ch19.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 931 行 · 第 1/3 页

<P>watchdog.com was written by a hacker with the handle Bagpuss. The purpose of watchdog.com
is simple: It keeps tabs on users logging in and out of the machine. It is an early
warning system that can alert you to when the system operator (or other similarly
privileged user) logs on.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The source code and full
	explanation of watchdog.com are located at <A HREF="http://www.wordserf.co.uk/mh/vaxhackpro.html"><TT>http://www.wordserf.co.uk/mh/vaxhackpro.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Stealth</B></FONT></H3>
<P>Stealth was also written by Bagpuss. The purpose of this utility is to evade detection
in the event that someone (the system operator, perhaps) issues the <TT>SHOW USER</TT>
command. This command is much like combining the <TT>W</TT>, <TT>WHO</TT>, and <TT>PS</TT>
commands in UNIX. It identifies the users currently logged to the machine and their
status. Stealth prevents the user from being visible on such a query.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The source code for Stealth
	is at <A HREF="http://www.wordserf.co.uk/mh/vaxhackpro.html"><TT>http://www.wordserf.co.uk/mh/vaxhackpro.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>GUESS_PASSWORD</B></FONT></H3>
<P>GUESS_PASSWORD is designed to crack the password file of the VMS system. The program
works quite well, but you have to wonder about its actual value. These days, it is
unlikely that a system administrator would unprotect the <TT>SYSUAF.DAT</TT> file
(where the passwords are actually located). However, if a cracker could find such
an unprotected password file, this utility would assist in cracking it.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>GUESS_PASSWORD (with
	source) is available at <A HREF="http://www.uniud.it/ftp/vms/uaf.zip"><TT>http://www.uniud.it/ftp/vms/uaf.zip</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>WATCHER</B></FONT></H3>
<P>WATCHER is a snooping utility, most commonly used by system administrators. Its
purpose is to watch terminal sessions. From a security point of view, WATCHER is
a good resource. It will monitor how long a terminal has been idle. The system administrator
(or the user) can set the time period after which idle sessions can be automatically
killed. (Idle terminal sessions are in themselves a security risk. Crackers watch
accounts that remain idle for long periods of time. These accounts are deemed good
targets.)


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>WATCHER is available
	at <A HREF="ftp://ftp.wku.edu/madgoat/WATCHER.zip"><TT>ftp://ftp.wku.edu/madgoat/WATCHER.zip</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Checkpass</B></FONT></H3>
<P>Checkpass is a tool that examines the relative strength or weakness of a given
password in the <TT>SYSUAF.DAT</TT> file. It's good for versions 5.4 and onward.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Checkpass is available
	at <A HREF="ftp://www.decus.org/pub/lib/vs0127/checkpass/check.zip"><TT>ftp://www.decus.org/pub/lib/vs0127/checkpass/check.zip</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Crypt</B></FONT></H3>
<P>As you might guess, Crypt is a DES encryption module for the VMS operating system.
Interestingly, it also provides support for UNIX and DOS. It was developed (along
with the previous utility) by M. Edward Nieland, who wrote these tools primarily
in C and FORTRAN.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The CRYPT utility is
	located at <A HREF="ftp://www.decus.org/pub/lib/vs0127/crypt/crypt.zip"><TT>ftp://www.decus.org/pub/lib/vs0127/crypt/crypt.zip</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>DIAL</B></FONT></H3>
<P>A secure dialback module, DIAL is designed to prevent unauthorized remote users
from gaining access to your system. As explained in the DIAL user's guide:

<DL>
	<DD>Only pre-authorized users and their work location telephone numbers can gain
	access to the system through DIAL. Once access is granted the user is disconnected
	from the incoming call and dialed back at the authorized telephone number. This provides
	the user with free access to his accounts over public telephone lines.
</DL>

