|
Massive guide (complete I might also add) to hacki
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
------------------------------------------------------------------------------
%%%%%%%%%%%%%%%%%%%%%%%%%%%%-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
% THE NEOPHYTE'S GUIDE TO HACKING %
% =============================== %
% 1993 Edition %
% Completed on 08/28/93 %
% by %
%% >>>>> Deicide <<<<< %%
%%% %%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
< The author of this file grants permission to reproduce and >
< redistribute this file in any way the reader sees fit, >
< including the inclusion of this file in newsletters of any >
< media, provided the file is kept whole and complete, >
< without any modifications, deletions or ommissions. >
< © 1993, Deicide >
INTRODUCTION:
============
------------
Over four years ago the final version of the LOD/H's Novice's Guide to
Hacking was created and distributed, and during the years since it has served
as a much needed source of knowledge for the many hackers just beginning to
explore the wonders of system penetration and exploration.
The guide was much needed by the throng of newbies who hadn't the
slightest clue what a VAX was, but were eager to learn the arcane art of
hacking. Many of today's greats and moderates alike relied the guide as a
valuable reference during their tentative(or not) steps into the nets.
However, time has taken it's toll on the silicon networks and the guide is
now a tad out of date. The basic manufacturer defaults are now usually secured
, and more operating systems have come on the scene to take a large chunk of
the OS percentile. In over four years not one good attempt at a sequel has
been made, for reasons unbeknownst to me.
So, I decided to take it upon myself to create my own guide to hacking..
the "Neophyte's Guide to Hacking" (hey..no laughing!) in the hopes that it
might help others in furthering their explorations of the nets.
This guide is modelled after the original, mainly due to the fact that the
original *was* good. New sections have been added, and old sections expanded
upon. However, this is in no means just an update, it is an entirely new guide
as you'll see by the difference in size. This guide turned out to be over 4
times the size of The Mentor's guide.
Also, this guide is NOT an actual "sequel" to the original; it is not
LOD/H sponsored or authorized or whatever, mainly because the LOD/H is now
extinct.
One last thing.. this guide is in no way complete. There are many OS's I
did not include, the main reasons being their rarity or my non-expertise with
them. All the major OS's are covered, but in future releases I wish to include
Wang, MVS, CICS, TSO, SimVTAM, Qinter, IMS, VOS, RSX, and many more. If you
feel you could help, contact me by Internet email or on a board or net(if you
can find me). Same thing applies for further expansion of current topics and
operating systems, please contact me.
AT&T's Sys75/85 was not included in this release. Reason being is although
I have the defaults I have no practical experience with Sys75 and I didn't
believe I could do it justice. We don't have them in my area of Western Canada
, and I don't like using other peoples accounts(I was given a few). If you
want to assist with the Sys75 area for next release, feel free to contact me.
Ok, a rather long intro, but fuck it.. enjoy as you wish..
Deicide - 71511.514@compuserve.com
ETHICS/SAFETY:
=============
-------------
One of the most integral parts of a hacker's mindset is his set of ethics.
And ethics frequently go hand in hand with safety, which is obviously the most
critical part of the process of hacking and the system exploration, if you
plan to spend your life outside of the gaol.
A hacker's ethics are generally somewhat different from that of an average
joe. An average joe would be taught that it is bad to break laws, even though
most do anyways. I am encouraging you to break laws, but in the quest for
knowledge. In my mind, if hacking is done with the right intentions it is not
all that criminal. The media likes to make us out to be psychotic sociopaths
bent on causing armageddon with our PCs. Not likely. I could probably turn the
tables on the fearmongering media by showing that the average joe who cheats
on his taxes is harming the system more than a curious interloper, but I
refrain.. let them wallow..
The one thing a hacker must never do is maliciously hack(also known
as crash, trash, etc..) a system. Deleting and modifying files unnecessary is
BAD. It serves no purpose but to send the sysadmins on a warhunt for your head
, and to take away your account. Lame. Don't do it.
Anyways, if you don't understand all of these, just do your best to follow
them, and take my word for it. You'll understand the reasoning behind these
guidelines later.
I. Don't ever maliciously hack a system. Do not delete or modify files
unnecessarily, or intentionally slow down or crash a system.
The lone exception to this rule is the modification of system logs and
audit trails to hide your tracks.
II. Don't give your name or real phone number to ANYONE, it doesn't matter
who they are. Some of the most famous phreaks have turned narcs because
they've been busted, and they will turn you in if you give them a
chance. It's been said that one out of every three hackers is a fed, and
while this is an exaggeration, use this as a rule and you should do
fine. Meet them on a loop, alliance, bbs, chat system, whatever, just
don't give out your voice number.
III. Stay away from government computers. You will find out very fast that
attempting to hack a MilTac installation is next to impossible, and will
get you arrested before you can say "oh shit". Big Brother has infinite
resources to draw on, and has all the time it needs to hunt you down.
They will spend literally years tracking you down. As tempting as it may
be, don't rush into it, you'll regret it in the end.
IV. Don't use codes from your own home, ever! Period. This is the most
incredibly lame thing i've seen throughout my life in the 'underground';
incredible abuse of codes, which has been the downfall of so many people.
Most PBX/950/800s have ANI, and using them will eventually get you
busted, without question. And calling cards are an even worse idea.
Codes are a form of pseudo-phreaking which have nothing to do with the
exploration of the telephone networks, which is what phreaking is about.
If you are too lazy to field phreak or be inventive, then forget about
phreaking.
V. Don't incriminate others, no matter how bad you hate them. Turning in
people over a dispute is a terrible way to solve things; kick their ass,
shut off their phones/power/water, whatever, just don't bust them.
It will come back to you in the end..
VI. Watch what you post. Don't post accounts or codes over open nets as a
rule. They will die within days, and you will lose your new treasure.
And the posting of credit card numbers is indeed a criminal offense
under a law passed in the Reagan years.
VII. Don't card items. This is actually a worse idea than using codes, the
chances of getting busted are very high.
VIII. If for some reason you have to use codes, use your own, and nothing
else. Never use a code you see on a board, because chances are it has
been abused beyond belief and it is already being monitored.
IX. Feel free to ask questions, but keep them within reason. People won't
always be willing to hand out rare accounts, and if this is the case
don't be surprised. Keep the questions technical as a rule. Try and
learn as much as you can from pure hands on experience
X. And finally, be somewhat paranoid. Use PGP to encrypt your files, keep
your notes/printouts stored secretly, whatever you can do to prolong
your stay in the h/p world.
XI. If you get busted, don't tell the authorities ANYTHING. Refuse to speak
to them without a lawyer present.
XII. If police arrive at your residence to serve a search warrant, look it
over carefully, it is your right. Know what they can and can't do, and
if they can't do something, make sure they don't.
XIII. If at all possible, try not to hack off your own phoneline. Splice your
neighbour's line, call from a Fortress Fone, phreak off a junction box,
whatever.. if you hack long enough, chances are one day you'll be
traced or ANI'd.
Don't believe you are entirely safe on packet-switched networks either,
it takes a while but if you scan/hack off your local access point they
will put a trace on it.
XIV. Make the tracking of yourself as difficult as possible for others.
Bounce the call off several outdials, or try to go through at least two
different telco companies when making a call to a dialup.
When on a packet-switched network or a local or wide area network,
try and bounce the call off various pads or through other networks
before you reach your destination. The more bounces, the more red tape
for the investigator and the easier it is for you to make a clean
getaway.
Try not to stay on any system for *too* long, and alternate your calling
times and dates.
XV. Do not keep written notes! Keep all information on computer, encrypted
with PGP or another military-standard encryption program.
Written notes will only serve to incriminate you in a court of law.
If you write something down originally, shred the paper.. itty bitty
pieces is best, or even better, burn it! Feds DO trash, just like us,
and throwing out your notes complete will land in their hands, and
they'll use it against you.
XVI. Finally, the day/night calling controversy. Some folks think it is a
better idea to call during the day(or whenever the user would normally
use his account) as to not arouse the sysadmin's suspicion of abnormal
calling times, while others think it is better to call when nobody is
around.
This is a tough one, as there is no real answer. If the sysadmin keeps
logs(and reads over them) he will definetly think it strange that a
secretary calls in at 3 am.. he will probably then look closer and find
it even stranger that the secretary then grabbed the password file and
proceeded to set him/herself up with a root shell.
On the other hand, if you call during the time the user would normally
call, the real owner of the account may very well log in to see his
name already there, or even worse be denied access because his account
is already in use.
In the end, it is down to your opinion.
And remember, when you make a decision stick to it; remember the time
zone changes.
WHERE TO START
==============
--------------
Probably the hardest period in hacking is that of when you are first
starting. Finding and penetrating your first system is a major step, and can
be approached in many ways. The common ways to find a system to hack are;
- UNIVERSITIES : Universities commonly have hundreds of users, many of
which aren't too computer literate, which makes
hacking a relatively simple chore. And security is
often poor, so if you don't abuse the system too much
your stay could be a long one.
On the other hand, for a nominal fee you can usually
pick up a cheap *legitimate* (now there's a concept)
account. Or you could enroll in the university for
a few credits, and just go until the accounts are
handed out. Unfortunely, if you are caught hacking
off your own account it won't be hard to trace it
back to you. If you get a legimate account at first,
you might be best to hack a student's account for your
other-system hacking.
The other fun part about universities is often they
will provide access to a number of nets, usually
including the Internet.
Occasionally you'll have access to a PSN as well.
- CARRIER SCANNING: Carrier scanning in your LATA(Local Access Transport
Area), commonly known as wardialing, was popularized
in the movie War Games.
Unfortunely, there are a few problems inherent in
finding systems this way; you are limited to the
systems in your area, so if you have a small town you
may find very little of interest, and secondly,
ANI is a problem within your own LATA, and tracing is
simple, making security risks high. If you are going
to hack a system within your own lata, bounce it at
least once.
There are many programs, such as ToneLoc and CodeThief
(ToneLoc being superior to all in my humble opinion),
which will automate this process.
- PACKET-SWITCHED : This is my favorite by far, as hacking on PSNs is how
NETWORKS I learned nearly all I know. I've explored PSNs
world-wide, and never ran out of systems to hack.
No matter what PSN you try you will find many
different, hackable systems. I will go more indepth
on PSNs in the next section.
PACKET-SWITCHED NETWORKS
========================
------------------------
Intro to PSNs
=============
First off, PSNs are also known as PSDNs, PSDCNs, PSSs and VANs to name
a few. Look up the acronyms in the handy acronym reference chart<g>.
The X.25 PSNs you will hear about the most are; Sprintnet(formerly
Telenet), BT Tymnet(the largest), and Datapac(Canada's largest).
All these networks have advantages and disadvantages, but i'll say this;
if you are in the United States, start with Sprintnet. If you are in Canada,
Datapac is for you.
The reason PSNs are so popular for hackers are many. There are literally
thousands of systems on PSNs all around the world, all of which(if you have
the right facilities) are free of charge for you to reach. And because of the
immense size of public PSNs, it is a rare thing to ever get caught for
scanning. Tracing is also a complicated matter, especially with a small
amount of effort on your part to avoid a trace.
How packet-switching works
==========================
The following explanation applies for the most part to all forms of
packet-switching, but is specifically about PSNs operating on the X.25
protocol, such as Datapac & SprintNet, as opposed to the Internet which
operates on TCP/IP. It is the same principle in essense, however.
Packet-Switched Networks are kinda complicated, but I'll attempt to
simplify the technology enough to make it easy to understand.
You, the user, connect to the local public access port for your PSN,
reachable via a phone dialup. You match communications parameters with the
network host and you are ready to go.
From there, all the data you send across the network is first bundled into
packets, usually of 128 or 256 bytes. These packets are assembled using
Packet Assembly/Disassembly, performed by the public access port, also known
as a public PAD(Packet Assembler/Disassembler), or a DCE(Data Communicating
Equipment or Data Circuit-Terminating Equipment).
The packets are sent along the network to their destination by means of
the various X protocols, standardly X.25 within your home network, and
internationally using X.75/X.121. The X protocol series are the accepted CCITT
standards.
The host system(DTE: Data Terminal Equipment, also a PAD) which you are
calling then receives the packet and disassembles the packet using Packet
Assembly/Disassembly once again into data the system understands.
The DTE then assembles it's data in response to your packet, and sends it
back over the network to your PAD in packet form, which disassembles the
packet into readable data for you, the user.
And that is the simplified version!
The Internet - Introduction
===========================
Contrary to popular belief, the Internet is a packet-switched network;
just not an X.25 packet-switched network. The Internet operates on the TCP/IP
protocols(as a rule), which is why it is sometimes disregarded as a
packet-switched network. In fact, the Internet's predecessor, the ARPAnet,
was the first large-scale experiment in packet-switching technology. What was
then Telenet came later.
The confusion comes from peoples ignorance of the principles of
packet-switching, which is simply a type of network, explained in technical
detail earlier. It doesn't matter what protocols the network may use, if
packet-switching is in use it is obviously a packet-switched network.
Ok, now you may have noticed that the Internet has a rather small section,
which is true. The reasons are many. This is a hacking guide, not an Internet
tutorial, so I didn't include the IRC or Archie or whatever. And the main
reason is I spent about 100% more time on X.25 nets than I did the Internet.
Nonetheless, I decided to include the essential aspects of the Internet.
You should be able to take it from there.
The following section is derived mostly from personal experience, but
the Gatsby's Internet file helped out somewhat, specifically in the classes
of IP addresses.
Getting Access
--------------
Getting access is somewhere between easy and very difficult, depending
where you live and how good(or lucky!) a hacker you are.
First of all, if you are going to hack on the Internet then you must be
on a system that has full Internet access, not just mail. That cuts Compuserve
and Prodigy out of the picture.
Most universities and some high schools have Internet access, see what
you can do to get yourself an account, legitimatly or not.
Some BBSes offer full Internet access for a fairly reasonable price, and
that would be a good choice.
If you are in an area with a FreeNet, then you get full Internet access..
for free! Check around with local hackers or PD boards to inquire where the
nearest FreeNet is.
Some businesses provide Internet access, for a price. Check with local
netters to see what local options there are.
And lastly, you can try and hack your way on. When you hack a system,
check and see if they are on the net. Usually this is accomplished by doing
a test call using telnet.. explained later.
FTP
---
FTP is the acronym for File Transfer Protocol, and it is the primary means
of transporting remote files onto your own system(actually, usually the
system which you are calling the Internet through).
I will only provide a brief overview, as FTP is fairly easy to use, has
help files online and comprehensive documentation offline at your local h/p
BBS.
First off, FTP can be initialized by typing 'ftp' at any system which
has it. Most do, even if they don't have the Internet online. That a
frustrating lesson more than a few novices has learned.. if you hack into a
system that has FTP or telnet on line, it does not necessarily(and usually
doesn't) have Internet access.
When you enter the FTP utility, you'll usually find yourself at a 'ftp>'
prompt, and typing 'help' should bring up a small set of help files. The
commands available, along with the help files, vary from system to system.
Procedure is then defined by what type of system you are on, as again,
it varies. But what you usually do next is open a connection to the system you
want to get a file off of. Type 'open' followed by the host name or IP
address of the system you wish to connect to.. explained later.
Next, you will usually find yourself at a sort of login prompt. If you
have a username on that system, then type it in. If not, try 'anonymous'.
Anonymous is a great little guest account that is now being built in to some
OS's. Conscientious sysadmins may disable it, for obvious reasons. If however,
it is not, you will be asked for a password. Type anything, it doesn't matter
really. Type a few d's if you want, it really doesn't matter(as a rule don't
sit on your keyboard though.. it may not like it.. type something boring).
Next you simply use the 'get' command to get the file you want. Usually
it is a good idea to not put the files in a directory that they will be
noticed.. the sysadmin will suspect something is up if he runs into a few
files that he supposedly copied into his own directory. Which brings us to
the next segment.. give your files benign names, especially if they are
something like /etc/passwd files or issues of Phrack.
Now quit the FTP utility and peruse your new files.. be sure to remove
them when done.
Telnet
------
While FTP has no real parallel in X.25 networks, you could equate telnet
to a private PAD. Telnet lets you connect to and operate on Internet systems
over the Internet as if you were connected locally.
Telnet is initialized by typing 'telnet' at your shell. The operative
command is, again, 'open'. Again, type 'open' followed by the domain name
or the IP address. When connected, you will be at a login prompt of some
kind(usually..). Enter a username if you have one, and if not you can either
attempt to hack one or see if the system accepts the 'anonymous' guest user,
explained in the FTP section.
If all goes well, you should have a remote connection of some kind, and
what follows depends on the system you are connected to, just like in any
other network.
Domain Names and IP Addresses - Intro
-------------------------------------
For those of you unfamiliar with those terms I will give a small,
condensed explanation of what the two are.
One or the other is needed for connecting to a remote system, either by
FTP or Telnet. The IP address could be equated to the X.25 net's Network User
Address. The Domain name is a mnemonic name, used for convience more than
anything, as it is generally easier to remember.
If you wish to scan for systems on the Internet it is usually much easier
to scan by IP address, as you won't know the mnemonic for most systems.
IP addresses are 4 digit-combinations separated by dots. Address examples
are 192.88.144.3(EFF) and 18.72.2.1(MIT).
Addresses fall into three classes;
Class A - 0 to 127
Class B - 128 to 191
Class C - 192 to 223
The earliest Internet systems are all in Class A, but it is more common
to find class B or C systems. Moreover, a lot of systems are placed
specifically in the 128 or 192 address prefix, as opposed to 184 or 201 or
whatever. Scanning an IP address set can be accomplished in many fashions.
One of which would be to pick a prefix, add two random one to two digit
numbers, and scan the last portion. ie: take 192.15.43 and scan the last
digit from 0 to 255.
Unfortunely, the last portion (or last two portions in the case of Class
C) are ports, meaning you may come up completely blank or you might hit the
jack pot.
Experiment to your own liking, after a while you will fall into a
comfortable groove.
You can also connect to specific systems using the domain name, if you
know or can guess the domain name. To guess a domain name you will need to
know the company or organization's name, and the type of organization it is.
This is possible because host names must follow the Domain Name System, which
makes guessing a lot easier. Once you have both, you can usually take a few
educated guesses at the domain name. Some are easier than others.
First of all, you will need to understand the principle of top-level
domains. The top level is at the end of a domain name; in the case of eff.org,
the top-level is 'org'. In the case of mit.edu, the top-level is 'edu'.
Top levels fall into a few categories;
com - commercial institutions
org - non-profit organizations
edu - educational facilities
net - networks
gov - government systems (non military)
mil - non-classified military
Along with various country codes. The country codes are two letters used
for international calls; the US's is 'US', Brazil's is 'BR'.
Determine which top-level the system falls under, and then make a few
guesses. Examples are;
compuserve.com
xerox.com
mit.edu
eff.org
For further reading, I suggest picking up a few of the printed Internet
guides currently on the market, as well as the Gatsby's file on the Internet,
printed in Phrack 33.
X.25 Networks
=============
From here on in the PSN section of this file is dedicated to X.25
networks. I use the acronym PSN interchangably with X.25 networks, so don't
get PSN confused with all the other types of PSN networks. From here on in,
it is all X.25.
Network User Addresses
----------------------
NUAs(Network User Addresses) are the PSNs equivalent of a phone number.
They are what you need to connect to systems on PSNs around the world, and
thanks to the DNIC(Data Network Identifier Code), there are no two the same.
The format for entering NUAs is different from PSN to PSN. For example,
on Datapac you must include 0's, but on Sprintnet 0's are not necessary.
Tymnet uses 6 digits NUAs rather than the standard 8.
But the standard NUA format is this;
PDDDDXXXXXXXXSS,MMMMMMMMMM
Where; P is the pre-DNIC digit
D is the DNIC
X is the NUA
S is the LCN(Logical Channel Number, subaddressing)
M is the Mnemonic
Various segments may be omitted depending on your PSN and where you are
calling.
The P is commonly a 0, but is a 1 on Datapac. It is not usually even counted
as part of the NUA, but must be included(usage varying) when making calls
to another PSN other than your own. Within your own PSN it is not necessary
to include the pre DNIC digit.
The D is the DNIC also known as the DCC(Data Country Code). The DNIC is the
4 digit country code, which insures that each NUA worldwide is unique. The
DNIC is only used in calling international NUAs. If you are in Datapac(DNIC
3020) you do not have to include the DNIC for Datapac when making calls to
NUAs within Datapac, but if you are in another PSN you must include the DNIC
for calls to Datapac.
The X symbolizes the actual NUA, which along with the optional S
(subaddressing) must always be included. You can simplify the NUA even greater
using this format;
PPPXXXXX
Where P is the prefix of the NUA, and the X's are the suffix. The prefix
corresponds to an Area Code in most cases in that the NUAs within that prefix
are in a certain part of the country the PSN serves. In the case of Sprintnet,
the prefix corresponds directly with the Area Code(ie: all NUAs in the 914
prefix on Sprintnet are in New York, and all phone numbers in the 914 Area
Code are in New York).
