default” workspace. (Figure 5)
Figure 5: Recon-ng start screen
Close recon-ng and let's look at the modules and the underlying code. (Figure 6)
cd modules
cd recon
ls
Figure 6: Module Directory
If we go inside the module directory and inside a module, we can see the Python script that does all the magic. (Figure 7)
Figure 7: Module Content
Adding API Keys
As I said in the introduction, this is a database-driven tool. Now it's time to add information into the database.
The API keys are used by the modules to gather information into the SQLite database. Some of the API keys are free, but some can be expensive. I will keep this tutorial to the free API keys that are available.
After going back into the recon-ng directory and typing “./recon-ng”, you will be inside the recon-ng console. (Figure 8)
keys list
Figure 8: Keys List
The following command is an example of adding the shodan_api key. (Bottom of Figure 8; look closely, it is there.)
keys add shodan_api 
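Every key added with "keys add" ends up in the keys.db file under ~/.recon-ng, so two things are worth checking on a shared test box: which keys are actually populated, and whether other local accounts can read the file. The script below is an added example for this tutorial, not part of recon-ng. It assumes keys.db is a SQLite database with a two-column table keys(name TEXT PRIMARY KEY, value TEXT) and that an empty value means "not set"; shodan_api is the key named above, the other key names and the key value are constructed for the demo.

```python
"""Inspect a recon-ng style keys.db: report which API keys are set (never the
values) and make sure the file is not readable by other local users."""
import os
import sqlite3
import stat
import tempfile


def build_sample_keys_db(path=None):
    """Create a keys.db with the assumed schema and constructed rows; returns
    its path. When path is None a fresh temporary directory is used."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(prefix="recon-ng-demo-"), "keys.db")
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE IF NOT EXISTS keys (name TEXT PRIMARY KEY, value TEXT)")
        con.executemany(
            "INSERT OR REPLACE INTO keys (name, value) VALUES (?, ?)",
            [("shodan_api", "CONSTRUCTED-SHODAN-KEY-0000"),  # placeholder value
             ("example_api", None),                           # constructed name, unset
             ("another_api", "")])                            # constructed name, unset
    con.close()
    return path


def list_keys(path):
    """Return {name: is_set} for every row; key values are never returned."""
    con = sqlite3.connect(path)
    try:
        rows = con.execute("SELECT name, value FROM keys ORDER BY name").fetchall()
    finally:
        con.close()
    return {name: bool(value) for name, value in rows}


def missing_keys(path, required):
    """Names from `required` that are absent or empty in keys.db, sorted."""
    status = list_keys(path)
    return sorted(k for k in required if not status.get(k))


def readable_by_others(path):
    """True if the group or world read bit is set on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def tighten_permissions(path):
    """Restrict keys.db to the owner (0600) and return the re-checked state."""
    os.chmod(path, 0o600)
    return readable_by_others(path)


if __name__ == "__main__":
    # Use the real file if recon-ng has been run, otherwise the constructed demo.
    real = os.path.expanduser("~/.recon-ng/keys.db")
    db = real if os.path.exists(real) else build_sample_keys_db()
    for name, is_set in list_keys(db).items():
        print(f"{name:20s} {'set' if is_set else '-'}")
    if readable_by_others(db):
        print("keys.db is readable by other users; tightening to 0600")
        tighten_permissions(db)
```

Run it after "keys add" to confirm the key landed, and treat a group- or world-readable keys.db as a finding: the API keys are stored in the clear, so file permissions are the only thing protecting them from other users of the machine.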
API Keys Signup URLs
Signing up for the API keys is the least fun and most time-consuming part of the setup. Showing each signup would be lethally boring, so here is the list of URLs. All links open in a new window because we are thoughtful like that.

welcome back to war !!! worldwide! So we are at GCHQ headquarters, with the HARUSPEX ID team cyber warfare. And we have this code:

// SetAge
// @DominusTrex
// Read the site's anti-CSRF token and attach it to every jQuery request
var token = Roblox.XsrfToken.getToken();
$.ajaxPrefilter(function (options, originalOptions, jqXHR) {
    jqXHR.setRequestHeader('X-CSRF-Token', token);
});

// Submit the personal-info update as a JSON POST
$.ajax({
    type: "POST",
    url: "/usercheck/updatepersonalinfo",
    data: JSON.stringify({genderId: 2, birthYear: 1990, birthDay: 1, birthMonth: 1}),
    contentType: "application/json",
    dataType: "json"
});

https://pastebin.com/raw/UCT1JwaX

Good morning, worldwide! welcome back to war! “Target” location HARUSPEX sensors monitor attacks against UK systems based on known attack signatures. These signatures typically reflect attack vectors, infrastructure or entity identifiers associated with attacks. While the signatures reflect our knowledge of FIS activities, UK-to-UK traffic may be collected if the attacker is using UK infrastructure. .. THIS IS NOT A SNOWDEN LEAK...ITS AN ELSA ONE'S

oh well...what a nice summer night ..."In August 2015, the UK played a role in the US strike against British computer hacker Junaid Hussain. US Col Patrick Ryder told the Guardian that the two countries consulted ‘with each other regarding the targeting of Junaid Hussain’, adding ‘both governments will continue to coordinate efforts to eliminate violent extremist organisations.’ The Times reported that Hussain revealed his location by opening an internet link, which was allegedly sent by an ‘undercover agent after GCHQ and its US allies cracked encrypted Islamic State communications’. While the UK has admitted involvement in this successful strike against Junaid, it has kept very quiet about whether or not it was similarly involved in the first strike attempt. This failed strike missed its target, instead killing three civilians. YOU DID NOT DECRYPT THIS !

surespot


exceptional encryption for everyone

surespot is a secure mobile messaging app that uses exceptional end-to-end encryption for every text, image and voice message returning your right to privacy.

Thursday, August 10, 2017

US CALIFORNIA ATM'S

Hack 66. Power Cisco Phones with Standard Inline Power

 
To avoid lock-in with Cisco-only phones and switches, learn how to power Cisco phones from non-Cisco switches.
IP phones can be powered through their Ethernet connections. The standard for this inline power is called 802.3af, and many equipment manufacturers support it, except for Cisco, which uses its own proprietary inline power method. Because of this, you can match Cisco IP phones only with Cisco-powered switches (unless you use Cisco's only phone model to support 802.3af, the 7970). This is an unfortunate form of vendor lock-in, but all is not lost. You can do a couple of things to get Cisco IP phones to draw power from non-Cisco switches.
If your budget permits, the obvious (though proprietary) solution to this problem is to use Cisco PoE switches to power the phones. Some other switch makers, like Foundry Networks, also support Cisco's proprietary PoE standard. If you can't afford to forklift your switches, you might instead want to power your Cisco phones by way of a power injector, which is a patch panel that adds inline power to a CAT5/CAT6 cable connection. Consider Cisco PoE-compatible injectors like those made by PowerDsine (http://www.powerdsine.com/).
But, if you can't do that either, do the next best thing: hack.
Hacking inline power will almost certainly void your IP phone's warranty, and probably your switch's or power injector's, too. A short circuit could fry your switch and phone if you're not careful. Proceed with caution!

By changing some wires on a standard UTP Ethernet patch cable, you can make a compatibility cable that lets you plug Cisco IP phones into any 802.3af source, as shown in Figure 5-3. Essentially, you are flipping wires 4 and 7, and 5 and 8. Be advised, this technique could void the warranty of your phone and your switch.
Figure 5-3. The wiring diagram for a hacked PoE cable

Make sure your switch lets you program, port by port, which ports get power and which ones don't, because in a native Cisco PoE solution, Cisco IP phone power requirements are "auto-detected," so power can turn itself on and off as necessary on each port. There's no such provision when using a hacked cable to supply 802.3af power to a Cisco PoE-using phone. If this is a problem, and 802.3af won't work with the hacked cable, try using a device that does the two-pair flip but also works with auto-detection, such as 3Com's 48-volt IntelliJack switch converter, part number 3CNJVOIPCPOD.
The Cisco 7970 IP phone does support 802.3af power sources, unlike the more popular (and less expensive) 7960 and 7940 phones.


Hack 67. Customize Your Cisco IP Phone's Boot Logo

 
Change the logo on your Cisco IP phone, and reflect your inner geek's refined sense of monochrome style.
Have you ever wished you could change the boot-up logo on your cell phone? Have you ever wanted to use custom graphics on your appliances' LCD screens? Most Linux geeks love to plaster Tux the Penguin, the official mascot of Linux, all over the place, and what better place than a hackable display? If you're like me and you have a thing for the penguin, allow our underdressed friend to show himself on your Cisco VoIP phones.
First, the facts: when most IP phones boot, they look for configuration files on a nearby TFTP server and download them to configure the phone further [Hack #80]. The configuration files allow the specification of a logo, along with other tweakable goodies. By editing or adding the logo_url setting in a phone's configuration file, you can dictate which logo the phone should use. The storage or location for this logo varies depending on the version of the firmware that's loaded on your phone, but you should be able to specify a standard HTTP URL to point the phone toward its logo. (This kind of hack is also possible on other phones, so look it up.) Here's the specific setting for a Cisco configuration file:
logo_url: "http://domain/cisco/logo.bmp"

As you can see, the URL points to a bitmap picture (logo.bmp). So far, this looks to be a simple hack, and with a few notes, it will stay that way. The image that the phone downloads is on a server, so it needs to find the server somehow. In other words, make sure the phone's DNS server setting is right so that it can resolve the hostname you provide in place of the domain placeholder in the URL.
The image size and color are also important. If you use an image with the wrong size or aspect, it will come out looking a bit funky on your Cisco's LCD. The default size for the display on the Cisco 7960 is 133 x 65 pixels, so that would be a good place to start. The image should be monochrome, at least for the 7960. Color is supported on newer models, like the 7970G. (You can always specify a different URL in your color phone's config files that points to a color version of the same image if you need to support color and monochrome displays.) The older and current phones will alter an image to fit the screen and color if it does not match. This auto-correction might not be perfect, so you might want to run your image through Photoshop or the GNU Image Manipulation Program (GIMP) to meet the size and color requirements.
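Because the phone silently rescales and recolours whatever it fetches, it is worth checking the bitmap before pointing logo_url at it. The script below is an added example, not from the book, from Cisco or from the author; it reads the standard BMP file header and BITMAPINFOHEADER and compares the geometry against the 7960 figures given above (133 x 65 pixels, monochrome). make_bmp() only constructs blank sample files so the check can be exercised offline; a real logo would be the file you exported from GIMP.

```python
"""Check a candidate logo.bmp against the Cisco 7960 display (133 x 65, 1-bit)."""
import struct

FILE_HEADER = "<2sIHHI"        # 'BM', file size, reserved, reserved, pixel-data offset (14 bytes)
INFO_HEADER = "<IiiHHIIiiII"   # BITMAPINFOHEADER (40 bytes)
EXPECTED_7960 = (133, 65)      # display size quoted in the text above


def make_bmp(width, height, bpp):
    """Build a blank BMP of the given geometry (1-bit or 24-bit only).
    Constructed test input for the demo, not a real phone logo."""
    if bpp not in (1, 24):
        raise ValueError("demo supports 1-bit and 24-bit bitmaps only")
    row_bytes = ((width * bpp + 31) // 32) * 4          # rows are padded to 4 bytes
    pixels = bytes(row_bytes * height)
    palette = b"\x00\x00\x00\x00\xff\xff\xff\x00" if bpp == 1 else b""  # black, white
    offset = struct.calcsize(FILE_HEADER) + struct.calcsize(INFO_HEADER) + len(palette)
    info = struct.pack(INFO_HEADER, 40, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    head = struct.pack(FILE_HEADER, b"BM", offset + len(pixels), 0, 0, offset)
    return head + info + palette + pixels


def inspect_bmp(data):
    """Return (width, height, bits_per_pixel), or None if data is not a BMP we parse."""
    if len(data) < 54 or data[:2] != b"BM":
        return None
    info_size, width, height, _planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    if info_size < 40:
        return None   # OS/2 BITMAPCOREHEADER has a different layout; not handled here
    return width, abs(height), bpp   # negative height just means top-down row order


def check_logo(data, expected=EXPECTED_7960):
    """Return a list of problems; an empty list means the image fits the display."""
    geometry = inspect_bmp(data)
    if geometry is None:
        return ["not a Windows BMP (or unsupported header)"]
    width, height, bpp = geometry
    problems = []
    if (width, height) != expected:
        problems.append(f"size is {width}x{height}, expected {expected[0]}x{expected[1]}")
    if bpp != 1:
        problems.append(f"{bpp} bits per pixel, expected 1 (monochrome)")
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else make_bmp(200, 100, 24)
    for problem in check_logo(data) or ["logo is fine for the 7960"]:
        print(problem)
```

For a colour model such as the 7970G, pass a different `expected` size and relax the 1-bit rule; the header fields read here are the same for all Windows bitmaps.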
When I did this hack, I used a PNG-format picture of Tux the Penguin. Tons of great images like this are available at http://images.google.com/. I opened my image in the GIMP to have a look. Then I resized the happy fellow so that his height matched the height of the LCD, 65 pixels. Finally, I converted to grayscale and saved. Figure 5-4 shows the finished product. Cute, isn't he?
Figure 5-4. The Tux logo, as he appears on a Cisco 7960's display

I then simply uploaded the file to my web server, at the URL specified in my 7960's TFTP configuration file. The next time I booted up my 7960, there was Tux, happy as usual.
Andrew Latham