The LOD/H Technical Journal: File #4 of 10 Written by, Carrier Culprit and The Legion Of Hackers This is Part I of a II part series on the PRIME operating system. In this article I will give a general overview of the system and command usage. Note: This article will center around the Primos version 19, and revisions 19.1 and up. [Background Information] Primos is the operating system for the PRIME mainframe, and supermini systems. The operating system is usually run on the Prime 750. Primos is a relatively secure system. Externally security is great, but the internal security needs help. The latest revision of version 19 is 19.4.0 (as of this writing). This revision is more secure in both external and internal security than its predecessors. By the time this article is released, Version 20 should be out and an article on that version will be forthcoming. [Logging in V18.x.x] It is quite easy to hack into a Prime running a version 18 of Primos. The external security is rather poor. All you need is an ID to logon. There is no password prompt, thus getting an operator's account is rather easy. Occasionally, there will be some additional security software running and passwords will be needed. I am not going to go into detail on version 18 because it is obsolete, any questions regarding version 18 please leave me mail. [Logging in V19.x.x] A Primos system is very easy to recognize. Once you are connected, hit a few returns to get the "ER!" prompt or you may be prompted with the ID prompt. If you do get prompted with the ID prompt, you need not put "Login" in front of the ID. Here is an example of a Primos login: ATDT 123-4567 [2 RETURNS] ER! Login CARRIER Password: Prime (user 31) Logged in Friday, 5-Sept 14:27:20 Welcome to Primos Version 19.4.5 Last login Thursday, Sept 4 1986 02:01:12 (1 mail waiting) Note: You usually get 1 try to login before being disconnected. In some cases the 2 c/r's are not needed and some systems won't respond until you type "login" and a return. Passwords and ID's are 6 characters, they may consist of letters and numbers. Finding passwords on a Primos can be hard, but there are some common ID's and passwords. You must use "login" before entering your ID. In this case my ID is "CARRIER". Here is a common list of ID's and passwords I have come across: =============================== | ID name | Password | =============================== | PRIME | PRIME | | *SYSTEM | SYSTEM | | PRIMOS | PRIMOS | | *ADMIN | ADMIN | | RJE | RJE | | DEMO | DEMO | | GAMES | GAMES | | GUEST | GUEST | | REGIST | REGIST | | TEST | TEST | | NETMAN | NETMAN | | PRIRUN | PRIRUN | | TOOLS | TOOLS | | CMDNC0 | CMDMNC0 | | +TELENET | TELENET | =============================== Note: * means that that ID is most likely to have SYS1 priorities. Note: + account belongs to Telenet or some employees of Telenet in which the Primos will be located on the Telenet packet network. System Accounts: SYSTEM- This account usually contains configuration programs. It also contains system messages, logs, and userlists. TOOLS- This account usually contains the utility to add users and the Netlink utility (Explained later). CMDNC0- Contains help files. These are default accounts which are standard in new Primos systems. They should be there unless the userfile has been modified by the system operator. You can also mix them around, ie- Login SYSTEM Password:PRIME There is no "systat" or extensive on-line help before logging in. Don't you wish people would model their operating systems after TOPS-10 (chuckle)? The best account to get on under would be an account with SYS1 priorities. This account is for people who advise regular users. Ok, lets assume you have hacked onto a regular account something like games. The command prompt for Primos is "OK,". The first thing we would want to do is to see who is logged in. We would type "Users" and would get something like this: OK, Users Users=8 This is telling us that there are 8 users currently logged in, which isn't extremely helpful. To get a full listing of usernames we would type "Status Users" or "Status -Users". We would get a status of users currently on-line. It would show us usernames, devices, and other sub-categories. Here's a sample of what you would get: User Number Device ADMIN 3 SYSTEM 1 OBB 31 CRIMINAL 12 If you see that other people are logged in, it may be best to log off and call back later, as the operators can perform the same command, and if they know that user should not be on the system at that time, you will obviously be kicked off. If there are 2 devices specified, the user is either receiving output from a different device, sending input to that device, or has logged out incorrectly (tsk tsk). To get a full status of memory and accounting, you would type "Status System" This is usually in a Menu driven program, and you will get different options. ie- Log of users, memory, devices, etc. We can access different priority levels by using the "CHAP" command. This is the way we can find out what our priority level is. We would do: OK, CHAP UP OK, CHAP DOWN X or CHAP DOWN to return to your original priority level: OK, CHAP ORIGIN or CHAP DEFAULT Usually a user may leave his priority level rather low. You can then try to raise your level. There should be 6 different priority levels. A 0 meaning lowest, and 6 meaning highest. Here is a little diagram that will give you a list of ID's and what most of them will have access to. Note: Some may have access to more or less than what I have written, but the comments are accurate for most systems. !=================================================! ! ID ! Comments ! !