_____________________________________________________________________________

                     Critical Mass  -  Issue #5  (12/11/91)
                       A Technical Text File Newsletter

_____________________________________________________________________________
l  Writers                  l  Special thanks to....                        l
l__________________________l________________________________________________l
l                          l                                                l
l  The Beaver              l  The Shadow Hacker, Erokoes, Abigail, Dementia l
l  Dementia Meister        l  Meister, Section 8, and all the TLH area      l
l                          l  hack types.                                   l
l__________________________l________________________________________________l

Disclaimer: If thou does not like this or any Critical Mass issue, then simply
do not download future issues. Prosecutions due to the use of the information
given in this newsletter are not the fault of the editor or writers. Basically,
we take no responsibility for legal problems that you have from using the
information given, and if you don't like this newsletter, then sue me.
Writers Wanted: We are always looking for interesting articles to use in
Critical Mass, and if you feel that you have information that might be useful
in some way, then please contact me and we will see if it is good enough for
an upcoming issue of Critical Mass.

                                                  The Beaver
                                                  Send Email To:
                                                  (904)997-6127
                                                  The Back Door BBS

In this issue of Critical Mass.....
___________________________________________________________________________
l                                                                         l
l   Editorial / The Suchan Busts                                          l
l   A Few Tid-Bytes about Unix                                            l
l   Hacking Offa LUIS Terminals                                           l
l   Hacking AF Gateways                                                   l
l   Hacking Extenders                                                     l
l_________________________________________________________________________l

______________________________
l                            l
l  Editorial                 l
l  By The Beaver             l
l____________________________l

Boy, has it been a pretty lame time for Tallahassee and its local computer
users. The problem: Taylor Suchan, the "hacker" busted recently, or at least
that's what the Tallahassee Democrat would like you to believe, that he is some
sort of whiz kid with a computer and a "hacker" among "hackers". Personally, I
don't think the boy would know a VAX if you hit him on the head with one. Not
to mention the fact, from what I understand, that he couldn't produce a simple
piece of BASIC code if his life depended on it. So where does the Democrat get
off calling this lad a computer whiz kid? It seems that he used his superior
intellect to break into local computer stores here in town and steal computer
hardware. How does that make him a computer whiz kid? Your guess is as good as
mine. The best description I have heard so far was at a keg party where a
friend of mine was chatting with me about this recent bust. He said, "So they
called him a computer hacker because he broke into a bunch of places and stole
computer equipment? Hmm, that's strange, that's about equal to me stealing this
keg of beer and having the TPD and the Democrat call me an excellent brewer,
and not just a keg thief".
I must say, I have to agree with that. The worst part, it seemed to me, was
that he really did not seem to be bothered by businesses in town that were
having trouble making ends meet. As a matter of fact, he went to the Democrat
and proclaimed that he was a victim himself. It is to my knowledge that the guy
has never been in a hacking organization in his life. Not the SAOO or the SH/CA
or PALS, to my knowledge. I do know that for a short while he was trying to get
a back board started on his old BBS, "The Gothic PlayGround", before he was
busted, but I think, lucky for all of us, it never really got off the ground.

Well, all is safe now. Taylor has been arrested, and with any luck the computer
stores will get their equipment back, but knowing the TPD and FDLE (Florida
Department of Law Enforcement), that might still be a while from now. My own
personal opinion about their investigations on computer crimes is that they
are not too swift with handling these types of cases. A source told me that
the first time Taylor was busted, they found two Paradyne 9600 baud modems and
it took them a few minutes to figure out that they were leased line modems,
and that they were probably bought at a state warehouse sale or something.
Well, at any rate, I have not had this much fun watching a bust since the
mid-80's Steve Lewis busts, for those of you who can remember that. I didn't
like that guy much. The same source that told me about the Paradyne modem
story also informed me that FDLE now has every issue of Critical Mass and The
IBM Home Destruction Kit, not to mention a few hack buffers of various hack
boards, to say the least, so I guess they are having some interesting reading,
but that does not really bother me too much. So what's the moral..... Keep
them decks locked in at night and have fun.

In other interests, Shadow and I are working on an underground internet BBS,
but this is still in the making. Should be interesting though.
It will be running on a VAX/VMS somewhere in America, but as I said, this is
still in the making. If you wish to get details on it, please contact me or
the Shadow Hacker at one of our interesting BBS's here in town. I am personally
hoping that it works out. Talk about a FAST board.... Yesh! We are hoping to
have types from all over the country hang out there after a late night of
wandering through that maze we love... Internet. Hopefully, we will have the
hack types from Chicago at Terminal Enterprises call, along with many others.
As I said, just drop me a line. Well, other than that, there ain't too much
going on, so let's go ahead and let this issue of Critical Mass unfold......

_____________________________
l                           l
l  A Few Tid-Bytes On UNIX  l
l  By The Beaver            l
l___________________________l

I myself am not particularly fond of the Unix OS, but it sure as hell beats
MS-DOS any day. This OS was created by Bell Labs in the 60's, and is now one of
the most popular OS's on minis today. The great thing about it is that it can
support multiple users, has nice multi-tasking capabilities, and is generally
fun to hack. It can be used on anything from your average IBM PC to a VAX 6320,
and is great for networking, because a program that runs on one Unix machine
can probably be run on another Unix machine. There are many other types of
Unix look-alikes (i.e. Ultrix, etc.) but they all pretty much run the same. If
you have no idea what Unix looks like, or what the commands are, go to your
local library and check out a book or two. This is another feature that makes
Unix type systems nice..... There's lots of info....

First off, we will start with a system where all we have is front door access
(i.e. you can't connect up to it through the Internet and do fingers on it, so
you have no idea what you are dealing with). I start here because, as I always
stress, you must look for the most obvious things first, such as test accounts,
etc. on the system.
Besides this, there are also a few users that you should always try, because
they are almost always there. They are......

   uucp
   nuucp
   who
   nobody
   guest
   root

Note: Unix systems ARE case sensitive, so keep this in mind; when I say
something about Unix, be it a command or username, the casing IS important.

The first one you will notice is "uucp". This is a Unix networking protocol to
send files from one Unix machine to another, a lot like FTP in some cases. Now,
this will almost always be on there, and a lot of times you will find them to
be open access. Now, I know you're thinking, damn, just type uucp and I am in
on a Unix machine? Well, no. This is not always the case. When setting up the
system, the system administrators are supposed to set up the account with a
"public/uucp/spool" access, or no shell. When you use a Unix machine with a
username, you get a certain shell, be it an 'sh' shell or better yet a 'ksh'
shell. Imagine what happens when, programming in BASIC on your IBM, you type
the word "shell". What happens??? It loads your command interpreter and gives
you a DOS prompt, or in BASIC's case a DOS shell prompt. Now imagine when you
connect up to a Unix machine: after you enter your username and password, it
looks at your access and shell capability (if you have any) and then says "Ok,
he has access to 'sh'" ('sh' being the shell type; see the Unix manual you got
at the library), and it loads up an 'sh' shell. Now let's say I give it no
shell but a program to run, say uucp. How can you get to a shell when you have
no access to one? Well, at any rate, the whole point is that sometimes they
forget the 'public/uucp/spool' and give you a 'public/uucp/sh', and then you
can not only use uucp to transfer files with, but also, at their 'login:'
prompt, enter the system by simply typing 'uucp', and if a shell is there...
Tada! You got an account!

Now, let's look at another nice feature about Unix outside the box on the
Internet. We will use the command 'finger'.
For our example here, the Internet address will be "The.Unix.We.Want". Now
sometimes you can get Unix to do really nice stuff for you on the Internet, if
the machine that you are targeting is on the Internet. I have seen quite a few
machines that will actually hand you a user listing right off their machine,
no questions asked. On some Unix systems, if they will let you, you can
'finger' certain people off of a certain machine. That is to say, on our
example system, we will say that there is a guy named "bob" on the remote
system that we want. First, just to show the less experienced, we will do a
full finger of all current users on-line... So we would do the following.....

   finger @The.Unix.We.Want

This will give all the current users on-line. Now we want to finger "bob".
Note: It doesn't matter if bob is on-line or not; if user arguments are
permitted, it will tell you what it knows about "bob"...... We would type
this......

   finger bob@The.Unix.We.Want

and get back something like......

   Login: bob                      In real life: Bob Smith
   Last Time On: Sept 18, 1991     From tty04a
   Plan:
   I have no plan.

Or something to this degree. It will sometimes include other things like plans
and phone numbers, but this shall do (remember phone numbers; you can sometimes
use them for a social engineer). Now here is where it can get interesting on
some machines.... Let's say that there is more than one user with the "In real
life:" name of "bob". I have found in many cases it will show you ALL the users
with the name "bob"! So from here, open a buffer and start fingering common
names such as bob, john, dave, david, mary, etc. One time I entered "student"
and got over 400 usernames on a system and was in it the next day.

Ok, now you're inside the machine. What do you do? Get all the usernames!
Easy: the password file is a public access file, and anyone can get it, BUT
all the passwords are encrypted, so all you really get is "Login Name:Encrypted
Password:ID:Group ID:Name/Login Dir". To get this file, I would use the command
"cat".
This is sort of the equivalent of the command "type" on an IBM machine. The
password file will be in the "/etc" directory. So to get the password file,
type......

   cat /etc/passwd

Make sure that buffer is open. You will notice that all the passwords will be
complete gibberish, but after getting the file, the first thing I look for is
accounts with no passwords. This is easy to spot, because if the account has a
password, Unix will have something to encrypt... If not, it will leave it
blank. For example, we'll say "bob" did have a password, so his entry in the
passwd file will look something like.......

   bob:!Wrf$QAASj$:12:12:Bob Smith:/sh

Note the format; the ":" separates everything..... Like thus.....

   LoginName:Password:ID:GroupID:Name:Dir(Shell)

So.........

   bob:!Wrf$QAASj$:12:12:Bob Smith:/sh
   ^   ^
   l   Password (Encrypted)
   LoginName

But let's say "john" has no password (keep in mind the format); his would be
something like......

   john::12:12:John Doe:/sh

See the "::"? There ain't no password. You can usually pick up a few accounts
by doing this....

Now there are even other ways. But these take a little C programming knowledge
and use of a function called "crypt". I once read, by a hacker in a book, that
you can do a method called "Hashing Passwords" on Unix systems. Though I have
never tried it, here's how it is done......in the author's words.

"In that file, the password is HASHED... It would be a pain in the %$@# to find
a hashed password... But I think that it can be done. On smaller systems all
you have to do to get a password is find the ROOT:#####: where #### will be
gibberish. To DE-crypt the Unix, put that gibberish in a file and type CRYPT
Unix"

---====---

Note: I am starting a series of articles on a system I have pretty much
mastered: hacking VMS, inside and out. Coming soon. That should be huge and
filled with all sorts of stuff for ya, with only new methods that I know about,
along with a few others!
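The two passwd checks the article walks through (the "::" empty password field, and a uucp-type account that was given a shell instead of a restricted program) as an added audit script for the administrator side; this is example code written for this edit, not the article's or any project's own. It assumes the standard seven-field /etc/passwd record (login:password:uid:gid:gecos:home:shell), where the article's samples collapse the last two fields into one, and the sample records are constructed.

```python
"""Audit /etc/passwd-style records for the two weaknesses the article
describes: an empty password field, and a file-transfer/service account
(uucp, nuucp, guest, ...) that has an interactive shell.
Uses the standard seven-field record; sample data is constructed."""
from dataclasses import dataclass

# Service logins the article says are "almost always there".
SERVICE_ACCOUNTS = {"uucp", "nuucp", "who", "nobody", "guest"}
# Interactive shells; a service account should get a restricted program
# (e.g. uucico for uucp) rather than one of these.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/ksh", "/bin/csh", "/bin/bash"}


@dataclass
class PasswdEntry:
    login: str
    password: str  # encrypted password, or "" when the field is empty
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Parse one login:password:uid:gid:gecos:home:shell record."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}: {line!r}")
    login, password, uid, gid, gecos, home, shell = fields
    return PasswdEntry(login, password, int(uid), int(gid), gecos, home, shell)


def audit_passwd(text: str) -> list[tuple[str, str]]:
    """Return (login, finding) pairs for every weak record in the file text."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_passwd_line(line)
        if entry.password == "":
            # The "::" case from the article: the login needs no password.
            findings.append((entry.login, "empty password field"))
        if entry.login in SERVICE_ACCOUNTS and entry.shell in INTERACTIVE_SHELLS:
            # The mis-set uucp case: a transfer account that drops into a shell.
            findings.append((entry.login, f"service account has interactive shell {entry.shell}"))
    return findings


# Constructed sample file; the hash strings are placeholders, not real crypt(3) output.
SAMPLE_PASSWD = """\
root:xPq7mK2LwQa9c:0:0:Super user:/:/bin/sh
bob:!Wrf$QAASj$:12:12:Bob Smith:/usr/bob:/bin/sh
john::13:12:John Doe:/usr/john:/bin/sh
uucp:aB9YsTr4kLm2e:5:5:UUCP transfer:/usr/spool/uucppublic:/usr/lib/uucp/uucico
nuucp:Zk2LpQw8nVb3d:6:5:UUCP transfer:/usr/spool/uucppublic:/bin/sh
guest::100:100:Guest account:/usr/guest:/bin/ksh
"""

if __name__ == "__main__":
    for login, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{login}: {finding}")
```

Run against a real file with `audit_passwd(open("/etc/passwd").read())`; on the sample it reports john (empty password), nuucp (shell on a transfer account) and guest (both).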
_______________________________
l                             l
l Hack'in Offa LUIS Terminals l
l  By The Beaver              l
l_____________________________l

First off, I ain't talking about hacking LUIS (Library System for Florida
Universities), because that would not only be boring, but stupid, considering
they ARE public access terminals, but rather how to go up to ANY LUIS terminal
and hack off of it. First let me tell you about me and Shadow Hacker's little
hack adventure. One day we decided to go to one of the FSU libraries to do
some goofing off, basically. We were there to look up some information and
were using the LUIS terminal. The deal was that we found a "reset" button
(open cover on the front) and went, "hey, let's watch this thing reboot and see
what it does!" A normal question for typical hackers to ask. So we did it. As
it rebooted, I saw something that looked real interesting. I saw it say, for a
split second, "NERDC ACTIVE", but then it auto-signed on. I told Shadow what I
saw and we knew what it meant, and so shall you in a moment. It meant that they
were hooked up through NERDC (North West Regional Data Center), better known as
a "VTAM" type of machine. I had hacked on it before and knew of a few places to
get to from it. Now it was time to try and fool the server equipment. My idea
was, when it 'auto-signed on', to give it a few extra characters so it would
never get to LUIS. We tried it, but it failed. Shadow said to me, "There has to
be a way to break out". About five seconds after this statement, with a little
luck and skill, he found it! Now we are in VTAM hell, or so we thought, until
I showed Shadow how to get to FIRN and then go to TYMNET and then go to TYMNET
in Atlanta! So we're standing at this terminal, supposed to be looking up
books, but we are sitting on the TYMNET link to Atlanta! Ha! The world is open
to us, not to mention all the other data centers! Here is how it is done. Walk
up to ANY LUIS terminal and hit these key arrangements in order......
   ALT - ATTN   (the ATTN key will be on the far left side of the keyboard)
   Return
   ALT - ATTN
   Return

Hit Return (Note: the key that says "Return" on it, not the standard place
where the return key is!) a few times. You will now see "NERDC ACTIVE". Here
is where you can have some fun. From here, you can type.....

   FIRN

Bam, you're at the beloved "FIRN". You can play there, but let's say you want
to go to Tymnet; at the FIRN prompt type.....

   TYMNET

Bam, you're on Tymnet. You can play there (read "hacking tymnet"). Now let's
say you get bored with Tallahassee Tymnet; at the Tymnet prompt (Tymnet is
exactly the same as FIRN, for they are one and the same) type....

   NEA

Bam, you're at Tymnet in Atlanta. The options are endless! And pretty safe
too. There are other nets you can go to, like Florida State Government
systems. To disconnect and get help on all the "server" commands, hit a few PF
keys (right side of the keyboard) till you get the hang of it. Now go back to
the "NERDC ACTIVE" crap and type.....

   NWRDC

Now you're at North West Regional Data Center, and you can get to all the
Florida data centers, but WARNING! You are on a NERDC terminal and all the
data centers work together! So if you are trying to hack CICS (which we did,
then realized we could have seriously fucked up!), it will send what terminal
you are at! I don't just mean the city, I mean all the way to the exact
terminal! All they have to do is look it up and they can tell basically where
you are currently standing/sitting! CICS, for instance, is a state accounting
system, and they don't take kindly to being hacked! A little safer method to
get to FIRN and all that is to connect to FSU1 via username "IBM" and then go
to NWRDC, but really, this ain't no safer, but you can do all the exact same
things. Considering Tymnet has nothing to do with NERDC, the terminal
identification will not be passed on.
But through the terminals at FSU libraries (look for CDCnet terminals), you
can pretty much get anywhere you want from there, or you can call from home
and go to FIRN, though from home it is a SLOW loop, but it works well to do
safe hacking on Tymnet. Anyway, just take this sloppy article and copy down
the commands and see what you can do. It's very easy to get the hang of and
have fun. So the next time one of you young hackers gets your deck taken away,
say "hey mom, drive me to FSU so I can look up some stuff", then hack all day!
Or if you are just in the region or outta a line, go there! Have fun.

---====---

_______________________________
l                             l
l  Hacking AF Gateways        l
l  By Dementia Meister        l
l_____________________________l

Hey, here is a trick for using the military gateways. If you want to go
through a military gateway, just TELNET to it; there is no login, only a
password check. When asked to enter the password, enter the name up to the
part '.AF.MIL'. I.e.... the IZMIR-GW.AF.MIL password is IZMIR-GW. This is a way
to use them as relays to reach 'not reachable host'(s). Have fun.

Here is a list of some Air Force Gateways, plus there is a lot more. (See
P.A.L.S. issue #1 for a more complete list.)

                                        -=[ ]). |\|\. ]=-  (Dementia Meister)

CREDIT(s): Abigail and I (]). |\|\.) found out this neat little trick about
the gateways one late night, bored off our ass.

_____________________________
l                           l
l  Hacking Extenders        l
l  By The Beaver            l
l___________________________l

Extenders come in all colors, shapes and sizes, and are generally pretty cool
to hack off of.
They are very useful in hacking what would be direct numbers and sometimes
long distance. First off, let's talk a little bit about extenders and the
different types of them. An extender is a number that one can call, and by
calling this number you can go to multiple places by entering an extension.
This is not to be confused with VMBs (Voice Mail Boxes); it actually connects
you to the desired extension or fone number. Here is an example....

I commonly call a great little extender (contact me for details), which is a
1-800 number. Now, when I call it, I get "Welcome To The (something or other,
too soft to tell) Network. Please enter the 4 digit code to the office you are
calling". From here, I enter with ye old touch-tones "5533" and await a
carrier. From there I connect to a DECnet and go to a variety of places,
because I know that this extender serves a certain prefix, so the 4 digit code
is actually the exchange I want to call; so in effect it ends up being a free
LD call, and the system I am calling will have a hard time tracing! Caught
your interest? But wait, there is a catch. 800 numbers you can trace off due
to 90's equipment switching (ESS shit, you know). To get an idea of how fast
this shit can work, dial 811 (ANI for our area) and you will see! That's why
it is better to do this shit from a pay fone, though I have used extenders
from time to time from home. You just have to watch how you do it.

Now there are other types of extenders, the kind companies use, that require
an access code. With these you really have to watch your ass. These are
sometimes better in that you can usually call anywhere in the US and sometimes
outside. The thing is that when the access code you hacked gets busted, one of
two things might happen. They will just kill the code, or they will attempt to
bust you by strapping a fake carrier there or a fake busy signal to keep you
calling back so they can identify you easier.
It ends up, or at least the story goes, that a few fone phreaks found out
about these nifty guys years ago. They found a number in Florida that was
owned by an orange vendor, and his personnel would call this number and enter
the number that they wanted to connect to (note: there were no access codes).
Now, at some point in time a few phreaks found this and thought "cool, I'm not
even box'in!" and explored. Well, the orange vendor found out what was
happening and killed the whole thing. Phreaks, like Capt. Crunch, started to
check these out. Then the companies who made these devices started to add on
access codes, so phreaks wrote programs for their machines to crack 'em.
Here's the way they were based.....

   1> Call the extender
   2> Enter an access code
   3> Enter the destination fone number
   4> Was there a carrier? If there was, this code is good.

Remember though, the only place to hack on coded ones now is from a fortress
fone. Codes can be 6-12 chars long.... maybe longer.

Let's discuss some of the different types of extenders:

   Local-in-Local-out
   WATS-in-Local-out
   WATS-in-WATS-out

By far the best to get is the last, 'cause then you can call anywhere.
Usually, these are protected by access codes though. Now, believe it or not,
there are still ones that you can use that require no access code, like the
one I talked about above that I like to use, which is a WATS-in-Local-out.
Now, on the one that I was talking about, I have used it and found other
extenders through it! That's right, call an extender that serves one prefix,
out to a seven digit extender through the first! To hack these, you can use
programs like AIO (All In One Hacker), or Code Thief, or any of the other
programs out there that hack on extenders. Writing one is not that
difficult.... All they have to do is the following:

   1> Call the extender
   2> Enter an access code followed by....
   3> Destination number that has a carrier (FIRN, or something that you know
      will not be busy)

As I said, it would be a good idea to either hack off a fortress fone or hack
through another extender. Extenders like this are easy to find. Look in your
local fone book for stuff like SPRINT extenders and such. Just keep in mind
the warnings.

Now, what good are Local-in-Local-out extenders? Well, now that you have seen
an ANI ("811" automatic number identifier) in action, think about direct
hacks. Let's say you have been wargaming an area and found a nice system that
you would like to attempt to gain access to, but you're afraid of a trace.
Well, call a local extender and go to that system. These are really easy to
find, plus if you get traced, they get the extender number and you know what
they were up to, but, ha, they ain't got shit. How to find these? These are
easy. A lot of times you will find that when you call them, the message will
usually say something like, "This is (insert name here). No one's around, so
please leave a message or enter the (office/extension) you wish to connect
to." The best places I find these guys in our area are the 599, 488 and 487
prefixes. The way I scan for them is I wrote a little program that dials the
modem sequentially through the numbers I give it. I just grab a glass of
milk/coffee or whatnot, and dial away, hitting the space bar to hang up. I
just listen to what I hit and record numbers I find interesting. Not only is
this a good way of doing this, but you can also record other interesting fone
numbers (beepers/systems/fone testing equipment/etc.). Now, one note with
hacking a carrier with an access code: do it in random order; this is because
it is easy to identify that someone is hacking their extender. Here are two
extenders that will show you the range that they can go through....

   (904)487-7766 - Dial tone (this guy has never been hacked)
   (904)487-7762 - Apex dialup port.

Now, you can scan for WATS-in-Local-out the same way you did it local.
With the little program I was talking about above. Remember, as with
wargaming, don't overdo it. Don't do 4000 numbers. One more thing before I let
you go with extenders: if I get a recording, I hit the touch-tones. A lot of
the time it will be a VMB, but you never can tell. At any rate, this is all
just very basic info, just enough to get one started, and it's something to
play with. At any rate.... Chow

---====---

_______________________________
l                             l
l  Final Notes                l
l_____________________________l

Welp, that's all folks! You may have noticed that there is no letters
section... The reason is simple. It has been a pretty good while since a
Critical Mass has come out, so I have either not captured my mail or I have
not gotten any mail worth printing here. At any rate, the next Critical Mass
should be all about VMS. The only things it will contain will be the normal
editorial, letters, final notes and hacking VMS. The hacking VMS series should
be pretty big, and might take up not only Critical Mass #6 but possibly #7 and
#8 as well! At any rate, it's been real and happy hacking...

---====---

Special Thanks To: The Shadow Hacker, Section 8 for the place to hang,
Dementia Meister, Abigail, Darth Vaider, anyone I might have missed, and of
course, all members of the SAOO.

A Special "I hope you die" to: All NFSA sysops.