+----------------------------------------------------------------------------+
! Beginners Guide to VAX/VMS Hacking !
! !
! File By ENTITY / Corrupt Computing Canada (c) 1989 !
! !
! !
! CORRUPT COMPUTING CANADA! !
! !
! CALL: (416)/398-3301 Login: Guest, PW: Guest !
! (416)/756-4545 type !! Login: lynx !
! !
+----------------------------------------------------------------------------+
! !
! You may freely distribute this file as long as no modifications of any !
! form are made to the file. All rights reserved by...What rights?! !
! !
! !
+----------------------------------------------------------------------------+
September 12,1989
INTRODUCTION
------------
Perhaps the most exciting Operating system to HACK on is VAX/VMS.
It offers many challenges for hackers and boasts one of the best security
systems ever developed. In comparison to the security on UNIX, VMS is far
superior in every respect. It can be very difficult to get inside such a
system and even harder to STAY inside, but isn't that what this is all about?!
I have written this file as a way for beginning hackers to learn about the VMS
operating system. There is such a vast amount of information that can be
related about VAX/VMS hacking that it is not possible for me to cover
everything in just one file. As such i will try and stick to the basics for
this file and hopefully write another file in the future that deals with
heavy-duty kernal programming, the various data structures, and system service
calls. All right so lets get at it!
GETTING IN
----------
First of all how do you recognize a VAX when you see one?! Well the
thing that always gives a VAX away, is when you logon you will see:
Username:
It may also have some other info before it asks you for the username, usually
identifying the company and perhaps a message to the effect of:
Unauthorized Users will be prosecuted to the fullest extent of the law!
That should get you right in the mood for some serious hacking! Ok so when you
have determined that the system you have logged into is indeed a VAX, you will
have to at this point enter your SYSTEM LOGIN. Basically on VAX's there are
several default logins which will get you into the system. However on MOST
systems these default logins are changed by the system manager. In any case,
before you try any other logins, you should try these (since some system
managers are lazy and don't bother changing them):
Username Password Alternate
-------------------------------------------------------------------------------
SYSTEM MANAGER OPERATOR
FIELD SERVICE TEST
DEFAULT DEFAULT USER
SYSTEST UETP SYSTEST
DECNET DECNET NONPRIV
That's it. Those are the default system users/passwords. The only ones on the
list that are GUARANTEED to be in the userlist are SYSTEM and DEFAULT. However,
I have never come across a system where these two haven't been changed from
their default passwords to something else. In the above list, the alternate
password is simply a password many operators set the password to from the
deafult. So if the first password doesn't work, try the alternate password. It
should be noted when the a user is added into the system, the default password
for the new user the SAME as his username. You should keep this point in mind
because it is VERY important. Most of the accounts you hack out, will be found
in this way! Ok if above ones don't work, then you should try these accounts.
These following accounts are NOT defaults, but through experience i have found
that many systems use these accounts or some variation thereof:
Username Password
---------------------------
VAX VAX
VMS VMS
DCL DCL
DEC DEC *
DEMO DEMO *
TEST TEST *
NETNONPRIV NONPRIV *
NETPRIV PRIV
ORACLE ORACLE *
ALLIN1 ALLIN1 *
INGRES INGRES *
GUEST GUEST *
GAMES GAMES
BACKUP BACKUP *
HOST HOST
USER USER *
DIGITAL DIGITAL
REMOTE REMOTE *
SAS SAS
FAULT FAULT
USERP USERP
VISITOR VISITOR
GEAC GEAC
VLSI VLSI
INFO INFO *
POSTMASTER MAIL
NET NET
LIBRARY LIBRARY
OPERATOR OPERATOR *
OPER OPER
The ones that have asterisks (*) beside them are the more popular ones and you
have a better chance with them, so you should try them first. It should be
noted that the VAX will not give you any indication of whether the username
you typed in is indeed valid or not. Even if you type in a username that does
not exist on the system, it will still ask you for a password. Keep this in
mind because if you are not sure if whether an account exists or not, don't
waste your time in trying to hack out its password. You could be going on a
wild goose chase! You should also keep in mind that ALL bad login attempts are
kept track of and when the person logs in, he is informed of how many failed
attempts there were on his account. If he sees 400 login failures, I am sure
that he will know someone is trying to hack his account.
THE BASICS
----------
Ok i am assuming you tried all the above defaults and managed to get yourself
into the system. Now the real FUN begins! Ok first things first. After you log
in you will get some message about the last time you logged in etc. If this is
the first time you have logged into this system then you should note the last
login date and time and WRITE IT DOWN! This is important for several reasons.
The main one being that you want to find out if the account you have just
hacked is an ACTIVE or INACTIVE account. The best accounts are the inactive
ones. Why?! Well the inactive accounts are those that people are not using
currently, meaning that there is a better chance of you holding onto that
account and not being discovered by the system operator. If the account has
not been logged into for the last month or so, theres a good chance that it
is inactive. Ok anyhow once your in, if you have a normal account with access
to DCL you will get a prompt that looks like:
$
This may vary from machine to machine but its usually the same. If you have a
weird prompt and would like a normal one, type:
$set prompt=$
If this is the first time you have hacked into this system there are a couple
of steps you should take immediately. First type:
$set control=(y,t)
This will enable your break keys (like ctrl-c) so that you can stop a file or
command if you make a mistake. Usually ctrl-c is active, but this command will
insure that it is. (Note: in general to abort a command, or program you can
type ctrl-c or ctrl-y) Ok anyhow, the next step is to open the buffer in your
terminal then type:
$type sys$system:rightslist.dat
This will dump a file that has all the systems users listed in it. You may
notice a lot of weird garbage characters. Don't worry about those, that is
normal. Ok after this file ends and you get the shell prompt again ($) then
save the buffer, clear it out and leave it open. Then type:
$show logical
Ok after this file is buffered save it also. Ok at this point you have two
files on your disk which will help you hack out MORE accounts on the system.
For now, lets find out how powerful the account you currently hacked into is.
You should type:
$set proc/priv=all
This may give you a message telling you that all your privileges were not
granted. That's ok. Now type:
$show proc/priv
This will give you a list of all the privileges your account is set up for.
Usually most user accounts only have NETMBX and TMPMBX privs. If you have
more than these two, then it could mean that you have a nice high-level user.
Unlike UNIX which only has a distinction between user and superuser, VMS has
a whole shitload of different privileges you can gain. The basic privs are as
follows:
PRIVILEGE DESCRIPTION
------------------------------------------------------------------------------
NONE no privilege at all
NORMAL PRIVS
------------
MOUNT Execute mount volume QIO
NETMBX Create network connections (you need this to call out!)
TMPMBX Create temporary mailbox
GROUP PRIVS
-----------
GROUP Control processes in the same group
GRPPRV Group access through SYSTEM protection field
DEVOUR PRIVS
------------
ACNT Disable accounting
ALLSPOOL Allocate spooled devices
BUGCHK Make bugcheck error log entries
EXQUOTA Exceed disk quotas
GRPNAM Insert group logical names n the name table
PRMCEB Create/delete permanent common event flag clusters
PRMGBL Create permanent global sections
PRMMBX Create permanent mailboxes
SHMEM Create/delete structures in shared memory
SYSTEM PRIVS
------------
ALTPRI Set base priority higher that allotment
OPER Perform operator functions
PSWAPM Change process swap mode
WORLD Control any process
SECURITY Perform security related functions
SHARE Access devices allocated to other users
SYSLCK Lock system-wide resources
FILES PRIVS
-----------
DIAGNOSE Diagnose devices
SYSGBL Create system wide global sections
VOLPRO Override volume protection
ALL PRIVS
---------
BYPASS Disregard protection
CMEXEC Change to executive mode
CMKRNL Change to kernal mode
DETACH Create detached processes of arbitrary UIC
LOG_IO Issue logical I/O requests
PFNMAP Map to specific physical pages
PHY_IO Issue physical I/O requests
READALL Possess read access to everything
SETPRV *** ENABLE ALL PRIVILEGES!!! ***
SYSNAM Insert system logical names in the name table
SYSPRV Access objects through SYSTEM protection field
Ok that's the lot of them! I will explain some of the more important privileges
later in the file. For now, at least you can see just how powerful the account
is. It should be noted that most accounts usually are only granted the TMPMBX
and NETMBX privileges, so if you don't have the others, don't fret too much.
GENERAL TERMINOLOGY
-------------------
I think that i should clarify some of the basic concepts involved with
VAX/VMS operating systems before we go any further:
PROCESS: this is what is created when you log in. The system sets aside CPU
time and memory for you and calls it a process. Any task that is run
in VMS is called a process.
SUBPROCESS: also known as child-process, this is just a process that was
created by another process.
DCL : Digital Command Language. This is the shell ($) that you are put into
when you log into a VAX
MCR : an alternate shell that is used (rarely) on certain accounts. Login
prompt is a > as opposed to DCL which gives a $
SHELL : this is the '$' that you see once you are logged in. This is your
interface with the system, where you can enter the various commands
execute files and perform other activities.
