
STATION ID - 7047/3.

12
9x Datakit Network
FOR OFFICIAL USE ONLY
This is a 9x system, restricted to authorized persons and for
official 9x business only. Anyone using this system, network or data
is subject to being monitored at any time for system administration and
for identifying unauthorized users or system misuse. Anyone using this
system expressly consents to such monitoring and is advised that any
evidence of criminal activity revealed through such monitoring may be
provided to law enforcement for prosecution.
Author : OneThought
Subject: Hacking the HP3000/MPE Platform
There have been several write-ups in the past about the
MPE operating system and how to hack it. To me, many of these are
out of date or haven't gone into certain aspects of
the MPE-iX OS. To start this off, I am going to shatter the myth
right now that MPE is an out-of-date operating system and is
"not worth hacking", a phrase I have heard more than once
nowadays. The HP3000/MPE OS is still ideal for a small workplace of
10-15 terminals, and several of these servers networked together create
a powerful accounting and work system. In fact, the MPE OS's latest
version was released in 1995 (MPE-iX 5.0) and is already being picked
up by several companies. Right now you are asking yourself "Why should
I hack a HP3000?". Besides being a fun system to navigate around, in
many cases HP3000s have some very good information inside of them.
Credit card #s, employees' personal information and payroll files are
all kept on HP3000s.
#Finding a HP3000.#
When it comes down to finding a HP3000 your options are limited.
Your best luck will definitely be scanning business exchanges. However,
you may also find a few inside the network information system of some
unix boxes on the net. You will know when you have found one by the
MPE XL: prompt on older MPEs, MPE/iX, or MPE/V. If you are unsure of
one being a HP3000, simply type some random letters at the prompt and
press enter. If it is truly a HP3000 you will get the message
"EXPECTED HELLO COMMAND".
#Getting inside.#
If you are attempting to hack an unsecured HP3000 then factory
defaults will suffice most of the time. The following is a list
of default accounts and some password protected accounts.
ADVMAIL.HPOFFICE
MGR.HPDESK
MGR.ROBLLE
MGR.VESOFT
MGR.WORD
MGR.INTX3
MGR.CAROLIAN
MGR.XLSERVER
MGR.CONV
MGR.HPP187

MGR.HPP189
MGR.HPP196
MGR.HPOFFICE
MGR.CCC
MGR.RJE
MGR.SYS
MGR.ITF3000
MGR.SECURITY
MGR.HPWORD
MGR.TELESUP
MGR.COGNOS
MGR.HPONLY
MGR.NETBASE
MGR.CNAS
MGR.REGO
MAIL.NETBASE
MAIL.MAIL
MAIL.TELESUP
MAIL.HPOFFICE
MAILMAN.HPOFFICE
OPERATOR.SUPPORT
OPERATOR.SYS
OPERATOR.COGNOS
OPERATOR.SYSTEM
OPERATOR.DISC
FIELD.HP
FIELD.HPUNSUP
FIELD.HPWORD
FIELD.SERVICE
FIELD.SUPPORT,PUB
FIELD.HPP187
MANAGER.SYS
MANAGER.COGNOS
MANAGER.HPOFFICE
MANAGER.ITF3000
MANAGER.SECURITY
MANAGER.TCH
SYS.TELESP
WP.HPOFFICE
SPOOLMAN.HPOFFICE
RSBCMON.SYS
PCUSER.SYS

Acct password: LOTUS

Acct password: HPONLY User Password: MGR

Acct password: HPWORD

Use the default accounts listed above to log in as such.
:HELLO MGR.SYS,PUB
Login Command: HELLO
Username     : MGR
Account name : SYS
Group Name   : PUB

When trying account and user names, sometimes you will get the
message "ACCOUNT EXISTS, USERNAME DOES NOT". This means that you
have entered a valid account but not a valid user name. The same
goes for "ACCOUNT/USERNAME EXIST BUT NOT IN HOME GROUP". Here
you must include a valid group name with the login account name
and user name.
*Note: The group name is not required to be typed at the login prompt
most of the time.
#Barriers that will stand in the way of gaining access to a HP3000.#
Terminal password. Sometimes you will log in on a default account
and then receive the prompt
TERMINAL PASSWORD:
The terminal password is an eight bit alpha password that is not
a normal feature of HP3000s, but some system administrators request
it on a new system. The only way to get by this is a brute
force attack, or going out and doing some field work, i.e. trashing
at the company's location, social engineering, etc.
Another problem you may run across is a terminal that will not
accept logins from certain accounts. When running into this you will
need to find another account that can log in on that terminal.
Case in point:
CONNECT 9600/ARQ/V32/LAPM/V42BIS
MPE XL:HELLO OPERATOR.SYS
HP3000 RELEASE: B.40.00 USER VERSION: B.40.00
FRI, JUN 28, 1996, 6:11 PM
MPE/iX HP31900 B.30.45 Copyright Hewlett-Packard 1987.
All Rights Reserved.
YOU ARE AT A TERMINAL THAT
YOU ARE NOT ALLOWED TO USE
SO NOW I LOG YOU OFF.
END OF PROGRAM
CPU=1. CONNECT=1. FRI, JUN 28, 1996, 6:11 PM.
NO CARRIER
Something else you may run into is closed sessions. This means that
at that time the system cannot create a new session for a number of
reasons: the maximum number of users are already signed on, or logins are
not allowed at that time. The best thing to do when running into that is
to try again every few hours till you are allowed to start a new session.
Case in point:
CONNECT 9600/ARQ/V32/LAPM/V42BIS
MPE XL: HELLO MGR.RJE
CAN'T START A NEW SESSION (CIERR 970)
NO CARRIER
The last thing I will cover when it comes to barriers on HP3000s
is the VESOFT add on. I will not go into this in depth but just give
you a rough overview. First off, to identify a system running VESOFT
you will have MPE/V: as your prompt. There will be no default accounts
on this system, and if you get in by other means it will be extremely
restrictive and secure. Your best hope here is to give up.
The first thing that you will want to do once inside is find out what
access (if any) that you have. This is done by doing a LISTACCT.
Case in point:
:LISTACCT
********************
ACCOUNT: <What ever acct you are>
DISC SPACE: 0(SECTORS)         PASSWORD: **
CPU TIME : 2(SECONDS)          LOC ATTR: $00000000
CONNECT TIME: 2(MINUTES)       SECURITY--READ    : ANY
DISC LIMIT: UNLIMITED                    WRITE   : ANY
CPU LIMIT : UNLIMITED                    APPEND  : ANY
CONNECT LIMIT: UNLIMITED                 LOCK    : ANY
MAX PRI : 150                            EXECUTE : ANY
GRP UFID : $055E0002 $0AC53AD3 $0055A7BE $2C052855 $04A775F1
USER UFID: $00000000 $00000000 $00000000 $00000000 $00000000
CAP: AM,ND,SF,BA,IA

Most of this is self explanatory. The important part to look at
is the CAP: section. Here is the capability list needed to understand
what access you have.
Abbrev.  Capability.

SM       System Manager
AM       Account Manager
AL       Account Librarian
GL       Group Librarian
DI       Diagnostician
OP       System Supervisor
NA       Network Administrator
NM       Node Manager
SF       Permanent Files
ND       Access to nonsharable I/O devices
UV       Use Volumes
CV       Create Volumes
CS       Use Communications Subsystem
PS       Programmatic Sessions
LG       User Logging
PH       Process Handling
DS       Extra Data Segments
MR       Multiple RINs
PM       Privileged mode
IA       Interactive Access
BA       Local Batch Access

Now compare the chart I have just included with whatever
account you have. This will dictate what privileged commands
you may be able to execute, as I will describe later in this file.
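The same chart is what an administrator reads when reviewing which accounts hold powerful capabilities. The following is an added example, not part of the original file: it parses the CAP: line of LISTACCT output and flags accounts for review. The sample listing, the account name PAYROLL, the code XX and the choice of which capabilities count as sensitive are assumptions made for the example.

```python
import re

# Capability abbreviations exactly as listed in the chart above.
CAPS = {
    "SM": "System Manager", "AM": "Account Manager", "AL": "Account Librarian",
    "GL": "Group Librarian", "DI": "Diagnostician", "OP": "System Supervisor",
    "NA": "Network Administrator", "NM": "Node Manager", "SF": "Permanent Files",
    "ND": "Access to nonsharable I/O devices", "UV": "Use Volumes",
    "CV": "Create Volumes", "CS": "Use Communications Subsystem",
    "PS": "Programmatic Sessions", "LG": "User Logging", "PH": "Process Handling",
    "DS": "Extra Data Segments", "MR": "Multiple RINs", "PM": "Privileged mode",
    "IA": "Interactive Access", "BA": "Local Batch Access",
}
# Assumption: the set an auditor treats as sensitive. SM and AM are the two the
# text ties to account creation; OP and PM are added here as a policy choice.
SENSITIVE = {"SM", "AM", "OP", "PM"}

def parse_listacct(text):
    """Map each ACCOUNT: name to the list of abbreviations on its CAP: line."""
    accounts, current = {}, None
    for line in text.splitlines():
        acct = re.match(r"\s*ACCOUNT:\s*(\S+)", line)
        caps = re.match(r"\s*CAP:\s*(.*)", line)
        if acct:
            current = acct.group(1)
            accounts[current] = []
        elif caps and current is not None:
            accounts[current] = [c.strip().upper()
                                 for c in caps.group(1).split(",") if c.strip()]
    return accounts

def audit(text):
    """Return {account: {"sensitive": [...], "unknown": [...]}} for accounts to review."""
    findings = {}
    for name, caps in parse_listacct(text).items():
        sensitive = [c for c in caps if c in SENSITIVE]
        unknown = [c for c in caps if c not in CAPS]  # codes missing from the chart
        if sensitive or unknown:
            findings[name] = {"sensitive": sensitive, "unknown": unknown}
    return findings

# Constructed sample, trimmed to the lines the parser uses.
SAMPLE = """ACCOUNT: RJE
MAX PRI : 150
CAP: AM,ND,SF,BA,IA
ACCOUNT: PAYROLL
CAP: ND,SF,IA,BA
ACCOUNT: SYS
CAP: SM,AM,AL,GL,DI,OP,PM,IA,BA,XX
"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(name, finding)
```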
#Making yourself an account#
Making yourself an account requires SM or AM access. On some occasions
you will not be able to make an account with AM access if the System
Manager has modified your account. You will be able to give your new
account equal access as the one you are on when making it.
Case in point:
:NEWUSER <User id> <Group Id> <Password>
The same can also be said for the following commands..
:NEWGROUP <Group ID>      *Creates a new group, very noticeable
:PURGEUSER <User ID>      *Deletes a user
:PURGEGROUP <Group ID>    *Deletes a group.
#Time to look around.#


You now have hopefully created a new account and know what access
you have. Now it is time to check the system out. First you will need
to know how to use the help file, as HPs may differ from version
to version. Type HELP <item you need help with> and it will bring
up other words to look at or a section of the help file. Do NOT type
HELP as the entire MPE manual will be scrolled on the screen, taking
approximately 18 minutes to be fully scrolled.
To find out how big this system is and what devices are available
type..
:SHOWDEV
LDEV     AVAIL       OWNERSHIP           VOLID   DEN   ASSOCIATION
   1     DISC        N/A
   2     DISC        N/A
   3     DISC        N/A
   4     DISC        N/A
   5     AVAIL
   6     SPOOLED     SPOOLER OUT
   7     AVAIL
   8     AVAIL
   9     AVAIL
  10     AVAIL
  11     AVAIL
  12     AVAIL
  13     AVAIL
  14     AVAIL
  15     AVAIL
  16     AVAIL
  17     AVAIL
  18     AVAIL
  19     AVAIL
  20  A  UNAVAIL     #S8886: 8 FILES
  21  A  AVAIL
  33     SPOOLED     SPOOLER OUT
  40     SPOOLED     SPOOLER OUT
 103  J  AVAIL
 104  J  AVAIL
 105  J  AVAIL
 106  J  AVAIL
 107  J  AVAIL
 108  J  AVAIL
 109  J  AVAIL
 110  J  AVAIL
 111  J  AVAIL
 112  J  AVAIL
 113  J  AVAIL
 114  J  AVAIL
 115  J  AVAIL
 116  J  UNAVAIL     #S10041: 8 FILES
 117  J  AVAIL

This will give you a reference for downloading, which I will cover
later.
#Navigating commands around groups and files#
LISTF @        Lists every file in your current group
Case in point:
:LISTF @
FILENAME
ABORTEST  ACCTJOBS  AIFKUF    ALOCATEJ  ANSTART   ANSTAT
ANSTOP    ANUTIL    ASOCTBL   ATCUT000  ATCUTIL   AUTOHIST
BACKUP    BDLABEL   BDLT      BDMO      BDREPORT  BDXM
BRW       BRWACCSD  BRWAPPD   BRWC000   BRWCOMP   BRWCONV
BRWD3000  BRWDL000  BRWDLIST  BRWDUSER  BRWEMPTY  BRWEXEC
BRWEXECO  BRWF000   BRWGEND   BRWJ000   BRWL000   BRWLIST
BRWM000   BRWSD     BRWSDEXT  BRWSETUP  BRWSTART  BRWSTOA
BRWSTRM   BRWXL     BUILDINT  BULDACCT  CATALOG   CATTUTIL
CCMSGCAT  CDCAT     CDMGR     CDMGRSKT  CDSERVER  CDSRVSKT
CDSTARTJ  CDSTOPJ   CEUDCS    CHRDEF01  CHRDEF02  CHRDEF03
CHRDEF04  CHRDEF06  CHRDEF51  CHRDEF56  CHRDEF61  CHRDEF66
CI        CICAT     CICATERR  CKINST    CLS1      CMSTORE
COB74XL   COB74XLG  COB74XLK  COB85XL   COB85XLG  COB85XLK
COBCAT    COBCNTL   COBEDIT   COBMAC    COBOL     COBOL85
COBOLII   COBUDC    COMMA

LISTF @.@      Lists all the files in every group on your account.
LISTF @.@.@    Lists ALL files in every group on the system
*If you are in a rush for time don't use the above command.
LISTF @.<Group ID>.<Acct ID>, -1    Lists a specific user's files.
LISTF @.@.@,2    Lists all files on system with group and account name.
DSCOPY <fname>.<group id>.<acct id> to <fname>.<group id>.<acct id>
^ Copies files from one account to another.
PURGE <fname>.<group id>.<acct id>    Deletes a file.
RENAME <old file>.<group>.<Acct>,<New file>.<Group>.<acct>
^ Renames a file.
RUN <File name>.<Group ID>.<Acct ID>    Runs a file.
EDITOR <Filename>
Case in point:
:EDITOR <Whatever file here>


HP32201A.09.00 EDIT/3000 FRI, JUL 5, 1996, 5:01 AM
(C) HEWLETT-PACKARD CO. 1993
/
/END
:
Just type "END" to leave the editor.
To download use :DOWNLOAD <device>,<file>
*Refer back to SHOWDEV to figure out which device to use on the system.
#Other useful and not so useful commands#
SHOWCATALOG = This command will show commands unique to that system.
Case in point:
:SHOWCATALOG
SYSUDC5.UDC.SYS
    SPENTRY          SYSTEM
    EDIT             SYSTEM
    COBOLII          SYSTEM
    ED               SYSTEM
    KSAM             SYSTEM
    COBEDIT          SYSTEM
    SJ               SYSTEM
    FORMSPEC         SYSTEM
    ENTRY            SYSTEM
    SO               SYSTEM
    SM               SYSTEM
    FREE5            SYSTEM
    SH               SYSTEM
    L                SYSTEM
    QUAD             SYSTEM
    MPEX             SYSTEM
    MPEXLOGON        SYSTEM
    QEDITOR          SYSTEM
    GOD              SYSTEM
    JOBMASTER        SYSTEM
    SJ               SYSTEM
    SJJ              SYSTEM
    SJS              SYSTEM
    QUIZ             SYSTEM
    QUIZR            SYSTEM
    CONVRPO          SYSTEM
    QUICK            SYSTEM
    COGHELP          SYSTEM
    PHINIT12         SYSTEM
    PHSRVN           SYSTEM
    PHSRVS12         SYSTEM
    PHSRVS           SYSTEM
    CVRPO12E         SYSTEM
    SETPOWERHOUSE    SYSTEM
    RESETPOWERHOUSE  SYSTEM
    PHRUNPROG        SYSTEM
    PHRUNINTERBASE   SYSTEM
    GBAK             SYSTEM
    GCSU             SYSTEM
    GDEF             SYSTEM
    GDSCSERVER       SYSTEM
    GDSRSERVER       SYSTEM
    GDSLOCKPRINT     SYSTEM
    GDSRELAY         SYSTEM
    GFIX             SYSTEM
    GLTJ             SYSTEM
    GPRE             SYSTEM
    GRST             SYSTEM
    GSEC             SYSTEM
    GSTAT            SYSTEM
    ISCINSTALL       SYSTEM
    QLI              SYSTEM
    SETINTERBASE     SYSTEM
    RESETINTERBASE   SYSTEM
    PLISTF           SYSTEM
    FINDDIR          SYSTEM
    FINDFILE         SYSTEM
    LISTDIR          SYSTEM
    DISCUSE          SYSTEM
    SH               SYSTEM
    HPMPETOHFS       SYSTEM
    HPLISTFCLEANUP   SYSTEM
    HPPARSEFEQ       SYSTEM

REPORT = Lists CPU allocation, disk allocation, disk volume, and
connect time for your group.
Case in point:
:REPORT
ACCOUNT     FILESPACE-SECTORS     CPU-SECONDS      CONNECT-MINUTES
  /GROUP      COUNT    LIMIT     COUNT    LIMIT     COUNT    LIMIT
RJE               0       **         2       **         2       **
  /PUB            0       **         2       **         2       **

SHOWJOB = Lists all users and their group information along
with their session number and the availability to accept messages in
the form of QUIET for not being able to accept messages.
Case in point:
:SHOWJOB
JOBNUM   STATE IPRI JIN  JLIST   INTRODUCED   JOB NAME
#J11627  EXEC       10S  LP      FRI  1:11A   GLPOSTJ,MGR.HPFAS
#J11625  EXEC       10S  LP      FRI  1:11A   ARPOSTJ,MGR.HPFAS
#S9651   EXEC       302  302     FRI  1:19A   LDEV220,PRINT.SPI
#S9650   EXEC       221  221     FRI  1:18A   LDEV221,FORM1.SPI
#J11626  EXEC       10S  LP      FRI  1:11A   APPOSTJ,MGR.HPFAS
#S9725   EXEC       116  16      FRI  9:30P   MGR.RJE
#S8886   EXEC       20   20      FRI 10:20A   CONSOLE,OPERATOR.SYS
#J11628  EXEC       10S  LP      FRI  1:11A   MAXSTART,MGR.HPFAS
#S9652   EXEC       117  117     FRI  1:45A   SPIM1.SPI
#S9656   EXEC       213  213     FRI  6:59A   MIS,MGR.HPFAS
#S9701   EXEC       202  202     FRI 12:53P   PRINT1.SPI
#S9721   EXEC       214  214     FRI  4:56P   MSPENCE.SPI
#S923    EXEC       211  211     FRI  7:39P   SUPV.SPI

13 JOBS:
0 INTRO
0 WAIT; INCL 0 DEFERRED
13 EXEC; INCL 9 SESSIONS
0 SUSP
JOBFENCE= 7; JLIMIT= 8; SLIMIT= 30
CURRENT: 6/28/96 21:44

JOBNUM   STATE IPRI JIN  JLIST   SCHEDULED-INTRO   JOB NAME
#J11607  SCHED   8  10S  LP      6/28/96 22:15     FOBACKUP,MGR.SPI
#J11602  SCHED   8  10S  LP      6/28/96 23:27     PSI0560J,MGR.SPI
#J11603  SCHED   8  10S  LP      6/28/96 23:30     CPMNT2AJ,MGR.SPI
#J11605  SCHED   8  10S  LP      6/28/96 23:35     PSI0560J,MGR.SPI
#J11608  SCHED   8  10S  LP      6/29/96  0:30     SPIOFF,MGR.SPI
#J11639  SCHED   8  10S  LP      6/29/96  5:00     PSI0890,MGR.SPI
#J11642  SCHED   8  10S  LP      6/29/96  7:00     SLHCHCKJ,MGR.SPI
#J11866  SCHED   8  10S  LP      6/29/96 16:00     UOMCHCKJ,MGR.SPI
#J10694  SCHED   8  10S  LP      6/29/96 17:00     CAPCHCKJ,MGR.SPI
#J11885  SCHED   8  10S  LP      6/29/96 18:00     NEWPRCEJ,MGR.SPI
#J11886  SCHED   8  10S  LP      6/29/96 19:30     ORDERSJ,MGR.SPI
#J11636  SCHED   1  10S  LP      6/30/96  4:00     VENDLIST,MGR.HPFAS
#J11892  SCHED   1  10S  LP      6/30/96  4:00     VENDLIST,MGR.HPFAS
#J10720  SCHED   8  10S  LP      7/ 1/96  0:00     WEEKINV,MGR.SPI
#J6568   SCHED   8  10S  LP      7/ 1/96  6:30     DOWNTBJ,MGR.SPI
#J11884  SCHED   1  10S  LP      7/ 1/96 17:15     BPOSTAR,MGR.HPFAS
#J11889  SCHED   1  10S  LP      7/ 1/96 20:00     BPOSTAP,MGR.HPFAS
#J11890  SCHED   1  10S  LP      7/ 1/96 20:10     BPOSTGL,MGR.HPFAS
#J11891  SCHED   1  10S  LP      7/ 5/96 20:15     AUDITRPJ,MGR.HPFAS

19 SCHEDULED JOB(S)
Commands that you won't want to use..
SHOWTIME                             Shows the current time.
TELLOP <message>                     Messages Operator.
SETMSG ON/OFF                        Sets your availability to receive messages.
TELL <Job>,<User>.<acct>; Message    Sends a message to someone signed on.


#Logging off#
To log off just type BYE or EXIT at the prompt. You will then receive
this logoff message..
:BYE
CPU=43. Connect=33. SAT, JUN 29, 1996, 1:03 AM.
NO CARRIER
#Conclusion#
I hope this file will spawn possible interest once again in HP3000s
and the MPE Platform. HP will continue to support the MPE platform
for a very long time and with the extensive business software and
porting of unix to MPE systems you should expect to see these systems
for a few more decades. Greets to Black IC for his VESOFT write up
and to The Underground Consortium for their Hewlett Packard support.
