-------------------------------------------------------------------------------         
         %%%%%%%%%%%%%%%%%%%%%%%%%%%%-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
         %                                                        %
         %            THE NEOPHYTE'S GUIDE TO HACKING             %
         %            ===============================             %
         %                      1993 Edition                      %
         %                 Completed on 08/28/93                  %
         %           Modification 1.1 Done on 10/10/93            %
         %           Modification 1.2 Done on 10/23/93            %
         %                          by                            %
         %%                >>>>>  Deicide  <<<<<                 %%
         %%%                                                    %%%
         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
                                                                   
     <   The author of this file grants permission to reproduce and   >
     <   redistribute this file in any way the reader sees fit,       >
     <   including the inclusion of this file in newsletters of any   >
     <   media, provided the file is kept whole and complete,         >
     <   without any modifications, deletions or ommissions.          >
     <   (c) 1993, Deicide                                            >
TABLE OF CONTENTS ================= 1. INTRODUCTION 2. ETHICS/SAFETY 3. WHERE TO START 4. PACKET-SWITCHED NETWORKS A. Intro to PSNs B. How packet-switching works C. The Internet 1. Introduction 2. Getting access 3. FTP D. X.25 Networks 1. NUAs 2. PADs & NUIs 3. CUGs 4. SprintNet 5. BT Tymnet 6. Datapac 7. DNIC List 5. SYSTEM PENETRATION A. Unix B. VMS C. MPE (HP3000 mainframes) D. VM/CMS E. Primos F. TOPS 10/20 G. IRIS H. NOS I. DECServer J. GS/1 K. XMUX L. Starmaster/PACX M. Access 2590 N. PICK O. AOS/VS P. RSTS Q. WindowsNT R. Novell Netware S. System75/85 T. AS400 U. TSO 6. BRUTE FORCE A. Passwords B. Usernames C. Services 7. SOCIAL ENGINEERING 8. TRASHING 9. ACRONYMS 10. CONCLUSION A. Last words B. Recommended Reading C. BBSes D. References E. And finally.. F. Disclaimer INTRODUCTION: ============ ------------ Over four years ago the final version of the LOD/H's Novice's Guide to Hacking was created and distributed, and during the years since it has served as a much needed source of knowledge for the many hackers just beginning to explore the wonders of system penetration and exploration. The guide was much needed by the throng of newbies who hadn't the slightest clue what a VAX was, but were eager to learn the arcane art of hacking. Many of today's greats and moderates alike relied the guide as a valuable reference during their tentative(or not) steps into the nets. However, time has taken it's toll on the silicon networks and the guide is now a tad out of date. The basic manufacturer defaults are now usually secured , and more operating systems have come on the scene to take a large chunk of the OS percentile. In over four years not one good attempt at a sequel has been made, for reasons unbeknownst to me. So, I decided to take it upon myself to create my own guide to hacking.. the "Neophyte's Guide to Hacking" (hey..no laughing!) in the hopes that it might help others in furthering their explorations of the nets. This guide is modelled after the original, mainly due to the fact that the original *was* good. New sections have been added, and old sections expanded upon. However, this is in no means just an update, it is an entirely new guide as you'll see by the difference in size. This guide turned out to be over 4 times the size of The Mentor's guide. Also, this guide is NOT an actual "sequel" to the original; it is not LOD/H sponsored or authorized or whatever, mainly because the LOD/H is now extinct. One last thing.. this guide is in no way complete. There are many OS's I did not include, the main reasons being their rarity or my non-expertise with them. All the major OS's are covered, but in future releases I wish to include Wang, MVS, CICS, SimVTAM, Qinter, IMS, VOS, and many more. If you feel you could help, contact me by Internet email or on a board or net(if you can find me). Same thing applies for further expansion of current topics and operating systems, please contact me. Ok, a rather long intro, but fuck it.. enjoy as you wish.. Deicide - deicide@west.darkside.com ETHICS/SAFETY: ============= ------------- One of the most integral parts of a hacker's mindset is his set of ethics. And ethics frequently go hand in hand with safety, which is obviously the most critical part of the process of hacking and the system exploration, if you plan to spend your life outside of the gaol. A hacker's ethics are generally somewhat different from that of an average joe. An average joe would be taught that it is bad to break laws, even though most do anyways. I am encouraging you to break laws, but in the quest for knowledge. In my mind, if hacking is done with the right intentions it is not all that criminal. The media likes to make us out to be psychotic sociopaths bent on causing armageddon with our PCs. Not likely. I could probably turn the tables on the fearmongering media by showing that the average joe who cheats on his taxes is harming the system more than a curious interloper, but I refrain.. let them wallow.. The one thing a hacker must never do is maliciously hack(also known as crash, trash, etc..) a system. Deleting and modifying files unnecessary is BAD. It serves no purpose but to send the sysadmins on a warhunt for your head , and to take away your account. Lame. Don't do it. Anyways, if you don't understand all of these, just do your best to follow them, and take my word for it. You'll understand the reasoning behind these guidelines later. I. Don't ever maliciously hack a system. Do not delete or modify files unnecessarily, or intentionally slow down or crash a system. The lone exception to this rule is the modification of system logs and audit trails to hide your tracks. II. Don't give your name or real phone number to ANYONE, it doesn't matter who they are. Some of the most famous phreaks have turned narcs because they've been busted, and they will turn you in if you give them a chance. It's been said that one out of every three hackers is a fed, and while this is an exaggeration, use this as a rule and you should do fine. Meet them on a loop, alliance, bbs, chat system, whatever, just don't give out your voice number. III. Stay away from government computers. You will find out very fast that attempting to hack a MilTac installation is next to impossible, and will get you arrested before you can say "oh shit". Big Brother has infinite resources to draw on, and has all the time it needs to hunt you down. They will spend literally years tracking you down. As tempting as it may be, don't rush into it, you'll regret it in the end. IV. Don't use codes from your own home, ever! Period. This is the most incredibly lame thing i've seen throughout my life in the 'underground'; incredible abuse of codes, which has been the downfall of so many people. Most PBX/950/800s have ANI, and using them will eventually get you busted, without question. And calling cards are an even worse idea. Codes are a form of pseudo-phreaking which have nothing to do with the exploration of the telephone networks, which is what phreaking is about. If you are too lazy to field phreak or be inventive, then forget about phreaking. V. Don't incriminate others, no matter how bad you hate them. Turning in people over a dispute is a terrible way to solve things; kick their ass, shut off their phones/power/water, whatever, just don't bust them. It will come back to you in the end.. VI. Watch what you post. Don't post accounts or codes over open nets as a rule. They will die within days, and you will lose your new treasure. And the posting of credit card numbers is indeed a criminal offense under a law passed in the Reagan years. VII. Don't card items. This is actually a worse idea than using codes, the chances of getting busted are very high. VIII. If for some reason you have to use codes, use your own, and nothing else. Never use a code you see on a board, because chances are it has been abused beyond belief and it is already being monitored. IX. Feel free to ask questions, but keep them within reason. People won't always be willing to hand out rare accounts, and if this is the case don't be surprised. Keep the questions technical as a rule. Try and learn as much as you can from pure hands on experience X. And finally, be somewhat paranoid. Use PGP to encrypt your files, keep your notes/printouts stored secretly, whatever you can do to prolong your stay in the h/p world. XI. If you get busted, don't tell the authorities ANYTHING. Refuse to speak to them without a lawyer present. XII. If police arrive at your residence to serve a search warrant, look it over carefully, it is your right. Know what they can and can't do, and if they can't do something, make sure they don't. XIII. If at all possible, try not to hack off your own phoneline. Splice your neighbour's line, call from a Fortress Fone, phreak off a junction box, whatever.. if you hack long enough, chances are one day you'll be traced or ANI'd. Don't believe you are entirely safe on packet-switched networks either, it takes a while but if you scan/hack off your local access point they will put a trace on it. XIV. Make the tracking of yourself as difficult as possible for others. Bounce the call off several outdials, or try to go through at least two different telco companies when making a call to a dialup. When on a packet-switched network or a local or wide area network, try and bounce the call off various pads or through other networks before you reach your destination. The more bounces, the more red tape for the investigator and the easier it is for you to make a clean getaway. Try not to stay on any system for *too* long, and alternate your calling times and dates. XV. Do not keep written notes! Keep all information on computer, encrypted with PGP or another military-standard encryption program. Written notes will only serve to incriminate you in a court of law. If you write something down originally, shred the paper.. itty bitty pieces is best, or even better, burn it! Feds DO trash, just like us, and throwing out your notes complete will land in their hands, and they'll use it against you. XVI. Finally, the day/night calling controversy. Some folks think it is a better idea to call during the day(or whenever the user would normally use his account) as to not arouse the sysadmin's suspicion of abnormal calling times, while others think it is better to call when nobody is around. This is a tough one, as there is no real answer. If the sysadmin keeps logs(and reads over them) he will definetly think it strange that a secretary calls in at 3 am.. he will probably then look closer and find it even stranger that the secretary then grabbed the password file and proceeded to set him/herself up with a root shell. On the other hand, if you call during the time the user would normally call, the real owner of the account may very well log in to see his name already there, or even worse be denied access because his account is already in use. In the end, it is down to your opinion. And remember, when you make a decision stick to it; remember the time zone changes. WHERE TO START ============== -------------- Probably the hardest period in hacking is that of when you are first starting. Finding and penetrating your first system is a major step, and can be approached in many ways. The common ways to find a system to hack are; - UNIVERSITIES : Universities commonly have hundreds of users, many of which aren't too computer literate, which makes hacking a relatively simple chore. And security is often poor, so if you don't abuse the system too much your stay could be a long one. On the other hand, for a nominal fee you can usually pick up a cheap *legitimate* (now there's a concept) account. Or you could enroll in the university for a few credits, and just go until the accounts are handed out. Unfortunely, if you are caught hacking off your own account it won't be hard to trace it back to you. If you get a legimate account at first, you might be best to hack a student's account for your other-system hacking. The other fun part about universities is often they will provide access to a number of nets, usually including the Internet. Occasionally you'll have access to a PSN as well. - CARRIER SCANNING: Carrier scanning in your LATA(Local Access Transport Area), commonly known as wardialing, was popularized in the movie War Games. Unfortunely, there are a few problems inherent in finding systems this way; you are limited to the systems in your area, so if you have a small town you may find very little of interest, and secondly, ANI is a problem within your own LATA, and tracing is simple, making security risks high. If you are going to hack a system within your own lata, bounce it at least once. There are many programs, such as ToneLoc and CodeThief (ToneLoc being superior to all in my humble opinion), which will automate this process. - PACKET-SWITCHED : This is my favorite by far, as hacking on PSNs is how NETWORKS I learned nearly all I know. I've explored PSNs world-wide, and never ran out of systems to hack. No matter what PSN you try you will find many different, hackable systems. I will go more indepth on PSNs in the next section. PACKET-SWITCHED NETWORKS ======================== ------------------------ Intro to PSNs ============= First off, PSNs are also known as PSDNs, PSDCNs, PSSs and VANs to name a few. Look up the acronyms in the handy acronym reference chart. The X.25 PSNs you will hear about the most are; Sprintnet(formerly Telenet), BT Tymnet(the largest), and Datapac(Canada's largest). All these networks have advantages and disadvantages, but i'll say this; if you are in the United States, start with Sprintnet. If you are in Canada, Datapac is for you. The reason PSNs are so popular for hackers are many. There are literally thousands of systems on PSNs all around the world, all of which(if you have the right facilities) are free of charge for you to reach. And because of the immense size of public PSNs, it is a rare thing to ever get caught for scanning. Tracing is also a complicated matter, especially with a small amount of effort on your part to avoid a trace. How packet-switching works ========================== The following explanation applies for the most part to all forms of packet-switching, but is specifically about PSNs operating on the X series of protocols, such as Datapac & SprintNet, as opposed to the Internet which operates on TCP/IP. It is the same principle in essense, however. Packet-Switched Networks are kinda complicated, but I'll attempt to simplify the technology enough to make it easy to understand. You, the user, connect to the local public access port for your PSN, reachable via a phone dialup. You match communications parameters with the network host and you are ready to go. From there, all the data you send across the network is first bundled into packets, usually of 128 or 256 bytes. These packets are assembled using Packet Assembly/Disassembly, performed by the public access port, also known as a public PAD(Packet Assembler/Disassembler), or a DCE(Data Communicating Equipment or Data Circuit-Terminating Equipment). The packets are sent along the network to their destination by means of the various X protocols, standardly X.25 with help from X.28, X.29 & X.3 within your home network, and internationally