Well, it's time for yet another installment in Virginia Tech hacking. Yes, it's.... VTHACK #3!!!! Brought to you by the Mad Hermit and crew. This time, we're going to focus on the OTHER big network on campus: LocalNet. LocalNet (L-Net) has been around for a much longer period of time, and as such has quite a few more caves and back alleys to explore. Its main purpose is to connect the faculty and grad students directly to mainframes, and thus much of what is found when poking around are login prompts. An aggrivating factor that has been added to this is the inclusion of "Port Servers" (PS's). You know when you've hit a PS when L-Net tells you you've connected, but no key that you press has any effect. The purpose of a PS is to act as a deterrent to hackers. It also might have the additional function of baud rate detection, but though it sounds logical, we haven't found out for sure. We must admit that it does protect. The best way to keep system crashers away is not to tell them what they've found through simple redialing. This is a lot like keeping party crashers away by saying that there's a party going on at a certain place, but not telling them who's invited or who's giving the bash. Effective for the dim-witted, impatient, and amateur party crashers, but not for others. PS's sit and stare out at you until you start sending it characters. If the first few aren't the specific ones it's looking for, it will continue to gobble up everything else until you give up and hang up. Typical PS "codes" are easy-to-remember sequences like 'ZZ' or 'ASDF', and they then pass you on to the main login prompt. These "codes" aren't like passwords, since the added access they give you isn't worth beans unless you've got a line on where to go from the login prompt. However, we here feel that information like that is in fact "restricted" in that you are gaining unauthorized additional access to systems. As such, we've decided to leave the fun of figuring them out to those interested in such weekend diversiions. Before we give you what you're probably waiting for: neato numbers to call on L-Net, we'd like to explain stuff. First, this isn't a complete list, nor could it really be. L-Net addresses are in Hexidecimal and range from 0000 to FFFF. That's 65536 different possibilities. We only went through ten thousand of these, and are only listing those that got any response. Second, L-Net addresses may connect to any number of ports, but we haven't seen any more than 4 or 5. Thus, the total possible connections assuming an average of 2 ports per connection and an average of about 15 connections per thousand addresses comes to just under 2000. Assuming this is correct (very doubtful), finding where these are is quite a task. Third, and on the positive side, some connections open up large worlds of access. These unpassworded gateways are known as servers, and typically are DECservers. The biggest and most notorious is listed at 0358 and can handle a max of 128 users. You can use these servers to connect to multiple computers at once, and have extensive help files telling you what to do. Fourth, and also on the plus side, L-Net doesn't kick you off. Ever. Multiple redialing is the name of the game, and listed below is a Red Ryder script that works under version 9.4 that dials consecutive integers at a rate of about 40 a minute. Fifth and finally, bum connections don't just leave you in the cold. Hitting CONTROL-A twice pops you immediately into local mode, where a STATUS tells you where you are connected, and a "DONE X" will disconnect you from session number X. Calling, by the way, is done by typing "CALL XXXX[,P]" where XXXX is the hex address, and P is the optional port number, which is seperated by a comma. Red Ryder 9.4 Local-Net Scanner Script. COPYINTO ~8,ENTER NUMBER TO