+----------------------------------------------------------------------------+

!		      Beginners Guide to VAX/VMS Hacking		     !

!									     !

!	      File By ENTITY /	Corrupt Computing Canada  (c) 1989	     !

!									     !

!									     !

!			   CORRUPT COMPUTING CANADA!			     !

!									     !

!		 CALL: (416)/398-3301  Login: Guest, PW: Guest		     !

!		       (416)/756-4545  type !!	  Login: lynx		     !

!									     !

+----------------------------------------------------------------------------+

!									     !

! You may freely distribute this file as long as no modifications of any     !

! form are made to the file. All rights reserved by...What rights?!	     !

!									     !

!									     !

+----------------------------------------------------------------------------+



September 12,1989





INTRODUCTION

------------





       Perhaps the most exciting Operating system to HACK on is VAX/VMS.

It offers many challenges for hackers and boasts one of the best security

systems ever developed.  In comparison to the security on UNIX, VMS is far

superior in every respect.  It can be very difficult to get inside such a

system and even harder to STAY inside, but isn't that what this is all about?!

I have written this file as a way for beginning hackers to learn about the VMS

operating system.  There is such a vast amount of information that can be

related about VAX/VMS hacking that it is not possible for me to cover

everything in just one file.  As such i will try and stick to the basics for

this file and hopefully write another file in the future that deals with

heavy-duty kernal programming, the various data structures, and system service

calls. All right so lets get at it!









GETTING IN

----------



       First of all how do you recognize a VAX when you see one?! Well the

thing that always gives a VAX away, is when you logon you will see:



Username:



It may also have some other info before it asks you for the username, usually

identifying the company and perhaps a message to the effect of:



Unauthorized Users will be prosecuted to the fullest extent of the law!



That should get you right in the mood for some serious hacking!  Ok so when you

have determined that the system you have logged into is indeed a VAX, you will

have to at this point enter your SYSTEM LOGIN.	Basically on VAX's there are

several default logins which will get you into the system. However on MOST

systems these default logins are changed by the system manager. In any case,

before you try any other logins, you should try these (since some system

managers are lazy and don't bother changing them):



Username	   Password	   Alternate

-------------------------------------------------------------------------------



SYSTEM		   MANAGER	   OPERATOR

FIELD		   SERVICE	   TEST

DEFAULT 	   DEFAULT	   USER

SYSTEST 	   UETP 	   SYSTEST

DECNET		   DECNET	   NONPRIV





That's it. Those are the default system users/passwords.  The only ones on the

list that are GUARANTEED to be in the userlist are SYSTEM and DEFAULT. However,

I have never come across a system where these two haven't been changed from

their default passwords to something else.  In the above list, the alternate

password is simply a password many operators set the password to from the

deafult. So if the first password doesn't work, try the alternate password.  It

should be noted when the a user is added into the system, the default password

for the new user the SAME as his username.  You should keep this point in mind

because it is VERY important. Most of the accounts you hack out, will be found

in this way! Ok if above ones don't work,  then you should try these accounts.

These following accounts are NOT defaults, but through experience i have found

that many systems use these accounts or some variation thereof:



Username	   Password

---------------------------

VAX		   VAX

VMS		   VMS

DCL		   DCL

DEC		   DEC	     *

DEMO		   DEMO      *

TEST		   TEST      *

NETNONPRIV	   NONPRIV   *

NETPRIV 	   PRIV

ORACLE		   ORACLE    *

ALLIN1		   ALLIN1    *

INGRES		   INGRES    *

GUEST		   GUEST     *

GAMES		   GAMES

BACKUP		   BACKUP    *

HOST		   HOST

USER		   USER      *

DIGITAL 	   DIGITAL

REMOTE		   REMOTE    *

SAS		   SAS

FAULT		   FAULT

USERP		   USERP

VISITOR 	   VISITOR

GEAC		   GEAC

VLSI		   VLSI

INFO		   INFO      *

POSTMASTER	   MAIL

NET		   NET

LIBRARY 	   LIBRARY

OPERATOR	   OPERATOR  *

OPER		   OPER



The ones that have asterisks (*) beside them are the more popular ones and you

have a better chance with them, so you should try them first. It should be

noted that the VAX will not give you any indication of whether the username

you typed in is indeed valid or not.  Even if you type in a username that does

not exist on the system, it will still ask you for a password.	Keep this in

mind because if you are not sure if whether an account exists or not, don't

waste your time in trying to hack out its password. You could be going on a

wild goose chase!  You should also keep in mind that ALL bad login attempts are

kept track of and when the person logs in, he is informed of how many failed

attempts there were on his account.  If he sees 400 login failures, I am sure

that he will know someone is trying to hack his account.









THE BASICS

----------



Ok i am assuming you tried all the above defaults and managed to get yourself

into the system. Now the real FUN begins!  Ok first things first. After you log

in you will get some message about the last time you logged in etc. If this is

the first time you have logged into this system then you should note the last

login date and time and WRITE IT DOWN! This is important for several reasons.

The main one being that you want to find out if the account you have just

hacked is an ACTIVE or INACTIVE account.  The best accounts are the inactive

ones. Why?! Well the inactive accounts are those that people are not using

currently, meaning that there is a better chance of you holding onto that

account and not being discovered by the system operator.  If the account has

not been logged into for the last month or so, theres a good chance that it

is inactive.  Ok anyhow once your in, if you have a normal account with access

to DCL you will get a prompt that looks like:



$



This may vary from machine to machine but its usually the same. If you have a

weird prompt and would like a normal one, type:



$set prompt=$



If this is the first time you have hacked into this system there are a couple

of steps you should take immediately. First type:



$set control=(y,t)



This will enable your break keys (like ctrl-c) so that you can stop a file or

command if you make a mistake.	Usually ctrl-c is active, but this command will

insure that it is. (Note: in general to abort a command, or program you can

type ctrl-c or ctrl-y) Ok anyhow, the next step is to open the buffer in your

terminal then type:



$type sys$system:rightslist.dat



This will dump a file that has all the systems users listed in it.  You may

notice a lot of weird garbage characters. Don't worry about those, that is

normal.  Ok after this file ends and you get the shell prompt again ($) then

save the buffer, clear it out and leave it open. Then type:



$show logical



Ok after this file is buffered save it also.  Ok at this point you have two

files on your disk which will help you hack out MORE accounts on the system.

For now, lets find out how powerful the account you currently hacked into is.

You should type:



$set proc/priv=all



This may give you a message telling you that all your privileges were not

granted. That's ok. Now type:



$show proc/priv



This will give you a list of all the privileges your account is set up for.

Usually most user accounts only have NETMBX and TMPMBX privs.  If you have

more than these two, then it could mean that you have a nice high-level user.

Unlike UNIX which only has a distinction between user and superuser, VMS has

a whole shitload of different privileges you can gain.	The basic privs are as

follows:



PRIVILEGE      DESCRIPTION

------------------------------------------------------------------------------

NONE	       no privilege at all





NORMAL PRIVS

------------

MOUNT	       Execute mount volume QIO

NETMBX	       Create network connections (you need this to call out!)