Subaddressing, S on the diagram, is a somewhat complicated thing to explain.
Subaddressing is used when desired by the owner of the DTE, and is used to
connect to specified system on the same NUA. You may find more than one system
on the same NUA, and these can be reached using subaddresses.
ie:
NUA SYSTEM
PPPXXXXXSS
========== ===================
Ex.1 12300456 Unix
Ex.2 123004561 VMS
Ex.3 1230045699 HP3000
In this example, the normal NUA is 12300456(assuming DNIC and pre-DNIC digit
are not used). This NUA takes you to a Unix system. But when the LCN(Logical
Channel Number, subaddress) of 1 is used, you are taken to a VMS. And the
subaddress of 99 takes you to a HP3000. The systems on 12300456 are all owned
by the same person/company, who wished to have one NUA only, but by using
subaddresses he can give access to multiple systems on a lone NUA.
Subaddresses are also used occasionally as extra security. If you hit a system
that gives you an error message such as 'REMOTE PROCEDURE ERROR' or 'REMOTE
DIRECTIVE', you will either need a subaddress or a mnemonic. You may choose to
go through the entire possible subaddresses, 1 to 99, or if you are just
scanning i would suggest these: 1,2,50,51,91,98,99
Mnemonics, M, are another tricky one to explain. They are not documented by
the PSNs, I discovered them on my own. Mnemonics are also used to select
systems on a single NUA as a kind of port selector, but they are more commonly
used as a kind of external password, which prevents you from even seeing the
system in question.
The same error messages as in LCNs occur for mnemonics, but again, even if you
can reach a system with a standard NUA, there is a possibly a system only
reachable by mnemonic exists. Here is a list of commonly used mnemonics;
SYSTEM CONSOLE PAD DIAL MODEM X25 X28 X29 SYS HOST
Bypassing Reverse Charging Systems: Private PADs and NUIs
---------------------------------------------------------
Occasionally on PSNs you will run into systems which give you the
error message 'COLLECT CALL REFUSED'. This denotes a reverse-charging system.
When you make a call to a system on a PSN, the call is automatically collect.
But a lot of sysadmins do not want to pay for your connect charges, and if all
of their users have NUIs or private PADs, it is a good idea for them to make
their system reverse-charging, which saves them money, but also acts as yet
another security barrier from casual snoopers.
But again, this can be avoided by using a private PAD or a NUI.
Before we go into the details of these, remember that a private PAD is a
different thing than your public access port PAD. A private PAD is a PAD which
automatically assumes all connect charges. So, the reverse charging systems
will let you past the reverse charging, as you agree to accept the charges.
NUI's(Network User Identifiers) work the same way. You can think of a NUI
as .. say a Calling Card. The Calling Card is billed for all the charges made
on it, regardless of who made them; the owner gets the bill. The NUI works the
same way. NUIs are used legitimatly by users willing to accept the connect
charges. But, as hackers are known to do, these NUIs get stolen and used to
call all NUAs all around the world, and the legitimate owner gets the bill.
But unlike CCs, you will usually get away with using a NUI.
However, as you can guess, private PADs and NUIs are fairly hard to come
by. If somebody manages to get ahold of one, they usually won't be willing to
share it. So, it comes down to you; you probably will have to find your own.
PADs are only found by scanning on PSNs, and by hacking onto systems on
PSNs. There are programs on Unix and Primos systems,for example, that serve as
a private PAD. And there are some private PADs that are set up solely for the
purpose of being a private PAD. But, these are almost always passworded, so it
is up to you to get in.
NUIs are somewhat the same thing. NUIs are different from PSN to PSN, some
will tell you if a NUI is wrong, letting you guess one, but others will not.
And of course, you still have to guess the password. I've heard stories of
people carding NUIs, but i'm not sure i quite believe it, and the safety of
such a practice is questionable.
Closed User Groups
------------------
One of the most effective security measures i've ever seen is the CUG
(Closed User Group). The CUG is what generates the 'CALL BLOCKED' message when
scanning on PSNs. A CUG will only accept calls into the DTE from specified
DCE NUAs. Meaning, if your NUA has not been entered into the list of
acceptable NUAs, you won't be allowed to even see the system. However, CUGs
aren't for everybody. If you have a system with many users that all call in
from different points, CUGs are unusable. And a good thing for us. I've never
heard of anyone finding a way past a CUG. I've got a few theories but..
Sprintnet
---------
Now i'll go a bit more into the major US and Canadian PSNs, starting with
the most popular in the States, Sprintnet
To find a public indial port for Sprintnet you may possibly be able to
find it in your telefone book(look under Sprintnet) or by Directory Assistance.
If not, try Sprintnet Customer Service at 1-800-336-0437. This also will
probably only function between 8:30 and 5:00 EST, maybe a bit different.
Also, for a data number for in-dial look ups try 1-800-424-9494 at
communication parameters 7/E/1(or 8/N/1 also i believe). Type <CR> twice
or @D for 2400bps and press enter so Sprintnet can match your communications
parameters. It will display a short herald then a TERMINAL= prompt.
At the TERMINAL= prompt type VT100 for VT100 terminal emulation, if you are
using a personal computer i think D1 works, or just <CR> for dumb terminal.
Then type "c mail", at the username prompt type "phones", and for password
type "phones" again. It is menu driven from there on.
Now that you have your Sprintnet public dial port number, call it up like
you would a BBS, then when it connnects type the two <CR>s for 300/1200bps
or the @D for 2400bps, then it will display its herald, something like:
SPRINTNET(or in some cases TELENET)
123 11A (where 123 is your area code & Sprintnet's address prefix
and 11A is the port you are using)
TERMINAL=(type what you did previously eg:VT100,D1,<ENTER>)
then when Sprintnet displays the @ prompt you know you are connected to
a Sprintnet public PAD and you are ready to enter NUAs.
As i mentioned before, Sprintnet NUA prefixes correspond directly with
Area Codes, so to scan Sprintnet simply take an AC and suffix it with the
remaining digits, usually in sequence. Since Sprintnet ignores 0's, NUAs
can be as small as 4 digits. When scanning, go from lowest to highest,
stopping as soon as it seems NUAs have run dry(take it a hundred NUAs further
to be sure..best to take it right to 2000, maybe higher if you have time).
BT Tymnet
---------
BT Tymnet is owned by British Telecom, and is the biggest PSN by far, but
it does have some extra security.
For finding Tymnet dial-ins the procedure is much the same, look in the
phone book under Tymnet or BT Tymnet, or phone directory assistance and ask
for BT Tymnet Public Dial Port numbers, or you can call Tymnet customer
Service at 1-800-336-0149. Generally try between 8:30 and 5:00 EST. I don't
have the Tymnet data number for finding in-dials, but once you are on Tymnet
type INFORMATION for a complete list of in-dials as well as other things.
Once you have your in-dial number set your communication parameters at
either 8/N/1 or 7/E/1 then dial the number just like you would a BBS. At
connect you will see a string of garbage characters or nothing at all.
Press <CR> so Tymnet can match your communication parameters. You will then
see the Tymnet herald which will look something like this:
-2373-001-
please type your terminal identifier
If it wants a terminal identifier press A(if you want, you can press A
instead of <CR> at connect so it can match your communication parameters and
get your terminal identifer all at once).
After this initial part you will see the prompt:
please log in:
This shows Tymnet is ready for you to enter NUAs. A great deal of the NUAs on
Tymnet are in plain mnemonic format however. To reach these, just enter the
mnemonic you wish, nothing else(ie: CPU or SYSTEM). To enter digital NUAs you
need a NUI though. Tymnet will let you know when a NUI is wrong. Just keep
guessing NUIs and passwords until you find one. BUT, keep in mind, one of the
biggest security features Tymnet has is this: it will kick you off after three
incorrect attempts at anything. Thus, you'll have to call again and again, and
if you are in a digital switching system such as ESS it is not a good idea to
call anywhere an excessive amount of time. So keep it in moderation if you
choose to try Tymnet.
Datapac
-------
I am the most fond of Datapac, because I grew up on it. Nearly all the
hacking i've done to this day was on Datapac or the international PSNs i've
been able to reach through private PADs i've found on Datapac.
To connect to the Datapac network from Canada you will need to dial into
your local Datapac node, which is accessible in most cities via your local
Datapac dial-in number.
There are quite a few ways to find your local Datapac dial-in. It will
usually be in your telephone book under "DATAPAC PUBLIC DIAL PORT". If
not, you could try directory assistance for the same name. Alternatively,
there are a couple phone #'s for finding your dial port(these are also
customer assistance):
1-800-267-6574 (Within Canada)
1-613-781-6798
Also, these numbers function only from 8:30 to 5:00 EST(Eastern Standard
Time).Also, the Datapac Information Service(DIS) at NUA 92100086 has a
complete list of all public dial-ins.
I think you can use both communication parameter settings work, but 8/N/1
(8 data bits, No parity, 1 stop bit) is used most frequently, so set it
initially at that. Some NUA's on Datapac use 7/E/1, change to it if needed
after you are connected to a Datapac dial-in.
Ok,if you have your Datapac 3000 Public Indial number, you've set your
communication parameters at 8/N/1, then you are now set to go. Dial your
indial just like a BBS(duh..) and once connnected:
You will have a blank screen;
Type 3 periods and press RETURN (this is to tell Dpac to initialize itself)
The Datapac herald will flash up stating:
DATAPAC : XXXX XXXX (your in-dial's NUA)
You are now ready to enter commands to Datapac.
Example:
(YOU ENTER) atdt 16046627732
(YOU ENTER) ...
(DATAPAC RESPONDS) DATAPAC : 6710 1071
Now you are all set to enter the NUA for your destination.
NUAs on Datapac must be 8 to 10 digits(not including mnemonics).
8 is standard, but 9 or 10 is possible depending on usage of subaddressing.
NUA prefixes on Datapac are handed out in blocks, meaning they do not
correspond to Area Codes, but by looking at the surrounding prefixes, you can
tell where a prefix is located. When scanning on Datapac, keep in mind most of
the valid NUAs are found in the low numbers, so to sample a prefix go from
(example) 12300001 to 12300200. It is a good idea, however, to scan the prefix
right up until 2000, the choice is yours.
DNIC List
---------
Here is a list of the previous PSN's DNICs, and most of the other DNICs
for PSNs world wide. This was taken from the DIS, with a number of my own
additions that were omitted(the DIS did not include other Canadian or
American PSNs). The extras DNICs came from my own experience and various
BBS lists.
