$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$
L                                   L
O            Lex Luthor             O
D                and                D
$       The Legion Of Hackers       $
L             Present:              L
O                                   O
D     HACKING VAX'S VMS Part III    D
$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$
L                                   L
O  This file will help ensure your  O
D  survival on a VMS V4.x system.   D
$ Also, information on DECnet and a $
L  listing of the major changes in  L
O  the VMS operating system for     O
D  Version 4.X from Version 3.X.    D
$                                   $
LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$L

COMMON ACCOUNTS (PART III):
---------------------------

Yet more common usernames found on various VMS systems. First, try the
username as the password, and also combinations thereof, to gain access.

Username:
---------
SYS
NETCON
ALLIN1
NETPRIV
OPERVAX
ALLINONE
TELEDEMO
NETSERVER
NETNONPRIV

When logging in with these, or any other username, if you encounter any
problems, many of which were mentioned in Part II under the 'Interior
Barriers' section, you may wish to try:

Username: UNAME /NOCOMMAND
Password:
Password:

     LOD/H Counter-Intelligence System

     Last interactive login on Friday, 01-JUN-1985 10:20.11
$

As you have noticed, the login qualifier /NOCOMMAND was entered after the
username. The qualifiers which may or may not be allowed at login are:

1) /CLI=      (Command Line Interpreter) allows you to specify either DCL
              (Digital Command Language), which is the default, or MCR
              (Monitor Control Routine).

2) /COMMAND=  The default login command file for the account you are
              breaking into may not allow you access to the operating
              system. /NOCOMMAND ensures that the default login command
              procedure is not executed, and therefore you are able to
              gain access to the operating system, unless the account is
              a Captive account.

3) /DISK=     Allows you to specify a disk other than the default.

4) /TABLES=   Specifies the name of another CLI table to override the
              default listed in the UAF.

The most commonly used of these is /NOCOMMAND. None of these can be used
when the account is a Captive account.
A Captive account allows very limited access to the system. Captive accounts
usually dump you into an application program or special menu, which gives you
very little mobility and little chance of breaking out, since control-Y is
disabled, and so is the use of all login qualifiers; thus, a very useful
security measure. Also shown above was a second password prompt, which
indicates that the username requires a secondary password; this is not
implemented very often, though.

STEALTH CAPABILITIES:
---------------------

This section will explain how to reduce the chances of being detected on a
system. The following information is especially useful for VMS Versions 4.x
and above. Upon logging on, there are certain commands which should be run
before you begin to scavenge the system for data. They are, in order of
importance and occurrence: SHOW USERS, SHOW PROCESS/PRIVS, SHOW SYS, SHOW
AUDIT, and SHOW INTRUSION.

SHOW USERS was mentioned in Part I. If you encounter other users you will
want to take note of the usernames for two reasons. One is to attempt to
guess passwords which may allow you higher access, or at least another
account to fall back on in case your current hacked account is terminated.
Reason number two is that you will want to know if the users are 'active'
or if they left their terminal logged on and went home, thus posing no
immediate threat to you.

$ SHOW PROCESS/PRIVS

(This was also mentioned in previous files.) You must have sufficient privs
to use SHOW AUDIT and SHOW INTRUSION; thus, this will allow you to see if
you do. On some systems, only the TMPMBX and NETMBX privileges are shown,
whether you have any other privs or not. Therefore, you should try:

$ SET PROCESS/PRIVS=GROUP

(Start with GROUP and if that works, continue up the line to see if you have
ALL.) You may need only certain privs to run programs, view files, etc., not
ALL.
$ SHOW SYS
VAX/VMS V4.2  on node COINS   01-JUN-1985 19:29:37.24  Uptime  14 07:06:05
  Pid    Process Name    State  Pri      I/O       CPU       Page flts  Ph.Mem
00000080 NULL            COM      0        0   13 11:47:16.35         0      0
00000083 SWAPPER         HIB     16        0    0 00:00:25.29         0      0
00000084 JOB_CONTROL     LEF      8    10209    0 00:02:49.25     23461    121
0000071B LOD/H618        CUR      4     2593    0 00:00:09.22       658    161

Pid stands for Process ID. Process Name is a username or a batch job name.
The most important bit of information is the State. You will be particularly
concerned with CUR, which means CURrently using the processor. You will see
your own username with CUR next to it. If any other Process Name has a state
of CUR, and the name is found when you perform the SHOW USERS command, then
you can be sure that another user of the system is actually using the system
and not on vacation with his terminal logged on 24 hours a day. If you are
extremely paranoid or extremely careful, you may want to log off, since that
user may check who is on the system and notice that that user (YOU!) should
not be logged on at that time, or whatever. This can lead to a changing of
the hacked account's password, or even worse, your detection/capture.

COM and COMO mean the process is computable and ready to use the processor.
HIB and HIBO are HIBernating processes and you shouldn't worry about them.
FPG means that the process is waiting for a Free PaGe of memory. LEF and CEF
are interactive users who are thinking or may be waiting for disk I/O; these
are just as important to take note of as CUR.

$ SHOW AUDIT
Security alarms currently disabled

or

$ SHOW AUDIT
Security alarms currently enabled for:
    ACL
    BREAKIN:     (DIALUP,LOCAL,REMOTE,NETWORK,DETACHED)
    FILE_ACCESS:
        FAILURE: (READ,WRITE,EXECUTE,DELETE,CONTROL)
        BYPASS:  (READ,WRITE,EXECUTE,DELETE,CONTROL)
    LOGIN:       (DIALUP)
    LOGOUT:      (DIALUP)

The SHOW AUDIT command reveals the extent of security which is currently
enabled or disabled on the system.
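The SHOW SYS states explained above, parsed out of a captured listing and sorted into "using the CPU", "waiting on input or I/O" and "dormant". This is an added example and not code from the original file: the listing is constructed to match the layout above, the state meanings follow the text, and the set of VMS-owned process names is an assumption. The same classification is what an operator uses to spot the situation the text describes, a terminal left logged on all day: an interactive process that sits in LEF with no I/O count change between two listings.

```python
"""Parse a SHOW SYS listing and classify each process by scheduler state.

Added example, not part of the original LOD/H file.  The sample listing is
constructed in the SHOW SYS layout shown above; the state codes and their
meanings follow the text (CUR, COM/COMO, LEF/CEF, HIB/HIBO, FPG)."""
import re

# Constructed sample laid out like the SHOW SYS output above.
SAMPLE_SHOW_SYS = """\
VAX/VMS V4.2  on node COINS   01-JUN-1985 19:29:37.24  Uptime  14 07:06:05
  Pid    Process Name    State  Pri      I/O       CPU       Page flts  Ph.Mem
00000080 NULL            COM      0        0   13 11:47:16.35         0      0
00000083 SWAPPER         HIB     16        0    0 00:00:25.29         0      0
00000084 JOB_CONTROL     LEF      8    10209    0 00:02:49.25     23461    121
0000071B LOD/H618        CUR      4     2593    0 00:00:09.22       658    161
00000721 OPERVAX         LEF      4      412    0 00:00:03.10       900    140
00000730 BATCH_217       HIBO     4       85    0 00:00:01.02       120      0
"""

# State -> what an observer cares about.  "active" processes are on or want the
# CPU, "waiting" ones are blocked on terminal input or I/O (a live session, as
# the text says of LEF/CEF), "idle" ones are hibernating.
STATE_ACTIVITY = {
    "CUR": "active",    # currently executing on the processor
    "COM": "active",    # computable, waiting for the processor
    "COMO": "active",   # computable but outswapped
    "LEF": "waiting",   # local event flag wait: terminal input or disk I/O
    "LEFO": "waiting",  # same, outswapped
    "CEF": "waiting",   # common event flag wait
    "FPG": "waiting",   # waiting for a free page of memory
    "HIB": "idle",      # hibernating
    "HIBO": "idle",     # hibernating and outswapped
}

# Processes VMS itself runs; they are not logged-in users even when "active".
# (Assumed list; adjust for the system being reviewed.)
SYSTEM_PROCESSES = {"NULL", "SWAPPER", "JOB_CONTROL", "OPCOM", "ERRFMT"}

LINE_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\s+(?P<name>.+?)\s+(?P<state>[A-Z]+)\s+(?P<pri>\d+)"
    r"\s+(?P<io>\d+)\s+(?P<cpu>\d+ \d\d:\d\d:\d\d\.\d\d)\s+(?P<flts>\d+)"
    r"\s+(?P<mem>\d+)\s*$"
)


def parse_show_sys(listing):
    """Return one dict per process line; banner and header lines are skipped."""
    procs = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("pri", "io", "flts", "mem"):
            rec[key] = int(rec[key])
        rec["activity"] = STATE_ACTIVITY.get(rec["state"], "unknown")
        procs.append(rec)
    return procs


def summarize(listing):
    """Group process names by activity class, in listing order."""
    groups = {"active": [], "waiting": [], "idle": [], "unknown": []}
    for proc in parse_show_sys(listing):
        groups[proc["activity"]].append(proc["name"])
    return groups


def live_sessions(listing, own_name=None):
    """Non-system processes that are running or waiting on input: the sessions
    someone may actually be sitting at.  own_name drops the observer's own."""
    return [p["name"] for p in parse_show_sys(listing)
            if p["activity"] in ("active", "waiting")
            and p["name"] not in SYSTEM_PROCESSES
            and p["name"] != own_name]


if __name__ == "__main__":
    for cls, names in summarize(SAMPLE_SHOW_SYS).items():
        print(f"{cls:8} {', '.join(names) or '-'}")
    print("live sessions besides LOD/H618:",
          live_sessions(SAMPLE_SHOW_SYS, "LOD/H618"))
```

Comparing the I/O column of two listings taken a few minutes apart tells the LEF cases apart: a process whose count moved is being used, one whose count has not moved is a terminal somebody walked away from.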
Security operators may receive an alarm when:

1) An Access Control List (ACL) access requests the alarm. Files which are
   so designated will sound an alarm when accessed, either legally or
   illegally. Thus, you will want to do a SHOW ACL on files which you are
   suspicious of, before blindly accessing them.

2) The system detects a possible breakin attempt. This is dependent upon
   what the 'threshold' is. The threshold may be 3 invalid attempts on an
   account, or 10 attempts. When the threshold is reached, an alarm will
   sound. Knowing what the threshold is, if any, will help you if you get
   'locked out' of the system. When you try to hack back in, if you only
   make 4 password attempts when the threshold is 5 and then move on to the
   next username, an alarm will not sound, but of course the login failures
   will appear in the login message, stating "4 failures since last
   successful login." when the valid user finally logs in on that account.
   If there is no threshold, you can hack and hack and not get an alarm. It
   is advised that you hack until you get in on the same account, and then
   YOU will receive the "200 login failures since last login" message and
   NOT the valid user. Also, if the threshold is reached, there may not be
   anyone around to notice/hear it. But they will know about it sooner or
   later. If they do notice it right away, and you continue, be sure to call
   someone to bail you out of jail, since I don't think anyone would take an
   alarm too lightly. For all they know, you could be committing industrial
   espionage, fraud and embezzlement, or just be another 'pesky' hacker.

3) A file access fails with any of the R, W, E, D, or C accesses. If this
   alarm is used, you should not use the methods of scavenging noted in
   Parts I and II (the use of wildcard file/directory searches) unless you
   have sufficient privileges, because you will get all kinds of access
   attempt violations and an alarm will sound.
   If this alarm is not activated, you can perform file and directory
   searches all you want, and no matter how many error/violation messages
   you receive, no one else will know about it.

4) A file access with R, W, E, D, or C access is gained by means of the
   BYPASS privilege. No big deal, since if you have BYPASS privs, you
   probably have ALL privs. System operators are too lazy to assess
   end-users' security needs and therefore give them more privs than they
   need instead of limiting them to BYPASS or some other privilege. So you
   access a file via another priv, and avoid an alarm sounding. If there are
   no alarms activated for using BYPASS, and you only have BYPASS (not
   SETPRV or SYSPRV), then you can still circumvent all file protection and
   you will not have to worry whether the FAILURE alarm is activated or not,
   since if you have access to all files, how can there be a failure caused
   by you not having sufficient access?

If the system detects a possible breakin, file access attempt, or dialup
port login, or whenever a dialup connection logs out, an alarm will sound IF
the qualifier is specified within AUDIT. The dialup login alarm is
especially useful if the operators are on to you. They can simply set the
alarm, tell all valid users not to log on via dialup, and wait for you, the
would-be unsuspecting hacker (if you did not read this article, that is), to
log in and subsequently be traced.

$ SHOW INTRUSION/TYPE=ALL
Intrusion   Type       Count  Expiration      Source
TERMINAL    INTRUDER       9  08:34:24.56     TTA0
NETWORK     SUSPECT        2  09:03:33.39     COINS::NSAUSER1

This command shows the contents of the breakin database, which contains
information about login failures that originate from a specific source and
that result from any number of failure types (incorrect password, account
expired, unknown username). Valid keywords are:

ALL       This is the default, and shows all breakin entries.

SUSPECT   Any and all login failures are recorded, but the threshold was not
          reached and it is not identified as an INTRUDER.
INTRUDER  Breakin entries which were high enough to warrant evasive action.

If the message:

%SHOW-F-NOINTRUDERS, no intrusion records match specification

appears, then the breakin database is empty; thus, no one has attempted to
illegally access the system, or there is no recording of breakin attempts.
You can determine that by SHOW AUDIT.

If after you log on you think you will be using the system a lot, you may
want to check the UAF under the account you intend to use for login flags.
You do not want ANY of the login flags to be used! You may want the [NO] in
front of AUDIT. This will definitely ensure that there is no auditing of the
account, and you will also want to make sure there is no ACCOUNTING of the
account. This may be suspicious, so use caution when doing so. Most of the
login flags are [NO] by default.

DECNET/PROXY LOGINS:
--------------------

Networking on VAXes is a major security hole. Once you gain access to a
system which has DECnet, you can gain access to other nodes, or at least
access files, do directory searches, and run programs remotely, without
having to guess passwords to access system resources! You can do this by:

1) $ TYPE PLOVER::SYS$SYSROOT:SYSUAF.LIS;*

2) $ DIR DOCWHO::SYS$SYSROOT:<000000...>

3) $ RUN LEGION::SYS$SYSROOT:AUTHORIZE
   UAF>

As you can see, the format is:

$ CMD-NAME NODE-NAME::DEVICE:FILE-OR-PROGRAM-NAME

Note: The node name MUST be followed by the two colons.

In example 1, you are simply listing out the contents of the SYSUAF.LIS
file, which is either a /BRIEF or a /FULL listing of all users on the host
system. Whenever a user enters LIST * /BRIEF (or /FULL), the system will
dump the information into a file with the extension .LIS instead of to the
screen. It would be dumped to the screen if LIST were replaced with SHOW.
See Parts I and II for more on SYSUAF and AUTHORIZE.
In example 2, you are simply getting a listing of all files in all
directories on the designated device/disk, beginning with a directory
containing a list of all other directories. And as stated in previous
articles, usernames are usually the same as some directory names.

In example 3, you are running AUTHORIZE and can then get a listing of all
the users, or can create an account, etc.

So you see, you do not need to break into any of those hosts, especially
if you have full access on the hacked system, since the privileges
'transfer' over to the remote node. If you do not have full privs, you are
limited to certain commands and files. You should still be able to get
enough information, by reading mail on all the other hosts or obtaining
usernames through means mentioned in the HACKING VMS series, to get priv'ed
and then have priv'ed access on all other nodes. You can also remotely SHOW
NETWORK to see if other nodes are networked with the remote node which are
not networked with the hacked system, and then access those.

One more note: on most systems, all accesses to objects (see Part II) are
recorded. And if there are alarms for accessing objects on the remote node,
they can go off. Check the file NETSERVER.LOG and other similar NET* and
.LOG files to determine exactly what information is and isn't recorded.

ACCOUNTING:
-----------

As usual, check previous articles for the basic information on accounting.
You will definitely want to continue using an account which is consistently
used. You do not want the system manager to look at the accounting record
and say "No one should be using this account, I wonder who it is...".
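The breakin threshold described under SHOW AUDIT above, and the login-failure records an accounting review of the kind this section describes turns up, looked at from the operator's side. This is an added example, not code from the original file. It assumes a threshold of 5 failures (the text gives 3, 5 and 10 as typical values), ignores the expiration window that SHOW INTRUSION displays, and uses a constructed "date time source OK|FAIL username" record layout rather than the real ACCOUNTING /FULL format. Besides the single hammered account that SHOW INTRUSION already reports as INTRUDER, it flags the spread pattern the text describes, where one source stays under the threshold on every account but walks through many of them.

```python
"""Classify login-failure records per source and per account.

Added example, not part of the original LOD/H file.  Thresholds and the record
layout are assumptions (see the comments); the records are constructed."""
from collections import defaultdict
from datetime import datetime

BREAKIN_LIMIT = 5        # assumed: failures on one account that make a source an INTRUDER
SPREAD_MIN_ACCOUNTS = 3  # assumed: this many accounts from one source looks like a sweep

# Constructed records: "DD-MON-YYYY HH:MM:SS.cc SOURCE OK|FAIL USERNAME".
SAMPLE_LOGFAIL = """\
01-JUN-1985 08:30:01.00 TTA0 FAIL SYSTEM
01-JUN-1985 08:30:25.00 TTA0 FAIL SYSTEM
01-JUN-1985 08:30:49.00 TTA0 FAIL SYSTEM
01-JUN-1985 08:31:10.00 TTA0 FAIL SYSTEM
01-JUN-1985 08:31:40.00 TTA0 FAIL OPERVAX
01-JUN-1985 08:32:05.00 TTA0 FAIL OPERVAX
01-JUN-1985 08:32:30.00 TTA0 FAIL OPERVAX
01-JUN-1985 08:33:00.00 TTA0 FAIL OPERVAX
01-JUN-1985 08:33:30.00 TTA0 FAIL NETCON
01-JUN-1985 08:34:00.00 TTA0 FAIL NETCON
01-JUN-1985 08:34:20.00 TTA0 FAIL NETCON
01-JUN-1985 08:34:45.00 TTA0 FAIL NETCON
01-JUN-1985 09:00:00.00 TTB3 FAIL ALLIN1
01-JUN-1985 09:00:30.00 TTB3 FAIL ALLIN1
01-JUN-1985 09:01:00.00 TTB3 FAIL ALLIN1
01-JUN-1985 09:01:30.00 TTB3 FAIL ALLIN1
01-JUN-1985 09:02:00.00 TTB3 FAIL ALLIN1
01-JUN-1985 09:02:30.00 TTB3 FAIL ALLIN1
01-JUN-1985 09:10:00.00 TTC1 FAIL OPERVAX
01-JUN-1985 09:10:40.00 TTC1 OK   OPERVAX
01-JUN-1985 10:15:00.00 TTD2 OK   SYSTEM
"""


def parse_records(text):
    """Parse the constructed layout into dicts, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, source, outcome, user = line.split()
        when = datetime.strptime(f"{date} {time}", "%d-%b-%Y %H:%M:%S.%f")
        records.append({"when": when, "source": source,
                        "ok": outcome == "OK", "user": user})
    return sorted(records, key=lambda r: r["when"])


def classify_sources(records, limit=BREAKIN_LIMIT, min_accounts=SPREAD_MIN_ACCOUNTS):
    """One verdict per source that produced failures.

    INTRUDER: some account got >= limit failures (what SHOW INTRUSION reports).
    SPREAD:   no account reached the limit, but the source failed on at least
              min_accounts accounts and >= limit times in total: the
              under-the-threshold sweep described in the text.
    SUSPECT:  a few failures, nothing more."""
    failures = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if not rec["ok"]:
            failures[rec["source"]][rec["user"]] += 1
    verdicts = {}
    for source, per_user in failures.items():
        worst = max(per_user.values())
        total = sum(per_user.values())
        if worst >= limit:
            verdicts[source] = "INTRUDER"
        elif total >= limit and len(per_user) >= min_accounts:
            verdicts[source] = "SPREAD"
        else:
            verdicts[source] = "SUSPECT"
    return verdicts


def login_failure_counts(records, username):
    """(failures shown at the account's last successful login, failures pending
    since then).  The first is the "N failures since last successful login"
    number the legitimate user saw; the second is what the next login will show.
    Returns None for the first value if the account has not logged in at all."""
    shown, pending = None, 0
    for rec in records:
        if rec["user"] != username:
            continue
        if rec["ok"]:
            shown, pending = pending, 0
        else:
            pending += 1
    return shown, pending


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOGFAIL)
    for source, verdict in sorted(classify_sources(recs).items()):
        print(f"{source:6} {verdict}")
    for user in ("SYSTEM", "OPERVAX", "ALLIN1"):
        print(user, login_failure_counts(recs, user))
```

The SPREAD verdict is the one worth adding to a review of /TYPE=LOGFAIL output: SHOW INTRUSION never reports it, because each account stays under the threshold, yet a dozen failures from one terminal across three accounts in five minutes is not a user mistyping a password.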
$ ACCOUNTING /FULL /USER=(LOD/H618) /SINCE=20-MAY-1985

INTERACTIVE Process Termination
-------------------------------
Username:          LOD/H618             UIC:                [001,005]
Account:           LOD/H                Finish time:        21-MAY-1985 20:20:53.15
Process ID:        0000071B             Start time:         21-MAY-1985 20:20:06.36
Owner ID:                               Elapsed time:       0 00:00:46.79
Terminal name:     TTD2                 Processor time:     0 00:00:07.57
Remote node addr:                       Priority:           4
Remote node name:                       Privilege <31-00>:  0108000
Remote ID:                              Privilege <63-32>:  00000000
Queue entry:                            Final status code:  10000001
Queue name:
Jobname:
Final status text: %SYSTEM-S-NORMAL, normal successful completion
Page faults:       644                  Direct IO:          37
etc. etc. etc. etc.

The wildcard for accounting is a "-" instead of the usual "*". You can
replace the username with a hyphen to view all users' accounting records.
There are many qualifiers which can be used with the ACCOUNTING command; the
ones you will want to get more information on via HELP are: /BEFORE, /FULL,
/REPORT, /SINCE, /SORT, /STATUS, /SUMMARY, /TYPE, and /USER.

/TYPE=LOGFAIL is an important qualifier. This will show you whether login
failures are recorded or not. If so, you will see all the 'hacksess'
attempts made on the user(s) of your choice. Now, if you get locked out, it
shouldn't matter how many times nor how many usernames you attempt to break
into, since there will be no record of it. If there is a record, you will
want to see if there is an alarm threshold, and if not, you should hack the
same account until you get in. You shouldn't try too many usernames all at
once unless you want all the passwords changed, probably not leaving any
default/common accounts for you to get lucky on.

CHANGES IN VMS 4.X FROM VMS 3.X
-------------------------------

VMS V4 is a much larger operating system than the V3 flavour. Additions to
the security, logical name, privilege and priority systems have been made.
A general list of modifications follows:

1.  Allows larger command buffers.
2.  Has multinational character set capability.
3.  Users can set the "$" prompt to their own choice of a string up to about
    30 characters (i.e.:
        $ set prompt "LOD>"
        LOD> SHOW ACL
    ).
5.  Command line recall (up to the last 20 lines).
6.  User-defined keys.
7.  Better error messages (they suggest actions to follow to correct
    problems).
8.  During a batch process you can now view the job log.
9.  They redesigned/enhanced the print/batch subsystem for clusters.
10. Enhancements to DCL (new commands).
13. Any VMS Version 3.4 or above can be upgraded to Version 4.x.
14. They have changed the installation method.
15. VMSINSTAL has been expanded (it is not compatible with V3 syntax, but
    V3 install will still be available on the system).
16. It is now possible for the VMS system to be on different system discs.
17. Cluster systems with common system discs are supported.
18. New commands for Connect/Disconnect, since processes are left running
    if a disconnect occurs. If your line is dropped you can log in, see
    your old process and reconnect to it.
19. Control character echoing (^Y and ^C are echoed in reverse video, which
    says "*interrupt*").
20. Broadcast messages have been classed. You can determine which broadcast
    messages you will receive. For example, you can stop broadcast messages
    from being received while you are in the editor.
21. They now have terminal support for all of the DEC terminals.
22. There are new terminal characteristics which can be set.
23. Security has been greatly modified:
    A. Disc scavenge protection (deleted files are actually erased rather
       than just being removed from the table of contents).
    B. New privileges.
    C. Alphanumeric UICs and full longword UICs.
    D. A rights database (a system manager can see who has a particular
       privilege).
    E. Access Control Lists.
    F. Login security.
    G. Security alarms.
    H. Optional system password to be entered before the "Username:" prompt
       will appear.
24. Support for a larger working set (65,000 pages).
25. Run Time Library enhancements (including multiple shareable images).
26. Sort/Merge improved to 2.4 times faster.
27. EDT has been enhanced.
28. Utilities have been enhanced:
    A. Analyze/Media - Analyze/Crash_dump invokes SDA, has new keypad mode
       and new commands and qualifiers. If you SET PROCESS/DUMP,
       ANALYZE/PROCESS_DUMP invokes DEBUG.
    B. Exchange replaces FLX.
    C. Mail - 2-key ISAM files; date/time of insertion; mail goes into
       folders (3 given folders are MAIL, NEWMAIL, and WASTEBASKET); "file"
       stores mail to folders; "extract" creates disc files; new keypad
       mode.
    D. Librarian - allows data reduction; /data=expand will restore from
       reduce (restores spaces and tabs). This is not /compress, which
       deletes spaces and tabs.
    E. Common qualifiers.
    F. Patch/Absolute.
29. RMS (Record Management Services) update: 39 characters for filenames
    and their extensions. Directories can also have 39 characters.
30. All VMS products will be available on mag tape.
31. SYSGEN has been changed to reflect new parameters. The new SHOW/LGI
    will show security login information.
32. VMS Exec enhanced. $GETSYI shows all SYSGEN parameters.
33. Process ID format has been changed. A process at kernel AST level is no
    longer deletable.

FILE PROTECTION:
----------------

Just some notes on file protection; a more in-depth look will be featured
in Part IV, which will be co-written by Silver Spy.

A newly created file, including a new generation, is created with the
user's default protection and NOT the default protection of the directory.
If the user who created the directory is, for example, UIC=010,nnn and that
user's default protection is (RWED,RWED,RE,), then users who are not in
group 010 cannot access the file! To allow other users to access the file,
WORLD access is required. Generally, world protection is set to
read-execute (RE). Personally, I would not even allow the world to read or
execute files, since scavengers can easily find information which could
allow them to get privileged, and then simply bypass the protection set on
the file.
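The protection rule just described, modelled so the consequences can be checked: a four-field mask (SYSTEM, OWNER, GROUP, WORLD, each a subset of R, W, E, D), the owner/group/world decision made from the UICs, and the fact that SET PROTECTION only touches the fields it names. This is an added example, not code from the original file or from DEC. Two things in it are assumptions stated in the code: that VMS grants an access if any category the user falls into grants it, and that UIC groups up to octal 10 count as SYSTEM (the usual MAXSYSGROUP default). Note that with that default the text's example group 010 is itself a system group, so the sample below uses group 020 for the file owner.

```python
"""Model of the VMS file-protection mask and the UIC-based access decision.

Added example, not from the original LOD/H file.  Assumptions: access is
granted if ANY applicable category (SYSTEM, OWNER, GROUP, WORLD) grants it;
UIC groups <= MAXSYSGROUP are system UICs; BYPASS skips the check and SYSPRV
adds the SYSTEM category.  'C' (control) access is not part of the mask."""

CATEGORIES = ("SYSTEM", "OWNER", "GROUP", "WORLD")
ALIASES = {"S": "SYSTEM", "O": "OWNER", "G": "GROUP", "W": "WORLD"}
MAXSYSGROUP = 0o10   # assumed default: groups 1..10 (octal) are system UICs


def parse_protection(spec):
    """Return {category: set of access letters} for the categories spec names.

    Positional form "(RWED,RWED,RE,)" names all four in S,O,G,W order; an empty
    field means no access.  Keyword form "(WORLD:RE)" or "(GROUP:RE,WORLD)"
    names only the categories listed, and a bare keyword means no access."""
    fields = [f.strip().upper() for f in spec.strip().strip("()").split(",")]
    keyword = any(":" in f or f in ALIASES or f in CATEGORIES for f in fields)
    if keyword:
        result = {}
        for field in fields:
            if not field:
                continue
            name, _, bits = field.partition(":")
            cat = ALIASES.get(name, name)
            if cat not in CATEGORIES:
                raise ValueError(f"unknown category {name!r}")
            result[cat] = set(bits)
    else:
        if len(fields) != 4:
            raise ValueError("positional form needs exactly four fields")
        result = dict(zip(CATEGORIES, (set(f) for f in fields)))
    for bits in result.values():
        if not bits <= set("RWED"):
            raise ValueError(f"bad access letters {sorted(bits)}")
    return result


def set_protection(current, spec):
    """SET PROTECTION=(spec): fields not named in spec keep their current value,
    which is why the text's WORLD symbol leaves System, Owner and Group alone."""
    updated = {cat: set(bits) for cat, bits in current.items()}
    updated.update(parse_protection(spec))
    return updated


def parse_uic(uic):
    """'[020,005]' -> (group, member) as integers; VMS prints UICs in octal."""
    group, member = uic.strip("[]").split(",")
    return int(group, 8), int(member, 8)


def categories_for(user_uic, owner_uic):
    """Every category the user falls into for a file owned by owner_uic."""
    ugroup, umember = parse_uic(user_uic)
    ogroup, omember = parse_uic(owner_uic)
    cats = {"WORLD"}
    if ugroup == ogroup:
        cats.add("GROUP")
        if umember == omember:
            cats.add("OWNER")
    if ugroup <= MAXSYSGROUP:
        cats.add("SYSTEM")
    return cats


def can_access(prot, owner_uic, user_uic, access, privs=()):
    """True if user_uic may perform access (R, W, E or D) on the file."""
    privs = {p.upper() for p in privs}
    if "BYPASS" in privs:          # BYPASS ignores the mask entirely
        return True
    cats = categories_for(user_uic, owner_uic)
    if "SYSPRV" in privs:          # SYSPRV grants the SYSTEM category's access
        cats.add("SYSTEM")
    return any(access.upper() in prot[cat] for cat in cats)


if __name__ == "__main__":
    owner = "[020,005]"                       # constructed owner UIC
    default = parse_protection("(RWED,RWED,RE,)")
    opened = set_protection(default, "(WORLD:RE)")   # the text's WORLD symbol
    for who in ("[020,040]", "[030,003]", "[001,005]"):
        print(who, "default R:", can_access(default, owner, who, "R"),
              " after WORLD:RE R:", can_access(opened, owner, who, "R"))
```

The last line of the demo is the point the text makes about privileged scavengers: a UIC in a system group, or any process holding SYSPRV or BYPASS, reads the file regardless of what the WORLD field says, so trimming WORLD only keeps out unprivileged users in other groups.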
As I have said a hundred times, many people are lazy and ignorant when it
comes to security. You can include this statement in any LOGIN.COM file:

$ world :== set protection=(world:re)/confirm

This does all of the following:

1. Can be used with an explicit file name. Example: WORLD EMDEFS.COM
2. Can be used with wildcard names. Example: WORLD *.COM
3. Asks whether you want to change the protection or not. When wildcard
   names are used, the question is asked for EACH file name, to which the
   user may respond "Y" or "N".
4. Very important! Because only world protection is given in the string,
   the current protection for System, Owner and Group remains unchanged!

A "sister" command to the above, to take away world protection, is:

$ noworld :== set protection=(world)/confirm

or

$ group :== set protection=(group:re,world)/confirm

DCL PROGRAMMING:
----------------

This section in subsequent files will have useful programs; this one was
copied from a DEC manual. In Part IV, Silver Spy's VMS Conference 1.1
program will be featured.

$! A helpful system status display (more meaningful than SHOW SYSTEM).
$! Copied from VMS doc vol 2B pg A-10.
$!
$ save_verify = F$VERIFY(0)
$ CONTEXT = ""
$ savpriv = F$SETPRV("GROUP,WORLD")
$!
$! Output header
$!
$ WRITE SYS$OUTPUT -
  "  PID    Username     Term  UIC       Process name    State Pri Image"
$ WRITE SYS$OUTPUT -
  "-------- ------------ ----- --------- --------------- --- ---- -------"
$!
$ LOOP:
$ PID = F$PID(CONTEXT)
$ IF PID .EQS. "" THEN GOTO DONE
$!
$! Image name: strip the directory and the file type, leaving just the name
$!
$ IMAGNAME = F$GETJPI(PID,"IMAGNAME")
$ IMAGNAME = F$EXTRACT(F$LOCATE("]",IMAGNAME)+1,999,IMAGNAME)
$ IMAGNAME = F$EXTRACT(0,F$LOCATE(".",IMAGNAME),IMAGNAME)
$ IF IMAGNAME .EQS. "" THEN IMAGNAME = "Command"
$!
$! Get terminal name or assign a descriptor (-INT-, -BAT-, -NET-, ...)
$!
$ TERMINAL = F$GETJPI(PID,"TERMINAL")
$ IF TERMINAL .EQS. "" THEN -
     TERMINAL = "-" + F$EXTRACT(0,3,F$GETJPI(PID,"MODE")) + "-"
$!
$ IF TERMINAL .EQS. "-INT-" THEN -
     TERMINAL = "-DET-"
$!
$ IF F$GETJPI(PID,"OWNER") .NE. 0 THEN -
     TERMINAL = "-SUB-"
$!
$! Get a string full of the other goodies
$!
$ LINE = F$FAO("!AS !12AS !5AS !9AS !15AS !4AS !2UL/!UL !10AS", -
     PID, -
     F$GETJPI(PID,"USERNAME"), -
     TERMINAL, -
     F$GETJPI(PID,"UIC"), -
     F$GETJPI(PID,"PRCNAM"), -
     F$GETJPI(PID,"STATE"), -
     F$GETJPI(PID,"PRI"), -
     F$GETJPI(PID,"PRIB"), -
     IMAGNAME)
$ WRITE SYS$OUTPUT LINE
$ GOTO LOOP
$!
$! Restore verify and privileges, then exit
$!
$ DONE:
$ WRITE SYS$OUTPUT -
  "-------- ------------ ----- --------- --------------- --- ---- -------"
$ IF save_verify THEN SET VERIFY
$ xpriv = F$SETPRV(savpriv)
$ EXIT

You can upload the above program to help you keep track of who's on your
favorite hacked VMS and know what they're up to.

ACKNOWLEDGEMENTS:
-----------------

Silver Spy, Gary Seven, and the rest of the Legion of Hackers staff.