The Unsorted BBS Collection

home *** CD-ROM | disk | FTP | other *** search

/ The Unsorted BBS Collection / thegreatunsorted.tar / thegreatunsorted / misc / hack.hp2 < prev next >

Wrap

Text File | 1980-01-01 | 16KB | 357 lines

************************ bioc agent 003's tutorial in ************************ * * * ==================== * * =hacking the hp2000= * * ==================== * * * ****************************************************************************** preface ------- the purpose of this tutorial is to give potential hackers useful information about hewlett-packard's hp2000 systems. the following notation will be used throughout this tutorial: <cr> - carriage return, return, enter, etc. ^c - a control character (control-c in example) capital letters - computer output & user input system information ------------------ each hp2000 system can support upto 32 users in a timeshared basic (tsb) environment. the systems usually run a version of hewlett packard's timeshared/basic 2000 (various levels). logon procedure --------------- once connected to a hp2000, type a nume ral followed by a <cr>. the system should then respond with: please log i n. if it does not immediately respond keep on trying this procedure u ntil it does (they tend to be slow to respond). user id: the user id consists of a let ter followed by 3 digits, eg, h241. password: the passwords are from 1 to 6 printing and/or non-printing (control) characters. the following c haracters will not be found in any passwords so don't bother tr ying them: line delete (^x), null (^@), return (^m), linefeed (^j), x-off (^s), rubout, comma (^l), space (^), back arrow (<-), & und erscore (_). hp also suggests that ^e is not used in passwords (bu t i have seen it done!). the logon format is: hello-a123,passwd where: hello is the logi n command. it may be abbreviated to hel. a123 is the user id & passwd is the password. the system will respond with either ill egal format or illegal access depending upon whether you screwed up the syntax or it is an invalid user id or password. the messages: please log in, illegal f ormat, & illegal access also help you identify hp2000 systems. the system may also respond with all po rts are busy now - please try again later or a similar message. one other possibility is no time left which means that they have used up their time limit without paying. unlike other systems where you have a c ertain amount of tries to login, the hp2000 system gives you a certain time limit to logon before it dumps you. the system default is 120 seconds (2 mi nutes). the sysop can change it to be anywhere between 1 and 255 seconds, tho ugh. in my experience, 120 seconds is sufficient time for trying between 20-3 0 logon attempts while hand-hacking & a much higher amount when using a hacki ng program. users ----- the various users are identified by the ir user id (a123) & password. users are also identified by their group. ea ch group consists of 100 users. for example, a000 through a099 is a group, a100 through a199 is another group, & z900 through z999 is the last possible group. the first user id in each group is designated as the group master & he has certain privileges. for example, a000, a100,...h200..., & z900 are all g roup masters. the user id a000 is known as the system master & he has the most privileges (besides the hardwired sysop terminal). the library associated with user z999 can be used to store a hello program which is executed each time som eone logs on. so, the best thing to hack on an hp2000 system is the system master (a000) account. it is also the only user id t hat must be on the system. he logs on by typing: hel-a000,passwd. you just have to hack out his password. if you decide to hack z999, you can create or change the hello program to give every user your own personal message every time he logs on! this is about all you can do with z999 though since it is otherwise a non-privileged account. library organization -------------------- each user has access to 3 levels of lib raries: his own private library, a group library, and the system library. to see what is in these libraries you would type: catalog, group, & library respectively (all commands can be abbreviated to the first 3 letters). t he individual user is responsible for his own library and maintaning all the files. if a program is in your catalog, then you can change it. [group masters] group masters (gm) are responsible for controling all programs in the group libraries. only members of the group c an use these programs. these are viewed by typing group. for example, user s50 0 controls all programs in the group library of all users beginning with id s5xx. other users in the group cannot modify these programs. all programs in the group library are also in the group masters private library (catalog) , therefore he can modify them! the group master also has access to 2 privi leged commands. they are: protect & unprotect. with protect, the group mas ter can render a program so it cannot be listed, saved, csaved, punched to pa per tape, or xpunched. for example, if the gm typed pro-wumpus, other users in the group would be able to run wumpus but they would not be able to list it. the gm can remove these restrictions with the unprotect command. [system master] there is exactly one system master (sm) and his user id is a000. he can protect & unprotect programs in the sys tem library. all users have access to these files by typing library to view t hem. only the system master can modify these files since his private library & group library constitute the system library. the sm also has access to oth er privileged commands such as: directory: this command will printout all files and programs stored on the sysBem according to users. dir will print out the entire directory. dir-s500 will s tart listing the directory with user s500. example: dir boces ed 1 053/84 1243 id name date length disc drum a000 alpha 043/84 00498 001384 bckgmn 053/84 04564 001526 fprint 053/84 00567 002077 stock 038/84 04332 002753 tfile 020/83 f 00028 002804 wumpus 053/84 p 02636 003142 b451 bljack 316/75 03088 011887 golf 316/75 02773 011911 s500 gis 050/84 c 03120 019061 giscl4 050/84 f 03741 022299 z999 hello 021/84 00058 011863 in this example, the system name is boc es ed 1. the date of the printout is the 53rd day of 1984 (053/84) and the t ime is 12:43 (24-hr). the files appearing under a000 are those in the s ystem library. the date associated with the program is the date it was last ref erenced. the length is how long it is in words. disc refers to its storage b lock location on one of the hard drives. drum refers to its location on the drum storage unit. only sanctified programs are stored on a drum to increase their access time. the letters after the date refer to f if it is a file, p means it is protected, and c means the program is compiled. in the example the system pr ogram, wumpus, was last used on the 53rd day of 1984 (2-22-84); it is currently unlistable (protected) and it occupies 2636 words of memory starting at disc b lock 3142. the command sdirectory will print out programs that are only stored on drum. most system directories are usually longer than the0example. the a bove example is an abridged version of a 43 page directory! the <break> key wil l stop the listing if necessary. report the report command will show the user i d, how much terminal time they have used since the last billing period (in minut es), and how much disc space they are using. example: report boces ed 1 055/84 1905 id time space id time space id time space a000 01150 12625 b451 00003 05861 b864 00000 00000 s500 00235 06861 s543 00421 00000 z999 00000 00058 the advantage of hacking the a000 passw ord first is that you can use the privileged commands to see which which user id's exist and what programs are stored where so that you can further pe netrate the system. port this command tells the character size a nd baud rate at which each of the 32 ports are configured. it is in the for mat c-bbb, where c=character size & bbb=baud rate. it is set up in columns of 8. the first row corresponds to ports 0-7, the second row corresponds t o 8-15, etc. this is generally useless in my opinion. also, the ports are usu ally only configured separately if the terminals are all hard-wired. status this command allows the sm to view info rmation concerning the mass-storage devices. it gives current locations of the id table, user swap areas, line printer status, etc. it tends to hold alot of info if it is read correctly. unfortunately, i don't have the room to fully discuss it here. since all logins & logouts are printed at the system console along with other pertinent information, i would strongly suggest that you avoid extensive use of an a000 password if you find one. the system operator has access to alot of other commands. unfortunately, he is situated at the system console which is hard-wired to the computer. if anyone figures out a way to give a remote user sysop privileges, let me know & i can help you with his commands. non-privileged commands ----------------------- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= library - lists the system programs. t here is only 1 system library & any user can access it. example: library name length name length na me length name length alpha 498 bckgmn 4564 fpr int 567 stock 4332 tfile f 28 wumpus p 2636 this uses the same notation as the priv ileged directory command. to retrieve a program from the system l ibrary, you would type: get-$name (to load the stock pro gram, you would type get-$stock) you can then run or list it. if you at tempted to list wumpus which is protected (p), it would say run only. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= group - lists all files in your group. it is in the same format as the library command. to retrieve a program from your group l ibrary, you would type: get-*name =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= catalog - lists all files in your perso nal library. it is also in the same format as the library command to retrive a program in your personal l ibrary, you would type: get-name =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= other commands you can use with your pe rsonal files (or system files if logged on as a000) include: run runs the program in the user swap area (memory) list lists the program in th e user swap area save-name name may be upto 6 char acters csave-name save in compiled form name-name assign a name to it kill-name deletes a file from you r library punch punches a program onto paper tape tape input a paper tape append-name attaches the file name to current program in memory length tells the current lengt h of program in memory lprinter designates the line pri nter as user output device open creates a file [open-fi le,# of records, (record lengths)] renumber renumbers statements [ren-(1st statement #), (interval between statements),(# to start renumbering at), (# to end renumbering)] note: all commands can be abbreviated to the first 3 digits. the main command is separated from the first para meter by a dash (-), the first parameter is separated by the second param eter by a comma (,), and all further parameters are separated by comm as. eg, hel-a000,^c (i did actually find a system where the sm passw ord was ^c). other useful commands --------------------- bye logs user off echo-on half-duplex -off full-duplex (default) scratch clears users swap area (new) key transfers control to ke yboard time informs user of total c onnect time & console time message sends a message to syso p console [mes-(text upto 68 chars)] tsb 2000 -------- the programming of the system is above the scope of this tutorial. if you do manage to get into the a000 or z999 acc ounts, there is sufficient info provided in this text to help you manip ulate the data. the basic is rather extensive. the file commands are excell ent & you can mask files so that nobody can read them without the proper mask ( i have already cracked this code, though!). briefly, it is similar to mos t other basic's. if you want, order their programming manual. it is called 20854a timeshared basic/2000, level f (part # 02000-90073). note: there are different levels (vers ions) of tsb/2000. this article is based primarily on level f. mos t of the levels are similar in their commands so the differences shou ld not affect the hacker. also, some systems are customized. eg, one system i know doesn't have the message command because they don't want the operator bothered with messages. another system says ??? instead of please log in and illegal instead of illegal access. these are only trivial problems, though. programs -------- hewlett-packard often supplies programs from their tsb library for the systems. utilities such as ascii*, fprint, & oth ers are almost inevitably found on every system. standard games such as w umpus, stock, lunar, & many others are also a "system must." other companies offer very large programs for the hp2000 also. gis (guidance information systems) is a database to help guidance counselors help students to select coll eges, jobs, financial aid, etc. gis is usually found in the s5xx group library (anyone with an s5xx password can use it). unfortunately, sometimes these pr ograms are set so that a certain password will automatically run them. in some cases you can abort by pressing the <break> key. there is a basic func tion [x=brk(0)] that disables the <break> key. in this case, only the sy sop or the program can throw you into basic. there are many alleged bugs on the hp20 00 that allow users to do all sorts of things. if you run across any of these be sure to let me know. i have seen one system that consisted o f 2 hp2000's running together. in this case, the multiplexer would first ask t he user system 1 or system 2? before logging in. you would then type sys1 o r sys2. most of the hp2000 systems are used by schools, school districts, boces, and various businesses. this was an id eal system for schools before micro- computers existed. the hp2000 system h as been in existance since around 1973. it has been replaced by the hp3000 but there are still many hp2000 systems in existance & i believe that they will st ay there for awhile. here are the dial-ups to a few hp2000 s ystems to get you started: [314/645-1289] [203/622-1933] [312/398-8170] if you need help with anything on an hp 2000 or find other hp2000 systems, feel free to ask me. any comments, correcti ons, and/or threats are also welcome. yours truly, *****bioc *=$=*agent *****003 <=-fargo 4a-=>> Text-Files 2: