Beginners Guide to VAX/VMS Hacking

Order Number: XX-09929-FA

This document is a "Beginners Guide to VAX/VMS Hacking" by "ENTITY / Corrupt Computing Canada," aiming to introduce fundamental concepts and techniques for exploiting VAX/VMS operating systems.

The guide covers:

  1. Initial Access:

    • Identifying VAX systems by their "Username:" prompt.
    • Attempting default username/password combinations (e.g., SYSTEM/MANAGER, DEFAULT/DEFAULT) and a comprehensive list of common weak credentials.
    • Noting that new user accounts often default to the username as the password.
  2. System Navigation and Information Gathering:

    • Basic DCL (Digital Command Language) commands for setting the prompt, enabling break keys, and viewing information ($set, $show, $type, $dir).
    • Understanding the hierarchical VMS file and directory structure, including file extensions (EXE, COM, DAT, LIS, MAI, DIR, JOU, TXT) and versioning.
    • File protection (SYSTEM, WORLD, GROUP, OWNER with Read, Write, Execute, Delete permissions) and how to modify it.
    • Using the EDT text editor for creating and modifying files, including a list of basic commands.
    • General DCL commands for various tasks, emphasizing the use of online help.
  3. Exploitation Techniques:

    • Bypassing Login Procedures: Skipping LOGIN.COM or executing a custom file using special username qualifiers (/nocomm, /comm=file).
    • Escaping Captive Accounts: A method to break out of restricted captive accounts into a DCL shell by using SPAWN after a remote connection prompt.
    • Gaining Privileges: How to check current privileges ($show proc/priv) and attempt to gain all privileges ($set proc/priv=all) if the account is a SYSTEM one. Discusses important privileges like CMKRNL, SETPRV, READALL, SYSPRV, and BYPASS. (Notes that gaining all privileges typically requires advanced kernel programming, which is intentionally not fully detailed to prevent abuse).
    • Online Security Awareness: Checking system auditing features ($show accounting, $show audit) and intrusion records ($show intrusion) to assess system manager vigilance.
    • Utilizing Expired Passwords: Identifying inactive accounts based on last login time and immediately setting a new password.
    • Gaining More Accounts: Methods to obtain a list of system users, including type sys$system:rightslist.dat, dump sys$system:rightslist.dat, mc psiauthorize, and using AUTHORIZE to access SYSUAF.DAT. Suggests trying default username=password for any discovered users.
    • DECnet and PSI Hacking: Listing remote nodes ($show net), copying files (like rightslist.dat) from remote systems, finding user/password information in logical names, connecting to remote hosts ($set host), obtaining DATAPAC/TELENET addresses, and dialing out via modems ($set host/dte). Includes methods to turn off logging for remote sessions.
    • Trojan Horses: Detailed methods for creating DCL-based trojan horses that modify system file protections (SYSUAF.DAT, AUTHORIZE.EXE) when a privileged user executes a common system COM file (like NOTES.COM or ADDUSER.COM). Emphasizes the importance of covering tracks.
    • Creating/Modifying Accounts: Using the AUTHORIZE program (requires SYSPRV or SETPRV) to add new users or modify existing ones, with an emphasis on making changes inconspicuous.
  4. Maintaining Undetected Access:

    • Strategies for hiding on the system, such as avoiding suspicious files and becoming a non-interactive or subprocess.
    • Changing a process name to mimic system processes (e.g., printer drivers like SYMBIONT_xxxx), including a stealth.mar assembler program that changes the process type.
    • Monitoring other processes ($show user, $show system) and files they access ($show devices/files/nosystem), and using the powerful System Dump Analyzer (SDA) to examine system memory (requires CMKRNL privilege).
  5. DCL Programming Basics:

    • An introduction to writing DCL Command Procedures, covering passing parameters, getting user input, outputting information, file I/O operations, conditional logic, expressions, and lexical functions.
    • Explanation of VAX error message format.
    • Sample DCL (WATCHDOG.COM) and assembly (STEALTH.MAR) programs.
  6. Resources: Recommendations for external manuals (e.g., "VAX/VMS INTERNALS AND DATA STRUCTURES") and unconventional methods for acquiring them.

The document concludes with a list of DCL commands categorized by function. It serves as a practical, albeit ethically questionable, guide for beginners to explore and exploit VAX/VMS systems.

Date: May 2000
Length: 72 pages
Quality: Original
Size: 0.2MB
