==Phrack Magazine==
Volume Four, Issue Forty-Four, File 22 of 27
****************************************************************************
-- An Introduction to the DECserver 200 --
by Opticon The Disassembled
ANARCHY: "The belief that society
can be maintained without prisons,
armies, police or other organized force to
maintain property rights, collect taxes or
enforce such personal obligations as debts,
contracts or alimony." -EB 1966, vol.I
(taken from the Phrozen Realm)
"If ur good, nobody knows that ur there"
The DECserver is a terminal server (WOW!). The Model 200 is the most
commonly found server on VMS machines. This device connects up to eight
asynchronous (RS232C) terminals to one or more hosts available on an Ethernet
Local Area Network.
It is connected to the LAN through an Ethernet physical channel and
supports speeds up to 19,200 bps. It can be found on VAXes, mVAXes and
VAXstations. It uses the Local Area Transport (LAT) protocol to communicate
with the other nodes. It also implements the Terminal Device/Session Management
Protocol to achieve multiple sessions. Things that can be found plugged into
it include dial-in and dial-out modems, terminals, printers and stuff like that.
The identification code for it in VMS is DS2. Its software is installed
via VMSINSTAL.COM into SYS$SYSROOT:[DECSERVER], or into SYS$COMMON:[DECSERVER]
for cluster machines. And of course now you will ask why you should
be interested in a damn phucking (=relief, back to my native language) SERVER.
A lot of interesting things can be done, like dialing out for free (assuming
you can connect to it in a convenient way). You can even find a DECserver
200 dedicated to eight high speed modems. There is no need to say that you
need privileges to phuck up with devices like that... or is there?
Set default to SYS$SYSROOT:[DECSERVER] and run DSVCONFIG.COM:
$
$ set default sys$sysroot:[decserver]
$ show default
SYS$SYSROOT:[DECSERVER]
= SYS$SYSROOT:[DECSERVER]
= SYS$COMMON:[DECSERVER]
$ @dsvconfig
You must assign a unique DECnet node name and DECnet node
address for each new DECserver.
Press <RET> to start, or <CTRL/Z> to exit...
D E C s e r v e r C o n f i g u r a t i o n P r o c e d u r e
Version: V1.7
Menu of Options
1 - List known DECservers
2 - Add a DECserver
3 - Swap an existing DECserver
4 - Delete an existing DECserver
5 - Restore existing DECservers
CTRL/Z - Exit from this procedure
Your selection? 1
DECnet   DECnet   Server   Service
Address  Name     Type     Circuit   Ethernet Address    Load File       Dump File
-------  ------   -----    -------   -----------------   -------------   -------------
1.1      KEYWAY   DS200    BNA-0     08-00-2B-07-39-5E   PR0801ENG.SYS   DS2KEYWAY.DMP
1.2      REVEAL   DS200    BNA-0     08-00-2B-28-32-CB   PR0801ENG.SYS   DS2REVEAL.DMP
1.3      OASIS    DS200    BNA-0     08-00-2B-26-A9-57   PR0801ENG.SYS   DS2OASIS.DMP
1.4      PAWN     DS200    BNA-0     08-00-2B-24-F3-98   PR0801ENG.SYS   DS2PAWN.DMP
1.5      OPAQUE   DS200    BNA-0     08-00-2B-11-EA-D4   PR0801ENG.SYS   DS2OPAQUE.DMP
1.6      TOKEN    DS200    BNA-0     08-00-2B-10-64-98   PR0801ENG.SYS   DS2TOKEN.DMP
1.7      KERNEL   DS200    BNA-0     08-00-2B-12-D6-39   PR0801ENG.SYS   DS2KERNEL.DMP
1.8      IRIS     DS200    BNA-0     08-00-2B-12-D6-39   PR0801ENG.SYS   DS2IRIS.DMP
1.9      NEBULA   DS200    BNA-0     08-00-2B-12-D6-39   PR0801ENG.SYS   DS2NEBULA.DMP
Total of 9 DECservers defined.
(Press RETURN for menu)
Connecting to one of them:
$ mc ncp connect node iris
Console connected (press CTRL/D when finished)
#
Here you must give a password. The default one usually works, so try
"access". Only on "high security" systems do they change the default password,
because privileges are needed anyway to access the Network Control Program
(which may be the subject of my next article). But since you are in,
using a system account (..privileged), you can change the current password if
you find any good reason for doing so. More on that later.
DECserver 200 Terminal Server V3.0 (BL33) - LAT V5.1
Please type HELP if you need assistance
Enter username> <type anything here it doesnt really matter>
You are in.
In the DECserver there are Permanent and Operational databases. The
Permanent database holds settings which stay in effect on the device after
you log out. Whatever you do in the Operational database is temporary and
takes effect only for the time you are logged in.
Let's go on by trying to get the default privileged account which enables
you to view various things and make changes other than the normal ones.
Local> set privileged
Password> system
Again the default password should work.
Local> show hosts
Service Name     Status          Identification
VMS              1 Connected     Welcome to VAX/VMS V5.4-2
MODEM            Available       Dial In And Out
UNIX             Available       BSD
Local> show nodes
Node Name        Status          Identification
VMS              1 Connected     Welcome to VAX/VMS V5.4-2
UNIX             Reachable       BSD
IRIS             Reachable
Local> show services
Service Name     Status          Identification
VMS              1 Connected     Welcome to VAX/VMS V5.4-2
MODEM            Available       Dial In And Out
UNIX             Available       BSD (RISC)
Local> show users
Port   Username   Status       Service
1      anything   Connected    VMS
Local> show sessions      (it'll display YOUR sessions)
Port 1: anything      Local Mode      Current Session: None
** Before proceeding, let's have a better look at some features the DECserver
200 has; they are needed to understand some interesting things which follow,
and even some things that were previously mentioned.
The Remote Console Facility (RCF) is a management tool which lets you
connect remotely to any available server, via its management port. This
is not a hardware port but a logical one, although it still has the same
characteristics physical ports have.
There are Privileged, non-Privileged and Secured ports. These are
settings you can define once you manage to get the privileged account.
A privileged port accepts all server commands. You can perform tests, define
server operations, maintain security and all that bullshit. If you don't
understand it yet, this status is enabled with the SET PRIVILEGED command we
used previously.
A non-Privileged port can only manage and use commands which affect the
sessions that are currently connected to a host or node. This is the default
status, of course.
A Secured port is something in between. Users can make use of a restricted
command set to make changes which affect only the port they own ("Property
is theft, but theft is property too," Proudhon. Pardon me if the translation
was destructive to the original meaning of this phrase, and if I piss you off
every time I start talking about things that are completely irrelevant
to the grand scheme of things and everything my articles are SUPPOSED
to deal with).
Our little unit has 5 types of passwords, and knowing them will help you
understand how important it is for the whole system.
(1) A PRIVILEGED password is what you should be aware of by now. You can
SET/DEFINE SERVER PRIVILEGED PASSWORD "string" to change it.
(2) A LOGIN password prevents the use of the server by unauthorized
users. This can be enabled for every port or for a single dial-in modem port.
You must first specify the password for the entire server via SET/DEFINE
SERVER LOGIN PASSWORD and then enable or disable it, depending on the needs
of a specific port, via SET/DEFINE PORT x LOGIN PASSWORD ENABLED/DISABLED.
This password takes effect when you try to log in to a port. The prompt is
a "#" sign, without the double quotes.
(3) A MAINTENANCE password prevents unauthorized users from doing remote
maintenance operations like the one we did after we ran DSVCONFIG.COM.
"The DECnet service password corresponds to the server maintenance password
and it is entirely unrelated to the DECserver 200 service password". In
other words, someone who wishes to modify a value in your server must supply,
on the NCP> command line, a parameter which specifies your server's
maintenance password. Of course, if this password is set to null (0),
no password is needed. Also, "Digital Equipment Corporation recommends
against storing the password in the DECnet database (as the DECnet service
password) and it strongly suggests that you change the maintenance password
from the default value of 0 to maintain adequate server security"
...tsk tsk tsk...
(4) A SERVICE password protects a service or services defined on the
server. You can increase or decrease the number of attempts before the server
gives a message informing you that the connect has failed because of an invalid
password, via SET/DEFINE SERVER PASSWORD LIMIT.
(5) A LOCK password protects your current sessions and port from other
unwanted human substances. The server accepts no input until you retype the
password you used for locking it.
Finally, a port may be available only to certain users or groups.
** As you can see, it can be really tough to break VMS' security if all the
available measures are taken.
Searching for modems:
Local> show port 8

Port 8:                              Server: IRIS

Character Size:             8        Input Speed:           19200
Flow Control:             XON        Output Speed:          19200
Parity:                  None        Modem Control:      Disabled

Access:                 Local        Local Switch:           None
Backwards Switch:        None        Name:                 PORT_8
Break:                  Local        Session Limit:             4
Forwards Switch:         None        Type:                   Soft

Preferred Service: None

Authorized Groups:  0
(Current)  Groups:  0

Enabled Characteristics:

Autobaud, Autoprompt, Broadcast, Input Flow Control, Loss Notification,
Message Codes, Output Flow Control, Verification
Simple configuration, probably nothing or a terminal in there. What this
screen says is that we have on server IRIS, on port 8, something with a
character size of 8, flow control XON (it could be CTS, i.e. hardware), parity
none, input speed 19200 bps, output speed 19200 bps and modem control disabled.
All the other information has to do with the server and how it reacts to
certain things. So if the preferred service were "VMS" and you were logging in
through port 8, you would immediately connect to the VAX without the
server asking you where to log you in to. The "Break: Local" setting means that
if you send a break character you will find yourself at the "Local>" prompt even
if you have been working in the UNIX OS of the "UNIX" host, and that lets you
start multiple sessions. Quite useful. The forward and backward switches are
for moving around your sessions. Everything can be modified.
For more information concerning the parameters, have a look at the command
reference or the help utility.
Local> show port 1

Port 1:                              Server: IRIS

Character Size:             8        Primary Speed:          9600
Flow Control:             CTS        Alternate Speed:        2400
Parity:                  None        Modem Control:       Enabled

Access:               Dynamic        Local Switch:           None
Backwards Switch:        None        Name:                MODEM_1
Break:                  Local        Session Limit:             4
Forwards Switch:         None        Type:                   Soft

Preferred Service: VMS

Authorized Groups:  0
(Current)  Groups:  0

Enabled Characteristics:

Autobaud, Autoconnect, Autoprompt, Broadcast, Dialup, DTRwait,
Inactivity Logout, Input Flow Control, Loss Notification,
Message Codes, Output Flow Control, Ring, Security, Verification
And that's, obviously, a modem. The speed, the modem control and the enabled
characteristics will help you understand even if the name is not helping at
all. Have a look at the "Alternate Speed" option.
What to do now that you have found it?
Local> set port 1 modem control disabled
Local> set service modem port 1
Local> connect modem
Start programming. This way is a little bit awkward, and of course there
is a possibility that the modem is ALREADY defined as a dial-out modem. You
are a privileged user, don't forget that. I would recommend not harming the
server ("nothing comes from violence and nothing ever good") and leaving
things as u find them. DO NOT create a permanent dial-out modem service
(which can be done directly from VMS if you really want to) and DO NOT
forget that somebody has to pay for your calls and that the line which
the modem uses may be limited to certain numbers or may even prevent out-dialing
by hardware. Use your brains... And don't get stuck on the idea of hunting for
modems. You can use a DECserver to infiltrate a system. Don't misuse those
introductions.
Overview of Commands (in alphabetical order)
* BACKWARDS
Goes back to a previous session.
* BROADCAST
Sends a message to a port.
* CLEAR
Clears a service. It belongs to the Operational Database.
* CONNECT
Connects to a service or port.
* CRASH
Shuts down the server and reinitializes it.
* DEFINE
Defines something. It belongs to the Permanent Database.
* DISCONNECT
Disconnects a session or port.
* FORWARD
Goes forward to a following session.
* HELP
Help.
* INITIALIZE
Reboots the server. You can specify a delay in minutes and
"Local>initialize cancel" if you decide, finally, not to
do it.
* LIST
Displays information on something: Devices, Nodes, Ports, Queue,
Server, Services, Sessions...
* LOCK
Locks your terminal with a password you specify that moment.
Retype your temporary password to continue.
* LOGOUT
Logs out the specified port. If none, your current port.
* MONITOR
Devices, Nodes, Ports, Queue, Server, Services, Sessions...
* PURGE
Purges a service from the Permanent database.
* RESUME
Resumes a session.
* SET
Devices, Nodes, Ports, Queue, Server, Services, Sessions,
Characteristics, Privileged, NONprivileged... It belongs to the
Operational database.
* SHOW
Everything.
* TEST
Tests a LOOP, PORT or SERVICE.
An interesting warning message, just for informational purposes, is the
following:
  " Local -120- WARNING - Access to service is not secure
    Session status information cannot be passed between the
    server and the attached device because modem signals are
    not present. This is not a problem if the device is a
    non-secure printer; however, if the port is a non-LAT
    host system, users could access other users' data. "
That's all for now I think.
There are many things to explain but there is no reason for doing that right
now. If you need more information then just have a look at the HELP utility or
contact me, somehow. [I hope you have not misunderstood my strange-looking
article, because my native language is not English]
" Opticon: Don't you think that I'm getting insane?
TLA: Yeah, sure looks like it..."
Love and An-archy to all those who know why.
BREAK DOWN THE WALL