START AT (GET1) QUERY1 ~1 EMPTY ~1 IF YES JUMPTO (GET1) LET EQUAL `1,~1 LET EQUAL `3,`1 COPYINTO ~8,ENTER LENGTH OF SEARCH (GET2) QUERY1 ~2 EMPTY ~2 IF YES JUMPTO (GET2) LET EQUAL `2,~2 ADD `3,`2 COPYINTO ~3,`3 SUBTRACT `1,1 (NEXT) ADD `1,1 TEST `1=~3 IF YES JUMPTO (QUIT) TYPE Call TYPE `1 TYPE ^M ALERT1 UNIT/JUMPTO (NEXT) ALERT2 BUSY/JUMPTO (NEXT) PANICAFTER 10 PROMPT CONNECTED PAUSE BELL BELL BELL BELL JUMPTO (QUIT) (QUIT) END And here's what our illustrious, untiring crew have discovered: Node Port# What ---- ----- ---- 0008 1 0074 0,1 VTME (Mechanical Engineering) 0116 0,1 0124 0,1 0126 0,1 000A 1 000B 0,1 000C 0,1 000E 0,1 00FF 0,1 0170 0,1 0175 0,1 Popeye (Computer Science) 0350 0 VTCC1 0351 0,1 " " 0352 0,1 " " 0354 0,1 " " 0355 1 " " 0356 0,1 " " 0357 0,1 " " 0358 0,1 DECServer 500 0359 0,1 DECServer 500 (same as above, different port bank) 0400 0,1 VTME (again) 0401 0,1 " " " 0402 0,1 " " " 0403 0,1 0404 0,1 VTME (yet again) 0405 0 " " " " 0450 0,1 DECServers (see note 3) 0451 0,1 " " " 0452 0,1 " " " 0453 0,1 " " " 0454 0,1 " " " 0455 0,1 " " " 0536 0,1 600-601 "Remote Ports Busy" 603-607 "Remote Ports Busy" 1010 0,1 1100-1103 "Remote Ports Busy" 1300 0 VTVM1 5100 1 VTVM1 5300 0,1 5500-5503 "Remote Ports Busy" 5510 0,1 5512 0,1 5514 0,1 5516 0,1 5518 1 5530 0,1 5534 0,1 5536 0,1 5548 0,1 5548 0,1 5550 0,1 5552 0,1 5554 0 6000 1 6002 0 Node[20] (see note 1) 6003 0,1 6100-6103 "Remote Ports Busy" 6200 1 Node[2] (see note 2) 6230-6231 "Remote Ports Busy" 6300 0,1 6301 0,1 6302 0,1 Node[2] (see note 2) 6303 0 6410 1 6414 0 6419 1 6420 1 6428 0,1 6429 1 6433 0 6437 1 643A 1 643B 0 6502 0 VTVMS 6503 0 " " 6504 0 " " 6505 0 " " 6506 0 " " 6507 0 " " 6508 0 " " 6509 0 " " 8001 1 8002 0 8003 0 8004 0,1 8005 0 8006 1 8007 1 8008 0 8009 0 8080 0,1 9000-9016 "Remote Ports Busy" 9018-9019 "Remote Ports Busy" 9302 0 9300 0,1,2,3,4 Notes: ------ 1) Node[20], popularly known as the Node Router, went out of services shortly after VTHacker #2 was distributed. Apologies are NOT extended to those who assumed that the list in VTHack2 was gospel. Things change all the time, and those things that are especially good tend to go away. Apparently, number 40062 was used by CNS's chief diagnostician as a way to test the VA Council of Higher Education's access to the Net and L-Net. Poking around there was terminated, but our scan of L-Net turned up another way in... 2) If you wondered why the Node Router was labelled "20" (really, what happened to the other 19?), then this might clear things up. The following connections were observed: Node What ---- ---- 0 Passworded 1 L-Net 3 the Net 5 Passworded 6 Passworded 9 Dead End 10 Dead End 12 L-Net 20 Restricted (*) *) This did connect you to a really screwed up L-Net port, which continually spewed out garbage and error messages, but we think our poking around in it got it shut off, due to the incredible quickness with which it was restricted (we were still on-line!) 3) Ah, what a joy it is to explore, and find a pristine cavern laden with sweet delight, and a menu to boot! Well, what I'm talking about is BAMBI and THUMPR, two side-by-side DECServers. Calling the listed numbers with port 0 gets you BAMBI, and using port 1 gets you THUMPR. In our experience, nobody has ever been dumped for staying on too long, and though the computers you can connect to aren't all that interesting (all Mechanical Engineering) the services and privileges allowed to ordinary users is about as generous as possible. The listings that follow are vebatim text sent by the servers, and we think that you'll be able to figure out what's going on. DECserver 200 Terminal Server V2.0 (BL29) - LAT V5.1 AMDF Network - Server BAMBI Please type HELP if you need assistance Enter username> Jack Meoff Local> show nodes all Node Name Status Identification BAMBI Reachable AMDF Network - Server BAMBI BERT Reachable AMDF VAXstation I (VMS 4.2) ERNIE Reachable AMDF VAXstation I (VMS 4.2) POOH Reachable AMDF MicroVAX II (VMS 4.6) SPOCK Reachable ZONIC Lab VAXstation 2000 (VMS 4.6) SULU Unreachable AMDF Cluster VAXstation 2000 (Color) THUMPR Reachable AMDF Network - Server THUMPR UHURA Unreachable AMDF Cluster VAXstation 2000 (B & W) VTME Reachable ME VAX 11/780 (VMS 4.4) VTMEX Reachable AMDF Cluster VAXserver 3600 (VMS 4.7) Local> show ports all Port Access Status Services Offered 1 Dynamic Idle �� 2 Dynamic Idle �� 3 Dynamic Local mode �� 4 Dynamic Idle �� 5 Dynamic Idle �� 6 Dynamic Idle �� 7 Dynamic Idle VTLAN�� 8 Dynamic Idle VTLAN� Local> help HELP The online HELP facility allows you to access reference and tutorial information about the DECserver 200. Choose one of the following options: o Enter TUTORIAL to see a succession of HELP frames with "getting started" information on basic DECserver functions (for beginners) � o Enter HELP for full information on how to use the HELP facility o Choose a HELP topic from the following list: � BACKWARDS FORWARDS RESUME BROADCAST HELP SET CONNECT LIST SHOW DEFINE LOCK TEST DISCONNECT LOGOUT Topic? list LIST Use the LIST command to display information from the permanent database. � LIST option � The option value is a topic about which you need information. � Additional HELP is available for the LIST options: � PORTS SERVER SERVICES LIST Subtopic? server SHOW/LIST SERVER Use the SHOW SERVER command to display information about the current operational state of the server. Use LIST SERVER to show values for the permanent server characteristics. � Command formats: � SHOW SERVER [CHARACTERISTICS] [COUNTERS ] [STATUS ] [SUMMARY ] � LIST SERVER [CHARACTERISTICS] [SUMMARY ] � The default option for SHOW/LIST SERVER is CHARACTERISTICS. Additional help available for: CHARACTERISTICS COUNTERS STATUS SUMMARY SHOW/LIST SERVER Subtopic? LIST Subtopic? Topic? show SHOW Use SHOW commands to display current status or information from the server's operational database. � SHOW option � The option value is the topic about which you need information. Additional HELP is available for the SHOW options: � NODES PORTS QUEUE SERVER SERVICES SESSIONS USERS SHOW Subtopic? Topic? Local> show server � DECserver 200 V2.0 BL29 LAT V5.1 ROM BL20 Uptime: 6 08:14:20 Address: 08-00-2B-0B-C4-EA Name: BAMBI Number: 0 Identification: AMDF Network - Server BAMBI Circuit Timer: 80 Password Limit: 3 Console Port: 1 Queue Limit: 24 Inactivity Timer: 30 Retransmit Limit: 8 Keepalive Timer: 20 Session Limit: 64 Multicast Timer: 30 Software: PR0801ENG Node Limit: 100 Service Groups: 0� Enabled Characteristics: Announcements, Broadcast, Dump� Local> help Topic? tutorial TUTORIAL HELP LOGGING INTO THE DECSERVER To login to the DECserver you may be required by your server manager to enter a login password. If you are not required to do so, go on to the next screen. If you are, here are the steps to take to log in. � 1 Press <RETURN> twice; a number sign (#) appears along with an audible "beep". � 2 Enter the login password. (You get the password from your server manager.) For example, to log in with the password A1B2C3... � <RETURN> <RETURN> enter <RETURN> twice � # A1B2C3 type the password (which is not echoed) � 3 If you make a mistake, the prompt reappears (and the "beep") to let you try again. You have several chances to enter the correct password. � 4 If you use a dial-in modem, you have 60 seconds to respond to the # prompt with the correct password. If you don't, the server disconnects your modem. If you do not need to enter a login password, press <RETURN> twice to log into your DECserver. � When you log in, an introductory line of text appears... � DECserver 200 Terminal Server V1.0 (BL20) - LAT V5.1 � If your port does not have a permanent username defined, enter your name (1 to 16 keyboard characters) after the following text appears... � Please type HELP if you need assistance � Enter username> � The Local> prompt appears after you type your username. � If your port does have a permanent username, here's what you see... � Please type HELP if you need assistance � Local> � USING ONLINE HELP Online help is documentation about DECserver commands that is stored in server memory. You can see this documentation interactively on your terminal while you are using the DECserver. The HELP command gives you access to online help. You can use it in two ways: � You can type HELP at the Local> prompt... � Local> HELP � This generates a succession of HELP "frames", "menus", and prompts. Frames are made up of the information that can fit on one or more terminal screens. Menus are lists of topics you can choose from. � Alternatively, you can specify topics and subtopics when you enter the HELP command. For example... � Local> HELP SET PORT � This command produces online documentation that describes the SET PORT command. � SOME DEFINITIONS The primary function of the DECserver is to allow you to connect to "services" offered on your network. A service can be a computer system that you can use just as though your terminal were attached directly to the system, or it can be a function offered by such a system. In addition, services can be set-up to allow access to printers, dial-out modems, personal computers and terminal switches. To connect to a service, you only need to know the service name. A "service node" is a computer system or server that offers services. A "session" is a connection to a service. You can have one or more simultaneous sessions with one service, or more than one service. The connection you are using at any one time is called your "current session". Your other sessions are inactive, but can be resumed by using server commands or session switches. � "Service mode" is your environment when you interact with a service. For example, if the service is a computer system, your environment is the same as a terminal directly wired to the system. You can all use the system's commands and resources. � "Local mode" is your environment when you interact with the DECserver using commands entered at the Local> prompt. � CONNECTING TO A SERVICE Use the local mode SHOW SERVICES command to display a list of services you can use. � Local> SHOW SERVICES � To connect to a service (establish a session with the service) enter the DECserver CONNECT command with the name of the service you want. For example, for a service called SALES, enter the following command: � Local> CONNECT SALES � This command places you in service mode in an active session with the service SALES. RETURNING TO LOCAL MODE FROM A SERVICE SESSION To return to local mode without ending your session, press <BREAK> or press your local switch character. Both these characters are, in effect, DECserver commands that instruct the server to go back to local mode. � The <BREAK> character must be set up to permit this (by default it is), and the local switch character must be defined (by default it is not). � Use the HELP command for more details on setting up the <BREAK> character and local switch character. � NOTE � Some modems interprets the <BREAK> character as a command to end your dial-in connection. If you are using one of these modems, do not use <BREAK> to return to local mode. Your session, now inactive, is still your current session because it is the session your were using most recently. RESUMING YOUR SERVICE SESSION FROM LOCAL MODE To resume your current session (and service mode) while your are in local mode, enter the DECserver RESUME command. � Local> RESUME You go back to where you left off when before returning to