| | ------- ___ |--\ ----- /---\
| | | / \ | | | | |
| | | | | |--/ | |-----|
| | | | | | | | |
\___/ | \___/ | ----- | |
February 1996
PUBLISHED BY: Utopium
Utopia (yoo-to-pi-a), noun 1. an imaginary island described as the place of
perfect moral and social conditions. 2. any place of perfection. 3. any
visionary plan for a perfect system of living.
Disclaimer:
Everything within this publication is purely for informational purposes.
By reading this you take sole responsibility for any consequences. I or any
place that stores this publication take no responsibility for any actions.
All information here is subject to and protected by the First Amendment of the
Constitution of the United States. There is no guarantee on any information in
here. If you feel that any information here may be offensive or illegal within
your country then stop reading now.
Part 1 . . . . . . . . . . . . . . Introduction
Part 2 . . . . . . . . . . . . . . UNIX passwd cracking guide
Part 3 . . . . . . . . . . . . . . How to get free GNN access
Part 4 . . . . . . . . . . . . . . Sprintnet Navigation
Part 5 . . . . . . . . . . . . . . Free software you can benefit from
Part 6 . . . . . . . . . . . . . . Monitored AOL session
----------------
| INTRODUCTION |
----------------
(*) By Utopium (*)
Welcome to the first issue of Utopia! I am creating the magazine so I can
help inform everyone in the digital underground, plus I had a lot of time on
my hands while I was snowed in during the blizzard. Right now I am pretty much
writing it myself, but I am hoping I can get other writers, expand the areas I
have, and add any new ones I don't have.
Another reason I'm writing this publication is because the government is
pretty much making our lives pure hell. As of this writing, Bill Clinton just
signed the new telecommunications bill into law. This includes the net decency
act which eliminates anything not suitable for a five year old. Now do you want
the net to become a whole new government where there is no free speech and no
rights and everything is G rated? I don't think so. We need to fight the
system and do whatever we can to stop this craziness. Hopefully with enough
effort we can reach this goal.
Anyway, enjoy the magazine, hopefully it will be of good use to you. The
homepage for this can be found at http://www.geocities.com/siliconvalley/2643/
and you can also mail me with article submissions or any helpful information
at utopium@cyberspace.org. If you send any interesting letters or comments I
may publish those also.
================================
UNIX PASSWD CRACKING GUIDE
================================
By Utopium
Well, you feel like your shell isn't good enough for you and you want to
be able to access a few more. You go and ask your sysadmin for more space and
he just laughs in your face. So you may just go cracking some passwords and
using other people's accounts. How are you going to do this? For one thing,
you can't let the sysadmin know you're doing this, so you should never run a
cracking program from your shell. Even though this may be easier and faster,
there is software that watches for exactly that kind of activity. So you're
going to have to go to the next alternative: getting an actual unshadowed copy
of the passwd file. On some old or unsecured systems it can be as easy as
making a straight copy of /etc/passwd, since the hashes are sitting right
there in the second field. Other systems have it shadowed, meaning the passwd
file only holds a placeholder (usually x or *) and the real hashes live in a
separate file that only root can read. Fortunately some UNIX systems will
print the whole thing out for you when you compile and run this program,
which walks the password database through getpwent() instead of reading the
file directly:
#include <stdio.h>
#include <pwd.h>
/* Walk the password database with getpwent() and print every entry in
   passwd(5) format.  On a shadowed system a non-root caller only gets the
   placeholder in pw_passwd, never the real hash. */
int main(void)
{
    struct passwd *p;
    while ((p = getpwent()) != NULL)
        printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name, p->pw_passwd,
               (int)p->pw_uid, (int)p->pw_gid, p->pw_gecos, p->pw_dir,
               p->pw_shell);
    endpwent();
    return 0;
}
But some systems won't show the hashes even when this runs: if the entries
come back with a placeholder in the password field, the shadow file is doing
its job and you're going to have to do a little bit more hacking. You're on
your own for that, considering the approaches on different systems vary.
Now that you've got the passwd file, it's time to crack it. I'm assuming
that you are running DOS and that you already have a copy of Cracker Jack.
All you need now is a dictionary file. You can make a very large one by
getting word list files at the FTP site sable.ox.ac.uk/pub/wordlists. Once
you have built up a substantial word list, use SORT to put it in alphabetical
order. When this is done, you'll want to kill duplicates and eliminate
anything that is too short or too long (traditional crypt(3) only looks at
the first eight characters of a password, so anything longer than eight is a
wasted guess). You can write a very simple tool in QBASIC to do this,
especially since the list is already sorted and duplicates come right after
each other. Once this is all done you can just run Cracker Jack and leave it
going overnight. When you wake up you will see that you now have access to
many more shells than you did before.
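The passwd format the program above prints, and the sort / kill-duplicates / length-filter step described for the word list, as an added example that is not part of the original zine. The sample passwd lines are constructed, not real accounts; the 4-to-8 length window is my choice (8 because of the crypt(3) limit), and the placeholder conventions (x, *, !) that classify() recognises are an assumption about what the target system writes, not something the article states.

```python
"""Added example, not from the zine: parse passwd(5) lines the way the C
program above prints them, classify the password field, and prepare a word
list (sort, drop duplicates, drop words outside a length window)."""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample, not real accounts.  The hash strings are made-up 13-char
# values in the traditional DES crypt(3) alphabet.
SAMPLE_PASSWD = """\
root:Nq4yJ8pQ1wz3M:0:0:Super User:/:/bin/sh
guest::200:100:Guest Account:/home/guest:/bin/sh
terry:x:501:100:Terry:/home/terry:/bin/csh
nobody:*:65534:65534:Nobody:/:/bin/false
bob:ab3F9k2Lm0xyz:502:100:Bob:/home/bob:/bin/sh
"""

CRYPT_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "abcdefghijklmnopqrstuvwxyz")
# Placeholders meaning "hash is elsewhere or account is locked" (assumption:
# the x / * / ! conventions used by common shadow implementations).
PLACEHOLDERS = {"x", "*", "!", "!!"}


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one colon-separated passwd line into its seven fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, passwd, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell)


def classify(entry: PasswdEntry) -> str:
    """What the password field actually gives a cracker to work with."""
    pw = entry.passwd
    if pw == "":
        return "empty"        # no password set: the name alone logs in
    if pw in PLACEHOLDERS or pw.startswith("*"):
        return "shadowed"     # real hash (if any) is in the shadow file
    if len(pw) == 13 and all(c in CRYPT_ALPHABET for c in pw):
        return "des-crypt"    # 2-char salt + 11-char DES hash: dictionary target
    return "unknown"


def crackable(entries: Iterable[PasswdEntry]) -> List[PasswdEntry]:
    """Only entries whose hash is really present are worth feeding to a cracker."""
    return [e for e in entries if classify(e) == "des-crypt"]


def prepare_wordlist(words: Iterable[str], min_len: int = 4,
                     max_len: int = 8) -> List[str]:
    """Sort, drop adjacent duplicates, drop words outside [min_len, max_len].
    max_len defaults to 8 because traditional crypt(3) ignores everything
    after the eighth character; min_len is an arbitrary choice."""
    out: List[str] = []
    for w in sorted(w.strip() for w in words):
        if not (min_len <= len(w) <= max_len):
            continue
        if out and out[-1] == w:      # sorted input: duplicates are adjacent
            continue
        out.append(w)
    return out


if __name__ == "__main__":
    entries = [parse_passwd_line(line) for line in SAMPLE_PASSWD.splitlines()]
    for e in entries:
        print(f"{e.name:8} {classify(e)}")
    print("worth cracking:", [e.name for e in crackable(entries)])
    print(prepare_wordlist(["zebra", "apple", "apple", "of", "password123"]))
```

The useful check here is classify(): an "x" or "*" in the second field means the copy you fetched has no hashes in it at all, and an empty field means there is nothing to crack because the account has no password.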
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
How to get free GNN access
by Utopium
Well, as you know, there are a bunch of online services out there which you
would like to use but which cost too much. It used to be that you could fool
them into giving you free access, but they plugged their security holes and
now you have to pay. For one thing, they aren't worth it anyway. Most
services are slow and don't have a straight connection to the Internet that
you can hack from. But there is a new service which will do all this for
you: GNN, or Global Network Navigator. This service was started by the
people at America Online in response to demand from users for a straight
Internet connection. It lets you dial up and connect through WINSOCK, so you
can use any Internet app you choose and not the defaults that come with it.
Making fake accounts on GNN is a little more tedious than it was on other
services, but considering how you have been cut off from the others, this is
your only shot. The people at AOL gave this service the standard certificate
login and password for a new user, as always, but figured they wouldn't have
a problem if it only worked once. They were wrong. Because they don't do
instant credit card checks, you can easily use a program like Credit Master
or Credit Wizard to generate a false number. Once this is done you have total
access for a few days before the account is deleted. To obtain the new user
login and password, first find a pay phone. Try to jump around to different
ones each time you call; if you call them from your home number all the
time they will catch on. Once you are at the pay phone, call (800)819-6112
and press 1 for new user information. Give them a made-up phone number and
name and they will give you the certificate. Then just sign on and get your
free access. This certificate will be deleted once you use it, so don't think
of using it again. Make sure you use a Sprintnet dialup so they won't trace
you, especially if you hack some major system on the Internet. And just like
America Online, GNN won't accept connections through the Sprintnet 800
number, so you are out of luck if you run a laptop off a pay phone or
whatever. But anyway, have fun!
+ -------------------- +
| Sprintnet Navigation |
+ -- + ---------- + -- +
| By Utopium |
+ ---------- +
Many of you reading this might never have heard of Sprintnet before, and if
you have, you probably don't know much about it. Some of you may know it as
TELENET. They are the same network: Telenet was its original name, and after
Sprint took it over it became Sprintnet, which is why the login banner still
says TELENET. Sprintnet is what is called a Packet Switching Network (PSN),
used to let users connect to systems residing on the network anywhere in the
world. It is also connected to other PSN's like Tymenet and Datapak. Unlike
the Internet, you do not need an account on the network to use it. Of course
the systems that reside on the network are likely to need an account, but
you can still navigate without paying a bill. PSN's are somewhat like the
phone system in that there are NPA's and numbers for each individual system.
Unlike a phone network, all calls are charged collect to the system you are
connecting to. This is one of the big reasons big online services like
America Online and GNN charge by the hour. Of course there are a lot of other
systems connected to PSN's, mainly businesses and government computers. This
is what we are interested in looking for.
To start using Sprintnet, you need to find a local access number. Even
though you can explore Sprintnet through the 800 number, this is a little
more expensive because of the collect call, and some customers reject
connections through the 800 number to save money. To find your local number,
get into your terminal program and dial 1-800-546-2500. Once you connect,
nothing will be displayed, so you need to wake up the login. Type @D and you
should see something like this:
TELENET
202 4002.46
TERMINAL=
At the TERMINAL= prompt, just type D1 for regular dumb terminal mode. Since
you are on the 800 number it will also ask for the NPA and prefix of your
phone number. When you finally get to the @ prompt, type MAIL and you will
come to a username and password screen; type PHONES for both. Then simply
follow the menus and get the number closest to you. Hang up and dial the new
number. You'll have the exact same login process, except that this time it
won't ask for the NPA and prefix of your phone number since it is a local
call.
Now here's where the actual use starts. Sprintnet uses a simple command
system to navigate the network. A regular connection to an address involves
simply typing the number assigned to the system. Just like the phone network,
Sprintnet uses numbers similar to phone numbers. Here is how the Network
User Address (NUA) 0311020200244.79 breaks down:
   03110     202      00244      79
     |        |         |         |
   DNIC    Network   Network    Port
           Prefix    Address   Number
The DNIC is used to specify the region and network you are using. If you
are staying within Sprintnet NUA's in the United States, you can leave this
part out. Here is a list of other DNIC's in the US if you want to navigate any
other networks:
03101 - PTN-1 03126 - ADP-AutoNet
03102 - MCI-Data-Trans 03127 - Telenet
03103 - ITT-UTDS II 03132 - Compuserve
03104 - WUI 03134 - AT&T AccuNet
03106 - Tymenet 03140 - SNET
03110 - Sprintnet 03142 - Bell South
03113 - RCA 03145 - Pacific Bell
03119 - Datapak 03146 - South West Bell
03124 - PSTS 03147 - Digipac
03125 - UNINET 03150 - GlobeNet
The Network Prefix usually refers to the NPA where the node resides, so if
you want to search for a certain system in some area you can look up the NPA.
Say you want to find some government systems; you would likely search the
202 area. The Network Address is the actual number assigned to the node. It
is one to five digits long and is padded with leading zeros if shorter than
five, but you can drop those for convenience and simply type 2021 to connect
to node 1 of the 202 area. The port number is separated from the address by
a decimal point. Like an Internet port, different ports serve different
functions, and you will want to experiment with these on any system you find
to explore deeper.
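The NUA breakdown above as an added parser, not part of the zine. It follows the article's own convention that the DNIC is written as five characters including the leading 0 and that the area prefix is three digits; the rule that any input longer than eight digits before the port must start with a DNIC is my assumption (3-digit prefix plus at most 5-digit address never exceeds 8). The DNICS table is copied from the list above, and the NUA strings in the demo are either taken from this article or made up.

```python
"""Added example, not from the zine: split a Sprintnet NUA into DNIC, area
prefix, network address and port, and print it back in both the short form
typed at the @ prompt and the full form with DNIC."""
from dataclasses import dataclass
from typing import Optional

# DNIC list copied from the zine's table above.
DNICS = {
    "03101": "PTN-1", "03102": "MCI-Data-Trans", "03103": "ITT-UTDS II",
    "03104": "WUI", "03106": "Tymenet", "03110": "Sprintnet", "03113": "RCA",
    "03119": "Datapak", "03124": "PSTS", "03125": "UNINET",
    "03126": "ADP-AutoNet", "03127": "Telenet", "03132": "Compuserve",
    "03134": "AT&T AccuNet", "03140": "SNET", "03142": "Bell South",
    "03145": "Pacific Bell", "03146": "South West Bell", "03147": "Digipac",
    "03150": "GlobeNet",
}
HOME_DNIC = "03110"  # Sprintnet; implied when the DNIC is left off


@dataclass
class NUA:
    dnic: Optional[str]   # None when the address was given without one
    prefix: str           # three-digit area prefix (usually the NPA)
    address: str          # network address, zero-padded to five digits
    port: Optional[str]   # digits after the decimal point, if any

    def _port_suffix(self) -> str:
        return f".{self.port}" if self.port is not None else ""

    def short(self) -> str:
        """What you type inside Sprintnet US: no DNIC, leading zeros dropped."""
        return f"{self.prefix}{int(self.address)}{self._port_suffix()}"

    def full(self) -> str:
        """Full form with DNIC and zero-padded address."""
        return f"{self.dnic or HOME_DNIC}{self.prefix}{self.address}{self._port_suffix()}"


def parse_nua(text: str) -> NUA:
    """Parse '2021', '83420172.83' or '0311020200244.79' style strings.

    Assumption (mine): prefix + address never exceed 8 digits, so anything
    longer must begin with a 5-character DNIC as written in the table."""
    raw = text.strip().replace(" ", "")
    if "." in raw:
        digits, port = raw.split(".", 1)
        if not port.isdigit():
            raise ValueError(f"bad port in {raw!r}")
    else:
        digits, port = raw, None
    if not digits.isdigit():
        raise ValueError(f"NUA must be digits: {raw!r}")
    dnic: Optional[str] = None
    if len(digits) > 8:
        dnic, digits = digits[:5], digits[5:]
        if dnic not in DNICS:
            raise ValueError(f"unknown DNIC {dnic}")
    if not 4 <= len(digits) <= 8:
        raise ValueError(f"need 3-digit prefix plus 1-5 digit address: {raw!r}")
    return NUA(dnic, digits[:3], digits[3:].zfill(5), port)


def describe(text: str) -> str:
    """One-line summary of an NUA, e.g. for annotating a scanner log."""
    n = parse_nua(text)
    net = DNICS[n.dnic or HOME_DNIC]
    return (f"{n.full()}: network {net}, area {n.prefix}, node {int(n.address)}"
            + (f", port {n.port}" if n.port else ""))


if __name__ == "__main__":
    for s in ("0311020200244.79", "2021", "83420172.83"):
        print(f"{s:18} -> {parse_nua(s).short():12} | {describe(s)}")
```

Unknown DNICs are rejected rather than guessed, so a mistyped address fails loudly instead of being silently routed to the wrong network.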
Now that you know how the addressing system works, you need to find some
systems to connect to. You can search around the net or BBS's for lists, or
you could try typing addresses yourself, but this is a nuisance and the lists
you find may be out of date. It's a lot easier if you have a program to scan
NUA's for you. There is one available called NUA Attacker, which is basically
a wardialer for Sprintnet. Since it uses a single call to the local
Sprintnet dialup, you won't run up a large long-distance phone bill, and
people in the area won't get that annoying ring in the middle of the night,
so you won't have to worry about the local police questioning you. All that
is needed to configure NUA Attacker is to specify the local Sprintnet dialup
and the range of NUA's you wish to scan. You will also want to set the Bad
PAD option to Yes since this software was made for somewhat older lines. I
have scanned about 3000 NUA's in one night, so you are likely to find a fair
number of systems. One warning though: the log file can get cluttered with
lots of Sprintnet error messages, but you should be able to tell these apart
from an error message a connected NUA might give you. Unless you already have
a copy of NUA Attacker, you can FTP NUA.ZIP from ninja.techwood.org under the
directory /pub/phreak. If you feel like it, you can try to program your own
in BASIC or C. Whatever fits your needs should be good enough.
Okay, so you've found some systems, looked around a bit, and want to try
another NUA but don't want to have to hang up and redial. All you have to do
is type @ in a quick sequence. Some systems may lock this function out and
you will have to hang up anyway. And if you happen to be at the @ prompt,
just type the command HANGUP and Sprintnet will immediately log you off and
hang up.
There is a lot more to be said about Sprintnet, as I have some detailed
manuals about the network, but this information should be enough to connect
you to a UNIX or VMS system, which you are more experienced at. You will want
to be careful in what you hack though. Even though Sprintnet doesn't allow
traces to customers without a warrant (which has caused problems for AOL and
the like), they can do traces themselves if they have the need, so if you get
into any control stations or other important systems you can expect to have
telco security knocking on your door.
But anyway, Sprintnet is generally a safer and easier network which you can
navigate at your convenience at the low cost of a local phone call. All you
need is the time to spend exploring and a little imagination in uncovering
the inner workings of this wonderful network.
+==================================+
[Free Software You Can Benefit From]
+==================================+
By Utopium
These days there are numerous high-powered applications that you have to
pay a high price to obtain. Sure, you may go to #warez and get stuff there,
but it's not always in original form and can have viruses. It would be good
to have free software available which you could obtain easily. Well, if you
are smart enough in searching, you may find something. In my searches I have
saved maybe thousands compared to buying from a software store. I'll tell you
where I have found some pretty good stuff.

One thing that is hard to find for DOS is a good C compiler. On most other
OS's they are free or come with the OS, but DOS compilers you have to buy for
over $100. But there is a compiler under the GNU license called GNU C. The
port from UNIX, called DJGPP, can be found on any Simtel mirror site under
the directory vendors/djgpp. There is also more information at
http://www.delorie.com if you want to read that before downloading. Once the
software is downloaded, you can use a number of high-powered debuggers and
libraries to create your programs. C code from other DOS compilers does need
to be modified at times, but it is well worth it when it saves you money.
There is a beta of version 2.0 currently in the works to make it a better
compiler.

One thing you won't find in GNU C is the ability to make Windows programs.
Visual Basic is one of the most popular tools for that, but with a very high
price tag even for the standard edition. There is a new company, though,
which is giving away a free 32-bit Windows programming tool called Envelop.
When I ran Envelop I was surprised that the company was distributing it this
way. It will let you easily create a Windows app for your needs with the same
power as Visual Basic. The one downside is that it is only available for
Windows 95. You can download the software at http://www.envelop.com.

In the past many UNIX systems had to be bought commercially from large
companies who charged thousands for copies. Lately there has been
development of free UNIX systems like Linux, FreeBSD, and NetBSD. These
free versions of the high-powered UNIX are complete systems and are now even
used by some Internet service providers. If you are tired of experimenting
with hacking in your restricted UNIX shell, you can download one of these
great OS's and go straight at all the internals. You can find out more at
http://www.linux.org, http://www.freebsd.org, and http://www.netbsd.org.

As you can see, you can get a lot of great software at no cost. All you need
to do is learn how to search out these great things.
Monitored AOL Session
by Utopium
Data from an immediate logon and logoff of AOL. All hex data is enclosed in
[] characters. The login and password are not shown and seem to be encrypted.
The login name was "Terrychp" and the password was "8008". The service was
connected to through Sprintnet at (202)659-2733, but it doesn't seem that the
phone number means anything except in the case that Sprintnet 800
connections are rejected. The following is all data captured during the
session, connecting to and disconnecting from AOL. There were no graphics
updates and there was no new mail. Nothing here has been modified.
Entry Comm Command Port Time Data
1 BuildCommDCB - 18:16:21.29
2 BuildCommDCB - 18:16:21.35
3 FlushComm 1 18:16:21.57 output
4 FlushComm 1 18:16:21.62 input
5 BuildCommDCB - 18:16:21.62
6 SetCommState - 18:16:21.68 0
7 GetCommState 1 18:16:22.06 0
8 SetCommState - 18:16:22.12 0
9 EscapeCommFunc 1 18:16:22.12 6
10 EscapeCommFunc 1 18:16:22.61 5
11 WriteComm 1 18:16:22.61 A
12 WriteComm 1 18:16:22.67 T
13 WriteComm 1 18:16:22.67 &
14 WriteComm 1 18:16:22.67 F
15 WriteComm 1 18:16:22.72 E
16 WriteComm 1 18:16:22.72 1
17 WriteComm 1 18:16:22.78 Q
18 WriteComm 1 18:16:22.78 V
19 WriteComm 1 18:16:22.78 1
20 WriteComm 1 18:16:22.83 &
21 WriteComm 1 18:16:22.83 D
22 WriteComm 1 18:16:22.83 2
23 WriteComm 1 18:16:22.89 X
24 WriteComm 1 18:16:22.89 4
25 WriteComm 1 18:16:22.89 &
26 WriteComm 1 18:16:22.94 C
27 WriteComm 1 18:16:22.94 1
28 WriteComm 1 18:16:22.94 &
29 WriteComm 1 18:16:22.94 Q
30 WriteComm 1 18:16:22.99 5
31 WriteComm 1 18:16:22.99 &
32 WriteComm 1 18:16:23.05 K
33 WriteComm 1 18:16:23.05 3
34 WriteComm 1 18:16:23.10 [0D]
35 ReadComm 1 18:16:23.10 AT&FE1QV1&D2X4&C1&Q5&K3[0D]
36 ReadComm 1 18:16:23.32 [0D][0A]OK[0D][0A]
37 FlushComm 1 18:16:23.43 output
38 FlushComm 1 18:16:23.43 input
39 WriteComm 1 18:16:24.97 +
40 WriteComm 1 18:16:24.97 +
41 WriteComm 1 18:16:24.97 +
42 ReadComm 1 18:16:26.51 +++
43 WriteComm 1 18:16:26.73 A
44 WriteComm 1 18:16:26.73 T
45 WriteComm 1 18:16:26.73 H
46 WriteComm 1 18:16:26.78 [0D]
47 ReadComm 1 18:16:26.84 ATH[0D]
48 ReadComm 1 18:16:27.00 [0D][0A]OK[0D][0A]
49 WriteComm 1 18:16:27.28 A
50 WriteComm 1 18:16:27.28 T
51 WriteComm 1 18:16:27.33 D
52 WriteComm 1 18:16:27.33 T
53 WriteComm 1 18:16:27.39 2
54 WriteComm 1 18:16:27.39 0
55 WriteComm 1 18:16:27.44 2
56 WriteComm 1 18:16:27.44 -
57 WriteComm 1 18:16:27.44 6
58 WriteComm 1 18:16:27.50 5
59 WriteComm 1 18:16:27.50 9
60 WriteComm 1 18:16:27.50 -
61 WriteComm 1 18:16:27.55 2
62 WriteComm 1 18:16:27.55 7
63 WriteComm 1 18:16:27.61 3
64 WriteComm 1 18:16:27.61 3
65 WriteComm 1 18:16:27.61 [0D]
66 ReadComm 1 18:16:27.61 ATDT202-659-2733[0D]
67 ReadComm 1 18:16:50.35 [0D][0A]CONNECT 19200[0D][0A]
68 FlushComm 1 18:16:51.06 output
69 FlushComm 1 18:16:51.06 input
70 WriteComm 1 18:16:51.67 @
71 WriteComm 1 18:16:52.11 D
72 WriteComm 1 18:16:52.49 [0D]
73 ReadComm 1 18:16:52.93 [0D][0A]TELENET[0D][0A][0D][0A]202 4003.58[0D][0A][0D][0A]TERMINAL=
74 WriteComm 1 18:16:53.31 D
75 WriteComm 1 18:16:53.37 1
76 WriteComm 1 18:16:53.42 [0D]
77 ReadComm 1 18:16:53.48 D1
78 ReadComm 1 18:16:53.70 [0D][0D][0A][0D][0A]@
79 WriteComm 1 18:16:53.86 p
80 WriteComm 1 18:16:53.92 a
81 WriteComm 1 18:16:53.97 r
82 WriteComm 1 18:16:54.03 ?
83 WriteComm 1 18:16:54.08
84 WriteComm 1 18:16:54.14 1
85 WriteComm 1 18:16:54.19 1
86 WriteComm 1 18:16:54.25 [0D]
87 ReadComm 1 18:16:54.30 par? 11
88 ReadComm 1 18:16:54.36 [0D]
89 ReadComm 1 18:16:54.52 [0D][0A]PAR 11:15[0D][0A][0D][0A]@
90 WriteComm 1 18:16:55.02 C
91 WriteComm 1 18:16:55.07
92 WriteComm 1 18:16:55.13 8
93 WriteComm 1 18:16:55.18 3
94 WriteComm 1 18:16:55.24 4
95 WriteComm 1 18:16:55.29 2
96 WriteComm 1 18:16:55.35 0
97 WriteComm 1 18:16:55.40 1
98 WriteComm 1 18:16:55.46 7
99 WriteComm 1 18:16:55.51 2
100 WriteComm 1 18:16:55.57 .
101 WriteComm 1 18:16:55.62 8
102 WriteComm 1 18:16:55.68 3
103 WriteComm 1 18:16:55.73 *
104 WriteComm 1 18:16:55.79 w
105 WriteComm 1 18:16:55.84 i
106 WriteComm 1 18:16:55.90 n
107 WriteComm 1 18:16:55.95 d
108 WriteComm 1 18:16:56.01 o
109 WriteComm 1 18:16:56.06 w
110 WriteComm 1 18:16:56.12 s
111 WriteComm 1 18:16:56.17
112 WriteComm 1 18:16:56.22 0
113 WriteComm 1 18:16:56.28 0
114 WriteComm 1 18:16:56.33 0
115 WriteComm 1 18:16:56.39 1
116 WriteComm 1 18:16:56.44 [0D]
117 ReadComm 1 18:16:56.50 C 83420172.83*windows 0001
118 ReadComm 1 18:16:56.72 [0D][0D][0A]834 20172.83 CONNECTED[0D][0A]
119 FlushComm 1 18:16:56.94 output
120 FlushComm 1 18:16:56.99 input
121 WriteComm 1 18:16:56.99 Zg[DC]
122 ReadComm 1 18:16:57.21 Z[B7][11]
123 WriteComm 1 18:16:57.27 Z[C4]x
124 ReadComm 1 18:16:58.26 Z=:
125 ReadComm 1 18:16:58.37 ZC[9A]
126 WriteComm 1 18:16:58.48 Z[06]~
127 ReadComm 1 18:16:59.08 @[11].[D8]Ki
128 WriteComm 1 18:17:12.10 Z[F4][C8]
129 ReadComm 1 18:17:13.03 Zro
130 ReadComm 1 18:17:13.20 @[01] [01] t [01][1F]!i
131 FlushComm 1 18:17:13.91 output
132 FlushComm 1 18:17:13.91 input
133 WriteComm 1 18:17:16.44 +
134 WriteComm 1 18:17:16.49 +
135 WriteComm 1 18:17:16.49 +
136 WriteComm 1 18:17:19.02 A
137 WriteComm 1 18:17:19.07 T
138 WriteComm 1 18:17:19.07 H
139 WriteComm 1 18:17:19.13 [0D]
140 WriteComm 1 18:17:20.17 A
141 WriteComm 1 18:17:20.17 T
142 WriteComm 1 18:17:20.17 &
143 WriteComm 1 18:17:20.23 F
144 WriteComm 1 18:17:20.23 [0D]
145 EscapeCommFunc 1 18:17:20.28 6
146 CloseComm 1 18:17:20.61
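As an added example, not part of the zine, a small Python parser that rebuilds the serial conversation from a comm-monitor log in the format above: runs of one-byte WriteComm entries are merged, [XX] hex tokens are decoded back to bytes, and the modem init string is split into its AT commands. The sample log is an excerpt of the entries above (entry 73 joined onto one line); my assumption is that an entry with a blank data column, like entry 83, was a single space. The meanings given for the AT commands are the common Hayes ones and are not stated anywhere in the log itself.

```python
"""Added example, not from the zine: rebuild the serial conversation from a
comm-monitor log (entry, call, port, time, data) and split the modem init
string into its AT commands."""
import re
from typing import Iterator, List, Tuple

# Excerpt of the log above (entry 73 joined onto one line).  Entry 83's data
# column is blank in the log; the parser treats that as a single space.
SAMPLE_LOG = """\
68 FlushComm 1 18:16:51.06 output
70 WriteComm 1 18:16:51.67 @
71 WriteComm 1 18:16:52.11 D
72 WriteComm 1 18:16:52.49 [0D]
73 ReadComm 1 18:16:52.93 [0D][0A]TELENET[0D][0A][0D][0A]202 4003.58[0D][0A][0D][0A]TERMINAL=
74 WriteComm 1 18:16:53.31 D
75 WriteComm 1 18:16:53.37 1
76 WriteComm 1 18:16:53.42 [0D]
77 ReadComm 1 18:16:53.48 D1
78 ReadComm 1 18:16:53.70 [0D][0D][0A][0D][0A]@
79 WriteComm 1 18:16:53.86 p
80 WriteComm 1 18:16:53.92 a
81 WriteComm 1 18:16:53.97 r
82 WriteComm 1 18:16:54.03 ?
83 WriteComm 1 18:16:54.08
84 WriteComm 1 18:16:54.14 1
85 WriteComm 1 18:16:54.19 1
86 WriteComm 1 18:16:54.25 [0D]
87 ReadComm 1 18:16:54.30 par? 11
88 ReadComm 1 18:16:54.36 [0D]
89 ReadComm 1 18:16:54.52 [0D][0A]PAR 11:15[0D][0A][0D][0A]@
"""

HEX_TOKEN = re.compile(r"\[([0-9A-Fa-f]{2})\]")


def decode(data: str) -> bytes:
    """Turn the log's printable-plus-[XX] notation back into raw bytes."""
    out = bytearray()
    pos = 0
    for m in HEX_TOKEN.finditer(data):
        out += data[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += data[pos:].encode("latin-1")
    return bytes(out)


def entries(log: str) -> Iterator[Tuple[str, bytes]]:
    """Yield (call, decoded data) per line; a missing data column is a space."""
    for line in log.splitlines():
        parts = line.split(None, 4)      # data may itself contain spaces
        if len(parts) < 4:
            continue
        data = parts[4] if len(parts) == 5 else " "
        yield parts[1], decode(data)


def reassemble(log: str) -> List[Tuple[str, bytes]]:
    """Merge consecutive same-direction entries into ('W'/'R', bytes) records."""
    out: List[Tuple[str, bytes]] = []
    for call, data in entries(log):
        direction = {"WriteComm": "W", "ReadComm": "R"}.get(call)
        if direction is None:
            continue   # FlushComm, EscapeCommFunc, ... carry no line traffic
        if out and out[-1][0] == direction:
            out[-1] = (direction, out[-1][1] + data)
        else:
            out.append((direction, data))
    return out


def commands_sent(log: str) -> List[str]:
    """Each line the application typed, without its terminating CR."""
    return [d.decode("latin-1").rstrip("\r") for w, d in reassemble(log) if w == "W"]


AT_TOKEN = re.compile(r"&?[A-Z][0-9]*")


def tokenize_at(init: str) -> List[str]:
    """Split 'AT&FE1QV1&D2X4&C1&Q5&K3' into commands.  Common Hayes meanings
    (not stated in the log): &F factory defaults, E1 echo on, Q (=Q0) result
    codes on, V1 verbose codes, &D2 hang up on DTR drop, X4 extended result
    codes, &C1 DCD follows carrier, &Q5 error-correction, &K3 RTS/CTS flow."""
    body = init.strip().upper()
    if not body.startswith("AT"):
        raise ValueError("not an AT command string")
    return AT_TOKEN.findall(body[2:])


if __name__ == "__main__":
    for direction, data in reassemble(SAMPLE_LOG):
        print(direction, data)
    print(commands_sent(SAMPLE_LOG))
    print(tokenize_at("AT&FE1QV1&D2X4&C1&Q5&K3"))
```

Reassembled this way, the excerpt reads as three typed lines (@D, D1, par? 11) and the PAD's replies, which is much easier to compare against the login procedure described in the Sprintnet article than the one-byte-per-row table.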