                 $LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$
                      Lex Luthor and LOD/H Present:
                        ADVANCED HACKING VAX'S VMS
                 $LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$

   This file will explain in detail the more useful commands, the
   notable differences of Version 4.0 and higher from older versions,
   and exploit the new security features and software available for
   VMS.

                       (C) Written 01-JUN-85
                   By: Legion of Doom/Hackers
                 $LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$

NOTE: All references to things in < > should be replaced by square brackets.


VAX/VMS BACKGROUND:
-------------------

The VMS Operating System supports all VAX-11 series computers. The system
permits an absolute limit of 8192 concurrent processes; the actual number
depends on the physical memory and secondary storage available. The
practical limit is in excess of 100 concurrent users for a large-scale
system. The initial license fee is $10,000, and when run on the VAX 8600
the fee is $15,000. There are an estimated 22,000 sites running VAX/VMS.


CORRECTIONS:
------------

I mentioned in Part I that VMS runs on the PDP-11. This was a mistake;
UNIX is the operating system which can run on both the VAX and PDP
machines.


LOGGING IN:
-----------

   Username: ACIRS508
   Password: LOD/H

   Advanced Computer Insecurity Research System (ACIRS).
   VAX/VMS Version 4.2

   Last interactive login on Wednesday, 01-JUN-1985 10:20.11
   Last noninteractive login on Friday, 30-MAY-1985 15:38.27
   2 failures since last successful login
   You have 1 new mail message
   $

All login procedures are executed by one of two methods, interactive or
noninteractive. Interactive logins require the user to follow the prompts
of the system for information. Noninteractive logins are performed
exclusively by the system without user interaction. Types of logins are:

1) Local: This is executed by a user who is directly connected to the CPU.

2) Dial-up: Login using dial-up lines.
3) Remote: Remote logins are performed to a node over a network.

4) Network: Network logins are noninteractive, as they are accomplished
   automatically when a user accesses files stored in a directory on
   another node or performs a network task on a remote node, assuming
   they are both nodes on the same network.

5) Batch: A batch login is another noninteractive automatic procedure,
   performed when a batch process initiated by a user actually runs.

6) Subprocess: Subprocess logins are always noninteractive, although they
   are also the result of a user executing either a specific process form
   of a command or a system service.

Other types are: the Proxy login, a type of network login permitting a
user to access files across a network, and the Detached process login,
which can be specified by the user as either interactive or
noninteractive. It is the result of a user executing either a specific
process form of a command or a system service.


COMMON ACCOUNTS (PART II):
--------------------------

Here are some more common accounts which may enable you to gain access.
One note: there is a difference between default and common accounts.
Defaults are put in by the manufacturer, and common accounts are
characteristic of most computers or operating systems of the same make.

   Username:   Password:
   ---------   ---------
   RJE         RJE
   HOST        HOST
   LINK        LINK
   INFO        INFO
   BACKUP      BACKUP
   NETWORK     NETWORK
   DECMAIL     DECMAIL
   HELPDESK    HELPDESK
   REPORT(S)   REPORT(S)

As you have noticed, we are relying on the user to use their username as
a password. If none of these get you in, you may want to try first names,
social security numbers, initials, etc. Remember, all you have to do is
get in; worry about getting privileged later.


PASSWORD SECURITY:
------------------

Passwords can be selected by the user or automatically generated by the
system. User-selected passwords require a minimum length of characters to
prevent use of familiar, easy-to-guess words.
Automatically generated passwords offer the user a choice of randomly
sequenced characters resembling English. All passwords need to be changed
about every 30 days and are one-way encrypted when stored.

There are 2 levels of passwords used: A user password is required of the
majority of users. A system password is required prior to a user password
when restricting access to a particular terminal. For maximum security
two user passwords may be required, a primary password and successively a
secondary password. I have not encountered this yet, but I thought I
would just mention the capabilities of the VMS security system.


INTERIOR BARRIERS:
------------------

On some systems, after successfully logging on with the username/password
combination, the system may ask you to enter a dial-up, modem, remote,
etc. password; it may dump you into an application program; or it may
give you a "device not found" error. In any case, this prevents you from
gaining access to the operating system.

A possible way around these problems is to hang up and call back the
system, and hit control-C and/or control-Y after the initial logon
sequence. This will prevent the system from executing the security
program, the LOGIN.COM file, or the application program, or from
detecting that there is not a device assigned to the user in question.
You may have to try this a few times, since timing may be crucial.

Most likely, you will not be able to break out of the program itself
after logon, because of the command "SET NOCONTROL=Y" which inhibits the
use of control-Y. If you find that this doesn't work, then SET NOCONTROL=Y
has been implemented from the start of your login, which is accomplished
by running AUTHORIZE and changing the user characteristics in the UAF.
But as usual, this is not done, whether it's because the system manager
is lazy, ignorant, or maybe the use of the control character is needed
later in the logon session; thus, you gain unauthorized access to the
machine.
VERSION 4.2:
------------

As you have seen, Version 4.2 was mentioned. At the time of this writing
it is under testing and not yet released, but DEC kind of 'leaked' this
information to LOD/H via their DECnet (hehe). Also, from the banner, you
can deduce that 4.0 and above has an extensive audit trail, which, when
implemented, records login failures. Thus, be careful when attacking VMS
4.0 and up using trial and error techniques.


SECURITY FEATURES:
------------------

Security for VMS is based on the reference monitor concept. Under this
concept the reference monitor is the central security point for the
following:

1) Subjects: users, processes, batch jobs.

2) Objects: files, programs, terminals, tapes, disks, mailboxes.

3) Reference monitor database: user authorization files, rights database,
   file protection, access control lists.

4) Security audit.

The reference monitor system mediates every attempt by a subject to gain
access to an object.

The greatest advantage of VMS is its flexibility. The system manager can
choose to implement or ignore a wide range of security features;
fortunately for the hacker, they all seem to ignore the important ones.
It is possible to protect all, any or none of the files created. It is
also possible to provide general or restricted passwords, or no passwords
at all. Access codes can be global or limited. The use log can be
ignored, used only for record keeping, or be employed as a security
control tool. Finally, the encryption system can be activated where
needed, defaulting to uncoded material for normal use.

VAX/VMS has the following security features that are designed to prevent
unauthorized access or tampering:

1) It provides a system of password controls and access levels that allow
   the security manager to open sections of the system only to those
   users with a particular requirement or legitimate interest.

2) It keeps a careful log of all interactions so that questionable uses
   can be challenged and documented.
3) It supports an encryption system that allows system management to
   create coding keys that are necessary for access to programs or
   databases.

The encryption system of VAX/VMS provides an additional level of
security; however, the other security features are sufficient to deter
most losers. The encryption system included in the operating system
package would probably not stop those few so motivated. The ENCRYPT
facility does not use a sufficiently complex algorithm to be unbreakable,
although it would slow down or halt most potential abusers.


AUDIT TRAIL:
------------

The security log feature, if monitored, and that's a big IF, is a major
disadvantage for the hacker. Flag codes can alert an operator to an
ongoing hack; review can isolate users attempting to exceed access
restrictions. The system can "freeze" a terminal if a breach is
discovered, or if multiple wrong access codes are attempted. Of course,
the log system functions somewhat after the fact, and it is possible,
though difficult, to alter the security log.

A terminal can be designated as an audit alarm console, and all
auditable events are displayed on the console. Some events, such as
certain login failures and uses of privilege, are always auditable.
Other events, such as successful or unsuccessful attempts to gain access
to sensitive files, can be selected by users or security managers for
auditing. For example, the owner of a sensitive file might create an ACL
entry requesting that all accesses to that file be audited; whether
someone reviews that audit is another story.


INTERNAL SECURITY:
------------------

VAX/VMS determines access to objects by utilizing two protection
mechanisms: Access Control Lists (ACLs) and User Identification Codes
(UICs). It takes the two together, acting with user privileges, for
access.

Access Control Lists:

The ACL uses identifiers to specify users.
There are three types:

1) UIC identifiers depend on the user identification code that uniquely
   identifies each user on the system.

2) General identifiers are defined by the security manager in the system
   rights database to identify groups of users on the system.

3) System-defined identifiers describe certain types of users based on
   their use of the system.

An ACL consists of one or more Access Control List Entries (ACEs). There
are three types of these:

1) Identifier ACE: This controls the type of access allowed to a
   particular user or group of users. Access types are: READ, WRITE,
   EXECUTE, DELETE, CONTROL, and NONE.

2) Default protection ACE: This defines the default protection for
   directory files only.

3) Security alarm ACE: Watch out for this one! It provides an alarm
   message when an object is accessed. This will alert managers to
   possible security threats (YOU!). Alarms may be generated when an
   unauthorized user performs the following access types: READ, WRITE,
   EXECUTE, DELETE, or CONTROL. Alarms are also issued for the SUCCESS or
   FAILURE of these attempts.

User Identification Codes:

As stated in Part I, each user has a UIC. Each system object also has an
associated UIC, defined to be the UIC of its owner, and a protection code
that defines who is allowed what type of access. Also mentioned in Part I
was the protection put on objects: System, Owner, Group, and World.
Depending on these, the protection code can grant or deny access to allow
a user to read, write, execute, or delete an object.

When you log in, the identifiers which are in your "rights database" are
copied into a rights list that is part of your process. The rights list
is the structure that VMS uses to perform all protection checks.
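To make the two mechanisms concrete, here is an added example (Python, not part of the original file and not VMS code) that models how a protection code in the form DIR /FULL prints it ("System:RWED, Owner:RWED, Group:, World:"), identifier ACEs, and the BYPASS, SYSPRV and READALL privileges combine to decide a single access. The owner UIC [200,17], the ACIRS_STAFF identifier and the system-group threshold are constructed assumptions.

```python
SYSTEM_GROUP_MAX = 8   # assumed: UIC groups <= this fall in the System category
                        # (real VMS takes this from the MAXSYSGROUP parameter)


def parse_protection(text):
    """'System:RWED, Owner:RWED, Group:, World:' -> {'System': {'R','W','E','D'}, ...}"""
    prot = {}
    for field in text.split(","):
        category, _, bits = field.strip().partition(":")
        prot[category] = set(bits.strip())
    return prot


def categories(proc_uic, owner_uic, privs):
    """Protection-code fields that apply to a process, least specific first."""
    cats = ["World"]
    if proc_uic[0] == owner_uic[0]:
        cats.append("Group")
    if proc_uic == owner_uic:
        cats.append("Owner")
    if proc_uic[0] <= SYSTEM_GROUP_MAX or "SYSPRV" in privs:
        cats.append("System")      # SYSPRV: access via the System field
    return cats


def check_access(proc_uic, rights, privs, owner_uic, protection, acl, want):
    """Return (granted, reason) for one access type: 'R', 'W', 'E' or 'D'.
    rights: the process's rights list; privs: privilege names;
    acl: identifier ACEs as (identifier, set of access letters)."""
    if "BYPASS" in privs:
        return True, "BYPASS skips UIC and ACL checking"
    allowed = categories(proc_uic, owner_uic, privs)
    # ACL first: the first identifier ACE matching the rights list decides.
    # A denying ACE does not override the Owner and System fields, so those
    # are still consulted below; Group and World are not.
    for ident, access in acl:
        if ident in rights:
            if want in access:
                return True, f"ACE for {ident} grants {want}"
            allowed = [c for c in allowed if c in ("Owner", "System")]
            break
    prot = parse_protection(protection)
    for cat in reversed(allowed):           # most specific field first
        if want in prot.get(cat, set()):
            return True, f"{cat} field grants {want}"
    if want == "R" and "READALL" in privs:
        return True, "READALL grants read regardless of protection"
    return False, f"no ACE or protection field grants {want}"


if __name__ == "__main__":
    # Constructed sample: the protection DIR /FULL showed on INTRO.TXT,
    # an assumed owner UIC [200,17] and one assumed identifier ACE.
    prot = "System:RWED, Owner:RWED, Group:, World:"
    acl = [("ACIRS_STAFF", set("RE"))]
    cases = [("owner", (200, 17), set(), set()),
             ("same group", (200, 23), set(), set()),
             ("ACIRS_STAFF holder", (300, 5), {"ACIRS_STAFF"}, set()),
             ("SYSTEM [1,4]", (1, 4), set(), set()),
             ("READALL user", (300, 5), set(), {"READALL"})]
    for who, uic, rights, privs in cases:
        for want in "RD":
            print(who, want, check_access(uic, rights, privs, (200, 17), prot, acl, want))
```

Run as-is it walks the sample cases; the empty Group and World fields mean a same-group user gets nothing unless an ACE, READALL or a privileged category intervenes.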
GENERAL SYSTEM COMMANDS:
------------------------

DECnet was briefly mentioned in Part I, but I have noticed that this is
more important than I had originally anticipated, especially after I
checked a system which had 100+ nodes on the network, all of which I
proceeded to break into. Anyways, the procedure is:

   $ SHOW NETWORK

   Node        Links   Cost   Hops   Line
   1 LEGION      0      61     6     DMC-5
   2 ARCHER      0      11     1     DMC-5
   3 DOCWHO      0      18     2     DMC-5
   4 BLOTTO      0      20     3     DMC-5
   5 PLOVER      0      15     3     DMC-5

   Total of 5 nodes.

   $ SET HOST ARCHER

You will get one of two responses when connecting to a node on a network:

   Username: ~Y
   ~Y
   Are you repeating ~Y to abort the remote session on node ARCHER? Y
   %REM-S-END, control returned to node ACIRS::

or

   %REM-F-NETERR, DECnet channel error on remote terminal link
   %SYSTEM-F-UNREACHABLE, remote node is not currently reachable.

In the first instance, I merely hit two control-Y's to abort the login;
the second meant that either the system is not operating or that there is
not a node by that name.


DIRECTORIES:
------------

Instead of using wildcards for getting a directory listing, try:

   $ DIR <000000...>

   Directory SYS$SYSDEVICE:<000000>

   000000.DIR;1      AMMONS.DIR;1      NEWS.DIR;1        RJE.DIR;1
   SECURITY.DIR;1    TEST.DIR;1

   Total of 6 files.

   Directory SYS$SYSDEVICE:
   *INTERUPT*
   $

This is a more effective way of listing ALL the directories on the
system. The first directory you see will be the directory which lists
most/every other directory on the system, not including subdirectories.
The difference between this and DIR <*.*> is that this lists more
directories/files than using <*.*>. Usually the directory name is the
same as the username; thus, even though you have a non-privileged
account, you can obtain more usernames to try passwords on. As you
noticed, *INTERUPT* appeared and then the dollar sign prompt; this was
because of hitting control-Y.
One neat thing with 4.0 and above is that if you hit a control-C in the
middle of a long directory or file listing, it will simply say *CANCEL*,
pause for a second, and skip over to the next directory. It will not
pause when going on to the next file, though. As you know, older versions
simply give you the '$' prompt, so if you wanted to look at something in
the 15th directory, you would have to wait for all the directories which
are before it before seeing the contents of the 15th. Now, you can hit
control-C to *CANCEL* long directories and sooner, not later, view the
desired information.

To see more detailed information about the files in your directory:

   $ DIR /FULL

   Directory SYS$SYSDEVICE:

   INTRO.TXT;5                   FILEID: (929,23,0)
   Size:          2/3            Owner:
   Created:  25-MAY-1985 12:38
   Revised:   2-MAY-1985 12:38 (2)
   Expires:
   Backup:
   File organization:  Sequential
   File attributes:    Allocation: 3, Extend: o, Global buffer count: 0
                       Version limit: 3
   Record format:      Variable length, maximum 74 bytes
   Record attributes:  Carriage return carriage control
   File protection:    System:RWED, Owner:RWED, Group:, World:
   Access Control List None

The important information is the file protection, and whether there is an
ACL for the file. The /FULL qualifier will continue to print the
information about each file within the directory.


DEVICES:
--------

On occasion, when you execute a directory search, you will not find much.
This is because you are not on the same device as many of the other
users are. To change devices:

   $ SET DEVICE DEVICENAME:

Make sure you put the colon after the name. In the case of your not
knowing what device to switch to, type:

   $ SHOW DEVICE

This will give you a list of devices currently used on the system.


FILE EXTENSIONS:
----------------

The following file extensions should be used in conjunction with
wildcards or <000000...> for viewing all files with that extension:

   .MEM  memo file:      These often contain inter-office memos. TYPE
                         this file.
   .JOU  journal file:   This is a journal file, which is created when
   .JNL  journal file:   editing a file. This may contain interesting
                         info. Use TYPE.
   .TMP  temporary file: This is a temporary image of a file. TYPE this
                         file.
   .LIS  list file:      Listing file; use the same procedure as stated
                         above.

i.e.:

   $ TYPE <000000...>*.MEM;*


AUTHORIZE AND THE UAF:
----------------------

In Part I, it was mentioned that the file AUTHORIZE.EXE;1 could be found
in the directory. It almost always is, but on occasion, you will be able
to find it either in the or <000000.SYSEXE> directories. If you are
non-privileged, you may wish to see if you can access those directories
and TYPE out the file SYSUAF.LIS, which is a list similar to performing
the SHOW * /FULL command. When executing that command or viewing that
file, the output should look like:

   Username: SYSTEM                          Owner:  SYSTEM MANGER
   Account:  SYSTEM                          UIC:    <001,004>
   CLI:      DCL                             LGICMD:
   Default Device:    SYS$ROOT:
   Default Directory:
   Login Flags:
   Primary days:   Mon Tue Wed Thu Fri
   Secondary days:                     Sat Sun
   No hourly restrictions
   PRIO:      4   BYTLM:     20480   BIOLM:        12   PRCLM:      10
   PBYTLM:    0   DIOLM:        12   ASTLM:        20   WSDEFAULT: 150
   FILLM:    20   ENQLM:        20   WSQUOTA:     350   SHRFILLM:    0
   TQELM:    20   WSECTENT:   1024   CPU:    no limit   MAXJOBS:     0
   MAXACCTJOBS: 0   PGFLQUOTA: 200000
   Privileges:
     CMKRNL CMEXEC SYSNAM GRPNAM ALLSPOOL DETACH DIAGNOSE LOG-IO GROUP
     ACNT PRMCEB PRMMBX PSWAPM ALTPRI SETPRV TMPMBX WORLD OPER EXQUOTA
     NETMBX VOLPRO PHY-IO BUGCHK PRMGBL SYSGBL MOUNT PFNMAP SHMEM SYSPRV
     SYSCLK GROUP BYPASS
   UAF>

The privileges listed at the end are in abbreviated form; the important
ones as far as security goes are:

   ACNT:     May suppress accounting message.
   OPER:     Operator privilege.
   GROUP:    May affect other processes in the same group.
   WORLD:    May affect other processes in the world.
   SHMEM:    May create/delete objects in shared memory.
   ALTPRI:   May set any priority level.
   BYPASS:   May bypass UIC checking.
   SETPRV:   May set any privilege bit.
   SYSLCK:   May lock system wide resources.
   SYSPRV:   May access objects via system protection.
   VOLPRO:   May override volume protection.
   READALL:  May read anything as the owner.
   SECURITY: May perform security functions.

To see what privileges you have, type:

   $ SET PROCESS /PRIVS

   01-JUN-1985 15:50:56.31   RTA1:   User: ACIRS508

   Process privileges:
    LOG-IO          May do logical I/O.
    PHY-IO          May do physical I/O.
    TMPMBX          May create temporary mailbox.

   Process rights identifiers:
    INTERACTIVE
    REMOTE
   $

The privileges listed are usually found on low access accounts. If you
have the SETPRV privilege, you can give yourself privs (as stated in
Part I) by:

   $ SET PROCESS /PRIVS=ALL


SECURITY DEVICES AND SOFTWARE:
------------------------------

There are a number of additional security products available for VMS.
Some of which are:

Name:         ALSP (Applications Level Security Package)
Manufacturer: Integrated Systems Inc.
Location:     New Jersey.
Phone:        (201) 884-0892.
Cost:         $650.00
Description:  ALSP protects system and resource access by restricting
              users' commands and applications to authorized users. On
              menu-driven applications, ALSP provides further security
              by checking menu selections against those authorized for a
              user. Security violations cause LOGOUT, and after three
              unsuccessful access attempts at logon, the user must be
              reinstated by the system manager. ALSP also generates a
              message to the system operator when unauthorized users try
              to access secured data.

Name:         DIALBACK and AUDIT
Manufacturer: Clyde Digital Systems Inc.
Location:     Provo, Utah
Phone:        1-800-832-3238.
Cost:         $980.00 and $2500.00 respectively.
Description:  DIALBACK protects the system by not allowing any dial-in
              users to make direct contact. It stops them before they can
              even attempt to log onto the system and requires them to
              identify themselves. If a user fails to enter a valid
              DIALBACK ID, DIALBACK will disconnect the line. As soon as
              DIALBACK recognizes the ID code, it checks a list of
              authorized users and their phone numbers, hangs up, and
              calls back the number listed.
              AUDIT is a sophisticated software security and
              documentation tool. It allows you to create a complete
              audit trail of the activities of any terminal on the
              system.

Name:         Data Encryption System (DES) Version II and
              Menu/Authorization Processor System (M/APS) Version I.
Manufacturer: McHugh, Freeman & Associates, Inc.
Location:     Elm Grove, Wisconsin
Phone:        (414) 784-8250.
Cost:         $1,250.00 and $995.00 respectively.
Description:  DES runs as a stand-alone program (ENCRPT) which allows
              single or double encryption of system files. DES encrypts
              source, data and task image (binary relocatable) files.
              M/APS provides secured menu access to system applications
              for authorized users, with security displays and audit
              trails of movements through the M/APS. Users once captured
              by the menu cannot escape to the system monitor level.


CONCLUSION:
-----------

If all or most security features of VMS were implemented, the system
would be one of the most secure around, even more secure than IBM. IBM
operating systems such as VM/CMS, MVS/TSO, DOS, CICS, etc. are insecure
without the use of additional software security packages such as ACF2,
RACF, TOP SECRET, etc., which cost from $20,000 to $30,000! DEC didn't do
a bad job, since the cost of the operating system itself is half that of
those packages. But when computers are concerned, it's the people who
are the main factor. Until they realize that hackers can be a real
threat, they will continue to leave their systems open to unauthorized
access.


ACKNOWLEDGEMENTS:
-----------------

The Blue Archer


PART III PREVIEW!
-----------------

Look for Part III, Hacking VMS: User Commands. Part III will go more in
depth into the actual uses of the operating system. It will mention
things like: creating batch jobs, using the programming languages
available on the system, including DCL (Digital Command Language), using
the editor, etc.