local mode. DISCONNECTING FROM A SERVICE To end your current session while in service mode, use the command that terminates whatever process you are using. For example, you can terminate a session on a VAX/VMS system by typing the VMS LOGOUT command. Refer to the documentation for the service node that offers the service. To end your current session while in local mode, enter the DECserver DISCONNECT command. � Local> DISCONNECT You cannot resume a service session after you end the connection with DISCONNECT. CONNECTING TO A SECOND SERVICE The DECserver allows you to have several sessions at one time, to the same or to different services. To connect to a second (or subsequent) service, simply enter another CONNECT command from local mode, specifying the name of the service. For example, to connect to the service PRODUCTION, enter the following command: � Local> CONNECT PRODUCTION To resume one of your non-current sessions, use the FORWARDS command to switch to your next session, or the BACKWARDS command to switch to your previous session. Alternatively, you can use the RESUME command and specify the session number. You can find this number from the SHOW SESSIONS display: � Local> RESUME SESSION 2 � To disconnect a particular session, use the DISCONNECT command and specify the session number. For example: Local> DISCONNECT SESSION 1 � LOGGING OUT OF THE DECSERVER To logout from the DECserver, enter the DECserver LOGOUT command (in local mode). Local> LOGOUT LOGOUT disconnects all sessions. A DECserver message appears verifying the logout. The next batch of stuff comes from DECServer 500: Local> show users Port Username Status Service 5 LC-1-5 Connected VTCC1 6 LC-1-6 Connected VTCC1 7 LC-1-7 Connected VTCC1 8 LC-1-8 Connected VTCC1 34 LC-3-2 Connected VTCC1 53 LC-4-5 Local Mode 67 LC-5-3 Connected VTCC1 Local> show devices all Device Device Port Device CSR Vector Total Slot Name Type List Status Address Address Errors 1 CONSOLE DL 0 Running 177560 60 1 2 NETWORK DEQNA Running 174440 120 37 3 LC-1 CXY08 1-8 Running 160440 310 2 4 LC-2 CXY08 17-24 Running 160460 320 0 5 LC-3 CXY08 33-40 Running 160500 330 1 6 LC-4 CXY08 49-56 Running 160520 340 0 7 LC-5 CXY08 65-72 Running 160540 350 0 8 LC-6 CXY08 81-88 Running 160560 360 0 9 LC-7 CXY08 97-104 Running 160600 370 5085 10 LC-8 CXY08 113-120Running 160620 400 15 Local> show server DECserver 500 V1.0 LAT V5.1 ROM V1.0.2 Uptime: 12 7:18:36 Address: 08-00-2B-0A-10-63 Name: CCSRV2 Number: 22 Identification: Circuit Timer: 80 Password Limit: 3 Inactivity Timer: 2 Queue Limit: 8 Keepalive Timer: 20 Retransmit Limit: 10 Multicast Timer: 60 Session Limit: 256 Node Limit: 100 Service Groups: 0 Backup Hosts: None Enabled Characteristics: Announcements Local> show services all Service Name Status Identification DCSSVX Unavailable VT CC DCSS VS2000 Ultrix 2.2/UNIX DSW Unavailable VT CNS dataswitch GOLEM Unavailable VT Mathematics VAXstation I VMS - Node LAN Unavailable VT CNS LocalNet MTHOPR Unavailable VT Mathematics VAXstation I VMS - Node MTHSUN Unavailable VT Mathematics Sun 3/50 - MTHSUN MTHUNH Unavailable VT Mathematics VS2000 Ultrix 2.2 - Node MTHUNX Unavailable VT Mathematics VS2000 Ultrix 2.2 - Node NFNITY Unavailable VT Mathematics VS2000 VMS - Node NFNITY POPEYE Unavailable Systems Research Center VAX-11/785 SVR2/ QUANTM Unavailable VT Mathematics VS2000 Ultrix 2.2 - Node VTAGE1 Unavailable Ag. Engineering MicroVAX II / MicroVMS V VTCC1 6 Connected TechCluster - Node VTCC1 VTCPE1 Unavailable VT EE Department VS2000 Ultrix 2.2/UNIX VTCPE2 Unavailable VT EE Department VS2000 Ultrix 2.2/UNIX VTCPE3 Unavailable VT EE Department VS2000 Ultrix 2.2/UNIX VTCPE4 Unavailable VT EE Department VS3200 Ultrix 2.2/UNIX VTCS1 Unavailable Va Tech CS Lab: VMS Service VTDAL3 Unavailable VT EE Department VS2000 Ultrix 2.0/UNIX VTDAL4 