
                       -----------------------------
                 =========================================
                            The Reign of Terror
                                    RoT
                                 guide to
                       
                       HACKING THE GANDALF STARMASTER
                   (also known as PACX or Access Server)
                                written by
                        >>>>>>   Deicide   <<<<<<
                                 05/22/93
                 =========================================
                       -----------------------------
INTRODUCTION
------------
    This entire t-phile is based on my knowledge and experience alone, since
I do not have access to the manuals for this system, and I have never seen
another phile on this subject before. Because of this there may be mistakes or
flaws, and I apologize for this, but it will give you a very good idea of how
to go about hacking and exploring this wonderful system.
    I used to believe that the PACX and Starmaster were completely different
systems, but I now think otherwise. The reason being the EXACT same 'defaults'
work on both systems, and the setup is entirely the same. So until I find
out otherwise, I consider the PACX & Starmaster (also known as the Gandalf
Access Server) to be one and the same.
    First off, the Gandalf systems, which also include XMUX/KMUX, are made by
Gandalf Technologies Inc., and in Canada produced by Gandalf of Canada Ltd.
    The XMUX & Starmaster systems are closely intertwined, as you'll see
later. As always, the defaults listed will not always work; you'll have to
actually do some hacking if they don't.

DIALIN PASSWORD
---------------
    The first security feature you may find on a Starmaster is the dialin
password. This is rarely used, but is a feature you should know about.
    You may see a herald first, then to a prompt like:
            DIALIN PASSWORD?     
    If the password you enter is incorrect, you will get the message:
            INVALID RESPONSE 
and you will be back to the prompt.        
    You will usually get 3 attempts, but it can be anywhere from one to 10.
    As far as I know, there are no reasonable limits to the length of this
password.
    The things to try first are:
      GANDALF PACX STARMASTER ACCESS SERVER 2000 NET NETWORK PASSWORD DIALIN
    If they don't work, try the node name. It will be explained later how it
is (sometimes) possible to get the node name externally.
    And if that does not work, or it is unattainable, then it is back to
brute forcing.

USER INTERFACE
--------------
    Occasionally, instead of going to the server, you will face what I termed
the 'User Interface'. Don't ask why; I suppose it is because it is individual
oriented first, instead of the server.
    You will occasionally get a header, sometimes with your subscriber name,
then the prompt:  USERNAME?
    I'm not sure of the size restrictions, but I believe the maximum is
between 8-12 characters, and the minimum is possibly 4 characters.
    The usernames will often be the user's first name, sometimes followed by a
character (usually 1, in the case of multiple users with the same first
name). Depending on the sysadmin, it could be last names as well.
    The defaults to try are:
        TEST TESTUSER GANDALF GUEST SYSTEM
There may well be others, such as MAINT or SYSMAINT, but I have never found
any other non-person username.
    It will tell you if the username is wrong, again with the INVALID 
RESPONSE, so it shouldn't be too difficult to figure a name out. Frequently
(but not on the defaults) there will be no passwords used. If a password 
exists, you'll have to resort to brute force.
    You will, again, receive between 1 to 10 attempts at the username, usually
only three.

SERVER INTRODUCTION
-------------------
    The server, in my opinion, is the essential part of the Starmaster system.
Although console may be considered the backbone of the Starmaster, access to 
the server is what you need to have, and what you need to get to all the 
wonderful services you may find on a Starmaster.
    You should pop right into the server upon connect, and after bypassing the
dialin password if it exists.
    Often you will receive some type of herald telling the node, city or 
system type before the prompt.
    The prompt for the server varies from system to system, but it will 
usually resemble one of the following: 
        SERVICE?
        Enter service:
        service:
        class:
        Enter class:
Etc. It can be whatever the operator desires it to be, even nothing at all!
Sometimes you will even receive a menu. It will NOT list all the options, to
be sure; console will almost certainly not be on there. But it still must
exist, even if it is not allowed. If it asks for numbers, typing CONSOLE
(or any other mnemonic they may have) will still bring you to the console or
show you an error message.
    So, with all this diversity, you may be wondering how to find out for sure
whether it is a Starmaster or just another server! Just enter random garbage,
and you will receive a message, which is usually INVALID RESPONSE, but will
occasionally be something to the effect of SERVICE UNATTAINABLE, or the like.
Always in capitals. But to be sure, enter CONSOLE. If it brings you to a
prompt asking for a username, or says "SERVICE ACCESS NOT ALLOWED", then you
have found yourself a Starmaster/PACX system.

SERVER COMMANDS
---------------
    Like with every server, you need to know where to go from the prompt.
As you may or may not know, Gandalf Starmasters are famous for their PADs &
ODs, many of which are left unprotected. This is only the beginning.
    First off, the motherlode: CONSOLE. This is the command to access the
console of a PACX/Starmaster, which, if you can hack into it, is the equivalent
of root on a Unix, plus more, much more. I will go a bit more into the console
later on, but be aware that like root on a Unix, console MUST exist. It is
what sets up, controls, and performs maintenance on the Starmaster. But,
unfortunately, there is a setting in the console that can give/take away access
to the console from remote. So, if the operator knows he will never be using
the console options from away from home/business, he will probably remove
remote access, leaving you stranded. This will be covered a bit more later on.
    Now for the other possible network connections. First names are common,
and usually unpassworded, but they frequently turn up nothing. Other than the
default list I'll provide below, try things such as single characters, or
3 character abbreviations. Also, try anything the header (if there is one)
might display. Here is a list of commonly found links:
       X25 X28 PAD X25PAD X28PAD DIAL DIALOUT OUTDIAL MODEM MODEM1 SERVER 
       SPRINTNET HP3000 UNIX VAX SYSTEM NETWORK NET MENU HELP INFO TYMNET 
       DATAPAC TELNET INTERNET MAIL SERVER XMUX XCON GATEWAY HOST X.25
       X.28 HP CPU
Etc, etc. Any other possible links you can think of may or may not apply.
In fact, some systems are kind enough to provide a command that will give you
a menu of all the possible connections!
    Unfortunately, passwords may exist on all or some of the services, but
surprisingly, they rarely do. PADs/ODs will frequently have passwords, but I
can testify to the opposite on a number of occasions. It is worth a try, trust
me. If passworded, the same 1-10 attempt rule applies, and you will usually
have to resort to brute force (unless you have console access..hehe) if
combinations of the service name do not work.

CONSOLE
-------
    To gain access to the console should be your prime directive. It will put
the system entirely at your mercy, as all other security barriers fall when 
you successfully penetrate the console.
    First off, you will get a system herald plus a user name prompt, like 
this:
        GANDALF TECHNOLOGIES INCORPORATED, COPYRIGHT 1990
        OPERATOR NAME? 
    The real operator of this system should keep this protected at all cost,
thus making it difficult for you. But sometimes they do not. As a default, try
these:
        SYSTEM   GANDALF   TEST
    The usernames are 1-8 characters long. You will have 1 to 10 tries at the
username or password before being cleared from the circuit. Again, it does
tell you if the username exists.
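    As an added defender-side example (not part of this phile), here is a Python
pass over a captured dial-in line transcript that flags the patterns the sections
above describe: the guide's default words tried at the DIALIN PASSWORD?, USERNAME?
and OPERATOR NAME? prompts, a run of INVALID RESPONSE replies at one prompt,
CONSOLE being requested from the service prompt, and the console login prompt
being reachable over the dial-in line at all. The prompt strings, the
("rx"|"tx", text) transcript format and the sample session are constructed
assumptions, not anything taken from a real Starmaster.

```python
# Prompt and reply strings this guide reports seeing on a Starmaster/PACX line.
# Constructed for this example; real installations vary the exact wording.
CREDENTIAL_PROMPTS = ("DIALIN PASSWORD?", "USERNAME?", "OPERATOR NAME?")
SERVICE_PROMPTS = ("SERVICE?", "ENTER SERVICE:", "SERVICE:", "CLASS:", "ENTER CLASS:")
REJECTIONS = ("INVALID RESPONSE", "SERVICE UNATTAINABLE", "SERVICE ACCESS NOT ALLOWED")
# Vendor and system words the guide lists as the first things people try.
WELL_KNOWN_DEFAULTS = {"GANDALF", "PACX", "STARMASTER", "ACCESS", "SERVER", "2000", "NET",
                       "NETWORK", "PASSWORD", "DIALIN", "TEST", "TESTUSER", "GUEST", "SYSTEM"}

def analyze_session(transcript, max_rejections=3):
    """Walk a captured dial-in transcript, a list of ("rx"|"tx", text) pairs as seen
    from the line side, and return the findings a port reviewer would raise."""
    findings = []
    last_prompt = None   # most recent prompt the box sent
    rejections = 0       # rejections seen at that prompt
    for direction, text in transcript:
        line = text.strip().upper()
        if direction == "rx":
            if line.startswith(CREDENTIAL_PROMPTS) or line in SERVICE_PROMPTS:
                if line != last_prompt:
                    rejections = 0
                last_prompt = line
                if line.startswith("OPERATOR NAME?"):
                    findings.append("console login prompt reachable on the dial-in line")
            elif line.startswith(REJECTIONS):
                rejections += 1
                if rejections == max_rejections:
                    findings.append(f"{max_rejections} rejections at {last_prompt}")
        elif direction == "tx" and last_prompt:
            if last_prompt.startswith(CREDENTIAL_PROMPTS) and line in WELL_KNOWN_DEFAULTS:
                findings.append(f"default value {line} tried at {last_prompt}")
            if last_prompt in SERVICE_PROMPTS and line == "CONSOLE":
                findings.append("CONSOLE requested from the service prompt")
    return findings

# Constructed sample: three default guesses rejected at the dial-in password (the
# operator allowed more than 3 tries), a fourth accepted, then CONSOLE requested.
SAMPLE_SESSION = [
    ("rx", "DIALIN PASSWORD?"), ("tx", "gandalf"), ("rx", "INVALID RESPONSE"),
    ("rx", "DIALIN PASSWORD?"), ("tx", "pacx"), ("rx", "INVALID RESPONSE"),
    ("rx", "DIALIN PASSWORD?"), ("tx", "starmaster"), ("rx", "INVALID RESPONSE"),
    ("rx", "DIALIN PASSWORD?"), ("tx", "ottawa1"),
    ("rx", "SERVICE?"), ("tx", "CONSOLE"),
    ("rx", "GANDALF TECHNOLOGIES INCORPORATED, COPYRIGHT 1990"),
    ("rx", "OPERATOR NAME?"), ("tx", "SYSTEM"), ("rx", "INVALID RESPONSE"),
]

if __name__ == "__main__":
    for finding in analyze_session(SAMPLE_SESSION):
        print(finding)
```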
    Once in, it will first ask you which system type you would like. 
Usually it would be option 1, for VT100.
    After that, it will bring you to the primary menu. 
    I am NOT going to go step by step through the entire console, as it is
menu-driven and easy to understand. The options are laid out in plain English,
and it will not be hard to find what you want.
    But, I will help a bit.
    First, to scroll through the fields, <TAB> moves
you forward, <BACKSPACE> moves you back, and <SPACEBAR> toggles options in a 
field.
    The one thing you should look at is the SERVICE option(DISPLAY then 
SERVICE for displaying the services, or DEFINE then SERVICE for modifying 
them). It will give a list of all the services available, and if you look 
closer it will show the password if applicable. If you still can't access a
service after you've verified it, make sure the setting NETWORK ACCESS 
PRIVILEGE is set to YES. If not, you won't be able to access it. If it is at
NO, simply change it to YES with the main menu option DEFINE.
    I have _almost_ found a way to set up my own PADs from the console, but
the connect string is setting me back. I have verified this on two completely
separate Starmaster consoles, so there is no disputing the feasibility of
the following, but I still don't know how to get the connect string to
function. If you can, then you have a virtually unlimited supply of PADs.
    First, display the services. Look for some kind of Gateway service, such
as XGATE0, GATE0, GATEWAY1, etc. Write one down.
If for some reason a gateway does not exist, make your own. Define a
service, picking whatever name you desire between 1 and 8 characters,
something such as the ones I mentioned above.
In the first field, toggle with the spacebar until you see GATEWAY. Hit <CR>
and move on. The other field you'll have to define is subscriber assignment.
If it is already at FIRST AVAILABLE, just hit <CR> and you are done. If not, 
toggle until it is.
    Next, define a service. This can be whatever you'd like as long as it 
doesn't already exist and you keep it 1 to 8 characters.
    In the first field, toggle with the spacebar until you come to VIRTUAL.
Hit <CR> and move on to the next field.
    For the next field, gateway service, enter the gateway service that you
wrote down previously or created.
    Leave the next field(service/profile) blank.
    The password field is up to you.
    Have the wait list enabled, and the ready prompt on leaving wait list as
well.
    Do not have service idle timeout.
    MAKE SURE Network Access Privilege is set to YES.
    Have third party privilege at no.
    Screen refresh - no.
    Hit enter through the next fields until you reach the CONNECTION STRING
field. This is the wall I'm facing. I know from exploring the internals
that the correct string is this:  ~v(x.28)   BUT, it will not accept it. This
I don't understand, but possibly you will be able to figure it out; it is the
only thing you need before your very own PAD is set up.

CONCLUSION
----------
    I hope you enjoyed that, and if there is an error, please contact me;
remember, I had nothing to go on but my experience, but nonetheless I hope I
helped you out a bit...for comments/suggestions/chat/etc you can contact me at
my board, or any of the other RoT sites, listed below..
later on...
    Deicide   -  RoT H/P Coordinator
                 CCi H/P Moderator
                 Sysop: AEC Private

RoT SITES
---------
    AEC Private           -  WHQ          -  (604) 858-1983
    The Cellar            -  USHQ         -  (401) XXX-XXXX
    Million Dollar Saloon -  Member Site  -  (817) XXX-XXXX
    Psychic Link          -  Member Site  -  (818) XXX-XXXX
    Kung Fu Theatre       -  Member Site  -  (401) XXX-XXXX
    Northern Lights       -  Member Site  -  (909) XXX-XXXX
    Liquid Euphoria       -  Dist Site    -  (914) XXX-XXXX
    The Phactory          -  Dist Site    -  (313) XXX-XXXX
    The Web               -  Dist Site    -  (203) XXX-XXXX