gein.vistech.net…openvms-hack-faq.txt Sunday, 9 November 2008 2:12:19 PM Australia/Sydney

[More modifications/updates/error corrections: 11/02/2002]
[A little "hacking" by Doc.Cypher: 05/04/2003]
[Major revision work in progress.]
[Please refer to http://vmsbox.cjb.net/vms-hackfaq]

- OpenVMS HACK FAQ (Frequently Asked Questions) -
- Beta 0.16 Release -
- 5-APR-2003 -

Originally by The Beave ([email protected])
Extra Contributions Added By Tsywt

Introduction:

This article contains the answers to some frequently asked questions (hence the name FAQ) about hacking the VMS operating system.

"Why a VMS Hacking FAQ?" Several reasons. Once in a while, an escape from Unix is very, very nice. Another reason is that the art of VMS hacking has since vanished, and its replacement is statements like, "Hacking VMS is impossible", "VMS is too cryptic to use", and as always, "Man, VMS sucks". These are generally statements by people who know next to nothing about VMS. I don't want to go into a "which OS is better" debate, because that would defeat the purpose of this file. However, in my personal opinion, both operating systems have their advantages and disadvantages. I have, however, written this FAQ with a Unix overtone to it. This is to help the reader understand what is being accomplished in some examples.

The article may be freely redistributed in its entirety provided that credits are not altered or removed. It may not be sold for profit or incorporated in commercial documents without the written permission of the author(s).

This is the beta release of this article, which means the article is still in the works and is not complete. Submissions, corrections, comments, input, complaints, bomb threats, cash, etc., should be directed toward the alt.2600 newsgroup or [email protected]. If you make additions to the text, please let me know. I'd like to include credits to your contributions in the next FAQ update... ([email protected])

:--- Index ---:

More Common Newbie Questions.
1) VMS Basic information. ("What does VMS run on?")
2) Identifying OpenVMS/VMS systems. ("Is it a VMS box?")
3) Public VMS/OpenVMS systems ("Where's one I can play with?")
*4) The VMS Hobbyist program/where to get a VAX/ALPHA/Emulators ("Where can I get a box to play with?") [To be verified/updated]
5) Password storage information (SYSUAF.DAT) ("Where the hell is the /etc/passwd file??!?!?!")
6) User storage information (RIGHTSLIST.DAT) ("How do I get Usernames?")
*7) Cracking the SYSUAF.DAT ("Is there a version of 'Crack' for VMS machines?") [To be verified/updated with J-LG's update to John]
8) Becoming invisible in VMS ("Is there a 'Cloak' routine in VMS?")
9) SET DEFAULT command ("How the do I change damn directories?")
10) The "CD" command ("I hate this SET DEFAULT crap")
11) LOGIN.COM ("Okay, where's my .profile???")
12) Captive Accounts ("I can't get to DCL")
13) Terminal monitoring/logging ("How can I monitor a tty?")
*14) Accounting/Auditing ("Who is watching me?") [*** NEEDS TO BE MODIFIED ***]
15) Buffer overflows/overruns ("Smashing VMS' stack for fun... ")
16) Physical console bypassing ("I'm in front of the machine! Get me in!")

VMS Mail Hack Routines.
1) Unix/VMS Sendmail holes ("Will my sendmail holes work on VMS?")

VMS Phone Hack Routines.
1) Anonymous Phone Messages ("How do I become a VAXPhone phreaker?")
2) Phone Directories ("How can I do a 'sh users' using the phone protocol?")

User/Image Privilege Information.
1) System Privileges, Listing and explanation ("How are Privs set up?")
2) Creating privileged images ("Can I create a SUID Shell on a VMS box?")

DECNetwork Information.
1) Brief Description of a DECNet ("What is a DECNet?")
2) What it means to you ("What can it do for me?")
3) Obtaining files/system info/etc. ("How do I get information about the remote?")
4) Using remote nodes ("How do I connect interactively?")
5) Getting node lists ("How do I find connectable nodes?")
6) Proxy Logins ("Can't DECNet nodes be protected?")
7) Proxy Logs ("Are Proxy logins logged? Can I use it to break into nodes?")
*8) Sneak Routing ("Can I get to a machine I normally couldn't through another machine?") [Need more information. Too vague] <DC>See comp.os.vms discussion about cluster with one machine in the DMZ</DC>

TCP/IP Connected VMS Machines.
1) Obtaining remote usernames without "FINGER" ("How do I get usernames if FINGER is disabled?")
2) Changing the image running in FINGER ("How do I link a command name to another so it appears I am running a different image?")
*3) Bypassing secondary password under Multinet 4.X.

Other.
*1) How to make /DEBUG/TRACEBACK INSTALL images! [Not Complete]
*2) Bypassing OPCOM (Logging information)
3) Reading VMS Disks/CDs
4) WASD (An OpenVMS Web Server package) - Bugtraq security post.

- Resources.
- Final notes.

- More Common Newbie Questions -

1) VMS Basic information ("What does VMS run on?")

VMS (Virtual Memory System) runs on Digital Equipment Corp. (DEC, pronounced "DECK") VAX (Virtual Address eXtension) systems and the DEC Alphas. Digital Equipment Corp. was bought out by Compaq in 1998 (for $9.6 billion). DEC was once the second largest computer company, but had fallen due to its lack of drive in the PC market. Compaq was bought out by Hewlett-Packard in May of 2002.

The VAX line was introduced in 1977 (VAX 11/780). It was to replace the PDP line (12 bit and 16 bit machines). The VAX was one of the world's first 32 bit architectures. The Alpha line was introduced in November of 1992. This was a 64 bit RISC processor. Both can run the OpenVMS operating system.
(Compaq began porting OpenVMS to the Intel Itanium processor. HP has continued work on the Itanium port, and the VMS Engineering team managed their first boot, followed by a successful DIRECTORY command, on the 31st of January 2003.)

For more information and history on DEC, the VAX line of systems, the Alpha line of systems, and VMS/OpenVMS, check out G-Bell's CyberMuseum for Digital Equipment Corp. at:

http://research.microsoft.com/~gbell/Digital/DECMuseum.htm

It's also mirrored at:

http://www.vistech.net/users/beave/DEC

When using the OpenVMS/VMS operating system, users use DCL (Digital Command Language) to interact with the computer. These commands and their syntax are completely different from those of Unix and Unix-like operating systems, so a completely different mind-set is often required (this is the author's opinion).

2) Identifying OpenVMS/VMS systems. ("Is it a VMS box?")

Identification of a possible VMS system can usually be done at the "Username:" prompt. Sometimes the welcome banner itself will reveal that it's a VMS system (for example, "Welcome to ABC Computer Under VMS 5.5-2"). One interesting note: after the Mitnick case, a lot of VMS systems removed the "Welcome" from their banners.

If you're still not sure, there are some "checks" that you can perform. One indication is that an invalid login attempt will give you a "User authorization failure" message. This is a pretty good indication that the remote system is running VMS. If you're still not convinced, a control-Z at the "Username:" prompt will result in "Error reading command input". For example:

Connected to manson.vistech.net
Escape character is '^]'.

Welcome to OpenVMS (TM) VAX Operating System, Version V7.2

Username: *EXIT*          [Ctrl-Z here]
Error reading command input
End of file detected
Connection closed by foreign host.
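The checks above can be automated from the defender's side, for instance to inventory which of your own hosts still disclose the operating system and version in their login banner, and to confirm that stripping "Welcome" does not remove the other two tells. The following is an added example, not code from the original FAQ; the session transcripts are constructed and the indicator weights are my own assumption.

```python
import re

# Indicators the FAQ lists for spotting a VMS login front end. Each has a
# weight (assumed): the banner is explicit, the other two are behavioural
# tells that survive even when a site strips "Welcome" from its banner.
INDICATORS = {
    "banner":          (re.compile(r"\b(Open)?VMS\b"),              0.5),
    "username_prompt": (re.compile(r"^Username:", re.M),            0.2),
    "auth_failure":    (re.compile(r"User authorization failure"),  0.4),
    "ctrl_z_eof":      (re.compile(r"Error reading command input"), 0.4),
}
VERSION_RE = re.compile(r"Version\s+(V?\d+\.\d+(?:-\d+)?)")


def fingerprint(transcript: str) -> dict:
    """Score a captured login transcript for VMS tells.

    Returns the matched indicator names, the version string leaked by the
    banner (or None) and a confidence capped at 1.0.
    """
    matched = [name for name, (rx, _) in INDICATORS.items() if rx.search(transcript)]
    score = min(1.0, sum(INDICATORS[n][1] for n in matched))
    m = VERSION_RE.search(transcript)
    return {"indicators": matched,
            "version": m.group(1) if m else None,
            "confidence": round(score, 2)}


# Constructed sample sessions (not real captures).
SESSION_WITH_BANNER = """Connected to host.example.
Escape character is '^]'.
Welcome to OpenVMS (TM) VAX Operating System, Version V7.2
Username:
Error reading command input
End of file detected
Connection closed by foreign host.
"""

SESSION_HARDENED_BANNER = """Connected to host.example.
Escape character is '^]'.
Username: guest
Password:
User authorization failure
"""

if __name__ == "__main__":
    for session in (SESSION_WITH_BANNER, SESSION_HARDENED_BANNER):
        print(fingerprint(session))
```

The second transcript shows why banner hardening alone is not enough: the prompt and the failure message still score 0.6 on their own.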
Of course, if the machine is connected to a TCP/IP network, a utility like NMap (http://www.insecure.org/nmap) could help you out as well. Note that reported version information may be inaccurate. Identification of a VMS system should be fairly straightforward.

3) Public VMS/OpenVMS systems ("Where's one I can play with?")

There are a few about. Here are some that I know about (let me know if there are more!).

http://deathrow.vistech.net
Free OpenVMS accounts, and we support security research _on our VAXen/Alphas_ (not other people's systems). We have WebSSH support, Webmail, and it's the home of this text that you're reading. DEMO (GUEST) account is available. We currently have a small DECNet up and operational, and we are clustering a mix of systems (VAXen/Alphas).

http://www.hobbesthevax.com
Free VMS accounts. They have some decent resources at their website as well.

http://www.vax6k.openecs.org
Free VMS accounts on an old-school _large_ VAX 6000. DEMO (GUEST) account is available. [This has been down for a little while now.]

http://eisner.decus.org
VMS accounts for DECUS (err, now ENCOMPASS) members. This is a DEC Alpha DS20 running OpenVMS. They have some interesting conversations via DEC "NOTES".

http://vmsbox.cjb.net
Free VMS accounts on an AlphaServer 2100. Basically a small departmental server, the system is running OpenVMS v7.3, Multinet IP stack, and WASD web server.