TMPMBX	       Create temporary mailbox





GROUP PRIVS

-----------

GROUP	       Control processes in the same group

GRPPRV	       Group access through SYSTEM protection field





DEVOUR PRIVS

------------

ACNT	       Disable accounting

ALLSPOOL       Allocate spooled devices

BUGCHK	       Make bugcheck error log entries

EXQUOTA        Exceed disk quotas

GRPNAM	       Insert group logical names n the name table

PRMCEB	       Create/delete permanent common event flag clusters

PRMGBL	       Create permanent global sections

PRMMBX	       Create permanent mailboxes

SHMEM	       Create/delete structures in shared memory





SYSTEM PRIVS

------------

ALTPRI	       Set base priority higher that allotment

OPER	       Perform operator functions

PSWAPM	       Change process swap mode

WORLD	       Control any process

SECURITY       Perform security related functions

SHARE	       Access devices allocated to other users

SYSLCK	       Lock system-wide resources





FILES PRIVS

-----------

DIAGNOSE       Diagnose devices

SYSGBL	       Create system wide global sections

VOLPRO	       Override volume protection





ALL PRIVS

---------

BYPASS	       Disregard protection

CMEXEC	       Change to executive mode

CMKRNL	       Change to kernal mode

DETACH	       Create detached processes of arbitrary UIC

LOG_IO	       Issue logical I/O requests

PFNMAP	       Map to specific physical pages

PHY_IO	       Issue physical I/O requests

READALL        Possess read access to everything

SETPRV	       ***  ENABLE ALL PRIVILEGES!!! ***

SYSNAM	       Insert system logical names in the name table

SYSPRV	       Access objects through SYSTEM protection field





Ok that's the lot of them! I will explain some of the more important privileges

later in the file.  For now, at least you can see just how powerful the account

is.  It should be noted that most accounts usually are only granted the TMPMBX

and NETMBX privileges, so if you don't have the others, don't fret too much.







GENERAL TERMINOLOGY

-------------------



    I think that i should clarify some of the basic concepts involved with

VAX/VMS operating systems before we go any further:



PROCESS: this is what is created when you log in.  The system sets aside CPU

	 time and memory for you and calls it a process. Any task that is run

	 in VMS is called a process.



SUBPROCESS: also known as child-process, this is just a process that was

	    created by another process.



DCL    : Digital Command Language. This is the shell ($) that you are put into

	 when you log into a VAX



MCR    : an alternate shell that is used (rarely) on certain accounts. Login

	 prompt is a  >  as opposed to DCL which gives a  $

SHELL  : this is the '$' that you see once you are logged in. This is your

	 interface with the system, where you can enter the various commands

	 execute files and perform other activities.



JOB    : a process and a group of its subprocesses performing some task



SPAWN  : this is the actual command that allows you to create subprocesses

	 'SPAWNING' is the act of creating subprocesses



PID    : process identification number. This is an 8 byte ID code that is

	 uniquely given to each process that is created on the system.



IMAGE  : this is an EXE file that you can execute (ie run)



UIC    : User identification code. This is in two parts, namely: [group,member]

	 The way this works is that users in the same group can access each

	 others files through the group protection code.  However since the UIC

	 MUST uniquely identify each user, the member portion separates the

	 individuals in each group.  If an account does not have a different

	 member number, he will NOT be put in the RIGHTSLIST database.







CONTROL KEYS

------------



 A brief note on control sequences.  Several different actions can be activated

via control sequences. They are:



CTRL-H	:delete last character

CTRL-B	:redisplay last command (can go back up to the last 20 commands issued)

CTRL-S	:pause display

CTRL-Q	:continue after pause

CTRL-Z	:*EXIT* use to break out of things such as CREATE and EDIT

CTRL-C	:*CANCEL* will exit out of most operations

CTRL-Y	:*INTERRUPT* will break out of whatever you are doing

CTRL-T	:print out statistical info about the process



NOTE: sometimes upon login, the CTRL-Y, CTRL-C keys are disabled.  To ensure

      these are enabled, issue this command upon login:



$ SET CONTROL





-------------------------------------------------------------------------------

NOTE: all the commands that are executed from DCL can be referenced from an

      online help manual.  To access this, simply type help at any '$' prompt

      This help is also available within the various utilities and programs

      such as authorize and mail. The two MOST important commands are SET and

      SHOW. These should be buffered and printed out for your own reference.

-------------------------------------------------------------------------------



FILES and DIRECTORIES

---------------------



 The directory structure of VMS is a heirarchical one similar to MS-DOS and

UNIX. Its a simple concept, and i will only briefly skim over it.  First of all

it should be noted that there may be more than one hard drive or other

mass-storage device hooked up to your system. Within each hard drive there is

the ROOT directory. This is the highest directory in the tree and is referenced

by [000000]. (this will be explained in a minute)  Within the root there are

several subdirectories. Within these subdirectories there may be files and even

further subdirectories.  The concept is quite simple, but can be difficult to

explain.  Here is a diagram to give you a rough idea of how it is set up:







				 [000000] <--root directory

				     !

				     !

	  +--------------------------+---------------------------------+

	  !			     !				       !

	  !			     !				       !

	[d1]			   [d2] 			     [d3]

	  !			     !				       !

    +-----+--------+	       +-----+-----+		      +--------+

    !	  !	   !	       !	   !		      !        !

    !	  !	   !	       !	   !		  [d3.d3a]  [d3.d3b]

 [d1.da] [d1.db] [d1.dc]    [d2.d2a]   [d2.d2b]

	    !		       !	   !

	    !		       !	+--+-----------+

       [d1.db.db1]	  [d2.d2a.d2a1] !	       !

				       [d2.d2b.d2b1] [d2.d2b.d2b2]









    Hopefully this will give you some sort of an idea of how the directories

can be structured. Within each subdirectory there may be other files also. For

example to see the directory after you log in you would type:



$dir



a sample result may be:





Directory DISK$SCHOOL:[REPORTS.JOHN]



average.com;3

generate.exe;1

mail.mai;10

marks.dat;4

marks.dat;5

reportcard.dir

projects.dir



Total 7 files.



What does this tell you? The first line tells you what drive and subdirectory

you are in. The next lines are the actual files. As you can see each file has

a 3 character extension, followed by a comma and a number.  The name before the

period is the actual filename (eg. average) the 3 characters after the period

is known as the extension (eg.com) and the number after the comma refers to the

version of the file. So in this case, this is version number 3.  Any time you

modify or save a file, it automatically assigns it a version number of 1. If

file already exists on your disk, it increments the version number by 1 and

then saves it as such.	So the next time i go ahead and save the file

average.com, it would add another file to the list called average.com;4

  Special note should be taken of the files that have an extension of '.DIR'

These are not really files, but rather subdirectories.	I will show you how to

switch subdirectories in just a minute. First you should take note of the

different file extensions.  Although you can name the files anything you want

some of the more important extensions are:



TYPE	  DESCRIPTION

-------------------------------------------------------------------------------

EXE	  Executable IMAGE. These files are programs that can be RUN

COM	  DCL SCRIPT files. These can also be executed, utilizing the @ command

DAT	  DATA file. Sometimes useful things to look at.

LIS	  Listing File, many times important info is in here

MAI	  Mail file,  use the MAIL command to read these

DIR	  DIRECTORY - not a file

JOU	  Journal File, often created thru the use of other programs eg EDIT

TXT	  Text Files, often hold useful information.



These are just some of the extensions you are most likely to see. The two

important ones are the EXE and COM files. These can be executed from the DCL

level. EXE files are executed via the RUN command. Eg. to run authorize.exe:



$run authorize



This will run the authorize IMAGE. Supposing there were more than one version

of authorize you could specify a version number. eg.



$run authorize.exe;4



The other type of file you can run is the COM files. These are like SCRIPT

files in UNIX or .BAT files from MS-DOS.  They are just a sequence of DCL

commands strung together that are executed when you initiate the file. To run

COM files, use the @ command. For example to run adduser.com, type:



$@adduser



The version number thing i stated for EXE files also applies for COM files.



***NOTE***  To get a listing of all the files on the whole drive, try this:



$sd [000000]

$dir [...]*.*



Similarly you type dir [...]*.com, if you wanted just the COM files listed.

