$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$ Introduction to Hacking into LANs.. $$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ An official THUG production.. Written by Laughing Gas for Solsbury Hill BBS. (Please keep the filename as THUGLAN1.TXT where possible) ::: Foreward ::: I don't have a lot of experience at hacking alot of different type of LANs, or any secret information that couldn't be found by any one else with a little hard work, but in an effort to spare you that hard work, I wrote this file.. I was going to make this only one file, and include everything in it, but since it's already about 13k and that's without any specific discussion of the novell system, I'm going to break it up into a series. Keep a look out for the next file, it'll have more information on the actual hacking of a novell system, and possibly other files focusing on other systems. Subjects discussed (contents basically): Foreward About LANs: the basics The basics of a Novell Network, and Logging In Once you're in DOS System Files Brute force hacking in onward... ::: About LANs: the basics ::: For people who know nothing at all about computers or telecommunications, or networks, this file probably won't be very useful, but I will attempt to provide information in a way that the least experienced computer user can understand it. To that ends, here's a brief section on what exact is a LAN, and how it works, and so-on. LAN stands for Local Area Network. A network, in computer terms is any system which allows a person on one computer to share resources with one or more other computers. There are two main types, the LAN and the WAN (Wide Area Network). A WAN is conforms to the definition of a network the same way a LAN does, it allows a person on one computer to use the resources of one or more other computers. So what's the difference? A LAN is a small network, usually contained in a single building, and if not, then in a single complex. A WAN is almost never contained in a single building or complex, and usually extends over several states, or across the entire nation, or internationally. An example of a WAN is the Internet, one of the biggest and most hacked WANs ever. The Internet is connected all over the world to thousands upon thousands of computers at universities, military sites, commerical sites, and more. Another type of network is a PSN, which is similar to a WAN in that they always extend out of a complex. PSN stands for Packet Switching Network. What a PSN does is bundle a packet of data from the local terminal, assemble it at the local PAD (packet assembler/disaseembler), send it through a series of in-between PADS and when it reachs a destination, it is disassembled by that PAD, and fed to that computer. This allows a PSN which has PADs which are in a chain where PAD A is local to PAD B and PAD B is local to PAD C but PAD A is not local to PAD C to send a packet from A to B to C and not pay the expenses of sending directly from A to C. A PSN almost always uses phone lines for at least part of it's connections. A WAN or LAN operates on a different principal, it sends information directly from the local terminal to it's destination. In the case of a WAN, the information may pass through phone lines, but it might not, depending on what exactly you are doing. On the Internet, if you are connected to a university, you can log into a computer at that university and you will be on a direct connection, but you can call another university or military site from there, and your data will travel over the phone lines, or maybe even over a PSN or another network. A LAN will ALWAYS be a local direct connection. The most common set up on a LAN is that there are 2 or more terminals in one or more rooms that are hooked up to one or more servers. That is the case we will assume is true in examples throughout this file unless otherwise specified. (We'll also assume that the LAN is set up with IBM MS/PC-DOS compatible computers) One scenario for how a LAN is set up would be like this: There are 20 IBM PS/2 Model 25's with Dual 720k drives, 640k of memory, and no hard drive hooked up to an IBM PS/2 Model 80 w/ 20 megs of memory, a 330 meg hard drive, and a 1.44 meg and 1.2 meg drive. In this case, the Model 80 would be the server. Each terminal would have to have a boot disk for the network. (An alternate situation would be if the computers had BOOT PROMS which redirect local drive activity to allow the terminals to boot from the server's hard drive) If you just put a dos disk in a terminal and turned it on, you could use the full 640k of memory, and both drives for whatever you wanted. However, if you put in a network boot disk, (or ran the network set-up and login programs from any disk) you would then be connected or logged in to the network. At this point, you could access any program on the server's hard drive (basically giving the 20 non-hard drive machines a 330 meg drive to share). There only needs to be one copy of each program that will be run, no matter how many people are using it. (Assuming of course that the program is network compatible, some programs such as perhaps a BBS program, or something using communication