AOH :: P44-22.TXT

An Introduction to the Decserver 200



                              ==Phrack Magazine==

                 Volume Four, Issue Forty-Four, File 22 of 27

****************************************************************************


               -- An Introduction to the DECserver 200 --
                     by Opticon The Disassembled


 ANARCHY: "The belief that society
 can be maintained without prisons,
 armies, police or other organized force to
 maintain property rights, collect taxes or
 enforce such personal obligations as debts,
 contracts or alimony." -EB 1966, vol.I
 (taken from the Phrozen Realm)


 "If ur good, nobody knows that ur there"

    The DECserver is a terminal server (WOW!).  The Model 200 is the most
commonly found server in VMS machines.  This device connects up to eight
asynchronous (RS232C) terminals to one or more hosts available on an Ethernet
Local Area Network.

    It is connected to the LAN through an Ethernet physical channel and
supports speeds up to 19.200bps.  It can be found on VAXes, mVAXes and
VAXstations.  It uses the Local Area Transport protocol to communicate with
the other nodes.  It also implements the Terminal Device/Session Management
Protocol to achieve multiple sessions.  Things that can be found plugged on
it include dial-in and out modems, terminals, printers and stuff like that.
The identification code for it in VMS is DS2.  It's software is installed
via VMSINSTAL.COM to SYS$SYSROOT:[DECSERVER] or in SYS$COMMON:[DECSERVER]
for the cluster machines.  And of course now you will ask why should you
be interested in a damn phucking (=relief, back to my native language) SERVER.
A lot of interesting things can be done, like dialing out for free (assuming
you can connect to it in a convenient way).  You can even find a DEC server
200 dedicated to eight high speed modems.  There is no need to say that you
need privileges to phuck up with devices like that...or there is?

..Set Default to SYS$SYSROOT:[DECSERVER] and run DSVCONFIG.COM :

$
$ set default sys$sysroot:[decserver]
$ show default
  SYS$SYSROOT:[DECSERVER]
  =   SYS$SYSROOT:[DECSERVER]
  =   SYS$COMMON:[DECSERVER]
$ @dsvconfig

    You must assign a unique DECnet node name and DECnet node
address for each new DECserver.

Press <RET> to start, or <CTRL/Z> to exit...

      D E C s e r v e r   C o n f i g u r a t i o n   P r o c e d u r e

                                                      Version: V1.7

                               Menu of Options

                       1 - List known DECservers
                       2 - Add a DECserver
                       3 - Swap an existing DECserver
                       4 - Delete an existing DECserver
                       5 - Restore existing DECservers
                  CTRL/Z - Exit from this procedure

        Your selection? 1

DECnet  DECnet Server Service
Address Name   Type   Circuit  Ethernet Address   Load File      Dump File
------- ------ -----  -------  -----------------  -------------  -------------
 1.1    KEYWAY DS200  BNA-0    08-00-2B-07-39-5E  PR0801ENG.SYS  DS2KEYWAY.DMP
 1.2    REVEAL DS200  BNA-0    08-00-2B-28-32-CB  PR0801ENG.SYS  DS2REVEAL.DMP
 1.3    OASIS  DS200  BNA-0    08-00-2B-26-A9-57  PR0801ENG.SYS  DS2OASIS.DMP
 1.4    PAWN   DS200  BNA-0    08-00-2B-24-F3-98  PR0801ENG.SYS  DS2PAWN.DMP
 1.5    OPAQUE DS200  BNA-0    08-00-2B-11-EA-D4  PR0801ENG.SYS  DS2OPAQUE.DMP
 1.6    TOKEN  DS200  BNA-0    08-00-2B-10-64-98  PR0801ENG.SYS  DS2TOKEN.DMP
 1.7    KERNEL DS200  BNA-0    08-00-2B-12-D6-39  PR0801ENG.SYS  DS2KERNEL.DMP
 1.8    IRIS   DS200  BNA-0    08-00-2B-12-D6-39  PR0801ENG.SYS  DS2IRIS.DMP
 1.9    NEBULA DS200  BNA-0    08-00-2B-12-D6-39  PR0801ENG.SYS  DS2NEBULA.DMP

Total of 9 DECservers defined.
(Press RETURN for menu)

Connecting to one of them:

$ mc ncp connect node iris

Console connected (press CTRL/D when finished)
#


     Here you must give a password.  The default one is usually working so try
"access".  Only in "high security" systems they change the default password,
because privileges are needed anyway to access the Network Control Program
(which can be a possible subject for my next article).  But since you are in
using a system account (..privileged) you can change the current password if
you find any good reason for doing so.  More on that later.

DECserver 200 Terminal Server V3.0 (BL33) - LAT V5.1

Please type HELP if you need assistance

Enter username> <type anything here it doesnt really matter>


 You are in.

