*********  *    *     ****
                         *      *    *    *
                         *      ******   *  
                         *      *    *    *
                         *      *    *     ****

                         The Hacker's Choice
                      Part I - The Login Hacker
               (c) 1996 by van Hauser/THC of L.o.r.E. BBS
-----------------------------------------------------------------------------

                        The Script Documentation

 This is the Login Hacker, the first release of the THC Project of L.o.r.E.
          --->>> READ THE NORMAL DOCUMENTATION FIRST ! <<<---
 For easy targets, you don't need this script language, you can use the
 menu to select everything you like. But for more difficult targets, you
 need this : The Login Hacker Script Language. It's very easy to use.
 It's like any other script language of terminal software but has got special
 possiblities for hacking.



                        Part I - The Structure

   everything that begins with a ";" is a comment.
   everything that begins with a ":" is a jump mark for goto commands
   Then there are 4 lines that start with a "#" - that marks the beginning
   of a special part in the script. 
   The first is #DEFINE which is to define the variables. 
   The second is a special one called #NOCARRIER where is
   automatically jumped to if the carrier gets lost without purpose 
   (the hangup command is on purpose, anything else not ;-) ). 
   The third is the #START where the actual script starts.
   The #END marks the end of the script.

*******************************************************************************
If you get an ERROR when compiling, there's a file named <name>.BAK in the
same directory. Look into it and compare the error message with the output
there.
There are two types of Error Messages produced while compiling :
WARNING Messages - important to take a look after that type, but the compiler
                   will compile it anyway. The script MAY run without problems.
                   This type is produced when f.e. the specified dictionary
                   is not found. Maybe you didn't copy it already.
ERROR Messages   - This is a critical error. The compiler terminates at once.
                   Check the Error message, the .BAK and the original file
                   to correct it.

*******************************************************************************

-------------------------------------------------------------------------------
                 Part II - The Definitions -> #DEFINE

 In this part you may ONLY declare the value of the variables.
 All variables are optional EXCEPT the logfile and the phone_nr variable.
 All variables are discussed in all their possibilties.
 You may NOT define any other variables of your own here !

#DEFINE

 LOGFILE=FILENAME    The Logfile to which all output is written.
                     ** This is one to the two variable which MUST be used. **
                     Example : LOGFILE=C:\OUTPUT\NY-SYS5.LOG

 PHONE_NR=NUMBER     The phone_nr variable is used when you use the DIAL
                     command. It may have letters and digits!
                     ** This is the second variable that MUST be used. **
                     Note : If your modem needs Pulse Dialing, put a "P"
                     in front of the number!
                     Example : PHONE_NR=1-800-WHO-CARES

 INIT_MODEM=STRING   If you need a special modem init string, use this command
                     Don't put the "AT" command in front! If not specified,
                     the standard THC_Login_Hacker Setup entry is used.
                     Example : INIT_MODEM=Z   (that would be "AT Z")

 INIT_DATA=STRING    This inits the Datachannel like Parity bit, data bits. 
                     stop bits etc. common are 8N1 and 7E1. if not specified
                     the standard THC_Login_Hacker Setup entry is used.
                     It must have those 3 characters. The first may either
                     be 7 or 8, these are the data bits. The second may be
                     P for Parity, E fo Even or N for None Control Bit.
                     The Third specifies if theirs 1 start bit or 2 altogether
                     (1 start + 1 stop bit). 7/8+E/P/N+1/2

 DIAL_TRIES=NUMBER   This variable declares the maximum numbers of dial
                     attempts the script does. The Number may be between
                     0-65535. Zero means unlimited connects! If the number is
                     reached a HANGUP follows and a comment is written in the
                     script.
                     NOTE : If NOT specified in the script, the settings from
                            LOGINH.CFG will be used!
                     Example : DIAL_TRIES=3
                     Standard : 0

 LOGIN_TRIES=NUMBER  This variable declares the maximum numbers of login tries
                     the script does. It may be between 0-2300000000.
                     Zero means unlimited. Note that if a dictionary file 
                     reaches EOF, the script automatically hangs up and
                     terminates. A Login is counted as a long try if the 
                     dictionary most used does a SEND_NEXT_DIC or NEXT_DIC
                     command or the same with the BRUTE.
                     NOTE : If NOT specified in the script, the settings from
                            LOGINH.CFG will be used!
                     Example : LOGIN_TRIES=0
                     Standard : 0

