STATION ID - 7047/3.12

9x Datakit Network

FOR OFFICIAL USE ONLY

This is a 9x system, restricted to authorized persons and for official 9x business only. Anyone using this system, network or data is subject to being monitored at any time for system administration and for identifying unauthorized users or system misuse. Anyone using this system expressly consents to such monitoring and is advised that any evidence of criminal activity revealed through such monitoring may be provided to law enforcement for prosecution.

Author : OneThought
Subject: Hacking the HP3000/MPE Platform

There have been several write-ups in the past about the MPE operating system and how to hack it. To me, many of these are out of date or haven't gone into certain aspects of the MPE-iX OS. To start this off, I am going to shatter the myth right now that MPE is an out-of-date operating system and is "not worth hacking", a phrase I have heard more than once nowadays. The HP3000/MPE OS is still ideal for a small workplace of 10-15 terminals, and several of these servers networked together create a powerful accounting and work system. In fact, the latest version of the MPE OS was released in 1995 (MPE-iX 5.0) and is already being picked up by several companies.

Right now you are asking yourself, "Why should I hack an HP3000?" Besides being a fun system to navigate around, in many cases HP3000s have some very good information inside of them. Credit card numbers, employees' personal information and payroll files are all kept on HP3000s.

#Finding an HP3000.#

When it comes down to finding an HP3000 your options are limited. Your best luck will definitely be scanning business exchanges. However, you may also find a few inside the network information system of some Unix boxes on the net. You will know when you have found one by the MPE XL: prompt on older MPEs, MPE/iX, or MPE/V. If you are unsure whether one is an HP3000, simply type some random letters at the prompt and press enter.
If it is truly an HP3000 you will get the message "EXPECTED HELLO COMMAND".

#Getting inside.#

If you are attempting to hack an unsecured HP3000 then factory defaults will suffice most of the time. The following is a list of default accounts and some password-protected accounts.

ADVMAIL.HPOFFICE
MGR.HPDESK
MGR.ROBLLE
MGR.VESOFT
MGR.WORD
MGR.INTX3
MGR.CAROLIAN
MGR.XLSERVER
MGR.CONV
MGR.HPP187
MGR.HPP189
MGR.HPP189
MGR.HPP196
MGR.HPOFFICE
MGR.CCC
MGR.RJE
MGR.SYS              Acct password: LOTUS
MGR.ITF3000
MGR.SECURITY
MGR.HPWORD
MGR.TELESUP          Acct password: HPONLY   User Password: MGR
MGR.COGNOS
MGR.HPONLY
MGR.NETBASE
MGR.CNAS
MGR.REGO
MAIL.NETBASE
MAIL.MAIL
MAIL.TELESUP
MAIL.HPOFFICE
MAILMAN.HPOFFICE
OPERATOR.SUPPORT
OPERATOR.SYS
OPERATOR.COGNOS
OPERATOR.SYSTEM
OPERATOR.DISC
FIELD.HP
FIELD.HPUNSUP
FIELD.HPWORD
FIELD.SERVICE        Acct password: HPWORD
FIELD.SUPPORT,PUB
FIELD.HPP187
MANAGER.SYS
MANAGER.COGNOS
MANAGER.HPOFFICE
MANAGER.ITF3000
MANAGER.SECURITY
MANAGER.TCH
SYS.TELESP
WP.HPOFFICE
SPOOLMAN.HPOFFICE
RSBCMON.SYS
PCUSER.SYS

Use the default accounts listed above to log in as such:

:HELLO MGR.SYS,PUB

Login Command: HELLO
Username     : MGR
Account name : SYS
Group Name   : PUB

When trying account and user names, sometimes you will get the message "ACCOUNT EXISTS, USERNAME DOES NOT". This means that you have entered a valid account but not a valid user name. The same goes for "ACCOUNT/USERNAME EXIST BUT NOT IN HOME GROUP". Here you must include a valid group name with the login account name and user name.

*Note: The group name is not required to be typed at the login prompt most of the time.

#Barriers that will stand in the way of gaining access to an HP3000.#

Terminal password.

Sometimes you will log in on a default account and then receive the prompt TERMINAL PASSWORD: The terminal password is an eight bit alpha password that is not a normal feature of HP3000s, but some system administrators request it on a new system.
The only way to get by this is a brute force attack, or going out and doing some field work, i.e. trashing at the company's location, social engineering, etc.

Another problem you may run across is a terminal that will not accept logins from certain accounts. When running into this you will need to find another account that can log in on that terminal.

Case in point:

CONNECT 9600/ARQ/V32/LAPM/V42BIS

MPE XL:HELLO OPERATOR.SYS
HP3000 RELEASE: B.40.00 USER VERSION: B.40.00
FRI, JUN 28, 1996, 6:11 PM
MPE/iX HP31900 B.30.45 Copyright Hewlett-Packard 1987. All Rights Reserved.
YOU ARE AT A TERMINAL THAT YOU ARE NOT ALLOWED TO USE SO NOW I LOG YOU OFF.
END OF PROGRAM
CPU=1. CONNECT=1. FRI, JUN 28, 1996, 6:11 PM.

NO CARRIER

Something else you may run into is closed sessions. This means that at that time the system cannot create a new session, for one of a number of reasons: the maximum number of users are already signed on, or logins are not allowed at that time. The best thing to do when running into that is to try again every few hours until you are allowed to start a new session.

Case in point:

CONNECT 9600/ARQ/V32/LAPM/V42BIS

MPE XL: HELLO MGR.RJE
CAN'T START A NEW SESSION (CIERR 970)

NO CARRIER

The last thing I will cover when it comes to barriers on HP3000s is the VESOFT add-on. I will not go into this in depth but just give you a rough overview. First off, to identify a system running VESOFT you will have MPE/V: as your prompt. There will be no default accounts on this system, and if you get in by other means it will be extremely restrictive and secure. Your best hope here is to give up.

The first thing that you will want to do once inside is find out what access (if any) you have. This is done by doing a LISTACCT.
Case in point:

:LISTACCT
********************
ACCOUNT:

DISC SPACE: 0(SECTORS)          PASSWORD: **
CPU TIME  : 2(SECONDS)          LOC ATTR: $00000000
CONNECT TIME: 2(MINUTES)        SECURITY--READ    : ANY
DISC LIMIT: UNLIMITED                     WRITE   : ANY
CPU LIMIT : UNLIMITED                     APPEND  : ANY
CONNECT LIMIT: UNLIMITED                  LOCK    : ANY
MAX PRI   : 150                           EXECUTE : ANY
GRP UFID  : $055E0002 $0AC53AD3 $0055A7BE $2C052855 $04A775F1
USER UFID: $00000000 $00000000 $00000000 $00000000 $00000000
CAP: AM,ND,SF,BA,IA

Most of this is self-explanatory. The important part to look at is the CAP: section. Here is the capability list needed to understand what access you have.

Abbrev.  Capability
SM       System Manager
AM       Account Manager
AL       Account Librarian
GL       Group Librarian
DI       Diagnostician
OP       System Supervisor
NA       Network Administrator
NM       Node Manager
SF       Permanent Files
ND       Access to nonsharable I/O devices
UV       Use Volumes
CV       Create Volumes
CS       Use Communications Subsystem
PS       Programmatic Sessions
LG       User Logging
PH       Process Handling
DS       Extra Data Segments
MR       Multiple RINs
PM       Privileged mode
IA       Interactive Access
BA       Local Batch Access

Now compare the chart I have just included with whatever account you have. This will dictate what privileged commands you may be able to execute, as I will describe later in this file.

#Making yourself an account#

Making yourself an account requires SM or AM access. On some occasions you will not be able to make an account with AM access if the System Manager has modified your account. When making the new account you will be able to give it access equal to that of the account you are on.

Case in point:

:NEWUSER

The same can also be said for the following commands:

:NEWGROUP      *Creates a new group, very noticeable
:PURGEUSER     *Deletes a user
:PURGEGROUP    *Deletes a group.

#Time to look around.#

You now have hopefully created a new account and know what access you have. Now it is time to check the system out. First you will need to know how to use the help file, as HPs may differ from version to version.
Type HELP and it will bring up other words to look at or a section of the help file. Do NOT type HELP as the entire MPE manual will be scrolled on the screen, taking approximately 18 minutes to be fully scrolled.

To find out how big this system is and what devices are available, type:

:SHOWDEV
LDEV     AVAIL        OWNERSHIP         VOLID      DEN   ASSOCIATION

   1     DISC         N/A
   2     DISC         N/A
   3     DISC         N/A
   4     DISC         N/A
   5     AVAIL
   6     SPOOLED      SPOOLER OUT
   7     AVAIL
   8     AVAIL
   9     AVAIL
  10  A  AVAIL
  11     AVAIL
  12     AVAIL
  13     AVAIL
  14     AVAIL
  15     AVAIL
  16     AVAIL
  17     AVAIL
  18     AVAIL
  19     AVAIL
  20  A  UNAVAIL      #S8886: 8 FILES
  21  A  AVAIL
  33     SPOOLED      SPOOLER OUT
  40     SPOOLED      SPOOLER OUT
 103  J  AVAIL
 104  J  AVAIL
 105  J  AVAIL
 106  J  AVAIL
 107  J  AVAIL
 108  J  AVAIL
 109  J  AVAIL
 110  J  AVAIL
 111  J  AVAIL
 112  J  AVAIL
 113  J  AVAIL
 114  J  AVAIL
 115  J  AVAIL
 116  J  UNAVAIL      #S10041: 8 FILES
 117  J  AVAIL

This will give you a reference for downloading, which I will cover later.

#Navigating commands around groups and files#

LISTF @          Lists every file in your current group.

Case in point:

:LISTF @

FILENAME

ABORTEST  ACCTJOBS  AIFKUF    ALOCATEJ  ANSTART   ANSTAT
ANSTOP    ANUTIL    ASOCTBL   ATCUT000  ATCUTIL   AUTOHIST
BACKUP    BDLABEL   BDLT      BDMO      BDREPORT  BDXM
BRW       BRWACCSD  BRWAPPD   BRWC000   BRWCOMP   BRWCONV
BRWD3000  BRWDL000  BRWDLIST  BRWDUSER  BRWEMPTY  BRWEXEC
BRWEXECO  BRWF000   BRWGEND   BRWJ000   BRWL000   BRWLIST
BRWM000   BRWSD     BRWSDEXT  BRWSETUP  BRWSTART  BRWSTOA
BRWSTRM   BRWXL     BUILDINT  BULDACCT  CATALOG   CATTUTIL
CCMSGCAT  CDCAT     CDMGR     CDMGRSKT  CDSERVER  CDSRVSKT
CDSTARTJ  CDSTOPJ   CEUDCS    CHRDEF01  CHRDEF02  CHRDEF03
CHRDEF04  CHRDEF06  CHRDEF51  CHRDEF56  CHRDEF61  CHRDEF66
CI        CICAT     CICATERR  CKINST    CLS1      CMSTORE
COB74XL   COB74XLG  COB74XLK  COB85XL   COB85XLG  COB85XLK
COBCAT    COBCNTL   COBEDIT   COBMAC    COBOL     COBOL85
COBOLII   COBUDC    COMMA

LISTF @.@        Lists all the files in every group on your account.
LISTF @.@.@      Lists ALL files in every group on the system.
                 *If you are in a rush for time don't use the above command.
LISTF @.., -1    Lists a specific user's files.
LISTF @.@.@,2    Lists all files on the system with group and account name.
DSCOPY .. to ..  Copies files from one account to another.
PURGE ..         Deletes a file.
RENAME ..,..     Renames a file.
RUN ..           Runs a file.
EDITOR

Case in point:

:EDITOR
HP32201A.09.00 EDIT/3000 FRI, JUL 5, 1996, 5:01 AM
(C) HEWLETT-PACKARD CO. 1993
/
/END
:

Just type "END" to leave the editor.

To download use

:DOWNLOAD ,

*Refer back to SHOWDEV to figure out which device to use on the system.

#Other useful and not so useful commands#

SHOWCATALOG = This command will show commands unique to that system.

Case in point:

:SHOWCATALOG
SYSUDC5.UDC.SYS
    SPENTRY          SYSTEM
    EDIT             SYSTEM
    COBOLII          SYSTEM
    ED               SYSTEM
    KSAM             SYSTEM
    COBEDIT          SYSTEM
    SJ               SYSTEM
    FORMSPEC         SYSTEM
    ENTRY            SYSTEM
    SO               SYSTEM
    SM               SYSTEM
    FREE5            SYSTEM
    SH               SYSTEM
    L                SYSTEM
    QUAD             SYSTEM
    MPEX             SYSTEM
    MPEXLOGON        SYSTEM
    QEDITOR          SYSTEM
    GOD              SYSTEM
    JOBMASTER        SYSTEM
    SJ               SYSTEM
    SJJ              SYSTEM
    SJS              SYSTEM
    QUIZ             SYSTEM
    QUIZR            SYSTEM
    CONVRPO          SYSTEM
    QUICK            SYSTEM
    COGHELP          SYSTEM
    PHINIT12         SYSTEM
    PHSRVN           SYSTEM
    PHSRVS12         SYSTEM
    PHSRVS           SYSTEM
    CVRPO12E         SYSTEM
    SETPOWERHOUSE    SYSTEM
    RESETPOWERHOUSE  SYSTEM
    PHRUNPROG        SYSTEM
    PHRUNINTERBASE   SYSTEM
    GBAK             SYSTEM
    GCSU             SYSTEM
    GDEF             SYSTEM
    GDSCSERVER       SYSTEM
    GDSRSERVER       SYSTEM
    GDSLOCKPRINT     SYSTEM
    GDSRELAY         SYSTEM
    GFIX             SYSTEM
    GLTJ             SYSTEM
    GPRE             SYSTEM
    GRST             SYSTEM
    GSEC             SYSTEM
    GSTAT            SYSTEM
    ISCINSTALL       SYSTEM
    QLI              SYSTEM
    SETINTERBASE     SYSTEM
    RESETINTERBASE   SYSTEM
    PLISTF           SYSTEM
    FINDDIR          SYSTEM
    FINDFILE         SYSTEM
    LISTDIR          SYSTEM
    DISCUSE          SYSTEM
    SH               SYSTEM
    HPMPETOHFS       SYSTEM
    HPLISTFCLEANUP   SYSTEM
    HPPARSEFEQ       SYSTEM

REPORT = Lists CPU allocation, disk allocation, disk volume, and connect time for your group.

Case in point:

:REPORT
ACCOUNT     FILESPACE-SECTORS     CPU-SECONDS    CONNECT-MINUTES
  /GROUP       COUNT    LIMIT   COUNT    LIMIT    COUNT    LIMIT
RJE                0       **       2       **        2       **
  /PUB             0       **       2       **        2       **

SHOWJOB = Lists all users and their group information along with their session number and whether they can accept messages; QUIET marks a session that is not accepting messages.
Case in point:

:SHOWJOB

JOBNUM  STATE IPRI JIN  JLIST    INTRODUCED  JOB NAME

#J11627 EXEC        10S LP       FRI  1:11A  GLPOSTJ,MGR.HPFAS
#J11625 EXEC        10S LP       FRI  1:11A  ARPOSTJ,MGR.HPFAS
#S9651  EXEC        302 302      FRI  1:19A  LDEV220,PRINT.SPI
#S9650  EXEC        221 221      FRI  1:18A  LDEV221,FORM1.SPI
#J11626 EXEC        10S LP       FRI  1:11A  APPOSTJ,MGR.HPFAS
#S9725  EXEC        116 16       FRI  9:30P  MGR.RJE
#S8886  EXEC         20 20       FRI 10:20A  CONSOLE,OPERATOR.SYS
#J11628 EXEC        10S LP       FRI  1:11A  MAXSTART,MGR.HPFAS
#S9652  EXEC        117 117      FRI  1:45A  SPIM1.SPI
#S9656  EXEC        213 213      FRI  6:59A  MIS,MGR.HPFAS
#S9701  EXEC        202 202      FRI 12:53P  PRINT1.SPI
#S9721  EXEC        214 214      FRI  4:56P  MSPENCE.SPI
#S923   EXEC        211 211      FRI  7:39P  SUPV.SPI

13 JOBS:
    0 INTRO
    0 WAIT; INCL 0 DEFERRED
    13 EXEC; INCL 9 SESSIONS
    0 SUSP
JOBFENCE= 7; JLIMIT= 8; SLIMIT= 30

CURRENT: 6/28/96 21:44

JOBNUM  STATE IPRI JIN  JLIST    SCHEDULED-INTRO  JOB NAME

#J11607 SCHED  8    10S LP       6/28/96 22:15    FOBACKUP,MGR.SPI
#J11602 SCHED  8    10S LP       6/28/96 23:27    PSI0560J,MGR.SPI
#J11603 SCHED  8    10S LP       6/28/96 23:30    CPMNT2AJ,MGR.SPI
#J11605 SCHED  8    10S LP       6/28/96 23:35    PSI0560J,MGR.SPI
#J11608 SCHED  8    10S LP       6/29/96  0:30    SPIOFF,MGR.SPI
#J11639 SCHED  8    10S LP       6/29/96  5:00    PSI0890,MGR.SPI
#J11642 SCHED  8    10S LP       6/29/96  7:00    SLHCHCKJ,MGR.SPI
#J11866 SCHED  8    10S LP       6/29/96 16:00    UOMCHCKJ,MGR.SPI
#J10694 SCHED  8    10S LP       6/29/96 17:00    CAPCHCKJ,MGR.SPI
#J11885 SCHED  8    10S LP       6/29/96 18:00    NEWPRCEJ,MGR.SPI
#J11886 SCHED  8    10S LP       6/29/96 19:30    ORDERSJ,MGR.SPI
#J11636 SCHED  1    10S LP       6/30/96  4:00    VENDLIST,MGR.HPFAS
#J11892 SCHED  1    10S LP       6/30/96  4:00    VENDLIST,MGR.HPFAS
#J10720 SCHED  8    10S LP       7/ 1/96  0:00    WEEKINV,MGR.SPI
#J6568  SCHED  8    10S LP       7/ 1/96  6:30    DOWNTBJ,MGR.SPI
#J11884 SCHED  1    10S LP       7/ 1/96 17:15    BPOSTAR,MGR.HPFAS
#J11889 SCHED  1    10S LP       7/ 1/96 20:00    BPOSTAP,MGR.HPFAS
#J11890 SCHED  1    10S LP       7/ 1/96 20:10    BPOSTGL,MGR.HPFAS
#J11891 SCHED  1    10S LP       7/ 5/96 20:15    AUDITRPJ,MGR.HPFAS

19 SCHEDULED JOB(S)

Commands that you won't want to use:

SHOWTIME         Shows the current time.
TELLOP           Messages Operator.
SETMSG ON/OFF    Sets your availability to receive messages.
TELL ,.; Message Sends a message to someone signed on.

#Logging off#

To log off just type BYE or EXIT at the prompt. You will then receive this logoff message:

:BYE
CPU=43. Connect=33. SAT, JUN 29, 1996, 1:03 AM.

NO CARRIER

#Conclusion#

I hope this file will spawn possible interest once again in HP3000s and the MPE platform. HP will continue to support the MPE platform for a very long time, and with the extensive business software and porting of Unix to MPE systems you should expect to see these systems for a few more decades.

Greets to Black IC for his VESOFT write-up and to The Underground Consortium for their Hewlett-Packard support.
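
The SHOWJOB listing above also works as an audit source for an administrator. The following is an added example, not part of the original file: it scans SHOWJOB output for jobs or sessions running under factory-default logons from the account list in this file. The watchlist subset, the function names and the re-spaced sample rows are this example's own choices.

```python
import re

# Factory-default logons named in the account list in this file (subset).
DEFAULT_LOGONS = {
    "MGR.RJE", "MGR.SYS", "MGR.TELESUP", "MGR.HPOFFICE", "MGR.COGNOS",
    "OPERATOR.SYS", "OPERATOR.COGNOS", "FIELD.SERVICE", "MANAGER.SYS",
    "MANAGER.SECURITY", "MAIL.TELESUP", "PCUSER.SYS",
}

# A SHOWJOB row starts with #J<n> (job) or #S<n> (session); the last field is
# [NAME,]USER.ACCT. Column layout follows the sample output in this file.
ROW = re.compile(r"^(#[JS]\d+)\s+([A-Z]+)\b.*?(\S+)\s*$")

def logon_of(job_name):
    """Strip the optional job/session name: 'CONSOLE,OPERATOR.SYS' -> 'OPERATOR.SYS'."""
    return job_name.split(",")[-1].upper()

def default_logons_in(showjob_text, watchlist=DEFAULT_LOGONS):
    """Return (jobnum, state, logon) for every row whose logon is on the watchlist."""
    hits = []
    for line in showjob_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, summary and blank lines
        jobnum, state, name = m.groups()
        logon = logon_of(name)
        if logon in watchlist:
            hits.append((jobnum, state, logon))
    return hits

# Rows taken from the SHOWJOB listing in this file, re-spaced for the example.
SAMPLE = """\
JOBNUM  STATE IPRI JIN  JLIST    INTRODUCED  JOB NAME
#J11627 EXEC        10S LP       FRI  1:11A  GLPOSTJ,MGR.HPFAS
#S9725  EXEC        116 16       FRI  9:30P  MGR.RJE
#S8886  EXEC         20 20       FRI 10:20A  CONSOLE,OPERATOR.SYS
#S9656  EXEC        213 213      FRI  6:59A  MIS,MGR.HPFAS
#J11607 SCHED  8    10S LP       6/28/96 22:15    FOBACKUP,MGR.SPI
13 JOBS:
"""

if __name__ == "__main__":
    for jobnum, state, logon in default_logons_in(SAMPLE):
        print(f"{jobnum} {state}: running under factory-default logon {logon}")
```

A hit is a prompt to check whether that logon still has its shipped password or should exist at all; it is not proof of intrusion.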
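
The CAP: line of LISTACCT and the capability chart above can be turned into an account review. The following is an added example, not part of the original file: it decodes each account's capability codes with the chart from this file and lists the ones worth a second look. The account names in the sample, the REVIEW set and the function name are assumptions of this example.

```python
import re

# Capability abbreviations as tabulated in this file.
CAPS = {
    "SM": "System Manager", "AM": "Account Manager", "AL": "Account Librarian",
    "GL": "Group Librarian", "DI": "Diagnostician", "OP": "System Supervisor",
    "NA": "Network Administrator", "NM": "Node Manager", "SF": "Permanent Files",
    "ND": "Access to nonsharable I/O devices", "UV": "Use Volumes",
    "CV": "Create Volumes", "CS": "Use Communications Subsystem",
    "PS": "Programmatic Sessions", "LG": "User Logging", "PH": "Process Handling",
    "DS": "Extra Data Segments", "MR": "Multiple RINs", "PM": "Privileged mode",
    "IA": "Interactive Access", "BA": "Local Batch Access",
}
# Assumption of this example (a review policy, not an MPE rule): capabilities
# that allow account creation or system-wide control get a second look.
REVIEW = {"SM", "AM", "OP", "PM", "NA", "NM"}

def audit_listacct(text):
    """Split LISTACCT output on the asterisk rule and decode each CAP: line."""
    report = []
    for record in re.split(r"^\*{5,}[ \t]*$", text, flags=re.M):
        acct = re.search(r"ACCOUNT:[ \t]*(\S*)", record)
        caps = re.search(r"^\s*CAP:\s*([A-Z, ]+)$", record, flags=re.M)
        if not (acct and caps):
            continue  # text before the first rule, or a truncated record
        codes = [c.strip() for c in caps.group(1).split(",") if c.strip()]
        report.append({
            "account": acct.group(1) or "(blank)",
            "caps": {c: CAPS.get(c, "unknown") for c in codes},
            "review": sorted(set(codes) & REVIEW),
        })
    return report

# Constructed sample in the layout shown in this file; account names are made up.
SAMPLE = """\
********************
ACCOUNT: DEMOACCT
DISC SPACE: 0(SECTORS)          PASSWORD: **
CAP: AM,ND,SF,BA,IA
********************
ACCOUNT: DEMOTWO
DISC SPACE: 0(SECTORS)          PASSWORD: **
CAP: ND,SF,BA,IA
"""
```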