205 lines
12 KiB
Plaintext
205 lines
12 KiB
Plaintext
|
The
|
|||
|
--=RoT=--
|
|||
|
Guide To
|
|||
|
GANDALF XMUX'S
|
|||
|
-----------------------
|
|||
|
Written by:
|
|||
|
Deicide
|
|||
|
===========================
|
|||
|
*NOTE: While writing this file i assumed that the reader has a working
|
|||
|
knowledge of Packet-Switching Networks(Such as Sprintnet, Tymnet & Datapac).
|
|||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||
|
|
|||
|
The Gandalf XMUX is made by Gandalf Technologies Incorporated. It is
|
|||
|
one of the 3 popular systems Gandalf makes, the others being the Starmaster
|
|||
|
and the PACX. These systems are very closely knit, as you'll see later, but
|
|||
|
the focus of this g-file is on the XMUX system. I still don't have a XMUX
|
|||
|
manual, so this file will be a bit incomplete, but it will give you a good
|
|||
|
sense of the system; How to Identify it, How to Penetrate it, and How to Use
|
|||
|
it. There are a number of security flaws in the XMUX, all of which can be
|
|||
|
circumvented but frequently are not. Occasionally you will find an
|
|||
|
unpassworded console, in that case just move on to the How to Use it section.
|
|||
|
The Gandalf systems are very frequently found on all the major
|
|||
|
packet-switching networks, as Gandalf's themselves often serve as network
|
|||
|
controllers. Most of the major companies, such as Xerox & Bell Canada, use
|
|||
|
XMUX's, so it is a good idea to become familiar with the system.
|
|||
|
|
|||
|
How To Find Your XMUX & How To Identify It
|
|||
|
------------------------------------------
|
|||
|
First of all, if you find an unpassworded XMUX it will tell you by the
|
|||
|
herald "Gandalf XMUX Primary Console Menu" followed by the menu itself. Skip
|
|||
|
this part for now.
|
|||
|
But for the rest of you, you probably still need to find your XMUX, and you
|
|||
|
need to know how to identify it.
|
|||
|
Before we get further into this, a small amount of knowledge of the whole
|
|||
|
scope of the XMUX is needed. Every XMUX is made up of at least 4 parts,
|
|||
|
each present on every single XMUX. These parts are called:
|
|||
|
- Console
|
|||
|
- Fox
|
|||
|
- Logger
|
|||
|
- Machine
|
|||
|
The Console is the actual system, the part that has to be hacked, the part
|
|||
|
that contains the information we are attempting to retrieve.
|
|||
|
The Fox is a test machine, serving no other purpose except to spout
|
|||
|
"THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG 1234567890 DE" over and over
|
|||
|
again.
|
|||
|
The Logger is displays a line or two of information such as the time & the LCN
|
|||
|
called, for the most part unimportant. But it does contain the node name.
|
|||
|
The Machine is basically a system information giver. I have yet to discover
|
|||
|
all of it's commands, but S gives some systems stats(including the node name)
|
|||
|
and L is an optional command that supplies the user with a system log(which
|
|||
|
contains link addresses & UID's).
|
|||
|
All of these can be useful in some way.
|
|||
|
The XMUX can be found in a number of ways:
|
|||
|
- On a standard NUA(XXXX XXXX)
|
|||
|
- On a standard NUA + extention(XXXX XXXX,XXXXXXXX)
|
|||
|
- On extentions off of Starmasters & PACXs.(XXXX XXXX,XXXXXXXX)
|
|||
|
- On LCN's(subaddressing) off any other type of system/OS.
|
|||
|
??????????????????????????????????????????????????????????????????????????????
|
|||
|
NOTE:"Password >" is the password prompt for the XMUX Console, occasionally
|
|||
|
proceeded by an operator definable system message such as "Vancouver XMUX".
|
|||
|
To be sure that this is a XMUX prompt, hit <ENTER>. If it returns the message
|
|||
|
"Invalid Name
|
|||
|
Names must consist of 1 to 8 alphanumeric characters"
|
|||
|
Then you are dealing with the XMUX Console.
|
|||
|
??????????????????????????????????????????????????????????????????????????????
|
|||
|
On a standard NUA it will bring you right to the "Password >" prompt, no
|
|||
|
hassles. You can then proceed to the section that deals with hacking the
|
|||
|
console.
|
|||
|
On a standard NUA + extention, it is not so easy. When you first hit the NUA,
|
|||
|
it will give you the "Remote Directive" error message, telling you that you
|
|||
|
"forgot" the extention. Now, the error message could mean you forgot the
|
|||
|
extention for a VAX, also, but we will assume that it is a XMUX on the NUA.