=================================================! ! GAMES !Allows user to view low level ! ! !directories, and execute regular! ! !commands. ie-CHAP, STATUS ! !=================================================! ! DEMO !Allows user to run games, and ! ! !execute the tour program. Most ! ! !commands will not work, and it ! ! !has a time limit. Lastly, it can! ! !only access low lvl directories.! !=================================================! ! PRIME !Allows user to execute all ! ! !commands, except operator cmds. ! ! !User can also access PRIMENET if! ! !the system supports it. Access ! ! !to only low level directories. ! !=================================================! ! ADMIN !Access to view all directories &! ! !bypass all ACL'S. Can setup an ! ! !accounts on other Primos systems! ! !via PRIMENET (if available). ! ! !User can execute any command. ! !=================================================! ! SYSTEM !Same as ADMIN, except cannot ! ! !view feedback to ADMINS. ! !=================================================! ! RJE !Same as games, except a RJE ! ! !user can erase user log and spy.! !=================================================! ! TEST !Able to access any directory, ! ! !only restriction is a test user ! ! !is not authorized to shut down ! ! !the system. ! !=================================================! Note: RJE is a Remote Job Entry Priority levels may vary on different Primos systems, they can range from 0- to any number up to 10. The most common range is 0-6. On some Primos systems you can do a CHAP PRIORITY to see what the range is. Ok, we have checked priorities, and the system status. Lets move to directories. To list a directory type "LD" short for List Directory. This will list the directory you are attached to. In this case it will be your home directory. You will get a list of files within your own directory. To view someone elses directory you would type AT nameofdirectory. Lets say we are logged into a DEMO account. And we would like to view the files in the GAMES account. We could do either of the following: OK, AT GAMES This is telling the system we would like to default to the Games directory. This is similar to the Set Default name on a VAX/VMS system. (See Lex Luthor's Hacking VAX/VMS 3 part series for more information on VMS) or we could do OK, FUTIL >AT GAMES This is the same thing, except in the first method you can still execute Primos commands while still attached to the Games account. But when using FUTIL (File UTILity program) you can only list, create and copy files. To get out of the file utility program just hit a Control P. Here is a chart of file types and how to execute them: ------------------------------------------- | File type | How to execute it | =========================================== | .CPL | CPL pathname | | .SAVE | SAVE pathname | | .SEG | SEG pathname | | .BASICV | BASICV pathname | | .TXT | SLIST pathname | | .COM | CO pathname | ------------------------------------------- Note: SLIST will also show the program lines of the file, whether it be a CPL file or COM file. This is a good way to learn CPL (Command Procedure Language). Most files will not have suffixes. To execute them type "Resume pathname", filenames are called pathnames on PRIMOS. Unlike VMS, the PRIMOS system doesn't have the type of file as a suffix. On some files you'll get the suffix, but if not try: Resume pathname and that should execute the file, especially files with an "*" preceding them. If a file is in the format of, "*filename" do "Resume *filename". Usually basic files have an * preceding their titles. To create a directory type: OK, Create directname [-password] [-access] A password can be from 1-6 letters, if I wanted to have a password on my directory I would do- OK, Create directname [-limp] [-access] If you don't put in an access level, the directory will automatically be set to ALL access. Here's a list of access rights: P = Protect a directory D = Delete entries from directory A = Add entries to directory L = Read the contents within directory U = Attach to a directory R = Read contents of a file W = Edit contents of a file ALL = All of the Above^^^^^ NONE = Denies all access Typically, if you are logged into a DEMO account your directory will be set to ALL access. If it is, someone can attach to the demo directory and do anything they want with it. Here is a list of accounts and what access they will usually have on their directory. DEMO = ALL GAMES = LUR PRIME = ALL SYSTEM = LUR ADMIN = NONE TEST = LUR JBB = NONE RJE = LUR Most directories have LUR access which is access to read contents of the directory, attach to the directory, and read contents of a file. If you have enough privileges (priority levels) you can do the following to change the access rights: OK, Set_Access ALL [-LUR] This is setting access from ALL to LUR. ALL was the present access, now we changed it to LUR. You should only do this if it's your own personal account as changing access rights on hacked accounts could lead to your detection and subsequent expulsion from the system. To create a file, preferably a text file, type "Mail pathname", then you will be thrown into the Mail subsystem which I believe is version 3.1 now. You can type in all the info you want, when finished hit a Control-P. It will ask you for a pathname to save it to. Enter the name you would like. It will look something like this: OK, Mail DOE Mail 3.1 >Hello. This is your system operator. Any ideas on how to keep those >pesky little computer criminals out of our system? >Comments can be directed to SYSTEM. Enter Filename: Pesky.Txt The above