Table of Contents

Introduction
Disclaimer
1. Accessing the password file in SASI.
1a. Examining the password file in SASI.
2. Accessing the file that has all those juicy locker combinations!
2a. Examining the locker combination file.
3. Getting all of the school's faculty's social security numbers!
3a. Getting every student's social security numbers! And their parents, too!
3b. Getting all of the miscellaneous social security numbers.
4. Getting every student's phone number!
5. Logging in to the SASI database.
6. Attempting to hack the login prompt.
7. Accessing the sasi\data directory.
8. One last hacking theory.
9. Conclusion.
Introduction
This is the unofficial guide on how to hack the database known as SASI. SASI stands for School Administrative Student Information. SASI, in case you don't know, is a database program widely used in high schools across North America. It is DOS based and Novell network compatible. Roughly 3,000 schools in California and more than 4,000 schools nationwide currently use it (approximate figures). The SASI database system is used in elementary schools, intermediate schools, and high schools to keep track of student records. Only one university I know of uses SASI: the University of Wisconsin in Milwaukee. The instructions in this guide explain how to break in and change one's grades for the purposes of cheating. All of the information here should be consistent with SASI version 3 (a.k.a. SASI III).
Disclaimer
The author of this document can't be held responsible for your own stupidity. Should you decide to implement this information, you can't blame me. If you are stupid enough to use this information, it's your fault. When you get caught and end up in a federal penitentiary, I want you to remember what was stated here. This is for informational purposes only! Of course, my warning you will not stop the inevitable.
1. Accessing the password file in SASI.
To access the password file in SASI, you first need access to the directory in which it is located. Getting that access is another hack all its own; if you don't have access to the right directory, then stop reading now. The directory you need is sasi\data. Finding it shouldn't be hard at all (if you can't find or access it, see section 7).
Once you have access to the sasi\data directory, look for a file called WHO.DAT or a file called WHO-1.DAT. They both contain essentially the same data. If you are accessing the directory from the DOS prompt, copy the file or files to a floppy disk, like this:
COPY WHO.DAT A:
COPY WHO-1.DAT A:
Presto, you have the password file. Now on to the hard part.
It is very possible that you won't be able to copy the password file this way because of network file sharing: SASI keeps the file open, and you may get an error message like "File is in use" (a sharing violation). If this is the case, there are two other techniques you can use to get a copy.
First, on some networks there are batch files that automatically rename the password file to something like WHO.BAK. It is very likely that an old copy of WHO.DAT has been renamed this way. If so, simply copy the renamed file. You should be able to, because the SASI program doesn't hold a renamed (and possibly backed-up) password file open. Keep in mind that such a copy may be older than the live file.
Second, if there is no backed-up password file and you have the network permissions to read the live one, you can get at it with Microsoft Word. Open Microsoft Word and then open the file. Word will tell you something like "File is in use. Do you wish to make a copy? Yes or no?". Select Yes. Word might also ask how you wish to convert the file; if so, select TEXT ONLY and click OK. You should now have a copy of the password file right in front of you. Save it to a floppy disk, and be sure to save it as plain text. If this technique doesn't work, it is because the version of Word you are using doesn't have these features. It does work with Microsoft Word 6.0, and it will probably work with more recent versions of Word, too.
1a. Examining the password file in SASI.
The password file consists of a user I.D. number, a name to go with the user I.D., an encrypted password, and a bunch of other characters that serve no purpose I can see. The user I.D. number and the corresponding name are in plain text.
The password, however, is encrypted. If anyone knows of a way to crack that encryption, let me know, because I haven't a clue. I haven't even tried to crack it yet. Any info on this kind of hack would be appreciated.
I do have a few basic theories as to how the passwords are encrypted. Since this database is DOS based, I am guessing it is a simple 8-bit, 16-bit, or 32-bit algorithm. There are roughly 99 lines in the password file, which is consistent with the 99 I.D.s the system allows to access the database; a maximum of 99 users are allowed. User I.D.s are two-digit numbers, 01-99. 01 is usually assigned to the principal of the school, 02-10 to the assistant principals, and 11-99 to secretaries, counselors, and other related personnel.
Not all of these I.D.s are necessarily assigned to anyone. Some lines contain only what looks like default header data (the user I.D. number and some other information, nothing more) and no corresponding name. Those I.D.s are unassigned; ignore these lines.
Each line contains a school number, an I.D. number, the name that goes with that I.D., an encrypted password, and a lot of other alphanumeric characters you don't need. Strip the unneeded fields from each line and isolate the password, and you will have what you are looking for. I am also guessing that there is someone out there more skilled than me who knows how to crack the encryption. If you think you qualify, then you know how to send e-mail and request a sample password file.
Besides decrypting, you can gain valuable information from the password file even in its encrypted state. The only thing in the file that isn't in plain text is the password (obviously); you can read every other field just fine, and that is an advantage. Suppose you would like to know who is using which user I.D. number. All you do is look at the line. Better still, search for the name you think might be in there with a text editor and read the corresponding user I.D. number from the same line. Once you have the user I.D. number, go to the login prompt and try guessing that person's password. If you know the person's interests, hobbies, etc., try those. You would be surprised how often you get lucky by guessing a password. Assuming you can log in this way, see section 6.
2. Accessing the file that has all those juicy locker combinations!
To access the locker combination file, you must first have access to the sasi\data directory. If you need to know how to access the sasi\data directory, see section 7.
If you want everyone's locker combination, you are looking for a file whose name begins with the letters LKR and ends with the extension .DAT.
The file will be named something like LKRXXX.DAT. LKR, obviously, is an abbreviation of the word locker. The base name is six characters, LKRXXX.
The first X to the right of the R is the last digit of the year the file was created in. For example, a locker file created in 1998 would be named LKR8XX.DAT. Don't worry about the other two X's in the name; they are just variables, and usually they will be 01. A directory listing sorted by name, or a wildcard listing of LKR*.DAT, will find the file, no problem.
Once you have located the file, copy it onto a floppy disk. The file will be something like 100 to 120 kilobytes, depending on how big your school is.
2a. Examining the locker combination file.
Once you have the locker combination file, open it with a text editor.
To find a locker and its combination, you read specific fields out of each line. Let me show you how to find what you need.
A line is 31 characters (bytes) long and breaks down as follows, in order:

  Offset  Length  Field
  0       1       Building or section (one letter or digit, depending on the school)
  1       5       Locker number (all digits)
  6       6       Locker combination, six digits in a row; 123456 means 12-34-56
  12      4       SASI I.D. number (four digits; identifies the student)
  16      6       Six zeros (000000); useless, but part of the line length
  22      4       Four-digit number, sequential (increases by one from line to line)
  26      1       A single zero (always the fifth-to-last character, between the two sequential numbers)
  27      4       A second four-digit number, sequential and different from the first; ends the line

Do not confuse the SASI I.D. number with a user I.D. number. You may have been asked for your SASI I.D. when you got your books at the beginning of the year or when you asked to see a counselor. Remember it; this number is something you can use to your advantage at a later time.
The two sequential four-digit numbers are probably used by the database in some way I'm not aware of. They may fit into some sort of algorithm involving checksums; if they do, that might be in the next edition. If they matter in any other way, then I'm dumb about it.
Every line is surrounded by a single space on each side: a space, then the line in question, then a space, then the next line, and so on. The file is full of lines like the one described here, so finding combinations shouldn't be a problem. With a text editor and its search function, finding people's combinations is a snap.
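The following is an added example, not part of the original guide, that turns the 31-byte record layout described above into a parser. It assumes the layout exactly as given (field widths 1+5+6+4+6+4+1+4 = 31), assumes records are separated by whitespace, and runs on a constructed sample rather than a real LKR file. It also checks the trailing counters, which are the only structure tying one record to its neighbours: they are plain counters, not checksums, so the most they can tell you is that a record is missing or out of order, never that one was altered.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

RECORD_LEN = 31

# Byte layout of one locker record, as described above (start, end slices).
# Widths: 1 + 5 + 6 + 4 + 6 + 4 + 1 + 4 = 31.
LAYOUT: Dict[str, Tuple[int, int]] = {
    "building":    (0, 1),    # building/section letter or digit
    "locker":      (1, 6),    # locker number, five digits
    "combination": (6, 12),   # six digits, read as xx-xx-xx
    "sasi_id":     (12, 16),  # four-digit student (SASI) I.D.
    "zeros":       (16, 22),  # "000000" filler
    "seq_a":       (22, 26),  # first sequential counter
    "zero":        (26, 27),  # single "0"
    "seq_b":       (27, 31),  # second sequential counter, ends the record
}


@dataclass
class LockerRecord:
    building: str
    locker: int
    combination: str   # formatted "12-34-56"
    sasi_id: int
    seq_a: int
    seq_b: int


def parse_record(raw: str) -> LockerRecord:
    """Parse one 31-character record; raise ValueError if it does not match the layout."""
    if len(raw) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} characters, got {len(raw)}")
    f = {name: raw[a:b] for name, (a, b) in LAYOUT.items()}
    # The filler fields are constant in the described layout; anything else
    # means this is not the format we think it is, so refuse rather than guess.
    if f["zeros"] != "000000" or f["zero"] != "0":
        raise ValueError("filler fields are not zero; not the described layout")
    for name in ("locker", "combination", "sasi_id", "seq_a", "seq_b"):
        if not f[name].isdigit():
            raise ValueError(f"field {name} is not numeric: {f[name]!r}")
    c = f["combination"]
    return LockerRecord(
        building=f["building"],
        locker=int(f["locker"]),
        combination=f"{c[0:2]}-{c[2:4]}-{c[4:6]}",
        sasi_id=int(f["sasi_id"]),
        seq_a=int(f["seq_a"]),
        seq_b=int(f["seq_b"]),
    )


def parse_file(text: str) -> List[LockerRecord]:
    """Split a file body on whitespace (one space between records) and parse every 31-char chunk."""
    return [parse_record(chunk) for chunk in text.split() if len(chunk) == RECORD_LEN]


def sequence_gaps(records: List[LockerRecord]) -> List[int]:
    """Indexes where the trailing counter does not advance by exactly one from the previous record."""
    return [i for i in range(1, len(records))
            if records[i].seq_b != records[i - 1].seq_b + 1]


def make_record(building: str, locker: int, combo: int, sasi_id: int,
                seq_a: int, seq_b: int) -> str:
    """Build a record in the described layout; used here only to construct sample data."""
    return f"{building:1}{locker:05d}{combo:06d}{sasi_id:04d}000000{seq_a:04d}0{seq_b:04d}"


# Constructed sample (not from a real LKR file): three records separated by single spaces.
# The third record's counter skips from 2 to 4, so one record is missing between them.
SAMPLE = " ".join([
    make_record("A", 123, 123456, 1234, 1, 1),
    make_record("A", 124, 654321, 1235, 2, 2),
    make_record("B", 7, 102030, 1236, 4, 4),
])

if __name__ == "__main__":
    recs = parse_file(SAMPLE)
    for r in recs:
        print(r)
    print("counter gaps before record index:", sequence_gaps(recs))
```

Two choices worth noting: the parser refuses records whose filler fields are not zero instead of silently reading garbage, and the gap check is deliberately named for what it detects (a missing or reordered record), because a plain counter offers no integrity protection against edits to the fields it sits beside.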
3. Getting all of the school's faculty's social security numbers!
Of course, you must first have access to the sasi\data directory. If you need to know how to access the sasi\data directory, see section 7.
The files you are looking for are called TCHXXX-X.DAT and AARXXX.TMP.
Obviously, it is your duty to copy them to a floppy disk.
TCHXXX-X.DAT decodes, roughly, as follows:
Obviously TCH stands for teacher. The first X to the right of the H is the last digit of the year the file was created in. For example, a file created in 1999 will be named TCH9XX-X.DAT. The remaining X's are variables and will most likely be numbers. Sound familiar? TCHXXX-X.DAT contains all of the user I.D. numbers, 01-99. Alongside each user I.D. number is a social security number and the name that goes with it. These names belong to the principal, assistant principals, secretaries, counselors, and other related staff. Now, how about learning how to get all of the teachers' social security numbers?
AARXXX.TMP contains all of the teachers' social security numbers.
It decodes, roughly, as follows:
1. Open the file with your text editor.
2. Search for the name of a teacher you don't like.
3. Once you have found the name, their social security number is directly to the right of it (much easier reading than the locker file). Write it down, or cut and paste, or whatever.
4. Wreak havoc with one or more of your teachers' lives!
5. Enjoy!!!
3a. Getting every student's social security numbers! And their parents, too!
As always, you need access to the sasi\data directory.
The files you are looking for are called STU7XX.DAT and STU8XX.DAT, assuming you want the master student files for the classes of 1997 and 1998. I am sure you see the correspondence.
These files can get rather large, too. The largest one I've ever seen was about 12 megs. File size is determined by how many people in that class attend your school, and the files can get huge, so you can forget copying them straight to a floppy. Sometimes the database administrator will zip up records from previous school years and put them in a separate directory somewhere else on the server, but only if you're very lucky. If you can't find any zipped student records, you're gonna have to compress them yourself; some form of data compression is the only way you're getting the files out of there. This is what I had to do once: put a copy of PKZIP.EXE on a floppy and copy it up to the sasi\data directory. Note that copying PKZIP.EXE there, and writing the archive, both require write (create) rights on that directory, not just read rights.
The copy should succeed. If it doesn't, I don't know what the hell you could have done wrong; you most likely need to get familiar with DOS.
For all you idiots out there, this is how you do it, assuming the floppy drive is A: and the target drive is X:
COPY A:\PKZIP.EXE X:\SASI\DATA
If you don't know how to use PKZIP, change to X:\SASI\DATA at the DOS prompt and type PKZIP with no arguments. The program will print its usage and tell you how to zip something.
After all of that preparation, zip the file and then copy the zipped file onto a floppy disk (if it's small enough) or onto your local hard drive.
The STUXXX.DAT file decodes very simply. Use your text editor, search for the bastard you want to find, and the information will surround their name. I'm talkin' all the dirt: phone number, home address, social security number, mother's name, father's name, mother's social security number, father's social security number, sex (whether or not they've had any, just kidding).
The really challenging part of this section is finding someone specifically, because you have to know which graduating class they are in. That determines which file to compress and copy, and it can be a hindrance.
A good way of estimating file size is to know which class is the newest. For instance, the freshman class of 2000 will have less info than the senior class of 2000. Seniors have been there longer and therefore have larger records; freshmen are new at the school and have less information compiled about them. Get the picture?
By the way, if you want everyone's social security number, this kind of project takes time. You have to know where to look. It took me six months just to get all the information I needed (getting the proper access took that long).
3b. Getting all of the miscellaneous social security numbers.
Let me just tell you which files to copy from the sasi\data directory:
CRSXX.XXX
FRMXX.XXX
That's it. You have everyone's social security number. The X's are variables; I will leave it up to you to find which file is the correct one. The most common extension is .DAT.
4. Getting every student's phone number!
Once again, you need access to the sasi\data directory. If you need to know how to access the sasi\data directory, see section 7.
The file or files you are looking for are called @ and DIALER.XXX.
The @ file has no extension. It contains all of the students' phone numbers, without area codes.
The @ file decodes like this: first you will see a phone number, then a SASI number (the four-digit student I.D. number mentioned earlier), and then a student's name. The phone number and SASI number preceding (coming before) a name belong to that student.
Example:
555-5555 1234 SMITH, JOHN
Here John Smith's phone number is 555-5555 and his SASI number is 1234. Also note that in the actual file there are 10 spaces between each piece of information.
The DIALER.XXX file decodes exactly the same way. The only difference in the data you get is that this file includes area codes with the phone numbers; the @ file does not. Pretty simple, huh?
5. Logging in to the SASI database.
In order to log in to the SASI system, you must get to the login prompt. To do this, you run a batch file, LOGIN.BAT (sometimes one is already there, in the sasi\prog directory).
If you're accessing it via Windows, double-click on that batch file.
If you're accessing it via the DOS prompt, type: LOGIN.BAT
If there is no batch file there, keep reading, because you will have to write it. You can either write one yourself or go looking for one on other servers inside the LAN. It's up to you.
If the database is located on a file server, you must first map a drive to the target server. If you're on a Novell network (and you probably are), type the following at the DOS prompt. This assumes the NetWare volume is named SASI; TARGET_SERVER_NAME is whatever the server has been named.
MAP I:=TARGET_SERVER_NAME\SASI:APPS
Once you have typed that in and pressed enter, you will be prompted for a username and a password.
(This can be another hack all its own. Because it is NetWare related, I will not go into great detail. If you need advice on how to hack Novell NetWare, consult Simple Nomad's Hacking Novell Netware FAQ. It can be found in the FAQs section at http://www.nmrc.org.)
Assuming you get through the NetWare login prompt successfully, you should now have drive I: mapped to the target file server. If there is not already a batch file there for you to execute, you will need to write the following one:
@ECHO OFF
MAP INS S1:=TARGET_SERVER_NAME\SASI:APPS\SASI\PROG >NUL
MAP Q:=TARGET_SERVER_NAME\SASI:APPS\SASI\DATA >NUL
Q: >NUL
LOGIN F: >NUL
CD\LOGIN >NUL
MODE CO80 >NUL
MAP DEL S1: >NUL
MAP DEL Q: >NUL
This batch file obviously has some variables in it which you must figure out. The file server name goes where it says TARGET_SERVER_NAME. The batch file also assumes that the volume name on the target server is SASI, which is why you see SASI:APPS. If the volume name is not SASI, the 2nd and 3rd lines of the batch file change as follows:
MAP INS S1:=TARGET_SERVER_NAME\ANY_OTHER_VOLUME_NAME:APPS\SASI\PROG >NUL
MAP Q:=TARGET_SERVER_NAME\ANY_OTHER_VOLUME_NAME:APPS\SASI\DATA >NUL
The batch file also assumes that the drive letter Q: and the search drive S1: are free, meaning they are not already used by some other file server or network resource. Which drives you choose is also a variable; it's up to you.
The login prompt is, of course, DOS based. It has a blue background and yellow trim (default colors). If you don't know how to get inside through the login prompt, see the next section.
6. Attempting to hack the login prompt.
Hacking through a SASI login prompt can be a very efficient way to get access to your student record. I know what you're thinking: why would you want to access someone's student record? Many reasons:
1. Boosting your own grades.
2. Failing someone you don't like.
3. Erasing that nasty detention or detention record from your profile or someone else's.
4. Charging people money to do all of the above.
5. Getting personal information on anyone.
Any multitude of reasons. The point is you need to get in for one reason or another. Besides, logging in and letting the programs do all the work is easier than decoding a 6+ meg file and altering it byte by byte with a hex editor. Here are the easy steps to follow:
1. At the login prompt you will see two very common things: you will be asked for a username and for a password to go with it. As already suggested in section 1a, you will be guessing the password for each user I.D. number.
2. User I.D. numbers range from 01 to 99. Try each I.D. with an empty password:
Username: 01, press enter. Password: (nothing), press enter.
Username: 02, press enter. Password: (nothing), press enter.
Username: 03, press enter. Password: (nothing), press enter.
Get the idea? Try to find an I.D. that doesn't have a password (highly unlikely, but worth a try).
3. Once you're in, either with a guessed password or with an I.D. that has no password, you will need to execute a SASI command.
(Very important note! You have to be logged in for any SASI program to work. If you are not logged in, the program you try to execute will not work properly; you will get an error saying "Couldn't find WHO.DAT." WHO.DAT is obviously the password file. It must be loaded somewhere, somehow, in order for a SASI program to function. If anyone can get a program to work while not logged in, then you know how to send e-mail; tell me what you did so I can update this guide.)
That command would be WHOCRT. WHOCRT is the program that controls access through the SASI login prompt. It is responsible for assigning user numbers (01-99), issuing passwords, and granting access to specific files and programs. If you are lucky enough to have access to this program (it is usually restricted to only one or two users), take advantage of it. It sets up a perfect backdoor.
Assign yourself an unused user I.D. number and give it an inconspicuous name, such as the initials of your school district. Whether you add any other information to the new user you have created is up to you.
If you are not lucky enough to have access to WHOCRT, don't worry; you probably won't need it anyway. If you are even lucky enough to have gotten this far, simply type STUCRT (don't worry, almost all users have access to the STUCRT program).
The STUCRT program accesses the master student files. Move the cursor to the field that asks for the four-digit SASI I.D. number, type in the SASI I.D. number of the student whose grades you want to change or look at, and press enter. At this point you should be looking at that student's profile. Presto, you're in. Change grades. Give yourself some lost credits, or give someone you hate a bad-looking record.
Once you have successfully logged in via the SASI login program, you will need to know what your options are. From the shell you land in after logging in, you will be able to run just about any program in the SASI package. The list of those programs that the original page linked to is not reproduced here.
7. Accessing the sasi\data directory.
If you haven't figured it out by now, you need access to the sasi\data directory in order to get at all of these useful files. If you have direct access to the machine with the SASI database on it (highly unlikely), simply search the hard drive until you find it.
If you're on a network (Novell, I assume), you have to hack the file server where the database is located. If it is Novell (and it has to be, because the SASI program has no other kind of network compatibility), you need to familiarize yourself with Novell commands and other Novell security-related information. For the best information on doing this, consult Simple Nomad's Hacking Novell Netware FAQ.
If you're on a large network, good luck finding the correct server; it can be a bitch. Assuming you can find and break into the correct server, you can then search for the sasi\data directory.
What you do next is up to you.