 DIC(NUMBER)=FILENAME  
                     Specify a dictionary to use in the script.
                     DIC are pointers to Dictionary files. You may have up to
                     3 dictionaries, from DIC(1) to DIC(3). With the commands 
                     Send_Next_DIC(1), Send_DIC(1), and Next_DIC(1) you can use
                     it. but more on how to use this later.
                     Example : DIC(1)=C:\HACKING\DICTIONA.RY\BAD_PWS.DIC

 FROM_DIC(NUMBER)=STRING  
                     This defines from which word up the dictionary is used.
                     Example : FROM_DIC(1)=Tracy
                               This example sends every word from "Tracy" on
                               in the specified dictionary number 1

 BRUTE(NUMBER)=STRING,NUMBER,NUMBER,NUMBER
                     Specify a brute force generator to use in the script
                     Now for the hardcore thing of this program :
                              The brute force option.
                     It's very flexible as you will soon see. The options 
                     for the BRUTE variable are divided into 4 parts, 
                     each seperated by a ",".
                  (1)The first tells what is used for brute force: a=lowercase
                     A=Uppercase 1=numbers $=special chars ^=Control Characters
                     A1$ would be Upper, numbers and special chars
                     ALL is a synonymous for the WHOLE ascii table!
                  (2)The second one tells how many different types must be there
                     to be a valid choice. "types" means the charsets of (1).
                     A value of 1 means EVERY generated word is Okay while
                     a value of 2 there must be at f.e. one Upcase and one
                     number in the generated word to be valid. 
                     (A value of 0 is not possible)
                  (3)The third tells the minimum length of a valid BF password.
                  (4)The fourth the maximum length. 
                     NOTE : Minimum length is 1 - Maximum length is 12 !
                     And again you may have up to 3 brute force generators.
                     (BRUTE(2) etc.) and if one reaches the end the script 
                     finishs. 
                     Commands to use later are : 
                     Next_Brute(1), Send_Next_Brute(1), Send_Brute(1)
                     Example : BRUTE(1)=a,1,1,6
                               This example inits the brute force generator
                               number 1 with the following data :
                                * lower case letters only
                                * at least one type of char set must be present
                                  in a valid brute generated word
                                  (at least "1" means everyone will do)
                                * Minimum length of a valid word is 1
                                * Maximum length of a valid word is 6

 FROM_BRUTE(number)=STRING
                     This starts the brute force generator with this 
                     initalisation. If started with a 4 letter digit and you
                     scan 1-8 digits, 1-3 digits won't be checked.
                     The entry is generated increasingly from the right.
                     that means : first aaaa, then aaab, then aaac etc.
                     Example : FROM_BRUTE(1)=2527

-------------------------------------------------------------------------------

                         PART III - The #NOCARRIER Section

     As said before, this is the point which is executed when you loose the
     carrier and didn't use the HANGUP command. NOTE that it will terminate the
     script when you don't end this part with a GOTO(#START) or GOTO(1) etc. !!
     The DIAL_TRIES setting ISN'T checked here.
     ... remember you need to dial again to the system.
     I don't tell you the commands here ... look in the #START section.

#NOCARRIER


-------------------------------------------------------------------------------

                         PART IV - The #START Section

     This is where you program the algorythm to hack a system.
     Every command is presented here ... so read carefully !


#START

 LOG(STRING)       With the LOG() command you write something into the logfile.
                   It can be any text, variables MUST have a "$" sign in front 
                   of them and MUST have spaces around it or "(" or ")" ! 
                   Every LOG command automatically prints ENTER at the end.
                   Example : LOG(Beginning on $DATE * $TIME)
                             this prints "Beginning on 24-12-95 * 23:00"

 LOG_(STRING)      same as above but doesn't writes CRLF (End-Of-Line) after
                   the text.

