A Novice's Guide To Hacking
This file is an addendum to "A Novice's Guide To Hacking" written by "The
Mentor". The word "hacking" is here used the way the non-hacking public
thinks it is used, to mean breaking into somebody else's computer. Its
purpose is to expand and clarify the information about the TOPS-20 operating
system, which runs on DECsystem-20 mainframes. The Mentor basically lumped
this system in with TOPS-10 and didn't note important differences between the
two. I will here reproduce in full what The Mentor had to say about TOPS-10
and about VMS, which are the parent and the offspring of TOPS-20.

VMS-         The VAX computer is made by Digital Equipment Corporation (DEC),
             and runs the VMS (Virtual Memory System) operating system.
             VMS is characterized by the 'Username:' prompt. It will not tell
             you if you've entered a valid username or not, and will disconnect
             you after three bad login attempts. It also keeps track of all
             failed login attempts and informs the owner of the account next
             time s/he logs in how many bad login attempts were made on the
             account. It is one of the most secure operating systems around
             from the outside, but once you're in there are many things that
             you can do to circumvent system security. The VAX also has the
             best set of help files in the world. Just type HELP and read to
             your heart's content.
             Common Accounts/Defaults: [username: password [[,password]] ]
             SYSTEM:     OPERATOR or MANAGER or SYSTEM or SYSLIB
             OPERATOR:   OPERATOR
             SYSTEST:    UETP
             SYSMAINT:   SYSMAINT or SERVICE or DIGITAL
             FIELD:      FIELD or SERVICE
             GUEST:      GUEST or unpassworded
             DEMO:       DEMO or unpassworded
             DECNET:     DECNET


DEC-10-      An earlier line of DEC computer equipment, running the TOPS-10
             operating system. These machines are recognized by their '.'
             prompt. The DEC-10/20 series are remarkably hacker-friendly,
             allowing you to enter several important commands without ever
             logging into the system. Accounts are in the format [xxx,yyy]
             where xxx and yyy are integers. You can get a listing of the
             accounts and the process names of everyone on the system before
             logging in with the command .systat (for SYstem STATus). If you
             see an account that reads [234,1001] BOB JONES, it might be wise
             to try BOB or JONES or both for a password on this account. To
             login, you type .login xxx,yyy and then type the password when
             prompted for it. The system will allow you unlimited tries at an
             account, and does not keep records of bad login attempts. It will
             also inform you if the UIC you're trying (UIC = User
             Identification Code, 1,2 for example) is bad.
             Common Accounts/Defaults:
             1,2:        SYSLIB or OPERATOR or MANAGER
             2,7:        MAINTAIN
             5,30:       GAMES

**** note: I'm remembering this stuff from several years ago, and in some
cases my memory may be foggy or stuff may be outdated.

TOPS-20, once you are inside, resembles VMS much more than it resembles
TOPS-10, as far as I know (I'm not really familiar with VMS). From the
outside, it's more like TOPS-10, except that the prompt is a @ instead of a
period. You can enter many commands without logging in, including SYSTAT and
probably FINGER. (Sometimes you can even use the mail program without
logging in.) It is very helpful. Not only does the command HELP lead to
lots of useful information, but anywhere in typing a command you can press ?
and it will tell you what the format of the command expects. For instance,
if you type ? by itself, it will tell you all the words that a command can
begin with. If you type S?, it will tell you all the commands that start
with the letter S. If you type SYSTAT ?, it will tell you the options
available on the SYSTAT command. You can use this at any point in any
command. Furthermore, if there is only one possibility (you have typed a
unique abbreviation), you can press Escape and it will finish the word for
you. I'm not sure, but I think TOPS-20 was the system that first introduced
filename completion as well, turning a uniquely abbreviated filename into a
complete name when you press Escape, beeping if the abbreviation is not
unique. With command keywords you can leave the abbreviation unexpanded;
with filenames you have to expand it (or type it all in) for it to work.

Use the "Login" command to log in, followed by a username. It will prompt
for a password. Note that a password can be something like 39 characters
long, as can the username itself. TOPS-20 does NOT use numbers like 317,043
for user IDs. (Note that these numbers in TOPS-10 are octal, not decimal.)
Furthermore, the password can contain spaces. So, if somebody wants to make
his password difficult to guess, he can easily do so.

(But sometimes they might get overconfident. I remember a story from
Stanford... Someone asked the large cheese if he would let him know what the
operator password was, and he said "The operator password is currently
unavailable." So the guy tried "currently unavailable" as a password, and
got in. (Which reminds me of the time they got a real bug in the system
there... a head crash caused by an ant on the disk platter.))

In general, TOPS-20 does not limit the number of login attempts, nor does it
keep a record of bad tries. However, it is not difficult for the local
management to add such measures, or others such as a delay of several seconds
after each attempt. And unlike Unix, it is difficult to evade these even
once you're in. Without heavy in-depth knowledge, you can't test a username-
password combination except through a system call, which will enforce delays
and limited failures and such against password-trying programs.
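The controls described for VMS above (disconnect after three bad attempts, no hint whether the username exists, a count of bad attempts reported to the owner at the next good login) and the ones a TOPS-20 site might add (a delay after every failure, enforced inside the one call that checks passwords) can be put into a single login gate. The following is an added example written for this page, not code from the original file or from either operating system; the account table, the three-attempt limit, the two-second delay and the PBKDF2 hashing are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Policy knobs modelled on the controls the text describes (assumed values).
MAX_BAD_PER_SESSION = 3     # VMS-style: drop the connection after three bad attempts
DELAY_AFTER_FAILURE = 2.0   # seconds of delay after each failure, as a site might add
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a copied user file is not a list of passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    failed_since_login: int = 0     # reported to the owner at the next good login


def make_account(name: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(name.upper(), salt, hash_password(password, salt))


@dataclass
class LoginResult:
    ok: bool
    prior_failures: int     # bad attempts on this account since its last good login
    connected: bool         # False once the session has been dropped


class LoginGate:
    """Shared state: the account table and an append-only audit trail."""

    def __init__(self, accounts, delay=DELAY_AFTER_FAILURE, sleep=time.sleep):
        self.accounts = {a.name: a for a in accounts}
        self.delay = delay
        self.sleep = sleep              # injectable so tests need not really wait
        self.audit = []                 # (outcome, username) tuples
        # Dummy credential so an unknown username costs the same time as a known one.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("not-a-real-password", self._dummy_salt)

    def session(self) -> "LoginSession":
        return LoginSession(self)


class LoginSession:
    """One connection: counts its own bad attempts and disconnects at the limit."""

    def __init__(self, gate: LoginGate):
        self.gate = gate
        self.bad = 0
        self.connected = True

    def login(self, username: str, password: str) -> LoginResult:
        if not self.connected:
            raise ConnectionError("session was disconnected after too many bad attempts")
        acct = self.gate.accounts.get(username.upper())
        if acct is None:
            # Same work and same answer as a wrong password: the caller learns
            # nothing about whether the username exists.
            hmac.compare_digest(hash_password(password, self.gate._dummy_salt),
                                self.gate._dummy_hash)
            ok = False
        else:
            ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
        if ok:
            prior = acct.failed_since_login
            acct.failed_since_login = 0
            self.gate.audit.append(("OK", acct.name))
            return LoginResult(True, prior, True)
        if acct is not None:
            acct.failed_since_login += 1     # the record VMS shows the owner later
        self.gate.audit.append(("FAIL", username.upper()))
        self.bad += 1
        self.gate.sleep(self.gate.delay)     # per-attempt delay slows guessing programs
        if self.bad >= MAX_BAD_PER_SESSION:
            self.connected = False           # VMS-style disconnect
        return LoginResult(False, 0, self.connected)


def demo() -> LoginResult:
    """Three bad guesses on BOB drop the session; the real BOB is then told about them."""
    gate = LoginGate([make_account("BOB", "correct horse battery staple")],
                     sleep=lambda seconds: None)
    s = gate.session()
    for guess in ("BOB", "JONES", "PASSWORD"):
        s.login("bob", guess)
    assert not s.connected
    return gate.session().login("BOB", "correct horse battery staple")


if __name__ == "__main__":
    r = demo()
    print(f"login ok={r.ok}, bad attempts since last login={r.prior_failures}")
```

The important design point is the one the text makes about TOPS-20 versus Unix: every check goes through `LoginSession.login`, so the delay and the disconnect cannot be skipped by a program that wants to try passwords faster.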

So, TOPS-20 is easy to defend against the "database hack", in which you try
many different common passwords with many different usernames. (Unix is
much more vulnerable to this.) But any particular system, especially a lax
one like a college machine (DEC is always popular in academia), might have
little defense here. But you might not know how much defense until too late.
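A per-account attempt limit does not catch the "database hack" (known today as password spraying), because each username sees only one or two failures; what stands out is one source failing against many different usernames in a short time. The following detector is an added example for this page, not part of the original file; the log format, source names and timestamps are constructed and are not what TOPS-20 or VMS accounting records look like.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a made-up format (not a real TOPS-20 accounting record).
# TTY3 is a user who mistyped once; TTY7 is three failures on a single account;
# TTY14 is one source walking through many usernames with a guess each.
SAMPLE_LOG = """\
1994-08-23 10:00:05 source=TTY3  user=ALICE  result=FAIL
1994-08-23 10:00:20 source=TTY3  user=ALICE  result=OK
1994-08-23 10:01:00 source=TTY7  user=BOB    result=FAIL
1994-08-23 10:01:10 source=TTY7  user=BOB    result=FAIL
1994-08-23 10:01:30 source=TTY7  user=BOB    result=FAIL
1994-08-23 10:02:00 source=TTY14 user=BOB    result=FAIL
1994-08-23 10:02:30 source=TTY14 user=JONES  result=FAIL
1994-08-23 10:03:00 source=TTY14 user=GUEST  result=FAIL
1994-08-23 10:03:30 source=TTY14 user=DEMO   result=FAIL
1994-08-23 10:04:00 source=TTY14 user=FIELD  result=FAIL
1994-08-23 10:04:30 source=TTY14 user=SYSTEM result=FAIL
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+source=(?P<src>\S+)"
    r"\s+user=(?P<user>\S+)\s+result=(?P<res>OK|FAIL)\s*$"
)


def parse_log(text: str) -> list:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"],
            "user": m["user"],
            "res": m["res"],
        })
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=4) -> dict:
    """Sources whose failures touch at least min_users distinct usernames inside
    any window of the given length. Returns {source: peak distinct usernames}."""
    by_src = defaultdict(list)
    for e in events:
        if e["res"] == "FAIL":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        recent = deque()            # failures inside the sliding window
        users = Counter()           # distinct usernames among them
        peak = 0
        for e in fails:
            recent.append(e)
            users[e["user"]] += 1
            # Evict failures that have fallen out of the window.
            while e["ts"] - recent[0]["ts"] > window:
                old = recent.popleft()
                users[old["user"]] -= 1
                if users[old["user"]] == 0:
                    del users[old["user"]]
            peak = max(peak, len(users))
        if peak >= min_users:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, n in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: failures against {n} distinct usernames in one window")
```

TTY7's three failures on BOB are what the per-account limit in the previous example handles; TTY14 never trips that limit, and only the cross-account count flags it.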

Do try the GUEST username.

But TOPS-20 can be very vulnerable to trojan horses. See, there's this thing
called the Wheel bit. A username that has the Wheel property can do anything
the system operator can do, such as ignore file protection masks, edit the
disks at the track/sector level, change any area of memory... On Unix, only
one user, the superuser, can read and write protected files. On TOPS-20, any
user can do these things from any terminal, if the Wheel attribute is set in
his user data. Some campus computers tend to accumulate excess trusted users
with wheel bits, and have to periodically prune away the unnecessary ones.

The thing is that a wheel can do these things without knowing that he has
done them. Normally the privileged commands are deactivated. But a program
run by a wheel can activate the privileges, do anything it wants, cover its
tracks, and deactivate them without the user ever being the wiser. So if you
can get any wheel user to run any program you wrote, such as a game or small
utility... there's no limit to what you can do. In particular, you can
create a new username, and make it a wheel. Or you can simply ask the system
outright for someone's password, if I'm not mistaken. (All this requires
access to TOPS-20 programming manuals, but some of the necessary material
should be available on line.) You cannot actually conceal this creation, as
far as I know... but maybe with sophisticated enough knowledge you could
make it not immediately apparent... Anyway, once you get that far in, you can
probably keep one step ahead of them for a while... If they erase your new
accounts, you can use the passwords to old ones... They can change all of
the wheel passwords, but a lot of the regular users won't change for some
time... You could even lock the operators out of their own system by
changing all their passwords for them, if you were crazy enough, perhaps
forcing them to shut the machine down to regain control of it. They might
even have to restore stuff from tape backup.

Even if you don't wedge your way into secret stuff, a TOPS-20 system can be
fun to explore. It's much more novice-friendly than most systems, and much
more hacker-friendly as well. I think the ascendancy of Unix as the
least-common-denominator OS that everybody can agree on is a definite loss,
compared to TOPS-20.
