:-----------------------------------------------------------: : : : M A K I N G T H E M O S T O F : : R S T S / E S Y S T E M S : : ====================================== : : : : Written by : Captain Hack : : : of Melbourne, : : : Australia. : : Written on : 01-Feb-86. : : File No. : V01A-01 : : : :-----------------------------------------------------------: Originally Displayed in the U.S. on: P-80 Int'l Information Systems INTRODUCTION. This file is a tutorial on making the the most of a RSTS/E system, making the most could mean anything from making the system do so neat tricks, to using it to you advantage, to taking it over completely; depending on your needs! For most of the examples you will need an account, obviously non-privilaged, else you would not be reading this tutorial. Bear in mind that most, if not all, of the techniques described can be changed by the sysop. I found this out while trying them, but most sysop's don't realize everythings full potential and how it will be used; needless to say that I most likely have missed out on things. Anyway I hope you like the tutorial and you have an educational experience! I will rely on also using your imagination and ingenuity, as this is often needed. OBTAINING OLD FILES. If ever you have a valuble file that you don't want people to see the contents of for one reason or another, always write other information (random of fixed) over the entire file before deleting it. When the system creates a file it likes to have it continuous if possible, which means many blocks will be consecutive. When a file is created the system alters information in a system file indicting that a particular block or set of blocks have been allocated so as they will not be over-written. The directory knows which which blocks are associated with which file, but when you delete a file, the system flags the used blocks as available and delete the directory entry. The system doesn't wipe the information. To dig up these old blocks, write yourself a program to open a large file, I will leave the size up to you. You use the filesize option in the OPEN statement to do this, then just read in the blocks. When possible use block I/O for file manipulation because of its speed and convienience. Look through the blocks any if one if worth keeping save if to another file. -2- Seeing as BASIC programs have line numbers, as long as you find all the blocks, file reconstruction is easy. There of course is no guarantee that you will find them all. Some may have been reallocated, but it's amazing what you can find! The bigger the block cluster size used in files the easier it is to reconstruct them. Just experiment! ANNOYING THE USERS. A way to annoy the users of the system is a techinque discovered just after we found out about the block recovery. After finding remnants of some of my data strewn across the system I decided the best thing to do was to zero all the available disk space. One Sunday night we wrote a program to open a very large file (all free disk space in fact) and proceeded to zero this. This was sucessful, except when the system was supposed to kill the file something went wrong and the file was not deleted. The next morning, before the sysops arrived, the users tried to login. Because there was no free space to write login records or do anything! No-one could login! Apparently this had the operators mystified why they couldn't get into their system. They had to reboot, or so I heard, they later worked out what had happended. They then asked why! THE PSEUDO KEYBOARD. The pseudo keyboard (device PKnn:) must be about the most useful and versatile device. This is the device to be used for the perfect hack! Originally, like many people, I saw it in a manual and really didn't read about it but as usual when I was going over the manuals with a fine tooth comb I read into it. Although most of the weak-points discussed in this tutorial can be removed by patching implemented by the system operator, they are likely to ignore them. The pseudo keyboard is a keyboard which doesn't physically exist! When you open the channel and do I/O's with it it appears like another keyboard. It even has a keyboard number. This is useful for extracting inormation for your programs that can only be accessed in command mode. An example of this is SYSTAT. I recommend that you get hold of a PROGRAMMING MANUAL and read it thoroughly, including the section on pseudo keyboards. PASSWORD CATCHING. Password catching is always desirable if you want access to a privilaged account! When I first started out we ran a crude program which did I/O's to the desired terminal and gave the responses that the system would give. A number of problems that we ran into was that you cannot fake the whole system, that is impossible using those methods, and also this did not allow for timing delays which most users were used to and expected. -3- With these old programs, the passwords obtained never lasted long because the user almost always knew they had been caught because users get suspicious when they get an INVALD ENTRY - TRY AGAIN message when they put in their correct password. This problem left me pondering how could you write the "perfect" password catcher. When I discovered pseudo keyboards I was thinking