+----------------------------------------------------------------------------+
!                     Beginners Guide to VAX/VMS Hacking                     !
!                                                                            !
!             File By ENTITY / Corrupt Computing Canada (c) 1989             !
!                                                                            !
!                         CORRUPT COMPUTING CANADA!                          !
!                                                                            !
!                CALL: (416)/398-3301 Login: Guest, PW: Guest                !
!                      (416)/756-4545 type !! Login: lynx                    !
+----------------------------------------------------------------------------+
!   You may freely distribute this file as long as no modifications of any   !
!   form are made to the file. All rights reserved by...What rights?!        !
+----------------------------------------------------------------------------+

September 12, 1989


INTRODUCTION
------------

Perhaps the most exciting operating system to HACK on is VAX/VMS. It offers
many challenges for hackers and boasts one of the best security systems ever
developed. In comparison to the security on UNIX, VMS is far superior in every
respect. It can be very difficult to get inside such a system and even harder
to STAY inside, but isn't that what this is all about?!

I have written this file as a way for beginning hackers to learn about the VMS
operating system. There is such a vast amount of information that can be
related about VAX/VMS hacking that it is not possible for me to cover
everything in just one file. As such I will try and stick to the basics for
this file and hopefully write another file in the future that deals with
heavy-duty kernel programming, the various data structures, and system service
calls. All right, so let's get at it!


GETTING IN
----------

First of all, how do you recognize a VAX when you see one?! Well, the thing
that always gives a VAX away is that when you log on you will see:

Username:

It may also have some other info before it asks you for the username, usually
identifying the company and perhaps a message to the effect of:

Unauthorized Users will be prosecuted to the fullest extent of the law!

That should get you right in the mood for some serious hacking!
Ok so when you have determined that the system you have logged into is indeed
a VAX, you will have to at this point enter your SYSTEM LOGIN. Basically on
VAXes there are several default logins which will get you into the system.
However on MOST systems these default logins are changed by the system
manager. In any case, before you try any other logins, you should try these
(since some system managers are lazy and don't bother changing them):

Username        Password        Alternate
-------------------------------------------------------------------------------
SYSTEM          MANAGER         OPERATOR
FIELD           SERVICE         TEST
DEFAULT         DEFAULT         USER
SYSTEST         UETP            SYSTEST
DECNET          DECNET          NONPRIV

That's it. Those are the default system users/passwords. The only ones on the
list that are GUARANTEED to be in the userlist are SYSTEM and DEFAULT.
However, I have never come across a system where these two haven't been
changed from their default passwords to something else. In the above list, the
alternate password is simply a password many operators set the password to
from the default. So if the first password doesn't work, try the alternate
password.

It should be noted that when a user is added into the system, the default
password for the new user is the SAME as his username. You should keep this
point in mind because it is VERY important. Most of the accounts you hack out
will be found in this way!

Ok if the above ones don't work, then you should try these accounts.
These following accounts are NOT defaults, but through experience I have found
that many systems use these accounts or some variation thereof:

Username        Password
---------------------------
VAX             VAX
VMS             VMS
DCL             DCL
DEC             DEC         *
DEMO            DEMO        *
TEST            TEST        *
NETNONPRIV      NONPRIV     *
NETPRIV         PRIV
ORACLE          ORACLE      *
ALLIN1          ALLIN1      *
INGRES          INGRES      *
GUEST           GUEST       *
GAMES           GAMES
BACKUP          BACKUP      *
HOST            HOST
USER            USER        *
DIGITAL         DIGITAL
REMOTE          REMOTE      *
SAS             SAS
FAULT           FAULT
USERP           USERP
VISITOR         VISITOR
GEAC            GEAC
VLSI            VLSI
INFO            INFO        *
POSTMASTER      MAIL
NET             NET
LIBRARY         LIBRARY
OPERATOR        OPERATOR    *
OPER            OPER

The ones that have asterisks (*) beside them are the more popular ones and you
have a better chance with them, so you should try them first.

It should be noted that the VAX will not give you any indication of whether
the username you typed in is indeed valid or not. Even if you type in a
username that does not exist on the system, it will still ask you for a
password. Keep this in mind, because if you are not sure whether an account
exists or not, don't waste your time trying to hack out its password. You
could be going on a wild goose chase!

You should also keep in mind that ALL bad login attempts are kept track of,
and when the person logs in, he is informed of how many failed attempts there
were on his account. If he sees 400 login failures, I am sure that he will
know someone is trying to hack his account.


THE BASICS
----------

Ok I am assuming you tried all the above defaults and managed to get yourself
into the system. Now the real FUN begins!

Ok first things first. After you log in you will get some message about the
last time you logged in etc. If this is the first time you have logged into
this system then you should note the last login date and time and WRITE IT
DOWN! This is important for several reasons. The main one being that you want
to find out if the account you have just hacked is an ACTIVE or INACTIVE
account. The best accounts are the inactive ones. Why?!
Well, the inactive accounts are those that people are not using currently,
meaning that there is a better chance of you holding onto that account and not
being discovered by the system operator. If the account has not been logged
into for the last month or so, there's a good chance that it is inactive.

Ok anyhow, once you're in, if you have a normal account with access to DCL you
will get a prompt that looks like:

$

This may vary from machine to machine but it's usually the same. If you have a
weird prompt and would like a normal one, type:

$set prompt=$

If this is the first time you have hacked into this system there are a couple
of steps you should take immediately. First type:

$set control=(y,t)

This will enable your break keys (like ctrl-c) so that you can stop a file or
command if you make a mistake. Usually ctrl-c is active, but this command will
ensure that it is. (Note: in general, to abort a command or program you can
type ctrl-c or ctrl-y.)

Ok anyhow, the next step is to open the buffer in your terminal, then type:

$type sys$system:rightslist.dat

This will dump a file that has all the system's users listed in it. You may
notice a lot of weird garbage characters. Don't worry about those, that is
normal. Ok after this file ends and you get the shell prompt again ($) then
save the buffer, clear it out and leave it open. Then type:

$show logical

Ok after this file is buffered, save it also. Ok at this point you have two
files on your disk which will help you hack out MORE accounts on the system.

For now, let's find out how powerful the account you currently hacked into is.
You should type:

$set proc/priv=all

This may give you a message telling you that all your privileges were not
granted. That's ok. Now type:

$show proc/priv

This will give you a list of all the privileges your account is set up for.
Usually most user accounts only have NETMBX and TMPMBX privs. If you have more
than these two, then it could mean that you have a nice high-level user.
Unlike UNIX, which only has a distinction between user and superuser, VMS has
a whole shitload of different privileges you can gain. The basic privs are as
follows:

PRIVILEGE       DESCRIPTION
------------------------------------------------------------------------------
NONE            no privilege at all

NORMAL PRIVS
------------
MOUNT           Execute mount volume QIO
NETMBX          Create network connections (you need this to call out!)
TMPMBX          Create temporary mailbox

GROUP PRIVS
-----------
GROUP           Control processes in the same group
GRPPRV          Group access through SYSTEM protection field

DEVOUR PRIVS
------------
ACNT            Disable accounting
ALLSPOOL        Allocate spooled devices
BUGCHK          Make bugcheck error log entries
EXQUOTA         Exceed disk quotas
GRPNAM          Insert group logical names in the name table
PRMCEB          Create/delete permanent common event flag clusters
PRMGBL          Create permanent global sections
PRMMBX          Create permanent mailboxes
SHMEM           Create/delete structures in shared memory

SYSTEM PRIVS
------------
ALTPRI          Set base priority higher than allotment
OPER            Perform operator functions
PSWAPM          Change process swap mode
WORLD           Control any process
SECURITY        Perform security related functions
SHARE           Access devices allocated to other users
SYSLCK          Lock system-wide resources

FILES PRIVS
-----------
DIAGNOSE        Diagnose devices
SYSGBL          Create system wide global sections
VOLPRO          Override volume protection

ALL PRIVS
---------
BYPASS          Disregard protection
CMEXEC          Change to executive mode
CMKRNL          Change to kernel mode
DETACH          Create detached processes of arbitrary UIC
LOG_IO          Issue logical I/O requests
PFNMAP          Map to specific physical pages
PHY_IO          Issue physical I/O requests
READALL         Possess read access to everything
SETPRV          *** ENABLE ALL PRIVILEGES!!! ***
SYSNAM          Insert system logical names in the name table
SYSPRV          Access objects through SYSTEM protection field

Ok that's the lot of them! I will explain some of the more important
privileges later in the file. For now, at least you can see just how powerful
the account is.
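The SHOW PROC/PRIV step above and the privilege table that follows it are the
raw material of an account audit: a system manager reviewing who holds more
than NETMBX and TMPMBX would do exactly this comparison, only over every
account. The script below is an added example and not part of the original
file. It parses the kind of text SHOW PROCESS/PRIVILEGES prints, groups each
privilege into the classes the file lists, and reports anything beyond the
two-privilege baseline. The sample output, the user name JOHN, and the
privilege descriptions in it are constructed, not a real capture.

```python
"""Classify the privileges reported by SHOW PROCESS/PRIVILEGES.

Added example (not from the original file). The privilege classes are the ones
the file lists; SAMPLE_OUTPUT is a constructed imitation of the command's
layout, not a real capture.
"""

# Privilege classes exactly as the file groups them. NONE is omitted: it is the
# absence of any privilege, not a privilege name that the command prints.
PRIV_CLASS = {
    "NORMAL": {"MOUNT", "NETMBX", "TMPMBX"},
    "GROUP": {"GROUP", "GRPPRV"},
    "DEVOUR": {"ACNT", "ALLSPOOL", "BUGCHK", "EXQUOTA", "GRPNAM",
               "PRMCEB", "PRMGBL", "PRMMBX", "SHMEM"},
    "SYSTEM": {"ALTPRI", "OPER", "PSWAPM", "WORLD", "SECURITY", "SHARE", "SYSLCK"},
    "FILES": {"DIAGNOSE", "SYSGBL", "VOLPRO"},
    "ALL": {"BYPASS", "CMEXEC", "CMKRNL", "DETACH", "LOG_IO", "PFNMAP",
            "PHY_IO", "READALL", "SETPRV", "SYSNAM", "SYSPRV"},
}

# Classes from most to least powerful, used for ordering findings.
CLASS_ORDER = ["ALL", "FILES", "SYSTEM", "DEVOUR", "GROUP", "NORMAL", "UNKNOWN"]

# What the file says an ordinary user account is expected to hold.
BASELINE = {"NETMBX", "TMPMBX"}

# Constructed sample: a header, the "Process privileges:" banner, then one
# privilege per line with a short description.
SAMPLE_OUTPUT = """\
12-SEP-1989 10:15:42.17   User: JOHN        Process ID:   00000123
                          Node: SCHOOL      Process name: "JOHN"

Process privileges:
 NETMBX               may create network device
 TMPMBX               may create temporary mailbox
 OPER                 operator privilege
 SETPRV               may set any privilege bit
"""


def parse_privileges(text):
    """Return the set of privilege names listed after 'Process privileges:'."""
    privs = set()
    in_list = False
    for line in text.splitlines():
        if line.strip().lower() == "process privileges:":
            in_list = True
            continue
        if not in_list:
            continue
        if not line.strip():
            break  # a blank line ends the list in this layout
        privs.add(line.split()[0].upper())
    return privs


def classify(privs):
    """Map each privilege to the class the file puts it in ('UNKNOWN' if none)."""
    return {p: next((c for c, names in PRIV_CLASS.items() if p in names), "UNKNOWN")
            for p in privs}


def beyond_baseline(privs):
    """Privileges an ordinary account should not hold, most serious first."""
    extra = set(privs) - BASELINE
    classes = classify(extra)
    return sorted(extra, key=lambda p: (CLASS_ORDER.index(classes[p]), p))


def highest_class(privs):
    """The most powerful class represented, or 'NONE' for an empty set."""
    present = set(classify(privs).values())
    for c in CLASS_ORDER:
        if c in present and c != "UNKNOWN":
            return c
    return "NONE"


if __name__ == "__main__":
    found = parse_privileges(SAMPLE_OUTPUT)
    classes = classify(found)
    for p in beyond_baseline(found):
        print(f"{p:10} {classes[p]}")
    print("highest class:", highest_class(found))
```

Run against the constructed sample it reports SETPRV (ALL) and OPER (SYSTEM)
as the two privileges beyond the baseline; SETPRV alone makes the account
equivalent to having everything, which is why it sorts first.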
It should be noted that most accounts usually are only granted the TMPMBX and
NETMBX privileges, so if you don't have the others, don't fret too much.


GENERAL TERMINOLOGY
-------------------

I think that I should clarify some of the basic concepts involved with the
VAX/VMS operating system before we go any further:

PROCESS:    this is what is created when you log in. The system sets aside CPU
            time and memory for you and calls it a process. Any task that is
            run in VMS is called a process.

SUBPROCESS: also known as a child process, this is just a process that was
            created by another process.

DCL:        Digital Command Language. This is the shell ($) that you are put
            into when you log into a VAX.

MCR:        an alternate shell that is used (rarely) on certain accounts. The
            prompt is a > as opposed to DCL, which gives a $.

SHELL:      this is the '$' that you see once you are logged in. This is your
            interface with the system, where you can enter the various
            commands, execute files and perform other activities.

JOB:        a process and a group of its subprocesses performing some task.

SPAWN:      this is the actual command that allows you to create subprocesses.
            'SPAWNING' is the act of creating subprocesses.

PID:        process identification number. This is an 8 byte ID code that is
            uniquely given to each process that is created on the system.

IMAGE:      this is an EXE file that you can execute (ie run).

UIC:        User identification code. This is in two parts, namely:
            [group,member]. The way this works is that users in the same group
            can access each other's files through the group protection code.
            However, since the UIC MUST uniquely identify each user, the
            member portion separates the individuals in each group. If an
            account does not have a different member number, he will NOT be
            put in the RIGHTSLIST database.


CONTROL KEYS
------------

A brief note on control sequences. Several different actions can be activated
via control sequences.
They are:

CTRL-H  : delete last character
CTRL-B  : redisplay last command (can go back up to the last 20 commands
          issued)
CTRL-S  : pause display
CTRL-Q  : continue after pause
CTRL-Z  : *EXIT* use to break out of things such as CREATE and EDIT
CTRL-C  : *CANCEL* will exit out of most operations
CTRL-Y  : *INTERRUPT* will break out of whatever you are doing
CTRL-T  : print out statistical info about the process

NOTE: sometimes upon login, the CTRL-Y and CTRL-C keys are disabled. To ensure
these are enabled, issue this command upon login:

$ SET CONTROL

-------------------------------------------------------------------------------
NOTE: all the commands that are executed from DCL can be referenced from an
online help manual. To access this, simply type help at any '$' prompt. This
help is also available within the various utilities and programs such as
authorize and mail. The two MOST important commands are SET and SHOW. These
should be buffered and printed out for your own reference.
-------------------------------------------------------------------------------


FILES and DIRECTORIES
---------------------

The directory structure of VMS is a hierarchical one similar to MS-DOS and
UNIX. It's a simple concept, and I will only briefly skim over it.

First of all, it should be noted that there may be more than one hard drive or
other mass-storage device hooked up to your system. Within each hard drive
there is the ROOT directory. This is the highest directory in the tree and is
referenced by [000000]. (This will be explained in a minute.) Within the root
there are several subdirectories. Within these subdirectories there may be
files and even further subdirectories. The concept is quite simple, but can be
difficult to explain. Here is a diagram to give you a rough idea of how it is
set up:

                                  [000000]  <--root directory
                                     !
            +------------------------+------------------------+
            !                        !                        !
          [d1]                     [d2]                     [d3]
            !                        !                        !
    +-------+-------+          +-----+-----+            +-----+-----+
    !       !       !          !           !            !           !
 [d1.da] [d1.db] [d1.dc]    [d2.d2a]    [d2.d2b]     [d3.d3a]    [d3.d3b]
            !                  !           !
       [d1.db.db1]       [d2.d2a.d2a1]  +--+----------+
                                        !             !
                                  [d2.d2b.d2b1] [d2.d2b.d2b2]

Hopefully this will give you some sort of an idea of how the directories can
be structured. Within each subdirectory there may be other files also. For
example, to see the directory after you log in you would type:

$dir

A sample result may be:

Directory DISK$SCHOOL:[REPORTS.JOHN]

average.com;3       generate.exe;1      mail.mai;10         marks.dat;4
marks.dat;5         reportcard.dir      projects.dir

Total 7 files.

What does this tell you? The first line tells you what drive and subdirectory
you are in. The next lines are the actual files. As you can see, each file has
a 3 character extension, followed by a semicolon and a number. The name before
the period is the actual filename (eg. average), the 3 characters after the
period are known as the extension (eg. com) and the number after the semicolon
refers to the version of the file. So in this case, this is version number 3.
Any time you modify or save a file, it automatically assigns it a version
number of 1. If the file already exists on your disk, it increments the version
number by 1 and then saves it as such. So the next time I go ahead and save
the file average.com, it would add another file to the list called
average.com;4

Special note should be taken of the files that have an extension of '.DIR'.
These are not really files, but rather subdirectories. I will show you how to
switch subdirectories in just a minute. First you should take note of the
different file extensions. Although you can name the files anything you want,
some of the more important extensions are:

TYPE    DESCRIPTION
-------------------------------------------------------------------------------
EXE     Executable IMAGE. These files are programs that can be RUN
COM     DCL SCRIPT files. These can also be executed, utilizing the @ command
DAT     DATA file. Sometimes useful things to look at.
LIS     Listing File, many times important info is in here
MAI     Mail file, use the MAIL command to read these
DIR     DIRECTORY - not a file
JOU     Journal File, often created thru the use of other programs eg EDIT
TXT     Text Files, often hold useful information.

These are just some of the extensions you are most likely to see. The two
important ones are the EXE and COM files. These can be executed from the DCL
level. EXE files are executed via the RUN command. Eg. to run authorize.exe:

$run authorize

This will run the authorize IMAGE. Supposing there were more than one version
of authorize, you could specify a version number. Eg.

$run authorize.exe;4

The other type of file you can run is the COM file. These are like SCRIPT
files in UNIX or .BAT files from MS-DOS. They are just a sequence of DCL
commands strung together that are executed when you initiate the file. To run
COM files, use the @ command. For example, to run adduser.com, type:

$@adduser

The version number thing I stated for EXE files also applies for COM files.

***NOTE*** To get a listing of all the files on the whole drive, try this:

$sd [000000]
$dir [...]*.*

Similarly you would type dir [...]*.com if you wanted just the COM files
listed.

To see the contents of a file, you can use the TYPE command. For example:

$type login.com

This might type out something like:

$ sd:==set default
$ set control=(y,t)
$ set proc/name=entity
$ set term/dev=vt100
:
:
: etc

This is great for COM files, DAT files and some of the other types, but you
will always get garbage when you type EXE files, so don't bother trying those.
This is very useful for snooping around other people's files and getting
information. Many times I have found user/passwords lying around in TXT or LIS
files left by some careless user.

Now, how do you go about changing directories? Well, first you should set up a
shortcut. The normal command to change directories is SET DEFAULT.
For example, to change to a subdirectory called REPORTS, you would have to
type:

$set default [.reports]

To make life simpler on yourself, as soon as you log in, you should type:

$sd:==set default

This defines a macro called SD that is interpreted by DCL as SET DEFAULT. You
can similarly define other 'favorite' commands to some short, easy to remember
definition. Anyhow, here's the syntax for changing directories:

SD DEVICE:[dir1.dir2.dir3....]

The device can optionally be left out if you plan to remain on the same hard
drive. You then have to enter a '[' followed by the root directory, followed
by a period, followed by another subdirectory name, etc. Eg.

$sd dub0:[cosy.users]

Suppose at this point you were in directory cosy, subdirectory users, and
there was a further subdirectory called 'info.dir'. Rather than specify the
full pathname, you can simply type:

$sd [.info]

This will advance you one level into the info subdirectory. Remember to put
the period in front of the subdirectory. If you don't, in this case it would
assume that you were trying to reference a directory called info directly
under the root.

Another important thing to note is moving back levels in terms of
subdirectories. For example, if you were in [cosy.users.info] and wanted to
move back to [cosy.users], you could type:

$sd [-]

Similarly you can put in as many hyphens (-) as you want to move back. For
example, sd [--] would put you back in the cosy directory.

Another important thing to note about subdirectories are logical names. These
are symbols assigned to certain things. For example, the main system directory
is called sys$system. So to go to it you could type:

$sd sys$system

This would throw you into the system directory. Similarly you can type:

$sd sys$login

and this will put you back into the directory that you were initially in when
you first logged in. These logical names stand for actual device:directory
combinations.
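The file specification rules spread over the last two sections (device, [dir]
path, name.type;version, and the [.sub], [-] and logical-name forms accepted
by SET DEFAULT) are easier to keep straight when written down as a parser.
The code below is an added example and not part of the original file: it
splits a VMS file specification into its parts, applies one SET DEFAULT
argument to a current location, and computes the version number the next save
would get. The logical-name table (what sys$system and sys$login point at) and
the device names are constructed assumptions standing in for SHOW LOGICAL
output on a real system.

```python
"""Parse VMS file specifications and resolve SET DEFAULT-style directory
changes. Added example, not from the original file. LOGICALS is a constructed
stand-in for a real logical-name table; device and directory names are
assumptions."""

import re

# Constructed logical-name table: logical -> (device, directory list).
LOGICALS = {
    "SYS$SYSTEM": ("DUB0", ["SYS0", "SYSEXE"]),
    "SYS$LOGIN": ("DISK$SCHOOL", ["REPORTS", "JOHN"]),
}

_FILESPEC = re.compile(
    r"^(?:(?P<device>[A-Za-z0-9$_]+):)?"   # optional device:
    r"(?:\[(?P<dir>[^\]]*)\])?"            # optional [directory]
    r"(?P<name>[A-Za-z0-9$_]*)"            # file name (may be empty)
    r"(?:\.(?P<type>[A-Za-z0-9$_]*))?"     # optional .type
    r"(?:;(?P<version>\d+))?$"             # optional ;version
)


def parse_filespec(spec):
    """Split 'dev:[dir]name.type;ver' into its parts (absent parts -> None)."""
    m = _FILESPEC.match(spec.strip())
    if not m:
        raise ValueError(f"not a VMS file specification: {spec!r}")
    parts = m.groupdict()
    parts["version"] = int(parts["version"]) if parts["version"] else None
    return parts


def resolve_directory(cur_dev, cur_dir, target):
    """Apply one SET DEFAULT argument to the current (device, dir list).

    Handles a logical name, dev:[a.b] absolute, [a.b] absolute on the same
    device, [.sub] relative, [000000] for the root, and [-]/[--] moving up one
    level per hyphen. Returns the new (device, dir list) tuple.
    """
    if target.upper() in LOGICALS:
        dev, dirs = LOGICALS[target.upper()]
        return dev, list(dirs)
    spec = parse_filespec(target)
    if spec["dir"] is None:
        raise ValueError("no directory part in " + target)
    dev = (spec["device"] or cur_dev).upper()
    d = spec["dir"].upper()
    if d.startswith("."):                        # [.sub.subsub] relative
        return dev, cur_dir + [p for p in d[1:].split(".") if p]
    if d and set(d) == {"-"}:                    # [-], [--], ... move up
        up = len(d)
        if up > len(cur_dir):
            raise ValueError("cannot move above the root directory")
        return dev, cur_dir[:len(cur_dir) - up]
    if d in ("", "000000"):                      # the root
        return dev, []
    return dev, d.split(".")                     # absolute [a.b.c]


def format_directory(dev, dirs):
    """Render (device, dir list) back to VMS form; the root is [000000]."""
    return f"{dev}:[{'.'.join(dirs) if dirs else '000000'}]"


def next_version(existing_versions):
    """Version a save assigns: 1 for a new file, otherwise highest + 1."""
    return max(existing_versions, default=0) + 1


if __name__ == "__main__":
    loc = ("DUB0", ["COSY", "USERS"])
    for arg in ["[.info]", "[-]", "[--]", "sys$login", "dub0:[cosy.users]"]:
        loc = resolve_directory(*loc, arg)
        print(f"sd {arg:20} -> {format_directory(*loc)}")
    print(parse_filespec("DISK$SCHOOL:[REPORTS.JOHN]average.com;3"))
    print(next_version([3]))  # 4: the version the next save of average.com gets
```

Note that the hyphen form is checked before the absolute form, so a directory
literally named with hyphens is not a concern here; and moving up past the
root is an error rather than silently staying put, which is the edge case the
hyphen syntax invites.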
To see the various definitions that are assigned to each process you should
type:

$show logical

This will list a whole bunch of global system equates that you can use to
access various parts of the VAX structure. In addition, to view all of your
locally defined symbols, use:

$show symbol *


FILE PROTECTION
---------------

Ok before I begin this, let me just state that whatever I say about files also
applies to directories.

There are four categories of file protection: SYSTEM, OWNER, GROUP and WORLD.
These are briefly:

SYSTEM - All users who have group numbers 0-8 and users with physical or
         logical I/O privileges (generally system managers, system
         programmers, and operators)
OWNER  - the owner of the file (or subdirectory), isolated via their User
         Identification Code (UIC). This means the person who created the
         file!
GROUP  - All users who have the same group number in their UICs as the owner
         of the file.
WORLD  - All users who do not fall in the categories above

Each file has four types of access within each of the above categories. They
are: Read, Write, Execute, Delete. Explanations are:

READ    - You can read the file and copy it.
WRITE   - You can modify and rename that file.
EXECUTE - You can run the file
DELETE  - You can delete the file

When you create a file, the default is that you have all the privileges for
that particular file. Group, world and system may only have limited privileges.
This can be changed with the SET PROTECTION DCL command. For example:

$set protection=(group:rwed,world:r)/default

would set your default protection to allow other users in your group to have
full read, write, execute, delete privs to the file, and others only read
access to the file. The /default means that from now on all the files you
create will be set with this particular protection.
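The protection model just described (four categories, each with some subset
of R, W, E and D) can be checked mechanically, which is how an administrator
would answer "who can actually delete this file?" before trusting a
protection string. The code below is an added example and not part of the
original file. It follows the file's own definitions: SYSTEM is group number
0-8 or a PHY_IO/LOG_IO privilege, OWNER is the matching UIC, GROUP is the
matching group number, WORLD is everyone who fits none of those, and a user in
several categories gets the union of their fields. The UICs, protection
strings and the treatment of BYPASS as "disregard protection" are taken from
the file's descriptions; the sample values are constructed.

```python
"""Evaluate VMS-style file protection as the file describes it.

Added example, not from the original file. UICs are (group, member) tuples and
protection strings use the DCL form '(system:rwed,group:rw,world:r)'. Sample
values in __main__ are constructed.
"""

ACCESS = "RWED"
SYSTEM_GROUP_MAX = 8  # the file's rule: group numbers 0-8 count as SYSTEM


def parse_protection(code):
    """Parse '(system:rwed,group:rw,world:r)' into {category: set of letters}.

    A category not mentioned gets no access here; that is the conservative
    reading for a check like this (the DCL command itself leaves an unmentioned
    field unchanged).
    """
    prot = {c: set() for c in ("SYSTEM", "OWNER", "GROUP", "WORLD")}
    inner = code.strip().strip("()")
    for field in filter(None, (f.strip() for f in inner.split(","))):
        cat, _, letters = field.partition(":")
        cat = cat.strip().upper()
        if cat not in prot:
            raise ValueError("unknown protection category: " + cat)
        bad = set(letters.upper()) - set(ACCESS)
        if bad:
            raise ValueError("unknown access letters: " + "".join(sorted(bad)))
        prot[cat] = set(letters.upper())
    return prot


def categories_for(requester, owner, privs=()):
    """All categories the requester falls into for a file owned by `owner`.

    Per the file, WORLD is only those who fall into none of the other three.
    """
    cats = set()
    if requester == owner:
        cats.add("OWNER")
    if requester[0] == owner[0]:
        cats.add("GROUP")
    if requester[0] <= SYSTEM_GROUP_MAX or {"PHY_IO", "LOG_IO"} & set(privs):
        cats.add("SYSTEM")
    if not cats:
        cats.add("WORLD")
    return cats


def allowed_access(requester, owner, protection, privs=()):
    """Return the access letters (subset of RWED) the requester ends up with."""
    prot = parse_protection(protection) if isinstance(protection, str) else protection
    if "BYPASS" in privs:  # BYPASS: disregard protection entirely
        return set(ACCESS)
    granted = set()
    for cat in categories_for(requester, owner, privs):
        granted |= prot[cat]  # union over every category that applies
    return granted


def world_can(protection, letter):
    """True if the WORLD category (any other user) has the given access."""
    return letter.upper() in parse_protection(protection)["WORLD"]


if __name__ == "__main__":
    owner = (200, 5)  # constructed owner UIC
    prot = "(system:rwed,owner:rwed,group:rwed,world:r)"
    for who, label in [((200, 5), "owner"), ((200, 9), "same group"),
                       ((300, 1), "other group"), ((1, 4), "group 1 (SYSTEM)")]:
        got = "".join(sorted(allowed_access(who, owner, prot), key=ACCESS.index))
        print(f"{label:18} UIC {who}: {got or '(none)'}")
```

The worked case is the file's own /default example: with group:rwed anyone in
the owner's group can delete the file, not just read it, which is the kind of
consequence a protection string hides until it is evaluated against a
concrete requester.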
To change one of your own files to some other protection, you can
alternatively use:

$set prot topsecret.dat /prot=(system:rwed,group:rwed,world:rwed,owner:rwed)

This would enable all users on the system to access the file 'topsecret.dat'.
When specifying the protection, you do not have to list them for each of the
four groups. You can simply choose only those that