Perhaps the most exciting operating system to HACK on is VAX/VMS.
It offers many challenges for hackers and boasts one of the best security systems ever developed. In comparison to the security on UNIX, VMS is far superior in every respect. It can be very difficult to get inside such a system and even harder to STAY inside, but isn't that what this is all about?! I have written this file as a way for beginning hackers to learn about the VMS operating system. There is such a vast amount of information that can be related about VAX/VMS hacking that it is not possible for me to cover everything in just one file. As such I will try and stick to the basics for this file and hopefully write another file in the future that deals with heavy-duty kernel programming, the various data structures, and system service calls. All right, so let's get at it!
First of all, how do you recognize a VAX when you see one?! Well, the thing that always gives a VAX away is what you see when you log on:
It may also have some other info before it asks you for the username, usually identifying the company and perhaps a message to the effect of:
Unauthorized Users will be prosecuted to the fullest extent of the law!
That should get you right in the mood for some serious hacking! Ok, so when you have determined that the system you have logged into is indeed a VAX, you will have to at this point enter your SYSTEM LOGIN. Basically, on VAXes there are several default logins which will get you into the system. However, on MOST systems these default logins are changed by the system manager. In any case, before you try any other logins, you should try these (since some system managers are lazy and don't bother changing them):
Username     Password     Alternate
SYSTEM       MANAGER      OPERATOR
FIELD        SERVICE      TEST
DEFAULT      DEFAULT      USER
SYSTEST      UETP         SYSTEST
DECNET       DECNET       NONPRIV
That's it. Those are the default system users/passwords. The only ones on the list that are GUARANTEED to be in the userlist are SYSTEM and DEFAULT. However, I have never come across a system where these two haven't been changed from their default passwords to something else. In the above list, the alternate password is simply a password that many operators change the default to. So if the first password doesn't work, try the alternate password. It should be noted that when a user is added to the system, the default password for the new user is the SAME as his username. You should keep this point in mind because it is VERY important. Most of the accounts you hack out will be found in this way! Ok, if the above ones don't work, then you should try these accounts. The following accounts are NOT defaults, but through experience I have found that many systems use these accounts or some variation thereof:
Username     Password
DEC          DEC          *
DEMO         DEMO         *
TEST         TEST         *
NETNONPRIV   NONPRIV      *
ORACLE       ORACLE       *
ALLIN1       ALLIN1       *
INGRES       INGRES       *
GUEST        GUEST        *
BACKUP       BACKUP       *
USER         USER         *
REMOTE       REMOTE       *
INFO         INFO         *
OPERATOR     OPERATOR     *
The ones that have asterisks (*) beside them are the more popular ones and you have a better chance with them, so you should try them first. It should be noted that the VAX will not give you any indication of whether the username you typed in is valid or not. Even if you type in a username that does not exist on the system, it will still ask you for a password. Keep this in mind, because if you are not sure whether an account exists or not, don't waste your time trying to hack out its password. You could be going on a wild goose chase! You should also keep in mind that ALL bad login attempts are kept track of, and when the person logs in, he is informed of how many failed attempts there were on his account. If he sees 400 login failures, I am sure that he will know someone is trying to hack his account.
Ok, I am assuming you tried all the above defaults and managed to get yourself into the system. Now the real FUN begins! Ok, first things first. After you log in you will get some message about the last time you logged in etc. If this is the first time you have logged into this system then you should note the last login date and time and WRITE IT DOWN! This is important for several reasons. The main one being that you want to find out if the account you have just hacked is an ACTIVE or INACTIVE account. The best accounts are the inactive ones. Why?! Well, the inactive accounts are those that people are not using currently, meaning that there is a better chance of you holding onto that account and not being discovered by the system operator. If the account has not been logged into for the last month or so, there's a good chance that it is inactive. Ok, anyhow, once you're in, if you have a normal account with access to DCL you will get a prompt that looks like:
This may vary from machine to machine but its usually the same. If you have a weird prompt and would like a normal one, type:
If this is the first time you have hacked into this system there are a couple of steps you should take immediately. First type:
This will enable your break keys (like ctrl-c) so that you can stop a file or command if you make a mistake. Usually ctrl-c is active, but this command will ensure that it is. (Note: in general, to abort a command or program you can type ctrl-c or ctrl-y.) Ok, anyhow, the next step is to open the buffer in your terminal, then type:
This will dump a file that has all the system's users listed in it. You may notice a lot of weird garbage characters. Don't worry about those, that is normal. Ok, after this file ends and you get the shell prompt again ($), then save the buffer, clear it out and leave it open. Then type:
Ok, after this file is buffered, save it also. Ok, at this point you have two files on your disk which will help you hack out MORE accounts on the system. For now, let's find out how powerful the account you currently hacked into is. You should type:
This may give you a message telling you that all your privileges were not granted. That's ok. Now type:
This will give you a list of all the privileges your account is set up for. Usually most user accounts only have NETMBX and TMPMBX privs. If you have more than these two, then it could mean that you have a nice high-level user. Unlike UNIX which only has a distinction between user and superuser, VMS has a whole shitload of different privileges you can gain. The basic privs are as follows:
NONE      no privilege at all
MOUNT     Execute mount volume QIO
NETMBX    Create network connections (you need this to call out!)
TMPMBX    Create temporary mailbox
GROUP     Control processes in the same group
GRPPRV    Group access through SYSTEM protection field
ACNT      Disable accounting
ALLSPOOL  Allocate spooled devices
BUGCHK    Make bugcheck error log entries
EXQUOTA   Exceed disk quotas
GRPNAM    Insert group logical names in the name table
PRMCEB    Create/delete permanent common event flag clusters
PRMGBL    Create permanent global sections
PRMMBX    Create permanent mailboxes
SHMEM     Create/delete structures in shared memory
ALTPRI    Set base priority higher than allotment
OPER      Perform operator functions
PSWAPM    Change process swap mode
WORLD     Control any process
SECURITY  Perform security related functions
SHARE     Access devices allocated to other users
SYSLCK    Lock system-wide resources
DIAGNOSE  Diagnose devices
SYSGBL    Create system wide global sections
VOLPRO    Override volume protection
BYPASS    Disregard protection
CMEXEC    Change to executive mode
CMKRNL    Change to kernel mode
DETACH    Create detached processes of arbitrary UIC
LOG_IO    Issue logical I/O requests
PFNMAP    Map to specific physical pages
PHY_IO    Issue physical I/O requests
READALL   Possess read access to everything
SETPRV    *** ENABLE ALL PRIVILEGES!!! ***
SYSNAM    Insert system logical names in the name table
SYSPRV    Access objects through SYSTEM protection field
Ok that's the lot of them! I will explain some of the more important privileges later in the file. For now, at least you can see just how powerful the account is. It should be noted that most accounts usually are only granted the TMPMBX and NETMBX privileges, so if you don't have the others, don't fret too much.
I think that I should clarify some of the basic concepts involved with VAX/VMS operating systems before we go any further:
PROCESS : this is what is created when you log in. The system sets aside CPU time and memory for you and calls it a process. Any task that is run in VMS is called a process.
SUBPROCESS : also known as a child process, this is just a process that was created by another process.
DCL : Digital Command Language. This is the shell ($) that you are put into when you log into a VAX.
MCR : an alternate shell that is used (rarely) on certain accounts. The login prompt is a > as opposed to DCL, which gives a $.
SHELL : this is the '$' that you see once you are logged in. This is your interface with the system, where you can enter the various commands, execute files and perform other activities.
JOB : a process and a group of its subprocesses performing some task.
SPAWN : this is the actual command that allows you to create subprocesses. 'SPAWNING' is the act of creating subprocesses.
PID : process identification number. This is an 8 byte ID code that is uniquely given to each process that is created on the system.
IMAGE : this is an EXE file that you can execute (ie run).
UIC : User identification code. This is in two parts, namely: [group,member]. The way this works is that users in the same group can access each other's files through the group protection code. However, since the UIC MUST uniquely identify each user, the member portion separates the individuals in each group. If an account does not have a different member number, he will NOT be put in the RIGHTSLIST database.
A brief note on control sequences. Several different actions can be activated via control sequences. They are:
CTRL-H :delete last character
CTRL-B :redisplay last command (can go back up to the last 20 commands issued)
CTRL-S :pause display
CTRL-Q :continue after pause
CTRL-Z :*EXIT* use to break out of things such as CREATE and EDIT
CTRL-C :*CANCEL* will exit out of most operations
CTRL-Y :*INTERRUPT* will break out of whatever you are doing
CTRL-T :print out statistical info about the process
Sometimes upon login, the CTRL-Y and CTRL-C keys are disabled. To ensure these are enabled, issue this command upon login:
$ SET CONTROL
All the commands that are executed from DCL can be referenced from an online help manual. To access this, simply type HELP at any '$' prompt. This help is also available within the various utilities and programs such as AUTHORIZE and MAIL. The two MOST important commands are SET and SHOW. These should be buffered and printed out for your own reference.
FILES and DIRECTORIES
The directory structure of VMS is a hierarchical one, similar to MS-DOS and UNIX. It's a simple concept, and I will only briefly skim over it. First of all, it should be noted that there may be more than one hard drive or other mass-storage device hooked up to your system. Within each hard drive there is the ROOT directory. This is the highest directory in the tree and is referenced by . (this will be explained in a minute). Within the root there are several subdirectories. Within these subdirectories there may be files and even further subdirectories. The concept is quite simple, but can be difficult to explain. Here is a diagram to give you a rough idea of how it is set up:
    root directory
    !
    +-- [d1]
    !   +-- [d1.da]
    !   +-- [d1.db]
    !   !   +-- [d1.db.db1]
    !   +-- [d1.dc]
    !
    +-- [d2]
    !   +-- [d2.d2a]
    !   !   +-- [d2.d2a.d2a1]
    !   +-- [d2.d2b]
    !
    +-- [d3]
        +-- [d3.d3a]
        +-- [d3.d3b]
Hopefully this will give you some sort of an idea of how the directories can be structured. Within each subdirectory there may be other files also. For example, to see the directory after you log in you would type:
A sample result may be:
Total 7 files.
What does this tell you? The first line tells you what drive and subdirectory you are in. The next lines are the actual files. As you can see, each file has a 3 character extension, followed by a semicolon and a number. The name before the period is the actual filename (eg. average), the 3 characters after the period are known as the extension (eg. com) and the number after the semicolon refers to the version of the file. So in this case, this is version number 3. The first time you save a file, it automatically assigns it a version number of 1. If a file of that name already exists on your disk, it takes the highest version number, increments it by 1 and saves the new copy as that version. So the next time I go ahead and save the file average.com, it would add another file to the list called average.com;4
Special note should be taken of the files that have an extension of '.DIR'. These are not really files, but rather subdirectories. I will show you how to switch subdirectories in just a minute. First you should take note of the different file extensions. Although you can name the files anything you want, some of the more important extensions are:
EXE  Executable IMAGE. These files are programs that can be RUN
COM  DCL SCRIPT files. These can also be executed, utilizing the @ command
DAT  DATA file. Sometimes useful things to look at.
LIS  Listing File, many times important info is in here
MAI  Mail file, use the MAIL command to read these
DIR  DIRECTORY - not a file
JOU  Journal File, often created thru the use of other programs eg EDIT
TXT  Text Files, often hold useful information.
These are just some of the extensions you are most likely to see. The two important ones are the EXE and COM files. These can be executed from the DCL level. EXE files are executed via the RUN command. Eg. to run authorize.exe:
$run authorize
This will run the authorize IMAGE. Supposing there were more than one version of authorize, you could specify a version number. eg.
$run authorize.exe;4
The other type of file you can run is the COM files. These are like SCRIPT files in UNIX or .BAT files from MS-DOS. They are just a sequence of DCL commands strung together that are executed when you initiate the file. To run COM files, use the @ command. For example, to run adduser.com, type:
$@adduser
The version number thing I stated for EXE files also applies for COM files.
***NOTE*** To get a listing of all the files on the whole drive, try this:
$sd
$dir [...]*.*
Similarly, you would type dir [...]*.com if you wanted just the COM files listed. To see the contents of a file, you can use the TYPE command. For example:
$type login.com
This might type out something like:
$ sd:==set default
$ set control=(y,t)
$ set proc/name=entity
$ set term/dev=vt100
This is great for COM files, DAT files and some of the other types, but you will always get garbage when you type EXE files, so don't bother trying those. This is very useful for snooping around other people's files and getting information. Many times I have found user/passwords lying around in TXT or LIS files left by some careless user.
Now, how do you go about changing directories? Well, first you should set up a shortcut. The normal command to change directories is SET DEFAULT. For example to change to a subdirectory called REPORTS, you would have to type:
$set default [.reports]
To make life simpler on yourself, as soon as you log in, you should type:
This defines a macro called SD that is interpreted by DCL as SET DEFAULT. You can similarly define other 'favorite' commands to some short, easy to remember definition. Anyhow, here's the syntax for changing directories:
The device can be optionally left out, if you plan to remain in the same hard drive. You have to then enter a '[' followed by the root directory, followed by a period, followed by another subdirectory name etc. Eg.
Suppose at this point, you were in directory cosy, subdirectory users and there was a further subdirectory called 'info.dir'. Rather than specify the full pathname, you can simply type:
This will advance you one level into the info subdirectory. Remember to put the period in front of the subdirectory. If you don't, in this case it would assume that you were trying to reference the root directory called info. Another important thing to note is moving back levels in terms of subdirectories. For example if you were in [cosy.users.info] and wanted to move back to [cosy.users] you could type:
Similarly you can put in as many hyphens (-) as you want to move back. For example sd [--] would put you back to the cosy directory.
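To make the version-number and SET DEFAULT rules from the last few paragraphs concrete, here is a small model of them in Python (an added example, not code from the original file; the function names are mine). It treats names case-insensitively, as VMS does, and does not handle wildcards such as [...].

```python
import re

# DEVICE:[DIR.SUB]NAME.TYPE;VERSION -- every part of a VMS file spec is optional
FILESPEC_RE = re.compile(
    r"^(?:(?P<device>[A-Za-z0-9$_]+):)?"
    r"(?:\[(?P<directory>[^\]]*)\])?"
    r"(?P<name>[A-Za-z0-9$_]*)"
    r"(?:\.(?P<type>[A-Za-z0-9$_]*))?"
    r"(?:;(?P<version>\d+))?$"
)


def parse_filespec(spec):
    """Split a file spec into its parts; VMS names are case-insensitive, so upper-case them."""
    m = FILESPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"not a VMS file spec: {spec!r}")
    parts = {k: (v.upper() if v is not None else None) for k, v in m.groupdict().items()}
    if parts["version"] is not None:
        parts["version"] = int(parts["version"])
    return parts


def next_version_name(existing, new_spec):
    """Name that saving NEW_SPEC would get in a directory already holding EXISTING.

    A first save gets ;1.  If NAME.TYPE is already there, the highest version
    is incremented by one and the older versions are kept -- which is why a
    directory listing fills up with old copies of the same file.
    """
    new = parse_filespec(new_spec)
    highest = 0
    for spec in existing:
        old = parse_filespec(spec)
        if (old["name"], old["type"]) == (new["name"], new["type"]):
            highest = max(highest, old["version"] or 0)
    return f"{new['name']}.{new['type'] or ''};{highest + 1}"


def resolve_directory(current, target):
    """Resolve a SET DEFAULT target against the current directory.

    [.sub]    relative: go down into SUB
    [-]       parent; each extra hyphen goes up one more level ([--], [---])
    [-.sub]   up one level, then down into SUB
    [top.sub] no leading period or hyphen: an absolute path from the root,
              which is the mistake the text warns about (sd [info] vs sd [.info])
    """
    cur = parse_filespec(current)["directory"] or ""
    tgt = parse_filespec(target)["directory"]
    if tgt is None:
        raise ValueError("target has no [directory] part")
    path = [c for c in cur.split(".") if c]
    if tgt.startswith("."):
        rest = tgt[1:]
    elif tgt.startswith("-"):
        ups = len(tgt) - len(tgt.lstrip("-"))
        if ups > len(path):
            raise ValueError("cannot go above the root directory")
        path = path[: len(path) - ups]
        rest = tgt[ups:].lstrip(".")
    else:
        path, rest = [], tgt
    path += [c for c in rest.split(".") if c]
    return "[" + ".".join(path) + "]"


if __name__ == "__main__":
    # constructed sample directory listing, like the one the text describes
    listing = ["AVERAGE.COM;1", "AVERAGE.COM;2", "AVERAGE.COM;3", "LOGIN.COM;1"]
    print(next_version_name(listing, "average.com"))        # AVERAGE.COM;4
    print(resolve_directory("[cosy.users]", "[.info]"))      # [COSY.USERS.INFO]
    print(resolve_directory("[cosy.users.info]", "[--]"))    # [COSY]
```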
Another important thing to note about subdirectories is logical names. These are symbolic names assigned to certain things. For example, the main system directory is called sys$system. So to go to it you could type:
This would throw you into the system directory. Similarly you can type:
and this will put you back into the directory that you were initially in, when you first logged in. These symbols stand for actual device:directory combinations. To see the various definitions that are assigned to each process you should type:
This will list a whole bunch of global system equates that you can use to access various parts of the VAX structure. In addition to view all of your locally defined symbols, use:
$show symbol *
Ok, before I begin this, let me just state that whatever I say about files also applies to directories. There are four types of file protections. There is SYSTEM, WORLD, GROUP and OWNER. These are briefly:
SYSTEM - All users who have group numbers 0-8 and users with physical or logical I/O privileges (generally system managers, system programmers, and operators)
OWNER - the owner of the file (or subdirectory), isolated via their User Identification Code (UIC). This means the person who created the file!
GROUP - All users who have the same group number in their UICs as the owner of
WORLD - All users who do not fall in the categories above
Each file has four types of protection within each of the above categories. They are: Read, Write, Execute, Delete. Explanations are:
READ    - You can read the file and copy it.
WRITE   - You can modify and rename that file.
EXECUTE - You can run the file.
DELETE  - You can delete the file.
When you create a file the default is that you have all the privileges for that particular file. Group, world and system may only have limited privileges. This can be changed with the set protection DCL command. For example:
would set your default protection to allow other users in your group to have full read,write,execute,delete privs to the file, and others only read access to the file. The /default means that from now on all the files you create will be set with this particular protection. To change one of your own files to some other protection you can alternatively use:
$set prot topsecret.dat /prot=(system:rwed,group:rwed,world:rwed,owner:rwed)
This would enable all users on the system to access the file 'topsecret.dat'. When specifying the protection, you do not have to list it for each of the four categories. You can simply choose only those that you want changed from your default.
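To show how the four categories and the RWED letters combine, here is a Python model of the protection check described above (an added example, not code from the original file; the functions are mine). It follows the text's rule that groups 0-8 count as SYSTEM, adds the page's own descriptions of SYSPRV, GRPPRV, READALL and BYPASS, and parses UIC numbers as octal, as VMS writes them.

```python
import re

CATEGORIES = ("SYSTEM", "OWNER", "GROUP", "WORLD")
ABBREV = {c[0]: c for c in CATEGORIES}      # S:, O:, G:, W: are accepted too
ACCESS = set("RWED")
MAXSYSGROUP = 8        # the text: UIC groups 0-8 are the SYSTEM category
# VMS factory default for new files: owner and system get everything, the
# group may read and run, the world gets nothing (SET PROTECTION/DEFAULT changes it)
DEFAULT_PROTECTION = {"SYSTEM": "RWED", "OWNER": "RWED", "GROUP": "RE", "WORLD": ""}


def parse_uic(text):
    """'[group,member]' -> (group, member).  VMS writes UIC numbers in octal."""
    m = re.fullmatch(r"\s*\[\s*([0-7]+)\s*,\s*([0-7]+)\s*\]\s*", text)
    if not m:
        raise ValueError(f"bad UIC: {text!r}")
    return int(m.group(1), 8), int(m.group(2), 8)


def parse_protection(text, base=None):
    """'(system:rwed,group:re,world)' -> {category: access letters}.

    Categories left out keep their value from BASE, exactly as the text says
    a partial /PROT= list only changes the fields you name.
    """
    prot = dict(base if base is not None else DEFAULT_PROTECTION)
    for field in text.strip().strip("()").split(","):
        if not field.strip():
            continue
        cat, _, access = field.strip().upper().partition(":")
        cat = ABBREV.get(cat, cat)
        if cat not in CATEGORIES or set(access) - ACCESS:
            raise ValueError(f"bad protection field: {field!r}")
        prot[cat] = access
    return prot


def categories_for(user_uic, owner_uic, privs=()):
    """All categories a user falls into; access is granted if ANY of them allows it."""
    privs = {p.upper() for p in privs}
    cats = {"WORLD"}                                  # the world field is checked for everyone
    if user_uic == owner_uic:
        cats.add("OWNER")
    if user_uic[0] == owner_uic[0] or "GRPPRV" in privs:   # GRPPRV: group field access
        cats.add("GROUP")
    if user_uic[0] <= MAXSYSGROUP or privs & {"SYSPRV", "LOG_IO", "PHY_IO"}:
        cats.add("SYSTEM")                            # SYSPRV / I-O privs: system field
    return cats


def access_allowed(user_uic, owner_uic, protection, access, privs=()):
    """Would this user get READ/WRITE/EXECUTE/DELETE ('R','W','E','D') on the file?"""
    access = access.upper()
    privs = {p.upper() for p in privs}
    if "BYPASS" in privs or ("READALL" in privs and access == "R"):
        return True                                   # these privileges disregard protection
    return any(access in protection[c] for c in categories_for(user_uic, owner_uic, privs))


def world_writable(files):
    """Audit helper: files whose WORLD field grants W or D, like the 'topsecret.dat'
    setting in the text, which hands every account on the machine full access."""
    return sorted(name for name, prot in files.items() if set(prot["WORLD"]) & {"W", "D"})


if __name__ == "__main__":
    # constructed sample: two files, the second opened up exactly as in the text
    files = {
        "LOGIN.COM;1": parse_protection("(world:r)"),
        "TOPSECRET.DAT;1": parse_protection("(system:rwed,group:rwed,world:rwed,owner:rwed)"),
    }
    print(world_writable(files))                      # ['TOPSECRET.DAT;1']
    print(access_allowed(parse_uic("[200,1]"), parse_uic("[100,1]"),
                         files["LOGIN.COM;1"], "W"))  # False
```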
An important utility that all VAX hackers should be familiar with is the EDT text editor. To call it up, use the EDIT DCL command. ie:
This will invoke the EDIT/EDT text editor. The [filename] refers to the file that you want to edit. If the file does not exist, it is created at this point. The EDT editor does not provide a default file type when creating files, so if you do not specify one, it will leave it as NULL. It should be noted that there is more than just the EDT editor, but when you type in EDIT, the default is /EDT. Basically it is an editor that you can use to create/modify COM or any other type of text files.
After the editor is invoked, it keeps track of everything that you enter in a JOU file. In case of lost carrier or some other accident, you can recover what you had by specifying the /RECOVER qualifier. For example:
This would take the last copy of memo.dat, load it into memory, then process your last JOU file, updating it to virtually exactly where you were before you got cut off. Journaling is automatically defaulted to ON, but can be turned off with the /NOJOURNAL qualifier. For a description of what all the qualifiers are, and what they do, refer to the online HELP manual.
Ok, here is a list of the basic commands you can perform in the EDT editor:
X (where X = line number)............show line X only
X:Y (where X,Y = line numbers).........show line X through line Y
A,B,C,D (a,b,c,d = line numbers).......list lines A,B,C,D
X:e ...................................list from X to end
T W ...................................TYPE WHOLE. List ALL of the text lines
S/string1/string2/W....................substitute ALL occurrences of string1 for string2 as they occur from current line number downwards
"string" ..............................search for first occurrence of string from current line downwards
T A "string" ..........................type all occurrences of string from current line downwards
X:Y a "string" ........................search for occurrences of string within range denoted by X through Y
D X ...................................Delete line X
D X:Y .................................Delete line X through Y, inclusively
I .....................................insert a line
I X ...................................insert from line X
M X:Y to Z ............................move lines X through Y to line Z
RES ...................................resequence line numbers
RES/SEQ:X:10 ..........................resequence from line X in intervals of 10
R X ...................................replace from line X. This deletes the current line and automatically goes into insertion mode.
EXIT ..................................leave the editor, and SAVE the current
QUIT ..................................leave the editor and DO NOT SAVE the
A sample editing session is shown:
hi this is just some bullshit text to test out how this EDIT program works. Oh well, easy enough. bye!
hi this is just some bullshit text to test out how this EDIT program works. Oh well, easy enough. bye!
In this section I will outline some of the more important commands that you can issue from the DCL level. This is not meant to be a complete guide. I will merely point out some of the more important commands and give a very brief description. Proper help can be obtained from the online HELP facility.
NOTE: It should be noted that each of the following commands may have further qualifiers that you can specify. You should check up on these from the online help also.
@                       -Lets you execute COM script files
ACCOUNTING              -allows you to view and edit system accounting data that keeps track of what system time you have racked up.
ANALYZE                 -lets you view the contents of OBJ files in HEX/ASCII format.
ANALYZE/SYSTEM          -Invokes the SDA. VERY VERY USEFUL!! Allows you to view other running processes, their type-ahead buffers etc.
APPEND                  -appends the contents of file1 to file2
ATTACH                  -allows you to attach yourself to one of your subprocesses
CLOSE                   -closes a file that was opened for input/output via OPEN
CONTINUE                -continue a process that you have aborted with control-y
COPY                    -copy file1 to file2. You can specify full pathnames, with device and subdirectory. If you want to copy it to your home directory just use sys$login as your 'TO' file.
CREATE                  -create a text file of any type. Eg. you want to create a simple COM file or perhaps a letter to another hacker on the system. (you shouldn't be using MAIL to send messages!)
CREATE/DIR              -If you want to create a subdirectory
DELETE                  -delete a filename. Remember to specify a version number when you are deleting a file or it won't work. eg. del garbage.com;1
DELETE/INTRUSION_RECORD -gets rid of the failed password attempts
DIFFERENCES             -compares two files and notifies you of their differences
DIRECTORY               -get a directory of the files. Various qualifiers can be chosen
DUMP                    -get a hex/ascii file dump
EDIT/EDT                -invokes the VAX EDT interactive text editor
EXAMINE                 -view the contents of virtual memory
HELP                    -ONLINE HELP MANUAL. REFER TO IT OFTEN!
LINK                    -link object files into EXE files that you can run
LOGOUT                  -the proper way to terminate a session
PHONE                   -Allows you to chat with another user on the system. It is not recommended that you use this, except with fellow hackers.
RENAME                  -rename a file or directory
RUN                     -lets you execute EXE files
SET CONTROL             -disables/enables interrupts via ctrl-y/ctrl-c
SET DEFAULT             -change directories
SET HOST                -allows you to connect to another mainframe
SET PASSWORD            -change the password of your account
SET PROCESS             -change the characteristics of your process
SET PROMPT              -change the prompt ($)
SET TERMINAL            -change your terminal characteristics
SHOW ACCOUNTING         -show the current security/accounting enabled
SHOW AUDIT              -show SECURITY enabled
SHOW DEFAULT            -see your current directory. (Like PWD in UNIX)
SHOW DEVICES            -check out the system setup
SHOW INTRUSION          -view the contents of the breakin database
SHOW LOGICAL            -current logical name assignments
SHOW NETWORK            -lists all the available nodes that you can connect to
SHOW PROCESS            -View your process settings
SHOW PROTECTION         -show the default protection you have set
SHOW SYSTEM             -useful to see the running processes
SHOW TERMINAL           -display your terminal characteristics
SHOW USERS              -see who else is logged in.
SPAWN                   -spawn a subprocess
STOP                    -kill off a subprocess
TYPE                    -view a file
This should give you a general overview of some of the more important commands that you can use. It would be impossible for me to list ALL the commands and their descriptions, so I suggest that you go through the online HELP facility and familiarize yourself with the syntax of some of these commands.
Up to this point I have mainly discussed the basic concepts involved with VMS. By now you should be familiar and comfortable with the various DCL commands and how to accomplish certain tasks. If you are still sketchy, go back and re-read the sections you don't understand. You may also want to log into a VAX and just try fiddling around in the shell, getting used to how the whole thing works.
In this section I will discuss some of the techniques that you may find useful in hacking out accounts, calling out to remote systems, and gaining access to confidential information.
Let's start from the top: When you first log in to the system, after it accepts your password etc., it executes the SYLOGIN.COM file. Then it searches your default directory for the file LOGIN.COM (this may be changed by the system manager if he wishes). This file basically sets up your terminal parameters and perhaps some macros that you wish to be defined. It may or may not also execute some utility.
Sometimes it may be useful to be able to skip the login procedures. For example if the system automatically runs some file as soon as you log in, and doesn't put you into the shell, this technique can be used:
Assuming the user was named entity, if you put a /nocomm qualifier, it will skip the login.com file and put you directly into DCL. Similarly you can specify some other file you want executed instead of login.com. eg.
This will execute the custom.com file upon entry into the account. It should be noted that these methods WILL NOT WORK on a CAPTIVE account. What is a captive account?! Read on...
Many times, in an attempt to make an account more secure the system manager sets the captive flag to ON, in the users profile. What this means is that when you log in, you cannot break out of the login file into the DCL shell. This means that although you can hit ctrl-y and it may even say interrupt it will not actually abort the file. So how do you exit to DCL?! Well there are a few ways. Usually accounts set up in this manner are used to allow the user to connect to other nodes. If this is the type of account that you have logged into then try the following: First choose an option from the menu that they present that allows you to call any node. When it says something like %connected to... then hit two ctrl-y in quick succession. It will then ask you if you want to really abort the current session. Type Y and it will put you at a prompt that looks like:
At this point you should type in SPAWN and it will spawn a process and throw you into the DCL Shell. This is a major security flaw in VMS and can be put to good use on many a system.
On most systems that you hack into, you will find yourself with only TMPMBX and NETMBX privileges. To see your privs type:
These however may not be all the privileges that you have assigned. Upon login, the system only assigns you your default privileges. On some accounts you may have more than just these privileges. To see if you do, type:
If this doesn't give you any error message then you have found yourself a SYSTEM account! With this account you can create new users, change the security setup, read other people's files etc. Here is a list of some of the more important privileges and what they can be used for:
CMKRNL  -change to kernel mode. Very Powerful privilege!!
SETPRV  -allows you to become a Super-User. You can do whatever you want!
READALL -allows you to read other people's files and directories regardless of the protection
OPER    -allows you to perform many useful operator functions (security etc)
SYSPRV  -You can gain the same UIC as the system and access just about anything you want. Create/modify accounts
NETMBX  -allows you to call out on the network to other systems
BYPASS  -this allows you to view network passwords, and to bypass all types of protection fields
These are just some of the more important ones to the hacker. For a complete list of all the privileges and what each one does, see the list I presented earlier in the file.
One important note: It is not possible to gain privileges that are not set up in your default from the DCL level. There is one way to gain ALL privileges on ANY VAX but it involves some serious kernel programming. I could outline the program here but I chose not to. The reason for this is that many people would abuse the system if they had access to wiping out hard drives and totally trashing the system. If you work from the ground up, you begin to realize just how important gaining extra access is. You begin to respect the VMS system for what it is. A system account in the hands of a novice is a very dangerous thing indeed, and my suggestion is that if you have a SYSTEM account that has more than just the default privileges you should disable them. This will only help you avoid making any mistakes and screwing up the system. To do this type:
With these privileges you should be able to easily navigate throughout the system without messing anything up. Keep one thing in mind, don't delete files unless you have created them! People will notice things like this and you are guaranteed to lose your account.
Once you are an experienced hacker you may wish to create a program that gives you more privileges. To get you started in this direction I will give you an excerpt out of the 'VAX/VMS Internals and Data Structures' manual:
If a process wishes a privilege that is not in its authorized list, one of two conditions must hold or the requested privilege is not granted.
1) The process must have SETPRV privilege. A process with this privilege can acquire any other privilege with either the set privilege system service or the DCL command SET PROCESS/PRIVILEGES.
2) The system service was called from executive or kernel mode. This mechanism is an escape that allows either VMS or user-written system services to acquire whatever privileges they need without regard for whether the calling process has SETPRV privilege. Such procedures must disable privileges granted in this fashion as part of their return path.
That should give you an idea of what is necessary to go about writing a program that grants you extra privileges. For those advanced programmers, here is the relevant information:
Symbolic name     Location             Usage                          Referenced By
PHD$Q_PRIVMSK     process header       working privilege mask         system srvc's
PCB$Q_PRIV        PCB                  same as phd$q_privmsk          device driver
CTL$GQ_PROCPRIV   P1 pointer page      permanently enabled privs      SET UIC
PHD$Q_AUTHPRIV    process header       procs allowable privs          $setprv
PHD$Q_IMAGPRIV    process header       mask for enhanced priv images  $setprv
UAF$Q_PRIV        sysuaf.dat           UAF allowable privs            LOGINOUT
KFI$Q_PROCPRIV    priv install image   image installed with privs     image actvatr
IHD$Q_PRIVREQS    image header         unused - set for all privs!    image actvatr
Version 4.2 of VMS introduced the security auditing features. These features can be used to track down hackers and illegal use of the machine. Things such as access to files, login failures, process creation, adding users etc can all be monitored and logged. After you have logged into an unknown system, it is wise to check what kind of security they have enabled on the system. This is done in two ways. First you should try:
Normally this will either say accounting is disabled or will have a list of items that are being monitored. This is used mainly for charging the users for CPU time etc. What you should check for in this list is whether IMAGE accounting is enabled. If it isn't, then you can relax. If it is, you know that you have a smart system manager here and you will have to take extra precautions when fiddling around on this machine. The second thing you should check is the actual level of security auditing enabled. Generally this feature is disabled, and you have nothing to worry about. To see the security settings, type:
One thing to note is that you must have the SECURITY privilege to issue this command. An especially secure system may have things such as breakins, logins, logfailures, file access (both successes and failures), and authorization checks. These systems require a tremendous amount of care, and are not a good place to start learning about VMS.
Another important thing that you should keep in mind is that VAX/VMS stores information about login failures (invalid password, account expired, unknown username). A security manager can identify possible breakin attempts by using:
This command requires the CMKRNL and SECURITY privileges. An interesting thing to note is that the system manager can have the VAX do certain things after it has determined that the user trying to log in is not legitimate. For example it can block all login attempts from a certain terminal, or it could turn off accepting passwords for a certain account for a specified period of time. So let's suppose you were hacking an account and after 10 tries actually entered the right password. If the intrusion alert is set at 5 tries, then even if you enter the correct password, it won't let you in!!
I want to make a quick note here about expired passwords. Often you will find after logging into an account that it will say that your password has expired and for you to enter a new password. At this point you should check the date of last access. If it was only a few days ago, then you should forget about this account. If it is more than a few weeks ago, then you have found yourself an INACTIVE account (ie one that is not in use anymore). The first thing that you should do is set a new password. For example:
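The lockout behaviour just described, written up as an added example (not VMS code and not from this file): a small model that counts login failures per username and terminal and, once the count reaches the limit inside a time window, refuses every further login on that pair for a while, correct password or not. The limit, window and hide time, the account table and the helper names are all assumptions chosen for the demonstration.

```python
"""Model of the login-failure intrusion detection described in the text.

Constructed example: counts failed logins per (username, terminal); when the
count reaches BREAK_IN_LIMIT within FAILURE_WINDOW seconds, every login from
that pair is refused for HIDE_TIME seconds, even with the right password.
The parameter values below are assumptions, not any system's defaults.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed policy values (illustrative only).
BREAK_IN_LIMIT = 5      # failures before the source is treated as an intruder
FAILURE_WINDOW = 300    # seconds within which those failures must occur
HIDE_TIME = 900         # seconds during which logins from the source are refused


@dataclass
class IntrusionRecord:
    failures: List[float] = field(default_factory=list)  # timestamps of failures
    hidden_until: float = 0.0                            # refuse logins until then


class LoginGuard:
    """Evaluates login attempts and keeps per-(user, terminal) intrusion state."""

    def __init__(self, valid_passwords: Dict[str, str]):
        # Constructed account table; VMS passwords are case-insensitive.
        self.valid = {u.upper(): p.upper() for u, p in valid_passwords.items()}
        self.records: Dict[Tuple[str, str], IntrusionRecord] = {}
        self.audit: List[str] = []  # what a security manager would later review

    def _record(self, user: str, terminal: str) -> IntrusionRecord:
        key = (user.upper(), terminal.upper())
        return self.records.setdefault(key, IntrusionRecord())

    def attempt(self, user: str, password: str, terminal: str, now: float) -> str:
        """Return 'OK', 'FAIL' or 'EVADE' for one login attempt at time `now`."""
        user, terminal = user.upper(), terminal.upper()
        rec = self._record(user, terminal)
        # While the source is hidden, nothing gets through, correct or not.
        if now < rec.hidden_until:
            self.audit.append(f"{now:7.1f} EVADE   {user} on {terminal}")
            return "EVADE"
        # Forget failures that fell out of the window before counting.
        rec.failures = [t for t in rec.failures if now - t < FAILURE_WINDOW]
        if self.valid.get(user) == password.upper():
            self.audit.append(f"{now:7.1f} OK      {user} on {terminal}")
            return "OK"
        rec.failures.append(now)
        self.audit.append(f"{now:7.1f} FAIL    {user} on {terminal} "
                          f"({len(rec.failures)}/{BREAK_IN_LIMIT})")
        if len(rec.failures) >= BREAK_IN_LIMIT:
            rec.hidden_until = now + HIDE_TIME
            self.audit.append(f"{now:7.1f} BREAKIN {user} on {terminal}: "
                              f"hidden for {HIDE_TIME}s")
        return "FAIL"


def guess_then_succeed(guard: LoginGuard, user: str, terminal: str,
                       wrong_tries: int, right_password: str) -> str:
    """The scenario in the text: N wrong passwords, 10 s apart, then the right one."""
    t = 0.0
    for i in range(wrong_tries):
        guard.attempt(user, f"wrong{i}", terminal, t)
        t += 10.0
    return guard.attempt(user, right_password, terminal, t)


if __name__ == "__main__":
    g = LoginGuard({"SMITH": "secret"})
    print(guess_then_succeed(g, "smith", "TTA7", 10, "secret"))  # EVADE
    print(*g.audit, sep="\n")
```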
Passwords can be from 1-31 characters in length and can contain the following characters:
$ (dollar sign)
Note that uppercase and lowercase are not differentiated (unlike UNIX). The reason that you should enter a password at this point is that if you don't, the next time the account will not let you log in since the password has expired.
GAINING MORE ACCOUNTS
Once you have managed to hack onto a VAX, often you will want to gain more accounts on the system. There are several ways to go about doing this. The first way is to get a list of all the users on the system. Remember that the default password for any account is the same as the username. Well if you have a list of users, there's a good chance you may find a few who haven't bothered to change their passwords. There are a few methods of viewing the userlist. The simplest, but least readable way is to:
and buffer the incoming information. You will notice some garbage characters also sent through. The way this file is set up is a 1-2 byte character ID followed immediately by a 32 byte string with the username. So to pick out the usernames, simply ignore the first character from each name, and then you have the usernames. There is one small problem with this. Sometimes the character ID in front of the name is a SPACE. In this case, you would still skip the first character (which is a space), but in viewing the name you would take all the characters. So you just have to use your judgement when looking at this list to determine whether the string is the whole name, or whether it has an ID code stuck in the beginning. The problem is that the ID code is not necessarily a garbage character, it could be any valid ASCII character (spaces, letters, numbers, etc.). The thing that you should keep in mind is that these ID codes are grouped together, so you may see several names that all start with 'A' and you can assume that this is the ID and not part of the actual name.
Another method which is a bit slower, but a lot neater is to use the DUMP command on the rightslist file:
This is quite useful, because it automatically strips away control characters, and puts each name into a separate record which makes it easy to isolate the proper login names.
An alternative method is to run the psi$authorize file from the system dir. To do this, type:
When you get the PSI-authorize prompt, type:
PSI-authorize> show /id *
This will list all the users on the system. The drawback to this method is that the system you are on may have taken the PSI utilities out of the system directory. The PSI utilities are used mainly for remotely connecting to other mainframes.
A third method to get a listing of all the users is to go through the sysuaf database. On most accounts this is usually not possible, since most users do NOT have read/write access to sysuaf.dat. If you DO have access to this file (ie you have READALL or SETPRV etc) then you can run authorize:
Then when you get the UAF prompt, type:
UAF>show [,] /brief
The added bonus of doing it this way is that you can also find out things such as the user's home directory, when they last logged in, what their privileges are, etc. This makes it easy to isolate the good accounts on the system that you may want to hack at. It should be noted however, that if you CAN perform this command, then you also have the privs to create your own user, or better yet change the password on an inactive account.
There is another possibility that sometimes works on many systems. Often, the system manager uses the LIST command from AUTHORIZE and what it does is produce a user listing in the file called: SYSUAF.LIS in the SYS$SYSTEM directory. If he has done this, unless he explicitly changes the protection on the file, this file has WORLD READ access. In other words, anyone can go in and type out the file. To do this try:
Ok so let's assume that you have used one of these methods and have come up with a list of all the users on the system. Now comes the tedious part. What you have to do is log back into the system, and try each of the names out. For the password, enter the same thing as you did for the username. This is a long and boring process depending on how large the userbase is, but it usually yields a few good accounts.
Another interesting variation on this, is to get accounts on remote nodes that are linked with your VAX. To see other nodes that are accessible from your VAX, type:
This will produce a listing like:
VAX/VMS Network Status for local node 2.161 NORTELCOM on 01-SEP-1989
The next hop to the nearest area router is node 2.62 BELCAN
  Node              Links  Cost  Hops  Next Hop to Node
  2.161 NORTELCOM       0     0     0  Local  -> 2.161 NORTELCOM
  2.6   JANUS           0     3     3  UNA-0  -> 2.6   JANUS
  2.2   LUMPY           0     9     5  UNA-0  -> 2.2   LUMPY
  2.3   SBSU            0     5     4  UNA-0  -> 2.3   SBSU
  2.4   AURORA          0     4     4  UNA-0  -> 2.4   AURORA
Total of 5 nodes.
This is a sample output that you would see on your screen. Let me give a brief explanation of what each column means. The first column shows the node address and the node name. The node name is the most important to the VAX hacker since that is how you will be contacting the remote node. LINKS shows the number of logical links between the local node and each available remote node. COST shows the total line cost of the path to a remote node. HOPS shows the number of intermediate nodes plus the target node. NEXT HOP TO NODE shows the outgoing physical line used to reach the remote node.
The important item from this list of course is the node name. By referencing this you can connect to other nodes. A nice technique that allows you to get user accounts on other nodes without actually having access to the node employs this idea. For example, if you want to find out the user list of a node SBSU, you could type:
$copy sbsu::sys$system:rightslist.dat sys$login
This will then transfer the rightslist from the other node to your login directory, giving you a list of all the users on the other system that you can hack out.
It should be noted that copying files from another node will create a file on the remote node indicating your transfer. To get rid of this, log onto the remote node and delete the file called NETSERVER.LOG (just delete the file versions that you have created, and leave the others alone!).
There is another useful trick that sometimes yields more USER accounts on other systems. Try typing:
This will present you with a giant list of what seem like symbol equates. What you should look for in here is something that accesses a file in another system eg.
Many times, a user/password combination is hidden among these definitions. To find these, simply search the file for occurrences where they have a nodename such as SBSU followed by a quote and some info. An example:
The important part is the info in quotes after the node name. The first item (before the space) is a username, and the word after the space is the password. It is rare to find such an occurrence, but it should not be overlooked, since it can sometimes yield high system level accounts. In this example, node SBSU has a user called SYSTEM, whose password is MANAGER.
DECNET and PSI
If you do a SHOW NET and it gives you a list of other nodes, you can connect to these nodes using the SET HOST command. For example to connect to node SBSU:
$set host sbsu
This will then connect you to SBSU, and you have to go through their login procedure also. An interesting trick to note is this: let's suppose that you have hacked an account out on node SBSU. What you want to find out is the DATAPAC or TELENET address of the machine. To do this use:
$mc ncp tell sbsu sh known dte
This will then give you the address of the machine, so that you can call it directly rather than through this VAX. You may want to do this to increase speed, since obviously calling through another VAX slows things down a bit.
Another method which often works is to use the SHOW LOGICAL command. By specifying a certain table, you can sometimes get a list of the NUAs of the other nodes in the same cluster as your node. To do this type:
An alternative method which is a bit messy and requires higher privileges is to type out the NETCIRC.DAT file. ie:
On all the systems that I have seen, none of them had WORLD READ access to this file, so it is not possible to read this with just TMPMBX and NETMBX privileges.
Many times you will want to call a phone number to another machine. To do this use:
$set host/dte txa0: /dial=number:5551212
This command will dial out to 555-1212 using the terminal TXA0:. To dial out a phone number, you MUST specify a terminal that is hooked up to a modem. To find out which terminals have modems type:
This will give you a list of devices hooked up to the VAX. Devices are 4 character strings followed by a colon (:). The terminals that you can use are usually further down the list. To test the terminal for a modem, use the following line, which also illustrates the importance of lexicals:
$write sys$output f$getdvi("txa0","tt_modem")
The above line would test the terminal TXA0: to see if it has a modem attached. If it responds with TRUE, then you have a modem, otherwise not. Note that you must put the terminal name in quotes, and also that you DO NOT enter the colon.
If the VAX you have hacked onto is hooked up to a packet switching system such as DATAPAC or TELENET, then there is another USEFUL thing you can perform. To call out to NUAs use the /X29 qualifier. For example:
$set host/x29 026245400050570
This would call up the NUA 026245400050570 (altos:tchh). What is interesting to note is that on many VAX's you can call out to foreign remote nodes such as the one in the example, and the charge for the collect call is placed on the account through which you are logged in. This is a safe and easy method to call out to PSDNs which are normally long distance from you. It should be noted that many system managers turn off foreign DNICs, which may limit you to calling only within your local DNIC.
One precaution you may want to take when using the SET HOST/X29 command is to turn off logging. Although this is usually turned off, some system managers may buffer everything you type in and keep it in a file. To temporarily turn the logging off, try this:
It will then ask for NODE: just hit RETURN, then:
This will either say that buffering is off or it will give you a filename with a directory path. If it is not off then make a note of the file, then type:
This will turn off the buffering. After you are through with the remote session be sure to turn it back on with:
PSI> set log_file xxxx:[xxxx.xxxx]xxxxx.xxx
All the xxx's represent the full filename path that you initially wrote down when you did the SHOW LOG_FILE command.
I want to point out another interesting trick that sometimes works on certain accounts. Many a time I have encountered an account on a Vax which would simply allow you to call out to another node. It had no other purpose, and would refuse to give you DCL access. If you encounter such an account and it asks you to enter a nodename, try putting /x29 NUA. This technique allows you to dial out to remote systems via some PSS even though you do not have DCL access! An example:
Enter nodename> /x29 026245400050570
If /X29 isn't disabled, this will allow you to call that NUA.
One thing to note is that not all systems allow you to call out using these methods. Some have /x29 disabled, others have /dial disabled etc. In order to overcome this barrier, it is important to know which files are involved. If you want to dial out, you MUST have the modem files (such as DMCL). If you want to dial out across a PSS, you must have the PSI utility files, and lastly if you wish to dial out to another node in the cluster you must have RTPAD.EXE on the local node and REMACP.EXE and RTTDRIVER.EXE on the remote node.
One quick note about finding other VAXes that have PSI utilities on them. Often you may want to hack only those VAXes that have PSIPAD on them. To determine if a particular VAX in your cluster has the capability, issue the command:
NODE stands for the nodename that you want to check. If this returns with a message that no files match, then this particular VAX does not have PSI installed. If on the other hand it returns with several file names, then it does have the PSI utilities installed.
This is just a VERY brief overview of the DECnet setup on VAX/VMS systems. For a more detailed analysis, look for my other file: 'Understanding DECnet and NCP'
HIDING ON THE SYSTEM
There are several methods that allow you to remain undetected once you have hacked onto a VAX. One of the most important things is to leave things as they are, in other words, do not delete files or subdirectories. You should also avoid leaving suspicious looking COM or EXE files that you may have created.
An important ability to have is being able to hide from SHOW USER. There are several ways of going about this, but the simplest is to become a non-interactive process, or to become a subprocess of some other non-interactive process such as a BATCH or NETWORK process. Although this will hide you from SHOW USERS, you will still be visible if someone does a SHOW SYSTEM. To get around this you should also give your process the name of a printer driver or something similar. For example:
Look for the processes that have a name of "SYMBIONT_xxxx" where xxxx is a number. These are the printer drivers on the system. Look for the last number on the list and then name your own process one higher than this number. For example if the last printer is 5 then type:
At the end of this file I have enclosed a small 20 line assembler program that you can enter through EDIT. It allows you to hide from SHOW USER by changing your process to an OTHER (non-interactive) process. After you assemble the file, link it and then execute it using the RUN command. You should then copy this file to some rarely used directory, where no one else will notice it.
So you have hacked your way in, and everything is going smoothly. Now you want to find out what all the other people on the system are doing. There are several ways of finding out who else is using the system and what they are doing. Here I will outline some of the basic methods.
Perhaps the simplest command that you can issue to see who else is logged in is the SHOW USER command.
A typical output might look like:
VAX/VMS Interactive Users
Total number of interactive users=5
  PID       Username   Process Name     Terminal
  202000B3  DELUCAJ    DELUCAJ          VTA21:  TTA7:
  20400138  OPERATOR   system monitor   VTA17:  OPA0:
  2040013D  POLLACK    POLLACK          VTA11:  TTB0:
  204000BC  ENTITY     FUK YOO          VTA15:  TTA1:
Ok so what does all this mean?! Well let's go one column at a time. The first column gives you your process identification number. This is a unique number that is assigned to each process as it logs in. The number itself really doesn't matter, however it is required for certain commands. The next column is the username of the process. This is always the name of the account that you logged in with. Sometimes you may notice that instead of a name it says
This will set your process name to Hacker! Since everybody will see this when they do a SHOW USER command, it is not recommended that you choose something that will give you away. In general, you leave this as the default. The next column shows the virtual terminal that you are logged into. The last column shows the physical terminal that you are logged into. It is important to check this last column. You should check to make sure that nobody is logged in under OPA0:. Anyone logged in under this is using the system console, which means that they could possibly be watching you! Another one to note is RTxx:, which indicates a process that is remotely logged in (ie calling in from another VAX or something). Other things that you should watch out for are users who are logged in under the SYSTEM account or any other high-privileged accounts. Any one of OPERATOR, OPER, SYSTEM, SYSMGR etc could mean trouble for the hacker.
One thing that you may notice on some systems is that a process will be logged on ALL the time under the OPA0: terminal. What's going on?! Is the system manager there all the time? No. What happens on many systems is that the system manager logs into his terminal, and doesn't bother logging out at the end of the day, leaving his process running often for weeks at a time. There is no easy way to know if the guy is really there or not. There are two things you can do. One is to check the time that the account has been IDLE, but there is no easy way to check this without going into some programming. The next best thing you can do is issue the SHOW SYSTEM command. This will show all the processes currently running, their priority levels, how much CPU time they are eating up, etc. A typical report may look like:
VAX/VMS X2EN on node DELPHI  01-SEP-1989 15:10:31.02  Uptime  0 12:06:30
  Pid       Process Name  State  Pri    I/O  CPU            Page flts  Ph. Mem
  22200080  NULL          COM      0      0  0 16:34:12.00          0        0
  22200088  SWAPPER       HIB     16      0  0 00:03:52.53          0        0
  22200113  ENTITY        LEF      4  16505  0 00:00:12.02       8689      233
  :         etc etc
This display can give you several important pieces of information about other processes. The explanation of each column:
PID       - the process identification number
Proc Name - the name of the process. Note that certain non-interactive system processes such as NULL, SWAPPER, ERRFMT etc are always running in
STATE     - This is important. This tells you what the process is currently doing. HIB-hibernating, COM-computing, LEF-active, CUR-current
PRIORITY  - the higher the priority number, the higher priority it has in terms of accessing CPU time.
I/O       - Shows the accumulation of the direct I/O and buffered I/O
CPU       - the total amount of CPU time the process has used so far
PAGE FLTS - page faults, number of exceptions generated. Not very useful...
PH. MEM   - amount of physical memory that the process occupies
A further thing you may notice after the last column on some processes is a single letter. This is the process indicator, and it can be one of:
B - batch job
S - subprocess
N - network process
Another useful option is the ability to know which files each of the processes is accessing. To accomplish this type:
The only problem with this command is that it will not show the filename if you do not have read access to it (unless you have the BYPASS privilege).
Perhaps the most POWERFUL tool that the VAX/VMS hacker has is the System Dump Analyzer (SDA). An important option of this allows you to view all the processes running on the system, what files they are accessing, their process status, the contents of their virtual memory (such as the keyboard buffer), etc. A VERY powerful command, it is started with the command:
The only drawback with this command is that it requires the CMKRNL privilege. I will discuss this feature in more detail later in the file.
A very big security loophole that is allowed on many VMS systems is detached accounts. Basically what this allows you to do is cut carrier instead of logging out properly. Instead of logging the process out, it is left waiting on the system. The next user who logs in, instead of getting a Username prompt, will get your shell ($) prompt! There are many useful things you can do with a detached account. The most obvious use of course is to set up a Trojan Horse program. Basically you write a procedure that simulates the VAX/VMS login sequence. After the user enters his/her username-password, you save this info to a file, give him a 'User authorization failure' and throw him into the real login sequence. He will think he mistyped something and this time when he tries, he will be able to log in normally. But in the meantime, you have a copy of his username/password combination stored away in a file, which you can later use!
Often it becomes necessary to examine a file in greater detail than provided by a simple TYPE command. For executable and object files there are of course the ANALYZE/IMAGE and ANALYZE/OBJECT commands, but often you want to have a look at each individual byte in the file. The best way to do this is to use the DUMP command. An example:
DUMP of file DISK0:[NORMAN]test.dat on 15-APR-1989 15:43:26.08
File ID (3134,818,2)   End of file block 1 / Allocated 3
Virtual block number 1 (00000001), 512 (0200) bytes
706d6173 20612073 69207369 68540033 3.This is a samp 000000
73752065 62206f74 20656c69 6620656c le file to be us 000010
61786520 504d5544 2061206e 69206465 ed in a DUMP exa 000020
00000000 00000000 0000002e 656c706d mple............ 000030
00000000 00000000 00000000 00000000 ................ 000040
00000000 00000000 00000000 00000000 ................ 0001E0
00000000 00000000 00000000 00000000 ................ 0001F0
As you can see, this not only shows the ASCII interpretation, but also the HEX value for each byte. This can be VERY valuable in certain situations. You should note that since the default is HEXADECIMAL LONGWORD, the bytes seem to be in a backwards order. This is due to the way the machine stores numbers in memory: Lo-byte, LSB, MSB, Hi-byte. You can optionally specify the numbers to come out in decimal or also in single byte format. Example:
$dump sbsu::sys$system:rightslist.dat /byte/header/decimal
See the online HELP files for more detail into the various qualifiers. You should note that you CAN use dump to access files on OTHER nodes!
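To make the "backwards" longword order concrete, here is an added example (my code, not DUMP and not from this file) that rebuilds the sample block shown above and formats it the way the default DUMP display and the /BYTE display do. The block is constructed: it assumes the file holds one variable-length record, a 2-byte little-endian length (0x0033 = 51) followed by 51 bytes of text and a pad byte, zero-filled to 512 bytes; that reading of the two leading bytes is mine, not a statement from the text.

```python
"""Reproduce the default (longword) and /BYTE DUMP displays from raw bytes.

Constructed example. The VAX stores the least significant byte of a longword at
the lowest address, so the default display, which prints each 16-byte row as
four longwords with the highest address on the left, shows text "backwards";
the /BYTE display prints the same bytes in address order.
"""
import struct
from typing import List

BLOCK_SIZE = 512


def build_sample_block(text: str) -> bytes:
    """Constructed input: one variable-length record padded to a 512-byte block."""
    data = text.encode("ascii")
    record = struct.pack("<H", len(data)) + data  # 2-byte length, then the data
    if len(record) % 2:                           # records start on an even byte
        record += b"\x00"
    return record.ljust(BLOCK_SIZE, b"\x00")


def printable(b: int) -> str:
    """DUMP shows printable ASCII as itself and everything else as a dot."""
    return chr(b) if 0x20 <= b < 0x7F else "."


def dump_longword_rows(block: bytes) -> List[str]:
    """Default mode: four little-endian longwords per row, highest address first."""
    rows = []
    for off in range(0, len(block), 16):
        chunk = block[off:off + 16]
        words = [struct.unpack_from("<I", chunk, i)[0] for i in range(0, 16, 4)]
        hexpart = " ".join(f"{w:08x}" for w in reversed(words))
        ascii_part = "".join(printable(b) for b in chunk)
        rows.append(f"{hexpart} {ascii_part} {off:06X}")
    return rows


def dump_byte_rows(block: bytes) -> List[str]:
    """/BYTE mode: the same bytes in address order, so the text reads forwards."""
    rows = []
    for off in range(0, len(block), 16):
        chunk = block[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(printable(b) for b in chunk)
        rows.append(f"{hexpart} {ascii_part} {off:06X}")
    return rows


def longword_to_bytes(word: int) -> bytes:
    """Why 68540033 is '3', NUL, 'T', 'h' in memory order: low byte first."""
    return struct.pack("<I", word)


if __name__ == "__main__":
    block = build_sample_block("This is a sample file to be used in a DUMP example.")
    for row in dump_longword_rows(block)[:4]:
        print(row)
    print(dump_byte_rows(block)[0])
    print(longword_to_bytes(0x68540033))
```

The first four rows printed match the sample output above byte for byte; the /BYTE row shows the same data as 33 00 54 68 ..., which is the order the bytes actually sit in the file.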
CREATING TEXT FILES
This isn't the best of places to put this topic, but if I don't do it now, I will probably forget later on, so here goes...
Often you will need to create files on a system, such as messages to other hackers, notes to yourself, small DCL programs etc. The basic method is as follows:
Hi this is a dumb message that i am typing just to
see how this command works.
Basically what is happening here is you specify a filename and an extension when using the CREATE command (in this case file.txt) and then the system waits there for you to type in something. At this point you can type whatever you want, and to end the message/program/memo just hit CTRL-Z. This will return you to the DCL prompt. This is an easy method to transmit COM files that you have either created or buffered from some other system. Just issue the CREATE command, send the file through your buffer, then hit CTRL-Z to finish it off.
VAX/VMS MAIL SYSTEM
Although it is not a good idea to use the MAIL system to send or receive messages (since the messages can be read by anyone with enough privs) I will present a brief list of what it can do. One important thing to note is that whenever there are MAIL messages waiting to be read, they are stored in a file that ends with the MAI extension. So if the account you have logged into has received mail, and you really want to read it for some reason, then you can do the following from DCL:
This file is not necessarily called MAIL.MAI, it could be any other name with a MAI extension. Aside from some header information stored at the beginning of each message, the rest of the message is mostly in standard ASCII and easily readable. Doing it this way ensures that the message remains there for the REAL user when he logs in. (after a message has been read, it is put into another area, and the user will not see it. This could make him suspicious if he keeps losing important mail messages!)
Reading MAIL files can be quite useful, because sometimes important messages are stored here. Like I stated earlier, you shouldn't be actually using MAIL to read the mail since it will then get deleted, and the actual user will eventually notice. Also, you shouldn't use the MAIL system to send hacker-related information (to other hackers) because system managers can access your mail and read what you have to say.
Basically you can use the MAIL facility in two ways: Interactively and through the shell. For ease of use I will only describe the interactive method since it is easier and more flexible. If you insist on doing it from the shell, then just call up the ONLINE HELP for the qualifiers. In any case, to interactively use the MAIL utility type:
This will respond with the prompt:
At this point you can enter the various mail commands. Following is a brief overview of the more important commands and concepts. At the end, I have provided a table with all the possible commands that can be entered here.
Here's a brief list of the more important MAIL commands that I will discuss here:
SEND        DIRECTORY   EXTRACT
READ[/NEW]  DELETE      PRINT
FORWARD     MOVE        HELP
REPLY       SELECT      EXIT
The first command to try is the SEND command. Try sending a message to yourself. Enter the SEND command and press RETURN. Enter your own user name at the prompt and press RETURN. Enter a subject at the prompt and press RETURN again. The following example shows how to use the SEND command:
MAIL> SEND
Enter your message below. Press CTRL-Z when complete, or CTRL-C to quit:
When you finish entering the text of your message, press CTRL-Z. Because you are sending the message to yourself, MAIL signals that you have just received a new message by displaying the following message:
New mail on node FLAXEN from PIERCE
MAIL>
Now, you are ready to use the READ command. To read the message you just sent to yourself, enter the READ command with the /NEW qualifier and press RETURN as follows:
MAIL> READ/NEW
You must specify the /NEW qualifier with the READ command when you want to read new mail that arrives w