using X.75/X.121. The X protocol series are the accepted CCITT standards. The host system(DTE: Data Terminal Equipment, also a PAD) which you are calling then receives the packet and disassembles the packet using Packet Assembly/Disassembly once again into data the system understands. The DTE then assembles it's data in response to your packet, and sends it back over the network to your PAD in packet form, which disassembles the packet into readable data for you, the user. And that is the simplified version! The Internet ============ Introduction ------------ Contrary to popular belief, the Internet is a packet-switched network; just not an X.25 packet-switched network. The Internet operates on the TCP/IP protocols(as a rule), which is why it is sometimes disregarded as a packet-switched network. In fact, the Internet's predecessor, the ARPAnet, was the first large-scale experiment in packet-switching technology. What was then Telenet came later. The confusion comes from peoples ignorance of the principles of packet-switching, which is simply a type of network, explained in technical detail earlier. It doesn't matter what protocols the network may use, if packet-switching is in use it is obviously a packet-switched network. Ok, now you may have noticed that the Internet has a rather small section, which is true. The reasons are many. This is a hacking guide, not an Internet tutorial, so I didn't include the IRC or Archie or whatever. And the main reason is I spent about 100% more time on X.25 nets than I did the Internet. Nonetheless, I decided to include the essential aspects of the Internet. You should be able to take it from there. The following section is derived mostly from personal experience, but the Gatsby's Internet file helped out somewhat, specifically in the classes of IP addresses. Getting Access -------------- Getting access is somewhere between easy and very difficult, depending where you live and how good(or lucky!) a hacker you are. First of all, if you are going to hack on the Internet then you must be on a system that has full Internet access, not just mail. That cuts Compuserve and Prodigy out of the picture. Most universities and some high schools have Internet access, see what you can do to get yourself an account, legitimatly or not. Some BBSes offer full Internet access for a fairly reasonable price, and that would be a good choice. If you are in an area with a FreeNet, then you get full Internet access.. for free! Check around with local hackers or PD boards to inquire where the nearest FreeNet is. Some businesses provide Internet access, for a price. Check with local netters to see what local options there are. And lastly, you can try and hack your way on. When you hack a system, check and see if they are on the net. Usually this is accomplished by doing a test call using telnet.. explained later. FTP --- FTP is the acronym for File Transfer Protocol, and it is the primary means of transporting remote files onto your own system(actually, usually the system which you are calling the Internet through). I will only provide a brief overview, as FTP is fairly easy to use, has help files online and comprehensive documentation offline at your local h/p BBS. First off, FTP can be initialized by typing 'ftp' at any system which has it. Most do, even if they don't have the Internet online. That a frustrating lesson more than a few novices has learned.. if you hack into a system that has FTP or telnet on line, it does not necessarily(and usually doesn't) have Internet access. Some SunOS's will have two sets of ftp and telnet utilities. The standard ftp and telnet commands can be used for local network connects, but not Internet. Another set of commands, itelnet, iftp and ifinger (and occasionally iwhois) is used for the Internet. When you enter the FTP utility, you'll usually find yourself at a 'ftp>' prompt, and typing 'help' should bring up a small set of help files. The commands available, along with the help files, vary from system to system. Procedure is then defined by what type of system you are on, as again, it varies. But what you usually do next is open a connection to the system you want to get a file off of. Type 'open' followed by the host name or IP address of the system you wish to connect to.. explained later. Next, you will usually find yourself at a sort of login prompt. If you have a username on that system, then type it in. If not, try 'anonymous'. Anonymous is a great little guest account that is now being built in to some OS's. Conscientious sysadmins may disable it, for obvious reasons. If however, it is not, you will be asked for a password. Type anything, it doesn't matter really. Type a few d's if you want, it really doesn't matter(as a rule don't sit on your keyboard though.. it may not like it.. type something boring). Next you simply use the 'get' command to get the file you want. Usually it is a good idea to not put the files in a directory that they will be noticed.. the sysadmin will suspect something is up if he runs into a few files that he supposedly copied into his own directory. Which brings us to the next segment.. give your files benign names, especially if they are something like /etc/passwd files or issues of Phrack. A note about FTPing /etc/passwds. It rarely works. Oh yes, you will get an /etc/passwd file, but rarely on the Internet will it be the real /etc/passwd. Check the size of the file first.. if it is 300 bytes or less, then it will likely be a substitute. Telnet will, however, get the real /etc/passwd on most occasions. Now quit the FTP utility and peruse your new files.. be sure to remove them when done. Telnet ------ While FTP has no real parallel in X.25 networks, you could equate telnet to a private PAD. Telnet lets you connect to and operate on Internet systems over the Internet as if you were connected locally. Telnet is initialized by typing 'telnet' at your shell. The operative command is, again, 'open'. Again, type 'open' followed by the domain name or the IP address. When connected, you will be at a login prompt of some kind(usually..). Enter a username if you have one, and if not you can either attempt to hack one or see if the system accepts the 'anonymous' guest user, explained in the FTP section. If all goes well, you should have a remote connection of some kind, and what follows depends on the system you are connected to, just like in any other network. Domain Names and IP Addresses - Intro ------------------------------------- For those of you unfamiliar with those terms I will give a small, condensed explanation of what the two are. One or the other is needed for connecting to a remote system, either by FTP or Telnet. The IP address could be equated to the X.25 net's Network User Address. The Domain name is a mnemonic name, used for convience more than anything, as it is generally easier to remember. If you wish to scan for systems on the Internet it is usually much easier to scan by IP address, as you won't know the mnemonic for most systems. IP addresses are 4 digit-combinations separated by dots. Address examples are 192.88.144.3(EFF) and 18.72.2.1(MIT). Addresses fall into three classes; Class A - 0 to 127 Class B - 128 to 191 Class C - 192 to 223 The earliest Internet systems are all in Class A, but it is more common to find class B or C systems. Moreover, a lot of systems are placed specifically in the 128 or 192 address prefix, as opposed to 184 or 201 or whatever. Scanning an IP address set can be accomplished in many fashions. One of which would be to pick a prefix, add two random one to two digit numbers, and scan the last portion. ie: take 192.15.43 and scan the last digit from 0 to 255. Unfortunely, the last portion (or last two portions in the case of Class C) are ports, meaning you may come up completely blank or you might hit the jack pot. Experiment to your own liking, after a while you will fall into a comfortable groove. You can also connect to specific systems using the domain name, if you know or can guess the domain name. To guess a domain name you will need to know the company or organization's name, and the type of organization it is. This is possible because host names must follow the Domain Name System, which makes guessing a lot easier. Once you have both, you can usually take a few educated guesses at the domain name. Some are easier than others. First of all, you will need to understand the principle of top-level domains. The top level is at the end of a domain name; in the case of eff.org, the top-level is 'org'. In the case of mit.edu, the top-level is 'edu'. Top levels fall into a few categories; com - commercial institutions org - non-profit organizations edu - educational facilities net - networks gov - government systems (non military) mil - non-classified military Along with various country codes. The country codes are two letters used for international calls; the US's is 'US', Brazil's is 'BR'. Determine which top-level the system falls under, and then make a few guesses. Examples are; compuserve.com xerox.com mit.edu eff.org For further reading, I suggest picking up a few of the printed Internet guides currently on the market, as well as the Gatsby's file on the Internet, printed in Phrack 33. X.25 Networks ============= From here on in the PSN section of this file is dedicated to X.25 networks. I use the acronym PSN interchangably with X.25 networks, so don't get PSN confused with all the other types of PSN networks. From here on in, it is all X.25. Network User Addresses ---------------------- NUAs(Network User Addresses) are the PSNs equivalent of a phone number. They are what you need to connect to systems on PSNs around the world, and thanks to the DNIC(Data Network Identifier Code), there are no two the same. The format for entering NUAs is different from PSN to PSN. For example, on Datapac you must include 0's, but on Sprintnet 0's are not necessary. Tymnet uses 6 digits NUAs rather than the standard 8. But the standard NUA format is this; PDDDDXXXXXXXXSS,MMMMMMMMMM Where; P is the pre-DNIC digit D is the DNIC X is the NUA S is the LCN(Logical Channel Number, subaddressing) M is the Mnemonic Various segments may be omitted depending on your PSN and where you are calling. The P is commonly a 0, but is a 1 on Datapac. It is not usually even counted as part of the NUA, but must be included(usage varying) when making calls to another PSN other than your own. Within your own PSN it is not necessary to include the pre DNIC digit. The D is the DNIC also known as the DCC(Data Country Code). The DNIC is the 4 digit country code, which insures that each NUA worldwide is unique. The DNIC is only used in calling international NUAs. If you are in Datapac(DNIC 3020) you do not have to include the DNIC for Datapac when making calls to NUAs within Datapac, but if you are in another PSN you must include the DNIC for calls to Datapac. The X symbolizes the actual NUA, which along with the optional S (subaddressing) must always be included. You can simplify the NUA even greater using this format; PPPXXXXX Where P is the prefix of the NUA, and the X's are the suffix. The prefix corresponds to an Area Code in most cases in that the NUAs within that prefix are in a certain part of the country the PSN serves. In the case of Sprintnet, the prefix corresponds directly with the Area Code(ie: all NUAs in the 914 prefix on Sprintnet are in New York, and all phone numbers in the 914 Area Code are in New York). Subaddressing, S on the diagram, is a somewhat complicated thing to explain. Subaddressing is used when desired by the owner of the DTE, and is used to connect to specified system on the same NUA. You may find more than one system on the same NUA, and these can be reached using subaddresses. ie: NUA SYSTEM PPPXXXXXSS ========== =================== Ex.1 12300456 Unix Ex.2 123004561 VMS Ex.3 1230045699 HP3000 In this example, the normal NUA is 12300456(assuming DNIC and pre-DNIC digit are not used). This NUA takes you to a Unix system. But when the LCN(Logical Channel Number, subaddress) of 1 is used, you are taken to a VMS. And the subaddress of 99 takes you to a HP3000. The systems on 12300456 are all owned by the same person/company, who wished to have one NUA only, but by using subaddresses he can give access to multiple systems on a lone NUA. Subaddresses are also used occasionally as extra security. If you hit a system that gives you an error message such as 'REMOTE PROCEDURE ERROR' or 'REMOTE DIRECTIVE', you will either need a subaddress or a mnemonic. You may choose to go through the entire possible subaddresses, 1 to 99, or if you are just scanning i would suggest these: 1,2,50,51,91,98,99 Mnemonics, M, are another tricky one to explain. They are not documented by the PSNs, I discovered them on my own. Mnemonics are also used to select systems on a single NUA as a kind of port selector, but they are more commonly used as a kind of external password, which prevents you from even seeing the system in question. The same error messages as in LCNs occur for mnemonics, but again, even if you can reach a system with a standard NUA, there is a possibly a system only reachable by mnemonic exists. Here is a list of commonly used mnemonics; SYSTEM CONSOLE PAD DIAL MODEM X25 X28 X29 SYS HOST Bypassing Reverse Charging Systems: Private PADs and NUIs ---------------------------------------------------------- Occasionally on PSNs you will run into systems which give you the error message 'COLLECT CALL REFUSED'. This denotes a reverse-charging system. When you make a call to a system on a PSN, the call is automatically collect. But a lot of sysadmins do not want to pay for your connect charges, and if all of their users have NUIs or private PADs, it is a good idea for them to make their system reverse-charging, which saves them money, but also acts as yet another security barrier from casual snoopers. But again, this can be avoided by using a private PAD or a NUI. Before we go into the details of these, remember that a private PAD is a different thing than your public access port PAD. A private PAD is a PAD which automatically assumes all connect charges. So, the reverse charging systems will let you past the reverse charging, as you agree to accept the charges. NUI's(Network User Identifiers) work the same way. You can think of a NUI as .. say a Calling Card. The Calling Card is billed for all the charges made on it, regardless of who made them; the owner gets the bill. The NUI works the same way. NUIs are used legitimatly by users willing to accept the connect charges. But, as hackers are known to do, these NUIs get stolen and used to call all NUAs all around the world, and the legitimate owner gets the bill. But unlike CCs, you will usually get away with using a NUI. However, as you can guess, private PADs and NUIs are fairly hard to come by. If somebody manages to get ahold of one, they usually won't be willing to share it. So, it comes down to you; you probably will have to find your own. PADs are only found by scanning on PSNs, and by hacking onto systems on PSNs. There are programs on Unix and Primos systems,for example, that serve as a private PAD. And there are some private PADs that are set up solely for the purpose of being a private PAD. But, these are almost always passworded, so it is up to you to get in. NUIs are somewhat the same thing. NUIs are different from PSN to PSN, some will tell you if a NUI is wrong, letting you guess one, but others will not. And of course, you still have to guess the password. I've heard stories of people carding NUIs, but i'm not sure i quite believe it, and the safety of such a practice is questionable. Closed User Groups ------------------ One of the most effective security measures i've ever seen is the CUG (Closed User Group). The CUG is what generates the 'CALL BLOCKED' message when scanning on PSNs. A CUG will only accept calls into the DTE from specified DCE NUAs. Meaning, if your NUA has not been entered into the list of acceptable NUAs, you won't be allowed to even see the system. However, CUGs aren't for everybody. If you have a system with many users that all call in from different points, CUGs are unusable. And a good thing for us. I've never heard of anyone finding a way past a CUG. I've got a few theories but.. Sprintnet --------- Now i'll go a bit more into the major US and Canadian PSNs, starting with the most popular in the States, Sprintnet To find a public indial port for Sprintnet you may possibly be able to find it in your telefone book(look under Sprintnet) or by Directory Assistance. If not, try Sprintnet Customer Service at 1-800-336-0437. This also will probably only function between 8:30 and 5:00 EST, maybe a bit different. Also, for a data number for in-dial look ups try 1-800-424-9494 at communication parameters 7/E/1(or 8/N/1 also i believe). Type twice or @D for 2400bps and press enter so Sprintnet can match your communications parameters. It will display a short herald then a TERMINAL= prompt. At the TERMINAL= prompt type VT100 for VT100 terminal emulation, if you are using a personal computer i think D1 works, or just for dumb terminal. Then type "c mail", at the username prompt type "phones", and for password type "phones" again. It is menu driven from there on. Now that you have your Sprintnet public dial port number, call it up like you would a BBS, then when it connnects type the two s for 300/1200bps or the @D for 2400bps, then it will display its herald, something like: SPRINTNET(or in some cases TELENET) 123 11A (where 123 is your area code & Sprintnet's address prefix and 11A is the port you are using) TERMINAL=(type what you did previously eg:VT100,D1,) then when Sprintnet displays the @ prompt you know you are connected to a Sprintnet public PAD and you are ready to enter NUAs. As i mentioned before, Sprintnet NUA prefixes correspond directly with Area Codes, so to scan Sprintnet simply take an AC and suffix it with the remaining digits, usually in sequence. Since Sprintnet ignores 0's, NUAs can be as small as 4 digits. When scanning, go from lowest to highest, stopping as soon as it seems NUAs have run dry(take it a hundred NUAs further to be sure..best to take it right to 2000, maybe higher if you have time). BT Tymnet --------- BT Tymnet is owned by British Telecom, and is the biggest PSN by far, but it does have some extra security. For finding Tymnet dial-ins the procedure is much the same, look in the phone book under Tymnet or BT Tymnet, or phone directory assistance and ask for BT Tymnet Public Dial Port numbers, or you can call Tymnet customer Service at 1-800-336-0149. Generally try between 8:30 and 5:00 EST. I don't have the Tymnet data number for finding in-dials, but once you are on Tymnet type INFORMATION for a complete list of in-dials as well as other things. Once you have your in-dial number set your communication parameters at either 8/N/1 or 7/E/1 then dial the number just like you would a BBS. At connect you will see a string of garbage characters or nothing at all. Press so Tymnet can match your communication parameters. You will then see the Tymnet herald which will look something like this: -2373-001- please type your terminal identifier If it wants a terminal identifier press A(if you want, you can press A instead of at connect so it can match your communication parameters and get your terminal identifer all at once). After this initial part you will see the prompt: please log in: This shows Tymnet is ready for you to enter NUAs. A great deal of the NUAs on Tymnet are in plain mnemonic format however. To reach these, just enter the mnemonic you wish, nothing else(ie: CPU or SYSTEM). To enter digital NUAs you need a NUI though. Tymnet will let you know when a NUI is wrong. Just keep guessing NUIs and passwords until you find one. BUT, keep in mind, one of the biggest security features Tymnet has is this: it will kick you off after three incorrect attempts at anything. Thus, you'll have to call again and again, and if you are in a digital switching system such as ESS it is not a good idea to call anywhere an excessive amount of time. So keep it in moderation if you choose to try Tymnet. Datapac ------- I am the most fond of Datapac, because I grew up on it. Nearly all the hacking i've done to this day was on Datapac or the international PSNs i've been able to reach through private PADs i've found on Datapac. To connect to the Datapac network from Canada you will need to dial into your local Datapac node, which is accessible in most cities via your local Datapac dial-in number. There are quite a few ways to find your local Datapac dial-in. It will usually be in your telephone book under "DATAPAC PUBLIC DIAL PORT". If not, you could try directory assistance for the same name. Alternatively, there are a couple phone #'s for finding your dial port(these are also customer assistance): 1-800-267-6574 (Within Canada) 1-613-781-6798 Also, these numbers function only from 8:30 to 5:00 EST(Eastern Standard Time).Also, the Datapac Information Service(DIS) at NUA 92100086 has a complete list of all public dial-ins. I think you can use both communication parameter settings work, but 8/N/1 (8 data bits, No parity, 1 stop bit) is used most frequently, so set it initially at that. Some NUA's on Datapac use 7/E/1, change to it if needed after you are connected to a Datapac dial-in. Ok,if you have your Datapac 3000 Public Indial number, you've set your communication parameters at 8/N/1, then you are now set to go. Dial your indial just like a BBS(duh..) and once connnected: You will have a blank screen; Type 3 periods and press RETURN (this is to tell Dpac to initialize itself) The Datapac herald will flash up stating: DATAPAC : XXXX XXXX (your in-dial's NUA) You are now ready to enter commands to Datapac. Example: (YOU ENTER) atdt 16046627732 (YOU ENTER) ... (DATAPAC RESPONDS) DATAPAC : 6710 1071 Now you are all set to enter the NUA for your destination. NUAs on Datapac must be 8 to 10 digits(not including mnemonics). 8 is standard, but 9 or 10 is possible depending on usage of subaddressing. NUA prefixes on Datapac are handed out in blocks, meaning they do not correspond to Area Codes, but by looking at the surrounding prefixes, you can tell where a prefix is located. When scanning on Datapac, keep in mind most of the valid NUAs are found in the low numbers, so to sample a prefix go from (example) 12300001 to 12300200. It is a good idea, however, to scan the prefix right up until 2000, the choice is yours. DNIC List --------- Here is a list of the previous PSN's DNICs, and most of the other DNICs for PSNs world wide. This was taken from the DIS, with a number of my own additions that were omitted(the DIS did not include other Canadian or American PSNs). The extras DNICs came from my own experience and various BBS lists. COUNTRY NETWORK DNIC DIRECTION ------- ------- ---- --------- ANDORRA ANDORPAC 2945 BI-DIR ANTIGUA AGANET 3443 INCOMING ARGENTINA ARPAC 7220 BI-DIR ARPAC 7222 BI-DIR AUSTRIA DATEX-P 2322 BI-DIR DATEX-P TTX 2323 BI-DIR RA 2329 BI-DIR AUSTRALIA AUSTPAC 5052 BI-DIR OTC DATA ACCESS 5053 BI-DIR AZORES TELEPAC 2680 BI-DIR BAHAMAS BATELCO 3640 BI-DIR BAHRAIN BAHNET 4263 BI-DIR BARBADOS IDAS 3423 BI-DIR BELGIUM DCS 2062 BI-DIR DCS 2068 BI-DIR DCS 2069 BI-DIR BELIZE BTLDATAPAC 7020 BI-DIR BERMUDA BERMUDANET 3503 BI-DIR BRAZIL INTERDATA 7240 BI-DIR RENPAC 7241 BI-DIR RENPAC 7248 INCOMING RENPAC 7249 INCOMING BULGARIA BULPAC 2841 BI-DIR BURKINA FASO BURKIPAC 6132 BI-DIR CAMEROON CAMPAC 6242 BI-DIR CANADA DATAPAC 3020 BI-DIR GLOBEDAT 3025 BI-DIR CNCP PACKET NET 3028 BI-DIR CNCP INFO SWITCH 3029 BI-DIR CAYMAN ISLANDS IDAS 3463 BI-DIR CHAD CHADPAC 6222 BI-DIR CHILE ENTEL 7302 BI-DIR CHILE-PAC 7303 INCOMING VTRNET 7305 BI-DIR ENTEL 7300 INCOMING CHINA PTELCOM 4600 BI-DIR COLOMBIA COLDAPAQ 7322 BI-DIR COSTA RICA RACSAPAC 7120 BI-DIR RACSAPAC 7122 BI-DIR RACSAPAC 7128 BI-DIR RACSAPAC 7129 BI-DIR CUBA CUBA 2329 BI-DIR CURACAO DATANET-1 3621 BI-DIR CYPRUS CYTAPAC 2802 BI-DIR CYTAPAC 2807 BI-DIR CYTAPAC 2808 BI-DIR CYTAPAC 2809 BI-DIR DENMARK DATAPAK 2382 BI-DIR DATAPAK 2383 BI-DIR DJIBOUTI STIPAC 6382 BI-DIR DOMINICAN REP. UDTS-I 3701 INCOMING EGYPT ARENTO 6020 BI-DIR ESTONIA ESTPAC 2506 BI-DIR FIJI FIJIPAC 5420 BI-DIR FINLAND DATAPAK 2441 BI-DIR DATAPAK 2442 BI-DIR DIGIPAK 2443 BI-DIR FRANCE TRANSPAC 2080 BI-DIR NTI 2081 BI-DIR TRANSPAC 2089 BI-DIR TRANSPAC 9330 INCOMING TRANSPAC 9331 INCOMING TRANSPAC 9332 INCOMING TRANSPAC 9333 INCOMING TRANSPAC 9334 INCOMING TRANSPAC 9335 INCOMING TRANSPAC 9336 INCOMING TRANSPAC 9337 INCOMING TRANSPAC 9338 INCOMING TRANSPAC 9339 INCOMING FR ANTILLIES TRANSPAC 2080 BI-DIR FR GUIANA TRANSPAC 2080 BI-DIR FR POLYNESIA TOMPAC 5470 BI-DIR GABON GABONPAC 6282 BI-DIR GERMANY F.R. DATEX-P 2624 BI-DIR DATEX-C 2627 BI-DIR GREECE HELPAK 2022 BI-DIR HELLASPAC 2023 BI-DIR GREENLAND KANUPAX 2901 BI-DIR GUAM LSDS-RCA 5350 BI-DIR PACNET 5351 BI-DIR GUATEMALA GUATEL 7040 INCOMING GUATEL 7043 INCOMING HONDURAS HONDUTEL 7080 INCOMING HONDUTEL 7082 BI-DIR HONDUTEL 7089 BI-DIR HONG KONG INTELPAK 4542 BI-DIR DATAPAK 4545 BI-DIR INET HK 4546 BI-DIR HUNGARY DATEX-P 2160 BI-DIR DATEX-P 2161 BI-DIR ICELAND ICEPAK 2740 BI-DIR INDIA GPSS 4042 BI-DIR RABMN 4041 BI-DIR I-NET 4043 BI-DIR INDONESIA SKDP 5101 BI-DIR IRELAND EIRPAC 2721 BI-DIR EIRPAC 2724 BI-DIR ISRAEL ISRANET 4251 BI-DIR ITALY DARDO 2222 BI-DIR ITAPAC 2227 BI-DIR IVORY COAST SYTRANPAC 6122 BI-DIR JAMAICA JAMINTEL 3380 INCOMING JAPAN GLOBALNET 4400 BI-DIR DDX 4401 BI-DIR NIS-NET 4406 BI-DIR VENUS-P 4408 BI-DIR VENUS-P 9955 INCOMIMG VENUS-C 4409 BI-DIR NI+CI 4410 BI-DIR KENYA KENPAC 6390 BI-DIR KOREA REP HINET-P 4500 BI-DIR DACOM-NET 4501 BI-DIR DNS 4503 BI-DIR KUWAIT BAHNET 4263 BI-DIR LEBANON SODETEL 4155 BI-DIR LIECHTENSTEIN TELEPAC 2284 BI-DIR TELEPAC 2289 BI-DIR LUXEMBOURG LUXPAC 2704 BI-DIR LUXPAC 2709 BI-DIR MACAU MACAUPAC 4550 BI-DIR MADAGASCAR INFOPAC 6460 BI-DIR MADEIRA TELEPAC 2680 BI-DIR MALAYSIA MAYPAC 5021 BI-DIR MAURITIUS MAURIDATA 6170 BI-DIR MEXICO TELEPAC 3340 BI-DIR MOROCCO MOROCCO 6040 BI-DIR MOZAMBIQUE COMPAC 6435 BI-DIR NETHERLANDS DATANET-1 2040 BI-DIR DATANET-1 2041 BI-DIR DABAS 2044 BI-DIR DATANET-1 2049 BI-DIR N. MARIANAS PACNET 5351 BI-DIR NEW CALEDONIA TOMPAC 5460 BI-DIR NEW ZEALAND PACNET 5301 BI-DIR NIGER NIGERPAC 6142 BI-DIR NORWAY DATAPAC TTX 2421 BI-DIR DATAPAK 2422 BI-DIR DATAPAC 2423 BI-DIR PAKISTAN PSDS 4100 BI-DIR PANAMA INTELPAQ 7141 BI-DIR INTELPAQ 7142 BI-DIR PAPUA-NEW GUINEA PANGPAC 5053 BI-DIR PARAGUAY ANTELPAC 7447 BI-DIR PERU DICOTEL 7160 BI-DIR PHILIPPINES CAPWIRE 5150 INCOMING CAPWIRE 5151 BI-DIR PGC 5152 BI-DIR GLOBENET 5154 BI-DIR ETPI 5156 BI-DIR POLAND POLAK 2601 BI-DIR PORTUGAL TELEPAC 2680 BI-DIR SABD 2682 BI-DIR PUERTO RICO UDTS 3300 BI-DIR UDTS 3301 BI-DIR QATAR DOHPAC 4271 BI-DIR REUNION (FR) TRANSPAC 2080 BI-DIR RWANDA RWANDA 6352 BI-DIR SAN MARINO X-NET 2922 BI-DIR SAUDI ARABIA ALWASEED 4201 BI-DIR SENEGAL SENPAC 6081 BI-DIR SEYCHELLES INFOLINK 6331 BI-DIR SINGAPORE TELEPAC 5252 BI-DIR TELEPAC 5258 BI-DIR SOLOMON ISLANDS DATANET 5400 BI-DIR SOUTH AFRICA SAPONET 6550 BI-DIR SAPONET 6551 BI-DIR SAPONET 6559 BI-DIR SPAIN TIDA 2141 BI-DIR IBERPAC 2145 BI-DIR SRI-LANKA DATANET 4132 BI-DIR SWEDEN DATAPAK TTX 2401 BI-DIR DATAPAK-2 2403 BI-DIR DATAPAK-2 2407 BI-DIR SWITZERLAND TELEPAC 2284 BI-DIR TELEPAC 2285 BI-DIR TELEPAC 2289 BI-DIR TAIWAN PACNET 4872 BI-DIR PACNET 4873 BI-DIR UDAS 4877 BI-DIR TCHECOSLOVAKA DATEX-P 2301 BI-DIR THAILAND THAIPAC 5200 BI-DIR IDAR 5201 BI-DIR TONGA DATAPAK 5390 BI-DIR TOGOLESE REP. TOGOPAC 6152 BI-DIR TORTOLA IDAS 3483 INCOMING TRINIDAD DATANETT 3745 BI-DIR TEXTET 3740 BI-DIR TUNISIA RED25 6050 BI-DIR TURKEY TURPAC 2862 BI-DIR TURPAC 2863 BI-DIR TURKS&CAICOS IDAS 3763 INCOMING U ARAB EMIRATES EMDAN 4241 BI-DIR EMDAN 4243 BI-DIR TEDAS 4310 INCOMING URUGUAY URUPAC 7482 BI-DIR URUPAC 7489 BI-DIR USSR IASNET 2502 BI-DIR U.S.A. WESTERN UNION 3101 BI-DIR MCI 3102 BI-DIR ITT/UDTS 3103 BI-DIR WUI 3104 BI-DIR BT-TYMNET 3106 BI-DIR SPRINTNET 3110 BI-DIR RCA 3113 BI-DIR WESTERN UNION 3114 BI-DIR DATAPAK 3119 BI-DIR PSTS 3124 BI-DIR UNINET 3125 BI-DIR ADP AUTONET 3126 BI-DIR COMPUSERVE 3132 BI-DIR AT&T ACCUNET 3134 BI-DIR FEDEX 3138 BI-DIR NET EXPRESS 3139 BI-DIR SNET 3140 BI-DIR BELL SOUTH 3142 BI-DIR BELL SOUTH 3143 BI-DIR NYNEX 3144 BI-DIR PACIFIC BELL 3145 BI-DIR SWEST BELL 3146 BI-DIR U.S. WEST 3147 BI-DIR CENTEL 3148 BI-DIR FEDEX 3150 BI-DIR U.S. VIRGIN I UDTS 3320 BI-DIR U. KINGDOM IPSS-BTI 2341 BI-DIR PSS-BT 2342 BI-DIR GNS-BT 2343 BI-DIR MERCURY 2350 BI-DIR MERCURY 2351 BI-DIR HULL 2352 BI-DIR VANUATU VIAPAC 5410 BI-DIR VENEZUELA VENEXPAQ 7342 BI-DIR YUGOSLAVIA YUGOPAC 2201 BI-DIR ZIMBABWE ZIMNET 6484 BI-DIR SYSTEM PENETRATION ================== ------------------ Ok, now that you've hopefully found some systems, you are going to need to know how to identify and, with any luck, get in these newfound delights. What follows is a list of as many common systems as i could find. The accounts listed along with it are not, per say, 'defaults'. There are very few actual defaults. These are 'common accounts', in that it is likely that many of these will be present. So, try them all, you might get lucky. The list of common accounts will never be complete, but mine is fairly close. I've hacked into an incredible amount of systems, and because of this I've been able to gather a fairly extensive list of common accounts. Where I left the password space blank, just try the username(and anything else you want), as there are no common passwords other than the username itself. And also, in the password space I never included the username as a password, as it is a given in every case that you will try it. And remember, passwords given are just guidelines, try what you want. UNIX- Unix is one of the most widespread Operating Systems in the world; if you scan a PSN, chances are you'll find a number of Unixes, doesn't matter where in the world the PSN resides. The default login prompt for a unix system is 'login', and while that cannot be changed, additional characters might be added to preface 'login', such as 'rsflogin:'. Hit a few times and it should disappear. Because UNIX is a non-proprietary software, there are many variants of it, such as Xenix, SCO, SunOS, BSD, etc.., but the OS stays pretty much the same. As a rule, usernames are in lowercase only, as are passwords, but Unix is case sensitive so you might want to experiment if you aren't getting any luck. You are generally allowed 4 attempts at a login/password, but this can be increased or decreased at the sysadmins whim. Unfortunely, UNIX does not let you know when the username you have entered is incorrect. UNIX informs the user of when the last bad login attempt was made, but nothing more. However, the sysadmin can keep logs and audit trails if he so wishes, so watch out. When inside a UNIX, type 'cat /etc/passwd'. This will give you the list of usernames, and the encrypted passwords. The command 'who' gives a list of users online. 