💾 Archived View for spam.works › mirrors › textfiles › hacking › vthack2.txt captured on 2023-06-14 at 16:58:56.

View Raw

More Information

-=-=-=-=-=-=-


					VT Hacker #2

					courtesy of 
				  The Mad Hermit

Well, there's some old news, so let's get it out of the way.  The Novice menu
stuff has changed slightly.  Options 8-12 are no longer active.  in addition,
poking around above there gives you a simple error message.

	With that taken care of, we move on to:

-------- COMMUNICATIONS NETWORK SERVICES --------

	There are ways to hack into this, but I'll do an overview of general
info for those neophytes out there.  CNS is running a ROLM phone system.  Rolm
created a telephone system a few years back, and IBM used it for voice messages
& the like.  It had bugs.  It had security holes the size of Wisconsin.  While
it lasted, phreakers had a free message and conferencing system that IBM could
do nothing about.  IBM ended up buying out Rolm, and the company survived long
enough to put out a beta version of the current Tech system at the University
of New York.

	Problems arose as the illustrious hackers there showed Rolm that gross
abuses of the system were possible.  They showed Rolm the hard way.
The Pick-Up function which isn't enabled on our system is capable of picking
up someone else's phone, if you know their extension number.  Devious people
were answering other people's calls and transferring them to Topeka and other
parts unknown.  If they were really cruel, they Parked them there.  As far as I
know, just about all bugs left are harmless (well, mostly harmless).  One thing
to note: whenever you call CNS, the phone you are calling from is displayed
immediately on a monitor in front of the operator.

	The data line has a different story.  Though a few bugs exist, they
aren't exploitable.  They merely irritate.  Expect them to disappear soon, as
the technical people at CNS are very helpful and know what to do in most
circumstances.  The "Call, Display, or Modify?" prompt is your ticket to fun
and weirdness.  Normal functions include tweaking your dataline's parameters
and speed, displaying commonly used services, and calling these services by
typing:
	C VTLAN (or whatever name you want)

	Recently, a hack was discovered at this prompt.  All numbers that you
called from here went like this:  #XXXX, where # is the start number, and XXXX
is the four-digit extension.  Here is a list of current start numbers:

	
	1 - On Campus (not hooked up yet.  Will replace 961-XXXX)
	2 - On Campus (normal dataphones)
	3 - Long Distance
	4 - Special
	9 - Off Campus Local

	The 4XXXX numbers are basically for CNS use, and for special mainframe
connections.  If you call VTCOSY, for example, you get a message stating that
you are calling VTCOSY, and what modem number.  These modem numbers can be
dialed directly, leading to some interesting discoveries.   Scanning these
numbers without a program can be very time consuming, especially when you hit
several numbers that all connect to the same mainframe.  In addition, every "No
Answer" takes one minute to do, because the Net waits that long before telling
you it hasn't connected.  Below, "Dead End" means that a connection was made,
but no keypresses have any effect.

	40000-40049	Not A Dataline.
	40050-40052	Not Accessible
	40053-40055	Originate Only
	40056-40057	Group Closed
	40058-40059	No Answer
	40060-40061	Originate Only
?	40062		Node Router (see below)
	40063		Dead End
	40064-40068	No Answer
	40069-40071	Not A Dataline
	40072		Not Accessible
	40073-40089	Not A Dataline
?	40090-40093	VTLS
	40094		No Answer
	40095-40098	Connection Failed
	40099		No Answer

	40100		Not A Dataline
	40101		No Answer
	40102-40104	Dead End
	40105-40113	No Answer
?	40114		CoSy Maintenance Port (00)
	40115-40120	No Answer
	40121-40132	Not A Dataline
	40133-40134	No Answer
	40135-40136	Even Parity lines (????)
	40137-40141	No Answer
	40142-40150	Not A Dataline
	40151		No Answer
	40152-40168	Not A Dataline
	40169		Dead End
	40170-40199	Not A Dataline
	
	40200-40220	Originate Only
	40221-40243	Not A Dataline
	40244-40263	Originate Only
	40264-40276	Not Accessible
?	40277		64000 BAUD !!!
	40278-40281	Characteristics Mismatch
	40282		Not A Dataline
?	40283		64000 BAUD !!!
	40284		Originate Only
	40285-40299	No Answer

?	40300-40306	VTVMS
	40307		Not Functional
?	40308-40323	CoSy (02-17)
	40324-40339	Busy
	40340-40363	Not A Dataline
	40364		No Answer
	40365-40399	Not Accessible

	40400-40403	Not Accessible
?	40404-40433	VTVM1
	40434-40435	Not Functional
?	40436-40457	VTVM2
	40458-40459	Not Functional
?	40460-40499	VTLAN

?	40500-40506	VTLAN
	40507		Dead End
?	40508-40539	VTCC1
	40540-40551	Originate Only
?	40552-40559	"Request:" (VTDSW)

	40560		Connection Failed
?	40561-40567	"Request:" (VTDSW)
	40568-40569	Not A Dataline

	40570-40573	1200 BAUD lines
	40574		Not A Dataline
	40575		Busy
	40576-40578	Dead End
	40579		Busy

	40580		No Answer
	40581-40592	Originate Only
?	40593-40599	VM/XA VT

?	40600-40624	VM/XA VT
	40625-40699	Not A Dataline

	40700-40799 Not A Dataline

	40800-40899	Not A Dataline

	40900-40999 Not A Dataline

Note that these numbers can also be dialed on the voice line. Who knows WHAT
you'll find...

