|
==Phrack Magazine== Volume Five, Issue Forty-Six, File 14 of 28 **************************************************************************** A L I T T L E A B O U T D I A L C O M *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* by Herd Beast (hbeast@phantom.com) Introduction ~~~~~~~~~~~ Dialcom is an interesting system for hackers for two reasons: First, it is used by business people, reporters and many other world wide, and it offers a variety of information services, from a bulletin board to stock market updates and news services. Second, Dialcom runs on Prime machines, so using Dialcom is a good way to learn Prime. True, it's not the best, as access is generally restricted, but it's better than, say, learning VMS from Information America. In these days, where everyone seems to be so centered about the Internet and the latest Unix holes, it's important to remember that the information super-highway is not quite here, and many interesting things are out there and not on the Internet. Phrack has always been a good place to find out more about these things and places, and I wrote this article after reading the Dialog articles in Phrack. Well, gentle reader, I guess that my meaning-of-life crap quota is full, so let's move on. Accessing Dialcom and Logging In ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Dialcom is accessible world-wide. It offers connection to Tymnet, Sprintnet, and other networks as well as dialin modems. Since I am not writing to Washington people only, I will specify only the easiest methods -- Tymnet and Sprintnet -- and some of the more interesting access methods. Dialcom is basically a Primecom network. Each user has an account on one or more of the systems connected to that network. To access Dialcom, the user needs to access the machine his account is on. First, he logs into a public data network and follows the steps required to connect to a remote note. On Tymnet, this means getting to the "please log in:" prompt, and on Sprintnet it's the famous '@' prompt. For Tymnet, you must enter at the prompt: DIALCOM;<system number> (eg, DIALCOM;57). The same goes for TYMUSA connection from outside the USA. For Sprintnet or other PADs, you must enter the correct NUA: System # Sprintnet NUA Tymnet NUA ======== ============= ============= XX 3110 301003XX 3106 004551XX (32, 34, 41 - 46, 50, 52, 57, 61, 63, 64) It should be noted that Dialcom keeps its own X.25 network, Dialnet, and the NUAs on it are those of the systems (connect to address "57" for system 57). Dialcom has other access methods, meant to be used from outside the USA, but sometimes available from within as well. One is a COMCO card, which is inserted into a reader connected to the computer and the modem through a serial link. The user then calls a special dial-up number, and can connect to Dialcom (or any other NUA). The card contains a number of "tax units" which are deducted as the connection goes through, until they are exhausted and the card is useless. The user calls the dial-up and types in ".<CR>". The amount of tax units on the card will then appear on the screen, and the user can connect to a host. COMCO dial-ups: Location Number ======================= ============== Australia +61-02-2813511 Belgium +32-02-5141710 France +33-1-40264075 West Germany +49-069-290255 Hong Kong +852-5-8611655 Netherlands +31-020-6624661 Switzerland +41-022-865507 United Kingdom +45-01-4077077 USA (Toll Free) +1-800-777-4445 USA +1-212-747-9051 The other way is through Infonet. I will not turn this into an Infonet guide, save to write the logon sequence needed to access Dialcom. At the '#' prompt, enter 'C'. At the "Center:" prompt, enter "DC". Dialcom NUAs are 31370093060XX, where XX is the system number. Once the connection to a Dialcom system has been established, you will be greeted by the Prime header: Primecom Network 19.4Q.111 System 666 Please Sign On > And the '>' prompt. This is a limited prompt as most commands cannot be issued at it, so you need to login. Dialcom user id's are typically 3 alphabetic characters followed by several digits. The password may contain any character except for ",;/*" or spaces, and my experience shows that they tend to be of intermediate complexity (most will not be found in a dictionary, but could be cracked). Password security may become useless at this point, because the Dialcom Prime systems allow ID to take both user id and password as arguments (which some other Primes do not) and in fact, Dialcom tutorials tell users to log on like this -- >ID HBT007 IMEL8 -- which makes ``shoulder surfing'' easier. One you log on, you will see: Dialcom Computer Services 19.4Q.111(666) On At 14:44 07/32/94 EDT Last On At 4:09 06/44/94 EDT > And again, the '>' prompt. >off Off At 14:45 07/32/94 EDT Time used: 00h 00m connect, 00m 01s CPU, 00m 00s I/O. Security at Dialcom ~~~~~~~~~~~~~~~~~~ As mentioned, while passwords are relatively secure, the manner in which they are entered is usually not. As for the accounts themselves, it's important to understand the general way accounts exist on Dialcom. Dialcom users are usually part of a business that has an ``account group'' on Dialcom. Each user gets an account from that group (HBT027, HBT054). Each group also has a group administrator, who controls what each account can access. The administrator determines which programs (provided by Dialcom) each user can access. A foreign correspondent for a magazine might have access to the news services while other users might not. The administrator also determines how much the user can interface with the Prime OS itself. Each user can run a few basic commands (list files, delete, sign off) but above that, it's up to the administrator. The administrator may opt to remove a user from the controlling menuing system -- in which case, the user has no restrictions forced upon him. Group administrators, however, handle only their groups, and not the Dialcom system. They need, for example, to notify Dialcom staff if they want an account removed from the system. Another (different yet combined) part of the account/group security are accounts' ``security levels'' (seclevs). Seclevs range from 3 to 7, and determine the access an account has to various places. Seclev 4 users, for example, are not restricted to seeing only users of their group on the system, and can delete accounts from the menuing system. User accounts own their directories and files within (but high seclevs can read other users' files). Each account's security is left in some extent to its owner, in that the user sets his own password. When setting a password, a user can set a secondary password. Any user wishing to access that user's directory will need that password. Furthermore, the user can allow other users to attach as owners to his directory if they know his password (come to think of it, couldn't they just login as him?). This is all controlled by the PASSWD program (see ``Common Commands'', below). Dialcom also allows for login attempt security using the NET_LOCK program. NET_LOCK blocks login attempts from addresses that have registered too many login failures over a period of time (the default being blocking for 10 minutes of addresses that have registered more than 10 failed login within 5 minutes). NET_LOCK -DISPLAY is accessible to users of Seclev 5 and shows addresses currently blocked and general information. Other options are accessible to Seclev 7 and are: -ON, -OFF, -ATTEMPTS (number of attempts so that NET_LOCK will block an address), -LOCK_PERIOD (the period in which these attempts must occur), -LOCK_TIME (time to block), -WINDOW (a time window in which the lockout feature is disabled). A little unrelated is the network reconnect feature of the Prime computers. When a user gets disconnected from the system because of a network failure, or for any other reason which is not the system's fault, he can log back in and reconnect into the disconnected job. When this happens, the user sees, upon logging on: You Have a Disconnected Job: HBT007 d09 1 109 NT NETLINK 989898989 6 3 Do You Want to Reconnect? Which means user's HBT007 job #9 (a NETLINK command) is waiting for a reconnection. At this point, the user can continue, leaving the job to hang until the system signs it off when a certain amount of time expires; sign the job off himself; or reconnect to that job. (Try "HELP" at the prompt.) This wouldn't be important, but experience shows that many disconnections occur when someone logs into Dialcom over a network, and then uses NETLINK (or another program) to connect to another site over a network, and somewhere, some time, he issues a control sequence (let's say to tell NETLINK to do something) that gets processed by the first network, which logs him off. So there is potential to log into the middle of people's sessions (yeah, like detached ttys). Common Commands ~~~~~~~~~~~~~~ Common commands are in reality the basic Prime commands that every account has access to. Here they are, in alphabetical order. `CLEAR' Clear the screen. `DATE' Shows the date at which a command was entered. Output: >DATE Proceed to next command >BAH Friday, June 38, 1994 10:01:00 AM EDT `DEL' Deletes a file. `DELP' Deletes several files based on wildcards. Can verify deletion of every file, and delete only file modified before, after, or between certain dates. `ED' Is the default and simplest file editor on Dialcom (some of its brothers are JED and FED). Once invoked, ED enters INPUT mode, in which the user just types text. To enter EDIT mode, where you can issue commands, you need to press <CR> on a blank line (the same thing will get you from EDIT mode back to INPUT mode). The EDIT mode uses a pointer to a line. All commands are carried on the line that the pointer points to. "T" will bring the pointer to the top of the text, "B" to the bottom, "N" to the next line down, "U" to the next line up, and "L <word>" to the line containing <word>. ED commands include: P: PRINT the pointer line. P<number> will print <number> of lines. C: Change words. The format is "C/old word/new word". A: Appends words. The format is "A <words>". R: Retype pointer line. The format is "R <new line>". SP: Check the spelling of the text, and then point to the top of the text. SAVE: Will save the text and exit ED. Q: Will quit/abort editing and exit ED. `F' List all file info. Output: DIALCOM.TXT 001 13/30/94 13:50 ASC D W R Which means file