HACKING 101: A Beginner's Guide to Hacking
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To start your exciting life as a hacker, learn or obtain the following:



Materials: Computer                         (duhhhhh)
           High Speed modem                 (hello?)
           A Phone Book                     (OPTIONAL but this often helps)
           A Good comm program              (I prefer Qmodem)
           A high level programming language (like C to write programs)
           A working brain                  (not always necessary)
           Several hacking programs         (OPTIONAL)
           Time                             (*MUST*)
           Patience                         (*MUST*)




        Hacking... I mean REAL hacking isn't as glamorous as many people
think it is, so for all of you who have just seen Sneakers or Hackers, go home.
It takes perseverance and determination. There are only a FEW occasions when a
hacker can access a system by pressing only a button or two.  It is mostly
understanding how a computer works and where its faults lie.





Chapter 1: FINDING A SYSTEM TO HACK

There are plenty of ways to find a system to hack. The majority of systems
that you'll find will belong to News Services, Financial Services, Business
Information Services, University facilities, Banks, Electronic Mail Services,
and Government computers. They aren't too hard to find if you're resourceful.


Phone Scanning

The easiest, but slowest, way to get a modem number is to scan a phone
exchange. It's simple: you pick a three-digit phone prefix in your area and
dial every number from 0000 --> 9999 in that prefix, making a note of all
the carriers you find.  There is software available to do this for nearly
every computer in the world, so you don't have to do it by hand. The easiest
so far would probably be ToneLoc by Minor Threat and Mucho Maas...


Networks 

The best place to begin hacking is on one of the bigger networks.  First,
there is a wide variety of computers to choose from, from small MicroVAXen
to huge Crays. Second, the networks are safer.  Because of the enormous
number of calls that are fielded every day by the big networks, it is not
financially practical to keep track of where every call and connection is
made from. It is very easy to disguise your location using the network, which
makes your hobby much more secure. However, it has happened that people have
been caught using networks to hack high-profile computers.

The most popular are the Internet, SprintNet, Tymnet, and Autonet; others
include ItaPAC, JANET, DATAPAC, SBDN, PandaNet, THEnet, and a whole host of
other networks, all of which you can connect to from your terminal. There are
even lame nets that can be fun to hack such as Delphi, AOL, GEnie, CompuServe,
NetCom, Prodigy (Lamer WHQ), and plenty of others.


Unresponsive Systems
                        
Occasionally you will connect to a system that will do nothing but sit there.
This is a frustrating feeling, but a methodical approach to the system will
yield a response if you take your time.  The following list will usually make
*something* happen.

1)  Change your parity, data length, and stop bits.  A system that won't
    respond at 8N1 may react at 7E1 or 8E2 or 7S2.  If you don't have a term
    program that will let you set parity to EVEN, ODD, SPACE, MARK, and NONE,
    with data length of 7 or 8, and 1 or 2 stop bits, go out and buy one.
    While having a good term program isn't absolutely necessary, it sure is
    helpful.
2)  Change baud rates.  Again, if your term program will let you choose odd
    baud rates such as 600 or 1100, you will occasionally be able to penetrate
    some very interesting systems, as most systems that depend on a strange
    baud rate seem to think that this is all the security they need...
3)  Send a series of <cr>'s.
4)  Send a hard break followed by a <cr>.
5)  Type a series of .'s (periods).  The Canadian network Datapac responds to
    this.
6)  If you're getting garbage, hit an 'i'.  Tymnet responds to this, as does a
    MultiLink II.
7)  Begin sending control characters, starting with ^A --> ^Z.
8)  Change terminal emulations.  What your vt100 emulation thinks is garbage
    may all of a sudden become crystal clear using ADM-5 emulation.  This also
    relates to how good your term program is.
9)  Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, LOGON, GO,
    JOIN, HELP, and anything else you can think of.
10) If it's a dialin, call the numbers around it and see if a company answers.
    If they do, try some social engineering.
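Step 1 of that list in practice, as an added example (this code is not part
of the original text).  When your terminal is set to 8N1 and the remote is
really running 7E1 or 7O1, the parity bit lands in bit 7 of every byte you
receive, which is exactly what fills the screen with "garbage".  The code
below models that capture with a constructed banner, guesses the remote's
framing from how bit 7 relates to the parity of the other seven bits, and
strips it to recover the text.  The capture model and the sample banner are
assumptions, not a real modem session; a baud-rate mismatch (step 2) produces
framing errors instead and cannot be repaired this way.

```python
# Guessing the remote's parity/data-length framing from bytes captured at 8N1.
# Added illustration for this page; the capture model and sample banner are
# constructed, not a real modem session.
from typing import Optional, Tuple


def parity_of_low7(b: int) -> int:
    """1 if the low seven bits of b contain an odd number of ones, else 0."""
    return bin(b & 0x7F).count("1") & 1


def as_received_at_8n1(text: str, remote_framing: str) -> bytes:
    """Model of what lands in an 8N1 receive buffer when the remote uses
    remote_framing.  7 data + 1 parity + 1 stop is the same ten bits on the
    wire as 8 data + 1 stop, so the parity bit simply shows up as bit 7."""
    out = bytearray()
    for ch in text.encode("ascii"):
        p = parity_of_low7(ch)
        bit7 = {"7E1": p, "7O1": 1 - p, "7M1": 1, "7S1": 0, "8N1": 0}[remote_framing]
        out.append(ch | (bit7 << 7))
    return bytes(out)


def guess_framing(raw: bytes) -> str:
    """Classify a capture by how bit 7 relates to the parity of bits 0-6."""
    if not raw:
        raise ValueError("need at least one byte")
    highs = [b >> 7 for b in raw]
    # 'No parity visible' cases first.  Caveat: a short sample whose
    # characters all happen to have an even number of one bits looks the
    # same under 7E1 and 8N1, so gather more bytes before re-tuning.
    if all(h == 0 for h in highs):
        return "8N1/7S1"            # plain 7-bit text, nothing to fix
    if all(h == 1 for h in highs):
        return "7M1"                # mark parity: bit 7 always set
    if all(h == parity_of_low7(b) for b, h in zip(raw, highs)):
        return "7E1"                # even parity: bit 7 makes the ones count even
    if all(h == 1 - parity_of_low7(b) for b, h in zip(raw, highs)):
        return "7O1"                # odd parity: bit 7 makes the ones count odd
    return "8-bit data or line noise"   # mixed: wrong baud, binary protocol, ...


def strip_parity(raw: bytes) -> str:
    """Recover the text once the framing is known to be 7-bit with parity."""
    return bytes(b & 0x7F for b in raw).decode("ascii")


def analyse(raw: bytes) -> Tuple[str, Optional[str]]:
    """Return (framing guess, readable text or None) for a capture."""
    guess = guess_framing(raw)
    if guess in ("7E1", "7O1", "7M1", "8N1/7S1"):
        return guess, strip_parity(raw)
    return guess, None


if __name__ == "__main__":
    banner = "\r\nUsername: "          # constructed sample, modelled on the VMS prompt
    capture = as_received_at_8n1(banner, "7E1")
    print(capture)                     # bytes with bit 7 set are the on-screen 'garbage'
    print(analyse(capture))            # ('7E1', '\r\nUsername: ')
```

Once guess_framing() says 7E1, set the terminal to 7E1 and the prompt reads
normally; if it says "8-bit data or line noise", the problem is elsewhere
(baud rate, or a remote that is not sending text at all).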




CHAPTER 2: HOW TO GET IN

Defaults:

Ok... The first thing that any hacker who doesn't have access to a system
should do is try the default (or preset) passwords programmed in at the
factory. If the sysop of the system is a total moron he/she/it will leave them
in there for you to use. You will not believe how many systems I've gotten into
because of this; however, times they are a-changing, so don't be too
disappointed if you do not get in. If you know what type of computer and/or
operating system you are up against, life becomes a lot easier.


VMS -      The VAX computer is made by Digital Equipment Corporation (DEC),
           and runs the VMS (Virtual Memory System) operating system. VMS is
           characterized by the 'Username:' prompt.  It will not tell you if
           you've entered a valid username or not, and will disconnect you
           after three bad login attempts.  It also keeps track of all failed
           login attempts and informs the owner of the account, next time
           he/she logs in, how many bad login attempts were made on the
           account. This is one of the systems most preferred by schools and
           big companies, and also one of the most secure. It is rough on the
           outside, but once INSIDE it can be very, very friendly! You may
           type help to your heart's content!

           Common Accounts/Defaults:  [username: password]

           When DEC sells a VAX/VMS, the system comes equipped with 4
           accounts which are:

DEFAULT : This serves as a template in creating user records in the
          UAF (User Authorization File). A new user record is assigned
          the values of the default record except where the system
          manager changes those values. The default record can be
          modified but can not be deleted from the UAF.....

SYSTEM : Provides a means for the system manager to log in with full
         privileges.  The SYSTEM record can be modified but cannot be
         deleted from the UAF.......

FIELD  : Permits DIGITAL field service personnel to check out a new
         system.  The FIELD record can be deleted once the system is
         installed.

SYSTEST: Provides an appropriate environment for running the User
         Environment Test Package (UETP). The SYSTEST record can be
         deleted once the system is installed.

Usually the SYSTEM MANAGER adds, deletes, and modifies these records,
which are in the UAF when the system arrives, thus eliminating the
default passwords, but this is not always the case.....
Some default passwords which have been used to get into a system are....

 USERNAME                   PASSWORD

 SYSTEM                     MANAGER or OPERATOR or SYSTEM or SYSLIB
 FIELD                      SERVICE or TEST or FIELD
 DEFAULT                    USER or DEFAULT
 SYSTEST                    UETP or SYSTEST

Other typical VMS accounts are :
VAX        :   VAX or unpassworded or ?
VMS        :   VMS or unpassworded or ?
DCL        :   DCL or unpassworded or ?
GENERAL    :   GENERAL or unpassworded or ?
TEST       :   TEST or unpassworded or ?
HELP       :   HELP or unpassworded or ?
GAMES      :   GAMES or unpassworded or ?
DECNET     :   DECNET or unpassworded or ?
OPERATOR   :   OPERATOR or unpassworded or ?
SYSMAINT   :   SYSMAINT or SERVICE or DIGITAL or ?
GUEST      :   GUEST or unpassworded or ?
DEMO       :   DEMO  or unpassworded or ?


UNIX -     There are dozens of different machines out there that run UNIX.
           While some might argue it isn't the best operating system in the
           world, it is certainly the most widely used.  A UNIX system will
           usually have a prompt like 'login:' in lower case.  UNIX also will
           give you unlimited shots at logging in (in most cases), and there
           is usually no log kept of bad attempts (though some later versions
           do syslog repeated failures on one line).  There are several
           different versions of UNIX out there, such as the AT&T (the
           original creators) version, the Berkeley version, and a few more.
           Some defaults and commands may be different.

           Common Accounts/Defaults:  (note that UNIX is case sensitive, so
           use lower case as a general rule.  Also, many times the accounts
           will be unpassworded, you'll just drop right in!)

           root      :       root
           admin     :       admin
           sysadmin  :       sysadmin or admin
           unix      :       unix
           uucp      :       uucp
           rje       :       rje
           guest     :       guest
           demo      :       demo
           daemon    :       daemon
           sysbin    :       sysbin




The Rest Of These Are Kinda Old and You Probably Won't Run Into Any Of 'Em!



DEC-10 -   An earlier line of DEC computer equipment, running the TOPS-10
           operating system.  These machines are recognized by their '.'
           prompt.  The DEC-10/20 series are remarkably hacker-friendly,
           allowing you to enter several important commands without ever
           logging into the system.  Accounts are in the format [xxx,yyy]
           where xxx and yyy are integers.  You can get a listing of the
           accounts and the process names of everyone on the system before
           logging in with the command .systat (for SYstem STATus).  If you
           see an account that reads [234,1001]   BOB JONES, it might be wise
           to try BOB or JONES or both for a password on this account.  To
           login, you type .login xxx,yyy  and then type the password when
           prompted for it.

           The system will allow you unlimited tries at an account, and does
           not keep records of bad login attempts.  It will also inform you if
           the UIC you're trying (UIC = User Identification Code, 1,2 for
           example) is bad.

           Common Accounts/Defaults:

           1,2        :        SYSLIB or OPERATOR or MANAGER
           2,7        :        MAINTAIN
           5,30       :        GAMES


Prime -    Prime Computer's mainframe running the Primos operating
           system.  They are easy to spot, as they greet you with 'Primecon
           18.23.05' or the like, depending on the version of the operating
           system you run into.  There will usually be no prompt offered; it
           will just look like it's sitting there.  At this point, type 'login
           <username>'.  If it is a pre-18.00.00 version of Primos, you can hit
           a bunch of ^C's for the password and you'll drop in.  Unfortunately,
           most people are running versions 19+.  Primos also comes with a good
           set of help files.  One of the most useful features of a Prime on
           Telenet is a facility called NETLINK.  Once you're inside, type
           NETLINK and follow the help files.  This allows you to connect to
           NUAs (Network User Addresses) all over the world using the 'nc'
           command.

           For example, to connect to NUA 026245890040004, you would type
           @nc :26245890040004 at the netlink prompt.

           Common Accounts/Defaults:

           PRIME       PRIME or PRIMOS
           PRIMOS_CS   PRIME or PRIMOS
           PRIMENET    PRIMENET
           SYSTEM      SYSTEM or PRIME
           NETLINK     NETLINK
           TEST        TEST
           GUEST       GUEST
           GUEST1      GUEST

HP-x000 -  This system is made by Hewlett-Packard.  It is characterized by the
           ':' prompt.  The HP has one of the more complicated login sequences
           around -- you type 'HELLO SESSION NAME,USERNAME,ACCOUNTNAME,GROUP'.
           Fortunately, some of these fields can be left blank in many cases.
           Since any and all of these fields can be passworded, this is not the
           easiest system to get into, except for the fact that there are
           usually some unpassworded accounts around.  In general, if the
           defaults don't work, you'll have to brute force it using the common
           password list (see below.)  The HP-x000 runs the MPE operating
           system; the prompt for it will be a ':', just like the logon prompt.

           Common Accounts/Defaults:

           MGR.TELESUP,PUB                      User: MGR Acct: HPONLY Grp: PUB
           MGR.HPOFFICE,PUB                     unpassworded
           MANAGER.ITF3000,PUB                  unpassworded
           FIELD.SUPPORT,PUB                    user: FLD,  others unpassworded
           MAIL.TELESUP,PUB                     user: MAIL, others unpassworded
           MGR.RJE                              unpassworded
           FIELD.HPPl89 ,HPPl87,HPPl89,HPPl96   unpassworded
           MGR.TELESUP,PUB,HPONLY,HP3           unpassworded

IRIS -     IRIS stands for Interactive Real Time Information System.  It
           originally ran on PDP-11's, but now runs on many other minis.  You
           can spot an IRIS by the 'Welcome to "IRIS" R9.1.4 Timesharing'
           banner, and the ACCOUNT ID? prompt.  IRIS allows unlimited tries at
           hacking in, and keeps no logs of bad attempts.  I don't know any
           default passwords, so just try the common ones from the password
           database below.

           Common Accounts:

           MANAGER
           BOSS
           SOFTWARE
           DEMO
           PDP8
           PDP11
           ACCOUNTING

VM/CMS -   The VM/CMS operating system runs on International Business Machines
           (IBM) mainframes.  When you connect to one of these, you will get a
           message similar to 'VM/370 ONLINE', and then it will give you a '.'
           prompt, just like TOPS-10 does.  To login, you type
           'LOGON <username>'.

           Common Accounts/Defaults are:

           AUTOLOG1:            AUTOLOG or AUTOLOG1
           CMS:                 CMS
           CMSBATCH:            CMS or CMSBATCH
           EREP:                EREP
           MAINT:               MAINT or MAINTAIN
           OPERATNS:            OPERATNS or OPERATOR
           OPERATOR:            OPERATOR
           RSCS:                RSCS
           SMART:               SMART
           SNA:                 SNA
           VMTEST:              VMTEST
           VMUTIL:              VMUTIL
           VTAM:                VTAM

NOS -      NOS stands for Networking Operating System, and runs on the Cyber
           computer made by Control Data Corporation.  NOS identifies itself
           quite readily, with a banner of 'WELCOME TO THE NOS SOFTWARE SYSTEM.
           COPYRIGHT CONTROL DATA 1978,1987.'  The first prompt you will get
           will be FAMILY:.  Just hit return here.  Then you'll get a USER
           NAME: prompt.  Usernames are typically seven alphanumeric characters
           long, and are *extremely* site dependent.  Operator accounts begin
           with a digit, such as 7ETPDOC.

           Common Accounts/Defaults:

           $SYSTEM              unknown
           SYSTEMV              unknown

Decserver- This is not truly a computer system, but is a network server that
           has many different machines available from it.  A Decserver will say
           'Enter Username>' when you first connect.  This can be anything, it
           doesn't matter, it's just an identifier.  Type 'c', as this is the
           least conspicuous thing to enter.  It will then present you with a
           'Local>' prompt.  From here, you type 'c <systemname>' to connect to
           a system.  To get a list of system names, type 'sh services' or 'sh
           nodes'.  If you have any problems, online help is available with the
           'help' command.  Be sure and look for services named 'MODEM' or
           'DIAL' or something similar, these are often outdial modems and can
           be useful!

GS/1 -     Another type of network server.  Unlike a Decserver, you can't
           predict what prompt a GS/1 gateway is going to give you.  The
           default prompt is 'GS/1>', but this is redefinable by the system
           administrator.  To test for a GS/1, do a 'sh d'.  If that prints out
           a large list of defaults (terminal speed, prompt, parity, etc...),
           you are on a GS/1.  You connect in the same manner as a Decserver,
           typing 'c <systemname>'.  To find out what systems are available, do
           a 'sh n' or a 'sh c'.  Another trick is to do a 'sh m', which will
           sometimes show you a list of macros for logging onto a system.  If
           there is a macro named VAX, for instance, type 'do VAX'.

           The above are the main system types in use today.  There are
           hundreds of minor variants on the above, but this should be enough
           to get you started.


Research:

Now if that doesn't work, try doing some research on the system, or the
operating system (if it's new or foreign), or the place that owns the computer,
or possibly anything else that you can think of. Information sources are
available almost anywhere.

Go to your local library or bookstore and look up a book that pertains to that
machine or operating system.

Try some social engineering: call the operator of the company and say that
you need information on that particular machine that they are using. Or call
an employee pretending to be the sysop and ask them for their password...
Make up some bullshit story and say you are changing all the passwords because
of a computer error and need the old one to verify that he is an actual user on
the system.... or something along those lines. You get the picture. If you
don't, go home and watch Ricki Lake!!!

Ask for help on your favorite pirate board....

You could go trashing and look for valuable pieces of information in the
dumpsters of the company of your choosing. Now remember (for all the Forrest
Gump wannabes): go at night, wear dark clothing, and carry some mace for the
occasional security guard, or dog, etc... AND don't bother sorting through
the trash there... Take it home, then examine it. When you're finished, put
the leftovers in your school's dumpsters or a dumpster of your choosing.

Raid the company mail boy, or find an employee and look through his/her mail
box for a week or two. Besides finding company newsletters you'll also
probably find a credit card or a Playboy.....


Ok, now for more specific methods.

The combination unlock

The lamest and worst method of hacking is the combination unlock method;
however, this method will always work (eventually). You have a name and need
a password, so you write a little program that (1) calls the computer, (2)
inputs the username, then (3) tries different passwords on that account name.
The passwords would look like this: AAAAAAAA, AAAAAAAB, AAAAAAAC, AAAAAAAD and
so on until you get the password. Sounds great, right??? NOT!!!! This method,
while effective, would take years to complete (at dial-up speeds, many
lifetimes), so it's not really worth it. Another problem is upper and lower
case letters, spaces, and characters other than letters, each of which
multiplies the number of passwords to try. You could always try a variation
of this method and try common user passwords first. But this is lame, so
forget about it.
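Here is the arithmetic behind "not really worth it", as an added example for
this page (none of this code is from the original text).  It generates
candidates in exactly the AAAAAAAA, AAAAAAAB, ... order described, tells you
how far into that sequence a given password sits, and works out how long
exhausting each alphabet would take.  The attempt rate (one login every three
seconds, a scripted modem login including the redial) is an assumption, not a
measurement; change it to see how even a fast offline guesser fares.

```python
# How big the "combination unlock" search really is.  Added example for this
# page; the attempt rate is an ASSUMED dial-up figure, not a measurement.
from itertools import product, islice
from string import ascii_uppercase, ascii_lowercase, digits, punctuation
from typing import Dict, Iterator

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct passwords of exactly `length` drawn from `alphabet`."""
    return len(alphabet) ** length


def counter_passwords(alphabet: str, length: int) -> Iterator[str]:
    """AAAAAAAA, AAAAAAAB, AAAAAAAC, ... in exactly the odometer order the
    text describes (rightmost position changes fastest)."""
    for combo in product(alphabet, repeat=length):
        yield "".join(combo)


def position(password: str, alphabet: str) -> int:
    """How many attempts the counter makes before reaching `password`
    (0 for the very first candidate, keyspace-1 for the last)."""
    n = 0
    for ch in password:
        n = n * len(alphabet) + alphabet.index(ch)
    return n


def years_to_exhaust(alphabet: str, length: int, attempts_per_second: float) -> float:
    """Worst case for the full sweep; on average the hit comes halfway."""
    return keyspace(alphabet, length) / attempts_per_second / SECONDS_PER_YEAR


def cost_table(length: int = 8, attempts_per_second: float = 1 / 3) -> Dict[str, float]:
    """Years to exhaust each alphabet the text worries about.  The default
    rate (one attempt every three seconds) is an assumption about a scripted
    modem login, including the redial the target forces on you."""
    alphabets = {
        "A-Z": ascii_uppercase,
        "A-Z a-z": ascii_uppercase + ascii_lowercase,
        "A-Z a-z 0-9": ascii_uppercase + ascii_lowercase + digits,
        "A-Z a-z 0-9 punct": ascii_uppercase + ascii_lowercase + digits + punctuation,
    }
    return {name: years_to_exhaust(a, length, attempts_per_second)
            for name, a in alphabets.items()}


if __name__ == "__main__":
    print(list(islice(counter_passwords(ascii_uppercase, 8), 4)))
    for name, years in cost_table().items():
        print(f"{name:20s} {years:>22,.0f} years")
    # Even a guesser doing 1000 attempts/second locally needs over six years
    # for eight upper-case letters alone.
    print(years_to_exhaust(ascii_uppercase, 8, 1000))
```

This is why every serious guessing tool runs a list of common passwords
(and per-user guesses like the BOB/JONES trick in the DEC-10 section) before
it ever touches a counter like this one.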


The Decoy

The decoy is a program that, if put in the right place, can be very helpful.
It looks just like the login screen when used, but it is programmed to
save the user's USERNAME and PASSWORD, tell the user he put in the wrong
password and to try again, then let him log in to the normal system.
A safe way to do this is to call the operator and request call forwarding
of the target number to your home number. When users call, you will get
their USERNAME and PASSWORD and there's nothing that they can do about it.


Trapdoors

They are hard to find. A trap door is the equivalent of a secret door behind
a bookshelf. Programmers put them in to access the system more easily. I don't
know of any, however I have heard that they do exist.


Program Loopholes

Probably the most frequent and useful thing in the world to a hacker. A
big loophole: the F.B.I. wrote an "unbreakable" operating system, no loop
holes, no trap doors, no defaults, no nuttin'; however, once you got to the
password prompt all you had to do was press CTRL-C and the program would
break, dropping you into DOS. You just have to look for them, they are there:
like Renegade, where by using the archiving menu you can get a copy of the
user list, or the GNU Emacs hole that let you place any file you want anywhere
you want.
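The CTRL-C hole above is a fail-open bug: the login program had no plan for an
exit it did not expect, so "no answer" got treated as "yes".  The toy below is
an added example for this page (the original describes no code): it models
that startup sequence with a scripted keyboard where a KeyboardInterrupt
object in the script plays the part of CTRL-C, and shows the vulnerable
version beside one that treats anything except an explicit success as a
denial.  The password, the keystroke scripts and the "C:\>" shell string are
all constructed.

```python
# Fail-open vs fail-closed at a password prompt.  Added example for this page;
# the password, keystroke scripts and shell string are all constructed.
from typing import Callable, Iterable, Union

PASSWORD = "letmein"                      # constructed
Keystroke = Union[str, BaseException]


def scripted_keyboard(script: Iterable[Keystroke]) -> Callable[[], str]:
    """Build a prompt() that replays `script`.  An exception object in the
    script is raised from the prompt, which is what CTRL-C looks like to the
    program: KeyboardInterrupt arriving in the middle of input()."""
    it = iter(script)

    def prompt() -> str:
        item = next(it, None)
        if item is None:
            raise EOFError            # script exhausted: treat like end of input
        if isinstance(item, BaseException):
            raise item
        return item
    return prompt


def ask_once(prompt: Callable[[], str]) -> bool:
    return prompt() == PASSWORD


def vulnerable_startup(prompt: Callable[[], str]) -> str:
    """The hole the text describes.  The gate loops until the password is
    right, but nothing in it handles an interrupt, so CTRL-C unwinds straight
    out of the loop.  The startup script treats 'the gate finished' as
    'the gate passed' and hands out the command prompt."""
    try:
        while not ask_once(prompt):
            pass
    except KeyboardInterrupt:
        pass            # program "broke"; startup just carried on...
    return "C:\\>"      # ...to the shell.  Fail-open.


def hardened_startup(prompt: Callable[[], str], max_attempts: int = 3) -> str:
    """Only an explicit True from the gate opens the shell.  An interrupt,
    EOF or any other surprise counts as a failed attempt, and attempts are
    bounded so the gate cannot be worn down or wedged open."""
    for _ in range(max_attempts):
        try:
            if ask_once(prompt):
                return "C:\\>"
        except (KeyboardInterrupt, EOFError):
            continue    # not an authentication result; re-prompt
    return "ACCESS DENIED"


if __name__ == "__main__":
    print(vulnerable_startup(scripted_keyboard([KeyboardInterrupt()])))    # C:\>
    print(hardened_startup(scripted_keyboard([KeyboardInterrupt()] * 3)))  # ACCESS DENIED
```

The same shape shows up wherever a check can exit without producing a verdict:
a signal, a timeout, an exception from the directory server.  The hardened
version's rule is the one to copy: the default outcome is denial, and only the
success branch opens the door.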


CHAPTER 3: WHAT TO DO ONCE INSIDE

Ok... "FORREST GUMP", you finally got in, now what?!?!?! Go home and watch
an X-rated mpeg??? NO!!! You will need better access to do what you need.
Right! I won't go into much detail as these are meant to be modified, changed,
and combined.


The Trojan Horse

Just like the great horse at Troy. This looks like an ordinary program,
except that it will look very tempting to the users or sysops. They will
want to run this program, and if a sysop runs it, it will have all the
access that the sysop has!!! Therefore you could make it give you his/her
USERNAME and PASSWORD, or make it create or add to an account so that it
would have superuser access. The possibilities are endless!


Cuckoo's Egg

The Cuckoo's egg is the same thing as a trojan except for the fact that no one
has to run it; the computer itself will run it. For example, on UNIX, if you
replace ATRUN (the program that runs queued AT jobs) with your egg, the
computer will automatically run the program, giving you full sysop access.


Logic Bombs

It is believed that these exist in programs to avoid pirating of software. By
sending certain CTRL- characters you could destroy a whole program. I don't
know of any yet. But imagine if you could create one for yourself???


You can use any number of these to get superuser access. Using a high level
programming language you can make any of these programs without difficulty;
however, to become a real hacker, make up some of your own methods of obtaining
access to a system, then come back and teach me!!!





VIRUS

A computer program that can infect other computer programs by modifying them
in such a way as to include a (possibly evolved) copy of itself. Viruses are
also fun to play with. Not necessarily for hacking purposes, but on occasion
they can be used.

To date there are 2500 known viruses.  This is an estimate.  In all
actuality there are 2300-3000 viruses, depending on how you count them.
When placed in families there are over 800 known families of viruses.  As
you can probably guess too, with new viruses being created and old ones
being modified, that number is going up very rapidly.  Some estimate that
there will be around 20,000 viruses or so by the year 2000.  Although
this is just an opinion, in all actuality it may very well be reached.


Virus Types:
------------

Viruses infect in two different ways.  We have either FILE INFECTORS
or SYSTEM (BOOT-RECORD) INFECTORS.

File infectors attach themselves to ordinary program files.  These
usually infect other .COM and/or .EXE files.  Some have been known,
though, to infect .SYS, .OVL, and other types of executable files.

Breaking it down even further, there are two types of file infectors,
NON-RESIDENT and MEMORY RESIDENT viruses.  A non-resident virus selects
one or more programs to infect at the time of execution, while a memory
resident virus hides somewhere in memory.  The first time a memory resident
virus infected program is executed it hides in memory; after that it
begins to infect other programs when they are executed, or whenever else
the virus is programmed to do so.  Most of the viruses written today are
memory resident.

SYSTEM or BOOT-RECORD INFECTORS are memory resident and infect certain
system areas on a disk which are not ordinary files.  Boot-sector viruses
infect only the DOS boot sector, and MBR viruses infect the Master Boot
Record on fixed disks and the DOS boot sector on diskettes.  Some examples
of this type of infector are the Brain, Stoned, and Michelangelo viruses.

Some viruses do special 'tricks' in order to hide themselves from
virus scanners.  Three of the most common types of such viruses are the
stealth, self-encrypting, and the even more powerful polymorphic virus.

A STEALTH virus is a memory resident virus which hides by monitoring the
system functions that read files or physical blocks, and makes the results
look like the original uninfected form of the file instead of the actual
infected form.  This makes the virus go undetected by anti-virus scanners
that read through those same system functions while the virus is in memory.
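The hook just described, and the check that defeats it, as an added example
for this page (there is no code in the original).  Everything is simulated in
memory: a constructed two-file "disk", an infection that appends a marker to a
file, a read path the resident virus has hooked to hand back the clean bytes,
and a raw read path (direct sector reads, or a scan after booting from a
clean floppy).  A scanner that reads through the hook sees nothing; comparing
the two views, or comparing against checksums taken while the disk was known
clean, does.

```python
# Stealth hiding versus cross-view detection.  Added example for this page;
# the disk contents and virus marker are constructed.
import hashlib
from typing import Callable, Dict, List

CLEAN_FILES: Dict[str, bytes] = {                       # constructed
    "COMMAND.COM": b"MZ\x90\x00 command interpreter",
    "EDIT.COM": b"MZ\x90\x00 text editor",
}
VIRUS_BODY = b"<virus body: infect next .COM>"           # constructed stand-in
SIGNATURE = b"infect next .COM"


class Disk:
    """Two views of the same media: what is really stored, and what the
    virus's hooked read routine reports while it is resident."""

    def __init__(self, files: Dict[str, bytes]):
        self.stored = dict(files)
        self.hidden: Dict[str, bytes] = {}          # infected name -> original bytes

    def infect(self, name: str) -> None:
        self.hidden[name] = self.stored[name]
        self.stored[name] = self.stored[name] + VIRUS_BODY

    def hooked_read(self, name: str) -> bytes:
        """The DOS file read after the virus patched it: infected files come
        back in their original form, so sizes and contents look untouched."""
        return self.hidden.get(name, self.stored[name])

    def raw_read(self, name: str) -> bytes:
        """Reading the sectors directly, or after booting from a clean disk."""
        return self.stored[name]


def signature_scan(disk: Disk, read: Callable[[str], bytes]) -> List[str]:
    """A scanner is only as good as the read path it uses."""
    return [n for n in disk.stored if SIGNATURE in read(n)]


def cross_view_check(disk: Disk) -> List[str]:
    """Files whose hooked view and raw view disagree: something is lying."""
    return [n for n in disk.stored
            if hashlib.sha256(disk.hooked_read(n)).digest()
            != hashlib.sha256(disk.raw_read(n)).digest()]


def baseline(disk: Disk) -> Dict[str, str]:
    """Checksums taken while the system is known clean."""
    return {n: hashlib.sha256(disk.raw_read(n)).hexdigest() for n in disk.stored}


def integrity_check(disk: Disk, known_good: Dict[str, str]) -> List[str]:
    """Files whose current raw checksum differs from the clean baseline."""
    return [n for n, h in baseline(disk).items() if known_good.get(n) != h]


if __name__ == "__main__":
    d = Disk(CLEAN_FILES)
    good = baseline(d)
    d.infect("COMMAND.COM")
    print(signature_scan(d, d.hooked_read))    # []  -- the stealth hook wins
    print(signature_scan(d, d.raw_read))       # ['COMMAND.COM']
    print(cross_view_check(d))                 # ['COMMAND.COM']
    print(integrity_check(d, good))            # ['COMMAND.COM']
```

The practical consequence is the old advice to scan from a write-protected
clean boot disk: the hook only exists while the virus is resident, so a raw
view taken without it loaded is the ground truth.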

A SELF-ENCRYPTING virus is one which encrypts itself using a key.
When the virus executes, a small decryptor uses this key to decrypt the
body, which then performs the task it was written to do.  When completed,
the virus uses this key to 'lock' itself with encryption again.

A POLYMORPHIC virus is a virus which produces varying copies of itself.
This makes it hard for virus scanners to detect, because usually a scanner
will not be able to detect all instances of the virus.  One method a
polymorphic virus uses is to choose from a variety of different encryption
schemes, each one requiring a different decryption routine.  A signature-driven
virus scanner would have to use several signatures, one for each encryption
method.  Another type of polymorphic virus will vary the sequence of
instructions by inserting unnecessary instructions like a No Operation
instruction.  A signature-based virus scanner would not be able to reliably
identify this sort of virus.
        The most sophisticated form of polymorphism discovered so far is the
MtE "Mutation Engine" written by the Bulgarian virus writer Dark Avenger.
It comes in the form of an object module; when linked into any virus, with
a call to the engine added to the virus code, the result is a polymorphic
virus.
        Polymorphic viruses have made virus scanning more difficult than ever.
Plain signature strings will not pick up these viruses; scanners have to use
more complex algorithms (such as emulating the decryptor and scanning the
decrypted body) to detect them.
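Both of the last two ideas, self-encryption and NOP-padded polymorphism,
side by side, as an added example for this page (not code from the original,
and not a virus: the "body" is an inert byte string and the decryptor is a
three-opcode toy instruction set, both constructed).  It shows why a plain
body signature fails against either, why a wildcard signature on the fixed
decryptor still catches the self-encrypting copies but not the polymorphic
ones, and what the "more complex algorithm" looks like: step through the
decryptor like a tiny emulator and scan the plaintext it produces.

```python
# Self-encrypting and polymorphic copies versus a signature scanner.
# Added example for this page.  The "virus" is an inert byte string and the
# decryptor is a three-opcode toy instruction set, both constructed.
import random
from typing import Callable, List

BODY = b"VIRUS BODY: infect next .COM file, then run host"   # constructed
BODY_SIGNATURE = b"infect next .COM"                           # what a scanner would carry

# Toy decryptor-stub instruction set (constructed, not x86):
NOP, LOAD_KEY, DECRYPT_REST = 0x90, 0xB1, 0xC3


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def self_encrypting_copy(rng: random.Random) -> bytes:
    """Fixed stub, fresh key each generation: the body changes every time,
    the three-byte decryptor does not."""
    key = rng.randrange(1, 256)                     # 0 would leave the body in clear
    return bytes([LOAD_KEY, key, DECRYPT_REST]) + xor(BODY, key)


def polymorphic_copy(rng: random.Random) -> bytes:
    """Same decryptor, but padded with a random number of NOPs before each
    real instruction, so even the stub has no fixed byte pattern."""
    key = rng.randrange(1, 256)
    stub = bytearray()
    for instr in (bytes([LOAD_KEY, key]), bytes([DECRYPT_REST])):
        stub += bytes([NOP]) * rng.randint(1, 4)
        stub += instr
    return bytes(stub) + xor(BODY, key)


def signature_scan(sample: bytes) -> bool:
    """Plain string search for the body."""
    return BODY_SIGNATURE in sample


def stub_signature_scan(sample: bytes) -> bool:
    """Wildcard pattern for the fixed decryptor: B1 ?? C3 at offset 0."""
    return len(sample) >= 3 and sample[0] == LOAD_KEY and sample[2] == DECRYPT_REST


def emulate_and_scan(sample: bytes) -> bool:
    """Walk the stub like a tiny CPU emulator until it 'decrypts', then scan
    the plaintext.  This is the class of technique needed once encryption
    and instruction padding defeat static signatures."""
    i, key = 0, None
    while i < len(sample):
        op = sample[i]
        if op == NOP:
            i += 1
        elif op == LOAD_KEY and i + 1 < len(sample):
            key, i = sample[i + 1], i + 2
        elif op == DECRYPT_REST:
            return key is not None and BODY_SIGNATURE in xor(sample[i + 1:], key)
        else:
            return False                           # not our stub; give up
    return False


def generations(make_copy: Callable[[random.Random], bytes], n: int, seed: int = 7) -> List[bytes]:
    """n successive copies from a seeded generator, for repeatable runs."""
    rng = random.Random(seed)
    return [make_copy(rng) for _ in range(n)]


if __name__ == "__main__":
    for name, maker in (("self-encrypting", self_encrypting_copy), ("polymorphic", polymorphic_copy)):
        copies = generations(maker, 3)
        print(name, "body sig:", [signature_scan(c) for c in copies],
              "stub sig:", [stub_signature_scan(c) for c in copies],
              "emulated:", [emulate_and_scan(c) for c in copies])
```

The emulator here understands exactly one stub; a real engine like MtE emits
many instruction forms, which is why production scanners ended up running the
suspect code in a sandboxed emulator rather than pattern-matching the
decryptor at all.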

Some viruses use special tricks to make the tracing, disassembling,
and virus detection more difficult.  Probably the first method of
making an old virus sneak by virus scanners was by PKLITEing it.
This worked for a while until researchers picked up on this little
trick.  Then people moved on to LZEXE and DIET compressing files, but soon
these tricks were picked up on too.  One that is still able to slide by
scanners is to PGMPAK a file.  As of this date, no scanner I have come across
has been able to pick this one up.

Finally, you have to actually hack.  You can hang out on boards all you
want, and you can read all the text files in the world, but until you
actually start doing it, you'll never know what it's all about.  There's
no thrill quite the same as getting into your first system (well, ok, I
can think of a couple of bigger thrills, but you get the picture).





                                          - /cd



Thanx to: The Mentor, Max Headroom, Cliff Stoll, The Cracker, Bladerunner
          Hugo Cornwall