COUNTRY NETWORK DNIC DIRECTION
------- ------- ---- ---------
ANDORRA ANDORPAC 2945 BI-DIR
ANTIGUA AGANET 3443 INCOMING
ARGENTINA ARPAC 7220 BI-DIR
ARPAC 7222 BI-DIR
AUSTRIA DATEX-P 2322 BI-DIR
DATEX-P TTX 2323 BI-DIR
RA 2329 BI-DIR
AUSTRALIA AUSTPAC 5052 BI-DIR
OTC DATA ACCESS 5053 BI-DIR
AZORES TELEPAC 2680 BI-DIR
BAHAMAS BATELCO 3640 BI-DIR
BAHRAIN BAHNET 4263 BI-DIR
BARBADOS IDAS 3423 BI-DIR
BELGIUM DCS 2062 BI-DIR
DCS 2068 BI-DIR
DCS 2069 BI-DIR
BELIZE BTLDATAPAC 7020 BI-DIR
BERMUDA BERMUDANET 3503 BI-DIR
BRAZIL INTERDATA 7240 BI-DIR
RENPAC 7241 BI-DIR
RENPAC 7248 INCOMING
RENPAC 7249 INCOMING
BULGARIA BULPAC 2841 BI-DIR
BURKINA FASO BURKIPAC 6132 BI-DIR
CAMEROON CAMPAC 6242 BI-DIR
CANADA DATAPAC 3020 BI-DIR
GLOBEDAT 3025 BI-DIR
CNCP PACKET NET 3028 BI-DIR
CNCP INFO SWITCH 3029 BI-DIR
CAYMAN ISLANDS IDAS 3463 BI-DIR
CHAD CHADPAC 6222 BI-DIR
CHILE ENTEL 7302 BI-DIR
CHILE-PAC 7303 INCOMING
VTRNET 7305 BI-DIR
ENTEL 7300 INCOMING
CHINA PTELCOM 4600 BI-DIR
COLOMBIA COLDAPAQ 7322 BI-DIR
COSTA RICA RACSAPAC 7120 BI-DIR
RACSAPAC 7122 BI-DIR
RACSAPAC 7128 BI-DIR
RACSAPAC 7129 BI-DIR
CUBA CUBA 2329 BI-DIR
CURACAO DATANET-1 3621 BI-DIR
CYPRUS CYTAPAC 2802 BI-DIR
CYTAPAC 2807 BI-DIR
CYTAPAC 2808 BI-DIR
CYTAPAC 2809 BI-DIR
DENMARK DATAPAK 2382 BI-DIR
DATAPAK 2383 BI-DIR
DJIBOUTI STIPAC 6382 BI-DIR
DOMINICAN REP. UDTS-I 3701 INCOMING
EGYPT ARENTO 6020 BI-DIR
ESTONIA ESTPAC 2506 BI-DIR
FIJI FIJIPAC 5420 BI-DIR
FINLAND DATAPAK 2441 BI-DIR
DATAPAK 2442 BI-DIR
DIGIPAK 2443 BI-DIR
FRANCE TRANSPAC 2080 BI-DIR
NTI 2081 BI-DIR
TRANSPAC 2089 BI-DIR
TRANSPAC 9330 INCOMING
TRANSPAC 9331 INCOMING
TRANSPAC 9332 INCOMING
TRANSPAC 9333 INCOMING
TRANSPAC 9334 INCOMING
TRANSPAC 9335 INCOMING
TRANSPAC 9336 INCOMING
TRANSPAC 9337 INCOMING
TRANSPAC 9338 INCOMING
TRANSPAC 9339 INCOMING
FR ANTILLIES TRANSPAC 2080 BI-DIR
FR GUIANA TRANSPAC 2080 BI-DIR
FR POLYNESIA TOMPAC 5470 BI-DIR
GABON GABONPAC 6282 BI-DIR
GERMANY F.R. DATEX-P 2624 BI-DIR
DATEX-C 2627 BI-DIR
GREECE HELPAK 2022 BI-DIR
HELLASPAC 2023 BI-DIR
GREENLAND KANUPAX 2901 BI-DIR
GUAM LSDS-RCA 5350 BI-DIR
PACNET 5351 BI-DIR
GUATEMALA GUATEL 7040 INCOMING
GUATEL 7043 INCOMING
HONDURAS HONDUTEL 7080 INCOMING
HONDUTEL 7082 BI-DIR
HONDUTEL 7089 BI-DIR
HONG KONG INTELPAK 4542 BI-DIR
DATAPAK 4545 BI-DIR
INET HK 4546 BI-DIR
HUNGARY DATEX-P 2160 BI-DIR
DATEX-P 2161 BI-DIR
ICELAND ICEPAK 2740 BI-DIR
INDIA GPSS 4042 BI-DIR
RABMN 4041 BI-DIR
I-NET 4043 BI-DIR
INDONESIA SKDP 5101 BI-DIR
IRELAND EIRPAC 2721 BI-DIR
EIRPAC 2724 BI-DIR
ISRAEL ISRANET 4251 BI-DIR
ITALY DARDO 2222 BI-DIR
ITAPAC 2227 BI-DIR
IVORY COAST SYTRANPAC 6122 BI-DIR
JAMAICA JAMINTEL 3380 INCOMING
JAPAN GLOBALNET 4400 BI-DIR
DDX 4401 BI-DIR
NIS-NET 4406 BI-DIR
VENUS-P 4408 BI-DIR
VENUS-P 9955 INCOMIMG
VENUS-C 4409 BI-DIR
NI+CI 4410 BI-DIR
KENYA KENPAC 6390 BI-DIR
KOREA REP HINET-P 4500 BI-DIR
DACOM-NET 4501 BI-DIR
DNS 4503 BI-DIR
KUWAIT BAHNET 4263 BI-DIR
LEBANON SODETEL 4155 BI-DIR
LIECHTENSTEIN TELEPAC 2284 BI-DIR
TELEPAC 2289 BI-DIR
LUXEMBOURG LUXPAC 2704 BI-DIR
LUXPAC 2709 BI-DIR
MACAU MACAUPAC 4550 BI-DIR
MADAGASCAR INFOPAC 6460 BI-DIR
MADEIRA TELEPAC 2680 BI-DIR
MALAYSIA MAYPAC 5021 BI-DIR
MAURITIUS MAURIDATA 6170 BI-DIR
MEXICO TELEPAC 3340 BI-DIR
MOROCCO MOROCCO 6040 BI-DIR
MOZAMBIQUE COMPAC 6435 BI-DIR
NETHERLANDS DATANET-1 2040 BI-DIR
DATANET-1 2041 BI-DIR
DABAS 2044 BI-DIR
DATANET-1 2049 BI-DIR
N. MARIANAS PACNET 5351 BI-DIR
NEW CALEDONIA TOMPAC 5460 BI-DIR
NEW ZEALAND PACNET 5301 BI-DIR
NIGER NIGERPAC 6142 BI-DIR
NORWAY DATAPAC TTX 2421 BI-DIR
DATAPAK 2422 BI-DIR
DATAPAC 2423 BI-DIR
PAKISTAN PSDS 4100 BI-DIR
PANAMA INTELPAQ 7141 BI-DIR
INTELPAQ 7142 BI-DIR
PAPUA-NEW GUINEA PANGPAC 5053 BI-DIR
PARAGUAY ANTELPAC 7447 BI-DIR
PERU DICOTEL 7160 BI-DIR
PHILIPPINES CAPWIRE 5150 INCOMING
CAPWIRE 5151 BI-DIR
PGC 5152 BI-DIR
GLOBENET 5154 BI-DIR
ETPI 5156 BI-DIR
POLAND POLAK 2601 BI-DIR
PORTUGAL TELEPAC 2680 BI-DIR
SABD 2682 BI-DIR
PUERTO RICO UDTS 3300 BI-DIR
UDTS 3301 BI-DIR
QATAR DOHPAC 4271 BI-DIR
REUNION (FR) TRANSPAC 2080 BI-DIR
RWANDA RWANDA 6352 BI-DIR
SAN MARINO X-NET 2922 BI-DIR
SAUDI ARABIA ALWASEED 4201 BI-DIR
SENEGAL SENPAC 6081 BI-DIR
SEYCHELLES INFOLINK 6331 BI-DIR
SINGAPORE TELEPAC 5252 BI-DIR
TELEPAC 5258 BI-DIR
SOLOMON ISLANDS DATANET 5400 BI-DIR
SOUTH AFRICA SAPONET 6550 BI-DIR
SAPONET 6551 BI-DIR
SAPONET 6559 BI-DIR
SPAIN TIDA 2141 BI-DIR
IBERPAC 2145 BI-DIR
SRI-LANKA DATANET 4132 BI-DIR
SWEDEN DATAPAK TTX 2401 BI-DIR
DATAPAK-2 2403 BI-DIR
DATAPAK-2 2407 BI-DIR
SWITZERLAND TELEPAC 2284 BI-DIR
TELEPAC 2285 BI-DIR
TELEPAC 2289 BI-DIR
TAIWAN PACNET 4872 BI-DIR
PACNET 4873 BI-DIR
UDAS 4877 BI-DIR
TCHECOSLOVAKA DATEX-P 2301 BI-DIR
THAILAND THAIPAC 5200 BI-DIR
IDAR 5201 BI-DIR
TONGA DATAPAK 5390 BI-DIR
TOGOLESE REP. TOGOPAC 6152 BI-DIR
TORTOLA IDAS 3483 INCOMING
TRINIDAD DATANETT 3745 BI-DIR
TEXTET 3740 BI-DIR
TUNISIA RED25 6050 BI-DIR
TURKEY TURPAC 2862 BI-DIR
TURPAC 2863 BI-DIR
TURKS&CAICOS IDAS 3763 INCOMING
U ARAB EMIRATES EMDAN 4241 BI-DIR
EMDAN 4243 BI-DIR
TEDAS 4310 INCOMING
URUGUAY URUPAC 7482 BI-DIR
URUPAC 7489 BI-DIR
USSR IASNET 2502 BI-DIR
U.S.A. WESTERN UNION 3101 BI-DIR
MCI 3102 BI-DIR
ITT/UDTS 3103 BI-DIR
WUI 3104 BI-DIR
BT-TYMNET 3106 BI-DIR
SPRINTNET 3110 BI-DIR
RCA 3113 BI-DIR
WESTERN UNION 3114 BI-DIR
DATAPAK 3119 BI-DIR
PSTS 3124 BI-DIR
UNINET 3125 BI-DIR
ADP AUTONET 3126 BI-DIR
COMPUSERVE 3132 BI-DIR
AT&T ACCUNET 3134 BI-DIR
FEDEX 3138 BI-DIR
NET EXPRESS 3139 BI-DIR
SNET 3140 BI-DIR
BELL SOUTH 3142 BI-DIR
BELL SOUTH 3143 BI-DIR
NYNEX 3144 BI-DIR
PACIFIC BELL 3145 BI-DIR
SWEST BELL 3146 BI-DIR
U.S. WEST 3147 BI-DIR
CENTEL 3148 BI-DIR
FEDEX 3150 BI-DIR
U.S. VIRGIN I UDTS 3320 BI-DIR
U. KINGDOM IPSS-BTI 2341 BI-DIR
PSS-BT 2342 BI-DIR
GNS-BT 2343 BI-DIR
MERCURY 2350 BI-DIR
MERCURY 2351 BI-DIR
HULL 2352 BI-DIR
VANUATU VIAPAC 5410 BI-DIR
VENEZUELA VENEXPAQ 7342 BI-DIR
YUGOSLAVIA YUGOPAC 2201 BI-DIR
ZIMBABWE ZIMNET 6484 BI-DIR
SYSTEM PENETRATION
==================
------------------
Ok, now that you've hopefully found some systems, you are going to need to
know how to identify and, with any luck, get in these newfound delights.
