Yaj Computers

HOTMAIL HACKING INFO.


I_1_I  - Brute force hacking
a. Use telnet to connect to port 110 (Hotmail´s pop-server)
b. Type USER and then the victim´s username
c. Type PASS and then the guess a password
d. Repeat that until U have found the correct password.
!. This is called brute force hacking and requires patience.
It´s better than trying to guess the victims password on
hotmail homepage only because it´s faster.
____
I_2_I  - The Best way
a. Get the username of the victim (It usually stands in the adress-field
)
b. Then type " www.hotmail.com/cgi-bin/start/victimsusername "
c. U´re in!
!. This hack only work if U are on the same network or computer as the
victim and if he don´t log out.
____
I_3_I  - The old way
a. Go to http://www.hotmail/proxy.html
b. Now type the victims username. (press login)
c. Look at the source code.
d. On the fifth row U should find "action=someadress"
e. Copy that adress and paste it into the adress-field
f. You are in...
!. As you can see it´s a long procedure and the victim have
plenty of time to log out.
____
I_4_I  - Another...
a. Go to hotmail´s homepage
b. Copy the source code.
c. Make a new html file with the same code but change method=post to
method=enter
d. "view" the page
e. Change the adress to www.hotmail.com/ (don´t press enter!)
f. Make the victim type in his username and password
g. Look in the adress-field. There you´ll see ...&password:something...
!. This is the way I use, because it lets you know the password.
(If he exits the browser U can see the password in the History folder!)

READ!
Hotmail´s sysops have changed the "system" so that the victim may log
out even
if U are inside his/her account. So don´t waste U´r time!

---

So you want to get some hotmail passwords? 
This is pretty easy to do once you have got the hang of it. 
If you are a beginner, I wouldn't make this your first attempt at
hacking.  When you need to do is use a port surfer and surf over to
port 80.  While there, you have to try and mail the user that you
want the password from.  It is best to mail them using the words
"We" and "Here at Hotmail..."  Most suckers fall for this and end
up giving out their password.  There is another way to also, you can
get an anon mailer, and forge the addres as staff@hotmail.com.  But
you have to change the reply address to go to a different addres
like user@host.com.  The person that you are trying to get the pass
from MUST respond to that letter for the mail to be forwarded to you.
Have text like "Please reply to this letter with the subject "PASSWORD"
and underneith please include your user name and password. 
If you have trouble Loging in withing the next few days, this is
only because we are updating our mail servers but no need to worry,
your mail will still be there.  Even though the server may be down
for an hour.  From the staff at Hotmail, Thank You."

               


Over the past few years TCP sequence number prediction attacks have become a
real threat against unprotected networks, taking advantage of the inherent
trust relationships present in many network installations.  TCP sequence
number prediction attacks have most commonly been implemented by opening a
series of connections to the target host, and attempting to predict the
sequence number which will be used next.  Many operating systems have
therefore attempted to solve this problem by implementing a method of
generating sequence numbers in unpredictable fashions.  This method does
not solve the problem.

This advisory introduces an alternative method of obtaining the initial
sequence number from some common trusted services.  The attack presented here
does not require the attacker to open multiple connections, or flood a port
on the trusted host to complete the attack.  The only requirement is that
source routed packets can be injected into the target network with fake
source addresses.

This advisory assumes that the reader already has an understanding of how
TCP sequence number prediction attacks are implemented.

The impact of this advisory is greatly diminished due to the large number of
organizations which block source routed packets and packets with addresses
inside of their networks.  Therefore we present the information as more of
a 'heads up' message for the technically inclined, and to re-iterate that
the randomization of TCP sequence numbers is not an effective solution
against this attack.


Technical Details
~~~~~~~~~~~~~~~~~

The problem occurs when particular network daemons accept connections
with source routing enabled, and proceed to disable any source routing
options on the connection.  The connection is allowed to continue, however
the reverse route is no longer used.  An example attack can launched against
the in.rshd daemon, which on most systems will retrieve the socket options
via getsockopt() and then turn off any dangerous options via setsockopt().

An example attack follows.

Host A is the trusted host
Host B is the target host
Host C is the attacker

Host C initiates a source routed connection to in.rshd on host B, pretending
to be host A.

Host C spoofing Host A         <SYN>    -->  Host B in.rshd

Host B receives the initial SYN packet, creates a new PCB (protocol
control block) and associates the route with the PCB.  Host B responds,
using the reverse route, sending back a SYN/ACK with the sequence number.

Host C spoofing Host A  <--  <SYN/ACK>       Host B in.rshd

Host C responds, still spoofing host A, acknowledging the sequence number.
Source routing options are not required on this packet.

Host C spoofing Host A         <ACK>    -->  Host B in.rshd

We now have an established connection, the accept() call completes, and
control is now passed to the in.rshd daemon.  The daemon now does IP
options checking and determines that we have initiated a source routed
connection.  The daemon now turns off this option, and any packets sent
thereafter will be sent to the real host A, no longer using the reverse
route which we have specified.  Normally this would be safe, however the
attacking host now knows what the next sequence number will be.  Knowing
this sequence number, we can now send a spoofed packet without the source
routing options enabled, pretending to originate from Host A, and our
command will be executed.

In some conditions the flooding of a port on the real host A is required
if larger ammounts of data are sent, to prevent the real host A from
responding with an RST.  This is not required in most cases when performing
this attack against in.rshd due to the small ammount of data transmitted.

It should be noted that the sequence number is obtained before accept()
has returned and that this cannot be prevented without turning off source
routing in the kernel.

As a side note, we're very lucky that TCP only associates a source route with
a PCB when the initial SYN is received.  If it accepted and changed the ip
options at any point during a connection, more exotic attacks may be possible.
These could include hijacking connections across the internet without playing
a man in the middle attack and being able to bypass IP options checking
imposed by daemons using getsockopt().  Luckily *BSD based TCP/IP stacks will
not do this, however it would be interesting to examine other implementations.

Impact
~~~~~~

The impact of this attack is similar to the more complex TCP sequence
number prediction attack, yet it involves fewer steps, and does not require
us to 'guess' the sequence number.  This allows an attacker to execute
arbitrary commands as root, depending on the configuration of the target
system.  It is required that trust is present here, as an example, the use
of .rhosts or hosts.equiv files.


