TSX-Plus Password Hacking & Other PDP-11 Issues

From: R. D. Davis <rdd_at_rddavis.org>
Date: Wed May 7 20:37:01 2003

Quothe Rick Bensene, from writings of Wed, May 07, 2003 at 04:30:06PM -0700:
> Next question, back on the TSX-Plus password hacking part of the thread;

You mean password cracking, not hacking (refer to TNHD). Anyway,
enough picking nits and on with the info. that you need... :-) Not
sure if Big Brother's screwy laws make it illegal to share such info.
now, but it would be wrong to not share this info., so, here goes...

Here's a copy of some info. from Usenet that others kindly provided me
with a couple of years ago... ermmm, I mean, almost a decade ago...
wow, the message headers even contain bang paths! How time flies.


|Article 1121 of vmsnet.pdp-11:
|Path: news.umbc.edu!europa.eng.gtefsd.com!MathWorks.Com!mvb.saic.com!info-pdp11
|From: Roger N Wallace <rwallace_at_world.std.com>
|Newsgroups: vmsnet.pdp-11
|Subject: Re: RT/11 Booting, backups, floppy duplication, CPU (was: 11/73 Cabling)
|Message-ID: <Pine.3.89.9408240609.A28273-0100000_at_world.std.com>
|Date: Wed, 24 Aug 1994 07:12:59 -0400 (EDT)
|Organization: Info-Pdp11<==>Vmsnet.Pdp-11 Gateway
|X-Gateway-Source-Info: Mailing List
|Lines: 53


>On 23 Aug 1994, davis robert wrote:

>>
>> Out of curiosity, I entered "TSX" at the prompt and TSX appeared to
>> start up! I hit a dead-end however when I couldn't get past the
>> password prompt... I couldn't guess any of the right passwords or
>> usernames. :-( I'll take a look through the TSX-Plus manual before I
>> ask any more questions about this.
>>

> Fortunately (for this situation), it is very easy to circumvent
>TSX+ security _provided_ you have physical access to the system and can
>boot RT-11. Incidentally, TSX+ _must_ start from the single-job monitor
>under RT-11, so that monitor (or the "baseline" monitor, which is
>essentially a "featureless" version of -SJ) is what you have.
>
> As to getting "in" to TSX+, characteristics of each of the terminal
>lines are set in initialization "command" files, which are normally given
>names like LINE1.*, LINE2.*, ....., where * is usually either "COM" or "TSX".
>The "TSX" extension makes editing the file [when running under TSX+] a
>privileged operation. LINE1 is usually assigned to the system console.
>In some cases (which would make your task a bit more complicated) the
>individual LINEn.* files will contain only characteristics of that particular
>line, with more general characteristics set with a call to a "LINES.*" file.
>
> When you get to the point that you can use the RT-11 text editor "KED",
>open the LINE1.* file and look for a line like:
>
> RUN/LOCK LOGON
>
>which, depending on TSX+ version [check the TSX+ startup banner], could be
>abbreviated to something like:
>
> r logon
>
>Simply delete this line. The LOGON program will then not be called when the
>line starts up, and no password prompt will appear. If the RUN LOGON command
>is not in the LINE1.* file, check any command files _called_ by LINE1.* for
>occurrence of the command, and delete it where you find it.
>
> Typically, the system console under TSX+ is set up to start
>automatically as TSX+ boots. It _may_, however, be necessary to hit a
>carriage return to initiate the LINE1.* procedure.
>
> You're in reasonably good shape since you apparently have running
>versions of RT-11 and TSX+. However, if the hard drive is a _real_ ST-412
>(or DEC RD-51) with only 10 MB, then it is likely that -- in order to save
>space -- not all system software components were installed.
>
> Roger Wallace


|Article 1125 of vmsnet.pdp-11:
|Path: news.umbc.edu!europa.eng.gtefsd.com!howland.reston.ans.net!pipex!lyra.csx.cam.ac.uk!doc.ic.ac.uk!uknet!festival!unixa.nerc-murchison.ac.uk!unixa.nerc-murchison.ac.uk!not-for-mail
|From: e_gs18_at_ub.nmh.ac.uk (Russ Evans)
|Newsgroups: vmsnet.pdp-11,alt.sys.pdp11
|Subject: Re: RT/11 Booting, backups, floppy duplication, CPU (was: 11/73 Cabling)
|Date: 24 Aug 1994 18:41:11 +0100
|Organization: British Geological Survey (RG-N)
|Lines: 32
|Message-ID: <33g0nn$aga_at_unixa.nerc-murchison.ac.uk>
|References: <32peitINNp95_at_umbc8.umbc.edu> <U0PKkaE96FCD065yn_at_world.std.com> <336hepINN461_at_umbc8.umbc.edu> <uXzLkaE96xyU065yn_at_world.std.com> <33ed8iINNpfa_at_umbc8.umbc.edu> <Cv0x7K.7DG_at_world.std.com>
|NNTP-Posting-Host: mhua.nmh.ac.uk
|Xref: news.umbc.edu vmsnet.pdp-11:1125 alt.sys.pdp11:185

>mbg_at_world.std.com (Megan) writes:
>>>start up! I hit a dead-end however when I couldn't get past the
>>>password prompt... I couldn't guess any of the right passwords or
>>>usernames. :-( I'll take a look through the TSX-Plus manual before I
>>>ask any more questions about this.
>
>>Sorry, I'm a sometimes TSX user, not an expert (Bob Schor?)
>
>If you can get a version of RT-11 running, you can modify the TSX+
>password/access file (ACCESS.TSX, I think) and add a new user with
>full privileges (I hope you never thought that TSX+ was at all secure!).
>The TSX+ program to do this is called TSAUTH.SAV. You need to find
>this and run it under RT-11. The documentation should be included in
>the system manager component of your TSX+ manuals. Writing from
>memory, the syntax should be something like:
> .RUN TSAUTH
> * AUTH SYSTEM/PASSWORD=SECRET/PRIVILEGE=ALL
> * EXIT
> .
>
>You may find that the access file has been PROTECTed to provide
>another stumbling block to the potential hacker. Issue the command
> .UNPROTECT SY:ACCESS.TSX
>in order to make it accessible (this won't do any harm, in any event).
>
>Alternatively, and if I recollect correctly, simply deleting the access
>file should have the effect of leaving the system entirely open. It
>may also be possible to turn password access off using the TSXMOD
>kernel modification utility (but I don't recall how, if at all). On the
>whole, I would recommend the course of action described above!
>
>Russ


|Article 1131 of vmsnet.pdp-11:
|Path: news.umbc.edu!europa.eng.gtefsd.com!MathWorks.Com!mvb.saic.com!info-pdp11
|From: Roger N Wallace <rwallace_at_world.std.com>
|Newsgroups: vmsnet.pdp-11
|Subject: Re: RT/11 Booting, backups, floppy duplication, CPU (was: 11/73 Cabling)
|Message-ID: <Pine.3.89.9408241847.A19114-0100000_at_world.std.com>
|Date: Wed, 24 Aug 1994 18:37:34 -0400 (EDT)
|Organization: Info-Pdp11<==>Vmsnet.Pdp-11 Gateway
|X-Gateway-Source-Info: Mailing List
|Lines: 25


> The system password (default "TSX") can be changed with TSXMOD, or
>by the system operator with a "SET ..." command under TSX. Whether an
>individual line requires the system password can be set during SYSGEN or
>by the operator with a "SET TT n [NO]SYSPASSWORD".
>
> Running TSAUTH from RT11 to define a new user with known password
>will work fine, _provided_ TSAUTH is present on the system disk. Running
>TSAUTH is a privileged operation under TSX, but can be done by anyone under
>RT-11. For this reason, the manuals recommend not keeping TSAUTH on the
>system disk.
>
> Not running LOGON for a particular line will bypass all user login
>security, but will leave the requirement for the system password if it has
>been enabled.
>
> TSX is reasonably secure if user privileges have been properly set
>and the only access to the system is through its serial ports. But, unless
>_physical_ access to the system is controlled, anybody can boot RT11 and
>get to any and all files on the hard drive. MicroVAX / VAXStation systems
>are also essentially "wide open" unless physical access to the machine is
>controlled.
>
> Roger Wallace


|Article 1137 of vmsnet.pdp-11:
|Path: news.umbc.edu!haven.umd.edu!umd5.umd.edu!mojo.eng.umd.edu!bloom-beacon.mit.edu!cambridge-news.cygnus.com!noc.near.net!eisner!youdelman
|From: billy_at_mix.com
|Newsgroups: vmsnet.pdp-11
|Subject: Re: RT/11 Booting, backups, floppy duplication, CPU (was: 11/73 Cabling)
|Message-ID: <1994Aug25.060322.5086_at_eisner>
|Date: 25 Aug 94 06:03:22 -0400
|References: <Pine.3.89.9408241847.A19114-0100000_at_world.std.com>
|Organization: DECUServe
|Lines: 29

>In article <Pine.3.89.9408241847.A19114-0100000_at_world.std.com> Roger N Wallace
><rwallace_at_world.std.com> writes:
>
>> TSX is reasonably secure if user privileges have been properly set
>> and the only access to the system is through its serial ports. But, unless
>> _physical_ access to the system is controlled, anybody can boot RT11 and
>> get to any and all files on the hard drive. MicroVAX / VAXStation systems
>> are also essentially "wide open" unless physical access to the machine is
>> controlled.
>
>Speaking as one who's run an anonymously accessible bbs under TSX for
>many years, which has been beat upon by some pretty talented people,
>yes it can be made quite secure. There are only two things that are
>unusual enough to even be worth mentioning here.
>
>Prior to V6.4 tailgating on modem lines can be a problem, but one can
>run a small detached job on earlier versions that watches these lines
>and does the same thing (I include it (KRTAIL.MAC) with Kermit).
>
>Under any version a user can escape control of a command file if the
>application (such as a bbs message editor) allows the lead-in character
>for TSX's program controlled terminal options to be echoed back to the
>terminal - one option will cause the remainder of the command file to
>be immediately typed out. After that the program may be exited without,
>for instance, being logged off (if that's what the command file would
>have done).
>
>Billy Y..

Hopefully this is of some help. Good luck! :-)

RDD

-- 
Copyright (C) 2003 R. D. Davis
All Rights Reserved
rdd_at_rddavis.org  410-744-4900
http://www.rddavis.org

The difference between humans & other animals: an unnatural belief that we're above Nature & her other creatures, using dogma to justify such beliefs and to justify much human cruelty.
Received on Wed May 07 2003 - 20:37:01 BST
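A system-manager audit for the two weaknesses the quoted posts describe (a LINEn.* startup file that never runs LOGON, and TSAUTH.SAV left on a system disk that anyone can boot into RT-11), added here as an example and not part of R. D. Davis's message or of any TSX-Plus software. The `@file` call syntax, the `!` comment convention, and the sample disk contents are assumptions constructed for the example.

```python
import re

# Constructed sample of a TSX-Plus system disk: file name -> contents.
# Illustrative only; not copied from any real installation.
SYSTEM_DISK = {
    "LINE1.TSX": "SET TT WIDTH=80\n@LINES.TSX\n",           # LOGON via called file
    "LINE2.TSX": "SET TT WIDTH=132\nRUN/LOCK LOGON\n",      # LOGON run directly
    "LINE3.TSX": "SET TT WIDTH=80\n! LOGON removed 'for convenience'\n",
    "LINES.TSX": "SET TT NOQUIET\nr logon\n",               # abbreviated form
    "TSAUTH.SAV": "<binary>",                               # should not be here
}

# Matches "RUN/LOCK LOGON", "RUN LOGON" and the abbreviated "r logon".
LOGON_RE = re.compile(r"^\s*(?:RUN|R)(?:/LOCK)?\s+LOGON\b", re.IGNORECASE)
# Assumed indirect-call syntax: "@NAME" or "@NAME.EXT".
CALL_RE = re.compile(r"^\s*@\s*([A-Z0-9$]+(?:\.[A-Z0-9]+)?)", re.IGNORECASE)

def invokes_logon(disk, name, seen=None):
    """True if command file `name` runs LOGON directly or via a called file."""
    seen = seen if seen is not None else set()
    if name in seen or name not in disk:
        return False            # loop guard / missing file counts as no LOGON
    seen.add(name)
    for line in disk[name].splitlines():
        if line.lstrip().startswith("!"):      # assumed comment line
            continue
        if LOGON_RE.match(line):
            return True
        m = CALL_RE.match(line)
        if m:
            base = m.group(1).upper()
            # Try the name as written, then the usual extensions.
            for cand in (base, base + ".TSX", base + ".COM"):
                if invokes_logon(disk, cand, seen):
                    return True
    return False

def audit(disk):
    """Return a list of findings a system manager would want to act on."""
    findings = []
    for name in sorted(disk):
        if re.fullmatch(r"LINE\d+\.(COM|TSX)", name, re.IGNORECASE):
            if not invokes_logon(disk, name):
                findings.append(f"{name}: no LOGON call; line starts with no password prompt")
            elif name.upper().endswith(".COM"):
                findings.append(f"{name}: .COM extension; editable without privilege under TSX+")
    if any(n.upper() == "TSAUTH.SAV" for n in disk):
        findings.append("TSAUTH.SAV on system disk: anyone booting RT-11 can add privileged users")
    return findings
```

Run `audit(SYSTEM_DISK)` against a listing of your own disk's LINE*.* and LINES.* files to get the same report for a real installation.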

This archive was generated by hypermail 2.3.0 : Fri Oct 10 2014 - 23:36:14 BST