Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: General Information :: vthack3.txt

Virginia Tech Hacking File 3





     Well, it's time for yet another installment in Virginia Tech
hacking.  Yes, it's....   VTHACK #3!!!!  Brought to you by the
Mad Hermit and crew.  This time, we're going to focus on the OTHER
big network on campus: LocalNet.  LocalNet (L-Net) has been around
for a much longer period of time, and as such has quite a few more
caves and back alleys to explore.  Its main purpose is to connect
the faculty and grad students directly to mainframes, and thus
much of what is found when poking around are login prompts.  An
aggrivating factor that has been added to this is the inclusion of
"Port Servers" (PS's).  You know when you've hit a PS when L-Net
tells you you've connected, but no key that you press has any
effect.  The purpose of a PS is to act as a deterrent to hackers.
It also might have the additional function of baud rate detection,
but though it sounds logical, we haven't found out for sure.  We
must admit that it does protect.  The best way to keep system
crashers away is not to tell them what they've found through simple
redialing.  This is a lot like keeping party crashers away by 
saying that there's a party going on at a certain place, but not
telling them who's invited or who's giving the bash.  Effective for
the dim-witted, impatient, and amateur party crashers, but not for
others. 
     PS's sit and stare out at you until you start sending it
characters.  If the first few aren't the specific ones it's looking
for, it will continue to gobble up everything else until you give
up and hang up.  Typical PS "codes" are easy-to-remember sequences
like 'ZZ' or 'ASDF', and they then pass you on to the main login
prompt.  These "codes" aren't like passwords, since the added
access they give you isn't worth beans unless you've got a line on
where to go from the login prompt.  However, we here feel that
information like that is in fact "restricted" in that you are
gaining unauthorized additional access to systems.  As such, we've
decided to leave the fun of figuring them out to those interested
in such weekend diversiions.
     Before we give you what you're probably waiting for: neato
numbers to call on L-Net, we'd like to explain stuff.  First, this
isn't a complete list, nor could it really be.  L-Net addresses are
in Hexidecimal and range from 0000 to FFFF.  That's 65536 different
possibilities.  We only went through ten thousand of these, and are
only listing those that got any response.  Second, L-Net addresses 
may connect to any number of ports, but we haven't seen any more
than 4 or 5.  Thus, the total possible connections assuming an
average of 2 ports per connection and an average of about 15
connections per thousand addresses comes to just under 2000.  
Assuming this is correct (very doubtful), finding where these are
is quite a task.  Third, and on the positive side, some connections
open up large worlds of access.  These unpassworded gateways are 
known as servers, and typically are DECservers.  The biggest and
most notorious is listed at 0358 and can handle a max of 128 users.
You can use these servers to connect to multiple computers at once,
and have extensive help files telling you what to do.  Fourth, and
also on the plus side, L-Net doesn't kick you off.  Ever.  Multiple
redialing is the name of the game, and listed below is a Red Ryder
script that works under version 9.4 that dials consecutive integers
at a rate of about 40 a minute.  Fifth and finally, bum connections
don't just leave you in the cold.  Hitting CONTROL-A twice pops you
immediately into local mode, where a STATUS tells you where you are
connected, and a "DONE X" will disconnect you from session number
X.  Calling, by the way, is done by typing "CALL XXXX[,P]" where
XXXX is the hex address, and P is the optional port number, which
is seperated by a comma.

     Red Ryder 9.4 Local-Net Scanner Script.

COPYINTO ~8,ENTER NUMBER TO START AT
(GET1)
QUERY1 ~1
EMPTY ~1
IF YES JUMPTO (GET1)
LET EQUAL `1,~1
LET EQUAL `3,`1
COPYINTO ~8,ENTER LENGTH OF SEARCH
(GET2)
QUERY1 ~2
EMPTY ~2
IF YES JUMPTO (GET2)
LET EQUAL `2,~2
ADD `3,`2
COPYINTO ~3,`3
SUBTRACT `1,1
(NEXT)
ADD `1,1
TEST `1=~3
IF YES JUMPTO (QUIT)
TYPE Call 
TYPE `1
TYPE ^M
ALERT1 UNIT/JUMPTO (NEXT)
ALERT2 BUSY/JUMPTO (NEXT)
PANICAFTER 10
PROMPT CONNECTED
PAUSE
BELL
BELL
BELL
BELL
JUMPTO (QUIT)
(QUIT)
END

   And here's what our illustrious, untiring crew have discovered:

