💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › VMS › ccc-vms.txt captured on 2022-06-12 at 08:53:00.
-=-=-=-=-=-=-
+----------------------------------------------------------------------------+
!                     Beginners Guide to VAX/VMS Hacking                     !
!                                                                            !
!             File By ENTITY / Corrupt Computing Canada (c) 1989             !
!                                                                            !
!                         CORRUPT COMPUTING CANADA!                          !
!                                                                            !
!               CALL: (416)/398-3301  Login: Guest, PW: Guest                !
!                     (416)/756-4545  type !!  Login: lynx                   !
!                                                                            !
+----------------------------------------------------------------------------+
!   You may freely distribute this file as long as no modifications of any   !
!   form are made to the file. All rights reserved by...What rights?!        !
+----------------------------------------------------------------------------+

                                                          September 12, 1989

INTRODUCTION
------------

Perhaps the most exciting operating system to HACK on is VAX/VMS. It offers
many challenges for hackers and boasts one of the best security systems ever
developed. In comparison to the security on UNIX, VMS is far superior in
every respect. It can be very difficult to get inside such a system, and even
harder to STAY inside, but isn't that what this is all about?!

I have written this file as a way for beginning hackers to learn about the
VMS operating system. There is such a vast amount of information that can be
related about VAX/VMS hacking that it is not possible for me to cover
everything in just one file. As such I will try to stick to the basics in
this file, and hopefully write another file in the future that deals with
heavy-duty kernel programming, the various data structures, and system
service calls. All right, so let's get at it!

GETTING IN
----------

First of all, how do you recognize a VAX when you see one?! Well, the thing
that always gives a VAX away is that when you log on you will see:

Username:

It may also have some other info before it asks you for the username,
usually identifying the company, and perhaps a message to the effect of:

Unauthorized Users will be prosecuted to the fullest extent of the law!

That should get you right in the mood for some serious hacking!
Ok, so when you have determined that the system you have logged into is
indeed a VAX, you will at this point have to enter your SYSTEM LOGIN.
Basically, VAXes ship with several default logins which will get you into
the system. However, on MOST systems these default logins are changed by the
system manager. In any case, before you try any other logins, you should try
these (since some system managers are lazy and don't bother changing them):

Username        Password        Alternate
-------------------------------------------------------------------------------
SYSTEM          MANAGER         OPERATOR
FIELD           SERVICE         TEST
DEFAULT         DEFAULT         USER
SYSTEST         UETP            SYSTEST
DECNET          DECNET          NONPRIV

That's it. Those are the default system users/passwords. The only ones on
the list that are GUARANTEED to be in the user list are SYSTEM and DEFAULT.
However, I have never come across a system where these two haven't been
changed from their default passwords to something else. In the above list,
the alternate password is simply a password many operators change the
default to, so if the first password doesn't work, try the alternate.

It should be noted that when a user is added to the system, the new
account's password is, by default, left the SAME as the username unless the
system manager picks something else. You should keep this point in mind
because it is VERY important: most of the accounts you hack out will be found
this way! Remember too that every wrong guess is counted against the account
(see below), so guess with care.

Ok, if the above ones don't work, then you should try these accounts.
These following accounts are NOT defaults, but through experience I have
found that many systems use these accounts or some variation thereof:

Username        Password
---------------------------
VAX             VAX
VMS             VMS
DCL             DCL
DEC             DEC        *
DEMO            DEMO       *
TEST            TEST       *
NETNONPRIV      NONPRIV    *
NETPRIV         PRIV
ORACLE          ORACLE     *
ALLIN1          ALLIN1     *
INGRES          INGRES     *
GUEST           GUEST      *
GAMES           GAMES
BACKUP          BACKUP     *
HOST            HOST
USER            USER       *
DIGITAL         DIGITAL
REMOTE          REMOTE     *
SAS             SAS
FAULT           FAULT
USERP           USERP
VISITOR         VISITOR
GEAC            GEAC
VLSI            VLSI
INFO            INFO       *
POSTMASTER      MAIL
NET             NET
LIBRARY         LIBRARY
OPERATOR        OPERATOR   *
OPER            OPER

The ones that have asterisks (*) beside them are the more popular ones, and
you have a better chance with them, so you should try them first.

It should be noted that the VAX will not give you any indication of whether
the username you typed in is valid or not. Even if you type in a username
that does not exist on the system, it will still ask you for a password, and
a wrong password and a nonexistent username get the same failure message.
Keep this in mind: if you are not sure whether an account exists, don't
waste your time trying to hack out its password. You could be on a wild
goose chase!

You should also keep in mind that ALL bad login attempts are kept track of,
and when the real user next logs in he is informed of how many failed
attempts there were on his account. If he sees 400 login failures, I am sure
he will know someone is trying to hack his account.

THE BASICS
----------

Ok, I am assuming you tried all the above defaults and managed to get
yourself into the system. Now the real FUN begins!

First things first. After you log in you will get some message about the
last time you logged in, etc. If this is the first time you have logged into
this system, then you should note the last login date and time and WRITE IT
DOWN! This is important for several reasons, the main one being that you
want to find out whether the account you have just hacked is an ACTIVE or an
INACTIVE account. The best accounts are the inactive ones. Why?!
Well, the inactive accounts are those that people are not currently using,
meaning there is a better chance of you holding onto that account and not
being discovered by the system operator. If the account has not been logged
into for the last month or so, there's a good chance that it is inactive.

Ok, anyhow, once you're in, if you have a normal account with access to DCL
you will get a prompt that looks like:

$

This may vary from machine to machine, but it's usually the same. If you
have a weird prompt and would like a normal one, type:

$ set prompt=$

If this is the first time you have hacked into this system, there are a
couple of steps you should take immediately. First type:

$ set control=(y,t)

This enables Ctrl-Y (interrupt) and Ctrl-T (process status line) so that you
can stop a file or command if you make a mistake. Usually Ctrl-Y is already
active, but this command makes sure of it. (Note: in general, to abort a
command or program you can type Ctrl-C or Ctrl-Y; at the DCL level a Ctrl-C
that the program has not claimed is treated as Ctrl-Y.)

Ok, anyhow, the next step is to open the capture buffer in your terminal
program, then type:

$ type sys$system:rightslist.dat

This dumps the rights database, which has all the system's users listed in
it (each username shows up as an identifier). You may notice a lot of weird
garbage characters; don't worry about those, that is normal, since the file
is a record-structured database rather than plain text. If the system
manager has restricted the protection on this file you will get a protection
violation instead of a listing.

After this file ends and you get the shell prompt again ($), save the
buffer, clear it out and leave it open. Then type:

$ show logical

After this output is buffered, save it also. At this point you have two
files on your disk which will help you hack out MORE accounts on the system.

For now, let's find out how powerful the account you currently hacked into
is. You should type:

$ set proc/priv=all

This may give you a message telling you that not all of your privileges were
granted. That's ok. Now type:

$ show proc/priv

This will give you a list of all the privileges your account is set up for.
Usually most user accounts only have NETMBX and TMPMBX privs. If you have
more than these two, then it could mean that you have a nice high-level user.
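As an added example (not part of the original file, and not VMS code), here is a small Python simulation of the login behaviour described under GETTING IN and THE BASICS: the same failure message whether or not the username exists, a per-account count of failed attempts that is shown to the owner at the next successful login, and a new account whose password defaults to its username. The salted hashing, the clock values and the account names are assumptions of the simulation. The audit function at the end tries the default pairs from the tables above plus password-equals-username, and shows why a sweep turns up in the owner's failure count and overwrites the last-login time you were told to write down.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One constant failure text, so a bad password and a nonexistent username are
# indistinguishable to the caller (the behaviour described above).
FAILURE_MESSAGE = "User authorization failure"

# Default pairs from the table above, including the alternates.
DEFAULT_CREDENTIALS: List[Tuple[str, str]] = [
    ("SYSTEM", "MANAGER"), ("SYSTEM", "OPERATOR"),
    ("FIELD", "SERVICE"), ("FIELD", "TEST"),
    ("DEFAULT", "DEFAULT"), ("DEFAULT", "USER"),
    ("SYSTEST", "UETP"), ("SYSTEST", "SYSTEST"),
    ("DECNET", "DECNET"), ("DECNET", "NONPRIV"),
]


@dataclass
class Account:
    salt: bytes
    verifier: bytes
    failed_since_login: int = 0
    last_login: Optional[str] = None


def _verifier(password: str, salt: bytes) -> bytes:
    # Assumption: salted PBKDF2-SHA256 stands in for the real VMS password hash.
    # Passwords are folded to upper case, as classic VMS did (assumption here).
    return hashlib.pbkdf2_hmac("sha256", password.upper().encode(), salt, 10_000)


class LoginSimulator:
    """Models the login sequence: counted failures, last-login report."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        self._dummy_salt = os.urandom(16)   # unknown users cost the same work

    def add_user(self, username: str, password: Optional[str] = None) -> None:
        # The page's warning: a new account is often left with password == username.
        if password is None:
            password = username
        salt = os.urandom(16)
        self._accounts[username.upper()] = Account(salt, _verifier(password, salt))

    def login(self, username: str, password: str, when: str) -> dict:
        acct = self._accounts.get(username.upper())
        if acct is None:
            _verifier(password, self._dummy_salt)       # same work, same message
            return {"ok": False, "message": FAILURE_MESSAGE}
        if not hmac.compare_digest(_verifier(password, acct.salt), acct.verifier):
            acct.failed_since_login += 1               # counted, reported to the owner later
            return {"ok": False, "message": FAILURE_MESSAGE}
        report = {"ok": True, "last_login": acct.last_login,
                  "failures": acct.failed_since_login}
        acct.failed_since_login = 0                    # the report resets the counter
        acct.last_login = when                         # ...and overwrites the last-login time
        return report


def audit_default_credentials(sim: LoginSimulator, usernames: List[str], when: str):
    """Try the documented defaults and password == username for every known user.
    Returns the pairs that worked, in the order tried. Every miss bumps that
    account's failure count, which is what the page warns the owner will see."""
    candidates = list(DEFAULT_CREDENTIALS) + [(u.upper(), u.upper()) for u in usernames]
    return [(u, p) for u, p in candidates if sim.login(u, p, when)["ok"]]


if __name__ == "__main__":
    sim = LoginSimulator()
    sim.add_user("SYSTEM", "MANAGER")   # constructed: manager never changed it
    sim.add_user("ENTITY", "s3cret")    # constructed: a real user with a real password
    sim.add_user("GUEST")               # constructed: password left equal to the username
    print(sim.login("NOSUCH", "x", "t1"), sim.login("ENTITY", "x", "t1"))
    print(audit_default_credentials(sim, ["ENTITY", "GUEST"], "t2"))
    print(sim.login("ENTITY", "s3cret", "t3"))   # owner sees the failures the sweep caused
```

Two things the run makes visible: the nonexistent user and the wrong password return identical dictionaries (and do the same amount of hashing, so timing does not leak which it was), and the audit's misses are still sitting in each owner's failure counter at their next login, while its hits have already replaced the last-login time of the accounts it opened.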
Unlike UNIX, which only distinguishes between user and superuser, VMS has a
whole shitload of different privileges you can gain. The basic privs are as
follows:

PRIVILEGE     DESCRIPTION
------------------------------------------------------------------------------
NONE          no privilege at all

NORMAL PRIVS
------------
MOUNT         Execute mount volume QIO
NETMBX        Create network connections (you need this to call out!)
TMPMBX        Create temporary mailbox

GROUP PRIVS
-----------
GROUP         Control processes in the same group
GRPPRV        Group access through SYSTEM protection field

DEVOUR PRIVS
------------
ACNT          Disable accounting
ALLSPOOL      Allocate spooled devices
BUGCHK        Make bugcheck error log entries
EXQUOTA       Exceed disk quotas
GRPNAM        Insert group logical names in the name table
PRMCEB        Create/delete permanent common event flag clusters
PRMGBL        Create permanent global sections
PRMMBX        Create permanent mailboxes
SHMEM         Create/delete structures in shared memory

SYSTEM PRIVS
------------
ALTPRI        Set base priority higher than allotment
OPER          Perform operator functions
PSWAPM        Change process swap mode
WORLD         Control any process
SECURITY      Perform security related functions
SHARE         Access devices allocated to other users
SYSLCK        Lock system-wide resources

FILES PRIVS
-----------
DIAGNOSE      Diagnose devices
SYSGBL        Create system-wide global sections
VOLPRO        Override volume protection

ALL PRIVS
---------
BYPASS        Disregard protection
CMEXEC        Change to executive mode
CMKRNL        Change to kernel mode
DETACH        Create detached processes of arbitrary UIC
LOG_IO        Issue logical I/O requests
PFNMAP        Map to specific physical pages
PHY_IO        Issue physical I/O requests
READALL       Possess read access to everything
SETPRV        *** ENABLE ALL PRIVILEGES!!! ***
SYSNAM        Insert system logical names in the name table
SYSPRV        Access objects through SYSTEM protection field

Ok, that's the lot of them! I will explain some of the more important
privileges later in the file. For now, at least you can see just how
powerful the account is: any privilege in the ALL group is enough to take
over the whole system, since each of them can be used to obtain the rest
(SETPRV directly, the others by getting into kernel mode or around file
protection).
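The tiers in the table above can be turned into a quick check of how powerful an account is. The following is an added example, not code from the original file: it parses the privilege names out of a constructed, simplified SHOW PROCESS/PRIVILEGES listing (the sample text and its layout are assumptions) and ranks the set by the table's tiers, flagging any ALL-group privilege as full control and reporting names the table does not know.

```python
from typing import Dict, Set

# The tiers exactly as listed in the table above.
PRIVILEGE_TIERS: Dict[str, Set[str]] = {
    "NORMAL": {"MOUNT", "NETMBX", "TMPMBX"},
    "GROUP": {"GROUP", "GRPPRV"},
    "DEVOUR": {"ACNT", "ALLSPOOL", "BUGCHK", "EXQUOTA", "GRPNAM",
               "PRMCEB", "PRMGBL", "PRMMBX", "SHMEM"},
    "SYSTEM": {"ALTPRI", "OPER", "PSWAPM", "WORLD", "SECURITY", "SHARE", "SYSLCK"},
    "FILES": {"DIAGNOSE", "SYSGBL", "VOLPRO"},
    "ALL": {"BYPASS", "CMEXEC", "CMKRNL", "DETACH", "LOG_IO", "PFNMAP",
            "PHY_IO", "READALL", "SETPRV", "SYSNAM", "SYSPRV"},
}
# Later entries outrank earlier ones.
TIER_ORDER = ["NONE", "NORMAL", "GROUP", "DEVOUR", "SYSTEM", "FILES", "ALL"]

# Constructed sample in the general shape of a SHOW PROCESS/PRIVILEGES listing.
# Assumption: the real layout differs in detail; only the first word of each
# indented line under "Process privileges:" is used.
SAMPLE_LISTING = """\
12-SEP-1989 21:14:03.22   TTA3:   User: ENTITY   Process ID: 00000123

Authorized privileges:
 NETMBX               TMPMBX

Process privileges:
 NETMBX               may create network device
 TMPMBX               may create temporary mailbox

Process rights:
 ENTITY
"""


def parse_privilege_listing(text: str) -> Set[str]:
    """Collect privilege names from the 'Process privileges:' section.
    The section ends at the first line that is not indented (a blank line or
    the next header)."""
    privs: Set[str] = set()
    in_section = False
    for line in text.splitlines():
        if line.strip().lower() == "process privileges:":
            in_section = True
            continue
        if not in_section:
            continue
        parts = line.split()
        if not line.startswith(" ") or not parts:
            break
        if parts[0].isupper():          # privilege names are upper case (LOG_IO etc.)
            privs.add(parts[0])
    return privs


def rank_privileges(privs: Set[str]) -> dict:
    """Highest tier held, the ALL-group privileges present (each one is
    enough for full control), and any names not in the table."""
    known = set().union(*PRIVILEGE_TIERS.values())
    tier = "NONE"
    for name in TIER_ORDER[1:]:
        if privs & PRIVILEGE_TIERS[name]:
            tier = name
    return {
        "tier": tier,
        "full_control_via": sorted(privs & PRIVILEGE_TIERS["ALL"]),
        "unknown": sorted(privs - known),
    }


def assess(listing: str) -> dict:
    """Parse a listing and rank it in one step."""
    return rank_privileges(parse_privilege_listing(listing))


if __name__ == "__main__":
    print(assess(SAMPLE_LISTING))                                  # the usual NETMBX/TMPMBX user
    print(rank_privileges({"NETMBX", "TMPMBX", "OPER", "CMKRNL"}))  # CMKRNL alone means "ALL"
```

The point of `full_control_via` is that the tier alone understates an account: OPER plus CMKRNL is not a "system operator" account, it is an account that can become anything, and that is the line a privilege review should draw.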
It should be noted that most accounts are usually only granted the TMPMBX
and NETMBX privileges, so if you don't have the others, don't fret too much.

GENERAL TERMINOLOGY
-------------------

I think that I should clarify some of the basic concepts involved with the
VAX/VMS operating system before we go any further:

PROCESS:    this is what is created when you log in. The system sets aside
            CPU time and memory for you and calls it a process. Any task
            that is run in VMS runs as a process.

SUBPROCESS: also known as a child process, this is just a process that was
            created by another process.

DCL:        Digital Command Language. This is the shell ($) that you are
            put into when you log into a VAX.

MCR:        an alternate shell that is used (rarely) on certain accounts.
            Its prompt is a > as opposed to DCL, which gives a $.

SHELL:      this is the '