1 Global OutDials on DECservers - Italy - May 1996
\r
5 þ Finding a DECserver
\r
7 The DECserver is a terminal server, it connects its terminals to
\r
8 hosts available on an Ethernet Local Area Network.
\r
9 DecServers are usually reachable via telnet and sometimes via dialup.
\r
10 Via telnet you need to scan/search for them in the internet,
\r
11 Via dialups use a good Carrier Scanner like ToneLoc or THC-Scan.
\r
14 About telnet connection decservers have normal ip addresses,
\r
15 but what we are interested in is the alpha address, 'cause almost always
\r
16 it starts with "DS"; just something like:
\r
17 DS7001.fuck.you.asshole
\r
18 and if the owners are very very lame it can even contain the
\r
19 string "MODEM" or "DIAL" (wow!) in its alpha address.
\r
20 So what I suggest is to combine a brute force scanning with an intelligent
\r
21 (smart) behaviour...
\r
22 You should first find a route ip address of a university or of a science
\r
23 research network or whatelse you (and, after some scanning, your experience)
\r
24 think could have such a beautiful device.
\r
25 It should be a network big enough to have several vaxes and other machines...
\r
26 Note that not always an alpha address starting with "DS"
\r
27 leads to a DECserver , i.e. sometimes ultrix machines have an address
\r
29 [I personally made a script to scan subnets from XXX.XXX.0.0 to
\r
30 XXX.XXX.255.255 or from XXX.XXX.XXX.0 to XXX.XXX.XXX.255
\r
31 and to save only interesting alpha addresses,
\r
32 but i don't suggest to use it automatically, in other words
\r
33 take it always under control and use your brain!]
\r
35 þ Warning: usually scripts like this do a lot of noise;
\r
36 think about "lastcomm" "ps" and things like that ...
\r
37 þ Warning: to do subnet scanning you need an host with a very fast connection
\r
38 þ Warning: CERT SUX !!!!!! ;)
\r
41 instead of a script it's wiser to do a zone transfer (for example with
\r
42 nslookup or dig) to get all the alpha names in a domain. But this needs
\r
43 a) an skilled unix user and b) the target DNS server must allow zone
\r
44 transfers. (There are other methods but this article isn't about unix
\r
45 hacking ;-) So I only present this better possiblity which not many can
\r
46 do reading this article.
\r
50 Nothing much to say about scanning these ... just do a fast carrier scan
\r
51 of an area overnight and hope you get a dec-server. If you know that a
\r
52 company has got dialups and a big computer network, then try to scan
\r
53 those local numbers. There aren't much on toll free numbers and those
\r
54 are usually more protected.
\r
56 If you connect via dialup, you have no problem to recognize it:
\r
57 _______________________________________________________________________________
\r
59 DECserver 700-08 Communications Server V1.1 (BL44G-11A) - LAT V5.1
\r
62 (c) Copyright 1992, Digital Equipment Corporation - All Rights Reserved
\r
64 Please type HELP if you need assistance
\r
70 ------------------------------------------------[FROM alt.2600/#hack.FAQ]------
\r
73 But if you connect via telnet it will not appear anything on your screen:
\r
75 -------------------------[Start Capture]---------------------------------------
\r
77 telnet> open ds7001.fuck.you.asshole
\r
78 Trying 123.45.678.910 ...
\r
79 Connected to ds7001.fuck.you.asshole
\r
80 Escape character is '^]'.
\r
82 ---------------------------[End Capture]--------------------------------------
\r
85 All you have to do is just press enter (it's easy uh?), and it will
\r
86 appear a "#" prompt (at this time you are quite sure it's a DECserver),
\r
87 echo gets off and ...
\r
88 now comes the time to type the password to enter the DEC ...
\r
89 I won't tell you the default pwd (which in 99% of my times was the good one)
\r
90 'cause .... 'cause shit ! Do I have to tell you everything??? (scan!)
\r
91 It's a very very lame password usually one of the firsts that you could think
\r
92 of. You have 3 tries, after that it disconnects you. I don't know if there are
\r
93 warnings or logs of wrong attempts made, but can tell that IF the password is
\r
94 not the default one, then the system administrators take care about security
\r
95 very very much, so be careful.
\r
96 Typing the right password appears the same screen of the first capture
\r
97 (look up!), you are asked a username but it isn't of any importance, just
\r
98 type something unsuspicious like just one letter.
\r
101 þ Once in ... let's find out if there's a modem !
\r
103 The "Local> " prompt is the DECserver prompt , I strongly suggest to give a
\r
104 "help" command 'cause the dec help is very kind and it will tell you
\r
105 more interesting things you can imagine... and you should learn from practice,
\r
106 not reading shitty articles like this one from zines <g> !
\r
107 Ok, to have an idea of where you are , there are two commands :
\r
110 The second one will tell you all the possible connections:
\r
113 ---------------------[Start Capture]-------------------------------------------
\r
114 Local> show services
\r
116 Service Name Status Identification
\r
117 AXPXXS Available DEC OSF/1 Version V3.2 LAT SERVICE
\r
118 AXPXX1 Available @sys$manager:XXXXXXXX_axp.txt
\r
119 AXPXX2 Unknown DEC OSF/1 Version V3.0 LAT SERVICE
\r
120 AXPXX3 Available ALPHA 3000/400 - XXXXXX IV - XXX
\r
121 AXPXX5 Available ALPHA 3000/400 - XXXXXX II - XXX
\r
122 AXPXX6 Available ALPHA 3000/300 - XXXXXX IV/XXXXX - XXX
\r
123 AXPXX7 Available ALPHA 3000/300 - C.S. - XXX
\r
124 AXPXX8 Available DEC 200 4/166 - XXXXXX III - XXX
\r
125 AXPXX9 Available DEC 200 4/166 - VETOR_1 - XXX
\r
126 AXPXXA Available DEC 200 4/166 - VETOR_2 - XXX
\r
127 AXPXXB Available DEC 400 4/233 - G. XXXXXX
\r
128 AXPXXC Unknown DEC 200 4/166 - AXX - XXX
\r
129 AXPXXD Available DEC 200 4/166 - AXX - XXX
\r
130 XXXXXXX Available ULTRIX 4.3 (RISC)
\r
131 XXXXXXXX Available MV3100-M76 XXXX-XXX XXXX2
\r
132 XXXXXX Available VS3100-M76 - C. XXXXXXX
\r
133 XXXXXX Available XXXXserver 310 XXXXXXXXXXXXXXXXX
\r
134 MVCB0 Unknown VS 2100 - XXXXX
\r
135 MVCBCT Available XXXX cluster - VAX/VMS V5.5
\r
136 MXXXX2 Available VS3100 - XXX Server Decnet-XXX
\r
137 MXXXX7 Available MV3100-M76 - XXXXXXXXXXXXXXXXX
\r
138 MVXXX8 Available Welcome to VAX/VMS V5.5-2
\r
139 MVXXX4 Available VS3100-M76 - Disk server-
\r
140 MX31CS Available Welcome to VAX/VMS V5.5-2
\r
141 SATCS3 Available MV3100-M76 - X.X.
\r
142 XXXXXE Unknown DEC OSF/1 Version V3.0 LAT SERVICE
\r
143 VAXXXX Available @SYS$MANAGER:XXXXXXX.TXT
\r
144 VS31C1 Unknown Welcome to VAX/VMS V5.5-2
\r
145 VS40C6 Available Welcome to VAX/VMS V5.5-2
\r
146 VSXX12 Unknown VS3100 - X. XXXXXX
\r
147 VSXX11 Available VS2000 - S. XXXXXXXXXXXX
\r
148 VXXX12 Available VS 2000/50 - XXXXXXS
\r
149 VX31CS Available Welcome to VAX/VMS V5.5-2
\r
150 ----------------------------------[End Capture]-------------------------------
\r
153 Reading the description or the service name it's easy to find out a modem.
\r
154 If you find it, let's say its name is "DS1MODEM" , you just have to use
\r
155 the "connect" command:
\r
157 -------------------------[Start Capture]---------------------------------------
\r
159 Local> connect DS1MODEM
\r
160 Local -010- Session 1 to DS1MODEM on node DS7001 established
\r
165 Press [ENTER] to access L.o.r.E. BBS
\r
167 -------------------------[End Capture]-----------------------------------------
\r
170 þ ... A little bit difficult
\r
172 If from the "show services" doesn't seem to be any modem (try also strange
\r
173 services and services without description) don't lose any hope 'cause often
\r
174 devices such as modems are used only by sys-administrators, they create the
\r
175 service when they need it and then "CLEAR" it.
\r
176 What you have to do is look all the PORTS of the DECserver for modems ...
\r
177 Here you use the "SHOW PORT" command:
\r
179 --------------------------[Start Capture]--------------------------------------
\r
183 Port 8: Server: DSLE8
\r
184 Character Size: 8 Input Speed: 9600
\r
185 Flow Control: XON Output Speed: 9600
\r
186 Parity: None Signal Control: Disabled
\r
187 Stop Bits: Dynamic Signal Select: CTS-DSR-RTS-DTR
\r
188 Access: Local Local Switch: None
\r
189 Backwards Switch: None Name: PORT_8
\r
190 Break: Local Session Limit: 4
\r
191 Forwards Switch: None Type: Ansi
\r
192 Default Protocol: LAT
\r
193 Preferred Service: VAXXX
\r
194 Authorized Groups: 0
\r
195 (Current) Groups: 0
\r
196 Enabled Characteristics:
\r
197 Autobaud, Autoprompt, Broadcast, Input Flow Control, Lock,
\r
198 Loss Notification, Message Codes, Output Flow Control, Verification
\r
201 -------------------------------[End Capture]-----------------------------------
\r
203 All of these informations are interesting but the one which usually tells
\r
204 if a modem is connected to the port is:
\r
206 Enabled Characteristics:
\r
207 Dialup, etc..., etc..., etc,...
\r
209 So give a look at all ports, if there's nothing interesting throw that DEC
\r
210 in the trash ,otherwise you NEED PRIVELEGES to use the modem ...
\r
211 In 50% of cases the password to become privileged user is the default one,
\r
212 in 85% of cases it's a lame one ...
\r
213 Once again I won't tell you the privileged user default password (which is
\r
214 different from the first password) but once again I say it's an absolutely
\r
216 To become Privileged user do:
\r
221 Once again have 3 tries ,but this time I'm sure that an invalid attempt
\r
222 is logged with a certain warning value!
\r
223 If after you've typed the pwd it answers with the "Local>" prompt it
\r
224 means you're a privileged user , and finally you can do :
\r
226 Local> set port 1 service FUCKYOU
\r
227 Local> connect FUCKYOU
\r
229 And enjoy your dialout ;)
\r
234 There's a lot to learn about DECservers, about all the settings and options
\r
235 you can switch, so experiment ... they are useful to penetrate systems
\r
236 and can tell you very much about a network ... lot of DECs have also
\r
237 an active telnet command ...
\r
239 And you can often find valid telnet targets with the command "show domain".
\r
240 So these DECservers can also be useful to pass a Firewall (!) and to enter
\r
241 internal networks which would normally not available (not connected to
\r
242 the internet) ! But this once again goes to far into unix hacking ...
\r
244 But be careful do not abuse too much, use your brain ...
\r
245 Think that sooner or later a phone bill arrives to someone and ....
\r
246 Use modem outdials only in hours when you know offices and machines' rooms
\r
249 Greets and Have Fun!
\r
250 ANARCHY ALL OVER THE WORLD !!!!!!!!
\r
251 To All Italian H/P scene doods: We need to be united !
\r
252 Leave me a message on
\r
253 LorE BBS +49-69-823282
\r
254 Login: THC Pwd: THC
\r