To see the contents of a file, you can use the TYPE command. For example:



$type login.com



this might type out something like:



$ sd:==set default

$ set control=(y,t)

$ set proc/name=entity

$ set term/dev=vt100

	 :

	 :

	 :

	etc



This is great for COM files, DAT files and some of the other types, but you

will always get garbage when you type EXE files so don't bother trying those.

This is very useful for snooping around other peoples files and getting

information. Many times i have found user/passwords lying around in TXT or

LIS files left by some careless user.



 Now, how do you go about changing directories? Well, first you should set up

a shortcut.  The normal command to change directories is SET DEFAULT. For

example to change to a subdirectory called REPORTS, you would have to type:



$set default [.reports]



To make life simpler on yourself, as soon as you log in, you should type:



$sd:==set default



This defines a macro called SD that is interpreted by DCL as SET DEFAULT. You

can similarly define other 'favorite' commands to some short, easy to remember

definition.  Anyhow heres the syntax for changing directories:



SD DEVICE:[dir1.dir2.dir3....]



The device can be optionally left out, if you plan to remain in the same hard

drive. You have to then enter a '[' followed by the root directory, followed

by a period, followed by another subdirectory name etc. Eg.



$sd dub0:[cosy.users]



Suppose at this point, you were in directory cosy, subdirectory users and there

was a further subdirectory called 'info.dir'.  Rather than specify the full

pathname, you can simply type:



$sd [.info]



This will advance you one level into the info subdirectory. Remember to put the

period in front of the subdirectory. If you don't, in this case it would assume

that you were trying to reference the root directory called info.  Another

important thing to note is moving back levels in terms of subdirectories. For

example if you were in [cosy.users.info] and wanted to move back to

[cosy.users] you could type:



$sd [-]



Similarly you can put in as many hyphens (-) as you want to move back. For

example  sd [--]  would put you back to the cosy directory.



Another important thing to note about subdirectories are logical assigned

symbols. These are names assigned to certain things. For example the main

system directory is called sys$system. So to go to it you could type:



$sd sys$system



This would throw you into the system directory. Similarly you can type:



$sd sys$login



and this will put you back into the directory that you were initially in, when

you first logged in.  These symbols stand for actual device:directory

combinations.  To see the various definitions that are assigned to each process

you should type:



$show logical



This will list a whole bunch of global system equates that you can use to

access various parts of the VAX structure.  In addition to view all of your

locally defined symbols, use:



$show symbol *







FILE PROTECTION

---------------



Ok before i begin this, let me just state that whatever i say about files also

applies to directories.  There are four types of file protections. There is

SYSTEM,WORLD,GROUP and OWNER. These are briefly:



SYSTEM- All users who have group numbers 0-8 and users with physical or logical

	I/O privileges	(generally system managers, system programmers, and

	operators)

OWNER - the owner of the file (or subdirectory), isolated via their User

	Identification Code (UIC). This means the person who created the file!

GROUP - All users who have the same group number in their UICs as the owner of

	the file.

WORLD - All users who do not fall in the categories above



Each file has four types of protection within each of the above categories.

They are: Read, Write, Execute, Delete. Explanations are:



READ   - You can read the file and copy it.

WRITE  - You can modify and rename that file.

EXECUTE- You can run the file

DELETE - You can delete the file



When you create a file the default is that you have all the privileges for that

particular file. Group, world and system may only have limited privileges. This

can be changed with the set protection DCL command. For example:



$set protection=(group:rwed,world:r)/default



would set your default protection to allow other users in your group to have

full read,write,execute,delete privs to the file, and others only read access

to the file. The /default means that from now on all the files you create will

be set with this particular protection.  To change one of your own files to

some other protection you can alternatively use:



$set prot topsecret.dat /prot=(system:rwed,group:rwed,world:rwed,owner:rwed)



This would enable all users on the system to access the file 'topsecret.dat'

When specifying the protection, you do not have to list them for each of the



four groups.  You can simply choose only those thatPath: works!merk!alliant!linus!agate!ames!pacbell.com!tandem!UB.com!grafex!steveh