I want to continue with the archaeology posts; this time we shift away from the CCCP and look into the USA Unix world. I have already covered some aspects of Tru64 Unix in a previous post here:
https://astr0baby.wordpress.com/2014/04/07/running-tru64-unix-inside-a-vm-for-metasploit-testing/
I wanted to update some information about the LAB layout, scripting and, most importantly, the link to the “now unavailable” alphavm_free binary (Linux 64-bit).
So first you need to get the hypervisor for Alpha for amd64 Linux
https://dropfile.to/tmjkw4H (DEAD)
Next, I have updated my network configuration script, which implements the LAB layout shown in the diagram below. The script is executed prior to starting alphavm_free:
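#Setup tap and bridge
# Create tap0, owned by the account that runs alphavm_free
tunctl -t tap0 -u user
ifconfig tap0 up
# Create bridge br0, attach eth0 and set the forwarding delay to 0
brctl addbr br0
brctl addif br0 eth0
brctl setfd br0 0
ifconfig eth0 10.0.2.1 up
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
# Attach the emulator's tap interface to the bridge
brctl addif br0 tap0
ifconfig tap0 0.0.0.0
# Route and NAT lab traffic out through wlan0
sysctl net.ipv4.ip_forward=1
iptables -A FORWARD --in-interface eth0 -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE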
The diagram above shows the network topology I use in my lab example.
The alphavm_free configuration file is here:
system {
    type = ds10_616;
    reported_type = default;
    num_cpus = 1;
    ssn = 'EmuVM-00-000-001';
    interval_clock_freq = 1000;

    memory {
        size = 1024;
    }

    cpu {
        server = basic;
        jit {
            async = yes;
        }
    }

    serial com1 {
        server = socket;
        port = 3000;
    }

    serial com2 {
        server = socket;
        port = 3001;
    }

    scsi_controller qla0 {
        scsi_id = 7;
    }

    scsi_controller qla1 {
        scsi_id = 7;
    }

    scsi_disk dka0 {
        scsi_bus = 0;
        scsi_id = 0;
        scsi_lun = 0;
        file = 'disk.dd';
        caching = no;
        write_through = yes;
    }

    scsi_disk dka1 {
        scsi_bus = 0;
        scsi_id = 2;
        scsi_lun = 0;
        file = 'disk2.dd';
        caching = no;
        write_through = yes;
    }

    scsi_cdrom iso {
        scsi_id = 4;
        file = 'gnu.tru64.iso';
    }

    ether eth0 {
        type = dec21040;
        server = dummy;
        mac_address = 0x08002B000001;
    }

    ether eth1 {
        type = dec21040;
        server = tap;
        interface = 'tap0';
        mac_address = 0x08002B000002;
    }
}
The start-up command
./alphavm_free config.emu
And the console connection script
socat -,raw,echo=0,escape=0x1c tcp:127.0.0.1:3000
Afterwards we use standard SRM Firmware Console commands to boot the installed system
boot dka0
Here are some HOWTOs regarding Tru64 Unix
vncserver howto
Edit the /home/root/.vnc/xstartup file to load CDE:
#!/bin/sh
/usr/dt/bin/Xsession &
RPM package install from GNU.ISO
Installing the GNU package toolkit from CDROM

INSTALLING Red Hat Package Manager

Execute the following shell script from the command line (as superuser):

# /mnt/SETUP/RPM-init.ksh

Please note that the RPM-init.ksh is a mandatory step (even if you have already installed any or all of the rpm kits from the previous OSSC kits). This script will ensure that your system meets the minimum requirements and checks for a previously installed version of RPM. If no prior RPM installation is found and provided that all requirements are met, it restores from a compressed archive all of the RPM 3.0.2 program files and initializes a new RPM database.

If an RPM 2.5 installation is found on your system, the script will query your RPM database for installed packages (saving the output to /tmp/rpm-2.5-packages.lis) prior to installing the RPM 3.0.2 program files. It will then compare the list of previously installed packages against a list of the packages contained on this CD-ROM. Each of the previously installed packages will be upgraded to their corresponding new versions.

# /usr/local/bin/rpm -ihv <package_file>
Mounting CDROM
mkdir /cdrom
ISO 9660
mount -t cdfs -o noversion /dev/disk/cdrom0c /cdrom
Configuring today's SSH clients to connect to Tru64 sshd 3.2.0
~/.ssh $ cat config
Host 10.0.2.10
    KexAlgorithms +diffie-hellman-group1-sha1
Host 10.0.2.10
    HostKeyAlgorithms +ssh-dss
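Both options re-enable algorithms that current OpenSSH clients leave disabled by default, so they should stay confined to the Tru64 host entry as shown. The check below is an added example, not part of the original post: it reports legacy algorithms that a client config enables globally, under a wildcard Host pattern, or in a Match block. The function names, the algorithm names beyond the post's two, and the sample config are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Reads an OpenSSH client config and
# prints "<scope> <keyword> <algorithm>" for legacy algorithms not tied to one host.
audit_ssh_config() {
    awk '
    BEGIN {
        scope = "GLOBAL"    # options before the first Host line apply to all hosts
        # First two names are from the post; the rest are assumed additions.
        n = split("diffie-hellman-group1-sha1 ssh-dss diffie-hellman-group-exchange-sha1 3des-cbc arcfour", w, " ")
        for (i = 1; i <= n; i++) weak[w[i]] = 1
    }
    /^[ \t]*(#|$)/ { next }                     # comments and blank lines
    {
        # ssh_config also accepts "Keyword=value"; normalise to a space
        if ($0 ~ /^[ \t]*[A-Za-z]+[ \t]*=/) sub(/[ \t]*=[ \t]*/, " ")
        key = tolower($1)
    }
    key == "host" {
        scope = "HOST"
        for (i = 2; i <= NF; i++)
            if ($i ~ /[*?]/ && $i !~ /^!/) scope = "WILDCARD"
        next
    }
    key == "match" { scope = "MATCH"; next }    # not evaluated, always reported
    scope != "HOST" && key ~ /^(kexalgorithms|hostkeyalgorithms|pubkeyacceptedalgorithms|ciphers)$/ {
        val = $2
        if (val ~ /^-/) next                    # "-list" removes algorithms
        sub(/^[+^]/, "", val)                   # "+list" appends, "^list" prepends
        m = split(val, a, ",")
        for (i = 1; i <= m; i++)
            if (a[i] in weak) print scope, key, a[i]
    }
    ' "$@"
}
# Constructed sample: the host-scoped entries from the post plus two risky variants.
sample_config() {
    cat <<'EOF'
KexAlgorithms +diffie-hellman-group1-sha1
Host 10.0.2.10
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-dss
Host *
    HostKeyAlgorithms=+ssh-dss,ssh-ed25519
    Ciphers -3des-cbc
EOF
}

sample_config | audit_ssh_config
```

Run it against a real file with `audit_ssh_config ~/.ssh/config`; no output means every legacy algorithm is scoped to a literal host.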
And a remote nmap scan against a default Tru64 install:
nmap -sS -sV -vv 10.0.2.10

PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 128
22/tcp open ssh syn-ack ttl 128 SCS sshd 3.2.0 (protocol 2.0)
111/tcp open rpcbind syn-ack ttl 128 2 (RPC #100000)
514/tcp open tcpwrapped syn-ack ttl 128
543/tcp open login syn-ack ttl 128 Tru64 Unix logind
544/tcp open tcpwrapped syn-ack ttl 128
1024/tcp open status syn-ack ttl 128 1 (RPC #100024)
1025/tcp open nlockmgr syn-ack ttl 128 1-4 (RPC #100021)
1028/tcp open ttdbserverd syn-ack ttl 128 1 (RPC #100083)
1030/tcp open iad1? syn-ack ttl 128
1043/tcp open ttsession syn-ack ttl 128 1-4 (RPC #1342177279)
1044/tcp open dcutility? syn-ack ttl 128
1046/tcp open wfremotertm? syn-ack ttl 128
1048/tcp open neod2? syn-ack ttl 128
1055/tcp open ansyslmd? syn-ack ttl 128
1108/tcp open rpcbind syn-ack ttl 128
1111/tcp open lmsocialserver? syn-ack ttl 128
2049/tcp open nfs syn-ack ttl 128 2-3 (RPC #100003)
2301/tcp open http syn-ack ttl 128 Compaq Diagnostics httpd (CompaqHTTPServer 2.1)
5801/tcp open vnc-http syn-ack ttl 128 TightVNC
5802/tcp open vnc-http syn-ack ttl 128 TightVNC
5901/tcp open vnc syn-ack ttl 128 VNC (protocol 3.3)
5902/tcp open vnc syn-ack ttl 128 VNC (protocol 3.3)
6001/tcp open X11 syn-ack ttl 128 (access denied)
6002/tcp open X11 syn-ack ttl 128 (access denied)
6112/tcp open dtspc? syn-ack ttl 128
30000/tcp open unknown syn-ack ttl 128
49400/tcp open http syn-ack ttl 128 Compaq Diagnostics httpd (CompaqHTTPServer 2.1)
Some obligatory video
And this is a must watch :P