The REAL way to hack RemoteAccess

             Why the "Fun with RA boards" hacking method is LAME!
                  (The REAL way to hack RemoteAccess)

                       Knocked up by ByTe RyDeR of the
                           FundeMäNTAL CoNNeCtiON

                         "Saving the Brain Forest"

Well dewdz, ya seen the text file about hacking RemoteAccess and you reckon
you can crack that H/P or warez RA board for mega ratios? Get Real!

RA *CAN* be hacked, but only in the same way as any other BBS sox... no
sysop reading that file will have shat themselves. Here's why not:

Basically the technique outlined involved you writing a trojan and
disguising it as some program the sysop is really gagging for, in the hope
that he'll run it on his system. Wot it'll really do is copy his USERS.BBS
onto the filebase so you can call back later and d/l it... neat idea, and
one that in *theory* will work with most BBS sox (most are EVEN easier as
they don't encrypt the users file like RA does) but their execution of it

Firstly, their compiled batch file relied on the sysop running RA off the
C: drive from the directory \RA... Yeah, maybe some lame PD board they
hang out on is like that, but most sysops I know run multiple drives and
many have more complex directory structures...
                                                     Lame Hacker 0 - Sysop 1

Okay... letz assume they got on some lame fucking board and the users file
*is* C:\RA\USERS.BBS - next step is to copy the file into the filebase and
make it d/lable. How do they do that? (patronising Dez Lymon voice) <g>.

Their idea was to copy the file into D:\FILES\UPLOAD... Yeah sure,
EVERY board uses the D: drive for the filebase and happens to have a file
area in \FILES\UPLOAD - NOT!!!!!!
                                                     Lame Hacker 0 - Sysop 2

Right, so they got better odds than winning the national fucking lottery and
all the above worked (yeah man, we're dreamin', but let's give 'em a
What next? The file has to be d/lable... you found a sysop that makes
UNCHECKED & UNSCANNED files available for download? Fuck off! Get a
                                                     Lame Hacker 0 - Sysop 3

So... okay... we got a sysop that's so fucking lame he doesn't deserve to
breathe the same air as the rest of the human race, uses all the above
paths and makes unchecked uploads d/lable. RA by default won't allow
files to be d/led UNLESS they're in the file database. Unless the
destination file ALREADY EXISTED in that area and was previously in the
area database, there's NO WAY you can d/l it.

The way they "solved" this was to add an entry to FILES.BBS in the file
area, which is NOT the file DATABASE. Unless you happen to be lucky enough
that the sysop does an import from FILES.BBS into the REAL file database
before checking out your planted file (most RA sysops only import from
FILES.BBS when adding), the addition of this entry will do FUCK ALL!
                                                     Lame Hacker 0 - Sysop 4

To quote from the author: "This is a generic program and you will have to
tailor it so it will meet your needs." - yeah man, a fucking rethink and
rewrite is more like it!

Oh yeah... EVEN IF YOU DO get a copy of the USERS.BBS file downloaded, THE
PASSWORDS ARE ENCRYPTED!!!
                                                     Lame Hacker :( -

So how can U hack RA? Well, the idea was okay but, like hacking any other
system, you gotta KNOW the system ya gonna hack b4 U stand a chance.

Most sysops will use the DOS environment variable RA, set to the RA system
directory, so that external doors can find the system files... that's
helpful of the sysop, showing us where we can find his config files. <g>

In the RA system directory should be the file CONFIG.RA. You might want to
include a check for this file within your program, and possibly do a disk
and directory scan for the file if RA isn't defined or is set wrongly.

I'm not *entirely* sure about other versions of RA, but in the current
release (2.02) the CONFIG.RA offset &h3E4 is where the name of the mail
directory starts. This is the path where USERS.BBS will be found.

Next you need to know for SURE the name of a directory which stores the
files for a filearea from which you are able to download. I suggest you do
this in one of three ways:

1) Interrogate the file FILES.RA in the RA system directory, which holds
   the filebase area configs. You *could* just search the directory for a
   valid path, but you wouldn't know if you had d/l access to the area.

2) If you want to be a bit more clever you could interpret the file and
   find out the minimum security level required to d/l from each area, then
   dump your copy of USERS.BBS in the area with the lowest access level,
   pretty much guaranteeing that you'll be able to get to the file. This
   doesn't take security flags into account so there's still a SLIM
   possibility you won't be able to d/l the file unless you also write flag
   testing into your program.

3) My favourite technique is to have the program read a small config file
   which is uploaded with your archive. This file just contains the name
   of a file you KNOW you have d/l access to. You can then either do a
   global search for that filename or, preferably (coz it's faster), read
   FILES.RA for the paths used by the filebase and search those.

So now you have the location of the USERS.BBS and the destination directory;
you simply need to copy the file. However, even though the file is now
in a filebase directory it STILL isn't available for d/l... why? Because
it's not in the filearea database.

You could get clever and amend the filearea database files directly: get
the fileareas path from CONFIG.RA (offset &hC12) and write to
HDR\FDB#####.HDR (header), IDX\FDB#####.IDX (index) and, if you want to add
a description, TXT\FDB#####.TXT, where ##### is the RA file area number.

There *is* an easier way. Shell out to DOS and execute the RAFILE utility
from the RA program path, passing the arguments "ADOPT filename #####".

E.g. the BASIC command would be:

               SHELL "RAFILE ADOPT " + filename$ + STR$(areanum)

where filename$ contains the name of your USERS.BBS copy and areanum is the
RA filearea number (STR$ puts a leading space before a positive number, so
the two arguments come out separated). If your filename was USERTEST.ZIP
and you'd copied it to the directory used for RA file area 10, you'd be
executing:

               RAFILE ADOPT USERTEST.ZIP 10

This will "adopt" the file, adding it to the RA file database and making it
available for d/l (assuming you have the appropriate rights to the area).

All you need to do now is to package this trojan file to entice the sysop
into running it... In the LAME method for hacking RA the author used DSZ
as an example. That was about the most realistic part of the file and the
only bit worth leeching! <g>

Your archive:
                DSZ.EXE (your program)
                DSZ.DAT (the *real* DSZ.EXE)
                DSZ.CFG (small file containing the name of a *known*
                         d/lable file - preferably encrypted)
                + any other files that normally come with DSZ

Flow diagram for DSZ.EXE trojan:

      Start
        |
      Read environment variable RA
        |
      Does CONFIG.RA exist in that path?
        |-- No --> Scan drives & paths, search for the file --+
        |                                                     |
       Yes <--------------------------------------------------+
        |
      Read CONFIG.RA to get location of USERS.BBS
        |
      Read DSZ.CFG to get a filename
        |
      Read FILES.RA to get the name of the next filearea <----+
        |                                                     |
      Does that area contain the file?                        |
        |-- No ----------------------------------------------->+
       Yes
        |
      Copy USERS.BBS to the filearea directory
        |
      Run RAFILE with ADOPT to update the RA database
        |
      Delete DSZ.EXE and DSZ.CFG
        |
      Rename DSZ.DAT to DSZ.EXE
        |
      Stop!

Once you've uploaded the file, preferably using a pseudonym, post the sysop
a message telling him how c00l your upload is. Wait a day or so and dial
back. Do a filename search using the name you decided to use for your copy
of USERS.BBS and d/l it.
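The flip side for the sysop: the planted copy has exactly the same bytes as the live USERS.BBS, whatever it has been renamed to, so a periodic content check over the download areas catches it. This is an added example written from the defender's side, not code from the original text; the directory layout, file contents and area paths are constructed for the demo (a real run would take the mail directory and file-area paths from the sysop's own CONFIG.RA and FILES.RA).

```python
import hashlib
import os
import tempfile
import zipfile


def _digest(data):
    return hashlib.sha256(data).hexdigest()


def find_planted_copies(users_bbs_path, file_area_dirs):
    """Return sorted (path, zip_member_or_None) pairs for every file under
    the file-area directories whose bytes equal the live USERS.BBS, whether
    it sits there as a raw (possibly renamed) file or inside a ZIP archive."""
    with open(users_bbs_path, "rb") as fh:
        target = _digest(fh.read())
    hits = []
    for area in file_area_dirs:
        for root, _dirs, names in os.walk(area):
            for name in names:
                path = os.path.join(root, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                if _digest(data) == target:
                    hits.append((path, None))          # raw copy under any name
                elif zipfile.is_zipfile(path):
                    with zipfile.ZipFile(path) as zf:  # copy hidden in an archive
                        for info in zf.infolist():
                            if not info.is_dir() and _digest(zf.read(info)) == target:
                                hits.append((path, info.filename))
    return sorted(hits)


def demo():
    """Build a constructed RA-like layout in a temp dir and run the check."""
    base = tempfile.mkdtemp()
    mail, area10, area11 = (os.path.join(base, p) for p in ("MAIL", "FILES/AREA10", "FILES/AREA11"))
    for d in (mail, area10, area11):
        os.makedirs(d)
    fake_users = b"CONSTRUCTED-USERS.BBS-SAMPLE\x00" * 16  # stands in for the real file
    with open(os.path.join(mail, "USERS.BBS"), "wb") as fh:
        fh.write(fake_users)
    with open(os.path.join(area10, "USERTEST.ZIP"), "wb") as fh:  # raw copy, renamed
        fh.write(fake_users)
    with open(os.path.join(area10, "README.TXT"), "wb") as fh:    # innocent upload
        fh.write(b"harmless upload\n")
    with zipfile.ZipFile(os.path.join(area11, "UTIL.ZIP"), "w") as zf:  # copy inside an archive
        zf.writestr("USERS.BBS", fake_users)
    hits = find_planted_copies(os.path.join(mail, "USERS.BBS"), [area10, area11])
    return [(os.path.basename(path), member) for path, member in hits]
```

Run it after each batch of uploads is checked; an exact match on the live users file in a download area is never a legitimate upload.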

The next step, now you have the USERS.BBS file, is to crack the passwords.
I only know of ONE crack program out there which has the RA password
encryption algorithm, a program based on the popular Unix CRACKERJACK
program, called RA-CRACK. This simply takes a given word, encrypts it, and
compares it to the USERS.BBS file to find a user with a matching encrypted
password.

RA-CRACK takes its source words from a text file, so it would be possible
to either:

 a)    Use a TXT dictionary file as the source. All passwords that are
       normal words will be found. This method will usually find about 90%
       of the user passwords.

 b)    Write a "brute force" cracker using a small routine that "counts"
       through valid ASCII character combinations from "!" (ASCII 33) up to
       a string of 25 (max length of an RA password) characters of ASCII
       255, passing these via a text file to RA-CRACK. This SHOULD be
       _100%_ successful, but SLOW!
