Docs for the Password Penetrator Program

------------------------------------
a first novel by AUTOMAN
------------------------------------

I HIGHLY RECOMMEND THAT YOU USE YOUR PRINTER ON THIS MEGADOC.

I. Explanation and Introduction
--------------------------------

The Password Penetrator Program (PPP) employs the Database Hack technique for password acquisition: it selects and tries passwords from a list of commonly or probably used passwords. This is the most feasible technique for password hacking from a microcomputer, since sequential or random password hacking techniques would take decades (or centuries, or eons) at even 1200 baud.
This program preys upon the common weakness of human/machine system relationships - the people. Mainframe system programmers face a dilemma in password protection systems. If random passwords are assigned to the users by the system (making it virtually unhackable by the Database technique), the users will inevitably write down their hieroglyphic password, making it vulnerable to casual glances. Hence, this technique is seldom implemented. Another option (the most widely used) is to allow the user to select his/her own password in the hope of avoiding the password-sticker-on-the-monitor syndrome. The users, feeble-memoried humans that they are, will often select passwords that they can easily remember. Ah HA!! A weakness!

The Password Penetrator allows you to create a database of such commonly used passwords for automated educated guessing. Such passwords often consist of words such as "secret", "love", or "password"; single letters; first names; or initials. All of these are easily supported by the Penetrator. Included with the Penetrator are expandable databases of first names, initials, common account names, and all-purpose passwords. Eventually new password allocation systems will be created, such as passphrases and pseudo-random phonetic passwords. Under the passphrase system, human stupidity will remain in existence, and the Penetrator will still be useful.

II. Main Menu Options
----------------------

Here are the explanations of each option on the main menu:

1: LOAD MAINFRAME DATA FILE

This allows you to load a pre-saved data file containing all the modem/hack parameters for a specific mainframe. It contains the Dialogue, which will be explained later. Values loaded from this file will replace the defaults at the various prompts. Note: the password database itself is *NOT* saved in the mainframe data file. The database *NAME*, however, along with the number of the last password used in that database, is saved in the Mainframe Data File.
You are first prompted to select the disk drive from which the file will be loaded, and then to enter the filename. You can press [ESC] to exit the option. Sample Mainframe Data Files included on the Hackamatic disk are "DEC20", "PDP11", and "DATA GENERAL".

2: SAVE MAINFRAME DATA FILE

This allows you to save a mainframe data file (as you might have guessed).

3: LOAD PASSWORD DATABASE

This option loads a password database into memory for use by the Penetrator in hacking. The Password Databases supplied on the Hackamatic disk are called "ALL PURPOSE P/W'S", "FIRST NAMES", "INITIALS1", and "INITIALS2".

4: SAVE PASSWORD DATABASE

Allows you to save your own databases, or save changes to previously created password files.

5: EDIT DIALOGUE

The Dialogue is the conversation (so to speak) carried on between the PPP and the mainframe victim...I mean mainframe system...during password hacking. The Dialogue Editor allows you to enter and edit up to 30 lines of dialogue - more than enough for any system. To get a first feel for it, use the LOAD MAINFRAME DATA FILE option to load the Data General file from the Hackamatic disk, then use the EDIT DIALOGUE option to have a look at it.

The screen displays a sequence of lines representing the system's prompts and the PPP's responses. The PPP shows a control character in a dialogue line as a single on-screen character; in this document they are written out as <ESC>, <CR> and <ctrl-P>. A typical dialogue might look like this:

0 - PPP:[CONNECT TO MAINFRAME SYSTEM]
1 - SYS:<ESC>
2 - PPP:<CR>
3 - SYS:ENTER USERNAME:
4 - PPP:I.M. HACKED
5 - SYS:ENTER PASSWORD:
6 - PPP:<ctrl-P>

A manual hack attempt done for this system without the PPP would look like this:

ATDT XXX-YYYY
CONNECT

Enter Username: I.M. HACKED
Enter Password: THE
Nice try suckweed
Enter Username: I.M. HACKED
Enter Password: BUG
Nice try suckweed
Enter Username: I.M. HACKED
Enter Password: STOPS
Nice try suckweed
Enter Username: I.M. HACKED
Enter Password: HERE
Sorry suckweed, 4 strikes and you're more than out.
Goodbye...
Disconnecting...
)(*_~~_~~@!
CARRIER LOST

(Notice: this system and its outputs are purely fictitious. Any resemblance to systems living or hacked is purely coincidental.)

Now look at the sample dialogue above. ("Scrolled into the Twilight Zone" you say? Should have used your printer.) Line 0 represents the PPP dialing and connecting to the victim (I mean system). Line 1 indicates that the PPP ignores the system (SYS) immediately after connect and proceeds to line 2, where the PPP sends a carriage return to activate the SYStem (hence the <CR> for Carriage Return at line 2). At line 3, the PPP waits for the system (SYS) to send "ENTER USERNAME:", at which point the PPP sends "I.M. HACKED", the name of our poor unsuspecting user (line 4). The PPP then waits to receive "ENTER PASSWORD:" from the SYS (line 5), after which the PPP tries a password from the database in memory (line 6). (The <ctrl-P> at line 6 stands for Password, as you might have guessed.)

From this example you should see the correlation between the dialogue and the sample hack attempt. You might want to think of the SYS and PPP lines as INPUT and OUTPUT, respectively. If your computer displays lower case then you should have noticed that all Dialogue entries were in upper case, even though the hacked system's messages contained lower case letters. The Penetrator ignores case on incoming data, so all dialogue info is stored as upper case. The dialogue editor is simple yet versatile, and can be used to create a dialogue sequence for virtually any system.

DIALOGUE EDITOR COMMANDS:

Use the arrow keys to move the lightbar through the dialogue.
Press [I] to input new lines in PPP/SYS pairs.
Press [D] to delete lines in PPP/SYS pairs.
Press [C] to clear the dialogue in memory.
Press [F] when finished editing the Dialogue to specify other hack parameters.
Press [ESC] to exit the Dialogue Editor.
Press [E] to edit the dialogue line highlighted in the lightbar. During editing, any embedded control characters (including ctrl-P's and ESCape characters) will be displayed in the line.

While editing a line you can:

Enter [ESC] as the first character in any dialogue line to instruct the program to ignore that line and move immediately to the next.

Enter ctrl-P as the first character in a PPP (not SYS) dialogue line to specify the location of the password from the database. The Penetrator displays the ctrl-P in the dialogue listing as a single character, just as it displays an ESCape character as one. NOTE: The ctrl-P and ESC characters must be entered as the >FIRST< characters on a Dialogue line in order for them to function as password and ignore flags, respectively. If either a ctrl-P or an ESCape is entered in a dialogue line beyond the first position, it will be taken literally by the Penetrator.

Enter a semicolon [;] as the last character in a PPP (output) dialogue line to suppress the implied carriage return at the end of the line, just as in BASIC when using the PRINT command. If the last character in a PPP line is not a semicolon, the program automatically adds a carriage return after sending the line.

IMPORTANT! You should enter all dialogue UP TO THE POINT at which the PPP should wait for the message sent by the system in response to an incorrect password. DO NOT ENTER THE SYSTEM'S BAD PASSWORD MESSAGE IN THE DIALOGUE! You will enter it after typing the [F]inished command.

After you have finished creating your dialogue, you *MUST* exit using the [F]inished command. You will then be asked to enter a series of other hack parameters. Immediately after you type [F], the Penetrator will ask "MAINFRAME RESPONSE TO INVALID PASSWORD". Here, enter the text (or part of it) displayed by the mainframe after it receives a bad password. For the sample system above, you would enter "NICE TRY SUCKWEED" or "NICE TRY" or "SUCKWEED", or something else from the bad password message.

The Penetrator's next question is "BRANCH ON BAD PW TO LINE:". Immediately after the prompt, the current bad password branch line is displayed in parentheses. Use the arrow keys to move the lightbar to the line to which the PPP should branch after receiving the bad password message entered just previously. For the sample system above, you would move the cursor to line 3, where the Penetrator waits for the SYS to display "ENTER USERNAME:", since the system drops back to this prompt after displaying "NICE TRY SUCKWEED."

Next Penetrating question... "# OF PW ATTEMPTS BEFORE RESET?" Here you enter the number of passwords the Penetrator should attempt before bagging it, or resetting. Many mainframe systems, like the sample system above, let you screw up the password a fixed number of times, after which they hang you up or shut down. For the sample system above, you would enter "4", since the system hangs up after 4 botched passwords.

Moving right along..."DELAY BEFORE RESET <0-255 SEC.>: ". Some systems, rather than hanging up after a number of password screwups, lock up and ignore input for a period of time. An example is some Data General systems, which say "TOO MANY ATTEMPTS, CONSOLE LOCKING FOR 10 SECONDS." For such a system, you would enter 10 at the prompt. For the sample system above, you would enter 0, since the system hangs up and the PPP will have to redial anyway.

WAKE UP! YOU AREN'T READING THIS FOR YOUR HEALTH. The next prompt is: "RESET TO LINE: ". As with the "BRANCH ON BAD PW TO LINE" prompt, you use the arrow keys to move the lightbar to the line to which the PPP should branch after trying the specified number of passwords and waiting the specified time before reset. For the sample system above, you would move the lightbar to line 0, to make the PPP redial the mainframe system. Some other systems, like the type of Data General mainframe described above, do not require redialing. They will often just revert back to their initial activation sequence, in which case the reset line in the dialogue would not be line 0.

Once you have selected the reset line, the PPP displays "MAINFRAME RESPONSE TO INVALID PASSWORD ON LAST ATTEMPT BEFORE RESET." On many mainframe systems, the mainframe's response to the final bad password before reset will be the same as for any bad password. On some systems, however, like the imaginary one described above, the response to the final bad password before reset will differ. For the sample system above, you would enter "SORRY SUCKWEED", "GOODBYE", "DISCONNECTING" or something else from the mainframe's final message before reset.

Next prompt: "TIME TO WAIT FOR BAD PW MESSAGE: (TIMES APPROXIMATELY 5 SECONDS) ". After the Penetrator finishes with the dialogue, it waits to receive the bad password message you entered. If that message is not received in the amount of time you specify at this prompt, the Penetrator assumes it is a good password. At this prompt, enter a value which will produce a delay sufficiently long to receive the bad password message. The actual amount of time delayed by the PPP will be roughly (in seconds) 5 times the number you enter here. Err on the long side: a wait that is too short turns every slow or garbled response into a false "possible success", while one that is too long only costs time on each guess.

The PPP will then ask you "OUTPUT SPEED <0-255>: ". Since some systems cannot receive data from the PPP at full speed, especially during times of heavy use, the speed at which the Penetrator sends data to the victim (I mean system) can be varied. Enter a value between 0 and 255, with 255 being the fastest.

The next option is "CASE TOGGLE ON PASSWORDS? ". If you answer [Y], the PPP will automatically resend every password in lower case. Normally, the PPP uses only upper case in passwords, since many mainframe systems are case-insensitive on passwords.

Go ahead and sleep; this is the last one anyway: "START AT PASSWORD # ". Here you enter the number of the password in the database at which the PPP will start hacking. This is especially useful if you know either the first or last name of the user whose account you are hacking, and would like to try hacking his initials from the INITIALS password databases (supplied on the Hackamatic disk). If you stopped the PPP on a previous hack before it had reached the end of the password database, the number of the next password in the list will be the default.
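The dialogue plus the hack parameters above amount to a small expect/send state machine: wait for a prompt, send a line, judge each guess by whether the bad-password message shows up within the wait, branch or reset, redial. What follows is an added example and not the PPP's own code (which was an Apple II program): the same machine in Python, run against a constructed fake of the fictitious "Nice try suckweed" system. The fake mainframe, its messages, the password list and the names FakeMainframe, HackParams, expect and hack are all assumptions of this example. It also shows what the tactics in section III guard against: the fake can drop the first character of every message, as a noisy line would, and a dialogue that matches on the full "NICE TRY" then reports the very first guess as a possible success.

```python
"""Added example, not the PPP's own code: a minimal expect/send dialogue engine
of the kind the docs describe, run against a constructed fake of the fictitious
"Nice try suckweed" sample system."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PW_FLAG = "\x10"   # ctrl-P as first character: substitute the current password
IGNORE = "\x1b"    # ESC as first character: skip this dialogue line


class FakeMainframe:
    """Constructed sample system: silent until it gets a CR, hangs up after `strikes`
    bad passwords.  drop_first=True loses the first character of every message."""
    def __init__(self, user: str, password: str, strikes: int = 4, drop_first: bool = False):
        self.user, self.password, self.strikes, self.drop_first = user, password, strikes, drop_first
        self.connected, self.connects, self.state, self.fails = False, 0, "idle", 0
        self.tried_user, self.buf = "", ""

    def _emit(self, msg: str) -> None:
        self.buf += msg[1:] if self.drop_first else msg

    def connect(self) -> None:
        self.connected, self.connects = True, self.connects + 1
        self.state, self.fails, self.buf = "idle", 0, ""

    def send(self, text: str) -> None:
        line = text.rstrip("\r")
        if not self.connected or self.state == "shell":
            return
        if self.state == "idle":                    # any CR wakes the system up
            self.state = "user"
            self._emit("Enter Username: ")
        elif self.state == "user":
            self.tried_user, self.state = line, "pass"
            self._emit("Enter Password: ")
        elif (self.tried_user, line) == (self.user, self.password):
            self.state = "shell"
            self._emit("Welcome, have a nice day.\r\n$ ")
        else:
            self.fails += 1
            if self.fails >= self.strikes:
                self._emit("Sorry suckweed, 4 strikes and you're more than out. Goodbye...\r\n")
                self.connected = False
            else:
                self.state = "user"
                self._emit("Nice try suckweed\r\nEnter Username: ")


@dataclass
class HackParams:
    dialogue: List[str]         # line 0 = connect; odd lines = SYS (expect), even = PPP (send)
    bad_pw: str                 # MAINFRAME RESPONSE TO INVALID PASSWORD
    bad_pw_branch: int          # BRANCH ON BAD PW TO LINE
    attempts_before_reset: int  # # OF PW ATTEMPTS BEFORE RESET
    reset_line: int             # RESET TO LINE
    last_bad_pw: str            # RESPONSE TO INVALID PASSWORD ON LAST ATTEMPT BEFORE RESET


def expect(mf: FakeMainframe, text: str) -> bool:
    """Case-insensitive search of the receive buffer; consumes through the match."""
    i = mf.buf.upper().find(text.upper())
    if i < 0:
        return False
    mf.buf = mf.buf[i + len(text):]
    return True


def hack(p: HackParams, passwords: List[str], mf: FakeMainframe) -> Tuple[Optional[str], int]:
    """(password, attempts) when no bad-pw message follows a guess, else (None, attempts)."""
    pc = idx = tries = attempts = 0
    while idx < len(passwords):
        line = p.dialogue[pc]
        skip = line.startswith(IGNORE)              # ESC-first lines are ignored
        if pc == 0:
            mf.connect()
        elif pc % 2 == 1 and not skip:              # SYS line: wait for the system
            if not expect(mf, line):
                raise RuntimeError(f"dialogue stalled at line {pc} waiting for {line!r}")
        elif not skip:                              # PPP line: send to the system
            text = passwords[idx] + line[1:] if line.startswith(PW_FLAG) else line
            mf.send(text[:-1] if text.endswith(";") else text + "\r")   # ';' suppresses the CR
        pc += 1
        if pc < len(p.dialogue):
            continue
        attempts, tries = attempts + 1, tries + 1   # end of dialogue: judge this guess
        last = tries >= p.attempts_before_reset
        if not expect(mf, p.last_bad_pw if last else p.bad_pw):
            return passwords[idx], attempts         # no bad-pw message in the wait: flag it
        idx += 1
        if last:                                    # a real run sleeps DELAY BEFORE RESET here
            tries, pc = 0, p.reset_line
        else:
            pc = p.bad_pw_branch
    return None, attempts


# Constructed sample data: the docs' dialogue with the control characters spelled out,
# the same dialogue written as section III advises (match a few characters into each
# message), and a variant of the latter that keeps the full "NICE TRY" marker.
SAMPLE = HackParams(["[CONNECT TO MAINFRAME SYSTEM]", IGNORE, "", "ENTER USERNAME:",
                     "I.M. HACKED", "ENTER PASSWORD:", PW_FLAG], "NICE TRY", 3, 4, 0, "GOODBYE")
ROBUST = HackParams(SAMPLE.dialogue[:3] + ["USERNAME:", "I.M. HACKED", "PASSWORD:", PW_FLAG],
                    "SUCKWEED", 3, 4, 0, "GOODBYE")
FRAGILE = HackParams(ROBUST.dialogue, "NICE TRY", 3, 4, 0, "GOODBYE")
PASSWORDS = ["THE", "BUG", "STOPS", "HERE", "SECRET", "LOVE", "PASSWORD"]
```

hack(SAMPLE, PASSWORDS, FakeMainframe("I.M. HACKED", "LOVE")) returns ("LOVE", 6): four strikes, one redial, then the sixth guess draws no bad-password message. With drop_first=True, hack(ROBUST, ...) still returns ("LOVE", 6), but hack(FRAGILE, ...) returns ("THE", 1), a false positive, because "ICE TRY SUCKWEED" never contains "NICE TRY". The wait time and the marker text decide what the tool reports, not just the password list.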
If you are using a previously created dialogue and accompanying set of hack parameters, then you do not need to use the [F] command and go through all of its options unless you plan to change them. Once you have completed these options, it is safe to hit [ESC] to exit the dialogue editor, rather than typing [F].

Finally. Now back to the main menu options...(there are others, you know).

6: EDIT PASSWORD DATABASE

The Password Database Editor is essentially the same as the Dialogue Editor, but there are a few minor differences. It allows you to enter and edit a database of up to 500 passwords.

PASSWORD DATABASE EDITOR COMMANDS:

Use the arrow keys to move one password at a time through the list.
Use the < and > keys (unshifted) to move ten passwords at a time through the list.
Press [I] to insert a password.
Press [D] to delete the password in the lightbar.
Press [B] to jump to the beginning of the list.
Press [N] to jump to the end of the list.
Press [C] to clear the database in memory.
Press [ESC] to exit the Password Database Editor.
Press [E] to edit the password in the lightbar. Note that in the Password Database Editor all characters placed in passwords are taken literally.
Press [F] to find a password in the list BELOW THE LIGHTBAR. The find command searches only the passwords below the lightbar. This was done to facilitate scanning for repeated passwords. If you wish to search the entire list, use the [B] command to jump to the beginning of the list, then the [F] command to search.

The passwords are stored and hacked in the order in which they are entered. I considered alphabetizing the list, but decided against it so they could be hacked in order of precedence and frequency of use.

7: SET MODEM PARAMETERS

This section is essentially the same as that in the Prefix Prowler and the Code Crusher. There is nothing particularly new or tricky. See the DOC files for the Prowler and the Crusher if you have questions. Don't forget to enter the mainframe fone number before attempting to hack at it.

8: RESTORE DEFAULTS

This option clears the currently loaded Mainframe Data File values and resets to the original defaults. If you have loaded a mainframe data file, you will be prompted before the memory is cleared.

9: TERMINAL MODE

This option puts you into the terminal program from the Super Serial Card firmware. From here you can send commands to your modem, call victim systems to get the dialogue format, etc. To send output to your printer, type ctrl-A and at the "APPLE SSC:" prompt (or "?" if you are using a //c) type nS, where n is the slot of your printer. To set the baud rate, type ctrl-A 6B for 300 baud, or ctrl-A 8B for 1200. Consult your SSC manual for further ctrl-A commands. Type ctrl-A and Q at the SSC prompt to exit terminal mode and return to the main menu. It is advisable to hang up your modem before exiting terminal mode.

10: HACK AT IT

This option frees the Penetrator to do what it does best. It will not work, however, unless you have entered or loaded a dialogue and some passwords. The Hack Screen is similar to those of the Prowler and Crusher. The top window displays commands sent to your modem and the conversation as it occurs between the PPP and the victim (system). When waiting for input from the system being hacked, the Penetrator displays "SYS: " and then displays the characters as they are received from the system (with optional sound effects). The incoming data is displayed in upper case only. From this display you can see exactly what the Penetrator has received, and make corrections to the dialogue if characters are missed during input. Occasionally seemingly strange characters will appear immediately after the "SYS:". These are usually system echoes of the last few letters from the PPP's last output line. The center window displays passwords as they are attempted. A password will flash if the PPP finds it a possible success.
The bottom window displays the runtime commands summarized below.

If, after you select the "HACK AT IT" option, you get:

1. "PASSWORDS AND/OR DIALOGUE NOT ENTERED," it means that you haven't loaded a password database, or that you haven't entered sufficient Dialogue info through either a data file or the keyboard.

2. "STARTING PASSWORD POINTER IS GREATER THAN THE NUMBER OF PASSWORDS IN THE CURRENT DATABASE," it means that the starting password number, entered through the Dialogue Editor, was greater than the number of passwords currently in memory. Fix it by entering the Dialogue Editor, pressing [F] to get the hack parameters in the bottom window, and going through all the options until you reach the "START AT PASSWORD #" prompt. Here you can change the value accordingly.

3. "CURRENTLY LOADED PASSWORD DATABASE DOES NOT MATCH LAST-USED DATABASE. CONTINUE ANYWAY?," it means that the password database in memory does not match the name of the last-used password database which was stored in the Mainframe Data File. If you do not care, type [Y] to continue. NOTE however, that the PPP will start at the password in memory with the same number as the last-used password in the last-used database.

PPP RUNTIME COMMANDS
--------------------

Before the Penetrator starts hacking passwords, it goes through a modem initialization sequence, and sends the necessary dialing commands. During these processes you can press [ESC] to exit and return to the main menu. Once password hacking is in progress, press [ESC] to get the "COMMAND?" prompt (in flashing video at the bottom of the password window). Notice that the PPP will not stop to accept commands until it reaches a convenient stopping place (after it knows whether the password it is currently hacking is good or bad). Be patient, it knows you pressed [ESC]. The PPP will beep when it sends the "COMMAND?" prompt. At the prompt you may enter any of the following characters:

[S]: Toggles the sound effects on incoming data on and off.
[G]: Pops up Hires page 2. Due to the length of the Penetrator, the hires screen will always be filled with trash -- loading a picture before running the PPP won't work. Tell your mommy that it is a school project on randomness and that you are trying to generate simulated static. You will notice small distortions in the image as the program hacks. Point out these glitches to your mommy if she is not convinced. Note that the text screen is restored at the "COMMAND?" prompt if you press [ESC] while in graphics mode.
[T]: Enters terminal mode. This is somewhat dangerous, as it is difficult to get the PPP re-started after exiting terminal mode, and you will probably have to press [RESET] to abort hacking.
[Q]: Quits and saves the Mainframe Data File, if one was used. The Mainframe Data File must be saved if you plan to later start the PPP where it left off.

If the PPP finds a possibly successful password, it will stop and beep the speaker until you press a key. You are then dropped into terminal mode to hack at your leisure. After you exit terminal mode with ctrl-A Q, the PPP will quit and allow you to re-save the Mainframe Data File. You can restart the PPP where it left off, if necessary, with the HACK AT IT option on the main menu.

If the Penetrator stops during hacking because the data it is waiting for has not been received (due to errors in your Dialogue or other unforeseen difficulties), you can enter the awaited messages from the keyboard. The PPP handles input from the keyboard the same as input from the connected mainframe. If you cannot restart the Penetrator by typing data from the keyboard, you can press RESET to return to the main menu. You can then manually save the Mainframe Data File if needed. This RESET option is most useful for aborting a hack to correct problems in your Dialogue entries.

11: ENTER DOS COMMAND

This option allows you to enter any DOS command, especially CATALOGs.

12: QUIT

Funny, I seem to have forgotten what this does.

III. Password Penetration Tactics
----------------------------------

For best results, use sections of the mainframe's responses which begin a few characters into the message in the dialogue editor, to minimize the possibility of lost characters during hacking. In the example system in the Edit Dialogue explanation above, good dialogue representations of the system's "SORRY SUCKWEED" message would be "SUCKWEED" or "WEED". The same applies to the "MAINFRAME RESPONSE TO BAD PASSWORD" inputs. The dialogue line containing the ctrl-P password flag can hold more data (including the semicolon carriage return suppression flag), provided it comes after the ctrl-P.

If you do not know an account or user name, and need one to successfully log on, try using the "ACCOUNT NAMES" password database. Note that this is effective only on (wimp) systems which tell you if your account name is invalid. On not-so-wimpy systems like VAXes, the "FIRST NAMES" password database can be effective. I forgot to mention above that the ctrl-P password flag can be entered more than once in the Dialogue. Suppose you just connected to a Data General system and decided to use the name "John" as both the username and the password. It would look something like this:

(you press RETURN here)
Username: JOHN
Password: JOHN
Invalid Username/Password pair
Username:
.
.
.

The corresponding dialogue could look like this:

0 - PPP:[CONNECT TO MAINFRAME SYSTEM]
1 - SYS:<ESC>
2 - PPP:<CR>
3 - SYS:USERNAME:
4 - PPP:<ctrl-P>
5 - SYS:PASSWORD:
6 - PPP:<ctrl-P>

Thus, if you used the FIRST NAMES password database, the PPP would enter a name from the list as both the Username and the Password. Since many people use their first name as both username and password, this can be particularly effective if you cannot get a valid username used on the system.

The "INITIALS1" and "INITIALS2" files contain all possible combinations of two letters except for those extremely unlikely to be used as initials for normal human beings. They are useful if you have a valid username which consists of either a first or last name. Suppose you knew that "FRED" was a valid account name, but you had not yet found a password. You could then load the "INITIALS1" password database, hop into the Password Database Editor, and find the number of the "FA" password in the list. You could then select that number in response to the "START AT PASSWORD # " prompt in the Dialogue Editor section of the PPP. This would allow you to attempt all 26 possible two-letter initials combinations starting with the letter F.

To use three-letter initials combinations starting with the letter F, you could place the F in the Dialogue on a PPP output line, followed by an ignored SYS line, followed by a ctrl-P password flag in the next PPP line, like this:

.
.
.
5 - SYS:ENTER PASSWORD:
6 - PPP:F;
7 - SYS:<ESC>
8 - PPP:<ctrl-P>

You would then run the Penetrator through both the entire INITIALS1 and INITIALS2 databases to hack all possible (likely) 3-letter combinations starting with "F". Nice, eh?

Similarly, suppose you knew that "SMITH" was a valid username, and wanted to try all possible 3-letter initials combinations ending with "S". A section of the dialogue could look like this:

.
.
.
5 - SYS:ENTER PASSWORD:
6 - PPP:<ctrl-P>S

where line 6 was entered as "ctrl-P S". This example illustrates the capability of the Penetrator to accept more text after the ctrl-P on a password-containing line. With line 6 entered in this way, the Penetrator would send two-letter combinations immediately followed by an "S", like this:

AAS
ABS
ACS
ADS
.
.
.

If you feel the need, you can easily create your own password databases using a program or word processor rather than the PPP's Database Editor. The databases are standard ASCII sequential text files containing the number of passwords as the first record, and then that number of passwords, each separated by a carriage return. A database containing the passwords "THIS", "IS", "A", and "TEST" would look like this:

4
THIS
IS
A
TEST

Knowing this format, you could easily create a database of numerical passwords, etc. using a simple BASIC program.

If you are new to hacking, try to find a DEC-20 system to practice on. They are VERY wimpy, since a simple "SY" command reveals a list of valid logged-on usernames even before you log on. In addition, DECs will tell you immediately if an attempted username is invalid.

I hope you find the PPP as quick and versatile as I have. The world is in severe need of more good hackers. Happy Hacking.

Call El Infierno BBS (312) 623-6761 novelist.
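As an added example (again not the PPP's own code), here are the database file format, an INITIALS-style list, the START AT PASSWORD # lookup, and the ctrl-P line rules from this section in Python. The function names dump_database, load_database, init_database-style helpers (initials_database, numeric_database), start_at and wire_output are this example's own; initials_database keeps all 676 letter pairs rather than dropping the unlikely ones the disk files omit, and the inputs in the usage note are constructed.

```python
"""Added example, not the PPP's own code: the password-database file format the
docs give, INITIALS-style and numeric lists, and what a ctrl-P dialogue line
puts on the wire for a given password."""
from itertools import product
from string import ascii_uppercase
from typing import List

PW_FLAG = "\x10"   # ctrl-P as first character: the password goes here
IGNORE = "\x1b"    # ESC as first character: the line is skipped


def dump_database(passwords: List[str]) -> str:
    """Count record first, then one password per carriage return."""
    return "\r".join([str(len(passwords)), *passwords]) + "\r"


def load_database(text: str) -> List[str]:
    """Parse that format; accepts CR, LF or CRLF and checks the count record."""
    records = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    if records and records[-1] == "":
        records.pop()                       # trailing line end, not an empty password
    count = int(records[0])
    if len(records) - 1 != count:
        raise ValueError(f"count record says {count}, file holds {len(records) - 1}")
    return records[1:]


def initials_database() -> List[str]:
    """All 676 two-letter pairs in order.  The disk's INITIALS1/INITIALS2 files leave
    out unlikely pairs; this example (an assumption) keeps every pair."""
    return [a + b for a, b in product(ascii_uppercase, repeat=2)]


def numeric_database(digits: int) -> List[str]:
    """Zero-padded numbers, the kind of list the docs suggest generating in BASIC."""
    return [str(n).zfill(digits) for n in range(10 ** digits)]


def start_at(passwords: List[str], first: str) -> int:
    """Value for the START AT PASSWORD # prompt (1-based) that begins at `first`."""
    return passwords.index(first) + 1


def wire_output(lines: List[str], password: str, lower: bool = False) -> str:
    """What the PPP sends for one password over a run of dialogue lines that starts on
    a PPP line: odd positions are SYS lines and are not sent, a leading ctrl-P becomes
    the password (plus any text after it), a trailing ';' suppresses the carriage
    return, and ESC-first lines are skipped.  lower=True is the CASE TOGGLE resend."""
    pw = password.lower() if lower else password
    out = []
    for i, line in enumerate(lines):
        if i % 2 or line.startswith(IGNORE):
            continue
        text = pw + line[1:] if line.startswith(PW_FLAG) else line
        out.append(text[:-1] if text.endswith(";") else text + "\r")
    return "".join(out)
```

With these, start_at(initials_database(), "FA") gives 131, and the 26 entries from there all begin with "F"; wire_output(["F;", IGNORE, PW_FLAG], "AA") is "FAA\r" (the three-letter prefix trick), wire_output([PW_FLAG + "S"], "AB") is "ABS\r" (the suffix trick), and load_database(dump_database(x)) round-trips any list, raising ValueError if the count record and the file disagree.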