What follows is a list of as many common systems as i could find. The
accounts listed along with it are not, per say, 'defaults'. There are very
few actual defaults. These are 'common accounts', in that it is likely that
many of these will be present. So, try them all, you might get lucky.
The list of common accounts will never be complete, but mine is fairly
close. I've hacked into an incredible amount of systems, and because of this
I've been able to gather a fairly extensive list of common accounts.
Where I left the password space blank, just try the username(and anything
else you want), as there are no common passwords other than the username
itself.
And also, in the password space I never included the username as a
password, as it is a given in every case that you will try it.
And remember, passwords given are just guidelines, try what you want.
UNIX- Unix is one of the most widespread Operating Systems in the
world; if you scan a PSN, chances are you'll find a number of
Unixes, doesn't matter where in the world the PSN resides.
The default login prompt for a unix system is 'login', and
while that cannot be changed, additional characters might
be added to preface 'login', such as 'rsflogin:'. Hit <CR> a
few times and it should disappear.
Because UNIX is a non-proprietary software, there are many
variants of it, such as Xenix, SCO, SunOS, BSD, etc.., but
the OS stays pretty much the same.
As a rule, usernames are in lowercase only, as are passwords,
but Unix is case sensitive so you might want to experiment if
you aren't getting any luck.
You are generally allowed 4 attempts at a login/password, but
this can be increased or decreased at the sysadmins whim.
Unfortunely, UNIX does not let you know when the username
you have entered is incorrect.
UNIX informs the user of when the last bad login attempt was
made, but nothing more. However, the sysadmin can keep logs
and audit trails if he so wishes, so watch out.
When inside a UNIX, type 'cat /etc/passwd'. This will give
you the list of usernames, and the encrypted passwords.
The command 'who' gives a list of users online.
'Learn' and 'man' bring up help facilities.
Once inside, you will standardly receive the prompt $ or %
for regular users, or # for superusers.
The root account is the superuser, and thus the password
could be anything, and is probably well protected. I left
this blank, it is up to you. There won't be any common
passwords for root.
COMMON ACCOUNTS:
Username Password
-------- --------
root
daemon
adm admin, sysadm, sysadmin, operator, manager
uucp
bin
sys
123 lotus, lotus123
adduser
admin adm,sysadm,sysadmin,operator,manager
anon anonymous
anonuucp anon, uucp, nuucp
anonymous anon
asg device devadmin
audit
auth
backappl
backup save, tar
batch
bbx
bupsched
cbm
cbmtest
checkfsys
control
cron
csr support, custsup
dbcat database, catalog
default user, guest
demo tour, guest
dev
devel
devshp
diag sysdiag, sysdiags, diags, test
diags diag, sysdiag, sysdiags
dialup
dos
fax
field fld, service, support, test
filepro
finger
fms
friend guest, visitor
games
general
gp
gsa
guest visitor, demo, friend, tour
help
host
hpdb
info
informix database
ingres database
inquiry
install
journal
journals
kcml
learn
lib library, syslib
link
listen
lp print spooler lpadmin
lpadmin lp, adm, admin
lpd
ls
mail
maint sysmaint, service
makefsys
man
manager mgr, man, sysmgr, sysman, operator
mdf
menu
mountfsys
ncrm ncr
net network
netinst inst, install, net, network
netman net, man, manager, mgr, netmgr, network
netmgr net, man, manager, mgr, netmgr, network
network net
newconv
news
nobody anon
nuucp anon
oasys oa
odt opendesktop
online
openmail mail
oper operator,manager,adm,admin,sysadmin,mgr
operator sysop, oper, manager
opp
oracle database
oraclev5 oracle, database
oradev oracle
pcs
pcsloc
pctest
postmaster mail
powerdown shutdown
priv private
prod
pub public
public pub
reboot
remote
report
rha
rje
rsm
rsmadm rsm, adm, admin
rusr
sales
sas
save backup
savep
service field, support
setup
shutdown
smtp mail
softwork
space
startup
su
sundiag sysdiag, diag, diags, sysdiags
suoper su, oper, operator
super supervisor, manager, operator
support field, service
sync
sysadm adm, admin, operator, manager
sysdiag diag, diags, sysdiags
sysinfo info
sysmaint maint, service
sysman manager,mgr,man,admin,operator,sysadmin
sysmgr manager,mgr,man,admin,operator,sysadmin
system sys, unix, shell, syslib, lib, operator
systest test, tester, testuser, user
test tester, testuser, systest, user
tester test, user, testuser
testuser test, tester, user, systest
tftp
tour demo, guest, user, visitor
transfer
tty
tutor
tutorial
umountfsys
unix
unixmail mail, unix
user guest, demo
userp user
usr user
usrlimit
utest
uucpadm adm, admin, uucp
uuadm uucp, adm
uuadmin uucp, admin
uuhost uucp, host
uulog uucp, log
uunx uucp
uupick uucp, pick
uustat uucp, stat
uuto uucp, to
uux uucp
va
vashell
vax
visitor guest, friend, demo, tour
vlsi
vmsys vm, face
vsifax
who
wp
wp51
x25 pad
x25test test
x400
VMS- DEC's Virtual Memory System commonly runs on VAX computers.
It is another very widespread system, with many users world
wide.
VMS will have a 'Username:' prompt, and to be sure just type
in a ',' for a username. A VMS will throw back an error
message on special delimeters.
You will standardly get 3 and only three login attempts, and
VMS is not kind enough to let you know when you have entered
an incorrect username.
Once inside you will find yourself at a $ prompt.
COMMON ACCOUNTS:
Username Password
-------- --------
systest uetp,test
system manager,operator,sys,syslib
guest visitor, demo
visitor guest, demo
link
mail
opervax operator, vax
pfmuser pfm, user
priv private
mbwatch watch, mb
netcon net, network
netmgr net, manager, mgr, operator
default default,user
postmaster mail
demo guest
field field, service, support, test, digital
games
ingres database
help
uetp
userp user
host
netpriv network, private, priv, net
mailer mail
user test, guest, demo
mbmanager mb, manager, mgr, man
student
netserver
info
suggest suggest
network net
sysmaint sysmaint, maint, service, digital
operations operations
systest_clig systest, test
teledemo demo
newingres ingres
sys
news
operator oper, manager, mgr, admin,
dec
report
decmail mail
decnet
test testuser, tester
rje remote, job, entry
vax
vms
backup
dcl
dsmmanager dsm, manager
oracle
dsmuser dsm, user
HP3000- HP3000 mainframes run the MPE series of operating systems,
such as MPE, V, ix, X, and XL.
The default login prompt is ':', but this can be prefaced
with characters(ie: 'mentor:') and in some cases the ':' may
be taken completely away (ie: 'mentor'). To check for a
HP3000, hit a <CR>, you will get an error message such as this;
EXPECTED HELLO, :JOB, :DATA, OR (CMD) AS LOGON. (CIERR 1402)
To login type 'hello', followed by the login information,
which is in this format: USER.ACCOUNT,GROUP.
The group is optional, but may be needed in some cases, and
can give you different file sets and the sort.
A great thing about HP3000's is they tell you exactly what
is incorrect about the login name you've supplied them,
be it the account is valid but the username is wrong, or the
other way around.
But unfortunely, if the system operators choose, they may
password ALL of the login name segments; username, account
and group.
The internal prompt for MPE's is, again, :.
'Help' will give you help when inside a HP3000.
When entering accounts, i'd suggest not to use a group at
first. If you receive the error message 'not in home group',
then try the group PUB, then if even that fails, move on to
the common group list.
I didn't list passwords along with the accounts, as it would
be a bit of an awkward format, because of MPE's awkward
format. The only manufacturer's default I know of is HPONLY,
be sure to give that a try. Just remember to try the various
parts of the account as a password, and anything else along
those lines.
If you need a password for the following user.accounts &
groups, try the various parts of the name plus any
combinations of it or names with obvious links to it(ie:
field=service).
