home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Phoenix Rising BBS
/
phoenixrising.zip
/
phoenixrising
/
e-zines
/
cmsa.tj2
< prev
next >
Wrap
Text File
|
1992-09-26
|
27KB
|
723 lines
The LOD/H Technical Journal: File #8 of 10
Lex Luthor
and
The Legion Of Hackers
Present:
Hacking IBM's VM/CMS Operating System
Part A
INTRODUCTION:
-------------
IBM mainframes make up over 50% of the mainframes used in the United
States. These systems are traditionally used in industries such as insurance,
banking, universities and so on. For some reason, IBM systems as a whole have
not been very popular with hackers. This may be due to the complexity of the
Operating Systems run on IBM systems compared to others such as UNIX or VMS.
Another reason may be that there is much variety from shop to shop. IBM
systems
are more commonly modified and customized to fit an individual corporations
need and the lack of "universality" for commands, files, programs and other
procedures makes it difficult to attempt to use without any type of specific
documentation. The lack of detailed on-line help also hinders the hacker. I
believe that the VM/CMS Operating System is by far the best and easily
learned
of the IBM systems. But compared to other Operating Systems like UNIX or VMS,
VM/CMS is cumbersome and harder to learn.
ACRONYMS:
---------
Before I even attempt to start this article, I will list the
IBM-specific
acronyms used in this article and some others that you may find on various
IBM
systems. I list them here so I will not have to do it throughout this
article.
If you don't know what one of them means later, just refer back to this list.
VM/SP: Virtual Machine/System Product
CP: Control Program
CMS: Conversational Monitoring System
HPO: High Performance Option
VSE: Virtual Storage Extended
MVS: Multiple Virutal Storage
TSO: Time Sharing Option
JES: Job Entry System
CICS: Customer Information Control System
VSAM: Virtual Storage Access Method
VTAM: Virtual Telecommunications Access Method
IX: Interactive Executive
IPL: Initial Program Load
IVP: Istallation Verification Program
RSCS: Remote Spooling Communications Subsystem
DASD: Direct Access Storage Device
EREP: Environmental Recording Editing and Printing
SNA: Systems Network Architecture
NCCF: Network Communications Control Facility
REXX: Restructured Extended Executer Language
VTOC: Volume Table Of Contents
DOCS: Display Operator Console System
JCL: Job Control Language
ACF: Advanced Communications Functions
SQL/DS: Structured Query Language/Data System
DBA: Data Base Administrator
GCS: Group Control System
SCP: System Control Program
FDP: Field Development Program
CNA: Communications Network Application
POF: Programmable Operator Facility
PSW: Program Status Word
SSCP: Subsystem Services Control Point
IPCS: Interactive Problem Control System
DCSS: Discontiguous Shared Segments
VMCF: Virtual Machine Communications Facility
FIFO: First In First Out
LIFO: Last In First Out
AP: Attached Processor
MP: Multi-Processor
R/O: Read/Only
R/W: Read/Write
LOGGING IN:
-----------
Typically, when you come across a CMS system, it will respond with:
VM/370 ONLINE
!
.
This message is somewhat of a contradiction. The majority of VM/CMS systems
are
rarely run on actual 370 systems but on other processors, such as the 43XX
series and the 30XX series.
The period "." prompt is the surest way of verifying that you have indeed
connected to a VM/CMS system, aside from the "VM/370 ONLINE" message which is
usually printed. This prompt should not be confused with DEC's TOPS-10
system,
which also has the prompt of a period. The older versions of VM/CMS responded
as shown above. The newer versions will give you this menu:
Enter one of the following commands:
LOGON userid (Example: LOGON VMUSER1)
DIAL userid (Example: DIAL VMUSER2)
MSG userid message (Example: MSG VMUSER3 GOOD MORNING)
LOGOFF
This menu may vary from system to system, since they may opt to not allow a
command to be used before logging in and will omit it from the menu or they
may
add some commands. When hacking a system this menu will appear before you can
attempt to login, thus becoming very tedious and time consuming especially at
300 baud as you have to wait an eternity for each logon attempt.
Other responses after connecting are "Ready to Host", "Press break key to
begin
session" and "Invalid Switch Characters". The last response is commonly found
on Telenet and other packet switched networks, in which you may have to
specify
"VM" for a VM/CMS system, or "TSO" for a MVS/TSO system. There may be other
IBM
systems to select from, or "VM" may not be a valid system. You may also have
to
specify "LOGON VM" or just "LOGON" before the port selector connects you to
the
host system.
