TUCoPS :: Antique Systems :: 9x_hp3.txt

Haqing HP3000's

STATION ID - 7047/3.12

9x Datakit Network
FOR OFFICIAL USE ONLY

This is a 9x system, restricted to authorized persons and for
official 9x business only. Anyone using this system, network or data
is subject to being monitored at any time for system administration and
for identifying unauthorized users or system misuse. Anyone using this
system expressly consents to such monitoring and is advised that any
evidence of criminal activity revealed through such monitoring may be
provided to law enforcement for prosecution.

              Author : OneThought
              Subject: Hacking the HP3000/MPE Platform

                 
  There have been several write ups written in the past about the
MPE operating system and how to hack it. To me many of these are
out of date with the times or havent gone into certin aspects of
the MPE-iX OS. To start this off i am going to shatter the myth 
right now that the MPE is a out of date operating system and is 
"not worth hacking" a phrase i have heard more then once now a 
days. The HP3000/MPE OS is still ideal for a small work place of
10-15 terminals, several of these servers networked together creates 
a powerful accounting and work system , Infact the MPE OSes latest 
version was released in 1995 (MPE-iX 5.0) and is already being picked
up by several companies. Right now you are asking yourself "Why should
i hack a HP3000?". Besides being a fun system to navigate around, in 
many cases HP3000s have some very good information inside of them. 
Credit Card #s, Employees personal information, Payroll files are 
all kept on HP3000s.

                     #Finding a HP3000.#

 When it comes down to finding a HP3000 your options are limited.
Your best luck will definetly be scanning business exchanges, However
you may also find a few inside the network information system of some
unix boxes on the net. You will know when you have found one by the
MPE XL: Prompt on older MPEs,MPE/iX, or MPE/V. If you are unsure of 
one being a HP3000 simply type some random letters at the prompt and 
press enter. If it is truely a HP3000 you will get the message 
"EXPECTED HELLO COMMAND".

                      #Getting inside.#

 If you are attempting to hack a unsecured HP3000 then factory 
defauts will suffice most of the time. The following is a list
of default accounts and some password protected accounts. 

ADVMAIL.HPOFFICE
MGR.HPDESK
MGR.ROBLLE
MGR.VESOFT
MGR.WORD
MGR.INTX3
MGR.CAROLIAN
MGR.XLSERVER
MGR.CONV
MGR.HPP187
MGR.HPP189
MGR.HPP189
MGR.HPP196
MGR.HPOFFICE
MGR.CCC
MGR.RJE
MGR.SYS             Acct password: LOTUS
MGR.ITF3000
MGR.SECURITY
MGR.HPWORD
MGR.TELESUP         Acct password: HPONLY  User Password: MGR  
MGR.COGNOS
MGR.HPONLY
MGR.NETBASE
MGR.CNAS
MGR.REGO
MAIL.NETBASE
MAIL.MAIL
MAIL.TELESUP
MAIL.HPOFFICE
MAILMAN.HPOFFICE
OPERATOR.SUPPORT
OPERATOR.SYS
OPERATOR.COGNOS
OPERATOR.SYSTEM
OPERATOR.DISC
FIELD.HP
FIELD.HPUNSUP
FIELD.HPWORD
FIELD.SERVICE       Acct password: HPWORD 
FIELD.SUPPORT,PUB
FIELD.HPP187
MANAGER.SYS
MANAGER.COGNOS
MANAGER.HPOFFICE
MANAGER.ITF3000
MANAGER.SECURITY
MANAGER.TCH
SYS.TELESP
WP.HPOFFICE
SPOOLMAN.HPOFFICE
RSBCMON.SYS
PCUSER.SYS

Use the following default accounts listed above to login as
souch. 

        :HELLO MGR.SYS,PUB
                   
           
   Login Command: HELLO    
   Username     : MGR
   Account name : SYS
   Group Name   : PUB

 When trying account and user names sometimes you will get the 
message "ACCOUNT EXISTS, USERNAME DOES NOT". This means that you
have enterd a valid account but not a valid user name. The same
goes for "ACCOUNT/USERNAME EXIST BUT NOT IN HOME GROUP". Here
you must include a valid group name with the login account name
and user name.   

*Note The group name is not required to be typed at the login prompt
most of the time.


  #Barriers that will stand in the way of gaining access to a HP3000.#

 Terminal password. Sometimes you will log in on a default account
and then recieve the prompt

TERMINAL PASSWORD:

 The terminal password is a eight bit alpha password that is not
a normal feature of HP3000s, But some system administrators request
it being on a new system. The only way to get by this is a brute
force attack, or going out and doing some field work i.e trashing
at the companys location,social engineering, etc etc.

 Another problem you may run across is a terminal that will not
accept logins from certin accounts. When running into this you will
need to find another account that can login on that terminal.

Case in point:

CONNECT 9600/ARQ/V32/LAPM/V42BIS
MPE XL:HELLO OPERATOR.SYS
HP3000  RELEASE: B.40.00   USER VERSION: B.40.00
FRI, JUN 28, 1996,  6:11 PM
MPE/iX  HP31900 B.30.45  Copyright Hewlett-Packard 1987.  
All Rights Reserved.

YOU ARE AT A TERMINAL THAT
YOU ARE NOT ALLOWED TO USE
 SO NOW I LOG YOU OFF.

END OF PROGRAM
CPU=1. CONNECT=1. FRI, JUN 28, 1996,  6:11 PM.

NO CARRIER

Something else you may run into is closed sessions. This means that
at that time the system cannot create a new session for a number of 
reasons, Maximum of users are already signed on or logins are not allowed
at that time. The best thing to do when running into that is to try again 
every few hours till you are allowed to start a new session.

Case in point:

CONNECT 9600/ARQ/V32/LAPM/V42BIS
MPE XL: HELLO MGR.RJE

CAN'T START A NEW SESSION (CIERR 970)

NO CARRIER

 The last thing i will cover when it comes to barriers on HP3000s
is the VESOFT add on. I will not go into this in depth but just give 
you a rough over view. First off to identify a system running VESOFT
you will have MPE/V: as your prompt. There will be no default accounts
on this system, if you get in by other means it will be extremly 
restrictive and secure. Your best hope here is to give up.

The first thing that you will want to do once inside is find out what 
access (if any) that you have. This is done by doing a LISTACCT.

Case in point:

:LISTACCT 
********************
ACCOUNT: <What ever acct you are>

DISC SPACE: 0(SECTORS)          PASSWORD: **
CPU TIME  : 2(SECONDS)          LOC ATTR: $00000000
CONNECT TIME: 2(MINUTES)        SECURITY--READ    : ANY
DISC LIMIT: UNLIMITED                     WRITE   : ANY
CPU LIMIT : UNLIMITED                     APPEND  : ANY
CONNECT LIMIT: UNLIMITED                  LOCK    : ANY
MAX PRI  : 150                            EXECUTE : ANY
GRP UFID : $055E0002 $0AC53AD3 $0055A7BE $2C052855 $04A775F1
USER UFID: $00000000 $00000000 $00000000 $00000000 $00000000
CAP: AM,ND,SF,BA,IA

Most of this is self explanitory. The imprtant part to look at
is the CAP: section. Here is the capeability list needed to understand
what access you have.

Abrev.     Capeability.

SM         System Manager
AM         Account Manager
AL         Account Librarian  
GL         Group Librarian
DI         Diagnostician
OP         System Supervisor
NA         Network Administrator
NM         Node Manager
SF         Permanent Files 
ND         Access to nonsharable I/O devices  
UV         Use Volumes
CV         Create Volumes 
CS         Use Communications Subsystem
PS         Programmatic Sessions
LG         User Logging
PH         Process Handling
DS         Extra Data Segments
MR         Multiple RINs
PM         Privilaged mode
IA         Interactive Access
BA         Local Batch Access

Now compare the chart i have just included with what ever
account you have. This will dictate what privilaged commands
you may be able to execute as i will describe later in this file.

                 #Making yourself an account#

  Making yourself an account requires SM or AM access. On some ocasions
you will not be able to make an account with AM access if the System 
Manager has modified your account. You will be able to give your new
account equal access as the one you are on when making it.  

Case in point:

:NEWUSER   <User id> <Group Id> <Password>

      The same can also be said for the following commands..

