Lex Luthor and The Legion of Hackers Present:

    HACKING VAX'S VMS Part III     

      This file will help ensure your survival on a VMS V4.x
system.  It also covers DECnet and lists the major changes in
the VMS operating system from Version 3.X to Version 4.X.


COMMON ACCOUNTS (Part III):
---------------------------

     Yet more common usernames found on various VMS systems.
First, try the username as the password and also combinations
thereof, to gain access.

Username:
---------
SYS
NETCON
ALLIN1
NETPRIV
OPERVAX
ALLINONE
TELEDEMO
NETSERVER
NETNONPRIV

     When logging in with these, or any other username, if you
encounter any problems, many of which were mentioned in Part II
under the 'Interior Barriers' section, you may wish to try:

Username: UNAME /NOCOMMAND
Password:
Password:

          LOD/H Counter-Intelligence System
    Last interactive login on Friday, 01-JUN-1985 10:20.11

     As you have noticed, the login qualifier /NOCOMMAND was
entered after the username. The qualifiers which may or may not
be allowed to be used at login are:

     1) /CLI    = (Command Line Interpreter) allows you to specify
               either DCL (Digital Command Language) which is the
               default, or MCR (Monitor Control Routine).

     2) /COMMAND= The default login command file for the account
               you are breaking into may not allow you access to
               the operating system. /NOCOMMAND ensures that the
               default login command procedure is not executed,
               and therefore you are able to gain access to the
               operating system, unless the account is a
               Captive account.

     3) /DISK   = Allows you to specify a DISK other than
               the default.

     4) /TABLES = Specifies the name of another CLI table to
               override the default listed in the UAF.

     The most commonly used of these is /NOCOMMAND. None of
these can be used when the account is a Captive account. A
Captive account allows very limited access to the system.
Captive accounts usually dump you into an application program or
special menu, which gives you very little mobility and little
chance of breaking out, since CTRL-Y is disabled, as is the use
of all login qualifiers; thus, a very useful security measure.

     Also shown above was a second password prompt which
indicates that the username requires a secondary password. This
is not implemented very often though.

STEALTH CAPABILITIES:
---------------------

     This section will explain how to reduce the chances of
being detected on a system. The following information is
especially useful for VMS Versions 4.x and above. Upon logging
on, there are certain commands which should be issued before you
begin to scavenge the system for data. They are, in order of
importance and occurrence: SHOW USERS, SHOW PROCESS/PRIVS, SHOW
SYS, SHOW AUDIT, and SHOW INTRUSION.

     SHOW USERS was mentioned in Part I. If you encounter other
users, you will want to take note of the usernames for two
reasons. One is to attempt to guess passwords which may allow
you higher access, or at least another account to fall back on
in case your current hacked account is terminated. The second is
that you will want to know if the users are 'active' or if they
left their terminal logged on and went home, thus posing no
immediate threat to you.

     $ SHOW PROCESS/PRIVS (This was also mentioned in previous
files). You must have sufficient privs to use SHOW AUDIT and
SHOW INTRUSION, so this will let you see whether you do. On
some systems, only the TMPMBX and NETMBX privileges are shown,
whether you have any other privs or not. Therefore, you should
try:

     $ SET PROCESS/PRIVS=GROUP (Start with GROUP and, if that
works, continue up the line to see if you have ALL). You may
need only certain privs to run programs, view files, etc., not
ALL.

     $ SHOW SYS

        VAX/VMS V4.2 on node COINS 01-JUN-1985 19:29:37.24
                     Uptime 14 07:06:05

Pid      Process Name State Pri I/O   CPU            Page flts Ph.Mem
00000080 NULL         COM   0   0     13 11:47:16.35      0     0
00000083 SWAPPER      HIB   16  0      0 00:00:25.29      0     0
00000084 JOB-CONTROL  LEF   8   10209  0 00:02:49.25  23461   121
0000071B LOD/H618     CUR   4   2593   0 00:00:09.22    658   161

     Pid stands for Process id; Process Name is a Username or a
batch job name. The most important bit of information is the
State. You will be particularly concerned with CUR, which means
CURRENTLY using the processor. You will see your own Username
with CUR next to it. If any other Process Name has a state of
CUR, and the name is also found when you perform the SHOW USERS
command, then you can be sure that another user of the system is
actually using the system and not on vacation with his terminal
logged on 24 hrs a day. If you are extremely paranoid or
extremely careful, you may want to log off, since that user may
check who is on the system and notice that a user (YOU!) is
logged on who should not be at that time, or whatever. This can
lead to changing of the hacked account's password, or even
worse, your detection/capture. COM and CMO mean the process is
computable, i.e. ready to use the processor. HBO and HIB are
HIBernating processes and you shouldn't worry about them. FPG
means that the process is waiting for a Free PaGe of memory. LEF
and CFO are interactive users who are thinking or may be waiting
for disk I/O; these are just as important to take note of as CUR.

     $ SHOW AUDIT Security alarms currently disabled
               or
     $ SHOW AUDIT Security alarms currently enabled for:

     ACL
     BREAKIN:      (DIALUP, LOCAL, REMOTE, NETWORK, DETACHED)
     FILE-ACCESS:
         FAILURE:  (READ, WRITE, EXECUTE, DELETE, CONTROL)
         BYPASS:   (READ, WRITE, EXECUTE, DELETE, CONTROL)
     LOGIN:        (DIALUP)
     LOGOUT:       (DIALUP)

     The SHOW AUDIT command reveals the extent of security which
is currently enabled or disabled on the system. Security
Operators may receive an alarm when:

     1) An Access Control List (ACL) requests the alarm. Files
which are so designated will sound an alarm when accessed either
legally or illegally. Thus, you will want to do a SHOW ACL on
files which you are suspicious of, before blindly accessing
them.

     2) The system detects a possible breakin attempt. This is
dependent upon what the 'threshold' is. The threshold may be 3
invalid attempts on an account, or 10 attempts. When the
threshold is reached, an alarm will sound. Knowing what the
threshold is, if any, will help you if you get 'locked out' of
the system. When you try to hack back in, if you only attempt 4
password attempts when the threshold is 5 and then move on to
the next username, an alarm will not sound, but of course, the
login failures will appear in the login message stating: '4
failures since last successful login.' when the valid user
finally logs in on that account. If there is no threshold, you
can hack and hack and not get an alarm. It is advised that you
hack until you get in on the same account, and then YOU will
receive the 200 login failures since last login message and NOT
the valid user. Also, if the threshold is reached, there may not
be anyone around to notice/hear it. But they will know about
it sooner or later. If they notice it right away, and you
continue, be sure to call someone to bail you out of jail, since
I don't think anyone would take an alarm too lightly. For all
they know, you could be committing industrial espionage, fraud
and embezzlement, or just another 'pesky' hacker.

     3) A file access fails with any of the R, W, E, D, or C
accesses. If this alarm is used, you should not use the methods
of scavenging noted in Parts I and II (the use of wildcard file/
directory searches) unless you have sufficient privileges,
because you will get all kinds of access attempt violations and
an alarm will sound. If this alarm is not activated, you can
perform file and directory searches all you want and no matter
how many error/violation messages you receive, no one else will
know about it.

     4) A file access with R, W, E, D, C access is gained by
means of the BYPASS privilege. No big deal, since if you have
BYPASS privs, you probably have ALL privs. System operators are
too lazy to assess end-user security needs and therefore give
them more privs than they need instead of limiting them to
BYPASS or some other privilege. So you access a file via another
priv, and avoid an alarm sounding. If there are no alarms
activated for using BYPASS, and you only have BYPASS (not
SETPRV, or SYSPRV) then you can still circumvent all file
protection and you will not have to worry whether the FAILURE
alarm is activated or not, since if you have access to all
files, how can there be a failure by you not having sufficient
access?

     If the system detects a possible breakin, file access
attempt, dialup port login, or whenever a dialup connection logs
out, an alarm will sound IF the qualifier is specified within
AUDIT. The dialup login alarm is especially useful if the
operators are on to you. They can simply set the alarm, tell all
valid users not to log in via dialup, and wait for you, the
would-be unsuspecting hacker (if you did not read this article,
that is), to log in and be subsequently traced.

$ SHOW INTRUSION/TYPE=ALL

Intrusion   Type    Count  Expiration   Source
TERMINAL   INTRUDER   9   08:34:24.56   TTA0
NETWORK    SUSPECT    2   09:03:33.39   COINS::NSAUSER1

     This command shows the contents of the breakin database,
which contains information about login failures that originate
from a specific source and that result from any number of
failure types (incorrect password, account expired, unknown
usernames). Valid Keywords are:

ALL      -This is the default, and shows all breakin entries.

SUSPECT  -Any and all login failures are recorded, but the
          threshold was not reached and it is not identified
          as an INTRUDER.

INTRUDER -Breakin entries which were high enough to warrant
          evasive action.

     If the message: '%SHOW-F-NOINTRUDERS, no intrusion records
match specification' appears, then the breakin database is
empty, thus, no one has attempted to illegally access the
system, or there is no recording of breakin attempts. You can
determine that, by SHOW AUDIT.

     If after you log in, you think you will be using the system
a lot, you may want to check the UAF, under the account you
intend to use for login flags. You do not want ANY of the login
flags to be used! You may want the [NO] in front of AUDIT. This
will definitely ensure that there is no auditing of the account,
and you will also want to make sure there is no ACCOUNTING of
the account. This may be suspicious, so use caution when doing
so. Most of the login flags are [NO] on default.

DECNET/PROXY LOGIN:
-------------------

     Networking on VAXes is a major security hole. Once you gain
access to a system which has DECnet, you can reach other nodes
on the network, or at least access files, do directory searches,
and run programs remotely without having to guess passwords to
access system resources! You can do this by:

1) $ TYPE PLOVER::SYS$SYSROOT:<SYSEXE>SYSUAF.LIS;*

2) $ DIR DOCWHO::SYS$SYSROOT:<000000...>

3) $ RUN LEGION::SYS$SYSROOT:<SYSEXE>AUTHORIZE 
   UAF>

     As you can see, the format is:

$ CMD-NAME NODE-NAME::DEVICE:<DIRECTORY>FILE-OR-PROGRAM-NAME

     Note: The node-name MUST be followed by the two colons.

     In example 1, you are simply listing out the contents of
the SYSUAF.LIS file, which is either a /BRIEF or a /FULL listing
of all users on the host system. Whenever a user enters LIST *
/BRIEF (or /FULL) the system will dump the information into a
file with the extension of .LIS instead of the screen. It would
be dumped to the screen if LIST was replaced with SHOW. See
Parts I and II for more on SYSUAF and AUTHORIZE.

     In example 2, you are simply getting a listing of all files
in all directories on the designated device/disk, beginning with
a directory containing a list of all other directories. And as
stated in previous articles, Usernames are usually the same as
some directory names.

     In example 3, you are running AUTHORIZE and can then get a
listing of all the users or can create an account, etc.

     So you see, you do not need to break into any of those
hosts, especially if you have full access on the hacked system,
since the privileges 'transfer' over to the remote node. If you
do not have full privs, you are limited to certain commands and
files. You should still be able to get enough information by
reading mail on all the other hosts, or obtaining usernames
through means mentioned in the HACKING VMS series, to get
priv'ed and then have priv'ed access on all other nodes. You can
also remotely SHOW NETWORK to see if other nodes are networked
with the remote node which are not networked with the hacked
system and then access those. One more note, on most systems,
all accesses to objects (See Part II) are recorded. And if there
are alarms for accessing objects on the remote node, they can go
off. Check the file, NETSERVER.LOG and other similar NET* and
.LOG files to determine exactly what information is and isn't
recorded.

ACCOUNTING:
-----------

     As usual, check previous articles for the basic information
on accounting. You will definitely want to continue using an
account which is consistently used. You do not want the system
manager to look at the accounting record and say 'No one should
be using this account, I wonder who it is...'.

$ ACCOUNTING /FULL /USER=(LOD/H618) /SINCE=20-MAY-1985

INTERACTIVE Process Termination
-------------------------------

Username:    LOD/H618   UIC:               [001,005]
Account:     LOD/H      Finish time:       21-MAY-1985 20:20:53.15
Process ID:  0000071B   Start time:        21-MAY-1985 20:20:06.36
Owner ID:               Elapsed time:                0 00:00:46.79
Terminal name:   TTD2   Processor time:              0 00:00:07.57
Remote node addr:       Priority:              4
Remote node name:       Privilege <31-00>: 00108000
Remote ID:              Privilege <63-32>: 00000000
Queue entry:            Final status code: 10000001
Queue name:
Job name:
Final status text:%SYSTEM-S-NORMAL, normal successful completion

Page faults:    644     Direct IO:      37
etc. etc.               etc. etc.

     The wildcard for accounting is a '-' instead of the usual
'*'. You can replace the username with a hyphen to view all
users' accounting records. There are many qualifiers which can be
used with the accounting command; the ones you will want to
get more information on via help are: /BEFORE, /FULL, /REPORT,
/SINCE, /SORT, /STATUS, /SUMMARY, /TYPE, and /USER.

     /TYPE=LOGFAIL is an important qualifier. This will show you
whether login failures are recorded or not. If so, you will see
all the 'hacksess' attempts made on the user(s) of your choice.
Now, if you get locked out, it shouldn't matter how many times
nor how many usernames you attempt to break into, since there
will be no record of it. If there is a record, you will want to
see if there is an alarm threshold, and if not, you should hack
the same account until you get in. You shouldn't try too many
usernames all at once unless you want all the passwords changed,
probably not leaving any default/common accounts for you to get
lucky on.
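     The SHOW INTRUSION table and the /TYPE=LOGFAIL paragraph above describe the same mechanism from two sides, so the following small Python model (added here for illustration; it is not part of the original article nor any DEC code) plays constructed login failures through a breakin database of that shape: one record per source, SUSPECT below the threshold and INTRUDER at it, with records that expire. The threshold, the record lifetimes and the sample sources are assumed values, not the real SYSGEN defaults or real hosts.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative values (not the real SYSGEN defaults): the article's "threshold"
# and how long a record of each type lives after its last failure.
THRESHOLD = 5
SUSPECT_LIFE = timedelta(minutes=5)
INTRUDER_LIFE = timedelta(hours=1)

@dataclass
class Record:
    kind: str             # "Intrusion" column: TERMINAL or NETWORK
    source: str           # TTA0, or NODE::USER for a network login
    count: int
    expiration: datetime

    @property
    def type(self) -> str:   # "Type" column: SUSPECT below the threshold, else INTRUDER
        return "INTRUDER" if self.count >= THRESHOLD else "SUSPECT"

class BreakinDatabase:
    """One record per (kind, source); records past their expiration vanish."""
    def __init__(self) -> None:
        self.records = {}   # (kind, source) -> Record

    def _purge(self, now: datetime) -> None:
        self.records = {k: r for k, r in self.records.items() if r.expiration > now}

    def login_failure(self, kind: str, source: str, now: datetime) -> Record:
        """Count one failed login from `source` and return the updated record."""
        self._purge(now)
        rec = self.records.setdefault((kind, source), Record(kind, source, 0, now))
        rec.count += 1
        rec.expiration = now + (INTRUDER_LIFE if rec.type == "INTRUDER" else SUSPECT_LIFE)
        return rec

    def is_evading(self, kind: str, source: str, now: datetime) -> bool:
        """True while evasive action (logins refused) is in force for `source`."""
        self._purge(now)
        rec = self.records.get((kind, source))
        return rec is not None and rec.type == "INTRUDER"

    def show_intrusion(self, now: datetime, type_filter: str = "ALL") -> str:
        """Render what SHOW INTRUSION/TYPE=<type_filter> would print."""
        self._purge(now)
        rows = [r for r in self.records.values() if type_filter in ("ALL", r.type)]
        if not rows:
            return "%SHOW-F-NOINTRUDERS, no intrusion records match specification"
        out = ["Intrusion   Type      Count  Expiration   Source"]
        for r in sorted(rows, key=lambda r: r.source):
            exp = f"{r.expiration:%H:%M:%S}.{r.expiration.microsecond // 10000:02d}"
            out.append(f"{r.kind:<11} {r.type:<9} {r.count:<6} {exp}  {r.source}")
        return "\n".join(out)

def demo() -> dict:
    """Constructed scenario: a burst on TTA0, two network failures, slow guessing on TTA3."""
    t0 = datetime(1985, 6, 1, 8, 0, 0)
    db = BreakinDatabase()
    for i in range(9):                          # nine failures inside 90 seconds
        db.login_failure("TERMINAL", "TTA0", t0 + timedelta(seconds=10 * i))
    for m in (1, 2):                            # two failures from a network user
        db.login_failure("NETWORK", "COINS::NSAUSER1", t0 + timedelta(minutes=m))
    now = t0 + timedelta(minutes=3)
    # Slow guessing: every failure arrives after the previous SUSPECT record expired, so
    # the count never passes 1; only per-attempt ACCOUNTING /TYPE=LOGFAIL records show all nine.
    slow, peak = BreakinDatabase(), 0
    for i in range(9):
        peak = max(peak, slow.login_failure("TERMINAL", "TTA3", t0 + timedelta(minutes=10 * i)).count)
    return {"table": db.show_intrusion(now), "slow_peak_count": peak,
            "tta0_evading": db.is_evading("TERMINAL", "TTA0", now),
            "after_expiry": db.show_intrusion(now + timedelta(hours=2))}
```

Calling demo()["table"] prints a table in the same layout as the SHOW INTRUSION output shown earlier, and demo()["after_expiry"] returns the %SHOW-F-NOINTRUDERS message once both records have lapsed.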

CHANGES IN VMS 4.X FROM VMS 3.X
-------------------------------

     VMS V.4 is a much larger operating system than the V3
flavour. Additions to the security, logical name, privilege and
priority systems have been made. A general list of modifications
follows:

1. Allows larger command buffers.

2. Has multinational character set capability.

3. Users can set the '$' prompt to their own choice of a string
up to about 30 characters (e.g., SET PROMPT="LOD> " <RETURN>,
after which commands are entered as LOD> SHOW ACL).

4. Command line recall (up to last 20 lines).

5. User defined keys.

6. Better error messages (they suggest actions to follow to
correct problems).

7. During a batch process, you can view the job log.

8. They redesigned/enhanced the Print/Batch subsystem for clusters.

9. Enhancements to DCL (new commands).

10. Any VMS Version 3.4 or above can be upgraded to Version 4.X.

11. They have changed the installation method.

12. VMSINSTAL has been expanded (It is not compatible with V3
syntax, but V3 install will still be available on the system).

13. It is now possible for the VMS system to be on different
system disks.

14. Cluster systems with common system disks support.

15. New commands for Connect/Disconnect since processes are left
running if a disconnect occurs. If your line is dropped, you can
log in and see your old process and reconnect to it.

16. Control character echoing (CTRL-Y and CTRL-C are echoed in
reverse video which says '*interrupt*'.)

17. Broadcast messages have been classed. You can determine
which broadcast messages you will receive. For example, you can
stop broadcast messages from being received while you are in the
editor.

18. They now have terminal support for all of the DEC terminals.

19. There are new terminal characteristics which can be set.

20. Security has been greatly modified:

     A. Disc Scavenge protection (deleted files are actually
        deleted rather than just being removed from the table of
        contents.)

     B. New privileges.

     C. Alphanumeric UIC's and Full longword UIC's.

     D. A rights database (a system manager can see what has a
        particular privilege.)

     E. Access Control lists.

     F. Login security.

     G. Security alarms.

     H. Optional system password to be entered before the
        'Username:' prompt will appear.

21. Support for larger Working Set (65,000 pages).

22. Run Time Library Enhancements (including Multiple shareable images).

23. Sort/Merge improved to 2.4 times faster.

24. EDT has been enhanced.

25. Utilities have been enhanced.

     A. Analyze/Media- Analyze/Crash-dump invokes SDA, has new
        keypad mode and new commands and qualifiers. If you set
        process/dump, analyze/process dump invokes debug.

     B. Exchange replaces FLX.

     C. Mail- 2 key ISAM files; date/time of insertion; mail
        goes into folders (3 given folders are mail, newmail,
        and waste-basket); 'file' stores mail to folders;
        'extract' creates disc files; New keypad mode.

     D. Librarian- Allows data reduction. /DATA=EXPAND will
        restore from REDUCE (stores spaces and tabs). This is
        not /COMPRESS which deletes spaces and tabs.

     E. Common Qualifier.

     F. Patch/Absolute.

26. RMS (Records Management Services) update, 39 characters for
filenames and their extensions. Directories can also have 39
characters.

27. All VMS products will be available on mag tape.

28. SYSGEN has been changed to reflect new parameters. New SHOW
/LGI will show security login information.

29. VMS Exec Enhanced. $GETSYI shows all SYSGEN parameters.

30. Process ID format has been changed. Process in Kernel AST
level is no longer deletable.

FILE PROTECTION:
----------------

     A newly created file, including a new generation, is
created with the user's default protection and NOT the default
protection of the directory. If the user protection is (RWED,
RWED,RE,) then users who are not in group 010,nnn cannot access
the file! To allow other users to access the file, WORLD access
is required. Generally, world protection is set to read-execute
(RE). Personally, I would not even allow the world to read or
execute files, since scavengers can easily find information
which could allow them to get privileged, and then simply bypass
the protection set on the file. But as I have said a hundred
times, many people are lazy and ignorant when it comes to
security.

     You can include this statement in any LOGIN.COM file:

     WORLD :== SET PROTECTION=(WORLD:RE)/CONFIRM

     This does the following:

     1. Can be used for explicit file name. Example: WORLD
        EMDEFS.COM
  
     2. Can be used with wildcard names. Example: WORLD *.COM

     3. Asks whether you want to change protection or not. When
        wildcard names are used, the question is asked for EACH
        file name, to which the user may respond 'Y' or 'N'.

     4. Very important! Because only world protection is used in
        the string, the current protection for System, Owner,
        and Group remains unchanged!

     A 'sister' command to the above to take away world protection is:

     NOWORLD :== SET PROTECTION=(WORLD)/CONFIRM

           or

     GROUP   :== SET PROTECTION=(GROUP:RE,WORLD)/CONFIRM
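     As an added example (not from the original article or any DEC manual), the following Python models the protection-mask merge behind point 4 above: a SET PROTECTION string changes only the categories it names, so the WORLD, NOWORLD and GROUP aliases leave System and Owner access untouched. The owner UIC [010,005] and the other UICs are constructed; the SYSTEM category and privileges such as BYPASS are deliberately left out of the model.

```python
ACCESS_BITS = "RWED"
CATEGORIES = ("SYSTEM", "OWNER", "GROUP", "WORLD")

def parse_protection(spec: str) -> dict:
    """Parse a DCL protection string into {category: frozenset of access codes}.

    Handles both spellings: keyword form "(S:RWED,O:RWED,G:RE,W:RE)" (names may be
    abbreviated; a bare name such as "(WORLD)" means no access) and positional form
    "(RWED,RWED,RE,)".  A category the string does not mention maps to None, which
    set_protection() below treats as "leave unchanged" (a modelling assumption).
    """
    fields = [f.strip().upper() for f in spec.strip().strip("()").split(",")]
    keyword_form = any(":" in f or (len(f) >= 2 and any(c.startswith(f) for c in CATEGORIES))
                       for f in fields)
    prot = dict.fromkeys(CATEGORIES)
    for pos, f in enumerate(fields):
        if keyword_form:
            if not f:
                continue
            name, _, codes = f.partition(":")
            cat = next((c for c in CATEGORIES if c.startswith(name)), None)
            if cat is None:
                raise ValueError(f"unknown category {name!r} in {spec}")
        else:
            if pos >= len(CATEGORIES):
                raise ValueError(f"too many positional fields in {spec}")
            cat, codes = CATEGORIES[pos], f
        if set(codes) - set(ACCESS_BITS):
            raise ValueError(f"bad access code in {spec}")
        prot[cat] = frozenset(codes)
    return prot

def set_protection(current: dict, spec: str) -> dict:
    """Model SET PROTECTION=<spec>: only the categories spec names are changed."""
    new = parse_protection(spec)
    return {c: (current[c] if new[c] is None else new[c]) for c in CATEGORIES}

def format_protection(prot: dict) -> str:
    """Render in keyword form, e.g. (S:RWED,O:RWED,G:RE,W): a bare W means no access."""
    parts = [c[0] + "".join(b for b in ACCESS_BITS if b in (prot[c] or ())) for c in CATEGORIES]
    return "(" + ",".join(p[0] + ":" + p[1:] if len(p) > 1 else p for p in parts) + ")"

def allowed(prot: dict, owner_uic: tuple, user_uic: tuple, access: str) -> bool:
    """Simplified check by UIC (group, member): owner, then same group, else world.

    The SYSTEM category and privileges such as BYPASS or SYSPRV are outside this
    model; as the article notes, they sidestep the protection mask entirely.
    """
    if user_uic == owner_uic:
        cat = "OWNER"
    elif user_uic[0] == owner_uic[0]:
        cat = "GROUP"
    else:
        cat = "WORLD"
    return access in (prot[cat] or frozenset())

if __name__ == "__main__":
    # Walk the article's aliases over a file created as (RWED,RWED,RE,), owner [010,005].
    prot = parse_protection("(RWED,RWED,RE,)")
    for alias, spec in (("WORLD", "(WORLD:RE)"), ("NOWORLD", "(WORLD)"),
                        ("GROUP", "(GROUP:RE,WORLD)")):
        prot = set_protection(prot, spec)
        outsider = allowed(prot, (0o10, 0o5), (0o20, 0o3), "R")
        print(f"{alias:8} -> {format_protection(prot):28} [020,003] may read: {outsider}")
```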

DCL PROGRAMMING:
----------------

     This section will carry useful programs in subsequent files;
this one was copied from a DEC manual.

$! A helpful system status display
$! (more meaningful than SHOW SYSTEM).
$! Copied from VMS doc vol 2B pg A-10
$!
$! DCL string literals are double-quoted; the single quotes in the
$! transcription have been restored and the stray substitution
$! apostrophes around the F$GETJPI calls removed.
$!
$ SAVE_VERIFY = F$VERIFY(0)
$ CONTEXT = ""
$ SAVPRIV = F$SETPRV("GROUP,WORLD")      ! needed to see other users' processes
$!
$! Output header
$!
$ WRITE SYS$OUTPUT -
" PID  Username Term  UIC  Process name State Pri  Image"
$ WRITE SYS$OUTPUT -
"----- -------- ----- ---- ------------- --- ---- -------"
$!
$ LOOP:
$   PID = F$PID(CONTEXT)                 ! next PID; empty string when done
$   IF PID .EQS. "" THEN GOTO DONE
$!
$! Reduce the image name to its bare file name, e.g. [SYSEXE]SHOW.EXE;1 -> SHOW
$!
$   IMAGNAME = F$GETJPI(PID,"IMAGNAME")
$   IMAGNAME = F$EXTRACT(F$LOCATE("]",IMAGNAME)+1,999,IMAGNAME)
$   IMAGNAME = F$EXTRACT(0,F$LOCATE(".",IMAGNAME),IMAGNAME)
$   IF IMAGNAME .EQS. "" THEN IMAGNAME = "Command"
$!
$! Get terminal name or assign descriptor
$!
$   TERMINAL = F$GETJPI(PID,"TERMINAL")
$   IF TERMINAL .EQS. "" THEN -
      TERMINAL = "-" + F$EXTRACT(0,3,F$GETJPI(PID,"MODE")) + "-"
$!
$   IF TERMINAL .EQS. "-INT-" THEN -
      TERMINAL = "-DET-"                 ! interactive mode, no terminal: detached
$!
$   IF F$GETJPI(PID,"OWNER") .NE. 0 THEN -
      TERMINAL = "-SUB-"                 ! has an owner process: subprocess
$!
$! Get a string full of the other goodies
$!
$   LINE = F$FAO("!AS !12AS !5AS !9AS !15AS !4AS !2UL/!UL !10AS", -
           PID, -
           F$GETJPI(PID,"USERNAME"), -
           TERMINAL, -
           F$GETJPI(PID,"UIC"), -
           F$GETJPI(PID,"PRCNAM"), -
           F$GETJPI(PID,"STATE"), -
           F$GETJPI(PID,"PRI"), -
           F$GETJPI(PID,"PRIB"), -
           IMAGNAME)
$   WRITE SYS$OUTPUT LINE
$   GOTO LOOP
$!
$! Restore verify and privileges, then exit
$!
$ DONE:
$   WRITE SYS$OUTPUT -
"----- -------- ----- ---- ------------- --- ---- -------"
$   IF SAVE_VERIFY THEN SET VERIFY
$   XPRIV = F$SETPRV(SAVPRIV)            ! put the privileges back as they were
$ EXIT

     You can upload the above program to help you keep track of
who's on your favorite hacked VMS and know what they're up to.

ACKNOWLEDGEMENTS:
-----------------

Silver Spy, Gary Seven, and the rest of the Legion of Hackers staff.
