TUCoPS :: Antique Systems

TUCoPS :: Antique Systems :: hckvax.txt
Lex Luthor & LOD/H present Advanced Hacking VAX & VMS's

$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$
L L
O Lex Luthor O
D AND D
$ LOD/H $
L Present: L
O ADVANCED HACKING VAX'S VMS O
D D
$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$
L L
O This file, will explain in detail O
D the more useful commands, notable D
$ differences of Version 4.0 and $
L higher from older versions, and L
O exploit the new security features O
D and software available for VMS. D
$ $
LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$L
O (C) Written 01-JUN-85 O
D By: Legion of Doom/Hackers D
$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$

NOTE: All references to things in < >
should be replaced by square brackets.

VAX/VMS BACKGROUND:
-------------------

The VMS Operating System supports all VAX-11 series computers. The system
permits an absolute limit of 8192 concurrent processes. This depends on the
physical memory and secondary storage available. The practical limit is in
excess of 100 concurrent users for a large scale system. The initial license
fee is $10,000, and when run on the VAX 8600 the fee is $15,000. There is an
estimated 22,000 sites running VAX/VMS.

CORRECTIONS:
------------

I mentioned in Part I, that VMS runs on the PDP-11. This was a mistake,
UNIX is the operating system which can run on both the VAX and PDP machines.

LOGGING IN:
-----------

Username: ACIRS508
Password:

LOD/H Advanced Computer Insecurity Research System (ACIRS).

VAX/VMS Version 4.2

Last interactive login on Wednesday, 01-JUN-1985 10:20.11
Last noninteractive login on Friday, 30-MAY-1985 15:38.27
2 failures since last successful login
You have 1 new mail message

All login procedures are executed by one of two methods, interactive or
noninteractive. Interactive logins require the user to follow the prompts of
the system for information. Noninteractive logins are performed exclusively by
the system without user interaction.

Types of logins are:

1) Local: This is executed by a user who is directly connected to the CPU.
2) Dial-up: Login using dial-up lines.
3) Remote: Remote logins are performed to a node over a network.
4) Network: Network logins are noninteractive as they are accomplished
automatically when a user accesses files stored in a directory on another node
or performs a network task on a remote node assuming they are both nodes on the
same network.
5) Batch: A Batch login is another noninteractive automatic procedure
performed when a batch process initiated by a user actually runs.
6) Subprocess: Subprocess logins are always noninteractive although it is also
a result of a user executing either a specific process form of a command or a
system service.

Other types are: Proxy login, a type of network login permitting a user to
access files across a network, a Detached process login which can be specified
by the user as either interactive or noninteractive. It is a result of a user
executing either a specific process form of a command or a system service.

COMMON ACCOUNTS (PART II):
--------------------------

Here are some more common accounts which may enable you to gain access.
One note, there is a difference between default and common accounts, defaults
are put in by the manufacturer, and common accounts are characteristic
of most computers or operating systems of the same make.

Username: Password:
--------- ---------

RJE RJE
HOST HOST
LINK LINK
INFO INFO
BACKUP BACKUP
NETWORK NETWORK
DECMAIL DECMAIL
HELPDESK HELPDESK
REPORT(S) REPORT(S)

As you have noticed, we are relying on the user to use thier username as a
password. If none of these get you in, you may want to try first names, social
security numbers, initials etc. Remember, all you have to do is get in, worry
about getting privileged later.

PASSWORD SECURITY:
------------------

Passwords can be selected by the user or automatically generated by the
system. User selected passwords require a minimum length of characters to
prevent use of familiar easy-to-guess words. Automatically generated passwords
offer the user a choice of randomly sequenced characters resembling English.
All passwords need to be changed about every 30 days and are one-way encrypted
when stored.

There are 2 levels of passwords used:

A user password is required of the majority of users. A system password
is required prior to a user password when restricting access to a particular
terminal. For maximum security two user passwords may be required, a primary
password and successively a secondary password. I have not encountered this
yet, but I thought I would just mention the capabilities of the VMS security
system.