You might notice that there are only 1,000 numbers of 10,000 represented.
If you find anything else above there, let me know.  Finally, there are a
couple of ways to mess up your trail if you're paranoid or just like feeling
secure.  Call VTLAN, and then CALL 9000.  This brings you back to the Net,
through a short loop.  If you really want things messed up, call 9-232-2020.
This calls off-campus, then calls the link for getting back on the Net.
Enjoy!

The Node Router appears to be a CNS computer.  The prompt is "Node[20] Enter
Destination:" and there are 64 numbers you can type in.  Some have passwords,
some are dead ends, and others connect to other locations in the Net.

Here's a list:

	Passworded nodes:	0,32,50
	Dead Ends:			3,4,22,28,33
	Calls the Net back:	34
	"Request:" prompt:	15
	VTLAN:				1
	Net/One:			27

The Net/One prompt is the most interesting thing found yet.  It's just about
the only friendly interface ever located in CNS's part of the Net.  You get to
look at various nodes in the Net, and make connections between lines.
Don't get your hopes up, though.  My sources have only found one open link,
but in order to figure out what it could do, they ended up closing it.

Here's a list of the commands you get on the 'help' screen:

The Net/One commands are:
    CONNECT Resource Name<CR>
    GET Resource Name<CR>
    LIST<CR>
    RESUME Connection Number<CR>
    ABANDON Connection Number<CR>
    EXAMINE Resource Name<CR>
    IDENTIFY Node ID<CR>
    SET DISCONNECT /New Disconnect Sequence/<CR>
    SET HOLD /New Hold Sequence/<CR>
    SET ECHO ON<CR> or OFF<CR>
    SET LINEFEEDS ON or OFF[ FOR ECHOES or INPUT or OUTPUT]<CR>
    SET BINARY ON<CR> or OFF<CR>
    SET FLOW NONE/CHARS/ENQ-ACK/SIGS/CTS-RTS/DSR-DTR/XON-XOFF[ NIU/DEVICE]<CR>
    LOGOUT<CR>
    QUIT<CR>

'Get' requests a particular line, 'Connect' opens it for use, and 'Resume'
allows you to use it.  The last command also seems to lock up the terminal...

When you 'List', you get something like this:

  You are using port 4 of Net/One NIU-180 number 57106A, on network number 1.
  Port 4's name is "57106A4".  NIU 57106A's name is "acc30".

  Connection 1 is unused.

  Your Hold Sequence is: --none--
  Your Disconnect Sequence is: <FS>OFF

  The Net/One command editing keys are:
      Cancel whole line: <DEL> or ^<BS>   Delete last character: <BS> or ^h
      Delete last word:  <CAN> or ^x      Complete current word: <SP>
      Repeat last line:  <SOH> or ^a

  ECHO mode is turned OFF.
  Automatic insertion of linefeeds after carriage returns is turned OFF.

Recently (as of 10/19/88), the number 40062 has gone out of service due to use
by certain individuals (heh heh heh).  There is another way of getting to it,
which will be detailed in the forthcoming VT Hacker #3.  The above data was
gathered using a script file for Red Ryder.  Don't try to comprehend what it
does.  It works.  The Net kicks you off after five unsuccessful attempts at
connection, making this simple incremental scanner procedure slow, and painful.
A scanner for LocalNet is in the works, and will definitely be faster due to
the unlimited tries LocalNet allows you.  We're looking for 20+ tries per
minute, but in the meantime, here's the CNS-CBX scanner:

COPYINTO ~8,ENTER NUMBER TO START AT
(GET1)
QUERY1 ~1
EMPTY ~1
IF YES JUMPTO (GET1)
LET EQUAL `1,~1
LET EQUAL `3,`1
COPYINTO ~8,ENTER LENGTH OF SEARCH
(GET2)
QUERY1 ~2
EMPTY ~2
IF YES JUMPTO (GET2)
LET EQUAL `2,~2
ADD `3,`2
COPYINTO ~3,`3
SUBTRACT `1,1
(NEXT)
ADD `1,1
TEST `1=~3
IF YES JUMPTO (QUIT)
TYPE C 
TYPE `1
TYPE ^M
ALERT1 THIS DATALINE/JUMPTO (NNUM)
ALERT2 NOT A DATALINE/JUMPTO (NNUM)
ALERT3 BUSY/JUMPTO (BUSY)
PANICAFTER 10
PROMPT CONNECTED
PAUSE
BELL
BELL
JUMPTO (QUIT)
(BUSY)
BELL
(NNUM)
ONPANIC JUMPTO (QUIT)
PANICAFTER 10
ALERT1 DISCONNECTED/JUMPTO (HOLD)
TYPE ^M
PROMPT MODIFY?
PAUSE
JUMPTO (NEXT)
(HOLD)
PAUSE
PAUSE
PAUSE
ONPANIC JUMPTO (QUIT)
PANICAFTER 10
TYPE ^M
PROMPT MODIFY?
PAUSE
JUMPTO (NEXT)
(QUIT)
END

Downloaded From P-80 Systems 304-744-2253