Saturday, December 12, 2009

The REAL way to hack RemoteAccess

Why the "Fun with RA boards" hacking method is LAME!
(The REAL way to hack RemoteAccess)
-----------------------------------

Knocked up by ByTe RyDeR of the FundeMäNTAL CoNNeCtiON


"Saving the Brain Forest"


Well dewdz, ya seen the file text about hacking RemoteAccess and you wanna
crack that H/P or warez RA board for mega ratios? Get Real!

RA *CAN* be hacked but only in the same way as any other BBS sox... no
sysop reading that file will have shat themselves .. here's why not:

Basically the technique outlined involved you writing a trojan and
disguising it as some program the sysop is really gagging for in the hope
that he'll run it on his system. Wot it'll really do is copy his USER.BBS
onto the filebase so you can call back later and d/l it... neat idea, and
one that in *theory* will work with most BBS sox (most are EVEN easier coz
they don't encrypt the users file like RA) but their execution of it sucks!

Firstly, their compiled batch file relied on the sysop running RA off their
C: drive from the directory \RA... Yeah, maybe some lame PD board they
hang out on is like that but most sysops I know run multiple drives and
many have more complex directory structures... Lame Hacker 0 - Sysop 1

Okay... letz assume they got on some lame fucking board and the users file
*is* C:\RA\USERS.BBS - next step is to copy the file into the filebase and
make it d/lable. How do they do that? (patronising Dez Lymon voice)

Their idea was to copy the file into D:\FILES\UPLOAD .. Yeah sure guyz...
EVERY board uses the D: drive for the filebase and happens to have a file
area in \FILES\UPLOAD - NOT!!!!!! Lame Hacker 0 - Sysop 2

Right, so they got better odds than winning the national fucking lottery and
all the above worked (yeah man, we're dreamin' but let's give 'em a chance).
What next? The file has to be d/lable... you found a sysop that makes
UNCHECKED & UNSCANNED files available for download? Fuck off! Get a life!
Lame Hacker 0 - Sysop 3

So... okay.... we got a sysop that's so fucking lame he doesn't deserve
to breathe the same air as the rest of the human race and uses all the
above paths and makes unchecked uploads d/lable. RA by default won't allow
files to be d/led UNLESS they're in the file database. Unless the USERS.BBS
destination ALREADY EXISTED in that area and was previously in the area
database there's NO WAY you can d/l it.

The way they "solved" this was to add an entry to FILES.BBS in the file
directory. Nice one... EXCEPT RA DOESN'T USE FILES.BBS AS ITS FILE
DATABASE. Unless you happen to be lucky enough that the sysop does an
import from FILES.BBS to the REAL file database before checking out your
planted file (most RA sysops only import from FILES.BBS when adding CDROMs)
the addition of this entry will do FUCK ALL! Lame Hacker 0 - Sysop 4

To quote from the author "This is a generic program and you will have to
tailor it so it will meet your needs." - yeah man, fucking rethink, redesign
and rewrite it more like!

Oh yeah... EVEN IF YOU DO get a copy of the USER.BBS file downloaded THE
PASSWORDS ARE ENCRYPTED!!! Lame Hacker :( - Sysop:-)


So how can U hack RA? Well, the idea was okay but, like hacking any system,
you gotta KNOW the system ya gonna hack b4 U stand a chance.

Most sysops will use the DOS environment variable RA set to the RA system
directory so that external doors can find the system files... that's very
helpful of the sysop, to show us where we can find his config files.

In the RA system directory should be the file CONFIG.RA. You might want to
include a check for this file within your program and possibly do a disk
and directory scan for the file if RA isn't defined or is set incorrectly.

I'm not *entirely* sure about other versions of RA, but in the current
release (2.02) the CONFIG.RA offset &h3E4 is where the name of the mail
directory starts. This is the path where USERS.BBS will be found.

Next you need to know for SURE the name of a directory which stores the
files for a filearea from which you are able to download.

I suggest you do this in one of three ways:

1) Interrogate the file FILES.RA in the RA system directory which contains
the filebase area configs. You *could* just search the directory for a
valid path but you wouldn't know if you had d/l access to the area.

2) If you want to be a bit more clever you could interpret the file and
find out the minimum security level required to d/l from each area and
dump your copy of USERS.BBS in the area with the lowest access level,
pretty much guaranteeing that you'll be able to get to the file. This
doesn't take security flags into account so there's still a SLIM
possibility you won't be able to d/l the file unless you also write flag
testing into your program.

3) My favourite technique is to have the program read a small config file
which is uploaded with your archive. This file just contains the name
of a file you KNOW you have d/l access from. You can then either do a
global search for that filename or, preferably (coz it's faster) read
FILES.RA for the paths used by the filebase and search those.

So now you have the location of the USERS.BBS and the destination directory
you simply need to copy the file. However, even though the file is sitting
in a filebase directory it STILL isn't available for d/l... why? Because
it's not in the filearea database.

You could get clever and find and amend the filearea database files directly
if you get the fileareas path from CONFIG.RA (offset &hC12) and write to
the files HDR\FBD#####.HDR (header), IDX\FDB#####.IDX (index) and, if you
want to add a description, TXT\FBD#####.TXT, where ##### is the RA file
area number.

There *is* an easier way. Shell out to DOS and execute the RAFILE utility
from the RA program path, passing the arguments "ADOPT filename #####".

E.g. the BASIC command would be:

SHELL "RAFILE ADOPT "+filename$+STR$(areanum)

Where filename$ contains the name of your USERS.BBS copy and areanum is the
RA filearea number. If your filename was USERTEST.ZIP and you'd copied it
to the directory used for RA file area 10 you'd be executing:

RAFILE ADOPT USERTEST.ZIP 10

This will "adopt" the file, adding it to the RA file database, making it
available for d/l (assuming you have the appropriate rights to the area).

All you need to do now is to package this trojan file to entice the sysop
into running it... In the LAME method for hacking RA the author used DSZ
as an example. That was about the most realistic part of the file and the
only bit worth leaching!


Your archive:
DSZ.EXE (your program)
DSZ.DAT (the *real* DSZ.EXE)
DSZ.CFG (small file containing the name of a *known*
d/lable file - preferably encrypted)
+ any other files that normally come with DSZ



Flow diagram for DSZ.EXE trojan (the original ASCII flowchart, given here as
numbered steps since the drawing didn't survive):

1) Start.
2) Read environment variable RA.
3) Does CONFIG.RA exist in that path? If No, scan drives & paths searching
for the file, then continue. If Yes, continue.
4) Read CONFIG.RA to get the location of USERS.BBS.
5) Read DSZ.CFG to get a filename.
6) Read FILES.RA to get the name of the next filearea.
7) Does the area contain the file? If No, go back to step 6 for the next
area. If Yes, continue.
8) Copy USERS.BBS to the filearea directory.
9) Run RAFILE with ADOPT to update the RA database.
10) Delete DSZ.EXE and DSZ.CFG.
11) Rename DSZ.DAT to DSZ.EXE.
12) Stop!

Once you've uploaded the file, preferably using a pseudonym, post the sysop
a message telling him how c00l your upload is. Wait a day or so and dial
back. Do a filename search using the name you decided to use for your copy
of USERS.BBS and d/l it.
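A sysop-side check for the copy-and-adopt trick described above, added here as an example and not part of the original text file: it hashes USERS.BBS and scans the file-area directories for a byte-identical copy, whether renamed as a plain file or dropped inside a ZIP. The directory layout and the USERS.BBS contents are constructed for the demo and do not follow the real RA record format.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_user_file_copies(users_bbs: Path, file_area_dirs):
    """Return (path, zip_member) pairs for files under the given file-area
    directories whose bytes equal USERS.BBS, either as a plain (possibly
    renamed) file or as a member of a ZIP archive."""
    target = sha256_bytes(users_bbs.read_bytes())
    size = users_bbs.stat().st_size
    hits = []
    for area in file_area_dirs:
        for p in Path(area).rglob("*"):
            if not p.is_file():
                continue
            # Cheap size check first, full hash only for same-size candidates.
            if p.stat().st_size == size and sha256_bytes(p.read_bytes()) == target:
                hits.append((str(p), None))
                continue
            if zipfile.is_zipfile(p):
                with zipfile.ZipFile(p) as zf:
                    for info in zf.infolist():
                        if info.file_size == size and sha256_bytes(zf.read(info)) == target:
                            hits.append((str(p), info.filename))
    return hits


def run_demo():
    """Build a constructed RA-like layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        mail = root / "RA" / "MSGBASE"               # constructed mail directory
        mail.mkdir(parents=True)
        users = mail / "USERS.BBS"
        users.write_bytes(b"USERREC\x00" * 150)      # constructed, not real RA data
        area10, area11 = root / "FILES" / "AREA10", root / "FILES" / "AREA11"
        area10.mkdir(parents=True)
        area11.mkdir(parents=True)
        (area10 / "USERTEST.DAT").write_bytes(users.read_bytes())   # renamed copy
        with zipfile.ZipFile(area11 / "USERTEST.ZIP", "w") as zf:
            zf.writestr("USERS.BBS", users.read_bytes())            # zipped copy
        (area11 / "README.TXT").write_bytes(b"a normal upload")      # innocent file
        hits = find_user_file_copies(users, [area10, area11])
        return sorted((Path(p).name, member) for p, member in hits)


if __name__ == "__main__":
    print(run_demo())
```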

The next step, now you have the USERS.BBS file, is to crack the passwords.
I only know of ONE crack program out there which has the RA password
encryption algorithm, a program based on the popular Unix CRACKERJACK
program called RA-CRACK. This simply takes a given word, encrypts it, and
compares it to the USERS.BBS file to find a user with a matching password.

RA-CRACK takes its source words from a text file so it would be possible
to either:

a) Use a TXT dictionary file as the source. All passwords that are
normal words will be found. This method will usually find about 90%
of the user passwords.

b) Write a "brute force" cracker using a small routine that "counts"
through valid ASCII character combinations from "!" (ASCII 33) up to
a string containing 25 (max length of a RA password) null characters
(ASCII 255), passing these via a text file to RA-CRACK. This SHOULD
be _100%_ successful, but SLOW!

l8r!

>ByTe<>RyDeR<