'Learn' and 'man' bring up help facilities. Once inside, you will standardly receive the prompt $ or % for regular users, or # for superusers. The root account is the superuser, and thus the password could be anything, and is probably well protected. I left this blank, it is up to you. There won't be any common passwords for root. COMMON ACCOUNTS: Username Password -------- -------- root daemon adm admin, sysadm, sysadmin, operator, manager uucp bin sys 123 lotus, lotus123 adduser admin adm,sysadm,sysadmin,operator,manager anon anonymous anonuucp anon, uucp, nuucp anonymous anon asg device devadmin audit auth backappl backup save, tar batch bbx blast bupsched cbm cbmtest checkfsys control cron csr support, custsup dbcat database, catalog default user, guest demo tour, guest dev devel devshp diag sysdiag, sysdiags, diags, test diags diag, sysdiag, sysdiags dialup dos fax field fld, service, support, test filepro finger fms friend guest, visitor games general gp gsa guest visitor, demo, friend, tour help host hpdb info informix database ingres database inquiry install journal journals kcml learn lib library, syslib link listen lp print spooler lpadmin lpadmin lp, adm, admin lpd ls mail maint sysmaint, service makefsys man manager mgr, man, sysmgr, sysman, operator mdf menu mountfsys ncrm ncr net network netinst inst, install, net, network netman net, man, manager, mgr, netmgr, network netmgr net, man, manager, mgr, netmgr, network network net newconv news nobody anon nuucp anon oasys oa odt opendesktop online openmail mail oper operator,manager,adm,admin,sysadmin,mgr operator sysop, oper, manager opp oracle database oraclev5 oracle, database oradev oracle pcs pcsloc pctest postmaster mail powerdown shutdown priv private prod pub public public pub reboot remote report rha rje rsm rsmadm rsm, adm, admin rusr sales sas save backup savep service field, support setup shutdown smtp mail softwork space startup su sundiag sysdiag, diag, diags, sysdiags suoper su, oper, operator super supervisor, manager, operator support field, service sync sysadm adm, admin, operator, manager sysdiag diag, diags, sysdiags sysinfo info sysmaint maint, service sysman manager,mgr,man,admin,operator,sysadmin sysmgr manager,mgr,man,admin,operator,sysadmin system sys, unix, shell, syslib, lib, operator systest test, tester, testuser, user test tester, testuser, systest, user tester test, user, testuser testuser test, tester, user, systest tftp tour demo, guest, user, visitor transfer tty tutor tutorial umountfsys unix unixmail mail, unix user guest, demo userp user usr user usrlimit utest uucpadm adm, admin, uucp uuadm uucp, adm uuadmin uucp, admin uuhost uucp, host uulog uucp, log uunx uucp uupick uucp, pick uustat uucp, stat uuto uucp, to uux uucp va vashell vax visitor guest, friend, demo, tour vlsi vmsys vm, face vsifax who wp wp51 x25 pad x25test test x400 VMS- DEC's Virtual Memory System commonly runs on VAX computers. It is another very widespread system, with many users world wide. VMS will have a 'Username:' prompt, and to be sure just type in a ',' for a username. A VMS will throw back an error message on special delimeters. You will standardly get 3 and only three login attempts, and VMS is not kind enough to let you know when you have entered an incorrect username. Once inside you will find yourself at a $ prompt. COMMON ACCOUNTS: Username Password -------- -------- backup batch dcl dec decmail mail decnet default default, user dialup demo guest dsmmanager dsm, manager dsmuser dsm, user field field, service, support, test, digital games guest visitor, demo help helpdesk help_desk helpdesk host info ingres database interactive link local mail mailer mail mbmanager mb, manager, mgr, man mbwatch watch, mb mpdbadmin mpdb, admin netcon net, network netmgr net, manager, mgr, operator netpriv network, private, priv, net netserver network net newingres ingres news operations operations operator oper, manager, mgr, admin, opervax operator, vax ops oracle pcsdba pfmuser pfm, user postmaster mail priv private remote report rje remote, job, entry student suggest suggest sys sysmaint sysmaint, maint, service, digital system manager,operator,sys,syslib systest uetp,test systest_clig systest, test tapelib teledemo demo test testuser, tester uetp user test, guest, demo userp user vax vms visitor guest, demo wpusers HP3000- HP3000 mainframes run the MPE series of operating systems, such as MPE, V, ix, X, and XL. The default login prompt is ':', but this can be prefaced with characters(ie: 'mentor:') and in some cases the ':' may be taken completely away (ie: 'mentor'). To check for a HP3000, hit a , you will get an error message such as this; EXPECTED HELLO, :JOB, :DATA, OR (CMD) AS LOGON. (CIERR 1402) To login type 'hello', followed by the login information, which is in this format: USER.ACCOUNT,GROUP. The group is optional, but may be needed in some cases, and can give you different file sets and the sort. A great thing about HP3000's is they tell you exactly what is incorrect about the login name you've supplied them, be it the account is valid but the username is wrong, or the other way around. But unfortunely, if the system operators choose, they may password ALL of the login name segments; username, account and group. The internal prompt for MPE's is, again, :. 'Help' will give you help when inside a HP3000. When entering accounts, i'd suggest not to use a group at first. If you receive the error message 'not in home group', then try the group PUB, then if even that fails, move on to the common group list. I didn't list passwords along with the accounts, as it would be a bit of an awkward format, because of MPE's awkward format. The only manufacturer default passwords I am aware of are 'hponly', for mgr.telesup, 'lotus', for mgr.sys, and 'hpword' for field.support. Just remember to try the various parts of the account as a password, and anything else along those lines. If you need a password for the following user.accounts & groups, try the various parts of the name plus any combinations of it or names with obvious links to it(ie: field=service). COMMON ACCOUNTS: Username.Account ---------------- mgr.3000devs mgr.acct mgr.backup manager.blast manager.blast1 mgr.ccc spool.ccc mgr.cnas manager.cognos mgr.cognos operator.cognos mgr.common mgr.company mgr.conv mgr.corp mgr.cslxl mgr.demo operator.disc mgr.easy mgr.easydev mgr.extend mgr.hpdesk mgr.hplanmgr field.hpncs mgr.hpncs advmail.hpoffice deskmon.hpoffice mail.hpoffice mailman.hpoffice mailroom.hpoffice mailtrck.hpoffice manager.hpoffice mgr.hpoffice openmail.hpoffice pcuser.hpoffice spoolman.hpoffice x400fer.hpoffice x400xfer.hpoffice wp.hpoffice mgr.hponly mgr.hpoptmgt field.hpp187 mgr.hpp187 mgr.hpp189 mgr.hpp196 mgr.hppl85 mgr.hppl87 mgr.hppl89 mgr.hppl96 mgr.hpskts mgr.hpspool mgr.hpword mgr.hpx11 dpcont.hq mgr.hq mgr.indhpe mgr.infosys mgr.intx3 manager.itf3000 mail.mail mgr.netbase mgr.netware operator.netware mgr.orbit mgr.prod mgr.rego mgr.remacct mgr.rje manager.security mgr.security mgr.sldemo mgr.snads mgr.softrep mgr.speedwre mgr.spool manager.starbase field.support mgr.support operator.support exploit.sys manager.sys mgr.sys operator.sys pcuser.sys rsbcmon.sys operator.syslib sysrpt.syslib mgr.sysmgr operator.system mgr.tech mgr.techxl mgr.telamon field.hpword mgr.opt manager.tch field.telesup mgr.telesup sys.telesup mgr.tellx monitor.tellx mgr.utility mgr.vecsl manager.vesoft mgr.vesoft mgr.word field.xlserver mgr.xlserver mgr.xpress COMMON GROUPS: admin advmail ask brwexec brwonlne brwspec bspadmin bspdata bspinstx bsptools catbin1 catbin2 catlib classes config console convert creator curator currarc current dat data database delivery deskmon devices diadb diag diafile diaipc doc docxl document dsg easy ems emskit etdaemon example examples ezchart galpics graphics hold hpaccss hpadvlk hpadvml hpdesk hpdraw hpecm hpemm hpenv hpgal hphpbkp hplibry hplist hplt123 hpmail hpmap hpmenu hpprofs hpsw hptelex ibmpam idl idlc idpxl include infoxl instx internal itpxl job lib libipc library mailconf maildb mailhelp mailjob maillib mailserv mailstat mailtell mailxeq mediamgr memo memory mgr mmgrdata mmgrxfer mmordata mmorxfer monitor mpexl ndfiles ndports net network nwoconf office oldmail oper operator out pascalc patchxl pcbkp ppcdict ppcsave ppcutil prntmate prog prvxl pub pubxl qedit ref request restore sample sbase sfiles signal sleeper snax25 sql sruntime subfile suprvisr sx sys sysmgr sysvol tdpdata telex telexjob text tfm ti tools transmit user users validate viewlib visicalc wp wp3 x400data x400db x400fer x400file xspool VM/CMS- The VM/CMS Operating System is found on IBM mainframes, and while there are quite a few out there, they are commonly left alone by hackers who prefer Unix or VMS. VM/CMS systems are commonly found gated off Sim3278 VTAMs and ISM systems as well. The login prompt for CMS is '.', but additional information might be given before the prompt, such as; Virtual Machine/System Product ! . or; VM/370 ! . and frequently over to the side; LOGON userid DIAL userid MSG userid message LOGOFF but they all represent a VM/CMS system. To logon, type 'logon' followed by the username, which is usually 1 to 8 characters in length. To be sure it is a CMS, type 'logon' followed by some random garbage. If it is a VM/CMS, it will reply; Userid not in CP directory This is one of the great things about CMS, it tells you if the login ID you entered is incorrect, thus making the finding of valid ones fairly easy. One thing to watch out for.. if you attempt brute forcing some systems will simply shut the account or even the login facility for some time. If that is the case, find out the limit and stay just underneath it.. drop carrier or clear the circuit if necessary, but if you continually shut down the login facilities you will raise a few eyebrows before you even make it inside. Once inside, typing 'help' will get you a moderate online manual. COMMON ACCOUNTS Username Password -------- -------- $aloc$ admin operator, manager, adm, sysadmin, sysadm alertvm alert ap2svp apl2pp autolog1 autolog autolog2 autolog batch batch1 batch batch2 batch botinstl ccc cms cmsbatch cms, batch, batch1 cmsuser cms, user cpms cpnuc cprm cspuser user, csp cview datamove demo1 demo demo2 demo direct dirmaint dirmaint1 diskcnt entty erep formplus fsfadmin fsf, adm, sysadmin, sysadm, admin, fsfadm fsftask1 fsftask2 gcs gcsrecon idms idmsse iips infm-mgr infm, man, manager, mgr inoutmgr mgr, manager ipfappl ipfserv ispvm ivpm1 ivpm2 maildel mailman maint service moeserv netview network, view, net, monitor oltsep op1 opbackup backup operatns op, operator, manager, admin operator op, operatns, manager, admin opserver pdm470 pdmremi peng presdbm dbm procal prodbm prod promail psfmaint maint pssnews news pvm router rscs rscsv2 savsys sfcm1 sfcm sfcntrl sim3278 smart sna sqldba database sqluser user, sql syncrony sysadmin admin, adm, sysadm, manager, operator sysckp sysdump1 sysdump syserr syswrm tdisk disk, temp temp tsafvm vastest test vm3812 vmarch vmasmon vmassys vmbackup backup vmbsysad vmmap map vmtape tape vmtest test, testuser vmtlibr vmutil util, utils vseipo vsemaint maint vseman vsm vtam vtamuser user, vtam x400x25 PRIMOS- Run on the Prime company's mainframes, the Primos Operating System is in fairly wide use, and is commonly found on Packet-Switched Networks worldwide. Upon connect you will get a header somewhat like PRIMENET 23.3.0 INTENG This informs you that it is indeed a Primos computer, the version number, and the system identifier the owner picked, which is usually the company name or the city the Primos is located in. If you find a Primos on a network, you will receive the Primenet header, but if it is outside of a network, the header may be different(ie:Primecon). Hit a number of 's, and Primos will throw you the login prompt 'ER!'. At this point, type 'login' followed by your username. If hitting 's did not provoke an 'ER!', then type 'login' followed by your username. If you are blessed and you find some stone age company running 18.0.0 or below, you are guaranteed access. Just find a username and there will be no password prompt. If for some reason passwording exists, a a few control-C's should drop you in. Unfortunely, Primos almost always allows one and one attempt only at a username/password combination before it kicks you off, and Primos will not tell you if the ID you've entered is invalid. Once you are inside, you will find yourself at the prompt 'OK'. 'help' brings up a so-so online help guide. COMMON ACCOUNTS Username Password -------- -------- backup backup_terminal batch_service batch bootrun cmdnc0 demo diag dos dsmsr dsm dsm_logger dsm fam games guest guest1 guest lib libraries login_server mail mailer netlink net, primenet netman manager, man, mgr, netmgr network_mgt netmgt network_server server prime primos, system primenet net, netlink primos prime, system primos_cs primos, prime, system regist rje spool spoolbin spool syscol sysovl system prime, primos, sys1, operator system_debug system_manager tcpip_manager tele test timer_progress tools TOPS-10/20- An older and somewhat rare operating system, TOPS-10 ran on the DEC-10/20 machines. You can usually recognize a TOPS-10 by its' prompt, a lone period '.', while a TOPS-20 will have a '@' in its place. Most systems allow you to enter the commands 'SYSTAT' or 'FINGER' from the login prompt, before logging in. This command will let you see the users online, a valuable aide in hacking. To login, type 'login xxx,yyy', where the x and y's are digits. TOPS-10 does let you know when your username is incorrect. COMMON ACCOUNTS User ID Code Password ------------ -------- 1,2 OPERATOR, MANAGER, ADMIN, SYSLIB, LIB 2,7 MAINT, MAINTAIN, SYSMAINT 5,30 GAMES IRIS- Unfortunely, i have no experience with IRIS whatsoever. To this day i haven't even seen one. So with regret i must present old material, the following info comes entirely from the LOD/H Technical Journal #3. Hopefully it will still be applicable. The IRIS Operating System used to run soley on PDP systems, but now runs on many various machines. IRIS will commonly present itself with a herald such as; "Welcome to IRIS R9.1.4 timesharing" And then an "ACCOUNT ID?" prompt. IRIS is kind enough to tell you when you enter an incorrect ID, it won't kick you off after too many attempts, and no logs are kept. And strangely enough, passwords are not used! So if you can find yourself an IRIS OS, try the following defaults and you should drop in.. COMMON ACCOUNTS Username -------- accounting boss demo manager noname pdp8 pdp11 software tcl NOS- The NOS(Network Operating System) is found on Cyber mainframes made by CDC(the Control Data Corporation). Cyber machines are commonly run by institutions such as universities and atomic research facilities. Cybers will usually give a herald of some sort, such as Sheridan Park Cyber 180-830 Computer System or Sacremento Cyber 180-830 CSUS NOS Software System The first login prompt will be 'FAMILY:', just hit . The next prompt is 'USER NAME:'. This is more difficult, usually 7 characters. The password is even worse, commonly 7 random letters. Sound bad? It is. Brute forcing an account is next to impossible. I've never seen these defaults work, but they are better than nothing. I got them out of the LOD/H Novice's Guide to Hacking, written by the Mentor. There are no known passwords for these usernames. COMMON ACCOUNTS Username -------- $SYSTEM SYSTEMV DECSERVER- The Decserver, is as the name implies, a server made by the Digital Equipment Corporation, the same company that makes the VAX machines. It is possible the owner of the server put a password on it, if this is the case you will hit a # prompt. If the server has PADs or outdials on it, you can bet this is the case. You don't need a username, just the password. You will commonly get 3 tries, but it can be modified. The default password is 'access', but other good things to try are ; server, dec, network, net, system (and whatever else goes along with that). If you get past the #, or there isn't one, you will hit the prompt 'Enter Username>'. What