INTERIOR BARRIERS:
------------------

On some systems, after successfully logging on with the username/password
combination, the system may ask you to enter a dial-up, modem, remote, etc.
password, it may dump you into an application program or it may give you a
device not found error. In any case, this prevents you from gaining access to
the operating system. A possible way around these problems is to hang up and
call back the system, hit control-c and/or control-y after the initial logon
sequence. This will prevent the system from executing the security program,
login.com file, application program, or detect that there is not a device
assigned to the user in question. You may have to try this a few times, since
timing may be crucial. Most likely, you will not be able to break out of the
program itself after logon, because of the command "set nocontrol=y" which
inhibits the use of control-y. If you find that this doesn't work, then set
nocontrol=y has been implemented from the start of your logging in, which is
accomplished by running authorize and changing the user characteristics in the
UAF. But as usual, this is not done, whether its because the system manager
is lazy, ignorant or maybe the use of the control character is needed later in
the logon session, thus, you gain unauthorized access to the machine.

VERSION 4.2:
------------

As you have seen, Version 4.2 was mentioned. At the time of this writing
it is under testing, and not yet released, but DEC kind of 'leaked' this
information to LOD/H via thier DECNET (hehe). Also, from the banner, you can
deduce that 4.0 and above has an extensive audit trail. Which when
implemented, records login failures, thus, be careful when attacking VMS 4.0
and up using trial and error techniques.

SECURITY FEATURES:
------------------

Security for VMS is based on the reference monitor concept. Under this
concept the reference monitor is the central security point for the following:

1) Subjects: users, processes, batch jobs.
2) Objects: files, programs, terminals, tapes, disks, mailboxes.
3) Reference monitor database: user authorization files, rights database, file
protection, access control lists.
4) Security audit.

The reference monitor system mediates every attempt by a subject to gain access
to an object.

The greatest advantage of VMS is its flexibility. The system manager can
choose to implement or ignore a wide range of security features, fortunately
for the hacker, they all seem to ignore the important ones. It is possible
to protect all, any or none of the files created. It is also possible to
provide general or restricted passwords, or no passwords at all. Access
codes can be global or limited. The use log can be ignored, used only for
record keeping, or be employed as a security control tool. Finally, the
encryption system can be activated where needed, defaulting to uncoded material
for normal use.

VAX/VMS has the following security features that are designed to prevent
unauthorized access or tampering:

1) It provides a system of password controls and access levels that allow the
security manager to open sections of the system only to those users with a
particular requirement or legitimate interest.
2) It keeps a careful log of all interactions so that questionable uses can be
challenged and documented.
3) It supports an encryption system that allows system management to create
coding keys that are necessary for access to programs or databases. The
encryption system of VAX/VMS provides an additional level of security,
however the other security features are sufficient to deter most losers.
the encryption system included in the operating system package would
probably not stop those few so motivated. The encrypt facility does not
use a sufficiently complex algorithm to be unbreakable, although it would
slow down or halt most potential abusers.

AUDIT TRAIL:
------------

The security log feature, if monitored, and thats a big IF, is a major
disadvantage for the hacker. Flag codes can alert an operator to an ongoing
hack; review can isolate users attempting to exceed access restrictions. The
system can "freeze" a terminal if a breach is discovered, or if multiple
wrong access codes are attempted. Of course, the log system functions somewhat
after the fact and it is possible, though difficult, to alter the security
log. A terminal can be designated as an audit alarm console and all auditable
events are displayed on the console. Some events, such as certain login
failures and uses of privilege are always auditable. Other events, such as
successful or unsuccessful attempts to gain access to sensitive files, can be
selected by users or security managers for auditing. For example, the owner
of a sensitive file might create an ACL entry requesting that all accesses
to that file be audited, whether someone reviews that audit is another story.

INTERNAL SECURITY:
------------------

VAX/VMS determines access to objects by utilizing two protection mechanisms:
Access Control Lists (ACLs), and User Identification Codes (UICs). It takes
the two together, acting with user privileges, for access. Access Control
Lists: The ACL uses identifiers to specify users. There are three types:

1) UIC identifiers depend on the user identification code that uniquely
identifies each user on the system.
2) General identifiers are defined by the security manager in the system
rights database to identify groups of users on the system.
3) System-defined identifiers describe certain types of users based on
their use of the system.