<P>The system works through the maintenance of a file that lists all valid users
and their telephone numbers. (Read: This could be one method of circumventing this
security. Reach that file and you reach DIAL.) It was written in C by Roger Talkov
at Emulex.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>DIAL is available at
	<A HREF="ftp://www.decus.org/pub/lib/v00149/dial.zip"><TT>ftp://www.decus.org/pub/lib/v00149/dial.zip</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>CALLBACK.EXE</B></FONT></H3>
<P>Written by Robert Eden of Texas Utilities, CALLBACK.EXE performs essentially the
same functions as DIAL. It was written in FORTRAN.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>CALLBACK.EXE is available
	at <A HREF="http://www.openvms.digital.com/cd/CALLBACK/CALLBACK.EXE"><TT>http://www.openvms.digital.com/cd/CALLBACK/CALLBACK.EXE</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>TCPFILTER (G. Gerard)</B></FONT></H3>
<P>TCPFILTER is a utility that restricts outgoing connects. As described in the documentation,
the utility does the following:

<DL>
	<DD>...allows the filtering of outgoing UCX TCP/IP calls. Each attempt to open an
	outgoing call is verified with a table of addresses, and is allowed or forbidden.
	The validation of the call can be done with two different mechanisms: with ACL, or
	with image names. The use of ACL allows controlling each user by the means of an
	identifier.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The previous paragraph
	is excerpted from a file titled TCPFILTER.DOC ENGLISH by G. Gerard. It can be found
	online at <A HREF="http://www.openvms.digital.com/cd/TCPFILTER/"><TT>http://www.openvms.digital.com/cd/TCPFILTER/</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>I should point out that the term <I>calls</I> means outgoing TCP/IP connect requests.
That is, you can restrict connect requests to specific IP addresses, based on user
information in the Access Control List. A pretty nifty utility. For example, you
could restrict any access to outside hacker or cracker boards. Hmm.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>TCPFILTER is located
	at <A HREF="http://www.openvms.digital.com/cd/TCPFILTER/TCP.COM"><TT>http://www.openvms.digital.com/cd/TCPFILTER/TCP.COM</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H2><FONT COLOR="#000077"><B>Changing Times</B></FONT></H2>
<P>The VAX/VMS combination was once a very popular one. And, as I have already related,
OpenVMS is alive and well. However, changes in the computer industry and in public
demand have altered the Internet's climate with regard to VMS. When coupled with
Digital's commitment to Microsoft to provide a suitable architecture on which to
run Windows NT, these changes contributed to a decrease in the use of VMS. This is
curious because today the source code is available. As I have explained elsewhere
in this book, whenever the source of an operating system is available, the security
community has an opportunity to fine-tune it.</P>
<P>Because Digital Alpha stations now run both Microsoft Windows NT and Digital UNIX,
VMS is likely to take a backseat. This is especially so with regard to Digital UNIX
because it is a 64-bit system. Imagine for a moment a 64-bit system running at 400MHz.
In my opinion, this configuration is the most powerful currently available to the
average user. Such a machine (loaded with at least 64MB of RAM) is vastly superior
in my opinion to either the Pentium or the MMX. So the days of the old VAX/VMS are
probably over.</P>
<P>Today's cracker probably knows little about these systems. More concentration
has been allotted to UNIX and as of late, Windows NT. If I were going to contract
someone to crack a VAX, I would look for someone in his mid-30s or older. Certainly,
the advent of the PC has contributed to the lack of VMS security knowledge. Young
people today work mostly with PC- or Mac-based machines. It is therefore rare to
come in contact with a VAX anymore, except as library servers or other database machines.</P>
<P>A close friend of mine has a MicroVAX II in his garage. Each time I visit his
home, we talk about the prospect of cranking up that old machine. One day soon, we'll
probably do just that.</P>
<P>At day's end, VMS is an interesting, durable, and relatively secure platform.
Moreover, DEC was always exceptionally close-mouthed about the security weaknesses
of VAX/VMS. If you retrieve all the known advisories on VAX/VMS, you will see that
DEC routinely declined to include information that could potentially be used by crackers.
(Most often, DEC would advise that VAX users contact their local DEC representative.)
This was a smart move and one that has made it traditionally difficult to crack VAX
servers. If the system administrator of a VAX has been on his toes, after a cracker
has tried all the default passwords, there is nothing left to do but turn to social
engineering.
<H2><FONT COLOR="#000077"><B>Summary</B></FONT></H2>
<P>The VAX/VMS system is an antiquated one at this stage of the game. However, it
is not out of the race yet. OpenVMS has much to offer. If you are considering a career
in Internet security, you should at least take some brief courses in VMS. Or, if
you are like me and prefer the more direct approach, buy a used VAX and set yourself
to the task of cracking it. These can be acquired for practically nothing today in
<TT>misc.forsale.computers.workstation</TT>. Many sellers even have the original
installation media.</P>
<P>In closing, it is my opinion that the security of the VAX is advanced and even
somewhat elegant. Moreover, in many parts of the world, the VAX is still popular.
Time studying VAX security is probably time well spent.
<H3><FONT COLOR="#000077"><B>Resources</B></FONT></H3>
<P><B>VAX Security: Protecting the System and the Data.</B> Sandler and Badgett.
John Wiley &amp; Sons. ISBN 0-471-51507-8.</P>
<P><B>A Retrospective on the VAX VMM Security Kernel.</B> Paul A. Karger, Mary E.
Zurko, Douglas W. Bonin, Andrew H. Mason, and Clifford E. Kahn. <I>IEEE Transactions
on Software Engineering</I>, 17(11):1147-1163, November 1991.</P>
<P><B>Database Security.</B> S. Castano, M. G. Fugini, G. Martella, and P. Samarati.
Addison-Wesley Publishing Company. 1995. (Good chapter on VAX/VMS.)</P>
<P><B>Security Guidance for VAX/VMS Systems.</B> Debra L. Banning. Sparta, Inc. 14th
National Computer Security Conference, Washington, DC, October, 1991.</P>
<P><B>A Practical Exercise in Securing an OpenVMS System.</B> Rob McMillan, Prentice
Centre, The University Of Queensland.

<UL>
	<LI><A HREF="http://nsi.org/Library/Compsec/openvms.txt"><TT>http://nsi.org/Library/Compsec/openvms.txt</TT></A>
</UL>

<P><B>How VMS Keeps Out Intruders.</B> Tanya Candia. <I>Computers &amp; Security</I>,
9(6):499-502, October 1990.</P>
<P><B>ESNET/DECNET Security Policy Procedures and Guidelines.</B> D. T. Caruso and
C. E. Bemis, Jr., <I>ESnet/DecNet Security Revised Draft</I>, December 1989.

<UL>
	<LI><A HREF="http://www.es.net/pub/esnet-doc/esnet-decnet-security.txt"><TT>http://www.es.net/pub/esnet-doc/esnet-decnet-security.txt</TT></A>
</UL>

<P><B>C.O.T.S. (Certified OpenVMS Technical Specialist) Examination.</B>

<UL>
	<LI><A HREF="http://www.repton.co.uk/cots.htm"><TT>http://www.repton.co.uk/cots.htm</TT></A>
</UL>

<P><B>Approaching Zero: The Extraordinary Underworld of Hackers, Phreakers, Virus
Writers, and Keyboard Criminals.</B> Paul Mungo and Bryan Glough.

<UL>
	<LI><A HREF="http://www.feist.com/~tqdb/h/aprozero.txt"><TT>http://www.feist.com/~tqdb/h/aprozero.txt</TT></A>
</UL>

<P><B>VMS Monitor Vulnerability.</B> CERT advisory. CA-92:16. September 22, 1992.

<UL>
	<LI><A HREF="http://www.arc.com/database/Security_Bulletins/CERT/CA-92:16.VMS.Monitor.vulnerability"><TT>http://www.arc.com/database/Security_Bulletins/CERT/CA-92:16.VMS.Monitor.vulnerability</TT></A>
</UL>

<CENTER>
<P>
<HR>
<A HREF="../ch18/ch18.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch20/ch20.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> <BR>
<BR>
<BR>
<IMG SRC="../button/corp.gif" WIDTH="284" HEIGHT="45" ALIGN="BOTTOM" ALT="Macmillan Computer Publishing USA"
BORDER="0"></P>

<P>&#169; <A HREF="../copy.htm">Copyright</A>, Macmillan Computer Publishing. All
rights reserved.
</CENTER>


</BODY>

</HTML>