==Phrack Magazine== Volume Four, Issue Forty-Four, File 22 of 27 **************************************************************************** -- An Introduction to the DECserver 200 -- by Opticon The Disassembled ANARCHY: "The belief that society can be maintained without prisons, armies, police or other organized force to maintain property rights, collect taxes or enforce such personal obligations as debts, contracts or alimony." -EB 1966, vol.I (taken from the Phrozen Realm) "If ur good, nobody knows that ur there" The DECserver is a terminal server (WOW!). The Model 200 is the most commonly found server in VMS machines. This device connects up to eight asynchronous (RS232C) terminals to one or more hosts available on an Ethernet Local Area Network. It is connected to the LAN through an Ethernet physical channel and supports speeds up to 19.200bps. It can be found on VAXes, mVAXes and VAXstations. It uses the Local Area Transport protocol to communicate with the other nodes. It also implements the Terminal Device/Session Management Protocol to achieve multiple sessions. Things that can be found plugged on it include dial-in and out modems, terminals, printers and stuff like that. The identification code for it in VMS is DS2. It's software is installed via VMSINSTAL.COM to SYS$SYSROOT:[DECSERVER] or in SYS$COMMON:[DECSERVER] for the cluster machines. And of course now you will ask why should you be interested in a damn phucking (=relief, back to my native language) SERVER. A lot of interesting things can be done, like dialing out for free (assuming you can connect to it in a convenient way). You can even find a DEC server 200 dedicated to eight high speed modems. There is no need to say that you need privileges to phuck up with devices like that...or there is? ..Set Default to SYS$SYSROOT:[DECSERVER] and run DSVCONFIG.COM : $ $ set default sys$sysroot:[decserver] $ show default SYS$SYSROOT:[DECSERVER] = SYS$SYSROOT:[DECSERVER] = SYS$COMMON:[DECSERVER] $ @dsvconfig You must assign a unique DECnet node name and DECnet node address for each new DECserver. Press to start, or to exit... D E C s e r v e r C o n f i g u r a t i o n P r o c e d u r e Version: V1.7 Menu of Options 1 - List known DECservers 2 - Add a DECserver 3 - Swap an existing DECserver 4 - Delete an existing DECserver 5 - Restore existing DECservers CTRL/Z - Exit from this procedure Your selection? 1 DECnet DECnet Server Service Address Name Type Circuit Ethernet Address Load File Dump File ------- ------ ----- ------- ----------------- ------------- ------------- 1.1 KEYWAY DS200 BNA-0 08-00-2B-07-39-5E PR0801ENG.SYS DS2KEYWAY.DMP 1.2 REVEAL DS200 BNA-0 08-00-2B-28-32-CB PR0801ENG.SYS DS2REVEAL.DMP 1.3 OASIS DS200 BNA-0 08-00-2B-26-A9-57 PR0801ENG.SYS DS2OASIS.DMP 1.4 PAWN DS200 BNA-0 08-00-2B-24-F3-98 PR0801ENG.SYS DS2PAWN.DMP 1.5 OPAQUE DS200 BNA-0 08-00-2B-11-EA-D4 PR0801ENG.SYS DS2OPAQUE.DMP 1.6 TOKEN DS200 BNA-0 08-00-2B-10-64-98 PR0801ENG.SYS DS2TOKEN.DMP 1.7 KERNEL DS200 BNA-0 08-00-2B-12-D6-39 PR0801ENG.SYS DS2KERNEL.DMP 1.8 IRIS DS200 BNA-0 08-00-2B-12-D6-39 PR0801ENG.SYS DS2IRIS.DMP 1.9 NEBULA DS200 BNA-0 08-00-2B-12-D6-39 PR0801ENG.SYS DS2NEBULA.DMP Total of 9 DECservers defined. (Press RETURN for menu) Connecting to one of them: $ mc ncp connect node iris Console connected (press CTRL/D when finished) # Here you must give a password. The default one is usually working so try "access". Only in "high security" systems they change the default password, because privileges are needed anyway to access the Network Control Program (which can be a possible subject for my next article). But since you are in using a system account (..privileged) you can change the current password if you find any good reason for doing so. More on that later. DECserver 200 Terminal Server V3.0 (BL33) - LAT V5.1 Please type HELP if you need assistance Enter username> You are in. In the DECserver there are Permanent and Operational databases. The permanent database holds commands which affect the device permanently when you log out. In the Operational database whatever you do is temporary and takes effect only for the time you are logged in. Let's go on by trying to get the default privileged account which enables you to view various things and make changes other than the normal ones. Local> set privileged Password> system Again the default password should work. Local> show hosts Service Name Status Identification VMS 1 Connected Welcome to VAX/VMS V5.4-2 MODEM Available Dial In And Out UNIX Available BSD Local> show nodes Node Name Status Identification VMS 1 Connected Welcome to VAX/VMS V5.4-2 UNIX Reachable BSD IRIS Reachable Local> show services Service Name Status Identification VMS 1 Connected Welcome to VAX/VMS V5.4-2 MODEM Available Dial In And Out UNIX Available BSD (RISC) Local> show users Port Username Status Service 1 anything Connected VMS Local> show sessions (it'll display YOUR sessions) Port 1: anything Local Mode Current Session: None ** Before proceeding lets have a better look at some Features DECserver 200 has, needed to understand some interesting things which follow or even some things that were previously mentioned. Remote Console Facility (RCF) is a management tool which helps you to connect remotely to any server available via it's management port. This is not hardware, but a logical port although it still has the same characteristics physical ports have. There are Privileged, non-Privileged and Secured ports. These are variables you can define by the time you manage to get the privileged account. A privileged port accepts all server commands. You can perform tests, define server operations, maintain security and all that bullshit. If you don't understand it yet, this status is enabled with the SET PRIVILEGED command we have used previously. A non-Privileged port can only manage and use commands which affect the sessions that are currently connected to a host or node. This is the default status of course. A Secured port is something in between. Users can make use of a restricted command set to make changes which affect only the port they own ("Property is theft but theft is property too, Prounton." Pardon me if the translation was destructive to the original meaning of this phrase, and if I piss you off every time I start talking about things that are completely irrelevant to the grand scheme of things and everything my articles are SUPPOSED to deal with). Our little unit has 5 types of passwords and that will help you understand how important it is for the whole system. (1) A PRIVILEGED password is what you should be aware of by now. You can SET/DEFINE SERVER PRIVILEGED PASSWORD "string", to change it. (2) A LOGIN password prevents the use of the server by unauthorized users. This can be enabled for every port or for a single dial-in modem port. You must first specify the password for the entire server via SET/DEFINE SERVER LOGIN PASSWORD and then, enable or disable it depending on the needs of a specified port, via SET/DEFINE PORT x LOGIN PASSWORD ENABLED/DISABLED. This password takes effect when you try to login to a port. The prompt is a "#" sign, without the double quotes. (3) A MAINTENANCE password prevents unauthorized users from doing remote maintenance operations like the one we did after we ran DSVCONFIG.COM. "The DECnet service password corresponds to the server maintenance password and it is entirely unrelated with the DECserver 200 service password". In other words someone who wishes to modify a value in your server must give in the NCP> command line, a parameter which specifies your server's maintenance password. Of course if this password is set to null (0) no password is needed. Also "Digital Equipment Corporation recommends against storing the password in the DECnet database (as the DECnet service password) and it strongly suggests that you change the maintenance password from the default value of 0 to maintain adequate server security" ...tsk tsk tsk... (4) A SERVICE password protects a service or services defined on the server. You can increase or decrease the number of attempts before the server gives a message, informing that the connect has failed because of an invalid password, via SET/DEFINE SERVER PASSWORD LIMIT. (5) A LOCK password protects your current sessions and port from other unwanted human substances. The server accepts no input until you retype the password you used for locking it. Finally, a port may be available only for certain users or groups. ** As you can see, it can be really tough to break VMS' security if all the available measures are taken. Research for modems: Local> show port 8 Port 8: Server: IRIS Character Size: 8 Input Speed: 19200 Flow Control: XON Output Speed: 19200 Parity: None Modem Control: Disabled Access: Local Local Switch: None Backwards Switch: None Name: PORT_8 Break: Local Session Limit: 4 Forwards Switch: None Type: Soft Preferred Service: None Authorized Groups: 0 (Current) Groups: 0 Enabled Characteristics: Autobaud, Autoprompt, Broadcast, Input Flow Control, Loss Notification, Message Codes, Output Flow Control, Verification Simple configuration, probably nothing or a terminal in there. What this screen says is that we have on server IRIS, on port 