of applications, then it hit me. Why not simulate the whole job of another user? It was possible too! To do this you write a program to open a channel to the keyboard where the person will enter the desired account number and password. You also open a pseudo keyboard. Basically from then on you pass the data from one to the other, and you keep checking what is being typed and when the account number and password are detected save them to a disk file encoded or what ever. You should continue to simulate the job until the person logs off. There are a few things to be careful about. When the person runs SYSTAT make sure the output is sent to the terminal replaces the pseudo keyboard number with his keyboard number. Make sure he doesn't see a channel is open to his terminal and other things like that. Another things to be careful of is that he doesn't run programs to tell him his keyboard number or a few other things like that or a program where the terminal where it is run from affects its operation, if he does it could be quite hard to deal with. All of the techniques I describe will need practice and perfection. Perfect things before using them and don't tell people what you are doing. Another thing to be careful of are operators who look at the files in your account. A simple way to deal with those people is to encrypt/code those files and keep decoded copies online for as little time as possible. If you can't stay at a terminal to have the password catcher program running don't despair because I will show you how to detach jobs later. My biggest piece of advice is always stalk and watch the target system first for a while. Get to know what most or all of the programs in the project 1 accounts do, and only after you are sure should you try and pull a stunt like I decribe. Once you have a privilaged password you must use your own imagination to how you use it. Remember always be security conscious. Don't take unneccessary risks and by the time you get to a privilaged account you should know all the SYS functions possible and how to use them to your advantage. If you system keeps login and logout records remember to edit them, because depending on what you do, your activities should be able to go on undetected! DETACHING JOBS. There is one way a non-privilaged user can detach a job. This is done using pseudo keyboards. You will need to read the PROGRAMMING MANUAL (the RSTS/E bible for hackers!) and write yourself a program to almost simulate a job except you do it to your terminal and you don't log the passwords etc.. -4- When you are logged into your account and you run this program it will look on your terminal like you are logged out again and you will have to log into the system again. Log into the account which you want to detach the job from and you must have access to the program from this account. You should execute the program you want detached then have a special key sequence that will close the channel to the pseudo keyboard. You detacher program will finish and that is how you do it. ut you say that doesn't work, it just kills the job you started when you closed the channel to the pseudo keyboard, but you didn't wait for the most important piece! When opening the pseudo keyboard you must have included MODE 1 in the OPEN statement which tells the system to detach the job when you close the channel instead of killing the job. When you do a SYSTAT you will see your job running detached. Don't forget opertors mightn't like you detaching too many jobs so do it when they aren't around. For a job to terminate itself you may try getting it to run LOGOUT, but when it tries to output something like a message saying your disk space or have a nice afternoon it will sit there helpless in a HB wait state until someone attaches to it (like you or an operator) or an operator kills it. To get around this take notice of the message you get when you log in and you have a job detached. The system tells you that and asks if you want to attach. So you what you do is make you detached program open a pseudo keyboard in a mode that won't detach it and get that job to log into your account. Don't worry about entrusting your password to the program as others can't obtain it. Anyway when you get the new job to log in make it attach to the job you wanted killed, then when your original program closes the channel to the pseudo keyboard the job running on the pseudo keyoard is killed and it effectively kills itself as it attached to itself in a manner of speaking, and thus the job disappears! (Well it worked on the system I tried it on) RECOMMENDATIONS. When you attempt to do all of this I advise you to get hold of (buy ($20) or borrow) the RSTS/E PROGRAMMING MANUAL. There would be at least one with the system and are also available from DEC (Digital Equipment Corporation). Finally, non of the above methods and techniques are guaranteed as they can be removed or altered by the system operators. All of the techniques are valid and are not bugs in the operating system. Whether your operator knows about them or what they can do is a different matter! Anyhow have fun, RSTS/E is a good operating system, and don't do anything that I wouldn't do! :--------------------------THE-END--------------------------: