Untold Hacking Secret A Novice's Guide To Hacking


This file is an addendum to "A Novice's Guide To Hacking" written by "The Mentor". The word "hacking" is here used the way the non-hacking public thinks it is used, to mean breaking into somebody else's computer. Its purpose is to expand and clarify the information about the TOPS-20 operating system, which runs on DECsystem-20 mainframes. The Mentor basically lumped this system in with TOPS-10 and didn't note important differences between the two. I will here reproduce in full what The Mentor had to say about TOPS-10 and about VMS, which are the parent and the offspring of TOPS-20. VMS- The VAX computer is made by Digital Equipment Corporation (DEC), and runs the VMS (Virtual Memory System) operating system. VMS is characterized by the 'Username:' prompt. It will not tell you if you've entered a valid username or not, and will disconnect you after three bad login attempts. It also keeps track of all failed login attempts and informs the owner of the account next time s/he logs in how many bad login attempts were made on the account. It is one of the most secure operating systems around from the outside, but once you're in there are many things that you can do to circumvent system security. The VAX also has the best set of help files in the world. Just type HELP and read to your heart's content. Common Accounts/Defaults: [username: password [[,password]] ] SYSTEM: OPERATOR or MANAGER or SYSTEM or SYSLIB OPERATOR: OPERATOR SYSTEST: UETP SYSMAINT: SYSMAINT or SERVICE or DIGITAL FIELD: FIELD or SERVICE GUEST: GUEST or unpassworded DEMO: DEMO or unpassworded DECNET: DECNET DEC-10- An earlier line of DEC computer equipment, running the TOPS-10 operating system. These machines are recognized by their '.' prompt. The DEC-10/20 series are remarkably hacker-friendly, allowing you to enter several important commands without ever logging into the system. Accounts are in the format [xxx,yyy] where xxx and yyy are integers. You can get a listing of the accounts and the process names of everyone on the system before logging in with the command .systat (for SYstem STATus). If you seen an account that reads [234,1001] BOB JONES, it might be wise to try BOB or JONES or both for a password on this account. To login, you type .login xxx,yyy and then type the password when prompted for it. The system will allow you unlimited tries at an account, and does not keep records of bad login attempts. It will also inform you if the UIC you're trying (UIC = User Identification Code, 1,2 for example) is bad. Common Accounts/Defaults: 1,2: SYSLIB or OPERATOR or MANAGER 2,7: MAINTAIN 5,30: GAMES **** note: I'm remembering this stuff from several years ago, and in some cases my memory may be foggy or stuff may be outdated. TOPS-20, once you are inside, resembles VMS much more than it resembles TOPS-10, as far as I know (I'm not really familiar with VMS). From the outside, it's more like TOPS-10, except that the prompt is a @ instead of a period. You can enter many commands without logging in, including SYSTAT and probably FINGER. (Sometimes you can even use the mail program without logging in.) It is very helpful. Not only does the command HELP lead to lots of useful information, but anywhere in typing a command you can press ? and it will tell you what the format of the command expects. For instance, if you type ? by itself, it will tell you all the words that a command can begin with. If you type S?, it will tell you all the commands that start with the letter S. If you type SYSTAT ?, it will tell you the options available on the systat command. You can use this at any point in any command. Furthermore, if there is only one possibility (you have typed a unique abbreviation), you can press Escape and it will finish the word for you. I'm not sure, but I think TOPS-20 was the system that first introduced filename completion as well --turning a uniquely abbreviated filename into a complete name when you press escape, beeping if the abbreviation is not unique. With command keywords you can leave the abbreviation un-expanded, with filenames you have to expand it (or type it all in) for it to work. Use the "Login" command to log in, followed by a username. It will prompt for a password. Note that a password can be something like 39 characters long, as can the username itself. TOPS-20 does NOT use numbers like 317,043 for user IDs. (Note that these numbers in TOPS-10 are octal, not decimal.) Furthermore, the password can contain spaces. So, if somebody wants to make his password difficult to guess, he can easily do so. (But sometimes they might get overconfident. I remember a story from Stanford... Someone asked the large cheese if he would let him know what the operator password was, and he said "The operator password is currently unavailable." So the guy tried "currently unavailable" as a password, and got in. (Which reminds me of the time they got a real bug in the system there... a head crash caused by an ant on the disk platter.)) In general, TOPS-20 does not limit the number of login attempts, nor does it keep a record of bad tries. However, it is not difficult for the local management to add such measures, or others such as a delay of several seconds after each attempt. And unlike Unix, it is difficult to evade these even once you're in. Without heavy in-depth knowledge, you can't test a username- password combination except through a system call, which will enforce delays and limited failures and such against password-trying programs. So, TOPS-20 is easy to defend against the "database hack", in which you try many different common passwords with many different usernames. (Unix is much more vulnerable to this.) But any particular system, especially a lax one like a college machine (DEC is always popular in academia), might have little defense here. But you might not know how much defense until too late. Do try the GUEST username. But TOPS-20 can be very vulnerable to trojan horses. See, there's this thing called the Wheel bit. A username that has the Wheel property can do anything the system operator can do, such as ignore file protection masks, edit the disks at the track/sector level, change any area of memory... On Unix, only one user, the superuser, can read and write protected files. On TOPS-20, any user can do these things from any terminal, if the Wheel attribute is set in his user data. Some campus computers tend to accumulate excess trusted users with wheel bits, and have to periodically prune away the unnecessary ones. The thing is that a wheel can do these things without knowing that he has done them. Normally the privileged commands are deactivated. But a program run by a wheel can activate the privileges, do anything it wants, cover its tracks, and deactivate them without the user ever being the wiser. So if you can get any wheel user to run any program you wrote, such as a game or small utility... there's no limit to what you can do. In particular, you can create a new username, and make it a wheel. Or you can simply ask the system outright for someone's password, if I'm not mistaken. (All this requires access to TOPS-20 programming manuals, but some of the necessary material should be available on line.) You cannot actually conceal this creation, as far as I know... but maybe with sophisticated enough knowledge you could make it not immediately apparent... Anyway, once you get that far in, you can probably keep one step ahead of them for a while... If they erase your new accounts, you can use the passwords to old ones... They can change all of the wheel passwords, but a lot of the regular users won't change for some time... You could even lock the operators out of their own system by changing all their passwords for them, if you were crazy enough, perhaps forcing them to shut the machine down to regain control of it. They might even have to restore stuff from tape backup. Even if you don't wedge your way into secret stuff, a TOPS-20 system can be fun to explore. It's much more novice-friendly than most systems, and much more hacker-friendly as well. I think the ascendency of Unix as the least- common-denominator OS that everybody can agree on is a definite loss, compared to TOPS-20.

Wyszukiwarka