JOB : a process and a group of its subprocesses performing some task
SPAWN : this is the actual command that allows you to create subprocesses
'SPAWNING' is the act of creating subprocesses
PID : process identification number. This is an 8 byte ID code that is
uniquely given to each process that is created on the system.
IMAGE : this is an EXE file that you can execute (ie run)
UIC : User identification code. This is in two parts, namely: [group,member]
The way this works is that users in the same group can access each
others files through the group protection code. However since the UIC
MUST uniquely identify each user, the member portion separates the
individuals in each group. If an account does not have a different
member number, he will NOT be put in the RIGHTSLIST database.
CONTROL KEYS
------------
A brief note on control sequences. Several different actions can be activated
via control sequences. They are:
CTRL-H :delete last character
CTRL-B :redisplay last command (can go back up to the last 20 commands issued)
CTRL-S :pause display
CTRL-Q :continue after pause
CTRL-Z :*EXIT* use to break out of things such as CREATE and EDIT
CTRL-C :*CANCEL* will exit out of most operations
CTRL-Y :*INTERRUPT* will break out of whatever you are doing
CTRL-T :print out statistical info about the process
NOTE: sometimes upon login, the CTRL-Y, CTRL-C keys are disabled. To ensure
these are enabled, issue this command upon login:
$ SET CONTROL
-------------------------------------------------------------------------------
NOTE: all the commands that are executed from DCL can be referenced from an
online help manual. To access this, simply type help at any '$' prompt
This help is also available within the various utilities and programs
such as authorize and mail. The two MOST important commands are SET and
SHOW. These should be buffered and printed out for your own reference.
-------------------------------------------------------------------------------
FILES and DIRECTORIES
---------------------
The directory structure of VMS is a heirarchical one similar to MS-DOS and
UNIX. Its a simple concept, and i will only briefly skim over it. First of all
it should be noted that there may be more than one hard drive or other
mass-storage device hooked up to your system. Within each hard drive there is
the ROOT directory. This is the highest directory in the tree and is referenced
by [000000]. (this will be explained in a minute) Within the root there are
several subdirectories. Within these subdirectories there may be files and even
further subdirectories. The concept is quite simple, but can be difficult to
explain. Here is a diagram to give you a rough idea of how it is set up:
[000000] <--root directory
!
!
+--------------------------+---------------------------------+
! ! !
! ! !
[d1] [d2] [d3]
! ! !
+-----+--------+ +-----+-----+ +--------+
! ! ! ! ! ! !
! ! ! ! ! [d3.d3a] [d3.d3b]
[d1.da] [d1.db] [d1.dc] [d2.d2a] [d2.d2b]
! ! !
! ! +--+-----------+
[d1.db.db1] [d2.d2a.d2a1] ! !
[d2.d2b.d2b1] [d2.d2b.d2b2]
Hopefully this will give you some sort of an idea of how the directories
can be structured. Within each subdirectory there may be other files also. For
example to see the directory after you log in you would type:
$dir
a sample result may be:
Directory DISK$SCHOOL:[REPORTS.JOHN]
average.com;3
generate.exe;1
mail.mai;10
marks.dat;4
marks.dat;5
reportcard.dir
projects.dir
Total 7 files.
What does this tell you? The first line tells you what drive and subdirectory
you are in. The next lines are the actual files. As you can see each file has
a 3 character extension, followed by a comma and a number. The name before the
period is the actual filename (eg. average) the 3 characters after the period
is known as the extension (eg.com) and the number after the comma refers to the
version of the file. So in this case, this is version number 3. Any time you
modify or save a file, it automatically assigns it a version number of 1. If
file already exists on your disk, it increments the version number by 1 and
then saves it as such. So the next time i go ahead and save the file
average.com, it would add another file to the list called average.com;4
Special note should be taken of the files that have an extension of '.DIR'
These are not really files, but rather subdirectories. I will show you how to
switch subdirectories in just a minute. First you should take note of the
different file extensions. Although you can name the files anything you want
some of the more important extensions are:
TYPE DESCRIPTION
-------------------------------------------------------------------------------
EXE Executable IMAGE. These files are programs that can be RUN
COM DCL SCRIPT files. These can also be executed, utilizing the @ command
DAT DATA file. Sometimes useful things to look at.
LIS Listing File, many times important info is in here
MAI Mail file, use the MAIL command to read these
DIR DIRECTORY - not a file
JOU Journal File, often created thru the use of other programs eg EDIT
TXT Text Files, often hold useful information.
These are just some of the extensions you are most likely to see. The two
important ones are the EXE and COM files. These can be executed from the DCL
level. EXE files are executed via the RUN command. Eg. to run authorize.exe:
$run authorize
This will run the authorize IMAGE. Supposing there were more than one version
of authorize you could specify a version number. eg.
