💾 Archived View for spam.works › mirrors › textfiles › hacking › force5.txt captured on 2023-06-14 at 16:49:17.

View Raw

More Information

-=-=-=-=-=-=-

                                      
F O R C E   F I L E S    Volume #5
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
From The Depths Of  - THE REALM -, By:  ----====} THE FORCE {====----  08/06/87
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

UNIX
----

Unix systems have got a lot and I mean a lot of defaults. The major ones are:

who/who,   uucp/uucp,   daemon/daemon,   tty/tty,   test/test,   bin/bin
adm/adm,   nuucp/nuucp, learn/learn,     sys/sys,   root/root,   uuhost/uuhost
games/games,  root/system,   trouble/trouble

There are others, which you will have to find in the UNIX Scan which is about
to follow.

Another very good use of unix machines is an outdial facility that most of them
are equipped with.  Just type in 'man cu' once in, for more information.
Again there a lot of files on UNIX machines so I won't go into any great detail
of it's workings.  (well to tell the truth, I am not all that hot when it
                    comes to technical info on this system)

The following is a root library taken from a UNIX V, containing all the
recognised defaults, commands etc.  Brought to you By: BOBO

$ ls /*
/oldunix
/tccalendar.dbf
/tccalendar.mem
/console
/dbase_1
/dgmon
/filledt
/go
/informix_3
/mbox
/moveprofile
/multiplan_1
/secret.file
/send
/tmpfile
/tty21
/unix
/write

/bck:

/bin: appt ar as basename caldr cat cc chgrp chmod chown cmp conv convert cp
cpio cprs crypt date dd df diff dirname dis du dump echo ed env expr false file
find grep kill ld line list ln login lorder ls mail make mesg mkdir mv newgrp
nice nm nohup od passwd pdp11 pr ps pwd red rm rmail rmdir rsh sed sh size
sleep sort strip stty su sum sync tail tee time touch true tty u370 u3b u3b2
u3b5 uname vax wc who write

/boot: hdelog idisk iuart kernel mem ports ptc pts stubs sxt tty

/dev: sa boot console contty diskette dsk hdelog idsk00 idsk01 idsk02 idsk03
idsk04 idsk05 idsk06 idsk07 idsk08 idsk09 idsk0a idsk0b idsk0c idsk0d idsk0e
idsk0f idsk10 idsk11 idsk12 idsk13 idsk14 idsk15 idsk16 idsk17 idsk18 idsk19
idsk1a idsk1b idsk1c idsk1d idsk1e idsk1f ifdsk00 ifdsk01 ifdsk02 ifdsk03
ifdsk04 ifdsk05 ifdsk06 ifdsk07 install kmem mainstore mem null ptc00 ptc01
ptc02 ptc03 ptc04 ptc05 ptc06 ptc07 ptc08 ptc09 ptc10 ptc11 ptc12 ptc13 ptc14
ptc15 rsa rdiskette rdsk ridsk00 ridsk01 ridsk02 ridsk03 ridsk04 ridsk05
ridsk06 ridsk07 ridsk08 ridsk09 ridsk0a ridsk0b ridsk0c ridsk0d ridsk0e ridsk0f
ridsk10 ridsk11 ridsk12 ridsk13 ridsk14 ridsk15 ridsk16 ridsk17 ridsk18 ridsk19
ridsk1a ridsk1b ridsk1c ridsk1d ridsk1e ridsk1f rifdsk00 rifdsk01 rifdsk02
rifdsk03 rifdsk04 rifdsk05 rifdsk06 rifdsk07 rinstall rsave save swap sxt
sxt000 sxt001 sxt002 sxt003 sxt004 sxt005 sxt006 sxt007 sxt010 sxt011 sxt012
sxt013 sxt014 sxt015 sxt016 sxt017 sxt020 sxt021 sxt022 sxt023 sxt024 sxt025
sxt026 sxt027 sxt030 sxt031 sxt032 sxt033 sxt034 sxt035 sxt036 sxt037 sxt040
sxt041 sxt042 sxt043 sxt044 sxt045 sxt046 sxt047 sxt050 sxt051 sxt052 sxt053
sxt054 sxt055 sxt056 sxt057 syscon systty ttp00 ttp01 ttp02 ttp03 ttp04 ttp05
ttp06 ttp07 ttp08 ttp09 ttp10 ttp11 ttp12 ttp13 ttp14 ttp15 tty tty11 tty12
tty13 tty14 tty15 tty21 tty22 tty23 tty24 tty25

/dgn: ports sbd x.ports x.sbd edt_data

/etc: timezone bcheckrc brc bzapunix cgetty checkall checklist chroot ckauto
clri coredirs crash cron dcopy devnm dfsck disketteparm drvinstall dummy.sf
edittbl errdump ff fmtflop fmthard fsck fsck1b fsdb fsdb1b fsstat fstab fuser
getmajor getty gettydefs group grpck hdeadd hdefix hdelogger helpadm init
inittab inittab.old install ioctl.syscon junk killall labelit ldsysdump led
link log magic master.d mkboot mkfs mknod mkunix mnttab motd mount mountall
mvdir ncheck newboot old.stdprofile opasswd passwd passwd.bak passwd.old
pciconfig pcidaemon.eth pciout.232 pciout.eth pciptys pciserver.232
pciserver.eth ports prepcigettydef prepciinittab profile prtconf prtvtoc
ps_data pump pwck rc.d rc0 rc2 save.d savecpio setclk setmnt shutdown
shutdown.d stdprofile sysdef system telinit termcap tm uadmin umount umountall
unlink utmp volcopy vtoc wall whodo wtmp

/instal:
/instal unreadable

/install:
/install unreadable

/lib: cm4defs comp cpp crt0.o fcrt0.o fmcrt0.o lboot libpw.a libc.a libld.a
libm.a libp mboot mcrt0.o nmawk optim pump

/lost+found:

/mnt:

/root:

/save:

/tmp:

/usr: 123 3bnet adm admin ahp ajk alj bht bin bjc bjm bjz bkl bkm bls cbb cdev
cep chh cjw cle clh cma coldwel1 coldwel2 coldwel3 coldwell cta ctc dcp dda
demo dgh dgm dll dlp dpr dsd dsh egs ehb ejf elx enl extra gcg gello gkm guest
haverkam hcc hfs hjc include irv jaw jbg jci jee jeh jev jhd jja jkp jmr jpf
jpn jth jty jwb kla lbin lbo lib lit llg lls lost+found lrb lrk ltc mail man
mdk mgr mjp mku mlt mmg msl nab news njb options pam pci pgb phb phm plm
preserve psd pub ret rfl rlm rlv rns rnv rsb russ rwm sap sas shg sla smb smk
spool src ssb sup tll tm tmp twp unify von vov[dn wes whn wit wpt
a.out a.out.pdp aardvark ac acc acct acctcms acctcom acctcon acctcon1 acctcon2
acctdisk acctdusg acctmerg accton acctprc acctprc1 acctsh acctwtmp ad adb
addbib adduser admin adventure aliases aliens altblk analyz apropos ar ar.pdp
arcv arff arithmetic arp ar.pdp as as.pdp asa ascii asktime assign asy at atq
atrm autoconf awk back backgammon badsect banner bas basename bc bcd bdiff bfs
biff binmail bj bk boggle boot bugflier bs cal calendar canfield cat catman cb
cc cd cdc cflow chargefee chase checkcw checkers checklist checkmm checknr
chess chfn chgrp ching chmem chmod chown chparm chroot chsh ckpacct clear clri
cmp col colcrt comb comm compact comsat config connect cons convert copy core
cp cpio cpp cprs craps crash cref cribbage cron crypt csh csplit css ct ctags
cu cut cw cwcheck cxref dab144 date dbx dc dcheck dd deassign del delta deroff
devinfo devnm df dh diction diff diff3 diffmk dir dircmp dirname dis disable
disk dispart disktab display dmc dmesg dmf dn doctor dodisk doscat doscp dosdel
dosdir dosis dosmkdir doswrite cpd dpr drtest drum dtype du dump dumpdir
dumppfs dz e ebcdic ec echo ed edquota efl egrep en enable env environ eqn
eqnchar eqncheck errfile error ex expand explain expr eyacc f77 factor false
fastboot fcntl fd fed ffill fget fgrep file filehdr filesystems fill find
finger fish fixascii fl fmt fold format fortran fortune fp fpr freq fs fsck
fsdb fsend fspec fsplit fstab ftpd fwtmp gcat gcore gcosmail gdev ged get
getopt gets gettable getty gettydefs gettytab ghose gps graph graphics greek
grep group groups grpcheck grpcheck gutil halt haltsys hangman gd hd hdr head
help hex hier history hk hold hostid hostname hosts hp hpio ht htable hy hyphen
icheck id ifconfig ik il imp implog implogd indent ined inet init initab inode
install intro iostat ip ipcrm ipcs issue istat join jotto just kasb keyboard kg
kgmon kill killall kmem l last lastcomm lastlogin lc ld ld.pdp ldfcn learn
leave lex li life line linenum link lint lisp liszt ln lo lock login logname
look lookbib lorder lp lpc lpd lpq lpr lprm lpstat ls ls7 lxref m4 machid mail
mailaddr make makedev makekey man manroff mant master master.dec master.u3b
maze me mem memuse mesg mille mkdir mkfs mklost+found mknod mkproto mkstr
mkuser mm mmcheck mmt mnttab mnacct monop moo more mosd mount mptx ms msgs mt
mtab mtio mv mvdir ncheck neqn net netstat netutil newaliases newfile newform
newfs newgrp news nl nm nm.pdp nohup nroff nroff7 nscstat nsctorje null nulladm
number nusend od pac pack pagesize panic param passd paste pc pcat pcl pdx
phones pi pix plot pmerge pnch ports portstatus pr prctmp prdaily prep
primetime print printcaps printevn prmail prof profile proto protocols prs
prtacct ps pstat pti ptx pty pup put put7 pwadmin pwck pwcheck pwd px pxp pxref
qconfig qdaemon quiz quot quota quotacheck quotaon rain random ranlib ratfor rc
rcp rcvhex rdump readfile reboot refer refrom regcmp regexp reloc remote remsh
renice repquota reset restor mrrestore rev reversi rexecd rjestat rlogin
relogind rm rmail rmdel rmdir rmhist rmt rmuser robots roff roffbib rogue route
routed rpl rrstore rsh rshd rstat runacct ruptime rwho rwhod rx rxformat sa
sact sadp sag sar sash savcore scat scc sccsdiff sccsfile scnhdr script sdb
sddate sdiff se sed see send sendbug sendmail services setmnt setnode settime
sh shutacct shutdown size size.pdp skulker sky sleep snake sno soelim sorry
sort sortbib spell spline split splp ssp stab stackuse stat sticky stlogin
strings strip strip.pdp stuct ststat stty style su subset sum sum7 sumdir
swapon symorder syms sync sysadmin syslog system tab tabs tail take take7 talk
tar tbl tc tcp tee telnet telnetd term termcap test tftpd time timex tip tm toc
touch tp tplot trek trman troff troff7 trouble trpt true ts tset tsort ttt tty
ttys ttytype tu tunefs turnacct twinkle types typo uda udp ul umask umount un
uname unget uniq units unlink unmount unpack untab up update updater uptime ut
utmp users uu uuclean uucp uuencode uulog uuname uupick uusend uusnap uustat
uusub uuto uux va va vc versions vfont vfontinfo vgrind vgrindefs vi vip vipq
vmstat vp vpr vsh vtroff vv vwidth w wait wall wc what whatis whereis which who
whoami whodo worm worms write wtmp wtmpfix wump xargs xref xsend xstr yacc yes
zork

Now just you try and go throught all that hehehe..


PRIMENETS, DIALCOM - PRIMOS
----------------------------

This is where the fun is and these are my favourite systems, as you are about
to find out.

PRIMOS DEFAULTS
~~~~~~~~~~~~~~~

Both Primenets, Dialcoms, and other systems running Primos, have got default
accounts.  They are not unique to all the systems, but rather to different
versions of Primos. The most common ones include.

TEST/TEST,  TEST/PRIME,  GAMES/GAMES,  DEMO/DEMO,  SYSTEM/SYSTEM,
HELP/HELP   NETMAN,      DUMMY.


PRIMOS SUBDIRECTORIES
~~~~~~~~~~~~~~~~~~~~~

Primos has a large number of subdirectories, where system files are kept along
with other various information.   A lot of them are password protected, but
directories without protection can also be of great use.

To access a directory, from the primos prompt: (The prompt can be specified
for each individual systems, but most common ones are '>' for Dialcoms,
'Ok and ER!' for Primenetes.

 The following are but a few directories common to most Primos systems:

CATINF  - usually has no password protection. It's a master directory for
          information and help files. ie Typing INFO NAME will usually go
          to the directory and look up file NAME.  This is found on Dialcom
          systems. Primenets have the same directory, but often called
          INFO or HELP.

CATLIB  - This is a goodie.  This one contains the system files for commands
          etc.  With access to it, you can basically modify the routines to
          suit your needs.  Naturally it's protected.

SYSOVL  - This one again has usually no protection and I believe it contains
          the various codes for languages, ie PASCAL, FORTRAN etc as well as
          error codes.  It does contain a few interesting system files.

SAD     - A system directory.  I have only got into this one once on a
          primenet, but I never had enough time on it to find out what it
          was about gggrrr.

LOGIN   - Another protected directory, but I guess the name says it all.

WATCHDOG- This special directory is set up on most systems for security and
          diagnostic purposes. It allowes a user to monitor the systems which
          includes the actions of people etc.  Again, it's well protected.

There can be virtually hundereds directories, which don't actually belong to
to specific UFD's and they are worth investigating. Again use logical names
for each system.

The NETLINK facility found on Systems running PRIMOS, makes them very usefull.
Other systems may also have simmilar gateways, but the availibility of multiple
circuits is paradise.  There are several versions of NETLINK, but there are
sufficient help files on most systems to work out what's going on.

So far, a Primos system is the best I have found  for Sprinting NUA's,  if it
has a slack security.
The following is a sprinter which will run internally from primos.

-------------------------------------------------------------------------------

This program runs internaly on virtually all systems running the Primos OS.
ie DIALCOM SYSTEMS, PRIMENETS etc.    The Idea has been based on the original
concept by THUNDERBIRD 1, but with a few alterations and updates, to make the
process faster and safer.   The Success rate is about 99% and can use multiple
circuits (with a lower success rate).