:NEWGROUP  <Group ID>     *Creates a new group, very noticeable

:PURGEUSER <User ID>      *Delites a user   

:PURGEGROUP <Group ID>    *Delites a group. 

                     #Time to look around.#

You now have hopefully created a new account and know what access
you have. Now it is time to check the system out. First you will need
to know how to use the help file, as HPs may differ from version
to version. Type HELP <item you need help with> and it will bring
up other words to look at or a section of the help file. Do NOT type
HELP as the entire MPE manuel will be scrolled on the screen, Taking 
aproximetly 18 minutes to be fully scrolled. 

  To find out how big this system is and what devices are available
type..

:SHOWDEV
 LDEV     AVAIL         OWNERSHIP         VOLID         DEN   ASSOCIATION

    1     DISC          N/A
    2     DISC          N/A
    3     DISC          N/A
    4     DISC          N/A
    5     AVAIL
    6     SPOOLED       SPOOLER OUT
    7     AVAIL
    8     AVAIL
    9     AVAIL
   10   A AVAIL
   11     AVAIL
   12     AVAIL
   13     AVAIL
   14     AVAIL
   15     AVAIL
   16     AVAIL
   17     AVAIL
   18     AVAIL
   19     AVAIL
   20   A UNAVAIL       #S8886: 8 FILES
   21   A AVAIL
   33     SPOOLED       SPOOLER OUT
   40     SPOOLED       SPOOLER OUT
  103   J AVAIL
  104   J AVAIL
  105   J AVAIL
  106   J AVAIL
  107   J AVAIL
  108   J AVAIL
  109   J AVAIL
  110   J AVAIL
  111   J AVAIL
  112   J AVAIL
  113   J AVAIL
  114   J AVAIL
  115   J AVAIL
  116   J UNAVAIL       #S10041: 8 FILES
  117   J AVAIL

This will give you a reference for downloading which i will cover 
later.

            #Navigating commands around groups and files#
 
  LISTF @       Lists every file in your current group

Case in point:

:LISTF @

FILENAME

ABORTEST    ACCTJOBS    AIFKUF      ALOCATEJ    ANSTART     ANSTAT
ANSTOP      ANUTIL      ASOCTBL     ATCUT000    ATCUTIL     AUTOHIST
BACKUP      BDLABEL     BDLT        BDMO        BDREPORT    BDXM
BRW         BRWACCSD    BRWAPPD     BRWC000     BRWCOMP     BRWCONV
BRWD3000    BRWDL000    BRWDLIST    BRWDUSER    BRWEMPTY    BRWEXEC
BRWEXECO    BRWF000     BRWGEND     BRWJ000     BRWL000     BRWLIST
BRWM000     BRWSD       BRWSDEXT    BRWSETUP    BRWSTART    BRWSTOA
BRWSTRM     BRWXL       BUILDINT    BULDACCT    CATALOG     CATTUTIL
CCMSGCAT    CDCAT       CDMGR       CDMGRSKT    CDSERVER    CDSRVSKT
CDSTARTJ    CDSTOPJ     CEUDCS      CHRDEF01    CHRDEF02    CHRDEF03
CHRDEF04    CHRDEF06    CHRDEF51    CHRDEF56    CHRDEF61    CHRDEF66
CI          CICAT       CICATERR    CKINST      CLS1        CMSTORE
COB74XL     COB74XLG    COB74XLK    COB85XL     COB85XLG    COB85XLK
COBCAT      COBCNTL     COBEDIT     COBMAC      COBOL       COBOL85
COBOLII     COBUDC      COMMA

 LISTF @.@     Lists all the files in every group on your account.

  LISTF @.@.@   Lists ALL files in every group on the system
  *If you are in a rush for time dont use the above command.
 
  LISTF @.<Group ID>.<Acct ID>, -1 Lists a specific users files. 
  
  LISTF @.@.@,2 Lists all files on system with group and account name.

  DSCOPY <fname>.<group id>.<acct id> to <fname>.<group id>.<acct id>
  ^ Copies files from one account to another.
   
  PURGE <fname>.<group id>.<acct id>  Delites a file.

  RENAME <old file>.<group>.<Acct>,<New file>.<Group>.<acct>
  ^ Renames a file.
  