    In the DECserver there are Permanent and Operational databases.  The
permanent database holds commands which affect the device permanently when
you log out.  In the Operational database whatever you do is temporary and
takes effect only for the time you are logged in.

    Let's go on by trying to get the default privileged account which enables
you to view various things and make changes other than the normal ones.

Local> set privileged
Password> system

    Again the default password should work.

Local> show hosts

Service Name        Status       Identification

VMS               1 Connected    Welcome to VAX/VMS V5.4-2
MODEM               Available    Dial In And Out
UNIX                Available    BSD

Local> show nodes

Node Name           Status       Identification

VMS               1 Connected    Welcome to VAX/VMS V5.4-2
UNIX                Reachable    BSD
IRIS                Reachable

Local> show services

Service Name        Status       Identification

VMS               1 Connected   Welcome to VAX/VMS V5.4-2
MODEM               Available    Dial In And Out
UNIX                Available    BSD (RISC)

Local> show users

Port    Username             Status          Service

  1     anything             Connected       VMS

Local> show sessions (it'll display YOUR sessions)

Port 1:  anything            Local Mode    Current Session: None


** Before proceeding lets have a better look at some Features DECserver 200
has, needed to understand some interesting things which follow or even some
things that were previously mentioned.

    Remote Console Facility (RCF) is a management tool which helps you to
connect remotely to any server available via it's management port.  This
is not hardware, but a logical port although it still has the same
characteristics physical ports have.

    There are Privileged, non-Privileged and Secured ports.  These are
variables you can define by the time you manage to get the privileged account.
A privileged port accepts all server commands.  You can perform tests, define
server operations, maintain security and all that bullshit.  If you don't
understand it yet, this status is enabled with the SET PRIVILEGED command we
have used previously.

    A non-Privileged port can only manage and use commands which affect the
sessions that are currently connected to a host or node.  This is the default
status of course.

    A Secured port is something in between.  Users can make use of a restricted
command set to make changes which affect only the port they own ("Property
is theft but theft is property too, Prounton."  Pardon me if the translation
was destructive to the original meaning of this phrase, and if I piss you off
every time I start talking about things that are completely irrelevant
to the grand scheme of things and everything my articles are SUPPOSED
to deal with).

    Our little unit has 5 types of passwords and that will help you understand
how important it is for the whole system.

    (1) A PRIVILEGED password is what you should be aware of by now.  You can
SET/DEFINE SERVER PRIVILEGED PASSWORD "string", to change it.

    (2) A LOGIN password prevents the use of the server by unauthorized
users.  This can be enabled for every port or for a single dial-in modem port.
You must first specify the password for the entire server via SET/DEFINE
SERVER LOGIN PASSWORD and then, enable or disable it depending on the needs
of a specified port, via SET/DEFINE PORT x LOGIN PASSWORD ENABLED/DISABLED.
This password takes effect when you try to login to a port.  The prompt is
a "#" sign, without the double quotes.

    (3) A MAINTENANCE password prevents unauthorized users from doing remote
maintenance operations like the one we did after we ran DSVCONFIG.COM.
"The DECnet service password corresponds to the server maintenance password
and it is entirely unrelated with the DECserver 200 service password".  In
other words someone who wishes to modify a value in your server must give
in the NCP> command line, a parameter which specifies your server's
maintenance password.  Of course if this password is set to null (0)
no password is needed.  Also "Digital Equipment Corporation recommends
against storing the password in the DECnet database (as the DECnet service
password) and it strongly suggests that you change the maintenance password
from the default value of 0 to maintain adequate server security"
...tsk tsk tsk...

    (4) A SERVICE password protects a service or services defined on the
server.  You can increase or decrease the number of attempts before the server
gives a message, informing that the connect has failed because of an invalid
password, via SET/DEFINE SERVER PASSWORD LIMIT.

    (5) A LOCK password protects your current sessions and port from other
unwanted human substances.  The server accepts no input until you retype the
password you used for locking it.

    Finally, a port may be available only for certain users or groups.

** As you can see, it can be really tough to break VMS' security if all the
available measures are taken.

Research for modems:

Local> show port 8

Port 8:                                Server: IRIS

Character Size:            8           Input Speed:        19200
Flow Control:            XON           Output Speed:       19200
Parity:                 None           Modem Control:   Disabled

Access:                Local           Local Switch:       None
Backwards Switch:       None           Name:             PORT_8
Break:                 Local           Session Limit:         4
Forwards Switch:        None           Type:               Soft

Preferred Service: None

Authorized Groups:   0
(Current)  Groups:   0

Enabled Characteristics:

Autobaud, Autoprompt, Broadcast, Input Flow Control, Loss Notification,
Message Codes, Output Flow Control, Verification

    Simple configuration, probably nothing or a terminal in there.  What this
screen says is that we have on server IRIS, on port 8, something with character
size of 8, flow control XON (it could be CTS -hardware-), parity none, input
speed 19200bps, output speed 19200bps and modem control disabled.

    All the other information have to do with the server and how it reacts to
certain things.  So if the preferred service was "VMS" and you were logging in
through port 8, you would immediately connect to the VAX without having the
server asking you where to log you to.  The "break: Local" variable means that
if you send a break character you will find yourself in the "Local>" prompt even
if you have been working in the UNIX OS of the "UNIX" host and that lets you
start multiple sessions.  Quite useful.  The forward and backward switches are
for moving around your sessions.  Everything can be modified.

    For more information concerning the parameters have a look at the command
reference or the help utility.

Local> show port 1

Port 1:                                Server: IRIS

Character Size:            8           Primary Speed:      9600
Flow Control:            CTS           Alternate Speed:    2400
Parity:                 None           Modem Control:   Enabled

Access:              Dynamic           Local Switch:       None
Backwards Switch:       None           Name:            MODEM_1
Break:                 Local           Session Limit:         4
Forwards Switch:        None           Type:               Soft

Preferred Service: VMS

Authorized Groups:   0
(Current)  Groups:   0

Enabled Characteristics:

Autobaud, Autoconnect, Autoprompt, Broadcast, Dialup, DTRwait,
Inactivity Logout, Input Flow Control, Loss Notification,
Message Codes, Output Flow Control, Ring, Security, Verification


    And that's, obviously, a modem.  The speed, the modem control and the enabled
characteristics will help you understand even if the name is not helping at
all.  Have a look at the "Alternative Speed" option.

    What to do now that you have find it?

Local> set port 1 modem control disabled
Local> set service modem port 1
Local> connect modem


    Start programming.  This way is a little bit awkward and of course there
is a possibility that the modem is ALREADY defined as a dial-out modem.  You
are a privileged user, don't forget that.  I would recommend not to harm the
server ("nothing comes from violence and nothing ever good") and to leave
things as u find them.  DO NOT create a permanent dial-out modem service
(which can be done directly from VMS if you really want to) and DO NOT
forget that somebody has to pay for your calls and that the line which
the modem uses, may be limited to certain numbers or even prevent out-dialing
by hardware.  Use your brains...And don't stick in the idea of researching
modems.  You can use a DECserver to infiltrate a system.  Don't misuse those
introductions.

    Overview of Commands (in alphabetical order)

     *  BACKWARDS
         Goes back to a previous session.
     *  BROADCAST
         Sends a message to a port.
     *  CLEAR
         Clears a service.  It belongs to the Operational Database.
     *  CONNECT
         Connects to a service or port.
     *  CRASH
         Shuts down the server and reinitializes it.
     *  DEFINE
         Defines something.  It belongs to the Permanent Database.
     *  DISCONNECT
         Disconnects a session or port.
     *  FORWARD
         Goes forward to a following session.
     *  HELP
         Help.
     *  INITIALIZE
         Reboots the server.  You can specify a delay in minutes and
         "Local>initialize cancel" if you decide, finally, not to
         do it.
     *  LIST
         Displays information on something; Devices,Nodes,Ports,Queue,
         Server, Services, Sessions...
     *  LOCK
         Locks your terminal with a password you specify that moment.
         Retype your temporary password to continue.
     *  LOGOUT
         Logs out the specified port.  If none, your current port.
     *  MONITOR
         Devices, Nodes, Ports, Queue, Server, Services, Sessions...
     *  PURGE
         Purges a service from the Permanent database.
     *  RESUME
         Resumes a session.
     *  SET
         Devices, Nodes, Ports, Queue, Server, Services, Sessions,
         Characteristics,Privileged,NONprivileged...It belongs to the
         Operational database.
     *  SHOW
         Everything.
     *  TEST
         Tests a LOOP, PORT or SERVICE.

    An interesting Warning Message, just for informational purposes, is the
following;

      " Local -120- WARNING - Access to service is not secure

        Session status information cannot be passed between the
        server and the attached device because modem signals are
        not present.  This is not a problem if the device is a
        non-secure printer; however, if the port is a non-LAT
        host system, users could access other users' data. "

    That's all for now I think.

    There are many things to explain but there is no reason for doing that right
now.  If you need more information then just have a look at the HELP utility or
contact me, somehow.  [I hope you have not misunderstood my strange looking
article because my native language is not English]


    " Opticon: Don't you think that I'm getting insane?
      TLA: Yeah, sure looks like it..."

    Love and An-archy to all those who know why.

 BREAK DOWN THE WALL


AOH Site layout & design copyright © 2006 AOH