$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$ Introduction to Hacking into LANs.. $$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$


An official THUG production..

Written by Laughing Gas for Solsbury Hill BBS.

(Please keep the filename as THUGLAN1.TXT where possible)


::: Foreword :::

I don't have a lot of experience at hacking a lot of different
types of LANs, or any secret information that couldn't be found by
anyone else with a little hard work, but in an effort to spare
you that hard work, I wrote this file..

I was going to make this only one file, and include everything in
it, but since it's already about 13k and that's without any
specific discussion of the Novell system, I'm going to break it
up into a series. Keep a look out for the next file, it'll have
more information on the actual hacking of a Novell system, and
possibly other files focusing on other systems.

Subjects discussed (contents basically):

Foreword
About LANs: the basics
The basics of a Novell Network, and Logging In
Once you're in DOS
System Files
Brute force hacking in

onward...

::: About LANs: the basics :::

For people who know nothing at all about computers, or
telecommunications, or networks, this file probably won't be very
useful, but I will attempt to provide information in a way that
the least experienced computer user can understand it. To that
end, here's a brief section on what exactly a LAN is, how it
works, and so on.

LAN stands for Local Area Network. A network, in computer terms,
is any system which allows a person on one computer to share
resources with one or more other computers. There are two main
types, the LAN and the WAN (Wide Area Network). A WAN conforms to
the definition of a network the same way a LAN does: it allows a
person on one computer to use the resources of one or more other
computers. So what's the difference? A LAN is a small network,
usually contained in a single building, and if not, then in a
single complex. A WAN is almost never contained in a single
building or complex, and usually extends over several states,
across the entire nation, or internationally. An example of a
WAN is the Internet, one of the biggest and most hacked WANs
ever. The Internet connects thousands upon thousands of
computers all over the world, at universities, military sites,
commercial sites, and more.

Another type of network is a PSN, which is similar to a WAN in
that it always extends out of a complex. PSN stands for Packet
Switching Network. What a PSN does is bundle data from the local
terminal into a packet, assemble it at the local PAD (packet
assembler/disassembler), send it through a series of in-between
PADs, and when it reaches its destination, it is disassembled by
that PAD and fed to that computer. This allows a PSN whose PADs
are in a chain, where PAD A is local to PAD B and PAD B is local
to PAD C but PAD A is not local to PAD C, to send a packet from A
to B to C and not pay the expense of sending directly from A to
C. A PSN almost always uses phone lines for at least part of its
connections.

A WAN or LAN operates on a different principle: it sends
information directly from the local terminal to its destination.
In the case of a WAN, the information may pass through phone
lines, but it might not, depending on what exactly you are doing.
On the Internet, if you are connected to a university, you can
log into a computer at that university and you will be on a
direct connection, but you can call another university or
military site from there, and your data will travel over the
phone lines, or maybe even over a PSN or another network.

A LAN will ALWAYS be a local direct connection. The most common
setup on a LAN is that there are 2 or more terminals in one or
more rooms that are hooked up to one or more servers. That is
the case we will assume is true in examples throughout this file
unless otherwise specified. (We'll also assume that the LAN is
set up with IBM MS/PC-DOS compatible computers.)

One scenario for how a LAN is set up would be like this: there
are 20 IBM PS/2 Model 25's with dual 720k drives, 640k of memory,
and no hard drive, hooked up to an IBM PS/2 Model 80 with 20 megs
of memory, a 330 meg hard drive, and a 1.44 meg and a 1.2 meg
drive. In this case, the Model 80 would be the server. Each
terminal would have to have a boot disk for the network. (An
alternate situation would be if the computers had boot PROMs,
which redirect local drive activity to allow the terminals to
boot from the server's hard drive.) If you just put a DOS disk
in a terminal and turned it on, you could use the full 640k of
memory, and both drives, for whatever you wanted. However, if you
put in a network boot disk (or ran the network setup and login
programs from any disk) you would then be connected, or logged
in, to the network. At this point, you could access any program
on the server's hard drive (basically giving the 20 machines
without hard drives a 330 meg drive to share). There only needs
to be one copy of each program that will be run, no matter how
many people are using it. (Assuming of course that the program
is network compatible; some programs, such as perhaps a BBS
program, or something using communication interrupts, or with
files constantly open, etc., may not function with a network at
all, or may crash the terminal or the whole network.) There are,
however, special programs installed on the network to allow
different terminals to share files and so on. Data files can be
saved on the server's hard drive, or on the local disk drives.

One function of the network software (the "shell" that the boot
disk loads, covered in the next section) is to hook the DOS
function interrupt (INT 21h for MS/PC-DOS) and decide what to do
with each call: either pass it on to DOS, or handle it itself.
That is how a file operation on a network drive letter ends up
going to the server instead of to a local disk.

::: The Basics of a Novell Network, and Logging In :::

Novell NetWare (tm) is one of the most common pieces of network
software available for IBM MS/PC-DOS networks.

Basically, Novell works like this: either on the boot disk, or,
if the computer has boot PROMs, on the server's hard drive, in
the AUTOEXEC.BAT you'll find a setup somewhat like this (the
comments preceded by semicolons (;) are my notes on the listing,
not part of the batch file):

@ECHO OFF
prompt $p$g     ;changes prompt to include path
mouse           ;load mouse driver
                ;and other such stuff in the very beginning
IPX /options    ;prepares the computer for the network
NET3            ;loads network
login 4         ;automatically logs in as computer #4
menu net        ;loads the nifty menu

Not all computers will have all of these things; there may not
be mouse drivers, there may be extra things (initialize plotters,
etc, etc). Anyway, they should have IPX and NET3 (NET3 is the
shell for DOS 3.x; on other DOS versions it will be NET4, NET5 or
the version-independent NETX), and PROBABLY login xxx.

The way the login program works is thus: running LOGIN with no
options will get you a prompt of "Username:", then, after
entering a valid username, "Password:" (prompts may be
different..). If you don't enter a valid username, it'll let you
know. If you enter LOGIN with one option, it will try to process
that as a username, and if it's valid you'll receive just the
"Password:" prompt (and if the account has no password at all,
as with the "login 4" above, you're simply in). If you enter two
parameters, it will process the first as the username, and the
second as the password, which means a boot disk with a
two-parameter login line carries that account's password in
plaintext for anyone who reads the disk. If there isn't a login
xxx type of command, there should be just a LOGIN command which
will prompt you for username and password.
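
Since the boot disk's AUTOEXEC.BAT decides how much of the login
the terminal does for you, it pays to be able to read one at a
glance. The following is an added example of mine, not code from
the original file and nothing Novell shipped: it classifies an
AUTOEXEC.BAT by the three LOGIN forms just described and reports
what that means. It assumes this file's listing convention that
semicolon comments are annotations (so it strips them), treats
NET3/NET4/NET5/NETX as the shell, and the batch text it parses is
a constructed sample, not a real disk.

```python
"""Classify a NetWare boot-disk AUTOEXEC.BAT by what its LOGIN line will
still ask the user for, following the three LOGIN forms described above.
Added example, not code from the original file; the batch text below is a
constructed sample in the style of the listing above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample. The ';' comments follow this file's annotation
# convention (assumption: they are notes, not part of a real AUTOEXEC.BAT).
SAMPLE_AUTOEXEC = """@ECHO OFF
prompt $p$g        ;changes prompt to include path
mouse              ;load mouse driver
IPX /options       ;prepares the computer for the network
NET3               ;loads network
login 4            ;automatically logs in as computer #4
menu net           ;loads the nifty menu
"""

# NET3, NET4, NET5 or NETX: the shell matching the DOS version in use.
SHELL_RE = re.compile(r"^NET[2-6X]$")


@dataclass
class BootProfile:
    loads_ipx: bool = False
    loads_shell: bool = False
    has_login: bool = False
    login_server: Optional[str] = None        # from the LOGIN SERVER/USER form
    login_user: Optional[str] = None
    login_password: Optional[str] = None
    prompts_for: Tuple[str, ...] = ()         # what LOGIN is left to ask for
    menu: Optional[str] = None
    other_commands: List[str] = field(default_factory=list)


def parse_autoexec(text: str) -> BootProfile:
    """Walk the batch file once and record how it attaches and logs in."""
    prof = BootProfile()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip().lstrip("@")   # drop note and '@'
        if not line:
            continue
        tokens = line.split()
        cmd, args = tokens[0].upper(), tokens[1:]
        if cmd == "REM":
            continue
        if cmd == "IPX":
            prof.loads_ipx = True
        elif SHELL_RE.match(cmd):
            prof.loads_shell = True
        elif cmd == "LOGIN":
            prof.has_login = True
            apply_login_form(prof, args)
        elif cmd == "MENU":
            prof.menu = args[0].upper() if args else None
        else:
            prof.other_commands.append(line)
    return prof


def apply_login_form(prof: BootProfile, args: List[str]) -> None:
    """LOGIN with zero, one or two parameters, as described in the text."""
    if not args:
        prof.prompts_for = ("username", "password")
        return
    target = args[0]
    if "/" in target:                          # LOGIN SERVER/USER also exists
        server, target = target.split("/", 1)
        prof.login_server = server.upper()
    prof.login_user = target.upper()
    if len(args) == 1:
        prof.prompts_for = ("password",)       # skipped if the account has none
    else:
        prof.login_password = args[1]          # second parameter: the password
        prof.prompts_for = ()


def findings(prof: BootProfile) -> List[str]:
    """What reading the disk tells you, most important first."""
    out = []
    if prof.login_user and prof.login_password:
        out.append(f"password for {prof.login_user} is stored in plaintext on the boot disk")
    elif prof.login_user:
        out.append(f"account {prof.login_user} is fixed; LOGIN only asks for its password, if any")
    elif not prof.has_login:
        out.append("no LOGIN line: the user runs LOGIN by hand, or is left at a DOS prompt")
    if prof.menu:
        out.append(f"drops into MENU {prof.menu}; Esc from the menu normally lands in DOS")
    if not (prof.loads_ipx and prof.loads_shell):
        out.append("IPX or the NETx shell is missing: this disk does not attach to the network")
    return out


if __name__ == "__main__":
    for note in findings(parse_autoexec(SAMPLE_AUTOEXEC)):
        print("-", note)
```

Run it as a script to print the findings for the sample; the same
parse_autoexec can be pointed at the AUTOEXEC.BAT copied off any
boot disk you come across. The two-parameter case is the one to
look for: the password is sitting on the floppy.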

If the network prompts you for a username and password, you're
stuck; you have to do some hacking to get in. This file mainly
covers what to do once you're on, but see the section later on
getting in.

The line "menu net" will execute the network's MENU function with
the menu defined as NET. On my school's network this has
selections such as Word Perfect, a typing tutor, etc. If there
is another command here, it will run that program. If there is
no command here you are simply in DOS. If you are on the MENU
NET, or any other MENU <whatever> command, then simply hit the
escape <esc> key and answer yes, then press return and you are in
DOS. I believe it is possible to have set up the network to
automatically log you out at this point, but I've never seen
this. If this happens, you'll still be in DOS, and you can just
type LOGIN to log in again; if you had to enter a name and
password before, do it again, and there you are. If not, then
type "TYPE AUTOEXEC.BAT" and see what the login command was,
enter it again, and you'll be logged on to the network and in
DOS. If you are automatically put into some other sort of
program when it boots up, then it's up to you to find out how to
get into DOS on your own.

The format for the menus will be discussed in detail in my next
file, but basically it's the name of the menu on the first line,
then each menu option on a separate line, with the commands to
run for that menu option following it, each indented by at least
one space, like this:

---[cut here]---
MAIN MENU       ; (menu name)
WORD PERFECT    ; (menu option #1)
  CD\WP50       ; (change to wp dir)
  WP            ; (run word perfect)
  CD\LOGIN      ; (change back to login dir)
FOX-BASE        ; (menu option #2)
  CD\FOX
  FOX
  CD\LOGIN
---[cut here]---

Etcetera, etcetera.
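
To make that format concrete, here is an added example (my own
code, not from the original file and not Novell's MENU utility)
that parses a menu file laid out the way this section describes
and then follows the CD commands to work out which program each
option runs and from which directory. Assumptions: the semicolon
comments are annotations and get stripped, the menu starts out in
the LOGIN directory (the sample changes back to it after every
option), and every non-CD command line names a program to
execute. The sample menu is the one above, embedded as a
constructed string.

```python
"""Parse a menu file laid out the way this section describes (menu name on
the first line, options at column 0, each option's commands on the lines
below it indented by at least one space) and work out which program each
option runs and from which directory. Added example, not Novell's MENU
utility and not code from the original file."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# The menu from the text, embedded as a constructed sample. The ';' notes
# are this file's annotations (assumption: not part of a real menu file).
SAMPLE_MENU = r"""MAIN MENU       ; (menu name)
WORD PERFECT    ; (menu option #1)
  CD\WP50       ; (change to wp dir)
  WP            ; (run word perfect)
  CD\LOGIN      ; (change back to login dir)
FOX-BASE        ; (menu option #2)
  CD\FOX
  FOX
  CD\LOGIN
"""

# Matches the DOS forms CD\DIR, CD DIR, CD.. and a bare CD, but not CDPLAYER.
CD_RE = re.compile(r"^CD(\\|\s|\.\.|$)", re.IGNORECASE)


@dataclass
class Menu:
    name: str
    options: List[Tuple[str, List[str]]] = field(default_factory=list)


def parse_menu(text: str) -> Menu:
    """First line is the menu name; column-0 lines are options; indented
    lines are the commands belonging to the most recent option."""
    menu = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip annotation
        if not line.strip():
            continue
        if menu is None:
            menu = Menu(name=line.strip())
        elif line[0].isspace():
            if not menu.options:
                raise ValueError("command before any option: " + line.strip())
            menu.options[-1][1].append(line.strip())
        else:
            menu.options.append((line.strip(), []))
    if menu is None:
        raise ValueError("empty menu file")
    return menu


def change_dir(cwd: str, target: str) -> str:
    """Apply a DOS CD argument to cwd: backslash-prefixed (absolute), '..',
    or a subdirectory name relative to cwd."""
    target = target.strip()
    if target.startswith("\\"):
        return target.rstrip("\\") or "\\"
    if target == "..":
        return cwd.rstrip("\\").rsplit("\\", 1)[0] or "\\"
    return cwd.rstrip("\\") + "\\" + target


def executed_programs(menu: Menu, start_dir: str = "\\LOGIN") -> List[Tuple[str, str, str]]:
    """(option, program, directory) for every program MENU will run.
    start_dir is an assumption: the sample returns to the LOGIN directory
    after each option, so it is taken to start there. Whatever file of that
    name sits in that directory is what the next user runs, so these are
    the directories whose write access is worth checking."""
    runs = []
    cwd = start_dir
    for option, commands in menu.options:
        for cmd in commands:
            if CD_RE.match(cmd):
                target = cmd[2:].strip()
                if target:                            # a bare CD only prints cwd
                    cwd = change_dir(cwd, target)
            else:
                runs.append((option, cmd.split()[0].upper(), cwd))
    return runs


if __name__ == "__main__":
    m = parse_menu(SAMPLE_MENU)
    print("menu:", m.name)
    for option, program, where in executed_programs(m):
        print(f"  {option:<14} runs {program} from {where}")
```

The reason to track the directory: MENU runs whatever file of
that name is in that directory, so the list this produces is
exactly the set of places where a planted program called WP or
FOX would get executed by the next person who picks that option.
That makes it a quick way to decide which server directories'
write permissions to check first.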


::: Once you're in DOS :::

To find out what drives are available to you, do this (for you
non-IBM people):

Type A: (followed by return), then B: (followed by return), then
C: (return), etc.. all the way through Z:. If you ever get a "Not
ready error reading drive <whatever>: Abort, Retry, Ignore?",
just hit A for Abort, it can't hurt anything. Write down all the
letters which are successful. A-E will most likely be the
terminal's drives (DOS keeps the letters up to its LASTDRIVE
setting, which defaults to E:, for local drives, which is why the
first network drive on a NetWare LAN is usually F:). If the
terminal is a diskless terminal, then A-E probably won't exist.
If not, A and B, if they exist, will be floppies, and C-E will be
local hard drives. (Although it is probably possible to configure
A-E as network drives too.)

It is up to the system administrator(s) how the LAN is set up,
but here is how one of my school's LANs is set up:

A:   terminal floppy (720k)
B:   terminal floppy (720k)
C-E: configured as local drives, but there are none installed
F:   main network drive
V-Z: specific network programs; these aren't real drives, rather
     "fake" drives created by the SUBST DOS program.

The files and directories on F: are..

AUTOEXEC.BAT     : 0 byte phoney autoexec (since bootdisks are req'd)
GUIDE.BAT        : (loads teachers guide or something)
Directory PUBLIC : contains public info and all net programs
Directory SYSTEM : contains network utilities
Directory MAIL   : subdirectories contain mail
Directory LOGIN  : dups of other files for logging in & data
Directory DBASE  : dBase III
Directory WP50   : contains Word Perfect 5.0
Directory VP     : V-planner
Directory TYPING : Typing Tutor
Directory ALPHA  : Alphabetic Keyboarding
Directory FOX    : Fox-Base
(and some other directories for various programs)

Then the drives V-Z are like this:

V:\VP>   (just the F:\VP directory subst'd to V:)
W:\WP50> (just the F:\WP50 directory subst'd to W:)
etc.. through Z:

(subst'd means "substituted" with a DOS program called SUBST.EXE
which allows you to make a directory on one drive into a complete
new virtual drive. On a NetWare LAN the same effect is usually
produced by the network's own MAP command, which assigns drive
letters to server directories and hands out "search drives"
starting at Z: and counting down, so seeing letters like V-Z is
normal even where SUBST was never run.)

The most interesting programs are in F:\PUBLIC. My system has no
mail on it (how boring), so I don't have any information on what
the mail directories are like (other than that they are set up
like this:
F:\MAIL\
F:\MAIL\Z14123
F:\MAIL\01234
F:\MAIL\D123111
etc) although I assume it would be easy enough to read the mail
with the TYPE command, or a program of your own for reading text
files.. (One thing worth knowing about those subdirectories: on
NetWare each one belongs to a single user and is named after that
user's ID number, and besides mail it holds the user's personal
login script, a text file the network runs every time that user
logs in. Who can write to it matters.)

The SYSTEM directory has some files that are interesting, but the
actual programs also exist in PUBLIC, and the data files are
generally boring (although you might want to scan through them to
see if there is anything interesting..)



::: System Files :::

This is one of the main sections I cut out of the file. The
sequel to this file will have a COMPLETE list of all files
distributed with the network, as well as all DOS files for users
who aren't familiar with DOS, with complete descriptions of what
they do, and how to use them to your advantage.

In the meantime, for non-MSDOS users, here's a quick rundown on
how files are handled.

When you type DIR you get a directory listing which shows all the
files and directories in the current subdirectory. A filename
under MSDOS consists of up to 8 characters plus up to 3
characters for an extension (ie AUTOEXEC.BAT, FILENAME.EXT, or
F.F). A file with an extension of .COM or .EXE can be executed
by typing the name of the file (and optionally the extension) at
the DOS prompt (like C:\PUBLIC>). A file with an extension of
.BAT is a script or shell file which is in straight ASCII form
and can also be executed by typing the name at the DOS prompt,
but it is executed line by line by the DOS command interpreter,
instead of actually being loaded as a program with data and code
segments. DOS's .BATch language is pretty shitty as far as
script languages go; if you're used to dealing with unix or any
other more advanced language, you'll hate it.

A file which has a <DIR> instead of a file size is a
subdirectory. You can make this your current directory by typing
"CD directory-name" (ie, "CD LAN") or you can go down two
subdirectories by typing "CD LAN1\LAN2". You can go up one
subdirectory by typing "CD .." (CD-space-period-period) or up to
the top by typing "CD\".

Another note: the AUTOEXEC.BAT file is automatically executed
each time the computer is booted from the disk it resides on, so
it's a good place to add your own commands. The CONFIG.SYS file
loads drivers and such into memory.

I'm not going to cover any more about DOS files or commands here;
there may be some more in the next file, but if you are
completely DOS-uneducated I suggest you ask friends or buy a
book. I'm sure there are also DOS tutorials available in text
form. If enough Commodore and Apple type people ask me, I'll
write a comprehensive file explaining all the DOS commands
basically and some things that a hacker on a DOS system might
want to know. Remember, they do call it MeSsy-DOS, and it is.



::: Brute force hacking into the system :::

If you get just a straight LOGIN.EXE with no options in the
AUTOEXEC, or a login with a name but you need to know the
password (I've never encountered that), then you have to actually
do some brute force hacking, or social engineering. The two most
common accounts I know of are Supervisor (for the system admin)
and Guest, which will probably be left on. On my school's system
there are accounts 1-20 for each of the computers (in one lab; in
another it's c1,c2,c3..c20). If the system is secure enough to
force an account/password to be known for each login, then I
doubt you can break out of the AUTOEXEC, but it's worth a try:
just bang away on Ctrl-C or Ctrl-Break as much as you can.
Optionally, if you have to have a boot disk, then make your
own... with no AUTOEXEC, so you can just LOGIN however you like
(the server only ever sees the LOGIN; it has no say over what the
terminal boots from), or get someone already on the system to
install a trojan to snag passwords for you, etc.

About actually finding other passwords once you're on: there are
several programs available for various types of LANs on various
types of computers (sometimes with source) which intercept calls,
or log keystrokes from the login program, and store the results
in a hidden file. On an unsecured LAN, these programs are almost
definitely going to yield a 100% success rate, and probably won't
be found if installed right. (They depend on being able to write
into the directory LOGIN runs from, so whether PUBLIC and LOGIN
are read-only to ordinary users is the first thing to check, from
either side.) And on a LAN as unsecured as the one at my school,
you could stick pirate wares right in the PUBLIC directory and no
one would notice (or at least they haven't yet).



::: Conclusion :::

Well, that wraps it up. In the next file I'll include all the
Novell specific info, and complete information on all Novell
files.

Also, I corrected a lot of mis-information and mis-wording in
this file. I very likely missed some; I'll include any
corrections in the next file. If you find anything wrong with
it, contact me on Solsbury Hill, we're in 301.

Laughing Gas, 5/17/91.