
Beginners Guide to VAX/VMS Hacking

!                    Beginners Guide to VAX/VMS Hacking                     !
!                                                                           !
!            File By ENTITY / Corrupt Computing Canada  (c) 1989            !
!                                                                           !
!               CALL: (416)/398-3301  Login: Guest, PW: Guest               !
!                     (416)/756-4545  type !!   Login: lynx                 !
!                                                                           !
! You may freely distribute this file as long as no modifications of any    !
! form are made to the file. All rights reserved by...What rights?!         !
!                                                                           !

September 12, 1989


       Perhaps the most exciting operating system to HACK on is VAX/VMS.
It offers many challenges for hackers and boasts one of the best security
systems ever developed.  In comparison to the security on UNIX, VMS is far
superior in every respect.  It can be very difficult to get inside such a
system and even harder to STAY inside, but isn't that what this is all about?!
I have written this file as a way for beginning hackers to learn about the VMS
operating system.  There is such a vast amount of information that can be
related about VAX/VMS hacking that it is not possible for me to cover
everything in just one file.  As such I will try and stick to the basics for
this file and hopefully write another file in the future that deals with
heavy-duty kernel programming, the various data structures, and system service
calls. All right, so let's get at it!


       First of all, how do you recognize a VAX when you see one?! Well, the
thing that always gives a VAX away is that when you log on you will see:


It may also have some other info before it asks you for the username, usually
identifying the company and perhaps a message to the effect of:

Unauthorized Users will be prosecuted to the fullest extent of the law!

That should get you right in the mood for some serious hacking!  Ok, so when you
have determined that the system you have logged into is indeed a VAX, you will
have to at this point enter your SYSTEM LOGIN.  Basically on VAXes there are
several default logins which will get you into the system. However on MOST
systems these default logins are changed by the system manager. In any case,
before you try any other logins, you should try these (since some system
managers are lazy and don't bother changing them):

Username	   Password	   Alternate


That's it. Those are the default system users/passwords.  The only ones on the
list that are GUARANTEED to be in the userlist are SYSTEM and DEFAULT. However,
I have never come across a system where these two haven't been changed from
their default passwords to something else.  In the above list, the alternate
password is simply a password many operators set the password to from the
default. So if the first password doesn't work, try the alternate password.  It
should be noted that when a user is added to the system, the default password
for the new user is the SAME as his username.  You should keep this point in mind
because it is VERY important. Most of the accounts you hack out will be found
in this way! Ok, if the above ones don't work, then you should try these accounts.
The following accounts are NOT defaults, but through experience I have found
that many systems use these accounts or some variation thereof:

Username	   Password
DEC		   DEC	     *
DEMO		   DEMO      *
TEST		   TEST      *
ALLIN1		   ALLIN1    *
GUEST		   GUEST     *
USER		   USER      *
INFO		   INFO      *

The ones that have asterisks (*) beside them are the more popular ones and you
have a better chance with them, so you should try them first. It should be
noted that the VAX will not give you any indication of whether the username
you typed in is indeed valid or not.  Even if you type in a username that does
not exist on the system, it will still ask you for a password.  Keep this in
mind because if you are not sure whether an account exists or not, don't
waste your time trying to hack out its password. You could be going on a
wild goose chase!  You should also keep in mind that ALL bad login attempts are
kept track of, and when the person logs in, he is informed of how many failed
attempts there were on his account.  If he sees 400 login failures, I am sure
that he will know someone is trying to hack his account.


Ok, I am assuming you tried all the above defaults and managed to get yourself
into the system. Now the real FUN begins!  Ok, first things first. After you log
in you will get some message about the last time you logged in, etc. If this is
the first time you have logged into this system then you should note the last
login date and time and WRITE IT DOWN! This is important for several reasons,
the main one being that you want to find out if the account you have just
hacked is an ACTIVE or INACTIVE account.  The best accounts are the inactive
ones. Why?! Well, the inactive accounts are those that people are not using
currently, meaning that there is a better chance of you holding onto that
account and not being discovered by the system operator.  If the account has
not been logged into for the last month or so, there's a good chance that it
is inactive.  Ok, anyhow, once you're in, if you have a normal account with
access to DCL you will get a prompt that looks like:


This may vary from machine to machine but it's usually the same. If you have a
weird prompt and would like a normal one, type:

$set prompt=$

If this is the first time you have hacked into this system there are a couple
of steps you should take immediately. First type:

$set control=(y,t)

This will enable your break keys (like ctrl-c) so that you can stop a file or
command if you make a mistake.  Usually ctrl-c is active, but this command will
ensure that it is. (Note: in general, to abort a command or program you can
type ctrl-c or ctrl-y.) Ok, anyhow, the next step is to open the buffer in your
terminal then type:

$type sys$system:rightslist.dat

This will dump a file that has all the system's users listed in it.  You may
notice a lot of weird garbage characters. Don't worry about those, that is
normal.  Ok, after this file ends and you get the shell prompt again ($), then
save the buffer, clear it out and leave it open. Then type:

$show logical

Ok, after this file is buffered, save it also.  At this point you have two
files on your disk which will help you hack out MORE accounts on the system.
For now, let's find out how powerful the account you currently hacked into is.
You should type:

$set proc/priv=all

This may give you a message telling you that all your privileges were not
granted. That's ok. Now type:

$show proc/priv

This will give you a list of all the privileges your account is set up for.
Usually most user accounts only have NETMBX and TMPMBX privs.  If you have
more than these two, then it could mean that you have a nice high-level user.
Unlike UNIX, which only has a distinction between user and superuser, VMS has
a whole shitload of different privileges you can gain.  The basic privs are as
follows:

NONE           no privilege at all

MOUNT          Execute mount volume QIO
NETMBX         Create network connections (you need this to call out!)
TMPMBX         Create temporary mailbox

GROUP          Control processes in the same group
GRPPRV         Group access through SYSTEM protection field

ACNT           Disable accounting
ALLSPOOL       Allocate spooled devices
BUGCHK         Make bugcheck error log entries
EXQUOTA        Exceed disk quotas
GRPNAM         Insert group logical names in the name table
PRMCEB         Create/delete permanent common event flag clusters
PRMGBL         Create permanent global sections
PRMMBX         Create permanent mailboxes
SHMEM          Create/delete structures in shared memory

ALTPRI         Set base priority higher than allotment
OPER           Perform operator functions
PSWAPM         Change process swap mode
WORLD          Control any process
SECURITY       Perform security related functions
SHARE          Access devices allocated to other users
SYSLCK         Lock system-wide resources

DIAGNOSE       Diagnose devices
SYSGBL         Create system wide global sections
VOLPRO         Override volume protection

BYPASS         Disregard protection
CMEXEC         Change to executive mode
CMKRNL         Change to kernel mode
DETACH         Create detached processes of arbitrary UIC
LOG_IO         Issue logical I/O requests
PFNMAP         Map to specific physical pages
PHY_IO         Issue physical I/O requests
READALL        Possess read access to everything
SYSNAM         Insert system logical names in the name table
SYSPRV         Access objects through SYSTEM protection field

Ok that's the lot of them! I will explain some of the more important privileges
later in the file.  For now, at least you can see just how powerful the account
is.  It should be noted that most accounts usually are only granted the TMPMBX
and NETMBX privileges, so if you don't have the others, don't fret too much.


    I think that I should clarify some of the basic concepts involved with
the VAX/VMS operating system before we go any further:

PROCESS: this is what is created when you log in.  The system sets aside CPU
         time and memory for you and calls it a process. Any task that is run
         in VMS is called a process.

SUBPROCESS: also known as a child process, this is just a process that was
            created by another process.

DCL    : Digital Command Language. This is the shell ($) that you are put into
         when you log into a VAX.

MCR    : an alternate shell that is used (rarely) on certain accounts. Login
         prompt is a  >  as opposed to DCL which gives a  $

SHELL  : this is the '$' that you see once you are logged in. This is your
         interface with the system, where you can enter the various commands,
         execute files and perform other activities.

JOB    : a process and a group of its subprocesses performing some task

SPAWN  : this is the actual command that allows you to create subprocesses.
         'SPAWNING' is the act of creating subprocesses.

PID    : process identification number. This is an 8 byte ID code that is
         uniquely given to each process that is created on the system.

IMAGE  : this is an EXE file that you can execute (ie run)

UIC    : User identification code. This is in two parts, namely: [group,member]
         The way this works is that users in the same group can access each
         other's files through the group protection code.  However, since the
         UIC MUST uniquely identify each user, the member portion separates the
         individuals in each group.  If an account does not have a different
         member number, he will NOT be put in the RIGHTSLIST database.


 A brief note on control sequences.  Several different actions can be activated
via control sequences. They are:

CTRL-H  : delete last character
CTRL-B  : redisplay last command (can go back up to the last 20 commands issued)
CTRL-S  : pause display
CTRL-Q  : continue after pause
CTRL-Z  : *EXIT* use to break out of things such as CREATE and EDIT
CTRL-C  : *CANCEL* will exit out of most operations
CTRL-Y  : *INTERRUPT* will break out of whatever you are doing
CTRL-T  : print out statistical info about the process

NOTE: sometimes upon login, the CTRL-Y and CTRL-C keys are disabled.  To ensure
      these are enabled, issue this command upon login:


NOTE: all the commands that are executed from DCL can be referenced from an
      online help manual.  To access this, simply type help at any '$' prompt.
      This help is also available within the various utilities and programs
      such as authorize and mail. The two MOST important commands are SET and
      SHOW. These should be buffered and printed out for your own reference.


 The directory structure of VMS is a hierarchical one similar to MS-DOS and
UNIX. It's a simple concept, and I will only briefly skim over it.  First of all
it should be noted that there may be more than one hard drive or other
mass-storage device hooked up to your system. Within each hard drive there is
the ROOT directory. This is the highest directory in the tree and is referenced
by [000000]. (This will be explained in a minute.)  Within the root there are
several subdirectories. Within these subdirectories there may be files and even
further subdirectories.  The concept is quite simple, but can be difficult to
explain.  Here is a diagram to give you a rough idea of how it is set up:

                                    [000000] <--root directory
            !                           !                         !
            !                           !                         !
          [d1]                        [d2]                      [d3]
            !                           !                         !
    +-------+-------+           +---------------+         +---------------+
    !       !       !           !               !         !               !
 [d1.da] [d1.db] [d1.dc]    [d2.d2a]        [d2.d2b]  [d3.d3a]        [d3.d3b]
            !                   !               !
            !                   !           +---+-----------+
       [d1.db.db1]        [d2.d2a.d2a1]     !               !
                                      [d2.d2b.d2b1]   [d2.d2b.d2b2]

    Hopefully this will give you some sort of an idea of how the directories
can be structured. Within each subdirectory there may be other files also. For
example to see the directory after you log in you would type:


a sample result may be:


Total 7 files.

What does this tell you? The first line tells you what drive and subdirectory
you are in. The next lines are the actual files. As you can see each file has
a 3 character extension, followed by a comma and a number.  The name before the
period is the actual filename (eg. average), the 3 characters after the period
are known as the extension, and the number after the comma refers to the
version of the file. So in this case, this is version number 3.  Any time you
modify or save a file, it automatically assigns it a version number of 1. If the
file already exists on your disk, it increments the version number by 1 and
then saves it as such.  So the next time I go ahead and save the file, it would
add another file to the list called ;4.
  Special note should be taken of the files that have an extension of '.DIR'
These are not really files, but rather subdirectories.	I will show you how to
switch subdirectories in just a minute. First you should take note of the
different file extensions.  Although you can name the files anything you want
some of the more important extensions are:

EXE	  Executable IMAGE. These files are programs that can be RUN
COM	  DCL SCRIPT files. These can also be executed, utilizing the @ command
DAT	  DATA file. Sometimes useful things to look at.
LIS	  Listing File, many times important info is in here
MAI	  Mail file,  use the MAIL command to read these
DIR	  DIRECTORY - not a file
JOU	  Journal File, often created thru the use of other programs eg EDIT
TXT	  Text Files, often hold useful information.

These are just some of the extensions you are most likely to see. The two
important ones are the EXE and COM files. These can be executed from the DCL
level. EXE files are executed via the RUN command. Eg. to run authorize.exe:

$run authorize

This will run the authorize IMAGE. Supposing there were more than one version
of authorize you could specify a version number. eg.

$run authorize.exe;4

The other type of file you can run is the COM files. These are like SCRIPT
files in UNIX or .BAT files from MS-DOS.  They are just a sequence of DCL
commands strung together that are executed when you initiate the file. To run
COM files, use the @ command. For example to run, type:

[email protected]

The version number thing i stated for EXE files also applies for COM files.

***NOTE***  To get a listing of all the files on the whole drive, try this:

$sd [000000]
$dir [...]*.*

Similarly, you would type dir [...]*.com if you wanted just the COM files listed.
To see the contents of a file, you can use the TYPE command. For example:


this might type out something like:

$ sd:==set default
$ set control=(y,t)
$ set proc/name=entity
$ set term/dev=vt100

This is great for COM files, DAT files and some of the other types, but you
will always get garbage when you type EXE files, so don't bother trying those.
This is very useful for snooping around other people's files and getting
information. Many times I have found user/passwords lying around in TXT or
LIS files left by some careless user.

 Now, how do you go about changing directories? Well, first you should set up
a shortcut.  The normal command to change directories is SET DEFAULT. For
example to change to a subdirectory called REPORTS, you would have to type:

$set default [.reports]

To make life simpler on yourself, as soon as you log in, you should type:

$sd:==set default

This defines a macro called SD that is interpreted by DCL as SET DEFAULT. You
can similarly define other 'favorite' commands to some short, easy to remember
definition.  Anyhow, here's the syntax for changing directories:

SD DEVICE:[dir1.dir2.dir3....]

The device can be optionally left out, if you plan to remain in the same hard
drive. You have to then enter a '[' followed by the root directory, followed
by a period, followed by another subdirectory name etc. Eg.

$sd dub0:[cosy.users]

Suppose at this point, you were in directory cosy, subdirectory users and there
was a further subdirectory called 'info.dir'.  Rather than specify the full
pathname, you can simply type:

$sd [.info]

This will advance you one level into the info subdirectory. Remember to put the
period in front of the subdirectory. If you don't, in this case it would assume
that you were trying to reference the root directory called info.  Another
important thing to note is moving back levels in terms of subdirectories. For
example if you were in [] and wanted to move back to
[cosy.users] you could type:

$sd [-]

Similarly you can put in as many hyphens (-) as you want to move back. For
example  sd [--]  would put you back to the cosy directory.

Another important thing to note about subdirectories is logically assigned
symbols (logical names). These are names assigned to certain things. For
example the main system directory is called sys$system. So to go to it you
could type:

$sd sys$system

This would throw you into the system directory. Similarly you can type:

$sd sys$login

and this will put you back into the directory that you were initially in, when
you first logged in.  These symbols stand for actual device:directory
combinations.  To see the various definitions that are assigned to each process
you should type:

$show logical

This will list a whole bunch of global system equates that you can use to
access various parts of the VAX structure.  In addition, to view all of your
locally defined symbols, use:

$show symbol *
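The file-spec rules above (version numbers, .DIR entries, [.sub] and [-] navigation, and logical names such as sys$login) are easy to misread in a directory listing, so here is an added example, not part of the original file, that models them in Python. The logical-name table and the directory listing are constructed samples, and the resolver assumes the current directory is a plain DEV:[DIR.SUB] string.

```python
import re

# Constructed sample logical-name table (a real one comes from $ SHOW LOGICAL)
LOGICALS = {"SYS$SYSTEM": "DUA0:[SYS0.SYSEXE]", "SYS$LOGIN": "DUB0:[COSY.USERS]"}
_DIRSPEC = re.compile(r"^(?:(?P<dev>[A-Z0-9$_]+):)?\[(?P<dirs>[^\]]*)\]$")


def _split(dirs):
    """'COSY.USERS' -> ['COSY', 'USERS']; [000000], the root, is an empty path."""
    return [d for d in dirs.split(".") if d and d != "000000"]


def set_default(current, spec):
    """Resolve a SET DEFAULT (sd) argument against the current 'DEV:[DIR.SUB]'.
    Handles logical names, absolute specs, [.sub], and [-] / [--.sub] forms."""
    spec = spec.upper()
    if spec in LOGICALS:                        # $sd sys$login
        return LOGICALS[spec]
    m, cur = _DIRSPEC.match(spec), _DIRSPEC.match(current.upper())
    if not m or not cur:
        raise ValueError("bad directory spec: " + spec)
    dev = m.group("dev") or cur.group("dev")    # device may be left out
    path, dirs = _split(cur.group("dirs")), m.group("dirs")
    ups = len(dirs) - len(dirs.lstrip("-"))     # one level up per leading hyphen
    rest = dirs[ups:]
    if ups or rest.startswith("."):             # relative: [-], [--], [.info], [-.x]
        if ups > len(path):
            raise ValueError("cannot move above the root directory")
        path = path[:len(path) - ups] + _split(rest)
    elif dirs:                                  # absolute: [cosy.users], [000000]
        path = _split(dirs)
    return f"{dev}:[{'.'.join(path) or '000000'}]"


def parse_filespec(entry):
    """'AVERAGE.FOR;3' -> ('AVERAGE.FOR', 3); a missing version counts as 0."""
    name, _, ver = entry.upper().partition(";")
    return name, int(ver) if ver else 0


def next_version(listing, filename):
    """Version VMS gives the file when it is saved again: highest existing
    version + 1, or ;1 when no copy exists yet."""
    name = filename.upper()
    versions = [v for n, v in map(parse_filespec, listing) if n == name]
    return max(versions, default=0) + 1


def subdirectories(listing):
    """Entries with a .DIR extension are subdirectories, not ordinary files."""
    return [n[:-4] for n, _ in map(parse_filespec, listing) if n.endswith(".DIR")]


# Constructed directory listing in the style the text shows
SAMPLE_DIR = ["AVERAGE.FOR;3", "AVERAGE.FOR;2", "LOGIN.COM;1", "REPORTS.DIR;1"]
```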


Ok, before I begin this, let me just state that whatever I say about files also
applies to directories.  There are four types of file protections. There is
SYSTEM, WORLD, GROUP and OWNER. These are briefly:

SYSTEM- All users who have group numbers 0-8 and users with physical or logical
        I/O privileges  (generally system managers, system programmers, and
OWNER - the owner of the file (or subdirectory), isolated via their User
        Identification Code (UIC). This means the person who created the file!
GROUP - All users who have the same group number in their UICs as the owner of
        the file.
WORLD - All users who do not fall in the categories above

Each file has four types of protection within each of the above categories.
They are: Read, Write, Execute, Delete. Explanations are:

READ   - You can read the file and copy it.
WRITE  - You can modify and rename that file.
EXECUTE- You can run the file
DELETE - You can delete the file

When you create a file the default is that you have all the privileges for that
particular file. Group, world and system may only have limited privileges. This
can be changed with the set protection DCL command. For example:

$set protection=(group:rwed,world:r)/default

would set your default protection to allow other users in your group to have
full read,write,execute,delete privs to the file, and others only read access
to the file. The /default means that from now on all the files you create will
be set with this particular protection.  To change one of your own files to
some other protection you can alternatively use:

$set prot topsecret.dat /prot=(system:rwed,group:rwed,world:rwed,owner:rwed)

This would enable all users on the system to access the file 'topsecret.dat'.
When specifying the protection, you do not have to list them for each of the
four groups.  You can simply choose only those that
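As an added example (not from the original file), here is a Python model of the protection code just described: it parses a (category:rwed,...) spec, works out which categories a user's UIC puts them in for a given file, and audits a file for group or world write/delete access such as the 'topsecret.dat' setting above. It assumes that categories left out of SET PROTECTION keep their previous value, that a user can fall into several categories at once (always including WORLD) and gets the union of their access, and it uses the file's 0-8 group range for SYSTEM; DEFAULT_PROTECTION is a constructed sample.

```python
import re

MAXSYSGROUP = 8    # the file's "group numbers 0-8" rule for the SYSTEM category
_ENTRY = re.compile(r"^(SYSTEM|OWNER|GROUP|WORLD)(?::([RWED]*))?$")
# Constructed sample of a fresh file's protection: the owner gets everything,
# the group may read and run it, the world gets nothing.
DEFAULT_PROTECTION = {"SYSTEM": "RWED", "OWNER": "RWED", "GROUP": "RE", "WORLD": ""}

def parse_protection(spec):
    """'(system:rwed,group:rwed,world:r)' -> {'SYSTEM': 'RWED', ...}.
    A category written without access letters ('WORLD' or 'WORLD:') gets none."""
    prot = {}
    for item in spec.strip().strip("()").upper().split(","):
        item = item.strip()
        if not item:
            continue
        m = _ENTRY.match(item)
        if not m:
            raise ValueError("bad protection entry: " + item)
        prot[m.group(1)] = m.group(2) or ""
    return prot

def apply_protection(current, spec):
    """SET PROTECTION as modelled here (assumption): categories named in spec
    are replaced, categories left out keep whatever they had."""
    updated = dict(current)
    updated.update(parse_protection(spec))
    return updated

def user_categories(owner_uic, user_uic):
    """Categories a user (group, member) falls into for a file owned by owner_uic.
    Assumption: several can apply at once, and every user is also in WORLD."""
    cats = {"WORLD"}
    if user_uic == owner_uic:
        cats.add("OWNER")
    if user_uic[0] == owner_uic[0]:
        cats.add("GROUP")
    if user_uic[0] <= MAXSYSGROUP:
        cats.add("SYSTEM")
    return cats

def effective_access(prot, owner_uic, user_uic):
    """Access letters the user ends up with: the union over all their categories."""
    granted = set()
    for cat in user_categories(owner_uic, user_uic):
        granted.update(prot.get(cat, ""))
    return "".join(ch for ch in "RWED" if ch in granted)

def audit(filename, prot):
    """Flag a file that lets GROUP or WORLD modify or delete it, like the
    'topsecret.dat' setting in the text that opens the file to every user."""
    findings = []
    for cat in ("GROUP", "WORLD"):
        risky = sorted(set(prot.get(cat, "")) & {"W", "D"})
        if risky:
            findings.append(f"{filename}: {cat} has {''.join(risky)} access")
    return findings
```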