name "DIALCOM.TXT", size of 1 file blocks, lat modified on 13/30/94 at 13:50, is an ASC type file, and the account has the permissions to D(elete), W(rite), and R(ead) it. `HELP' (`?') Displays a nicely formatted menu of available commands. `INFO' System info. INFO <info-file-name> displays an information file, for example, INFO NETLINK. "INFO ?" lists info files. "INFO BRIEF" lists info files grouped by application "INFO INFO" lists info files with their descriptions. `L' List all file names. Output: <S666-6>HBT007 (Owner) DIALCOM.TXT `LS' Display information about available segments and the account's access to them. Output: 2 Private static segments. segment access -------------- 4000 RWX 4001 RWX 11 Private dynamic segments. segment access -------------- 4365 RX 4366 RX 4367 RWX 4370 RWX 4371 RX 4372 RWX 4373 RX 4374 RWX 4375 RX 4376 RX 4377 RWX `NAME' Changes UFD name. Output: >NAME Old Name: John Gacy UFD Name: Herd Beast All done >WHO Herd Beast <S666-6>HBT007 `NETWORK' Accesses a database that contains dial-up number for Sprintnet, Tymnet, Datapac and Dialcom's Dialnet by State/City. `OFF' Sign off the system. `ONLINE' Who's online? The amount of data displayed depends on the account's seclev. Seclevs below 4 are restricted to seeing only users of their group. Output: HBT007 PRK017 MJR `PAD' Allows you to send commands to an X.29 PAD, these commands being the SET/SET?/PAR? commands and their parameter/value pairs. `PASSWD' Change your password. PASSWD has two forms: a short one, which just changes the user's password, and a long form, invoked by PASSWD -LONG, which allows the user to set a second password for other users accessing his directory, and also to determine if they can have owner access to the directory. `PROTECT' Protects a file (removes permissions from it). "PROTECT DIALCOM.TXT" will remove all three (D, W, R) attributes from it. This will result in: >DEL DIALCOM.TXT Insufficient access rights. DIALCOM.TXT (DEL:10) But -- >DELETE DIALCOM.TXT "DIALCOM.TXT" protected, ok to force delete? y `SECLEV' Your security level. Output: Seclev=5 `SIZE' Size information about a file. Output: 1 Block, 404 Words `STORAGE' Shows storage information. `SY' Show users on system. (Same restrictions as for ONLINE apply.) Will show user name, time on, idle time, devices used, current jobs and state, etc. Output: 41 Users on sys 666 Names use idle mem State command object devs HBT007 *11 0 155 R1 SY 6 3 from Tymnet via X.25 `SYS' Displays account information and system number. Output: <S666-6>HBT007 on system 666. `TERM' Used to tell the Dialcom computer what terminal the user is using. A list of supported terminals is generated by "TERM TERMINALS". TERM options are: TYPE <terminal type> (TYPE VT100) WIDTH <width> (Terminal width, if different than default) TOP (Start listings at top of screen) PAUSE (Pause listings when screen is full) -ERASE, -KILL <char> (Sets the erase or kill character) -BREAK <ON|OFF> (Enables or disables BREAKs) -HALF or -FULL (Half duplex of full duplex) -DISPLAY (Output current terminal information) `WHO' Displays account information. Output: <S666-6>HBT007 Which means user HBT007 on system 666 on device 6. Communicating on Dialcom ~~~~~~~~~~~~~~~~~~~~~~~ Users who want to communicate on Dialcom have two choices, basically. These are the Dialcom bulletin board and electronic mail. The Dialcom bulletin board has two versions. The first consists of several message bases (called ``categories'') which are shared between some Dialcom systems (and mostly used by bored employees, it seems); there are also private bulletin boards, which are not shared between the systems. They belong to account groups, and only users in an account group can access that group's bulletin board system. These version of the Dialcom board are often empty (they have no categories defined and hence are unusable). This is accessed by the command POST (PRPOST for the private board). Once POST is activated, it will display a prompt: Send, Read or Purge: If the answer is READ, POST will ask for a category (a list of categories will be displayed if you type HELP at that prompt). Once a category has been joined, you will be able to read through the messages there: Subject: ? From: HBT007 Posted: Sat 32-July-94 16:47 Sys 666 quit /q /quit Continue to Next Item? Answering SEND at the first prompt will allow you to send a message in a category. Answering PURGE will allow you to delete messages post by your account. When you enter PURGE and the category to purge message from, the system will show you any posts that you are allowed to purge, followed by a "Disposition:" prompt. Enter DELETE to delete the message. The second way to communicate is the Dialcom MAIL system. MAIL allows sending and receiving messages, it allows for mailing lists, filing mail into categories, holding mail to read later and so on. MAIL is invoked by entering, uh... oh, yes, MAIL. It works along similar lines to those of POST, and will display the following prompt: Send, Read or Scan: SEND: Allows you to send a message. It will prompt with "To:", "Subject:" and "Text:" (where you enter the actual message, followed by ".SEND" on a blank line to end). After a message is sent, the "To:" prompt will appear again -- use "QUIT" to leave it. A word about the "To:" prompt. There are two configuration files which make its use easier. First the MAIL.REF file, which is really a mailing list file. It contains entries in the format of -- <Nick> <Accounts> DOODZ DVR014 ABC0013 XYZ053 -- and at the "To:" prompt, you can just enter "DOODZ" and the message will be sent to all three accounts. When you enter a name, MAIL searches through your MAIL.REF, and then through the account administrator's, and only then parses it as an account name. Second is the mail directory, which contains the names and account IDs of many users the account is in contact with. To display it, type "DIS DIR" at the first prompt. You'll get something like this: HERD-BEAST 6666:HBT007 WE'RE BAD AND WE'RE KRAD Which means you can type "HERD-BEAST" at the prompt, and not just HBT007. Also, there are special options for the "To:" prompt, most notable are: CC to send a carbon copy; EX to send the message with ``express priority''; DAR to request that if the message is sent to a user on another Dialcom system, POSTMASTER will send you a message verifying that your message has been sent; and NOSHOW, to keep the receiver from seeing everybody else on the "To:" list. For example (all these people are in the mail directory), To: DUNKIN D.DREW CC FOLEY NOSHOW EX You enter the message about to be sent at the "Text:" prompt. That mode accepts several commands (like .SEND), all of which begin with a dot. Any command available at the "To:" prompt is available here. For example, you can add or remove names from to "To:" field using ".TO <ids>" or ".TO -<ids>", and add a CC using ".CC <id>". You also have a display command, ".DIS". ".DIS" alone shows the text entered so far; ".DIS TO" shows the "To:" field; ".DIS HE" shows the entire header; etc. Finally, you have editing option. ".ED" will load editing mode, so you can change the text you entered. ".LOAD <filename>" will load <filename> into the text of the message. ".SP" will check the spelling of text in the message, and there are other commands. READ: Allows you to read mail in your mailbox. Once you enter READ, MAIL will display the header of the first message in your mailbox (or "No mail at this time") followed by a "--More--" prompt. To read the message, press <CR>; otherwise, enter NO. After you are done reading a message, you will be prompted with the "Disposition:" prompt, where you must determine what to do with the message. There you can enter several commands: AGAIN to read the message again; AG HE to read the header again; AP REPLY to reply to the message and append the original message to the reply; AP FO to forward the message to someone and add your comments to it; REPLY to reply to the sender of the message; REPLY ALL to reply to everybody on the "To:" field; FILE to file the message; SA to save the message into a text file; NEXT to read the next message in your mailbox; and D to delete the message. SCAN: Allows you see a summary of the messages in the mailbox. Both READ and SCAN have options that allow you to filter the messages you want to read: FR <ids> to get only messages from <ids>; TO <ids> to get only messages sent to <ids>; 'string' to get only messages containing ``string'' in the "Subject:" field; "string" to get only messages containing ``string'' in the message itself; FILE CATEGORY to get only messages filed into ``CATEGORY''; and DA Month/Day/Year to get only messages in that date (adding a '-' before or after the date will get you everything before or after that date, and it's also possible to specify two dates separated by a '-' to get everything between those dates. For example, to get all of Al Gore's messages about Clipper before August 13th: READ FILE CLIPPER FR GOR 'Great stuff' DA -8/13/94 There is also a QS (QuickScan) command that behaves the same as SCAN, only SCAN shows the entire header, and QS just shows the "From:" field. However, there is more to do here than just send, read or scan. Some of it was mentioned when explaining these commands. Both sent and received messages can be saved into a plain text file or into a special mailbox file, called MAIL.FILE. Messages filed into the MAIL.FILE can be grouped into categories in that file. SAVING MESSAGES: Messages are saved by entering "SA filename" at a prompt. For sent message, it's the "Text:" prompt, while entering the message, and the command is ".SA", not "SA". For received message, it's either the "--More--" or the "Disposition:" prompt. FILING MESSAGES: Messages are filed in two cases. First, the user can file any message into any directory, and second, the system files read messages that lay in the mailbox for over 30 days. Received messages are filed by entering "FILE" at the "Disposition:" prompt. This files the message into a miscellaneous category called BOX. If an optional <category-name> is added after "FILE", the message will be filed into that category. If <category-name> doesn't exist, MAIL can create it for you. After a message has been filed, it's not removed from the mailbox -- that's up to the user to do. Sent messages behaved the same way, but the command is ".FILE" from the "Text:" prompt. To