==Phrack Inc.== Volume Three, Issue 27, File 6 of 12 <<<<<<<<<<<<<<<<<<<<<<*>>>>>>>>>>>>>>>>>>>>>> <<< >>> <<< Looking Around In DECNET >>> <<< >>> <<< by Deep Thought of West Germany >>> <<< >>> <<< June 1, 1989 >>> <<< >>> <<<<<<<<<<<<<<<<<<<<<<*>>>>>>>>>>>>>>>>>>>>>> Disclaimer: I take no responsibility for any use or abuse of the information contained in this article, nor for any damage caused by the use of methods described. DECNET, VAX, and VMS are possibly registered trademarks of Digital Equipment Corporation. There comes a time when every somewhat intelligent programmer asks: Is hacking difficult? Now, being in a university network, why don't just give it a try? Since one is an official student and somewhat authorized to use the computing facilities, testing the modern means of communication should cause no trouble. Well, you start searching on those nodes, you have official access for interesting programs and procedures. And you find: Netdcl, just one program of many, that obviously enables one to run commands on remote nodes without having an account on these nodes. A really interesting thing, as nearly everything is allowed that a normal user can do. The dear reader may start to think: Wasn't there always the shouting about VMS being the MOST SECURE computer system, making it UNPENETRABLE to hackers? Ok, cool down, this feature can be disabled and so, you think, if someone has super secret data on his VAX, he will stop any use or abuse of this feature. 2nd Act -- Somewhere one has heard about some mystery things called system calls. Since one always wanted to know about how to react on keystrokes on a VAX (really being not trivial!) you start reading the manuals more precisely to find out how to do it in Pascal. Randomly on browsing thru the pages you discover functions which deliver information about Userids. This comes in handy, as a friend engaged in university politics wants to distribute a leaflet by email to all registered users. In fact, it's completely unproblematic to gain a list of all users. An example program, although written in Assembler, is even contained in the manuals. Enjoy a list of 1000 Userids complete with information about network access rights. The Pascal program is contained in Appendix B (later in this file). Sorry, passwords are not stored in this list. Even the Sysop can't access them, so that's no great loss. Guess what passwords many accounts have? Sure, just try the username. It's really amazing how ignorant users can be. Of course this is a problem of group-accounts, that many users have access to and must know the password. Nevertheless, the hole is there. The real hacker, once he has logged in on such an account surely finds ways to gain system privilege. This requires in-depth knowledge of the Kernel of VMS and is another story I won't deal with. What is DECNET? ~~~~~~~~~~~~~~~ DECNET is the means, by which computers from Digital Equipment Corporation (DEC) can be connected to each other. Each computer in this network has an address which is normally given by x.y where x is the area number (an integer) and y is the node number in this area which ranges from 1 to 1023. To access DECNET nodes, one specifies just one number, which can be computed from x and y by the following formula: nodenumber = x * 1024 + y Often nodes, especially local nodes (having the same area number as your current node) have names assigned to them so they can be memorized more easily. Interesting DECNET Commands ~~~~~~~~~~~~~~~~~~~~~~~~~~~ To get a (first) list of available DECNET nodes, try the command $ SHOW NET The $ (as in the following examples) is the default prompt of VMS and should not be entered. This Command will give you a list of (hopefully) reachable nodes. All lines of the output contain the network address in the form x.y and normally a name which this node is known by. Your current node is mentioned in the first line in "VAX/VMS network status for local node X.Y Name". In most cases you will then just see local nodes listed and a line saying "The next hop to the nearest area router is node XX.YY". This node contains more information about the DECNET than the node you are currently on. If you have an account on the specified node, log on there and try again. If not, well, play with the local nodes listed and look at the command NCP shown later. Now, what can you do with those nodes that were mentioned in the output? First command is $ SET HOST Where is either a nodename or a nodenumber (see above). Thus, if SDIVAX was listed in the SHOW NET list as 42.13, then you may try both SET HOST SDIVAX or SET HOST 43021 (42*1024+13 = 43021). Probably you'll get that ugly Username: prompt. You're on your own then. Second thing you can do with DECNET is email. On VMS the MAIL program can send mail to other users. If you and your friend both have accounts on the same DECNET, you can send him mail if you know his nodename or nodenumber by specifying SDIVAX::FREDDY or 43021::FREDDY. Then there is PHONE. This is a utility to talk to another (or several) user(s) on a DECNET. If you want to call Freddy, just type PHONE SDIVAX::FREDDY. If he is logged in, his terminal will ring and if he answers his phone (with PHONE ANSWER) you may chat with him. PHONE has another nice feature built in: You may ask for a list of active users on a remote name by %DIR SDIVAX. See the online help on PHONE for further details. The next really mighty DECNET facility is remote file access. Valid filenames in VMS consist of the components node, disk, directory and filename. An example for a valid filename is SDIVAX::DISK$2:[NASA.SECRET]SDI.DOC where some components may be omitted and default values are used instead. File names including the node specification may be used in nearly all VMS commands examples being DIR, TYPE and COPY. Access to the specified file is granted, if the protection of the file allows access by world, or if the owner of the file is the user DECNET. This pseudo userid is available on every VAX and has the password DECNET. Access to that account is limited to network processing so you can't just log in with Username=DECNET, password=DECNET. By default a special directory owned by the User DECNET exists on each node. This directory can be accessed by just specifying the nodename without any disk or directory information, as in $ DIR SDIVAX:: If users played too much with this feature, the directory may be protected or otherwise disabled. The last feature described here is the remote command processing facility. If you try to open a file with the specification $ SDIVAX::"task=foo.com" Instead of opening the DCL procedure, foo.com will be executed. To make use of this feature easily, programs have been written to interactively communicate with a remote host. The command procedure NETDCL.COM does this task and is contained in the Appendix A (seen later in this file. Look at this DCL-Procedure to learn more about DECNET features. The Key To Universal Knowledge ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There is a pearl under the programs on a VAX. It's called NCP and will give readily information about the whole DECNET. You start this program either by MCR NCP or by doing a SET DEF SYS$SYSTEM and RUN NCP. Use the on-line Help provided in NCP (which means Network Control Program) to learn more. NCP> SHOW KNOWN NODES Provides a list of all nodes known on your current node, including the names you may use as node specifications. But there is more: You may connect to another node's database and get a list of nodes which are known at the remote node with NCP> SET EXEC SDIVAX And then again the SHOW KNOWN NODES command. This feature should provide you with a nearly infinite list of node names and node numbers. Conclusion ~~~~~~~~~~ There are many nice features available under DECNET. Probably I don't know all, but I hope this article showed you the mighty tools available on VMS to make network life easier. WARNING: The author has had bad experiences with some node administrators, who didn't like their machines being contacted over DECNET. Yes, that's the drawback, each DECNET activity is written to a protocol file that is printed and deleted every month. So you should be careful in using DECNET. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - APPENDIX A: The Procedure NETDCL.COM, sometimes called TELL.COM, NET.COM ----------------------- $ IF f$mode() .EQS. "NETWORK" THEN GOTO network $ IF p1 .EQS. "" THEN READ/PROMPT="_Node: " sys$command p1 $ nodespec = p1 - "::" $ nodename = f$extract(0,f$locate("""",nodespec),nodespec) $! include the following line for "hard cases" $! nodespec = nodespec+"""decnet decnet""" $ ON WARNING THEN CONTINUE $ CLOSE/ERR=open_server dcl_server $open_server: $ OPEN/READ/WRITE dcl_server 'nodespec'::"TASK=NETDCL"/ERROR=open_failure $ ON WARNING THEN GOTO exit $flush_output: $ READ dcl_server record $ IF record .EQS. "SEND_ME_A_COMMAND" - THEN GOTO send_command $ WRITE sys$output record $ GOTO flush_output $send_command: $ IF p2 .NES. "" THEN GOTO single_command $ READ sys$command record /PROMPT="''nodename'> " /END=exit $ record := 'record $ IF record .EQS. "EXIT" THEN GOTO exit $ WRITE dcl_server record $ GOTO flush_output $single_command: $ command := 'p2' 'p3' 'p4' 'p5' 'p6' 'p7' 'p8' $ WRITE dcl_server command $single_flush: $ READ dcl_server record $ IF record .EQS. "SEND_ME_A_COMMAND"- $ THEN GOTO exit $ WRITE sys$output record $ GOTO single_flush $open_failure: $ ON WARNING THEN EXIT $ COPY/LOG Netdcl.Com 'nodespec':: $ WAIT 0:0:1 $ OPEN/READ/WRITE dcl_server 'nodespec'::"TASK=NETDCL" $ ON WARNING THEN GOTO exit $ GOTO flush_output $exit: $ CLOSE dcl_server $ EXIT $network: $ OPEN/READ/WRITE dcl_link sys$net $ SET NOON $ dcl_verify = 'f$verify(0)' $ DEFINE sys$output dcl_link: $server_loop: $ WRITE dcl_link "SEND_ME_A_COMMAND" $ READ dcl_link dcl_string /END_OF_FILE=server_exit /ERROR=server_exit $ 'dcl_string' $ GOTO server_loop $server_exit: $ IF dcl_verify THEN set verify $ CLOSE dcl_link $ DEASSIGN sys$output $ EXIT ----------------------- APPENDIX B ALLUSER.PAS - Show all registered users ----------------------- { * alluser.pas - get names of all users * by Deep, 1989 * This program is freely redistributable as long no modifications are made * DISCLAIMER: I take no responsibility for any use or abuse of this * program. It is given for informational purpose only. * * program history: * 04-May-89 started * 02-Jun-89 clean up of code } [inherit ('sys$library:starlet.pen')] program alluser(input,output); type $word = [word] 0..65535; $byte = [byte] 0..255; $quadword = record lo,hi : unsigned; end; $uquad = record lo,hi : unsigned; end; var id: unsigned; status, status2: integer; length: $WORD; attrib,context,context2,context3: unsigned; ident, ident2: unsigned; name: varying [512] of char; holder: $uquad; begin writeln('Alluser - use at your own risk!'); status := SS$_NORMAL; { id = -1 selects next identifier } id := -1; context := 0; while (status <> SS$_NOSUCHID) do begin { find next identifier } status := $idtoasc(id,name.length,name.body,ident,attrib,context); if (status <> SS$_NOSUCHID) then begin write(pad(name,' ',16)); if (ident div (65536*32768) > 0) then { it's a rights-list, so print the hex-value of the identifier } begin writeln(oct(ident,12)); context2 := 0; context3 := 0; { find all holders of this right } repeat holder := zero; status2 := $find_holder(ident,holder,attrib,context2); if (holder.lo <> 0) then begin ident2 := ident; { get UIC and username } status := $idtoasc(holder.lo,name.length,name.body,ident2 ,attrib,context3); write(' ',pad(name,' ',16)); writeln('[',oct(holder.lo div 65536,3),',' ,oct(holder.lo mod 65536,3),']'); end; until (holder.lo = 0); end else { it's a UIC, so translate to [grp,user] } begin writeln('[',oct(ident div 65536,3),',',oct(ident mod 65536,3),']'); end; end; end; end. ----------------------- This article has been brought to you by Deep Thought of West Germany. If you liked this article, grant me access if I once drop in your BBS! _______________________________________________________________________________