initial push of all stuff :)

[oweals/thc-archive.git] / Papers / dec-serv.txt

   Global OutDials on DECservers                  - Italy -   May 1996\r
   by Zhart/THC\r
\r
                   \r
þ Finding a DECserver\r
\r
 The DECserver is a terminal server, it connects its terminals to\r
 hosts available on an Ethernet Local Area Network.\r
 DecServers are usually reachable via telnet and sometimes via dialup.\r
 Via telnet you need to scan/search for them in the internet,\r
 Via dialups use a good Carrier Scanner like ToneLoc or THC-Scan.\r
\r
Telnet:\r
 About telnet connection decservers have normal ip addresses,\r
 but what we are interested in is the alpha address, 'cause almost always\r
 it starts with "DS"; just something like:\r
      DS7001.fuck.you.asshole\r
 and if the owners are very very lame it can even contain the\r
 string "MODEM" or "DIAL" (wow!) in its alpha address.\r
 So what I suggest is to combine a brute force scanning with an intelligent\r
 (smart) behaviour...\r
 You should first find a route ip address of a university or of a science\r
 research network or whatelse you (and, after some scanning, your experience)\r
 think could have such a beautiful device.\r
 It should be a network big enough to have several vaxes and other machines...\r
 Note that not always an alpha address starting with "DS"\r
 leads to a DECserver , i.e. sometimes ultrix machines have an address\r
 like that.\r
[I personally made a script to scan subnets from XXX.XXX.0.0 to\r
 XXX.XXX.255.255 or from XXX.XXX.XXX.0 to XXX.XXX.XXX.255\r
 and to save only interesting alpha addresses,\r
 but i don't suggest to use it automatically, in other words\r
 take it always under control and use your brain!]\r
\r
 þ Warning: usually scripts like this do a lot of noise;\r
            think about "lastcomm" "ps" and things like that ...\r
 þ Warning: to do subnet scanning you need an host with a very fast connection\r
 þ Warning: CERT SUX !!!!!!   ;)\r
\r
 NOTE: \r
 instead of a script it's wiser to do a zone transfer (for example with\r
 nslookup or dig) to get all the alpha names in a domain. But this needs\r
 a) an skilled unix user and b) the target DNS server must allow zone\r
 transfers. (There are other methods but this article isn't about unix\r
 hacking ;-) So I only present this better possiblity which not many can\r
 do reading this article.\r
\r
\r
Dialup:\r
 Nothing much to say about scanning these ... just do a fast carrier scan\r
 of an area overnight and hope you get a dec-server. If you know that a\r
 company has got dialups and a big computer network, then try to scan\r
 those local numbers. There aren't much on toll free numbers and those\r
 are usually more protected.\r
\r
 If you connect via dialup, you have no problem to recognize it:\r
_______________________________________________________________________________\r
\r
DECserver 700-08 Communications Server V1.1 (BL44G-11A) - LAT V5.1\r
DPS502-DS700\r
\r
(c) Copyright 1992, Digital Equipment Corporation - All Rights Reserved\r
\r
Please type HELP if you need assistance\r
\r
Enter username> THC\r
\r
Local>\r
\r
------------------------------------------------[FROM alt.2600/#hack.FAQ]------\r
\r
\r
 But if you connect via telnet it will not appear anything on your screen:\r
\r
-------------------------[Start Capture]---------------------------------------\r
\r
telnet> open ds7001.fuck.you.asshole\r
Trying 123.45.678.910 ...\r
Connected to ds7001.fuck.you.asshole\r
Escape character is '^]'.\r
\r
---------------------------[End Capture]--------------------------------------\r
\r
\r
 All you have to do is just press enter (it's easy uh?), and it will\r
 appear a "#" prompt (at this time you are quite sure it's a DECserver),\r
 echo gets off and ...\r
 now comes the time to type the password to enter the DEC ...\r
 I won't tell you the default pwd (which in 99% of my times was the good one)\r