interrupts, or with files constantly open, etc. may not function with a network at all, or crash the terminal or the whole network.) There are however special programs installed on the network to allow different terminals to share files and so on. Data files can be saved on the server's hard drive, or on the local disk drives. One function of the network software is to capture all DOS interrupts (int 21 for MS/PC-DOS) and decide what to do with them- either pass them on to DOS, or handle it itself. ::: the Basics of a Novell Network, and logging in ::: Novell Netware (tm) is one of the most common pieces of network software availible for IBM MS/PC-DOS networks. Basically, novell works like this: either on the boot disk, or if the computer has boot proms, on the hard drive, in the AUTOEXEC.BAT you'll find a setup somewhat like this: (comments will be preceded by semicolons (;)) @ECHO OFF prompt $p$g ;changes prompt to include path mouse ;load mouse driver ;and other such stuff in the very beginning IPX /options ;prepares the computer for the network NET3 ;loads network login 4 ;automatically logs in as computer #4 menu net ;loads the nifty menu Not all computers will have all of these things, there may not be mouse drivers, there may be extra things (initialize plotters, etc, etc) anyway, they should have IPX and NET3, and PROBABLY login xxx. The way the login program works is thus; Running LOGIN with no options will get you a prompt of "Username:" then, after entering a valid username, "Password: " (prompts may be different..) if you don't enter a valid username, it'll let you know. If you enter LOGIN with one option, it will try to process that as a username, and if it's valid you'll recieve just the "Password: " prompt. If you enter two parameters, it will process the first as the username, and the second as the password. If there isn't a login xxx type of command, there should be just a LOGIN command which will prompt you for username and password. If the network prompts you for a username and password, you're stuck, you have to do some hacking to get in. This file mainly covers what to do once you're on, but see the section later on getting in. The line "menu net" will execute the network's MENU function with the menu defined as NET. On my school's network this has selections such as Word Perfect, a typing tutor, etc. If there is another command here, it will run that program. If there is no command here you are simply in DOS. If you are on the MENU NET, or any other MENU command, then simply hit the escape key and answer yes, then press return and you are in DOS. I believe it is possible to have set up the network to automatically log you out at this point, but I've never seen this. If this happens, you'll still be in dos, and you can just type LOGIN to log in again, if you had to enter a name and password before, do it again, and there you are, if not, then type "type autoexec.bat" and see what the login command was, and enter it again, and you'll be logged on to the network and in DOS. If you are automatically put in some other sort of program when it boots up, then it's up to you to find out how to get into DOS on your own. The format for the menus will be discussed in detail in my next file, but basically it's the name of the menu on the first line, then each menu option on a seperate line, with the commands to run for that menu option following with at least one space like this: ---[cut here]--- MAIN MENU ; (menu name) WORD PERFECT ; (menu option #1) CD\WP50 ; (change to wp dir) WP ; (run word perfect) CD\LOGIN ; (change back to login dir) FOX-BASE ; (menu option #2) CD\FOX FOX CD\LOGIN ---[cut here]--- Etcetera, etcetera. ::: Once you're in DOS ::: To find out what drives are availible to you do this (for you non-IBM people) type A: (followed by return) then B: (followed by return) then C: (return), etc.. all the way through Z:, if you ever get a "Not ready error reading drive : Abort, Retry or Ignore? " just hit abort, it can't hurt anything. And write down all the letters which are successful. A-E will most likely be the terminal's drives. If the terminal is a diskless terminal, then A-E probably won't exist. If not, A and B if they exist will be floppies, and C-E will be local hard drives. (Although it is probably possible to configure A-E as network drives too). It is up to the system adminsitrator(s) how the LAN is set up, but here is how one of my school's LANs is set up: A: terminal floppy (720k) B: terminal floppy (720k) C-E: configured as local drives, but there are none installed F: main network drive V-Z: specific network programs, these aren't real drives, rather "fake" drives created by the SUBST dos program. the files and directories on F: are.. AUTOEXEC.BAT: 0 byte phoney autoexec (since bootdisks are req'd) GUIDE .BAT: (loads teachers guide or something) Directory PUBLIC : contains public info and all net programs Directory SYSTEM : contains network utilities Directory MAIL : subdirectories contain mail Directory LOGIN : dups of other files for logging in & data Directory DBASE : DBase III Directory WP50 : contains Word Perfect 5.0 Directory VP : V-planner Directory TYPING : Typing Tutor Directory ALPHA : Alphabetic Keyboarding Directory FOX : Fox-Base (and some other directories for various programs) Then the drives V-Z are like this: V:\VP> (just the F:\VP> directory subst'd to V:) W:\WP50> (just the W:\WP> directory subst'd to W:) etc.. through Z: (subst'd means "substituted" with a DOS program called SUBST.EXE which allows you to make a directory on one drive into a complete new virtual drive) The most interesting programs are in F:\PUBLIC. My system has no mail on it (how boring), so I don't have any information on what the mail directories are like (other than that they are set up like this: F:\MAIL\ F:\MAIL\Z14123 F:\MAIL\01234 F:\MAIL\D123111 etc) although I assume it would be easy enough to read the mail with the TYPE command, or a program of your own for reading text files.. The SYSTEM directory has some files that are interesting, but the actual programs also exist in PUBLIC, and the data files are generally boring (although you might want to scan through them to see if there is anything interesting..) ::: System Files :: This is one of the main sections I cut out of the file. The sequel to this file will have a COMPLETE list of all files distributed with the network as well as all dos files for non-dos familiar users, with complete descriptions of what they do, and how to use them to your advantage. In the meantime, for non-msdos users, here's a quick rundown on how files are handled. When you type DIR you get a directory listing which shows all the files and directories in the current subdirectory. A filename under MSDOS consists of up to 8 characters plus up to 3 characters for an extension. (ie AUTOEXEC.BAT, FILENAME.EXT, or F.F.) A file with an extension of .COM or .EXE can be executed by typing the name of the file (and optionally the extension) at the dos prompt (like C:\PUBLIC>) A file with an extension of .BAT is a script or shell file which is in straight ascii form and can be executed also by typing the name at the dos prompt, but it is executed line by line by the dos command interpreter, instead of actually loaded as a program with data and code segments. Dos's .BATch language is pretty shitty as far as script languages go, if you're used to dealing with unix or any other more advanced language, you'll hate it. A file which has a instead of a file size is a sub- directory. You can make this your current directory by typing "CD directory-name" (ie, "CD LAN") or you can go two sub- directories by typing "CD LAN1\LAN2". You can go up one subdirectory by typing "CD .." (CD-space-period-period) or up to the top by typing "CD\". Another note: The AUTOEXEC.BAT file is automatically executed each time the computer is booted from the disk it resides on, so it's a good place to add your own commands. The CONFIG.SYS file loads drivers and such into memory. I'm not going to cover any more about DOS files or commands here, there may be some more in the next file, but if you are completely dos-un-educated I suggest you ask friends or buy a book. I'm sure there are also dos tutorials availible in text form. If enough commodore and apple type people ask me, I'll write a comprhensive file explaining all the dos commands basically and some things that a hacker on a dos-system might want to know. Remember, they do call it MeSsy-DOS, and it is. ::: Brute force hacking into the system ::: If you get just a straight LOGIN.EXE w/ no options in the Autoexec, or a login w/ a name, but you need to know the password (I've never encountered that) then you have to actually do some brute force hacking, or social engineering. The two most common accounts I know of are Supervisor (for the system admin) and Guest, which will probably left on. On my school's system there are accounts 1-20 for each of the computers (in one lab, in another it's c1,c2,c3..c20). If the system is secure enough to force a account/password to be known for each login, then I doubt you can break out of the autoexec, but its worth a try, just bang away on Ctrl-C or Ctrl-Break as much as you can. Optionally, if you have to have a boot disk, then make your own... w/ no autoexec, so you can just login however you like.. or get someone already on the system to install a trojan to snag passwords for you, etc. About actually finding other passwords once you're on, there are several programs availible for various types of LANs on various types of computers (with source sometimes) which intercept calls, or log keystrokes from the login program, and store the results in a hidden file, on an unsecure LAN, these programs are almost defintely going to yield a 100% success rate, and probably won't be found it installed right. And on a LAN as unsecure as the one at my school, you could stick pirate wares right in the PUBLIC directory and no one would notice (or at least they haven't yet). ::: Conclusion ::: Well, that wraps it up. In the next file I'll include all the novell specific info, and complete information on all novell files. Also, I corrected a lot of mis-information and mis-wording in this file. I very likely missed some, I'll include any corrections in the next file. If you find anything wrong with it, contact me on Solsbury Hill, we're in 301. Laughing Gas, 5/17/91.