method is rather primative but works good if you are only creating a text file. It is a common method used on version 18, and is easy to perform. The other method is more common on version 19, and is commonly used today. OK, Create Test.Txt OK, Ed EDIT $ Note: $ is not dropping you into DCL, so you DCL programmers are out of luck (chuckle). From the $ prompt you can type 'help' to get a list of commands which can be used in the Editor. $ (return) By hitting return we are given the "&" prompt, here we can input our file. Or if you know CPL you can start programming. Do not hit return on a blank line or you will be thrown into the main Editor prompt ('$'). & Hello this is Bif (the system operator) I am testing the Editor & because we have added new enhancements. This is only a test. & (return) Thus by hitting return we are given the $ prompt once again. To save our file we can type- $ Save Test In this case the filename is test. The system will reply by saying 'Test Saved'. The file should be located at the end of the files list when you List files. To make sure the contents are saved type "Slist Test.Txt", it will display the text you typed in mail or the editor. A couple of important notes: 1: Never use a "?" anywhere in the file, or it will erase all of the contents in the file. 2: Never hit a c/r twice. In other words if you hit a c/r on a blank line the system will recognize this as mail and will send it to the name you entered. If you want to make a basic program or basicv type "Basic" or "BasicV" at the "Ok," prompt and you will be thrown into that language. If you would like to make a CPL program you can enter it from the main prompt since that is the default language for Primos. To delete a file just type "Delete filename". To get a list of directories with their ACLs (Access Control Lists) type "List_Access". It would look something like this: OK, LIST_ACCESS ACL "": ADMIN : NONE DEMO : LUR SYSTEM : LUR ROBERT : ALL GAMES : LUR PRIME : ALL To get a listing of just files type "Listing", it will give you a list of files in the directory you're attached to. The only difference between this method and "LD" is that LD tells you what access rights is on that directory. On some Prime systems you may find a program located within the Demo or Games account. The name of the program is "Tour" and you can execute it by doing CPL Tour. The program will be inputing commands and the system will execute them. There is a bug within that program which can be used to your advantage. First execute it by doing CPL Tour, once the program has begun it will have a couple of pauses (while it is loading). First hit 3 Control P's. By doing this you are breaking out of the program. Next, attach to the SYSTEM directory. Once attached, SLIST the Tour program (Slist Tour). When it begins listing the file do a Ctrl-P again. Now, go into the editor (ED). When you receive the $ prompt hangup on the system. The system is now hung in the Editor, and the Tour program is still executing (from the Demo or Games account). You must call right back (and prey that the line hasn't been captured by a system operator). You will be put right into the tour program, while it is being executed. You will need no pw to login as you are attached right to it. You now have access to write and read anything your little heart desires. If you plan on trying this, do it at night, since you will most likely be the only one on the system. Always do it on a 1 line system. Never on a Prime that is used constantly (unless you have perfected this method). Remember to call right back after you have hung up, or someone like BIF may call and wonder why he did not get the ID prompt. So be careful. I also know different ways you can modify the tour program to have a little fun (using CPL commands) but due to obvious reasons I will not publicize the lines. If you are interested please get in contact with me. To send a message to someone on the system type "Message username". It would look something like this: OK, Message PRIME Hi, can you tell me why the system was down last week. Note: Remember DON'T use ?'s. The user PRIME will receive the message, unless he's busy or has executed command which refuses messages. It would look like this: OK, Message Prime Hi, can you tell me why the system was down last week. User Prime not accepting messages If you do not receive that message then the user will get your message. This is like Phone username on VMS, except on a VMS it looks better (chuckle). To send mail you type: "Mail xxxxx". If I wanted to send mail to user SYSTEM, I would type "Mail System", I would be thrown into the mail subsystem. To end a message hit a c/r on a blank line. You will be notified when you get mail when you first logon. It will say "(mail waiting)". To read it type "Mail". If you have no mail and you type Mail it will say "sorry no mail today". Once again no ?'s are allowed or the contents of the mail will be erased. Status followed by a topic will give you a system status on that topic. You can get information on the following using Status- Status ALL = Information on who is logged in and devices. Status DI = Information on devices, what devices are in use. Status SYSTEM = Information on what version of Primos is being run. Status NETWORK = Information on Netlink, and network nodes. There are others but these are probably the most important, and of course, "Status Users" which I mentioned earlier, which will give you a list of users currently logged in. Allows a user to change his password. It will look something like this: OK, Change_Password Old Password:Z102345 New Password: Verification : Notice how new password and verification don't echo, this is for security purposes so don't be alarmed. Changing passwords of hacked accounts is not a good idea. We don't want to get detected now do we? Gives info on the system. ie-who it belongs to, what version its running on and new features. Gives a list of languages the system supports. Gives a list of help commands and a small description. By typing Netlink at the main prompt (OK,) you will be thrown into the Netlink utility. Netlink is found on Primenet (which is the networking software for Primes). Netlink is used to communicate with other remote systems. You will find the netlink utility on most packet networks, since there is much use for it there. Netlink can be accessed by all users on the system. Once netlink is typed you will get a message, similar to: Netlink version x.xx >(this being the main prompt) Once again on-line help is available if you have no idea what you are doing. To call another system, you would use the NC xxxxxx format. If you were on Telenet using Primenet supporting the Netlink utility you could call any system on Telenet. For example if I wanted to call my favorite VMS I would type- >NC 201111 201111 being the address. You will get a pause for about 5 seconds and you will be connected to the remote system. It is fairly slow, but it is sufficient. The whole process would look something like this- OK, NETLINK Netlink [Version 1.x] >NC 201111 Username: Password: Username and Password shows that I have connected to the Vax running VMS. I would log onto the remote system (the VMS in this case) like I would any other time. Once I am done looking around on the remote system I can just logoff by doing a Control P (this will put you back into the utility), or I could just logoff properly by using the VMS logout command and be put back into the Netlink utility program. If you ever receive the message "WILL NOT ACCEPT COLLECT CONNECTION" from a system off of Telenet, you can just reverse the charges to the Prime you are on and log onto the remote system. You can do this by using the NC format above. This allows you to bypass the need for a Telenet ID. Netlink won't compare to something like DECNET but it gets the job done. Remember if you aren't too sure what you are doing just type "help" for on-line help. To exit the Netlink utility type "Quit" or just hit Control-P. This will give you the main prompt once again. Toggles upper and lower case. Control S = Pauses Text Control P = Aborts Text or Utility Control Q = Resumes Text If you gain access to Primos supporting on-lines games, which can be found by (AT)taching to the Games directory. There may be a game called "FRITZ", it's a fun game dealing with questions on the Primos system. It can also test your knowledge on the system. Usually if a person hangs up on the system without properly logging off you may be able to call the system and be attached to that account. This usually works on systems with one line. I called a Primos one day and was attached to a system account modifying a config program. It was interesting... There are many Prime systems on Telenet so I suggest getting ahold of the updated LOD/H Telenet Directory from Issue I and jot down a few. Preferably Primenet, since they support the Netlink utility. ============================================================================ Here's a list of some major differences between PRIMOS version 18.x.xx and Version 19.x.xxx 1. Version 19 supports Access Control Lists, which allows the user to set a specific access right on his/her directory. 2. Version 19's security has been tightened. A user will be prompted with the password prompt. A user is usually allowed only 1 unsuccessful login, if the ID or password is incorrect the user will be logged off. 3. Once a user has tried to execute a command/file without sufficient access rights he will be logged off of the system. The account will automatically be suspended until an operator has contacted the user. 4. Users have to change their password every 30 days. 5. The "CHAP" command can be executed by users to toggle their priority level. 6. Netlink has been enhanced with more commands. 7. A primary password may be used for better security. 8. After logging out you will be disconnected from the system, rather than prompted with the ER! prompt. 9. Dec VT132 is the commonly used operator terminal on version 19. 10. There have been new enhancements to the editor. ============================================================================= As you can see, PRIMOS is a very versatile system. It's not very popular among hackers since there hasn't been too much information released on it. Most commands will be the same on version 18, if not just execute the Help file. The final element to PRIMOS will be alarm (it will be similar to the one on VMS). I will go a little more in-depth on the ALARM system in Part II (I will have more information on it, and by that time it will be inserted in later revisions of version 20). Basically the alarm will record all unsuccessful logins and will alert the operator at the terminal. The alarm will be a standard part of PRIMOS and can not be shut on and off, from a reliable source, the alarm may come in a different package. ============================================================================= Part II: I will discuss new commands, creating accounts, go more in-depth on the Netlink utility, and any other changes in PRIMOS Version 20. Until then.... You can reach me via the TJ staff account, for questions, requests for more information, and corrections to this article.