 :NUMBER           every line that begins with a ":" is a GOTO Marking.
                   It can only be a number ! You may have up to 240 markings
                   (only with the numbers 1 to 240 ... no others)
                   You may jump to such a marking with the GOTO, GOSUB,
                   CHECK4OUTPUT and CHECK4CARRIER commands.
                   Example : :1   
                              this specifies the jump point number 1 on this line
                         

 GOTO(NUMBER)      This jumpt to the specified Jump Marking.
                   You may also jump to #START, #NOCARRIER and #END
                   Example : GOTO(#END)  (this terminates the script)

 GOSUB(NUMBER)     With the GOSUB Command you jump to one goto marking. 
                   It will execute normally after that; it will jump back
                   to the point the GOSUB command was executed when a 
                   RETURN command is encountered.
                   Can't be GOSUB(#END) !
                   Example : GOSUB(4)

 RETURN            Returns to the location of the last gosub command executed
                   and continues normally. If a return command is encountered
                   without a Gosub start adress in the buffer, it will be 
                   ignored. You may have as many as 255 gosubs in buffer.
                   Example : RETURN

 CHECK4CARRIER(NUMBER) 
                   Checks the modem if it has got a carrier connect. If NOT
                   it jumps to the specified goto marking. If YES it sets the
                   internal connect variable to TRUE to check for NO_CARRIERS
                   You may also jump to #NOCARRIER, #START and #END.
                   It is also possible to just turn the checking ON or OFF.
                   If Check4Carrier(ON) is done instead of check4carrier with
                   a jump marking it does a carrier detector check and if NOT
                   presents jump to #NoCarrier
                   This command is useful ONLY when you first turn 
                   CHECK4CARRIER(OFF) or you don't use the DIAL command to
                   connect to your target (f.e. let the SCAVENGER DIALER do
                   this.)
                   Examples : CHECK4CARRIER(#NOCARRIER)
                              CHECK4CARRIER(5)
                              CHECK4CARRIER(ON)
                              CHECK4CARRIER(OFF)

 CHECK4OUTPUT(NUMBER) 
                   Like the ALARM Function below : If OUTPUT from the modem
                   is detected it immedeantly jumps to this specified jump
                   marking. You may also jump to #NOCARRIER, #START and #END.
                   It is also possible to just turn the checking OFF (so disable
                   a specified output checking)
                   Examples : CHECK4CARRIER(#NOCARRIER)
                              CHECK4CARRIER(5)
                              CHECK4CARRIER(OFF)

 DIAL              This Dials the number specified in PHONE_NR. If it is still
                   connected to a system it hangs up first.
                   Example : DIAL

 HANGUP            Hangs up/drops the carrier, etc.
                   Example : HANGUP

 WAIT4STRING(NUMBER,STRING,NUMBER,COMMAND,STRING)
                   Now thats the most important command in this script language.
                   It waits for a special word in the modemoutput. 
                   If it is encountered, the script continues, if not, 
                   after the timeout, a specified string is send to the modem
                   and after a specified number of timeouts, a command may be 
                   executed.
                   NOTE: First WAIT4STRING checks if in the CURRENT line is
                   the word present. If not it waits for it.
                   The Syntax : WAIT4STRING(a,b,c,d,e)
                       a : How many seconds, after it will be an timeout. 
                           (0-255) 0=unlimited (waits until TOTAL TIMEOUT
                            - the script will jump to #NOCARRIER if no data
                           comes from modem after 5 minutes ! - if nothing 
                           gets through OR the string is detected in the
                           datastream  at any time OR carrier gets lost
                       b : The string that will be send to the modem after
                           a timeout
                       c : After how many total timeouts the failure command
                           will be executed. 0=never, 1=first time, <=255 
                       d : The special failure action command. It may be ANY
                           (or none) command EXCEPT : ALARM, WAIT4STRING, IF
                       e : The String to wait for ! (Case sensitive!)
                   Example : WAIT4STRING(15,^M,2,GOTO(1),ogin:)
                   In this example it waits for string "ogin:" for 15 
                   seconds, and if not encountered, if sends a carriage return
                   to the modem (^M), then waits again for 15s, and if "ogin:"
                   is again not encountered, ^M is send again and after the 
                   next 15s the FAILURE command is triggered, which means GOTO 
                   jump mark no. 1

 LOG_SESSION_ON    From this point up, anything send from the modem is written
                   to the logfile
                   Example : LOG_SESSION_ON

 LOG_SESSION_OFF   if writing screenoutput to log was active, 
                   it isn't any more to this point.
                   Example : LOG_SESSION_OFF

