The LOD/H Technical Journal: File #8 of 10

Lex Luthor and The Legion Of Hackers Present:

Hacking IBM's VM/CMS Operating System
Part A

INTRODUCTION:
-------------

IBM mainframes make up over 50% of the mainframes used in the United States. These systems are traditionally used in industries such as insurance, banking, universities and so on. For some reason, IBM systems as a whole have not been very popular with hackers. This may be due to the complexity of the Operating Systems run on IBM systems compared to others such as UNIX or VMS. Another reason may be that there is much variety from shop to shop. IBM systems are more commonly modified and customized to fit an individual corporation's needs, and the lack of "universality" for commands, files, programs and other procedures makes it difficult to attempt to use one without any type of specific documentation. The lack of detailed on-line help also hinders the hacker. I believe that the VM/CMS Operating System is by far the best and most easily learned of the IBM systems. But compared to other Operating Systems like UNIX or VMS, VM/CMS is cumbersome and harder to learn.

ACRONYMS:
---------

Before I even attempt to start this article, I will list the IBM-specific acronyms used in this article and some others that you may find on various IBM systems. I list them here so I will not have to do it throughout this article. If you don't know what one of them means later, just refer back to this list.
VM/SP:  Virtual Machine/System Product
CP:     Control Program
CMS:    Conversational Monitoring System
HPO:    High Performance Option
VSE:    Virtual Storage Extended
MVS:    Multiple Virtual Storage
TSO:    Time Sharing Option
JES:    Job Entry System
CICS:   Customer Information Control System
VSAM:   Virtual Storage Access Method
VTAM:   Virtual Telecommunications Access Method
IX:     Interactive Executive
IPL:    Initial Program Load
IVP:    Installation Verification Program
RSCS:   Remote Spooling Communications Subsystem
DASD:   Direct Access Storage Device
EREP:   Environmental Recording Editing and Printing
SNA:    Systems Network Architecture
NCCF:   Network Communications Control Facility
REXX:   Restructured Extended Executor Language
VTOC:   Volume Table Of Contents
DOCS:   Display Operator Console System
JCL:    Job Control Language
ACF:    Advanced Communications Functions
SQL/DS: Structured Query Language/Data System
DBA:    Data Base Administrator
GCS:    Group Control System
SCP:    System Control Program
FDP:    Field Development Program
CNA:    Communications Network Application
POF:    Programmable Operator Facility
PSW:    Program Status Word
SSCP:   Subsystem Services Control Point
IPCS:   Interactive Problem Control System
DCSS:   Discontiguous Shared Segments
VMCF:   Virtual Machine Communications Facility
FIFO:   First In First Out
LIFO:   Last In First Out
AP:     Attached Processor
MP:     Multi-Processor
R/O:    Read/Only
R/W:    Read/Write

LOGGING IN:
-----------

Typically, when you come across a CMS system, it will respond with:

VM/370 ONLINE
!
.

This message is somewhat of a contradiction. The majority of VM/CMS systems are rarely run on actual 370 systems but on other processors, such as the 43XX series and the 30XX series. The period "." prompt is the surest way of verifying that you have indeed connected to a VM/CMS system, aside from the "VM/370 ONLINE" message, which is usually printed. This prompt should not be confused with DEC's TOPS-10 system, which also has a period as its prompt.
The older versions of VM/CMS responded as shown above. The newer versions will give you this menu:

Enter one of the following commands:

LOGON userid              (Example: LOGON VMUSER1)
DIAL userid               (Example: DIAL VMUSER2)
MSG userid message        (Example: MSG VMUSER3 GOOD MORNING)
LOGOFF

This menu may vary from system to system, since a site may opt not to allow a command to be used before logging in and will omit it from the menu, or it may add some commands. When hacking a system this menu will appear before you can attempt to login, thus becoming very tedious and time consuming, especially at 300 baud, as you have to wait an eternity for each logon attempt.

Other responses after connecting are "Ready to Host", "Press break key to begin session" and "Invalid Switch Characters". The last response is commonly found on Telenet and other packet switched networks, in which you may have to specify "VM" for a VM/CMS system, or "TSO" for an MVS/TSO system. There may be other IBM systems to select from, or "VM" may not be a valid system. You may also have to specify "LOGON VM" or just "LOGON" before the port selector connects you to the host system.

LOGON can be abbreviated as just "L". A userid can be from 1-8 characters in length, but the first character MUST be a letter (in most systems you come across this will be true, but due to customization of systems, it's possible that this and even the 8 character password limit may be extended). A typical logon may look like:

.L COMOSOLO SYSGUESS NOIPL

"." is the system prompt, L is the LOGON command, COMOSOLO is the userid, SYSGUESS is the password, and NOIPL is the only 'login qualifier' allowed for the VM/CMS system. NOIPL specifies that the IPL name or device in the VM/SP directory should not be used for an automatic IPL. IPL simulates the LOAD button and the device address switches on the real computer console. Basically it "boots" your part of the CMS system. This is another concept that differs from other systems.
A user can boot (or crash) their part of the system, not the whole system (in most cases). NOIPL would be used when a system dumps you into a program which allows you little or no mobility, such as a restricted menu of options (ie: a system backup utility), and logs you off without your gaining access to CMS. NOIPL will prevent this program from running if it is listed in your automatic IPL entry within the CP directory. This should allow you access to the system. Otherwise, the program was specified to run within your PROFILE EXEC, which lists things to be done upon logon. NOIPL is somewhat similar, but not identical, to the login qualifier "/NOCOMMAND" for DEC's VAX/VMS systems.

If the Password Suppression Facility is installed on the system, you will receive an invalid format message whenever the userid and password are entered on the same line. This is obviously a security measure to prevent users from entering their password in full view of anyone who may be watching, as the password is not "masked". Thus, you will have to enter your password on a separate line when the system prompts you for it. The advantage of entering the userid and password on one line (especially at 300 baud) is that you can try more userids and passwords in a shorter period of time while still availing yourself of the system's generosity in informing you when an invalid userid has been entered.

Error messages:

There are various error messages one may encounter while logging into a VM/CMS system. The ones you should be most concerned about are:

"Userid not in CP directory":
When an invalid userid has been entered, you will receive this message. This indication gives the hacker a distinct advantage for gaining entry to the system. Probably the largest security hole for any system is to tell you when a valid username has been entered. After all, obtaining a valid userid is half the battle. The other half is obtaining a valid password.
Even the weakest Operating Systems no longer give an indication of when a valid ID has been entered. Why IBM has not changed this is a mystery to me. When a valid userid is entered you will be asked to enter a password if you did not already do so. If the password is correct, the system will attempt to log you on; if not, you will receive one of two messages:

"Logon unsuccessful--incorrect password":
As has just been stated, a valid userid has been entered but the password was incorrect. Passwords can be from 1-8 characters long, but in many cases the minimum length is changed to be at least three characters. There is no difference between upper and lower case letters for either the userid or password, as they are converted to upper case by the system, which is another security flaw as it reduces the password possibilities.

"Password incorrect - reinitiate logon procedure":
This is the message received on the older versions of VM/CMS, which means the same thing as the above message.

"Maximum password attempts exceeded, try again later":
The threshold has been reached for userid and/or password attempts. You will receive this message every time you attempt to logon after exceeding the threshold until a variable period of time (probably from 1 to 5 minutes) has elapsed. This locks out ALL users who attempt to login to the system from that particular line. I am not sure whether this is recorded anywhere or whether it is sent to the System Console, so try to determine how many attempts normally trigger this and keep just short of it.

"Already logged on":
This message will appear when you attempt to logon with a valid userid and password and that userid is already online. Unlike other systems, VM/CMS will not allow the same userid to be logged on more than once.

"Userid missing or invalid":
As it implies, nothing was typed after entering the LOGON command, or the format for the userid was not correct, ie: a number was used as the first character or a control character was used somewhere in the userid field.

"Error in CP directory":
The CP directory is the main user directory for the system. Entries in the directory contain: the userid and password, VM I/O configuration, disk usage values, associated virtual and real addresses, privilege classes, virtual processor size, and other options for each user. Without the proper directory entry, a user cannot logon to the system, hence this error message.

"Command not valid before logon":
This occurs when you enter anything other than the commands listed in the menu, ie: entering BONEHEAD will return this message even though "BONEHEAD" isn't a valid command. Why this is, I don't know. So don't get all excited that you found a valid command but couldn't execute it because you weren't logged on.

Accounts:

By constantly compiling userids from various systems you should be able to collect a nice list of accounts which may enable you to gain access to a system. The following are a few which I have found:

OPERATOR  CMSBATCH  AUTOLOG1  OPERATNS  VMTEST  VMUTIL  MAINT
SMART     VTAM      EREP      RSCS      CMS     SNA

As usual, use the username as the password. Things still haven't changed from the Hacking VAX/VMS series...people are just as stupid as they were a few years ago. There are many default accounts which have the passwords listed in some IBM system manuals. These are hard to obtain and are very powerful since some passwords are rarely changed. If you can get access to the defaults, it will greatly expand your collection of systems, I guarantee it.

Dial:

DIAL is used to logically connect lines, whether they be switched (regular dial-up phone lines), leased (dedicated), or logically attached (directly connected), to a previously logged on multiple-access system.
The DIAL command is the only substitute for the logon command. On systems running more than one Operating System, DIAL is used to connect the user to one of those systems. It is rather common to find two or more Operating Systems running parallel to or "under" one another. This is quite different from most other systems, which run alone on the machine. One machine, one Operating System, but not IBM. The ability to have multiple systems running simultaneously while still providing the user with the illusion of it being a single system (ie: the whole idea behind multi-tasking machines is to provide each user with the full resources of the machine so quickly that it appears that he or she is the only one using the system) sets IBM apart from most other computer manufacturers. Some of the systems which run on IBMs are: VM/CMS, MVS/TSO, DOS/VSE, OS/VS1. Some others are: MUSIC, JES and IX/370, which is IBM's version of UNIX and runs under VM/SP.

It is always good to know what other systems are running, and if you are unable to gain access to the 'primary' system, you may be able to gain access to one of the 'secondary' system(s) by use of DIAL. Some systems will require you to specify a line number for certain systems. Others will find a line for you if one is not specified, assuming there are some allocated to that resource. Userids are also dialable. In some cases you have to dial through a particular userid in order to gain access to certain systems or perform certain commands. A typical logon to a DIALed system may look like:

.DIAL MUSICB
DIALED TO MUSICB 040

*Miscellaneous Computer Services
MUSIC/SP 1.1 SIGN ON.

.RESET
DROP FROM MUSICB 040
VM/370
!
.

When it comes to finding a valid line number for systems that can be reached via DIAL, you could be in for some trouble.
If the system requires a line number to be entered (unlike the above example, where line 040 was found automatically), you will not only have to come up with a defined line number, but one that is associated with the system you are attempting to access. Usually you can find this information after logging on to the VM/CMS system in various files, but if you cannot get in, you will have to sequentially enter line numbers. Some that I have seen are 001, 01B, 41A, 040. The VM/CMS system does not appear to limit the number of DIAL attempts a user can make, unlike LOGON attempts. Programming your micro to search for a valid line number to a system should work with no problem. To drop the dialed connection just type RESET.

Error Messages:

"Line(s) not available on 'sysname'.":
Either there are no lines allocated to the system, or you must enter a correct line number.

"Invalid device type - 'sysname' 'line#'":
You have entered a valid system or userid and line number, but the device you are on (the terminal) is invalid. In this case, a GRAF (Graphics) device, system console or 3270 terminal may be the only valid device.

"'userid' not logged on":
The DIAL command cannot be executed unless the user (or system) specified is logged on.

"'line#' does not exist":
A valid userid/system has been entered but the line number for that userid/system is not valid.

Message:

MSG is used to send messages to users who are currently logged on. This command can be issued before (if permitted by the logon menu) and after logging in.

MSG OPERATOR Help! I lost my password! My userid is COMOSOLO

This will send a message to the primary system operator of the system. If there is only one CLASS A user online, the message will be sent to his terminal.

MSG *

This will send a message to yourself. This is useful for identifying the current userid of an abandoned terminal.

Logoff:

The LOGOFF command can be abbreviated as LOG.
After logging off you will receive the following:

CONNECT= 00:33:54 VIRTCPU= 000:00.28 TOTCPU= 000:01.76
LOGOFF AT 17:05:44 EST THURSDAY 04/16/87

CONNECT is the actual clock time you spent while on the system. VIRTCPU is the virtual CPU time that was used. TOTCPU is the total CPU time, both virtual and overhead, that was used.

The HOLD command will hold the connection, allowing you to re-logon again without having to re-dial the system.

.LOG HOLD

SECURITY SOFTWARE:
------------------

There are various weaknesses within VM/CMS, both internal and external, which can be exploited. For this reason, various software security packages have been written. There would not be a need for these in most cases if the people in charge of system security knew what they were doing. Anyhow, these packages do provide added security when properly implemented. The most commonly found are VMSECURE and ACF2. TOP SECRET and RACF are others which are less common. These packages are easily identified. After entering a valid userid, VMSECURE responds with:

VMXACI104R Enter logon password:
**************************
HHHHHHHHHHHHHHHHHHHHHHHHHH
SSSSSSSSSSSSSSSSSSSSSSSSSS
.

One way to positively identify the use of VMSECURE is by using it as a userid. If it is running, it will be a valid userid, and who knows, you may even hack the password. After entering a bad password, ACF2 (Access Control Facility 2) responds with:

ACFV1012 PASSWORD NOT MATCHED
ACFV0044 ACF2, ENTER PASSWORD
**************************
HHHHHHHHHHHHHHHHHHHHHHHHHH
SSSSSSSSSSSSSSSSSSSSSSSSSS
.

These packages provide information which SHOULD be inherent within the Operating System itself. Perhaps newer versions of CMS will contain them.
Some of these features are:

* Last logon date/time
* Password expiration
* Rules for password selection
* Invalidating userids for invalid password attempts
* Invalidating terminals for invalid password attempts
* Showing users how many invalid password attempts have occurred on their userid
* Increased file security

LOGGED ON:
----------

After logging on you may receive something similar to the following:

ASD 190 LINKED R/O; R/W BY MAINT; R/O BY 030 USERS
LOGMSG - 10:40:25 EST FRIDAY 05/22/87
*********************************************************************
* WELCOME TO MISCELLANEOUS COMPUTER SERVICES                        *
* -VM1-                                                             *
* SYSTEM WILL BE DOWN FROM 10:00 TO 10:30 EST SUNDAY MAY 24, 1987   *
*********************************************************************
Logon at 13:22:59 EST FRIDAY 05/22/87
VM/SP REL 4 04/20/86 11:33
R; T=0.01/0.01 13:23:10
.

Line #1: This line shows that the disk at virtual address 190 is linked with R/O access by you, R/W by userid MAINT and R/O by another 30 users.

Line #2: This shows that the logon message was created at 10:40 on Friday.

Lines #3-7: This is the message that is shown to all users of the system upon logging on. Some systems may not have one.

Line #8: The actual time of logon is printed.

Line #9: The current RELEASE of VM/SP and the time and date it was installed is shown.

Line #10: This is the ready message and it is printed after every command is performed, where:

R= Ready. This indicates that the system is ready for input.
T= Time. The first series of numbers tells how long it took the system to perform the last task. The second set of numbers gives the time of day.

If you do not receive the ready message you are in CP and must IPL CMS in order to issue CMS commands.

Line #11: The system prompt; you can now enter commands.

PRIVILEGE CLASSES:
------------------

As with most other Operating Systems, a user must have sufficient privileges in order to execute certain commands.
Every CP command belongs to one of eight IBM defined privilege classes. The CP directory defines which users can use which classes of commands. Each user has one or more privilege classes, as does each CP command. If you try to issue a command that does not match the assigned privilege class of the userid you are using, the system will not process the command. As far as I know, no records of attempts to use privileged commands are kept.

Class  User and Function
---------------------------------

A      Primary System Operator: The class A user has the ability to control the system. Any user who uses the VM/SP system console possesses this privilege class. This user can broadcast messages, control system accounting, and issue commands which affect the overall performance of the system.

B      System Resource Operator: The class B user has the ability to control all the "real" resources of the system, except those controlled by the spooling and primary system operators.

C      System Programmer: Class C users can modify real storage as opposed to virtual storage.

D      Spooling Operator: The class D user controls spooling data files.

E      System Analyst: Monitors and interprets system performance data.

F      Service Representative: This class is usually given to accounts that IBM Field Service personnel use for updates and also for diagnosing system problems.

G      General User: Class G users are the most prominent on the system. This privilege allows the user to control functions associated with their own virtual machine.

Any    The Any classification is given to certain CP commands which are available to any user. The commands are usually limited to Login and Logoff.

H      Class H is reserved for IBM use.

Due to the individual needs of a site, privilege classes can be tailored to suit the facility. A total of up to 32 classes can be made. They would be shown in the CP directory as A-Z and 1-6.

Typical Privilege Classes for a few common userids:

Userid:      P.C.
-------------------------
OPERATOR     A
EREP         F
OPERATNS     BCEG
MAINT        ABCDEFG

COMMANDS:
---------

Commands are made up of command names, operands, and options.

Command Name: A command name is an alphanumeric symbol of up to 8 characters.

Operands: These specify the information on which the system operates when it performs a command function.

Options: These keywords are used to control the execution of a command. When used, they must be preceded by a left parenthesis, but a closing one is not necessary.

Different commands are used within different environments. To see which environment you are in, simply hit return at the period prompt. You will receive one of the following: CMS, CP, XEDIT.

There are many commands that are useful to both regular system users and hackers. HELP is available on some systems, particularly on university systems. It is extensive but not as clear as, say, UNIX or VMS, which is typical of IBM. Nevertheless, HELP is useful and you should get hardcopies of as many commands as you can. AID is another form of HELP which may be useful to you in learning more about the system. One nice feature of CMS HELP is that when you receive an error message, you can enter:

.HELP DMS000000 or DMK000000

Where DMS000000 or DMK000000 is the error message you have received. The system will then explain what it is, why it happened and how you can correct it.

I am going to hold off on explaining any and all commands related to minidisks until the next section. The others which I have found to be useful are as follows. You can issue any CP command while in CMS by prefixing the command with CP.

QUERY

Query allows you to obtain various information about the system. A full list can be found by using HELP.
One of the most important QUERY commands to the hacker is:

.Q NAMES
OPERATOR - 01F, SMART    - DSC, CMS0349  - B27, LOGO0180 - B31
VSM      - VMVS1
SCOTT    -TP11WFM2, CMS1211  -TP11WF64, OPERATNS-TP11WFY1
R; T=0.01/0.01 11:34:28

There can be many users online; usually this list will contain from 30 to 100 users. The last user to come online was OPERATNS, since it was last in the list. The SMART userid is DSC, or in a disconnected state. Usually a terminal will remain disconnected for 15 to 30 minutes and then is totally logged off the system. If you logon to an already disconnected terminal, the system will reply with "RECONNECTED AT time". The other 2 userids on the same line as SMART are probably connected terminals which are in a pre-logged in or pending logon state. VSM - VMVS1 is another system running parallel to (or under) CMS.

The QUERY NAMES command allows you to gain a little more security for yourself on the system. It allows you to gain more valid usernames to attempt passwords for in the unfortunate event that your current userid dies. Another use is that you can start to compile your "common accounts" list of userids which are found on VM/CMS systems. This list should get larger and larger as you gain access to more and more systems, and will allow you to gain access to more systems as it gets larger.

If you can't count how many users are online from the Q NAMES list:

.Q USERS
0007 USERS, 0000 DIALED, 0000 NET

If you didn't catch the logon message you can view it again by:

.Q LOGMSG

To see what release of CMS the system is:

.Q CMSLEVEL
VM/SP REL. 4, SERVICE LEVEL 417

If you are wondering which IBM mainframe CMS is running on, you can issue:

.Q CPUID
FF01472343810000

This can be interpreted as follows:

CPUID= aabbbbbbccccdddd

aa=     "FF" when running VM/SP
bbbbbb= The processor ID number
cccc=   The model number of the system. In the above case, CMS is running on an IBM 4381 system.
dddd=   "0000" This is not used for CP.
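The QUERY responses above lend themselves to being parsed rather than read by eye, which is how an operator keeps an eye on disconnected (DSC) virtual machines that will be force-logged-off, on how many terminals are dialed or in a pending-logon state, and on which system a given CPUID model field points to. The Python below is an added example, not code from the journal or from IBM. Its input is the article's own Q NAMES, Q USERS and Q CPUID output, embedded here as constructed sample strings, and the only layout it assumes is the one the article describes: "userid - location" pairs separated by commas, the "nnnn USERS, nnnn DIALED, nnnn NET" counts, and the aabbbbbbccccdddd split of the CPUID.

```python
"""Parse CP QUERY NAMES / QUERY USERS / QUERY CPUID responses into
structured data for session inventory and hardware identification."""
import re

# Sample responses copied from the article's own examples (constructed
# test input for this example, not output captured from a live system).
Q_NAMES_SAMPLE = """\
OPERATOR - 01F, SMART    - DSC, CMS0349  - B27, LOGO0180 - B31
VSM      - VMVS1
SCOTT    -TP11WFM2, CMS1211  -TP11WF64, OPERATNS-TP11WFY1
R; T=0.01/0.01 11:34:28
"""
Q_USERS_SAMPLE = "0007 USERS, 0000 DIALED, 0000 NET"
Q_CPUID_SAMPLE = "FF01472343810000"

# One "userid - location" pair.  A userid is 1-8 characters starting with a
# letter (as the article states); the location is a line address, DSC, or
# the name of a system running under CP (e.g. VSM - VMVS1).
_ENTRY = re.compile(r"([A-Z][A-Z0-9]{0,7})\s*-\s*([A-Z0-9]+)")


def parse_q_names(text):
    """Return [(userid, location), ...] in the order CP printed them.
    The trailing ready message (R; T=...) contains no '-' pair and is
    therefore ignored without special casing."""
    return _ENTRY.findall(text)


def disconnected_users(entries):
    """Userids whose virtual machine is running with no terminal attached."""
    return [uid for uid, loc in entries if loc == "DSC"]


def last_logged_on(entries):
    """The article notes that the last entry is the most recent logon."""
    return entries[-1][0] if entries else None


def parse_q_users(text):
    """Return the three counters of a QUERY USERS response as ints."""
    m = re.match(r"(\d+) USERS, (\d+) DIALED, (\d+) NET", text.strip())
    if not m:
        raise ValueError("unexpected QUERY USERS format: %r" % text)
    return {"users": int(m.group(1)), "dialed": int(m.group(2)),
            "net": int(m.group(3))}


def decode_cpuid(cpuid):
    """Split the 16-hex-digit CPUID into the fields the article lists:
    aa (FF under VM/SP), bbbbbb (processor ID), cccc (model), dddd (unused)."""
    cpuid = cpuid.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{16}", cpuid):
        raise ValueError("CPUID must be exactly 16 hex digits: %r" % cpuid)
    return {"version": cpuid[0:2], "serial": cpuid[2:8],
            "model": cpuid[8:12], "unused": cpuid[12:16]}


if __name__ == "__main__":
    entries = parse_q_names(Q_NAMES_SAMPLE)
    print("%d entries, disconnected: %s, last logon: %s"
          % (len(entries), disconnected_users(entries), last_logged_on(entries)))
    print(parse_q_users(Q_USERS_SAMPLE))
    print("model:", decode_cpuid(Q_CPUID_SAMPLE)["model"])
```

On the article's sample this yields eight entries, SMART as the only disconnected userid, OPERATNS as the most recent logon, and model 4381 from the CPUID; note that the Q USERS figure on the page comes from a different moment than the Q NAMES listing, so the two are not expected to agree.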
SENDFILE

SENDFILE allows you to send files from any minidisk that is currently accessed by you to another user. Any time you send a file, an entry is made in the file USERID NETLOG (where USERID is the user you are sending the file to). This command is also used for sending NOTE files, which can be created with an editor and sent to whomever as E-MAIL.

HX

If you are tired of seeing a text listing, or have attempted to read a compiled program and wish to exit or break out of it, simply hit a hard-break, and then type HX. HX stands for Halt eXecution. It will halt whatever you are doing and put you back into the CMS environment. It may take a few lines of text after entering it for the system to stop the process.

--- End of Part A ---
--- Attach Part B here ---
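As a defender's counterpart to the Accounts and Privilege Classes sections of Part A, the following Python audits CP directory USER statements for the weaknesses the article describes: a password equal to the userid, a password below the three-character minimum many sites enforce, class characters outside the A-Z and 1-6 set, and privileged classes (A, B, C) granted beyond a site's documented baseline. It is an added example, not code from the journal or from IBM. It assumes the VM/SP USER statement layout "USER userid password storage maxstorage classes", treats a missing class field as class G, and runs on a constructed sample directory whose baseline is the article's own table of typical classes for OPERATOR, EREP, OPERATNS and MAINT.

```python
"""Audit CP directory USER statements for weak passwords and
over-privileged userids.  Directory format is assumed, sample data is
constructed; nothing here is from a real system."""

# Constructed sample directory.  OPERATOR, EREP, OPERATNS and MAINT carry the
# "typical" classes the article tabulates; MAINT, VMUTIL and COMOSOLO are
# deliberately weak so the audit has something to report.
SAMPLE_DIRECTORY = """\
USER OPERATOR X7Q2RTL8 1M  2M  A
USER EREP     E9KLPM2V 1M  2M  F
USER OPERATNS N4VB7WQ1 1M  2M  BCEG
USER MAINT    MAINT    16M 32M ABCDEFG
USER VMUTIL   AB       1M  2M  G
USER COMOSOLO SYSGUESS 1M  2M  ABG
"""

# Site baseline: the article's "typical privilege classes" table.
BASELINE_CLASSES = {"OPERATOR": "A", "EREP": "F",
                    "OPERATNS": "BCEG", "MAINT": "ABCDEFG"}
# A = primary system operator, B = system resource operator,
# C = system programmer (can modify real storage).
PRIVILEGED = set("ABC")
# Up to 32 classes, shown in the directory as A-Z and 1-6.
VALID_CLASS_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ123456")
MIN_PASSWORD_LEN = 3   # the raised minimum the article says many sites use


def parse_directory(text):
    """Return one dict per USER statement: userid, password, classes.
    CP folds userid and password to upper case, so the audit does too."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].upper() != "USER":
            continue   # other directory statements are not audited here
        if len(fields) < 3:
            raise ValueError("malformed USER statement: %r" % line)
        entries.append({
            "userid": fields[1].upper(),
            "password": fields[2].upper(),
            # Assumption: a USER statement without a class field defaults to G.
            "classes": fields[5].upper() if len(fields) > 5 else "G",
        })
    return entries


def audit(entries):
    """Return a list of (userid, finding) tuples; empty means clean."""
    findings = []
    for e in entries:
        uid, pw, classes = e["userid"], e["password"], set(e["classes"])
        if pw == uid:
            findings.append((uid, "password equals userid"))
        if len(pw) < MIN_PASSWORD_LEN:
            findings.append((uid, "password shorter than %d characters"
                             % MIN_PASSWORD_LEN))
        bad = classes - VALID_CLASS_CHARS
        if bad:
            findings.append((uid, "undefined class characters: %s"
                             % "".join(sorted(bad))))
        expected = BASELINE_CLASSES.get(uid)
        if expected is not None:
            extra = classes - set(expected)
            if extra:
                findings.append((uid, "classes beyond baseline: %s"
                                 % "".join(sorted(extra))))
        elif classes & PRIVILEGED:
            findings.append((uid, "privileged classes %s not in baseline"
                             % "".join(sorted(classes & PRIVILEGED))))
    return findings


if __name__ == "__main__":
    for uid, finding in audit(parse_directory(SAMPLE_DIRECTORY)):
        print("%-8s %s" % (uid, finding))
```

On the sample the audit reports three findings: MAINT with its userid as password, VMUTIL with a two-character password, and COMOSOLO holding classes A and B without appearing in the baseline. The baseline check is the part worth keeping current at a real site, since the article's point about MAINT and OPERATNS is precisely that these userids carry operator and system-programmer classes and so deserve the strongest passwords in the directory.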