you put really doesn't matter, it is just an identifier. Put something normal sounding, and not your hacker alias. It is actually interesting to look at the users online at a Decserver, as commonly there will be a few users with the username C or CCC or the like, usually meaning they are probably a fellow hacker. Also, at the Enter Username> prompt you are able to ask for help with the 'help' command, which spews out fairly lengthly logon help file. If all went well you should end up at a 'Local>' prompt. Decservers have a fairly nice set of help files, simply type 'help' and read all you want. It is a good idea to do a 'show users' when you first logon, and next do a 'show services' and 'show nodes'. The services are computers hooked up to the Decserver, which you can access. For obvious reasons you will often find many VAX/VMS systems on Decservers, but pretty much anything can be found Look for services titled Dial, Modem, PAD, X25, Network, or anthing like that. Try pretty much everything you see. Remember to try the usernames you see when you do a 'show users' as users for the systems online. Also, you will sometimes find your Decserver has Internet (Telnet, SLIP or FTP) access, make sure you make full use of this. To connect to the services you see, use 'c XXXX', where the X's represent the service name. Once inside, the manufacturer's default for privs is 'system' and it is rarely changed. The maintenance password changes from version to version. With the Decserver 200 & 500 it is 0000000000000000 (16 0's), but with 300 it is simply 0. GS/1- GS/1's are another server type system, but they are less common than the Decservers. The default prompt is 'GS/1>', but this can be changed to the sysadmins liking. To check for a GS/1, do a 'sh d', which will print out some statistics. To find what systems are available from the server, type 'sh n' or a 'sh c', and a 'sh m' for the system macros. XMUX- The XMUX is a multiplexing system that provides remote access, made by Gandalf Technologies, Inc., Gandalf of Canada Ltd. in Canada. As far as I can tell, the XMUX is used only on Packet-Switched Networks, Datapac in particular but with usage on PSNs world wide. The XMUX is not usually thought of as a stand alone system, but as a supportive system for multi-user networked systems, having a bit to do with system monitoring, channel control, and some of the features of multiplexing. Thus, you'll commonly find a XMUX on a mnemonic or a subaddress of another system, although you will find them alone on their own NUA frequently as well. To find the systems on a subaddress or a mnemonic, your best bet is to go with mnemonics, as the LOGGER mnemonic cannot be removed, while subaddressing is optional. You won't always want to check every single system, so i'll give a guideline of where to check; (REMINDER: this is only for systems on PSNs, and may not apply to your PSN) - PACX/ : The PACX/Starmaster is also made by Starmaster Gandalf, and the two are tightly Systems interwoven. If mnemonics don't work, be sure to try LCNs, as the CONSOLE on a PACX/Starmaster is an entirely different thing, and frequently using the mnemonic CONSOLE will bring you to the PACX console, not the XMUX console. - BBS Systems : BBS Systems on PSNs frequently need some help, and XMUXs are fairly commonly found with them. - Other misc. : Many of the other operating systems, systems such as Unix, AOS/VS, Pick and HP3000 have the occasional XMUX along with it. - Networked : A good portion of networked systems have systems XMUXs. If a system does have a XMUX also, you can reach it almost always by the mnemonic CONSOLE, and if not, the node name of the XMUX. If that doesn't work, try LCNs up to and including 15. Occasionally the console of the XMUX will be unpassworded, in which case you will drop straight into the console. The XMUX console is self-explanatory and menued, so i will leave you to explore it. However, in all likeliness you will find yourself at the password prompt, 'Password >'. This can not be modified, but a one-line herald may be put above it. To check for a XMUX, simply hit . It will tell you that the password was invalid, and it must be 1 to 8 alphanumeric characters. As you can see, you do not need a username for the remote console of a XMUX. UIDs are used, but internally within the workstation. As it says, the password format is 1 to 8 alphanumeric characters. There is no default password, the console is left unprotected unless the owner decides to password it. However, there are common passwords. They are; console, gandalf, xmux, system, password, sys, mux xmux1 I'll repeat them in the common passwords again later. But these will not always work, as it is up to the owner to pick the password(although they do like those). Your next best bet is to find out the node name of the XMUX (XMUXs are polling systems as well, usually hooked up somehow to one of the regional hubs). To do this, you must understand the parts of the XMUX. The XMUX has 4 default parts; the CONSOLE, the FOX, the LOGGER, and the MACHINE. I'll try and define the usage of them a bit more; CONSOLE- the main remote part of the XMUX, which performs all the maintenance functions and system maintenance. the actual system. reachable usually on the LCN(subaddress) of 0 or 4/5, and the default mnemonic CONSOLE, which can be changed. FOX - a test system, which runs through never ending lines of the alphabet and digits 0-9. reachable on the LCN of 1, mnemonic FOX. LOGGER - a device which displays log information, usually one or two lines, including the node name. reachable on the LCN of 2, mnemonic LOGGER. MACHINE- a system which i do not yet understand fully. performs some interesting functions. the prompt is '#'. type 'S' and you will(always) receive a short/long (depending on how much the system is used) system status report, containing among other things the system node name. if active, typing 'L' will bring up a more complete system log. This is VERY useful. It contains the NUAs of the systems which called the XMUX, and it contains the UIDs if used. As you can see, the XMUX is rather complicated upon first look, but it is actually fairly simple. The easiest way to grab the node name is to call the LOGGER. The logger MUST be present, always. It is a non-removable default. The LCN may be removed, but the mnemonic must stay. I explained mnemonics earlier, but i'll refresh your memory. To use the mnemonic, simply type the NUA, followed by a comma and then the mnemonic, ie; 12300456,LOGGER The very first thing in the data string you see is the node name. If it is a blank space, you have run across a rarity, a XMUX without a node name. The node name is THE most popular thing other than the other common passwords. Try combinations of it, and combinations of it along with the words XMUX and MUX. And of course, if a herald is used, use whatever you can find in the herald. But again, if it is a company, they love to use the company name or acronym as a password, and that acronym or name will often be the node name. Ok, have fun.. COMMON ACCOUNTS Console Passwords ----------------- CONSOLE XMUX GANDALF SYSTEM PASSWORD MUX XMUX1 SYS (node name) One other thing. I did not include the profile or remote profile names, or the UIDs, as they are as far as i know inapplicable from remote. And a final comment. XMUXs are powerful and potentially extremely harmful to a network. DO NOT DELETE ANYTHING. The only submenus you will have reason to access are 'DEFINE' and 'DISPLAY'. Don't boot people off channels or add console passwording or remove profiles..you will end up with your ass in jail. Taking down a network is less than funny to the people that run it. Explore, don't harm. STARMASTER- The Starmaster/PACX 2000 is still a somewhat mysterious /PACX system, but i have now explored all the security barriers as well as the network and the internal functions, so i feel this is fairly complete. The Starmaster/PACX system is a networking/server system made by, again, Gandalf Technologies Inc., Gandalf of Canada Ltd., in Canada, and is also known informally (and some what incorrectly) as the 'Gandalf Access Server.' The Access is similar, but different, as described later. It is a fairly popular system on Datapac, and has some usage in other regions of the world. Again, it is used mainly on Packet-Switched Networks, although, thanks to the dialing directory of a Sam24V outdial on a Starmaster, I have discovered that Starmasters do indeed have dialin access. The first possible security barrier is the dialin password, which is rarely used, but you should know about. The prompt is usually ; DIALIN PASSWORD? But can be changed, although it should remain similar. Dialin passwords are 1 to 8 characters, and are usually one of the following defaults; GANDALF SERVER PACX NET NETWORK STARMAST DIALIN PASSWORD ACCESS If the Starmaster has a XMUX resident(explained in previous system definition; XMUXs), find out the node name and try it. The next possible security barrier is that the sysadmin desires the users to enter a username/password before entering the server. You will find yourself at a prompt such as; USERNAME? This is the most common prompt. Usernames are 1 to 8 characters, and the Starmaster will let you know if it is wrong or not with an error message such as; INCORRECT USERNAME or INVALID RESPONSE This, like the username prompt, can be changed, but it will usually be in all-caps. You are allowed between 1 and 10 attempts at either a valid username or a valid password, depending on the owners preference. This means(if it is set to ten tries) you can enter 9 invalid usernames, and on the tenth enter a valid username, then have 10 attempts at a valid password. The defaults for this(which i will list later also) prompt are; TEST, TESTUSER, TESTER, GANDALF, SYSTEM, GUEST USER, HP, CONSOLE, and finally OPERATOR. Also, first names will work usually. The next prompt you will face, or the first one if usernames are not implemented, is the server prompt. This is the main user prompt for a Starmaster, all major user commands are used from here. But as you can guess, commands aren't used really, it is service names you desire. Sometimes you will get a list upon entering the server, but other times you will just hit the server prompt, which usually looks something like; SERVICE? or CLASS? or even service? or class? or service Or whatever the sysadmin feels like. 'SERVICE?' is the default, and the most common. Keep in mind that the services CAN be passworded, but rarely are. In the case of passwording, use your imagination. Another thing; from the PACX console, where the services are defined, there is an option which decides whether the service is allowed for remote users. If this is set to NO, then you are out of luck, you have to be in the workstation to use the command. This is common for the CONSOLE and the MAIL, and occasionally modems and PADs. You will get an error message something like 'SERVICE NOT ALLOWED'. I will give a more complete list of common services, but I will list the defaults and the major ones now. PAD, X25, X28- Will commonly take you to a Gandalf PAD, (or name of for which the default prompt is '*'. your PSN) 'HELP' will bring up a list of commands. MAIL - A non-removable default, but i've never seen it with the remote access flag in the ON position. CONNECT - Another non-removable default which i have never seen with the remote access flag in the on position. MODEM, DIAL - And variations therof. The common outdial is the Gandalf made Sam24V, which comes with a great set of help files. CONSOLE - The motherlode. The system controller, maintenance computer, test machine, and all of that. DON'T confuse the PACX console with the XMUX console, they are two very different things. The console should be protected by the sysadmin with his/her life, as every faction of the Starmaster is controlled from within the Console. The CONSOLE is a non-removable service from the server, BUT remote access can be removed thus cutting off our means of getting to it. Try it first, if it works the screen will scroll down a number of lines and give this herald/prompt; GANDALF TECHNOLOGIES INCORPORATED, COPYRIGHT 1990 OPERATOR NAME? This is not changable, it will remain the same except for possibly the copyright date. There can be 8 operators at the most, and they will have 1 to 8 characters in their name and password. And again, the PACX will tell you if your operator name is incorrect. You will be allowed 1 to 10 attempts at the login name and then it resets to 0 for the password attempt when you've found an operator name, but same limit. The same defaults for the usernames work here, if you are lucky, with the exception of HP. I'll list them again at the end. Once you get in, it is all menued and explanatory. DON'T FUCK THINGS UP. By that I mean deleting or modifying. Look. There is MUCH to see. The PACX console is incredibly powerful, and you will have much more fun exploring it. Besides, once you are in the console, the game is over. You have control over all the services, users, and all security barriers. If you get a high level console account, you are the God of the PACX, no joke. COMMON ACCOUNTS Usernames Passwords --------- --------- CONSOLE CONSOLE, PACX, GANDALF, OPERATOR, SYSTEM GAND GAND GANDALF GANDALF, SYSTEM, PACX, STARMAST, SYS GUEST GUEST, VISITOR, USER HP HP OPERATOR OPERATOR, SYSTEM, SYSLIB, LIB, GANDALF SYSTEM SYSTEM, SYS, OPERATOR, PACX, SYS, GANDALF TEST TEST, TESTUSER, USER, TESTER TESTUSER TEST, TESTUSER, USER, TESTER TESTER TEST, TESTUSER, USER, TESTER USER USER, GUEST, TEST, VISITOR, GANDALF (i've never seen an account such as MAINT, but i would guess one exists, along with standard system defaults. Try anything outside these lines) Services -------- 1 (if it works; higher) A (through Z) 10 (if it works; higher in sequence of tens) BBS CLUSTER CONNECT CONSOLE DATABASE DATAPAC DEC DIAL DIALOUT FILES FTP GATEWAY GEAC HELP HP INTERNET LIB LIBRARY LOOP MAIL MENU MODEM MUX NET NETWORK OUT OUTDIAL PACX12 PACX24 PACX96 PAD PRIME PRIMOS PROD SALES SERVER SUN SUNOS SYS SYSTEM TELNET TYMNET UNIX VAX VMS X25 X28 XCON XGATE XMUX And anything else you can think of. First names are also fairly common. Operator Name Password ------------- -------- TEST TEST, TESTUSER, USER, TESTER TESTUSER TEST, TESTUSER, USER, TESTER TESTER TEST, TESTUSER, USER, TESTER GANDALF GANDALF, SYSTEM, PACX, CONSOLE, SYS GUEST GUEST, VISITOR, USER SYSTEM SYSTEM, SYS, OPERATOR, PACX, SYS, GANDALF CONSOLE USER USER, GUEST, TEST, VISITOR, GANDALF OPERATOR OPERATOR, SYSTEM, CONSOLE, GANDALF CONSOLE CONSOLE, PACX, GANDALF, OPERATOR, SYSTEM SYS SYS, SYSTEM, GANDALF, PACX, CONSOLE And again, try first names and ANYTHING you can think of. Getting into the console should be your main objective. ACCESS2590- The Access2590 is another Gandalf creation. While it is a server system, it is different in some respects to a PACX. The Starmaster generally only connects computers on a local or wide area network(they do connect to X.25 & IP addresses, but they *usually* don't), while the Access 2590 connects to local & wide area network services, X.25 address, and IP addresses with suprising versatility. The PACX is, however, in much wider distribution. It will usually have an initial herald screen, often letting you know that it is indeed an Access server made by Gandalf. If the operator wishes he can include a menu of services with their respective descriptions in this provided space. Then you will find yourself at a prompt, the default being "Access 2590 >". I haven't seen any sort of initial protection before you hit that prompt, but i'm betting it does exist, and it probably goes