 'cause .... 'cause shit ! Do I have to tell you everything??? (scan!)\r
 It's a very very lame password usually one of the firsts that you could think\r
 of. You have 3 tries, after that it disconnects you. I don't know if there are\r
 warnings or logs of wrong attempts made, but can tell that IF the password is\r
 not the default one, then the system administrators take care about security\r
 very very much, so be careful.\r
 Typing the right password appears the same screen of the first capture\r
 (look up!), you are asked a username but it isn't of any importance, just\r
 type something unsuspicious like just one letter.\r
\r
\r
þ Once in ... let's find out if there's a modem !\r
\r
 The "Local> " prompt is the DECserver prompt , I strongly suggest to give a\r
 "help" command 'cause the dec help is very kind and it will tell you\r
 more interesting things you can imagine... and you should learn from practice,\r
 not reading shitty articles like this one from zines <g> !\r
 Ok, to have an idea of where you are , there are two commands :\r
 "show users"\r
 "show services"\r
 The second one will tell you all the possible connections:\r
\r
\r
---------------------[Start Capture]-------------------------------------------\r
Local> show services\r
\r
Service Name        Status       Identification\r
AXPXXS              Available    DEC OSF/1 Version V3.2 LAT SERVICE\r
AXPXX1              Available    @sys$manager:XXXXXXXX_axp.txt\r
AXPXX2              Unknown      DEC OSF/1 Version V3.0 LAT SERVICE\r
AXPXX3              Available     ALPHA 3000/400 - XXXXXX IV - XXX\r
AXPXX5              Available     ALPHA 3000/400 - XXXXXX II - XXX\r
AXPXX6              Available     ALPHA 3000/300 - XXXXXX IV/XXXXX - XXX\r
AXPXX7              Available     ALPHA 3000/300 - C.S. - XXX\r
AXPXX8              Available     DEC 200 4/166 - XXXXXX III - XXX\r
AXPXX9              Available     DEC 200 4/166 - VETOR_1 - XXX\r
AXPXXA              Available     DEC 200 4/166 - VETOR_2 - XXX\r
AXPXXB              Available           DEC 400 4/233 -  G. XXXXXX\r
AXPXXC              Unknown       DEC 200 4/166 - AXX - XXX\r
AXPXXD              Available     DEC 200 4/166 - AXX - XXX\r
XXXXXXX             Available    ULTRIX 4.3 (RISC)\r
XXXXXXXX            Available           MV3100-M76   XXXX-XXX   XXXX2\r
XXXXXX              Available           VS3100-M76 - C. XXXXXXX\r
XXXXXX              Available    XXXXserver 310 XXXXXXXXXXXXXXXXX\r
MVCB0               Unknown             VS 2100 - XXXXX\r
MVCBCT              Available           XXXX cluster - VAX/VMS V5.5\r
MXXXX2              Available           VS3100 - XXX Server Decnet-XXX\r
MXXXX7              Available           MV3100-M76 - XXXXXXXXXXXXXXXXX\r
MVXXX8              Available           Welcome to VAX/VMS V5.5-2\r
MVXXX4              Available           VS3100-M76 - Disk server-\r
MX31CS              Available           Welcome to VAX/VMS V5.5-2\r
SATCS3              Available           MV3100-M76 - X.X.\r
XXXXXE              Unknown      DEC OSF/1 Version V3.0 LAT SERVICE\r
VAXXXX              Available    @SYS$MANAGER:XXXXXXX.TXT\r
VS31C1              Unknown             Welcome to VAX/VMS V5.5-2\r
VS40C6              Available           Welcome to VAX/VMS V5.5-2\r
VSXX12              Unknown             VS3100 - X. XXXXXX\r
VSXX11              Available           VS2000 - S. XXXXXXXXXXXX\r
VXXX12              Available           VS 2000/50 - XXXXXXS\r
VX31CS              Available           Welcome to VAX/VMS V5.5-2\r
----------------------------------[End Capture]-------------------------------\r
\r
\r
 Reading the description or the service name it's easy to find out a modem.\r
 If you find it, let's say its name is "DS1MODEM" , you just have to use\r
 the "connect" command:\r
\r
-------------------------[Start Capture]---------------------------------------\r
\r
Local> connect DS1MODEM\r
Local -010- Session 1 to DS1MODEM on node DS7001 established\r