An ACL consists of one or more Action Control List Entries (ACEs). There
are three types of these:

1) Identifier ACE: This controls the type of access allowed to a particular
user or group of users. Access types are: READ, WRITE, EXECUTE, DELETE,
CONTROL, and NONE.
2) Default protection ACE: This defines the default protection for directory
files only.
3) Security alarm ACE: Watch out for this one! It provides an alarm message
when an object is accessed. This will alert managers to possible security
threats (YOU!). Alarms may be generated when an unauthorized user performs
the following access types: READ, WRITE, EXECUTE DELETE, or CONTROL.
Alarms are also issued for the SUCCESS or FAILURE of these attempts.

User Identification Codes: As stated in part I, each user has a UIC. Each
system object also has an associated UIC, defined to be the UIC of its owner,
and a protection code that defines who is allowed what type of access. Also
mentioned in part I was the protection put on objects: System, Owner, Group,
and World. Depending on these, the protection code can grant or deny access to
allow a user to read, write, execute, or delete an object. When you log in,
the identifiers which are in your "rights database" are copied into a rights
list that is part of your process. The rights list is the structure that VMS
uses to perform all protection checks.

GENERAL SYSTEM COMMANDS:
------------------------

DEC-net was breifly mentioned in part I, but I have noticed that this is
more important than I had originally anticipated, especially after I checked a
system which had 100+ nodes on the network, all of which I proceeded to break
into. Anyways, the procedure is:

$ SHOW NETWORK

Node Links Cost Hops Line

1 LEGION 0 61 6 DMC-5
2 ARCHER 0 11 1 DMC-5
3 DOCWHO 0 18 2 DMC-5
4 BLOTTO 0 20 3 DMC-5
5 PLOVER 0 15 3 DMC-5

Total of 5 nodes.

$ SET HOST ARCHER

You will get one of two responses when connecting to a node on a network:

Username:
~Y
~Y

Are you repeating ~Y to abort the remote session on node ARCHER? Y

%REM-S-END, control returned to node ACIRS::

%REM-F-NETERR, DECnet channel error on remote terminal link
%SYSTEM-F-UNREACHABLE, remote node is not currently reachable.

In the first instance, I merely hit two control-y's to abort the login, the
second, meant that either the system is not operating or that there is not a
node by that name.

DIRECTORIES:
------------

Instead of using wildcards for getting a directory listing, try:

$ dir <000000...>

Directory SYS$SYSDEVICE:<000000>

000000.DIR;1 AMMONS.DIR;1
NEWS.DIR;1 RJE.DIR;1
SECURITY.DIR;1 TEST.DIR;1

Total of 6 files.

Directory SYS$SYSDEVICE:<AMMONS>

*INTERUPT*

This is a more effective way of listing ALL the directories on the system.
The first directory you see will be the directory which lists most/every other
directory on the system not including subdirectories. The difference between
this and DIR <*.*> is that this lists more directories/files than using <*.*>.
Usually the directory name is the same as the username thus, even though you
have a non-privileged account, you can obtain more usernames to try passwords
on. As you noticed, *INTERUPT* appeared and the dollar sign prompt appeared,
this was because of hitting control-y. One neat thing with 4.0 and above is
that if you hit a control-c in the middle of a long directory or file listing,
it will simply say *CANCEL*, pause for a second, and skip over to the next
directory. It will not pause when going on to the next file though. As
you know, older versions simply give you the '$' prompt, so if you wanted to
look at something in the 15th directory, you would have to wait for all the
directories which are before it, before seeing the contents of the 15th. Now,
you can hit control-c and *CANCEL* long directories and sooner, not later,
view the desired information.

To see more detailed information about the files in your directory:

$ DIR /FULL

Directory SYS$SYSDEVICE:<AMMONS>

INTRO.TXT;5 FILEID: (929,23,0)
Size: 2/3 Owner:<AMMONS>
Created: 25-MAY-1985 12:38 Revised: 2-MAY-1985 12:38 (2)
Expires: <none specified> Backup: <no backup done>
File organization: Sequential
File attributes: Allocation: 3,Extend: o,
Global buffer count: 0
Version limit: 3
Record format: Variable length, maximum 74 bytes
Record attributes: Carriage return carriage control
File protection: System:RWED, Owner:RWED, Group:, World:,
Access Control List None

The important information is: the file protection, and if there is an ACL
for the file. The /FULL qualifier will continue to print the information
about each file within the directory.

DEVICES:
--------

On occasion, when you execute a directory search, you will not find much.
This is because you are not on the same device as much of the other users are.
To change devices:

$ SET DEVICE DEVICENAME:

make sure you put the colon after the name. In the case of you not knowing
what device to switch to type:

$ SHOW DEVICE

this will give you a list of devices currently used on the system.

FILE EXTENSIONS:
----------------

The following file extensions should be used in conjunction with wildcards
or <000000...> for viewing all files with that extension:

.MEM memo file: These often contain inter-office memos. TYPE this file.
.JOU journal file: This is a Journal file, which is created when editing
.JNL journal file: a file. This may contain interesting info. Use TYPE.
.TMP temporary file: This is a temporary image of a file. TYPE this file.
.LIS list file: Listing file, use same procedure as stated above.

ie:

$ TYPE <000000...>*.MEM;*

AUTHORIZE AND THE UAF:
----------------------

In part I, it was mentioned that the file AUTHORIZE.EXE;1 could be found in
the <SYSEXE> directory. It almost always is, but on occasion, you will be able
to find it either in the <SYS0.SYSEXE> or <000000.SYSEXE> directories. If you
are non-privileged, you may wish to see if you can access those directories,
and TYPE out the file: SYSUAF.LIS which is a list similar to performing the
SHOW * /FULL command. When executing that command or viewing that file, the
output should look like:

Username: SYSTEM Owner: SYSTEM MANGER
Account: SYSTEM UIC: <001,004>
CLI: DCL LGICMD:
Default Device: SYS$ROOT:
Default Directory: <SYSMGR>
Login Flags:
Primary days: Mon Tue Wed Thu Fri
Secondary days: Sat Sun
No hourly restrictions

PRIO: 4 BYTLM: 20480 BIOLM: 12
PRCLM: 10 PBYTLM: 0 DIOLM: 12
ASTLM: 20 WSDEFAULT: 150 FILLM: 20
ENQLM: 20 WSQUOTA: 350 SHRFILLM: 0
TQELM: 20 WSECTENT: 1024 CPU: no limit
MAXJOBS: 0 MAXACCTJOBS: 0 PGFLQUOTA: 200000

Privileges:

CMKRNL CMEXEC SYSNAM GRPNAM ALLSPOOL DETACH DIAGNOSE LOG-IO GROUP ACNT PRMCEB
PRMMBX PSWAPM ALTPRI SETPRV TMPMBX WORLD OPER EXQUOTA NETMBX VOLPRO PHY-IO
BUGCHK PRMGBL SYSGBL MOUNT PFNMAP SHMEM SYSPRV SYSCLK GROUP BYPASS

UAF>

The privileges listed at the end, are in abbreviated form, the important ones
as far as security goes, is:

ACNT: May surpress accounting message.
OPER: Operator privilege.
GROUP: May affect other processes in the same group.
WORLD: May affect other processes in the world.
SHMEM: May create/delete objects in shared memory.
ALTPRI: May set any priority level.
BYPASS: May bypass UIC checking.
SETPRV: May set any privilege bit.
SYSLCK: May lock system wide resources.
SYSPRV: May access objects via system protection.
VOLPRO: May override volume protection.
READALL: May read anything as the owner.
SECURITY: May perform security functions.

To see what privileges you have type:

$ SET PROCESS /PRIVS

01-JUN-1985 15:50:56.31 RTA1:User: ACIRS508

Process privileges:

LOG-IO May do logical I/O.
PHY-IO May do physical I/O.
TMPMBX May create temporary mailbox.

Process rights identifiers:
INTERACTIVE
REMOTE

the privileges listed, are usually found on low access accounts. If you have
the SETPRV privilege, you can give yourself privs (as stated in part I) by:

$ SET PROCESS /PRIVS=ALL

SECURITY DEVICES AND SOFTWARE:
------------------------------

There are a number of additional security products available for VMS. Some
of which are:

Name: ALSP (Applications Level Security Package)
Manufacturer: Integrated Systems Inc.
Location: New Jersey.
Phone: (201) 884-0892.
Cost: $650.00
Description:

ALSP protects system and resource access by restricting users commands of
applications to authorized users. On menu driven applications, ALSP provides
further security by checking menu selections against those authorized for a
user. Security violations cause LOGOUT and after three unsuccessful access
attempts at logon, the user must be reinstated by the system manager. ALSP
also generates a message to the system operator when unauthorized users try to
access secured data.

Name: DIALBACK and AUDIT
Manufacturer: Clyde Digital Systems Inc.
Location: Provo, Utah
Phone: 1-800-832-3238.
Cost: $980.00 and $2500.00 respectively.
Description:

DIALBACK protects the system by not allowing any dial-in users to make direct
contact. It stops them before they can even attempt to log onto the system and
requires them to identify themselves. If a user fails to enter a valid
DIALBACK ID, DIALBACK will disconnect the line. As soon as DIALBACK recognizes
the ID code, it checks a list of authorized users and thier phone numbers,
hangs up, and calls back the number listed.

AUDIT is a sophisticated software security and documentation tool.
It allows you to create a complete audit trail of the activities of any
terminal on the system.

Name: Data Encryption System (DES) Verson II and Menu/Authorization Processor
System (M/APS) Version I.
Manufacturer: McHugh, Freeman & Associates, Inc.
Location: Elm Grove, Wisconsin
Phone: (414) 784 8250.
Cost: 1,250.00 and 995.00 respectively.
Description:

DES runs as a stand alone program (ENCRPT) which allows single or double
encryption of system files. DEC encrypts source, data and task image (binary
relocatable) files.

M/APS provides secured menu access to system applications for authorized users
with security displays, and audit trails of movements through the M/APS. Users
once captured by the menu cannot escape to the system monitor level.

CONCLUSION:
-----------

If all or most security features of VMS were implemented, the system would
be one of the most secure around, even more secure than IBM. IBM operating
systems such as VM/CMS, MVS/TSO, DOS, CICS, etc. are insecure without the use
of additional software security packages such as ACF2, RACF, TOP SECRET, etc.
which costs from $20,000 to $30,000! DEC didn't do a bad job since the cost
of the operating system itself is half that of those packages. But, when
computers are concerned, its the people who are the main facter. Until they
realize that hackers can be a real threat, they will continue to leave thier
systems open to unauthorized access.

ACKNOWLEDGEMENTS:
-----------------

The Blue Archer

PART III PREVIEW!
-----------------

Look for Part III, Hacking VMS: User Commands. Part III will go more in
depth into the actual uses of the operating system. It will mention things
like: Creating batch jobs, using the programming languages available on the
system, including DCL (Digital Command Language), using the editor, etc.

�������������������������������������������������������������ͻ
� �
� Another fine TEXT file Supplied by�: �
� �
� T H�E F�I�R�S�T A�M�M�E�N�D�M�E�N�T �
� ����������������������������������������������������� �
� �
� Call for all the latest TEXT files from A to Z �
� �
� (619) 421 - 0583 �
� �
� THE�TEXT�SPECIALIST -- 99.99% PURE�TEXT �
� �
�������������������������������������������������������������ͼ

X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X
Another file downloaded from: The NIRVANAnet(tm) Seven

& the Temple of the Screaming Electron Taipan Enigma 510/935-5845
Burn This Flag Zardoz 408/363-9766
realitycheck Poindexter Fortran 510/527-1662
Lies Unlimited Mick Freen 801/278-2699
The New Dork Sublime Biffnix 415/864-DORK
The Shrine Rif Raf 206/794-6674
Planet Mirth Simon Jester 510/786-6560

"Raw Data for Raw Nerves"
X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X