carlo
11-06-2005, 02:21 PM
Section 1: Accessing the Shared Network
----------------------------------------
Computer class (if you have one) is of course a good place to start.
Your computer class will undoubtedly use a windows operating system
(not saying this is always the case, but usually...) so let's start
from there. Usually these computers have two rights, user and
administrator rights. So our first goal here is to jump from user (the
privileges you currently have) to administrator privileges. If the
operating system is Windows *.x then we will look for the *.pwl file
for the administrator account. This will be labeled according to the
admin username. You'll find this in the windows directory. Just sneak
in a floppy disk during class and copy the file to the floppy. Then
take the file home and use a pwl cracker to crack the file (if you use
brute force, make the settings lower case letters with *-*0 characters,
but I'd suggest first trying a dictionary crack. Just collect yourself
a few word lists). It'll take a while to crack the password so you will
have to be patient. If the operating system is Windows XP then that
just makes it even easier. Just grab a Windows 2k CD (download one off
kazaa or overnet, if you don't have a copy) and sneak it into class.
Place the CD in and boot up the computer. Then start the Win2k Recovery
Console, which is a troubleshooting program. This will allow you to
operate as administrator without even having to bother with the
password. So now that you have administrator privileges go to "Network
Neighborhood" and take a look through the network. Copy a few addresses
(anything that seems interesting), and if the computers used are Win*.x,
when you go home you can load up your internet browser and type
"file://[target address]" to gain access. This is network access, but
not the kind that will allow you to gain superuser access (unless the
software the teachers use for accessing/modifying/deleting student
records happens to be installed on the computer, and the password just
conveniently happens to be the same password that the teacher uses on
the windows administration account....which is not entirely far
fetched). If the computer you are using is Win2k (Windows 2000) use the
newest version of pwdump2 to dump the hash, and then use L0phtcrack to
break it.
p.s: If you don't have a computer class, then you can try the computers
at the library.
Section 2: Network Exploitation
-------------------------------
Now let's talk network operating systems (NOSs). If your school uses
Windows workgroups as a NOS, then the method described above would be
your method in. Most likely, if the NOS is not windows workgroups, then
it is Novell Netware. So now let's get into novell. Novell Netware is a
server-based operating system for networks. Novell runs off a version
of DOS called dr-dos (also known as Caldera DOS, since it was created
by Caldera Systems Inc). It also runs off a protocol called IPX/SPX
(Internetwork Packet eXchange/Sequential Packet eXchange), which is
very TCP/IP compatible (the later versions of novell run off a protocol
based off ipx/spx known as NCP, Netware Core Protocol). Now in novell
netware there are four different kind of rights given. There is user
which gives access to //public and some other basic files. There is
superuser, which is the access given to teachers. With this access they
can view and delete student accounts whenever necessary, but they can
not delete, create, or change accounts. There is supervisor, which is
the access administrators give themselves to work off of. And finally
there is console, which is the highest rights one could gain on a
novell network. Now since there have already been many articles
written on novell network infiltration (and I'm in a lazy mood) I am
now going to point you in the direction of articles that I had posted
up from a previous article on a very similar subject (exactly the same
subject actually, but targeted at a specific school network)...
Novell Netware v*.x-4.x: http://www.geocities.com/anti_dcss/novell_faq.zip
Novell Netware v*.*2-4.x: http://www.geocities.com/anti_dcss/novzero.zip
Novell Netware v5.x: http://www.geocities.com/anti_dcss/hack_novell.zip
There is also AppleTalk, which may be implemented in order to
integrate the Macintosh computers with the rest of the network, but it
isn't really necessary to exploit AppleTalk so I won't get into it.
Now let's get into exploiting the network from a remote location, which
I'm sure is what most of you want to do. Let's start off with the
school's website (if your school happens to have one). The best way to
find out which server the school is using is by telnetting into port
80, but instead of writing the address as it is, change the last
character of the address from .html or .htm to something like .htmx,
thereby causing the server to bring up an error which will contain the
type and version of the server that is hosting the school's website. If
the server you happen to find is an IIS server, then you can likely
find a login.asp page on the site. If you do so, then you can perform
an sql injection on the login.asp page, to gain access into the
internal network without raising any eyebrows from security (it will
only log up as an error 500 I believe, though my memory is a bit vague).
If this is not an option then you can perform a netscan (scan from
xxx.xxx.xxx.* - xxx.xxx.xxx.254) on the netblock, based on the ip
address that is hosting the web site, in order to find other servers
(ftp, remote administration, etc.) that you can use to crawl into the
internal network. For example, the router will usually be addressed on
*.*. If you do a quick port scan on the router, then you will find
either/or a telnet server (23) or snmp (161). If telnet is open then
you can exploit the fact that all telnet sessions are unencrypted by
using a tool like either Juggernaut, Hunt, or IP Watcher to hijack a
session to passively sniff out sensitive information (like passwords
of course). Of course you can also skip all that and just try and crack
the telnet prompt with tools like brutus. SNMP is protected by
community strings, but in many cases these are set as default, which is
"private". If not you can use a community string brute force program
(for example SolarWinds) to break into the router. There are other
servers of course that you will find on the netrange that I will not
get into, because it will be up to you to do the research necessary
(find out which servers are running and which versions they are, what
they are vulnerable to, etc). Sometimes you can also do it the old
school way and perform an exchange scan on the school using a war
dialer (like you can see on the movie Wargames) to perhaps find an open
modem that you can break through to send you right into the internal
network (you may think such methods are outdated, but you would be
surprised). You can set the area for this scan based on one of the
public phone numbers for the school district itself. Not the school
you are attending, but the school district. Since as you may have
noticed from this article, the internal network is for the school
district, which are separated into separate networks that are routed
together. I'm sure school districts are also jumping into wireless
technology, and it's a possibility (depending on school funding and the
district's awareness) that your school has also implemented such
technologies into their internal network in order to provide
convenience and efficiency for the staff of the school district. For
an introduction to wireless technologies and how one can exploit such
implementations then I would highly suggest reading my System Cracking
2k article (which you can find with a quick google search).
Note: If the teachers at your school use a program called
TSIS to manage student records, then usually there will also be a
TSIS remote login server on the network. Using a scanner you should be
able to pick up on this. The address is usually...
http://tsis.(county name).k12.(state initials).us
If you happen to find one of these, then you can probably use a
technique like passive packet sniffing or http cracking to gain access
into the internal network.
Note again: For those who may have noticed, this is a revised version
of my "Cracking School Networks" article.
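The two web-facing probes the post relies on (fingerprinting the server by requesting a mangled extension such as .htmx, and SQL injection against login.asp that shows up only as an HTTP 500) both leave traces in the web server's access log. The script below is an added detection example written for this page, not code from the post; it assumes a constructed, simplified IIS W3C-style log layout (date time c-ip method uri-stem uri-query status) and constructed sample lines.

```python
"""Flag the two probes described in the post from web access log lines:
a near-miss extension answered with a 4xx (server fingerprinting) and a
500 on login.asp whose query carries SQL metacharacters (injection)."""
import re
from urllib.parse import unquote_plus

# Constructed sample log, simplified IIS W3C style (not from the post).
SAMPLE_LOG = """\
2005-11-06 14:20:01 10.0.0.5 GET /index.htm - 200
2005-11-06 14:20:03 10.0.0.5 GET /index.htmx - 404
2005-11-06 14:21:10 10.0.0.7 POST /login.asp user=bob&pass=secret 302
2005-11-06 14:21:15 10.0.0.5 POST /login.asp user=%27--&pass=x 500
2005-11-06 14:22:00 10.0.0.9 GET /news.html - 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)
# Extensions this site really serves; a request for ".htmx" etc. is suspect.
KNOWN_EXT = {".htm", ".html", ".asp"}
# Single quote or SQL comment marker inside a query that produced a 500.
SQLI_HINT = re.compile(r"'|--")

def classify(line: str):
    """Return alert tags for one log line (empty list when benign)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    stem, status = m["stem"], int(m["status"])
    query = unquote_plus(m["query"])
    ext = "." + stem.rsplit(".", 1)[-1] if "." in stem else ""
    tags = []
    near_miss = ext not in KNOWN_EXT and any(ext.startswith(k) for k in KNOWN_EXT)
    if near_miss and 400 <= status < 500:
        tags.append("banner-probe")
    if stem.lower().endswith("login.asp") and status == 500 and SQLI_HINT.search(query):
        tags.append("sqli-500")
    return tags

def scan(log: str):
    """Map each source IP that triggered an alert to its list of tags."""
    alerts = {}
    for line in log.splitlines():
        tags = classify(line)
        if tags:
            ip = LINE_RE.match(line.strip())["ip"]
            alerts.setdefault(ip, []).extend(tags)
    return alerts

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG).items():
        print(ip, tags)
```

A real deployment would key on the site's actual extension list and alert on the 500s rather than the 404s alone, since the post notes the injection attempt is otherwise logged only as a server error.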