Hacking on the Front Line
by Al Capone

As we have seen from previous raids/busts, the consequences of being caught by the federal government, etc. are not worth it in the long run. If they cannot cripple you physically, then they will do it emotionally or financially. Therefore I do not recommend that any action taken to gain unauthorized access is justifiable in any way. However, the choice is yours.

People who desire to get into a "secure" system should know a few things about it. First off, for me the word "secure" brings to mind a picture of a human monitoring a system for 24 hours. All the nodes are watched individually, and everything is hardcopied. This is obviously, in most (if not all) cases, not feasible, as the man hours and/or the cash funding are non-existent. Besides, to a system operator, watching everything a system does could be quite boring. The hacker can capitalize on this.

The two things a hacker should know about when attempting to gain access to a system are:

1. Typical formats for the system (i.e. how you type in the login sequence: are the login and password on one continuous line, do you have to type them in separately at different prompts, etc.).

2. Default and common passwords. Default accounts are the accounts that come with the system when it is installed ("factory accounts"). Common accounts are accounts set up by the system operator for particular tasks. The probability exists that these accounts are present on the system that the hacker is trying to penetrate, therefore they should be tried.

Identifying the System

If the owner of the system is not mentioned in the opening banner, you will either have to gain access to the system itself or use CNA (Customer Name and Address, the little thing that exists for identifying a telephone number). Please remember that on some systems a brute force attempt is often recorded to the account, indicating the number of attempts that you have tried, sometimes even writing down the password that you've tried.
More often than not, it will just record the number of failed attempts. Aside from this, the system may "sound an alarm". This is not a bell or siren that goes off; it is just a message printed out and/or sent to any terminals designated as security operator terminals (i.e. VMS). Example:

    Welcome to Sphincter Systems Vax Cluster
    Username: CHEESEHEAD
    Password:
    Welcome to Sphincter Systems, Mr. Mouse
    Number of failed attempts since last entry: 227

Obviously, in the above example, Mr. Mouse would get the idea that someone was attempting to gain access to his account and would promptly change the password, assuming he was paying attention at login. (Many people don't. Logging into my favorite BBS, I have often left the room while my auto-login macro was accessing the system. The same principle applies here.) Also, in the above example, it was very stupid for Sphincter Systems to display the banner identifying the system. This would only encourage the hacker in an attempt to gain access (it always encouraged me), and at 227 attempts, the hacker should have kept trying to gain access. Remember that once the account is accessed correctly, the security counter is reset to zero and Mr. Mouse will probably never know that someone else has his password (as long as no malicious or destructive actions are carried out, and as long as he doesn't keep a record of his login dates).

When I was scanning a network, I often found that most of the systems identified themselves. On the other hand, the systems I found in most telephone exchanges required that they be identified by other means. The banner usually decided my interest in the system, whether I just wanted to try a few things and move on, or really concentrate on the effort. It also gave me a little extra ammunition, since usernames and/or passwords may contain some information which was displayed in the banner.
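Mr. Mouse's counter goes back to zero on his next successful login, so the 227 attempts leave no trace unless someone is watching the audit trail for them. The following detection is an added example, not part of the original article: it alerts when an account collects a burst of failed logins inside a time window, and again when a login succeeds immediately after such a burst, which is exactly the case the resetting counter hides. The log format and sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format (not from any real system):
# "<ISO timestamp> <host> login: <FAILED|OK> user=<name> src=<port-id>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>FAILED|OK) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(line):
    m = LINE_RE.match(line.strip())          # None for lines in another format
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def find_guessing(lines, threshold=5, window_s=600):
    """Return (kind, user, src, failures) alerts. 'burst' fires when an account
    reaches `threshold` failures inside `window_s` seconds; 'burst-then-success'
    fires when a login succeeds right after such a burst."""
    recent = defaultdict(list)   # user -> timestamps of failures in the window
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        user, ts = rec["user"], rec["ts"]
        # Slide the window: drop failures older than window_s.
        recent[user] = [t for t in recent[user] if (ts - t).total_seconds() <= window_s]
        if rec["result"] == "FAILED":
            recent[user].append(ts)
            if len(recent[user]) == threshold:
                alerts.append(("burst", user, rec["src"], threshold))
        else:
            if len(recent[user]) >= threshold:
                alerts.append(("burst-then-success", user, rec["src"], len(recent[user])))
            recent[user] = []    # mirror the system's own reset, but only after alerting
    return alerts

# Constructed sample: five bad guesses for CHEESEHEAD within a minute, then a
# success, then an unrelated single failure that must not alert.
SAMPLE_LOG = [
    "2024-01-10T03:00:%02d host1 login: FAILED user=cheesehead src=net-port-17" % s
    for s in (0, 12, 25, 37, 50)
] + [
    "2024-01-10T03:01:05 host1 login: OK user=cheesehead src=net-port-17",
    "2024-01-10T03:02:00 host1 login: FAILED user=operator src=tty3",
]
```

Run over a real audit trail, the second alert kind is the one worth paging on: a success after a burst is either the legitimate user finally remembering the password or a guess that landed.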
Another thing I noticed about networks that differed from local dial-in systems was that dial-in systems would disconnect me after three to five attempts. Granted, the system on the network would disconnect me, but only from the host. The network itself would not, creating one less problem to deal with. System operators might suspect something if they saw an outdial number being accessed every thirty seconds or so.

Some common login prompts and the systems they indicate:

    Login: Password:            (This is a Unix.)
    Username: Password:         (This is a VMS.)
    @                           (This is a Tops-20.)
    Enter Usercode/Password     (This is a Burroughs.)
    MCR]                        (This is an RSX-11.)
    ER!                         (This is a Prime.)
    .                           (This is an IBM running a VM operating system.)

This list is by far not complete, as there are many more systems out there, but it will get you started. Some of the time, the system will tell you its name in the opening. Crays, for example, usually identify themselves.

The Telephone

Make sure when you are dialing into the system that you realize that somewhere along the trail there is a possibility of a trace. With all of the switching systems in effect by Bell, etc., what you need to do is dial in using an outside source. For instance, what I usually did was call an 800 extender (not in Feature Group D), and then call the target system. The only times I called the target system direct was when I was identifying the system (I did not start hacking the system at this time), but even this is not recommended these days. Things owned by Bell, such as COSMOS systems, SCCS networks, etc., are probably more risky than generic corporate systems. Of course, using only one extender should be the least of what you can do. If you call several extenders and then the target system, the chances are that tracing the call back to you will be next to impossible. But this method also is risky, since the long distance telephone company may not be overly enthused about you defrauding them. At one time an acquaintance was harassing a company that was tracing him.
They let him know of the trace and just for the hell of it he decided to stay on the line to see the results. The result was Paris, France. Keep in mind he lives in the United States. This story displays an excellent use of extenders. The only detriment I see is that by routing your call through two or more extenders the integrity of the line decreases.

When using networks (Telenet, Tymenet, etc.) in connecting to the system, your port is sent as an ID in order to accept your connection attempt. It would really be simple then to isolate your number (providing you called the network directly from your house) if you repeatedly attempt to use the system. What you should do for this problem is loop through a gateway on the network. The gateway is essentially an outdial which will connect to a system. Use the gateway to call another network's dialup.

Common Passwords

The following is a list of common passwords for various systems. On a respectable system, these will be constantly changed. But not all system managers are smart or security conscious. The first system that I got into was by using a common account (no password was needed in this case, just the Unix "uucp" as a username). Sometimes systems are put up and completely left alone. It seems the managers think that nobody will find the system. In my case, the system was kept current, and I had "uucp" privileges to the School Board computer. Remember, as long as you don't do anything that damages or destroys data, they probably will never know that you have been there.
Common Accounts for the Primos System

    Prime, Admin, Games, Test, Tools, System, Rje, Guest, Netman, Cmdnco, Primos, Demo, Regist, Prirun, Telenet

Common Accounts for the VM/CMS System

    Operator, Cmsbatch1, Autolog1, Operatns, Vmtest, Vmutil, Maint, Smart, Vtam, Erep, Rscs, Cms, Sna

Common Accounts for the VAX/VMS System

    Vax, Vms, Dcl, Demo, Test, Help, News, Guest, Decnet, Systest, Uetp, Default, User, Field, Service, System, Manager, Operator

Common Accounts for the Unix System

    root, uucp, nuucp, daemon, who, guest, io, com, bin, sys, informix, uucpmgr, adm, profile, trouble, intro, rje, hello, lp, setup, powerdown, uname, makefsys, mountfsys, checkfsys, umountfsys

This should give you an idea on where to start.

Combinations

The combinations to get into a system are nearly infinite. If the password needed to get into the system is something like "FRM;UN!DA" then the chances are extremely remote that you will get in. Multiply the following: the number of tries where you use the username as the password by the variations of a word (i.e. for "CMSBATCH" passwords could be "Batch" or "BATCHCMS"). Now add on names and wild guesses. This should give you quite a list. All you can do is exhaust your list of username/password combinations and move on. You have done your best as far as trial and error hacking is concerned. Trashing for printouts is also an option.

Druidic Death at one time surveyed a VM/CMS system's unencrypted password file and wrote the results down as categories.
This is a list of his findings:

    Total number of system users: 157
    Total number of accounts that can't be logged into: 37
    Total number of passwords that are a form of the account name: 10
    Total number of passwords that are the same as the account's name: 3
    Total number of passwords that are a related word to the account name: 10
    Total number of passwords that are first names, not the user's own: 17
    Total number of passwords that are the user's first name: 19
    Total number of passwords that are words related to the user's job: 7
    Total number of passwords that are the name of the company: 1
    Total number of random character passwords: 1
    Total number of passwords that are, in some format, calendar dates: 32
    Total number of passwords that were unchanged defaults: 7

This should give you an idea of how things are placed in a major corporate computer.

Imagination

This is what you need to gain access to an account. Being a number cruncher just won't do it anymore. In the following segment, I will list out ideas with about 20 or 30 examples in each. This article will get you going. You just have to finish the job.

Common First and Last Names

These can readily be obtained from the telephone book, the greatest source of all first and last names. Examples:

    Gus, Dave, Chris, Michele, Jessica, Arthur, Robert, Patrick, Arnold, Benjamin, Derek, Eddie, Shannon, Richard, Ross, Keith, William, Bubba, Mickey, Clyde

Colors

Figure it out for yourself, everything is possible. Examples:

    Blue, Black, Orange, Red, Yellow, Purple, Magenta, Green

The Dictionary

The single most important document. Everyone should have one, and if you do not have one, get one. Many passwords are at your disposal. And, by all means, when on a Unix, download /usr/dict/words, the online dictionary. I also believe that you should not limit your words to just the English versions. There is no reason why passwords cannot be in Spanish, French, etc.
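A system manager can turn the survey categories and the guess lists above into a policy check that refuses such passwords before they reach the password file. The following audit is an added example, not from the article: it flags passwords that are the account name or a form of it (substring, rotation such as BATCHCMS for CMSBATCH, or reversal), a first name with an optional digit suffix, a calendar date, or an unchanged default, using short constructed word lists and constructed sample accounts in place of a real dictionary and vendor default list.

```python
import re

# Constructed short lists for the example; a real audit would load a full
# first-name list and the vendor's documented default passwords instead.
FIRST_NAMES = {"gus", "dave", "chris", "michele", "jessica", "robert", "patrick"}
DEFAULT_PASSWORDS = {"demo", "guest", "test", "system"}   # placeholders

DATE_PATTERNS = [
    re.compile(r"^\d{1,2}[/.-]?\d{1,2}[/.-]?(\d{2}|\d{4})$"),                 # 12/25/89, 122589
    re.compile(r"^(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*[/.-]?\d{1,4}$"),  # dec1989
]

def classify(username, password):
    """Return the survey category a weak password falls into, or None if it
    passes every check. Comparison is case-insensitive, as most guessing is."""
    u, p = username.lower(), password.lower()
    if not p:
        return "empty"
    if p == u:
        return "same as account name"
    # substring, rotation (BATCHCMS for CMSBATCH) or reversal of the account name
    if p in u + u or u in p or p == u[::-1]:
        return "form of account name"
    if p.rstrip("0123456789") in FIRST_NAMES:        # dave, dave1, dave99
        return "first name"
    if any(pat.match(p) for pat in DATE_PATTERNS):
        return "calendar date"
    if p in DEFAULT_PASSWORDS:
        return "unchanged default"
    return None

def audit(entries, min_len=8):
    """entries: iterable of (username, password). Returns {username: reason}."""
    findings = {}
    for user, pw in entries:
        reason = classify(user, pw) or ("too short" if len(pw) < min_len else None)
        if reason:
            findings[user] = reason
    return findings

# Constructed sample accounts (no real system's data).
SAMPLE = [
    ("cheesehead", "Dec1989"),
    ("cmsbatch", "BATCHCMS"),
    ("jsmith", "122589"),
    ("operator", "Dave"),
    ("guest", "demo"),
    ("root", "Ab1"),
    ("mmouse", "FRM;UN!DA"),
]
```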
Types of Cars

    Pontiac, Ford, Chevy, Buick, Toyota, Honda, Ferrari, Porsche

Motorcycles and all venues of transportation can be included in this segment.

Rock Bands

    Zeppelin, Pink Floyd, Hendrix, REM, Cream, Ozzy, Gunsroses, Mozart, Publicenemy, Etc.

This section can include magazines, software, profanities (when I was validation sysop on Digital Logic's Data Service I don't know how many people used the word FUCK when asking for validation). You should have accumulated quite a list by now.

Conclusion

This is it. I hope you have learned that nothing should be put past the system manager. He is the only person between you and a system that could be an excellent source of information. Enjoy!

References

Look at the following articles for in-depth information on specific operating systems:

    "Unix From the Ground Up" by The Prophet. Unbelievably helpful in learning Unix.
    "Hacking VAX/VMS" by Lex Luthor. 2600 Magazine, February 1986.
    "A Guide to the Primos Operating System" by Carrier Culprit. LOD/H Technical Journal.
    "Hacking IBM's VM/CMS Operating System" by Lex Luthor. 2600 Magazine, November and December 1987.