Getting in the Backdoor
A Guide to Some Popular Operating Systems
by Mike Salerno
There are four popular operating systems on DEC machines that are supported by DEC.
Two of these, TOPS-10 and TOPS-20, run on the KL10 and the KS10 36-bit machines; TOPS-10 also runs on the older KA10 and KI10.
The other two are UNIX and VMS for the VAX, and PDP-11 series. The VAX is a 32-bit machine, with a 32-bit virtual address space. The PDP-11 is also a 32-bit machine. VMS is a very intricate operating system, with its loopholes, as you will see.
TOPS
TOPS-10 is an operating system that uses two octal numbers to identify a "user" or "account." This is usually printed in the form: [565,11]
The first number tells which "project" the user belongs to, and the second which "programmer" the user is.
Passwords are up to 6 printing characters long, consisting only of upper-case alphabetic characters.
Also associated with the Project Programmer Number (PPN) is the username, or "user ID." This is usually either a department name, or a personal name.
Now, we all know what some people like doing, i.e. using parts of their name or department as their password (usually initials, or first names). The only problem that remains is how to get these usernames, right? Wrong! TOPS-10 is one of the few operating systems, besides TOPS-20, that lets you do a few things while not logged in.
This includes running a program called SYSTAT that will give you various performance statistics, along with a list of users on the system. If this system is running version 7 of TOPS-10, you can use SYSTAT to give you what you want.
Just type SYSTAT US. This will give a short listing, showing only the users on the system and their usernames. Useful, isn't it? If the version is earlier than version 7, you can get a SYSTAT and then, using the job number in the left column, type PJOB N, where N is the user's job number. This will give you his username.
If this is too tedious, type QUEUE. This will show you a list of users who have entered print and batch requests, along with their username.
To login, just type LOGIN, a space, and the PPN with a comma.
Really taking over is not easy, unless you've worked with TOPS-10 for a while. There are a few accounts that might have been left with the default passwords set, like:
[1,3] Password: OLD or OLDLIB
[1,4] Password: SYS or SYSLIB
[1,5] Password: NEW or NEWLIB
[6,6] Password: MAINT or FIXIT or FIX-IT
[7,7] Password: OPER or OPR
Like TOPS-10, TOPS-20 allows you to do certain things which are helpful to hackers. Accounts on TOPS-20 are up to 39 alphanumeric characters, including hyphens and/or periods; passwords are the same.
To login, type LOGIN, a space, the username, a space, and the password. The password will not echo.
SYSTAT can be run whether you're logged in or not on most machines.
If the host is on ARPANET, use FINGER to give a list of users on the system, along with their personal names!
There are not many privileged accounts that will have their password set to something obvious, but some may be:
Login: MAINT or F-S or FIELD Password: FIXIT or FIX-IT or MAINT
If the host is on ARPANET and you can login, try FTP, which stands for File Transfer Protocol. With this, you can transfer files from another host on ARPANET to the one you're on, or vice versa.
You have to have an account and password to use on the other system, but guess what? TOPS-20 systems all have an ANONYMOUS account that any person using FTP can log into with any password!
UNIX
UNIX is a pretty simple operating system, but has some pretty good security measures.
The only way you can get full file access, or any other privilege is by issuing the su command and entering the appropriate password, which (I believe) is the "root" account's password. Accounts and passwords are stored in text form, in the directory /etc in the file passwd. All the passwords are coded in such a way that there is no way to decode them. The program responsible for checking these passwords codes the password you give, then checks it against the already coded password stored in the file. The only time the real password is handled by the computer is when the user himself sets it.
All the fields in the password file are separated by a colon. The first field is the username, the second the password. If there is no password, which shows up as two colons right after the username, then that account can be logged into without a password.
Some of these password-less accounts may be help or learn, which may actually let you into the system's command level. The account sync is used to synchronize things so that UNIX can be crashed (never crash a UNIX system, it may leave the disks in an undesirable state).
One useful account which is usually left with no password is who, which will give you a list of users on the system, just like typing who at the command level would. You can scan through these and see if you can find an account with no password, or part of the username as the password. If this doesn't work, then hang it up.
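An added example, not part of the original article: a small audit script that parses lines in the /etc/passwd layout just described and reports every account whose password field is empty (the two-colons case), which is exactly the check an administrator would run to close that hole before anyone else finds it. The sample lines are constructed here; the hash strings are placeholders, not real password hashes.

```python
from typing import Dict, List

# Constructed sample in the classic seven-field /etc/passwd layout:
# name:password:uid:gid:gecos:home:shell (placeholders, not real hashes).
SAMPLE_PASSWD = """\
root:Xa3Kq9/LpZ.w2:0:0:Super User:/:/bin/sh
# comment lines and blank lines are ignored by the parser
sync::1:1:sync:/:/bin/sync
help::2:2:Help:/usr/help:/usr/help/bin/help
who::3:3:Who:/usr/who:/bin/who
guest:*:4:4:Guest:/usr/guest:/bin/sh
msalerno:Yz8Bq1/MnQ.e4:100:10:Mike Salerno:/usr/msalerno:/bin/sh
badline:only:three
"""

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split each line on colons; skip blank, comment and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(FIELDS):
            continue  # malformed line; a real audit should report it
        entries.append(dict(zip(FIELDS, fields)))
    return entries


def no_password_accounts(entries: List[Dict[str, str]]) -> List[str]:
    """Accounts with an empty password field: anyone can log in as them."""
    return [e["name"] for e in entries if e["password"] == ""]


def locked_accounts(entries: List[Dict[str, str]]) -> List[str]:
    """A '*' in the password field can never match a coded password, so the
    account is effectively locked; this is the opposite of the empty case."""
    return [e["name"] for e in entries if e["password"] == "*"]


def extra_uid0_accounts(entries: List[Dict[str, str]]) -> List[str]:
    """Any account besides root with uid 0 has full privileges too."""
    return [e["name"] for e in entries if e["uid"] == "0" and e["name"] != "root"]


if __name__ == "__main__":
    parsed = parse_passwd(SAMPLE_PASSWD)
    print("no password:", no_password_accounts(parsed))
    print("locked:     ", locked_accounts(parsed))
    print("extra uid 0:", extra_uid0_accounts(parsed))
```

Run it against a real password file by replacing SAMPLE_PASSWD with the file's contents; every name in the "no password" list should either get a password or be removed.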
One thing about UNIX - it thinks upper and lower case are different. This allows for file names and even passwords in upper and lower case!
VMS
VMS stands for Virtual Memory System.
The VAX's 32-bit (4 gigabytes!) virtual address space is exploited fully by VMS. The introduction of the new VAX 8600 with the speed of four VAX 780's is an impressive move by DEC. This system should be able to support up to 256 users.
One "good" thing (depending on your point of view) about VMS is that it lets you do nothing without first logging in. If the system has only been in operation for about 6 months or so, there is a good chance that the default accounts supplied with VMS are still there.
These include the system manager's account SYSTEM with the password MANAGER, the field service account FIELD with password SERVICE, and the system program test account SYSTEST with password UETP. All these accounts either have full privileges or have the privileges to give themselves full privileges.
If you can't access some files from FIELD or SYSTEST, this is because you're in the latter category. To give the privileges to yourself, just type:
$ SET PROCESS/PRIV=ALL
Once you have full privileges, you can run the system program AUTHORIZE. This program will allow you to print usernames, owners, etc., and insert new users. You cannot print passwords, since the login program works like UNIX's does. If the VAX is hooked into DECnet, which is DEC's supported network, you can access any unprotected file on any "node" on the network.
One thing about DEC's machines is that they can all communicate with one another. Using Ethernet, you can connect to, send mail to, and transfer files to and from almost any other DEC system. There should be online help for the network, just type: HELP