LOGON can be abbreviated as just "L". A userid can be from 1-8 characters in
length, but the first character MUST be a letter (In most systems you come
across this will be true, but due to customization of systems, its possible
this and even the 8 character password limit may be extended). A typical
logon
may look like:
.L COMOSOLO SYSGUESS NOIPL
"." is the system prompt, L is the LOGON command, COMOSOLO is the userid,
SYSGUESS is the password, and NOIPL is the only 'login qualifier' allowed for
the VM/CMS system. NOIPL specifies that the IPL name or device in the VM/SP
directory should not be used for an automatic IPL. IPL simulates the LOAD
button and the device address switches on the real computer console.
Basically
it "boots" your part of the CMS system. This is another different concept. A
user can boot (or crash) their part of the system not the whole system (in
most
cases). NOIPL would be used when a system dumps you into a program which
allows
you little or no mobility such as a restricted menu of options (IE: A system
backup utility) and logs you off without gaining access to CMS. NOIPL will
prevent this program from running if it is listed in your automatic IPL entry
within the CP directory. This should allow you access to the system.
Otherwise
the program was specified to run within your PROFILE EXEC which lists things
to
be done upon logon. NOIPL is somewhat similar but not identical to the login
qualifier "/NOCOMMAND" for DEC's VAX/VMS systems.
If the Password Suppression Facility is installed on the system, you will
receive an invalid format message whenever the userid and password are
entered
on the same line. This is obviously a security measure to prevent users from
entering their password in full view of anyone who may be watching as the
password is not "masked". Thus, you will have to enter your password on a
separate line when the system prompts you for it. The advantage of entering
the
userid and password on one line (especially at 300 baud) is that you can try
more userids and passwords in a shorter period of time while still availing
yourself to the systems generousness of informing you when an invalid userid
has been entered.
Error messages:
There are various error messages one may encounter while logging into a
VM/CMS
system. The ones you should be most concerned about are:
"Userid not in CP directory": When an invalid userid has been entered, you
will
receive this message. This indication gives the hacker a distinct advantage
for
gaining entry to the system. Probably the largest security hole for any
system
is to tell you when a valid username has been entered. After all, obtaining a
valid userid is half the battle. The other half is obtaining a valid
password.
Even the weakest Operating Systems no longer give an indication of when a
valid
ID has been entered. Why IBM has not changed this is a mystery to me.
When a valid userid is entered you will be asked to enter a password if you
did
not already do so. If the password is correct, the system will attempt to log
you on, if not, you will receive one of two messages:
"Logon unsuccessful--incorrect password": As has just been stated, a valid
userid has been entered but the password was incorrect. Passwords can be from
1-8 characters long, but in many cases the minimum length is changed to be at
least three characters. There is no difference between upper and lower case
letters for either the userid or password as they are converted to upper case
by the system which is another security flaw as it reduces password
possiblities.
"Password incorrect - reinitiate logon procedure": This is the message
received
on the older versions of VM/CMS, which means the same thing as the above msg.
"Maximum password attempts exceeded, try again later": The threshold has been
reached for userid and/or password attempts. You will receive this message
every time you attempt to logon after exceeding the threshold until a
variable
period of time (Probably from 1 to 5 minutes) has elapsed. This locks out ALL
users who attempt to login to the system from that particuler line. I am not
sure whether this is recorded anywhere or whether it is sent to the System
Console so try to determine how many attempts normally trigger this and keep
just short of it.
"Already logged on": This message will appear when you attempt to logon with
a
valid userid and password and that userid is already online. Unlike other
systems, VM/CMS will not allow the same userid to be logged on more than
once.
"Userid missing or invalid": As it implies, nothing was typed after entering
the LOGON command, or the format for the userid was not correct, ie: using a
number as the first character or a control character was used somewhere in
the
userid field.
"Error in CP directory": The CP directory is the main user directory for the
system. Entries in the directory contain: the userid and password, VM I/O
configuration, disk usage values, associated virtual and real addresses,
privilege classes, virtual processor size, and other options for each user.
Without the proper directory entry, a user cannot logon to the system.
Therefore receiving this error message.
"Command not valid before logon": This occurs when you enter anything other
than the commands listed in the menu, ie: entering BONEHEAD will return this
message even though "BONEHEAD" isn't a valid command. Why this is I don't
know.