Unavailable VT EE DAL VS3200 Ultrix 2.2/Unix VTDAL5 Unavailable VT EE DAL VS3200 Ultrix 2.2/UNIX VTDAL6 Unavailable VT EE DAL VS3200 Ultrix 2.2/Unix VTHCL Unavailable Va Tech Human/Computer Interface Lab VTMAP Unavailable CE-Geography SDA Lab -Node VTMAP - Micro VTMATH Available TechCluster - Node VTCC1 VTMILO Unavailable Human/Computer Lab - VAXStation II VTODIE Unavailable VT CS Department MicroVax 2000 Ultrix 2.0 VTSDA Unavailable Spatial Data Analysis Lab - Vax 11/785 VTUNIX Available VT CC VAX 11/785 Ultrix 2.2/UNIX VTYR Unavailable VT Mathematics VS2000 VMS - Node VTYR XPRT549 Unavailable Fifth floor printer Local> show ports all Port Access Status Local Services 1 Local Idle 2 Local Idle 3 Local Idle 4 Local Idle 5 Local Connected 6 Local Connected 7 Local Connected 8 Local Connected 9 Local Offline 10 Local Offline 11 Local Offline 12 Local Offline 13 Local Offline 14 Local Offline 15 Local Offline 16 Local Offline 17 Local Idle 18 Local Idle 19 Local Idle 20 Local Idle 21 Local Local mode 22 Local Idle 23 Local Idle 24 Local Idle 25 Local Offline 26 Local Offline 27 Local Offline 28 Local Offline 29 Local Offline 30 Local Offline 31 Local Offline 32 Local Offline 33 Local Idle 34 Local Connected 35 Local Idle 36 Local Idle 37 Local Idle 38 Local Idle 39 Local Idle 40 Local Idle 41 Local Offline 42 Local Offline 43 Local Offline 44 Local Offline 45 Local Offline 46 Local Offline 47 Local Offline 48 Local Offline 49 Local Idle 50 Local Idle 51 Local Idle 52 Local Idle 53 Local Idle 54 Local Idle 55 Local Idle 56 Local Idle 57 Local Offline 58 Local Offline 59 Local Offline 60 Local Offline 61 Local Offline 62 Local Offline 63 Local Offline 64 Local Offline 65 Local Idle 66 Local Idle 67 Local Connected 68 Local Idle 69 Local Idle 70 Local Idle 71 Local Idle 72 Local Idle 73 Local Offline 74 Local Offline 75 Local Offline 76 Local Offline 77 Local Offline 78 Local Offline 79 Local Offline 80 Local Offline 81 Local Idle 82 Local Idle ������������������������������������ 83 Local Idle 84 Local Idle 85 Local Idle 86 Local Idle 87 Local Idle 88 Local Idle 89 Local Offline 90 Local Offline 91 Local Offline 92 Local Offline 93 Local Offline 94 Local Offline 95 Local Offline 96 Local Offline 97 Local Idle 98 Local Idle 99 Local Idle 100 Local Idle 101 Local Idle 102 Local Idle 103 Local Idle 104 Local Idle 105 Local Offline 106 Local Offline 107 Local Offline 108 Local Offline 109 Local Offline 110 Local Offline 111 Local ���Offline 112 Local Offline 113 Local Idle 114 Local Idle 115 Local Idle 116 Local Idle 117 Local Idle 118 Local Idle 119 Local Idle 120 Local Idle 121 Local Offline 122 Local Offline 123 Local Offline 124 Local Offline 125 Local Offline 126 Local Offline 127 Local Offline 128 Local Offline Enough stuff, huh? Well, we've got MORE news. If you're going to poke around L-Net, the following numbers into L-Net have been known to be dead (i.e. CONNECTED, but no response): 40499, 40507, 40482. And here's an update on VTHack #2's list of Net numbers: 40600-40615 No Answer 40625-40656 Originate Only 40657 Not Accessable 40658 No Answer 40659-40686 Not a Dataline 40687 No Answer 40688-40690 Not Accessable 40691 1200 baud line 40692 No Answer 40693-40699 Not a Dataline 40700-40723 Connection Failed 40724 No Answer 40725-40799 VM/XA VT 40800-40817 VM/XA VT 40818-40833 Originate Only 40834-40837 Not Accessable 40838-40839 Originate Only 40840-40899 Not a Dataline 40900-40999 Not a Dataline And what about the other 55 thousand L-Net addresses we didn't try? Hey, why don't YOU try them, and then share the news...? We're already moving on to brighter futures in hacking, so stay tuned on your local BBS or pass-the-disk network for: VTHacker #4 - Viruses, reader response, Telenet, and more updates on previous info... Downloaded From P-80 Systems 304-744-2253