                                  UTOPIA

                              February 1996

                          PUBLISHED BY: Utopium

Utopia (yoo-to-pi-a), noun
  1. an imaginary island described as the place of perfect moral and
     social conditions.
  2. any place of perfection.
  3. any visionary plan for a perfect system of living.

Disclaimer: Everything within this publication is purely for informational
purposes. By reading this you take sole responsibility for any consequences.
I or any place that stores this publication take no responsibility for any
actions. All information here is subject to and protected by the First
Amendment of the Constitution of the United States. There is no guarantee on
any information in here. If you feel that any information here may be
offensive or illegal within your country then stop reading now.

Part 1 . . . . . . . . . . . . . . Introduction
Part 2 . . . . . . . . . . . . . . UNIX passwd cracking guide
Part 3 . . . . . . . . . . . . . . How to get free GNN access
Part 4 . . . . . . . . . . . . . . Sprintnet Navigation
Part 5 . . . . . . . . . . . . . . Free software you can benefit from
Part 6 . . . . . . . . . . . . . . Monitored AOL session

----------------
| INTRODUCTION |
----------------
(*) By Utopium (*)

Welcome to the first issue of Utopia! I am creating this magazine so I can
help inform everyone in the digital underground, plus I had a lot of time on
my hands while I was snowed in during the blizzard. Right now I am pretty much
writing it myself, but I am hoping I can get other writers, expand the areas I
have and add any new ones I don't have. Another reason I'm writing this
publication is because the government is pretty much making our lives pure
hell. As of this writing, Bill Clinton just signed the new telecommunications
bill into law. This includes the net decency act, which eliminates anything
not suitable for a five year old.
Now do you want the net to become a whole new government where there is no
free speech, no rights and everything is G rated? I don't think so. We need to
fight the system and do whatever we can to stop this craziness. Hopefully with
enough effort we can reach this goal. Anyway, enjoy the magazine; hopefully it
will be of good use to you. The homepage for this can be found at
http://www.geocities.com/siliconvalley/2643/ and you can also mail me with
article submissions or any helpful information at utopium@cyberspace.org. If
you send any interesting letters or comments I may publish those also.

================================
   UNIX PASSWD CRACKING GUIDE
================================
By Utopium

Well, you feel like your shell isn't good enough for you and you want to be
able to access a few more. You go and ask your sysadmin for more space and he
just laughs in your face. So you may just go cracking some passwords and using
other people's accounts. How are you going to do this? For one thing, you
can't let the sysadmin know you're doing this, so you should never try to run
a cracking program from your shell. Even though this may be easier and faster,
there is software to detect these types of intrusions. So you're going to have
to go to the next alternative: getting an actual unshadowed copy of the passwd
file. On some old or unsecured systems it can be as easy as just making a
straight copy. Other systems have it shadowed though, and you'll have to undo
that. Fortunately some UNIX systems will print out the whole thing for you
when you compile and run this program:

    #include <stdio.h>
    #include <pwd.h>

    /* Walk the password database with getpwent() and print each entry in
       passwd(5) layout: name:passwd:uid:gid:gecos:dir:shell.  Run by an
       unprivileged user on a shadowed system, the passwd field comes back
       as "x" or "*" rather than a hash. */
    int main(void)
    {
        struct passwd *p;

        while ((p = getpwent()) != NULL)
            printf("%s:%s:%d:%d:%s:%s:%s\n",
                   p->pw_name, p->pw_passwd, (int)p->pw_uid, (int)p->pw_gid,
                   p->pw_gecos, p->pw_dir, p->pw_shell);
        endpwent();
        return 0;
    }

But some systems won't show it even when this runs, so you're going to have to
do a little bit more hacking. You're on your own for that, considering the
approaches on different systems can vary.
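The defender's counterpart to the listing above, added here and not part of the original article: it parses passwd(5) lines in the same name:passwd:uid:gid:gecos:dir:shell layout and reports any entry whose second field still carries a crackable hash (the exposure the article relies on), an empty password field, or an extra uid 0 account. The sample lines and the hash-looking value on the "bob" line are constructed.

```python
import sys
from dataclasses import dataclass
from typing import List, Tuple

# Values a shadowed or locked system leaves in the passwd field instead of a hash.
SHADOW_MARKERS = {"x", "*", "!", "!!", "*NP*", "*LK*"}

# Constructed sample in passwd(5) layout: "bob" carries a made-up 13-character
# value standing in for a traditional crypt(3) hash, "guest" has no password,
# and "toor" is a second uid 0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
bin:*:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/sh
bob:Xy9QmZ2AbCdEf:1001:1001:Bob Example:/home/bob:/bin/csh
guest::1002:1002:Guest:/home/guest:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
"""


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one passwd(5) line; the gecos field may itself contain spaces."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, passwd, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell)


def hash_exposed(passwd: str) -> bool:
    """True when the field holds a hash any local user could copy and attack."""
    if passwd in SHADOW_MARKERS:
        return False
    # A lock prefix ("!" or "*") does not remove the hash behind it.
    return passwd.lstrip("!*") != ""


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (account, problem) pairs found in a world-readable passwd file."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        e = parse_passwd_line(line)
        if e.passwd == "":
            findings.append((e.name, "empty password field, login needs no password"))
        elif hash_exposed(e.passwd):
            findings.append((e.name, "hash stored in passwd, file is not shadowed"))
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "additional uid 0 account"))
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_passwd.py [/etc/passwd]; without an argument the sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for account, problem in audit_passwd(data):
        print(f"{account}: {problem}")
```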
Now that you've got the passwd file, it's time to crack it. I'm assuming that
you are running DOS and that you have already got a copy of Cracker Jack. All
you need now is a dictionary file. You can make a very large one by getting
word list files at the FTP site sable.ox.ac.uk/pub/wordlists. Once you have
built up a substantial word list, you need to use SORT to get all of these in
alphabetical order. When this is done, you'll want to kill duplicates and
eliminate anything that is too short or too long. You can probably make a very
simple thing in QBASIC to do this, especially if it's already sorted and dupes
come right after each other. Once this is all done you can just run Cracker
Jack and leave it going overnight. When you wake up you will see that you now
have access to many more shells than you did before.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
How to get free GNN access
by Utopium

Well, as you know there are a bunch of online services out there which you
would like to use but which cost too much. It used to be that you could fool
them so you could get free access, but they plugged up their security holes
and now you have to pay. For one thing, they aren't worth it anyway. Most
services are slow and don't have a straight connection to the Internet so you
can hack. But there is a new service which will do this all for you. What I am
talking about is GNN, or Global Network Navigator. This service was started by
the people at America Online in response to the demand from users for a
straight Internet connection. This service allows you to dial up and connect
via WINSOCK so you can use any Internet app you choose and not the defaults
that come with it. Making fake accounts on GNN is a little bit more tedious
than it was on other services, but considering how you have been cut off from
the others, this is your only shot.
The people at AOL gave this service the standard certificate login and password
for a new user, as always, but figured that they wouldn't have a problem if it
only worked once. They were wrong. Because they don't have instant credit card
checks, you can easily use a program like Credit Master or Credit Wizard to
generate a false number. Once this is done you have total access for a few
days before the account is deleted. To obtain the new user login and password,
first find a pay phone. Try and jump around to different ones each time you
call. If you call them up from your home number all the time they would catch
on. Once you are at the pay phone, call (800)819-6112 and press 1 for new user
information. Then give them a made up phone number and name and they will give
you the certificate. Then just sign on and get your free access. This
certificate will be deleted once you use it, so don't think of using it again.
Make sure you use a Sprintnet dialup so they won't trace you, especially if you
hack some major system on the Internet. And just like America Online, GNN won't
accept connections through the Sprintnet 800 number, so you are out of luck if
you run a laptop off a pay phone or whatever. But anyway, have fun!

+ -------------------- +
| Sprintnet Navigation |
+ -- + ---------- + -- +
     | By Utopium |
     + ---------- +

Many of you reading this might never have heard of Sprintnet before, and if
you have, you probably don't know much about it. Some of you may know it as
TELENET. They are the same in one way: TELENET is the network software and
Sprintnet is the actual physical network which uses the software. Sprintnet is
what is called a Packet Switching Network (PSN), which is used to allow users
to connect to systems residing on the network anywhere in the world. It is
also connected to other PSNs like Tymenet and Datapak.
Unlike the Internet, you do not need an account on the network to use it.
Although, of course, the systems that reside on the network are likely to need
an account, you can still navigate without paying a bill. PSNs are somewhat
like the phone system in that there are NPAs and numbers for each individual
system. Unlike a phone network, all calls are charged collect to the system
you are connecting to. This is one of the main reasons big online services
like America Online and GNN charge by the hour for service. Of course there
are a lot of other systems connected to PSNs, mainly business and government
computers. This is what we are interested in looking for.

To first use Sprintnet, you need to find a local access number. Even though
you can explore Sprintnet through the 800 number, this is a little more
expensive in the collect call and some customers reject connections through
the 800 number to save money. To find your local number, get in your terminal
program and dial 1-800-546-2500. Once you connect, there won't be anything
displayed, so you need to call up the login. Type @D and you should see
something like this:

    TELENET
    202 4002.46

    TERMINAL=

For the TERMINAL= prompt, just type D1 for a regular dummy mode. Since you are
on the 800 number it will also ask for the NPA and prefix of your phone
number. When you are finally at the @ prompt, type MAIL and you will come to a
username and password screen in which you should just type PHONES for both.
Then simply follow the menus and get the number closest to you. Hang up and
dial the new number. You'll have the exact same login process, except that
this time it won't ask for the NPA and prefix of your phone number since it is
a local call.

Now here's where we start the actual use. Sprintnet uses a simple command
system to navigate the network. A regular connection to an address involves
simply typing the number assigned to the system.
Just like the phone network, Sprintnet uses numbers similar to ones for
phones. An example of how the Network User Address (NUA) 03110020200244.79
works can be shown here:

    03110     202       00224      79
      |        |          |         |
    DNIC    Network    Network    Port
            Prefix     Address   Number

The DNIC is used to specify the region and network you are using. If you are
staying within Sprintnet NUAs in the United States, you can leave this part
out. Here is a list of other DNICs in the US if you want to navigate any other
networks:

    03101 - PTN-1                03126 - ADP-AutoNet
    03102 - MCI-Data-Trans       03127 - Telenet
    03103 - ITT-UTDS II          03132 - Compuserve
    03104 - WUI                  03134 - AT&T AccuNet
    03106 - Tymenet              03140 - SNET
    03110 - Sprintnet            03142 - Bell South
    03113 - RCA                  03145 - Pacific Bell
    03119 - Datapak              03146 - South West Bell
    03124 - PSTS                 03147 - Digipac
    03125 - UNINET               03150 - GlobeNet

The Network Prefix usually refers to the NPA where the node resides, so if you
want to search for a certain system in some area you can look up the NPA. Say
that you want to find some government systems; you would likely search the 202
area. The Network Address is the actual number assigned to the node. It has a
length of one to five digits and is usually preceded by zeros if shorter than
five, but you can easily cut those off for convenience and simply type 2021 to
connect to node 1 of the 202 area. The port number has a decimal point placed
in front of it to separate it from the address. Like an Internet port, there
are different functions on different ports and you will want to experiment
with these on any system you find to explore deeper.

Now that you know how the addressing system works, you need to find some
systems to connect to. You can search around the net or BBSs for any, or you
could try typing them yourself, but this can be a nuisance and lists you may
find could be out of date. It's a lot easier if you have a program to scan
NUAs for you. There is one available called NUA Attacker, which is generally a
wardialer for Sprintnet.
Since this just uses a one time call to the local Sprintnet dialup, you won't
have a large phone bill from long distance and people in the area won't get
that annoying ring in the middle of the night, so you won't have to worry
about the local police questioning you. All that is needed in configuring NUA
Attacker is to specify the local Sprintnet dialup and the range of NUAs you
wish to scan. You will also want to set the Bad PAD option to Yes since this
software was made for somewhat older lines. I have scanned about 3000 NUAs in
one night, so you are likely to find a fair number of systems. One warning
though: the log file can get cluttered with lots of Sprintnet error messages,
but you should be able to separate these from an error message a connected NUA
might give you. Unless you already have a copy of NUA Attacker, you can FTP
NUA.ZIP from ninja.techwood.org under the directory /pub/phreak. If you feel
like it you can try to program your own in BASIC or C also. But whatever fits
your needs should be good enough.

Okay, so you've found some systems, looked around a bit, and want to try
another NUA but don't want to have to hang up and redial again. All you have
to do is type @ in a quick sequence. Some systems may lock this function out
and you will have to hang up anyway. And if you happen to be at the @ prompt,
just type the command HANGUP and Sprintnet will immediately log you off and
hang up.

There is a lot more to be said about Sprintnet, as I have some detailed
manuals about the network, but this information should be able to connect you
to a UNIX or VMS system which you are more experienced at. You will want to be
careful in what you hack though. Even though Sprintnet doesn't allow traces to
customers without a warrant (which has caused problems for AOL and the like),
they can do traces themselves if they have the need, so if you get into any
control stations or any other important system you can expect to have telco
security knocking on your door.
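To make the NUA breakdown described above concrete, here is an added parser (my own, not the article's and not part of NUA Attacker) that splits an NUA into DNIC, network prefix, address and port, accepts the shortened forms the text mentions (DNIC omitted, leading zeros dropped, port absent) and names the network from the DNIC table the article gives. The rule that a leading 0 marks a DNIC is an assumption drawn from that table and from the fact that an NPA never starts with 0.

```python
import re
from dataclasses import dataclass
from typing import Optional

# US DNICs as listed in the article.
DNICS = {
    "03101": "PTN-1", "03102": "MCI-Data-Trans", "03103": "ITT-UTDS II",
    "03104": "WUI", "03106": "Tymenet", "03110": "Sprintnet", "03113": "RCA",
    "03119": "Datapak", "03124": "PSTS", "03125": "UNINET",
    "03126": "ADP-AutoNet", "03127": "Telenet", "03132": "Compuserve",
    "03134": "AT&T AccuNet", "03140": "SNET", "03142": "Bell South",
    "03145": "Pacific Bell", "03146": "South West Bell", "03147": "Digipac",
    "03150": "GlobeNet",
}

_NUA_RE = re.compile(r"^(?P<main>\d+)(?:\.(?P<port>\d+))?$")


@dataclass
class NUA:
    dnic: Optional[str]   # five-digit network code, None when left out
    prefix: str           # three-digit network prefix, usually the NPA
    address: str          # node number, one to five digits, leading zeros removed
    port: Optional[str]   # digits after the decimal point, if any

    @property
    def network(self) -> str:
        if self.dnic is None:
            return "Sprintnet (DNIC omitted)"
        return DNICS.get(self.dnic, "unknown DNIC " + self.dnic)

    def canonical(self) -> str:
        """Full form: DNIC (Sprintnet assumed if omitted), prefix, address
        padded back to five digits, and the port when present."""
        full = (self.dnic or "03110") + self.prefix + self.address.zfill(5)
        return full + ("." + self.port if self.port else "")


def parse_nua(text: str) -> NUA:
    """Parse an NUA typed with or without spaces, DNIC, leading zeros or port."""
    m = _NUA_RE.match(text.replace(" ", ""))
    if not m:
        raise ValueError(f"not an NUA: {text!r}")
    main, port = m.group("main"), m.group("port")
    dnic = None
    # Assumption: every DNIC in the table starts with 0 and no NPA does, so a
    # leading 0 means the first five digits are the DNIC.
    if main.startswith("0"):
        dnic, main = main[:5], main[5:]
    if not 4 <= len(main) <= 8:
        raise ValueError(f"prefix plus address must be 4 to 8 digits: {text!r}")
    prefix, address = main[:3], main[3:].lstrip("0") or "0"
    return NUA(dnic, prefix, address, port)
```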
But anyway, Sprintnet is generally a safer and easier network which you can
navigate at your convenience at the low cost of a local phone call. All you
need is the time to spend exploring and a little imagination in uncovering the
inner workings of this wonderful network.

+==================================+
[Free Software You Can Benefit From]
+==================================+
By Utopium

These days there are numerous high powered applications that you have to pay a
high price to obtain. Sure, you may go to #warez and get stuff there, but it's
not always in original form and can have viruses. It would be good to have
free software available which you could obtain easily. Well, if you are smart
enough in searching, you may find something. In my searches I have saved maybe
thousands compared to buying from a software store. I'll inform you on where I
have found some pretty good stuff.

One thing that is hard to find for DOS is a good C compiler. Most on other OSs
are generally free or come with the OS, but DOS compilers you have to buy for
over $100. But there is a compiler made under the GNU license called GNU C.
This port from UNIX, called the DJGPP port, can be found on any Simtel mirror
site under the directory vendors/djgpp. There is also more information at
http://www.delorie.com if you want to read that before downloading. Once the
software is downloaded, you can use a number of high powered debuggers and
libraries to create your programs. C code from other DOS compilers does need
to be modified at times, but it is well worth it when it can save you money.
There is a beta of version 2.0 currently in the works trying to make it a
better compiler.

One thing you won't find in GNU C is the ability to make Windows programs.
Visual Basic is one of the most popular ones out there, but with a very high
price tag even for the standard edition. But there is a new company which is
giving away a free 32-bit Windows programming utility.
When I ran Envelop I was surprised that the company was distributing it this
way. It will allow you to easily create a Windows app for your needs with the
same power as Visual Basic. The one downside is that it is only available for
Windows 95. You can download the software at http://www.envelop.com.

In the past many UNIX systems had to be bought commercially from large
companies who charged thousands for copies. Lately there has been development
of free UNIX systems like Linux, FreeBSD, and NetBSD. These ports of the high
powered UNIX take everything in detail and are now even used by some Internet
service providers. If you are annoyed at experimenting at hacking in your
restricted UNIX shell, you can download one of these great OSs and go straight
at all the internals. You can find out more at http://www.linux.org,
http://www.freebsd.org, and http://www.netbsd.org.

As you can see you can get a lot of great software at no cost. All you need to
do is just learn how to search out these great things.

Monitored AOL Session
by Utopium

Data from immediate logon and logoff of AOL. All HEX data is enclosed in []
characters. Login and password are not shown and seem to be encrypted. The
login name was "Terrychp" and the password was "8008". The service was
connected to through Sprintnet at (202)659-2733, but it doesn't seem that the
phone number means anything except in the case that Sprintnet 800 connections
are rejected. The following is all data captured during the session connecting
to and disconnecting from AOL. There were no graphic updates and there was no
new mail.
Nothing here has been modified.

Entry  Comm Command    Port  Time         Data
    1  BuildCommDCB    -     18:16:21.29
    2  BuildCommDCB    -     18:16:21.35
    3  FlushComm       1     18:16:21.57  output
    4  FlushComm       1     18:16:21.62  input
    5  BuildCommDCB    -     18:16:21.62
    6  SetCommState    -     18:16:21.68  0
    7  GetCommState    1     18:16:22.06  0
    8  SetCommState    -     18:16:22.12  0
    9  EscapeCommFunc  1     18:16:22.12  6
   10  EscapeCommFunc  1     18:16:22.61  5
   11  WriteComm       1     18:16:22.61  A
   12  WriteComm       1     18:16:22.67  T
   13  WriteComm       1     18:16:22.67  &
   14  WriteComm       1     18:16:22.67  F
   15  WriteComm       1     18:16:22.72  E
   16  WriteComm       1     18:16:22.72  1
   17  WriteComm       1     18:16:22.78  Q
   18  WriteComm       1     18:16:22.78  V
   19  WriteComm       1     18:16:22.78  1
   20  WriteComm       1     18:16:22.83  &
   21  WriteComm       1     18:16:22.83  D
   22  WriteComm       1     18:16:22.83  2
   23  WriteComm       1     18:16:22.89  X
   24  WriteComm       1     18:16:22.89  4
   25  WriteComm       1     18:16:22.89  &
   26  WriteComm       1     18:16:22.94  C
   27  WriteComm       1     18:16:22.94  1
   28  WriteComm       1     18:16:22.94  &
   29  WriteComm       1     18:16:22.94  Q
   30  WriteComm       1     18:16:22.99  5
   31  WriteComm       1     18:16:22.99  &
   32  WriteComm       1     18:16:23.05  K
   33  WriteComm       1     18:16:23.05  3
   34  WriteComm       1     18:16:23.10  [0D]
   35  ReadComm        1     18:16:23.10  AT&FE1QV1&D2X4&C1&Q5&K3[0D]
   36  ReadComm        1     18:16:23.32  [0D][0A]OK[0D][0A]
   37  FlushComm       1     18:16:23.43  output
   38  FlushComm       1     18:16:23.43  input
   39  WriteComm       1     18:16:24.97  +
   40  WriteComm       1     18:16:24.97  +
   41  WriteComm       1     18:16:24.97  +
   42  ReadComm        1     18:16:26.51  +++
   43  WriteComm       1     18:16:26.73  A
   44  WriteComm       1     18:16:26.73  T
   45  WriteComm       1     18:16:26.73  H
   46  WriteComm       1     18:16:26.78  [0D]
   47  ReadComm        1     18:16:26.84  ATH[0D]
   48  ReadComm        1     18:16:27.00  [0D][0A]OK[0D][0A]
   49  WriteComm       1     18:16:27.28  A
   50  WriteComm       1     18:16:27.28  T
   51  WriteComm       1     18:16:27.33  D
   52  WriteComm       1     18:16:27.33  T
   53  WriteComm       1     18:16:27.39  2
   54  WriteComm       1     18:16:27.39  0
   55  WriteComm       1     18:16:27.44  2
   56  WriteComm       1     18:16:27.44  -
   57  WriteComm       1     18:16:27.44  6
   58  WriteComm       1     18:16:27.50  5
   59  WriteComm       1     18:16:27.50  9
   60  WriteComm       1     18:16:27.50  -
   61  WriteComm       1     18:16:27.55  2
   62  WriteComm       1     18:16:27.55  7
   63  WriteComm       1     18:16:27.61  3
   64  WriteComm       1     18:16:27.61  3
   65  WriteComm       1     18:16:27.61  [0D]
   66  ReadComm        1     18:16:27.61  ATDT202-659-2733[0D]
   67  ReadComm        1     18:16:50.35  [0D][0A]CONNECT 19200[0D][0A]
   68  FlushComm       1     18:16:51.06  output
   69  FlushComm       1     18:16:51.06  input
   70  WriteComm       1     18:16:51.67  @
   71  WriteComm       1     18:16:52.11  D
   72  WriteComm       1     18:16:52.49  [0D]
   73  ReadComm        1     18:16:52.93  [0D][0A]TELENET[0D][0A][0D][0A]202 4003.58 [0D][0A][0D][0A]TERMINAL=
   74  WriteComm       1     18:16:53.31  D
   75  WriteComm       1     18:16:53.37  1
   76  WriteComm       1     18:16:53.42  [0D]
   77  ReadComm        1     18:16:53.48  D1
   78  ReadComm        1     18:16:53.70  [0D][0D][0A][0D][0A]@
   79  WriteComm       1     18:16:53.86  p
   80  WriteComm       1     18:16:53.92  a
   81  WriteComm       1     18:16:53.97  r
   82  WriteComm       1     18:16:54.03  ?
   83  WriteComm       1     18:16:54.08
   84  WriteComm       1     18:16:54.14  1
   85  WriteComm       1     18:16:54.19  1
   86  WriteComm       1     18:16:54.25  [0D]
   87  ReadComm        1     18:16:54.30  par? 11
   88  ReadComm        1     18:16:54.36  [0D]
   89  ReadComm        1     18:16:54.52  [0D][0A]PAR 11:15[0D][0A][0D][0A]@
   90  WriteComm       1     18:16:55.02  C
   91  WriteComm       1     18:16:55.07
   92  WriteComm       1     18:16:55.13  8
   93  WriteComm       1     18:16:55.18  3
   94  WriteComm       1     18:16:55.24  4
   95  WriteComm       1     18:16:55.29  2
   96  WriteComm       1     18:16:55.35  0
   97  WriteComm       1     18:16:55.40  1
   98  WriteComm       1     18:16:55.46  7
   99  WriteComm       1     18:16:55.51  2
  100  WriteComm       1     18:16:55.57  .
  101  WriteComm       1     18:16:55.62  8
  102  WriteComm       1     18:16:55.68  3
  103  WriteComm       1     18:16:55.73  *
  104  WriteComm       1     18:16:55.79  w
  105  WriteComm       1     18:16:55.84  i
  106  WriteComm       1     18:16:55.90  n
  107  WriteComm       1     18:16:55.95  d
  108  WriteComm       1     18:16:56.01  o
  109  WriteComm       1     18:16:56.06  w
  110  WriteComm       1     18:16:56.12  s
  111  WriteComm       1     18:16:56.17
  112  WriteComm       1     18:16:56.22  0
  113  WriteComm       1     18:16:56.28  0
  114  WriteComm       1     18:16:56.33  0
  115  WriteComm       1     18:16:56.39  1
  116  WriteComm       1     18:16:56.44  [0D]
  117  ReadComm        1     18:16:56.50  C 83420172.83*windows 0001
  118  ReadComm        1     18:16:56.72  [0D][0D][0A]834 20172.83 CONNECTED[0D][0A]
  119  FlushComm       1     18:16:56.94  output
  120  FlushComm       1     18:16:56.99  input
  121  WriteComm       1     18:16:56.99  Zg[DC]
  122  ReadComm        1     18:16:57.21  Z[B7][11]
  123  WriteComm       1     18:16:57.27  Z[C4]x
  124  ReadComm        1     18:16:58.26  Z=:
  125  ReadComm        1     18:16:58.37  ZC[9A]
  126  WriteComm       1     18:16:58.48  Z[06]~
  127  ReadComm        1     18:16:59.08  @[11].[D8]Ki
  128  WriteComm       1     18:17:12.10  Z[F4][C8]
  129  ReadComm        1     18:17:13.03  Zro
  130  ReadComm        1     18:17:13.20  @[01] [01] t [01][1F]!i
  131  FlushComm       1     18:17:13.91  output
  132  FlushComm       1     18:17:13.91  input
  133  WriteComm       1     18:17:16.44  +
  134  WriteComm       1     18:17:16.49  +
  135  WriteComm       1     18:17:16.49  +
  136  WriteComm       1     18:17:19.02  A
  137  WriteComm       1     18:17:19.07  T
  138  WriteComm       1     18:17:19.07  H
  139  WriteComm       1     18:17:19.13  [0D]
  140  WriteComm       1     18:17:20.17  A
  141  WriteComm       1     18:17:20.17  T
  142  WriteComm       1     18:17:20.17  &
  143  WriteComm       1     18:17:20.23  F
  144  WriteComm       1     18:17:20.23  [0D]
  145  EscapeCommFunc  1     18:17:20.28  6
  146  CloseComm       1     18:17:20.61
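As an added example (mine, not from the article), a reader for the log format above: it undoes the [XX] hex escapes and stitches the one-character WriteComm rows back into the strings the client actually sent, so the hangup command, the TELENET banner and the +++ escape (which is ended by a pause rather than a carriage return) can be read in one line each. The sample is a subset of the rows above, copied as they appear.

```python
import re

# Constructed sample: rows copied from the session table above
# (entry, comm command, port, time, data); hex bytes are written as [XX].
SAMPLE_LOG = """\
43 WriteComm 1 18:16:26.73 A
44 WriteComm 1 18:16:26.73 T
45 WriteComm 1 18:16:26.73 H
46 WriteComm 1 18:16:26.78 [0D]
47 ReadComm 1 18:16:26.84 ATH[0D]
48 ReadComm 1 18:16:27.00 [0D][0A]OK[0D][0A]
70 WriteComm 1 18:16:51.67 @
71 WriteComm 1 18:16:52.11 D
72 WriteComm 1 18:16:52.49 [0D]
73 ReadComm 1 18:16:52.93 [0D][0A]TELENET[0D][0A][0D][0A]202 4003.58 [0D]
133 WriteComm 1 18:17:16.44 +
134 WriteComm 1 18:17:16.49 +
135 WriteComm 1 18:17:16.49 +
136 WriteComm 1 18:17:19.02 A
137 WriteComm 1 18:17:19.07 T
138 WriteComm 1 18:17:19.07 H
139 WriteComm 1 18:17:19.13 [0D]
145 EscapeCommFunc 1 18:17:20.28 6
"""


def decode(data):
    """Replace [0D]-style hex escapes with the characters they stand for."""
    return re.sub(r"\[([0-9A-Fa-f]{2})\]", lambda m: chr(int(m.group(1), 16)), data)


def seconds(t):
    """Turn HH:MM:SS.ss into seconds since midnight."""
    h, m, s = t.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def reassemble(log, guard=1.0):
    """Return ("W", text) per string the client sent and ("R", text) per read.
    A sent string ends at CR, at the next non-write row, or after a pause of
    at least `guard` seconds: the +++ escape is terminated by a pause, not CR."""
    out, buf, last = [], "", None
    for row in log.splitlines():
        parts = row.split(None, 4)
        if len(parts) < 4:
            continue
        cmd, when = parts[1], seconds(parts[3])
        # a missing data column on a write row means a single space was sent
        text = decode(parts[4]) if len(parts) > 4 else (" " if cmd == "WriteComm" else "")
        paused = last is not None and when - last >= guard
        if cmd != "WriteComm" or paused or text == "\r":
            if buf:
                out.append(("W", buf))
            buf = ""
        if cmd == "WriteComm":
            last = when
            if text != "\r":
                buf += text
        else:
            last = None
            if cmd == "ReadComm":
                out.append(("R", text))
    if buf:
        out.append(("W", buf))
    return out
```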