.title	Breakin
.ident	/V01/
;******************************************************************************
;
; PROGRAM:	Breakin
;
; PURPOSE:	This program reads from the AUDIT_SERVER listener mailbox
;		(created via a $SET AUDIT/LISTENER=mailbox_name) and processes
;		Breakin attempts based on the incoming audit messages.
;
; OPERATION:	1) $ RUN/DETACH BREAKIN
;
;		2) $ SET AUDIT/LISTENER=LISTENER_MBX
;
;		3) REPLY/ENABLE=OPER12
;
;
; ENVIRONMENT:	VAX MACRO
;		VAX VMS V5.2
;
;		Information America
;		J. Wren Hunt
;		December 21, 1989
;
; MODIFICATION HISTORY:
;
;******************************************************************************
;
; Layout of this file: private data (default psect), then the BREAKIN_COMMON
; psect shared with FORTRAN, then the code psect holding the mainline.
;
	$ssdef
	$iodef
	$nsadef				; audit record definitions
	$brkdef				; for $brkthru (not used in the code shown)
	$opcdef				; defs for $sndopr

; Private working storage.
chan:		.word			; mailbox channel, filled in by $CREMBX
data_length:	.long			; payload length of the data packet being
					; parsed (packet size minus its 4-byte header);
					; read as a byte by MOVB and as a word by MOVC3
data:		.blkb	256		; not referenced by the code shown
junk:		.blkb	255		; not referenced by the code shown

; SYMBIONT_0012 is the process name we assign ourselves so that we don't
; stand out.
process_name:	.ascid	/SYMBIONT_0012/

; $FAO control string for the operator message.  Each !AC consumes a
; counted string (count byte followed by text); !/ is a new line.
; NOTE(review): p2 of this string is the password the intruder typed, so
; every OPER12 terminal (and the OPCOM log, where enabled) receives it in
; clear text; mistyped genuine passwords are the usual case, so consider
; dropping or masking that item.
login_str:	.ascid	@Breakin attempt: !AC Password: !AC !/Terminal: !AC@

; Output descriptor for $FAO; faobuf must directly follow faodesc because
; the mainline addresses the buffer as faodesc+8.
faodesc:	.long	180		; output buffer length
		.address faobuf		; address of buffer
faobuf:		.blkb	180		; 180-character buffer
faolen:		.blkw	1		; 1 word for fao len
		.blkw	1		; another word for $qio

; Message buffer format for OPC$_RQ_RQST.  Length 188 = 1 (type) + 3 (target
; mask) + 4 (request id) + 180 (text).
rqstdesc:	.long	188
		.address rqsttype
rqsttype:	.byte	opc$_rq_rqst
rqsttarget:	.blkb	3		;opc$m_nm_oper12 (stored by INSV in the mainline)
rqstid:		.long	1
rqsttext:	.blkb	180

; Mailbox message buffer; message_len must match the MAXMSG given to $CREMBX.
message_len = 300
message:	.blkb	message_len

iosb:		.blkw	1		; IOSB first word is status
		.blkw	1		; IOSB second word is length transferred
					; (not consulted by the code shown)
		.blkl	1		; remainder of IOSB to make quadword

mbxlognam:	.ascid	/LISTENER_MBX/	; MUST be in capital letters

; Global data definitions that we're gonna share with FORTRAN (Note
; that the psect name and the COMMON name must be the same for this
; to work (Use COMMON /BREAKIN_COMMON/ in your FORTRAN program)
	.psect	breakin_common,noexe

; Audit header packet format (only record_type, record_subtype,
; packet_count and rec_size are filled in by the parser; each is written
; as a word into the low half of its longword).
ia_record_type::	.long	1
ia_record_subtype::	.long	1
ia_flags::		.long	1
ia_packet_count::	.long	1
ia_rec_size::		.long	1
ia_facility::		.long	1

; Audit data packet format
ia_packet_size::	.long	1	; size of whole packet (subtract
					; 4 to get size of just the data)
ia_packet_type::	.long	1

; Most of these fields are not used by this program. They're in there
; in case we ever want to use them at a later date.
;
; Two string conventions are in use, fixed by the packet handlers:
;  - counted: pkt_account, pkt_alarm_name, pkt_audit_name, pkt_system_name,
;    pkt_device_name, pkt_password, pkt_terminal, pkt_username and
;    pkt_default_username hold a count byte followed by the text (the form
;    $FAO !AC expects), so the text itself gets field size minus one.
;  - plain: the remaining .blkb fields receive the raw text with no count.
; NOTE(review): pkt_username/pkt_default_username leave only 11 text bytes
; after the count byte; widen them (and the FORTRAN COMMON) if full 12-
; character usernames must be kept intact.
pkt_access_desired::	.long	1
pkt_account::		.blkb	9
pkt_alarm_disable::	.long	1
pkt_alarm_enable::	.long	1
pkt_alarm_name::	.blkb	31
pkt_appl_data::		.long	1
pkt_audit_flags::	.long	1
pkt_audit_name::	.blkb	31
pkt_default_username::	.blkb	12
pkt_username::		.blkb	12
pkt_device_name::	.blkb	8
pkt_dismount_flags::	.long	1
pkt_field_name::	.blkb	31
pkt_final_status::	.long	1
pkt_holder_name::	.blkb	31
pkt_holder_owner::	.long	1
pkt_id_attributes::	.long	1
pkt_id_name::		.blkb	31
pkt_id_new_name::	.blkb	31
pkt_id_new_value::	.long	1
pkt_id_value::		.long	1
pkt_identifiers_used::	.long	1
pkt_image_name::	.blkb	256
pkt_install_file::	.blkb	256
pkt_install_flags::	.long	1
pkt_install_privs::	.quad	1
pkt_listener_device::	.blkb	15
pkt_local_username::	.blkb	12
pkt_system_name::	.blkb	8
pkt_system_id::		.long	1
pkt_logical_name::	.blkb	127
pkt_mount_flags::	.long	1
pkt_new_data::		.long	1
pkt_object_id::		.long	1
pkt_object_min_class::	.long	1
pkt_object_max_class::	.long	1
pkt_object_name::	.blkb	127
pkt_object_name_2::	.blkb	127
pkt_object_owner::	.long	1
pkt_object_protection::	.long	1
pkt_object_type::	.long	1
pkt_original_data::	.long	1
pkt_parent_id::		.long	1
pkt_parent_name::	.blkb	15
pkt_parent_owner::	.long	1
pkt_parent_username::	.blkb	12
pkt_password::		.blkb	31
pkt_privs_used::	.quad	1
pkt_process_id::	.long	1
pkt_time_stamp::	.quad	1
pkt_terminal::		.blkb	40

; data fields (reserved for the FORTRAN side; not written by the code shown)
username::	.blkb	12
nodename::	.blkb	8
timestamp::	.quad	1
pid::		.long	1

; Here's where the mainline starts...
.psect	code,exe,rd,nowrt

; BREAKIN entry point: set up the operator target mask, name the process,
; create the listener mailbox and then wait for audit messages forever.
; NOTE(review): the register-save mask reads ^m in this copy; the original
; presumably carried the (empty) angle-bracket list ^m<>.
	.entry	breakin,^m
	movl	#0,r10			; lower bounds to check for CASE
	movl	#85,r11			; upper bounds to check for CASE
					; (must equal the last index of the
					; dispatch table in the packet parser)
	insv	#opc$m_nm_oper12, -	; send oper request
		#0, -			; notification to OPER12
		#24, -			; 24-bit target mask ...
		rqsttarget		; ... stored after the request type byte

; We run as a detached process...make sure that our process name is
; something innocuous like SYMBIONT_00012 so we don't call attention to
; our real purpose.  (The status of $SETPRN is not checked; a failure here
; only leaves the default process name.)
	$setprn_s prcnam = process_name

; create the permanent mailbox that will be used by AUDIT_SERVER
; to send us messages. (NOTE: This program should be run BEFORE
; the $ SET AUDIT/LISTENER=mailbox_name command to ensure that the
; mailbox exists)
	$crembx_s -
		prmflg = #1, -		; Permanent but doesn't have to be
		chan = chan, -
		maxmsg = #300, -	; matches message_len
		bufquo = #1000, -
		lognam = mbxlognam
	bsbw	error			; exits the image if the mailbox can't be made

; Okay, hang around waiting on incoming mailbox messages from the server.
; NOTE(review): only the service status in r0 is checked; the completion
; status in iosb and the byte count in iosb+2 are ignored, so the parser
; below trusts the packet count in the header rather than the bytes that
; actually arrived.
loop:	$qiow_s	chan=chan, -
		func = #io$_readvblk, -	; read from mailbox
		iosb = iosb, -		; hold our status
		p1 = message,-		; and put into message
		p2 = #message_len
	bsbw	error

; We've grabbed a message from the mailbox consisting of one header
; packet followed by a variable number of data packets. Following are the
; packet layouts: (See the Audit Analysis Utility documentation)
;
;	A U D I T   H E A D E R   P A C K E T
;	0
;	+----------------------------------------------+
;	!  nsa$w_record_subtype  !  nsa$w_record_type  !
;	!----------------------------------------------!
;	!  nsa$w_packet_count    !  nsa$w_flags        !
;	+----------------------------------------------+
;	! nsa$b_version ! unused !  nsa$w_rec_size     !
;	+----------------------------------------------+
;	!        unused          !       unused        !
;	+----------------------------------------------+
;	!     nsa$w_facility     !       unused        !
;	+----------------------------------------------+
;
;	A U D I T   D A T A   P A C K E T S
;	+----------------------------------------------+
;	!   nsa$w_packet_type    !  nsa$w_packet_size  !
;	+----------------------------------------------+
;	.                                              .
;	.   nsa$r_packet_data (variable length info)   .
;	.                                              .
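;	+----------------------------------------------+

; Bounded copy helpers for the packet handlers below.
;
; data_length holds the payload length taken from the packet itself.  The
; original code handed it straight to MOVC3, so an oversized or malformed
; packet could overwrite the COMMON fields that follow the destination.
; clamp_len limits data_length to the room available before any copy.
; MOVC3 uses r0-r5 as scratch; the parser keeps its state in r6-r11.
	.macro	clamp_len max,?ok
	cmpl	data_length,#max
	blequ	ok			; unsigned: a negative length is clamped too
	movl	#max,data_length
ok:	.endm

; Counted-string field: count byte, then up to MAX bytes of text.
; This is the form $FAO !AC consumes in the alarm code.
	.macro	copy_counted dest,max
	clamp_len max
	movb	data_length,dest
	movc3	data_length,4(r9),dest+1
	.endm

; Plain field: text only, MAX is the size of the field.
	.macro	copy_plain dest,max
	clamp_len max
	movc3	data_length,4(r9),dest
	.endm

; Parse the main header packet (see the layout above).
	movw	message,ia_record_type
	movw	message+2,ia_record_subtype
	movw	message+6,ia_packet_count
	movw	message+8,ia_rec_size

; Start processing the data packets.
; For the very first packet, start at offset message+20
; (The header is 20 bytes long)
	moval	message,r6		; r6 is start of message buf
	movl	#20,r7			; r7 is offset
	movzwl	ia_packet_count,r8	; # of data packets in r8
	addl3	r6,r7,r9		; r9 = start of packet data

; A message with no data packets goes straight to the breakin check;
; without this the loop below would decrement r8 past zero and walk the
; buffer indefinitely.
	tstl	r8
	bneq	data_packet_loop
	brw	loopend

; now that we know where the data starts at in the individual packets,
; see what kind of operation we need to do to move it into our
; common area. (character or integer)
; NOTE(review): r9 is advanced by the packet's own size for packet_count
; packets; neither is checked against the bytes actually received in
; iosb+2, so a corrupt header can make the parser read past the message
; buffer (the copies above are bounded, so nothing is written out of place).
data_packet_loop:
	movw	(r9),ia_packet_size	; r9 points to start of packet
	movw	2(r9),ia_packet_type
	subl3	#4,ia_packet_size,data_length	; don't count hdr.

; Start comparing with all valid fields we're interested in.
; The table has 86 entries (types 0..85, matching r10/r11 set at entry).
; Types we don't keep share entry 0$, which is also where CASEL falls
; through for a type outside the table.
	casel	ia_packet_type,r10,r11
table:	.word	0$-table
	.word	1$-table
	.word	2$-table
	.word	3$-table
	.word	4$-table
	.word	5$-table
	.word	6$-table
	.word	7$-table
	.word	8$-table
	.word	9$-table
	.word	10$-table
	.word	11$-table
	.word	12$-table
	.word	13$-table
	.word	14$-table
	.word	15$-table
	.word	16$-table
	.word	17$-table
	.word	18$-table
	.word	19$-table
	.word	20$-table
	.word	21$-table
	.word	22$-table
	.word	23$-table
	.word	24$-table
	.word	25$-table
	.word	26$-table
	.word	27$-table
	.word	28$-table
	.word	29$-table
	.word	30$-table
	.word	31$-table
	.word	32$-table
	.rept	6			; types 33..38: not kept
	.word	0$-table
	.endr
	.word	39$-table
	.rept	8			; types 40..47: not kept
	.word	0$-table
	.endr
	.word	48$-table
	.word	49$-table
	.word	50$-table
	.rept	5			; types 51..55: not kept
	.word	0$-table
	.endr
	.word	56$-table
	.rept	19			; types 57..75: not kept
	.word	0$-table
	.endr
	.word	76$-table
	.word	77$-table
	.rept	4			; types 78..81: not kept
	.word	0$-table
	.endr
	.word	82$-table
	.word	0$-table		; type 83: not kept
	.word	84$-table
	.word	85$-table

; Handlers.  Longword/quadword fields are copied as-is; string fields go
; through the bounded helpers with the room available in the destination
; (field size, or field size minus the count byte for counted fields).
0$:	brw	next_packet		; not kept, and CASEL fall-through
1$:	movl	4(r9),pkt_access_desired
	brw	next_packet
2$:	copy_counted pkt_account,8
	brw	next_packet
3$:	copy_counted pkt_alarm_name,30
	brw	next_packet
4$:	movl	4(r9),pkt_appl_data
	brw	next_packet
5$:	movl	4(r9),pkt_audit_flags
	brw	next_packet
6$:	copy_counted pkt_audit_name,30
	brw	next_packet
7$:	copy_counted pkt_system_name,7
	brw	next_packet
8$:	movl	4(r9),pkt_system_id
	brw	next_packet
9$:	copy_counted pkt_device_name,7
	brw	next_packet
10$:	movl	4(r9),pkt_dismount_flags
	brw	next_packet
11$:	copy_plain pkt_holder_name,31
	brw	next_packet
12$:	movl	4(r9),pkt_holder_owner
	brw	next_packet
13$:	movl	4(r9),pkt_id_attributes
	brw	next_packet
14$:	copy_plain pkt_id_name,31
	brw	next_packet
15$:	copy_plain pkt_id_new_name,31
	brw	next_packet
16$:	movl	4(r9),pkt_id_value
	brw	next_packet
17$:	movl	4(r9),pkt_id_new_value
	brw	next_packet
18$:	movl	4(r9),pkt_identifiers_used
	brw	next_packet
19$:	copy_plain pkt_image_name,256
	brw	next_packet
20$:	copy_plain pkt_install_file,256
	brw	next_packet
21$:	movl	4(r9),pkt_install_flags
	brw	next_packet
22$:	movq	4(r9),pkt_install_privs
	brw	next_packet
23$:	copy_plain pkt_logical_name,127
	brw	next_packet
24$:	movl	4(r9),pkt_mount_flags
	brw	next_packet
25$:	movl	4(r9),pkt_new_data
	brw	next_packet
26$:	movl	4(r9),pkt_object_id
	brw	next_packet
27$:	movl	4(r9),pkt_object_min_class
	brw	next_packet
28$:	movl	4(r9),pkt_object_max_class
	brw	next_packet
; 29$/30$ previously used MOVL, which stored only 4 bytes of a 127-byte
; string field; copy the text like the other string fields.
29$:	copy_plain pkt_object_name,127
	brw	next_packet
30$:	copy_plain pkt_object_name_2,127
	brw	next_packet
31$:	movl	4(r9),pkt_object_owner
	brw	next_packet
32$:	movl	4(r9),pkt_object_protection
	brw	next_packet
39$:	copy_counted pkt_password,30
	brw	next_packet
48$:	movl	4(r9),pkt_final_status
	brw	next_packet
49$:	copy_counted pkt_terminal,39
	brw	next_packet
50$:	movq	4(r9),pkt_time_stamp
	brw	next_packet
56$:	copy_counted pkt_username,11
	brw	next_packet
76$:	movl	4(r9),pkt_alarm_disable
	brw	next_packet
77$:	movl	4(r9),pkt_alarm_enable
	brw	next_packet
82$:	copy_counted pkt_default_username,11
	brw	next_packet
84$:	copy_plain pkt_field_name,31
	brw	next_packet
85$:	copy_plain pkt_listener_device,15
	brw	next_packet

next_packet:
	addl2	ia_packet_size,r9	; bump to new address
					; (sobgtr is out of range)
	decl	r8			; 1 less packet to worry with
	bleq	loopend			; none left (or count went bad): done
	brw	data_packet_loop	; No. back to get more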
loopend:
; All data packets are in COMMON; only a breakin record raises the alarm.
	cmpw	ia_record_type,#nsa$c_msg_breakin	; Breakin ?!?!?!?!?!
	bneq	1$
; Format username / password / terminal (counted strings) into faobuf.
; NOTE(review): p2 puts the attempted password in clear into the operator
; broadcast (and the OPCOM log, where enabled); mistyped real passwords
; are the common case, so consider omitting or masking it.
	$fao_s	ctrstr=login_str, -		; get the data looking
		outlen = faolen, -		; real pretty.
		outbuf = faodesc, -
		p1 = #pkt_username, -
		p2 = #pkt_password, -
		p3 = #pkt_terminal
	movc3	faolen,faodesc+8,rqsttext	; copy (w/o descrip)
						; into $sndopr buf
						; (faodesc+8 is faobuf)
; Alert all users that have OPER12 operator class enabled that breakin
; attempts are being done.  (Best effort: the status is not checked.)
	$sndopr_s msgbuf=rqstdesc
; blank out the username/password fields so we don't have any leftover
; characters next time through.
	movc5	#0,0,#^A/ /,#180,faobuf		; wipe out buffers...
	movc5	#0,0,#^A/ /,#180,rqsttext	; not descriptors!
1$:	brw	loop			; loop back to wait on another msg.

; We don't want to blow out 'cause if there's no reader on the listener
; mailbox then our AUDIT_SERVER will go into a resource wait state (MWAIT)
;
; error: called with BSBW after a system service.  A success status in r0
; returns to the caller; a failure RETs out of the image with that status
; (RET unwinds the call frame, so the BSBW return address is discarded).
error:	blbc	r0,10$
	rsb
10$:	ret
	.end	breakin
$! BUILD_BREAKIN.COM
$!
$! This command procedure compiles, links and optionally runs
$! the BREAKIN program.
$!
$! J. Wren Hunt
$!
$!
$ Macro Breakin
$ Link Breakin
$!
$ inquire answer "Would you like to start BREAKIN? "
$!
$ If answer .eqs. "Y" then goto startup_breakin
$ Goto Thats_all
$!
$ Startup_Breakin:
$!
$! Privileges needed below: PRMMBX for the permanent mailbox BREAKIN
$! creates, OPER for REPLY/ENABLE, SECURITY for SET AUDIT.  They are set
$! on this process before RUN/DETACH; check that the detached process
$! inherits them on your system.
$ Set process/privilege=(oper,prmmbx,security)
$!
$ Reply/enable=Oper12
$!
$ Set audit/alarm/enable=(breakin=all,login=all,audit)
$!
$! NOTE(review): RUN/DETACH returns before BREAKIN has created the
$! mailbox, so the SET AUDIT/LISTENER that follows can race it; the
$! program itself expects the mailbox to exist first.
$ Run/detach BREAKIN
$!
$ Set audit/listener=listener_mbx
$!
$ Thats_all:
$!
$ Write Sys$output "That's all folks!!!"
$ exit