138 lines
8.3 KiB
Plaintext
138 lines
8.3 KiB
Plaintext
Unauthorised Access UK 0636-708063 10pm-7am 12oo/24oo
|
|
|
|
Hackers Cove 8:30pm-7am +44 (0)204 792642
|
|
|
|
--------------------------------------------------------------------------------
|
|
Research Machines Nimbus hacking, by The Green Rhino
|
|
--------------------------------------------------------------------------------
|
|
|
|
Please upload to other boards, but keep this header intact.
|
|
Any corrections will be welcomed.
|
|
|
|
|
|
--------------------------------------------------------------------------------
|
|
As everybody probably already knows, Research Machines sell, what they claim
|
|
to be a computer, as the Nimbus. They charge double the price anybody else
|
|
charges so that they can then give schools their traditional discount. Looking
|
|
back through some PCW issues, I found a review that suggested that Nimbuses
|
|
(Nimbi? Nimbus with a long 'u' ?), with MS-NET were the best computers that a
|
|
school could buy. They were supposed to be faster, and more powerful, because
|
|
of the 80186 processor, and the network was found to be the most reliable and
|
|
fastest. They may have been better than any others at the time, but their
|
|
performance still leaves a lot to be desired.
|
|
|
|
Anyway, enough prattle, now what about hacking the network? The simplest, and
|
|
quickest way to get at the root directory is of course to get at the
|
|
fileserver, terminate the server program, and then you're in. Just type the
|
|
user password file, and then CTRL-ALT-DEL to restart the server.
|
|
|
|
As far as I know, there are two releases of the network software, and their
|
|
file structures are organised slightly differently. I'll start with release
|
|
1. The logon screen is a light blue colour. This is limited to about 64
|
|
offers. An offer is a resource e.g. a printer, a floppy drive, or a fixed
|
|
disk. An offer can be defined at the file server either at boot-up, or while
|
|
the network is running. The syntax is:
|
|
SHARE <resource name>=<path name> (password) (/[rwcd])
|
|
The resource name is an arbitrary name for the offer, up to (I think) 8
|
|
characters long. The path name is something like: "C:\FOO.BAR", or "PRN:".
|
|
There can be one or more switches, which begin with a '/' , after the password
|
|
. They are (R)ead access, (W)rite access, (C)hange access, (D)elete. They
|
|
are independent of each other, but must occur in that order.
|
|
|
|
If no access is given to a resource then anything connected to the resource
|
|
can not do anything, apart from select, and deselect it. For example, if the
|
|
resource without access is a drive, you can change to that drive, and even
|
|
change directory, but you can't do a directory of the files on the disk.
|
|
Usually read and write access is given to most resources, with important
|
|
offers being given only read access. For example, in the standard setup,
|
|
normal users are given only read access to drive P, which is public, and
|
|
read/write/change access to drive N. By the way, if you are given read and
|
|
write but not change, you just can't delete any file, although you can save
|
|
files. Also, you would normally be given only write access to a printer!
|
|
|
|
The resource name in Release 1 is usually the user name, for example two
|
|
common resource shares might be:
|
|
SHARE user1=C:\user1 pw1 /rwc
|
|
SHARE public=C:\public pw2 /rwc
|
|
|
|
So far, I haven't mentioned the password field, or how users are allocated
|
|
to resources etc. The password field is just an optional, up to 8 character
|
|
field that means that people with a little utility called USE, can't just get
|
|
in. (But more of that later). The resources are totally separate from the
|
|
users, and are held in a file called OFFERS, which, in Release1, is held on
|
|
the root directory of the server boot-up floppy.
|
|
|
|
The users information, passwords, access etc., are held in a file called USERS.
|
|
NET somewhere on the Winchester. This is generated from USERS.TXT, which
|
|
contains in ASCII format the passwords, and access. USERS.TXT is not
|
|
essential, and it is redundant in Release 2. USERS.NET is not TYPEable, but
|
|
if you try doing an ASCII dump, ignoring control characters (DEBUG.COM is good
|
|
for this), you'll see somewhere a list of user names and passwords. This file
|
|
also contains details of which resources are allocated to users. It will
|
|
contain the resource names and passwords (if any). Another way to get the
|
|
resource names and passwords is to watch the server's screen when it boots
|
|
up! If you can't understand what is happening with USERS.NET, and your
|
|
system has MAIL installed, try typing the file USERS in \MAIL.