THE BASIC PROGRAM
~~~~~~~~~~~~~~~~~

Ok, lets say you are in a primos system, here is what u do:

>BASIC   (Takes you into basic version something or other)

         (once in, you'll get the '*' Prompt and just type the following)



           IF THE VERSION OF BASIC DOES NOT SUPPORT FILE MANIPULATION,
           YOU WILL HAVE TO REPLACE ALL  'WRITE #1,' STATEMENTS WITH A
           PRINT STATEMENT, AND RUN IT MANUALLY. ie:

               - from primos:   COMO -N
                                COMO SOURCE
                                BASIC
                                LOAD PROGRAM
                                RUN
                                Q
                                COMO -E
                                COMO -T
                                ED CODE

           you then edit the code file and remove all the junk at the end and
           at the beginning of the file which had been saved as well.

That's basically the program.  Now for the explanation:

5   - Defines filename 'SOURCE' which is the source code for the sprinter.

8   - Stops all text sent by the Prime system from being sent to the video
      output, thus the computer can execute anything at it's maximum speed,
      without being slowed down with 1200/1200 baud.  setting COMO -N causes
      the sprinter to run at the computers maximum speed which I think is
      in excess of 9600 baud, since the storage speed still restricts the
      NETLINK execution which should be at around 56000 baud. (I could be
      wrong on this one.. I am assuming it, since a lot of networks run at
      56000 with only some at 9600 baud. Take your pick.  Since nothing is
      going to the video display, it means if you are connecting to lets say
      MINERVA via MIDAS, both MIDAS and MINERVA operators at the consoles,
      can't see what you are doing.  This doesn't mean that it's safe, but
      quite the opposite. If any user either online or at the console is in the
      Watchdog utility,  you will stick out like a sore thumb.

9   - Opens an output file, to which all the data from netlink is stored in.
      Since nothing is being displayed on the video displays, all the
      results are sent to the filename DATA which u later edit and retrieve
      the results of the sprint.

10  - Activates the NETLINK gateway.

15  - A loop to set the required sprint Range.

20  - Writes all NUA's in the required range into the source file.

25  - Sets Counter for A, which determines number of circuits to be used.

30  - Determines after how many circuits to disconnect.  I recomend you use
      at least 5 for the best accuracy. (Warrning: if x is set to a larger
      number, particularly at prime time, it will jam the system). If you
      wish to use multiple circuits at the one time, ie sprinting virtually
      10 or more NUA's at the one time, just set the value of x to around 10.
      I'll explain later on, how to run all at the one time, although you will
      loose accuracy.

35  - Sets Counter for B, which will give you the indication of progress.

40  - Will give indication of progress every 200 NUA's. Primos will display
      a message to your terminal although all I/O goes to the drives. It's
      a handy way of determining the progress.

55  - Completes the loop for X.

60  - Writes a D ALL at the end of the SOURCE file, to disconnect any
      connected circuits.

65  - Writes 'Q' to exit out of NETLINK

70  - Sends COMO -E to primos, which closes the DATA file.

75  - Sends COMO -T to primos, which cancels the COMO -N command.

80  - The END of program

100,110  A routine, to disconnect all circuits after a particular number
         of circuits is in use.

200,220  A routine to display an error message per every 200 NUA's sprinted,
         which will give you indication of progress. It disconncts all
         Circuits, quits NETLINK and RE-enters NETLINK.  Upon re-entry, a
         warning message is displayed.  It also clears the system if it gets
         jamed from all that connecting.

---------------------------------------------------------------------------
To start up the Sprinter you do the following:


                         save it)


>DO SOURCE         (rem: Execute line by line what is in the SOURCE file)

Now all that remains is to send  '@' <RETURN>  at regular intervals, since once
connected the primos can't disconnect itself. sending the @ is the tricky bit.
IT will determine the best accuracy and speed.  On a area such as TYMNET 310600
where there are a lot of NUA's it is better to send the @ at about 10 second
intervals. On the less populated areas, it's better to extend the time.  If you
send the @ <RETURN> at less than 10 second intervals, you will almost double
the speed, but half the accuracy.

PHANTOMS
--------

Primos has a similar system to the BATCH on VAX's etc. That is, it will execute
a program and run it, without the user having to be online. In primos, they
call it a PHANTOM. You can run the Sprinter as a phantom, thus you can have the
above program going for a few weeks and then login to collect your resulrs.
This one you will have to figure out for yourselves though. I don't think this
info should be freely available to all.

USING MULTIPLE CIRCUITS
~~~~~~~~~~~~~~~~~~~~~~~
There are basically two ways in which you can run a number of programs at the
one time. The first one, is to set value for x in the A counter to the maximum
the system will give you.  ie 10-20 depending on the number of users on the
system. Basically all you do, is send the @ <RETURN> about every 2 seconds,
and this is what happens. Netlink is instructed to connect to lets say:

@ C :0311030100341 -FCTY

Now before it has the chance to establish the connection, the @ <RETURN>
returns back to NETLINK.  and another command is sent from Primos, this time:

@ C :0311030100342 -FCTY

Now you have 2 circuits connected, since the @ RETURN alone doesn't disconnect
a circuit, but exits.   You do that one after another, and after no time, you
have 10 circuits working at the one time.  (this is usefull for areas where
the responce from remote host takes a long time)  After all the NUA's are
packed, you simply send a D ALL command which disconnects all circuits.
Those which came up with an error, will have allready disconnected, so only
the ones which give DISCONNECTED message have been connected. (if u can
follow that).  There are a few major problems.  This method runs very very fast
,but, if a system is BUSY, you miss it.  Also, you will get a false message for
the last NUA's before the D ALL command, which haven't had enough time to
connect.  Only way to prevent that, is to stick a few WAIT commands before the
D ALL command.  (just modify the basic program).   I personally don't like
using this method. The next one is a lot better, more dangerous, far more
accurate and doesn't tie you down while sprinting.
This is what you do:

When you login to minerva for example, go to Netlink straight away. From it,
just connect back to the Primos system you are in by typing the NUA.  ie from
Minerva type @ C :200000 -FCTY  to connect to itself. Now login again, under
the same account.  Now you set up your sprinter and let it go.  When
everything is running, you press @ <RETURN> which this time will bring you
back to the netlink you were in originally, while the sprinter is running in
the backround on circuit #1.  Ok, now you connect to the same system as before,
on circuit #2 and repeat the whole process, this time with a few changes:
In line #9 instead of  9 WRITE #1,"COMO DATA", simply type:
9  WRITE #1,"COMO DATA2"  if you continue on circuit #3 next time change the
file name to DATA3 etc, thus the individual programs will not overwrite
each other.  Also change line #5 in a simmilar fashion from SOURCE to SOURCE2,
SOURCE3 etc. The last thing to change is the way you activate the Sprinter.
Second or third time round, you can't type >DO SOURCE, because it would
destroy the previous source file.  Thus the first time you type:

>DO SOURCE     second time around type:
>DO2 SOURCE2   third:
>DO3 SOURCE3   etc

To Disconnect a particular connection in a loop just use the escape character
'@'.  Use '@@' to disconnect from the second leaving the first connected, '@@@'
from the third etc.

Lets say you did it 3 times and you are back in NETLINK. The sprinter is
running on circuits #1, #2, and #3  ( I wouldn't recomend more than 3, but
if there are no operators on duty, you can do as many as you like. The beauty
of this method is that you still have Circuit #4, #5 etc, to do what ever you
want to.  ie hack into systems, call your favourite BBS in the States etc.
The only problem we have is disconnecting, since as I said before, Primos
can't disconnect automatically with this program and pressing @ <RETURN>
will be picked up by the first netlink system you are going through. Well,
it's quite simple. every minute or so, since you are having fun on circuit #4,
connect to each of the circuits 1,2 and 3 by typing @ CONT 1 or CONT 2 etc.
when connected type  <ESC> @ <RETURN>  this will send the command on to the
system bypasing the initial netlink.  if that doesn't work, since I found on
some systems it don't, type  <ESC> <CTRL-P> <RETURN>  it should basically do
the same job.


EDITING THE RESULTS
~~~~~~~~~~~~~~~~~~~

After your sprints are finished, you are stuck with a very very large file
'DATA' with all the results and the prospect of d/loading it is not a very
pleasing one.  Well, simply do this:

>ED DATA     (go to Text Editor and load file DATA)

C/Conn/Conn/*      (will display all the NUA's which connected)
C/Bus/Bus/*        (will display all the NUA's which were busy)

If you were using multiple circuits, you must type:

C/Dis/Dis/*        (it will give u a list of all the disconnected circuits
                    which is the only way u can detect connections)


GENERAL HINTS
~~~~~~~~~~~~~

DO NOT GO CRAZY WITH THIS PROGRAM.....If you attempt something like 10000
NUA's at the one time. THe DATA file will get very very large and you may
end up giving the system a pain in the I/O.  Generally keep it down to
about 1000 or max 2000 at a time.  Believe me I know!! I tried doing the
TYMNET area in one go, and I brought the entire system down for 3 HRS, so
don't do it.  Another rather important note. Delete all trace of any files
after you have finished.  ie delete the program itself, the SOURCE file,
DATA file and the C_DO file, which is created on the execution of the DO SOURCE
command.

MOST IMPORTANT...BEFORE YOU START, CHECK THE DIRECTORY. IF THE USER HAS A
FILE CALLED    C_DO  ALREADY PRESENT, RENAME IT TO SOMETHING ELSE AND CHANGE
IT BACK TO C_DO AFTER YOU HAVE FINISHED AND DELETED ALL YOUR FILES.
To rename a file type:  >REN C_DO,NAME

If you know more about Primos, you can stick the program and all your files
into some neglected directory and subdirectory, which can be accessed from
any ID and just leave them there, to save you the effort on your next session.


Well, now you have the basic Idea of the COMO and DO command and some working
knowledge of the Basic prime use.   The possibilities are endless.  You can
modify the program to give you the user directory or hack passwords into
password protected subdirectories. One other thing, If you are not sure what
you are doing, or are on your last account, it's simply not worth the trouble.


-------------------------------------------------------------------------------

PRIMOS TROJANS
--------------

There are a number of ways to set up a few trojans inside Primos systems.
Last time I had a trojan running on minerva, It got around 100 accounts, but
I made a few mistakes, which I paid for dearly. Hopefully, you will not make
the same mistakes. FOR GODS SAKE, DON'T ALL RACE TO MINERVA AND SET UP WHAT
I AM ABOUT TO DESCRIBE, USE THIS ONLY ON OTHER PRIME SYSTEMS YOU HACK IN THE
FUTURE.  ie DIALCOMS, PRIMENETS etc, Since there is a limit with how much you
can get away with, in the one system.

The first place to start has a lot to do with SOCIAL ENGINEERING. You must
put yourself into the shoes of your victim. The trojan must be convincing
enough, for him not to suspect anything and for you to get his password without
him realising it.  It's also a good idea if the System Operators don't catch
on too quickly, and you should know how to combat the measures they are going
to take to fix it all up. There are far more sophisticated methods than what
I'm about to propose, but I am assuming that you only have a very low access
account to work with.

First of all, you will need an unused account. By that I mean a user who forgot
about his ID and doesn't use it, for if he was to use it in the middle of your
trojan, that would be it. A person who hasn't been on his account for a few
years will do great, and there are some of those around. If not, you can use
what are called GHOST Accounts. This are simply ID's that a system manager
has assigned to users in his UFD Directory when the users don't really
exist.  To find them, just try to attach to the next ID in the series, catalog
it's directory and if there are no files, or time/date labels are very old,
just change the password and claim the ID. Always try to aim for the 001
account, because they are just more convincing.   Next thing you will need,
is an account with Authority within the system, ie of a person who helps out
new users, or someone with the company that owns the system. Example of this
would be a OTCxxx Account on MINERVA, or BTGxxx on BT GOLD.  If you have
access to such an account, they are great, but they are not really neccassary.
Now that you have that you can start.

1 - Write a Program in Primos BASIC, to simulate the system login. It has to
    be an exac replica if it is to work proply.  When the user tries to login,
    it will save everything in a file.

