
RSTSE Hacking (DEC)



Formatted in 80 columns - Tough Shit if you have less

                              P. h. a. Z. e.
                              July 22, 1989

                                 presents

                       The Hacker's Guide to RSTS/E

                             Written by Taxi

[ Introduction ]
RSTS/E - Resource System Time Sharing Environment
Well, I suppose either you have found what you suspect to be a RSTS/E
system, or you hope to stumble across one in the very near future. I submit to
you a comprehensive guide to RSTS/E, complete with illustrations, so as to
avoid confusion.
A typical system will give you a login header containing a string
similar to
"... RSTS/E Vx.x JOB x KBxx
User:"
Although it is not evident from the prompt, knowing that we are dealing
with a RSTS/E system, the proper response will be a set of two numbers in the
format x,y. The first number in the set is the account's group number, and the
second number is the account number. Because these systems are meant for use by
programming teams to develop software, and to time share in so far as data
retrieval and entry are concerned, RSTS/E refers to the first number as the
Project number, and the second number as the Programmer number. For this
reason, valid accounts are referred to as PPN's (Project-Programmer Numbers).
The numbers may vary between 0 and 255 for either, and usual PPN's are
[1,2], [1,3], [1,4] and [1,5]. These are the initial accounts set up when the
DEC (Digital Equipment Corporation) employee installs RSTS/E on a DEC PDP
series computer. PPN 1,2 is the most common PPN, and is the most necessary
because it holds the system library in its directory. PPN 1,2 also has all
priv's given to Project 1, as do all of the other 1,x PPN's, but this one has
the system library for its default directory.
Because PPN 1,2 is the system library, and the most important PPN that
can be logged into from a remote port (Project-0 PPN's can only be logged into
from a local terminal, although they may be accessed from any project group 1
PPN), it has the default password length of 6 characters. Common passwords for
PPN 1,2 are DEMO, SYSLIB, SYSMGR, and DECMAN. Although passwords are to be six
characters long, excluding the general special characters !, #, $, %, &, etc.,
most other PPN's will have the newer format allowed on RSTS/E's. This new
format password is a NO-LOOKUP password. It allows 14 character passwords, and
there are no defaults. The reason for the 6 character LOOKUP passwords is so
programmers may write routines that check the current user's password and
decide if the author is running the program automatically. This was seen as a
security breach ( Oh Drat! Foiled again! ), and the option for the 14 digit
NO-LOOKUPs was installed and is the preferred format.
Generally, PPN 1,2 will be the only PPN that has the LOOKUP style
password.
[ Typical Privileged Account ]
At your main prompt ($) you may now make use of the SHOW command.
SHOW is a command that requires no flags or privileges to execute, so you may
make use of it any time you want. At this point, we are going to pass a
parameter to it that will allow us to see just what we've got.
-------------------------------------------------------------------------------
$ SHOW ACCOUNT/FULL

_SY:[1,3] "SPARTIN" Created: 27-Mar-89

Privileges: DATES DEVICE EXQTA GACNT GREAD GWRITE HWCFG HWCTL INSTAL
JOBCTL MOUNT PBSCTL RDMEM RDNFS SEND SETPAS SHUTUP SWCFG
SWCTL SYSIO SYSMOD TMPPRV TUNE USER1 USER2 USER3 USER4
USER5 USER6 USER7 USER8 WACNT WREAD WRTNFS WWRITE

Attributes: INTERACTIVE DIALUP NETWORK NOCAPTIVE
LOOKUP PASSWORD_PROMPT NOEXPIRE

Quotas: Disk usage - Logged out: unlimited Logged in: unlimited
Job limits - Detached: unlimited Total: unlimited
Send/Receive - RIB: unlimited Message: unlimited

Accounting: CPU Time: 03:07:04.6 Kilo-Core Ticks: 2711058
Device Time: 196:42 UFD Clustersize: 16
Connect Time: 705:30 Blocks allocated: 1464

Last Password change on 27-Mar-89 at 11:07 AM
Last login on _KB27: on 27-Jul-89 at 04:14 AM
$
-------------------------------------------------------------------------------
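An added example, not part of the original text file: a defender-side audit of the SHOW ACCOUNT/FULL listing above, flagging the LOOKUP password format the text calls a security breach and group 1 accounts that accept remote logins. The sample is the page's own listing, trimmed; the meanings of DIALUP, NETWORK and NOEXPIRE are assumed from their names, and the function names are hypothetical.

```python
import re

# Sample input: the SHOW ACCOUNT/FULL listing from this page, trimmed.
SAMPLE = """\
_SY:[1,3] "SPARTIN" Created: 27-Mar-89

Privileges: DATES DEVICE EXQTA GACNT GREAD GWRITE HWCFG HWCTL INSTAL
JOBCTL MOUNT PBSCTL RDMEM RDNFS SEND SETPAS SHUTUP SWCFG

Attributes: INTERACTIVE DIALUP NETWORK NOCAPTIVE
LOOKUP PASSWORD_PROMPT NOEXPIRE

Quotas: Disk usage - Logged out: unlimited Logged in: unlimited
"""

def parse_account(text):
    """Extract the PPN plus the Privileges and Attributes word lists."""
    m = re.search(r"\[\s*(\d+)\s*,\s*(\d+)\s*\]", text)
    if not m:
        raise ValueError("no PPN in listing")
    acct = {"ppn": (int(m.group(1)), int(m.group(2))),
            "privileges": set(), "attributes": set()}
    section = None
    for line in text.splitlines():
        head, sep, rest = line.partition(":")
        if sep and head.strip() in ("Privileges", "Attributes"):
            section, line = head.strip().lower(), rest
        elif sep or not line.strip():
            section = None  # a blank line or another labelled field ends the list
        if section:
            acct[section].update(line.split())  # continuation lines carry no label
    return acct

def audit(acct):
    """Return findings for the weaknesses the text describes."""
    project = acct["ppn"][0]
    attrs = acct["attributes"]
    findings = []
    if "LOOKUP" in attrs:
        findings.append("LOOKUP password can be read back by programs; use the NO-LOOKUP format")
    remote = sorted(attrs & {"DIALUP", "NETWORK"})  # meaning assumed from the names
    if project == 1 and remote:
        findings.append("group 1 account holds full privileges and allows " + "/".join(remote) + " login")
    if "NOEXPIRE" in attrs:  # assumed: the account never expires
        findings.append("account has no expiry")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_account(SAMPLE)):
        print("[1,3]", finding)
```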
As you can see, we have a pretty decent account going here. It could be
better ( aka: It could be [1,1], but who cares. That'll come later ). The
next thing you will want to do is check for others on the system. This too,
can be accomplished with the SHOW function. Type
-------------------------------------------------------------------------------
$ SHOW USERS

RSTS V9.5-08 !!! SPARTIN !!! status at 29-Jul-89, 02:14 AM Up: 37:54:13

Job Who Where What Size State Run-Time Pri/RB RTS
1 1,3 P0J2 DCL 4/32K ^C 6:24.2 -8/6 DCL
2 1,3 KB0 ATPK 8/32K SL 9.7 -8/6 ...RSX
4 1,2 KB26 SYSTAT 14/32K RN Lck 3.3 -8/6 ...RSX
$
-------------------------------------------------------------------------------
As you can see here, there are currently three (3) users online. Also,
it is apparent that I am now using another dialup, as my old login was listed
as KB27 when I checked the status and privileges of this account. I should
mention here that Jobs 1 and 2 have the same privileges as I have, due to their
group number. Next we can check a list of all the currently active Jobs. This
is done with the SYSTAT command. SYSTAT is short for System Statistics. Now
you can check out everything.
-------------------------------------------------------------------------------
$ SY

RSTS V9.5-08 !!! SPARTIN !!! status at 29-Jul-89, 02:14 AM Up: 37:54:17

Job Who Where What Size State Run-Time Pri/RB RTS
1 1,3 P0J2 DCL 4/32K ^C 6:24.2 -8/6 DCL
2 1,3 KB0 ATPK 8/32K SL 9.7 -8/6 ...RSX
3 1,2 Det PBS... 19/32K SL 2.2 -8/6 ...RSX
4 1,2 KB26 SYSTAT 14/32K RN Lck 4.0 -8/6 ...RSX

Busy Devices:
Device Job Why
PK0 2 Open

Disk Structure:
Dsk Open Size Free Clu Err Name Level Comments
DV0 0 1860 179 9% 1 0 VIRT 1.2 Pri, DLW, LDX
DU0 27 275808 17264 6% 8 0 DUSYS 1.2 Pub, DLW, LDX
DU1 1 275808 10384 3% 8 0 DU001 1.2 Pri, DLW, LDX
DU2 0 275808 38280 13% 8 0 DU002 1.2 Pri, DLW, LDX

General FIP Hung
Buffers Buffers Jobs/Jobmax TTY's Errors
600 454 4/63 0 3

Run-Time Systems:
Name Typ Dev Size Users Comments
...RSX TSK 0(32)K 3 Monitor, KBM
DCL COM DU0: 24(8)K 1 Temp, Addr:80, DF KBM
BASIC BAC DU0: 16(16)K 0 Perm, Addr:2028, KBM, CSZ
RT11 SAV DU0: 4(28)K 0 Perm, Addr:2024, KBM, CSZ, EMT:255
BP2COM TSK DU0: 4(28)K 0 Perm, Addr:2020, KBM

Resident Libraries:
Name Prot Acct Size Users Comments
CSPLIB < 42> DU0:[ 0,1 ] 8K 2 Temp, Addr:118
BASICS < 42> DU0:[ 0,1 ] 8K 0 Perm, Addr:2012
AMBASE < 42> DU0:[ 4,1 ] 16K 0 Perm, Addr:1211
RMSV18 < 42> DU0:[ 0,1 ] 23K 0 Perm, Addr:1188
RMSRES < 42> DU0:[ 0,10 ] 4K 1 Perm, Addr:1184
RMSLBA < 42> DU0:[ 0,10 ] 4K 1 Temp, Addr:1180
RMSLBB < 42> DU0:[ 0,10 ] 3K 1 Temp, Addr:1177
RMSLBC < 42> DU0:[ 0,10 ] 3K 1 Non-Res, Addr:1174
RMSLBD < 42> DU0:[ 0,10 ] 2K 1 Temp, Addr:1172
RMSLBE < 42> DU0:[ 0,10 ] 3K 1 Temp, Addr:1169
RMSLBF < 42> DU0:[ 0,10 ] 4K 1 Temp, Addr:1165
B25SML < 42> DU0:[ 0,1 ] 8K 0 Temp, Addr:1157
DAPRES < 42> DU0:[ 0,10 ] 10K 0 Non-Res, Addr:1147
EDT < 42> DU0:[ 0,11 ] 39K 0 Non-Res, Addr:1108

Message Receivers:
Rcvrid Job Rib Obj Msgs/Max Links/InMax/OutMax Access
ERRLOG 0 0 1 1/40 0/0/0 Prv
QM$CMD 3 1 3 0/20 0/0/255 Prv
QM$SRV 3 2 4 0/30 0/0/255 Prv
QM$URP 3 3 5 0/10 0/0/255 Lcl
PR$03A 3 17 65 0/5 0/0/255 Prv
PR$03B 3 25 65 0/5 0/0/255 Prv
BA$03A 3 41 66 0/5 0/0/255 Prv
BA$03B 3 49 66 0/5 0/0/255 Prv
BA$03C 3 57 66 0/5 0/0/255 Prv
$
-------------------------------------------------------------------------------
Whew! That's a lot of information, most of which you don't really care
about. At the top of this report all of the current Jobs are listed in order.
Notice that this time Job three shows up. But under the Where sub-heading, it
reads "det". That means that it is detached and you don't have to worry about
it. At the very end of the report is a summary of messages waiting to be
received. You will want to check out any files with mail waiting in them, as
the sysop may be running some kind of monitoring program to keep track of you.
Only ERRLOG has a message, and it has had that same message for quite
some time, because I'm on a system with a lazy sysop. Don't assume you'll be
so lucky!
Also, there is a list of libraries still on the system. You'll want to
check them out once you feel safe on your system. Make sure you check out all
of the 0,x and 1,x PPN directories, plus any additional libraries listed in the
system statistics. In these directories you will, no doubt, find files with an
extension of BAC, BAS or TSK. From the directory listing check their
'Protection' level. Files with a level of 232 or 252 grant privileges to the
user when they are run. It is likely that these programs were written by group
1 programmers, so as to temporarily give the program the needed access to
perform high priv'ed tasks when run by others on the system. Luckily, these
programs will often forget to revoke your temporary privileges, so if you
cannot get a group 1 PPN, then maybe you can get the needed privs from one of
these files while under a lesser PPN. I have included the BASIC program
listing for a utility known as MONEY.
MONEY allows a group 1 user to check all valid PPN's and if they have LOOKUP
passwords, it will look them up upon your request. It has complete
documentation. This is the official version, and has a program line to remove
any temporary privileges you may have. Insert a ! at the beginning of each
command line in that program line to change it to a REM statement, so as to
keep any priv's you may have accumulated. The program is completely documented
with subroutine headers and purposes, as well as a line by line description.
You will note that this is not a completely normal BASIC that you will find on
your personal computer.
If you cannot find MONEY in any of your directories, you may put it
there yourself by typing
$ CREATE MONEY.BAS
The system will go to an ASCII file input mode. You can type in a program
here, but in this case you will want to send the MONEY.BAS program listing in
ASCII form. Do NOT use any protocol. When the system has received your
listing, then type control-z. This will terminate the input cycle and write
the file to the disk. Next type
$ BASIC/BPLUS
Ready

Now you can edit the program and run it if you wish. You are in BASIC.
Here you may now run any file with an extension of BAS. Use the OLD command to
load your program. If the file is in your directory, as in this case, type
Ready
OLD filename.ext
But if the program is somewhere else, you will need the PPN of the
directory, as in the case of FLOAT.BAS, which is owned by PPN 0,9. Type
Ready
OLD FLOAT.BAS[0,9]
Note, you cannot change your default directory unless you log on under
that PPN. To get back to the system shell, type a $ on a line all by itself
followed by a carriage return. This is very important because not all commands
will work from BASIC, and some RSTS/E's automatically put you in BASIC. If
this is the case, you can use CAT to get a directory.

This file is by no means complete, I just wanted an opinion on it, and to know
if this bbs supports such files.

Taxi - PhaZe " the East Coasters "


 
To the best of our knowledge, the text on this page may be freely reproduced and distributed.
If you have any questions about this, please check out our Copyright Policy.

 