 SEND(STRING)      The SEND command sends a string to the modem. You may here
                   also send variables with a "$". It sends an ENTER 
                   (Carriage Return) at the end.
                   If no String is specified, it just prints an ENTER.
                   Example : 
           SEND(echo Hacked you system Time : $TIME - Date : $DATE > HACKED.TXT)
           this sends "echo HAcked your system Time : 23:00 - Date : 24-12-95 > HACKED.TXT"

 SEND_()           Same as above but doesn't sends the ^M character (ENTER) at
                   the end. Useful if you just need to enter one character
                   or want to enter the modem command mode with  +++
                   Examples : SEND_(n)
                              SEND_(+++)

 SEND_NEXT_DIC(NUMBER)
                   This moves forward the pointer on the current word in
                   the dictionary and sends it to modem.
                   Example : SEND_NEXT_DIC(1)

 SEND_DIC(NUMBER)  This sends the current dictionary word to modem.
                   Example : SEND_DIC(1)

 NEXT_DIC(NUMBER)  This moves forward the pointer on the current word in
                   the dictionary.
                   Example : NEXT_DIC(1)

 SEND_NEXT_BRUTE(NUMBER)
                   This generates the next valid brute force string and
                   prints it to modem.
                   Example : SEND_NEXT_BRUTE(1)

 SEND_BRUTE(NUMBER) 
                   This prints the current valid brute force string to modem.
                   Example : SEND_BRUTE(1)

 NEXT_BRUTE(NUMBER)
                   This generates the next valid brute force string.
                   Example : NEXT_BRUTE(1)

 IF VARIABLE OPERATOR STRING THEN COMMAND
                   The IF command isn't very flexible by now ... tell me what
                   you need and it will be in the next version.
                   SYNTAX : IF <variable><operator><string> THEN <command>
                      <variable> may be anything which is mentioned in PART VI
                      <operator> may be "=" if it must be equal, "<" or ">" 
                                 for greater and smaller and "~" if the variable
                                 contains the string
                      <string>   may be any word. for "<" or ">", variable and 
                                 string must be digit variables !
                      <command>  this command is executed when the condition
                                 is TRUE. Look at the Command Listing for
                                 WAIT4STRING to look up what you can use.
                   Example : IF STRING~ogin THEN GOTO(3)
                             IF the CURRENT LINE(STRING) CONTAINS(~) the string
                             "ogin" in it THEN goto jump mark no. 3

 EXECUTE(STRING)   Executes a DOS Program. after the executen it continues 
                   the script. You MAY include variables in the execution
                   line. You may execute internal MsDos commands.
                   Remember to put an "$" sign in front of variables and only
                   spaces or "(" and ")" in front/back.
                   WARNING : If you want to execute programs while connected
                             in the script you MUST use a fossil driver or
                             the computer will lock up! (Has got something to
                             do with the interrupts ...)
                             Use   X00.EXE E 2   before running LOGIN HACKER
                   Note:If the program to exexute is in your PATH enviroment
                        it will be found ... but better safe then sorry ;-)
                   Example : EXECUTE(C:\SB\VPLAY C:\SB\VOC\HACKED.VOC)
                             EXECUTE(COPY $LOGFILE C:\HACKED)

 ALARM(STRING,COMMAND)
                   If a special string from the modem is encountered at a 
                   point, this will trigger this special command. If a Alarm 
                   is set, it will be active until it is disabled with the 
                   command ALARM() or a new ALARM string or command is 
                   specified. The Syntax ; ALARM(string,command) or ALARM().
                   STRING : is the string for which is search in the data 
                            which is send from the modem. 
                   COMMAND: is the command to execute when encountered.
                            Look at the Command Listing for WAIT4STRING
                            to look up what you can use.
                   Useful for example if you wanna hack a BBS where the SYSOP
                   could break in for a chat to ask for your doing. 
                   With this command you could automatically hangup and 
                   terminate the script.
                   Example : ALARM(chat,GOTO(#END))

 SET VARIABLE=STRING
                   With this command you can define a variable in the #START 
                   or #NOCARRIER section. If a variable is a digit you may 
                   only set it to a digit. You may set the following variables:
                   STRING, DIAL_TRIED, LOGIN_TRIED, S_TMP, D_TMP
                   Example : SET D_TMP=3
                             This sets the digit variable D_TMP to 3

 INC(DIGIT_VARIABLE)
                   Increases the specified digit variable by 1.
                   Will only do the command if the variable won't be out of
                   the specified range after the addition.
                   Valid for : DIAL_TRIES, DIAL_TRIED, LOGIN_TRIES, LOGIN_TRIED
                               and D_TMP
                   Example : INC(D_TMP)

 DEC(DIGIT_VARIABLE)
                   Decreases the specified digit variable by 1.
                   Will only do the command if the variable won't be out of
                   the specified range after the subtraction.
                   Valid for : DIAL_TRIES, DIAL_TRIED, LOGIN_TRIES, LOGIN_TRIED
                               and D_TMP
                   Example : DEC(D_TMP)

 WAIT(NUMBER)      Waits until the specifies seconds have passed. NUMBER must
                   be between 1-255.
                   Example : WAIT(10)

 WAIT_(NUMBER)     Waits until the specifies milliseconds have passed. 
                   NUMBER must be between 1-65535.
                   Example : WAIT(500)   (a half second)

 BEEP              It makes a BEEP ! Cool eh? ;-)


#END


-------------------------------------------------------------------------------

                  PART VI - Variables and Control Characters


 Now I tell you all the variables that can be used for a SEND() or LOG()
 command, and which additional variables you have got here.
 As we said before, to print a variable to modem or logfile you must write a
 "$" in front of it and there must be spaces around it. Variables you
 can use are : - any of the specified in #DEFINE - but only the ones defined!
               - STRING      which is the last LINE sended from the modem
               - STRING2     has got the last 250 chars sended from modem.
               - DIAL_TRIED  the actual tries to dial to the number
               - LOGIN_TRIED the actual tries to login
               - TIME        the actual time in hoursminutes (without ":" !)
                             Example : TIME=1505 means 15:05 (3.05pm)
                             if minutes are below 10 you must write a zero
                             before it.
               - DATE        the actual date (in the format MMDD)
                             Example : DATE=503 means the 3th may
                             if a day is below 10 you must wrte a zero before
                             it.
               - DIC(1)      the actual entry of the dictionary 1
               - BRUTE(2)    the actual string of the brute force generator 2
               - S_TMP       a string variable you can use as you like
               - D_TMP       a digit variable you can use as you like

 For the IF and SET command : you may only use these variables above, NOT the 
 ones in #DEFINE (where should be the logic? Those are static, constants, you
 don't have to check them with IF !). Don't need the use the $ in front of
 a variable here. This is only for SEND, LOG, WAIT4STRING where you need the
 $ sign ...

 Examples : IF TIME>1215 THEN GOTO #END     (if it's after 12:15 it exits)
            LOG($DIC(3))
            SEND($S_TMP)


 Now for special characters. You may write any CONTROL characters with the
 LOG, SEND, or WAIT4STRING command with the "^" sign, proceded by the letter
 of the control character. ENTER would be ^M. to print a normal "^", you must
 write "^^" ... okay ? You may use from ^A to ^Z plus ^[ ^\ ^] and ^^

 Examples : SEND_(^D)


-------------------------------------------------------------------------------
#DEFINE
<definitions>
#NOCARRIER
<some commands>
#START
<here you write your algorythm>
#END
-------------------------------------------------------------------------------

 For suggestions or bug report, call L.o.r.E. BBS  ++49-(0)69-823282
                                     Login : THC   Password : THC
 to write a comment to sysop, leech any THC release or get one of the
 things this board is distributor, for example the SCAVENGER Dialer,
 VLAD Magazine etc.
 Call ARRESTED DEVELOPMENT (see THC.NFO for number) ans write to  van Hauser
 OR write me an email ... adress + public pgp key below.

-------------------------------------------------------------------------------
van Hauser's Public Key Block for vh@campus.de :

van Hauser/THC   L.o.r.E. BBS
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.1

mQCNAzB6PNQAAAEEALx5p2jI/2rNF9tYandxctI6jP+ZJUcGPTs7QTFtF2c+zK9H
ElFfvsC0QkaaUJjyTq7TyII18Na1IuGj2duIHTtG1DTDOnbnZzIRsXndfjCIz5p+
Dt6UYhotbJhCQKkxuIT5F8EZpLTAL88WqaMZJ155uvSTb9uk58pv3AI7GIx9AAUT
tBp2YW4gSGF1c2VyL1RIQyBvZiBMT1JFIEJCUw==
=6UhL
-----END PGP PUBLIC KEY BLOCK-----