Node    Port#    What 
----    -----    ----
0008      1
0074     0,1     VTME (Mechanical Engineering)
0116     0,1
0124     0,1
0126     0,1
000A      1
000B     0,1
000C     0,1
000E     0,1
00FF     0,1
0170     0,1
0175     0,1     Popeye (Computer Science)
0350      0      VTCC1
0351     0,1      " "
0352     0,1      " "
0354     0,1      " "
0355      1       " "
0356     0,1      " "
0357     0,1      " "
0358     0,1     DECServer 500
0359     0,1     DECServer 500 (same as above, different port bank)
0400     0,1     VTME (again)
0401     0,1      "   "   "
0402     0,1      "   "   "
0403     0,1
0404     0,1     VTME (yet again)
0405      0       "   "   "   "
0450     0,1     DECServers (see note 3)
0451     0,1      "   "  "
0452     0,1      "   "  "
0453     0,1      "   "  "
0454     0,1      "   "  "
0455     0,1      "   "  "
0536     0,1
600-601         "Remote Ports Busy"
603-607         "Remote Ports Busy"
1010     0,1
1100-1103       "Remote Ports Busy"
1300      0      VTVM1
5100      1      VTVM1
5300     0,1
5500-5503       "Remote Ports Busy"
5510     0,1
5512     0,1
5514     0,1
5516     0,1
5518      1
5530     0,1
5534     0,1
5536     0,1
5548     0,1
5548     0,1
5550     0,1
5552     0,1
5554      0
6000      1
6002      0      Node[20] (see note 1)
6003     0,1
6100-6103       "Remote Ports Busy"
6200      1      Node[2] (see note 2)
6230-6231       "Remote Ports Busy"
6300     0,1
6301     0,1
6302     0,1     Node[2] (see note 2)
6303      0
6410      1
6414      0
6419      1
6420      1
6428     0,1
6429      1
6433      0
6437      1
643A      1
643B      0
6502      0      VTVMS
6503      0       " "
6504      0       " "
6505      0       " "
6506      0       " "
6507      0       " "
6508      0       " "
6509      0       " "
8001      1
8002      0
8003      0
8004     0,1
8005      0
8006      1
8007      1
8008      0
8009      0
8080     0,1
9000-9016       "Remote Ports Busy"
9018-9019       "Remote Ports Busy"
9302      0
9300     0,1,2,3,4

Notes:
------
1) Node[20], popularly known as the Node Router, went out of
services shortly after VTHacker #2 was distributed.  Apologies
are NOT extended to those who assumed that the list in VTHack2
was gospel.  Things change all the time, and those things that
are especially good tend to go away.  Apparently, number 40062
was used by CNS's chief diagnostician as a way to test the VA
Council of Higher Education's access to the Net and L-Net.
Poking around there was terminated, but our scan of L-Net turned
up another way in...

2) If you wondered why the Node Router was labelled "20" (really,
what happened to the other 19?), then this might clear things up.
The following connections were observed:
     Node   What
     ----   ----
      0    Passworded
      1    L-Net
      3    the Net
      5    Passworded
      6    Passworded
      9    Dead End
     10    Dead End
     12    L-Net
     20    Restricted (*)

*) This did connect you to a really screwed up L-Net port, which
continually spewed out garbage and error messages, but we think
our poking around in it got it shut off, due to the incredible
quickness with which it was restricted (we were still on-line!)

3) Ah, what a joy it is to explore, and find a pristine cavern
laden with sweet delight, and a menu to boot!  Well, what I'm
talking about is BAMBI and THUMPR, two side-by-side DECServers.
Calling the listed numbers with port 0 gets you BAMBI, and using
port 1 gets you THUMPR.  In our experience, nobody has ever been
dumped for staying on too long, and though the computers you can
connect to aren't all that interesting (all Mechanical Engineering)
the services and privileges allowed to ordinary users is about
as generous as possible.  The listings that follow are vebatim
text sent by the servers, and we think that you'll be able to
figure out what's going on.

DECserver 200 Terminal Server V2.0 (BL29) - LAT V5.1
AMDF Network - Server BAMBI

Please type HELP if you need assistance
Enter username> Jack Meoff

Local> show nodes all

Node Name       Status       Identification

BAMBI           Reachable    AMDF Network - Server BAMBI
BERT            Reachable    AMDF VAXstation I (VMS 4.2)
ERNIE           Reachable    AMDF VAXstation I (VMS 4.2)
POOH            Reachable    AMDF MicroVAX II (VMS 4.6)
SPOCK           Reachable    ZONIC Lab VAXstation 2000 (VMS 4.6)
SULU            Unreachable  AMDF Cluster VAXstation 2000 (Color)
THUMPR          Reachable    AMDF Network - Server THUMPR
UHURA           Unreachable  AMDF Cluster VAXstation 2000 (B & W)
VTME            Reachable    ME VAX 11/780 (VMS 4.4)
VTMEX           Reachable    AMDF Cluster VAXserver 3600 (VMS 4.7)

Local> show ports all


Port    Access    Status        Services Offered

  1     Dynamic   Idle          


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH