A Guide to VMS'pionage
by EZ Freeze
When the subject of hacking comes to mind, many people think of UNIX shell accounts and the possibilities within. UNIX has always had a reputation for flexibility and for being a good starting system for countless new hackers. But a shell account on UNIX is not always the easiest place to start.
In my opinion, VMS, in terms of hacking, has been neglected. VMS has the capability for a good deal more security than UNIX, but it remains the case that many administrators don't really understand VMS enough to bring it to its full security potential.
In a VMS environment, there are many sources of important information which can give users a wide set of opportunities. Therefore, many ways of guarding these sources can be employed.
Here's a simpler way of phrasing this: The bigger the fence, the more valuable the building within it. Pretend that the building's occupants are the server's files. Now what if the fence wasn't put in place? Opportunities for spying and sneaking around the network have been set up, hence the concept of VMS'pionage.
This guide will show you a few ways to exploit a system running OpenVMS and a MultiNet server (or a server similar to MultiNet). This guide is not a how-to on operating or managing a VAX, and does not explain every command affiliated with VAX/VMS.
In this guide, I felt it was important only to include and explain commands which can be used to exploit the server the reader plans on hacking. If you want to read a full explanation of OpenVMS, the Legion of Doom Technical Journals on the subject are an excellent resource. They are quoted from in this article.
Like many aspects of hacking, simple techniques will be employed to reveal greater results. When reading this guide and using what you've learned from it, there are a couple of essential things to keep in mind. Make sure the administrators are at least relatively lax. Don't try to match wits with admins obsessed with security, because you will get caught. OpenVMS keeps many system logs in which everything that occurs on the network is recorded. You had just better hope that you will only be prosecuted to the full extent of the law.
The first thing you should do is get an estimate of the user population. You can pretty much assess this by using the finger command. Use finger at several times of the day, mostly times when you know a good deal of users should be connected (such as lunch and dinner times). Remember, hacking when very few people are on is only a good idea if the network is generally unoccupied. If there are always very few users and the network is not usually maintained, a hack should be a pretty safe bet. But if you're the only one on at one given moment on a normally occupied network, you will definitely stand out in the logs. Also, when you log into some VMS networks, you are informed of which operator is on duty. If this is the case with your target, try to choose a time when there is no operator on duty or when the operator is at lunch (yes, you can be informed of that as well). Once you've burned holy incense or made a ritual sacrifice for good luck, it's time to start.
VMS networks with MultiNet do not often allow anonymous FTP access, since a MultiNet server is structured differently than many others. However, if you have access to an account in the network, you can manipulate the MultiNet FTP process. If you don't happen to have an account, there is a list of default passwords at the end of this guide. If the correct security measures aren't taken, users can view other users' directories. As well as viewing, a user with normal privileges can delete, add, and transfer files to their account. However, a user can usually only access the accounts on their disk. You can find the disk you're in by typing directory or dir at the DCL prompt, and the disk is usually labeled something like $DISK(#). To view all the devices in the network, type show devices at the prompt.
The list which will follow is a set of fully functional devices. The disks in a device list usually come first. If a device is active, each column will have an entry and, most importantly, a volume label. If a device is listed but does not contain a volume label, the capacity for the device exists but the device itself was never installed. A listing can exist however, but be marked "Offline" as a status. On a server, sometimes each disk is reserved for a specific purpose.
For instance, in a college or university, one disk may be reserved for faculty while another may be marked as student. The following is a transcript of a sample FTP session, illustrating the scenarios described earlier:
VMSVAX.LAZYADMINS.COM MultiNet FTP user process V4.0(118)
FTP>VMSVAX.SIMMONS.EDU
Connection opened (Assuming 8-bit connections)
<VMSVAX.LAZYADMINS.COM MultiNet FTP Server Process V4.0(15) at Sat 15-Aug-98 5:58PM-EDT
VMSVAX.LAZYADMINS.COM>LOGIN
Foreign username: DARKHACK
<User name (DARKHACK) ok. Password, please.
Password:
<User DARKHACK logged into $DISK3:[DARKHACK] at Sat 15-Aug-98 5:58PM-EDT, job 202222e8.

This is the user DARKHACK's main directory. DARKHACK's disk is $DISK3. Note: when you enter your own directory or someone else's this way, it is recorded as a non-interactive login. When a user logs into their account, they are shown the last time they made an interactive login (a direct login) and the last time they made a non-interactive login (accessing a directory via FTP, for example). The exact time the directory was entered will show up as a non-interactive login:
VMSVAX.LAZYADMINS.COM>DIR
<List started.
$DISK3:[DARKHACK]
PASSWORDS;1 0 13-AUG-1998 13:40 [ELITE, DARKHACK]

This is the listing of DARKHACK's main directory, containing the file PASSWORDS;1. The text in brackets indicates ownership: ELITE is the group DARKHACK belongs to (the group $DISK3 is set aside for), and DARKHACK is the file's owner. From here, DARKHACK can view his directory, delete files, and view specific files:
VMSVAX.LAZYADMINS.COM>CDUP
<Connected to $DISK3:[000000].

000000 is the root directory of $DISK3. From there, a user with normal privileges can enter the directory of any account on $DISK3. Chances are you will only be able to view the root directory of the disk your own directory exists on:
VMSVAX.LAZYADMINS.COM>CD GOVAGENT
<Connected to $DISK3:[000000.GOVAGENT].
VMSVAX.LAZYADMINS.COM>DIR
<List started.
$DISK3:[GOVAGENT]
MOSTWANTED;1 0 13-AUG-1998 13:40 [BIGBROTHER, GOVAGENT]

This is the listing of GOVAGENT's main directory, containing the file MOSTWANTED;1. The text in brackets means the same as in DARKHACK's listing above. From here, any user can view the file MOSTWANTED;1, delete it, or download it to their own directory:
VMSVAX.LAZYADMINS.COM>TYPE MOSTWANTED;1
ATTENTION! A man going by the alias "DARKHACK" has infiltrated hundreds of VAX/VMS mainframes across the country. We think he may be residing, with a special file of stolen passwords, in yours. Your mission is to track him down and bring him to justice! Good luck!

This can't be good for DARKHACK! Hopefully, if GOVAGENT hasn't checked his directory yet, DARKHACK can just remove the file and GOVAGENT will never hear about it. GOVAGENT could still notice the date and time of the most recent non-interactive login, though:
VMSVAX.LAZYADMINS.COM>RM MOSTWANTED;1
<File deleted ok, file $DISK3:[000000.GOVAGENT]MOSTWANTEDJ.

However, if DARKHACK had wanted to warn his friends about GOVAGENT, he could have downloaded the file and then deleted it:
VMSVAX.LAZYADMINS.COM>GET MOSTWANTED;1
To local file:
<VMS retrieve of $DISK3:[000000.GOVAGENT]GROUP.;7 started.
<Transfer completed. 334 (8) bytes transferred.
VMSVAX.LAZYADMINS.COM>

If a user with normal privileges wants to try to access the server's root directory (probably without success), they simply type the command below. Notice the six zeroes. They stand for the root directory, as in the string $DISK3:[000000]. When the zeroes stand alone, however, they refer to the server's root directory, not the root directory of any one disk:
VMSVAX.LAZYADMINS.COM>DIR <000000...>

If all goes well, a listing of the directory appears. Security measures can be taken to stop this, though. If they have been, the message below replaces the directory listing. The same message appears any time a user tries to exceed their privileges or delve into protected files:
<%RMS-E-PRV, insufficient privilege or file protection violation

The following commands create a directory with the name specified by the user. This feature might be protected. If so, the commands will only let you create a directory with the same name as the one you own, or only a directory with a different name inside the one you own:
>MKDIR, CREATE-DIRECTORY TEST
257 "$DISK3:[000000.DARKHACK.TEST]" Directory created
>MKDIR, CREATE-DIRECTORY TEST
257 "$DISK3:[000000.TEST]" Directory created

The following commands delete a directory from the server. Depending on the security settings, you may only be able to delete a directory you created yourself:
>RM, RMDIR, REMOVE-DIRECTORY GOVAGENT
"$DISK3:[000000.GOVAGENT]" Directory deleted
>RM, RMDIR, REMOVE-DIRECTORY CLASSIFIED
"$DISK3:[000000.GOVAGENT.CLASSIFIED]" Directory deleted

The last section of this article tells you how to enter someone's directory with stealth. It is very risky, but if the user you're dealing with is ignorant enough, you should be able to pull it off.
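Before the stealth section, here is an added worked model (not from the original article) of the UIC-based file-protection check that decides whether the TYPE, RM and DIR requests above succeed or fail with %RMS-E-PRV, and which protection setting on GOVAGENT's files closes the hole. The UICs, group numbers and protection strings are constructed for the DARKHACK/GOVAGENT scenario; the usual MAXSYSGROUP value of 8 is assumed, and ACLs and privileges such as BYPASS are left out.

```python
# Added example, not from the article: a model of the OpenVMS UIC-based
# file-protection check behind the %RMS-E-PRV error quoted above.
# UICs and protection strings are constructed for the DARKHACK/GOVAGENT
# scenario; MAXSYSGROUP = 8 is the usual VMS default for system groups.

MAXSYSGROUP = 8  # UIC groups 1..8 fall into the SYSTEM category

def categories(accessor, owner):
    """Protection categories a (group, member) UIC falls into for a file
    owned by another UIC: everyone is World, same group adds Group,
    same UIC adds Owner, and a system-group UIC adds System."""
    cats = {"W"}
    if accessor[0] == owner[0]:
        cats.add("G")
    if accessor == owner:
        cats.add("O")
    if accessor[0] <= MAXSYSGROUP:
        cats.add("S")
    return cats

def parse_protection(spec):
    """Parse 'S:RWED,O:RWED,G:RE,W' into {'S': {'R','W','E','D'}, ..., 'W': set()}."""
    mask = {}
    for field in spec.split(","):
        cat, _, bits = field.partition(":")
        mask[cat.strip()] = set(bits.strip())
    return mask

def access_allowed(accessor, owner, protection, wanted):
    """True if some category the accessor belongs to grants every bit in wanted.
    File-level check only: VMS also allows a delete via W access on the
    directory file, which it evaluates with the same rule."""
    mask = parse_protection(protection)
    return any(set(wanted) <= mask.get(c, set()) for c in categories(accessor, owner))

def check(accessor, owner, protection, wanted):
    """Mimic the outcome the FTP server reports for a request."""
    if access_allowed(accessor, owner, protection, wanted):
        return "ok"
    return "%RMS-E-PRV, insufficient privilege or file protection violation"

if __name__ == "__main__":
    DARKHACK = (300, 5)   # constructed UIC in group ELITE
    GOVAGENT = (200, 10)  # constructed UIC in group BIGBROTHER
    LAX = "S:RWED,O:RWED,G:RWED,W:RWED"   # lets any account TYPE or RM the file
    SAFE = "S:RWED,O:RWED,G,W"            # owner and system only
    for prot in (LAX, SAFE):
        for op, bits in (("TYPE", "R"), ("RM", "D")):
            print(f"{op:4} MOSTWANTED;1 with {prot}: {check(DARKHACK, GOVAGENT, prot, bits)}")
```

Running it shows DARKHACK's TYPE and RM succeeding under the lax mask and both failing with the %RMS-E-PRV message once the world and group fields are emptied, while GOVAGENT and a system-group UIC keep full access.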
First log on during a busy night and wait until another user enters the network. Don't even touch a user who's already there. Once you have the potential user, wait until they enter a Telnet session or something else which will keep them occupied, particularly with their attention away from their directory. If the user doesn't enter a Telnet session within a couple of minutes, move on and wait for another user.
Once you have a match, you can enter their directory and read or download files. Make sure not to delete or upload anything, or create any new directories, for obvious reasons. The logic behind this technique is the similarity between the interactive and non-interactive login date and times. If the times and dates of someone's interactive/non-interactive logins are too far apart, the user will be suspicious. But if the dates and times are close enough, some people will just assume the non-interactive login was invoked by some routine command they typed.
It might sound ridiculous, but it can work extremely well.
VAX/VMS Default Password List:
(Taken from "The Ultimate Beginner's Guide To Hacking And Phreaking")
Username   Passwords
SYSTEM     OPERATOR, MANAGER, SYSTEM, SYSLIB
OPERATOR   OPERATOR
SYSTEST    UETP, SYSTEST, TEST
SYSMAINT   SYSMAINT, SERVICE, DIGITAL
FIELD      FIELD, SERVICE
GUEST      GUEST, (unpassworded)
DEMO       DEMO, (unpassworded)
TEST       TEST
DECNET     DECNET