COMMON ACCOUNTS:
Username.Account
----------------
operator.sys
mgr.cognos
manager.sys
mgr.sys
mgr.telesup
mgr.backup
mgr.hpoffice
manager.itf3000
mgr.rje
field.support
operator.cognos
rsbcmon.sys
mgr.ccc
mail.mail
mgr.hpword
manager.cognos
x400fer.hpoffice
x400xfer.hpoffice
openmail.hpoffice
mgr.tech
mgr.word
operator.support
operator.syslib
mgr.3000evs
mgr.vecsl
mgr.netbase
operator.disc
mgr.common
mgr.techxl
mgr.hponly
exploit.sys
mgr.xlserver
mgr.conv
sysrpt.syslib
spoolman.hpoffice
mgr.prod
mgr.softrep
field.xlserver
mgr.cnas
pcuser.sys
mgr.support
operator.netware
spool.ccc
mgr.infosys
mgr.cslxl
operator.system
mgr.speedwre
mgr.tellx
monitor.tellx
field.hpp187
mgr.company
manager.security
mgr.security
field.telesup
mgr.hpp189
mgr.telamon
mgr.remacct
mailtrck.hpoffice
mailman.hpoffice
mgr.hppl85
mgr.hppl87
mgr.hppl89
mgr.hppl96
mgr.spool
mailroom.hpoffice
field.hpword
mgr.hpdesk
field.hpncs
deskmon.hpoffice
mgr.acct
mgr.demo
pcuser.hpoffice
manager.hpoffice
mgr.intx3
mgr.extend
wp.hpoffice
mgr.netware
mgr.sldemo
mgr.orbit
advmail.hpoffice
manager.vesoft
mgr.rego
mgr.hplanmgr
mgr.hpskts
mgr.hpspool
mgr.hq
dpcont.hq
mgr.corp
mgr.easy
mgr.easydev
mgr.sysmgr
mgr.conv
mgr.hpncs
mgr.hpoptmgt
mgr.hpx11
mgr.indhpe
mgr.snads
mgr.hpp187
manager.tch
mgr.opt
mgr.vesoft
mgr.xpress
sys.telesup
mgr.hpp196
mail.hpoffice
mgr.utility
COMMON GROUPS:
admin
advmail
ask
brwexec
brwonlne
brwspec
bspadmin
bspdata
bspinstx
bsptools
catbin1
catbin2
catlib
classes
config
console
convert
creator
curator
currarc
current
dat
data
database
delivery
deskmon
devices
diadb
diag
diafile
diaipc
doc
docxl
document
dsg
easy
ems
emskit
example
examples
ezchart
galpics
graphics
hold
hpaccss
hpadvlk
hpadvml
hpdesk
hpdraw
hpecm
hpemm
hpenv
hpgal
hphpbkp
hplibry
hplist
hplt123
hpmail
hpmap
hpmenu
hpprofs
hpsw
hptelex
ibmpam
idl
idlc
idpxl
include
infoxl
instx
internal
itpxl
job
lib
libipc
library
mailconf
maildb
mailhelp
mailjob
maillib
mailserv
mailstat
mailtell
mailxeq
mediamgr
memo
memory
mgr
mmgrdata
mmgrxfer
mmordata
mmorxfer
monitor
mpexl
ndfiles
ndports
net
network
nwoconf
office
oldmail
oper
operator
out
pascalc
patchxl
pcbkp
ppcdict
ppcsave
ppcutil
prntmate
prog
prvxl
pub
pubxl
qedit
ref
request
restore
sample
sbase
sfiles
signal
sleeper
snax25
sql
sruntime
subfile
suprvisr
sx
sys
sysmgr
sysvol
tdpdata
telex
telexjob
text
tfm
ti
tools
transmit
user
users
validate
viewlib
visicalc
wp
wp3
x400data
x400db
x400fer
x400file
xspool
VM/CMS- The VM/CMS Operating System is found on IBM mainframes, and
while there are quite a few out there, they are commonly left
alone by hackers who prefer Unix or VMS.
VM/CMS systems are commonly found gated off Sim3278 VTAMs and
ISM systems as well.
The login prompt for CMS is '.', but additional information
might be given before the prompt, such as;
Virtual Machine/System Product
!
.
or;
VM/370
!
.
and frequently over to the side;
LOGON userid
DIAL userid
MSG userid message
LOGOFF
but they all represent a VM/CMS system.
To logon, type 'logon' followed by the username, which is
usually 1 to 8 characters in length.
To be sure it is a CMS, type 'logon' followed by some random
garbage. If it is a VM/CMS, it will reply;
Userid not in CP directory
This is one of the great things about CMS, it tells you if
the login ID you entered is incorrect, thus making the
finding of valid ones fairly easy.
One thing to watch out for.. if you attempt brute forcing
some systems will simply shut the account or even the login
facility for some time. If that is the case, find out the
limit and stay just underneath it.. drop carrier or clear the
circuit if necessary, but if you continually shut down the
login facilities you will raise a few eyebrows before you
even make it inside.
Once inside, typing 'help' will get you a moderate online
manual.
COMMON ACCOUNTS
Username Password
-------- --------
operator op, operatns, manager, admin
autolog1 autolog
autolog2 autolog
operatns op, operator, manager, admin
cmsbatch cms, batch, batch1
dirmaint dirmaint1
vmtest test, testuser
cmsuser cms, user
maildel
erep
gcs
ivpm1
gcsrecon
ivpm2
maint service
cpms
cms
sna
oltsep
opbackup backup
vsm
tdisk
sysckp
cpnuc
direct
sysdump1 sysdump
tsafvm
vsemaint maint
vseipo
router
ap2svp
$aloc$
temp
savsys
syserr
syswrm
apl2pp
vmassys
vmasmon
vastest test
batch1 batch
batch2 batch
datamove
sfcntrl
fsftask1
fsftask2
iips
admin operator, manager, adm, sysadmin, sysadm
diskcnt
cprm
pdm470
entty
inoutmgr mgr, manager
pssnews news
op1
vmutil util, utils
x400x25
infm-mgr infm, man, manager, mgr
ipfserv
vm3812
batc
netview network, view, net
prodbm prod
ipfappl
psfmaint maint
formplus
botinstl
mailman
presdbm dbm
promail
cspuser user, csp
fsfadmin fsf, adm, sysadmin, sysadm, admin, fsfadm
alertvm alert
vmmap map
sysadmin admin, adm, sysadm, manager, operator
sfcm1 sfcm
pdmremi
pvm
rscs
ispvm
rscsv2
smart
vmtlibr
cview
vtam
procal
sqldba
vtamuser user, vtam
sqlusre user, sql
vmarch
idms
peng
vmbackup backup
sim3278
opserver
syncrony
vmbsysad
demo1 demo
demo2 demo
vmtape tape
vseman
moeserv
ccc
idmsse
PRIMOS- Run on the Prime company's mainframes, the Primos Operating
System is in fairly wide use, and is commonly found on
Packet-Switched Networks worldwide.
Upon connect you will get a header somewhat like
PRIMENET 23.3.0 INTENG
This informs you that it is indeed a Primos computer, the
version number, and the system identifier the owner picked,
which is usually the company name or the city the Primos is
located in. If you find a Primos on a network, you will
receive the Primenet header, but if it is outside of a
network, the header may be different(ie:Primecon).
Hit a number of <CR>'s, and Primos will throw you the login
prompt 'ER!'.
At this point, type 'login' followed by your
username.
If hitting <CR>'s did not provoke an 'ER!', then type 'login'
followed by your username.
If you are blessed and you find some stone age company
running 18.0.0 or below, you are guaranteed access.
Just find a username and there will be no password prompt.
If for some reason passwording exists, a a few control-C's
should drop you in.
Unfortunely, Primos almost always allows one and one attempt
only at a username/password combination before it kicks you
off, and Primos will not tell you if the ID you've entered is
invalid.
Once you are inside, you will find yourself at the prompt
'OK'.
'help' brings up a so-so online help guide.
COMMON ACCOUNTS
Username Password
-------- --------
backup
backup_terminal
batch_service
batch
bootrun
cmdnc0
demo
diag
dos
dsmsr dsm
dsm_logger dsm
fam
games
guest
guest1 guest
lib
libraries
login_server
mail
mailer
netlink net, primenet
netman manager, man, mgr, netmgr
network_mgt netmgt
network_server server
prime primos, system
primenet net, netlink
primos prime, system
primos_cs primos, prime, system
regist
rje
spool
spoolbin spool
syscol
sysovl
system prime, primos, sys1, operator
system_debug
system_manager
tcpip_manager
tele
test
timer_progress
tools
TOPS-10/20 An older and somewhat rare operating system, TOPS-10 ran on
the DEC-10/20 machines. You can usually recognize a TOPS-10 by
its' prompt, a lone period '.', while a TOPS-20 will have a
'@' in its place. Most systems allow you to enter the commands
'SYSTAT' or 'FINGER' from the login prompt, before logging in.
This command will let you see the users online, a valuable aide
in hacking.
To login, type 'login xxx,yyy', where the x and y's are
digits.
TOPS-10 does let you know when your username is incorrect.
COMMON ACCOUNTS
User ID Code Password
------------ --------
1,2 OPERATOR, MANAGER, ADMIN, SYSLIB, LIB
2,7 MAINT, MAINTAIN, SYSMAINT
5,30 GAMES
IRIS- Unfortunely, i have no experience with IRIS whatsoever. To
this day i haven't even seen one. So with regret i must
present old material, the following info comes entirely from
the LOD/H Technical Journal #3. Hopefully it will still be
applicable.
The IRIS Operating System used to run soley on PDP systems,
but now runs on many various machines.
IRIS will commonly present itself with a herald such as;
"Welcome to IRIS R9.1.4 timesharing"
And then an "ACCOUNT ID?" prompt.
IRIS is kind enough to tell you when you enter an incorrect
ID, it won't kick you off after too many attempts, and no
logs are kept. And strangely enough, passwords are not used!
So if you can find yourself an IRIS OS, try the following
defaults and you should drop in..
COMMON ACCOUNTS
Username
--------
manager
boss
software
demo
pdp8
pdp11
accounting
NOS- The NOS(Network Operating System) is found on Cyber
mainframes made by CDC(the Control Data Corporation).
Cyber machines are commonly run by institutions such as
universities and atomic research facilities.
Cybers will usually give a herald of some sort, such as
Sheridan Park Cyber 180-830 Computer System
or
Sacremento Cyber 180-830 CSUS NOS Software System
The first login prompt will be 'FAMILY:', just hit <CR>.
The next prompt is 'USER NAME:'. This is more difficult,
usually 7 characters. The password is even worse,
commonly 7 random letters. Sound bad? It is. Brute forcing
an account is next to impossible.
I've never seen these defaults work, but they are better than
nothing. I got them out of the LOD/H Novice's Guide to
Hacking, written by the Mentor. There are no known passwords
for these usernames.
COMMON ACCOUNTS
Username
--------
$SYSTEM
SYSTEMV
Decserver- The Decserver, is as the name implies, a server made by the
Digital Equipment Corporation, the same company that makes
the VAX machines.
It is possible the owner of the server put a password on it,
if this is the case you will hit a '#' prompt. If the server
has PADs or outdials on it, you can bet this is the case.
You don't need a username, just the password. You will
commonly get 3 tries, but it can be modified.
Good things to try are ; server, dec, network, net
(and whatever else goes along with that)
If you get past the #, or there isn't one, you will hit the
prompt 'Enter Username>'. What you put really doesn't matter,
it is just an identifier. Put something normal sounding, and
not your hacker alias. It is actually interesting to look at
the users online at a Decserver, as commonly there will be a few users
with the username 'C' or 'CCC' or the like, usually meaning
they are probably a fellow hacker.
Also, at the Enter Username> prompt you are able to ask for
help with the 'help' command, which spews out fairly lengthly
logon help file.
If all went well you should end up at a 'Local>' prompt.
Decservers have a fairly nice set of help files, simply type
'help' and read all you want.
It is a good idea to do a 'show users' when you first logon,
and next do a 'show services' and 'show nodes'. The services
are computers hooked up to the Decserver, which you can
access. For obvious reasons you will often find many VAX/VMS
systems on Decservers, but pretty much anything can be found
Look for services titled 'Dial', 'Modem', 'PAD', 'X25',
'Network', or anthing like that. Try pretty much everything
you see. Remember to try the usernames you see when you do
a 'show users' as users for the systems online.
Also, you will sometimes find your Decserver has Internet
(Telnet, SLIP or FTP) access, make sure you make full use of
this.
To connect to the services you see, use 'c XXXX', where the
X's represent the service name.
GS/1> GS/1's are another server type system, but they are less
common than the Decservers. The default prompt is 'GS/1>',
but this can be changed to the sysadmins liking.
To check for a GS/1, do a 'sh d', which will print out some
statistics.
To find what systems are available from the server, type
'sh n' or a 'sh c', and a 'sh m' for the system macros.
XMUX> The XMUX is a multiplexing system that provides remote
access, made by Gandalf Technologies, Inc., Gandalf of Canada
Ltd. in Canada. As far as I can tell, the XMUX is used only on
Packet-Switched Networks, Datapac in particular but with usage
on PSNs world wide.
The XMUX is not usually thought of as a stand alone system,
but as a supportive system for multi-user networked systems,
having a bit to do with system monitoring, channel control,
and some of the features of multiplexing.
Thus, you'll commonly find a XMUX on a mnemonic or a
subaddress of another system, although you will find them
alone on their own NUA frequently as well.
To find the systems on a subaddress or a mnemonic, your best
bet is to go with mnemonics, as the LOGGER mnemonic cannot be
removed, while subaddressing is optional.
You won't always want to check every single system, so i'll
give a guideline of where to check;
(REMINDER: this is only for systems on PSNs, and may not
apply to your PSN)
- PACX/ : The PACX/Starmaster is also made by
Starmaster Gandalf, and the two are tightly
Systems interwoven. If mnemonics don't work, be
sure to try LCNs, as the CONSOLE on a
PACX/Starmaster is an entirely different
thing, and frequently using the mnemonic
CONSOLE will bring you to the PACX
console, not the XMUX console.
- BBS Systems : BBS Systems on PSNs frequently need some
help, and XMUXs are fairly commonly
found with them.
- Other misc. : Many of the other operating systems,
systems such as Unix, AOS/VS, Pick and HP3000
have the occasional XMUX along with it.
- Networked : A good portion of networked systems have
systems XMUXs.
If a system does have a XMUX also, you can reach it almost
always by the mnemonic CONSOLE, and if not, the node name of
the XMUX. If that doesn't work, try LCNs up to and including
15.
Occasionally the console of the XMUX will be unpassworded, in
which case you will drop straight into the console. The XMUX
console is self-explanatory and menued, so i will leave you
to explore it.
However, in all likeliness you will find yourself at the
password prompt, 'Password >'. This can not be modified, but
a one-line herald may be put above it.
To check for a XMUX, simply hit <CR>. It will tell you that
the password was invalid, and it must be 1 to 8 alphanumeric
characters.
As you can see, you do not need a username for the remote
console of a XMUX. UIDs are used, but internally within the
workstation.
As it says, the password format is 1 to 8 alphanumeric
characters. There is no default password, the console is left
unprotected unless the owner decides to password it.
However, there are common passwords. They are;
console, gandalf, xmux, system, password, sys, mux xmux1
I'll repeat them in the common passwords again later.
But these will not always work, as it is up to the owner to
pick the password(although they do like those).
Your next best bet is to find out the node name of the XMUX
(XMUXs are polling systems as well, usually hooked up somehow
to one of the regional hubs).
To do this, you must understand the parts of the XMUX.
The XMUX has 4 default parts; the CONSOLE, the FOX, the
LOGGER, and the MACHINE.
I'll try and define the usage of them a bit more;
CONSOLE- the main remote part of the XMUX, which performs all
the maintenance functions and system maintenance.
the actual system.
reachable usually on the LCN(subaddress) of 0 or
4/5, and the default mnemonic CONSOLE, which can be
changed.
FOX - a test system, which runs through never ending lines
of the alphabet and digits 0-9.
reachable on the LCN of 1, mnemonic FOX.
LOGGER - a device which displays log information, usually
one or two lines, including the node name.
reachable on the LCN of 2, mnemonic LOGGER.
MACHINE- a system which i do not yet understand fully.
performs some interesting functions.
the prompt is '#'.
type 'S' and you will(always) receive a short/long
(depending on how much the system is used) system
status report, containing among other things the
system node name.
if active, typing 'L' will bring up a more complete
system log. This is VERY useful. It contains the
NUAs of the systems which called the XMUX, and it
contains the UIDs if used.
As you can see, the XMUX is rather complicated upon
first look, but it is actually fairly simple. The easiest
way to grab the node name is to call the LOGGER.
The logger MUST be present, always. It is a non-removable
default. The LCN may be removed, but the mnemonic must stay.
I explained mnemonics earlier, but i'll refresh your memory.
To use the mnemonic, simply type the NUA, followed by a comma
and then the mnemonic, ie;
12300456,LOGGER
The very first thing in the data string you see is the node
name. If it is a blank space, you have run across a rarity,
a XMUX without a node name.
The node name is THE most popular thing other than the other
common passwords.
Try combinations of it, and combinations of it along with
the words XMUX and MUX.
And of course, if a herald is used, use whatever you can find
in the herald.
But again, if it is a company, they love to use the company
name or acronym as a password, and that acronym or name will
often be the node name.
Ok, have fun..
COMMON ACCOUNTS
Console Passwords
-----------------
CONSOLE
XMUX
GANDALF
SYSTEM
PASSWORD
MUX
XMUX1
SYS
(node name)
One other thing. I did not include the profile or remote
profile names, or the UIDs, as they are as far as i know
inapplicable from remote.
And a final comment. XMUXs are powerful and potentially
extremely harmful to a network. DO NOT DELETE ANYTHING. The
only submenus you will have reason to access are 'DEFINE' and
'DISPLAY'. Don't boot people off channels or add console
passwording or remove profiles..you will end up with your ass
in jail. Taking down a network is less than funny to the
people that run it. Explore, don't harm.
STARMASTER> The Starmaster/PACX 2000 is still a somewhat mysterious
/PACX system, but i have now explored all the security barriers as
well as the network and the internal functions, so i feel
this is fairly complete.
The Starmaster/PACX system is a networking/server system made
by, again, Gandalf Technologies Inc., Gandalf of Canada Ltd.,
in Canada, and is also known informally (and some what
incorrectly) as the 'Gandalf Access Server.' The Access is
similar, but different, as described later.
It is a fairly popular system on Datapac, and has some usage
in other regions of the world. Again, it is used mainly
on Packet-Switched Networks, although, thanks to the dialing
directory of a Sam24V outdial on a Starmaster, I have
discovered that Starmasters do indeed have dialin access.
The first possible security barrier is the dialin password,
which is rarely used, but you should know about.
The prompt is usually ;
DIALIN PASSWORD?
But can be changed, although it should remain similar.
Dialin passwords are 1 to 8 characters, and are usually
one of the following defaults;
GANDALF SERVER PACX NET NETWORK STARMAST DIALIN PASSWORD
ACCESS
If the Starmaster has a XMUX resident(explained in previous
system definition; XMUXs), find out the node name and try it.
The next possible security barrier is that the sysadmin
desires the users to enter a username/password before
entering the server.
You will find yourself at a prompt such as;
USERNAME?
This is the most common prompt.
Usernames are 1 to 8 characters, and the Starmaster will let
you know if it is wrong or not with an error message such as;
INCORRECT USERNAME
or
INVALID RESPONSE
This, like the username prompt, can be changed, but it will
usually be in all-caps.
You are allowed between 1 and 10 attempts at either a valid
username or a valid password, depending on the owners
preference.
This means(if it is set to ten tries) you can enter 9 invalid
usernames, and on the tenth enter a valid username, then have
10 attempts at a valid password.
The defaults for this(which i will list later also) prompt
are; TEST, TESTUSER, TESTER, GANDALF, SYSTEM, GUEST
USER, HP, CONSOLE, and finally OPERATOR.
Also, first names will work usually.
The next prompt you will face, or the first one if usernames
are not implemented, is the server prompt. This is the main
user prompt for a Starmaster, all major user commands are
used from here.
But as you can guess, commands aren't used really, it is
service names you desire.
Sometimes you will get a list upon entering the server, but
other times you will just hit the server prompt, which
usually looks something like;
SERVICE?
or
CLASS?
or even
service?
or
class?
or
service
Or whatever the sysadmin feels like. 'SERVICE?' is the
default, and the most common.
Keep in mind that the services CAN be passworded, but
rarely are. In the case of passwording, use your imagination.
Another thing; from the PACX console, where the services are
defined, there is an option which decides whether the service
is allowed for remote users. If this is set to NO, then you
are out of luck, you have to be in the workstation to use the
command. This is common for the CONSOLE and the MAIL, and
occasionally modems and PADs. You will get an error message
something like 'SERVICE NOT ALLOWED'.
I will give a more complete list of common services, but
I will list the defaults and the major ones now.
PAD, X25, X28- Will commonly take you to a Gandalf PAD,
(or name of for which the default prompt is '*'.
your PSN) 'HELP' will bring up a list of commands.
MAIL - A non-removable default, but i've never
seen it with the remote access flag in the
ON position.
CONNECT - Another non-removable default which i have
never seen with the remote access flag in
the on position.
MODEM, DIAL - And variations therof. The common outdial
is the Gandalf made Sam24V, which comes with
a great set of help files.
CONSOLE - The motherlode. The system controller,
maintenance computer, test machine, and
all of that. DON'T confuse the PACX console
with the XMUX console, they are two very
different things.
The console should be protected by the
sysadmin with his/her life, as every faction
of the Starmaster is controlled from within
the Console.
The CONSOLE is a non-removable service from
the server, BUT remote access can be removed
thus cutting off our means of getting to it.
Try it first, if it works the screen will
scroll down a number of lines and give this
herald/prompt;
GANDALF TECHNOLOGIES INCORPORATED, COPYRIGHT 1990
OPERATOR NAME?
This is not changable, it will remain the
same except for possibly the copyright date.
There can be 8 operators at the most, and
they will have 1 to 8 characters in their
name and password. And again, the PACX will
tell you if your operator name is incorrect.
You will be allowed 1 to 10 attempts at the
login name and then it resets to 0 for the
password attempt when you've found an
operator name, but same limit.
The same defaults for the usernames work
here, if you are lucky, with the exception
of HP. I'll list them again at the end.
Once you get in, it is all menued and
explanatory. DON'T FUCK THINGS UP. By that
I mean deleting or modifying. Look. There
is MUCH to see. The PACX console is
incredibly powerful, and you will have much
more fun exploring it.
Besides, once you are in the console, the
game is over. You have control over all the
services, users, and all security barriers.
If you get a high level console account,
you are the God of the PACX, no joke.
COMMON ACCOUNTS
Usernames Passwords
--------- ---------
TEST TEST, TESTUSER, USER, TESTER
TESTUSER TEST, TESTUSER, USER, TESTER
TESTER TEST, TESTUSER, USER, TESTER
GANDALF GANDALF, SYSTEM, PACX, STARMAST, SYS
GUEST GUEST, VISITOR, USER
SYSTEM SYSTEM, SYS, OPERATOR, PACX, SYS, GANDALF
HP HP
USER USER, GUEST, TEST, VISITOR, GANDALF
OPERATOR OPERATOR, SYSTEM, SYSLIB, LIB, GANDALF
CONSOLE CONSOLE, PACX, GANDALF, OPERATOR, SYSTEM
(i've never seen an account such as MAINT, but i would guess
one exists, along with standard system defaults. Try
anything outside these lines)
Services
--------
CONSOLE
MAIL
CONNECT
HELP
PAD
X25
X28
DIAL
MODEM
OUT
DIALOUT
OUTDIAL
INTERNET
NET
NETWORK
TELNET
FTP
SERVER
VAX
VMS
UNIX
HP
SYSTEM
1 (if it works; higher)
A (through Z)
10 (if it works; higher in sequence of tens)
MENU
SYS
LIB
LIBRARY
FILES
DATABASE
GATEWAY
TYMNET
DATAPAC
XCON
XMUX
MUX
SALES
PROD
BBS
CLUSTER
PACX12
PACX24
PACX96
LOOP
GEAC
And anything else you can think of.
First names are also fairly common.
Operator Name Password
------------- --------
TEST TEST, TESTUSER, USER, TESTER
TESTUSER TEST, TESTUSER, USER, TESTER
TESTER TEST, TESTUSER, USER, TESTER
GANDALF GANDALF, SYSTEM, PACX, CONSOLE, SYS
GUEST GUEST, VISITOR, USER
SYSTEM SYSTEM, SYS, OPERATOR, PACX, SYS, GANDALF
CONSOLE
USER USER, GUEST, TEST, VISITOR, GANDALF
OPERATOR OPERATOR, SYSTEM, CONSOLE, GANDALF
CONSOLE CONSOLE, PACX, GANDALF, OPERATOR, SYSTEM
SYS SYS, SYSTEM, GANDALF, PACX, CONSOLE
And again, try first names and ANYTHING you can think of.
Getting into the console should be your main objective.
ACCESS2590- The Access2590 is another Gandalf creation. While it is a
server system, it is different in some respects to a PACX.
The Starmaster generally only connects computers on a local
or wide area network(they do connect to X.25 & IP addresses,
but they *usually* don't), while the Access 2590 connects
to local & wide area network services, X.25 address, and IP
addresses with suprising versatility. The PACX is, however,
in much wider distribution.
It will usually have an initial herald screen, often letting
you know that it is indeed an Access server made by Gandalf.
Then you will find yourself at a prompt, the default being
"Access 2590 >". I haven't seen any sort of initial
protection before you hit that prompt, but i'm betting it
does exist, and it probably goes along the lines of the PACX.
Follow the trend I set with the PACX and you should do fine.
Anyways, the one thing I like so much more about the Access
2590 compared to the Starmaster is the command "show symbols"
. That was one of the big problems from a hacking point of
view with the PACX; it doesn't have a command available to
show you the services. If the operator wanted to give you
help with services he had to take the initiative himself and
design a herald screen or implement a help service, and few
do. But the "show symbols" on an Access will give you a
listing of all the available "symbols", which is Gandalf's
term for services. Connect to them with "c xxx" where "xxx"
is of course the service.
And yes, to you eager folks who have tasted the PACX
console's power, the Access does have a console. Type "c
console" to get to it.
Follow the PACX's guidelines, and you'll do fine.
PICK- The PICK system was created by Dick Pick(no joke), and is
a fairly widespread system, there are a few of them out there
on the major PSNs. I really dislike PICK, but for those of
you wishing to try it yourself, it is a fairly easy hack.
A normal PICK login prompt looks somewhat like;
07 JUN 1993 04:00:21 Logon please:
Additional data can be entered in that line, and a header
may be used above that. However, PICKs are usually
recognizable by that logon prompt which will normally
contain the date and time, as well as the 'Logon please:'.
If you aren't sure, enter the username 'SYSPROG', in ALL CAPS
, as PICK is case sensitive and SYSPROG will be in capitals.
SYSPROG is the superuser(or as PICK calls it the 'Ultimate
User') and is similar to root on a Unix; it must be present.
PICK lets you know when you've entered an invalid Username,
which is helpful when finding valid accounts.
Experiment with the upper and lower case if you wish, but
upper case is the norm.
One last note, internal passwording is possible on the PICK,
so don't be too suprised if you think you've found an
unpassworded system only to be hit by a password before the
internal prompt.
COMMON ACCOUNTS
Usernames Passwords
--------- ---------
1
ACC
ACCT
ACCTNAME
ACCUMATH
ACCUPLOT
ACCUPLOT-DEMO ACCUPLOT, DEMO
ARCHIVE
AUDITOR
AUDITORS
BACKUP
BATCH
BLOCK-CONVERT
BLOCK-PRINT
COLDSTART
COMBINATION
COMM
COMTEST
CPA
CPA.DOC CPA, DOC
CPA.PROD CPA, PROD
DEMO
DA
DCG
DM DATA, MANAGER, MAN, MGR, DATAMGR, DATAMAN
DOS
ERRMSG
EXCEPTIONAL
EXECUTE-CONTROL
EXPRESS.BATCH EXPRESS, BATCH
FILE-SAVE FILESAVE, SAVE
FINANCE
FLUSHER
FMS
FMS.PROD FMS, PROD
GAMES
GAMES.DOS GAMES
INSTANT
INSTANT.DOS INSTANT
JOB
KILL
LEARN
LEARN.DLR LEARN, DLR, LEARNDLR
LOGON
LOTUS
LOTUS.DOS LOTUS
MAIL.BOX MAIL
MODEM-SECURITY
MOTD.DATA MOTD
NETCOM
NETOFF
NETUSER
NETWORK
NEWAC
NOLOG
ON-LINE-DIAGS DIAGS
PERFECT-BKGRND
POINTER-FILE
PRICE.DOS PRICE
PRICES.DOS PRICES
PROCLIB PROC, LIBRARY, LIB
PROMCOR
PROMIS-ARCHIVE PROMIS, ARCHIVE
PROMIS-BKGRND PROMIS, BKGRND
PROMO
PWP
QA QUALITY, CONTROL
SCC.SYSPROG SCC, SYSPROG
SCREENLIB
SECURITY
SET.PLF SET, PLF, PLFSET
SL
SPSYM
SUPPORT
SYM.DOS SYM
SYS
SYS.DOC SYS
SYSLIB SYSTEM, LIBRARY, SYS, LIB
SYSPROG SYSTEM, PROGRAM, SYS, PROG, OPERATOR, DM
SYSPROG-PL SYSPROG, PL
SYSTEM-ERRORS
TCL
TEMP
TEMP-SYSPROG TEMP, SYSPROG
TEST-BKGRND TEST
TRAINING
TRY.DOS TRY
ULTICALC
ULTILINK
ULTIMATION
UNIMAX
WORDS
WP
WP.DOS WP
WP42.DOS WP, WP42
WP50.DOS WP, WP50
WP51 WP, WP51
WP51.DOS WP, WP51
AOS/VS- AOS/VS is made by Data General Corporation(DGC), and is in
my opinion the worst operating system i've seen yet.
But, in the quest of knowledge, and to broaden your computer
horizons, i suggest that you try to hack even this system,
for what it's worth.
The AOS/VS will usually readily identify itself with a
banner such as;
(yes, i'm overstepping my margin, i apologize)
**** AOS/VS Rev 7.62.00.00 / Press NEW-LINE to begin logging on ****
AOS/VS 7.62.00.00 / EXEC-32 7.62.00.00 11-Jun-93 0:27:31 @VCON1
Username:
The username prompt looks deceivingly like a VMS, but it is
not, and you can be sure by entering garbage for the username
and password. The AOS/VS will reply;
Invalid username - password pair
AOS/VS will not let you know when you've entered an incorrect
username.
And a standard system will let you have 5 tries at a username/
password combination, but after that it gives this annoying
message;
Too many attempts, console locking for 10 seconds
Having the system lock for 10 seconds does really nothing to
the hacker, except slow brute forcing down a small bit(10
seconds).
Anyways, once inside 'HELP' will give you a set of help files
which i didn't enjoy too much, and 'WHO' will list the users
online.
COMMON ACCOUNTS
Username Password
-------- --------
op operator, op
test
user
guest
sysmgt sys, mgt, system, man, mgr, manager
RSTS- Probably the oldest OS that is still out there is RSTS. RSTS
was a very common OS a decade or so ago, but is now nearing
extinction. However, there are still a few out there on PSNs,
and thus you might want to attempt to hack in.
The RSTS will usually identify itself like;
RSTS V9.7-08 93.06.10 02:36
User:
Before attempting to hack, try the SYSTAT command. It is
likely it will be disabled, but it is worth a try.
RSTS will tell you if the ID you've entered is incorrect with
the error message;
?Invalid entry - try again
The UIDs are in the format xxx,yyy , where x and y are digits.
Just guess at UIDs until you hit one with a password.
Also, the IDs will generally not go above 255 in both the x
and y spots(ie: 255,255 is generally the highest ID).
COMMON ACCOUNTS
User ID Password
------- --------
1,2 SYSLIB
WNT- I really don't know much about Windows NT, mostly having to
do with the fact that it was just released a little while ago
and I have not seen it in action to this date. I don't know
at what time in the future it will become widespread, but for
you future hackers I did a little research and came up with
the two manufacturer defaults; administrator and guest. Both
come unpassworded.. administrator is the equivalent to root
on a Unix, and guest is just as you'd expect .. a low level
guest account. Interestingly enough, in the manuals I saw WNT
sysadmins were encouraged to keep the guest account...
unpassworded at that! Highly amusing.. let's see how long that
lasts! Anyways..
Oh yeah.. case sensitive, too.. I'm pretty sure it is
lowercase, but it is possible that the first letter is
capitalized. Remember that when attempting to brute force new
accounts. Oh, and keep in mind possible accounts such as
"test" and "field" and the such.
COMMON ACCOUNTS
Username
--------
administrator
guest
BRUTE FORCE
===========
-----------
Occasi |