8, something with character size of 8, flow control XON (it could be CTS -hardware-), parity none, input speed 19200bps, output speed 19200bps and modem control disabled. All the other information have to do with the server and how it reacts to certain things. So if the preferred service was "VMS" and you were logging in through port 8, you would immediately connect to the VAX without having the server asking you where to log you to. The "break: Local" variable means that if you send a break character you will find yourself in the "Local>" prompt even if you have been working in the UNIX OS of the "UNIX" host and that lets you start multiple sessions. Quite useful. The forward and backward switches are for moving around your sessions. Everything can be modified. For more information concerning the parameters have a look at the command reference or the help utility. Local> show port 1 Port 1: Server: IRIS Character Size: 8 Primary Speed: 9600 Flow Control: CTS Alternate Speed: 2400 Parity: None Modem Control: Enabled Access: Dynamic Local Switch: None Backwards Switch: None Name: MODEM_1 Break: Local Session Limit: 4 Forwards Switch: None Type: Soft Preferred Service: VMS Authorized Groups: 0 (Current) Groups: 0 Enabled Characteristics: Autobaud, Autoconnect, Autoprompt, Broadcast, Dialup, DTRwait, Inactivity Logout, Input Flow Control, Loss Notification, Message Codes, Output Flow Control, Ring, Security, Verification And that's, obviously, a modem. The speed, the modem control and the enabled characteristics will help you understand even if the name is not helping at all. Have a look at the "Alternative Speed" option. What to do now that you have find it? Local> set port 1 modem control disabled Local> set service modem port 1 Local> connect modem Start programming. This way is a little bit awkward and of course there is a possibility that the modem is ALREADY defined as a dial-out modem. You are a privileged user, don't forget that. I would recommend not to harm the server ("nothing comes from violence and nothing ever good") and to leave things as u find them. DO NOT create a permanent dial-out modem service (which can be done directly from VMS if you really want to) and DO NOT forget that somebody has to pay for your calls and that the line which the modem uses, may be limited to certain numbers or even prevent out-dialing by hardware. Use your brains...And don't stick in the idea of researching modems. You can use a DECserver to infiltrate a system. Don't misuse those introductions. Overview of Commands (in alphabetical order) * BACKWARDS Goes back to a previous session. * BROADCAST Sends a message to a port. * CLEAR Clears a service. It belongs to the Operational Database. * CONNECT Connects to a service or port. * CRASH Shuts down the server and reinitializes it. * DEFINE Defines something. It belongs to the Permanent Database. * DISCONNECT Disconnects a session or port. * FORWARD Goes forward to a following session. * HELP Help. * INITIALIZE Reboots the server. You can specify a delay in minutes and "Local>initialize cancel" if you decide, finally, not to do it. * LIST Displays information on something; Devices,Nodes,Ports,Queue, Server, Services, Sessions... * LOCK Locks your terminal with a password you specify that moment. Retype your temporary password to continue. * LOGOUT Logs out the specified port. If none, your current port. * MONITOR Devices, Nodes, Ports, Queue, Server, Services, Sessions... * PURGE Purges a service from the Permanent database. * RESUME Resumes a session. * SET Devices, Nodes, Ports, Queue, Server, Services, Sessions, Characteristics,Privileged,NONprivileged...It belongs to the Operational database. * SHOW Everything. * TEST Tests a LOOP, PORT or SERVICE. An interesting Warning Message, just for informational purposes, is the following; " Local -120- WARNING - Access to service is not secure Session status information cannot be passed between the server and the attached device because modem signals are not present. This is not a problem if the device is a non-secure printer; however, if the port is a non-LAT host system, users could access other users' data. " That's all for now I think. There are many things to explain but there is no reason for doing that right now. If you need more information then just have a look at the HELP utility or contact me, somehow. [I hope you have not misunderstood my strange looking article because my native language is not English] " Opticon: Don't you think that I'm getting insane? TLA: Yeah, sure looks like it..." Love and An-archy to all those who know why. BREAK DOWN THE WALL