


L                                   L
O            Lex Luthor             O
D               and                 D
$       The Legion Of Hackers       $
L             Present:              L
O    HACKING VAX'S VMS Part III     O
D                                   D
$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$
L                                   L
O This file will help  ensure  your O
D survival  on a  VMS V4.x  system. D
$ Also, information on DECnet and a $
L listing of the  major  changes in L
O the  VMS  operating  system   for O
D Version  4.X  from  Version  3.X. D
$                                   $
LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$L


COMMON ACCOUNTS (PART III):
---------------------------

   Yet more common usernames found on various VMS systems.  First try the
username itself as the password, then obvious variations of it, to gain access.

Username:
---------
SYS
NETCON
ALLIN1
NETPRIV
OPERVAX
ALLINONE
TELEDEMO
NETSERVER
NETNONPRIV

   When logging in with these, or any other username, if you encounter any
problems, many of which were mentioned in Part II under the 'Interior Barriers'
section, you may wish to try:

Username: UNAME /NOCOMMAND
Password:
Password:

            LOD/H Counter-Intelligence System
   Last interactive login on Friday, 01-JUN-1985 10:20.11

$

   As you have noticed, the login qualifier /NOCOMMAND was entered after the
username.  The qualifiers which may or may not be allowed to be used at
login are:

1)  /CLI=  (Command Line Interpreter) allows you to specify either DCL (Digital
            Command Language) which is the default or MCR (Monitor Control
            Routine).

2)  /COMMAND=  Specifies a login command procedure to run instead of the one
    named in the account's UAF record (the LGICMD field).  That default
    procedure may not allow you access to the operating system.  /NOCOMMAND
    ensures that it is not executed, and therefore you are able to reach the
    DCL prompt, unless the account is a Captive account.  Note that it does not
    suppress the system-wide SYS$SYLOGIN procedure, which runs before the
    account's own.

3)  /DISK=  Allows you to specify a DISK other than the default.

4)  /TABLES=  Specifies the name of another CLI table to override the default
    listed in the UAF.

The most commonly used of these is /NOCOMMAND.  None of these can be used when
the account is a Captive account (the CAPTIVE flag in its UAF record).  A
Captive account allows very limited access to the system.  Captive accounts
usually dump you into an application program or special menu, which gives you
very little mobility and little chance of breaking out, since control-y is
disabled, and so is the use of all login qualifiers; thus, it is a very useful
security measure.

Also shown above was a second password prompt, which indicates that the
username requires a secondary password.  This is not implemented very often,
though.


STEALTH CAPABILITIES:
---------------------

This section will explain how to reduce the chances of being detected on a
system.  The following information is especially useful for VMS Versions 4.x
and above.  Upon logging on, there are certain commands which should be run
before you begin to scavenge the system for data.  They are, in order of
importance and occurrence: SHOW USERS, SHOW PROCESS/PRIVS, SHOW SYS, SHOW AUDIT,
and SHOW INTRUSION.

  SHOW USERS was mentioned in Part I.  If you encounter other users you will
  want to take note of the usernames for two reasons.  One is to attempt to
  guess passwords which may allow you higher access, or at least another account
  to fall back on in case your current hacked account is terminated.  The second
  is that you will want to know whether the users are 'active' or whether they
  left their terminal logged on and went home, thus posing no immediate threat
  to you.

$ SHOW PROCESS/PRIVS  (This was also mentioned in previous files.)  You must have
                      sufficient privs to use SHOW AUDIT & SHOW INTRUSION, and
                      this will show whether you do.  Note that it lists only
                      the privileges currently enabled for the process, which
                      at login are the account's default privileges (DEFPRIV in
                      the UAF).  The account may be authorized for more (its
                      PRIV field), so on some systems only TMPMBX & NETMBX are
                      shown whether you are authorized for other privs or not.
                      Therefore, you should try:

$ SET PROCESS/PRIVS=GROUP (Start with GROUP and, if that works, continue up the
                           line to see if you have ALL.  A privilege you are not
                           authorized for is refused with an error.)  You may
                           need only certain privs to run pgms, view files,
                           etc., not ALL.

$ SHOW SYS

   VAX/VMS V4.2  on node COINS 01-JUN-1985 19:29:37.24   Uptime   14 07:06:05

Pid       Process Name  State  Pri  I/O     CPU                Page flts  Ph.Mem

00000080  NULL          COM     0    0      13 11:47:16.35     0          0
00000083  SWAPPER       HIB     16   0      0  00:00:25.29     0          0
00000084  JOB_CONTROL   LEF     8    10209  0  00:02:49.25     23461      121
0000071B  LOD/H618      CUR     4    2593   0  00:00:09.22     658        161

Pid stands for Process ID; Process Name is a username or a batch job name.  The
most important bit of information is the State.  You will be particularly
concerned with CUR, which means CURrently using the processor.  You will see
your own username and CUR next to it.  If any other Process Name has a state
which is CUR, and the name is found when you perform the SHOW USERS command,
then you can be sure that another user of the system is actually using the
system and not on vacation with his terminal logged on 24hrs a day.  If you are
extremely paranoid or extremely careful, you may want to log off, since that
user may check who is on the system, and notice that that user (YOU!) should not
be logged on at that time, or whatever.  This can lead to a changing of the
hacked account's password, or even worse, your detection/capture.  COM and COMO
mean the process is COMputable, i.e. ready to use the processor (COMO: the same,
but swapped Out).  HIB and HIBO are HIBernating processes and you shouldn't
worry about them.  FPG means that the process is waiting for a Free PaGe of
memory.  LEF and LEFO (Local Event Flag wait) are interactive users who are
thinking or may be waiting for terminal or disk I/O, and CEF (Common Event Flag
wait) is similar; these are just as important to take note of as CUR.
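The state check described above can be scripted.  The following Python is an
added example by the editor, not part of the original file: it parses SHOW
SYSTEM output in the layout shown above (the sample is constructed, with two
processes added to the listing) and cross-references it with a SHOW USERS list
to report which logged-in users are actually awake.  The grouping of states is
the editor's; the state mnemonics are the ones SHOW SYSTEM prints.

```python
import re

# State groups for the reasoning above.  The grouping is the editor's, made for
# this example; the mnemonics are the ones SHOW SYSTEM prints on VMS 4.x.
RUNNING = {"CUR", "COM", "COMO"}             # on the CPU, or ready for it
WAITING = {"LEF", "LEFO", "CEF", "CEFO"}     # event-flag wait: typing, terminal or disk I/O
DORMANT = {"HIB", "HIBO", "SUSP", "SUSPO"}   # hibernating or suspended
RESOURCE = {"FPG", "PFW", "COLPG", "MWAIT"}  # waiting on memory or a resource

# Constructed SHOW SYSTEM output modelled on the listing above; not a real capture.
SAMPLE_SHOW_SYSTEM = """\
   VAX/VMS V4.2  on node COINS 01-JUN-1985 19:29:37.24   Uptime   14 07:06:05

Pid       Process Name  State  Pri  I/O     CPU                Page flts  Ph.Mem

00000080  NULL          COM     0    0      13 11:47:16.35     0          0
00000083  SWAPPER       HIB     16   0      0  00:00:25.29     0          0
00000084  JOB_CONTROL   LEF     8    10209  0  00:02:49.25     23461      121
0000071B  LOD/H618      CUR     4    2593   0  00:00:09.22     658        161
0000072A  OPERVAX       HIB     4    120    0  00:00:01.10     300        150
0000073C  NETCON        LEF     4    88     0  00:00:00.54     210        140
"""

# Constructed SHOW USERS result for the same moment (usernames only).
SAMPLE_SHOW_USERS = ["LOD/H618", "OPERVAX", "NETCON"]

PROCESS_LINE = re.compile(
    r"^([0-9A-F]{8})\s+(\S+)\s+([A-Z]+)\s+(\d+)\s+(\d+)\s+(\d+\s+[\d:.]+)")


def parse_show_system(text):
    """Return one dict per process line; the banner, header and blank lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = PROCESS_LINE.match(line)
        if m:
            pid, name, state, pri, io, cpu = m.groups()
            procs.append({"pid": pid, "name": name, "state": state,
                          "pri": int(pri), "io": int(io), "cpu": cpu})
    return procs


def classify(state):
    if state in RUNNING:
        return "running"
    if state in WAITING:
        return "waiting"
    if state in DORMANT:
        return "dormant"
    if state in RESOURCE:
        return "resource-wait"
    return "unknown"


def live_users(procs, show_users, me):
    """Usernames from SHOW USERS whose process is running or in an event-flag
    wait, i.e. people who could be looking at the system right now.  This
    relies on interactive process names defaulting to the username.  The
    caller's own username is left out."""
    watch = set(show_users) - {me}
    return sorted(p["name"] for p in procs
                  if p["name"] in watch
                  and classify(p["state"]) in ("running", "waiting"))


if __name__ == "__main__":
    procs = parse_show_system(SAMPLE_SHOW_SYSTEM)
    for p in procs:
        print(f'{p["pid"]} {p["name"]:<14} {p["state"]:<5} {classify(p["state"])}')
    print("awake:", live_users(procs, SAMPLE_SHOW_USERS, "LOD/H618"))
```

Run against the sample, OPERVAX is hibernating and is ignored, while NETCON in
LEF is reported: a process in an event-flag wait is somebody at a terminal who
has merely paused, which is the point made above.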

$ SHOW AUDIT
Security alarms currently disabled
                                          or
$ SHOW AUDIT
Security alarms currently enabled for:

    ACL
    BREAKIN:     (DIALUP,LOCAL,REMOTE,NETWORK,DETACHED)
    FILE_ACCESS:
        FAILURE: (READ,WRITE,EXECUTE,DELETE,CONTROL)
        BYPASS:  (READ,WRITE,EXECUTE,DELETE,CONTROL)
    LOGIN:       (DIALUP)
    LOGOUT:      (DIALUP)

The SHOW AUDIT command reveals the extent of the security alarms currently
enabled or disabled on the system.  Security operators may receive an alarm
when:

1) An Access Control List (ACL) entry on the object requests the alarm (a
   security-alarm ACE).  Files so designated will sound an alarm when accessed,
   either legally or illegally, for the accesses the ACE names.  Thus, you will
   want to do a SHOW ACL on files which you are suspicious of, before blindly
   accessing them.

2) The system detects a possible breakin attempt.  This depends upon what the
   'threshold' is.  The threshold may be 3 invalid attempts, or 10; on 4.x it
   is set by the SYSGEN parameters LGI_BRK_LIM (the count) and LGI_BRK_TMO (the
   window, in seconds, within which the count must be reached), and the count is
   kept in the breakin database per association, normally the username together
   with the terminal or remote node (the Source column of SHOW INTRUSION,
   below).  When the threshold is reached, an alarm will sound.  Knowing what
   the threshold is, if any, will help you if you get 'locked out' of the
   system.  When you try to hack back in, if you only make 4 password attempts
   when the threshold is 5 and then move on to the next username, an alarm will
   not sound, but of course the login failures will appear in the login message
   stating "4 failures since last successful login." when the valid user finally
   logs in on that account.  If there is no threshold, you can hack and hack and
   not get an alarm.  It is advised that you hack until you get in on the same
   account, and then YOU will receive the 200 login failures since last login
   message and NOT the valid user.  Also, if the threshold is reached, there may
   not be anyone around to notice/hear it.  But they will know about it sooner
   or later.  If they do notice it right away, and you continue, be sure to
   call someone to bail you out of jail, since I don't think anyone would take
   an alarm too lightly.  For all they know, you could be committing industrial
   espionage, fraud and embezzlement, or just another 'pesky' hacker.

3) A file access fails with any of the R,W,E,D or C accesses.  If this alarm is
   used, you should not use the methods of scavenging noted in Parts I and II
   (the use of wildcard file/directory searches) unless you have sufficient
   privileges, because you will get all kinds of access violations and an alarm
   will sound for each of them.  If this alarm is not activated, you can
   perform file and directory searches all you want and, no matter how many
   error/violation messages you receive, no one else will know about it.

4) A file access with R,W,E,D or C access is gained by means of the BYPASS
   privilege.  No big deal, since if you have BYPASS privs, you probably have
   ALL privs.  System managers are too lazy to assess end-users' security needs
   and therefore give them more privs than they need instead of limiting them
   to BYPASS or some other privilege.  So you access a file via another priv,
   and avoid an alarm sounding.  If there are no alarms activated for using
   BYPASS, and you only have BYPASS (not SETPRV or SYSPRV), then you can still
   circumvent all file protection and you will not have to worry whether the
   FAILURE alarm is activated or not, since if you have access to all files,
   how can there be a failure by you not having sufficient access?

   If the system detects a possible breakin, file access attempt, dialup port
   login, or whenever a dialup connection logs out, an alarm will sound IF the
   qualifier is specified within AUDIT.  The dialup login alarm is especially
   useful if the operators are on to you.  They can simply set the alarm, tell
   all valid users not to log on via dialup, and wait for you, the would-be
   unsuspecting hacker (if you did not read this article, that is), to log in
   and be subsequently traced.

$  SHOW INTRUSION/TYPE=ALL

   Intrusion    Type        Count     Expiration     Source
   TERMINAL     INTRUDER      9       08:34:24.56    TTA0
   NETWORK      SUSPECT       2       09:03:33.39    COINS::NSAUSER1

   This command shows the contents of the breakin database, which contains
   information about login failures that originate from a specific source and
   that result from any number of failure types (incorrect password, expired
   account, unknown username).  Valid keywords for /TYPE are:

   ALL       The default; shows all breakin entries.
   SUSPECT   Login failures were recorded from the source, but the threshold was
             not reached, so it is not yet identified as an INTRUDER.
   INTRUDER  Entries whose failure count was high enough to warrant evasive
             action (further logins from that source are refused, even with the
             right password, until the entry expires).

   If the message "%SHOW-F-NOINTRUDERS, no intrusion records match
   specification" appears, then the breakin database is empty: no one has
   attempted to illegally access the system recently, or the entries have
   expired.  LOGINOUT maintains this database whether or not any alarm is
   enabled; what SHOW AUDIT tells you is whether reaching the threshold also
   raises a BREAKIN alarm for the operators.
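The threshold discussion under item 2 above and the SHOW INTRUSION output can
both be made concrete with a small model of the breakin database.  The
following Python is an added example by the editor, not part of the original
file and not VMS's own algorithm.  Its assumptions: a failure is charged to an
association key; brk_lim failures inside a brk_tmo-second window turn the
entry from SUSPECT into INTRUDER; an entry whose expiration has passed starts
counting from zero again.  The parameter names follow LGI_BRK_LIM and
LGI_BRK_TMO, but the real system has more rules (hiding, DISUSER) than this.
The key_on_username=False mode is a what-if, not VMS behaviour: it shows that
the "four guesses, then move on" pattern above survives only because the
username is part of the association.

```python
# Modelling assumptions (editor's, for this example): one entry per association
# key; brk_lim failures inside brk_tmo seconds make it INTRUDER; a lapsed entry
# restarts from zero.  Times are plain integers (seconds since some origin).


class BreakinDB:
    def __init__(self, brk_lim=5, brk_tmo=300, key_on_username=True):
        self.limit = brk_lim
        self.window = brk_tmo                   # seconds an entry stays alive
        self.key_on_username = key_on_username  # False: terminal alone is the key (what-if)
        self.entries = {}                       # key -> (count, expiration)

    def login_failure(self, when, source, username):
        """Record one failure at time `when` and return the entry's type."""
        key = (source, username) if self.key_on_username else (source,)
        count, expires = self.entries.get(key, (0, when))
        if when >= expires:            # the window lapsed: start counting again
            count = 0
        count += 1
        self.entries[key] = (count, when + self.window)
        return self.entry_type(key)

    def entry_type(self, key):
        return "INTRUDER" if self.entries[key][0] >= self.limit else "SUSPECT"

    def show_intrusion(self):
        """Rows in the spirit of SHOW INTRUSION/TYPE=ALL:
        (type, count, expiration as HH:MM:SS, source)."""
        rows = []
        for key, (count, exp) in self.entries.items():
            hhmmss = f"{exp // 3600 % 24:02d}:{exp % 3600 // 60:02d}:{exp % 60:02d}"
            rows.append((self.entry_type(key), count, hhmmss, "/".join(key)))
        return sorted(rows)


def guessing_run(key_on_username, per_user=4, users=("SYS", "NETCON", "OPERVAX")):
    """The pattern recommended above: per_user guesses on each account from one
    terminal, moving on before a threshold of 5 is reached.  Returns the worst
    classification reached and what SHOW INTRUSION would list afterwards."""
    db = BreakinDB(brk_lim=5, brk_tmo=300, key_on_username=key_on_username)
    t = 8 * 3600 + 30 * 60                 # 08:30:00, constructed
    worst = "SUSPECT"
    for user in users:
        for _ in range(per_user):
            t += 20                        # one guess every 20 seconds
            if db.login_failure(t, "TTA0", user) == "INTRUDER":
                worst = "INTRUDER"
    return worst, db.show_intrusion()


if __name__ == "__main__":
    for keyed in (True, False):
        worst, rows = guessing_run(keyed)
        print(f"key includes username: {keyed}  ->  worst entry: {worst}")
        for row in rows:
            print("   %-9s %-9s %3d   %s   %s" % ("TERMINAL", row[0], row[1], row[2], row[3]))
```

With the username in the key, twelve failures from TTA0 leave three SUSPECT
entries of count 4 and no alarm; keyed on the terminal alone, the fifth
failure would already make TTA0 an INTRUDER.  An operator reading SHOW
INTRUSION still sees the three SUSPECT rows from the same terminal, which is
the check worth making on the defending side.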

     If after you log on, you think you will be using the system a lot, you may
want to check the UAF record of the account you intend to use for login flags.
You do not want ANY of the login flags to be set!  In particular you want the
[NO] in front of AUDIT, which ensures that there is no auditing of the account,
and you will also want to make sure there is no ACCOUNTING of the account (the
DISACNT flag).  Changing these requires the ability to modify SYSUAF and may
itself be noticed, so use caution when doing so.  Most of the login flags are
[NO] by default.


DECNET/PROXY LOGINS:
--------------------

     Networking on VAXes is a major security hole.  Once you gain access to a
system which has DECnet, you can read files, do directory searches and fetch
programs from other nodes without having to guess passwords, provided the
remote node has a proxy entry mapping your node and username to one of its
accounts, or a default DECnet account that accepts anyone.  You can do this by:

1)  $ TYPE PLOVER::SYS$SYSROOT:<SYSEXE>SYSUAF.LIS;*

2)  $ DIR DOCWHO::SYS$SYSROOT:<000000...>

3)  $ RUN LEGION::SYS$SYSROOT:<SYSEXE>AUTHORIZE
    UAF>

As you can see, the format is:
$ CMD-NAME NODE-NAME::DEVICE:<DIRECTORY>FILE-OR-PROGRAM-NAME
Note: The node-name MUST be followed by the two colons.

In example 1, you are simply listing out the contents of the SYSUAF.LIS
file, which is either a /BRIEF or a /FULL listing of all users on the host
system.  Whenever a user enters LIST * /BRIEF (or /FULL) the system will dump
the information into a file with the extension of .LIS instead of the screen.
It would be dumped to the screen if LIST was replaced with SHOW.  See Parts I
and II for more on SYSUAF and AUTHORIZE.

In example 2, you are simply getting a listing of all files in all directories
on the designated device/disk, beginning with the master file directory
[000000], which contains a list of all other directories.  And as stated in
previous articles, usernames are usually the same as some directory names.

In example 3, you are fetching the AUTHORIZE image from the remote node.  Bear
in mind that AUTHORIZE works on the UAF of the node it executes on, and the
image, if the image activator accepts a remote specification at all, runs on
your node, not on LEGION.  To list or create accounts on the remote node you
need a session there (SET HOST, or an account on that node).

So you see, you do not need to break into any of those hosts.  What you get on
the remote node is the access of the account its proxy database maps you to: if
the proxy points at a privileged account, full access 'transfers' over to the
remote node; if it points at an ordinary account, or there is no proxy and the
default DECnet account is used, you are limited to what that account can read
and run.  You should still be able to get enough information by reading mail on
all the other hosts, or obtaining usernames through means mentioned in the
HACKING VMS series, to get priv'ed and then have priv'ed access on all other
nodes.  You can also remotely SHOW NETWORK to see if other nodes are networked
with the remote node which are not networked with the hacked system, and then
access those.  One more note: on most systems, all accesses to objects (see
Part II) are recorded, and if there are alarms for accessing objects on the
remote node, they can go off.  Check the file NETSERVER.LOG and other similar
NET*.LOG files, in the directory of the account the network server ran under,
to determine exactly what information is and isn't recorded.
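The NODE::DEVICE:<DIRECTORY>FILE format explained above is a small grammar,
and recognising it is what both sides of this section need: the scavenger to
see which of his commands cross the network, the operator going through a
log to see which commands did.  The following Python is an added example by
the editor, not part of the original file.  It goes one step beyond the page:
besides the NODE:: prefix it also accepts the DECnet-VAX access control string
form NODE"user password"::, which embeds credentials in the command line and
is worth flagging when it turns up in a log; the tokenizer and the grammar are
the editor's reading of the format, not DEC's definition.

```python
import re

# Grammar assumed for this example: [NODE["acs"]::][DEVICE:][<DIR> or [DIR]]NAME[.TYPE][;VERSION]
FILESPEC = re.compile(r"""
    ^
    (?:(?P<node>[A-Za-z0-9$_]+)(?:"(?P<acs>[^"]*)")?::)?   # NODE:: or NODE"user pw"::
    (?:(?P<device>[A-Za-z0-9$_]+):)?                      # device or logical name
    (?P<directory>[<\[][^>\]]*[>\]])?                      # <DIR> or [DIR]
    (?P<name>[A-Za-z0-9$_-]*)
    (?:\.(?P<type>[A-Za-z0-9$_-]*))?
    (?:;(?P<version>-?\d*|\*))?
    $""", re.VERBOSE)

# A command-line token: runs of non-blank characters, where a quoted string
# (which may contain blanks) counts as part of the token.
TOKEN = re.compile(r'(?:"[^"]*"|\S)+')


def parse_filespec(spec):
    """Split a VMS file specification into its parts; raise ValueError otherwise."""
    m = FILESPEC.match(spec.strip())
    if not m:
        raise ValueError(f"not a VMS file specification: {spec!r}")
    parts = m.groupdict()
    parts["remote"] = parts["node"] is not None
    # An access control string with a blank in it is "user password".
    parts["embedded_credentials"] = parts["acs"] is not None and " " in parts["acs"]
    return parts


def remote_accesses(command_lines):
    """From DCL command lines, report the ones that reach across DECnet as
    (node, spec, credentials-embedded?)."""
    found = []
    for line in command_lines:
        for token in TOKEN.findall(line)[1:]:      # skip the verb (or the "$")
            try:
                parts = parse_filespec(token)
            except ValueError:
                continue                            # a qualifier or other non-file token
            if parts["remote"]:
                found.append((parts["node"].upper(), token, parts["embedded_credentials"]))
    return found


# Constructed command lines for the demonstration, two of them from the examples above.
SAMPLE_COMMANDS = [
    "$ TYPE PLOVER::SYS$SYSROOT:<SYSEXE>SYSUAF.LIS;*",
    "$ DIR [SMITH]",
    '$ COPY COINS"NSAUSER1 SECRET"::SYS$SYSTEM:SYSUAF.DAT []',
]

if __name__ == "__main__":
    for node, spec, creds in remote_accesses(SAMPLE_COMMANDS):
        print(f"{node:<8} {spec}{'   <-- credentials on the command line' if creds else ''}")
```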


ACCOUNTING:
-----------

As usual, check previous articles for the basic information on accounting.  You
will definitely want to continue using an account which is consistently used.
You do not want the system manager to look at the accounting record and say "No
one should be using this account, I wonder who it is...".

$ ACCOUNTING /FULL /USER=(LOD/H618) /SINCE=20-MAY-1985

INTERACTIVE Process Termination
-------------------------------

Username:     LOD/H618            UIC:                 [001,005]
Account:      LOD/H               Finish time:         21-MAY-1985 20:20:53.15
Process ID:   0000071B            Start time:          21-MAY-1985 20:20:06.36
Owner ID:                         Elapsed time:                  0 00:00:46.79
Terminal name:    TTD2            Processor time:                0 00:00:07.57
Remote node addr:                 Priority:            4
Remote node name:                 Privilege <31-00>    00108000
Remote ID:                        Privilege <63-32>    00000000
Queue entry:                      Final status code:   10000001
Queue name:
Job name:
Final status text:%SYSTEM-S-NORMAL, normal successful completion

Page faults:       644            Direct IO:           37
etc. etc.                         etc. etc

The wildcard for ACCOUNTING is a "-" instead of the usual "*".  You can replace
the username with a hyphen to view all users' accounting records.  There are
many qualifiers which can be used with the ACCOUNTING command; the ones you will
want to get more information on via HELP are: /BEFORE, /FULL, /REPORT, /SINCE,
/SORT, /STATUS, /SUMMARY, /TYPE, and /USER.

/TYPE=LOGFAIL is an important qualifier.  This will show you whether login
failures are recorded or not (the system manager turns that on with SET
ACCOUNTING/ENABLE=LOGIN_FAILURE).  If so, you will see all the 'hacksess'
attempts made on the user(s) of your choice.  Now, if there are no LOGFAIL
records, it shouldn't matter how many times nor how many usernames you attempt
to break into, since there will be no record of it in the accounting file.
Bear in mind, though, that accounting is only one of the records: the breakin
database (SHOW INTRUSION) and the BREAKIN alarm (SHOW AUDIT) are independent
of it.  If there is a record, you will want to see if there is an alarm
threshold, and if not, you should hack the same account until you get in.  You
shouldn't try too many usernames all at once, unless you want all the passwords
changed, probably not leaving any default/common accounts for you to get lucky
on.
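The most telling line in the /FULL record above is the privilege mask, which
is printed as two hex longwords rather than by name.  The following Python is
an added example by the editor, not part of the original file: it pulls the
fields out of a record laid out like the one above (the sample is constructed
to match it) and decodes the mask with the bit positions from the VMS $PRVDEF
definitions.  The list of "all-equivalent" privileges is the editor's choice
for the example; the assumption that the record's columns are labelled exactly
as shown is what the regular expressions depend on.

```python
import re

# Privilege bit positions from the VMS $PRVDEF definitions: bit 0 of the low
# longword is CMKRNL, bit 15 is TMPMBX, bit 20 is NETMBX, and so on.  Only
# privileges that existed on V4.x are listed; later versions added more in the
# high longword, and those would show up here as "bit N".
PRIV_LOW = ["CMKRNL", "CMEXEC", "SYSNAM", "GRPNAM", "ALLSPOOL", "DETACH",
            "DIAGNOSE", "LOG_IO", "GROUP", "ACNT", "PRMCEB", "PRMMBX",
            "PSWAPM", "ALTPRI", "SETPRV", "TMPMBX", "WORLD", "MOUNT", "OPER",
            "EXQUOTA", "NETMBX", "VOLPRO", "PHY_IO", "BUGCHK", "PRMGBL",
            "SYSGBL", "PFNMAP", "SHMEM", "SYSPRV", "BYPASS", "SYSLCK", "SHARE"]
PRIV_HIGH = ["UPGRADE", "DOWNGRADE", "GRPPRV", "READALL"]

# Privileges that let a process defeat file protection or become anything it
# likes; the set is the editor's choice for this example.
ALL_EQUIVALENT = {"CMKRNL", "CMEXEC", "SETPRV", "SYSPRV", "BYPASS", "READALL",
                  "SYSNAM", "PHY_IO", "LOG_IO", "PFNMAP"}


def privilege_names(low, high):
    """Decode the two privilege longwords into names, lowest bit first."""
    names = []
    for bit in range(32):
        if low >> bit & 1:
            names.append(PRIV_LOW[bit])
    for bit in range(32):
        if high >> bit & 1:
            names.append(PRIV_HIGH[bit] if bit < len(PRIV_HIGH) else f"bit {bit + 32}")
    return names


# Constructed ACCOUNTING /FULL record, copied in shape from the one above.
SAMPLE_RECORD = """\
INTERACTIVE Process Termination
-------------------------------

Username:     LOD/H618            UIC:                 [001,005]
Account:      LOD/H               Finish time:         21-MAY-1985 20:20:53.15
Process ID:   0000071B            Start time:          21-MAY-1985 20:20:06.36
Owner ID:                         Elapsed time:                  0 00:00:46.79
Terminal name:    TTD2            Processor time:                0 00:00:07.57
Remote node addr:                 Priority:            4
Remote node name:                 Privilege <31-00>    00108000
Remote ID:                        Privilege <63-32>    00000000
Queue entry:                      Final status code:   10000001
Queue name:
Job name:
Final status text:%SYSTEM-S-NORMAL, normal successful completion
"""

FIELDS = {
    "username": r"Username:\s+(\S+)",
    "uic": r"UIC:\s+(\[[^\]]+\])",
    "terminal": r"Terminal name:\s+(\S+)",
    "start": r"Start time:\s+(\d+-[A-Z]+-\d+ [\d:.]+)",
    "finish": r"Finish time:\s+(\d+-[A-Z]+-\d+ [\d:.]+)",
    "status": r"Final status text:\s*(.+)",
}


def parse_accounting_record(text):
    """Pick the labelled fields out of one /FULL record and decode its privileges."""
    rec = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        rec[key] = m.group(1).strip() if m else None
    low = re.search(r"Privilege <31-00>\s+([0-9A-Fa-f]{8})", text)
    high = re.search(r"Privilege <63-32>\s+([0-9A-Fa-f]{8})", text)
    if low and high:
        rec["privileges"] = privilege_names(int(low.group(1), 16), int(high.group(1), 16))
    else:
        rec["privileges"] = []
    return rec


def over_privileged(rec):
    """Privileges in the record's mask that make the session worth a second look."""
    return sorted(ALL_EQUIVALENT & set(rec["privileges"]))


if __name__ == "__main__":
    rec = parse_accounting_record(SAMPLE_RECORD)
    print(rec["username"], rec["terminal"], rec["start"], "->", rec["finish"])
    print("privileges:", ", ".join(rec["privileges"]), "  flagged:", over_privileged(rec))
```

Mask 00108000 decodes to TMPMBX and NETMBX, exactly the two privileges the
STEALTH section says a plain SHOW PROCESS/PRIV tends to show; a session that
ended with, say, 30108000 would be flagged for SYSPRV and BYPASS.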

CHANGES IN VMS 4.X FROM VMS 3.X
-------------------------------

   VMS V.4 is a much larger operating system than the V3 flavour.  Additions to
the security, logical name, privilege and priority systems have been made.
A general list of modifications follows:

1.  Allows larger command buffers.
2.  Has multinational character set capability.
3.  Users can set the "$" prompt to their own choice of a string up to about 30
    characters (e.g.: $ SET PROMPT="LOD> " <return>, after which the prompt
    reads LOD> ).
4.  Command line recall (up to the last 20 lines).
5.  User-defined keys.
6.  Better error messages (they suggest actions to follow to correct problems).
7.  During a batch process you can now view the job log.
8.  They redesigned/enhanced the print/batch subsystem for clusters.
9.  Enhancements to DCL (new commands).
10. Any VMS Version 3.4 or above can be upgraded to Version 4.x.
11. They have changed the installation method.
12. VMSINSTAL has been expanded (it is not compatible with V3 syntax, but the
    V3 install will still be available on the system).
13. It is now possible for the VMS system to be on different system discs.
14. Cluster systems with common system discs are supported.
15. New commands for CONNECT/DISCONNECT, since processes are left running if a
    disconnect occurs.  If your line is dropped you can log in, see your old
    process and reconnect to it.
16. Control character echoing (^Y and ^C are echoed in reverse video as
    "*interrupt*").
17. Broadcast messages have been classed.  You can determine which broadcast
    messages you will receive.  For example, you can stop broadcast messages
    from being received while you are in the editor.
18. They now have terminal support for all of the DEC terminals.
19. There are new terminal characteristics which can be set.
20. Security has been greatly modified:
      A. Disk scavenging protection (the blocks of deleted files can be erased
         rather than just removed from the directory).
      B. New privileges.
      C. Alphanumeric UICs and full longword UICs.
      D. A rights database (a system manager can see who holds a particular
         identifier).
      E. Access Control Lists.
      F. Login security.
      G. Security alarms.
      H. Optional system password to be entered before the "Username:" prompt
         will appear.
21. Support for larger working sets (65,000 pages).
22. Run Time Library enhancements (including multiple shareable images).
23. Sort/Merge improved to 2.4 times faster.
24. EDT has been enhanced.
25. Utilities have been enhanced:
    A. ANALYZE/MEDIA; ANALYZE/CRASH_DUMP invokes SDA, has a new keypad mode
       and new commands and qualifiers.  If you SET PROCESS/DUMP,
       ANALYZE/PROCESS_DUMP invokes DEBUG.
    B. EXCHANGE replaces FLX.
    C. MAIL: 2-key ISAM files; date/time of insertion; mail goes into folders
       (3 given folders are MAIL, NEWMAIL and WASTEBASKET); FILE stores mail
       to folders; EXTRACT creates disc files; new keypad mode.
    D. LIBRARIAN allows data reduction; /DATA=EXPAND will restore from REDUCE
       (restores spaces and tabs).  This is not /COMPRESS, which deletes
       spaces and tabs.
    E. Common qualifiers.
    F. PATCH/ABSOLUTE.
26. RMS (Record Management Services) update: 39 characters for filenames and
    their extensions.  Directories can also have 39 characters.
27. All VMS products will be available on mag tape.
28. SYSGEN has been changed to reflect new parameters.  The new SHOW/LGI will
    show the login security parameters.
29. VMS Exec enhanced.  $GETSYI shows all SYSGEN parameters.
30. Process ID format has been changed.  A process at kernel AST level is no
    longer deletable.


FILE PROTECTION:
----------------

   Just some notes on file protection; a more in-depth look will be featured in
Part IV, which will be co-written by Silver Spy.

   A newly created file is created with the user's default protection (SET
PROTECTION/DEFAULT) and NOT the protection of the directory it goes in.  (A new
version of an existing file is the exception: it normally inherits the
protection of the previous version.)  If the user who created the file is, for
example, UIC [010,nnn] and that user's default protection is (RWED,RWED,RE,),
then users who are not in group 010 cannot access the file!  To allow other
users to access the file, WORLD access is required.  Generally, world protection
is set to read-execute (RE).  Personally, I would not even allow the world to
read or execute files, since scavengers can easily find information which could
allow them to get privileged, and then simply bypass the protection set on the
file.  But as I have said a hundred times, many people are lazy and ignorant
when it comes to security.

You can include this statement in any LOGIN.COM file:

      world :== set protection=(world:re)/confirm

This does all of the following:

   1. Can be used for explicit file name.  Example:  WORLD EMDEFS.COM
   2. Can be used with wildcard names.     Example:  WORLD *.COM
   3. Asks whether you want to change protection or not. When wildcard names are
      used, the question is asked for EACH file name, to which the user may
      respond "Y" or "N".
   4. Very important!  Because only world protection is used in the string, the
      current protection for System, Owner and Group remains unchanged!

A "sister" command to the above, to take away world access, is:

      noworld :== set protection=(world)/confirm
  or
      group   :== set protection=(group:re,world)/confirm
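Point 4 above, that a category left out of the protection code is left
alone while a category named with no codes loses everything, is the part of
SET PROTECTION that people get wrong.  The following Python is an added
example by the editor, not part of the original file: a model of the
protection code and of how SET PROTECTION combines it with a file's current
protection, plus the access check for the group/world scenario described
above.  Two assumptions are the editor's: the cumulative rule that a
requester is checked against every category he falls in (everyone is WORLD,
same group adds GROUP, same UIC adds OWNER) and access is granted if any of
them allows it; and the SYSTEM category, which depends on UIC group ranges
and privileges, is left out.

```python
CATEGORIES = ("SYSTEM", "OWNER", "GROUP", "WORLD")
ACCESS_CODES = "RWED"


def parse_protection(spec):
    """Parse a protection code such as '(S:RWED,O:RWED,G:RE,W:)' or
    '(world:re)'.  Returns {category: set of codes}.  A category not named in
    the spec maps to None ("leave it as it is"); a category named with no
    codes, like 'WORLD' or 'W:', maps to an empty set (no access)."""
    body = spec.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    result = {cat: None for cat in CATEGORIES}
    for item in body.split(","):
        item = item.strip()
        if not item:
            continue
        cat, _, codes = item.partition(":")
        cat = cat.strip().upper()
        full = next((c for c in CATEGORIES if c.startswith(cat)), None) if cat else None
        if full is None:
            raise ValueError(f"unknown category {cat!r}")
        codes = codes.strip().upper()
        if any(ch not in ACCESS_CODES for ch in codes):
            raise ValueError(f"bad access code in {item!r}")
        result[full] = set(codes)
    return result


def set_protection(current, spec):
    """SET PROTECTION=spec applied to an existing protection: categories named
    in spec are replaced by exactly the listed codes, the others are kept."""
    new = {cat: set(codes or ()) for cat, codes in current.items()}
    for cat, codes in parse_protection(spec).items():
        if codes is not None:
            new[cat] = codes
    return new


def format_protection(prot):
    return "(" + ",".join(
        f"{cat[0]}:{''.join(ch for ch in ACCESS_CODES if ch in prot[cat])}"
        for cat in CATEGORIES) + ")"


def categories_of(requester_uic, owner_uic):
    """Categories a requester falls in, given UICs like '[010,042]'.  SYSTEM is
    not modelled here (editor's simplification)."""
    cats = {"WORLD"}
    if requester_uic.split(",")[0] == owner_uic.split(",")[0]:
        cats.add("GROUP")
    if requester_uic == owner_uic:
        cats.add("OWNER")
    return cats


def can_access(prot, requester_uic, owner_uic, code):
    """Cumulative check (editor's assumption): access if any applicable category allows it."""
    return any(code in prot[cat] for cat in categories_of(requester_uic, owner_uic))


if __name__ == "__main__":
    default = parse_protection("(S:RWED,O:RWED,G:RE,W:)")   # the example above
    print("default       ", format_protection(default))
    print("WORLD file    ", format_protection(set_protection(default, "(world:re)")))
    print("NOWORLD file  ", format_protection(set_protection(default, "(world)")))
    print("GROUP file    ", format_protection(set_protection(default, "(group:re,world)")))
    print("[020,007] reads a [010,042] file:", can_access(default, "[020,007]", "[010,042]", "R"))
```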


DCL PROGRAMMING:
----------------

   This section in subsequent files will have useful programs, this one was
copied from a DEC manual.  In Part IV, Silver Spy's VMS Conference 1.1 program
will be featured.

$! A helpful system status display (more meaningful than SHOW SYSTEM).
$! Copied from VMS doc vol 2B pg A-10.
$!
$   save_verify = F$VERIFY(0)
$   CONTEXT = ""
$! GROUP and WORLD must be enabled to see other users' processes; the old
$! state is saved so it can be put back on exit.
$   savpriv = F$SETPRV("GROUP,WORLD")
$!
$! Output header
$!
$   WRITE SYS$OUTPUT -
"   PID    Username    Term     UIC     Process name  State Pri  Image"
$   WRITE SYS$OUTPUT -
"-------- ------------ ----- --------- --------------- ---  ---- -------"
$!
$ LOOP:
$   PID = F$PID(CONTEXT)
$   IF PID .EQS. "" THEN GOTO DONE
$!
$! Image name: drop the directory and the file type, keep the name only.
$!
$   IMAGNAME = F$GETJPI(PID,"IMAGNAME")
$   IMAGNAME = F$EXTRACT(F$LOCATE("]",IMAGNAME)+1,999,IMAGNAME)
$   IMAGNAME = F$EXTRACT(0,F$LOCATE(".",IMAGNAME),IMAGNAME)
$   IF IMAGNAME .EQS. "" THEN IMAGNAME = "Command"
$!
$! Get terminal name or assign descriptor (-DET- detached, -SUB- subprocess,
$! -NET-/-BAT- from the process mode)
$!
$   TERMINAL = F$GETJPI(PID,"TERMINAL")
$   IF TERMINAL .EQS. "" THEN -
      TERMINAL = "-"+F$EXTRACT(0,3,F$GETJPI(PID,"MODE"))+"-"
$   IF TERMINAL .EQS. "-INT-" THEN TERMINAL = "-DET-"
$   IF F$GETJPI(PID,"OWNER") .NE. 0 THEN TERMINAL = "-SUB-"
$!
$! Get a string full of the other goodies
$!
$   LINE = F$FAO("!AS !12AS !5AS !9AS !15AS !4AS !2UL/!UL !10AS", -
           PID, -
           F$GETJPI(PID,"USERNAME"), -
           TERMINAL, -
           F$GETJPI(PID,"UIC"), -
           F$GETJPI(PID,"PRCNAM"), -
           F$GETJPI(PID,"STATE"), -
           F$GETJPI(PID,"PRI"), -
           F$GETJPI(PID,"PRIB"), -
           IMAGNAME)
$   WRITE SYS$OUTPUT LINE
$   GOTO LOOP
$!
$! Restore verify and privileges, then exit
$!
$ DONE:
$   WRITE SYS$OUTPUT -
"-------- ------------ ----- --------- --------------- ---  ---- -------"
$   IF save_verify THEN SET VERIFY
$   xpriv = F$SETPRV(savpriv)
$   EXIT

You can upload the above program to help you keep track of who's on your
favorite hacked VMS and know what they're up to.

ACKNOWLEDGEMENTS:
-----------------

Silver Spy, Gary Seven, and the rest of the Legion of Hackers staff.
