THC-LH10.ZIP / SCRIPT.DOC (text file, 1996-04-14)
 *********  *    *   ****
     *      *    *  *
     *      ******  *
     *      *    *  *
     *      *    *   ****
The Hacker's Choice
Part I - The Login Hacker
(c) 1996 by van Hauser/THC of L.o.r.E. BBS
-----------------------------------------------------------------------------
The Script Documentation
This is the Login Hacker, the first release of the THC Project of L.o.r.E.
--->>> READ THE NORMAL DOCUMENTATION FIRST ! <<<---
For easy targets you don't need this script language; you can select
everything you like from the menu. But for more difficult targets you
need this : the Login Hacker Script Language. It's very easy to use.
It's like the script language of any terminal software, but has got special
possibilities for hacking.
Part I - The Structure
Everything that begins with a ";" is a comment.
Everything that begins with a ":" is a jump mark for GOTO commands.
Then there are 4 lines that start with a "#" - each marks the beginning
of a special part of the script :
The first is #DEFINE, where the variables are defined.
The second is a special one called #NOCARRIER, which is jumped to
automatically if the carrier is lost unintentionally
(the HANGUP command drops the carrier on purpose; anything else is not ;-) ).
The third is #START, where the actual script starts.
#END marks the end of the script.
*******************************************************************************
If you get an ERROR when compiling, there's a file named <name>.BAK in the
same directory. Look into it and compare the error message with the output
there.
There are two types of error messages produced while compiling :
WARNING Messages - worth a look, but the compiler will compile the script
anyway. The script MAY run without problems.
This type is produced e.g. when the specified dictionary
is not found. Maybe you haven't copied it yet.
ERROR Messages - This is a critical error. The compiler terminates at once.
Check the error message, the .BAK and the original file
to correct it.
*******************************************************************************
-------------------------------------------------------------------------------
Part II - The Definitions -> #DEFINE
In this part you may ONLY declare the values of the variables.
All variables are optional EXCEPT the LOGFILE and the PHONE_NR variable.
All variables are discussed here with all their possibilities.
You may NOT define any other variables of your own here !
#DEFINE
LOGFILE=FILENAME The Logfile to which all output is written.
** This is one of the two variables which MUST be used. **
Example : LOGFILE=C:\OUTPUT\NY-SYS5.LOG
PHONE_NR=NUMBER The phone_nr variable is used when you use the DIAL
command. It may contain letters and digits!
** This is the second variable that MUST be used. **
Note : If your modem needs pulse dialing, put a "P"
in front of the number!
Example : PHONE_NR=1-800-WHO-CARES
INIT_MODEM=STRING If you need a special modem init string, use this command
Don't put the "AT" command in front! If not specified,
the standard THC_Login_Hacker Setup entry is used.
Example : INIT_MODEM=Z (that would be "AT Z")
INIT_DATA=STRING This inits the data channel : data bits, parity and
stop bits. Common are 8N1 and 7E1. If not specified,
the standard THC_Login_Hacker Setup entry is used.
It must have these 3 characters. The first may either
be 7 or 8, these are the data bits. The second is the
parity : P for Parity, E for Even or N for None.
The third is the number of stop bits, 1 or 2.
7/8+E/P/N+1/2
DIAL_TRIES=NUMBER This variable declares the maximum number of dial
attempts the script makes. The number may be between
0-65535. Zero means unlimited dial attempts! If the number is
reached, a HANGUP follows and a comment is written to the
logfile.
NOTE : If NOT specified in the script, the setting from
LOGINH.CFG will be used!
Example : DIAL_TRIES=3
Standard : 0
LOGIN_TRIES=NUMBER This variable declares the maximum number of login tries
the script makes. It may be between 0-2300000000.
Zero means unlimited. Note that if a dictionary file
reaches EOF, the script automatically hangs up and
terminates. A login try is counted each time the
dictionary is advanced with SEND_NEXT_DIC or NEXT_DIC,
or the same with the BRUTE commands.
NOTE : If NOT specified in the script, the setting from
LOGINH.CFG will be used!
Example : LOGIN_TRIES=0
Standard : 0
DIC(NUMBER)=FILENAME
Specify a dictionary to use in the script.
DIC are pointers to dictionary files. You may have up to
3 dictionaries, from DIC(1) to DIC(3). You use them with the
commands Send_Next_DIC(1), Send_DIC(1) and Next_DIC(1),
but more on how to use this later.
Example : DIC(1)=C:\HACKING\DICTIONA.RY\BAD_PWS.DIC
FROM_DIC(NUMBER)=STRING
This defines from which word on the dictionary is used.
Example : FROM_DIC(1)=Tracy
This example sends every word from "Tracy" on
in the specified dictionary number 1
BRUTE(NUMBER)=STRING,NUMBER,NUMBER,NUMBER
Specify a brute force generator to use in the script.
Now for the hardcore thing of this program :
the brute force option.
It's very flexible as you will soon see. The options
for the BRUTE variable are divided into 4 parts,
each separated by a ",".
(1) The first tells which characters are used for brute force:
a=lower case A=upper case 1=numbers $=special chars
^=control characters. "A1$" would be upper case, numbers
and special chars. ALL is a synonym for the WHOLE ascii table!
(2) The second tells how many different types must be present
in a generated word for it to be valid. "types" means the
character sets of (1). A value of 1 means EVERY generated
word is okay, while with a value of 2 there must be e.g.
at least one upper case letter and one number in the
generated word for it to be valid.
(A value of 0 is not possible)
(3) The third tells the minimum length of a valid BF password.
(4) The fourth the maximum length.
NOTE : Minimum length is 1 - maximum length is 12 !
And again you may have up to 3 brute force generators
(BRUTE(2) etc.), and if one reaches the end the script
finishes.
Commands to use later are :
Next_Brute(1), Send_Next_Brute(1), Send_Brute(1)
Example : BRUTE(1)=a,1,1,6
This example inits brute force generator
number 1 with the following data :
* lower case letters only
* at least one type of character set must be present
in a valid brute generated word
(at least "1" means every word will do)
* minimum length of a valid word is 1
* maximum length of a valid word is 6
FROM_BRUTE(NUMBER)=STRING
This starts the brute force generator with this word
instead of the first one. If you start with a 4-character
word while scanning lengths 1-8, lengths 1-3 won't be
checked. The word is incremented from the right,
that means : first aaaa, then aaab, then aaac etc.
Example : FROM_BRUTE(1)=2527
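As an added worked example (not part of SCRIPT.DOC and not code from the Login Hacker), the following Python reproduces the BRUTE(n)= and FROM_BRUTE(n)= rules above: the character classes, the minimum number of "types", the 1-12 length range, the right-to-left increment order and the resume point. Which bytes "$", "^" and ALL cover is not stated in the text, so the sets used here are an assumption, as is the order in which the classes are concatenated. keyspace_size() counts the candidates without enumerating them, which is the number to look at before tying up a modem line with a generator such as BRUTE(1)=a,1,1,6.

```python
import itertools
import string

# Character classes as documented: a=lower case, A=upper case, 1=numbers,
# $=special chars, ^=control characters; ALL = the whole ASCII table.
# The exact members of "$", "^" and ALL are an assumption for this example.
CLASSES = {
    "a": string.ascii_lowercase,
    "A": string.ascii_uppercase,
    "1": string.digits,
    "$": string.punctuation,
    "^": "".join(chr(c) for c in range(1, 27)),   # ^A .. ^Z
}
ALL = "".join(chr(c) for c in range(32, 127))      # printable ASCII


def parse_brute(spec):
    """Parse the 'charset,types,min,max' value of a BRUTE(n)= definition.
    Returns (alphabet, classes, types, minlen, maxlen); raises ValueError for
    what the compiler would report as an ERROR."""
    parts = spec.split(",")
    if len(parts) != 4 or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("BRUTE needs charset,types,min,max with numeric fields")
    charset, types, minlen, maxlen = parts[0], int(parts[1]), int(parts[2]), int(parts[3])
    if charset == "ALL":
        classes, alphabet = ["ALL"], ALL
    else:
        classes = []
        for c in charset:
            if c not in CLASSES:
                raise ValueError("unknown character class %r" % c)
            if c not in classes:
                classes.append(c)
        alphabet = "".join(CLASSES[c] for c in classes)   # class order = listing order
    if not 1 <= types <= len(classes):
        raise ValueError("types must be 1..%d for charset %r" % (len(classes), charset))
    if not 1 <= minlen <= maxlen <= 12:
        raise ValueError("length must satisfy 1 <= min <= max <= 12")
    return alphabet, classes, types, minlen, maxlen


def count_types(word, classes):
    """Number of the selected classes that occur at least once in word."""
    if classes == ["ALL"]:
        return 1
    return sum(1 for c in classes if any(ch in CLASSES[c] for ch in word))


def brute_words(spec, start=None):
    """Yield the generator's valid words in the documented order: shortest
    length first, and within one length the rightmost character changes
    fastest (aaaa, aaab, aaac, ...). start mirrors FROM_BRUTE(n)=: generation
    resumes at that word, so all shorter lengths are skipped."""
    alphabet, classes, types, minlen, maxlen = parse_brute(spec)
    if start is not None:
        if not minlen <= len(start) <= maxlen or any(ch not in alphabet for ch in start):
            raise ValueError("FROM_BRUTE value %r is outside this generator's range" % start)
        minlen = len(start)
    started = start is None
    for length in range(minlen, maxlen + 1):
        for chars in itertools.product(alphabet, repeat=length):
            word = "".join(chars)
            if not started:
                if word != start:
                    continue
                started = True
            if count_types(word, classes) >= types:
                yield word


def keyspace_size(spec):
    """Count the valid words without enumerating them (inclusion-exclusion over
    the class subsets), so the run time can be estimated before dialling."""
    _, classes, types, minlen, maxlen = parse_brute(spec)
    total = 0
    for length in range(minlen, maxlen + 1):
        if classes == ["ALL"]:
            total += len(ALL) ** length
            continue
        for r in range(types, len(classes) + 1):
            for subset in itertools.combinations(classes, r):
                # words drawn only from `subset` that use every class in it
                for k in range(len(subset) + 1):
                    for used in itertools.combinations(subset, k):
                        size = sum(len(CLASSES[c]) for c in used)
                        total += (-1) ** (len(subset) - k) * size ** length
    return total


def time_estimate(spec, seconds_per_try):
    """Hours needed at a given pace, e.g. one login prompt round trip per try."""
    return keyspace_size(spec) * seconds_per_try / 3600.0
```

At one try every few seconds over a modem line, even BRUTE(1)=a,1,1,6 (321,272,406 candidates) is hopeless; the count is the argument for a good dictionary plus FROM_DIC/FROM_BRUTE checkpoints rather than a wider brute force generator.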
-------------------------------------------------------------------------------
PART III - The #NOCARRIER Section
As said before, this is the part which is executed when you lose the
carrier and didn't use the HANGUP command. NOTE that it will terminate the
script if you don't end this part with a GOTO(#START) or GOTO(1) etc. !!
The DIAL_TRIES setting ISN'T checked here.
... remember you need to dial the system again.
I don't explain the commands here ... look in the #START section.
#NOCARRIER
-------------------------------------------------------------------------------
PART IV - The #START Section
This is where you program the algorithm to hack a system.
Every command is presented here ... so read carefully !
#START
LOG(STRING) With the LOG() command you write something into the logfile.
It can be any text; variables MUST have a "$" sign in front
of them and MUST be surrounded by spaces or "(" or ")" !
Every LOG command automatically prints an ENTER at the end.
Example : LOG(Beginning on $DATE * $TIME)
this prints "Beginning on 24-12-95 * 23:00"
LOG_(STRING) same as above but doesn't write a CRLF (End-Of-Line) after
the text.
:NUMBER every line that begins with a ":" is a GOTO mark.
It can only be a number ! You may have up to 240 marks
(only with the numbers 1 to 240 ... no others)
You may jump to such a mark with the GOTO, GOSUB,
CHECK4OUTPUT and CHECK4CARRIER commands.
Example : :1
this specifies jump point number 1 on this line
GOTO(NUMBER) This jumps to the specified jump mark.
You may also jump to #START, #NOCARRIER and #END
Example : GOTO(#END) (this terminates the script)
GOSUB(NUMBER) With the GOSUB command you jump to a goto mark.
Execution continues normally from there; when a RETURN
command is encountered it jumps back to the point where
the GOSUB command was executed.
Can't be GOSUB(#END) !
Example : GOSUB(4)
RETURN Returns to the location of the last GOSUB command executed
and continues normally. If a RETURN command is encountered
without a GOSUB start address in the buffer, it will be
ignored. You may have as many as 255 GOSUBs in the buffer.
Example : RETURN
CHECK4CARRIER(NUMBER)
Checks whether the modem has got a carrier (is connected).
If NOT, it jumps to the specified jump mark. If YES, it sets
the internal connect variable to TRUE so that NO CARRIER
can be detected later.
You may also jump to #NOCARRIER, #START and #END.
It is also possible to just turn the checking ON or OFF.
If CHECK4CARRIER(ON) is used instead of a jump mark, it does
a carrier detect check and, if no carrier is present, jumps
to #NOCARRIER.
This command is ONLY useful if you first turned
CHECK4CARRIER(OFF), or if you don't use the DIAL command to
connect to your target (e.g. you let the SCAVENGER DIALER do
this).
Examples : CHECK4CARRIER(#NOCARRIER)
CHECK4CARRIER(5)
CHECK4CARRIER(ON)
CHECK4CARRIER(OFF)
CHECK4OUTPUT(NUMBER)
Like the ALARM function below : if OUTPUT from the modem
is detected, it immediately jumps to the specified jump
mark. You may also jump to #NOCARRIER, #START and #END.
It is also possible to just turn the checking OFF (to disable
a previously specified output check).
Examples : CHECK4OUTPUT(#NOCARRIER)
CHECK4OUTPUT(5)
CHECK4OUTPUT(OFF)
DIAL This Dials the number specified in PHONE_NR. If it is still
connected to a system it hangs up first.
Example : DIAL
HANGUP Hangs up/drops the carrier, etc.
Example : HANGUP
WAIT4STRING(NUMBER,STRING,NUMBER,COMMAND,STRING)
Now that's the most important command in this script language.
It waits for a specific string in the modem output.
If it is encountered, the script continues; if not,
after the timeout a specified string is sent to the modem,
and after a specified number of timeouts a command may be
executed.
NOTE: First WAIT4STRING checks if the word is present in the
CURRENT line. If not, it waits for it.
The Syntax : WAIT4STRING(a,b,c,d,e)
a : After how many seconds a timeout occurs (0-255).
0=unlimited : waits until the TOTAL TIMEOUT (the script
jumps to #NOCARRIER if no data comes from the modem
for 5 minutes !), OR until the string is detected in the
data stream at any time, OR until the carrier is lost.
b : The string that will be sent to the modem after
a timeout.
c : After how many timeouts in total the failure command
will be executed. 0=never, 1=first time, <=255
d : The special failure action command. It may be ANY
(or no) command EXCEPT : ALARM, WAIT4STRING, IF
e : The string to wait for ! (Case sensitive!)
Example : WAIT4STRING(15,^M,2,GOTO(1),ogin:)
In this example it waits for the string "ogin:" for 15
seconds; if it is not encountered, it sends a carriage return
(^M) to the modem, then waits again for 15s, and if "ogin:"
is again not encountered, ^M is sent again and after the
next 15s the FAILURE command is triggered, which means GOTO
jump mark no. 1
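The timeout, resend and failure logic described above, modelled in Python as an added example (this is not code from the Login Hacker): a constructed FakeModem delivers chunks on a virtual clock, and a Session keeps STRING (the current line), STRING2 (the last 250 characters) and a pending ALARM as Part VI defines them, so the same loop also shows how ALARM(chat,GOTO(#END)) pre-empts a running WAIT4STRING. The counting follows the worked trace of WAIT4STRING(15,^M,2,GOTO(1),ogin:) in the text: b is resent on each of the first c timeouts and d runs on the timeout after that; the one-line description of c reads one timeout fewer, so check the real program if the exact count matters. The 300-second total timeout, the banner text and the reply timings are assumptions made for this example.

```python
class FakeModem:
    """Constructed stand-in for the modem line. `incoming` lists (arrival_time,
    text) chunks the remote side sends on its own; `on_send` lists, for the 1st,
    2nd, ... string the script sends, the (delay, text) replies that causes.
    Times are virtual seconds, so a run is deterministic and instant."""

    def __init__(self, incoming=(), on_send=()):
        self.clock = 0.0
        self.pending = sorted(incoming)
        self.on_send = [list(replies) for replies in on_send]
        self.sent = []

    def send(self, text):
        self.sent.append(text)
        replies = self.on_send.pop(0) if self.on_send else []
        for delay, chunk in replies:
            self.pending.append((self.clock + delay, chunk))
        self.pending.sort()

    def read(self, deadline):
        """Next chunk arriving by `deadline`, or None; the clock advances either way."""
        if self.pending and self.pending[0][0] <= deadline:
            arrival, chunk = self.pending.pop(0)
            self.clock = arrival
            return chunk
        self.clock = deadline
        return None


class Session:
    """Holds STRING (the current line), STRING2 (the last 250 chars) and the ALARM."""

    TOTAL_TIMEOUT = 300.0   # "no data from modem after 5 minutes" -> #NOCARRIER (assumed 300 s)

    def __init__(self, modem, current_line=""):
        self.modem = modem
        self.STRING = current_line
        self.STRING2 = current_line
        self.alarm = None       # (string, command), as set by ALARM(string,command)

    def receive(self, chunk):
        """Fold a chunk into STRING/STRING2; return the ALARM command if it fires."""
        self.STRING2 = (self.STRING2 + chunk)[-250:]
        lines = chunk.replace("\r", "\n").split("\n")
        self.STRING = self.STRING + lines[0] if len(lines) == 1 else lines[-1]
        if self.alarm and self.alarm[0] in self.STRING2:
            return self.alarm[1]
        return None

    def wait4string(self, a, b, c, d, e):
        """WAIT4STRING(a,b,c,d,e). Returns ("found", timeouts) once e is seen,
        otherwise the command the script runs next: d after c resends of b have
        each timed out, the ALARM command, or GOTO(#NOCARRIER) on the total timeout."""
        if e in self.STRING:                      # the CURRENT line is checked first
            return ("found", 0)
        timeouts = 0
        while True:
            deadline = self.modem.clock + (a if a else self.TOTAL_TIMEOUT)
            chunk = self.modem.read(deadline)
            while chunk is not None:
                fired = self.receive(chunk)
                if fired:
                    return fired
                if e in self.STRING:
                    return ("found", timeouts)
                chunk = self.modem.read(deadline)
            if a == 0:                            # unlimited wait: only the total timeout ends it
                return "GOTO(#NOCARRIER)"
            timeouts += 1
            if c and timeouts > c:                # b went out c times; this timeout runs d (c=0: never)
                return d
            self.modem.send(b)


def run_scenario(incoming=(), on_send=(), alarm=None, current_line="",
                 a=15, b="^M", c=2, d="GOTO(1)", e="ogin:"):
    """One WAIT4STRING against a scripted modem; the defaults are the text's
    example WAIT4STRING(15,^M,2,GOTO(1),ogin:). Returns (result, sent, clock)."""
    modem = FakeModem(incoming, on_send)
    session = Session(modem, current_line)
    session.alarm = alarm
    result = session.wait4string(a, b, c, d, e)
    return result, modem.sent, modem.clock
```

run_scenario([(2.0, "\r\nWelcome\r\n")], [[], [(1.0, "\r\nlogin:")]]) models a host that only shows its prompt after the second carriage return: the banner arrives at t=2, two timeouts and two ^M go by, and "ogin:" is found at t=31; with no reply at all the same call returns "GOTO(1)" at t=45.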
LOG_SESSION_ON From this point on, anything sent from the modem is written
to the logfile.
Example : LOG_SESSION_ON
LOG_SESSION_OFF If writing the screen output to the log was active,
it isn't any more from this point on.
Example : LOG_SESSION_OFF
SEND(STRING) The SEND command sends a string to the modem. Here you may
also send variables with a "$". It sends an ENTER
(Carriage Return) at the end.
If no string is specified, it just sends an ENTER.
Example :
SEND(echo Hacked your system Time : $TIME - Date : $DATE > HACKED.TXT)
this sends "echo Hacked your system Time : 23:00 - Date : 24-12-95 > HACKED.TXT"
SEND_() Same as above but doesn't send the ^M character (ENTER) at
the end. Useful if you just need to enter one character
or want to enter the modem command mode with +++
Examples : SEND_(n)
SEND_(+++)
SEND_NEXT_DIC(NUMBER)
This advances the pointer to the next word in
the dictionary and sends it to the modem.
Example : SEND_NEXT_DIC(1)
SEND_DIC(NUMBER) This sends the current dictionary word to the modem.
Example : SEND_DIC(1)
NEXT_DIC(NUMBER) This advances the pointer to the next word in
the dictionary without sending it.
Example : NEXT_DIC(1)
SEND_NEXT_BRUTE(NUMBER)
This generates the next valid brute force string and
sends it to the modem.
Example : SEND_NEXT_BRUTE(1)
SEND_BRUTE(NUMBER)
This sends the current valid brute force string to the modem.
Example : SEND_BRUTE(1)
NEXT_BRUTE(NUMBER)
This generates the next valid brute force string without sending it.
Example : NEXT_BRUTE(1)
IF VARIABLE OPERATOR STRING THEN COMMAND
The IF command isn't very flexible yet ... tell me what
you need and it will be in the next version.
SYNTAX : IF <variable><operator><string> THEN <command>
<variable> may be anything which is mentioned in PART VI
<operator> may be "=" if it must be equal, "<" for smaller
and ">" for greater, and "~" if the variable
contains the string
<string> may be any word. For "<" or ">", variable and
string must be digit values !
<command> this command is executed when the condition
is TRUE. Look at the command listing for
WAIT4STRING to look up what you can use.
Example : IF STRING~ogin THEN GOTO(3)
IF the CURRENT LINE (STRING) CONTAINS (~) the string
"ogin" THEN goto jump mark no. 3
EXECUTE(STRING) Executes a DOS program. After the execution it continues
the script. You MAY include variables in the execution
line. You may execute internal MS-DOS commands.
Remember to put a "$" sign in front of variables and only
spaces or "(" and ")" in front of/behind them.
WARNING : If you want to execute programs while connected
in the script you MUST use a fossil driver or
the computer will lock up! (Has got something to
do with the interrupts ...)
Use X00.EXE E 2 before running LOGIN HACKER
Note : If the program to execute is in your PATH environment
it will be found ... but better safe than sorry ;-)
Example : EXECUTE(C:\SB\VPLAY C:\SB\VOC\HACKED.VOC)
EXECUTE(COPY $LOGFILE C:\HACKED)
ALARM(STRING,COMMAND)
If a specific string is encountered in the modem output at any
point, this triggers the specified command. Once an ALARM
is set, it stays active until it is disabled with the
command ALARM() or a new ALARM string or command is
specified. The Syntax : ALARM(string,command) or ALARM().
STRING : the string which is searched for in the data
sent from the modem.
COMMAND: the command to execute when the string is encountered.
Look at the command listing for WAIT4STRING
to look up what you can use.
Useful for example if you want to hack a BBS where the SYSOP
could break in for a chat to ask what you are doing.
With this command you can automatically hang up and
terminate the script.
Example : ALARM(chat,GOTO(#END))
SET VARIABLE=STRING
With this command you can set a variable in the #START
or #NOCARRIER section. If a variable is a digit variable you
may only set it to a number. You may set the following variables:
STRING, DIAL_TRIED, LOGIN_TRIED, S_TMP, D_TMP
Example : SET D_TMP=3
This sets the digit variable D_TMP to 3
INC(DIGIT_VARIABLE)
Increases the specified digit variable by 1.
Will only do the command if the variable won't be out of
the specified range after the addition.
Valid for : DIAL_TRIES, DIAL_TRIED, LOGIN_TRIES, LOGIN_TRIED
and D_TMP
Example : INC(D_TMP)
DEC(DIGIT_VARIABLE)
Decreases the specified digit variable by 1.
Will only do the command if the variable won't be out of
the specified range after the subtraction.
Valid for : DIAL_TRIES, DIAL_TRIED, LOGIN_TRIES, LOGIN_TRIED
and D_TMP
Example : DEC(D_TMP)
WAIT(NUMBER) Waits until the specified number of seconds has passed.
NUMBER must be between 1-255.
Example : WAIT(10)
WAIT_(NUMBER) Waits until the specified number of milliseconds has passed.
NUMBER must be between 1-65535.
Example : WAIT_(500) (half a second)
BEEP It makes a BEEP ! Cool eh? ;-)
#END
-------------------------------------------------------------------------------
PART VI - Variables and Control Characters
Now I tell you all the variables that can be used in a SEND() or LOG()
command, and which additional variables you have got here.
As said before, to print a variable to the modem or logfile you must write a
"$" in front of it and there must be spaces around it. Variables you
can use are : - any of the ones specified in #DEFINE - but only the ones defined!
- STRING which is the last LINE sent from the modem
- STRING2 has got the last 250 chars sent from the modem.
- DIAL_TRIED the actual number of dial attempts so far
- LOGIN_TRIED the actual number of login attempts so far
- TIME the current time as hours and minutes (without ":" !)
Example : TIME=1505 means 15:05 (3.05pm)
if the minutes are below 10 you must write a zero
before them.
- DATE the current date (in the format MMDD)
Example : DATE=503 means the 3rd of May
if the day is below 10 you must write a zero before
it.
- DIC(1) the current entry of dictionary 1
- BRUTE(2) the current string of brute force generator 2
- S_TMP a string variable you can use as you like
- D_TMP a digit variable you can use as you like
For the IF and SET commands you may only use the variables above, NOT the
ones in #DEFINE (where would be the logic? Those are static constants, you
don't have to check them with IF !). You don't need the "$" in front of
a variable there. It is only needed for SEND, LOG and WAIT4STRING.
Examples : IF TIME>1215 THEN GOTO(#END) (if it's after 12:15 it exits)
LOG($DIC(3))
SEND($S_TMP)
Now for special characters. You may write any CONTROL character in a
LOG, SEND or WAIT4STRING command with the "^" sign followed by the letter
of the control character. ENTER would be ^M. To print a normal "^", you must
write "^^" ... okay ? You may use ^A to ^Z plus ^[ ^\ ^] and ^^
Examples : SEND_(^D)
-------------------------------------------------------------------------------
#DEFINE
<definitions>
#NOCARRIER
<some commands>
#START
<here you write your algorythm>
#END
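A complete script in this layout and a checker for it, added here as an example (neither is THC code): SAMPLE is a constructed dictionary attack on a login prompt that uses only the commands documented above, and check_script() applies the rules from Parts I, II and IV the way the compiler is described to, reporting a WARNING (dictionary file not found) or an ERROR (LOGFILE/PHONE_NR missing, a DIC/BRUTE number outside 1-3, BRUTE lengths outside 1-12, a jump mark outside 1-240, a jump to a mark that does not exist, GOSUB(#END), an unknown command). The wording of the real compiler's messages is not known and is assumed.

```python
import os
import re

# Constructed sample script (not from the THC distribution), in the layout above.
SAMPLE = r"""; dictionary attack on a login prompt, using only commands from SCRIPT.DOC
#DEFINE
LOGFILE=C:\OUTPUT\NY-SYS5.LOG
PHONE_NR=1-800-WHO-CARES
DIC(1)=C:\HACKING\BAD_PWS.DIC
#NOCARRIER
GOTO(#START)
#START
DIAL
ALARM(chat,GOTO(#END))
:1
WAIT4STRING(15,^M,2,GOTO(#NOCARRIER),ogin:)
SEND(root)
WAIT4STRING(10,^M,1,GOTO(1),word:)
SEND_NEXT_DIC(1)
WAIT4STRING(10,^M,1,GOTO(2),ogin:)
GOTO(1)
:2
LOG(No new login prompt after $DIC(1) on $DATE $TIME - check the session log)
LOG_SESSION_ON
SEND(id)
HANGUP
#END
"""
SECTIONS = ["#DEFINE", "#NOCARRIER", "#START", "#END"]
DEFINE_KEYS = {"LOGFILE", "PHONE_NR", "INIT_MODEM", "INIT_DATA", "DIAL_TRIES", "LOGIN_TRIES"}
COMMANDS = set("""LOG LOG_ GOTO GOSUB RETURN CHECK4CARRIER CHECK4OUTPUT DIAL HANGUP
    WAIT4STRING LOG_SESSION_ON LOG_SESSION_OFF SEND SEND_ SEND_NEXT_DIC SEND_DIC NEXT_DIC
    SEND_NEXT_BRUTE SEND_BRUTE NEXT_BRUTE EXECUTE ALARM SET INC DEC WAIT WAIT_ BEEP""".split())
JUMP_CMDS = {"GOTO", "GOSUB", "CHECK4CARRIER", "CHECK4OUTPUT"}

def commands_in(line):
    """Yield (command, argument) for one line, including the command nested in
    WAIT4STRING's failure slot, in ALARM's action and after IF ... THEN."""
    if line.startswith("IF "):
        _, then, action = line.partition(" THEN ")
        yield from commands_in(action.strip() if then else "IF-without-THEN")
        return
    m = re.fullmatch(r"([A-Z0-9_]+)(?:\((.*)\)| (.*))?", line)
    if not m:                       # e.g. "IF-without-THEN": reported as unknown
        yield (line, None)
        return
    cmd, arg = m.group(1), m.group(2) if m.group(2) is not None else m.group(3)
    yield (cmd, arg)
    parts = arg.split(",", 4) if arg else []
    if cmd == "WAIT4STRING" and len(parts) == 5 and parts[3]:
        yield from commands_in(parts[3])
    elif cmd == "ALARM" and len(parts) >= 2:
        yield from commands_in(",".join(parts[1:]))

def check_script(text):
    """Return [(severity, line_no, message)] sorted by line; ERROR stops the
    compiler, WARNING does not (the script MAY still run)."""
    msgs, seen, defined, marks, jumps = [], [], {}, {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] == ";":
            continue
        if line[0] == "#":
            if line not in SECTIONS or SECTIONS.index(line) != len(seen):
                msgs.append(("ERROR", n, "section %s unknown or out of order" % line))
            seen.append(line)
        elif not seen or seen[-1] == "#END":
            msgs.append(("ERROR", n, "text outside the four # sections"))
        elif seen[-1] == "#DEFINE":
            key, _, val = line.partition("=")
            m = re.fullmatch(r"(DIC|FROM_DIC|BRUTE|FROM_BRUTE)\(([1-3])\)", key)
            p = val.split(",")
            if not (key in DEFINE_KEYS or m):
                msgs.append(("ERROR", n, "cannot define %s here (DIC/BRUTE take 1-3)" % key))
                continue
            defined[key] = val
            if m and m.group(1) == "DIC" and not os.path.exists(val):
                msgs.append(("WARNING", n, "dictionary %s not found" % val))
            elif m and m.group(1) == "BRUTE" and not (len(p) == 4 and all(x.isdigit() for x in p[1:])
                                                      and int(p[1]) >= 1 and 1 <= int(p[2]) <= int(p[3]) <= 12):
                msgs.append(("ERROR", n, "BRUTE needs charset,types>=1,1<=min<=max<=12"))
        elif line[0] == ":":
            mark = int(line[1:]) if line[1:].isdigit() else 0
            if not 1 <= mark <= 240 or mark in marks:
                msgs.append(("ERROR", n, "jump mark must be :1 .. :240 and unique"))
            else:
                marks[mark] = n
        else:
            for cmd, arg in commands_in(line):
                if cmd not in COMMANDS:
                    msgs.append(("ERROR", n, "unknown command %s" % cmd))
                elif cmd in JUMP_CMDS and arg is not None:
                    jumps.append((n, cmd, arg))
    for key in ("LOGFILE", "PHONE_NR"):
        if key not in defined:
            msgs.append(("ERROR", 0, "%s must be defined in #DEFINE" % key))
    for n, cmd, target in jumps:         # marks may be defined after the jump, so resolve last
        if cmd == "GOSUB" and target == "#END":
            msgs.append(("ERROR", n, "GOSUB(#END) is not allowed"))
        elif target not in {"#START", "#NOCARRIER", "#END", "ON", "OFF"} and \
                not (target.isdigit() and int(target) in marks):
            msgs.append(("ERROR", n, "jump to undefined mark %s" % target))
    return sorted(msgs, key=lambda msg: msg[1])

def compile_ok(text):
    return not any(sev == "ERROR" for sev, _, _ in check_script(text))
```

For SAMPLE the only message is the WARNING that BAD_PWS.DIC is not present on this machine, which is exactly the case the text calls compilable but not guaranteed to run; a script with PHONE_NR missing, BRUTE(1)=a,1,1,13, a :300 mark, GOSUB(#END) or GOTO(7) without a :7 gets one ERROR per fault and compile_ok() returns False.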
-------------------------------------------------------------------------------
For suggestions or bug reports, call L.o.r.E. BBS ++49-(0)69-823282
Login : THC Password : THC
to write a comment to the sysop, leech any THC release or get one of the
things this board distributes, for example the SCAVENGER Dialer,
VLAD Magazine etc.
Call ARRESTED DEVELOPMENT (see THC.NFO for number) and write to van Hauser
OR write me an email ... address + public pgp key below.
-------------------------------------------------------------------------------
van Hauser's Public Key Block for vh@campus.de :
van Hauser/THC L.o.r.E. BBS
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.1
mQCNAzB6PNQAAAEEALx5p2jI/2rNF9tYandxctI6jP+ZJUcGPTs7QTFtF2c+zK9H
ElFfvsC0QkaaUJjyTq7TyII18Na1IuGj2duIHTtG1DTDOnbnZzIRsXndfjCIz5p+
Dt6UYhotbJhCQKkxuIT5F8EZpLTAL88WqaMZJ155uvSTb9uk58pv3AI7GIx9AAUT
tBp2YW4gSGF1c2VyL1RIQyBvZiBMT1JFIEJCUw==
=6UhL
-----END PGP PUBLIC KEY BLOCK-----