So don't get all excited that you found a valid command but couldn't execute
it
since you weren't logged on.
Accounts:
By constantly compiling userids from various systems you should be able to
collect a nice list of accounts which may enable you to gain access to a
system. The following are a few which I have found:
OPERATOR
CMSBATCH
AUTOLOG1
OPERATNS
VMTEST
VMUTIL
MAINT
SMART
VTAM
EREP
RSCS
CMS
SNA
As usual, use the username as the password. Things still haven't changed from
the Hacking VAX/VMS series...people are just as stupid as they were a few
years
ago.
There are many default accounts which have the passwords listed in some IBM
system manuals. These are hard to obtain and are very powerful since some
passwords are rarely changed. If you can get access to the defaults, it will
greatly expand your collection of systems, I guarantee it.
Dial:
DIAL is used to logically connect lines, whether they be switched (regular
dial-up phone lines), leased (dedicated), or logically attached (directly
connected), to a previously logged on multiple-access system. The DIAL
command
is the only substitute for the logon command. On systems running more than
one
Operating System, DIAL is used to connect the user to one of those systems.
It is rather common to find two or more Operating Systems running parallel or
"under" one another. This is quite different from most other systems, which
run
alone on the machine. One machine, one Operating System, but not IBM. The
ability to have multiple systems running simultaneously and still providing
the
user with the illusion of it being a single system, (ie: the whole idea
behind
multi-tasking machines is to provide each user with the full resources of the
machine so quickly that it appears that he or she is the only one using the
system) sets IBM apart from most other computer manufacturers. Some of the
systems which run on IBM's are: VM/CMS, MVS/TSO, DOS/VSE, OS/VS1. Some others
are: MUSIC, JES and IX/370 which is IBM's version of UNIX which runs under
VM/SP.
It is always good to know what other systems are running, and if you are
unable
to gain access to the 'primary' system, you may be able to gain access to one
of the 'secondary' system(s) by use of DIAL. Some systems will require you to
specify a line number for certain systems. Others will find a line for you if
one is not specified, assuming there are some allocated to that resource.
Userid's are also dialable. In some cases you have to dial through a
particular
userid in order to gain access to certain systems or perform certain
commands.
A typical logon to a DIALed system may look like:
.DIAL MUSICB
DIALED TO MUSICB 040
*Miscellaneous Computer Services MUSIC/SP 1.1 SIGN ON.
.RESET
DROP FROM MUSICB 040
VM/370
!
.
When it comes to finding a valid line number for systems that can be reached
via DIAL, you could be in for some trouble. If the system requires a line
number to be entered (unlike the above example, where line 040 was found
automatically) you will not only have to come up with a defined line number,
but one that is associated with the system you are attempting to access.
Usually you can find this information after logging on to the VM/CMS system
in
various files, but if you cannot get in, you will have to sequentially enter
line numbers. Some that I have seen are 001, 01B, 41A, 040.
The VM/CMS system does not appear to limit the number of DIAL attempts a user
can make, unlike LOGON attempts. Programming your micro to search for a valid
line number to a system should work with no problem.
To drop the dialed connection just type RESET.
Error Messages:
"Line(s) not available on 'sysname'.": Either there are no lines allocated to
the system, or you must enter a correct line number.
"Invalid device type - 'sysname' 'line#': You have entered a valid system or
userid and line number, but the device you are on (the terminal) is invalid.
In
this case, a GRAF (Graphics) device, system console or 3270 terminal may be
the
only valid device.
"'userid' not logged on": The DIAL command cannot be executed unless the user
(or system) specified is logged on.
"'line#' does not exist": A valid userid/system has been entered but the line
number for that userid/system is not valid.
Message:
MSG is used to send messages to users who are currently logged on. This
command
can be issued before (if specified by the logon menu) and after logging in.
MSG OPERATOR Help! I lost my password! My userid is COMOSOLO
This will send a message to the primary system operator of the system. If
there
is only one CLASS A user online, the message will be sent to his terminal.
MSG *
This will send a message to yourself. This is useful for identifying the
current userid of an abandoned terminal.
Logoff:
The LOGOFF command can be abbreviated as LOG. After logging off you will
receive the following:
CONNECT= 00:33:54 VIRTCPU= 000:00.28 TOTCPU= 000:01.76
LOGOFF AT 17:05:44 EST THURSDAY 04/16/87
CONNECT is the actual clock time you spent while on the system.
VIRTCPU is the virtual CPU time that was used.
TOTCPU is the total CPU time both virtual and overhead that was used.
The HOLD command will hold the connection allowing you to re-logon again
without having to re-dial the system.
.LOG HOLD
SECURITY SOFTWARE:
------------------
There are various weaknesses within VM/CMS both internally and externally
which
can be exploited. For this reason, various software security packages have
been
written. There would not be a need for these in most cases if the people in
charge of system security knew what they were doing. Anyhow, these packages
do
provide added security when properly implemented. The most commonly found are
VMSECURE and ACF2. TOP SECRET and RACF are others which are less common.
These
packages are easily identified.
After entering a valid userid VMSECURE responds with:
VMXACI104R Enter logon password:
**************************
HHHHHHHHHHHHHHHHHHHHHHHHHH
SSSSSSSSSSSSSSSSSSSSSSSSSS
.
One way to positively identify the use of VMSECURE is by using it as a
userid.
If it is running it will be a valid userid, and who knows, you may even hack
the password.
After entering a bad password ACF2 (Access Control Faclity 2) responds with:
ACFV1012 PASSWORD NOT MATCHED
ACFV0044 ACF2, ENTER PASSWORD
**************************
HHHHHHHHHHHHHHHHHHHHHHHHHH
SSSSSSSSSSSSSSSSSSSSSSSSSS
.
These packages provide information which SHOULD be inherent within the
Operating System itself. Perhaps newer versions of CMS will contain them.
Some
of these features are:
* Last logon date/time
* Password expiration
* Rules for password selection
* Invalidating userids for invalid password attempts
* Invalidating terminals for invalid password attempts
* Shows users how many invalid password attempts have occured on their userid
* Increased file security
LOGGED ON:
----------
After logging on you may receive something similar to the following:
DASD 190 LINKED R/O; R/W BY MAINT; R/O BY 030 USERS
LOGMSG - 10:40:25 EST FRIDAY 05/22/87
*********************************************************************
* WELCOME TO MISCELLANEOUS COMPUTER SERVICES *
* -VM1- *
* SYSTEM WILL BE DOWN FROM 10:00 TO 10:30 EST SUNDAY MAY 24, 1987 *
*********************************************************************
Logon at 13:22:59 EST FRIDAY 05/22/87
VM/SP REL 4 04/20/86 11:33
R; T=0.01/0.01 13:23:10
.
Line #1: This line shows that the disk at virtual address 190 is linked with
R/O access by you, R/W by userid MAINT and R/O by another 30 users.
Line #2: This shows that the logon message was created at 10:40 on Friday.
Line #3-7:This is the message that is shown to all users of the system upon
logging on. Some systems may not have one.
Line #8: The actual time of logon is printed.
Line #9: The current RELEASE of VM/SP and the time and date it was installed
is shown.
Line #10: This is the ready message and it is printed after every command is
performed where:
R= Ready This indicates that the system is ready for input.
T= Time The first series of numbers tells how long it took the system to
perform the last task. The second set of numbers gives the time of
day.
If you do not receive the ready message you are in CP and must IPL
CMS in order to issue CMS commands.
Line #11: The system prompt, you can now enter commands.
PRIVILEGE CLASSES:
------------------
As with most other Operating Systems a user must have sufficient privileges
in
order to execute certain commands. Every CP command belongs to one of eight
IBM
defined privilege classes. The CP directory defines which users can use which
classes of commands. Each user has one or more privilege classes, as does
each
CP command. If you try to issue a command that does not match the assigned
privilege class of the userid you are using, the system will not process the
command. As far as I know, no records of attempts to use privileged commands
are kept.
Class User and Function
---------------------------------
A Primary System Operator: The class A user has the ability to
control the system. Any user who uses the VM/SP system console
posseses this privilege class. This user can broadcast
messages,
control system accounting, and issue commands which affect the
overall performance of the system.
B System Resource Operator: The class B user has the ability to
control all the "real" resources of the system, except those
controlled by the spooling and primary system operators.
C System Programmer: Class C users can modify real storage as
opposed to virtual storage.
D Spooling Operator: The class D user controls spooling data
files.
E System Analyst: Monitors and interprets system performance
data.
F Service Representative: This class is usually given to
accounts
that IBM Field Service personnel use for updates and also for
diagnosing system problems.
G General User: Class G users are the most prominent on the
system. This privilege allows the user to control functions
associated with their own virtual machine.
Any The Any classification is given to certain CP commands which
are
available to any user. The commands are usually limited to
Login
and Logoff.
H Class H is reserved for IBM use.
Due to the individual needs of a site, privilege classes can be tailored to
suit the facility. A total of up to 32 classes can be made. They would be
shown in the CP directory as A-Z and 1-6.
Typical Privilege Classes for a few common userids:
Userid: P.C.
-------------------------
OPERATOR A
EREP F
OPERATNS BCEG
MAINT ABCDEFG
COMMANDS:
---------
Commands are made up of command names, operands, and options.
Command Name: A command name is an alphanumeric symbol of up to 8 characters.
Operands: These specify the information on which the system operates when it
performs a command function.
Options: These keywords are used to control the execution of a command. When
used, they must be preceded by a left parentheses, but a closing one is not
necessary.
Different commands are used within different environments. To see which
environment you are in, simply hit return at the period prompt. You will
receive one of the following: CMS, CP, XEDIT.
There are many commands that are useful to both regular system users and
hackers. HELP is available on some systems, particularly on university
systems.
It is extensive but not as clear as yes, UNIX or VMS which is typical of IBM.
Nevertheless, HELP is useful and you should get hardcopies of as many
commands
as you can. AID is another form of HELP which may be useful to you in
learning
more about the system.
One nice feature of CMS HELP is that when you receive an error message, you
can:
.HELP DMS000000 or DMK000000
Where DMS000000 or DMK000000 is the error message you have received. The
system
will then explain what it is, why it happened and how you can correct it.
I am going to hold off on explaining any and all commands related to
minidisks
until the next section. The others which I have found to be useful are as
follows.
You can issue any CP command while in CMS by precluding the command with CP.
QUERY
Query allows you to obtain various information about the system. A full list
can be found from using HELP.
One of the most important QUERY commands to the hacker is:
.Q NAMES
OPERATOR - 01F, SMART - DSC, CMS0349 - B27, LOGO0180 - B31
VSM - VMVS1
SCOTT -TP11WFM2, CMS1211 -TP11WF64, OPERATNS-TP11WFY1
R; T-0.01/0.01 11:34:28
There can be many users online, usually this list will contain from 30 to 100
users. The last user online was OPERATNS, since it was last in the list. The
SMART userid is DSC, or in a disconnected state. Usually a terminal will
remain disconnected for 15 to 30 minutes and then is totally logged off the
system. If you logon to an already disconnected terminal, the system will
reply
with "RECONNECTED AT time". The other 2 userids on the same line as SMART are
probably connected terminals which are in a pre-logged in or pending logon
state. VSM - VMVS1 is another system running parallel to (or under) CMS.
The QUERY NAMES command allows you to gain a little more security for
yourself
on the system. It allows you to gain more valid usernames to attempt
passwords
for in the unfortunate event that your current userid dies. Another use is
that
you can start to compile your "common accounts" list of userids which are
found
on VM/CMS systems. This list should get larger and larger as you gain access
to
more and more systems and will allow you to gain access to more systems as it
gets larger.
If you can't count how many users are online from the Q NAMES list:
.Q USERS
0007 USERS, 0000 DIALED, 0000 NET
If you didn't catch the logon message you can view it again by:
.Q LOGMSG
To see what release of CMS the system is:
.Q CMSLEVEL
VM/SP REL. 4, SERVICE LEVEL 417
If you are wondering which IBM mainframe CMS is running on, you can issue:
.Q CPUID
FF01472343810000
This can be interpreted as follows:
CPUID= aabbbbbbccccdddd
aa= "FF" when running VM/SP
bbbbbb= The processor ID number
cccc= The model number of the system. In the above case, CMS is running on
an IBM 4381 system.
dddd= "0000" This is not used for CP.
SENDFILE allows you to send files within any minidisk that is currently
accessed by you to another user. Anytime you send a file an entry is made in
the file USERID NETLOG (where USERID is the user you are sending the file
to).
This command is also used for sending NOTE files which can be created with an
editor and send to whomever as E-MAIL.
If you are tired of seeing a text listing, or have attempted to read a
compiled
program and wish to exit or break out of it, simply hit a hard-break, and
then
type HX. HX is for Halt eXecution. It will halt whatever you are doing and
put
you back into the CMS environment. It may take a few lines of text after
entering it for the system to stop the process.
--- End of Part A ---
--- Attach Part B here ---
Downloaded From P-80 International Information Systems 304-744-2253 12yrs+