|
|
This contains the mail passwords which are by default the login ones.
|
|
|
|
Using the user information is easy -- just type in the user name and password
|
|
at the login screen. A user to watch out for is NETMGR. He has access to
|
|
the whole hard disk -- if you succeed in cracking this user,
|
|
try drives K,L,M and N. The default password is SECRET, and it is sometimes
|
|
not changed. But doing it this way is a bit elementary, and you can get
|
|
caught all too easily if someone types 'STATUS' on the file server, as the
|
|
user name, and machine number will be displayed on the screen.
|
|
|
|
If you manage to obtain the resource names and passwords, what use are they?
|
|
Somewhere on the network you will find a little utility called USE.EXE. It
|
|
may be on the public drive, or the server boot-up floppy. The files NET.EXE,
|
|
NET.HLP, and USE.HLP, and SETNAME.COM may be of use as well. Anyway, the
|
|
syntax is:
|
|
To connect: USE <device name> \\netname\resourcename (password)
|
|
To disconnect: USE <device name> /d
|
|
Alternatively, REUSE.EXE will do just as well. Its syntax is:
|
|
REUSE <device name> \\netname\resourcename (password)
|
|
|
|
What do they do? USE (dis)connects you to a resource. REUSE connects you
|
|
to a different resource. The fields for these commands are the same as for
|
|
the SHARE command, apart from the netname command. Try typing 'SET' when
|
|
you're logged on. Somewhere there may be a line saying 'SERVER=', and then
|
|
the net name. If not, it will usually be SERVER, or SERVER1.
|
|
|
|
This is a rather sketchy report, since I don't have time to explain
|
|
everything, but another idea is to monitor the data sent across the network
|
|
directly, using sub-Bios calls. You can use BBC BASIC, or RM BASIC with the
|
|
Sub_Bios extension package to make them. For details of the calls, have a
|
|
look in the Advanced Reference Manual.
|
|
If you do manage to get USE working, then first type 'SETNAME .'. That is:
|
|
setname <dot>. This means that nobody will notice that you are using the root
|
|
directory resource.
|
|
|
|
Release 2 is slightly different. This has a dark blue screen, and the
|
|
standard system message after booting up is: 'Welcome to The Standard Network
|
|
release 2', or something of the sort. There is also a space at the bottom
|
|
where the network manager can place messages. In release 2, all the
|
|
interesting files are kept in \network, and \mgr of the hard disk. The
|
|
files in \mgr are automatically copied over to \network on boot-up, and so
|
|
the \network files are the ones in operation, the \mgr files are the ones
|
|
that will be used next boot-up. Make any modifications to files in the \mgr
|
|
directory, so that the changes won't immediately be noticed. An interesting
|
|
file to change is SYSMESS.TXT. There are other executable files in the \MGR
|
|
directory, the most notable of which is NETMAN. Just be careful using it.
|
|
The best thing is to copy all the files in \MGR over to your ram drive, run
|
|
NETMAN in the ramdrive, and then copy NETGO.BAT, and USERS.NET back to \MGR
|
|
. You get sharing violation errors if more than one person tries to run
|
|
netman directly, so check first. If you add a line at the beginning of the
|
|
file NETGO.BAT saying NETST, and create a batch file which copies USERS.NET
|
|
over to the public drive under an innocuous name, then you will be able to
|
|
find out anybody's password at any time.
|
|
|
|
Whatever you do DON'T delete important files, or somebody else's work.
|
|
It's just hooliganism and is absolutely pointless, like the viruses that are
|
|
going round. Anybody who knows enough and wants to can easily stop them --
|
|
it's only innocent users who don't know what's going on who get caught.
|
|
What might be an idea is a little suggestion in SYSMESS.TXT that the
|
|
security is improved.
|
|
--------------------------------------------------------------------------------
|
|
Downloaded From P-80 Systems 304-744-2253
|