_______________________________________________________________________________ INTRODUCTION TO THE PRIMOS OPERATING SYSTEM Part I (Identification and Penetration) Written by Violence Copyright (C) 1989 The VOID Hackers _______________________________________________________________________________ INTRODUCTION to This Series This is the first in a public-release series of articles dealing with Prime computers (both mini's and supermini's) and their respective operating system, PRIMOS. PRIMOS is one of the several operating systems that the general hacker community has avoided due to unfamiliarity. In all actuality, PRIMOS is a very user-friendly operating system and as such, demands respect. In this series of articles I will cover everything that is important to the aspiring PRIMOS hacker. In the syllabus are: Part Contents ---- ------------------------------------------------------------------------ I Identification, and penetration, PRIMOS command line, command types II Making Your Stay Last Longer, Basic PRIMOS Commands, Internal Security III Useful PRIMOS Applications IV Prime Network Communications (PRIMENET and Associated Utilities) V Language Interpreters and Compilers, Advanced PRIMOS Commands ---- ------------------------------------------------------------------------ That about covers it. This series is largely based on extensive on-hands use, and all the information provided herein is guaranteed to be 100% accurate in regards to Revisions 19.xx through 22.xx of PRIMOS. I do occasionally address pre-revision 19.xx systems, but only in passing as they are extremely uncommon. In addition, all sample programs included herein have been fully tested. All PRIMOS output samples were taken from a Revision 22.0.0 PRIMOS system. I chose to write this series in a technical manner, but not like a typical AT&T document (grin). All in all, this series does not equal or even come close to the actual PRIMOS documentation, but since such documentation is generally un- available to the hacker community, I have tried my best to create a series that proves as an acceptible alternative. Due to the high content of information I have provided herein, you are advised to obtain all of the parts to this series and dump them to your printer. Spend a day reading and comprehending them. I suggest that you read the entire series before beginning to hack at Primes. NOTE IN CLOSING: I have opted to remain purposefully vague in some areas due to potential abuse. This seems to be the rage these days and I'm sorry if that upsets you, but I have no wish to compromise any of Prime Computer, Inc.'s trade secrets. _______________________________________________________________________________ WHAT'S IN PART I? There is so much to get started with that I wasn't able to get everything in to Part I. This makes the subsequent parts of this series vital to the comprehen- sion of the information presented here. There is tons more to cover, so I will urge you some more to go ahead and get ALL of the other parts. Inside this in- stallment I shall cover: o Conventions Used Throughout This Series o System Identification o Front-End Security and Penetration o The PRIMOS Command Line o A Discourse on PRIMOS Command Types o How PRIMOS Interacts With Its Users In 'Part II' I will completely detail the typical internal security setup and how to improve your security, as well as the many internal snooping tactics that I use in my day-to-day Prime wanderings. I will also discuss the vital PRIMOS commands that should be memorized. _______________________________________________________________________________ CONVENTIONS USED THROUGHOUT THIS SERIES As with any multi-part series, a set of standards is needed, otherwise the rea- der may become confused. In writing this series of articles, I had to make an important decision regarding the conventions used within command examples and with the numerous hands-on examples scattered throughout the text. All command references in this series will follow the conventions put forth in the PRIMOS reference manuals and online help facilities. Conventions follow: WORDS-IN-UPPERCASE identify command words or keywords and are to be entered literally. All command abbreviations will be listed following the actual full command name. Words-in-lowercase identify arguments. You substitute the appropriate numer- ical or text value. Braces { } indicate a choice of arguments and/or keywords. At least one must be selected. Brackets [ ] indicate that the word or argument enclosed is optional. Hyphens - indicate a command line option and must be entered literally. Parenthesis ( ) must be entered literally. Ellipses ... indicate that the preceeding argument may be repeated. Angle Brackets < > are used literally to separate the elements of a pathname. options: The word 'options' indicates that one or more keywords and/or argu- ments can be given and that a list of options for the command follow. All examples throughout this text will be indented '8' spaces so that they will be easily identifiable. All text typed by the user in these examples will be completely displayed in lowercase characters. PRIMOS output will then be easy to identify. _______________________________________________________________________________ SYSTEM IDENTIFICATION PRIMOS is Prime's uniform operating system for their extensive line of mini- and supermini computers. If you have ever read some of the articles detailing the PRIMOS operating system floating about, then you may have a basic working knowledge of PRIMOS and such. I will be referencing some of these articles in this series occasionally (all references are listed in the "References" section at the end of the last part of this series). A few years back, the Prime model 750 was all the rage. No longer is that the case, however. Now days there are many models of Primes and corporations and governments (the two main Prime owner classes) purchase the models that best suit their individual needs. Thusly, you will find Prime 250's (ancient) and 750's (also ancient, but still in use) to Prime 4150's (a mid-range system) and the huge Prime 9550's (high-end mini's). On the high-end of this you will also find Prime MCXL's (super-mini's) and Prime workstation clusters. As you can see, the army of Primes is astoundingly large. Equally large in number are the revisions of PRIMOS that they run. About all that you will see these days are Rev. 20.xx and greater but you will, on occ- asion, find a revision 17.xx, 18.xx, or 19.xx system. About the only places you will find 17.xx and 18.xx systems are on foreign packet-switched networks (PSN's) (like on Brazil's Interdata or Renpac networks and Japan's Venus-P/NTII or DDX-P/KDD networks). A scant few 18.xx and 19.xx systems are still operat- ing in the United States. As said previously, however, you will most likely find from Rev's 20.xx through 22.xx systems here (and in most other countries). To understand how PRIMOS interfaces with users you need to have a good working grasp of what the standard PRIMOS operating system model looks like. To do this you need a decent abstract model. Here: Identifying a Prime mini- or supermini computer is not very difficult. Primes generally behave in one of two ways when connected to. They either sit there, echoing nothing to your screen or, in the case of a PRIMENET-equipped system, display their PRIMENET nodename. In the former case, try this simple test upon connecting. Type a few random keystrokes followed by a RETURN and take note of what the host system responds with. If it responds with a battery of error messages followed with the rather distinctive 'ER!' prompt, then it is a Prime. Here is an example: asdf Invalid command "ASDF". (processcommand) Login please. ER! Any Prime that just sits there waiting for you to login is not running PRIMENET and generally lacks inter-system communications capability. On the other hand, those systems that are equipped with PRIMENET jump right out and yell "Hey! I'm a Prime!", as they display their revision of PRIMOS and their system nodename upon connect. Here is an example: PRIMENET 21.0.3 VOID That's all there is to Prime system identification. Like I said, it's a rather trivial task. _______________________________________________________________________________ FRONT-END SECURITY AND SYSTEM PENETRATION Now that we have located a Prime, how do we bypass the front-end security and get in? Well, before I can begin to answer that question a little discourse on the security itself is required. The government has granted Primes a C2 security rating. To give you an idea of what that means, VAXen are also classed as C2 systems. Hoewever, that C2 rat- ing sort of 'fluctuates' about. External security should really be a bit high- er, as Prime Computer, Inc. tells their administrators to remove all defaults. Not very nice, eh? On the other hand, internal security is not so hot. I'll discuss internal security more fully in the next Part of this series. The front door is similar to PRIMOS command level in that it utilizes the comm- and line (the prompting and I/O sub-systems). The only command which you can enter at this level of operation is the LOGIN command. There is no 'who' comm- and available to you prior to system login. As Evil Jay pointed out in his "Hacking PRIMOS" files (volumes I-III), there is no easy way to get into a Prime computer, as its front-door security is excellent. At this point only one option lies available, unless, of course, you know some- one on the inside (grin). This option is default accounts. How nice of Prime Computer, Inc. to install so many default accounts at their factories. As I have said, however, they tell their administrators to remove these default acc- ounts after the system has been installed. Not a few administrators fail to remove these defaults, however, and that is good for us. Also, never forget that Prime users are people and people like to use easy-to-remember passwords. But before I go any further, let me explain the LOGIN command in greater detail (patience is a virtue, you know). Typically you will type 'LOGIN' and press RETURN. You will then be requested first for User ID and then your password. Here's yet another example: login User id? user Password? Invalid user id or password; please try again. Login please. ER! Well, that sure didn't work. Notice how PRIMOS didn't echo your password to you. The above example is from a non-PRIMENET Prime. After this bad entry you are probably still connected, so you can have another go at it. A non-PRIMENET system generally has a high bad-login threshold, so you can make many attempts per connect. A PRIMENET system on the other hand is more of a bitch to hack as it will disconnect you after the first incorrect login. Here's another example (assuming you are hacking a PRIMENET system from the TELENET X.25 network): @214XXX 214 XXX CONNECTED PRIMENET 20.0.0 VOID login user Password? Invalid user id or password; please try again. 214 XXX DISCONNECTED 00 00 00:00:00:08 9 7 As you can see, one chance is all you get with a PRIMENET system. A minor note is in order here regarding all the myriad of X's in the above example. I have masked the last three digits of the system's NUA (Network User Address), for I do not wish all you eager PRIMOS hackers to start banging on my system's front door (grin). I have also edited the system's nodename from its actual nodename to a more appropriate one (grin). I will continue to mask all system identifi- cation from my examples. So far you are accustomed to typing in 'LOGIN' and pressing RETURN to start logging in. On all Primes you can nest the 'LOGIN' command and your User ID in the same line, as is illustrated in the following example: login user Password? And on a very few other Primes you can do a full LOGIN nest, as such: login user password You might not wish to use full-nesting capability when other hackers are lurk- ing about, as they might decide to practice shoulder surfing (grin). If a User ID/password combination (hereafter referred to as an 'account') is valid, you will recieve the following login herald from PRIMOS: USER (user 87) logged in Sunday, 22 Jan 89 16:15:40. Welcome to PRIMOS version 21.0.3 Copyright (c) 1988, Prime Computer, Inc. Serial #serial_number (company_name) Last login Wednesday, 18 Jan 89 23:37:48. 'serial_number' and 'company_name' will be replaced by the actual serial number and company name of the company that owns the Prime computer site. Just one more small thing I need to cover about the 'LOGIN' command right now, and that is login troubles. Troubles? You bet'cha. The first trouble occurs when the account you login to exists and is valid, but it doesn't have an init- ial ATTACH point (in other words, you don't seem to have a 'home' directory). This is no fun, since this account cannot be logged into. Bah. The other tro- uble is remote user passwords. This is definitely no fun. The prompt for such are generally different from one another, as they run both commercial and cust- om written software to handle this. When you come upon a remote password, try the User ID and, if that doesn't work, then try the system's nodename. If both of these attempts fail, you can either keep trying passwords (brute-force hack- ing) or you can give it up and move onto the next account or system. A popular commercial front-end security package is "LOGINSENTRY" from Bramalea Software Systems, Inc. "LOGINSENTRY" is an excellent package, so good luck when you go up against it. It supports remote passwords, password aging, old-password databasing, etc. That's about all you need to know about the 'LOGIN' command right away. In the section on Prime Networking I will discuss the remote login feature (similar to the UNIX 'rlogin' command). For now, this will suffice. Here is a listing of default PRIMOS accounts along with some other accounts I find that work occasionally (i.e, more than just once): NOTE: The '+' and '*' symbols are not parts of the User ID. User ID Password Comments _______________________________________________________________________________ + ADMIN ADMIN, ADMINISTRATOR Administrator account + CMDNC0 CMDNC0 External command UFD maintenance * DEMO DEMO, GUEST Demo account + DIAG DIAG Diagnostic account + FAM FMA File Access Manager + GAMES GAMES Games account (only on schools) * GUEST GUEST, VISITOR Demo account + HELP HELP Help subsystem account + INFO INFO Information account + JCL JCL Job Control Language account + LIB LIB, LIBRARY Library maintenance account + NETMAN NETMAN Network controller account + NETPRIV NETPRIV Network priv account + NEWS NEWS News account + NONETPRIV NONETPRIV Network nopriv account * PRIME PRIME Prime account + PR1ME PR1ME Prime account + PRIMOS PRIMOS Prime account + PRIMOS_CL PRIMOS_CL Prime account + REGIST REGIST User registration account + RJE RJE Remote Job Entry account + STUDENT STUDENT, SCHOOL Student account (only on schools) * SYSADM SYSADM, ADMIN Administrator account * SYSTEM SYSTEM Administrator account + TELENET TELENET GTE TELENET account * TEST TEST Test account + TOOLS TOOLS Tool maintenance account _______________________________________________________________________________ Several of these combinations will not work, as they are initial system setup accounts and the administrator, after setup, changes them or completely removes them (Prime Computer, Inc. advises this). I have denoted these accounts with a '+' symbol. The accounts marked by a '*' are the ones that I find work most commonly. More often than not they have good privileges (with exception to GUEST). Notice SYSADM. Say, isn't that a UNIX default? Sure it is but I have found it to work so many times that I just had to assume it was a default of some sort. As for TELENET I have yet to see it work, but Carrier Culprit states in the LOD Hacker's Technical Journal file on PRIMOS (LOD T/J Issue 2) that it works some- times. Lastly, unlike UNIX, the PRIMOS LOGIN subsystem is not case-dependant. This is good, as case dependancy gets boring at times. User ID "system" is the same as "SYSTEM". PRIMOS maps all command line input to upper case prior to processing it. This is true for logins and commands. Although your typing appears in lower case, PRIMOS interprets it in upper case. No big deal. Just thought I'd mention it. All of this information is for 19.xx through 22.xx systems. I do believe that I will make an appendix for logging into revision 17.xx and 18.xx systems beca- use you never know when you might find one. And besides, once you have experi- enced a revision 17.xx or 18.xx system you will love revisions 21.xx and 22.xx that much more! _______________________________________________________________________________ THE PRIMOS COMMAND LINE Before I go on any further some discussion on the PRIMOS command line is in or- der. The command line is the agent that accepts your input and then transports the input to the command processor (known affectionately as '(processcommand)') for parsing. The PRIMOS command line is interesting in the fact that it utilizes two prompts in it's execution. These prompts are 'OK,' and 'ER!'. There is no difference in the two, save that the 'ER!' prompt is displayed only after you make a mist- ake and are given an error message. After successful execution of a command, however, you will see the 'OK,' prompt again. You can alter these prompts with a special command, but I will save that for the section I have planned on cust- omizing your environment. Of all the most popular command lines (PRIMOS, UNIX, VAX/VMS) I like the PRIMOS command line the most. You can have separate commands on the same command line (just separate them with a semicolon), and so forth. No command (along with all options and arguments) can be longer than 160 char- acters. If you should enter a command line longer than 160 characters then it will be rejected by the command processor and you will get the following error message: Command line longer than 160 characters. (listen_) The PRIMOS command line has several special features, and some of these are: o User-defined abbreviations o Command line syntax suppression o Multiple commands on one line o User-defined global variables o PRIMOS command functions o Command iteration o Wildcard names o Treewalk pathnames o Name generation patterns There will be full discourses on user-defined abbreviations and command func- tions later in this series. The PRIMOS command processor identifies these features by searching for special characters entered in the command line. These special features, in the order that they are searched for, are given in the following table (this table repro- duced from the Revision 19.xx Command Reference Manual, still pretty current in this regard). Be aware that user-defined functions are always processed first and use no spe- cial characters of any sort. FEATURE SPECIAL CHARACTER COMMENTS ------------------------------------------------------------------------------- Abbreviations No special characters Syntax suppressor In first position on line only Command separator ; Global variables % % Functions [ ] Iteration ( ) Treewalking @,@@,+,^ In any intermediate position of pathname Wildcarding @,@@,+,^ In final position of pathname Name generation =,==,^=,^==,+ ------------------------------------------------------------------------------- When these special characters are found, the PRIMOS command processor substi- tutes the value of the item for the item itself. This is 'one-to-one' substi- tution. Iteration lists cause the command processor to create one command for each item found or matched on the iteration lists. In the case of wildcard or treewalk names, the user sets the pattern and the command processor searches the spec- ific directory or directories for all file system objects that "match" that pattern. These features can be thought of as creating "many-to-one" matches. Name generation patterns can be used to create matching names either for simple filenames or for whatever number of filenames resulting from a wildcard or treewalk name. NOTE: All commands support all the features listed above. The general rule is as follows: if a feature is not useful in connection with a particular command, then that command will not recognize it. _______________________________________________________________________________ A DISCOURSE ON PRIMOS COMMAND TYPES There are two kinds of PRIMOS commands, internal and external. Internal comm- ands are built right inside of PRIMOS (i.e, in the compiled programs that make up PRIMOS). External commands are programs located in the CMDNC0 directory. When an external command's filename is typed (the name of the command, less the file extension) then the program is invoked. Of course, you may add the file's extension if you wish, as it will work, but that is defeating the purpose. The reason for internal and external commands is twofold. The PRIMOS files (usually located in the DOS directory) take up a lot of memory. Not all Prime systems have whopping loads of memory, so Prime made sure that PRIMOS was able to be executed flawlessly (memory constraint-wise) on all system models. Only the MOST important commands were built inside of PRIMOS. Less vital (yet still vastly important) commands were made to be external commands. Secondly, diff- erent sites have different needs. Prime recognized this need and their command structure allows for the easy customizing of PRIMOS commands (adding, changing, removing, creating). It's an ideal setup, really. _______________________________________________________________________________ HOW PRIMOS INTERACTS WITH ITS USERS To understand how PRIMOS interfaces with users you need to have a good working grasp of what the standard PRIMOS operating system model looks like. To do this you need a decent abstract model. Here: __ ________________________ __ | | | | | | | | | CMDNC0 Externals | | | | | | __________ | | | Requests | |->| | | |<-| | Requests | | | | Kernel | | | | Replies | |<-| |__________| |->| | Replies | | | | | | | | | Command Line | | | |__| |________________________| |__| User Phantom Processes Processes As you can see, PRIMOS is made up of the kernel (the heart of the operating system; the command processor and all of the internal commands) as well as the CMDNC0 externals (prograns; external commands) and the PRIMOS command line (what the user uses to interact with PRIMOS). _______________________________________________________________________________ Well, I have come to the end of the first installment of five of the Introduct- ion to the PRIMOS Operating System. In the next part I will detail: o Making Your Stay Last Longer o Basic PRIMOS Commands to Memorize o A Full Discourse on User-to-User Communication o Internal PRIMOS Security o Exploring the Vast Reaches of a Prime Until then may the forces of darkness become confused on the way to your house. _______________________________________________________________________________ End of Part I of the "Introduction to the PRIMOS Operating System". _______________________________________________________________________________