==Phrack Magazine==
Volume Four, Issue Forty-Four, File 22 of 27
-- An Introduction to the DECserver 200 --
by Opticon The Disassembled
ANARCHY: "The belief that society can be maintained without prisons, armies, police or other organized force to maintain property rights, collect taxes or enforce such personal obligations as debts, contracts or alimony." -EB 1966, vol.I (taken from the Phrozen Realm)
"If ur good, nobody knows that ur there"
The DECserver is a terminal server (WOW!). The Model 200 is the most commonly found server in VMS machines. This device connects up to eight asynchronous (RS232C) terminals to one or more hosts available on an Ethernet Local Area Network.
It is connected to the LAN through an Ethernet physical channel and supports speeds up to 19.200bps. It can be found on VAXes, mVAXes and VAXstations. It uses the Local Area Transport protocol to communicate with the other nodes. It also implements the Terminal Device/Session Management Protocol to achieve multiple sessions. Things that can be found plugged into it include dial-in and dial-out modems, terminals, printers and stuff like that. The identification code for it in VMS is DS2. Its software is installed via VMSINSTAL.COM to SYS$SYSROOT:[DECSERVER] or in SYS$COMMON:[DECSERVER] for the cluster machines.
And of course now you will ask why you should be interested in a damn phucking (=relief, back to my native language) SERVER. A lot of interesting things can be done, like dialing out for free (assuming you can connect to it in a convenient way). You can even find a DECserver 200 dedicated to eight high speed modems. There is no need to say that you need privileges to phuck up with devices like that...or is there?
..Set Default to SYS$SYSROOT:[DECSERVER] and run DSVCONFIG.COM :
  $
  $ set default sys$sysroot:[decserver]
  $ show default
    SYS$SYSROOT:[DECSERVER]
    =   SYS$SYSROOT:[DECSERVER]
    =   SYS$COMMON:[DECSERVER]
  $ @dsvconfig
You must assign a unique DECnet node name and DECnet node
address for each new DECserver.
Press <RET> to start, or <CTRL/Z> to exit...
D E C s e r v e r   C o n f i g u r a t i o n   P r o c e d u r e
Version: V1.7
Menu of Options
1 - List known DECservers
2 - Add a DECserver
3 - Swap an existing DECserver
4 - Delete an existing DECserver
5 - Restore existing DECservers
CTRL/Z - Exit from this procedure
Your selection? 1
  DECnet   DECnet   Server  Service
  Address  Name     Type    Circuit  Ethernet Address   Load File      Dump File
  1.1      KEYWAY   DS200   BNA-0    08-00-2B-07-39-5E  PR0801ENG.SYS  DS2KEYWAY.DMP
  1.2      REVEAL   DS200   BNA-0    08-00-2B-28-32-CB  PR0801ENG.SYS  DS2REVEAL.DMP
  1.3      OASIS    DS200   BNA-0    08-00-2B-26-A9-57  PR0801ENG.SYS  DS2OASIS.DMP
  1.4      PAWN     DS200   BNA-0    08-00-2B-24-F3-98  PR0801ENG.SYS  DS2PAWN.DMP
  1.5      OPAQUE   DS200   BNA-0    08-00-2B-11-EA-D4  PR0801ENG.SYS  DS2OPAQUE.DMP
  1.6      TOKEN    DS200   BNA-0    08-00-2B-10-64-98  PR0801ENG.SYS  DS2TOKEN.DMP
  1.7      KERNEL   DS200   BNA-0    08-00-2B-12-D6-39  PR0801ENG.SYS  DS2KERNEL.DMP
  1.8      IRIS     DS200   BNA-0    08-00-2B-12-D6-39  PR0801ENG.SYS  DS2IRIS.DMP
  1.9      NEBULA   DS200   BNA-0    08-00-2B-12-D6-39  PR0801ENG.SYS  DS2NEBULA.DMP
Total of 9 DECservers defined. (Press RETURN for menu)
Connecting to one of them:
  $ mc ncp connect node iris
  Console connected (press CTRL/D when finished)
  #
Here you must give a password. The default one usually works, so try "access". Only on "high security" systems do they change the default password, because privileges are needed anyway to access the Network Control Program (which can be a possible subject for my next article). But since you are in using a system account (..privileged), you can change the current password if you find any good reason for doing so. More on that later.
DECserver 200 Terminal Server V3.0 (BL33) - LAT V5.1
Please type HELP if you need assistance
Enter username>
You are in.
In the DECserver there are Permanent and Operational databases. The
permanent database holds commands which affect the device permanently when you log out. In the Operational database whatever you do is temporary and takes effect only for the time you are logged in.
Let's go on by trying to get the default privileged account which enables
you to view various things and make changes other than the normal ones.
  Local> set privileged
  Password> system
Again the default password should work.
  Local> show hosts
  Service Name   Status        Identification
  VMS            1 Connected   Welcome to VAX/VMS V5.4-2
  MODEM          Available     Dial In And Out
  UNIX           Available     BSD
  Local> show nodes
  Node Name      Status        Identification
  VMS            1 Connected   Welcome to VAX/VMS V5.4-2
  UNIX           Reachable     BSD
  IRIS           Reachable
  Local> show services
  Service Name   Status        Identification
  VMS            1 Connected   Welcome to VAX/VMS V5.4-2
  MODEM          Available     Dial In And Out
  UNIX           Available     BSD (RISC)
  Local> show users
  Port   Username   Status      Service
  1      anything   Connected   VMS
  Local> show sessions (it'll display YOUR sessions)
  Port 1: anything   Local Mode   Current Session: None
** Before proceeding let's have a better look at some features the DECserver 200 has, needed to understand some interesting things which follow or even some things that were previously mentioned.
Remote Console Facility (RCF) is a management tool which helps you to connect remotely to any server available via its management port. This is not hardware but a logical port, although it still has the same characteristics physical ports have.
There are Privileged, non-Privileged and Secured ports. These are variables you can define once you manage to get the privileged account. A privileged port accepts all server commands. You can perform tests, define server operations, maintain security and all that bullshit. If you don't understand it yet, this status is enabled with the SET PRIVILEGED command we have used previously.
A non-Privileged port can only manage and use commands which affect the
sessions that are currently connected to a host or node. This is the default status of course.
A Secured port is something in between. Users can make use of a restricted command set to make changes which affect only the port they own ("Property is theft but theft is property too, Proudhon." Pardon me if the translation was destructive to the original meaning of this phrase, and if I piss you off every time I start talking about things that are completely irrelevant to the grand scheme of things and everything my articles are SUPPOSED to deal with).
Our little unit has 5 types of passwords and that will help you understand
how important it is for the whole system.
(1) A PRIVILEGED password is what you should be aware of by now. You can
SET/DEFINE SERVER PRIVILEGED PASSWORD "string", to change it.
(2) A LOGIN password prevents the use of the server by unauthorized
users. This can be enabled for every port or for a single dial-in modem port. You must first specify the password for the entire server via SET/DEFINE SERVER LOGIN PASSWORD and then, enable or disable it depending on the needs of a specified port, via SET/DEFINE PORT x LOGIN PASSWORD ENABLED/DISABLED. This password takes effect when you try to login to a port. The prompt is a "#" sign, without the double quotes.
(3) A MAINTENANCE password prevents unauthorized users from doing remote
maintenance operations like the one we did after we ran DSVCONFIG.COM. "The DECnet service password corresponds to the server maintenance password and it is entirely unrelated with the DECserver 200 service password". In other words someone who wishes to modify a value in your server must give in the NCP> command line, a parameter which specifies your server's maintenance password. Of course if this password is set to null (0) no password is needed. Also "Digital Equipment Corporation recommends against storing the password in the DECnet database (as the DECnet service password) and it strongly suggests that you change the maintenance password from the default value of 0 to maintain adequate server security" ...tsk tsk tsk...
(4) A SERVICE password protects a service or services defined on the
server. You can increase or decrease the number of attempts before the server gives a message, informing that the connect has failed because of an invalid password, via SET/DEFINE SERVER PASSWORD LIMIT.
(5) A LOCK password protects your current sessions and port from other
unwanted human substances. The server accepts no input until you retype the password you used for locking it.
Finally, a port may be available only for certain users or groups.
** As you can see, it can be really tough to break VMS' security if all the available measures are taken.
Research for modems:
  Local> show port 8
  Port 8:                                Server: IRIS
  Character Size:            8           Input Speed:         19200
  Flow Control:            XON           Output Speed:        19200
  Parity:                 None           Modem Control:    Disabled
  Access:                Local           Local Switch:         None
  Backwards Switch:       None           Name:               PORT_8
  Break:                 Local           Session Limit:           4
  Forwards Switch:        None           Type:                 Soft
  Preferred Service: None
  Authorized Groups:   0
  (Current)  Groups:   0
  Enabled Characteristics:
  Autobaud, Autoprompt, Broadcast, Input Flow Control, Loss Notification,
  Message Codes, Output Flow Control, Verification
Simple configuration, probably nothing or a terminal in there. What this
screen says is that we have on server IRIS, on port 8, something with character size of 8, flow control XON (it could be CTS -hardware-), parity none, input speed 19200bps, output speed 19200bps and modem control disabled.
All the other information has to do with the server and how it reacts to certain things. So if the preferred service was "VMS" and you were logging in through port 8, you would immediately connect to the VAX without having the server asking you where to log you to. The "Break: Local" variable means that if you send a break character you will find yourself in the "Local>" prompt even if you have been working in the UNIX OS of the "UNIX" host, and that lets you start multiple sessions. Quite useful. The forward and backward switches are for moving around your sessions. Everything can be modified.
For more information concerning the parameters have a look at the command
reference or the help utility.
  Local> show port 1
  Port 1:                                Server: IRIS
  Character Size:            8           Primary Speed:        9600
  Flow Control:            CTS           Alternate Speed:      2400
  Parity:                 None           Modem Control:     Enabled
  Access:              Dynamic           Local Switch:         None
  Backwards Switch:       None           Name:              MODEM_1
  Break:                 Local           Session Limit:           4
  Forwards Switch:        None           Type:                 Soft
  Preferred Service: VMS
  Authorized Groups:   0
  (Current)  Groups:   0
  Enabled Characteristics:
  Autobaud, Autoconnect, Autoprompt, Broadcast, Dialup, DTRwait,
  Inactivity Logout, Input Flow Control, Loss Notification, Message Codes,
  Output Flow Control, Ring, Security, Verification
And that's, obviously, a modem. The speed, the modem control and the enabled characteristics will help you understand even if the name is not helping at all. Have a look at the "Alternate Speed" option.
What to do now that you have found it?
  Local> set port 1 modem control disabled
  Local> set service modem port 1
  Local> connect modem
Start programming. This way is a little bit awkward and of course there is a possibility that the modem is ALREADY defined as a dial-out modem. You are a privileged user, don't forget that. I would recommend not to harm the server ("nothing comes from violence and nothing ever good") and to leave things as u find them. DO NOT create a permanent dial-out modem service (which can be done directly from VMS if you really want to) and DO NOT forget that somebody has to pay for your calls and that the line which the modem uses may be limited to certain numbers or even prevent out-dialing by hardware. Use your brains...And don't get stuck on the idea of researching modems. You can use a DECserver to infiltrate a system. Don't misuse those introductions.
Overview of Commands (in alphabetical order)
* BACKWARDS
Goes back to a previous session.
* BROADCAST
Sends a message to a port.
* CLEAR
Clears a service. It belongs to the Operational Database.
* CONNECT
Connects to a service or port.
* CRASH
Shuts down the server and reinitializes it.
* DEFINE
Defines something. It belongs to the Permanent Database.
* DISCONNECT
Disconnects a session or port.
* FORWARD
Goes forward to a following session.
* HELP
Help.
* INITIALIZE
Reboots the server. You can specify a delay in minutes and
"Local>initialize cancel" if you decide, finally, not to
do it.
* LIST
Displays information on something; Devices, Nodes, Ports, Queue,
Server, Services, Sessions...
* LOCK
Locks your terminal with a password you specify that moment.
Retype your temporary password to continue.
* LOGOUT
Logs out the specified port. If none, your current port.
* MONITOR
Devices, Nodes, Ports, Queue, Server, Services, Sessions...
* PURGE
Purges a service from the Permanent database.
* RESUME
Resumes a session.
* SET
Devices, Nodes, Ports, Queue, Server, Services, Sessions,
Characteristics, Privileged, NONprivileged... It belongs to the
Operational database.
* SHOW
Everything.
* TEST
Tests a LOOP, PORT or SERVICE.
An interesting Warning Message, just for informational purposes, is the following:
" Local -120- WARNING - Access to service is not secure
Session status information cannot be passed between the
server and the attached device because modem signals are
not present. This is not a problem if the device is a
non-secure printer; however, if the port is a non-LAT
host system, users could access other users' data. "
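
For an administrator reviewing a server, the SHOW PORT displays and the -120- warning above can be turned into a quick check. The following is an added example, not part of the original article: it parses one captured SHOW PORT display and flags a dial-up or non-Local port that has lost its modem control, Security or Inactivity Logout settings. The function names and the three rules are assumptions made for this illustration, and the sample text is constructed from the article's port 1 display.

```python
import re

# Constructed sample: the article's port 1 display with Modem Control set
# to Disabled and the Security characteristic removed.
SAMPLE = """\
Port 1:                                Server: IRIS
Character Size:            8           Primary Speed:        9600
Flow Control:            CTS           Alternate Speed:      2400
Parity:                 None           Modem Control:    Disabled
Access:              Dynamic           Local Switch:         None
Backwards Switch:       None           Name:              MODEM_1
Break:                 Local           Session Limit:           4
Forwards Switch:        None           Type:                 Soft
Preferred Service: VMS
Enabled Characteristics:
Autobaud, Autoconnect, Autoprompt, Broadcast, Dialup, DTRwait,
Inactivity Logout, Input Flow Control, Loss Notification,
Message Codes, Output Flow Control, Ring, Verification
"""

FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?):[ \t]+(\S+)")  # "Key:   value"

def parse_show_port(text):
    """Turn one SHOW PORT display into port number, fields, characteristics."""
    head, _, tail = text.partition("Enabled Characteristics:")
    port = re.search(r"Port\s+(\d+):", head)
    fields = {k.strip(): v for k, v in FIELD.findall(head)}
    enabled = {" ".join(c.split()) for c in tail.split(",") if c.strip()}
    return {"port": int(port.group(1)) if port else None,
            "fields": fields, "enabled": enabled}

def audit_port(p):
    """Findings for a port reachable from outside (rules are assumptions)."""
    f, on, out = p["fields"], p["enabled"], []
    exposed = "Dialup" in on or f.get("Access") != "Local"
    if exposed and f.get("Modem Control") != "Enabled":
        out.append("modem control off: the state warning -120- describes")
    if exposed and "Security" not in on:
        out.append("Security characteristic not enabled")
    if exposed and "Inactivity Logout" not in on:
        out.append("Inactivity Logout not enabled")
    return out

if __name__ == "__main__":
    p = parse_show_port(SAMPLE)
    for finding in audit_port(p):
        print(f"port {p['port']} ({p['fields'].get('Name')}): {finding}")
```

Run against the article's unmodified port 1 display the audit reports nothing, and the Local-access port 8 is skipped because it is not reachable from outside.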
That's all for now I think.
There are many things to explain but there is no reason for doing that right
now. If you need more information then just have a look at the HELP utility or contact me, somehow. [I hope you have not misunderstood my strange looking article because my native language is not English]
" Opticon: Don't you think that I'm getting insane?
TLA: Yeah, sure looks like it..."
Love and An-archy to all those who know why.
BREAK DOWN THE WALL