---------------------------------------------------------------
A quick and dirty guide to cracking ISP info on a Mac
By Logic Jockey
1/18/99
---------------------------------------------------------------

NOTE: Most of this information was gathered on MacOS 8.5; there may be some differences between 8.5 and other versions of the OS.

I always thought it would be nice to be able to use other people's accounts to get some free time on the internet, hence this text. This will give you a general guide on how to gain access to the name of the ISP the person is using, the phone number they dial up, and their user name. The password, however, is a completely different matter. I have searched long and hard for it, but the MacOS hides passwords well. I am afraid that to get the password you will have to use a KeyLogger (I would suggest Invisible Oasis) or something of the sort.

When you get to a person's computer it is a good idea to copy as much stuff as you can to a diskette of yours; then you can work on the files elsewhere without the danger of getting caught. In order to use these files, you will need Resedit and a Hex-Editor like "HexEdit" (or Super-Resedit).

The all-time best place to get any info about a Macintosh computer is the preferences folder. This folder contains data about the user's 'preferred' settings, including networking settings. Open the "Dial Assist Preferences" file in Resedit. You will see a resource named DSPF; open it.

Dial Assist Preferences:
  DSPF:
    ID 0) Sometimes (not always) gives the user's area code, starting at hex address 03.
    ID 1) Garbage; just a database of the country codes (for phones) all over the world. Nice information to know, but not useful for any purpose described in this text. If you actually got the person's preferences file then you most likely know what country they are in.
    ID 2) Garbage; it looks like it tells what numbers to push to dial outside of a building (like dialing '9' before you can enter the phone number), but it says the same thing for everybody.
    ID 3) Garbage; it looks like it tells you what phone company the user has, but it is also just a database.
    ID 4) Now don't get too happy about this one. It appears to give the user's credit card and calling card numbers in hidden form, but they are just an example. They are not the actual credit card number or anything else.

The Remote Access folder in the preferences folder is a good one. Open it and there are two files, "Remote Access Connections" and "Remote Access Log". Open Remote Access Connections first.

Remote Access Connections:
  cadr: ID 128) This is a really important one. This gives you the phone number of the user's ISP's modem; now you know who the user calls in order to connect to the internet.
  cusr: ID 128) This is a nice one; it gives you the user's login name for Remote Access to connect to an ISP.
  dass: ID 128) Also a good one; this sometimes gives you the area code of the user. It is at hex address 09.
  pass: ID 128) Gives you all kinds of weird shit, possibly the password in encrypted form, but I'm not sure of that.

Remote Access Log:
This is a very interesting one. It can give you a wealth of knowledge, but you can't see it unless you have a hex-editor (or Super-Resedit). These are both easily found on the internet. Here is an excerpt from a hex-editor.

---------Start Excerpt--------
.......g$Connection established at 52000 bps.............N.....E...........H.4PPP ready for TCP/IP with IP address 208.254.224.73............2.....E.............%..
Welcome to the EarthLink..........0.....C...........s..PPP connection started..............0.....C...........s..PPP connection started.............PPP connection started..............................s..PPP connection started...............................s..PPP connection started..............................................................Connection terminated.
----------End Excerpt---------

As you can see, this gives you all kinds of interesting information. In the first line you can see that the person has a 56k modem on a normal phone line (it says 52k because that is the current limit that standard phone lines can handle). You also see that they are using PPP (Point to Point Protocol) to connect to their ISP, and that TCP/IP (Transfer Control Protocol/Internet Protocol) is what they are then using to communicate. The fact that they are using PPP to connect to their ISP account and TCP/IP to talk to the rest of the internet does not denote much; every OS in existence supports both protocols. If they were using something like ARAP instead of PPP then there is a fair likelihood of their ISP using UNIX servers, because ARAP is more common on UNIX than on anything else.

On the second line you see the IP address that the ISP gave to the user. This could be a static IP (it is always the same) or a dynamic IP (every time the user logs in they get a different IP). Of course, if you have the whole log file and not just an excerpt like the one shown here, then you can check to see if the IP address is the same each time; if so, then you now know that user's IP address. If the IP is different each time then too bad, you won't ever know what the user's IP is unless you are logging what he does.

Later on line two, you see the "Welcome to the EarthLink" statement. Well guess what, now you know the user's login, ISP, and ISP's modem's phone number. All you need now is the password and you are in.
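
Added example (not part of the original text): a strings-style pass over the raw bytes of a log like the excerpt above, useful for auditing what your own Remote Access Log keeps in cleartext. The byte layout of SAMPLE and the second session's address are constructed for illustration; the real file's record format is an assumption.

```python
import re

RUN = re.compile(rb"[\x20-\x7e]{6,}")            # printable ASCII runs, 6+ bytes
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SPEED = re.compile(r"established at (\d+) bps")

# Constructed sample: NUL/control bytes stand where the hex editor showed
# dots. Working on raw bytes avoids confusing those display dots with the
# real '.' characters inside the IP address.
SAMPLE = (
    b"\x00\x00\x01g$Connection established at 52000 bps\x00\x00\x00N\x00\x00"
    b"\x00H\x00" b"4PPP ready for TCP/IP with IP address 208.254.224.73"
    b"\x00\x00\x00" b"2\x00\x00%\x00\x00Welcome to the EarthLink\x00\x00"
    b"PPP connection started\x00\x00\x00Connection terminated."
)
# Constructed second session (documentation-range address, not from the page).
SECOND = b"\x00\x00PPP ready for TCP/IP with IP address 192.0.2.10\x00\x00"

def printable_runs(data: bytes) -> list[str]:
    """Return the printable strings embedded in a binary log."""
    return [m.group().decode("ascii") for m in RUN.finditer(data)]

def audit(data: bytes) -> dict:
    """Summarise what the log's cleartext strings disclose."""
    runs = printable_runs(data)
    ips, speeds = [], []
    for run in runs:
        ips += [ip for ip in IPV4.findall(run)
                if all(int(octet) <= 255 for octet in ip.split("."))]
        speeds += [int(s) for s in SPEED.findall(run)]
    if len(ips) < 2:
        addressing = "unknown"                   # one session cannot tell
    else:
        addressing = "static" if len(set(ips)) == 1 else "dynamic"
    return {"strings": runs, "ips": ips, "speeds_bps": speeds,
            "addressing": addressing}

if __name__ == "__main__":
    report = audit(SAMPLE + SECOND)
    for key in ("ips", "speeds_bps", "addressing"):
        print(f"{key}: {report[key]}")
    for s in report["strings"]:
        print("  cleartext:", s)
```
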

AppleTalk Preferences:
  port: ID 128) Gives the port that AppleTalk is connected to at the time you got the prefs file. The ports that AppleTalk can connect to are "Remote Only", "Printer Port", and "Modem Port".

Modem Preferences:
  ccl : ID 128) Gives you the type of modem script the user has applied to their modem (ex. US Robotics High Speed).
  mdpw: ID 128) Gives you some interesting stuff. I could not make much sense of it, maybe you can.

TCP/IP Preferences:
  isdm: ID 128) Gives you the ISP that the user connects to.
  port: ID 128) Gives you the protocol used to connect to the ISP (ex. PPP).
  vers: ID 2) Will give you the version of the MacOS the user is running on.

Internet Preferences:
Too much stuff to list here, but check it out, it is a gold mine. It can give you all kinds of information such as the user's real name, email address, encrypted passwords, directory structure, and more. Compare your own file against the file you are cracking to see what each part of the file means.

Apple Modem Tool Prefs:
  cFIG: ID 22001) Will give you some info about the modem, such as whether it is Hayes Compatible.

Open Transport (Folder):
Way too much stuff, but also some useful info. You will need a Hex-editor or Super-Resedit to see some of the files.

Well, that does it for the most obvious of the networking preferences files. Have fun and don't get caught.