=======================================
!   HACKING RSTS/E V9.X-XX Volume I   !
!  /-------------------------------/  !
!                By                   !
!           The Marauder              !
!      Legion of Doom/Hackers!        !
!      Written - June 13, 1986        !
!Copyright (c) - Zone Communications  !
!    This document was written for    !
!      educational purposes only      !
=======================================

     In this volume, I will discuss the various aspects of the
RSTS/E V9 operating system, as well as some of the differences
between V9 and the older versions of RSTS/E. For the most part
I will assume you have read my previous files on RSTS.

     Version 9 is again found running on the DIGITAL PDP series
of computers, and is the only version of RSTS supported on the
PDP-11/84. As with the older versions, it will identify itself
with a standard RSTS system header, which should look
something like this:

Kewit Computing RSTS V9 <DIALUP> KB26 Job 26 6-JUN-86 12:37:00
User:

     At this point, RSTS is waiting for you to enter a valid
account number (or PPN, for Project Programmer Number), which
consists of two numbers between 0 and 254 inclusive, separated
by a comma (examples:  1,55 100,100 30,10); the 1,XXX accounts
are again fully privileged by default. After you enter a valid
PPN, RSTS/E will prompt with 'Password:', where it of course is
awaiting a password. The passwords again consist of 1 to 6
characters, made up from the letters A through Z, the numbers
0 through 9, or a combination of both (ie: SYSTEM, 12TEST,
DIAG1). On the older versions of RSTS you could also execute a
'fast login' by entering the password along with the PPN in the
format 'PPN;PASSWD' (ie 30,10;SECRET); this unfortunately is no
longer valid. On V9 you must enter the PPN followed by a <C/R>,
and await the password prompt (so for those of you who have a
copy of my RSTS password hacker, it will have to be modified to
run correctly on V9). If you enter both a valid PPN and its
matching password, you will be in. If an invalid PPN/passwd
combo was entered, RSTS will respond with 'Invalid entry -
please try again.', and place you back at the 'User:' prompt (5
attempts are granted I believe). Here are some common defaults
found on RSTS 9, and all versions in general:

[1,2] - SYSLIB, DECMAN, SYSTEM, SYSMGR  [100,100] - GAMES, DEMO
[1,3] - AUXLIB                          [200,200] - DECNET, DECMAL, MAIL
[1,5] - BACKUP, TAPE, OFLINE            [100,XXX] - DEMO
[1,XXX] - DEMO                          [1,99] - DIGITAL, DEC, FIELD, DDC

     Once in, you will generally find that the keyboard monitor
no longer defaults to BASIC but to DCL, which all VMS hackers
will recognize by the '$' prompt. You can get to BASIC simply
by typing 'SW BASIC', but you will find that many of the familiar
RSTS/E utilities are no longer supported; these include (among
others) UTILTY, MONEY, REACT, and TTYSET. They have for the most
part been replaced with the equivalent DCL command strings.

    The version of DCL used with RSTS/E is similar to that found
running on the VAX/VMS runtime systems, but the qualifiers and
data parameters (arguments) sometimes differ greatly between
VMS and RSTS/E. At any rate, the first thing to do once in is try
the 'HELP' command; it is almost always available and offers
explicit help on all of the commands and features available.

ACCOUNTS
--------
    DEC has greatly enhanced the account attributes, modifiable
by the DCL 'SET ACCOUNT' command (provided you have the proper
privileges, of course). Some of the new account features are:

CAPTIVE - A captive account can only be logged into while the
user of that account is within a DCL command procedure (generally
found in the LOGIN.COM file, which will be explained later). If
RSTS sees that a captive account is in use at the interactive
level (ie, at the DCL or BASIC command prompt), it will remove
that job from the system. By default, all accounts created are
of the type 'NOCAPTIVE'.

NODIALUP - If an account has the NODIALUP attribute, you cannot
login to this account via a dialup line (you will find that on
a semi-secure system the 1,* accounts are thus marked), although
by default an account is created as DIALUP.

EXPIRE - (format = /EXPIRE=date) allows you to specify an
expiration date for the account, after which it can no longer be
logged into, although it will still remain on the system; you
can use the command 'SET ACCOUNT/EXPIRE=date' to reset the
expiration. By default I believe accounts are created as
'NOEXPIRE'.

LOOKUP - Allows you to specify whether the account's password
can be seen using the 'SHOW ACCOUNT/FULL' command. An account
with the NOLOOKUP attribute will not show its password (using ANY
program/utility), whereas an account with the LOOKUP attribute
will. By default, accounts are created as 'LOOKUP'.

NONETWORK - Similar to NODIALUP, but it applies to persons
logging in via DECNET (via the SET HOST command). By default
accounts are 'NETWORK'.

PRIVILEGES - Accounts can be granted various levels of
privileges, up to full. You can examine what particular
privileges your account has by again using the 'SHOW
ACCOUNT/FULL' command, or modify them by using the 'SET
ACCOUNT/PRIV=priv' command (ie: SET ACCOUNT/PRIV=WACNT).

CREATING YOUR OWN ACCOUNT
-------------------------
    This requires that you have hacked into an account with the
proper privileges (it must have either GACNT or WACNT; more on
these later). If your account has GACNT privileges, you will have
to create a PPN within that group (GACNT = Group ACcouNT
privileges); for example, if the account you're in is account
[100,1], you will have to create an account that has a project
number of '100' (ie. 100,2  100,250 etc..). If the account you
are in has WACNT privs, you can create an account anywhere on
the system (WACNT = World ACcouNt). Once you have
determined the account you wish to create (and made sure an
account with that PPN doesn't already exist!), execute the
following command. For this example we'll assume you want to
create account [200,230]; you would type:

'CREATE/ACCOUNT/PRIV=ALL [200,230]'

PRIVILEGES
----------

     Above I stated that under V9 any account can be given full
privileges. This is again a new feature of Version 9; under the
older versions of RSTS, any account could be given OPERATOR
privs, but this was basically useless, since it only allowed
the owner to send messages to a program called OPSER, which you
have probably seen while doing a SYSTAT, usually running detached
under account [1,2]. While this was better than no privilege at
all, it lacked the power of a fully privileged [1,*] account.
Under V9 this is a different matter: now any account with a
privilege attribute of ALL has the same level of privilege as a
[1,*] account. To examine what level of privilege your
particular account has, simply type the command 'SHOW
ACCOUNT/FULL'; this will list out the various account
attributes, along with the levels of privilege granted. To
modify an already existing account's privilege level, use the
SET ACCOUNT command as:

'SET ACCOUNT/PRIV=privname'

Following is a list of the more useful levels of privilege, and
a short description of each:

DATES  - Allows you to alter the system time & date.

DEVICE  - Allows you to open/read/allocate any device marked as
restricted.

EXQTA  - Allows the account to exceed its storage quota, and it
also allows a program running using that account to exceed its
maximum memory allowance.

GACNT  - Allows you to create/delete/modify any account in your
group. Allows spawning of jobs under any account in your group.
Login to any other account in your group without its password.
(GROUP = any other account with the same project number as you).

GREAD  - Read or execute any file in your group, regardless of
protection.

GWRITE  - Create/modify/rename/delete any file in your group.

HWCFG  - Change system hardware configurations.

HWCTL  - Allows you to change a device's operation, such as
changing another user's terminal attributes.

INSTAL  - Install or remove system runtime systems, swap files,
and libraries.

JOBCTL  - Allows you to detach or remove other jobs from the
system (ie: REMOVE/JOB=4, would kill the user logged in under
job 4).

MOUNT  - Allows the mounting and dismounting of system disks.

PBSCTL  - Control the Print Batch Services, allows you to
stop/start batch servers, and hold/release batch entries.

RDMEM  - Allows you to PEEK at memory locations.

RDMFS  - Read a disk in non-file structured mode. (ie: dump the
contents).

SEND  - Allows you to BROADCAST messages to restricted
receivers. (ie. Using the DCL 'BROADCAST' command.)

SETPAS  - Allows you to change your account's password. (ie:
Using the DCL command 'SET PASSWORD')

SHUTUP  - Allows you to shutdown the system, using the
'[1,2]SHUTUP' program.

SWCFG  - Change software configuration, such as initializing or
deleting batch servers and queues.

SYSIO  - Allows you to write files into the [0,*] group, and
also allows you to set the privilege bit (128) in file
protection codes. So if you were to write a BASIC program that
listed out passwords, etc., but it needed privilege to run, and
your account had SYSIO privileges, you would simply use PIP to
change the file's protection to <128> or <232>, etc. For example,
if your program is called GETPAS.BAC, simply type 'PIP
GETPAS.BAC<128>/RE/LO'; the program would now be granted temp
privilege while running!
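As an added audit-side example (not part of the original file), the following decodes RSTS/E <nnn> protection codes of the kind mentioned above and lists files carrying the privilege bit (128) that live outside the [0,*] and [1,*] system groups. The file above names only bit 128; the remaining bit meanings, the sample listing and the function names are assumptions of this example.

```python
import re

# Standard RSTS/E protection-code bits.  The file names only bit 128; the
# other meanings are an assumption of this added example (usual <nnn> layout).
PROTECTION_BITS = {
    1:   "read-protected against owner",
    2:   "write-protected against owner",
    4:   "read-protected against group",
    8:   "write-protected against group",
    16:  "read-protected against world",
    32:  "write-protected against world",
    64:  "executable (compiled)",
    128: "privileged (runs with temporary privilege)",
}

# '[proj,prog]NAME.EXT' -- DCL insists on the square-bracket form.
FILESPEC_RE = re.compile(r"^\[(\d{1,3}),(\d{1,3})\](.+)$")

def decode_protection(code):
    """Return the descriptions of every bit set in a <nnn> protection code."""
    if not 0 <= code <= 255:
        raise ValueError("protection code must be 0..255: %r" % code)
    return [desc for bit, desc in PROTECTION_BITS.items() if code & bit]

def is_privileged(code):
    """True when bit 128 is set, i.e. the file runs with temporary privilege."""
    return bool(code & 128)

def parse_filespec(spec):
    """Split '[proj,prog]NAME.EXT' into (proj, prog, name); PPN parts 0..254."""
    m = FILESPEC_RE.match(spec)
    if not m:
        raise ValueError("expected [proj,prog]name, got %r" % spec)
    proj, prog = int(m.group(1)), int(m.group(2))
    if not (0 <= proj <= 254 and 0 <= prog <= 254):
        raise ValueError("PPN numbers must be 0..254: %r" % spec)
    return proj, prog, m.group(3)

def find_stray_privileged(listing):
    """Filespecs with bit 128 set outside the [0,*]/[1,*] system groups."""
    return [spec for spec, code in listing
            if is_privileged(code) and parse_filespec(spec)[0] > 1]

# Constructed sample listing of (filespec, protection code); not real data.
SAMPLE_LISTING = [
    ("[1,2]LOGIN.COM", 60),
    ("[1,2]SHUTUP.TSK", 232),
    ("[100,100]HELLO.BAS", 60),
    ("[200,230]GETPAS.BAC", 232),
]
```

On the sample listing, find_stray_privileged() reports only [200,230]GETPAS.BAC, and decode_protection(232) shows why: group/world write protection, executable, and the privilege bit.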

SYSMOD  - Allows you to 'POKE' memory locations.

TUNE  - Change a job's priority, runburst, swapping, etc. attributes.

WACNT - Same as GACNT, but on a system-wide basis. (ie: login to
any account without supplying a password.)

WREAD - Read or execute any file on the system, regardless of
its protection code.

WRTNFS - Write to a disk in non-file structured mode.

WWRITE - Create/modify/delete/rename any file on the system.

ALL - Account has full privileges (all of the above).

LOGIN.COM
---------

    Every account has the capability of executing a 'special'
set of DCL commands upon entry. This set of commands resides in
the 'LOGIN.COM' file in the said account. The commands can be a
simple set of device commands, or they could be an entire DCL
program/script. Such is always the case with accounts with an
attribute of 'CAPTIVE'; these accounts stay within the DCL
script contained in LOGIN.COM, and never exit to command level.
Although in some cases you may find you can break out of a
captive DCL script, and find that the account is NOCAPTIVE, and
go on your merry way, since the system manager forgot to specify
the account as captive. There is also a system-wide LOGIN.COM
file that resides in account [1,2]; this command file is
executed by EVERY account that logs into the system, and I don't
know of any login command similar to the '/NOEXECUTE' login
qualifier present on VMS. Upon logging in, RSTS/E forces your
account to execute [1,2]LOGIN.COM (which usually gives you
some information about the last time you changed your password,
etc.). Upon completion of executing [1,2]LOGIN.COM, RSTS then
looks in your own account for a file named LOGIN.COM. If it is
present, it will be executed. If it is not present, RSTS simply
places you at the default KBM command level, and you are fully
logged in.

** NOTE - The DCL command file [1,2]LOGIN.COM is an exceptional
place to put extra commands, and 'back door/trojan horse/etc.'
type commands. If there is sufficient interest, I will devote a
file to that art.

MISC NOTES
----------

      If you login to DCL command level (ie: prompt = '$'), you
will NOT be able to run BASIC programs (ie: programs with a .BAS
extension). To correct this, simply use the SWITCH command to
change your KBM (KeyBoard Monitor) to BASIC; do this by typing
'SW BASIC', or on some systems you may have to type
'BASIC/BPLUS'. In either case, you will now be in BASIC, and can
OLD, RUN, and LIST programs as usual. (Note: when at BASIC command
level, you can execute any DCL command by simply preceding it
with a '$', ie: '$SHOW USERS'.) On the other hand, most of the
examples I have used in this file are in DCL format, so if you
login to a default KBM of BASIC (ie: prompt = 'Ready'), simply
type 'SW DCL', or on some systems simply 'DCL' or '$DCL'; this
should bring you to DCL command level. If DCL is not available
on the system (slim chance, since I believe it has to be), then
the procedures described in my 'HACKING RSTS/E' files could
possibly be put to use. (Note: programs with .BAC, .TSK, .SAV,
and .COM extensions can be run from DCL level.) To login to
another account once logged in, simply use the 'LOGIN XXX,XXX'
command; typing 'LOGIN' alone will re-execute [1,2]LOGIN.COM and
your own LOGIN.COM file and re-log you into your own account.
The command to list the active users/jobs and various system
information, 'SYSTAT', has various DCL equivalents, such as
'SHOW JOB/ALL', 'SHOW SYSTEM', 'SHOW SERVERS', etc., but in
most cases I believe SYSTAT is still fully supported. Also, while
at DCL command level, note that DCL is very sensitive to '[' and
'(' in the account qualifiers: it forces you to bracket your
account qualifier with square brackets ('[xxx,xxx]'), where
the older versions allowed you to substitute parentheses and
square brackets quite freely. Example: 'SET ACCOUNT/PRIV=ALL
(200,200)' would generate an error message; the proper format
would be 'SET ACCOUNT/PRIV=ALL [200,200]'.


    This concludes this volume; until the next one, dial with
care..


                                    The Marauder
                                    Legion of Doom/Hackers!