atz\r
OK\r
atdt004969823282\r
CONNECT 14400/REL\r
Press [ENTER] to access L.o.r.E. BBS\r
\r
-------------------------[End Capture]-----------------------------------------\r
\r
\r
þ ... A little bit difficult\r
\r
 If from the "show services" doesn't seem to be any modem (try also strange\r
 services and services without description) don't lose any hope 'cause often\r
 devices such as modems are used only by sys-administrators, they create the\r
 service when they need it and then "CLEAR" it.\r
 What you have to do is look all the PORTS of the DECserver for modems ...\r
 Here you use the "SHOW PORT" command:\r
\r
--------------------------[Start Capture]--------------------------------------\r
\r
Local> show port 8\r
\r
Port  8:                               Server: DSLE8\r
Character Size:            8           Input Speed:               9600\r
Flow Control:            XON           Output Speed:              9600\r
Parity:                 None           Signal Control:        Disabled\r
Stop Bits:           Dynamic           Signal Select:  CTS-DSR-RTS-DTR\r
Access:                Local           Local Switch:              None\r
Backwards Switch:       None           Name:                    PORT_8\r
Break:                 Local           Session Limit:                4\r
Forwards Switch:        None           Type:                      Ansi\r
Default Protocol:        LAT\r
Preferred Service: VAXXX\r
Authorized Groups:   0\r
(Current)  Groups:   0\r
Enabled Characteristics:\r
Autobaud,  Autoprompt,  Broadcast,  Input Flow Control,  Lock,\r
Loss Notification,  Message Codes,  Output Flow Control,  Verification\r
\r
\r
-------------------------------[End Capture]-----------------------------------\r
\r
 All of these informations are interesting but the one which usually tells\r
 if a modem is connected to the port is:\r
\r
Enabled Characteristics:\r
Dialup, etc..., etc..., etc,...\r
\r
 So give a look at all ports, if there's nothing interesting throw that DEC\r
 in the trash ,otherwise you NEED PRIVELEGES to use the modem ...\r
 In 50% of cases the password to become privileged user is the default one,\r
 in 85% of cases it's a lame one ...\r
 Once again I won't tell you the privileged user default password (which is\r
 different from the first password) but once again I say it's an absolutely\r
 lame pwd!\r
 To become Privileged user do:\r
\r
Local> set priv\r
Password>\r
\r
 Once again have 3 tries ,but this time I'm sure that an invalid attempt\r
 is logged with a certain warning value!\r
 If after you've typed the pwd it answers with the "Local>" prompt it\r
 means you're a privileged user , and finally you can do :\r
\r
Local> set port 1 service FUCKYOU\r
Local> connect FUCKYOU\r
\r
 And enjoy your dialout ;)\r
\r
\r
þ Epilogue\r
\r
 There's a lot to learn about DECservers, about all the settings and options\r
 you can switch, so experiment ... they are useful to penetrate systems\r
 and can tell you very much about a network ... lot of DECs have also\r
 an active telnet command ...\r
\r
 And you can often find valid telnet targets with the command "show domain".\r
 So these DECservers can also be useful to pass a Firewall (!) and to enter\r
 internal networks which would normally not available (not connected to\r
 the internet) !  But this once again goes to far into unix hacking ...\r
\r
 But be careful do not abuse too much, use your brain ...\r
 Think that sooner or later a phone bill arrives to someone and ....\r
 Use modem outdials only in hours when you know offices and machines' rooms\r
 are closed ...\r
\r
Greets and Have Fun!\r
ANARCHY ALL OVER THE WORLD !!!!!!!!\r
To All Italian H/P scene doods: We need to be united !\r
                                Leave me a message on\r
                                LorE BBS +49-69-823282\r
                                Login: THC  Pwd: THC\r
\r
 Zhart/THC\r
\1a