----------------------------- ========================================= The Reign of Terror RoT guide to HACKING THE GANDALF STARMASTER (also known as PACX or Access Server) written by >>>>>> Deicide <<<<<< 05/22/93 ========================================= ----------------------------- INTRODUCTION ------------ This entire tphile is based on my knowledge and experience alone, since I do not have access to the manuals for this system, and I have never seen another phile on this subject before. Because of this there may be mistakes or flaws, and I apologize for this, but it will give you a very good idea on how to go about hacking and exploring this wonderful system. I used to believe that the PACX and Starmaster were completely different systems, but I now think otherwise. The reason being the EXACT same 'defaults' work on both the systems, and the setup is entirely the same. So until i find out otherwise, i consider the PACX & Starmaster(also known as the Gandalf Access Server) to be one and the same. First off, the Gandalf systems, which also include XMUX/KMUX are made by Gandalf Technologies Inc., and in Canada produced by Gandalf of Canada Ltd. The XMUX & Starmaster systems are closely intertwined, as you'll see later. As always, the defaults listed will not always work, you'll have to actually do some hacking if they don't. DIALIN PASSWORD --------------- The first security feature you may find on a Starmaster is the dialin password. This is rarely used, but is a feature you should know about. You may see a herald first, then to a prompt like: DIALIN PASSWORD? If the password you enter is incorrect, you will get the message: INVALID RESPONSE and you will be back to the prompt. You will usually get 3 attempts, but it can anywhere from one to 10. As far as i know, there are no reasonable limits to the length of this password. The things to try first are: GANDALF PACX STARMASTER ACCESS SERVER 2000 NET NETWORK PASSWORD DIALIN If they don't work, try the node name. It will be explained later how it is possible(sometimes) to get the node name externally. And if that does not work, or it is unattainable, then it is back to brute forcing. USER INTERFACE -------------- Occasionally, instead of going to the server, you will face what i termed the 'User Interface'. Don't ask why, i suppose it is because it is individual oriented first, instead of the server. You will occasionally get a header, sometimes with your subscriber name, then the prompt: USERNAME? I'm not sure of the size restrictions, but i believe the maximum is between 8-12 characters, the minimum is possibly 4 characters. The usernames will often be the users first name, sometimes followed by a character(usually 1, this in the case of multiple users with the same first name). Depending on the sysadmin, it could be last names as well. The defaults to try are: TEST TESTUSER GANDALF GUEST SYSTEM There may well be others, such as MAINT or SYSMAINT, but i have never found any other non-person username. It will tell you if the username is wrong, again with the INVALID RESPONSE, so it shouldn't be too difficult to figure a name out. Frequently (but not on the defaults) there will be no passwords used. If a password exists, you'll have to resort to brute force. You will, again, receive between 1 to 10 attempts at the username, usually only three. SERVER INTRODUCTION ------------------- The server, in my opinion, is the essential part of the Starmaster system. Although console may be considered the backbone of the Starmaster, access to the server is what you need to have, and what you need to get to all the wonderful services you may find on a Starmaster. You should pop right into the server upon connect, and after bypassing the dialin password if it exists. Often you will receive some type of herald telling the node, city or system type before the prompt. The prompt for the server varies from system to system, but it will usually resemble one of the following: SERVICE? Enter service: service: class: Enter class: Etc. It can be whatever the operator desires it to be, even nothing at all! Sometimes you will even receive a menu. It will NOT list all the options, to be sure. Console will not be on there, almost for sure. But it still must exist, even if it is not allowed. If it asks for numbers, typing CONSOLE (or any other mnemonic they may have) will still bring you to the console or show you an error message. So, with all this diversity, you may be wondering how to find out for sure whether it is a Starmaster or just another server! Just enter random garbage, and you will receive a message, which is usually INVALID RESPONSE, but will occasionally be something to the effect of SERVICE UNATTAINABLE, or the such. Always in capitals. But to be sure, enter CONSOLE. If it brings you to a prompt asking for a username, or says "SERVICE ACCESS NOT ALLOWED", then you have found yourself a Starmaster/PACX system. SERVER COMMANDS --------------- Like with every server, you need to know where to go from the prompt. As you may or may not know, Gandalf Starmasters are famous for their PADs & ODs, many of which are left unprotected. This is only the beginning. First off, the motherlode. CONSOLE. This is the command to access the console of a PACX/Starmaster, which if you can hack into, is the equivalent of root on a Unix, plus more, much more. I will go a bit more into the console later on, but be aware that like the root on a Unix, console MUST exist. It is what sets up, controls, and performs maintenance on the Starmaster. But, unfortunely, there is a setting in the console that can give/take away access to the console from remote. So, if the operator knows he will never be using the console options from away from home/business, he will probably remove remote access, leaving you stranded. This will be covered a bit more later on. Now for the other possible network connections. First names are common, and usually unpassworded, but they frequently turn up nothing. Other than the default list i'll provide below, try things such as single characters, or 3 character abbreviations. Also, try anything the header(if there is one) might display. Here is a list of commonly found links: X25 X28 PAD X25PAD X28PAD DIAL DIALOUT OUTDIAL MODEM MODEM1 SERVER SPRINTNET HP3000 UNIX VAX SYSTEM NETWORK NET MENU HELP INFO TYMNET DATAPAC TELNET INTERNET MAIL SERVER XMUX XCON GATEWAY HOST X.25 X.28 HP CPU Etc, etc. Any other possible links you can think of may or may not apply. In fact, some systems are kind enough to provide a command that will give you a menu of all the possible connections! Unfortunely, passwords may exist on all or some of the services, but suprisingly, they rarely do. PADs/ODs will frequently have passwords, but i can testify the opposite on a number of occasions. It is worth a try, trust me. If passworded, the same 1-10 attempt rule applies, and you will usually have to resort to brute force(unless you have console access..hehe) if combinations of the service name do not work. CONSOLE ------- To gain access to the console should be your prime directive. It will put the system entirely at your mercy, as all other security barriers fall when you successfully penetrate the console. First off, you will get a system herald plus a user name prompt, like this: GANDALF TECHNOLOGIES INCORPORATED, COPYRIGHT 1990 OPERATOR NAME? The real operator of this system should keep this protected at all cost, thus making it difficult for you. But sometimes they do not. As a default, try these: SYSTEM GANDALF TEST The usernames are 1-8 characters long. You will have 1 to 10 tries at the username or password before being cleared from the circuit. Again, it does tell you if the username exists. Once in, it will first ask you which system type you would like. Usually it would be option 1, for VT100. After that, it will bring you to the primary menu. I am NOT going to go step by step through the entire console, as it is menued and easy to understand. The options are laid out in plain english, and it will not be hard to find what you want. But, i will help a bit. First, to scroll through the fields, moves you forward, moves you back, and toggles options in a field. The one thing you should look at is the SERVICE option(DISPLAY then SERVICE for displaying the services, or DEFINE then SERVICE for modifying them). It will give a list of all the services available, and if you look closer it will show the password if applicable. If you still can't access a service after you've verified it, make sure the setting NETWORK ACCESS PRIVILEGE is set to YES. If not, you won't be able to access it. If it is at NO, simply change it to YES with the main menu option DEFINE. I have _almost_ found a way to set up my own PADs from the console, but the connect string is setting me back. I have verified this off two completely separate Starmaster consoles, so there is no disputing the feasibility of the following, but i still don't know how to get the connect string to function. If you can, then you have a virtually unlimited supply of PADs. First, display the services. Look for some kind of Gateway service, such as XGATE0, GATE0, GATEWAY1, etc. Write one down. If for some reason it a gateway does not exist, make your own. Define a service, picking whatever name you desire between 1 and 8 characters. Something such as the ones i mentioned above. In the first field, toggle with the spacebar until you see GATEWAY. Hit and move on. The other field you'll have to define is subscriber assignment. If it is already at FIRST AVAILABLE, just hit and you are done. If not, toggle until it is. Next, define a service. This can be whatever you'd like as long as it doesn't already exist and you keep it 1 to 8 characters. In the first field, toggle with the spacebar until you come to VIRTUAL. Hit and move on to the next field. For the next field, gateway service, enter the gateway service that you wrote down previously or created. Leave the next field(service/profile) blank. The password field is up to you. Have the wait list enabled, and the ready prompt on leaving wait list as well. Do not have service idle timeout. MAKE SURE Network Access Privilege is set to YES. Have third party privilege at no. Screen refresh - no. Hit enter through the next fields until you reach the CONNECTION STRING field. This is the wall i'm facing. I know from my exploring the internals that the correct string is this: ~v(x.28) BUT, it will not accept it. This i don't understand, but possibly you will be able to figure it out, it is the only thing you need before your very own PAD is set up. CONCLUSION ---------- I hope you enjoyed that, and if there is an error, please contact me, remember, i had nothing to go on but my experience, but none the less i hope i helped you out a bit...for comments/suggestions/chat/etc you can contact me at my board, or any of the other RoT sites, listed below.. lateron... Deicide - RoT H/P Coordinator CCi H/P Moderator Sysop: AEC Private RoT SITES --------- AEC Private - WHQ - (604) 858-1983 The Cellar - USHQ - (401) XXX-XXXX Million Dollar Saloon - Member Site - (817) XXX-XXXX Psychic Link - Member Site - (818) XXX-XXXX Kung Fu Theatre - Member Site - (401) XXX-XXXX Northern Lights - Member Site - (909) XXX-XXXX Liquid Euphoria - Dist Site - (914) XXX-XXXX The Phactory - Dist Site - (313) XXX-XXXX The Web - Dist Site - (203) XXX-XXXX