  RUN <File name>.<Group ID>.<Acct ID>   Runs a file.   
  
 EDITOR <Filename> 

 Case in point:

:EDITOR <Whatever file here>
HP32201A.09.00 EDIT/3000 FRI, JUL  5, 1996,  5:01 AM
(C) HEWLETT-PACKARD CO. 1993
/
/END
:

  Just type "END" to leave the editor.

 To download use :DOWNLOAD <device>,<file>
*Refer back to SHOWDEV to figure out which device to use on the system.

              #Other useful and not so useful commands#

SHOWCATALOG  =  This command will show commands unique to that system.

Case in point:

:SHOWCATALOG
SYSUDC5.UDC.SYS
   SPENTRY           SYSTEM
   EDIT              SYSTEM
   COBOLII           SYSTEM
   ED                SYSTEM
   KSAM              SYSTEM
   COBEDIT           SYSTEM
   SJ                SYSTEM
   FORMSPEC          SYSTEM
   ENTRY             SYSTEM
   SO                SYSTEM
   SM                SYSTEM
   FREE5             SYSTEM
   SH                SYSTEM
   L                 SYSTEM
   QUAD              SYSTEM
   MPEX              SYSTEM
   MPEXLOGON         SYSTEM
   QEDITOR           SYSTEM
   GOD               SYSTEM
   JOBMASTER         SYSTEM
   SJ                SYSTEM
   SJJ               SYSTEM
   SJS               SYSTEM
   QUIZ              SYSTEM
   QUIZR             SYSTEM
   CONVRPO           SYSTEM
   QUICK             SYSTEM
   COGHELP           SYSTEM
   PHINIT12          SYSTEM
   PHSRVN            SYSTEM
   PHSRVS12          SYSTEM
 PHSRVS            SYSTEM
   CVRPO12E          SYSTEM
   SETPOWERHOUSE     SYSTEM
   RESETPOWERHOUSE   SYSTEM
   PHRUNPROG         SYSTEM
   PHRUNINTERBASE    SYSTEM
   GBAK              SYSTEM
   GCSU              SYSTEM
   GDEF              SYSTEM
   GDSCSERVER        SYSTEM
   GDSRSERVER        SYSTEM
   GDSLOCKPRINT      SYSTEM
   GDSRELAY          SYSTEM
   GFIX              SYSTEM
   GLTJ              SYSTEM
   GPRE              SYSTEM
   GRST              SYSTEM
   GSEC              SYSTEM
   GSTAT             SYSTEM
   ISCINSTALL        SYSTEM
   QLI               SYSTEM
   SETINTERBASE      SYSTEM
   RESETINTERBASE    SYSTEM
   PLISTF            SYSTEM
   FINDDIR           SYSTEM
   FINDFILE          SYSTEM
   LISTDIR           SYSTEM
   DISCUSE           SYSTEM
   SH                SYSTEM
   HPMPETOHFS        SYSTEM
   HPLISTFCLEANUP    SYSTEM
   HPPARSEFEQ        SYSTEM

  REPORT   =  Lists CPU allocation, disk allocation, disk volume, and
connect time for your group.

Case in point:

:REPORT

ACCOUNT       FILESPACE-SECTORS     CPU-SECONDS    CONNECT-MINUTES
   /GROUP       COUNT    LIMIT    COUNT    LIMIT    COUNT    LIMIT
RJE                 0       **        2       **        2       **
   /PUB             0       **        2       **        2       **

 SHOWJOB  =  Lists all users and their group information along
with their session number and the availability to accept messages in
the form of QUIET for not being able to accept messages.

Case in point:

:SHOWJOB

JOBNUM  STATE IPRI JIN  JLIST    INTRODUCED  JOB NAME

#J11627 EXEC        10S LP       FRI  1:11A  GLPOSTJ,MGR.HPFAS
#J11625 EXEC        10S LP       FRI  1:11A  ARPOSTJ,MGR.HPFAS
#S9651  EXEC       302  302      FRI  1:19A  LDEV220,PRINT.SPI
#S9650  EXEC       221  221      FRI  1:18A  LDEV221,FORM1.SPI
#J11626 EXEC        10S LP       FRI  1:11A  APPOSTJ,MGR.HPFAS
#S9725  EXEC       116  16      FRI  9:30P  MGR.RJE
#S8886  EXEC        20  20       FRI 10:20A  CONSOLE,OPERATOR.SYS
#J11628 EXEC        10S LP       FRI  1:11A  MAXSTART,MGR.HPFAS
#S9652  EXEC       117  117      FRI  1:45A  SPIM1.SPI
#S9656  EXEC       213  213      FRI  6:59A  MIS,MGR.HPFAS
#S9701  EXEC       202  202      FRI 12:53P  PRINT1.SPI
#S9721  EXEC       214  214      FRI  4:56P  MSPENCE.SPI
#S923  EXEC       211  211      FRI  7:39P  SUPV.SPI

13 JOBS:
    0 INTRO
    0 WAIT; INCL 0 DEFERRED
   13 EXEC; INCL 9 SESSIONS
    0 SUSP
JOBFENCE= 7; JLIMIT= 8; SLIMIT= 30


CURRENT:  6/28/96 21:44

JOBNUM  STATE IPRI JIN  JLIST    SCHEDULED-INTRO   JOB NAME

#J11607 SCHED    8  10S LP        6/28/96 22:15    FOBACKUP,MGR.SPI
#J11602 SCHED    8  10S LP        6/28/96 23:27    PSI0560J,MGR.SPI
#J11603 SCHED    8  10S LP        6/28/96 23:30    CPMNT2AJ,MGR.SPI
#J11605 SCHED    8  10S LP        6/28/96 23:35    PSI0560J,MGR.SPI
#J11608 SCHED    8  10S LP        6/29/96  0:30    SPIOFF,MGR.SPI
#J11639 SCHED    8  10S LP        6/29/96  5:00    PSI0890,MGR.SPI
#J11642 SCHED    8  10S LP        6/29/96  7:00    SLHCHCKJ,MGR.SPI
#J11866 SCHED    8  10S LP        6/29/96 16:00    UOMCHCKJ,MGR.SPI
#J10694 SCHED    8  10S LP        6/29/96 17:00    CAPCHCKJ,MGR.SPI
#J11885 SCHED    8  10S LP        6/29/96 18:00    NEWPRCEJ,MGR.SPI
#J11886 SCHED    8  10S LP        6/29/96 19:30    ORDERSJ,MGR.SPI
#J11636 SCHED    1  10S LP        6/30/96  4:00    VENDLIST,MGR.HPFAS
#J11892 SCHED    1  10S LP        6/30/96  4:00    VENDLIST,MGR.HPFAS
#J10720 SCHED    8  10S LP        7/ 1/96  0:00    WEEKINV,MGR.SPI
#J6568  SCHED    8  10S LP        7/ 1/96  6:30    DOWNTBJ,MGR.SPI
#J11884 SCHED    1  10S LP        7/ 1/96 17:15    BPOSTAR,MGR.HPFAS
#J11889 SCHED    1  10S LP        7/ 1/96 20:00    BPOSTAP,MGR.HPFAS
#J11890 SCHED    1  10S LP        7/ 1/96 20:10    BPOSTGL,MGR.HPFAS
#J11891 SCHED    1  10S LP        7/ 5/96 20:15    AUDITRPJ,MGR.HPFAS

19 SCHEDULED JOB(S)

   Commands that you wont want to use..

SHOWTIME                  Shows the current time.

TELLOP <message>          Messages Operator.

SETMSG ON/OFF             Sets your availability to recieve messages.

TELL <Job>,<User>.<acct>; Message  Sends a message to someone signed on.

                         #Logging off#  
 To log off just type BYE or EXIT at the prompt. You will then recieve
this logoff message..

:BYE

CPU=43. Connect=33. SAT, JUN 29, 1996, 1:03 AM.

NO CARRIER

                       #Conclusion#

 I hope this file will spawn possible intrest once again in HP3000s
and the MPE Platform. HP will continue to support the MPE platform
for a very long time and with the extensive business software and
porting of unix to MPE systems you should expect to see these systems
for a few more decades. Greets to Black IC for his VESOFT write up 
and to The Underground Consortium for their Hewlet Packard support.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH