
Hacking RSTS/E Systems Part 4

ShadowSpawn BBS Presents..
                          INSIDE RSTS/E  VOLUME IV
                             By: The Marauder
                          The Legion of Hackers !
 The information in this document is intended for informational purposes only
           Written - December 11, 1984.  Zone communications, LOH
        In this document, I will describe how to create, delete, and edit
accounts, and how to modify the System Account file to help escape detection.
I will assume, for the most part, that you have read my earlier files on RSTS/E
and/or have a working knowledge of the RSTS/E Runtime System.
    On all versions of RSTS/E lower than V9, the system manager uses a program
called 'REACT' to create new accounts and to remove old ones. REACT normally
resides in the system library account (1,2), under the name 'REACT.BAC' or
'REACT.TSK', depending on who installed the system.
If you don't find it in (1,2), do a 'DIR(*,*)REACT.*' and find out where
it's been moved to.
To run the program, you must have privileges (run it from a (1,*) account).
Usage of the program is as follows:   (from 'Ready')
PROJ,PROG? 1,233
Function? - This is where you specify whether you are deleting or creating an
           account. It can be one of two choices:
           1) E = E)nter/create an account.
           2) D = D)elete an account.
NOTE: When deleting an account, the account must be completely empty
       (use 'PIP (P,PN)/ZE'), otherwise the error message
       '?Account in use..' will result.
Proj,Prog?   This is where you enter the Project-Programmer number of the
             account you wish to create (or delete). It must be two numbers
             between 1 and 255 (inclusive), separated by a comma
             (i.e. 1,33 - 50,50 - 2,20 - etc.).
             If you are deleting an account, it should be the PPN of the
             account you wish to delete.
Password?    This is where you enter the password you want assigned to the
             account. Enter the password in the format "XXXXXX",
             where "XXXXXX" = 1 to 6 upper case letters, or numbers, or
             a combination of both (i.e. LOD1, 1234, A1B2C, etc.).
NOTE: Some versions of REACT will respond with 'Disk:password?', allowing
       you to specify which disk you want the account to be created on, and
       its password. In either case, just enter the password and ignore
       the disk qualifier. Since you can only log into accounts that reside
       on the system (SY:) disk, it's for the most part useless to create an
       account on, say, 'DB1:', unless you wish to use it for storage purposes
       only. If you have reason to create an account on any other disk than
       the system disk, you would use the format:
       "Disk:password? DB1:PASSWD".  To access this account, you will either
        have to be in a privileged account (thus allowing you access to any
        other account on the system), or be logged into a 'mirror' account
        on the system disk. For example, say you created an account
        DB1:(40,40): to access it, you would have to be logged into account
        SY:(40,40) to modify anything in the account DB1:(40,40).
        In any case, if you receive the 'Disk:password?' prompt and wish
        to create an account on the system disk (one that you can actually
        log into), just enter the password you have selected.
Quota?   This is where you set the maximum size of disk space (in blocks)
         that the account can have. It can be from 0 to 32767 (inclusive).
         Selecting a Quota size of '0' (zero), gives the account unlimited
Cluster size?   This must match the clustersize of the system disk. It
                can be 4, 8, or 16 (16 being the most common). You can
                find the system clustersize by using the 'SYSTAT' command, or
                if that is unavailable, use trial and error: if the clustersize
                you enter at this point does not correspond with the system
                cluster size, an error message will result, so just try
                the next size up until it matches.
Account name?   This is a symbolic 'Account name' that is basically not
                used anywhere except in the file '$ACCT.SYS' (which will be
                discussed in detail later). You can give it any name you
                want. For the above example I used the name 'LOD USERS'; in
                reality I would probably just hit <c/r> at this question,
                thus giving it no name.
     If the above questions were answered with valid responses, REACT would now
create the specified account (1-6 seconds, depending on the system performance),
and a description of the account (PPN, disk, password, etc.) will be
entered into the file '$ACCT.SYS'.
NOTE: When using the 'D - Delete' command, you will be asked only the following
PROJ,PROG? 30,30
'D' being the 'DELETE' specification, "30,30" being the account you wish
to delete, and "SY:" being the disk that account (30,30) currently
exists on.  If the account was empty, REACT would remove this account
(although reference to the account will still exist in the file '$ACCT.SYS').
In both cases (after the account has been created or deleted), REACT will
return to "Proj,Prog?". If you have additional accounts to create or
delete, you can enter them now; if you are done, hit "^Z" (control Z)
to exit.
        The file '(1,2)ACCT.SYS' is the System Account file. It is a
file that contains descriptions of the accounts that are on the system, such
as the account name, its password, etc. Contrary to popular belief, it is
-NOT- where RSTS/E looks to find the password & other information when a
person is logging in. It is simply a symbolic file, used by the System
Manager to help keep track of what accounts are being used.  It is a standard
ASCII file that is opened in 'APPEND' mode when REACT is used to create
a file.  It is quite useful for obtaining other accounts, especially if
you are a non-privileged user and have found a program on the system that
will allow you to dump files anywhere (such as some versions of $RPGDMP.TSK).
You would simply dump this file. It should look something like this:
1,  1,SY:DEMO  ,0,16,SYSM
0,  1,SY:SYSPAK,0,16
Column 1   -  is the account # (PPN).
       2   -  the disk the account resides on, and the account's password.
       3   -  is the account's quota (see above).
       4   -  the account's clustersize.
       5   -  the account's symbolic name.
1,  1 - Tells you that this is the description of account (1,1).
SY:DEMO - tells you that the password to account (1,1) is 'DEMO', and that it
          resides on the system (SY:) disk, thus you can actually log into
0     -  Says that the quota for account (1,1) is '0' (unlimited).
16    -  The clustersize for account (1,1) is 16.
SYSM  -  is the symbolic name for account (1,1). This is the only place I
         have actually seen the 'Symbolic Name' referenced. It has
         no other use than to help the System Manager determine what purpose
         the account serves (while looking through $ACCT.SYS). It is most often
         used in school systems, where the name of the student who owns
         said account would be used for its symbolic name.
        As I said above, every time an account is created using 'REACT', an
entry is made in $ACCT.SYS.  When an account is deleted, though, REACT
-DOES NOT- remove the entry from ACCT.SYS, so if you were to make 10 accounts
then remove them, reference to them would STILL exist in ACCT.SYS, which would
immediately raise the suspicion of even the most naive System Manager the next
time he took a look into ACCT.SYS.  Fortunately the file $ACCT.SYS is a standard
ASCII file, so you can use any text editor available on the system to actually
remove the entries in it. Simply 'TECO $ACCT.SYS', search for the
accounts, and delete the entire line.
NOTE 1 - I would also advise editing $ACCT.SYS after you create -ANY- account
        (ones that you wish to be permanent). This makes your account a little
        less obvious, and unless a System Manager either sees you on the system
        or happens to do a "DIR (*,*)" and by luck notices it, he will not find
        reference to it in $ACCT.SYS.
NOTE 2 - The information in $ACCT.SYS is NOT always 100% accurate. For example,
         if the password to an account is changed (with UTILTY, or a custom
         program - to be discussed in a future volume), this DOES NOT update
         the information in $ACCT.SYS. This is especially common in schools
         where the students are assigned a standard password and encouraged to
         change it as soon as possible.  Fortunately, though, the privileged
         accounts are not changed as often, and you can usually come up with,
         at the worst, one privileged account/password, and use the program
         "(1,2)MONEY", or a small user-written program, to find every password
         on the System.
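A defender's view of the point above, as an added example that is not part of the original file: because deleting an account leaves its $ACCT.SYS line behind, and an edited-out line leaves an account with no record, comparing the file against the accounts that really exist surfaces both cases. The sample lines, the ON_DISK set and the function names are constructed for illustration.

```python
import re

# Constructed sample in the $ACCT.SYS layout shown above:
# project, programmer, disk:password, quota, clustersize, symbolic name.
ACCT_SYS = """\
1,  1,SY:DEMO  ,0,16,SYSM
0,  1,SY:SYSPAK,0,16
30, 30,SY:XXXXXX,100,16,OLD CLASS
"""

# Constructed stand-in for the accounts that really exist on SY:. How a site
# collects this list (e.g. from a privileged directory listing) is assumed.
ON_DISK = {(0, 1), (1, 1), (1, 233), (40, 40)}

LINE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*,\s*([A-Za-z0-9]+):")

def parse_acct_sys(text):
    """Return ({(proj, prog): disk}, [numbers of lines that did not parse]).
    The password field is skipped on purpose and never stored."""
    entries, bad = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE.match(line)
        if not m or not all(0 <= int(g) <= 255 for g in m.group(1, 2)):
            bad.append(n)
            continue
        entries[(int(m.group(1)), int(m.group(2)))] = m.group(3).upper()
    return entries, bad

def reconcile(entries, on_disk, disk="SY"):
    """Compare the record with reality for one disk."""
    listed = {ppn for ppn, d in entries.items() if d == disk}
    return {
        # Account exists but has no line: made without REACT, or line removed.
        "unlisted": sorted(on_disk - listed),
        # Line exists but account does not: deleted, REACT left the entry.
        "stale": sorted(listed - on_disk),
    }

if __name__ == "__main__":
    entries, bad = parse_acct_sys(ACCT_SYS)
    print("unparsed lines:", bad)
    for kind, ppns in reconcile(entries, ON_DISK).items():
        print(kind, ppns)
```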
Here is a small program that will display the password for any account, given
the PPN (account number). It does, of course, require privileges to run.
1  ! LOGPAS - V1.0-00
4  !
5       EXTEND
10      ON ERROR GOTO 500
20      DIM M%(30%) : DIM T%(30%)
40      M%(I%)=0% FOR I% = 1% TO 30%
45      T%(I%)=0% FOR I% = 1% TO 30%
50      M%(0%) = 9%
55      M%(1%) = 6%
60      M%(2%) = 14%
65      M%(7%) = PROG%
79      M%(8%) = PROJ%
80      CHANGE M% TO M$
85      T$ = SYS(M$)
90      CHANGE T$ TO T%
95      PSW$ = RAD$(T%(9%)+SWAP%(T%(10%)))+RAD$(T%(11%)+SWAP%(T%(12%)))
100     PRINT 'PASSWORD = ';PSW$
110     GOTO 30
32766   NO EXTEND
32767   END
        To use this program, simply type it in at the RSTS/E BASIC parser
(at 'Ready'), or upload the above program (as an ASCII file) directly
to the RSTS/E BASIC parser, and type 'RUN'. It will ask you for an account
(PROJ,PROG?); enter the account you want the password for, and it will be
printed out. Use ^C (control C) to exit from the program.
That's about it for this issue. Until the next volume, dial with care...
This document is the property of the Legion of Hackers as a whole. Sysops
are free to use it, as long as nothing is changed.  Any questions, comments, or
corrections can be made directly to me, at my BBS, The Twilight Zone, or to
any member of the Legion of Hackers.
