--------------------------------------------------------------------------------
                              The Hacker's Choice
--------------------------------------------------------------------------------

                       REMOTE ACCESS BBS HACKING TOOLS
                          by Skywalker [F/S]/[THC]

        I.    Preface
        II.   Overview
        III.  RAHACK
        IV.   RA_CRC
        V.    RGETF
        VI.   RATROJAN
        VII.  Last Words


I. PREFACE
---------------

Remote Access has become the 2nd most used BBS software for the PC (after
PcBoard). It is mainly used for filebase-oriented mailbox services and
Fido/Shareware BBSes. The current version is v2.5.

These fine tools will help you to hack those systems. Have fun and don't do
anything illegal with it ;-)

NOTE: Be EXTREMELY careful with RAHACK.EXE!
      1st it's a virus and a disinfector isn't in this release ;-)
      2nd it is very powerful and can hack nearly any PC based BBS soft!

All these tools were coded by Skywalker from [THC] | [F/S Labs Inc.] except
RATROJAN.ZIP, which was sent in by another user. (Sorry, I apologize, I forgot
who it was - please email me and I'll update that. You didn't put your name
anywhere ... *sigh* ... [van Hauser])


II. OVERVIEW
---------------

These are the three tools to help you get a RA BBS hacked:

RAHACK.EXE - A virus which hooks on the serial port interrupt and watches
             for special keywords. Needs INFECT?.DAT files.
RA_CRC.EXE - Cracks the passwords from USERS.BBS. You can either use
             bruteforce or do a dictionary attack. Needs CHAR.SET for BF.
RGETF.COM  - Dumps a file to stdout. Uses FRESTORE.EXE to get a file back.
RATROJAN   - A ZIP file containing RATROJAN.EXE (the trojan maker) and the
             trojan data file.


III. RAHACK
---------------

RAHACK is a simple program to hack boxes that run under Remote Access.
Its function is really easy to understand: once it is installed on the
target system (the BBS), it checks the contents of the video RAM every
second. In fact only the word before the cursor is relevant. Let's call this
word KEYWORD. There are 3 keywords: 'checkboxports', 'iamtheboss',
'givegodmode' (all in lower case). Let me explain the meaning of those
keywords...

checkboxports : If this keyword is in front of the cursor, the TSR will
                output the com port number to every existing port
                (according to the BIOS entry), e.g. a '2' will be written
                to com port 2. This allows you to find the com port the
                modem is connected to.

iamtheboss    : This keyword must be typed in after a valid number
                (1,2,3,4), which represents the current com port. After
                the word is identified as valid, the following is typed at
                the local console (BBS): ALT-J (to jump into the DOS shell)
                followed by 'ctty comX', where X is the number you typed
                before 'iamtheboss'. So the stdio is redirected to your
                port ... You will get to the DOS prompt. So go on and get
                the sysop's TM.FON (just TYPE it !!!).

                e.g.: you find out that you are connected to COM 2 (by
                using checkboxports), so you just type:

                    2iamtheboss      (do not press CR)
                    ====> C:\RA>

                hehehe..... To get back to the BBS do the following:

                    ECHO ctty con > xy.bat
                    ECHO exit >> xy.bat
                    XY.BAT

givegodmode   : This one will type ALT-S, 6, 5, 5, 3, 5, CR at the BBS
                console (jump to the security menu and set the current
                user to sysop level). ;)

Just try the iamtheboss at Telemate via null-modem (it's the same ALT-J)....

Okay... this is really nice... but how to install the TSR on the BBS ???
This is managed by a little(?) virus.... There are generally two sorts of
viruses to install at the BBS:

1. Generic EXE Infector:
   This one will infect nearly all EXE files, except files that start with
   'sc', 'cl', 'tb', 'fp' or 'f-', to avoid infecting McAfee, tbav or fprot
   utilities.
   As one of the first files it will try to infect c:\dos\smartdrv.exe.
   It will not infect read-only files. Not all files will work if infected
   (e.g. dpmiload from bc35), so the sysop will recognize this virus even if
   it is not detected by McAfee's scan, tbav or fprot. I also included a
   small piece of code that will not allow an infected file to be cleaned
   by the heuristic clean of tbav (this one is only for lamers).

2. Target Oriented Infector:
   This virus only infects ONE specified EXE file. It will infect the target
   even if it has the read-only flag set. Use it e.g. on
   C:\dos\smartdrv.exe ...

So ... to attack a BBS take a fake file and type

    RAHACK fakefile.exe

This command will append the generic EXE infector to fakefile.

    RAHACK fakefile.exe target.exe

will append the target oriented infector to fakefile.exe. The target will be
target.exe (with full path).

Okay... some more information... The virus will install itself in memory and
hide by reducing the base memory size. It will hook int 08h for the timing
and int 21h for infection. The commands at the BBS are written directly to
the keyboard buffer. It is not the best virus but it works... I also included
a sign for tbav's tbscan. So just be careful with the generic EXE
infector.... puh... it is really awful to clean an infected system.....

NOTE: The 'iamtheboss' keyword will also work on many other BBS types which
      are PC based ... nearly all BBSes use ALT-J to do a Jump-2-DOS ...


IV. RA_CRC
---------------

RA_CRC - Remote Access 2.x password hacker.

If you hacked into a RA board just leech the USERS.BBS and try to get the
users' pwds by using this util... It just works with a simple crc32
calculation routine. I included the crc32 table for those who want to write
their own hacker...

NOTE: If you use a wordlist be sure all characters are in upper case !!!


V. RGETF
---------------

Use this to get files from the remote system if only the stdio of the remote
is available.

SYNTAX: rgetf filename.ext

It will dump the file (hex) to stdout.
Just log all... then use frestore to get the file back.

SYNTAX: frestore logfile.ext outfile.ext


VI. RATROJAN
---------------

A nice easy trojan maker. All you need is a COM file you want to infect and
the username you wish to modify once the infected file is executed by the
sysop. You can change your Level, Credits, A-D Flags ... You *should*
compress the file after that in a way that it cannot be uncompressed easily
... because the data isn't hidden in the COM file.

[I left this in the original ZIP archive the author sent me because I don't
know his name anymore - sorry for this.]


VII. Last Words
---------------

Be careful with these tools and don't play with them. Please don't just hack
a BBS and format the harddisk; by this you only prove that you are still a
10 year old kid. A sysop puts much work into his BBS, and users also
contribute to a BBS being successful. By crashing one BBS after another,
1st you put the BBS scene down (which already has got problems standing
against the internet) and 2nd you put a bad, bad light on us - the hackers
... so follow the hacker codex and have fun ...

--------------------------------------------------------------------------------
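
Added example, not part of the original release: section IV says the USERS.BBS passwords are protected only by a CRC32 over upper-case text, and this Python sketch shows why that cannot serve as a password store and how records can be upgraded at the next successful login. It assumes the standard CRC-32 polynomial (zlib); the record layout, function names and sample passwords are constructed for illustration.

```python
import hashlib, hmac, os, random, string, zlib

def legacy_digest(password: str) -> int:
    # Assumption: standard CRC-32 (zlib polynomial) over the upper-cased password.
    return zlib.crc32(password.upper().encode("latin-1"))

def find_collision(seed: int = 1996) -> tuple:
    """Birthday search over constructed random strings: two different
    passwords that the legacy scheme cannot tell apart."""
    rng, seen = random.Random(seed), {}
    while True:
        cand = "".join(rng.choices(string.ascii_uppercase, k=8))
        first = seen.setdefault(legacy_digest(cand), cand)
        if first != cand:
            return first, cand

def strong_record(password: str, iterations: int = 200_000) -> dict:
    """Replacement record: per-user random salt plus a slow, case-sensitive KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2-sha256", "salt": salt, "iter": iterations, "hash": dk}

def verify_and_upgrade(record: dict, password: str) -> tuple:
    """Check a login. A legacy record that verifies is replaced at once,
    while the plaintext is still in hand; the caller stores the new record."""
    if record["scheme"] == "crc32":
        if legacy_digest(password) != record["hash"]:
            return False, record
        return True, strong_record(password)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             record["salt"], record["iter"])
    return hmac.compare_digest(dk, record["hash"]), record

if __name__ == "__main__":
    a, b = find_collision()
    print("same legacy digest:", a, b, hex(legacy_digest(a)))
    legacy = {"scheme": "crc32", "hash": legacy_digest("Secret42")}  # constructed record
    ok, upgraded = verify_and_upgrade(legacy, "Secret42")
    print(ok, upgraded["scheme"], verify_and_upgrade(upgraded, "SECRET42")[0])
```

A record stays as weak as the legacy scheme until its owner has logged in once, so accounts that never migrate should be expired or forced through a password reset.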