$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$
L L
O Lex Luthor O
D AND D
$ LOD/H $
L Present: L
O ADVANCED HACKING VAX'S VMS O
D D
$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$
L L
O This file, will explain in detail O
D the more useful commands, notable D
$ differences of Version 4.0 and $
L higher from older versions, and L
O exploit the new security features O
D and software available for VMS. D
$ $
LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$L
O (C) Written 01-JUN-85 O
D By: Legion of Doom/Hackers D
$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$
NOTE: All references to things in < >
should be replaced by square brackets.
VAX/VMS BACKGROUND:
-------------------
The VMS Operating System supports all VAX-11 series computers. The system
permits an absolute limit of 8192 concurrent processes. This depends on the
physical memory and secondary storage available. The practical limit is in
excess of 100 concurrent users for a large scale system. The initial license
fee is $10,000, and when run on the VAX 8600 the fee is $15,000. There are an
estimated 22,000 sites running VAX/VMS.
CORRECTIONS:
------------
I mentioned in Part I that VMS runs on the PDP-11. This was a mistake: UNIX
is the operating system which can run on both the VAX and PDP machines.
LOGGING IN:
-----------
Username: ACIRS508
Password:
LOD/H Advanced Computer Insecurity Research System (ACIRS).
VAX/VMS Version 4.2
Last interactive login on Wednesday, 01-JUN-1985 10:20.11
Last noninteractive login on Friday, 30-MAY-1985 15:38.27
2 failures since last successful login
You have 1 new mail message
$
All login procedures are executed by one of two methods, interactive or
noninteractive. Interactive logins require the user to follow the prompts of
the system for information. Noninteractive logins are performed exclusively by
the system without user interaction.
Types of logins are:
1) Local: This is executed by a user who is directly connected to the CPU.
2) Dial-up: Login using dial-up lines.
3) Remote: Remote logins are performed to a node over a network.
4) Network: Network logins are noninteractive as they are accomplished
automatically when a user accesses files stored in a directory on another node
or performs a network task on a remote node assuming they are both nodes on the
same network.
5) Batch: A Batch login is another noninteractive automatic procedure
performed when a batch process initiated by a user actually runs.
6) Subprocess: Subprocess logins are always noninteractive; a subprocess login
is the result of a user executing either a specific process form of a command
or a system service.
Other types are: the Proxy login, a type of network login permitting a user to
access files across a network; and the Detached process login, which can be
specified by the user as either interactive or noninteractive, and which is
likewise the result of a user executing either a specific process form of a
command or a system service.
COMMON ACCOUNTS (PART II):
--------------------------
Here are some more common accounts which may enable you to gain access.
One note, there is a difference between default and common accounts, defaults
are put in by the manufacturer, and common accounts are characteristic
of most computers or operating systems of the same make.
Username: Password:
--------- ---------
RJE RJE
HOST HOST
LINK LINK
INFO INFO
BACKUP BACKUP
NETWORK NETWORK
DECMAIL DECMAIL
HELPDESK HELPDESK
REPORT(S) REPORT(S)
As you have noticed, we are relying on the user to use their username as a
password. If none of these get you in, you may want to try first names, social
security numbers, initials etc. Remember, all you have to do is get in, worry
about getting privileged later.
PASSWORD SECURITY:
------------------
Passwords can be selected by the user or automatically generated by the
system. User selected passwords require a minimum length of characters to
prevent use of familiar easy-to-guess words. Automatically generated passwords
offer the user a choice of randomly sequenced characters resembling English.
All passwords need to be changed about every 30 days and are one-way encrypted
when stored.
There are 2 levels of passwords used:
A user password is required of the majority of users. A system password
is required prior to a user password when restricting access to a particular
terminal. For maximum security two user passwords may be required, a primary
password followed by a secondary password. I have not encountered this
yet, but I thought I would just mention the capabilities of the VMS security
system.
INTERIOR BARRIERS:
------------------
On some systems, after successfully logging on with the username/password
combination, the system may ask you to enter a dial-up, modem, remote, etc.
password, it may dump you into an application program or it may give you a
device not found error. In any case, this prevents you from gaining access to
the operating system. A possible way around these problems is to hang up and
call back the system, hit control-c and/or control-y after the initial logon
sequence. This will prevent the system from executing the security program,
login.com file or application program, or from detecting that there is not a
device assigned to the user in question. You may have to try this a few times, since
timing may be crucial. Most likely, you will not be able to break out of the
program itself after logon, because of the command "set nocontrol=y" which
inhibits the use of control-y. If you find that this doesn't work, then set
nocontrol=y has been implemented from the start of your logging in, which is
accomplished by running authorize and changing the user characteristics in the
UAF. But as usual, this is not done, whether it's because the system manager
is lazy, ignorant or maybe the use of the control character is needed later in
the logon session; thus, you gain unauthorized access to the machine.
VERSION 4.2:
------------
As you have seen, Version 4.2 was mentioned. At the time of this writing
it is under testing, and not yet released, but DEC kind of 'leaked' this
information to LOD/H via their DECNET (hehe). Also, from the banner, you can
deduce that 4.0 and above has an extensive audit trail which, when
implemented, records login failures; thus, be careful when attacking VMS 4.0
and up using trial and error techniques.
SECURITY FEATURES:
------------------
Security for VMS is based on the reference monitor concept. Under this
concept the reference monitor is the central security point for the following:
1) Subjects: users, processes, batch jobs.
2) Objects: files, programs, terminals, tapes, disks, mailboxes.
3) Reference monitor database: user authorization files, rights database, file
protection, access control lists.
4) Security audit.
The reference monitor system mediates every attempt by a subject to gain access
to an object.
The greatest advantage of VMS is its flexibility. The system manager can
choose to implement or ignore a wide range of security features; fortunately
for the hacker, they all seem to ignore the important ones. It is possible
to protect all, any or none of the files created. It is also possible to
provide general or restricted passwords, or no passwords at all. Access
codes can be global or limited. The use log can be ignored, used only for
record keeping, or be employed as a security control tool. Finally, the
encryption system can be activated where needed, defaulting to uncoded material
for normal use.
VAX/VMS has the following security features that are designed to prevent
unauthorized access or tampering:
1) It provides a system of password controls and access levels that allow the
security manager to open sections of the system only to those users with a
particular requirement or legitimate interest.
2) It keeps a careful log of all interactions so that questionable uses can be
challenged and documented.
3) It supports an encryption system that allows system management to create
coding keys that are necessary for access to programs or databases. The
encryption system of VAX/VMS provides an additional level of security;
however, the other security features are sufficient to deter most losers,
and the encryption system included in the operating system package would
probably not stop those few so motivated. The encrypt facility does not
use a sufficiently complex algorithm to be unbreakable, although it would
slow down or halt most potential abusers.
AUDIT TRAIL:
------------
The security log feature, if monitored, and that's a big IF, is a major
disadvantage for the hacker. Flag codes can alert an operator to an ongoing
hack; review can isolate users attempting to exceed access restrictions. The
system can "freeze" a terminal if a breach is discovered, or if multiple
wrong access codes are attempted. Of course, the log system functions somewhat
after the fact and it is possible, though difficult, to alter the security
log. A terminal can be designated as an audit alarm console and all auditable
events are displayed on the console. Some events, such as certain login
failures and uses of privilege are always auditable. Other events, such as
successful or unsuccessful attempts to gain access to sensitive files, can be
selected by users or security managers for auditing. For example, the owner
of a sensitive file might create an ACL entry requesting that all accesses
to that file be audited, whether someone reviews that audit is another story.
INTERNAL SECURITY:
------------------
VAX/VMS determines access to objects by utilizing two protection mechanisms:
Access Control Lists (ACLs), and User Identification Codes (UICs). It takes
the two together, acting with user privileges, for access.
Access Control Lists: The ACL uses identifiers to specify users. There are
three types:
1) UIC identifiers depend on the user identification code that uniquely
identifies each user on the system.
2) General identifiers are defined by the security manager in the system
rights database to identify groups of users on the system.
3) System-defined identifiers describe certain types of users based on
their use of the system.
An ACL consists of one or more Access Control List Entries (ACEs). There
are three types of these:
1) Identifier ACE: This controls the type of access allowed to a particular
user or group of users. Access types are: READ, WRITE, EXECUTE, DELETE,
CONTROL, and NONE.
2) Default protection ACE: This defines the default protection for directory
files only.
3) Security alarm ACE: Watch out for this one! It provides an alarm message
when an object is accessed. This will alert managers to possible security
threats (YOU!). Alarms may be generated when an unauthorized user performs
the following access types: READ, WRITE, EXECUTE, DELETE, or CONTROL.
Alarms are also issued for the SUCCESS or FAILURE of these attempts.
User Identification Codes: As stated in part I, each user has a UIC. Each
system object also has an associated UIC, defined to be the UIC of its owner,
and a protection code that defines who is allowed what type of access. Also
mentioned in part I was the protection put on objects: System, Owner, Group,
and World. Depending on these, the protection code can grant or deny access to
allow a user to read, write, execute, or delete an object. When you log in,
the identifiers which are in your "rights database" are copied into a rights
list that is part of your process. The rights list is the structure that VMS
uses to perform all protection checks.
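To tie the ACL, UIC and audit pieces together, here is a small Python model of the access check (added to this file for illustration; it is not DEC's code and is a simplification, so the evaluation order, the SYSTEM_GROUP_MAX cut-off for the System category and the omission of privileges such as BYPASS are all assumptions). It scans identifier ACEs against the process rights list, falls back to the System/Owner/Group/World protection code, and records what a security alarm ACE would send to the audit console.

```python
# Teaching model (not DEC's code) of how the reference monitor decides an
# access request.  Assumptions, not documented VMS behaviour: the first
# identifier ACE whose identifier is in the rights list decides; with no match
# the UIC protection code decides; privileges such as BYPASS are ignored.
from dataclasses import dataclass, field

SYSTEM_GROUP_MAX = 10          # constructed cut-off for the "System" category
AUDIT_LOG = []                 # what an audit alarm console would display

@dataclass
class IdentifierACE:
    identifier: str            # a UIC such as "[200,7]" or a general identifier
    access: frozenset          # allowed access types; empty set means NONE

@dataclass
class AlarmACE:
    access: frozenset          # access types that trigger an alarm
    when: frozenset = frozenset({"SUCCESS", "FAILURE"})

@dataclass
class ProtectedObject:
    owner_uic: str
    protection: dict           # {"SYSTEM": set, "OWNER": set, "GROUP": set, "WORLD": set}
    acl: list = field(default_factory=list)

@dataclass
class Process:
    uic: str
    rights: set                # rights list copied from the rights database at login

def group_of(uic):
    return int(uic.strip("[]").split(",")[0])

def check_access(proc, obj, requested):
    decision = None
    for ace in obj.acl:        # 1. ACL: first matching identifier ACE decides
        if isinstance(ace, IdentifierACE) and ace.identifier in proc.rights:
            decision = requested in ace.access
            break
    if decision is None:       # 2. no match: fall back to the protection code
        if group_of(proc.uic) <= SYSTEM_GROUP_MAX: category = "SYSTEM"
        elif proc.uic == obj.owner_uic: category = "OWNER"
        elif group_of(proc.uic) == group_of(obj.owner_uic): category = "GROUP"
        else: category = "WORLD"
        decision = requested in obj.protection[category]
    outcome = "SUCCESS" if decision else "FAILURE"
    for ace in obj.acl:        # 3. security alarm ACEs audit SUCCESS/FAILURE
        if isinstance(ace, AlarmACE) and requested in ace.access and outcome in ace.when:
            AUDIT_LOG.append(f"{outcome} {proc.uic} {requested}")
    return decision
```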
GENERAL SYSTEM COMMANDS:
------------------------
DEC-net was briefly mentioned in part I, but I have noticed that this is
more important than I had originally anticipated, especially after I checked a
system which had 100+ nodes on the network, all of which I proceeded to break
into. Anyways, the procedure is:
$ SHOW NETWORK
    Node      Links   Cost   Hops   Line
  1 LEGION      0      61     6    DMC-5
  2 ARCHER      0      11     1    DMC-5
  3 DOCWHO      0      18     2    DMC-5
  4 BLOTTO      0      20     3    DMC-5
  5 PLOVER      0      15     3    DMC-5
Total of 5 nodes.
$ SET HOST ARCHER
You will get one of two responses when connecting to a node on a network:
Username:
~Y
~Y
Are you repeating ~Y to abort the remote session on node ARCHER? Y
%REM-S-END, control returned to node ACIRS::
or
%REM-F-NETERR, DECnet channel error on remote terminal link
%SYSTEM-F-UNREACHABLE, remote node is not currently reachable.
In the first instance, I merely hit two control-y's to abort the login; the
second means that either the system is not operating or that there is no
node by that name.
DIRECTORIES:
------------
Instead of using wildcards for getting a directory listing, try:
$ dir <000000...>
Directory SYS$SYSDEVICE:<000000>
000000.DIR;1        AMMONS.DIR;1
NEWS.DIR;1          RJE.DIR;1
SECURITY.DIR;1      TEST.DIR;1
Total of 6 files.
Directory SYS$SYSDEVICE: