💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › vthack3.txt captured on 2021-12-04 at 18:04:22.
-=-=-=-=-=-=-
Well, it's time for yet another installment in Virginia Tech
hacking. Yes, it's.... VTHACK #3!!!! Brought to you by the
Mad Hermit and crew. This time, we're going to focus on the OTHER
big network on campus: LocalNet. LocalNet (L-Net) has been around
for a much longer period of time, and as such has quite a few more
caves and back alleys to explore. Its main purpose is to connect
the faculty and grad students directly to mainframes, and thus
much of what is found when poking around are login prompts. An
aggravating factor that has been added to this is the inclusion of
"Port Servers" (PS's). You know when you've hit a PS when L-Net
tells you you've connected, but no key that you press has any
effect. The purpose of a PS is to act as a deterrent to hackers.
It also might have the additional function of baud rate detection,
but though it sounds logical, we haven't found out for sure. We
must admit that it does protect. The best way to keep system
crashers away is not to tell them what they've found through simple
redialing. This is a lot like keeping party crashers away by
saying that there's a party going on at a certain place, but not
telling them who's invited or who's giving the bash. Effective for
the dim-witted, impatient, and amateur party crashers, but not for
others.
A PS sits and stares out at you until you start sending it
characters. If the first few aren't the specific ones it's looking
for, it will continue to gobble up everything else until you give
up and hang up. Typical PS "codes" are easy-to-remember sequences
like 'ZZ' or 'ASDF', and they then pass you on to the main login
prompt. These "codes" aren't like passwords, since the added
access they give you isn't worth beans unless you've got a line on
where to go from the login prompt. However, we here feel that
information like that is in fact "restricted" in that you are
gaining unauthorized additional access to systems. As such, we've
decided to leave the fun of figuring them out to those interested
in such weekend diversions.
Before we give you what you're probably waiting for: neato
numbers to call on L-Net, we'd like to explain stuff. First, this
isn't a complete list, nor could it really be. L-Net addresses are
in hexadecimal and range from 0000 to FFFF. That's 65536 different
possibilities. We only went through ten thousand of these, and are
only listing those that got any response. Second, L-Net addresses
may connect to any number of ports, but we haven't seen any more
than 4 or 5. Thus, the total possible connections assuming an
average of 2 ports per connection and an average of about 15
connections per thousand addresses comes to just under 2000.
Assuming this is correct (very doubtful), finding where these are
is quite a task. Third, and on the positive side, some connections
open up large worlds of access. These unpassworded gateways are
known as servers, and typically are DECservers. The biggest and
most notorious is listed at 0358 and can handle a max of 128 users.
You can use these servers to connect to multiple computers at once,
and have extensive help files telling you what to do. Fourth, and
also on the plus side, L-Net doesn't kick you off. Ever. Multiple
redialing is the name of the game, and listed below is a Red Ryder
script that works under version 9.4 that dials consecutive integers
at a rate of about 40 a minute. Fifth and finally, bum connections
don't just leave you in the cold. Hitting CONTROL-A twice pops you
immediately into local mode, where a STATUS tells you where you are
connected, and a "DONE X" will disconnect you from session number
X. Calling, by the way, is done by typing "CALL XXXX[,P]" where
XXXX is the hex address, and P is the optional port number, which
is separated by a comma.
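Seen from the switch rather than from the modem, the consecutive-integer dialing described above has an obvious signature: one caller reaching many distinct, adjacent addresses within a minute. The following Python script is an added example and is not part of the original file. It assumes a hypothetical per-CALL connection log (timestamp, calling port, target address, result) that the article does not describe, and the sample lines are constructed. It flags any caller that reaches a threshold of distinct addresses inside a sliding window and reports how many of those addresses were consecutive, which is what separates a scan from a user hopping between a few known hosts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format, not one L-Net actually used: one line per CALL,
# with an ISO timestamp, the caller's port name, the target address in hex,
# an optional ",P" port suffix (as in the CALL XXXX[,P] syntax) and the result.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) port=(?P<src>\S+) call=(?P<addr>[0-9A-Fa-f]{4})"
    r"(?:,(?P<dport>\d))? result=(?P<res>.+)$"
)

# Constructed sample lines. LC-7-1 walks 5548..554F in twenty seconds, which
# is what a consecutive-integer dialer looks like from the switch side.
SAMPLE_LOG = """\
1989-03-02T23:10:01 port=LC-3-2 call=0358 result=CONNECTED
1989-03-02T23:10:05 port=LC-1-5 call=0350 result=CONNECTED
1989-03-02T23:11:00 port=LC-7-1 call=5548 result=BUSY
1989-03-02T23:11:02 port=LC-7-1 call=5549 result=UNIT
1989-03-02T23:11:04 port=LC-7-1 call=554A result=CONNECTED
1989-03-02T23:11:07 port=LC-7-1 call=554B result=UNIT
1989-03-02T23:11:09 port=LC-7-1 call=554C result=UNIT
1989-03-02T23:11:12 port=LC-7-1 call=554D result=BUSY
1989-03-02T23:11:15 port=LC-7-1 call=554E result=UNIT
1989-03-02T23:11:20 port=LC-7-1 call=554F result=CONNECTED
1989-03-02T23:12:30 port=LC-3-2 call=0175 result=CONNECTED
1989-03-02T23:40:00 port=LC-1-5 call=0358 result=CONNECTED
"""


def parse_log(text):
    """Return (timestamp, source port, address as int), time-ordered, for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # lines that do not fit the format are ignored
        events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["addr"], 16)))
    events.sort()
    return events


def longest_consecutive_run(addrs):
    """Length of the longest run of adjacent addresses (n, n+1, n+2, ...)."""
    best = run = 1 if addrs else 0
    ordered = sorted(set(addrs))
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_sweeps(events, window_seconds=60, threshold=5):
    """Flag callers that reach at least `threshold` distinct addresses inside any
    `window_seconds` window. Returns {source: {"distinct": n, "longest_run": r}}."""
    recent = defaultdict(deque)  # source -> (ts, addr) pairs still inside the window
    flagged = {}
    for ts, src, addr in events:
        q = recent[src]
        q.append((ts, addr))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        addrs = [a for _, a in q]
        distinct = len(set(addrs))
        if distinct >= threshold:
            seen = flagged.setdefault(src, {"distinct": 0, "longest_run": 0})
            seen["distinct"] = max(seen["distinct"], distinct)
            seen["longest_run"] = max(seen["longest_run"], longest_consecutive_run(addrs))
    return flagged


if __name__ == "__main__":
    for src, info in detect_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct']} distinct addresses in one window, "
              f"longest consecutive run {info['longest_run']}")
```

Window and threshold are parameters: the defaults catch the roughly forty calls a minute the Red Ryder script reaches while leaving alone a user who connects to two or three services over an evening, and the consecutive-run count tells the operator which of the flagged callers is sweeping rather than merely busy.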
Red Ryder 9.4 Local-Net Scanner Script.
COPYINTO ~8,ENTER NUMBER TO START AT
(GET1)
QUERY1 ~1
EMPTY ~1
IF YES JUMPTO (GET1)
LET EQUAL `1,~1
LET EQUAL `3,`1
COPYINTO ~8,ENTER LENGTH OF SEARCH
(GET2)
QUERY1 ~2
EMPTY ~2
IF YES JUMPTO (GET2)
LET EQUAL `2,~2
ADD `3,`2
COPYINTO ~3,`3
SUBTRACT `1,1
(NEXT)
ADD `1,1
TEST `1=~3
IF YES JUMPTO (QUIT)
TYPE Call
TYPE `1
TYPE ^M
ALERT1 UNIT/JUMPTO (NEXT)
ALERT2 BUSY/JUMPTO (NEXT)
PANICAFTER 10
PROMPT CONNECTED
PAUSE
BELL
BELL
BELL
BELL
JUMPTO (QUIT)
(QUIT)
END
And here's what our illustrious, untiring crew has discovered:
Node Port# What
---- ----- ----
0008 1
0074 0,1 VTME (Mechanical Engineering)
0116 0,1
0124 0,1
0126 0,1
000A 1
000B 0,1
000C 0,1
000E 0,1
00FF 0,1
0170 0,1
0175 0,1 Popeye (Computer Science)
0350 0 VTCC1
0351 0,1 " "
0352 0,1 " "
0354 0,1 " "
0355 1 " "
0356 0,1 " "
0357 0,1 " "
0358 0,1 DECServer 500
0359 0,1 DECServer 500 (same as above, different port bank)
0400 0,1 VTME (again)
0401 0,1 " " "
0402 0,1 " " "
0403 0,1
0404 0,1 VTME (yet again)
0405 0 " " " "
0450 0,1 DECServers (see note 3)
0451 0,1 " " "
0452 0,1 " " "
0453 0,1 " " "
0454 0,1 " " "
0455 0,1 " " "
0536 0,1
600-601 "Remote Ports Busy"
603-607 "Remote Ports Busy"
1010 0,1
1100-1103 "Remote Ports Busy"
1300 0 VTVM1
5100 1 VTVM1
5300 0,1
5500-5503 "Remote Ports Busy"
5510 0,1
5512 0,1
5514 0,1
5516 0,1
5518 1
5530 0,1
5534 0,1
5536 0,1
5548 0,1
5548 0,1
5550 0,1
5552 0,1
5554 0
6000 1
6002 0 Node[20] (see note 1)
6003 0,1
6100-6103 "Remote Ports Busy"
6200 1 Node[2] (see note 2)
6230-6231 "Remote Ports Busy"
6300 0,1
6301 0,1
6302 0,1 Node[2] (see note 2)
6303 0
6410 1
6414 0
6419 1
6420 1
6428 0,1
6429 1
6433 0
6437 1
643A 1
643B 0
6502 0 VTVMS
6503 0 " "
6504 0 " "
6505 0 " "
6506 0 " "
6507 0 " "
6508 0 " "
6509 0 " "
8001 1
8002 0
8003 0
8004 0,1
8005 0
8006 1
8007 1
8008 0
8009 0
8080 0,1
9000-9016 "Remote Ports Busy"
9018-9019 "Remote Ports Busy"
9302 0
9300 0,1,2,3,4
Notes:
------
1) Node[20], popularly known as the Node Router, went out of
service shortly after VTHacker #2 was distributed. Apologies
are NOT extended to those who assumed that the list in VTHack2
was gospel. Things change all the time, and those things that
are especially good tend to go away. Apparently, number 40062
was used by CNS's chief diagnostician as a way to test the VA
Council of Higher Education's access to the Net and L-Net.
Poking around there was terminated, but our scan of L-Net turned
up another way in...
2) If you wondered why the Node Router was labelled "20" (really,
what happened to the other 19?), then this might clear things up.
The following connections were observed:
Node What
---- ----
0 Passworded
1 L-Net
3 the Net
5 Passworded
6 Passworded
9 Dead End
10 Dead End
12 L-Net
20 Restricted (*)
*) This did connect you to a really screwed up L-Net port, which
continually spewed out garbage and error messages, but we think
our poking around in it got it shut off, due to the incredible
quickness with which it was restricted (we were still on-line!)
3) Ah, what a joy it is to explore, and find a pristine cavern
laden with sweet delight, and a menu to boot! Well, what I'm
talking about is BAMBI and THUMPR, two side-by-side DECServers.
Calling the listed numbers with port 0 gets you BAMBI, and using
port 1 gets you THUMPR. In our experience, nobody has ever been
dumped for staying on too long, and though the computers you can
connect to aren't all that interesting (all Mechanical Engineering)
the services and privileges allowed to ordinary users are about
as generous as possible. The listings that follow are verbatim
text sent by the servers, and we think that you'll be able to
figure out what's going on.
DECserver 200 Terminal Server V2.0 (BL29) - LAT V5.1
AMDF Network - Server BAMBI
Please type HELP if you need assistance
Enter username> Jack Meoff
Local> show nodes all
Node Name Status Identification
BAMBI Reachable AMDF Network - Server BAMBI
BERT Reachable AMDF VAXstation I (VMS 4.2)
ERNIE Reachable AMDF VAXstation I (VMS 4.2)
POOH Reachable AMDF MicroVAX II (VMS 4.6)
SPOCK Reachable ZONIC Lab VAXstation 2000 (VMS 4.6)
SULU Unreachable AMDF Cluster VAXstation 2000 (Color)
THUMPR Reachable AMDF Network - Server THUMPR
UHURA Unreachable AMDF Cluster VAXstation 2000 (B & W)
VTME Reachable ME VAX 11/780 (VMS 4.4)
VTMEX Reachable AMDF Cluster VAXserver 3600 (VMS 4.7)
Local> show ports all
Port Access Status Services Offered
1 Dynamic Idle
2 Dynamic Idle
3 Dynamic Local mode
4 Dynamic Idle
5 Dynamic Idle
6 Dynamic Idle
7 Dynamic Idle VTLAN
8 Dynamic Idle VTLAN
Local> help
HELP
The online HELP facility allows you to access reference and tutorial information about the DECserver 200. Choose one of the following options:
o Enter TUTORIAL to see a succession of HELP frames with "getting
started" information on basic DECserver functions (for beginners)
o Enter HELP for full information on how to use the HELP facility
o Choose a HELP topic from the following list:
BACKWARDS FORWARDS RESUME
BROADCAST HELP SET
CONNECT LIST SHOW
DEFINE LOCK TEST
DISCONNECT LOGOUT
Topic? list
LIST
Use the LIST command to display information from the permanent database.
LIST option
The option value is a topic about which you need information.
Additional HELP is available for the LIST options:
PORTS SERVER SERVICES
LIST Subtopic? server
SHOW/LIST SERVER
Use the SHOW SERVER command to display information about the current
operational state of the server. Use LIST SERVER to show values for the
permanent server characteristics.
Command formats:
SHOW SERVER [CHARACTERISTICS]
[COUNTERS ]
[STATUS ]
[SUMMARY ]
LIST SERVER [CHARACTERISTICS]
[SUMMARY ]
The default option for SHOW/LIST SERVER is CHARACTERISTICS.
Additional help available for:
CHARACTERISTICS COUNTERS STATUS SUMMARY
SHOW/LIST SERVER Subtopic?
LIST Subtopic?
Topic? show
SHOW
Use SHOW commands to display current status or information from the server's
operational database.
SHOW option
The option value is the topic about which you need information.
Additional HELP is available for the SHOW options:
NODES PORTS QUEUE SERVER SERVICES SESSIONS USERS
SHOW Subtopic?
Topic?
Local> show server
DECserver 200 V2.0 BL29 LAT V5.1 ROM BL20 Uptime: 6 08:14:20
Address: 08-00-2B-0B-C4-EA Name: BAMBI Number: 0
Identification: AMDF Network - Server BAMBI
Circuit Timer: 80 Password Limit: 3
Console Port: 1 Queue Limit: 24
Inactivity Timer: 30 Retransmit Limit: 8
Keepalive Timer: 20 Session Limit: 64
Multicast Timer: 30 Software: PR0801ENG
Node Limit: 100
Service Groups: 0
Enabled Characteristics:
Announcements, Broadcast, Dump
Local> help
Topic? tutorial
TUTORIAL HELP
LOGGING INTO THE DECSERVER
To login to the DECserver you may be required by your server manager to enter a login password. If you are not required to do so, go on to the next screen. If you are, here are the steps to take to log in.
1 Press <RETURN> twice; a number sign (#) appears along with an audible "beep".
2 Enter the login password. (You get the password from your server manager.)
For example, to log in with the password A1B2C3...
<RETURN> <RETURN> enter <RETURN> twice
# A1B2C3 type the password (which is not echoed)
3 If you make a mistake, the prompt reappears (and the "beep") to let you try again. You have several chances to enter the correct password.
4 If you use a dial-in modem, you have 60 seconds to respond to the # prompt with the correct password. If you don't, the server disconnects your modem.
If you do not need to enter a login password, press <RETURN> twice to log into
your DECserver.
When you log in, an introductory line of text appears...
DECserver 200 Terminal Server V1.0 (BL20) - LAT V5.1
If your port does not have a permanent username defined, enter your name (1 to
16 keyboard characters) after the following text appears...
Please type HELP if you need assistance
Enter username>
The Local> prompt appears after you type your username.
If your port does have a permanent username, here's what you see...
Please type HELP if you need assistance
Local>
USING ONLINE HELP
Online help is documentation about DECserver commands that is
stored in server memory. You can see this documentation
interactively on your terminal while you are using the DECserver. The HELP command gives you access to online help. You
can use it in two ways:
You can type HELP at the Local> prompt...
Local> HELP
This generates a succession of HELP "frames", "menus", and prompts.
Frames are made up of the information that can fit on one or more
terminal screens. Menus are lists of topics you can choose from.
Alternatively, you can specify topics and subtopics when you
enter the HELP command. For example...
Local> HELP SET PORT
This command produces online documentation that describes the SET
PORT command.
SOME DEFINITIONS
The primary function of the DECserver is to allow you to connect to "services" offered on your network. A service can be a computer system that you can use just as though your terminal were attached directly to the system, or it can be a function offered by such a system. In addition, services can be set-up to
allow access to printers, dial-out modems, personal computers and terminal switches. To connect to a service, you only need to know the service name.
A "service node" is a computer system or server that offers services.
A "session" is a connection to a service. You can have one or more simultaneous sessions with one service, or more than one service. The connection you are using at any one time is called your "current session". Your other sessions are inactive, but can be resumed by using server commands or session switches.
"Service mode" is your environment when you interact with a service. For example, if the service is a computer system, your environment is the same as a terminal directly wired to the system. You can all use the system's commands and resources.
"Local mode" is your environment when you interact with the DECserver using commands entered at the Local> prompt.
CONNECTING TO A SERVICE
Use the local mode SHOW SERVICES command to display a list of services you can use.
Local> SHOW SERVICES
To connect to a service (establish a session with the service) enter the DECserver CONNECT command with the name of the service you want. For example, for a service called SALES, enter the following command:
Local> CONNECT SALES
This command places you in service mode in an active session with the service SALES.
RETURNING TO LOCAL MODE FROM A SERVICE SESSION
To return to local mode without ending your session, press <BREAK> or press your local switch character. Both these characters are, in effect, DECserver commands that instruct the server to go back to local mode.
The <BREAK> character must be set up to permit this (by default it is), and the local switch character must be defined (by default it is not).
Use the HELP command for more details on setting up the <BREAK> character and local switch character.
NOTE
Some modems interprets the <BREAK> character as a command to end
your dial-in connection. If you are using one of these modems,
do not use <BREAK> to return to local mode.
Your session, now inactive, is still your current session because
it is the session your were using most recently.
RESUMING YOUR SERVICE SESSION FROM LOCAL MODE
To resume your current session (and service mode) while your are in local mode, enter the DECserver RESUME command.
Local> RESUME
You go back to where you left off when before returning to local mode.
DISCONNECTING FROM A SERVICE
To end your current session while in service mode, use the command that terminates whatever process you are using. For example, you can terminate a session on a VAX/VMS system by typing the VMS LOGOUT command. Refer to the documentation for the service node that offers the service.
To end your current session while in local mode, enter the DECserver DISCONNECT command.
Local> DISCONNECT
You cannot resume a service session after you end the connection with DISCONNECT.
CONNECTING TO A SECOND SERVICE
The DECserver allows you to have several sessions at one time, to the same or to different services. To connect to a second (or subsequent) service, simply enter another CONNECT command from local mode, specifying the name of the service. For example, to connect to the service PRODUCTION, enter the following command:
Local> CONNECT PRODUCTION
To resume one of your non-current sessions, use the FORWARDS command to switch to your next session, or the BACKWARDS command to switch to your previous session. Alternatively, you can use the RESUME command and specify the session
number. You can find this number from the SHOW SESSIONS display:
Local> RESUME SESSION 2
To disconnect a particular session, use the DISCONNECT command and specify the session number. For example:
Local> DISCONNECT SESSION 1
LOGGING OUT OF THE DECSERVER
To logout from the DECserver, enter the DECserver LOGOUT command (in local mode).
Local> LOGOUT
LOGOUT disconnects all sessions. A DECserver message appears verifying the logout.
The next batch of stuff comes from DECServer 500:
Local> show users
Port Username Status Service
5 LC-1-5 Connected VTCC1
6 LC-1-6 Connected VTCC1
7 LC-1-7 Connected VTCC1
8 LC-1-8 Connected VTCC1
34 LC-3-2 Connected VTCC1
53 LC-4-5 Local Mode
67 LC-5-3 Connected VTCC1
Local> show devices all
Device Device Port Device CSR Vector Total
Slot Name Type List Status Address Address Errors
1 CONSOLE DL 0 Running 177560 60 1
2 NETWORK DEQNA Running 174440 120 37
3 LC-1 CXY08 1-8 Running 160440 310 2
4 LC-2 CXY08 17-24 Running 160460 320 0
5 LC-3 CXY08 33-40 Running 160500 330 1
6 LC-4 CXY08 49-56 Running 160520 340 0
7 LC-5 CXY08 65-72 Running 160540 350 0
8 LC-6 CXY08 81-88 Running 160560 360 0
9 LC-7 CXY08 97-104 Running 160600 370 5085
10 LC-8 CXY08 113-120 Running 160620 400 15
Local> show server
DECserver 500 V1.0 LAT V5.1 ROM V1.0.2 Uptime: 12 7:18:36
Address: 08-00-2B-0A-10-63 Name: CCSRV2 Number: 22
Identification:
Circuit Timer: 80
Password Limit: 3
Inactivity Timer: 2
Queue Limit: 8
Keepalive Timer: 20
Retransmit Limit: 10
Multicast Timer: 60
Session Limit: 256
Node Limit: 100
Service Groups: 0
Backup Hosts: None
Enabled Characteristics:
Announcements
Local> show services all
Service Name Status Identification
DCSSVX Unavailable VT CC DCSS VS2000 Ultrix 2.2/UNIX
DSW Unavailable VT CNS dataswitch
GOLEM Unavailable VT Mathematics VAXstation I VMS - Node
LAN Unavailable VT CNS LocalNet
MTHOPR Unavailable VT Mathematics VAXstation I VMS - Node
MTHSUN Unavailable VT Mathematics Sun 3/50 - MTHSUN
MTHUNH Unavailable VT Mathematics VS2000 Ultrix 2.2 - Node
MTHUNX Unavailable VT Mathematics VS2000 Ultrix 2.2 - Node
NFNITY Unavailable VT Mathematics VS2000 VMS - Node NFNITY
POPEYE Unavailable Systems Research Center VAX-11/785 SVR2/
QUANTM Unavailable VT Mathematics VS2000 Ultrix 2.2 - Node
VTAGE1 Unavailable Ag. Engineering MicroVAX II / MicroVMS V
VTCC1 6 Connected TechCluster - Node VTCC1
VTCPE1 Unavailable VT EE Department VS2000 Ultrix 2.2/UNIX
VTCPE2 Unavailable VT EE Department VS2000 Ultrix 2.2/UNIX
VTCPE3 Unavailable VT EE Department VS2000 Ultrix 2.2/UNIX
VTCPE4 Unavailable VT EE Department VS3200 Ultrix 2.2/UNIX
VTCS1 Unavailable Va Tech CS Lab: VMS Service
VTDAL3 Unavailable VT EE Department VS2000 Ultrix 2.0/UNIX
VTDAL4 Unavailable VT EE DAL VS3200 Ultrix 2.2/Unix
VTDAL5 Unavailable VT EE DAL VS3200 Ultrix 2.2/UNIX
VTDAL6 Unavailable VT EE DAL VS3200 Ultrix 2.2/Unix
VTHCL Unavailable Va Tech Human/Computer Interface Lab
VTMAP Unavailable CE-Geography SDA Lab -Node VTMAP - Micro
VTMATH Available TechCluster - Node VTCC1
VTMILO Unavailable Human/Computer Lab - VAXStation II
VTODIE Unavailable VT CS Department MicroVax 2000 Ultrix 2.0
VTSDA Unavailable Spatial Data Analysis Lab - Vax 11/785
VTUNIX Available VT CC VAX 11/785 Ultrix 2.2/UNIX
VTYR Unavailable VT Mathematics VS2000 VMS - Node VTYR
XPRT549 Unavailable Fifth floor printer
Local> show ports all
Port Access Status Local Services
1 Local Idle
2 Local Idle
3 Local Idle
4 Local Idle
5 Local Connected
6 Local Connected
7 Local Connected
8 Local Connected
9 Local Offline
10 Local Offline
11 Local Offline
12 Local Offline
13 Local Offline
14 Local Offline
15 Local Offline
16 Local Offline
17 Local Idle
18 Local Idle
19 Local Idle
20 Local Idle
21 Local Local mode
22 Local Idle
23 Local Idle
24 Local Idle
25 Local Offline
26 Local Offline
27 Local Offline
28 Local Offline
29 Local Offline
30 Local Offline
31 Local Offline
32 Local Offline
33 Local Idle
34 Local Connected
35 Local Idle
36 Local Idle
37 Local Idle
38 Local Idle
39 Local Idle
40 Local Idle
41 Local Offline
42 Local Offline
43 Local Offline
44 Local Offline
45 Local Offline
46 Local Offline
47 Local Offline
48 Local Offline
49 Local Idle
50 Local Idle
51 Local Idle
52 Local Idle
53 Local Idle
54 Local Idle
55 Local Idle
56 Local Idle
57 Local Offline
58 Local Offline
59 Local Offline
60 Local Offline
61 Local Offline
62 Local Offline
63 Local Offline
64 Local Offline
65 Local Idle
66 Local Idle
67 Local Connected
68 Local Idle
69 Local Idle
70 Local Idle
71 Local Idle
72 Local Idle
73 Local Offline
74 Local Offline
75 Local Offline
76 Local Offline
77 Local Offline
78 Local Offline
79 Local Offline
80 Local Offline
81 Local Idle
82 Local Idle
83 Local Idle
84 Local Idle
85 Local Idle
86 Local Idle
87 Local Idle
88 Local Idle
89 Local Offline
90 Local Offline
91 Local Offline
92 Local Offline
93 Local Offline
94 Local Offline
95 Local Offline
96 Local Offline
97 Local Idle
98 Local Idle
99 Local Idle
100 Local Idle
101 Local Idle
102 Local Idle
103 Local Idle
104 Local Idle
105 Local Offline
106 Local Offline
107 Local Offline
108 Local Offline
109 Local Offline
110 Local Offline
111 Local Offline
112 Local Offline
113 Local Idle
114 Local Idle
115 Local Idle
116 Local Idle
117 Local Idle
118 Local Idle
119 Local Idle
120 Local Idle
121 Local Offline
122 Local Offline
123 Local Offline
124 Local Offline
125 Local Offline
126 Local Offline
127 Local Offline
128 Local Offline
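The same `show users` and `show server` listings are what an operator would read when checking a terminal server, and two of the conditions the article relies on show up directly in them: a port parked at the Local> prompt (port 53 on CCSRV2) and an inactivity timer of 30 on BAMBI next to 2 on CCSRV2. The following Python script is an added example, not the article's or Digital's code. It parses the listings as printed (copied here from the dumps above, abridged) and returns the findings an operator would act on; the timer unit is assumed to be minutes, and the five-minute ceiling is an assumed local policy.

```python
import re

# Copied from the article's DECserver dumps: the `show users` output of the
# DECserver 500 and the `show server` output of BAMBI and CCSRV2 (abridged).
SHOW_USERS = """\
Port Username Status Service
5 LC-1-5 Connected VTCC1
6 LC-1-6 Connected VTCC1
7 LC-1-7 Connected VTCC1
8 LC-1-8 Connected VTCC1
34 LC-3-2 Connected VTCC1
53 LC-4-5 Local Mode
67 LC-5-3 Connected VTCC1
"""

SHOW_SERVER_BAMBI = """\
DECserver 200 V2.0 BL29 LAT V5.1 ROM BL20 Uptime: 6 08:14:20
Address: 08-00-2B-0B-C4-EA Name: BAMBI Number: 0
Identification: AMDF Network - Server BAMBI
Circuit Timer: 80 Password Limit: 3
Console Port: 1 Queue Limit: 24
Inactivity Timer: 30 Retransmit Limit: 8
Keepalive Timer: 20 Session Limit: 64
"""

SHOW_SERVER_CCSRV2 = """\
DECserver 500 V1.0 LAT V5.1 ROM V1.0.2 Uptime: 12 7:18:36
Address: 08-00-2B-0A-10-63 Name: CCSRV2 Number: 22
Circuit Timer: 80
Password Limit: 3
Inactivity Timer: 2
Session Limit: 256
"""

# "Key: value" pairs; the DECserver 200 prints two per line, so findall is used.
KEY_VALUE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s+(\S+)")


def parse_users(text):
    """Rows of `show users` as dicts; 'Local Mode' is two words and has no service."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the column header
        tok = line.split()
        if len(tok) < 3 or not tok[0].isdigit():
            continue
        if tok[2:4] == ["Local", "Mode"]:
            status, service = "Local Mode", None
        else:
            status, service = tok[2], (tok[3] if len(tok) > 3 else None)
        rows.append({"port": int(tok[0]), "username": tok[1],
                     "status": status, "service": service})
    return rows


def parse_server(text):
    """Flatten the `Key: value` pairs of `show server` into one dict."""
    return {k.strip(): v for k, v in KEY_VALUE.findall(text)}


def audit(users, server, max_inactivity=5):
    """Findings an operator would act on. Timer values are assumed to be minutes;
    max_inactivity is an assumed local policy, not a DECserver default."""
    findings = []
    name = server.get("Name", "?")
    for row in users:
        if row["status"] == "Local Mode":
            findings.append(f"{name}: port {row['port']} ({row['username']}) is parked at the Local> prompt")
    timer = int(server.get("Inactivity Timer", 0))
    if timer > max_inactivity:
        findings.append(f"{name}: inactivity timer is {timer}, above the {max_inactivity} allowed")
    if "Password Limit" not in server:
        findings.append(f"{name}: no password limit reported")
    return findings


if __name__ == "__main__":
    for f in audit(parse_users(SHOW_USERS), parse_server(SHOW_SERVER_CCSRV2)):
        print(f)
    for f in audit([], parse_server(SHOW_SERVER_BAMBI)):
        print(f)
```

Run against the page's own listings, CCSRV2 yields the parked port 53 and BAMBI yields the long inactivity timer, which is the setting that let the crew stay connected to the VTME servers for as long as they liked.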
Enough stuff, huh? Well, we've got MORE news. If you're going to
poke around L-Net, the following numbers into L-Net have been known
to be dead (i.e. CONNECTED, but no response): 40499, 40507, 40482.
And here's an update on VTHack #2's list of Net numbers:
40600-40615 No Answer
40625-40656 Originate Only
40657 Not Accessable
40658 No Answer
40659-40686 Not a Dataline
40687 No Answer
40688-40690 Not Accessable
40691 1200 baud line
40692 No Answer
40693-40699 Not a Dataline
40700-40723 Connection Failed
40724 No Answer
40725-40799 VM/XA VT
40800-40817 VM/XA VT
40818-40833 Originate Only
40834-40837 Not Accessable
40838-40839 Originate Only
40840-40899 Not a Dataline
40900-40999 Not a Dataline
And what about the other 55 thousand L-Net addresses we didn't try?
Hey, why don't YOU try them, and then share the news...? We're
already moving on to brighter futures in hacking, so stay tuned on
your local BBS or pass-the-disk network for: VTHacker #4 - Viruses,
reader response, Telenet, and more updates on previous info...
Downloaded From P-80 Systems 304-744-2253