display categories of filed mail, enter DIS FILES at a prompt. To read or scan messages in filed, just add "FILE <category-name> after the command (READ, SCAN, etc). To delete a category, enter D FILE <category-name>. To delete a single message in a category, just use D as you would on any other message, after you read it from the MAIL.FILE. Connecting via Dialcom ~~~~~~~~~~~~~~~~~~~~~ Dialcom allows its customers to access other systems through it. There are some services offered specifically through Dialcom, such as the BRS/MENUS service, which is an electronic library with databases about many subjects, Telebase's Cyclopean Gateway Service, which offers access to many online database services (like Newsnet, Dialog and even BRS) and more. These services have a direct connection to Dialcom and software that maps Dialcom user ids to their own ids (it's not usually possible for someone to access one of these services without first connecting to Dialcom). Another method is general connection to X.25 addresses. Since Dialcom is connected to X.25, and it allows users to use the Prime NETLINK commands, it's possible to PAD out of Dialcom!!#! NETLINK is invoked by entering NETLINK. NETLINK then displays its own, '@' prompt. The commands available there are QUIT, to quit back to the OS; CONTINUE, to return to an open connection; CALL, to call an address; and D, to disconnect an open connection. CALL takes addresses in several formats. A system name, to connect to a Dialcom system, or an address in the format of DNIC:NUA. For example, @ CALL :666 Circuit #1 666 Connected [...] @ CALL 3110:21300023 Circuit #2 21300023 Connected [...] NETLINK establishes connections in the form of circuits. A circuit can be broken out of into command mode (the '@' prompt), using "<CR>@<CR>", and another can be opened, or parameters can be changed, etc. NETLINK has other commands, to log connections into a file, or set PAD parameters (SET, PAR), or turn on connection debugging, or change the default '@' prompt, and more. Things to Do on Dialcom ~~~~~~~~~~~~~~~~~~~~~~ Much of what Dialcom offers was not covered until now and will not be covered. That's because most the services could use a file each, and because many account groups have things enabled or disabled just for them. Instead, I will write shortly about two of the more interesting things online, the news service and clipping service, and add pointers to some interesting commands to try out. The news service, accessed with the NEWS command, is a database of newswires from AP, Business Wire, UPI, Reuters and PR Newswire. The user enters the database, and can search for news by keywords. After entering NEWS, you will see a menu of all the news agencies. Once you choose an agency, you will enter its menu, which sometimes contains a copyright warning and terms of usage and also the list of news categories available from that agency (National, North America, Business, Sports, etc). Once you choose the category, you will be asked for the keyword to search for. If a story (or several stories) was found containing your desired keyword, you can read through the stories in the order of time, or the order they appear, or reverse order and so on, and finally mail a story to yourself, or enter new search keywords, or jump to another story, or simply quit. The news clipping service, available with the command NEWSTAB, allows the user to define keyword-based rules for selecting news clippings. The system then checks every newswire that passes through it, and if it matches the rules, mails the newswire to the user. After entering NEWSTAB, you are presented with a menu that allows you to show, add, delete, and alter your rules for choosing news. The rules are made using words or phrases, logical operators, wildcards and minimal punctuation. A rule can be as simple as "HACKING", which will get every newswire with the word "hacking" in it mailed to you, or if you want to be more selective, "NASA HACKING". Logical operators are either AND or OR. For example, "HACKING AND INTERNET". Wildcards are either '*' or '?' (both function as the same). They simple replace any number of letters. Punctuation is permitted for initials, abbreviations, apostrophes or hyphens, but not for question marks and similar. All of this is explained in the NEWSTAB service itself. For the file hungry, Dialcom offers several file transfer programs, including KERMIT and Dialcom's FT, which implements most popular protocols, like Zmodem, Xmodem, etc. A small number of other fun things to try: NET-TALK The ``interactive computer conferencing system'' -- build your private IRC! CRYPTO Dialcom's encryption program. Something they're probably going to love on sci.crypt. NUSAGE By far one of the better things to do on Dialcom, it was left out of this file because it is simply huge. This program allows the user (typically an administrator) to monitor network usage, sort the data, store it, peek into all the little details (virtual connection types, remote/local addresses, actions, time, commands, etc). Unfortunately, it's completely beyond the scope of this file, as there are tons of switches and options to use in order to put this program to effective use.