$run authorize.exe;4
The other type of file you can run is the COM files. These are like SCRIPT
files in UNIX or .BAT files from MS-DOS. They are just a sequence of DCL
commands strung together that are executed when you initiate the file. To run
COM files, use the @ command. For example to run adduser.com, type:
$@adduser
The version number thing i stated for EXE files also applies for COM files.
***NOTE*** To get a listing of all the files on the whole drive, try this:
$sd [000000]
$dir [...]*.*
Similarly you type dir [...]*.com, if you wanted just the COM files listed.
To see the contents of a file, you can use the TYPE command. For example:
$type login.com
this might type out something like:
$ sd:==set default
$ set control=(y,t)
$ set proc/name=entity
$ set term/dev=vt100
:
:
:
etc
This is great for COM files, DAT files and some of the other types, but you
will always get garbage when you type EXE files so don't bother trying those.
This is very useful for snooping around other peoples files and getting
information. Many times i have found user/passwords lying around in TXT or
LIS files left by some careless user.
Now, how do you go about changing directories? Well, first you should set up
a shortcut. The normal command to change directories is SET DEFAULT. For
example to change to a subdirectory called REPORTS, you would have to type:
$set default [.reports]
To make life simpler on yourself, as soon as you log in, you should type:
$sd:==set default
This defines a macro called SD that is interpreted by DCL as SET DEFAULT. You
can similarly define other 'favorite' commands to some short, easy to remember
definition. Anyhow heres the syntax for changing directories:
SD DEVICE:[dir1.dir2.dir3....]
The device can be optionally left out, if you plan to remain in the same hard
drive. You have to then enter a '[' followed by the root directory, followed
by a period, followed by another subdirectory name etc. Eg.
$sd dub0:[cosy.users]
Suppose at this point, you were in directory cosy, subdirectory users and there
was a further subdirectory called 'info.dir'. Rather than specify the full
pathname, you can simply type:
$sd [.info]
This will advance you one level into the info subdirectory. Remember to put the
period in front of the subdirectory. If you don't, in this case it would assume
that you were trying to reference the root directory called info. Another
important thing to note is moving back levels in terms of subdirectories. For
example if you were in [cosy.users.info] and wanted to move back to
[cosy.users] you could type:
$sd [-]
Similarly you can put in as many hyphens (-) as you want to move back. For
example sd [--] would put you back to the cosy directory.
Another important thing to note about subdirectories are logical assigned
symbols. These are names assigned to certain things. For example the main
system directory is called sys$system. So to go to it you could type:
$sd sys$system
This would throw you into the system directory. Similarly you can type:
$sd sys$login
and this will put you back into the directory that you were initially in, when
you first logged in. These symbols stand for actual device:directory
combinations. To see the various definitions that are assigned to each process
you should type:
$show logical
This will list a whole bunch of global system equates that you can use to
access various parts of the VAX structure. In addition to view all of your
locally defined symbols, use:
$show symbol *
FILE PROTECTION
---------------
Ok before i begin this, let me just state that whatever i say about files also
applies to directories. There are four types of file protections. There is
SYSTEM,WORLD,GROUP and OWNER. These are briefly:
SYSTEM- All users who have group numbers 0-8 and users with physical or logical
I/O privileges (generally system managers, system programmers, and
operators)
OWNER - the owner of the file (or subdirectory), isolated via their User
Identification Code (UIC). This means the person who created the file!
GROUP - All users who have the same group number in their UICs as the owner of
the file.
WORLD - All users who do not fall in the categories above
Each file has four types of protection within each of the above categories.
They are: Read, Write, Execute, Delete. Explanations are:
READ - You can read the file and copy it.
WRITE - You can modify and rename that file.
EXECUTE- You can run the file
DELETE - You can delete the file
When you create a file the default is that you have all the privileges for that
particular file. Group, world and system may only have limited privileges. This
can be changed with the set protection DCL command. For example:
$set protection=(group:rwed,world:r)/default
would set your default protection to allow other users in your group to have
full read,write,execute,delete privs to the file, and others only read access
to the file. The /default means that from now on all the files you create will
be set with this particular protection. To change one of your own files to
some other protection you can alternatively use:
$set prot topsecret.dat /prot=(system:rwed,group:rwed,world:rwed,owner:rwed)
This would enable all users on the system to access the file 'topsecret.dat'
When specifying the protection, you do not have to list them for each of the
four groups. You can simply choose only those thatPath: works!merk!alliant!linus!agate!ames!pacbell.com!tandem!UB.com!grafex!steveh