along the lines of the PACX. Follow the trend I set with the PACX and you should do fine. Anyways, the one thing I like so much more about the Access 2590 compared to the Starmaster is the command "show symbols" . That was one of the big problems from a hacking point of view with the PACX; it doesn't have a command available to show you the services. If you get console access on the PACX you can get a listing of services that way, but you simply cannot hack a console account everytime, and besides that often the owner will have turned the remote console access flag off. If the operator wanted to give you help with services he had to take the initiative himself and design a herald screen or implement a help service, and few do. But the "show symbols" on an Access will give you a listing of all the available "symbols", which is Gandalf's term for services. Connect to them with "c xxx" where "xxx" is of course the service. And yes, to you eager folks who have tasted the PACX console's power, the Access does have a console. Type "c console" to get to it. Follow the PACX's guidelines, and you'll do fine. PICK- The PICK system was created by Dick Pick(no joke), and is a fairly widespread system, there are a few of them out there on the major PSNs. I really dislike PICK, but for those of you wishing to try it yourself, it is a fairly easy hack. A normal PICK login prompt looks somewhat like; 07 JUN 1993 04:00:21 Logon please: Additional data can be entered in that line, and a header may be used above that. However, PICKs are usually recognizable by that logon prompt which will normally contain the date and time, as well as the 'Logon please:'. If you aren't sure, enter the username 'SYSPROG', in ALL CAPS , as PICK is case sensitive and SYSPROG will be in capitals. SYSPROG is the superuser(or as PICK calls it the 'Ultimate User') and is similar to root on a Unix; it must be present. PICK lets you know when you've entered an invalid Username, which is helpful when finding valid accounts. Experiment with the upper and lower case if you wish, but upper case is the norm. The people who make PICK like to think of PICK as more a DBMS than an OS, and it is often sold just as that. Because of that, you may find it on Unix, MPE, and Primos based systems among others. One last note, internal passwording is possible on the PICK, so don't be too suprised if you think you've found an unpassworded system only to be hit by a password before the internal prompt. COMMON ACCOUNTS Usernames Passwords --------- --------- 1 ACC ACCT ACCTNAME ACCUMATH ACCUPLOT ACCUPLOT-DEMO ACCUPLOT, DEMO ARCHIVE AUDITOR AUDITORS BACKUP BATCH BLOCK-CONVERT BLOCK-PRINT COLDSTART COMBINATION COMM COMTEST CPA CPA.DOC CPA, DOC CPA.PROD CPA, PROD CTRL.GROUP CTRL, CONTROL DEMO DA DCG DEV DM DATA, MANAGER, MAN, MGR, DATAMGR, DATAMAN DOS ERRMSG EXCEPTIONAL EXECUTE-CONTROL EXPRESS.BATCH EXPRESS, BATCH FILE-SAVE FILESAVE, SAVE FILE-TRANSFER FINANCE FLUSHER FMS FMS.PROD FMS, PROD GAMES GAMES.DOS GAMES GENERAL INSTANT INSTANT.DOS INSTANT JOB KILL LEARN LEARN.DLR LEARN, DLR, LEARNDLR LOGON LOTUS LOTUS.DOS LOTUS MAIL.BOX MAIL MINDER MODEM-SECURITY MOTD.DATA MOTD NETCOM NET.OFF NETOFF NETUSER NETWORK NEWAC NOLOG OLD.USER ON-LINE-DIAGS DIAGS PERFECT-BKGRND POINTER-FILE PRICE.DOS PRICE PRICES.DOS PRICES PROCLIB PROC, LIBRARY, LIB PROD PROMCOR PROMIS-ARCHIVE PROMIS, ARCHIVE PROMIS-BKGRND PROMIS, BKGRND PROMO PWP QA QUALITY, CONTROL SCC.SYSPROG SCC, SYSPROG SCREENLIB SECURITY SET.PLF SET, PLF, PLFSET SL SPSYM STUDENT SUPPORT SYM.DOS SYM SYS SYS.DOC SYS SYSLIB SYSTEM, LIBRARY, SYS, LIB SYSPROG SYSTEM, PROGRAM, SYS, PROG, OPERATOR, DM SYSPROG-PL SYSPROG, PL SYSTEM-ERRORS TCL TEMP TEMP-SYSPROG TEMP, SYSPROG TEST TEST-BKGRND TEST TRAINING TRY.DOS TRY ULTICALC ULTILINK ULTIMATION UNIMAX WORDS WP WP.DOS WP WP42.DOS WP, WP42 WP50.DOS WP, WP50 WP51 WP, WP51 WP51.DOS WP, WP51 XES AOS/VS- AOS/VS is made by Data General Corporation(DGC), and is in my opinion the worst operating system i've seen yet. But, in the quest of knowledge, and to broaden your computer horizons, i suggest that you try to hack even this system, for what it's worth. The AOS/VS will usually readily identify itself with a banner such as; (yes, i'm overstepping my margin, i apologize) **** AOS/VS Rev 7.62.00.00 / Press NEW-LINE to begin logging on **** AOS/VS 7.62.00.00 / EXEC-32 7.62.00.00 11-Jun-93 0:27:31 @VCON1 Username: The username prompt looks deceivingly like a VMS, but it is not, and you can be sure by entering garbage for the username and password. The AOS/VS will reply; Invalid username - password pair AOS/VS will not let you know when you've entered an incorrect username. And a standard system will let you have 5 tries at a username/ password combination, but after that it gives this annoying message; Too many attempts, console locking for 10 seconds Having the system lock for 10 seconds does really nothing to the hacker, except slow brute forcing down a small bit(10 seconds). Anyways, once inside 'HELP' will give you a set of help files which i didn't enjoy too much, and 'WHO' will list the users online. COMMON ACCOUNTS Username Password -------- -------- guest op operator, op sysmgt sys, mgt, system, man, mgr, manager test user RSTS- Probably the oldest OS that is still out there is RSTS. RSTS was a very common OS a decade or so ago, but is now nearing extinction. However, there are still a few out there on PSNs, and thus you might want to attempt to hack in. The RSTS will usually identify itself like; RSTS V9.7-08 93.06.10 02:36 User: Before attempting to hack, try the SYSTAT command. It is likely it will be disabled, but it is worth a try. RSTS will tell you if the ID you've entered is incorrect with the error message; ?Invalid entry - try again The UIDs are in the format xxx,yyy , where x and y are digits. Just guess at UIDs until you hit one with a password. Also, the IDs will generally not go above 255 in both the x and y spots(ie: 255,255 is generally the highest ID). COMMON ACCOUNTS User ID Password ------- -------- 1,2 SYSLIB WNT- I really don't know much about Windows NT, mostly having to do with the fact that it was just released a little while ago and I have not seen it in action to this date. I don't know at what time in the future it will become widespread, but for you future hackers I did a little research and came up with the two manufacturer defaults; administrator and guest. Both come unpassworded.. administrator is the equivalent to root on a Unix, and guest is just as you'd expect .. a low level guest account. Interestingly enough, in the manuals I saw WNT sysadmins were encouraged to keep the guest account... unpassworded at that! Highly amusing.. let's see how long that lasts! Anyways.. Oh yeah.. case sensitive, too.. I'm pretty sure it is lowercase, but it is possible that the first letter is capitalized. Remember that when attempting to brute force new accounts. Oh, and keep in mind possible accounts such as "test" and "field" and the such. COMMON ACCOUNTS Username -------- administrator guest NETWARE- Novell Netware is the most common PC LAN software and is a popular among high-schools. The internal (and external for that matter) security is poor. COMMON ACCOUNTS Username Password -------- -------- admin operator, supervisor, sysadm backup guest visitor, user netware novell netware public remote server staff supervisor admin, operator, sysadm, supervis, manager system1 tape backup test testuser user visitor guest Sys75/85- AT&T's System75/85 have made a big splash in recent months despite their being around for years previous.. mostly due to codez kids discovering the PBX functions. Anyways, the hype has pretty much died down so it is probably safe to post the defaults. If you don't like my doing this, suck yourself. Anyone with access to this file probably has them by now anyways. And if not, all the better. Free information has always been one of our primary goals, and I don't intend to change that for some insecure pseudo-hackers. COMMON ACCOUNTS Username Password -------- -------- browse looker craft crftpw, craftpw cust custpw field support inads indspw, inadspw init initpw rcust rcustpw AS400- Another OS that was only really in use before my time, AS-400 is IBM made. I pulled this from the old UPT messages, thanks to anybody who contributed. It should in fact identify itself as an AS-400 at login time. I'm unsure of the case-sensativity of the characters.. i'll enter them as lowercase, but if unsuccessful use caps. COMMON ACCOUNTS Username -------- qsecofr qsysopr quser sedacm sysopr user TSO- An IBM product, TSO can be found stand alone, but is commonly found off an ISM. Upon connect you should see a login prompt that looks like: IKJ56700A ENTER USERID- Or something close. It will tell you if the username entered is incorrect: IKJ5642OI USERID xxx NOT AUTHORIZED TO USE TSO IKJ56429A REENTER- Occasionally some of the accounts will have the STC attribute and can not be used for remote login. COMMON ACCOUNTS Username Password -------- -------- admin adm, sysadm, op guest init maint systest test test1 test tso BRUTE FORCE =========== ----------- Passwords ========= Occasionally you will find yourself in a position where you wish to penetrate a system, but defaults are taken off and social engineering is not possible. The dedicated hacker then begins the tedious process of trying password after password, hoping to crowbar his way into the system. Thus the term 'Brute Force' was born, aptly describing this process. Brute force is the absolute ugliest way of obtaining an account, but is is often effective. It is ugly for a number of reasons, having to do with the fact that you will have to call the system hundreds of times if the account is not easily brute forced. However, first i will explain a modified form of brute force; intelligent brute force. In this process, the hacker tries the users first name, as that is the most common password of all, and a database of 20-100 common passwords. The difference between this and the normal brute forcing is you cut your time down considerably, but your chances of getting in go down as well. Normal brute forcing is rarely done nowadays; the greats of yesterday would spend 6 hours at a sitting trying passwords, but people nowadays seem to think 5 minutes is sufficient. Ugh. If standard brute forcing is done, it is accomplished with automation, usually. Meaning the hacker will set up a program or a script file to spew out dictionary passwords for him, then go to the movies or whatever. Obviously, any way you do it, standard brute forcing is fairly dangerous. A sysadmin is more likely to notice you trying a username/password 2000 times than 50. If you choose to do automated brute forcing, it might be a good idea to set up a hacked system to do it for you, such as a procured Unix. I would not, however, suggest wasting the powers of a Cray on such a menial task as brute force. You can only go as fast as the host system will let you. The danger in this is obvious, you will have to be connected to the remote system for a long time, leaving you wide open for a trace. It is up to you. And, of course, brute forcing requires a username. If you don't have a username, you are probably out of luck. One thing you should definetly do is make a list of first names, and make it fairly complete. Buy/steal a baby names book or look inside your phone book and copy down the more commmon names on to a piece of paper or into a file. Other than first names, husband/wife, boyfriend/girlfriend and childs names are the most common passwords. Ok, here are the basics to intelligent brute force hacking; 1. try the users first name 2. try your list of first names, male and female 2. try the users first name, with a lone digit(1 to 9) after the username 3. try the users first name, with a lone digit(1 to 9) after the username 4. try the users first name, with a letter appended to the end(A to Z) 5. try anything related to the system you are on. If you are on a VAX running VMS on the Datapac PSN, try VAX, VMS, Datapac, X25, etc 6. try anything related to the company/service the system is owned by. if the user is on a system owned by the Pepsi Cola company, try Pepsi, Cola, Pepsico, etc. 7. finally, try passwords from your list of common passwords. your list of common passwords should not be above 200 words. The most popular passwords are; password secret money sex smoke beer x25 system hello cpu aaa abc fuck shit Add on popular passwords to that as you see fit. Remember; most passwords are picked spontaneously, on whatever enters the users mind at that time(you know the feeling, i bet). Attempt to get into the users mind and environment, to think what he would think. If you can't do that, just try whatever comes to your mind, you'll get the hang of it. Brute Forcing User Names ======================== A different form of brute force is that when you need a username to hack passwords from. In order to guess a valid username, you must be on a system that informs you when your username is invalid; thus VMS and Unix are out of the question. There are two types of usernames(by my definition); user and system. The user usernames are the standard user's usernames. Examples would be John, Smith, JMS, JSmith, and JohnS. The system usernames are special usernames used by the system operators to perform various functions, such as maintenance and testing. Since these usernames are not owned by actual people(usually), they are given a name which corresponds to their function. Guessing either type is usually fairly easy. User usernames are standardly in one of 2 formats; first name or last name the more common format being first name. Less common formats are initials, first initial/last name, and first name/last initial. Occasionally the username formats will have nothing to do with names at all, and will instead be 6 or 8 digit numbers. Have fun. The users of a system will almost always have the same format as each other. When you guess one, guessing more shouldn't be too hard. For first names, again consult the list you made from the baby names book. For last names, construct a list of the most common last names, ideally out of the phone book, but if you are too lazy your mind will do fine. SMITH and JONES are the most common non-foreign names. For initials, use common sense. Guess at 3 letter combinations, and use sensible formats. Meaning don't use XYZ as a rule, go for JMS, PSJ, etc, to follow along with common first names and last names. If you are getting no luck whatsoever, try switching your case(ie: from all lower case to all upper case), the system might be case sensitive. Usually guessing system names shouldn't be necessary; I gave a default list for all the major systems. But if you run across a system not listed, you will want to discover defaults of your own. Use common sense, follow along with the name of the new OS and utilities that would fit with that name. Attempt to find out the username restrictions for that system, if usernames have to be 6 characters long, try only 6 character user names. And finally, here is a list of common defaults(they are capitalized for convienience, but as a rule use lower case); OPERATOR SYSOP OP OPER MANAGER SYSMAN SYSMGR MGR MAN ADMIN SYSADMIN ADM SYSADM BOSS MAIL SYSTEM SYS SYS1 MAINT SYSMAINT TEST TESTER TESTUSER USER USR REMOTE PUB PUBLIC GUEST VISITOR STUDENT DEMO TOUR NEWS HELP MGT SYSMGT SYSPROG PROD SALES MARKET LIB LIBRARY FILES FILEMAN NET NETWORK NETMAN NETMGR RJE DOS GAMES INFO SETUP STARTUP CONTROL CONFIG DIAG SYSDIAG STAT SYSDIAGS DIAGS BATCH SUPRVISR SYSLIB MONITOR UTILITY UTILS OFFICE CORP SUPPORT SERVICE FIELD CUST SECURITY WORD DATABASE BACKUP FRIEND DEFAULT FINANCE