|
|||
|
This is true only a fraction of the time, but try this on every Remote
|
|||
|
Directive message, you'll find a good share of XMUX's. First of all, try the
|
|||
|
LCN(subaddress) of 1 on the NUA. If you come up with the Fox segment of the
|
|||
|
XMUX(explained earlier) then you have an XMUX Console on the NUA, it's just
|
|||
|
hiding. If the LCN brings up the Remote Directive message again, then try
|
|||
|
the extention of LOGGER on the NUA. If it brings up the XMUX Logger, then
|
|||
|
again, the XMUX Console is there, but with a bit of security added on. If you
|
|||
|
now know that you are on an XMUX, try the CONSOLE extention. It should bring
|
|||
|
you to the "Password >" prompt, or occasionally right inside without needing
|
|||
|
a password.
|
|||
|
Starmaster's and PACX's almost ALWAYS have an XMUX attached on to it. Use the
|
|||
|
Starmaster or PACX's NUA + the extention CONSOLE. It will most likely bring
|
|||
|
you to the "Password >" prompt.
|
|||
|
The LCN's off all the other system/OS types is a bit more complicated. You
|
|||
|
can either guess,pick the likely ones, or try them all. What this is is an
|
|||
|
XMUX in coexistance with another type of system, such as AOS/VS. The most
|
|||
|
common way to find these is by adding an LCN of 1 to the NUA of the system.
|
|||
|
If it comes up with the XMUX FOX section, then you can be sure an XMUX is
|
|||
|
present. To find the XMUX Console, use LCN's of 4 and above(2 & 3 being Logger
|
|||
|
and Machine), up to the LCN of 15(maximum on XMUX). If you still haven't found
|
|||
|
the Console, and it's returning the Remote Directive error message, now's the
|
|||
|
time to use the CONSOLE extention. In most cases it'll bring up the
|
|||
|
"Password >" prompt, or right into the Console Menu.
|
|||
|
|
|||
|
HOW TO PENETRATE THE XMUX CONSOLE "PASSWORD >" PROMPT
|
|||
|
-----------------------------------------------------
|
|||
|
To start you off, XMUX Console Passwords MUST be within 1 to 8 alphanumeric
|
|||
|
characters. Any combination within that boundary is an acceptable password.
|
|||
|
Now, while it is true that the password could be a random letter/number
|
|||
|
combination, such as G2Z7SWJ8, and therefore extremely impractical to hack, it
|
|||
|
is almost a given that the password is a relevant word or abbreviation, with
|
|||
|
not more than one numeric character, which is usually not even included.
|
|||
|
Also, you get 4 attempts at a password before being logged off, and remember,
|
|||
|
you don't even need to find a username.
|
|||
|
When you first reach the "Password >" prompt it's a good idea to try the
|
|||
|
defaults(in order of occurance):
|
|||
|
- Gandalf
|
|||
|
- Xmux
|
|||
|
- Console
|
|||
|
- System
|
|||
|
Also, Password(no, really), Network, CPU, Switch & Network are also frequently
|
|||
|
found.
|
|||
|
Then, if the defaults don't work, it's time for a little calculated brute
|
|||
|
forcing. If the system has a herald, such as "BenDover Field Communications"
|
|||
|
then try everything you possible can thing of that is relevant to the herald,
|
|||
|
such as Bendover, Ben, Dover, BDFC, Field, Telecom, etc. Also, combine these
|
|||
|
with the defaults, particularly Xmux. As in BenXMUX, or FieldMux, etc.
|
|||
|
If there is no herald, or all the thing you can think of to do with the
|
|||
|
herald fail as passwords, then it is time to get the node name. The node name
|
|||
|
is used very frequently as a password, thus a good thing to try. But where to
|
|||
|
get the node name with out getting the password first? It is contained in two
|
|||
|
other places other than the Console, with ALWAYS at least one of the
|
|||
|
facilities open to you. The Logger(LCN 2, or extention LOGGER) always spurts
|
|||
|
out the log name first upon connect. This is always available, i have only
|
|||
|
seen one case in which the Logger information was protected, and that was
|
|||
|
achieved by wiping it out, which very few people do. The other source is the
|
|||
|
Machine(LCN 3, or extention MACHINE), a very handy source of information.
|
|||
|
You will recognize the Machine by its "#" prompt. At this prompt type "S" for
|
|||
|
system stats. The first thing you see in the system stats is the Node Name.
|
|||
|
Also, with machines type "L". Occasionally it will be set to show the log,
|
|||
|
which contains the Link Addresses(usually other netted computers, frequently
|
|||
|
Gandalfs) and UID's as well. Try the Node Name by itself as a password, then
|
|||
|
in combination with all the above, such as a combo of Default & Node Name.
|
|||
|
If you follow all these above methods, 50% of the time you will find the
|
|||
|
password. Remember, people are stupid. An elitist attitude, but it works.
|
|||
|
If you don't get the password, don't worry, there are many more XMUX's out
|
|||
|
there with poor security, go for those. But before you move on, try the LCN's
|
|||
|
from 4-15, frequently you'll find another system, often a private PAD or an
|
|||
|
outdial.
|
|||
|
|
|||
|
WHAT TO DO WITH THE XMUX CONSOLE ONCE INSIDE
|
|||
|
--------------------------------------------
|
|||
|
For those itching to read other people's mail, or retrieve confidential
|
|||
|
files, etc, you will be very disappointed. Although once inside the XMUX
|
|||
|
Console you have virtual Superuser status, the commands are all maintenance
|
|||
|
related. But, often you will find other systems, quite often networks, PADs,
|
|||
|
& outdials from inside.
|
|||
|
You will first encounter the primary menu, which looks similar to this:
|
|||
|
Gandalf XMUX (date)
|
|||
|
Rev(version) Primary Console Menu (time)
|
|||
|
Node:(nodename)
|
|||
|
Primary Menu:
|
|||
|
1. Define
|
|||
|
2. Display
|
|||
|
3. Maintenance
|
|||
|
4. Supervise
|
|||
|
5. Exit
|
|||
|
Primary selection >
|
|||
|
|
|||
|
Now, although there are some other useful and interesting features to the
|
|||
|
XMUX console, i will only show you the 3 most useful features, those being
|
|||
|
Abbreviated Command, Service & Call Status.
|
|||
|
Abbreviated Command is an option found in the Define sub-menu. Hit 7 once
|
|||
|
inside the Define sub-menu to bring up the Abbreviated Command prompt. Type
|
|||
|
a ? to show all the abbreviated commands. If there are none, curse your luck
|
|||
|
and move on to the next feature. If there are some, type them in, one at a
|
|||
|
time. Each Abbreviated command is really a macro, and a macro of a NUA plus
|
|||
|
the subaddressing and data character extension needed to enter the system.
|
|||
|
These can be very useful, not only for the NUA & subaddress, but for the fact
|
|||
|
that the extension is included. Most times extensions are hard if not
|
|||
|
impossible to guess, and the macro throws it right in your face. The
|
|||
|
Abbreviated Command is in the format of XXXXXXXXdEXTENSION, in that the X's
|
|||
|
are where the NUA is placed, the EXTENSION is the extension characters, and
|
|||
|
the 'd' is really where the comma goes to separate the two. So if the
|
|||
|
Abbreviated Command was 55500123dabc, the NUA would actually be
|
|||
|
- 55500123,abc -
|
|||
|
Service is a menu option also from the Define sub-menu. What it enables
|
|||
|
you to do is view all the services available, plus their function &
|
|||
|
LCN. Type "11" from the define menu, then "?" for a list of the services
|
|||
|
available. Console, Fox, Logger & Machine will always be present. Anything
|
|||
|
else is a bonus, and should be capitalized upon. For example, if you see
|
|||
|
"Modem" as one of the services, then enter "Modem" from the Service
|
|||
|
sub-sub-menu to see which LCN the modem is on.
|
|||
|
Display Call Status is a handy command used from the Display sub-menu
|
|||
|
which gives a log of all the calls the system has handled. In the call log
|
|||
|
are the NUA's of the system that called, often a netted system such as another
|
|||
|
Gandalf.
|
|||
|
|
|||
|
CONCLUSION
|
|||
|
----------
|
|||
|
Well, that's all for now..if you have any questions or comments you can
|
|||
|
reach me at the RoT HQ's listed below, or most of the other RoT sites.
|
|||
|
BTW, for anybody truly interested in any of the Gandalf types, contact me and
|
|||
|
i'll supply you with the NUA's for Gandalf Technologie's BBS &
|
|||
|
Employee/Manager Sites.....
|
|||
|
Deicide
|
|||
|
-=RoT=- H/P Coordinator
|
|||
|
|
|||
|
-=RoT=- -=RoT=-
|
|||
|
WHQ US HQ
|
|||
|
6 <20><><EFBFBD>T <20><>D<EFBFBD>R The Cellar
|
|||
|
(604) 824-0317 (401) PRI-VATE
|