Solutions
~~~~~~~~~

The ideal solution to this problem is to have any services which rely on
IP based authentication drop the connection completely when initially
detecting that source routed options are present.  Network administrators
and users can take precautions to prevent users outside of their network
from taking advantage of this problem.  The solutions are hopefully already
either implemented or being implemented.

1. Block any source routed connections into your networks
2. Block any packets with internal based address from entering your network.

Network administrators should be aware that these attacks can easily be
launched from behind filtering routers and firewalls.  Internet service
providers and corporations should ensure that internal users cannot launch
the described attacks.  The precautions suggested above should be implemented
to protect internal networks.

Example code to correctly process source routed packets is presented here
as an example.  Please let us know if there are any problems with it.
This code has been tested on BSD based operating systems.

        u_char optbuf[BUFSIZ/3];
        int optsize = sizeof(optbuf), ipproto, i;
        struct protoent *ip;

        if ((ip = getprotobyname("ip")) != NULL)
                ipproto = ip->p_proto;
        else
                ipproto = IPPROTO_IP;
        if (!getsockopt(0, ipproto, IP_OPTIONS, (char *)optbuf, &optsize) &&
            optsize != 0) {
                for (i = 0; i < optsize; ) {
                        u_char c = optbuf[i];
                        if (c == IPOPT_LSRR || c == IPOPT_SSRR)
                                exit(1);
                        if (c == IPOPT_EOL)
                                break;
                        i += (c == IPOPT_NOP) ? 1 : optbuf[i+1];
                }
        }


One critical concern is in the case where TCP wrappers are being used.  If
a user is relying on TCP wrappers, the above fix should be incorporated into
fix_options.c.  The problem being that TCP wrappers itself does not close
the connection, however removes the options via setsockopt().  In this case
when control is passed to in.rshd, it will never see any options present,
and the connection will remain open (even if in.rshd has the above patch
incorporated).  An option to completely drop source routed connections will
hopefully be provided in the next release of TCP wrappers.  The other option
is to undefine KILL_IP_OPTIONS, which appears to be undefined by default.
This passes through IP options and allows the called daemon to handle them
accordingly.


Disabling Source Routing
~~~~~~~~~~~~~~~~~~~~~~~~

We believe the following information to be accurate, however it is not
guaranteed.

--- Cisco

To have the router discard any datagram containing an IP source route option
issue the following command:

no ip source-route

This is a global configuration option.


--- NetBSD

Versions of NetBSD prior to 1.2 did not provide the capability for disabling
source routing.  Other versions ship with source routing ENABLED by default.
We do not know of a way to prevent NetBSD from accepting source routed packets.
NetBSD systems, however, can be configured to prevent the forwarding of packets
when acting as a gateway.

To determine whether forwarding of source routed packets is enabled,
issue the following command:

# sysctl net.inet.ip.forwarding
# sysctl net.inet.ip.forwsrcrt

The response will be either 0 or 1, 0 meaning off, and 1 meaning it is on.

Forwarding of source routed packets can be turned off via:

# sysctl -w net.inet.ip.forwsrcrt=0

Forwarding of all packets in general can turned off via:

# sysctl -w net.inet.ip.forwarding=0


--- BSD/OS

BSDI has made a patch availible for rshd, rlogind, tcpd and nfsd.  This
patch is availible at:

ftp://ftp.bsdi.com/bsdi/patches/patches-2.1

OR via their patches email server <patches@bsdi.com>

The patch number is
U210-037 (normal version)
D210-037 (domestic version for sites running kerberized version)


BSD/OS 2.1 has source routing disabled by default

Previous versions ship with source routing ENABLED by default.  As far as
we know, BSD/OS cannot be configured to drop source routed packets destined
for itself, however can be configured to prevent the forwarding of such
packets when acting as a gateway.

To determine whether forwarding of source routed packets is enabled,
issue the following command:

# sysctl net.inet.ip.forwarding
# sysctl net.inet.ip.forwsrcrt

The response will be either 0 or 1, 0 meaning off, and 1 meaning it is on.

Forwarding of source routed packets can be turned off via:

# sysctl -w net.inet.ip.forwsrcrt=0

Forwarding of all packets in general can turned off via:

# sysctl -w net.inet.ip.forwarding=0


--- OpenBSD

Ships with source routing turned off by default.  To determine whether source
routing is enabled, the following command can be issued:

# sysctl net.inet.ip.sourceroute

The response will be either 0 or 1, 0 meaning that source routing is off,
and 1 meaning it is on.  If source routing has been turned on, turn off via:

# sysctl -w net.inet.ip.sourceroute=0

This will prevent OpenBSD from forwarding and accepting any source routed
packets.


--- FreeBSD

Ships with source routing turned off by default.  To determine whether source
routing is enabled, the following command can be issued:

# sysctl net.inet.ip.sourceroute

The response will be either 0 or 1, 0 meaning that source routing is off,
and 1 meaning it is on.  If source routing has been turned on, turn off via:

# sysctl -w net.inet.ip.sourceroute=0


--- Linux

Linux by default has source routing disabled in the kernel.


--- Solaris 2.x

Ships with source routing enabled by default.  Solaris 2.5.1 is one of the
few commercial operating systems that does have unpredictable sequence
numbers, which does not help in this attack.

We know of no method to prevent Solaris from accepting source routed
connections, however, Solaris systems acting as gateways can be prevented
from forwarding any source routed packets via the following commands:

# ndd -set /dev/ip ip_forward_src_routed 0

You can prevent forwarding of all packets via:

# ndd -set /dev/ip ip_forwarding 0

These commands can be added to /etc/rc2.d/S69inet to take effect at bootup.


--- SunOS 4.x

We know of no method to prevent SunOS from accepting source routed
connections, however a patch is availible to prevent SunOS systems from
forwarding source routed packets.

This patch is availible at:

ftp://ftp.secnet.com/pub/patches/source-routing-patch.tar.gz

To configure SunOS to prevent forwarding of all packets, the following
command can be issued:

# echo "ip_forwarding/w 0" | adb -k -w /vmunix /dev/mem
# echo "ip_forwarding?w 0" | adb -k -w /vmunix /dev/mem

The first command turns off packet forwarding in /dev/mem, the second in
/vmunix.


--- HP-UX

HP-UX does not appear to have options for configuring an HP-UX system to
prevent accepting or forwarding of source routed packets.  HP-UX has IP
forwarding turned on by default and should be turned off if acting as a
firewall.  To determine whether IP forwarding is currently on, the following
command can be issued:

# adb /hp-ux
ipforwarding?X      <- user input
ipforwarding:
ipforwarding: 1
#

A response of 1 indicates IP forwarding is ON, 0 indicates off.  HP-UX can
be configured to prevent the forwarding of any packets via the following
commands:

# adb -w /hp-ux /dev/kmem
ipforwarding/W 0
ipforwarding?W 0
^D
#

--- AIX

AIX cannot be configured to discard source routed packets destined for itself,
however can be configured to prevent the forwarding of source routed packets.
IP forwarding and forwarding of source routed packets specifically can be
turned off under AIX via the following commands:

To turn off forwarding of all packets:

# /usr/sbin/no -o ipforwarding=0

To turn off forwarding of source routed packets:

# /usr/sbin/no -o nonlocsrcroute=0

Note that these commands should be added to /etc/rc.net



If shutting off source routing is not possible and you are still using
services which rely on IP address authentication, they should be disabled
immediately (in.rshd, in.rlogind).  in.rlogind is safe if .rhosts and
/etc/hosts.equiv are not used.


Attributions
~~~~~~~~~~~~

Thanks to Niels Provos <provos@physnet.uni-hamburg.de> for providing
the information and details of this attack.  You can view his web
site at http://www.physnet.uni-hamburg.de/provos

Thanks to Theo de Raadt, the maintainer of OpenBSD for forwarding this
information to us.  More information on OpenBSD can be found at
http://www.openbsd.org

Thanks to Keith Bostic <bostic@bsdi.com> for discussion and a quick
solution for BSD/OS.

Thanks to Brad Powell <brad.powell@west.sun.com> for providing information
for Solaris 2.x and SunOS 4.x operating systems.

Thanks go to CERT and AUSCERT for recommendations in this advisory.

You can contact the author of this advisory at oliver@secnet.com



-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQCNAzJATn0AAAEEAJeGbZyoCw14fCoAMeBRKiZ3L6JMbd9f4BtwdtYTwD42/Uz1
A/4UiRJzRLGhARpt1J06NVQEKXQDbejxGIGzAGTcyqUCKH6yNAncqoep3+PKIQJd
Kd23buvbk7yUgyVlqQHDDsW0zMKdlSO7rYByT6zsW0Rv5JmHJh/bLKAOe7p9AAUR
tCVPbGl2ZXIgRnJpZWRyaWNocyA8b2xpdmVyQHNlY25ldC5jb20+iQCVAwUQMkBO
fR/bLKAOe7p9AQEBOAQAkTXiBzf4a31cYYDFmiLWgXq0amQ2lsamdrQohIMEDXe8
45SoGwBzXHVh+gnXCQF2zLxaucKLG3SXPIg+nJWhFczX2Fo97HqdtFmx0Y5IyMgU
qRgK/j8KyJRdVliM1IkX8rf3Bn+ha3xn0yrWlTZMF9nL7iVPBsmgyMOuXwZ7ZB8=
=xq4f
-----END PGP PUBLIC KEY BLOCK-----

Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

 You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
 and advisories at ftp://ftp.secnet.com/advisories

 You can browse our web site at http://www.secnet.com

 You can subscribe to our security advisory mailing list by sending mail to
 majordomo@secnet.com with the line "subscribe sni-advisories"

This file is an addendum to "A Novice's Guide To Hacking" written by "The
Mentor".  The word "hacking" is here used the way the non-hacking public
thinks it is used, to mean breaking into somebody else's computer.  Its
purpose is to expand and clarify the information about the TOPS-20 operating
system, which runs on DECsystem-20 mainframes.  The Mentor basically lumped
this system in with TOPS-10 and didn't note important differences between the
two.  I will here reproduce in full what The Mentor had to say about TOPS-10
and about VMS, which are the parent and the offspring of TOPS-20.

VMS-       The VAX computer is made by Digital Equipment Corporation (DEC),
           and runs the VMS (Virtual Memory System) operating system.
           VMS is characterized by the 'Username:' prompt.  It will not tell
           you if you've entered a valid username or not, and will disconnect
           you after three bad login attempts.  It also keeps track of all
           failed login attempts and informs the owner of the account next time
           s/he logs in how many bad login attempts were made on the account.
           It is one of the most secure operating systems around from the
           outside, but once you're in there are many things that you can do
           to circumvent system security.  The VAX also has the best set of
           help files in the world.  Just type HELP and read to your heart's
           content.
           Common Accounts/Defaults:  [username: password [[,password]] ]
           SYSTEM:     OPERATOR or MANAGER or SYSTEM or SYSLIB
           OPERATOR:   OPERATOR
           SYSTEST:    UETP
           SYSMAINT:   SYSMAINT or SERVICE or DIGITAL
           FIELD:      FIELD or SERVICE
           GUEST:      GUEST or unpassworded
           DEMO:       DEMO  or unpassworded
           DECNET:     DECNET


DEC-10-    An earlier line of DEC computer equipment, running the TOPS-10
           operating system.  These machines are recognized by their
           '.' prompt.  The DEC-10/20 series are remarkably hacker-friendly,
           allowing you to enter several important commands without ever
           logging into the system.  Accounts are in the format [xxx,yyy] where
           xxx and yyy are integers.  You can get a listing of the accounts and
           the process names of everyone on the system before logging in with
           the command .systat (for SYstem STATus).  If you seen an account
           that reads [234,1001]   BOB JONES, it might be wise to try BOB or
           JONES or both for a password on this account.  To login, you type
           .login xxx,yyy  and then type the password when prompted for it.
           The system will allow you unlimited tries at an account, and does
           not keep records of bad login attempts.  It will also inform you
           if the UIC you're trying (UIC = User Identification Code, 1,2 for
           example) is bad.
           Common Accounts/Defaults:
           1,2:        SYSLIB or OPERATOR or MANAGER
           2,7:        MAINTAIN
           5,30:       GAMES

**** note:  I'm remembering this stuff from several years ago, and in some
cases my memory may be foggy or stuff may be outdated.

TOPS-20, once you are inside, resembles VMS much more than it resembles 
TOPS-10, as far as I know (I'm not really familiar with VMS).  From the
outside, it's more like TOPS-10, except that the prompt is a @ instead of a
period.  You can enter many commands without logging in, including SYSTAT and
probably FINGER.  (Sometimes you can even use the mail program without
logging in.)  It is very helpful.  Not only does the command HELP lead to
lots of useful information, but anywhere in typing a command you can press ?
and it will tell you what the format of the command expects.  For instance,
if you type ? by itself, it will tell you all the words that a command can
begin with.  If you type S?, it will tell you all the commands that start
with the letter S.  If you type SYSTAT ?, it will tell you the options
available on the systat command.  You can use this at any point in any
command.  Furthermore, if there is only one possibility (you have typed a
unique abbreviation), you can press Escape and it will finish the word for
you.  I'm not sure, but I think TOPS-20 was the system that first introduced
filename completion as well --turning a uniquely abbreviated filename into a
complete name when you press escape, beeping if the abbreviation is not
unique.  With command keywords you can leave the abbreviation un-expanded,
with filenames you have to expand it (or type it all in) for it to work.

Use the "Login" command to log in, followed by a username.  It will prompt
for a password.  Note that a password can be something like 39 characters
long, as can the username itself.  TOPS-20 does NOT use numbers like 317,043
for user IDs.  (Note that these numbers in TOPS-10 are octal, not decimal.)
Furthermore, the password can contain spaces.  So, if somebody wants to make
his password difficult to guess, he can easily do so.

(But sometimes they might get overconfident.  I remember a story from
Stanford...  Someone asked the large cheese if he would let him know what the
operator password was, and he said "The operator password is currently
unavailable."  So the guy tried "currently unavailable" as a password, and
got in.  (Which reminds me of the time they got a real bug in the system
there...  a head crash caused by an ant on the disk platter.))

In general, TOPS-20 does not limit the number of login attempts, nor does it
keep a record of bad tries.  However, it is not difficult for the local
management to add such measures, or others such as a delay of several seconds
after each attempt.  And unlike Unix, it is difficult to evade these even
once you're in.  Without heavy in-depth knowledge, you can't test a username-
password combination except through a system call, which will enforce delays
and limited failures and such against password-trying programs.

So, TOPS-20 is easy to defend against the "database hack", in which you try
many different common passwords with many different usernames.  (Unix is
much more vulnerable to this.)  But any particular system, especially a lax
one like a college machine (DEC is always popular in academia), might have
little defense here.  But you might not know how much defense until too late.

Do try the GUEST username.

But TOPS-20 can be very vulnerable to trojan horses.  See, there's this thing
called the Wheel bit.  A username that has the Wheel property can do anything
the system operator can do, such as ignore file protection masks, edit the
disks at the track/sector level, change any area of memory...  On Unix, only
one user, the superuser, can read and write protected files.  On TOPS-20, any
user can do these things from any terminal, if the Wheel attribute is set in
his user data.  Some campus computers tend to accumulate excess trusted users
with wheel bits, and have to periodically prune away the unnecessary ones.

The thing is that a wheel can do these things without knowing that he has
done them.  Normally the privileged commands are deactivated.  But a program
run by a wheel can activate the privileges, do anything it wants, cover its
tracks, and deactivate them without the user ever being the wiser.  So if you
can get any wheel user to run any program you wrote, such as a game or small
utility...  there's no limit to what you can do.  In particular, you can
create a new username, and make it a wheel.  Or you can simply ask the system
outright for someone's password, if I'm not mistaken.  (All this requires
access to TOPS-20 programming manuals, but some of the necessary material
should be available on line.)  You cannot actually conceal this creation, as
far as I know...  but maybe with sophisticated enough knowledge you could
make it not immediately apparent...  Anyway, once you get that far in, you can
probably keep one step ahead of them for a while...  If they erase your new
accounts, you can use the passwords to old ones...  They can change all of
the wheel passwords, but a lot of the regular users won't change for some
time...  You could even lock the operators out of their own system by
changing all their passwords for them, if you were crazy enough, perhaps
forcing them to shut the machine down to regain control of it.  They might
even have to restore stuff from tape backup.

Even if you don't wedge your way into secret stuff, a TOPS-20 system can be
fun to explore.  It's much more novice-friendly than most systems, and much
more hacker-friendly as well.  I think the ascendency of Unix as the least-
common-denominator OS that everybody can agree on is a definite loss,
compared to TOPS-20.

               +++++++++++++++++++++++++++++++++++++++++++++++++
               |              The LOD/H Presents               |
++++++++++++++++                                               ++++++++++++++++
 \                 A Novice's Guide to Hacking- 2004 edition                 /
  \                =========================================                /
   \                                  by                                   /
    \                             The Mentor                              /
     \                  Legion of Doom/Legion of Hackers                 /
      \                                                                 /
       \                        December, 2004                         /
        \                  Merry Christmas Everyone!                  /
         \+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/

    **********************************************************************
    |  The author hereby grants permission to reproduce, redistribute,   |
    |  or include this file in your g-file section, electronic or print  |
    |  newletter, or any other form of transmission that you choose, as  |
    |  long as it is kept intact and whole, with no ommissions, delet-   |
    |  ions, or changes.  (C) The Mentor- Phoenix Project Productions    |
    |                                     2003,2004  XXX/XXX-XXXX        |
    **********************************************************************

Introduction: The State of the Hack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   After surveying a rather large g-file collection, my attention was drawn to
the fact that there hasn't been a good introductory file written for absolute
beginners since back when Mark Tabas was cranking them out (and almost
*everyone* was a beginner!)  The Arts of Hacking and Phreaking have changed
radically since that time, and as the 90's approach, the hack/phreak community
has recovered from the Summer '87 busts (just like it recovered from the Fall
'85 busts, and like it will always recover from attempts to shut it down), and
the progressive media (from Reality Hackers magazine to William Gibson and
Bruce Sterling's cyberpunk fables of hackerdom) is starting to take notice
of us for the first time in recent years in a positive light.
   Unfortunately, it has also gotten more dangerous since the early 80's.
Phone cops have more resources, more awareness, and more intelligence that they
exhibited in the past.  It is becoming more and more difficult to survive as
a hacker long enough to become skilled in the art.  To this end this file
is dedicated .  If it can help someone get started, and help them survive
to discover new systems and new information, it will have served it's purpose,
and served as a partial repayment to all the people who helped me out when I
was a beginner.

Contents
~~~~~~~~
   This file will be divided into four parts:
       Part 1: What is Hacking, A Hacker's Code of Ethics, Basic Hacking Safety
       Part 2: Packet Switching Networks: Telenet- How it Works, How to Use it,
               Outdials, Network Servers, Private PADs
       Part 3: Identifying a Computer, How to Hack In, Operating System
               Defaults
       Part 4: Conclusion- Final Thoughts, Books to Read, Boards to Call,
               Acknowledgements

Part One: The Basics
~~~~~~~~~~~~~~~~~~~~
    As long as there have been computers, there have been hackers.  In the 50's
at the Massachusets Institute of Technology (MIT), students devoted much time
and energy to ingenious exploration of the computers.  Rules and the law were
disregarded in their pursuit for the 'hack'.  Just as they were enthralled with
their pursuit of information, so are we.  The thrill of the hack is not in
breaking the law, it's in the pursuit and capture of knowledge.
    To this end, let me contribute my suggestions for guidelines to follow to
ensure that not only you stay out of trouble, but you pursue your craft without
damaging the computers you hack into or the companies who own them.

I.    Do not intentionally damage *any* system.
II.   Do not alter any system files other than ones needed to ensure your
      escape from detection and your future access (Trojan Horses, Altering
      Logs, and the like are all necessary to your survival for as long as
      possible.)
III.  Do not leave your (or anyone else's) real name, real handle, or real
      phone number on any system that you access illegally.  They *can* and
      will track you down from your handle!
IV.   Be careful who you share information with.  Feds are getting trickier.
      Generally, if you don't know their voice phone number, name, and
      occupation or haven't spoken with them voice on non-info trading
      conversations, be wary.
V.    Do not leave your real phone number to anyone you don't know.  This
      includes logging on boards, no matter how k-rad they seem.  If you
      don't know the sysop, leave a note telling some trustworthy people
      that will validate you.
VI.   Do not hack government computers.  Yes, there are government systems
      that are safe to hack, but they are few and far between.  And the
      government has inifitely more time and resources to track you down than
      a company who has to make a profit and justify expenses.
VII.  Don't use codes unless there is *NO* way around it (you don't have a
      local telenet or tymnet outdial and can't connect to anything 800...)
      You use codes long enough, you will get caught.  Period.
VIII. Don't be afraid to be paranoid.  Remember, you *are* breaking the law.
      It doesn't hurt to store everything encrypted on your hard disk, or
      keep your notes buried in the backyard or in the trunk of your car.
      You may feel a little funny, but you'll feel a lot funnier when you
      when you meet Bruno, your transvestite cellmate who axed his family to
      death.
IX.   Watch what you post on boards.  Most of the really great hackers in the
      country post *nothing* about the system they're currently working
      except in the broadest sense (I'm working on a UNIX, or a COSMOS, or
      something generic.  Not "I'm hacking into General Electric's Voice Mail
      System" or something inane and revealing like that.)
X.    Don't be afraid to ask questions.  That's what more experienced hackers
      are for.  Don't expect *everything* you ask to be answered, though.
      There are some things (LMOS, for instance) that a begining hacker
      shouldn't mess with.  You'll either get caught, or screw it up for
      others, or both.
XI.   Finally, you have to actually hack.  You can hang out on boards all you
      want, and you can read all the text files in the world, but until you
      actually start doing it, you'll never know what it's all about.  There's
      no thrill quite the same as getting into your first system (well, ok,
      I can think of a couple of bigger thrills, but you get the picture.)

   One of the safest places to start your hacking career is on a computer
system belonging to a college.  University computers have notoriously lax
security, and are more used to hackers, as every college computer depart-
ment has one or two, so are less likely to press charges if you should
be detected.  But the odds of them detecting you and having the personel to
committ to tracking you down are slim as long as you aren't destructive.
   If you are already a college student, this is ideal, as you can legally
explore your computer system to your heart's desire, then go out and look
for similar systems that you can penetrate with confidence, as you're already
familar with them.
   So if you just want to get your feet wet, call your local college.  Many of
them will provide accounts for local residents at a nominal (under $20) charge.
   Finally, if you get caught, stay quiet until you get a lawyer.  Don't vol-
unteer any information, no matter what kind of 'deals' they offer you.
Nothing is binding unless you make the deal through your lawyer, so you might
as well shut up and wait.

Part Two: Networks
~~~~~~~~~~~~~~~~~~
   The best place to begin hacking (other than a college) is on one of the
bigger networks such as Telenet.  Why?  First, there is a wide variety of
computers to choose from, from small Micro-Vaxen to huge Crays.  Second, the
networks are fairly well documented.  It's easier to find someone who can help
you with a problem off of Telenet than it is to find assistance concerning your
local college computer or high school machine.  Third, the networks are safer.
Because of the enormous number of calls that are fielded every day by the big
networks, it is not financially practical to keep track of where every call and
connection are made from.  It is also very easy to disguise your location using
the network, which makes your hobby much more secure.
   Telenet has more computers hooked to it than any other system in the world
once you consider that from Telenet you have access to Tymnet, ItaPAC, JANET,
DATAPAC, SBDN, PandaNet, THEnet, and a whole host of other networks, all of
which you can connect to from your terminal.
   The first step that you need to take is to identify your local dialup port.
This is done by dialing 1-800-424-9494 (1200 7E1) and connecting.  It will
spout some garbage at you and then you'll get a prompt saying 'TERMINAL='.
This is your terminal type.  If you have vt100 emulation, type it in now.  Or
just hit return and it will default to dumb terminal mode.
   You'll now get a prompt that looks like a @.  From here, type @c mail <cr>
and then it will ask for a Username.  Enter 'phones' for the username. When it
asks for a password, enter 'phones' again.  From this point, it is menu
driven.  Use this to locate your local dialup, and call it back locally.  If
you don't have a local dialup, then use whatever means you wish to connect to
one long distance (more on this later.)
   When you call your local dialup, you will once again go through the
TERMINAL= stuff, and once again you'll be presented with a @.  This prompt lets
you know you are connected to a Telenet PAD.  PAD stands for either Packet
Assembler/Disassembler (if you talk to an engineer), or Public Access Device
(if you talk to Telenet's marketing people.)  The first description is more
correct.
   Telenet works by taking the data you enter in on the PAD you dialed into,
bundling it into a 128 byte chunk (normally... this can be changed), and then
transmitting it at speeds ranging from 9600 to 19,200 baud to another PAD, who
then takes the data and hands it down to whatever computer or system it's
connected to.  Basically, the PAD allows two computers that have different baud
rates or communication protocols to communicate with each other over a long
distance.  Sometimes you'll notice a time lag in the remote machines response.
This is called PAD Delay, and is to be expected when you're sending data
through several different links.
   What do you do with this PAD?  You use it to connect to remote computer
systems by typing 'C' for connect and then the Network User Address (NUA) of
the system you want to go to.
   An NUA takes the form of   031103130002520
                              \___/\___/\___/
                                |    |    |
                                |    |    |____ network address
                                |    |_________ area prefix
                                |______________ DNIC


     This is a summary of DNIC's (taken from Blade Runner's file on ItaPAC)
     according to their country and network name.


DNIC   Network Name    Country          DNIC   Network Name    Country
_______________________________________________________________________________
                                     |
02041   Datanet 1       Netherlands  |  03110   Telenet         USA
02062   DCS             Belgium      |  03340   Telepac         Mexico
02080   Transpac        France       |  03400   UDTS-Curacau    Curacau
02284   Telepac         Switzerland  |  04251   Isranet         Israel
02322   Datex-P         Austria      |  04401   DDX-P           Japan
02329   Radaus          Austria      |  04408   Venus-P         Japan
02342   PSS             UK           |  04501   Dacom-Net       South Korea
02382   Datapak         Denmark      |  04542   Intelpak        Singapore
02402   Datapak         Sweden       |  05052   Austpac         Australia
02405   Telepak         Sweden       |  05053   Midas           Australia
02442   Finpak          Finland      |  05252   Telepac         Hong Kong
02624   Datex-P         West Germany |  05301   Pacnet          New Zealand
02704   Luxpac          Luxembourg   |  06550   Saponet         South Africa
02724   Eirpak          Ireland      |  07240   Interdata       Brazil
03020   Datapac         Canada       |  07241   Renpac          Brazil
03028   Infogram        Canada       |  09000   Dialnet         USA
03103   ITT/UDTS        USA          |  07421   Dompac          French Guiana
03106   Tymnet          USA          |

   There are two ways to find interesting addresses to connect to.  The first
and easiest way is to obtain a copy of the LOD/H Telenet Directory from the
LOD/H Technical Journal #4 or 2600 Magazine.  Jester Sluggo also put out a good
list of non-US addresses in Phrack Inc. Newsletter Issue 21.  These files will
tell you the NUA, whether it will accept collect calls or not, what type of
computer system it is (if known) and who it belongs to (also if known.)
   The second method of locating interesting addresses is to scan for them
manually.  On Telenet, you do not have to enter the 03110 DNIC to connect to a
Telenet host.  So if you saw that 031104120006140 had a VAX on it you wanted to
look at, you could type @c 412 614 (0's can be ignored most of the time.)
   If this node allows collect billed connections, it will say 412 614
CONNECTED and then you'll possibly get an identifying header or just a
Username: prompt.  If it doesn't allow collect connections, it will give you a
message such as 412 614 REFUSED COLLECT CONNECTION with some error codes out to
the right, and return you to the @ prompt.
   There are two primary ways to get around the REFUSED COLLECT message.  The
first is to use a Network User Id (NUI) to connect.  An NUI is a username/pw
combination that acts like a charge account on Telenet.  To collect to node
412 614 with NUI junk4248, password 525332, I'd type the following:
@c 412 614,junk4248,525332  <---- the 525332 will *not* be echoed to the
screen.  The problem with NUI's is that they're hard to come by unless you're
a good social engineer with a thorough knowledge of Telenet (in which case
you probably aren't reading this section), or you have someone who can
provide you with them.
   The second way to connect is to use a private PAD, either through an X.25
PAD or through something like Netlink off of a Prime computer (more on these
two below.)
   The prefix in a Telenet NUA oftentimes (not always) refers to the phone Area
Code that the computer is located in (i.e. 713 xxx would be a computer in
Houston, Texas.)  If there's a particular area you're interested in, (say,
New York City 914), you could begin by typing @c 914 001 <cr>.  If it connects,
you make a note of it and go on to 914 002.  You do this until you've found
some interesting systems to play with.
   Not all systems are on a simple xxx yyy address.  Some go out to four or
five digits (914 2354), and some have decimal or numeric extensions
(422 121A = 422 121.01).  You have to play with them, and you never know what
you're going to find.  To fully scan out a prefix would take ten million
attempts per prefix.  For example, if I want to scan 512 completely, I'd have
to start with 512 00000.00 and go through 512 00000.99, then increment the
address by 1 and try 512 00001.00 through 512 00001.99.  A lot of scanning.
There are plenty of neat computers to play with in a 3-digit scan, however,
so don't go berserk with the extensions.
   Sometimes you'll attempt to connect and it will just be sitting there after
one or two minutes.  In this case, you want to abort the connect attempt by
sending a hard break (this varies with different term programs, on Procomm,
it's ALT-B), and then when you get the @ prompt back, type 'D' for disconnect.
   If you connect to a computer and wish to disconnect, you can type <cr> @
<cr> and you it should say TELENET and then give you the @ prompt.  From there,
type D to disconnect or CONT to re-connect and continue your session
uninterrupted.

Outdials, Network Servers, and PADs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   In addition to computers, an NUA may connect you to several other things.
One of the most useful is the outdial.  An outdial is nothing more than a modem
you can get to over telenet- similar to the PC Pursuit concept, except that
these don't have passwords on them most of the time.
   When you connect, you will get a message like 'Hayes 1200 baud outdial,
Detroit, MI', or 'VEN-TEL 212 Modem', or possibly 'Session 1234 established
on Modem 5588'.  The best way to figure out the commands on these is to
type ? or H or HELP- this will get you all the information that you need to
use one.
   Safety tip here- when you are hacking *any* system through a phone dialup,
always use an outdial or a diverter, especially if it is a local phone number
to you.  More people get popped hacking on local computers than you can
imagine, Intra-LATA calls are the easiest things in the world to trace inexp-
ensively.
   Another nice trick you can do with an outdial is use the redial or macro
function that many of them have.  First thing you do when you connect is to
invoke the 'Redial Last Number' facility.  This will dial the last number used,
which will be the one the person using it before you typed.  Write down the
number, as no one would be calling a number without a computer on it.  This
is a good way to find new systems to hack.  Also, on a VENTEL modem, type 'D'
for Display and it will display the five numbers stored as macros in the
modem's memory.
   There are also different types of servers for remote Local Area Networks
(LAN) that have many machine all over the office or the nation connected to
them.  I'll discuss identifying these later in the computer ID section.
   And finally, you may connect to something that says 'X.25 Communication
PAD' and then some more stuff, followed by a new @ prompt.  This is a PAD
just like the one you are on, except that all attempted connections are billed
to the PAD, allowing you to connect to those nodes who earlier refused collect
connections.
   This also has the added bonus of confusing where you are connecting from.
When a packet is transmitted from PAD to PAD, it contains a header that has
the location you're calling from.  For instance, when you first connected
to Telenet, it might have said 212 44A CONNECTED if you called from the 212
area code.  This means you were calling PAD number 44A in the 212 area.
That 21244A will be sent out in the header of all packets leaving the PAD.
   Once you connect to a private PAD, however, all the packets going out
from *it* will have it's address on them, not yours.  This can be a valuable
buffer between yourself and detection.

Phone Scanning
~~~~~~~~~~~~~~
   Finally, there's the time-honored method of computer hunting that was made
famous among the non-hacker crowd by that Oh-So-Technically-Accurate movie
Wargames.  You pick a three digit phone prefix in your area and dial every
number from 0000 --> 9999 in that prefix, making a note of all the carriers
you find.  There is software available to do this for nearly every computer
in the world, so you don't have to do it by hand.

Part Three: I've Found a Computer, Now What?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   This next section is applicable universally.  It doesn't matter how you
found this computer, it could be through a network, or it could be from
carrier scanning your High School's phone prefix, you've got this prompt
this prompt, what the hell is it?
   I'm *NOT* going to attempt to tell you what to do once you're inside of
any of these operating systems.  Each one is worth several G-files in its
own right.  I'm going to tell you how to identify and recognize certain
OpSystems, how to approach hacking into them, and how to deal with something
that you've never seen before and have know idea what it is.


VMS-       The VAX computer is made by Digital Equipment Corporation (DEC),
           and runs the VMS (Virtual Memory System) operating system.
           VMS is characterized by the 'Username:' prompt.  It will not tell
           you if you've entered a valid username or not, and will disconnect
           you after three bad login attempts.  It also keeps track of all
           failed login attempts and informs the owner of the account next time
           s/he logs in how many bad login attempts were made on the account.
           It is one of the most secure operating systems around from the
           outside, but once you're in there are many things that you can do
           to circumvent system security.  The VAX also has the best set of
           help files in the world.  Just type HELP and read to your heart's
           content.
           Common Accounts/Defaults:  [username: password [[,password]] ]
           SYSTEM:     OPERATOR or MANAGER or SYSTEM or SYSLIB
           OPERATOR:   OPERATOR
           SYSTEST:    UETP
           SYSMAINT:   SYSMAINT or SERVICE or DIGITAL
           FIELD:      FIELD or SERVICE
           GUEST:      GUEST or unpassworded
           DEMO:       DEMO  or unpassworded
           DECNET:     DECNET


DEC-10-    An earlier line of DEC computer equipment, running the TOPS-10
           operating system.  These machines are recognized by their
           '.' prompt.  The DEC-10/20 series are remarkably hacker-friendly,
           allowing you to enter several important commands without ever
           logging into the system.  Accounts are in the format [xxx,yyy] where
           xxx and yyy are integers.  You can get a listing of the accounts and
           the process names of everyone on the system before logging in with
           the command .systat (for SYstem STATus).  If you seen an account
           that reads [234,1001]   BOB JONES, it might be wise to try BOB or
           JONES or both for a password on this account.  To login, you type
           .login xxx,yyy  and then type the password when prompted for it.
           The system will allow you unlimited tries at an account, and does
           not keep records of bad login attempts.  It will also inform you
           if the UIC you're trying (UIC = User Identification Code, 1,2 for
           example) is bad.
           Common Accounts/Defaults:
           1,2:        SYSLIB or OPERATOR or MANAGER
           2,7:        MAINTAIN
           5,30:       GAMES

UNIX-      There are dozens of different machines out there that run UNIX.
           While some might argue it isn't the best operating system in the
           world, it is certainly the most widely used.  A UNIX system will
           usually have a prompt like 'login:' in lower case.  UNIX also
           will give you unlimited shots at logging in (in most cases), and
           there is usually no log kept of bad attempts.
           Common Accounts/Defaults: (note that some systems are case
           sensitive, so use lower case as a general rule.  Also, many times
           the accounts will be unpassworded, you'll just drop right in!)
           root:       root
           admin:      admin
           sysadmin:   sysadmin or admin
           unix:       unix
           uucp:       uucp
           rje:        rje
           guest:      guest
           demo:       demo
           daemon:     daemon
           sysbin:     sysbin

Prime-     Prime computer company's mainframe running the Primos operating
           system.  The are easy to spot, as the greet you with
           'Primecon 18.23.05' or the like, depending on the version of the
           operating system you run into.  There will usually be no prompt
           offered, it will just look like it's sitting there.  At this point,
           type 'login <username>'.  If it is a pre-18.00.00 version of Primos,
           you can hit a bunch of ^C's for the password and you'll drop in.
           Unfortunately, most people are running versions 19+.  Primos also
           comes with a good set of help files.  One of the most useful
           features of a Prime on Telenet is a facility called NETLINK.  Once
           you're inside, type NETLINK and follow the help files.  This allows
           you to connect to NUA's all over the world using the 'nc' command.
           For example, to connect to NUA 026245890040004, you would type
           @nc :26245890040004 at the netlink prompt.
           Common Accounts/Defaults:
           PRIME       PRIME or PRIMOS
           PRIMOS_CS   PRIME or PRIMOS
           PRIMENET    PRIMENET
           SYSTEM      SYSTEM or PRIME
           NETLINK     NETLINK
           TEST        TEST
           GUEST       GUEST
           GUEST1      GUEST

HP-x000-   This system is made by Hewlett-Packard.  It is characterized by the
           ':' prompt.  The HP has one of the more complicated login sequences
           around- you type 'HELLO SESSION NAME,USERNAME,ACCOUNTNAME,GROUP'.
           Fortunately, some of these fields can be left blank in many cases.
           Since any and all of these fields can be passworded, this is not
           the easiest system to get into, except for the fact that there are
           usually some unpassworded accounts around.  In general, if the
           defaults don't work, you'll have to brute force it using the
           common password list (see below.)  The HP-x000 runs the MPE operat-
           ing system, the prompt for it will be a ':', just like the logon
           prompt.
           Common Accounts/Defaults:
           MGR.TELESUP,PUB                      User: MGR Acct: HPONLY Grp: PUB
           MGR.HPOFFICE,PUB                     unpassworded
           MANAGER.ITF3000,PUB                  unpassworded
           FIELD.SUPPORT,PUB                    user: FLD,  others unpassworded
           MAIL.TELESUP,PUB                     user: MAIL, others
                                                unpassworded
           MGR.RJE                              unpassworded
           FIELD.HPPl89 ,HPPl87,HPPl89,HPPl96   unpassworded
           MGR.TELESUP,PUB,HPONLY,HP3           unpassworded


IRIS-      IRIS stands for Interactive Real Time Information System.  It orig-
           inally ran on PDP-11's, but now runs on many other minis.  You can
           spot an IRIS by the 'Welcome to "IRIS" R9.1.4 Timesharing' banner,
           and the ACCOUNT ID? prompt.  IRIS allows unlimited tries at hacking
           in, and keeps no logs of bad attempts.  I don't know any default
           passwords, so just try the common ones from the password database
           below.
           Common Accounts:
           MANAGER
           BOSS
           SOFTWARE
           DEMO
           PDP8
           PDP11
           ACCOUNTING

VM/CMS-    The VM/CMS operating system runs in International Business Machines
           (IBM) mainframes.  When you connect to one of these, you will get
           message similar to 'VM/370 ONLINE', and then give you a '.' prompt,
           just like TOPS-10 does.  To login, you type 'LOGON <username>'.
           Common Accounts/Defaults are:
           AUTOLOG1:            AUTOLOG or AUTOLOG1
           CMS:                 CMS
           CMSBATCH:            CMS or CMSBATCH
           EREP:                EREP
           MAINT:               MAINT or MAINTAIN
           OPERATNS:            OPERATNS or OPERATOR
           OPERATOR:            OPERATOR
           RSCS:                RSCS
           SMART:               SMART
           SNA:                 SNA
           VMTEST:              VMTEST
           VMUTIL:              VMUTIL
           VTAM:                VTAM

NOS-       NOS stands for Networking Operating System, and runs on the Cyber
           computer made by Control Data Corporation.  NOS identifies itself
           quite readily, with a banner of 'WELCOME TO THE NOS SOFTWARE
           SYSTEM.  COPYRIGHT CONTROL DATA 1978,1987'.  The first prompt you
           will get will be FAMILY:.  Just hit return here.  Then you'll get
           a USER NAME: prompt.  Usernames are typically 7 alpha-numerics
           characters long, and are *extremely* site dependent. Operator
           accounts begin with a digit, such as 7ETPDOC.
           Common Accounts/Defaults:
           $SYSTEM              unknown
           SYSTEMV              unknown

Decserver- This is not truly a computer system, but is a network server that
           has many different machines available from it.  A Decserver will
           say 'Enter Username>' when you first connect.  This can be anything,
           it doesn't matter, it's just an identifier.  Type 'c', as this is
           the least conspicuous thing to enter.  It will then present you
           with a 'Local>' prompt.  From here, you type 'c <systemname>' to
           connect to a system.  To get a list of system names, type
           'sh services' or 'sh nodes'.  If you have any problems, online
           help is available with the 'help' command.  Be sure and look for
           services named 'MODEM' or 'DIAL' or something similar, these are
           often outdial modems and can be useful!

GS/1-      Another type of network server.  Unlike a Decserver, you can't
           predict what prompt a GS/1 gateway is going to give you.  The
           default prompt it 'GS/1>', but this is redifinable by the
           system administrator.  To test for a GS/1, do a 'sh d'.  If that
           prints out a large list of defaults (terminal speed, prompt,
           parity, etc...), you are on a GS/1.  You connect in the same manner
           as a Decserver, typing 'c <systemname>'.  To find out what systems
           are available, do a 'sh n' or a 'sh c'.  Another trick is to do a
           'sh m', which will sometimes show you a list of macros for logging
           onto a system.  If there is a macro named VAX, for instance, type
           'do VAX'.

           The above are the main system types in use today.  There are
           hundreds of minor variants on the above, but this should be
           enough to get you started.
        
Unresponsive Systems
~~~~~~~~~~~~~~~~~~~~
   Occasionally you will connect to a system that will do nothing but sit
there.  This is a frustrating feeling, but a methodical approach to the system
will yield a response if you take your time.  The following list will usually
make *something* happen.
1)  Change your parity, data length, and stop bits.  A system that won't re-
    spond at 8N1 may react at 7E1 or 8E2 or 7S2.  If you don't have a term
    program that will let you set parity to EVEN, ODD, SPACE, MARK, and NONE,
    with data length of 7 or 8, and 1 or 2 stop bits, go out and buy one.
    While having a good term program isn't absolutely necessary, it sure is
    helpful.
2)  Change baud rates.  Again, if your term program will let you choose odd
    baud rates such as 600 or 1100, you will occasionally be able to penetrate
    some very interesting systems, as most systems that depend on a strange
    baud rate seem to think that this is all the security they need...
3)  Send a series of <cr>'s.
4)  Send a hard break followed by a <cr>.
5)  Type a series of .'s (periods).  The Canadian network Datapac responds
    to this.
6)  If you're getting garbage, hit an 'i'.  Tymnet responds to this, as does
    a MultiLink II.
7)  Begin sending control characters, starting with ^A --> ^Z.
8)  Change terminal emulations.  What your vt100 emulation thinks is garbage
    may all of a sudden become crystal clear using ADM-5 emulation.  This also
    relates to how good your term program is.
9)  Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, LOGON, GO,
    JOIN, HELP, and anything else you can think of.
10) If it's a dialin, call the numbers around it and see if a company
    answers.  If they do, try some social engineering.

Brute Force Hacking
~~~~~~~~~~~~~~~~~~~
   There will also be many occasions when the default passwords will not work
on an account.  At this point, you can either go onto the next system on your
list, or you can try to 'brute-force' your way in by trying a large database
of passwords on that one account.  Be careful, though!  This works fine on
systems that don't keep track of invalid logins, but on a system like a VMS,
someone is going to have a heart attack if they come back and see '600 Bad
Login Attempts Since Last Session' on their account.  There are also some
operating systems that disconnect after 'x' number of invalid login attempts
and refuse to allow any more attempts for one hour, or ten minutes, or some-
times until the next day.
   The following list is taken from my own password database plus the data-
base of passwords that was used in the Internet UNIX Worm that was running
around in November of 1988.  For a shorter group, try first names, computer
terms, and obvious things like 'secret', 'password', 'open', and the name
of the account.  Also try the name of the company that owns the computer
system (if known), the company initials, and things relating to the products
the company makes or deals with.

                              Password List
                              =============

      aaa                daniel             jester             rascal
      academia           danny              johnny             really
      ada                dave               joseph             rebecca
      adrian             deb                joshua             remote
      aerobics           debbie             judith             rick
      airplane           deborah            juggle             reagan
      albany             december           julia              robot
      albatross          desperate          kathleen           robotics
      albert             develop            kermit             rolex
      alex               diet               kernel             ronald
      alexander          digital            knight             rosebud
      algebra            discovery          lambda             rosemary
      alias              disney             larry              roses
      alpha              dog                lazarus            ruben
      alphabet           drought            lee                rules
      ama                duncan             leroy              ruth
      amy                easy               lewis              sal
      analog             eatme              light              saxon
      anchor             edges              lisa               scheme
      andy               edwin              louis              scott
      andrea             egghead            lynne              scotty
      animal             eileen             mac                secret
      answer             einstein           macintosh          sensor
      anything           elephant           mack               serenity
      arrow              elizabeth          maggot             sex
      arthur             ellen              magic              shark
      asshole            emerald            malcolm            sharon
      athena             engine             mark               shit
      atmosphere         engineer           markus             shiva
      bacchus            enterprise         marty              shuttle
      badass             enzyme             marvin             simon
      bailey             euclid             master             simple
      banana             evelyn             maurice            singer
      bandit             extension          merlin             single
      banks              fairway            mets               smile
      bass               felicia            michael            smiles
      batman             fender             michelle           smooch
      beauty             fermat             mike               smother
      beaver             finite             minimum            snatch
      beethoven          flower             minsky             snoopy
      beloved            foolproof          mogul              soap
      benz               football           moose              socrates
      beowulf            format             mozart             spit
      berkeley           forsythe           nancy              spring
      berlin             fourier            napoleon           subway
      beta               fred               network            success
      beverly            friend             newton             summer
      bob                frighten           next               super
      brenda             fun                olivia             support
      brian              gabriel            oracle             surfer
      bridget            garfield           orca               suzanne
      broadway           gauss              orwell             tangerine
      bumbling           george             osiris             tape
      cardinal           gertrude           outlaw             target
      carmen             gibson             oxford             taylor
      carolina           ginger             pacific            telephone
      caroline           gnu                painless           temptation
      castle             golf               pam                tiger
      cat                golfer             paper              toggle
      celtics            gorgeous           password           tomato
      change             graham             pat                toyota
      charles            gryphon            patricia           trivial
      charming           guest              penguin            unhappy
      charon             guitar             pete               unicorn
      chester            hacker             peter              unknown
      cigar              harmony            philip             urchin
      classic            harold             phoenix            utility
      coffee             harvey             pierre             vicky
      coke               heinlein           pizza              virginia
      collins            hello              plover             warren
      comrade            help               polynomial         water
      computer           herbert            praise             weenie
      condo              honey              prelude            whatnot
      condom             horse              prince             whitney
      cookie             imperial           protect            will
      cooper             include            pumpkin            william
      create             ingres             puppet             willie
      creation           innocuous          rabbit             winston
      creator            irishman           rachmaninoff       wizard
      cretin             isis               rainbow            wombat
      daemon             japan              raindrop           yosemite
      dancer             jessica            random             zap


Part Four: Wrapping it up!
~~~~~~~~~~~~~~~~~~~~~~~~~~
   I hope this file has been of some help in getting started.  If you're
asking yourself the question 'Why hack?', then you've probably wasted a lot
of time reading this, as you'll never understand.  For those of you who
have read this and found it useful, please send a tax-deductible donation
of $5.00 (or more!) in the name of the Legion of Doom to:
                                       The American Cancer Society
                                       90 Park Avenue
                                       New York, NY  10016


******************************************************************************
References:
1) Introduction to ItaPAC by Blade Runner
   Telecom Security Bulletin #1
2) The IBM VM/CMS Operating System by Lex Luthor
   The LOD/H Technical Journal #2
3) Hacking the IRIS Operating System by The Leftist
   The LOD/H Technical Journal #3
4) Hacking CDC's Cyber by Phrozen Ghost
   Phrack Inc. Newsletter #18
5) USENET comp.risks digest (various authors, various issues)
6) USENET unix.wizards forum (various authors)
7) USENET info-vax forum (various authors)

Recommended Reading:
1) Hackers by Steven Levy
2) Out of the Inner Circle by Bill Landreth
3) Turing's Man by J. David Bolter
4) Soul of a New Machine by Tracy Kidder
5) Neuromancer, Count Zero, Mona Lisa Overdrive, and Burning Chrome, all
   by William Gibson
6) Reality Hackers Magazine c/o High Frontiers, P.O. Box 40271, Berkeley,
   California, 94704, 415-995-2606
7) Any of the Phrack Inc. Newsletters & LOD/H Technical Journals you can find.

Acknowledgements:
   Thanks to my wife for putting up with me.
   Thanks to Lone Wolf for the RSTS & TOPS assistance.
   Thanks to Android Pope for proofreading, suggestions, and beer.
   Thanks to The Urvile/Necron 99 for proofreading & Cyber info.
   Thanks to Eric Bloodaxe for wading through all the trash.
   Thanks to the users of Phoenix Project for their contributions.
   Thanks to Altos Computer Systems, Munich, for the chat system.
   Thanks to the various security personel who were willing to talk to
             me about how they operate.