ACCOUNT HOST ANON SYSTEST FAX INIT INADS SETUP Brute Forcing Services ====================== There is also the time when you are on a server system, and you need places to go. You will surely be told if the service you've entered is incorrect, so just try things that come to mind, and the following list; (the server may be case sensitive..use upper or lower case as you wish) (NOTE: Try digits(1 +) and letters(A-Z) also) SERVER NETWORK NET LINK LAN WAN MAN CONNECT LOG LOGIN HELP DIAL OUT OUTDIAL DIALOUT MODEM MODEMOUT INTERNET TELNET PAD X25 X28 FTP SYSTEM SYS SYS1 SYSTEM1 UNIX VAX VMS HP CONSOLE INFO CMDS LIST SERVICES SERVICE SERVICE1 COMP COMPUTER CPU CHANNEL CHANNEL1 CH1 CH01 GO DO ? LOG ID USERS SHOW WHO PORT1 PORT NODE1 NODE LINK1 DISPLAY CONFIG CONTROL DIAGS SYSDIAGS DIAG SYSDIAG HELLO EMAIL MAIL SET DEFINE PARAMS PRINT PHONE PHONES SESSION SESSION1 BEGIN INIT CUST SERVICE SUPPORT BUSINESS ACCT ACCOUNT FINANCE SALES BUFFER QUEUE STAT STATS SYSINFO SYSTAT FTP ACCESS DISK LIB SYSLIB LIBRARY FILES BBS LOOP TEST SEARCH MACRO CALL COMMANDS TYPE FIND ASK QUERY JOIN ATTACH JOB REMOTE COM1 COM CALLER LOGGER MACHINE BULLITEN CLUSTER RUN HELLO PAYROLL DEC SOCIAL ENGINEERING ================== ------------------ While I am in no way going to go indepth on SE(social engineering) at this point, i will explain the premise of SE to those new to it. Social engineering can be defined any number of ways, but my definition goes along the lines of; "Misrepresentation of oneself in a verbal manner to another person in order to obtain knowledge that is otherwise unattainable." Which in itself is a nice way of putting "manipulation, lying and general bullshitting". Social engineering is almost always done over the phone. I'll give an example. The hacker needs information, such as an account, which he cannot get by simple hacking. He calls up the company that owns the system he wishes to penetrate, and tells them he is Joe Blow of the Computer Fixing Company, and he is supposed to fix their computers, or test them remotely. But gosh, somebody screwed up and he doesn't have an account. Could the nice lady give him one so he can do his job and make everybody happy? See the idea? Misrepresentation of the truth; pretending to be someone you aren't. If you are skeptical, you shouldn't be. SE is tried and true, due to the fact that any company's biggest security leak is their employees. A company can design a system with 20 passwords, but if an uncaring employee unwittingly supplies a hacker with all of these passwords, the game is over. You *must* have the voice for it. If you sound like a 12 year old, you aren't going to get shit. If you can't help it, there are telephone-voice changers(which any SE practicer should have anyways) that will do it for you. If the person wishes to contact higher authority(who will probably suspect somethings up), get mad. Don't go into a rage, but do get angry. Explain that you have a job to do, and be persuasive. I won't go more into SE, there are tons of text files out there on it already. Just remember to keep calm, have a back up plan, and it is a good idea to have the script on paper, and practice it a bit before hand. If you sound natural and authorative, you will get whatever you want. And practice makes perfect. TRASHING ======== -------- Trashing is another thing i will not go too indepth on, but i will provide a very quick overview. Trashing is the name given to the process of stealing a companies trash, then rooting through it and saving the valuable information. Trashing is practiced most often on the various RBOCs, but if you are attempting to hack a system local to you, it might be a good idea to go trashing for a few weeks, you might find a printout or a scrap of paper with a dialup or username and password written on it. ACRONYMS ======== -------- This is a basic list of H/P acronyms I've compiled from various sources.. it should be big enough to serve as an easy reference without being incredibly cumbersome ABSBH: Average Busy Season Busy Hour AC: Area code ACC: Automatic Communications Control ACC: Asynchronous Communications Center ACD: Automatic Call Distributor ACE: Automatic Calling Equipment ACF: Advanced Communications Functions ACN: Area Code + Number ADPCM: Adaptive Differential Pulse Code Modulation AIS: Automatic Intercept System ALFE: Analog Line Front End ALRU: Automatic Line Record Update AM: Account Manager AM: Access Module AM: Amplitude Modulation AMA: Automatic Message Accounting AMSAT: American Satellite AN: Associated Number ANI: Automatic Number Identification ANXUR: Analyzer for Networks with Extended Routing AOSS: Auxiliary Operator Services System AP: Attached Processor ARC: Automatic Response Control ARP: Address Resolution Protocol ARPA: Advanced Reasearch Projects Agency ARS: Automatic Response System ARSB: Automated Repair Service Bureau AT: Access Tandem ATB: All Trunks Busy ATH: Abbreviated Trouble History ATM: Automated Teller Machine ATM: Asynchronous Transfer Mode AT&T: American Telegraph and Telephone Company AVD: Alternate Voice Data BCD: Binary Coded Decimal BCUG: Bilateral CUG BELLCORE: Bell Communications Research BGP: Border Gateway Protocol BHC: Busy Hour Calls BLV: Busy Line Verification BOC: Bell Operating Company BOR: Basic Output Report BOS: Business Office Supervisor BSC: Binary Synchronous Module BSCM: Bisynchronous Communications Module BSOC: Bell Systems Operating Company CA: Cable CADV: Combined Alternate Data/Voice CAMA: Centralized Automatic Message Accounting CATLAS Centralized Automatic Trouble Locating & Analysis System CAU: Controlled Access Unit CAVD: Combined Alternated Voice/Data CBC Cipher Block Chaining CBS: Cross Bar Switching CBX: Computerized Branch Exchange CBX: Computerized Business Exchange CC: Calling Card CC: Common Control CC: Central Control CC: Country Code CCC: Central Control Complex CCC: Clear Channel Capability CCC: Central Control Computer CCIS: Common Channel Interoffice Signalling CCITT: International Telephone and Telegraph Consultative Committee CCM: Customer Control Management CCNC: Common Channel Network Controller CCNC: Computer Communications Network Center CCS: Common Channel Signalling CCSA: Common Control Switching Arrangement CCSA: Common Central Switching Arrangement CCSS: Common Channel Signalling System CCT: Central Control Terminal CCTAC: Computer Communications Trouble Analysis Center CDA: Call Data Accumulator CDA: Crash Dump Analyzer CDA: Coin Detection and Announcement CDAR: Customer Dialed Account Recording CDC: Control Data Corporation CDI: Circle Digit Identification CDO: Community Dial Office CDPR: Customer Dial Pulse Receiver CDR: Call Dial Recording CDS: Cicuit Design System CEF: Cable Entrance Facility CERT: Computer Emergency Response Team CF: Coin First CGN: Concentrator Group Number CI: Cluster Interconnect CIC: Carrier Identification Codes CICS: Customer Information Control System CID: Caller ID CII: Call Identity Index CIS: Customer Intercept Service CISC: Complex Instruction Set Computing CLASS: Custom Local Area Signalling Service CLASS: Centralized Local Area Selective Signalling CLDN: Calling Line Directory Number CLEI: Common Language Equipment Identification CLI: Calling Line Identification CLID: Calling Line Identification CLLI: Common Language Location Indentifier CLNP: Connectionless Network Protocol CMAC: Centralized Maintenance and Administration Center CMC: Construction Maintenance Center CMDF: Combined Main Distributing Frame CMDS: Centralized Message Data System CMIP: Common Management Information Protocol CMS: Call Management System CMS: Conversational Monitoring System CMS: Circuit Maintenance System CMS: Communications Management Subsystem CN/A: Customer Name/Address CNA: Communications Network Application CNAB: Customer Name Address Bureau CNCC: Customer Network Control Center CNI: Common Network Interface CNS: Complimentary Network Service CO: Central Office COC: Central Office Code COCOT: Customer Owned Coin Operated Telephone CODCF: Central Office Data Connecting Facility COE: Central Office Equipment COEES: Central Office Equipmet Engineering System COER: Centarl Office Equipment Reports COLT: Central Office Line Tester COMSAT: Communications Satellite COMSEC: Communications Security COMSTAR: Common System for Technical Analysis & Reporting CONS: Connection-Oriented Network Service CONTAC: Central Office Network Access COS: Class of Service COSMIC: Common Systems Main Inter-Connection COR: Class Of Restriction COSMOS: Computerized System For Mainframe Operations COT Central Office Terminal CP: Control Program CPBXI: Computer Private Branch Exchange Interface CPC: Circuit Provisioning Center CPD: Central Pulse Distributor CPMP: Carrier Performance Measurement Plan CRAS: Cable Repair Administrative System CRC: Customer Record Center CRC: Customer Return Center CREG: Concentrated Range Extension & Gain CRG: Central Resource Group CRIS: Customer Record Information System CRS: Centralized Results System CRSAB: Centralized Repair Service Answering Bureau CRT: Cathode Ray Tube CRTC: Canadian Radio-Television and Telecommunications Commission CSA: Carrier Servicing Area CSAR: Centralized System for Analysis and Reporting CSC: Cell Site Controller CSC: Customer Support Center CSDC: Circuit Switch Digital Capability CSP: Coin Sent Paid CSMA/CD: Carrier Sense Multiple Access/Collission Detection CSR: Customer Service Records CSS: Computer Special Systems CSS: Computer Sub-System CSU: Channel Service Unit CT: Current Transformer CTC: Channel Termination Charge CTC: Central Test Center CTM: Contac Trunk Module CTMS: Carrier Transmission Measuring System CTO: Call Transfer Outside CTSS: Compatible Time Sharing System CTSS: Cray Time Sharing System CTTN: Cable Trunk Ticket Number CTTY: Console TeleType CU: Control Unit CU: Customer Unit CUG: Closed User Group CWC: City-Wide Centrex DA: Directory Assistance DACC: Directort Assistance Call Completion DAA: Digital Access Arrangements DACS: Digital Access and Cross-connect System DACS: Directory Assistance Charging System DAIS: Distributed Automatic Intercept System DAL: Dedicated Access Line DAO: Directory Assistance Operator DAP: Data Access Protocol DARC: Division Alarm Recording Center DARPA: Department of Defense Advanced Research Projects Agency DARU: Distributed Automatic Response Unit DAS: Device Access Software DAS: Directory Assistance System DAS: Distributor And Scanner DAS: Dual Attachment Station DASD: Direct Access Storage Device DBA: Data Base Administrator DBA: Digital Business Architecture DBAC: Data Base Administration Center DBAS: Data Base Administration System DBC: Digital Business Center DBM: Database Manager DBMS: Data Base Management System DBS: Duplex Bus Selector DCA: Defense Communications Agency DCC: Data Country Code DCC: Data Collection Computer DCE: Data Circuit-Terminating Equipment DCE: Data Communicating Equipment DCL: Digital Computer Language DCLU: Digital Carrier Line Unit DCM: Digital Carrier Module DCMS: Distributed Call Measurement System DCMU: Digital Concentrator Measurement Unit DCO-CS: Digital Central Office-Carrier Switch DCP: Duplex Central Processor DCS: Digital Cross-Connect System DCSS: Discontiguous Shared Segments DCSS: Digital Customized Support Services DCT: Digital Carrier Trunk DDCMP: Digital Data Communications Message Protocol DDD: Direct Distance Dialing DDN: Defense Data Network DDR: Datapac Design Request DDS: Digital Data Service DDS: Digital Data System DDS: Dataphone Digital Service DEC: Digital Equipment Corporation DES: Data Encryption Standard DF: Distributing Frame DGC: Data General Corporation DH: Distant Host DID: Direct Inward Dialing DIMA: Data Information Management Architecture DINS: Digital Information Network Service DIS: Datapac Information Service DISA: Direct Inward System Access DLC: Digital Loop Carrier DLS: Dial Line Service DM: Demultiplexer DMA: Direct Memory Access DN: Directory Numbers DNA: Datapac Network Address DNA: Digital Named Accounts DNA: Digital Network Architecture DNIC: Data Network Identifier Code DNR: Dialed Number Recorder DNS: Domain Name Service DNS: Domain Name System DOCS: Display Operator Console System DOD: Department Of Defense DOM: District Operations Manager DPSA: Datapac Serving Areas DPTX: Distributed Processing Terminal Executive DSC: Data Stream Compatibility DSI: Data Subscriber Interface DSL: Digital Subscriber Line DSN: Digital Services Network DSU: Data Service Unit DSU: Digital Service Unit DSX: Digital Signal Cross-Connect DTC: Digital Trunk Controller DTE: Data Terminal Equipment DTF: Dial Tone First DTG: Direct Trunk Group DTI: Digital Trunk Interface DTIF: Digital Tabular Interchange Format DTMF: Dual Tone Multi-Frequency DTN: Digital Telephone Network DTST: Dial Tone Speed Test DVM: Data Voice Multiplexor EAEO: Equal Access End Office EA-MF: Equal Access-Multi Frequency EBDI: Electronic Business Data Interchange EC: Exchange Carrier ECC: Enter Cable Change EDC: Engineering Data Center EDI: Electronic Data Interchange EE: End to End Signaling EEDP: Expanded Electronic Tandem Switching Dialing Plan EGP: Exterior Gateway Protocol EIES: Electronic Information Exchange System EIU: Extended Interface Unit EKTS: Electonic Key Telephone Service ELDS: Exchange Line Data Service EMA: Enterprise Management Architecture EO: End Office EOTT: End Office Toll Trunking EREP: Environmental Recording Editing and Printing ESA: Emergency Stand Alone ESB: Emergency Service Bureau ESN: Electronic Serial Number ESP: Enhanced Service Providers ESS: Electronic Switching System ESVN: Executive Secure Voice Network ETS: Electronic Tandem Switching EWS: Early Warning System FAC: Feature Access Code FAM: File Access Manager FCC: Federal Communications Commission FCO: Field Change Order FDDI: Fiber Distributed Data Interface FDM: Frequency Division Multiplexing FDP: Field Development Program FEP: Front-End Processor FEV: Far End Voice FIFO: First In First Out FIPS: Federal Information Procedure Standard FM: Frequency Modulation FMAP: Field Manufacturing Automated Process FMIC: Field Manufacturing Information Center FOA: First Office Application FOIMS: Field Office Information Management System FPB: Fast Packet Bus FRL: Facilities Restriction Level FRS: Flexible Route Selection FRU: Field Replaceable Unit FS: Field Service FSK: Frequency Shift Keying FT: Field Test FTG: Final Trunk Group FTP: File Transfer Protocol FTPD: File Transfer Protocol Daemon FX: Foreign Exchange GAB: Group Access Bridging GCS: Group Control System GECOS: General Electric Comprehensive Operating System GGP: Gateway-to-Gateway Protocol GOD: Global Out Dial GPS: Global Positioning System GRINDER: Graphical Interactive Network Designer GSA: General Services Administration GSB: General Systems Business GTE: General Telephone HCDS: High Capacity Digital Service HDLC: High Level Data Link Control HLI: High-speed LAN Interconnect HDSC: High-density Signal Carrier HPO: High Performance Option HUTG: High Usage Trunk Group HZ: Hertz IBM: International Business Machines IBN: Integrated Business Network IC: Intercity Carrier IC: InterLATA Carrier IC: Interexchange Carrier ICAN: Individual Circuit Analysis Plan ICH: International Call Handling ICM: Integrated Call Management ICMP: Internet Control Message Protocol ICN: Interconnecting Network ICPOT: Interexchange Carrier-Point of Termination ICUG: International Closed User Group ICVT: Incoming Verification Trunk IDA: Integrated Digital Access IDCI: Interim Defined Central Office Interface IDDD: International Direct Distance Dialing IDLC: Integrated Digital Loop Carrier IDN: Integrated Digital Networks IEC: Interexchange Carrier IMP: Internet Message Processor IMS: Information Management Systems IMS: Integrated Management Systems IMTS: Improved Mobile Telephone Service INAP: Intelligent Network Access Point INS: Information Network System INTT: Incoming No Test Trunks INWATS: Inward Wide Area Telecommunications Service IOC: Interoffice Channel IOC: Input/Output Controller IOCC: International Overseas Completion Center IP: Intermediate Point IP: Internet Protocol IPCF: Inter-Program Communication Facility IPCH: Initial Paging Channel IPCS: Interactive Problem Control System IPL: Initial Program Load IPLI: Internet Private Line Interface IPLS: InterLATA Private Line Services IPSS: International Packet-Switched Service IRC: Internet Relay Chat IRC: International Record Carrier ISC: Inter-Nation Switching Center ISDN: Integrated Services Digital Network ISIS: Investigative Support Information System ISO: International Standards Organization ISSN: Integrated Special Services Network ISU: Integrated Service Unit ISWS: Internal Software Services ITDM: Intelligent Time Division Multiplexer ITI: Interactive Terminal Interface ITS: Interactive Terminal Support ITS: Incompatible Time-Sharing System ITT: International Telephone and Telegraph IVP: Installation Verification Program IX: Interactive Executive IXC: Interexchange Carrier JCL: Job Control Language JES: Job Entry System KP: Key Pulse LAC: Loop Assignment Office LADS: Local Area Data Service LADT: Local Area Data Transport LAM: Lobe Access Module LAN: Local Area Network LAP: Link Access Protocol LAPB: Link Access Protocol Balanced LAPS: Link Access Procedure LASS: Local Area Signalling Service LASS: Local Area Switching Service LAST: Local Area System Transport LAT: Local Area Transport LATA: Local Access Transport Area LAVC: Local Area VAX Cluster LBS: Load Balance System LCDN: Last Call Directory Number LCM: Line Concentrating Module LCN: Logical Channel LD: Long Distance LDEV: Logical Device LDM: Limited Distance Modem LDS: Local Digital Switch LEBC: Low End Business Center LEC: Local Exchange Carrier LEN: Low End Networks LENCL: Line Equipment Number Class LGC: Line Group Controller LH: Local Host LIFO: Last In First Out LIP: Large Internet Protocol LLC: Logical Link Control LM: Line Module LMOS: Loop Maintenance and Operations System LSI: Large Scale Integration LTC: Line Trunk Controller LU: Local Use LVM: Line Verification Module MAC: Media Access Control MAC: Message Authentication MAN: Metropolitan Area Network MAP: Maintenance and Administration Position MAP: Manufacturing Automation Protocol MAT: Multi-Access Trunk MAU: Multistation Access Unit MBU: Manufacturing Business Unit MCA: Micro Channel Architecture MCI: Microwave Communications, Inc. MCP: Master Control Program MCT: Manufacturing Cycle Time MCU: Multi Chip Unit MDR: Message Detail Record MDS: Message Design Systems MDU: Marker Decoder Unit MF: Multi-Frequency MFD: Main Distributing Frame MFR: Mult-Frequency Receivers MFT: Metallic Facility Terminal MHZ: Mega-Hertz MIB: Management Information Base MIC: Management Information Center MIF: Master Item File MIS: Management Information Systems MJU: MultiPoint Junction Unit MLHG: Multiline Hunt Group MLT: Mechanized Loop Testing MNS: Message Network Basis MOP: Maintenance Operation Protocol MP: Multi-Processor MPL: Multischedule Private Line MPPD: Multi-Purpose Peripheral Device MRAA: Meter Reading Access Arrangement MSCP: Mass Storage Control Protocol MSI: Medium Scale Integration MTBF: Mean Time Between Failure MTS: Message Telecommunication Service MTS: Message Telephone Service MTS: Message Transport Service MTS: Mobile Telephone Service MTSO: Mobile Telecommunications Switching Office MTU: Maintenence Termination Unit MUX: Multiplexer MVS: Multiple Virutal Storage MWI: Message Waiting Indicator NAM: Number Assignment Module NAS: Network Application Support NC: Network Channel NCCF: Network Communications Control Facility NCI: Network Channel Interface NCIC: National Crime Information Computer NCP: Network Control Program NCS: Network Computing System NCTE: Network Channel Terminating Equipment NDA: Network Delivery Access NDC: Network Data Collection NDIS: Network Device Interface Specification NDNC: National Data Network Centre NDS: Network Data System NDU: Network Device Utility NEBS: Network Equipment Building System NECA: National Exchange Carriers Association NFS: Network File Sharing NFS: Network File System NFT: Network File Transfer NI: Network Interconnect NI: Network Interface NIC: Network Information Center NIC: Network Interface Card NJE: Network Job Entry NLM: Netware Loadable Modules NLM: Network Loadable Modules NM: Network Module NMR: Normal Mode Rejection NOS: Network Operating System NPA: Numbering Plan Area NPA: Network Performance Analyzer NSF: National Science Foundation NSP: Network Services Protocol NTE: Network Terminal Equipment NUA: Network User Address NUI: Network User Identifier OC: Operator Centralization OCC: Other Common Carrier OD: Out Dial ODA: Office Document Architecture ODDB: Office Dependent Data Base ODI: Open Data Interface OGT: Out-Going Trunk OGVT: Out-Going Verification Trunk OIS: Office Information Systems OLTP: On-Line Transaction Processing ONI: Operator Number Identification OPCR: Operator Actions Program OPM: Outside Plant Module OPM: Outage Performance Monitoring OR: Originating Register OS: Operating System OSI: Open Systems Interconnection OSL: Open System Location OSS: Operator Services System OST: Originating Station Treatment OTC: Operating Telephone Company OTR: Operational Trouble Report OUTWATS: Outward Wide Area Telecommunications Service PABX: Private Automated Branch Exchange PACT: Prefix Access Code Translator PAD: Packet Assembler/Disassembler PADSX: Partially Automated Digital Signal Cross-Connect PAM: Pulse Amplitude Modulation PAX: Private Automatic Exchange PBU: Product Business Unit PBX: Private Branch Exchange PC: Primary Center PCM: Pulse Code Modulation PCP: PC Pursuit PFM: Pulse Frequency Modulation PGA: Pin Grid Array PIN: Personal Identification Number PLA: Programmable Logic Array PLD: Programmable Logic Device PLS: Programmable Logic Sequencer PM: Phase Modulation PM: Peripheral Module PMAC: Peripheral Module Access Controller PMR: Poor Mans Routing PNC: Primenet Node Controller POC: Point of Contact POF: Programmable Operator Facility POP: Point of Presence POS: Point Of Sale POT: Point of Termination POTS: Plain Old Telephone Service PPN: Project Program Number PPP: Point to Point Protocol PPS: Public Packet Switching PPSN: Public Packet Switched Network PSAP: Public Safety Answering Point PSDC: Public Switched Digital Capability PSDCN: Packet-Switched Data Communication Network PSDN: Packet-Switched Data Network PSDS: Public Switched Digital Service PSN: Packet-Switched Network PSS: Packet-Switched Service PSW: Program Status Word PTE: Packet Transport Equipment PTS: Position and Trunk Scanner PTT: Postal Telephone & Telegraph PVC: Permanent Virtual Call PVN: Private Virtual Network PWC: Primary Wiring Center QPSK: Quadrature Phase-Shift Keying RACF: Resource Access Control Facility RAO: Revenue Accounting Office RARP: Reverse Address Resolution Protocol RBG: Realtime Business Group RBOC: Regional Bell Operating Company RC: Rate Center RC: Regional Center RDB: Relational Database RDSN: Region Digital Switched Network RDT: Restricted Data Transmissions RDT: Remote Digital Terminal REP: Reperatory Dialing REXX: Restructured Extended Executer Language RFC: Request For Comments RIP: Routing Information Protocol RIS: Remote Installation Service RISC: Reduced Instruction Set Computer RISD: Reference Information Systems Development RJE: Remote Job Entry RLCM: Remote Line Concentrating Module RNOC: Regional Network Operations Center ROTL: Remote Office Test Line RPC: Remote Procedure Call RPE: Remote Peripheral Equipment RSA: Reference System Architecture RSB: Repair Service Bureau RSC: Remote Switching Center RSCS: Remote Spooling Communications Subsystem RSS: Remote Switching System RSU: Remote Switching Unit RTA: Remote Trunk Arrangement RTG: Routing Generator R/W: Read/Write RX: Remote Exchange SA: Storage Array SABB: Storage Array Building Block SAM: Secure Access Multiport SARTS: Switched Access Remote Test System SAS: Switched Access Services SAS: Single Attachment System SBB: System Building Block SABM: Set Asynchronous Balanced Mode SAC: Special Area Code SBS: Satellite Business Systems SC: Sectional Center SCC: Specialized Common Carrier SCC: Switching Control Center SCCP: Signaling Connection Control Part SCCS: Switching Control Center System SCF: Selective Call Forwarding SCF: Supervision Control Frequency SCM: Station Class Mark SCM: Subscriber Carrier Module SCP: Signal Conversion Point SCP: System Control Program SCP: Service Control Point SCR: Selective Call Rejection SDLC: Synchronous Data Link Control SF: Single-Frequency SFE: Secure Front End SIDH: System Identification Home SIT: Special Information Tones SLIC: Subscriber Line Interface Card SLIM: Subscriber Line Interface Module SLIP: Serial Line Internet Protocol SLS: Storage Library System SLU: Serial Line Unit SM: System Manager SMDI: Storage Module Disk Interconnect SMDR: Station Manager Detail Recording SMI: System Management Interrupt SMP: Symmetrical Multi-Processing SMS: Self-Maintenance Services SMS: Station Management System SMTP: Simple Mail Transfer Protocol SNA: Systems Network Architecture SNMP: Simple Network Management Protocol SONDS: Small Office Network Data System SOST: Special Operator Service Treatment SP: Service Processor SPC: Stored Program Control SPCS: Stored Program Control System SPCSS: Stored Program Control Switching System SPM: Software Performance Montior SQL/DS: Structured Query Language/Data System SRC: System Resource Center SS: Signaling System SSAS: Station Signaling and Announcement System SSCP: Systems Service Control Point SSCP: Subsystem Services Control Point SSP: Switching Service Points SSS: Strowger Switching System ST: Start STC: Service Termination Charge STD: Subscriber Trunk Dialing STP: Signal Transfer Point STS: Synchronous Transport Signal SVC: Switched Virtual Call SWG: Sub Working Group SxS: Step-by-Step Switching T-1: Terrestrial Digital Service TAC: Trunk Access Code TAC: Terminal Access Circuit TAC: Terminal Access Center TAS: Telephone Answering Service TASI: Time Assignment Speech Interpolation TBU: Terminals Business Unit TC: Toll Center TCAP: Transaction Capabilities ApplicationPart TCC: Technical Consulting Center TCC: Telecommunications Control Computer TCF: Transparent Connect Facility TCM: Time Compression Multiplexing TCP: Transmission Control Protocol TDAS: Traffic Data Administration System TDCC: Transport Data Coordinating Committee TDM: Time Division Multiplexer TDMS: Terminal Data Management System TDS: Terrestrial Digital Service TH: Trouble History TIDE: Traffic Information Distributor & Editor TIS: Technical Information Systems TLB: TransLAN Bridge TM: Trunk Module TMSCP: Tape Mass Storage Control Protocol TNDS: Total Network Data System TNPS: Traffic Network Planning Center TO: Toll Office TOP: Technical Office Protocol TOPS: Traffic Operator Position System TP: Transport Protocol TP: Toll Point TP: Transaction Processing TPC: Transaction Processiong Performance Council TREAT: Trouble Report Evaluation and Analysis Tool TRIB: Throughput Rate in Information Bits TRT: Tropical Radio and Telephone TSB: Time Shared Basic Environment TSG: Timing Signal Generator TSN: Terminal Switching Network TSO: Time Sharing Option TSPS: Traffice Service Position System TTL: Transistor-to-Transistor Logic TTS: Trunk Time Switch TWX: Type Writer Exchange UA: Unnumbered Acknowledgement UAE: Unrecoverable Application Error UART: Universal Asynchronous Receiver Transmitter UCS: Uniform Communication Standard UDC: Universal Digital Channel UDP: User Datagram Protocol UDVM: Universal Data Voice Multiplexer UID: User Identifier UPC: Utility Port Conditioner USC: Usage Surcharge USDN: United States Digital Network USTS: United States Transmission Systems UUCP: Unix to Unix Copy Program VAN: Value Added Networks VAX: Virtual Address Extention VCPI: Virtual Control Program Interface VDU: Visual Display Unit VF: Voice Frequency VFU: Vertical Forms Unit VFY: Verify VIA: Vax Information Architecture VLM: Virtual Loadable Module VLSI: Very Large Scale Integration VMB: Voice Mail Box VMCF: Virtual Machine Communications Facility VMS: Virtual Memory System VMS: Voice Mail System VM/SP: Virtual Machine/System Product VPA: VAX Performance Advisor VPS: Voice Processing System VSAM: Virtual Storage Access Method VSE: Virtual Storage Extended VTAM: Virtual Telecommunications Access Method VTOC: Volume Table Of Contents VUIT: Visual User Interface Tool VUP: Vax Unit of Processsing WAN: Wide Area Network WATS: Wide Area Telecommunications System WATS: Wide Area Telephone Service WC: Wiring Center WCPC: Wire Center Planning Center WDCS: Wideband Digital Cross-Connect System WDM: Wavelength Division MultiPlexing WES: Western Electronics Switching WUI: Western Union International XB: Crossbar Switching XBAR: Crossbar Switching XBT: Crossbar Tandem XNS Xerox Network Systems XSV Transfer Cost System Value XTC Extended Test Controller CONCLUSION ========== ---------- Last words ========== Well, i sincerely hope that this file was of some use to you, and i would encourage you to distribute it as far as you can. If you enjoyed it, hated it, have suggestions, or whatever, feel free to email me at my Internet address(my only permanent one for now) or at a BBS, if you can find me. Have phun... - Deicide - Recommended Reading =================== Neuromancer, Mona Lisa Overdrive, Count Zero and all the rest, by William Gibson The Hacker Crackdown, by Bruce Sterling Cyberpunk, by Katie Hafner and John Markoff The Cuckoo's Egg, by Cliff Stoll 2600: The best h/p printed zine. $21 in American funds, U.S. & Canada. 2600 Subscription Dept., P.O. Box 752, Middle Island NY 11953-0752 Office: 516-751-2600 Fax: 516-751-2608 The issues of CUD, cDc, & Phrack electronic newsletters, and the LOD/H TJs, all of which can be found on the Internet and any good h/p oriented BBS. BBSes ===== Although most boards have a lifespan equivalent to that of a fruitfly, I finally have a list which is somewhat stable.. getting on them is your problem.. just be yourself and be willing to learn. - Unphamiliar Territories - Demon Roach Underground - Temple of the Screaming Electron - Burn This Flag - Dark Side of the Moon and Phrozen Realm if it returns.. References ========== All the material used in this publication is original unless specifically stated otherwise. However, i'd like to thank Phrack and the LOD/H for their textfiles which gave me a valuable push in the right direction.. And of course all the great h/p folks who have helped me along the way.. And finally =========== Thanks to the EFF, for their continued support of all of the world's rights in this technological era. Thanks to all the folks running the FreeNets who continue to support the right to free access to information in this world of cynicism. Thanks to cDc, for not selling out after all these years... Musical inspirations: Primus, Rage Against the Machine, Jimi Hendrix, Led Zeppelin, Dead Kennedys, White Zombie, the Beastie Boys, etc, etc. "Yes I know my enemies. They're the teachers who taught me to fight me. Compromise, conformity, assimilation, submission, ignorance, hypocrisy, brutality, the elite" - /Know Your Enemy/ (c) Rage Against the Machine - Deicide - deicide@west.darkside.com DISCLAIMER ========== This file was provided for informational purposes only. The author assumes no responsibilities for any individual's actions after reading this file. 1