2 - It would be too much work trying to actually set up something for the user
    to actually use, so at the login, just say that the system is not
    available. Ie down for updates and it will be up in a a few days. Simple
    as that.

3 - To automatically execute the basic program at login, we must create a file
    called C_ID which should just contain the following.

                 TY FILENAME   if you want the user to receive some additional
                               instructions before logging into the fake
                               system entry
                 BASIC
                 LOAD NEWS     where News is the name of the fake basic prog.
                 RUN

    Since all but the first are echoed to the screen, you can work them into
    some sort of an introduction, which aparently describes an alternate
    system option. ie:

            - Text from TY FILENAME  (the command not echoed)
            - Rest of the commands from C_ID file
            - More text from basic program.
            - Login.

    If you are fortunate to have a version of basic which is interactive
    with primos, well, you are laughing.

3 - The major problem, is getting the user to login under the ID where the
    trojan is waiting. For this, use your imagination.  Look at the system,
    the type of users it has and look at what it lacks. Then create it.
    The trick is to get it accross to the victim in a convincing way.

4 - Well what do you know, we have an unprotected Directory called CATINF
    which are unknown to virtually all regular users so, we are going to
    a create a new subdirectory called BUSINESS.  In the Subdirectory we place
    a file describing the new free business information Dbase and all about how
    to access it. We call the file NEWS.

5 - Next stage is to make sure that if there is a user directory, the victim
    does not decide to look into it, and see whether it's on the level.
    We locate the directory files.  It will probably be found in CATINF, with
    in some subdirectory. We should be familiar with the DIALCOM directory
    setup, so just edit the relavant files using the editor, and replace it.

6 - The last step is to inform the user and convince him, that it will be to
    his advantage to type INFO BUSINESS NEWS, which will re-call the file,
    which if worded nicelly, will compell our dear victim to login to the
    Trojan and see what he can get out of it.  You can do this by simply
    sending mail to the person. This is where the ID with authority comes in.
    If on Minerva for example a user receives the message from an OTC account,
    there will be little doubt in his mind as to the authentity, however people
    are quite stupid in a lot of ways, so if you just send it from any ole ID,
    ie, even the one with the trojan in it, it should also be effective.

To Login to the account, without you yourself being stuck in the works, just
plan ahead in the basic program, or there are other means hehe. (Again this
bit of info is not for public circulation, but if you read the files carefully
and with a bit of skill you'll figure it out.)


When I ran a trojan on minerva this is what I did.

Minerva had a habbit of running incredibly slow at prime time. This wasted a
lot of time and thus a lot of the user's money in on-line charges.  Well, I
came up with the idea of a pseudo system, which will speed up the execution
time of the system.  I wrote the fake login as a simple basic program and set
everything up on a unused ID.  I installed a file in catinf, describing the
features of the system etc, so that they would get all the info when they typed
>INFO ACCESS PSEUDO
I was lucky enough to have an OTC account.  Mr Curtis was Curtious enough hehe
to use his name as the password.
I promoted Mr Curtis to a Pseudo System Administrator and I sent a brief letter
to the victims telling them about it and to type >INFO ACCESS PSEUDO.    They
all thought they would save big bucks and came like flies to the honey. I just
logged in every few minutes and picked up their passwords.
Unfortunatelly I made some mistakes, so this is what you should watch out for:


- Choose your victims with care, the new users make the best targets.
- Don't go crazy and set up few thousand people at the one time. Just don't
  over do it.
- When the trojan is discovered, they can either do the following:
      1> Nothing since a scandal would effect business and just increase
         security to watch out for hackers.
      2> Leave the trojan going and have your arse when you call to pick up
         the passowrds, which they will probably change anyway.
      3> Send mail to all the users, informing them to change their passwords
         if they used the business system.
      4> Initiate a compulsory password change for all users
      5> Send a notice displayed at login to change the password if one used
         the trojan.

END
END