:-----------------------------------------------------------:
        :                                                           :
        :            M A K I N G    T H E    M O S T    O F         :
        :                 R S T S / E    S Y S T E M S              :
        :            ======================================         :
        :                                                           :
        :                 Written by   :   Captain Hack             :
        :                              :   of Melbourne,            :
        :                              :   Australia.               :
        :                 Written on   :   01-Feb-86.               :
        :                 File No.     :   V01A-01                  :
        :                                                           :
        :-----------------------------------------------------------:

                   Originally Displayed in the U.S. on:
                      P-80 Int'l Information Systems


                                INTRODUCTION.

             This  file  is  a tutorial on making the the most  of  a
        RSTS/E  system,  making  the most could  mean  anything  from
        making  the  system  do so neat tricks,  to using it  to  you
        advantage,  to taking it over completely;  depending on  your
        needs!

             For  most  of  the examples you will  need  an  account,
        obviously non-privilaged,  else you would not be reading this
        tutorial.  Bear  in  mind  that most,  if  not  all,  of  the
        techniques  described  can be changed by the sysop.  I  found
        this  out while trying them,  but most sysop's don't  realize
        everythings full potential and how it will be used;  needless
        to say that I most likely have missed out on things. Anyway I
        hope  you  like  the tutorial and  you  have  an  educational
        experience!  I  will rely on also using your imagination  and
        ingenuity, as this is often needed.


                            OBTAINING OLD FILES.

            If  ever  you  have a valuble file that  you  don't  want
        people  to  see the contents of for one  reason  or  another,
        always  write  other information (random of fixed)  over  the
        entire  file  before deleting it.  When the system creates  a
        file it likes to have it continuous if possible,  which means
        many blocks will be consecutive.  When a file is created  the
        system  alters information in a system file indicting that  a
        particular  block or set of blocks have been allocated so  as
        they  will  not be over-written.  The directory  knows  which
        which  blocks  are associated with which file,  but when  you
        delete a file,  the system flags the used blocks as available
        and delete the directory entry.  The system doesn't wipe  the
        information.

            To  dig up these old blocks,  write yourself a program to
        open a large file,  I will leave the size up to you.  You use
        the  filesize option in the OPEN statement to do  this,  then
        just read in the blocks. When possible use block I/O for file
        manipulation  because  of its speed  and  convienience.  Look
        through  the  blocks any if one if worth keeping save  if  to
        another file.

                                     -2-

           Seeing as BASIC programs have line numbers, as long as you
        find all the blocks, file reconstruction is easy.

           There  of course is no guarantee that you will  find  them
        all.  Some  may have been reallocated,  but it's amazing what
        you can find! The bigger the block cluster size used in files
        the easier it is to reconstruct them. Just experiment!


                             ANNOYING THE USERS.

            A way to annoy the users of  the  system is  a techinque
        discovered  just after we found out about the block recovery.
        After  finding remnants of some of my data strewn across  the
        system  I  decided the best thing to do was to zero  all  the
        available disk space.  One Sunday night we wrote a program to
        open  a  very large file (all free disk space  in  fact)  and
        proceeded to zero this.  This was sucessful,  except when the
        system was supposed to kill the file something went wrong and
        the file was not deleted. The next morning, before the sysops
        arrived,  the users tried to login. Because there was no free
        space  to  write login records or do anything!  No-one  could
        login!  Apparently this had the operators mystified why  they
        couldn't get into their system.  They had to reboot,  or so I
        heard,  they  later worked out what had happended.  They then
        asked why!


                            THE PSEUDO KEYBOARD.

            The pseudo keyboard (device PKnn:) must be about the most
        useful  and versatile device.  This is the device to be  used
        for the perfect hack!  Originally, like many people, I saw it
        in a manual and really didn't read about it but as usual when
        I  was going over the manuals with a fine tooth comb  I  read
        into  it.  Although most of the weak-points discussed in this
        tutorial can be removed by patching implemented by the system
        operator, they are likely to ignore them. The pseudo keyboard
        is a keyboard which doesn't physically exist!  When you  open
        the  channel  and  do I/O's with it it appears  like  another
        keyboard.  It even has a keyboard number.  This is useful for
        extracting  inormation  for your programs that  can  only  be
        accessed  in command mode.  An example of this is  SYSTAT.  I
        recommend  that you get hold of a PROGRAMMING MANUAL and read
        it thoroughly, including the section on pseudo keyboards.


                             PASSWORD CATCHING.

            Password catching is always desirable if you want  access
        to  a privilaged account!  When I first started out we ran  a
        crude  program  which did I/O's to the desired  terminal  and
        gave  the responses that the system would give.  A number  of
        problems  that we ran into was that you cannot fake the whole
        system, that is impossible using those methods, and also this
        did not allow for timing delays which most users were used to
        and expected.

                                     -3-

            With  these  old programs,  the passwords obtained  never
        lasted long because the user almost always knew they had been
        caught  because users get suspicious when they get an  INVALD
        ENTRY  - TRY  AGAIN message when they put  in  their  correct
        password.  This problem left me pondering how could you write
        the  "perfect"  password catcher.  When I  discovered  pseudo
        keyboards I was thinking of applications, then it hit me. Why
        not  simulate the whole job of another user?  It was possible
        too!

            To  do this you write a program to open a channel to  the
        keyboard  where  the  person will enter the  desired  account
        number  and  password.  You  also  open  a  pseudo  keyboard.
        Basically  from  then on you pass the data from  one  to  the
        other, and you keep checking what is being typed and when the
        account  number and password are detected save them to a disk
        file  encoded or what ever.  You should continue to  simulate
        the job until the person logs off.  There are a few things to
        be careful about.  When the person runs SYSTAT make sure  the
        output  is sent to the terminal replaces the pseudo  keyboard
        number  with his keyboard number.  Make sure he doesn't see a
        channel  is open to his terminal and other things like  that.
        Another  things  to  be careful of is  that  he  doesn't  run
        programs  to  tell  him his keyboard number or  a  few  other
        things  like that or a program where the terminal where it is
        run from affects its operation,  if he does it could be quite
        hard to deal with. All of the techniques I describe will need
        practice and perfection. Perfect things before using them and
        don't  tell people what you are doing.  Another thing  to  be
        careful  of  are  operators  who look at the  files  in  your
        account.  A  simple  way  to deal with  those  people  is  to
        encrypt/code  those files and keep decoded copies online  for
        as  little time as possible.  If you can't stay at a terminal
        to  have the password catcher program running  don't  despair
        because I will show you how to detach jobs later.  My biggest
        piece  of advice is always stalk and watch the target  system
        first  for  a  while.  Get to know what most or  all  of  the
        programs in the project 1 accounts do, and only after you are
        sure should you try and pull a stunt like I decribe. Once you
        have  a privilaged password you must use your own imagination
        to  how you use it.  Remember always be  security  conscious.
        Don't  take  unneccessary risks and by the time you get to  a
        privilaged  account  you should know all  the  SYS  functions
        possible and how to use them to your advantage. If you system
        keeps login and logout records remember to edit them, because
        depending  on what you do,  your activities should be able to
        go on undetected!


                               DETACHING JOBS.

            There is one way a non-privilaged user can detach a  job.
        This  is done using pseudo keyboards.  You will need to  read
        the  PROGRAMMING  MANUAL (the RSTS/E bible for hackers!)  and
        write yourself a program to almost simulate a job except  you
        do  it to your terminal and you don't log the passwords etc..


                                     -4-

        When  you  are  logged into your account  and  you  run  this
        program it will look on your terminal like you are logged out
        again  and  you will have to log into the system  again.  Log
        into  the account which you want to detach the job  from  and
        you  must have access to the program from this  account.  You
        should  execute  the program you want detached then   have  a
        special  key  sequence  that will close the  channel  to  the
        pseudo keyboard. You detacher program will finish and that is
        how  you do it.  ut you say that doesn't work,  it just kills
        the job you started when you closed the channel to the pseudo
        keyboard,  but you didn't wait for the most important  piece!
        When  opening the pseudo keyboard you must have included MODE
        1  in the OPEN statement which tells the system to detach the
        job  when you close the channel instead of killing  the  job.
        When  you do a SYSTAT you will see your job running detached.
        Don't  forget opertors mightn't like you detaching  too  many
        jobs so do it when they aren't around. For a job to terminate
        itself  you  may try getting it to run LOGOUT,  but  when  it
        tries  to  output something like a message saying  your  disk
        space  or have a nice afternoon it will sit there helpless in
        a HB wait state until someone attaches to it (like you or  an
        operator)  or an operator kills it.  To get around this  take
        notice  of the message you get when you log in and you have a
        job detached.  The system tells you that and asks if you want
        to  attach.  So you what you do is make you detached  program
        open a pseudo keyboard in a mode that won't detach it and get
        that  job  to  log  into  your  account.  Don't  worry  about
        entrusting  your  password  to the program  as  others  can't
        obtain it.  Anyway when you get the new job to log in make it
        attach to the job you wanted killed,  then when your original
        program  closes  the channel to the pseudo keyboard  the  job
        running  on the pseudo keyoard is killed and  it  effectively
        kills  itself  as  it  attached  to itself  in  a  manner  of
        speaking, and thus the job disappears! (Well it worked on the
        system I tried it on)


                              RECOMMENDATIONS.

            When  you attempt to do all of this  I advise you  to get
        hold  of (buy ($20) or borrow) the RSTS/E PROGRAMMING MANUAL.
        There  would  be at least one with the system  and  are  also
        available from DEC (Digital Equipment Corporation).

            Finally,  non  of  the above methods and  techniques  are
        guaranteed  as  they can be removed or altered by the  system
        operators.  All of the techniques are valid and are not  bugs
        in  the operating system.  Whether your operator knows  about
        them  or what they can do is a different matter!  Anyhow have
        fun, RSTS/E is a good operating system, and don't do anything
        that I wouldn't do!


        :--------------------------THE-END--------------------------:

You are viewing proxied material from infinitelyremote.com. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.