Hacking the SCC OS
by D-Day
First off, let me say that I only have access to the SCC OS from a terminal at my office. It is not an OS you can call up with a modem - it is site-only, so you have to be at the location in order to hack this OS. It is simple to do, so don't expect much from it.
This article is basically pointed towards newer hackers and experienced hackers looking to gain info or access.
First, let me explain SCC. SCC is a business OS used for keeping records and making secretaries' jobs easier. You can find it at doctors' offices, law firms, and places of that sort. It is very changeable, so you may have trouble spotting an SCC system.
SCC stands for Site Client Control. It is a DOS program, so an SCC system has DOS somewhere on the hard drive. I have not found any other SCC menus running off any other OS than DOS, so you might want to check up on your DOS commands before attempting an SCC system. Here is a list of ways to shell out to DOS from an SCC system without having to crack the passwords.
Two Methods to Shell Out
On an SCC system, every unit has the option to use DOS commands.
Just choose this option, then click DIR. It will show a command line, usually in a red-bordered box. Just type: DIR.*
It will go to DOS and type out this command, similar to a batch file. Then, it will discover that DIR.* is not a command and will say: TERMINATE BATCH JOB? Y/N?
Choose Yes. You should now be sitting at a standard DOS prompt.
Second Method: If the SCC system you are targeting doesn't have the DIR option, then try this method. Choose the Shell To DOS option by pressing F5. It will say: ENTER PASSWORD
Then just enter something wrong. It will go back to the Main Menu. Then do this same option again. And again. After about 10 times, it will say: SYSTEM HALTED
Then, just press Ctrl+Break. This is tedious, and it may take more time than you have, so method one is better!
What to Do Once You've Shelled Out
Go to the root directory of the hard drive that SCC is installed on.
Get the file called: SCCDTA.*.DTA
The .* represents the site name. Every SCC system has a unique site name. It will usually be a number. Just look for anything with SCC.*.DTA, because sometimes the filename is changed. Once you have this file, you have the password file. Similar to UNIX, yes. But! SCC passwords are much easier to decrypt! How? When you look at the SCCDTA.DTA file with a text editor, you should get something similar to this:
    Start of file: SCCDTA130.DTA
    SCC data file: site license #1046
    (site name should never be altered)
    ++++++++++++++++++++++++++++++++++++=
    +
    +++289sjd3 d3jw90r 3859*@ks(@iPD(893
    USR LST
    upper:[4945416]
    charla:[3936]
    mem: []
    mntce:[]
And then the rest after that is junk data.
Now, what you are looking at is a complete user list of the SCC System 130.
See how, in the SCCDTA.*.DTA filename, 130 follows SCCDTA? Like I said, that is the site license.
Now, on to cracking the passwords...
The makers of SCC must have thought that hackers were dumber than dirt. You aren't going to believe how easy it is to decrypt these passwords.
Now, the user upper (the "root" account of the system) has a password of: FORTRAN
How do I know? Well, look at the string of numbers in the [] brackets. That's the encrypted password.
To decrypt it, all you have to do is look on a QWERTY type keyboard and find the column of letters that matches the number.
Example: For the password FORTRAN, the code would be: 4945416
Look at the letter "F" on your keyboard and follow it up. See how it goes to "R" and then to 4? Now, the letter "O" would be 9. Follow "O" up and you get the number 9. Starting to see now?
We couldn't believe how easy it was to crack these password files. A password cracker is not needed, but we wrote one anyway, and it broke an SCC system with 400 users in 22 seconds!!!! That's how easy the algorithm is! Now, I could make a chart for you, but if you need one, you shouldn't be trying to hack.
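Why this storage scheme fails, as an added example that is not from the original article: the encoder follows the keyboard-column rule described above, counts how many different passwords share one stored value, and sets a salted, slow one-way hash beside it. The full column table is an assumption reconstructed from the FORTRAN example, and the function names are illustrative.

```python
import hashlib
import hmac
import os

# Column table reconstructed from the article's FORTRAN -> 4945416 example
# (assumption): each digit stands for every letter beneath it on a QWERTY keyboard.
COLUMNS = {
    "1": "QAZ", "2": "WSX", "3": "EDC", "4": "RFV", "5": "TGB",
    "6": "YHN", "7": "UJM", "8": "IK", "9": "OL", "0": "P",
}
LETTER_TO_DIGIT = {ch: d for d, letters in COLUMNS.items() for ch in letters}


def scc_encode(password):
    """Weak scheme: one digit per letter, no key, no salt (letters only)."""
    return "".join(LETTER_TO_DIGIT[ch] for ch in password.upper())


def equivalent_passwords(stored):
    """Number of letter strings that encode to the same stored digits."""
    total = 1
    for digit in stored:
        total *= len(COLUMNS[digit])
    return total


def hash_password(password, salt=None, rounds=600_000):
    """Hardened storage: random per-user salt and a slow one-way KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def verify_password(password, salt, digest, rounds=600_000):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt, rounds)[1], digest)


if __name__ == "__main__":
    stored = scc_encode("FORTRAN")
    print(stored, "is shared by", equivalent_passwords(stored), "passwords")
    salt, digest = hash_password("FORTRAN")
    print("salted hash:", digest.hex(), "verifies:", verify_password("FORTRAN", salt, digest))
```

Because the stored digits are a keyless function of the password, anyone who can read the data file learns everything needed to log in; the salted hash gives each user a different, non-reversible value even when passwords repeat.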
Now, once you have the SCCDTA.*.DTA file, you need to crack certain passwords to get high access.
Here is a list of permanent accounts on an SCC system plus an explanation. These accounts are always on an SCC system!
upper: Highest access - the "root" account.
mem / memory: Memory manager account.
mntce: Maintenance account. This usually doesn't have a password.
bckdr: Backdoor maintenance in case of a crash.
clip: Clip account to "clip" data.
These accounts are the only permanent accounts. In our simulated list of accounts, charla is just a user, probably upper's secretary.
Once you have upper access, what do you do? Since SCC is a business OS, why don't you find out this business' secrets?
How to Get Files
Once you are logged in under upper, go to the Main Menu. Then choose the option Word Process or Text Editor. This is like vi. Just open files. You usually won't get passwords, and if you do, just enter the same password you used to log in. Just open text files and read on! If you wanna save them to a disk, exit the text editor and go to File System and choose save files, then just save them to your disk drive.
Now you have all you need: files, access, so what? Well, if you have a vendetta against the system, why not crash it? Why not?
Crashing an SCC System
First, in order to crash it, you need maintenance access and upper access. First, log in with upper. Then choose Extended Options. Then click Enable Maintenance and enter the password it prompts. You have now given the maintenance account almost upper access. Now, log out of upper and log in under maintenance (mntce).
When you get to the Main Menu, choose the option System Check and run it. Wait until the counter has reached zero. If it finds any problems, do not fix them, just let them linger. Then go back to the Main Menu and choose the option KILL LOWER ACCOUNTS. It will ask for a password. Enter the upper account's password, in this case: FORTRAN. It will then clear the screen, and you should be at the Main Menu.
Now, remember Charla? Well, she is no longer on this system and all files, records, and other junk have been deleted! Presto! A useless system! Now, not all records are deleted. There is a system log that is always there and is a hidden file. It is always in the same directory as the SCC executable.
First, you have to find this file. Shell out of SCC and go to the SCC directory. To find hidden files you have to type something like DIR -H or DIR H. That's why I said read your DOS book!
Now, once it lists all hidden files, the file you are looking for is always different. It has no suffix like *.TXT or *.SYS. It is just a file. The filename is never the same, since it is specified by the upper account. Just look for a file without a suffix and edit it. Then, once you edit it, it should look like this:
    DATE\TIME\
    account:upper:12\3:30 pm 12\3:52 pm
    account:mntce:12\3:53 pm 12\4:10 pm
    [SYSTEM ACTION TAKEN]
    account:upper:12\4:15 pm 12\4:17 pm
Now, you should be able to figure out what this is. If you can't, I will explain.
    account name:[name]:login time:logout time
See? Now, the second account in this system is mntce, logged in on December at 3:30 pm and logged out at 3:52 pm. But! See where after it says [SYSTEM ACTION TAKEN]? Well, that's where you deleted the system. Just erase all three logins and you are done.
Erase the account:upper, account:mntce, and the second account:upper lines. Now you didn't login, you didn't erase the system, and you didn't log out! Voilà!
You have committed the perfect hack! No records or any other way to tell, and no one knows you were there! Now you know how to hack SCC, and don't you feel better?
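The log edit described above only goes unnoticed because the log is a plain local file with nothing binding one entry to the next. As an added example (not part of the original article, and not SCC's own code), here is a hash-chained log in which deleting, editing or truncating entries fails verification; it assumes the HMAC key and the latest head tag are kept on a separate host, and all function names are illustrative.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # fixed start value for the chain (assumption)


def _tag(key, prev, line):
    return hmac.new(key, prev + line.encode(), hashlib.sha256).digest()


def append(log, line, key):
    """Add a line whose tag covers the line and the previous tag.
    Returns the new head tag, which is copied to a separate host."""
    prev = bytes.fromhex(log[-1][1]) if log else GENESIS
    head = _tag(key, prev, line)
    log.append((line, head.hex()))
    return head


def verify(log, key, expected_head):
    """True only if every line is present, unmodified and in order,
    and the chain ends at the head recorded off the machine."""
    prev = GENESIS
    for line, tag_hex in log:
        want = _tag(key, prev, line)
        if not hmac.compare_digest(want.hex(), tag_hex):
            return False
        prev = want
    return hmac.compare_digest(prev, expected_head)


# Constructed sample, using the entries shown in the article's log.
SAMPLE = [
    r"account:upper:12\3:30 pm 12\3:52 pm",
    r"account:mntce:12\3:53 pm 12\4:10 pm",
    "[SYSTEM ACTION TAKEN]",
    r"account:upper:12\4:15 pm 12\4:17 pm",
]


def build(key):
    """Write the sample entries and return the log plus its final head tag."""
    log, head = [], GENESIS
    for line in SAMPLE:
        head = append(log, line, key)
    return log, head
```

Comparing against the off-host head is what catches the case in the article, where every entry is erased: an empty or shortened log still forms a valid chain on its own, but it no longer ends at the recorded tag.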